Category Archives: FortiGate

Firewall local-in policies are supported for the dedicated HA management interface

To add local-in policies for the dedicated HA management interface, enable ha-mgmt-intf-only and set intf to any. Enabling ha-mgmt-intf-only means the local-in policy applies only to the VDOM that contains the dedicated HA management interface.

config firewall local-in-policy
    edit 0
        set ha-mgmt-intf-only enable
        set intf any
        etc…
end
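
A fuller version of that policy set, added here as an example (it is not from the post or from Fortinet's documentation): an accept rule that limits administrative access on the HA management interface to one admin subnet, followed by a catch-all deny. The address object name, subnet and service choice are assumptions; the "#" lines are annotations and must be stripped before pasting, and every key should be checked against the CLI reference for your FortiOS build. Local-in policies are evaluated top-down, so the accept rule must be created before the deny.

```fortios
# Added example, not FortiOS documentation. The address object must exist
# in the VDOM that holds the dedicated HA management interface.
config firewall address
    edit "mgmt-admins"
        set subnet 192.168.100.0 255.255.255.0
    next
end

config firewall local-in-policy
    # Allow GUI and SSH from the admin subnet only.
    edit 0
        set ha-mgmt-intf-only enable
        set intf any
        set srcaddr "mgmt-admins"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    # Everything else that targets the HA management interface is dropped.
    edit 0
        set ha-mgmt-intf-only enable
        set intf any
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end
```

Without the trailing deny, anything the first rule does not match falls through to the interface's normal allowaccess settings, so the restriction would only be partial.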


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

VOIP application control sessions are no longer blocked after an HA failover

If you were one of those people, like me, that would have application control sessions blocked after an HA failover, then 5.4 may be beneficial for you! See below!

VOIP application control sessions are no longer blocked after an HA failover (273544)

After an HA failover, VoIP sessions that are being scanned by application control will now continue with only a minor interruption, if any. To support this feature, IPS UDP expectation tables are now synchronized between cluster units.

FGCP Supports BFD Enabled BGP Graceful Restart After an HA Failover

If an HA cluster is part of a Border Gateway Protocol (BGP) bidirectional forwarding detection (BFD) configuration where both the cluster and the BGP static neighbor are configured for graceful restart, after an HA failover BGP enters graceful restart mode and both the cluster and the BGP neighbor keep their BGP routes.

To support HA and BFD enabled BGP graceful restart:

  • From the cluster, configure the BFD enabled BGP neighbor as a static BFD neighbor using the config router bfd command.
  • Set the BGP auto-start timer to 5 seconds so that after an HA failover BGP on the new primary unit waits 5 seconds before connecting to its BFD neighbors, and then registers BFD requests after establishing the connections. With static BFD neighbors, BFD requests and sessions can be created as soon as possible after the failover. The command get router info bfd requests shows the BFD peer requests.
  • The BFD session created for a static BFD neighbor/peer request initializes its state as INIT instead of DOWN and its detection time as bfd-required-min-rx * bfd-detect-mult msecs.
  • When a BFD control packet with a nonzero Your Discriminator (your_discr) value is received, if no session can be found to match the your_discr, instead of discarding the packet, other fields in the packet, such as addressing information, are used to choose one session that was just initialized, with zero as its remote discriminator.
  • When a BFD session in the UP state receives a control packet with zero as Your Discriminator and DOWN as State, the session changes its state to DOWN but will not notify this DOWN event to BGP and/or other registered clients.
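
The configuration side of the first step, as an added example that is not from the post or from the FortiOS HA guide: BFD timers on the peering interface, the BGP peer declared as a static BFD neighbor, and BGP graceful restart enabled both globally and on the neighbor. Interface name, addresses and AS numbers are constructed; the CLI keys are from the FortiOS CLI as I know it and should be confirmed against the 5.4 reference for your build. The 5-second BGP auto-start timer the post mentions is not shown because I do not have its key on hand. The "#" lines are annotations, not CLI input.

```fortios
# Added example, not Fortinet documentation. Cluster is AS 65000 on
# port1 (10.0.0.1); the peer is 10.0.0.2 in AS 65001.

# Timers on the peering interface. Per the post, a static-neighbor session
# is detected down after bfd-required-min-rx * bfd-detect-mult ms of
# silence, here 250 * 3 = 750 ms.
config system interface
    edit "port1"
        set bfd enable
        set bfd-desired-min-tx 250
        set bfd-required-min-rx 250
        set bfd-detect-mult 3
    next
end

# The peer as a static BFD neighbor, so the new primary can re-create the
# BFD session immediately after failover rather than waiting for BGP to
# register it.
config router bfd
    config neighbor
        edit "10.0.0.2"
            set interface "port1"
        next
    end
end

# Graceful restart must be on at both ends or the peer flushes the
# cluster's routes when the BGP session drops during failover.
config router bgp
    set as 65000
    set router-id 10.0.0.1
    set graceful-restart enable
    config neighbor
        edit "10.0.0.2"
            set remote-as 65001
            set bfd enable
            set capability-graceful-restart enable
        next
    end
end
```

After a forced failover, check on the new primary with get router info bfd requests (the static peer request should be listed), get router info bfd neighbor for the session state, and get router info bgp summary to confirm the neighbor returns to Established with its prefix count intact rather than re-learning from zero.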

Fortigate HA

High Availability FortiOS 5.4 Before You Begin

So, a lot of people are starting to deploy HA clusters of Fortinet hardware which is awesome. There are however some things you will want to consider before doing so. Here is a drill down from the Fortinet HA for FortiOS 5.4 Administration document.

Before you begin

Before you begin using this guide, take a moment to note the following:

  • If you enable virtual domains (VDOMs), HA is configured globally for the entire FortiGate unit and the configuration is called virtual clustering.
  • This HA guide is based on the assumption that you are a FortiGate administrator. It is not intended for others who may also use the FortiGate unit, such as FortiClient administrators or end users.
  • The configuration examples show steps for both the web-based manager (GUI) and the CLI. At this stage, the following installation and configuration conditions are assumed:
  • You have two or more FortiGate units of the same model available for configuring and connecting to form an HA cluster.
  • You have a copy of the QuickStart Guide for the FortiGate units.
  • You have administrative access to the web-based manager and CLI.

Many of the configuration examples in this document begin with FortiGate units configured with the factory default configuration. This is optional, but may make the examples easier to follow. As well, you do not need to have installed the FortiGate units on your network before using the examples in this document.

Before you set up a cluster

Before you set up a cluster, ask yourself the following questions about the FortiGate units that you are planning to use to create a cluster:

1. Do all the FortiGate units have the same hardware configuration, including the same hard disk configuration and the same optional components installed in the same slots?

2. Do all FortiGate units have the same firmware build?

3. Are all FortiGate units set to the same operating mode (NAT or Transparent)?

4. Are all the FortiGate units operating in the same VDOM mode?

5. If the FortiGate units are operating in multiple VDOM mode, do they all have the same VDOM configuration?

AV Throughput Removed From DataSheets

So, I am sure some of you have been running around a little bit like chickens with your heads cut off about the fact that the data sheets no longer list the AV throughput. Don’t worry, this is by design. They are switching to NGFW values for these to compete with Palo Alto and the likes in the NGFW market. Don’t worry, AV throughput is about to be useless anyways as 5.4 becomes more mainstream. The 5.4 code is SO MUCH better on speed and reliability that even if they kept the AV numbers they would have to retest the hardware to get new numbers.

Official Fortinet Response:

“The Proxy AV specification will no longer be presented and removed from all existing FortiGate data sheet starting from 15th January 2016. An archive of old data sheets will be available. We’ll be replacing these specifics with more widely used NGFW values. The new data sheet should be out 28th January and Product Matrix updated in February Edition.”

Zones Will Save Your Sanity

FortiGates are interface driven firewalls. Policy is relatively straightforward: Port 1 to Wan 1, Allow HTTP, NAT, you get my drift. In more complex environments though, where you can easily have 5-10 interfaces (even more if you bring in VLANs), you will most certainly want to use Zones.

What is a zone? A zone is a created “Interface” that you assign other interfaces to. For instance, my common deployment has 2 main zones, INSIDE and OUTSIDE. This keeps policy extremely simple.

The train of thought with this ZONE setup is traffic is either coming in or out. From there you just create the policy and work accordingly. This makes deployments for my clients super easy.

The setup at my house is utilized this way as well (I have a FortiGate 92D at home). My setup is slightly more advanced though thanks to having dual internet connections, SSL VPN, and other capabilities kicked on. But as you can see in the policy set below I have an INSIDE zone. That zone has my work network, my personal home network, and my DMZ wireless network (for when I am cleaning people’s deranged and abused machines). I have each one assigned to the INSIDE zone so that I can apply the same policy for traffic that is traveling from inside sources to the internet. This greatly reduces policy count and helps keep things uniform.

Disclaimer: Make sure to click the “Block Intra-Zone Traffic” check box when creating a zone that includes a set of networks that you don’t want to communicate without policy. For instance, my INSIDE zone has my work network, which I need to make sure only my work laptop can see; my personal network, which sees everything on the personal net; and a DMZ network that I absolutely don’t want ANY of my other networks to receive traffic from or send traffic to. So I check the “block intra-zone traffic” box when I create my zone (it can be edited after the zone is created as well) and then manually allow what is needed via policy (the work network is able to access the printer on the personal net, etc.). Remember, the more granular you are, the better your security will be. Also, the only traffic that should be able to flow is the traffic you explicitly allow.

Zone Setup FortiGate FortiOS 5.4
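
The same design in CLI form, as an added example (not the post's own configuration or a Fortinet document): an INSIDE zone with intra-zone traffic blocked, an OUTSIDE zone holding both WAN links, one outbound policy that serves every inside network, and the single intra-zone exception for the work network reaching the personal printer. Port names, subnets and object names are constructed; "set intrazone deny" is the CLI equivalent of the "Block Intra-Zone Traffic" checkbox. The "#" lines are annotations to strip before pasting, and keys should be confirmed against the CLI reference for your build.

```fortios
# Added example, not from the post. Three LAN ports: port2 = work,
# port3 = personal, port4 = DMZ wireless; wan1/wan2 = the two uplinks.
config firewall address
    edit "work-net"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "personal-printer"
        set subnet 10.10.20.50 255.255.255.255
    next
end

# With intrazone deny, work, personal and DMZ wireless cannot talk to each
# other unless an INSIDE-to-INSIDE policy explicitly allows it.
config system zone
    edit "INSIDE"
        set intrazone deny
        set interface "port2" "port3" "port4"
    next
    edit "OUTSIDE"
        set interface "wan1" "wan2"
    next
end

config firewall policy
    # One outbound policy for all three inside networks, logged.
    edit 0
        set name "INSIDE-to-Internet"
        set srcintf "INSIDE"
        set dstintf "OUTSIDE"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS" "NTP"
        set nat enable
        set logtraffic all
    next
    # The only intra-zone exception: work network to the personal printer.
    edit 0
        set name "Work-to-Printer"
        set srcintf "INSIDE"
        set dstintf "INSIDE"
        set srcaddr "work-net"
        set dstaddr "personal-printer"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Because the zone denies intra-zone traffic by default, the DMZ wireless network gets no path to the other two networks at all; adding a new LAN later is a matter of appending its interface to the zone, and it inherits the outbound policy without any new rules.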

Dedicated Management CPU

Have a FortiGate that is getting slammed with traffic? Tired of not being able to manage the damn thing because of resource utilization? Boy do I have the fix for YOU! Hah, seriously though. If you suffer from these issues then there is definitely a way to guarantee management access to the device, as long as you are running FortiOS 5.2 or newer and it is a 2U / blade firewall with multiple CPUs.

Below are the commands to configure this:

conf system npu
set dedicated-management-cpu <enable | disable>
end

Stop logging of local broadcasts

So as you may have noticed, your logs can often be filled with local broadcasts and traffic of that sort. You can remove these from your logging to help clean things up. This never crossed my mind until I was reading some other blogs that belong to Fortinet TAMs, consultants etc. This little tidbit is thanks to FireWall GURU. Below you will see commands on how to do this for each log destination:

FortiAnalyzer:
config log fortianalyzer filter
set local-traffic disable
end

Log Disk:
config log disk filter
set local-traffic disable
end

Memory:
config log memory filter
set local-traffic disable
end

Syslog:
config log syslogd filter
set local-traffic disable
end