Administration Guide FortiGate Cloud 2.0 Beta 22.2 - AWS
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Administration Guide FortiGate Cloud 2.0 Beta 22.2
FORTINET DOCUMENT LIBRARY https://docs.fortinet.com FORTINET VIDEO GUIDE https://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT https://support.fortinet.com FORTINET TRAINING & CERTIFICATION PROGRAM https://www.fortinet.com/training-certification NSE INSTITUTE https://training.fortinet.com FORTIGUARD CENTER https://www.fortiguard.com END USER LICENSE AGREEMENT https://www.fortinet.com/doc/legal/EULA.pdf FEEDBACK Email: techdoc@fortinet.com May 27, 2022 FortiGate Cloud 2.0 22.2 Administration Guide 32-222-812118-20220527
TABLE OF CONTENTS
Change log 4
Introduction 5
Functions 5
Requirements 6
Getting started with FortiGate Cloud 2.0 7
License types 8
Dashboard 10
Inventory 11
Cloud provisioning 12
Accessing a FortiGate 14
Sandbox 16
Analytics 17
Reports 17
Reports reference 17
Audit Log 18
Configuration 19
FortiGate Cloud 2.0 22.2 Administration Guide 3
Fortinet Inc.
Change log
Date Change Description
2022-05-27 Initial release.
FortiGate Cloud 2.0 22.2 Administration Guide 4
Fortinet Inc.
Introduction
FortiGate Cloud is a cloud-based SaaS offering a range of management, reporting, and analytics for FortiGate next
generation firewalls. FortiGate Cloud 2.0 is the latest version, which includes various user experience and feature
enhancements.
FortiGate Cloud 2.0 provides the following features:
l Centralized dashboard with widgets to view Fortinet Security Fabric devices, health, licenses, and other information
l Real-time FortiOS configuration management
l Centralized logging, analytics, and reports powered by FortiAnalyzer Cloud backend
l Ability to create and schedule a full range of reports
l FortiCloud account support, including multifactor authentication and user management based on FortiCloud Identity
and Access Management
l Read-only configuration views based on user role or subscription
l Audit logs to view user actions
You can upgrade your FortiGate Cloud environment to FortiGate Cloud 2.0.
FortiGate Cloud 2.0 does not support multitenancy-enabled accounts.
See Upgrading to FortiGate Cloud 2.0 for details.
Functions
FortiGate Cloud 2.0 has the following functions:
Function Description
Centralized dashboards Network overview dashboard includes widgets for the status of Fortinet Security
Fabric devices, device health, licenses, Sandbox, and other information.
Customizable status, network, and security widgets plus real-time monitors for
each FortiGate.
Inventory Device inventory as list or on map with diagnostic health, network statistics, and
license information.
Device management Real-time FortiGate configuration management from the cloud to configure your
network interfaces, SD-WAN, firewall policies, security profiles, VPN, and
Security Fabric.
Log analysis Real-time traffic, events, system logs for network activity, and threat analysis.
Centralized reports Generate on-demand reports or schedule and get predefined reports delivered at
intervals for network analytics and monitor usage patterns.
Firmware upgrade Remotely upgrade FortiOS on FortiGate devices.
FortiGate Cloud 2.0 22.2 Administration Guide 5
Fortinet Inc.Introduction
Function Description
AP, FortiSwitch, and l Manage FortiAPs, AP profiles, SSIDs, and monitor WiFi clients and NAC
FortiExtender management via policies
FortiGate l Manage FortiSwitches, VLANs, ports, and policies
l Manage FortiExtenders, profiles, and data plans
Cloud Sandbox Upload and analyze files that FortiGate antivirus (AV) marks as suspicious.
Indicators of Compromise (IOC) Alerts on newly found infections and threats to devices in the network
Regions FortiGate Cloud includes the Global (Canada), Europe (Germany), and APAC
(Japan) regions.
FortiGate Cloud Sandbox includes the Global, Europe, U.S., and Japan regions.
Requirements
You can only access FortiGate Cloud 2.0 by upgrading an existing FortiGate Cloud environment. Before upgrading to
FortiGate Cloud 2.0, you must upgrade all FortiGates with a subscription to FortiOS 7.0.2 or a later version.
Requirement Description
FortiCloud account Create a FortiCloud account if you do not have one. Launching FortiGate Cloud requires a
FortiCloud account. A FortiCloud account administrator can add Identity and Access
Management users to the access the account with admin or read-only roles. If you are using a
legacy FortiGate Cloud account, merging your account to your FortiCloud account is
recommended.
