目錄表

有關 FortiGate 防火牆相關設定

有關 FortiGate 防火牆相關設定

設備型號 : FortiGate 40C (v5.2.13,build762)
WAN1 : 220.100.100.100 GW: 220.100.100.254
LAN(Internal) : 192.168.0.1

基本設定

設定 WAN1 (wan1)
設定 LAN (intrtnal)
設定 Default Route
- System → Network → Routing
  - Create New :
    - Destination IP/Mask : 0.0.0.0/0.0.0.0
    - Device : wain1
    - Gateway : 220.100.100.254
- Policy & Objects → Policy → IPV4
  - Create New :
    - Incoming Interface : internal
    - Source Address : all
    - Outgoing Interface : wan1
    - Destination Address : all
    - Schedule : always
    - Service : ALL
    - Action : ACCEPT

設定 Port Mapping

預計設定 WAN1 的 Port 80 / 443 → 192.168.0.200:80 / 443
定義 VIP : Polocy & Objects → Objects → Virtual IPs
1. 建立 VIP : web-http 與 web-https 看畫面
2. 建立 VIP Group : webserver-group 看畫面
3. 完成 VIP 建立看畫面
4. 確認與建立 Services : HTTP/HTTPS 看畫面
定義 Policy : Policy & Objects → Policy → IPv4
1. 建立 wan1→internal port mapping Policy 看畫面
2. 完成 wan1→internal port mapping Policy 看畫面

如果 Policy 中有啟動 NAT 轉過去的內部 Server 來源 IP 就會是 Fortigate 的 IP
- Exp. Fortigate 的 internal IP 是 192.168.0.1 在 21/May/2018:11:29:57 切換成有 NAT 的規則, 結果 Web Server Log 內看到的來源 IP 都變成 192.168.0.1 看畫面

針對 Port Mapping (WAN 連入 Internal) (Virtual IP) 特定來源(黑名單)IP 設定技巧

透過 UI 設定 WAN → Internal 的 Deny 規則後, 是無法實際阻擋特定來源 IP
但使用命令方式, 針對這 Policy 編號進行設定, 增加 “set match-vip enable” 才能真正阻擋.
參考 - http://kb.fortinet.com/kb/documentLink.do?externalID=FD33338

設定 SSL VPN

建立使用者 :
1. User & Device → User → User Group
  - Create New :
    - Name : vpn-user
    - Type : Firewall
2. User & Device → User → User Definition
  - Create New :
    1. User Type : Local User
    2. Login Credentials :
      - User Name : vpnuser1
      - Password : password1
    3. Contact Info :
      - Email Address : [email protected]
    4. Extra Info :
      - [V] Enable
      - [ ] Two-factor Authentication
      - [V] User Group : vpn-user
VPN → SSL → Portals
- Create New¹⁾ :
  - Name : ichiayi-sslvpn
  - [V] Enable Tunnel Mode
    - [V] Enable Split Tunneling
      - Routing Address : SSLVPN_TUNNEL_ADDR1
    - Source IP Pooles : SSLVPN_TUNNEL_ADDR1
  - Client Options : [V] A;ways Up (Keep Alive)
  - [V] Enable Web Mode
  - Portal Message : Welcome to SSL VPN Service

設定帳號一次只能一個連線 :
- VPN → SSL → Portals → 選擇指定的項目 Exp. full-access → Edit
- [V] Limit Users to One SSL-VPN Connection at a Time
- 點這裡看參考畫面

防止暴力登入 SSL VPN 方式

參考 - https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-limit-SSL-VPN-login-attempts-and-block/ta-p/194229?externalID=FD48714
當 Log & Report 的 VPN Events 出現大量 ssl-login-fail , sslvpn_login_unknown_user 狀況
設定當 SSL VPN 登入失敗超過 x 次就鎖定 n 秒, 來降低嘗試暴力登入的狀況 Exp. 失敗超過 3 次, 就鎖 3600 秒
```
config vpn ssl settings
    set login-attempt-limit 3
    set login-block-time 3600
end
```

當出現 CPU 100% 時釐清問題方式

看哪個服務造成

diagnose sys top -d 3

Exp.

