Monday, December 17, 2012

Customer Support Bulletins

From time to time Fortinet releases information on critical bugs and bug fixes that are likely to impact a large number of customers. There were 3 of these for 2012. To review them, log in to the Customer Service & Support Portal and click on "Important Info".
Alternatively you can access them via this link:

Tuesday, December 11, 2012

DHCP for IPv6 in FortiOS 5

FortiOS 5 adds support for RFC 3315, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)". To activate a DHCPv6 server on an interface, use the following syntax:

# config system interface
# edit internal
# config ipv6
# set ip6-mode dhcp
# end
# end

Finding CLI Commands

Sometimes it's handy to know which CLI commands correspond to the actions you perform in the GUI. The following commands enable CLI debugging on the console, so that every GUI action is echoed as the CLI commands it actually executes.

# diag debug reset
# diag debug enable
# diag debug console
# diag debug cli 7

Here is some sample output in the CLI when adding and deleting static routes in the GUI.

0: config router static
0: edit 0
0: set device "VPN_Tunnel"
0: set dst
0: end
0: config router static
0: delete 16
0: end

Also, if you perform an action in the GUI and get no output on the CLI, chances are that there is no equivalent CLI command.
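As an added example (not part of the original post), this script turns a "diag debug cli 7" trace like the one above into an indented CLI script you can review or replay. The trace format ("<vdom index>: <command>") and the sample lines are assumptions modelled on the post's output.

```python
# Added example: convert a "diag debug cli 7" trace into an indented CLI script.
import re

# Constructed sample trace, modelled on the post's static-route example
# (the "set dst" value here is made up for illustration).
SAMPLE_TRACE = """\
0: config router static
0: edit 0
0: set device "VPN_Tunnel"
0: set dst 10.10.0.0 255.255.0.0
0: end
0: config router static
0: delete 16
0: end
"""

# Assumed line format: "<vdom index>: <cli command>"
LINE_RE = re.compile(r"^\s*(\d+):\s*(.*?)\s*$")


def parse_trace(text):
    """Return the bare CLI commands from a debug-cli trace, in order."""
    cmds = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2):
            cmds.append(m.group(2))
    return cmds


def to_script(cmds, indent="    "):
    """Indent commands by config/edit nesting so the result reads like a config file.
    FortiOS semantics assumed: "next" closes the current edit entry, "end" closes the
    innermost config block together with any edit entry still open inside it."""
    stack = []  # open "config"/"edit" blocks, innermost last
    out = []
    for cmd in cmds:
        word = cmd.split(None, 1)[0]
        if word == "next" and stack and stack[-1] == "edit":
            stack.pop()
        elif word == "end":
            while stack:
                if stack.pop() == "config":
                    break
        out.append(indent * len(stack) + cmd)
        if word in ("config", "edit"):
            stack.append(word)
    return "\n".join(out)
```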

Monday, December 10, 2012

External Images in Replacement Messages

If you are using web filtering and would like to host your images on an external server rather than using the built-in ones in FortiOS, here is a small config sample to make that happen.

config system replacemsg http "url-block"
    set buffer "<BODY>

<center><img src=\"\" alt=\"Example Logo\"/>            <img src=\"\" alt=\"Logo\"/></center>

<center><H1><FONT color=#ff0000 size=6>Access Restricted by Web Access Policy </FONT></H1></center>

<P><B><FONT size=4>The website you are trying to access has been
restricted because it does not fall within the business scope of Example Company. All websites have been categorized through third party software. The categories are generalized and the website you are attempting to access may be blocked in error. Please email <a href=\"\"><B>Security Operations</B></a> for any questions.</FONT></B></P>

<div style=\"padding:10px 10px;border:1px solid black;\">
<FONT color=#ff0000 size=5><B><center>To access web-based mail, online file sharing, or internal company sites please use the browser in your Start menu.</B></center></FONT>
</div>
</BODY>"
    set header http
    set format html
end

Thursday, December 6, 2012

FortiAnalyzer - System Registration

If you are running FortiAnalyzer and start feeding it logs from Fortigates, they will (depending on your settings) automatically register and show up in your device view. By default they appear in the format "hostname_serialnumber".
If you have a hostname configured on your Fortigate but it only shows up under its serial number in FAZ, you may be running into a versioning issue, specifically if you are using FAZ 4.1 with FortiOS 4.3 devices reporting into it.
The reason is that in FortiOS 4.3 the firewalls by default try to encrypt their communication to the FortiAnalyzer, which FAZ 4.1 does not understand. To work around this, disable encryption for logging to FAZ on the Fortigate with the following commands:

# config log fortianalyzer setting
# set enc-algorithm disable
# end

Traffic Blocked by Policy ID 0

After upgrading to FortiOS 4.3 you may see an increase in the number of log entries that mention Policy ID 0. This is generally because extended traffic logging is enabled by default when upgrading to 4.3. Here are a couple of good knowledge base entries with more information.

Technical Note : other-traffic is changed to extended-traffic-log in FortiOS 4.0MR3 and enabled by default

FortiGate log information : traffic log with firewall policy of 0 (zero) "policyid=0"

Wednesday, December 5, 2012

Maximizing Performance with NPU Port Mappings

To get the most performance out of NPU-accelerated ports, keep traffic on the same NPU.
For example, if most of your traffic flows between your external and your DMZ interfaces (say you are hosting a lot of web servers), make sure that traffic stays on a single NPU rather than crossing between two.

To figure out which port is assigned to which NPU use the following command:

# get hardware npu <model> list

So if you have a model with NP4s, use:

# get hardware npu np4 list

Your output will be similar to the one below, depending on your firewall model.
In the example below you might want to connect port25 to the Internet and port26 to the DMZ to keep that traffic on a single NPU.

# get hardware  npu np4 list
ID      Model           Slot            Interface
0       On-board                        port1 port2 port3 port4
                                        port5 port6 port7 port8
                                        port9 port10 port11 port12
                                        port13 port14 port15 port16
                                        port17 port18 port19 port20
                                        port21 port22 port23 port24
1       On-board                        port25 port26 port27 port28
                                        port29 port30 port31 port32
                                        port33 port34 port35 port36
                                        port37 port38
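As an added example (not part of the original post), this script parses the "get hardware npu np4 list" output above into a port-to-NPU map and flags interface pairs whose traffic would cross NPUs. The column layout (ID, Model, Slot, Interface, with continuation rows indented) and the sample below are assumptions modelled on the post's output.

```python
# Added example: find which interfaces share an NPU from "get hardware npu np4 list".
import re

# Constructed sample, shaped like the post's output (shortened).
SAMPLE_NPU_LIST = """\
ID      Model           Slot            Interface
0       On-board                        port1 port2 port3 port4
                                        port5 port6 port7 port8
1       On-board                        port25 port26 port27 port28
                                        port29 port30
"""

# Assumed row format: "<ID> <Model> [<Slot>] <interface names...>"
ROW_RE = re.compile(r"^(\d+)\s+\S+\s+(.*)$")


def parse_npu_list(text):
    """Map each interface name to the NPU ID that owns it.
    Rows starting with a number open a new NPU; indented rows continue the last one.
    A purely numeric Slot value (assumption) is skipped since interface names contain letters."""
    ports = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("ID"):
            continue
        m = ROW_RE.match(line)
        if m:
            current = int(m.group(1))
            names = m.group(2)
        elif line[0].isspace() and current is not None:
            names = line
        else:
            raise ValueError("unexpected line: %r" % line)
        for name in names.split():
            if name[0].isalpha():
                ports[name] = current
    return ports


def same_npu(ports, a, b):
    """True if both interfaces sit on the same NPU (the post's performance rule)."""
    if a not in ports or b not in ports:
        raise KeyError("interface not listed as NPU-accelerated")
    return ports[a] == ports[b]


def cross_npu_pairs(ports, pairs):
    """Return the (src, dst) interface pairs whose traffic would cross between NPUs."""
    return [(a, b) for a, b in pairs if not same_npu(ports, a, b)]
```

Feed it the real command output and the interface pairs from your busiest policies; any pair it returns is a candidate for re-cabling onto one NPU.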