FortiGate/FortiWifi You must register all FortiGate/FortiWifi devices on FortiCloud.
license
FortiGate Cloud Purchase FortiGate Cloud licenses from Fortinet.
entitlement
Internet access You must have Internet access to create a FortiGate Cloud instance and to enable devices to
communicate with and periodically send logs to FortiGate Cloud.
Browser FortiGate Cloud supports Firefox, Chrome, and Edge.
The following table lists port numbers that outbound traffic requires. On request, Fortinet can supply the destination IP
addresses to add to an outbound policy, if required.
Purpose Protocol Port
Syslog, registration, quarantine, log, and report TCP 443
OFTP TCP 514
Management TCP 541
Contract validation TCP 443
Config portal TCP 8443
FortiGate Cloud 2.0 22.2 Administration Guide 6
Fortinet Inc.Introduction
Getting started with FortiGate Cloud 2.0
After upgrading to FortiGate Cloud 2.0, go to https://fortigate.forticloud.com to access FortiGate Cloud 2.0.
After you log in, the FortiGate Cloud 2.0 portal displays the Dashboard > Devices page. You can switch regions and
access FortiGate Cloud 2.0 documentation from the ? icon on the FortiCloud banner at the top of the page.
The Dashboard > Devices page displays a variety of widgets. The widgets provide information about the devices that
your FortiGate Cloud 2.0 is managing, such as how many FortiGates have subscriptions, and the current FortiSandbox
URL threat database version.
From the banner, you can access options including the following:
Option Description
FortiGate quick selection menu Select a FortiGate from the dropdown list to access it. See Accessing a FortiGate
on page 14.
Menu icon Use the menu icon to collapse or display the left pane, which displays other
configuration options.
Services Access another Fortinet service.
Support Access Fortinet support options, such as contacting the Fortinet support team.
Region selection Select another region to access FortiGate Cloud 2.0 in.
Light/dark mode Toggle between light and dark modes for displaying FortiGate Cloud 2.0.
Documentation link Access FortiGate Cloud documentation.
User menu dropdown Displays the current logged in user. You can use the dropdown list to switch
accounts or view account settings.
From the left pane, you can access other options including inventory, Sandbox, analytics, and configuration features.
The following describes the portal options available from the left pane:
FortiGate Cloud 2.0 22.2 Administration Guide 7
Fortinet Inc.Introduction
Option Description
Dashboard Dashboard displays a variety of widgets. The widgets provide information about
the devices that your FortiGate Cloud 2.0 is managing.
Inventory View a centralized inventory of all FortiGate and FortiWifi devices. See Inventory
on page 11.
Sandbox View the scan results from files that Sandbox submitted to FortiGuard for threat
analysis. See Sandbox on page 16.
Analytics Create and alter report configurations and their settings. These report
configurations are available for all deployed devices. You can also view the Audit
Log. See Analytics on page 17.
Configuration Manage FortiGate Cloud 2.0 account and Sandbox settings. See Configuration
on page 19.
License types
You can use FortiGate Cloud 2.0 with a free or paid subscription.
You do not need a support contract to enable the service. However, you must register each
device on the Fortinet Support site. You cannot enable FortiGate Cloud 2.0 without registering
each device in your network.
You can enjoy the free subscription of FortiGate Cloud 2.0 on any FortiGate or FortiWifi device, or purchase an annual-
subscription-based license with a one-, two-, or three-year service term. FortiGate Cloud 2.0 requires the account to
have at least one device with an annual subscription-based license. For devices without a subscription, FortiGate Cloud
2.0 supports read-only configuration view.
To activate FortiGate Cloud 2.0, you must acquire a subscription license based on the SKUs listed in the following table:
Description SKU
FortiGate Cloud 2.0 management, analysis, and one-year log retention
FortiGate and FortiWifi FC-10-00XXX-131-02-DD
FortiGate Cloud 2.0 IOC (Indicator of Compromise)
FortiGate 20 to 90 models FC-10-90803-142-02-12
FortiGate 100 to 300 models FC-10-90804-142-02-12
Other services
FortiDeploy access FDP-SINGLE-USE
You must purchase a subscription for each FortiGate in a high availability (HA) cluster. FortiGate Cloud 2.0 handles each
device separately regardless of configuration. FortiGate Cloud 2.0 accepts inbound logs from each device independently
and cannot detect whether connected devices are in an HA cluster. Though multiple HA clustered devices theoretically
FortiGate Cloud 2.0 22.2 Administration Guide 8
Fortinet Inc.Introduction send identical logs to FortiGate Cloud 2.0, if one device stops logging or cannot reach FortiGate Cloud 2.0, the other devices do not send logs on its behalf. The Cloud Sandbox feature has paid and free tiers. For devices with a paid Cloud Sandbox license, FortiGate Cloud supports 365 days of records and file submission limits, based on the model. For the free tier, FortiGate Cloud supports limited file submissions (100 per day/2 per minute) and up to seven days of records for FortiGates running FortiOS 6.2 and earlier versions. For pricing information, contact your Fortinet partner or reseller. FortiGate Cloud 2.0 reserves the right to impose limits upon detection of abnormal or excessive traffic originating from a certain device and perform preventive measures including blocking the device and restricting log data. FortiGate Cloud 2.0 22.2 Administration Guide 9 Fortinet Inc.
