Administration Guide

Mitigation using Linux remote command

1. Configure the endpoint

1.1 Verify the endpoint permissions

FortiDeceptor will use the user account with sudo permissions to access Linux endpoints. Please ensure the user account is included in the sudo group at the endpoint(s).

To create and add a user in the sudo group in the Linux endpoint terminal:

Ubuntu:

CentOS/RedHat:

Debian:

1.2 Allow the Linux SSH connection

By default, the SSH service may not be installed at the Linux endpoint, or the endpoint's local firewall may block SSH traffic. To install the SSH service and open the port, run the following commands:

sudo apt install openssh-server

sudo ufw allow ssh

1.3 Install nmcli at Linux endpoints

nmcli is the network management command-line tool required for Linux endpoint isolation.

To install nmcli, run the commands for your distribution:

Ubuntu/Debian (Debian-based distribution)

sudo apt update

sudo apt install network-manager

CentOS/RedHat (RPM-based distribution)

sudo yum check-update

sudo yum install NetworkManager

1.4 Allow nmcli command to run without password prompt

  1. Create a new file named quarantine under /etc/sudoers.d.
  2. Copy the line YOUR_USERNAME_HERE ALL = (ALL) NOPASSWD: /bin/nmcli networking off into the new file, replacing YOUR_USERNAME_HERE with the real user name.
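The following shell script is an added example for step 1.4; it is not Fortinet's own code. It writes the single sudoers rule the guide specifies for a given account and performs the checks an administrator would want before a sudoers drop-in goes live: the file name must contain no '.' or '~' (sudo silently skips such files), the mode must be 0440, and the syntax should pass visudo. It assumes nmcli is at /bin/nmcli, as the rule in the guide states, and takes an optional directory argument so it can be dry-run outside /etc/sudoers.d.

```shell
#!/bin/sh
# Added example (not Fortinet's own code): generates and installs the sudoers.d
# drop-in from step 1.4 for the FortiDeceptor service account.
# Assumption: nmcli lives at /bin/nmcli on the endpoint, as the guide's rule states.

# Print the one rule the guide specifies, for the named account.
quarantine_rule() {
    user="$1"
    # Accept only a plain account name so a bad value cannot smuggle extra sudoers syntax.
    case "$user" in
        ''|*[!A-Za-z0-9_-]*) echo "quarantine_rule: invalid username '$user'" >&2; return 1 ;;
    esac
    printf '%s ALL = (ALL) NOPASSWD: /bin/nmcli networking off\n' "$user"
}

# Install the rule as <dir>/quarantine (dir defaults to /etc/sudoers.d).
# The final name has no '.' or '~', and the mode is 0440; sudo ignores drop-ins
# that violate either, which would leave the isolation command prompting for a password.
install_quarantine_rule() {
    user="$1"
    dir="${2:-/etc/sudoers.d}"
    target="$dir/quarantine"
    tmp="$target.tmp"   # the '.' keeps sudo from loading the half-written file
    quarantine_rule "$user" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0440 "$tmp"
    # Syntax-check before going live: a broken sudoers file locks every admin out.
    # Only meaningful as root, since visudo also flags non-root ownership of the file.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$target"
}
```

Run it as root on the endpoint with the service account name, for example `install_quarantine_rule fortideceptor`. The rule grants the account exactly one privileged command, which is the least privilege the isolation action needs; do not widen it to `/bin/nmcli` without arguments.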

2. Configure FortiDeceptor

  1. In FortiDeceptor, go to Fabric > Quarantine Integration and click + Quarantine Integration with new device.
  2. Configure the integration settings, ensuring the user has sufficient privileges to manage NICs.

  3. (Edge appliance only) Configure interface IP address for endpoint connection.

    Example:

    If a decoy (IP: 10.10.2.12) is deployed in the deployment network (subnet 10.10.2.0/24) under the interface (port2), then the interface (port2) should be assigned an IP address in the same subnet, so that the isolation command can be sent to the endpoints from the corresponding interface.

    Note

    For Edge appliances:

    You are required to go to Network > Interfaces and configure the relevant interface to where the endpoint is accessible. FortiDeceptor v6.0.0 does not support a Trunk port for Windows Network Isolation, IR collector and SSH connector.

  4. (Optional) Click Credentials Test and then click Start to test the connection.

3. (Optional) Share SSH public key to the endpoint

This step is required when the SSH connector is configured with an SSH certificate as the authentication method.

  1. In FortiDeceptor, go to Fabric > Quarantine Integration, and download the generated SSH public key.
  2. Apply the downloaded generated SSH public key to the corresponding user at the endpoints.
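The following shell script is an added example for step 3.2; it is not Fortinet's own code. It installs the downloaded public key into the endpoint account's authorized_keys with the directory and file modes sshd requires, rejects anything that is not a single OpenSSH public-key line (for instance a private key or PEM blob copied by mistake), and is idempotent so that repeating the download does not duplicate the entry. It assumes the key FortiDeceptor generates is in OpenSSH one-line format and takes the account's home directory as an argument.

```shell
#!/bin/sh
# Added example (not Fortinet's own code): installs the SSH public key downloaded
# from Fabric > Quarantine Integration for the endpoint account the connector uses.
# Assumption: the key is in OpenSSH one-line format ("<type> <base64> [comment]").

# True only for a one-line OpenSSH public key. Every OpenSSH key blob begins with the
# length-prefixed key type, so its base64 always starts with "AAAA".
valid_pubkey_line() {
    case "$1" in
        "ssh-ed25519 AAAA"*|"ssh-rsa AAAA"*|\
        "ecdsa-sha2-nistp256 AAAA"*|"ecdsa-sha2-nistp384 AAAA"*|"ecdsa-sha2-nistp521 AAAA"*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# install_authorized_key <downloaded key file> <home directory of the endpoint account>
install_authorized_key() {
    keyfile="$1"
    home="$2"
    line=""
    read -r line < "$keyfile" || [ -n "$line" ] || return 1   # first line only
    valid_pubkey_line "$line" || {
        echo "install_authorized_key: $keyfile is not an OpenSSH public key" >&2
        return 1
    }
    auth="$home/.ssh/authorized_keys"
    # sshd (StrictModes) ignores keys if ~/.ssh or authorized_keys is group/world-accessible.
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$auth"
    chmod 600 "$auth"
    # Idempotent: add the key only if this exact line is not already present.
    grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
}
```

When run as root on behalf of another account, follow it with `chown -R <user>:<user> <home>/.ssh`; sshd also rejects keys whose files are owned by someone other than the account or root.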
