Documente Academic
Documente Profesional
Documente Cultură
Version 6.2.3
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://fortiguard.com/
FEEDBACK
Email: techdoc@fortinet.com
Change Log 4
Fabric connectors 5
Support for wildcard SDN connectors in filter configurations 5
FortiClient EMS Cloud support 7
Multi-Cloud 10
Azure extensions 10
Azure SDN connector support for non-VM resources 10
UX / Usability 12
Adding IPsec aggregate members in the GUI 12
Other 16
Remove FortiGate Cloud standalone reference 16
Dynamic address support for SSL VPN policies 19
Configure the FortiAuthenticator 20
Fortinet Single Sign-On Collector Agent 21
Configure the FortiGate 22
Confirmation 27
Fabric connectors
This section lists the new features added to FortiOS for Security Fabric connectors.
l Support for wildcard SDN connectors in filter configurations on page 5
l FortiClient EMS Cloud support on page 7
Wildcards are now supported in FortiOS 6.2.3 for SDN connectors when configuring dynamic address filters.
The following SDN connector types are currently supported:
l AWS
l Azure
l Google Cloud Platform
l Kubernetes
l OpenStack
l Oracle Cloud Infrastructure
l VMware ESXi
2. Create the dynamic firewall address and verify where the IPs resolve to:
config firewall address
edit "aws-address-1"
set type dynamic
set sdn "aws1"
set filter "Tag.Name=aws*"
set sdn-addr-type public
config list
edit "18.234.167.123"
next
edit "3.81.41.167"
next
edit "52.87.157.127"
next
end
next
end
The FortiGate Security Fabric root device can link to FortiClient Cloud (a cloud-based EMS solution) for endpoint
connectors and automation. Both cloud-based and on-premise EMS servers are supported.
To enable cloud-based EMS services, FortiGate must be registered to FortiCloud with an appropriate user account.
Only one FortiClient EMS Cloud server can be configured.
Multi-Cloud
This section lists the new features added to FortiOS for multi-cloud.
l Azure extensions on page 10
Azure extensions
This section lists the new features added for Azure extensions.
l Azure SDN connector support for non-VM resources on page 10
In FortiOS 6.2.3, support has been added for non-VM resources (load balancers and application gateways) to Azure
SDN connectors, which can be configured in the GUI or CLI.
Prior to FortiOS 6.2.3, only IP addresses of VMs were supported.
The tag filter now supports the VM, VMSS, application gateway (applicationgateway=<name>), and load balancer
types (loadbalancer=<name>).
4. Click OK.
The corresponding IP addresses are dynamically updated and resolved after applying the tag filter.
5. In the address table, hover over the address to view what IP it resolves to:
UX / Usability
This section lists the new features added to FortiOS for usability.
l Adding IPsec aggregate members in the GUI on page 12
The following support has been added to the GUI in FortiOS 6.2.3 for IPsec aggregate interfaces:
l You can configure the Device creation and Aggregate member settings in the VPN Creation Wizard so that a
tunnel can be an IPsec aggregate member candidate.
l You can create a new IPsec aggregate within the IPsec tunnels dropdown list.
l You can monitor the traffic for each aggregate member.
g. Click OK.
d. Click OK.
Other
If a FortiGate is registered in FortiCare using a FortiCloud account, then only that FortiCloud account can be used to
activate FortiGate Cloud. If a different FortiCloud account was already used to activate FortiGate Cloud, then a
notification asking you to migrate to FortiCloud is shown in the GUI after upgrading FortiOS.
If the FortiGate is not registered, activating FortiGate Cloud will force you to register with FortiCare.
The CLI can be used to activate FortiGate Cloud without registration, or with a different FortiCloud account.
3. Enter the password for the account that was used to register the FortiGate.
4. Click OK.
The FortiGate Cloud widget now shows the FortiCloud account.
To migrate from the activated FortiGate Cloud account to the registered FortiCloud account:
3. Enter the password for the account that was used to register the FortiGate, then click OK.
The FortiGate Cloud widget now shows the FortiCloud account.
To activate FortiGate Cloud and register with FortiCare at the same time:
To activate FortiGate Cloud using an account that is not used for registration:
Where the <account_id> and <password> are the credentials for the account that you are using to activate
FortiGate Cloud.
