
FortiRecorder-2.7.2-SD Branch Deployment Guide

This document provides instructions for configuring edge recording in an SD-branch scenario using FortiRecorder and FortiCameras. It describes setting up VPN tunnels or NAT between the branch offices and headquarters to manage cameras remotely from a single FortiRecorder.


FortiRecorder - SD Branch Deployment Guide

Version 2.7.2

October 23, 2019


FortiRecorder 2.7.2 SD Branch Deployment Guide
00-272-591034-20191023
TABLE OF CONTENTS

Change Log
Introduction
SD-Branch configuration using VPN tunnels
    Obtaining camera information
    Establishing a tunnel
    Configuring the HQ FortiGate tunnel
    Configuring the cameras
SD-Branch configuration using NAT
    Configuring port forwarding and routing
    Creating a policy
    Setting up RTSP on FortiGate
    Configuring the cameras
    Real-Time Streaming Protocol (RTSP) session helper
Monitoring SD-Branch recordings on the HQ FortiRecorder

FortiRecorder SD Branch Deployment Guide Fortinet Technologies Inc.


Change Log

Date        Change Description

2019-10-23  Initial release.


Introduction

This deployment guide demonstrates how to configure your FortiRecorder and FortiCameras using edge recording in a
typical SD-Branch scenario.
This setup is optimal when there are several branch offices with a small number of cameras connected to an HQ
datacenter with a FortiRecorder. See the example diagram below.

SD-Branch edge recording allows you to manage cameras across multiple branches from a single HQ FortiRecorder
through a VPN tunnel or NAT. In this configuration, only status information is exchanged between the camera and
recorder, resulting in the use of less bandwidth than when transferring video.
Captured video is recorded onto the local SD card of the camera, and can be viewed from the HQ FortiRecorder after a
short delay while the video downloads. FortiCameras set up in this way can be configured to record continuously or with
motion detection only. When a live stream is required, the recorder establishes a streaming connection to the camera
that stays active as long as the view is in use.
Edge recording in an SD branch scenario can be set up using one of two methods:
• SD-Branch configuration using VPN tunnels
• SD-Branch configuration using NAT


SD-Branch configuration using VPN tunnels

In order to configure a FortiRecorder SD-Branch using VPN tunnels, complete the following steps:
1. Obtaining camera information
2. Establishing a tunnel
3. Configuring the HQ FortiGate tunnel
4. Configuring the cameras
The topology and example addresses used for these instructions are as follows:

Obtaining camera information

First, obtain the IP address of your DHCP-enabled camera from FortiGate. Make note of the MAC address
of the camera before deployment.

To obtain the addresses of your cameras:

1. Go to Network > Interfaces.


2. Select the interface, and click Edit.
3. Enable Device Detection.

Device detection does not work with all camera models.


4. Go to User & Device > Device Inventory.


5. Copy the Address numbers for your cameras.

Alternatively, you can look at Monitor > DHCP Monitor on FGT1.

Establishing a tunnel

With the camera addresses obtained, you can now establish a tunnel between the HQ and the branch.


To establish a tunnel:

1. In the FortiGate branch, go to VPN > IPsec Wizard.


2. Enter a name and select the Site to Site template type.

3. Select FortiGate for the Remote Device Type.


4. For NAT Configuration, select No NAT between sites, then click Next.
5. Enter the address of your headquarters FortiGate.

6. Enter the pre-shared key, and select Next.


7. Select your local interface from the dropdown menu.

8. Enter the address where the cameras are located in the Local Subnets field.
9. Enter the address where your FortiRecorder is located in the Remote Subnets field, then select Create.


Configuring the HQ FortiGate tunnel

You can now set up the HQ FortiGate tunnel following a similar procedure as before; however, in the Authentication
portion of the VPN Creation Wizard, enter the WAN1 address for the branch where the cameras are located.

Once completed, bring up the tunnel.

Configuring the cameras

Cameras can now be configured in FortiRecorder, and routing can be established to the FortiGate HQ.


To set up a camera in FortiRecorder:

1. Go to Camera > Configuration > Camera Profile.


2. Select an existing camera and select Edit or select New.

3. Name the profile and edit the settings as desired.


Edge recording works with either continuous or motion detection recording.
4. In the Recording section, enable SD card.
5. Select Create.
6. Go to System > Network > Routing.
7. Select New.

8. Enter the DMZ subnet of your branch location where the cameras are located in the Destination IP/netmask field.
9. Select the desired interface and enter the gateway.
10. Select Create.
11. Ping the camera from the recorder.


12. Go to Camera > Configuration > Camera.

13. Enter the necessary details and select Wired from the address mode dropdown menu.
14. Enter the address, select edge-recording from the Profile dropdown menu, and select Create.


SD-Branch configuration using NAT

In order to configure a FortiRecorder SD-Branch using NAT, complete the following steps:
1. Configuring port forwarding and routing
2. Creating a policy
3. Setting up RTSP on FortiGate
4. Configuring the cameras
5. Real-Time Streaming Protocol (RTSP) session helper
The topology and example addresses used for these instructions are as follows:

Configuring port forwarding and routing

You will first need to configure port forwarding on WAN1 for the camera in the FortiGate branch.


To configure forwarding and routing:

1. Go to Policy & Objects > Virtual IPs.


2. Click Create New and Virtual IP.

3. Enter a name for the Virtual IP.


4. Select the WAN1 interface from the dropdown interface menu.
5. Enable Port Forwarding and select OK.

The External Service Port range is required during camera configuration. See Configuring
the cameras.

You can now make a virtual IP group to apply the policy to the entire group, rather than individual VIPs.
1. Go to Policy & Objects > Virtual IPs.
2. Click Create New and Virtual IP Group.

3. Enter a name for the group.


4. Select the cameras in the group from the Members section.


5. Select OK.

Creating a policy

You will now need to create a policy to route.

To create a policy to route:

1. Go to Policy & Objects > IPv4 Policy.


2. Select Create New.

3. Enter a name for the policy.


4. Select wan1 for the incoming interface and dmz for the outgoing interface.
5. Select the VIP group for the Destination.
6. Enter the rest of the options as desired, and click OK.
The camera will now be available under 172.20.110.68:4430.


Setting up RTSP on FortiGate

To set up the RTSP:

1. Go to Policy & Objects > Virtual IPs.


2. Click Create New and Virtual IP.

3. Enter the addresses.


4. Enter a name for the virtual IP and select wan1 from the Interface dropdown menu.
5. Select TCP as the desired protocol and enter 5540-5540 for the External Service Port range, and 554 for the Map to
Port.


Configuring the cameras

To add your cameras in FortiRecorder:

1. Go to Camera > Configuration > Camera.


2. Select New.

3. Enter the name of the camera.


4. Select VIP from the Address mode dropdown menu, and enter the address and port.
5. Select the SD Card tab and enable SD Storage.
6. Enter the rest of the options as desired, and click Create.


7. Go to System > Configuration > Options and enter a Public Access address.

The setup shown in the example screenshots works because the recorder is using a VIP, which effectively puts the
FortiRecorder directly on the internet. If the recorder side is behind NAT, you may require a session
helper to get RTSP/RTP live streaming operational. See Real-Time Streaming Protocol (RTSP) session helper.

Real-Time Streaming Protocol (RTSP) session helper

The Real-Time Streaming Protocol (RTSP) is an application layer protocol often used by SIP to control the delivery of
multiple synchronized multimedia streams, for example, related audio and video streams. Although RTSP is capable of
delivering the data streams itself it is usually used like a network remote control for multimedia servers. The protocol is
intended for selecting delivery channels (like UDP, multicast UDP, and TCP) and for selecting a delivery mechanism
based on the Real-Time Protocol (RTP). RTSP may also use the SIP Session Description Protocol (SDP) as a means of
providing information to clients for aggregate control of a presentation consisting of streams from one or more servers,
and non-aggregate control of a presentation consisting of multiple streams from a single server.


To accept RTSP sessions you must add a security policy with service set to any or to the RTSP pre-defined service
(which listens on TCP ports 554, 770, and 8554 and on UDP port 554). The RTSP session helper listens on TCP ports
554, 770, and 8554.
The RTSP session helper is required because RTSP uses dynamically assigned port numbers that are communicated in
the packet body when end points establish a control connection. The session helper keeps track of the port numbers and
opens pinholes as required. In Network Address Translation (NAT) mode, the session helper translates IP addresses
and port numbers as necessary.
In a typical RTSP session the client starts the session (for example, when the user selects the Play button on a media
player application) and establishes a TCP connection to the RTSP server on port 554. The client then sends an
OPTIONS message to find out what audio and video features the server supports. The server responds to the OPTIONS
message by specifying the name and version of the server, and a session identifier, for example, 24256-1.
The client then sends the DESCRIBE message with the URL of the actual media file the client wants to play. The server
responds to the DESCRIBE message with a description of the media in the form of SDP code. The client then sends the
SETUP message, which specifies the transport mechanisms acceptable to the client for streamed media, for example
RTP/RTCP or RDT, and the ports on which it receives the media.
In a NAT configuration the RTSP session helper keeps track of these ports and addresses and translates them as necessary.
The server responds to the SETUP message and selects one of the transport protocols. When both client and server
agree on a mechanism for media transport the client sends the PLAY message, and the server begins streaming the
media.
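
The following is an added example, not part of the Fortinet guide and not FortiOS code. It models in Python what a NAT-mode RTSP helper does to a client SETUP message: it finds the client ports in the Transport header, rewrites them to public ports, and records the UDP pinholes to open. All addresses, the stream path and the port_map argument are constructed for illustration; only port 5540 comes from the guide.

```python
import re

# client_port parameter of an RTSP Transport header, e.g. client_port=50000-50001
CLIENT_PORT = re.compile(r"client_port=(\d+)(?:-(\d+))?")


def rewrite_setup(request, client_ip, public_ip, port_map):
    """Model a NAT-mode RTSP helper handling one SETUP request.

    port_map (hypothetical) maps each private client port to the public
    port chosen for it; a real helper allocates these itself.
    Returns (rewritten_request, pinholes), where each pinhole is
    (public_ip, public_port, client_ip, client_port) for inbound UDP.
    """
    pinholes, out = [], []
    for line in request.split("\r\n"):
        name, sep, value = line.partition(":")
        match = CLIENT_PORT.search(value) if sep else None
        if match and name.strip().lower() == "transport":
            lo = int(match.group(1))
            hi = int(match.group(2) or lo)
            public = [port_map[p] for p in range(lo, hi + 1)]
            for private, external in zip(range(lo, hi + 1), public):
                pinholes.append((public_ip, external, client_ip, private))
            ports = f"{public[0]}-{public[-1]}" if hi > lo else str(public[0])
            # The ports live in the TCP payload, so the helper must edit the
            # RTSP message itself, not just the IP/TCP headers.
            line = name + ":" + CLIENT_PORT.sub("client_port=" + ports, value, count=1)
        out.append(line)
    return "\r\n".join(out), pinholes


# Constructed sample messages: a recorder at 10.0.0.5 behind NAT address
# 203.0.113.10 contacts a camera VIP on the guide's RTSP port 5540.
SETUP_UDP = (
    "SETUP rtsp://198.51.100.20:5540/stream1 RTSP/1.0\r\n"
    "CSeq: 3\r\n"
    "Transport: RTP/AVP;unicast;client_port=50000-50001\r\n\r\n"
)
# Interleaved transport carries RTP inside the RTSP TCP connection, so it
# names no client ports and needs no pinhole.
SETUP_TCP = SETUP_UDP.replace(
    "RTP/AVP;unicast;client_port=50000-50001", "RTP/AVP/TCP;unicast;interleaved=0-1"
)

if __name__ == "__main__":
    rewritten, holes = rewrite_setup(
        SETUP_UDP, "10.0.0.5", "203.0.113.10", {50000: 62000, 50001: 62001}
    )
    print(rewritten)
    print(holes)
```

Without this rewrite the camera would send RTP to ports 50000-50001 on an address it cannot reach, which is why live streaming fails behind plain NAT even though the RTSP control connection succeeds.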


Monitoring SD-Branch recordings on the HQ FortiRecorder

When everything has been properly configured, recordings from SD-Branch cameras can be viewed through the
HQ FortiRecorder.
• Motion events are viewable by going to Monitor > Event > Event.

• You can select the desired clip and then click Show. After a few moments the clip is downloaded and
playback begins.
• Downloaded clips appear as bright-red bars to indicate that they are available on the local recorder storage.

• Most clips begin with an event marker. If the motion is extended and triggers multiple clips nearly consecutively, a
marker is generated every minute.
• When viewing video through a live feed, temporary recordings display in your timeline as blue bars.

• View motion events in the detection log by going to Monitor > Log Viewer > Detection.



Copyright© 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.
