Firewall Guru

tag:blogger.com,1999:blog-1532920267188739518Thu, 09 Apr 2026 06:15:31 +0000fortigatesoftwarefortiosCLIfortimanagerfortianalyzerpotential bugstroubleshootingtips+tricksfortimailconfiguration examplesdebugforticlientVPNfortiwebguifortidbfirmware updatesipsecaccess listsdynamic routingfortiapfortigate-onehardwareinterface modeipv6SSL VPNapplication controlclouddon't try this at homeexperimentalforticarrierfortiscanfortiswitchfortivmlinksnew featuresospfperformancereviewshortcutstotally obvious thingsFirewall GuruA real world resource for Fortinet firewalls including How-Tos and Frequently Asked Questionshttp://firewallguru.blogspot.com/noreply@blogger.com (Sebastian)Blogger207125tag:blogger.com,1999:blog-1532920267188739518.post-5312771380009131683Mon, 13 Jun 2022 20:29:00 +00002022-06-13T15:29:03.947-05:00FortiClient - RSA New Pin Is Wrong (-7201) errorThis message is somewhat misleading.One of our users was attempting to login to the VPN and their Active Directory password had expired.When they tried to follow the steps to enter their new password they received the above error message.The root cause was that the new password they were trying to use did not meet the Active Directory password complexity requirements.So while the error message http://firewallguru.blogspot.com/2022/06/forticlient-rsa-new-pin-is-wrong-7201.htmlnoreply@blogger.com (Sebastian)2tag:blogger.com,1999:blog-1532920267188739518.post-6239415988207727760Thu, 24 Mar 2022 03:14:00 +00002022-03-23T22:14:07.614-05:00Problems with FortiClient 7.0.2 and Firefox We noticed during recent testing that FortiClient 7.0.2 has an issue with Firefox, specifically any Google services such as Google Search and GMail.While web-filtering was enabled on the client an initial access to Google would work in Firefox, however after a minute or so nothing would happen when trying to refresh the browser session.The root cause appears to be related to 0RTT (Zero http://firewallguru.blogspot.com/2022/03/problems-with-forticlient-702-and.htmlnoreply@blogger.com (Sebastian)2tag:blogger.com,1999:blog-1532920267188739518.post-2821461467749624593Wed, 02 Sep 2020 21:21:00 +00002020-09-02T16:21:11.920-05:00clouddebugforticlientguipotential bugsFortiClient EMS Cloud Login Problem - Solved I noticed today that when you logout from your cloud based FortiClient EMS instance and then try to login again you receive the following error message in Firefox:{"result": {"retval": 0, "message": "Local signin is not available in EMS Cloud"}}  It appears to be a cookie related issue in Firefox. When I delete any cookies in the browser referencing "forticlient" I am able to http://firewallguru.blogspot.com/2020/09/forticlient-ems-cloud-login-problem.htmlnoreply@blogger.com (Sebastian)3tag:blogger.com,1999:blog-1532920267188739518.post-2931824185316942120Thu, 23 Aug 2018 19:38:00 +00002018-08-23T14:40:06.342-05:00Beware - Upgrade to FortiOS 5.6.3+ with IPSec VPNsIf you are upgrading from version 5.4.5, 5.4.6, or 5.4.7 to FortiOS 5.6.3, the IPsec phase1 psksecret setting might be lost. To avoid this, upgrade to FortiOS 5.6.2 and then to 5.6.3. If the psksecret setting is lost, you will need to reconfigure it after upgrading. Even if you have saved configs you will need to reset the passwords since FortiOS 5.6.3 will not allow you to paste the encrypted http://firewallguru.blogspot.com/2018/08/beware-upgrade-to-fortios-563-with.htmlnoreply@blogger.com (Sebastian)23tag:blogger.com,1999:blog-1532920267188739518.post-2550810785987995989Thu, 29 Dec 2016 20:58:00 +00002016-12-29T14:58:38.564-06:00Cisco ASA to Fortigate conversionI'm getting ready to migrate a number of Cisco ASA firewalls to Fortigate. Fortinet sells a ~$4000 license for their FortiConverter which I didn't want to spend. My goal was to automate the conversion of objects which will save time and virtually eliminate the possibility of