A real world resource for Fortinet firewalls including How-Tos and Frequently Asked Questions
Saturday, December 25, 2010
Thursday, December 23, 2010
FortiOS 4.0 MR2 Patch 3 Issues
In my experience, as well as other people who post to the Fortinet forums the 4.2.3 patch causes significant problems when accessing websites. The reason for this appears to be the IPS engine. Disabling IPS on a firewall rule restores normal speed, however you lose IPS functionality which is of course not desirable.
Stay tune for updates on this one.
Stay tune for updates on this one.
Tuesday, December 21, 2010
It's an IPv6 World - Get out there and explore!
Have you been dying (like me) to get your hands dirty and head down the information highway in all of its IPv6 glory? Ever wondered if Google REALLY looks different when viewed via IPv6? ;)
Here is a quick walkthrough on how to get started even if your ISP does not provide IPv6 natively yet.
HE will also assign you a /64 subnet for use behind the firewall on your network. For most people trying this at home 18,446,744,073,709,551,616 IP addresses should be plenty.
If you need more space than this, or as is more likely the case, more subnets you can select the "Assign /48 subnet" in the Tunnel Details page on the HE website. This will provide you with 65,536 subnets for internal use.
Now back to the Fortinet GUI. When you configured the sit-tunnel the name you assigned on the CLI will now show up as a firewall interface in the GUI.
Router -> Static Route -> Create New -> IPv6 Route
Enjoy the holidays.
Here is a quick walkthrough on how to get started even if your ISP does not provide IPv6 natively yet.
- Register for an account with an IPv6 Tunnel Broker. I am using Hurricane Electric. Sign-up for a free account at www.tunnelbroker.net
- Once your registration is confirmed login to www.tunnelbroker.net and use the "Create Regular Tunnel" user function to allocate your IPv6 address space.
- Hurricane Electric (HE) will try to determine the closest of their POPs. You can manually override if required.
- In the "IPv4 endpoint (your side of the tunnel)" enter the public IP address of the WAN interface of the Fortinet. This of course works best when you have a static IP address. If your provider assigns you a dynamic IP address you will have to adjust your tunnel configuration on the HE website every time your IP changes. Most likely the IP address listed in "You are viewing from IP" will be your WAN IP.
- HE will now provide you with your tunnel details.
- config system sit-tunnel
- edit "HE" (the name you want to give to this tunnel/interface)
- set destination 216.218.224.42 (HE Server IPv4 address)
- set interface wan1 (the WAN interface of your firewall)
- set source 1.2.3.4 (the public IP address of your firewall that you specified above)
- set ip6 2001:x:x:x::2/64 (HE Client IPv6 address)
- end
HE will also assign you a /64 subnet for use behind the firewall on your network. For most people trying this at home 18,446,744,073,709,551,616 IP addresses should be plenty.
If you need more space than this, or as is more likely the case, more subnets you can select the "Assign /48 subnet" in the Tunnel Details page on the HE website. This will provide you with 65,536 subnets for internal use.
Now back to the Fortinet GUI. When you configured the sit-tunnel the name you assigned on the CLI will now show up as a firewall interface in the GUI.
Router -> Static Route -> Create New -> IPv6 Route
- Destination IP/Mask: ::/0 (the default route in IPv6 notation)
- Device: the tunnel interface you created earlier via the CLI (in my example "HE")
- Distance: 10
- Priority: 0
- Source Interface: internal
- Source Address: all
- Destination Interface: tunnel interface (in my example "HE)
- Destination Address: all
- Service: Any
- Action: Accept
- IPv6 Address: An address out of the "Routed /64" from the "HE Tunnel Details" page. For example if HE has assigned 2001:1234:4567:9999::/64 as your "Routed 64" your firewall internal IPv6 address could be 2001:1234:4567:9999:1::/64
Enjoy the holidays.
Friday, December 17, 2010
Software Updates
Wow, long time no post :)
FortiOS
FortiOS
- 4.0 MR2 Patch 3, Build 303
- 4.0 MR2 Patch 3, Build 221
Tuesday, October 26, 2010
Fortigate 60C Update 4.0 MR2 P2
After running the FortiWifi 60C with 4.0 MR2 Patch 2 for some time it appears there are still a number of bugs which need to be ironed out.
So while there is now a 4.0 MR2 release for the 60C I would still hold off as it seems there are problems with the platform itself.
