yurisk.info » Fortigate

Finally GEO location blocking has arrived to Fortigate

Yuri — Thu, 09 Feb 2012 18:35:47 +0000

It was predictable thing for Fortinet to do as everyone else has already been doing so.
I haven’t verified myself but according to the informed source (can only say his name – Hen) they are using
Maxmind database . So let’s see how to do it .
First you create in New Address dialog window the Geography type object specifying the country. As you can only pick one country per address use Address Groups to combine few countries together.
After creating such Address object you can use it in Firewall Policy just as you would the usual Address.
Personal Note: While there is an ongoing fuss/hysteria about the cyberwar being waged that started 2 weeks ago when Saudi “hackers” DDOS’ed few Israel websites, from what I see in the field it is more of a FUD campaign, one of the byproducts of which is rush of many website owners in Israel to block Saudi Arabia IPs (or any Arabic world IPs for that matter). What happened in fact was that most of DDOS came from anywhere but Arab world (Russia, China,US) , from botnets-for-hire.
The only reason I can think of why you would use Geo location block is to lower noise/size of logs by silently dropping traffic from unwanted countries.

Convert Fortigate diagnose sniffer packet output into tcpdump format understood by Wireshark

Yuri — Mon, 06 Feb 2012 18:06:31 +0000

Running diagnose sniffer packet on Fortinet Fortigate unit outputs human-readable packet information and packet data . Only that sometimes you would like to have the traffic sniffed at Fortigate in Wireshark-readable format so that it can be analyzed by all powerful Wireshark.
For this case Fortinet came up with the script and application that takes text output of this sniffer command and parses it into tcpdump format (.cap) which you can later open in Wireshark.
I guess there are other scripts available that do just that (after all it is just parsing the text file) , but from Fortinet you can find it here:
kb.fortinet.com/kb/viewContent.do?externalId=11186&sliceId=1

Or by searching their website for
fgt2eth.pl
fgt2eth.zip

Limit maximum size of scanned files in Fortigate firmware 4

Yuri — Mon, 03 Oct 2011 17:58:46 +0000

New operating systems are supposed to better user experience .. I thought. Well, so I thought, until today, when I had a need to lower the maximum size of files to be scanned by Fortigate 80C . It was a matter of few clicks in the good old version 3 via management GUI but in version 4 I spent some 20 minutes digging its GUI high and low and then finally opened Command Reference and found how to do it the CLI way.
Here is the solution :

FTG80C# config antivirus service http
FTG80C(http)# sho

config antivirus service “http”
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end

FTG80C(http) # set uncompsizelimit 2
FTG80C(http) # end

FTG80C# config antivirus service ftp
FTG80C(ftp) # set

scan-bzip2 enable scanning of bzip2 compressed files
uncompnestlimit uncompnestlimit
uncompsizelimit uncompsizelimit

FTG80C(ftp) # set uncompsizelimit

max uncompressed size to scan (1-50MB or use 0 for unlimited)

FTG80C(ftp) # set uncompsizelimit 2
FTG80C(ftp) # end

Best open source Netflow/sFlow analyzing software

Yuri — Sun, 12 Dec 2010 20:47:54 +0000

People ask me frequently what software I would recommend for Netflow analysis , especially with security implementations in mind. I made my choice a long ago and haven’t been complaining so far – Nfsen graphical frontend that has Nfdump as its data processing backend . It provides most flexibility, configurability; its filter syntax is very tcpdump-like; graphic front provides just enough of interactivity; the alerts system is just amazing.Moreover it supports not only Netflow but sFlow as well,so all Fortigate appliances with the last OS can be monitored this way.

