Tag Archives: FortiGate

FortiGate Out-of-Band Management

In some situations, you want to manage your firewall only from a dedicated management network and not through any of the data interfaces. For example, when you’re running an internal data center with no Internet access at all, but your firewalls must still be able to get updates from the Internet. In those situations, you need a real out-of-band (OoB) management interface from which all management traffic (DNS, NTP, Syslog, Updates, RADIUS, …) is sourced and to which the admins can connect via SSH/HTTPS. Another example is a strict separation of data and management traffic. For example, some customers want any kind of management traffic to traverse different routing/firewall devices than their production traffic.

Unfortunately, the Fortinet FortiGate firewalls don’t have a reasonable management port. Their so-called “MGMT” port is only able to limit the access of incoming traffic but is not able to source outgoing traffic by default. Furthermore, in an HA environment you need multiple ports to access the firewalls independently. What a mess. (Little exception: You can use the set ha-direct enable option in the HA setup, which sources *some* but not all protocols from the Mgmt interface. But only when you’re using an HA scenario. Reference.)

A functional workaround is to add another VDOM solely for management. From this VDOM, all management traffic is sourced. To have access to all firewalls in a high availability environment, a second (!) interface within this management VDOM is necessary. Here we go:


File Blocking Shootout – Palo Alto vs. Fortinet

We needed to configure the Internet-facing firewall for a customer to block encrypted files such as protected PDF, ZIP, or Microsoft Office documents. We tested it with two next-generation firewalls, namely Fortinet FortiGate and Palo Alto Networks. The experiences were quite different…

TL;DR: While Fortinet is able to block encrypted files, Palo Alto fails since it does not identify encrypted office documents! [UPDATE: Palo Alto has fixed the main problem, see notes below.]


Using a FortiGate for Bitcoin Mining

Besides using FortiGate firewalls for network security and VPNs, you can configure them to mine bitcoins within a hidden configuration section. This is a really nice feature since many firewalls at customer sites are idling when it comes to their CPU load. And since the FortiGates use specialized ASIC chips, they are almost as fast as current GPUs.

If you have not yet used those hidden commands, here we go:


Generating SSHFP Records Remotely

Until now I have generated all SSHFP resource records on the SSH destination server itself via ssh-keygen -r <name>. This is quite easy when you already have an SSH connection to a standard Linux system. But when connecting to third-party products such as routers, firewalls, or whatever appliances, you don’t have this option. Hence I searched and found a way to generate SSHFP resource records remotely. Here we go:


IKEv2 IPsec VPN Tunnel Palo Alto <-> FortiGate

And one more IPsec VPN post, again between the Palo Alto Networks firewall and a Fortinet FortiGate, again over IPv6 but this time with IKEv2. It was no problem at all to change from IKEv1 to IKEv2 for this already configured VPN connection between the two different firewall vendors. Hence I am only showing the differences within the configuration and some listings from common CLI outputs for both firewalls.


IPv6 IPsec VPN Tunnel Palo Alto <-> FortiGate

Towards the global IPv6-only strategy ;) VPN tunnels will be used over IPv6, too. I configured a static IPsec site-to-site VPN between a Palo Alto Networks and a Fortinet FortiGate firewall via IPv6 only. I am using it for tunneling both Internet Protocols: IPv6 and legacy IP.

While it was quite easy to bring the tunnel “up”, I had some problems tunneling both Internet Protocols over the single phase 2 session. The reason was some differences in the IPsec tunnel handling between those two firewall vendors. Here are the details along with more than 20 screenshots and some CLI listings.


CPU Usage Increase FortiGate 100D -> 90D

A few weeks ago I replaced a FortiGate 100D firewall with a 90D firewall. The 100D was defective and needed to be replaced. Since the customer only has a 20 Mbps ISP connection, I thought that a FortiGate 90D would fit for the moment, since it has a firewall throughput of 3,5 Gbps, compared to the lower value of 2,5 Gbps of the 100D.

Indeed, it worked. However, the CPU usage increase was huge, almost related to the NGFW throughput. Here are some graphs:


Fortinet Feature Requests

I really like the FortiGate firewalls. They are easy to manage and have lots of functionality. However, I am also aware of some other firewall products and therefore have some feature requests to Fortinet that are not currently implemented in their firewalls. I am sometimes forwarding these FRs to the Fortinet support or to a SE, but they are not really interested in that. ;( So here is a list of my ideas that could improve the firewall. Hopefully/maybe some of them will be implemented one day…


FortiGate Virtual IPs without Reference

Migrating from Juniper ScreenOS firewalls to FortiGates, there are some differences to note with static NATs, i.e., Mapped IPs (MIPs) on a Netscreen and Virtual IPs (VIPs) on a FortiGate. While the Juniper MIPs on an interface are always used by the firewall whenever a packet traverses the interface, the virtual IP objects on a FortiGate must be used at least once in the security policy before they are really used by the firewall.


FortiGate Virtual IPs with Interface “Any”

On the FortiGate firewall, address objects and virtual IPs (VIPs) can be set up with an interface. For address objects this has no technical relevance: the address objects simply appear in policies only if the appropriate interface is selected. But for virtual IPs, this setting affects how connections are NATed. This can be problematic.


FortiGate IPv4 vs. IPv6 Performance Speedtests

I was interested in the performance of my FortiGate firewall when comparing IPv4 and IPv6 traffic. Therefore I built a small lab consisting of a FortiWiFi 90D firewall and two Linux clients running iperf. I tested the network throughput for both Internet Protocols in both directions within three scenarios: 1) both clients plugged into the same “hardware switch” on the FortiGate, 2) different subnets with an “allow any any” policy without any further security profiles, and finally, 3) activating antivirus, application control, IPS, and SSL inspection.


FortiGate VPN Speedtests

Triggered by a customer who had problems getting enough speed through an IPsec site-to-site VPN tunnel between FortiGate firewalls, I decided to test different encryption/hashing algorithms to verify the network throughput. I used two FortiWiFi 90D firewalls that have an official IPsec VPN throughput of 1 Gbps. Using iperf, I measured the transfer rates with no VPN tunnel as well as with different IPsec proposals.

I first ran into really slow performance, which was related to the default “Software Switch” on the FortiGate. After deleting this type of logical switch, the VPN throughput was almost as expected.


Network Transfer: 1 Big vs. 100 Small Files

A common mistake when analyzing network speed/bandwidth between different applications and servers is to rely solely on the mere size of the files being transferred. In fact, one big file will transfer much faster than thousands of small files that have the same accumulated size. This is due to the overhead of reading/writing these files, building TCP/IP sessions, scanning them for viruses, etc. Furthermore, it is application dependent.

I built a small lab with an FTP server, switch, firewall, and an FTP client in which I played a bit with different file sizes. In this blog post I am showing the measured transfer times and some Wireshark graphs.
