
First Blog Post

Hello,

I am an IT networking professional with extensive experience in Wi-Fi and security, working with a leading security company as a Sr. Wireless Expert and Field Support Engineer. My passion for wireless has driven me this far, and I am pleased to introduce myself as a Wi-Fi engineer.

Wireless experts' blogs and other Wi-Fi communities have always been very helpful in finding solutions for all my questions. I am very excited and happy to share my thoughts and experience about wireless and security.

Captive portal Tricks & Tweaks on Fortigate Firewall

You can configure your Fortigate firewall with captive portal user-based authentication for both wired and wireless user traffic. There are a few places in the Fortigate firewall where you can control the settings.

#Fortigate captive portal:

To disable HTTP-based captive portal redirection and enable secure HTTP (HTTPS) redirection:

config user setting
    set auth-secure-http enable
end

(Or) for HTTP-only redirection. Use this to avoid certificate pinning problems and HSTS (HTTP Strict-Transport-Security) browser warnings: websites are strict about man-in-the-middle interception, and an HTTPS captive portal redirect looks exactly like one to the browser.

config user setting
    set auth-secure-http disable
end

NOTE: Fortigate uses port 1000 for HTTP and port 1003 for HTTPS based redirection.
These ports can be changed to whatever you would like:

config system global
    set auth-https-port xxxx (default = 1003)
end
#To redirect with FQDN & not IP address:

Redirecting the captive portal by DNS name masks the firewall's IP address during the captive portal redirection process:

config firewall auth-portal
    set portal-addr my.fqdn.com
end

# Since you decided to do the captive portal over HTTPS and with an FQDN, you will need a trusted secure certificate on the Fortigate for CP redirection and authentication.

config user setting
    set auth-cert <auth-cert>
    set auth-ca-cert <auth-ca-cert>
end

Note:

auth-cert -> the actual certificate presented by the portal
&
auth-ca-cert -> the root CA that signed your captive portal certificate.
# If you want to enable captive portal on the LAN interface for the user traffic:

config system interface
    edit "port12_lan"
        set vdom "Praveen_NAT"
        set ip 2.2.2.2 255.255.255.0
        set allowaccess ping https ssh snmp http
        set security-mode captive-portal
    next
end
#Enable Captive Portal at firewall policy level

You may also enable the captive portal parameters at the firewall policy level on Fortigate. These items at the firewall policy level override the global parameters under "config user setting".
This helps to manage different portal redirections and certificates for multiple clients.

#config firewall policy (redirect address)

config firewall policy
    edit <my_policy_ID>
        set auth-redirect-addr "my.fqdn.com"
    next
end

#config firewall policy (certificate)

config firewall policy
    edit <my_policy_ID>
        set auth-cert <auth-cert>
    next
end

#config firewall policy (disclaimer and redirect URL)

config firewall policy
    edit <my_policy_ID>
        set disclaimer enable
        set redirect-url "https://www.google.com"
    next
end

Note: If you set a USER GROUP for the interface with "security-mode = captive-portal", the user lands on the login portal page asking for USERNAME/PASSWORD. If you don't set any, "allow all" is applied and the user is presented with the disclaimer page.

#Wireless interface/SSID (tunnel mode) has email collection as the default authorization service, which allows access while collecting the user's address.

config wireless-controller vap
    edit Guest_Access
        set security captive-portal
        set portal-type email-collect
    next
end

If you want to enable email collection on a wired interface, you have to customize the default landing page to do so. This requires some experience editing the code of the default page, so that it automates the email collection seamlessly and authenticates and authorizes the user's access.
#If you want to exempt certain users/devices from captive portal redirection, you can create a firewall policy for them with the exemption enabled:

config firewall policy
    edit <id>
        set captive-portal-exempt enable
    next
end
#Customizing Captive portal pages:

This section helps you customize the default Fortinet-provided templates to your company policy and banner/logo.

#Replacement message groups

There is a setting called "Replacement Message Group" which allows you to use a customized replacement message per policy and profile.

If you want this feature visible on the GUI:

config system settings
    set gui-replacement-message-groups enable
end

To edit from the CLI:

config system replacemsg-group
    edit <group>
        set group-type {auth | utm}
        config <message_category>
            edit <message_type>
                set buffer <message>
                set header {none | http | 8bit}
                set format {none | text | html}
            next
        end
    next
end

To apply at the firewall policy level:

config firewall policy
    edit <id>
        set replacemsg-override-group "name"
        set inspection-mode proxy
    next
end

Disconnect User Network Access through Forti-Authenticator Usage Profile

Goal: Disconnect the user, or no longer allow network access, after a certain amount of usage.

STEP 1:

Configure your Fortigate/NAS to send user accounting information to Forti-Authenticator after successful user authentication. In this case Forti-Authenticator is used as the authentication server as well.

#Sample RADIUS configuration on Fortigate:

config user radius
    edit "10.47.1.148"
        set server "10.47.1.148"
        set secret ENC zMbdF/mNYBr5a4Cc3cP
        set nas-ip 192.168.242.80
        set acct-interim-interval 600
        set radius-coa enable
        config accounting-server
            edit 1
                set status enable
                set server "10.47.1.148"
                set secret ENC nGw/l5GCxHSymW3SnXGJKgmk
                set port 1646
            next
        end
    next
end

Note: Port 1646 is used for accounting traffic on Fortigate and Forti-Authenticator.

Interim accounting and CoA are enabled.

 

STEP 2:

Make sure to enable the accounting monitor on the FAC interface that will be talking to the NAS/Fortigate.

STEP 3:

Enable "Accept Accounting" on the RADIUS client profile, together with CoA support.

STEP 4:

Configure a usage profile for time or data.

STEP 5:

The usage profile can be applied to a user, a user group or a device.

Remember to add the RADIUS interim-update attribute, set to 600 sec, once.

STEP 6:

After successful authentication and receipt of RADIUS accounting information, you get to see a sample like the one below.

Navigation: Monitor -> Radius Accounting

STEP 7:

If FAC (Forti Authenticator) finds that the user has crossed the time/usage (data) limit, it sends out a CoA message to the Fortigate and also disables the user on FAC.

 

STEP 8:

User session state at the Fortigate

==> User session before disconnect/bounce from the network:

Alza-kvm21 # diagnose firewall auth list | grep -A5 "test1"
10.120.0.125, test1, captive FAC user
src_mac: 00:0c:29:xx:xx:xx
type: fw, id: 0, duration: 547, idled: 64
expire: 236, allow-idle: 300
flag(30): radius idle
server: 10.47.8.250

==> User session after disconnect/bounce from the network (no entry is returned):

Alza-kvm21 # diagnose firewall auth list | grep -A5 "test1"

Alza-kvm21 #
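The following is an added example, not FortiAuthenticator or FortiGate code, that models the accounting side of steps 1 to 7 in Python: it builds the RADIUS Accounting-Request packets a NAS sends at each interim interval, validates the Request Authenticator with the shared secret, and applies a time/data usage profile to decide when the CoA disconnect would be triggered. The shared secret, user name and traffic counters are constructed values.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST = 4
# Standard RADIUS attribute numbers (RFC 2865/2866) used in this example
USER_NAME, ACCT_STATUS_TYPE, ACCT_IN, ACCT_OUT, ACCT_SESSION_ID, ACCT_TIME = 1, 40, 42, 43, 44, 46

def encode_attrs(attrs):
    """attrs: list of (type, value); str values as text, int values as 32-bit."""
    out = b""
    for t, v in attrs:
        raw = v.encode() if isinstance(v, str) else struct.pack("!I", v)
        out += struct.pack("!BB", t, len(raw) + 2) + raw
    return out

def build_acct_request(ident, secret, attrs):
    """Accounting-Request as the NAS sends it; the Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), RFC 2866."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + b"\x00" * 16 + body + secret).digest() + body

def parse_acct_request(pkt, secret):
    """Verify the authenticator with our shared secret, then decode the AVPs.
    Returns None for a malformed packet or one not signed with our secret."""
    if len(pkt) < 20 or pkt[0] != ACCT_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    body = pkt[20:]
    expect = hashlib.md5(pkt[:4] + b"\x00" * 16 + body + secret).digest()
    if not hmac.compare_digest(expect, pkt[4:20]):
        return None
    attrs, pos = {}, 0
    while pos + 2 <= len(body):
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            return None
        val = body[pos + 2:pos + l]
        attrs[t] = val.decode() if t in (USER_NAME, ACCT_SESSION_ID) else int.from_bytes(val, "big")
        pos += l
    return attrs

def usage_decision(attrs, max_seconds=None, max_bytes=None):
    """Apply a usage profile to one record; counters are cumulative per session,
    so one record decides. 'disconnect' is where FAC sends the CoA and disables the user."""
    used_time = attrs.get(ACCT_TIME, 0)
    used_bytes = attrs.get(ACCT_IN, 0) + attrs.get(ACCT_OUT, 0)
    if max_seconds is not None and used_time >= max_seconds:
        return "disconnect"
    if max_bytes is not None and used_bytes >= max_bytes:
        return "disconnect"
    return "ok"

SECRET = b"constructed-shared-secret"  # same value on the FortiGate and on FAC
# Constructed session for user test1: Start, then an Interim-Update every 600 s
SESSION = [
    [(USER_NAME, "test1"), (ACCT_SESSION_ID, "0001"), (ACCT_STATUS_TYPE, 1), (ACCT_TIME, 0)],
    [(USER_NAME, "test1"), (ACCT_SESSION_ID, "0001"), (ACCT_STATUS_TYPE, 3), (ACCT_TIME, 600), (ACCT_IN, 1_000_000), (ACCT_OUT, 4_000_000)],
    [(USER_NAME, "test1"), (ACCT_SESSION_ID, "0001"), (ACCT_STATUS_TYPE, 3), (ACCT_TIME, 1200), (ACCT_IN, 2_500_000), (ACCT_OUT, 9_000_000)],
    [(USER_NAME, "test1"), (ACCT_SESSION_ID, "0001"), (ACCT_STATUS_TYPE, 3), (ACCT_TIME, 1800), (ACCT_IN, 4_000_000), (ACCT_OUT, 15_000_000)],
]

def run_session(max_seconds=1800, max_bytes=None):
    """One decision per record, as the accounting listener on FAC would make."""
    decisions = []
    for ident, rec in enumerate(SESSION):
        attrs = parse_acct_request(build_acct_request(ident, SECRET, rec), SECRET)
        decisions.append("reject" if attrs is None else usage_decision(attrs, max_seconds, max_bytes))
    return decisions
```

With the 30-minute profile the fourth record (the 1800 s interim update) is the one that triggers the disconnect; a packet built with a different secret is rejected before any counter is read.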

SMS Token Based Captive Portal Authentication with Forti Authenticator

Forti Authenticator is an identity and access management system and is very efficient when it comes to client access control management. In this blog post you will see how you can use the captive portal function on FAC for SMS-based token authentication. We integrate FAC with a Fortigate firewall acting as the NAS.

Token authentication can also be done using a hardware token (Forti hardware token) or a soft token (FortiToken Mobile). In this case we use an SMS gateway to deliver the token to users over SMS. I believe this can be effective for wireless guest user authentication with a token code.

 

Step 1: Create the wireless interface/SSID and set the captive portal redirection URL to the external portal landing page on Forti-Authenticator.

Step 2: Configure a RADIUS server on the Fortigate firewall for back-end authentication with Forti Authenticator.

Step 3: On the Fortigate firewall, make sure HTTP or HTTPS and DNS are allowed for the guest users' traffic so that it gets successfully redirected to the captive portal page.

Step 4: Now on the Forti-Authenticator, configure the social login page with the guest account settings.

4.1 You need to enable the Social Login page first.

4.2 You can then select the user group in which all users coming through this portal will be placed.

4.3 Set the account expiration hours for your users.

4.4 If you have multiple SMS gateway services, choose the one you would like to use. In this example, I have used the FortiGuard Messaging Service (a license needs to be purchased).

Note: If you would like to offer other social login options on the same page, you can enable FACEBOOK LOGIN, GOOGLE LOGIN, etc. However, you will need to configure the respective login key and secret settings for them to work.

Step 5: Set up your RADIUS client settings; in this case the client will be your Fortigate firewall. You must use the same shared secret you configured on the Fortigate firewall in step 2.

5.1 Enable the social login portal under the RADIUS client settings.

Step 6: After a successful user authentication you will see the user information captured as a social login user.

Step 7: You will see the following user event on the Fortigate for the successful user login with the token.

Step 8: On the FAC side you can see the following user events under Logging -> Log Access.

Hope this blog post is helpful in setting up your FAC for SMS-based token authentication.

Setting up Fortinet Remote VPN AP

FortiRU wireless controllers support remote AP setup mostly from SD 6.0 onwards. You can have a remote AP at your small office, remote office or home that is managed/provisioned by a WLC sitting in the data center. In this case the data communication between controller and AP goes over the internet, secured by OpenVPN encryption.

Configuring VPN AP:

The first step is to install an SSL certificate on the WLC controller (the VPN server certificate) to manage and authenticate the remote APs.

+Before proceeding to import the signed SSL certificate for the controller, first install the trusted CA certificates.

+Similarly, import all subordinate CA certificates (if there are any sub-CAs).

Create a certificate signing request (CSR) for the controller:

+Log in to the controller, go to Configuration -> Security -> Certificates -> Controller Certificates.

+Click on the Add button (a Certificate Add popup appears), fill in the input fields and click Save.

+The user can view the CSR (select the radio button against the pending CSR and then click the View button) or export the CSR by clicking the Export button.

+Once the CSR is created, the user can see the entry created (showing the type as Pending-CSR).

+Select the radio button against the pending CSR, then click on the Import Certificate button.

+The user can see the certificate alias name, issued to, issued by, etc.

Step two, configuring the remote VPN AP and assigning a certificate for the VPN client.

i. Log in to the controller, go to Configuration -> Certificates -> AP Certificates; the list of APs is displayed. Make sure the AP for which you are installing the certificate is enabled and online.

ii. Select the radio button against the AP, then click on the Create CSR button.
iii. A Create Signing Request - AP Certificate popup will appear.
iv. Enter the validity (in days) and then click Apply.

v. Click the Refresh button. After the refresh, the user can see CSR-Generation-in-Progress under User Req Status.

vi. The user can view the CSR (select the radio button against the AP and then click the View button) or export the CSR by clicking the Export button.

vii. Give the CSR file or its contents to the CA admin to get the certificate and the CA certificate.
viii. In case the certificate is issued by a different CA server, first install the CA certificate as described in the trusted CA install section at the beginning.
ix. Import the certificate for the AP by selecting the radio button against the AP and clicking the Import button.

x. Once the certificate is copied, the user sees the message "Cert-Installation-In-Progress" under User Req Status.

xi. Once the certificate is installed, the user sees "Cert-Installed" under User Req Status.

NOTE: The AP must be on an L3 connection (it must have an IP address assigned).

 

Assigning the server certificate for the VPN server:

i. Log in to the controller, go to Configuration -> Certificates -> Controller Certificates.
ii. Click on the Application button; a popup appears. Select the certificate next to VPN Application and click Save.

iii. A popup message is displayed asking the user to run the reload-vpn command from the CLI (on running reload-vpn, the selected certificate is used by the VPN server). Forti-Ru leaves this to the user because, if all APs are already connected using VPN, running reload-vpn causes all VPN APs to reboot; hence the user can run reload-vpn when there are no stations connected.

 

Creating a VPN server on the controller:

i. Log in to the controller, go to Configuration -> Security -> VPN Server.
ii. Fill in the VPN Server IP/Name; it should be the controller's publicly reachable IP address or hostname (FQDN). Also fill in the port (the default is 1194); the IP pool and subnet need to be added as well.

 

Finally, adding the AP to the VPN group:

i. Log in to the controller, go to Configuration -> Security -> VPN Server -> VPN APs.

ii. Select the APs that you want to add to the VPN group and click Next.

iii. Check the column Action Required: if the status is "No Action Required", click Activate; if there is any pending action, the user needs to finish it before activating.

iv. Once the user clicks Activate, the VPN connectivity status is initially Disconnected and the AP reboots.

v. Once the AP comes back, it connects to the controller in VPN mode and the user can see the status as Connected under VPN Connectivity Status.

 

Troubleshooting commands:

Controller level:

default(15)# show vpn-ap
default(15)# show vpn-server
default(15)# show vpn-ap <id>
default(15)# show ap-certificate <id>
default(15)# capture-packets -R ip.addr==x.x.x.x

+Run the capture-packets command with a filter on the AP's real IP address; the communication between controller and AP should happen only on the VPN port (in this case UDP port 1194).

AP level:

ap 8> ip vpn show

Chromcast SSDP and mDNS Service Control on Fortinet Wireless Controllers

The service control feature on FortiRu controllers has been there for quite some time now. It is very effective in managing mDNS traffic on the wireless side. Once you enable this feature on the wireless controller you can manage the mDNS traffic flow across VLANs and ESSIDs by creating a service control policy.

This works well for mDNS traffic control for AirPrint, AirPlay, etc. There are some limitations in the case of Chromecast multicast traffic when it comes to managing SSDP traffic.

FortiRU controllers did not support SSDP service control across multiple VLANs from day one, while it still works between ESSIDs within a VLAN.

The reason, in your FortiRU controllers:

SSDP forwarding happens on the data path.
mDNS forwarding happens in user space.

Since SSDP traffic doesn't hit user space, the service control policy doesn't get applied to it.

A real-world condition: if you use your Windows computer with Chromecast you will mostly notice mDNS traffic used for discovery and mirroring, while on an iPad running the YouTube application, when you try to mirror that application, you will see SSDP used for discovery. So this very much depends on the device/application using SSDP (UDP dst port 1900) for discovery.

Following a feature request, from the SD 8.4 general release onward SSDP service control across VLANs will be supported.

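As an added example (not FortiRU code), the Python below classifies a discovery datagram as mDNS (UDP 5353, forwarded in user space) or SSDP (UDP 1900, forwarded on the data path) and extracts the service being looked for, which tells you up front whether a service control policy will see that traffic. The Chromecast mDNS query and the DIAL M-SEARCH are constructed sample datagrams.

```python
import struct

SSDP_PORT, MDNS_PORT = 1900, 5353   # UDP destination ports of the two discovery protocols

def parse_mdns_query(payload):
    """Decode the first question name of an mDNS (DNS) query, or None if the
    payload is not a well-formed query."""
    if len(payload) < 12:
        return None
    _ident, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount == 0:
        return None                      # a response, or no question section
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            return ".".join(labels)
        if n >= 0xC0 or pos + 1 + n > len(payload):
            return None                  # compression pointer or truncated name
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None

def parse_ssdp(payload):
    """Return (method, search target) from an SSDP M-SEARCH or NOTIFY."""
    try:
        lines = payload.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    method = lines[0].split(" ")[0]
    if method not in ("M-SEARCH", "NOTIFY"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, headers.get("st") or headers.get("nt")

def classify_discovery(dst_port, payload):
    """Which path a discovery datagram takes on the controller: mDNS is
    forwarded in user space (service control applies), SSDP on the data path
    (not controlled before SD 8.4). Returns (protocol, service) or None."""
    if dst_port == MDNS_PORT:
        qname = parse_mdns_query(payload)
        return ("mdns", qname) if qname else None
    if dst_port == SSDP_PORT:
        parsed = parse_ssdp(payload)
        return ("ssdp", parsed[1]) if parsed else None
    return None

def build_mdns_query(name):
    """Constructed helper: a minimal mDNS PTR query for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 12, 1)

# Constructed datagrams: a laptop looking for Chromecasts over mDNS, and the
# DIAL search an app sends over SSDP before casting
SAMPLES = [
    (MDNS_PORT, build_mdns_query("_googlecast._tcp.local")),
    (SSDP_PORT, b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                b'MAN: "ssdp:discover"\r\nMX: 1\r\nST: urn:dial-multiscreen-org:service:dial:1\r\n\r\n'),
]

def run_samples():
    return [classify_discovery(port, data) for port, data in SAMPLES]
```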

By default, FortiRU OS has the Apple service types available for service control, while for Chromecast you might need to create your own service types (FortiRu OS might be missing exactly what you want).

#Configuration on the WLC controller is straightforward:

1. Enable service control.

2. Confirm that the service types you are interested in are available on your WLC controller for service control.

3. SC-AP group creation.

4. Publisher and subscriber user group creation.

5. Finally, policy creation.

To debug a service control issue on the WLC controller:

FortiMeruXXX(15)# sup-cli
FortiMeruXXX]
FortiMeruXXX] tr ServiceMgr ffffffff
FortiMeruXXX] trace on (turn on the trace)

Once the issue is captured, turn it OFF:

FortiMeruXXX] trace off (turn OFF the trace)

To debug on the AP side:

AP level (find the AP the client is connected to and run the trace on that AP):

Conn ap

ap X> trace on
Real-time trace display enabled for severity >= 0.

Once the issue is captured, turn it OFF:

ap X> trace off
Real-time trace display disabled.

Internet Service DB (ISDB) on Fortigate

A feature called Internet Service DB (ISDB) was introduced in FortiOS. Using this feature you can write firewall policies and routes and have the Fortigate take the necessary action based on the application IP database it holds.

This feature was introduced in FortiOS v5.4 and above. NOTE: ISDB updates require an active FortiCare support contract; no FortiGuard subscription is required.

In the FortiOS v5.2 days you could create a firewall policy with an FQDN to block/allow users based on a website hostname. However, that is no longer an option from v5.4 and above (not supported).

Blocking/allowing user access based on public application IP addresses is not an easy task. There will be dozens of IP addresses (e.g. for Facebook and Google), it is not easy for everyone to manage such an IP database, and new IP addresses always get added to the list.

So you can now take advantage of ISDB and let it manage the dynamic changes of IP addresses.

> Running the following command shows the available and updated signature DBs on the Fortigate; you should see ISDB showing up there too.

# diagnose autoupdate versions

> To list the IP addresses in the DB for a particular application (this can also be seen through the GUI):

# diagnose firewall internet-service list 3604481

'3604481' is the application ID for Github-Web.

NOTE: I have chosen the GitHub application just for my examples.

> FortiOS also lets you create your own custom ISDB objects, which helps customers manage their own list on top of what FortiOS offers. You can list your custom object after you create one, like below:

# diagnose firewall internet-service-custom list

List internet service in kernel(custom):
name=Git-custom, id=4294901760 flags=0x0 protocol=6 port=80-65535 1-65535
addr ip range(1): 200.X.X.X-200.X.X.X

> You can also add more IP addresses that you feel ISDB is missing for an application by creating a custom object that references the master-service-id of that application:

# config firewall internet-service-custom

(internet-service~tom) # show
config firewall internet-service-custom
    edit "Git-custom"
        set master-service-id 3604481
        set comment "git"
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 80
                    next
                    edit 2
                    next
                end
                set dst "x.x.x.x"
            next
        end
    next
end

> You can create a firewall policy with an existing Internet Service DB object or with a custom Internet Service DB object you created, while also doing route control with it.

FortiGate on SIP/ALG/Session Helper

If you are looking for ideas on what to change/tweak on a Fortigate for SIP/VoIP traffic, I believe the details below could give you a bit of insight into configuring Fortinet for your SIP/VoIP design. I know other Fortinet experts have already shared ideas related to this topic; this is just my version of the same, with some add-ons!!

When to use the "session helper", "VoIP ALG (kernel mode)" or "VoIP ALG (proxy mode)"??

Types of SIP VoIP design (*pictures courtesy of the Fortinet VoIP guide):

*Peer to peer configuration
*SIP proxy server configuration
*SIP redirect server configuration
*SIP registrar configuration
*SIP with a FortiGate running Transparent Mode
*SIP network with a FortiGate running NAT/Route Mode

Tweaking your Fortigate based on your design requirements for SIP VoIP traffic:

*SIP sessions using port 5060 accepted by a security policy that does not include a VoIP profile are processed by the "SIP session helper".

*Session helper + Fortigate VoIP ALG mode "kernel mode" = SIP session offload; SDP conversion happens with an RTP session pinhole.

*Fortigate VoIP ALG mode "proxy mode" (ALG) = more SIP ALG features/security features, and an explicit firewall policy is required.

*Fortigate VoIP ALG mode "kernel mode" + session helper disabled = no SIP ALG on the Fortigate.

By default FortiOS uses the proxy-mode SIP ALG for SIP traffic. If you want to use the SIP session helper instead, you need to enter the following command:

config system settings
    set default-voip-alg-mode kernel-helper-based
end

NOTE: To disable the SIP session helper as well (no SIP ALG at all), also remove its entry under "config system session-helper".

In most cases you would want to use the SIP ALG, since the SIP session helper provides limited functionality. However, the SIP session helper is available and can be useful for high-performance solutions where a high level of SIP security is not a requirement.

#Key things you should understand#

*Controlling NAT for addresses in SDP lines
You can use the no-sdp-fixup option to control whether the Fortigate performs NAT on the addresses in the SDP lines of the SIP message body.

The no-sdp-fixup option is disabled by default, so the FortiGate performs NAT on addresses in SDP lines. Enable this option if you don't want the FortiGate to perform NAT on the addresses in SDP lines.

config voip profile
    edit VoIP_Pro_1
        config sip
            set no-sdp-fixup enable
        end
    next
end

*How the SIP ALG performs NAT:

I see this as an important portion to understand, at least while working with Fortigate firewalls.

NAT with SIP gets a bit complex because of the IP addresses and port numbers carried in SIP message headers and bodies. When a SIP caller on a private network calls a phone server or SIP phone on the internet, the SIP ALG must translate the private network addresses to internet-valid IP addresses and port numbers. When the response message comes back to the caller, the SIP ALG must translate them back to the valid private network addresses.

Additionally, the media streams generated by a SIP session are independent of the SIP messages and use different port numbers during the media session. Based on the information in the SIP message, the SIP ALG opens pinholes to accept the media streams and performs port translation on them.

When the SIP ALG receives an INVITE message, the Fortigate extracts information such as port numbers and IP addresses and stores it in a SIP dialog table. This is similar to the IP session table, and this data is used for the subsequent SIP messages that are part of the same call.

The ALG then uses the information in the SDP field to reserve port numbers and IP addresses for the media session and creates NAT mappings for the ports in the SDP field. Normally SDP uses sequential ports for the RTP and RTCP channels, and the ALG provides consecutive even-odd ports.
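Added example, not FortiOS code, modelling the SDP NAT step described above in Python: it takes a constructed INVITE from a phone at 10.0.0.5, rewrites the c= and m= lines to a public address and a consecutive even/odd RTP/RTCP port pair, records the pinholes the firewall would open, recomputes Content-Length, and leaves the SDP alone when no-sdp-fixup is enabled. The public address 203.0.113.10, the media port pool starting at 40000 and the port-preserving header translation are assumptions.

```python
import re

PUBLIC_IP = "203.0.113.10"   # constructed: the FortiGate's public address
_next_rtp_port = [40000]     # constructed public media pool; even = RTP, odd = RTCP

def allocate_rtp_pair():
    """Reserve an even public port for RTP; the following odd port is RTCP."""
    port = _next_rtp_port[0]
    _next_rtp_port[0] += 2
    return port

def nat_sdp(sdp, private_ip):
    """Rewrite the c= and m= lines of the SDP body and return the pinholes
    (public port -> (private ip, private port)) the firewall must open."""
    lines, holes = sdp.split("\r\n"), {}
    for i, line in enumerate(lines):
        if line == "c=IN IP4 " + private_ip:
            lines[i] = "c=IN IP4 " + PUBLIC_IP
            continue
        m = re.match(r"m=(audio|video) (\d+) (.+)", line)
        if m:
            priv_port, pub_port = int(m.group(2)), allocate_rtp_pair()
            lines[i] = f"m={m.group(1)} {pub_port} {m.group(3)}"
            holes[pub_port] = (private_ip, priv_port)          # RTP
            holes[pub_port + 1] = (private_ip, priv_port + 1)  # RTCP
    return "\r\n".join(lines), holes

def nat_headers(head, private_ip):
    """Translate the private address in Via and Contact; the port is kept,
    a simplification of the header NAT the ALG performs."""
    out = []
    for line in head.split("\r\n"):
        if line.startswith(("Via:", "Contact:")):
            line = line.replace(private_ip, PUBLIC_IP)
        out.append(line)
    return "\r\n".join(out)

def alg_process_invite(msg, no_sdp_fixup=False):
    """Model of the ALG's handling of an outbound INVITE. Returns the message
    as it would leave the firewall and the media pinholes created for it."""
    head, sep, body = msg.partition("\r\n\r\n")
    c = re.search(r"c=IN IP4 (\S+)", body)
    if not sep or not c:
        return msg, {}                 # no SDP body: nothing to translate
    private_ip = c.group(1)
    head = nat_headers(head, private_ip)
    if no_sdp_fixup:                   # VoIP profile: set no-sdp-fixup enable
        return head + sep + body, {}
    body, holes = nat_sdp(body, private_ip)
    head = re.sub(r"Content-Length: \d+", f"Content-Length: {len(body.encode())}", head)
    return head + sep + body, holes

# Constructed INVITE from a phone at 10.0.0.5 behind the FortiGate
SAMPLE_INVITE = (
    "INVITE sip:bob@203.0.113.50 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:alice@10.0.0.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 78\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 10.0.0.5\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
)
```

Calling alg_process_invite(SAMPLE_INVITE) returns the INVITE with c=IN IP4 203.0.113.10 and m=audio 40000, plus pinholes 40000 and 40001 mapped back to 10.0.0.5 ports 16384 and 16385, which is the state the SIP dialog table described above has to remember for the rest of the call.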