Category Archives: Fortinet GURU

Happy 7 Months Anniversary!

Happy to say that Fortinet GURU turned 7 months old today! The site has come a long way in this short amount of time. Really excited for the direction and new content that is coming down the pipe!


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Join Our Forums!

Don’t forget to join our forums (the link is at the top of the site) and join in on the Fortinet discussion. We are trying to build a strong community of knowledgeable Fortinet hardware users that are able to discuss the different implementations they are utilizing and the issues they are coming across. The key to a better product is a strong community with great communication!


More Videos Incoming

Going to spend some time this evening cranking out some more videos for you guys. Give me a shout (post in the comments) if there are any specific questions, how to’s, guides, etc that you would like me to push out. I want to get you guys the information you want. Right now I’m spending most of my time focusing on the more rudimentary and simple tasks for now unless you guys have specific scenarios and configurations you would like me to run through.


How to Manage FortiSwitch from FortiGate

Managing your FortiSwitch from your FortiGate is an awesome feature set that Fortinet implemented in their hardware. 5.4.1 makes it so much easier to accomplish this. Nothing sucks worse than running out of port density on your FortiGate. Now you really don’t have to worry about it (ok, you didn’t really have to before, but it is neat nonetheless).


Fortinet GURU Forums Launched

I have officially launched the Fortinet GURU Forums. There is no cool custom template yet. Just placed our logo on the basic forum design. I will be tweaking it as I have time to play with it and figure out what I like. In the meantime, this is an awesome way for the Fortinet community to enjoy great conversation and discuss tips, tricks, guides, and issues that one another are experiencing!

Hope to see you guys there!


How To Upgrade FortiGate Firmware

This is my first ever custom video so please take it easy on me. I get nervous and tend to ramble but I hit the high points. These videos will become very frequent and obviously the quality of the presentation will improve as I get more comfortable and in the groove. Anyways, here is a video that explains how to upgrade your Fortinet FortiGate to a newer version of firmware.

Something to consider: I didn’t mention this in the video but you need to verify you can upgrade to your destination Firmware from the version of code you currently have loaded. Sometimes, changes are drastic enough that you have to “step” your upgrade process. An example of this would be you have 5.2.3 loaded and you want to go to 5.2.8. You can’t do this until you have at least 5.2.6 loaded so you have to upgrade to 5.2.6 THEN upgrade to 5.2.8. These requirements are listed in the release notes so be sure to read those for your Firmware Version!


Multicast forwarding and FortiGate units

In both transparent mode and NAT mode you can configure FortiGate units to forward multicast traffic.

For a FortiGate unit to forward multicast traffic you must add FortiGate multicast security policies. Basic multicast security policies accept any multicast packets at one FortiGate interface and forward the packets out another FortiGate interface. You can also use multicast security policies to be selective about the multicast traffic that is accepted based on source and destination address, and to perform NAT on multicast packets.

In the example shown below, a multicast source on the Marketing network with IP address 192.168.5.18 sends multicast packets to the members of network 239.168.4.0. At the FortiGate unit, the source IP address for multicast packets originating from workstation 192.168.5.18 is translated to 192.168.18.10. In this example, the FortiGate unit is not acting as a multicast router.

 

Multicast forwarding and RIPv2

RIPv2 uses multicast to share routing table information. If your FortiGate unit is installed on a network that includes RIPv2 routers, you must configure the FortiGate unit to forward multicast packets so that RIPv2 devices can share routing data through the FortiGate unit. No special FortiGate configuration is required to share RIPv2 data; you can simply use the information in the following sections to configure the FortiGate unit to forward multicast packets.

RIPv1 uses broadcasting to share routing table information. To allow RIPv1 packets through a FortiGate unit you can add standard security policies. Security policies to accept RIPv1 packets can use the ANY predefined firewall service or the RIP predefined firewall service.

Figure: Example multicast network including a FortiGate unit that forwards multicast packets

Configuring FortiGate multicast forwarding

You configure FortiGate multicast forwarding from the Command Line Interface (CLI). Two steps are required:

  • Adding multicast security policies
  • Enabling multicast forwarding

This second step is only required if your FortiGate unit is operating in NAT mode. If your FortiGate unit is operating in transparent mode, adding a multicast policy enables multicast forwarding.

There is sometimes a confusion between the terms “forwarding” and “routing”. These two functions should not be taking place at the same time.

It is mentioned that multicast-forward should be enabled when the FortiGate unit is in NAT mode and that this will forward any multicast packet to all interfaces. However, this parameter should NOT be enabled when the FortiGate unit operates as a multicast router (i.e. with a routing protocol enabled). It should only be enabled when there are no routing protocols activated.

Adding multicast security policies

You need to add security policies to allow packets to pass from one interface to another. Multicast packets require multicast security policies. You add multicast security policies from the CLI using the config firewall multicast-policy command. As with unicast security policies, you specify the source and destination interfaces and optionally the allowed address ranges for the source and destination addresses of the packets.

 

You can also use multicast security policies to configure source NAT and destination NAT for multicast packets. Keep the following in mind when configuring multicast security policies:

  • The matched forwarded (outgoing) IP multicast source IP address is changed to the configured IP address.
  • Source and Destination interfaces are optional. If left blank, then the multicast will be forwarded to ALL interfaces.
  • Source and Destination addresses are optional. If left unset, then it will mean ALL addresses.
  • The nat keyword is optional. Use it when source address translation is needed.
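
The two caveats above (a blank interface or address field matches ALL, and multicast-forward should not be on while the unit is a multicast router) can be checked mechanically against a saved configuration. The following Python audit is an added example, not code from this post or from Fortinet; the sample fragment is constructed, the port names are assumptions, and treating `multicast-routing enable` under `config router multicast` as the sign of an active routing protocol is also an assumption.

```python
# Constructed FortiOS-style fragment (not from the page); port names are assumptions.
SAMPLE_CONFIG = """\
config system settings
    set multicast-forward enable
end
config router multicast
    set multicast-routing enable
end
config firewall multicast-policy
    edit 1
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr 192.168.5.18 255.255.255.255
        set dstaddr 239.168.4.0 255.255.255.0
    next
    edit 2
        set srcintf "port2"
    next
end
"""
SCOPE_KEYS = ("srcintf", "dstintf", "srcaddr", "dstaddr")

def parse(text):
    """Flat parse to {section: {entry id or None: {key: value}}}; nested blocks unsupported."""
    sections, section, entry = {}, None, None
    for words in (line.split(None, 2) for line in text.splitlines() if line.strip()):
        if words[0] == "config":
            section, entry = " ".join(words[1:]), None
            sections.setdefault(section, {})
        elif words[0] in ("next", "end"):
            entry, section = None, (None if words[0] == "end" else section)
        elif section and len(words) > 1 and words[0] == "edit":
            entry = words[1]
            sections[section].setdefault(entry, {})
        elif section and len(words) > 1 and words[0] == "set":
            value = words[2].strip().strip('"') if len(words) > 2 else ""
            sections[section].setdefault(entry, {})[words[1]] = value
    return sections

def audit(text):
    """Flag policies whose unset scope fields match everything, and forward+routing together."""
    cfg, findings = parse(text), []
    for pid, fields in cfg.get("firewall multicast-policy", {}).items():
        missing = [k for k in SCOPE_KEYS if not fields.get(k)]
        if pid is not None and missing:
            findings.append((f"policy {pid}", "unset (matches ALL): " + ", ".join(missing)))
    enabled = lambda sec, key: cfg.get(sec, {}).get(None, {}).get(key) == "enable"
    if enabled("system settings", "multicast-forward") and enabled("router multicast", "multicast-routing"):
        findings.append(("system settings", "multicast-forward enabled with multicast routing active"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports policy 2, which leaves the destination interface and both addresses unset, plus the forward-and-routing conflict; policy 1 is fully scoped and passes.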

Fortinet Complaints

My “Where Fortinet is Going Wrong” page will be getting updated soon. I have been receiving a large amount of emails from users of Fortinet regarding various things that are rubbing them the wrong way about our beloved device manufacturer. I am sure a lot of you will agree with a lot of what will be listed. Hopefully, someone at Fortinet is listening and can assist us with tackling these issues!

