{"id":1739,"date":"2021-10-22T08:27:16","date_gmt":"2021-10-22T08:27:16","guid":{"rendered":"http:\/\/www.borkedcode.com\/wp2\/?p=1739"},"modified":"2021-10-22T11:56:55","modified_gmt":"2021-10-22T11:56:55","slug":"setting-up-a-new-fortigate-firewall","status":"publish","type":"post","link":"https:\/\/www.borkedcode.com\/wp2\/2021\/10\/22\/setting-up-a-new-fortigate-firewall\/","title":{"rendered":"Setting Up A New Fortigate Firewall"},"content":{"rendered":"\n

Sooo\u2026my Cisco Meraki subscription runs out next month, and Cisco doesn\u2019t want to talk to me about what their re-licensing options are. I like my MX64, the interface is really nice, and the device is super effective. But I can\u2019t find out what they want to charge me for a fresh license, or even if they will sell me one. Their partners wouldn\u2019t respond, they themselves wouldn\u2019t respond, so I took the logical next step.<\/p>\n\n\n\n

And I upgraded to a Fortinet firewall. I wanted a NGFW with full-service features, Fortinet\u2019s got it. I wanted one that had a great rep, they got it. I wanted a good, clean UI, and they got it. Well, mostly they got it. I\u2019ll say this \u2013 Meraki\u2019s UI has Fortinet beat on intuitive nature, clean look, and logical division of features. It\u2019s just better. But Meraki\u2019s UI has a flaw: it is entirely cloud based. If I have a problem with my firewall, chances are high that I can\u2019t reach the internet. And that means I have no method to work with my firewall unless I happen to have all the CLI memorized and the Meraki unit decides to be kind to me while trying to authenticate my login with Putty.<\/p>\n\n\n\n

So I got myself a little Fortinet, a model 40F. Much like the Cisco offering, Fortinet uses the same web interface and commands across the board of their product line, so if you learn one you can run them all. Nice touch, that.<\/p>\n\n\n\n

\"\"
And it’s just so cute.  Who’s a widdle firewall?<\/em><\/figcaption><\/figure><\/div>\n\n\n\n

And much like the difference between the UIs, the setup had a similar situation.  Fortinet just required a bit of a push over the finish line, and it was a frustrating push.  With the Meraki, it was quite literally a plug-it-in-register-go affair.  You could add more complicated configs after setup, but if all you needed was an above-average firewall that would let you go after setup, that was the bomb.  I had it in and running in ten minutes. <\/p>\n\n\n\n

Next-Gen v. Traditional Firewalls<\/strong>\n\nYou keep hearing about \u201cNGFW\u201d devices in network circles, but what exactly are they? \n \nBriefly, traditional firewalls worked on a port-and-IP basis, blocking undesirable connections by simply turning away traffic that wasn\u2019t addressed acceptably.  Maybe it came from the wrong country, or asked for a port that wasn\u2019t \u201copen\u201d.  This is called \u201cintrusion prevention.\u201d\n\nNGFW devices do that too, but additionally they can inspect the contents of the packets that are accepted, and are able to filter traffic that contains unacceptable content.  For example, a NGFW might know to look for viruses or dangerous payloads in email traffic. \n \nAs well, the NGFW is usually enabled with frequent updates to its library of dangers, or it may even perform cloud-based real-time inspection to catch zero-day threats.  A Fritz!Box just doesn\u2019t do that.<\/em>\n<\/pre>\n\n\n\n
Not so much the Fortinet. <\/p>\n\n\n\n
Which is why I\u2019m writing this:  I want you to be able to do a fast setup and avoid the stress I had. <\/p>\n\n\n\n
So let\u2019s go through it, shall we? <\/p>\n\n\n\n
When you get your new device, you pop open the box and the first thing you see is a \u201cquick start\u201d manual, which will do you no good at all.  I\u2019ll explain why shortly. <\/p>\n\n\n\n
Beneath that, you\u2019ll get a net cable, a power adapter (standard wall-wort with various national plug adapters), and of course the device itself sealed up in a plastic bag.  As well, a little sticky that has some simple steps on it. <\/p>\n\n\n\n
