tag:blogger.com,1999:blog-15329202671887395182026-03-29T11:31:11.614-05:00A real world resource for Fortinet firewalls including How-Tos and Frequently Asked QuestionsSebastianhttp://www.blogger.com/profile/15029150331907372597noreply@blogger.comBlogger207125tag:blogger.com,1999:blog-1532920267188739518.post-53127713800091316832022-06-13T15:29:00.000-05:002022-06-13T15:29:03.947-05:00

This message is somewhat misleading.One of our users was attempting to login to the VPN and their Active Directory password had expired.When they tried to follow the steps to enter their new password they received the above error message.The root cause was that the new password they were trying to use did not meet the Active Directory password complexity requirements.So while the error message

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com2tag:blogger.com,1999:blog-1532920267188739518.post-62394159882077277602022-03-23T22:14:00.000-05:002022-03-23T22:14:07.614-05:00

 We noticed during recent testing that FortiClient 7.0.2 has an issue with Firefox, specifically any Google services such as Google Search and GMail.While web-filtering was enabled on the client an initial access to Google would work in Firefox, however after a minute or so nothing would happen when trying to refresh the browser session.The root cause appears to be related to 0RTT (Zero

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com2tag:blogger.com,1999:blog-1532920267188739518.post-28214614677496245932020-09-02T16:21:00.002-05:002020-09-02T16:21:11.920-05:00

 I noticed today that when you logout from your cloud based FortiClient EMS instance and then try to login again you receive the following error message in Firefox:{"result": {"retval": 0, "message": "Local signin is not available in EMS Cloud"}}  It appears to be a cookie related issue in Firefox. When I delete any cookies in the browser referencing "forticlient" I am able to

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com3tag:blogger.com,1999:blog-1532920267188739518.post-29318241853169421202018-08-23T14:38:00.001-05:002018-08-23T14:40:06.342-05:00

If you are upgrading from version 5.4.5, 5.4.6, or 5.4.7 to FortiOS 5.6.3, the IPsec phase1 psksecret setting might be lost. To avoid this, upgrade to FortiOS 5.6.2 and then to 5.6.3. If the psksecret setting is lost, you will need to reconfigure it after upgrading. Even if you have saved configs you will need to reset the passwords since FortiOS 5.6.3 will not allow you to paste the encrypted

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com23tag:blogger.com,1999:blog-1532920267188739518.post-25508107859879959892016-12-29T14:58:00.002-06:002016-12-29T14:58:38.564-06:00

I'm getting ready to migrate a number of Cisco ASA firewalls to Fortigate. Fortinet sells a ~$4000 license for their FortiConverter which I didn't want to spend. My goal was to automate the conversion of objects which will save time and virtually eliminate the possibility of typos. The below perl script is what I came up with. -Syntax: "perl converter.pl <ASA config file name>" (e.g. "

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com16tag:blogger.com,1999:blog-1532920267188739518.post-43500562128602149262016-12-29T13:39:00.003-06:002016-12-29T13:41:08.700-06:00

There's nothing worse than remotely configuring a firewall and then loosing access once you've made your changes. Having a failsafe mechanism in place to revert to a previous config automatically will help you minimise potential issues and save you alot of stress! Luckily FortiOS gives you a few options on how to save your running config which we'll discuss below. We'll go through each of

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com1tag:blogger.com,1999:blog-1532920267188739518.post-55252034528437197162015-10-01T15:24:00.001-05:002015-10-01T15:24:17.020-05:00

When you login to the CLI via a RADIUS or TACACS account and you then use "exec ha manage 1" to manage the subordinate unit you have to re-enter your user credentials. I remember seeing this in my TAM days. I'll submit a feature request to have the authentication carried over.