Do not miss the long awaited addition to the Fortigate 4 MR2 – sFlow data export

Yuri — Thu, 14 Oct 2010 20:38:54 +0000

Great news – now Fortigate supports exporting data flows statistics to an external server using sFlow protocol (twin of Netflow from the Cisco world). I configured it in about a minute and it just works. To collect the sFlow data I use nfdump/Nfsen , that I found to be the most stable and versatile, not to mention being the rare one supporting both Netflow and sFlow.
You first set external server IP and destination port , here it is 10.99.99.158 and UDP 7774, and then enable flow export per interface. Example follows, here I did it on Fortigate 100.

# show system sflow

config system sflow

set collector-ip 10.99.99.158

set collector-port 7774

end

# show system interface dmz1

config system interface

edit “dmz1″

set vdom “root”

set ip 10.99.99.254 255.255.255.0

set allowaccess ping https ssh snmp
set type physical
set wccp enable
set sflow-sampler enable
next
end

Fortigate article

Break free from the GUI dependency – checking Fortigate logs on the cli.

Yuri — Thu, 15 Jul 2010 19:14:04 +0000

Fortinet are doing a lot to keep us away from the command line. And that’s ok in 95% of the cases. But sooner or later you come to meet the 5% of the bad and the ugly when you have no access to the GUI at all. Can you imagine the terror of such situation ? Fear no more – forewarned is forearmed. Just grab the Fortigate CLI Reference PDF (all in all 754 pages) , learn it by heart then return to my blog . A year has passed quickly, ah ?
Now you are ready for the introduction. One late evening [ and I am sure all security/networking equipment long ago conspired with clients against us to cause troubles at abnormal/non-working hours only] one of the clients asked if I can check something. "No, not something critical but STILL can you check it NOW ..? " , of course ,why not ?
To check something I needed access to the Fortigate logs. All good and well if it were not for the excruciatingly slow connection (in your case it may be blocked GUI management ports, out of band console access, high Fortigate CPU utilization) that made the GUI unusable. As I had not slightest inclination to turn late evening into early morning I did SSH to the machine, run #show log and #get log commands … and got logging configuration settings on the firewall. But where are the logs?
Here:

FGT-ugly # execute log display

Hurray ! I got lots of lines running on the terminal, only that it was traffic log and I wanted Event log, and moreover it showed only first 100 lines out of 3400 and I wanted it all. So let’s do it by steps.
Step 1 – know what is served
Run this first to see what you will be presented and what not:

FGT-ugly # execute log filter dump

category: traffic // each type of log is called category , see later
device: memory // from where logs are to be read
roll: 0 // archived version
start-line: 1 // on which line of the logs to start presenting
view-lines: 700 // how many lines to show

Step 2 – I want Event logs now !

FGT-ugly# execute log filter category //this way you can see all available logs

Available categories:
10: application control
9: dlp
6: content
5: spam
4: ids
3: webfilter
2: virus
1: event
0: traffic

FGT-ugly# execute log filter category 1 // switch to Event log

Left is how many lines to show at once .

FGT-ugly # execute log filter view-lines

number 5 – 1000 /// Aha, so we can see maximum 1000 lines per go. Not a problem actually cause every time you hit # execute log display starting line is increased for the next time by the number of lines shown.
To conclude it all I enabled logging in Putty through which I connected to the firewall and run

FGT-ugly# execute log display

3011 logs found.
1000 logs returned.
1: 2010-07-13 19:10:58 log_id=0143040704 type=event subtype=his-performance pri=information vd=”root” action=perf-stats cpu=0 mem=10 total_session=4 msg=”Performance statistics”
2: 2010-07-1319:05:58 log_id=0143040704 type=event subtype=his-performance pri=information vd=”root” action=perf-stats cpu=0 mem=10 total_session=7 msg=”Performance statistics”
3: 2010-07-1319:01:28 log_id=0104032001 type=event subtype=admin vd=root pri=information user=”admin” ui=https(21.14.127.14) action=login status=success reason=none profile=”super_admin” msg=”Administrator admin logged in successfully from https(21.14.127.14)”
4: 2010-07-1319:00:58 log_id=0143040704 type=event subtype=his-performance pri=information vd=”root” action=perf-stats cpu=0 mem=10 total_session=5 msg=”Performance statistics”
5: 2010-07-1318:55:58 log_id=0143040704 type=event subtype=his-performance pri=information vd=”root” action=perf-stats cpu=0 mem=10 total_session=8 msg=”Performance statistics”
6: 2010-07-1318:54:09 log_id=0104032003 type=event subtype=admin vd=root pri=information user=”admin” ui=https(21.14.127.14) action=logout status=success reason=timeout msg=”Administrator admin timed out on https

