Check the High Availability state

to get the High Availability state info with get command:

myfirewall1#getsyshastatus

tocreateanewfirewallpolicy

configfirewallpolicy
edit1
setsrcintfinternal
setdstintfwan1
setsrcaddrall
setdstaddrall
setactionaccept
setschedulealways
setserviceANY
setnatenable
next
end

myfirewall1#showfullconfigurationsystemha
with the diagnose command the state again:
myfirewall1#diagnosesyshastatusHAinformationStatistics

myfirewall1#diagnosehardwaredeviceinfonicinternal

4.0 VPN Troubleshooting

The most significant part for vpn is the time on the devices. The check the time use the
following command:
myfirewall1#getsysstatus

Change the tunnel state

Bring up a vpn tunnel manually. No traffic required.
myfirewall#diagvpntunnelupphase2namephase1name
Shut down a vpn tunnel manually.
myfirewall#diagvpntunneldownphase2namephase1name

Check the tunnel state

If there is no SA that means the tunnel is down and does not work. To see if the tunnel is up
we need to check if any SA exist.
To see if the tunnel is up you can use the diagnose vpn tunnel list name or diagnose vpn
tunnel dumpsa command.
Tunnel state is down
Tunnel does not exist if there is no output of the commands below:

myfirewall1#diagnosevpntunnellistnamemyphase1listipsec
tunnelbynamesinvd0
with the dumpsa command:
myfirewall1#diagvpntunneldumpsa
The output of the command below shows zero sa (no security association)
myfirewall3#diagnosevpntunnelstat

Tunnel state is up
Informations from the output of the command below:
vpn peers
encrypted traffic (source and destination)
traffic counters for encrypted traffic
SPI for encrypt and decrypt
Encryption method
In the following output the second tunnel with the name fortigw-311b-wlan-ph2 is down.
with the diagnose command:
myfirewall1#diagnosevpntunnelstat

Check packet counters for the tunnel

To see if the encryption and decryption of the packages works use 2 or more times the
diagnose vpn ipsec status or the diagnose vpn tunnel list command and compare the values.
On the second and third outputs the counter should show larger number.
myfirewall1#diagvpntunnellist

5.0 sniffertrace
The basic command is diagnose sniffer packet, after that you have to define the interface*
(or the keyword any):
myfirewall1#diagnosesnifferpacketthenetworkinterface
tosniff(or"any")
*Looks like you cannot filter explicitly on tunnel interface, you have to use any in that case
and define a filter string.
And the tcpdump like filter string (or the keyword none):
myfirewall1#diagnosesnifferpacketany
diagnosesnifferpacketport1

6.0 View logging on cli

There are some fields that you wont ever see in webui as in the column setting you cannot
choose them. Just an example for this is a false pre-shared key, the field that tells you what
the problem is, called error_reason.
The buffer size is limited and if the buffer is full the old logs will be overwritten.
To check your buffer size issue the following command:
myfirewall#getlogmemoryglobalsetting

Configure logging
To view the logs on the CLI issue the following commands (it is better to use a syslog server as
checking the logs from memory, it is slow).
myfirewall#executelogfilterdevicememory
myfirewall#executelogfilterstartline1
myfirewall#executelogfilterviewlines10

myfirewall#executelogfiltercategoryevent
Check if that is correct for you.
myfirewall#executelogfilterdump

7.0 Backup and Restore

Backup command with tftp server:
myfirewall#executebackupfullconfigtftp<fullconfig
filename><tftpserverip>
With an example:
myfirewall1#executebackupfullconfigtftp
myfirewall1_full_config192.168.1.1
Restore command with tftp server:
myfirewall#executerestoreconfigtftp<fullconfigfilename>
<tftpserverip>
Example Restore:
myfirewall1#executerestoreconfigtftp
myfirewall1_full_config192.168.1.1

diagnose hardware deviceinfo nic

Equivalent to show interface

diagnose system session list

Show the excisting translations

diagnose system session clear

Clears all xlate/translations

diagnose ip arp list

Shows the arp table of connected hosts

diagnose system top

Show System Processes running with PIDs

diagnose system kill 9 <id>

Kill the specific PID

diag test auth ldap <server_name> <username> <password>

Ldap test query from the Forti to the AD

diag debug enable This will enable debug logging

diag debug disable This will turn off debug logging
diag debug reset This will reset the debug logging
diag debug flow show console enable This will output the debug logs to the CLI
screen so they can been seen
diag debug flow filter addr <IP address> This will show the flow of traffic from a
particular IP address
diag debug flow filter clear This will clear the logs for any flow filter debug command
Lets say you wanted to see if a particular node was sending pings successfully on any
interface:
diag sniffer packet any icmp and host x.x.x.x 4 If pings are successfully hitting the
appropriate interface, you will see the output on the CLI console

