Wednesday, November 18, 2009

CLI Magic: Renaming Existing Interfaces

If you ever run into a situation where you have configured a VLAN interface on a FortiGate firewall and the purpose of the VLAN changes, you might have to rename it. The GUI will not let you rename an existing VLAN interface. However, there are workarounds, ranging from highly disruptive to transparent:
  • Remove the VLAN interface and create a new one with the updated name. This method incurs downtime since you first have to remove any policies, routes, etc. that reference the VLAN.
  • Download the firewall config, rename the interface in the backup file and restore the config. This will reboot the firewall and also impact user traffic.
The fastest, easiest and least disruptive method is the CLI rename:
  • #config system interface
  • #rename "VLAN Name" to "New VLAN Name"
  • #end
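The backup-file workaround above only works if the interface definition and every object that references it (policies, static routes) are renamed consistently, and the delete-and-recreate method requires you to know those references up front. The following is an added example, not code from the original post or from Fortinet: a small Python helper that lists the references and performs the rename on a constructed backup excerpt; the config layout it assumes (quoted names on `edit`, `set srcintf` and `set device` lines) is an assumption about the export format.

```python
import re

# Constructed sample in the FortiOS backup layout (an assumption about the
# format, not a real exported config): one VLAN interface plus a static
# route and a firewall policy that reference it.
SAMPLE_CONFIG = """\
config system interface
    edit "VLAN Name"
        set vdom "root"
        set interface "internal"
        set vlanid 10
    next
end
config router static
    edit 1
        set device "VLAN Name"
    next
end
config firewall policy
    edit 1
        set srcintf "VLAN Name"
        set dstintf "wan1"
    next
end
"""

def references(config: str, name: str) -> list[str]:
    """Return the 'set ...' lines that reference an interface name, i.e. the
    objects that would have to be removed first under the delete-and-recreate
    method (the 'edit' line defining the interface itself is excluded)."""
    quoted = '"' + name + '"'
    return [ln.strip() for ln in config.splitlines()
            if quoted in ln and ln.strip().startswith("set ")]

def rename_interface(config: str, old: str, new: str) -> tuple[str, int]:
    """Rename an interface throughout a backup: the definition and every
    reference. Matching on the quoted name avoids partial hits such as
    "VLAN Name 2". Returns the rewritten text and the substitution count."""
    if not new or '"' in new or "\n" in new:
        raise ValueError("new name must be non-empty and contain no quotes")
    pattern = re.compile('"' + re.escape(old) + '"')
    return pattern.subn('"' + new + '"', config)

if __name__ == "__main__":
    for ref in references(SAMPLE_CONFIG, "VLAN Name"):
        print("reference:", ref)
    updated, count = rename_interface(SAMPLE_CONFIG, "VLAN Name", "New VLAN Name")
    print(f"rewrote {count} occurrences")
    print(updated)
```

Run `references()` first and review its output before restoring an edited backup; a reference the rename missed is exactly what the GUI method would have forced you to delete.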

Friday, November 6, 2009

FortiOS - Application Control Logging Gotcha

FYI, if you are using FortiOS 4.x together with a FortiManager: when configuring application control on your FortiGate units you have the option to "Enable logging for undefined applications". Another possibility is to create a rule something like this:
  • Category: All
  • Application: All
  • Action: Pass
  • Log: Enable
I have found that creating a rule to log undefined applications can cause problems. When you use this second method rather than checking the "Enable logging ..." box, the FortiGates will send an SNMP trap for EVERY detected application to the FortiManager. This leads to the SNMP daemon process on the FortiManager using up all available memory and eventually crashing the FortiManager box completely.

Fortinet is currently investigating this behaviour.