Reference of all log messages known to Fortigate firmware 4 :
FortiGate_Log_Message_Reference

MAC finder script

Yuri — Fri, 02 Jul 2010 05:35:37 +0000

While I don’t like going down to Layer 2 , recently I had to do it – I didn’t know IP address of the Cisco router I wanted to connect to but I had access to the Cisco router sitting in the same network. That would be pretty easy to do #show arp on this router and then search on Google to whom belongs each MAC if it wasn’t the subnet mask of /26. Copy pasting each entry of the ARP table into Google didn’t look like a lot of fun. So I wrote a python script that reads MAC addresses in bulk from command line and using downloaded beforehand database of MAC-vendor translations prints vendor for each MAC address. It works for #show arp on CIsco,#show mac-address-table on CIsco switches, #arp -en on Linux (means including Checkpoint), #arp -a on Freebsd ,#show arp of Junos from Juniper, #get sys arp on Fortigate.
Below is the script.
Here:
mac-database.txt – file containing MAC-vendor translation in format , I used standards.ieee.org/regauth/oui/oui.txt as the source with a bit of sed, but if you want ready to use file I recommend nmap-mac-prefixes from nmap source-code distribution http://nmap.org/svn/nmap-mac-prefixes
Download script (to make sure formatting is preserved, an important thing for Python)
http://yurisk.info/scripts/mac-finder.py
Script AND mac database from nmap project – http://yurisk.info/scripts/mac.tar.gz

#!/usr/bin/python
#This script accepts MAC addresses from the command line and
#prints vendor for each mac address
# Author:Yuri, yurisk@yurisk.info,06.2010
import sys
import re
#This function removes from MACs colon or dot and returns MAC as a sequence of HEX chars
def dotreplace(matchobj):
         if matchobj.group(0) == '.':
                return ''
         elif  matchobj.group(0) == ':':
                return ''
#open file with MAC addresses and vendors database,it has form xxxx 
macs=open('mac-database.txt','r')
macs_lines=macs.readlines()
#Read from stdinput
data = sys.stdin.readlines()
for ppp in data:
       popa=re.search('.*([a-f0-9]{4}\.[a-f0-9]{4}\.[a-f0-9]{4}).*',ppp,re.IGNORECASE)
       if popa:
             newpopa=re.sub('\.', dotreplace,popa.group(1))[0:6]
             newpopa_re=re.compile(newpopa,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopa_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]
       popalinux = re.search('.*([a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}).*',ppp,re.IGNORECASE)
       if popalinux:
             newpopalinux=re.sub(':',dotreplace,popalinux.group(1))[0:6]
             newpopalinux_re=re.compile(newpopalinux,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopalinux_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]

       popadash = re.search('.*([a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}).*',ppp,re.IGNORECASE)
       if popadash:
             newpopadash=re.sub('-',dotreplace,popadash.group(1))[0:6]
             newpopadash_re=re.compile(newpopadash,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopadash_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]

Running it:

[root@darkstar ]# ./mac-finder.py

$ arp -a
(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet]
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet]

(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet] VMware, Inc.
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet] Fortinet Inc.

