Thursday, June 2, 2022

FortiGate Site-to-Site IPSec VPN

Here's a link on configuring a Site-to-Site IPSec VPN in a FortiGate firewall. Below is the virtual lab I used to establish a Site-to-Site IPSec VPN between a FortiGate and a Cisco CSRv router.

To create a Site-to-Site IPSec VPN in FortiGate, go to VPN > IPSec Wizard.

Under VPN Setup tab > type a Name: FTG_CISCO_VPN > select Template type: Site to Site > NAT configuration: No NAT between sites > Remote device type: Cisco > click Next.

Under Authentication tab > type the Remote IP address (CSRv WAN IP): 192.168.1.140 > select Outgoing Interface (WAN): port1 > select Authentication method: Pre-shared Key (default) > type Pre-shared key: fortinet (same PSK on the remote CSRv) > click Next.

Under Policy & Routing tab > select Local interface: port2 (LAN) > the Local subnets will auto detect/fill: 172.16.1.0/24 > type Remote Subnets (LAN behind CSRv): 10.1.1.0/24 (you could also create an Address Object) > leave the default Internet Access: None > click Next.

Under Review Settings > review the Object Summary settings > click Create.

Click Show Tunnel List.

It will redirect you to IPSec Tunnels > click the created FTG_CISCO_VPN template > click Edit (or just double-click).

Click Convert to Custom Tunnel.

Under Phase 1 Proposal > click Edit.

Notice the only available Encryption is DES since this is an Eval VM.

The only available Authentication options for the Eval VM are MD5, SHA1, SHA256, SHA384 and SHA512.

Remove the second Phase 1 Proposal: DES and SHA1 > deselect Diffie-Hellman Group 14 and 5 > select DH Group 2 > click the check icon (beside refresh) in order to save.

Click on the Phase 2 Selectors area/box in order to edit.

Click Advanced (+ icon).

Remove the second Phase 2 Proposal: DES and SHA1 > deselect PFS (generate Phase 2 DH keys).

Leave the default settings for Key Lifetime > click OK.

The FortiGate IPSec Wizard automatically created two Firewall Policies for Inbound and Outbound traffic.

Using the IPSec Wizard is very convenient compared to doing the VPN setup manually.

This is the Firewall Policy for Inbound traffic (from remote Cisco CSRv to FortiGate).

Under Log Allowed Traffic > select All Sessions > click OK.

This is the Firewall Policy for the Outbound traffic (FortiGate to CSRv).

Under Log Allowed Traffic > select All Sessions > click OK.

The IPSec Wizard also created the static routes needed.



I generated the "interesting" traffic to establish an IPSec Security Association (SA) between the FortiGate and Cisco CSRv.

To view VPN traffic logs, go to Log & Report > Forward Traffic.

Select a specific log > click Details.

You can also view specific VPN events by going to Log & Report > Events > VPN Events.
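The proposal choices above (DES, DH group 2, PFS off) are what the Eval VM allows; on a production unit the same settings should be checked against a crypto baseline before the tunnel goes live. The following Python script is an added example, not code from the post or from Fortinet: it parses a FortiOS-style phase1/phase2 snippet mirroring the lab tunnel and flags settings below an assumed baseline (no DES/3DES, no MD5/SHA1, DH group 14 or higher, PFS on). The snippet text is constructed; the post only says the DES/SHA1 proposal was removed, so the surviving proposal is assumed to be DES with SHA256.

```python
import re

# Constructed FortiOS-style snippet mirroring the lab tunnel: name, DH group and
# PFS setting come from the post; the surviving proposal is an assumption.
SAMPLE_CONFIG = """config vpn ipsec phase1-interface
    edit "FTG_CISCO_VPN"
        set proposal des-sha256
        set dhgrp 2
    next
end
config vpn ipsec phase2-interface
    edit "FTG_CISCO_VPN"
        set proposal des-sha256
        set pfs disable
    next
end"""

# Assumed baseline: no DES/3DES/null, no MD5/SHA1, DH group 14 or higher, PFS on.
WEAK_ENC, WEAK_HASH, MIN_DH_GROUP = {"des", "3des", "null"}, {"md5", "sha1"}, 14

def parse_sections(text):
    """Return {(phase, tunnel_name): {setting: value}} from the snippet."""
    sections, phase, key = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r'config vpn ipsec (phase[12])-interface', line):
            phase = m.group(1)
        elif (m := re.match(r'edit "([^"]+)"', line)) and phase:
            key = (phase, m.group(1))
            sections[key] = {}
        elif (m := re.match(r'set (\S+) (.+)', line)) and key:
            sections[key][m.group(1)] = m.group(2).strip('"')
        elif line == "next":
            key = None
        elif line == "end":
            phase = key = None
    return sections

def audit(sections):
    """Return human-readable findings for settings below the baseline."""
    findings = []
    for (phase, name), s in sections.items():
        for prop in s.get("proposal", "").split():   # e.g. "des-sha256 aes256-sha256"
            enc, _, integ = prop.partition("-")
            if enc in WEAK_ENC:
                findings.append(f"{phase} {name}: weak encryption {enc}")
            if integ in WEAK_HASH:
                findings.append(f"{phase} {name}: weak integrity {integ}")
        if phase == "phase1" and any(int(g) < MIN_DH_GROUP for g in s.get("dhgrp", "").split()):
            findings.append(f"{phase} {name}: DH group below {MIN_DH_GROUP}")
        if phase == "phase2" and s.get("pfs", "enable") == "disable":
            findings.append(f"{phase} {name}: PFS disabled")
    return findings
```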




Sunday, May 1, 2022

FortiGate Application Control

The FortiGate can recognize network traffic generated by a large number of applications. Application Control sensors specify what action to take with the application traffic. Application Control uses IPS protocol decoders that can analyze network traffic to detect application traffic, even if the traffic uses non-standard ports or protocols. Application control supports traffic detection using the HTTP protocol (versions 1.0, 1.1, and 2.0).

To configure the FortiGate Application Control, go to Security Profiles > Application Control > Create New.

Notice there are several default Application Control Profiles.

Type a Name: BLOCK_SOCIAL_MEDIA > under Social Media > select Block.

Click OK.


The next step is to apply the Application Control Profile in a Firewall Policy. Go to Policy & Objects > Firewall Policy > select FG_LAN_INTERNET (Policy ID 1).

Go under Security Profiles.

Enable (toggle) Application Control > select BLOCK_SOCIAL_MEDIA > click OK.


I tried to access facebook.com from 172.16.1.100 (Windows 7 VM) but it only timed out. There was an Application Blocked error when I tried instagram.com and twitter.com.



To view Application Control logs, go to Log & Report > Application Control.


Notice the Application Name: Twitter and Facebook had an Action: block.

You can use the Add Filter to only display Action: block.

Select a log > click Details.





Friday, April 1, 2022

FortiGate Web Filtering (Static URL)

You can look up which Web Category a website falls under using the FortiGuard Web Filter tool. In the example, I looked up youtube.com and it is under the Category: Streaming Media and Download.

To configure a Static URL Filter, go to Security Profiles > Web Filter > Create New.

Notice there are system default profiles created.

Type a Name: LAB_URL_FILTER > enable URL filter (toggle) > click Create New.

Type URL: *.facebook.com > select Type: Wildcard > select Action: Block > click OK.

Create Static URL Filter entries for cisco.com and youtube.com in the same way > click OK.


The next step is to apply the Web Filter Profile in a Firewall Policy. Go to Policy & Objects > Firewall Policy > select FG_LAN_INTERNET > click Edit (or just double-click).

Under Security Profiles > enable Web Filter (toggle) > select LAB_URL_FILTER > click OK.


I tried to access the websites from 172.16.1.100 (Windows 7 VM) but got a Web Page Blocked error.
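The Web Page Blocked result comes from the Wildcard entries matching the requested hostnames. As an added example, not code from the post or from Fortinet, the Python below models that matching for the three LAB_URL_FILTER entries: it is a simplified model of static URL filtering (a Wildcard pattern is anchored to the whole hostname with `*` matching any run of characters, a Simple pattern must equal the hostname), not FortiOS's matching engine, and the entries and URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed entries mirroring the post's LAB_URL_FILTER profile.
# (pattern, type, action); evaluated top to bottom, first hit wins (assumed).
URL_FILTER = [
    ("*.facebook.com", "wildcard", "block"),
    ("*.cisco.com", "wildcard", "block"),
    ("*.youtube.com", "wildcard", "block"),
]

def wildcard_to_regex(pattern):
    """Escape everything except '*', then anchor both ends so a lookalike host
    that merely contains the pattern (www.facebook.com.example.test) cannot match."""
    parts = [re.escape(p) for p in pattern.lower().split("*")]
    return re.compile("^" + ".*".join(parts) + "$")

def evaluate(url, filters=URL_FILTER):
    """Return the action of the first entry whose pattern matches the URL's host."""
    host = (urlsplit(url).hostname or "").lower()
    for pattern, kind, action in filters:
        if kind == "wildcard" and wildcard_to_regex(pattern).match(host):
            return action
        if kind == "simple" and host == pattern.lower():
            return action
    return "allow"   # no static entry hit; in the model nothing else is applied

def demo():
    """Evaluate a few constructed URLs against the lab entries."""
    return {u: evaluate(u) for u in (
        "https://www.facebook.com/login",
        "https://facebook.com/",
        "http://www.facebook.com.example.test/",
        "https://video.youtube.com/watch",
    )}
```

In this model the pattern `*.facebook.com` does not cover the bare apex `facebook.com`, so a separate entry is needed if the apex must be blocked as well.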



To view the FortiGate Web Filter logs, go to Log & Report > Web Filter.

Select a log > click Details.

Notice the Action: blocked and Web Filter Profile Name: LAB_URL_FILTER were applied to the HTTP traffic.
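Both the Application Control post and this one narrow the log view down to blocked actions by hand (Action: block for Application Control, Action: blocked for Web Filter). The following Python is an added example, not code from the posts or from Fortinet: it applies the same filter to exported key=value log lines, which is how FortiGate logs look once they leave the GUI. The sample lines are constructed and only loosely modelled on the real format; the field names used are assumptions.

```python
import re
from collections import Counter

# Constructed UTM log lines (key=value, quoted strings) resembling the app-ctrl and
# webfilter entries shown in the posts; addresses and timestamps are made up.
SAMPLE_LOGS = [
    'date=2022-05-01 time=10:02:11 type="utm" subtype="app-ctrl" action="block" srcip=172.16.1.100 dstip=203.0.113.10 app="Twitter" appcat="Social.Media" profile="BLOCK_SOCIAL_MEDIA"',
    'date=2022-05-01 time=10:02:15 type="utm" subtype="app-ctrl" action="pass" srcip=172.16.1.100 dstip=203.0.113.20 app="DNS" appcat="Network.Service" profile="BLOCK_SOCIAL_MEDIA"',
    'date=2022-04-01 time=09:30:00 type="utm" subtype="webfilter" action="blocked" srcip=172.16.1.100 hostname="www.facebook.com" url="/" profile="LAB_URL_FILTER"',
    'date=2022-04-01 time=09:31:02 type="utm" subtype="webfilter" action="passthrough" srcip=172.16.1.100 hostname="example.org" url="/" profile="LAB_URL_FILTER"',
]

# key=value where the value is either a double-quoted string or a bare token
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# The two spellings seen in the posts: app-ctrl logs "block", webfilter logs "blocked".
BLOCK_ACTIONS = {"block", "blocked"}

def parse_log(line):
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV.finditer(line)}

def blocked_events(lines):
    """Return (subtype, profile, srcip, target) for UTM records whose action is a block."""
    out = []
    for rec in map(parse_log, lines):
        if rec.get("type") != "utm" or rec.get("action") not in BLOCK_ACTIONS:
            continue
        target = rec.get("app") or rec.get("hostname") or "?"   # app name or blocked host
        out.append((rec["subtype"], rec.get("profile"), rec.get("srcip"), target))
    return out

def summarize(lines):
    """Count blocked events per (subtype, target), the view the GUI filter gives."""
    return dict(Counter((sub, target) for sub, _, _, target in blocked_events(lines)))
```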