					                             Aruba/Fortinet Configuration example




     Aruba/Fortinet configuration example




Topology example of test setup .................................................................................. 3
Aruba configuration .................................................................................................... 4
FortiGate Configuration ............................................................................................ 15
FortiGate Screenshots ............................................................................................... 26
Troubleshooting ........................................................................................................ 30




   John Schaap
   Senior Systems Engineer
   Aruba Networks
   jschaap@arubanetworks.com




                                                      -1-

The Aruba Mobility Controller receives the traffic and redirects
relevant traffic (including but not limited to all HTTP/HTTPS, Email
protocols such as SMTP, POP3) to the ESI server device to provide
services such as Anti-virus scanning, email scanning, web content
inspection etc.

This traffic is redirected on the “un-trusted” interface between the
Aruba Mobility Controller and the ESI server device.

The Aruba Mobility Controller also redirects the traffic intended for
the clients – coming from either the Internet or the internal network.
This traffic is redirected on the “trusted” interface between the Aruba
Mobility Controller and the ESI server device.

The Aruba Mobility controller forwards all other traffic (for which ESI
server does not perform any of the required operations such as AV
scanning). An example of such traffic would be database traffic running
from a client to an internal server.

The ESI server can be configured in bridge mode (ESI server operating
as a transparent bridge) or route mode (ESI server operating as a
router). This document describes the route mode.

Users are blacklisted based on SYSLOG information sent by the FortiGate
to the Aruba controller. The correct setup of the log settings on the
FortiGate is very important for this feature to work.

Make sure that you don’t use the “log” keyword in the redirect acl in a
production environment because it can have a serious performance impact.
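Added illustration, not part of the original document and not the controller's own ESI syslog parser: a small Python routine showing how the blacklisting decision described above can be reasoned about. It parses FortiGate-style key=value syslog lines, keeps only virus events, and returns the endpoint that lies in the wireless client network (vlan 1, 172.16.1.0/24 from the topology) as the candidate to blacklist, whether the client was the sender or the receiver of the infected transfer. The sample log lines and the field names (type, subtype, src, dst, virus) are constructed for this example; the fields a FortiGate actually emits depend on the FortiOS version and log settings.

```python
import ipaddress
import re

# Wireless client network, taken from the topology (vlan 1 on the A800).
CLIENT_NETWORKS = [ipaddress.ip_network("172.16.1.0/24")]

# key=value pairs; a value may be double-quoted and contain spaces.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syslog_line(line: str) -> dict:
    """Turn one FortiGate-style line into a dict of its key=value fields."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def _in_client_network(address: str) -> bool:
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:          # missing or malformed field
        return False
    return any(ip in net for net in CLIENT_NETWORKS)


def client_to_blacklist(event: dict):
    """Return the client IP a virus event points at, or None when the event
    is not a virus event or neither endpoint is a wireless client."""
    if event.get("type") != "virus" or event.get("subtype") != "infected":
        return None
    # The infected transfer may be outbound (client is src) or inbound
    # (client is dst, e.g. a download the FortiGate scanned): check both.
    for key in ("src", "dst"):
        address = event.get(key, "")
        if _in_client_network(address):
            return address
    return None


def blacklist_candidates(lines) -> list:
    """Client IPs to blacklist, in first-seen order, without duplicates."""
    seen = []
    for line in lines:
        candidate = client_to_blacklist(parse_syslog_line(line))
        if candidate and candidate not in seen:
            seen.append(candidate)
    return seen


# Constructed sample lines (assumed field names), not captured from a device.
SAMPLE_LINES = [
    'type=virus subtype=infected level=warning src=172.16.1.23 dst=198.51.100.9 service=http virus="EICAR_TEST_FILE" status=blocked',
    'type=traffic subtype=allowed src=172.16.1.23 dst=198.51.100.9 service=http status=accept',
    'type=virus subtype=infected level=warning src=198.51.100.7 dst=172.16.1.40 service=smtp virus="EICAR_TEST_FILE" status=blocked',
    'type=virus subtype=infected level=warning src=172.16.15.2 dst=198.51.100.9 service=http virus="EICAR_TEST_FILE" status=blocked',
    'type=virus subtype=infected level=warning src=172.16.1.23 dst=198.51.100.9 service=ftp virus="EICAR_TEST_FILE" status=blocked',
]

if __name__ == "__main__":
    for ip in blacklist_candidates(SAMPLE_LINES):
        print("blacklist", ip)
```

The fourth sample line is a virus event whose endpoints are the Win2003 server and an Internet host, so it yields no wireless client and is ignored; the fifth repeats a client already listed. Restricting candidates to the client networks is the check that keeps a single mis-parsed or server-side event from blacklisting something that is not a user.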







Topology example of test setup




                Internet
                    |
               +--------+
               | Router |
               +----+---+
                    |.254
                    |
-----------+--------+----------------------
           |192.168.1.0/24
           |
 vlan2 1/8 |.1
  +--------+---------+ 172.16.101.0/24 +-----------+
  |     vlan101 1/5  +-----------------+ internal  |
  |                  |.1            .254|           |
  |       A800       |                 |   FG60    |
  |                  | 172.16.100.0/24 |           |
  |     vlan100 1/4  +-----------------+ wan1      |
  +--------+---------+.1            .254+-----------+
 vlan1 1/0 |.1
           |172.16.1.0/24
           |
       +--------+
       | Client |
       +--------+



Aruba configuration

Most relevant config items are highlighted

(Aruba800) #show ver
Aruba Operating System Software.
ArubaOS (MODEL: Aruba800), Version 2.4.1.7
Website: http://www.arubanetworks.com
Copyright (c) 2002-2005, Aruba Wireless Networks Inc.
Compiled on 2005-07-27 at 00:17:20 PDT (build 10898) by p4build

ROM: System Bootstrap, Version CPBoot 1.1.3 (Feb 25 2004 - 13:00:04)

Switch uptime is 3 hours 4 minutes 55 seconds
Reboot Cause: Power Failure.
Supervisor Card
Processor (revision 16.20 (pvr 8081 1014)) with 256M bytes of memory.
32K bytes of non-volatile configuration memory.
128M bytes of Supervisor Card System flash (model=TOSHIBA THNCF128MMA).

(Aruba800) #write t
Building Configuration...

version 2.4
enable secret "969e3e0c3a669c86844c1c6b25cab6e2"
enable "1n1d0R0L1f1n"
loginsession timeout 60
hostname "Aruba800"
logging level alerts crypto
logging level alerts l2tp
logging level alerts pptp
logging level alerts wms
logging level alerts mmgr
logging level alerts mobagent
logging level alerts master
logging level alerts stm
logging level alerts localdb
logging level alerts sapm
logging level alerts fpapps
logging level alerts cfgm
logging level informational suser
logging level informational intuser
logging level alerts aaa
logging level alerts traffic
logging level alerts dhcpd
logging level informational processes
logging level informational publisher
logging level informational ads
logging level informational pim
logging level alerts snmp
logging level alerts packetfilter
clock summer-time CEST recurring last sunday march 02:00 last sunday october 02:00

clock timezone UTC 1
ip NAT pool test 1.1.1.1 1.1.1.1 192.168.1.254
netservice svc-snmp-trap udp 162
netservice svc-syslog udp 514
netservice svc-l2tp udp 1701
netservice svc-ike udp 500
netservice svc-https tcp 443
netservice svc-smb-tcp tcp 445
netservice svc-dhcp udp 67 68
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-sip-tcp tcp 5060
netservice svc-tftp udp 69
netservice svc-kerberos udp 88
netservice svc-adp udp 8200
netservice svc-pop3 tcp 110
netservice svc-msrpc-tcp tcp 135 139
netservice svc-dns udp 53
netservice svc-http tcp 80
netservice svc-sip-udp udp 5060
netservice svc-nterm tcp 1026 1028
netservice svc-papi udp 8211
netservice svc-natt udp 4500
netservice svc-ftp tcp 21
netservice svc-svp 119
netservice svc-smtp tcp 25
netservice svc-gre 47
netservice svc-smb-udp udp 445
netservice svc-esp 50
netservice svc-snmp udp 161
netservice svc-bootp udp 67 69
netservice svc-msrpc-udp udp 135 139
netservice svc-ntp udp 123
netservice svc-icmp 1
netservice svc-ssh tcp 22
time-range test-time periodic
 daily 14:35 to 14:40
!
ip access-list session control
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-papi permit
  any any svc-adp permit
  any any svc-tftp permit
  any any svc-dhcp permit
  any any svc-natt permit
!
ip access-list session validuser
  any any any permit
!
ip access-list session remoteap
  any any any permit
!
ip access-list session NAT
  any any any dual-nat pool test
!
ip access-list session captiveportal
  user   alias mswitch svc-https permit
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
!
ip access-list session Fortinet
  any any svc-dhcp permit
  any any svc-dns permit
  any any svc-icmp permit
  any any svc-http redirect esi-group FortiNet direction both
  any any svc-https redirect esi-group FortiNet direction both
  any any svc-pop3 redirect esi-group FortiNet direction both
  any any svc-smtp redirect esi-group FortiNet direction both
  any any svc-ftp redirect esi-group FortiNet direction both
!
ip access-list session allowall
  any any any permit
!
ip access-list session strap
  any   alias mswitch udp 4500 permit
!
ip access-list session srcnat
  user any any src-nat
!
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
!
ip access-list session cplogout
  user   alias mswitch svc-https permit
!
ip access-list session guest
  any any any permit
!
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
!
vpn-dialer default-dialer
  no   ppp authentication PAP
  no   ppp authentication CHAP
  no   ppp authentication MSCHAP
  ike authentication PRE-SHARE 4f55f5cc167603b15479bb59cb9cdd42
!
vpn-dialer test-dialer
  ike authentication PRE-SHARE 37d9901d0dd07f3dcb06237886996922a35b542ffefaadf4
!
user-role ap-role
 session-acl control
 session-acl ap-acl
!
user-role remoteap
 session-acl remoteap
!
user-role NAT
 session-acl NAT
!
user-role trusted-ap
 session-acl allowall
!
user-role employee
 dialer test-dialer
 session-acl allowall
!
user-role default-vpn-role
 session-acl allowall
!
user-role Fortinet
 session-acl Fortinet
!
user-role 802.1x_user_default
 session-acl guest
!
user-role 802.1x_machine_default
 session-acl guest
!
user-role guest
 session-acl guest
 session-acl cplogout
!
user-role stateful-dot1x
!
user-role stateful
 session-acl control
!
user-role 802.1x_fully_authenticated
 session-acl allowall
!
user-role logon
 session-acl control
 session-acl captiveportal
 session-acl vpnlogon
 session-acl strap
!
ip radius source-interface vlan 1
aaa radius-server MEDION host 172.16.15.2 key bb8c2a07196055e74699a5c10b2489b31a59eae27c5bd225
aaa derivation-rules server Internal
  set role condition Role value-of
!
aaa derivation-rules server MEDION
  set vlan condition Filter-Id equals "personnel" set-value 12
  set vlan condition Filter-Id equals "student" set-value 13
!
aaa derivation-rules user
  set vlan condition essid equals "aruba-ap" set-value 1
!
aaa captive-portal guest-logon
aaa captive-portal default-role Fortinet
aaa captive-portal auth-server Internal
aaa captive-portal auth-server MEDION
aaa vpn-authentication default-role default-vpn-role
aaa vpn-authentication mode enable
aaa vpn-authentication auth-server Internal
aaa pubcookie-authentication
!
aaa radius-accounting
 auth-server MEDION
!
aaa dot1x mode enable
dot1x wired-clients
aaa dot1x default-role 802.1x_fully_authenticated
aaa dot1x enforce-machine-authentication
 mode enable
 machine-authentication default-role 802.1x_machine_default
 user-authentication default-role 802.1x_user_default
!
dot1x timeout wpa-key-timeout 3
aaa dot1x auth-server MEDION

logging 172.16.15.2

no spanning-tree
interface mgmt
        shutdown
!

vlan   2
vlan   3
vlan   10
vlan   12
vlan   13
vlan   100
vlan   101


interface fastethernet 1/0
        description "CONNECTION TO AP"
        trusted
!

interface fastethernet 1/1
        description "CONNECTION TO AP"
        trusted
!

interface fastethernet 1/2
        description "CONNECTION TO AP"
        trusted
!

interface fastethernet 1/3
        description "CONNECTION TO AP"
        trusted
!
interface fastethernet 1/4
        description "CONNECTION TO FORTGATE (WAN1)"
        trusted
        switchport access vlan 100
!

interface fastethernet 1/5
        description "CONNECTION TO FORTGATE (INTERNAL)"
        trusted
        switchport access vlan 101
!

interface fastethernet 1/6
        description "CONNECTION TO LOCAL SWITCH"
        trusted
!

interface fastethernet 1/7
        description "CONNECTION TO WIN2003 SERVER"
        trusted
        switchport access vlan 3
!

interface gigabitethernet 1/8
        description "CONNECTION TO LINKSYS (INTERNET)"
        trusted
        switchport access vlan 2
!

interface vlan 1
        ip address 172.16.1.1 255.255.255.0
        description "VLAN FOR AP'S AND WLAN CLIENTS"
!

interface vlan 3
        ip address 172.16.15.1 255.255.255.0
        description "VLAN FOR WIN2003 SERVER"
!

interface vlan 2
        ip address 192.168.1.1 255.255.255.0
        description "VLAN FOR INTERNET CONNECTION"
!

interface vlan 12
        ip address 172.16.12.1 255.255.255.0
        description "TEST VLAN FOR VLAN DERIVATION GROUP PERSONNEL"
!

interface vlan 13
        ip address 172.16.13.1 255.255.255.0
        description "TEST VLAN FOR VLAN DERIVATION GROUP STUDENT"
!

interface vlan 10
        ip address 172.16.254.254 255.255.255.0
!

interface vlan 100
        ip address 172.16.100.1 255.255.255.0
        description "UNTRUSTED INTERFACE TO FORTIGATE (WAN1)"
!

interface vlan 101
        ip address 172.16.101.1 255.255.255.0
        description "TRUSTED INTERFACE TO FORTIGATE (INTERNAL)"
!

ip default-gateway 192.168.1.254
ip route 172.16.2.0 255.255.255.0 172.16.1.254
ip route 172.16.3.0 255.255.255.0 172.16.1.254
country NL

ap location 0.0.0
hostname "AP"
snmp-server enable trap
snmp-server community "public"
syslocation "Gorinchem"
syscontact "John Schaap"
snmp-server host 172.16.15.2 version 2c public udp-port 162
ap-logging level warnings snmpd

ap-logging level warnings stm
max-imalive-retries 10
ap-logging level warnings sapd
ap-logging level warnings am
double-encrypt disable
forward-mode tunnel
native-vlan-id 1
arm voip-aware-scan enable
arm max-tx-power 4
bkplms-ip 0.0.0.0
opmode opensystem
mode ap_mode
authalgo opensystem
rts-threshhold 2333
tx-power 2
max-retries 4
dtim-period 1
max-clients 0
beacon-period 100
ap-enable enable
power-mgmt enable
ageout 1000
hide-ssid disable
deny-bcast disable
local-probe-response disable
max-tx-fail 0
arm assignment disable
arm client-aware enable
arm scanning disable
arm scan-time 110
arm scan-interval 10
rf-band g
essid "aruba-ap"
radio-off-threshold 3
bootstrap-threshold 7
arm multi-band-scan enable
arm rogue-ap-aware enable
  phy-type a
    channel 52
    rates 6,12,24
    txrates 6,9,12,18,24,36,48,54
    max-clients 10
    vlan-id 1
    arm scanning enable
    arm scan-interval 2
    arm assignment single-band
    mode ap_mode
    ap-enable disable
  !
  phy-type g
    short-preamble enable
    rates 1,2
    txrates 1,2,5,11,6,9,12,18,24,36,48,54
    bg-mode mixed
    max-clients 10
    tx-power 4
    vlan-id 1
    arm client-aware enable
    mode ap_mode
    arm scanning enable
    arm scan-time 110
    ap-enable enable
    channel 6
    arm assignment single-band
    arm scan-interval 2
    arm rogue-ap-aware enable
  !
!
ap location 0.0.0
  phy-type enet1
    mode active-standby
    switchport mode access
    switchport access vlan 1
    switchport trunk native vlan 1
    switchport trunk allowed vlan 1-4094
    trusted disable
  !
!
ap location 1.1.254
radio-off-threshold 3
bootstrap-threshold 7
!
ap location 1.1.1
rf-band g
  phy-type g
    mode ap_mode
  !
!
ap location -1.0.0
mode am_mode
max-clients 0
!
wms
 general poll-interval 60000
 general poll-retries 2
 general ap-ageout-interval 30
 general sta-ageout-interval 30
 general ap-inactivity-timeout 5
 general sta-inactivity-timeout 60
 general grace-time 2000
 general laser-beam enable
 general laser-beam-debug disable
 general wired-laser-beam enable
 general stat-update enable
 ap-policy learn-ap disable
 ap-policy classification enable
 ap-policy protect-unsecure-ap disable
 ap-policy detect-misconfigured-ap disable
 ap-policy protect-misconfigured-ap disable
 ap-policy protect-mt-channel-split disable
 ap-policy protect-mt-ssid disable
 ap-policy detect-ap-impersonation disable
 ap-policy protect-ap-impersonation disable
 ap-policy beacon-diff-threshold 50
 ap-policy beacon-inc-wait-time 3
 ap-policy min-pot-ap-beacon-rate 25
 ap-policy min-pot-ap-monitor-time 3
 ap-policy protect-ibss enable
 ap-policy ap-load-balancing disable
 ap-policy ap-lb-max-retries 8
 ap-policy ap-lb-util-high-wm 90
 ap-policy ap-lb-util-low-wm 80
 ap-policy ap-lb-util-wait-time 30
 ap-policy ap-lb-user-high-wm 1
 ap-policy ap-lb-user-low-wm 1
 ap-config short-preamble enable
 ap-config privacy enable
 ap-config wpa disable
 station-policy protect-valid-sta enable
 station-policy handoff-assist disable
 station-policy rssi-falloff-wait-time 4
 station-policy low-rssi-threshold 20
 station-policy rssi-check-frequency 3
 station-policy detect-association-failure disable
 global-policy detect-bad-wep disable
 global-policy detect-interference disable
 global-policy interference-inc-threshold 100
 global-policy interference-inc-timeout 30
 global-policy interference-wait-time 30
 event-threshold fer-high-wm 0
 event-threshold fer-low-wm 0
 event-threshold frr-high-wm 16
 event-threshold frr-low-wm 8
 event-threshold flsr-high-wm 16
 event-threshold flsr-low-wm 8
 event-threshold fnur-high-wm 0
 event-threshold fnur-low-wm 0
 event-threshold frer-high-wm 16
 event-threshold frer-low-wm 8
 event-threshold ffr-high-wm 16
 event-threshold ffr-low-wm 8
 event-threshold bwr-high-wm 0
 event-threshold bwr-low-wm 0
 valid-11b-channel 1 mode enable
 valid-11b-channel 6 mode enable
 valid-11b-channel 11 mode enable
 valid-11a-channel 36 mode enable
 valid-11a-channel 40 mode enable
 valid-11a-channel 44 mode enable
 valid-11a-channel 48 mode enable
 valid-11a-channel 52 mode enable
 valid-11a-channel 56 mode enable
 valid-11a-channel 60 mode enable
 valid-11a-channel 64 mode enable
 valid-ssid ASUS mode enable
 ids-policy signature-check disable
 ids-policy rate-check disable
 ids-policy dsta-check disable
 ids-policy sequence-check disable
 ids-policy mac-oui-check disable
 ids-policy eap-check disable
 ids-policy ap-flood-check disable
 ids-policy adhoc-check enable
 ids-policy wbridge-check enable
 ids-policy sequence-diff 100
 ids-policy sequence-time-tolerance 500
 ids-policy sequence-quiet-time 900
 ids-policy eap-rate-threshold 10
 ids-policy eap-rate-time-interval 60
 ids-policy eap-rate-quiet-time 900
 ids-policy ap-flood-threshold 50
 ids-policy ap-flood-inc-time 3
 ids-policy ap-flood-quiet-time 900
 ids-policy signature-quiet-time 900
 ids-policy dsta-quiet-time 900
 ids-policy adhoc-quiet-time 900
 ids-policy wbridge-quiet-time 900
 ids-policy mac-oui-quiet-time 900
 ids-policy rate-frame-type-param assoc channel-threshold 30
 ids-policy rate-frame-type-param assoc channel-inc-time 3
 ids-policy rate-frame-type-param assoc channel-quiet-time 900
 ids-policy rate-frame-type-param assoc node-threshold 30
 ids-policy rate-frame-type-param assoc node-time-interval 60
 ids-policy rate-frame-type-param assoc node-quiet-time 900
 ids-policy rate-frame-type-param disassoc channel-threshold 30
 ids-policy rate-frame-type-param disassoc channel-inc-time 3
 ids-policy rate-frame-type-param disassoc channel-quiet-time 900
 ids-policy rate-frame-type-param disassoc node-threshold 30
 ids-policy rate-frame-type-param disassoc node-time-interval 60
 ids-policy rate-frame-type-param disassoc node-quiet-time 900
 ids-policy rate-frame-type-param deauth channel-threshold 30
 ids-policy rate-frame-type-param deauth channel-inc-time 3
 ids-policy rate-frame-type-param deauth channel-quiet-time 900
 ids-policy rate-frame-type-param deauth node-threshold 20
 ids-policy rate-frame-type-param deauth node-time-interval 60
 ids-policy rate-frame-type-param deauth node-quiet-time 900
 ids-policy rate-frame-type-param probe-request channel-threshold 200
 ids-policy rate-frame-type-param probe-request channel-inc-time 3
 ids-policy rate-frame-type-param probe-request channel-quiet-time 900
 ids-policy rate-frame-type-param probe-request node-threshold 200
 ids-policy rate-frame-type-param probe-request node-time-interval 15
 ids-policy rate-frame-type-param probe-request node-quiet-time 900
 ids-policy rate-frame-type-param probe-response channel-threshold 200
 ids-policy rate-frame-type-param probe-response channel-inc-time 3
 ids-policy rate-frame-type-param probe-response channel-quiet-time 900
 ids-policy rate-frame-type-param probe-response node-threshold 150
 ids-policy rate-frame-type-param probe-response node-time-interval 15
 ids-policy rate-frame-type-param probe-response node-quiet-time 900
 ids-policy rate-frame-type-param auth channel-threshold 30
 ids-policy rate-frame-type-param auth channel-inc-time 3
 ids-policy rate-frame-type-param auth channel-quiet-time 900
 ids-policy rate-frame-type-param auth node-threshold 30
 ids-policy rate-frame-type-param auth node-time-interval 60
 ids-policy rate-frame-type-param auth node-quiet-time 900
 ids-signature "ASLEAP"
   mode enable
   frame-type beacon ssid asleap
 !
 ids-signature "Null-Probe-Response"
   mode enable
   frame-type probe-response ssid-length 0
 !
 ids-signature "AirJack"
   mode enable
   frame-type beacon ssid AirJack
 !
 ids-signature "NetStumbler Generic"
   mode enable
   payload 0x00601d 3
   payload 0x0001 6
 !
 ids-signature "NetStumbler Version 3.3.0x"
   mode enable
   payload 0x00601d 3
   payload 0x000102 12
 !
 ids-signature "Deauth-Broadcast"
   mode enable
   frame-type deauth
   dst-mac ff:ff:ff:ff:ff:ff
 !
!
site-survey calibration-max-packets 256
site-survey calibration-transmit-rate 500
site-survey rra-max-compute-time 600000
site-survey max-ha-neighbors 3
site-survey neighbor-tx-power-bump 2
site-survey ha-compute-time 0


arm   min-scan-time 8
arm   ideal-coverage-index 5
arm   acceptable-coverage-index 2
arm   wait-time 15
arm   free-channel-index 25
arm   backoff-time 240
arm   error-rate-threshold 0
arm   error-rate-wait-time 30
arm   noise-threshold 0
arm   noise-wait-time 120

crypto isakmp policy 1
    authentication pre-share
!

crypto isakmp key "27ac645da752eea8d8f4c0ba16af125409b21d30c398ee15" address 0.0.0.0 netmask 0.0.0.0
crypto isakmp groupname changeme

ip local pool l2tp_remote_ap 10.1.1.1 10.1.1.10
vpdn group l2tp
  client configuration dns 192.168.1.254
  ppp authentication PAP
  ppp authentication CHAP
  ppp authentication MSCHAP
  ppp authentication MSCHAPv2
!

ip dhcp pool vlan-1
 default-router 172.16.1.1
 dns-server 192.168.1.254
 domain-name homelab.arubanetworks.local
 lease 0 12 0
 network 172.16.1.0 255.255.255.0
!
ip dhcp pool vlan-10
 default-router 172.16.254.254
 dns-server 192.168.1.254
 domain-name homelab.arubanetworks.local
 lease 0 12 0
 network 172.16.254.0 255.255.255.0
!
ip dhcp pool vlan-12
 default-router 172.16.12.1
 dns-server 172.16.15.2
 domain-name homelab.arubanetworks.local
 lease 0 12 0
 network 172.16.12.0 255.255.255.0
!
ip dhcp pool vlan-13
 default-router 172.16.13.1
 dns-server 172.16.15.2
 domain-name homelab.arubanetworks.local
 lease 0 12 0
 network 172.16.13.0 255.255.255.0
!
service dhcp
masterip 127.0.0.1
location "Building1.floor1"
mobility
  parameters 60 buffer 32
  manager disable
  proxy-dhcp enable
  station-masquerade enable
  on-association disable
  trusted-roam disable
  ignore-l2-broadcast disable
  max-dhcp-requests 4
  secure 1000 shared-secret db1089c2b84a1db95a865ac58f27e7d3
!
mobility-local
  local-ha disable
!
mobagent
  home-agent parameters 1000 bindings 300
  secure-mobile spi 1000 d14646c0d5ee575d6f5a1d76588b31b6
  foreign-agent parameters 1100 bindings 300 pending 0 pending-time 300
!

syslocation "Gorinchem"
syscontact "John"
snmp-server community public
pptp ip local pool pptp_pool 172.16.200.1 172.16.200.10
vpdn group pptp
  disable
  disable
  no ppp authentication PAP
  ppp authentication MSCHAPv2
!

stm   dos-prevention disable
stm   strict-compliance enable
stm   fast-roaming enable
stm   sta-dos-prevention enable
stm   sta-dos-block-time 3600
stm   auth-failure-block-time 0
stm   coverage-hole-detection disable
stm   good-rssi-threshold 20
stm   poor-rssi-threshold 10
stm   hole-detection-interval 180
stm   good-sta-ageout 30
stm   idle-sta-ageout 90
stm   ap-inactivity-timeout 15

mux-address 0.0.0.0

adp discovery disable
adp igmp-join enable
adp igmp-vlan 0


mgmt-role root
        description "This is Default Super User Role"
        permit super-user
!
mgmt-user admin root e64804748ae0595895e31e281cd54f30


no database synchronize
database synchronize rf-plan-data

esi ping FortiPing
  frequency 300
  timeout 2
  retry-count 3
!
esi server FortiGate60
  trusted-ip-addr 172.16.101.254 health-check
  untrusted-ip-addr 172.16.100.254 health-check
  mode route
!
esi group FortiNet
  ping FortiPing
  server FortiGate60
!
esi blacklist virus-infected

ip igmp
!

ip router pim
!

ads netad mode disable

packet-capture-defaults tcp disable udp disable sysmsg disable other disable
end
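
Added example, not part of the original document and not controller code: a first-match evaluator in Python for the session ACL "Fortinet" and the netservice definitions shown in the configuration above. For a given flow it reports whether the controller permits it, redirects it to the ESI group, or drops it under the implicit deny at the end of the list. Only the ACL entries and the service definitions come from the page; the Flow type, its fields, the handling of the "user" alias and the sample flows are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional

# netservice definitions from the controller: name -> (protocol, low port, high port)
NETSERVICES = {
    "svc-dhcp":  ("udp", 67, 68),
    "svc-dns":   ("udp", 53, 53),
    "svc-icmp":  ("icmp", None, None),
    "svc-http":  ("tcp", 80, 80),
    "svc-https": ("tcp", 443, 443),
    "svc-pop3":  ("tcp", 110, 110),
    "svc-smtp":  ("tcp", 25, 25),
    "svc-ftp":   ("tcp", 21, 21),
}

REDIRECT = "redirect esi-group FortiNet direction both"

# ip access-list session Fortinet as (source, destination, service, action),
# in the order the controller evaluates the entries.
FORTINET_ACL = [
    ("any", "any", "svc-dhcp", "permit"),
    ("any", "any", "svc-dns", "permit"),
    ("any", "any", "svc-icmp", "permit"),
    ("any", "any", "svc-http", REDIRECT),
    ("any", "any", "svc-https", REDIRECT),
    ("any", "any", "svc-pop3", REDIRECT),
    ("any", "any", "svc-smtp", REDIRECT),
    ("any", "any", "svc-ftp", REDIRECT),
]


@dataclass(frozen=True)
class Flow:                    # constructed for this example
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int]       # destination port; None for ICMP
    from_user: bool = True     # True when the wireless client is the source


def service_matches(service: str, flow: Flow) -> bool:
    proto, low, high = NETSERVICES[service]
    if proto != flow.proto:
        return False
    if low is None:            # port-less service such as ICMP
        return True
    return flow.dport is not None and low <= flow.dport <= high


def alias_matches(alias: str, flow: Flow, is_source: bool) -> bool:
    """'any' matches every host; 'user' matches the client end of the flow."""
    if alias == "any":
        return True
    if alias == "user":
        return flow.from_user if is_source else not flow.from_user
    raise ValueError(f"alias {alias!r} is not modelled in this example")


def evaluate(acl, flow: Flow) -> str:
    """First matching entry wins; no match falls to the implicit deny."""
    for src, dst, service, action in acl:
        if (alias_matches(src, flow, True) and alias_matches(dst, flow, False)
                and service_matches(service, flow)):
            return action
    return "deny (implicit, end of list)"


if __name__ == "__main__":
    # Constructed sample flows from a client holding the Fortinet role.
    for flow in (Flow("tcp", 80), Flow("tcp", 443), Flow("udp", 53),
                 Flow("icmp", None), Flow("tcp", 1433)):
        print(flow, "->", evaluate(FORTINET_ACL, flow))
```

Running it shows HTTP, HTTPS, POP3, SMTP and FTP going to the ESI group, DHCP, DNS and ICMP permitted, and anything else, for instance TCP/1433 database traffic, ending in the implicit deny. That last case is worth checking against the introduction, which expects non-inspected traffic to be forwarded: in the Fortinet role as listed, such traffic needs its own permit entry or it is dropped.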







FortiGate Configuration
Most relevant config items are highlighted

Fortigate-60 # show
#config-version=FGT-60-2.80-FW-build393-050405
config system vdom
    edit "root"
    next
end
config system global
    set admintimeout 480
    set authtimeout 15
    set failtime 5
    set hostname "Fortigate-60"
    set interval 5
    set ntpserver "132.246.168.148"
    set refresh 5
    set syncinterval 60
    set timezone 26
end
config system interface
    edit "internal"
        set ip 172.16.101.254 255.255.255.0
        set allowaccess ping https http telnet
    next
    edit "wan1"
        set ip 172.16.100.254 255.255.255.0
        set allowaccess ping
    next
    edit "wan2"
        set ip 192.168.101.99 255.255.255.0
        set allowaccess ping
        set status down
    next
    edit "dmz"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https
        set status down
    next
end
config system dns
    set primary 65.39.139.53
    set secondary 65.39.139.63
    set fwdintf internal
end
config system accprofile
    edit "prof_admin"
        set admingrp rw
        set authgrp rw
        set loggrp rw
        set secgrp rw
        set sysgrp rw
        set sysshutdowngrp rw
        set updgrp rw
    next
end
config system admin
    edit "admin"
        set accprofile "prof_admin"
    next
end
config system replacemsg mail "email_block"
    set buffer "Potentially Dangerous Attachment Removed. The file \"%%FILE%%\" has been blocked. File quarantined as: \"%%QUARFILENAME%%\"."
    set format text
    set header 8bit
end
config system replacemsg mail "email_virus"
    set buffer "Dangerous Attachment has been Removed. The file \"%%FILE%%\" has been removed because of a virus. It was infected with the \"%%VIRUS%%\" virus. File quarantined as: \"%%QUARFILENAME%%\"."
    set format text
    set header 8bit
end
config system replacemsg mail "email_filesize"
    set buffer "This email has been blocked. The email message is larger than the configured file size limit."
    set format text
    set header 8bit
end
config system replacemsg mail "partial"
    set buffer "Fragmented emails are blocked."
    set format text
    set header 8bit
end
config system replacemsg mail "smtp_block"
    set buffer "The file %%FILE%% has been blocked. File quarantined as: %%QUARFILENAME%%"
    set format text
    set header none
end
config system replacemsg mail "smtp_virus"
    set buffer "The file %%FILE%% has been infected with the virus %%VIRUS%% File quarantined as %%QUARFILENAME%%"
    set format text
    set header none
end
config system replacemsg mail "smtp_filesize"
    set buffer "This message is larger than the configured limit and has been blocked."
    set format text
    set header none
end
config system replacemsg http "bannedword"
    set buffer "<HTML><BODY>The page you requested has been blocked because it contains a banned word. URL = http://%%URL%%</BODY></HTML>"
    set format html
    set header http
end
config system replacemsg http "url_block"
    set buffer "<HTML><BODY>The URL you requested has been blocked. URL = %%URL%%</BODY></HTML>"
    set format html
    set header http
end
config system replacemsg http "http_block"
    set buffer "<HTML> <BODY> <h2>High security alert!!!</h2> <p>You are not permitted to download the file \"%%FILE%%\".</p> <p>URL = http://%%URL%%</p> </BODY> </HTML>"
    set format html
    set header http
end
config system replacemsg http "http_virus"
    set buffer "<HTML><BODY><h2>High security alert!!!</h2><p>You are not permitted to download the file \"%%FILE%%\" because it is infected with the virus \"%%VIRUS%%\". </p><p>URL = http://%%URL%%</p><p>File quarantined as: %%QUARFILENAME%%.</p></BODY></HTML>"
    set format html
    set header http
end
config system replacemsg http "http_filesize"
    set buffer "<HTML><BODY> <h2>Attention!!!</h2><p>The file \"%%FILE%%\" has been blocked. The file is larger than the configured file size limit.</p> <p>URL = http://%%URL%%</p> </BODY></HTML>"
    set format html
    set header http
end
config system replacemsg http "http_client_block"
    set buffer "<HTML> <BODY> <h2>High security alert!!!</h2> <p>You are not permitted to upload the file \"%%FILE%%\".</p> <p>URL = http://%%URL%%</p> </BODY> </HTML>"
    set format html
    set header http
end
config system replacemsg http "http_client_virus"
    set buffer "<HTML><BODY><h2>High security alert!!!</h2><p>You are not permitted to upload the file \"%%FILE%%\" because it is infected with the virus \"%%VIRUS%%\". </p><p>URL = http://%%URL%%</p><p>File quarantined as: %%QUARFILENAME%%.</p></BODY></HTML>"
    set format html
    set header http
end
config system replacemsg http "http_client_filesize"
    set buffer "<HTML><BODY> <h2>Attention!!!</h2><p>Your request has been blocked. The request is larger than the configured file size limit.</p> <p>URL = http://%%URL%%</p> </BODY></HTML>"
    set format html
    set header http
end
config system replacemsg http "http_client_bannedword"
    set buffer "<HTML><BODY>The page you uploaded has been blocked because it contains a banned word. URL = http://%%URL%%</BODY></HTML>"
    set format html
    set header http
end
config system replacemsg ftp "ftp_dl_infected"
    set buffer "Transfer failed. The file %%FILE%% is infected with the virus %%VIRUS%%. File quarantined as %%QUARFILENAME%%."
    set format text
    set header none
end
config system replacemsg ftp "ftp_dl_blocked"
    set buffer "Transfer failed. You are not permitted to transfer the file \"%%FILE%%\"."
    set format text
    set header none
end
config system replacemsg ftp "ftp_dl_filesize"
    set buffer "File size limit exceeded."
    set format text
    set header none
end
config system replacemsg alertmail "alertmail_virus"
    set buffer "Virus/Worm detected: %%VIRUS%% Protocol: %%PROTOCOL%% Source IP: %%SOURCE_IP%% Destination IP: %%DEST_IP%% Email Address From: %%EMAIL_FROM%% Email Address To: %%EMAIL_TO%% "
    set format text
    set header none
end
config system replacemsg alertmail "alertmail_block"
    set buffer "File Block Detected: %%FILE%% Protocol: %%PROTOCOL%% Source IP: %%SOURCE_IP%% Destination IP: %%DEST_IP%% Email Address From: %%EMAIL_FROM%% Email Address To: %%EMAIL_TO%% "
    set format text
    set header none
end
config system replacemsg alertmail "alertmail_nids_event"
    set buffer "The following intrusion was observed: %%NIDS_EVENT%%."
    set format text
    set header none
end
config system replacemsg alertmail "alertmail_crit_event"
    set buffer "The following critical firewall event was detected: %%CRITICAL_EVENT%%."
    set format text
    set header none
end
config system replacemsg alertmail "alertmail_disk_full"
    set buffer "The log disk is Full."
    set format text
    set header none
end
config system replacemsg catblock "cat_block"
    set buffer "<html><head><title>Webfilter Violation</title></head><body><font size=2><table width=\"100%\"><tr><td>%%FORTIGUARD%%</td><td align=\"right\">%%FORTINET%%</td></tr><tr><td bgcolor=#ff6600 align=\"center\" colspan=2><font color=#ffffff><b>Web Page Blocked</b></font></td></tr></table><br><br>You have tried to access a web page which is in violation of your internet usage policy.<br><br>URL:&nbsp;%%URL%%<br>Category:&nbsp;%%CATEGORY%%<br><br>To have the rating of this web page re-evaluated please contact your administrator.<br><br><hr><br>Powered by %%SERVICE%%.</font></body></html>"
    set format html
    set header http
end
config system replacemsg catblock "http_err"
    set buffer "<html><head><title>%%HTTP_ERR_CODE%% %%HTTP_ERR_DESC%%</title></head><body><font size=2><table width=\"100%\"><tr><td>%%FORTIGUARD%%</td><td align=\"right\">%%FORTINET%%</td></tr><tr><td bgcolor=#3300cc align=\"center\" colspan=2><font color=#ffffff><b>%%HTTP_ERR_CODE%% %%HTTP_ERR_DESC%%</b></font></td></tr></table><br><br> The webserver for %%URL%% reported that an error occurred while trying to access the website. Please click <u><a onclick=\"history.back()\">here</a></u> to return to the previous page.<br><br><hr><br>Powered by %%SERVICE%%.</font></body></html>"
    set format html
    set header http
end
config system replacemsg spam "ipblocklist"
    set buffer "Mail from this IP address is not allowed and has been blocked."
    set format text
    set header none
end
config system replacemsg spam "smtp_spam_rbl"
    set buffer "This message has been blocked because it is from a RBL/ORDBL IP address."
    set format text
    set header none
end
config system replacemsg spam "smtp_spam_feip"
    set buffer "This message has been blocked because it is from a FortiSpamshield black IP address."
    set format text
    set header none
end
config system replacemsg spam "smtp_spam_helo"
    set buffer "This message has been blocked because the HELO/EHLO domain is invalid."
    set format text
    set header none
end
config system replacemsg spam "smtp_spam_emailblack"
    set buffer "Mail from this email address is not allowed and has been blocked."
    set format text
    set header none
end
config system replacemsg spam "smtp_spam_mimeheader"
    set buffer "This message has been blocked because it contains an invalid header."
    set format text
    set header none
end
config system replacemsg spam "reversedns"
    set buffer "This message has been blocked because the return email domain is invalid."
    set format text
    set header none
end
config system replacemsg spam "smtp_spam_bannedword"
    set buffer "This message has been blocked because it contains a banned word."
    set format text
    set header none
end
config system replacemsg spam "smtp_spam_fsurl"
    set buffer "This message has been blocked because it contains FortiSpamshield blocking URL(s)."
    set format text
    set header none
end
config system snmp sysinfo
end
config firewall profile
    edit "strict"
        set http scan block oversize bannedword urlblock scriptfilter urlexempt
        set imap scan block oversize spamemailbwl spamraddrdns spamhdrcheck bannedword
        set pop3 scan block oversize spamemailbwl spamraddrdns spamhdrcheck bannedword
        set smtp scan block oversize spamipbwl spamhelodns spamrbl spamemailbwl spamraddrdns spamhdrcheck bannedword splice
        set ips anomaly
    next
    edit "scan"
        set ftp scan splice
        set http scan
        set imap scan
        set pop3 scan
        set smtp scan splice
    next
    edit "web"
        set http scan bannedword urlblock urlexempt
        set imap fragmail
        set pop3 fragmail
        set smtp fragmail splice
    next
    edit "unfiltered"
        set imap fragmail
        set pop3 fragmail
        set smtp fragmail splice
    next
end
config webfilter catblock
end
config firewall schedule recurring
    edit "always"
        set day sunday monday tuesday wednesday thursday friday saturday
    next
end
config antivirus filepattern
    edit "*.bat"
        set block imap smtp pop3 http ftp
    next
    edit "*.com"
        set block imap smtp pop3 http ftp
    next
    edit "*.dll"
        set block imap smtp pop3 http ftp
    next
    edit "*.doc"
        set block imap smtp pop3 http ftp
    next
    edit "*.exe"
        set block imap smtp pop3 http ftp
    next
    edit "*.gz"
        set block imap smtp pop3 http ftp
    next
    edit "*.hta"
        set block imap smtp pop3 http ftp
    next
    edit "*.ppt"
        set block imap smtp pop3 http ftp
    next
    edit "*.rar"
        set block imap smtp pop3 http ftp
    next
    edit "*.scr"
        set block imap smtp pop3 http ftp
    next
    edit "*.tar"
        set block imap smtp pop3 http ftp
    next
    edit "*.tgz"
        set block imap smtp pop3 http ftp
    next
    edit "*.vb?"
        set block imap smtp pop3 http ftp
    next
    edit "*.wps"
        set block imap smtp pop3 http ftp
    next
    edit "*.xl?"
        set block imap smtp pop3 http ftp
    next
    edit "*.zip"
        set block imap smtp pop3 http ftp
    next
    edit "*.pif"
        set block imap smtp pop3 http ftp
    next
    edit "*.cpl"
        set block imap smtp pop3 http ftp
    next
end
config antivirus service "http"
    set memfilesizelimit 10
    set port 80
    set uncompsizelimit 10
end
config antivirus service "ftp"
    set memfilesizelimit 10
    set port 21
    set uncompsizelimit 10
end
config antivirus service "pop3"
    set memfilesizelimit 10
    set port 110
    set uncompsizelimit 10
end
config antivirus service "imap"
    set memfilesizelimit 10
    set port 143
    set uncompsizelimit 10
end
config antivirus service "smtp"
    set memfilesizelimit 10
    set port 25
    set uncompsizelimit 10
end
config antivirus grayware "Adware"
end
config antivirus grayware "Dial"
end
config antivirus grayware "Game"
end
config antivirus grayware "Joke"
end
config antivirus grayware "P2P"
end
config antivirus grayware "Spy"
end
config antivirus grayware "Keylog"
end
config antivirus grayware "Hijacker"
end
config antivirus grayware "Plugin"
end
config antivirus grayware "NMT"
end
config antivirus grayware "RAT"
end
config antivirus grayware "Misc"
end
config antivirus grayware "BHO"
end
config antivirus grayware "Toolbar"
end
config antivirus grayware "Download"
end
config antivirus grayware "HackerTool"
end
config spamfilter fortishield
end
config ips group "dns_decoder"
    set port_list "53"
end
config ips group "ftp_decoder"
    set port_list "21"
end
config ips group "http_decoder"
    set port_list "80"
    set uri_length "4096"
end
config ips group "im"
    set codepoint "-1"
end
config ips group "imap_decoder"
    set port_list "143"
end
config ips group "p2p"
    set codepoint "-1"
end
config ips group "pop_decoder"
    set port_list "109, 110"
end
config ips group "rpc_decoder"
    set port_list "111, 32771"
end
config ips group "smtp_decoder"
    set port_list "25"
end
config ips group "snmp_decoder"
    set port_list "161, 162"
    set oid_list ".4.1.77.1.2;.2.1.10.23.2.3.1.5.2.1;.2.1.10.23.2.3.1.6.2.1;.4.1.11.2.3.9.1.1.13.0;.4.1.11.2.3.1.4.2.1.22;.2.1.1.1;.6.3.16.1.2.1.3"
end
config ips group "tcp_reassembler"
    set idle_timeout "120"
    set min_ttl "2"
    set port_list "21, 23, 25, 53, 80, 110, 111, 143, 513"
    set bad_flag_list "NULL, F, U, P, SF, PF, UP, UPF, UAPSF, UAPRSF"
    set direction "from-client"
end
config ips anomaly "icmp_dst_session"
        config limit
            edit "default"
                set threshold 1000
            next
        end
    set status enable
end
config ips anomaly "icmp_flood"
    set threshold "250"
    set status enable
end
config ips anomaly "icmp_src_session"
        config limit
            edit "default"
                set threshold 100
            next
        end
    set status enable
end
config ips anomaly "icmp_sweep"
    set threshold "100"
    set status enable
end
config ips anomaly "large_icmp"
    set threshold "32000"
    set status enable
end
config ips anomaly "portscan"
    set threshold "1000"
    set status enable
end
config ips anomaly "syn_flood"
    set threshold "2000"
    set status enable
end
config ips anomaly "tcp_dst_session"
        config limit
            edit "default"
                set threshold 5000
            next
        end
    set status enable
end
config ips anomaly "tcp_src_session"
        config limit
            edit "default"
                set threshold 2000
            next
        end
    set status enable
end
config ips anomaly "udp_dst_session"
        config limit
            edit "default"
                set threshold 5000
            next
        end
    set status enable
end
config ips anomaly "udp_flood"
    set threshold "2000"
    set status enable
end
config ips anomaly "udp_scan"
    set threshold "2000"
    set status enable
end
config ips anomaly "udp_src_session"
        config limit
            edit "default"
                set threshold 1000
            next
        end
    set status enable
end
config log syslogd setting
    set server "172.16.1.1"
    set status enable
end
config log fortilog setting
    set status enable
end
config log memory setting
    set status enable
end
config log syslogd filter
    set severity information
    set virus enable
    set blocked enable
    set infected enable
    set oversized enable
end
config log memory filter
    set attack enable
    set email enable
    set event enable
    set severity information
    set virus enable
    set web enable
    set admin enable
    set anomaly enable
    set auth enable
    set blocked enable
    set cat_block enable
    set cat_errors enable
    set cat_monitor enable
    set dhcp enable
    set email_log_imap enable
    set email_log_pop3 enable
    set email_log_smtp enable
    set exempt enable
    set ha enable
    set infected enable
    set ipsec enable
    set oversized enable
    set pattern enable
    set ppp enable
    set signature enable
    set system enable
    set url_block enable
    set web_content enable
end
config system session-helper
    edit 1
        set name pptp
        set port 1723
        set protocol 6
    next
    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
    edit 3
        set name ras
        set port 1719
        set protocol 17
    next
    edit 4
        set name tns
        set port 1521
        set protocol 6
    next
    edit 5
        set name ident
        set port 21
        set protocol 6
    next
    edit 6
        set name ident
        set port 23
        set protocol 6
    next
    edit 7
        set name ident
        set port 25
        set protocol 6
    next
    edit 8
        set name tftp
        set port 69
        set protocol 17
    next
    edit 9
        set name rtsp
        set port 554
        set protocol 6
    next
    edit 10
        set name rtsp
        set port 7070
        set protocol 6
    next
    edit 11
        set name ftp
        set port 21
        set protocol 6
    next
    edit 12
        set name mms
        set port 1863
        set protocol 6
    next
    edit 13
        set name pmap
        set port 111
        set protocol 6
    next
    edit 14
        set name pmap
        set port 111
        set protocol 17
    next
end
config system console
    set output more
end
exec enter root

config system dhcp server
    edit "internal_dhcp_server"
        set default-router 192.168.1.99
        set dns-server1 192.168.1.99
        set end-ip 192.168.1.210
        set interface "internal"
        set netmask 255.255.255.0
        set start-ip 192.168.1.110
    next
end
config firewall address
    edit "all"
    next
end
config firewall vip
end
config firewall policy
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set profile_status enable
        set profile "strict"
    next
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set profile_status enable
        set profile "strict"
    next
end
config router rip
        config redistribute "connected"
        end
        config redistribute "static"
        end
        config redistribute "ospf"
        end
        config redistribute "bgp"
        end
end
config router static
    edit 1
        set device "wan1"
        set dst 172.16.0.0 255.255.0.0
        set gateway 172.16.100.1
    next
    edit 2
        set device "internal"
        set gateway 172.16.101.1
    next
end
config router ospf
        config redistribute "connected"
        end
        config redistribute "static"
        end
        config redistribute "rip"
        end
end


FortiGate Screenshots

System overview




Session status. Here you can check the current sessions




Network configuration




Static route configuration


Routing table




Firewall policy configuration




Log configuration. Make sure that Syslog is set up correctly: configure the Aruba
controller's master IP address as the Syslog server, with port=514, level=informational
and facility=local7.




Log configuration. Make sure that the FortiGate sends Syslog messages for Anti-virus
alerts.


Antivirus report. Go to http://eicar.com/anti_virus_test_file.htm and download the
test file to generate security alerts.




You will see the alert below in your browser.




And the WLAN client is disconnected (blacklisted) from the network.
(Aruba800) #show log all 7
Aug 31 16:53:53 date=2005-08-31 time=16:49:46 device_id=FGT-602103240114
log_id=0212063000 type=virus subtype=filename pri=warning vd=root src=172.16.1.252
dst=83.246.65.3 src_int=wan1 dst_int=internal service=http status=blocked from="n/a"
to="n/a" fi
Aug 31 16:53:53 date=2005-08-31 time=16:49:46 device_id=FGT-602103240114
log_id=0212063000 type=virus subtype=filename pri=warning vd=root src=172.16.1.252
dst=83.246.65.3 src_int=wan1 dst_int=internal service=http status=blocked from="n/a"
to="n/a" fi
Aug 31 16:53:53 <authmgr INFO> blacklisting user 00:05:4e:44:c8:a8
Aug 31 16:53:53 <authmgr INFO> Removing session entries for 172.16.1.252 from datapath
Aug 31 16:53:53 <authmgr INFO> user del <00:05:4e:44:c8:a8 172.16.1.252 test> user entry
deleted; reason=blacklist user
Aug 31 16:53:53 <authmgr INFO> tunnel del <00:05:4e:44:c8:a8> Reset station role to
logon (1) (ingress=4170)
Aug 31 16:53:53 <authmgr INFO> station down <00:05:4e:44:c8:a8> bssid 00:0b:86:a0:ab:30,
essid aruba-ap, vlan 1, ingress 0x104a (tunnel 10), u_encr 1, m_encr 1, loc 1.1.1
slotport 0x1020

(Aruba800) #show stm dos-sta

DoS STA List
------------
STA                 reason              block-time(sec)
---                 ------              ---------------
00:05:4e:44:c8:a8   session-blacklist   230


The default blacklist time is 1 hour (3600 seconds):
(Aruba800) #show stm config

STM Configuration
-----------------
key                       value
---                       -----
strict-compliance         enable
dos-prevention            disable
fast-roaming              enable
sta-dos-prevention        enable
sta-dos-block-time        3600
auth-failure-block-time   0
coverage-hole-detection   disable
good-rssi-threshold       20
poor-rssi-threshold       10
hole-detection-interval   180
good-sta-ageout           30
idle-sta-ageout           90
ap-inactivity-timeout     15
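The blacklisting shown above is driven by the FortiGate syslog events the controller receives. The following added example (not Aruba or Fortinet code) parses FortiGate key=value syslog lines, picks out antivirus blocks, and derives one blacklist action per client IP with the 3600 second block time; the sample lines, the FGT-EXAMPLE device id and the web filter event are constructed after the log format shown above.

```python
"""Derive client blacklist actions from FortiGate antivirus syslog events.
Added example, not Aruba or Fortinet code; sample lines are constructed after
the FortiGate log format shown in this document."""
import re
from dataclasses import dataclass

# FortiGate syslog bodies are key=value pairs; values may be double-quoted.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Matches sta-dos-block-time 3600 in the STM configuration above (1 hour).
DEFAULT_BLOCK_TIME = 3600


def parse_fortigate_event(line: str) -> dict:
    """Return the key=value fields of one syslog line as a dict.

    Timestamp words and a truncated trailing token carry no '=' and are skipped.
    """
    fields = {}
    for match in _KV_RE.finditer(line):
        key, raw, unquoted = match.groups()
        fields[key] = unquoted if unquoted is not None else raw
    return fields


def is_av_block(event: dict) -> bool:
    """True for an antivirus block: type=virus and status=blocked."""
    return event.get("type") == "virus" and event.get("status") == "blocked"


@dataclass
class BlacklistAction:
    client_ip: str
    block_time: int
    alerts: int = 1  # number of alerts folded into this action


def blacklist_actions(lines, block_time=DEFAULT_BLOCK_TIME):
    """Map AV block events to one blacklist action per client IP (src).

    Repeated alerts for one client (the log above shows the same event twice)
    are folded into a single action instead of being counted twice.
    """
    actions = {}
    for line in lines:
        event = parse_fortigate_event(line)
        if not is_av_block(event) or "src" not in event:
            continue
        ip = event["src"]
        if ip in actions:
            actions[ip].alerts += 1
        else:
            actions[ip] = BlacklistAction(ip, block_time)
    return actions


# Constructed sample input: the same AV block for 172.16.1.252 reported twice,
# plus a web filter block that must not lead to blacklisting.
SAMPLE_LOG = [
    'Aug 31 16:53:53 date=2005-08-31 time=16:49:46 device_id=FGT-EXAMPLE '
    'log_id=0212063000 type=virus subtype=filename pri=warning vd=root '
    'src=172.16.1.252 dst=83.246.65.3 src_int=wan1 dst_int=internal '
    'service=http status=blocked from="n/a" to="n/a" fi',
] * 2 + [
    'Aug 31 16:55:10 date=2005-08-31 time=16:51:03 device_id=FGT-EXAMPLE '
    'type=webfilter subtype=urlfilter pri=notice vd=root src=172.16.1.253 '
    'dst=216.219.72.135 service=http status=blocked msg="URL blocked"',
]
```

Calling `blacklist_actions(SAMPLE_LOG)` yields a single action for 172.16.1.252 with two folded alerts and a 3600 second block time.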


Troubleshooting
Verify that the ESI server(s) are up and healthy
(Aruba800) #show esi servers
ESI Server Table
----------------
Name         Trusted IP       Untrusted IP     Trusted s/p  Untrusted s/p  Group     Mode   ID  Flags
----         ----------       ------------     -----------  -------------  -----     ----   --  -----
FortiGate60  172.16.101.254   172.16.100.254   -/-          -/-            FortiNet  route  0   S U HT HU
Flags:
  S :Sibyte Download complete
  U :Server Up
  D :Server Down
  PT:Trusted Ping response outstanding
  PU:Untrusted Ping response outstanding
  HT:Health Check Trusted IP
  HU:Health Check Untrusted IP
  FT:Trusted Ping failed
  FU:Untrusted Ping failed

Verify the ESI group
(Aruba800) #show esi groups

ESI Group Table
---------------
Name      Tunnel ID  Ping       Flags  Servers
----      ---------  ----       -----  -------
FortiNet  0x1049     FortiPing  S      1
Flags:
  S:Sibyte Download complete


Verify the datapath
(Aruba800) #show datapath esi

Datapath ESI Server Entries
---------------------------
Server         IP              MAC            Dest    VLAN     Type      Flags
------ --------------- -----------------      ----    ----   ---------   -----
0       172.16.100.254   00:09:0F:0A:61:C2    1/4     100    Untrusted   R
0       172.16.101.254   00:09:0F:0A:61:C0    1/5     101    Trusted     R


Verify that the user is authenticated via the captive portal (CP) and is in the correct role
(here the Fortinet role), the role in which redirection for http, https, pop3, smtp and ftp
takes place
(Aruba800) #show user-table verbose

Users
-----
IP            MAC                Name  Role      Age(d:h:m)  Auth  VPN link  location  Roaming     Essid/Bssid/Phy               Server    Vlan   Bwm
----------    ------------       ----  ----      ----------  ----  --------  --------  -------     ---------------               ------    ----   ---
172.16.1.253  00:0e:35:89:0c:05  test  Fortinet  00:02:20    Web             1.1.1     Associated  aruba-ap/00:0b:86:a0:ab:30/g  Internal  1 (1)

User Entries: 1/1

Verify session redirection
(Aruba800) #show datapath session tab 172.16.1.253

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP

  Source IP      Destination IP   Prot   SPort   DPort    Cntr   Prio   ToS   Age   Flags
--------------   --------------   ----   -----   -----    ----   ----   ---   ---   -----
172.16.1.253     216.219.72.135   6      1309    80       0      0      0     0     RC
172.16.1.253     216.219.72.135   6      1310    80       0      0      0     0     FRC
172.16.1.253     216.219.72.135   6      1311    80       0      0      0     0     RC
172.16.1.253     216.219.72.135   6      1307    80       0      0      0     0     FRC
216.219.72.135   172.16.1.253     6      80      1307     0      0      0     1     R
216.219.72.135   172.16.1.253     6      80      1311     0      0      0     1     R
216.219.72.135   172.16.1.253     6      80      1310     0      0      0     1     R
216.219.72.135   172.16.1.253     6      80      1309     0      0      0     1     R
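To check the table above programmatically, here is an added example (not Aruba code) that parses the rows of "show datapath session" output and reports client sessions to the redirected ports that lack the R (redirect) flag. The sample table is constructed after the output above with one extra unredirected HTTP row, and the set of redirected port numbers is an assumption of this example.

```python
"""Check ESI redirection in Aruba 'show datapath session' output.
Added example, not Aruba code; the sample table is constructed after the
output shown above plus one deliberately unredirected row."""
from typing import List, NamedTuple

# Destination ports the Fortinet role redirects to the ESI server
# (ftp, smtp, http, pop3, https); the port numbers are an assumption here.
REDIRECTED_PORTS = {21, 25, 80, 110, 443}


class Session(NamedTuple):
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: str


def parse_session_table(text: str) -> List[Session]:
    """Parse data rows of the session table; header and rule lines are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with an IP address; the Flags column may be empty.
        if len(parts) < 9 or not parts[0][0].isdigit():
            continue
        flags = parts[9] if len(parts) > 9 else ""
        sessions.append(Session(parts[0], parts[1], int(parts[2]),
                                int(parts[3]), int(parts[4]), flags))
    return sessions


def unredirected_sessions(sessions: List[Session], client_ip: str) -> List[Session]:
    """Client-originated TCP sessions to a redirected port that lack the R flag."""
    return [s for s in sessions
            if s.src == client_ip and s.proto == 6
            and s.dport in REDIRECTED_PORTS and "R" not in s.flags]


# Constructed sample: rows copied from the output above, then one HTTP session
# without the R flag (it would bypass the ESI server) and one non-redirected port.
SAMPLE_TABLE = """\
  Source IP      Destination IP   Prot   SPort   DPort    Cntr   Prio   ToS   Age   Flags
--------------   --------------   ----   -----   -----    ----   ----   ---   ---   -----
172.16.1.253     216.219.72.135   6      1309    80       0      0      0     0     RC
172.16.1.253     216.219.72.135   6      1310    80       0      0      0     0     FRC
216.219.72.135   172.16.1.253     6      80      1310     0      0      0     1     R
172.16.1.253     216.219.72.135   6      1312    80       0      0      0     0     C
172.16.1.253     172.16.1.99      6      1313    3306     0      0      0     0     C
"""

if __name__ == "__main__":
    for s in unredirected_sessions(parse_session_table(SAMPLE_TABLE), "172.16.1.253"):
        print(f"not redirected: {s.src}:{s.sport} -> {s.dst}:{s.dport} flags={s.flags!r}")
```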