Posts Tagged ‘Fortinet’

When a user connects by VPN to a Fortigate router, make sure they can access all subnets available to the router, not just the local one:

1. Added security policy – allow from SSL VPN interface to IPsec VPN

Name : SSL VPN to New Subnet

Incoming Interface : SSL-VPN tunnel interface ( ssl.root )

Outgoing Interface : %Interface of Site to Site VPN for Remote Site%

Source : SSL VPN Client Range / SSLVPN_Users

Destination Address : %new subnet%

Schedule : Always

Service : All

Action : Accept

NAT : Enabled ( to traverse the IPsec VPN as a local address (192.168.0.x) as opposed to the SSL VPN client range (192.168.1.x) )

IP Pool Configuration : Use Dynamic IP Pool and NAT Pool for SSL VPN Clients

2. Make sure you have the DHCP NAT pool range excluded from your onsite DHCP

3. Added New Subnet to routing address in SSL VPN portal – tunnel mode

VPN -> SSL VPN Portals

Tunnel Mode -> Enable Split Tunneling -> Routing Address


If a website is being blocked by the Fortinet web filter with the category

“newly observed domain”

this is because the category covers URLs whose domain name is not rated and was observed for the first time in the past 30 minutes.

You can wait 30 minutes, or you can use Web Rating Overrides to change the category from newly observed domain to an accepted category like Business and Finance.


Fortigate recently released an AV update for their Fortinet devices which blocks websites with the following error:

http://fortiguard.com/search?type=av&q=HTML%252FScrInject.B%2521tr

A few malware checks on the website show there is no virus or malware on this site.

A support case with Fortigate confirmed there was an error in their AV database, and they released an update 2 hours later.


The changes below were added.

  • Added TCP 5060 for SIP (as sometimes this can be TCP/UDP) for all WANs
  • RTP port range 6200 – 6214 added for inbound for all WANs
  • SIP domains allowed for inbound for all WANs

SIP ALG turn off – run the commands at the link below if it’s required. Best to test the phones after the above changes.

http://www.3cx.com/blog/docs/disable-sip-alg-on-fortigate/

 


A VPN for a new site had been working fine, however it disconnected and would not stay active.

Enabling Debug

diagnose debug application ike -1
diagnose debug enable

Disable Debug

diagnose debug reset
diagnose debug disable

Enabling debug produced the below sort of errors:

ike 0:VPN TTN:16877: ignoring unencrypted PAYLOAD-MALFORMED message from 41.224.14.131:500.
 ike 0:VPN TTN:VPN TTN P2: IPsec SA connect 50 41.224.244.77->41.224.14.131:0
 ike 0:VPN TTN:VPN TTN P2: using existing connection
 ike 0:VPN TTN:VPN TTN P2: config found
 ike 0:VPN TTN:VPN TTN P2: IPsec SA connect 50 41.224.244.77->41.224.14.131:500 negotiating
 ike 0:VPN TTN:16877:VPN TTN P2:17015: ISAKMP SA still negotiating, queuing quick-mode request
 ike 0:VPN TTN:16877: out 474981673AAFACE9D0216ED361A1081D05100201000000000000006C338C4B9F667E7DC90860B2541F716F185CF7E6B42813D02B34C11EFD6B7530644B6D91E5685CA6D1609DFDE30FEE4108D130782677BC3B12A27E544C7E11D2EA89BB51401C1919352C6A93D5CBEB590B
 ike 0:VPN TTN:16877: sent IKE msg (P1_RETRANSMIT): 41.224.244.77:500->41.224.14.131:500, len=108, id=474981673aaface9/d0216ed361a1081d
 ike 0: comes 41.224.14.131:500->41.224.244.77:500,ifindex=50....
 ike 0: IKEv1 exchange=Identity Protection id=474981673aaface9/d0216ed361a1081d len=256
 ike 0: in 474981673AAFACE9D0216ED361A1081D0410020000000000000001000A00008408413E837E46626B7A07879E99EC6B73BF71A99C00F3AF2A0B68B526FD2D3EBDC7AF274255283369206E877CA0EBB0A62257AF229F0600D85C90BF266C8852B2336E9CAFE8F0E7EF63E57CD1E28647A049BF6D1DFCD45C6C23B3F92A95B1EC29A0F9992FC4D78EB018DC54C903339121BCD535F9C9246BD2E62A787466485D980D000018C30B61834BB43EBC5839BC3F53695599BF7DCA4C0D00001412F5F28C457168A9702D9FE274CC01000D00000C09002689DFD6B7120D00001425E6C9CE61A0081DB8BA401A26766C19000000141F07F70EAA6514D3B0FA96542A500100
 ike 0:VPN TTN:16877: retransmission, re-send last message
 ike 0:VPN TTN:16877: retransmission, re-send last message


It turns out the remote site did not have a static IP address from its ISP; we need to get this set from the ISP and change the IPs each time.
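
An added example, not part of the original post: a small Python triage of the IKE debug lines above. It counts the phase 1 retransmissions per tunnel and records the gateway address the FortiGate is sending to, which is the address to compare with the remote site's current public IP. The event names and the `phase1_stuck` rule are assumptions of this example.

```python
import re
from collections import Counter

# Lines taken from the debug output above, with the hex packet dumps left out.
SAMPLE = """\
ike 0:VPN TTN:16877: ignoring unencrypted PAYLOAD-MALFORMED message from 41.224.14.131:500.
ike 0:VPN TTN:VPN TTN P2: IPsec SA connect 50 41.224.244.77->41.224.14.131:500 negotiating
ike 0:VPN TTN:16877:VPN TTN P2:17015: ISAKMP SA still negotiating, queuing quick-mode request
ike 0:VPN TTN:16877: sent IKE msg (P1_RETRANSMIT): 41.224.244.77:500->41.224.14.131:500, len=108, id=474981673aaface9/d0216ed361a1081d
ike 0: comes 41.224.14.131:500->41.224.244.77:500,ifindex=50....
ike 0:VPN TTN:16877: retransmission, re-send last message
ike 0:VPN TTN:16877: retransmission, re-send last message
"""

# Tunnel name follows "ike <n>:" directly; lines like "ike 0: comes ..." have none.
TUNNEL = re.compile(r"^\s*ike \d+:(\S[^:]*):")
# Destination of an outbound message, i.e. the configured remote gateway.
PEER = re.compile(r"->(\d{1,3}(?:\.\d{1,3}){3}):\d+")
EVENTS = {  # hypothetical event names mapped to strings seen in the output above
    "malformed_notify": "PAYLOAD-MALFORMED",
    "p2_waiting_on_p1": "ISAKMP SA still negotiating",
    "p1_retransmit": "sent IKE msg (P1_RETRANSMIT)",
    "peer_retransmit": "retransmission, re-send last message",
}

def triage(log):
    """Return {tunnel: {"events": Counter, "peers": set, "phase1_stuck": bool}}."""
    report = {}
    for line in log.splitlines():
        m = TUNNEL.match(line)
        if not m:
            continue
        t = report.setdefault(m.group(1), {"events": Counter(), "peers": set()})
        for name, needle in EVENTS.items():
            if needle in line:
                t["events"][name] += 1
        peer = PEER.search(line)
        if peer:
            t["peers"].add(peer.group(1))
    for t in report.values():
        ev = t["events"]
        # Assumption: phase 2 queued behind a retransmitting phase 1 means P1 never completed.
        t["phase1_stuck"] = ev["p1_retransmit"] > 0 and ev["p2_waiting_on_p1"] > 0
    return report

if __name__ == "__main__":
    for tunnel, info in triage(SAMPLE).items():
        print(tunnel, dict(info["events"]), sorted(info["peers"]), info["phase1_stuck"])
```
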

Users who SSL-VPN into the office need to route to a different subnet which is connected via an IPsec VPN.

You should already have an address set up for your SSL VPN users and an address for the remote site.

Add the below policies

Policy :

Incoming Interface <VPN interface to Remote Site>
Source Address VPN all
Outgoing Interface ssl.root
Destination Address SSLVPN_TUNNEL_ADDR1
Schedule Always
Service all
Action Accept

Policy :

Incoming Interface ssl.root
Source Address VPN SSLVPN_TUNNEL_ADDR1
Outgoing Interface <VPN interface to Remote Site>
Destination Address all
Schedule Always
Service all
Action Accept
Enable NAT
Use Dynamic IP Pool and Create a pool (<IP of Fortigate>-<IP of Fortigate>).


Users who could connect were no longer connecting to our Fortigate

If using VDOM use 

#conf Global

#diagnose sys top

Check for free memory usage (should not be over 80%)

Enable Debug for VPN

#dia debug en
#dia debug reset
#dia debug application sslvpn -1

Then connect the VPN, and check the logs for that user

Found : 

 “no more addresses” fortigate

#diagnose debug disable

#exec vpn sslvpn list

If using VDOM Use this before

#conf vdom

#edit Vdom Name 

Users were getting 4 addresses in the SSL VPN sessions instead of one, which was filling up the DHCP list

#fnsysctl ps

find the PID of sslvpnd

#diag sys kill 11 <pid>

VPN Service will restart Automatically.

 


Compatibility of 3G/4G USB modems can be found here:

Configuring Modems on the FortiGate

There is always a time when an ISP doesn’t deliver internet to the premises, so the office is without Internet. Thanks to 4G connections you can pipe internet out through that; however, most VPNs need static IPs, which you don’t get with 4G / 3G cards. Fortinet provides a DDNS service for this problem per: http://video.fortinet.com/video/99/site-to-site-ipsec-vpn-setup-with-dynamic-interface ; however, some providers assign IPs on their private network ( Telstra ), so you need to put the VPN in aggressive mode and authenticate with a passkey.

Here is the config to get the VPN working on a Fortinet firewall.

See here how to get the Modem working : http://pariswells.com/blog/fixes/fortinet-60d-model-with-telstra-sierra-wireless-320u

Remote Office VPN Config

config vpn ipsec phase1
    edit "VPN"
        set interface "modem"
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw **IP-Address of remote-gw**
        set psksecret ENC ***PASSKEY***
    next
end
config vpn ipsec phase2
    edit "192.168.10.0-192.168.11.0"
        set phase1name "VPN"
        set proposal aes128-sha1
        set keepalive enable
        set dhgrp 2
        set keylifeseconds 3600
        set src-subnet 192.168.16.0 255.255.255.0
        set dst-subnet 192.168.18.0 255.255.255.0
    next
end

 

Remote Office Firewall Config

config firewall policy
    edit 8
        set srcintf "wan1"
        set dstintf "modem"
        set srcaddr "192.168.16.0/24"
        set dstaddr "192.168.18.0/24"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set inbound enable
        set outbound enable
        set vpntunnel "VPN"
    next
    edit 4
        set srcintf "wan1"
        set dstintf "modem"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 5
        set srcintf "switch"
        set dstintf "modem"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 6
        set srcintf "switch"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 7
        set srcintf "wan1"
        set dstintf "switch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

 

 

Main Office

 

edit "VPN"
        set vdom "root"
        set type tunnel
        set snmp-index 25
        set interface "*INTERNET**"
    next

    edit "VPN"
        set type dynamic
        set interface "*INTERNET**"
        set keylife 28800
        set proposal aes128-sha1
        set comments "VPN"
        set dhgrp 2
        set psksecret ENC **passphrase**
    next
 
 
 
 
    edit "192.168.16.0-192.168.18.0"
        set phase1name "VPN"
        set proposal aes128-sha1
        set dhgrp 14 2
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.18.0 255.255.255.0
        set dst-subnet 192.168.16.0 255.255.255.0
    next
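
An added example, not from the original post or from Fortinet: a Python check that reads flat config/edit/next blocks like the ones above and lists Diffie-Hellman groups below 14, SHA-1 proposals, and accept policies whose source, destination and service are all set to all. Those three rules are this example's assumptions about what to review, and nested config blocks are not handled.

```python
import re

SAMPLE = """
config vpn ipsec phase1
    edit "VPN"
        set dhgrp 2
        set proposal aes128-sha1
    next
end
config firewall policy
    edit 8
        set action ipsec
    next
    edit 7
        set srcintf "wan1"
        set dstintf "switch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""  # constructed sample, trimmed from the remote-office config above

def parse(text):  # yields (section, entry, settings) for each flat edit/next block
    section, entry, settings = "", None, None
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if tok[0] == "config":
            section = " ".join(tok[1:])
        elif tok[0] == "edit":
            entry, settings = " ".join(tok[1:]), {}
        elif tok[0] == "set" and settings is not None and len(tok) > 2:
            settings[tok[1]] = tok[2:]  # values kept as a list, e.g. "dhgrp 14 2"
        elif tok[0] == "next" and settings is not None:
            yield section, entry, settings
            settings = None

def audit(text, min_dh=14):
    """Return (section, entry, issue) tuples; the rules are this example's assumptions."""
    out = []
    for section, entry, s in parse(text):
        if section.startswith("vpn ipsec phase"):
            out += [(section, entry, "dhgrp " + g) for g in s.get("dhgrp", []) if g.isdigit() and int(g) < min_dh]
            out += [(section, entry, "proposal " + p) for p in s.get("proposal", []) if p.endswith("sha1")]
        elif section == "firewall policy" and s.get("action") == ["accept"]:
            path = "->".join(s.get(k, ["?"])[0] for k in ("srcintf", "dstintf"))
            if all(s.get(k, [""])[0].lower() == "all" for k in ("srcaddr", "dstaddr", "service")):
                out.append((section, entry, "any/any/ALL accept " + path))
    return out
```

Running `audit()` over a saved copy of the full configuration also covers the main-office phase 2 entry, where `set dhgrp 14 2` still offers group 2.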

 

USB compatibility can be found here: http://docs.fortinet.com/uploaded/files/2440/fortigate-modem-compatibility-matrix.pdf

A Fortinet device does not recognise a Sierra Wireless 320U IMEI, so you will need the following config

config system lte-modem
    set status enable
    set apn "Telstra.internet"
end
config system modem
    set status enable
    set auto-dial enable
    set connect-timeout 30
    set wireless-port 4
    set phone1 "*99#"
    set extra-init1 "at+cgdcont=1,\"IP\",\"telstra.internet\""
    set extra-init2 "at+cgdcont=1,\"IP\",\"telstra.internet\""
    set altmode disable
end
config system 3g-modem custom
    edit 1
        set vendor "Sierra Wireless"
        set model "320U"
        set vendor-id 1199
        set product-id 68aa
    next
end

Enable 4G/LTE:

#config system global
#set usb-lte enable
#end

Troubleshooting:

#diagnose sys modem detect wireless
#diagnose sys modem external-modem

 
