Monday, December 17, 2012

Customer Support Bulletins

From time to time Fortinet will release information on critical bugs/bug fixes that are likely to impact a large number of customers. There were 3 of these for 2012. To review them, log in to the Customer Service & Support Portal and click on "Important Info".
Alternatively you can access them via this link:

Tuesday, December 11, 2012

DHCP for IPv6 in FortiOS 5

FortiOS 5 adds support for RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)". To activate a DHCPv6 server on an interface, use the following syntax:

# config system interface
# edit internal
# config ipv6
# set ip6-mode dhcp
# end
# next
# end

Finding CLI Commands

Sometimes it's handy to know which CLI commands correspond to actions you are performing in the GUI. With the following commands you can enable debugging on the console that will show you in the CLI what you're doing in the GUI.

# diag debug reset
# diag debug enable
# diag debug console
# diag debug cli 7

Here is some sample output in the CLI when adding and deleting static routes in the GUI.

0: config router static
0: edit 0
0: set device "VPN_Tunnel"
0: set dst
0: end
0: config router static
0: delete 16
0: end

Also, if you are performing an action in the GUI and you get no output on the CLI then chances are that there is no equivalent CLI command.

Monday, December 10, 2012

External Images in Replacement Messages

If you are using web filtering and would like to host your images on an external server rather than using the built-in ones in FortiOS, here is a little code sample to make that happen.

config system replacemsg http "url-block"
    set buffer "<BODY>

<center><img src=\"\" alt=\"Example Logo\"/>            <img src=\"\" alt=\"Logo\"/></center>

<center><H1><FONT color=#ff0000 size=6>Access Restricted by Web Access Policy </FONT></H1></center>

<P><B><FONT size=4>The website you are trying to access has been
restricted because it does not fall within the business scope of Example Company. All websites have been categorized through third party software. The categories are generalized and the website you are attempting to access may be blocked in error. Please email <a href=\"\"><B>Security Operations</B></a> for any questions.</FONT></B></P>

<div style=\"padding:10px 10px;border:1px solid black;\">
<FONT color=#ff0000 size=5><B><center>To access web-based mail, online file sharing, or internal company sites please use the browser in your Start menu.</center></B></FONT>
</div>
</BODY>"
    set header http
    set format html
end

Thursday, December 6, 2012

FortiAnalyzer - System Registration

If you are running FortiAnalyzer and you start feeding it logs from Fortigates they will (depending on your settings) automatically register and show up in your device view. By default they will show up in the format of "hostname_serialnumber".
If you have a hostname configured on your Fortigate but it only shows up under its serial number in FAZ, then you may be running into a versioning issue, specifically if you're using FAZ 4.1 with FortiOS 4.3 devices reporting into it.
The reason for this is that in FortiOS 4.3 the firewalls will by default try to encrypt the communication to the FortiAnalyzer, which FAZ 4.1 does not understand. To work around this, disable the encryption for logging to FAZ on the Fortigate using the following command:

# config log fortianalyzer setting
# set enc-algorithm disable
# end

Traffic Blocked by Policy ID 0

After upgrading to FortiOS 4.3 you may see an increase in the number of log entries displayed which mention Policy ID 0. This is generally due to more extended logging being enabled by default when upgrading to 4.3. Here are a couple of good knowledge base entries that have more info.

Technical Note : other-traffic is changed to extended-traffic-log in FortiOS 4.0MR3 and enabled by default

FortiGate log information : traffic log with firewall policy of 0 (zero) "policyid=0"
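To see where the extra Policy ID 0 entries are coming from before deciding whether to keep extended traffic logging, it helps to split them out of a log export. The script below is an added example (mine, not from the post or the knowledge base articles): it parses FortiGate key=value traffic log lines and counts the policyid=0 entries per source interface, destination interface and service. The sample log lines are constructed to resemble the FortiOS 4.3 format and are not real records; the exact set of field names is an assumption.

```python
"""Triage FortiGate traffic logs for policyid=0 (implicit deny) entries.

Added example for this post, not a Fortinet tool. SAMPLE_LOGS is
constructed to resemble the FortiOS 4.3 key=value log format; the lines
are not real records and the field set is an assumption.
"""
import re
from collections import Counter

SAMPLE_LOGS = [
    # constructed: two internal hosts trying telnet out, no policy matches
    'date=2012-12-06 time=10:15:32 devname=FGT-LAB type=traffic subtype=other pri=notice '
    'status=deny vd="root" src=10.1.1.5 srcport=52341 src_int="internal" dst=192.0.2.10 '
    'dstport=23 dst_int="wan1" service=TELNET proto=6 policyid=0',
    'date=2012-12-06 time=10:15:40 devname=FGT-LAB type=traffic subtype=other pri=notice '
    'status=deny vd="root" src=10.1.1.7 srcport=49152 src_int="internal" dst=192.0.2.11 '
    'dstport=23 dst_int="wan1" service=TELNET proto=6 policyid=0',
    # constructed: inbound SMB attempt from the Internet, implicit deny
    'date=2012-12-06 time=10:16:02 devname=FGT-LAB type=traffic subtype=other pri=notice '
    'status=deny vd="root" src=198.51.100.9 srcport=40000 src_int="wan1" dst=10.1.1.20 '
    'dstport=445 dst_int="internal" service=SMB proto=6 policyid=0',
    # constructed: a normal hit on policy 3
    'date=2012-12-06 time=10:16:10 devname=FGT-LAB type=traffic subtype=allowed pri=notice '
    'status=accept vd="root" src=10.1.1.5 srcport=52350 src_int="internal" dst=198.51.100.20 '
    'dstport=443 dst_int="wan1" service=HTTPS proto=6 policyid=3',
    # constructed: a non-traffic record that must be skipped
    'date=2012-12-06 time=10:16:12 devname=FGT-LAB type=event subtype=system pri=information '
    'msg="Constructed non-traffic event"',
]

# key=value pairs; a value is either a bare token or a double-quoted string
# (quoted values may contain spaces, e.g. vd="root" or msg="...").
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Return the key=value fields of one log line as a dict (quotes stripped)."""
    fields = {}
    for m in KV.finditer(line):
        key, raw = m.group(1), m.group(2)
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def triage_policy0(lines):
    """Return (traffic_total, policy0_total, by_path).

    by_path counts policyid=0 entries per (src_int, dst_int, service), so
    the interfaces and services producing implicit-deny log volume stand
    out. Records whose type is not traffic are ignored.
    """
    traffic_total = 0
    by_path = Counter()
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") != "traffic":
            continue
        traffic_total += 1
        if rec.get("policyid") == "0":
            path = (rec.get("src_int", "?"), rec.get("dst_int", "?"), rec.get("service", "?"))
            by_path[path] += 1
    return traffic_total, sum(by_path.values()), by_path


if __name__ == "__main__":
    total, p0, by_path = triage_policy0(SAMPLE_LOGS)
    print(f"{p0} of {total} traffic entries matched policyid=0")
    for (src, dst, svc), n in by_path.most_common():
        print(f"  {n:>5}  {src} -> {dst}  {svc}")
```

Feed it the output of a FAZ or syslog export instead of SAMPLE_LOGS and the most_common() ordering shows which interface pairs and services account for the Policy ID 0 volume, which is the information you need to decide between tuning a policy and simply accepting the extra logging.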

Wednesday, December 5, 2012

Maximizing Performance with NPU Port Mappings

To get the most performance out of NPU accelerated ports you should keep traffic on the same NPU.
For example if most of your traffic is between your external and your DMZ interfaces (you are hosting a lot of web servers?) you should make sure this traffic remains on the same NPU.

To figure out which port is assigned to which NPU use the following command:

#get hardware npu <model> list

So if you have a model with NP4s use

#get hardware npu np4 list

Your output will be similar to the one below depending on your model firewall.
In the below example you might want to connect port25 to the Internet and port26 to the DMZ to keep that traffic on a single NPU.

# get hardware npu np4 list
ID      Model           Slot            Interface
0       On-board                        port1 port2 port3 port4
                                        port5 port6 port7 port8
                                        port9 port10 port11 port12
                                        port13 port14 port15 port16
                                        port17 port18 port19 port20
                                        port21 port22 port23 port24
1       On-board                        port25 port26 port27 port28
                                        port29 port30 port31 port32
                                        port33 port34 port35 port36
                                        port37 port38
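On a box with many ports, checking by eye which interfaces share an NPU gets error-prone. As an added example (mine, not the post's or a Fortinet tool), the script below parses the `get hardware npu <model> list` table into an interface-to-NPU map and reports whether a pair of interfaces stays on one NPU. SAMPLE_OUTPUT is the table from the post pasted as a string; the parser assumes that fixed-width layout (interface names begin in the column under the "Interface" header and continuation rows leave the ID/Model/Slot columns blank).

```python
"""Interface-to-NPU mapping from `get hardware npu <model> list` output.

Added example for this post, not a Fortinet tool. SAMPLE_OUTPUT is the
table shown in the post; the parser assumes its fixed-width layout:
interface names start in the column under the "Interface" header, and
continuation rows leave the ID, Model and Slot columns blank.
"""

SAMPLE_OUTPUT = """\
ID      Model           Slot            Interface
0       On-board                        port1 port2 port3 port4
                                        port5 port6 port7 port8
                                        port9 port10 port11 port12
                                        port13 port14 port15 port16
                                        port17 port18 port19 port20
                                        port21 port22 port23 port24
1       On-board                        port25 port26 port27 port28
                                        port29 port30 port31 port32
                                        port33 port34 port35 port36
                                        port37 port38
"""


def parse_npu_list(output):
    """Return {interface_name: npu_id} parsed from the CLI table."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    # Skip anything before the header row (for example an echoed prompt line).
    start = next(i for i, ln in enumerate(lines) if "Interface" in ln.split())
    iface_col = lines[start].index("Interface")
    mapping = {}
    current_npu = None
    for line in lines[start + 1:]:
        prefix = line[:iface_col].split()
        if prefix:
            # A new NPU row: the ID is the first field left of the interfaces.
            current_npu = int(prefix[0])
        elif current_npu is None:
            raise ValueError(f"interface row before any NPU row: {line!r}")
        for iface in line[iface_col:].split():
            mapping[iface] = current_npu
    return mapping


def same_npu(mapping, a, b):
    """True when interfaces a and b are served by the same NPU."""
    return mapping[a] == mapping[b]


def interfaces_on(mapping, npu_id):
    """Interfaces attached to one NPU, in the order the CLI listed them."""
    return [iface for iface, npu in mapping.items() if npu == npu_id]


if __name__ == "__main__":
    m = parse_npu_list(SAMPLE_OUTPUT)
    for npu in sorted(set(m.values())):
        print(f"NPU {npu}: {' '.join(interfaces_on(m, npu))}")
    # The pairing suggested in the post versus one that crosses NPUs.
    for a, b in (("port25", "port26"), ("port24", "port25")):
        verdict = "same NPU" if same_npu(m, a, b) else "crosses NPUs"
        print(f"{a} <-> {b}: {verdict}")
```

Paste your own unit's output into SAMPLE_OUTPUT (or read it from a file) and check each heavy interface pair, such as your Internet and DMZ ports, with same_npu() before cabling.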

Wednesday, November 28, 2012

FortiOS 5.0 Tips & Tricks - Part 1 - Column Settings

When editing a policy in FortiOS 4.x there was a "Column Settings" button which allowed you to add or remove columns from the current view. This feature does exist in FortiOS 5 but there is no longer a button for it. Instead, right click on one of the existing column headings such as Source or Destination. From there you can select the "Column Settings" as you did before.

Friday, November 23, 2012

Software Updates

Here's the latest and greatest.

FortiAnalyzer: 5.0 Patch 1, Build 87 (Just released)
FortiAP: 5.0 GA, Build 21
FortiClient: 5.0 GA, Build 161
FortiDB: 4.4.2, Build 240

FortiOS: 4.0 MR3 Patch 11, Build 646 (Just released)
(stable, recommended for production)
FortiOS: 4.0 MR2 Patch 13, Build 349
(stable, recommended for production)
FortiOS: 5.0 GA, Build 128
(recommended primarily for test systems)

FortiGate-One: 4.0 MR3 Patch 11, Build 646
FortiMail: 4.0 MR3 Patch 3, Build 520
FortiManager: 5.0 GA, Build 76
FortiScan: 4.3.0, Build 260

FortiWeb: 4.4.4, Build 669

Software Updates: FortiOS 5.0

For those of you who like to live on the cutting edge, Fortinet has recently released FortiOS 5.0. This new version introduces a whole slew of new features. Check out the below PDF for more information.

Monday, November 12, 2012

New Job

Well .. wouldn't you know it. Yours truly now works for a pioneer in the UTM space. I'll leave it up to you to guess who it is ;) So watch this space for new posts coming soon.

Friday, May 18, 2012

Fortinet vs Palo Alto Networks

So yes, I changed jobs which is why this blog has been a little quiet.
At my new employer we are about to replace Checkpoint with a UTM solution.
While I understand that most people that read this blog work with Fortinet I'm also looking to solicit some real world feedback from anyone out there who has used both Fortinet and Palo Alto Network boxes.
I'm not looking for "Fortinet is better because PA blows", rather I'm looking for technical differences and usability nuances that would help us make an informed decision.

If you have information to help out do please post a comment.

Thanks everyone for reading!

Tuesday, February 14, 2012

Renewing Support versus new Hardware

One of the things to keep in mind is that annual support costs (A/V, IDS/IPS updates, hardware maintenance) are based around the list price of the hardware itself. When the time comes to renew your Fortinet support take a close look at how much money you're spending on support versus the cost of newer, faster hardware.

I was amazed to see that for the same cost of renewing support on a Fortigate 800 we were able to purchase a new Fortigate 310B system, including a year of bundled support.

Just sayin .. :)

Tuesday, January 24, 2012

Log uploads in realtime (FortiOS 4.0 MR3)

After upgrading several firewalls to 4.0 MR3 I noticed that by default the logs are no longer sent to my FortiAnalyzer unit in realtime. Instead they are scheduled to upload to the FAZ once per day.
If, like me, you are relying on these logs to provide realtime visibility into your network here is how to turn realtime logging back on.

On the CLI (really, Fortinet??):
config log fortianalyzer setting
set upload-option realtime
end

This is only available on smaller units, such as the FG60C and FWF60C.
On units such as the FG200B and FG310B the "set upload-option realtime" switch does not exist, thus defaulting to realtime logging to FAZ or Syslog.

Friday, January 20, 2012

The cmdb add entry failed

I recently started noticing that when I try to add objects, policies, etc. to one of our firewalls I receive an error dialog of "The cmdb add entry failed." After doing some research on the knowledge base, the most likely explanation was related to memory utilization on the Fortigate.
There are a number of ways to resolve the problem, although they are all temporary until Fortinet comes up with a fix.

  • Reboot the firewall
  • In Firewall -> Policy -> Protocol Options, modify your scan profile(s) and reduce the file size threshold from 10MB down to 2MB.
  • From the CLI you can run "diag sys top 1" and figure out which processes are using the most memory (right most column in the process list). You can then restart the processes using "diag test app 99", so for example "diag test app ipsmonitor 99" if the IPS engine is running high.