typos. The below perl script is what I came up with. -Syntax: "perl converter.pl <ASA config file name>" (e.g. "http://firewallguru.blogspot.com/2016/12/cisco-asa-to-fortigate-conversion.htmlnoreply@blogger.com (Sebastian)16tag:blogger.com,1999:blog-1532920267188739518.post-4350056212860214926Thu, 29 Dec 2016 19:39:00 +00002016-12-29T13:41:08.700-06:00How-to: Automatically revert a config on a FortiGate There's nothing worse than remotely configuring a firewall and then loosing access once you've made your changes. Having a failsafe mechanism in place to revert to a previous config automatically will help you minimise potential issues and save you alot of stress! Luckily FortiOS gives you a few options on how to save your running config which we'll discuss below. We'll go through each of http://firewallguru.blogspot.com/2016/12/how-to-automatically-revert-config-on.htmlnoreply@blogger.com (Sebastian)1tag:blogger.com,1999:blog-1532920267188739518.post-5525203452843719716Thu, 01 Oct 2015 20:24:00 +00002015-10-01T15:24:17.020-05:00HA Console authentication when using remote AuthWhen you login to the CLI via a RADIUS or TACACS account and you then use "exec ha manage 1" to manage the subordinate unit you have to re-enter your user credentials. I remember seeing this in my TAM days. I'll submit a feature request to have the authentication carried over.http://firewallguru.blogspot.com/2015/10/ha-console-authentication-when-using.htmlnoreply@blogger.com (Sebastian)4tag:blogger.com,1999:blog-1532920267188739518.post-2925575528919665494Fri, 21 Aug 2015 15:37:00 +00002015-08-21T10:37:05.590-05:00Disable SSL VPN PortalHere's one for the serious customizer. If you are wanting to only accept IPSEC VPN connections via FortiClient and you don't want/need the SSL VPN portal here's the CLI config for turning off the SSL VPN page. config vpn ssl settings set sslvpn-enable disable end http://firewallguru.blogspot.com/2015/08/disable-ssl-vpn-portal.htmlnoreply@blogger.com (Sebastian)0tag:blogger.com,1999:blog-1532920267188739518.post-431461926922524994Wed, 19 Aug 2015 16:14:00 +00002015-08-19T11:14:40.708-05:00Wow .. it's been a while :) Haven't worked at Fortinet since January of this year. But my new gig just invested in Fortinet equipment. So stay tuned for new posts!http://firewallguru.blogspot.com/2015/08/wow.htmlnoreply@blogger.com (Sebastian)4tag:blogger.com,1999:blog-1532920267188739518.post-8381485651944340501Mon, 03 Nov 2014 23:12:00 +00002014-11-03T17:12:09.559-06:00HA with different revision hardwareThere may come a time when you have rev.1 and rev.2 hardware of a particular platform that you're trying to form an HA cluster with. To successfully accomplish this you need to tell the firewall to ignore the difference in hardware revision. In FortiOS 4.3 and earlier: config system global set ignore-hardware-revision enable end In FortiOS 5.0 and later: exec ha ignore-hardware-revision enablehttp://firewallguru.blogspot.com/2014/11/ha-with-different-revision-hardware.htmlnoreply@blogger.com (Sebastian)1tag:blogger.com,1999:blog-1532920267188739518.post-5918543709856132190Thu, 25 Sep 2014 21:47:00 +00002014-09-25T16:47:34.318-05:00More Shellshock Info FortiGuard Advisory with status of affected products FortiGuard Shellshock Blog Posthttp://firewallguru.blogspot.com/2014/09/more-shellshock-info.htmlnoreply@blogger.com (Sebastian)0tag:blogger.com,1999:blog-1532920267188739518.post-6046364219741445872Thu, 25 Sep 2014 15:44:00 +00002014-09-25T10:44:38.018-05:00Bash Vulnerability SignaturesThe newly announced Bash / Shellshock vulnerability is document in CVE2014-6271. Here are IPS rules for immediate manual deployment. Fortinet has already generated a new IPS signature, Bash.Function.Definitions.Remote.Code.Execution, which will be released in the next few hours after it has passed the QA testing process. Fortigate firewalls do NOT use Bash and