====== FortiGate firewall configuration notes ======
* Device model : FortiGate 40C (v5.2.13,build762)
* WAN1 : 220.100.100.100 GW: 220.100.100.254
* LAN(Internal) : 192.168.0.1
===== Basic setup =====
* Configure WAN1 (wan1)
* Configure LAN (internal)
* Configure the default route
* System -> Network -> Routing
* Create New :
* Destination IP/Mask : 0.0.0.0/0.0.0.0
* Device : wan1
* Gateway : 220.100.100.254
* Policy & Objects -> Policy -> IPv4
* Create New :
* Incoming Interface : internal
* Source Address : all
* Outgoing Interface : wan1
* Destination Address : all
* Schedule : always
* Service : ALL
* Action : ACCEPT
===== Port mapping setup =====
* Goal: forward WAN1 ports 80 / 443 -> 192.168.0.200:80 / 443
* Define the VIPs : Policy & Objects -> Objects -> Virtual IPs
- Create the VIPs : web-http and web-https ++Screenshot|{{:tech:2018052301.png}}++
- Create the VIP Group : webserver-group ++Screenshot| \\ {{:tech:2018052302.png}} \\ {{:tech:2018052303.png}}++
- VIP creation completed ++Screenshot|{{:tech:2018052304.png}}++
- Confirm or create the Services : HTTP/HTTPS ++Screenshot|{{:tech:2018052305.png}}++
* Define the Policy : Policy & Objects -> Policy -> IPv4
- Create the wan1->internal port mapping Policy ++Screenshot|{{:tech:2018052401.png}}++
- Completed wan1->internal port mapping Policy ++Screenshot|{{:tech:2018052402.png}}++
* If NAT is enabled on this policy, the internal server sees the FortiGate's own IP as the source IP of every forwarded connection.
* Example: the FortiGate's internal IP is 192.168.0.1. After switching to a rule with NAT enabled at 21/May/2018:11:29:57, every source IP in the web server log became 192.168.0.1 ++Screenshot|{{:tech:2018052403.png}}++
===== Blocking specific source IPs (blacklist) on port mapping (WAN to Internal, Virtual IP) =====
* A WAN -> Internal Deny rule created through the UI does not actually block the listed source IPs.
* Editing that policy by its ID on the CLI and adding "set match-vip enable" makes the deny actually take effect.
* Reference - http://kb.fortinet.com/kb/documentLink.do?externalID=FD33338
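The CLI equivalent of the port-mapping setup above, together with the blacklist deny policy that needs "set match-vip enable". This is an added example written for this page, not configuration taken from the original notes or from Fortinet; the VIP, group and interface names and the forwarded addresses are the ones the page uses, while the address object "blocked-sources", its subnet 198.51.100.0/24 and the policy IDs 10 and 11 are constructed placeholders.

```fortios
# Port forwards for 80 and 443 on wan1 to the internal web server (values from the page)
config firewall vip
    edit "web-http"
        set extip 220.100.100.100
        set extintf "wan1"
        set portforward enable
        set mappedip 192.168.0.200
        set extport 80
        set mappedport 80
    next
    edit "web-https"
        set extip 220.100.100.100
        set extintf "wan1"
        set portforward enable
        set mappedip 192.168.0.200
        set extport 443
        set mappedport 443
    next
end

config firewall vipgrp
    edit "webserver-group"
        set interface "wan1"
        set member "web-http" "web-https"
    next
end

# Constructed blacklist object (placeholder subnet from the documentation range)
config firewall address
    edit "blocked-sources"
        set subnet 198.51.100.0 255.255.255.0
    next
end

config firewall policy
    # Accept policy: NAT disabled so the web server log keeps the real client IP
    edit 11
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "webserver-group"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat disable
    next
    # Deny policy: match-vip is what makes a deny apply to VIP (port-mapped) traffic
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "blocked-sources"
        set dstaddr "webserver-group"
        set action deny
        set schedule "always"
        set service "HTTP" "HTTPS"
        set match-vip enable
    next
    # The deny must be evaluated before the accept policy
    move 10 before 11
end
```

Policy order matters: the deny policy has to sit above the accept policy, which is what the final "move" does. Without "set match-vip enable" a deny policy whose destination is the VIP is skipped for the port-mapped traffic, which is the behaviour the page describes for rules created in the UI.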
===== SSL VPN setup =====
* Create the user :
- User & Device -> User -> User Group
* Create New :
* Name : vpn-user
* Type : Firewall
- User & Device -> User -> User Definition
* Create New :
- User Type : Local User
- Login Credentials :
* User Name : vpnuser1
* Password : password1
- Contact Info :
* Email Address : vpnuser1@imail.com
- Extra Info :
* [V] Enable
* [ ] Two-factor Authentication
* [V] User Group : vpn-user
* VPN -> SSL -> Portals
* Create New((The free license only allows one portal; the default one is full-access)) :
* Name : ichiayi-sslvpn
* [V] Enable Tunnel Mode
* [V] Enable Split Tunneling
* Routing Address : SSLVPN_TUNNEL_ADDR1
* Source IP Pools : SSLVPN_TUNNEL_ADDR1
* Client Options : [V] Always Up (Keep Alive)
* [V] Enable Web Mode
* Portal Message : Welcome to SSL VPN Service
* Limit each account to one connection at a time :
* VPN -> SSL -> Portals -> select the portal, e.g. full-access -> Edit
* [V] Limit Users to One SSL-VPN Connection at a Time
* ++Click here for the screenshot|{{:tech:2018060501.png}}++
===== Preventing brute-force logins to the SSL VPN =====
* Reference - https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-limit-SSL-VPN-login-attempts-and-block/ta-p/194229?externalID=FD48714
* Applies when the VPN Events under Log & Report show large numbers of ssl-login-fail and sslvpn_login_unknown_user entries.
* Lock the login out for n seconds after x failed SSL VPN attempts to slow down brute-force attempts. Example: more than 3 failures locks for 3600 seconds
config vpn ssl settings
set login-attempt-limit 3
set login-block-time 3600
end
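The same SSL VPN user, group, portal and lockout settings from the two sections above as one CLI block. This is an added example for this page, not configuration from the original notes or from Fortinet; the user name, password, e-mail address, group, portal and pool names are the ones the page uses, and the portal edited is the default full-access portal, the only one the page says the free license allows.

```fortios
# Local user with the attributes the UI steps above set
config user local
    edit "vpnuser1"
        set type password
        set passwd "password1"
        set email-to "vpnuser1@imail.com"
        set two-factor disable
        set status enable
    next
end

# Firewall-type user group that the SSL VPN policy will reference
config user group
    edit "vpn-user"
        set group-type firewall
        set member "vpnuser1"
    next
end

# Portal: tunnel + web mode, split tunneling, and one SSL VPN session per user
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set split-tunneling enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set limit-user-logins enable
    next
end

# Lockout: more than 3 failed logins blocks the source for 3600 seconds
config vpn ssl settings
    set login-attempt-limit 3
    set login-block-time 3600
end
```

"limit-user-logins" is the CLI name of the "Limit Users to One SSL-VPN Connection at a Time" checkbox, and the two settings values are the ones the page chooses; raising login-block-time lengthens the lockout for a source that keeps failing, at the cost of locking out a legitimate user who mistypes a password the same number of times.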
===== IPSec - L2TP client dial-in VPN setup =====
* Reference - http://kb.fortinet.com/kb/viewContent.do?externalId=FD36253
===== Multi-WAN failover setup =====
* Reference - http://cookbook.fortinet.com/redundant-internet-connections-54/
===== Routing diagnostics =====
* Reference - http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37024&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=43706420&stateId=1%200%2043708158
* Log in to the FortiGate and watch the traffic of an IP that passes through this firewall, e.g. 192.168.0.250
diag debug reset
diag debug flow filter clear
diagnose sniffer packet any "host 192.168.0.250 and icmp" 4
* Run ping and tracert from a Windows 10 PC outside at 192.168.1.140; any traffic that passes through the FortiGate is shown in the sniffer output.
* ping example ++PC side |
C:\Users\jonathan>ping 192.168.0.250
Ping 192.168.0.250 (使用 32 位元組的資料):
回覆自 192.168.0.250: 位元組=32 時間=38ms TTL=62
回覆自 192.168.0.250: 位元組=32 時間=41ms TTL=62
++ ++FortiGate side |
TPFortiGate40C-1 # diag debug reset
TPFortiGate40C-1 # diag debug flow filter clear
TPFortiGate40C-1 # diagnose sniffer packet any "host 192.168.0.250 and icmp" 4
interfaces=[any]
filters=[host 192.168.0.250 and icmp]
5.053098 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
5.053240 internal out 192.168.1.140 -> 192.168.0.250: icmp: echo request
5.053447 internal in 192.168.0.250 -> 192.168.1.140: icmp: echo reply
5.053555 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: echo reply
6.036276 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
6.036615 internal out 192.168.1.140 -> 192.168.0.250: icmp: echo request
6.036885 internal in 192.168.0.250 -> 192.168.1.140: icmp: echo reply
6.037006 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: echo reply
8 packets received by filter
0 packets dropped by kernel
++
* tracert example ++PC side |
C:\Users\jonathan>tracert 192.168.0.250
在上限 30 個躍點上追蹤 192.168.0.250 的路由
1 1 ms 1 ms 1 ms 192.168.1.254
2 11 ms 10 ms 10 ms 192.168.0.254
3 14 ms 16 ms 15 ms 192.168.0.250
追蹤完成。
++ ++FortiGate side |
TPFortiGate40C-1 # diagnose sniffer packet any "host 192.168.0.250 and icmp" 4
interfaces=[any]
filters=[host 192.168.0.250 and icmp]
8.541353 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
8.541438 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
10.076119 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
10.076201 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
11.555745 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
11.555828 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
18.573750 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
18.583995 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
18.595516 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
24.118851 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
24.119128 internal out 192.168.1.140 -> 192.168.0.250: icmp: echo request
24.120764 internal in 192.168.0.250 -> 192.168.1.140: icmp: echo reply
24.120917 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: echo reply
24.132986 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
24.133519 internal out 192.168.1.140 -> 192.168.0.250: icmp: echo request
24.135474 internal in 192.168.0.250 -> 192.168.1.140: icmp: echo reply
24.135559 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: echo reply
24.151568 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
24.152277 internal out 192.168.1.140 -> 192.168.0.250: icmp: echo request
24.152673 internal in 192.168.0.250 -> 192.168.1.140: icmp: echo reply
24.152749 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: echo reply
24.208985 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
24.209067 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
25.743512 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
25.743598 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
27.209075 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
27.209157 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
27 packets received by filter
0 packets dropped by kernel
++
===== FortiGate 60D specific settings =====
==== Site-to-site VPN: traceroute unexpectedly shows a DMZ IP ====
* Reference - http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36799&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=116930985&stateId=0%200%20116932943
traceroute 192.168.1.5
traceroute to 192.168.1.5 (192.168.1.5), 30 hops max, 60 byte packets
1 192.168.0.254 (192.168.0.254) 4.692 ms 4.602 ms 4.524 ms
2 60-248-245-172.HINET-IP.hinet.net (60.248.245.172) 14.593 ms 14.556 ms 14.483 ms
3 192.168.1.5 (192.168.1.5) 20.283 ms 20.285 ms 20.261 ms
* Assigning an IP to the VPN virtual interface resolves it, e.g. 192.168.101.254 ++Screenshot|{{:tech:2018082301.png}}++
traceroute 192.168.1.5
traceroute to 192.168.1.5 (192.168.1.5), 30 hops max, 60 byte packets
1 192.168.0.254 (192.168.0.254) 4.586 ms 4.502 ms 4.412 ms
2 192.168.101.254 (192.168.101.254) 15.170 ms 15.092 ms 13.887 ms
3 192.168.1.5 (192.168.1.5) 16.199 ms 16.203 ms 16.184 ms
===== FortiGate 40C specific settings =====
==== Enabling SNMP ====
* https://note.chiatse.com/2017/05/08/fortigate-40c-snmp-enable-from-cli/
==== Creating a VLAN ====
* http://kb.fortinet.com/kb/viewContent.do?externalId=FD33738
* https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-VLAN-tagged-interface-802-1q-on-a/ta-p/193893
==== HA setup ====
* Reference manual - [[https://docs.fortinet.com/uploaded/files/3997/fortigate-ha-56.pdf|fortigate-ha-56.pdf]]
* Checks before setup
- Both FortiGates must run the same firmware version, e.g. v5.2.13,build762
- The network interfaces of both FortiGates must be set to static IPs first (no DHCP / PPPoE); in Active-Passive mode they can be switched back to DHCP or PPPoE once HA is established((fortigate-ha-56.pdf Page.28))
- Both FortiGates should have nearly identical configuration (e.g. only the hostname / Internal IP / wan IP differ)
- VDOM / HA not yet configured ++CLI syntax|get system ha status
ichiayi-02-FG40C # get system ha status
Model: FortiGate-40C
Mode: standalone
Group: 0
Debug: 0
ses_pickup: disable
number of vcluster: 0
++
* Planned HA architecture and mode
* HA mode : FGCP Active-Active HA (this mode supports up to four FortiGates((fortigate-ha-56.pdf Page.24)))
* ++Architecture diagram |
/---------------\
| |
| Internet |
| |
\-------^-------/
|
v
+-------+-------+
| |
| VDSL Router |
| |
+----+-----+----+
Static IP^ ^Static IP
| |
+----------------+ +-----------------+
wan1| |wan1
v v
+----------------------+ +----------------------+
|cBLU |wan2 wan2| |
| Fortigate 40c |<---------------==--------------->| Fortigate 40c |
| ichiayi-01-FG40C | | ichiayi-02-FG40C |
| | | cGRE |
+-------------------^--+ +--^-------------------+
Internal| |Internal
+----------------+ +----------------+
| |
v v
+------------------------+
| |
| Internal Switch |
| |
+---^-------^-------^----+
| | |
+--------+ | +--------+
| | |
v | v
+-------------+ | +--------------+
| | v | |
| +------------+ +-------+ | +--------------+
| | | | Wi-Fi | | | |
| | PC or NB | | AP | | | PC or NB |
+---| | +-------+ +---| |
+------------+ +--------------+
++
* Setup steps
- Log in to each unit and enable HA ++CLI syntax|
config system ha
set group-id 10
set mode a-a
set hbdev wan2 50
set group-name ichiayi_cluster
set load-balance-all enable
set password **Password**
end
++
- After the configuration is applied the FortiGate should reboot automatically
- After a short while the HA LED lights up (green means HA is healthy, orange means HA has a problem)
- Check the HA status information ++CLI syntax|
get system ha status
Model: FortiGate-40C
Mode: a-a
Group: 10
Debug: 0
ses_pickup: disable
load_balance: enable
load_balance_udp: disable
schedule: Round robin.
upgrade_mode: unset
Master:128 ichiayi-01-FG40C FGT40C391xxxxxx5 1
Slave :128 ichiayi-02-FG40C FGT40C391xxxxxx1 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Master:0 FGT40C391xxxxxx5
Slave :1 FGT40C391xxxxxx1
get system ha
ichiayi-01-FG40C # get system ha
group-id : 10
group-name : ichiayi_cluster
mode : a-a
password : *
hbdev : "wan2" 50
session-sync-dev :
route-ttl : 10
route-wait : 0
route-hold : 10
sync-config : enable
encryption : disable
authentication : disable
hb-interval : 2
hb-lost-threshold : 6
helo-holddown : 20
gratuitous-arps : enable
arps : 5
arps-interval : 8
session-pickup : disable
update-all-session-timer: disable
session-sync-daemon-number: 1
link-failed-signal : disable
uninterruptible-upgrade: enable
ha-mgmt-status : disable
ha-eth-type : 8890
hc-eth-type : 8891
l2ep-eth-type : 8893
ha-uptime-diff-margin: 300
vcluster2 : disable
vcluster-id : 1
override : disable
priority : 128
schedule : round-robin
monitor :
pingserver-monitor-interface:
pingserver-failover-threshold: 0
pingserver-slave-force-reset: enable
pingserver-flip-timeout: 60
load-balance-all : enable
get system status
ichiayi-01-FG40C # get system status
Version: FortiGate-40C v5.2.13,build0762,171212 (GA)
Virus-DB: 52.00006(2017-09-28 20:11)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 12.00234(2017-09-28 01:27)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Serial-Number: FGT40C391xxxxxx5
Botnet DB: 1.00000(2012-05-28 22:51)
BIOS version: 04000006
System Part-Number: P08924-05
Log hard disk: Not available
Internal Switch mode: switch
Hostname: ichiayi-01-FG40C
Operation Mode: NAT
FIPS-CC mode: disable
Current HA mode: a-a, master
Branch point: 762
Release Version Information: GA
System time: Sat Jun 16 16:17:52 2018
++
- Connect to the Slave and check its HA status ++CLI syntax|
execute ha manage 0
ichiayi-01-FG40C # execute ha manage 0
ichiayi-02-FG40C login: admin
Password: ********
Welcome !
get system status
ichiayi-02-FG40C # get system status
Version: FortiGate-40C v5.2.13,build0762,171212 (GA)
Virus-DB: 52.00006(2017-09-28 20:11)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 12.00234(2017-09-28 01:27)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Serial-Number: FGT40C391xxxxxx1
Botnet DB: 1.00000(2012-05-28 22:51)
BIOS version: 04000009
System Part-Number: P08924-09
Log hard disk: Not available
Internal Switch mode: switch
Hostname: ichiayi-02-FG40C
Operation Mode: NAT
FIPS-CC mode: disable
Current HA mode: a-a, backup
Branch point: 762
Release Version Information: GA
System time: Sat Jun 16 16:20:05 2018
++
- If everything is fine, wan1 can be changed to PPPoE mode and the DHCP Server enabled on Internal((In Active-Active mode the wan1 interface cannot use PPPoE ))
* If the automatically elected Master is not the desired one, set the priority to choose it (the higher value becomes Master) ++Example CLI syntax| Log in and first set the Master to 200
config system ha
set priority 200
end
Switch to the Slave and set it to 255 (the maximum)
execute ha manage 1
config system ha
set priority 255
end
The session drops briefly; after logging in again the role switch is visible
TPFortiGate40C-1 # get system ha status
Model: FortiGate-40C
Mode: a-a
Group: 10
Debug: 0
ses_pickup: disable
load_balance: enable
load_balance_udp: disable
schedule: Round robin.
upgrade_mode: unset
Master:255 TPFortiGate40C-1 FGT40C391xxxxxx7 1
Slave :200 TPFortiGate40C-2 FGT40C391xxxxxx1 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Master:0 FGT40C391xxxxxx7
Slave :1 FGT40C391xxxxxx1
++
* Removing (dissolving) the HA setup
* Connect directly to the FortiGate being removed and run a factory reset ++CLI syntax|
exec factoryreset
ichiayi-02-FG40C # exec factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n)y
++
* Connect and set the ha mode to standalone ++CLI syntax|
config system ha
set mode standalone
end
++ After this, HA mode is dissolved. Every FortiGate still has the same internal / wan1 IP, so the unit reachable through the Internal IP is the master; to reach a former slave remotely with the original Internal IP, first change the Internal IP of the FortiGate that is currently reachable, after which the original Internal IP connects to the other unit.
===== Reference links =====
* https://www.mobile01.com/topicdetail.php?f=110&t=4237563
* http://my-fish-it.blogspot.tw/2017/01/ss-fortigate-543-firewall-tunnel-ssl-vpn.html
* https://blog.imprezagt1031.idv.tw/2015/12/04/fortigate-5-2-sslvpn-%E8%A8%AD%E5%AE%9A/
* https://forum.fortinet.com/tm.aspx?m=95662
* http://cookbook.fortinet.com/high-availability-two-fortigates-56/
* http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_FGCP_best_practices.htm
* http://cookbook.fortinet.com/redundant-internet-connections-54/
* http://kb.fortinet.com/kb/documentLink.do?externalID=FD33338
{{tag>firewall fortigate}}