Visio stencils for Cisco, Juniper, Fortinet, Checkpoint, Avaya

Yuri — Sat, 26 Jun 2010 12:43:25 +0000

Some links to download Visio stencils of the few most popular vendors.
Juniper
Cisco
Avaya
BlueCoat
Fortinet
Dell
Checkpoint happen not to have official stencils set, only Nokia appliances stuff can be found. So someone volunteered and using icons/press releases/PowerPoint presentations done by the Checkpoint turned it into the Visio stencils:
fireverse.org
If nothing else helps here you can find the rest:
nag.ru/projects/visio

Fortigate BGP – configure and debug

Yuri — Fri, 26 Mar 2010 14:56:12 +0000

Everyone today speaks BGP: Cisco routers, Juniper routers and ScreenOS firewalls, Fortigate does it,even SonicWall have it as planned feature So question is not whether but how. The opportunity to see how it works on Fortigate recently presented itself and here is the sum up of how I configured and debugged Fortigate BGP set up.
Task at hand: configure BGP peering with Bogon Route project by Team Cymru www.team-cymru.org/Services/Bogons/routeserver.html . More information about the Bogon Routes can be found at the source – www.team-cymru.org/Services/Bogons . But in few words they advertise to you routes that are never to be seen in your network for legitimate reasons. Those are networks not only from RFC 1918 but those reserved by RIPE for special purposes, and those unallocated to anyone as of now.
What we need to know for this set up is this:

They advertise all the networks with no-export community
also they attach 65333:888 community (as per their site)
they use md5 password authentication
they don’t expect you to advertise to them anything
in advertised networks next hop is their advertising router
their AS number is 65333

Based on all the above my Fortigate BGP peer had to :

enable multihop peering
use MD5 password authentication
have route-map to attach no-export community so that we don’t inadvertently advertise learned routes to other peers ( just safety net , in case BGP peer stops attaching no-export community to their routes)
set next hop for the learned routes to Null 0 interface.

Let’s start configuring something. Important surprise here – in Fortigate GUI you can only set 3 parameters:
As number , Peer Ip and networks to be advertised, the rest is to be done on the command line . So here it goes
1) Configuring route-map to set no-export community on learned networks and force next hop to be some reserved Ip (192.0.2.1 ) that in turn is statically routed to Null interface ,

config router route-map
edit “NO-EXPORT”
config rule
edit 3
set set-community “no-advertise”
set set-ip-nexthop 192.0.2.1
next
end
next
End

2) Configure BGP peer

(root) # show router bgp
config router bgp
set as 65002
config neighbor
edit 84.22.96.5
set ebgp-enforce-multihop enable
set remote-as 65333
set route-map-in “NO-EXPORT”
set password “yuiyui”
next
end
config redistribute “connected”
set status enable
end

3) Configure static blackhole route for the reserved IP used as the next hop for this.

(root) # sh router static
config router static
edit 3
set blackhole enable
set dst 192.0.2.1 255.255.255.255
next
End

Validation phase.
All configs are as good as the prove that it works.

List shortly all the peers

(root) # get router info bgp summary

BGP router identifier 10.250.250.2, local AS number 65002
BGP table version is 159
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
84.22.96.5   4  65333       4       6      159    0    0 00:00:48        0

Total number of neighbors 1

List all BGP neighbors and their peering state

My-FG (root) # get router info bgp neighbors

BGP neighbor is 84.22.96.5, remote AS 65333, local AS 65002, external link
  BGP version 4, remote router ID 84.22.96.5
  BGP state = Established, up for 00:00:58
  Last read 00:00:58, hold time is 180, keepalive interval is 60 seconds
  Configured hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv4 Unicast: advertised and received
  Received 4 messages, 0 notifications, 0 in queue
  Sent 6 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  BGP table version 160, neighbor version 159
  Index 3, Offset 0, Mask 0x8
  Community attribute sent to this neighbor (both)
  Inbound path policy configured
  Route map for incoming advertisements is *NO-EXPORT
  0 accepted prefixes
  19 announced prefixes
  Connections established 1; dropped 0
  External BGP neighbor may be up to 255 hops away.
Local host: 10.250.250.2, Local port: 9188
Foreign host: 84.22.96.5, Foreign port: 179
Nexthop: 10.250.250.1

