Friday, October 21, 2011

Questions for the "Eggspehrts"

Got any burning Fortinet questions you want to ask?
Post them in the comments and our panel of knowledgeable Fortinet users will try to answer them.

62 comments:

  1. Has anybody routed a block of public IPs down a VPN tunnel from the main site down to a remote spoke for use as VIPs?

    I.e. the spoke site is dynamic, establishing its VPN right away. Can it be statically reachable from anywhere through a routed block down its VPN tunnel?

    I've tried to set up the right routing/policies to allow the IP addresses to be routed, but I just haven't got the right combination yet. I'm using IPSec interface mode to try to make things easier.

    ReplyDelete
  2. Sorry for the delay - I didn't see this post!

    I believe that yes, your wish is possible as long as the VPN are done in interface mode.

    Can you share with us your routes, interface IPs, VIPs and policies?

    ReplyDelete
  3. What's the most efficient way of making exceptions for UTM application control rules?

    Consider the following scenario:
    A policy x with UTM and appcontrol x has been created to block several apps. Now, one user needs access to torrent traffic for legitimate reasons. As far as I can see, I then need to clone policy x to policy y, create appctrl y manually and change the source address to limit this to the one inside host, and do the same for the appcontrol list. So far so good. This is one app, one user, not a big problem, but what about if I have 10 users needing access to 10 different applications that should be blocked for everybody else? That's a lot of policies and app control lists. And every time the "global" appcontrol list needs to be changed you'll have to do the job 10 times... or am I missing something here and there is a far better way of doing this? :)

    ReplyDelete
  4. Axe, that sounds about right! However, the only way (off the top of my head) I could think of to make this easier would be to enable and use the 'Identity Based Policy' option. I'm sure you realize you'll still need separate Application Sensors. But, the good news is that in the end, you could have a Windows User Group that would be "mapped" to the appropriate Application Sensor. Does this help?

    ReplyDelete
  5. That was what I was afraid of :)

    I'll look into the identity based policy.

    thx

    ReplyDelete
  6. Let us know if you need anymore explanation.

    ReplyDelete
  7. Under the traffic log I have lots of these messages:

    Message "no protocol tuple found, drop."
    Service "5/1/icmp"

    It all started when I updated my Fortigate 200A with the new MR3 Patch 1.

    What does this message mean?

    ReplyDelete
  8. ICMP was malformed. Someone sent you some bad ICMP packets. Are you sure that wasn't in the Attack log?

    ReplyDelete
  9. No, it is in the traffic log.

    Most of these messages are between the fortigate and my servers (DNS mostly).

    I think that the fortigate does not recognize ICMP packets anymore.
    The services that are shown in the log are 5/1/icmp and 3/3/icmp.
    I allowed ICMP between the forti and the servers but nothing.

    ReplyDelete
  10. I have seen something similar on my home fortigate 60c after I moved to MR3. My xbox no longer plays nice at all, to the point where it doesn't even NAT anymore. I have also seen some of my VMs in hyper-v freak out. Very odd.

    ReplyDelete
  11. OK, I managed to solve the ICMP 3/3 error. When I checked my traffic with Wireshark I found that my NTP service on my domain controller wasn't reachable on port 123/UDP. I restarted the service and the domain server was listening again on port 123.

    So the conclusion about this error message "no protocol tuple found, drop." is that it means that some port, in this case, was not open.

    Hope it will help someone.

    ReplyDelete
  12. Hi,
    can Fortigate OS 4.3.2 support Oracle sessions with the session helper without a predefined Oracle service, or only with ANY?

    Regards
    Tom

    ReplyDelete
  13. Tom,

    I'm not sure that FortiOS has a session helper specifically for Oracle. Can you provide some more details about what it is that you're looking for?

    ReplyDelete
  14. "The TNS session helper sniffs the return packet from an initial 1521 SQLNET exchange and then uses the port and session information uncovered in that return TNS redirect packet to add a temporary firewall policy that accepts the new port and IP address supplied as part of the TNS redirect." (CLI Guide 4.3.2)

    But what is the predefined service for this helper?

    DCE-RPC or ANY is necessary for the RPC session helper.

    ReplyDelete
  15. Has anyone successfully established an IPsec VPN connection from an iPad2 to a Fortigate 620B?

    ReplyDelete
  16. I'm running older code (3.0MR6) and I'm wondering about possible dNAT (VIP) improvements in newer releases. I can currently create a simple, global dNAT using a VIP (without port forwarding), or I can create a semi-conditional dNAT with port forwarding enabled. My problem is that even the VIP w/PF is still restricted to a single dNAT IP. I want to build different dNAT destinations based on source IP, not just dest port. Example:

    srcA --> vipA:25/tcp ==> dNAT dstA
    srcB --> vipA:25/tcp ==> dNAT dstB

    Unfortunately, the 2nd line doesn't seem to be possible (at least not on my code level). I can do this on other platforms, so I'm hoping I just need to upgrade to get improved functionality.

    ReplyDelete
  17. Hello guys
    1st time I post something here but I have been sniffing the blog for a long time :)

    I had some issues building up an IPsec VPN connection (either route based or policy based) with my fortigate 3600A 4.2 (patch 9). I followed the steps in the VPN guide and some other configuration examples that I found, but still no connection from the remote site, not even phase1.
    So can anyone paste simple configuration steps for an IPsec VPN connection?

    Thank you in advance

    Marco

    ReplyDelete
  18. Is FSSO(latest version) Compatible with Fortigate4.0 MR2 ?

    ReplyDelete
  19. @Marco - can you post your IPSec configuration instead? This way we may be able to tell you where your problem is.

    @Anonymous - Looking over the docs, FSSO 4.3.0 B0108 is compatible with MR2 P9, and I would think Patch 8 as well.

    ReplyDelete
  20. Thank you for the reply Ben

    I will post it as soon as I get back to my workplace

    ReplyDelete
  21. autokey
    phase1
    Name
    Remote Gateway dialup user
    Local Interface /my local intf
    Mode MAIN id
    Authentication Method preshared
    Pre-shared Key
    Peer Options accept any peer ID

    Advanced
    Enable ipsec intf
    Nat traversal enable

    Phase 2
    recall phase1 name
    advanced
    DHCP ip sec ( got a static route that connect to my dhcp server in relay mode )

    FW policies

    ipsecint ---->local intf
    source all destination all action accept no nat
    local intf---->Ipsec intf
    source all destination all
    accept no nat

    I have followed simple dial up configuration found on ipsecvpn handbook

    ReplyDelete
  22. This comment has been removed by the author.

    ReplyDelete
  23. Hello everybody.

    Connecting clients through an IPSec VPN tunnel from one site to the HQ. Clients only do ssh/telnet, but after some inactivity (1 hour) they get disconnected and have to re-logon. Is this an issue for the "session-ttl" parameter? I've actually set this parameter to be far greater than usual "standards", but would like to know if it's OK doing so. My thoughts are as follows: if FGT60C has session-ttl of 5 hours but my Windows clients still use their standard values (3600 or 7200 seconds), wouldn't the session still get disconnected *before* the Fortigate timeout has been reached?

    I'm a bit confused about this issue...

    Kind regards,
    F.

    ReplyDelete
  24. @Marco - With an IPSec Interface, you need to add a route to direct the remote traffic through the IPSec Interface, otherwise the VPN module will never see that you're trying to send traffic that way. You add the destination network, select the IPSec Interface, and gateway will be blank.

    @FlavioB - Telnet (client) does not have a keep alive function. With SSH, some clients have this feature but you need to turn it on (Putty has it). The FGT establishes a session for your traffic, and after a period of idleness, you're disconnected as the ttl runs out. I've dealt with this before, and what I did was create a policy for just Telnet (over IPSec, you can still have multiple policies using the same tunnel) and then set session-ttl 43200 (or some other crazy high time). This way, the setting only affects Telnet and the other apps carry on as usual.

    ReplyDelete
  25. Hello Ben and thanks for replying so quickly! :-)
    I understand your explanation and I set the session-ttl for that single policy to be 18000.
    Still, I don't understand this thing of different session timeouts: do they depend on the software (telnet, ssh, internet explorer) or are they defined on an OS-basis? Or, again, is the firewall responsible for setting and respecting the session-ttl?
    I'd be glad to get a detailed explanation of this, as it is vital to understand in such a situation.

    Keep on with this great blog!
    F.

    ReplyDelete
  26. Hi Flavio,

    the timeouts are protocol (i.e. port) based. For example you can set the timeout for TCP Port 22 which would affect any SSH session or anything else running over TCP port 22.
    There is no application awareness when setting session ttl values, they are strictly destination port based.

    ReplyDelete
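As an added illustration of the two approaches described in comments 24 and 26 (not configuration posted by Ben or Sebastian): the first block sets a global timeout keyed purely on destination port TCP/22, so it applies to anything using that port; the second creates a dedicated Telnet-only policy over the tunnel interface and scopes the long TTL to that policy alone. The interface name VPN-Tunnel-1, the address objects and the policy ID behaviour are assumptions for this example.

```text
# Global, port-based timeout: matches any TCP flow to port 22, whatever
# application is actually speaking on it (there is no application awareness here).
config system session-ttl
    set default 3600
    config port
        edit 1
            set protocol 6
            set start-port 22
            set end-port 22
            set timeout 43200
        next
    end
end

# Per-policy timeout: a Telnet-only policy over the IPsec interface, so the
# long TTL affects this service only and other traffic keeps the default.
# Interface and address names are assumed for this example.
config firewall policy
    edit 0
        set srcintf "VPN-Tunnel-1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "TELNET"
        set session-ttl 43200
    next
end
```

`edit 0` appends the new policy at the bottom of the list, so the Telnet-only policy has to be moved above the general VPN-Tunnel-1 to internal policy (`move <new-id> before <general-id>`, after checking the IDs with `show firewall policy`) or it will never be matched. Note that this only stops the FortiGate from expiring the idle session; a client that closes the connection on its own side is unaffected, which is why Ben's point about enabling keepalives in the SSH client still applies.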
  27. Hi Sebastian, thanks for your reply.
    AFAIU I only need to set this session-ttl on the Fortigate of the destination/target location (where the server stands), right?

    Cheers,
    F.

    ReplyDelete
  28. No question, but a hint:
    After the upgrade from 4.0MR2P7 to 4.0MR3P3, I had big troubles with the web GUI. Address objects weren't shown, I wasn't able to select IPSec tunnels from the drop down list and so on.

    My problem was, and this is "new" in 4.0MR3:
    If you got anywhere german "Umlaute" which are "ä/ö/ü" or also "ß", the web gui behaves strange and won't show everything correctly - but the ruleset still works. You can simply save the config, search and replace for those letters, restore the cleaned config and you are done. After that the gui works again like it should.

    ReplyDelete
  29. Nice one. But really, who would want to use such strange characters anyways?

    Grue(ü)ss(ß)e aus Texas ;)

    -Sebastian

    ReplyDelete
  30. This comment has been removed by the author.

    ReplyDelete
  31. Thanks for the reply Ben
    Forgot to mention that I'm in a multiple VDOM environment where my local resources are handled by a different VDOM from the one that handles outside connectivity

    Sorry for my poor English, I hope it's as clear as possible

    I have created the static route with the IPsec interface as DG

    For authentication purposes I made a local user

    So my question is, in the advanced options of phase1 do I need to enable the xauth server?

    Is the configuration that I pasted previously correct?

    Thanks for your time btw

    ReplyDelete
  32. Hello everybody.
    As it seems to have settled down, I'll open a new discussion: BLACKHOLE ROUTES.
    Anybody doing that stuff? I've been taught that it is a "good practice" whenever IPSec VPNs are being used. When a VPN would fail, the blackhole route would intervene and discard packets trying to go through the VPN tunnel... any comments about this? Is this all one needs to know about blackhole routes?

    Kind regards!
    F.

    ReplyDelete
  33. It is possible that if a VPN tunnel goes down the firewall will attempt to route traffic originally destined for the VPN via the default route (typically out to the Internet).

    In order to prevent any possibility of this you can use a blackhole route. This is easy on a router where you define a production route and then a route with a higher distance to the null interface.
    Fortinet doesn't have a null interface though.

    Can anyone share how they have set this up?

    ReplyDelete
  34. I've been taught to do it like this:

    config router static
        edit 0
            set blackhole enable
            set distance 100
            set dst 10.0.0.0/8
        next
        edit 0
            set blackhole enable
            set distance 100
            set dst 192.168.0.0/16
        next
        edit 0
            set blackhole enable
            set distance 100
            set dst 172.16.0.0/12
        next
    end

    When you look at the Routing Monitor, you'll see those routes pointing to "null" interface.

    If there's an other way to do it, just tell me!

    F.

    ReplyDelete
  35. I've dealt with this many times as well. Well, every time you've got an IPSec tunnel this is an issue.

    Forget about null routing - it's unnecessary, and affects the entire routing table, which may not be desirable.

    I've always just simply added a deny policy for private subnets (or subnets that are to be tunneled) after the encrypt policy. This way, the traffic is always trying to go the same "route", but is bouncing off the invalid encrypt policy and then dying at the deny policy.

    ReplyDelete
  36. Hi all.

    I have a fortigate 200b and it's working with fortios 4.0 mr3 p1.
    The unit has FSM.
    I'm having trouble logging msn chat.
    I have a ticket open with fortinet.
    I think that the source of the problem is the sql.
    Fortinet support told me to downgrade from mr3 patch 3 to mr3 patch 2 and I'm still having problems with logging.
    I use one policy with a DLP sensor content archive and the web, ftp and email are logging fine but the im logging is not working.
    At the bottom of the logging page I receive a warning: sql logging is not enabled.
    Can you help me?

    ReplyDelete
  37. @Ben: could you explain in more depth? You wrote about "after the encrypt policy", therefore I guess we're not talking about the same thing. I am talking about IPSec VPN tunnels in "Interface Mode", where I have policies like "VPN-Tunnel-1-->internal" and alike.

    Kind regards,
    F.

    ReplyDelete
  38. @Flavio - It will still work. Remember, the goal is to keep traffic from establishing a stubborn session in the firewall session table. IF the IPSec Interface goes down, the traffic will then want to flow via the greater, default route. So, if that happens to be Internal->Wan1, for example, then you would just add a deny policy at the top of that interface pair's policy section. Since the traffic is denied, a session is never built. When the routing is restored, the traffic will then take the 'tighter', more appropriate route.

    ReplyDelete
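The deny-policy approach Ben describes in comments 35 and 38, written out as FortiOS CLI. This is an added illustration, not Ben's own configuration: the interface names internal and wan1, the address object names, the RFC 1918 ranges used as the "tunneled" networks and the 4.x-style service name ANY are all assumptions for this example.

```text
# Address objects for the networks that must only ever be reached through the
# tunnel. Names and ranges are constructed for this example.
config firewall address
    edit "net-10"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "net-172-16"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "net-192-168"
        set subnet 192.168.0.0 255.255.0.0
    next
end

config firewall addrgrp
    edit "grp-private-nets"
        set member "net-10" "net-172-16" "net-192-168"
    next
end

# Deny policy on the interface pair the traffic falls back to when the IPsec
# interface route disappears (assumed here to be internal -> wan1). Because the
# packet is denied, no session is created, so nothing is left in the session
# table to clear once the tunnel and its route come back. Logging the denies
# gives a visible trace of a tunnel outage in the traffic log.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "grp-private-nets"
        set action deny
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
end
```

`edit 0` appends the deny at the bottom of the internal to wan1 section, so it has to be moved above any broader accept policy for that interface pair (typically the general NAT-to-Internet rule) with `move <deny-id> before <accept-id>`; otherwise the accept matches first and the private-destination traffic leaks out unencrypted exactly as comment 33 warns. Unlike the blackhole routes in comment 34, this touches only the one interface pair and leaves the routing table alone, which is Ben's reason for preferring it.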
  39. @Andre - The 200B has a SSD, correct? On the GUI - if you click on Config, under System - is SQL Database an option?

    ReplyDelete
  40. This comment has been removed by the author.

    ReplyDelete
  41. FG200xxxxxxxx # get system status
    Version: Fortigate-200B v4.0,build0328,110718 (MR2 Patch 8)
    Virus-DB: 14.00965(2011-12-11 23:29)
    Extended DB: 14.00000(2011-08-24 17:09)
    IPS-DB: 3.00115(2011-11-30 16:49)
    FortiClient application signature package: 1.446(2011-12-12 07:16)
    Serial-Number: FG200Bxxxxxxxxx
    BIOS version: 04000006
    Log hard disk: Available
    Internal Switch mode: switch
    Hostname: FG200Bxxxxxxxxx
    Operation Mode: NAT
    Current virtual domain: root
    Max number of virtual domains: 10
    Virtual domains status: 1 in NAT mode, 0 in TP mode
    Virtual domain configuration: disable
    FIPS-CC mode: disable
    Current HA mode: standalone
    Distribution: International
    Branch point: 328
    Release Version Information: MR2 Patch 8
    System time: Mon Dec 12 18:46:40 2011

    ReplyDelete
  42. @Andre - Can you run "get sys sql" from the command line and post the output?

    ReplyDelete
  43. So, my English is poor.
    1. In mr3 p2 the system looks at memory and sees 2 disks, a thing that doesn't happen on MR2.
    2. On mr3 if I manually turn off one feature of sql logging, the option appears under config log and on the log page I get a warning: sql logging not enabled.
    PS. On mr2 the log works fine, also the sql and archiving, but on mr3 the interface looks cleaner but is full of bugs.
    I like mr3 but I'm forced to use mr2 because of logging and archiving.

    I don't have a fortianalyzer.
    If I could specify where the file will be placed, like sql-db archiving and woc.

    thank you

    ReplyDelete
  44. get sys sql returns an error.

    # get sys sql
    command parse error before 'sql'
    Command fail. Return code -61

    ReplyDelete
  45. Ben, now I'm on mr2.
    The problem is on mr3.

    ReplyDelete
  46. @Andre - MR3 has many logging changes. You may need to manually import your MR2 logs into the database on MR3 after you have enabled SQL on MR3. See: http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-loggingreporting-40-mr3.pdf

    ReplyDelete
  47. I have tried to delete all logs and start from zero.
    Still not working

    ReplyDelete
  48. Hi all,

    I'm going to go ahead and close this thread. One of the things I don't want to do is to open an alternative support forum :)
    Thanks for all the great questions and answers.
    Fortinet also has a very active support forum at
    http://support.fortinet.com/forum
    (no support contract required as far as I know).

    ReplyDelete
  49. MRK

    Hi,

    I have a fortigate 310B to which the modem is connected. I have internal webservers, and an internal DNS server installed on the domain controller.

    For providing internet to clients, I changed the secondary DNS IP address of the clients to the modem IP address. With this I am able to get internet but clients are unable to access the internal websites.

    When I type the URL of an internal site in a browser the request is going to the modem (internet), not to the internal site.

    How to resolve it? Please help.

    ReplyDelete
  50. Hey there, partner!

    Do you know if it is possible to schedule automatic restarts of a FortiGate/Wifi unit running 4.0 MR3, p3?

    ReplyDelete
  51. Not as far as I know. You could however use some type of scheduler to SSH into the box and execute an "exec reboot" command.

    I'm curious why you would want to schedule reboots for a firewall?

    ReplyDelete
  52. Dear Sir,

    Can you please tell me how to minimize high ips usage in 1240 fortigate model?

    Please reply asap.

    ReplyDelete
  53. Hello!
    For rebooting the Fortigate unit, just enter the CLI and do as follows:

    config system global
        set daily-restart enable
        set restart-time hh:mm
    end

    Cheers,
    F.

    ReplyDelete
  54. Just note that application control has the capability to change the session ttl, in regard to what somebody asked recently.

    I know I am late, I missed this topic completely.

    -Astib

    ReplyDelete
  55. Counter in the policies is a nice thing, but:

    How to clear ALL counter from CLI?

    I found only guidelines on how to clear the counters from the GUI...

    In GUI it is obvious... but on CLI... and for all counters..

    ReplyDelete
  56. Are there any tools that work to remotely configure Fortigate firewalls besides the FortiManager? I have tried Kiwi CatTools and it doesn't seem to be working correctly.

    ReplyDelete
  57. Hi, I have the following:
    - Fortigate 310B unit, v4.0 MR3 Patch 5
    - Fortigate unit is configured with two VDOMs, first VDOM is named "root", operation mode is set to NAT; second VDOM is named "voz", operation mode is set to Transparent
    - FSSO 4.3 running on Active Directory Domain Controller
    - Active Directory under Windows 2008 Server R2
    - DNS Server integrated into Active Directory
    - Fortigate is running DHCP Server for my network

    The fortigate unit (specifically the root VDOM) and my AD are configured to allow Internet access to some AD groups, and it's "working fine". But often, AD users have problems browsing the Internet.

    I check FSSO Agent "Show Logon users" and one of the following is true:
    - AD User is not listed in the "Logon users list"
    - AD User is listed, but his Status is "Not Verified"
    - AD User is listed, and Status is "OK"

    No matter which of the previously listed conditions is true, sometimes the user is not listed in the monitor when I check the Web GUI: User > Monitor > Firewall

    What can cause this behavior?

    ReplyDelete
  58. I have an intranet with 8 sites running a mix of 80c and 60c units. I am setting up dynamic routing over my IPSec tunnels. Would you recommend bgp or ospf? I generally prefer bgp but I've heard the 60c units may not handle the load. Any thoughts?

    ReplyDelete
  59. Hi,

    I am having an issue with our Fortigate 310B. We have a load balancer sitting behind it with a cluster of app servers behind that. Now we are trying to load test the apps externally but the test fails at only 200 requests per second. The load test is two servers that are sending 100 rps each using the apache ab load test. What we are seeing is the test fail at 40000 requests. What's unusual is that I can run the test internally directly at the LB and load test it with 6000 requests per second with no problems.
    On the Fortigate I have everything UTM related turned off, or so I think I do. I have a VIP set with external mapped to internal ip via port 80. The policy has only logging enabled.

    Oh, what I did notice in the event log was "NAT source port is exhausted". I'm out of ideas as we don't have this issue on our Cisco ASA.

    Any help with is greatly appreciated.

    ReplyDelete
  60. Hi All,
    setup:
    I have clients who have offices in syd + melb
    We have a fortigate 60a (3.00-b0753 (MR7 Patch 9)) in melb + we have a fortigate 60b in syd (3.00-b5115 (MR5 Patch 3))
    Until recently we were using 1 wan connection adsl 2+
    over that connection we were sending
    web traffic
    ipsec vpn to the syd <> melb
    avaya voip over the ipsec tunnel
    the avaya units in sydney + melb are on the same network as all the computers 192.168.x.x

    issue: the voice quality between the offices in melb / syd has become unusable

    recently a second adsl 2+ connected to wan2
    configured the fortigate units to create another ipsec tunnel between melb <> syd
    I would like to be able to configure the fortigate unit to be able to send traffic from a single ip address (avaya unit) on an internal lan down wan2 on a fortigate 60a.

    Whilst all the other traffic is sent down wan1

    I have tried looking in the fortigate on line doc ...but couldn't find info to help

    BTW – I have tried several configs without much success

    also > I have just figured out how to access the avaya units. I have had some
    experience with them but I won't call myself an expert.

    any ideas > thx in advance

    ReplyDelete
  61. Hello experts!

    Since Fortinet released this IPS signature:

    "Fortinet released IPS signature Openssl.ChaCha20.Poly1305.Heap.Buffer.Overflow to address this vulnerability."

    We keep getting a warning on FortiAnalyzer from our wireless AP which appears to be an android phone communicating with android.clients.google.com on port 443. Has anyone else had any of this? It appears to me to be a false positive.

    Thanks!

    Al

    ReplyDelete