Dashboard
You see the Dashboard > Devices page when you first open the FortiGate Cloud 2.0 interface. The widgets provide
information about the devices that your FortiGate Cloud 2.0 is managing, such as how many FortiGates have
subscriptions, and the current FortiSandbox URL threat database version.
The page contains the following widgets:
Widget Description
FortiGate Licenses Displays how many FortiGates have a subscription applied, and how many do
not.
Fabric Device Overview Displays the platforms for the Fortinet Security Fabric devices connected to
FortiGate Cloud 2.0.
Device Health Displays tunnel uptime and CPU usage stats for the connected FortiGates.
FortiSandbox System Status Displays the database versions and last updated dates for the dynamic malware
and URL threat databases.
Top FortiSandbox File Types Displays the most commonly analyzed file types in the last 24 hours of scanning.
(Last 24 Hours)
FortiSandbox Scan Results (Last Shows the last seven days of results and their risk levels.
7 Days)
For most widgets, you can click in to a section of the widget's displayed chart to view more details. For example, for the
FortiGate Licenses widget, you can click the green portion of the donut chart, which represents the FortiGates that have
a subscription. FortiGate Cloud 2.0 then displays the Inventory > Asset List filtered to only display FortiGates that have a
subscription.
FortiGate Cloud 2.0 22.2 Administration Guide 10
Fortinet Inc.Inventory
Inventory > Asset List displays a centralized inventory of all FortiGate and FortiWifi devices from all FortiGate Cloud 2.0
instances in a domain group, regardless of region. For example, if you are accessing Inventory from the European
region, you see the region of a connected FortiGate Cloud 2.0 instance from the global region.
For instructions on deploying a FortiGate to FortiGate Cloud 2.0, see Cloud provisioning on page 12.
You can view the device CPU and memory usage under the Diagnostics column. The Asset List page provides the
following information about devices. Asset List displays the following device information:
l Serial number
l Fortinet product type
l Firmware version
l Tunnel status (If the device is connected through a management tunnel)
l Diagnostics (device CPU and memory usage)
l Subscription status
l Configuration save mode. See Using configuration save mode.
You can select go to Inventory > Map to view the device list as a map. This allows you to see the geographic location of
the deployed devices. The left panel displays a list of FortiGates that includes similar information as you can find in Asset
List. You can click the Locate on map icon for each device to zoom in to the device's location on the map. You can zoom
in and out on the map using the + and - buttons in the lower right corner of the map. To return the map to the global view,
click Reset map.
FortiGate Cloud 2.0 22.2 Administration Guide 11
Fortinet Inc.Inventory
Cloud provisioning
Cloud provisioning or deployment is the mechanism to connect a FortiGate to FortiGate Cloud 2.0 and configure it for
cloud management and logging. You can provision a FortiGate to FortiGate Cloud 2.0 using one of the following
methods:
l FortiCloud key
l FortiOS GUI
After provisioning a FortiGate to FortiGate Cloud 2.0 using one of the methods described, complete basic configuration
by doing the following:
1. Create a firewall policy with logging enabled. Configure log uploading if necessary.
2. Log in to FortiGate Cloud 2.0 using your FortiCloud account.
For FortiGates that are part of a high availability (HA) pair, you must activate FortiGate Cloud
2.0 on the primary FortiGate. Activate FortiGate Cloud 2.0 on the primary FortiGate as To
provision a FortiGate/FortiWifi to FortiGate Cloud 2.0 in the FortiOS GUI: on page 13
describes. FortiGate Cloud 2.0 activation on the primary FortiGate activates FortiGate Cloud
2.0 on the secondary FortiGate. Local FortiGate Cloud 2.0 activation on the secondary
FortiGate will fail.
