I’ve been doing a little playing with some products from Fortinet, and right now I’m testing FortiDeceptor. FortiDeceptor is a Fortinet deception-based security solution designed to detect and deceive attackers by deploying fake assets throughout IT, OT, and IoT networks.
FortiDeceptor can be installed on several hypervisors, including KVM. By now you can probably tell that I really like Proxmox as a hypervisor, but there weren’t specific instructions on how to do that (although there were instructions for KVM). So I decided to document the steps here.
The general steps outlined in this guide can be applied to other Fortinet products that run on KVM. Because FortiDeceptor deploys decoys on different networks, it is useful to know the specific steps needed on Proxmox to get tagged VLANs through to the VM.
Step 1: Create your virtual machine.
Create your virtual machine with a relevant name, taking note of the VM ID.
At the OS tab, select “Do not use any media”.
You can leave the defaults for the System tab.
At the disks tab, delete the initial disk by clicking on the trash can button. There should be no disks.
At the CPU tab select the number of vCPUs to assign the VM. You need two vCPUs for core FortiDeceptor OS, and then two vCPUs for each decoy. For example, for four decoys, you will need ten vCPUs (2 for core and 2 x 4 for the decoys).
Ensure that nested virtualization is switched on for the VM (the “nested-virt” option in the “on” position, or the “host” CPU type on Proxmox versions without a separate toggle), as FortiDeceptor runs each decoy as a VM inside the VM and cannot launch them otherwise. Nested virtualization must also be enabled in the Proxmox host’s KVM module: /sys/module/kvm_intel/parameters/nested (or kvm_amd) should contain Y or 1; if not, set “options kvm_intel nested=1” (or kvm_amd) in /etc/modprobe.d/ and reload the module before starting the VM.
For the memory, you need 4 GB for the core FortiDeceptor OS and then 4 GB for each decoy. For example, for four decoys, you will need 20 GB of memory (4 for core and 4 x 4 for the decoys).
For the network, select the network interface for the FortiDeceptor management network. This is not the decoy deployment network interface. We will add that later.
Confirm the settings and click Finish. Ensure that “Start after created” is deselected.
Step 2: Add the virtual disks to the VM.
First, extract the FortiDeceptor KVM installation files downloaded from the Fortinet Support portal. Proxmox uses KVM as its hypervisor, so you need the KVM VM package, not the VMware or Hyper-V one.
Then upload the required disks to the Proxmox server. Go to the Proxmox storage on which you want to place the virtual disks, open the Import tab and click Upload. (The Import tab only appears on storage that has the “Import” content type enabled, which requires Proxmox VE 8.2 or later; on older versions, copy the qcow2 files to the host and use “qm importdisk” instead.)
Browse to the location where you extracted the FortiDeceptor KVM installation files and select the “FDC-bootdrive.qcow2” file, and click Upload.
Once the “FDC-bootdrive.qcow2” file is uploaded, select the uploaded file and click on Import.
Select the FortiDeceptor VM as the Target Guest and add it.
Now add the data drive. Repeat the above steps to upload the “FDCVMS-datadrive.qcow2” virtual disk from the FDCVMS folder in the location where you extracted the FortiDeceptor KVM installation files.
Note: When deploying a FortiDeceptor VME appliance you will attach the “FDCVME-datadrive.qcow2”. See the README.txt file in the extracted location.
You should have both disks attached as shown in the image below.
Step 3: Configure the deployment network.
On the Proxmox server configure a bridge interface to allow VLANs for the deployment network. In the Proxmox GUI select the host server and go to System, then Network.
Edit the bridge interface for the decoy network and ensure that “VLAN aware” is selected.
Return to the FortiDeceptor VM settings and add the deployment network virtual bridge interface. Select the FortiDeceptor virtual machine and go to Hardware. Click on Add and select “Network Device”.
Select the virtual bridge for the decoy network. Ensure Firewall is deselected.
Ensure that the physical switch port behind the bridge used for the decoy deployment networks is configured as a tagged (trunk) port that allows the relevant VLANs. If the switch drops a VLAN, the corresponding deployment network will appear to configure correctly in FortiDeceptor but its decoys will be unreachable.
Step 4: Boot the FortiDeceptor VM.
Before you can boot the FortiDeceptor VM you need to first edit the Boot Order by going to the VM Options.
In the Boot Order list, enable ONLY scsi0 (the boot drive) and move it to the top; leave scsi1 (the data drive), the network device and any CD-ROM entry disabled, otherwise the VM may try to boot from the wrong device.
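For anyone who prefers to build the VM from the Proxmox shell rather than the GUI, here is a scripted version of Steps 1 to 4. It is an added example, not code from the original post or from Fortinet. The VM ID, VM name, bridge names, storage name, physical NIC and extract directory are assumptions; the qm and /etc/network/interfaces syntax is standard Proxmox VE.

```shell
#!/bin/sh
# Added example (not from the original post or from Fortinet): Steps 1-4 of the
# FortiDeceptor-on-Proxmox build as qm commands. Every value in the defaults
# block is an assumption; change it for your environment.
set -eu

VMID=${VMID:-200}                        # assumed free VM ID
VMNAME=${VMNAME:-fortideceptor}
DECOYS=${DECOYS:-4}                      # number of decoys you plan to run
MGMT_BRIDGE=${MGMT_BRIDGE:-vmbr0}        # FortiDeceptor management (Port1)
DECOY_BRIDGE=${DECOY_BRIDGE:-vmbr1}      # VLAN-aware bridge for deployment networks
STORAGE=${STORAGE:-local-lvm}
EXTRACT_DIR=${EXTRACT_DIR:-/root/fdc-kvm} # where the KVM package was unpacked

# Sizing rule from the post: 2 vCPU and 4 GB for the core OS, plus 2 vCPU
# and 4 GB per decoy. Proxmox takes memory in MiB.
fdc_vcpus()     { echo $(( 2 + 2 * $1 )); }
fdc_memory_mb() { echo $(( (4 + 4 * $1) * 1024 )); }

# Normalise the value of /sys/module/kvm_{intel,amd}/parameters/nested
# ("Y" or "1" when enabled) to yes/no.
nested_state() {
  case "$1" in
    Y|y|1) echo yes ;;
    *)     echo no ;;
  esac
}

# Fail early if the host's KVM module has nested virtualisation off: the decoys
# are VMs inside the FortiDeceptor VM and will not launch without it.
check_nested() {
  f=/sys/module/kvm_intel/parameters/nested
  [ -r "$f" ] || f=/sys/module/kvm_amd/parameters/nested
  [ -r "$f" ] || { echo "neither kvm_intel nor kvm_amd is loaded" >&2; return 1; }
  [ "$(nested_state "$(cat "$f")")" = yes ] || {
    echo "nested virtualisation is off: set 'options kvm_intel nested=1' (or kvm_amd) in /etc/modprobe.d/ and reload the module" >&2
    return 1
  }
}

# /etc/network/interfaces stanza for the decoy bridge (Step 3).
# Usage: bridge_stanza <bridge> <physical NIC on the tagged switch port>
bridge_stanza() {
  cat <<EOF
auto $1
iface $1 inet manual
        bridge-ports $2
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
EOF
}

# Print the qm commands for Steps 1, 2 and 4 (dry run). Each imported disk
# lands as unused0, so it is attached to a SCSI slot before the next import.
# Usage: render_plan <vmid> <name> <decoys> <mgmt_bridge> <decoy_bridge> <storage> <dir>
render_plan() {
  vmid=$1 name=$2 decoys=$3 mgmt=$4 decoy=$5 storage=$6 dir=$7
  cat <<EOF
qm create $vmid --name $name --ostype l26 --cpu host --cores $(fdc_vcpus "$decoys") --memory $(fdc_memory_mb "$decoys") --scsihw virtio-scsi-pci --net0 virtio,bridge=$mgmt --onboot 0
qm importdisk $vmid "$dir/FDC-bootdrive.qcow2" $storage
qm set $vmid --scsi0 "\$(qm config $vmid | awk -F': ' '/^unused0:/{print \$2}')"
qm importdisk $vmid "$dir/FDCVMS/FDCVMS-datadrive.qcow2" $storage
qm set $vmid --scsi1 "\$(qm config $vmid | awk -F': ' '/^unused0:/{print \$2}')"
qm set $vmid --net1 virtio,bridge=$decoy,firewall=0
qm set $vmid --boot order=scsi0
EOF
}

case "${1:-plan}" in
  plan)   render_plan "$VMID" "$VMNAME" "$DECOYS" "$MGMT_BRIDGE" "$DECOY_BRIDGE" "$STORAGE" "$EXTRACT_DIR" ;;
  apply)  check_nested
          render_plan "$VMID" "$VMNAME" "$DECOYS" "$MGMT_BRIDGE" "$DECOY_BRIDGE" "$STORAGE" "$EXTRACT_DIR" | sh -e ;;
  bridge) bridge_stanza "$DECOY_BRIDGE" "${2:-eno2}" ;;
esac
```

Run it with no argument to see the plan, with “bridge” to print the stanza to paste into /etc/network/interfaces, and with “apply” to check nested virtualization and execute the plan. The “firewall=0” on net1 is the CLI equivalent of deselecting Firewall in Step 3; “--boot order=scsi0” is Step 4. Once the VM is running, “bridge vlan show dev tap<VMID>i1” on the host lists the VLAN IDs the decoy NIC is allowed to carry, which is a quick way to confirm Step 3 before you start creating deployment networks.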
Step 5: Start the FortiDeceptor Virtual Machine.
Note that you will need to configure the Port1 IP address, netmask and gateway from the console before you can reach the GUI. See the CLI Reference for the exact commands (https://docs.fortinet.com/document/fortideceptor/latest/cli-reference/726050/configuration-commands).
Step 6: Create the Deployment Networks.
In FortiDeceptor, go to Deception, then Deployment Network. Click Add new VLAN/Subnet. When adding a VLAN interface, turn the “Tagged Interface” selector On and enter the VLAN ID. Configure the monitor IP address and gateway for that VLAN, then click Save.
Repeat the process for the additional VLANs.
Note that if you are creating a deployment network where the VLAN is the Native VLAN of the interface, turn the “Tagged Interface” selector to Off.
Step 7: Deploy your decoys selecting the relevant deployment networks.
Use the Deployment Wizard to deploy a decoy. When choosing the network to deploy into, select the relevant deployment network created in the previous step.
Test and verify that you can reach the decoys from a device on the same VLAN (for example, ping a decoy’s IP address and connect to one of the services it advertises). If a decoy on a tagged VLAN is unreachable while one on the native VLAN works, recheck the VLAN-aware setting on the bridge and the tagged VLANs on the switch port.
Conclusion
So far, I’m very impressed with FortiDeceptor and it looks like a great tool to have in a network defender’s arsenal to protect their environment. It adds a layer of visibility to catch unknown threat actors in the network.
References:
Technical Tip: How to install FortiGate VM on Proxmox https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-install-FortiGate-VM-on-Proxmox/ta-p/301097
Deploying a FortiGate-VM into Proxmox https://docs.fortinet.com/document/fortigate-private-cloud/latest/proxmox-administration-guide/37920/deploying-a-fortigate-vm-into-proxmox
Deploying FortiDeceptor VM on KVM https://docs.fortinet.com/document/fortideceptor-private-cloud/latest/kvm-vm-deployment-guide/162154/deploying-fortideceptor-vm-on-kvm