FortiGate # diagnose sys top -d 3
Run Time:  443 days, 19 hours and 44 minutes
17U, 0N, 3S, 80I; 1838T, 1135F
         sslvpnd    10073      R      93.2     1.5
          newcli    24900      R       1.4     1.0
       ipsengine      158      S <     0.0     4.0
Run Time:  443 days, 19 hours and 44 minutes
26U, 0N, 3S, 71I; 1838T, 1135F
         sslvpnd    10073      S      92.2     1.5
          httpsd    24886      S       3.9     1.5
          httpsd    23905      S       1.3     1.6
 
FortiGate #

釐清是 sslvpnd 造成

先刪除這程序

diagnose sys kill 11 {pid}

Exp.

diagnose sys kill 11 10073

針對這程序進行處理, Exp. 遭受攻擊 : 找出並封鎖攻擊來源

IPSec - L2TP 用戶撥入 VPN 設定

參考 - http://kb.fortinet.com/kb/viewContent.do?externalId=FD36253

設定多條 WAN 備援方式

參考 - http://cookbook.fortinet.com/redundant-internet-connections-54/

路由偵錯檢測方式

參考 - http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37024&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=43706420&stateId=1%200%2043708158

連上 Fortigate 查看有經過這 FW 的 IP 流量訊息 Exp. 192.168.0.250

diag debug reset
diag debug flow filter clear
diagnose sniffer packet any "host 192.168.0.250 and icmp" 4

可以在外部 192.168.1.140 的 Windows 10 PC 執行 ping 與 tracert , 只要有經過 Fortigate 就會顯示流量訊息

ping 範例 PC 端

C:\Users\jonathan>ping 192.168.0.250

Ping 192.168.0.250 (使用 32 位元組的資料):
回覆自 192.168.0.250: 位元組=32 時間=38ms TTL=62
回覆自 192.168.0.250: 位元組=32 時間=41ms TTL=62

Fortigate 端

TPFortiGate40C-1 # diag debug reset

TPFortiGate40C-1 # diag debug flow filter clear

TPFortiGate40C-1 # diagnose sniffer packet any "host 192.168.0.250 and icmp" 4
interfaces=[any]
filters=[host 192.168.0.250 and icmp]
5.053098 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
5.053240 internal out 192.168.1.140 -> 192.168.0.250: icmp: echo request
5.053447 internal in 192.168.0.250 -> 192.168.1.140: icmp: echo reply
5.053555 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: echo reply
6.036276 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
6.036615 internal out 192.168.1.140 -> 192.168.0.250: icmp: echo request
6.036885 internal in 192.168.0.250 -> 192.168.1.140: icmp: echo reply
6.037006 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: echo reply

8 packets received by filter
0 packets dropped by kernel

tracert 範例 PC 端

C:\Users\jonathan>tracert 192.168.0.250

在上限 30 個躍點上追蹤 192.168.0.250 的路由

  1     1 ms     1 ms     1 ms  192.168.1.254
  2    11 ms    10 ms    10 ms  192.168.0.254
  3    14 ms    16 ms    15 ms  192.168.0.250

追蹤完成。

Fortigate 端

TPFortiGate40C-1 # diagnose sniffer packet any "host 192.168.0.250 and icmp" 4
interfaces=[any]
filters=[host 192.168.0.250 and icmp]
8.541353 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
8.541438 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
10.076119 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
10.076201 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
11.555745 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
11.555828 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
18.573750 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
18.583995 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
18.595516 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
24.118851 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
24.119128 internal out 192.168.1.140 -> 192.168.0.250: icmp: echo request
24.120764 internal in 192.168.0.250 -> 192.168.1.140: icmp: echo reply
24.120917 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: echo reply
24.132986 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
24.133519 internal out 192.168.1.140 -> 192.168.0.250: icmp: echo request
24.135474 internal in 192.168.0.250 -> 192.168.1.140: icmp: echo reply
24.135559 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: echo reply
24.151568 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
24.152277 internal out 192.168.1.140 -> 192.168.0.250: icmp: echo request
24.152673 internal in 192.168.0.250 -> 192.168.1.140: icmp: echo reply
24.152749 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: echo reply
24.208985 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
24.209067 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
25.743512 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
25.743598 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
27.209075 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
27.209157 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable

27 packets received by filter
0 packets dropped by kernel

FortiGate 60D 特別設定

端對端 VPN 使用 traceroute 非預期出現 DMZ IP

參考 - http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36799&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=116930985&stateId=0%200%20116932943

traceroute 192.168.1.5

traceroute to 192.168.1.5 (192.168.1.5), 30 hops max, 60 byte packets
 1  192.168.0.254 (192.168.0.254)  4.692 ms  4.602 ms  4.524 ms
 2  60-248-245-172.HINET-IP.hinet.net (60.248.245.172)  14.593 ms  14.556 ms  14.483 ms
 3  192.168.1.5 (192.168.1.5)  20.283 ms  20.285 ms  20.261 ms

