A real world resource for Fortinet firewalls including How-Tos and Frequently Asked Questions
Monday, June 30, 2008
Thursday, June 26, 2008
Bugs in SSL VPN Process
Fortinet is tracking a bug in the SSL VPN process (sslvpnd). After upgrading to FortiOS 3.0 MR6 Patch 2, sslvpnd can consume all available CPU regardless of user load. Fortinet is working on the problem under bug ID 77702.
As a temporary workaround, if you are running into this issue, you can use the following procedure from the command line interface to restart the process and bring CPU usage back down:
diag sys top to identify the process ID (pid) for sslvpnd
diag sys kill 11 <pid> to restart sslvpnd
Signal 11 makes the daemon crash so that FortiOS respawns it; any active SSL VPN sessions are dropped in the process, and the CPU usage can climb again until the fix ships, so treat this as a stopgap rather than a cure.
-Thanks to Dan Orth for the info.
Monday, June 23, 2008
VPN Manager Gotchas in Fortimanager
Be careful when using interface mode VPN setups created in Fortimanager.
Imagine the following setup:
-HQ Site has a number of networks (10.x.x.x, 172.16.x.x, 192.168.x.x)
-Remote site has a class C network (172.17.1.x)
When defining your protected subnets in VPN-Manager -> VPN List -> Gateways you should configure the specific networks and not use the default 0.0.0.0/0.0.0.0 network. If you use the 0.0.0.0 network and let FortiManager handle static route creation, you can end up with two default routes configured: one pointing to your valid WAN router and one pointing into the VPN tunnel. Internet-bound traffic (including the replies to your own management sessions) can then be sent down the tunnel, which has the undesirable effect of making your firewall unreachable.
(Not that this has happened to me of course :)
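As an added illustration (not taken from the original post or from FortiManager's generated output), this is what the two-default-route situation described above looks like in the resulting FortiOS 3.0 static route table, beside the corrected version. The interface name wan1, the tunnel name to_remote and the 203.0.113.1 gateway are placeholders, and the lines starting with # are annotations rather than CLI input.

```fortios
# Broken: VPN Manager pushed 0.0.0.0/0 as the protected subnet, so the tunnel
# gets its own default route next to the real one on wan1.
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
    next
    edit 2
        set device "to_remote"
        set dst 0.0.0.0 0.0.0.0
    next
end

# Corrected: the protected subnet in VPN-Manager is 172.17.1.0/24, so the
# generated route only covers the remote network.
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
    next
    edit 2
        set device "to_remote"
        set dst 172.17.1.0 255.255.255.0
    next
end
```

After pushing a VPN Manager change, run get router info routing-table static on the FortiGate and confirm there is exactly one 0.0.0.0/0 entry and that it points at the WAN router, not at the tunnel interface.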
Thursday, June 19, 2008
Problems with IPS Engine
IPS Engine 1.092 is causing high CPU utilization on various models of FortiGate firewalls. According to Fortinet, IPS Engine 1.096 should fix this issue and is due to be released via automatic FortiGuard update on Friday, June 27th.
Use the following command to determine which engine version you are currently running:
get system fortiguard-service status
You can use the following command to restart the IPS engine. This resolves the high CPU utilization temporarily without having to reboot the firewall:
diag test app ipsmonitor 99
Another command you can try is
diag test app ipsmonitor 5
This puts the IPS engine into bypass mode, so traffic passes without IPS inspection until you turn it back on. Issuing the same command again turns it back on.
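The two posts above (the sslvpnd CPU bug and the IPS Engine 1.092 problem) both come down to reading a FortiOS CLI output and deciding whether a workaround command is needed. The script below is an added example written for this page, not code from the blog or from Fortinet: it parses the output of diag sys top and get system fortiguard-service status, which you would capture over SSH, and prints the workaround commands when they apply. The sample outputs are constructed, and the column layout assumed for both commands (process name, pid, state, CPU%, memory% in diag sys top; "IPS Engine Version x.yyy" in the status output) is an assumption, so adjust the awk field numbers if your unit prints them differently.

```shell
#!/bin/sh
# Added example, not from the original posts. Reads captured FortiOS 3.0 CLI
# output and decides whether the sslvpnd restart or the IPS engine restart
# workaround applies. Column layout of both outputs is an assumption.

# Constructed sample of "diag sys top 1 1" on a unit hit by bug 77702.
# Assumed columns: process name, pid, state, CPU%, memory%.
SAMPLE_TOP='Run Time:  2 days, 4 hours and 11 minutes
0U, 99S, 1I; 1018T, 512F, 66KF
          sslvpnd       55      R      98.5     3.1
          ipsengine     61      S       0.4     9.8
          newcli       402      R       0.6     0.7'

# Constructed sample of "get system fortiguard-service status".
SAMPLE_FGD='AV Engine            Version 2.002  Updated 2008-06-20
Virus Definitions    Version 9.213  Updated 2008-06-25
IPS Engine           Version 1.092  Updated 2008-06-18
Attack Definitions   Version 2.456  Updated 2008-06-25'

# Print the pid of a named process from "diag sys top" output (empty if absent).
top_pid() {  # $1 = process name, $2 = top output
    printf '%s\n' "$2" | awk -v name="$1" '$1 == name { print $2; exit }'
}

# Print the CPU% of a named process from "diag sys top" output.
top_cpu() {  # $1 = process name, $2 = top output
    printf '%s\n' "$2" | awk -v name="$1" '$1 == name { print $4; exit }'
}

# Exit 0 when sslvpnd is at or above the CPU threshold (default 90%).
sslvpnd_runaway() {  # $1 = top output, $2 = threshold
    cpu=$(top_cpu sslvpnd "$1")
    [ -n "$cpu" ] && awk -v c="$cpu" -v t="${2:-90}" 'BEGIN { exit !(c >= t) }'
}

# Print the IPS engine version from fortiguard-service status output.
ips_engine_version() {  # $1 = status output
    printf '%s\n' "$1" | awk '/^IPS Engine/ {
        for (i = 1; i <= NF; i++) if ($i == "Version") { print $(i + 1); exit }
    }'
}

# Print the FortiOS CLI commands an operator should paste, given both outputs.
# Nothing is executed on the firewall; the operator reviews and types them.
advise() {  # $1 = top output, $2 = status output
    if sslvpnd_runaway "$1"; then
        pid=$(top_pid sslvpnd "$1")
        # Signal 11 crashes sslvpnd so the watchdog respawns it; SSL VPN sessions drop.
        echo "diag sys kill 11 $pid"
    fi
    # Only the known-bad engine build warrants a restart.
    if [ "$(ips_engine_version "$2")" = "1.092" ]; then
        echo "diag test app ipsmonitor 99"
    fi
}

advise "$SAMPLE_TOP" "$SAMPLE_FGD"
```

Run against real output by replacing the two SAMPLE_ variables with captured text (for example from ssh admin@firewall 'diag sys top 1 1'). Keeping the script advisory, printing commands instead of running them, is deliberate: a restart drops every SSL VPN user, so a human should confirm the CPU reading before issuing it.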
Friday, June 6, 2008
Software Updates
FortiManager 3.0 MR6 Patch 3 and FortiOS 3.0 MR6 Patch 2 are now available on the Fortinet Support Website.