- Netflix becomes unreachable at random intervals
- Shoutcast streaming radio stations on a Sonos audio system become unreachable
So while there is now a 4.0 MR2 release for the 60C I would still hold off as it seems there are problems with the platform itself.
Tuesday, October 19, 2010
uFlow Director - Like it on Facebook and win an iPod Shuffle
Ok, not strictly Fortinet related but worth a mention. And read on to find out how to win an iPod shuffle.
The folks at Kera Networks (i.e. me :) have developed a cool appliance/VM solution which helps you distribute UDP data across multiple devices. How is this useful you say? Glad you asked.
Assume a hypothetical scenario like this:
Of course it's not limited to syslog and netflow. It will distribute any kind of UDP traffic you throw at it.
And now for the juicy bit. Visit our website www.keranetworks.com and like our Facebook page. In November we will randomly choose one of our Facebook fans to win an iPod shuffle. We'll even throw in a free copy of iTunes :)
(Hint, hint: We'll also be running a promotion at the end of the year where you can receive a free iPad with purchase of a uFlow Director appliance)
Happy liking.
The folks at Kera Networks (i.e. me :) have developed a cool appliance/VM solution which helps you distribute UDP data across multiple devices. How is this useful you say? Glad you asked.
Assume a hypothetical scenario like this:
- You have a large number of firewalls/routers/other devices which send syslog, netflow and other UDP data
- You want to slice and dice your data using various tools such as FortiAnalyzer, a SIEM solution or a Netflow Analysis tool for example
- You can locate most or all of your tools in a central location
- You pay money for bandwidth :)
- If you want a firewall to send UDP data such as syslog to multiple devices over a WAN you have to send the data multiple times, thus paying multiple times for pushing the same data across the WAN
- Some devices can only be configured to send to a single destination
Of course it's not limited to syslog and netflow. It will distribute any kind of UDP traffic you throw at it.
And now for the juicy bit. Visit our website www.keranetworks.com and like our Facebook page. In November we will randomly choose one of our Facebook fans to win an iPod shuffle. We'll even throw in a free copy of iTunes :)
(Hint, hint: We'll also be running a promotion at the end of the year where you can receive a free iPad with purchase of a uFlow Director appliance)
Happy liking.
Wednesday, October 13, 2010
Fortigate Virtual Appliances
Here is some more information from Network World on the virtual appliances Fortinet is releasing.
- FortiGate
- FortiManager
- FortiAnalyzer
- FortiMail
Monday, October 11, 2010
FortiGate Virtual Machine
Interesting news coming from Fortinet about the release of a VMWare Image of FortiOS. Take a look at this PDF document.
http://docs.fortinet.com/fortigate-vm-admin.pdf
http://docs.fortinet.com/fortigate-vm-admin.pdf
Saturday, October 9, 2010
Software Updates
FortiOS
- 4.0 MR2 Patch, Build 291 for Fortigate 60C and FortiWifi 60C
Saturday, September 18, 2010
FortiGate 60C - Initial Feedback
The FortiGate 60C is a neat little unit. Hardware-wise it has some decent specs.
At the moment the main problem is speed and software. The FG60C is currently running a branch build of FortiOS 4.0 MR1 Patch 4. Doing a straight comparison between a FWF60C and a FWF50B on a DSL connection the FWF50B wins out. Both systems were running firewall only with no protection profile.
Download speed on the 60C was 10 Mbit/s and 16 Mbit/s on the 50B (both tested on the same 18 Mbit/s link).
According to Fortinet a 4.0 MR2 Patch 2 build should be out for the 60C mid-to-late September.
At the moment the main problem is speed and software. The FG60C is currently running a branch build of FortiOS 4.0 MR1 Patch 4. Doing a straight comparison between a FWF60C and a FWF50B on a DSL connection the FWF50B wins out. Both systems were running firewall only with no protection profile.
Download speed on the 60C was 10 Mbit/s and 16 Mbit/s on the 50B (both tested on the same 18 Mbit/s link).
According to Fortinet a 4.0 MR2 Patch 2 build should be out for the 60C mid-to-late September.
Friday, August 27, 2010
Software Updates
FortiClient
FortiDB
FortiGate
FortiManager
FortiWeb
- 4.0 MR2 Patch 1, Build 255
FortiDB
- 4.1.0, Build 54
FortiGate
- 4.0 MR2 Patch 2, Build 291
- (Note: FG/FWF60C will not be released until mid-September)
FortiManager
- 4.0 MR2 Patch 2, Build 363
FortiWeb
- 4.1.0, Build 265
Wednesday, August 25, 2010
Software Update - Breaking News - Hold The Press :)
FortiOS 4.0 MR2 Patch 2 is out.
