Thursday, December 23, 2010

FortiOS 4.0 MR2 Patch 3 Issues

In my experience, as well as other people who post to the Fortinet forums the 4.2.3 patch causes significant problems when accessing websites. The reason for this appears to be the IPS engine. Disabling IPS on a firewall rule restores normal speed, however you lose IPS functionality which is of course not desirable.

Stay tune for updates on this one.

Tuesday, December 21, 2010

It's an IPv6 World - Get out there and explore!

Have you been dying (like me) to get your hands dirty and head down the information highway in all of its IPv6 glory? Ever wondered if Google REALLY looks different when viewed via IPv6? ;)

Here is a quick walkthrough on how to get started even if your ISP does not provide IPv6 natively yet.

  • Register for an account with an IPv6 Tunnel Broker. I am using Hurricane Electric. Sign-up for a free account at www.tunnelbroker.net
  • Once your registration is confirmed login to www.tunnelbroker.net and use the "Create Regular Tunnel" user function to allocate your IPv6 address space.
  • Hurricane Electric (HE) will try to determine the closest of their POPs. You can manually override if required.
  • In the "IPv4 endpoint (your side of the tunnel)" enter the public IP address of the WAN interface of the Fortinet. This of course works best when you have a static IP address. If your provider assigns you a dynamic IP address you will have to adjust your tunnel configuration on the HE website every time your IP changes. Most likely the IP address listed in "You are viewing from IP" will be your WAN IP.
  • HE will now provide you with your tunnel details.
On to the Fortinet configuration. This must be done via the CLI.

  • config system sit-tunnel
  • edit "HE" (the name you want to give to this tunnel/interface)
  • set destination 216.218.224.42 (HE Server IPv4 address)
  • set interface wan1 (the WAN interface of your firewall)
  • set source 1.2.3.4 (the public IP address of your firewall that you specified above)
  • set ip6 2001:x:x:x::2/64 (HE Client IPv6 address)
  • end
HE will assign a /64 subnet for routing between their equipment and your firewall. Think of this as using a /30 in IPv4. Except in this case you are only using two IP addresses out of a space that is the entire IPv4 Internet address space squared, i.e. you are "wasting" eighteen quintillion, fourhundred forty-six quadrillion, sevenhundred forty-four trillion, seventy-three billion, sevenhundred nine million, five hundred fiftyone thousand, six hundred and fourteen addresses :)


HE will also assign you a /64 subnet for use behind the firewall on your network. For most people trying this at home 18,446,744,073,709,551,616 IP addresses should be plenty.
If you need more space than this, or as is more likely the case, more subnets you can select the "Assign /48 subnet" in the Tunnel Details page on the HE website. This will provide you with 65,536 subnets for internal use.

Now back to the Fortinet GUI. When you configured the sit-tunnel the name you assigned on the CLI will now show up as a firewall interface in the GUI.


Router -> Static Route -> Create New -> IPv6 Route
  • Destination IP/Mask: ::/0 (the default route in IPv6 notation)
  • Device: the tunnel interface you created earlier via the CLI (in my example "HE")
  • Distance: 10
  • Priority: 0
Firewall -> Policy -> IPv6 Policy -> Create New
  • Source Interface: internal
  • Source Address: all
  • Destination Interface: tunnel interface (in my example "HE)
  • Destination Address: all
  • Service: Any
  • Action: Accept
System -> Network -> Interface -> Internal
  • IPv6 Address: An address out of the "Routed /64" from the "HE Tunnel Details" page. For example if HE has assigned 2001:1234:4567:9999::/64 as your "Routed 64" your firewall internal IPv6 address could be 2001:1234:4567:9999:1::/64
Also don't forget to configure your workstation with IPv6. On the "Tunnel Details" page HE provides examples for IPv6 interface configurations for a number of operating systems including Linux and Windows. In the above example your workstation IP could be 2001:1234:4567:9999:2::/64. When configuring Windows simply ignore the error message about multiple default gateways. Windows will only use the IPv6 default gateway when sending IPv6 traffic.

Enjoy the holidays.

Friday, December 17, 2010

Software Updates

Wow, long time no post :)

FortiOS
  • 4.0 MR2 Patch 3, Build 303
FortiAnalyzer
  • 4.0 MR2 Patch 3, Build 221
    It seems like the FG/FWF60C are still having issues as the release for this new platform is still behind just like last time.

