Managed Security on FortiGate Firewall

In this document, we will look at the use case of managed security on a FortiGate firewall.

Goal

  • Create a customer.

  • Create and activate a device.

  • Build a security configuration profile and associate it with the device.

  • Configure syslog on the firewall, collect the logs and build a dashboard.

  • Do some simple policy management.

  • Remove the service.

Prerequisites

Knowledge of MSActivator concepts, such as:

  • What a tenant is.

  • What a customer is.

  • What a device is.

Some network and security knowledge, such as:

  • What SNMP and an SNMP community are.

  • What syslog is.

  • What a router, a firewall policy, etc. are.

Create a customer

Login as a manager on your MSActivator and select (or create if necessary) a customer.

Device creation and activation

Creation

Click on your customer name to go into the customer tenant space.

Click the “Create device” button (top right).

Select the “Expert” view (top right button).

It’s important to set the correct manufacturer and model because this is how the Device Adaptor is selected. This cannot be changed once the device is created.

Add all the other values, such as Name, Management IP and Credentials, as found in the FGT_TRAINING_<number> section above or as provided by your lab manager.

Check the option in the service assurance component to activate monitoring and syslog collection.

Then save and activate the device.

Activation

Click the “Device” you just created (click on underlined device name).

Click the “Details” tab.

Select “Actions” (dropdown on right), then select “Initial provisioning”.

Click on to update the status of the provisioning.

The provisioning only takes a few seconds and the status should turn green.

Once the provisioning is executed, you may have to wait up to one minute for the device monitoring status to turn green.

The page does not refresh automatically; reload the browser page manually.

Once the device is activated and its status is green, we can verify that its running configuration was properly archived in the configuration change management module.

Change Management

Go to the “History” tab and check that the running config was archived in the configuration change management view.

On the “History” tab, click the “Change Mgt” button (top right).

The change management GUI pops up.

Configuration backup

Trigger a backup of the device configuration:

Click the “Backup” button (inside the change management window).

Then verify that a new configuration revision entry is listed.

Configure SNMP and Syslog

You will be configuring:

  • SNMP management (“Silver Monitoring” in MSActivator dialect) to enable SLA management and KPI monitoring.

  • Syslog management (“Gold Monitoring”) to enable log analytics.

The configuration will have the following impact on the Fortigate device configuration:

  1. The management interface of the Fortigate device will be configured to accept SNMP requests.

  2. A new SNMP community will be configured (Silver Monitoring).

  3. A syslog host will be configured on the Fortigate device so that it sends its syslogs to the MSActivator (Gold Monitoring).
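As an added example (it is not the template from the MSActivator repository, nor any FortiGate or MSActivator code), the following Python renders the FortiOS CLI fragment that the three changes above amount to, and refuses to render a default or trivially short community string, since the community is the credential that lets the collector read the device. It assumes the management interface is named port1 and that the MSActivator host polling SNMP is the same one that receives syslog (213.30.172.50, the Server IP given later in this document); both are assumptions to adjust for your own lab.

```python
# Added example (not the template from the MSActivator repository): render the
# FortiOS CLI that the three changes above amount to, refusing weak values.
# Assumptions: the management interface is "port1" and the MSActivator that
# polls SNMP is the host that also receives syslog (213.30.172.50 in this lab).
import ipaddress

# Community strings that ship as defaults or get reused everywhere. A community
# is a credential, so a rendered config must never carry one of these.
WEAK_COMMUNITIES = {"public", "private", "community"}


def community_is_acceptable(community: str) -> bool:
    """True when the community is neither a well-known default nor trivially short."""
    return community.lower() not in WEAK_COMMUNITIES and len(community) >= 8


def render_fortigate_monitoring(
    mgmt_interface: str,
    community: str,
    collector_ip: str,
    syslog_port: int = 514,
) -> str:
    """Return the FortiOS CLI fragment for steps 1-3: SNMP allowed on the
    management interface, one community whose queries are limited to the
    collector host, and syslogd pointed at the collector."""
    if not community_is_acceptable(community):
        raise ValueError(f"refusing weak SNMP community {community!r}")
    collector = ipaddress.IPv4Address(collector_ip)  # raises on garbage input
    if not 1 <= syslog_port <= 65535:
        raise ValueError(f"invalid syslog port {syslog_port}")

    return f'''config system interface
    edit "{mgmt_interface}"
        set allowaccess ping https ssh snmp
    next
end
config system snmp sysinfo
    set status enable
end
config system snmp community
    edit 1
        set name "{community}"
        set query-v1-status disable
        config hosts
            edit 1
                set ip {collector} 255.255.255.255
            next
        end
    next
end
config log syslogd setting
    set status enable
    set server "{collector}"
    set port {syslog_port}
    set facility local7
end
'''


if __name__ == "__main__":
    print(render_fortigate_monitoring("port1", "silver-mon-lab1", "213.30.172.50"))
```

The `config hosts` entry is what keeps step 2 from turning into an SNMP community reachable from anywhere the management interface is: only the collector address may query it. The rendered text is the same shape a post-configuration template pushes, so it can be diffed against the revision that appears in the change management view after the update.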

Configure SNMP on the device

By default, the Fortigate device configuration doesn’t allow SNMP requests on its management interface.

We can use a template from the repository to add this SNMP configuration.

Go back to the main device overview page and click “Attach files” on the “Overview” tab.

Make sure to click on the green plus sign to open the folder tree.

Choose “Post-configuration template” and save.

Trigger a configuration update.

Once the configuration update is done, verify that the configuration was applied by going back to the “Change management” in the “History” tab.

Configure syslog collecting

Use a Microservice to configure a syslog server on the FortiGate device.

Attach it to the device by opening the Microservice management console (via the green plus sign at the far right).

Server IP = 213.30.172.50

This is the public IP of the MSActivator, to which the device will send its syslogs.

Apply the configuration, then check in the change management view (“History” tab > “Change Management” button) that the new configuration was applied.

The FortiGate is now sending syslogs to the MSActivator. You can check this in the device log search GUI.

Go to the “Logs” tab and input a “*” into the search bar to execute a search for these syslogs.
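To see what the search actually returns once syslog is enabled, here is an added example (my own, not part of MSActivator or its log search GUI) that parses FortiGate syslog lines into fields and aggregates them by type and action, the same kind of count a dashboard panel shows. Every log line is constructed for the example, with placeholder device names and serials; only the collector IP 213.30.172.50 comes from this document.

```python
# Added example, not part of the MSActivator log search: parse FortiGate syslog
# lines (space-separated key=value pairs, quoted when the value has spaces) and
# aggregate them the way a dashboard panel would. Every log line below is
# constructed for this example; only the collector IP comes from the lab.
import re
from collections import Counter

SAMPLE_SYSLOG = [
    '<189>date=2024-05-02 time=10:15:01 devname="FGT_TRAINING_LAB" devid="FGT-LAB-SERIAL" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.10.1.25 srcport=51234 dstip=8.8.8.8 dstport=53 proto=17 '
    'action="deny" policyid=0 msg="Denied by default policy"',
    '<189>date=2024-05-02 time=10:15:03 devname="FGT_TRAINING_LAB" devid="FGT-LAB-SERIAL" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.10.1.25 srcport=51235 dstip=1.1.1.1 dstport=53 proto=17 '
    'action="deny" policyid=0 msg="Denied by default policy"',
    '<189>date=2024-05-02 time=10:15:05 devname="FGT_TRAINING_LAB" devid="FGT-LAB-SERIAL" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.10.1.40 srcport=44000 dstip=213.30.172.50 dstport=514 proto=17 '
    'action="accept" policyid=1',
    '<185>date=2024-05-02 time=10:15:09 devname="FGT_TRAINING_LAB" devid="FGT-LAB-SERIAL" '
    'logid="0000032002" type="event" subtype="system" level="alert" '
    'user="admin" ui="ssh(10.10.1.99)" srcip=10.10.1.99 action="login" status="failed" '
    'msg="Administrator admin login failed from ssh(10.10.1.99)"',
]

# Syslog priority header: <PRI> where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")
# One key=value pair; quoted values may contain spaces and escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Split one FortiGate syslog line into a field dict.

    Adds _facility/_severity from the <PRI> header when present, so the
    facility seen by the collector can be checked against the device config."""
    fields = {}
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        fields["_facility"], fields["_severity"] = divmod(pri, 8)
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def summarize(lines):
    """Count events by (type, action) and denied flows by source address."""
    by_type_action = Counter()
    denied_by_src = Counter()
    for line in lines:
        f = parse_fortigate_log(line)
        by_type_action[(f.get("type"), f.get("action"))] += 1
        if f.get("type") == "traffic" and f.get("action") == "deny":
            denied_by_src[f.get("srcip")] += 1
    return by_type_action, denied_by_src


if __name__ == "__main__":
    by_type_action, denied_by_src = summarize(SAMPLE_SYSLOG)
    for (kind, action), n in sorted(by_type_action.items(), key=str):
        print(f"{kind:8} {action:8} {n}")
    print("denied by source:", dict(denied_by_src))
```

If a `*` search on the “Logs” tab stays empty after the Microservice was applied, the first things to compare are the fields this parser exposes: the `_facility` value (23 is local7) against the syslogd setting on the device, and the `devname` against the device name MSActivator expects.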

Configure and display a dashboard

The MSActivator uses a pre-packaged Workflow to deploy the dashboard for a customer.

The steps below will show you how to do this.

1. Attach the Workflow “kibana_dashboard” to your customer

Click the “Services” tab.

Click the “Workflows” tab.

Click the little green “+” button (top right).

Select Workflow > Reference > Customer > Kibana > kibana_dashboard.xml.

2. Create the dashboard

3. Refresh the customer page and check the dashboard

Security management with Microservice

Attach the folder “ManagedSecurity” in the Microservice repository to the device.

Then go to the device config tab and see if you can configure a route (or an address) on the FortiGate.

Clean up the lab

At the end of the session, make sure that you roll back the device config to its initial configuration (use the Change Management GUI) and delete the customer.