** Update **
No images yet for FG/FWF 60C .. baaaaaah :(
** Update **
No images yet for FG/FWF 60C .. baaaaaah :(
Monday, August 23, 2010
Software Update
FortiOS 4.0 MR2 Patch 2 was originally scheduled for release on August 9th. Apparently a major bug held up the release and it has been rescheduled for August 25th.
Tuesday, July 13, 2010
High CPU Utilization caused by IPS Engine
Over the past few weeks I have been seeing quite a number of CPU spikes for various types of firewalls ranging from FG60B to 310B to 800. In every instance the "ipsengine" process was consuming all available CPU resources on the firewall. After consulting with Fortinet there appears to be an issue related to the current IPS Engine. Ask your SE and they may be able to provide you with a pre-release version of IPS Engine 1.165.
In the meantime if you run into this problem you can run the following command to restart the IPS Engine:
# diag test app ipsmonitor 99
In the meantime if you run into this problem you can run the following command to restart the IPS Engine:
# diag test app ipsmonitor 99
Friday, July 2, 2010
Software Updates
FortiOS
- 4.0 MR1 Patch 6, Build 205 (Patch 6 was released the day after Patch 5)
- 4.0 MR2 Patch 1, Build 208
- 4.0 MR2 GA, Build 355
Monday, June 28, 2010
FortiAP - First Review
Review by Ben Boysza
I’ve just received the long-awaited and much overdue Fortinet dedicated Access-Point, dubbed the FortiAP 220A. Though Fortinet has had WiFi capable devices in the past, they have always fallen short when it came to a wireless cloud solution – actually, they’ve had none. I’ve been using Cisco Aironet products for years with success, despite the usual non-ergonomic configuration options of both the CLI and GUI. But they work, most of the time – and they offer me features that frankly our beloved FortiWifi’s could not.
And this market is getting more and more crowded, with priced-to-sell solutions from Meraki and Ruckus competing for your building-wide wireless needs. This has certainly been an area where Fortinet has fallen behind, way behind. One FortiWifi device is just not enough. And paying for additional FortiWifi 50B UTMs to use solely as Access Points just did not make sense, even though they can be powered conveniently by PoE.
With the introduction of FortiOS 4.0, we’ve been teased with a new menu option labeled Wireless Controller. Even without the new hardware, we’ve been able to create Virtual Access-Points (VAPs) and get an idea of how this new FortiWifi Cloud solution was going to work and be managed. Embedding a Wireless Controller into an existing Firewall or UTM is pure convenience and efficiency. Though the FortiAP 220A is not officially supported until FortiOS 4.2 (rumored), they are being distributed. However, even though we are seeing the Wireless Controller option on our existing installations of FortiOS 4.0, a special branch version of FortiOS is required. From the release notes:
The FortiAP device must be supported by a special FortiOS branch image for FortiGate model 60B and above, excluding any FortiWiFi models.
The officially released image of FortiOS to support the FortiAP device is based off of FortiOS v4.0 MR2 – fg_4_thin_ap_openssl/build_tag_6322.
You can find the special version on the Fortinet FTP site under the FortiAP directory
Now that I’ve had a few hours with this new line, here’s what I’ve found:
I’ve just received the long-awaited and much overdue Fortinet dedicated Access-Point, dubbed the FortiAP 220A. Though Fortinet has had WiFi capable devices in the past, they have always fallen short when it came to a wireless cloud solution – actually, they’ve had none. I’ve been using Cisco Aironet products for years with success, despite the usual non-ergonomic configuration options of both the CLI and GUI. But they work, most of the time – and they offer me features that frankly our beloved FortiWifi’s could not.
And this market is getting more and more crowded, with priced-to-sell solutions from Meraki and Ruckus competing for your building-wide wireless needs. This has certainly been an area where Fortinet has fallen behind, way behind. One FortiWifi device is just not enough. And paying for additional FortiWifi 50B UTMs to use solely as Access Points just did not make sense, even though they can be powered conveniently by PoE.
