Administration Guide

Deploy Decoy VMs with the Deployment Wizard

Use the Deception > Deployment Wizard page to create and deploy Decoy VMs on your network. Decoy VMs appear as real endpoints to hackers and can collect valuable information about attacks.

To deploy Decoys on the network:
  1. Go to Deception > Deployment Wizard.
  2. Click + to add a Decoy VM.
  3. Configure the following:

    Name

    Specify the name of the deployment profile. Maximum 15 characters using A-Z, a-z, 0-9, dash, or underscore. No duplicate profile names.

    Appliance Name

    Destination of the Decoy VM. This can be local (manager) or remote client (remote appliance).

    This column only shows in Central Management mode on manager.

    Available Deception OSes

    Select a Deception OS. The OS you select determines the services that are available.

    Available Deception Decoys

    This option is only available for the SCADAV3 deception OS. The decoy you select determines the specific set of services.

    Selected Services

    Displays the services available for the Deception OS you selected.

    Services for Windows include RDP, SMB, NBNSSpoofSpotter (responder tool detection), and TCPLISTENER.

    Services for SCADA include HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GUARDIAN-AST, ENIP, DNP3, and IEC104.

    Services for Ubuntu include SSH, SAMBA, TCPLISTENER, HTTP, HTTPS, and GIT.

    Services for medical OS include Infusion Pump (Telnet), Infusion Pump (FTP), PACS, PACS-WEB, and DICOM server.

    Services for POS OS include POS-WEB.

    Services for ERP OS include ERP-WEB.

    Services for FortiGate include SSLVPN.

    Services for Cisco Router include Telnet, HTTP, SNMP, and CDP.

    Services for HP Printer include Jet-direct, Printer-Web, and SNMP.

    Services for IP Camera include Camera-Web, UPnP, SNMP, and RTSP.

    Automate Lures

    Select one or more tag names to automate lure generation and to generate related content. Selecting any or all tags generates random content.

    Click Generate Lures to automatically generate lures and list them in the panes below.

    Click Clear to delete the lures on this page.

  4. If applicable, click Generate Lures or Add Lure for the service and configure the following:

    Username

    Specify the username for the decoy. Maximum 64 characters using A-Z, a-z, 0-9, or @.

    Do not give a lure the same username as an account that already exists on the decoy, such as administrator for RDP/SMB services on Windows, or root for SSH/SAMBA services on Linux.

    Password

    Specify the password for the decoy: 1-32 non-Unicode characters.

    Sharename

    This option is only available for SAMBA (Ubuntu) or SMB (Windows). Specify a Sharename in 3-63 characters using a-z, 0-9, or dash.

    Update or Cancel

    Click Update to save the username and password. Click Cancel to discard the username and password. Click Delete to delete an existing lure.

    For Windows - NBNSSpoofSpotter:

    Username

    Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.

    Password

    1-32 characters using A-Z, a-z, 0-9, or -!@#$%(~)^&?<>:|+;*/,."'_

    Domain (optional)

    Permitted characters are a-z, A-Z, 0-9, or period.

    Hostname

    Permitted characters are a-z, A-Z, 0-9, dash, or underscore.

    Interval (sec)

    Enter an integer between 60 and 3600.

    For Ubuntu:

    TCP Listener

    Separate multiple ports with a comma (,).

    HTTP Listening Port

    1-65535. Default is 80.

    HTTPS Listening Port

    1-65535. Default is 443.

    Username

    Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.

    Password

    1-32 characters using A-Z, a-z, 0-9, or -!@#$%(~)^&?<>:|+;*/,."'_

    HTTPS SSL Certificate

    Optional. Upload using default settings is supported.

    For GIT users:

    Username

    Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.

    Password

    1-32 characters using A-Z, a-z, 0-9, or -!@#$%(~)^&?<>:|+;*/,."'_

    Repository Name

    1-100 characters using a-z, A-Z, 0-9, dash, or underscore.

    For GIT repository import:

    URL

    Cannot be empty. Permitted characters are a-z, A-Z, 0-9, space, or -@#~?:./_=.

    Username

    Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.

    Password

    Optional. Can be empty.

    For GitHub repository import:

    URL

    Cannot be empty. Permitted characters are a-z, A-Z, 0-9, space, or -@#~?:./_=.

    Token

    Permitted characters are a-z, A-Z, 0-9, or period.

    For SCADAV3:

    FTP Banner

    Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.

    SNMP

    Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.

    Page title

    Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.

    Module type

    Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.

    PLC name

    Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.

    Plant Identification

    Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.

    Serial number

    Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.

    For ERP (CRM):

    Username

    Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.

    Password

    1-32 characters. Permitted characters are a-zA-Z0-9-!@#$%(~)^&?<>:|+;*/,."'_

    For medical:

    Username

    Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.

    Password

    1-32 characters. Permitted characters are a-zA-Z0-9-!@#$%(~)^&?<>:|+;*/,."'_

    PACS System Name

    1-16 characters. Cannot start with digit. Permitted characters are a-z, A-Z, 0-9, dash, or underscore.

    PACS Listening Port

    1-65535. Default is 80.

    DICOM Listening Port

    1-65535. Default is 4242.

    DICOM Server Name

    1-16 characters. Cannot start with a digit. Permitted characters are a-z, A-Z, 0-9, dash, or underscore.

    For POS:

    Listening Port

    1-65535. Default is 80.

    Username

    Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.

    Password

    1-32 characters. Permitted characters are a-zA-Z0-9-!@#$%(~)^&?<>:|+;*/,."'_

    For FortiGate:

    SSLVPN Listening Port

    1-65535. Default is 10443.

    Username

    Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.

    Password

    1-32 characters. Permitted characters are a-zA-Z0-9-!@#$%(~)^&?<>:|+;*/,."'_

    SSLVPN Bookmarks Name

    1-15 characters. Permitted characters are a-z, A-Z, 0-9, dash, underscore, period, or space.

    SSLVPN Bookmarks URL

    Cannot be empty. Permitted characters are a-z, A-Z, 0-9, space, or -@#~?:./_=.

    For Cisco Router (Telnet/HTTP):

    Username

    Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.

    Password

    1-32 characters. Permitted characters are a-zA-Z0-9-!@#$%(~)^&?<>:|+;*/,."'_

    For HP Printer (HTTP):

    Username

    Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.

    Password

    1-32 characters. Permitted characters are a-zA-Z0-9-!@#$%(~)^&?<>:|+;*/,."'_

    For IP Camera (HTTP):

    Username

    Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.

    Password

    1-32 characters. Permitted characters are a-zA-Z0-9-!@#$%(~)^&?<>:|+;*/,."'_

  5. To launch the decoy VM immediately, enable Launch Immediately.
  6. To reset the decoy VM after it detects incidents, enable Reset Decoy and specify the Reset Interval value in seconds.
  7. Click Next.
  8. Specify the DNS and Hostname. The Hostname can start with an English character or a digit, and must not end with a hyphen. Maximum 15 characters using A-Z, a-z, 0-9, or hyphen (case-sensitive). Other symbols, punctuation, or white space are not allowed. The Hostname cannot conflict with decoy names.
  9. Click Add Interface.
  10. Select the Deploy Interface. Set this to the VLAN or subnet added in Set up the Deployment Network.
  11. Configure the following settings in the Add Interface for Decoy pane:

    Addressing Mode

    Select Static or DHCP.

    Static allows you to configure the IP address for all the decoys.

    DHCP allows the decoys to receive an IP address from the DHCP server. If you select DHCP, IP Count is automatically set to 1 and all other fields are not applicable.

    Network Mask

    This field is set automatically.

    Gateway

    Specify the gateway.

    MAC Address OUI

    The first three octets of the MAC address for the device vendor. Only the xx:xx:xx format is supported.

    IP Count

    Specify the number of IP addresses to be assigned, up to 24 (for both Static and DHCP).

    Min

    The minimum IP address in the IP range.

    Max

    The maximum IP address in the IP range.

    IP Ranges

    Specify the IP range between Min and Max.

  12. Click Done.
  13. To deploy the decoys on the network, click Deploy.
  14. To save this as a template in Deception > Deployment Wizard, click Template.
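The field rules in the procedure above are easy to get wrong when many profiles are prepared in bulk. The following Python checker is an added example, not part of FortiDeceptor or this guide: it encodes the profile Name, Hostname, lure Username, MAC Address OUI, IP Count and Static/DHCP range rules from the steps so a profile can be checked before it is typed into the wizard. The profile dictionary layout, the `existing_names` set and the sample values are assumptions made for the example.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Built-in accounts the wizard says a lure username must not duplicate (administrator, root).
RESERVED_LURE_USERS = {"windows": {"administrator"}, "ubuntu": {"root"}}
PROFILE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}$")        # step 3, Name
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,14}$")  # step 8, Hostname
LURE_USER_RE = re.compile(r"^[A-Za-z0-9@]{1,64}$")             # step 4, Username
OUI_RE = re.compile(r"^([0-9A-Fa-f]{2}:){2}[0-9A-Fa-f]{2}$")  # MAC OUI, xx:xx:xx
MAX_IP_COUNT = 24                                              # step 11, IP Count


def check_profile(profile: Dict, existing_names: Set[str]) -> List[str]:
    """Return the rule violations found; an empty list means the profile passes."""
    errors = []
    name = profile.get("name", "")
    if not PROFILE_NAME_RE.match(name):
        errors.append("name: 1-15 chars from A-Z, a-z, 0-9, dash or underscore")
    elif name in existing_names:
        errors.append("name: duplicate deployment profile name")
    host = profile.get("hostname", "")
    if not HOSTNAME_RE.match(host) or host.endswith("-"):
        errors.append("hostname: 1-15 letters, digits or hyphens; no trailing hyphen")
    elif host in existing_names:
        errors.append("hostname: conflicts with an existing decoy name")
    os_name = profile.get("os", "").lower()
    for user in profile.get("lure_users", []):
        if not LURE_USER_RE.match(user):
            errors.append(f"lure user {user!r}: 1-64 chars from A-Z, a-z, 0-9 or @")
        if user.lower() in RESERVED_LURE_USERS.get(os_name, set()):
            errors.append(f"lure user {user!r}: shadows a built-in {os_name} account")
    iface = profile.get("interface", {})
    if not OUI_RE.match(iface.get("oui", "")):
        errors.append("oui: use the xx:xx:xx format")
    count = iface.get("ip_count", 0)
    if not 1 <= count <= MAX_IP_COUNT:
        errors.append(f"ip_count: must be 1-{MAX_IP_COUNT}")
    if iface.get("mode") == "dhcp" and count != 1:
        errors.append("ip_count: DHCP mode fixes the count at 1")
    elif iface.get("mode") == "static":
        try:  # Min/Max must be real addresses and leave room for ip_count decoys
            lo, hi = (ipaddress.ip_address(iface[k]) for k in ("min", "max"))
        except (KeyError, ValueError):
            errors.append("static: min and max must be valid IP addresses")
        else:
            if int(hi) - int(lo) + 1 < count:
                errors.append("static: min-max range must be ordered and hold at least ip_count addresses")
    return errors


# Constructed sample profile for an Ubuntu decoy (not taken from the guide).
GOOD_PROFILE = {"name": "fin-ubuntu-01", "hostname": "fin-fs02", "os": "Ubuntu",
                "lure_users": ["svc@backup"],
                "interface": {"mode": "static", "oui": "00:50:56", "ip_count": 8,
                              "min": "10.1.20.50", "max": "10.1.20.60"}}
```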
