FortiGate Port Forwarding
Mar 30

KB ID 0001742 Problem: I was back on the tools again today setting up FortiGate Port Forwarding! This was for one of our partners that I have to do some remote work for, so I temporarily needed to get onto their servers. Normally I'd just SSL VPN in (but that's what I'm setting up!), so to get onto their servers I had to set up a port forward for RDP. WARNING: Port forwarding RDP from ALL / Any is a BAD IDEA...

Replacing Cisco Firewalls with Fortinet Firewalls
Mar 22

KB ID 0001741 Replacing Cisco: If you've been following articles on the site you will know that the focus of the firewall-related output is shifting from Cisco ASA / Cisco FirePOWER to Fortinet (FortiGate) firewalls. This article is so you can make an informed choice about what you want to replace your Cisco firewall with. Note: I'm starting with SOHO and Small Business sized firewalls, but I will extend this to...

FortiGate Securing Remote Administration
Feb 05

KB ID 0001734 Problem: When considering securing FortiGate remote administration, I've written about changing the HTTPS management port to something other than TCP 443 before. I suppose that's security by obfuscation (though even a script kiddy with one hour's experience will be able to spot an HTML response). Typically with other vendors you limit remote administration access to specific IP addresses (or ranges). So...

FortiGate LDAPS Authentication Failure
Jan 29

KB ID 0001733 Problem: Here's a brief one that tripped me up a couple of weeks ago. I was deploying FortiGate LDAPS authentication for some FortiClient SSL VPN connections into a FortiGate firewall like so; despite my best efforts I was getting authentication failures? If I tested the username and password in the GUI web management portal, that worked fine? Testing FortiGate LDAPS: The first step is to test authentication at command...

FortiGate High Availability (Active / Passive)
Jan 22

KB ID 0001730 So my aim was to set up FortiGate High Availability failover in Active / Passive mode. I'm setting this up in EVE-NG and here's what my lab looks like; Note: I'm using TWO connections for Heartbeat/Failover; you can simply use one if you prefer. FortiGate High Availability (Pre-Requisites): Obviously the firewalls need to be the same! For physical firewalls that's straightforward, but be careful if you are...

FortiGate: SSL Inspection (HTTPS Inspection)
Jan 15

KB ID 0001729 Problem: Do you inspect the traffic on your network? You have a firewall? Maybe an IDS appliance? That's good news; do you inspect HTTPS traffic? In most cases the answer is no, because either you do not have the capability, or enabling SSL Inspection will degrade the firewall's performance so much that you accept the risk. At the time of writing (early 2021) it's estimated that 85% of all web traffic is now...