    Tuesday, October 26, 2010

    Fortigate 60C Update 4.0 MR2 P2

    After running the FortiWifi 60C with 4.0 MR2 Patch 2 for some time it appears there are still a number of bugs which need to be ironed out.
    • Netflix becomes unreachable at random intervals
    • Shoutcast streaming radio stations on a Sonos audio system become unreachable
    Replacing the 60C with my trusty FortiWifi 50B resolved the problem.

    So while there is now a 4.0 MR2 release for the 60C I would still hold off as it seems there are problems with the platform itself.

    Tuesday, October 19, 2010

    uFlow Director - Like it on Facebook and win an iPod Shuffle

    Ok, not strictly Fortinet related but worth a mention. And read on to find out how to win an iPod shuffle.

    The folks at Kera Networks (i.e. me :) have developed a cool appliance/VM solution which helps you distribute UDP data across multiple devices. How is this useful you say? Glad you asked.

    Assume a hypothetical scenario like this:
    • You have a large number of firewalls/routers/other devices which send syslog, netflow and other UDP data
    • You want to slice and dice your data using various tools such as FortiAnalyzer, a SIEM solution or a Netflow Analysis tool for example
    • You can locate most or all of your tools in a central location
    • You pay money for bandwidth :)
    uFlow Director addresses some of the shortcomings of the sending devices:
    • If you want a firewall to send UDP data such as syslog to multiple devices over a WAN you have to send the data multiple times, thus paying multiple times for pushing the same data across the WAN
    • Some devices can only be configured to send to a single destination
    All you need to do is configure your devices to send their traffic to the uFlow Director appliance and it will make copies of the UDP flows and forward them to the correct receivers. It comes with a super simple web-based user interface to configure the UDP distribution rules.

    Of course it's not limited to syslog and netflow. It will distribute any kind of UDP traffic you throw at it.


    And now for the juicy bit. Visit our website www.keranetworks.com and like our Facebook page. In November we will randomly choose one of our Facebook fans to win an iPod shuffle. We'll even throw in a free copy of iTunes :)

    (Hint, hint: We'll also be running a promotion at the end of the year where you can receive a free iPad with purchase of a uFlow Director appliance)

    Happy liking.

    Wednesday, October 13, 2010

    Fortigate Virtual Appliances

    Here is some more information from Network World on the virtual appliances Fortinet is releasing.

    • FortiGate
    • FortiManager
    • FortiAnalyzer
    • FortiMail
    http://www.networkworld.com/news/2010/101210-fortinet-goes-virtual.html

    Monday, October 11, 2010

    FortiGate Virtual Machine

    Interesting news coming from Fortinet about the release of a VMWare Image of FortiOS. Take a look at this PDF document.

    http://docs.fortinet.com/fortigate-vm-admin.pdf

    Saturday, October 9, 2010

    Software Updates

    FortiOS
    • 4.0 MR2 Patch, Build 291 for Fortigate 60C and FortiWifi 60C

    Saturday, September 18, 2010

    FortiGate 60C - Initial Feedback

    The FortiGate 60C is a neat little unit. Hardware-wise it has some decent specs.
    At the moment the main problem is speed and software. The FG60C is currently running a branch build of FortiOS 4.0 MR1 Patch 4. Doing a straight comparison between a FWF60C and a FWF50B on a DSL connection the FWF50B wins out. Both systems were running firewall only with no protection profile.
    Download speed on the 60C was 10 Mbit/s and 16 Mbit/s on the 50B (both tested on the same 18 Mbit/s link).

    According to Fortinet a 4.0 MR2 Patch 2 build should be out for the 60C mid-to-late September.

    Friday, August 27, 2010

    Software Updates

    FortiClient
    • 4.0 MR2 Patch 1, Build 255

    FortiDB
    • 4.1.0, Build 54

    FortiGate
    • 4.0 MR2 Patch 2, Build 291
    • (Note: FG/FWF60C will not be released until mid-September)

    FortiManager
    • 4.0 MR2 Patch 2, Build 363

    FortiWeb
    • 4.1.0, Build 265

    Wednesday, August 25, 2010

    Software Update - Breaking News - Hold The Press :)

    FortiOS 4.0 MR2 Patch 2 is out.

