Category Archives: FortiOS

VOIP application control sessions are no longer blocked after an HA failover

If you were one of those people, like me, that would have application control sessions blocked after a failover on HA, then 5.4 may be beneficial for you! See below!

VOIP application control sessions are no longer blocked after an HA failover (273544)

After an HA failover, VoIP sessions that are being scanned by application control will now continue with only a minor interruption, if any. To support this feature, IPS UDP expectation tables are now synchronized between cluster units.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FRUP is not supported by FortiOS 5.4

With the changes to switch mode, FRUP is no longer available on the FortiGate-100D


FGCP Supports BFD Enabled BGP Graceful Restart After an HA Failover

FGCP supports BFD enabled BGP graceful restart after an HA failover

If an HA cluster is part of a Border Gateway Protocol (BGP) bidirectional forwarding detection (BFD) configuration where both the cluster and the BGP static neighbor are configured for graceful restart, after an HA failover BGP enters graceful restart mode and both the cluster and the BGP neighbor keep their BGP routes.

To support HA and BFD enabled BGP graceful restart:

  • From the cluster, configure the BFD enabled BGP neighbor as a static BFD neighbor using the config router bfd command. Set the BGP auto-start timer to 5 seconds so that after an HA failover BGP on the new primary unit waits for 5 seconds before connecting to its BFD neighbors, and then registers BFD requests after establishing the connections. With static BFD neighbors, BFD requests and sessions can be created as soon as possible after the failover. The command get router info bfd requests shows the BFD peer requests.
  • The BFD session created for a static BFD neighbor/peer request initializes its state as INIT instead of DOWN and its detection time as bfd-required-min-rx * bfd-detect-mult msecs.
  • When a BFD control packet with a nonzero Your Discriminator (your_discr) value is received, if no session can be found to match the your_discr, instead of discarding the packet, other fields in the packet, such as addressing information, are used to choose one session that was just initialized, with zero as its remote discriminator.
  • When a BFD session in the UP state receives a control packet with zero as Your Discriminator and DOWN as State, the session changes its state to DOWN but will not notify this DOWN event to BGP and/or other registered clients.
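The three session rules above, as an added example that is not FortiOS code: a small model of a static-peer BFD session (INIT start state, detection time from bfd-required-min-rx and bfd-detect-mult), the fallback match for an unknown nonzero Your Discriminator, and the silent DOWN on a zero-discriminator DOWN packet. Class, field and function names are assumptions of this example.

```python
# Added example, not FortiOS code: names and fields are assumptions.
from dataclasses import dataclass, field

DOWN, INIT, UP = "DOWN", "INIT", "UP"

@dataclass
class BfdSession:
    local_discr: int
    peer_addr: str
    min_rx_ms: int           # bfd-required-min-rx
    detect_mult: int         # bfd-detect-mult
    remote_discr: int = 0    # unknown until the peer's first packet is seen
    state: str = INIT        # static peer request starts in INIT, not DOWN
    notified: list = field(default_factory=list)  # events passed to BGP
    def detection_time_ms(self):
        return self.min_rx_ms * self.detect_mult

@dataclass
class BfdPacket:
    src_addr: str
    my_discr: int
    your_discr: int
    state: str

def demux(sessions, pkt):
    if pkt.your_discr != 0:
        for s in sessions:
            if s.local_discr == pkt.your_discr:
                return s
        # No session has this discriminator: instead of dropping the packet, use
        # addressing info to pick a just-initialised session with remote_discr 0.
        sessions = [s for s in sessions if s.remote_discr == 0]
    return next((s for s in sessions if s.peer_addr == pkt.src_addr), None)

def handle(sessions, pkt):
    """Apply one control packet; returns the session touched, or None."""
    s = demux(sessions, pkt)
    if s is None:
        return None
    if pkt.your_discr == 0 and pkt.state == DOWN and s.state == UP:
        s.state = DOWN       # go DOWN, but do not notify BGP or other clients
        return s
    s.remote_discr = pkt.my_discr
    if pkt.state in (INIT, UP) and s.state != UP:
        s.state = UP
        s.notified.append(UP)
    elif pkt.state == DOWN and s.state == UP:
        s.state = DOWN
        s.notified.append(DOWN)
    return s
```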

Fortigate HA

High Availability FortiOS 5.4 Before You Begin

So, a lot of people are starting to deploy HA clusters of Fortinet hardware which is awesome. There are however some things you will want to consider before doing so. Here is a drill down from the Fortinet HA for FortiOS 5.4 Administration document.

Before you begin

Before you begin using this guide, take a moment to note the following:

  • If you enable virtual domains (VDOMs), HA is configured globally for the entire FortiGate unit and the configuration is called virtual clustering.
  • This HA guide is based on the assumption that you are a FortiGate administrator. It is not intended for others who may also use the FortiGate unit, such as FortiClient administrators or end users.
  • The configuration examples show steps for both the web-based manager (GUI) and the CLI. At this stage, the following installation and configuration conditions are assumed:
  • You have two or more FortiGate units of the same model available for configuring and connecting to form an HA cluster. You have a copy of the QuickStart Guide for the FortiGate units.
  • You have administrative access to the web-based manager and CLI.

Many of the configuration examples in this document begin with FortiGate units configured with the factory default configuration. This is optional, but may make the examples easier to follow. As well, you do not need to have installed the FortiGate units on your network before using the examples in this document.

Before you set up a cluster

Before you set up a cluster, ask yourself the following questions about the FortiGate units that you are planning to use to create a cluster. Do all the FortiGate units have the same hardware configuration, including the same hard disk configuration and the same optional components installed in the same slots?

1. Do all FortiGate units have the same firmware build?

2. Are all FortiGate units set to the same operating mode (NAT or Transparent)?

3. Are all the FortiGate units operating in the same VDOM mode?

4. If the FortiGate units are operating in multiple VDOM mode do they all have the same VDOM configuration?
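The checklist above, as an added example that is not Fortinet code: a pre-cluster check that compares the facts you gathered from each unit and reports which question fails and which units disagree. The unit records, their field names and the build strings are constructed sample data.

```python
# Added example, not Fortinet code: the unit facts and field names are assumed.
from collections import defaultdict

def ha_precheck(units):
    """Return (question, {value: [unit names]}) for each pre-cluster check the
    units fail; an empty list means they are eligible to form a cluster."""
    checks = [
        ("same hardware configuration (model, disk, optional components/slots)",
         lambda u: (u["model"], u["disk"], tuple(sorted(u["slots"].items())))),
        ("same firmware build", lambda u: u["build"]),
        ("same operating mode (NAT or Transparent)", lambda u: u["opmode"]),
        ("same VDOM mode", lambda u: u["vdom_mode"]),
    ]
    # question 4 only applies once the units all run in multiple VDOM mode
    if all(u["vdom_mode"] == "multi-vdom" for u in units):
        checks.append(("same VDOM configuration",
                       lambda u: tuple(sorted(u["vdoms"]))))
    problems = []
    for question, key in checks:
        groups = defaultdict(list)
        for u in units:
            groups[key(u)].append(u["name"])
        if len(groups) > 1:
            problems.append((question, dict(groups)))
    return problems

# Constructed sample: two units that differ only in firmware build.
SAMPLE_UNITS = [
    {"name": "FGT-A", "model": "FortiGate-100D", "disk": "none", "slots": {},
     "build": "5.4 build-X", "opmode": "nat", "vdom_mode": "no-vdom", "vdoms": ["root"]},
    {"name": "FGT-B", "model": "FortiGate-100D", "disk": "none", "slots": {},
     "build": "5.4 build-Y", "opmode": "nat", "vdom_mode": "no-vdom", "vdoms": ["root"]},
]

if __name__ == "__main__":
    for question, groups in ha_precheck(SAMPLE_UNITS):
        print(f"FAIL: not {question}: {groups}")
```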


Generate Reports During The Database Rebuild – FortiAnalyzer 5.4

Generate reports during the database rebuild

After FortiAnalyzer is upgraded, the system may need to rebuild databases due to schema changes. Please note that the ability to generate accurate reports will be affected until the rebuild is complete.


Report Grouping – FortiAnalyzer 5.4

Report grouping

If you are running a large number of reports which are very similar, you can significantly improve report generation time by grouping the reports. Report grouping can reduce the number of hcache tables and improve auto-hcache completion time and report completion time.

Step 1: Configure report grouping

To group reports whose titles contain the string Security_Report, grouped by device ID and VDOM, enter the following CLI commands:

config system report group
    edit 0
        set adom root
        config group-by
            edit devid
            next
            edit vd
            next
        end
        set report-like Security_Report
    next
end

Notes:

  1. The report-like field is the name pattern of the reports that will use the report group. This string is case-sensitive.
  2. The group-by value controls how cache tables are grouped.
  3. To see a listing of reports and which ones have been included in the grouping, enter the following CLI command:

execute sql-report list-schedule <ADOM>

Step 2: Initiate a rebuild of hcache tables

To initiate a rebuild of hcache tables, enter the following CLI command:

diagnose sql rebuild-report-hcache <start-time> <end-time>

Where <start-time> and <end-time> are in the format: <yyyy-mm-dd hh:mm:ss>.

Step 3: Perform an hcache-check for a given report

Perform an hcache-check for a given report to ensure that the hcache tables exactly match the start and end time frame for the report time period. Enter the following CLI command:

execute sql-report hcache-check <adom> <report_id> <start-time> <end-time>

If you do not run this command, the first report in the report group will take a little longer to run. All subsequent reports in that group will run optimally.


Extended UTM Log For Application Control – FortiAnalyzer 5.4

Extended UTM log for Application Control

For FortiOS 5.0 devices, the application control log is not visible until you enable the extended UTM log in the FortiOS CLI. To enable extended UTM log, use the following CLI command:

config application list
edit [name here]
set extended-utm-log enable
end


SQL database rebuild – FortiAnalyzer 5.4

SQL database rebuild

FortiAnalyzer can receive new logs during an SQL database rebuild. FortiView, Log View, Event Management, and Reports are also available. However, all scheduled reports are skipped. It is recommended to generate reports only after the database rebuild has finished.
