How to check FortiOS network settings


FortiOS network settings are present in both the web-based manager interface and the CLI. The following sections include troubleshooting and best-practice information. The network settings include:

  • Interface settings
  • DNS settings
  • DHCP Server settings


Interface settings

If you can access the FortiGate unit with the management cable only, the first step is to display the interface settings. To display the settings for the internal interface, use the following CLI command:

FGT# show system interface <Interface_name>

For a complete listing of all the possible interface settings, use the following CLI command:

config system interface
    edit <Interface_name>
        get
end

Check the interface settings to ensure they are not preventing traffic. Specific things to check include (only the web-based manager names are shown, CLI names may vary slightly):


  • Link Status — Down until a valid cable is plugged into this interface, after which it will be Up. The Link Status is shown physically by the connection LED for the interface. If it lights up green, it is a good connection. If Link Status is Down, the interface does not work. Link Status is also displayed on the System > Network > Interface screen by default.
  • Addressing mode — Do not use DHCP if you don’t have a DHCP server — you will not be able to log on to an interface in DHCP mode, as it will not have an IP address.
  • IP/Netmask — An interface needs an IP address to be able to connect to other devices. Ensure there is a valid IP address in this field. The one exception is if DHCP is enabled for this interface to get its IP address from an external DHCP server.
  • IPv6 address — The same protocol must be used by both ends to complete the connection. Ensure this interface and the remote connection are both using IPv4 or both using IPv6 addressing.
  • Administrative access — If no protocols are selected, you will have to use the local management cable to connect to the unit. If you are using IPv6, configure the IPv6 administrative access protocols.
  • Administrative status — Set to Up or the interface will not work.


DNS settings

While this section is not complicated, many networking problems can be traced back to DNS problems. Things to check in this area include:

  • Are there values for both primary and secondary entries?
  • Is the local domain name correct?
  • Are you using IPv6 addressing? If so, are the IPv6 DNS settings correct?
  • Are you using Dynamic DNS (DDNS)? If so, is it using the correct server, credentials, and interface?
  • Can you contact both DNS servers to verify the servers are operational?
  • If an interface addressing mode is set to DHCP and is set to override the internal DNS, is that interface receiving a valid DNS entry from the DHCP server? Is it a reasonable address and can it be contacted to verify it’s operational?
  • Are there any DENY security policies that need to allow DNS?
  • Can any internal device perform a successful traceroute to a location using the FQDN?


DHCP Server settings

DHCP Servers are common on internal and wireless networks. If the DHCP server is not configured properly it can cause problems. Things to check in this area include:

  • Is the DHCP server entry set to Relay? If so, verify there is another DHCP server to which requests can be relayed. Otherwise, it should be set to Server.
  • Is the DHCP server enabled?
  • Does this DHCP server use a valid range of IP addresses? Are those addresses in use by other devices? If one or more devices are using IP addresses in this range, you can use the IP reservation feature to ensure the DHCP server does not use these addresses.
  • Is there a gateway entry? Include a gateway entry to ensure clients of this server have a default route.
  • Is the system DNS setting being used? The best practice is to avoid confusion by using the system DNS whenever possible. However, the option to specify up to three custom DNS servers is available, and all three entries should be used for redundancy.

There are some situations, such as a new wireless interface, or during the initial FortiGate unit configuration, where interfaces override the system DNS entries. When this happens, it often shows up as intermittent Internet connectivity. To fix the problem, go to System > Network > DNS and make sure Use FortiGuard Servers is enabled.

This entry was posted in FortiOS, FortiOS 5.4 Handbook, How To on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
