Category Archives: Consulting Stories

FortiRPS 100 in the wild!

For those of you that have never seen one in the wild before, this is a FortiRPS (it’s the white box closest to us with the black and yellow cables coming out of it). It connects to the FortiGates and does exactly what you think a Forti Redundant Power Supply does……

FortiRPS 100

 

One thing to note however is that you must cable it differently than the documentation as it is painfully wrong. If you cable it up the way the below image says……losing a power supply will cause you to lose a device. Not so redundant in that configuration eh? Look below, it tells you to put device one on ports 1 and 2 of the FortiRPS and device two on RPS ports 3 and 4. Ports 1 and 2 on the dang thing only goes to a single power supply. In order to actually have your device cabled for REDUNDANT POWER you need to switch the middle cables. IE, plug device one into RPS ports 1 and 3 and device two into RPS ports 2 and 4.

Stupid Fortinet

Don’t cable it like this, cable it like the bold section of the post (above the picture)

 

Session Based Network Issues on 7060E?

So if you are running a 7060E chassis in your enterprise and you are suddenly experiencing strange behavior relating to session based traffic, disable the TCP-Options setting in config global. This is on by default and enables the the client and server to negotiate MSS, window scaling, selective acknowledgements, timestamps, and NOP. These are completely option settings that specifically help the packet along and improve performance.

If any device on your network suffers an issue though and the packets start showing up differently, this becomes an issue and can cause intermittent network connectivity issues and any traffic that is session based (non UDP) will randomly drop and experience extreme latency.

 

I will do a video once I finish assessing the Root Cause Analysis on the issue that I just experienced at an enterprise client.

I love what I do

Technology is amazing. It drastically reduces the size of the world. I love that I get to work with it every day. It’s just a little before 1 AM here in Montgomery, Alabama. I just finished assisting a friend in Saudi Arabia with their FortiGate issue. This friend I met through this site. Think about that for a second. Small town Alabama boy getting to meet and help people from all over the world.

It’s an amazing time we live in. Good night everyone! See you in the morning!

Policy Based IPSec and NAT

Think of the little things

This is going to be a quick guide on things to check when your Policy based IPSec tunnels decide to not work properly with NAT enabled.

Have this client, they were getting ready to migrate a bunch of IPSec tunnels from one of their client’s firewalls. The firewall that was originally hosting these tunnels is a Dell Sonicwall (threw up a little in my mouth right there).

We get the tunnels loaded and all are working fine except for the ones that require NAT due to overlapping subnets.

Just a reminder boys and girls, when your settings APPEAR to be correct but things still aren’t working…..it’s going to be something simple.

It is always something simple!

When you create a phase 2 for your tunnels through the GUI certain parameters are predefined. This is fine if you are using a simple tunnel with no NAT being applied.

One of these settings is the “use-natip enabled” setting that comes swinging right out the gate. If you have never looked at your phase 2 through the CLI you wouldn’t even know this existed.

Proof is in the pudding:

There is nothing more frustrating than having your policy setup improperly (no NATĀ applied through policy) and the tunnel come up, but no traffic flows……but if you enable NAT in the policy all of a sudden no tunnel OR traffic.

The two conflict. So if you are doing policy based IPSec tunnels that ALSO happen to be performing NAT on the policy (which you can only enable on the policy through CLI by the way…) you are going to be in for a bad time until you turn off the NATĀ setting on the phase 2

In Conclusion:

I know this entire post is basically a giant run on sentence but I wanted to get it on paper as it was fresh in my head. I tend to forget things you know. By all means express your findings on these types of situations in the comments. Would love a healthy dialogue regarding these types of things! If I need to expand on anything to make it easier to understand please let me know. I am always available to answer questions.

Route based VPN is WAY better than Policy based VPN

I am in the middle of helping a client absorb one of their clients. This involves moving all of the client’s client’s (redundant I know) IPSec tunnels into my clients FortiGate. This is all fine and dandy. I do IPSec tunnels all the time. Unfortunately for me though, my client’s client utilizes policy based VPN’s which work fine I suppose but jesus they are annoying. Yes, I know they do things just fine. Yes, I know they have their place. I may just be an old dog set in my ways but to me…..Route based IPSec tunnels is bae, Route based IPSec tunnels is life.