are not vulnerable to this exploithttp://firewallguru.blogspot.com/2014/09/bash-vulnerability-signatures.htmlnoreply@blogger.com (Sebastian)0tag:blogger.com,1999:blog-1532920267188739518.post-8529560756358184575Mon, 15 Sep 2014 15:39:00 +00002014-09-15T10:40:13.233-05:00Switching interface modesBy default smaller Fortigate units such as the 60D or 90D series combine their interfaces into a virtual switch. Via a configuration change all ports can be assigned to their own broadcast domains. This is useful for example if you want to configure a number of different trunk ports. By default the firewalls are also configured with basic policies that permit and NAT outbound traffic as well as http://firewallguru.blogspot.com/2014/09/switching-interface-modes.htmlnoreply@blogger.com (Sebastian)0tag:blogger.com,1999:blog-1532920267188739518.post-8079060183132098009Wed, 27 Aug 2014 18:57:00 +00002014-08-27T13:57:14.697-05:00Silence of the Local BroadcastsWhen setting up a new FortiGate you tend to receive a lot of logs for traffic destined to 255.255.255.255 (aka the global broadcast address) or x.x.x.255 (your local subnet broadcast address). To reduce clutter and have the firewall drop these broadcasts silently use: FortiAnalyzer: config log fortianalyzer filter    set local-traffic disableend Log Disk config log disk filter http://firewallguru.blogspot.com/2014/08/silence-of-local-broadcasts.htmlnoreply@blogger.com (Sebastian)0tag:blogger.com,1999:blog-1532920267188739518.post-9018177547882359456Tue, 29 Jul 2014 18:42:00 +00002014-07-29T13:43:09.097-05:00New Feature Highlight: Dedicated Management CPUIn FortiOS 5.2 and higher you can dedicate one of the CPUs for management access, in other words GUI and CLI access. If the system is running under extremely high loads this will guarantee access to management functions. This feature is available in 2U firewalls and blades only that have multiple CPUs. To enable this feature (default disabled): conf system npu    set http://firewallguru.blogspot.com/2014/07/new-feature-highlight-dedicated.htmlnoreply@blogger.com (Sebastian)0tag:blogger.com,1999:blog-1532920267188739518.post-6105653845994740639Mon, 21 Jul 2014 14:26:00 +00002014-07-21T09:26:50.607-05:00Fortinet Diagnostic WIKIVery useful resource for diagnostic commands. http://wiki.diagnose.fortinet.com:1080/index.php/Overviewhttp://firewallguru.blogspot.com/2014/07/fortinet-diagnostic-wiki.htmlnoreply@blogger.com (Sebastian)4tag:blogger.com,1999:blog-1532920267188739518.post-7153786563664434551Thu, 15 May 2014 19:18:00 +00002014-05-15T14:23:04.323-05:00Exporting a local certificate with private keyIf you have a local certificate on the Fortigate and the original certificate request (csr) was generated on the Fortigate then the private key resides on the Fortigate and you need to export this in order to install your signed certificate on another server. The problem with the Fortigate certificate export feature is that it will only export the signed certificate (which you likely already http://firewallguru.blogspot.com/2014/05/exporting-local-certificate-with.htmlnoreply@blogger.com (Sebastian)0tag:blogger.com,1999:blog-1532920267188739518.post-5667902103792230186Fri, 11 Apr 2014 21:15:00 +00002014-04-11T16:19:48.969-05:00Heartbleed - Part 3Anyone running FortiOS 5.0 GA to 5.0.6 can protect the firewall itself by limiting access to the firewall's Admin interface using "Trusted Hosts" in the Admin profiles or  configuring an interface policy as per below config firewall interface-policy edit 1 set interface "wan1" set srcaddr "all" set dstaddr "all" set service "HTTPS" set http://firewallguru.blogspot.com/2014/04/heartbleed-part-3.htmlnoreply@blogger.com (Sebastian)0tag:blogger.com,1999:blog-1532920267188739518.post-6841989905614835998Wed, 09 Apr 2014 15:41:00 +00002014-04-09T10:41:32.623-05:00Heartbleed - Part 2Here is some more information