    ** Update **

    No images yet for FG/FWF 60C .. baaaaaah :(

    Monday, August 23, 2010

    Software Update

    FortiOS 4.0 MR2 Patch 2 was originally scheduled for release on August 9th. Apparently a major bug held up the release and it has been rescheduled for August 25th.

    Tuesday, July 13, 2010

    High CPU Utilization caused by IPS Engine

    Over the past few weeks I have been seeing quite a number of CPU spikes for various types of firewalls ranging from FG60B to 310B to 800. In every instance the "ipsengine" process was consuming all available CPU resources on the firewall. After consulting with Fortinet there appears to be an issue related to the current IPS Engine. Ask your SE and they may be able to provide you with a pre-release version of IPS Engine 1.165.

    In the meantime if you run into this problem you can run the following command to restart the IPS Engine:

    # diag test app ipsmonitor 99

    Friday, July 2, 2010

    Software Updates

    FortiOS
    • 4.0 MR1 Patch 6, Build 205 (Patch 6 was released the day after Patch 5)
    FortiAnalyzer
    • 4.0 MR2 Patch 1, Build 208
    FortiSwitch
    • 4.0 MR2 GA, Build 355

    Monday, June 28, 2010

    FortiAP - First Review

    Review by Ben Boysza

    I’ve just received the long-awaited and much overdue Fortinet dedicated Access-Point, dubbed the FortiAP 220A. Though Fortinet has had WiFi capable devices in the past, they have always fallen short when it came to a wireless cloud solution – actually, they’ve had none. I’ve been using Cisco Aironet products for years with success, despite the usual non-ergonomic configuration options of both the CLI and GUI. But they work, most of the time – and they offer me features that frankly our beloved FortiWifi’s could not.
    And this market is getting more and more crowded, with priced-to-sell solutions from Meraki and Ruckus competing for your building-wide wireless needs. This has certainly been an area where Fortinet has fallen behind, way behind. One FortiWifi device is just not enough. And paying for additional FortiWifi 50B UTMs to use solely as Access Points just did not make sense, even though they can be powered conveniently by PoE.


    With the introduction of FortiOS 4.0, we’ve been teased with a new menu option labeled Wireless Controller. Even without the new hardware, we’ve been able to create Virtual Access-Points (VAPs) and get an idea of how this new FortiWifi Cloud solution was going to work and be managed. Embedding a Wireless Controller into an existing Firewall or UTM is pure convenience and efficiency. Though the FortiAP 220A is not officially supported until FortiOS 4.2 (rumored), they are being distributed. However, even though we are seeing the Wireless Controller option on our existing installations of FortiOS 4.0, a special branch version of FortiOS is required. From the release notes:

    The FortiAP device must be supported by a special FortiOS branch image for FortiGate model 60B and above, excluding any FortiWiFi models.
    The officially released image of FortiOS to support the FortiAP device is based off of FortiOS v4.0 MR2 – fg_4_thin_ap_openssl/build_tag_6322.


    You can find the special version on the Fortinet FTP site under the FortiAP directory


    Now that I’ve had a few hours with this new line, here’s what I’ve found:

