Articles tagged with #Fortigate




Using external threat feeds in FortiGate has become much easier with 6.0 and 6.2 versions

Recently I had the opportunity to configure an external threat feed as a block list for the Fortigate and was pleasantly surprised by how much simpler it has become. Task at hand: Block incoming connections sourced from IP addresses supplied as a list by a 3rd party commercial Threat Intelligence …



Fortigate guest user accounts - create, edit, delete and deploy

The guest user accounts are special in Fortigate and unlike regular local Firewall user accounts. The flow of creating them is: Let's configure it. First, you create Groups, which serve, in this case, as a template for various parameters users can/must have later: User & Device -> User Groups -> New .. -> Type …



Fortigate how to verify that IPS is actually working

Is your IPS actually doing what you expect? You have to test your configurations, especially with the Intrusion Prevention System, which demands not only On/Off switch, but also tuning or it may become useless. With AntiVirus we have Eicar fake virus on eicar.org to download. With IPS there …



Fortigate to Fortimanager management tunnel connection debug how-to

When the policy install fails on Fortimanager, it may mean many things as the process is quite complex with database/policy verification. But frequently, it happens because the communication tunnel between Fortimanager and Fortigate is down. The tunnel works on port 514, is encrypted (so we cannot see the contents …



Fortigate Local in Policy what it does and how to change/configure it

Fortigate comes with some services allowed in incoming direction, even without any configuration done by you. Important to note is that in such pre-configured security rules the destination is mostly the Fortigate itself, sometimes its specific interfaces, sometimes all of the interfaces. That is, this does not allow access though …



Fortigate virtual IP server load balancing configuration and debug

The general workflow is: Facts to know: Available server types: http, https, imaps, pop3s, smtps, ssl, tcp, udp, ip Server types ssl, https and all the SSL based ones are available in Proxy inspection mode of the Fortigate only. Only starting with FortiOS 6.2.1 https load balancing supports …



Fortigate DoS/DDoS sensor/policy rules configuration and verification

Facts to know: You use Dos protection by creating Dos policy (Policy & Objects -> IPv4/Ipv6 DoS Policy) in which you enable/modify anomalies. The list of anomalies is pre-set in any policy you create. You only have the choice which ones to enable and which ones not to. All anomalies …



Fortigate BGP cookbook of example configuration and debug commands

Last updated: August 2020 PDF version of this post: Fortigate BGP cookbook of example configuration and debug commands.pdf BGP with two ISPs for multi-homing, each advertising default gateway and full routing table. Uses route-map, prefix list, weight Prevent our Fortigate from becoming a transit AS, do not advertise learned …



Fortigate - enable e-mail as a two-factor authentication for a user and increase token timeout

I'll say outright that FortiToken (be it a mobile app or a physical token) is the most secure and preferable way today for multi-factor authentication. The other two - SMS message and e-mail message are vulnerable to many attacks, including not so technically sofisticated SMS swapping. But sometimes less secure method …



Fortigate CLI command alias to create shortcuts and save time

Fortigate CLI commands can be long, like really long. And it is no fun to get an error running a command of 6 words because of the typo! The solution to this is simple - command aliases. Coming from the Cisco world I got used to creating command aliases as a …