FortiGate Cloud 2.0 22.2 Administration Guide 12
Fortinet Inc.Inventory
To provision a FortiGate/FortiWifi to FortiGate Cloud 2.0 using the FortiCloud key:
1. Log in to the FortiGate Cloud 2.0 portal.
2. Go to Inventory, then click Import FortiGate.
3. In the FortiGate Cloud Key field, enter the key printed on your FortiGate.
4. From the Select Display Timezone for Device dropdown list, select the desired time zone.
5. Click Submit.
After the device is successfully deployed, the device key becomes invalid. You can only
use the key once to deploy a device.
To provision a FortiGate/FortiWifi to FortiGate Cloud 2.0 in the FortiOS GUI:
1. In the FortiCloud portal, ensure that you have a product entitlement for FortiGate Cloud for the desired FortiGate or
FortiWifi.
2. In FortiOS, in the Dashboard, in the FortiGate Cloud widget, the Status displays as Not Activated. Click Not
Activated.
3. Click the Activate button.
4. In the Activate FortiGate Cloud panel, the Email field is already populated with the FortiCloud account that this
FortiGate is registered to.
5. In the Password field, enter the password associated with the FortiCloud account.
6. Enable Send logs to FortiGate Cloud. Click OK.
7. This should have automatically enabled Cloud Logging. Ensure that Cloud Logging was enabled. If it was not
enabled, go to Security Fabric > Fabric Connectors > Cloud Logging, enable it, then set Type to FortiGate Cloud.
8. You must set the central management setting to FortiCloud, as this is the initial requirement for enabling device
management features.
To configure a ForiGate-VM for FortiGate Cloud 2.0:
FortiGate-VMs require additional configuration to ensure that they function with FortiGate Cloud 2.0. Run the following
commands in the FortiOS CLI:
config system fortiguard
unset update-server-location
end
FortiGate Cloud 2.0 22.2 Administration Guide 13
Fortinet Inc.Inventory
Accessing a FortiGate
You can access the remote device's management interface to configure major features as if you were accessing the
device itself. For descriptions of the configuration options, see the FortiOS documentation.
For devices with a subscription that are have been upgraded to FortiOS 7.0.2 or a later version, you have full access to
configure features. For devices without a subscription, you have a read-only view of the configuration.
To remotely access and configure a FortiGate:
1. Do one of the following:
a. In the upper left corner, click the FortiGate Cloud dropdown list and select the desired FortiGate.
b. Go to Inventory > Asset List. Select the desired FortiGate, then click Remote Access.
2. If the FortiGate does not have a subscription, FortiGate Cloud 2.0 displays a warning that you will have read-only
access. Click OK.
3. FortiGate Cloud 2.0 displays the FortiOS interface in the current browser window. You do not need to enter
credentials to log in to the FortiGate. View and make changes as desired. The following shows the FortiOS GUI as
shown in FortiGate Cloud 2.0, in light and dark modes:
FortiGate Cloud 2.0 22.2 Administration Guide 14
Fortinet Inc.Inventory
4. Return to FortiGate Cloud 2.0 using the icons on the left pane.
FortiGate Cloud 2.0 22.2 Administration Guide 15
Fortinet Inc.Sandbox
Sandbox is a service that uploads and analyzes files that FortiGate antivirus (AV) marks as suspicious.
In a proxy-based AV profile on a FortiGate, the administrator configures Send files to FortiSandbox for inspection to
enable a FortiGate to upload suspicious files to FortiSandbox for analysis. Once uploaded, the file is executed and the
resulting behavior analyzed for risk. If the file exhibits risky behavior or is found to contain a virus, a new virus signature
is created and added to the FortiGuard AV signature database. The next time the FortiGate updates its AV database it
has the new signature. The turnaround time on Cloud SandBoxing and AV submission ranges from ten minutes for
automated Sandbox detection to ten hours if FortiGuard Labs is involved.
FortiGuard Labs considers a file suspicious if it exhibits some unusual behavior, yet does not contain a known virus. The
behaviors that FortiGate Cloud 2.0 Analytics considers suspicious change depending on the current threat climate and
other factors.
The FortiGate Cloud 2.0 console enables administrators to view the status of any suspicious files uploaded: pending,
clean, malware, or unknown. The console also provides data on time, user, and location of the infected file for forensic
analysis. Sandboxing is available in both free and paid FortiGate Cloud 2.0 subscriptions.
The Sandbox tab collects information that the Cloud Sandbox service compiles. Cloud Sandbox submits files to
FortiGuard for threat analysis. You can configure your use of the service and view analyzed files' results.
FortiGate Cloud Sandbox regions include Global, Europe, U.S., and Japan.
To set up Sandbox:
1. Complete the FortiGate Cloud Sandbox steps.
2. In Security Profiles > AntiVirus, create a profile that has Send files to FortiSandbox Cloud for inspection configured.