    • No PoE support. WHAT? It’s an AP with no option for PoE. Though, Fortinet does say you can use the Linksys WAPPOE12 adapter with the 220A power supply.
    • No SSID->VLAN Interface bridging. Still, an enormous thorn in my side. Though, the pain is dulled when you realize now that you can implement a true cloud solution consisting of many FortiAPs and have roaming clients, you will just dedicate a wireless network. But bridging is still required or preferred by some installations.
    • Doesn’t run FortiOS. Well, that’s fine and was expected – it’s a completely new piece of hardware running BusyBox. You can shell in and browse the directory structure as well as manually update network settings (even cat cpuinfo to see it is running an Atheros AR7100 MIPS 24k)
    • Telnet disabled when Registered. When the AP is discovered by your WC, and you set Admin level to Enabled, you can no longer Telnet to the AP. Security feature; you’re already managing the device from a WC at this point, and there are remote execute options from the WC CLI.
    • Has 4 “Do not use these ports” Ethernet Ports. That’s right, of the 5 ports, 4 are 100Mbps Ethernet ports that are apparently not for use. This really leads us to believe that the hardware used is off-the-shelf and not engineered from scratch by or for Fortinet.
    • Reset Button. The first Fortinet device to have a Factory Reset button. Reset it and then re-discover the AP on your Wireless Controller and away you go. This again indicates the use of generic appliance hardware (which, don’t get me wrong, is NOT new to Fortinet)
    • Limited WEP SSIDs. You are limited to no more than 4 WEP-Enabled SSIDs; WEP is supported only as a ‘legacy feature’. WEP has long been “de-secured”, and shouldn’t be anywhere near a Corporate or Enterprise environment anyway. If you’re running WEP, use this as a ‘goose’ to migrate to WPA.
    • Useless Button. There is a button in the center of the housing on the front of the AP that has apparently no function.
    • Dual Radios. Great support for all the bands, including N and G. Like others, you can assign your SSIDs to specific radios/bands using Access Point Profiles. These profiles are then applied to the physical Access Point registrations. This is nice and will really help flexibility in larger implementations.
    • Limited Documentation. Actually, besides the Quick Start guide there isn’t much. Since it’s managed by a FortiGate (FortiWifi models cannot be Wireless Controllers), you’ll find most of the necessary information in the FortiOS 4.0 Administration Guides.
    • Manual or Automatic Firmware Upgrade. When the AP is not ‘Enabled’ by the WC, you can telnet in and manually TFTP in new firmware. Better yet, upgrading the WC’s firmware will update the AP’s firmware if necessary as long as the AP is ‘Enabled’ by the WC.
    Overall, I’m still excited, though disappointed with Fortinets first stab at a cloud WiFi solution. The FortiAP 220A appears to be an off-the-shelf OEM piece that has been rushed into production. As I said, I’ve only spent a few hours with the device thus far. I have several to implement for customers in completely different industries, so we still have plenty of learning to do. The unit is priced middle-market, it’s light and is attractive enough to hang on a wall or ceiling without sticking out like a sore thumb. I look forward to the official release (rumored 4.2) and expect to see many features and improvements. It wouldn’t be a Fortinet product if it didn’t evolve in a matter of months with features we weren’t even asking for.

    Friday, June 25, 2010

    VPN Debug Enhancements

    In newer versions of FortiOS (such as 4.0 MR1 and MR2) Fortinet has enhanced the capability of debugging individual VPN connections terminating on Fortigate firewalls.
    Previously when debugging connections you only had the ability to filter IKE traffic by destination IP. The new "diag vpn ike log-filter" command has added several more filter criteria which you can use for troubleshooting VPN connections. Using this command is extremely helpful in cases where you have several active VPN sessions on your firewall. The console will most likely be spammed with log messages from tunnels which you are not interested in. To filter VPN connections use the following syntax:

    diag vpn ike log-filter


    Available options are:
    clear erase the current filter
    dst-addr4 the IPv4 destination address range to filter by
    dst-addr6 the IPv6 destination address range to filter by
    dst-port the destination port range to filter by
    interface interface that IKE connection is negotiated over
    list display the current filter
    name the phase1 name to filter by
    negate negate the specified filter parameter
    src-addr4 the IPv4 source address range to filter by
    src-addr6 the IPv6 source address range to filter by
    src-port the source port range to filter by
    vd index of virtual domain. -1 matches all


    For example if you have a VPN tunnel from your firewall to a remote gateway with IP 1.2.3.4 you would use the following commands:
    • diag vpn ike log-filter dst-addr4 1.2.3.4
    • diag debug enable
    • diag debug console
    • diag debug app ike 200
    Now only log messages matching a destination address of 1.2.3.4 will be displayed.

    Also don't forget to reset your debug level when you are done to conserve system resources:
    • diag debug disable
    • diag debug reset

    Friday, June 11, 2010

    Packet Sniffers, Traffic Counters and NP2 Accelerated Ports

    After switching from a FG800 platform (non accelerated network ports) to a 310B (NP2 accelerated ports) I noticed that the "diag sniffer packet" command is no longer very useful.

    • Packets are only displayed on the first pass through the firewall. Subsequent packets appear to be "flowed" and not displayed by the sniffer.
    • IP addresses are incorrect in certain cases. The sniffer shows packets as originating from the firewall's IP address. When performing a packet capture on the target host the source is that of the original sending host, so a discrepancy there.
    • The traffic counters in the firewall policy screen no longer show accurate values. We are receiving several gigs of log traffic through the firewall per day but after several weeks of uptime the counter only displays ~250 MByte of traffic. 
    • SNMP statistics do not show correct values due to fastpathing of packets
    Solution:

    For troubleshooting purposes and when it is desired to capture packets or check the flow on the FortiGate, you can bypass H/W acceleration with the following command on a specific port.

