Category Archives: Fortigate

Fortigate Netflow & Sflow

Note that NetFlow is configurable only from the CLI, so make sure that Telnet, SSH or console access to the CLI is working.

• Configuring the Netflow collector IP (192.168.131.93 is the SolarWinds collector):
config system netflow
set collector-ip 192.168.131.93
set source-ip 172.30.34.131
set active-flow-timeout 1
end

• Enabling Netflow on the interface (NET-406 is the Internet interface; "both" samples RX and TX):
config system interface
edit NET-406
set netflow-sampler both
next
end

• The NTA default port, 2055, should be allowed on the collector.
• Add the Fortigate device and the specific port in NTA.
• Verification:
show system interface NET-406
show system netflow
diagnose sniffer packet any 'port 2055'

Configuring the sFlow collector:

config system sflow
set collector-ip 10.0.0.50
set collector-port 6343
end

Then for each interface:

config system interface
edit <interface-name>
set sflow-sampler enable
set sample-rate 512
set sample-direction both
set polling-interval 30
next
end

http://kb.fortinet.com/kb/documentLink.do?externalID=FD32024

Fortigate Syslog servers

Configuring logging to multiple Syslog servers
When configuring multiple Syslog servers (or one Syslog server), you can configure reliable
delivery of log messages from the Syslog server. Configuring of reliable delivery is available only
in the CLI.
If VDOMs are enabled, each VDOM will use the default FortiAnalyzer/Syslog server, but an
individual override can be enabled in the CLI, allowing you to specify a different
FortiAnalyzer/Syslog server for that VDOM.
To enable logging to multiple Syslog servers

1. Log in to the CLI and enter the following commands:
config log syslogd setting
set csv {disable | enable}
set facility <facility_name>
set port <port_integer>
set reliable {disable | enable}
set server <ip_address>
set status {disable | enable}
end
Fortinet Technologies Inc. Page 47 FortiOS™ Handbook – Logging and Reporting for FortiOS 5.0

2. Enter the following commands to configure the second Syslog server:
config log syslogd2 setting
set csv {disable | enable}
set facility <facility_name>
set port <port_integer>
set reliable {disable | enable}
set server <ip_address>
set status {disable | enable}
end

3. Enter the following commands to configure the third Syslog server:
config log syslogd3 setting
set csv {disable | enable}
set facility <facility_name>
set port <port_integer>
set reliable {disable | enable}
set server <ip_address>
set status {disable | enable}
end

Most FortiGate features are, by default, enabled for logging. You can disable individual
FortiGate features you do not want the Syslog server to record, as in this example:

config log syslogd filter
set traffic {enable | disable}
set web {enable | disable}
set url-filter {enable | disable}
end

To enable/disable override settings per-VDOM
config log fortianalyzer override-filter
set override {enable | disable}

end

config log fortianalyzer override-setting
set override {enable | disable}

end

config log syslogd override-filter
set override {enable | disable}

end

config log syslogd override-setting
set override {enable | disable}

end

http://docs.fortinet.com/uploaded/files/1084/fortigate-loggingreporting-509.pdf

Fortinet Management via WAN Port

Step 1: Allow HTTPS on Management Interface
In the GUI, go to Network > Interfaces and, in the Administrative Access section, allow HTTPS.

Step 2: Permit Public IP Addresses
In the GUI, go to System > Administrators, enable Restrict login to trusted hosts and specify the public IP addresses from which you will access the firewall. Do not forget to add your internal hosts; otherwise you will lose connectivity to the firewall from them.

Step 3: Change default HTTPS port to 444
In the GUI, go to System > Settings > FortiCloud and change the default HTTPS port from 443 to 444.
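
A check for Steps 1 to 3, added here as an example and not part of the original post: the Python script below reads a FortiGate configuration backup and reports cleartext admin protocols on the WAN interface, administrator accounts without trusted hosts, and an HTTPS admin port still at 443. The interface name wan1 and the sample configuration are assumptions constructed for illustration.

```python
# Constructed sample in FortiOS backup syntax; names and addresses are made up.
SAMPLE = """
config system global
    set admin-sport 444
end
config system interface
    edit "wan1"
        set allowaccess ping https telnet
    next
end
config system admin
    edit "admin"
        set trusthost1 198.51.100.7 255.255.255.255
    next
    edit "backup"
    next
end
"""

def parse(text):
    """Return {section: {entry: {key: [values]}}} for top-level config blocks."""
    tree, section, entry, depth = {}, None, "", 0
    for raw in text.splitlines():
        tok = [t.strip('"') for t in raw.split()] or [""]  # names with spaces not handled
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                section, entry = " ".join(tok[1:]), ""
                tree.setdefault(section, {})
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = tok[1]
            tree[section].setdefault(entry, {})
        elif depth == 1 and tok[0] == "set":
            tree[section].setdefault(entry, {})[tok[1]] = tok[2:]
    return tree

def audit(text, wan="wan1"):
    """List deviations from Steps 1-3 for the interface named `wan` (assumed name)."""
    cfg, out = parse(text), []
    access = cfg.get("system interface", {}).get(wan, {}).get("allowaccess", [])
    out += [f"{wan}: cleartext {p} allowed" for p in ("telnet", "http") if p in access]
    for name, adm in cfg.get("system admin", {}).items():
        if all(v == ["0.0.0.0", "0.0.0.0"] for k, v in adm.items() if k.startswith("trusthost")):
            out.append(f"admin {name}: no trusted hosts")
    port = cfg.get("system global", {}).get("", {}).get("admin-sport", ["443"])[0]
    if "https" in access and port == "443":
        out.append(f"{wan}: HTTPS admin port still 443")
    return out
```

Every administrator account is checked because the trusted-host restriction only closes the login page to other sources when all accounts have trusted hosts set.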

Fresh from the box Fortigate

1. Register your device.
http://help.fortinet.com/coyotepoint/10-3-2/Content/Install/E300_Register.htm

2. Run HQIP Test.
http://wiki.diagnose.fortinet.com/index.php/Running_an_HQIP_(Hardware_Quick_Inspection_Package)_test

Download HQIP:
https://support.fortinet.com/Download/HQIPImages.aspx

Steps:
https://samuellasmana.wordpress.com/2015/06/01/how-to-perform-hqip-test/

3. Migrate your configuration from the old appliance if needed.
Options are:
1. FortiConverter.
2. Modify the configuration header.
3. Enter the configuration manually.