Administration Guide

Deployment Wizard

Use the Deployment Wizard to create and deploy Decoy VMs on your network. Decoy VMs appear as real endpoints to hackers and can collect valuable information about attacks.

To deploy Decoys on the network:
  1. Go to Deception > Deployment Wizard.
  2. Click + Create a new decoy to add a Decoy VM.
  3. Configure the following:

    Name

    Specify the name of the deployment profile. Maximum 15 characters using A‑Z, a-z, 0-9, dash, or underscore. No duplicate profile names.

    Appliance Name

    Destination of the Decoy VM. This can be local (manager) or remote client (remote appliance).

    This column only shows in Central Management mode on manager.

    Available Deception OSes

    Select a Deception OS. The OS you select determines the services that are available.

    Available Deception Decoys

    Select a deception decoy. This option is only available in SCADAV3/IoT, Ubuntu16v2, Ubuntu18v1, VoIPv1, Medicalv1 and EV2023 deception OSes. The decoy you select determines the options in the Selected Services dropdown. See Available Deception OSes, Decoys and Selected Services.

    Selected Services

    Select a service based on the Deception OS. See Available Deception OSes, Decoys and Selected Services.

    Automate Lures

    Select one or more tag names to automate lure generation and to generate related contents. Selecting any and all generate random content.

    Click Generate Lures to automatically generate lures and list them in the panes below.

    Click Clear to delete the lures on this page.

  4. If applicable, click Generate Lures or Add Lure for the service and configure the lure settings. See Lure Settings.
  5. To launch the decoy VM immediately, scroll to the bottom of the page and enable Launch Immediately.
  6. To reset the decoy VM after it detects incidents, enable Reset Decoy and specify the Reset Interval value in seconds.
  7. In the HTTP/HTTPS Merge Time Window field, enter a value between 0 and 300 seconds. The default is 30 seconds.
    Note

    When the time difference between the last activity of the first HTTP request and the first activity of the next HTTP request is less than the configured time, FortiDeceptor merges the activities into the same HTTP incident.

  8. In the Monitor Admin Behaviors for field, enter the number of minutes to trigger the reset. Enter 0 to shut down the decoy immediately after admin activities are found. The decoy will re-launch in approximately 30 seconds.
    Note

    Configure this option for deployments where the RDP service is enabled.

  9. Click Next. The Set Network tab opens.
  10. Configure the network IP and Hostname. You can enter up to two DNS IP addresses.

    DNS

    Enter the network IP address.

    You must set the domain DNS server IP as the first DNS when custom Windows decoys are in the domain(s).

    DNS2

    (Optional) Enter a second network IP address.

    Two DNS IP addresses are not supported in FortiGate SSLVPN decoy deployments.

    Hostname

    Enter the hostname for the network.

    The Hostname can start with an English character or a digit, and must not end with a hyphen. Maximum 15 characters using A-Z, a-z, 0-9, or hyphen (case-sensitive). Other symbols, punctuation, or white space are not supported.

    The Hostname cannot conflict with decoy names.

  11. Click Deploy Into Network.
  12. Select the Deploy Interface. Set this to the VLAN or subnet added in Deployment Network.
  13. Configure the following settings in the Add Interface for Decoy pane:

    Addressing Mode

    Select Static or DHCP.

    Static allows you to configure the IP address for all the decoys.

    DHCP allows the decoys to receive an IP address from the DHCP server. If you select DHCP, IP Count is automatically set to 1 and all other fields are not applicable.

    Network Mask

    This field is set automatically.

    Gateway

    Specify the gateway.

    MAC Address OUI

    The first three octets of the MAC address for the device vendor. Only the xx:xx:xx format is supported.

    IP Count

    Specify the number of IP addresses to be assigned, up to 24 (for both STATIC and DHCP).

    Min

    The minimum IP address in the IP range.

    Max

    The maximum IP address in the IP range.

    IP Ranges

    Specify the IP range between Min and Max.

  14. Click Done.
  15. To deploy the decoys on the network, click Deploy.
  16. To save this as a template in Deception > Deployment Wizard, click Template.
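
When many decoys are planned at once, the field limits listed in the steps above can be checked before anything is typed into the wizard. The following is an added example, not Fortinet code: the dictionary keys, the `check_plan` function and the sample values are hypothetical, and a hostname "conflict" is assumed to mean an exact match with an existing decoy name.

```python
import ipaddress
import re

# Limits taken from the field descriptions above; key names are hypothetical.
PROFILE_NAME = re.compile(r"[A-Za-z0-9_-]{1,15}")
HOSTNAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,14}")
OUI = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){2}")


def check_plan(plan, decoy_names=()):
    """Return a list of problems in one planned decoy; an empty list means OK."""
    problems = []
    if not PROFILE_NAME.fullmatch(plan["name"]):
        problems.append("name")
    host = plan["hostname"]
    if not HOSTNAME.fullmatch(host) or host.endswith("-"):
        problems.append("hostname")
    elif host in decoy_names:  # assumption: a conflict is an exact match
        problems.append("hostname conflicts with a decoy name")
    if not 1 <= len(plan["dns"]) <= 2:
        problems.append("dns")
    if not 0 <= plan["merge_window"] <= 300:
        problems.append("merge_window")
    if plan["mode"] == "dhcp":
        return problems  # DHCP: IP Count is 1 and the other fields do not apply
    if not OUI.fullmatch(plan["oui"]):
        problems.append("oui")
    if not 1 <= plan["ip_count"] <= 24:
        problems.append("ip_count")
    lo, hi, start, end = (ipaddress.ip_address(plan[k])
                          for k in ("min", "max", "range_start", "range_end"))
    if not lo <= start <= end <= hi:  # IP range must sit between Min and Max
        problems.append("ip_range")
    return problems


# Constructed sample plans (documentation address space, made-up OUI).
GOOD = {"name": "hr_fileshare-01", "hostname": "HR-FS01", "dns": ["192.0.2.53"],
        "merge_window": 30, "mode": "static", "oui": "00:11:22", "ip_count": 3,
        "min": "192.0.2.1", "max": "192.0.2.254",
        "range_start": "192.0.2.40", "range_end": "192.0.2.42"}
BAD = dict(GOOD, name="finance file server", hostname="FIN-SRV-",
           oui="00-11-22", ip_count=30, merge_window=600,
           range_end="192.0.3.10")
```
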
Note

For deception strategies and examples, see Deployment best practices checklist and Deception decoy best practices.
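
The HTTP/HTTPS Merge Time Window note in step 7 determines how many incidents an analyst sees for one burst of web activity. The following added example (a model of the rule as worded in that note, not FortiDeceptor's implementation) groups a constructed request timeline under different window values; it assumes all requests come from a single source, and `merge_http_incidents` and `SAMPLE` are hypothetical names.

```python
from datetime import datetime, timedelta


def merge_http_incidents(requests, window_s=30):
    """Group HTTP requests into incidents using the merge rule from step 7.

    requests: list of (first_activity, last_activity) datetimes per request.
    A request joins the current incident when its first activity is less
    than window_s seconds after the previous request's last activity.
    """
    incidents = []
    prev_last = None
    for first, last in sorted(requests):
        gap = None if prev_last is None else (first - prev_last).total_seconds()
        if gap is not None and gap < window_s:
            incidents[-1].append((first, last))
        else:
            incidents.append([(first, last)])
        prev_last = last
    return incidents


def incident_sizes(requests, window_s):
    """Number of requests in each merged incident, in time order."""
    return [len(i) for i in merge_http_incidents(requests, window_s)]


# Constructed timeline: (first, last) activity offsets in seconds from T0.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [(T0 + timedelta(seconds=a), T0 + timedelta(seconds=b))
          for a, b in [(0, 2), (10, 12), (41, 43), (120, 121), (151, 152)]]

if __name__ == "__main__":
    for window in (0, 30, 31, 300):
        print(window, incident_sizes(SAMPLE, window))
```

The last two requests are exactly 30 seconds apart, so with the default window they remain separate incidents, because the rule requires the gap to be less than the configured time.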
