Tunnel state is up
Information from the output of the command below (diagnose vpn tunnel list):
– VPN peers
– encrypted traffic (source and destination)
– traffic counters for encrypted traffic
– SPI for encrypt and decrypt
– encryption method
In the following output the second tunnel, named fortigw-311b-wlan-ph2, is down.
With the diagnose command:
myfirewall1 # diagnose vpn tunnel stat
Check packet counters for the tunnel
To see whether encryption and decryption of packets works, run diagnose vpn ipsec status or diagnose vpn tunnel list two or more times while traffic is flowing and compare the values.
On the second and third outputs the counters should show larger numbers. If only the encrypt counter grows, this unit is sending into the tunnel but nothing comes back (look at the far side's route, policy and phase-2 selectors); if neither counter grows, the traffic is not being routed or permitted into the tunnel on this unit at all.
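Comparing counters across snapshots by eye is error-prone once more than a couple of tunnels are up. The script below is an added example, not part of the original notes: it parses two saved copies of diagnose vpn tunnel list output and classifies every phase-2 SA from the counter delta. The two inline snapshots are constructed to mimic FortiOS output and are trimmed to the name=, proxyid= and dec:pkts/bytes= lines the parser keys on; real output carries many more fields per tunnel. The tunnel and phase-2 names are this example's own, apart from fortigw-311b-wlan-ph2, which is borrowed from the notes above as the tunnel that never negotiated phase 2 (sa=0).

```python
"""Compare two snapshots of `diagnose vpn tunnel list` and classify each phase-2 SA.

Added example; the snapshots are constructed to mimic FortiOS output (trimmed to
the name=, proxyid= and dec:pkts/bytes= lines this parser keys on).
"""
import re

NAME_RE = re.compile(r"^name=(\S+)")                       # start of a phase-1 tunnel block
PROXY_RE = re.compile(r"^proxyid=(\S+).*?\bsa=(\d+)")       # phase-2 selector and SA count
CNT_RE = re.compile(r"dec:pkts/bytes=(\d+)/\d+,\s*enc:pkts/bytes=(\d+)/\d+")

SNAP_1 = """\
name=to_HQ ver=1 serial=1 203.0.113.1:0->198.51.100.1:0
proxyid=to_HQ-ph2 proto=0 sa=1 ref=2 serial=1
  dec:pkts/bytes=1000/120000, enc:pkts/bytes=1000/118000
name=to_branch ver=1 serial=2 203.0.113.1:0->198.51.100.5:0
proxyid=to_branch-ph2 proto=0 sa=1 ref=2 serial=1
  dec:pkts/bytes=0/0, enc:pkts/bytes=50/6000
name=fortigw-311b-wlan ver=1 serial=3 203.0.113.1:0->198.51.100.7:0
proxyid=fortigw-311b-wlan-ph2 proto=0 sa=0 ref=1 serial=1
"""
SNAP_2 = """\
name=to_HQ ver=1 serial=1 203.0.113.1:0->198.51.100.1:0
proxyid=to_HQ-ph2 proto=0 sa=1 ref=2 serial=1
  dec:pkts/bytes=1500/180000, enc:pkts/bytes=1480/175000
name=to_branch ver=1 serial=2 203.0.113.1:0->198.51.100.5:0
proxyid=to_branch-ph2 proto=0 sa=1 ref=2 serial=1
  dec:pkts/bytes=0/0, enc:pkts/bytes=90/10800
name=fortigw-311b-wlan ver=1 serial=3 203.0.113.1:0->198.51.100.7:0
proxyid=fortigw-311b-wlan-ph2 proto=0 sa=0 ref=1 serial=1
"""


def parse_tunnel_list(text):
    """Return {"tunnel/phase2": (dec_pkts, enc_pkts)}; a phase-2 with sa=0 maps to None."""
    sas = {}
    tunnel = key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            tunnel = m.group(1)
            continue
        m = PROXY_RE.match(line)
        if m and tunnel:
            key = f"{tunnel}/{m.group(1)}"
            sas[key] = None if m.group(2) == "0" else (0, 0)   # sa=0: phase 2 never came up
            continue
        m = CNT_RE.search(line)
        if m and key and sas.get(key) is not None:
            sas[key] = (int(m.group(1)), int(m.group(2)))
    return sas


def classify(before, after):
    """Explain each SA from the counter delta between two snapshots."""
    verdicts = {}
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key), after.get(key)
        if a is None:
            verdicts[key] = "DOWN: no phase-2 SA (sa=0); check phase-1/phase-2 negotiation"
        elif b is None:
            verdicts[key] = "NEW: SA came up between snapshots; take another sample"
        else:
            dec, enc = a[0] - b[0], a[1] - b[1]
            if dec > 0 and enc > 0:
                verdicts[key] = f"OK: +{dec} decrypted, +{enc} encrypted"
            elif enc > 0:
                verdicts[key] = (f"ONE-WAY: +{enc} encrypted, nothing decrypted; peer is not "
                                 "returning traffic (far-side route/policy/selectors)")
            elif dec > 0:
                verdicts[key] = (f"ONE-WAY: +{dec} decrypted, nothing encrypted; local "
                                 "route/policy does not send replies into the tunnel")
            else:
                verdicts[key] = "IDLE: counters unchanged; generate traffic and re-sample"
    return verdicts


if __name__ == "__main__":
    import sys
    snaps = [open(p).read() for p in sys.argv[1:3]] if len(sys.argv) == 3 else [SNAP_1, SNAP_2]
    for sa, verdict in classify(parse_tunnel_list(snaps[0]), parse_tunnel_list(snaps[1])).items():
        print(f"{sa:45s} {verdict}")
```

Save the output of diagnose vpn tunnel list to two files a few seconds apart, generating traffic across the tunnel in between (a ping from behind the firewall works), and pass both paths on the command line; with no arguments the script runs against the constructed snapshots.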
5.0 Sniffer trace
The basic command is “diagnose sniffer packet”; after it you define the interface*
(or the keyword any):
myfirewall1 # diagnose sniffer packet <interface>      (the network interface to sniff, or "any")
*A policy-based IPsec tunnel has no interface of its own, so to see tunnel traffic use any and narrow it with a filter string; an interface-mode (route-based) tunnel can be named directly.
Then comes the tcpdump-like filter string (or the keyword none):
myfirewall1 # diagnose sniffer packet any "<filter>"
“diag debug flow show console enable” – outputs the debug flow messages to the CLI screen so they can be seen
“diag debug flow filter addr <IP address>” – restricts the trace to packets from or to a particular IP address
“diag debug flow filter clear” – clears any flow filter previously set
The trace only produces output after “diag debug enable” and “diag debug flow trace start <count>”; stop it with “diag debug flow trace stop” and “diag debug disable”, and clear the filter afterwards, because a forgotten filter silently narrows the next trace.
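A long trace is easier to act on once it is reduced to one line per flow. The script below is an added example, not code from the original notes: it groups diagnose debug flow lines by trace_id and extracts the ingress interface, the route lookup, the policy verdict and any SNAT. The sample lines are constructed: trace 1132 mirrors the allowed UDP session shown in the output example later in these notes, and trace 1133 is a TCP flow hitting the implicit deny, using the "iprope_in_check() check failed on policy 0, drop" message FortiOS prints in that case. The field names in the parsed record (proto, in_if, out_if, verdict, snat) are this example's own.

```python
"""Summarise `diagnose debug flow` output: one line per traced flow.

Added example, not code from the original notes. The sample lines are
constructed: trace 1132 is an allowed UDP session, trace 1133 a TCP flow
dropped by the implicit deny (policy 0).
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r'id=(\d+)\s+trace_id=(\d+)\s+(?:func=\S+\s+line=\d+\s+)?msg="(.*)"')
RECV_RE = re.compile(r"received a packet\(proto=(\d+),\s*([\d.]+):(\d+)-([\d.]+):(\d+)\)\s+from\s+(\S+?)\.?$")
ROUTE_RE = re.compile(r"find a route:.*?\bvia (\S+)")
GW_RE = re.compile(r"\bgw-([\d.]+)")
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")
DENY_RE = re.compile(r"check failed on policy (\d+)|Denied by forward policy check \(policy (\d+)\)")
SNAT_RE = re.compile(r"^SNAT [\d.]+->([\d.]+):(\d+)")
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

SAMPLE = """\
id=36871 trace_id=1132 msg="vd-root received a packet(proto=17, 10.10.20.30:1029-192.168.110.11:161) from internal."
id=36871 trace_id=1132 msg="allocate a new session-00012042"
id=36871 trace_id=1132 msg="find a route: gw-172.20.120.2 via wan1"
id=36871 trace_id=1132 msg="find SNAT: IP-172.20.120.230, port-54409"
id=36871 trace_id=1132 msg="Allowed by Policy-5: SNAT"
id=36871 trace_id=1132 msg="SNAT 10.10.20.30->172.20.120.230:54409"
id=36871 trace_id=1133 msg="vd-root received a packet(proto=6, 10.10.20.31:51000-203.0.113.9:445) from internal."
id=36871 trace_id=1133 msg="allocate a new session-00012043"
id=36871 trace_id=1133 msg="find a route: gw-172.20.120.2 via wan1"
id=36871 trace_id=1133 msg="iprope_in_check() check failed on policy 0, drop"
"""


def parse_flow_trace(text):
    """Group trace lines by trace_id and pull out the fields a triage needs."""
    flows = defaultdict(lambda: {"msgs": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        f, msg = flows[int(m.group(2))], m.group(3)
        f["msgs"].append(msg)
        if r := RECV_RE.search(msg):                      # 5-tuple and ingress interface
            f["proto"] = PROTO.get(int(r.group(1)), r.group(1))
            f["src"], f["dst"] = f"{r.group(2)}:{r.group(3)}", f"{r.group(4)}:{r.group(5)}"
            f["in_if"] = r.group(6)
        elif r := ROUTE_RE.search(msg):                   # egress interface and gateway
            f["out_if"] = r.group(1)
            g = GW_RE.search(msg)
            f["gw"] = g.group(1) if g else None
        elif r := ALLOW_RE.search(msg):
            f["verdict"], f["policy"] = "allow", int(r.group(1))
        elif r := DENY_RE.search(msg):
            f["verdict"], f["policy"] = "drop", int(r.group(1) or r.group(2))
        elif r := SNAT_RE.search(msg):                    # translated source after NAT
            f["snat"] = f"{r.group(1)}:{r.group(2)}"
    return dict(flows)


def summarize(flows):
    """One line per flow: 5-tuple, interfaces, verdict, policy and SNAT."""
    lines = []
    for tid, f in sorted(flows.items()):
        pol = f" policy {f['policy']}" if "policy" in f else ""
        nat = f" snat={f['snat']}" if "snat" in f else ""
        lines.append(f"trace {tid}: {f.get('proto', '?')} {f.get('src', '?')} -> {f.get('dst', '?')} "
                     f"in={f.get('in_if', '?')} out={f.get('out_if', '-')} "
                     f"{f.get('verdict', 'no verdict')}{pol}{nat}")
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(summarize(parse_flow_trace(text))))
```

A flow that ends with "no verdict" usually matched an existing session (debug flow only walks the full policy lookup for the first packet of a session), so clear the session or start the trace before the client connects if you need the policy decision.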
Let’s say you wanted to see if a particular node was sending pings successfully on any interface:
“diag sniffer packet any ‘icmp and host x.x.x.x’ 4” – If pings are hitting the appropriate interface, you will see the output on the CLI console; verbose level 4 prints the interface name and direction (in/out) on each line.
Use “diagnose sniffer packet” commands to capture packets traversing the Fortigate firewall.
diagnose sniffer packet <interface> <filter-argument> <verbose level> <packet-count>
– Interface: specify the ingress or egress interface, or “any”
– filter: a quoted tcpdump-like filter string for source and destination IP/port, or none
– verbose level is 1 to 6: 1 = packet header only; 2 = header and data from the IP layer; 3 = header and data from the Ethernet layer; 4, 5 and 6 are the same three with the interface name and direction added
– packet-count: how many packets to capture before the sniffer stops (0 = run until Ctrl-C)
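Verbose levels 3 and 6 print every frame as a hex dump starting at the Ethernet header, which is enough to rebuild a pcap file that Wireshark opens directly (Fortinet ships a Perl script, fgt2eth, for the same job). The script below is an added example and is not that script or anything from the original notes. The capture text inline is constructed to look like diagnose sniffer packet any "tcp port 22" 6 output (two frames, a SYN and its SYN-ACK, with zeroed checksums) and is not real device output. It assumes the default relative timestamps; absolute timestamps (the tsformat argument) would need a different header regex, and levels 2 and 5, which dump from the IP header, would need LINKTYPE_RAW (101) instead of Ethernet.

```python
"""Convert FortiGate `diagnose sniffer packet` verbose-3/6 output into a pcap file.

Added example, not from the original notes. The capture text is constructed
to mimic `diagnose sniffer packet any "tcp port 22" 6` output (a TCP SYN and
its SYN-ACK with zeroed checksums); it is not real device output.
"""
import re
import struct

# Header line: relative timestamp, optional "<iface> in|out" (levels 4-6), then the summary.
HDR_RE = re.compile(r"^(\d+\.\d+)\s+(?:(\S+)\s+(in|out)\s+)?(\S+\s+->\s+.*)$")
# Hex dump line: offset, up to eight 16-bit groups; the trailing ASCII column is ignored.
HEX_RE = re.compile(r"^0x[0-9a-f]{4}\s+((?:[0-9a-f]{4}\s?){1,8})")

SAMPLE = """\
interfaces=[any]
filters=[tcp port 22]
2.458473 port2 in 192.168.1.10.40000 -> 192.168.1.1.22: syn 1000
0x0000   0009 0f11 2233 0050 56aa bb01 0800 4500    .....3.PV.....E.
0x0010   0028 0001 4000 4006 0000 c0a8 010a c0a8    .(..@.@.........
0x0020   0101 9c40 0016 0000 03e8 0000 0000 5002    ...@..........P.
0x0030   2000 0000 0000                              ......
2.458902 port2 out 192.168.1.1.22 -> 192.168.1.10.40000: syn 5000 ack 1001
0x0000   0050 56aa bb01 0009 0f11 2233 0800 4500    .PV......3..E.
0x0010   0028 0002 4000 4006 0000 c0a8 0101 c0a8    .(..@.@.........
0x0020   010a 0016 9c40 0000 1388 0000 03e9 5012    .....@........P.
0x0030   2000 0000 0000                              ......
"""

# libpcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET (1)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def parse_sniffer(text):
    """Return a list of {ts, iface, dir, summary, data} dicts, one per captured frame."""
    packets, cur = [], None
    for line in text.splitlines():
        h = HDR_RE.match(line)
        if h:
            cur = {"ts": float(h.group(1)), "iface": h.group(2) or "", "dir": h.group(3) or "",
                   "summary": h.group(4), "data": bytearray()}
            packets.append(cur)
            continue
        x = HEX_RE.match(line)
        if x and cur is not None:
            cur["data"] += bytes.fromhex(x.group(1).replace(" ", ""))
    return packets


def to_pcap(packets):
    """Serialise parsed frames as a classic libpcap file (Ethernet link type)."""
    out = bytearray(PCAP_GLOBAL)
    for p in packets:
        sec = int(p["ts"])
        usec = int(round((p["ts"] - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(p["data"]), len(p["data"]))
        out += p["data"]
    return bytes(out)


def sanity(packets):
    """Flag IPv4 frames whose declared total length exceeds the bytes captured (truncated dump)."""
    problems = []
    for i, p in enumerate(packets):
        d = p["data"]
        if len(d) < 34 or d[12:14] != b"\x08\x00":
            continue                      # not IPv4 over Ethernet; nothing to cross-check
        ip_len = struct.unpack("!H", d[16:18])[0]
        if 14 + ip_len > len(d):
            problems.append((i, ip_len, len(d) - 14))
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    frames = parse_sniffer(text)
    with open(sys.argv[2] if len(sys.argv) > 2 else "fgt.pcap", "wb") as fh:
        fh.write(to_pcap(frames))
    print(f"{len(frames)} frames written; truncated frames: {sanity(frames)}")
```

Copy the sniffer output from the terminal into a file (the interfaces= and filters= banner lines are skipped) and run the script with the input and output paths; sanity() catches frames whose hex dump was cut short by a terminal or paste buffer, which otherwise show up in Wireshark as malformed packets.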
Examples:
1. capture all traffic from host 192.168.1.10
diagnose sniffer packet any "host 192.168.1.10" 2
2. capture all UDP port 53 from and to host 192.168.1.10
diagnose sniffer packet port2 "udp and port 53 and host 192.168.1.10" 5
3. capture all SSH traffic from and to hosts 192.168.1.10 and 192.168.1.15
diagnose sniffer packet any "(host 192.168.1.10 or host 192.168.1.15) and tcp port 22" 4
(the parentheses matter: "and" binds tighter than "or", so without them the filter would capture everything from .10 plus only SSH from .15)
4. capture all HTTP traffic from host 192.168.1.10 towards 192.168.2.10
diagnose sniffer packet internal "src host 192.168.1.10 and dst host 192.168.2.10 and port 80"
Output example (diagnose debug flow trace of one UDP session):
id=36871 trace_id=1132 msg="vd-root received a packet(proto=17, 10.10.20.30:1029-192.168.110.11:161) from internal."
id=36871 trace_id=1132 msg="allocate a new session-00012042"
id=36871 trace_id=1132 msg="find a route: gw-172.20.120.2 via wan1"
id=36871 trace_id=1132 msg="find SNAT: IP-172.20.120.230, port-54409"
id=36871 trace_id=1132 msg="Allowed by Policy-5: SNAT"
id=36871 trace_id=1132 msg="SNAT 10.10.20.30->172.20.120.230:54409"
Read it top to bottom: ingress interface, new session, route lookup (egress interface and gateway), NAT decision, the policy that allowed it, and the translated source. A dropped packet ends instead with a deny message naming the matching deny policy or policy 0 (the implicit deny).
Log filter commands:
execute log filter dump
    Displays the current log filter settings, e.g.
    category: traffic
    device: disk
    start-line: 15
    view-lines: 50
    max-checklines: 1000
execute log filter start-line 1
    Changes the log display settings: sets the start line to line 1
execute log filter view-lines 100
    Sets the number of lines to be displayed to 100
execute log filter max-checklines 50000
    Sets the number of lines to be checked to 50000
Available categories:
16: netscan
10: application control
9: dlp
6: content
5: spam
4: ids
3: webfilter
2: virus
1: event
0: traffic
execute log display
    Displays the log based on the configured settings
execute log filter category 0
    Sets the log display category as "Traffic". Replace "0" with the desired category for which the log is required
get system ha status
    Displays the high availability status of the current Fortigate firewall. Within a cluster, to determine the primary firewall, use get system ha status and note the number of the primary firewall. Then use "
    FORTIGATE-FW-1 # get system ha status
    Model: 300
    Mode: a-p
    Group: 0
    Debug: 0
    ses_pickup: enable, ses_pickup_delay=disable
    Master:150 FORTIGATE-FW-1 AB-5KB3D10700369 1
    Slave :200 FORTIGATE-FW-2 AB-5KB3D10800490 0
    number of vcluster: 1
    vcluster 1: work 169.254.0.1
    Master:0 AB-5KB3D10700369
    Slave :1 AB-5KB3D10800490
    Each Master/Slave line reads: HA priority, hostname, serial number, cluster index (the number exec ha manage asks for).
get vpn ssl settings
    Displays the SSL VPN settings:
    sslvpn-enable : enable
    sslv3 : enable
    dns-server1 : 10.1.1.1
    dns-server2 : 10.1.1.2
    route-source-interface: disable
    reqclientcert : disable
    sslv2 : disable
    force-two-factor-auth: disable
    force-utf8-login : disable
    allow-unsafe-legacy-renegotiation: disable
    servercert : self-sign
    algorithm : default
    idle-timeout : 300
    auth-timeout : 28800
    tunnel-ip-pools:
    == [ SSL-VPN-POOL ]
    name: SSL-VPN-POOL
    wins-server1 : 0.0.0.0
    wins-server2 : 0.0.0.0
    url-obscuration : disable
    http-compression : disable
    port : 443
Two things to flag in this output: sslv3 is enabled (SSLv3 is obsolete and downgrade-prone, so disable it unless a legacy client genuinely depends on it) and servercert is self-sign (users cannot tell the portal from a man-in-the-middle; install a certificate issued by a CA the clients trust). With reqclientcert and force-two-factor-auth both disabled, the portal relies on passwords alone.
5) You will see various information about which connection you are using, along with the Policy ID.
2) Right-click the column bar and verify that ID is selected. Seq.# is not the Policy ID.
3) You can filter the ID for your specific number, or go down the list to identify the Policy ID you found in Step 1.
The IPS engine can be restarted and updated from the CLI by executing the commands below.
You may want to restart the IPS engine if it crashes or to reduce CPU usage.
Null routes are often used on high-performance core routers to mitigate large-scale denial-of-service attacks before the packets reach a bottleneck. Dropping a packet against a blackhole route costs far less than forwarding or filtering it, so there is virtually no performance impact, which is why this is commonly used.
Enabling a blackhole or null route is only available through the CLI of a FortiGate.
SSL Inspection inadvertently blocks Citrix screen-sharing sessions such as GoToMeeting and GoToAssist. This behaviour is seen when SSL Inspection is turned on in the Web Filtering UTM control and in the firewall policy.
Steps
1) Go to Security Profiles > Web Filter > Profiles and select your Web Filter profile.
3) Add two new wildcard entries. You are telling the FortiGate to bypass UTM filtering for any web page whose name contains “gotomeeting” or “citrixonline”. Keep the patterns as specific as the product allows; an exemption that matches any URL containing the string also exempts look-alike domains from inspection.
You can safely restart a FortiGate HA cluster by following the steps below:
# exec ha manage (id of slave) – switches the console to the slave; press “?” or Tab to list the options and choose the slave unit.
get sys status – checks whether you are on the slave or the master before you reboot anything.
exec reboot
Reboot the slave first; once it has rejoined the cluster (get system ha status on the master lists it again), repeat the steps for the master.
Tips
1) Take a fresh backup of your config file prior to restarting.
3) Configure temporary out-of-band access to the unit if you are restarting remotely.
The below steps outlines how you can enable DNS Resolution across a FortiGate SSL VPN
Connection.
Step 1
Set the DNS Server IP Addresses in the Advanced settings of the SSL VPN Config.
Step 2
Launch the CLI and enter the following commands to add a DNS Suffix to the VPN Config:
end
Step 3
Connect to your SSL VPN connection and verify you can ping hosts without requiring the
FQDN.
Happy Connecting!!
Turning on various UTM features on a FortiGate unit may inadvertently increase latency or
block access to certain webpages.
Websites are becoming increasingly integrated with Social Media, File Sharing Services and
other categories which could be blocked by your security policy.
The below steps demonstrate how you can use the debugging tools in Internet Explorer to
diagnose slow loading web pages.
Step 1
Launch Internet Explorer and press F12 to open the Developer Tools. A box will appear at
the bottom of IE.
Step 2
Select the Network Tab and click Start Capturing. This will capture all network activity that
occurs when visiting a web page.
Step 3
Navigate to the website you are trying to diagnose and load the page. You should immediately start seeing data in the capture field. URLs with a result of “Pending” instead of “GET” usually point to the request being blocked or intercepted. The Timing tab shows which sections of the web page took the longest to load and their latency.
In the example below we are navigating to www.cnn.com. Social Media is blocked on the
FortiGate Unit. You can see that the Facebook connections are in the “pending” state due
to it being intercepted by the FortiGate.
Following the above steps will help you diagnose these issues very quickly and add
exception rules to enhance user experience!
Happy capturing!
Block
Prevents users from accessing the website by delivering a warning message when access is denied.
Allow
Allows user to access a certain website. Traffic is passed on to additional Fortinet security functions for inspection
as needed.
Monitor
Allows users to access a certain website. Web site traffic is allowed to bypass additional Fortinet security
functions. A log message will be generated each time a matching traffic session is established.
Exempt
Allows a user to access a certain website. Web site traffic is allowed to bypass additional Fortinet security
functions. Exempt bypasses the entire URL connection and does not require re-scanning while the connection
remains open.
Example -
Recommendations
Use Monitor when you are unsure if Exempt is needed.
Use Exempt only if you trust the content of the site you exempt, otherwise there may be a security risk.
There are two modes available to you when configuring HA for a FortiGate Cluster, Active-Active or Active-
Passive. The section below outlines the main differences between the two modes.
Active-Active
Load balances UTM (Antivirus, IPS, Web Filtering, etc.) packets between all cluster units. This can lead
to overall improvement in UTM performance by sharing the processing load among the cluster units.
The following sessions are processed by the primary unit & not load balanced: UDP, ICMP, Multicast,
Broadcast, VoIP, IM, P2P, IPSEC VPN, HTTPS, SSL VPN, HTTP Multiplexing, SSL Offloading, WAN
Optimization, Explicit Web Proxy & WCCP sessions.
TCP traffic is not load balanced by default. It is recommended to test this setting in your environment as it
may degrade performance rather than increase. The overhead required to load balance TCP traffic is as
much as just processing it.
If the primary unit fails, the other unit negotiates and becomes the primary unit; it keeps the HA virtual MAC address for all of its interfaces, so neighbours' ARP entries stay valid.
Session failover is provided for all TCP sessions except UTM-inspected, UDP, ICMP, multicast and broadcast sessions. This requires Session Pickup to be turned on.
Active-Passive
All traffic is processed by the primary FortiGate unit.
Provides hot-standby failover protection.
The subordinate unit does not process communication sessions; its configuration is synchronized with the primary unit.
Can be a more robust session failover solution than Active-Active by handling the failover of UDP, ICMP, multicast and broadcast sessions better. This is very condition specific: the cluster does not specifically support failover of these packets.
Recommendations
Utilize Active-Active mode if you are utilizing UTM features.
Utilize Active-Passive mode if you are not utilizing UTM features.
Utilize Session Failover to maintain TCP, SIP & IPsec VPN sessions after a failure
Unit in Active-Passive Mode