Friday, October 21, 2011

Questions for the "Eggspehrts"

Got any burning Fortinet questions you want to ask?
Post them in the comments and our panel of knowledgeable Fortinet users will try to answer them.

Thursday, September 22, 2011

FortiOS 4.0 MR3 Patch 2 - Problems on FortiWifi

This was released earlier in the week. I installed it on my FortiWifi 60C and it caused my firewall to no longer respond to ARP requests, thus making it invisible to my network. Rolling back to 4.0 MR2 Patch 8 fixed the problem. I then re-installed MR3 Patch 2 via tftp as a clean install and had the same problem as before with no ARP responses.

Let me know what you find on other platforms.

Monday, August 15, 2011

IPS Tidbits

(Thanks to M00sebyte for kicking me in the rear and having me restart posting now that things have calmed down)

If your firewall's CPU is running unexpectedly high, there are a couple of things you can do to diagnose the problem before engaging Fortinet Support.

First, identify which process is responsible. To narrow it down, issue the following command from the CLI:

# diag sys top 1

This lists the running processes with their CPU and memory utilization, refreshing every 1 second. The columns are process name, PID, state, CPU % and memory %.
You'll get output similar to the following:

Run Time:  1 days, 18 hours and 52 minutes
0U, 7S, 91I; 439T, 156F, 121KF
       ipsengine       53      S <     94.6    22.1
          newcli      182      R       3.7     3.2
            sshd      180      S       2.8     2.5
          dhcpcd       65      S       0.9     2.5
         cmdbsvr       20      S       0.0     4.8

Press "q" to return to the command prompt.

Looking at the output above, the ipsengine process, which provides the intrusion prevention functionality, is consuming 94.6% of CPU time. That is unusually high and can have a number of root causes.
Below are the CLI commands you can use to work around the problem in the short term.


# diag test application ipsmonitor
IPS Engine Test Usage: (Values for >
1: Display IPS engine information
2: Toggle IPS engine enable/disable status
3: Display restart log
4: Clear restart log
5: Toggle bypass status
6: Submit attack characteristics now
97: Start all IPS engines
98: Stop all IPS engines
99: Restart all IPS engines and monitor


The command we issue most often when the IPS engine is running high is option 99, which restarts the IPS process and keeps monitoring it:

# diag test application ipsmonitor 99

Options 2 and 5 (disable and bypass) also bring the CPU down, but only because traffic is then passing without IPS inspection, so treat them as a last resort and remember to toggle them back. If the engine keeps pegging the CPU after a restart, save the restart log (option 3) before clearing it and engaging support.
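As an added example (not code from the original post), here is a small Python triage helper that parses a captured `diag sys top` screen, flags any process at or above a CPU threshold, and maps the one offender the post documents (ipsengine) to the restart command above. The column interpretation (name, PID, state, CPU %, memory %), the 80% threshold and the `KNOWN_REMEDIES` table are assumptions; the sample screen is the one shown above.

```python
"""Triage a captured FortiOS `diag sys top` screen.

Added example, not code from the original post. Column layout assumed
from the sample on the page: <process> <pid> <state> <cpu%> <mem%>.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample screen copied from the post (constructed test input).
SAMPLE_TOP = """\
Run Time:  1 days, 18 hours and 52 minutes
0U, 7S, 91I; 439T, 156F, 121KF
       ipsengine       53      S <     94.6    22.1
          newcli      182      R       3.7     3.2
            sshd      180      S       2.8     2.5
          dhcpcd       65      S       0.9     2.5
         cmdbsvr       20      S       0.0     4.8
"""

# One process row. The optional marker after the state ("<" in the sample)
# is kept as part of the state string.
PROC_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<state>[A-Z](?:\s*[<>N])?)\s+"
    r"(?P<cpu>\d+\.\d+)\s+(?P<mem>\d+\.\d+)\s*$"
)

# Short-term remedies the post documents, keyed by process name (assumed
# table; only ipsengine is covered by the post).
KNOWN_REMEDIES = {
    "ipsengine": "diag test application ipsmonitor 99",
}


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    state: str
    cpu: float  # percent of CPU time
    mem: float  # percent of memory


def parse_top(text: str) -> list[Proc]:
    """Return the process rows of a `diag sys top` screen, highest CPU first."""
    procs = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            procs.append(Proc(m["name"], int(m["pid"]), m["state"].strip(),
                              float(m["cpu"]), float(m["mem"])))
    return sorted(procs, key=lambda p: p.cpu, reverse=True)


def hot_processes(text: str, cpu_threshold: float = 80.0) -> list[Proc]:
    """Processes at or above the threshold (threshold is an assumption)."""
    return [p for p in parse_top(text) if p.cpu >= cpu_threshold]


def triage(text: str, cpu_threshold: float = 80.0) -> list[tuple[str, str]]:
    """Pair each hot process with its documented remedy, or with a hint to
    collect evidence for support when the post documents none."""
    out = []
    for p in hot_processes(text, cpu_threshold):
        cmd = KNOWN_REMEDIES.get(
            p.name,
            "no documented workaround; capture `diag sys top` output for support",
        )
        out.append((p.name, cmd))
    return out


if __name__ == "__main__":
    for name, cmd in triage(SAMPLE_TOP):
        print(f"{name}: {cmd}")
```

Feed it the text you copied from an SSH session; with the sample above it reports only ipsengine and the restart command. Lowering the threshold shows the next consumers (newcli and sshd here are just your own CLI session) so you can see whether the load is really concentrated in one daemon.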

Tuesday, July 19, 2011

Useful Interface Statistics

On the CLI, try this:

> diag hardware deviceinfo nic "interface name"

for example

> diag hardware deviceinfo nic wan1

produces output like the sample below (this one is from an NP2-accelerated port; the exact counters depend on the NIC driver). It is handy in a pinch for checking duplex mismatches, dropped packets and errors. The counters are cumulative and can wrap (note that Rx Bytes here is lower than Rx Pkts), so compare two snapshots taken a few seconds apart rather than trusting the absolute numbers.

Driver Name: NP2
Version: 0.92
Chip Revision: 2
BoardSN: N/A
Module Name: 310B
DDR Size: 256 MB
Bootstrap ID: 11
PCIX-64bit-@133MHz bus: 03:01.0
Admin: up
Link: up
Speed: 1000Mbps
Duplex: Full
Rx Pkts: 3875403410
Tx Pkts: 3337050564
Rx Bytes: 1095981056
Tx Bytes: 1043256285
MAC0 Rx Errors: 0
MAC0 Rx Dropped: 0
MAC0 Tx Dropped: 0
MAC0 FIFO Overflow: 0
MAC0 IP Error: 0

TAE Entry Used: 0
TSE Entry Used: 0
Host Dropped: 1477715
Shaper Dropped: 121
EEI0 Dropped: 0
EEI1 Dropped: 0
EEI2 Dropped: 0
EEI3 Dropped: 0
IPSEC QFIFO Dropped: 0
IPSEC DFIFO Dropped: 0
PBA: 123/1019/251
Forwarding Entry Used: 0
Offload IPSEC Antireplay ENC Status: Disable
Offload IPSEC Antireplay DEC Status: Enable
Offload Host IPSEC Traffic: Disable
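As an added example (not code from the original post), here is a Python health check that parses the key/value output above and applies the checks the post suggests: admin/link state, negotiated speed and duplex against what you expect, and any non-zero error or drop counter. It also computes the host drop rate and the delta between two captures, since the counters are cumulative. The expected speed/duplex defaults, the list of counter words treated as errors, and the 32-bit wrap assumption in `counter_deltas` are illustrative assumptions.

```python
"""Health check for FortiOS `diag hardware deviceinfo nic <port>` output.

Added example, not code from the original post. Parses the 'Key: value'
lines and applies link/duplex/speed sanity checks plus non-zero error and
drop counter checks. Expected speed/duplex and the counter-name words are
assumptions for illustration.
"""
from __future__ import annotations

# Sample copied from the post (constructed test input).
SAMPLE_NIC = """\
Driver Name: NP2
Version: 0.92
Chip Revision: 2
BoardSN: N/A
Module Name: 310B
DDR Size: 256 MB
Bootstrap ID: 11
PCIX-64bit-@133MHz bus: 03:01.0
Admin: up
Link: up
Speed: 1000Mbps
Duplex: Full
Rx Pkts: 3875403410
Tx Pkts: 3337050564
Rx Bytes: 1095981056
Tx Bytes: 1043256285
MAC0 Rx Errors: 0
MAC0 Rx Dropped: 0
MAC0 Tx Dropped: 0
MAC0 FIFO Overflow: 0
MAC0 IP Error: 0
Host Dropped: 1477715
Shaper Dropped: 121
EEI0 Dropped: 0
IPSEC QFIFO Dropped: 0
PBA: 123/1019/251
"""

# Substrings identifying error/drop counters (assumption).
BAD_COUNTER_WORDS = ("Error", "Dropped", "Overflow")


def parse_nic(text: str) -> dict[str, int | str]:
    """Split each 'Key: value' line; plain integer values become ints."""
    stats: dict[str, int | str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        stats[key] = int(value) if value.isdigit() else value
    return stats


def check_nic(stats: dict[str, int | str], expect_speed_mbps: int = 1000,
              expect_duplex: str = "Full") -> list[str]:
    """Return human-readable findings; an empty list means the port looks clean."""
    findings: list[str] = []
    if stats.get("Admin") != "up":
        findings.append("interface administratively down")
    if stats.get("Link") != "up":
        findings.append("link down")
    speed = str(stats.get("Speed", "")).removesuffix("Mbps")  # "1000Mbps" -> "1000"
    if speed.isdigit() and int(speed) != expect_speed_mbps:
        findings.append(f"negotiated {speed} Mbps, expected {expect_speed_mbps}")
    if stats.get("Duplex") != expect_duplex:
        findings.append(f"duplex is {stats.get('Duplex')}, expected {expect_duplex} (possible mismatch)")
    for key, value in stats.items():
        if isinstance(value, int) and value > 0 and any(w in key for w in BAD_COUNTER_WORDS):
            findings.append(f"{key} = {value}")
    return findings


def host_drop_rate(stats: dict[str, int | str]) -> float:
    """Fraction of received packets the NP dropped before the host CPU saw them."""
    rx = stats.get("Rx Pkts", 0)
    return stats["Host Dropped"] / rx if isinstance(rx, int) and rx else 0.0


def counter_deltas(before: dict[str, int | str],
                   after: dict[str, int | str]) -> dict[str, int]:
    """Per-counter change between two captures taken some seconds apart.
    Counters are cumulative; a negative delta is treated as a 32-bit wrap
    (assumption) so the rate still reads correctly."""
    deltas: dict[str, int] = {}
    for key, old in before.items():
        new = after.get(key)
        if isinstance(old, int) and isinstance(new, int) and new != old:
            d = new - old
            deltas[key] = d + 2**32 if d < 0 else d
    return deltas


if __name__ == "__main__":
    stats = parse_nic(SAMPLE_NIC)
    for finding in check_nic(stats):
        print(finding)
    print(f"host drop rate: {host_drop_rate(stats):.5%}")
```

Capture the command output twice a few seconds apart, parse both, and feed them to `counter_deltas`; a steadily growing Host Dropped or Shaper Dropped between snapshots is more telling than the large absolute values on a box that has been up for months.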

Tuesday, July 5, 2011

Software Updates: FortiOS 4.0 MR3 Patch 1 is out

Summary of Enhancements

· BGP AS Overrides
· Central Management Locking/Unlocking
· Control and Mitigate Traffic Bypassing SSL Proxy
· Convert Web UI Language Files To Be UTF-8 Standard
· Enlarge Table Size for Firewall Address and Firewall Service on High-End Models
· FMC-C20 and FMC-F20 Support
· FortiClient Connect Licensing Support
· FSSO Sniffer Policy Support
· Geographic Destinations Chart in Default Report
· GTP v1 release 7.15.0 support
· GTP v1 release 8.12.0 support
· Improvements of Usability on Firewall Policy configurations via Web UI
· Improvements and Simplification of Local Ratings & Local Categories Settings in Web Filter Configuration
· Improvements of Usability on Application Control and IPS Sensor configurations via Web UI
· Improvements of Usability on Web Filter Profile configurations via Web UI
· Integration of DNS Service on Interface and Server Administration
· Increase for Maximum Value of Local Users on FortiGate-50x Series Models
· Increase for Maximum Value of User Group
· Quick Test Button for Remote Server Reachability via Web UI
· Restoration of Function LDAP-Group-Check
· STARTTLS Scanning Over SMTP Proxy
· Web Cache Monitor via Web UI
· Web Mail Logging Support
· Web UI Navigation Menu Reorganization and Improvement
· WiFi Controller on FortiWiFi Models Under Client Mode

Thursday, April 7, 2011

Software Updates

Here's the latest and greatest.

FortiAnalyzer: 4.0 MR2 Patch 3, Build 221
FortiAP: 4.0 MR3 GA, Build 212
FortiClient: 4.0 MR 2 Patch 3, Build 271
FortiDB: 4.2.1, Build 113

FortiOS: 4.0 MR1 Patch 9, Build 213
(stable, recommended for production)
FortiOS: 4.0 MR2 Patch 5, Build 315
(stable, recommended for production)
FortiOS: 4.0 MR3 GA, Build 441
(recommended for test systems only)

FortiGate-One: 4.0 MR2 Patch 3, Build 303
FortiMail: 4.0 MR2 GA, Build 355
FortiManager: 4.0 MR2 Patch 5, Build 392
FortiScan: 4.1 GA, Build 190
FortiSwitch: 4.0 MR2 Patch 2, Build 094
FortiWeb: 4.2.1, Build 412

Friday, March 25, 2011

HTTP A/V scanning breaks web requests - it's back

We confirmed with Fortinet today that a bug that was fixed in 4.1.6 apparently exists in 4.2.x. It is scheduled to be fixed (again) in 4.2.6.

Here is the original problem from March 2010. It's not a good thing that this was fixed a year ago and is still around in newer builds of the 4.2 branch.
http://firewallguru.blogspot.com/2010/03/http-av-scanning-breaking-web.html

** Update **

Because 4.2.6 is a quick fix for the split TCP handshake issue, this bug fix will be included in 4.2.7.

Wednesday, March 23, 2011

Monday, March 21, 2011

Enhancements in FortiOS 4.3 (aka 4.0 MR3 GA)

Here is Fortinet's official list of new and improved features.
As with any major new release, the recommendation is not to run this on critical production systems, but instead to give the community some time to work out the early bugs with Fortinet.

· Supports "Local In" Policies to and from the FortiGate
· Introduces Unified AV Engine
· Supports Configuration Object Tagging
· Introduces Configuration Rollback feature
· Supports Explicit FTP proxy
· Enhanced Explicit Proxy feature to support Proxy Chaining
· Supports FAS (previously known as FAMS) and FortiAnalyzer Logging Extensions
· Flow-based DLP Support
· Flow-based Web Content Filtering
· Supports IPv6 Firewall offload feature on ASM-CE4, ADM-XE2 and ADM-FB8 modules
· FTPS protocol support for SSL Inspection feature
· Supports Log Viewer Filters
· Network Scan feature Improvements
· Supports Per-VDom Configuration Files
· Policy Table web UI Improvements
· Introduces 'Port Pair' feature in Transparent mode
· Supports SSL-VPN Client in Port Forward mode
· Enhanced User Authentication feature
· Extends Wireless Controller feature support to FortiAP-220A and FortiAP-220B
· Introduces 2-Factor Authentication
· Supports Dynamic Profiles
· Added support for Pictures in Replacement Messages
· Authentication Page Style Improvements
· Enhanced Logging feature
· Supports Configuration Restore via SCP Protocol
· Improved Dashboard Widgets
· Supports DHCP Address Reservation
· Support for DHCP6
· Endpoint NAC Improvement
· Facebook Application Control
· Firewall Schedule Enforcement
· FortiASIC traffic offload Improvements
· HTTP Host Load Balancing
· Improved Chart Display
· Improved Firewall Session Control
· Firewall Session Control Improvements
· IPS Sensor Enhancements
· Supports IPS Signature Search and IPS Signature Threshold
· IPSec 'get' Command Improvement
· IPv6 Firewall Authentication
· Added IPv6 SNMP Support
· Traffic Logging Improvements
· Modem Interface Improvements
· MultiCast IGMP Static Join and PIM Enhancement
· Session Table Enhancements
· NTLM Authentication Extensions
· Supports Per-IP Traffic Shaping for Application Control
· Firewall Policy Enhancements
· Proxy Support with SSL Offload
· RADIUS Accounting Extension
· 'Top Session widget' supports IPv6 sessions
· Simplify Report Configuration
· SNMP Enhancements including web UI support for SNMPv3
· Various web UI consolidation and Enhancements
· SSL-VPN Tunnel Widget Improvements
· Supports SSL-VPN Web Mode over IPv6
· Supports SSL-VPN Policy DE-Authentication
· Static Route web UI Improvements
· Supports sub-second Failover for NP4 Ports
· Supports Authentication Group Matching for TACACS+
· Troubleshooting Improvement
· SQL Logging Enhancements
· VRRP Virtual MAC Support
· Enhanced Web Filter Override feature
· Weighted HA Failover Improvements
· WiFi Enterprise Authentication Support
· Supports per-zone option for Local DNS Server
· Explicit Proxy Improvements
· Supports Hosted NAT traversal for RTP pin-holing
· Introduced Quotas for Web Cache / Byte Cache
· Supports Password Renewal for LDAP Users over SSLVPN
· Supports FMC-XG2 Module
· Generate protocol identification tag for FDN reporting on AV
· Extension of SP acceleration to support offloading of interface-based IPS
· Support for Monitoring Dynamic Data on FMG
· Support for Internet Content Adaptation Protocol (ICAP)
· PKI Authentication Extensions (Merge Top3 1359)
· Merge UTM Logs into one Category
· Configurable Global Admin Profiles
· Add monitor section in menu system
· Support IPS one-arm on XLR
· Inter-Product Secure Communications
· DiffServ per Application Filter
· DLP: Document Fingerprinting
· Geography-based Filtering
· FortiGate Default Report
· Endpoint NAC Extension
· Rogue AP Detection & Reporting
· Captive Portal for Wifi Authentication
· Rogue AP Suppression
· Distributed ARRP (automatic radio resource provisioning)
· Simplify Email Filtering
· ELBCv3 graceful firmware upgrade
· File Filter Reorganization
· SHA-384 and SHA-512 support to IKE and IPsec
· SSL Proxy: Verify Host SSL Certificates
· Dynamic Profile & Endpoint Filter Extensions
· Replacement Message Reorganization
· DNS zone transfer and dns forwarder feature
· Setup Wizard for FOS
· Simple Forticlient VPN GUI
· Web Filter Improvement
· Web Filtering Disclaimer
· Web Filter Category Reorg
· Report Editor Improvements
· FortiGate Default Report - Improvements

Saturday, March 19, 2011

FortiOS 4.3 Released

FortiOS 4.0 MR3 GA was released on Friday. As soon as it shows up on the FTP site it'll get a good kicking of the tires. Stay tuned for initial reviews and new features.

Friday, March 4, 2011

FortiOS 4.2.4 Released

We have had 4.2.4 running on some of our test systems for the past 24 hours with no adverse effects. Specifically, CPU usage is staying within normal levels. I will also test this on the FWF 60C platform over the weekend.
Please post your feedback after you try it out.

Wednesday, January 19, 2011

FortiOS 4.2.3 for FG/FWF 60C

This was just released. I very quickly started to receive feedback about high CPU utilization problems for the 60C build also. You may want to stick with 4.2.2 for now.