Remotely accessing FortiRecorder through a FortiGate


In this recipe, you set up a FortiGate with a secondary IP to provide remote access to a FortiRecorder. This allows you to securely view live FortiCamera video feeds over the Internet, using the FortiRecorder GUI, FortiRecorder Mobile, or FortiRecorder Central.

This recipe employs a secondary IP and two port forwarding virtual IPs to forward HTTPS and Real Time Streaming Protocol (RTSP) packets from the Internet to the FortiRecorder. To use a secondary IP address you must have a second Internet IP address for your FortiRecorder. Instead of adding this IP address to the FortiRecorder, you add it to your FortiGate and forward traffic for the FortiRecorder IP address through the FortiGate.

1. Connect the hardware

Connect your devices as shown in the diagram.

In this example, the FortiCamera connects to a PoE switch, which is then connected to port3 on the FortiRecorder. The FortiRecorder’s port1 connects to the FortiGate lan interface.

 

2. Configuring the FortiRecorder and FortiCamera

On the FortiRecorder, go to System > Network > Interface and edit port1. Set a manual IP/Netmask for the interface that is on the same subnet as the FortiGate lan interface (in the example, 192.168.1.99).

Set Access to allow HTTPS and any other protocols you require. If you are using FortiRecorder Central, you must enable FRC-Central.

 
Edit port3. Make sure that Discover cameras on this port is enabled. Set a manual IP/Netmask for the interface.  

Go to System > Network > DHCP and create a new DHCP server. Set Interface to port3 and Gateway to port3’s IP address (in the example, 192.168.200.2).

Create a new DHCP IP Range that is on the same subnet as port3.

 
Go to System > Network > Routing. Add a default route that uses the IP address of the FortiGate’s lan interface (in the example, 192.168.1.2). Set Interface to port1.  

Go to Camera > Configuration > Camera. Click on Force Discover to have connected cameras displayed.

The FortiCamera will appear on the list, with the Status column displayed as Not Configured.

 
Select the FortiCamera and select Configure. Set the unit’s Name, Location, and Profile, as well as any other required configuration settings.

3. Adding a secondary IP to the FortiGate

From the FortiGate GUI, go to System > Network > Interfaces and edit your Internet-facing interface. Enable Secondary IP Address and create a new IP/Network Mask for the interface.  

Adding a secondary IP address allows the FortiGate and the network to see two IP addresses, the primary and the secondary, that terminate at the interface.

In this example, the primary IP address is used to connect to the FortiGate, while the secondary IP will be used to connect to the FortiRecorder.

4. Creating virtual IPs

From the FortiGate GUI, go to Policy & Objects > Objects > Virtual IPs. Create the two virtual IPs: one for HTTPS traffic and one for RTSP traffic.

For both virtual IPs, set External Interface to your Internet-facing interface, External IP Address/Range to the secondary IP of that interface (in the example, 172.20.120.237) and the Mapped IP Address/Range to the IP of port1 on the FortiRecorder unit (in the example, 192.168.1.99).

Enable Port Forwarding and use the standard port for each protocol. HTTPS uses TCP port 443 and RTSP uses TCP port 554.

 

If you are using FortiRecorder Central, you must create a third virtual IP to allow TCP port 8550.
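
One way to check the result of this step from a FortiGate configuration backup (an added example, not part of the original recipe): the Python below parses the firewall VIP section and reports any virtual IP mapped to the FortiRecorder that is not a port forward, or that exposes a port other than 443, 554 or 8550. The sample excerpt is constructed and abridged, and the VIP names are hypothetical.

```python
EXPECTED_PORTS = {"443", "554", "8550"}  # HTTPS, RTSP, FortiRecorder Central
RECORDER_IP = "192.168.1.99"  # FortiRecorder port1 in the recipe's example
# Constructed, abridged FortiOS CLI excerpt; hypothetical VIP names, last two are mistakes.
SAMPLE_CONFIG = """
config firewall vip
    edit "FRec-HTTPS"
        set extip 172.20.120.237
        set mappedip 192.168.1.99
        set portforward enable
        set extport 443
    next
    edit "FRec-HLS-HTTP"
        set extip 172.20.120.237
        set mappedip 192.168.1.99
        set portforward enable
        set extport 80
    next
    edit "FRec-All"
        set extip 172.20.120.237
        set mappedip 192.168.1.99
    next
end
"""

def parse_vips(text):
    """Return {name: {setting: value}} for flat entries under 'config firewall vip'."""
    vips, entry, inside = {}, None, False
    for line in map(str.strip, text.splitlines()):
        if line in ("config firewall vip", "end"):
            inside = line != "end"
        elif inside and line.startswith("edit "):
            entry = vips.setdefault(line[5:].strip('"'), {})
        elif inside and entry is not None and line.startswith("set "):
            _, key, value = line.split(None, 2)
            entry[key] = value.strip('"')
    return vips

def audit_vips(vips):
    """Report VIPs mapped to the recorder that expose more than the recipe intends."""
    findings = []
    mine = [(n, c) for n, c in vips.items() if c.get("mappedip") == RECORDER_IP]
    for name, cfg in mine:
        if cfg.get("portforward") != "enable":
            findings.append((name, "no port forwarding: all ports are mapped"))
        elif cfg.get("extport") not in EXPECTED_PORTS:
            findings.append((name, "unexpected external port " + cfg.get("extport", "?")))
    return findings

if __name__ == "__main__":
    print(audit_vips(parse_vips(SAMPLE_CONFIG)))
```

A virtual IP for TCP port 80 is reported because it is outside the three ports listed in this step; add "80" to EXPECTED_PORTS only if you have chosen HLS over HTTP.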

 

5. Creating a security policy to allow access to the FortiRecorder

Go to Policy & Objects > Policy > IPv4 and create a new policy that allows access to the FortiRecorder from the Internet.

Set Incoming Interface to your Internet-facing interface, Outgoing Interface to lan, and Destination Address to the new virtual IPs.

 

6. Configuring FortiRecorder Mobile for iOS 

On your FortiRecorder, go to System > Configuration > Options. Set FortiRecorder Mobile to use HLS over HTTPS.

You can also connect using HLS over HTTP, as long as you add another virtual IP to allow TCP port 80.

 

FortiRecorder Mobile for iOS 

Download the FortiRecorder Mobile app onto your iOS device. 

If you will connect using HTTPS, the iOS device must be able to verify the FortiRecorder certificate. To do this, you can either have the FortiRecorder local certificate signed by one of the world’s largest certificate authorities, whose CA certificates are trusted by the iOS device, or, if the CA certificate is not trusted by the iOS device, install the CA certificate on the iOS device. For information about this, see the technical note Provisioning CA Certificate to iOS Devices for FortiRecorder Mobile.

Open FortiRecorder Mobile. Use the + to add a new location.

Enter the information for the FortiRecorder device, including the Address (in the example, 172.20.120.237) and the admin account username and password.

 
The FortiRecorder is shown in the list of Locations.  

FortiRecorder Mobile for Android

Download the FortiRecorder Mobile app onto your Android device.

Open FortiRecorder Mobile. Select Add Location.

Enter the information for the FortiRecorder device, including the Address (in the example, 172.20.120.237) and the admin account username and password.

 
 The FortiRecorder is shown in the list of Locations.  

7. Configuring FortiRecorder Central

FortiRecorder Central is a Windows-based video management system that is used to connect to and view information from several FortiRecorder units at the same time. It can be downloaded from the Fortinet Support website.

The recipe was written using FortiRecorder Central 1.0.0.

From FortiRecorder Central, use the Settings cogwheel in the top right corner to go to Settings > Users. Make sure the admin account settings are identical to those on the FortiRecorder because FortiRecorder Central has to be able to log into FortiRecorder using these credentials.   
Go to Settings > Recorders. Set the IP to the FortiGate’s secondary IP (in this example, 172.20.120.237).  
The FortiRecorder will appear in the list of devices, with its connected cameras listed underneath.  

8. Results  

From the Internet you can browse to the secondary IP address, using HTTPS (in the example, https://172.20.120.237). The FortiRecorder GUI login screen appears.

Go to Monitor > Video Monitor to see the live video feed from the FortiCamera.

 

View out the window from Fortinet Tech Doc offices in Ottawa, Canada

In FortiRecorder Mobile for iOS, go to the Locations list and select the FortiRecorder. A list of the available cameras will be shown. Click on the camera you wish to view.

 

In FortiRecorder Mobile for Android, go to the Locations list and select the FortiRecorder, then select Cameras. A list of the available cameras will be shown. Click on the camera you wish to view.

 

In FortiRecorder Central, click on the listing for the FortiCamera and drag it onto a square in the grid. The live video feed will be shown.

 


Victoria Martin


Technical Writer & Head Cookbook Chef at Fortinet
If you do not have any profiles already created, you will have to configure one. For more information, see the FortiRecorder 2.0.0 Administration guide.
All FortiRecorders must use the same admin credentials in order to be used by FortiRecorder Central.
Quicktime 6.0 or higher is required to view the Video Monitor.