With the introduction of FortiOS 4.0, we’ve been teased with a new menu option labeled Wireless Controller. Even without the new hardware, we’ve been able to create Virtual Access-Points (VAPs) and get an idea of how this new FortiWifi Cloud solution was going to work and be managed. Embedding a Wireless Controller into an existing Firewall or UTM is pure convenience and efficiency. Though the FortiAP 220A is not officially supported until FortiOS 4.2 (rumored), they are being distributed. However, even though we are seeing the Wireless Controller option on our existing installations of FortiOS 4.0, a special branch version of FortiOS is required. From the release notes:
The FortiAP device must be supported by a special FortiOS branch image for FortiGate model 60B and above, excluding any FortiWiFi models.
The officially released image of FortiOS to support the FortiAP device is based off of FortiOS v4.0 MR2 – fg_4_thin_ap_openssl/build_tag_6322.
You can find the special version on the Fortinet FTP site under the FortiAP directory
Now that I’ve had a few hours with this new line, here’s what I’ve found:
- No PoE support. WHAT? It’s an AP with no option for PoE. Though, Fortinet does say you can use the Linksys WAPPOE12 adapter with the 220A power supply.
- No SSID->VLAN Interface bridging. Still, an enormous thorn in my side. Though, the pain is dulled when you realize now that you can implement a true cloud solution consisting of many FortiAPs and have roaming clients, you will just dedicate a wireless network. But bridging is still required or preferred by some installations.
- Doesn’t run FortiOS. Well, that’s fine and was expected – it’s a completely new piece of hardware running BusyBox. You can shell in and browse the directory structure as well as manually update network settings (even cat cpuinfo to see it is running an Atheros AR7100 MIPS 24k)
- Telnet disabled when Registered. When the AP is discovered by your WC, and you set Admin level to Enabled, you can no longer Telnet to the AP. Security feature; you’re already managing the device from a WC at this point, and there are remote execute options from the WC CLI.
- Has 4 “Do not use these ports” Ethernet Ports. That’s right, of the 5 ports, 4 are 100Mbps Ethernet ports that are apparently not for use. This really leads us to believe that the hardware used is off-the-shelf and not engineered from scratch by or for Fortinet.
- Reset Button. The first Fortinet device to have a Factory Reset button. Reset it and then re-discover the AP on your Wireless Controller and away you go. This again indicates the use of generic appliance hardware (which, don’t get me wrong, is NOT new to Fortinet)
- Limited WEP SSIDs. You are limited to no more than 4 WEP-Enabled SSIDs; WEP is supported only as a ‘legacy feature’. WEP has long been “de-secured”, and shouldn’t be anywhere near a Corporate or Enterprise environment anyway. If you’re running WEP, use this as a ‘goose’ to migrate to WPA.
- Useless Button. There is a button in the center of the housing on the front of the AP that has apparently no function.
- Dual Radios. Great support for all the bands, including N and G. Like others, you can assign your SSIDs to specific radios/bands using Access Point Profiles. These profiles are then applied to the physical Access Point registrations. This is nice and will really help flexibility in larger implementations.
- Limited Documentation. Actually, besides the Quick Start guide there isn’t much. Since it’s managed by a FortiGate (FortiWifi models cannot be Wireless Controllers), you’ll find most of the necessary information in the FortiOS 4.0 Administration Guides.
- Manual or Automatic Firmware Upgrade. When the AP is not ‘Enabled’ by the WC, you can telnet in and manually TFTP in new firmware. Better yet, upgrading the WC’s firmware will update the AP’s firmware if necessary as long as the AP is ‘Enabled’ by the WC.
Friday, June 25, 2010
VPN Debug Enhancements
In newer versions of FortiOS (such as 4.0 MR1 and MR2) Fortinet has enhanced the capability of debugging individual VPN connections terminating on Fortigate firewalls.
