Monday, June 30, 2008

Hands on Fortigate Demo

New to Fortinet? Want to get a first-hand look at the GUI?
Take the Fortinet Demo unit for a spin here.
Login: demo
Password: fortigate

Thursday, June 26, 2008

Bugs in SSL VPN Process

Fortinet is currently working on a bug related to the SSL VPN process. After upgrading to FortiOS 3.0 MR6 Patch 2 the SSL VPN process can consume all available CPU resources regardless of user load. Fortinet is currently working on this problem with bug id 77702.

As a temporary workaround, if you are running into this issue you can use the following procedure from the command line interface to restart the process and bring CPU usage back down.

diag sys top to identify the process id (pid) of sslvpnd
diag sys kill 11 <pid> to restart sslvpnd (replace <pid> with the id found above)

-Thanks to Dan Orth for the info.
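The workaround above is manual; the snippet below is an added example (not from the original post or from Fortinet) that parses the process table and produces the kill command for you, and only does so when the daemon is actually busy. The diag sys top output is constructed for the example, and its column layout (name, pid, state, CPU %, memory %) and the 80% threshold are assumptions.

```python
import re

# Constructed sample of "diag sys top" output (not captured from a real unit).
# Assumed columns: process name, pid, state, CPU %, memory %.
SAMPLE_TOP = """\
Run Time:  3 days, 4 hours and 12 minutes
95U, 0S, 5I; 1024T, 512F, 128KF
        sslvpnd       87      R      94.2     1.8
        httpsd        92      S       0.0     2.1
        ipsengine     75      S       0.5    12.0
        newcli       103      R       0.1     0.4
"""

# Matches only process rows; the header lines do not have a numeric pid column.
PROC_LINE = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Z])\s+([\d.]+)\s+([\d.]+)\s*$")


def parse_top(output):
    """Return (name, pid, state, cpu, mem) tuples for each process row."""
    procs = []
    for line in output.splitlines():
        m = PROC_LINE.match(line)
        if m:
            name, pid, state, cpu, mem = m.groups()
            procs.append((name, int(pid), state, float(cpu), float(mem)))
    return procs


def find_pids(output, name):
    """All pids running under the given process name (empty list if absent)."""
    return [p[1] for p in parse_top(output) if p[0] == name]


def restart_commands(output, name="sslvpnd", cpu_threshold=80.0):
    """Build 'diag sys kill 11 <pid>' lines for <name>, but only for
    instances whose CPU usage is at or above cpu_threshold, so a healthy
    daemon is left alone."""
    cmds = []
    for pname, pid, _state, cpu, _mem in parse_top(output):
        if pname == name and cpu >= cpu_threshold:
            cmds.append(f"diag sys kill 11 {pid}")
    return cmds


if __name__ == "__main__":
    for cmd in restart_commands(SAMPLE_TOP):
        print(cmd)
```

Paste the real diag sys top output in place of SAMPLE_TOP; if sslvpnd is not listed or is idle, the function returns an empty list rather than a kill command.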

Monday, June 23, 2008

VPN Manager Gotchas in FortiManager

Be careful when using interface mode VPN setups created in FortiManager.
Imagine the following setup:
-HQ Site has a number of networks (10.x.x.x, 172.16.x.x, 192.168.x.x)
-Remote site has a class C network (172.17.1.x)

When defining your protected subnets in VPN-Manager -> VPN List -> Gateways you should configure the specific networks and not use the default 0.0.0.0/0.0.0.0 network. If you use the 0.0.0.0 network and let the FortiManager handle the static route creation you can end up with two default routes configured, one pointing to your valid WAN router and one pointing to the VPN tunnel. This has the undesirable effect of making your firewall unreachable.
(Not that this has happened to me of course :)
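A quick way to catch this condition before it bites is to look for more than one 0.0.0.0/0 entry in the routing table. The following is an added example, not part of the original post, that parses the output of get router info routing-table all and reports competing default routes. The routing-table text and the interface names (wan1, internal, HQ-to-Remote) are constructed for the example and are not from any real unit.

```python
import re

# Constructed routing-table output showing the problem: two candidate
# default routes, one via the WAN router and one into the tunnel interface.
# "HQ-to-Remote" is a hypothetical interface-mode VPN interface name.
BROKEN_ROUTES = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1
S*      0.0.0.0/0 [10/0] is directly connected, HQ-to-Remote
C       172.17.1.0/24 is directly connected, internal
S       10.0.0.0/8 [10/0] is directly connected, HQ-to-Remote
"""

# Same box after the protected subnet was set to the specific remote network.
HEALTHY_ROUTES = """\
S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C       172.17.1.0/24 is directly connected, internal
S       10.0.0.0/8 [10/0] is directly connected, HQ-to-Remote
"""

# code, prefix, optional [distance/metric], then either "via <gw>," or
# "is directly connected,", then the interface name.
ROUTE_LINE = re.compile(
    r"^([A-Z*]+)\s+(\S+/\d+)\s+(?:\[\d+/\d+\]\s+)?"
    r"(?:via\s+(\S+),|is directly connected,)\s+(\S+)\s*$"
)


def parse_routes(output):
    """Return one dict per route line; header and blank lines are skipped."""
    routes = []
    for line in output.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            code, prefix, gateway, iface = m.groups()
            routes.append({"code": code, "prefix": prefix,
                           "gateway": gateway, "interface": iface})
    return routes


def default_route_interfaces(output):
    """Interfaces that carry a 0.0.0.0/0 route, in table order."""
    return [r["interface"] for r in parse_routes(output)
            if r["prefix"] == "0.0.0.0/0"]


def competing_default_routes(output):
    """Return the interfaces involved when more than one default route
    exists, or an empty list when the table is sane."""
    ifaces = default_route_interfaces(output)
    return ifaces if len(ifaces) > 1 else []


def routes_via_interface(output, iface):
    """Specific (non-default) prefixes routed into a given interface,
    useful for seeing what the tunnel actually needs to carry."""
    return [r["prefix"] for r in parse_routes(output)
            if r["interface"] == iface and r["prefix"] != "0.0.0.0/0"]


if __name__ == "__main__":
    bad = competing_default_routes(BROKEN_ROUTES)
    if bad:
        print("WARNING: competing default routes on", ", ".join(bad))
    print("Tunnel carries:", routes_via_interface(BROKEN_ROUTES, "HQ-to-Remote"))
```

Run this against the real routing table before pushing a FortiManager VPN change into production; a non-empty result means the 0.0.0.0 protected subnet has been turned into a second default route.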

Thursday, June 19, 2008

Problems with IPS Engine

IPS Engine 1.092 is causing high CPU utilization on various models of Fortigate firewalls. As per Fortinet, IPS Engine 1.096 should fix this issue and is due to be released via automatic update on Friday, June 27th.
Use the following command to determine which engine you are currently running:

get system fortiguard-service status

You can use the following command to restart the IPS engine. This resolves the high CPU utilization temporarily, without having to reboot the firewall.

diag test app ipsmonitor 99

Another command you can try is:

diag test app ipsmonitor 5

This puts the IPS Engine into bypass mode. Issuing the same command again turns it back on.

Friday, June 6, 2008

Software Updates

FortiManager 3.0 MR6 Patch 3 and FortiOS 3.0 MR6 Patch 2 are now available on the Fortinet Support Website.