Category Archives: FortiOS

How to verify FortiGuard connectivity

You can verify the FortiGuard connectivity in the License Information widget under System > Dashboard > Status. When FortiGate is connected to FortiGuard, a green check mark appears for available FortiGuard services.

From the CLI, execute ping against service.fortiguard.net and update.fortiguard.net.

 

Sample output:

FG100D# execute ping service.fortiguard.net
PING guard.fortinet.net (208.91.112.196): 56 data bytes
64 bytes from 208.91.112.196: icmp_seq=0 ttl=51 time=61.0 ms
64 bytes from 208.91.112.196: icmp_seq=1 ttl=51 time=60.0 ms
64 bytes from 208.91.112.196: icmp_seq=2 ttl=51 time=59.6 ms
64 bytes from 208.91.112.196: icmp_seq=3 ttl=51 time=58.9 ms
64 bytes from 208.91.112.196: icmp_seq=4 ttl=51 time=59.2 ms

--- guard.fortinet.net ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 58.9/59.7/61.0 ms

FG100D# execute ping update.fortiguard.net
PING fds1.fortinet.com (208.91.112.68): 56 data bytes
64 bytes from 208.91.112.68: icmp_seq=0 ttl=53 time=62.0 ms
64 bytes from 208.91.112.68: icmp_seq=1 ttl=53 time=61.8 ms
64 bytes from 208.91.112.68: icmp_seq=2 ttl=53 time=61.3 ms
64 bytes from 208.91.112.68: icmp_seq=3 ttl=53 time=61.9 ms
64 bytes from 208.91.112.68: icmp_seq=4 ttl=53 time=61.8 ms


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

How to check wireless information

Wireless connections, stations, and interfaces have different issues than other physical interfaces.

 

Troubleshooting station connection issue

To check whether a station entry has been created on the access controller:

FG600B3909600253 # diagnose wireless-controller wlac -d sta
* vf=0 wtp=70 rId=2 wlan=open ip=0.0.0.0 mac=00:09:0f:db:c4:03 rssi=0 idle=148 bw=0 use=2
vf=0 wtp=70 rId=2 wlan=open ip=172.30.32.122 mac=00:25:9c:e0:47:88 rssi=-40 idle=0 bw=9 use=2

 

Enable diagnostics for a particular station

This example uses the station MAC address to find where it is failing:

FG600B3909600253 # diagnose wireless-controller wlac sta_filter 00:25:9c:e0:47:88 1
Set filter sta 00:25:9c:e0:47:88 level 1
FG600B3909600253 # 71419.245 <ih> IEEE 802.11 mgmt::disassoc <== 00:25:9c:e0:47:88 vap open rId 1 wId 0 00:09:0f:db:c4:03
71419.246 <dc> STA del 00:25:9c:e0:47:88 vap open rId 1 wId 0
71419.246 <cc> STA_CFG_REQ(34) sta 00:25:9c:e0:47:88 del ==> ws (0-192.168.35.1:5246) rId 1 wId 0
71419.246 <cc> STA del 00:25:9c:e0:47:88 vap open ws (0-192.168.35.1:5246) rId 1 wId 0 00:09:0f:db:c4:03 sec open reason I2C_STA_DEL
71419.247 <cc> STA_CFG_RESP(34) 00:25:9c:e0:47:88 <== ws (0-192.168.35.1:5246) rc 0 (Success).



How to examine the firewall session list

One further step is to examine the firewall session list, which displays all the sessions the FortiGate unit has open. It lets you spot unusual patterns, such as no sessions other than from the internal network, or all sessions going to a single IP address.

When examining the firewall session list in the CLI, filters may be used to reduce the output. In the web-based manager, the filters are part of the interface.

 

To examine the firewall session list – web-based manager

  • Go to System > FortiView> All Sessions.

 

To examine the firewall session list – CLI

When examining the firewall session list, there may be too many sessions to display. In this case it will be necessary to limit or filter the sessions displayed by source or destination address, or NATed address or port. If you want to filter by more than one of these, you need to enter a separate line for each value.

 

The following example shows filtering the session list based on a source address of 10.11.101.112.

FGT# diag sys session filter src 10.11.101.112
FGT# diag sys session list

The following example shows filtering the session list based on a destination address of 172.20.120.222.

FGT# diag sys session filter dst 172.20.120.222
FGT# diag sys session list

 

To clear all sessions corresponding to a filter – CLI

FGT# diag sys session filter dst 172.20.120.222
FGT# diag sys session clear

 

Check source NAT information

Remember NAT when troubleshooting connections. NAT is especially important if you are troubleshooting from the remote end of the connection outside the FortiGate unit firewall. On the dashboard session list, pay attention to Src address after NAT, and Src port after NAT. These columns display the IP and port values after NAT has been applied.

The NAT values can be helpful to ensure they are the values you expect, and to ensure the remote end of the sessions can see the expected IP address and port number.

When displaying the session list in the CLI, you can match the NATed source address (nsrc) and port (nport). This can be useful if multiple internal IP addresses are NATed to a common external facing source IP address.

FGT# diag sys session filter nsrc 172.20.120.122
FGT# diag sys session filter nport 8888
FGT# diag sys session list



How to check number of sessions used by UTM proxy

Each FortiGate model has a set limit of the maximum number of sessions the UTM proxy supports. The UTM proxy handles all the traffic for the following protocols: HTTP, SMTP, POP3, IMAP, FTP, and NNTP. If the proxy for a protocol fills up its session table, the FortiGate unit will enter conserve mode, where it behaves differently, until entries and memory free up again.

 

Conserve or failopen mode

Once you reach the limit, depending on your FortiGate unit’s conserve mode configuration, no new sessions are created until old ones end. You can configure your FortiGate unit’s behavior when memory is running low or the proxy connection limit has been reached. There are two related commands for this in the CLI:

config system global
set av-failopen-session {enable | disable}
set av-failopen {idledrop | off | one-shot | pass}
end

av-failopen-session must be enabled to set the behavior for these conditions. When it is enabled, and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and behaves as defined by the av-failopen command.

av-failopen determines the behavior of the proxy until entries are free in the session table again for that proxy.

  • idledrop — This option removes idle sessions from the session table, starting with the clients that have the most sessions currently open. This method assumes that idle sessions are not being used and that closing them will not cause problems. This is usually true, but some applications may have problems with this and start complaining about not having a session or not being able to open one. If this occurs, try another method to check whether this is really the problem. This is a secure option, as no unscanned traffic is allowed to pass.
  • off — This option stops accepting any new AV sessions, but continues to process any existing AV sessions that are currently active. All the protocols listed (HTTP, SMTP, POP3, IMAP, FTP, and NNTP) are scanned by FortiGate Antivirus. If AV scanning is enabled, av-failopen off is selected, and the proxy session table fills up, then no new sessions of that type will be accepted. For example, if the POP3 session table is full and email AV scanning is enabled, no more POP3 connections will be allowed until the session table gets some free space. This is a secure option because no unscanned traffic is allowed to pass.
  • one-shot — When memory is low, bypass the antivirus system. The name one-shot comes from the fact that once you are in one-shot av-failopen mode, you must set av-failopen to either pass or off to restart AV scanning. This is a very insecure option because it allows all traffic through without AV scanning, and it never reverts to normal without manual intervention.
  • pass — When memory is low, bypass the antivirus system much as one-shot does. The difference is that when memory is freed up, the system starts AV scanning again automatically. This is an insecure option because it allows traffic to pass without AV scanning. However, it is better than one-shot because it automatically restarts AV scanning when possible.

If the proxy session table is full for one or more protocols and your FortiGate unit enters into conserve or failopen mode, it will appear as if you have lost connections, network services are intermittent or non-existent, and yet other services work normally for a while until their sessions end and they join the queue of session-starved applications.

 

Checking sessions in use

To make troubleshooting this type of problem easier, sessions are broken down by which protocol they use. This provides you with statistics and errors specific to one of the protocols.

Due to the amount of output from this command, you should connect to the CLI with a terminal program, such as PuTTY, that logs output. Otherwise, you will likely not be able to access all the output from the command.

In the following output, only the HTTP entries are displayed. The other protocols have been removed in an attempt to shorten the output. There will be separate entries for each supported protocol (HTTP, SMTP, POP3, IMAP, FTP, and NNTP) in each section of the output.

 

To check sessions in use and related errors – CLI

FGT# get test proxyworker 4
Worker[0] HTTP Common
Current Connections 8/8032
Max Concurrent Connections 76
Worker Stat
Running time (HH:MM:SS:usec) 29:06:27:369365
Time in loop scanning 2:08:000198
Error Count (accept) 0
Error Count (read) 0
Error Count (write) 0
Error Count (poll) 0
Error Count (alloc) 0
Last Error 0
Acceptor Read 6386
Acceptor Write 19621
Acceptor Close 0

HTTP Stat
Bytes sent 667012 (kb)
Bytes received 680347 (kb)
Error Count (alloc) 0
Error Count (accept) 0
Error Count (bind) 0
Error Count (connect) 0
Error Count (socket) 0
Error Count (read) 134
Error Count (write) 0
Error Count (retry) 40
Error Count (poll) 0
Error Count (scan reset) 2
Error Count (urlfilter wait) 3
Last Error 104
Web responses clean 17950
Web responses scan errors 23
Web responses detected 16
Web responses infected with worms 0
Web responses infected with viruses 0
Web responses infected with susp 0
Web responses file blocked 0
Web responses file exempt 0
Web responses bannedword detected 0
Web requests oversize pass 16
Web requests oversize block 0
Last Server Scan errors 102
URL requests exempt 0
URL requests blocked 0
URL requests passed 0
URL requests submit error 0
URL requests rating error 0
URL requests rating block 0
URL requests rating allow 10025
URL requests infected with worms 0
Web requests detected 0
Web requests file blocked 0
Web requests file exempt 0
POST requests clean 512
POST requests scan errors 0
POST requests infected with viruses 0
POST requests infected with susp 0
POST requests file blocked 0
POST requests bannedword detected 0
POST requests oversize pass 0
POST requests oversize block 0
Web request backlog drop 0
Web response backlog drop 0

Worker Accounting
poll=721392/649809/42 pollfail=0 cmdb=85 scan=19266 acceptor=25975

HTTP Accounting
setup_ok=8316 setup_fail=0 conn_ok=0 conn_inp=8316 urlfilter=16553/21491/20 uf_lookupf=0
scan=23786 clt=278876 srv=368557

SMTP Accounting
setup_ok=12 setup_fail=0 conn_ok=0 conn_inp=12
scan=12 suspend=0 resume=0 reject=0 spamadd=0 spamdel=0 clt=275 srv=279

POP3 Accounting
setup_ok=30 setup_fail=0 conn_ok=0 conn_inp=30 scan=3 clt=5690 srv=5836

IMAP Accounting
setup_ok=0 setup_fail=0 conn_ok=0 conn_inp=0 scan=0 clt=0 srv=0

FTP Accounting
setup_ok=0 setup_fail=0 conn_ok=0 conn_inp=0
scan=0 clt=0 srv=0 datalisten=0 dataclt=0 datasrv=0

NNTP Accounting
setup_ok=0 setup_fail=0 conn_ok=0 conn_inp=0 scan=0 clt=0 srv=0

 

The output from this command falls into the following sections:

 

  • HTTP Common current connections — There is an entry for each protocol that displays the connections currently used and the maximum connections allowed. This maximum is for the UTM proxy as a whole, which means the connections of all protocols combined cannot exceed this number; accordingly, the maximum session count shown for each protocol is the same. You may also see a line titled Max Concurrent Connections for each protocol. This number is the maximum number of connections of this type allowed at one time. If VDOMs are enabled, this value is defined either at the global or the per-VDOM level at VDOM > Global Resources.
  • Worker Stat — Statistics about the UTM proxy, including how long it has been running and how many errors it has encountered.
  • HTTP Stat — This section includes statistics about the HTTP protocol proxy. This is a very extensive list covering errors, web responses, and any UTM positive matches. There are similar sections for each protocol, but the specific entries in each vary based on what UTM scanning is looking for in that protocol — spam control for email, file transfer blocking for FTP, and so on.
  • Worker Accounting — Lists accounting information about the UTM proxy such as polling statistics, how many sessions were scanned, and how many were just accepted. This information can tell you whether the expected AV scanning is taking place. Under normal operation there should be no errors or failures.
  • HTTP Accounting — The accounting sections for each protocol provide information about successful session creation, failures, how many sessions are being scanned or filtered, and how many are client or server originated. If setup_fail is larger than zero, run the command again to see if it is increasing quickly. If it is, your FortiGate unit may be in conserve mode.
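As an added illustration (not code from the original post or from Fortinet), the following Python parses two snapshots of `get test proxyworker 4` output, reports how close each protocol's proxy is to its session limit, and flags a setup_fail counter that grew between the two runs, which is the check the last bullet describes. The sample text is constructed: the HTTP figures are the ones above, the POP3 block is made up so that both warnings fire.

```python
import re

# Constructed excerpt in the shape of `get test proxyworker 4` output. The HTTP
# figures are the ones shown on this page; the POP3 block is made up so that
# both warning paths fire. Not a live capture.
SNAPSHOT_1 = """\
Worker[0] HTTP Common
Current Connections 8/8032
Max Concurrent Connections 76
Worker Stat
Error Count (accept) 0
Worker[0] POP3 Common
Current Connections 7900/8032
Max Concurrent Connections 8032
HTTP Accounting
setup_ok=8316 setup_fail=0 conn_ok=0 conn_inp=8316 urlfilter=16553/21491/20 uf_lookupf=0
scan=23786 clt=278876 srv=368557
POP3 Accounting
setup_ok=30 setup_fail=4 conn_ok=0 conn_inp=30 scan=3 clt=5690 srv=5836
"""
# Second run of the same command a little later: only POP3 setup_fail moved.
SNAPSHOT_2 = SNAPSHOT_1.replace("setup_fail=4 ", "setup_fail=37 ")

COMMON_RE = re.compile(r"^(?:Worker\[\d+\]\s+)?(\w+)\s+Common$")
ACCT_RE = re.compile(r"^(\w+)\s+Accounting$")
CONN_RE = re.compile(r"^Current Connections\s+(\d+)/(\d+)$")
KV_RE = re.compile(r"(\w+)=(\d+)(?=\s|$)")   # skips a/b/c style counters

def parse_proxyworker(text):
    """Return {protocol: {'cur', 'max', 'setup_ok', 'setup_fail', ...}}."""
    stats, section, proto = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        m = COMMON_RE.match(line) or ACCT_RE.match(line)
        if m:
            proto = m.group(1)
            section = "common" if line.endswith("Common") else "acct"
            stats.setdefault(proto, {})
            continue
        if line.endswith(" Stat"):   # "Worker Stat" / "HTTP Stat" blocks are not needed here
            section = None
            continue
        if proto is None or section is None:
            continue
        if section == "common":
            c = CONN_RE.match(line)
            if c:
                stats[proto]["cur"], stats[proto]["max"] = int(c[1]), int(c[2])
        else:
            for key, val in KV_RE.findall(line):
                stats[proto][key] = int(val)
    return stats

def assess(prev, cur, warn_pct=80):
    """Flag protocols near the proxy session limit (conserve mode ahead) or
    whose setup_fail counter grew between two snapshots."""
    warnings = []
    for proto, s in cur.items():
        if s.get("max"):
            pct = 100 * s["cur"] / s["max"]
            if pct >= warn_pct:
                warnings.append(f"{proto}: {s['cur']}/{s['max']} proxy sessions ({pct:.0f}%)")
        delta = s.get("setup_fail", 0) - prev.get(proto, {}).get("setup_fail", 0)
        if delta > 0:
            warnings.append(f"{proto}: setup_fail rose by {delta} between snapshots")
    return warnings

if __name__ == "__main__":
    for w in assess(parse_proxyworker(SNAPSHOT_1), parse_proxyworker(SNAPSHOT_2)):
        print(w)
```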

 

Related commands

To dump memory usage:

# get test proxyworker 1

 

To display statistics per VDOM:

# get test proxyworker 4444

 

To restart the proxy:

# get test proxyworker 99



How to check the bridging information in Transparent mode

When FortiOS is in Transparent mode, the unit acts like a bridge sending all incoming traffic out on the other interfaces. The bridge is between interfaces on the FortiGate unit.

Each bridge listed is a link between interfaces. Where traffic is flowing between interfaces, you expect to find bridges listed. If you are having connectivity issues, and there are no bridges listed, that is a likely cause. Check for the MAC address of the interface or device in question.

 

How to check the bridging information

To list the existing bridge instances on the FortiGate unit, use the following command:

diagnose netlink brctl list

 

Sample output:

# diagnose netlink brctl list
list bridge information
1. b fdb: size=256 used=6 num=7 depth=2 simple=no
Total 1 bridges

 

How to display forwarding domain information

Forwarding domains, or collision domains, are used in routing to limit where packets are forwarded on the network. Layer-2 broadcasts are limited to the same group. By default, all interfaces are in group 0. For example, if the FortiGate unit has 12 interfaces, only two may be in the same forwarding domain, which will limit packets that are broadcast to only those two interfaces. This reduces traffic on the rest of the network.

Collision domains prevent the forwarding of ARP packets to all VLANs on an interface. Without collision domains, duplicate MAC addresses on VLANs may cause ARP packets to be duplicated. Duplicate ARP packets can cause some switches to reset. It is important to know what interfaces are part of which forwarding domains as this determines which interfaces can communicate with each other.

To manually configure forwarding domains in Transparent mode, use the following FortiOS CLI command:

config system interface
edit <interface_name>
set forward-domain <integer>
end

 

To display the information for forward domains

Use the following command:

diagnose netlink brctl domain <name> <id>

where <name> is the name of the forwarding domain to display and <id> is the domain id.

 

Sample output

diagnose netlink brctl domain ione 101
show bridge root.b ione forward domain.
id=101 dev=trunk_1 6

 

To list the existing bridge MAC table, use the following command:

diagnose netlink brctl name host <name>

 

Sample output

show bridge control interface root.b host.
fdb: size=256, used=6, num=7, depth=2, simple=no
Bridge root.b host table
port  no device  devname   mac addr           ttl  attributes
2     7          wan2      02:09:0f:78:69:00  0    Local Static
5     6          vlan_1    02:09:0f:78:69:01  0    Local Static
3     8          dmz       02:09:0f:78:69:01  0    Local Static
4     9          internal  02:09:0f:78:69:02  0    Local Static
3     8          dmz       00:80:c8:39:87:5a  194
4     9          internal  02:09:0f:78:67:68  8
1     3          wan1      00:09:0f:78:69:fe  0    Local Static
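As an added example (not from the original post or from Fortinet), this Python parses the host table above and answers the question the text poses: on which port and interface a given MAC address was learned, whether it is one of the bridge's own local addresses or a dynamically learned host, and whether any MAC shows up on more than one interface. The embedded table is constructed from the sample output on this page.

```python
import re

# Constructed from the `diagnose netlink brctl name host` sample on this page.
HOST_TABLE = """\
show bridge control interface root.b host.
fdb: size=256, used=6, num=7, depth=2, simple=no
Bridge root.b host table
port no device devname mac addr ttl attributes
2 7 wan2 02:09:0f:78:69:00 0 Local Static
5 6 vlan_1 02:09:0f:78:69:01 0 Local Static
3 8 dmz 02:09:0f:78:69:01 0 Local Static
4 9 internal 02:09:0f:78:69:02 0 Local Static
3 8 dmz 00:80:c8:39:87:5a 194
4 9 internal 02:09:0f:78:67:68 8
1 3 wan1 00:09:0f:78:69:fe 0 Local Static
"""

# port, device number, device name, MAC, ttl, then zero or more attribute words
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+)\s*(.*?)\s*$",
    re.IGNORECASE)

def parse_host_table(text):
    """Return one dict per forwarding-table row; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"port": int(m[1]), "dev": int(m[2]), "devname": m[3],
                         "mac": m[4].lower(), "ttl": int(m[5]), "attrs": m[6].split()})
    return rows

def locate_mac(rows, mac):
    """Which interface(s) a MAC sits behind. 'local' rows are the bridge's own
    interface addresses; 'learned' rows are hosts seen on that port, with ttl
    counting down until the entry ages out."""
    mac = mac.lower()
    return [(r["devname"], "local" if "Local" in r["attrs"] else "learned", r["ttl"])
            for r in rows if r["mac"] == mac]

def multi_port_macs(rows):
    """MACs present on more than one interface: for learned entries this is the
    duplicate-MAC situation the forwarding-domain text warns about."""
    seen = {}
    for r in rows:
        seen.setdefault(r["mac"], []).append(r["devname"])
    return {mac: devs for mac, devs in seen.items() if len(devs) > 1}

if __name__ == "__main__":
    table = parse_host_table(HOST_TABLE)
    print(locate_mac(table, "00:80:C8:39:87:5A"))
    print(multi_port_macs(table))
```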

 

 

To list the existing bridge port list, use this command:

diagnose netlink brctl name port <name>

 

Sample output:

show bridge root.b data port.
trunk_1 peer_dev=0
internal peer_dev=0
dmz peer_dev=0
wan2 peer_dev=0
wan1 peer_dev=0



How to verify the correct firewall policy is being used

If you have more than one firewall policy, use the Count column to check which policy is being used: the count for the matching policy must increase as traffic flows. To do so, go to the Policy & Objects > Policy page.

Debugging the packet flow in the CLI also shows the ID of the policy that allows the traffic.

 

Sample output:

id=13 trace_id=1 func=fw_forward_handler line=650 msg="Allowed by Policy-14: SNAT"

For more information on debugging the packet flow, see How to debug the packet flow.



How to verify the correct route is being used

If you have more than one default route and want to make sure that traffic is flowing via the expected route, run a trace route from a machine on the local area network; the output shows the first hop that the traffic goes through.

 

Sample output:

C:\>tracert www.fortinet.com

Tracing route to www.fortinet.com [66.171.121.34]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 10.10.1.99
2 1 ms <1 ms <1 ms 172.20.120.2
3 3 ms 3 ms 3 ms static-209-87-254-221.storm.ca [209.87.254.221]
4 3 ms 3 ms 3 ms core-2-g0-2.storm.ca [209.87.239.129]
5 13 ms 13 ms 13 ms core-3-bdi1739.storm.ca [209.87.239.199]
6 12 ms 19 ms 11 ms v502.core1.tor1.he.net [216.66.41.113]
7 22 ms 22 ms 21 ms 100ge1-2.core1.nyc4.he.net [184.105.80.9]
8 84 ms 84 ms 84 ms ny-paix-gni.twgate.net [198.32.118.41]
9 82 ms 84 ms 82 ms 217-228-160-203.TWGATE-IP.twgate.net [203.160.228.217]
10 82 ms 81 ms 82 ms 229-228-160-203.TWGATE-IP.twgate.net [203.160.228.229]
11 82 ms 82 ms 82 ms 203.78.181.2
12 84 ms 83 ms 83 ms 203.78.186.70
13 84 ms * 85 ms 66.171.127.177
14 84 ms 84 ms 84 ms fortinet.com [66.171.121.34]
15 84 ms 84 ms 83 ms fortinet.com [66.171.121.34]

Trace complete.

In this scenario, the first hop contains the IP address 10.10.1.99, which is the internal interface of the FortiGate. The second hop contains the IP address 172.20.120.2, to which the wan1 interface of the FortiGate is connected, so we can conclude that the route via wan1 interface is being used for this traffic.

 

Debugging the packet flow in the CLI also shows the route taken for each session.

 

Sample output:

id=20085 trace_id=319 func=vf_ip4_route_input line=1597 msg="find a route: gw-172.20.120.2 via wan1"

For more information on debugging the packet flow, see How to debug the packet flow.
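The two checks above (the policy ID in the "Allowed by Policy-14" debug line and the route in the "find a route" debug line) can be tied to what the LAN host sees in tracert. As an added example that is not part of the original post or Fortinet's tooling, this Python parses both outputs and reports any mismatch between the host's first two hops, the gateway and egress interface the FortiGate chose, and the policy you expect to match; the sample text is constructed from the addresses on this page.

```python
import re

# Constructed samples modelled on the tracert and debug flow output shown on
# this page; the addresses are the ones from the page, not a live capture.
TRACERT = """\
Tracing route to www.fortinet.com [66.171.121.34]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.10.1.99
  2     1 ms    <1 ms    <1 ms  172.20.120.2
  3     3 ms     3 ms     3 ms  static-209-87-254-221.storm.ca [209.87.254.221]
 13    84 ms     *       85 ms  66.171.127.177
"""
DEBUG_FLOW = """\
id=20085 trace_id=319 func=vf_ip4_route_input line=1597 msg="find a route: gw-172.20.120.2 via wan1"
id=13 trace_id=1 func=fw_forward_handler line=650 msg="Allowed by Policy-14: SNAT"
"""

# hop number, three RTT columns ("<1 ms", "84 ms" or "*"), then host and optional [ip]
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(?:<?\d+ ms|\*)\s+){3}(\S+)(?:\s+\[([\d.]+)\])?\s*$")
ROUTE_RE = re.compile(r'msg="find a route: gw-([\d.]+) via (\S+)"')
POLICY_RE = re.compile(r'msg="Allowed by Policy-(\d+): ([^"]*)"')

def parse_tracert(text):
    """Return [(hop_number, ip)] from Windows tracert output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m[1]), m[3] or m[2]))
    return hops

def parse_debug_flow(text):
    """Pull the chosen gateway/egress interface and the matching policy out of
    debug flow trace lines."""
    found = {}
    for line in text.splitlines():
        r = ROUTE_RE.search(line)
        if r:
            found["gateway"], found["interface"] = r[1], r[2]
        p = POLICY_RE.search(line)
        if p:
            found["policy_id"], found["policy_action"] = int(p[1]), p[2]
    return found

def verify_path(hops, flow, lan_ip, expected_interface, expected_policy_id):
    """Cross-check the LAN host's view (first two hops) against what the
    FortiGate itself reports; return a list of discrepancies (empty = OK)."""
    by_hop = dict(hops)
    problems = []
    if by_hop.get(1) != lan_ip:
        problems.append(f"first hop {by_hop.get(1)} is not the FortiGate LAN interface {lan_ip}")
    if by_hop.get(2) != flow.get("gateway"):
        problems.append(f"second hop {by_hop.get(2)} differs from FortiGate gateway {flow.get('gateway')}")
    if flow.get("interface") != expected_interface:
        problems.append(f"traffic leaves via {flow.get('interface')}, expected {expected_interface}")
    if flow.get("policy_id") != expected_policy_id:
        problems.append(f"matched policy {flow.get('policy_id')}, expected {expected_policy_id}")
    return problems

if __name__ == "__main__":
    flow = parse_debug_flow(DEBUG_FLOW)
    print(verify_path(parse_tracert(TRACERT), flow, "10.10.1.99", "wan1", 14))
```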



How to check the logs

This step in troubleshooting can be forgotten, but it's an important one. Logging records the traffic passing through the FortiGate unit to your network and what action the FortiGate unit took while scanning that traffic. This recorded information is called a log message.

When you configure FortiOS initially, log as much information as you can. If needed, logging of unused features can be turned off or scaled back if the logs generated are too large.

As with most troubleshooting steps, before you can determine if the logs indicate a problem, you need to know what logs result from normal operation. Without a baseline it is difficult to properly troubleshoot.

When troubleshooting with log files:

  • Compare current logs to a recorded baseline of normal operation.
  • If needed increase the level of logging (such as from Warning to Information) to obtain more information.

When increasing logging levels, ensure that alert email is configured and both disk usage and log quota are selected. This ensures you will be notified if the increased logging causes problems. You can also use Logging Monitor (located in Log&Report > Monitor > Logging volume Monitor) to determine the activities that generate the most log entries.

  • Check all logs to ensure important information is not overlooked.
  • Filter or order log entries based on different fields (such as level, service, or IP address) to look for patterns that may indicate a specific problem (such as frequent blocked connections on a specific port for all IP addresses).

Logs will help identify and locate any problems, but they will not solve the problems. The job of logs is to speed up your problem solving and save you time and effort.

For more information on Logging and Log Reports, see the Logging and Reporting handbook chapter.