Previously when debugging connections you only had the ability to filter IKE traffic by destination IP. The new "diag vpn ike log-filter" command has added several more filter criteria which you can use for troubleshooting VPN connections. Using this command is extremely helpful in cases where you have several active VPN sessions on your firewall. The console will most likely be spammed with log messages from tunnels which you are not interested in. To filter VPN connections use the following syntax:
diag vpn ike log-filter
Available options are:
clear erase the current filter
dst-addr4 the IPv4 destination address range to filter by
dst-addr6 the IPv6 destination address range to filter by
dst-port the destination port range to filter by
interface interface that IKE connection is negotiated over
list display the current filter
name the phase1 name to filter by
negate negate the specified filter parameter
src-addr4 the IPv4 source address range to filter by
src-addr6 the IPv6 source address range to filter by
src-port the source port range to filter by
vd index of virtual domain. -1 matches all
For example if you have a VPN tunnel from your firewall to a remote gateway with IP 1.2.3.4 you would use the following commands:
Also don't forget to reset your debug level when you are done to conserve system resources:
Previously when debugging connections you only had the ability to filter IKE traffic by destination IP. The new "diag vpn ike log-filter" command has added several more filter criteria which you can use for troubleshooting VPN connections. Using this command is extremely helpful in cases where you have several active VPN sessions on your firewall. The console will most likely be spammed with log messages from tunnels which you are not interested in. To filter VPN connections use the following syntax:
diag vpn ike log-filter
Available options are:
clear erase the current filter
dst-addr4 the IPv4 destination address range to filter by
dst-addr6 the IPv6 destination address range to filter by
dst-port the destination port range to filter by
interface interface that IKE connection is negotiated over
list display the current filter
name the phase1 name to filter by
negate negate the specified filter parameter
src-addr4 the IPv4 source address range to filter by
src-addr6 the IPv6 source address range to filter by
src-port the source port range to filter by
vd index of virtual domain. -1 matches all
For example if you have a VPN tunnel from your firewall to a remote gateway with IP 1.2.3.4 you would use the following commands:
- diag vpn ike log-filter dst-addr4 1.2.3.4
- diag debug enable
- diag debug console
- diag debug app ike 200
Also don't forget to reset your debug level when you are done to conserve system resources:
- diag debug disable
- diag debug reset
Labels:
CLI,
debug,
fortigate,
tips+tricks,
troubleshooting,
VPN
Friday, June 11, 2010
Packet Sniffers, Traffic Counters and NP2 Accelerated Ports
After switching from a FG800 platform (non accelerated network ports) to a 310B (NP2 accelerated ports) I noticed that the "diag sniffer packet" command is no longer very useful.
For troubleshooting purposes and when it is desired to capture packets or check the flow on the FortiGate, you can bypass H/W acceleration with the following command on a specific port.
Be aware that this might affect performance and should only be used for troubleshooting purpose.
"diagnose npu np2 fastpath-sniffer enable port(s)_number"
This now shows all traffic for all sessions to/from this or those port(s) when using the sniffer or the diag debug flow commands
The command below will re-enable H/W offloading :
"diagnose npu np2 fastpath-sniffer disable port(s)_number"
Note that this is not saved in the configuration and will be lost after a reboot.
(From Fortinet Knowledge Base)
- Packets are only displayed on the first pass through the firewall. Subsequent packets appear to be "flowed" and not displayed by the sniffer.
- IP addresses are incorrect in certain cases. The sniffer shows packets as originating from the firewall's IP address. When performing a packet capture on the target host the source is that of the original sending host, so a discrepancy there.
- The traffic counters in the firewall policy screen no longer show accurate values. We are receiving several gigs of log traffic through the firewall per day but after several weeks of uptime the counter only displays ~250 MByte of traffic.
- SNMP statistics do not show correct values due to fastpathing of packets
For troubleshooting purposes and when it is desired to capture packets or check the flow on the FortiGate, you can bypass H/W acceleration with the following command on a specific port.
Be aware that this might affect performance and should only be used for troubleshooting purpose.
"diagnose npu np2 fastpath-sniffer enable port(s)_number
This now shows all traffic for all sessions to/from this or those port(s) when using the sniffer or the diag debug flow commands
The command below will re-enable H/W offloading :
"diagnose npu np2 fastpath-sniffer disable port(s)_number
Note that this is not saved in the configuration and will be lost after a reboot.
(From Fortinet Knowledge Base)
Labels:
fortigate
Saturday, May 22, 2010
Software Updates
FortiOS
- 4.0 MR2 Patch 1, Build 279
- 4.0 MR2 GA, Build 272
- 4.0 MR1 Patch 5, Build 138
- 4.0 MR2 GA, Build 250
- 4.0 MR2 Patch 1, Build 348
- 4.0 GA Patch 3, Build 130
- 4.0 GA Patch 2, Build 211
- 4.0 MR2 GA, Build 106
Wednesday, May 19, 2010
Fortigate 800 DIY
What do you do if you shut down your Fortigate 800 and it won't come back on? What if this firewall provides critical Internet access? What if the power supply on the firewall is dead?
Easy, as per the attached pictures (and no, don't try this at home kids :).