See the routes learned through the BGP protocol

(root) # get router info bgp network

BGP table version is 161, local router ID is 10.250.250.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 5.0.0.0          192.0.2.1                0             0 65333 65333 i
*> 14.0.0.0         192.0.2.1                0             0 65333 65333 i
*> 23.0.0.0         192.0.2.1                0             0 65333 65333 i
*> 31.0.0.0         192.0.2.1                0             0 65333 65333 i
*> 36.0.0.0         192.0.2.1                0             0 65333 65333 i
*> 37.0.0.0         192.0.2.1                0             0 65333 65333 i
*> 39.0.0.0         192.0.2.1                0             0 65333 65333 i
*> 42.0.0.0         192.0.2.1                0             0 65333 65333 i
*> 49.0.0.0         192.0.2.1                0             0 65333 65333 i
*> 100.0.0.0        192.0.2.1                0             0 65333 65333 i
*> 101.0.0.0        192.0.2.1                0             0 65333 65333 i
*> 102.0.0.0        192.0.2.1                0             0 65333 65333 i
*> 103.0.0.0        192.0.2.1                0             0 65333 65333 i
*> 104.0.0.0        192.0.2.1                0             0 65333 65333 i
*> 105.0.0.0        192.0.2.1                0             0 65333 65333 i
*> 106.0.0.0        192.0.2.1                0             0 65333 65333 i
*> 169.254.0.0      192.0.2.1                0             0 65333 65333 i
*> 172.16.0.0/12    192.0.2.1                0             0 65333 65333 i
*> 176.0.0.0/8      192.0.2.1                0             0 65333 65333 i
*> 177.0.0.0/8      192.0.2.1                0             0 65333 65333 i
*> 179.0.0.0/8      192.0.2.1                0             0 65333 65333 i
*> 181.0.0.0/8      192.0.2.1                0             0 65333 65333 i
*> 185.0.0.0/8      192.0.2.1                0             0 65333 65333 i

List routes that are currently installed in the routing table that were learned by BGP .

(root) # get router info routing-table bgp

B       5.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B       14.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B       23.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B       31.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B       36.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B       37.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B       39.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B       42.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19

After all is configured and saved (and probably doesn’t work) comes the bgp debug round.
Enable bgp debug on the appliance

#diag ip router bgp all enable

Enable debug output to console

diag debug enable

To stop this output

diagnose debug disable

To verify that debug is on

# diag ip router bgp show

BGP debugging status:
  BGP events debugging is on
  BGP debug level: INFO

If nothing after that happens try clearing all BGP sessions

#exec router clear bgp all

The good way to judge something new is to compare it with something you already know. To continue
With that logic I cross-reference debug output seen on Fortigate with the one seen on the Cisco BGP peer. That
way you can decide what is more informative and who wins the race (Cisco of course, what you thought?).

Case 1
One of the peers is configured with wrong AS number.
In Fortigate you see this:

BGP: 84.22.96.5-Outgoing [FSM] State: Idle Event: 3
BGP: 84.22.96.5-Outgoing [NETWORK] FD=15, Sock Status: 0-Success
BGP: 84.22.96.5-Outgoing [FSM] State: Connect Event: 17
BGP: 84.22.96.5-Outgoing [ENCODE] Msg-Hdr: Type 1
BGP: 84.22.96.5-Outgoing [ENCODE] Open: Ver 4 MyAS 65002 Holdtime 180
BGP: 84.22.96.5-Outgoing [ENCODE] Open: Msg-Size 45
BGP: 84.22.96.5-Outgoing [DECODE] Msg-Hdr: type 3, length 23
BGP: %BGP-3-NOTIFICATION: received from 84.22.96.5 2/2 (OPEN Message Error/Bad Peer AS.) 2 data-bytes