    Be aware that this might affect performance and should only be used for troubleshooting purpose.

     "diagnose npu np2 fastpath-sniffer enable port(s)_number"

    This now shows all traffic for all sessions to/from this or those port(s) when using the sniffer or the diag debug flow commands

    The command below will re-enable H/W offloading :

     "diagnose npu np2 fastpath-sniffer disable port(s)_number"

    Note that this is not saved in the configuration and will be lost after a reboot. 

    (From Fortinet Knowledge Base) 

      Saturday, May 22, 2010

      Software Updates

      FortiOS
      • 4.0 MR2 Patch 1, Build 279
       Fortigate-One
      • 4.0 MR2 GA, Build 272
       FortiAnalyzer
      • 4.0 MR1 Patch 5, Build  138
       FortiClient
      •  4.0 MR2 GA, Build 250
       FortiManager
      • 4.0 MR2 Patch 1, Build  348
       FortiMail
      • 4.0 GA Patch 3, Build 130
       FortiWeb
      • 4.0 GA Patch 2, Build 211
      FortiAP
      • 4.0 MR2 GA, Build 106

      Wednesday, May 19, 2010

      Fortigate 800 DIY

      What do you do if you shut down your Fortigate 800 and it won't come back on? What if this firewall provides critical Internet access? What if the power supply on the firewall is dead?

      Easy, as per the attached pictures (and no, don't try this at home kids :).

      Required Ingredients:
      • Fortigate 800
      • Old PC
      • Various tools such as screwdrivers and pliers
      Proceed as follows:
      • Open Fortigate 800
      • Remove power supply from old PC
      • Disconnect built-in power supply of Fortigate
      • Position old PC power supply next to Fortigate 800
      • Connect old PC power supply to Fortigate
      And voila it works :)



      Wednesday, May 12, 2010

      Blocking Facebook Social Plugins

      Here is an interesting blog post from Fortinet on how to block the new Facebook Social Plugins via FortiOS Application Control. The article is here: http://blog.fortinet.com/facebook-social-plugins-world-domination/

      Monday, May 10, 2010

      FortiManager 4.0 MR2

      After running FortiManager 4.0 MR2 for a while now it's been mostly smoothing sailing. There are some things to be aware of:

      • After FortiManager runs for extended periods of time the memory utilization goes to almost 100%. This can be fixed by a reboot
      • The "diag sys top" command is no longer implemented to view process utilization. Therefore it is difficult to understand which process is using most of the memory
      • This appears similar to an issue in early FM 4.0 MR1 releases where memory utilization would spike high also

      Tuesday, April 13, 2010

      Software Updates

      FortiOS
      •  4.0 MR2 GA, Build 272
      FortiAnalyzer
      • 4.0 MR2 GA, Build 198
       FortiManager
      • 4.0 MR2 GA, Build  336

      Friday, April 2, 2010

      FortiOS 4.0 MR2 - Initial Impressions

      Fortinet has shown once again that they continuously work on improving their products. The WEB UI has been give a complete overhaul. While the new look will certainly take some getting used to it is fairly clean and efficient. Some of the initial things I noticed:

      • Performance of the UI is better in Internet Explorer than in Firefox

      • The new UI no longer uses the edit and trashcan icons on the right. Instead you now use check boxes. One of the advantages is that it's easier to quickly remove multiple rules or objects.

        On the downside you can no longer quickly determine whether an object is in use or not by looking for the trashcan icon next to the object. If you select an object that is in use the "Delete" option stays greyed out. And if you select multiple objects (including ones that are in use) and delete them you get a warning that some elements could not be deleted. In my opinion that is a step backwards as far as usability goes. It would be nice to have a column indicating if the objects are in use or not.

        Personally I use the "trashcan indicator" frequently to weed out unused objects.
      • The release notes mention "Protection Profile Re-work". What that apparently means is that protection profiles are gone and you select individual UTM policies on a per-rule basis. This is something I spoke to the Fortinet guys about during the RSA show in early March.

        While I certainly see the intention of making rule creation more flexible it also provides a significant downside. If for example I wanted to change the UTM policies for several rules I will now have to find each rule where the UTM policy is applied and change it there. Previously I could make a change to the protection profile and it would apply to all rules which use the profile.

