Thursday, December 23, 2010

FortiOS 4.0 MR2 Patch 3 Issues

In my experience, as well as other people who post to the Fortinet forums the 4.2.3 patch causes significant problems when accessing websites. The reason for this appears to be the IPS engine. Disabling IPS on a firewall rule restores normal speed, however you lose IPS functionality which is of course not desirable.

Stay tune for updates on this one.

Tuesday, December 21, 2010

It's an IPv6 World - Get out there and explore!

Have you been dying (like me) to get your hands dirty and head down the information highway in all of its IPv6 glory? Ever wondered if Google REALLY looks different when viewed via IPv6? ;)

Here is a quick walkthrough on how to get started even if your ISP does not provide IPv6 natively yet.

  • Register for an account with an IPv6 Tunnel Broker. I am using Hurricane Electric. Sign-up for a free account at
  • Once your registration is confirmed login to and use the "Create Regular Tunnel" user function to allocate your IPv6 address space.
  • Hurricane Electric (HE) will try to determine the closest of their POPs. You can manually override if required.
  • In the "IPv4 endpoint (your side of the tunnel)" enter the public IP address of the WAN interface of the Fortinet. This of course works best when you have a static IP address. If your provider assigns you a dynamic IP address you will have to adjust your tunnel configuration on the HE website every time your IP changes. Most likely the IP address listed in "You are viewing from IP" will be your WAN IP.
  • HE will now provide you with your tunnel details.
On to the Fortinet configuration. This must be done via the CLI.

  • config system sit-tunnel
  • edit "HE" (the name you want to give to this tunnel/interface)
  • set destination (HE Server IPv4 address)
  • set interface wan1 (the WAN interface of your firewall)
  • set source (the public IP address of your firewall that you specified above)
  • set ip6 2001:x:x:x::2/64 (HE Client IPv6 address)
  • end
HE will assign a /64 subnet for routing between their equipment and your firewall. Think of this as using a /30 in IPv4. Except in this case you are only using two IP addresses out of a space that is the entire IPv4 Internet address space squared, i.e. you are "wasting" eighteen quintillion, fourhundred forty-six quadrillion, sevenhundred forty-four trillion, seventy-three billion, sevenhundred nine million, five hundred fiftyone thousand, six hundred and fourteen addresses :)

HE will also assign you a /64 subnet for use behind the firewall on your network. For most people trying this at home 18,446,744,073,709,551,616 IP addresses should be plenty.
If you need more space than this, or as is more likely the case, more subnets you can select the "Assign /48 subnet" in the Tunnel Details page on the HE website. This will provide you with 65,536 subnets for internal use.

Now back to the Fortinet GUI. When you configured the sit-tunnel the name you assigned on the CLI will now show up as a firewall interface in the GUI.

Router -> Static Route -> Create New -> IPv6 Route
  • Destination IP/Mask: ::/0 (the default route in IPv6 notation)
  • Device: the tunnel interface you created earlier via the CLI (in my example "HE")
  • Distance: 10
  • Priority: 0
Firewall -> Policy -> IPv6 Policy -> Create New
  • Source Interface: internal
  • Source Address: all
  • Destination Interface: tunnel interface (in my example "HE)
  • Destination Address: all
  • Service: Any
  • Action: Accept
System -> Network -> Interface -> Internal
  • IPv6 Address: An address out of the "Routed /64" from the "HE Tunnel Details" page. For example if HE has assigned 2001:1234:4567:9999::/64 as your "Routed 64" your firewall internal IPv6 address could be 2001:1234:4567:9999:1::/64
Also don't forget to configure your workstation with IPv6. On the "Tunnel Details" page HE provides examples for IPv6 interface configurations for a number of operating systems including Linux and Windows. In the above example your workstation IP could be 2001:1234:4567:9999:2::/64. When configuring Windows simply ignore the error message about multiple default gateways. Windows will only use the IPv6 default gateway when sending IPv6 traffic.

Enjoy the holidays.

Friday, December 17, 2010

Software Updates

Wow, long time no post :)

  • 4.0 MR2 Patch 3, Build 303
  • 4.0 MR2 Patch 3, Build 221
    It seems like the FG/FWF60C are still having issues as the release for this new platform is still behind just like last time.