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com4tag:blogger.com,1999:blog-1532920267188739518.post-29255755289196654942015-08-21T10:37:00.000-05:002015-08-21T10:37:05.590-05:00

Here's one for the serious customizer. If you are wanting to only accept IPSEC VPN connections via FortiClient and you don't want/need the SSL VPN portal here's the CLI config for turning off the SSL VPN page. config vpn ssl settings set sslvpn-enable disable end

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com0tag:blogger.com,1999:blog-1532920267188739518.post-4314619269225249942015-08-19T11:14:00.002-05:002015-08-19T11:14:40.708-05:00

Wow .. it's been a while :) Haven't worked at Fortinet since January of this year. But my new gig just invested in Fortinet equipment. So stay tuned for new posts!

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com4tag:blogger.com,1999:blog-1532920267188739518.post-83814856519443405012014-11-03T17:12:00.000-06:002014-11-03T17:12:09.559-06:00

There may come a time when you have rev.1 and rev.2 hardware of a particular platform that you're trying to form an HA cluster with. To successfully accomplish this you need to tell the firewall to ignore the difference in hardware revision. In FortiOS 4.3 and earlier: config system global set ignore-hardware-revision enable end In FortiOS 5.0 and later: exec ha ignore-hardware-revision enable

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com1tag:blogger.com,1999:blog-1532920267188739518.post-59185437098561321902014-09-25T16:47:00.000-05:002014-09-25T16:47:34.318-05:00

FortiGuard Advisory with status of affected products FortiGuard Shellshock Blog Post

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com0tag:blogger.com,1999:blog-1532920267188739518.post-60463642197414458722014-09-25T10:44:00.001-05:002014-09-25T10:44:38.018-05:00

The newly announced Bash / Shellshock vulnerability is document in CVE2014-6271. Here are IPS rules for immediate manual deployment. Fortinet has already generated a new IPS signature, Bash.Function.Definitions.Remote.Code.Execution, which will be released in the next few hours after it has passed the QA testing process. Fortigate firewalls do NOT use Bash and are not vulnerable to this exploit

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com0tag:blogger.com,1999:blog-1532920267188739518.post-85295607563581845752014-09-15T10:39:00.003-05:002014-09-15T10:40:13.233-05:00

By default smaller Fortigate units such as the 60D or 90D series combine their interfaces into a virtual switch. Via a configuration change all ports can be assigned to their own broadcast domains. This is useful for example if you want to configure a number of different trunk ports. By default the firewalls are also configured with basic policies that permit and NAT outbound traffic as well as

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com0tag:blogger.com,1999:blog-1532920267188739518.post-80790601831320980092014-08-27T13:57:00.001-05:002014-08-27T13:57:14.697-05:00

When setting up a new FortiGate you tend to receive a lot of logs for traffic destined to 255.255.255.255 (aka the global broadcast address) or x.x.x.255 (your local subnet broadcast address). To reduce clutter and have the firewall drop these broadcasts silently use: FortiAnalyzer: config log fortianalyzer filter    set local-traffic disableend Log Disk config log disk filter

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com0tag:blogger.com,1999:blog-1532920267188739518.post-90181775478823594562014-07-29T13:42:00.002-05:002014-07-29T13:43:09.097-05:00

In FortiOS 5.2 and higher you can dedicate one of the CPUs for management access, in other words GUI and CLI access. If the system is running under extremely high loads this will guarantee access to management functions. This feature is available in 2U firewalls and blades only that have multiple CPUs. To enable this feature (default disabled): conf system npu    set

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com0tag:blogger.com,1999:blog-1532920267188739518.post-61056538459947406392014-07-21T09:26:00.001-05:002014-07-21T09:26:50.607-05:00

Very useful resource for diagnostic commands. http://wiki.diagnose.fortinet.com:1080/index.php/Overview

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com4tag:blogger.com,1999:blog-1532920267188739518.post-71537865636644345512014-05-15T14:18:00.001-05:002014-05-15T14:23:04.323-05:00

If you have a local certificate on the Fortigate and the original certificate request (csr) was generated on the Fortigate then the private key resides on the Fortigate and you need to export this in order to install your signed certificate on another server. The problem with the Fortigate certificate export feature is that it will only export the signed certificate (which you likely already