Now let’s compare to the debug from Cisco

#debug ip bgp events

Mar 24 13:14:55.572: %BGP-3-NOTIFICATION: sent to neighbor 10.250.250.2 2/2 (peer in wrong AS) 2 bytes FDEA FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 002D 0104 FAEA 01B4 0AFA EA02 1302 0201 1400 0100 0132 0222 0012 0222 00

Case 2
MD5 authentication is set on Cisco but not on the Fortigate. Again for comparison
debug from Fortigate and debug from Cisco
Cisco:

Jan  5 10:42:14.299: %TCP-6-BADAUTH: No MD5 digest from 10.250.250.2 (1037) to 84.22.96.5(179)

Fortigate:

84.22.96.5-Outgoing [FSM] State: Connect Event: 9
BGP: [RIB] Scanning BGP Network Routes...
84.22.96.5-Outgoing [FSM] State: Connect Event: 9
BGP: [RIB] Scanning BGP Network Routes...

Case 3 (that actually happened when I configured this Fortigate) is mismatched MD5 password on either side

Fortigate:
Doing summary listing showed peering as down :

84.22.96.5   4  65333     934    1036        0    0    0    never Connect

Cisco:

*Mar 24 13:40:28.800: BGP: Regular scanner event timer
*Mar 24 13:40:28.800: BGP: Import timer expired. Walking from 1 to 1
*Mar 24 13:40:42.764: %TCP-6-BADAUTH: Invalid MD5 digest from 10.250.250.2(11064) to 84.22.96.5(179)

Case 4 On Cisco ttl-security is enabled while on Forigate ebgp multi-hop is not .
There is no such thing as TTL security on the Fortigate by the way, all you can do to handle this state is enable ebgp-multihop and them it starts sending BGP packets with ttl = 255 .

Cisco:

Jan  7 13:01:36.992: %BGP-4-INCORRECT_TTL: Discarded message with TTL 2 from 10.250.250.2

Forigate:

BGP: 84.22.96.5-Outgoing [FSM] State: OpenConfirm Event: 11
BGP: 84.22.96.5-Outgoing [ENCODE] Msg-Hdr: Type 4
BGP: 84.22.96.5-Outgoing [ENCODE] Keepalive: 13548 KAlive msg(s) sent
84.22.96.5-Outgoing [FSM] State: OpenConfirm Event: 10
BGP: 84.22.96.5-Outgoing [ENCODE] Msg-Hdr: Type 3
BGP: %BGP-3-NOTIFICATION: sending to 84.22.96.5 4/0 (Hold Timer Expired/Unspecified Error Subcode) 0 data-bytes
BGP: 84.22.96.5-Outgoing [FSM] State: Idle Event: 3
BGP: 84.22.96.5-Outgoing [NETWORK] FD=14, Sock Status: 111-Connection refused
BGP: 84.22.96.5-Outgoing [FSM] State: Connect Event: 18

Bonus Case Bug-not-a-feature thing on the Fortigate – when configuring MD5 password for BGP authentication you get Cross-Site vulnerability protection for free Don’t ask me how XSS is connected to cli configuration of BGP …

set password <2AEARep>

The string contains XSS vulnerability characters
value parse error before ”
Command fail. Return code -173

Fortigate firewall demo free access. Also FortiManager and FortiAnalyzer

Yuri — Wed, 03 Feb 2010 18:37:25 +0000

As someone said best things in life are free.
Here are links to the demo Forigate firewall, ForiAnalyzer and FortiManager open to access from anywhere . So that you can
familiarize yourself with the Management GUI look and feel.
NOTE: Access is read-only.
NOTE 2: No , it is not me being so generous, it’s Fortinet caring for us.
Fortigate 300 :
user:demo
password: fortigate
fortigate.com
ForiAnalyzer 800:
user:demo
password: fortianalyzer
fortianalyzer.com
FortiManager 400:
user:demo
password: fortimanager
fortimanager.com