Fortigate – adding additional IPs for PPPoE connections

Here in Australia ISPs commonly route a block of extra public IPs to a PPPoE connection. Because the address on the PPPoE interface itself is assigned dynamically, you can't add the extra addresses as a "secondary IP" on the interface the way you would with a static connection.

So what do you need to do?

Configure an IP pool!

  1. Go to Policy & Objects > Objects > IP Pools
  2. Choose IPv4 or IPv6 and give the pool a name
  3. Leave the type as Overload (unless you have a requirement to use one of the other types)
  4. Enter the additional IPs your ISP routed to you
    Configuring IP Pools in GUI
  5. With the pool in place the additional IPs are usable: outbound policies can source-NAT behind them (enable NAT on the policy and select the pool), and inbound services are published with VIPs whose external address is one of those IPs. Configure your VIPs, VIP groups and policies accordingly, and of course test!
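As an added example (not from the original post, and not the author's own config), here is the same setup done in the CLI, which also makes clear what each object is for: the IP pool lets outbound connections use the routed block, while the VIP is what actually publishes an inbound service on one of those addresses. The interface names wan1 and internal, the 203.0.113.8/29 block, the server address 10.0.0.10 and the object names are all assumptions:

```text
# Added example, not the original post's config.
# Assumptions: PPPoE runs on wan1, the ISP routes 203.0.113.8/29 to the
# session, the web server is 10.0.0.10 behind "internal".
config firewall ippool
    edit "ISP-block"
        set type overload
        set startip 203.0.113.9
        set endip 203.0.113.14
    next
end

# Inbound: publish only HTTPS, on one routed address, to one host.
# A VIP without portforward would expose every port of the mapped host.
config firewall vip
    edit "web-https"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip 10.0.0.10
        set mappedport 443
    next
end

config firewall policy
    # WAN -> web server: only the published service, logged
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # LAN -> Internet: source-NAT behind the routed block rather than the
    # dynamically assigned PPPoE address
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "ISP-block"
    next
end
```

The inbound policy's destination is the VIP object, not an address object, so only traffic to 203.0.113.10:443 matches it; everything else arriving for the block is dropped by the implicit deny. The extra addresses never need to be configured on wan1, since the ISP routes the whole block to the PPPoE session.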

Fortigate Troubleshooting Cheatsheet

For all you Fortinuts out there I’m hoping this cheat sheet will help you as much as it’s helped me 🙂

CPU Utilisation

diag sys top

Fortigate Top Processes

Diagnose Sessions

diag sys session filter -> shows the filter currently set (type ? after it to list the available options, e.g. src, dst, sport, dport, proto, policy)

E.g.
diag sys session filter dport 443 -> only sessions with destination port 443 will match

diag sys session list -> displays sessions that match the filter

diag sys session clear -> clears sessions that match the filter

diag sys session filter clear -> removes the filter

Filters accumulate, so set the filter fresh before each check and clear it when you're done. Be careful with "diag sys session clear": with no filter set it drops every session on the unit.

Fortigate Session Filter

Network troubleshooting commands

execute ping <ip or hostname>

execute traceroute <ip or hostname>

execute telnet <ip or hostname> <port> -> quick way to confirm a TCP port is reachable from the Fortigate itself, i.e. that the handshake completes through its own routing and policies

Network troubleshooting

Running a packet trace

diag sniffer packet <interface> '<filter>' <verbose level> [<count>] [<timestamp format>]


Where

  • Interface:  Network interface to sniff
  • Filter: Flexible logical filters for sniffer (or “none”).
    For example: To print UDP 1812 traffic between forti1 and either forti2 or forti3
    ‘udp and port 1812 and host forti1 and \( forti2 or forti3 \)’
  • Verbose logging:
    1: print header of packets
    2: print header and data from ip of packets
    3: print header and data from ethernet of packets (if available)
    4: print header of packets with interface name
    5: print header and data from ip of packets with interface name
    6: print header and data from ethernet of packets (if available) with intf name

E.g.

diag sniffer packet any 'port 5060' 6

The two optional arguments after the verbose level are a packet count (0 = unlimited, stop with Ctrl-C) and a timestamp format (a = absolute time). Without a count the sniffer runs until you interrupt it, which on a busy link floods the console, so filter tightly and give a count when you can.

Run a packet trace

Running debug for traffic flow

1) Clear any previous debug state and send the flow trace to the console

diag debug reset
diag debug enable
diag debug console timestamp enable
diag debug flow show console enable
diag debug flow show function-name enable

 

2) Set a filter and start the debug trace

diag debug flow filter <filter>
diag debug flow trace start <number of packets>

E.g.

diag debug flow filter port 5060

diag debug flow trace start 1000

The filter keywords can be combined (addr, saddr, daddr, port, sport, dport, proto) and addr/port match either direction, so narrow it to the host you are investigating; a port-only filter on a busy unit produces a lot of output. The trace stops on its own after the given number of packets.

3) Stop the trace, clear the filter and switch debugging off again (a forgotten "debug enable" keeps writing to every CLI session and costs CPU)

diag debug flow trace stop
diag debug flow filter clear
diag debug disable
diag debug reset

Debug flow
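Putting the session, sniffer and debug flow commands above together, here is an added example (not from the original post) of one troubleshooting pass for an inbound HTTPS connection that isn't working. The client address 198.51.100.7, the WAN interface name wan1 and the filter values are assumptions:

```text
# Added example, not from the original post. Assumed values:
# client 198.51.100.7, WAN interface wan1, published service on TCP 443.

# 1. Is a session being created at all? Reset any old filter first:
#    filters accumulate, and "session clear" with an empty filter drops
#    every session on the unit.
diag sys session filter clear
diag sys session filter src 198.51.100.7
diag sys session filter dport 443
diag sys session list

# 2. Are the packets even arriving on wan1? Verbose 4 prints headers plus
#    the interface name; count 0 = no limit (Ctrl-C to stop), a = absolute
#    timestamps. A tight filter keeps the console readable.
diag sniffer packet wan1 'host 198.51.100.7 and tcp port 443' 4 0 a

# 3. What does the policy engine do with the first packets? Filter on both
#    address and port so unrelated flows stay out of the trace.
diag debug reset
diag debug flow filter addr 198.51.100.7
diag debug flow filter port 443
diag debug flow show console enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug enable
diag debug flow trace start 20

# ... reproduce the connection from the client and read the trace ...

# 4. Always tear the debug down afterwards.
diag debug flow trace stop
diag debug flow filter clear
diag debug disable
diag debug reset
diag sys session filter clear
```

Read the three results in order: no session and no packets on wan1 means the traffic never reaches the unit (upstream or routing problem); packets on wan1 but a flow trace ending in a deny or "no matching policy" means the VIP or policy is wrong; a session that exists but no reply packets points at the server or its return route.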

Get the system status

Get the system status including Fortigate version, hostname, operation mode, HA status, system time.

get sys status

Get the system performance status

Get the system performance status including CPU, Memory, network utilisation, uptime.

get sys performance status

Enjoy! 🙂

Intel NUC – Next Unit of Computing

Next Unit of Computing. A sweet, little device that packs a punch, uses minimal power and can fit it in the palm of your hand (note: requires pretty massive hands).

So what can you do with it? Thin client, test lab, HTPC, NAS, i.e. whatever you want to do with it.

What will I do with it? I have three uses: Day to day PC, HTPC and Steam Box.

Here are the specs for the little beast I bought:

  • Intel NUC Kit i5-4250U HD Graphics 5000 2.5in SATA PC
  • Intel Dual Band Wireless-AC 7260 802.11ac Wi-Fi + Bluetooth adapter (more on this here)
  • Kingston 8GB 1600MHz DDR3 CL11 SODIMM RAM KVR16LS118
  • Samsung 840 EVO mSATA 120GB SSD
NUC - Intel NUC Box

What will you make?

The guts and glory of the mighty NUC!

mSATA SSD for the win. It's as tiny as an SD card!

NUC - Wireless and NUC

I’ll be preparing a guide on how to setup and configure the NUC and also give you an insight of how I’ll be using mine!


Fortigate: Configure High Availability

So this may not be necessary for most home users out there but for those that need a quick rundown on how to configure High Availability between Fortigates, I hope this helps:

Prerequisites:

  • All Fortigates need the same hardware configuration i.e. same model, same hard disk configuration, same optional components installed
  • All Fortigates need to have the same firmware build e.g. v5.0,build0271 (GA Patch 6)
  • All Fortigates need to be using the same operating mode e.g. NAT or Transparent
  • All Fortigates need to be operating in the same VDOM mode
  • If the Fortigates are operating in multiple VDOM mode, they all need the same VDOM configuration
  • All interfaces need to have a static IP address. If any interface is using DHCP (or PPPoE) you can't configure HA
  • Fortigates that are still using their built-in switch will not work as-is. You will need to configure Interface Mode first (see the Interface Mode post).

Boring stuff done, let’s get to work.

High level steps required to configure HA:

  1. Configure Fortigate units for HA operation individually and power off.
  2. Connect the Fortigates to the network
  3. Connect all interfaces (LAN, Heartbeat, Internet)
  4. Power on both Fortigate units
  5. Test!

Detailed instructions

  1. Log onto the first Fortigate unit (FG1) and configure all your interface settings, policies, hostname, VIPs, firewall addresses, routes etc.

    FG1# conf sys global
    FG1# set hostname FG1
    FG1# end
    FG1# conf sys interface
    FG1# conf firewall policy
    etc

  2. Configure High Availability via CLI. Here is my standard setup but ensure you read the Fortigate manual for further clarification

    FG1# conf sys ha
    FG1# set mode a-a
    FG1# set group-name SAMHA
    FG1# set password Th!sIs@s3CurePa$$w0rd
    FG1# set hbdev "port2" 50 "port3" 50
    FG1# set session-pickup enable
    FG1# set override disable
    FG1# set priority 50
    FG1# set monitor "port1" "wan1"
    FG1# set pingserver-monitor-interface "port1"
    FG1# set pingserver-failover-threshold 1
    FG1# end

    Notes:
    – Set "hbdev": these are the interfaces that connect to the second unit and carry the cluster heartbeat and configuration sync, i.e. port2 on FG1 connects to port2 on FG2. The number after each interface is its heartbeat priority. It is recommended that you have at least two heartbeat interfaces configured. Heartbeat traffic is neither authenticated nor encrypted by default, so either connect the heartbeat ports back to back (or via a dedicated switch/VLAN nothing else can reach) or add "set authentication enable" and "set encryption enable" to the HA config.
    – Set "monitor": these are the interfaces the Fortigate watches. If the link on one of them goes down, the cluster fails over to the unit that still has more monitored interfaces up.
    – Set "priority": this sets the device priority of the cluster unit. When a cluster negotiation occurs the unit with the highest priority becomes the primary unit. With "override disable" the unit that has been up longer wins before priority is even compared, and ties after that go to the serial number, so if you want a predictable primary give FG1 a higher priority than FG2 rather than using the same value on both.
    – Set "password": this is the shared secret a unit must present to join the group, so treat it like any other credential and don't reuse the example above.

  3. Power off FG1
  4. Perform steps 1 to 3 on FG2. Power off FG2
  5. Connect all interfaces correctly, ensure switching is correct, and heartbeat Interfaces are connected.
  6. Power on both Fortigates at the same time.
  7. Log on to one of the units and identify which of them is the master Fortigate by entering

    FG1# get sys stat

    You should get output that looks like the below. You can see from the output that this unit is the master unit.

    FG1 # get sys stat
    Version: FortiGate-60D v5.0,build0271,140124 (GA Patch 6)
    Virus-DB: 19.00098(2013-09-01 11:46)
    Extended DB: 1.00000(2012-10-17 15:46)
    IPS-DB: 4.00385(2013-08-28 22:38)
    IPS-ETDB: 0.00000(2001-01-01 00:00)
    Serial-Number: FG60D3911452369
    Botnet DB: 1.00229(2013-09-01 11:39)
    BIOS version: 04000007
    Log hard disk: Available
    Internal Switch mode: interface
    Hostname: FG1
    Operation Mode: NAT
    Current virtual domain: root
    Max number of virtual domains: 10
    Virtual domains status: 1 in NAT mode, 0 in TP mode
    Virtual domain configuration: disable
    FIPS-CC mode: disable
    Current HA mode: a-a, master
    Branch point: 271
    Release Version Information: GA Patch 6
    System time: Mon Mar 15 16:19:18 1996

  8. Test failover using these tests as a bare minimum, confirming after each one with "get sys stat" that the surviving unit reports itself as master and that traffic still flows:
    – Power off a Fortigate unit
    – Unplug port1 (production network)
    – Unplug internet connection (wan1)
    – Unplug one of the two heartbeat interfaces
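As an added example (not the author's config above), here is the same cluster with the gaps a security reviewer would flag closed: the heartbeat link authenticated and encrypted, the priorities made unequal so the master is predictable, and a group-id set so a second cluster on the same network segment doesn't end up with the same virtual MAC addresses. The password placeholder, the priorities and the group-id value are assumptions:

```text
# Added example, not the original post's config. Interface names follow
# the post; the password placeholder, priorities and group-id are assumed.

# On FG1 (intended master):
config system ha
    set mode a-a
    set group-name SAMHA
    set group-id 7
    set password <strong-shared-secret>
    set hbdev "port2" 50 "port3" 50
    # heartbeat packets are neither authenticated nor encrypted by default
    set authentication enable
    set encryption enable
    set session-pickup enable
    set override disable
    set priority 200
    set monitor "port1" "wan1"
    set pingserver-monitor-interface "port1"
    set pingserver-failover-threshold 1
end

# On FG2: the same block, with only the priority changed
config system ha
    set priority 100
end

# After both units are up, from either unit:
get system ha status
diag sys ha status
# and to reach the other unit's CLI across the heartbeat link, using the
# cluster index shown by "get system ha status":
execute ha manage <index>
```

Both units must carry identical group-name, group-id, password, authentication and encryption settings or they will never form a cluster; "get system ha status" on each unit is the quickest way to see whether they have found each other and who is master.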

Go forth and ensure you can keep that 99.999999999% uptime 🙂

Fortigate: Configure Interface Mode

Some of the SMB Fortigate units will have default settings that are good for the everyday user. But what if there's more to life than a built-in switch? What if we want to configure, respect and treat all interfaces as their own?

For anyone that has a Fortigate unit and does not want to use the internal switch (factory default), here are quick steps to configure interface mode i.e. all ports are treated as individual interfaces and will need to be configured appropriately. Do this over the console cable: the mode change removes the "internal" switch interface along with its IP and the individual ports come up unconfigured, so a GUI or SSH session through one of the switch ports will be dropped. The change also won't go through while anything still references "internal", which is why the DHCP server and the default policy are removed first.

1. Delete the DHCP server entry bound to "internal" (ID 1 on a factory config; confirm with show system dhcp server)

FG123456# conf sys dhcp server
FG123456# delete 1
FG123456# end

2. Delete the default internal-to-wan1 firewall policy (ID 1 on a factory config; confirm with show firewall policy)

FG123456# conf firewall policy
FG123456# delete 1
FG123456# end

3. Enable interface mode

FG123456# conf system global
FG123456# set internal-switch-mode interface
FG123456# end

Done and dusted. Now get that config up and ready!