
FortiGate VM High Availability Hyper-V configuration

High Availability Hyper-V configuration

Promiscuous mode and support for MAC address spoofing is required for FortiGate-VM for Hyper-V to support FortiGate Clustering Protocol (FGCP) high availability (HA). By default the FortiGate-VM for Hyper-V has promiscuous mode enabled in the XML configuration file in the FortiGate-VM Hyper-V image. If you have problems with HA mode, confirm that this is still enabled.

In addition, the FGCP applies virtual MAC addresses to FortiGate data interfaces, so the matching interfaces of different FortiGate-VM instances end up with the same virtual MAC address. You therefore have to configure Hyper-V to allow MAC spoofing, but only for FortiGate-VM data interfaces. You should not enable MAC spoofing for FortiGate HA heartbeat interfaces.

With promiscuous mode enabled and the correct MAC spoofing settings you should be able to configure HA between two or more FortiGate-VM for Hyper-V instances.
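The per-adapter MAC spoofing split described above (on for data interfaces, off for heartbeat interfaces), done with the Hyper-V PowerShell module rather than the Hyper-V Manager GUI. This is an added example and not Fortinet's code; the VM name and the adapter names port1..port4 are assumptions (Hyper-V adapters get whatever name you give them at creation, and which adapters are data and which are heartbeat depends on your FortiGate HA configuration).

```powershell
# Added example, not Fortinet's code: per-adapter MAC spoofing for one FGCP cluster
# member on Hyper-V. The VM name and the adapter names (port1..port4) are assumptions.
$VMName            = 'FGT-VM-01'
$DataAdapters      = @('port1', 'port2')   # FortiGate data interfaces (carry the FGCP virtual MAC)
$HeartbeatAdapters = @('port3', 'port4')   # FortiGate HA heartbeat interfaces

function Set-FgtMacSpoofing {
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [string[]] $DataAdapters      = @(),
        [string[]] $HeartbeatAdapters = @()
    )

    # Data interfaces: every cluster member sends from the same virtual MAC, so the
    # virtual switch has to accept frames whose source MAC is not the adapter's own.
    foreach ($name in $DataAdapters) {
        Set-VMNetworkAdapter -VMName $VMName -Name $name -MacAddressSpoofing On
    }

    # Heartbeat interfaces: explicitly Off. Nothing on the heartbeat link needs a
    # spoofed source MAC, so the switch keeps rejecting such frames there.
    foreach ($name in $HeartbeatAdapters) {
        Set-VMNetworkAdapter -VMName $VMName -Name $name -MacAddressSpoofing Off
    }

    # Sanity check: spoofing must be On only on the adapters we listed as data interfaces.
    $unexpected = Get-VMNetworkAdapter -VMName $VMName |
        Where-Object { $_.MacAddressSpoofing -eq 'On' -and $_.Name -notin $DataAdapters }
    if ($unexpected) {
        Write-Warning "MAC spoofing is On for non-data adapter(s): $($unexpected.Name -join ', ')"
    }

    # Return the effective state for review.
    Get-VMNetworkAdapter -VMName $VMName |
        Select-Object Name, SwitchName, MacAddressSpoofing
}

Set-FgtMacSpoofing -VMName $VMName -DataAdapters $DataAdapters -HeartbeatAdapters $HeartbeatAdapters |
    Format-Table -AutoSize
```

Run this on the Hyper-V host (or over a PowerShell remoting session to it) for each cluster member; the final table should show On only on the data adapters and Off everywhere else.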

Start the FortiGate VM

You can now proceed to power on your FortiGate VM. Select the name of the FortiGate VM in the list of virtual machines, right-click, and select Start in the menu. Optionally, you can select the name of the FortiGate VM in the list of virtual machines and select Start in the Actions menu.


FortiGate VM Deployment example – MS Hyper-V

Deployment example – MS Hyper-V

Once you have downloaded the FGT_VMxx_HV-v5-build0xxx-FORTINET.out.hyperv.zip file and extracted the package contents to a folder on your Microsoft server, you can deploy the VHD package to your Microsoft Hyper-V environment.

The following topics are included in this section:

Create the FortiGate VM virtual machine

Configure FortiGate VM hardware settings

Create the FortiGate VM virtual machine

To create the FortiGate VM virtual machine:

  1. Launch the Hyper-V Manager in your Microsoft server.

The Hyper-V Manager home page opens.

  2. Select the server in the right-tree menu. The server details page is displayed.
  3. Right-click the server and select New and select Virtual Machine from the menu. Optionally, in the Actions menu, select New and select Virtual Machine from the menu.

The New Virtual Machine Wizard opens.

  4. Select Next to create a virtual machine with a custom configuration.

The Specify Name and Location page is displayed.

  5. Enter a name for this virtual machine. The name is displayed in the Hyper-V Manager.

Select Next to continue. The Assign Memory page is displayed.

  6. Specify the amount of memory to allocate to this virtual machine. The default memory for FortiGate VM is 1GB (1024MB).

Select Next to continue. The Configure Networking page is displayed.

  7. Each new virtual machine includes a network adapter. You can configure the network adapter to use a virtual switch, or it can remain disconnected. FortiGate VM requires four network adapters. You must configure the network adapters in the Settings page.

Select Next to continue. The Connect Virtual Hard Disk page is displayed.

  8. Select to use an existing virtual hard disk and browse for the vhd file that you downloaded from the Fortinet Customer Service & Support portal.

Select Next to continue. The Summary page is displayed.

  9. To create the virtual machine and close the wizard, select Finish.

Configure FortiGate VM hardware settings

Before powering on your FortiGate VM you must configure the virtual memory, virtual CPU, and virtual disk configuration to match your FortiGate VM license.

To configure settings for FortiGate VM on the server:

  1. In the Hyper-V Manager, locate the name of the virtual machine, right-click the entry, and select Settings from the menu. Optionally, you can select the virtual machine and select Settings in the Actions menu.

The Settings page is displayed.

  2. Configure virtual processors, network adapters, and virtual hard drive settings.
  3. Select Apply to save the settings and then select OK to close the settings page.

FortiGate VM virtual processors

You must configure FortiGate VM virtual processors in the server settings page. The number of processors is dependent on your server environment.

Configure FortiGate VM virtual processors:

  1. In the Settings page, select Processor from the Hardware menu.

The Processor page is displayed.

  2. Configure the number of virtual processors for the FortiGate VM virtual machine. Optionally, you can use resource controls to balance resources among virtual machines.
  3. Select Apply to save the settings.

FortiGate VM network adapters

You must configure FortiGate VM network adapters in the server settings page. FortiGate VM supports four network adapters.

Configure FortiGate VM network adapters:

  1. In the Settings page, select Add Hardware from the Hardware menu, select Network Adapter in the device list, and select the Add button.

The Network Adapter page is displayed.

  2. You must manually configure four network adapters for FortiGate VM in the settings page. For each network adapter, select the virtual switch from the drop-down list.
  3. Select Apply to save the settings.

FortiGate VM virtual hard disk

You must configure the FortiGate VM virtual hard disk in the server settings page.

If you know your environment will expand in the future, it is recommended to increase the hard disk size beyond 30GB. The VM license limit is 2TB.

Configure a FortiGate VM virtual hard drive:

  1. In the Settings page, select IDE Controller 0 > Hard Drive from the Hardware menu.

The Hard Drive page is displayed.

  2. Select New to create a new virtual hard disk.

The New Virtual Hard Disk Wizard opens.

  3. This wizard helps you to create a new virtual hard disk.

Select Next to continue. The Choose Disk Format page opens.

  4. Select to use VHDX format virtual hard disks. This format supports virtual disks up to 64TB and is resilient to consistency issues that might occur from power failures. This format is not supported in operating systems earlier than Windows Server 2012. Note that FortiGate-VM does not support hard disks larger than 2TB.

Select Next to continue. The Choose Disk Type page opens.

  5. Select the type of virtual disk you want to use. Select one of the following disk types:
    • Fixed size: This type of disk provides better performance and is recommended for servers running applications with high levels of disk activity. The virtual hard disk file that is created initially uses the size of the virtual hard disk and does not change when data is deleted or added.
    • Dynamic expanding: This type of disk provides better use of physical storage space and is recommended for servers running applications that are not disk intensive. The virtual disk file that is created is small initially and changes as data is added.
    • Differencing: This type of disk is associated in a parent-child relationship with another disk that you want to leave intact. You can make changes to the data or operating system without affecting the parent disk, so that you can revert the changes easily. All children must have the same virtual hard disk format as the parent (VHD or VHDX).

Select Next to continue. The Specify Name and Location page opens.

  6. Specify the name and location of the virtual hard disk file. Use the Browse button to select a specific file folder on your server.

Select Next to continue. The Configure Disk page opens.

  7. Select to Create a new blank virtual hard disk and enter the size of the disk in GB. The maximum size is dependent on your server environment.

Select Next to continue. The Summary page opens.

  8. The summary page provides details of the virtual hard disk. Select Finish to create the virtual hard disk.
  9. Select Apply to save the settings and select OK to exit the settings page.
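The same deployment, from creating the virtual machine through the processor, network adapter and hard disk settings described in this section, done with the Hyper-V PowerShell module. This is an added example, not Fortinet's code or a Fortinet-documented procedure: the VM name, the extraction folder, the fortios.vhd file name, the virtual switch names, and the vCPU and memory values are assumptions, and the last two must be kept within the licensed range of your FortiGate VM model.

```powershell
# Added example, not Fortinet's code: create the FortiGate-VM on Hyper-V with the
# Hyper-V PowerShell module, following the wizard and hardware settings steps above.
# All names, paths and sizes below are assumptions for this example.
$VMName    = 'FGT-VM-01'
$VhdDir    = 'C:\FortiGate\Virtual Hard Disks'     # folder the package was extracted to (assumed)
$SystemVhd = Join-Path $VhdDir 'fortios.vhd'       # system disk from the package (file name assumed)
$LogVhd    = Join-Path $VhdDir 'DATADRIVE.vhd'     # log disk shipped in the package
$Switches  = @('vSwitch-WAN', 'vSwitch-LAN', 'vSwitch-DMZ', 'vSwitch-HA')  # one switch per adapter (assumed)
$vCpuCount = 2      # keep within the licensed range of your model
$MemoryMB  = 2048   # likewise; the wizard default is 1024 MB

# Generation 1 VM with the system disk on IDE Controller 0, as in the wizard.
# New-VM also creates the first network adapter, connected here to the first switch.
New-VM -Name $VMName -Generation 1 -MemoryStartupBytes ($MemoryMB * 1MB) `
       -VHDPath $SystemVhd -SwitchName $Switches[0] | Out-Null

# Hardware settings: vCPU count and the log disk on IDE Controller 0, location 1.
Set-VMProcessor -VMName $VMName -Count $vCpuCount
Add-VMHardDiskDrive -VMName $VMName -ControllerType IDE -ControllerNumber 0 `
                    -ControllerLocation 1 -Path $LogVhd

# FortiGate-VM needs four adapters. Name them port1..port4 so that later per-adapter
# settings (for example MAC spoofing for HA) can refer to them unambiguously;
# the assumption here is that FortiOS numbers its ports in adapter order.
Get-VMNetworkAdapter -VMName $VMName | Rename-VMNetworkAdapter -NewName 'port1'
for ($i = 1; $i -lt $Switches.Count; $i++) {
    Add-VMNetworkAdapter -VMName $VMName -Name "port$($i + 1)" -SwitchName $Switches[$i]
}

# Review the result against the licence limits before the first power-on.
Get-VMProcessor      -VMName $VMName | Select-Object VMName, Count
Get-VMMemory         -VMName $VMName | Select-Object VMName, Startup
Get-VMHardDiskDrive  -VMName $VMName | Select-Object ControllerType, ControllerNumber, ControllerLocation, Path
Get-VMNetworkAdapter -VMName $VMName | Select-Object Name, SwitchName
```

The VM is deliberately left powered off: as with the GUI procedure, check the review output against your license before starting it.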

 


FortiGate VM High Availability VMware configuration

High Availability VMware configuration

If you want to combine two or more FortiGate-VM instances into a FortiGate Clustering Protocol (FGCP) High Availability (HA) cluster the VMware server’s virtual switches used to connect the heartbeat interfaces must operate in promiscuous mode. This permits HA heartbeat communication between the heartbeat interfaces. HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8890. The FGCP uses link-local IPv4 addresses in the 169.254.0.x range for HA heartbeat interface IP addresses.

To enable promiscuous mode in VMware:

  1. In the vSphere client, select your VMware server in the left pane and then select the Configuration tab in the right pane.
  2. In Hardware, select Networking.
  3. Select Properties of a virtual switch used to connect heartbeat interfaces.
  4. In the Properties window left pane, select vSwitch and then select Edit.
  5. Select the Security tab, set Promiscuous Mode to Accept, then select OK.
  6. Select Close.

You must also set the virtual switches connected to other FortiGate interfaces to allow MAC address changes and to accept forged transmits. This is required because the FGCP sets virtual MAC addresses for all FortiGate interfaces and the same interfaces on the different VM instances in the cluster will have the same virtual MAC addresses.

To make the required changes in VMware:

  1. In the vSphere client, select your VMware server in the left pane and then select the Configuration tab in the right pane.
  2. In Hardware, select Networking.
  3. Select Properties of a virtual switch used to connect FortiGate VM interfaces.
  4. Set MAC Address Changes to Accept.
  5. Set Forged Transmits to Accept.

Power on your FortiGate VM

You can now proceed to power on your FortiGate VM. There are several ways to do this:

  • Select the name of the FortiGate VM you deployed in the inventory list and select Power on the virtual machine in the Getting Started
  • In the inventory list, right-click the name of the FortiGate VM you deployed, and select Power > Power On.
  • Select the name of the FortiGate VM you deployed in the inventory list. Click the Power On button on the toolbar.

Select the Console tab to view the console. To enter text, you must click in the console pane. The mouse is then captured and cannot leave the console screen. As the FortiGate console is text-only, no mouse pointer is visible. To release the mouse, press Ctrl-Alt.

FortiGate VM Transparent Mode VMware Configuration

Transparent mode VMware configuration

If you want to use your FortiGate-VM in transparent mode, your VMware server’s virtual switches must operate in promiscuous mode. This permits these interfaces to receive traffic that will pass through the FortiGate unit but was not addressed to the FortiGate unit.

In VMware, promiscuous mode must be explicitly enabled:

  1. In the vSphere client, select your VMware server in the left pane and then select the Configuration tab in the right pane.
  2. In Hardware, select Networking.
  3. Select Properties of vSwitch0.
  4. In the Properties window left pane, select vSwitch and then select Edit.
  5. Select the Security tab, set Promiscuous Mode to Accept, then select OK.
  6. Select Close.
  7. Repeat steps 3 through 6 for other vSwitches that your transparent mode FortiGate-VM uses.
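The vSwitch security settings from the two VMware procedures above (promiscuous mode on the heartbeat vSwitch plus MAC address changes and forged transmits on the data vSwitches for FGCP HA; promiscuous mode on every vSwitch a transparent-mode FortiGate-VM uses) applied with VMware PowerCLI instead of the vSphere client. This is an added example and not Fortinet's code; the ESXi host name and the vSwitch names are assumptions, and it only changes the settings each scenario actually needs so that no switch is relaxed further than required.

```powershell
# Added example, not Fortinet's code: set the ESXi standard vSwitch security policy
# with VMware PowerCLI. Host and vSwitch names are assumptions for this example.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'esxi01.example.com'    # assumed host; prompts for credentials

function Set-FgtVSwitchSecurity {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [string[]] $HeartbeatSwitches = @(),   # vSwitches carrying FGCP heartbeat interfaces
        [string[]] $DataSwitches      = @(),   # vSwitches carrying FortiGate data interfaces
        [switch]   $HaCluster,                 # FGCP HA: same virtual MAC on every member
        [switch]   $TransparentMode            # transparent mode: receive frames not addressed to the FortiGate
    )
    $vmhost = Get-VMHost -Name $HostName

    # Heartbeat vSwitches: promiscuous mode so each cluster member receives the
    # other members' heartbeat frames (non-TCP, Ethertype 0x8890/0x8891).
    foreach ($name in $HeartbeatSwitches) {
        Get-VirtualSwitch -VMHost $vmhost -Name $name |
            Get-SecurityPolicy |
            Set-SecurityPolicy -AllowPromiscuous $true | Out-Null
    }

    # Data vSwitches: only the settings the chosen scenario needs.
    $policy = @{}
    if ($HaCluster)       { $policy['MacChanges'] = $true; $policy['ForgedTransmits'] = $true }
    if ($TransparentMode) { $policy['AllowPromiscuous'] = $true }
    if ($policy.Count -gt 0) {
        foreach ($name in $DataSwitches) {
            Get-VirtualSwitch -VMHost $vmhost -Name $name |
                Get-SecurityPolicy |
                Set-SecurityPolicy @policy | Out-Null
        }
    }

    # Return the policy of every vSwitch on the host, so a switch that is more
    # permissive than its role requires stands out in the review.
    Get-VirtualSwitch -VMHost $vmhost | Get-SecurityPolicy |
        Select-Object VirtualSwitch, AllowPromiscuous, MacChanges, ForgedTransmits
}

# FGCP HA cluster: vSwitch-HA carries heartbeat, vSwitch0 and vSwitch1 carry data (assumed names).
Set-FgtVSwitchSecurity -HostName 'esxi01.example.com' -HeartbeatSwitches 'vSwitch-HA' `
                       -DataSwitches 'vSwitch0', 'vSwitch1' -HaCluster |
    Format-Table -AutoSize

# Transparent-mode FortiGate-VM using vSwitch0 only: promiscuous mode on that vSwitch.
Set-FgtVSwitchSecurity -HostName 'esxi01.example.com' -DataSwitches 'vSwitch0' -TransparentMode |
    Format-Table -AutoSize
```

Each setting is widened only where the text above calls for it; any VM attached to a vSwitch with Accept on these policies can see or send traffic the default Reject would have blocked, so keep FortiGate interfaces on their own vSwitches where possible.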

 


FortiGate VM Deployment example – VMware

Deployment example – VMware

Once you have downloaded the FGT_VMxx-v5-build0xxx-FORTINET.out.ovf.zip file from http://support.fortinet.com and extracted the package contents to a folder on your local computer, you can use the vSphere client to create the virtual machine from the deployment package OVF template.

The following topics are included in this section:

Open the FortiGate VM OVF file with the vSphere client

Configure FortiGate VM hardware settings

Open the FortiGate VM OVF file with the vSphere client

To deploy the FortiGate VM OVF template:

  1. Launch the VMware vSphere client, enter the IP address or host name of your server, enter your user name and password and select Login.

The vSphere client home page opens.

  2. Select File > Deploy OVF Template to launch the OVF Template wizard.

The Source page opens.

  3. Select the source location of the OVF file. Select Browse and locate the OVF file on your computer. Select Next to continue.

The OVF Template Details page opens.

  4. Verify the OVF template details. This page details the product name, download size, size on disk, and description. Select Next to continue.

The End User License Agreement page opens.

  5. Read the end user license agreement for FortiGate VM. Select Accept and then select Next to continue.

The Name and Location page opens.

  6. Enter a name for this OVF template. The name can contain up to 80 characters and it must be unique within the inventory folder. Select Next to continue.

The Disk Format page opens.

  7. Select one of the following:
    • Thick Provision Lazy Zeroed: Allocates the disk space statically (no other volumes can take the space), but does not write zeros to the blocks until the first write takes place to that block during runtime (which includes a full disk format).
    • Thick Provision Eager Zeroed: Allocates the disk space statically (no other volumes can take the space), and writes zeros to all the blocks.
    • Thin Provision: Allocates the disk space only when a write occurs to a block, but the total volume size is reported by VMFS to the OS. Other volumes can take the remaining space. This allows you to float space between your servers, and expand your storage when your size monitoring indicates there is a problem. Note that once a Thin Provisioned block is allocated, it remains on the volume regardless of whether you have deleted data.
  8. Select Next to continue.

The OVF Template Network Mapping page opens.

  9. Map the networks used in this OVF template to networks in your inventory. Network 1 maps to port1 of the FortiGate VM. You must set the destination network for this entry to access the device console. Select Next to continue.

The OVF Template Ready to Complete page opens.

  10. Review the template configuration. Make sure that Power on after deployment is not enabled. You might need to configure the FortiGate VM hardware settings prior to powering on the FortiGate VM.
  11. Select Finish to deploy the OVF template. You will receive a Deployment Completed Successfully dialog box once the FortiGate VM OVF template wizard has finished.

Configure FortiGate VM hardware settings

Before powering on your FortiGate VM you must configure the virtual memory, virtual CPU, and virtual disk configuration to match your FortiGate VM license.


FortiGate VM Overview

FortiGate VM Overview

The following topics are included in this section:

FortiGate VM models and licensing

Registering FortiGate VM with Customer Service & Support

Downloading the FortiGate VM deployment package

Deployment package contents

Deploying the FortiGate VM appliance

FortiGate VM models and licensing

Fortinet offers the FortiGate VM in five virtual appliance models determined by license. When configuring your FortiGate VM, be sure to configure hardware settings within the ranges outlined below. Contact your Fortinet Authorized Reseller for more information.

FortiGate VM model information

| Technical Specification                     | FG-VM00    | FG-VM01    | FG-VM02    | FG-VM04    | FG-VM08     |
|---------------------------------------------|------------|------------|------------|------------|-------------|
| Virtual CPUs (min / max)                    | 1 / 1      | 1 / 1      | 1 / 2      | 1 / 4      | 1 / 8       |
| Virtual Network Interfaces (min / max)      | 2 / 10     | 2 / 10     | 2 / 10     | 2 / 10     | 2 / 10      |
| Virtual Memory (min / max)                  | 1GB / 1GB  | 1GB / 2GB  | 1GB / 4GB  | 1GB / 6GB  | 1GB / 12GB  |
| Virtual Storage (min / max)                 | 32GB / 2TB | 32GB / 2TB | 32GB / 2TB | 32GB / 2TB | 32GB / 2TB  |
| Managed Wireless APs (tunnel mode / global) | 32 / 32    | 32 / 64    | 256 / 512  | 256 / 512  | 1024 / 4096 |
| Virtual Domains (default / max)             | 1 / 1      | 10 / 10    | 10 / 25    | 10 / 50    | 10 / 250    |

After placing an order for FortiGate VM, a license registration code is sent to the email address used on the order form. Use the registration number provided to register the FortiGate VM with Customer Service & Support and then download the license file. Once the license file is uploaded to the FortiGate VM and validated, your FortiGate VM appliance is fully functional.


The number of Virtual Network Interfaces is not solely dependent on the FortiGate VM. Some virtual environments have their own limitations on the number of interfaces allowed. As an example, if you go to https://docs.microsoft.com/en-us/azure/virtualnetwork/virtual-networks-multiple-nics, you will find that Azure has its own restrictions for VMs, depending on the type of deployment or even the size of the VM.

FortiGate VM evaluation license

FortiGate VM includes a limited embedded 15-day trial license that supports:

  • 1 CPU maximum
  • 1024 MB memory maximum
  • low encryption only (no HTTPS administrative access)
  • all features except FortiGuard updates

You cannot upgrade the firmware; doing so will lock the Web-based Manager until a license is uploaded. Technical support is not included. The trial period begins the first time you start FortiGate VM. After the trial license expires, functionality is disabled until you upload a license file.

Registering FortiGate VM with Customer Service & Support

To obtain the FortiGate VM license file you must first register your FortiGate VM with Customer Service & Support.

To register your FortiGate VM:

  1. Log in to the Customer Service & Support portal using an existing support account or select Sign Up to create a new account.
  2. In the main page, under Asset, select Register/Renew.

The Registration page opens.

  3. Enter the registration code that was emailed to you and select Register. A registration form will display.
  4. After completing the form, a registration acknowledgement page will appear.
  5. Select the License File Download
  6. You will be prompted to save the license file (.lic) to your local computer. See “Upload the license file” for instructions on uploading the license file to your FortiGate VM via the Web-based Manager.

Downloading the FortiGate VM deployment package

FortiGate VM deployment packages are included with FortiGate firmware images on the Customer Service & Support site. First, see the following table to determine the appropriate VM deployment package for your VM platform.

Selecting the correct FortiGate VM deployment package for your VM platform

| VM Platform                                   | FortiGate VM Deployment File                                                                               |
|-----------------------------------------------|------------------------------------------------------------------------------------------------------------|
| Citrix XenServer v5.6sp2, 6.0 and later       | FGT_VM64-v500-buildnnnn-FORTINET.out.CitrixXen.zip                                                         |
| OpenXen v3.4.3, 4.1                           | FGT_VM64-v500-buildnnnn-FORTINET.out.OpenXen.zip                                                           |
| Microsoft Hyper-V Server 2008R2 and 2012      | FGT_VM64-v500-buildnnnn-FORTINET.out.hyperv.zip                                                            |
| KVM (qemu 0.12.1)                             | FGT_VM64-v500-buildnnnn-FORTINET.out.kvm.zip                                                               |
| VMware ESX 4.0, 4.1; ESXi 4.0/4.1/5.0/5.1/5.5 | FGT_VM32-v500-buildnnnn-FORTINET.out.ovf.zip (32-bit); FGT_VM64-v500-buildnnnn-FORTINET.out.ovf.zip (64-bit) |

For more information see the FortiGate product datasheet available on the Fortinet web site, http://www.fortinet.com/products/fortigate/virtualappliances.html.

The firmware images FTP directory is organized by firmware version, major release, and patch release. The firmware images in the directories follow a specific naming convention and each firmware image is specific to the device model. For example, the FGT_VM32-v500-build0151-FORTINET.out.ovf.zip image found in the v5.0 Patch Release 2 directory is specific to the FortiGate VM 32-bit environment.

You can also download the FortiOS Release Notes, FORTINET-FORTIGATE MIB file, FSSO images, and SSL VPN client in this directory. The Fortinet Core MIB file is located in the main FortiGate v5.00 directory.

To download the FortiGate VM deployment package:

  1. In the main page of the Customer Service & Support site, select Download > Firmware Images.

The Firmware Images page opens.

  2. In the Firmware Images page, select FortiGate.
  3. Browse to the appropriate directory on the FTP site for the version that you would like to download.
  4. Download the appropriate .zip file for your VM server platform.

You can also download the FortiGate Release Notes.

  5. Extract the contents of the deployment package to a new file folder.

 


Deployment package contents

Citrix XenServer

The FORTINET.out.CitrixXen.zip file contains:

  • vhd: the FortiGate VM system hard disk in VHD format
  • fortios.xva: binary file containing virtual hardware configuration settings
  • in the ovf folder:
    • FortiGate-VM64.ovf: Open Virtualization Format (OVF) template file, containing virtual hardware settings for Xen
    • fortios.vmdk: the FortiGate VM system hard disk in VMDK format
    • datadrive.vmdk: the FortiGate VM log disk in VMDK format

The ovf folder and its contents are an alternative method of installation to the .xva and VHD disk image.

OpenXEN

The FORTINET.out.OpenXen.zip file contains only fortios.qcow2, the FortiGate VM system hard disk in qcow2 format. You will need to manually:

  • create a 32GB log disk
  • specify the virtual hardware settings

Microsoft Hyper-V

The FORTINET.out.hyperv.zip file contains:

  • in the Virtual Hard Disks folder:
    • vhd: the FortiGate VM system hard disk in VHD format
    • DATADRIVE.vhd: the FortiGate VM log disk in VHD format
  • in the Virtual Machines folder:
    • xml: XML file containing virtual hardware configuration settings for Hyper-V. This is compatible with Windows Server 2012.
  • Snapshots folder: optionally, Hyper-V stores snapshots of the FortiGate VM state here

KVM

The FORTINET.out.kvm.zip file contains only fortios.qcow2, the FortiGate VM system hard disk in qcow2 format. You will need to manually:

  • create a 32GB log disk
  • specify the virtual hardware settings

VMware ESX/ESXi

The FORTINET.out.ovf.zip file contains:

  • vmdk: the FortiGate VM system hard disk in VMDK format
  • datadrive.vmdk: the FortiGate VM log disk in VMDK format
  • Open Virtualization Format (OVF) template files:
    • FortiGate-VM64.ovf: OVF template based on Intel e1000 NIC driver
    • FortiGate-VM64.hw04.ovf: OVF template file for older (v3.5) VMware ESX server
    • FortiGate-VMxx.hw07_vmxnet2.ovf: OVF template file for VMware vmxnet2 driver
    • FortiGate-VMxx.hw07_vmxnet3.ovf: OVF template file for VMware vmxnet3 driver

You will need to create a 32GB log disk.

Deploying the FortiGate VM appliance

Prior to deploying the FortiGate VM appliance, the VM platform must be installed and configured so that it is ready to create virtual machines. The installation instructions for FortiGate VM assume that

  • You are familiar with the management software and terminology of your VM platform.
  • An Internet connection is available for FortiGate VM to contact FortiGuard to validate its license or, for closed environments, a FortiManager can be contacted to validate the FortiGate VM license. See “Validate the FortiGate VM license with FortiManager”.

For assistance in deploying FortiGate VM, refer to the deployment chapter in this guide that corresponds to your VMware environment. You might also need to refer to the documentation provided with your VM server. The deployment chapters are presented as examples because for any particular VM server there are multiple ways to create a virtual machine. There are command line tools, APIs, and even alternative graphical user interface tools.

Before you start your FortiGate VM appliance for the first time, you might need to adjust virtual disk sizes and networking settings. The first time you start FortiGate VM, you will have access only through the console window of your VM server environment. After you configure one FortiGate network interface with an IP address and administrative access, you can access the FortiGate VM web-based manager.

After deployment and license validation, you can upgrade your FortiGate VM appliance’s firmware by downloading either FGT_VM32-v500-buildnnnn-FORTINET.out (32-bit) or FGT_VM64-v500-buildnnnn-FORTINET.out (64-bit) firmware. Firmware upgrading on a VM is very similar to upgrading firmware on a hardware FortiGate unit.

FortiOS 5.4 VM Install Guide

Introduction

FortiGate virtual appliances allow you to mitigate blind spots by implementing critical security controls within your virtual infrastructure. They also allow you to rapidly provision security infrastructure whenever and wherever it is needed. FortiGate virtual appliances feature all of the security and networking services common to traditional hardware-based FortiGate appliances. With the addition of virtual appliances from Fortinet, you can deploy a mix of hardware and virtual appliances, operating together and managed from a common centralized management platform.

Document scope

This document describes how to deploy a FortiGate virtual appliance in several virtualization server environments. This includes how to configure the virtual hardware settings of the virtual appliance.

This document assumes:

  • you have already successfully installed the virtualization server on the physical machine,
  • you have installed appropriate VM management software on either the physical server or a computer to be used for VM management.

This document does not cover configuration and operation of the virtual appliance after it has been successfully installed and started. For these issues, see the FortiGate 5.2 Handbook.

This document includes the following sections:

  • FortiGate VM Overview
  • Deployment example – VMware
  • Deployment example – MS Hyper-V
  • Deployment example – KVM
  • Deployment example – OpenXen
  • Deployment example – Citrix XenServer


What’s new in VM in 5.4

New Features in 5.4.0

FGT-VM VCPUs (308297)

Fortinet has now launched licensing for FortiGate VMs that support larger than 8 vCPUs. The new models/licenses include:

  • Support for up to 16 vCPU – FortiGate-VM16
  • Support for up to 32 vCPU – FortiGate-VM32
  • Support for unlimited vCPU – FortiGate-VMUL

Each of these models should be able to support up to 500 VDOMs.

Improvements to License page (382128)

The page has been rewritten with some minor improvements such as:

  • An indicator to show when a VM is waiting for authentication or starting up
  • Shows VM status when license is valid
  • Shows CLI console window when VM is waiting too long for remote registration of server

Citrix XenServer tools support for XenServer VMs (387984)

This support allows users with Citrix XenServer tools to read performance statistics from XenServer clients and to do XenMotion with servers in the same cluster.

There are no changes to the GUI, but there are some changes to the CLI.

A setting has been added to control the debug level of the XenServer tools daemon:

diag debug application xstoolsd <integer>

Integer = Debug level

An additional setting has been added to set the update frequency for XenServer tools:

config system global
    set xstools-update-frequency Xenserver <integer>
end

Enter an integer value from 30 to 300 (default = 60).


FOS VM supports more interfaces (393068)

The number of virtual interfaces that the VM version of FortiOS supports has been raised from 3 to 10.

NSX security group importing (403975)

A feature has been added to allow the importation of security group information from VMware’s NSX firewall.

CLI Changes:

nsx group list

This is used to list NSX security groups.

Syntax:

execute nsx group list <name of the filter>

nsx group import

This is used to import NSX security groups.

Syntax:

execute nsx group import <vdom> <name of the filter>

nsx group delete

This is used to delete NSX security groups.

Syntax:

execute nsx group delete <vdom> <name of the filter>

nsx.setting.update-period

This is used to set the update period for the NSX security group.

Syntax:

config.nsx.setting.update-period <0 – 3600 in seconds>

0 means disabled. Default value: 0.

Non-vdom VM models FGVM1V/FGVM2V/FGVM4V (405549)

New models of the FortiGate-VM have been introduced. These match up with the existing FortiGate-VM models FG-VM01, FG-VM02 and FG-VM04; the difference is that the new models don’t support VDOMs.

| Original FortiGate-VM | New FortiGate-VM without VDOM support |
|-----------------------|---------------------------------------|
| FG-VM01               | FG-VM01v                              |
| FG-VM02               | FG-VM02v                              |
| FG-VM04               | FG-VM04v                              |

 


FortiOS 5.6 SSL VPN Troubleshooting

Troubleshooting

This section contains tips to help you with some common challenges of SSL VPNs.

  • Enter the following to display debug messages for SSL VPN:

diagnose debug application sslvpn -1

This command enables debugging of SSL VPN with a debug level of -1. The -1 debug level produces detailed results.

  • Enter the following command to verify the debug configuration:

diagnose debug info

debug output: disable
console timestamp: disable
console no user log message: disable
sslvpn debug level: -1 (0xffffffff)
CLI debug level: 3

This output verifies that SSL VPN debugging is enabled with a debug level of -1, and shows what filters are in place. The output above indicates that debug output is disabled, so debug messages are not displayed. The output also indicates that debugging has not been enabled for any software systems.

  • Enter the following to enable displaying debug messages:

diagnose debug enable

To view the debug messages, log into the SSL VPN portal. The CLI displays debug output similar to the following:

FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1

  • Enter the following to stop displaying debug messages:

diagnose debug disable
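A captured debug session like the one above is easier to act on when the handshake result is pulled out of the noise. The following PowerShell is an added example, not Fortinet's code: it parses the "SSL state:" and "SSL established:" lines that the sslvpn debug prints, reports whether the negotiation completed and with which protocol and cipher suite, and flags parameters a defender would want to revisit (a legacy protocol version, a SHA1 MAC, a key exchange without forward secrecy). The sample lines are constructed from the console output shown above and assume a single client session in the capture.

```powershell
# Added example, not Fortinet's code: parse "diagnose debug application sslvpn -1"
# output for the handshake result. Sample lines constructed from the output above.
$SampleDebug = @(
    '[282:root]SSL state:before/accept initialization (172.20.120.12)',
    '[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)',
    '[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)',
    '[282:root]SSL state:SSLv3 write finished B (172.20.120.12)',
    '[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)',
    '[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)',
    '[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1'
)

function Get-SslVpnHandshake {
    param([string[]] $Lines)

    $client = $null; $states = @(); $finished = $false
    $proto  = $null; $cipher = $null; $params = @{}

    foreach ($line in $Lines) {
        # State transitions: "[<pid>:<vdom>]SSL state:<state> (<client ip>)"
        if ($line -match '^\[(?<id>[^\]]+)\]SSL state:(?<state>.*?)\s*\((?<client>[\d.]+)\)$') {
            $client  = $Matches.client
            $states += $Matches.state
            if ($Matches.state -eq 'SSL negotiation finished successfully') { $finished = $true }
        }
        # Result line: "[<pid>:<vdom>]SSL established: <cipher> <protocol> Kx=.. Au=.. Enc=.. Mac=.."
        elseif ($line -match '^\[(?<id>[^\]]+)\]SSL established: (?<cipher>\S+) (?<proto>\S+) (?<kv>.+)$') {
            $cipher = $Matches.cipher
            $proto  = $Matches.proto
            foreach ($pair in ($Matches.kv -split '\s+')) {
                $k, $v = $pair -split '=', 2
                $params[$k] = $v
            }
        }
    }

    # Review points: these do not mean the connection failed, only that the
    # negotiated parameters are below what current guidance expects.
    $warnings = @()
    if ($proto -in @('SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1')) { $warnings += "legacy protocol $proto" }
    if ($params['Mac'] -eq 'SHA1') { $warnings += 'SHA1 HMAC' }
    if ($params['Kx']  -eq 'RSA')  { $warnings += 'RSA key exchange (no forward secrecy)' }

    [pscustomobject]@{
        Client      = $client
        StateLines  = $states.Count
        Negotiated  = $finished
        Established = ($null -ne $cipher)
        Protocol    = $proto
        Cipher      = $cipher
        KeyExchange = $params['Kx']
        Encryption  = $params['Enc']
        Mac         = $params['Mac']
        Warnings    = ($warnings -join '; ')
    }
}

# Paste or pipe the console capture into -Lines; the sample gives Negotiated = True,
# Protocol = SSLv3 and two warnings (legacy protocol, SHA1 HMAC).
Get-SslVpnHandshake -Lines $SampleDebug | Format-List
```

If Negotiated is False, the last entries in the state list show where the handshake stopped (for example after the client hello), which narrows the problem to the client's protocol or cipher settings rather than to the SSL VPN policy or port checks listed below.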

The following is a list of potential issues. The suggestions below are not exhaustive, and may not reflect your network topology.

There is no response from the SSL VPN URL.

  • Go to VPN > SSL-VPN Settings and check the SSL VPN port assignment. Also, verify that the SSL VPN policy is configured correctly.
  • Check the URL you are attempting to connect to. It should follow this pattern:

https://<FortiGate IP>:<Port>/remote/login

  • Ensure that you are using the correct port number in the URL.

FortiClient cannot connect.

Read the Release Notes to ensure that the version of FortiClient you are using is compatible with your version of FortiOS.

Tunnel-mode connection shuts down after a few seconds.

This issue can occur when there are multiple interfaces connected to the Internet (for example, a dual WAN). Upgrade to the latest firmware then use the following CLI command:

config vpn ssl settings
    set route-source-interface enable
end

When you attempt to connect using FortiClient or in Web mode, you are returned to the login page, or you receive the following error message: “Unable to logon to the server. Your user name or password may not be configured properly for this connection. (-12).”

  • Ensure that cookies are enabled in your browser.
  • If you are using a remote authentication server, ensure that the FortiGate is able to communicate with it.
  • Access to the web portal or tunnel will fail if Internet Explorer has the privacy Internet Options set to High. If set to High, Internet Explorer will block cookies that do not have a compact privacy policy, and that use personally identifiable information without your explicit consent.

You receive an error message stating: “Destination address of Split Tunneling policy is invalid.”

The SSL VPN security policy uses the ALL address as its destination. Change the address to that of the protected network instead.

The tunnel connects but there is no communication.

Go to Network > Static Routes and ensure that there is a static route to direct packets destined for the tunnel users to the SSL VPN interface.

You can connect remotely to the VPN tunnel but are unable to access the network resources.

Go to Policy & Objects > IPv4 Policy and examine the policy allowing VPN access to the local network. If the destination address is set to all, create a firewall address for the internal network. Change the destination address and attempt to connect remotely again.

Users are unable to download the SSL VPN plugin.

Go to VPN > SSL-VPN Portals to make sure that the option to Limit Users to One SSL-VPN Connection at a Time is disabled. This allows users to connect to the resources on the portal page while also connecting to the VPN through FortiClient.

Users are being assigned to the wrong IP range.

Ensure that the same IP Pool is used in VPN Portal and VPN Settings to avoid conflicts. If there is a conflict, the portal settings will be used.


Flow-based (vdom) AntiVirus profiles in SSL VPN web mode limitation

In flow mode vdom, SSL VPN web mode doesn’t block antivirus even when av-profile is set (however, SSL VPN tunnel mode AV profile does work).

Sending tunnel statistics to FortiAnalyzer

By default, logged events include tunnel-up and tunnel-down status events. Other events, by default, will appear in the FortiAnalyzer report as “No Data Available”. More accurate results require logs with action=tunnelstats, which is used in generating reports on the FortiAnalyzer (rather than the tunnel-up and tunnel-down event logs). The FortiGate does not, by default, send tunnel-stats information.

To allow VPN tunnel-stats to be sent to FortiAnalyzer, configure the FortiGate unit as follows using the CLI:

config system settings
    set vpn-stats-log ipsec ssl
    set vpn-stats-period 300
end