Position yourself within arms\u2019 reach of your internet modem\/router, and lay your things out around you in easy reach.  Have a laptop or other computer powered up and ready here.  Minimally you\u2019re going to need the Fortigate device, its power adapter, two patch cables (LAN cables), and your computer. <\/p>\n\n\n\n
Important:  Don\u2019t Get Ahead Of Yourself.<\/strong>  I had this device up in my office, getting it revved up to take over from the Meraki, and I was setting port forwards and a bunch of other stuff prior to the following steps.  That was a mistake that cost me a few serious head-scratches.  Some of that stuff conflicted with the basic setup and cost me time.<\/p>\n\n\n\n
\"\"
Yeah, that’s the sticky<\/em><\/figcaption><\/figure>\n\n\n\n
1. Follow the instructions on the sticky, but not in the order given.<\/h2>\n\n\n\n
Do the \u201cCloud Setup\u201d first.  Go register your name and enter the \u201ccloud key\u201d like it says.  <\/p>\n\n\n\n
Next, assemble the power plug and plug the little critter in.  Attach your laptop or other computer to the device using the included cable.  Turn off WiFi if it\u2019s on, and either enable DHCP (in which case you then need to tell your adapter to renew its IP) or set it to IP 192.168.1.1 with a subnet mask of 255.255.255.0. <\/p>\n\n\n\n
If you have a mac or an iPhone, do that Apple stuff.  Whatever. <\/p>\n\n\n\n
Open a browser and go to HTTPS:\/\/192.168.1.99<\/a>.  < Note the \u201cS\u201d there.  Gotta have that.  The device by default won\u2019t feed you a page if you\u2019re not on HTTPS.  You should at this point be given a web page interface to the device.  By the way, the login is \u201cadmin\u201d with no password.  It\u2019ll prompt you to change that when you enter.<\/p>\n\n\n\n
\"\"

Should look a little like this (I pulled my ISP\u2019s IP and the license server\u2019s IP just to avoid confusion \u2013 your IPs will be different)<\/figcaption><\/figure><\/div>\n\n\n\n
By the way, go look for my article on passwords.  You want to set a good one for your firewall.  And keep it safe in a manner that you won\u2019t forget it.<\/p>\n\n\n\n
It will also prompt you to register your device.  Ironically, you won\u2019t be able to, so just tell it \u201clater\u201d. <\/p>\n\n\n\n
If it does not give this to you for some reason, get your vendor on a chat line or a phone line and have them walk you through enabling the web GUI (details can be found here: https:\/\/kb.fortinet.com\/kb\/documentLink.do?externalID=FD34688<\/a>).  I didn\u2019t have this problem, so I don\u2019t anticipate it to be common on new devices. <\/p>\n\n\n\n
All good so far?  I hope so. <\/p>\n\n\n\n
2. Plug the Fortigate in to your modem\/router. <\/h2>\n\n\n\n
I have a \u201cFritz!Box\u201d 7490 here (yeah, I run multiple firewalls in a chain, call me paranoid if you have to), but this will work from a regular modem or other router, too.  The physical structure of your network when you do the setup should break down into the following:<\/p>\n\n\n\n
Wall Socket > modem\/router > Fortigate device<\/p>\n\n\n\n
Where \u201c>\u201d represents a physical cable (it might also be wireless, but I\u2019m not getting into that here).  So the wall cable goes into the \u201cWAN\u201d or \u201cInternet\u201d port (or whatever similar word they\u2019re using on the brand you have).  You\u2019d normally then have 2-4 \u201cLAN\u201d ports beside that which are supposed to lead to your computer or a switch or something. <\/p>\n\n\n\n
Take the second of your patch cables and plug it into the \u201cWAN\u201d port of the Fortigate (the first is running from the Fortigate\u2019s LAN port to your PC), and the other end of it should go in one of those LAN ports on your modem\/router.  <\/p>\n\n\n\n
Wait a few seconds, and then in the UI page of the Fortigate, navigate the left-side menu to Network > Interfaces.  You should see at the top of this page a little indicator showing which ports are active on the device.<\/p>\n\n\n\n
\"\"
That’d be what I’m talking about right there.<\/figcaption><\/figure><\/div>\n\n\n\n
You can hover over the ports, by the way, and they\u2019ll give you a read of the connection details.  Nice touch there, Fortinet, I appreciate that attention to detail. <\/p>\n\n\n\n
