Tuesday, July 21, 2009

FortiOS, Sonos Network Music Players and Pandora

If you happen to own one of these cool things (http://www.sonos.com) and you listen to music via their Pandora plugin, you might experience some problems with firewall protection profiles in FortiOS 4.x. After upgrading to the latest beta version of 4.1 I was unable to play Pandora music any longer. Playing with the protection profiles I noticed that you have to ensure that under Firewall -> Protection Profile -> Anti-Virus the "Comfort Clients" option is enabled. Pandora receives music via port 80. Apparently the firewall tries to scan the music stream for viruses, which causes the Sonos Pandora plugin to time out. The mechanism is that the antivirus proxy holds back an HTTP response until it has been scanned; a continuous music stream never completes, so nothing is delivered to the player and it gives up. Client comforting sends a trickle of bytes to the client while the rest is buffered, which keeps the connection alive. Keep in mind that those comfort bytes are forwarded before scanning has finished, so the option trades a little scanning coverage for usability on long downloads and streams.
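The same change expressed at the CLI, as an added example that is not part of the original post. The profile name "sonos_profile" and the comfort amount and interval are assumptions; the option names are as I recall them from the FortiOS 4.0 CLI reference for "config firewall profile" and should be checked against the release you are running before use.

```fortios
# Added example, not from the post. Profile name and values are assumed;
# verify the option names against your FortiOS CLI reference.

# Profile as it was: HTTP antivirus scanning with no client comforting.
# The proxy buffers the whole response before forwarding it, so an
# endless audio stream is never delivered and the Sonos plugin times out.
config firewall profile
    edit "sonos_profile"
        set http scan
    next
end

# Corrected: add clientcomfort so a small amount of data reaches the
# client at a fixed interval while the buffer fills. Trade-off: those
# bytes leave before the scan verdict, which is the price of the setting.
config firewall profile
    edit "sonos_profile"
        set http scan clientcomfort
        set httpcomfortinterval 10
        set httpcomfortamount 1
    next
end
```

If you would rather not comfort every HTTP client behind the profile, apply the comforting profile only to the policy that carries the Sonos traffic and leave the stricter profile on everything else.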

Monday, July 20, 2009

Combining Firewall Interfaces

Sometimes there is a need to combine multiple firewall interfaces to function like a switch or hub (for those of us who remember what a hub is :). A good example would be the internal interface of a FortiWifi and the WLAN interface. If your firewall is in NAT mode you have to assign separate IP addresses in different subnets to each interface.

Now let's assume you have some kind of device on your network like a Sonos music player. Your laptop is on the wireless network provided by the FortiWifi and the Sonos is on the wired net. Even if you have policies permitting all traffic between your wired and wireless networks, your laptop will not be able to find the Sonos player. This is because the Sonos is discovered via broadcasts, which a router (the FortiWifi included) does not forward between subnets; the unicast traffic that follows discovery would pass your policies fine, but discovery itself never succeeds. Slingboxes and many other devices rely on the same mechanism.

The answer is to combine the WLAN and internal interfaces into a new "switch" interface. This can be done from the command line. As a prerequisite you must not have anything referencing the interfaces you wish to combine, such as firewall policies, routes, DHCP servers, etc. You also need to be running at least FortiOS 3.0 MR6. Here's an example of how to set it up:

** Important: You should enable https or ssh access on an interface other than the ones you are combining. When you combine the internal interface with another one you will lose connectivity to the internal interface until you access the firewall either via the console or another interface and configure an IP on the newly created interface. (Thanks for the heads up Simon). **

config system switch-interface
    edit Lan
        set member internal wlan
    next
end

You now have a new interface in the GUI called Lan that combines the internal and wlan interfaces, and it is the interface you reference when creating policies. Any traffic between the two member interfaces is always allowed, broadcasts included, because they are now part of the same "switching zone"; that traffic is switched, not passed through your firewall policies, so only combine interfaces that you already treat as a single trust zone.
There are a number of other options for this command. For more information go ahead and check out the FortiOS CLI reference at http://docs.forticare.com
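The whole procedure in one place, written as an added example rather than copied from the post or from Fortinet documentation. It assumes a FortiWifi whose Internet-facing interface is wan1, that policy ID 1 and DHCP server ID 1 are the only objects referencing internal (example IDs; list yours with "show firewall policy" and "show system dhcp server"), that 192.168.1.99/24 is a free address for the new Lan interface, and, as a further assumption, that a switch member must carry no IP address of its own, which is why the member addresses are cleared first. The syntax is the FortiOS 4.x form; older 3.0 MR6 builds may differ in details.

```fortios
# Added example, not from the post. wan1, the object IDs, the addresses
# and the need to clear member IPs are all assumptions; adapt to your unit.

# 1. Keep a way in: admin access on an interface that is NOT being
#    combined, since internal loses its address once it becomes a member.
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end

# 2. Remove everything that references the future members: policies,
#    static routes, DHCP servers. Here: one policy and one DHCP server.
config firewall policy
    delete 1
end
config system dhcp server
    delete 1
end

# 3. Clear the members' own addresses (assumed requirement for a member).
config system interface
    edit "internal"
        set ip 0.0.0.0 0.0.0.0
    next
    edit "wlan"
        set ip 0.0.0.0 0.0.0.0
    next
end

# 4. Create the software switch. "switch" learns MAC addresses and
#    forwards frames only where needed; "hub" floods every frame to all
#    members.
config system switch-interface
    edit "Lan"
        set type switch
        set member internal wlan
    next
end

# 5. Address the new interface and restore admin access on it.
config system interface
    edit "Lan"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
end

# 6. Policies now reference Lan. Traffic between internal and wlan is
#    switched inside Lan and never consults this (or any) policy.
config firewall policy
    edit 1
        set srcintf "Lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
```

Re-create the DHCP server on Lan afterwards if the members used to hand out addresses; a single scope on the combined interface is all that is needed, since both wired and wireless clients now share one subnet.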

** It appears that combining interfaces using this "software switch" causes problems with various forms of spanning tree (STP) **

Monday, July 6, 2009

Software Updates

Current Updates

FortiOS:
4.0.3, Build 106
(I had been anxiously awaiting this one but still managed to leave it off the list, so thanks Guzik for reminding me ;)

FortiAnalyzer:
3.0 MR 7 Patch 5, Build 733

FortiMail:
3.0 MR5 Patch 1, Build 517

FortiWeb:
3.22, Build 98