I recently had the chance to work with Fabrizio on a new book he was writing. Go ahead and check it out. Yours truly served as a technical reviewer :)
Getting Started with FortiGate
A real world resource for Fortinet firewalls including How-Tos and Frequently Asked Questions
Tuesday, December 24, 2013
Thursday, December 5, 2013
Get a 'grep' on your config
I search configs a lot via the CLI. This saves time and sometimes downloading a config and searching it in Notepad++ is not an option.
When looking for particular pieces of a config you can use the UNIX style "grep" command to filter output, for example:
# show | grep 192.168.1.99
set ip 192.168.1.99 255.255.255.0
Great. Now we know that there is a line that contains the IP address. But where in the config is it? In FortiOS 5.0 the "FortiOS context" switch was introduced which helps in tracking this down.
# show | grep -f 192.168.1.99
config system interface
edit "port10"
set vdom "root"
set ip 192.168.1.99 255.255.255.0 <---
set type physical
set snmp-index 10
next
end
Notice that when using the -f switch the firewall shows the entire "context" that the string is used in. There is also a handy little arrow on the right which points out where in the context the string exists.
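If you only have a saved config dump (no live CLI), the same context search can be reproduced offline. This is an added example, not the blog's or Fortinet's code: the hypothetical functions parse, keep_context and grep_context nest the config/edit ... next/end blocks and, like "grep -f", return the whole innermost block around each hit (marked with the arrow) plus only the headers of the blocks enclosing it. The sample config is constructed and assumed to be a well-formed dump.

```python
import re
# Constructed sample of a FortiOS "show" dump (not captured from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 10.1.1.1 255.255.255.0
    next
    edit "port10"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end
"""

def parse(lines):
    """Nest config/edit ... end/next blocks as lists: [header, items..., footer]."""
    root, stack = [], []
    for line in lines:
        word = line.strip().split(" ", 1)[0]
        target = stack[-1] if stack else root
        if word in ("config", "edit"):             # open a nested block
            target.append([line])
            stack.append(target[-1])
        else:
            target.append(line)
            if word in ("end", "next") and stack:  # footer closes the block
                stack.pop()
    return root

def keep_context(block, regex, marker):
    """Whole innermost block holding a match, only header/footer of enclosing ones."""
    header, *body, footer = block
    direct_hit = any(isinstance(x, str) and regex.search(x) for x in body)
    kept = []
    for item in body:
        if isinstance(item, list):
            kept.extend(keep_context(item, regex, marker))
        elif regex.search(item):
            kept.append(item + marker)    # pointer to the hit, as FortiOS prints it
        elif direct_hit:
            kept.append(item)             # sibling lines provide the context
    return [header, *kept, footer] if kept else []

def grep_context(config_text, pattern, marker=" <---"):
    """Emulate 'show | grep -f PATTERN' on a saved config dump."""
    regex = re.compile(pattern)
    out = []
    for block in parse(config_text.splitlines()):
        if isinstance(block, list):       # stray lines outside any block are skipped
            out.extend(keep_context(block, regex, marker))
    return "\n".join(out)
```

Searching for "192.168.1.99" returns only the "port10" entry wrapped in its "config system interface" block; searching for "set ip" returns both entries, each with its own arrow.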
Monday, September 30, 2013
The Mad Scientist's Lab
From time to time I need to setup lab devices to troubleshoot particular scenarios. Since it is pretty impractical to have "one of each" I use a lot of virtualization technology for this. Here are some handy pointers if you have ever wanted to setup your own lab to test things out.
VMware vSphere Hypervisor
http://www.vmware.com/products/vsphere-hypervisor/
VMware ESXi is the free version of the popular hypervisor. You can load this on most any hardware and have a system ready to host your virtual lab setup in minutes.
Fortigate / FortiAnalyzer / FortiManager
http://support.fortinet.com
These and an increasing number of other Fortinet products are available in a VMware version. Head on over to the support site, look for the firmware images section and get yourself a copy. They are valid for 14 days as an evaluation version. Note that FortiOS is limited to a single VDOM when in eval mode.
Vyatta Router
http://www.vyatta.org
To make things more realistic I tend to throw a router in between two firewalls. Vyatta has a free version of their routing software available which runs nicely inside the ESXi hypervisor. Their CLI is very JunOS-like, so if you're already familiar with Juniper gear that helps immensely. It's significantly different from Cisco's IOS but well worth jumping into.
Thursday, September 12, 2013
Abort - Abort - Abort
Ever found yourself editing a config via the command line and you just noticed that you made a mistake? Wouldn't it be nice to not have to change everything back to the way it was before you commit with "next" or "end"? Simply use the "abort" command and it will kick you straight back to the main menu without making any changes.
Friday, September 6, 2013
Wireless Mesh Gotcha
FortiAP wireless access points have the ability to create a full mesh. This is a pretty nifty feature as described in the FortiOS Wireless Deployment Guide:
The access points of a WiFi network are usually connected to the WiFi controller through Ethernet wiring. A wireless mesh eliminates the need for Ethernet wiring by connecting WiFi access points to the controller by radio. This is useful where installation of Ethernet wiring is impractical.
The AP that is connected to the network by Ethernet is called the Mesh Root node. It is configured with an SSID (also called a virtual access point or VAP) dedicated to backhaul communication with the remote FortiAP units. The backhaul SSID carries CAPWAP discovery, configuration, and other communications that would usually be carried on an Ethernet connection. Regular WiFi clients cannot connect to the backhaul SSID. They connect to the regular SSIDs carried on the access points.
The root node can be a FortiAP unit or the built-in AP of a FortiWiFi unit. APs that serve only regular WiFi clients are called Leaf nodes. Leaf APs that also carry the mesh SSID for more distant Leaf nodes are called Leaf/branch nodes.
In other words you can have the APs all wirelessly connected to each other and APs that are not wired into the network can backhaul their traffic via other APs. The requirement is that at least one of the APs in the chain is hard-wired to the network.
A small gotcha is that by default the wireless mesh uses its own internal IP addressing scheme. The default IP address for the full-mesh interface is 192.168.3.99/24. I found this out the hard way because I have a VPN tunnel to a remote network which also uses 192.168.3.x/24. Looking at the routing table it was easy to see why I could no longer reach the remote VPN network after I had set up my new wireless access points.
FGT # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
S *> 0.0.0.0/0 [5/0] via 1.2.3.4, wan1
C *> 10.1.1.0/24 is directly connected, Internal
S * 192.168.3.0/24 [1/0] is directly connected, FW_VPN_2_0
C *> 192.168.3.0/24 is directly connected, wl.mesh
There are two routes available in the routing database to 192.168.3.0/24; the ">" in front of a route shows which one has been selected as the active route. Simply changing the network of the mesh interface to something like 192.168.254.99/24 will resolve the issue. This can be done in the GUI via "System -> Network -> Interfaces".
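The same check can be scripted against the saved output of "get router info routing-table database", so the overlap is caught before the VPN goes dark. This is an added example, not the blog's code: the hypothetical functions parse_routes, conflicting_prefixes, active_iface and mesh_address_is_safe find prefixes claimed by more than one route, report which one the FIB selected, and test whether a proposed mesh address (such as 192.168.254.99/24) collides with any existing prefix. The route database text is constructed to mirror the scenario above.

```python
import re
from ipaddress import ip_interface, ip_network

# Constructed sample of "get router info routing-table database" output, modelled
# on the overlap above (mesh interface defaulting into a VPN's subnet).
ROUTE_DB = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       > - selected route, * - FIB route, p - stale info

S *> 0.0.0.0/0 [5/0] via 1.2.3.4, wan1
C *> 10.1.1.0/24 is directly connected, Internal
S * 192.168.3.0/24 [1/0] is directly connected, FW_VPN_2_0
C *> 192.168.3.0/24 is directly connected, wl.mesh
"""

def parse_routes(text):
    """Turn route lines into dicts; legend and blank lines do not match and are skipped."""
    routes = []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\*?>?)\s*(\S+/\d+)\s+.*,\s*(\S+)$", line)
        if m:
            code, flags, prefix, iface = m.groups()
            routes.append({"code": code, "selected": ">" in flags,
                           "prefix": ip_network(prefix, strict=False), "iface": iface})
    return routes

def conflicting_prefixes(routes):
    """Prefixes claimed by more than one route, e.g. a VPN and the mesh interface."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r["prefix"], []).append(r)
    return {p: rs for p, rs in by_prefix.items() if len(rs) > 1}

def active_iface(routes, prefix):
    """Interface the FIB actually uses for a prefix (the '>' route), or None."""
    for r in routes:
        if r["prefix"] == ip_network(prefix, strict=False) and r["selected"]:
            return r["iface"]
    return None

def mesh_address_is_safe(candidate, routes, mesh_iface="wl.mesh"):
    """True if a proposed mesh address (e.g. 192.168.254.99/24) overlaps no prefix
    reached through another interface; the default route is ignored."""
    net = ip_interface(candidate).network
    return not any(r["prefix"].overlaps(net) for r in routes
                   if r["iface"] != mesh_iface and r["prefix"].prefixlen > 0)
```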
Friday, August 30, 2013
Backing up the entire config with VDOMs enabled
When you have Virtual Domains (VDOMs) enabled on a Fortigate and you want to create a backup from the command line make sure you use the following command:
#config global
#exec backup full-configuration
Using "exec backup config" will only backup your current context, i.e. Global or the current VDOM.
Thursday, February 28, 2013
Enhanced Single Sign-On to Windows AD in FortiOS 5.0
FortiOS 5.0 brings with it an enhancement to how single sign-on can be performed in a Microsoft Active Directory environment.
In prior versions of FortiOS, agent software was needed on either a Domain Controller or a Member Server. There was a lot of push back, since many IT admins were not comfortable running third-party software on their critical AD servers. FortiOS 5.0 allows the firewalls to directly query the AD global catalog and event logs, so the agents are now optional.
When a Windows AD user logs on at a workstation in a monitored domain, the FortiGate unit:
- detects the logon event in the domain controller’s event log and records the workstation name, domain, and user
- resolves the workstation name to an IP address
- uses the domain controller’s LDAP server to determine which groups the user belongs to
- creates one or more log entries on the FortiGate unit for this logon event as appropriate
(From the FortiOS 5.0 Authentication Guide)
Wednesday, February 13, 2013
Software Updates
Here's the latest and greatest.
FortiOS: 4.0 MR3 Patch 12, Build 656 (Just released)
(stable, recommended for production)
FortiOS: 5.0.1, Build 147
(recommended for limited deployment in production if you need cutting edge features)
Friday, January 25, 2013
FortiOS Cookbook
Here's a great guide for new Fortinet Admins. Updated for FortiOS 5 and with a yummy picture of FortiCake on the front :)
http://docs.fortinet.com/cookbook.html