Fortinet Fortigate
This guide describes how to install and configure a Lantronix Local Manager (LM) to manage, monitor, and facilitate remote connectivity to a Fortinet Fortigate firewall.
Features
- Supports Fortinet Fortigate
- Monitors CLI availability
- Monitors network availability
- Monitors CPU usage
- Collects hostname, serial number, and OS version
- Backs up configurations
Physical Connection
Connect a serial port on the Lantronix LM to the Fortinet's RS-232 console management port with a standard Cat 5 Ethernet patch cable.
Recommended Configuration
For proactive monitoring of the Fortinet’s status, and to ensure that backup configurations are available, it is recommended that:
- the Lantronix LM serial port connected to the Fortinet is configured as “enhanced” via the config init command.
- automatic backup of the configuration is scheduled.
- the Rulesets described in this guide are loaded on the Lantronix LM and scheduled on the serial port that the Fortigate is connected to.
Configuring the Port
The Lantronix LM will use the Enhanced driver to log into the Fortinet and run commands. If possible, provide the Lantronix driver with a username and password that is permitted to run super user commands. Without admin privileges, the Lantronix LM will not be able to run the commands needed to back up configurations and perform other automation.
To configure the Lantronix LM for connection to a Fortinet, navigate to the port that the Fortinet is connected to, run the config init command, and follow the prompts as shown below (substituting your Fortinet’s IP address for 203.0.113.16):
[athompson@Envoy-TOR-114 (port1/5)]# config init
--- Enter New Values ---
description [port 1/5]: Fortinet
make [native]: enhanced
model:
os []:
os version:
management IP [203.0.113.16]:
command prompt [[#>]]:
login prompt [sername:\s]: (?<!Last\s)login:\s
password prompt [ssword:\s]:
logout command [exit\r]:
wakeup command [\r]:
console username: admin
console password: ********
confirm password: ********
Serial Bit Rate [9600]:
Serial Data Bit [8]:
Serial Parity [none]:
Serial Stop Bit [1]:
Serial Flow Control [none]:
Do you want to commit these changes? (y/n): y
Testing login will take a few moments...
Login successful; credentials are valid.
Initialize device logging
Scheduling default jobs
Testing job rulesMonitor
Job rulesMonitor was successful
Job rulesMonitor was scheduled
The default console settings for the Fortinet are a 9600 bit rate, 8 data bits, no parity, 1 stop bit, and no flow control.
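The login prompt entered during config init above uses a negative lookbehind so that a line such as "Last login: ..." printed by the device cannot satisfy the pattern; only a real login prompt can. The following Python check is an added example for this guide, not Lantronix LM code: it runs the default login prompt pattern and the guide's override over a constructed console transcript (an assumption, not a capture) and reports which lines each pattern would fire on.

```python
import re

# Prompt patterns as shown by 'config init' in this guide:
# the default login prompt and the override entered for the Fortinet.
DEFAULT_LOGIN_PROMPT = r"login:\s"
GUIDE_LOGIN_PROMPT = r"(?<!Last\s)login:\s"   # negative lookbehind excludes "Last login:"
PASSWORD_PROMPT = r"ssword:\s"                 # default shown by config init

# Constructed transcript (assumption, not a real capture) of what the Enhanced
# driver reads from the console during a login.
TRANSCRIPT = [
    "FortiGate-60B login: ",
    "Password: ",
    "Last login: Mon Jan  1 09:00:00 2024 from console",
    "FGT60B0000000001 # ",
]


def matching_lines(lines, pattern):
    """Return the indexes of the lines on which a prompt pattern would fire."""
    return [i for i, line in enumerate(lines) if re.search(pattern, line)]


def prompt_report(lines):
    """Compare the default login pattern with the guide's override on one transcript."""
    return {
        "default_login": matching_lines(lines, DEFAULT_LOGIN_PROMPT),
        "guide_login": matching_lines(lines, GUIDE_LOGIN_PROMPT),
        "password": matching_lines(lines, PASSWORD_PROMPT),
    }


if __name__ == "__main__":
    for name, hits in prompt_report(TRANSCRIPT).items():
        print(f"{name:14s} matches lines {hits}")
```

With the default pattern the "Last login:" line is a second hit, which is the ambiguity the lookbehind removes; the password prompt default needs no change because the device prints "Password:" only once.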
Managing Configurations
Backup Configuration
The Lantronix LM can save a local copy of the Fortinet’s running configuration. Up to twenty-four backup files can be saved on the Lantronix LM’s file system for use in restoring a configuration or pushing a configuration to a replacement Fortinet. The file can be transferred to the Lantronix LM via TFTP.
To manually save the Fortinet’s configuration to the Lantronix LM, navigate to the port that the Fortinet is connected to and run the following command:
Example:
[admin@LantronixLM]# port 1/4
Enhanced
Fortinet
[admin@LantronixLM (port1/4)]# pull tftp "execute backup config tftp config ${ip}"
config running-config current
Pull runningConfig/current ...
TFTP server at 10.0.1.1:69
Executing: execute backup config tftp config ${ip}
Received config (73,936 bytes)
MD5: dcce22f764cc7b7f9fd38ee034644f93
These files can also be saved during a terminal session by using ~t to activate the Lantronix LM’s TFTP server and running the copy commands manually.
Automatic Configuration Backup
To configure the Lantronix LM to back up the running-config of a Fortinet every three hours, use the following command:
config schedule pullTftp "execute backup config tftp config ${ip}" config running-config current -d 10800
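Each pull leaves a copy of the running-config on the Lantronix LM together with the MD5 shown after the transfer. The MD5 tells you that a backup differs from the previous one, but not what changed. The following Python script is an added example for this guide (it is not Lantronix or Fortinet code): it splits two FortiOS text backups into their top-level config ... end sections and reports which sections were added, removed or changed, which is the first check worth running when a backup's MD5 unexpectedly moves. The two backup texts are constructed, and the treatment of the leading #config-version= and #conf_file_ver= header lines as metadata to be skipped is an assumption.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    """Whole-file fingerprint, comparable with the MD5 line the LM prints after a pull."""
    return hashlib.md5(data).hexdigest()


def split_sections(config_text: str) -> dict:
    """Split a FortiOS text backup into its top-level 'config ... end' blocks, keyed by
    section name ('system global', 'firewall policy', ...).  Nested blocks are indented in
    FortiOS backups, so only column-0 'config'/'end' lines open and close a section.
    Leading '#...' header lines are treated as metadata (assumption) and left out."""
    sections, current, body = {}, None, []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if current is None:
            if line.startswith("config "):
                current, body = line[len("config "):], []
            continue                      # header comments and anything outside a block
        if line == "end":
            sections[current] = "\n".join(body)
            current = None
        else:
            body.append(line)
    return sections


def diff_backups(old_text: str, new_text: str) -> dict:
    """Report which top-level sections differ between two backups."""
    old, new = split_sections(old_text), split_sections(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(name for name in set(old) & set(new) if old[name] != new[name]),
    }


# Constructed backups (assumptions, not real device output).  BACKUP_1_RESAVED differs
# from BACKUP_1 only in the header; BACKUP_2 adds an admin account and changes a policy.
BACKUP_1 = """\
#config-version=FGT60B-4.00-FW-build178-090820:opmode=0:vdom=0:user=admin
#conf_file_ver=1000000000000001
config system global
    set admin-sport 443
    set hostname "FGT60B0000000001"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
    next
end
"""
BACKUP_1_RESAVED = BACKUP_1.replace("#conf_file_ver=1000000000000001",
                                    "#conf_file_ver=1000000000000002")
BACKUP_2 = """\
#config-version=FGT60B-4.00-FW-build178-090820:opmode=0:vdom=0:user=admin
#conf_file_ver=1000000000000003
config system global
    set admin-sport 443
    set hostname "FGT60B0000000001"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "svc-audit"
        set accprofile "super_admin"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set logtraffic all
    next
end
"""

if __name__ == "__main__":
    print("resave md5 changed:", md5_hex(BACKUP_1.encode()) != md5_hex(BACKUP_1_RESAVED.encode()))
    print("resave sections:   ", diff_backups(BACKUP_1, BACKUP_1_RESAVED))
    print("real change:       ", diff_backups(BACKUP_1, BACKUP_2))
```

A re-save with no configuration change still produces a new MD5 because the header moved, while the section report is empty; the second comparison names the two sections a reviewer needs to look at.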
Restore Configuration
Use the following commands to restore a backup configuration to a Fortinet. The file can be transferred via TFTP.
First, navigate to the port the Fortinet is connected to, and stage the file to be restored as a candidate configuration.
Example:
Next, run the following command:
These files can also be pushed during a terminal session by using ~t to activate the Lantronix LM’s TFTP server and running the copy commands manually.
Monitoring Fortinet Network Status
Fortinet Network Check Ruleset
The Lantronix LM can be configured to monitor the status of a managed Fortinet’s network connections using the FortinetPing rule set. The Lantronix LM will send commands to make the Fortinet ping a specified IP and send an alarm if it is not successful.
To load the FortinetPing rule set on the Lantronix LM, copy and paste the following into the Lantronix LM at the system level, replacing X.X.X.X with the IP to be pinged:
config rule no enhancedPing1
config rule enhancedPing1
action clearValue monitor enhancedPingResponse
action execute -command "execute ping X.X.X.X" -pattern "(ttl)" -setValue monitor enhancedPingResponse $1 -multiline
conditions
true
exit
exit
config rule no enhancedPing2
config rule enhancedPing2
action writeStatus OK
conditions
compare-value monitor enhancedPingResponse = ttl
exit
exit
config rule no enhancedPing3
config rule enhancedPing3
action writeStatus ALARM
action alarm GENERIC -a "network test failing"
conditions
NOT compare-value monitor enhancedPingResponse = ttl OR
NOT has-value monitor enhancedPingResponse
exit
exit
config ruleset no enhancedPing
config ruleset enhancedPing
description null
rules
enhancedPing1 | enhancedPing2 | enhancedPing3
exit
exit
To configure the Lantronix LM to use the enhancedPing rule set to monitor a Fortinet, navigate to the port that the Fortinet is connected to and run the following command:
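The three rules above set the monitor to "ttl" whenever any line of the ping output contains that string, report OK when it does, and alarm when it does not or when the monitor is unset. One consequence worth knowing before relying on the alarm: a single reply out of five is enough for OK, so heavy packet loss is not reported. The following Python script is an added example for this guide, not Lantronix LM code: it evaluates the rule chain on constructed execute ping outputs (assumptions, not captures) and, as a variant that is not in the guide, evaluates the packet-loss summary line against an assumed threshold instead. Modelling -multiline as Python's re.MULTILINE is also an assumption.

```python
import re

PING_PATTERN = r"(ttl)"                 # from enhancedPing1 in this guide
LOSS_PATTERN = r"(\d+)% packet loss"    # assumed alternative pattern, not from the guide

# Constructed 'execute ping' outputs (assumptions, not real captures).
PING_ALL_REPLIES = """\
PING 192.0.2.10 (192.0.2.10): 56 data bytes
64 bytes from 192.0.2.10: icmp_seq=0 ttl=64 time=0.4 ms
64 bytes from 192.0.2.10: icmp_seq=1 ttl=64 time=0.3 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=64 time=0.3 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=64 time=0.4 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=64 time=0.3 ms

--- 192.0.2.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.4 ms
"""
PING_ONE_REPLY = """\
PING 192.0.2.10 (192.0.2.10): 56 data bytes
64 bytes from 192.0.2.10: icmp_seq=0 ttl=64 time=0.4 ms
Timeout...
Timeout...
Timeout...
Timeout...

--- 192.0.2.10 ping statistics ---
5 packets transmitted, 1 packets received, 80% packet loss
"""
PING_NO_REPLY = """\
PING 192.0.2.10 (192.0.2.10): 56 data bytes
Timeout...
Timeout...
Timeout...
Timeout...
Timeout...

--- 192.0.2.10 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
"""


def run_enhanced_ping(output):
    """Evaluate enhancedPing1..3 from this guide on one command output.
    Returns ('OK', None) or ('ALARM', 'network test failing')."""
    monitor = {}                                          # enhancedPing1: clearValue
    m = re.search(PING_PATTERN, output, re.MULTILINE)     # -multiline modelled as re.MULTILINE
    if m:
        monitor["enhancedPingResponse"] = m.group(1)      # -setValue monitor ... $1
    value = monitor.get("enhancedPingResponse")
    if value == "ttl":                                    # enhancedPing2: compare-value = ttl
        return "OK", None
    # enhancedPing3: NOT compare-value = ttl OR NOT has-value
    return "ALARM", "network test failing"


def run_loss_aware(output, max_loss_pct):
    """Assumed variant: judge the packet-loss summary instead of 'any reply at all'."""
    m = re.search(LOSS_PATTERN, output)
    if not m:
        return "ALARM", "no ping summary in output"
    loss = int(m.group(1))
    return ("ALARM", f"{loss}% packet loss") if loss > max_loss_pct else ("OK", None)


if __name__ == "__main__":
    for label, out in (("all replies", PING_ALL_REPLIES), ("one reply", PING_ONE_REPLY),
                       ("no reply", PING_NO_REPLY), ("empty output", "")):
        print(f"{label:12s} guide rules: {run_enhanced_ping(out)}  "
              f"loss-aware(20%): {run_loss_aware(out, 20)}")
```

The guide's chain is the right choice when the question is "can the firewall reach this address at all"; the loss-aware variant is the one to adapt if degraded links should also raise an alarm.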
Fortinet CPU Monitor Ruleset
The Lantronix LM can be configured to monitor CPU usage on a Fortinet firewall. To load these rules, copy and paste the following:
config rule no FortinetCPU0
config rule FortinetCPU0
conditions
true
exit
action execute -pattern "(\d?\d?\d)%\sidle" -command "get system performance status | grep CPU" -setValue monitor FortinetCPU $1
exit
config rule no FortinetCPU1
config rule FortinetCPU1
description a rule to send an alarm when CPU idle is below a certain number - adjust target as appropriate
conditions
compare-value monitor FortinetCPU <= 100
exit
action alarm GENERIC -a "CPU usage above 0%"
exit
To configure the Lantronix LM to use the CPU rules to monitor a Fortinet, navigate to the port that the Fortinet is connected to and run the following command:
Fortinet Hostname Collection Ruleset
The Lantronix LM can be configured to collect the hostname of a Fortinet firewall. To load the required rules, copy and paste the following:
config rule no FortinetHostname0
config rule FortinetHostname0
action execute -pattern "Hostname:\s(\w+)" -command "get system status | grep Hostname" -setValue monitor FortinetHostname $1
conditions
true
exit
exit
config rule no FortinetHostname1
config rule FortinetHostname1
action setDevice monitor FortinetHostname hostname
conditions
true
exit
exit
To configure the Lantronix LM to use the hostname collection rules, navigate to the port that the Fortinet is connected to and run the following command:
Fortinet Serial Number Collection Ruleset
The Lantronix LM can be configured to collect the serial number of a Fortinet firewall. To load the required rules, copy and paste the following:
config rule no FortinetSerialNumber0
config rule FortinetSerialNumber0
action execute -pattern "Serial-Number:\s(\w+)" -command "get system status | grep Serial-Number" -setValue monitor FortinetSerialNumber $1
conditions
true
exit
exit
config rule no FortinetSerialNumber1
config rule FortinetSerialNumber1
action setDevice monitor FortinetSerialNumber serialNumber
conditions
true
exit
exit
To configure the Lantronix LM to use the serial number collection rules, navigate to the port that the Fortinet is connected to and run the following command:
Fortinet OS Version Collection Ruleset
The Lantronix LM can be configured to collect the OS version of a Fortinet firewall. To load the required rules, copy and paste the following:
config rule no FortinetOSVersion0
config rule FortinetOSVersion0
action execute -pattern "Version:\s.+v(\d\.\d,build\d+)" -command "get system status | grep Version:" -setValue monitor FortinetOSVersion $1
conditions
true
exit
exit
config rule no FortinetOSVersion1
config rule FortinetOSVersion1
action setDevice monitor FortinetOSVersion osVersion
conditions
true
exit
exit
To configure the Lantronix LM to use the OS version collection rules, navigate to the port that the Fortinet is connected to and run the following command:
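The CPU, hostname, serial number and OS version rulesets above share one shape: run a get system command piped through grep on the Fortinet, apply a regular expression to the result, and store the first capture group in a monitor. The following Python script is an added example for this guide, not Lantronix LM code: it applies the guide's own patterns to constructed command outputs so that their behaviour can be checked before the rules are scheduled. It shows two inputs the original patterns do not handle: a hostname containing hyphens (\w+ stops at the first hyphen) and a three-component version string such as v6.0.4 as printed by newer FortiOS releases (\d\.\d,build only matches two components). The sample outputs, the grep and set_value helpers standing in for the LM's -command and -pattern handling, the CPU idle threshold and the two broadened patterns are all assumptions and are not taken from the guide.

```python
import re

# Patterns and grep keywords copied from the collection rulesets in this guide.
GUIDE_RULES = {
    "FortinetHostname":     (r"Hostname:\s(\w+)",                "Hostname"),
    "FortinetSerialNumber": (r"Serial-Number:\s(\w+)",           "Serial-Number"),
    "FortinetOSVersion":    (r"Version:\s.+v(\d\.\d,build\d+)",  "Version:"),
}
CPU_PATTERN = r"(\d?\d?\d)%\sidle"      # FortinetCPU0; note it captures the *idle* percentage

# Assumed broadened patterns (not from the guide) for inputs the originals miss.
BROADENED = {
    "FortinetHostname":  r"Hostname:\s(\S+)",                       # keep hyphens in names
    "FortinetOSVersion": r"Version:\s.+v(\d+(?:\.\d+)+,build\d+)",  # 2- or 3-part versions
}

# Constructed command outputs (assumptions, not real captures).
STATUS_TWO_PART = """\
Version: FortiGate-60B v4.0,build0178,090820 (MR1)
Serial-Number: FGT60B0000000001
Hostname: FGT60B0000000001
"""
STATUS_THREE_PART = """\
Version: FortiGate-60E v6.0.4,build0231,190107 (GA)
Serial-Number: FGT60E0000000002
Hostname: fw-edge-01
"""
PERF_STATUS = """\
CPU states: 3% user 2% system 0% nice 95% idle 0% iowait 0% irq 0% softirq
Memory: 2057816k total, 663080k used (32.2%), 1394736k free (67.8%)
"""


def grep(output, keyword):
    """Stand-in for the '| grep KEYWORD' run on the FortiGate: keep lines containing it."""
    return "\n".join(line for line in output.splitlines() if keyword in line)


def set_value(output, pattern):
    """Stand-in for 'action execute -pattern P -setValue monitor X $1': first group of the
    first match, or None when nothing matches (the monitor is then left unset)."""
    m = re.search(pattern, output)
    return m.group(1) if m else None


def collect(status_output, broadened=False):
    """Run the three 'get system status' collectors; return the monitor values they set."""
    values = {}
    for monitor, (pattern, keyword) in GUIDE_RULES.items():
        if broadened and monitor in BROADENED:
            pattern = BROADENED[monitor]
        values[monitor] = set_value(grep(status_output, keyword), pattern)
    return values


def cpu_rule(perf_output, idle_threshold):
    """Mirror FortinetCPU0/FortinetCPU1 with an explicit idle threshold (assumed; the guide
    leaves the target at 100, which fires on every run).  Returns (idle_percent, alarm).
    Because the monitor holds idle time, 'idle <= T' means 'CPU usage above (100 - T)%'.
    Unparsed output is reported as a failed check here; the guide's rule has no has-value
    test, so what the LM does with an unset monitor is not modelled."""
    idle = set_value(grep(perf_output, "CPU"), CPU_PATTERN)
    if idle is None:
        return None, True
    return int(idle), int(idle) <= idle_threshold


if __name__ == "__main__":
    for label, out in (("two-part", STATUS_TWO_PART), ("three-part", STATUS_THREE_PART)):
        print(label, "guide patterns:    ", collect(out))
        print(label, "broadened patterns:", collect(out, broadened=True))
    print("cpu idle, alarm at <=20% idle:", cpu_rule(PERF_STATUS, 20))
```

On the three-part sample the guide's patterns set the hostname monitor to "fw" and leave the OS version monitor unset, so setDevice would record a truncated hostname and no version; the broadened patterns capture "fw-edge-01" and "6.0.4,build0231". Whichever patterns are used, the CPU threshold should be expressed in terms of idle time, since that is what FortinetCPU holds.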
Combining Multiple Rulesets
The Lantronix LM can have only one chassis monitor running per serial port. If multiple rulesets are required, they can be combined into a Rule Set or strung together as in the following examples:
config monitor chassis FortinetHostname0 | FortinetHostname1 | FortinetSerialNumber0 | FortinetSerialNumber1
config monitor chassis FortinetHostname0 | FortinetHostname1 | FortinetSerialNumber0 | FortinetSerialNumber1 | FortinetCPU0 | FortinetCPU1
config mon chassis FortinetHostname0 | FortinetHostname1 | FortinetSerialNumber0 | FortinetSerialNumber1 | FortinetCPU0 | FortinetCPU1 | enhancedPing
To combine all the above rules into one Rule Set:
config ruleset FortinetRules
rules
FortinetHostname0 | FortinetHostname1 | FortinetSerialNumber0 | FortinetSerialNumber1 | FortinetCPU0 | FortinetCPU1 | FortinetOSVersion0 | FortinetOSVersion1 | enhancedPing
exit
exit
To schedule with the combined ruleset:
For more information about using rules, see Rules and Monitors.