FortiGate

Based on Fortinet's proprietary FortiASIC acceleration chips

FortiAP

Enterprise-grade, controller-managed wireless access points

FortiWeb

Web application firewall

FortiMail

Advanced anti-spam and antivirus filtering

FGSP Configuration Guide

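FortiOS has supported the FortiGate Session Life Support Protocol (FGSP) since FortiOS 5.0. In load-sharing scenarios with asymmetric traffic, it provides standalone configuration synchronization and session synchronization.

FGSP+VRRP, FGSP+OSPF and FGSP+transparent mode can also achieve an effect similar to active-passive HA. Whether traffic is symmetric is determined by VRRP, the OSPF cost and the upstream and downstream devices, and FGSP works in both symmetric and asymmetric traffic scenarios. For symmetric traffic we recommend simply using ordinary HA; FGSP is normally used where traffic is asymmetric.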

Fortinet Token Mobile (FortiToken) installation packages for Android/iOS/Windows Phone

Download the FortiTokenAndroid, FortiTokenIOS and FortiTokenWindows Phone installation packages.
The latest version at present (March 15, 2018) is:

FortiTokenAndroid
v4.2.2 GA Release 
2018-03-15

FortiTokenAndroid
https://fortinet.egnyte.com/dl/gWWnSz6roW/FortiTokenAndroid-v400-build0078-release.apk_

FortiTokenIOS
https://fortinet.egnyte.com/dl/Q1LzUZkU8e/FortiTokenMobile-4.2.0.0084-release.ipa_

FortiTokenWindows Phone
https://fortinet.egnyte.com/dl/11BWt1ZGAi/FortiToken_4.0.1022.0_x86_x64_ARM_bundle.appxupload_

FortiClient installation package for Android

The latest version at present (November 20, 2017) is:
FortiClientAndroid
v5.4.2 GA Release 
2017-08-30

Download location 1: .apk package that can be installed directly on Android devices (Fortinet share):
FortiClient VPN only
https://fortinet.egnyte.com/dl ... .apk_

FortiClient full function
https://fortinet.egnyte.com/dl ... .apk_

Download location 2: .apk package that can be installed directly on Android devices (Baidu share):
FortiClient VPN only
https://pan.baidu.com/s/1xn5RM1GkPddprsVvuaeuSg

FortiClient full function
https://pan.baidu.com/s/1jo2_3AS7u40oiCEvlrNRIA

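FortiOS support for VXLAN

Virtual Extensible LAN (VXLAN)
1. VXLAN is a network virtualization technology commonly used in large cloud computing deployments.
2. VXLAN uses the standard destination port 4789 to encapsulate OSI layer 2 Ethernet frames in layer 3 IP packets.
3. The VXLAN endpoints that terminate VXLAN tunnels can be virtual or physical switch ports, and are also called VXLAN Tunnel Endpoints (VTEPs).
4. Standard VXLAN as implemented per RFC 7348.
FortiGate supports the standard VXLAN protocol starting with FortiOS 5.6.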

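How to obtain the certificate after passing the NSE 4 exam and link it to your company

Many people do not know how to obtain the certificate after passing the NSE 4 exam, how the certificate is communicated to the individual, or how to link it to the company's Partner. In fact, you can download the certificate yourself as a PDF file, and it becomes downloadable very quickly: generally 24 hours after passing the exam it can be downloaded from the relevant website. The tutorial follows.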

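Connecting Openswan on Alibaba Cloud to an FGT over IPsec VPN

Installing and configuring Openswan on CentOS 6.5
(1) Install Openswan with yum -y install openswan
# yum -y install openswan
# ipsec verify

(2) Edit /etc/sysctl.conf
# vi /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 0 --- change to 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1 --- change to 0

# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
change to
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 0

(3) Run the following command to set the kernel parameters (it appends the accept_redirects and send_redirects entries, set to 0, to /etc/sysctl.conf)
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print $1"= 0"}' >> /etc/sysctl.conf
After it runs successfully, run sysctl -p to apply the changed parameters.

(4) Disable SELinux: setenforce 0 (disables SELinux until the next reboot), then disable SELinux permanently
Edit /etc/selinux/config (vi /etc/selinux/config) and change
SELINUX=enforcing
to
SELINUX=disabled
[Adjust this setting to your requirements; disabling it completely is insecure]

(5) Disable iptables
# /etc/init.d/iptables stop
# chkconfig iptables off
[Adjust this setting to your requirements; disabling it completely is insecure. In practice you only need to allow the relevant traffic]

(6) Run # chkconfig ipsec on so that the ipsec service starts automatically at boot

(7) Enable route forwarding on Linux:
echo "1">/proc/sys/net/ipv4/ip_forward

(8) Start ipsec with # service ipsec restart and run the check command ipsec verify again

(9) Configure Openswan
# vi /etc/ipsec.conf
# vi /etc/ipsec.secrets
# service ipsec restart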
 
IPsec VPN configuration case: FGT to Openswan on Alibaba Cloud:
Fortinet FortiGate       public IP: 111.207.223.66    internal subnet: 192.168.146.0/24
Alibaba Cloud Openswan   public IP: 39.107.48.171     internal subnet: 10.25.0.0/16


Topology:
192.168.146.0/24------------FGT----------Internet---------OPENSWAN-----------10.25.0.0/16
                                  
Alibaba Cloud Openswan IPsec VPN configuration:
# vi /etc/ipsec.secrets
39.107.48.171 111.207.223.66: PSK "root123"

# vi /etc/ipsec.conf
config setup
   plutodebug=all
   plutostderrlog=/var/log/pluto.log
   protostack=netkey
   nat_traversal=yes
   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16

conn vpn-tunnel
   auto=start
   type=tunnel
   authby=secret
   compress=no
   pfs=yes
   # left = this Openswan host on Alibaba Cloud
   left=39.107.48.171
   #leftid=openswan
   leftsubnet=10.25.0.0/16
   leftnexthop=%defaultroute
   # right = the FortiGate
   right=111.207.223.66
   #rightid=fgt
   rightsubnet=192.168.146.0/24
   rightnexthop=%defaultroute

FGT IPsec VPN configuration:
config system interface
    edit "wan1"
        set ip 111.207.223.66 255.255.255.224
end
config vpn ipsec phase1-interface
    edit "to-aliyun"
        set interface "wan1"
        set peertype any
        set remote-gw 39.107.48.171
        set psksecret ENC osY8nq9ytG9TwSANhARRNzLQCSNQ2m7WSsZrJVCNFuwjtwiMvth6hayrHdFqU7CuWai+337BiJPgSJ+ycQqgoPfRYrqg/KG/9K/Kv4HyPDYtKq7WuOyODjz2hlCCIsF5yLkHZSKgsNsXuTi+MDgRoT3YA6TbAn+yjsU4W5BJXyWKKNz6f2KG/cmQSKjIlo6Ak/awCw==
    next
end
config vpn ipsec phase2-interface
    edit "to-aliyun"
        set phase1name "to-aliyun"
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 192.168.146.0 255.255.255.0
        set dst-subnet 10.25.0.0 255.255.0.0
    next
end
config firewall policy
    edit 0
        set name "vpnlocal-to-aliyun"
        set srcintf "port1"
        set dstintf "to-aliyun"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "aliyun-to-vpnlocal"
        set srcintf "to-aliyun"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 1
        set gateway 111.207.223.65
        set device "wan1"
    next
    edit 0
        set dst 10.25.0.0 255.255.0.0
        set device "to-aliyun"
    next
    edit 0
        set dst 10.25.0.0 255.255.0.0
        set distance 254
        set blackhole enable
    next
end
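
Step (5) above notes that stopping iptables entirely is insecure and that only the relevant traffic needs to be allowed. The following added example (not part of the original post) generates such a ruleset in iptables-restore format for the Openswan host, using the peer address and subnets from the configuration case; the function names and the SSH management rule on tcp/22 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): emit a minimal iptables-restore
# ruleset for the Openswan host instead of stopping iptables altogether.

# valid_v4 ADDR[/LEN]: succeed only for a dotted-quad IPv4 address, optional prefix.
valid_v4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    for octet in $(echo "${1%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# ipsec_fw_rules PEER LOCAL_NET REMOTE_NET: print the ruleset on stdout.
ipsec_fw_rules() {
    for arg in "$1" "$2" "$3"; do
        valid_v4 "$arg" || { echo "invalid address: $arg" >&2; return 1; }
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Assumption: SSH management on tcp/22; restrict the source in production.
-A INPUT -p tcp --dport 22 -j ACCEPT
# IKE, NAT-T and ESP only from the FortiGate peer
-A INPUT -s $1 -p udp --dport 500 -j ACCEPT
-A INPUT -s $1 -p udp --dport 4500 -j ACCEPT
-A INPUT -s $1 -p esp -j ACCEPT
# Forward between the two subnets only when the packet is IPsec-protected
-A FORWARD -s $3 -d $2 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -s $2 -d $3 -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
EOF
}

# Values from the post: FortiGate peer, Alibaba Cloud subnet, FortiGate subnet.
ipsec_fw_rules 111.207.223.66 10.25.0.0/16 192.168.146.0/24
```

Check the output with iptables-restore --test before loading it, and confirm the SSH rule matches how you reach the host so the DROP policy does not lock you out.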