
FortiGate Cloud – Functions

Functions

FortiGate Cloud has the following functions:

Centralized dashboard: System and log widgets plus real-time monitors.
FortiView log viewer: Real-time log viewing with filters and download capability.
Drilldown analysis: Real-time location, user, and network activity analysis, and alert profiles.
Report generator: Create custom report templates and schedule reports in different formats to display location-based analytics or illustrate network usage platforms.
Device management: Scheduled configuration backup and history, and script management. With a multitenancy license, also includes group management.
Antivirus (AV) submission: Shows the status of suspicious files undergoing cloud-based sandbox analysis.
AP and FortiSwitch management via FortiGate:
  • Wireless configuration: view, add, and remove APs managed by FortiGates; create and edit SSID settings, FortiAP profiles, and WIDS profiles.
  • Guest management: add guests and notify them of credentials via SMS or email.
Zero-touch deployment: Automatic connection of FortiGate devices to FortiGate Cloud management using FortiDeploy.
Multitenancy templates: Create templates and push them to multiple devices.
Remote access: Import the local configuration into the web browser and push changes to the device over the network.
FortiGate virtual domain (VDOM) support: Support for VDOMs configured on FortiGate devices.
Active Directory (AD) management: Integration with AD.
Firmware upgrade: Remotely upgrade FortiOS on FortiGate devices.
Event management: Set up email alerts for specific infrastructure emergencies, such as FortiGate Cloud losing its connection to the device, or the device's power supply failing.
Regional datacenters: Datacenters located in Canada and Germany for better performance and GDPR compliance for international customers.

FortiGate Cloud – How FortiGate Cloud works

How FortiGate Cloud works

You can register one or multiple devices with FortiGate Cloud under a single account on the FortiGate Cloud portal.

Each device periodically sends logs to FortiGate Cloud for storage. You can configure log settings. For example, you can configure devices to send only traffic and event logs, or include security logs such as AV, application control, and IPS.

From the recorded logs, you can generate reports to identify trends in network traffic, individual user activity, and security threats across different applications. Drilldown capability and real-time alerting are also available.

FortiGate Cloud also creates copies of configurations that you can use for backup, restoration, or provisioning new devices. You can use a VPN tunnel to bring up the console of a device behind a firewall to perform configuration or policy changes remotely.

FortiGate Cloud is integrated with FortiCloud single sign-on. After you create a FortiCloud SSO account, you can enable the FortiGate Cloud global service, the European service, or both. You can deploy FortiGate devices to the global or Europe cloud service from the unified device inventory in the FortiGate Cloud portal (see Inventory). You can migrate historical data such as logs, reports, and backups between accounts under the same service (global or Europe), but you cannot migrate such data from one service to the other. To migrate a FortiGate device from one service to the other, you must undeploy the device, then deploy it again from Inventory on the desired service portal.

When you initially create your account in FortiGate Cloud, you choose the data center to use. You cannot transfer data and accounts between data centers, so migration requires a new account.

To confirm which version of FortiGate Cloud is currently in use, on the Fortinet website, use your FortiCloud account to access FortiGate Cloud. The version details are at the bottom of the FortiGate Cloud homepage.

FortiGate Cloud currently supports two languages: English and Japanese. You can select a language from the web portal login page. Other languages may be available in other regions.

You can provide feedback or request improvements to FortiGate Cloud using the envelope icon on the top-right of every screen. Fortinet cannot guarantee individual responses to requests.

FortiGate Cloud – Requirements

Requirements

The following items are required before you can initialize FortiGate Cloud:

FortiCloud account: Create a FortiCloud account if you do not have one. A FortiCloud account is required to launch FortiGate Cloud. A primary FortiCloud account can invite other users to launch FortiGate Cloud as secondary administrators or regular users. Some customers may still be using a FortiCare account; it is strongly recommended to merge such accounts into your FortiCloud account.
FortiGate/FortiWifi license: You must register all FortiGate/FortiWifi devices on FortiCloud.
FortiGate Cloud entitlement: Purchase FortiGate Cloud licenses from Fortinet.
Internet access: You must have Internet access to create a FortiGate Cloud instance and to enable devices to communicate with, and periodically send logs to, FortiGate Cloud.
Browser: FortiGate Cloud supports Firefox, Chrome, and Edge.

For Management, FortiGate Cloud supports FortiOS 5.0.0 through 6.2.1. For devices that are running unsupported FortiOS versions, you can use the Remote Access feature.

For Analysis, FortiGate Cloud supports all FortiOS versions.

FortiGate Cloud supports all high-end, mid-range, and entry-level FortiGate models. You can find more information about FortiGate models and specifications on the Fortinet website. All FortiWifi models support FortiGate Cloud.

The FortiGate does not require a hard drive if it uploads logs to FortiGate Cloud in real-time, which you can enable under Log Settings in FortiOS.

The following table lists the ports that the FortiGate's outbound traffic to FortiGate Cloud requires. On request, Fortinet can supply the destination IP addresses to add to an outbound policy on whatever device filters the FortiGate's egress, if required.

Syslog, registration, quarantine, log, and report: TCP 443
OFTP: TCP 514
Management: TCP 541
Contract validation: TCP 443

Deploying a FortiGate/FortiWifi to FortiGate Cloud

Deploying a FortiGate/FortiWifi to FortiGate Cloud

You can deploy FortiGate Cloud using one of the following methods:

  • FortiGate key
  • Bulk key
  • Zero-touch deployment
  • FortiOS GUI

After deploying FortiGate Cloud using one of the methods described, complete basic configuration by doing the following:

  1. Create a firewall policy with logging enabled. Configure log uploading if necessary.
  2. Log in to FortiGate Cloud using your FortiCloud account.

To deploy a FortiGate/FortiWifi to FortiGate Cloud using the key:

  1. Log in to the FortiGate Cloud portal, then click Add FortiGate.
  2. In the Add FortiGate dialog, enter the key printed on your FortiGate.
  3. From the Select Display Timezone for Device dropdown list, select the desired time zone.
  4. Under Select Sub Account, select the desired subaccount.
  5. Click Submit.

To deploy multiple FortiGate/FortiWifi devices to FortiGate Cloud using a bulk key:

  1. Log in to the FortiGate Cloud portal, then click Inventory.
  2. Click Import Bulk Key.
  3. In the Please input the Bulk Key: field, enter the bulk key.
  4. Click Submit. The portal displays a list of the FortiGate/FortiWifi serial numbers associated with the bulk key.

To deploy multiple FortiGate/FortiWifi devices to FortiGate Cloud using zero-touch deployment:

See FortiDeploy.

To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI:

  1. In the FortiCloud portal, ensure that you have a product entitlement for FortiGate Cloud for the desired FortiGate or FortiWifi.
  2. In FortiOS, do one of the following:
    1. Go to Security Fabric > Settings, and enable Central Management. Click FortiGate Cloud.
    2. In the Dashboard, in the FortiGate Cloud widget, the Status displays as Not Activated. Click Not Activated.
  3. Click Activate.
  4. In the Activate FortiGate Cloud panel, for Account, select FortinetOne.
  5. In the Email and Password fields, enter the email address and password associated with the FortiCloud account.
  6. Enable Send logs to FortiGate Cloud. Click OK.
  7. This should automatically enable Cloud Logging. Confirm that Cloud Logging is enabled; if it is not, enable it and set Type to FortiGate Cloud.
  8. At this point, in FortiGate Cloud, you can access the Analysis and SandBox features for this device. To access Management features, you must authorize the FortiGate in FortiGate Cloud by entering a local superadministrator username and password when prompted. After authorization, you can manage that FortiGate from FortiGate Cloud.

To unsubscribe from FortiGate Cloud:

You can disconnect your account from the dashboard in your FortiGate/FortiWifi.

  1. In the FortiOS Dashboard FortiGate Cloud widget, the Status appears as Activated. Click Activated, then click Logout.
  2. In the confirmation dialog, click OK. This detaches the FortiGate/FortiWifi from the account and stops uploading logs.

FortiGate Cloud – Homepage

Homepage

You see the homepage when you first open the FortiGate Cloud interface. From the homepage, you can add a FortiGate as described in To deploy a FortiGate/FortiWifi to FortiGate Cloud using the key. You can also go to the Analysis, Management, SandBox, and Inventory pages.

To view Fortinet devices that you have deployed using the same FortiCloud account under a different service, click # device(s) in other site. This link only appears if you have deployed devices under a different service. It displays a dropdown list of devices deployed using the same FortiCloud account under the other service. For example, if you are currently logged in to the Europe service, the link lists devices deployed under the global service. If more than 20 devices are deployed to the other service, the dropdown list only displays 20. You can go to the other service's homepage by clicking Switch Site.

The homepage also displays currently active devices that you previously deployed to the current service, but later deployed to another service. For example, if you deployed a FortiGate to the global service, then deployed it to the Europe service, it shows up in the homepage for both services. The Active in column in the Analysis, Management, and SandBox homepages displays which service the device is currently connected to.

To add more administrators/users:

  1. In the upper right of the FortiGate Cloud interface, select My Account.
  2. Select Add User in the window.
  3. Enter the new admin/user’s email address and name.
  4. Select whether they are an admin (total control over the FortiGate Cloud interface) or a regular user (limited control, monitoring only).
  5. From the Language dropdown list, select the desired language.
  6. From the Default Entry Point dropdown list, select the desired default page. This is the default page the user sees when they log in to FortiGate Cloud.
  7. Select Submit. The admin/user receives an email prompting them to set their account password and log in.

To replace an account ID with a new email address:

  1. Log in to FortiGate Cloud using the account that you want to replace. In the upper right of the FortiGate Cloud interface, select My Account. In the list of users, ensure that the new email address is not already in use.
  2. Add a new admin user with the desired new email address, following the instructions in To add more administrators/users.
  3. Select Set as primary.
  4. Log out of FortiGate Cloud.
  5. Log in to FortiGate Cloud as the admin user added in step 2.
  6. Click My Account.
  7. In the list of users, click the Delete icon beside the old account to remove it from FortiGate Cloud.

You can move a FortiGate from the global service to the Europe service, or vice versa. The following example moves a FortiGate from the global service to the Europe service.

To move a FortiGate from the global service to the Europe service:

  1. Log in to the FortiGate Cloud global service.
  2. On the Analysis, Management, or SandBox page, undeploy the FortiGate:
    1. Click the Config icon for the desired device.
    2. Click Undeploy.
    3. In the confirmation dialog, click YES.
    4. You have the option to leave a placeholder unit where the FortiGate was deployed. The placeholder keeps the device's historical data and has a serial number that starts with U.
  3. Go to Inventory and confirm that the FortiGate is now listed under inventory.
  4. Log in to the FortiGate Cloud Europe service.
  5. Go to Inventory. Select the desired FortiGate, then click Deploy to FortiGate Cloud.
  6. Log in to the FortiOS GUI and reactivate FortiGate Cloud by following To deploy a FortiGate/FortiWifi to FortiGate Cloud in the FortiOS GUI.

FortiGate Cloud – Analysis

Analysis

The Analysis tab provides tools for monitoring and logging your device's traffic, giving you centralized oversight of traffic and security events.

The Analysis homepage provides the following information about devices. You can select a device's serial number or name to access analysis tools for that device:

  • Model/serial number
  • Fortinet product type
  • Firmware version
  • Status (whether the device is connected through a management tunnel)
  • Last compiled report and last log uploaded
  • Subscription expiry date

You can use the gear icon to access additional functions:

To undeploy the FortiGate:

  1. Click the Config icon for the desired device.
  2. Click Undeploy.
  3. In the confirmation dialog, click YES.
  4. You have the option to leave a placeholder unit where the FortiGate was deployed. The placeholder keeps the device's historical data and has a serial number that starts with U.

To set the display timezone for the FortiGate:

The display timezone only affects log data view for the FortiGate and does not affect the FortiGate’s configured timezone. You can modify the FortiGate’s display timezone after it has already been set.

  1. Go to Analysis.
  2. Click the Config icon beside the desired device, then click Display Timezone.
  3. From the Display Timezone for Device dropdown list, select the desired timezone. Click Submit. The FortiGate Cloud GUI shows the FortiGate's display timezone in the upper right corner.

To rename the FortiGate:

  1. Click the Config icon for the desired device, then click Rename.
  2. In the Device Name field, enter the desired name. Click Submit.

 

To delete stored data for the FortiGate:

  1. Go to Analysis.
  2. Click the Config icon beside the desired device, then click Options.
  3. In the Delete Data before field, select the desired date. Click Apply. FortiGate Cloud deletes the log data it holds for that FortiGate from before the selected date.

To go to the device list:

You can return to the device list from the Analysis, Management, or Sandbox page for an individual device.

  1. In the upper left corner, click Show Device List.

FortiGate Cloud – FortiView

FortiView

The default FortiView page is the summary view, which uses widgets to show a general overview of what is happening with your device. You can add new widgets by selecting Add Widget.

Each widget is a customizable box, showing certain information about the device. You can do the following with widgets:

  • Click a widget title and drag it to move it around.
  • Delete a widget by selecting the X icon.
  • Set the refresh rate of widgets by selecting the dropdown list beside the refresh icon.

The following lists all widget types, grouped according to function. Each entry notes the feature that must be enabled on the device for the widget to show data.

Threats

Top Threats: Displays which threats trigger the most detection events on the network. Requires at least one of IPS, AV, AntiSpam, DLP, or Anomaly Detection.
Top Spam: Displays which sources send the most spam email into the network. Requires AntiSpam.
Top Viruses: Counts the viruses that the device's AV most frequently finds. Requires AV.
Top Applications by Threat Score: Compares which applications have the most traffic relative to their threat score, based on the device's Application Control settings. Requires Application Control.
Top Attacks: Counts the attacks that the device's IPS most frequently prevents. Requires IPS.
Top DLP By Rules: Counts the DLP events that the device detects, sorted by DLP rule. Requires DLP.

Traffic Analysis

Top Applications: Compares which applications are most frequently used, based on the device's Application Control settings. Requires Application Control.
Top Application Categories: Compares which application categories are most frequently used, based on the device's Application Control settings. Requires Application Control.
Top Sources: Displays which sources have the most traffic to or from the device.
Top Destinations: Displays which destinations have the most traffic to or from the device.
Top Protocols: Compares the traffic volume that has passed through a given interface, broken down by protocol (HTTP, HTTPS, DNS, TCP, UDP, other).
Top Countries: Displays which countries have the most traffic to or from the device.
Traffic History: Displays the volume of incoming and outgoing traffic over time.

Websites

Top Websites: Compares which websites are most frequently visited. You can click a category to see which websites in that category are being visited. Requires Web Filtering.
Top Web Categories: Compares which web filtering categories are most frequently used, based on the device's Web Filtering settings. Requires Web Filtering.
Top Users/IP by Browsing Time in Seconds: Ranks users and IP addresses by total browsing time. You can click a user to see which IP addresses they visit. Requires Web Filtering.

FortiView offers log information, reformatted into easily navigable charts, in a style similar to FortiView in FortiOS.

You can select a time period to view data for:

  • Last 60 minutes
  • Last 24 hours
  • Last 7 days
  • Last 30 days
  • Specified time period

You can set the chart’s refresh rate by clicking the Refresh icon. By using the Add Filter dropdown list, you can filter the chart by various factors. Individual chart entries may also allow you to filter by that entry’s data by selecting a filter icon on the right, or drill down to see all related log data, such as all log data through that interface.

FortiView charts reference

The following provides descriptions of all FortiView charts.

User Dashboard

The User Dashboard displays the number of users/entities that fit into the following security categories:

  • Visited high risk websites
  • Infected by malware
  • Targeted by malware
  • Targeted by spam
  • Violated data leak rules
  • Used high-risk applications
  • Targeted by attacks
  • Attacked by protocol intrusion

You can click each category to view the list of users/entities affected. You can drill down further to view the list of incidents for each user/entity and the logs for each incident.

FSBP Dashboard

The FSBP Dashboard displays security rating results for the device, in the following categories:

  • Overall Score
  • Maturity Milestones
  • Top Achievement
  • Top Todo
  • History Trend

The FSBP Dashboard is only available for devices that support the Security Rating feature.

Threats

Top Threats: Lists the top threats to your network. The following incidents are considered threats:
  • Risk applications detected by application control.
  • Intrusion incidents detected by IPS.
  • Malicious websites detected by web filtering.
  • Malware/botnets detected by antivirus.
IPS: Lists intrusion incidents detected by IPS.
AntiVirus: Lists the malware/botnets detected by AV.
AntiSpam: Lists the spam detected by AntiSpam.
DLP & Archives: Lists the DLP and archive incidents.
Anomaly: Lists network anomalies.

Traffic Analysis

Application: Displays the top applications used on the network, including the application name, category, bandwidth (sent/received), sessions, and risk level.
Cloud Application: Displays the top cloud applications used on the network.
Source: Displays the highest network traffic by source IP address and name, with bandwidth (sent/received), sessions, and risk level.
User: Displays the highest network traffic by user in terms of bandwidth sent/received, sessions, and risk level.
Destination: Displays the highest network traffic by destination IP address, the applications used to access the destination, bandwidth sent/received, sessions, and risk level.
Interface: Displays the highest network traffic by interface in terms of bandwidth sent/received, traffic sessions, and risk level. You can view by source or destination interface.
Country: Displays the highest network traffic by country in terms of bandwidth sent/received, traffic sessions, and risk level. You can view by source or destination country.
Policy Hits: Lists the policy hits by policy, device name, VDOM, number of hits, bytes, and last used time and date.

Website

Website: Displays the top allowed and blocked website domains on the network. You can also view by source. You can filter by threat level.
Web Category: Displays the top website categories. You can filter by threat level.
Browsing User/IP: Displays the top web-browsing users and their IP addresses by total browsing time. You can also view by category or domain. You can filter by threat level.

System Events

System Activity: Displays events on the managed devices, their severity, and the number of incidents. You can filter by user or severity level.
Admin Session: Displays the users who logged into managed devices, the number of configuration changes they made, the number of admin sessions, and their total logged-in time. You can also view by login interface. You can filter by severity level.
Failed Login: Displays the users who failed to log into managed devices. You can also view by login interface. You can filter by severity level.
Wireless: Displays wireless events. You can filter by severity level.

VPN Events

Site to Site: Displays the names of the IPsec site-to-site VPN tunnels connected to the network.
SSL and Dialup: Displays the users accessing the network through an SSL VPN or dialup IPsec VPN tunnel.
Failed VPN Login: Displays the users who failed to log in via VPN.

FortiGate Cloud – Logs

Logs

Logs offers more detailed log information, access to individual log data, and downloadable log files. You can select a category of logs to view from the list on the left.

You can select a time period to view data for:

  • Last 60 minutes
  • Last 24 hours
  • Last 7 days
  • Last 30 days
  • Specified time period

You can set the chart’s refresh rate by selecting the Change Refresh Period icon. By using the Add Filter dropdown list, you can filter the log list by various factors. Selecting Column Setting allows you to customize the default log view. By selecting Log Files, you can see the raw log data files and manually download them. The box in the lower right allows you to move through pages of log data by clicking the arrows or entering a page number.

You can download various types of raw logs from FortiGate Cloud. The log filename format is as follows:

<FortiGate serial number>_<log type>_<beginning of log date range>-<time of first log>-<end of log date range>-<time of last log>.log.gz

The log filename format uses a shortened identifier for each log type:

Traffic: tlog
Web Filter: wlog
Application Control: rlog
AntiSpam: slog
AntiVirus: vlog
DLP: dlog
Attack: alog
Anomaly: mlog
DNS: olog
Event (including all subtypes): elog

For example, consider an Application Control log file covering the period from October 23, 2019 to November 1, 2019 for a FortiGate with the serial number FGT123. The first log in the file has a timestamp of 6:09 PM and the last log has a timestamp of 9:32 AM. The log file name is:

FGT123_rlog_20191023-1809-20191101-0932.log.gz
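The filename convention and the log type table above translate directly into a checker you can run over a batch of downloads before the logs are used for analysis or as evidence. The following Python is an added example, not Fortinet's code and not part of the original page: it parses the filename into serial, log type and declared time range, reads the gzip archive, splits the FortiOS key=value log lines, and flags any record whose timestamp is missing or lies outside the range the name declares. The sample archive is constructed inline from made-up log lines using documentation IP addresses (no real device), and the key=value line layout is assumed from standard FortiOS logging rather than stated on this page.

```python
"""Parse and sanity-check FortiGate Cloud raw log downloads.

Added example, not Fortinet code. It assumes the filename layout and log
type identifiers documented above plus the standard FortiOS key=value log
line format; the sample lines below are constructed, not captured.
"""
import gzip
import io
import re
from datetime import datetime

# Identifier -> log type, from the table above.
LOG_TYPES = {
    "tlog": "Traffic", "wlog": "Web Filter", "rlog": "Application Control",
    "slog": "AntiSpam", "vlog": "AntiVirus", "dlog": "DLP", "alog": "Attack",
    "mlog": "Anomaly", "olog": "DNS", "elog": "Event",
}

# <serial>_<ident>_<YYYYMMDD>-<HHMM>-<YYYYMMDD>-<HHMM>.log.gz
_NAME_RE = re.compile(
    r"^(?P<serial>[A-Za-z0-9]+)_(?P<ident>[a-z]log)_"
    r"(?P<start>\d{8}-\d{4})-(?P<end>\d{8}-\d{4})\.log\.gz$"
)

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_log_filename(name):
    """Return (serial, log type, start, end) for a FortiGate Cloud log filename.

    Raises ValueError for a name that does not match the documented layout,
    an unknown log type identifier, or a range that ends before it starts.
    """
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a FortiGate Cloud log filename: {name}")
    ident = m.group("ident")
    if ident not in LOG_TYPES:
        raise ValueError(f"unknown log type identifier: {ident}")
    start = datetime.strptime(m.group("start"), "%Y%m%d-%H%M")
    end = datetime.strptime(m.group("end"), "%Y%m%d-%H%M")
    if end < start:
        raise ValueError(f"log range ends before it starts: {name}")
    return m.group("serial"), LOG_TYPES[ident], start, end


def parse_log_line(line):
    """Split one FortiOS key=value log line into a dict, stripping value quotes."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def read_log_archive(data):
    """Yield parsed records from the gzip bytes of a .log.gz download."""
    with gzip.open(io.BytesIO(data), "rt", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line:
                yield parse_log_line(line)


def summarize(name, data):
    """Check an archive against its own filename.

    Returns (log type, record count, records whose timestamp is missing or
    outside the declared range, count of records with action=block). The
    filename carries minutes only, so seconds are dropped before comparing.
    """
    _serial, log_type, start, end = parse_log_filename(name)
    records = list(read_log_archive(data))
    outside = []
    for rec in records:
        try:
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            outside.append(rec)  # no usable timestamp: cannot be verified
            continue
        if not start <= ts.replace(second=0) <= end:
            outside.append(rec)
    blocked = sum(1 for rec in records if rec.get("action") == "block")
    return log_type, len(records), outside, blocked


# Constructed sample matching the worked example above (not captured logs).
SAMPLE_NAME = "FGT123_rlog_20191023-1809-20191101-0932.log.gz"
SAMPLE_LINES = (
    'date=2019-10-23 time=18:09:00 type="utm" subtype="app-ctrl" '
    'srcip=10.1.1.5 dstip=203.0.113.7 app="HTTP.BROWSER" appcat="Web.Client" '
    'action="pass" msg="Web Client: HTTP.BROWSER"',
    'date=2019-11-01 time=09:32:00 type="utm" subtype="app-ctrl" '
    'srcip=10.1.1.9 dstip=198.51.100.4 app="BitTorrent" appcat="P2P" '
    'action="block" msg="P2P: BitTorrent"',
)


def build_sample_archive(extra_lines=()):
    """Gzip the constructed sample lines (plus any extras) into .log.gz bytes."""
    body = "\n".join(SAMPLE_LINES + tuple(extra_lines)) + "\n"
    return gzip.compress(body.encode("utf-8"))


if __name__ == "__main__":
    kind, count, outside, blocked = summarize(SAMPLE_NAME, build_sample_archive())
    print(f"{SAMPLE_NAME}: {kind}, {count} records, "
          f"{len(outside)} outside declared range, {blocked} blocked")
```

Run summarize() over each file's name and bytes in a download directory; a non-empty third result means the archive's contents disagree with the range its name declares, which is worth resolving before the logs are trusted.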


FortiGate Cloud – Reports

Reports

Reports generates custom reports of specific traffic data, and can email them to specified addresses. Select a report to see a list of collected reports of that type. By default, there is a preconfigured Summary Report and a Web Activity Report.

You can Add new reports or Edit existing ones. Both open an editing interface, which allows you to edit the report content and add or remove sections.

To create a custom report:

  1. Go to Analysis > Reports.
  2. Click Add in the upper right, and choose to create a blank report, default Summary or Web Activity Report, copy an existing report, or import an external template. Click Submit.
  3. To add a chart, click the gear icon and select Add Chart.
  4. In the Predefined Chart List dialog, select the desired chart. You can further customize the chart by clicking Customize. Click Save.
  5. Click the gear icon to add descriptions and titles to the current section, or to add new 1- or 2-column sections.
  6. Click Settings. You can upload a report logo and set the report language.
  7. Click Save.
  8. Select Run, and view the finished report.

To schedule a report:

  1. Go to Analysis > Reports.
  2. Click the desired report from the left pane.
  3. Click Schedule to set how often to generate the report (Daily, Weekly, or Monthly) and which email address to send it to. For example, to generate a report covering a month of data, select Monthly and FortiGate Cloud runs and sends the report once a month. You can also run a report immediately.

To configure report settings:

If you have enabled multitenancy, you can access these options in Group Management > Manage Report Configs.

  1. Go to Analysis > Reports.
  2. Click the desired report from the left pane.
  3. Click Settings. You can upload a report logo and set the report language. Click Submit.

Reports reference

The following provides descriptions of preconfigured reports:

DNS: The default version of this report displays the following charts:
  • Queried Botnet C&C domains and IP addresses
  • High risk sources
  • Top queried domains
  • Top domain lookup block
  • Top domain lookup timeout

FSBP: The default version of this report displays results based on the device's security rating result:
  • Fabric components audited
  • Score history (industry average and industry range)
  • Maturity milestones
  • Achievements and to-do list
  This report is only available for devices that support the Security Rating feature. If the device does not have any Security Rating results, all charts show no data.

High Bandwidth Application Usage: Shows applications that may affect network performance by using high bandwidth, so you can quickly pinpoint high bandwidth usage and violations of corporate policy. This report focuses on peer-to-peer applications (such as BitTorrent, Xunlei, Gnutella, Filetopia), file sharing and storage applications (such as Onebox, Google Drive, Dropbox, Apple Cloud), and voice/video applications (such as YouTube, Skype, Spotify, Vimeo, Netflix). You cannot edit this report.

Summary: The default version of this report displays the following sections:
  • Threat Analysis
  • Traffic Analysis
  • Web Activities
  • VPN Analysis
  • System Activity

Web Activity: The default version of this report displays the following charts:
  • Most Visited Web Categories
  • Most Visited Websites
  • Most Visited Web Categories and Web Sites
  • Most Active Web Users
  • Most Visited Web Sites by Most Active Users
  • Most Active Users of Most Visited Web Sites

360 Degree Activities: Displays the following sections:
  • Application Visibility
  • Web Traffic Analysis
  • User Behavior Analysis
  You cannot edit this report.

Cyber Threat Assessment: An enhanced version of the Summary Report. Displays the following sections:
  • User Productivity: Application Usage, Web Usage
  • Security and Threat Prevention: Application Vulnerability Exploits, Virus Prevention, At-Risk Devices and Hosts, High Risk Application
  • Network Utilization: Bandwidth
  You cannot edit this report.

FortiGate Cloud – Event Management

Event Management

In Event Management, you can set up email alerts for specific infrastructure emergencies, such as FortiGate Cloud losing its connection to the device, or the device's power supply failing. The page defaults to All Events in the left menu, which lists all past emergency events. Select Event Handlers to configure the alert settings.

You can enable events to track by selecting their checkboxes. If you want to receive an alert email when they occur, select the checkbox under Send Alert Email and enter the email address to send the alert email to.

Select the gear icon to configure each Event Handler directly and set the logged severity level and notification frequency.

 

FortiDeceptor – Introduction

Introduction

FortiDeceptor creates a network of decoy VMs to lure attackers and monitor their activities on the network. When attackers attack decoy VMs, their actions are analyzed to protect the network.

Key features of FortiDeceptor include:

  • Deception OS: Windows, Linux, or SCADA OS images are available to create Decoy VMs.
  • Decoy VMs: Decoy VMs that behave like real endpoints can be deployed through FortiDeceptor.
  • Lures: Lures are services, applications, or users added to a Decoy VM to simulate a real user environment.
  • FortiDeceptor Token Package: Install a FortiDeceptor Token Package to add breadcrumbs on real endpoints and lure an attacker to a Decoy VM. Tokens are normally distributed within the real endpoints and other IT assets on the network to maximize the deception surface. Use tokens to influence attackers' lateral movements and activities. Examples of what you can use in a token include cached credentials, database connections, network shares, data files, and configuration files.
  • Monitor the hacker's actions: Monitor Incidents, Events, and Campaigns.
    • An Event represents a single action, for example, a login-logout event on a victim host.
    • An Incident represents all actions on a single victim host, for example, a login-logout, file system change, registry modification, and website visit on a single victim host.
    • A Campaign represents the hacker's lateral movement. All related Incidents form a Campaign. For example, an attacker logs on to a system using credentials found on another system.
  • Log Events: Log all FortiDeceptor system events.

FortiGate Cloud – Management

Management

On the Management tab, you can remotely manage FortiGate and FortiWiFi devices that are connected to the FortiGate Cloud service.

The Management homepage provides the following information about devices. You can select a device’s serial number or name to access management tools for that device:

  • Model/serial number
  • Fortinet product type
  • Firmware version
  • Status (whether the device is connected through a management tunnel)
  • Service the device is currently active in
  • Applied template

You can use the gear icon to access additional functions:

To undeploy the FortiGate:

  1. Click the Config icon for the desired device.
  2. Click Undeploy.
  3. In the confirmation dialog, click YES.
  4. You have the option to leave a placeholder unit where the FortiGate was deployed. The placeholder keeps the device's historical data and has a serial number that starts with U.

To authorize a new account to access the FortiGate’s historical data:

  1. Click the Config icon for the desired device.
  2. Click Authorize New Account.
  3. In the Account ID field, enter the desired account ID.
  4. Click Submit.

To rename the FortiGate:

  1. Click the Config icon for the desired device, then click Rename.
  2. In the Device Name field, enter the desired name. Click Submit.

To go to the device list:

You can return to the device list from the Analysis, Management, or Sandbox page for an individual device.

  1. In the upper left corner, click Show Device List.

You must first enable the management tunnel on your device before you can see any management functions. On the device, run the following CLI commands:

config system central-management
    set mode backup
    set type fortiguard
end

Config

In Config, you can access a pared-down version of the remote device’s management interface to configure major features as if you were accessing the device itself. For descriptions of the configuration options, see the FortiOS documentation.

The configuration you see in FortiGate Cloud does not autorefresh. FortiGate Cloud displays a notification if the current local FortiGate configuration differs from the latest configuration uploaded to FortiGate Cloud. You can overwrite the FortiGate Cloud configuration with the current local FortiGate configuration by clicking Import, or merge the two configurations by clicking Merge. If you are merging the configurations and there is a conflict between them (for example, an option is enabled locally on the FortiGate but disabled in FortiGate Cloud), FortiGate Cloud keeps the local FortiGate Cloud configuration for that option. You can then make any changes you want to reflect on the device, and select Deploy to push the configuration to the device.

In the case that your device configuration version does not match the firmware version, FortiGate Cloud may display a Device config version does not match device firmware version message. You can click the Import button to synchronize the configurations.

To deploy cloud configuration to devices:

  1. Go to Management > Config.
  2. Before you edit any settings, click the Import button to retrieve the most up-to-date configuration from the FortiGate Cloud-connected device.
  3. On this page, you have limited access to a pared-down version of the FortiGate interface, allowing you to edit interfaces, routes, policies, etc. Edit the FortiGate configuration as needed.
  4. When you are ready to push your updated configuration back to the device, select Deploy in the upper right.
  5. Wait for the configuration to download to the device. When it completes, a deployment log appears, showing you the changes as they appear in the CLI.

Backup

In Backup, you can back up, Edit, View, Compare (to other revisions), Download, Restore (to device), and Delete revisions. You can filter the revision list by firmware version or created time. You can also search for a specific backup.

To back up the device configuration to the cloud:

  1. Go to Management > Backup.
  2. Select Backup Config in the upper right, and enter the backup revision name. FortiGate Cloud adds the new configuration to the list. By selecting the icons on the right side, you can rename, view, compare, download, restore, and delete configuration files. The compare icon only appears once you have multiple revisions available.

To enable auto backup:

  1. Go to Management > Backup > Auto Backup Setting.
  2. Click Enable Auto Backup. Only setting changes on the FortiGate (locally from the FortiGate or from FortiGate Cloud) trigger auto backup. You can select one of the following auto backup settings:

Option   Description
Per Session   By default, the session duration is 600 seconds. For example, if you modify FortiGate settings at 10:00 AM, FortiGate Cloud schedules an auto backup in 600 seconds. If no other setting changes occur within the 600 seconds, FortiGate Cloud performs an auto backup at 10:10 AM. However, if you further modify settings, for example, at 10:05 AM, this resets the timer and FortiGate Cloud schedules an auto backup for 600 seconds after 10:05 AM. FortiGate Cloud keeps every backup revision for all sessions in one day. You can only configure an alert email for this option. The alert email does not contain a copy of the backup revision.
Per Day   This option operates the same as Per Session, except that FortiGate Cloud only keeps one latest backup revision per day.

  3. Click Apply.
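The timer behaviour described for the Per Session and Per Day options is easy to misread, so here is a small simulation of it. This is an added example, not code from the Fortinet documentation or the FortiGate Cloud service: it models a change-triggered 600-second timer that resets on every further change, then applies the two retention rules (Per Session keeps every revision of a day, Per Day keeps only the latest one). The change timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Default auto backup session duration stated in the documentation above.
SESSION_SECONDS = 600


def schedule_auto_backups(change_times, session_seconds=SESSION_SECONDS):
    """Simulate the auto backup timer.

    Each configuration change schedules a backup session_seconds later.
    A change that arrives before the pending backup fires resets that
    timer instead of creating a second backup. Returns the times at which
    backups actually fire, in chronological order.
    """
    fired = []
    pending = None
    for t in sorted(change_times):
        if pending is not None and t < pending:
            # Change inside the open window: reset the timer from this change.
            pending = t + timedelta(seconds=session_seconds)
        else:
            if pending is not None:
                # Previous window expired without further changes, so it fired.
                fired.append(pending)
            pending = t + timedelta(seconds=session_seconds)
    if pending is not None:
        fired.append(pending)
    return fired


def retained_revisions(backups, option):
    """Apply the retention rule for the chosen auto backup option.

    "Per Session" keeps every revision; "Per Day" keeps only the latest
    revision of each calendar day.
    """
    if option == "Per Session":
        return list(backups)
    if option == "Per Day":
        latest = {}
        for b in backups:
            day = b.date()
            if day not in latest or b > latest[day]:
                latest[day] = b
        return sorted(latest.values())
    raise ValueError(f"unknown auto backup option: {option!r}")


# Constructed sample: two changes inside one session, a third later that
# day, and one change on the following day.
SAMPLE_CHANGES = [
    datetime(2024, 1, 15, 10, 0),
    datetime(2024, 1, 15, 10, 5),   # resets the 10:10 backup to 10:15
    datetime(2024, 1, 15, 11, 0),
    datetime(2024, 1, 16, 9, 0),
]

if __name__ == "__main__":
    fired = schedule_auto_backups(SAMPLE_CHANGES)
    for option in ("Per Session", "Per Day"):
        kept = retained_revisions(fired, option)
        print(option, [t.strftime("%Y-%m-%d %H:%M") for t in kept])
```

With the sample changes, backups fire at 10:15 and 11:10 on the first day and at 09:10 on the second; Per Day discards the 10:15 revision because 11:10 is the later one for that day.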

Upgrade

In Upgrade, you can see the current firmware version installed on the device, and update to newer stable versions if they are available. The upgrade path that FortiGate Cloud displays may differ from the upgrade path that FortiGuard displays.

To upgrade remote device firmware:

  1. Go to Management > Upgrade.
  2. Verify your device’s current firmware version in the upper left before continuing.
  3. If you are concerned about the effects of upgrading or have not upgraded recently, use the Upgrade Path Tool to ensure you are following the recommended upgrade path.
  4. It is recommended to back up your device’s configuration before upgrading, in Management > Backup or in the device’s management interface.
  5. Select an available firmware from the list, and select Upgrade. You can schedule a time and date to perform the remote upgrade. For example, you can schedule it during downtime to minimize disruption. A caution icon may also display to indicate that the upgrade path may not be supported.
  6. Wait for the upgrade to take effect.

Script

In Script, you can create and run script files on connected remote devices to check device status or get bulk configuration information quickly.

To execute a script on a remote device:

  1. Go to Management > Script.
  2. In the upper right, select Add Script.
  3. Enter a name and a description, and the CLI script content that you want to run. Each script is a series of CLI commands, one command per line. Click Submit.
  4. Click the Deploy icon, and select a time to automatically deploy the script to the device.
  5. To cancel the scheduled run, click the Cancel icon next to the scheduled time.
  6. FortiGate Cloud records that script’s output. You can read it by clicking View Result.


FortiGate Cloud – SandBox


SandBox

FortiSandbox Cloud is a service that uploads and analyzes files that FortiGate AV marks as suspicious.

In a proxy-based AV profile on a FortiGate, the administrator selects Inspect Suspicious Files with FortiGuard Analytics to enable a FortiGate to upload suspicious files to FortiGuard for analysis. Once uploaded, the file is executed and the resulting behavior analyzed for risk. If the file exhibits risky behavior or is found to contain a virus, a new virus signature is created and added to the FortiGuard AV signature database. The next time the FortiGate updates its AV database it will have the new signature. The turnaround time on Cloud SandBoxing and AV submission ranges from ten minutes (automated SandBox detection) to ten hours (if FortiGuard Labs is involved).

FortiGuard Labs considers a file suspicious if it exhibits some unusual behavior, yet does not contain a known virus (the behaviors that FortiGate Cloud Analytics considers suspicious change depending on the current threat climate and other factors).

The FortiGate Cloud console enables administrators to view the status of any suspicious files uploaded: Pending, Clean, Malware, or Unknown. The console also provides data on time, user, and location of the infected file for forensic analysis. SandBoxing is available in both free and paid FortiGate Cloud subscriptions.

You can view the FortiSandbox Cloud Service Description for details.

The SandBox tab collects information that the FortiSandbox Cloud service compiles. FortiSandbox Cloud submits files to FortiGuard for threat analysis. You can configure your use of the service and view analyzed files’ results.

You must enable Cloud SandBoxing on the FortiGate and submit a suspicious file for the SandBox tab to become visible.

The SandBox homepage provides the following information about devices. You can select a device’s serial number or name to access SandBox tools for that device:

  • Model/serial number
  • Fortinet product type
  • Firmware version
  • Status (if the device is connected through a management tunnel)
  • Service the device is currently active in
  • Last compiled report and last log uploaded
  • Subscription expiry date

You can use the gear icon to access additional functions:

To undeploy the FortiGate:

  1. Click the Config icon for the desired device.
  2. Click Undeploy.
  3. In the confirmation dialog, click YES.
  4. You have the option to place a unit where the FortiGate was deployed. The unit contains historical data and a serial number that starts with U.

To rename the FortiGate:

  1. Click the Config icon for the desired device, then click Rename.
  2. In the Device Name field, enter the desired name. Click Submit.

To set up FortiSandbox:

  1. Go to Security Fabric > Settings and enable SandBox Inspection. Set SandBox type to FortiSandbox Cloud. The associated FortiGate Cloud account appears.
  2. In Security Profiles > AntiVirus, create a profile that has Send Files To FortiSandbox Cloud For Inspection enabled.
  3. Create a firewall policy with logging enabled that uses the FortiSandbox-enabled AV profile.
  4. Once devices have uploaded some files to FortiSandbox Cloud, log in to the FortiGate Cloud portal to see the results.

To go to the device list:

You can return to the device list from the Analysis, Management, or Sandbox page for an individual device.

  1. In the upper left corner, click Show Device List.

Dashboard

You can see an overview of the FortiSandbox results on the Dashboard.

The Dashboard contains the following widgets:

Widget Description
System Status Quick view of the current state of the AV databases and load.
Top 5 Targeted Hosts (Last 24 Hours) Displays which hosts received the most threats during the last 24 hours.
Scan Result (Today and Past 7 Days) Shows the last eight days of results and their risk levels. You can toggle the display of clean files in the chart by selecting the checkmark in the lower right of the widget.
Top 20 File Types (Last 24 Hours) Displays the most commonly analyzed file types in the last 24 hours of scanning.

Records and On-Demand

Records displays files that your connected device’s AV has flagged as suspicious, which have been uploaded to FortiGate Cloud for FortiGuard analysis. In On-Demand, you can manually upload files for FortiGuard analysis, and view the analysis results. These pages may not appear if you do not have the FortiSandbox Cloud service enabled on the connected device.

You can select an analysis level and click the file names for more information. On-Demand also has an Export option, which allows you to export a CSV or PDF of on-demand results, and Upload File, where you can manually upload a file for analysis.

The maximum file size is 10 MB. The processing time may vary based on the file size.

Setting

In Setting, you can configure FortiSandbox Cloud settings:

  • Enable Alert Setting: to enable alert emails, enter multiple emails (one per line) to receive alerts, and set which severity level triggers sending alert emails.
  • Log Retention: set number of days to retain log data.
  • Malware Package Options and URL Package Options: select the risk level of data that will be automatically submitted to FortiGuard to further antithreat research.

To configure FortiSandbox alert emails:

  1. Go to SandBox > Setting.
  2. Select Enable Alert Setting.
  3. Enter emails into the list to contact in the event of a FortiSandbox alert.
  4. Select the severity levels to trigger an alert.


FortiGate Cloud – Inventory


Inventory

Inventory displays a centralized inventory of all FortiGate and FortiWifi devices from all FortiGate Cloud instances in a domain group, regardless of datacenter. For example, if you are accessing Inventory from the European datacenter, you will see the inventory of a connected FortiGate Cloud instance from the global datacenter.

Inventory is divided into tabs: FortiGate Inventory, FortiCare Inventory, FortiGate Cloud Deployed, and FortiManager Deployed. You can filter each list by searching for the device serial number in the SN searchbar or selecting the desired bulk key from the Bulk Key dropdown list.

FortiGate Inventory

FortiGate Inventory displays the inventory of all FortiGate and FortiWifi devices imported by FortiCloud key or bulk key to FortiGate Cloud, including each device’s subscription status. The inventory provides a centralized view of all devices imported into the Europe and global services. From here, you can deploy devices to FortiGate Cloud or FortiManager, if configured. You can also delete an imported device from the inventory.

To deploy devices to FortiGate Cloud:

  1. On the homepage, go to Inventory.
  2. Select the desired devices.
  3. Click Deploy to FortiGate Cloud.
  4. In the Deploy to FortiGate Cloud dialog, if you have enabled multitenancy, configure the following options:
Option Description
Sub Account Select the desired subaccount to add the devices to.
Task Name Enter the desired task name.
Template From the dropdown list, select the desired template. This dialog only displays templates applicable for the selected devices. If you select a template, this enables configuration management for the devices. For details on creating and configuring a template, see Templates on page 47.
Auto Upgrade Firmware to Match Template Version Enable to automatically upgrade FortiOS on these devices to the template version, if the template FortiOS version is newer. Ensure that you review the FortiOS Upgrade Path to ensure that upgrade is supported before enabling this option.
  5. Configure the timezone for the selected devices.
  6. Click Deploy. These devices are deployed to FortiGate Cloud, and you can now access them on the FortiGate Cloud Deployed tab.

To deploy a device to FortiManager:

  1. On the homepage, go to Inventory.
  2. From the Deploy to FortiManager dropdown list, select FortiManager Setup.
  3. In the FortiManager Setup dialog, enter the desired FortiManager IP address/FQDN and serial number. Click Submit.
  4. Select the desired devices.
  5. Click Deploy to FortiManager.
  6. Click Deploy. These devices are deployed to FortiManager, and you can now view their serial numbers on the FortiManager Deployed tab. Once deployed to FortiManager, FortiGate Cloud has no control over the device. You cannot manage the device in FortiGate Cloud until you set central management back to FortiGate Cloud.

To delete a device from inventory:

  1. On the homepage, go to Inventory.
  2. Select the desired devices.
  3. Click Delete.
  4. In the confirmation dialog, click YES.

FortiCare Inventory

FortiCare Inventory displays the devices that are registered to FortiCare under the account’s primary administrator email address. Only the primary administrator can view and deploy these devices from the FortiCare Inventory to FortiGate Cloud. To deploy FortiCare devices to FortiGate Cloud, follow the instructions described in To deploy devices to FortiGate Cloud: on page 40, from the FortiCare Inventory tab.

FortiGate Cloud Deployed and FortiManager Deployed

The FortiGate Cloud Deployed and FortiManager Deployed tabs display all FortiGate and FortiWifi devices deployed to FortiGate Cloud and FortiManager, respectively. The tabs also display the devices’ subscription statuses and the date and time that they were deployed to FortiGate Cloud or FortiManager. Click a device serial number to access Analysis, Management, and SandBox functions for that device.

The FortiGate Inventory tab provides a centralized view of all devices imported into the Europe and global services. However, after you deploy a FortiGate to FortiGate Cloud, you can only view the FortiGates deployed to the service that you are currently logged in to on the FortiGate Cloud Deployed tab. For example, if you are currently logged in to the Europe service, the FortiGate Cloud Deployed tab only displays FortiGates deployed to the FortiGate Cloud Europe service.

FortiGate Cloud – Multitenancy


Multitenancy

The multitenancy account is a FortiGate Cloud premium account designed for MSSPs. A multitenancy account is a one- or five-year service for an administrator to create and manage multiple subaccounts. It also allows you to move devices between these accounts. You can allocate administrators to each subaccount with full or read-only access, allowing more control over a managed service’s provisioning.

After you activate multitenancy, FortiGate Cloud replaces the default Analysis, Management, and SandBox homepages with the multitenancy Analysis, Management, and SandBox homepages.

You can access management actions from the multitenancy homepage. Some actions are not unique to multitenancy and are described elsewhere in this document. For descriptions of these functions, see Analysis on page 16, Management on page 29, and SandBox on page 35.

To activate multitenancy:

  1. Contact your Fortinet partner or reseller, requesting the following SKU: FCLE-10-FCLD0-161-02-DD. They email you a multitenancy activation code.
  2. In the FortiGate Cloud interface, click the My Account icon.
  3. Under the admin/user list, select Activate multi-tenancy feature.
  4. Enter the activation code, and click Submit.

To configure basic multitenancy:

  1. On the Inventory page, select Import FortiCloud Key or Import Bulk Key to add multiple FortiGate Cloud licenses at once.
  2. On the FortiGate Inventory subpage, select one or multiple devices, and select Deploy to FortiGate Cloud. Select the subaccount for the selected devices and template, if any. You can also select a timezone for the devices.
  3. Click Deploy. The devices are moved to the FortiGate Cloud Deployed tab.

To assign a device to a subaccount on the homepage:

Assigning a device to a new subaccount keeps the device data in FortiGate Cloud, including logs, reports, and configuration backup, and moves this data to the new subaccount. To delete this data, you must undeploy your device from FortiGate Cloud, then assign it to the desired subaccount.


You can assign a device to a different subaccount, including RMA devices.

  1. On the multitenancy homepage, click the Config icon beside the desired device, then click Assign To.
  2. In the Assign To dialog, select the desired subaccount, then click Submit.
  3. In the confirmation dialog, click YES.

To manage subaccounts:

  1. The multitenancy homepage lists subaccounts on the left panel. To manage a subaccount, click the desired subaccount. From the dropdown list, select the desired management action.
  2. On the multitenancy page, click the My Account icon. You can view all accounts associated with this FortiGate Cloud. Use the dropdown list to view Global, SubAccount, or All Users. You can see in this dialog that users have different roles. For descriptions of the roles, see User roles on page 44.
  3. Click the Edit icon for the desired account.
  4. In the My Account > Edit User dialog, for Manage Sub Account, select Selected. Select the desired subaccounts for this user to manage.

User roles

The multitenancy account includes different user roles. You can view users and their roles by clicking the My Account icon.

User role Description
Admin (All) Administrator who can access devices under all subaccounts.
Admin (1) Administrator who can only access devices under the one subaccount that is assigned to them, including the assigned subaccount’s child subaccounts.
Regular (All) Regular user who has view-only access to all subaccounts.
Regular (1) Regular user who has view-only access to all subaccounts, including the assigned subaccount’s child subaccounts.

Admin (All)

The Admin (All) user can view and access all subgroups on the left pane, and use Management functions.

Admin (1)

The Admin (1) user can only access devices under the one subaccount assigned to them (and any child subaccounts), as shown in the left pane. They can access Management functions.

Regular (All)

The Regular (All) user has view-only access to all subgroups, but has no access to Management functions.

Regular (1)

The Regular (1) user has view-only access to devices under the subaccount assigned to them (and any child subaccounts), as shown in the left pane. In this example, the user is assigned access to the sub_2 subaccount, which means they can also view devices assigned to the sub_2_a and sub_2_b subaccounts, which are children of the sub_2 subaccount. The Regular (1) user cannot access Management functions.

Group management

Multitenancy also enables group management actions. You can apply actions to a group of FortiGate and FortiWifi devices, simplifying administrative tasks.

Some group management actions require that you enable management on the selected device. See Management on page 29.

You can access group management actions from the Analysis and Management homepages when multitenancy is enabled.

Some actions are not unique to group management and are described elsewhere in this document in the context of use on a single device; multitenancy simply offers the ability to apply the action to multiple devices. For descriptions of these functions, see the following topics:

Schedule Report To schedule a report: on page 25
Deploy Config To deploy cloud configuration to devices: on page 31
Upgrade Firmware To upgrade remote device firmware: on page 32
Run Script To execute a script on a remote device: on page 33
Set Auto Backup To enable auto backup: on page 31
Manage Report Configs Reports on page 24
Manage Scripts Script on page 33

The following describes actions exclusive to group management:

To view group task status:

You can view the current status of group management actions.

  1. On the Management homepage, click Group Management > Task Status. The Group Task Status displays the group management actions and their statuses. You can click # devices beside the task type to view the devices that the group management action was applied to.

Templates

You can create device configuration templates and deploy different templates to applicable devices to simplify device management. FortiGate Cloud applies the template to the selected devices.

To create a template:

  1. On the Management homepage, click Group Management > Manage Templates.
  2. Click Create Template.
  3. In the Name field, enter the desired template name.
  4. In the Description field, enter the desired template description.
  5. For Create template based on, select one of the following:
Option Description
In-cloud config copy of sampling device Create a template based on a sample device that has already been added to FortiGate Cloud. Select the desired device from the dropdown list. Only devices from the subaccount selected in Sub Account are available.
Platform and version Create a template based on a specific FortiGate or FortiWifi platform and FortiOS version.
Config file Create a template based on a configuration file. You must upload a .conf file.
  6. For Feature set, select the desired features.
  7. For Sub Account, select the desired sub account for this template.
  8. Click Apply.

To apply a template to devices:

  1. On the Management homepage, select the desired devices.
  2. Click Group Management > Use Templates.
  3. In the Use Templates dialog, select the desired template. The dialog only shows templates applicable for the current selected devices.
  4. Click Apply. FortiGate Cloud applies the template to the selected devices.

To revoke templates from devices:

  1. On the Management homepage, select the desired devices.
  2. Click Group Management > Un-use Templates.
  3. Click Apply. FortiGate Cloud revokes the templates from the selected devices.

To edit a template:

  1. On the Management homepage, go to Group Management > Manage Templates.
  2. Click the Edit icon for the desired template.
  3. For a template that has already been applied to devices, you can configure device-specific settings:
    1. Go to the desired configuration page, then expand Device Specific Settings.
    2. Click Create New.
    3. In the New Device Specific Settings dialog, select the desired device’s serial number from the SN dropdown list.
    4. To configure a device-specific setting, enable Override Template Setting, then configure the desired option. Otherwise, FortiGate Cloud applies the template setting to the device. Click OK.

The example configures a device-specific setting for the time zone using Cape Verde Island time, which differs from the template setting, which uses Jerusalem time.



FortiGate Cloud – IOC


IOC

FortiGate Cloud IOC alerts administrators about newly found infections and threats to devices in their network. By analyzing UTM logging and activity, IOC provides a comprehensive overview of threats to the network.

IOC detects three threat types, based on the evolving FortiGuard database:

Threat type Description
Malware Malicious programs residing on infected endpoints
Potentially unwanted programs Spyware, adware, and toolbars
Unknown Threats that the signature has detected but are not associated with any known malware

The free version of IOC is currently available on all accounts in the North America datacenter. The free version alerts you to threats and automatically prepares a comprehensive threat report. Threats listed only provide infected devices’ partial IP addresses: server and subnet.

A subscription grants access to IP address whitelisting, which allows you to narrow your malware search by excluding safe IP addresses and domains, and alert emails to notify you directly of detected network threats. You can also view infected devices’ full IP addresses, allowing you to better control their access to your network.

To purchase an IOC subscription:

  1. Open the Plan page in the FortiGate Cloud IOC site, and select Buy Online.
  2. Complete the purchase process, and wait for the key to arrive by email.
  3. Log into the Fortinet Support website.
  4. On the Asset page, register the code as if it were a new product’s serial number, and then enter the serial number of the FortiGate Cloud-connected device that you want the service to monitor. The service automatically takes effect.

To access IOC using a non-multitenancy account:

  1. In the FortiGate list, click the Threats/Suspicious label under System Status. This only appears if the FortiGate has detected any threats.

To access IOC using a multitenancy account:

  1. In the FortiGate list, look to the right. If your FortiGate has detected any threats, a bomb icon is visible. Click the bomb icon.

FortiGate Cloud – FortiDeploy


FortiDeploy

FortiDeploy is a product built into FortiGate Cloud for one-touch provisioning when devices are deployed locally or remotely. FortiDeploy provides automatic connection of FortiGates to be managed by FortiGate Cloud or a FortiManager.

At time of purchase, you can order a FortiDeploy SKU in addition to your FortiGate Cloud subscription.

When you visit the FortiGate Cloud portal and enter the bulk FortiGate Cloud key, you see a list of serial numbers from the order that contained the FortiDeploy SKU. After you confirm that the devices are connected, you can perform basic configuration on the devices remotely, such as sending a FortiManager IP address to all remote FortiGates, so that the FortiManager can manage them remotely.

FortiDeploy support starts the moment you send an email to cs@fortinet.com. You can also contact cs@fortinet.com if you have already purchased a FortiGate Cloud subscription and want to purchase FortiDeploy to add to your existing subscription.

FortiDeploy is available for FortiGate, FortiWiFi, and PoE desktop and 1U models up to the 900D. It is recommended for trained personnel to handle larger deployments. FortiDeploy is available for devices running FortiOS 5.2.2 and later.

To enable autojoining FortiGate Cloud:

From FortiOS 5.2.3 and later, the auto-join-forticloud option is enabled by default. It must be enabled for FortiDeploy to function correctly. You can ensure that the option is enabled by running the following commands:

config system fortiguard
    set auto-join-forticloud enable
end

After changing this setting, restart the device and ensure that the device is sending traffic to FortiGate Cloud to verify that you have configured it correctly.

To set central management to FortiGuard:

If your device is connected to FortiGate Cloud but not cloud-managed, ensure that central management is set to FortiGuard:

config system central-management
    set type fortiguard
end

Reboot the device, log into FortiGate Cloud, and see if you can manage the device.

To use FortiDeploy with a device deployed behind a NAT device:

The default address of the internal or LAN interface is the 192.168.1.0/24 subnet. IP conflicts can occur with departmentalization devices. You can unset each device’s default IP address:

config system interface
    edit internal
        unset ip
    next
end

config system interface
    edit lan
        unset ip
    next
end

You can change the web-based management interface’s internal interface IP address in Network > Interfaces.

Set up FortiDeceptor


Set up FortiDeceptor

This section explains the initial set up of FortiDeceptor.

Connect to the GUI

Use the GUI to configure and manage FortiDeceptor.

To connect to the FortiDeceptor GUI:

  1. Connect the port1 (administration) interface of the device to a management computer using an Ethernet cable.
  2. Configure the management computer to be on the same subnet as the internal interface of the FortiDeceptor unit:
    • Change the IP address of the management computer to 192.168.0.2.
    • Change the network mask to 255.255.255.0.
  3. Go to https://192.168.0.99.
  4. Type admin in the Name field, leave the Password field blank, and click Login.

You can now proceed with configuring your FortiDeceptor unit.

Connect to the CLI

You can use CLI commands to configure and manage FortiDeceptor.

To connect to the FortiDeceptor CLI:

  1. In the FortiDeceptor banner at the top, click the CLI Console icon.

The CLI Console pane opens.

  2. If necessary, click Connect and enter your username and password.

The CLI Console pane has icons to disconnect from the CLI console, clear console text, download console text, copy console text, open the CLI console in its own window, and close the console.

  3. To close the CLI console, click the Close icon.


Change the system hostname

The System Information widget displays the full host name. You can change the FortiDeceptor host name.

To change the host name:

  1. Go to Dashboard > System Information.
  2. Click Change beside Host Name.
  3. In the New Name field, type a new host name.

The hostname can start with a character or digit, and cannot end with a hyphen. A-Z, a-z, 0-9, or hyphen are allowed (case-sensitive). Other symbols, punctuation, or white space are not allowed.

  4. Click Apply.
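The host name rules stated above (first character a letter or digit, only A-Z, a-z, 0-9 and hyphen allowed, no trailing hyphen, no other punctuation or white space) are the kind of input constraint worth checking before a change is pushed through automation. The validator below is an added example written for this page, not FortiDeceptor's own code; it implements only the rules the text lists and assumes no length limit, because none is stated.

```python
import re

# Characters the documentation allows anywhere in the host name.
_ALLOWED_CHAR = re.compile(r"[A-Za-z0-9-]")
# Full-name pattern: letter or digit first, then letters, digits or hyphens.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]*")


def hostname_problem(name):
    """Return None if `name` satisfies the host name rules, else a reason string.

    Rules implemented: non-empty; starts with a letter or digit; contains
    only A-Z, a-z, 0-9 and hyphen; does not end with a hyphen.
    """
    if not name:
        return "host name is empty"
    if name[0] == "-":
        return "host name cannot start with a hyphen"
    if name.endswith("-"):
        return "host name cannot end with a hyphen"
    if not _HOSTNAME_RE.fullmatch(name):
        # Report every offending character once, in a stable order.
        bad = sorted({c for c in name if not _ALLOWED_CHAR.fullmatch(c)})
        return "disallowed characters: " + ", ".join(repr(c) for c in bad)
    return None


def is_valid_hostname(name):
    """Boolean convenience wrapper around hostname_problem()."""
    return hostname_problem(name) is None


if __name__ == "__main__":
    # Constructed sample names covering each rule.
    for candidate in ["FortiDeceptor-01", "9lab", "-decoy", "decoy-", "decoy_01", "decoy 01", ""]:
        print(repr(candidate), "->", hostname_problem(candidate) or "ok")
```

Case is preserved rather than normalized, matching the note that the name is case-sensitive.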

Change the administrator password

By default, you can log in to the GUI using admin and no password. It is highly recommended that you add a password to the admin account. For better security, regularly change the admin account password and the passwords for any other administrator accounts that you add.

To change the password of the logged in administrator:

  1. In the FortiDeceptor banner at the top, click the username and select Change Password.
  2. Change the password and click OK.

To change the administrator password in the Administrators page:

  1. Go to System > Administrators.
  2. Select an administrator and click Edit.
  3. Change the password and click OK.

Configure the system time

You can change the FortiDeceptor system time in the Dashboard. You can configure the FortiDeceptor system time manually or synchronize with an NTP server.

To configure the system time:

  1. Go to Dashboard > System Information.
  2. Click Change beside System Time.
  3. Set the system time and click Apply. You might need to log in again.

FortiDeceptor – Deploy Decoy VM


Deploy Decoy VM

The Deception pages allow you to deploy Decoy VMs on your network. When a hacker gains unauthorized access to a Decoy VM, their movements can be monitored to understand how they attack the network.

Apart from the default decoy Windows, Linux, or SCADA OS images, FortiDeceptor supports custom OS images with a purchased subscription service. You can upload your custom ISO images and install the FortiDeceptor Toolkit on the image. For instructions, click the Help icon in the toolbar and select Customization.

To use FortiDeceptor to monitor the network:

  • Go to Deception > Deception OS to check the Deception OS available. See View available Deception OS.
  • Go to Deception > Deployment Network to auto-detect or specify the network where the Decoy VMs are deployed.
  • Go to Deception > Deployment Wizard to deploy the Decoy VM on the network.
  • Go to Deception > Decoy & Lure Status to start or stop deployed Decoy VMs, or download the FortiDeceptor Token Package to manually install on computers.
  • Go to Deception > Decoy Map to see the network of Decoy VMs.
  • Go to Deception > Whitelist to specify the network that is to be considered safe. This is useful if the administrator wants to log into the deployment network and not be flagged as an attacker.

View available Deception OS

The Deception > Deception OS page lists the deception OSes available for creating Decoy VMs.

Column   Description
Delete   Delete a custom OS that you have applied.
Status   Status of the Deception OS.
Name   Name of the Deception OS.
OS Type   Operating System type.
VM Type   VM type of the Deception OS endpoint.
Lures   Lures used by the Decoy VM such as SSH, SAMBA, SMB, RDP, HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GuardianAST, or IEC104.

Set up the Deployment Network

Use the Deception > Deployment Network page to set up a monitoring interface into a VLAN or a subnet.

To add a VLAN or subnet to FortiDeceptor:

  1. Go to Deception > Deployment Network.
  2. Enable Auto VLAN Detection to automatically detect the VLANs on your network.

Auto VLAN detection allows FortiDeceptor to detect the available VLANs on the deployment network interface and display them in the GUI. You can select and add the VLANs for the deployment of Decoys later.

  3. Select the Detection Interface and click OK.

You can select multiple ports.

  4. Click Add New VLAN/Subnet to manually add a VLAN or a subnet. Configure the following settings:

Setting   Description
Interface   The port that connects to the VLAN or subnet.
VLAN ID   The VLAN’s unique integer ID.
Deploy Network IP/Mask   The IP address to monitor. This is useful to mask the actual IP address.
Ref   The number of objects referring to this object.
Status   Status of the IP address, such as whether it is initialized.
Action   Click Edit to edit the VLAN or subnet entry. The Edit button is visible only after the entry is saved.

  5. Click Save.

The network IP/mask must be an IP address and not a subnet.

You must use the following guidelines to set the network IP/mask:

  • Interface name and VLAN ID must be unique among all network IP/masks.
  • If VLAN ID is 0, the network IP/mask must be unique among all the network IP/masks without VLAN and all system interfaces.
  • If VLAN is not 0, the network IP/mask must be unique among all subnets in the same VLAN.

Deploy Decoy VMs with the Deployment Wizard

Use the Deception > Deployment Wizard page to create and deploy Decoy VMs on your network. Decoy VMs appear as real endpoints to hackers and can collect valuable information about attacks.

To deploy Decoys on the network:

  1. Go to Deception > Deployment Wizard.
  2. Click + to add a Decoy VM.
  3. Configure the following:

Setting   Description
Name   Specify the name of the deployment profile. Maximum 15 characters using A-Z, a-z, 0-9, dash, or underscore. No duplicate profile names.
Available Deception OSes   Select a Deception OS.
Selected Services   Displays the selected services. You cannot edit this field.

  4. For an Ubuntu VM, turn on SSH or SAMBA. For Windows, turn on RDP or SMB. For SCADA, turn on HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GUARDIANAST, or IEC104.
  5. Click Add Lure for the service and configure the following:

Setting   Description
Username   Specify the username for the decoy. Maximum 19 characters using A-Z, a-z, or 0-9. Do not set the username of the lures to be the same as existing usernames in the decoy, such as administrator for RDP/SMB services on Windows, or root for SSH/SAMBA services on Linux.
Password   Specify the password for the decoy in 1-14 non-unicode characters.
Sharename   This option is only available for SAMBA (Ubuntu) or SMB (Windows). Specify a Sharename in 3-63 characters using A-Z, a-z, or 0-9.
Update or Cancel   Click Update to save the username and password. Click Cancel to discard the username and password. Click Delete to delete an existing lure.

  6. To launch the decoy VM immediately, enable Launch Immediately.
  7. To reset the decoy VM after it detects incidents, enable Reset Decoy and specify the Reset Interval value in seconds.
  8. Click Next.
  9. Specify the Hostname. The Hostname can start with an English letter or a digit, and must not end with a hyphen. Maximum 15 characters using A-Z, a-z, 0-9, or hyphen (case-sensitive). Other symbols, punctuation, or white space are not allowed. The Hostname cannot conflict with decoy names.
  10. Click Add Interface.
  11. Select the Deploy Interface. Set this to the VLAN or subnet added in Set up the Deployment Network.
  12. Configure the following settings in the Add Interface for Decoy pane:

Setting   Description
Addressing Mode   Select Static or DHCP. Static allows you to configure the IP address for all the decoys. DHCP allows the decoys to receive an IP address from the DHCP server. If you select DHCP, IP Count is automatically set to 1 and all other fields are not applicable.
Network Mask   This field is set automatically.
Gateway   Specify the gateway.
IP Count   Specify the number of IP addresses to be assigned, up to 16. If Addressing Mode is DHCP, IP Count is automatically set to 1.
Min   The minimum IP address in the IP range.
Max   The maximum IP address in the IP range.
IP Ranges   Specify the IP range between Min and Max.

  13. Click Done.
  14. To deploy the decoys on the network, click Deploy.
  15. To save this as a template in Deception > Deployment Wizard, click Template.
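The hostname, lure and Deployment Network rules given in this procedure and in Set up the Deployment Network can be checked before a plan is entered in the wizard. The following Python is an added example and not FortiDeceptor code; the row layout of the plan, the list of the unit's own interface addresses, and the reading of "not a subnet" as "not the all-zero network address" are this example's assumptions.

```python
"""Pre-flight checks for a FortiDeceptor decoy deployment plan.

Added example, not FortiDeceptor code: it encodes the field rules the guide
states for the Deployment Wizard and Deployment Network pages. Row layouts
and the list of the unit's own interface addresses are assumed inputs.
"""
import ipaddress
import re

# Hostname: 1-15 chars of A-Z a-z 0-9 or hyphen, starting with a letter or
# digit and not ending with a hyphen (Deployment Wizard, Hostname step).
HOSTNAME_RE = re.compile(r"^(?!.*-$)[A-Za-z0-9][A-Za-z0-9-]{0,14}$")
LURE_USER_RE = re.compile(r"^[A-Za-z0-9]{1,19}$")  # Add Lure, Username field
# Built-in decoy accounts the guide says a lure username must not duplicate.
RESERVED_USERS = {"windows": {"administrator"}, "ubuntu": {"root"}}


def check_hostname(name, existing_decoy_names):
    """Return the rule violations (empty list means OK) for a decoy hostname."""
    errors = []
    if not HOSTNAME_RE.match(name):
        errors.append(f"hostname {name!r}: 1-15 chars of [A-Za-z0-9-], must "
                      "start with a letter or digit and not end with '-'")
    if name in existing_decoy_names:
        errors.append(f"hostname {name!r} conflicts with an existing decoy name")
    return errors


def check_lure(os_type, username, password):
    """Validate one lure credential against the Add Lure field rules."""
    errors = []
    if not LURE_USER_RE.match(username):
        errors.append(f"lure user {username!r}: 1-19 chars of A-Z, a-z, 0-9")
    if username.lower() in RESERVED_USERS.get(os_type, set()):
        errors.append(f"lure user {username!r} duplicates a built-in {os_type} account")
    if not (1 <= len(password) <= 14 and password.isascii()):
        errors.append("lure password: 1-14 non-unicode characters required")
    return errors


def check_deployment_networks(entries, system_interface_ips):
    """Apply the Deployment Network guidelines to (interface, vlan, ip/mask) rows."""
    errors, seen_pairs, ips_by_vlan = [], set(), {}
    for iface, vlan, ip_mask in entries:
        addr = ipaddress.ip_interface(ip_mask)
        # "must be an IP address and not a subnet": read here as the host part
        # must not be the all-zero network address (assumed interpretation).
        if addr.network.prefixlen < addr.max_prefixlen and addr.ip == addr.network.network_address:
            errors.append(f"{ip_mask}: must be a host IP address, not a subnet")
        if (iface, vlan) in seen_pairs:
            errors.append(f"{iface} / VLAN {vlan}: interface and VLAN ID must be unique")
        seen_pairs.add((iface, vlan))
        # VLAN 0 rows share one namespace with the unit's own interfaces;
        # tagged rows only need to be unique within their own VLAN.
        if vlan not in ips_by_vlan:
            ips_by_vlan[vlan] = set(system_interface_ips) if vlan == 0 else set()
        if str(addr.ip) in ips_by_vlan[vlan]:
            errors.append(f"{ip_mask} on VLAN {vlan}: network IP/mask is not unique")
        ips_by_vlan[vlan].add(str(addr.ip))
    return errors
```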

Deploy the FortiDeceptor Token Package

Use a FortiDeceptor Token Package to add breadcrumbs on real endpoints and lure an attacker to a Decoy VM. Tokens are normally distributed within real endpoints and other IT assets on the network to maximize the deception surface.

To download a FortiDeceptor Token Package:

  1. Go to Deception > Decoy & Lure Status.
  2. Select the Decoy VM by clicking its checkbox.
  3. To download the FortiDeceptor Token Package, click Download Package.

You can only download packages with valid IP addresses. A package must have a status of Initialized, Stopped, Running, or Failed.

To deploy or uninstall a FortiDeceptor Token Package on an existing endpoint:

  1. Copy the downloaded FortiDeceptor Token Package to an endpoint such as a Windows or Linux endpoint.
  2. Unzip the FortiDeceptor Token Package.
  3. In the folder for the OS, such as windows or ubuntu, follow the instructions in txt to install or uninstall the Token Package.
     • For Windows, open the windows folder, right-click windows_token.exe and select Run as administrator.
     • For Ubuntu, open Terminal and run python ./ubuntu_token.py.

When the FortiDeceptor Token Package is installed on a real Windows or Ubuntu endpoint, it increases the deception surface and lures the attacker to a Decoy VM.

Monitor Decoy & Lure Status

The Deception > Decoy & Lure Status page shows the status of the Decoys on your network.

We recommend operating Decoy VMs with the same status for expected behavior.

To view the Deception Status:

  1. Go to Deception > Decoy & Lure Status. The page displays the following columns:

Column   Description
Action   Click View detail to see the decoy’s configuration details. Click Copy to Template to duplicate the decoy as a template. Click Start or Stop to start or stop the decoy. Click Delete to delete the decoy. Click Download to download the FortiDeceptor Token Package. Click VNC to open a VNC session to the decoy.
Status   The status of the decoy can be Initializing, Running, Stopped, or Cannot Start. If the Decoy VM cannot start, hover over the VM to see the reason.
Decoy Name   Name of the decoy.
OS   Operating system of the decoy.
VM   The name of the Decoy VM.
Enabled Services   The number of decoy services enabled on this VM.
IP   The IP address of the Decoy VM.
Services   List of services enabled. Hover over an icon to see a text list.
Network Type   Shows if the IP address is Static or DHCP.
DNS   DNS of the Decoy VM.
Gateway   Gateway of the Decoy VM.

To delete one or more Decoy VMs:

  1. Go to Deception > Decoy & Lure Status.
  2. Click Delete beside the Decoy VM.
  3. Click OK.

To start one or more Decoy VMs:

  1. Go to Deception > Decoy & Lure Status.
  2. Select one or more Decoy VMs that are stopped.
  3. Click Start.

To stop one or more Decoy VMs:

  1. Go to Deception > Decoy & Lure Status.
  2. Select one or more Decoy VMs that are running.
  3. Click Stop.

Decoy Map

Deception > Decoy Map is a visual representation of the entire network showing real endpoints and Decoy VMs. You can apply filters to focus on specific decoys.

To work with the Decoy Map:

  1. Go to Deception > Decoy Map.
     • To change the display, drag items to another location.
     • Scroll to zoom in or out.
     • Click a node to see its information.
  2. Click Click to begin filtering to select a filter type and type values. Filter types include Decoy Name, Decoy IP, and Lure Type.

You can use multiple arguments with different filter types. All filter arguments and time indicator arguments are considered “AND” conditions.

  3. To locate the node on the map, use the LOCATE BY IP
  4. To save a snapshot of the map, click Save view.

Configure a Whitelist

Use the Deception > Whitelist page to add an IP address for an administrator to log into the network. User actions from a whitelisted IP address are recorded as an Event or Incident.

To add a new whitelist IP address:

  1. Go to Deception > Whitelist.
  2. Click Add New Whitelist IP and configure its settings:
IP Address   Specify the IP address from where the connection originates.
Source Ports   Specify the source ports from where the connection originates.
Destination Ports   Specify the destination ports on the network where the connection terminates.
Description   Specify a description. For example, you can name it as Safe_Network.
Services   Select the name of the services used to connect to the network.
Status   Select Enabled or Disabled.
Action   Click Update or Cancel.

DMZ Mode

You can deploy a FortiDeceptor hardware unit or VM in the demilitarized zone (DMZ). When FortiDeceptor is installed in the DMZ network, you can monitor attacks on that network.

Limitations of the DMZ Mode

The DMZ Mode in FortiDeceptor functions like regular mode with the following exceptions:

  • When DMZ mode is enabled, the banner displays DMZ-MODE.
  • In Deception > Deployment Network, Deception Monitor IP/Mask is hidden. See Set up the Deployment Network.
  • In Deception > Decoy & Lure Status in the Deception Status view, the Attack Test selection is disabled.
  • Decoy VMs are limited to one deploy Interface. For information about the IP address range, see Deploy Decoy VMs with the Deployment Wizard.

To enable DMZ mode in the CLI:

dmz-mode -e

To disable DMZ mode in the CLI:

dmz-mode -d

 

FortiDeceptor – Monitor Attacks


Monitor Attacks

Administrators can monitor attacks in two ways:

To monitor attacks using Incident pages:

  • Incident > Analysis lists incidents and related events detected by FortiDeceptor.
  • Incident > Campaign lists attacks and related events detected by FortiDeceptor.
  • Incident > Attack Map shows attacks and related events detected by FortiDeceptor.

To monitor attacks using Dashboard widgets:

  • Use the Dashboard Incidents & Events Distribution widget. See Incidents and Events Distribution.
  • Use the Dashboard Incidents & Events Count widget.

Analysis

Incident > Analysis lists the Incidents detected by FortiDeceptor.

To use the Analysis page:

  1. Go to Incident > Analysis.
  2. The Analysis page displays the list of events:

Column   Description
Severity   Severity of the event.
Last Activity   Date and time of the last activity.
Type   Type of event.
Attacker IP   Attacker IP mask.
Attacker User   Attacker username.
Victim IP   IP address of the victim.
Victim Port   Port of the victim.
Lure   Name of the lure service.
Decoy ID   Unique ID of the Decoy VM.
ID   ID of the incident.
Attacker Port   Port where the attack originated.
Tag Key   Unique key string for the incident.
Attacker Password   Password used by the attacker.
Start   Date and time when the attack started.

  3. To refresh the data, click Refresh.
  4. To download the detailed analysis report in PDF format, click Export to PDF.
  5. To mark items as read, expand the incident details or click Mark all as read.

Newly detected incidents are in bold to indicate they are unread.

  6. To display specific types of events, click Show All, IPS Events Only, or Web Filter Events Only.
  7. To specify columns and table settings, use the Settings icon at the bottom right.

Campaign

Incident > Campaign lists the Attacks detected by FortiDeceptor. An Attack consists of multiple Incidents.

To use the Campaign page:

  1. Go to Incident > Campaign.
  2. The Campaign page displays the list of attacks:

Column   Description
Severity   Severity of the event.
Start   Date and time when the attack started.
Last Activity   Date and time of the last activity.
Attacker IP   IP mask of the attacker.
ID   ID of the campaign record.
Timeline   Click Timeline to see the timeline of the Attack from start to finish.
Table   Click Table to see all the Events in table view.

  3. To refresh the data, click Refresh.
  4. To export the data, click Export to PDF.
  5. To specify columns and table settings, use the Settings icon at the bottom right.

Attack Map

Incident > Attack Map is a visual representation of the entire network showing real endpoints, Decoy VMs, and ongoing attacks.

To work with the Attack Map:

  1. Go to Incident > Attack Map.
     • To change the display, drag items to another location.
     • Scroll to zoom in or out.
     • Click a node to see its information.
  2. At the bottom of the Attack Map, use the timeline indicator to set the start and end time.
  3. Click Click to begin filtering to select a different filter type and type values. Filter types include Attacker IP, Victim IP, and Decoy IP.

You can use multiple arguments with different filter types. All filter arguments and time indicator arguments are considered “AND” conditions.

  4. To locate the node on the map, use the LOCATE BY IP
  5. To save a snapshot of the map, click Save view.

Incidents and Events Distribution

This dashboard widget displays the number of incidents and events with the following risk level information and options.

Risk Level   Description
Unknown   Incident or Event where the risk level is unknown. Entries are in grey.
Low Risk   Incident or Event where the risk level is low. Entries are in green.
Medium Risk   Incident or Event where the risk level is medium. Entries are in yellow.
High Risk   Incident or Event where the risk level is high. Entries are in orange.
Critical   Incident or Event where the risk level is critical. Entries are in red.

Hover over the pie chart to see the number of Incidents or Events and their percentage.

To customize this widget:

  1. Click the edit icon to make the following changes:
     • Enter a Customized Widget Title.
     • Change the Refresh Interval.
     • Select a Time Period: Last 24 Hours, Last 7 Days, or Last 4 Weeks.

Incidents and Events Count

This dashboard widget displays the number of Incidents and Events.

Item   Description
Event   Click Event to show or hide the number of events in the time period. Events are in blue.
Incidents   Click Incident to show or hide the number of incidents in the time period. Incidents are in orange.
Time/Date   The time or date the Incident or Event occurred.

To customize this widget:

  1. Click the edit icon to make the following changes:
     • Enter a Customized Widget Title.
     • Change the Refresh Interval.
     • Select a Time Period: Last 24 Hours, Last 7 Days, or Last 4 Weeks.

Top 10 Attackers by Events

This dashboard widget displays the top ten attackers by the number of events.

Item   Description
IP Address   IP address of the attacker.
Number of Events   Hover over an IP address to see the total number of Events.

Top 10 Attackers by Incidents

This dashboard widget displays the top ten attackers by the number of incidents.

Item   Description
IP Address   IP address of the attacker.
Number of Incidents   Hover over an IP address to see the total number of Incidents.

Top 10 IPS Attacks

This widget displays the top 10 IPS attacks by the number of attack events.

Item   Description
IPS attack name   IP address of the attacker.
Number of attack events   Hover over an IPS attack name to see the total number of attack events.

Incidents Distribution by Service

This dashboard widget displays the number of Incidents by service, with the percentage of each shown on a pie chart, for the following services: SSH, SAMBA, SMB, RDP, HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GUARDIAN-AST, and IEC104.

Global Attacker Distribution

This widget displays the number of Attackers by country on a global map.

 