\"\"
Fly-by hints are nice. IP blocked to protect the innocent.<\/figcaption><\/figure><\/div>\n\n\n\n
This would be a good time to go into your modem\/router and fix the IP it gives your Fortigate, just so you have a record of it somewhere. <\/p>\n\n\n\n
3. You\u2019re all done!  Happy surfing.  No, just kidding, this is just where they dump you on the side of the road.<\/h2>\n\n\n\n
No, really.  This is where they leave you.  On my old Meraki, that\u2019d be fine, because I could get out to the internet from here and start goofing around and playing World of Warships or reading stupid Facebook posts.  But really, you\u2019re not done here.  If you try to get out to the internet (go ahead, I\u2019ll wait) you\u2019ll find that your browser just gives you the finger.  Usually in the form of \u201cDNS can\u2019t be resolved\u201d or something equally useful.  Also, in the Fortigate dashboard you\u2019ll see under \u201cLicenses\u201d that none of them are confirmed and there\u2019s a red bar that says \u201cUnable to connect to Fortinet servers\u201d or something like that.<\/p>\n\n\n\n
@Fortinet \u2013 here\u2019s where you guys dropped the ball.  A couple of simple defaults would have saved me (and who knows how many other people) a few hours of grief and head-scratching.  <\/p>\n\n\n\n
Are you still at the \u201cNetwork > Interfaces\u201d page?  If not, go back there.  You have to configure something.  In my case (with a model 40F) there aren\u2019t too many interfaces to choose from, and mine is called the \u201cPhysical Interface\u201d.  Yours probably shows up as \u201cwan\u201d or something similar.<\/p>\n\n\n\n
\"\"
That’s the bugger right there.<\/em><\/figcaption><\/figure><\/div>\n\n\n\n
Double-click on its name or right-click and choose \u201cedit\u201d. <\/p>\n\n\n\n
Here\u2019s what you get taken to next \u2013 most of it won\u2019t need to be modified, you just need to review it and be passingly familiar with what\u2019s in here:<\/p>\n\n\n\n
\"\"
Let’s touch on these points in red.<\/figcaption><\/figure>\n\n\n\n
The items highlighted in red there are ones you need to pay attention to.<\/p>\n\n\n\n
  1. Alias \u2013 give your WAN connection a meaningful name.  Even if you only have one WAN hookup, it doesn\u2019t hurt to name it after your router or your ISP so you know what you\u2019re looking at.<\/li>
  2. Leave role as \u201cwan\u201d.  If you\u2019re using others, then you probably know enough that this article isn\u2019t telling you anything new.<\/li>
  3. Depening on how your modem\/router hands out IPs to equipment, pick the appropriate style here.  My Fritz!Box is set up to use DHCP, and I\u2019ve told it to always give the Fortigate the same IP when it sees it, so that\u2019s the route I took here.  If you prefer to fix the IP within the device itself, then you\u2019ll want to set it up on Manual. <\/li>
  4. DNS \u2013 confirm that your DNS server is set correctly.  If you don\u2019t know what I\u2019m talking about, ignore this for now.  I prefer to use Google\u2019s DNS servers for my stuff, so the Fritz! Hands that off when an IP is requested.  Your mileage may vary. <\/li>
  5. Default gateway \u2013 for the Fortigate, its default gateway out to the internet will be your modem\/router.  Ensure that this value represents the IP that your modem\/router presents inside your walls (not the value it uses on the world-facing side).<\/li><\/ol>\n\n\n\n
    Record your default gateway value in notepad or something.  You\u2019ll need it shortly.<\/p>\n\n\n\n
    4. Here\u2019s The Biggie<\/h2>\n\n\n\n
    We\u2019re at the point where the biggest \u201cmissing link\u201d should have been.<\/p>\n\n\n\n
    @Fortigate \u2013 again, a short add here will save your customers some grief.<\/p>\n\n\n\n
    Devices like a regular modem\/router or regular commercial firewall products that you can buy at MediaMarkt or Best Buy, etc., have a default rule in them: \u201cIf I get traffic coming in on the LAN ports, and the address isn\u2019t in my house, squirt it out to the internet to find its way.\u201d <\/p>\n\n\n\n
