Category Archives: FortiOS

New PPPoE features

PPPoE dynamic gateway support (397628)

The original PPPoE design required a static gateway to be configured. Although this works in many scenarios, some customers need dynamic gateway support for Internet-service-based routes.

There are no changes to the CLI or the GUI.

Support multiple PPPoE connections on a single interface (363958)

Multiple PPPoE connections on a single physical or VLAN interface are now supported on the FortiGate. The interface can also use on-demand PPPoE.

CLI

config system pppoe-interface
    edit <name>
        set dial-on-demand [enable|disable]
        set ipv6 [enable|disable]
        set device <interface>
        set username <string>
        set password <string>
        set auth-type [auto|pap|chap|mschapv1|mschapv2]
        set ipunnumbered <class_ip>
        set pppoe-unnumbered-negotiate [enable|disable]
        set idle-timeout <integer>
        set disc-retry-timeout <integer>
        set padt-retry-timeout <integer>
        set service-name <string>
        set ac-name <string>
        set lcp-echo-interval <integer>
        set lcp-max-echo-fails <integer>
    next
end

  • dial-on-demand – Enable/disable the dial-on-demand feature.
  • ipv6 – Enable/disable the use of IPv6.
  • device – The name of the physical interface.
  • username – User name for credentials.
  • password – Password matching the above username.
  • auth-type – The type of PPP authentication to be used:
    • auto – Automatic choice of authentication
    • pap – PAP authentication
    • chap – CHAP authentication
    • mschapv1 – MS-CHAPv1 authentication
    • mschapv2 – MS-CHAPv2 authentication
  • ipunnumbered – PPPoE unnumbered IP.
  • pppoe-unnumbered-negotiate – Enable/disable PPPoE unnumbered negotiation.
  • idle-timeout – Idle time in seconds before PPPoE auto disconnects. 0 (zero) for no timeout.
  • disc-retry-timeout – Timeout value in seconds for PPPoE initial discovery. 0 to 4294967295. Default = 1.
  • padt-retry-timeout – Timeout value in seconds for PPPoE termination. 0 to 4294967295. Default = 1.
  • service-name – PPPoE service name.
  • ac-name – PPPoE AC name.
  • lcp-echo-interval – Interval in seconds allowed for PPPoE LCP echo. 0 to 4294967295. Default = 5.
  • lcp-max-echo-fails – Maximum number of missed LCP echo messages before disconnect. 0 to 4294967295. Default = 3.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

VXLAN support for multiple remote IPs (398959)

VXLAN is now supported for multiple remote IPs. These remote IPs can be IPv4 unicast, IPv6 unicast, IPv4 multicast, or IPv6 multicast. This is useful in datacenter scenarios where the FortiGate is configured with multiple tunnels to compute nodes.

CLI changes

The set ip-version option can be set to the following:

    ipv4-unicast    // Use IPv4 unicast addressing for VXLAN.
    ipv6-unicast    // Use IPv6 unicast addressing for VXLAN.
    ipv4-multicast  // Use IPv4 multicast addressing for VXLAN.
    ipv6-multicast  // Use IPv6 multicast addressing for VXLAN.

When ip-version is set to ipv4-multicast or ipv6-multicast, the ttl option is replaced by multicast-ttl.

VTEP (VXLAN Tunnel End Point) support (289354)

Native VXLAN is now supported by FortiOS. This feature is configurable from the CLI only:

Syntax

config system vxlan
    edit <vxlan1>          // VXLAN device name (unique name in system.interface).
        set interface      // Local outgoing interface.
        set vni            // VXLAN network ID.
        set ip-version     // IP version to use for the VXLAN device (4 or 6).
        set dstport        // VXLAN destination port, default is 4789.
        set ttl            // VXLAN TTL.
        set remote-ip      // Remote IP address of VXLAN.
    next
end

This will create a VXLAN interface:

show system interface vxlan1
config system interface
    edit "vxlan1"
        set vdom "root"
        set type vxlan
        set snmp-index 36
        set macaddr 8a:ee:1d:5d:ae:53
        set interface "port9"
    next
end

From the GUI, go to Network > Interfaces to verify the new VXLAN interface:

To diagnose your VXLAN configuration, from the CLI, use the following command:

diagnose sys vxlan fdb list vxlan1

This command provides information about the VXLAN forwarding database (fdb) associated with the vxlan1 interface. Below is a sample output:

mac=00:00:00:00:00:00 state=0x0082 flags=0x00
    remote_ip=2.2.2.2 remote_port=4789 remote_vni=1 remote_ifindex=19
total fdb num: 1

VXLAN support (289354)

Virtual Extensible LAN (VXLAN) is a network virtualization technology used in large cloud computing deployments. It encapsulates OSI layer 2 Ethernet frames within layer 3 IP packets using the standard destination port 4789. The VXLAN endpoints that terminate VXLAN tunnels, which can be virtual or physical switch ports, are known as VXLAN tunnel endpoints (VTEPs). For more information about VXLAN, see RFC 7348.
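
As an added example (not from the original page or from Fortinet), the VXLAN header described above, built and parsed in Python, together with the check a VTEP applies against its configured VNI and destination port (the vni and dstport settings shown in the VTEP section). The MAC addresses, VNI values and the inner frame are constructed test data.

```python
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port (RFC 7348); the FortiOS "set dstport" default
VXLAN_FLAG_I = 0x08     # "I" flag: VNI field is valid; every other flag bit is reserved (zero)

def build_inner_frame(dst_mac, src_mac, ethertype, payload):
    """Build a minimal inner Ethernet frame (dst, src, EtherType, payload)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload

# Constructed test frame: a broadcast ARP-sized frame from a made-up MAC address.
SAMPLE_FRAME = build_inner_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806, bytes(28))

def vxlan_encap(vni, inner_frame):
    """Prepend the 8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner_frame

def vxlan_decap(payload):
    """Parse a VXLAN UDP payload and return (vni, inner_frame); reject malformed input."""
    if len(payload) < 8 + 14:                 # header plus at least an Ethernet header
        raise ValueError("truncated VXLAN packet")
    flags, vni_word = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI-valid flag not set")
    if vni_word & 0xFF:                       # RFC 7348: reserved byte must be zero
        raise ValueError("non-zero reserved field")
    return vni_word >> 8, payload[8:]

def vtep_accepts(udp_dport, payload, vni, dstport=VXLAN_UDP_PORT):
    """Would a VTEP configured with these vni/dstport values accept this datagram?"""
    if udp_dport != dstport:
        return False
    try:
        return vxlan_decap(payload)[0] == vni   # other VNIs are dropped, not bridged
    except ValueError:
        return False

def outer_udp_length(inner_frame):
    """UDP length of the outer packet: 8-byte UDP header + 8-byte VXLAN header + frame."""
    return 8 + 8 + len(inner_frame)
```

Because the outer packet adds 8 (UDP) + 8 (VXLAN) bytes on top of the outer IP header, the transport path between VTEPs needs an MTU large enough to carry the full inner frame without fragmentation.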

Multiple PSK for WPA Personal (393320)

New CLI commands have been added under config wireless-controller vap to configure multiple WiFi Protected Access Pre-Shared Keys (WPA-PSKs). Per-device PSKs are more secure because all devices no longer have to share the same PSK.

Note that mpsk-concurrent-clients and the mpsk-key configuration method are only available when mpsk is set to enable.

CLI syntax

config wireless-controller vap
    edit <example>
        set mpsk {enable|disable}
        set mpsk-concurrent-clients [0-65535]        Default is 0.
        config mpsk-key
            edit <key-name>
                set passphrase <wpa-psk>
                set concurrent-clients [0-65535]     Default is empty.
                set comment <comments>
            next
        end
    next
end

Use the mpsk-concurrent-clients entry to set the maximum number of concurrent connected clients for each mpsk entry. Use the mpsk-key configuration method to configure multiple mpsk entries.

Controlled failover between wireless controllers

1+1 Wireless Controller HA

Failover between FortiAP units took too long and led to extended periods in which WiFi users were without a network connection. Because WiFi is considered a primary network connection in today's verticals (including enterprise, retail, education, warehousing, healthcare, government, and more), failover must succeed as fast as possible.

Primary and secondary ACs

You can now define the role of the primary and secondary controllers on the FortiAP unit, allowing the unit to decide the order in which the FortiAP selects the FortiGate. This process was previously decided on load-based detection, but can now be defined by each unit’s pre-determined priority. In addition, heartbeat intervals have been lowered to further improve FortiAP awareness and successful failover.

1+1 redundancy

1+1 HA is a form of resilience in which a component has a backup component that takes its place in the event of a failure, so that FortiAP units continue to be managed without long failover periods.

CLI syntax

config wireless-controller inter-controller
    set inter-controller-mode {disable | l2-roaming | 1+1}    Default is disable.
    set inter-controller-key <password>
    set inter-controller-pri {primary | secondary}            Default is primary.
    set fast-failover-max [3-64]                              Default is 10.
    set fast-failover-wait [10-86400]                         Default is 10.
    config inter-controller-peer
        edit <name>
            set peer-ip <ip-address>
            set peer-port [1024-49150]                        Default is 5246.
            set peer-priority {primary | secondary}           Default is primary.
        next
    end
end

FortiGate Logs can be sent to syslog servers in Common Event Format (CEF) (300128)

You can configure FortiOS to send log messages to remote syslog servers in CEF format. CEF is an open log management standard that provides interoperability of security-related information between different network devices and applications. CEF data can be collected and aggregated for analysis by enterprise management or Security Information and Event Management (SIEM) systems such as FortiSIEM.

FortiOS supports logging to up to four remote syslog servers. Each server can now be configured separately to send log messages in CEF or CSV format. Previously only CSV format was supported.

Use the following command to configure syslog3 to use CEF format:

config log syslog3 setting
    set format cef
end

All other syslog settings, including the server address and transport (UDP or TCP), can be configured as required, independently of the log message format. You can also configure filtering for both CEF and CSV formatted log messages.
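
As an added example (not from the original page or from Fortinet), a small Python parser for CEF records of the kind a SIEM collector applies to FortiGate syslog output: it splits the seven pipe-delimited header fields (honouring the backslash escapes for | and \), decodes the key=value extension, and filters on the header severity. The two sample lines are constructed in the FortiGate CEF layout; the FTNTFGTlogid key and the signature IDs are assumptions, not values taken from the page.

```python
import re

# Constructed sample records in the FortiGate CEF layout; not captured from a real device.
SAMPLE_LINES = [
    "CEF:0|Fortinet|Fortigate|v5.6.0|0000000013|traffic:forward close|3|"
    "deviceExternalId=FGT-EXAMPLE FTNTFGTlogid=0000000013 cat=traffic:forward "
    "src=10.0.1.25 spt=51234 dst=203.0.113.10 dpt=443 proto=6 act=close",
    "CEF:0|Fortinet|Fortigate|v5.6.0|0000000020|utm:webfilter ftgd_blk blocked|7|"
    "deviceExternalId=FGT-EXAMPLE cat=utm:webfilter src=10.0.1.25 dst=203.0.113.20 "
    "request=http://example.com/?a\\=1 msg=path C:\\\\temp",
]

def _split_header(text, nfields):
    """Split on unescaped '|' into nfields header values plus the raw extension."""
    parts, buf, i = [], [], 0
    while i < len(text) and len(parts) < nfields:
        if text[i] == "\\" and i + 1 < len(text):   # \| and \\ are the header escapes
            buf.append(text[i + 1])
            i += 2
        elif text[i] == "|":
            parts.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(text[i])
            i += 1
    if len(parts) < nfields:
        raise ValueError("CEF header needs %d pipe-delimited fields" % nfields)
    return parts + [text[i:]]   # remainder is the extension, still escaped

def _unescape_ext(value):
    """Extension values escape '=' and '\\' with a backslash; \\n and \\r mean line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Parse one CEF record into its seven header fields and a dict of extension keys."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    version, vendor, product, dev_ver, sig_id, name, severity, ext = _split_header(line[4:], 7)
    extension = {}
    # A new key starts after whitespace; '=' inside values must be escaped, so this split is safe.
    for token in re.split(r"\s+(?=[\w.\-]+=)", ext.strip()):
        if token:
            key, _, raw = token.partition("=")
            extension[key] = _unescape_ext(raw)
    return {"version": int(version), "vendor": vendor, "product": product, "device_version": dev_ver,
            "signature_id": sig_id, "name": name, "severity": severity, "extension": extension}

def high_severity(lines, threshold=7):
    """Names of records whose numeric severity is >= threshold (non-numeric severities are skipped)."""
    return [r["name"] for r in map(parse_cef, lines)
            if r["severity"].isdigit() and int(r["severity"]) >= threshold]
```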

Real time logging to FortiAnalyzer and FortiCloud

FortiOS 5.6.0 adds new real-time logging options for FortiAnalyzer in System > Security Fabric and for FortiCloud in Log & Report > Log Settings. The default is still an upload every 5 minutes, but the new options allow near real-time uploading with consistent high-speed compression and analysis.

For FortiAnalyzer, the CLI syntax to enable real-time is:

config log fortianalyzer setting
    set upload-option [realtime/1-minute/5-minute]
end

For FortiCloud:

config log fortiguard setting
    set upload-option [realtime/1-minute/5-minute]
end

Reliable Logging updated for real-time functionality (378937)

Previously, reliable logging was a feature for buffering and collecting logs for upload, to guarantee that no logs would be dropped before being passed to logging solutions. Reliable logging has been updated for 5.6.0 and is now enabled by default, so that real-time logs do not outpace upload speed.

It can be configured in the CLI with:

config log fortianalyzer setting
    set reliable [enable/disable]
end
