
Posts

Fortigate Parallel Redundancy Protocol

Parallel Redundancy Protocol (PRP) is a standard network protocol for Industrial Ethernet. Defined in IEC 62439-3, Parallel Redundancy Protocol provides seamless failover against the failure of any single network component, without a single point of failure. It is more efficient than STP/RSTP and has the advantage of zero downtime. PRP is supported on the following devices: FortiGate Rugged 30D, FortiGate Rugged 35D and FortiGate Rugged 90D. To allow the firewalls to be integrated into a network that uses PRP as its redundancy algorithm, we need to enable the following setting:

    config system setting
        set keep-prp-trailer [enable/*disable]
    end

Integration diagram (figure)

Fortigate: disabling the RPF check

RPF (Reverse Path Forwarding) protects against IP spoofing attacks by checking whether there is an active route back to the source IP through the input interface. Although RPF can be disabled in the ways shown below, it is a security mechanism whose deactivation is not recommended. When we allow asymmetric routing, RPF validation is prevented on the system and the FortiGate is turned from a stateful into a stateless firewall. The command to allow asymmetric routing is:

    config system setting
        set asymroute enable
    end

From firmware 5.6 onward, we can disable the RPF check at the interface level with the following commands:

    config system interface
        edit <interface>
            set src-check disable
        next
    end

FortiOS 6.0 VRF support

Version 6.0 introduced VRF support as a new feature. This new functionality can be an alternative to using VDOMs in cases where separation and isolation of routing tables is required, provided the use case fits the constraints of the VRF implementation in FortiOS. Main characteristics of the VRF configuration in FortiOS 6.0:

- Counting the default VRF, up to 32 VRFs per VDOM are currently supported.
- VRF names are not supported; a VRF can only be identified by its ID (between 0 and 31).
- Basic support for overlapping address spaces between VRFs.
- OSPF multi-instance with global parameters (no per-instance configuration).
- Support for static routes and static blackhole routes.
- IPsec/GRE support for virtual routing scenarios.
- Supported only on models running the Linux 3.2 kernel (#fnsysctl cat /proc/version).

Configuring VRF in FortiOS: one of the multiple use cases of the VRF implementation is the followi...

FortiOS 6.0: defining the source IP for SD-WAN monitoring

In some scenarios, in order to monitor the state of the links used in the SD-WAN interface correctly, we need to set the source IP from which this monitoring is performed. This option is configured from the CLI as follows:

    config system virtual-wan-link
        config members
            edit 1
                set source <x.x.x.x>
            next
        end
    end

Fortigate: controlling how a dynamic routing change affects active sessions

Dynamic routing changes can occur while traffic is active on the FortiGate. These changes can affect the routes used by active sessions, which is why such sessions are called "dirty sessions". We can control the behaviour of these sessions ahead of a dynamic route change: for active sessions we can choose to keep the original routing, or apply the changes in the routing table to those sessions so that they pass through the new next hops. The default value (enable) of the following CLI setting allows active sessions to finish without being affected by dynamic routing changes:

    config system interface
        edit <interface_name>
            set preserve-session-route {enable | disable}
        next
    end

Fortigate: improved DNS filtering performance

With version 6.0.3, FortiGate improved the performance of the DNS filtering engine. In previous versions there was a single process responsible for handling all DNS filtering requests; now up to four DNS proxy workers can be configured. This DNS proxy process is responsible for handling the DNS requests that pass through the DNS filtering engine. By default there is a single process responsible for handling all traffic. To increase capacity, it can be configured with the following command:

    config system global
        set dnsproxy-worker-count 4
    end

Testing communication between Fortigate and FortiAnalyzer or local logging

Sometimes it is necessary to prove that communication between the FortiGate and FortiAnalyzer, or with the FortiGate's own local logging, is working. There is a CLI command on the FortiGate that generates a log entry for each of its functions; in this way a dummy entry is created for Traffic, Antivirus, IPS, etc., so that the logging path can be verified.

Command

    diagnose log test 1

CLI output

    generating a system event message with level - warning
    generating an infected virus message with level - warning
    generating a blocked virus message with level - warning
    generating a URL block message with level - warning
    generating a DLP message with level - warning
    generating an IPS log message
    generating an anomaly log message
    generating an application control IM message with level - information
    generating an IPv6 application control IM message with level - information
    generating deep application control logs with level - information
    generating an antispam message with level - notification
    generating an allo...

Fortigate: flush/reset commands for IPsec tunnels

How are blocked SA sessions deleted?

Flush tunnel

To flush a tunnel we can use the following command:

    diag vpn tunnel flush <PhaseName1>

Reset tunnel

It is also possible to reset the tunnel; in this case the FortiGate completely renegotiates the IPsec VPN.

    diag vpn tunnel reset <PhaseName1>

Note: specifying the phase1 name is very important; without it, the FortiGate performs a reset of ALL tunnels.

Testing the connection between FortiMail and FortiSandbox

With the following FortiMail CLI command you can verify that the connection to FortiSandbox is working correctly:

    diagnose test application fortisandbox connectivity

If communication is established, it returns the following message:

    diag test application fortisandbox connectivity
    System Time: 2018-09-20 19:02:38 CEST (Uptime: 38d 2h 40m)
    connected to fortisandbox server
    total detected malware: 0
    total clean files: 0
    total low risk files: 0
    total medium risk files: 0
    total high risk files: 0

If there are communication problems, it returns this error message:

    diag test application fortisandbox connectivity
    System Time: 2018-09-20 18:57:47 CEST (Uptime: 38d 2h 35m)
    test failed: connection to sandbox server is broken

Fortigate: running scripts

Within FortiOS it is possible to run small scripts on a defined schedule, which can be very useful in certain situations. The syntax of the commands is described at https://docs.fortinet.com, and inside these scripts we can run specific FortiOS commands (backups, diagnostics, configuration, etc.). They can also be very useful for different purposes (backups, restarting processes, equipment, monitoring commands, traffic generation, etc.).

    config system auto-script
        edit "backup"
            set interval 1
            set repeat 0
            set start auto
            set script "execute backup config ftp backup.conf 1.1.1.1 test test "
        next
    end

    config system auto-script
        edit "backupvdom"
            set interval 120
            set repeat 0
            set start auto
            set script "
    config global
    execute backup config ftp backup.conf 10.10.10.2 test test"
        next
    end

    config system auto-script
        edit "reiniciaproceso"
            set interval 43200
            set repeat 356
            set start auto
            set s...

FortiSandbox device registration

By default, FortiSandbox requires every device that can send samples to the system for analysis to be authorized. However, with the following CLI command it can be configured to automatically authorize every new device that sends samples to the system:

    device-authorization -e -a

On the other hand, with this CLI command you can check how the devices are authorized and configured:

    device-authorization -l

FortiWeb 6.0 Artificial Intelligence

In FortiWeb version 6.0, the self-learning module has been rewritten from the ground up. The new learning module is based on artificial intelligence, specifically machine learning, and FortiWeb was the first WAF (Web Application Firewall) to use this technology. Unlike other WAFs, the self-learning module learns without interruption: when new applications are added or previously learned applications change (new forms, parameters, URLs, etc.), the self-learning module adapts to those changes.

Limitations of traditional WAFs

A traditional WAF learns in a first phase, and then a protection profile based on that learning is applied. If an application changes, the WAF does not automatically adapt to those changes. WAFs that base their security on signatures are prone to evasion, since they rely on regular expressions. In addition, this approach produces many false positives, increasing the hours devoted to operating the WAF platform.

Operation method

Anomaly detection phase

Fort...

Verifying cables with FortiSwitch

FortiSwitch has a command that allows you to verify the condition of the cables; it reports one of the following states:

- Open (when the cable is not connected)
- Short
- OK
- Open_Short
- Unknown
- Crosstalk

CLI command

    diagnose switch physical-ports cable-diag <name of physical port>

Example

    # diagnose switch physical-ports cable-diag port1
    port1: cable (4 pairs, length +/- 10 meters)
    pair A Open, length 0 meters
    pair B Open, length 0 meters
    pair C Open, length 0 meters
    pair D Open, length 0 meters

Note: when this command is executed, the switch interrupts service on the port in order to run the tests on the cable, so it is recommended to run the command in a maintenance window.
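Because the cable test is disruptive, it is worth collecting its output once per maintenance window and reducing it to a verdict rather than reading pair lines by hand. The following Python script is an added example, not part of the original post or of any Fortinet tool: it parses reports shaped like the port1 output above (the two sample reports are constructed, including a hypothetical port2 with a wiring fault), validates the pair states against the six states listed above, and classifies each port as disconnected, ok or faulty.

```python
import re

# Constructed sample with the same shape as the cable-diag output shown above
# (the port1 example); not captured from a real switch.
SAMPLE_DISCONNECTED = """\
port1: cable (4 pairs, length +/- 10 meters)
pair A Open, length 0 meters
pair B Open, length 0 meters
pair C Open, length 0 meters
pair D Open, length 0 meters
"""

# Second constructed sample: a hypothetical port2 with faults on pairs B and D.
SAMPLE_FAULT = """\
port2: cable (4 pairs, length +/- 10 meters)
pair A OK, length 23 meters
pair B Short, length 4 meters
pair C OK, length 23 meters
pair D Crosstalk, length 23 meters
"""

# The six states the command can report, as listed in the post.
KNOWN_STATES = {"Open", "Short", "OK", "Open_Short", "Unknown", "Crosstalk"}
HEADER_RE = re.compile(r"^(\S+): cable \((\d+) pairs, length \+/- (\d+) meters\)\s*$", re.M)
PAIR_RE = re.compile(r"^pair ([A-D]) (\S+), length (\d+) meters\s*$", re.M)


def parse_cable_diag(text):
    """Parse one cable-diag report into a dict.

    Returns {'port': name, 'pairs': n, 'tolerance_m': m,
             'results': {'A': (state, length_m), ...}}.
    Raises ValueError on a missing header, an unknown pair state,
    or a pair count that does not match the header.
    """
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no cable-diag header line found")
    port, pairs, tolerance = header.group(1), int(header.group(2)), int(header.group(3))
    results = {}
    for pair, state, length in PAIR_RE.findall(text):
        if state not in KNOWN_STATES:
            raise ValueError(f"unknown pair state {state!r} on {port} pair {pair}")
        results[pair] = (state, int(length))
    if len(results) != pairs:
        raise ValueError(f"{port}: header announces {pairs} pairs, parsed {len(results)}")
    return {"port": port, "pairs": pairs, "tolerance_m": tolerance, "results": results}


def classify(report):
    """Reduce a parsed report to one verdict.

    'disconnected' when every pair is Open (nothing plugged in),
    'ok' when every pair is OK, otherwise 'fault' plus the offending pairs.
    """
    states = {pair: state for pair, (state, _) in report["results"].items()}
    if all(s == "Open" for s in states.values()):
        return "disconnected", []
    if all(s == "OK" for s in states.values()):
        return "ok", []
    bad = sorted(p for p, s in states.items() if s != "OK")
    return "fault", bad


if __name__ == "__main__":
    for sample in (SAMPLE_DISCONNECTED, SAMPLE_FAULT):
        rep = parse_cable_diag(sample)
        print(rep["port"], classify(rep))
```

Feed it the captured CLI text of one port per call; a report whose pair lines do not match the header, or that carries a state outside the documented set, is rejected rather than silently classified, so a changed output format shows up as an error instead of a false "ok".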

FortiOS 6.2

FortiOS 6.2, the new version of Fortinet's operating system, has been released. The new version introduces more than 120 new features, which improve different aspects of the operating system in the following components:

Security Fabric

- Security Fabric support for VDOMs
- Support for new Security Fabric members: FortiMail, FortiWeb, FortiADC, FortiDDoS, FortiWLC
- Support for new Fabric Connectors
- Support for multiple connections to the same cloud type (for example, connections to two different environments in Azure or AWS)
- Support for new cloud connections: AWS cloud environments, Alibaba AliCloud, VMware ESXi and vCenter, Azure Stack, OpenStack and Kubernetes, Azure, Oracle, Google GCP or private cloud.
- Ability to block traffic at the IP, DNS (DNS filter) or URL (web filter) level through dynamic categories built from external feeds.

SD-WAN

- Improvements in IPsec, including tunnel aggregation and per-packet load balancing.
- New FEC functionality (Forward...

Fortigate One-Click VPN (OCVPN)

A new service known as "Cloud-Assisted One-Click VPN" (OCVPN) has been available since version 6.0. OCVPN is a cloud-based solution that greatly simplifies the provisioning and configuration of IPsec VPNs. The administrator activates OCVPN with one click, adds the required subnets, and the configuration is complete. The OCVPN solution automatically updates each FortiGate, creates the VPNs between the registered units, and adapts the service automatically even if one of the units uses a dynamic IP and changes its WAN IP. The service has the following limitations:

- The FortiGate firewall must have a valid FortiCare support license.
- Only full-mesh VPN configurations using PSK authentication are supported.
- Public IP addresses must be used (a FortiGate cannot join from behind a NAT router).
- Non-root VDOMs and FortiGate VMs are not supported.
- Up to 16 nodes can be added to the OCVPN cloud, each consisting of up to 16 subnets.

You can find the details of the configuration...

Fortinet Authentication options

Fortinet has multiple authentication solutions across its FortiGate and FortiAuthenticator products, but deciding which solution is best for each environment can be difficult. We go over the different options in this post.

Authentication methods

FG with captive portal

This is explicit (not transparent) authentication, but no infrastructure is required and it can even work without LDAP or RADIUS. Recommended for guest networks or low-infrastructure environments.

FG with LDAP polling

This is the most basic SSO solution: only the firewall polls LDAP to check user names. It has the advantage of not needing to deploy agents; the disadvantage is that it is limited in very large or complex environments, so it is often used in small deployments.

FG with DC agent (TS agent and other agents)

In this deployment, specific agents are installed on domain controllers and terminal servers to track users' movements. The collector (deployed on a server or Windows PC) is responsible for collecting all users...

Modify FortiGate HA Link-Failed-Signal and MAC address tables

The "link-failed-signal" command allows us to force the switches adjacent to the FortiGate cluster unit to refresh their MAC tables, which is useful when the switches do not refresh their MAC tables correctly on their own. Normally, after a link failover, the new primary sends gratuitous ARP (GARP) packets to refresh the MAC forwarding tables of the switches connected to the cluster. In some cases the switches ignore the GARP packets and keep referencing the MAC address learned on the old port, so the failover fails from the switch's point of view and it continues to send packets to that port. The following command controls whether a cluster unit that loses the link on a monitored interface brings down all of its interfaces (except the heartbeat interfaces and the HA management interfaces) after the link failure occurs:

    config system ha
        set link-failed-signal enable
    end

If the cluster units are managed through a management interface, that interface must be specified as the HA management interface; otherwise the port through which they are managed also goes down.

    config system ha
        set link-failed-signal enable
        en...

Secure deletion of Data on FortiAnalyzer hard drives

Secure deletion of data from the hard disks of a FortiAnalyzer can be achieved with a CLI command. What the command actually does is overwrite every sector of the hard disk with random data. As an option, the command lets us choose the number of iterations, up to 35, to perform on the hard drive to ensure that the data cannot be recovered. The command that performs this secure erase is as follows:

    execute format disk deep-erase [ number_iterations ]

FortiGate EDNS Support

Extension Mechanisms for DNS (EDNS) is a feature that expands the size of several DNS protocol parameters that have size restrictions, allowing increased protocol functionality. The first set of extensions was published by the IETF as RFC 2671 (also known as EDNS0) in 1999. EDNS0 allows DNS UDP messages longer than 512 bytes. Some firewalls may block such messages, assuming that the maximum size of a DNS message is 512 bytes. Since version 5.2, FortiGate supports EDNS0 and DNS messages longer than 512 bytes.
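The 512-byte limit and the way EDNS0 lifts it are easier to reason about at the packet level. The following Python script is an added example, not code from the original post or from Fortinet: it builds a minimal DNS query with and without the EDNS0 OPT pseudo-record (RFC 6891 wire format: root name, TYPE 41, the CLASS field carrying the advertised UDP payload size, a zero TTL field and empty RDATA), and reads the advertised size back out of a message, which is what a firewall has to look at before deciding that a DNS datagram longer than 512 bytes is illegitimate. The query name and transaction ID are constructed values.

```python
import struct

DNS_TYPE_OPT = 41          # OPT pseudo-RR type (RFC 6891)
CLASSIC_UDP_LIMIT = 512    # RFC 1035 maximum UDP payload without EDNS


def encode_name(name):
    """Encode a dotted name as DNS labels terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        lab = label.encode("ascii")
        out += bytes([len(lab)]) + lab
    return out + b"\x00"


def build_query(qname, qtype=1, edns_payload=None, txid=0x1234):
    """Build a standard DNS query; with edns_payload set, append an EDNS0 OPT record.

    txid and qname are constructed sample values for the example.
    """
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1, 1 question
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)       # QTYPE, QCLASS=IN
    msg = header + question
    if edns_payload:
        # OPT RR: NAME = root (0x00), TYPE = 41, CLASS = advertised UDP payload size,
        # TTL field = extended RCODE(8) | EDNS version(8) | flags(16) = 0, RDLENGTH = 0
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_payload, 0, 0)
    return msg


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg):
    """Return the UDP payload size advertised by an OPT record, or 512 if there is none."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4               # QTYPE + QCLASS
    for _ in range(an + ns):                        # normally absent in a query
        off = skip_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            return rclass                           # CLASS field carries the size
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT


def exceeds_classic_limit(msg):
    """True when the sender asks for responses a pre-EDNS firewall would consider oversized."""
    return advertised_udp_size(msg) > CLASSIC_UDP_LIMIT


if __name__ == "__main__":
    plain = build_query("example.com")
    edns = build_query("example.com", edns_payload=4096)
    print(len(plain), advertised_udp_size(plain), exceeds_classic_limit(plain))
    print(len(edns), advertised_udp_size(edns), exceeds_classic_limit(edns))
```

The query itself only grows by the 11-byte OPT record; what changes is the size of the response the client is willing to receive, which is why a device that enforces the old 512-byte ceiling on UDP DNS truncates or drops otherwise valid EDNS0 responses.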

FortiMail Protection profile changes

From FortiMail's graphical interface you can change all kinds of settings for multiple profiles at once; this process is called "Batch Edit". It can be applied to Session, AntiSpam, Antivirus, Content and Resource profiles. The only requirement for a "Batch Edit" on multiple profiles is that they all belong to the system category or to the same domain. For example, if we want to disable the Greylist option of several AntiSpam profiles at once, we can do the following:

- In the list of profiles, select the ones we want to change while holding the Shift or Control key.
- Once all are selected, click "Batch Edit".
- Disable the profile's Greylist option.
- If we click "Apply To All", the change is applied to all selected AntiSpam profiles.
- If we click "Apply" instead, the selected profiles are shown one after another, and each can be modified individually.

Automation rules for Fortigate Conserve Mode and High CPU

Version 6.0 introduced automation rules, which allow a series of actions to be automated in response to certain events. Examples are quarantining a device when it is detected as compromised, or sending a log via API (webhook) when a particular event log is created. There are two types of triggers that cannot be configured from the graphical interface but can be configured from the CLI; the configuration made on the CLI side is then reflected in the GUI. These triggers fire when the CPU reaches very high values or when the unit enters conserve mode because of high memory usage. To configure them, we run the following commands from the CLI:

- high-cpu
- low-memory

    config system automation-trigger
        edit "cpu"
            set event-type high-cpu
        next
        edit "memoria"
            set event-type low-memory
        next
    end

Once the trigger is configured, we create a new automation rule and associate it with the trigger configured in the ...

What's new with FortiADC version 5.2

Server load balance

- Content routing support for L2 TCP/UDP/IP virtual servers: routing can be determined according to the source addresses
- L7 virtual server for FTP with Full NAT, DNAT and transparent mode support
- Support for health checks of Oracle DB on virtual servers
- Proxy replacement for ADFS is complete

Enhancements for SIP virtual servers

- Support NAT of media server address
- Keep client address of UDP traffic for SIP server

New functions for scripts created in FortiADC

- Authentication event and operation
- Cookie encrypt/decrypt
- AES encrypt/decrypt
- URL encode/decode/parse
- Base32
- File operation
- Random generation
- get_pid
- HTTP:respond

Global load balance

- New distribution method based on CPU and server memory usage: the "Server-Performance" method dynamically sends the DNS request to the server with the lowest CPU/memory usage.

Security

- New JSON schema validation functionality, added to the XML validation feature already available in previous versions.
- Support for blacklists based on IP reputation

It is possible t...

Fortigate SSL mirroring explicit proxy/SSL inspected traffic

SSL inspection on FortiGate is a mechanism that can be used to protect and inspect the content of encrypted sessions, finding and blocking threats. SSL inspection protects not only against attacks using HTTPS, but also against other commonly used encrypted protocols such as SMTPS, POP3S, IMAPS and FTPS. Full SSL inspection (deep inspection) should be used to ensure that all encrypted content is inspected. When SSL inspection is used, the FortiGate acts as the receiver of the source SSL session, decrypting and inspecting its content; the content is then re-encrypted, a new SSL session is established between the FortiGate and the receiver by impersonating the sender, and the content is delivered free of threats. It is possible to "mirror", that is, send a copy of the traffic decrypted by SSL inspection to one or more FortiGate interfaces, so that the traffic can be collected by a raw packet capture tool for archiving or analysis. Mirroring occurs after the traffic is processed by the SSL decoder and at the s...

Extended Logs in FortiOS 6.0 Protection profiles

From FortiOS 6.0 onward, "extended logs" in the IPS, Antivirus, Web Filter, Application Control and DLP protection profiles must be enabled with CLI commands. Extended logs mean more domains, more traffic details, and the HTTP method used, User-Agent, content type, etc., allowing us to see the requests. They can be enabled in flow mode for the Application Control, IPS, Antivirus, Web Filter and DLP profiles. To enable extended logs, we make the necessary setting from the CLI in each security profile where we want them. Here are the examples to enable them in each of the profiles and sensors.

Application Control

    config application list
        edit "nombre_perfil"
            set extended-log enable
        next
    end

IPS

    config ips sensor
        edit "nombre_sensor"
            set extended-log enable
        next
    end

Antivirus

    config antivirus profile
        edit "nombre_perfil"
            set extended-log enable
        next
    end

Web Filter

    config webfilter profile
        edit "nombre_perfil"
            set in...

Fortigate HA Sync troubleshooting

When there is a problem with HA (High Availability) synchronization, there is a command that tells us which part of the configuration is not synchronized correctly. HA checksums are organized into sections and subsections. With the "diagnose sys ha checksum show" command we can view the hash values of the global configuration and of the root VDOM configuration. Running this command on the cluster nodes, if we notice a difference in any of the values, we can tell that something is out of sync.

CLI

    diagnose sys ha checksum show [global | root | all] [element name]

For example, if we have seen different hashes or checksums for the global section, we can verify which items in the global section are not synchronized by running "diagnose sys ha checksum show global" on all nodes. If we verify that the system.global hash differs between nodes, we can continue examining with "diagnose sys ha checksum show global system.global", which shows the general settings...
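Comparing checksum listings from several nodes by eye is error-prone once the section list gets long, so the drill-down the post describes (global, then the differing section, then its element) benefits from a small helper. The following Python script is an added example, not part of the original post or a Fortinet tool: it takes the text of "diagnose sys ha checksum show global" captured from each node, parses lines of the assumed shape "section.name: <hex checksum>" (the two node captures below are constructed samples, and the exact spacing of real output may differ, which the parser tolerates by ignoring spaces inside the hex value), and reports only the sections whose checksum differs or is missing on some node.

```python
import re

# Constructed samples shaped like "diagnose sys ha checksum show global" collected
# from two cluster nodes; the section names and hex values are made up for the example.
NODE_PRIMARY = """\
system.global: 1a 2b 3c 4d 5e 6f 70 81 92 93 a4 b5 c6 d7 e8 f9
system.interface: 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
firewall.policy: 0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f0
router.static: ab ab ab ab ab ab ab ab ab ab ab ab ab ab ab ab
"""

NODE_SECONDARY = """\
system.global: 1a 2b 3c 4d 5e 6f 70 81 92 93 a4 b5 c6 d7 e8 f9
system.interface: ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00
firewall.policy: 0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f0
"""

# Assumed line shape: "<section>: <hex bytes, optionally space-separated>".
LINE_RE = re.compile(r"^\s*([\w.\-]+):\s*([0-9a-fA-F][0-9a-fA-F ]*)\s*$", re.M)


def parse_checksums(text):
    """Map each section name to its normalized (lowercase, space-free) checksum."""
    return {name: value.replace(" ", "").lower() for name, value in LINE_RE.findall(text)}


def out_of_sync(node_outputs):
    """Return {section: [checksum per node]} for every section that is not identical
    on all nodes; a section absent on a node is recorded as None, which also counts
    as a mismatch. An empty dict means the captured sections are in sync.
    """
    tables = [parse_checksums(text) for text in node_outputs]
    sections = set().union(*tables)
    report = {}
    for section in sorted(sections):
        values = [table.get(section) for table in tables]
        if len(set(values)) > 1:
            report[section] = values
    return report


if __name__ == "__main__":
    for section, values in out_of_sync([NODE_PRIMARY, NODE_SECONDARY]).items():
        print(section, values)
```

Run it with one capture per node, in the order you want the columns reported; every section it names is the next "element name" to pass to the show command for a closer look.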

Association between Fortigate NAT IPPool and SD-WAN

SD-WAN functionality enables the FortiGate to choose the best WAN output for an application and to apply other QoS and security features. At the security-policy level it is also very simple to manage, because as the destination interface it is only necessary to specify "SD-WAN", which contains all the WAN interfaces that make it up (for practical purposes it works like a zone). It is common for these SD-WAN security policies to enable outbound NAT, and the FortiGate gives us the option of leaving with the IP of the exit interface or with an IP pool. However, if you do not associate each IP pool with an interface, connection errors will occur, because the FortiGate will assign that IP pool without regard to the exit interface. The way to solve this is to associate the IP pool objects with a WAN interface; this way the FortiGate knows which one to use at any given moment for each WAN interface of the SD-WAN. This example is done via the CLI.

    config firewall ippool
        edit "IPPOOL-WAN1"
            set startip 1.1.1.1
            se...

Fortigate SD-WAN and snat-route-change parameter

It is recommended to enable the snat-route-change setting where security policies implement source NAT (common on Internet access and SD-WAN), because when it is enabled the routing information of a source-NAT session is removed from the session table after a route change. Once the session is no longer tied to its previous route, SD-WAN sessions can be fully re-evaluated and redirected when an SD-WAN rule changes (for example, because latency increases on one of the SD-WAN links), without waiting for the session to expire. With this setting disabled (the default), after a routing change the sessions created with SNAT continue to use the same exit interface as long as the previous route is still active, or until the session expires, even though that route is no longer optimal.

    config system global
        set snat-route-change enable
    end

News from FortiAuthenticator 6.0

The main change is that it now has the same look and feel (GUI) as the rest of the Fortinet products. There are, however, other interesting new features:

SAML IdP proxy

Transparent authentication: the SAML protocol allows browsers to perform SSO. FAC can act as SP (requesting authentication) or as IdP (providing it). As of 6.0, it can also act as a proxy IdP; the aim is to be able to provide 2FA without having to change the cloud providers' IdPs.

LDAP user-sync improvements

You can now also assign a role when users are synced.

OATH server

Third-party tokens can now be verified with OATH via the REST API.

Integration with FortiNAC

SSO monitoring improvements

Customizable FAC error pages

In addition to the customizable messages (registration, token delivery, user portal, etc.), you can now customize the 500, 503, 404 and 403 error pages.

Integration with FortiOS

From FortiOS 6.2, the user information, authentication and status of the FAC can be seen in Fort...

FortiMail TLS 1.1 and TLS 1.0

As of FortiMail 6.0.4, the encryption level supported for both HTTPS (administrative) connections and SMTP connections can be configured in detail. The configuration is done from the CLI as follows.

Admin/global access control

    config system global
        set ssl-versions tls1_0 tls1_1 tls1_2
    end

Mail control

The following controls the connections from FortiMail to other gateways:

    config system security crypto
        edit mail
            set ssl-versions tls1_1 tls1_2
        next
    end

In the initial configuration we leave TLS 1.0, TLS 1.1 and TLS 1.2 all open for administrative access, but for SMTP mail connections only TLS 1.1 or TLS 1.2 is supported.