    That rule doesn\u2019t exist here on the Fortigate.  Which is why if you try to reach a Google server right now, your system will tell you to go spin.  So, we have to create it and give it to the Fortigate, so it knows that it should do its job. <\/p>\n\n\n\n
    Navigate on the left-hand menu to \u201cNetwork > Static Routes\u201d.  There\u2019ll be a big bag of nothing there.  At the top, choose \u201cCreate New\u201d, and you\u2019ll get this:<\/p>\n\n\n\n
    \"\"
    Just need to tell the Fortigate where the door is so it can let your traffic out.<\/figcaption><\/figure>\n\n\n\n
    Leave \u201cDestination\u201d alone.  That represents the address of the packets the firewall receives.  Grab that \u201cInterface\u201d drop-down and choose the Wan interface you configured (you did give it a good name, right?) a few moments ago.  It should populate the Gateway Address for you automatically, but if it doesn\u2019t, you can enter it because you recorded it in Notepad or something when I told you to. \ud83d\ude0a<\/p>\n\n\n\n
    When you\u2019re done, it should look like this:<\/p>\n\n\n\n
    \"\"
    It assigns this just from choosing that drop-down.<\/figcaption><\/figure>\n\n\n\n
    In computer-speak, we\u2019re creating a default static route that\u2019ll go into the route table of the device.  In human language, that means \u201cWhen the firewall sees an address on a packet it doesn\u2019t recognize, it throws it out the window into the Internet to get handled.\u201d <\/p>\n\n\n\n
    @Fortigate \u2013 Really folks, you should just include this as a default.  Experienced users can always delete or disable it.  How many people buy a firewall and then don\u2019t have a default like this? <\/p>\n\n\n\n
    Don\u2019t worry about Advanced Options or anything, just make sure to \u201cOK\u201d it.<\/p>\n\n\n\n
    At this stage, I re-booted my firewall (just pull the power and put it back in) to get it to take up the new route.  I suspect if you go get a coffee or something instead it will eventually pick up the rule and apply it without this, but I didn\u2019t want to wait.  <\/p>\n\n\n\n
    Now that the static route is in, you should be able to connect to the internet from your firewall.  At the top right of the page, you\u2019ll see an option for a command-line interface:<\/p>\n\n\n\n
    \"\"
    That’s it, right there ^^<\/figcaption><\/figure>\n\n\n\n
    Click on that, and in the faux terminal that pops up, enter:<\/p>\n\n\n\n
    execute ping 8.8.8.8<\/code><\/strong><\/p>\n\n\n\n
    You should be getting back something that looks like this:<\/p>\n\n\n\n
    \"\"
    Queue John Mayer singing about 1983…<\/figcaption><\/figure><\/div>\n\n\n\n
    You can also now connect out from your computer connected to the firewall.<\/p>\n\n\n\n
    The dashboard of the Fortigate should now also show under \u201cLicenses\u201d which ones are active, and that red \u201cunable to connect\u201d bar should be gone.<\/p>\n\n\n\n
    By the way \u2013 you can now safely set up your port-forwarding rules.  If you\u2019d done so before this, your default way out into the internet would have conflicted with rules already governing the default gateway, and you\u2019d be wondering why the Fortigate won\u2019t accept your default route outwards. <\/p>\n\n\n\n
    That sucked, for about a half an hour.<\/p>\n\n\n\n
    5. You\u2019re in the Home Stretch now<\/h2>\n\n\n\n
    So, you bought a firewall, and you\u2019re all set to connect to the internet.  But this isn\u2019t just some plain old Fritz!Box, this is a Next-Generation Firewall that can protect you in all manner of ways that you should expect out of a 21st<\/sup> Century product. <\/p>\n\n\n\n
    But as with the \u201ctell it to send my traffic to the internet\u201d case, we have to actively tell the firewall to use those abilities<\/em><\/strong>. <\/p>\n\n\n\n
    @Fortigate \u2013 really?  You ship all these cool features and you ship with them disabled?  The FW can\u2019t ask \u201cwhat am I licensed to turn on\u201d and then turn that stuff on in a policy for the user?  At least provide some basic enabled stuff, folks. <\/p>\n\n\n\n
    Let\u2019s turn on the goods you paid for. <\/p>\n\n\n\n