Required Ingredients:
Easy, as per the attached pictures (and no, don't try this at home kids :).
Required Ingredients:
- Fortigate 800
- Old PC
- Various tools such as screwdrivers and pliers
- Open Fortigate 800
- Remove power supply from old PC
- Disconnect built-in power supply of Fortigate
- Position old PC power supply next to Fortigate 800
- Connect old PC power supply to Fortigate
Wednesday, May 12, 2010
Blocking Facebook Social Plugins
Here is an interesting blog post from Fortinet on how to block the new Facebook Social Plugins via FortiOS Application Control. The article is here: http://blog.fortinet.com/facebook-social-plugins-world-domination/
Monday, May 10, 2010
FortiManager 4.0 MR2
After running FortiManager 4.0 MR2 for a while now it's been mostly smoothing sailing. There are some things to be aware of:
- After FortiManager runs for extended periods of time the memory utilization goes to almost 100%. This can be fixed by a reboot
- The "diag sys top" command is no longer implemented to view process utilization. Therefore it is difficult to understand which process is using most of the memory
- This appears similar to an issue in early FM 4.0 MR1 releases where memory utilization would spike high also
Tuesday, April 13, 2010
Software Updates
FortiOS
- 4.0 MR2 GA, Build 272
- 4.0 MR2 GA, Build 198
- 4.0 MR2 GA, Build 336
Friday, April 2, 2010
FortiOS 4.0 MR2 - Initial Impressions
Fortinet has shown once again that they continuously work on improving their products. The WEB UI has been give a complete overhaul. While the new look will certainly take some getting used to it is fairly clean and efficient. Some of the initial things I noticed:
- Performance of the UI is better in Internet Explorer than in Firefox
- The new UI no longer uses the edit and trashcan icons on the right. Instead you now use check boxes. One of the advantages is that it's easier to quickly remove multiple rules or objects.
On the downside you can no longer quickly determine whether an object is in use or not by looking for the trashcan icon next to the object. If you select an object that is in use the "Delete" option stays greyed out. And if you select multiple objects (including ones that are in use) and delete them you get a warning that some elements could not be deleted. In my opinion that is a step backwards as far as usability goes. It would be nice to have a column indicating if the objects are in use or not.
Personally I use the "trashcan indicator" frequently to weed out unused objects.
- The release notes mention "Protection Profile Re-work". What that apparently means is that protection profiles are gone and you select individual UTM policies on a per-rule basis. This is something I spoke to the Fortinet guys about during the RSA show in early March.
While I certainly see the intention of making rule creation more flexible it also provides a significant downside. If for example I wanted to change the UTM policies for several rules I will now have to find each rule where the UTM policy is applied and change it there. Previously I could make a change to the protection profile and it would apply to all rules which use the profile.
A possible solution would be to have a radio button which would allow the use of a pre-defined protection profile or to let you select individual UTM policies.
- Some of the links do not work in IE. For example in the "Top Sessions" widget on the dashboard the "Details" link does not work in Internet Explorer, no problems in Firefox. Also the link to change the operation mode on the main dashboard has this problem.
(Funny thing I just noticed is that the "Logout" button is also broken in IE :)
- When using the "Insert" function to add a firewall policy above an existing one there appears to be a bug in the GUI. No matter in which section I insert a policy (such as internal to DMZ) the destination interface is always set to WAN1. In the drop down box that is the only destination interface available. The workaround right now is to add a policy and then move it to the right location.
Software Update - 4.0 MR2
Fortinet has released FortiOS 4.0 MR2. This is a major release and below are highlights of new features from the release notes.
I shall sink my teeth into the new version later today. However since this is a major release with lots of new features my recommendation is as usual to wait one or two patch releases before deploying to mission critical production firewalls.
