[Frequently used FortiGate debug commands]
 
1. diagnose debug flow
 
The diag debug flow command lets you follow the flow of inbound->outbound traffic through the FortiGate.
 
It is made up of three parts: filter, show, and trace.
 
FGT82C3109600076 # diagnose debug flow filter addr 122.49.65.221
 
FGT82C3109600076 # diagnose debug flow show console enable
show trace messages on console
 
FGT82C3109600076 # diagnose debug flow trace start 10
 
FGT82C3109600076 # id=36870 trace_id=21 msg="vd-root received a packet(proto=1, 122.49.65.222:1024->122.49.67.40:8) from port2."
id=36870 trace_id=21 msg="Find an existing session, id-0004a929, original direction"
id=36870 trace_id=22 msg="vd-root received a packet(proto=1, 122.49.67.40:1024->122.49.65.222:0) from local."
 
2. diagnose sniffer packet
 
FGT82C3109600076 # diagnose sniffer packet any "icmp" 4
 
Syntax
# diag sniffer packet <interface> <'filter'> <verbose> <count> <a>
 
<interface> can be an Interface name or "any" for all Interfaces.
<'filter'> is a very powerful filter functionality which will be described in more detail.
<verbose> means the level of verbosity as described already.
<count> the number of packets the sniffer reads before stopping; '0' runs indefinitely.
<a> prints absolute timestamps (only effective when <count> is given); the default is relative timestamps, so only relative times are shown.
 
<verbose>
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
 
diagnose sniffer packet any "" 4 0 a
 
Packet sniffer
- Check ICMP
dia sniff packet port3 icmp 100
- Capture 100 TCP SYN packets
dia sniff packet port3 'tcp[13]==2' 100 0 a
- Capture 100 TCP SYN and SYN-ACK packets
dia sniff packet port3 'tcp[13]&2==2' 100
 
3. NP2 ASIC accelerate enable/disable
 
FG3K6A3407600192 (global) # diagnose npu np2 fastpath
e2prom View E2PROM data
fastpath Configure fastpath
fastpath-sniffer Configure fastpath sniffer by port
list Display all NP2 devices
performance View NP2 performance
register View NP2 registers
status View NP2 device status
 
FG3K6A3407600192 (global) # diagnose npu np2 fastpath disable 0
 
4. NP4 ASIC accelerate enable/disable
 
# diagnose npu np4 fastpath disable 0
 
Note 1) NP4 Fast Path disabled. Please clear session to clear existing path.
 
Note 2) Traffic logs are only written once the session has expired.
 
Configuration
 
==================================================================
 
diag debug flow filter <name> <value>
 
- Add a debug flow trace filter: <filter option> <filter value; any if omitted>
 
diag debug flow show console enable
 
- Display debug output in the current console session
 
diag debug flow show function-name enable
 
- Show the name of the function that produced each trace line
 
diag debug flow trace start <repeat number>
 
- Number of packets to trace
 
diag debug enable
 
- Start debug output
 
==================================================================
Example 1. (Debugging communication with external hosts)
 
This shows a lot of information: the ingress interface, the session type, the policy applied, the VDOM, the route taken, and more.
 
==================================================================
 
diag debug flow filter add 192.168.10.4
 
diag debug flow show console enable
 
diag debug flow show function-name enable
 
diag debug flow trace start 100
 
diag debug enable
 
==================================================================
 
...to stop the debug, type "diag debug flow trace stop"
 
 
 
20085 trace_id=29 func=get_new_addr line=1240 msg="find SNAT: IP-222.110.157.103, port-46024"
 
20085 trace_id=29 func=fw_forward_handler line=320 msg="Allowed by Policy-5: SNAT"
 
20085 trace_id=29 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->222.110.157.103:46024"
 
20085 trace_id=30 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."
 
20085 trace_id=30 func=resolve_ip_tuple line=2908 msg="allocate a new session-02bb75c1"
 
20085 trace_id=30 func=rpdb_srv_match line=422 msg="Match policy routing: to 222.234.226.3 via ifindex-3"
 
20085 trace_id=30 func=vf_ip4_route_input line=1599 msg="find a route: gw-121.131.216.126 via wan1"
 
20085 trace_id=30 func=get_new_addr line=1240 msg="find SNAT: IP-121.131.216.116, port-46025"
 
20085 trace_id=30 func=fw_forward_handler line=320 msg="Allowed by Policy-7: SNAT"
 
20085 trace_id=30 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"
 
20085 trace_id=31 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."
 
20085 trace_id=31 func=resolve_ip_tuple_fast line=2836 msg="Find an existing session, id-02bb75c1, original direction"
 
20085 trace_id=31 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"
 
Example 2. (Debugging communication between internal hosts in transparent mode)
 
==================================================================
 
diag debug flow filter add 192.168.10.4
 
diag debug flow show console enable
 
diag debug flow show function-name enable
 
diag debug flow trace start 100
 
diag debug enable
 
==================================================================
 
...to stop the debug, type "diag debug flow trace stop"
 
Example of debug flow output when traffic flows:
 
id=20085 trace_id=113 msg="vd-tp_mode received a packet(proto=6, 192.168.10.4:4370->192.168.10.2:23) from internal."
id=20085 trace_id=113 msg="Find an existing session, id-00000a40, original direction"
id=20085 trace_id=113 msg="enter fast path"
id=20085 trace_id=113 msg="send out via dev-dmz1, dst-mac-00:01:02:03:04:05"
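As an added example (not from the original post), the following Python script groups debug flow output like the traces above by trace_id and pulls out the decision points of each packet: the receiving VDOM and interface, session allocation or lookup, route, policy and SNAT. The sample lines are copied from example 1; message patterns beyond those shown on the page are not handled.

```python
import re

# Constructed sample: trace lines copied from example 1 above, trimmed to two traces
SAMPLE_TRACE = """\
20085 trace_id=30 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."
20085 trace_id=30 func=resolve_ip_tuple line=2908 msg="allocate a new session-02bb75c1"
20085 trace_id=30 func=rpdb_srv_match line=422 msg="Match policy routing: to 222.234.226.3 via ifindex-3"
20085 trace_id=30 func=vf_ip4_route_input line=1599 msg="find a route: gw-121.131.216.126 via wan1"
20085 trace_id=30 func=get_new_addr line=1240 msg="find SNAT: IP-121.131.216.116, port-46025"
20085 trace_id=30 func=fw_forward_handler line=320 msg="Allowed by Policy-7: SNAT"
20085 trace_id=30 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"
20085 trace_id=31 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 192.168.10.4:1159->222.234.226.3:110) from internal."
20085 trace_id=31 func=resolve_ip_tuple_fast line=2836 msg="Find an existing session, id-02bb75c1, original direction"
20085 trace_id=31 func=__ip_session_run_tuple line=1562 msg="SNAT 192.168.10.4->121.131.216.116:46025"
"""

# Every line carries trace_id=N and msg="..."; func=/line= only appear with show function-name
LINE_RE = re.compile(r'trace_id=(\d+).*?msg="([^"]*)"')
PACKET_RE = re.compile(r'^(\S+) received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+?)\.?$')
# One regex per message type seen on the page; group 1 is the value stored under the key
FIELD_RES = {
    "new_session": re.compile(r'allocate a new session-(\w+)'),
    "existing_session": re.compile(r'Find an existing session, id-(\w+)'),
    "policy_route": re.compile(r'Match policy routing: (.+)'),
    "route": re.compile(r'find a route: (.+)'),
    "policy": re.compile(r'Allowed by Policy-(\d+)'),
    "snat": re.compile(r'^SNAT \S+->(\S+)$'),
}

def parse_trace(text):
    """Group debug flow lines by trace_id and pull out the decision points of each packet."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(tid, {"trace_id": tid})
        p = PACKET_RE.match(msg)
        if p:
            t.update(vdom=p.group(1), proto=int(p.group(2)), src=p.group(3),
                     dst=p.group(4), in_if=p.group(5))
            continue
        for key, rx in FIELD_RES.items():
            r = rx.search(msg)
            if r:
                t[key] = r.group(1)
                break
    return [traces[k] for k in sorted(traces)]

def describe(t):
    # One-line verdict per trace, handy when scanning long captures
    head = f"trace {t['trace_id']}: proto {t.get('proto')} {t.get('src')}->{t.get('dst')} in {t.get('in_if')}"
    if "policy" in t:
        tail = f"new session {t.get('new_session')}, allowed by policy {t['policy']}"
    elif "existing_session" in t:
        tail = f"existing session {t['existing_session']}"
    else:
        tail = "no policy decision recorded"
    if "snat" in t:
        tail += f", SNAT to {t['snat']}"
    if "route" in t:
        tail += f", route {t['route']}"
    return head + "; " + tail
```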

 

 


Fortigate IPv6 over IPv4 VPN Tunnel

Configure FortiGate A interfaces
 
config system interface
edit port2
set ip 10.0.0.1/24
next
edit port3
config ipv6
set ip6-address fec0::0001:209:0fff:fe83:25f3/64
end
next
end
 
Configure FortiGate A IPsec settings
config vpn ipsec phase1-interface
edit toB
set interface port2
set remote-gw 10.0.1.1
set dpd enable
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end
 
config vpn ipsec phase2-interface
edit toB2
set phase1name toB
set proposal 3des-md5 3des-sha1
set pfs enable
set replay enable
set src-addr-type subnet6
set dst-addr-type subnet6
end
 
Configure FortiGate A security policies
 
config firewall policy6
edit 1
set srcintf port3
set dstintf toB
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
next
 
edit 2
set srcintf toB
set dstintf port3
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
end
Configure FortiGate A routing
 
config router static6
edit 1
set device toB
set dst fec0:0000:0000:0004::/64
end
config router static
edit 1
set device port2
set dst 0.0.0.0/0
set gateway 10.0.0.254
end
 
Configure FortiGate B
 
config system interface
edit port2
set ip 10.0.1.1/24
next
edit port3
config ipv6
set ip6-address fec0::0004:209:0fff:fe83:2569/64
end
next
end
config vpn ipsec phase1-interface
edit toA
set interface port2
set remote-gw 10.0.0.1
set dpd enable
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end
config vpn ipsec phase2-interface
edit toA2
set phase1name toA
set proposal 3des-md5 3des-sha1
set pfs enable
set replay enable
set src-addr-type subnet6
set dst-addr-type subnet6
end
config firewall policy6
edit 1
set srcintf port3
set dstintf toA
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
next
edit 2
set srcintf toA
set dstintf port3
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
end
config router static6
edit 1
set device toA
set dst fec0:0000:0000:0000::/64
end
config router static
edit 1
set device port2
set gateway 10.0.1.254
end

 

 
 
The password requirements applied by default on Windows Server 2008 R2 are as follows.
[Figure 1. "Password must meet complexity requirements" properties]
 
To reach this screen you have to go through the long path
"Run > gpedit.msc > Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy".
 
[Figure 2. Local Group Policy Editor]
 
Here, if you change "Enabled" to "Disabled" on the Local Security Setting tab, the four password complexity requirements above are no longer enforced.
On ordinary client versions of Windows (such as Windows 7) this issue does not come up and there is no need to edit this setting.
In other words, it applies only to server-class versions of Windows.

 

The complexity requirement can be turned off with the simple method above, but occasionally you will find the password complexity settings window greyed out, as shown below.
[Figure 3. "Password must meet complexity requirements" properties cannot be changed]
 
This happens when Active Directory services are in use on the Windows Server: the setting can no longer be changed there, as in the figure above.
My development server was also in this unchangeable state.
After looking into it, the solution was as follows.
 
1. Run > gpmc.msc
2. Group Policy Management > Forest: ___ > Domains > ___ > Group Policy Objects > Default Domain Policy
[Figure 4. gpmc.msc screen]
 
3. Right-click Default Domain Policy and choose Edit from the context menu
[Figure 5. Editing the Default Domain Policy]
 
4. In the "Group Policy Management Editor" that opens, go to "Default Domain Policy [___] > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy"
[Figure 6. Group Policy Management Editor]
 
5. Double-click the "Password must meet complexity requirements" policy to open its properties, change "Enabled" to "Disabled", and click OK
[Figure 7. "Password must meet complexity requirements" properties window]
 
 
Finally, run "Run > gpupdate /force" to apply the changed policy.
[Figure 8. gpupdate /force screen]

 

 


FortiGate service object priority by category

  1. tcp-52000-Uncategorized
  2. tcp-52000-web Access
  3. tcp-52000-File Access
  4. tcp-52000-Email
  5. tcp-52000-Network Services
  6. tcp-52000-Authentication
  7. tcp-52000-Remote Access
  8. tcp-49152-65535-Authentication
  9. tcp-49152-65535-Remote Access
  10. tcp-52000-Tunneling / tcp-49152-52000-Tunneling
  11. tcp-49152-65535-Tunneling / tcp-52000-tunneling
  12. tcp-52000-VOIP, Messaging & Other Applications / tcp-49152-52000-VOIP, Messaging & Other Applications
  13. tcp-49152-52000-VOIP, Messaging & Other Applications / tcp-52000-VOIP, Messaging & Other Applications
  14. tcp-52000-Web Proxy / tcp-49152-52000-Web Proxy
  15. tcp-49152-52000-Web Proxy / tcp-52000-Web Proxy
  16. tcp-49152-52000-Uncategorized
  17. tcp-49152-52000-Web Access
  18. tcp-49152-52000-File Access
  19. tcp-49152-52000-Email
  20. tcp-49152-52000-Network Services
  21. tcp/52000
  22. tcp-52000-General TCP-49152-65535-General : no log written
 
config firewall service custom
    edit "TCP-49152-65535-general"
        set category "General"
        set tcp-portrange 49152-65535
    next
    edit "TCP-52000-uncat"
        set tcp-portrange 52000
    next
    edit "TCP-49152-65535-auth"
        set category "Authentication"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-remote"
        set category "Remote Access"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-tunnel"
        set category "Tunneling"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-voip"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-webproxy"
        set category "Web Proxy"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-uncat"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-web"
        set category "Web Access"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-file"
        set category "File Access"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-email"
        set category "Email"
        set tcp-portrange 49152-65535
    next
    edit "TCP-49152-65535-network"
        set category "Network Services"
        set tcp-portrange 49152-65535
    next
    edit "TCP-52000-general"
        set category "General"
        set tcp-portrange 52000
    next
    edit "TCP-52000-web"
        set category "Web Access"
        set tcp-portrange 52000
    next
    edit "TCP-52000-file"
        set category "File Access"
        set tcp-portrange 52000
    next
    edit "TCP-52000-email"
        set category "Email"
        set tcp-portrange 52000
    next
    edit "TCP-52000-network"
        set category "Network Services"
        set tcp-portrange 52000
    next
    edit "TCP-52000-auth"
        set category "Authentication"
        set tcp-portrange 52000
    next
    edit "TCP-52000-remote"
        set category "Remote Access"
        set tcp-portrange 52000
    next
    edit "TCP-52000-tunnel"
        set category "Tunneling"
        set tcp-portrange 52000
    next
    edit "TCP-52000-voip"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 52000
    next
    edit "TCP-52000-webproxy"
        set category "Web Proxy"
        set tcp-portrange 52000
    next
end
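An added example, not from the original post: a Python parser for the "config firewall service custom" block above that lists every service object overlapping a given TCP port, narrowest range first. It does not reproduce the firewall's own match order (the numbered list above records that empirically); it is a review aid for spotting overlapping objects, and it assumes an object without "set category" falls into Uncategorized, as the page's *-uncat naming suggests.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the "config firewall service custom" block above (three of its objects)
SAMPLE_CONFIG = """\
config firewall service custom
    edit "TCP-49152-65535-general"
        set category "General"
        set tcp-portrange 49152-65535
    next
    edit "TCP-52000-uncat"
        set tcp-portrange 52000
    next
    edit "TCP-52000-web"
        set category "Web Access"
        set tcp-portrange 52000
    next
end
"""

@dataclass
class Service:
    name: str
    category: str
    tcp_ranges: list  # [(low, high), ...] destination port ranges

    def matches(self, port):
        return any(lo <= port <= hi for lo, hi in self.tcp_ranges)

    def width(self):
        return sum(hi - lo + 1 for lo, hi in self.tcp_ranges)

def parse_portrange(spec):
    """'52000', '49152-65535' or several space-separated ranges; 'dst:src' keeps only dst."""
    ranges = []
    for token in spec.split():
        lo, _, hi = token.split(":")[0].partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def parse_services(text):
    """Parse the edit/set/next entries of a 'config firewall service custom' block."""
    services, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            # The page's *-uncat objects carry no "set category": assumed to mean Uncategorized
            cur = Service(m.group(1), "Uncategorized", [])
        elif cur is None:
            continue
        elif line.startswith("set category "):
            cur.category = line.split('"')[1]
        elif line.startswith("set tcp-portrange "):
            cur.tcp_ranges = parse_portrange(line[len("set tcp-portrange "):])
        elif line == "next":
            services.append(cur)
            cur = None
    return services

def overlapping(services, port):
    """Objects covering `port`, narrowest first: a review aid, not the firewall's own match order."""
    hits = [s for s in services if s.matches(port)]
    return sorted(hits, key=lambda s: (s.width(), s.name))
```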

 

 


FortiSandbox Cluster

Example configuration
This example shows the steps for setting up an HA cluster using three FortiSandbox 3000D units.
Step 1 - Prepare the hardware
The following hardware will be required:
- Nine cables for network connections
- Three 1/10 Gbps switches
- Three FortiSandbox 3000D units with proper power connections (units A, B, and C). The master and primary slaves should be on different power circuits.
Step 2 - Prepare the subnets
Prepare three subnets for your cluster (customize as needed):
- Switch A: 192.168.1.0/24: For system management.
  - Gateway address: 192.168.1.1
  - External management IP address: 192.168.1.99
- Switch B: 192.168.2.0/24: For internal cluster communications.
- Switch C: 192.168.3.0/24: For the outgoing port (port 3) on each unit.
  - Gateway address: 192.168.3.1
Step 3 - Set up the physical connections
1. Connect port 1 of each FortiSandbox device to Switch A.
2. Connect port 2 of each FortiSandbox device to Switch B.
3. Connect port 3 of each FortiSandbox device to Switch C.
Step 4 - Configure the master
1. Power on the device (Unit A), and log into the CLI (see Connecting to the Command Line Interface on page 11).
2. Configure the port IP addresses and gateway address with the following commands:
set port1-ip 192.168.1.99/24
set port2-ip 192.168.2.99/24
set port3-ip 192.168.3.99/24
set default-gw 192.168.3.1
3. Configure the device as the master node with the following commands:
hc-settings -s -tM -nMasterA -cTestHCsystem -ppassw0rd -iport2
hc-settings -l
See Appendix A - CLI Reference on page 163 for more information about the CLI commands.
4. Review the cluster status with the following command:
hc-status -l
Other ports on the device can be used for file inputs.
Step 5 - Configure the primary slave
1. Power on the device (Unit B), and log into the CLI.
2. Configure the port IP addresses and gateway address with the following commands:
set port1-ip 192.168.1.100/24
set port2-ip 192.168.2.100/24
set port3-ip 192.168.3.100/24
set default-gw 192.168.3.1
3. Configure the device as the primary slave node with the following commands:
hc-settings -s -tP -nPslaveB -iport2
hc-settings -l
hc-slave -a -s192.168.2.99 -ppassw0rd
4. Review the cluster status with the following command:
hc-status -l
Step 6 - Configure the normal slave
1. Power on the device (Unit C), and log into the CLI.
2. Configure the port IP addresses and gateway address with the following commands:
set port1-ip 192.168.1.101/24
set port2-ip 192.168.2.101/24
set port3-ip 192.168.3.101/24
set default-gw 192.168.3.1
3. Configure the device as a slave node with the following commands:
hc-settings -s -tR -nSlaveC -iport2
hc-settings -l
hc-slave -a -s192.168.2.99 -ppassw0rd
4. Review the cluster status with the following command:
hc-status -l
Step 7 - Configure other settings
Configure required settings, such as other static routes if you need to access the HA cluster through a router, and scan profiles for malware detection. All configuration can only be done on the master device.
Step 8 - Finish
The HA cluster can now be treated like a single, extremely powerful standalone FortiSandbox unit.

 

In this example, files are submitted to, and reports and logs are available over IP address 192.168.1.99.

 

 


FortiAuthenticator FSSO configuration

Authentication > Remote Auth. Servers > LDAP
 
Fortinet SSO Methods > SSO > General
 
Fortinet SSO Methods > SSO > Domain Controllers
 
Fortinet SSO Methods > SSO > Syslog Sources
 
Syslog WLC Parse
Trigger: enterprise=1.3.6.1.4.1.9.9.599.0.4
Logon: enterprise=1.3.6.1.4.1.9.9.599.0.4
Logoff: 
Username field: 1.3.6.1.4.1.9.9.599.1.3.1.1.27.0={{:username}}, / 1.3.6.1.4.1.9.9.599.1.2.1.0={{:username}},
Client IP field: 1.3.6.1.4.1.9.9.599.1.3.1.1.10.0={{:client_ip}},
Group field: 1.3.6.1.4.1.9.9.599.1.3.1.1.28.0={{:group}} / 1.3.6.1.4.1.9.9.599.1.2.2.0={{:group}}
 
Fortinet SSO Methods > SSO > FortiGate Filtering
 
 
 
 
 
Syslog Sample
2015-12-11 10:44:53    Local7.Debug    10.0.56.4    community=dic, enterprise=1.3.6.1.4.1.9.9.599.0.4, uptime=1265877000, agent_ip=10.14.4.5, 1.3.6.1.4.1.9.9.599.1.3.1.1.1.0="Hex String=F0 F6 1C 4D A7 96", 1.3.6.1.4.1.9.9.513.1.1.1.1.5.0=YH_1602_AP_11F_6, 1.3.6.1.4.1.9.9.599.1.3.1.1.8.0="Hex String=1C 1D 86 CF BA 00", 1.3.6.1.4.1.9.9.513.1.2.1.1.1.0=1, 1.3.6.1.4.1.9.9.599.1.3.1.1.10.0=172.20.20.12, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=T070415, 1.3.6.1.4.1.9.9.599.1.3.1.1.28.0=DaelimWifi
 

 

2015-12-29 14:20:14 Local7.Debug 10.0.56.4 community=dic, enterprise=1.3.6.1.4.1.9.9.599.0.4, uptime=2635334200, agent_ip=10.14.4.6, 1.3.6.1.4.1.9.9.599.1.3.1.1.1.0="Hex String=F0 F6 1C 4D A7 96", 1.3.6.1.4.1.9.9.513.1.1.1.1.5.0=SS_1142_AP_5F_5, 1.3.6.1.4.1.9.9.599.1.3.1.1.8.0="Hex String=08 17 35 C6 2E F0",1.3.6.1.4.1.9.9.513.1.2.1.1.1.0=1, 1.3.6.1.4.1.9.9.599.1.3.1.1.10.0=172.20.20.12, 1.3.6.1.4.1.9.9.599.1.2.1.0=T070415, 1.3.6.1.4.1.9.9.599.1.2.2.0=DaelimWifi 
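The parse rules above applied in Python, as an added example (not FortiAuthenticator's code): the trigger OID gates the line, and username and group are taken from whichever of the two alternative OIDs is present, which is why both sample lines yield the same logon even though the WLC used different OIDs in each. The sample lines are the two from the page.

```python
import re

# The two sample syslog lines from the page (SNMP traps relayed as syslog by the WLC)
SAMPLE_LOGS = [
    '2015-12-11 10:44:53    Local7.Debug    10.0.56.4    community=dic, enterprise=1.3.6.1.4.1.9.9.599.0.4, uptime=1265877000, agent_ip=10.14.4.5, 1.3.6.1.4.1.9.9.599.1.3.1.1.1.0="Hex String=F0 F6 1C 4D A7 96", 1.3.6.1.4.1.9.9.513.1.1.1.1.5.0=YH_1602_AP_11F_6, 1.3.6.1.4.1.9.9.599.1.3.1.1.8.0="Hex String=1C 1D 86 CF BA 00", 1.3.6.1.4.1.9.9.513.1.2.1.1.1.0=1, 1.3.6.1.4.1.9.9.599.1.3.1.1.10.0=172.20.20.12, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=T070415, 1.3.6.1.4.1.9.9.599.1.3.1.1.28.0=DaelimWifi',
    '2015-12-29 14:20:14 Local7.Debug 10.0.56.4 community=dic, enterprise=1.3.6.1.4.1.9.9.599.0.4, uptime=2635334200, agent_ip=10.14.4.6, 1.3.6.1.4.1.9.9.599.1.3.1.1.1.0="Hex String=F0 F6 1C 4D A7 96", 1.3.6.1.4.1.9.9.513.1.1.1.1.5.0=SS_1142_AP_5F_5, 1.3.6.1.4.1.9.9.599.1.3.1.1.8.0="Hex String=08 17 35 C6 2E F0",1.3.6.1.4.1.9.9.513.1.2.1.1.1.0=1, 1.3.6.1.4.1.9.9.599.1.3.1.1.10.0=172.20.20.12, 1.3.6.1.4.1.9.9.599.1.2.1.0=T070415, 1.3.6.1.4.1.9.9.599.1.2.2.0=DaelimWifi ',
]

# The parse rules from the "Syslog WLC Parse" section: the trigger OID and, per field,
# the OIDs tried in order (the page lists two alternatives for username and group)
TRIGGER_OID = "1.3.6.1.4.1.9.9.599.0.4"
FIELD_RULES = {
    "username": ["1.3.6.1.4.1.9.9.599.1.3.1.1.27.0", "1.3.6.1.4.1.9.9.599.1.2.1.0"],
    "client_ip": ["1.3.6.1.4.1.9.9.599.1.3.1.1.10.0"],
    "group": ["1.3.6.1.4.1.9.9.599.1.3.1.1.28.0", "1.3.6.1.4.1.9.9.599.1.2.2.0"],
}

# key=value pairs separated by commas; quoted values may themselves contain '=' and spaces
KV_RE = re.compile(r'([\w.]+)=("[^"]*"|[^,]+)')

def parse_trap_fields(line):
    """Return the key=value part of one syslog line as a dict (quotes stripped)."""
    return {k: v.strip().strip('"') for k, v in KV_RE.findall(line)}

def extract_logon(line):
    """Return {username, client_ip, group} for a logon trap, or None if the line does not qualify."""
    fields = parse_trap_fields(line)
    if fields.get("enterprise") != TRIGGER_OID:
        return None
    event = {}
    for name, oids in FIELD_RULES.items():
        value = next((fields[o] for o in oids if o in fields), None)
        if value is None:
            return None  # a required field is absent under every alternative OID: unparsed
        event[name] = value
    return event

def logons_from_syslog(lines):
    """Apply the rules to a batch of lines and keep only the ones that produced a logon."""
    return [e for e in (extract_logon(l) for l in lines) if e]
```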

 

 


FortiSandbox VM package

1. Install Microsoft Windows VM package 
 
If the unit does not have the Microsoft Windows VM package installed, it can be installed manually.
To manually download the package:
1. FSA-1000D, FSA-3000D, and FSA-VM models: download the package from ftp://fsavm.fortinet.net/general/image/2.0.0/2015022118_vm.pkg.7z
Users can also try or purchase, then download and install, extra Android, Windows 8.1 and Windows 10 image packages. These packages can be downloaded from:
Android: download the package from ftp://fsavm.fortinet.net/images/v2.00/AndroidVM.pkg.7z
Windows 8.1: download the package from ftp://fsavm.fortinet.net/images/v2.00/WIN81VM.pkg.7z
Windows 10: download the package from ftp://fsavm.fortinet.net/images/v2.00/WIN10VM.pkg.7z
MD5 file: download from ftp://fsavm.fortinet.net/images/v2.00/md5.txt
2. Put the package on a host that supports file copy with the SCP or FTP command. The FortiSandbox must be able to access the SCP or FTP server.
3. In a console window, enter the following command string to download and install the package:
fw-upgrade -v -s<SCP/FTP server IP address> -u<user name> -p<password> -t<ftp|scp> -f<file path>
 
2. Install the Microsoft Office license file 
 
1. If the unit has no Office license file installed, download the Microsoft Office license file from the Fortinet Customer Service & Support portal.
2. Log into the FortiSandbox and go to System > Dashboard. In the System Information widget, click the Upload License link next to Microsoft Office. The Microsoft Office License Upload page is displayed. Browse to the license file on the management computer and select the Submit button. The system will reboot.
3. The Microsoft Office license must be activated against the Microsoft activation server. This is done automatically after a system reboot. To ensure the activation is successful, port3 must be able to access the Internet and the DNS servers should be able to resolve the Microsoft activation servers.
 
3. Install Windows 8.1 or Windows 10 license files 
 
1. If you have purchased Windows 8.1 or Windows 10 support, download the Windows license file from the Fortinet Customer Service & Support portal.
2. Log into FortiSandbox and go to System > Dashboard. In the System Information widget, click the Upload License link next to the Windows VM field. The Microsoft VM License Upload page is displayed. Browse to the license file on the management computer and click the Submit button. The system will reboot.
3. The Microsoft Windows license must be activated against the Microsoft activation server. This is done automatically after a system reboot. To ensure the activation is successful, port3 must be able to access the Internet and the DNS servers should be able to resolve the Microsoft activation servers. Network configuration for port3 can be done on the Scan Policy > General page.

 

 

 
C:\Program Files (x86)\OpenSSL-Win64\bin>openssl genrsa -des3 -out nicscaprivatekey.key 2048
C:\Program Files (x86)\OpenSSL-Win64\bin>openssl req -new -x509 -days 3650 -extensions v3_ca -key nicscaprivatekey.key -out nicssslca.crt
 
Certificate and key generation completed (2 files created)
nicscaprivatekey.key
nicssslca.crt
 
FortiGate > System > Certificates > Import > Local Certificate
 
Select Certificate
 
Select the certificate file and the key file
 
Confirm the new SSL certificate has been added
 
Create the deep-inspection profile
 
Install the certificate on the client PC
 
Verify the SHA256 fingerprint
 
FortiGate Policy
 
Example of blocking a client application with application control
 

 
