Sunday, September 12, 2021

Fortinet NTP Configuration

                                                            

For an accurate time, use an NTP server to set the system time. Synchronized time facilitates auditing and consistency between expiry dates used in the expiration of certificates and security protocols.

Basically, there are three-step you can follow:-

Configure the correct time zone.
One can also configure custom NTP servers that the FortiGate will use to synchronize its own time.

From GUI you can add a maximum of 1 server but from CLI you can add up to 2.

From the GUI go to System > Settings > System Time and select Synchronize with NTP Server

By default, this causes FortiOS to synchronize with Fortinet's FortiGuard secure NTP server.

For a custom NTP server, you have to add the below configuration.

This is only configurable from the CLI:

Fortigate-01#config system ntp

#set type custom
#set ntpsync enable
#config ntpserver
#edit 1
#set server <IP address or hostname>
##next
#edit 2
#set server <IP address or hostname>
#end

To verify the synchronization status from the FortiGate using “diag sys NTP status”.

Below is an example using FortiGuard servers as NTP source:

Fortinet-01 # diag sys NTP status
synchronized: yes, ntpsync: enabled, server-mode: enabled

Remote Access VPN - Fortinet

                      Remote Access VPN - Fortinet

In Remote Access VPN, Individual users are connected to the private network and It allows the technique to access the services and resources of that private network remotely. 

It is most suitable for business and home users. In remote access VPN, multiple users are allowed.

The remote access VPN does this by creating a tunnel between an organization’s network and a remote user that is “virtually private,” even though the user may be in a public location. This is because the traffic is encrypted, which makes it unintelligible to any eavesdropper.

Remote users can securely access and use their organization’s network in much the same way as they would if they were physically in the office. 

With remote access VPN, data can be transmitted without an organization having to worry about the communication being intercepted or tampered with.





Configuring the IPsec VPN


1. Add Radius Server 

In the radius server section, you have to add Primary/Secondary radius server IP with their respective secret keys. 




                                                                                                                                                      
2. Create User Group

In this, you have to link the radius to the group.





3. Add VPN Forticlient




If you Enable IPv4 Split Tunnel is not selected, so that all Internet traffic will go through the FortiGate.
If you do select Enable Split Tunneling, traffic not intended for the corporate network will not flow through the FortiGate or be subject to the corporate security profiles.



Save Password: This allows the user to save the VPN connection password in the console.

Auto Connect: When FortiClient is launched, the VPN connection will automatically connect.

Always Up (Keep Alive): When selected, the VPN connection is always up even when no data is being processed. If the connection fails, keep-alive packets sent to the FortiGate will sense when the VPN connection is available and re-connect.

After you create the tunnel, a summary page appears listing the objects which have been added to the FortiGate’s configuration by the wizard.

4. Creating a security policy

The IPsec wizard automatically created a security policy allowing IPsec VPN users to access the internal network.

However, if split tunneling is disabled, another policy must be created to allow users to access the Internet through FortiGate.

To create a new policy, go to Policy & Objects > IPv4 Policies and select Create New.

5. Configuring FortiClient

To add the VPN connection, open FortiClient, go to Remote Access and click Add a new connection.

Set the VPN to IPsec VPN and Remote Gateway to the FortiGate IP address.

Set Authentication Method to Pre-Shared Key and enter the key below.


                                  



6. Final Step to create User 

In this case, we are using local users.





Please add the user in that group which you have created initially.


Note:- All FortiGate appliances are bundled with 10 free licenses of managed Forticlient that performs 'Compliance Check'. If you go beyond 10, then an additional license must be purchased. However, if you are using Forticlient for the purpose of VPN alone, then you don't require an additional license.


Regards,

Siddharth

HTH

 

The pleasant morning wake up sounds get far if we don’t conserve birds and trees.








Fortinet NTP Configuration

                                                             For an accurate time, use an NTP server to set the system time. Synchronized ti...