· New Web UI Design
· Supports Dynamic Proxy Allocation
· IS-IS Routing Protocol Support
· WCCP Client Support
· Explicit Proxy Improvements
· HA Management Port Reservation
· SSL Proxy Exemption by FortiGuard Category
· Web 2.0 Log Viewer
· Introduced 'grep' Capability in the CLI
· Supports sFlow (Client)
· Supports FortiGuard Widget on the Dashboard
· Local Content Archive Support
· Introduces Report Module Feature
· HA Sub-second Failover Support
· Enhanced Support for BGP Routing
· Introduction of Web Filtering Quota
· Supports ELBC Synchronization
· Endpoint Control - Extension to Endpoint Application Detection
· Dashboard Widget Extensions
· Supports L2TP with IPSec
· Skype Control Improvement
· Supports VRRP and Link Failure Control
· Per-IP Bandwidth Dashboard Widget
· Improved Client Certificate Handling for SSL Inspection
· Maximum Concurrent Users for Explicit Proxy
· Full SIP Feature Support
· FSAE Support Polling Domain Controllers
· Improved DC Agent Distribution (MSI)
· Storage Health Monitor Feature
· Improved Disk I/O Scalability
· Protection Profile Re-work
· Supports Web Cache Exempt List
· Introduction of Network Scan Feature
· Introduction of Network Monitoring Feature
· Supports Password Renewal for LDAP or RADIUS Users
· Disk Management
· Supports Extreme AV Database
· Introduction of Flow-based AntiVirus Feature
· Supports Diagnostic Command Lock-down
· Configuration Revision History and Templates
· Enhanced Customizable Web UI Feature
· Introduces Support for Statefull SCTP Firewall
I shall sink my teeth into the new version later today. However since this is a major release with lots of new features my recommendation is as usual to wait one or two patch releases before deploying to mission critical production firewalls.
· New Web UI Design
· Supports Dynamic Proxy Allocation
· IS-IS Routing Protocol Support
· WCCP Client Support
· Explicit Proxy Improvements
· HA Management Port Reservation
· SSL Proxy Exemption by FortiGuard Category
· Web 2.0 Log Viewer
· Introduced 'grep' Capability in the CLI
· Supports sFlow (Client)
· Supports FortiGuard Widget on the Dashboard
· Local Content Archive Support
· Introduces Report Module Feature
· HA Sub-second Failover Support
· Enhanced Support for BGP Routing
· Introduction of Web Filtering Quota
· Supports ELBC Synchronization
· Endpoint Control - Extension to Endpoint Application Detection
· Dashboard Widget Extensions
· Supports L2TP with IPSec
· Skype Control Improvement
· Supports VRRP and Link Failure Control
· Per-IP Bandwidth Dashboard Widget
· Improved Client Certificate Handling for SSL Inspection
· Maximum Concurrent Users for Explicit Proxy
· Full SIP Feature Support
· FSAE Support Polling Domain Controllers
· Improved DC Agent Distribution (MSI)
· Storage Health Monitor Feature
· Improved Disk I/O Scalability
· Protection Profile Re-work
· Supports Web Cache Exempt List
· Introduction of Network Scan Feature
· Introduction of Network Monitoring Feature
· Supports Password Renewal for LDAP or RADIUS Users
· Disk Management
· Supports Extreme AV Database
· Introduction of Flow-based AntiVirus Feature
· Supports Diagnostic Command Lock-down
· Configuration Revision History and Templates
· Enhanced Customizable Web UI Feature
· Introduces Support for Statefull SCTP Firewall
Tuesday, March 30, 2010
HTTP A/V Scanning breaking Web Applications
If you are running FortiOS 4.0 MR1 at pretty much any patch level there is currently a bug which breaks or severely slows certain web applications. For example the BMC Service Desk (Magic) Ticketing systems runs VERY slow. Also certain web-based management platforms are broken completely.
At the moment the workaround is to disable HTTP scanning in the protection profile and to not apply any DLP settings for HTTP in the UTM config.
Fortinet has identified the root cause of this issue and a patch is scheduled to be included in FortiOS 4.0 MR1 Patch 5. Patch 5 is slated to be released towards the end of April.
** Update **
From the 4.0 MR1 Patch 5 release notes:
Description: The FortiGate may drop pipelined HTTP requests.
Bug ID: 120936
Status: Fixed in v4.0 MR1 - Patch Release 5.
At the moment the workaround is to disable HTTP scanning in the protection profile and to not apply any DLP settings for HTTP in the UTM config.
Fortinet has identified the root cause of this issue and a patch is scheduled to be included in FortiOS 4.0 MR1 Patch 5. Patch 5 is slated to be released towards the end of April.
** Update **
From the 4.0 MR1 Patch 5 release notes:
Description: The FortiGate may drop pipelined HTTP requests.
Bug ID: 120936
Status: Fixed in v4.0 MR1 - Patch Release 5.