from FortiGuard http://www.fortiguard.com/advisory/FG-IR-14-011/http://firewallguru.blogspot.com/2014/04/heartbleed-part-2.htmlnoreply@blogger.com (Sebastian)0tag:blogger.com,1999:blog-1532920267188739518.post-9009628867785926627Tue, 08 Apr 2014 18:51:00 +00002014-04-08T13:52:55.923-05:00Exporting firewall rules to a CSVSometimes it can be useful to export and analyze rules in a CSV type format. This comes in especially handy when working with long and complex firewall policies. I came across the perl script below that takes firewall policies from a text file and performs the CSV conversion for you. Syntax: csvparse.pl rules.txt <rules.txt> should be in the following format: config firewall policy http://firewallguru.blogspot.com/2014/04/exporting-firewall-rules-to-csv.htmlnoreply@blogger.com (Sebastian)24tag:blogger.com,1999:blog-1532920267188739518.post-6233674409672906870Tue, 08 Apr 2014 15:48:00 +00002014-04-08T10:53:55.262-05:00Heartbleed OpenSSL VulnerabilityYou can use the following custom IPS signature to detect and block the recently disclosed OpenSSL "Heartbleed" vulnerability. F-SBID( --name "OpenSSL.TLS.Heartbeat.Information.Disclosure"; --protocol tcp;  --flow from_client; --service SSL; --pattern "|18|"; --context packet; --within 1,context; --byte_test 2,>,255,2,relative; ) More information about the vulnerability can be found herehttp://firewallguru.blogspot.com/2014/04/heartbleed-openssl-vulnerability.htmlnoreply@blogger.com (Sebastian)1tag:blogger.com,1999:blog-1532920267188739518.post-2787594621534727898Tue, 18 Mar 2014 19:12:00 +00002014-03-18T14:12:43.947-05:00FortiAuthenticator SCEPYou can use SCEP to auto-enroll devices in FortiAuthenticator as well as retrieve CRLs. When configuring this on a firewall or other device the correct URL to use is: http://<fortiauth IP>/cert/scep I have asked the technical documentation team to add this to the FortiAuthenticator Admin Guide.http://firewallguru.blogspot.com/2014/03/fortiauthenticator-scep.htmlnoreply@blogger.com (Sebastian)3tag:blogger.com,1999:blog-1532920267188739518.post-8658447476107909345Fri, 14 Mar 2014 14:20:00 +00002014-09-15T13:38:37.905-05:00Logging DNS RequestsWhen inspecting DNS traffic it can be useful to log the domain names that are part of the DNS request. In order to accomplish this you can use a custom IPS signature: IPS Custom Signature: F-SBID( --attack_id 4153; --name DOM-ALL; --protocol udp; --service dns; --log DNS_QUERY;) The signature below allows you to search for and prevent DNS lookups for a specified domain, in this example http://firewallguru.blogspot.com/2014/03/logging-dns-requests.htmlnoreply@blogger.com (Sebastian)0tag:blogger.com,1999:blog-1532920267188739518.post-2536958424399741898Wed, 05 Mar 2014 18:44:00 +00002014-03-20T15:22:48.245-05:00Deleting VDOMsVDOMs have quite a number of dependencies that need to be deleted before you can get rid of the VDOM itself. Below is a useful little script that goes through all the sections and purges them so the VDOM can be deleted. Adjust it as needed. ## This script needs to be run interactively. In other words you cannot copy and paste the whole script. You have to acknowledge each purge command. ## http://firewallguru.blogspot.com/2014/03/deleting-vdoms.htmlnoreply@blogger.com (Sebastian)2tag:blogger.com,1999:blog-1532920267188739518.post-5243408322303453431Thu, 27 Feb 2014 18:15:00 +00002014-02-27T12:16:30.233-06:00Replacing firewall hardware which is logging to a FortiAnalyzerWhen you replace firewall hardware that's reporting into a FortiAnalyzer due to an RMA or other failure it's important to make sure you update FortiAnalyzer with the new serial number of the device. Use the following command on the FAZ: execute device replace <old serial number> <name> <new serial number>http://firewallguru.blogspot.com/2014/02/replacing-firewall-hardware-and.htmlnoreply@blogger.com (Sebastian)0