Showing posts with label fortinet. Show all posts

Tuesday, January 23, 2018

IPS error initiated by Fortigate firewall

In this case, we had a user who had no internet access and got this screen when web browsing.


We found that the Fortigate 60D we had was causing this.  The cause seems to have been multiple invalid DNS lookups.  We didn't find any error logs that suggested that problem, but this is what this IPS block is typically caused by.  In the end, we fixed this by changing the user's LAN IP address, but we also could have seen the blocked IP addresses via these commands from the CLI:

OS 5.0:
get user ban list

OS 5.2
diagnose firewall ip_host list

To delete an entry, you'd enter this command:
diagnose firewall ip_host delete src4/src6

Example:
diagnose firewall ip_host delete src4 10.10.10.21

The information from this page came from here:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD36211


Sunday, November 8, 2015

Setting up SNMP via CLI (for Fortigate 40C or lower)

The Fortigate 40C doesn't have a GUI method of enabling SNMP.  This is lame.  I use PRTG Traffic Grapher to monitor bandwidth usage.  I found CLI instructions here:
http://www.howtodo.co.il/?p=184

I made some slight adjustments and entered these CLI commands.

config system interface
    edit "internal"
        set allowaccess ping https ssh snmp fgfm
    next
end

config system snmp sysinfo
    set description "Enter your company name here"
    set location "Enter your company location here"
    set status enable
end

config system snmp community
    edit 1
        config hosts
            edit 1
                set interface "internal"
                set ip 0.0.0.0
            next
        end
        set name "public"
        set trap-v1-status enable
        set trap-v2c-status enable
    next
end
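The community block above grants any source host (ip 0.0.0.0) access under the default "public" name. As an added example that is not part of the original post, here is a small parser for the FortiOS-style config/edit/set/next/end syntax used throughout these posts, with a check that flags those two settings; the sample block is a constructed copy of the snippet above.

```python
# Added example: parse FortiOS CLI config text and flag weak SNMP settings.
import re

# Constructed sample: the snmp community block from the post, as entered.
SAMPLE = """
config system snmp community
    edit 1
        config hosts
            edit 1
                set interface "internal"
                set ip 0.0.0.0
            next
        end
        set name "public"
        set trap-v1-status enable
        set trap-v2c-status enable
    next
end
"""

def parse_fortios(text):
    """Parse nested config/edit blocks into dicts; 'set' values become lists."""
    root, stack, node = {}, [], {}
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = re.findall(r'"[^"]*"|\S+', line)      # keep quoted values whole
        key, args = words[0], [w.strip('"') for w in words[1:]]
        if key in ("config", "edit"):               # open a nested block
            child = {}
            node[" ".join([key] + args)] = child
            stack.append(node)
            node = child
        elif key in ("next", "end"):                # close the current block
            node = stack.pop()
        elif key == "set":
            node[args[0]] = args[1:]
    return root

def snmp_findings(text):
    """Return human-readable findings for weak snmp community settings."""
    findings = []
    communities = parse_fortios(text)["config system snmp community"]
    for cid, comm in communities.items():
        name = comm.get("name", [""])[0]
        if name in ("public", "private"):            # well-known default names
            findings.append(f"{cid}: default community name '{name}'")
        for hid, host in comm.get("config hosts", {}).items():
            if host.get("ip", [""])[0] == "0.0.0.0":  # no source restriction
                findings.append(f"{cid} {hid}: any host may query (ip 0.0.0.0)")
    return findings
```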

Tuesday, August 4, 2015

Configuring Fortigate for VOIP phones behind it

These are the general steps for allowing VOIP phones behind a Fortigate to work properly.  Please also note these steps to put QoS on voice traffic for better performance.


  1. Open the Fortigate CLI from the dashboard.
  2. Enter the following commands in FortiGate’s CLI:
    1. config system settings
    2. set sip-helper disable
    3. set sip-nat-trace disable
    4. reboot the device
  3. Reopen CLI and enter the following commands – do not enter the text after //:
    1. config system session-helper
    2. show    //locate the SIP entry, usually 12, but can vary.
    3. delete 12     //or the number that you identified from the previous command.
  4. Disable RTP processing as follows:
    1. config voip profile
    2. edit default
    3. config sip
    4. set rtp disable
There might be other settings that you need to configure depending on the FortiOS version that you are using. If you continue encountering issues related to SIP ALG, please contact Fortinet Support.


Saturday, July 4, 2015

Set internet failover on Fortigate 40C on firmware 5.2.3

On the Fortigate 40C, setting the dead gateway detection (aka WAN failover, aka link failover) can only be done by command line interface on firmware 5.2.3.

Why?  I have no idea.  But per support, here are the steps to create failover if WAN1 is your primary circuit:

config system link-monitor
edit 0
set srcintf "WAN1"
set server "8.8.8.8"
set protocol ping
set gateway-ip 0.0.0.0
set source-ip 0.0.0.0
set interval 5
set timeout 1
set failtime 5
set recoverytime 5
set ha-priority 1
set status enable
next
end



If you want to check status of the failover, here is the command:

diag sys link-monitor status


Wednesday, January 14, 2015

Enabling advanced features in Fortigate firmware 5.0

You can enable some hidden/advanced features in Fortigate OS 5.0 via System -> Config -> Features and turn on Advanced Routing.

In my case, I was looking for "dead gateway detection" so I could switch to my secondary ISP when my primary ISP failed, but the option wasn't there in Router -> Static -> Settings.  Once Advanced Routing was turned on, I had the option for dead gateway detection.

Thursday, June 24, 2010

Setting a Fortigate back to factory defaults using the console cable

The other day, I had lost connectivity to the Fortigate 50B that I had set up. Luckily, I had the console cable and a machine with a serial port that I could use. I was able to get into the CLI using that console cable and use these commands to set the device back to factory defaults:

Connect with a terminal program (like HyperTerminal or PuTTY)
using these settings:
8 bits
no parity
1 stop bit
9600 baud (the FortiGate-300 uses 115,000 baud)
Flow Control = None

log in as admin (perhaps with no password - perhaps with a password you set)

run this from the CLI:
exec factoryreset