
Configuring Virtual Domains

Only a super_admin administrator account such as the default “admin” account can create, disable, or delete VDOMs. That account can create additional administrators for each VDOM. This section includes:

  • Creating a Virtual Domain
  • Disabling a Virtual Domain
  • Deleting a VDOM
  • Administrators in Virtual Domains

Creating a Virtual Domain

Once you have enabled Virtual Domains on your FortiGate unit, you can create additional Virtual Domains beyond the default root Virtual Domain.

By default new Virtual Domains are set to NAT/Route operation mode. If you want a Virtual Domain to be in Transparent operation mode, you must manually change it.

You can name new Virtual Domains as you like with the following restrictions:

  • only letters, numbers, “-”, and “_” are allowed
  • no more than 11 characters are allowed
  • no spaces are allowed
  • VDOMs cannot have the same names as interfaces, zones, switch interfaces, or other VDOMs.

When creating large numbers of VDOMs you should not enable advanced features such as proxies, web filtering, and antivirus, due to limited FortiGate unit resources. For the same reason, you may experience reduced performance when many VDOMs are configured.

 

To create a VDOM – web-based manager:

1. Log in with a super_admin account.

2. Select Global > System > VDOM.

3. Select Create New.

4. Enter a unique name for your new VDOM.

5. Enter a short and descriptive comment to identify this VDOM.

6. Select OK.

Repeat Steps 3 through 6 to add additional VDOMs.

 

To create a VDOM – CLI:

config vdom
    edit <new_vdom_name>
end

 

If you want to edit an existing Virtual Domain in the CLI and mistype its name, a new Virtual Domain with the misspelled name is created and your changes go into it. If expected configuration changes are not visible, this may be the reason. Periodically check your VDOM list to ensure no misspelled VDOMs are present.
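As an added example (not part of the Fortinet documentation reproduced here), the following Python encodes the naming rules listed above and the misspelled-VDOM check described in the previous paragraph. The VDOM and interface names, and the 0.6 similarity cutoff used to pair a stray name with the one probably intended, are assumptions for illustration; in practice the inventory would come from the unit's VDOM list and interface list.

```python
import difflib
import re

# Naming rules stated on this page: letters, digits, "-" and "_" only,
# at most 11 characters, no spaces, and no clash with interfaces, zones,
# switch interfaces or other VDOMs.
MAX_VDOM_NAME_LEN = 11
ALLOWED_CHARS = re.compile(r"[A-Za-z0-9_-]*")


def validate_vdom_name(name, reserved):
    """Return the rule violations for a proposed VDOM name (empty list = OK).

    `reserved` holds the names already used by interfaces, zones, switch
    interfaces and existing VDOMs on the unit.
    """
    problems = []
    if not name:
        problems.append("name is empty")
    if " " in name:
        problems.append("contains a space")
    elif not ALLOWED_CHARS.fullmatch(name):
        problems.append("contains characters other than letters, digits, '-' and '_'")
    if len(name) > MAX_VDOM_NAME_LEN:
        problems.append(f"longer than {MAX_VDOM_NAME_LEN} characters")
    if name in reserved:
        problems.append("same name as an existing interface, zone, switch interface or VDOM")
    return problems


def find_stray_vdoms(configured, intended, cutoff=0.6):
    """Map each configured VDOM that is not in the intended inventory to the
    intended name it most resembles (None if nothing is close).

    A VDOM that exists only because someone mistyped 'edit <name>' in the CLI
    shows up here next to the name they probably meant, so the misplaced
    configuration can be recovered and the stray VDOM deleted.
    """
    strays = {}
    for name in configured:
        if name in intended:
            continue
        close = difflib.get_close_matches(name, intended, n=1, cutoff=cutoff)
        strays[name] = close[0] if close else None
    return strays


if __name__ == "__main__":
    # Constructed inventory for illustration (assumed names, not a real unit).
    reserved = {"root", "sales", "port1", "port2", "dmz_zone"}
    for candidate in ("marketing", "sales", "marketing_eu", "lab net"):
        print(candidate, validate_vdom_name(candidate, reserved) or "OK")
    on_unit = ["root", "sales", "slaes", "marketing"]
    print(find_stray_vdoms(on_unit, {"root", "sales", "marketing"}))
```

Run the stray check against the output of the VDOM list after any CLI session that edited VDOMs; a hit such as "slaes" paired with "sales" is the typo case the text warns about.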

 

Disabling a Virtual Domain

The status of a VDOM can be Enabled or Disabled.

Enabled VDOMs can be configured. Enabled is the default status when a VDOM is created. The management VDOM must be an Enabled VDOM.

Disabled VDOMs are considered “offline”. The configuration remains, but you cannot use the VDOM, and only a super_admin administrator can view it. There is no Delete icon for a disabled VDOM: to delete it, you must first enable it and then remove references to it as usual. You can assign interfaces to a disabled VDOM.

The following procedures show how to disable a VDOM called “test-vdom”.

 

To disable a VDOM – web-based manager:

1. Go to Global > System > VDOM.

2. Open the VDOM for editing.

3. Ensure Enable is not selected and then select OK.

The VDOM’s Enable icon in the VDOM list is a grey X.

 

To disable a VDOM – CLI:

config vdom
    edit test-vdom
        config system settings
            set status disable
        end
    end

 

To enable a VDOM – web-based manager:

1. Go to Global > System > VDOM.

2. Open the VDOM for editing.

3. Ensure Enable is selected and then select OK.

The VDOM’s Enable icon in the VDOM list is a green checkmark.

 

To enable a VDOM – CLI:

config vdom
    edit test-vdom
        config system settings
            set status enable
        end
    end

 

Deleting a VDOM

Deleting a VDOM removes it from the FortiGate unit configuration.

Before you can delete a VDOM, all references to it must be removed, including any per-VDOM objects. If there are any references to the VDOM remaining, you will see an error message and not be able to delete the VDOM.

A disabled VDOM cannot be deleted. You also cannot delete the root VDOM or the management VDOM.

Before deleting a VDOM, a good practice is to reset any interface referencing that VDOM to its default configuration, with “root” selected as the Virtual Domain.

The following procedures show how to delete the test-vdom VDOM.

 

To delete a VDOM – web-based manager:

1. Go to Global > System > VDOM.

2. Select the check box for the VDOM and then select the Delete icon.

If the Delete icon is not active, there are still references to the VDOM that must first be removed. The Delete icon is available when all the references to this VDOM are removed.

3. Confirm the deletion.

 

To delete a VDOM – CLI:

config vdom
    delete test-vdom
end

 

Removing references to a VDOM

When you are going to delete a VDOM, all references to that VDOM must first be removed. It can be difficult to find all the references to the VDOM. This section provides a list of common objects that must be removed before a VDOM can be deleted, and a CLI command to help list the dependencies.

Interfaces are an important part of VDOMs. If you can move all the interfaces out of a VDOM, generally you will be able to delete that VDOM.

 

Common objects that refer to VDOMs

When you are getting ready to delete a VDOM check for, and remove the following objects that refer to that VDOM or its components:

  • Routing – both static and dynamic routes
  • Firewall addresses, policies, groups, or other settings
  • Security Features/Profiles
  • VPN configuration
  • Users or user groups
  • Logging
  • DHCP servers
  • Network interfaces, zones, custom DNS servers
  • VDOM Administrators
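As an added example (not Fortinet's code), the following Python walks a configuration backup and lists what still refers to a VDOM: global entries that carry `set vdom <name>` (interfaces and administrators) and the objects configured inside the VDOM itself. The sample configuration is constructed in the layout of a FortiOS backup with VDOMs enabled; its interface, administrator and address names are invented, and the parser only understands the `config` / `edit` / `next` / `end` nesting, which is enough for this purpose.

```python
import shlex

# Constructed sample in the layout of a FortiOS configuration backup with
# VDOMs enabled; the names and addresses are invented for this example.
SAMPLE_CONFIG = """\
config vdom
edit root
next
edit test-vdom
next
end
config global
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
    next
    edit "port3"
        set vdom "test-vdom"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "admin_test"
        set accprofile "prof_admin"
        set vdom "test-vdom"
    next
end
end
config vdom
edit test-vdom
config firewall address
    edit "lan"
        set subnet 10.10.0.0 255.255.0.0
    next
end
config router static
    edit 1
        set gateway 192.0.2.254
        set device "port3"
    next
end
end
config vdom
edit root
config firewall policy
end
end
"""


def vdom_references(config_text, vdom):
    """Walk a FortiOS-style configuration and return two lists:

    global_refs  - entries under 'config global' that carry 'set vdom <vdom>'
                   (interfaces, administrators), as 'table: entry'
    vdom_objects - objects configured inside the VDOM itself, as 'table: entry'

    Both must be empty (interfaces moved back to root, administrators and
    per-VDOM objects deleted) before 'delete <vdom>' will succeed.
    """
    global_refs, vdom_objects = [], []
    stack = []  # open scopes as (kind, name); kind is 'config' or 'edit'
    for raw in config_text.splitlines():
        words = shlex.split(raw)  # strips the quotes around values
        if not words:
            continue
        verb, args = words[0], words[1:]
        if verb == "config":
            stack.append(("config", " ".join(args)))
        elif verb == "edit":
            stack.append(("edit", args[0] if args else ""))
            # config vdom / edit <vdom> / config <table> / edit <entry>
            if len(stack) == 4 and stack[0] == ("config", "vdom") and stack[1] == ("edit", vdom):
                vdom_objects.append(f"{stack[2][1]}: {stack[3][1]}")
        elif verb == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif verb == "end":
            # 'end' closes the current table, including an unfinished 'edit'.
            while stack and stack.pop()[0] != "config":
                pass
        elif verb == "set" and args[:2] == ["vdom", vdom]:
            if stack and stack[0] == ("config", "global"):
                tables = [n for k, n in stack[1:] if k == "config"]
                entries = [n for k, n in stack[1:] if k == "edit"]
                global_refs.append(f"{' / '.join(tables)}: {entries[-1] if entries else '?'}")
    return global_refs, vdom_objects


def can_delete(config_text, vdom):
    """True when nothing in the configuration still refers to `vdom`."""
    global_refs, vdom_objects = vdom_references(config_text, vdom)
    return not global_refs and not vdom_objects


if __name__ == "__main__":
    refs, objects = vdom_references(SAMPLE_CONFIG, "test-vdom")
    print("global entries bound to test-vdom:", refs)
    print("objects inside test-vdom:", objects)
    print("safe to delete:", can_delete(SAMPLE_CONFIG, "test-vdom"))
```

Against the sample, the interface port3 and the administrator admin_test are the global references, and the address and static route are the per-VDOM objects; moving port3 back to root and removing the rest is exactly the cleanup the list above calls for.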

 

Administrators in Virtual Domains

When Virtual Domains are enabled, permissions change for administrators. Administrators are now divided into per-VDOM administrators, and super_admin administrators. Only super_admin administrator accounts can create other administrator accounts and assign them to a VDOM.

 

Administrator VDOM permissions

Different types of administrator accounts have different permissions within VDOMs. For example, if you are using a super_admin profile account, you can perform all tasks. However, if you are using a regular admin account, the tasks available to you depend on whether you have read only or read/write permissions. The following table shows what tasks can be performed by which administrators.

 

Administrator VDOM permissions

Task                                   Regular admin,     Regular admin,     super_admin
                                       read-only          read/write         profile admin
View global settings                   yes                yes                yes
Configure global settings              no                 no                 yes
Create or delete VDOMs                 no                 no                 yes
Configure multiple VDOMs               no                 no                 yes
Assign interfaces to a VDOM            no                 no                 yes
Revision Control Backup and Restore    no                 no                 yes
Create VLANs                           no                 yes (1 VDOM)       yes (all VDOMs)
Assign an administrator to a VDOM      no                 no                 yes
Create additional admin accounts       no                 yes (1 VDOM)       yes (all VDOMs)
Create and edit protection profiles    no                 yes (1 VDOM)       yes (all VDOMs)

The only difference in admin accounts when VDOMs are enabled is selecting which VDOM the admin account belongs to. Otherwise, by default the administration accounts are the same as when VDOMs are disabled and closely resemble the super_admin account in their privileges.

 

Creating administrators for Virtual Domains

Using the admin administrator account, you can create additional administrator accounts and assign them to VDOMs.

The newly-created administrator can access the FortiGate unit only through network interfaces that belong to their assigned VDOM or through the console interface. The network interface must be configured to allow management access, such as HTTPS and SSH. Without these in place, the new administrator will not be able to access the FortiGate unit and will have to contact the super_admin administrator for access.

The following procedure creates a new Local administrator account called admin_sales in the sales VDOM using the default prof_admin profile. The example uses the password fortinet; use a strong, unique password in practice.

 

To create an administrator for a VDOM – web-based manager:

1. Log in with a super_admin account.

2. Go to System > Administrators.

3. Select Create New.

4. Select Regular for Type, as you are creating a Local administrator account.

5. Enter the necessary information about the administrator: email, password, etc.

6. If this admin will be accessing the VDOM from a particular IP address or subnet, enable Restrict this Admin Login from Trusted Hosts Only and enter the IP in Trusted Host #1.

7. Select prof_admin for the Admin Profile.

8. Select sales from the list of Virtual Domains.

9. Select OK.

 

To create administrators for VDOMs – CLI:

config global
    config system admin
        edit <new_admin_name>
            set vdom <vdom_for_this_account>
            set password <pwd>
            set accprofile <an_admin_profile>
            …
        end

 

Virtual Domain administrator dashboard display

When an administrator logs into their virtual domain, they see a different dashboard than the global administrator sees. The VDOM dashboard displays only information relevant to that VDOM; no global or other-VDOM information is displayed.

 

VDOM dashboard information

Information             Per-VDOM administrator        Global (super_admin)
System Information      read-only                     yes
License Information     no                            yes
CLI console             yes                           yes
Unit Operation          read-only                     yes
Alert Message Console   no                            yes
Top Sessions            limited to VDOM sessions      yes
Traffic                 limited to VDOM interfaces    yes
Statistics              yes                           yes


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Enabling and accessing Virtual Domains


While Virtual Domains are essentially the same as your regular FortiGate unit for menu configuration, CLI command structure, and general task flow, there are some small differences.

After first enabling VDOMs on your FortiGate unit, you should take the time to familiarize yourself with the interface. This section will help walk you through virtual domains.

 

This section includes:

  • Enabling Virtual Domains
  • Viewing the VDOM list
  • Global and per-VDOM settings
  • Resource settings
  • Virtual Domain Licensing
  • Logging in to VDOMs

Enabling Virtual Domains

Using the default admin administration account, you can enable or disable VDOM operation on the FortiGate unit.

 

To enable VDOM configuration – web-based manager:

1. Log in with a super_admin account.

2. Go to the Dashboard.

3. In the System Information widget, locate Virtual Domain. Select Enable and confirm your selection. The FortiGate unit logs off all sessions. You can now log in again as admin.

 

To enable VDOM configuration – CLI:

config system global
    set vdom-admin enable
end

 

Changes to the web-based manager and CLI

When Virtual Domains are enabled, your FortiGate unit will change. The changes will be visible in both the web-based manager and CLI, just the web-based manager, or just the CLI.

When enabling VDOMs, the web-based manager and the CLI are changed as follows:

  • Global and per-VDOM configurations are separated. This is indicated in the Online Help by Global and VDOM icons.
  • Only admin accounts using the super_admin profile can view or configure global options.
  • Admin accounts using the super_admin profile can configure all VDOM configurations.
  • All other administrator accounts can configure only the VDOM to which they are assigned.

The following changes are specific to the web-based manager:

  • In the Global view, the System section of the left-hand menu is renamed to Global, and includes a VDOM submenu.
  • The Log Config menu is moved from Log & Report into the new Global section.
  • For admin accounts using the super_admin profile, a new section called Virtual Domains is added at the bottom of the left-hand menu. It lists all the individual VDOMs, including the root VDOM, as expandable menus containing all VDOM-specific options, so you can easily select which VDOM to configure.

In the CLI, admin accounts using the super_admin profile must specify either the global or a VDOM-specific shell before entering commands:

  • To change FortiGate unit system settings, from the top level you must first enter the following CLI before entering commands:

config global

  • To change VDOM settings, from the top level you must first enter the following CLI before entering commands for that VDOM:

config vdom

edit <vdom_name>

 

Viewing the VDOM list

The VDOM list shows all virtual domains, their status, and which VDOM is the management VDOM. It is accessible if you are logged in on an administrator account with the super_admin profile such as the “admin” administrator account.

In the VDOM list you can create or delete VDOMs, edit VDOMs, change the management VDOM, and enable or disable VDOMs.

You can access the VDOM list when viewing by going to Global > System > VDOM.

The root domain cannot be disabled, even if it is not the management VDOM.

 

Global and per-VDOM settings

Settings configured outside of a VDOM are called global settings. These settings affect the entire FortiGate unit and include areas such as interfaces, HA, maintenance, some antivirus, and some logging. In general, any unit settings that should only be changed by the top level administrator are global settings.

Settings configured within a VDOM are called VDOM settings. These settings affect only that specific VDOM and include areas such as operating mode, routing, firewall, VPN, some antivirus, some logging settings, and reporting.

When Virtual Domains are not enabled, the entire FortiGate unit is effectively a single VDOM. Per-VDOM limits apply. For some resource types, the global limit cannot be reached with only one VDOM.

 

Resource settings

Your FortiGate unit has a limited amount of hardware resources such as memory, disk storage, CPU operations. When Virtual Domains are disabled, this limit is not a major concern because all sessions, users, and other processes share all the resources equally.

When using Virtual Domains, hardware resources can be divided differently between Virtual Domains as they are needed. Minimum levels of resources can be specified for each VDOM, so that no Virtual Domain will suffer a complete lack of resources.

For example, if one VDOM has only a web server and logging server connected, and a second VDOM has an internal network of 20 users, these two VDOMs will require different levels of resources. The first VDOM will require many sessions but no user accounts. This compares to the second VDOM where user accounts and management resources are required, but fewer sessions.

Using the global and per-VDOM resource settings, you can customize the resources allocated to each VDOM to ensure the proper level of service is maintained on each VDOM.

 

Global resource settings

Global Resources apply to the whole FortiGate unit. They represent all of the hardware capabilities of your unit. By default the values are set to their maximum values. These values vary by your model due to each model having differing hardware capabilities.

It can be useful to change the maximum values for some resources to ensure there is enough memory available for other resources that may be more important to your configuration.

To use the earlier example, if your FortiGate unit is protecting a number of web servers and other publicly accessible servers you would want to maximize the available sessions and proxies while minimizing other settings that are unused such as user settings, VPNs, and dial-up tunnels.

Global Resources are only configurable at the global level, and only the admin account has access to these settings. To view the resource list, go to Global > System > Global Resources. You can also use the following CLI command:

config global
    config system resource-limits
        get

Note that global resources, such as the log disk quota resource, will only be visible if your FortiGate unit hardware supports those resources, such as having a hard disk to support the log disk resource.

For explicit proxies, when configuring limits on the number of concurrent users, you need to allow for the number of users based on their authentication method. Otherwise you may run out of user resources prematurely.

Each session-based authenticated user is counted as a single user, using their authentication membership (RADIUS, LDAP, FSAE, local database, etc.) to match users in other sessions. So one authenticated user in multiple sessions is still one user.

For all other situations, the source IP address is used to determine a user. All sessions from a single source address are assumed to be from the same user.

 

Per-VDOM resource settings

While Global resources apply to resources shared by the whole FortiGate unit, per-VDOM resources are specific to only one Virtual Domain.

By default all the per-VDOM resource settings are set to no limits. This means that any single VDOM can use up all the resources of the entire FortiGate unit if it needs to do so. This would starve the other VDOMs for resources to the point where they would be unable to function. For this reason, it is recommended that you set some maximums on resources that are most vital to your customers.

Each Virtual Domain has its own resource settings, which include both maximum and minimum levels. The maximum is the most of that resource the VDOM can use, if it is available on the FortiGate unit. The minimum is a guaranteed level: that amount of the resource is always available to the VDOM, no matter what the other VDOMs are using.

For example, consider a FortiGate unit that has ten VDOMs configured. vdom1 has a maximum of 5000 sessions and a minimum of 1000 sessions. If the FortiGate unit has a global maximum of 20,000 sessions, it is possible that vdom1 will not be able to reach its 5000 session upper limit. However, at all times vdom1 is guaranteed to have 1000 sessions available that it can use. On the other hand, if the remaining nine VDOMs use only 1000 sessions each, vdom1 will be able to reach its maximum of 5000.
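As an added example (not Fortinet's code), the following Python puts numbers to the two resource rules in this section: the explicit-proxy user count described under Global resource settings, and the guaranteed-minimum / maximum session model of the vdom1 example above. The session records and the plan figures are constructed for illustration, and None stands in for "no limit" in this model; the real limits are set in the Resource Usage section or `config system vdom-property`.

```python
# Constructed explicit-proxy session records (not real session-table output).
# "auth" is (method, user) for an authenticated session, None otherwise.
PROXY_SESSIONS = [
    {"src": "10.1.1.10", "auth": ("ldap", "alice")},
    {"src": "10.1.1.10", "auth": ("ldap", "alice")},   # second session, same user
    {"src": "10.1.1.11", "auth": ("ldap", "alice")},   # same user from another host
    {"src": "10.1.1.12", "auth": None},                # unauthenticated: counted by source IP
    {"src": "10.1.1.12", "auth": None},                # same source IP, same "user"
    {"src": "10.1.1.13", "auth": None},
    {"src": "10.1.1.14", "auth": ("radius", "bob")},
]


def count_proxy_users(sessions):
    """Count concurrent proxy users the way the page describes: one
    authenticated identity is one user however many sessions or source
    addresses it has, and every unauthenticated source IP is one user."""
    users = set()
    for s in sessions:
        if s["auth"] is not None:
            users.add(("identity",) + tuple(s["auth"]))
        else:
            users.add(("source-ip", s["src"]))
    return len(users)


# Assumed session plan: {vdom: (guaranteed minimum, maximum)}; None = no limit.
GLOBAL_SESSIONS = 20000
SESSION_PLAN = {"vdom1": (1000, 5000)}
SESSION_PLAN.update({f"vdom{i}": (500, None) for i in range(2, 11)})


def check_plan(global_max, plan):
    """Return the problems in a per-VDOM plan: minimums that cannot all be
    honoured at once, a minimum above its own maximum, and VDOMs left
    uncapped (which can starve the others of everything above their minimums)."""
    problems = []
    guaranteed = sum(lo for lo, _ in plan.values())
    if guaranteed > global_max:
        problems.append(f"guaranteed minimums total {guaranteed}, above the global limit {global_max}")
    for name, (lo, hi) in plan.items():
        if hi is None:
            problems.append(f"{name}: no maximum set")
        elif lo > hi:
            problems.append(f"{name}: minimum {lo} exceeds maximum {hi}")
    return problems


def achievable(name, global_max, plan, usage):
    """Sessions `name` can hold given the other VDOMs' current usage: never
    below its guaranteed minimum, never above its maximum (or the global
    limit if uncapped), and otherwise whatever is left of the global pool."""
    lo, hi = plan[name]
    used_by_others = sum(n for v, n in usage.items() if v != name)
    free = max(global_max - used_by_others, 0)
    cap = global_max if hi is None else hi
    return max(lo, min(cap, free))


if __name__ == "__main__":
    print("proxy users:", count_proxy_users(PROXY_SESSIONS))
    print("plan problems:", check_plan(GLOBAL_SESSIONS, SESSION_PLAN))
    light = {f"vdom{i}": 1000 for i in range(2, 11)}
    heavy = {f"vdom{i}": 2200 for i in range(2, 11)}
    print("vdom1, light neighbours:", achievable("vdom1", GLOBAL_SESSIONS, SESSION_PLAN, light))
    print("vdom1, heavy neighbours:", achievable("vdom1", GLOBAL_SESSIONS, SESSION_PLAN, heavy))
```

With the nine other VDOMs at 1000 sessions each, vdom1 reaches its 5000 maximum; with them at 2200 each, the pool is nearly exhausted and vdom1 falls back to its guaranteed 1000. The plan check also flags every VDOM left without a maximum, which is the default state the text warns can starve the others.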

 

To view per-VDOM resource settings – web-based manager:

1. Select Global > System > VDOM.

2. Select the root VDOM, and select Edit.

3. Adjust the settings in the Resource Usage section of the page.

4. Select OK.

 

To view per-VDOM resource settings – CLI:

config global
    config system vdom-property
        edit root
            get

 

Virtual Domain Licensing

For select FortiGate models in the 1U category and higher, you can purchase a license key to increase the maximum number of VDOMs. Most Enterprise and Large Enterprise (2U) models can support up to 500 VDOMs. Chassis-based models can support over 500 VDOMs. For specific information, see the product data sheet.

Configuring 500 or more VDOMs will result in reduced system performance. See Troubleshooting Virtual Domains.

Your FortiGate unit has limited resources that are divided among all configured VDOMs. These resources include system memory and CPU. Running security features on many VDOMs at once can limit resources available for basic processing. If you require many VDOMs, all with active security features, it is recommended to upgrade to a more powerful FortiGate unit.

It is important to backup your configuration before upgrading the VDOM license on your FortiGate unit or units, especially with FortiGate units in HA mode.

 

To obtain a VDOM license key

1. Log in with a super_admin account.

2. Go to the Dashboard.

3. Record your FortiGate unit serial number as shown in System Information widget.

4. In the License Information widget, locate Virtual Domain and select Purchase More.

 

If you do not see the Purchase More option on the System Dashboard, your FortiGate model does not support more than 10 VDOMs.

5. You will be taken to the Fortinet customer support website, where you can log in and purchase a license key for 25, 50, 100, 250, 500, or more VDOMs.

6. When you receive your license key, go to the Dashboard and select Upload License under License Information, Virtual Domains.

7. In the Input License Key field, enter the 32-character license key you received from Fortinet customer support.

8. Select Apply.

To verify the new VDOM license, in global configuration go to System > Dashboard. Under License Information, Virtual Domains, the maximum number of VDOMs allowed is shown.

VDOMs created on a registered FortiGate unit are recognized as real devices by any connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer unit and they contain a total of four VDOMs, the total number of registered FortiGate units on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer Administration Guide.

 

Logging in to VDOMs

Management services communicate using the management VDOM, which is the root VDOM by default.

Management traffic requires an interface that has access to the Internet. If there is no interface assigned to the VDOM containing the management traffic, services including updates will not function.

 

To access a VDOM with a super_admin account – web-based manager:

1. Log in with a super_admin account.

2. In the Virtual Domains menu on the left-hand side, select the VDOM to configure.

The menu will expand to show the various pages and settings for that VDOM.

3. When you have finished configuring the VDOM, you can

  • open the Global menu to return to global configuration
  • log out

 

To access a VDOM with a super_admin account – CLI:

With a super_admin account, logging into the CLI also involves entering the specific VDOM. If you need a reminder, use edit ? to see a list of existing VDOMs before editing a VDOM.

If you misspell a VDOM you are trying to switch to, you will create a new VDOM by that name. Any changes you make will be part of the new VDOM, and not the intended VDOM. If you are having problems where your changes aren’t visible, back up to the top level and use edit ? to see a list of VDOMs to ensure this has not happened. If it has happened, see Enabling and accessing Virtual Domains.

config vdom
    edit ?
    edit <chosen_vdom>
        ..
        <enter vdom related commands>
        ..
    end
exit

 

To access a VDOM with a non super_admin account – web-based manager:

1. Connect to the FortiGate unit using an interface that belongs to the VDOM to be configured.

2. Log in using an administrator account that has access to the VDOM.

The main web-based manager page opens. The interface is largely the same as if the device has VDOMs disabled. From here you can access VDOM-specific settings.

 

To access a VDOM with a non-super_admin account – CLI:

A non-super_admin account has access to only one VDOM and must log in through an interface that belongs to the same VDOM, but the process is the same as logging into a non-VDOM unit.

Login: regular_admin
Password: <password>
..
<enter vdom related commands>
..
exit



Benefits of Virtual Domains


VDOMs provide the following benefits:

  • Easier administration
  • Continued security
  • Savings in physical space and power
  • Improving Transparent mode configuration
  • More flexible MSSP configurations

 

Easier administration

VDOMs provide separate security domains that allow separate zones, user authentication, firewall policies, routing, and VPN configurations. VDOMs separate security domains and simplify administration of complex configurations—you do not have to manage as many settings at one time.

By default, each FortiGate unit has a VDOM named root. This VDOM includes all of the unit’s physical interfaces, modem, VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings.

Also, you can optionally assign an administrator account restricted to one VDOM. If the VDOM is created to serve an organization, this feature enables the organization to manage its own configuration.

Each physical FortiGate unit requires a FortiGuard license to access security updates. VDOMs do not require any additional FortiGuard licenses, or updating — all the security updates for all the VDOMs are performed once per update at the global level. Combined this can be a potentially large money and time saving feature in your network.

Management systems such as SNMP, logging, alert email, FDN-based updates, and NTP-based time setting use addresses and routing in the management VDOM to communicate with the network. They can connect only to network resources that communicate with the management VDOM. Using a separate VDOM for management traffic enables easier management of the FortiGate unit global settings, and VDOM administrators can also manage their VDOMs more easily.

 

Continued security

When a packet enters a VDOM, it is confined to that VDOM and is subject to any firewall policies for connections between VLAN subinterfaces or zones in that VDOM, just like those interfaces on a FortiGate unit without VDOMs enabled.

To travel between VDOMs, a packet must first pass through a firewall policy on a physical interface. The packet then arrives at another VDOM on that same FortiGate unit, but on a different interface, where it must pass through another firewall before entering. It doesn’t matter if the interface is physical or virtual — inter-VDOM packets still require the same security measures as when passing through physical interfaces.

VDOMs provide an additional level of security because regular administrator accounts are specific to one VDOM: an administrator restricted to one VDOM cannot change information on other VDOMs. Any configuration changes and potential errors will apply only to that VDOM and limit any potential down time. Using this concept, you can further split settings so that the management domain is only accessible by the super_admin and does not share any settings with the other VDOMs.

 

Savings in physical space and power

To increase the number of physical FortiGate units, you need more rack space, cables, and power to install the new units. You also need to change your network configuration to accommodate the new physical units. In the future, if you need fewer physical units you are left with expensive hardware that is idle.

Increasing VDOMs involves no additional hardware, no additional cabling, and very few changes to existing networking configurations. VDOMs save physical space and power. You are limited only by the size of the VDOM license you buy and the physical resources on the FortiGate unit.

For example, if you are using one FortiGate 620B unit with 10 VDOMs instead of 10 physical units, over a year you will save an estimated 18,000 kWh. You could potentially save ten times that amount with a 100 VDOM license.

By default, most FortiGate units support 10 VDOMs. Many FortiGate models support purchasing a license key to increase the maximum number.

 

Improving Transparent mode configuration

When VDOMs are not enabled and you put your FortiGate unit into Transparent mode, all the interfaces on your unit become broadcast interfaces. The problem with this is that there are no interfaces free to do anything else.

With multiple VDOMs you can have one of them configured in Transparent mode, and the rest in NAT/Route mode. In this configuration, you have an available transparent mode FortiGate unit you can drop into your network for troubleshooting, and you also have the standard NAT for networking.

 

More flexible MSSP configurations

If you are a managed security service provider (MSSP), VDOMs are fundamental to your business. As a service provider you have multiple customers, each with their own needs and service plans. VDOMs allow you to have a separate configuration for each customer, or group of customers, with up to 500 VDOMs configured per FortiGate unit on high-end models.

Not only does this provide the exact level of service needed by each customer, but administration of the FortiGate unit is easier as well – you can provide uninterrupted service generally with immediate changes as required. Most importantly, it allows you to only use the resources that each customer needs. Inter-VDOM links allow you to customize the level of interaction you need between each of your customers and your administrators.



Chapter 27 – Virtual Domains


  • Virtual Domains in NAT/Route mode: detailed explanations and examples for configuring VDOM features for a FortiGate in NAT/Route mode.
  • Virtual Domains in Transparent mode: detailed explanations and examples for configuring VDOM features for a FortiGate in Transparent mode.
  • Inter-VDOM routing: concepts and scenarios for inter-VDOM routing.
  • Troubleshooting Virtual Domains: diagnostic and troubleshooting information for some potential VDOM issues.

 

Before you begin using this guide, take a moment to note the following:

  • By default, most FortiGate units support 10 VDOMs. Many FortiGate models support purchasing a license key to increase the maximum number
  • This guide uses a FortiGate unit with interfaces named port1 through port4 for examples and procedures. The interface names on some models will vary. Where possible aliases for these ports are indicated to show their intended purpose and to help you determine which ports to use if your ports are labelled differently.
  • Administrators are assumed to be super_admin administrators unless otherwise specified. Some restrictions will apply to other administrators.

 

Virtual Domains Overview

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs can provide separate firewall policies and, in NAT/Route mode, completely separate configurations for routing and VPN services for each connected network or organization.

This chapter will cover the basics of VDOMs, how they change your FortiGate unit, and how to work with VDOMs. VDOMs let you split your physical FortiGate unit into multiple virtual units. The resulting benefits range from limiting Transparent mode ports to simplified administration, to reduced space and power requirements.

When VDOMs are disabled on any FortiGate unit, there is still one VDOM active: the root VDOM. It is always there in the background. When VDOMs are disabled, the root VDOM is not visible but it is still there.

The root VDOM must be there because the FortiGate unit needs a management VDOM for management traffic, among other things. It is also why, when you enable VDOMs, all your existing configuration is preserved in the root VDOM: that is where you originally configured it.

 

This section includes:

  • Benefits of Virtual Domains
  • Enabling and accessing Virtual Domains
  • Configuring Virtual Domains

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Technical Support Organization Overview

This section explains how Fortinet’s technical support works, as well as how you can easily create an account to get technical support for when issues arise that you cannot solve yourself.

 

This section contains the following topics:

  • Fortinet Global Customer Services Organization
  • Creating an account
  • Registering a device
  • Reporting problems
  • Assisting technical support
  • Support priority levels
  • Return material authorization process

 

Fortinet Global Customer Services Organization

The Fortinet Global Customer Services Organization is composed of three regional Technical Assistance Centers (TAC):

  • The Americas (AMER)
  • Europe, Middle East, and Africa (EMEA)
  • Asia Pacific (APAC)

The regional TACs are contacted through a global call center. Incoming service requests are then routed to the appropriate TAC. Each regional TAC delivers technical support to the customers in its regions during its hours of operation. These TACs also combine to provide seamless, around-the-clock support for all customers.

 

Fortinet regions and TAC

 

Creating an account

To receive technical support and service updates, Fortinet products in the organization must be registered. The Product Registration Form on the support website will allow the registration to be completed online. Creating an account on the support website is the first step in registering products.

Go to the Fortinet support site shown below:

https://support.fortinet.com/

 

Customer service and support home page

Once the support account has been created, product details can be provided by going to the Product Register/Renew and Manage Product buttons displayed on the home page. Alternately, the product registration can be completed at a later time.

 

Registering a device

Complete the following steps when registering a device for support purposes:

1. Log in using the Username and Password defined when the account was created

2. Under the Asset section, select Register/Renew to go to the Registration Wizard. Alternatively, use the Asset menu at the top of the page.

 

Register/Renew and Manage Products menu

3. Get a serial number from the back of the FortiGate unit or from the exterior of the FortiGate shipping box.

4. Enter the serial number, service contract registration code or license certificate number to start the product registration.

 

Adding a product to a support account

5. Enter your registration information.

6. Read and accept the license agreement.

7. Complete the verification process.

8. Select Finish to complete the registration process.

Registration wizard

 

Reporting problems

Problems can be reported to a Fortinet Technical Assistance Center in the following ways:

  • By logging an online ticket
  • By phoning a technical support center

 

Logging online tickets

Problem reporting methods differ depending on the type of customer.

 

Fortinet partners

Fortinet Partners are entitled to priority web-based technical support. This service is designed for partners who provide initial support to their customers and who need to open a support ticket with Fortinet on their behalf. We strongly encourage submission and follow up of support tickets using this service.

The support ticket can be submitted after logging in to the partner website with FortiPartner account details, using one of the following links:

http://partners.fortinet.com

This link will redirect to the general Fortinet Partner Portal extranet website. Click Support > Online Support Ticket.

https://forticare.fortinet.com/customersupport/Login/CommonLogin.aspx

 

Fortinet customers

There are two methods to report a technical issue on the Fortinet Support website: creating a technical support ticket by product or creating any type of ticket with the Ticket Wizard for more options.

Fortinet customers should complete the following steps to create a support ticket by product:

1. Log in to the support website at the following address with the account credentials used when the account was created: https://support.fortinet.com

2. Navigate to the top menu, click Asset and select Manage/View Products.

3. In the product list, select the product that is causing the problem.

4. On the left side bar, go to the Assistance category, and select Technical Request to create a TA Ticket.

5. Complete the Create TA Ticket fields.

6. Click View Products.

7. In the Products List, select the product that is causing the problem.

8. Complete the Create Support Ticket fields.

9. Select Finish to complete the support ticket.

Fortinet customers who would like to submit a customer service ticket, DOA ticket, RMA ticket, or FortiGuard service ticket should use the Ticket Wizard and complete the following steps:

1. Log in to the support website at the following address with the account credentials used when the account was created: https://support.fortinet.com

2. Navigate to the top menu, click Assistance and select Create a Ticket from the drop down menu.

3. Select a ticket type and complete the remaining steps in the Ticket Wizard.

4. Select Finish to complete the ticket.

 

Following up on online tickets

Perform the following steps to follow up on an existing issue. Partners should log into the following web site: http://partners.fortinet.com

Customers should log into the following site:

http://support.fortinet.com

 

1. Log in with the account credentials used when the account was created.

2. Navigate to the top menu, click Assistance, and select Manage Tickets.

3. Use the search field on the View Tickets page to locate the tickets assigned to the account.

4. Select the appropriate ticket number. Closed tickets cannot be updated. A new ticket must be submitted if it concerns the same problem.

5. Add a New Comment or Attachment.

6. Click Submit when complete.

 

Every web ticket update triggers a notification to the ticket owner, or ticket queue supervisor.

 

Telephoning a technical support center

The Fortinet Technical Assistance Centers can also be contacted by phone. Call Fortinet Support Center at 1-408-486-7899 (international) or go to http://www.fortinet.com/support/contact_support.html and select your country from the drop-down list for local contact number.

 

Assisting technical support

The more information that can be provided to Fortinet technical support, the better they can assist in resolving the issue. Every new support request should contain the following information:

  • A valid contact name, phone number, and email address.
  • A clear and accurate problem description.
  • A detailed network diagram with complete IP address schema.
  • The configuration file, software version, and build number of the Fortinet device.
  • Additional log files such as Antivirus log, Attack log, Event log, Debug log or similar information to include in the ticket as an attachment. If a third-party product is involved, for example, email server, FTP server, router, or switch, please provide the information on its software revision version, configuration, and brand name.

 

Support priority levels

Fortinet technical support assigns the following priority levels to support cases:

 

Priority 1

This Critical priority is assigned to support cases in which:

  • The network or system is down causing customers to experience a total loss of service.
  • There are continuous or frequent instabilities affecting traffic-handling capability on a significant portion of the network.
  • There is a loss of connectivity or isolation to a significant portion of the network.
  • This issue has created a hazard or an emergency.

 

Priority 2

This Major priority is assigned to support cases in which:

  • The network or system event is causing intermittent impact to end customers.
  • There is a loss of redundancy.
  • There is a loss of routine administrative or diagnostic capability.
  • There is an inability to deploy a key feature or function.
  • There is a partial loss of service due to a failed hardware component.

 

Priority 3

This Medium priority is assigned to support cases in which:

  • The network event is causing only limited impact to end customers.
  • Issues seen in a test or pre-production environment exist that would normally cause adverse impact to a production network.
  • The customer is making time sensitive information requests.
  • There is a successful workaround in place for a higher priority issue.

 

Priority 4

This Minor priority is assigned to support cases in which:

  • The customer is making information requests and asking standard questions about the configuration or functionality of equipment.

 

Customers must report Priority 1 and 2 issues by phone directly to the Fortinet EMEA Support Center. For lower priority issues, you may submit an assistance request (ticket) via the web system.

The web ticket system also provides a global overview of all ongoing support requests.

 

Return material authorization process

In some cases hardware issues are experienced and a replacement unit must be sent. This is referred to as a Return Material Authorization (RMA). In these cases, the support contract must be moved to the new device. Customers can move the support contract from the failing production unit to the new device through the support web site.

 

To move the support contract to a new device

1. Log in to the support web site with the credentials indicated when the account was created.

2. From Manage Products, locate the serial number of the defective unit from the list of devices displayed for the account. The Product Info for the selected device will be displayed.

3. In the left side bar under the Assistance section, select RMA Transfer.

4. Enter the Original Serial Number of the original device, enter the New Serial Number, and click Replace to complete the transfer.

This will transfer the support contract from the defective unit to the new unit with the serial number provided.



Troubleshooting resources

You can always check out the Fortinet GURU Forums @ http://forums.fortinetguru.com.

Before you begin troubleshooting, you need to know Fortinet’s troubleshooting resources. Doing so will shorten the time to solve your issue. Indeed, an administrator can save time and effort during the troubleshooting process by first checking if the issue has been experienced before. Several self-help resources are available to provide valuable information about FortiOS technical issues, including:

 

Technical Documentation

Installation Guides, Administration Guides, Quick Start Guides, and other technical documents are available online at the following URL:

http://docs.fortinet.com

 

Fortinet Video Library

The Fortinet Video Library hosts a collection of videos that provide valuable information about Fortinet products.

http://video.fortinet.com

 

Release Notes

Issues that are uncovered after the technical documentation has been published will often be listed in the Release Notes that accompany the device.

 

Knowledge Base

The Fortinet Knowledge Base provides access to a variety of articles, white papers, and other documentation providing technical insight into a range of Fortinet products. The Knowledge Base is available online at the following URL:

http://kb.fortinet.com

 

Fortinet Technical Discussion Forums

The online technical forums allow administrators to contribute to discussions about issues related to their Fortinet products. Searching the forum can help the administrator identify whether an issue has been experienced by another user. The support forums can be accessed at the following URL:

http://forum.fortinet.com

 

Fortinet Training Services Online Campus

The Fortinet Training Services Online Campus hosts a collection of tutorials and training materials which can be used to increase knowledge of the Fortinet products.

http://www.fortinet.com/training/

 

Fortinet Customer Support

You have defined your problem, researched a solution, put together a plan to find the solution, and executed that plan. At this point, if the problem has not been solved, it's time to contact Fortinet Customer Support for assistance.

http://support.fortinet.com



How to debug the packet flow

Traffic should come in and leave the FortiGate unit. If you have determined that network traffic is not entering and leaving the FortiGate unit as expected, debug the packet flow.

Debugging can only be performed using CLI commands. Debugging the packet flow requires a number of debug commands to be entered as each one configures part of the debug action, with the final command starting the debug.

If your FortiGate unit has FortiASIC NP4 interface pairs that are offloading traffic, this will change the packet flow. Before performing the debug on any NP4 interfaces, you should disable offloading on those interfaces.

The following configuration assumes that PC1 is connected to the internal interface of the FortiGate unit and has an IP address of 10.11.101.200. PC1 is the host name of the computer.

 

To debug the packet flow in the CLI, enter the following commands:

FGT# diag debug disable

FGT# diag debug flow filter addr <PC1>

FGT# diag debug flow show console enable

FGT# diag debug flow show function-name enable

FGT# diag debug flow trace start 100

FGT# diag debug enable

 

The start 100 argument in the above list of commands will limit the output to 100 packets from the flow. This is useful for looking at the flow without flooding your log or displaying too much information.

 

To stop all other debug activities, enter the command:

FGT# diag debug flow trace stop

 

The following is an example of debug flow output for traffic that has no matching security policy, and is in turn blocked by the FortiGate unit. The denied message indicates that the traffic was blocked.

id=20085 trace_id=319 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet (proto=6, 192.168.129.136:2854->192.168.96.153:1863) from port3."

id=20085 trace_id=319 func=resolve_ip_tuple line=2924 msg="allocate a new session-013004ac"

id=20085 trace_id=319 func=vf_ip4_route_input line=1597 msg="find a route: gw-192.168.150.129 via port1"

id=20085 trace_id=319 func=fw_forward_handler line=248 msg=" Denied by forward policy check"
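Reading a long debug flow trace by hand is slow, so it helps to have a small parser that groups lines by trace_id, pulls out the 5-tuple and ingress interface from the "received a packet" line, and reports which traces ended in a policy denial. The following is an added example written for this page, not code from the FortiOS handbook or from Fortinet: the regular expressions follow the id=/trace_id=/func=/line=/msg= layout of the sample output above, and the trace_id=320 lines in SAMPLE_OUTPUT (an allowed UDP flow) are constructed for the example.

```python
"""Parse FortiOS 'diagnose debug flow' output and flag traces denied by policy.

Added example, not part of the FortiOS handbook. The trace_id=319 lines are the
handbook's sample; the trace_id=320 lines are constructed for this example.
"""
import re
from collections import defaultdict

# One debug flow line: key=value pairs, with the message in double quotes.
LINE_RE = re.compile(
    r'id=(?P<id>\d+)\s+trace_id=(?P<trace_id>\d+)\s+func=(?P<func>\S+)\s+'
    r'line=(?P<line>\d+)\s+msg="(?P<msg>[^"]*)"'
)
# The "received a packet" message carries proto, src:port->dst:port and ingress interface.
TUPLE_RE = re.compile(
    r'proto=(?P<proto>\d+),\s+(?P<src>[\d.]+):(?P<sport>\d+)->'
    r'(?P<dst>[\d.]+):(?P<dport>\d+)\)\s+from\s+(?P<iface>\S+)\.'
)

SAMPLE_OUTPUT = """\
id=20085 trace_id=319 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet (proto=6, 192.168.129.136:2854->192.168.96.153:1863) from port3."
id=20085 trace_id=319 func=resolve_ip_tuple line=2924 msg="allocate a new session-013004ac"
id=20085 trace_id=319 func=vf_ip4_route_input line=1597 msg="find a route: gw-192.168.150.129 via port1"
id=20085 trace_id=319 func=fw_forward_handler line=248 msg=" Denied by forward policy check"
id=20085 trace_id=320 func=resolve_ip_tuple_fast line=2825 msg="vd-root received a packet (proto=17, 10.11.101.200:51000->8.8.8.8:53) from internal."
id=20085 trace_id=320 func=resolve_ip_tuple line=2924 msg="allocate a new session-013004ad"
id=20085 trace_id=320 func=vf_ip4_route_input line=1597 msg="find a route: gw-192.168.150.129 via port1"
id=20085 trace_id=320 func=fw_forward_handler line=248 msg="Allowed by Policy-3: SNAT"
"""


def parse_lines(text):
    """Return one dict per parseable debug flow line; other lines are ignored."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["msg"] = rec["msg"].strip()  # some messages carry a leading space
            records.append(rec)
    return records


def group_traces(records):
    """Group parsed lines by trace_id, preserving their order."""
    traces = defaultdict(list)
    for rec in records:
        traces[rec["trace_id"]].append(rec)
    return dict(traces)


def summarize_trace(events):
    """Reduce one trace to its 5-tuple, ingress interface, chosen route and verdict."""
    summary = {"verdict": "unknown", "route": None}
    for ev in events:
        msg = ev["msg"]
        t = TUPLE_RE.search(msg)
        if t:
            summary.update(t.groupdict())
        elif msg.startswith("find a route:"):
            summary["route"] = msg[len("find a route:"):].strip()
        elif msg.startswith("Denied"):
            summary["verdict"] = "denied"
        elif msg.startswith("Allowed"):
            summary["verdict"] = "allowed"
    return summary


def denied_flows(text):
    """Return (trace_id, summary) for every trace that ended in a policy denial."""
    traces = group_traces(parse_lines(text))
    out = []
    for tid, events in sorted(traces.items(), key=lambda kv: int(kv[0])):
        s = summarize_trace(events)
        if s["verdict"] == "denied":
            out.append((tid, s))
    return out


if __name__ == "__main__":
    for tid, s in denied_flows(SAMPLE_OUTPUT):
        print(f"trace {tid}: {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} "
              f"(proto {s['proto']}) in on {s['iface']}, route {s['route']}: DENIED")
```

Feed it the console output captured after `diag debug enable`; the denied list gives you the source, destination, ingress interface and route for each blocked flow, which is usually enough to tell whether a policy is missing or the packet arrived on an unexpected interface.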



How to perform a sniffer trace (CLI and Packet Capture)

When troubleshooting networks and routing in particular, it helps to look inside the headers of packets to determine if they are traveling along the expected route. Packet sniffing can also be called a network tap, packet capture, or logic analyzing.

If your FortiGate unit has NP2/NP4 interfaces that are offloading traffic, this will change the sniffer trace. Before performing a trace on any NP2/NP4 interfaces, you should disable offloading on those interfaces.

 

What can sniffing packets tell you

If you are running a constant traffic application such as ping, packet sniffing can tell you if the traffic is reaching the destination, what the port of entry is on the FortiGate unit, if the ARP resolution is correct, and if the traffic is being sent back to the source as expected.

Sniffing packets can also tell you if the FortiGate unit is silently dropping packets for reasons such as Reverse Path Forwarding (RPF), also called Anti Spoofing, which prevents an IP packet from being forwarded if its source IP neither belongs to a locally attached subnet (local interface) nor is reachable through the routing between the FortiGate unit and another source (static route, RIP, OSPF, BGP). Note that RPF can be disabled by turning on asymmetric routing in the CLI (config system settings, set asymroute enable); however, this will disable stateful inspection on the FortiGate unit and cause many features to be turned off.

If you configure virtual IP addresses on your FortiGate unit, it will use those addresses in preference to the physical IP addresses. You will notice this when you are sniffing packets because all the traffic will be using the virtual IP addresses. This is due to the ARP update that is sent out when the VIP address is configured.

 

How do you sniff packets

The general form of the internal FortiOS packet sniffer command is:

diag sniffer packet <interface_name> <'filter'> <verbose> <count>

 

To stop the sniffer, type CTRL+C.

<interface_name>    The name of the interface to sniff, such as "port1" or "internal". This can also be "any" to sniff all interfaces.

<filter>    What to look for in the information the sniffer reads. "none" indicates no filtering, and all packets will be displayed as the other arguments indicate. The filter must be inside single quotes (').

<verbose>    The level of verbosity as one of:

1 – print header of packets

2 – print header and data from IP of packets

3 – print header and data from Ethernet of packets

4 – print header of packets with interface name

<count>    The number of packets the sniffer reads before stopping. If you do not put a number here, the sniffer will run forever until you stop it with CTRL+C.

For a simple sniffing example, enter the CLI command diag sniffer packet port1 none 1 3. This will display the next three packets on the port1 interface using no filtering, and using verbose level 1. At this verbosity level you can see the source IP and port, the destination IP and port, action (such as ack), and sequence numbers.

In the output below, port 443 indicates these are HTTPS packets, and 172.20.120.17 is both sending and receiving traffic.

Head_Office_620b # diag sniffer packet port1 none 1 3

interfaces=[port1] filters=[none]

0.545306 172.20.120.17.52989 -> 172.20.120.141.443: psh 3177924955 ack 1854307757

0.545963 172.20.120.141.443 -> 172.20.120.17.52989: psh 1854307757 ack 3177925808

0.562409 172.20.120.17.52988 -> 172.20.120.141.443: psh 4225311614 ack 3314279933

For a more advanced example of packet sniffing, the following commands will report packets on any interface travelling between a computer with the host name of "PC1" and the computer with the host name of "PC2". With verbosity 4 and above, the sniffer trace will display the interface names where traffic enters or leaves the FortiGate unit. Remember to stop the sniffer by typing CTRL+C.

FGT# diagnose sniffer packet any "host <PC1> or host <PC2>" 4

or

FGT# diagnose sniffer packet any "(host <PC1> or host <PC2>) and icmp" 4

The following sniffer CLI command includes the ARP protocol in the filter which may be useful to troubleshoot a failure in the ARP resolution (for instance PC2 may be down and not responding to the FortiGate ARP requests).

FGT# diagnose sniffer packet any "host <PC1> or host <PC2> or arp" 4
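The question the sniffer is usually answering is the one raised above: is the traffic reaching its destination, and is it coming back to the source as expected? With a few hundred lines of verbose-1 output that is easier to see once the packets are paired into conversations and the one-way ones are listed. The following is an added example written for this page, not code from the FortiOS handbook or from Fortinet: it parses verbose-1 lines in the `timestamp src.port -> dst.port: ...` shape shown above and flags conversations in which packets were only ever seen in one direction. The three HTTPS lines in SAMPLE_TRACE are the handbook's sample output; the ICMP lines, including the unanswered echo requests to 192.168.96.153, are constructed for the example.

```python
"""Pair FortiOS 'diagnose sniffer packet ... 1' output into conversations and
flag the ones with traffic in only one direction.

Added example, not part of the FortiOS handbook. The HTTPS lines below are the
handbook's sample; the ICMP lines are constructed for this example.
"""
import re

# Verbose-1 line: "<seconds> <src[.port]> -> <dst[.port]>: <flags or protocol detail>"
PKT_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<rest>.*)$")

SAMPLE_TRACE = """\
Head_Office_620b # diag sniffer packet port1 none 1 3
interfaces=[port1] filters=[none]
0.545306 172.20.120.17.52989 -> 172.20.120.141.443: psh 3177924955 ack 1854307757
0.545963 172.20.120.141.443 -> 172.20.120.17.52989: psh 1854307757 ack 3177925808
0.562409 172.20.120.17.52988 -> 172.20.120.141.443: psh 4225311614 ack 3314279933
1.001200 10.11.101.200 -> 10.11.101.1: icmp: echo request
1.001500 10.11.101.1 -> 10.11.101.200: icmp: echo reply
2.001300 10.11.101.200 -> 192.168.96.153: icmp: echo request
3.001400 10.11.101.200 -> 192.168.96.153: icmp: echo request
"""


def split_endpoint(token):
    """'172.20.120.17.52989' -> ('172.20.120.17', 52989); a bare IPv4 address -> (ip, None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_sniffer(text):
    """Return one dict per packet line; the echoed command and header lines are skipped."""
    packets = []
    for raw in text.splitlines():
        m = PKT_RE.match(raw.strip())
        if not m:
            continue
        src_ip, src_port = split_endpoint(m["src"])
        dst_ip, dst_port = split_endpoint(m["dst"])
        rest = m["rest"]
        if rest.startswith("icmp"):
            proto = "icmp"
        elif rest.startswith("udp"):
            proto = "udp"
        else:
            proto = "tcp"  # verbose-1 TCP lines show flags such as psh/ack/syn
        packets.append({"ts": float(m["ts"]), "src_ip": src_ip, "src_port": src_port,
                        "dst_ip": dst_ip, "dst_port": dst_port, "proto": proto, "detail": rest})
    return packets


def conversations(packets):
    """Group packets by unordered endpoint pair and count packets in each direction."""
    convs = {}
    for p in packets:
        a = (p["src_ip"], p["src_port"])
        b = (p["dst_ip"], p["dst_port"])
        key = tuple(sorted([a, b]))  # same key regardless of direction
        entry = convs.setdefault(key, {"proto": p["proto"], "a_to_b": 0, "b_to_a": 0})
        if a == key[0]:
            entry["a_to_b"] += 1
        else:
            entry["b_to_a"] += 1
    return convs


def one_way_flows(text):
    """Return [(endpoint_pair, entry)] for conversations seen in only one direction."""
    convs = conversations(parse_sniffer(text))
    return sorted(((k, v) for k, v in convs.items() if v["a_to_b"] == 0 or v["b_to_a"] == 0),
                  key=lambda kv: kv[0])


if __name__ == "__main__":
    for (ep_a, ep_b), entry in one_way_flows(SAMPLE_TRACE):
        sent = entry["a_to_b"] or entry["b_to_a"]
        src, dst = (ep_a, ep_b) if entry["a_to_b"] else (ep_b, ep_a)
        print(f"{entry['proto']} {src[0]}:{src[1]} -> {dst[0]}:{dst[1]}: {sent} packet(s), no reply seen")
```

A one-way conversation is not proof of a drop on its own (a three-packet capture can simply be too short), but an unanswered series of echo requests, as in the sample, is the pattern to look for when deciding whether to check the far host, the return route, or a silent RPF drop as described above.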

 

Packet Capture

When troubleshooting networks, it helps to look inside the header of the packets. This helps to determine if the packets, route, and destination are all what you expect. Packet capture can also be called a network tap, packet sniffing, or logic analyzing.

 

To use the packet capture:

1. Go to System > Network > Packet Capture.

2. Select the interface to monitor and select the number of packets to keep.

3. Select Enable Filters.

4. Enter the information you want to gather from the packet capture.

5. Select OK.

To run the capture, select the play button in the progress column in the packet capture list. If not active, Not Running will also appear in the column cell. The progress bar will indicate the status of the capture. You can stop and restart it at any time.

When the capture is complete, click the Download icon to save the packet capture file to your hard disk for further analysis.

 

Packet capture tells you what is happening on the network at a low level. This can be very useful for troubleshooting problems, such as:

  • Finding missing traffic.
  • Seeing if sessions are setting up properly.
  • Locating ARP problems such as broadcast storm sources and causes.
  • Confirming which address a computer is using on the network if they have multiple addresses or are on multiple networks.
  • Confirming routing is working as you expect.
  • Wireless client connection problems.
  • Intermittent missing PING packets.
  • A particular type of packet is having problems, such as UDP, which is commonly used for streaming video.

If you are running a constant traffic application such as ping, packet capture can tell you if the traffic is reaching the destination, which ports it enters and exits the FortiGate unit on, if the ARP resolution is correct, and if the traffic is returning to the source as expected. You can also use packet capture to verify that NAT or other configuration is translating addresses or routing traffic the way that you want it to.

Before you start capturing packets, you need to have a good idea of what you are looking for. Capture is used to confirm or deny your ideas about what is happening on the network. If you try capture without a plan to narrow your search, you could end up with too much data to effectively analyze. On the other hand, you need to capture enough packets to really understand all of the patterns and behavior that you are looking for.

