Posts Tagged ‘Fortigate’

The normal way you would switch a service over to a specific internet connection is with Policy Routes; however, you can't define services such as just HTTPS.

SD-WAN would be able to force specific application traffic out a given link; however, you can also do this with an outbound NAT rule, declaring the IP of the internet connection you want to use in the IP Pool configuration.
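The configuration below is an added example of the IP Pool approach described above; it is not from the original post. All names and addresses are assumptions: "lan" is the inside interface, "wan2" is the internet connection to use, and 203.0.113.10 (a documentation-range address, constructed here) is that connection's public IP.

```fortios
# Added example, not from the original post. Assumed: "lan", "wan2" and
# 203.0.113.10 (constructed documentation-range address) are placeholders.

# IP pool holding the public address of the connection we want HTTPS to leave from
config firewall ippool
    edit "wan2-https-pool"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# Outbound policy that matches only the HTTPS service and NATs it to the pool
config firewall policy
    edit 0
        set name "https-via-wan2"
        set srcintf "lan"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set ippool enable
        set poolname "wan2-https-pool"
        set logtraffic all
    next
end
```

One caveat a practitioner should keep in mind: a FortiGate does its route lookup before policy lookup, so this policy only matches sessions that the routing table already sends out "wan2" (for example with equal-distance default routes, or a more specific route for the destination). You can confirm the translated source address with `diagnose sniffer packet wan2 'tcp port 443' 4`.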


Recently had a site-to-site tunnel randomly drop; the fix was to set npu-offload disable on the phase1 interface:

config vpn ipsec phase1-interface
    edit <tunnel-name>
        set npu-offload disable
    next
end


We were trying to allow access to activate Office 365 from a closed bubble, and deployed the application whitelists per below.

Upon Office activation we were still getting the below:


Looking at the block, in the end I had to whitelist the FQDN

fs-wildcard.microsoft.com.edgekey.net

And the following app:

The servers were using Protected View for IE, and IE was the default browser, so I also had to add https://login.microsoftonline.com/ to Trusted sites.
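As an added example (not the original post's configuration), here is how the FQDN whitelist above can be expressed as FortiGate address objects and a policy. The interface names "lan" and "wan1", the server subnet 192.168.10.0/24 and the object names are assumptions; fs-wildcard.microsoft.com.edgekey.net comes from the post, and login.microsoftonline.com (which the post adds to Trusted Sites) is included as a second FQDN object on the assumption that the activation flow also needs it.

```fortios
# Added example, not from the original post. Assumed names: "lan", "wan1",
# 192.168.10.0/24 (constructed) and all object names below.

config firewall address
    # The servers inside the closed bubble
    edit "o365-servers"
        set subnet 192.168.10.0 255.255.255.0
    next
    # FQDN objects: the FortiGate resolves these itself and matches the returned IPs
    edit "o365-fs-wildcard"
        set type fqdn
        set fqdn "fs-wildcard.microsoft.com.edgekey.net"
    next
    edit "o365-login"
        set type fqdn
        set fqdn "login.microsoftonline.com"
    next
end

config firewall addrgrp
    edit "o365-activation"
        set member "o365-fs-wildcard" "o365-login"
    next
end

# Allow only HTTPS from the bubble servers to the whitelisted names; everything
# else from the bubble is still caught by the implicit deny.
config firewall policy
    edit 0
        set name "allow-o365-activation"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "o365-servers"
        set dstaddr "o365-activation"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set logtraffic all
    next
end
```

Because the FortiGate matches an FQDN object against the addresses it resolved itself, the servers should use the same DNS path as the firewall; otherwise a CDN name such as the edgekey.net host can resolve to different IPs on each side and the traffic still lands in the block log. `diagnose firewall fqdn list` shows what the FortiGate currently has cached for each object.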


You have a device connected to a router (a FortiGate in this case) with two IPs on different subnets.

Solutions


  1. Add a new WAN interface, enabled for Ping and HTTPS
  2. Add a new static route with the ISP's gateway, using the interface above
  3. Make sure the distance is the same as the existing WAN interface's (without the same distance it won't appear in the routing table)
  4. Try to ping the ISP gateway from the CLI
  5. Test inbound access to HTTPS (on the right port)
  6. Add policies for the new interface, inbound and outbound
  7. Make sure the priority is lower than the existing WAN connection for testing; when ready, match the existing priority

This enables you to make a change and, if it doesn't work, have the config rolled back automatically when the timeout expires.

config system global
set cfg-save revert
set cfg-revert-timeout 300
end

(Press Enter)

**Make Change**

If there is no issue, then change back:

config system global
set cfg-save auto
end


(Press Enter)


In the new firmware, a new option was added to the GUI for saving configuration; previously this was CLI only.

Default is Automatic: changes apply as they are made.

Workspace: changes do not commit until saved manually. Workspace + Revert upon timeout: the FortiGate reboots and changes revert if they are not committed within the configured number of seconds. Very useful for remote changes that might cause loss of connectivity.

This adds a new Save option in the top-right corner of the GUI.
