Category Archives: Fortigate
Today we faced the Fortinet web interface becoming unresponsive. We found some articles and expected that killing/restarting httpd would be enough, but we faced policy load issues: for example, when trying to list the rules we got an empty response, and after some time it was gone again and we needed to restart httpd to access the web UI.
Then, after some investigation, we saw that the cluster checksum was not consistent (command: diagnose sys ha cluster-csum).
We tried to sync the HA config but it did not succeed (command: execute ha synchronize start) (for more please check).
Then, somehow, maybe we did not prioritise it, but on the cluster member whose web interface was working, first the SNMP service stopped responding and then the SSL VPN connections started to fail! Around this time, as far as I remember, we changed the password of an SSL VPN user, but I don't think that helped us. However, when we killed sslvpnd the non-responsive Fortinet box magically came back to life; after that we checked the HA csum and it was consistent, and SNMP also started to work!
Actually, if we had not tried this (the vendor also said that the related firmware has a bug), we would have had to restart the nodes, and this would have caused some downtime. The version is 5.2.6.
Some good links for debugging HA: http://kb.fortinet.com/kb/documentLink.do?externalID=FD36494 . The debug sequence is below; remember to turn the debug off again when you are done (diagnose debug disable), because the hasync/hatalk output is very noisy.
diag debug enable
diagnose debug console timestamp enable
diag debug application hasync -1
diag debug application hatalk -1
execute ha synchronize start
I expect that you know the PID, but if you do not, there are two ways to find it.
Walter (global) # diag test app snmpd 1
snmpd pid = 161
Option 2 (sometimes the diagnose commands do not return a PID for a process; in that case use fnsysctl):
List the pid files, then read the PID from the related file:
Walter (global) # fnsysctl ls /var/run/
Walter (global) # fnsysctl cat /var/run/snmpd.pid
Then kill it. If diagnose sys kill 11 <pid> does not kill the process (signal 11 is the usual FortiOS way to restart a daemon and also writes an entry to the crash log, readable with diagnose debug crashlog read), fall back to fnsysctl kill -9, which kills it without a crash log entry:
Walter (global) # fnsysctl kill -9 161
That's it!
Since the beginning we have always had trouble about choosing the wrong hardware, developer issues like handling sessions with a single core, then ASIC things; it is always changing: NPx supports something, NPy supports more, and at the end of the day you will always have the NPx/y/z/t/u that was just released, but cost is another issue, but don't worry, the providers always think these are usual things. Hope one day DPDK or another technology will help us to use firewalls without ASICs and without always needing to buy new hardware. (I know, you know SDDC, SDN; I also know!)
I know this device is a UTM; UTM is a somehow fancy thing, you know you shouldn't use it, you know what will happen, but you have to because of some situations (for ISPs).
AV issues, IPS engine issues, conserve mode! I don't know how you really protect my device and the network behind it.
Big problem: AV and memory. I still cannot understand, from small to bigger devices, why more RAM is not used! Is memory expensive? Or maybe it is still 32 bit! What can the developers not handle?
At the end AV fills the RAM, the whole device is under stress and there are communication issues; BGP or OSPF are gone! :(((
For AV it is not working like a Linux service or something? You should kill it! Step by step, each process; disabling AV does not help every time.
Log in to your device, switch to the global VDOM (config global, it is also a command), then execute diagnose sys top to see the processes, press q to leave, and at the console execute diagnose sys kill 11 <process_id>. We do this from the console because we may get some output there, and then we can follow the memory usage from the console.
Another issue is the IPS engine; the command for it is, so understandably, under diag test 🙂 lovely, it is not meaningful for me but it is meaningful for the developer or whoever maintains the CLI commands.
diagnose test app ipsmonitor
You will see a nice menu of options; choose exactly what you want: restart, stop, start, get status.
Also, if you run a cluster, consider doing the same things on the slave 🙂; to switch to the slave:
- config global
- get system ha status
- execute ha manage 1 (mostly 1; use the member index shown by get system ha status)
Good fixes!
After switching from static routing to dynamic routing with OSPF, the next level is to create redundancy in case one of the OSPF neighbors goes down.
The problem is that with our Fortigate we could not achieve OSPF redundancy with the network routers or L3 devices, so we switched to BGP and succeeded with it.
The architecture is as below: two Juniper MX960 routers and a Fortigate 3600C firewall box. The Fortigate outside interface and one interface from each router are on the same network, any /29 for example: MX960-1 xxx.yyy.zzz.1/29, MX960-2 xxx.yyy.zzz.2/29 and FG3600C xxx.yyy.zzz.3/29.
We also have an additional network on the inside, where the servers are, for example ttt.yyy.zzz.0/24.
You have to get this information from the network guys; they also have to provide the AS numbers (our local AS, which we will use in our configuration, and their AS for the peers).
You can do 90% of the configuration from the GUI; the rest may need the CLI.
On the Fortigate we are using firmware 5.x, and the configuration is done under one of the VDOMs. Open Virtual Domains, go under the related VDOM, then open Router, Dynamic and the BGP section. You can see everything on one screen 😀
Set Local AS to what your network guys provided.
Router ID will be your outside interface IP address, in our example xxx.yyy.zzz.3. Neighbors will be the peers, in my example the two MXs, xxx.yyy.zzz.1 and xxx.yyy.zzz.2, each with its remote AS.
No need to set Networks, because I will configure it to advertise all my connected interfaces, but if you prefer you can add the network you want to advertise instead of redistributing the connected interfaces; for example you can add ttt.yyy.zzz.0/24.
Now switch to the CLI of the Fortigate and enable the redistribution of connected routes (enter your VDOM first):
config vdom
edit VDOM1 (choose your one)
config router bgp
config redistribute connected
set status enable
end
end
next
end
Also in our setup the network guys additionally configured next-hop-self on their side; a good post about it can be found at this link.
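The GUI and CLI steps above, collected into one FortiOS 5.x CLI block. This is an added example, not the configuration from the original post: the AS numbers (65000 for the Fortigate, 64500 for the MX960s), the RFC 5737 prefixes 192.0.2.0/29 and 198.51.100.0/24 standing in for xxx.yyy.zzz and ttt.yyy.zzz, the VDOM name VDOM1, and the timer values are all assumptions to agree with the network team. next-hop-self is left to the router side, as in the post.

```fortios
# Added example, not the original post's configuration (FortiOS 5.x syntax).
# Assumptions: local AS 65000, MX960 AS 64500, shared /29 192.0.2.0/29
# (Fortigate = .3, MX960-1 = .1, MX960-2 = .2), inside servers 198.51.100.0/24.
config vdom
    edit VDOM1
        config router bgp
            set as 65000
            set router-id 192.0.2.3
            # one eBGP session per MX; holdtime/keepalive lowered from the
            # 180/60 defaults so a dead router is detected in 30 s, not 3 min
            config neighbor
                edit "192.0.2.1"
                    set remote-as 64500
                    set keepalive-timer 10
                    set holdtime-timer 30
                    set soft-reconfiguration enable
                next
                edit "192.0.2.2"
                    set remote-as 64500
                    set keepalive-timer 10
                    set holdtime-timer 30
                    set soft-reconfiguration enable
                next
            end
            # what the post does: announce every connected interface network
            config redistribute "connected"
                set status enable
            end
            # the alternative from the post: announce only the inside network
            # (use one of the two; both are shown here)
            config network
                edit 1
                    set prefix 198.51.100.0 255.255.255.0
                next
            end
        end
    next
end
```

Check the result with get router info bgp summary (both peers should reach the Established state) before testing failover. Note that redistribute connected announces every interface subnet of the VDOM, management ones included, so on a VDOM with many interfaces the explicit network entry, or a route-map on the redistribution, is the safer choice.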
Some useful commands:
Check the neighbors:
get router info bgp neighbors
See the BGP table and which next hop is used for a given network:
get router info bgp network
See the routing table:
get router info routing-table details
Don't forget to test the failover scenarios, because BGP convergence can be slow; you may need to play with the timers (keepalive and holdtime, and BFD if both sides support it). A good explanation on the Cisco community may help you.
Take care
I know you do not have enough time, go!!
First activate SSL VPN on the Forti.
You need to create an IP pool from which the Forti will assign addresses when people connect. As you can see below, the Forti already has a pre-configured one by default; you can use it or create a new address object with the IP range you want to assign to the users. I generally add a /24.
You need to modify the routing table: add a static route for the pool network so the Forti knows how to reach the addresses it hands out to SSL VPN clients and where to send the traffic back to them.
The device should be your interface whose name starts with ssl. (there is one per VDOM).
No need to set a gateway; leave 0.0.0.0, the Forti will handle it.
Distance and priority are not important unless you have another, more preferred route for the same prefix.
Portals: I remember that SSL VPN and SSL VPN portals were pushed by Juniper; they had additional SSL VPN boxes to handle this job, also at extra cost, and what is good in Forti is that there is no need to pay extra for it. But I don't know what Juniper does now!
Portals define what the customer/user sees when they log in; the applications matter too, because they affect how you configure the widgets later on.
Set the name and the applications you need; actually I only used the portal to bind it to the rules. After all changes please don't forget to click Apply at the top left.
Please set the IP range of the portal to the pool you created in the second step, like below (click Edit on IP Pools and choose IP Mode: Range), and click OK. After all changes please don't forget to click Apply at the top left.
Create users …
Create a group and assign the users and the portal to it: click SSL-VPN Access, choose the portal from the drop-down, and move the users to the right side.
Last 2 steps …
First you need to create the authentication rule; via this we do the authentication. You decide which source addresses, which destination, which group, which services, and go!
And the last thing:
Where these customers/users are allowed to go: write a rule from the network the Forti assigns to the customers (the IP pool, entering through the ssl. interface) to the target they need to reach.
Let's try: the link should be like below if you did not change the port number in the first step; give the username and password and try to access.
I wrote forti.out.site.ip; this is the outside IP of the Forti or of the related VDOM.
For more information you may want to check out:
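The whole SSL VPN procedure above as a FortiOS 5.2 CLI block, added here as an example; it is not the configuration from the original post. Assumptions: pool 10.212.134.0/24, outside interface wan1, inside interface internal, servers in 198.51.100.0/24, user alice, group SSLVPN_USERS, portal tunnel-portal, and listening port 10443. The action ssl-vpn / identity-based-policy form of the authentication rule is the 5.0/5.2 syntax the post uses; later releases put the groups directly on the policy.

```fortios
# Added example, not the original post's configuration (FortiOS 5.2 syntax).
# Assumptions: pool 10.212.134.0/24, outside "wan1", inside "internal",
# servers 198.51.100.0/24, user "alice", group "SSLVPN_USERS", port 10443.
config firewall address
    edit "SSLVPN_POOL"
        set type iprange
        set start-ip 10.212.134.1
        set end-ip 10.212.134.254
    next
    edit "SERVERS"
        set subnet 198.51.100.0 255.255.255.0
    next
end
# static route for the pool: device is the ssl.<vdom> interface, no gateway
config router static
    edit 10
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
    next
end
# portal in tunnel mode, handing out addresses from the pool
config vpn ssl web portal
    edit "tunnel-portal"
        set tunnel-mode enable
        set ip-pools "SSLVPN_POOL"
    next
end
# listener: outside interface and port from the first GUI step
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_POOL"
    set source-interface "wan1"
    set source-address "all"
    set port 10443
end
# user and the group that carries the portal (SSL-VPN Access in the GUI)
config user local
    edit "alice"
        set type password
        set passwd "change-me-at-first-login"
    next
end
config user group
    edit "SSLVPN_USERS"
        set member "alice"
        set sslvpn-portal "tunnel-portal"
    next
end
config firewall policy
    # authentication rule: who may log in, from where, to what
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "SERVERS"
        set action ssl-vpn
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "SSLVPN_USERS"
                set service "ALL"
            next
        end
    next
    # access rule: what the connected clients (pool addresses) may reach
    edit 2
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "SERVERS"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two points worth changing before this faces the Internet: replace Fortinet_Factory with a certificate issued for the name users will type, and keep the SSL VPN port different from the administrative HTTPS port so the admin login is never reachable on the VPN listener. Narrowing service "ALL" on policy 2 to the ports the servers actually need is the cheap part of least privilege here.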
We had a problem with the isolation address ping issue. Somebody may say "you stupid", but I would like to write such an article for whoever has this issue and, like us, forgot or could not imagine the problem.
Short explanation: when you create a VMware vSphere 4/5 cluster, by default the system checks the isolation address, which by default is the ESX/ESXi host's gateway, which is usually your firewall 🙂
When you install the FortiGate and configure the Administrator settings like below (the black line indicates the allowed IP addresses, the trusted hosts, that can access the FortiGate box for management)
The related picture indicates that the inside interface is allowed to be pinged.
You may think that the inside interface is open for PING, but don't forget that because you restricted Administrative access, which by default was 0.0.0.0/0 (any), to a few IP addresses that are allowed to manage the Forti, the trusted hosts now gate every administrative access type on the interface, including PING. So no ESX/ESXi host can PING its gateway any more, and you will get isolation error messages.
Please add your ESX/ESXi host network to the Administrative access (trusted hosts) section, and you are done!
If you need to go back and configure everything from the beginning, SSH or telnet to your Forti and under global (do 'config global') execute the following command; that's it:
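The same fix from the CLI side, as an added example that is not part of the original post. Assumptions: the management stations live in 10.10.10.0/24, the ESXi hosts in 10.20.30.0/24, the inside interface is called internal, and the account is the default admin.

```fortios
# Added example, not the original post's configuration (FortiOS 5.x syntax).
# Assumptions: management network 10.10.10.0/24, ESXi hosts 10.20.30.0/24,
# inside interface "internal", administrator account "admin".
config system admin
    edit "admin"
        # the management stations that may open the GUI/SSH
        set trusthost1 10.10.10.0 255.255.255.0
        # without this entry the ESXi hosts cannot even ping their gateway,
        # because trusted hosts also gate PING on the interface
        set trusthost2 10.20.30.0 255.255.255.0
    next
end
config system interface
    edit "internal"
        # PING must still be in allowaccess; trusted hosts alone do not enable it
        set allowaccess ping https ssh
    next
end
```

Trusted hosts are checked against the combined list from all administrator accounts that define them, so every admin with a trusthost set needs the ESXi range covered, or a host in that range is treated as an unauthorised management client. Keep the entry as narrow as the host subnet rather than going back to 0.0.0.0/0.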
FGT1KB3911600635 (global) # execute factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n)y
Instead of static routing, use OSPF for better management and flexibility.
To configure:
config router ospf
PS: 0.0.0.0 is the OSPF area ID (the backbone, area 0), which you create under config area and reference in the network entry; in my configuration it is 0.0.0.0, but it may be different in your network, please ask the network guys …
set prefix xxx.xxx.xxx.xxx 255.255.255.248
PS: You should ask the network guys on which network you will talk OSPF; this prefix goes into a config network entry together with set area.
set interface "port10"
PS: Also you should tell them via which interface you will talk OSPF; it is generally your outside interface (this goes into a config ospf-interface entry).
config redistribute connected
set status enable
PS: This tells the Fortigate to publish every connected interface or VLAN interface network into OSPF (as external routes), management networks included, so check that this is what you want.
set router-id xxx.xxx.xxx.xxx
PS: The router ID is only an identifier for this router in the OSPF domain (it must be unique among the neighbors), nothing more; I generally set it to the interface IP address.
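The fragments above assembled into one complete block, as an added example rather than the configuration from the original post. Assumptions: FortiOS 5.x syntax, the transit network 192.0.2.0/29 on port10 with the Fortigate at 192.0.2.3 (also used as the router ID), the backbone area 0.0.0.0, and a placeholder MD5 key. The authentication lines are an addition the post does not have; they stop any host on the transit VLAN from simply speaking OSPF and injecting routes.

```fortios
# Added example, not the original post's configuration (FortiOS 5.x syntax).
# Assumptions: Fortigate outside IP 192.0.2.3 on "port10", OSPF transit
# network 192.0.2.0/29, backbone area 0.0.0.0, placeholder MD5 key.
config router ospf
    set router-id 192.0.2.3
    # the area that the network entry below refers to
    config area
        edit 0.0.0.0
        next
    end
    # the network OSPF is spoken on (ask the network team), bound to the area
    config network
        edit 1
            set prefix 192.0.2.0 255.255.255.248
            set area 0.0.0.0
        next
    end
    # per-interface settings for the transit interface: timers matching the
    # neighbor and MD5 authentication so only peers holding the key are accepted
    config ospf-interface
        edit "ospf-port10"
            set interface "port10"
            set network-type broadcast
            set hello-interval 10
            set dead-interval 40
            set authentication md5
            set md5-key 1 "replace-with-shared-key"
        next
    end
    # publish every connected interface network into OSPF as external routes
    config redistribute "connected"
        set status enable
    end
end
```

Verify with get router info ospf neighbor (the state should be Full) and, on the receiving router, that the redistributed networks appear; a neighbor stuck in Init or ExStart almost always means the timers, the network type or the authentication do not match the other side.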