Use diagnose sniffer packet commands to capture packets traversing the Fortigate firewall.
diagnose sniffer packet <interface> <filter-argument> <debug level> <packet-count>

Interface: specify ingress or egress flow interface or just any port

use filter to specify source and destination ip/port
use packet-count to specify how many packets to capture
debug level is 1 to 6 (6 more detailed)

Examples:

1. capture all traffic from host 192.168.1.10

1
2 diagnose sniffer packet any "host 192.168.1.10" 2
3

1.

capture all UDP port 53 from and to host 192.168.1.10

1
2 diagnose sniffer packet port2 "udp and port 53 host 192.168.1.10" 5
3

1.

capture all SSH traffic from and to host 192.168.1.10/15

1
diagnose sniffer packet any host 192.168.1.10 or host 192.168.1.15 and tcp port 22
2
<b>4</b>
3

1.

capture all http traffic from host 192.168.1.10 towards 192.168.2.10

1
diagnose sniffer packet internal src host 192.168.1.10 and dst host 192.168.2.10 and
2
port 80
3

DIAGNOSE SYSTEM SESSION COMMANDS:

Use diagnose system session commands to show all sessions and translations on the
fortigate platform.
diagnose system session filter <filter-argument > : filter session based on destination
diagnose system session list : show sessions
diagnose system session clear : clear filter

DIAGNOSE DEBUG FLOW COMMANDS:

Use diagnose debug flow commands to verify how traffic is being accepted or denied by a
security policy:
diagnose debug enable
diagnose debug flow show console enable
diagnose debug flow filter host x.x.x.x
diagnose debug flow show function-name enable
diagnose debug flow trace start N : (where N is the number of flow to show)

Output example:

1
id=36871 trace_id=1132 msg="vd-root received a packet(proto=17, 10.10.20.30:10292
192.168.110.11:161) from internal."
3
id=36871 trace_id=1132 msg="allocate a new session-00012042"
4
id=36871 trace_id=1132 msg="find a route: gw-172.20.120.2 via wan1"
5
id=36871 trace_id=1132 msg="find SNAT: IP-172.20.120.230, port-54409"
6
id=36871 trace_id=1132 msg="Allowed by Policy-5: SNAT"
7
id=36871 trace_id=1132 msg="SNAT 10.10.20.30->172.20.120.230:54409"
8

executelogfilterdump
execute
logfilter
startline
1
execute
Change
logfilter
sthe
view
log
lines
display
100
settings
execute
logfilter
max
checklin
es50000
execute Setsthe
logfilter log
category display
0
categor
yas
Traffic
.
Replace
"0"with
the
desired
categor
yfor
which
logis
required

Displaysthecurrentlogdisplaysettings

category:traffic
device:disk
startline:15
viewlines:50
maxchecklines:1000

SetsthestartlinetoLine1
Setsthenumberoflinestobedisplayedas100
Setsthenumberoflinestobecheckedas50000

Availablecategories:
16:netscan
10:applicationcontrol
9:dlp
6:content
5:spam
4:ids
3:webfilter
2:virus
1:event
0:traffic

Displays the
log based
execute log display on the
configured
settings

get system ha

Displays the FORTIGATE-FW-1 #

Within a cluster, to de

status

high

status" to know the se

get system ha

status
Model: 300
Mode: a-p
Group: 0
Debug: 0
ses_pickup: enable,
ses_pickup_delay=di
sable
availability
status of
the
Fortigate
firewall.

Master:150
FORTIGATE-FW-1 AB5KB3D10700369 1
Slave :200
FORTIGATE-FW-2 AB5KB3D10800490 0
number of vcluster:
1
vcluster 1: work
169.254.0.1
Master:0 AB5KB3D10700369
Slave :1 AB5KB3D10800490

get vpn ssl settings Displays the sslvpn-enable :

SSL VPN

enable

settings

sslv3 : enable
dns-server1 :
10.1.1.1
dns-server2 :
10.1.1.2
route-sourceinterface: disable
reqclientcert :
disable
sslv2 : disable
force-two-factorauth: disable

status" (shown below

force-utf8-login :
disable
allow-unsafe-legacyrenegotiation:
disable
servercert : self-sign
algorithm : default
idle-timeout : 300
auth-timeout :
28800
tunnel-ip-pools:
== [ SSL-VPNPOOL ]
name: SSL-VPNPOOL
wins-server1 :
0.0.0.0
wins-server2 :
0.0.0.0
url-obscuration :
disable
http-compression :
disable
port : 443

show firewall vip

Displays the config firewall vip

virtual IP

edit

configuratio vip_172.16.1.50
n

set extip
200.1.1.10
set extintf
port10
set mappedip

172.16.1.50
next
end

config vpn ipsec

phase1-interface
edit test_vpn
set interface
port10
set dhgrp 2
set keylife 3600
set proposal
3des-sha1 aes128sha1
Shows the
phase 1