只要設定 VPN 虛擬介面的 IP 即可解決 Exp. 192.168.101.254 看畫面

traceroute 192.168.1.5
traceroute to 192.168.1.5 (192.168.1.5), 30 hops max, 60 byte packets
 1  192.168.0.254 (192.168.0.254)  4.586 ms  4.502 ms  4.412 ms
 2  192.168.101.254 (192.168.101.254)  15.170 ms  15.092 ms  13.887 ms
 3  192.168.1.5 (192.168.1.5)  16.199 ms  16.203 ms  16.184 ms

FortiGate 40C 特別設定

啟動 SNMP

https://note.chiatse.com/2017/05/08/fortigate-40c-snmp-enable-from-cli/

建立 VLAN

設定 HA

參考手冊 - fortigate-ha-56.pdf
設定前確認
1. 兩台 FortiGate 的 Firmware 版本必須相同 Exp. v5.2.13,build762
2. 兩台 FortiGate 的網路介面要先設定成固定 IP (不要 DHCP / PPPoE), 如果設定 Active-Passive 模式等 HA 建立完成後可再改回 DHCP or PPPoE²⁾
3. 兩台 FortiGate 的設定幾乎相同 (Exp. 只有 hostname / Internal IP 不同 / wan IP 不同)
4. 尚未設定 VDOM / HA CLI 語法
```
get system ha status
```
```
ichiayi-02-FG40C # get system ha status
Model: FortiGate-40C
Mode: standalone
Group: 0
Debug: 0
ses_pickup: disable
number of vcluster: 0
```

預計設定的 HA 架構與模式
- 設定 HA 的模式 : FGCP Active-Active HA (這模式最多可以設定到四台 FortiGate³⁾)
- 配置架構圖

graph TD Internet["Internet"] Router["VDSL Router"] FG1["Fortigate 40c
ichiayi-01-FG40C"] FG2["Fortigate 40c
ichiayi-02-FG40C"] Switch["Internal Switch"] PC1["PC or NB"] AP["Wi-Fi AP"] PC2["PC or NB"] Internet <-->|"WAN"| Router Router -->|"Static IP (wan1)"| FG1 Router -->|"Static IP (wan1)"| FG2 FG1 <-->|"wan2 HA 連線"| FG2 FG1 -->|"Internal"| Switch FG2 -->|"Internal"| Switch Switch --> PC1 Switch --> AP Switch --> PC2 style Internet fill:#e1f5ff,stroke:#333,stroke-width:3px style Router fill:#fff4e1,stroke:#333,stroke-width:2px style FG1 fill:#cce5ff,stroke:#333,stroke-width:2px style FG2 fill:#d4f1d4,stroke:#333,stroke-width:2px style Switch fill:#ffe1e1,stroke:#333,stroke-width:2px style PC1 fill:#f0f0f0,stroke:#333,stroke-width:2px style AP fill:#fff0cc,stroke:#333,stroke-width:2px style PC2 fill:#f0f0f0,stroke:#333,stroke-width:2px

設定方式

每一台都登入啟用 HA CLI 語法

config system ha
set group-id 10
set mode a-a
set hbdev wan2 50
set group-name ichiayi_cluster
set load-balance-all enable
set password **Password**
end

設定好 fortigate 應該會自動重開機
經過一小段時間 HA 燈號會亮起 (如果是綠燈表示 HA 正常, 橘燈表示 HA 異常)

檢查 HA 相關資訊狀態 CLI 語法

get system ha status

Model: FortiGate-40C
Mode: a-a
Group: 10
Debug: 0
ses_pickup: disable
load_balance: enable
load_balance_udp: disable
schedule: Round robin.
upgrade_mode: unset
Master:128 ichiayi-01-FG40C FGT40C391xxxxxx5 1
Slave :128 ichiayi-02-FG40C FGT40C391xxxxxx1 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Master:0 FGT40C391xxxxxx5
Slave :1 FGT40C391xxxxxx1

