To create a new firewall policy:

    config firewall policy
        edit 1
            set srcintf internal
            set dstintf wan1
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
            set nat enable
        next
    end

Note that this policy accepts any source to any destination on any service; it is the permissive starting point, not a policy to leave in production. Restrict srcaddr, dstaddr and service to what is needed and enable traffic logging on it.
myfirewall1 # show full-configuration system ha

Check the state again with the diagnose command:

myfirewall1 # diagnose sys ha status
HA information
Statistics
myfirewall1 # diagnose hardware deviceinfo nic internal
myfirewall1 # diagnose vpn tunnel list name myphase1
list ipsec tunnel by names in vd 0

With the dumpsa command:

myfirewall1 # diag vpn tunnel dumpsa
The output of the command below shows zero SAs (no security association):

myfirewall3 # diagnose vpn tunnel stat

Tunnel state is up.
Information in the output of the command below:

- VPN peers
- encrypted traffic (source and destination)
- traffic counters for encrypted traffic
- SPI for encrypt and decrypt
- encryption method
In the following output the second tunnel, named fortigw-311b-wlan-ph2, is down. With the diagnose command:

myfirewall1 # diagnose vpn tunnel stat
5.0 Sniffer trace

The basic command is diagnose sniffer packet; after that you have to define the interface* (or the keyword any):

myfirewall1 # diagnose sniffer packet <the network interface to sniff (or "any")>

* It looks like you cannot filter explicitly on a tunnel interface; you have to use any in that case and define a filter string.

Then the tcpdump-like filter string (or the keyword none):

myfirewall1 # diagnose sniffer packet any
myfirewall1 # diagnose sniffer packet port1
Configure logging

To view the logs on the CLI issue the following commands (it is better to use a syslog server, as checking the logs from memory is slow).

myfirewall # execute log filter device memory
myfirewall # execute log filter start-line 1
myfirewall # execute log filter view-lines 10
myfirewall # execute log filter category event

Check that the filter is correct for you:

myfirewall # execute log filter dump
Use diagnose sniffer packet commands to capture packets traversing the FortiGate firewall.

diagnose sniffer packet <interface> <filter-argument> <verbosity level> <packet-count>

Examples:

diagnose sniffer packet port2 "udp and port 53 and host 192.168.1.10" 5

diagnose sniffer packet any "host 192.168.1.10 or host 192.168.1.15 and tcp port 22" 4

diagnose sniffer packet internal "src host 192.168.1.10 and dst host 192.168.2.10 and port 80"

Verbosity 4 (as in the second example) prints the interface name on every line, which is what you want when sniffing on any.
Output example (this is diagnose debug flow output rather than sniffer output; it shows the route lookup, the SNAT choice and the policy that allowed the packet):

id=36871 trace_id=1132 msg="vd-root received a packet(proto=17, 10.10.20.30:10292->192.168.110.11:161) from internal."
id=36871 trace_id=1132 msg="allocate a new session-00012042"
id=36871 trace_id=1132 msg="find a route: gw-172.20.120.2 via wan1"
id=36871 trace_id=1132 msg="find SNAT: IP-172.20.120.230, port-54409"
id=36871 trace_id=1132 msg="Allowed by Policy-5: SNAT"
id=36871 trace_id=1132 msg="SNAT 10.10.20.30->172.20.120.230:54409"
execute log filter
    Changes the log display settings (sub-commands below).

execute log filter dump
    Displays the current log display settings, for example:
        category: traffic
        device: disk
        start-line: 15
        view-lines: 50
        max-checklines: 1000

execute log filter start-line 1
    Sets the start line to line 1.

execute log filter view-lines 100
    Sets the number of lines to be displayed to 100.

execute log filter max-checklines 50000
    Sets the number of lines to be checked to 50000.

execute log filter category 0
    Sets the log category to Traffic. Replace "0" with the desired category for which the log is required. Available categories:
        0: traffic
        1: event
        2: virus
        3: webfilter
        4: ids
        5: spam
        6: content
        9: dlp
        10: application control
        16: netscan

execute log display
    Displays the log based on the configured settings.
get system ha status
    Within a cluster, to determine the high availability status of the FortiGate firewall. Example output (the number after Master/Slave is the unit's HA priority, the trailing number its cluster index):
        Model: 300
        Mode: a-p
        Group: 0
        Debug: 0
        ses_pickup: enable, ses_pickup_delay=disable
        Master:150 FORTIGATE-FW-1 AB5KB3D10700369 1
        Slave :200 FORTIGATE-FW-2 AB5KB3D10800490 0
        number of vcluster: 1
        vcluster 1: work 169.254.0.1
        Master:0 AB5KB3D10700369
        Slave :1 AB5KB3D10800490
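As an added example that is not part of these notes, the following Python parses the get system ha status output quoted above into a structure and applies a few sanity checks a practitioner would want before trusting the cluster: exactly one Master, two members present, session pickup enabled in a-p mode, the HA group id changed from its default, and debug off. The sample text is the output from this page; the thresholds in ha_findings are my own assumptions.

```python
import re

# Constructed sample: the `get system ha status` output quoted on this page.
HA_STATUS_SAMPLE = """\
Model: 300
Mode: a-p
Group: 0
Debug: 0
ses_pickup: enable, ses_pickup_delay=disable
Master:150 FORTIGATE-FW-1 AB5KB3D10700369 1
Slave :200 FORTIGATE-FW-2 AB5KB3D10800490 0
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master:0 AB5KB3D10700369
Slave :1 AB5KB3D10800490
"""

# "Master:150 HOST SERIAL 1" -> role, HA priority, hostname, serial, cluster index
MEMBER_RE = re.compile(
    r'^(?P<role>Master|Slave)\s*:(?P<prio>\d+)\s+(?P<host>\S+)\s+(?P<serial>\S+)\s+(?P<idx>\d+)$')
# "Master:0 SERIAL" lines under a vcluster -> role, index, serial
VC_MEMBER_RE = re.compile(r'^(?P<role>Master|Slave)\s*:(?P<idx>\d+)\s+(?P<serial>\S+)$')
# Plain "Key: value" lines (Model, Mode, Group, Debug, number of vcluster)
KV_RE = re.compile(r'^(?P<key>[A-Za-z_ ]+):\s*(?P<val>.*)$')


def parse_ha_status(text):
    """Turn the CLI text into a dict; member lines become lists of dicts."""
    status = {"members": [], "vcluster_members": []}
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if (m := MEMBER_RE.match(line)):
            status["members"].append({"role": m["role"], "priority": int(m["prio"]),
                                      "hostname": m["host"], "serial": m["serial"],
                                      "cluster_index": int(m["idx"])})
        elif (m := VC_MEMBER_RE.match(line)):
            status["vcluster_members"].append({"role": m["role"], "index": int(m["idx"]),
                                               "serial": m["serial"]})
        elif line.startswith("ses_pickup:"):
            # "ses_pickup: enable, ses_pickup_delay=disable" -> two booleans
            for part in line.replace(":", "=").split(","):
                key, _, val = part.partition("=")
                status[key.strip()] = (val.strip() == "enable")
        elif (m := KV_RE.match(line)):
            status[m["key"].strip().lower()] = m["val"].strip()
    return status


def ha_findings(status):
    """Conditions worth fixing before relying on failover (assumed thresholds)."""
    out = []
    roles = [m["role"] for m in status["members"]]
    if roles.count("Master") != 1:
        out.append("cluster not formed: expected exactly one Master")
    if len(status["members"]) < 2:
        out.append("only one unit reported; no failover capacity")
    if status.get("mode") == "a-p" and not status.get("ses_pickup"):
        out.append("session pickup disabled: established TCP sessions drop on failover")
    if status.get("group") == "0":
        # Every cluster on the same L2 segment needs its own group id,
        # because the group id is used to derive the HA virtual MACs.
        out.append("HA group id left at default 0: collides with other clusters on the same segment")
    if status.get("debug") not in (None, "0"):
        out.append("HA debug enabled; disable it outside troubleshooting")
    return out
```

Paste the live output of get system ha status into parse_ha_status; on the page's sample the only finding is the default group id.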
get vpn ssl settings
    Shows the SSL VPN settings. Example output:
        sslv3 : enable
        dns-server1 : 10.1.1.1
        dns-server2 : 10.1.1.2
        route-source-interface : disable
        reqclientcert : disable
        sslv2 : disable
        force-two-factor-auth : disable
        force-utf8-login : disable
        allow-unsafe-legacy-renegotiation : disable
        servercert : self-sign
        algorithm : default
        idle-timeout : 300
        auth-timeout : 28800
        tunnel-ip-pools:
        == [ SSL-VPNPOOL ]
        name: SSL-VPNPOOL
        wins-server1 : 0.0.0.0
        wins-server2 : 0.0.0.0
        url-obscuration : disable
        http-compression : disable
        port : 443

    Two settings in this output deserve attention: sslv3 : enable leaves the portal open to SSLv3 downgrade attacks and should be turned off (config vpn ssl settings, set sslv3 disable), and servercert : self-sign means users cannot distinguish the real portal from an impostor; install a certificate issued by a CA the clients trust.
config firewall vip
    Virtual IP (destination NAT) configuration. Example:
        edit vip_172.16.1.50
            set extip 200.1.1.10
            set extintf port10
            set mappedip 172.16.1.50
        next
    end
config vpn ipsec phase1-interface
    Shows the phase 1 interfaces configured for the IPsec VPN tunnel. Example:
        edit test_vpn
            set authmethod psk
            set ike-version 1
            set ip-version 4
            set keepalive 10
            set mode main
            set nattraversal enable
            set remote-gw 172.16.1.50
            set psksecret ENC ASDavbdgfadfadf
        next
    end
config vpn ipsec phase2-interface
    Shows the phase 2 interfaces configured for the IPsec VPN tunnel. Example:
        edit test_vpn_phase2
            set phase1name test_vpn
            set proposal 3des-sha1 aes128-sha1
            set keepalive enable
            set src-addr-type ip
            set dst-addr-type ip
            set keylifeseconds 3600
            set src-start-ip 172.16.1.10
            set dst-start-ip 172.16.1.100
        next
    end

    Both proposals here are legacy: 3DES is deprecated and SHA1 is a weak integrity choice. Prefer AES with SHA-256 (or AES-GCM) where the peer supports it.

Activates the phase 2 tunnel. Example: diagnose vp
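As an added example, not code from these notes or from Fortinet, the following Python reads FortiOS configuration in show syntax and flags the weak settings discussed across this cheat sheet: the any/any/ANY accept policy from the first section, SSLv2/SSLv3, unsafe legacy renegotiation and a self-signed certificate in vpn ssl settings, IKEv1 aggressive mode with a pre-shared key in phase1-interface, and 3DES/MD5/SHA1 proposals in phase2-interface. The sample configuration is constructed from the fragments on this page; policy 2 and the phase1 entry branch-aggr are invented so a clean entry sits next to a flagged one.

```python
import shlex

# Constructed sample in FortiOS `show` syntax. Policy 1, the SSL VPN settings,
# phase1 "test_vpn" and phase2 "test_vpn_phase2" come from this cheat sheet;
# policy 2 and phase1 "branch-aggr" are invented for contrast.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ANY"
    next
    edit 2
        set srcaddr "lan-clients"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "DNS"
        set logtraffic all
    next
end
config vpn ssl settings
    set sslv3 enable
    set sslv2 disable
    set allow-unsafe-legacy-renegotiation disable
    set servercert "self-sign"
end
config vpn ipsec phase1-interface
    edit "test_vpn"
        set authmethod psk
        set ike-version 1
        set mode main
        set remote-gw 172.16.1.50
    next
    edit "branch-aggr"
        set authmethod psk
        set ike-version 1
        set mode aggressive
    next
end
config vpn ipsec phase2-interface
    edit "test_vpn_phase2"
        set phase1name "test_vpn"
        set proposal 3des-sha1 aes128-sha1
    next
end
"""


def parse_fortios_config(text):
    """Map (config path, edit name) -> {setting: [values]}.

    Tables without edit entries (e.g. vpn ssl settings) use '' as the name."""
    entries, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles quoted names and values
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(("config", " ".join(args)))
        elif kw == "edit":
            stack.append(("edit", args[0]))
        elif kw in ("next", "end") and stack:
            stack.pop()
        elif kw == "set":
            path = " ".join(v for k, v in stack if k == "config")
            names = [v for k, v in stack if k == "edit"]
            entries.setdefault((path, names[-1] if names else ""), {})[args[0]] = args[1:]
    return entries


LEGACY_TOKENS = ("des-", "-md5", "-sha1")   # matches 3des-*, des-*, *-md5, *-sha1


def audit(entries):
    """Return one finding per weak setting; an empty list means nothing flagged."""
    out = []
    for (path, name), s in entries.items():
        if (path == "firewall policy" and s.get("action") == ["accept"]
                and s.get("srcaddr") == ["all"] and s.get("dstaddr") == ["all"]
                and any(v.upper() in ("ANY", "ALL") for v in s.get("service", []))):
            out.append(f"firewall policy {name}: accept all->all on {s['service'][0]}; "
                       "restrict addresses and services, and log the traffic")
        elif path == "vpn ssl settings":
            for opt in ("sslv2", "sslv3", "allow-unsafe-legacy-renegotiation"):
                if s.get(opt) == ["enable"]:
                    out.append(f"vpn ssl settings: {opt} is enabled; disable it")
            if s.get("servercert") == ["self-sign"]:
                out.append("vpn ssl settings: self-signed portal certificate; "
                           "users cannot tell the real portal from an impostor")
        elif (path == "vpn ipsec phase1-interface" and s.get("mode") == ["aggressive"]
                and s.get("authmethod") == ["psk"]):
            # Aggressive mode sends the PSK-derived hash unencrypted, so an
            # on-path observer can run an offline dictionary attack on the key.
            out.append(f"phase1 {name}: IKEv1 aggressive mode with a PSK exposes a "
                       "crackable hash of the key; use main mode or IKEv2")
        elif path == "vpn ipsec phase2-interface":
            for prop in s.get("proposal", []):
                if any(t in prop for t in LEGACY_TOKENS):
                    out.append(f"phase2 {name}: legacy proposal {prop}; "
                               "prefer aes128-sha256/aes256-sha256 or AES-GCM")
    return out
```

Feed it the text of show full-configuration (or a saved backup) and review the returned list; on the constructed sample it reports six findings and stays silent on policy 2 and on the main-mode phase1.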
config log syslogd setting
    Syslog server settings (inside a VDOM the same keys are set under config log syslogd override-setting). Example:
        set status enable
        set port 1300
        set server 10.20.30.1
        set csv enable
        set reliable disable
        set facility local7
    end
3) Open a command prompt on your machine and ping a web address, for example: ping 8.8.8.8
4) Review the output on the FortiGate CLI.
5) You'll see various information about which connection you're using along with the Policy ID.

Step 2 Reviewing the Firewall Policy ID

1) Go to the Policy section of your FortiGate.
2) Right click the column bar and verify that ID is selected. Seq.# is not the Policy ID.
3) You can filter the ID for your specific # or go down the list to identify the Policy ID you found in Step 1.
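As an added example that is not part of these notes, the following Python parses diagnose debug flow output like the trace quoted earlier on this page and reports, per trace_id, the packet, the route, the verdict, the policy ID to look up under the ID column, and any SNAT applied. The first trace is the page's own lines; the second trace (1133) is constructed to show a denied packet, and the wording of its deny line is what FortiOS prints for the implicit deny in the releases I have seen, so treat DENY_RE as an assumption and adjust it if your version phrases it differently.

```python
import re

# Constructed sample: trace_id 1132 reuses the lines quoted on this page;
# trace_id 1133 is invented so that a deny verdict appears as well.
SAMPLE_TRACE = """\
id=36871 trace_id=1132 msg="vd-root received a packet(proto=17, 10.10.20.30:10292->192.168.110.11:161) from internal."
id=36871 trace_id=1132 msg="allocate a new session-00012042"
id=36871 trace_id=1132 msg="find a route: gw-172.20.120.2 via wan1"
id=36871 trace_id=1132 msg="find SNAT: IP-172.20.120.230, port-54409"
id=36871 trace_id=1132 msg="Allowed by Policy-5: SNAT"
id=36871 trace_id=1132 msg="SNAT 10.10.20.30->172.20.120.230:54409"
id=36871 trace_id=1133 msg="vd-root received a packet(proto=6, 10.10.20.31:51000->203.0.113.7:23) from internal."
id=36871 trace_id=1133 msg="allocate a new session-00012043"
id=36871 trace_id=1133 msg="find a route: gw-172.20.120.2 via wan1"
id=36871 trace_id=1133 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'^id=(\d+) trace_id=(?P<trace>\d+) msg="(?P<msg>.*)"$')
PACKET_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), '
                       r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) '
                       r'from (?P<iface>\S+)\.')
ROUTE_RE = re.compile(r'find a route: gw-(?P<gw>[\d.]+) via (?P<iface>\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<pid>\d+)')
DENY_RE = re.compile(r'Denied by .*\(policy (?P<pid>\d+)\)')   # assumed wording
SNAT_RE = re.compile(r'^SNAT (?P<orig>[\d.]+)->(?P<nat>[\d.]+):(?P<port>\d+)')


def parse_flow_trace(text):
    """Group flow lines by trace_id and pull out packet, route, verdict and SNAT."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # not a flow line, or one mangled by terminal wrapping
        trace = int(m["trace"])
        s = sessions.setdefault(trace, {"trace_id": trace, "packet": None, "route": None,
                                        "verdict": None, "policy_id": None, "snat": None})
        msg = m["msg"]
        if (pm := PACKET_RE.search(msg)):
            s["packet"] = {"proto": int(pm["proto"]), "src": pm["src"], "sport": int(pm["sport"]),
                           "dst": pm["dst"], "dport": int(pm["dport"]), "ingress": pm["iface"]}
        elif (rm := ROUTE_RE.search(msg)):
            s["route"] = (rm["gw"], rm["iface"])
        elif (am := ALLOW_RE.search(msg)):
            s["verdict"], s["policy_id"] = "allow", int(am["pid"])
        elif (dm := DENY_RE.search(msg)):
            s["verdict"], s["policy_id"] = "deny", int(dm["pid"])
        elif (sm := SNAT_RE.match(msg)):
            s["snat"] = f'{sm["orig"]}->{sm["nat"]}:{sm["port"]}'
    return list(sessions.values())


def summarize(text):
    """One line per session, ending with the policy ID (and SNAT mapping if any)."""
    lines = []
    for s in parse_flow_trace(text):
        p = s["packet"] or {}
        lines.append(f'trace {s["trace_id"]}: {p.get("src")}:{p.get("sport")} -> '
                     f'{p.get("dst")}:{p.get("dport")} proto {p.get("proto")} '
                     f'{s["verdict"]} by policy {s["policy_id"]}'
                     + (f' snat {s["snat"]}' if s["snat"] else ""))
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_TRACE):
        print(line)
```

Copy the CLI output into a file and pass its contents to summarize; the policy number in each line is the ID column value to look for in Step 2, and a verdict of deny by policy 0 means no policy matched at all.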
The IPS engine can be restarted and updated from the CLI by executing the commands below.
You may want to restart the IPS engine if it crashes or to reduce CPU usage.
1.
2.
3.
4.
exec update-ips
A null route or blackhole route is a network route that goes nowhere. Matching packets are dropped rather than forwarded.

Null routes are often used on high-performance core routers to mitigate large-scale denial-of-service attacks before the packets reach a bottleneck. There is virtually no performance impact, which is why this is commonly used.

Blackhole filtering can also be abused by attackers on compromised routers to filter out traffic destined to a certain address.

Enabling a blackhole or null route is only available through the CLI of a FortiGate.

Steps to enable a blackhole route:
1.
2.
3.
4. Enable blackhole
5. Set Distance
6.
SSL Inspection inadvertently blocks Citrix screen sharing sessions such as Gotomeeting and Gotoassist. This behavior occurs when SSL Inspection is turned on in the Web Filtering UTM control and in the firewall policy.

A workaround can be implemented to allow these sessions to connect. Version 5.2 of FortiOS revamps the way SSL Inspection is handled, and this should not be needed if you are running 5.2.

Follow the steps below for versions prior to 5.2.

Steps
1) Go to Security Profiles > Web Filter > Profiles and select your Web Filter profile.
2) Turn on Enable Web Site Filter.
3) Add two new wildcard entries. You are telling the FortiGate to bypass UTM filtering for any web page that contains gotomeeting or citrixonline in its name.
The key to a smoother user experience is to add the DNS suffix to the SSL VPN configuration. This allows access to resources without having to know the Fully Qualified Domain Name (FQDN).

The steps below outline how you can enable DNS resolution across a FortiGate SSL VPN connection.

Step 1
Set the DNS server IP addresses in the Advanced settings of the SSL VPN configuration.
Step 2
Launch the CLI and enter the following commands to add a DNS suffix to the VPN configuration:
Step 3
Connect to your SSL VPN connection and verify you can ping hosts without requiring the FQDN.
Happy Connecting!!
Turning on various UTM features on a FortiGate unit may inadvertently increase latency or
block access to certain webpages.
Websites are becoming increasingly integrated with Social Media, File Sharing Services and
other categories which could be blocked by your security policy.
The below steps demonstrate how you can use the debugging tools in Internet Explorer to
diagnose slow loading web pages.
Step 1
Launch Internet Explorer and press F12 to open the Developer Tools. A box will appear at
the bottom of IE.
Step 2
Select the Network Tab and click Start Capturing. This will capture all network activity that
occurs when visiting a web page.
Step 3
Navigate to the website you are trying to diagnose and load the page. You should immediately start seeing data in the capture field. URLs with a result of Pending instead of GET usually indicate that the request is being blocked or intercepted. The Timing tab illustrates which sections of the web page took the longest to load and their latency.
In the example below we are navigating to www.cnn.com. Social Media is blocked on the
FortiGate Unit. You can see that the Facebook connections are in the pending state due
to it being intercepted by the FortiGate.
Following the above steps will help you diagnose these issues very quickly and add
exception rules to enhance user experience!
Happy capturing!
Allows a user to access a certain website. The website's traffic is allowed to bypass the additional Fortinet security functions. Exempt bypasses the entire URL connection and does not require re-scanning while the connection remains open, so antivirus scanning is skipped as well, as the virus.zip line below shows. Use Exempt only for sites you trust.

Example URL Filter Entry: www.domain.com
    www.domain.com            Passed without scanning
    www.domain.com/page2      Passed without scanning
    www.domain.com/virus.zip  Passed without scanning
Recommendations
There are two modes available to you when configuring HA for a FortiGate cluster, Active-Active or Active-Passive. The section below outlines the main differences between the two modes.
Active-Active
Load balances UTM (Antivirus, IPS, Web Filtering, etc.) packets between all cluster
units. This can lead to overall improvement in UTM performance by sharing the
processing load among the cluster units.
The following sessions are processed by the primary unit & not load balanced: UDP,
ICMP, Multicast, Broadcast, VoIP, IM, P2P, IPSEC VPN, HTTPS, SSL VPN, HTTP
Multiplexing, SSL Offloading, WAN Optimization, Explicit Web Proxy & WCCP
sessions.
TCP traffic is not load balanced by default. It is recommended to test this setting in
your environment as it may degrade performance rather than increase. The
overhead required to load balance TCP traffic is as much as just processing it.
If the primary unit fails, the other unit negotiates and becomes the primary unit.
The remaining unit continues to function as the primary unit, maintaining the HA
virtual MAC address for all of its interfaces.
Session failover is provided for all TCP sessions except UTM, UDP, ICMP, Multicast &
Broadcast sessions. This requires Session Pickup to be turned on.
Active-Passive
Recommendations