Last active March 12, 2025 06:34
fortigate cheat sheet
#=====================================================================
#CIS benchmark
https://www.cisecurity.org/benchmark/fortinet
#=====================================================================
Packet flow ingress and egress: FortiGates without network processor offloading
https://docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/86811/packet-flow-ingress-and-egress-fortigates-without-network-processor-offloading
#=====================================================================
CLI
Control key sequences supported by the CLI:
Previous command          Up arrow
Next command              Down arrow
Beginning of line         Ctrl + a
End of line               Ctrl + e
Back one word             Ctrl + b
Forward one word          Ctrl + f
Delete current character  Ctrl + d
Clear screen              Ctrl + l
Abort command and exit    Ctrl + c
Auto repeat history       Ctrl + p
#=====================================================================
#enable tor browser
# show
config firewall policy
    edit 14
        set name "enable-tor"
        set uuid 3aeaa466-2f8d-51ee-6fae-9bf68cfc8222
        set srcintf "TRUST"
        set dstintf "UNTRUST"
        set action accept
        set srcaddr "SOURCE_IPADDRESS"
        set internet-service enable
        set internet-service-name "Tor-Relay.Node"
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set dnsfilter-profile "default"
        set file-filter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat enable
        set comments "enable tor browser"
    next
end
#=====================================================================
#ChatGPT
FortiGate can be deployed as a DHCP server to automate the process of assigning IP addresses and network configuration settings to devices on a network. DHCP (Dynamic Host Configuration Protocol) is a standard network protocol used by devices to obtain IP addresses and other network configuration information automatically.
To deploy FortiGate as a DHCP server, you would typically follow these steps:
Configure the DHCP service: Enable the DHCP service on your FortiGate firewall and configure the DHCP server settings, including the IP address range, subnet mask, gateway address, and DNS server.
Create DHCP pools: Create DHCP pools that define the range of IP addresses that will be assigned to devices on your network.
Configure DHCP options: Configure DHCP options to provide additional network configuration settings to devices, such as DNS server addresses, WINS server addresses, and domain names.
Test your DHCP server: Test your FortiGate DHCP server by connecting devices to your network and verifying that they are assigned IP addresses and network configuration settings correctly.
Monitor and adjust: Monitor your FortiGate DHCP server logs and adjust your DHCP settings as needed to ensure optimal performance and security.
Overall, deploying FortiGate as a DHCP server can help to simplify network administration and reduce the risk of configuration errors by automating the process of assigning IP addresses and network configuration settings to devices on your network.
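The steps above as a FortiOS CLI configuration (added example, not from the gist or Fortinet's docs): a DHCP server on an assumed LAN interface port2 with a pool, gateway, DNS, domain option and one MAC reservation. Interface name, addresses and the MAC are assumed values.

```fortios
# Added example: FortiGate as DHCP server for the 192.168.10.0/24 segment on port2 (all values assumed)
config system dhcp server
    edit 1
        set status enable
        set interface "port2"
        set default-gateway 192.168.10.1
        set netmask 255.255.255.0
        # lease time in seconds; shorter leases make stale IP-to-user mappings age out faster
        set lease-time 28800
        # DHCP options handed to clients: resolver and search domain
        set dns-service specify
        set dns-server1 192.168.10.1
        set domain "corp.example"
        # the pool: only this range is ever handed out
        config ip-range
            edit 1
                set start-ip 192.168.10.100
                set end-ip 192.168.10.200
            next
        end
        # fixed address for a known device (assumed MAC), so its IP stays stable in policies and logs
        config reserved-address
            edit 1
                set mac 00:11:22:33:44:55
                set ip 192.168.10.50
            next
        end
    next
end
# Verify: list current leases (the "test" step above)
execute dhcp lease-list
```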
#=====================================================================
#ChatGPT
FortiGate can be deployed as a DNS server, allowing it to perform DNS resolution and caching functions. DNS (Domain Name System) is a crucial component of the Internet that translates human-readable domain names (such as google.com) into IP addresses that computers can use to communicate with each other.
To deploy FortiGate as a DNS server, you would typically follow these steps:
Configure the DNS service: Enable the DNS service on your FortiGate firewall and configure the DNS server settings, including the primary and secondary DNS servers that your FortiGate will use to resolve DNS queries.
Configure DNS policies: Create DNS policies that define which DNS queries should be allowed or blocked based on various criteria such as source/destination IP address, domain name, and DNS server.
Configure DNS caching: Enable DNS caching on your FortiGate firewall to improve DNS resolution performance by storing frequently requested DNS records in memory.
Test your DNS server: Test your FortiGate DNS server by sending DNS queries and verifying that the responses are correct.
Monitor and adjust: Monitor your FortiGate DNS server logs and adjust your DNS policies and caching settings as needed to ensure optimal performance and security.
Overall, deploying FortiGate as a DNS server can help to improve network performance and security by providing a reliable, fast, and secure DNS resolution service that is integrated with your firewall.
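The DNS server steps as FortiOS CLI (added example, not from the gist or Fortinet's docs): upstream resolvers with DNS over TLS enforced, a local zone for internal names, and a recursive listener on an assumed LAN interface port2. Resolver addresses, zone name and host records are assumed values.

```fortios
# Added example: upstream resolvers the FortiGate itself uses; "enforce" refuses to fall back to plaintext port 53 (assumed resolvers)
config system dns
    set primary 1.1.1.1
    set secondary 1.0.0.1
    set dns-over-tls enforce
end
# Local authoritative zone for internal names (assumed domain and host)
config system dns-database
    edit "corp-internal"
        set domain "corp.example"
        # shadow view: served only to internal clients through the recursive listener below, never to the public side
        set view shadow
        set authoritative enable
        config dns-entry
            edit 1
                set type A
                set hostname "intranet"
                set ip 10.10.10.20
            next
        end
    next
end
# Listener on the LAN interface: answers from the shadow zone, recurses to the upstreams for everything else
config system dns-server
    edit "port2"
        set mode recursive
    next
end
```

Point a LAN client at port2's address and resolve intranet.corp.example plus an external name to exercise both paths (the "test" step above).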
#=====================================================================
#ChatGPT
FortiGate is a next-generation firewall that can be deployed as an internal segmentation firewall to protect different segments of a network from each other. Internal segmentation is an approach to network security that involves dividing the network into smaller, more manageable segments or zones, each with its own security policy and access control rules.
To deploy FortiGate as an internal segmentation firewall, you would typically follow these steps:
Plan your segmentation strategy: Determine how you want to divide your network into segments, based on factors such as security requirements, business functions, and user groups.
Configure your FortiGate firewall: Configure your FortiGate firewall with the appropriate interfaces and IP addresses for each network segment. You may need to create virtual LANs (VLANs) to separate traffic between different segments.
Create security policies: Create security policies for each network segment that define what traffic is allowed or blocked based on various criteria such as source/destination IP address, port number, and application.
Test your segmentation: Test your segmentation by sending traffic between different network segments to ensure that the security policies are working as expected.
Monitor and adjust: Monitor your FortiGate firewall logs and adjust your security policies as needed to ensure that your network remains secure and compliant with your organization's policies and regulations.
Overall, deploying FortiGate as an internal segmentation firewall helps to improve the security posture of your network by reducing the attack surface and limiting the impact of any security breaches that may occur.
#=====================================================================
#ChatGPT
Compare flow-based inspection mode vs proxy-based inspection mode in fortigate.
Flow-based inspection mode and proxy-based inspection mode are two different methods for traffic inspection and processing in FortiGate firewalls.
Flow-based inspection mode operates at the network layer and uses a flow-based approach to process traffic. When a packet enters the firewall, the FortiGate checks the packet header against existing session information to determine whether the packet is part of an existing session or if it should initiate a new session. Flow-based inspection mode is optimized for high-speed traffic processing and is well-suited for environments where network performance is critical, such as data centers and large enterprises.
Proxy-based inspection mode, on the other hand, operates at the application layer and uses a proxy-based approach to process traffic. In this mode, the FortiGate acts as a proxy for the client and initiates a separate connection with the server on behalf of the client. The FortiGate then inspects and filters the traffic before passing it on to the client. Proxy-based inspection mode is well-suited for environments where security is the top priority and where advanced features such as content filtering, application control, and intrusion prevention are needed.
Here are some key differences between flow-based inspection mode and proxy-based inspection mode in FortiGate:
Performance: Flow-based inspection mode is optimized for high-speed traffic processing and can handle large volumes of traffic without affecting network performance. Proxy-based inspection mode, on the other hand, can be resource-intensive and may impact network performance, particularly in high-traffic environments.
Security: Proxy-based inspection mode provides greater security than flow-based inspection mode as it can inspect traffic at the application layer and apply advanced security features such as content filtering, application control, and intrusion prevention. Flow-based inspection mode, however, is more limited in terms of security features.
Compatibility: Flow-based inspection mode is compatible with a wider range of protocols and applications than proxy-based inspection mode, which may have compatibility issues with certain applications and protocols.
Deployment: Flow-based inspection mode is easier to deploy than proxy-based inspection mode as it requires fewer resources and is less complex to configure. Proxy-based inspection mode, however, provides more granular control over traffic and allows for more advanced security features.
Ultimately, the choice between flow-based inspection mode and proxy-based inspection mode will depend on the specific needs and priorities of your organization. If network performance is critical, flow-based inspection mode may be the best option, while if security is the top priority, proxy-based inspection mode may be more appropriate.
#=====================================================================
#policy best practices
Policies are matched top-down, so put the most specific, or narrow, policies at the top of the policy list.
Do not use the "all" or "any" objects in a policy, except when routing to the internet.
Use users in policies. This makes the policy more specific and reduces the chances of unintended traffic matching (user-based policies versus IP-based policies).
https://docs.fortinet.com/document/fortigate/7.2.0/best-practices/862226/policies#LocalInPolicies
#=====================================================================
#ChatGPT
FortiGate firewalls support both user-based policies and IP-based policies. Here's a comparison between the two:
User-based policies:
User-based policies allow you to create policies based on specific user identities, which can be authenticated through various methods such as LDAP, RADIUS, SSO, etc.
With user-based policies, you can apply policies to specific users or user groups, which can help to provide granular access control and security.
User-based policies are useful in environments where users have different levels of access requirements, and where you need to enforce policies based on user identities rather than IP addresses.
User-based policies can be more complex to configure, especially if you have a large number of users and user groups to manage.
IP-based policies:
IP-based policies allow you to create policies based on source and destination IP addresses or address ranges.
With IP-based policies, you can apply policies to specific IP addresses or ranges, which can help to control access to specific networks or devices.
IP-based policies are useful in environments where you need to enforce policies based on network topology, or where users are not authenticated through a centralized directory service.
IP-based policies can be less granular than user-based policies, as you are limited to controlling access based on IP addresses or ranges.
In summary, both user-based policies and IP-based policies have their own strengths and weaknesses. The choice between the two depends on your specific requirements and environment. If you need to enforce policies based on specific user identities, user-based policies may be more appropriate. If you need to control access based on network topology or specific IP addresses, IP-based policies may be more appropriate. In some cases, a combination of both types of policies may be necessary to provide comprehensive access control and security.
#=====================================================================
#ChatGPT
Port block allocation, fixed port range, one-to-one, and overload are all different types of NAT (Network Address Translation) configurations that can be used in FortiGate firewall. While they are not directly related to identifying user connections without logging user traffic, they are commonly used in network security and can help administrators manage network access.
Port block allocation: Port block allocation is a NAT configuration in which a range of consecutive port numbers is allocated to a single public IP address. When traffic comes into the network, the firewall translates the source port number to a port number in the allocated range before forwarding it to the destination. Port block allocation can be useful for load balancing and managing network traffic.
Fixed port range: Fixed port range is a NAT configuration in which a range of fixed port numbers is allocated to a single public IP address. This configuration is similar to port block allocation, but instead of allocating a consecutive range of ports, a specific range of ports is used. Fixed port range can also be useful for load balancing and managing network traffic.
One-to-one: One-to-one NAT is a configuration in which a single public IP address is mapped to a single private IP address. This type of NAT is useful for scenarios where a public IP address is required to access a specific device or service on a private network.
Overload: Overload NAT, also known as port address translation (PAT), is a configuration in which multiple private IP addresses are mapped to a single public IP address. This configuration is commonly used in scenarios where there are more private IP addresses than available public IP addresses. The firewall translates the source IP address and port number to a unique combination before forwarding the traffic to the destination. Overload NAT can be useful for managing network traffic and conserving public IP addresses.
While these configurations are not directly related to identifying user connections without logging user traffic, they can be useful tools in network security and management.
#=====================================================================
#administrative settings
Replace the certificate that is offered for HTTPS access with a trusted certificate that has the FQDN or IP address of the FortiGate.
Configure the Fortinet Security Fabric when multiple FortiGates and fabric devices are used. It provides single-pane-of-glass administration, allowing administrators access to each device in the fabric using SSO.
https://docs.fortinet.com/document/fortigate/7.2.0/best-practices/103945/administrative-settings
#=====================================================================
#ChatGPT
When a user logs in to the network, the FSSO agent sends their login information to the FortiGate firewall, which then maps the user's IP address to their FSSO credentials. This method can be used to identify users who frequently log in to the network from different devices.
#=====================================================================
#ChatGPT
Explain the role of a DC agent in an FSSO DC agent mode solution in fortigate.
In Fortinet's FortiGate firewall, FSSO (Fortinet Single Sign-On) is a feature that allows users to authenticate once and gain access to multiple network resources without having to enter their credentials each time. FSSO can work in DC agent mode, where a DC (Domain Controller) agent is installed on a domain controller to gather user login events and pass them to the FortiGate firewall.
The DC agent acts as a middleman between the FortiGate firewall and the domain controller. It monitors the Windows Security event log on the domain controller for login events and sends them to the FortiGate firewall. The firewall then uses this information to create user-based policies, allowing or denying access to network resources based on the user's credentials.
In summary, the DC agent plays a critical role in an FSSO DC agent mode solution by gathering user login events and passing them to the FortiGate firewall, enabling the firewall to create user-based policies and ensure secure access control.
#=====================================================================
#ChatGPT
Explain FSSO in fortigate - ChatGPT
FSSO (Fortinet Single Sign-On) is a feature in Fortigate firewalls that allows users to log in to the firewall using their existing Active Directory (AD) credentials. With FSSO, users are able to access network resources and applications without having to enter their credentials multiple times.
FSSO works by using an agent installed on a domain controller to communicate with the Fortigate firewall and pass information about user logins and logouts. The agent captures user login events and sends the information to the Fortigate firewall, which then updates its user database with the current login status of each user.
Using FSSO, the Fortigate firewall can enforce user-based security policies, such as URL filtering, web filtering, and VPN access, based on the user's AD group membership. This allows administrators to set up granular access controls for different groups of users and helps ensure that users have the appropriate level of access to network resources and applications.
FSSO is also used to provide single sign-on for web-based applications, such as webmail and file sharing portals, that are protected by the Fortigate firewall. When users log in to the firewall, they are automatically logged in to the protected applications without having to enter their credentials again.
Overall, FSSO provides a convenient and secure way for organizations to manage user access to network resources and applications, helping to reduce the administrative burden of managing user accounts and passwords, and improving overall security.
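How the FSSO sections and the user-based versus IP-based policy comparison fit together in FortiOS CLI (added example, not from the gist or Fortinet's docs): an FSSO connector to a collector agent, a firewall group bound to an AD group, and a policy that only matches while a member of that group is logged on at the source IP. The collector address, AD group DN, LAN_SUBNET address object and the password placeholder are assumed; TRUST/UNTRUST are the interface names used elsewhere in this gist.

```fortios
# Added example: FSSO connector to the collector/DC agent (assumed address; password is a placeholder, never commit the real one)
config user fsso
    edit "ad-collector"
        set server "10.10.0.5"
        set port 8000
        set password <collector-agent-password>
    next
end
# Firewall group of type fsso-service, bound to an AD group learned from the agent (assumed DN)
config user group
    edit "FSSO_Finance"
        set group-type fsso-service
        set member "CN=Finance,OU=Groups,DC=corp,DC=example"
    next
end
# User-based policy: srcaddr still narrows by subnet (no "all"), and "groups" adds the identity match
config firewall policy
    edit 30
        set name "finance-web-out"
        set srcintf "TRUST"
        set dstintf "UNTRUST"
        set srcaddr "LAN_SUBNET"
        set dstaddr "all"
        set groups "FSSO_Finance"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
end
# Verify which users/IPs the FortiGate currently considers logged on through FSSO
diagnose debug authd fsso list
```

A host in LAN_SUBNET with no FSSO logon, or whose user is outside the Finance group, does not match policy 30 and falls through to the next policy in the list.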
#=====================================================================
Security Fabric - External Connectors - Endpoint/Identity - FSSO Agent on Windows AD (old tech)
Security Fabric - External Connectors - Endpoint/Identity - Poll Active Directory Server (new tech)
#=====================================================================
#ChatGPT
Explain Virtual IPs in fortigate with use cases.
Virtual IPs (VIPs) are a feature found in FortiGate firewalls that allows multiple public IP addresses to be associated with a single private IP address. VIPs are typically used in scenarios where a single private IP address needs to be accessed through multiple public IP addresses. Some common use cases for VIPs in FortiGate firewalls include:
High Availability: In this scenario, multiple FortiGate firewalls are deployed in a high availability cluster. A single private IP address is associated with multiple public IP addresses through VIPs, allowing incoming traffic to be distributed between the different firewalls in the cluster.
Load Balancing: In this scenario, multiple servers are deployed to handle incoming traffic for a service or application. A single private IP address is associated with multiple public IP addresses through VIPs, allowing incoming traffic to be load balanced between the different servers.
Multi-Tenant Networks: In this scenario, a single private IP address is used to host multiple virtual machines for different tenants. Each tenant is assigned a separate public IP address through VIPs, allowing them to access their virtual machine through a dedicated IP address.
NAT Pooling: In this scenario, multiple private IP addresses are associated with a pool of public IP addresses through VIPs. Incoming traffic is distributed between the different private IP addresses in the pool, allowing for greater flexibility in managing network resources.
Overall, VIPs in FortiGate firewalls provide a flexible and scalable solution for managing multiple public IP addresses associated with a single private IP address. They are commonly used in high availability and load balancing scenarios, as well as in multi-tenant networks and NAT pooling scenarios.
#=====================================================================
#ChatGPT
Explain DNAT in fortigate with use cases.
DNAT (Destination Network Address Translation) is a feature found in FortiGate firewalls that allows incoming traffic to be redirected from one public IP address to a private IP address on a different network. DNAT is typically used in scenarios where incoming traffic needs to be redirected to a different server or service on the network. Some common use cases for DNAT in FortiGate firewalls include:
Web Server Redirection: In this scenario, incoming HTTP traffic is redirected from a public IP address to a private IP address where a web server is hosted. This is commonly used in situations where multiple web servers are hosted on a single network and need to be accessed through a single public IP address.
Email Server Redirection: In this scenario, incoming email traffic is redirected from a public IP address to a private IP address where an email server is hosted. This is commonly used in situations where multiple email servers are hosted on a single network and need to be accessed through a single public IP address.
Remote Access VPN: In this scenario, incoming VPN traffic is redirected from a public IP address to a private IP address where a VPN gateway is hosted. This is commonly used in situations where remote workers need to connect to the corporate network securely.
Load Balancing: In this scenario, incoming traffic is redirected from a public IP address to a group of private IP addresses that are configured to load balance traffic between them. This is commonly used in situations where high availability and scalability are required for a service or application.
Overall, DNAT in FortiGate firewalls is a powerful tool that can be used to redirect incoming traffic from a public IP address to a private IP address on a different network. This allows network administrators to better manage and secure their networks while ensuring that traffic is routed to the correct server or service.
#=====================================================================
traffic shaping
Traffic shaping is a method of network traffic management that limits the bandwidth available to certain types of traffic, such as peer-to-peer (P2P) file sharing, while ensuring that other types of traffic, such as VoIP or video conferencing, get the bandwidth they need to function properly.
FortiGate uses several techniques to shape traffic, including Quality of Service (QoS), bandwidth shaping, and packet prioritization.
QoS ensures that certain types of traffic are given priority over others, while bandwidth shaping limits the bandwidth available to specific types of traffic.
Packet prioritization assigns higher or lower priority to individual packets based on their source or destination, or the type of traffic they belong to.
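The shaping techniques above in FortiOS CLI (added example, not from the gist or Fortinet's docs): a guaranteed/high-priority shaper for VoIP signalling, a capped low-priority shaper for everything else, a per-IP shaper so no single host can exhaust the link, and shaping policies that apply them. Bandwidth figures and the TRUST/UNTRUST interface names (reused from this gist) are assumed.

```fortios
# Added example: shared shapers; guaranteed-bandwidth / maximum-bandwidth are in kbps
config firewall shaper traffic-shaper
    edit "voip-guaranteed"
        set guaranteed-bandwidth 2000
        set maximum-bandwidth 4000
        set priority high
    next
    edit "bulk-capped"
        set guaranteed-bandwidth 0
        set maximum-bandwidth 10000
        set priority low
    next
end
# Per-IP shaper: caps what any one source host may use, whatever its traffic type
config firewall shaper per-ip-shaper
    edit "per-host-cap"
        set max-bandwidth 2000
        set max-concurrent-session 500
    next
end
# Shaping policies are evaluated top-down and only touch traffic already accepted by a firewall policy;
# the specific VoIP policy sits above the catch-all, mirroring the "most specific first" rule for firewall policies
config firewall shaping-policy
    edit 1
        set name "prioritise-voip"
        set service "SIP"
        set dstintf "UNTRUST"
        set srcaddr "all"
        set dstaddr "all"
        set traffic-shaper "voip-guaranteed"
        set traffic-shaper-reverse "voip-guaranteed"
    next
    edit 2
        set name "cap-everything-else"
        set service "ALL"
        set dstintf "UNTRUST"
        set srcaddr "all"
        set dstaddr "all"
        set traffic-shaper "bulk-capped"
        set traffic-shaper-reverse "bulk-capped"
        set per-ip-shaper "per-host-cap"
    next
end
```

To single out P2P rather than all remaining traffic, replace the service match in policy 2 with an application-control match (set application or set app-category with the IDs from your FortiGuard application list).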
#=====================================================================
#ChatGPT
explain why a server located in DMZ ZONE in fortigate configured with DNAT.
A server located in the Demilitarized Zone (DMZ) of a FortiGate firewall is typically used to provide public-facing services to the internet, while also providing an additional layer of security by isolating these services from the internal network.
To make these public-facing services accessible to the internet, Network Address Translation (NAT) is often used. Dynamic NAT (DNAT) is a technique that allows incoming traffic to be redirected to a specific server located in the DMZ based on the destination IP address of the incoming packet.
Configuring DNAT on the FortiGate firewall ensures that any incoming traffic to a specific public IP address is automatically forwarded to the designated server located in the DMZ, thus providing public access to the server's services without compromising the security of the internal network.
Furthermore, by configuring DNAT on the FortiGate firewall, network administrators can also configure other security measures such as traffic shaping, firewall policies, and access control lists to ensure that only authorized traffic is allowed to access the server in the DMZ. This provides an additional layer of protection against potential attacks and unauthorized access to the server.
#=====================================================================
#ChatGPT
If both servers located in the Demilitarized Zone (DMZ) of a FortiGate firewall have their own public IP addresses, then the difference between configuring them with or without Dynamic NAT (DNAT) may be less significant. However, here are some key differences between a server located in a DMZ zone configured with DNAT and one configured without DNAT, even if they have their own public IP addresses:
Network traffic: If a server in the DMZ is configured without DNAT, traffic destined for that server from the Internet must be directed to its public IP address, but the server may not know how to respond to it unless it has a public IP configured on its network interface. In contrast, if the server is configured with DNAT, the FortiGate firewall can direct incoming traffic to the correct private IP address within the DMZ, even if the server's network interface only has a private IP address assigned to it.
Firewall policies: Configuring a server in the DMZ zone with DNAT allows for more granular control of network traffic to and from that server, as firewall policies can be created to specifically allow or deny traffic destined for the private IP address assigned to the server. Without DNAT, firewall policies must be created to allow or deny traffic based on the server's public IP address, which may not provide the same level of control.
Security: Even with their own public IP addresses, servers in the DMZ are still considered to be more exposed to the Internet and potentially vulnerable to attacks. Configuring a server in the DMZ zone with DNAT can provide additional security by preventing the server's private IP address from being exposed to the Internet, which reduces the likelihood of it being targeted by attackers.
In summary, while the difference between configuring a server in a DMZ zone with or without DNAT may be less significant if both servers have their own public IP addresses, there are still differences in network traffic, firewall policies, and security considerations to take into account. Configuring a server with DNAT can provide additional security and control over network traffic, which may be beneficial even if the server already has its own public IP address.
#=====================================================================
VIPs are typically used to translate external, or public, IP addresses to internal, or private, IP addresses.
For DNAT on FortiGate, use a VIP as the destination address field of a firewall policy.
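The two lines above as a worked DMZ web server publication in FortiOS CLI (added example, not from the gist or Fortinet's docs): a port-forwarding VIP from an assumed public address to an assumed DMZ host, the inbound policy that uses the VIP as its destination, and the session check that confirms the translation. UNTRUST is the interface name used elsewhere in this gist; DMZ and all addresses are assumed.

```fortios
# Added example: VIP mapping public 203.0.113.10:443 to DMZ host 10.10.10.20:443 (documentation addresses, assumed)
config firewall vip
    edit "web-dmz-vip"
        set extip 203.0.113.10
        set extintf "UNTRUST"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "10.10.10.20"
        set mappedport 443
    next
end
# Inbound policy: the VIP object is the destination; the FortiGate rewrites the destination to 10.10.10.20 before the policy lookup,
# and the policy is restricted to the one published service
config firewall policy
    edit 40
        set name "inbound-web-dmz"
        set srcintf "UNTRUST"
        set dstintf "DMZ"
        set srcaddr "all"
        set dstaddr "web-dmz-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
        # nat stays disabled here: enabling it would also SNAT to the DMZ interface address and hide the real client IP from the server's logs
        set nat disable
    next
end
# Verify: list live sessions to port 443 and check that both the original (203.0.113.10) and translated (10.10.10.20) destinations appear
diagnose sys session filter clear
diagnose sys session filter dport 443
diagnose sys session list
```

Only destination port 443 is forwarded; any other port on 203.0.113.10 has no VIP match and is dropped by the implicit deny.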
#=====================================================================
#ChatGPT
Compare DNAT and Virtual IPs in fortigate.
In FortiGate firewalls, both DNAT (Destination Network Address Translation) and Virtual IPs (VIPs) are used to redirect traffic from one IP address to another. However, there are some differences in their implementation in FortiGate firewalls:
Purpose: DNAT in FortiGate firewalls is used to redirect incoming traffic to a different IP address or port, while VIPs are used to associate multiple public IP addresses with a single private IP address.
Configuration: DNAT and VIPs are configured differently in FortiGate firewalls. DNAT rules are typically created in the firewall policy, where the NAT type is set to "Central NAT" and the DNAT configuration is selected. VIPs are created under Policy & Objects > Objects > Virtual IPs, where you can specify the private IP address and the public IP addresses that should be associated with it.
Implementation: DNAT in FortiGate firewalls is typically implemented using NAT techniques, which involve modifying the headers of incoming packets to redirect them to a different IP address or port. VIPs are implemented using IP address pooling, which allows multiple public IP addresses to be associated with a single private IP address.
Use cases: DNAT in FortiGate firewalls is commonly used to redirect incoming traffic to a different server or service, such as redirecting all incoming HTTP traffic to a specific web server. VIPs are commonly used in scenarios where multiple public IP addresses are required to be associated with a single private IP address, such as in load-balancing or high-availability scenarios.
Overall, while both DNAT and VIPs in FortiGate firewalls are used to redirect traffic from one IP address to another, they serve different purposes and are configured and implemented differently.
| #===================================================================== | |
| #ChatGPT | |
| Explain what the difference is between destination network address translation (DNAT) and source network address translation (SNAT) in fortigate. - ChatGPT | |
| Destination Network Address Translation (DNAT) and Source Network Address Translation (SNAT) are two common types of Network Address Translation (NAT) used in Fortigate and other networking devices. | |
| DNAT is a type of NAT where the destination IP address of incoming traffic is translated to a different IP address. DNAT is often used to redirect traffic from one external IP address to another internal IP address. For example, if you have a web server on an internal network with the IP address 192.168.1.10, you can use DNAT to translate incoming traffic to the public IP address of the Fortigate device to that internal IP address. | |
| SNAT, on the other hand, is a type of NAT where the source IP address of outgoing traffic is translated to a different IP address. SNAT is often used to allow internal clients with private IP addresses to access the internet using a public IP address. For example, if you have a network with private IP addresses such as 192.168.1.0/24, you can use SNAT to translate the source IP address of outgoing traffic to a public IP address assigned to the Fortigate device. This allows the outgoing traffic to be routed over the internet. | |
| In summary, DNAT is used to translate the destination IP address of incoming traffic, while SNAT is used to translate the source IP address of outgoing traffic. Both are common types of NAT used in Fortigate and other networking devices to help manage and route network traffic. | |
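The SNAT half of the DNAT/SNAT comparison above, as an added example rather than text from the gist: outbound traffic from a private subnet is translated to a dedicated public address held in an IP pool. The interfaces internal and wan1, the subnet 192.168.1.0/24, the pool address 203.0.113.20 and the object names are assumptions.

```fortios
# Added example: source NAT for outbound client traffic.
# Interface names, addresses and object names are assumed values.
config firewall address
    edit "lan-192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end
# Overload pool: every internal host shares one public address, with the
# FortiGate picking a distinct source port per session.
config firewall ippool
    edit "snat-pool-outbound"
        set type overload
        set startip 203.0.113.20
        set endip 203.0.113.20
    next
end
config firewall policy
    edit 0
        set name "outbound-snat"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan-192.168.1.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "snat-pool-outbound"
        set logtraffic all
    next
end
```

With `set nat enable` alone the policy translates to the address of the outgoing interface; the pool is only needed when the translated address must differ from it. `set logtraffic all` matters for investigations: the traffic log then carries `transip` and `transport`, the translated source address and port, which is what an external party will report back to you when they see abuse from your address.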
| #===================================================================== | |
| #ChatGPT | |
| Explain how to configure LDAPS in fortigate. - ChatGPT | |
| To configure LDAPS (LDAP over SSL/TLS) in FortiGate, you can follow these steps: | |
| Log in to your FortiGate device's web-based management interface. | |
| Navigate to the "Security Fabric" menu and select "LDAP Servers" from the drop-down list. | |
| Click on the "Create New" button to add a new LDAP server. | |
| In the "General Settings" section, give a name to the LDAP server and select "LDAPS" as the protocol. | |
| Enter the server's hostname or IP address, as well as the port number. Typically, LDAPS uses port 636. | |
| In the "Authentication Settings" section, enter the username and password that will be used to authenticate to the LDAP server. | |
| Under "SSL/TLS Settings", set "Use SSL/TLS" to "Enable". | |
| If the LDAP server's SSL certificate is signed by a trusted CA, set "Certificate Verification" to "Enable" and select the appropriate CA from the list. If the LDAP server uses a self-signed certificate, set "Certificate Verification" to "Disable". | |
| Click on the "Test Connection" button to ensure that the FortiGate device can connect to the LDAP server using LDAPS. | |
| If the test is successful, click on the "Save" button to save the LDAP server configuration. | |
| Repeat the above steps for any additional LDAP servers that you wish to configure. | |
| Once you have configured one or more LDAP servers using LDAPS, you can use them to authenticate users and enforce access policies in your FortiGate device. To do so, you can create user groups and map them to LDAP groups, and then configure firewall policies to allow or deny access based on the user groups. | |
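The same LDAPS server definition as a CLI object, added here as an example that is not part of the gist or of Fortinet's documentation. It assumes a directory at ldaps.example.com, a CA certificate already imported under the name CA_Cert_1, a read-only bind account and an AD group named VPN-Users; all of those names are placeholders.

```fortios
# Added example: LDAP over TLS on port 636 with the server certificate checked
# against an imported CA. Server name, DN, account and group are assumptions.
config user ldap
    edit "corp-ldaps"
        set server "ldaps.example.com"
        set port 636
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=svc-fortigate,ou=Service Accounts,dc=example,dc=com"
        set password svc-password-placeholder
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set server-identity-check enable
    next
end
# Map one directory group to a FortiGate user group that policies can reference.
config user group
    edit "ldap-vpn-users"
        set member "corp-ldaps"
        config match
            edit 1
                set server-name "corp-ldaps"
                set group-name "CN=VPN-Users,OU=Groups,DC=example,DC=com"
            next
        end
    next
end
```

`set server-identity-check enable` makes the FortiGate compare the certificate's subject with the value in `set server`, so use the DNS name the certificate was issued for rather than the IP address. Rather than switching certificate verification off for a self-signed server certificate, import that certificate (or the private CA) under System > Certificates and point `set ca-cert` at it; the bind password otherwise travels inside a TLS session that anyone on the path could terminate. Test the bind and a user lookup from the CLI with `diagnose test authserver ldap corp-ldaps <username> <password>`; a failing TLS handshake shows up there before any policy is involved.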
| #===================================================================== | |
| #ChatGPT | |
| Compare LDAPS over LDAP. Explain advantages of one over other. - ChatGPT | |
| LDAP (Lightweight Directory Access Protocol) is a standard protocol for accessing and managing directory information services. It is commonly used for user authentication and authorization, as well as for storing information such as email addresses, phone numbers, and organizational data. | |
| LDAPS (LDAP over Secure Sockets Layer) is a variant of LDAP that uses SSL/TLS to encrypt and secure communication between the LDAP client and server. Here are some advantages of LDAPS over LDAP: | |
| Security: LDAPS encrypts all communication between the LDAP client and server, which makes it more secure than LDAP. LDAP does not encrypt the communication, which means that sensitive data such as passwords can be intercepted and read by attackers. | |
| Authentication: LDAPS uses digital certificates for server authentication, which provides an additional layer of security. LDAP, on the other hand, relies on simple bind authentication, which is less secure. | |
| Compliance: LDAPS is often required for compliance with regulations such as HIPAA and PCI-DSS, which mandate the use of secure communication protocols. | |
| Performance: LDAPS can be slower than LDAP due to the overhead of encrypting and decrypting data. However, with modern hardware and software, this performance difference is often negligible. | |
| Overall, LDAPS provides a more secure and compliant way of accessing directory services compared to LDAP. However, LDAPS may be more resource-intensive, so organizations should weigh the benefits against the potential impact on performance when deciding which protocol to use. | |
| #===================================================================== | |
| #ChatGPT | |
| Explain traffic shaping in fortigate. - ChatGPT | |
| Traffic shaping in Fortinet's FortiGate firewall is the process of controlling and managing network traffic to optimize performance and ensure that critical applications receive the bandwidth they require. It is a method of network traffic management that limits the amount of bandwidth available to certain types of traffic, such as peer-to-peer (P2P) file sharing, while ensuring that other types of traffic, such as VoIP or video conferencing, have the necessary bandwidth to function properly. | |
| FortiGate uses a number of techniques to shape traffic, including Quality of Service (QoS), bandwidth shaping, and packet prioritization. QoS ensures that certain types of traffic are given priority over others, while bandwidth shaping limits the amount of bandwidth available to specific types of traffic. Packet prioritization, on the other hand, assigns higher or lower priority to individual packets based on their source or destination, or the type of traffic they belong to. | |
| To configure traffic shaping in FortiGate, you must first define the traffic classes that will be shaped. Traffic classes are defined based on criteria such as source or destination IP address, port numbers, protocols, or applications. Once traffic classes are defined, you can configure traffic shaping policies that apply to those classes. These policies define the amount of bandwidth that will be allocated to each traffic class, and specify the QoS settings and packet prioritization for each class. | |
| Overall, traffic shaping in FortiGate is an important tool for managing network traffic, improving network performance, and ensuring that critical applications receive the bandwidth they need to function properly. | |
| #===================================================================== | |
| Security Fabric in FortiGate | |
| Establish a Security Fabric: Create a Security Fabric by connecting your FortiGate firewall to other Fortinet security solutions, such as FortiAnalyzer, FortiManager, FortiWeb, FortiMail, and FortiSandbox. | |
| Automate Threat Response: Use the Security Fabric's automation capabilities to automate threat response and orchestrate security workflows. For example, when a threat is detected, the Security Fabric can automatically quarantine an infected device, block traffic from the source IP address, and update other Fortinet security solutions to prevent future attacks. | |
| #===================================================================== | |
| #ChatGPT | |
| Explain how to use security fabric in fortigate - ChatGPT | |
| The Fortinet Security Fabric is a comprehensive and integrated security platform that connects different Fortinet security solutions together to share threat intelligence and coordinate threat response in real-time. Here's how to use the Security Fabric in FortiGate: | |
| Deploy FortiGate firewalls: Deploy FortiGate firewalls throughout your network to protect against network threats. | |
| Enable Fabric Connectors: Configure Fabric Connectors on your FortiGate firewall to allow it to communicate with other security solutions in your network. | |
| Establish a Security Fabric: Create a Security Fabric by connecting your FortiGate firewall to other Fortinet security solutions, such as FortiAnalyzer, FortiManager, FortiWeb, FortiMail, and FortiSandbox. | |
| Share Threat Intelligence: Enable the sharing of threat intelligence among all connected Fortinet security solutions in the Security Fabric to provide a comprehensive view of network security and to identify and respond to threats more quickly. | |
| Automate Threat Response: Use the Security Fabric's automation capabilities to automate threat response and orchestrate security workflows. For example, when a threat is detected, the Security Fabric can automatically quarantine an infected device, block traffic from the source IP address, and update other Fortinet security solutions to prevent future attacks. | |
| By following these steps, organizations can leverage the Fortinet Security Fabric to improve their security posture and protect against a wide range of network threats. | |
| #===================================================================== | |
| Outbreak Prevention | |
| Enable AntiVirus scanning: Enable AntiVirus scanning for all traffic to detect and block known malware. | |
| Enable IPS signatures: Enable Intrusion Prevention System (IPS) signatures to detect and block network-based attacks, such as buffer overflows and SQL injections. | |
| Enable behavioral analysis: Enable behavioral analysis to detect and block unknown malware by analyzing the behavior of network traffic. | |
| Configure quarantine settings: Configure quarantine settings to specify what to do with malware when it is detected, such as blocking traffic or quarantining infected files. | |
| #===================================================================== | |
| #ChatGPT | |
| Explain how to use outbreak prevention in fortigate. - ChatGPT | |
| Outbreak Prevention is a security feature in Fortinet's FortiGate firewall that helps protect against the spread of malware, such as viruses, worms, and Trojans. It uses a combination of signature-based and behavior-based analysis to detect and prevent the spread of malware across the network. Here's how to use Outbreak Prevention in FortiGate: | |
| Enable Outbreak Prevention: Navigate to the Outbreak Prevention section of the FortiGate firewall's web interface and enable Outbreak Prevention. | |
| Configure Outbreak Prevention settings: Configure the Outbreak Prevention settings to specify which protocols, services, and ports to monitor for malware activity. | |
| Enable AntiVirus scanning: Enable AntiVirus scanning for all traffic to detect and block known malware. | |
| Enable IPS signatures: Enable Intrusion Prevention System (IPS) signatures to detect and block network-based attacks, such as buffer overflows and SQL injections. | |
| Enable behavioral analysis: Enable behavioral analysis to detect and block unknown malware by analyzing the behavior of network traffic. | |
| Configure quarantine settings: Configure quarantine settings to specify what to do with malware when it is detected, such as blocking traffic or quarantining infected files. | |
| By following these steps, organizations can leverage FortiGate's Outbreak Prevention feature to detect and prevent the spread of malware across their network, helping to protect against potential security threats and data breaches. | |
| #===================================================================== | |
| Fortinet's FortiGate firewall supports ZTNA through its implementation of the Secure Access Service Edge (SASE) framework | |
| #===================================================================== | |
| #ChatGPT | |
| Explain how to use ZTNA in fortigate firewall - ChatGPT | |
| Zero Trust Network Access (ZTNA) is a security approach that focuses on providing secure access to resources based on user and device identity, as well as the context of the request. Fortinet's FortiGate firewall supports ZTNA through its implementation of the Secure Access Service Edge (SASE) framework. Here's how to use ZTNA in FortiGate: | |
| Identify the resources that need to be protected: Determine which applications and services need to be secured and who needs access to them. | |
| Create user and device identities: Establish and authenticate user and device identities, and assign appropriate access levels based on predefined policies. | |
| Implement dynamic policy-based access control: Use the FortiGate's dynamic policy-based access control to enforce access controls based on user identity, device identity, and context of the request. | |
| Use multi-factor authentication: Require multi-factor authentication to ensure secure access. | |
| Utilize real-time threat intelligence: Monitor and analyze network traffic in real-time using Fortinet's advanced threat intelligence to detect and respond to potential security threats. | |
| By following these steps, FortiGate users can effectively implement ZTNA to secure their network resources while also enabling secure access for authorized users and devices. | |
| #===================================================================== | |
| RSSO is a feature in FortiGate that enables users to authenticate once and access multiple resources without having to re-authenticate. This feature simplifies the login process for users and helps to improve productivity by reducing the number of times users need to enter their credentials. RSSO works by intercepting authentication requests from different Fortinet products and forwarding them to a FortiGate unit for authentication. Once the user is authenticated, RSSO allows them to access different resources without having to re-enter their credentials. | |
| FortiAuthenticator is an identity management solution that centralizes and simplifies authentication across multiple applications, while RSSO is a feature in FortiGate that simplifies the login process for users by allowing them to authenticate once and access multiple resources. | |
| #===================================================================== | |
| #ChatGPT | |
| Compare Forti Authenticator and RSSO in fortigate. - ChatGPT | |
| FortiAuthenticator and FortiGate's Remote Single Sign-On (RSSO) feature are both authentication and access control solutions offered by Fortinet, but they serve different purposes. | |
| FortiAuthenticator is an authentication and identity management solution that centralizes and simplifies the management of user identities and authentication across different Fortinet products and third-party applications. It provides advanced features such as two-factor authentication, password management, and integration with Active Directory and LDAP servers. FortiAuthenticator is typically deployed as a standalone appliance and integrated with Fortinet products, including FortiGate, FortiWeb, and FortiMail. | |
| On the other hand, RSSO is a feature in FortiGate that enables users to authenticate once and access multiple resources without having to re-authenticate. This feature simplifies the login process for users and helps to improve productivity by reducing the number of times users need to enter their credentials. RSSO works by intercepting authentication requests from different Fortinet products and forwarding them to a FortiGate unit for authentication. Once the user is authenticated, RSSO allows them to access different resources without having to re-enter their credentials. | |
| In summary, FortiAuthenticator is an identity management solution that centralizes and simplifies authentication across multiple applications, while RSSO is a feature in FortiGate that simplifies the login process for users by allowing them to authenticate once and access multiple resources. | |
| #===================================================================== | |
| #ChatGPT | |
| #Explain how to test anti-virus security profile in fortigate 7.2.3. | |
| To test the anti-virus security profile in Fortigate 7.2.3, you can follow these steps: | |
| Create a test policy: | |
| Go to Policy & Objects > IPv4 Policy > Create New. | |
| In the General tab, configure the policy with the source, destination, and service fields. | |
| In the Security Profiles tab, select the profile that includes the anti-virus security profile you want to test. | |
| Enable logging for the policy: | |
| In the Logging Options tab of the policy, select the options you want to enable, such as All Sessions or Security Events. | |
| Test the anti-virus security profile: | |
| Download a virus file from a known source or use an online virus scanner to simulate a virus download. | |
| Check the FortiGate log for the session created by the virus download. | |
| If the file is infected, the log entry should show a message similar to "Virus Detected." | |
| If the file is clean, the log entry should show a message similar to "No Virus Detected." | |
| Check the security profile settings: | |
| If the anti-virus security profile does not work as expected, check the profile settings to ensure they are configured correctly. | |
| Go to Security Profiles > AntiVirus > Profiles, and check the file types, scanning options, and action settings. | |
| If you need to adjust the settings, you can edit the profile and retest the anti-virus security profile. | |
| Troubleshoot the security profile: | |
| If the security profile still does not work as expected, you can use the debug feature to troubleshoot the issue. | |
| Go to System > Config > Features > Debug > AntiVirus > Debug. | |
| In the Debug tab, enter the file name or file hash you want to test, and click Start Debugging. | |
| The debug output should provide more information on why the security profile is not working as expected. | |
| By following these steps, you can test the anti-virus security profile in Fortigate 7.2.3 and ensure that it is configured correctly to protect your network from malware and viruses. | |
| #===================================================================== | |
| #ChatGPT | |
| # list known sources to download a virus file in order to test anti-virus security profile in fortigate 7.2.3 | |
| I'm sorry, but as an AI language model, I cannot provide a list of known sources to download a virus file. Downloading and using virus files can be dangerous and is not recommended. Additionally, accessing and downloading malicious files could violate laws and ethical principles. | |
| Instead, you can use a test file created specifically for this purpose, such as the EICAR test file. The EICAR test file is a harmless file that is designed to be detected as a virus by anti-virus software. You can download the EICAR test file from the official EICAR website (eicar.org). | |
| To test the anti-virus security profile in Fortigate 7.2.3 using the EICAR test file, simply download the file and attempt to transfer it through your Fortigate device. If your anti-virus security profile is properly configured, it should detect the file as a virus and log the event accordingly. | |
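One antivirus profile that covers the Outbreak Prevention notes above and the EICAR-based test of the AntiVirus profile, written as an added example for FortiOS 7.x CLI syntax; it is not configuration from this gist. The interface names internal and wan1, the profile and policy names, and the choice of protocols are assumptions.

```fortios
# Added example: AV profile with signature scanning plus FortiGuard outbreak
# prevention (hash lookups) per protocol, applied on an outbound policy.
# Names and interfaces are assumed values.
config antivirus profile
    edit "av-block-strict"
        set comment "Block known malware and outbreak-prevention hashes"
        config http
            set av-scan block
            set outbreak-prevention block
            set quarantine enable
        end
        config ftp
            set av-scan block
            set outbreak-prevention block
            set quarantine enable
        end
        config smtp
            set av-scan block
            set outbreak-prevention block
            set quarantine enable
        end
    next
end
config firewall policy
    edit 0
        set name "outbound-av-inspected"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "FTP" "SMTP"
        set utm-status enable
        set inspection-mode proxy
        set av-profile "av-block-strict"
        set ssl-ssh-profile "deep-inspection"
        set nat enable
        set logtraffic all
    next
end
# After downloading the EICAR test file through the policy, pull the virus
# category (2) of the local log to see the detection event.
execute log filter reset
execute log filter category 2
execute log display
```

Two points decide whether the EICAR test passes. First, the SSL/SSH profile: `certificate-inspection` (used on the policy in the earlier part of this gist) only sees the server certificate and never the file body, so an EICAR download over HTTPS is not scanned unless the policy uses a deep-inspection profile and the clients trust the FortiGate's resigning CA; test over plain HTTP first to separate AV problems from TLS problems. Second, `set quarantine enable` only stores files when the unit has a log disk or a FortiAnalyzer to receive them, which ties back to the "Log hard disk" check later in this gist.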
| #===================================================================== | |
| #ChatGPT | |
| #Explain how to use access control lists (ACLs) in fortigate | |
| Access Control Lists (ACLs) in FortiGate are used to define policies that allow or deny traffic based on various criteria, such as source and destination IP addresses, protocol types, and port numbers. ACLs can be created for both inbound and outbound traffic and can be applied to specific interfaces or globally across the FortiGate device. | |
| Here are the steps to use ACLs in FortiGate: | |
| Log in to the FortiGate web interface and go to Policy & Objects > IPv4 Policy. | |
| Click the Create New button to create a new ACL policy. | |
| In the General section, give the policy a name and select the desired direction of traffic (inbound or outbound). | |
| In the Source section, select the source address or address group for the traffic that you want to allow or deny. | |
| In the Destination section, select the destination address or address group for the traffic that you want to allow or deny. | |
| In the Service section, select the desired protocol type and port number. You can choose from predefined services or create a custom service for a specific port or protocol. | |
| In the Action section, select Allow or Deny to permit or block traffic that meets the criteria defined in the policy. | |
| If desired, configure any additional options in the remaining sections, such as logging or security profiles. | |
| Click the OK button to save the policy. | |
| To apply the ACL policy to a specific interface, go to Network > Interfaces and select the interface you want to apply the policy to. In the Security Policy section, select the newly created ACL policy from the list of available policies. | |
| Alternatively, you can apply the ACL policy globally by going to Policy & Objects > Policy > Policy and selecting the newly created policy from the list of available policies. | |
| By using ACLs in FortiGate, you can create policies that control the flow of traffic in and out of your network. This can help you to enforce security policies and protect against malicious traffic. | |
| #===================================================================== | |
| #Explain Zone structure in fortigate, ChatGPT | |
| Fortinet's FortiGate firewall devices use a zone-based architecture to control network traffic flow between different security | |
| domains, such as LAN, WAN, DMZ, or VPNs. The zone structure allows for granular control over network traffic by grouping | |
| interfaces and networks into logical zones and applying security policies between them. | |
| Here is an explanation of the different components of the zone structure in FortiGate: | |
| Zones: A zone is a logical grouping of interfaces and networks that share similar security policies. Each zone is | |
| given a name and a unique identifier. | |
| Interfaces: An interface is a physical or virtual network connection on the FortiGate device. Each interface is | |
| assigned to a zone, and it can be a member of multiple zones. | |
| Policies: A policy is a set of rules that dictate how traffic is allowed or blocked between different zones. | |
| Policies are created and applied between two zones, and they can be based on a variety of criteria, such as source and | |
| destination IP addresses, ports, protocols, and applications. | |
| Objects: An object is a reusable configuration item that can be referenced in multiple policies. Objects can be IP addresses, | |
| networks, services, and applications. | |
| By using the zone structure, FortiGate administrators can easily manage and secure traffic flow between different security | |
| domains. For example, traffic from the internet to the DMZ zone can be restricted to only allow traffic on specific ports | |
| or protocols, while traffic between the LAN and DMZ zones can be allowed based on more permissive policies. This granular | |
| control over traffic flow helps to prevent unauthorized access and data breaches. | |
| #===================================================================== | |
| #Explain DMZ, TRUST, and UNTRUST zones in fortigate, ChatGPT | |
| DMZ, TRUST, and UNTRUST are three common network zones in FortiGate that are used to enforce security policies and control | |
| network traffic flow. | |
| DMZ Zone: DMZ stands for Demilitarized Zone, which is a network zone that is located between the internal and external | |
| networks and is designed to host servers and services that are publicly accessible, such as web servers, email servers, | |
| and FTP servers. The DMZ zone is isolated from the internal network and has limited access to the external network. | |
| By placing publicly accessible servers in the DMZ, you can minimize the risk of a security breach and prevent attackers | |
| from gaining access to your internal network. | |
| TRUST Zone: The TRUST zone is the network zone that contains trusted network devices, such as internal servers, workstations, | |
| and printers. The TRUST zone is usually located behind the firewall and is protected from external threats by the | |
| firewall's security policies. By controlling access to the TRUST zone, you can ensure that only authorized devices and | |
| users can access the network resources. | |
| UNTRUST Zone: The UNTRUST zone is the network zone that contains untrusted network devices, such as the Internet, | |
| external servers, and external users. The UNTRUST zone is usually located outside the firewall and is separated from | |
| the TRUST zone by the firewall's security policies. By controlling access to the UNTRUST zone, you can prevent | |
| external threats from accessing the network resources and protect the TRUST zone from unauthorized access. | |
| In summary, DMZ, TRUST, and UNTRUST are three common network zones in FortiGate that are used to enforce security policies | |
| and control network traffic flow. The DMZ zone is used to host publicly accessible servers and services, the TRUST zone is | |
| used to contain trusted network devices, and the UNTRUST zone is used to contain untrusted network devices. By configuring | |
| the firewall's security policies to control access to these zones, you can ensure that only authorized devices and users can | |
| access the network resources and prevent external threats from gaining access to the network. | |
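The zone structure from the two explanations above (zones, interfaces, policies, objects, and the DMZ/TRUST/UNTRUST layout) as one worked configuration. This is an added example, not configuration from the gist; port names, the 192.168.20.10 server address and the policy names are assumptions, and the zone names mirror the TRUST and UNTRUST interface names used earlier in this gist.

```fortios
# Added example: three zones, one object, and two inter-zone policies.
# Port names, addresses and policy names are assumed values.
config system zone
    edit "TRUST"
        set intrazone deny
        set interface "port2" "port3"
    next
    edit "DMZ"
        set intrazone deny
        set interface "port4"
    next
    edit "UNTRUST"
        set intrazone deny
        set interface "wan1"
    next
end
config firewall address
    edit "dmz-web-server"
        set subnet 192.168.20.10 255.255.255.255
    next
end
# Policies are written between zones, not between ports, so adding a second
# DMZ port later does not require touching any policy.
config firewall policy
    edit 0
        set name "untrust-to-dmz-web"
        set srcintf "UNTRUST"
        set dstintf "DMZ"
        set srcaddr "all"
        set dstaddr "dmz-web-server"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 0
        set name "trust-to-dmz-admin"
        set srcintf "TRUST"
        set dstintf "DMZ"
        set srcaddr "all"
        set dstaddr "dmz-web-server"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
        set logtraffic all
    next
end
```

Two caveats a practitioner runs into here. FortiOS lets a physical or VLAN interface belong to only one zone, and an interface already referenced by a policy cannot be moved into a zone until that reference is removed, so the grouping is easier to plan before policies exist. `set intrazone deny` forces traffic between two ports of the same zone (for example two TRUST segments) through an explicit policy; with the default `allow` it passes uninspected. There is deliberately no DMZ-to-TRUST policy, so a compromised DMZ host hits the implicit deny when it tries to reach the inside. If the DMZ server uses a private address behind a public one, the destination would be a VIP object as in the DNAT note earlier in this gist.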
| #===================================================================== | |
| #Explain when I need to choose transparent mode over NAT/Route mode in fortigate, ChatGPT | |
| Network Security: If you want to monitor or protect the traffic passing through your network without modifying the source | |
| or destination IP addresses, then Transparent mode can be a good choice. This is because in Transparent mode, the FortiGate | |
| device does not modify the IP addresses of the packets passing through it, making it easier to enforce security policies | |
| and apply security features like antivirus scanning, intrusion prevention, and content filtering. | |
| Network Design: If you have an existing network that uses VLANs, and you want to connect these VLANs to a firewall to | |
| apply security policies without changing the existing IP addressing scheme, then Transparent mode can be a good choice. | |
| This is because in Transparent mode, the FortiGate device operates as a bridge between the VLANs, allowing you to apply | |
| security policies to the traffic without changing the VLANs' IP addressing scheme. | |
| Network Performance: If you want to minimize latency and maximize network performance, then Transparent mode can be a good | |
| choice. This is because in Transparent mode, the FortiGate device operates at Layer 2, allowing packets to pass through | |
| the device without being processed by the firewall's routing and NAT functions, resulting in lower latency and faster | |
| network performance. | |
| In summary, Transparent mode in FortiGate is a good choice when you want to monitor or protect traffic passing through | |
| your network, maintain an existing IP addressing scheme, connect VLANs to a firewall, or minimize network latency and | |
| maximize performance. | |
| #===================================================================== | |
| #Explain when I need to choose NAT/Route mode over transparent mode in fortigate, ChatGPT | |
| Network Address Translation (NAT): If you need to translate the IP addresses of packets passing through the firewall, | |
| then NAT/Route mode is necessary. NAT/Route mode allows you to translate the source and/or destination IP addresses of | |
| packets passing through the firewall, which can be useful for connecting private networks to the Internet or for routing | |
| traffic between different networks with overlapping IP addresses. | |
| Network Design: If you are designing a new network or redesigning an existing network, and you need to implement routing | |
| and gateway functionality, then NAT/Route mode is necessary. NAT/Route mode allows you to configure static or dynamic | |
| routing protocols, implement Quality of Service (QoS), and control traffic flow between different networks. | |
| Network Management: If you need to manage your network devices with centralized management tools like FortiManager or | |
| FortiCloud, then NAT/Route mode is necessary. FortiManager and FortiCloud are designed to manage FortiGate devices running | |
| in NAT/Route mode, allowing you to automate network configuration, monitor network activity, and streamline network | |
| management. | |
| In summary, NAT/Route mode in FortiGate is a good choice when you need to translate IP addresses, implement routing and | |
| gateway functionality, or manage your network devices with centralized management tools. | |
| #===================================================================== | |
| #VLAN | |
| Virtual local area networks (VLANs) multiply the capabilities of your FortiGate and can also provide added network security. | |
| VLANs use ID tags to logically separate devices on a network into smaller broadcast domains. | |
| These smaller domains forward packets only to devices that are part of that VLAN domain. | |
| This reduces traffic and increases network security. | |
| #VLANs in NAT mode | |
| In NAT mode, the FortiGate unit functions as a layer-3 device. | |
| The FortiGate unit controls the flow of packets between VLANs and can also remove VLAN tags from incoming VLAN packets. | |
| The FortiGate unit can also forward untagged packets to other networks such as the Internet. | |
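The NAT-mode VLAN notes above as a worked configuration: two 802.1Q sub-interfaces on one physical port, with the FortiGate routing between them only where a policy allows it. This is an added example and not configuration from the gist; the parent port port2, the VLAN IDs 100 and 200, the addressing and the names are assumptions.

```fortios
# Added example: two tagged VLAN interfaces on port2 and one inter-VLAN policy.
# Parent port, VLAN IDs, addresses and names are assumed values.
config system interface
    edit "vlan100-users"
        set vdom "root"
        set ip 10.100.0.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "port2"
        set vlanid 100
    next
    edit "vlan200-servers"
        set vdom "root"
        set ip 10.200.0.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "port2"
        set vlanid 200
    next
end
# In NAT mode the FortiGate is the layer-3 hop between the VLANs, so without
# this policy the implicit deny drops users-to-servers traffic.
config firewall policy
    edit 0
        set name "users-to-servers"
        set srcintf "vlan100-users"
        set dstintf "vlan200-servers"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS" "DNS"
        set logtraffic all
    next
end
```

The FortiGate strips the 802.1Q tag when it routes a packet off a VLAN interface and re-tags it with the destination VLAN's ID, which is the "remove VLAN tags" behaviour the note describes. Keep `set allowaccess` to the minimum each segment needs (here only ping); a management protocol enabled on a user-facing VLAN interface is a common way the firewall's own admin surface ends up reachable from the wrong segment.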
| #===================================================================== | |
| CLI Console # open it from the top right of the GUI by clicking the ">_" icon | |
| #===================================================================== | |
| ctrl+C #stop running command | |
| #===================================================================== | |
| # Troubleshooting 7.2.3 https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/244292/troubleshooting | |
| #===================================================================== | |
| Dashboard > Status > System > Mode # verify the mode of fortigate | |
| #===================================================================== | |
| # When FortiGate is set to transparent mode, it acts like a bridge and sends all incoming traffic out on the other interfaces. | |
| # Each bridge is a link between interfaces | |
| diagnose netlink brctl list #view the list of bridge instances | |
| diagnose netlink brctl domain <name> <id> #display the forward domains information | |
| diagnose netlink brctl name host <name> #list the existing bridge MAC table | |
| diagnose netlink brctl name port <name> # list the existing bridge port list | |
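Switching a unit into transparent mode and then verifying it with the `diagnose netlink brctl` commands listed above, written as an added example for the transparent-mode discussion earlier in this gist; it is not a procedure from the gist itself. The management address 192.168.1.99/24 and gateway 192.168.1.1 are assumptions.

```fortios
# Added example: move to transparent mode with a management address.
# Addresses are assumed values. Run this from the console, after a backup:
# changing opmode clears interface IPs and routes.
config system settings
    set opmode transparent
    set manageip 192.168.1.99/24
    set gateway 192.168.1.1
end
# Verify the mode, then inspect the bridge the unit now forwards through.
get system status
diagnose netlink brctl list
diagnose netlink brctl name host root.b
diagnose netlink brctl name port root.b
```

`get system status` reports `Operation Mode: Transparent` once the change has applied. The bridge name used above, root.b, is what a non-VDOM unit names its bridge in practice; take the actual name from `diagnose netlink brctl list` rather than assuming it. Transparent mode does not mean everything is forwarded: firewall policies with `srcintf`/`dstintf` are still required between the bridged interfaces, and the MAC table from `brctl name host` is the first place to look when a host behind the bridge is unreachable.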
| #===================================================================== | |
| #check whether a log disk is attached (e.g. a FortiOS 6.4.4 unit without an HDD) | |
| Log & Report > Log Settings, or in the CLI console run "get sys stat" (short for "get system status") and read the "Log hard disk" line | |
| #===================================================================== | |
| #download FortiGate configuration file & Debug log from GUI | |
| Admin -> Configuration -> Backup, choose 'Local PC' under 'Backup to' and select 'OK' | |
| System -> Settings -> Debug Logs and select the 'Download' button | |
| #===================================================================== | |
| #increase the timeout duration Web GUI v7.2.3 | |
| System > Admin > Settings > Idle timeout | |
| #===================================================================== | |
| logid="0100032102" | |
| Log Description="Configuration changed" | |
| Log & Report > System events > General System Events | |
| #===================================================================== | |
| Log ID 0100022222 | |
| Log Description Threat feed loaded | |
| Log ID 0100022220 | |
| Log Description Threat feed updated | |
| Log & Report > System events > General System Events | |
| #===================================================================== | |
| #Save the debugging using Putty Logging | |
| Session > Logging > All session output > Log File name > save the file as *.log | |
| #Save the debugging using mremoteNG | |
| Tools -> Options - > Advanced -> To configure Putty Sessions -> Session -> Load Default Settings -> | |
| Tools -> Options - > Advanced -> To configure Putty Sessions -> Session -> Logging -> All session output -> Log file name "C:\tmp" | |
| Tools -> Options - > Advanced -> To configure Putty Sessions -> Session -> Save to Default Settings -> Close | |
| #===================================================================== | |
| Network Layer Troubleshooting | |
| FortiGate can contact some hosts through port1, but not others. Is the problem in the physical layer or the link layer? Neither. | |
| Connectivity has been proven with at least part of the network. | |
| Instead, check the network layer. As usual, start with ping and traceroute. | |
| To test from FortiGate (to FortiAnalyzer or FortiGuard, for example), use the FortiGate execute ping and execute traceroute CLI commands. | |
| To test the path through FortiGate, also use ping and tracert or traceroute from the endpoint (the Windows, Linux, or Mac OS X computer), not only from the FortiGate CLI. | |
| Because of NAT and routing, you might need to specify a different ping source IP address; | |
| the default source is the IP of the outgoing interface. If there is no response, | |
| verify that the target is configured to reply to ICMP echo requests. | |
| execute ping 8.8.8.8 | |
| # execute ping-options | |
| adaptive-ping Adaptive ping <enable|disable>. | |
| data-size Integer value to specify datagram size in bytes. | |
| df-bit Set DF bit in IP header <yes | no>. | |
| interface Auto | <outgoing interface>. | |
| interval Integer value to specify seconds between two pings. | |
| pattern Hex format of pattern, e.g. 00ffaabb. | |
| repeat-count Integer value to specify how many times to repeat PING. | |
| execute ping-options view | |
| execute ping-options source 192.168.1.4 | |
| execute traceroute 8.8.8.8 | |
| execute telnet targethost | |
| #===================================================================== | |
| troubleshoot Layer 3 issues | |
| Why these commands are relevant for Layer 3 troubleshooting: | |
| 1. execute ping: | |
| Tests basic IP reachability between the FortiGate and a target device and confirms that Layer 3 communication works. | |
| Helps isolate whether the issue lies within the local network or beyond it. | |
| 2. execute traceroute: | |
| Traces the path packets take to reach a destination, identifying each hop along the way. | |
| Reveals routing problems or latency at different network segments and pinpoints the hop where the path breaks. | |
| 3. get system arp: | |
| Displays the FortiGate's Address Resolution Protocol (ARP) table, which maps IP addresses to MAC addresses. | |
| Verifies Layer 3 to Layer 2 address resolution on the local segment: a missing or wrong entry for the next hop explains why a route that looks correct still drops traffic. | |
| Also useful when checking for ARP spoofing/poisoning or stale entries. | |
| #===================================================================== | |
| show the MAC address (Current_HWaddr / Permanent_HWaddr), link state and counters of an interface; without a name the command lists the NICs | |
| diag hardware deviceinfo nic <interface-name> | |
| #===================================================================== | |
| # diagnose sys session list #Show Session Table | |
| # diagnose sys session clear # clear filtered sessions (or all sessions, if no session filter is set) | |
| # diagnose sys session filter <options> # set up a session filter | |
| FGT # diagnose sys session filter #see the current filter settings | |
| # filter matching a source IP and a destination port | |
| FGT# diagnose sys session filter src 10.160.0.1 | |
| FGT# diagnose sys session filter dport 80 | |
| FGT# diagnose sys session filter | |
| # filter matching a range of source IP and a range of destination port | |
| FGT# diagnose sys session filter src 10.160.0.1 10.160.0.10 | |
| FGT# diagnose sys session filter dport 80 888 | |
| FGT# diagnose sys session filter | |
| FGT # diagnose sys session clear | |
| #===================================================================== | |
| # diagnose sys session filter dst 10.200.1.254 | |
| # diag sys session filter dport 80 | |
| # diag sys session list | |
| session info: proto=6 proto_state=05 duration=2 expire=78 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3 | |
| origin-shaper= | |
| reply-shaper= | |
| per_ip_shaper | |
| class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 | |
| state=may_dirty | |
| statistic(bytes/packets/allow_err): org=538/6/1 reply=5407/6/0 tuples=2 | |
| tx speed(Bps/kbps): 5/0 rx speed(Bps/kbps): 2/0 | |
| orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=10.200.1.254/10.0.1.10 | |
| hook=post dir=org act=snat 10.0.1.10:64624->10.200.1.254:80(10.200.1.1:64624) | |
| hook=pre dir=reply act=dnat 10.200.1.254:80->10.200.1.1:64624(10.0.1.10:64624) | |
| pos/(before,after) 0/(0,0), 0/(0,0) | |
| misc=0 | |
| policy_id=1 auth_info=0 chk_client_info=0 vd=0 | |
| #timeout= is the session TTL: how long FortiGate can go without receiving a packet for this session | |
| #before it removes the session from its table; expire= is the TTL remaining at the time of the dump | |
| timeout=3600 | |
| The firewall policy ID that accepted the session is tracked | |
| policy_id=1 | |
| TCP states (second digit of proto_state for proto=6): 0 NONE, 1 ESTABLISHED, 2 SYN_SENT, 3 SYN & SYN/ACK, 4 FIN_WAIT, 5 TIME_WAIT, 6 CLOSE, 7 CLOSE_WAIT, 8 LAST_ACK, 9 LISTEN | |
| proto_state=05 | |
| ICMP has no state | |
| proto_state is always 00 | |
| #===================================================================== | |
| #the FortiGate is a stateful firewall (keeps the track of both directions of the session) | |
| #https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-session-table-information/ta-p/196988?externalID=FD30042 | |
| a) ICMP (proto 1). | |
| b) TCP (proto 6) | |
| #===================================================================== | |
| Example of session table entry: | |
| session info: proto=6 proto_state=01 duration=142250 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4 | |
| origin-shaper= | |
| reply-shaper= | |
| per_ip_shaper= | |
| class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=rsh vlan_cos=255/255 | |
| state=local | |
| statistic(bytes/packets/allow_err): org=9376719/61304/1 reply=3930213/32743/1 tuples=2 | |
| tx speed(Bps/kbps): 65/0 rx speed(Bps/kbps): 27/0 | |
| orgin->sink: org out->post, reply pre->in dev=13->0/0->13 gwy=0.0.0.0/10.5.27.238 | |
| hook=out dir=org act=noop 10.5.27.238:16844->173.243.132.165:514(0.0.0.0:0) | |
| hook=in dir=reply act=noop 173.243.132.165:514->10.5.27.238:16844(0.0.0.0:0) | |
| pos/(before,after) 0/(0,0), 0/(0,0) | |
| misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0 | |
| serial=0161f3cf tos=ff/ff app_list=0 app=0 url_cat=0 | |
| rpdb_link_id = 00000000 | |
| dd_type=0 dd_mode=0 | |
| proto: protocol number | |
| proto_state: state of the session (depending on protocol) | |
| ICMP (proto 1). | |
| Note: There are no states for ICMP. It always shows proto_state=00. | |
| TCP (proto 6). | |
| Note: proto_state is a 2-digit number because the FortiGate is a stateful firewall (keeps track of both directions of the session); read it as proto_state=OR, where O is the original-direction digit and R the reply-direction digit. | |
| For example, when FortiGate receives the SYN packet, the second digit is 2. It changes to 3 when the SYN/ACK packet is received. After the three-way handshake completes, it changes to 1 (ESTABLISHED). | |
| https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-session-table-information/ta-p/196988?externalId=FD30042 | |
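| An added worked example, not FortiOS code and not part of this cheat sheet: it parses the two session entries printed above and applies the rules described there (the TCP state digit of proto_state, timeout/expire as the session TTL, the tracked policy_id, and the act=snat/dnat hook lines), and filter_sessions() mirrors diagnose sys session filter dst/dport on the parsed data. The helper names are my own; the sample text is the page's own output with the shaper/speed lines omitted. | |

```python
"""Parse 'diagnose sys session list' output into structured records.

Added example for this cheat sheet, not FortiOS code. SAMPLE holds the two
session entries shown on the page (shaper/speed lines dropped) so it runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Second digit of proto_state for TCP (proto 6). ICMP (proto 1) has no state (always 00).
TCP_STATES = {0: "NONE", 1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN & SYN/ACK", 4: "FIN_WAIT",
              5: "TIME_WAIT", 6: "CLOSE", 7: "CLOSE_WAIT", 8: "LAST_ACK", 9: "LISTEN"}

SAMPLE = """\
session info: proto=6 proto_state=05 duration=2 expire=78 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=538/6/1 reply=5407/6/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=10.200.1.254/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:64624->10.200.1.254:80(10.200.1.1:64624)
hook=pre dir=reply act=dnat 10.200.1.254:80->10.200.1.1:64624(10.0.1.10:64624)
misc=0
policy_id=1 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=142250 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=rsh vlan_cos=255/255
state=local
statistic(bytes/packets/allow_err): org=9376719/61304/1 reply=3930213/32743/1 tuples=2
orgin->sink: org out->post, reply pre->in dev=13->0/0->13 gwy=0.0.0.0/10.5.27.238
hook=out dir=org act=noop 10.5.27.238:16844->173.243.132.165:514(0.0.0.0:0)
hook=in dir=reply act=noop 173.243.132.165:514->10.5.27.238:16844(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0161f3cf tos=ff/ff app_list=0 app=0 url_cat=0
"""

# hook=<hook> dir=<org|reply> act=<snat|dnat|noop> src:sport->dst:dport(translated_ip:translated_port)
HOOK_RE = re.compile(r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
                     r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
                     r"\((?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\)")
KV_RE = re.compile(r"(\w+)=(\S*)")   # generic key=value pairs on every other line


@dataclass
class Session:
    proto: int
    proto_state: str
    timeout: int      # session TTL: idle seconds before FortiGate removes the entry
    expire: int       # seconds of that TTL still left when the table was dumped
    policy_id: int    # firewall policy that accepted the session
    vd: int
    directions: Dict[str, Dict[str, str]] = field(default_factory=dict)  # "org"/"reply" -> hook fields

    @property
    def tcp_state(self) -> Optional[str]:
        """Decode the second digit of proto_state for TCP; other protocols carry no state."""
        return TCP_STATES[int(self.proto_state[-1])] if self.proto == 6 else None

    def nat_summary(self) -> str:
        """Describe the NAT applied on the original direction (act=snat / dnat / noop)."""
        org = self.directions.get("org")
        if org is None or org["act"] == "noop":
            return "no NAT"
        translated = f"{org['nat_ip']}:{org['nat_port']}"
        if org["act"] == "snat":
            return f"SNAT {org['src']}:{org['sport']} -> {translated}"
        return f"{org['act'].upper()} {org['dst']}:{org['dport']} -> {translated}"


def parse_sessions(text: str) -> List[Session]:
    """Split the dump on 'session info:' and parse each entry."""
    sessions = []
    for chunk in re.split(r"(?m)^session info:", text)[1:]:
        kv: Dict[str, str] = {}
        directions: Dict[str, Dict[str, str]] = {}
        for line in chunk.splitlines():
            hook = HOOK_RE.search(line)
            if hook:
                directions[hook["dir"]] = hook.groupdict()
                continue
            kv.update(KV_RE.findall(line))
        sessions.append(Session(int(kv["proto"]), kv["proto_state"], int(kv["timeout"]),
                                int(kv["expire"]), int(kv["policy_id"]), int(kv["vd"]), directions))
    return sessions


def filter_sessions(sessions: List[Session], dst: Optional[str] = None, dport=None) -> List[Session]:
    """Mirror 'diagnose sys session filter dst <ip>' and 'dport <port> [<port>]' on the original direction.
    dport is a single port or a (low, high) range; None matches any port."""
    lo, hi = (0, 65535) if dport is None else ((dport, dport) if isinstance(dport, int) else dport)
    matched = []
    for s in sessions:
        org = s.directions.get("org")
        if org is None or (dst is not None and org["dst"] != dst):
            continue
        if lo <= int(org["dport"]) <= hi:
            matched.append(s)
    return matched


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        o = s.directions["org"]
        print(f"policy {s.policy_id} {o['src']}:{o['sport']}->{o['dst']}:{o['dport']} "
              f"state={s.tcp_state} ttl={s.expire}/{s.timeout}s nat={s.nat_summary()}")
```

| Feed it the saved output of diagnose sys session list (for example the PuTTY log from the section above) to get a per-session view of state, remaining TTL, policy and NAT without reading the raw dump by eye. | |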
| #===================================================================== | |
| # diag debug crashlog read #list crash logs | |
| # diag debug crashlog clear | |
| #===================================================================== | |
| #list of interfaces | |
| get sys int phy | |
| get sys int | |
| config system interface #Show network interface configuration: | |
| diagnose hardware deviceinfo nic #Show all nics | |
| diagnose hardware deviceinfo nic dmz #Show all info for specific nic | |
| runs the hardware tests from FortiOS. The hardware tests require user interaction while running | |
| diagnose hardware test suite all | |
| #===================================================================== | |
| get router info ospf status #OSPF process status | |
| get router info ospf neighbor all #neighbor status (neighbors have state up/down) | |
| execute router clear ospf process #restart the OSPF process (clears all OSPF entries) | |
| diagnose sniffer packet any 'proto 89' 4 #trace / sniff OSPF packets | |
| #Debug OSPF (enable debug output; stop it with diagnose debug disable, then diagnose debug reset) | |
| diagnose ip router ospf all enable | |
| diagnose ip router ospf level info | |
| diagnose debug enable | |
| #===================================================================== | |
| #Set certificate for admin interface | |
| config system global | |
| set admin-server-cert certname | |
| end | |
| #===================================================================== | |
| get ipsec tunnel list #Show ipsec tunnels | |
| #===================================================================== | |
| #Country based limitation firewall policies | |
| Policy & Objects > Addresses > Type > Geography | |
| #===================================================================== | |
| #https://community.fortinet.com/t5/FortiGate/Technical-Tip-Commands-to-verify-GeoIP-information-and/ta-p/190341 | |
| execute update-geo-ip #update the geo ip | |
| Use the below command to know the current FortiGuard IP Geography DB version in the FortiGate. | |
| # diagnose autoupdate versions | grep -A5 Geo | |
| diagnose firewall ipgeo ip2country x.x.x.x <----- IP. | |
| diagnose firewall ipgeo country-list | |
| diagnose firewall ipgeo ip-list all Show Geo IP IPv4 address list | |
| identify the complete Geo-location of a specific IP address from FortiGuard IP Geography DB. | |
| This will initiate a query to FortiGuard and will provide added information under city/continent/country/subdivision/location/postal categories. | |
| #diagnose geoip geoip-query <public ip> | |
| identify the physical and registered locations of the Public IP as well and if the type is anycast. | |
| This will query the "local" GeoIP database (local is Fortiguard provided DB + geoip-override [more on that below] | |
| or if there are no communication to FortiGuard, this is the DB included from the firmware + geoip-override). | |
| # diagnose geoip ip2country <public ip> | |
| below command to do a look up of the physical-location (the actual geographic location | |
| where the person using the IP is located) and registered-location (where the IP address is registered) of the Public IP : | |
| # diagnose firewall ipgeo ip2country x.x.x.x | |
| Use the below command to know the IPs or IP ranges belonging to a specific country. This will query the "local" GeoIP database. | |
| Note that IPv4 ranges are returned; use the keyword "iprange6" for IPv6. The country name must start with a capital letter and spaces must be escaped with a backslash ("\"). | |
| # diagnose geoip iprange Canada | |
| # diagnose geoip iprange United\ States | |
| # diagnose geoip iprange Brunei\ Darussalam | |
| Use the below command to know the IPs or IP ranges belonging to a specific country. This will query the "local" GeoIP database. | |
| # diagnose firewall ipgeo ip-list <country 2 letter code> | |
| Use the below command to see the simplified list of the 2 letters country code (mostly based on ISO 3166). | |
| # diagnose firewall ipgeo country-list | |
| Use the below command to see the IPs or IP ranges overriding the GeoIP database. | |
| # diagnose firewall ipgeo override | |
| To move a specific IP or range to a different Geo-location in FortiGate, follow the below steps. Note this will create an override that is local to the FortiGate and have priority over the GeoIP database corresponding entry (if any). The override will apply to both the physical and the registered locations. | |
| Example 1: Address is overridden and moved from Canada to India | |
| # diagnose geoip ip2country 208.91.112.52 | |
| 208.91.112.52-Canada, is not anycast IP. | |
| # config system geoip-override | |
| edit India | |
| config ip-range | |
| edit 1 | |
| set start-ip 208.91.112.52 | |
| set end-ip 208.91.112.52 | |
| next | |
| end | |
| next | |
| end | |
| # diagnose firewall ipgeo override | |
| Location: India, code: A0 (ip-ranges 1) (ip6-ranges 0) | |
| ip-range 1: 208.91.112.52 - 208.91.112.52 | |
| # diagnose geoip iprange India | grep 208.91.112.52 | |
| 208.91.112.52 -- 208.91.112.52 | |
| # diagnose firewall ipgeo ip-list IN | grep 208.91.112.52 | |
| 208.91.112.52 - 208.91.112.52 | |
| #===================================================================== | |
| #Bard | |
| List all interfaces (configuration view): | |
| show system interface | |
| The output shows the configuration of every interface on the FortiGate (IP/netmask, allowaccess, type, role, ...). | |
| Show a specific interface: | |
| show system interface <interface-name> | |
| view the port3 interface configuration (show full-configuration also prints the values left at their defaults) | |
| show system interface port3 | |
| show full-configuration system interface port3 | |
| #Bing | |
| To list interfaces with their status on FortiOS 7.2.5: | |
| get system interface | |
| Show a specific interface: | |
| get system interface <interface-name> | |
| #===================================================================== | |
| A static route takes either an IP/netmask (set dst) or a named firewall address object (set dstaddr), and that address object can be of type FQDN; these are address objects, not service objects. The routing table never displays the FQDN: get router info routing-table all lists the resolved IP address(es) as /32 static routes, because FortiGate only installs the route once its own DNS has resolved the name. | |
| Complete example, assuming a static route that uses an FQDN: | |
| Scenario: a web server with the FQDN "accounting.yourcompany.com" on a remote network, and traffic to it must go through a specific gateway. | |
| Static Route Configuration: | |
| Create a firewall address of type FQDN: | |
| config firewall address | |
| edit "accounting.yourcompany.com" | |
| set type fqdn | |
| set fqdn "accounting.yourcompany.com" | |
| next | |
| end | |
| Configure the static route with the address object as destination: | |
| config router static | |
| edit 10 | |
| set dstaddr "accounting.yourcompany.com" | |
| set gateway 10.0.1.254 | |
| set device "wan1" | |
| next | |
| end | |
| Explanation: | |
| The address object holds the FQDN; FortiGate resolves it with its configured DNS servers and refreshes the result according to the record's TTL (diagnose firewall fqdn list shows the current resolution). | |
| The static route references the address object by name (set dstaddr), not the IP, so the route follows the DNS answer. | |
| When you run get router info routing-table all, the resolved IP address (obtained through DNS) is displayed instead of the FQDN, as a static /32 route; if the name does not resolve, no route is installed. | |
| Sample Output (format, with the resolved address as a placeholder): | |
| S* 0.0.0.0/0 [10/0] via 10.0.1.254, wan1 | |
| ... other routes ... | |
| S <resolved-ip>/32 [10/0] via 10.0.1.254, wan1 | |
| Here the static route appears with the resolved IP as its destination, not the FQDN. | |
| #===================================================================== | |
| #chatgpt | |
| FGT1# get router info routing-table all | |
| The command get router info routing-table all on FortiOS 7.2 retrieves and displays the routing table information for all Virtual Routing and Forwarding (VRF) instances on the FortiGate device. Let's break down the output step by step to understand what each line represents. | |
| Command Explanation | |
| Command: | |
| plaintext | |
| FGT1# get router info routing-table all | |
| This command is executed on a FortiGate device and it retrieves the routing table information for all VRFs. | |
| Output Explanation | |
| Output: | |
| plaintext | |
| Routing table for VRF-0 | |
| This indicates that the routing table information being displayed is for VRF-0, the default VRF instance. | |
| Routing Table Entries | |
| Each line in the routing table provides specific information about a route: | |
| Route Type: | |
| S: Static route | |
| C: Connected route | |
| Destination Network: | |
| This specifies the network address and subnet mask of the destination network. | |
| Administrative Distance / Metric: | |
| These values are used to determine the priority of the route. | |
| Next-Hop IP Address and Interface: | |
| The IP address of the next-hop router and the interface used to reach this network. | |
| Additional Metrics: | |
| Further metrics for more specific routing decisions. | |
| Detailed Output Breakdown | |
| Example Entry: | |
| plaintext | |
| S 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0] | |
| S: Static route | |
| 0.0.0.0/0: Default route (matches all IP addresses) | |
| [10/0]: Administrative distance (10) / Metric (0) | |
| via 172.20.121.2: Next-hop IP address | |
| port1: Interface to use | |
| [1/0]: Additional per-route values (priority/weight); not the distance and metric, which are the bracket before the next hop | |
| Connected Routes: | |
| plaintext | |
| C 172.20.121.0/24 is directly connected, port1 | |
| C 172.20.168.0/24 is directly connected, port2 | |
| C 172.20.167.0/24 is directly connected, port3 | |
| C: Connected route | |
| 172.20.121.0/24: Directly connected network on port1 | |
| 172.20.168.0/24: Directly connected network on port2 | |
| 172.20.167.0/24: Directly connected network on port3 | |
| Static Routes: | |
| plaintext | |
| S 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0] | |
| S 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0] | |
| S 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0] | |
| S: Static route | |
| 10.20.30.0/26, 10.20.30.0/24, 10.30.20.0/24: Destination networks | |
| [10/0]: Administrative distance (10) / Metric (0) | |
| via 172.20.168.254, 172.20.167.254, 172.20.121.2: Next-hop IP addresses | |
| port2, port3, port1: Interfaces to use | |
| [1/0]: Additional metric values | |
| Summary | |
| S (Static routes) and C (Connected routes) indicate the type of route. | |
| The destination network and subnet mask follow, showing the network this route applies to. | |
| The [AD/Metric] values show the administrative distance and metric used to prioritize routes. | |
| via [IP] and port[#] indicate the next-hop IP address and the interface through which the network is reachable. | |
| [Additional metrics] provide further details for more specific routing decisions. | |
| This command and its output help network administrators understand how traffic will be routed through the FortiGate device, providing crucial information for troubleshooting and network design. | |
| #===================================================================== | |
| #gemini | |
| FGT1# get router info routing-table all | |
| Routing table for VRF-0 | |
| S 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0] | |
| C 172.20.121.0/24 is directly connected, port1 | |
| C 172.20.168.0/24 is directly connected, port2 | |
| C 172.20.167.0/24 is directly connected, port3 | |
| S 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0] | |
| S 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0] | |
| S 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0] | |
| The command get router info routing-table all executed on a FortiGate device running FortiOS 7.2 displays the routing table for all Virtual Routing and Forwarding (VRF) instances. | |
| Here's a breakdown of the output you provided: | |
| FGT1#: This is the CLI prompt of the FortiGate (hostname FGT1); the # does not indicate configuration mode. | |
| get router info routing-table all: This is the command used to retrieve the routing table information. | |
| get: Keyword to retrieve information. | |
| router: Specifies we're interested in routing information. | |
| info: Further specifies details about the routing table. | |
| routing-table: Indicates we want to see the routing table. | |
| all: Shows entries for all VRFs (Virtual Routing and Forwarding instances). | |
| Routing Table for VRF-0: | |
| This section displays the routing table for the default VRF instance (VRF-0). VRFs allow for separation of routing tables within a single physical router. Here's an explanation of each line: | |
| Codes: | |
| S: Static route (manually configured route). | |
| C: Connected route (directly connected network). | |
| Destination Network/Mask [AD/metric]: | |
| This specifies the destination network address and subnet mask for which the route applies. | |
| [AD/metric]: The Administrative Distance (AD) ranks routes learned from different sources (connected, static, OSPF, BGP, ...) to the same destination; a lower AD is preferred. The metric breaks ties between routes with the same AD. | |
| Next Hop: This is the IP address of the next hop device used to reach the destination network. | |
| Interface: This is the interface on the FortiGate through which traffic is routed to reach the destination network. | |
| [1/0]: The trailing bracket holds additional per-route values (priority/weight); it is not a hop count. | |
| Breakdown of Specific Routes: | |
| S 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]: This is a static route for the default gateway (0.0.0.0/0) with a next hop of 172.20.121.2 through interface port1. The AD is 10 (the default for static routes, configurable with set distance) and the metric is 0. | |
| C 172.20.121.0/24 is directly connected, port1: This is a connected route for the network 172.20.121.0/24 which is directly connected to the FortiGate through interface port1. | |
| (Similar entries for other connected networks): There are entries for other directly connected networks on ports 2 and 3. | |
| S 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]: This is a static route for the network 10.20.30.0/26 with a next hop of 172.20.168.254 through interface port2. The AD is 10 and the metric is 0. Note that it overlaps with 10.20.30.0/24 via port3: the longer /26 prefix wins for hosts 10.20.30.0-63, the /24 for the rest. | |
| (Similar entries for other static routes): There is a similar entry for another network (10.30.20.0/24) with a next hop through port1. | |
| This output provides a snapshot of the routing table on the FortiGate device, showing how packets are directed to different networks based on their destination addresses. | |
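| The two walkthroughs above describe the fields; this added example (not FortiOS code and not part of the cheat sheet) parses the FGT1 output and shows what the field descriptions cannot: which route a destination actually takes when 10.20.30.0/26 via port2 and 10.20.30.0/24 via port3 overlap, and whether each static route's gateway lies on a connected network of its own interface, which is the ARP-resolution question from the troubleshooting checklist further down. Function names are mine; the sample is the page's output with the OCR slips (portl, [10/01) corrected. | |

```python
"""Parse 'get router info routing-table all' and resolve which route a destination takes.

Added example for this cheat sheet, not FortiOS code. SAMPLE is the FGT1 output
shown on this page (OCR slips 'portl' and '[10/01' corrected) so it runs offline.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE = """\
Routing table for VRF-0
S       0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]
C       172.20.121.0/24 is directly connected, port1
C       172.20.168.0/24 is directly connected, port2
C       172.20.167.0/24 is directly connected, port3
S       10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]
S       10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
S       10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
"""

# <code> <prefix> [AD/metric] via <gw>, <dev>[, [x/y]]   or   <code> <prefix> is directly connected, <dev>
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]\S*(?: [EN][12])?)\s+(?P<prefix>[\d.]+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gw>[\d.]+),\s*(?P<dev>[^,\s]+)"
    r"(?:,\s*\[(?P<trailer>\d+/\d+)\])?"
    r"|is directly connected,\s*(?P<cdev>\S+))\s*$"
)


@dataclass(frozen=True)
class Route:
    code: str                       # S, S* (candidate default), C, B, O, ...
    network: ipaddress.IPv4Network
    ad: int                         # administrative distance, first number of [AD/metric]
    metric: int
    gateway: Optional[str]          # None for connected routes
    interface: str
    trailer: Optional[str]          # trailing [x/y] pair, kept verbatim

    @property
    def is_default(self) -> bool:
        return self.network.prefixlen == 0


def parse_routing_table(text: str) -> List[Route]:
    """Turn each route line into a Route; header, legend and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(m["prefix"])
        if m["cdev"]:
            routes.append(Route(m["code"], net, 0, 0, None, m["cdev"], None))
        else:
            routes.append(Route(m["code"], net, int(m["ad"]), int(m["metric"]),
                                m["gw"], m["dev"], m["trailer"]))
    return routes


def lookup(routes: List[Route], ip: str) -> Optional[Route]:
    """Forwarding decision: longest prefix wins; among equal prefixes the lower AD, then the lower metric."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.ad, r.metric))


def check_next_hops(routes: List[Route]) -> List[Tuple[str, str]]:
    """Flag routes whose gateway is not inside a connected network on the route's own interface:
    FortiGate cannot ARP-resolve such a next hop on that interface, so matching traffic is dropped."""
    connected = [r for r in routes if r.code.startswith("C")]
    problems = []
    for r in routes:
        if r.gateway is None:
            continue
        gw = ipaddress.ip_address(r.gateway)
        if not any(gw in c.network and c.interface == r.interface for c in connected):
            problems.append((str(r.network), f"gateway {r.gateway} not on a connected network of {r.interface}"))
    return problems


if __name__ == "__main__":
    table = parse_routing_table(SAMPLE)
    for dst in ("10.20.30.5", "10.20.30.200", "8.8.8.8"):
        r = lookup(table, dst)
        print(f"{dst:>13} -> {r.code} {r.network} via {r.gateway or 'connected'} on {r.interface}")
    print("next-hop problems:", check_next_hops(table) or "none")
```

| The regex covers the S, S*, C, B, O and two-token OSPF external codes (E1/E2, N1/N2) as FortiOS prints them; other code letters still parse as long as the rest of the line has the [AD/metric] via form. Paste the saved output of get router info routing-table all into SAMPLE, or read it from a file, and run lookup() for the address the user cannot reach before starting the sniffer. | |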
| #===================================================================== | |
| #get router info routing-table all #verify the routing table | |
| The entry below is a static default route. Breaking down each part: | |
| S* 0.0.0.0/0 [10/0] via 10.0.1.254, wan1 | |
| S*: | |
| Indicates that this is a static route; the asterisk marks it as a candidate default route (legend: * - candidate default). | |
| 0.0.0.0/0: | |
| Represents the destination IP address range. In this case, it's 0.0.0.0/0, which is a shorthand for all possible IP addresses (any destination IP address). | |
| [10/0]: | |
| The square bracket notation represents the routing metrics associated with the route. | |
| The first number (10 in this case) is the administrative distance, which is a measure of the trustworthiness of the source of the route. Lower values are more trusted. | |
| The second number (0 in this case) is the metric, which is used to determine the best route when there are multiple routes to the same destination with the same administrative distance. | |
| via 10.0.1.254: | |
| Specifies the next-hop IP address for the route. This is the IP address of the next device to which the traffic will be forwarded. | |
| In this example, the next-hop IP address is 10.0.1.254. | |
| wan1: | |
| Indicates the outgoing interface through which the traffic should be forwarded. | |
| In this example, the outgoing interface is named "wan1." | |
| Now, let's illustrate with an example: | |
| Assume you have a network setup where a device needs to send traffic to destinations outside of its local network. The static default route entry is used to specify that any traffic with a destination IP address not explicitly covered by more specific routes should be sent to the next-hop IP address 10.0.1.254 via the "wan1" interface. | |
| Example: | |
| Destination IP: 192.168.1.100 (outside of the local network) | |
| Static Default Route Entry: S* 0.0.0.0/0 [10/0] via 10.0.1.254, wan1 | |
| When the device wants to send traffic to 192.168.1.100, it matches the default route because the destination IP address is not covered by a more specific route. The traffic will be forwarded to the next-hop IP address 10.0.1.254 via the "wan1" interface. This allows the device to reach destinations outside of its local network using the specified next-hop gateway | |
| #===================================================================== | |
| #get router info routing-table all #verify the routing table | |
| The entry in the routing table you provided is in a format commonly used to represent a static default route. Let's break down each part of the entry: | |
| css | |
| Copy code | |
| S* 0.0.0.0/0 [10/0] via 10.0.1.254, wan1 | |
| S:* | |
| Indicates that this is a static route. | |
| 0.0.0.0/0: | |
| Represents the destination IP address range. In this case, it's 0.0.0.0/0, which is a shorthand for all possible IP addresses (any destination IP address). | |
| [10/0]: | |
| The square bracket notation represents the routing metrics associated with the route. | |
| The first number (10 in this case) is the administrative distance, which is a measure of the trustworthiness of the source of the route. Lower values are more trusted. | |
| The second number (0 in this case) is the metric, which is used to determine the best route when there are multiple routes to the same destination with the same administrative distance. | |
| via 10.0.1.254: | |
| Specifies the next-hop IP address for the route. This is the IP address of the next device to which the traffic will be forwarded. | |
| In this example, the next-hop IP address is 10.0.1.254. | |
| wan1: | |
| Indicates the outgoing interface through which the traffic should be forwarded. | |
| In this example, the outgoing interface is named "wan1." | |
| Now, let's illustrate with an example: | |
| Assume you have a network setup where a device needs to send traffic to destinations outside of its local network. The static default route entry is used to specify that any traffic with a destination IP address not explicitly covered by more specific routes should be sent to the next-hop IP address 10.0.1.254 via the "wan1" interface. | |
| Example: | |
| Destination IP: 192.168.1.100 (outside of the local network) | |
| Static Default Route Entry: S* 0.0.0.0/0 [10/0] via 10.0.1.254, wan1 | |
| When the device wants to send traffic to 192.168.1.100, it matches the default route because the destination IP address is not covered by a more specific route. The traffic will be forwarded to the next-hop IP address 10.0.1.254 via the "wan1" interface. This allows the device to reach destinations outside of its local network using the specified next-hop gateway | |
| #===================================================================== | |
| get router info routing-table all #verify the routing table | |
| show system interface port1 #verify that the services you need (ssh, https, ping, ...) are listed in allowaccess on the interface being accessed | |
| config firewall policy # if the interface is reached through another port of the FortiGate, a firewall policy must exist to allow this traffic | |
| - Is traffic arriving at the FortiGate, and does it arrive on the expected port? | |
| - Is the ARP resolution correct for the targeted next-hop? | |
| - Is the traffic exiting the FortiGate towards the destination? | |
| - Is the traffic sent back to the source? | |
| #stop the sniffer with CTRL+C; verbosity 4 prints the packet header together with the interface name | |
| diagnose sniffer packet any "(host <PC1> and host <PC2>) and icmp" 4 | |
| diagnose sniffer packet any "host <PC1> and host <PC2>" 4 | |
| diagnose firewall statistic show | |
| diagnose sys session full-stat #session table statistics | |
| #===================================================================== | |
| Change vdom: | |
| config vdom | |
| edit vdomname | |
| #===================================================================== | |
| ## execute tac report GUI | |
| System-Settings-Debug Logs-Download | |
| #===================================================================== | |
| ## execute tac report CLI | |
| # execute tac report # collects the output of many diagnostic commands in one go; log the terminal session to capture it | |
| # get system status # firmware version, FortiGate model name | |
| #===================================================================== | |
| troubleshooting Slowness | |
| High CPU usage | |
| High memory usage | |
| How high is the CPU usage? Why? | |
| # get system performance status | |
| # diagnose sys top 1 | |
| High CPU and Memory Troubleshooting | |
| # diagnose sys top | |
| # get system performance top #(use Shift+M to sort by memory usage) | |
| #===================================================================== | |
| How to do initial troubleshooting of high memory utilization issues (conserve mode) | |
| Run the command above a few times and compare patterns of memory usage, throughput and number of sessions | |
| If the used memory is more than 75%, this may indicate that a further check may be required. | |
| get system performance status | |
| CPU states: 1% user 0% system 0% nice 99% idle 0% iowait 0% irq 0% softirq | |
| CPU0 states: 1% user 0% system 0% nice 99% idle 0% iowait 0% irq 0% softirq | |
| Memory: 2004540k total, 586528k used (29%), 1418012k free (71%) | |
| Average network usage: 1 / 0 kbps in 1 minute, 0 / 0 kbps in 10 minutes, 0 / 0 kbps in 30 minutes | |
| Average sessions: 25 sessions in 1 minute, 25 sessions in 10 minutes, 25 sessions in 30 minutes | |
| Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes | |
| Virus caught: 0 total in 1 minute | |
| IPS attacks blocked: 0 total in 1 minute | |
| Uptime: 0 days, 23 hours, 41 minutes | |
| find memory usage per process instance: | |
| diagnose sys top 1 45 | |
| Columns, in order: process name, process ID, process state, CPU usage %, memory usage %. | |
| '1' is the refresh period in seconds | |
| '45' is the number of processes displayed. Part of the output as an example: | |
| Run Time: 0 days, 23 hours and 54 minutes | |
| 0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 1957T, 1271F | |
| #the summary line: CPU % user, nice, system, idle, iowait, hardware irq, soft irq, steal; then memory total (T) and free (F) in MB | |
| newcli 308 R 0.9 0.5 | |
| sshd 305 S 0.9 0.5 | |
| pyfcgid 142 S 0.0 2.0 | |
| reportd 154 S 0.0 1.8 | |
| cmdbsvr 120 S 0.0 1.4 | |
| pyfcgid 184 S 0.0 1.2 | |
| pyfcgid 186 S 0.0 1.2 | |
| pyfcgid 185 S 0.0 1.2 | |
| forticron 149 S 0.0 1.2 | |
| miglogd 139 S 0.0 1.1 | |
| httpsd 141 S 0.0 1.1 | |
| scanunitd 158 S < 0.0 1.0 | |
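To turn the 'diagnose sys top' screen above into something a monitoring script can act on, here is an added parser (not part of the original cheat sheet). The sample text is constructed from the output shown above, with a second pyfcgid instance added to show per-name aggregation; the CPU and memory thresholds are this example's own choices.

```python
"""Parse 'diagnose sys top' output and flag processes above CPU/memory thresholds.

Added example, not part of the original cheat sheet. The sample text below is
constructed from the output shown above; on a FortiGate the text would come
from 'diagnose sys top 1 45' captured over SSH.
"""
import re
from dataclasses import dataclass

# Constructed sample (trimmed copy of the output above, plus a second pyfcgid).
SAMPLE_TOP = """\
Run Time: 0 days, 23 hours and 54 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 1957T, 1271F
newcli 308 R 0.9 0.5
sshd 305 S 0.9 0.5
pyfcgid 142 S 0.0 2.0
reportd 154 S 0.0 1.8
pyfcgid 184 S 0.0 1.2
scanunitd 158 S < 0.0 1.0
"""


@dataclass
class Proc:
    name: str
    pid: int
    state: str   # R = running, S = sleeping, ...
    cpu: float   # percent
    mem: float   # percent


# Summary line: CPU split (U user, N nice, S system, I idle, WA iowait,
# HI/SI hard/soft irq, ST steal) then total (T) and free (F) memory in MB.
_SUMMARY = re.compile(
    r"(\d+)U, (\d+)N, (\d+)S, (\d+)I, (\d+)WA, (\d+)HI, (\d+)SI, (\d+)ST; (\d+)T, (\d+)F"
)
# Process line: name, PID, state, optional '<' priority marker, CPU %, memory %.
_PROC = re.compile(r"^(\S+)\s+(\d+)\s+([A-Z])\s*(?:<\s*)?([\d.]+)\s+([\d.]+)\s*$")


def parse_top(text):
    """Return (summary dict, list of Proc) for one 'diagnose sys top' screen."""
    summary, procs = {}, []
    for line in text.splitlines():
        m = _SUMMARY.search(line)
        if m:
            v = [int(x) for x in m.groups()]
            summary = {
                "user": v[0], "nice": v[1], "system": v[2], "idle": v[3],
                "total_mb": v[8], "free_mb": v[9],
                "used_pct": round(100.0 * (v[8] - v[9]) / v[8], 1),
            }
            continue
        m = _PROC.match(line)
        if m:
            procs.append(Proc(m.group(1), int(m.group(2)), m.group(3),
                              float(m.group(4)), float(m.group(5))))
    return summary, procs


def needs_attention(summary, threshold_pct=75.0):
    """The 75% rule from the section above: above it, dig further."""
    return summary.get("used_pct", 0.0) >= threshold_pct


def hot_processes(procs, cpu_pct=50.0, mem_pct=1.5):
    """Processes over either threshold, heaviest memory consumer first."""
    hot = [p for p in procs if p.cpu >= cpu_pct or p.mem >= mem_pct]
    return sorted(hot, key=lambda p: (p.mem, p.cpu), reverse=True)


def mem_by_name(procs):
    """Total memory % per process name; daemons such as pyfcgid run several instances."""
    totals = {}
    for p in procs:
        totals[p.name] = round(totals.get(p.name, 0.0) + p.mem, 1)
    return totals


if __name__ == "__main__":
    s, ps = parse_top(SAMPLE_TOP)
    print(f"memory used {s['used_pct']}%  attention: {needs_attention(s)}")
    for p in hot_processes(ps):
        print(f"{p.name:<12} pid={p.pid} cpu={p.cpu}% mem={p.mem}%")
```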
| #===================================================================== | |
| # show system interface | |
| # diagnose ip address list | |
| # show full-configuration system dns | |
| # show full-configuration system global | |
| # show full-configuration system settings | |
| # diagnose hardware lspci -v | |
| # get hardware cpu | |
| # get hardware memory | |
| At the physical layer, troubleshooting analyzes which ports are plugged in, media capacity, and negotiated speed and duplex mode | |
| At the data link layer, diagnostics often analyze how many frames are being dropped because of CRC errors or collisions | |
| # get hardware nic <interface_name> | |
| #===================================================================== | |
| #list directories on fortios | |
| # fnsysctl ls -l /dev/shm | |
| # fnsysctl ls -l /dev/cmdb | |
| # fnsysctl ls -l /tmp | |
| #===================================================================== | |
| execute log filter dump | |
| execute log filter category 0 | |
| execute log filter field hostname www.google.ch | |
| execute log display | |
| #===================================================================== | |
| diag debug enable | |
| diag debug authd fsso list | |
| diag debug authd fsso server-status | |
| diag debug authd fsso summary | |
| diag debug authd fsso clear-logons | |
| diag debug authd fsso refresh-logons | |
| diag debug authd fsso refresh-groups | |
| #===================================================================== | |
| diagnose test application ssl 0 | |
| diagnose test application ssl 4 #SSL Proxy Usage | |
| diagnose test application ssl 44 # | |
| #===============================================Show info per connection====================== | |
| #Troubleshooting Fortigate LDAP | |
| # <LDAP server_name> is the name of LDAP object on FortiGate (not actual LDAP server name) | |
| #LDAP support 3 types of authentication (Binding): anonymous, simple and SASL authentication. | |
| #FGT# diagnose test authserver ldap LDAP_SERVER user1 password | |
| # diagnose test authserver ldap External_Server aduser1 Training! | |
| authenticate 'aduser1' against 'External_Server' succeeded! | |
| Group membership(s) - CN=AD-users,OU=Training,DC=trainingAD,DC=training,DC=lab | |
| diagnose debug {enable|disable} | |
| FGT# diagnose debug enable | |
| FGT# diagnose debug application fnbamd 255 | |
| #===================================================================== | |
| Tests preshared key between FortiGate and the RADIUS server | |
| diagnose test authserver radius-direct <ip> <port> <secret> | |
| #===================================================================== | |
| #fnbamd FortiGate non-blocking auth daemon | |
| diagnose debug application fnbamd | |
| #========================================================================================================================================== | |
| #Debug LDAP or Radius | |
| diagnose debug enable | |
| diagnose debug application fnbamd -1 | |
| #===================================================================== | |
| #Troubleshooting EmailFilter | |
| # diagnose emailfilter fortishield servers | |
| Locale : english | |
| Service : Web-filter | |
| Status : Enable | |
| License : Contract | |
| Service : Antispam | |
| Status : Disable | |
| Service : Virus Outbreak Prevention | |
| Status : Disable | |
| Num. of servers : 3 | |
| Protocol : https | |
| Port : 443 | |
| Anycast : Enable | |
| Default servers : Included | |
| #===================================================================== | |
| #Browse file system | |
| fnsysctl ls -la /data/lib/libips.bak | |
| fnsysctl ls -la /data/lib/libgif.so | |
| fnsysctl ls -la /data/lib/libiptcp.so | |
| fnsysctl ls -la /data/lib/libipudp.so | |
| fnsysctl ls -la /data/lib/libjepg.so | |
| fnsysctl ls -la /var/.sslvpnconfigbk | |
| fnsysctl ls -la /data/etc/wxd.conf | |
| fnsysctl ls -la /flash | |
| # fnsysctl ls -l /data/lib | |
| # fnsysctl ls -la /var | |
| # fnsysctl ls -l /data/etc | |
| # fnsysctl ls -l / | |
| #===================================================================== | |
| #trusted host: configure an administrative account to be accessible only from a trusted host | |
| #Set Trusted Host 1 to the static IP address of the computer you use to administer the FortiGate | |
| System > Administrators > Enable Restrict login to trusted hosts | |
| add 10.0.1.0/24 as the trusted IP subnet (Trusted Host 2) to the Security administrator account: | |
| config system admin | |
| edit Security | |
| set trusthost2 10.0.1.0/24 | |
| end | |
| #===================================================================== | |
| #The status of the session | |
| deny - Session was denied | |
| accept - Allowed Forward session | |
| start - Session starts (log message was created when the session was created) | |
| dns - DNS query return error | |
| ip-conn - Failed connection attempts | |
| close - Local-traffic session allowed | |
| timeout - Allowed session was timeout | |
| client-rst - Session reset by client | |
| server-rst - Session reset by server | |
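The session status values listed above are the action field of a FortiOS traffic log record. As an added example (not from the original cheat sheet), the parser below reads FortiOS key=value log lines, maps the action to the meanings above, and pulls out the blocked, failed and reset sessions for triage; the log lines are constructed, with documentation IP ranges, and the triage grouping is this example's own.

```python
"""Classify FortiGate traffic-log lines by their action (session status) field.

Added example, not part of the original cheat sheet. The log lines are
constructed in the key=value format FortiOS uses (documentation IP ranges).
"""
import re
from collections import Counter

# The session status values listed above and what each one means.
ACTION_MEANING = {
    "deny": "session was denied",
    "accept": "allowed forward session",
    "start": "session started (logged when the session was created)",
    "dns": "DNS query returned an error",
    "ip-conn": "failed connection attempt",
    "close": "local-traffic session allowed",
    "timeout": "allowed session timed out",
    "client-rst": "session reset by client",
    "server-rst": "session reset by server",
}
# Triage grouping used by this example: blocked, failed, allowed, or cut short.
ACTION_CLASS = {
    "deny": "blocked",
    "ip-conn": "failed", "dns": "failed",
    "accept": "allowed", "start": "allowed", "close": "allowed", "timeout": "allowed",
    "client-rst": "reset", "server-rst": "reset",
}

# Constructed sample: four traffic records and one event record.
SAMPLE_LOGS = [
    'date=2024-01-10 time=10:00:01 type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.0.1.5 srcport=51000 dstip=198.51.100.20 dstport=443 proto=6 action="accept" '
    'policyid=14 service="HTTPS" sentbyte=1200 rcvdbyte=5300',
    'date=2024-01-10 time=10:00:02 type="traffic" subtype="forward" level="warning" vd="root" '
    'srcip=10.0.1.7 srcport=52011 dstip=203.0.113.9 dstport=23 proto=6 action="deny" '
    'policyid=0 service="TELNET"',
    'date=2024-01-10 time=10:00:03 type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.0.1.5 srcport=52100 dstip=203.0.113.50 dstport=8443 proto=6 action="ip-conn" '
    'policyid=14 service="tcp/8443"',
    'date=2024-01-10 time=10:00:04 type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.0.1.9 srcport=52200 dstip=198.51.100.20 dstport=443 proto=6 action="client-rst" '
    'policyid=14 service="HTTPS"',
    'date=2024-01-10 time=10:00:05 type="event" subtype="system" level="critical" vd="root" '
    'logdesc="Memory conserve mode entered" service="kernel" conserve="on" '
    'msg="Kernel enters memory conserve mode"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'([A-Za-z_][\w-]*)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Split one FortiOS key=value log line into a dict."""
    return {key: quoted if quoted else bare for key, quoted, bare in _KV.findall(line)}


def describe(entry):
    """Human-readable meaning of a record's action field."""
    action = entry.get("action", "")
    return ACTION_MEANING.get(action, f"unknown action '{action}'")


def summarize(lines):
    """Count traffic records per triage class and collect the ones worth a look."""
    counts = Counter()
    notable = []
    for line in lines:
        e = parse_log_line(line)
        if e.get("type") != "traffic":
            continue  # event/UTM records carry other fields; not handled here
        action = e.get("action", "")
        cls = ACTION_CLASS.get(action, "unknown")
        counts[cls] += 1
        if cls in ("blocked", "failed", "reset"):
            notable.append({
                "src": e.get("srcip"),
                "dst": f"{e.get('dstip')}:{e.get('dstport')}",
                "policyid": e.get("policyid"),
                "action": action,
                "meaning": describe(e),
            })
    return counts, notable


if __name__ == "__main__":
    counts, notable = summarize(SAMPLE_LOGS)
    print(dict(counts))
    for n in notable:
        print(f"{n['src']} -> {n['dst']} policy {n['policyid']}: {n['meaning']}")
```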
| #===================================================================== | |
| The FortiGate usually uses a subordinate CA certificate that is signed by the company's private CA, such as a FortiAuthenticator or a Windows server with certificate services | |
| There must be a certificate chain back to the trusted root CA that is installed on the user's endpoint. If the root certificate is not installed, the user receives a certificate warning every time they access a website that is scanned by the FortiGate using deep inspection. Administrators should provide the CA certificate to the end users if deep inspection will be used. | |
| Performing deep inspection might be undesirable when users are accessing certain web categories, such as banking or personal health related sites. When creating SSL/SSH inspection profiles that use full SSL inspection, the Finance and Banking, Health and Wellness, and Personal Privacy categories are exempt from inspection by default. Administrators can customize these categories, enable Reputable websites, and add individual addresses to the SSL exemptions as required. | |
| https://docs.fortinet.com/document/fortigate/7.2.0/best-practices/598577/ssl-tls-deep-inspection | |
| #===================================================================== | |
| You can configure address and web category allowlists to bypass SSL deep inspection. | |
| For example, you might download a file containing a virus during an e-commerce session, or you might receive a phishing email containing a seemingly harmless download that, when launched, creates an encrypted session to a command and control (C&C) server and downloads malware onto your computer. Because the sessions in these attacks are encrypted, they might get past your network's security measures. | |
| Deep inspection not only protects you from attacks that use HTTPS, it also protects you from other commonly-used SSL-encrypted protocols such as SMTPS, POP3S, IMAPS, and FTPS. | |
| When FortiGate re-encrypts the content, it uses a certificate stored on the FortiGate such as Fortinet_CA_SSL, Fortinet_CA_Untrusted, or your own CA certificate that you uploaded. | |
| Because there is no Fortinet_CA_SSL in the browser's trusted CA list, the browser displays an untrusted certificate warning when it receives a FortiGate re-signed server certificate. To stop the warning messages, trust the FortiGate CA Fortinet_CA_SSL by importing it into your browser. | |
| After importing Fortinet_CA_SSL into your browser, if you still get messages about an untrusted certificate, it is due to Fortinet_CA_Untrusted. Never import the Fortinet_CA_Untrusted certificate into your browser. | |
| Exempt web sites from deep inspection | |
| If you do not want to apply deep inspection for privacy or other reasons, you can exempt the session by address, category, or allowlist. | |
| If you want to exempt all bank web sites, an easy way is to exempt the Finance and Banking category which includes all finance and bank web sites identified in FortiGuard. | |
| If you want to exempt commonly trusted web sites, you can bypass the SSL allowlist in the SSL/SSH profile. The allowlist includes common web sites trusted by FortiGuard. Simply enable Reputable Websites. | |
| https://docs.fortinet.com/document/fortigate/6.2.6/cookbook/122078/deep-inspection | |
| #===================================================================== | |
| get system settings | grep ssl-ssh-profile #check if SSL inspection is enabled | |
| #SSL inspection profile named "ssl_inspection" is currently in use and SSL inspection is enabled on the device | |
| get firewall ssl-ssh-profile ssl_inspection | grep status | |
| #===================================================================== | |
| #view ports that are being listened on, and active connections and the services or processes using them | |
| diagnose sys tcpsock | grep 0.0.0.0 | |
| https://docs.fortinet.com/document/fortigate/7.2.0/fortios-ports/637075/incoming-ports | |
| https://docs.fortinet.com/document/fortigate/7.2.0/fortios-ports/160067/outgoing-ports | |
| #===================================================================== | |
| #Verifying the correct route is being used | |
| The first hop contains the IP address 10.10.1.99, which is the internal interface of the FortiGate. | |
| The second hop contains the IP address 172.20.120.2, to which the wan1 interface of the FortiGate is connected. | |
| This means the route through the wan1 interface is being used for this traffic. | |
| C:\>tracert www.fortinet.com | |
| Tracing route to www.fortinet.com [66.171.121.34] | |
| over a maximum of 30 hops: | |
| 1 <1 ms <1 ms <1 ms 10.10.1.99 | |
| 2 1 ms <1 ms <1 ms 172.20.120.2 | |
| 3 3 ms 3 ms 3 ms static-209-87-254-221.storm.ca [209.87.254.221 | |
| #===================================================================== | |
| #Troubleshoot Local-In-Policy | |
| #Traffic destined for the FortiGate itself, and not being passed through or dropped, is called local-in traffic | |
| #a variety of services, such as HTTPS for administrative access, or BGP for inter-router communication. | |
| #Local-in traffic is controlled by local-in policies. | |
| #enable viewing local-in policies in the GUI | |
| System > Feature Visibility and enable Local In Policy. | |
| #From the Windows PC used to reach the FortiGate web GUI, ping the FortiGate IP | |
| From the PC at 10.10.10.12, start a continuous ping to port1: | |
| ping 192.168.2.5 -t | |
| #On the FortiGate CLI, enable debug flow: | |
| # diagnose debug flow filter addr 10.10.10.12 | |
| # diagnose debug flow filter proto 1 | |
| # diagnose debug enable | |
| # diagnose debug flow trace start 10 | |
| Menu > Log&Report > Local Traffic # Local-In-Policy logs | |
| #===================================================================== | |
| #List Local-In-Policy | |
| FW02 # config firewall local-in-policy | |
| FW02 # (local-in-policy) # show full | |
| #===================================================================== | |
| #Configure Local-In-Policy | |
| #create address object you want to access to GUI from | |
| GUI>Policy & Objects >Addresses >Create New> Address | |
| "IP_172.14.4.143" | |
| "IP_172.14.4.144" | |
| config firewall local-in-policy | |
| edit 1 | |
| set intf "mgmt" | |
| set srcaddr "IP_Allow" # IP_Allow is the address object permitted to reach the GUI (created in the step above) | |
| set dstaddr "IP_172.14.4.143" "IP_172.14.4.144" | |
| set action accept | |
| set service HTTP HTTPS | |
| set schedule "always" | |
| next | |
| edit 2 | |
| set intf "mgmt" | |
| set srcaddr "all" | |
| set dstaddr "IP_172.14.4.143" "IP_172.14.4.144" | |
| set service HTTP HTTPS | |
| next | |
| end | |
| #===================================================================== | |
| #fortianalyzer | |
| # conf log fortianalyzer setting | |
| FW02 (setting) # get | |
| FW02 (setting) # end | |
| FW02 # conf log fortianalyzer filter | |
| FW02 (filter) # get | |
| FW02 (filter) # end | |
| FW02 # exe log filter category | |
| FW02 # exe log filter device | |
| FW02 # exe log filter field | |
| FW02 # exe log display | |
| #display the current configuration of the log filter on the FortiAnalyzer device. | |
| #The log filter is used to filter the logs that are collected by the FortiAnalyzer | |
| FW02 # exe log filter dump | |
| FW02 # exe log display #Display filtered log entries | |
| FW02 (global) # abort #End and discard last config | |
| FW02 (global) # end #End and save last config | |
| #ChatGPT | |
| #diagnose the miglogd service which is responsible for the storage and management of logs | |
| #used to troubleshoot and check the health of the miglogd service. | |
| #runs various tests on the service and provides the output of these tests on the console. | |
| #can be used to check if the service is running properly, if there are any issues with the storage of logs, and if there are any other problems with the miglogd service. | |
| #run this command when troubleshooting issues with log collection, storage, and management on the FortiAnalyzer device | |
| #helps to identify any problems with the miglogd service and fix them, ensuring that logs are being collected, stored and managed properly. | |
| FW02 # diag test app miglogd | |
| FW02 # d test app miglogd 6 | |
| #ChatGPT | |
| #used to enable debugging for the miglogd service, which is responsible for the storage and management of logs | |
| #When the debugging is enabled, the miglogd service generates detailed log messages that provide information about the internal operations and status of the service. | |
| #can be used to gather more information about the service when troubleshooting issues with log collection, storage, and management on the FortiAnalyzer device. | |
| #important to note that enabling debugging can generate a significant amount of log data, it is recommended to use it only when necessary and to disable it as soon as the troubleshooting is done to avoid filling up the log storage and impacting the performance of the system | |
| FW02 # diag debug app miglogd -1 #enable the highest level of debugging | |
| FW02 # diag debug enable | |
| FW02 # diag debug app miglogd 0 #disable debugging | |
| FW02 # diag debug reset #disable debugging | |
| #ChatGPT | |
| #enable debugging for the httpsd service, which is responsible for the handling of HTTP connections to the FortiAnalyzer device | |
| #used to gather more information about the service when troubleshooting issues with connectivity to the FortiAnalyzer device over HTTP. | |
| # run this command when you are troubleshooting issues related to connectivity to the FortiAnalyzer device over HTTP | |
| FW02 # d de app httpsd -1 #enable the highest level of debugging | |
| FW02 # d de app httpsd 0 #disable debugging | |
| FW02 # diag debug reset #disable debugging | |
| FW02 # d de en | |
| FW02 # d de dis | |
| #ChatGPT | |
| Here is a scenario where the "diagnose debug application httpsd" command is useful: | |
| Imagine that an administrator is having trouble connecting to the FortiAnalyzer device over the web interface. They have tried multiple browsers and even different computers but the problem persists. In this case, the administrator can use the "diagnose debug application httpsd" command to enable debugging for the httpsd service, which will generate detailed log messages that can provide information about the internal operations and status of the service. | |
| The administrator can then check the logs generated by the httpsd service to see if there are any error messages or other information that can help identify the problem. For example, the logs may show that there is a problem with the certificate being used for the web interface, or that there is an issue with the configuration of the httpsd service. | |
| Once the administrator has identified the problem, they can then use this information to troubleshoot and fix the issue. For example, if the issue is with the certificate, the administrator can replace the certificate with a valid one. | |
| #===================================================================== | |
| # diag system ntp status | |
| #===================================================================== | |
| #A FortiGate can display logs both in the GUI and via the CLI | |
| #execute log display #display logs through CLI. | |
| #define a filter giving the logs you need | |
| #execute log filter reset | |
| #execute log filter dump <--- to show settings, example output below | |
| #execute log filter device | |
| 0: memory | |
| 1: disk | |
| 2: fortianalyzer | |
| 3: fortianalyzer-cloud <--- added with FortiAnalyzer-cloud introduction | |
| 4: forticloud <--- moved one position down | |
| #execute log filter device 0 <--- this will display logs from memory | |
| #execute log filter category | |
| 0: traffic | |
| 1: event | |
| 2: utm-virus | |
| 3: utm-webfilter | |
| 4: utm-ips | |
| 5: utm-emailfilter | |
| 7: utm-anomaly | |
| 8: utm-voip | |
| 9: utm-dlp | |
| 10: utm-app-ctrl | |
| 12: utm-waf | |
| 15: utm-dns | |
| 16: utm-ssh | |
| 17: utm-ssl | |
| 19: utm-file-filter | |
| 20: utm-icap | |
| 22: utm-sctp-filter | |
| # show full-configuration log memory filter | |
| #display all utm-webfilter logs with the destination ip address 40.85.78.63 | |
| # execute log filter category 3 | |
| # execute log filter field dstip 40.85.78.63 | |
| # execute log display | |
| #display all utm-webfilter logs with destination ip address 40.85.78.63 that are not from September 13, 2019 | |
| # execute log filter free-style "(date 2019-09-13 not) and (dstip 40.85.78.63)" | |
| # execute log filter field url http://example.com/phpmyadmin/ | |
| #========================================================================================================================================== | |
| Note that with Full SSL Inspection the certificate used to sign those sites (by default SSL_Proxy_Inspection on the FortiGate) must be recognized as a valid CA. Otherwise, the warning message is shown every time an SSL/TLS connection is made. | |
| This certificate (SSL_Proxy_Inspection) must be installed on each PC, for use by the operating system and/or by browsers/applications (Mozilla Firefox or Java JRE) that have their own certificate repository. | |
| If webfilter only is required, SSL Certificate Inspection is the correct option. | |
| If webfilter, identify attacks, viruses and application control are required, then Full SSL Inspection is the best option. | |
| https://community.fortinet.com/t5/FortiGate/Technical-Note-Differences-between-SSL-Certificate-Inspection/ta-p/192301 | |
| #========================================================================================================================================== | |
| #import the CA certificate for full SSL inspection | |
| System -> Certificates -> Import -> Local Certificate -> PKCS#12. #if the private key is in the same file as the certificate | |
| System -> Certificates -> Import -> Local Certificate -> Certificate #if the private key is in a separate file from the certificate | |
| #========================================================================================================================================== | |
| #Process Monitor | |
| Left-click in the CPU or Memory widget and select Process Monitor. | |
| Click the user name in the upper right-hand corner of the screen, then go to System > Process Monitor. | |
| #kill a process within the process monitor | |
| Select a process. Click the Kill Process dropdown. | |
| Kill: the standard kill option that produces one line in the crash log (diagnose debug crashlog read). | |
| Force Kill: the equivalent to diagnose sys kill 9 <pid>. This can be viewed in the crash log. | |
| Kill & Trace: the equivalent to diagnose sys kill 11 <pid>. This generates a longer crash log and backtrace. A crash log is displayed afterwards. | |
| #========================================================================================================================================== | |
| When in conserve mode, FortiOS generates conserve mode log messages and SNMP traps, and a conserve mode banner is shown in the GUI. | |
| view current information about memory conservation status: | |
| # diagnose hardware sysinfo conserve | |
| memory conserve mode: on | |
| total RAM: 997 MB | |
| memory used: 735 MB 73% of total RAM | |
| memory freeable: 173 MB 17% of total RAM | |
| memory used + freeable threshold extreme: 947 MB 95% of total RAM | |
| memory used threshold red: 877 MB 88% of total RAM | |
| memory used threshold green: 817 MB 82% of total RAM | |
| If the GUI is unresponsive due to high memory usage, making the logs inaccessible, they can be viewed in the CLI: | |
| # execute log filter category 1 | |
| # execute log display | |
| 1: date=2022-11-02 time=16:58:37 eventtime=1667433517502192693 tz="-0700" logid="0100022011" type="event" subtype="system" level="critical" vd="root" logdesc="Memory conserve mode entered" service="kernel" conserve="on" total=997 MB used=707 MB red="877 MB" green="698 MB" msg="Kernel enters memory conserve mode | |
| view the crash log in the CLI: | |
| # diagnose debug crashlog read | |
| #========================================================================================================================================== | |
| diag debug rating Show list of FortiGuard Services | |
| #========================================================================================================================================== | |
| config system interface Show all NICs | |
| #========================================================================================================================================== | |
| config router prefix-list Add a prefix-list Type show, to see current prefix-lists. | |
| config router route-map Add a route-map Type show, to see current route maps | |
| get router info routing-table all Show routing table | |
| get router info routing-table database Show routing database | |
| get router info routing-table bgp Show BGP routes | |
| get router info routing-table ospf Show OSPF routes | |
| get router info routing-table connected Show Direct Connected routes | |
| get router info routing-table details <host> Get routing information for specific <host> | |
| get router info bgp summary Show BGP Peer status and received prefixes | |
| get router route-map Show available route-maps | |
| get router prefix-list Show available prefix-lists | |
| #========================================================================================================================================== | |
| diag ip arp delete <interface name> <IP address> Remove a single ARP table entry | |
| diag ip arp list View ARP cache | |
| config system arp-table Add static ARP entries | |
| get system arp #Show ARP table,troubleshoot Layer 2 issues, such as an IP address conflict | |
| #========================================================================================================================================== | |
| #Debug BGP | |
| diag debug reset | |
| diag ip router bgp all enable | |
| diag ip router bgp level info | |
| diag debug enable | |
| #========================================================================================================================================== | |
| exec log display Display log | |
| exec ping <dst> Execute a ping | |
| exec ping-options Set specific ping options | |
| exec ping-options source Set specific source IP | |
| exec tac report Generate a TAC report | |
| exec telnet ip:port Execute a telnet | |
| exec ssh ip:port Execute a SSH client | |
| exec traceroute Execute a traceroute | |
| exec clear system arp table Clear ARP cache | |
| exec log filter Set a log filter | |
| exec update-geo-ip Update Geo IP addresses | |
| exec update-av Update Antivirus Database | |
| exec update-ips Update IPS Database | |
| #========================================================================================================================================== | |
| exec router clear bgp all Clear all BGP sessions | |
| exec router clear bgp all soft Soft Clear all BGP (this will refresh the BGP routing table, but BGP session remains) | |
| exec router clear bgp ip soft x.x.x.x Soft Clear BGP for specific neighbor | |
| #========================================================================================================================================== | |
| diagnose sys session list Show session table | |
| diagnose sys tcpsock List open networking ports: | |
| diagnose sys top Show top with processes: | |
| #========================================================================================================================================== | |
| diagnose sys kill process_id 15 Kill processes – uses an unconditional kill. | |
| #========================================================================================================================================== | |
| diagnose hardware deviceinfo nic Show hardware info for NIC | |
| diagnose hardware deviceinfo nic <nic> Show device information for specific NIC: | |
| #diagnose hardware sysinfo shm Show shared memory information – Look if conservemode is 1 | |
| identify if a FortiGate device is currently in memory conserve mode | |
| #diagnose hardware sysinfo conserve | |
| memory conserve mode: on | |
| total RAM: 3040 MB | |
| memory used: 2706 MB 89% of total RAM | |
| memory freeable: 334 MB 11% of total RAM | |
| memory used + freeable threshold extreme: 2887 MB 95% of total RAM | |
| memory used threshold red: 2675 MB 88% of total RAM | |
| memory used threshold green: 2492 MB 82% of total RAM | |
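The two 'diagnose hardware sysinfo conserve' captures on this page (997 MB above, and this 3040 MB one) share one format. As an added example (not from the original cheat sheet), here is a parser that reads that output and reports where usage stands against the green, red and extreme thresholds; SAMPLE is a constructed copy of the 997 MB output, and the alert levels are this example's own monitoring policy, not FortiOS behaviour.

```python
"""Parse 'diagnose hardware sysinfo conserve' and compare usage with the thresholds.

Added example, not part of the original cheat sheet. SAMPLE is a constructed
copy of the 997 MB output shown on this page; alert_level() is this example's
own policy, not something FortiOS computes.
"""
import re

SAMPLE = """\
memory conserve mode: on
total RAM: 997 MB
memory used: 735 MB 73% of total RAM
memory freeable: 173 MB 17% of total RAM
memory used + freeable threshold extreme: 947 MB 95% of total RAM
memory used threshold red: 877 MB 88% of total RAM
memory used threshold green: 817 MB 82% of total RAM
"""

# Output labels mapped to short keys; every one must be present in a full capture.
_KEYS = {
    "total RAM": "total",
    "memory used": "used",
    "memory freeable": "freeable",
    "memory used + freeable threshold extreme": "extreme",
    "memory used threshold red": "red",
    "memory used threshold green": "green",
}
_MB_LINE = re.compile(r"^(?P<label>[^:\n]+):\s+(?P<mb>\d+) MB", re.M)
_MODE = re.compile(r"^memory conserve mode:\s*(\w+)", re.M)


def parse_conserve(text):
    """Return {'mode': 'on'|'off', 'total': MB, 'used': MB, ...}; raise if a line is missing."""
    stats = {}
    m = _MODE.search(text)
    if m:
        stats["mode"] = m.group(1)
    for m in _MB_LINE.finditer(text):
        key = _KEYS.get(m.group("label").strip())
        if key:
            stats[key] = int(m.group("mb"))
    missing = {"mode", *_KEYS.values()} - set(stats)
    if missing:
        raise ValueError(f"incomplete output, missing: {sorted(missing)}")
    return stats


def threshold_report(stats):
    """Where usage stands against each threshold, in the units FortiOS prints."""
    used = stats["used"]
    return {
        "mode": stats["mode"],
        "used_pct": 100 * used // stats["total"],   # FortiOS prints a truncated percentage
        "over_green": used >= stats["green"],
        "over_red": used >= stats["red"],
        # the extreme line is labelled 'used + freeable', so that sum is compared
        "over_extreme": used + stats["freeable"] >= stats["extreme"],
        "mb_to_red": stats["red"] - used,           # headroom before the red line (negative = past it)
    }


def alert_level(stats):
    """This example's policy: critical when the box reports conserve mode or is
    past red/extreme, warning once usage is above green, ok otherwise."""
    r = threshold_report(stats)
    if r["mode"] == "on" or r["over_red"] or r["over_extreme"]:
        return "critical"
    if r["over_green"]:
        return "warning"
    return "ok"


if __name__ == "__main__":
    s = parse_conserve(SAMPLE)
    print(threshold_report(s), alert_level(s))
```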
| #========================================================================================================================================== | |
| get system performance status Show performance usage | |
| get system performance top Show top; use SHIFT+M to sort on memory usage. | |
| get system session list Short list for session table | |
| get system status Show system status | |
| get system session list | |
| PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT | |
| As a result of the VIP (which is a static NAT), FortiGate uses the VIP external address as the NAT IP address when performing SNAT for the ingress-to-egress direction of the traffic, provided the matching outgoing firewall policy has NAT enabled. | |
| That is, FortiGate does not use the egress interface address. | |
| This is the SNAT behavior when using a static NAT VIP: when you enable NAT on a policy, the external address of a static NAT VIP takes precedence over the destination interface IP address if the source address of the connection matches the VIP internal address. | |
| #========================================================================================================================================== | |
| get vpn ipsec tunnel details Show details for IPSEC VPN tunnel | |
| get vpn ipsec tunnel summary Show summary list of IPSEC VPN tunnels | |
| diag vpn ipsec status Verify IPsec Offload to Network Processors (NP) | |
| diag vpn tunnel list | |
| npu_flag=00 Means that ingress & egress ESP packets are not offloaded | |
| npu_flag=01 Means only egress ESP packets can be offloaded, ingress ESP packets will be handled by the kernel | |
| npu_flag=02 Means only ingress ESP packets can be offloaded, egress ESP packets will be handled by the kernel | |
| npu_flag=03 Means that both ingress & egress ESP packets will be offloaded | |
| For a fast tunnel npu_flag=03 is essential | |
| #========================================================================================================================================== | |
| #schedule a firewall policy to expire after a certain period of time | |
| #CLI | |
| # show | |
| # config firewall policy | |
| # edit <Policy ID> | |
| # set policy-expiry enable | |
| # set policy-expiry-date 2022-10-03 15:45:12 | |
| # show | |
| # end | |
| The date and time format to be followed on the CLI is YYYY-MM-DD HH:MM:SS | |
| #GUI | |
| System > Feature Visibility > Workflow Management #enable | |
| #========================================================================================================================================== | |
| #set | |
| FW02 # show alertemail setting | |
| config alertemail setting | |
| set username "[email protected]" | |
| set mailto1 "[email protected]" | |
| end | |
| FW02 # | |
| #test | |
| # diagnose debug application alertmail -1 | |
| #unset | |
| FW02 # conf alertemail setting | |
| FW02 (setting) # unset username | |
| FW02 (setting) # unset mailto1 | |
| FW02 (setting) # show | |
| config alertemail setting | |
| end | |
| FW02 (setting) # end | |
| FW02 # | |
| FW02 # show alertemail setting | |
| config alertemail setting | |
| end | |
| FW02 # | |
| #options | |
| FW02 # show full alertemail setting | |
| config alertemail setting | |
| set username "[email protected]" | |
| set mailto1 "[email protected]" | |
| set mailto2 '' | |
| set mailto3 '' | |
| set filter-mode category | |
| set email-interval 5 | |
| set IPS-logs disable | |
| set firewall-authentication-failure-logs disable | |
| set HA-logs disable | |
| set IPsec-errors-logs disable | |
| set FDS-update-logs disable | |
| set PPP-errors-logs disable | |
| set sslvpn-authentication-errors-logs disable | |
| set antivirus-logs disable | |
| set webfilter-logs disable | |
| set configuration-changes-logs disable | |
| set violation-traffic-logs disable | |
| set admin-login-logs disable | |
| set FDS-license-expiring-warning disable | |
| set FSSO-disconnect-logs disable | |
| set ssh-logs disable | |
| set FDS-license-expiring-days 15 | |
| end | |
| FW02 # | |
| FW02 (setting) # set | |
| username Name that appears in the From: field of alert emails (max. 63 characters). | |
| mailto1 Email address to send alert email to (usually a system administrator) (max. 63 characters). | |
| mailto2 Optional second email address to send alert email to (max. 63 characters). | |
| mailto3 Optional third email address to send alert email to (max. 63 characters). | |
| filter-mode How to filter log messages that are sent to alert emails. | |
| email-interval Interval between sending alert emails (1 - 99999 min, default = 5). | |
| IPS-logs Enable/disable IPS logs in alert email. | |
| firewall-authentication-failure-logs Enable/disable firewall authentication failure logs in alert email. | |
| IPsec-errors-logs Enable/disable IPsec error logs in alert email. | |
| FDS-update-logs Enable/disable FortiGuard update logs in alert email. | |
| PPP-errors-logs Enable/disable PPP error logs in alert email. | |
| sslvpn-authentication-errors-logs Enable/disable SSL-VPN authentication error logs in alert email. | |
| antivirus-logs Enable/disable antivirus logs in alert email. | |
| webfilter-logs Enable/disable web filter logs in alert email. | |
| configuration-changes-logs Enable/disable configuration change logs in alert email. | |
| violation-traffic-logs Enable/disable violation traffic logs in alert email. | |
| admin-login-logs Enable/disable administrator login/logout logs in alert email. | |
| FDS-license-expiring-warning Enable/disable FortiGuard license expiration warnings in alert email. | |
| FSSO-disconnect-logs Enable/disable logging of FSSO collector agent disconnect. | |
| ssh-logs Enable/disable SSH logs in alert email. | |
| FDS-license-expiring-days Number of days to send alert email prior to FortiGuard license expiration (1 - 100 days, default = 15). | |
| #===================================================================== | |
| #chatGPT | |
| To convert a CA SSL certificate file (cer) to a CA SSL certificate file (crt), you can follow these steps: | |
| Understand the file format: Firstly, it's important to understand that both the .cer and .crt extensions are commonly used for the same type of file, which is an X.509 certificate. In many cases, these extensions are used interchangeably, and the actual file format may be the same. | |
| Verify the file format: Check the content of your .cer file to determine if it already contains the required X.509 certificate data. You can use a text editor to open the file and inspect its contents. Look for lines that start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----". If you find such lines, then your .cer file is likely already in the correct format and can be used as a .crt file without any conversion. | |
| Rename the file: If you are certain that your .cer file needs to be converted to a .crt file, you can simply rename the file by changing the extension from .cer to .crt. This is often sufficient, as the actual content and format of the file remain the same. | |
| Test the converted file: Once you have renamed the file to .crt, you can attempt to use it as a CA SSL certificate file in the desired context. For example, you can try importing the file into a server or application that requires a CA SSL certificate. If the file is recognized and accepted, then the conversion process is successful. | |
| In summary, the conversion from a .cer file to a .crt file is often as simple as renaming the file, as the content and format of the file are typically the same. However, it's important to verify the file's content and check the requirements of the target system/application to ensure compatibility. | |
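The practical check behind the steps above is to classify the file by its content, not its extension: a .cer exported from Windows is frequently binary DER, and renaming it does nothing. The Python below is an added example (not code from this gist or from Fortinet) that tells PEM from DER by parsing the outer ASN.1 SEQUENCE header, rewrites DER to PEM, and decodes a PEM chain back to DER so the result can be verified. Any input bytes mentioned in the comments are constructed, not real certificates.

```python
import base64
import textwrap

# Added example, not Fortinet's code. Classifies a certificate file by content
# (not by its .cer/.crt extension) and rewrites DER to PEM, which is all a
# ".cer to .crt conversion" actually involves when the file is not PEM already.

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def _der_sequence_length_ok(data: bytes) -> bool:
    """True if data is exactly one ASN.1 SEQUENCE (tag 0x30) whose declared
    length matches the file size; an X.509 certificate is such a SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length: one byte
        header, length = 2, first
    else:                                  # long-form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def detect_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the contents of a certificate file."""
    if PEM_HEADER.encode() in data and PEM_FOOTER.encode() in data:
        return "pem"
    if _der_sequence_length_ok(data):
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes as a PEM CERTIFICATE block (base64, 64 columns per line)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"{PEM_HEADER}\n{body}\n{PEM_FOOTER}\n".encode("ascii")


def pem_to_der(pem: bytes) -> list[bytes]:
    """Decode every CERTIFICATE block in a PEM file (a CA file may hold a chain)."""
    certs, buf, inside = [], [], False
    for line in pem.decode("ascii").splitlines():
        line = line.strip()
        if line == PEM_HEADER:
            inside, buf = True, []
        elif line == PEM_FOOTER and inside:
            certs.append(base64.b64decode("".join(buf)))
            inside = False
        elif inside and line:
            buf.append(line)
    return certs


def to_crt(data: bytes) -> bytes:
    """Produce PEM output from a .cer file whatever its encoding."""
    fmt = detect_format(data)
    if fmt == "pem":
        return data                        # already PEM: renaming the file is enough
    if fmt == "der":
        return der_to_pem(data)
    raise ValueError("input is neither a PEM nor a DER certificate")
```

Use it as `to_crt(open("ca.cer", "rb").read())` and write the bytes to ca.crt. The length check in `_der_sequence_length_ok` is what separates a real DER file from a truncated download or an HTML error page saved with a .cer name; a PKCS#7 (.p7b) bundle also starts with 0x30 but is not a bare certificate, so if import still fails after conversion, inspect the file with openssl rather than renaming again.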
| #===================================================================== | |
| #https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/497952/policy-views-and-policy-lookup | |
| In the Policy & Objects policy list page, there are two policy views: Interface Pair View and By Sequence View. | |
| By Sequence displays policies in the order in which they are checked for matching traffic, without any grouping; the first match wins, so a broad policy placed above a narrower one shadows it. | |
| Firewall policy lookup takes the source interface, protocol, source address and destination address and, for TCP/UDP, the source and destination port, | |
| and returns the policy that matches that traffic. Use this tool to find out which policy out of many matches specific traffic before relying on the policy list alone. | |
| #===================================================================== | |
| Upgrade Path Tool Table | |
| https://docs.fortinet.com/upgrade-tool | |
| v7.2.5 | |
| Upgrading FortiGates in an HA cluster | |
| https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/247944/upgrading-fortigates-in-an-ha-cluster | |
| end of life (EOL) tracking for FortiOS | |
| https://endoflife.date/fortios | |
| v7.2 | |
| Best Practices | |
| https://docs.fortinet.com/document/fortigate/7.2.0/best-practices/587898/getting-started | |
| v7.2 | |
| Hardening | |
| https://docs.fortinet.com/document/fortigate/7.2.0/best-practices/555436 | |
| Recommended Release for FortiOS (Product Family) | |
| https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-Release-for-FortiOS/ta-p/227178 | |
| #===================================================================== | |
| #upgrade logs | |
| Log & Report -> System Events -> General System Events -> Message -> "device rebooted" | |
| System - Fabric Management - Upgrade - All Upgrades #available firmware upgrades | |
| System - Fabric Management - Upgrade - All Downgrades #available firmware downgrades | |
| System - Fabric Management - Upgrade - File Upload # upload firmware to upgrade | |
| #==================================================================== | |
| v7.2 | |
| New Features | |
| https://docs.fortinet.com/document/fortigate/7.2.0/new-features/770045/overview | |
| v7.2.5 | |
| Known issues | |
| https://docs.fortinet.com/document/fortigate/7.2.5/fortios-release-notes/236526 | |
| v7.2.5 | |
| Resolved issues | |
| https://docs.fortinet.com/document/fortigate/7.2.5/fortios-release-notes/289806 | |
| #===================================================================== | |
| #use the revision feature after a configuration change to revert to a configuration previously saved in the FortiGate flash memory. | |
| #the configuration revision option lets the user keep multiple versions of the configuration file on the device (the device flash memory should be 512 MB or larger) | |
| Configuration > Revisions | |
| # flash images | |
| diagnose sys flash list | |
| # show full-configuration system global | |
| #To enable or disable auto-back up of the config when firmware is upgraded: | |
| config system global | |
| set revision-image-auto-backup enable | |
| end | |
| #To auto-create a configuration revision on logout, execute the following commands via the CLI | |
| # config system global | |
| # set revision-backup-on-logout enable | |
| # end | |
| #To check the configuration revision information | |
| execute revision list config | |
| #To delete a configuration file | |
| execute revision delete config <revision> | |
| #To delete a firmware image file (not the configuration) | |
| execute revision delete image <revision> | |
| #===================================================================== | |
| #troubleshoot fortiguard connectivity, Bard | |
| #Check DNS resolution. Make sure that the FortiGate can resolve the DNS names of FortiGuard servers. | |
| # execute ping service.fortiguard.net | |
| # execute ping update.fortiguard.net | |
| #Check connectivity to FortiGuard servers | |
| #diagnose debug rating | |
| #===================================================================== | |
| #Hetzner netscan abuse ChatGPT | |
| Blocking outgoing traffic to the private network ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 100.64.0.0/10 can have the following potential drawbacks: | |
| Impaired Communication with Local Resources: Blocking outgoing traffic to these private network ranges can prevent devices within the same network from communicating with each other. This can disrupt internal services, shared resources, and local applications that rely on local network connectivity. It can cause challenges in file sharing, printer access, inter-device communication, and other collaborative activities. | |
| Inability to Access Remote Resources: If certain remote resources or services utilize IP addresses within these private network ranges, blocking outgoing traffic can prevent access to those resources. For example, if a branch office or a partner organization uses IP addresses from these ranges, outbound connections to their resources may be restricted. This can hinder inter-organizational communication and collaboration. | |
| VPN and Remote Access Limitations: Virtual Private Networks (VPNs) often use IP addresses from private network ranges for remote access. By blocking outgoing traffic to these ranges, organizations may hinder their ability to establish VPN connections with remote employees, business partners, or satellite offices. This can impede remote work capabilities and limit secure access to critical resources. | |
| Configuration Complexity and Maintenance: Managing firewall rules to block outgoing traffic to these private network ranges requires careful configuration and ongoing maintenance. Organizations need to ensure that legitimate traffic is not inadvertently blocked and that necessary exceptions are properly defined. As network configurations evolve or new requirements arise, the firewall rules may need regular updates, adding complexity to the configuration and maintenance processes. | |
| Compliance and Compatibility Considerations: Some network protocols or applications may rely on IP addresses within these private network ranges, and blocking outgoing traffic to these ranges can impact their functionality. In certain industries or regulatory frameworks, specific applications or devices may be required to communicate over these private networks. Blocking the traffic may conflict with compliance requirements or hinder compatibility with certain systems or applications. | |
| It's crucial for organizations to carefully evaluate the potential drawbacks and weigh them against the security benefits when deciding to block outgoing traffic to these private network ranges. Consideration should be given to the specific network environment, the requirements of internal and external services, and the potential impact on productivity, collaboration, and compliance obligations. Implementing proper network segmentation and configuring firewall rules to allow necessary traffic while still maintaining security is essential for addressing these challenges effectively. | |
| #===================================================================== | |
| #Hetzner netscan abuse Bard | |
| Here are some potential drawbacks to blocking outgoing traffic to the private networks you mentioned: | |
| It can make it more difficult for users on your network to access resources on those networks. This could include things like accessing file shares, printers, or other devices that are located on those networks. | |
| If you block outgoing traffic to a private network that you need to access, you may need to make an exception for that network in your firewall settings. This can be a hassle, and it's possible that you could forget to make the exception, which could lead to security problems. | |
| Blocking outgoing traffic can impact the performance of your network. This is because the firewall will have to inspect all outgoing traffic, which can add some overhead. | |
| If you block outgoing traffic to a private network that is used for legitimate purposes, you could prevent users from being able to access those services. This could impact their productivity or cause other problems. | |
| In addition to these drawbacks, there are also some specific considerations for each of the private networks you mentioned: | |
| 10.0.0.0/8 is a common private network range used by businesses and organizations. Blocking outgoing traffic to this range could prevent users from accessing resources on their company's network, such as file shares or printers. | |
| 172.16.0.0/12 is another common private network range used by businesses and organizations. Blocking outgoing traffic to this range could have similar impacts as blocking outgoing traffic to 10.0.0.0/8. | |
| 192.168.0.0/16 is the most common private network range used by home networks. Blocking outgoing traffic to this range could prevent users from accessing resources on their home network, such as file shares or printers. | |
| 100.64.0.0/10 is a less common private network range, but it is still used by some businesses and organizations. Blocking outgoing traffic to this range could have similar impacts as blocking outgoing traffic to the other private networks mentioned. | |
| Ultimately, the decision of whether or not to block outgoing traffic to these private networks is a security trade-off. You need to weigh the risks and benefits carefully before making a decision. | |
| #===================================================================== | |
| #Hetzner netscan abuse Bard | |
| The four private networks you mentioned, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 100.64.0.0/10, are all reserved for private use. This means that they are not routable on the public internet. If you try to send traffic to one of these networks from the public internet, it will be blocked by your firewall. | |
| There are a few reasons why you might want to block outgoing traffic to private networks. First, it can help to protect your network from malware. Malware can often spread by infecting computers on a private network and then using those computers to send malicious traffic to other networks. By blocking outgoing traffic to private networks, you can help to prevent this type of attack. | |
| Second, blocking outgoing traffic to private networks can help to protect sensitive data. If your network contains sensitive data, such as financial information or customer records, you may want to block outgoing traffic to private networks to prevent unauthorized users from accessing that data. | |
| Finally, blocking outgoing traffic to private networks can help you to comply with regulations. Some regulations, such as HIPAA and PCI DSS, require organizations to protect sensitive data. By blocking outgoing traffic to private networks, you can help to comply with these regulations. | |
| Of course, there are also some potential drawbacks to blocking outgoing traffic to private networks. For example, it can make it more difficult for users on your network to access resources on private networks. Additionally, if you block outgoing traffic to a private network that you need to access, you may need to make an exception for that network in your firewall settings. | |
| Ultimately, the decision of whether or not to block outgoing traffic to private networks is a security trade-off. You need to weigh the risks and benefits carefully before making a decision. | |
| #===================================================================== | |
| #Hetzner netscan abuse ChatGPT | |
| Outgoing traffic to the private network ranges you mentioned (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 100.64.0.0/10) is typically blocked in firewalls for several reasons: | |
| Private IP Addressing: These IP address ranges are reserved for private networks as defined by the Internet Engineering Task Force (IETF). Private IP addresses are not routable on the public internet, and their use is intended for internal networks. Blocking outgoing traffic to these ranges helps enforce the separation between private and public networks. | |
| Network Segmentation: Organizations often use private IP address ranges to segment their internal networks. By blocking outgoing traffic to these ranges, they maintain strict control over the flow of traffic between different segments. This helps reduce the attack surface and prevents unauthorized access or communication between different internal networks. | |
| Preventing IP Spoofing: IP spoofing is a technique where an attacker forges the source IP address of a packet to make it appear as if it originated from a different network. By blocking outgoing traffic to private IP ranges, organizations can mitigate the risk of IP spoofing attacks originating from within their network, as such traffic would be dropped at the firewall. | |
| Internet Standards and Best Practices: The IP address ranges you mentioned (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 100.64.0.0/10) are reserved for private networks by the Internet Assigned Numbers Authority (IANA) and are widely recognized and implemented in networking standards and best practices. Blocking outgoing traffic to these ranges aligns with industry norms and helps ensure network compatibility and interoperability. | |
| Address Space Conservation: The private IP address ranges were specifically designated to conserve IPv4 address space. By using private IP addressing, organizations can reuse the same IP ranges internally without requiring unique public IP addresses for every device. Blocking outgoing traffic to these ranges helps maintain address space integrity and avoids conflicts with public IP addresses. | |
| It's worth noting that while outgoing traffic to these private network ranges is typically blocked, there may be specific scenarios where allowing outbound connections to certain subnets within these ranges is required, such as for interconnecting branch offices or VPN connections. In such cases, firewall rules can be configured to permit the necessary traffic while still maintaining security controls and policies. | |
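What the answers above describe in prose comes down to policy order: a FortiGate evaluates policies top-down and stops at the first match, so a "deny outbound to private ranges" policy only works if it sits above the general internet accept policy, and any exception (a partner subnet reached through the same egress, for instance) must sit above the deny. The Python below is an added example, not FortiOS code and not part of this gist: a first-match model of policy lookup using the four ranges discussed (RFC 1918 plus the 100.64.0.0/10 shared address space), the TRUST/UNTRUST interface names used earlier in this file, and constructed IP addresses, policy IDs and an assumed partner subnet of 10.200.0.0/16.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not FortiOS code: a first-match model of FortiGate policy
# lookup, used to show where a "deny outbound to private ranges" policy must
# sit. TRUST/UNTRUST, the policy IDs, 10.200.0.0/16 and all test IPs are
# constructed for illustration.

PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


@dataclass
class Policy:
    policyid: int
    name: str
    srcintf: str
    dstintf: str
    action: str                                   # "accept" or "deny"
    srcaddr: list = field(default_factory=list)   # empty list means "all"
    dstaddr: list = field(default_factory=list)   # empty list means "all"


def _addr_match(ip, networks):
    return not networks or any(ip in net for net in networks)


def lookup(policies, srcintf, dstintf, src, dst):
    """Return the first policy in sequence that matches the flow, or None for the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and _addr_match(src_ip, p.srcaddr) and _addr_match(dst_ip, p.dstaddr)):
            return p
    return None


def verdict(policies, srcintf, dstintf, src, dst):
    p = lookup(policies, srcintf, dstintf, src, dst)
    return f"{p.action} by policy {p.policyid} ({p.name})" if p else "deny (implicit)"


def shadowed(policies):
    """IDs of policies that can never match because an any/any policy for the
    same interface pair is evaluated before them."""
    catch_all_seen, out = set(), []
    for p in policies:
        pair = (p.srcintf, p.dstintf)
        if pair in catch_all_seen:
            out.append(p.policyid)
        elif not p.srcaddr and not p.dstaddr:
            catch_all_seen.add(pair)
    return out


VPN_PEER = [ipaddress.ip_network("10.200.0.0/16")]   # constructed partner subnet

ALLOW_VPN = Policy(10, "allow-vpn-peer", "TRUST", "UNTRUST", "accept", dstaddr=VPN_PEER)
DENY_PRIV = Policy(11, "deny-private-ranges", "TRUST", "UNTRUST", "deny", dstaddr=PRIVATE_RANGES)
ALLOW_OUT = Policy(12, "allow-internet", "TRUST", "UNTRUST", "accept")

CORRECT_ORDER = [ALLOW_VPN, DENY_PRIV, ALLOW_OUT]   # exception, then deny, then catch-all
WRONG_ORDER = [ALLOW_OUT, DENY_PRIV, ALLOW_VPN]     # catch-all first: the deny never fires
```

`lookup()` returns None for the implicit deny, and `shadowed()` lists policies that can never match because an any/any policy for the same interface pair precedes them. On a real FortiGate the same ordering problem is what the By Sequence view and the policy lookup tool exist to reveal; the deny policy should also have logging enabled so that a host scanning private ranges (the situation behind a netscan abuse report) shows up in the traffic log.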
| #===================================================================== | |
| #username case sensitivity check | |
| #User & Authentication > User Definition | |
| By default, remote LDAP and RADIUS user names are case sensitive. | |
| When a remote user object is applied to SSL VPN authentication, the user has to type the exact case that is used in the user definition on the FortiGate. | |
| Case sensitivity can be disabled with the 'set username-case-sensitivity' CLI command, allowing the remote user object to match whatever case the end user types at login. | |
| To disable case sensitivity for an individual user, use the following commands: | |
| config user local | |
| edit "<name>" | |
| set type password | |
| set username-case-sensitivity disable/enable | |
| end | |
| #===================================================================== | |
| Denial of service (DoS) | |
| If you have an idea of your traffic rates for the preceding traffic patterns, you may adjust the threshold. Otherwise, begin with the default and adjust after a period of observing normal traffic. | |
| https://docs.fortinet.com/document/fortigate/7.2.0/best-practices/555436/hardening#DoS | |
| #===================================================================== | |
| The ses-denied-traffic and block-session-timer are not effective at blocking denial of service attacks. | |
| https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-denied-session-to-be-added-into-the/ta-p/195478?externalID=FD46328 | |
| #===================================================================== | |
| The CLI commands below configure how a FortiGate running FortiOS handles sessions that a policy has denied: | |
| config system settings | |
| set ses-denied-traffic enable: adds denied sessions to the session table. Without it no session is created for denied traffic, so every further packet of that flow goes through policy lookup again; with it, later packets hit the cached deny entry and are dropped without re-evaluation. It does not by itself log denied traffic; that is controlled by the logtraffic setting on the policy. | |
| config system global | |
| set block-session-timer 30: sets how long, in seconds (1 - 300, default 30), a denied session stays in the session table before it is removed. It is not a DoS threshold; it only bounds the lifetime of the cached deny entries. | |
| These settings affect session-table usage and CPU load for repetitive denied traffic; as the Fortinet KB article above notes, they are not a DoS protection mechanism. Their actual impact depends on the rest of the configuration and the security policies in place. | |
| #===================================================================== | |
| The CLI commands on FortiOS: | |
| config system settings | |
| set ses-denied-traffic enable | |
| end | |
| config system global | |
| set block-session-timer 30 | |
| end | |
| will result in the following: | |
| ses-denied-traffic enable: the FortiGate adds denied sessions to the session table. This saves CPU, because the FortiGate no longer has to reassess whether or not to deny each packet of an already-denied flow individually. | |
| block-session-timer 30: denied sessions are removed from the session table after 30 seconds. | |
| Together the two settings trade a small amount of session-table memory for lower CPU use on repetitive denied traffic (for example a host that keeps retrying a blocked connection); they do not protect against DoS attacks. | |
| config system settings / end and config system global / end enter and leave the respective configuration scopes. | |
| #===================================================================== | |
| By default the authentication timeout is set to 5 minutes. | |
| FGT# show full-configuration user setting | |
| set auth-timeout 5 | |
| The authentication timeout can be changed globally. | |
| FG100D3G16xxxxxx # config user setting | |
| FG100D3G16xxxxxx (setting) # set auth-timeout | |
| <timeout_integer> The auth time-out range is 1-1440 minutes (24 hours) | |
| FG100D3G16xxxxxx (setting) # end | |
| By default all user groups use the global auth timeout value. In case this value is to be changed for a particular user group, use: | |
| FG100D3G16xxxxxx # config user group | |
| FG100D3G16xxxxxx (group) # edit Guest-group | |
| FG100D3G16xxxxxx (Guest-group) # set authtimeout | |
| <integer> The auth time-out range is 0-1440 minutes (0 = use global authtimeout value) | |
| FG100D3G16xxxxxx (Guest-group) # end | |
| The 'auth-timeout-type' global setting controls how the authentication entry is removed. | |
| # config user setting | |
| set auth-timeout-type ? | |
| idle-timeout Idle timeout. | |
| hard-timeout Hard timeout. | |
| new-session New session timeout. | |
| By default, authentication timeout type is set to "idle-timeout". | |
| Idle timeout: the user entry is removed if no traffic is received for the configured idle time (5 minutes by default); traffic from the user's IP restarts the timer. | |
| Hard timeout: the user entry is removed when the timeout elapses, regardless of traffic. | |
| New session timeout: after the timeout elapses, sessions that are already established continue, but any new session from the user requires re-authentication. | |
| Example | |
| User1 authenticated by identity based policy and granted to access resources. | |
| Now the User1 idle timer can be triggered if no traffic is received from the user, which can happen in one of the following scenarios: | |
| - User locked the computer | |
| - User logged out of the computer. | |
| - User PC disconnected from network. | |
| - User PC shutdown or put to standby mode. | |
| If there is no traffic received from the user IP address for the configured auth-timeout (5 minutes by default), user authentication entry will be removed. | |
| If the user tries to access resources now, FortiGate will prompt the user to authenticate again. | |
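To make the difference between the three auth-timeout-type values concrete, here is an added Python model (not FortiOS code, not part of this gist) of a single authenticated-user entry with the 5-minute default. Times are minutes after authentication and the traffic timelines are constructed; the locked-computer scenario from the list above corresponds to a timeline in which traffic simply stops.

```python
from dataclasses import dataclass

# Added example, not FortiOS code: a small model of the three auth-timeout-type
# behaviours. Times are minutes after authentication, with the 5-minute default
# quoted above; the traffic timelines passed to run_timeline are constructed.


@dataclass
class AuthEntry:
    user: str
    timeout: int               # minutes, as in 'set auth-timeout' / group 'authtimeout'
    timeout_type: str          # "idle-timeout", "hard-timeout" or "new-session"
    auth_at: float = 0.0       # minute at which the user authenticated
    last_traffic: float = 0.0  # minute of the last packet seen from the user's IP
    removed: bool = False      # entry already purged from the authenticated-user list

    def expired(self, now: float) -> bool:
        """Has the entry been, or should it now be, removed?"""
        if self.removed:
            return True
        if self.timeout_type == "idle-timeout":
            return now - self.last_traffic >= self.timeout
        if self.timeout_type in ("hard-timeout", "new-session"):
            return now - self.auth_at >= self.timeout
        raise ValueError(f"unknown auth-timeout-type {self.timeout_type!r}")

    def traffic(self, now: float) -> None:
        """Packet seen from the user's IP. Only idle-timeout is refreshed, and only
        if the entry has not already aged out before this packet arrived."""
        if self.expired(now):
            self.removed = True
            return
        self.last_traffic = now


def must_reauthenticate(entry: AuthEntry, now: float, new_session: bool) -> bool:
    """Would the FortiGate prompt the user again for a packet arriving at `now`?"""
    if entry.timeout_type == "new-session" and not new_session:
        return False  # established sessions keep flowing after the timeout
    return entry.expired(now)


def run_timeline(timeout_type: str, traffic_minutes, probe_at: float,
                 new_session: bool = True) -> bool:
    """User1 authenticates at minute 0, sends traffic at the given minutes, and a
    packet is then checked at probe_at. Returns True if re-authentication is needed."""
    entry = AuthEntry("User1", timeout=5, timeout_type=timeout_type)
    for t in sorted(m for m in traffic_minutes if m <= probe_at):
        entry.traffic(t)
    return must_reauthenticate(entry, probe_at, new_session)
```

With idle-timeout a user who locks the computer at minute 3 is prompted again from minute 8; with hard-timeout the same user is prompted at minute 5 even while actively browsing; with new-session the browsing session survives minute 5 but the next new connection triggers a prompt. The group-level authtimeout simply replaces the `timeout=5` value for members of that group.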
| #===================================================================== | |
| #troubleshooting | |
| "Unable to Connect to FortiManager " | |
| FW02 # diagnose fdsm central-mgmt-status | |
| Connection status: Down | |
| Registration status: Unknown | |
| #===================================================================== | |
| #Bard | |
| you have a firewall policy from trust zone to untrust zone on fortigate firewall which has source to all, internet service to blockchaing-crypto.mining.pool , action to deny set. explain this policy | |
| The firewall policy you have configured blocks all traffic from the trust zone to the internet service blockchaing-crypto.mining.pool. This means that no devices in the trust zone will be able to access the cryptocurrency mining pool at that domain name. | |
| This policy is typically used to prevent devices in the trust zone from being infected with malware or from being used to mine cryptocurrency without the permission of the network administrator. | |
| Here is a breakdown of the policy: | |
| Source: All - This means that the policy applies to all devices in the trust zone. | |
| Internet service: blockchaing-crypto.mining.pool - This is the domain name that you want to block traffic to. | |
| Action: Deny - This means that all traffic to the destination domain name will be blocked. | |
| This policy can be useful for a number of reasons, including: | |
| To prevent devices in the trust zone from being infected with malware. Cryptocurrency mining pools are a common target for malware attacks. By blocking traffic to cryptocurrency mining pools, you can help to protect your network from malware infections. | |
| To prevent devices in the trust zone from being used to mine cryptocurrency without the permission of the network administrator. Cryptocurrency mining can be a resource-intensive process and it can also generate heat and noise. If you do not want users to mine cryptocurrency on your network, you can block traffic to cryptocurrency mining pools. | |
| To comply with organizational policies. Some organizations have policies that prohibit cryptocurrency mining on their networks. By blocking traffic to cryptocurrency mining pools, you can help to ensure that your organization is complying with its own policies. | |
| It is important to note that blocking all traffic to a particular domain name can have unintended consequences. For example, if the domain name belongs to a legitimate website or service that your users need to access, you will need to create a separate policy to allow traffic to that domain name. | |
| #===================================================================== | |
| you configure a firewall policy from trust zone to untrust zone on fortigate firewall.you set source to all. you set destination to blockchaing-crypto.mining.pool .you set action deny. explain this policy | |
| The firewall policy you have configured blocks all traffic from the trust zone to the destination IP address blockchaing-crypto.mining.pool. This means that no devices in the trust zone will be able to access the cryptocurrency mining pool at that IP address. | |
| This policy is typically used to prevent devices in the trust zone from being infected with malware or from being used to mine cryptocurrency without the permission of the network administrator. | |
| Here is a breakdown of the policy: | |
| Source: All - This means that the policy applies to all devices in the trust zone. | |
| Destination: blockchaing-crypto.mining.pool - This is the IP address block that you want to block traffic to. | |
| Action: Deny - This means that all traffic to the destination IP address will be blocked. | |
| You can configure this policy on a FortiGate firewall by following these steps: | |
| Go to Policy & Objects > Firewall Policies. | |
| Click on Create New. | |
| Enter a name for the policy and select the trust zone as the source zone and the untrust zone as the destination zone. | |
| In the Services section, select ALL. | |
| In the Action section, select Deny. | |
| Click on OK to save the policy. | |
| Once you have saved the policy, it will be applied to the firewall and all traffic from the trust zone to the destination IP address will be blocked. | |
| Note: It is important to note that blocking all traffic to a particular IP address can have unintended consequences. For example, if the IP address belongs to a legitimate website or service that your users need to access, you will need to create a separate policy to allow traffic to that IP address. | |
| Additional notes: | |
| The internet service field in a FortiGate firewall policy is used to match traffic based on the destination domain name. It is different from the destination IP address field, which is used to match traffic based on the destination IP address. | |
| The blockchaing-crypto.mining.pool domain name is associated with cryptocurrency mining. Cryptocurrency mining is the process of verifying transactions and adding new blocks to a blockchain. Cryptocurrency miners are rewarded with cryptocurrency for their work. | |
| It is important to note that cryptocurrency mining can be a resource-intensive process. It can also generate heat and noise. For these reasons, some organizations choose to block cryptocurrency mining on their networks. | |
| #===================================================================== | |
| The firewall policy described is a rule configured on a FortiGate firewall. Its elements are: | |
| Policy Name: no name is given, but policies should carry a name that states their purpose for easier management. | |
| Source Zone: the "trust zone", where trusted devices or networks are located. The policy applies to traffic initiated from this zone. | |
| Source: "all", so traffic from any device or IP address within the trust zone is matched. | |
| Destination Zone: the "untrust zone", where untrusted or external networks reside. | |
| Destination: "blockchaing-crypto.mining.pool". The name refers to an Internet Service object, which FortiGate matches using the IP addresses and ports published in the FortiGuard Internet Service Database, not a domain name; any traffic from the trust zone to that destination is matched. | |
| Action: "deny", so matching traffic from the trust zone is blocked by the firewall. | |
| In summary, this policy prevents any device in the trust zone from reaching the crypto mining pool destination in the untrust zone, most likely to stop unauthorized cryptocurrency mining from inside the trusted network. Because FortiGate evaluates policies in sequence, this deny must sit above any broader accept policy for the same interface pair, or it will never match. | |
#=====================================================================
Using Dynamic NAT With IP Pools
IP pools are used to translate the source address to an address from the pool, rather than to the egress interface address.
#=====================================================================
#notification
Make sure to have a working WAN link to send out the email.
Do a test ping to the default mail server: notification.fortinet.net
Fortigate# exe ping notification.fortinet.net
When a custom email server is configured on the FortiGate for sending emails (for example FortiToken activation emails or email alerts), the emails may not be received on the user side.
default settings
Fortigate# get system email-server
#=====================================================================
# diagnose fortitoken ?
info Show current drift and status for each FortiToken.
test Test FortiToken with screen setting for drift of internal clock.
debug Debug enable/disable
# diag fortitoken info
# show user fortitoken
#=====================================================================
FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.
In this scenario, what are two requirements for the VLAN ID? (Choose two.)
A. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
C. The two VLAN subinterfaces must have different VLAN IDs.
D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
#ChatGPT
The correct requirements for VLAN IDs in the described scenario are:
C. The two VLAN subinterfaces must have different VLAN IDs.
D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
In a FortiGate firewall operating in NAT mode with multiple VLAN subinterfaces on the same physical interface, each VLAN subinterface should have a unique VLAN ID to distinguish between the different VLANs. Additionally, if two VLAN subinterfaces have the same VLAN ID, they can coexist on the same physical interface only if they have IP addresses in different subnets.
#Bard
C. The two VLAN subinterfaces must have different VLAN IDs.
D. The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
Here's why:
A. Incorrect: Two VLAN subinterfaces on the same physical interface cannot have the same VLAN ID even if they belong to the same subnet. Each VLAN represents a separate broadcast domain, and having duplicate IDs would lead to confusion and potential network issues.
B. Incorrect: While VDOMs (Virtual Domains) provide separate management domains within a FortiGate unit, they don't impact the requirement for unique VLAN IDs on the same physical interface. Each VLAN still needs a distinct identifier regardless of VDOM association.
C. Correct: This principle ensures each VLAN subinterface on the same physical interface operates as a distinct broadcast domain. Without unique IDs, network traffic wouldn't know which VLAN to reach, leading to connectivity problems and potential security vulnerabilities.
D. Correct: However, there's a specific scenario where duplicate VLAN IDs are allowed: only if the subinterfaces have IP addresses in different subnets. This enables communication between separate networks while leveraging the same physical interface. Remember, even though the VLAN IDs are the same, the different subnet masks ensure traffic remains segregated within each network.
Conclusion:
Unique VLAN IDs are crucial for proper network segmentation and communication with VLAN subinterfaces on the same physical interface.
Identical VLAN IDs are only permissible when paired with distinct subnet masks on the subinterfaces, creating logically separate network segments.
By understanding these requirements, you can effectively configure and manage VLANs on your FortiGate firewall, ensuring seamless and secure network operation.
#=====================================================================
In a FortiGate firewall operating in NAT mode, VLAN subinterfaces are often used to segregate network traffic logically. The statement implies that two VLAN subinterfaces with the same VLAN ID are allowed as long as they have IP addresses in different subnets. This scenario is commonly used to enable different IP subnets on the same VLAN, allowing for better network segmentation.
Here's an explanation with examples:
Consider a physical interface, for example "port1," configured with two VLAN subinterfaces:
VLAN ID: 10
Subinterface IP: 192.168.1.1/24
Subnet: 192.168.1.0/24
VLAN ID: 10
Subinterface IP: 192.168.2.1/24
Subnet: 192.168.2.0/24
In this example, both VLAN subinterfaces have the same VLAN ID (10), but they operate in different IP subnets (192.168.1.0/24 and 192.168.2.0/24). The VLAN ID is used to logically separate the traffic, and the distinct subnets ensure that devices on VLAN 10 with addresses in 192.168.1.0/24 are kept separate from devices with addresses in 192.168.2.0/24.
This configuration allows the FortiGate firewall to handle multiple IP subnets on the same VLAN, facilitating network segmentation while using the same VLAN ID for organizational purposes. It's a common practice in environments where VLAN IDs are used primarily for logical separation and IP addresses are used to define the different subnets.
#=====================================================================
In FortiGate's NAT mode, two virtual LAN (VLAN) subinterfaces on the same physical interface can have the same VLAN ID only if they have IP addresses in different subnets. Here's why:
Understanding VLAN Subinterfaces:
Imagine a physical interface like a highway with multiple lanes. Each lane can represent a separate VLAN subinterface, carrying traffic for a specific VLAN.
VLAN IDs act like traffic signs, identifying which lane belongs to which VLAN.
Requirement for Different Subnets:
When NAT mode is enabled, the FortiGate needs to distinguish between traffic originating from different VLANs even if they share the same VLAN ID.
Different subnet addresses provide this distinction. Each VLAN subinterface acts as a separate network, and their subnets ensure routing and NAT functions work correctly.
Example:
Consider a physical interface with two VLAN subinterfaces:
VLAN 10 with subnet 10.0.1.0/24
VLAN 20 with subnet 10.0.2.0/24
Both subinterfaces have the same VLAN ID (100), but their different subnets allow the FortiGate to:
Route traffic for each VLAN to its intended destination.
Apply separate NAT rules based on the source subnet, ensuring traffic from each VLAN is translated appropriately.
Consequences of Same Subnet:
If both VLAN subinterfaces had the same subnet (e.g., 10.0.1.0/24), the FortiGate would face ambiguity:
It wouldn't know which VLAN the traffic originated from.
NAT rules wouldn't work properly, potentially causing connectivity issues or security vulnerabilities.
Key Points:
The same VLAN ID for subinterfaces is allowed in NAT mode, but different subnets are mandatory.
Subnets provide essential information for routing and NAT, ensuring each VLAN operates as a distinct network.
This configuration enables efficient network management and security within a single physical interface.
I hope this explanation clarifies the requirement for different subnets when using the same VLAN ID on FortiGate VLAN subinterfaces in NAT mode!
#=====================================================================
An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must
also allow other websites in the same category.
Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as the destination address.
#=====================================================================
#Permanent trial mode for FortiGate-VM
get sys stat
Version: FortiGate-VM64 v7.2.1,build1242,220715 (interim)
...
Serial-Number: FGVMEVNXFLTGKOBC
License Status: Invalid
VM Resources: 1 CPU/1 allowed, 2007 MB RAM/2048 MB allowed
#=====================================================================
FortiGate Memory Threshold Settings and Example Scenarios:
The provided configuration defines three important thresholds for FortiGate memory usage:
memory-use-threshold-red: This sets the memory usage level at which the firewall enters conserve mode. In this configuration, it's set to 88%.
memory-use-threshold-extreme: This sets the level at which the firewall starts dropping new sessions to conserve memory. Here, it's set to 95%.
memory-use-threshold-green: This level signifies normal operation and is the point at which the firewall exits conserve mode. It's set to 82%.
Example Scenarios:
Normal Operation (Memory below 82%): The firewall operates normally, using all available memory for its functions.
Memory Usage Increases (82% - 88%): Memory usage crosses the green threshold. The firewall is still fully functional, but monitor resource usage and optimize if necessary to avoid reaching the higher thresholds.
Conserve Mode (88% - 95%): Memory usage reaches the red threshold. The firewall enters conserve mode, which includes:
Disabling non-essential features such as the antivirus transparent proxy.
Reducing logging verbosity.
Prioritizing existing connections over new ones.
Showing a conserve mode banner in the GUI.
Critical State (Above 95%): Memory usage reaches the extreme threshold. The firewall starts dropping new sessions to free up memory, impacting new connections and network functionality. This is a critical situation requiring immediate action to free up memory.
Understanding the Impact:
Setting lower thresholds triggers conserve mode earlier, potentially impacting performance even under moderate memory usage, but it provides a cushion against reaching the critical extreme threshold.
Setting higher thresholds allows the firewall to use more memory before taking action, offering better performance but risking reaching the critical state faster.
Recommendations:
Monitor memory usage regularly and adjust thresholds based on your specific needs and risk tolerance.
Identify and address memory leaks or resource-intensive processes.
Consider adding more RAM if memory usage consistently reaches high levels.
Understand the impact of conserve mode on your network functionality and have mitigation strategies in place.
By understanding these settings and their implications, you can effectively manage memory usage on your FortiGate firewall and ensure optimal performance and security.
#=====================================================================
The configuration settings you provided are related to memory usage thresholds on a FortiGate firewall. These settings monitor the device's memory consumption and trigger alerts or actions based on predefined thresholds. Let's break down each setting:
memory-use-threshold-red:
This sets the memory usage threshold for the "Red" state, indicating a critical level of memory usage.
In the example, it is set to 88%.
memory-use-threshold-extreme:
This sets the memory usage threshold for the "Extreme" state, indicating an extremely high level of memory usage.
In the example, it is set to 95%.
memory-use-threshold-green:
This sets the memory usage threshold for the "Green" state, indicating a normal or acceptable level of memory usage.
In the example, it is set to 82%.
These settings are part of the global system configuration on FortiGate and are used for monitoring and alerting purposes. Here are some scenarios explaining the significance of these settings:
Normal Operation (Green):
Memory usage is below 82%.
No immediate action is taken, as the memory usage is considered acceptable.
Warning State (Yellow):
Memory usage is between 82% and 88%.
The firewall enters the "Yellow" state, indicating a warning.
Administrators may receive alerts to monitor the situation closely.
Critical State (Red):
Memory usage is between 88% and 95%.
The firewall enters the "Red" state, indicating a critical condition.
Alerts are escalated, and administrators are notified for immediate attention.
System performance may start to degrade.
Extreme State:
Memory usage is above 95%.
The firewall enters the "Extreme" state, indicating an extremely high level of memory usage.
Immediate action is required, and administrators may need to intervene to address the issue.
System stability is at risk, and critical functions may be impacted.
These thresholds allow administrators to proactively monitor the health of the FortiGate firewall and take appropriate action based on the severity of the memory usage, identifying potential issues before they cause major disruptions to the firewall's performance.
#=====================================================================
define memory and CPU usage thresholds:
config system global
set cpu-use-threshold <percent>
set memory-use-threshold-extreme <percent>
set memory-use-threshold-green <percent>
set memory-use-threshold-red <percent>
end
cpu-use-threshold
Threshold at which CPU usage is reported, in percent of total possible CPU utilization (default = 90).
memory-use-threshold-extreme
Threshold at which memory usage is considered extreme, and new sessions are dropped, in percent of total RAM (default = 95).
memory-use-threshold-green
Threshold at which memory usage forces the FortiGate to exit conserve mode, in percent of total RAM (default = 82).
memory-use-threshold-red
Threshold at which memory usage forces the FortiGate to enter conserve mode, in percent of total RAM (default = 88).
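As an added example (not from the gist or from Fortinet), the following Python models the enter/exit hysteresis these thresholds describe: a unit that crossed red stays in conserve mode until usage falls below green, and new sessions are dropped only above extreme. It also rejects a threshold ordering that makes no operational sense before it is rendered as the CLI block above; the usage readings are constructed.

```python
# Added example, not from the gist or Fortinet. Models the conserve-mode
# behaviour described for memory-use-threshold-green/red/extreme so a
# threshold change can be reasoned about offline; the usage samples below
# are constructed, not taken from a real unit.
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class MemoryThresholds:
    green: int = 82    # exit conserve mode once usage falls below this (default)
    red: int = 88      # enter conserve mode at or above this (default)
    extreme: int = 95  # new sessions are dropped at or above this (default)

    def validate(self) -> None:
        # Only a strict green < red < extreme ordering gives the hysteresis
        # the docs describe; anything else is rejected before it reaches a box.
        if not (0 < self.green < self.red < self.extreme <= 100):
            raise ValueError(
                f"need 0 < green < red < extreme <= 100, got {self}")

    def to_cli(self) -> str:
        """Render the 'config system global' block from the cheat sheet."""
        self.validate()
        return "\n".join([
            "config system global",
            f"    set memory-use-threshold-green {self.green}",
            f"    set memory-use-threshold-red {self.red}",
            f"    set memory-use-threshold-extreme {self.extreme}",
            "end",
        ])


def simulate(th: MemoryThresholds,
             usage_pct: Iterable[int]) -> List[Tuple[int, bool, bool]]:
    """Replay memory-usage readings; return (pct, in_conserve, dropping_new)."""
    th.validate()
    conserve = False
    trace = []
    for pct in usage_pct:
        if pct >= th.red:
            conserve = True           # red reached: enter conserve mode
        elif pct < th.green:
            conserve = False          # below green: leave conserve mode
        # Between green and red the state is kept: a unit that was already in
        # conserve mode stays there until usage drops under green.
        dropping = pct >= th.extreme  # extreme: new sessions are refused
        trace.append((pct, conserve, dropping))
    return trace


if __name__ == "__main__":
    defaults = MemoryThresholds()
    print(defaults.to_cli())
    for pct, conserve, dropping in simulate(defaults, [70, 85, 90, 85, 96, 80]):
        print(f"{pct:3d}%  conserve={conserve}  dropping_new_sessions={dropping}")
```

Note that 85% appears twice in the sample run and yields a different state each time, which is exactly the hysteresis the "82% - 88%" descriptions above gloss over.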
#=====================================================================
#check the total number of TCP sessions for an IP pool named INTERNAL
diagnose firewall ippool-all stats INTERNAL
#Lists all the configured NAT IP pools with NAT IP range and type
diagnose firewall ippool-all list
#=====================================================================
#show configured session helpers
show system session-helper
#=====================================================================
#Shows authenticated users, associated groups and their IP address
diagnose firewall auth list
#Clears all authorized users from the current list
diagnose firewall auth clear
#=====================================================================
#the amount of reserved space on your FortiGate
diagnose sys logdisk usage
#=====================================================================
Check the FortiGuard website for the latest antivirus database version
https://fortiguard.com/updates/antivirus
diagnose debug application update -1
# diagnose debug enable
# execute update-av
# get system performance status
# diagnose antivirus database-info
# diagnose autoupdate versions
# diagnose antivirus test "get scantime"
# execute update-av
#=====================================================================
# create multiple IP address objects on a FortiGate firewall through the Command Line Interface (CLI)
Enter Configuration Mode:
config firewall address
Create IP Address Objects:
For each IP address object, use the following commands:
edit RAC_1
set subnet 172.18.12.13 255.255.255.255
next
Review Configuration:
show firewall address
#=====================================================================
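Added example (not from the gist): a small Python generator that emits the `config firewall address` block above for a whole batch of objects, validating each entry with the standard-library `ipaddress` module so that a bare host becomes a /32 like RAC_1 and a CIDR with host bits set is rejected instead of silently widened. The object names and addresses are constructed.

```python
# Added example, not from the gist. Generates the 'config firewall address'
# block shown above for a whole batch of objects, validating each entry
# with the standard-library ipaddress module before anything is pasted into
# the CLI. The object names and addresses below are constructed.
import ipaddress
from typing import Dict


def address_objects_cli(objects: Dict[str, str]) -> str:
    """Map of object name -> IPv4 host or CIDR, returned as a CLI block.

    A bare host such as 172.18.12.13 becomes a /32 (255.255.255.255), exactly
    like the RAC_1 example; a CIDR with host bits set (10.0.0.5/24) is
    rejected rather than silently widened to 10.0.0.0/24.
    """
    lines = ["config firewall address"]
    seen = set()
    for name, target in objects.items():
        if not name or name in seen:
            raise ValueError(f"empty or duplicate object name: {name!r}")
        seen.add(name)
        try:
            net = ipaddress.ip_network(target, strict=True)
        except ValueError as exc:
            raise ValueError(f"{name}: {exc}") from None
        if net.version != 4:
            raise ValueError(f"{name}: the 'set subnet' form shown is IPv4 only")
        lines += [
            f'    edit "{name}"',
            f"        set subnet {net.network_address} {net.netmask}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    print(address_objects_cli({
        "RAC_1": "172.18.12.13",      # single host -> /32
        "RAC_2": "172.18.12.14",
        "LAN_USERS": "10.10.0.0/16",  # whole subnet
    }))
```

The output can be pasted into the CLI as-is and then checked with `show firewall address`.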