2. Check the account type with following command:
# diagnose fdsm contract-controller-update
Protocol=2.0|Response=202|Firmware=FAZ-4K-FW-2.50-
100|SerialNumber=FAMS000000000000|Persistent=false|ResponseItem=HomeServer:172.16.95.151:44
3*AlterServer:172.16.95.151:443*Contract:20200408*NextRequest:86400*UploadConfig:False*Mana
gementMode:Local*ManagementID:737941253*AccountType:multitenancy
Result=Success
A FortiCloud account that is not used for the support portal account cannot be used to register
FortiGate. Attempting to activate FortiGate Cloud with this type of account will fail.
Dynamic SSO user groups can be used in place of address objects when configuring SSL VPN policies. This allows
dynamic IP addresses to be used in SSL VPN policies. A remote user group can be used for authentication while an
FSSO group is separately used for authorization. Using a dummy policy for remote user authentication and a policy for
FSSO group authorization, FSSO can be used with SSL VPN tunnels
This image shows the authentication and authorization flow:
In this example, FortiAuthenticator is used as a RADIUS server. It uses a remote AD/LDAP server for authentication,
then returns the authentication results to the FortiGate. This allows the client to have a dynamic IP address after
successful authentication.
First, on the LDAP server, create two users each in their own group, user142 in group pc_group1, and user143 in group
pc_group2.
4. Select Enable RADIUS accounting server and set the Shared secret.
next
end
5. Create an SSL VPN portal and assign the RADIUS user group to it:
config vpn ssl web portal
edit "testportal"
set tunnel-mode enable
set ipv6-tunnel-mode enable
set web-mode enable
...
next
end
config vpn ssl settings
...
set default-portal "full-access"
config authentication-rule
edit 1
set groups "rad_group"
set portal "testportal"
next
end
end
7. Create one dummy policy for authentication only, and two normal policies for authorization:
config firewall policy
edit 1
set name "sslvpn_authentication"
set srcintf "ssl.vdom1"
set dstintf "port1"
set srcaddr "all"
6. Click OK.
7. Configure an accounting server with the following CLI command:
config user radius
edit rad150
set acct-interim-interval 600
config accounting-server
edit 1
set status enable
set server 172.16.200.60
5. Click OK.
To create user groups for each of the FSSO groups in the GUI:
5. Click OK.
6. Add a second user group with PC_GROUP2 as a member:
CN=PC_GROUP1,OU=TESTING,DC=FSSO-QA,DC=COM
7. Click OK.
To create an SSL VPN portal and assign the RADIUS user group to it in the GUI:
Confirmation
On Client 1, log in to FortiClient using user142. Traffic can go to pc4 (172.16.200.44), but cannot go to pc5
(172.16.200.55).
On Client 2, log in to FortiClient using user143. Traffic can go to pc5 (172.16.200.55), but cannot go to pc4
(172.16.200.44).
On the FortiGate, check the authenticated users list and the SSL VPN status:
# diagnose firewall auth list
10.212.134.200, USER142
type: fsso, id: 0, duration: 173, idled: 173
server: AD_CollectAgent
packets: in 0 out 0, bytes: in 0 out 0
user_id: 16777229
group_id: 3 33554434
group_name: fsso_group1 CN=PC_GROUP1,OU=TESTING,DC=FSSO-QA,DC=COM
10.212.134.200, user142
type: fw, id: 0, duration: 174, idled: 174
expire: 259026, allow-idle: 259200
flag(80): sslvpn
server: rad150
packets: in 0 out 0, bytes: in 0 out 0
group_id: 4
group_name: rad_group
10.212.134.201, USER143
type: fsso, id: 0, duration: 78, idled: 78
server: AD_CollectAgent
packets: in 0 out 0, bytes: in 0 out 0
group_id: 1 33554435
group_name: fsso_group2 CN=PC_GROUP2,OU=TESTING,DC=FSSO-QA,DC=COM
10.212.134.201, user143
type: fw, id: 0, duration: 79, idled: 79
expire: 259121, allow-idle: 259200
flag(80): sslvpn
server: rad150
packets: in 0 out 0, bytes: in 0 out 0
group_id: 4
group_name: rad_group