Category Archives: Fortinet GURU

What I Learned at Accelerate 18

I was incredibly blessed to get the opportunity to go to Las Vegas this year for the Fortinet Accelerate 18 conference. For those that don’t know, this is the Fortinet conference where they unveil all the goodies, provide excellent hands-on training, and give the clients, partners, and distributors the unique opportunity to mingle, get to know each other, and more importantly put faces to names for people that could have been working together for years and never got the face-to-face time they normally would have.

As always, this event was a blast. Obviously, any event that takes place in Sin City is going to be a fun adventure for any red-blooded male that has a few bucks and some time to kill but let’s face it, that could probably be said about any major city these days.

This little post is going to be a summary of the things I consider to be the most important that I learned at the conference this year. This is purely subjective and geared more towards my interests so you may have differences of opinion.

FortiOS 6

Just as FortiOS 5.6 was starting to get stable enough to use, Fortinet has unleashed FortiOS 6, which is going to bring a plethora of new features and capabilities. A lot of you will get a kick out of the revamped SD-WAN capabilities, which make the functionality far superior to existing iterations. Not to mention the incredible visibility enhancements that are going to make it much easier to decipher what is truly taking place on your network.

FortiGate 6000 Series

The 7000 series (I’m running a 7060E) is an incredible piece of machinery. The 6000 series is going to provide excellent performance but in an appliance form. So, while you may be looking at doing some data center consolidation or space reduction, this is definitely going to be the edge “top of rack” style FortiGate that you are going to look at. The chassis are large, and with real estate being at a premium, this appliance is really going to be a great replacement for those that aren’t looking to grow into the device (the approach most chassis clients take).

Wie Ling Neo Is Super Intelligent

Ok, so I didn’t learn this at Accelerate18. I got to learn this directly by having some discussions with her while troubleshooting some 7060E issues. Wie Ling is the product manager for the 5k chassis, 6k appliance, and 7k chassis. Words cannot describe how sharp this woman is. If you ever get the opportunity to sit down with her and discuss FortiGate architecture, why they do what they do, and how they work in general, you will be in for a treat.

The Fabric Is Growing

The direction the company is taking with the security fabric is incredible. When the fabric first came out I was skeptical. I thought to myself, “ahh, another fabric/API/thing that is never going to be used.” Well, I was wrong. Fortinet has taken this initiative and run with it, and the things that are coming out of the developer’s labs are just getting better and better. Automated responses, incident response readiness, it’s all going to be great.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

T Minus 6 Days

Only 6 days before I arrive in Vegas for Accelerate 18. Looking forward to catching up with some old friends and meeting some new ones at this year’s partner conference. I will be posting videos and miscellaneous other items from the conference, so keep an eye out.



WAN optimization configuration summary

This section includes a client-side and a server-side WAN Optimization configuration summary:

Client-side configuration summary

WAN optimization profile

Enter the following command to view WAN optimization profile CLI options:

tree wanopt profile
-- [profile] --*name (36)
   |- transparent
   |- comments
   |- auth-group (36)
   |- <http> -- status
   |           |- secure-tunnel
   |           |- byte-caching
   |           |- prefer-chunking
   |           |- tunnel-sharing
   |           |- log-traffic
   |           |- port (1,65535)
   |           |- ssl
   |           |- ssl-port (1,65535)
   |           |- unknown-http-version
   |           +- tunnel-non-http
   |- <cifs> -- status
   |           |- secure-tunnel
   |           |- byte-caching
   |           |- prefer-chunking
   |           |- tunnel-sharing
   |           |- log-traffic
   |           +- port (1,65535)
   |- <mapi> -- status
   |           |- secure-tunnel
   |           |- byte-caching
   |           |- tunnel-sharing
   |           |- log-traffic
   |           +- port (1,65535)
   |- <ftp> -- status
   |           |- secure-tunnel
   |           |- byte-caching
   |           |- prefer-chunking
   |           |- tunnel-sharing
   |           |- log-traffic
   |           +- port (1,65535)
   +- <tcp> -- status
               |- secure-tunnel
               |- byte-caching
               |- byte-caching-opt
               |- tunnel-sharing
               |- log-traffic
               |- port
               |- ssl
               +- ssl-port (1,65535)

Local host ID and peer settings

config wanopt settings
    set host-id client
end

config wanopt peer
    edit server
        set ip 10.10.2.82
    next
end

Security policies

Two client-side WAN optimization security policy configurations are possible: one for active-passive WAN optimization and one for manual WAN optimization.

Active/passive mode on the client-side

config firewall policy
    edit 2
        set srcintf internal
        set dstintf wan1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set wanopt enable                  <<< enable WAN optimization
        set wanopt-detection active        <<< set the mode to active/passive
        set wanopt-profile "default"       <<< select the wanopt profile
    next
end


Manual mode on the client-side

config firewall policy
    edit 2
        set srcintf internal
        set dstintf wan1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set wanopt enable                  <<< enable WAN optimization
        set wanopt-detection off           <<< sets the mode to manual
        set wanopt-profile "default"       <<< select the wanopt profile
        set wanopt-peer "server"           <<< set the only peer to do wanopt with (required for manual mode)
    next
end

Server-side configuration summary

Local host ID and peer settings

config wanopt settings
    set host-id server
end

config wanopt peer
    edit client
        set ip 10.10.2.81
    next
end

Security policies

Two server-side WAN optimization security policy configurations are possible: one for active-passive WAN optimization and one for manual WAN optimization.

Active/passive mode on server-side

config firewall policy
    edit 2                                 <<< the passive mode policy
        set srcintf wan1
        set dstintf internal
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set wanopt enable
        set wanopt-detection passive
        set wanopt-passive-opt transparent
    next
end

config firewall proxy-policy
    edit 3                                 <<< policy that accepts wanopt tunnel connections from the server
        set proxy wanopt                   <<< wanopt proxy type
        set dstintf internal
        set srcaddr all
        set dstaddr server-subnet
        set action accept
        set schedule always
        set service ALL
    next
end

Manual mode on server-side

config firewall proxy-policy
    edit 3                                 <<< policy that accepts wanopt tunnel connections from the client
        set proxy wanopt                   <<< wanopt proxy type
        set dstintf internal
        set srcaddr all
        set dstaddr server-subnet
        set action accept
        set schedule always
        set service ALL
    next
end

Best practices

This is a short list of WAN optimization and explicit proxy best practices.

  • WAN optimization tunnel sharing is recommended for similar types of WAN optimization traffic. However, tunnel sharing for different types of traffic is not recommended. For example, aggressive and non-aggressive protocols should not share the same tunnel. See Best practices on page 239.
  • Active-passive HA is the recommended HA configuration for WAN optimization. See Best practices on page 239.
  • Configure WAN optimization authentication with specific peers. Accepting any peer is not recommended as this can be less secure. See Accepting any peers on page 1.
  • Set the explicit proxy Default Firewall Policy Action to Deny. This means that a security policy is required to use the explicit web proxy. See General explicit web proxy configuration steps on page 1.
  • Set the explicit FTP proxy Default Firewall Policy Action to Deny. This means that a security policy is required to use the explicit FTP proxy. See General explicit FTP proxy configuration steps on page 1.
  • Do not enable the explicit web or FTP proxy on an interface connected to the Internet. This is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address. If you must enable the proxy on such an interface make sure authentication is required to use the proxy. See General explicit web proxy configuration steps on page 1.

Example: basic manual (peer-to-peer) WAN optimization configuration

In a manual (peer-to-peer) configuration the WAN optimization tunnel can be set up between one client-side FortiGate unit and one server-side FortiGate unit. The peer ID of the server-side FortiGate unit is added to the client-side WAN optimization policy. When the client-side FortiGate unit initiates a tunnel with the server-side FortiGate unit, the packets that initiate the tunnel include information that allows the server-side FortiGate unit to determine that it is a manual tunnel request. The server-side FortiGate unit does not require a WAN optimization profile; you just need to add the client peer host ID and IP address to the server-side FortiGate unit peer list and, from the CLI, an explicit proxy policy to accept WAN optimization tunnel connections.

In a manual WAN optimization configuration, you create a manual WAN optimization security policy on the client-side FortiGate unit. To do this you must use the CLI to set wanopt-detection to off and to add the peer host ID of the server-side FortiGate unit to the WAN optimization security policy.

Network topology and assumptions

This example configuration includes a client-side FortiGate unit called Client-Fgt with a WAN IP address of 172.20.34.12. This unit is in front of a network with IP address 172.20.120.0. The server-side FortiGate unit is called Server_Fgt with a WAN IP address of 192.168.30.12. This unit is in front of a web server network with IP address 192.168.10.0.

This example customizes the default WAN optimization profile on the client-side FortiGate unit and adds it to the WAN optimization policy. You can also create a new WAN optimization profile.

Example manual (peer-to-peer) topology

General configuration steps

This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:

  1. Configure the client-side FortiGate unit:
     • Add peers.
     • Configure the default WAN optimization profile to optimize HTTP traffic.
     • Add a manual WAN optimization security policy.
  2. Configure the server-side FortiGate unit:
     • Add peers.
     • Add a WAN optimization tunnel policy.

Configuring basic peer-to-peer WAN optimization – web-based manager

Use the following steps to configure the example configuration from the web-based manager.

To configure the client-side FortiGate unit

  1. Go to WAN Opt. & Cache > Peers and enter a Local Host ID for the client-side FortiGate unit:
     Local Host ID          Client-Fgt
  2. Select Apply.
  3. Select Create New and add the server-side FortiGate unit Peer Host ID and IP Address for the server-side FortiGate:
     Peer Host ID           Server-Fgt
     IP Address             192.168.30.12
  4. Select OK.
  5. Go to Policy & Objects > Addresses and select Create New to add a firewall address for the client network.
     Category               Address
     Name                   Client-Net
     Type                   Subnet
     Subnet / IP Range      172.20.120.0/24
     Interface              port1
  6. Select Create New to add a firewall address for the web server network.
     Category               Address
     Name                   Web-Server-Net
     Type                   Subnet
     Subnet / IP Range      192.168.10.0/24
     Interface              port2
  7. Go to WAN Opt. & Cache > Profiles and edit the default profile.
  8. Select Transparent Mode.
  9. Under Protocol, select HTTP and for HTTP select Byte Caching. Leave the HTTP Port set to 80.
  10. Select Apply to save your changes.
  11. Go to Policy & Objects > IPv4 Policy and add a WAN optimization security policy to the client-side FortiGate unit that accepts traffic to be optimized:
     Incoming Interface     port1
     Source Address         all
     Outgoing Interface     port2
     Destination Address    all
     Schedule               always
     Service                ALL
     Action                 ACCEPT
  12. Select Enable WAN Optimization and configure the following settings:
     Enable WAN Optimization    active
     Profile                    default
  13. Select OK.
  14. Edit the policy from the CLI to turn off wanopt-detection, add the peer ID of the server-side FortiGate unit, and the default WAN optimization profile. The following example assumes the ID of the policy is 5:

config firewall policy
    edit 5
        set wanopt-detection off
        set wanopt-peer Server-Fgt
        set wanopt-profile default
    next
end

When you set the detection mode to off the policy becomes a manual mode WAN optimization policy. On the web-based manager the WAN optimization part of the policy changes to the following:

Enable WAN Optimization Manual (Profile: default, Peer: Peer-Fgt-2)

To configure the server-side FortiGate unit

  1. Go to WAN Opt. & Cache > Peers and enter a Local Host ID for the server-side FortiGate unit:
     Local Host ID          Server-Fgt
  2. Select Apply.
  3. Select Create New and add a Peer Host ID and the IP Address for the client-side FortiGate unit:
     Peer Host ID           Client-Fgt
     IP Address             172.20.34.12
  4. Select OK.
  5. Enter the following CLI command to add an explicit proxy policy to accept WAN optimization tunnel connections:

config firewall proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end

Configuring basic peer-to-peer WAN optimization – CLI

Use the following steps to configure the example WAN optimization configuration from the client-side and server-side FortiGate unit CLI.

To configure the client-side FortiGate unit

  1. Add the Local Host ID to the client-side FortiGate configuration:

config wanopt settings
    set host-id Client-Fgt
end

  2. Add the server-side Local Host ID to the client-side peer list:

config wanopt peer
    edit Server-Fgt
        set ip 192.168.30.12
    next
end

  3. Add a firewall address for the client network:

config firewall address
    edit Client-Net
        set type ipmask
        set subnet 172.20.120.0 255.255.255.0
        set associated-interface port1
    next
end

  4. Add a firewall address for the web server network:

config firewall address
    edit Web-Server-Net
        set type ipmask
        set subnet 192.168.10.0 255.255.255.0
        set associated-interface port2
    next
end

  5. Edit the default WAN optimization profile, select transparent mode, enable HTTP WAN optimization and enable byte caching for HTTP. Leave the HTTP Port set to 80.

config wanopt profile
    edit default
        set transparent enable
        config http
            set status enable
            set byte-caching enable
        end
    next
end

  6. Add a WAN optimization security policy to the client-side FortiGate unit to accept the traffic to be optimized:

config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr all
        set dstaddr all
        set action accept
        set service ALL
        set schedule always
        set wanopt enable
        set wanopt-profile default
        set wanopt-detection off
        set wanopt-peer Server-Fgt
    next
end

To configure the server-side FortiGate unit

  1. Add the Local Host ID to the server-side FortiGate configuration:

config wanopt settings
    set host-id Server-Fgt
end

  2. Add the client-side Local Host ID to the server-side peer list (the peer IP is the client-side unit's WAN address, 172.20.34.12, matching the web-based manager steps above):

config wanopt peer
    edit Client-Fgt
        set ip 172.20.34.12
    next
end

  3. Add a WAN optimization tunnel explicit proxy policy:

config firewall proxy-policy
    edit 0
        set proxy wanopt
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end
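A manual tunnel fails silently when the two halves of this configuration disagree (a peer entered with the wrong IP, a client policy that still auto-detects, no wanopt proxy-policy on the server). The following is an added example, not Fortinet code or part of the original document: a small Python parser for FortiOS CLI blocks like the ones above, plus a cross-check of the client-side and server-side units. The sample configs are constructed from this page's steps, and the server sample deliberately lists the client peer at the server's own WAN address, the kind of copy-paste slip the check is meant to catch.

```python
"""Cross-check the two halves of a manual (peer-to-peer) WAN optimization setup.
Added example, not Fortinet code: parses FortiOS CLI blocks and checks the facts a manual tunnel relies on."""

def parse_fortios(text):
    """Return {table: {edit_name: {key: value}}}; tables without 'edit' (such
    as 'wanopt settings') keep their values under the edit name ''."""
    tables, stack = {}, []                     # stack of [table, current edit]
    for raw in text.splitlines():
        verb, _, rest = raw.strip().partition(" ")
        rest = rest.strip('"')
        if verb == "config":                   # nested config shares the outer edit
            stack.append([rest, None])
            tables.setdefault(stack[0][0], {})
        elif verb == "edit":
            stack[-1][1] = rest
        elif verb == "set":
            key, _, val = rest.partition(" ")
            tables[stack[0][0]].setdefault(stack[0][1] or "", {})[key] = val.strip('"')
        elif verb == "next":
            stack[-1][1] = None
        elif verb == "end":
            stack.pop()
    return tables

def check_manual_wanopt(client_cfg, server_cfg, client_wan_ip, server_wan_ip):
    """Return a list of problems; an empty list means the two sides agree."""
    c, s = parse_fortios(client_cfg), parse_fortios(server_cfg)
    c_id, s_id = c["wanopt settings"][""]["host-id"], s["wanopt settings"][""]["host-id"]
    problems = []
    # Each unit must list the other unit's host-id as a peer, at that unit's WAN IP.
    for side, peers, want_id, want_ip in (
            ("client", c.get("wanopt peer", {}), s_id, server_wan_ip),
            ("server", s.get("wanopt peer", {}), c_id, client_wan_ip)):
        got = peers.get(want_id, {}).get("ip")
        if got != want_ip:
            problems.append(f"{side}: peer {want_id} ip is {got}, expected {want_ip}")
    # Manual mode: the client policy turns detection off and names the server peer.
    for pid, pol in c.get("firewall policy", {}).items():
        if pol.get("wanopt") == "enable" and (
                pol.get("wanopt-detection") != "off" or pol.get("wanopt-peer") != s_id):
            problems.append(f"client policy {pid}: needs wanopt-detection off, wanopt-peer {s_id}")
    # The server side accepts tunnel connections only through a wanopt proxy-policy.
    if not any(p.get("proxy") == "wanopt" for p in s.get("firewall proxy-policy", {}).values()):
        problems.append("server: no proxy-policy with 'set proxy wanopt'")
    return problems

# Constructed sample input from this page's CLI steps; the server side deliberately
# lists the client peer at the server's own WAN address (a mistake the check catches).
CLIENT_CFG = """
config wanopt settings
    set host-id Client-Fgt
end
config wanopt peer
    edit Server-Fgt
        set ip 192.168.30.12
    next
end
config firewall policy
    edit 5
        set wanopt enable
        set wanopt-detection off
        set wanopt-peer Server-Fgt
    next
end
"""
SERVER_CFG = """
config wanopt settings
    set host-id Server-Fgt
end
config wanopt peer
    edit Client-Fgt
        set ip 192.168.30.12
    next
end
config firewall proxy-policy
    edit 0
        set proxy wanopt
    next
end
"""
```

Calling check_manual_wanopt(CLIENT_CFG, SERVER_CFG, "172.20.34.12", "192.168.30.12") reports the wrong peer IP on the server side, and returns an empty list once that one line is corrected.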

Testing and troubleshooting the configuration

To test the configuration, attempt to start a web browsing session between the client network and the web server network. For example, from a PC on the client network browse to the IP address of a web server on the web server network, such as http://192.168.10.100. Even though this address is not on the client network, you should be able to connect to this web server over the WAN optimization tunnel.

If you can connect, check WAN optimization monitoring. If WAN optimization has been forwarding the traffic the WAN optimization monitor should show the protocol that has been optimized (in this case HTTP) and the reduction rate in WAN bandwidth usage.

If you can’t connect you can try the following to diagnose the problem:

  • Review your configuration and make sure all details such as address ranges, peer names, and IP addresses are correct.
  • Confirm that the security policy on the client-side FortiGate unit is accepting traffic for the 192.168.10.0 network. You can do this by checking the policy monitor (Monitor > Firewall User Monitor). Look for sessions that use the policy ID of this policy.
  • Check routing on the FortiGate units and on the client and web server networks to make sure packets can be forwarded as required. The FortiGate units must be able to communicate with each other, routing on the client network must allow packets destined for the web server network to be received by the client-side FortiGate unit, and packets from the server-side FortiGate unit must be able to reach the web servers.

You can use the following get and diagnose commands to display information about how WAN optimization is operating.

Enter the following command to list all of the running WAN optimization tunnels and display information about each one. The command output for the client-side FortiGate unit shows 10 tunnels all created by peer-to-peer WAN optimization rules (auto-detect set to off).

diagnose wad tunnel list
Tunnel: id=100 type=manual vd=0 shared=no uses=0 state=3
peer name=Web-servers id=100 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp= bytes_in=348 bytes_out=384
Tunnel: id=99 type=manual vd=0 shared=no uses=0 state=3
peer name=Web-servers id=99 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp= bytes_in=348 bytes_out=384
Tunnel: id=98 type=manual vd=0 shared=no uses=0 state=3
peer name=Web-servers id=98 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp= bytes_in=348 bytes_out=384
Tunnel: id=39 type=manual vd=0 shared=no uses=0 state=3
peer name=Web-servers id=39 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp= bytes_in=1068 bytes_out=1104
Tunnel: id=7 type=manual vd=0 shared=no uses=0 state=3
peer name=Web-servers id=7 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264
Tunnel: id=8 type=manual vd=0 shared=no uses=0 state=3
peer name=Web-servers id=8 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264
Tunnel: id=5 type=manual vd=0 shared=no uses=0 state=3
peer name=Web-servers id=5 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264
Tunnel: id=4 type=manual vd=0 shared=no uses=0 state=3
peer name=Web-servers id=4 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264
Tunnel: id=1 type=manual vd=0 shared=no uses=0 state=3
peer name=Web-servers id=1 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264
Tunnel: id=2 type=manual vd=0 shared=no uses=0 state=3
peer name=Web-servers id=2 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264
Tunnels total=10 manual=10 auto=0
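Every tunnel in the listing above reports SSL-secured-tunnel=no and an empty auth-grp, that is, the profile's secure-tunnel and auth-group options are not in use. As an added example (not part of the original page), the following Python parses the listing into records, reconciles them against the Tunnels total= line, totals the bytes, and reports which tunnels run without SSL or without an auth-group. The sample output is constructed from this page's records with one record edited to show a secured, authenticated tunnel for contrast; the auth-group name wanopt-peers is assumed.

```python
"""Parse 'diagnose wad tunnel list' output and summarize the tunnels.
Added example, not Fortinet code."""
import re

KV = re.compile(r"(\S+?)=(\S*)")     # key=value pairs; the value may be empty (auth-grp=)

def parse_tunnel_list(text):
    """Return (tunnels, summary). Each tunnel is one flat dict; the fields of
    the 'peer' line are prefixed 'peer_' so tunnel id and peer id do not collide."""
    tunnels, summary, cur = [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Tunnel:"):
            cur = dict(KV.findall(line))
            tunnels.append(cur)
        elif line.startswith("peer "):
            cur.update({"peer_" + k: v for k, v in KV.findall(line)})
        elif line.startswith("Tunnels "):           # the trailing totals line
            summary = {k: int(v) for k, v in KV.findall(line)}
        elif cur is not None and line:              # SSL / auth-grp / bytes line
            cur.update(dict(KV.findall(line)))
    return tunnels, summary

def tunnel_report(text):
    """Counts, byte totals, peers, and the ids of tunnels lacking SSL or an auth-group."""
    tunnels, summary = parse_tunnel_list(text)
    manual = sum(t["type"] == "manual" for t in tunnels)
    return {
        "total": len(tunnels),
        "manual": manual,
        "auto": len(tunnels) - manual,
        # True when the per-tunnel records agree with the 'Tunnels total=' line.
        "matches_summary": summary.get("total") == len(tunnels) and summary.get("manual") == manual,
        "peers": sorted({t["peer_name"] + "@" + t["peer_ip"] for t in tunnels}),
        "bytes_in": sum(int(t["bytes_in"]) for t in tunnels),
        "bytes_out": sum(int(t["bytes_out"]) for t in tunnels),
        "cleartext_ids": sorted(int(t["id"]) for t in tunnels if t["SSL-secured-tunnel"] != "yes"),
        "unauthenticated_ids": sorted(int(t["id"]) for t in tunnels if not t["auth-grp"]),
    }

# Constructed sample: two records from this page plus one edited to show an
# SSL-secured tunnel with an (assumed) auth-group named wanopt-peers.
SAMPLE = """\
Tunnel: id=100 type=manual vd=0 shared=no uses=0 state=3
peer name=Web-servers id=100 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp= bytes_in=348 bytes_out=384
Tunnel: id=99 type=manual vd=0 shared=no uses=0 state=3
peer name=Web-servers id=99 ip=192.168.30.12
SSL-secured-tunnel=no auth-grp= bytes_in=348 bytes_out=384
Tunnel: id=39 type=manual vd=0 shared=no uses=0 state=3
peer name=Web-servers id=39 ip=192.168.30.12
SSL-secured-tunnel=yes auth-grp=wanopt-peers bytes_in=1068 bytes_out=1104
Tunnels total=3 manual=3 auto=0
"""

if __name__ == "__main__":
    for key, value in tunnel_report(SAMPLE).items():
        print(f"{key:20} {value}")
```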



NAT46 Policy


To configure a NAT46 policy in the GUI

  1. Go to Policy & Objects > NAT46 Policy

The right side window will display a table of the existing NAT46 Policies.

  • To edit an existing policy, double click on the policy you wish to edit.
  • To create a new policy, select the Create New icon in the top left side of the right window.
  2. Set the Incoming Interface parameter by selecting the field with the “+” next to the field label. Selecting the field will slide out a window from the right where you can select from the available interfaces. You can select one or more specific interfaces or you can select the any option. Choosing the any option will remove any other interfaces. For more information on interfaces, check the Concepts section called Interfaces and Zones.
  3. Set the Outgoing Interface parameter by selecting the field with the “+” next to the field label. (Same rules apply as with the above step.)
  4. Set the Source parameter by selecting the field with the “+” next to the field label. The source in this case is either the source address, source user or source device of the initiating traffic. When the field is selected a window will slide out from the right. Tabs indicating Address, User or Device options are there to help categorize the options along with the option to search. In order to be able to select one of these options it needs to be configured as a firewall object beforehand. The “+” icon next to the Search field is a shortcut for creating a new firewall object based on the tab that is currently selected. For the Address and Device tabs, single or multiple options can be selected unless the all option is chosen, in which case it will be the only option.
  5. Set the Destination Address parameter by selecting the field with the “+” next to the field label. This field is similar to the Source field but address objects are the only available options to select. Single or multiple options can be selected unless the all option is chosen, in which case it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  6. Set the Schedule parameter by using the drop down menu to select a preconfigured schedule. The “+” icon next to the Search field is a shortcut for creating a new schedule object. For more information on schedules, check the Firewall Objects section called Firewall schedules.
  7. Set the Service parameter by selecting the field with the “+” next to the field label. (Same mechanics for selection apply as with the other similar fields in this window.) Single or multiple options can be selected unless the ALL option is chosen, in which case it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  8. Set the Action. Select one of the following options for the action:
    • ACCEPT – lets the traffic through to the next phase of analysis
    • DENY – drops the session

While there are not as many Action options as with the IPv4 policy, the choice of Action determines the settings and options below this parameter in the window, so the rest of the steps are associated with a specific Action.

Settings if the ACCEPT action is selected.

Firewall / Network Options

  1. Skip the NAT setting. This type of policy is intended only for traffic that is being NATed from IPv4 to IPv6; without NATing the traffic couldn’t reach its destination, so disabling NAT would be pointless.

Central SNAT

  2. Set the Fixed Port parameter by toggling the slider button (gray means it is disabled).
  3. Set the IP Pool Configuration by selecting one of the options:
    • Use Outgoing Interface Address
    • Use Dynamic IP Pool

If the Use Dynamic IP Pool option is selected, an additional field will appear with the “+” icon. Selecting this field will slide out a window from the right where a preexisting IP Pool can be chosen. One or more IP Pools can be chosen, and the “+” icon next to the Search field is a shortcut for creating a new IP Pool.

  4. Set the Log Allowed Traffic parameter by toggling the slider button (gray means it is disabled).

If the Log Allowed Traffic setting is enabled, choose whether to log just Security Events or All Sessions and determine whether or not to keep a record of the packets by toggling the Capture Packets setting on or off.

  5. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  6. Toggle whether or not to Enable this policy. The default is enabled.
  7. Select the OK button to save the policy.

Settings if the DENY action is selected

  1. Enable the Log Violation Traffic setting by toggling the slider button.
  2. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  3. Toggle whether or not to Enable this policy. The default is enabled.
  4. Select the OK button to save the policy.


Session Based Network Issues on 7060E?

So if you are running a 7060E chassis in your enterprise and you are suddenly experiencing strange behavior relating to session-based traffic, disable the TCP-Options setting in config global. This is on by default and enables the client and server to negotiate MSS, window scaling, selective acknowledgements, timestamps, and NOP. These are completely optional settings that specifically help the packet along and improve performance.

If any device on your network suffers an issue, though, and the packets start showing up differently, this becomes a problem: it can cause intermittent network connectivity issues, and any traffic that is session based (non-UDP) will randomly drop and experience extreme latency.

 

I will do a video once I finish assessing the Root Cause Analysis on the issue that I just experienced at an enterprise client.



Moving to a new house!

Hey guys!

Just wanted to let you all know that I am moving to a new house starting tomorrow so I will be slow to respond to questions and comments for the next few days so it is nothing personal! Have a wonderful weekend!

