■ Trying out an install of the FortiGate-VM64 edition on VMware Player.
Unfortunately it is not publicly downloadable, so whether you want the evaluation
or the product version, you first need to secure a way to obtain it.
$ vmplayer -v
VMware Player 7.1.0 build-2496824
$ zipinfo FortiOS5.2.3/FGT_VM64-v5-build0670-FORTINET.out.ovf.zip
Archive: FortiOS5.2.3/FGT_VM64-v5-build0670-FORTINET.out.ovf.zip
Zip file size: 33024916 bytes, number of entries: 6
-rw-r--r-- 3.0 unx 71680 bx defN 10-Aug-24 02:32 datadrive.vmdk
-rw-r--r-- 2.3 unx 26956 tx defN 15-Mar-18 12:44 FortiGate-VM64.ovf
-rw-r--r-- 2.3 unx 21879 tx defN 15-Mar-18 12:44 FortiGate-VM64.hw04.ovf
-rw-r--r-- 2.3 unx 26996 tx defN 15-Mar-18 12:44 FortiGate-VM64.hw07_vmxnet2.ovf
-rw-r--r-- 2.3 unx 32800 tx defN 15-Mar-18 12:44 FortiGate-VM64.hw07_vmxnet3.ovf
-rw------- 2.3 unx 33266176 bx defN 15-Mar-18 12:44 fortios.vmdk
6 files, 33446487 bytes uncompressed, 33023958 bytes compressed: 1.3%
■ Check the OVF file to be converted.
The virtual machine appears to be "Other 64-bit" with a Linux 2.4 kernel.
$ mkdir FGT-VM64 && cd FGT-VM64; \
unzip ../FortiOS5.2.3/FGT_VM64-v5-build0670-FORTINET.out.ovf.zip; \
cd ..
$ ovftool FGT-VM64/FortiGate-VM64.ovf | tail -90 | grep -v "^\$"
Download Size: 31.79 MB
Deployment Sizes:
Flat disks: 32.00 GB
Sparse disks: Unknown
Networks:
Name: Network 1
Description: The VM Network network
Name: Network 2
Description: The Network 2 network
Name: Network 3
Description: The Network 3 network
Name: Network 4
Description: The Network 4 network
Name: Network 5
Description: The Network 5 network
Name: Network 6
Description: The Network 6 network
Name: Network 7
Description: The Network 7 network
Name: Network 8
Description: The Network 8 network
Name: Network 9
Description: The Network 9 network
Name: Network 10
Description: The Network 10 network
Virtual Machines:
Name: Fortigate-VM
Operating System: other24xlinux64guest
Virtual Hardware:
Families: vmx-07
Number of CPUs: 1
Cores per socket: 1
Memory: 1024.00 MB
Disks:
Index: 0
Instance ID: 6
Capacity: 2.00 GB
Disk Types: SCSI-lsilogic
Index: 1
Instance ID: 7
Capacity: 30.00 GB
Disk Types: SCSI-lsilogic
NICs:
Adapter Type: E1000
Connection: Network 3
Adapter Type: E1000
Connection: Network 4
Adapter Type: E1000
Connection: Network 5
Adapter Type: E1000
Connection: Network 6
Adapter Type: E1000
Connection: Network 7
Adapter Type: E1000
Connection: Network 8
Adapter Type: E1000
Connection: Network 9
Adapter Type: E1000
Connection: Network 10
Adapter Type: E1000
Connection: Network 1
Adapter Type: E1000
Connection: Network 2
■ Convert the OVF to VMX
$ ovftool "FGT-VM64/FortiGate-VM64.ovf" "FGT-VM64/FortiGate-VM64.vmx"
...
Accept end-user license agreement?
Write 'yes' or 'no' (write 'read' to reread the EULA):
yes
Writing VMX file: FGT-VM64/FortiGate-VM64.vmx
Transfer Completed
Warning:
- No manifest file found.
- No manifest entry found for: 'fortios.vmdk'.
- No manifest entry found for: 'datadrive.vmdk'.
Completed successfully
■ Networks: make the first NIC NAT (wan) and all the others host-only (internal).
$ ip a list | grep vmnet1\$
inet 172.16.76.1/24 brd 172.16.76.255 scope global vmnet1
$ ip a list | grep vmnet8\$
inet 192.168.152.1/24 brd 192.168.152.255 scope global vmnet8
$ sed -i -e 's/nat/hostonly/' FGT-VM64/FortiGate-VM64.vmx
$ sed -i -e 's/\(ethernet0.*\)hostonly/\1nat/' FGT-VM64/FortiGate-VM64.vmx
■ First boot
$ vmrun -T player start FGT-VM64/FortiGate-VM64.vmx
■ Log in with "admin / no password"
Set IPs on port1 and port2, and allow ping/https/telnet.
Incidentally, "edit 0" is the trick for automatic numbering.
Reference: FortiGate完全攻略 (book)
https://gihyo.jp/book/2015/978-4-7741-7266-8
FortiGate-VM64 login: admin
Password:
FortiGate-VM64
FortiGate-VM64 (interface)
FortiGate-VM64 (port1)
FortiGate-VM64 (port1)
FortiGate-VM64 (port1)
config system interface
edit "port1"
set vdom "root"
set ip 192.168.152.155 255.255.255.0
set type physical
set description "wan"
set snmp-index 1
next
end
FortiGate-VM64 (port1)
FortiGate-VM64 (interface)
FortiGate-VM64 (port2)
FortiGate-VM64 (port2)
FortiGate-VM64 (port2)
FortiGate-VM64 (port2)
config system interface
edit "port2"
set vdom "root"
set ip 172.16.76.155 255.255.255.0
set allowaccess ping http telnet
set type physical
set description "internal"
set snmp-index 2
next
end
FortiGate-VM64 (port2)
■ Routing settings
FortiGate-VM64
FortiGate-VM64 (static)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (static)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
■ ping/http check and telnet login
$ ping -c 2 172.16.76.155
PING 172.16.76.155 (172.16.76.155) 56(84) bytes of data.
64 bytes from 172.16.76.155: icmp_req=1 ttl=255 time=0.418 ms
64 bytes from 172.16.76.155: icmp_req=2 ttl=255 time=0.471 ms
--- 172.16.76.155 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.418/0.444/0.471/0.033 ms
$ w3m -no-proxy -dump_head http://172.16.76.155 | grep ^HTTP
HTTP/1.1 200 OK
$ telnet 172.16.76.155
Trying 172.16.76.155...
Connected to 172.16.76.155.
Escape character is '^]'.
FortiGate-VM64 login: admin
Password:
Welcome !
■ Until a license is applied, it runs on a 15-day evaluation license.
However, while the serial number is still "FGVMEV0000000000",
neither pattern file updates nor an HA configuration are possible.
Also, when building HA with the VM edition on an ESXi host,
you need to allow forged MAC addresses on the VMNICs used for the heartbeat.
FortiGate-VM64
antispam-license : Unknown
avquery-license : Unknown
webfilter-license : Unknown
FortiGate-VM64
Serial-Number: FGVMEV0000000000
■ Switching the GUI to Japanese
FortiGate-VM64
FortiGate-VM64 (global)
FortiGate-VM64 (global)
FortiGate-VM64
set language japanese
set timezone 60
■ Formatting the log disk
※ Forces a reboot
FortiGate-VM64
Log hard disk: Need format
FortiGate-VM64
Log disk is /dev/sdb1.
Formatting this storage will erase all data on it, including
logs, quarantine files;
and require the unit to reboot.
Do you want to continue? (y/n)
■ Taking the shutdown as the opportunity, stop launching the GUI and switch to a headless (CUI) background start
$ vmrun -T player start FGT-VM64/FortiGate-VM64.vmx nogui
$ vmrun -T player list
Total running VMs: 1
/home/labunix/dlsv/FGT-VM64/FortiGate-VM64.vmx
■ Log settings
Rotation and so on are up to you; this time the defaults are left as they are.
FortiGate-VM64
Log hard disk: Available
FortiGate-VM64
status : enable
ips-archive : enable
max-policy-packet-capture-size: 10
log-quota : 0
dlp-archive-quota : 0
report-quota : 0
maximum-log-age : 7
upload : disable
full-first-warning-threshold: 75
full-second-warning-threshold: 90
full-final-warning-threshold: 95
max-log-file-size : 100
storage :
roll-schedule : daily
roll-time : 00:00
diskfull : overwrite
■ Forward logs to a syslog server
Trying to forward FortiGate-80C logs to rsyslog on Debian Wheezy:
http://labunix.hateblo.jp/entry/20150226/1424960541
■ Proxy settings
FortiGate-VM64
FortiGate-VM64 (tunneling)
FortiGate-VM64 (tunneling)
FortiGate-VM64 (tunneling)
FortiGate-VM64 (tunneling)
status : enable
address : 10.10.10.88
port : 3128
username :
password : *
FortiGate-VM64 (tunneling)
■ Routing to the proxy server
FortiGate-VM64
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64
PING 10.10.10.88 (10.10.10.88): 56 data bytes
64 bytes from 10.10.10.88: icmp_seq=0 ttl=128 time=0.7 ms
--- 10.10.10.88 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.7/0.7/0.7 ms
■ Time synchronization from the proxy server
FortiGate-VM64
FortiGate-VM64 (ntp)
FortiGate-VM64 (ntp)
FortiGate-VM64 (ntp)
FortiGate-VM64 (ntpserver)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (ntp)
FortiGate-VM64
ntpsync : enable
type : custom
syncinterval : 60
ntpserver:
== [ 1 ]
id: 1
source-ip : 192.168.152.155
server-mode : disable
FortiGate-VM64
synchronized: yes, ntpsync: enabled, server-mode: disabled
ipv4 server(10.10.10.88) 10.10.10.88 -- reachable(0xff) S:1 T:705 selected
server-version=4, stratum=2
reference time is d905ba0e.126f0e87 -- UTC Tue May 19 13:33:02 2015
clock offset is -32400.107223 sec, root delay is 661 msec
root dispersion is 2330 msec, peer dispersion is 56 msec
FortiGate-VM64
current time is: 23:09:07
last ntp sync:Tue May 19 22:49:07 2015
■ DNS client settings
Allow ping to the outside; once connectivity is confirmed, stop it with [Ctrl]+[C]
FortiGate-VM64
FortiGate-VM64 (dns)
FortiGate-VM64 (dns)
FortiGate-VM64 (dns)
FortiGate-VM64 (dns)
FortiGate-VM64
primary : 192.168.152.2
secondary : 10.10.10.254
domain :
ip6-primary : ::
ip6-secondary : ::
dns-cache-limit : 5000
dns-cache-ttl : 1800
cache-notfound-responses: disable
source-ip : 192.168.152.155
FortiGate-VM64
PING fds1.fortinet.com (96.45.33.88): 56 data bytes
64 bytes from 96.45.33.88: icmp_seq=0 ttl=128 time=116.8 ms
64 bytes from 96.45.33.88: icmp_seq=1 ttl=128 time=116.3 ms
64 bytes from 96.45.33.88: icmp_seq=2 ttl=128 time=117.3 ms
--- fds1.fortinet.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 116.3/116.8/117.3 ms
FortiGate-VM64
PING guard.fortinet.net (208.91.112.198): 56 data bytes
64 bytes from 208.91.112.198: icmp_seq=0 ttl=128 time=95.1 ms
64 bytes from 208.91.112.198: icmp_seq=1 ttl=128 time=94.3 ms
64 bytes from 208.91.112.198: icmp_seq=2 ttl=128 time=94.8 ms
--- guard.fortinet.net ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 94.3/94.7/95.1 ms
■ Check the DNS proxy
FortiGate-VM64
DST HOSTNAME CACHE: 9
vdom=0 num=9 ttl=86400 limit=5000
...
208.91.112.196 (domain=service.fortiguard.net, ttl=84970)
...
208.91.114.28 (domain=fortiguard.com, ttl=84709)
...
96.45.34.47 (domain=flow.fortinet.net, ttl=84741)
208.91.112.68 (domain=update.fortiguard.net, ttl=84734)
...
96.45.33.88 (domain=update.fortiguard.net, ttl=84734)
96.45.33.89 (domain=update.fortiguard.net, ttl=84734)
■ Create the policy (addresses)
FortiGate-VM64
FortiGate-VM64 (address)
FortiGate-VM64 (10.10.10.0/24)
FortiGate-VM64 (10.10.10.0/24)
FortiGate-VM64 (address)
FortiGate-VM64 (192.168.152.0/24)
FortiGate-VM64 (192.168.152.0/24)
FortiGate-VM64 (address)
FortiGate-VM64 (172.16.76.0/24)
FortiGate-VM64 (172.16.76.0/24)
■ Create the policy (rules)
FortiGate-VM64
FortiGate-VM64 (policy)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64
FortiGate-VM64 (policy)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (0)
FortiGate-VM64 (policy)
FortiGate-VM64 (policy)
config firewall policy
edit 1
set uuid 421c184e-fe3d-51e4-8f9c-cf1d0a244192
set srcintf "port2"
set dstintf "port1"
set srcaddr "172.16.76.0/24" "192.168.152.0/24"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL_TCP" "ALL_UDP"
set logtraffic-start enable
set nat enable
next
edit 2
set uuid aa769f90-fe3d-51e4-efdb-f0f48eaa7843
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "172.16.76.0/24" "192.168.152.0/24"
set action accept
set schedule "always"
set service "ALL_UDP" "ALL_TCP"
set logtraffic-start enable
set nat enable
next
end
FortiGate-VM64 (policy)
■ Pattern update (※ before the license is applied)
FortiGate-VM64
FortiGate-VM64
FDN availability: unknown at Thu Jan 1 09:00:00 1970
Push update: disable
Scheduled update: enable
Update daily: at 1 after 81 minutes
Virus definitions update: enable
IPS definitions update: enable
Push address override: disable
Web proxy tunneling: enable
Proxy address: 10.10.10.88
Proxy port: 3128
Username:
Password:
■ Applying the evaluation license from the GUI
Upload the license file from the web admin UI at:
System > Dashboard > Status
> License Information > Virtual Machine (License) > Update
■ Confirm the pattern update
FDN availability: available at Wed May 20 21:37:30 2015
Push update: disable
Scheduled update: enable
Update daily: at 1 after 230 minutes
Virus definitions update: enable
IPS definitions update: enable
Push address override: disable
Web proxy tunneling: enable
Proxy address: 10.10.10.88
Proxy port: 3128
Username:
Password:
NAME VERSION LAST UPDATE METHOD EXPIRE
AV Engine 5.164 2015-01-27 14:28:00 manual 201X-XX-XX 09:00:00
Virus Definitions 25.764 2015-05-20 21:28:09 manual 201X-XX-XX 09:00:00
Extended set 1.000 2012-10-17 15:46:00 manual 201X-XX-XX 09:00:00
Attack Definitions 6.645 2015-05-20 21:28:09 manual 201X-XX-XX 09:00:00
Attack Extended Definitions 0.000 2001-01-01 00:00:00 manual 201X-XX-XX 09:00:00
Botnet Definitions 2.254 2015-05-20 21:28:09 manual n/a
IPS/FlowAV Engine 3.073 2015-05-20 21:28:09 manual 201X-XX-XX 09:00:00
FGVM010000037084
Virus-DB: 25.00764(2015-05-20 01:10)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 6.00645(2015-05-16 01:40)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Botnet DB: 2.00254(2015-05-19 20:30)
■ DNS connectivity to FortiGuard for the web filter and e-mail filter only happens
when a query is actually made, so test it from the GUI:
System > Config > FortiGuard
> Web Filtering and E-Mail Filtering Options
"Test Availability"
Note that 53/UDP does not go through the proxy; the unit connects directly.
In an environment where only the upstream DNS server is allowed outbound 53/UDP,
the filters cannot be used. (NAT is fine as long as there is a return route.)
$ sudo awk '/dstip=208.*dstport=53/{print}' /var/log/Fortigate-VM.log | \
sed -e 's/ devname=/\n&/' -e 's/ vd=/\n&/' -e 's/ sessionid=/\n&/' \
-e 's/ policyid=/\n&/' -e 's/ service=/\n&/' -e 's/ sentbyte=/\n&/'
May 20 22:29:10 vmhost date=2015-05-20 time=22:29:11
devname=FGVMXXXXXXXXXXXX devid=FGVMXXXXXXXXXXXX logid=0001000014 type=traffic subtype=local level=notice
vd=root srcip=192.168.152.155 srcport=1025 srcintf="root" dstip=208.91.112.198 dstport=53 dstintf="port1"
sessionid=313 proto=17 action=accept
policyid=0 dstcountry="United States" srccountry="Reserved" trandisp=noop
service="DNS" app="DNS" duration=182
sentbyte=184 rcvdbyte=504 sentpkt=2 rcvdpkt=2
May 20 22:29:10 vmhost date=2015-05-20 time=22:29:11
devname=FGVMXXXXXXXXXXXX devid=FGVMXXXXXXXXXXXX logid=0001000014 type=traffic subtype=local level=notice
vd=root srcip=192.168.152.155 srcport=1025 srcintf="root" dstip=208.91.112.196 dstport=53 dstintf="port1"
sessionid=314 proto=17 action=accept
policyid=0 dstcountry="United States" srccountry="Reserved" trandisp=noop
service="DNS" app="DNS" duration=182
sentbyte=184 rcvdbyte=504 sentpkt=2 rcvdpkt=2
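The awk/sed pipeline above picks the direct UDP/53 sessions out of the forwarded log by eye. As an added example (not part of the original post), the parser below does the same check over the key=value format FortiGate writes: it isolates the sessions the unit itself originated (subtype=local, policyid=0) to UDP/53, which are exactly the FortiGuard lookups that bypass the proxy, and tallies the resolver IPs so the required egress rule can be read off. The sample lines are constructed after the ones shown above; devname/devid are placeholders.

```python
import re
from collections import Counter

# Constructed sample, modelled on the FortiOS 5.2 traffic log lines shown above.
# Lines 1-2: the unit's own FortiGuard DNS lookups (direct UDP/53, no proxy).
# Line 3: the unit talking to the proxy on TCP/3128 (should NOT be flagged).
# Line 4: a forwarded client DNS query via policy 1 (should NOT be flagged).
SAMPLE_LOG = """\
May 20 22:29:10 vmhost date=2015-05-20 time=22:29:11 devname=FGVMXXXXXXXXXXXX devid=FGVMXXXXXXXXXXXX logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=192.168.152.155 srcport=1025 srcintf="root" dstip=208.91.112.198 dstport=53 dstintf="port1" sessionid=313 proto=17 action=accept policyid=0 dstcountry="United States" srccountry="Reserved" trandisp=noop service="DNS" app="DNS" duration=182 sentbyte=184 rcvdbyte=504 sentpkt=2 rcvdpkt=2
May 20 22:29:10 vmhost date=2015-05-20 time=22:29:11 devname=FGVMXXXXXXXXXXXX devid=FGVMXXXXXXXXXXXX logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=192.168.152.155 srcport=1025 srcintf="root" dstip=208.91.112.196 dstport=53 dstintf="port1" sessionid=314 proto=17 action=accept policyid=0 dstcountry="United States" srccountry="Reserved" trandisp=noop service="DNS" app="DNS" duration=182 sentbyte=184 rcvdbyte=504 sentpkt=2 rcvdpkt=2
May 20 22:30:01 vmhost date=2015-05-20 time=22:30:02 devname=FGVMXXXXXXXXXXXX devid=FGVMXXXXXXXXXXXX logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=192.168.152.155 srcport=1026 srcintf="root" dstip=10.10.10.88 dstport=3128 dstintf="port1" sessionid=315 proto=6 action=accept policyid=0 service="tcp/3128" app="tcp/3128" duration=5 sentbyte=900 rcvdbyte=4200 sentpkt=8 rcvdpkt=9
May 20 22:30:05 vmhost date=2015-05-20 time=22:30:06 devname=FGVMXXXXXXXXXXXX devid=FGVMXXXXXXXXXXXX logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=172.16.76.10 srcport=40001 srcintf="port2" dstip=192.168.152.2 dstport=53 dstintf="port1" sessionid=316 proto=17 action=accept policyid=1 service="DNS" app="DNS" duration=1 sentbyte=60 rcvdbyte=120 sentpkt=1 rcvdpkt=1
"""

# key=value pairs; values are either a double-quoted string or a bare token.
# The syslog prefix ("May 20 22:29:10 vmhost") has no '=' and is skipped.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_line(line):
    """Return one FortiGate log line as a dict, with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def direct_dns_sessions(log_text):
    """Sessions the FortiGate itself originated (subtype=local, policyid=0)
    that left on UDP/53, i.e. FortiGuard lookups that do not use the proxy."""
    hits = []
    for line in log_text.splitlines():
        f = parse_fortigate_line(line)
        if (f.get("type") == "traffic" and f.get("subtype") == "local"
                and f.get("policyid") == "0" and f.get("proto") == "17"
                and f.get("dstport") == "53"):
            hits.append(f)
    return hits


def summarize_by_dstip(hits):
    """Count direct-DNS sessions per resolver IP: the destinations an upstream
    firewall must allow (src = the unit's wan IP, dst = these IPs, UDP/53)."""
    return Counter(f["dstip"] for f in hits)


if __name__ == "__main__":
    found = direct_dns_sessions(SAMPLE_LOG)
    for dstip, n in summarize_by_dstip(found).items():
        print(f"direct UDP/53 from {found[0]['srcip']} to {dstip}: {n} session(s)")
```

To run it against the real forwarded log, replace SAMPLE_LOG with the contents of /var/log/Fortigate-VM.log; an empty result on a unit whose "Test Availability" fails points at the upstream 53/UDP restriction described above.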