set authmethod
psk

show vpn ipsec

interfaces

set dpd disable

phase1-interface

configured

set ike-version 1

for IPSec

set ip-version 4

VPN tunnel

set keepalive 10
set mode main
set nattraversal
enable
set remote-gw
172.16.1.50
set psksecret
ENC
ASDavbdgfadfadf
next
end

show vpn ipsec

Shows the

config vpn ipsec

phase2-interface
edit
test_vpn_phase2
set phase1name
test_vpn
set proposal
3des-sha1 aes128sha1
set keepalive
phase 2
phase2-interface

enable

interfaces

set pfs enable

configured

set src-addr-type

for IPSec

ip

VPN tunnel

set dst-addr-type
ip
set
keylifeseconds 3600
set src-start-ip
172.16.1.10
set dst-start-ip
172.16.1.100
next
end

diagnose vpn tunnel

up

Activates

This command manua

the phase 2
tunnel

Example: diagnose vp

The commands below can be used to configure syslog for Fortinet

config
unset
set
set
set

log

syslogd
status
port
server

setting
override
enable
1300
10.20.30.1

set
set
set
end

csv
reliable
facility

enable
disable
local7

Firewall policy commands

3) Open a command prompt on your machine and ping a web address, example: ping
8.8.8.8
4) Review the output on the FortiGate CLI
5) Youll see various information about which connection youre using along with the Policy
ID.
Step 2 Reviewing the Firewall Policy ID
1) Go to the Policy section of your FortiGate
2) Right click the Column Bar and verify ID is selected. Seq.# is not the Policy ID.
3) You can filter the ID for your specific # or go down the list to identify the Policy ID you
found in Step 1.
he IPS engine can be restarted & updated from the CLI by executing the below commands.
You may want to restart the IPS engine if it crashes or to reduce CPU usage.
1.

Log into the CLI

2.

Restart the ipsmonitor application

3.

diag test application ipsmonitor 99

Update the ipsengine


4.

exec update-ips

Check running processes for ipsengine

diagnose sys top

A null route or blackhole route is a network route that goes nowhere. Matching packets are
dropped rather than forwarded.
Null routes are often used on high-performance core routes to mitigate large-scale denialof-service attacks before the packets reach a bottleneck. There is virtually no performance
impact which is why this is commonly used.
Blackhole filtering can also be abused by malicious attackers on compromised routers to
filter out traffic destined to a certain address.
Enabling blackhole or null route is only available through the CLI of a FortiGate.
Steps to enable a blackhole route:
1.

Connect to the CLI

2.

Enter the static route configuration:

A.

3.

config router static

Create a new entry

A.

edit next available # in sequence

4.

Enable blackhole

5.

Set Distance

A.
A.
6.

set blackhole enable

set distance 100

Configure IP address youd like to block

A.

set dst ip address mask

SSL Inspection inadvertently blocks Citrix screen sharing sessions like Gotomeeting and
Gotoassist. This behavior is experienced when SSL Inspection is turned on in the Web
Filtering UTM Control & the firewall policy.
A workaround can be implemented to allow these sessions to connect. Version 5.2 of
FortiOS is revamping the way SSL Inspection is handled and this should not be needed if
you are running 5.2.
Follow the below steps for versions prior to 5.2.
Steps
1) Go to Security Profiles > Web Filter > Profiles, select your Web Filter profile.
2) Turn on Enable Web Site Filter
3) Add two new wild car entries. You are telling the FortiGate to bypass UTM filtering for
any web pages that contain gotomeeting or citrixonline in its name.

FortiGate Safely Restarting a HA

Cluster
Your FortiGate units should be restarted regularly to ensure stability and maintain
performance.
You can safely restart a FortiGate HA Cluster by following the below steps:
Restarting the Master
1) Connect to the CLI
2) run exec reboot This will restart the Master.
Restarting the Slave
1) Connect to the CLI
2) Execute the below commands
# exec ha manage (id of slave) This is to switch to the slave, press ?/tab to check
options and choose the slave unit.
get sys status This is to check whether you are in the Slave or Master
exec reboot
Tips
1) Take a fresh backup of your config file prior to restarting.
2) Restart your FortiGate before a Firmware Upgrade to ensure a smooth upgrade.
3) Configure temporary out of band access to the unit if you are restarting remotely.

FortiGate SSL VPN: DNS Resolution

The key to a smoother user experience is to add the DNS Suffix into the SSL VPN
configuration. This will allow access to resources without having to know the Fully Qualified
Domain Name (FQDN).
The below steps outlines how you can enable DNS Resolution across a FortiGate SSL VPN
Connection.

