Tuesday, December 24, 2013

New Book - Getting Started with Fortigate

I recently had the chance to work with Fabrizio on a new book he was writing. Go ahead and check it out. Yours truly served as a technical reviewer :)

Getting Started with FortiGate

Thursday, December 5, 2013

Get a 'grep' on your config

I search configs a lot via the CLI. This saves time and sometimes downloading a config and searching it in Notepad++ is not an option.
When looking for particular pieces of a config you can use the UNIX-style "grep" command to filter the output, for example:

# show | grep
  set ip

Great. Now we know that there is a line that contains the IP address. But where in the config is it? In FortiOS 5.0 the "FortiOS context" switch was introduced which helps in tracking this down.

# show | grep -f
config system interface
    edit "port10"
        set vdom "root"
        set ip <---
        set type physical
        set snmp-index 10

Notice that when using the -f switch the firewall shows the entire "context" that the string is used in. Also there's a handy little arrow on the right which points out where in the context the string exists.
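To make it clearer what the -f context search is doing, here is an added Python script (not from the original post, and not Fortinet's code) that applies the same idea to a saved config file: it tracks the config/edit nesting as it reads the file, and for every line containing the search string it prints the enclosing section with the same <--- marker. The config excerpt embedded in the script is constructed for the example, and its interface names and addresses are made up.

```python
import sys

# Constructed FortiOS-style config excerpt (names and addresses made up for
# this example; not taken from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "port10"
        set vdom "root"
        set ip 192.0.2.10 255.255.255.0
        set type physical
        set snmp-index 10
    next
    edit "port11"
        set vdom "root"
        set ip 198.51.100.1 255.255.255.0
        set type physical
        set snmp-index 11
    next
end
config router static
    edit 1
        set gateway 192.0.2.1
        set device "port10"
    next
end
"""


def _mark(line, needle):
    """Append the CLI-style arrow to a line that contains the search string."""
    return line + " <---" if needle in line else line


def find_context(config_text, needle):
    """Return one block per config/edit section that contains `needle`.

    Each block is a list of lines laid out like FortiOS `show | grep -f`:
    the header lines of every enclosing section, then the body of the
    innermost section, with ' <---' appended to each line that matched.
    """
    stack = []    # open sections, innermost last: [header_line, body_lines]
    blocks = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config ") or line.startswith("edit "):
            stack.append([raw, []])          # a new section opens
        elif line in ("next", "end"):
            if not stack:
                continue                     # tolerate an unbalanced dump
            header, body = stack.pop()       # the innermost section closes
            if needle in header or any(needle in b for b in body):
                block = [h for h, _ in stack]          # enclosing headers
                block.append(_mark(header, needle))
                block.extend(_mark(b, needle) for b in body)
                blocks.append(block)
        elif stack:
            stack[-1][1].append(raw)         # a set/unset line in a section
    return blocks


def render(blocks):
    """Join the blocks the way the CLI prints them, one blank line apart."""
    return "\n\n".join("\n".join(b) for b in blocks)


if __name__ == "__main__":
    # Usage: python grep_context.py "set ip"   (searches the embedded sample)
    needle = sys.argv[1] if len(sys.argv) > 1 else "set ip"
    print(render(find_context(SAMPLE_CONFIG, needle)))
```

Only the innermost section is expanded, which is enough to tell which interface or route entry a stray address belongs to; to search a real backup, read the file's contents into `find_context` in place of the embedded sample.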

Monday, September 30, 2013

The Mad Scientist's Lab

From time to time I need to set up lab devices to troubleshoot particular scenarios. Since it is pretty impractical to have "one of each" I use a lot of virtualization technology for this. Here are some handy pointers if you have ever wanted to set up your own lab to test things out.

VMware vSphere Hypervisor

VMware ESXi is the free version of the popular hypervisor. You can load this on almost any hardware and have a system ready to host your virtual lab setup in minutes.

Fortigate / FortiAnalyzer / FortiManager

These and an increasing number of other Fortinet products are available in a VMware version. Head on over to the support site, look for the firmware images section and get yourself a copy. They are valid for 14 days as an evaluation version. Note that FortiOS is limited to a single VDOM when in eval mode.

Vyatta Router

To make things more realistic I tend to throw a router in between two firewalls. Vyatta has a free version of their routing software available which runs nicely inside the ESXi hypervisor. Their CLI is very Junos-like, so if you're already familiar with Juniper gear that helps immensely. It's significantly different from Cisco's IOS but well worth jumping into.

Thursday, September 12, 2013

Abort - Abort - Abort

Ever found yourself editing a config via the command line and you just noticed that you made a mistake? Wouldn't it be nice to not have to change everything back to the way it was before you commit with "next" or "end"? Simply use the "abort" command and it will kick you straight back to the main menu without making any changes.

Friday, September 6, 2013

Wireless Mesh Gotcha

FortiAP wireless access points have the ability to create a full mesh. This is a pretty nifty feature as described in the FortiOS Wireless Deployment Guide:

The access points of a WiFi network are usually connected to the WiFi controller through Ethernet wiring. A wireless mesh eliminates the need for Ethernet wiring by connecting WiFi access points to the controller by radio. This is useful where installation of Ethernet wiring is impractical. 

The AP that is connected to the network by Ethernet is called the Mesh Root node. It is configured with an SSID (also called a virtual access point or VAP) dedicated to backhaul communication with the remote FortiAP units. The backhaul SSID carries CAPWAP discovery, configuration, and other communications that would usually be carried on an Ethernet connection. Regular WiFi clients cannot connect to the backhaul SSID. They connect to the regular SSIDs carried on the access points.

The root node can be a FortiAP unit or the built-in AP of a FortiWiFi unit. APs that serve only regular WiFi clients are called Leaf nodes. Leaf APs that also carry the mesh SSID for more distant Leaf nodes are called Leaf/branch nodes.

In other words you can have the APs all wirelessly connected to each other and APs that are not wired into the network can backhaul their traffic via other APs. The requirement is that at least one of the APs in the chain is hard-wired to the network.

A small gotcha is that by default the wireless mesh uses its own internal IP addressing scheme. The default IP address for the full-mesh interface is I found this out the hard way because I have a VPN tunnel to a remote network which also uses 192.168.3.x/24. Looking at the routing table it was easy to see why I could no longer reach the remote VPN network after I had set up my new wireless access points.

FGT # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S    *> [5/0] via, wan1
C    *> is directly connected, Internal
S    * [1/0] is directly connected, FW_VPN_2_0
C    *> is directly connected, wl.mesh

There are two routes available in the routing database to, the ">" in front of the route shows which one has been selected as the active route. Simply changing the network of the mesh interface to something like will resolve the issue. This can be done in the GUI via "System -> Network -> Interfaces".
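The routing database makes the failure mode visible: two candidates for one prefix, and only the one marked ">" is used, so the VPN route is silently shadowed. As an added example (not part of the original post, and not Fortinet's tooling), the Python below parses output in the shape of `get router info routing-table database`, reports every prefix that has a shadowed candidate, and offers an overlap check to run against the existing prefixes before assigning a new mesh network. The sample routing-table text and all addresses in it are constructed.

```python
import ipaddress
import re

# Constructed sample in the shape of `get router info routing-table database`
# output (addresses made up; the "Codes:" legend lines are omitted here).
SAMPLE_RIB = """\
S    *> 0.0.0.0/0 [5/0] via 203.0.113.1, wan1
C    *> 10.0.0.0/24 is directly connected, Internal
S    * 192.168.3.0/24 [1/0] is directly connected, FW_VPN_2_0
C    *> 192.168.3.0/24 is directly connected, wl.mesh
"""

# code, flags (*, >, p), prefix, optional [AD/metric], next hop or
# "directly connected", interface
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z][A-Z0-9]*)\s+(?P<flags>[*>p]+)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s*"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+)?"
    r"(?:via\s+(?P<nexthop>[^,]+)|is directly connected),\s+(?P<iface>\S+)$"
)


def parse_routes(text):
    """Turn routing-database lines into dicts; legend and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        route = m.groupdict()
        route["prefix"] = ipaddress.ip_network(route["prefix"])
        route["selected"] = ">" in route["flags"]   # '>' marks the active route
        routes.append(route)
    return routes


def shadowed_routes(routes):
    """Map each prefix with more than one candidate to the interfaces of the
    selected route(s) and of the candidate(s) it shadows."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r["prefix"], []).append(r)
    result = {}
    for prefix, cands in by_prefix.items():
        if len(cands) < 2:
            continue
        result[str(prefix)] = {
            "selected": [r["iface"] for r in cands if r["selected"]],
            "shadowed": [r["iface"] for r in cands if not r["selected"]],
        }
    return result


def overlapping_networks(candidate, existing):
    """Pre-deployment check: which of the existing prefixes does the candidate
    network (for example a new mesh subnet) overlap?"""
    cand = ipaddress.ip_network(candidate)
    return [str(n) for n in map(ipaddress.ip_network, existing) if cand.overlaps(n)]


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_RIB)
    for prefix, info in shadowed_routes(routes).items():
        print(f"{prefix}: active on {info['selected']}, shadowed on {info['shadowed']}")
    in_use = [str(r["prefix"]) for r in routes]
    print("192.168.3.0/24 overlaps:", overlapping_networks("192.168.3.0/24", in_use))
```

Run against a pasted routing database, the shadowed-route report pinpoints exactly the situation in the post (the mesh interface's connected route winning over the static VPN route); the overlap check is the cheaper step to take before plugging in new APs or bringing up a new tunnel.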

Friday, August 30, 2013

Backing up the entire config with VDOMs enabled

When you have Virtual Domains (VDOMs) enabled on a Fortigate and you want to create a backup from the command line, make sure you use the following commands:

#config global
#exec backup full-configuration

Using "exec backup config" will only back up your current context, i.e. Global or the current VDOM.

Thursday, February 28, 2013

Enhanced Single Sign-On to Windows AD in FortiOS 5.0

FortiOS 5.0 brings with it an enhancement to how single sign-on can be performed in a Microsoft Active Directory environment.

In prior versions of FortiOS, agent software was needed on either a Domain Controller or a Member Server. There was a lot of pushback since many IT admins were not comfortable running third-party software on their critical AD servers. FortiOS 5.0 allows the firewalls to directly query the AD global catalog and event logs; the agents are now optional.

When a Windows AD user logs on at a workstation in a monitored domain, the FortiGate unit:
  • detects the logon event in the domain controller’s event log and records the workstation name, domain, and user
  • resolves the workstation name to an IP address
  • uses the domain controller’s LDAP server to determine which groups the user belongs to
  • creates one or more log entries on the FortiGate unit for this logon event as appropriate

When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. The selection consists of matching the FSSO group or groups the user belongs to with the security policy or policies that match that group. If the user belongs to one of the permitted user groups associated with that policy, the connection is allowed. Otherwise the connection is denied.

(From the FortiOS 5.0 Authentication Guide)

Wednesday, February 13, 2013

Software Updates

Here's the latest and greatest.

FortiOS: 4.0 MR3 Patch 12, Build 656 (Just released)
(stable, recommended for production)

FortiOS: 5.0.1, Build 147
(recommended for limited deployment in production if you need cutting edge features)

Friday, January 25, 2013

FortiOS Cookbook

Here's a great guide for new Fortinet Admins. Updated for FortiOS 5 and with a yummy picture of FortiCake on the front :)