Step 1 - Configure the master
1. Configure the port IP addresses and gateway address with the following commands:
set port1-ip 192.168.1.99/24
set port2-ip 192.168.2.99/24
set port3-ip 192.168.3.99/24
set default-gw 192.168.1.1
2. Configure the device as the master node and its cluster fail-over IP for Port1 with the following commands:
hc-settings -sc -tM -nMasterA -cTestHCsystem -ppassw0rd -iport2
hc-settings -si -iport1 -a192.168.1.98/24
See Appendix A - CLI Reference on page 1 for more information about the CLI commands.
3. Review the cluster status with the following command:
hc-status -l
Other ports on the device can be used for file inputs.
Step 2 - Configure the primary slave
1. Configure the port IP addresses and gateway address with the following commands:
set port1-ip 192.168.1.100/24
set port2-ip 192.168.2.100/24
set port3-ip 192.168.3.100/24
set default-gw 192.168.1.1
2. Configure the device as the primary slave node with the following commands:
hc-settings -s -tP -nPslaveB -iport2
hc-settings -l
hc-slave -a -s192.168.2.99 -ppassw0rd
3. Review the cluster status with the following command:
hc-status -l
Step 3 - Configure the normal slave
1. Configure the port IP addresses and gateway address with the following commands:
set port1-ip 192.168.1.101/24
set port2-ip 192.168.2.101/24
set port3-ip 192.168.3.101/24
set default-gw 192.168.1.1
2. Configure the device as a slave node with the following commands:
hc-settings -s -tR -nSlaveC -iport2
hc-settings -l
hc-slave -a -s192.168.2.99 -ppassw0rd
3. Review the cluster status with the following command:
hc-status -l
This is a custom VM with Hangul (HWP) word processor support.
http://fsavm.fortinet.net/WIN7X86VM_HWP.pkg.7z
Download the file, place it on an FTP server, and upload it with fw-upgrade as shown below.
>fw-upgrade -l -v -tftp -s192.168.200.100 -uadmin -padmin -f/VM/WIN7X86VM_HWP.pkg.7z
Uploading the base package
>fw-upgrade -l -v -tftp -sfsavm.fortinet.net -uanonymous -f/general/image/2.0.0/2015022118_vm.pkg.7z
ftp://fsavm.fortinet.net/general/image/2.0.0/2015022118_vm.pkg.7z
Uploading the custom package
> vm-customized -cn -tftp -s10.10.11.111 -uadmin -padmin1 -f/V5Win7EntSP1x64.vdi -oWindows7_64 -vCustHWP7
> vm-customized -cn -tftp -s192.168.234.223 -unicstech -pnics00 -f/V5Win7ProSP1x86/V5Win7ProSP1x86.vdi -k344ADE788168B08581349D71C8299AFA -voWindows7 -vnCustHWP
Uploading the meta file
> vm-customized -cf -tftp -s10.10.11.111 -uadmin -padmin1 -f/metafile.txt -vCustWin7-32
--2016-09-29 17:33:09-- ftp://10.10.11.111/metafile.txt
=> '/drive0/tmp/customizedvm.meta.tmp'
Connecting to 10.10.11.111:21... connected.
Logging in as admin ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD not needed.
==> SIZE metafile.txt ... 108
==> PASV ... done. ==> RETR metafile.txt ... done.
Length: 108 (unauthoritative)
metafile.txt 100%[=============================================================================>] 108 --.-KB/s in 0.002s
2016-09-29 17:33:09 (43.7 KB/s) - '/drive0/tmp/customizedvm.meta.tmp' saved [108]
>
Meta file
File name: metafile.txt
HWP NEO Viewer
Visual C++ Redistributor 2013
.NET Framework 4.0
Adobe Flash Player 22.0
Alzip 10.5
Fortinet EUC-KR Korean language support settings
CLI>
config system appearance
set fallback-charset EUC-KR
end
Setting the spam score to 96
CLI>
config antispam deepheader-analysis
set confidence 96.000000
set greyscale-level 7
end
## Dynamic source NAT without changing the source port (one-to-one source NAT)
# Problem
Some protocols or services will only function if they use a specific source port, or a source port that does not change. Normally source NAT changes the source port to allow multiple simultaneous sessions.
# Solution
You can select the fixed port option to restrict the FortiGate unit to not translate the source port. This results in a one-to-one NAT configuration. One-to-one NAT limits the number of simultaneous sessions that are supported because one variable for tracking sessions (the source port number) is no longer available. To allow more sessions, one-to-one NAT is normally used with multiple external IPs added to an IP pool.
In this example, you enable one-to-one NAT by enabling the fixed port option in a security policy and adding an IP pool containing three IP addresses: 172.20.120.[13-15]. The fixed port option is enabled from the CLI so this entire example is configured from the CLI.
1 Enter the following command to add the IP pool:
config firewall ippool
edit Dynamic-Source
set startip 172.20.120.13
set endip 172.20.120.15
end
2 Enter the following command to add a security policy that allows users on the private network to access the Internet.
config firewall policy
edit 0
set srcintf internal
set srcaddr all
set dstintf wan1
set dstaddr all
set schedule always
set service ANY
set action accept
set nat enable
set fixedport enable
set ippool enable
set poolname Dynamic-Source
end
If you edit this policy from the web‑based manager, you will notice that the Fixed Port option is visible and is selected.
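The session limit described above, as an added example that is not part of the original post and is not FortiOS code: a simplified Python model of source NAT session tracking with the three-address pool from this example. The internal client addresses, the destination 203.0.113.10, source port 5060 and the first-free allocation order are assumptions made for illustration.

```python
from ipaddress import ip_address

# IP pool from the example above: 172.20.120.13 - 172.20.120.15
POOL = [str(ip_address("172.20.120.13") + i) for i in range(3)]

class SourceNat:
    """Simplified model: a translated session must be unique per
    (external IP, external port, destination IP, destination port)."""

    def __init__(self, pool, fixed_port, port_range=(1024, 65535)):
        self.pool = pool
        self.fixed_port = fixed_port
        self.port_range = port_range
        self.sessions = {}  # translated 4-tuple -> original (src_ip, src_port)

    def open(self, src_ip, src_port, dst_ip, dst_port):
        """Return (ext_ip, ext_port), or None when no unique mapping is left."""
        if self.fixed_port:
            # Fixed port: the source port is kept, only the pool IP can vary.
            candidates = ((ip, src_port) for ip in self.pool)
        else:
            # Port translation: any free port on any pool IP can be used.
            lo, hi = self.port_range
            candidates = ((ip, p) for ip in self.pool for p in range(lo, hi + 1))
        for ext_ip, ext_port in candidates:
            key = (ext_ip, ext_port, dst_ip, dst_port)
            if key not in self.sessions:
                self.sessions[key] = (src_ip, src_port)
                return ext_ip, ext_port
        return None

def simulate(fixed_port, clients=5, src_port=5060, dst=("203.0.113.10", 5060)):
    """Constructed scenario: several internal hosts use the same source port
    towards the same destination at the same time."""
    nat = SourceNat(POOL, fixed_port)
    return [nat.open(f"192.168.1.{10 + i}", src_port, *dst) for i in range(clients)]

if __name__ == "__main__":
    print("fixed port :", simulate(True))
    print("translated :", simulate(False))
```

With the fixed port option, the fourth and fifth clients get no mapping because all three pool addresses already carry port 5060 to that destination; adding addresses to the pool is what raises the limit.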
Self Serve Spam
http://www.maysoft.com/selfservespam.nsf/dl
Type of Spam
https://www.securelist.com/en/threats/spam?chapter=88
Sample Spam Email
http://www.kevingunn.com/spam.htm
Fortigate SIP ALG / Fortinet SIP ALG
FortiOS has two features that can modify the SIP headers and SDP parameters. The first feature is called the “SIP Session Helper”. If you are experiencing one-way audio issues, disable this feature first, reboot your IP phone, then try making another call. If disabling the session helper does not work, disable the SIP ALG as well.
To disable the sip session helper:
1 Enter the following command to find the sip session helper entry in the session-helper list:
show system session-helper
edit 10
set name sip
set port 5060
set protocol 17
2 Enter the following command to delete session-helper list entry number 10 to disable the sip session helper:
config system session-helper
delete 10
end
To disable the SIP ALG:
There are typically two VOIP profiles on a factory-shipped Fortinet firewall. You may need to disable both profiles to fully stop the ALG.
config voip profile
edit VoIP_Pro_2
config sip
set status disable
end
end
See the Fortigate Technical documentation page for further details.
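One way to check a configuration backup for the two features above (an added example, not Fortinet's or the original post's code): the parser below walks FortiOS-style config text and reports any remaining sip session-helper entry and any VoIP profile whose SIP ALG is not disabled. The sample text, the profile name VoIP_Pro_1 and the rule that a profile without an explicit `set status disable` still has the ALG active are assumptions.

```python
# Constructed sample in FortiOS backup syntax; not taken from a real device.
SAMPLE = '''
config system session-helper
    edit 1
        set name pptp
        set port 1723
    next
    edit 10
        set name sip
        set port 5060
        set protocol 17
    next
end
config voip profile
    edit "VoIP_Pro_1"
        config sip
            set status disable
        end
    next
    edit "VoIP_Pro_2"
    next
end
'''
HELPER, VOIP = ("config", "system", "session-helper"), ("config", "voip", "profile")

def audit_sip(text):
    """Find sip session-helper entries and VoIP profiles whose SIP ALG is not disabled."""
    path, helpers, profiles = [], {}, {}
    for raw in text.splitlines():
        tok = tuple(t.strip('"') for t in raw.split())
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            path.append(tok)
            if tok[0] == "edit" and path[0] == VOIP and len(path) == 2:
                profiles[tok[1]] = "enable"  # assumption: no explicit status means enabled
        elif tok[0] == "next" and path and path[-1][0] == "edit":
            path.pop()
        elif tok[0] == "end":
            while path and path.pop()[0] == "edit":
                pass  # an "end" without "next" closes the open edit and its table
        elif tok[:2] == ("set", "name") and path[:1] == [HELPER] and len(path) == 2:
            helpers[path[1][1]] = tok[2]
        elif tok[:2] == ("set", "status") and path[:1] == [VOIP] and path[2:] == [("config", "sip")]:
            profiles[path[1][1]] = tok[2]
    return {"sip_helpers": [i for i, n in helpers.items() if n == "sip"],
            "sip_alg_active": [p for p, s in profiles.items() if s != "disable"]}
```

On the constructed sample, `audit_sip(SAMPLE)` reports session-helper entry 10 and profile VoIP_Pro_2 as still needing the changes described above.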
FortiAP Configuration
To enable the FortiAP using Zero Configuration:
1. After connecting the FortiAP unit as described in the previous chapter, the unit goes through its boot procedure and requests an IP address from the DHCP server.
2. If the IP address is retrieved successfully, the FortiAP enters discovery mode to locate a FortiGate or FortiWifi wireless controller. The discovery modes are:
• Broadcast
• Multicast
• DHCP option 138
3. Verify that the FortiAP has successfully connected to the controller.
In the FortiGate Web-based Manager, go to WiFi Controller > Managed Access Points > Managed FortiAP. A successfully discovered unit displays an orange circle with a question mark.
4. Select the access point and click Edit.
5. In the State field, select Authorize.
6. In the AP Profile field, select Change, then select a profile from the list and click OK.
The configuration is downloaded from the wireless controller to the FortiAP and the WiFi LED lights up.
To enable the FortiAP with a static IP address:
1. Connect the FortiAP device to a separate private switch or hub, or directly connect it to your management computer via a cross-over cable.
2. Configure the management computer to be on the same subnet as the internal interface of the FortiAP unit:
a. Browse to the Network and Sharing Center > Change Adapter Settings > Local Area Connection Properties > Internet Protocol Version 4 (TCP/IPv4) Properties.
b. Change the IP address of the management computer to 192.168.1.3 and the netmask to 255.255.255.0.
3. Use a Telnet application to connect to IP address 192.168.1.2.
4. Type admin in the Name field, leave the Password field blank, and press Enter.
5. Configure a static IP address for the FortiAP unit and netmask & gateway information for your network, using the following commands:
cfg -a ADDR_MODE=STATIC
cfg -a AP_IPADDR=xxx.xxx.xxx.xx
cfg -a AP_NETMASK=255.255.255.0
cfg -a IPGW=yyy.yyy.yyy.yyy
cfg -a AC_IPADDR_1=zzz.zzz.zzz.zzz
where xxx is the IP address of the FortiAP unit, yyy is the Gateway IP address and zzz is the IP address of the FortiGate Wireless Controller.
6. Save the configuration by typing the following command:
cfg -c
7. Unplug the FortiAP unit and plug it back in for the configuration to take effect.
8. Move the FortiAP to the intended deployment location and connect the Ethernet cable as described in the Connecting Your FortiAP Unit section.
9. Log in to the FortiGate controller Web-based Manager, and go to WiFi Controller > Managed Access Points > Managed FortiAP. A successfully discovered unit displays an orange circle with a question mark in the Status column.
10. Select the access point and click Edit.
11. In the State field, select Authorize.
12. In the Edit FortiAP dialog box, select Enable Wireless Radio. Leave the remaining settings at their default values. The configuration is downloaded from the FortiGate unit to the FortiAP device.
For more information, see the Deploying Wireless Networks Guide, available on Fortinet’s technical documentation website, http://docs.fortinet.com.