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com0tag:blogger.com,1999:blog-1532920267188739518.post-56679021037922301862014-04-11T16:15:00.002-05:002014-04-11T16:19:48.969-05:00

Anyone running FortiOS 5.0 GA to 5.0.6 can protect the firewall itself by limiting access to the firewall's Admin interface using "Trusted Hosts" in the Admin profiles or  configuring an interface policy as per below config firewall interface-policy edit 1 set interface "wan1" set srcaddr "all" set dstaddr "all" set service "HTTPS" set

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com0tag:blogger.com,1999:blog-1532920267188739518.post-68419899056148359982014-04-09T10:41:00.003-05:002014-04-09T10:41:32.623-05:00

Here is some more information from FortiGuard http://www.fortiguard.com/advisory/FG-IR-14-011/

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com0tag:blogger.com,1999:blog-1532920267188739518.post-90096288677859266272014-04-08T13:51:00.001-05:002014-04-08T13:52:55.923-05:00

Sometimes it can be useful to export and analyze rules in a CSV type format. This comes in especially handy when working with long and complex firewall policies. I came across the perl script below that takes firewall policies from a text file and performs the CSV conversion for you. Syntax: csvparse.pl rules.txt <rules.txt> should be in the following format: config firewall policy

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com24tag:blogger.com,1999:blog-1532920267188739518.post-62336744096729068702014-04-08T10:48:00.000-05:002014-04-08T10:53:55.262-05:00

You can use the following custom IPS signature to detect and block the recently disclosed OpenSSL "Heartbleed" vulnerability. F-SBID( --name "OpenSSL.TLS.Heartbeat.Information.Disclosure"; --protocol tcp;  --flow from_client; --service SSL; --pattern "|18|"; --context packet; --within 1,context; --byte_test 2,>,255,2,relative; ) More information about the vulnerability can be found here

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com1tag:blogger.com,1999:blog-1532920267188739518.post-27875946215347278982014-03-18T14:12:00.001-05:002014-03-18T14:12:43.947-05:00

You can use SCEP to auto-enroll devices in FortiAuthenticator as well as retrieve CRLs. When configuring this on a firewall or other device the correct URL to use is: http://<fortiauth IP>/cert/scep I have asked the technical documentation team to add this to the FortiAuthenticator Admin Guide.

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com3tag:blogger.com,1999:blog-1532920267188739518.post-86584474761079093452014-03-14T09:20:00.005-05:002014-09-15T13:38:37.905-05:00

When inspecting DNS traffic it can be useful to log the domain names that are part of the DNS request. In order to accomplish this you can use a custom IPS signature: IPS Custom Signature: F-SBID( --attack_id 4153; --name DOM-ALL; --protocol udp; --service dns; --log DNS_QUERY;) The signature below allows you to search for and prevent DNS lookups for a specified domain, in this example

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com0tag:blogger.com,1999:blog-1532920267188739518.post-25369584243997418982014-03-05T12:44:00.003-06:002014-03-20T15:22:48.245-05:00

VDOMs have quite a number of dependencies that need to be deleted before you can get rid of the VDOM itself. Below is a useful little script that goes through all the sections and purges them so the VDOM can be deleted. Adjust it as needed. ## This script needs to be run interactively. In other words you cannot copy and paste the whole script. You have to acknowledge each purge command. ##

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com2tag:blogger.com,1999:blog-1532920267188739518.post-52434083223034534312014-02-27T12:15:00.003-06:002014-02-27T12:16:30.233-06:00

When you replace firewall hardware that's reporting into a FortiAnalyzer due to an RMA or other failure it's important to make sure you update FortiAnalyzer with the new serial number of the device. Use the following command on the FAZ: execute device replace <old serial number> <name> <new serial number>

Sebastianhttp://www.blogger.com/profile/08701147779838193450noreply@blogger.com0