Wednesday, January 14, 2009

Bulk Host/Network Object Import

Using the method described here, you can import bulk commands through the Fortinet GUI. If you have a long list of IP addresses you want to import and have Microsoft Word handy, you can use the following trick to turn your list into a bulk import file:

-copy and paste your IP addresses (one IP address per line) into a new Word document
-bring up the replace dialog in Word and insert the following
-Find what: (<*>).(<*>).(<*>).(<*>)
-Replace with: edit h-\1.\2.\3.\4^lset subnet \1.\2.\3.\4 255.255.255.255^lnext
-check "Use wildcards"
-click "Replace All"

VERY IMPORTANT
-add "config firewall address" to the top of your file
-save your file as plain text
-follow this procedure to import your bulk commands.

Before:
192.168.1.1

After:
edit h-192.168.1.1
set subnet 192.168.1.1 255.255.255.255
next

Obviously you can adjust the h-IP.add.re.ss naming convention to suit your needs. You can also use the above syntax for creating lots of network objects by replacing the netmask with 255.255.255.0 or similar.
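The same transformation as a script, as an added example rather than part of the original post: it produces the post's edit/set/next blocks under a "config firewall address" header, but unlike the Word wildcard pattern (which accepts any four dot-separated words) it validates each line as an IPv4 address and reports the lines it rejected. The sample input, the "h-"/"n-" prefixes and the closing "end" line are this example's own assumptions.

```python
"""Build FortiGate 'config firewall address' bulk-import text from an IP list.

Added example, not from the original post: reproduces the Word replace
described above, plus validation the wildcard pattern cannot do.
"""
import ipaddress

# Constructed sample input: one address per line, including three lines the
# Word pattern (<*>).(<*>).(<*>).(<*>) would accept but a FortiGate would not.
SAMPLE_LIST = """\
192.168.1.1
10.0.0.5
10.0.0.256
not.an.ip.addr
172.16.0.0/24
"""


def address_entry(ip_text, netmask="255.255.255.255", prefix="h-"):
    """Return one edit/set/next block using the post's 'edit h-<ip>' naming.
    Raises ValueError for anything that is not a plain IPv4 address, so bad
    lines surface here instead of failing on the firewall CLI."""
    ip = ipaddress.IPv4Address(ip_text)                     # rejects 10.0.0.256 etc.
    ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)  # rejects a bad netmask early
    return f"edit {prefix}{ip}\nset subnet {ip} {netmask}\nnext\n"


def build_import(text, netmask="255.255.255.255", prefix="h-"):
    """Wrap every valid line in the 'config firewall address' block the post
    says must be at the top. The trailing 'end' closes the block as the
    FortiGate CLI expects (assumption: the import procedure does not add it).
    Returns (config_text, rejected_lines)."""
    entries, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(address_entry(line, netmask, prefix))
        except ValueError:
            rejected.append(line)
    config = "config firewall address\n" + "".join(entries) + "end\n"
    return config, rejected


if __name__ == "__main__":
    cfg, bad = build_import(SAMPLE_LIST)
    print(cfg)
    print("rejected:", bad)
```

Passing netmask="255.255.255.0" and prefix="n-" gives the network-object variant the post mentions.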

Sunday, January 11, 2009

Hard Disk Logging Problems

If you are using a Fortigate model which has an on-board hard drive for logging locally and you don't see it show up in the "Log Access" section of the GUI, try the following on the command line:

config log disk setting
set status enable
end

Then log out of the GUI and log back in. The "disk" option should now show in the "Log Access" section of the GUI. If it still does not show, run the following command:

diag hardware deviceinfo ide hda

This will provide status on your logdisk on the Fortigate 800 and 1000 series. If your system does not show any information, the log disk may have failed and you may have to RMA the drive or the entire unit.

Monday, January 5, 2009

Traffic Sniffer on PPPoE Interfaces

When you are investigating traffic on PPPoE-enabled interfaces, you need to use a special interface to debug packets. For example, suppose your WAN1 interface is connected to your ISP via PPPoE. If you simply use the "diag sniffer packet wan1" command, all you see are PPPoE-encapsulated packets, not the actual source or destination traffic.
To investigate the packets on the WAN1 interface before they are encapsulated, use the "ppp0" (that's a zero) interface.

Example: "diag sniffer packet ppp0"