Category Archives: Fortigate

sslvpnd can cause ha sync /Webinterface unresponsive issue? -another Fortinet story-

Today we faced Fortinet web interface become unresponsive,  we find out some articles and expect that killing/restarting httpd will be enough but we faced policy load issues for example try to list rules but we have empty response and after some time its gone and need to restart httpd to access webui again.

Then after some investigation we saw that cluster checksum is not consistent (command:diagnose sys ha cluster-csum)

Tried to sync ha config but not succeed (command:exec ha synchronize start) (for more pls check)

Then somehow we maybe did not prioritise  but cluster member which web interface is working but first snmp service stop response and then sslvpn connections are start to not work ! in this time what i remember we changed the password of sslvpn user but i don’t think that this help us but when we kill the sslvpnd magically non-responsive fortinet box become to run , after all checked ha csum its worked and snmp also start to work !

Actually if we did not try this (also vendor said that related firmware have a bug) we have to restart nodes and this will cause some downtime  . Version is 5.2.6

Some good link for debugging ha http://kb.fortinet.com/kb/documentLink.do?externalID=FD36494

diag  debug enable
diagnose  debug  console  timestamp enable
diag debug application hasync -1
diag debug application hatalk -1
execute ha synchronize start

When you can not kill process gently -another Fortinet story-

I expect that you know the pid but if its not you have two ways

Option 1

Walter (global) # diag test app snmpd 1

snmpd pid = 161

Option 2 (somehow related commands are not return some processes pids, then start to use fnsysctl )

List pid files then get pid id from related file

Walter (global) # fnsysctl ls /var/run/

Walter (global) # fnsysctl cat /var/run/snmpd.pid

161

Then execute (somehow diag sys kill 11 <pid_id> do not kill related pid)

Walter (global) # fnsysctl kill -9 161

thats it !

When Fortigate ips engine and AV engine fuck everything !

Since the beginning we have always trouble about choosing wrong hardwares , developer issues like handle sessions with single core , then ASIC things , its always changing  NPx support something NPy support more , end of the day you will always have NPx/y/z/t/u what released but cost is another issue but don’t worry providers always things these are usual things. Hope one day with DPDK or another technology will help us to use firewalls without ASICs and without need always buy new hardwares. (I know you know SDDC , SDN also i know ! )

I know this device is UTM , UTM is somehow fancy things, you know you shouldn’t use , know what will happen but you have to because of some situations (for ISPs)

AV issues , IPS engine issues , conserve mode ! I don’t how you really protect my device and network behind

Big problem AV and memory , still can not understand small to bigger devices why more ram is not used ! Memory is expensive ? or maybe still 32 bit ! What developers can’t handle ?

at the end AV full the ram , whole device under stress and communication issues , BGPs or OSPF are gone ! :(((

For AV its not working like a linux services or something ? you should kill it ! Step by Step , each process , disabling AV is not helping every time

Login your device , switch to config global (it is also command ) then execute diagnose sys top see the processed press q and leave to console execute diagnose sys kill 11 <process_id> . Here we are using because maybe some outputs we could have then fallow console for mem usage.

Another issue is ips engine , so understandable command diag test 🙂 lovely , its not meaningful for me but meaningful for developer or who maintain cli commands

diagnose test app ipsmonitor

You will see nice options and choose what you exactly want , restart , stop , start , get status

Also if you run cluster then consider do same things on slave 🙂 to switch slave

  • config global
  • get system ha status
  • exec ha manage 1 (mostly)

Good fixes !

VM

Dynamic Routing BGP Configuration for FortiGate

Hello All,

After switching static routing to dynamic routing with OSPF next level is create redundancy if one of the OSPF neighbor goes down.

Problem is with our Fortigate we can not achive OSPF redundancy with the network routers or L3 devices, then we switched to BGP and success about it.

Architecture is like below , two Juniper MX960 routers and a Fortigate 3600c firewall box. Fortigate outside interface and one interface from each routers are on same network like any /29 network for example ; MX960-1 xxx.yyy.zzz.1/29 , MX960-2 xxx.yyy.zzz.2/29 and FG3600C xxx.yyy.xxx.3/29

Also we have additional network for inside which servers are behind for example ttt.yyy.zzz.0 /24

You have to provide this information’s from network guys also they have to provide AS number which we will use it in our configuration

BGP_F_MX

You can do the %90 configuration from GUI also maybe need something via CLI.

On fortigate we are using firmware 5.x , configuration is done under one of the VDOM. You can access the screens from Virtual Domains and go under related VDOM, open Router , Dynamic and BGP section. You can see everything in one screen 😀

Screen Shot 2014-01-08 at 15.31.10

Set Local AS what provided from your network guys
Router ID will be your outside interface ip address in our example xxx.yyy.xxx.3Neighbors will be the peers in my example they are two MXs xxx.yyy.zzz.1 and xxx.yyy.zzz.2
No need to set the Networks because i will configure to advertise all my connected interfaces but if you want to you add the network want to advertise instead of advertise connected interface from CLI for example you can add ttt.yyy.zzz.0 /24

Now switch to CLI of Fortigate

config vdom
edit VDOM1 (choose your one)
config router bgp

end then execute this things

config redistribute connected

set status enable

end

Also in our config network guys extra configured next-hop-self configuration, a good post you can find from this link.

