Fortinet black logo

Administration Guide

Deploy Decoy VMs with the Deployment Wizard

Copy Link
Copy Doc ID 63cab9f6-5858-11ec-bdf2-fa163e15d75b:699147
Download PDF

Deploy Decoy VMs with the Deployment Wizard

Use the Deception > Deployment Wizard page to create and deploy Decoy VMs on your network. Decoy VMs appear as real endpoints to hackers and can collect valuable information about attacks.

To deploy Decoys on the network:
  1. Go to Deception > Deployment Wizard.
  2. Click + to add a Decoy VM.
  3. Configure the following:

    Name

    Specify the name of the deployment profile. Maximum 15 characters using A‑Z, a-z, 0-9, dash, or underscore. No duplicate profile names.

    Appliance Name

    Destination of the Decoy VM. This can be local (manager) or remote client (remote appliance).

    This column only shows in Central Management mode on manager.

    Available Deception OSes

    Select a Deception OS. The OS you select determines the services that are available.

    Available Deception Decoys

    This only supports SCADAV3/IoT deception OS. The decoy you select determines the specific services set.

    Selected Services

    Displays the services available for the Deception OS you selected.

    Services for Windows include RDP, SMB, NBNSSpoofSpotter (responder tool detection), TCPLISTENER, ICMP, IIS(HTTP), and IIS(HTTPS).

    Services for SCADA include HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GUARDIAN-AST, ENIP, DNP3, KAMSTRUP, and IEC104.

    Services for Ubuntu include SSH, SAMBA, TCPLISTENER, HTTP, HTTPS, GIT, ICMP.

    Services for Medical OS include Infusion Pump (Telnet), Infusion Pump (FTP), PACS, PACS-WEB, and DICOM server

    Services for POS OS include POS-WEB.

    Services for ERP OS include ERP-WEB.

    Services for FortiGate include SSLVPN.

    Services for Cisco Router include Telnet, HTTP, SNMP and CDP.

    Services for HP Printer include Jetdirect, Printer-WEB and SNMP.

    Services for SAP include SAP ROUTER, SAP DISPATCHER and SAP WEB

    Services for IoT include SNMP, Jetdirect, Printer-WEB, Telnet, HTTP, CDP, TP-LINK WEB, CWMP, IP Camera-WEB, UPnP and RTSP.

    Services for IP Camera include IP Camera-Web, UPnP, SNMP and RTSP.

    CentOS include SSH, SAMBA, TCPLISTENER, HTTP, HTTPS, GIT, and ICMP.

    Automate Lures

    Select one or more tag names to automate lure generation and to generate related contents. Selecting any and all generate random content.

    Click Generate Lures to automatically generate lures and list them in the panes below.

    Click Clear to delete the lures on this page.

  4. If applicable, click Generate lures or Add Lure for the service and configure the lure settings. See, Lure Settings.
  5. To launch the decoy VM immediately, enable Launch Immediately.
  6. To reset the decoy VM after it detects incidents, enable Reset Decoy and specify the Reset Interval value in seconds.
  7. Click Next.
  8. Specify the DNS and Hostname. The Hostname can start with an English character or a digit, and must not end with a hyphen. Maximum 15 characters using A-Z, a-z, 0-9, or hyphen (case-sensitive). Other symbols, punctuation, or white space are not allowed. The Hostname cannot conflict with decoy names.
  9. Click Deploy Into Network.
  10. Select the Deploy Interface. Set this to the VLAN or subnet added in Set up the Deployment Network
  11. Configure the following settings in the Add Interface for Decoy pane:

    Addressing Mode

    Select Static or DHCP.

    Static allows you to configure the IP address for all the decoys.

    DHCP allows the decoys to receive IP address from the DHCP server. If you select DHCP, IP Count is automatically set to 1 and all other fields are not applicable.

    Network Mask

    This field is set automatically.

    Gateway

    Specify the gateway.

    MAC Address OUI

    The first three octets of the MAC address for the device vendor. Only the xx:xx:xx format is supported.

    IP Count

    Specify the number of IP addresses to be assigned, up to 24 ( for both STATIC and DHCP).

    Min

    The minimum IP address in the IP range.

    Max

    The maximum IP address in the IP range.

    IP Ranges

    Specify the IP range between Min and Max.