    This is the stuff you pay annually for, the really solid protection measures.  You might have bought your device without any subscription, in which case you can skip this step, but I suspect you wouldn\u2019t shell out that kind of bank just for an intrusion-protection brick. <\/p>\n\n\n\n
    In the left-hand menu, head for \u201cPolicy & Objects > IPv4 Policy\u201d.  There will be one or more rules already present in that bucket.  What you want is the one that is titled \u201cinternal > [your WAN name here]\u201d.  Open that one up and edit it. <\/p>\n\n\n\n
    You\u2019ll get a screen something like this:<\/p>\n\n\n\n
    \"\"
    This is fully configured for me, see below for what would be some good ideas to perform on your own.<\/figcaption><\/figure><\/div>\n\n\n\n
    First, give it a name.  I use \u201cDefault Permitted\u201d because this policy will by default permit someone to issue requests out to the Internet, and will only interfere if the target has some issue.  Hence, by default it permits the traffic. <\/p>\n\n\n\n
    Incoming interface refers to where the firewall is seeing the traffic originate.  In this case, it will come from my internal network.  Outgoing is where the traffic wants to go \u2013 in this instance, out the WAN into the wild, wild internet.<\/p>\n\n\n\n
    Source\/Destination should be \u201call\u201d in this case.  I\u2019m defaulting to allow almost anything, after all.<\/p>\n\n\n\n
    Schedule \u2013 how or when is this rule going to run?  You can create rules that apply only during office hours, or ones that turn off when the kids are at school, etc. <\/p>\n\n\n\n
    Service \u2013 this refers to what protocols are covered (HTTP, mail, pings, yadda yadda).  Kind of a poor choice of name for a pack of protocols.<\/p>\n\n\n\n
    Action \u2013 in my case here, \u201caccept\u201d.  If I wanted to shut everything down by default then I\u2019d use deny.  If, for example, I was operating a high-security bank or defense contractor, I\u2019d probably start with \u201cdeny\u201d and add exceptions for accept.  But, this is my home network, and I want my Netflix, so Accept it is. <\/p>\n\n\n\n
    The Firewall\/Network options should be left alone.  If you\u2019re comfortable enough to dork around with those, you don\u2019t need to be listening to me ramble on.<\/p>\n\n\n\n
    Now, here\u2019s what you paid for: \u201cSecurity Profiles\u201d.<\/em><\/strong>  By default, these things are turned off.  Turn them all on.  Your device will eventually complain to you if you don\u2019t have a license to run a particular profile, and you can turn it off then.  This section should have been called services, because really that\u2019s what they are \u2013 paid services that add value beyond just the hardware and the Fortinet SOC chip. <\/p>\n\n\n\n
    Take note of the \u201cWeb Filter\u201d \u2013 you\u2019re probably going to want to go in and adjust a few things there, as this is what governs the content filter for your network.  For example, I occasionally play on pokerstars, but gambling sites are by default blocked.  So I wanted to loosen that rule a bit.  I also wanted to block certain types of site from my net which my kid doesn\u2019t need to see, so reviewing those settings was pretty important.  <\/p>\n\n\n\n
    Once you\u2019ve enabled what needs to be on, make sure \u201cEnable this policy\u201d is green and \u201cOK\u201d this to apply it.  The line entry should now look a little bit like this:<\/p>\n\n\n\n
    \"\"
    Safe as houses.  Well, hopefully more, since most accidents happen around the home…<\/figcaption><\/figure><\/div>\n\n\n\n
    6.  You\u2019re All Done!  Seriously, this time.  Time to wrap up.<\/h2>\n\n\n\n
    So, from the perspective of a home or small business, you should now be good to go.  If you are going to implement a security fabric, that\u2019s really beyond the scope of this little how-to (and if you\u2019re familiar with that angle of Fortinet\u2019s stuff, you probably didn\u2019t need this guide anyway). <\/p>\n\n\n\n
