If you have defined a Web URL filter to block certain websites but it does not seem to take effect (i.e. you can still reach the sites you want blocked), try restarting the HTTP proxy. On the CLI enter the following command:
diag test application http 99
A real world resource for Fortinet firewalls including How-Tos and Frequently Asked Questions
Tuesday, April 29, 2008
Friday, April 25, 2008
Web URL Filtering breaks SSL communication
Wednesday, April 23, 2008
Fortimanager Device Synchronization
In the latest releases of Fortimanager there is no longer a "Synchronize all Devices" button in the GUI. If you have made changes to your firewalls through their individual Web interfaces you can bring all your configurations up to date in your Fortimanager using the following CLI command:
execute fmpolicy reload group "groupname" (hit ? for a list of groups)
Labels:
CLI,
fortimanager
Thursday, April 17, 2008
Software Updates
FortiManager 3.0 MR6 Patch 2 and FortiAnalyzer 3.0 MR6 Patch 1 are now available on the Fortinet Support Website.
Friday, April 11, 2008
Packet capture - SYN packets only
To capture only SYN packets (i.e. packets trying to initiate a TCP session) you can use the following CLI command, where internal is the interface to sniff on:
diag sniffer packet internal 'tcp[13] == 2'
This can be useful when you are trying to investigate suspicious activity on the network, for example one host sending SYNs to many ports. Note that tcp[13] is the TCP flags byte and == 2 matches only packets with SYN set and nothing else, so SYN/ACK replies (flags byte 0x12) are deliberately left out of the capture.
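The following is an added illustration, not part of the original post, of what the filter above actually tests. It builds a few constructed IPv4/TCP packets with struct, reads the byte BPF calls tcp[13] the way the sniffer does (after the IPv4 header length given by IHL), and compares the post's exact-match filter with the looser "SYN bit set" variant that would also show SYN/ACKs. The function and sample names (build_ipv4_tcp, tcp_flags, matches_syn_only, matches_any_syn, syn_targets, SAMPLE) and the addresses in the sample traffic are this example's own.

```python
import struct
from typing import Dict, List, Set

SYN, ACK = 0x02, 0x10  # bit values inside the TCP flags byte that BPF addresses as tcp[13]

def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed test packet: 20-byte IPv4 header + 20-byte TCP header, no payload.
    Checksums stay zero; the flag filter never inspects them."""
    def ip2b(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip2b(src), ip2b(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr

def tcp_flags(pkt: bytes) -> int:
    """The byte BPF calls tcp[13]: offset 13 into the TCP header, which starts after the
    IPv4 header whose real length comes from IHL (so IP options do not shift the offset)."""
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + 13]

def matches_syn_only(pkt: bytes) -> bool:
    """The post's filter 'tcp[13] == 2': SYN and nothing else, so SYN/ACK (0x12) is excluded."""
    return tcp_flags(pkt) == SYN

def matches_any_syn(pkt: bytes) -> bool:
    """Looser variant 'tcp[13] & 2 != 0': SYN set, other bits ignored; SYN/ACK is included."""
    return tcp_flags(pkt) & SYN != 0

def syn_targets(packets: List[bytes]) -> Dict[str, Set[int]]:
    """Group the destination ports each source tried to open with pure SYNs: one host
    fanning out over many ports is the pattern a SYN scan leaves in such a capture."""
    out: Dict[str, Set[int]] = {}
    for pkt in packets:
        if not matches_syn_only(pkt):
            continue
        ihl = (pkt[0] & 0x0F) * 4
        src = ".".join(str(b) for b in pkt[12:16])
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        out.setdefault(src, set()).add(dport)
    return out

# Constructed traffic: one normal three-way handshake plus a host probing several ports.
SAMPLE = [
    build_ipv4_tcp("172.16.1.2", "2.2.2.2", 40000, 443, SYN),
    build_ipv4_tcp("2.2.2.2", "172.16.1.2", 443, 40000, SYN | ACK),
    build_ipv4_tcp("172.16.1.2", "2.2.2.2", 40000, 443, ACK),
] + [build_ipv4_tcp("172.16.1.99", "172.16.1.10", 51000 + p, p, SYN) for p in (22, 23, 80, 445, 3389)]
```

Running syn_targets over SAMPLE reports the handshake client once (port 443) and the probing host with all five ports; the SYN/ACK in the middle passes matches_any_syn but not matches_syn_only, which is exactly the difference between the two BPF spellings.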
Thursday, April 10, 2008
IPSEC VPNs - Advanced NAT
Here are some pointers for when you are trying to build an IPSEC VPN to a remote organization and they NAT the remote host due to address overlap.
For example:
Remote Host: 172.16.1.2
Translated Public IP: 2.2.2.2
Remote Firewall: 2.2.2.1 (Cisco 3000 Series VPN Concentrator/PIX/ASA)
Local Firewall: 3.3.3.1 (Fortigate)
Local Network: 172.16.1.0/255.255.255.0 (NAT traffic to external firewall interface)
Begin by reading this previous post: Advanced IPSEC with Phase 2 Quick Mode Selectors
The one change to note is that you need to configure this scenario in policy mode. There is either a bug or a "feature" which prevents the NAT from working correctly in interface mode. I am currently investigating.
The challenge in this scenario is usually to pick phase 2 source and destination addresses (the quick mode selectors, or proxy IDs) that mirror the remote side's crypto access lists. In the above example your local configuration should look similar to the following:
config firewall address
edit "net-172.16.1.0/24"
set subnet 172.16.1.0 255.255.255.0
next
edit "host-2.2.2.2"
set subnet 2.2.2.2 255.255.255.255
next
edit "host-3.3.3.1"
set subnet 3.3.3.1 255.255.255.255
next
end
config firewall addrgrp
edit "encdom-local-remote"
set member "net-172.16.1.0/24" "host-3.3.3.1"
next
end
config vpn ipsec phase1
edit "Remote_Firewall"
set interface "external"
set dpd disable
set nattraversal enable
set dhgrp 2
set proposal 3des-md5
set keylife 86400
set remote-gw 2.2.2.1
next
end
config vpn ipsec phase2
edit "Remote_Tunnel"
set phase1name "Remote_Firewall"
set proposal 3des-md5
set src-addr-type name
set src-name "encdom-local-remote"
set dst-addr-type name
set dst-name "host-2.2.2.2"
set keylifeseconds 28800
next
end
config firewall policy
edit 1
set srcintf "internal"
set dstintf "external"
set srcaddr "net-172.16.1.0/24"
set dstaddr "host-2.2.2.2"
set action ipsec
set schedule "always"
set service "ANY"
set profile-status enable
set logtraffic enable
set profile "scan"
set outbound enable
set natoutbound enable # Hide traffic behind firewall's external interface
set vpntunnel "Remote_Firewall"
next
end
Here is what you are telling the firewall: take traffic from 172.16.1.0/24, send it through the VPN tunnel to the remote firewall, and NAT it so that it appears to come from the firewall's external interface, 3.3.3.1.
Notice that the phase 2 quick mode selectors name both 3.3.3.1 and the local network 172.16.1.0/24. The peer's crypto access list is written for the translated source 3.3.3.1, so a selector offering only 172.16.1.0/24 would not match the proxy IDs sent to the peer and phase 2 would fail. Also note that the 3des-md5 proposals above are there to match what an older Cisco peer accepts; where the remote side supports it, prefer AES with SHA-2 and a stronger DH group.
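As an added example that is not part of the original post, here is a small lint for the two mistakes this scenario invites: a policy or phase 2 selector that refers to an address object that was never defined, and an IPsec policy with natoutbound whose tunnel has no phase 2 source selector covering the external interface address. It parses the flat config/edit/set/next/end shape used above (nested config blocks are not handled) and runs against a constructed, trimmed copy of the post's configuration with the address names made consistent. The parser and check names (parse_fortios, networks_of, lint, SAMPLE_CONFIG) are this example's own, and the external interface address 3.3.3.1 is passed in rather than read from the interface config.

```python
import ipaddress
import shlex
from typing import Dict, List

# Constructed sample: the post's configuration with consistent address names;
# settings the check never reads (proposals, keylife, logging, interfaces) are left out.
SAMPLE_CONFIG = """\
config firewall address
    edit "net-172.16.1.0/24"
        set subnet 172.16.1.0 255.255.255.0
    next
    edit "host-2.2.2.2"
        set subnet 2.2.2.2 255.255.255.255
    next
    edit "host-3.3.3.1"
        set subnet 3.3.3.1 255.255.255.255
    next
end
config firewall addrgrp
    edit "encdom-local-remote"
        set member "net-172.16.1.0/24" "host-3.3.3.1"
    next
end
config vpn ipsec phase2
    edit "Remote_Tunnel"
        set phase1name "Remote_Firewall"
        set src-name "encdom-local-remote"
        set dst-name "host-2.2.2.2"
    next
end
config firewall policy
    edit 1
        set srcaddr "net-172.16.1.0/24"
        set dstaddr "host-2.2.2.2"
        set action ipsec
        set natoutbound enable
        set vpntunnel "Remote_Firewall"
    next
end
"""

Config = Dict[str, Dict[str, Dict[str, List[str]]]]  # section -> entry -> key -> values

def parse_fortios(text: str) -> Config:
    """Parse the config/edit/set/next/end shape used above (no nested config blocks)."""
    tree: Config = {}
    section = entry = None
    for line in filter(None, map(str.strip, text.splitlines())):
        tok = shlex.split(line)  # honours the double quotes around object names
        if tok[0] == "config":
            section = " ".join(tok[1:])
            tree.setdefault(section, {})
        elif tok[0] == "edit":
            entry = tok[1]
            tree[section][entry] = {}
        elif tok[0] == "set":
            tree[section][entry][tok[1]] = tok[2:]
        # 'next' and 'end' only close the current entry/section
    return tree

def networks_of(tree: Config, name: str) -> List[ipaddress.IPv4Network]:
    """Resolve an address object or address group (recursively) to the subnets it covers."""
    if name in tree.get("firewall addrgrp", {}):
        members = tree["firewall addrgrp"][name]["member"]
        return [n for m in members for n in networks_of(tree, m)]
    if name not in tree.get("firewall address", {}):
        return []  # undefined name covers nothing; lint() reports it separately
    ip, mask = tree["firewall address"][name]["subnet"]
    return [ipaddress.IPv4Network(f"{ip}/{mask}")]

def lint(tree: Config, external_ip: str) -> List[str]:
    """Findings for the two mistakes this scenario invites; an empty list means clean."""
    findings: List[str] = []
    defined = set(tree.get("firewall address", {})) | set(tree.get("firewall addrgrp", {}))
    policies = tree.get("firewall policy", {})
    phase2s = tree.get("vpn ipsec phase2", {})
    # 1. Every address a policy or phase 2 selector names must actually exist.
    refs = [(f"policy {p}", k, o) for p, o in policies.items() for k in ("srcaddr", "dstaddr")]
    refs += [(f"phase2 {p}", k, o) for p, o in phase2s.items() for k in ("src-name", "dst-name")]
    for where, key, obj in refs:
        for n in obj.get(key, []):
            if n not in defined:
                findings.append(f"{where}: {key} {n!r} is not a defined address")
    # 2. With natoutbound on an IPsec policy the peer sees the external interface
    #    address, so some phase 2 source selector for that tunnel must cover it.
    hide = ipaddress.IPv4Address(external_ip)
    for pid, pol in policies.items():
        if pol.get("action") != ["ipsec"] or pol.get("natoutbound") != ["enable"]:
            continue
        p1 = pol.get("vpntunnel", [""])[0]
        covered = any(
            hide in net
            for p2 in phase2s.values() if p2.get("phase1name") == [p1]
            for n in p2.get("src-name", [])
            for net in networks_of(tree, n)
        )
        if not covered:
            findings.append(f"policy {pid}: natoutbound hides traffic behind {external_ip} "
                            f"but no phase 2 source selector for tunnel {p1!r} covers it")
    return findings
```

Against the sample as written, lint(parse_fortios(SAMPLE_CONFIG), "3.3.3.1") returns no findings; drop "host-3.3.3.1" from the address group and it reports the uncovered hide address, which is the phase 2 mismatch the post warns about.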
Monday, April 7, 2008
Recommended Reading
Migrating to IPv6 - A practical guide to implementing IPv6 in mobile and fixed networks
Author: Marc Blanchet
ISBN: 0-471-49892-0
A must read if you are even thinking about implementing IPv6 in your network.
Sunday, April 6, 2008
Fortinet Maximum Values by Platform
Ever wondered about the maximum number of interfaces, VLANs, VPN tunnels or static routes you can define on your FortiGate platform? Here is a very helpful list of all features and their maximum values broken down by platform.
Fortinet Maximum Values Matrix
Tuesday, April 1, 2008
Pedal to the metal with FortiAnalyzer
Beginning in 3.0 MR3, FortiAnalyzer supports the ext3 file system in addition to the Reiser file system used in previous versions. ext3 is considerably more stable and is the recommended file system for all FortiAnalyzer units. To convert to ext3, upgrade your FortiAnalyzer to 3.0 MR3 or later and then either reformat the log disks or change the RAID level; both operations erase everything stored on the unit, so archive your logs first.
Beginning in MR4 you can also speed up the FortiAnalyzer by indexing the ext3 file system. Execute the following command on the CLI: "diagnose sys file-system fsfix". This command checks and indexes the file system. It takes some time and reboots the FortiAnalyzer, but the performance increase is tremendous, so it is highly recommended.
Also, Fortinet recommends that you run this command periodically if you receive a lot of log traffic.