Category Archives: Fortinet

Install Public SSL Certificate on Fortigate

Installing a GoDaddy certificate on your Fortigate is fairly straightforward. Perform the following steps:

1) Log into the Fortigate. On the main dashboard, under ‘Features’, be sure to enable the ‘Certificates’ option. It will then display in the left sidebar.

2) Go to System > Certificates > Local Certificates.

3) Click Generate. Fill in the fields:

Certificate Name: vpn.domain.com
Subject Information
    ID Type: Domain Name
    Domain Name: vpn.domain.com
Key Type: RSA
Key Size: 2048
Enrollment Method: File Based

4) Click OK.

5) Highlight the newly created entry in Local Certificates and download it. Open the downloaded file with Notepad to grab the CSR (the block between the BEGIN and END CERTIFICATE REQUEST lines). Use this CSR to request your certificate from GoDaddy. The private key never leaves the Fortigate; only the CSR is sent.

6) Once GoDaddy has issued the certificate, download the IIS package from GoDaddy. It contains your server certificate plus GoDaddy’s intermediate CA bundle. Return to the Local Certificates section of the Fortigate, select ‘Import’, and choose the newly downloaded server certificate. The import is matched against the pending CSR entry, so it only succeeds if the certificate was issued for the key generated in step 3; if GoDaddy re-keyed the certificate, generate a fresh CSR and have it reissued. Import the intermediate bundle separately under System > Certificates > CA Certificates so clients receive the full chain, then select the new certificate as the server certificate in the SSL-VPN settings so the portal stops presenting the factory self-signed one.

Fortigate 60D – Enable Disk Logging

**UPDATE: This only works for 60Ds running 5.0.7 or earlier. Disk logging on the lower-end models has been disabled in the 5.2.x code base. You either log to RAM (which is reset upon device reboot) or log to FortiCloud, where you can get 1GB of space free upon signup.***

Enabling logging to the local disk on a Fortigate takes a combination of GUI settings and CLI commands.

1) Go to System > Config > Advanced. Allocate a portion of the local disk to be used for logging. I chose to allot 2GB:

2) Go to the Policy section. Find the policy you want to log and confirm that it has logging enabled and is set to Log All Traffic Sessions:

3) Go to Log & Report > Log Config > Log Settings. Select Disk, and under GUI Preferences choose Disk as the log location to display:

4) Open the CLI and run the following commands to enable disk logging and review your disk logging settings:

fgt-01 # config log disk setting
fgt-01 (setting) # set status enable
fgt-01 (setting) # show
config log disk setting
    set status enable
    set log-quota 2048
end


If you run into formatting or allocation issues with your disk, try the following from the CLI:

– Check disk status: get system status (look at the Log hard disk line; it should say Available)
– Format the disk: execute formatlogdisk (this erases any logs already on the disk)
– Reboot the device, then re-run the set status enable commands above

Configure SSLVPN on Fortigate with Local Authentication

NOTE: These steps were performed on a Fortigate 60D. The concepts are the same across all devices; the menus vary just slightly between models.

1. Configuring a VPN User Account

Log into the Fortigate and go to User & Device > User > User Definition and create a new user account:


2. Create Web Portal For End User

The main thing to note on this screen is the IP Pool. By default the portal hands out addresses from the built-in SSLVPN pool to incoming tunnel connections. You can modify the scope/subnet in Firewall Objects > Address > Addresses if the range conflicts with your network; an overlapping pool gives remote clients routes that collide with the LAN. Add a tagline, theme, and layout as you prefer. It really depends on your users and on not overloading them with options. On the larger Fortigate units you can create multiple portal pages for different groups of users. Smaller customers typically use it for a VPN connection and not much else.


3. Create a Security Policy

I typically create two security policies to accommodate the VPN traffic. Obviously, you can widen or narrow what you’re granting access to. In this example we are giving the remote user access to the entire LAN behind the Fortigate; for anything beyond a lab, scope the destination down to the hosts and services remote users actually need.

First Policy:

This is essentially the no-NAT policy from the VPN pool subnet to the internal destination network.

Second Policy:

Under the Configure SSL-VPN Authentication Roles section, click the Create button to add the vpnuser we created initially. You can of course add a group instead and select the portal that user/group will see.


4. Certs, Timeouts, DNS

Confirm your IP Pool. The self-signed certificate is fine for initial testing, but users will see browser warnings until you replace it with a public certificate (see Install Public SSL Certificate on Fortigate above); once that is installed, select it here as the server certificate. Make sure the DNS servers specified are correct for your internal network; you’ll most likely want your users to resolve internal hostnames correctly.
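The IP pool is the setting most likely to bite after the fact: if the pool overlaps an internal subnet, remote clients end up with tunnel addresses and routes that collide with the LAN. The script below is an added example, not from the original post or a Fortinet tool. It checks an SSL-VPN pool range against each internal subnet you pass it, using the range FortiOS ships in its default SSLVPN_TUNNEL_ADDR1 object (10.212.134.200 to 10.212.134.210); the LAN subnets in the usage section are constructed for the example, and the second one overlaps on purpose.

```shell
#!/bin/sh
# Added example, not from the original post: confirm the SSL-VPN IP pool does not
# overlap any internal subnet before remote users start getting addresses from it.
# Pool values are the FortiOS default SSLVPN_TUNNEL_ADDR1 range; the LAN subnets used
# at the bottom are constructed for this example.
set -eu

# Dotted quad -> 32-bit integer, e.g. 10.212.134.200 -> 181700296.
# Runs in a subshell so the IFS change does not leak.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# "192.168.1.0/24" -> "<first> <last>" as integers.
cidr_range() {
    net=${1%/*}
    bits=${1#*/}
    base=$(ip2int "$net")
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    first=$(( base & mask ))
    last=$(( first | (4294967295 ^ mask) ))
    echo "$first $last"
}

# Exit 0 (true) when the pool start..end shares at least one address with the CIDR block.
pool_overlaps() {
    pool_start=$(ip2int "$1")
    pool_end=$(ip2int "$2")
    set -- $(cidr_range "$3")
    [ "$pool_start" -le "$2" ] && [ "$pool_end" -ge "$1" ]
}

POOL_START=10.212.134.200
POOL_END=10.212.134.210

# Report every subnet, exit 0 only if none of them collide with the pool.
check_pool() {
    conflicts=0
    for lan in "$@"; do
        if pool_overlaps "$POOL_START" "$POOL_END" "$lan"; then
            echo "CONFLICT: pool $POOL_START-$POOL_END overlaps $lan"
            conflicts=$((conflicts + 1))
        else
            echo "ok: pool $POOL_START-$POOL_END is outside $lan"
        fi
    done
    [ "$conflicts" -eq 0 ]
}

# Constructed example LAN ranges; 10.212.0.0/16 collides with the default pool.
if check_pool 192.168.1.0/24 10.212.0.0/16; then
    echo "pool is safe to use"
else
    echo "change SSLVPN_TUNNEL_ADDR1 under Firewall Objects > Address > Addresses before going live"
fi
```

Run it with your real internal subnets in place of the two constructed ones. A non-zero exit from `check_pool` means the default pool has to be moved before the first client connects; pick a range nothing on the inside uses, and remember that the first security policy above (VPN subnet to internal network) has to reference the new pool object too.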


5. Grab a beer