Some useful commands ;

Check the neighbors

get router info bgp neighbors

See the for such network which next hop is used

get router info bgp network

See the routing table

get router info routing-table details

Don’t forget to test failover scenarios because BGP converge time can be slow , need to play with timers, a good explanation about it in cisco community maybe can help you

Take a Care
VM

Fortigate and SSL VPN Configuration

I know you do not have enough time, go !!

First activate SSL VPN on forti.

Need to create ip pool which forti  will set when people connected, you can see below default forti already have such pre-configured one, if you want you can use it or create new object and set ip address range what you want assign to consumers , i generally add /24 C class

Need to modify routing table, add static route and forti should know what it will be do where it will route SSL-VPN source traffic for reach target

Device should be you interface which start with ssl.
No need to set default gw, leave 0.0.0.0 ,forti will handle it
Distance and priority is not important if you do not have other or more preferential one

Portals, i remember that SSL VPN and SSL VPN portals are pushed by Juniper, they have additional SSL VPN boxes for handle this jobs also extra cost and what good in Forti, no need to pay extra for it, but i don’t know what juniper do now !

Portals are used what customer/user sees when they login also applications are important because its affect how you configure the widgets later on

 

Set the name and application what you need, actually i used it for only use it on rules , after all changes pls don’t forget to click apply on left-top site

Pls set the ip range to portal what you created on second step like below and click OK (Click Edit on IP Pools and choose the IP Mode as a Range), after all changes pls don’t forget to click apply on left-top site

Create Users ….

 

Create Group and assign user and portal to group , to do it click SSL-VPN Access and choose portal from drop down , move the user right site

Last 2 steps …

First need to create auth rule, via this we will make authentication, you decide which ip address which destination,which group , which services and go !

and last thing

Where this customers/users allowed to access, need to write down a rule from network which assigned by forti to customer and target, where they need to access

Lets try , link should be like below if you did not change the port number on first step and give the username and pass and try to access

https://forti.out.site.ip:10443/remote/login

i wrote down forti.out.site.ip this is what outside ip of forti or related VDOM outside ip

For extra and more information maybe you would like to check out

http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-sslvpn-40-mr3.pdf

VM

VMware vSphere4/5 Cluster , FortiGate and isolation address issue

We had a problem about isolation address ping issue, somebody can say “you stupid” but i would like to create such article who can have such issue an maybe like us forgot or can imagine the problem

Short explanation, when you crate VMware vSphere4/5 cluster , default system check the isolation address which is default ESX/ESXi node/host gateway, which usually your firewall 🙂

When you install FortiGate and configure the “Administrator” settings like below (Black line indicate allowed IP address who can access FortiGate Box to manage)

 

Related picture indicate inside interface are allowed to ping

 

You can think that inside interface open for PING but don’t forget because of you activated Administrative access which was 0.0.0.0/0 (any) default and set some ip addresses which only can access to management Forti , now no any ESX/ESXi node/host can PING the their gateway and you will get an isolation error messages.

Pls add your ESX/ESXi node/host ip network in to Administrative access section , then you done !

VM

Factory Reset Your Fortigate

if you need to back to configure everything from the beginning , pls do ssh to telnet to your forti and under global (do ‘config global’) execute fallowing command, thats it

 

FGT1KB3911600635 (global) # execute factoryreset

This operation will reset the system to factory default!

Do you want to continue? (y/n)y

 

VM

Dynamic Routing OSPF Configuration for FortiGate

Hi ,

Instead of using static routing use OSPF for better management and flexibility.

To configure ;

config router ospf

config area

edit 0.0.0.0

next

end

PS: 0.0.0.0 is indicating routing table, in my configuration its 0.0.0.0 but maybe it could be different in your network pls ask to network guys …

config network

edit 1

set prefix xxx.xxx.xxx.xxx 255.255.255.248

next

end

PS: You should ask to network guys to with which network you will talk OSPF

config ospf-interface

edit “gig10”

set interface “port10”

next

end

PS: Also you should inform that via which interface you will talk OSPF, its generally your outside interface

config redistribute connected

set status enable

end

PS : This configuration explain that each internal stetted vlan interface or interface will be published to OSPF routing table

    set router-id xxx.xxx.xxx.xxx

end

PS : This is only a tag, not more, generally i set the interface ip address.

Regards
VM

Enable FortiGate vDOM Administration

Hi,

To enable FortiGate vDom administration pls run fallowing commands on console.

config system global

set vdom-admin enable

end

Thats it ..

VM