
Interface MTU packet size


You can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits to improve network performance. Ideally, the MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets. If the packets that the FortiGate unit sends are larger than the smallest MTU, they are broken up or fragmented, which slows down transmission. You can easily experiment by lowering the MTU to find an MTU size for optimum network performance.

To change the MTU, select Override default MTU value (1500) and enter the MTU size based on the addressing mode of the interface:

  • 68 to 1500 bytes for static mode
  • 576 to 1500 bytes for DHCP mode
  • 576 to 1492 bytes for PPPoE mode
  • larger frame sizes if supported by the FortiGate model – up to 9216 bytes for NP2, NP4, and NP6-accelerated interfaces

The MTU override is only available on physical interfaces. Virtual interfaces associated with a physical interface inherit the physical interface MTU size.

Interfaces on some models support frames larger than the traditional 1500 bytes. Jumbo frames are supported on FortiGate models that have either a SOC2 or NP4lite, except for the FortiGate-30D, as well as on FortiGate-100D series models (for information about your FortiGate unit’s hardware, see the Hardware Acceleration guide). For other models, please contact Fortinet Customer Support for the maximum frame size that is supported.

If you need to send larger frames over a route, all Ethernet devices on that route must support that larger frame size; otherwise your larger frames will not be recognized and are dropped.

If you have standard size and larger size frame traffic on the same interface, routing alone cannot route them to different routes based only on frame size. However, you can use VLANs to make sure the larger frame traffic is routed over network devices that support that larger size. VLANs will inherit the MTU size from the parent interface. You will need to configure the VLAN to include both ends of the route as well as all switches and routers along the route.

MTU packet size is changed in the CLI. If you select an MTU size larger than your FortiGate unit supports, an error message will indicate this. In this situation, try a smaller MTU size until the value is supported.

In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces on the FortiGate unit to match the new MTU.

To change the MTU size, use the following CLI commands:

config system interface
    edit <interface_name>
        set mtu-override enable
        set mtu <byte_size>
    end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Wireless


A wireless interface is similar to a physical interface except that it does not include a physical connection. FortiWiFi units let you add multiple wireless interfaces that can be available at the same time (the FortiWiFi-30B can only have one wireless interface). On FortiWiFi units, you can configure the device to be either an access point or a wireless client. As an access point, the FortiWiFi unit can have up to four separate SSIDs, each on its own subnet for wireless access. In client mode, the FortiWiFi has only one SSID and is used as a receiver, enabling remote users to connect to the existing network using wireless protocols.

Wireless interfaces also require additional security measures to ensure the signal is not hijacked and data is not tampered with or stolen.

For more information on configuring wireless interfaces see the Deploying Wireless Networks Guide.



Administrative access


Interfaces, especially public-facing ports, can potentially be reached by people you do not want accessing the FortiGate unit. When setting up the FortiGate unit, you can set which protocols an administrator may use to access it. The options include:

  • HTTPS
  • HTTP
  • SSH
  • TELNET
  • SNMP
  • PING
  • FortiManager Access (FMG-Access)
  • FortiHeartBeat

 

You can select as many or as few of these as you want, or none at all, to be accessible to an administrator.

This example adds the IPv4 address 172.20.120.100 to the WAN1 interface and sets administrative access to HTTPS and SSH. As a good practice, set the administrative access at the same time as you set the IP address for the port.

 

To add an IP address on the WAN1 interface – web-based manager

1. Go to System > Network > Interface.

2. Select the WAN1 interface row and select Edit.

3. Select the Addressing Mode of Manual.

4. Enter the IP address for the port of 172.20.120.100/24.

5. For Administrative Access, select HTTPS and SSH.

6. Select OK.

 

To create IP address on the WAN1 interface – CLI

config system interface
    edit wan1
        set ip 172.20.120.100/24
        set allowaccess https ssh
    end

 

When adding or removing a protocol, you must type the entire list again. For example, if you have an access list of HTTPS and SSH and you want to add PING, typing:

    set allowaccess ping

…sets only PING. In this case, you must type…

    set allowaccess https ssh ping
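Because `set allowaccess` replaces the whole list, it is easy to drop HTTPS or SSH by accident, or to leave a cleartext management protocol enabled on a WAN-facing port. The following Python is an added example, not Fortinet's code or part of the original page: it parses a constructed `config system interface` snippet in the shape of FortiOS configuration output, reports interfaces that still allow HTTP or Telnet management, and builds the complete `set allowaccess` line for a change so that the protocols that should remain are restated. The function names and SAMPLE_CONFIG are this example's own.

```python
import re
from typing import Dict, Iterable, List

# Management protocols that carry credentials in cleartext; an audit
# should flag these, especially on interfaces that face the Internet.
CLEARTEXT = {"http", "telnet"}

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 172.20.120.100/24
        set allowaccess ping https ssh http telnet
    next
    edit "internal"
        set ip 10.13.101.100/24
        set allowaccess https ssh
    next
    edit "dmz"
        set ip 192.168.50.1/24
    next
end
"""

_EDIT = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
_ALLOW = re.compile(r"^\s*set\s+allowaccess\s+(.*)$")
_NEXT = re.compile(r"^\s*(next|end)\s*$")


def parse_allowaccess(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its allowaccess protocol list
    (an empty list when no allowaccess line is present)."""
    result: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = _EDIT.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        if current is None:
            continue
        m = _ALLOW.match(line)
        if m:
            result[current] = m.group(1).split()
        elif _NEXT.match(line):
            current = None
    return result


def cleartext_exposures(config: str) -> Dict[str, List[str]]:
    """Interfaces that permit HTTP or Telnet management, with the
    offending protocols sorted for stable output."""
    return {
        name: sorted(p for p in protos if p in CLEARTEXT)
        for name, protos in parse_allowaccess(config).items()
        if CLEARTEXT & set(protos)
    }


def allowaccess_command(config: str, iface: str,
                        add: Iterable[str] = (), drop: Iterable[str] = ()) -> str:
    """Build the full `set allowaccess ...` line for `iface`.

    The CLI replaces the entire list on every `set`, so the command must
    restate every protocol that should stay, not only the change.
    """
    current = parse_allowaccess(config).get(iface, [])
    wanted = [p for p in current if p not in set(drop)]
    wanted += [p for p in add if p not in wanted]
    return "set allowaccess " + " ".join(wanted) if wanted else "unset allowaccess"


def remediation(config: str, iface: str,
                add: Iterable[str] = (), drop: Iterable[str] = ()) -> str:
    """Complete CLI block that applies the change to one interface."""
    return "\n".join([
        "config system interface",
        f"    edit {iface}",
        "        " + allowaccess_command(config, iface, add, drop),
        "    next",
        "end",
    ])


if __name__ == "__main__":
    print(cleartext_exposures(SAMPLE_CONFIG))
    print(remediation(SAMPLE_CONFIG, "wan1", drop=("http", "telnet")))
    print(remediation(SAMPLE_CONFIG, "internal", add=("ping",)))
```

Running the script against the constructed sample flags wan1 for HTTP and Telnet and prints the full `set allowaccess https ssh ping` line for the internal interface, which is the form the text above says you must type rather than `set allowaccess ping` alone.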



PPPoE addressing mode on an interface


If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request from the interface.

The FortiGate units support many PPPoE RFC features (RFC 2516) including unnumbered IPs, initial discovery timeout and PPPoE Active Discovery Terminate (PADT).

PPPoE is only configurable in the web-based manager on desktop FortiGate units. 1U FortiGates and up must be configured in the CLI using the commands:

 

config system interface
    edit <port_name>
        set mode pppoe
        set username <ISP_username>
        set password <ISP_password>
        set idle-timeout <seconds>
        set distance <integer>
        set ipunnumbered <unnumbered-IP>
        set disc-retry-timeout <seconds>
        set padt-retry-timeout <seconds>
        set lcp-echo-interval <seconds>
        set dns-server-override {enable | disable}
    end

 

Configure PPPoE on an interface in System > Network > Interface. The table describes the PPPoE status information when PPPoE is configured for an interface.

 

Addressing mode section of New Interface page

Status

Displays PPPoE status messages as the FortiGate unit connects to the PPPoE server and gets addressing information. Select Status to refresh the addressing mode status message. The status is only displayed if you selected Edit. Status can be any one of the following four messages:

  • Initializing – No activity.
  • Connecting – The interface is attempting to connect to the PPPoE server.
  • Connected – The interface retrieves an IP address, netmask, and other settings from the PPPoE server. When the status is connected, PPPoE connection information is displayed.
  • Failed – The interface was unable to retrieve an IP address and other information from the PPPoE server.

Reconnect

Select to reconnect to the PPPoE server. Only displayed if Status is connected.

User Name

The PPPoE account user name.

Password

The PPPoE account password.

Unnumbered IP

Specify the IP address for the interface. If your ISP has assigned you a block of IP addresses, use one of them. Otherwise, this IP address can be the same as the IP address of another interface or can be any IP address.

Initial Disc Timeout

Enter the initial discovery timeout: the time to wait before starting to retry a PPPoE discovery.

Initial PADT timeout

Enter the initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP. Set the initial PADT timeout to 0 to disable it.

Distance

Enter the administrative distance for the default gateway retrieved from the PPPoE server. The administrative distance, an integer from 1 to 255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.

Retrieve default gateway from server

Enable to retrieve a default gateway IP address from a PPPoE server. The default gateway is added to the static routing table.

Override internal DNS

Enable to replace the DNS server IP addresses on the System DNS page with the DNS addresses retrieved from the PPPoE server. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.



DHCP addressing mode on an interface


If you configure an interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP request from the interface. The interface is configured with the IP address and any DNS server addresses and default gateway address that the DHCP server provides.

DHCP IPv6 is similar to DHCP IPv4; however:

  • there is no default gateway option, because a host learns the gateway from router advertisement messages
  • there are no WINS servers, because WINS is obsolete.

For more information about DHCP IPv6, see RFC 3315.

Configure DHCP for an interface in System > Network > Interface by selecting the interface from the list and selecting DHCP as the Addressing Mode. The table describes the DHCP status information when DHCP is configured for an interface.

Addressing mode section of New Interface page for DHCP information

Status

Displays DHCP status messages as the interface connects to the DHCP server and gets addressing information. Select Status to refresh the addressing mode status message. Status can be one of:

  • initializing – No activity.
  • connecting – The interface attempts to connect to the DHCP server.
  • connected – The interface retrieves an IP address, netmask, and other settings from the DHCP server.
  • failed – The interface was unable to retrieve an IP address and other settings from the DHCP server.

Obtained IP/Netmask

The IP address and netmask leased from the DHCP server. Only displayed if Status is connected.

Renew

Select to renew the DHCP lease for this interface. Only displayed if Status is connected.

Expiry Date

The time and date when the leased IP address and netmask are no longer valid for the interface. The IP address is returned to the pool to be allocated to the next request for an IP address. Only displayed if Status is connected.

Default Gateway

The IP address of the gateway defined by the DHCP server. Only displayed if Status is connected and Retrieve default gateway from server is selected.

Distance

Enter the administrative distance for the default gateway retrieved from the DHCP server. The administrative distance, an integer from 1 to 255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route.

Retrieve default gateway from server

Enable to retrieve a default gateway IP address from the DHCP server. The default gateway is added to the static routing table.

Override internal DNS

Enable to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.



Aggregate Interfaces


Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an aggregated (combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is transferred automatically to the remaining interfaces with the only noticeable effect being a reduced bandwidth.

This is similar to redundant interfaces with the major difference being that a redundant interface group only uses one link at a time, where an aggregate link group uses the total bandwidth of the functioning links in the group, up to eight (or more).

Support of the IEEE standard 802.3ad for link aggregation is available on some models. An interface is available to be an aggregate interface if:

  • it is a physical interface, not a VLAN interface or subinterface
  • it is not already part of an aggregate or redundant interface
  • it is in the same VDOM as the aggregated interface. Aggregate ports cannot span multiple VDOMs.
  • it does not have an IP address and is not configured for DHCP or PPPoE
  • it is not referenced in any security policy, VIP, IP Pool or multicast policy
  • it is not an HA heartbeat interface
  • it is not one of the FortiGate-5000 series backplane interfaces

Some models of FortiGate units do not support aggregate interfaces. On those models, the aggregate type is not offered in the web-based manager or the CLI. Also, you cannot create aggregate interfaces from the interfaces in a switch port.

To see if a port is being used or has other dependencies, use the following diagnose command:

diagnose sys checkused system.interface.name <interface_name>

When an interface is included in an aggregate interface, it is not listed on the System > Network > Interface page. Such interfaces still appear in the CLI, although configuration applied to them individually does not take effect. You cannot configure the interface individually and it is not available for inclusion in security policies, VIPs, IP pools, or routing.

 

Example

This example creates an aggregate interface on a FortiGate-3810A using ports 4-6 with an internal IP address of 10.13.101.100, as well as the administrative access to HTTPS and SSH.

 

To create an aggregate interface – web-based manager

1. Go to System > Network > Interface and select Create New.

2. Enter the Name as Aggregate.

3. For the Type, select 802.3ad Aggregate.

If this option does not appear, your FortiGate unit does not support aggregate interfaces.

4. In the Available Interfaces list, select port4, port5 and port6 and move them to the Selected Interfaces list.

5. Select the Addressing Mode of Manual.

6. Enter the IP address for the port of 10.13.101.100/24.

7. For Administrative Access select HTTPS and SSH.

8. Select OK.

 

To create aggregate interface – CLI

config system interface
    edit Aggregate
        set type aggregate
        set member port4 port5 port6
        set vdom root
        set ip 10.13.101.100/24
        set allowaccess https ssh
    end



One-armed sniffer


A one-armed sniffer is used to configure a physical interface on the FortiGate unit as a one-arm intrusion detection system (IDS). Traffic sent to the interface is examined for matches to the configured IPS sensor and application control list. Matches are logged and then all received traffic is dropped. Sniffing only reports on attacks. It does not deny or otherwise influence traffic.

Using the one-arm sniffer, you can configure a FortiGate unit to operate as an IDS appliance by sniffing network traffic for attacks without actually processing the packets. To configure one-arm IDS, you enable sniffer mode on a FortiGate interface and connect the interface to a hub or to the SPAN port of a switch that is processing network traffic.

To assign an interface as a sniffer interface, go to System > Network > Interface, edit the interface and select One-Arm Sniffer.

If the check box is not available, the interface is in use. Ensure that the interface is not selected in any firewall policies, routes, virtual IPs or other features in which a physical interface is specified.

Enable Filters

Select to include filters that define a more granular sniff of network traffic. Select specific addresses, ports, VLANs and protocols. In all cases, enter a number, or a number range, for the filtering type. For Protocol values, the standard protocol numbers are:

  • UDP – 17
  • TCP – 6
  • ICMP – 1

Include IPv6 Packets

If your network is running a combination of IPv4 and IPv6 addressing, select to sniff both addressing types. Otherwise, the FortiGate unit will only sniff IPv4 traffic.

Include Non-IP Packets

Select for a more intense scan of content in the traffic.

UTM Security Profiles

IPS sensors and application control lists enable you to select the specific sensors and applications you want to identify within the traffic.



Redundant interfaces


On some models you can combine two or more physical interfaces to provide link redundancy. This feature enables you to connect to two or more switches to ensure connectivity in the event one physical interface or the equipment on that interface fails.

In a redundant interface, traffic is only going over one interface at any time. This differs from an aggregated interface where traffic is going over all interfaces for distribution of increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.

An interface is available to be in a redundant interface if:

  • it is a physical interface, not a VLAN interface
  • it is not already part of an aggregated or redundant interface
  • it is in the same VDOM as the redundant interface
  • it has no defined IP address
  • it is not configured for DHCP or PPPoE
  • it has no DHCP server or relay configured on it
  • it does not have any VLAN subinterfaces
  • it is not referenced in any security policy, VIP, or multicast policy
  • it is not monitored by HA
  • it is not one of the FortiGate-5000 series backplane interfaces

When an interface is included in a redundant interface, it is not listed on the System > Network > Interface page. You cannot configure the interface individually and it is not available for inclusion in security policies, VIPs, or routing.

