Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiDeceptor 6.0.0 Administration Guide
    6.0.0
    6.0.1
    6.0.0
    5.3.2
    5.3.1
    5.3.0
    5.2.0
    5.1.0
    5.0.0
    4.3.0
    4.2.0
    4.1.1
    4.1.0
    4.0.2
    4.0.1
    4.0.0
    3.3.3
    3.3.2
    3.3.1
    3.3.0
    3.2.2
    3.2.1
    3.2.0
    3.1.1
    3.1.0
    3.0.2
    3.0.1
    3.0.0
    2.1.0
    2.0.0
    1.1.0
    1.0.1

    Mitigation using Windows remote command

    Mitigation using Windows remote command

    1. Configure the endpoint

    1.1 Verify the endpoint domains and permissions.

    FortiDeceptor will use the administrator account of the AD domain to access Windows endpoints. Please ensure the Windows endpoints are connected to the AD domain and the administrator account of AD domain can access the endpoints.

    Note

    The administrator can also be a domain local admin with permission to disable the endpoint network interfaces.

    1.2 Open the Windows SMB port

    By default, Windows blocks the SMB port 445. To open the port run the following command in PowerShell:

    Set-NetFirewallRule -Name FPS-SMB-In-TCP -Enabled True

    1.3 Enable SMB

    Note

    If the Firewall is enabled by the A/D GPO, you will need to add the FortiDeceptor management IP to the exclusion list.
    1. Type wf. msc in the Windows search box.
    2. Click Inbound Rules in the navigation pane.
    3. Scroll down to File and Printer Sharing (Echo Request - ICMPv4-In).
    4. Enable the options in both Private and Domain profile

    2. Configure FortiDeceptor

    1. In FortiDeceptor, go to Fabric > Quarantine Integration and click + Quarantine Integration with new device.
    2. Configure the integration settings ensuring the user has sufficient privileges to manage NICs.

      Note

      For Edge appliances:

      You are required to go to Network > Interfaces and configure the relevant interface to where the endpoint is accessible. FortiDeceptor v6.0.0 does not support a Trunk port for Windows Network Isolation, IR collector and SSH connector.

    3. (Optional) Click Credentials Test and then click Start to test the connection.

    Previous
    Next

    Mitigation using Windows remote command

    Mitigation using Windows remote command

    1. Configure the endpoint

    1.1 Verify the endpoint domains and permissions.

    FortiDeceptor will use the administrator account of the AD domain to access Windows endpoints. Please ensure the Windows endpoints are connected to the AD domain and the administrator account of AD domain can access the endpoints.

    Note

    The administrator can also be a domain local admin with permission to disable the endpoint network interfaces.

    1.2 Open the Windows SMB port

    By default, Windows blocks the SMB port 445. To open the port run the following command in PowerShell:

    Set-NetFirewallRule -Name FPS-SMB-In-TCP -Enabled True

    1.3 Enable SMB

    Note

    If the Firewall is enabled by the A/D GPO, you will need to add the FortiDeceptor management IP to the exclusion list.
    1. Type wf. msc in the Windows search box.
    2. Click Inbound Rules in the navigation pane.
    3. Scroll down to File and Printer Sharing (Echo Request - ICMPv4-In).
    4. Enable the options in both Private and Domain profile

    2. Configure FortiDeceptor

    1. In FortiDeceptor, go to Fabric > Quarantine Integration and click + Quarantine Integration with new device.
    2. Configure the integration settings ensuring the user has sufficient privileges to manage NICs.

      Note

      For Edge appliances:

      You are required to go to Network > Interfaces and configure the relevant interface to where the endpoint is accessible. FortiDeceptor v6.0.0 does not support a Trunk port for Windows Network Isolation, IR collector and SSH connector.

    3. (Optional) Click Credentials Test and then click Start to test the connection.

    Previous
    Next