Posts Tagged ‘Fortigate’

You have a device connected to a router (a FortiGate in this case) with two IPs on different subnets.

Solutions

 

  1. Add a new WAN interface and enable ping and HTTPS administrative access on it.
  2. Add a new static route with the ISP's gateway as the gateway and the interface above as the device.
  3. Make sure the distance is the same as the existing WAN route's (with a different distance only the lower-distance route is installed, so the new route will not appear in the routing table).
  4. Ping the ISP gateway from the CLI.
  5. Test inbound access to HTTPS (on the right port).
  6. Add inbound and outbound policies for the new interface.
  7. Give the new route a lower priority value than the existing WAN route while testing (FortiOS prefers the route with the lower priority value); when ready, set it to match the existing route's priority so both links are used.
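The seven steps above as one FortiOS CLI session. This is an added example, not configuration from the original post; the interface name "wan2", the ISP addresses (198.51.100.2/29, gateway 198.51.100.1), the LAN interface "internal", the internal web server 10.0.0.10 and the existing wan1 route's distance 10 / priority 10 are all assumed. Lines beginning with # are explanatory and are not meant to be pasted.

```text
# 1. New WAN interface with ping and HTTPS administrative access
config system interface
    edit "wan2"
        set ip 198.51.100.2 255.255.255.248
        set allowaccess ping https
        set role wan
    next
end

# 2-3. Default route via the new ISP gateway. Distance must match the
#      existing wan1 default route (assumed 10) or only the lower-distance
#      route is installed. Priority: lower value wins, so 5 makes wan2
#      preferred over wan1 (assumed 10) while testing; set it to 10 when
#      ready so both routes are used.
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 5
    next
end

# 4. Confirm the route is installed, then ping the gateway from wan2's address
get router info routing-table all
execute ping-options source 198.51.100.2
execute ping 198.51.100.1
execute ping-options reset

# 5. Inbound HTTPS test: forward TCP/443 arriving on wan2 to the internal server
config firewall vip
    edit "wan2-https-in"
        set extintf "wan2"
        set extip 198.51.100.2
        set mappedip "10.0.0.10"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

# 6. Policies for the new interface: inbound to the VIP only, outbound with NAT
config firewall policy
    edit 0
        set name "wan2-in-https"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "wan2-https-in"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 0
        set name "lan-out-wan2"
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The inbound policy deliberately uses the VIP as its destination and the single HTTPS service rather than "all"/"ALL", so that adding a second WAN port does not also open the whole LAN to it.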

This lets you make a change and, if it does not work (for example you lock yourself out), have the configuration rolled back automatically when the timeout expires. The timeout is in seconds, so 300 is five minutes:

config system global
set cfg-save revert
set cfg-revert-timeout 300
end

(Press Enter)

**Make Change**

If there is no issue, switch saving back to automatic before the timeout expires (or run execute cfg save); otherwise the change is reverted:

config system global
set cfg-save automatic
end


(Press Enter)


By default, FortiGates come with all their LAN ports grouped on a hardware switch. You might want to change this so you can use the ports as separate interfaces.

  1. Delete all policies attached to the LAN interface.
  2. Remove the DHCP server from the LAN interface.

Next, in the CLI, run the below. The switch is named "lan" on some models and "internal" on others, so check the name with show system virtual-switch before deleting it:

config system virtual-switch
delete lan
end

Recently a few users had the following bounce-backs from Office 365 to an on-prem mail server:

550 5.4.316 Message expired, connection refused (Socket error code 10061)

Checking the logs in Office 365, this was because the FortiGate had added some Office 365 SMTP servers to the IPS quarantine list.

Removing these servers from the quarantine and removing IPS inspection from the policy for Office 365 servers to the on-prem SMTP server resolved this. Check the IPS log for the signature that triggered the quarantine first: if it is a false positive, clearing the quarantine action on that one signature in the IPS sensor is a narrower fix than removing IPS from the policy altogether.

Recommended firmware: latest of the 5.6.x range (last edited 12/06/2019)

  1. Add the WAN port's interface bandwidth widget to the dashboard
  2. Enable device detection on LAN interfaces
  3. Always use proxy-based inspection mode
  4. Configure DoS policies
  5. System -> Settings -> enable SNMP for monitoring
  6. Activate the license and FortiCloud

Feature List
  1. Add a VPN profile on both sides with the same pre-shared key.
  2. Add static routes on both sides to each other's subnets via the VPN interface created in step 1.
  3. Add policies:

WAN -> VPN interface created in step 1 (without NAT)

VPN interface created in step 1 -> all (without NAT)
***********

DES and 3DES do not need as strong a DH group; however, DES and 3DES should never be used unless you are under an encryption restriction imposed by your country. AES should use a stronger DH group. If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman group 19 or 20. If you are using algorithms with a 256-bit key or higher, use Diffie-Hellman group 21. RFC 5114 section 4 puts the strength of DH group 24 at about that of a 2048-bit modular key, which is not enough to protect 128- or 256-bit AES, so stay away from group 24.
