Friday, October 21, 2011

Questions for the "Eggspehrts"

Got any burning Fortinet questions you want to ask?
Post them in the comments and our panel of knowledgeable Fortinet users will try to answer them.


dpmcintyre said...

Has anybody routed a block of public IPs down a VPN tunnel from the main site down to a remote spoke for use as VIPs?

I.e. the spoke site is dynamic, establishing its VPN right away. Can it be statically reachable from anywhere through a routed block down its VPN tunnel?

I've tried to set up the right routing/policies to allow the IP addresses to be routed, but I just haven't got the right combination yet. I'm using IPSec interface mode to try to make things easier.

Ben Boysza said...

Sorry for the delay - I didn't see this post!

I believe that yes, your wish is possible as long as the VPNs are done in interface mode.

Can you share with us your routes, interface IPs, VIPs and policies?

AxelT said...

What's the most efficient way of making exceptions for UTM application control rules?

Consider the following scenario:
A policy x with UTM and appcontrol x has been created to block several apps. Now - one user needs access to torrent traffic for legitimate reasons. As far as I can see - I then need to clone policy x to policy y, create appctrl y manually and change the source address to limit this to the one inside host, and do the same for the appcontrol list. So far so good. This is one app, one user - not a big problem, but what about if I have 10 users needing access to 10 different applications that should be blocked for everybody else... That's a lot of policies and app control lists. And every time the "global" appcontrol list needs to be changed you'll have to do the job 10 times.... or am I missing something here and there is a far better way of doing this? :)

Ben Boysza said...

Axe, that sounds about right! However, the only way (off the top of my head) I could think of to make this easier would be to enable and use the 'Identity Based Policy' option. I'm sure you realize you'll still need separate Application Sensors. But, the good news is that in the end, you could have a Windows User Group that would be "mapped" to the appropriate Application Sensor. Does this help?

AxelT said...

that was what I was afraid of :)

I'll look into the identity based policy.


Ben Boysza said...

Let us know if you need any more explanation.

kloby said...

Under traffic log I have lots of these messages:

Message "no protocol tuple found, drop."
Service "5/1/icmp"

All started when I updated Fortigate 200A with new MR3 Patch 1.

What does this message mean?

Ben Boysza said...

ICMP was malformed. Someone sent you some bad ICMP packets. Are you sure that wasn't in the Attack log?

kloby said...

No it is on traffic log.

Most of these messages are between the Fortigate and my servers (DNS mostly).

I think that the Fortigate does not recognize ICMP packets anymore.
Services that are shown in the log are 5/1/icmp and 3/3/icmp.
I allowed ICMP between the Forti and the servers but nothing.

RedPill said...

I have seen something similar on my home Fortigate 60C after I moved to MR3. My Xbox no longer plays nice at all, to the point where it doesn't even NAT anymore. I have also seen some of my VMs in Hyper-V freak out. Very odd.

kloby said...

Ok, I managed to solve the ICMP 3/3 error. When I checked my traffic with Wireshark I found that the NTP service on my domain controller wasn't reachable on port 123/UDP. I restarted the service and the domain server was listening again on port 123.

So the conclusion about this error message "no protocol tuple found, drop." is that it means that some port, in this case, was not open.

Hope it will help someone.

Anonymous said...

Can Fortigate OS 4.3.2 support Oracle sessions with a session helper without the predefined Oracle service? Or only with ANY?


Sebastian said...


I'm not sure that FortiOS has a session helper specifically for Oracle. Can you provide some more details about what it is that you're looking for?

Anonymous said...

"The TNS session helper sniffs the return packet from an initial 1521 SQLNET exchange and then uses the port and session information uncovered in that return TNS redirect packet to add a temporary firewall policy that accepts the new port and IP address supplied as part of the TNS redirect."

CLI Guide 4.3.2
But what is the predefined service for this helper?

DCE-RPC or ANY is necessary for the RPC session helper.

Matthew said...

Has anyone successfully established an IPsec VPN connection from an iPad 2 to a Fortigate 620B?

slash28 said...

I'm running older code (3.0MR6) and I'm wondering about possible dNAT (VIP) improvements in newer releases. I can currently create a simple, global dNAT using a VIP (without port forwarding), or I can create a semi-conditional dNAT with port forwarding enabled. My problem is that even the VIP w/PF is still restricted to a single dNAT IP. I want to build different dNAT destinations based on source IP, not just dest port. Example:

srcA --> vipA:25/tcp ==> dNAT dstA
srcB --> vipA:25/tcp ==> dNAT dstB

Unfortunately, the 2nd line doesn't seem to be possible (at least not on my code level). I can do this on other platforms, so I'm hoping I just need to upgrade to get improved functionality.

Marco said...

Hello guys
1st time I post something here but I have been sniffing the blog for a long time :)

I had some issues building up an IPsec VPN connection (either route based or policy based) with my Fortigate 3600A 4.2 (patch 9). I followed the steps in the VPN guide and some other configuration examples that I found but still no connection from the remote site, not even phase 1.
So can anyone paste simple configuration steps for an IPsec VPN connection?

Thank you in advance


Anonymous said...

Is FSSO (latest version) compatible with Fortigate 4.0 MR2?

Ben Boysza said...

@Marco - can you post your IPSec configuration instead? This way we may be able to tell you where your problem is.

@Anonymous - Looking over the docs, FSSO 4.3.0 B0108 is compatible with MR2 P9, and I would think Patch 8 as well.

Marco said...

Thank you for the reply Ben

I will post it as soon as I get back to my workplace.

Marco said...

Remote Gateway: dialup user
Local Interface: my local intf
Mode: MAIN id
Authentication Method: preshared
Pre-shared Key
Peer Options: accept any peer ID

Enable IPsec intf
NAT traversal: enable

Phase 2
recall phase1 name
DHCP IPsec (got a static route that connects to my DHCP server in relay mode)

FW policies

ipsec intf ----> local intf
source all, destination all, action accept, no NAT
local intf ----> ipsec intf
source all, destination all
accept, no NAT

I have followed the simple dial-up configuration found in the IPsec VPN handbook.

FlavioB said...

Hello everybody.

Connecting clients through an IPSec VPN tunnel from one site to the HQ. Clients only do ssh/telnet, but after some inactivity (1 hour) they get disconnected and have to re-logon. Is this an issue for the "session-ttl" parameter? I've actually set this parameter to be far greater than usual "standards", but would like to know if it's OK doing so. My thoughts are as follows: if FGT60C has session-ttl of 5 hours but my Windows clients still use their standard values (3600 or 7200 seconds), wouldn't the session still get disconnected *before* the Fortigate timeout has been reached?

I'm a bit confused about this issue...

Kind regards,

Ben Boysza said...

@Marco - With an IPSec Interface, you need to add a route to direct the remote traffic through the IPSec Interface, otherwise the VPN module will never see that you're trying to send traffic that way. You add the destination network, select the IPSec Interface, and gateway will be blank.

@FlavioB - Telnet (client) does not have a keep alive function. With SSH, some clients have this feature but you need to turn it on (Putty has it). The FGT establishes a session for your traffic, and after a period of idleness, you're disconnected as the ttl runs out. I've dealt with this before, and what I did was create a policy for just Telnet (over IPSec, you can still have multiple policies using the same tunnel) and then set session-ttl 43200 (or some other crazy high time). This way, the setting only affects Telnet and the other apps carry on as usual.

FlavioB said...

Hello Ben and thanks for replying so quickly! :-)
I understand your explanation and I set the session-ttl for that single policy to be 18000.
Still, I don't understand this thing of different session timeouts: do they depend on the software (telnet, ssh, internet explorer) or are they defined on an OS-basis? Or, again, is the firewall responsible for setting and respecting the session-ttl?
I'd be glad to get a detailed explanation of this, as it is vital to understand in such a situation.

Keep on with this great blog!

Sebastian said...

Hi Flavio,

The timeouts are protocol (i.e. port) based. For example you can set the timeout for TCP port 22, which would affect any SSH session or anything else running over TCP port 22.
There is no application awareness when setting session ttl values; they are strictly destination port based.
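The two ways of setting the idle timeout discussed above (Ben's per-policy session-ttl and Sebastian's port-based one), written out as an added example that is not from the thread. Policy id, interface names and the tunnel name are assumptions; the syntax is FortiOS 4.x CLI.

```fortios
# Added example (not from the original thread). Policy id 20, the interface
# "internal" and the IPsec interface "VPN-Tunnel-1" are assumed names.

# 1) Per-policy override (Ben's approach): only the Telnet-over-VPN policy keeps
#    idle sessions for 12 hours; every other policy keeps the default.
config firewall policy
    edit 20
        set srcintf "internal"
        set dstintf "VPN-Tunnel-1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "TELNET"
        set session-ttl 43200      # seconds; 0 means "use the system/port default"
    next
end

# 2) Port-based override (Sebastian's point): applies to anything on TCP/22,
#    whichever policy the session matches and whatever the application is.
config system session-ttl
    set default 3600               # system-wide idle timeout in seconds
    config port
        edit 1
            set protocol 6         # 6 = TCP
            set start-port 22
            set end-port 22
            set timeout 18000      # 5 hours, the value FlavioB chose
        next
    end
end
```

Either way the firewall only stops tearing down its own state; a client or server that closes an idle TCP connection itself will still end the session. The remaining idle time of a live session is visible as the expire value in "diagnose sys session list".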

FlavioB said...

Hi Sebastian, thanks for your reply.
AFAIU I only need to set this session-ttl on the Fortigate of the destination/target location (where the server stands), right?


Andi said...

No question, but a hint:
After the upgrade from 4.0MR2P7 to 4.0MR3P3, I had big troubles with the web GUI. Address objects weren't shown, I wasn't able to select IPSec tunnels from the drop-down list and so on.

My problem was, and this is "new" in 4.0MR3:
If you got anywhere german "Umlaute" which are "ä/ö/ü" or also "ß", the web gui behaves strange and won't show everything correctly - but the ruleset still works. You can simply save the config, search and replace for those letters, restore the cleaned config and you are done. After that the gui works again like it should.

Sebastian said...

Nice one. But really, who would want to use such strange characters anyways?

Grue(ü)ss(ß)e aus Texas ;)


Marco said...

Thanks for the reply Ben.
Forgot to mention that I'm in a multiple VDOM environment where my local resources are handled by a different VDOM from the one that handles outside connectivity.

Sorry for my poor English, I hope it's as clear as possible.

I have created the static route with the IPsec interface as DG.

For authentication purposes I made a local user.

So my question is: in the advanced options of phase1, do I need to enable the xauth server?

Is the configuration that I pasted previously correct?

Thanks for your time btw.

FlavioB said...

Hello everybody.
As it seems to have settled down, I'll open a new discussion: BLACKHOLE ROUTES.
Anybody doing that stuff? I've been taught that it is a "good practice" whenever IPSec VPNs are being used. When a VPN would fail, the blackhole route would intervene and discard packets trying to go through the VPN tunnel... any comments about this? Is this all one needs to know about blackhole routes?

Kind regards!

Sebastian said...

It is possible that if a VPN tunnel goes down the firewall will attempt to route traffic originally destined for the VPN via the default route (typically out to the Internet).

In order to prevent any possibility of this you can use a blackhole route. This is easy on a route where you define a production route and then a route with a higher distance to the null interface.
Fortinet doesn't have a null interface though.

Can anyone share how they have set this up?

FlavioB said...

I've been taught to do it like this:

config router static
edit 0
set blackhole enable
set distance 100
set dst
next
edit 0
set blackhole enable
set distance 100
set dst
next
edit 0
set blackhole enable
set distance 100
set dst
next
end

When you look at the Routing Monitor, you'll see those routes pointing to "null" interface.

If there's an other way to do it, just tell me!


Ben Boysza said...

I've dealt with this many times as well. Well, every time you've got an IPSec tunnel this is an issue.

Forget about null routing - it's unnecessary, and affects the entire routing table, which may not be desirable.

I've always just simply added a deny policy for private subnets (or subnets that are to be tunneled) after the encrypt policy. This way, the traffic is always trying to go the same "route", but is bouncing off the invalid encrypt policy and then dying at the deny policy.

André Queiroz said...

Hi all.

I have a Fortigate 200B and it's working with FortiOS 4.0 MR3 P1.
The unit has FSM.
I'm having trouble logging MSN chat.
I have a ticket open with Fortinet.
I think that the source of the problem is the SQL.
Fortinet support told me to downgrade from MR3 patch 3 to MR3 patch 2 and I still have problems with logging.
I use one policy with a DLP sensor content archive and the web, FTP, email are logging fine but the IM logging is not working.
At the bottom of the logging page I receive a warning: SQL logging is not enabled.
Can you help me?

FlavioB said...

@Ben: could you explain any deeper? You wrote about "after the encrypt policy", therefore I guess we're not talking about the same thing. I am talking about IPSec VPN Tunnels in "Interface Mode", where I have policies like "VPN-Tunnel-1-->internal" and alike.

Kind regards,

Ben Boysza said...

@Flavio - It will still work. Remember, the goal is to keep traffic from establishing a stubborn session in the firewall session table. If the IPSec Interface goes down, the traffic will then want to flow via the greater, default route. So, if that happens to be Internal->Wan1, for example, then you would just add a deny policy at the top of that interface pair's policy section. Since the traffic is denied, a session is never built. When the routing is restored, the traffic will then take the 'tighter', more appropriate route.
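Ben's deny-policy approach for an interface-mode tunnel, as an added example that is not from the thread. The address object, subnet, policy ids and interface names are assumptions; the syntax is FortiOS 4.x CLI.

```fortios
# Added example (not from the original thread). "REMOTE_LAN", 10.20.0.0/16,
# the interfaces "internal"/"wan1"/"VPN-Tunnel-1" and policy ids are assumed.
config firewall address
    edit "REMOTE_LAN"
        set subnet 10.20.0.0 255.255.0.0    # constructed remote-site subnet
    next
end

config firewall policy
    # Normal encrypt policy: traffic for the remote LAN through the tunnel.
    edit 10
        set srcintf "internal"
        set dstintf "VPN-Tunnel-1"
        set srcaddr "all"
        set dstaddr "REMOTE_LAN"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    # Deny policy on the interface pair the default route would use. When the
    # tunnel interface is down, routing falls back to wan1; this policy matches
    # before any internal->wan1 accept policy, so no session is ever created and
    # nothing destined for the remote LAN leaves in the clear.
    edit 11
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "REMOTE_LAN"
        set action deny
        set schedule "always"
        set service "ANY"
        set logtraffic enable               # hits on this policy mean the tunnel is down
    next
    # Order matters: put the deny above the first existing internal->wan1 policy
    # (assumed here to have id 1).
    move 11 before 1
end
```

Once the tunnel comes back, the more specific route through VPN-Tunnel-1 wins again and policy 10 is the one that matches.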

Ben Boysza said...

@Andre - The 200B has a SSD, correct? On the GUI - if you click on Config, under System - is SQL Database an option?

André Queiroz said...

FG200xxxxxxxx # get system status
Version: Fortigate-200B v4.0,build0328,110718 (MR2 Patch 8)
Virus-DB: 14.00965(2011-12-11 23:29)
Extended DB: 14.00000(2011-08-24 17:09)
IPS-DB: 3.00115(2011-11-30 16:49)
FortiClient application signature package: 1.446(2011-12-12 07:16)
Serial-Number: FG200Bxxxxxxxxx
BIOS version: 04000006
Log hard disk: Available
Internal Switch mode: switch
Hostname: FG200Bxxxxxxxxx
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 328
Release Version Information: MR2 Patch 8
System time: Mon Dec 12 18:46:40 2011

Ben Boysza said...

@Andre - Can you run "get sys sql" from the command line and post the output?

André Queiroz said...

So, my English is poor.
1. In MR3 P2 the system looks at memory and sees 2 disks, which doesn't happen on MR2.
2. On MR3, if I manually turn off one feature of SQL logging, the option appears under config log and on the log page I get a warning: SQL logging not enabled.
PS. On MR2 logging works fine, also the SQL and archiving, but on MR3 the interface looks clearer but is full of bugs.
I like MR3 but I'm forced to use MR2 because of logging and archiving.

I don't have a FortiAnalyzer.
If only I could specify where the file will be stored, like SQL DB archiving and woc.

Thank you

André Queiroz said...

get sys sql returns an error.

# get sys sql

command parse error before 'sql'

Command fail. Return code -61

André Queiroz said...

Ben, now I'm on MR2.
The problem is on MR3.

Ben Boysza said...

@Andre - MR3 has many logging changes. You may need to manually import your MR2 logs into the database on MR3 after you have enabled SQL on MR3. See:

André Queiroz said...

I have tried to delete all logs and start from zero.
Still not working.

Sebastian said...

Hi all,

I'm going to go ahead and close this thread. One of the things I don't want to do is to open an alternative support forum :)
Thanks for all the great questions and answers.
Fortinet also has a very active support forum at
(no support contract required as far as I know).

MRK said...



I have a Fortigate 310B to which the modem is connected. I have internal web servers, and an internal DNS server installed on the domain controller.

For providing internet to clients, I changed the secondary DNS IP address of the clients to the modem IP address. With this I am able to get internet but clients are unable to access the internal websites.

When I type the URL of an internal site in a browser the request goes to the modem (internet), not to the internal site.

How can I resolve it? Please help.

Anonymous said...

Hey there, partner!

Do you know if it is possible to schedule automatic restarts of a FortiGate/Wifi unit running 4.0 MR3, p3?

Sebastian said...

Not as far as I know. You could however use some type of scheduler to SSH into the box and execute an "exec reboot" command.

I'm curious why you would want to schedule reboots for a firewall?

Anonymous said...

Dear Sir,

Can you please tell me how to minimize high ips usage in 1240 fortigate model?

Please reply asap.

FlavioB said...

For rebooting the Fortigate unit, just enter the CLI and do as follows:

config system global
set daily-restart enable
set restart-time hh:mm
end


Anonymous said...

Just note that application control has the capability to change the session ttl, in regards to what somebody asked recently.

I know I am late, I missed this topic completely.


Anonymous said...

Counter in the policies is a nice thing, but:

How to clear ALL counter from CLI?

I found only guidelines on how to clear counters from the GUI...

In the GUI it is obvious... but on the CLI... and for all counters..

Anonymous said...

Are there any tools that work to remotely configure Fortigate firewalls besides the FortiManager? I have tried Kiwi CatTools and it doesn't seem to be working correctly.

madval said...

Hi, I have the following:
- Fortigate 310B unit, v4.0 MR3 Patch 5
- Fortigate unit is configured with two VDOMs; the first VDOM is named "root", operation mode is set to NAT; the second VDOM is named "voz", operation mode is set to Transparent
- FSSO 4.3 running on Active Directory Domain Controller
- Active Directory under Windows 2008 Server R2
- DNS Server integrated into Active Directory
- Fortigate is running DHCP Server for my network

The Fortigate unit (specifically the root VDOM) and my AD are configured to allow Internet access to some AD groups, and it's "working fine". But often, AD users have problems browsing the Internet.

I check FSSO Agent "Show Logon users" and one of the following is true:
- AD User is not listed in the "Logon users list"
- AD User is listed, but his Status is "Not Verified"
- AD User is listed, and Status is "OK"

No matter which of the previously listed conditions is true, sometimes the user is not listed in the monitor when I check the Web GUI: User > Monitor > Firewall

What can cause this behavior?

Anonymous said...

I have an intranet with 8 sites running a mix of 80C and 60C units. I am setting up dynamic routing over my IPSec tunnels. Would you recommend BGP or OSPF? I generally prefer BGP but I've heard the 60C units may not handle the load. Any thoughts?

Unknown said...


I am having an issue with our Fortigate 310B. We have a load balancer sitting behind it with a cluster of app servers behind that. Now we are trying to load test the apps externally but the test fails at only 200 requests per second. The load test is two servers that are sending 100 rps each using the Apache ab load test. What we are seeing is the test fails at 40000 requests. What's unusual is that I can run the test internally directly at the LB and load test it with 6000 requests per second with no problems.
On the Fortigate I have everything UTM related turned off, or so I think I do. I have a VIP set with external mapped to internal IP via port 80. The policy has only logging enabled.

Oh, what I did notice in the event log was "NAT port source is exhausted". I'm out of ideas as we don't have this issue on our Cisco ASA.

Any help with this is greatly appreciated.

evan kelly said...

Hi All,
I have clients who have offices in Syd + Melb.
We have a Fortigate 60A (3.00-b0753 (MR7 Patch 9)) in Melb + we have a Fortigate 60B in Syd (3.00-b5115 (MR5 Patch 3)).
Until recently we were using 1 WAN connection, ADSL 2+.
Over that connection we were sending:
web traffic
IPsec VPN Syd <> Melb
Avaya VoIP over the IPsec tunnel
The Avaya units in Sydney + Melb are on the same network as all the computers, 192.168.x.x.

Issue: the voice quality between the offices in Melb / Syd has become unusable.

Recently a second ADSL 2+ was connected to wan2.
Configured the Fortigate units to create another IPsec tunnel between Melb <> Syd.
I would like to be able to configure the Fortigate unit to send traffic from a single IP address (Avaya unit) on an internal LAN down wan2 on a Fortigate 60A,

whilst all the other traffic is sent down wan1.

I have tried looking in the Fortigate online docs ... but couldn't find info to help.

BTW – I have tried several configs without much success.

Also > I have just figured out how to access the Avaya units. I have had some
experience with them but I won't call myself an expert.

Any ideas > thx in advance


AlFillmore said...

Hello experts!

Since Fortinet released this IPS signature:

Fortinet released IPS signature Openssl.ChaCha20.Poly1305.Heap.Buffer.Overflow to address this vulnerability.

We keep getting a warning on FortiAnalyzer from our wireless AP, which appears to be an Android phone communicating with on port 443. Has anyone else had any of this? It appears to me to be a false positive.