From time to time Fortinet will release information on critical bugs/bug fixes that are likely to impact a large number of customers. There were 3 of these for 2012. To review them login to the Customer Service & Support Portal and click on the "Important Info".
Alternatively you can access them via this link:
https://support.fortinet.com/EndUser/Bulletin.aspx
A real world resource for Fortinet firewalls including How-Tos and Frequently Asked Questions
Monday, December 17, 2012
Tuesday, December 11, 2012
DHCP for IPv6 in FortiOS 5
FortiOS 5 adds support for RFC 3315 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)". To activate a DHCPv6 server on an interface use the following syntax:
# config system interface
# edit internal
# config ipv6
# set ip6-mode dhcp
# end
# next
# end
Finding CLI Commands
Sometimes it's handy to know which CLI commands correspond to actions you are performing in the GUI. With the following commands you can enable debugging on the console that will show you in the CLI what you're doing in the GUI.
# diag debug reset
# diag debug enable
# diag debug console
# diag debug cli 7
Here is some sample output in the CLI when adding and deleting static routes in the GUI.
0: config router static
0: edit 0
0: set device "VPN_Tunnel"
0: set dst 1.1.1.1 255.255.255.255
0: end
0: config router static
0: delete 16
0: end
Also, if you are performing an action in the GUI and you get no output on the CLI then chances are that there is no equivalent CLI command.
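The echoed commands above are also a handy change-audit trail: every GUI action that has a CLI equivalent shows up as a `config ... end` transaction. The following Python script is an added example (not part of the original post or of any Fortinet tool) that splits such console output into transactions and labels each as an add, delete or modify. It assumes the `N: command` prefix format shown above; the sample output is a constructed copy of the post's own static-route example.

```python
import re
from typing import Dict, List

# Constructed copy of the console output shown in the post: "diag debug cli 7"
# echoing a static route being added and then deleted from the GUI.
SAMPLE_DEBUG_OUTPUT = """\
0: config router static
0: edit 0
0: set device "VPN_Tunnel"
0: set dst 1.1.1.1 255.255.255.255
0: end
0: config router static
0: delete 16
0: end
"""

# Each echoed command is prefixed with a numeric tag and a colon (assumed format).
LINE_RE = re.compile(r"^\s*(\d+):\s*(.*\S)\s*$")


def parse_debug_cli(output: str) -> List[List[str]]:
    """Split echoed CLI into transactions, each running from a top-level
    'config' to the 'end' that closes it. Nested config/end pairs are
    tracked with a depth counter so they stay inside their transaction."""
    transactions: List[List[str]] = []
    current: List[str] = []
    depth = 0
    for raw in output.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # other debug noise, not an echoed command
        cmd = m.group(2)
        current.append(cmd)
        word = cmd.split()[0]
        if word == "config":
            depth += 1
        elif word == "end":
            depth -= 1
            if depth == 0:
                transactions.append(current)
                current = []
    if current:
        # Output was cut off before the closing 'end'; keep what we saw.
        transactions.append(current)
    return transactions


def summarize(transaction: List[str]) -> Dict[str, str]:
    """Describe one transaction: which table it touched and what it did."""
    first = transaction[0].split(maxsplit=1)
    table = first[1] if first[0] == "config" and len(first) > 1 else "?"
    action = "modify"
    for cmd in transaction[1:]:
        parts = cmd.split()
        if parts[0] == "delete":
            action = "delete"
            break
        if parts[0] == "edit" and len(parts) > 1 and parts[1] == "0":
            action = "add"  # 'edit 0' asks the CLI to allocate the next free id
            break
    return {"table": table, "action": action}


if __name__ == "__main__":
    for tx in parse_debug_cli(SAMPLE_DEBUG_OUTPUT):
        print(summarize(tx), tx)
```

Feeding a saved console session through `parse_debug_cli` gives you one record per GUI change, which is a cheap way to reconcile what administrators did in the GUI against your change tickets.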
Monday, December 10, 2012
External Images in Replacement Messages
If you are using web filtering and would like to host your images on an external server rather than using the built-in ones in FortiOS, here is a little code sample to make that happen.
config system replacemsg http "url-block"
set buffer "<BODY>
<center><img src=\"http://www.example.com/img/example.gif\" alt=\"Example Logo\"/> <img src=\"http://www.example.com/blocked.gif\" alt=\"Logo\"/></center>
<center><H1><FONT color=#ff0000 size=6>Access Restricted by Web Access Policy </FONT></H1></center>
<P><B><FONT size=4>The website you are trying to access has been
restricted because it does not fall within the business scope of Example Company. All websites have been categorized through third party software. The categories are generalized and the website you are attempting to access may be blocked in error. Please email <a href=\"mailto:security.operations@example.com?\"><B>Security Operations</B></a> for any questions.</FONT></B></P>
<P></P>
<div style=\"padding:10px 10px;border:1px solid black;\">
<FONT color=#ff0000 size=5><B><center>To access web-based mail, online file sharing, or internal company sites please use the browser in your Start menu.</B></center></FONT>
</div>
</BODY>"
set header http
set format html
end
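Hand-escaping every double quote inside a long HTML buffer is error-prone, and the block page's external images only render if the user's browser can reach the host serving them. The Python helper below is an added example (not from the post or from Fortinet) that turns plain HTML into a `config system replacemsg http` block with the `\"` escaping the post uses, and lists the external hosts the page depends on so you can confirm they are reachable and allowed. The sample HTML and hostnames are constructed; doubling backslashes is an assumption about the CLI's quoting rules, not something the post shows.

```python
import re
from typing import List
from urllib.parse import urlparse

# Constructed block page in the style of the post (hypothetical hosts and paths).
BLOCK_PAGE_HTML = """<BODY>
<center><img src="http://www.example.com/img/example.gif" alt="Example Logo"/></center>
<center><H1><FONT color=#ff0000 size=6>Access Restricted by Web Access Policy</FONT></H1></center>
<P>Please email <a href="mailto:security.operations@example.com"><B>Security Operations</B></a> with questions.</P>
</BODY>"""


def fortios_quote(text: str) -> str:
    """Escape a string for use inside a double-quoted FortiOS CLI value.
    Quotes become \\" as in the post; backslashes are doubled first so an
    existing backslash is not read as the start of an escape (assumption)."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def render_replacemsg(name: str, html: str, header: str = "http", fmt: str = "html") -> str:
    """Emit the 'config system replacemsg http' block for one message name."""
    return "\n".join([
        f'config system replacemsg http "{name}"',
        f'    set buffer "{fortios_quote(html)}"',
        f'    set header {header}',
        f'    set format {fmt}',
        'end',
    ])


# src= / href= attributes, single- or double-quoted.
URL_ATTR_RE = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def external_hosts(html: str) -> List[str]:
    """Hosts the browser must reach for the block page to render fully.
    Each one must itself be reachable from the client and not caught by
    the same web filter, otherwise the images show up broken."""
    hosts = set()
    for url in URL_ATTR_RE.findall(html):
        parsed = urlparse(url)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            hosts.add(parsed.hostname)
    return sorted(hosts)


if __name__ == "__main__":
    print(render_replacemsg("url-block", BLOCK_PAGE_HTML))
    print("# external hosts:", external_hosts(BLOCK_PAGE_HTML))
```

Paste the printed block into the CLI; the `external_hosts` list is the set of servers you need to keep reachable (and exempt from blocking) for the page to look right.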
Thursday, December 6, 2012
FortiAnalyzer - System Registration
If you are running FortiAnalyzer and you start feeding it logs from Fortigates they will (depending on your settings) automatically register and show up in your device view. By default they will show up in the format of "hostname_serialnumber".
If you have a hostname configured on your Fortigate but it only shows up using its serial number in FAZ, then you may be running into a versioning issue, specifically if you're using FAZ 4.1 with FortiOS 4.3 devices reporting into it.
The reason for this is that in FortiOS 4.3 the firewalls will by default try to encrypt the communication to the FortiAnalyzer which FAZ 4.1 does not understand. To work around this disable the encryption for logging to FAZ on the Fortigate using the following command:
# config log fortianalyzer setting
# set enc-algorithm disable
# end
Traffic Blocked by Policy ID 0
After upgrading to FortiOS 4.3 you may see an increase in the number of log entries displayed which mention Policy ID 0. This is generally due to more extended logging being enabled by default when upgrading to 4.3. Here are a couple of good knowledge base entries that have more info.
Technical Note : other-traffic is changed to extended-traffic-log in FortiOS 4.0MR3 and enabled by default
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33208&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=40690597&stateId=0%200%2040692421
FortiGate log information : traffic log with firewall policy of 0 (zero) "policyid=0"
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=13900&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=40690572&stateId=0%200%2040692396
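When the policyid=0 volume jumps after an upgrade, the first question is whether it is all the same kind of extended-log noise or whether something specific is hiding in it. The Python script below is an added example (not from the post or from Fortinet) that parses FortiGate's key=value traffic log lines and reports the policyid=0 entries grouped by subtype, status and destination. The log lines are constructed samples with placeholder serial numbers and documentation addresses, not captured data.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample lines in FortiGate's key=value traffic log format.
# Serial numbers, addresses and the msg text are placeholders.
SAMPLE_LOGS = [
    'date=2012-12-06 time=09:15:01 devname=FGT-EDGE device_id=FG_SERIAL_PLACEHOLDER type=traffic subtype=other pri=warning status=deny src=10.0.0.25 srcport=51234 dst=203.0.113.10 dstport=445 proto=6 policyid=0 service=445/tcp',
    'date=2012-12-06 time=09:15:02 devname=FGT-EDGE device_id=FG_SERIAL_PLACEHOLDER type=traffic subtype=allowed pri=notice status=accept src=10.0.0.31 srcport=49152 dst=198.51.100.7 dstport=443 proto=6 policyid=12 service=HTTPS',
    'date=2012-12-06 time=09:15:03 devname=FGT-EDGE device_id=FG_SERIAL_PLACEHOLDER type=traffic subtype=other pri=warning status=deny src=10.0.0.25 srcport=51235 dst=203.0.113.10 dstport=445 proto=6 policyid=0 service=445/tcp',
    'date=2012-12-06 time=09:15:04 devname=FGT-EDGE device_id=FG_SERIAL_PLACEHOLDER type=traffic subtype=other pri=warning status=deny src=192.0.2.44 srcport=40000 dst=10.0.0.1 dstport=22 proto=6 policyid=0 service=SSH',
    'date=2012-12-06 time=09:15:05 devname=FGT-EDGE device_id=FG_SERIAL_PLACEHOLDER type=traffic subtype=allowed pri=notice status=accept src=10.0.0.31 srcport=49153 dst=198.51.100.7 dstport=80 proto=6 policyid=12 service=HTTP msg="constructed sample"',
]

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    rec: Dict[str, str] = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    return rec


def policy_zero_report(lines: Iterable[str]) -> Dict[str, object]:
    """Count traffic records and break the policyid=0 ones down so that
    repetitive extended-log noise and one-off destinations are easy to tell apart."""
    total = 0
    policy0: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") != "traffic":
            continue  # only traffic logs carry a policyid worth counting
        total += 1
        if rec.get("policyid") == "0":
            policy0.append(rec)
    return {
        "total": total,
        "policy0": len(policy0),
        "by_subtype": Counter(r.get("subtype", "?") for r in policy0),
        "by_status": Counter(r.get("status", "?") for r in policy0),
        "by_destination": Counter(
            (r.get("dst"), r.get("dstport"), r.get("proto")) for r in policy0
        ),
    }


if __name__ == "__main__":
    report = policy_zero_report(SAMPLE_LOGS)
    print(f"{report['policy0']} of {report['total']} traffic records have policyid=0")
    for (dst, port, proto), n in report["by_destination"].most_common():
        print(f"  {n:>4}  dst={dst} dstport={port} proto={proto}")
```

Run it over a day's export from FortiAnalyzer or syslog: a destination that appears once is worth a look, while a destination that appears thousands of times with the same subtype is usually the extended-logging behaviour the KB articles describe and a candidate for tuning.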
Wednesday, December 5, 2012
Maximizing Performance with NPU Port Mappings
To get the most performance out of NPU accelerated ports you should keep traffic on the same NPU.
For example if most of your traffic is between your external and your DMZ interfaces (you are hosting a lot of web servers?) you should make sure this traffic remains on the same NPU.
To figure out which port is assigned to which NPU use the following command:
# get hardware npu <model> list
So if you have a model with NP4s use
# get hardware npu np4 list
Your output will be similar to the one below depending on your model firewall.
In the below example you might want to connect port25 to the Internet and port26 to the DMZ to keep that traffic on a single NPU.
# get hardware npu np4 list
ID  Model     Slot  Interface
0   On-board        port1  port2  port3  port4
                    port5  port6  port7  port8
                    port9  port10 port11 port12
                    port13 port14 port15 port16
                    port17 port18 port19 port20
                    port21 port22 port23 port24
1   On-board        port25 port26 port27 port28
                    port29 port30 port31 port32
                    port33 port34 port35 port36
                    port37 port38
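On a box with 38 ports, checking by eye which interface pairs stay on one NPU gets tedious. The Python script below is an added example (not from the post or from Fortinet) that parses the `get hardware npu np4 list` output into an interface-to-NPU map and then checks a list of source/destination interface pairs, as you would have them in your policies, for whether both sides sit on the same NPU. The sample output is a constructed copy of the listing above; the policy pairs are hypothetical.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed copy of the NP4 listing shown in the post (not a live capture).
NP4_LIST_OUTPUT = """\
ID Model Slot Interface
0 On-board port1 port2 port3 port4
 port5 port6 port7 port8
 port9 port10 port11 port12
 port13 port14 port15 port16
 port17 port18 port19 port20
 port21 port22 port23 port24
1 On-board port25 port26 port27 port28
 port29 port30 port31 port32
 port33 port34 port35 port36
 port37 port38
"""

PORT_RE = re.compile(r"^port\d+$")


def parse_npu_list(output: str) -> Dict[str, int]:
    """Map each interface name to the NPU id that owns it.

    A line beginning with an integer starts a new NPU; continuation lines
    carry only interface names and belong to the most recent NPU."""
    port_to_npu: Dict[str, int] = {}
    current_npu: Optional[int] = None
    for raw in output.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "ID":
            continue  # blank line or column header
        if tokens[0].isdigit():
            current_npu = int(tokens[0])
        if current_npu is None:
            raise ValueError(f"interface list before any NPU id: {raw!r}")
        for tok in tokens:
            if PORT_RE.match(tok):
                port_to_npu[tok] = current_npu
    return port_to_npu


def check_policy_paths(
    port_to_npu: Dict[str, int], pairs: Iterable[Tuple[str, str]]
) -> List[Tuple[str, str, Optional[bool]]]:
    """For each (src, dst) interface pair report True if both are on one
    NPU, False if they straddle two, None if an interface is not NPU-backed."""
    results: List[Tuple[str, str, Optional[bool]]] = []
    for src, dst in pairs:
        a, b = port_to_npu.get(src), port_to_npu.get(dst)
        same = None if a is None or b is None else a == b
        results.append((src, dst, same))
    return results


if __name__ == "__main__":
    mapping = parse_npu_list(NP4_LIST_OUTPUT)
    # Hypothetical policy interface pairs: Internet->DMZ as suggested in the
    # post, plus one cross-NPU pair and one non-NPU interface.
    for src, dst, same in check_policy_paths(
        mapping, [("port25", "port26"), ("port1", "port25"), ("port1", "wan1")]
    ):
        verdict = {True: "same NPU", False: "crosses NPUs", None: "unknown"}[same]
        print(f"{src} -> {dst}: {verdict}")
```

Point `parse_npu_list` at the real command output for your model and feed it your policy source/destination interface pairs; anything reported as crossing NPUs is a candidate for re-cabling onto ports of the same NPU.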