    Anyway, I hope this helped to walk quickly through the setup of your new Fortigate, without all the hair loss and whiskey drinking that my own setup ended up putting me through.  If it did help you, let me know in the comments.  Makes me feel good to know that I helped at least one person avoid the trouble. <\/p>\n\n\n\n
    Happy (safe) computing \ud83d\ude0a. <\/p>\n\n\n\n
    This all seems like a lot of trouble\u2026<\/h2>\n\n\n\n
    Yeah, admittedly it is a bit of a pain in the ass.  But I have to say, as an IT person reading the news, the cost of a NGFW is pretty worthwhile.  In the case of Fortinet, you pay about six to eight hundred euros for the device itself and a one-year subscription to the security services.  It\u2019ll be a two or three hundred per year after that.  Other vendors of similar quality cost about the same.  That\u2019s not cheap. <\/p>\n\n\n\n
    But then, losing my entire ripped video or music collection would represent a few hundred hours of work that would have to be re-done.  Worse still, losing the first eight years of digital photos of my kid would really chap my ass too.  And I haven\u2019t even touched on the potential for identity theft or potential monetary loss if my digital bank statements got stolen.  Or if my network somehow became compromised and my work laptop got exposed.  I think it\u2019s safe to say that anyone who runs their business on computers needs the kind of protection a NGFW offers.<\/p>\n\n\n\n
    None of these problems is a certainty, and none of them is even a probability.  I know my stuff, and I\u2019m not likely to have a fault in my own behavior.  Likely being the key word.  I can still make mistakes.  Hell, even Jason Momoa has a squad of bodyguards.  Jason freaking Momoa. <\/p>\n\n\n\n
    I\u2019ve got a family now.  My kid has figured out how to download stuff to her tablet (thanks, Google, for the Family Link \u2013 I know exactly what she\u2019s getting into now).  My mother doesn\u2019t necessarily have the same paranoid instincts I do about mail attachments.  My wife is pretty darn sharp, but she can make an error just as I can.  Who knows what some cretin in a professional hack-farm is designing right now to screw everyone over with? <\/p>\n\n\n\n
    I know I won\u2019t necessarily be prepared to deal with it.  So, I outsource it to the best minds in the business.  They will see the news about that guy before I ever do, and will be working on a fix before I\u2019m done with my coffee that morning.  They\u2019ll jet it into my device while I\u2019m still getting dressed.  <\/p>\n\n\n\n
    I like that. <\/p>\n","protected":false},"excerpt":{"rendered":"
    Sooo\u2026my Cisco Meraki subscription runs out next month, and Cisco doesn\u2019t want to talk to me about what their re-licensing options are. I like my MX64, the interface is really nice, and the device is super effective. But I can\u2019t … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[162,163,156,157,158,159,161,160],"class_list":["post-1739","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-default-route","tag-firewall-policy","tag-firewalls","tag-fortigate","tag-fortinet","tag-fortinet-40f","tag-problems","tag-setup"],"_links":{"self":[{"href":"https:\/\/www.borkedcode.com\/wp2\/wp-json\/wp\/v2\/posts\/1739","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.borkedcode.com\/wp2\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.borkedcode.com\/wp2\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.borkedcode.com\/wp2\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.borkedcode.com\/wp2\/wp-json\/wp\/v2\/comments?post=1739"}],"version-history":[{"count":4,"href":"https:\/\/www.borkedcode.com\/wp2\/wp-json\/wp\/v2\/posts\/1739\/revisions"}],"predecessor-version":[{"id":1757,"href":"https:\/\/www.borkedcode.com\/wp2\/wp-json\/wp\/v2\/posts\/1739\/revisions\/1757"}],"wp:attachment":[{"href":"https:\/\/www.borkedcode.com\/wp2\/wp-json\/wp\/v2\/media?parent=1739"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.borkedcode.com\/wp2\/wp-json\/wp\/v2\/categories?post=1739"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.borkedcode.com\/wp2\/wp-json\/wp\/v2\/tags?post=1739"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}