get system ha

ichiayi-01-FG40C # get system ha
group-id            : 10
group-name          : ichiayi_cluster
mode                : a-a
password            : *
hbdev               : "wan2" 50
session-sync-dev    :
route-ttl           : 10
route-wait          : 0
route-hold          : 10
sync-config         : enable
encryption          : disable
authentication      : disable
hb-interval         : 2
hb-lost-threshold   : 6
helo-holddown       : 20
gratuitous-arps     : enable
arps                : 5
arps-interval       : 8
session-pickup      : disable
update-all-session-timer: disable
session-sync-daemon-number: 1
link-failed-signal  : disable
uninterruptible-upgrade: enable
ha-mgmt-status      : disable
ha-eth-type         : 8890
hc-eth-type         : 8891
l2ep-eth-type       : 8893
ha-uptime-diff-margin: 300
vcluster2           : disable
vcluster-id         : 1
override            : disable
priority            : 128
schedule            : round-robin
monitor             :
pingserver-monitor-interface:
pingserver-failover-threshold: 0
pingserver-slave-force-reset: enable
pingserver-flip-timeout: 60
load-balance-all    : enable

get system status

ichiayi-01-FG40C # get system status
Version: FortiGate-40C v5.2.13,build0762,171212 (GA)
Virus-DB: 52.00006(2017-09-28 20:11)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 12.00234(2017-09-28 01:27)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Serial-Number: FGT40C391xxxxxx5
Botnet DB: 1.00000(2012-05-28 22:51)
BIOS version: 04000006
System Part-Number: P08924-05
Log hard disk: Not available
Internal Switch mode: switch
Hostname: ichiayi-01-FG40C
Operation Mode: NAT
FIPS-CC mode: disable
Current HA mode: a-a, master
Branch point: 762
Release Version Information: GA
System time: Sat Jun 16 16:17:52 2018

連上 Slave 檢查 HA 相關狀態 CLI 語法

execute ha manage 0

ichiayi-01-FG40C # execute ha manage 0


ichiayi-02-FG40C login: admin
Password: ********
Welcome !

get system status

ichiayi-02-FG40C # get system status
Version: FortiGate-40C v5.2.13,build0762,171212 (GA)
Virus-DB: 52.00006(2017-09-28 20:11)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 12.00234(2017-09-28 01:27)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Serial-Number: FGT40C391xxxxxx1
Botnet DB: 1.00000(2012-05-28 22:51)
BIOS version: 04000009
System Part-Number: P08924-09
Log hard disk: Not available
Internal Switch mode: switch
Hostname: ichiayi-02-FG40C
Operation Mode: NAT
FIPS-CC mode: disable
Current HA mode: a-a, backup
Branch point: 762
Release Version Information: GA
System time: Sat Jun 16 16:20:05 2018

~~如果沒問題, 就可以將 wan1 改成 PPPoE 模式, 以及 Internal 啟動 DHCP Server~~⁴⁾

如果對自動選擇的 Master 不滿意, 可以透過設定 priority 來指定(越大的數值優先當 Master) Exp. CLI語法連入後先將 Master 設定 200

config system ha
set priority 200
end

切換到 Slave 設定 255(最大值)

execute ha manage 1
 
config system ha
set priority 255
end

會斷掉一下, 重新登入後可以看到已經切換

TPFortiGate40C-1 # get system ha status
Model: FortiGate-40C
Mode: a-a
Group: 10
Debug: 0
ses_pickup: disable
load_balance: enable
load_balance_udp: disable
schedule: Round robin.
upgrade_mode: unset
Master:255 TPFortiGate40C-1 FGT40C391xxxxxx7 1
Slave :200 TPFortiGate40C-2 FGT40C391xxxxxx1 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Master:0 FGT40C391xxxxxx7
Slave :1 FGT40C391xxxxxx1
<file>

取消(解除) HA 設定
- 直接連入要移除的那台 fortigate 執行系統重設 CLI語法
```
exec factoryreset 
```
```
ichiayi-02-FG40C # exec factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n)y
```
- 連入將 ha mode 設定 standlone CLI語法
```
config system ha
set mode standalone
end
```
  這樣設定之後, 就解除掉 HA 模式, 每一台 fortigate 的 internal / wan1 IP 都相同, 所以可以透過 Internal IP 連入的是 master 那台, 若想在遠端以原本 Internal IP 連上其他 slave 必須將可連入的 fortigate 修改 Internal IP 就能用原本 Internal IP 連入.

參考網址

firewall, fortigate

¹⁾

免費只能建立一組, 預設是 full-access

²⁾

fortigate-ha-56.pdf Page.28

³⁾

fortigate-ha-56.pdf Page.24

⁴⁾

Active-Active 模式 wan1 介面無法使用 PPPoE