Fortigate

03/02/2016

Out of the box setup

Network

Port 1 / Internal interface – 192.168.1.99/24

DHCP is often enabled on port 1 / the internal interface

Change admin password

Default username: admin / <blank>

config system admin
 edit admin
  set password PASSWORD
 next
end

Switch modes

Two modes are available; choosing one needs to be done as a first step

Interface – Each internal interface acts as an L3 interface with its own IP

Switch – All internal interfaces work as an L2 switch

config system global
 set internal-switch-mode [interface|switch]
end

Licensing

Fortiguard provides updates and access to the different security services.

  • Package updates for Antivirus, IPS, etc – downloaded over HTTPS
  • Queries to Fortiguard servers for Web filter and Antispam – use UDP port 53 or UDP port 8888

Force registration:

exec update-now

Debug problems with the registration:

diag debug app update -1
diag debug en

Configuration basics

Interface

config system interface
 edit portX
  set ip X.X.X.X/M
  set allowaccess SERVICES
 next
end

SERVICES is a space-separated list of management services, e.g. https ssh ping

Logging

Check status:

get system status
config log disk setting
 get
end

If the status reports that the disk needs formatting:

execute formatlogdisk

Firewall Admin Operation

Reset admin password

  1. Physically restart the Fortigate device
  2. Through the console, log in within 14 seconds with the following information
    • user: maintainer
    • pass: bcpbSERIALNUMBER

Reference: http://docs.fortinet.com/uploaded/files/1708/Resetting_a_lost_admin_password.pdf

Reset to factory defaults

execute factoryreset

Export – Import configuration

The configuration file is model specific, although it can be edited (the first text line) so that it is accepted by other models.

Sequence keys

CTRL+L – clear screen

CTRL+C – Abort command and exit

Ping

execute ping-options source IP
execute ping IP
execute traceroute IP

The ping-options settings also apply to the execute traceroute command

Basic troubleshooting

show system interface
show system interface portX
show route static
show full-configuration
show full-configuration system interface portX

get system status
get system performance status
diagnose system session filter clear
diagnose system session filter dport PORT
diagnose system session filter dst IP
diagnose system session ?
diagnose system session list
diagnose system session clear

diagnose ip arp list
get router info routing-table all
get router info routing-table database
get router info kernel
diagnose ip address list

diagnose system session stat

diagnose debug crashlog read
diagnose debug rating

diagnose firewall statistics show
diagnose system top [refresh in s]
diagnose system top-summary
diagnose hardware deviceinfo nic portX

Add additional monitors to the GUI:

config system global
 set gui-utm-monitors enable
 set gui-?

Other commands

execute reboot


Logging and Monitoring

Types of Logs

  • Traffic Log – Traffic forward, local, invalid and multicast
  • Event Log – System, User, Network (Router, VPN, Wifi)
  • Security Log – Antivirus, Web Filter, IPS, etc

Display logs on the cli

exe log display
exe log filter

Alert emails to send emails based on log events

SMTP configuration needs to be done on the cli:

config system email-server
 set type custom
 set reply-to (email)
 set server (IP or FQDN)
 set port (connection port)
 set source-ip (interface ip)
 set authenticate [enable|disable]
 set security [none|starttls|smtps]
end

Alert email setup is done in the GUI

Packet Capture (CLI)

diag sniff packet interface 'filter' level
diag sniff packet any 'dst host 10.200.1.254' 4
diag sniff packet any 'host 10.200.1.254 and icmp' 4
diag sniff packet any 'tcp[13]&2==2' 4
diag sniff packet any 'host 10.200.1.254 and (port 21 or port ??)' 4

Level  – 1 to 6
Interface – physical or logical name

Export to a Wireshark CAP file – requires an external Perl script: http://kb.fortinet.com/kb/viewContent.do?externalId=11186
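As an added example (not the Fortinet script linked above), a small Python converter that turns level-3 sniffer output into a libpcap file Wireshark can open. The SAMPLE text is constructed in the layout of the sniffer output; it is not a real capture.

```python
import re
import struct
# Constructed sample in the layout of "diag sniff packet any '...' 3" output:
# one summary line per packet (relative timestamp first), then hex-dump lines
# "0xOFFSET<TAB> hex words<TAB>ascii". Not a real capture; checksums are not all valid.
SAMPLE = "\n".join([
    "interfaces=[any]",
    "filters=[host 10.200.1.254 and icmp]",
    "2.366875 10.200.1.10 -> 10.200.1.254: icmp: echo request",
    "0x0000\t 0009 0f09 0001 0009 0f0f 0003 0800 4500\t..............E.",
    "0x0010\t 003c 1c8b 0000 8001 059f 0ac8 010a 0ac8\t.<..............",
    "0x0020\t 01fe 0800 4d5a 0001 0001 6162 6364 6566\t....MZ....abcdef",
    "0x0030\t 6768 696a 6b6c 6d6e 6f70 7172 7374 7576\tghijklmnopqrstuv",
    "0x0040\t 7761 6263 6465 6667 6869\twabcdefghi",
])

HEADER_RE = re.compile(r"^(\d+\.\d+)\s+(.+)$")   # "2.366875 src -> dst: proto ..."
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+")           # "0x0010<TAB> 003c ..."

def parse_sniffer(text):
    """Return [(timestamp, summary, frame_bytes)] from level-3 sniffer output."""
    packets, ts, summary, chunks = [], None, None, []
    for line in text.splitlines():
        if HEX_RE.match(line):
            # columns are separated by a tab (or a run of spaces): offset, hex, ascii
            fields = re.split(r"\t|\s{2,}", line.strip())
            chunks.append(bytes.fromhex(fields[1].replace(" ", "")))
            continue
        m = HEADER_RE.match(line)
        if m:
            if summary is not None:          # flush the previous packet
                packets.append((ts, summary, b"".join(chunks)))
            ts, summary, chunks = float(m.group(1)), m.group(2), []
    if summary is not None:
        packets.append((ts, summary, b"".join(chunks)))
    return packets

def to_pcap(packets, snaplen=65535):
    """Serialize parsed packets as a classic libpcap file, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]
    for ts, _summary, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

if __name__ == "__main__":
    with open("fgt_capture.pcap", "wb") as f:
        f.write(to_pcap(parse_sniffer(SAMPLE)))
```

Timestamps in the sniffer output are relative to the start of the capture, so the pcap records start near epoch 0 unless the capture was taken with absolute timestamps.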


Packet flow debug

diag debug flow show function enable
diag debug flow show console enable
diag debug flow filter addr IP
diag debug flow filter port PORTNUM
diag debug enable
diag debug flow trace start 20

It is possible to combine the packet flow debug and sniffer outputs

Session information

diag sys session filter dst IP
diag sys session list


Packet Handling

Phase 1 – Ingress

  • Denial of service sensor
  • Packet integrity check
  • IPSec tunnel match
  • Destination NAT
  • Routing

Phase 2 – Stateful Inspection

  • Management Traffic
  • Policy lookup
    • Session tracking
    • Session helpers
    • SSL VPN
    • User Authentication
    • Traffic Shaping

Phase 3 – UTM Scanning

  • Flow-based inspection
    • IPS
    • Application Control
    • Email Filtering
    • Web Filtering
    • Antivirus
  • Proxy-based inspection
    • VoIP Inspection
    • Data Leak Prevention
    • Email Filtering
    • Web Filtering
    • Antivirus
    • ICAP

Phase 4 – Egress

  • IPSec
  • Source NAT
  • Routing


Inspection modes

  • Proxy based
  • Flow based


VPN

SSL VPN Access modes

  • Web-only – limited to a few protocols
  • Port Forward – based on proxy setup
  • Tunnel – Forti SSL client

IPSec

diag debug reset
diag vpn ike log-filter ?
diag debug application ike 255
diag debug enable
diag vpn tunnel list

Clustering

Electing the Master

HA Override disable

  • Monitored Ports
  • Greater Uptime
  • Greater Priority
  • Greater Serial #

Force failover:

Master> diagnose sys ha reset-uptime


HA Override enable

  • Monitored Ports
  • Greater Priority
  • Greater Uptime
  • Greater Serial #

Failback to the original master happens automatically when it is online again.
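An added Python model of the two election orders above (not Fortinet code): unit names and serials are constructed placeholders, and the 300 s uptime margin is an assumption taken from the default of the ha-uptime-diff-margin setting.

```python
from dataclasses import dataclass
from functools import reduce

@dataclass
class HaUnit:
    name: str
    ports_up: int   # monitored ports currently up
    uptime: int     # HA uptime in seconds, zeroed by "diagnose sys ha reset-uptime"
    priority: int   # HA priority (higher wins)
    serial: str     # placeholder serial; the real election compares serial numbers

def compare(a, b, override, uptime_margin=300):
    """Return whichever of a and b wins a head-to-head election."""
    def by_uptime():
        # assumption: uptime only decides when the difference exceeds the margin
        # (ha-uptime-diff-margin, 300 s by default)
        if abs(a.uptime - b.uptime) > uptime_margin:
            return a if a.uptime > b.uptime else b
        return None
    def by_priority():
        if a.priority != b.priority:
            return a if a.priority > b.priority else b
        return None
    if a.ports_up != b.ports_up:
        return a if a.ports_up > b.ports_up else b
    # override disabled: uptime before priority; enabled: priority before uptime
    for check in ((by_priority, by_uptime) if override else (by_uptime, by_priority)):
        winner = check()
        if winner is not None:
            return winner
    return a if a.serial > b.serial else b

def elect_master(units, override):
    """Reduce the cluster members pairwise to the unit that becomes master."""
    return reduce(lambda a, b: compare(a, b, override), units)

if __name__ == "__main__":
    a = HaUnit("A", 2, 100000, 128, "SERIAL-A")
    b = HaUnit("B", 2, 50000, 200, "SERIAL-B")
    print("override disabled:", elect_master([a, b], False).name)   # A (uptime)
    print("override enabled: ", elect_master([a, b], True).name)    # B (priority)
    a.uptime = 0                                                      # reset-uptime on A
    print("after reset-uptime:", elect_master([a, b], False).name)   # B
```

With override enabled, reset-uptime on the master changes nothing unless the priorities are equal, which is why the forced failover above is listed under the override-disabled case.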


Troubleshooting:

!check HA status
diagnose sys ha status
diagnose sys ha showcsum

!access to slave member from the master
execute ha manage ?
execute ha manage <HA_unit_index>

!check configuration synchronization
diagnose sys ha showcsum

IPS

Troubleshooting

diag test app ipsm <number>

SSL Inspection

To do full SSL inspection of servers you own (inbound traffic), the server's certificate and private key must be installed on the Fortigate, so that it can present the correct certificate to users accessing the system.

For clients accessing public SSL systems (outbound traffic), an SSL proxy CA certificate needs to be created and signed internally (no public CA will sign it). That local CA must also be installed on the clients (via AD GPO, for example); HTTPS pages will then load without a warning, but the certificates the clients see are issued by the internal CA rather than by the site's public CA.

Network Acceleration


Fortimanager / Fortianalyzer

Required ports: http://docs.fortinet.com/uploaded/files/1880/fortiGate_open_ports-52.pdf

Debug device discovery:

diagnose debug application depmanager 255
diagnose debug enable


References:

Quick Start Guide