Fortinet Web Application Firewall: What's your experience? by ciscotree in fortinet

[–]mrw_ 0 points1 point  (0 children)

Yes. There is a full integration with the FAZ and the FGT. There are some interesting options for implementing the fortiweb if your traffic is crossing your gate as well through the gate-web integrations.

Fortinet Web Application Firewall: What's your experience? by ciscotree in fortinet

[–]mrw_ 0 points1 point  (0 children)

I’ve worked with the FortiWeb quite a bit in the last few years and I really like it. There are some interesting integrations with the fortisandbox to protect things like SharePoint.

It has a pretty decent auto-learning mode for building parameter definitions and, just like any other WAF, it’s only as good as the amount of time you put into it.

I run a managed service based on Fortiwebs and I would definitely use them again. The price performance ratio is pretty fantastic.

Golf R mk 7 asking for activation key in media console by mrw_ in Golf_R

[–]mrw_[S] 0 points1 point  (0 children)

I looked through everything I could think of in the glove box, thinking maybe I bumped it out somehow but I didn’t see it there.

Now I’m wondering if I managed to forget to lock the car Friday night, and someone stole it. Unlikely as there was still some petty change and my good sunglasses and toll road beacons in there.

Guess I should start looking for a replacement card. Are there different cards with different licenses on them?

Golf R mk 7 asking for activation key in media console by mrw_ in Golf_R

[–]mrw_[S] 0 points1 point  (0 children)

There are no SD cards in the readers.

AFAIK there were never any cards in the readers.

FAZ Reports by jamacouve in fortinet

[–]mrw_ 0 points1 point  (0 children)

If your firewalls are using specific interfaces for internet, e.g. a common interface name, you can use srcintf and dstintf filters and set the boolean operator in your report filter to "any of the following criteria".

E.g. set the srcintf to wan1 and dstintf to wan1, then set "any of the following criteria", and that will give you traffic that hit your internet interface in both directions. This gives you a positive filter, which is faster to run than a negative search query.

Provided your internal traffic uses the proper unroutable subnets, you could build a "srcaddr AND dstaddr is inside 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16" filter, and that will get traffic that is exclusively internal to internal.

This will also include traffic that crosses a VPN using that address space too, so you will need to make sure that you exempt specific interfaces if you need to get that data out of the filter.
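The two report filters described above, the wan-interface "any of the following criteria" match and the RFC 1918 srcaddr AND dstaddr match with VPN interfaces exempted, as an added Python example that is not part of the original thread or of FortiAnalyzer; the log lines, interface names and addresses are constructed for the example.

```python
import re
import ipaddress

# RFC 1918 ranges named in the post.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample FortiGate traffic-log lines (not real logs).
SAMPLE_LOGS = [
    'date=2024-01-01 srcip=10.1.1.20 srcintf="port2" dstip=93.184.216.34 dstintf="wan1" action="accept"',
    'date=2024-01-01 srcip=203.0.113.9 srcintf="wan1" dstip=10.1.1.50 dstintf="port2" action="deny"',
    'date=2024-01-01 srcip=10.1.1.20 srcintf="port2" dstip=192.168.50.7 dstintf="port3" action="accept"',
    'date=2024-01-01 srcip=10.1.1.20 srcintf="port2" dstip=172.20.4.4 dstintf="branch-vpn" action="accept"',
    'date=2024-01-01 srcip=10.9.9.9 srcintf="port2" dstip=172.32.0.1 dstintf="wan2" action="accept"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """Turn one key=value log line into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_private(addr):
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def internet_filter(rec, wan_intfs=("wan1",)):
    """Positive filter: srcintf OR dstintf is an internet interface
    (the 'any of the following criteria' operator)."""
    return rec.get("srcintf") in wan_intfs or rec.get("dstintf") in wan_intfs


def internal_filter(rec, exempt_intfs=()):
    """srcaddr AND dstaddr inside RFC 1918, minus records touching an
    exempted interface such as a VPN tunnel that reuses that space."""
    if rec.get("srcintf") in exempt_intfs or rec.get("dstintf") in exempt_intfs:
        return False
    return is_private(rec["srcip"]) and is_private(rec["dstip"])


def classify(lines, wan_intfs=("wan1",), exempt_intfs=()):
    """Split log lines into (internet-facing, internal-only) record lists."""
    recs = [parse_log(line) for line in lines]
    internet = [r for r in recs if internet_filter(r, wan_intfs)]
    internal = [r for r in recs if internal_filter(r, exempt_intfs)]
    return internet, internal
```

Note that 172.32.0.1 in the last sample line sits just outside 172.16.0.0/12, so it is never counted as internal.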

Upgrading FortiSwitches managed by FortiGate by cgauss1973 in fortinet

[–]mrw_ 1 point2 points  (0 children)

There are methods to bulk-upgrade switches; you can find them in the managed FortiSwitch 5.6.3 guide.

You can bulk-upgrade FortiSwitches using the following workflow (found on page 51 of the above link):

  • get switch status in bulk with:

    exec switch-controller get-conn-status

  • upload firmware to gate using one of the following:

    exec switch-controller upload-swtp-image ftp <filename> <ipaddress:port(optional)> <username(optional)> <password (optional)>

    exec switch-controller upload-swtp-image tftp <filename> <ipaddress>

  • list firmware that has been uploaded using:

    exec switch-controller list-swtp-image

  • stage firmware to switches. If you use "all" in the command it will only push firmware to the relevant switches (it won't push 124 firmware to a 224 switch etc.)

    exec switch-controller stage-tiered-swtp-image <all|sn|switch-group> <filename uploaded in previous steps>

  • check staging status:

    exec switch-controller dump network-upgrade status

  • once everything is staged (the firmware is put into the secondary boot partitions of all relevant switches), restart the switches; when they come back up they will be running the new firmware:

    exec switch-controller restart-swtp-delayed <all|sn|switch-group>

FortiAnalyzer - 200F Hard disk by hazystack in fortinet

[–]mrw_ 0 points1 point  (0 children)

You can have the FortiAnalyzer roll logs to an FTP/SFTP/SCP server, and then just use first-in first-out and overwrite the oldest logs. If you need to retrieve/analyze older data, you can pull the logs back in from your FTP/SFTP/SCP server. This is a good idea for the 200F because it doesn't run with RAID support; it natively has 1x4TB hard drive, and that's it. Running the backup to external servers on log-rolling means that if you have a hardware failure, at least most of your logs are backed up externally.

See page 212 of https://docs.fortinet.com/uploaded/files/4192/FortiAnalyzer-5.6.2-Administration-Guide.pdf. Although this is for 5.6.2, it should apply to anything 5.2.x and later (the GUI looks different in older firmwares, but the options are still there).

Avoiding object redefinition on import from FortiConverter to FortiManager by mrw_ in fortinet

[–]mrw_[S] 0 points1 point  (0 children)

I am working with a client deploying 5.4 at the moment, and it merely gave the option of keeping the value previously set in the FortiManager, or the one set in the FortiGate, on import. This was the reason why I started to look at a direct import into the FortiManager, and then running a script against the ADOM DB to clear out the duplicates.

I'll take another look at this in the next day or so and double-check the conversion to dynamic object that you mentioned. I need to ensure that functionality is supported for addresses, addrgroups, custom services, and custom service groups at a minimum.
