Posts Tagged ‘fortigate’

This how-to explains how to authenticate an IPsec VPN on a Fortinet device against Microsoft Active Directory using LDAP.

I’ve tested it with a Fortigate 60B and a Fortigate 100A with success.
This post assumes you already have a fully functional IPsec VPN configuration on your Fortinet device, with authentication based on a Fortigate user group.

Connect to your device with SSH (or however you prefer, even with the web browser), and log in as “admin”.

From the console, enter the following:

config user ldap
 edit "GroupName"
 set server "my.adserver.ip.address"
 set cnid "sAMAccountName"
 set dn "ou=xxx,dc=yyyy,dc=zzzz"
 set type regular
 set username "domain\\Administrator"
 set password ENC *******************************************
 next
end

Where:
- “GroupName” is the label of the authentication group
- cnid is the common name identifier; with sAMAccountName the AD login name is checked
- dn is the LDAP path of the Organizational Unit that contains your users
- type regular is the authentication type
- username is an account that can read your AD LDAP tree (you should use an account other than Administrator; it is better)
- password is the password of the account above

Then edit your local group with the following command:

config user group

Locate your VPN group and add to it the LDAP group created above.

Test it with a Fortinet VPN Client (http://www.fortinet.com/products/forticlient/)

Hope this helps

Bye
Riccardo


This post will explain some useful commands on a Fortigate firewall.
This post assumes you have a Fortinet Fortigate device and want to use it to connect your local network (192.168.1.0/24) to the internet, and that you already have an internet connection.
This post also assumes that you have a router with the public IP address 111.222.111.1 and a public subnet 111.222.111.0/29.
In this case I’ve used a point-to-point device to detect the connection failure, with IP address 111.222.111.123.

Obviously you must change the private (INTERNAL) IP address to match your network, and use your own public subnet rather than the one used here as an example (111.222.111.0/29).

config system global
# Set the http admin port to 80/tcp
set admin-port 80

# Set the https admin port to 443/tcp
set admin-sport 443

# Set the ssh admin port to 22/tcp
set admin-ssh-port 22

# Set the telnet admin port to 23/tcp
set admin-telnet-port 23

# Set the hostname
set hostname "FGT50B-MAGAZZINO"

# Set the ntp server to "time.ien.it" and enable it
set ntpserver "time.ien.it"
set ntpsync enable

# Set to 43200 seconds the tcp-halfclose timer
set tcp-halfclose-timer 43200
end

# Set the session timeout for the telnet port (23/tcp) to 43200 seconds.
# This is very useful if you have an AS400 (iSeries), to avoid session timeouts.
# Note: "config port" is nested inside "config system session-ttl", so both blocks need their own "end".
config system session-ttl
set default 43200
config port
edit 23
set timeout 43200
next
end
end

# Set the IP address and administrative access options (ping https http) for the INTERNAL interface.
config system interface
edit "internal"
set ip 192.168.1.254 255.255.255.0
set allowaccess ping https http
set type physical
next

# Set the IP address and administrative access options (ping https) for the WAN1 interface.
# Enable the "Gateway Detect" option and set the "Ping Server" destination.
# Set the interface speed to 10 Mb/s half duplex; this is useful for some connections, like a radio bridge.
edit "wan1"
set ip 111.222.111.2 255.255.255.248
set allowaccess ping https
set gwdetect enable
set detectserver "111.222.111.123"
set type physical
set speed 10half
next
end

# Set DNS Servers and DNS options
config system dns
set primary 192.168.1.3
set secondary 212.97.32.2
set domain ''
set autosvr disable
set dns-cache-limit 5000
set cache-notfound-responses disable
end

# Set a firewall policy to allow traffic from INTERNAL to WAN1 using NAT,
# and apply a default protection profile called "scan"
config firewall policy
edit 1
set srcintf “internal”
set dstintf "wan1"
set srcaddr “all”
set dstaddr “all”
set action accept
set schedule “always”
set service “ANY”
set profile-status enable
set profile “scan”
set nat enable
next
end

# Set a default gateway on the WAN1 interface.
# The next hop is the router's public address (111.222.111.1), not the address assigned to wan1 itself.
config router static
edit 1
set device "wan1"
set gateway 111.222.111.1
next
end
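Before pasting a configuration like the one above onto a device, it is worth checking that each static route points at a usable next hop (inside the egress interface's subnet, and not the interface's own address). The following Python script is an added example, not code from the original post: it parses FortiOS CLI text (config/edit/set/next/end) into nested dicts and runs that check over a constructed sample that reproduces the wan1 interface and default route, with the gateway deliberately set to wan1's own IP. The function names parse_fortios and check_default_routes are hypothetical.

```python
import ipaddress
import shlex

# Constructed sample (not a real device export): the wan1 interface and the
# default route of the post above, with the gateway wrongly set to wan1's own IP.
SAMPLE = """
config system interface
    edit "wan1"
        set ip 111.222.111.2 255.255.255.248
    next
end
config router static
    edit 1
        set device "wan1"
        set gateway 111.222.111.2
    next
end
"""

def parse_fortios(text):
    """Turn config/edit/set/next/end lines into nested dicts keyed by table and entry."""
    root, stack = {}, []
    cur = root
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)  # drops quotes and '#' comments
        if not parts:
            continue
        verb, args = parts[0], parts[1:]
        if verb in ('config', 'edit'):            # open a table or an entry
            stack.append(cur)
            cur = cur.setdefault(' '.join(args), {})
        elif verb in ('next', 'end'):             # close the innermost block
            cur = stack.pop()
        elif verb == 'set':                       # values kept as a list of tokens
            cur[args[0]] = args[1:]
    return root

def check_default_routes(cfg):
    """One finding per static route whose gateway is not a usable next hop."""
    findings = []
    for name, route in cfg.get('router static', {}).items():
        dev, gw = route['device'][0], route['gateway'][0]
        ip, mask = cfg['system interface'][dev]['ip']    # KeyError if device unknown
        net = ipaddress.ip_network(f'{ip}/{mask}', strict=False)
        if gw == ip:
            findings.append(f"route {name}: gateway {gw} is {dev}'s own address")
        elif ipaddress.ip_address(gw) not in net:
            findings.append(f"route {name}: gateway {gw} is outside {dev} subnet {net}")
    return findings
```

Running check_default_routes(parse_fortios(SAMPLE)) reports the self-referencing gateway; replacing it with 111.222.111.1 (the router) yields no findings.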

Hope this helps

Bye
Riccardo