From SAASYAN docs

Assure Deployment Guide - Fortigate

Create LDAP service account

  • Create an LDAP service account in AD (can be called svc_assure for easy identification). It should be able to query AD users and group memberships.

Create AD groups

  • Create a security group in AD (can be called Assure_Admins for easy identification) and populate it with the users who need to have administrative privileges on Assure.
  • Create a security group in AD per student group (the group name can be prefixed with Assure_ for easy identification). These groups will be used to grant privileges over different student groups. Users placed in these groups will be allowed to log on to Assure and have access to the corresponding student groups.

Generate API key and token

  • To use token-based authentication, the user must first create a special API admin. The user can assign a VDOM provision and an admin profile to this API admin, which defines the admin's privileges. Only a Super admin can create or modify an API admin.
  • Log on to the CLI and execute the following commands:
config system api-user
    edit assure
        set comments "admin for Assure API access only"
        set accprofile prof_admin
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost [network_address] [subnet_mask]
            next
        end
    next
end
  • At least one trusted host must be configured for the API admin. The user can define multiple trusted hosts/subnets. IPv6 hosts are also supported.
  • After creating the api-user, the user can generate a new token via CLI command, GUI, or REST API. The token is shown only once and cannot be retrieved afterwards; if it is forgotten, the user needs to generate a new one. CLI command:
execute api-user generate-key assure
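
A defender-side check for the api-user stanza above, added here as an example (not part of the SAASYAN guide or any Fortinet tool): it parses a saved FortiOS configuration and flags API admins whose trusted hosts are missing or broad, or that use the built-in super_admin profile. The sample configuration, the legacy-script user, the 256-address threshold and the function name are assumptions; only the IPv4 trusthost form shown on this page is parsed.

```python
import ipaddress
# Constructed excerpt of a FortiOS config backup (not from a real device).
SAMPLE_CONFIG = """
config system api-user
    edit "assure"
        set accprofile "prof_admin"
        config trusthost
            edit 1
                set ipv4-trusthost 10.20.30.40 255.255.255.255
            next
        end
    next
    edit "legacy-script"
        set accprofile "super_admin"
        config trusthost
            edit 1
                set ipv4-trusthost 0.0.0.0 0.0.0.0
            next
        end
    next
end
"""

def audit_api_users(config_text, max_hosts=256):  # assumption: flag wider than /24
    """Return {api_user: [findings]} for the 'config system api-user' stanza."""
    findings, nets, depth = {}, [], 0
    base = user = profile = None  # base: nesting depth of the api-user stanza
    for raw in config_text.splitlines():
        tok = [t.strip('"') for t in raw.split()] or [""]
        if tok[0] == "config":
            depth += 1
            if tok[1:] == ["system", "api-user"]:
                base = depth
        elif tok[0] == "end":
            depth, base = depth - 1, (None if depth == base else base)
        elif base is None:
            continue
        elif tok[0] == "edit" and depth == base:
            user, profile, nets = tok[1], None, []
        elif tok[:2] == ["set", "accprofile"]:
            profile = tok[2]
        elif tok[:2] == ["set", "ipv4-trusthost"]:
            nets.append(ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False))
        elif tok[0] == "next" and depth == base:
            issues = [f"broad trusthost {n}" for n in nets if n.num_addresses > max_hosts]
            issues += [] if nets else ["no trusthost configured"]
            issues += ["super_admin profile"] if profile == "super_admin" else []
            findings[user] = issues
    return findings
```

Run it against a configuration backup and review any user with a non-empty findings list; an entry restricted to the collector VM's address with a 255.255.255.255 mask produces no findings.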

Create Rule Placeholders

  • Create the following placeholder rules. Assure will use these to determine where to place the programmatically created override rules in the ruleset. It's best to create these rules in such a way that they will never match any traffic.
  • ASSURE-OVERRIDE-DENY-PLACEHOLDER
  • ASSURE-OVERRIDE-ALLOW-PLACEHOLDER

Fill out the onboarding form

  • Download the onboarding form by clicking on this. Fill out the onboarding form and email it to support@saasyan.com.au. If you need assistance filling out the form, please contact SAASYAN support.
  • SAASYAN support will email you a link to download the preconfigured Assure collector VM along with the login credentials to log on to this VM's console.
  • Deploy the Assure collector virtual appliance.
  • Make sure your network is configured to allow the Assure Collector VM outbound internet access on TCP port 443. It uses this port to establish an SSL-encrypted tunnel to the hosted Assure back end.
  • Once the virtual appliance is deployed and started, use the provided login credentials to log on to its console. The Assure Collector management console will launch and show the screen below. Press OK to continue.
C1.png
You can perform several actions, as per below. You can either type the number or use the arrow keys to move up and down to select the desired action.
C2.png
Select the first option for Interface Configuration and a screen similar to the below will appear:
C3.png
Select the interface ens32 or eth0 and you will have two options as per below:
C4.png
Select Static IP and enter the needed values for the static IP configuration. Make sure the DNS Nameservers are space separated.
C5.png

Firewall Configuration

  • Log Settings:
In Log Settings, make sure you enable “Send Logs to Syslog” and use the IP address of the collector VM. Also make sure you select All for both Event Logging and Local Traffic Log.
Fortigate - Log Settings.png
  • Policy:
For your policies, make sure the Web Filter is on (in Security Profiles) and that Application Control is also on. In the logging options, make sure Log Allowed Traffic is on and set to All Sessions. This needs to be done for all the rules/policies that Assure will be used to report and alert on.
Fortigate - Policy.png
  • Application Control and SSL Deep Inspection need to be enabled for the chat/messaging applications from which chat messages need to be intercepted and passed through the Assure Alerts module.

Web Categories

  • Once Assure is online and the initial synchronization is complete, an admin has to log in, go to the Categories page (using the Admin menu) and change the ratings (by default all 5), exclude some Categories from the reports (by default all are included) and set the Categories that can be used for Web Overrides (by default all categories).
  • With the rating, 1 is the poorest and 10 is the highest.
  • We recommend excluding Categories such as Content Delivery Networks, Web Advertisements and other similar ones.
Categories-1.png
  • For the Rating, you can click on the original value (by default 5) to enter a new value between 1 and 10, with 1 being the poorest and 10 being the highest. These are used when calculating the user ratings and web behaviour.
Categories-3.png
  • To exclude a Category from the reports, you can click on the original value (by default No) to switch it to Yes.
Categories-2.png
  • To disallow a Category being used for Web Overrides, you can click on the original value (by default Yes) to switch it to No.
Categories-4.png