
NGFW mode in the VDOM – NAT & SSL Inspection considerations (407547)

Due to how the NGFW Policy mode works, it can get complicated in the two areas of NAT and SSL Deep Inspection. To match an application against a policy, some traffic has to pass through the FortiGate in order to be properly identified. Once that happens, the session may end up getting mapped to a different policy, where the new policy will be appropriately enforced.

NAT

In the case of NAT being used, the first policy that is triggered to identify the traffic might require NAT enabled for it to work correctly, i.e., without NAT enabled the traffic may never be identified, and thus never fall through. Let’s use a very simple example:

Policy 1: Block Youtube

Policy 2: Allow everything else (with NAT enabled)

Any new session established will never be identified immediately as YouTube, so it’ll match policy #1 and let some traffic go to try and identify it. Without NAT enabled to the Internet, the session will never be set up and is thus stuck here.

Solution:

  • NAT for NGFW policies must be done via Central SNAT Map.
  • Central SNAT Map entries now have options for ‘srcintf’, ‘dstintf’ and ‘action’.
  • If no IP-pools are specified in the Central SNAT entry, then the outgoing interface address will be used.
  • NGFW policies now must use a single default ssl-ssh-profile. The default ssl-ssh-profile can be configured under the system settings table.

SSL

In the case of SSL inspection, the issue is a bit simpler. For each policy there are 3 choices:

  1. No SSL
  2. Certificate Only
  3. Deep Inspection

For 1. and 2. there is no conflict; the user can enable them interchangeably and allow policy fallthrough.

The issue happens when:

  • The first policy matched uses Certificate Only
  • After the application is detected, the session is re-mapped to a new policy which has Deep Inspection enabled

This switching of behavior is the main cause of the issue.

Solution:

  • Multiple SSL profiles have been replaced with a single page of settings.
  • The user can set up exemptions for destination web category, source IP, and so on.
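To make the two fall-through problems above (NAT and SSL inspection) concrete, here is an added Python model, example code rather than FortiOS or Fortinet Guru material, that matches a session before and after application identification and compares the NAT and SSL decisions that would apply to it. The Policy, CentralSnatEntry and Vdom structures, the matching order, the interface names "internal" and "wan1" and the application name "Dropbox" are assumptions made for the illustration, not FortiOS internals.

```python
"""Added example (not FortiOS code): a small model of the two-phase policy
matching described above. It shows why per-policy NAT and per-policy SSL
inspection settings become unreliable in NGFW policy-based mode, and why
moving NAT to the Central SNAT map and SSL inspection to one VDOM default
removes the problem. Structures, field names and match order are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    pid: int
    action: str                # "accept" or "deny"
    app: Optional[str] = None  # application match criterion; None = any
    nat: bool = False          # per-policy NAT (only honoured in profile-based mode)
    ssl: str = "none"          # "none", "certificate" or "deep"


@dataclass(frozen=True)
class CentralSnatEntry:
    srcintf: str               # interface name or "any"
    dstintf: str               # interface name or "any"
    nat: bool                  # the entry's action/nat flag


@dataclass(frozen=True)
class Vdom:
    ngfw_mode: str             # "profile-based" or "policy-based"
    policies: List[Policy]
    central_snat: List[CentralSnatEntry]
    ssl_ssh_profile: str       # VDOM default used in policy-based mode


def first_match(policies: List[Policy], app: Optional[str]) -> Optional[Policy]:
    """First policy in order whose application criterion is satisfied.

    app=None models a brand-new session whose application is not yet known:
    the first policy in the list is matched provisionally so that enough
    traffic can flow for the application engine to identify the session."""
    for p in policies:
        if p.app is None or app is None or p.app == app:
            return p
    return None


def effective_nat(vdom: Vdom, policy: Policy, srcintf: str, dstintf: str) -> bool:
    """NAT decision for a flow: per policy in profile-based mode, per
    interface pair from the Central SNAT map in policy-based mode."""
    if vdom.ngfw_mode == "profile-based":
        return policy.nat
    for e in vdom.central_snat:
        if e.srcintf in (srcintf, "any") and e.dstintf in (dstintf, "any"):
            return e.nat
    return False


def effective_ssl(vdom: Vdom, policy: Policy) -> str:
    """SSL inspection level: per policy, or the single VDOM default."""
    return policy.ssl if vdom.ngfw_mode == "profile-based" else vdom.ssl_ssh_profile


def simulate(vdom: Vdom, srcintf: str, dstintf: str, identified_app: str) -> dict:
    """Match a session before and after application identification and
    report the two fall-through problems described in the text."""
    initial = first_match(vdom.policies, None)
    final = first_match(vdom.policies, identified_app)
    issues = []
    if initial and final and initial.pid != final.pid:
        if (not effective_nat(vdom, initial, srcintf, dstintf)
                and effective_nat(vdom, final, srcintf, dstintf)):
            issues.append(f"policy {initial.pid} is hit first without NAT: the "
                          f"session may never establish and never be identified")
        if (effective_ssl(vdom, initial) == "certificate"
                and effective_ssl(vdom, final) == "deep"):
            issues.append(f"SSL inspection switches from certificate-only (policy "
                          f"{initial.pid}) to deep (policy {final.pid}) mid-session")
    return {"initial": initial.pid if initial else None,
            "final": final.pid if final else None,
            "issues": issues}


# The two-policy example from the text, first with per-policy settings.
POLICIES = [
    Policy(pid=1, action="deny", app="YouTube", nat=False, ssl="certificate"),
    Policy(pid=2, action="accept", nat=True, ssl="deep"),
]
PROFILE_BASED = Vdom("profile-based", POLICIES, [], "certificate")
# Same policies after the fix: NAT decided by the Central SNAT map for the
# interface pair, SSL inspection fixed by the VDOM default profile.
POLICY_BASED = Vdom("policy-based", POLICIES,
                    [CentralSnatEntry("any", "wan1", nat=True)], "deep")

if __name__ == "__main__":
    # "Dropbox" is a constructed name for a session that is not YouTube.
    print(simulate(PROFILE_BASED, "internal", "wan1", "Dropbox"))
    print(simulate(POLICY_BASED, "internal", "wan1", "Dropbox"))
```

With per-policy settings the unidentified session lands on policy 1 (no NAT, certificate-only) and is re-mapped to policy 2 (NAT, deep inspection) once identified, so both issues are reported; with the Central SNAT map and the VDOM default profile the same re-mapping changes neither decision.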

CLI

Changes

config system settings
    set inspection-mode flow
    set policy-mode [standard | ngfw]

Has been changed to:

config system settings
    set inspection-mode flow
    set ngfw-mode [profile-based | policy-based]

  • ngfw-mode – Next Generation Firewall mode.
  • profile-based – Application and web-filtering is configured using profiles applied to policy entries.
  • policy-based – Application and web-filtering is configured as policy match conditions.

Additions

Setting the vdom default ssl-ssh-profile

config system settings
    set inspection-mode flow
    set ngfw-mode policy-based
    set ssl-ssh-profile <profile>

  • ssl-ssh-profile – VDOM SSL SSH profile.

Setting srcintf, dstintf, action on the central-snat policy

config firewall central-snat-map
    edit <id>
        set srcintf <names or any>
        set dstintf <names or any>
        set action (permit | deny)

  • srcintf – Source interface name.
  • dstintf – Destination interface name.
  • action – Action of central SNAT policy.

GUI

System settings, VDOM settings list/dialog:

  • A field has been added to show the default ssl-ssh-profile.

IPv4/v6 Policy list and dialogs:

  • In NGFW policy-based mode, there are added tool tips under NAT columns/fields to indicate that NAT must be configured via Central SNAT Map. Additionally, links to redirect to the Central SNAT list were added.
  • Default ssl-ssh-profile is shown in the policy list and dialog for any policies doing NGFW (application, application-categories, url-categories) or UTM (av-profile etc.) inspection.
  • Default ssl-ssh-profile is disabled from editing in the policy list dialog.

Central SNAT Policy list and dialogs:

  • In both profile-based and policy-based ngfw-mode, fields for srcintf, dstintf were added to Central SNAT policy entries.
  • In policy-based mode only, a toggle-switch for NAT Action was added in the Central SNAT policy dialog. The action is also configurable from the Action column in the Central SNAT policy list.

SSL/SSH Inspection list:

  • In policy-based mode only, the navigation bar link to SSL/SSH Inspection redirects to the profiles list.
  • In policy-based mode only, the SSL/SSH Inspection list table indicates which profile is the current VDOM default.

Additionally, options are provided in the list menu and context menu to change the current VDOM default.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Changes to SSL abbreviate handshake (407544)

The SSL handshake process has changed to make troubleshooting easier.

  • In order to better identify which clients have caused SSL errors, the WAD SSL log will use the original source address rather than the source address of packets.
  • The return value of wad_ssl_set_cipher is checked.
  • The wad_ssl_session_match has been removed because it will add the connection into the bypass cache and bypass further inspection.
  • DSA and ECDSA certificates are filtered for admin-server-cert.
  • cert-inspect is reset after a WAD match to a Layer 7 policy.
  • An option to disable the use of SSL abbreviate handshake has been added.

CLI addition

config firewall ssl setting
    set abbreviate-handshake [enable | disable]
end



Internet service configuration (405518)

To make the CLI configuration of Internet services more intuitive, the settings for Internet service in the Explicit Web proxy are now closer to those in the Firewall policy. An Internet service enable switch has been added to the Explicit Web proxy with the same text description as the Firewall policy.

CLI:

The relevant options in the firewall policy are:

config firewall policy
    edit 1
        set internet-service enable
        set internet-service-id 327681 1572864 917519 393225 1572888 1572877 917505
    next
end

The Explicit Web proxy now has these options:

config firewall explicit-proxy-policy
    edit 1
        set uuid f68e0426-dda8-51e6-ac04-37fc3f92cadf
        set proxy web
        set dstintf "port9"
        set srcaddr "all"
        set internet-service 2686980
        set action accept
        set schedule "always"
        set logtraffic all
    next
end



AWS API integration for dynamic firewall address object (400265)

Some new settings have been added to the CLI that support instance information being retrieved directly from the AWS server. The IP address of a newly launched instance can be automatically added to a certain firewall address group if it meets specific requirements. The new address type is ADDR_TYPE_AWS.

New CLI configuration settings:

The AWS settings:

config aws
    set access-key
    set secret-key
    set region
    set vpc-id
    set update-interval

  • access-key – AWS access key.
  • secret-key – AWS secret key.
  • region – AWS region name.
  • vpc-id – AWS VPC ID.
  • update-interval – AWS service update interval (60 – 600 sec, default = 60).

The AWS address:

config firewall address
    edit <address name>
        set type aws
        set filter <filter values>

The filter can be a combination of any number of conditions, as long as the total length of the filter is less than 2048 bytes. The syntax for the filter is:

<key1=value1> [& <key2=value2>] [| <key3=value3>]

Each condition consists of a key and a value. The supported keys are:

  1. instanceId (e.g. instanceId=i-12345678)
  2. instanceType (e.g. instanceType=t2.micro)
  3. imageId (e.g. imageId=ami-123456)
  4. keyName (e.g. keyName=aws-key-name)
  5. architecture (e.g. architecture=x86)
  6. subnetId (e.g. subnetId=sub-123456)
  7. availabilityzone (e.g. placement.availabilityzone=us-east-1a)
  8. groupname (e.g. placement.groupname=group-name)
  9. tenancy (e.g. placement.tenancy=tenancy-name)
  10. privateDnsName (e.g. privateDnsName=ip-172-31-10-211.us-west-2.compute.internal)
  11. publicDnsName (e.g. publicDnsName=ec2-54-202-168-254.us-west-2.compute.amazonaws.com)
  12. AWS instance tag; each tag includes a key and value, and the format of a tag condition is tag.Name=Value. A maximum of 8 tags are supported.
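The filter grammar above is compact enough to be worth validating and evaluating offline before it goes into a production address object. The following is an added Python example, not FortiOS code, that enforces the constraints listed here (supported keys, tag.Name=Value form, at most 8 tags, under 2048 bytes) and resolves a filter against a few constructed instance records. FortiOS does not state the operator precedence, so the example assumes that & binds tighter than | (a filter is an OR of AND-groups) and that &, | and = never occur inside values; the instance dictionaries, including the privateIpAddress field, are constructed sample data.

```python
"""Added example (not FortiOS code): validator and evaluator for the dynamic
AWS address filter syntax

    <key1=value1> [& <key2=value2>] [| <key3=value3>]

Assumptions: '&' binds tighter than '|'; operators never appear in values;
instance records are plain dicts with the keys used in the filter plus a
'tags' dict and a constructed 'privateIpAddress' field."""
from typing import Dict, List, Tuple

# Keys listed in the text (placement.* in the form the examples use).
SUPPORTED_KEYS = {
    "instanceId", "instanceType", "imageId", "keyName", "architecture",
    "subnetId", "placement.availabilityzone", "placement.groupname",
    "placement.tenancy", "privateDnsName", "publicDnsName",
}
MAX_FILTER_BYTES = 2048   # "total length of filter is less than 2048 bytes"
MAX_TAGS = 8              # "maximum of 8 tags are supported"

Condition = Tuple[str, str]


def parse_filter(expr: str) -> List[List[Condition]]:
    """Validate a filter and return it as a list of AND-groups joined by OR.

    Raises ValueError for an over-long filter, an unsupported key, a
    condition without '=' or more than MAX_TAGS tag conditions."""
    if len(expr.encode("utf-8")) >= MAX_FILTER_BYTES:
        raise ValueError("filter must be shorter than %d bytes" % MAX_FILTER_BYTES)
    groups: List[List[Condition]] = []
    tag_conditions = 0
    for disjunct in expr.split("|"):
        group: List[Condition] = []
        for cond in disjunct.split("&"):
            if "=" not in cond:
                raise ValueError("condition without '=': %r" % cond.strip())
            key, value = (part.strip() for part in cond.split("=", 1))
            if key.startswith("tag."):
                if len(key) == len("tag."):
                    raise ValueError("tag condition with empty tag name")
                tag_conditions += 1
            elif key not in SUPPORTED_KEYS:
                raise ValueError("unsupported filter key: %r" % key)
            group.append((key, value))
        groups.append(group)
    if tag_conditions > MAX_TAGS:
        raise ValueError("at most %d tag conditions are supported" % MAX_TAGS)
    return groups


def instance_matches(instance: Dict, groups: List[List[Condition]]) -> bool:
    """True when at least one AND-group holds for the instance record."""
    def holds(key: str, value: str) -> bool:
        if key.startswith("tag."):
            return instance.get("tags", {}).get(key[len("tag."):]) == value
        return instance.get(key) == value
    return any(all(holds(k, v) for k, v in group) for group in groups)


def resolve_address(expr: str, instances: List[Dict]) -> List[str]:
    """IPs a 'type aws' address with this filter would currently contain."""
    groups = parse_filter(expr)
    return sorted(i["privateIpAddress"] for i in instances if instance_matches(i, groups))


# Constructed sample inventory, shaped like the attributes the filter keys name.
SAMPLE_INSTANCES = [
    {"instanceId": "i-0aaa111", "instanceType": "t2.micro", "imageId": "ami-aaa111",
     "placement.availabilityzone": "us-east-1a", "tags": {"Role": "web"},
     "privateIpAddress": "10.0.1.10"},
    {"instanceId": "i-0bbb222", "instanceType": "t2.micro", "imageId": "ami-bbb222",
     "placement.availabilityzone": "us-east-1b", "tags": {"Role": "db"},
     "privateIpAddress": "10.0.1.11"},
    {"instanceId": "i-0ccc333", "instanceType": "m4.large", "imageId": "ami-123456",
     "placement.availabilityzone": "us-east-1a", "tags": {},
     "privateIpAddress": "10.0.2.5"},
]

if __name__ == "__main__":
    print(resolve_address("instanceType=t2.micro & tag.Role=web | imageId=ami-123456",
                          SAMPLE_INSTANCES))
```

Because the address is resolved again every update-interval, the same filter can pull a new instance into an address group the moment it appears; keeping filters narrow (tags plus subnet or image rather than instanceType alone) limits what a newly launched instance is automatically allowed to reach.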


Firewall (5.6)

New firewall features added to FortiOS 5.6.

Optimization of the firewall Service cache (355819)

In order to improve the efficiency and performance of the firewall Service cache, the following improvements have been made:

  • The logic behind the structure of the cache has been simplified. Instead of storing ranges of port numbers, each individual port number is stored in the cache.
  • Separate caches are created for each VDOM so that cache searches are faster.
  • The performance of more frequently used cases has been increased.
  • Hash tables are used to improve the performance of complex cases. These could include such instances as:
      • service names tied to specific IP ranges
      • redefinition (one port number with multiple service names)
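The bullet points describe a data structure; the following added Python example (not FortiOS code) builds a cache along the same lines: one hash-table key per individual port rather than stored ranges, a separate table per VDOM, and keys that may carry several names (redefinition) or a name that only applies to a destination IP range. The ServiceCache class, its method names and the sample entries (the 192.0.2.0/24 range and the ALT-DNS name in particular) are constructed for the illustration.

```python
"""Added example (not FortiOS code): a per-VDOM service-name cache built the
way the text describes. Every individual port is a hash-table key, each VDOM
has its own table, and a key may hold several names or names restricted to
an IP range. Class and method names are assumptions for this illustration."""
import ipaddress
from collections import defaultdict
from typing import Any, Dict, List, Optional, Tuple

Key = Tuple[str, int]              # (protocol, port)
Entry = Tuple[str, Optional[Any]]  # (service name, ip_network or None)


class ServiceCache:
    def __init__(self) -> None:
        # vdom -> (proto, port) -> [(name, network-or-None), ...]
        self._tables: Dict[str, Dict[Key, List[Entry]]] = {}

    def add(self, vdom: str, name: str, proto: str, port_low: int,
            port_high: Optional[int] = None, iprange: Optional[str] = None) -> int:
        """Insert a service; a port range is expanded into one key per port so
        that lookups never scan ranges. Returns the number of keys written."""
        high = port_low if port_high is None else port_high
        if not 0 <= port_low <= high <= 65535:
            raise ValueError("bad port range %d-%d" % (port_low, high))
        net = ipaddress.ip_network(iprange, strict=False) if iprange else None
        table = self._tables.setdefault(vdom, defaultdict(list))
        for port in range(port_low, high + 1):
            table[(proto, port)].append((name, net))
        return high - port_low + 1

    def lookup(self, vdom: str, proto: str, port: int,
               dst_ip: Optional[str] = None) -> List[str]:
        """All service names defined for (proto, port) in this VDOM, in the
        order they were added. Names tied to an IP range are returned only
        when dst_ip falls inside that range. One hash lookup per call."""
        table = self._tables.get(vdom, {})
        names: List[str] = []
        for name, net in table.get((proto, port), []):
            if net is not None:
                if dst_ip is None or ipaddress.ip_address(dst_ip) not in net:
                    continue
            if name not in names:
                names.append(name)
        return names


def build_sample_cache() -> ServiceCache:
    """Constructed entries modelled on the miglogd cache dump shown later on
    this page; the IP range and the ALT-DNS redefinition are made up."""
    c = ServiceCache()
    c.add("root", "DNS", "udp", 53)
    c.add("root", "DHCP", "udp", 67, 68)
    c.add("root", "AOL", "tcp", 5190, 5194)
    c.add("root", "SIP", "tcp", 5060)
    c.add("root", "example.com_Webadmin", "tcp", 4300, iprange="192.0.2.0/24")
    c.add("root", "ALT-DNS", "udp", 53)        # redefinition: second name on udp/53
    c.add("lab", "DNS", "udp", 53)             # separate VDOM, separate table
    return c


if __name__ == "__main__":
    cache = build_sample_cache()
    print(cache.lookup("root", "udp", 53))                   # ['DNS', 'ALT-DNS']
    print(cache.lookup("root", "tcp", 4300, "192.0.2.10"))   # ['example.com_Webadmin']
    print(cache.lookup("root", "tcp", 4300, "198.51.100.1")) # []
```

The trade-off is the one the text implies: expanding a wide range such as 5190-5194 costs one key per port at insert time, but every lookup afterwards is a single hash probe regardless of how many ranges exist, and a VDOM's table never has to be searched for another VDOM's traffic.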

New CLI option to prevent packet order problems for sessions offloaded to NP4 or NP6 (365497)

To prevent packets from being processed out of order on a FortiGate handling a heavy load of traffic, a new setting has been added to better control the timing of pushing packets to the NP units.

The new option, delay-tcp-npc-session, has been added into the context of config firewall policy within the CLI:

config firewall policy
    edit <Integer for policy ID>
        set delay-tcp-npc-session
end

The option may not be available on units without NP units.

GUI changes to Central NAT (371516)

The Central NAT configuration interface prevents the accidental selection of “all” and “none” as two objects for the same field. It only allows selecting a single IP pool, though it is still possible to select multiple IP pools within the CLI.

Max value for Firewall User authentication changed (378085)

Previously, the maximum time that a member of a firewall user group could remain authenticated without any activity was 24 hours (1440 minutes). The maximum value for this setting has been changed to 72 hours (4320 minutes). This allows someone to log in but not be kicked off the system due to inactivity over the course of a weekend.

The syntax in the CLI for configuring this setting is:

config user group
    edit <name of user group>
        set authtimeout 4320
end

Changes to default SSL inspection configuration (380736)

SSL is such a big part of normal traffic that SSL certificate inspection is no longer disabled by default. SSL inspection is now mandatory in both the CLI and GUI when it is applicable. The default setting is the Certificate Inspection level. As a result there have been a few changes within the CLI and the GUI.

CLI

The setting SSL-SSH-Profile is a required option, with the default value being “certificate-inspection”, when it is applicable in the following tables:

  • profile-group
  • firewall.policy
  • firewall.policy6
  • firewall.explicit-proxy-policy

The following default profiles are read-only:

  • certificate-inspection
  • deep-ssl-inspection

GUI

IPv4/IPv6 Policy and Explicit Proxy Policy edit window:

  • The configuration and display set up for SSL/SSH Inspection is now similar to the “profile-protocol-option” option
  • The disable/enable toggle button is no longer available for the Profile Protocol Option
  • The default profile is set to “certificate-inspection”

IPv4/IPv6 Policy, Explicit Proxy Policy list page:

  • There is validation for SSL-SSH-Profile when configuring UTM profiles

SSL/SSH Inspection list page:

  • There is no delete menu on the GUI for default SSL profiles
  • The “Edit” menu has been changed to “View” for default SSL profiles
  • The default SSL profile entries are considered an implicit class and are grayed out

SSL/SSH Inspection edit window:

  • The only input for default SSL profiles is now download/view trusted certificate links
  • To return to the List page from default SSL profiles, the name of the button is now “Return”

Profile Group edit window:

  • There is no check box for SSL-SSH-Profile. It is always required.

Add firewall policy comment field content to log messages (387865)

Some customers need their logs to include specific information about the traffic that produced the log. The rather elegant solution is that when the log-policy-comment option is enabled, the comment field from the policy is included in the log. To make the logs more useful regarding the traffic, add a customized comment to the policy and enable this setting.

Syntax

config system settings
    set log-policy-comment [enable | disable]
end

  • This setting is for all traffic and security logs.
  • It can be selected on a per-VDOM basis.

Learning mode changes profile type to single (387999)

The Learning mode does not function properly when it is applied to a policy that has a UTM profile group applied to it. The logging that should be taking place from the Learning Mode profiles does not occur as intended, and the

Automatically switching the profile type to single on a policy with Learning mode enabled prevents it from being affected by the UTM policy groups.

MAC address authentication in firewall policies and captive portals (391739)

When enabled, a MAC authentication request will be sent to fnbamd on any traffic. If the authentication receives a positive response, login becomes available. If the response is negative the normal authentication process takes over.

CLI

New option in the firewall policy setting

config firewall policy
    edit <policy ID>
        set radius-mac-auth-bypass [enable | disable]
    next
end

New option in the interface setting:

config system interface
    edit <interface>
        set security-mode captive-portal
        set security-mac-auth-bypass
    next
end

Display resolved IP addresses for FQDN in policy list (393927)

If an FQDN address object is used in a policy, hovering the cursor over the icon for that object shows a tool tip that lists the parameters of the address object. This tool tip now includes the IP address that the FQDN resolves to.

Added comment for acl-policy, interface-policy and DoS-policy (396569)

A comment field has been added to the following policy types:

  • acl-policy
  • interface-policy
  • DoS-policy

Comments of up to 1023 characters can be added through the CLI.

Examples:

DoS policy

config firewall DoS-policy
    edit 1
        set comment "you can put a comment here(Max 1023)."
        set interface "internal"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_syn_flood"
                set threshold 2000
            next
        end
    next
end

Interface policy

config firewall interface-policy
    edit 1
        set comment "you can put a comment here(max 1023)."
        set interface "dmz2"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
end

Firewall ACL

config firewall acl
    edit 1
        set status disable
        set comment "you can put a comment here(max 1023)."
        set interface "port5"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
end

Internet service settings moved to more logical place in CLI (397029)

The following settings have moved from the application context of the CLI to the firewall context:

  • internet-service
  • internet-service-custom

Example of internet-service

config firewall internet-service 1245324
    set name "Fortinet-FortiGuard"
    set reputation 5
    set icon-id 140
    set offset 1602565
    config entry
        edit 1
            set protocol 6
            set port 443
            set ip-range-number 27
            set ip-number 80
        next
        edit 2
            set protocol 6
            set port 8890
            set ip-range-number 27
            set ip-number 80
        next
        edit 3
            set protocol 17
            set port 53
            set ip-range-number 18
            set ip-number 31
        next
        edit 4
            set protocol 17
            set port 8888
            set ip-range-number 18
            set ip-number 31
        next
    end
end

Example of internet-service-custom

config firewall internet-service-custom
    edit "custom1"
        set comment "custom1"
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 30
                        set end-port 33
                    next
                end
                set dst "google-drive" "icloud"
            next
        end
    next
end

Example of get command:

get firewall internet-service-summary
Version: 00004.00002
Timestamp: 201611291203
Number of Entries: 1349

Certificate key size selection (397883)

FortiOS now supports different SSL certificate key lengths from the HTTPS server. FortiOS selects a key size from the two options of 1024 and 2048 to match the key size on the HTTPS server as closely as possible, rounding up. If the size of the key from the server is 512 or 1024, the proxy selects a 1024-bit key. If the key size from the server is over 1024, the proxy selects a 2048-bit key.

CLI changes:

In ssl-ssh-profile remove:

  • certname-rsa
  • certname-dsa
  • certname-ecdsa

In vpn certificate setting, add the following options :

  • certname-rsa1024
  • certname-rsa2048
  • certname-dsa1024
  • certname-dsa2048
  • certname-ecdsa256
  • certname-ecdsa384


Firewall (5.6.1)

New firewall features added to FortiOS 5.6.1.

Improvement to NAT column in Policy List Display (305575)

The NAT column in the policy list can provide more information than before.

Previously the field for the policy in the column only showed whether NAT was Enabled or Disabled.

With the new improvements, not only does the field show the name of the Dynamic Pool, if one is being used, but the tool-tip feature is engaged if you hover the cursor over the icon in the field and provides even more specific information.

GUI support for adding Internet-services to proxy-policies (405509)

There is now GUI support for the configuration of adding Internet services to proxy policies. When choosing a destination address for a Proxy Policy, the Internet Service tab is visible and the listed objects can be selected.


Choosing an Internet Service object as the Destination sets internet-service to enable; choosing either an Address or IPv6 Address object sets internet-service to disable.

Inline editing of profile groups on policy (409485)

Profile groups can now be edited from within the policy list display window. Before, you had to go into the edit window of the policy, as in the image below:

Now the editing can be done from the list display of policies by clicking on the GRP icon. Right-clicking on the icon slides a window out from the left, and left-clicking gives you a drop-down menu.

Rename “action” to “nat” in firewall.central-snat-map (412427)

The action field option in the context of firewall central-snat-map in the CLI was considered by some to be a little ambiguous, so it has been renamed to nat, an option that can either be enabled or disabled.

Explicit proxy supports session-based Kerberos authentication (0437054)

  • Explicit proxy supports session-based Kerberos authentication.
  • Transparent proxy will create an anonymous user if an attempt to create an NTLM connection fails.
  • When FSSO authentication fails for the explicit FTP proxy, the FortiGate responds with the error message “match policy failed”.


Explicit web proxy (5.6)

New explicit web proxy features added to FortiOS 5.6.

Explicit proxy supports multiple incoming ports and port ranges (402775, 398687)

Explicit proxy can now be configured to listen on multiple ports on the same IP as well as listen for HTTP and HTTPS on those same (or different) ports.

Define the port ranges using a hyphen (-). As shown below, port_high does not need to be specified if port_low is equal to port_high.

CLI syntax

config web-proxy explicit
    set http-incoming-port <port_low> [-<port_high>]
end

Explicit proxy supports IP pools (402221)

Added a new command, poolname, to config firewall explicit-proxy-policy. When an IP pool name is set with this command, the outgoing IP is selected from that pool.

CLI syntax

config firewall explicit-proxy-policy
    edit <example>
        set poolname <name>
    next
end

Option to remove unsupported encoding from HTTP headers (392908)

Added a new command to config web-proxy profile that, when enabled, allows the FortiGate to strip out unsupported encoding from request headers, and correctly block banned words. This is to resolve issues when attempting to successfully block content using Google Chrome.

CLI syntax:

config web-proxy profile
    edit <example>
        set strip-encoding {enable | disable}
    next
end

New authentication process for explicit web proxying (386474, 404355)

While in Proxy inspection mode, explicit proxy options can be set under Network > Explicit Proxy. These settings will affect what options are available for creating proxy policies under Policy & Objects > Proxy Policy. From here you may create new policies with Proxy Type set to either Explicit Web, Transparent Web, or FTP.


Authentication will be triggered differently when configuring a transparent HTTP policy. Before such a policy can be configured, you must enable HTTP Policy Redirect under Security Profiles > Proxy Options.

Added Internet services to explicit proxy policies (386182)

Added two new commands to config firewall explicit-proxy-policy. FortiOS can use the Internet Service Database (introduced in 5.4.1) as the web-proxy policy matching factor.

CLI syntax:

config firewall explicit-proxy-policy
    edit <example>
        set internet-service <application-id>
        set internet-service-custom <application-name>
    next
end

Virtual WAN link in an explicit proxy firewall policy (385849, 396780)

Virtual WAN link (VWL) interfaces may now be set as the destination interface in an explicit proxy policy, routing traffic properly using basic virtual WAN link load balance settings. This is now configurable through both the CLI under firewall explicit-proxy-policy and the GUI.

Added application ID and category setting on the explicit proxy enabled service (379330)

This feature introduces support for application ID/category in the service of explicit proxy as one policy selection factor. The intent is to identify the application type based on the HTTP request with IPS application type detection function. It is similar to the current firewall explicit address, but it is implemented as a service type, and you can select the application ID/ category to define explicit service. Of course, now it must be an HTTP-based application.

CLI syntax

config firewall service custom
    edit "name"
        set app-service-type [disable | app-id | app-category]
    next
end

Explicit Proxy – populate pac-file-url in transparent mode (373977)

You can now use manageip to populate pac-file-url in transparent opmode. Previously, when displaying pac-file-url in the CLI, the code only tried to use the interface IP to populate pac-file-url.

CLI syntax

config vdom
    edit root
        config system settings
            set opmode transparent
            set manageip 192.168.0.34/24
        end
        config web-proxy explicit
            set pac-file-server-status enable
            get pac-file-url [url.pac]
        end
    next
end

SSL deep inspection OCSP support for Explicit Proxy (365843)

OCSP support for SSL deep inspection added for Explicit Proxy.

CLI syntax

config vpn certificate setting
    set ssl-ocsp-status [enable | disable]
    set ssl-ocsp-option [certificate | server]
end

Timed out authentication requests are now logged (357098)

CLI syntax

config web-proxy explicit
    set trace-auth-no-rsp [enable | disable]
end

Diagnose command changes (5.6.1)

New diagnose features added to FortiOS 5.6.1.

crash dump improvement on i386/X86_64 (396580)

The output from the WPAD crash dump can now be in binary format as well as hexadecimal. The two commands are:

  1. For a dump in binary format:
     diagnose debug app wpad-dump <debug_level>
  2. For a dump in hexadecimal format:
     diagnose debug app wpad-crash-hexdump <debug_level>

LLDP diagnose commands easier to execute (413102)

While there is no change to the syntax of the commands, the LLDP diagnose commands are allowed to execute without switchid/portid parameters configured.

New command to monitor IPS stats (414496)

When WAD IPS scanning took place with a failed result, the message caused the IPS sensor to mistakenly record the event as something triggering the sensor. To correct this, a new command was created.

Command:

diagnose wad stats ips [list | clear]

  list    List IPS statistics
  clear   Clear IPS statistics

Example

diagnose wad stats ips list
IPS status
unix stream counter = 0
active sess counter = 0
ips provider counter = 0
not running failure = 0
all busy failure = 0
conn close counter = 0
conn connected counter = 0
conn failure = 0
zero len failure = 0
suspended failure = 0
push failure = 0
block write counter = 0
un-block write counter = 0
un-matching failure = 0
ips action failure = 0
ips action permit = 0
ips action deny = 0
ips action bypass = 0

New diagnose sys fips kat-error options (440186)

The command diagnose sys fips kat-error has added additional options, like ECDSA.

Diagnose command changes (5.6)

New diagnose features added to FortiOS 5.6.

Add missing “diag npu np6 …” Commands (305808)

The following diag npu np6 commands have been reintroduced in 5.6.0. These options were available in 5.2.x but were not in 5.4.0.

  • diag npu np6 gmac-stats – Shows the GMAC MIBs counters
  • diag npu np6 gmac-stats-clear – Clears the GMAC MIBs counters
  • diag npu np6 gige-port-stats – Shows the GIGE PORT MIBs counters
  • diag npu np6 gige-port-stats-clear – Clears the GIGE PORT MIBs counters

Diagnose command to show firewall service cache (355819)

A diagnostic command has been added to dump out the service name cache kept by the miglogd daemon for each individual VDOM:

diag test app miglogd 106

Example output:

This output has been edited down to conserve space. Only the first 5 of each grouping have been included.

diag test app miglogd 106
tcp
port(0), name(NONE)
port(21), name(FTP)
port(22), name(SSH)
port(23), name(TELNET)
port(25), name(SMTP)
udp
port(53), name(DNS)
port(67–68), name(DHCP)
port(69), name(TFTP)
port(88), name(KERBEROS)
port(111), name(ONC-RPC) extra: (ONC-RPC) (NFS)
icmp
port(1), name(test)
port(8), name(PING)
port(13), name(TIMESTAMP)
port(15), name(INFO_REQUEST)
port(17), name(INFO_ADDRESS)
general
prot(6), port(4300), name(example.com_Webadmin)
prot(6), port(5060), name(SIP)
prot(6), port(5190–5194), name(AOL)
prot(6), port(5631), name(PC-Anywhere)
prot(6), port(5900), name(VNC)
service names:
WINFRAME,DNS,DCE-RPC,H323,RLOGIN,IRC,UUCP,example.com_Webadmin,HTTPS,WAIS,FINGER,REXEC,
RAUDIO,SNMP,TIMESTAMP,RADIUS-OLD,DHCP,AOL,MGCP,SMTPS,INFO_REQUEST,HTTP,SCCP,SOCKS,PPTP,
ONC-RPC,NNTP,SMTP,QUAKE,PC-Anywhere,TFTP,NONE,SSH,RSH,IMAPS,LDAP_UDP,SIP,RIP,PING,PING6,
X-WINDOWS,SMB,SAMBA,TRACEROUTE,NFS,WINS,L2TP,IMAP,GOPHER,SIP-MSNmessenger,SYSLOG,DHCP6,
TELNET,LDAP,MS-SQL,MMS,KERBEROS,SQUID,NTP,FTP,CVSPSERVER,test,AFS3,POP3,Internet-Locator-Service,
service groups:
Email Access(DNS,IMAP,IMAPS,POP3,POP3S,SMTP,SMTPS,)
Windows AD(DCE-RPC,DNS,KERBEROS,LDAP,LDAP_UDP,SAMBA,SMB,)
Web Access(DNS,HTTP,HTTPS,)
Exchange Server(DCE-RPC,DNS,HTTPS,)
policies involving multiple service definitions:

Diagnose command to show crash history and adjust crash interval (366691)

In order to alleviate the impact logging puts on resources if processes repeatedly crash, limits have been put on crash logs.

  • The default limit is 10 times per 60 minutes for crash logs. This limit can be edited using the command:

diagnose debug crashlog interval <interval>

<interval> is the number of seconds to log crash logs for a particular process.

  • The miglogd daemon is the only one to write crash logs directly. Crash logs from other processes are done through miglogd.
  • Crash logs for a single crash are written all at once so that the logs are easier to read if there are crashes of multiple processes at the same time.
  • A diagnose command has been added to show crash history.

# diagnose debug crashlog history
# Crash log interval is 3600 seconds
# reportd crashed 2 times. The latest crash was at 2016-12-01 17:53:45

diagnose switch-controller commands (368197)

The following diagnose commands in the CLI are designed to:

  • Output stats on the managed switches
  • Kick the client from the managed switches

diagnose switch-controller dump lldp neighbors-summary <device-id> <portid>
diagnose switch-controller dump lldp neighbors-detail <device-id> <portid>
diagnose switch-controller dump lldp stats <device-id>
diagnose switch-controller dump port-stats <device-id>
diagnose switch-controller dump trunk-state <device-id>
diagnose switch-controller kick <device-id> <vlan ID> <port ID> <MAC ID>

While not a diagnostic command, the following can also be run from VDOMs:

execute replace-device fortiswitch <device-id>

These commands are no longer restricted to being run from the root VDOM and can be run from any VDOM.

Diagnose commands for monitoring NAT sessions (376546)

We have developed the following monitoring capabilities in CLI and SNMP.

  • NAT sessions per IP pool
  • Total tcp sessions per IP pool
  • Total udp sessions per IP pool
  • Total others (non-tcp and non-udp) sessions per IP pool

FortiGate supports 4 types of NAT, which are:

  • Overload
  • One-to-one
  • Fixed-port-range
  • Port-block-allocation

diagnose firewall ippool-all

  • list – lists all of the IP Pools
  • stats – Statistics of the IP Pools

list

diagnose firewall ippool-all list

Example output:

vdom:root owns 4 ippool(s)
name:Client-IPPool type:port-block-allocation nat-ip-range:10.23.75.5-10.23.75.200
name:Fixed Port Range type:fixed-port-range nat-ip-range:20.20.20.5-20.20.20.50
name:One to One type:one-to-one nat-ip-range:10.10.10.5-10.10.10.50
name:Sales_Team type:overload nat-ip-range:10.23.56.18-10.23.56.20

Stats

This option can be used in two ways. By just hitting enter after stats, the output contains the stats for all of the IP Pools. By putting the name of an IP Pool after stats, the output is filtered so that only stats relating to that particular IP Pool are included.

Example output #1

# diagnose firewall ippool-all stats
vdom:root owns 5 ippool(s)
name: Client-IPPool
type: port-block-allocation
startip: 10.23.75.5
endip: 10.23.75.200
total ses: 0
tcp ses: 0
udp ses: 0
other ses: 0
name: Fixed Port Range
type: fixed-port-range
startip: 20.20.20.5
endip: 20.20.20.50
total ses: 0
tcp ses: 0
udp ses: 0
other ses: 0
name: One to One
type: one-to-one
startip: 10.10.10.5
endip: 10.10.10.50
total ses: 0
tcp ses: 0
udp ses: 0
other ses: 0
name: Sales_Team
type: overload
startip: 10.23.56.18
endip: 10.23.56.20
total ses: 0
tcp ses: 0
udp ses: 0
other ses: 0

Example output #2

# diagnose firewall ippool-all stats “Sales_Team”
name: Sales_Team type: overload startip: 10.23.56.18 endip: 10.23.56.20 total ses: 0 tcp ses: 0 udp ses: 0 other ses: 0
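The stats output above is what a monitoring job would scrape to watch NAT pool usage. The following is an added example, not code from the page or from Fortinet: it parses the record format shown above into structured pools, derives the address count of each pool from its startip/endip, and flags pools whose sessions per address exceed a chosen limit or whose per-protocol counters do not add up to the total. The sample output is constructed (pool names and ranges follow the page, the session counts are made up) and the parser tolerates both the one-line-per-pool layout and one-field-per-line output.

```python
import ipaddress
import re

# Constructed sample of "diagnose firewall ippool-all stats" output (not captured
# from a device): pool names and ranges follow the page, session counts are made up.
SAMPLE_STATS = """\
vdom:root owns 4 ippool(s)
name: Client-IPPool
type: port-block-allocation
startip: 10.23.75.5
endip: 10.23.75.200
total ses: 120
tcp ses: 100
udp ses: 15
other ses: 5
name: Fixed Port Range type: fixed-port-range startip: 20.20.20.5 endip: 20.20.20.50 total ses: 0 tcp ses: 0 udp ses: 0 other ses: 0
name: One to One type: one-to-one startip: 10.10.10.5 endip: 10.10.10.50 total ses: 5 tcp ses: 3 udp ses: 1 other ses: 0
name: Sales_Team type: overload startip: 10.23.56.18 endip: 10.23.56.20 total ses: 4800 tcp ses: 4700 udp ses: 100 other ses: 0
"""

# One pool record; re.S lets the whitespace between fields span line breaks, so the
# same pattern handles one-line-per-pool and one-field-per-line output.
_POOL_RE = re.compile(
    r"name:\s*(?P<name>.+?)\s+type:\s*(?P<type>\S+)\s+"
    r"startip:\s*(?P<startip>\S+)\s+endip:\s*(?P<endip>\S+)\s+"
    r"total ses:\s*(?P<total>\d+)\s+tcp ses:\s*(?P<tcp>\d+)\s+"
    r"udp ses:\s*(?P<udp>\d+)\s+other ses:\s*(?P<other>\d+)",
    re.S,
)


def parse_ippool_stats(text):
    """Return a list of pool dicts parsed from 'diagnose firewall ippool-all stats' output."""
    pools = []
    for m in _POOL_RE.finditer(text):
        start = ipaddress.ip_address(m["startip"])
        end = ipaddress.ip_address(m["endip"])
        pools.append({
            "name": m["name"].strip(),
            "type": m["type"],
            "startip": str(start),
            "endip": str(end),
            # inclusive size of the NAT address range
            "addresses": int(end) - int(start) + 1,
            "total_ses": int(m["total"]),
            "tcp_ses": int(m["tcp"]),
            "udp_ses": int(m["udp"]),
            "other_ses": int(m["other"]),
        })
    return pools


def sessions_per_address(pool):
    """Average number of sessions sharing each NAT address of the pool."""
    return pool["total_ses"] / pool["addresses"]


def check_pools(pools, per_address_limit):
    """Return (pool name, reason) findings worth alerting on.

    A counter mismatch means the per-protocol counters do not sum to the total,
    which usually indicates truncated or mis-parsed output rather than a real
    pool problem; the per-address limit is the operator's own capacity threshold.
    """
    findings = []
    for p in pools:
        if p["tcp_ses"] + p["udp_ses"] + p["other_ses"] != p["total_ses"]:
            findings.append((p["name"], "counter mismatch"))
        if sessions_per_address(p) > per_address_limit:
            findings.append((p["name"], "over per-address limit"))
    return findings


if __name__ == "__main__":
    for name, reason in check_pools(parse_ippool_stats(SAMPLE_STATS), 1000):
        print(f"{name}: {reason}")
```

With the constructed sample, the overload pool Sales_Team carries 4800 sessions over three addresses and is flagged, while One to One is reported for counters that do not add up.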

SIP diagnose command improvements (376853)

A diagnose command has been added to the CLI that outputs VDOM data located in the voipd daemon.

diagnose sys sip-proxy vdom

Example

(global) # diagnose sys sip-proxy vdom
VDOM list by id:
vdom 0 root (Kernel: root)
vdom 1 dmgmt-vdom (Kernel: dmgmt-vdom)
vdom 2 test2 (Kernel: test2)
vdom 3 test3 (Kernel: test3)
vdom 4 vdoma2 (Kernel: vdoma2)
vdom 5 vdomb2 (Kernel: vdomb2)
vdom 6 vdomc2 (Kernel: vdomc2)
vdom 7 vdoma (Kernel: vdoma)
vdom 8 vdomb (Kernel: vdomb)
vdom 9 vdomc (Kernel: vdomc)
VDOM list by name:
vdom 1 dmgmt-vdom (Kernel: dmgmt-vdom)
vdom 0 root (Kernel: root)
vdom 2 test2 (Kernel: test2)
vdom 3 test3 (Kernel: test3)
vdom 7 vdoma (Kernel: vdoma)
vdom 4 vdoma2 (Kernel: vdoma2)
vdom 8 vdomb (Kernel: vdomb)
vdom 5 vdomb2 (Kernel: vdomb2)
vdom 9 vdomc (Kernel: vdomc)
vdom 6 vdomc2 (Kernel: vdomc2)

Diagnose command to get AV virus statistics (378870)

A new diagnostic command has been added to show AV statistics. It can be used within each VDOM.

Syntax: diagnose ips av stats show

Example output

diagnose ips av stats show

AV stats:

HTTP virus detected: 0

HTTP virus blocked: 0

SMTP virus detected: 0

SMTP virus blocked: 0

POP3 virus detected: 0

POP3 virus blocked: 0

IMAP virus detected: 0

IMAP virus blocked: 0

NNTP virus detected: 0

NNTP virus blocked: 0

FTP virus detected: 0

FTP virus blocked: 0

SMB virus detected: 0

SMB virus blocked: 0

Diagnose command to get remote FortiSwitch trunk information (379329)

To ensure that a FortiGate and its managed FortiSwitches stay in synchronization in the event of an inadvertent trunk table change situation, there is a new CLI setting that checks for discrepancies.

The idea is to check whether there will be a synchronization issue between the FortiGate and the FortiSwitch before applying the configuration:

  1. On FortiLink reconnection, the FortiGate (FGT) reads the trunk table of the FortiSwitch (FSW) using a REST API GET, so the FGT receives all of the ports and their trunk membership information from the FSW.
  2. The FGT then compares its managed FSW trunk information with the information received from the FSW.
  3. If there is any conflict, the FGT deletes the extra or conflicting trunk on the FSW using a REST API POST.
  4. At the end, the FGT replays all configuration to the FSW as usual.

This deletes the extra and conflicting trunks on the FSW and makes sure the two stay in sync. Possible reasons for losing synchronization include:

  • The FortiGate reboots after a factory reset while there is still a trunk configuration in the FortiSwitch.
  • The managed FortiSwitch’s trunk table gets edited on the FortiGate while the FortiSwitch is offline.
  • A trunk table on the FortiSwitch gets added, or the existing one gets modified or deleted, by a user.

New diagnose command for the CLI:

diagnose switch-controller dump trunk-switch-config <Managed FortiSwitch device ID>

Help provided for diagnose debug application csfd (379675)

The syntax for the command is: diagnose debug application csfd <Integer>

The <Integer> being the debug level. To get the integer value for the debug level, run the command without the integer. You will get the following:

# diagnose debug application csfd
csfd debug level is 0 (0x0)

Error 0x01

Warning 0x02

Function trace 0x04

Information 0x08

Detail 0x10

MAC packet encryption debug 0x20

MAC learning debug 0x40

FAZ configuration synchronize debugging 0x0080

FAZ configuration function trace 0x00100

Configuration tree update debug 0x00200

Configuration tree function trace 0x00400

HA Sync plugin debug 0x00800

Convert the value next to the debug level you want to an integer. For example, to set the debug level to Information, convert 0x08 to 8 and use it for the option at the end of the command.

# diagnose debug application csfd 8
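The table above lists each debug level as a distinct bit, so the integer you pass is a bitmask. The following is an added example, not code from the page or from Fortinet, that builds the integer from flag names, renders the command line, and decodes the level reported by "csfd debug level is N (0x..)" back into flag names so a colleague's setting can be read. The page only shows a single level being set; that several flags can be combined with bitwise OR is an assumption based on the values being distinct powers of two.

```python
import re

# Bit values printed by running "diagnose debug application csfd" with no
# argument (the table on the page).
CSFD_DEBUG_FLAGS = {
    "Error": 0x01,
    "Warning": 0x02,
    "Function trace": 0x04,
    "Information": 0x08,
    "Detail": 0x10,
    "MAC packet encryption debug": 0x20,
    "MAC learning debug": 0x40,
    "FAZ configuration synchronize debugging": 0x80,
    "FAZ configuration function trace": 0x100,
    "Configuration tree update debug": 0x200,
    "Configuration tree function trace": 0x400,
    "HA Sync plugin debug": 0x800,
}

# Union of all known bits, used to spot bits this table does not document.
_ALL_BITS = 0
for _bit in CSFD_DEBUG_FLAGS.values():
    _ALL_BITS |= _bit

# Status line printed when the command is run without an integer.
_LEVEL_LINE_RE = re.compile(r"csfd debug level is (\d+) \(0x[0-9a-fA-F]+\)")


def debug_level(*flag_names):
    """Combine named flags into the integer the command expects.

    Assumption: the flags are independent bits, so combining them is a bitwise OR.
    """
    level = 0
    for name in flag_names:
        try:
            level |= CSFD_DEBUG_FLAGS[name]
        except KeyError:
            raise ValueError(f"unknown csfd debug flag: {name!r}") from None
    return level


def csfd_command(*flag_names):
    """Render the full command line for the requested flags."""
    return f"diagnose debug application csfd {debug_level(*flag_names)}"


def parse_level_line(line):
    """Extract the decimal level from the 'csfd debug level is ...' status line."""
    m = _LEVEL_LINE_RE.search(line)
    if m is None:
        raise ValueError(f"not a csfd debug level line: {line!r}")
    return int(m.group(1))


def describe_level(level):
    """Return (names of the flags set in level, remaining bits not in the table)."""
    names = [name for name, bit in CSFD_DEBUG_FLAGS.items() if level & bit]
    unknown = level & ~_ALL_BITS
    return names, unknown


if __name__ == "__main__":
    print(csfd_command("Information"))                 # the page's example, level 8
    print(describe_level(parse_level_line("csfd debug level is 11 (0xb)")))
```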

New IPS engine diagnose commands (381371)

Periodically, when troubleshooting, a different IPS engine will need to be installed on the FortiGate, but there may also be a restriction that the FortiGate can’t be rebooted. Normally, a new IPS engine will not be fully recognized by the system until after a reboot. This command allows the running of new commands, or new versions of commands, in the IPS engine without having to reboot the FortiGate.

diagnose ips test cmd <command strings>

The command strings are separated by a semicolon such as: diagnose ips test cmd command1;command2;command3

Examples:

  • diagnose ips test cmd “ips session status”

This command triggers the diagnose command in the double quotation marks: diagnose ips session status

  • diag ips test cmd “ips memory track; ips memory status; ips session status”

This command triggers the diagnose commands in the double quotation marks, in order.

The results:

Commands[0]: ips memory track

—-< execute “diagnose ips memory track” >—-

Commands[1]: ips memory status

—-< execute “diagnose ips memory status” >—-

Commands[2]: ips session status

—-< execute “diagnose ips session status” >—-

New AV engine diagnose commands (383352)

The purpose of this diagnostic command is to display information from within the AV engine to aid troubleshooting and diagnostics if the AV engine crashes or times out.

The command is: diagnose antivirus test

Its syntax can be one of the following:

diagnose antivirus test <command>
diagnose antivirus test <command argument1>; <argument2>; …

The command is defined and interpreted by the AV engine. FortiOS just passes the CLI command into the AV engine and outputs the strings returned by the AV engine.

In AV engine 5.4.239, the following commands are supported:

  • get scantypes
  • set scantypes
  • debug

NPU diagnose command now includes HPE info in results (384692)

There is no change to the CLI but the results of the diagnose npu np6 npu-feature command now include results regarding HPE.

clear checksum log files (diag sys ha checksum log clear) (385905)

There is currently a command, diag sys ha checksum log [enable | disable], that enables a checksum debug log by saving checksum calculations to a temp file. However, the checksum calculations saved in this file can be processed by two different functions, cmdbsvr and the CLI.

The function cmf_context-is-server() now determines whether the running process is cmdbsvr or the CLI, and a diagnose command has been added to clear the contents of the file:

diag sys ha checksum log clear

New diagnose command to delete avatars (388634)

It is now possible to delete avatars associated with FortiClient clients.

diagnose endpoint avatar delete <FortiClient UID>

or

diagnose endpoint avatar delete <FortiClient UID> <username>

  • If only the FortiClient UID is used, all of the avatars, except those that are currently being used will be deleted.
  • If both the FortiClient UID and the username are used, all of the avatars that belong to that combination, except those being used, will be deleted.

CID signatures have been improved for DHCP and CDP (389350, 409436)

More parameters have been added to make them more specific. This helps to reduce false positives.

  • DHCP signatures:
    • A new DHCP signature file, ‘cid.dhcp2’, has been added that allows the class and host name to be specified in the same signature, for increased accuracy.
    • Relevant signatures from ‘cid.dhcp’ have been ported to the new signature file ‘cid.dhcp2’.
    • Support DHCP parameter matching in signatures.
    • Support DHCP option list matching in signatures.
  • The CDP MAC analyzer now passes all three keys to the OS matcher.
  • Tests:
    • A number of new tests (including pcaps) have been added to match existing signatures and new signatures.
    • Some tests where multiple protocols were present in a single pcap have been modified. These are now split into multiple pcaps, each containing a single protocol. This allows FortiOS to fully test a signature, where previously a single test may have matched multiple signatures.
  • CID debug statistics now use shared memory. This prevents the daemon from having to respond to CLI requests and allows the stats to persist across daemon restarts.
  • A change has been made to the host IP update priority. Routers that have had their type set by heuristic are not allowed to change IPs.
    • If it is a Fortinet device, the change is allowed if it comes through a protocol we trust more (CDP, DHCP, LLDP, or MAC).

diagnose command to calculate socket memory usage (392655)

This diagnostic command gives the socket memory usage by individual process.

diagnose sys process sock-mem <pid>; <pid> …

Separate arguments with a semicolon (“;”).

Example

Run diagnose sys top to get the PIDs of a few processes:

diagnose sys top
Run Time: 1 days, 0 hours and 44 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 7996T, 5839F
httpsd 214 S 0.1 0.2
httpsd 1398 S 0.1 0.2
snmpd 173 S 0.1 0.1

Then use those PIDs with the command:

diagnose sys process sock-mem 214; 173
Process ID=214, sock_mem=0(bytes)
Process ID=173, sock_mem=2(bytes)

FortiGuard can determine a FortiGate’s location from its public IP address (393972)

The FortiGate now shows the public IP address and the geographical location (country) in the dashboard. The FortiGate sends a ping to the FortiCare/FortiGuard network and, as a response, receives its local WAN IP or, if it is being NATed, the public IP of the network. Using the public IP address, a geo-IP lookup is done to determine the country.

In the same location on the Dashboard, it also shows whether or not the listed IP address is a member of the Fortinet Blacklist.

CLI

The diagnostic command to get the information is:

diag sys waninfo

Example:

diagnose sys waninfo
Public/WAN IP: 209.87.240.98
Location:
Latitude: 45.250100
Longitude: -75.916100
Accuracy radius: 5
Time zone: America/Toronto
City: Stittsville
Subdivisions:
0: Ontario
Country: Canada
Postal:
Code: K2S
Continent: North America
Registered country: Canada
ISP: Unknown
Failed to query whether 209.87.240.98 is in the FortiGuard IP Blacklist: ret=-1 buf_sz=1024
Command fail. Return code 5

To get information about the address’s membership of the Fortinet Blacklist, the command is:

diag fortiguard ipblacklist [db | vr | ip | ctx]

  • db – Get database and vendor/reason list versions.
  • vr – Get vendor/reason list.
  • ip – Get information on a specific IP.
  • ctx – Show local context.

If using the ip option, specify the IPv4 address after the ip option. Example:

diagnose fortiguard ipblacklist ip 209.87.240.98

AWS bootstrapping diagnose commands (394158)

The bootstrap feature is quite similar to cloud-init in OpenStack. When a user launches a new FGT-VM instance in AWS, they need to provide some basic information about the license and configuration stored in an AWS S3 bucket via user data. Bootstrap downloads the license and config from the S3 bucket and applies them to the FGT automatically.

CLI

A new CLI command has been added to show the results of applying the bootstrap config.

Example:

diagnose debug aws-bootstrap show
>> FGVM040000066475 $ config sys glo
>> FGVM040000066475 (global) $ set hostname awsondemand
>> FGVM040000066475 (global) $ end

Diagnose command to aid in conserve mode issues (394856)

The diagnose hardware sys conserve command provides memory information about the system that is useful in diagnosing conserve mode issues.

Example

diagnose hardware sys conserve
memory conserve mode: off
total RAM: 7996 MB
memory used: 2040 MB 25% of total RAM
memory used threshold extreme: 7597 MB 95% of total RAM
memory used threshold red: 7037 MB 88% of total RAM
memory used threshold green: 6557 MB 82% of total RAM

Diagnose commands to display FortiCare registration information (395254)

The Dashboard License widget can display information about the registered company owner and industry. There are some diagnostic commands that can do that in the CLI.

diagnose forticare protocol [HTTP | HTTPS]
diagnose forticare server <server IP>
diagnose forticare cnreg-code-list – list of known ISO 3166-1 numeric country/region codes.
diagnose forticare direct-registration reseller-list <cnreg-code>
diagnose forticare direct-registration country-data <cnreg-code>
diagnose forticare direct-registration organization-list
diagnose forticare direct-registration product-registration <arguments>

Options/arguments for product registration:

  • a = account_id
  • A = address
  • y = city
  • C = company
  • c = contract_number
  • T = country_code
  • e = existing_account
  • F = fax
  • f = first_name
  • h = help
  • I = industry
  • i = industry_id
  • l = last_name
  • O = orgsize
  • o = orgsize_id
  • p = password
  • P = phone
  • z = postal_code
  • R = reseller
  • r = reseller_id
  • S = state
  • s = state_code
  • t = title
  • v = version

New diag test app csfd options (395302)

Two additional test levels have been added to the diag test app csfd command in order to dump additional information about timers, file handler status and MAC addresses received by the HA master.

diag test app csfd 11
diag test app csfd 40

New ‘AND’ and ‘OR’ filter capabilities for debug flow addr (398985)

In order to make a more flexible filter for the debug flow address command, the Boolean arguments of ‘AND’ and ‘OR’ have been added to the command parser. This will work regardless of whether or not the source or destination address is being filtered.

Syntax:

diagnose debug flow filter address <IP1|from IP> <IP2|to IP> <ENTER|and/or>

Improve wad debug trace and crash log information (400454)

Previously, when filtering on a wad debug trace or crash log information, the information may not have been as targeted as necessary. A new setting has been added to target a specific policy.

diagnose wad filter firewall-policy <index> diagnose wad filter explicit-policy <index>

These commands target the firewall or explicit proxy policies. A value of “-1” refers to any index of that particular policy type.

diagnose hardware test added to additional models (403571)

The diagnose hardware test that was previously on FortiGate E Series models, and the FortiGate 300/500D models, has been expanded to include:

  • Multiple low range models
  • Multiple mid range models
  • FortiGate 3800D model

This diagnostic feature replaces much of the functionality of the HQIP test that requires the installation of a separate firmware image.

diag sys sip-proxy config profile –> diag sys sip-proxy config profiles (404874)

The diagnose command has been changed to make it more consistent with other similar commands.

diagnose sys sip-proxy config profile has been changed to

diagnose sys sip-proxy config profiles

diag debug flow changes (405348)

For crash and console logs, the logs are no longer parsed before being sent to their destination. Now they are dumped directly to the destination.

In addition the following options have been removed from the diagnose command list:

diag debug flow show console
diag debug flow show console enable
diag debug flow show console disable

Improve wad memory diagnose process (408236)

The WAD SSL memory dump functions have been moved to migbase so they can be shared by both WAD and the CLI.

CLI additions

  • diagnose wad memory – WAD memory diagnostics
  • diagnose wad memory general – list of WAD memory blocks
  • diagnose wad memory bucket – list suspicious WAD memory buckets
  • diagnose wad memory ssl – list SSL memory statistics

New daemon watchdog framework in forticron (409243)

A new feature has been added to dump userspace process stacks.

CLI additions: diagnose sys process pstack <pid>

<pid> – Process ID, such as those displayed by diagnose sys top

Output from diagnose wad debug command filterable(410069)

The output from the command was so verbose that the information being looked for could get lost in the extraneous data, so parameters were added that allow the output to be filtered by both severity level and category.

The command has a few settings:

diagnose wad debug [enable|disable|show|clear|display]

  • enable – Enable the level or category debug setting.
  • disable – Disable the debug setting.
  • show – Show the current debug setting.
  • clear – Clear the existing debug setting.
  • display – Changes the display setting. For example, diag wad debug display pid enable enables the display of PID values in the output.

Syntax to set the level:

diagnose wad debug enable level <level>

Where <level> is one of:

  • error – error
  • warn – warning
  • info – information
  • verbose – verbose

Syntax to set the category:

diag wad debug enable category <category>

Where <category> is one of the following:

  • connection – connection
  • session – session
  • protocol – protocol
  • io – I/O
  • packet – packet
  • db – cache database
  • cifs – CIFS
  • ssl – SSL
  • webcache – webcache
  • policy – policy matching
  • auth – authentication
  • scan – UTM scan
  • cache – wanopt cache
  • tunnel – wanopt tunnel
  • bank – bank
  • stats – stats
  • disk – cache disk
  • video – cache video
  • rplmsg – replacement message
  • ipc – IPC
  • bar – Fortinet top bar
  • waf – WAF
  • memblk – memory block
  • all – all categories

DNS log improvements (410132)

DNS logs have been improved to make the presentation of the data clearer. These changes involve a reorganization of the DNS log subtypes.

These changes include:

  • Change dns-subtype to dns-response.
  • Remove the status field and add Pass/Block/Redirect to the action field.
  • Change the msg field to display DNS filter rating results.
  • All error messages now go to the error field.
  • Change urlfilteridx to domainfilteridx.
  • Change urlfilterlist to domainfilterlist.
  • Add a query type value field.
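A field reorganisation like this breaks SIEM parsers that were written against the old names, and a fleet upgraded over several weeks emits both shapes at once. The following is an added example, not code from the page or from Fortinet: a small normaliser that tokenises a key=value log line and maps the renames the list states unambiguously (status to action, urlfilteridx to domainfilteridx, urlfilterlist to domainfilterlist) so downstream rules see one schema. The key=value line format is an assumption about FortiOS log layout, the two sample lines are constructed, and the subtype change and the new query type field are not modelled because the page does not give their exact values or name.

```python
import re

# Old -> new field names from the DNS log changes listed on the page.
DNS_FIELD_RENAMES = {
    "urlfilteridx": "domainfilteridx",
    "urlfilterlist": "domainfilterlist",
}

# Constructed sample lines (not captured from a device), written in key=value
# style with quoted strings, which is assumed to be the log layout. The first
# uses the pre-change field names, the second the post-change names.
OLD_STYLE_LINE = (
    'date=2017-01-01 time=12:00:00 type="utm" vd="root" srcip=10.1.1.20 '
    'dstip=10.1.1.1 qname="example.test" status="block" urlfilteridx=3 '
    'urlfilterlist="default"'
)
NEW_STYLE_LINE = (
    'date=2017-01-01 time=12:00:00 type="utm" vd="root" srcip=10.1.1.20 '
    'dstip=10.1.1.1 qname="example.test" action="block" domainfilteridx=3 '
    'domainfilterlist="default"'
)

# key=value pairs; a value is either a double-quoted string (backslash escapes
# allowed inside) or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv_log(line):
    """Parse a key=value log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
            fields[key] = raw[1:-1]
        else:
            fields[key] = raw
    return fields


def normalize_dns_log(fields):
    """Return a copy of fields with pre-reorganisation names mapped to the new names.

    'status' is only moved into 'action' when the record has no 'action' field,
    so a record that already uses the new schema is left untouched.
    """
    out = {}
    for key, value in fields.items():
        if key == "status" and "action" not in fields:
            out["action"] = value
        elif key in DNS_FIELD_RENAMES:
            out[DNS_FIELD_RENAMES[key]] = value
        else:
            out[key] = value
    return out


def normalize_line(line):
    """Parse and normalise one log line in a single step."""
    return normalize_dns_log(parse_kv_log(line))


if __name__ == "__main__":
    print(normalize_line(OLD_STYLE_LINE) == normalize_line(NEW_STYLE_LINE))
```

Keeping the rename table separate from the tokeniser means the next field reorganisation is a one-line change to DNS_FIELD_RENAMES rather than a new parser.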

 

Explicit web proxy

