[UPDATE 1] Decommissioned Cisco ASA 5506-X Firepower Firewall and Deployed Fortigate 60F Firewall for an Investment Company in Singapore on 8 July 2021 Thursday

Subject: [UPDATE 1] Decommissioned Cisco ASA 5506-X Firepower Firewall and Deployed Fortigate 60F Firewall for an Investment Company in Singapore on 8 July 2021 Thursday


Good day from Singapore,


On 8 July 2021 Thursday, between 2 PM and 5 PM Singapore time, I have decommissioned a Cisco ASA 5506-X Firepower Firewall and deployed/replaced it with Fortigate 60F firewall for an investment company in Singapore.


Configuration of the Fortigate 60F firewall appliance includes Duo 2FA integration and SSL VPN. You will also need to configure a RADIUS server on your Windows Server 2016/2019 in the same network as the Fortigate using Duo Authentication Proxy. No other RADIUS server is necessary.


The firmware of Fortigate 60F firewall has been upgraded to the latest version 7.0.0.


The most singular point about this Fortigate 60F firewall appliance deployment is that the SSL VPN uses Duo 2FA instead of Fortitokens. It is a rather unusual setup. You can read about Duo 2FA integration with Fortigate SSL VPN below.


Reference Guide: Fortinet FortiGate SSL VPN with RADIUS Auto Push

Link: https://duo.com/docs/fortinet


If your enterprise/business/corporate internet plan has a dynamic IP address, you need to configure FortiGuard Dynamic DNS (DDNS).


Reference Guide: DDNS

Link: https://docs.fortinet.com/document/fortigate/latest/administration-guide/685361/ddns


Before you can configure FortiGuard DDNS, you need to register your Fortigate firewall appliance at https://support.fortinet.com/ with the serial number and contract number.


To configure the SSL VPN tunnel, you need to read the following guide.


Reference Guide: Configuring the SSL VPN tunnel

Link: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/690301/configuring-the-ssl-vpn-tunnel


It is also mandatory to add firewall security policies otherwise your SSL VPN tunnel will not work.


Reference Guide: Adding security policies

Link: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/364638/adding-security-policies


In short, you will need to configure the following security policies on your Fortigate firewall:


(1) internal/LAN to WAN1 (otherwise known as outgoing internet access policy)


(2) allow SSL VPN tunnel to access your internal network


(3) allow SSL VPN tunnel to access the internet (optional)


The last one will be an IMPLICITY DENY security policy to block all incoming connections.


There are, of course, many other guides to follow but I will only list the above guides for now.


Single-handedly, I spent a few days (over a period of about 2 weeks) to configure this Fortigate 60F firewall appliance before actual day deployment on 8 July 2021 Thursday. On the day of deployment at our customer's site, it is just plug and play. The whole process was very smooth. There were no hiccups.


Fortigate firewall appliances are based on open source Linux. Sophos firewall appliances are also based on open source Linux. Cisco ASA firewall appliances are also based on open source Linux.


Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 9 July 2021, is a TARGETED INDIVIDUAL living in Singapore. He is an IT Consultant with a System Integrator (SI)/computer firm in Singapore. He is an IT enthusiast.





REFERENCES

==========


[1] https://marc.info/?l=netfilter&m=162583986807702&w=2

Comments

Post a Comment

Popular posts from this blog

[24 Mar 2022 Thursday] Erectile Dysfunction and Viagra

Image
Subject: [24 Mar 2022 Thursday] Erectile Dysfunction and Viagra I have erectile dysfunction due to taking medications for mental illness (schizophrenia). Without Viagra, my penis is soft like jelly most of the time. There is no way I can penetrate a woman’s vagina due to erectile dysfunction. Today is the very 1st time I am taking Viagra. It allows my penis to remain hard and fully erected for 2 solid hours during sexual intercourse. Thanks Viagra! I can finally have sex! I am already 44 years old. What am I missing out in life?????? Do I still qualify to be a Japanese Adult Video (JAV) porn star actor???????? Link:  https://m.facebook.com/story.php?story_fbid=10158113552827735&id=646397734
Read more

Patching Linux Kernel 5.5.7 to Add Support for AUFS Filesystem

Subject of Hint: Patching Linux Kernel 5.5.7 to Add Support for AUFS Filesystem ORIGINAL AUTHOR: JIMMY ANDERSON ORIGINAL DATE: 2013-01-20 EDITED BY: TURRITOPSIS DOHRNII TEO EN MING, SINGAPORE EDIT DATE: 15 MAR 2020 SUNDAY MANDATORY PREREQUISITES ======================= You *MUST* follow the guide/hint here first (COMPULSORY): http://lists.linuxfromscratch.org/pipermail/hints/2020-March/003334.html HINT ==== To obtain the aufs5 kernel patches, do the following:   $ sudo apt install git #------------ Cut and Paste start cd $LFS/sources git clone git://github.com/sfjro/aufs5-standalone.git \ aufs5-standalone.git cd aufs5-standalone.git git checkout -b origin/aufs5.5 cp aufs5-*.patch .. rm -f include/uapi/linux/Kbuild tar cvfz $LFS/sources/aufs5.tar.gz Documentation fs include cd .. rm -rf aufs5-standalone.git #------------ Cut and Paste end Rebuilding your kernel ======================    Follow the instructions in the LFS/BLFS book and build your LF
Read more