3. Create a firewall policy with logging enabled that uses the Sandbox-enabled AV profile.
4. Once devices have uploaded some files to Cloud Sandbox, log in to the FortiGate Cloud 2.0 portal to see the
results.
To upload a sample to Sandbox:
1. Go to Sandbox > Scan Results.
2. Click Upload Sample.
3. Browse to and select a file to upload, then click Submit. Once analysis completes, Scan Results displays the results.
FortiGate Cloud 2.0 22.2 Administration Guide 16
Fortinet Inc.Analytics
Analytics provide tools for monitoring and logging your device's traffic, providing you centralized oversight of traffic and
security events.
Reports
You can generate and view reports of specific traffic data. You can configure FortiGate Cloud 2.0 to generate reports at
scheduled times, and run reports on-demand as desired.
To schedule a report:
1. Go to Analytics > Scheduled Reports.
2. Select the desired report.
3. Click Edit Schedule to determine the range of time for which to generate the report. In the Generate report every,
Start time, and End time fields, configure the desired schedule for the report.
4. Click OK. FortiGate Cloud 2.0 generates the report as per the configured schedule. You can view these reports in
Analytics > Generated Reports.
To run a report on-demand:
1. Go to Analytics > Scheduled Reports.
2. Select the desired report, then click Run Report. FortiGate Cloud 2.0 generates the report. You can view these
reports in Analytics > Generated Reports.
Reports reference
The following provides descriptions of preconfigured reports:
Report Description
Application Risk and Control Application risk, categories, bandwidth by app, web categories, vulnerability
exploits, virus, botnet, adware malicious attacks, file transfers.
Bandwidth and Applications Traffic, bandwidth, sessions, destinations summaries by users and applications.
Report
Cyber-Bullying Indicators Report Offensive or threatening phrases, bad terms or phrases, as used in various social
media platforms and searches.
High Bandwidth Application Shows you applications that may affect network performance by using high
Usage bandwidth, allowing you to quickly pinpoint high bandwidth usage and violation of
corporate policies.
FortiGate Cloud 2.0 22.2 Administration Guide 17
Fortinet Inc.Analytics
Report Description
This report focuses on peer-to-peer applications (such as BitTorrent, Xunlei,
Gnutella, Filetopia), file sharing and storage applications (such as Onebox,
Google Drive, Dropbox, Apple Cloud), and voice/video applications (such as
YouTube, Skype, Spotify, Vimeo, Netflix).
You cannot edit this report.
Self-Harm and Risk Indicators Risky terms or phrases, as used in social media and searches.
Report
Cyber Threat Assessment Cyber threat review of application visibility and control, threat detection,
prevention, and recommended actions.
Security Events and Incidents Presents a brief summary of the events/incidents collected.
Summary
Threat Report Malware and botnets detected, victims, and sources. Intrusions detected,
sources, blocked severity, and timeline.
VPN Report VPN traffic, authenticated and failed user logins, and top VPN users. SSL VPN
tunnels and IPsec VPN, users, web mode by bandwidth and duration.
Web Usage Report Web usage requests, browsing and bandwidth summary. Top active users, sites
categories. Top bandwidth and most blocked.
Audit Log
The Audit Log displays a log of actions that users have performed on FortiGate Cloud 2.0. You can filter the page to only
view logs for actions for a certain date range, module, or action type. The log displays information for the following
modules:
Module Actions
Report Downloading, scheduling, and running reports
Remote Access Viewing and configuring a device via Remote Access
Sandbox Uploading files to Sandbox for analysis
The following information is available for each action. You can configure which columns display:
l Time when the action occurred
l User who completed the action
l Module that the action falls under
l Action type
l Subject that the action was performed on
l Other details as available
FortiGate Cloud 2.0 22.2 Administration Guide 18
Fortinet Inc.Configuration
In Configuration, you can configure the following settings.
To configure settings:
1. Go to Configuration > Account Settings.
2. From the Language dropdown list, select the desired language to display the GUI in.
3. Click Apply.
4. Go to Configuration > Sandbox Settings.
5. Configure the following settings:
Setting Description
Email Alerts
Alert status Toggle on the alert status feature to enable receiving alerts when Sandbox
scans files.
Admin email address Enter the desired email address to receive alerts.
Enable alerts for following You can enable alerts for when Sandbox scans and detects a file as Malware,
threat classifications High Risk, Medium Risk, and Low Risk.
Log Retention
Days to retain data Set number of days to retain log data.
6. Click OK.
FortiGate Cloud 2.0 22.2 Administration Guide 19
Fortinet Inc.www.fortinet.com Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
You can also read
