
Tuesday, January 23, 2018

IPS error initiated by Fortigate firewall

In this case, we had a user who had no internet access and got this screen when web browsing.

We found that the Fortigate 60D we had was causing this.  The cause seems to have been multiple invalid DNS lookups.  We didn't find any error logs that suggested that problem, but this is what this IPS block is typically caused by.  In the end, we fixed this by changing the user's LAN IP address, but we also could have seen the blocked IP addresses via these commands from the CLI:

OS 5.0:
get user ban list

OS 5.2:
diagnose firewall ip_host list

To delete an entry, you'd enter this command:
diagnose firewall ip_host delete src4/src6

Example:
diagnose firewall ip_host delete src4 10.10.10.21

The information from this page came from here:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD36211


Thursday, March 23, 2017

How to remove entries from a Fortigate IPS block list

If you find that you've got an IP address on the block list that is incorrect, you can remove the entry via CLI.  From the CLI, you can run this command to get the list of blocked IP addresses:

diagnose firewall ip_host list

If the IP address 123.123.123.123 was on the block list, here's how you'd remove it:

diagnose firewall ip_host delete src4 123.123.123.123


Wednesday, March 22, 2017

Set up IPS on Fortigate firewall to block brute force RDP attacks

Like most people, my terminal servers are constantly being probed via brute force attacks trying to find a weak spot.  The better answer is to put the terminal server behind a VPN.  Short of that, I like setting up Duo Security for two factor authentication.  Another alternative (and perhaps in addition to Duo) is to detect and protect against brute force attacks on your firewall.

Here's how I configure that on my Fortigate firewall.

First, enable the Intrusion Prevention module (if not already done) in Config -> Features

Next, I enable the IPS rule for RDP brute force attacks. I set a threshold of 15 over 900 seconds (15 minutes) with a block duration of 259200 seconds (3 days).

Then go to the firewall policy that allows RDP traffic and apply the default IPS sensor to it.

That's all you need to do.  If you want to see which IP addresses have been blocked, go to Log & Report -> Security Log -> Intrusion Protection.
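To make the threshold and block duration above concrete, here is an added example (not FortiGate code) that models the rate-based rule over constructed RDP connection logs: more than 15 attempts from one source within 900 seconds quarantines that source for 259200 seconds, and slow probing that stays under the rate is left alone.

```python
# Added example (not FortiGate code): a sliding-window model of the IPS anomaly
# rule above, replayed over constructed log lines of the form "epoch src_ip dst_port".
from collections import defaultdict, deque

THRESHOLD = 15          # attempts tolerated per window (page: 15)
WINDOW = 900            # window length in seconds (page: 900 s = 15 min)
BLOCK_SECONDS = 259200  # quarantine length in seconds (page: 3 days)
RDP_PORT = "3389"


class BruteForceDetector:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, block=BLOCK_SECONDS):
        self.threshold, self.window, self.block = threshold, window, block
        self.attempts = defaultdict(deque)  # src_ip -> attempt timestamps in window
        self.blocked_until = {}             # src_ip -> epoch when quarantine ends

    def observe(self, ts, src_ip):
        """Record one attempt; return 'allow', 'block' (new) or 'blocked' (existing)."""
        expiry = self.blocked_until.get(src_ip)
        if expiry is not None:
            if ts < expiry:
                return "blocked"
            del self.blocked_until[src_ip]  # quarantine has expired, start fresh
            self.attempts[src_ip].clear()
        q = self.attempts[src_ip]
        q.append(ts)
        while q[0] <= ts - self.window:     # evict attempts older than the window
            q.popleft()
        if len(q) > self.threshold:         # more than 15 in 15 minutes -> quarantine
            self.blocked_until[src_ip] = ts + self.block
            q.clear()
            return "block"
        return "allow"

    def blocked(self, ts):
        """Sources still quarantined at time ts (what the block list would show)."""
        return sorted(ip for ip, exp in self.blocked_until.items() if ts < exp)


def replay(lines, detector=None):
    """Feed RDP attempts from log lines to the detector; return (verdicts, detector)."""
    det = detector or BruteForceDetector()
    verdicts = []
    for line in lines:
        ts, src, port = line.split()
        if port == RDP_PORT:                # only the RDP policy carries this sensor
            verdicts.append((src, det.observe(int(ts), src)))
    return verdicts, det


# Constructed sample: one host hammers RDP 16 times in 16 s, another connects twice.
SAMPLE_LOG = [f"{1000 + i} 203.0.113.5 3389" for i in range(16)] + [
    "1005 198.51.100.7 3389", "1010 198.51.100.7 3389", "1020 198.51.100.7 22"]
```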

Tuesday, August 4, 2015

Configuring Fortigate for VOIP phones behind it

These are the general steps for allowing VOIP phones behind a Fortigate to work properly.  Please also note these steps to put QoS on voice traffic for better performance.


  1. Open the Fortigate CLI from the dashboard.
  2. Enter the following commands in FortiGate’s CLI:
    1. config system settings
    2. set sip-helper disable
    3. set sip-nat-trace disable
    4. reboot the device
  3. Reopen CLI and enter the following commands – do not enter the text after //:
    1. config system session-helper
    2. show    //locate the SIP entry, usually 12, but can vary.
    3. delete 12     //or the number that you identified from the previous command.
  4. Disable RTP processing as follows:
    1. config voip profile
    2. edit default
    3. config sip
    4. set rtp disable
There might be other settings that you need to configure depending on the FortiOS version that you are using. If you continue encountering issues related to SIP ALG, please contact Fortinet Support.


Wednesday, August 27, 2014

Configuring VOIP priority on a Fortigate firewall

IMPORTANT NOTE - If you are sending your voice traffic over a route based IPSec VPN, the WAN interface you'll be referencing will be the name of the VPN interface (for example DCtoSF instead of WAN1).


I put together this list of CLI commands to enter on a Fortigate firewall to give VOIP traffic priority.  Some instructions may vary based on your setup, but I took most of these from Fortigate cookbooks and then fixed all the typos.  I use the CLI commands because the GUI (my preference) didn't have all the options where they were supposed to be in my test box.  I tested this on Fortigate 40C running version 5.0 of the firmware.

config firewall shaper traffic-shaper
edit voip
set maximum-bandwidth 1000
set guaranteed-bandwidth 800
set per-policy enable
set priority high
end


Then:

config firewall policy
edit 6
set srcintf internal
set srcaddr all
set dstintf wan1
set dstaddr all
set action accept
set schedule always
set service SIP
set traffic-shaper voip
set traffic-shaper-reverse voip
end


Please also note these steps for disabling SIP ALG and other processes to allow VOIP phones behind a Fortigate firewall.

Wednesday, August 13, 2008

allowing SRP on a BB server on an SBS Premium box

I'm documenting my own confusion here, as I know it'll come up later.

When creating a Blackberry Professional Express server, it needs to have SRP access to the Blackberry servers (port 3101). They have a test for this connectivity here:

c:\Program Files\RIM\BlackBerry Enterprise Server\Utility\BBSRPTEST.EXE

I was having trouble with getting port 3101 to connect to the RIM server, and then I thought I made some firewall changes to make it work - but even after disabling the firewall changes I made, it still worked - so I figure it worked without my assistance. For my own knowledge . . .

I opened up port 3101 outbound to all blackberry.net addresses and I made sure the SBS Internet Access Rule was set for all users and was not set to read only for FTP. I made these changes and then it worked. Then I disabled all these things, and it still worked. I have replicated this issue multiple times. Very strange.

This is what the test gives you when it's successful:

c:\Program Files\RIM\BlackBerry Enterprise Server\Utility>BBSrpTest.exe
NetworkAccessNode is srp.us.blackberry.net.
Attempting to connect to srp.us.blackberry.net (204.187.87.33), port 3101
Sending test packet
Waiting for response
Receiving response
Checking response
Successful