Wednesday, March 24, 2010
Software Updates
FortiOS
- 4.0 MR1 Patch 4, Build 196
- 4.0 GA Patch 2, Build 126
- 4.0 MR1 Patch 4, Build 196
Tuesday, March 23, 2010
Fortigate GUI Problem with Firefox and Adblock Plus
Known to be affected:
- FortiOS 4.0 MR1
- Adblock Plus 1.1.X
- Router -> Dynamic -> OSPF: The little blue triangle to expand the "Advanced Options" does not display but can be clicked if you know its location
- VPN -> IPSEC -> Auto Key: The "Advanced" option buttons for both Phase 1 and 2 appear but do not expand the GUI when clicked.
Saturday, March 20, 2010
Software Updates
FortiClient
- 4.0, MR1 Patch 3, Build 143
- 4.0 GA, Patch 2, Build 004
- 4.0 GA, Build 199
Thursday, February 25, 2010
Custom DHCP Options in FortiSpeak
Sometimes it is useful to configure certain custom DHCP options in your DHCP scopes. For example to point your clients to a network time server you use DHCP option 42. Also custom DHCP options are typically used for VoIP phones to find their softswitch.
Here are some tips for configuring these parameters properly as it is not entirely obvious. The example I am using is to point some VoIP phones to an IP PBX.
Also see RFC2131 for the official DHCP definition.
Address info:
You can also accomplish the above tasks via the CLI:
Here are some tips for configuring these parameters properly as it is not entirely obvious. The example I am using is to point some VoIP phones to an IP PBX.
Also see RFC2131 for the official DHCP definition.
Address info:
- Firewall IP: 192.168.1.1
- TFTP Host Name (IP PBX): 192.168.1.10
- NTP Server: 192.168.1.20
- Phone IP Range: 192.168.1.100 - 192.168.1.200
- FTP Username: user1 (this is for the phone to login to the IP PBX)
- FTP Password: password1
- Browse to System -> DHCP and create or modify an appropriate DHCP scope
- Name: VoIP_Phone_Scope
- IP Range: 192.168.1.100 - 192.168.1.200
- Network Mask: 255.255.255.0
- Default Gateway: 192.168.1.1
- Domain: example.com
- Click the Advanced button to expand your available options
- IP Assignment Mode: Server IP Range
- DNS Server 1:
- Option 1: Code = 42, Option = C0A80114
- This defines the NTP Time Server (Option 42) as 192.168.1.20 (192=C0, 168=A8,1=01,20=14 in hex). You can use the Windows Calculator in scientific mode to do the decimal to hex conversion if you don't do dec to hex in your head :)
- Option 2: Code = 66, Option = 6674703a2f2f75736572313a70617373776f726431403139322e3136382e312e3130
You can also accomplish the above tasks via the CLI:
- config system dhcp server
- edit "dhcp scope name"
- set option 1 42 C0A80114
- set option 2 66 6674703a2f2f75736572313a70617373776f726431403139322e3136382e312e3130
- end
Software Updates
FortiOS:
FortiAnalyzer:
FortiManager:
- 4.0 MR1 Patch 3, Build 194
FortiAnalyzer:
- 4.0 MR1 Patch 3, Build 130
FortiManager:
- 4.0 MR1 Patch 3, Build 224
Tuesday, January 19, 2010
Software Updates
FortiOS:
- 4.0 MR1 Patch 2, Build 192
- 4.0 GA Patch 4, Build 5103
- 4.0 GA Patch 4, Build 51
- 4.0 GA Patch 1, Build 103
- 3.2.5, Build 23
- 4.0 GA Patch 1, Build 003
- 3.0 MR3 Patch 2, Build 332
Friday, January 8, 2010
Problem with A/V Update Today
Today at around 12.30pm PST Fortinet pushed out an A/V signature update that caused virtually every file to be identified as infected with the js/gumblar.gen virus. This was most likely a problem with a false positive in the signature file. Fortinet made a new signature update available by 4pm PST today which resolved the issue.
** Update from Fortinet **
A false positive is discovered in our AV Database Version 11.351 on the signature JS/Gumblar.gen.
A new version of the AV Database, version 11.352, has been release to correct this issue around 4:20 PM Pacific Time today (Friday, January 8, 2010).
** Update from Fortinet **
A false positive is discovered in our AV Database Version 11.351 on the signature JS/Gumblar.gen.
A new version of the AV Database, version 11.352, has been release to correct this issue around 4:20 PM Pacific Time today (Friday, January 8, 2010).
Subscribe to:
Posts (Atom)