        A possible solution would be to have a radio button which would allow the use of a pre-defined protection profile or to let you select individual UTM policies.
      • Some of the links do not work in IE. For example in the "Top Sessions" widget on the dashboard the "Details" link does not work in Internet Explorer, no problems in Firefox. Also the link to change the operation mode on the main dashboard has this problem.
        (Funny thing I just noticed is that the "Logout" button is also broken in IE :)
      • When using the "Insert" function to add a firewall policy above an existing one there appears to be a bug in the GUI. No matter in which section I insert a policy (such as internal to DMZ) the destination interface is always set to WAN1. In the drop down box that is the only destination interface available. The workaround right now is to add a policy and then move it to the right location.
        More feedback later.

        Software Update - 4.0 MR2

        Fortinet has released FortiOS 4.0 MR2. This is a major release and below are highlights of new features from the release notes.
        I shall sink my teeth into the new version later today. However since this is a major release with lots of new features my recommendation is as usual to wait one or two patch releases before deploying to mission critical production firewalls.

        · New Web UI Design
        · Supports Dynamic Proxy Allocation
        · IS-IS Routing Protocol Support
        · WCCP Client Support
        · Explicit Proxy Improvements
        · HA Management Port Reservation
        · SSL Proxy Exemption by FortiGuard Category
        · Web 2.0 Log Viewer
        · Introduced 'grep' Capability in the CLI
        · Supports sFlow (Client)
        · Supports FortiGuard Widget on the Dashboard
        · Local Content Archive Support
        · Introduces Report Module Feature
        · HA Sub-second Failover Support
        · Enhanced Support for BGP Routing
        · Introduction of Web Filtering Quota
        · Supports ELBC Synchronization
        · Endpoint Control - Extension to Endpoint Application Detection
        · Dashboard Widget Extensions
        · Supports L2TP with IPSec
        · Skype Control Improvement
        · Supports VRRP and Link Failure Control
        · Per-IP Bandwidth Dashboard Widget
        · Improved Client Certificate Handling for SSL Inspection
        · Maximum Concurrent Users for Explicit Proxy
        · Full SIP Feature Support
        · FSAE Support Polling Domain Controllers
        · Improved DC Agent Distribution (MSI)
        · Storage Health Monitor Feature
        · Improved Disk I/O Scalability
        · Protection Profile Re-work
        · Supports Web Cache Exempt List
        · Introduction of Network Scan Feature
        · Introduction of Network Monitoring Feature
        · Supports Password Renewal for LDAP or RADIUS Users
        · Disk Management
        · Supports Extreme AV Database
        · Introduction of Flow-based AntiVirus Feature
        · Supports Diagnostic Command Lock-down
        · Configuration Revision History and Templates
        · Enhanced Customizable Web UI Feature
        · Introduces Support for Statefull SCTP Firewall

        Tuesday, March 30, 2010

        HTTP A/V Scanning breaking Web Applications

        If you are running FortiOS 4.0 MR1 at pretty much any patch level there is currently a bug which breaks or severely slows certain web applications. For example the BMC Service Desk (Magic) Ticketing systems runs VERY slow. Also certain web-based management platforms are broken completely.
        At the moment the workaround is to disable HTTP scanning in the protection profile and to not apply any DLP settings for HTTP in the UTM config.

        Fortinet has identified the root cause of this issue and a patch is scheduled to be included in FortiOS 4.0 MR1 Patch 5. Patch 5 is slated to be released towards the end of April.

        ** Update **


        From the 4.0 MR1 Patch 5 release notes:


        Description: The FortiGate may drop pipelined HTTP requests.
        Bug ID: 120936
        Status: Fixed in v4.0 MR1 - Patch Release 5.

        Wednesday, March 24, 2010

        Software Updates

        FortiOS
        • 4.0 MR1 Patch 4, Build 196
        FortiMail
        • 4.0 GA Patch 2, Build 126
        FortiCarrier
        • 4.0 MR1 Patch 4, Build 196

        Tuesday, March 23, 2010

        Fortigate GUI Problem with Firefox and Adblock Plus

        Known to be affected:
        • FortiOS 4.0 MR1
        • Adblock Plus 1.1.X
        If you are running the Adblock Plus plugin for Firefox there are problems when expanding some of the "Advanced" fields in the firewall GUI. In particular
        • Router -> Dynamic -> OSPF: The little blue triangle to expand the "Advanced Options" does not display but can be clicked if you know its location
        • VPN -> IPSEC -> Auto Key: The "Advanced" option buttons for both Phase 1 and 2 appear but do not expand the GUI when clicked.
        The current workaround I found is to simply disable Adblock Plus for a particular firewall.