  12. Click Done.
  13. To deploy the decoys on the network, click Deploy.
  14. To save this as a template in Deception > Deployment Wizard, click Template.
Note

For deception strategies and examples, see Deployment best practices checklist and Deception decoy best practices

Deploy Decoy VMs with the Deployment Wizard

Use the Deception > Deployment Wizard page to create and deploy Decoy VMs on your network. Decoy VMs appear as real endpoints to hackers and can collect valuable information about attacks.

To deploy Decoys on the network:
  1. Go to Deception > Deployment Wizard.
  2. Click + to add a Decoy VM.
  3. Configure the following:

    Name

    Specify the name of the deployment profile. Maximum 15 characters using A‑Z, a-z, 0-9, dash, or underscore. No duplicate profile names.

    Appliance Name

    Destination of the Decoy VM. This can be local (manager) or remote client (remote appliance).

    This column only shows in Central Management mode on manager.

    Available Deception OSes

    Select a Deception OS. The OS you select determines the services that are available.

    Available Deception Decoys

    This only supports SCADAV3/IoT deception OS. The decoy you select determines the specific services set.

    Selected Services

    Displays the services available for the Deception OS you selected.

    Services for Windows include RDP, SMB, NBNSSpoofSpotter (responder tool detection), TCPLISTENER, ICMP, IIS(HTTP), and IIS(HTTPS).

    Services for SCADA include HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GUARDIAN-AST, ENIP, DNP3, KAMSTRUP, and IEC104.

    Services for Ubuntu include SSH, SAMBA, TCPLISTENER, HTTP, HTTPS, GIT, ICMP.

    Services for Medical OS include Infusion Pump (Telnet), Infusion Pump (FTP), PACS, PACS-WEB, and DICOM server

    Services for POS OS include POS-WEB.

    Services for ERP OS include ERP-WEB.

    Services for FortiGate include SSLVPN.

    Services for Cisco Router include Telnet, HTTP, SNMP and CDP.

    Services for HP Printer include Jetdirect, Printer-WEB and SNMP.

    Services for SAP include SAP ROUTER, SAP DISPATCHER and SAP WEB

    Services for IoT include SNMP, Jetdirect, Printer-WEB, Telnet, HTTP, CDP, TP-LINK WEB, CWMP, IP Camera-WEB, UPnP and RTSP.

    Services for IP Camera include IP Camera-Web, UPnP, SNMP and RTSP.

    CentOS include SSH, SAMBA, TCPLISTENER, HTTP, HTTPS, GIT, and ICMP.

    Automate Lures

    Select one or more tag names to automate lure generation and to generate related contents. Selecting any and all generate random content.

    Click Generate Lures to automatically generate lures and list them in the panes below.

    Click Clear to delete the lures on this page.

  4. If applicable, click Generate lures or Add Lure for the service and configure the lure settings. See, Lure Settings.
  5. To launch the decoy VM immediately, enable Launch Immediately.
  6. To reset the decoy VM after it detects incidents, enable Reset Decoy and specify the Reset Interval value in seconds.
  7. Click Next.
  8. Specify the DNS and Hostname. The Hostname can start with an English character or a digit, and must not end with a hyphen. Maximum 15 characters using A-Z, a-z, 0-9, or hyphen (case-sensitive). Other symbols, punctuation, or white space are not allowed. The Hostname cannot conflict with decoy names.
  9. Click Deploy Into Network.
  10. Select the Deploy Interface. Set this to the VLAN or subnet added in Set up the Deployment Network
  11. Configure the following settings in the Add Interface for Decoy pane:

    Addressing Mode

    Select Static or DHCP.

    Static allows you to configure the IP address for all the decoys.

    DHCP allows the decoys to receive IP address from the DHCP server. If you select DHCP, IP Count is automatically set to 1 and all other fields are not applicable.

    Network Mask

    This field is set automatically.

    Gateway

    Specify the gateway.

    MAC Address OUI

    The first three octets of the MAC address for the device vendor. Only the xx:xx:xx format is supported.

    IP Count

    Specify the number of IP addresses to be assigned, up to 24 ( for both STATIC and DHCP).

    Min

    The minimum IP address in the IP range.

    Max

    The maximum IP address in the IP range.

    IP Ranges

    Specify the IP range between Min and Max.

  12. Click Done.
  13. To deploy the decoys on the network, click Deploy.
  14. To save this as a template in Deception > Deployment Wizard, click Template.
Note

For deception strategies and examples, see Deployment best practices checklist and Deception decoy best practices