Step 1
Set the DNS Server IP Addresses in the Advanced settings of the SSL VPN Config.

Step 2
Launch the CLI and enter the following commands to add a DNS Suffix to the VPN Config:

config vpn ssl settings

set dns-suffix suffix.com
end

Step 3
Connect to your SSL VPN connection and verify you can ping hosts without requiring the
FQDN.

Happy Connecting!!

FortiGate UTM Troubleshooting: Slow

or Blocked Web Pages

Turning on various UTM features on a FortiGate unit may inadvertently increase latency or
block access to certain webpages.
Websites are becoming increasingly integrated with Social Media, File Sharing Services and
other categories which could be blocked by your security policy.
The below steps demonstrate how you can use the debugging tools in Internet Explorer to
diagnose slow loading web pages.

Step 1
Launch Internet Explorer and press F12 to open the Developer Tools. A box will appear at
the bottom of IE.

Step 2
Select the Network Tab and click Start Capturing. This will capture all network activity that
occurs when visiting a web page.
Step 3
Navigate to the website you are trying to diagnose and launch the page. You should
immediately start seeing data in the capture field. URLs with a result of Pending instead
of Get usually points to it being blocked or intercepted. The Timing tab illustrates which
sections of the web page took the longest to load and its latency.
In the example below we are navigating to www.cnn.com. Social Media is blocked on the
FortiGate Unit. You can see that the Facebook connections are in the pending state due
to it being intercepted by the FortiGate.

Following the above steps will help you diagnose these issues very quickly and add
exception rules to enhance user experience!
Happy capturing!

FortiGate URL Filtering: Exempt vs.

Allow vs. Monitor vs. Block
URL Filtering is a powerful feature on a FortiGate Firewall to prevent users from visiting
dangerous or inappropriate web sites. The 4 options available to filter a website is
explained below.
Block
Prevents users from accessing the website by delivering a warning message when access is
denied.
Allow
Allows user to access a certain website. Traffic is passed on to additional Fortinet security
functions for inspection as needed.
Monitor
Allows users to access a certain website. Web site traffic is allowed to bypass additional
Fortinet security functions. A log message will be generated each time a matching traffic
session is established.
Exempt

Allows a user to access a certain website. Web site traffic is allowed to bypass additional
Fortinet security functions. Exempt bypasses the entire URL connection and does not
require re-scanning while the connection remains open.
Example URL Filter Entry: www.domain.com
www.domain.com Passed without scanning
www.domain.com/page2 Passed without scanning
www.domain.com/virus.zip Passed without scanning
Recommendations

Use Monitor when you are unsure if Exempt is needed.

Use Exempt only if you trust the content of the site you exempt, otherwise there
may be a security risk.

Allow, Block, Exempt, Fortigate, Fortinet, Monitor, URL Filtering, UTM

FortiGate HA: Active-Active vs. ActivePassive

Posted on April 12, 2014 by Nawaz Alli in Fortinet 4 Comments

There are two modes available to you when configuring HA for a FortiGate Cluster, ActiveActive or Active-Passive. The section below outlines the main differences between the two
modes.
Active-Active

Load balances UTM (Antivirus, IPS, Web Filtering, etc.) packets between all cluster
units. This can lead to overall improvement in UTM performance by sharing the
processing load among the cluster units.
The following sessions are processed by the primary unit & not load balanced: UDP,
ICMP, Multicast, Broadcast, VoIP, IM, P2P, IPSEC VPN, HTTPS, SSL VPN, HTTP
Multiplexing, SSL Offloading, WAN Optimization, Explicit Web Proxy & WCCP
sessions.
TCP traffic is not load balanced by default. It is recommended to test this setting in
your environment as it may degrade performance rather than increase. The
overhead required to load balance TCP traffic is as much as just processing it.
If the primary unit fails, the other unit negotiates and becomes the primary unit.
The remaining unit continues to function as the primary unit, maintaining the HA
virtual MAC address for all of its interfaces.
Session failover is provided for all TCP sessions except UTM, UDP, ICMP, Multicast &
Broadcast sessions. This requires Session Pickup to be turned on.

Active-Passive

All traffic is processed by the primary FortiGate unit.

Provides Hot Standby failover protection
Does not process communication sessions, the configuration is synchronized with
the primary unit.
Can be a more robust session failover solution than Active-Active by handling the
failover of UDP, ICMP, Multicast & Broadcast sessions better. This is very condition
specific. The cluster does not specifically support failover of these packets.

Recommendations

Utilize Active-Active mode if you are utilizing UTM features.

Utilize Active-Passive mode if you are not utilizing UTM features.
Utilize Session Failover to maintain TCP, SIP & IPsec VPN sessions after a failure

Unit in Active-Passive Mode