        Saturday, March 20, 2010

        Software Updates

        FortiClient
        • 4.0, MR1 Patch 3, Build 143
        FortiDB
        • 4.0 GA, Patch 2, Build 004
        FortiWeb
        • 4.0 GA, Build 199

        Thursday, February 25, 2010

        Custom DHCP Options in FortiSpeak

        Sometimes it is useful to configure certain custom DHCP options in your DHCP scopes. For example to point your clients to a network time server you use DHCP option 42. Also custom DHCP options are typically used for VoIP phones to find their softswitch.

        Here are some tips for configuring these parameters properly as it is not entirely obvious. The example I am using is to point some VoIP phones to an IP PBX.
        Also see RFC2131 for the official DHCP definition.

        Address info:
        • Firewall IP: 192.168.1.1
        • TFTP Host Name (IP PBX): 192.168.1.10
        • NTP Server: 192.168.1.20
        • Phone IP Range: 192.168.1.100 - 192.168.1.200
        • FTP Username: user1 (this is for the phone to login to the IP PBX)
        • FTP Password: password1

        • Browse to System -> DHCP and create or modify an appropriate DHCP scope
        • Name: VoIP_Phone_Scope
        • IP Range: 192.168.1.100 - 192.168.1.200
        • Network Mask: 255.255.255.0
        • Default Gateway: 192.168.1.1
        • Domain: example.com
        • Click the Advanced button to expand your available options
        • IP Assignment Mode: Server IP Range
        • DNS Server 1:
        Now for the fun part, defining the custom options.
        • Option 1: Code = 42, Option = C0A80114
        • This defines the NTP Time Server (Option 42) as 192.168.1.20 (192=C0, 168=A8,1=01,20=14 in hex). You can use the Windows Calculator in scientific mode to do the decimal to hex conversion if you don't do dec to hex in your head :)
        • Option 2: Code = 66, Option = 6674703a2f2f75736572313a70617373776f726431403139322e3136382e312e3130
        How do you get this value for option 66? Simply take this string "ftp://user1:password1@192.168.1.10" which is what you need to send to the phone and run it through an ASCII to HEX converter, such as http://www.dolcevie.com/js/converter.html. Remove any %s or :s from the output and you get the correct hex string.

        You can also accomplish the above tasks via the CLI:
        • config system dhcp server
        • edit "dhcp scope name"
        • set option 1 42 C0A80114
        • set option 2 66 6674703a2f2f75736572313a70617373776f726431403139322e3136382e312e3130
        • end

        Software Updates

        FortiOS:
        • 4.0 MR1 Patch 3, Build 194

        FortiAnalyzer:
        • 4.0 MR1 Patch 3, Build 130

        FortiManager:
        • 4.0 MR1 Patch 3, Build 224

        Tuesday, January 19, 2010

        Software Updates

        FortiOS:
        • 4.0 MR1 Patch 2, Build 192
        Fortigate-One:
        • 4.0 GA Patch 4, Build 5103
        FortiAnalyzer:
        • 4.0 GA Patch 4, Build 51
        FortiMail:
        • 4.0 GA Patch 1, Build 103
        FortiDB:
        • 3.2.5, Build 23
        • 4.0 GA Patch 1, Build 003
        FortiWeb:
        • 3.0 MR3 Patch 2, Build 332

        Friday, January 8, 2010

        Problem with A/V Update Today

        Today at around 12.30pm PST Fortinet pushed out an A/V signature update that caused virtually every file to be identified as infected with the js/gumblar.gen virus. This was most likely a problem with a false positive in the signature file. Fortinet made a new signature update available by 4pm PST today which resolved the issue.

        ** Update from Fortinet **

        A false positive is discovered in our AV Database Version 11.351 on the signature JS/Gumblar.gen.
        A new version of the AV Database, version 11.352, has been release to correct this issue around 4:20 PM Pacific Time today (Friday, January 8, 2010).