Tuesday, April 29, 2008

Web URL Filtering does not block Websites

If you have defined a Web URL filter for blocking certain web sites but simply can't seem to get it to work (i.e. you can still access the websites you want to block) try restarting the HTTP proxy. On the CLI enter the following command:

diag test application http 99

Friday, April 25, 2008

Web URL Filtering breaks SSL communication

If you have run into problems with devices exchanging configuration updates over SSL on port 443 while Web URL Filtering is enabled, try disabling the filtering for HTTPS. Fortinet TAC is currently investigating this issue.

Wednesday, April 23, 2008

Fortimanager Device Synchronization

In the latest releases of Fortimanager there is no longer a "Synchronize all Devices" button in the GUI. If you have made changes to your firewalls through their individual Web interfaces you can bring all your configurations up to date in your Fortimanager using the following CLI command:

execute fmpolicy reload group "groupname"

(hit ? for a list of groups)

Thursday, April 17, 2008

Friday, April 11, 2008

Packet capture - SYN packets only

To capture only SYN packets (i.e. packets trying to initiate a session) you can use the following CLI command.

diag sniffer packet internal 'tcp[13] == 2'

This can be useful when you are trying to investigate suspicious activity on the network.
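As an added illustration (not part of the original post), the following Python decodes constructed IPv4/TCP packets and applies the same test as the sniffer filter above: tcp[13] is the TCP flags byte, and comparing it to 2 keeps pure SYNs while dropping SYN-ACK replies and ordinary data packets, which is what you want when counting connection attempts per source.

```python
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10   # bits of the TCP flags byte (offset 13 in the TCP header)

def build_packet(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal 20-byte IPv4 header plus a 20-byte TCP header (constructed test data)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    # data offset 5 (20 bytes) in the high nibble, flags in the following byte
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr

def tcp_flags_byte(packet):
    """Return the byte that the BPF expression tcp[13] refers to."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    return packet[ihl + 13]

def is_syn_only(packet):
    """Equivalent of the sniffer filter 'tcp[13] == 2': SYN set and no other flag."""
    return tcp_flags_byte(packet) == SYN

def syn_sources(packets):
    """Count connection attempts per source IP, ignoring SYN-ACK replies and data packets."""
    counts = Counter()
    for pkt in packets:
        if is_syn_only(pkt):
            counts[".".join(str(b) for b in pkt[12:16])] += 1   # IPv4 source address
    return counts

# Constructed sample traffic: one host probing three ports, one SYN-ACK reply, one ACK
SAMPLE = [
    build_packet("10.0.0.5", "10.0.0.20", 40000 + p, p, SYN) for p in (22, 80, 443)
] + [
    build_packet("10.0.0.20", "10.0.0.5", 80, 40080, SYN | ACK),
    build_packet("10.0.0.5", "10.0.0.20", 40080, 80, ACK),
]

if __name__ == "__main__":
    print(syn_sources(SAMPLE))   # Counter({'10.0.0.5': 3})
```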

Thursday, April 10, 2008

IPSEC VPNs - Advanced NAT

Here are some pointers for when you are trying to build an IPSEC VPN to a remote organization and they NAT the remote host due to address overlap.

For example:

Remote Host: 172.16.1.2
Translated Public IP: 2.2.2.2
Remote Firewall: 2.2.2.1 (Cisco 3000 Series VPN Concentrator/PIX/ASA)

Local Firewall: 3.3.3.1 (Fortigate)
Local Network: 172.16.1.0/255.255.255.0 (NAT traffic to external firewall interface)

Begin by reading this previous post: Advanced IPSEC with Phase 2 Quick Mode Selectors
The one change to note is that you need to configure this scenario in policy mode. There is either a bug or a "feature" which prevents the NAT from working correctly in interface mode. I am currently investigating.

The challenge for the above scenario is typically to select the correct phase 2 source and destination addresses to match the remote access lists. In the above example your local configuration should look similar to the following:

config firewall address
    edit "net-172.16.1.0/24"
        set subnet 172.16.1.0 255.255.255.0
    next
    edit "host-2.2.2.2"
        set subnet 2.2.2.2 255.255.255.255
    next
    edit "host-3.3.3.1"
        set subnet 3.3.3.1 255.255.255.255
    next
end

config firewall addrgrp
    edit "encdom-local-remote"
        set member "net-172.16.1.0/24" "host-3.3.3.1"
    next
end

config vpn ipsec phase1
    edit "Remote_Firewall"
        set interface "external"
        set dpd disable
        set nattraversal enable
        set dhgrp 2
        set proposal 3des-md5
        set keylife 86400
        set remote-gw 2.2.2.1
    next
end

config vpn ipsec phase2
    edit "Remote_Tunnel"
        set phase1name "Remote_Firewall"
        set proposal 3des-md5
        set src-addr-type name
        set src-name "encdom-local-remote"
        set dst-addr-type name
        set dst-name "host-2.2.2.2"
        set keylifeseconds 28800
    next
end

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "net-172.16.1.0/24"
        set dstaddr "host-2.2.2.2"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set profile-status enable
        set logtraffic enable
        set profile "scan"
        set outbound enable
        set natoutbound enable # Hide traffic behind the firewall's external interface
        set vpntunnel "Remote_Firewall"
    next
end

Here is what you are telling the firewall: Take my traffic from 172.16.1.0/24 and send it through the VPN tunnel to the remote firewall. NAT the traffic so it appears to be coming from my firewall's external interface 3.3.3.1.
Notice that in the phase 2 quick mode selectors you specify both 3.3.3.1 as well as your local network 172.16.1.0/24. Otherwise the phase 2 parameters sent to the peer do not match.
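Hand-typed address names are the easiest thing to get wrong in a configuration like the one above: a policy or phase 2 entry that refers to an address object spelled differently from its definition silently selects nothing. As an added example (not from the original post, and not a Fortinet tool), the Python below parses the FortiOS config/edit/set/next/end layout with a small toy parser and reports such dangling references; the embedded configuration is a constructed sample that contains one deliberate mismatch.

```python
import shlex

# Constructed sample in the FortiOS CLI layout; "n-172.16.1.0/24" is deliberately undefined
SAMPLE_CONFIG = """
config firewall address
    edit "net-172.16.1.0/24"
        set subnet 172.16.1.0 255.255.255.0
    next
    edit "host-2.2.2.2"
        set subnet 2.2.2.2 255.255.255.255
    next
end
config firewall policy
    edit 1
        set srcaddr "n-172.16.1.0/24"
        set dstaddr "host-2.2.2.2"
        set natoutbound enable # hide traffic behind the external interface
    next
end
"""

def parse_fortios(text):
    """Toy parser: config/edit/set/next/end -> {table: {entry: {key: [values]}}}."""
    tables, path, entry = {}, [], None
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)   # drops trailing '# ...' comments
        if not tok:
            continue
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
            tables.setdefault(path[-1], {})
        elif tok[0] == "edit":
            entry = tables[path[-1]].setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] == "end":
            path.pop()
    return tables

def dangling_address_refs(tables):
    """List addrgrp, phase 2 and policy settings that name an address object that does not exist."""
    defined = set(tables.get("firewall address", {})) | set(tables.get("firewall addrgrp", {}))
    checks = [("firewall addrgrp", "member"), ("vpn ipsec phase2", "src-name"),
              ("vpn ipsec phase2", "dst-name"), ("firewall policy", "srcaddr"),
              ("firewall policy", "dstaddr")]
    return [f"{table} {entry}: {key} refers to undefined address '{name}'"
            for table, key in checks
            for entry, settings in tables.get(table, {}).items()
            for name in settings.get(key, [])
            if name not in defined]
```

Running `dangling_address_refs(parse_fortios(open("config.txt").read()))` against a `show full-configuration` dump would flag the same class of mistake before the tunnel is brought up.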

Monday, April 7, 2008

Recommended Reading

Migrating to IPv6 - A practical guide to implementing IPv6 in mobile and fixed networks
Author: Marc Blanchet
ISBN: 0-471-49892-0

A must read if you are even thinking about implementing IPv6 in your network.

Sunday, April 6, 2008

Fortinet Maximum Values by Platform

Ever wondered about the maximum number of interfaces, VLANs, VPN tunnels or static routes that you can define for your Fortigate platform? Here is a very helpful list of all features and their maximum values broken down by platform.
Fortinet Maximum Values Matrix

Tuesday, April 1, 2008

Pedal to the metal with FortiAnalyzer

Beginning in 3.0 MR3 FortiAnalyzer supports the ext3 file system in addition to the Reiser file system used in previous versions. The ext3 file system provides much better stability and it is the recommended filesystem to use on all FortiAnalyzer units. To convert to the ext3 filesystem, upgrade your FortiAnalyzer to 3.0 MR3 or above and then either reformat your log disks or change RAID levels; both operations erase all stored information.

Beginning in MR4 you can also speed up the FortiAnalyzer by indexing the ext3 file system. Execute the following command on the CLI: "diagnose sys file-system fsfix". This command will check and index the filesystem. It will take some time and reboot the FortiAnalyzer, however the performance increase is tremendous so this is highly recommended.

Also, Fortinet recommends that you run this command periodically if you receive a lot of log traffic.