Posts Tagged ‘Fortigate’

On the Fortigate , Create a new Interface and assign it to the Uplink of your internet or DMZ with a Vlan ID and Enable DHCP

Create a policy to allow outbound


On the Switch ( ours GS752TP ) that the access points plug into,  Tag the ports with the Vlan ID you created above, where your access points plug into as all as the port for the Uplink from the Switch to the Router

On your access points  ( Ours WNDAP360 ) create a new SSID and Tag these to the new VLAN ID

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Login to Fortigate WebUI

Go to System , then Administrators, Enable Trusted Hosts for the user account and add the IP/Subnet to the allow lists ( remember to do internal as well ) 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

When a user VPN into a Fortigate Router , make sure they can access all Subnet available to the router not just the local one :

  1. Added security policy – allow from SSL VPN interface to IPsec VPN  

Name : SSL VPN to New Subnet

Incoming Interface : SSL-VPN tunnlel Interface ( ssl.root ) 

Outgoing Interface – %Interface of Site to Site VPN for Remote Site%

Source : SSL VPN Client Range / SSLVPN_Users

Destination Address : %new subnet%

Schedule : Always

Service : ALl

Action : Accept

Nat : Enabled (  to traverse IPsec VPN as local address (192.168.0.x) as opposed to SSL VPN client range (192.168.1.x) 

IP Pool Configuration : Use Dymanic IP Pool and NAT Pool for SSL VPN Clients


2.  Make you have DHCP NAT pool Range excluded from your onsite DHCP 

3.Added New Subnet to routing address in SSL VPN portal – tunnel mode

VPN – > SSL VPN Portals

Tunnel Mode -> Enable Split Tunnelings -> Routing Address 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

If a website a being blocked from being viewed due to Fortinet web filter with the Category 

“newly observed domain” 

This is due to URLs whose domain name is not rated and were observed for the first time in the past 30 minutes. 

You can wait 30 minutes or you can use the Web Ratings Overrides below to change the category from newly observed domain to an accepted Category like Business and Finance

VN:F [1.9.22_1171]
Rating: 6.5/10 (6 votes cast)
VN:F [1.9.22_1171]
Rating: +1 (from 3 votes)

Fortigate have recently released an AV update on their Fortinet which blocks websites with the following error

A few malware checks on the website shows there are no virus of malware on this site

A Support case with Fortigate there was an error in their AV database and they released an update 2 hours later

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

So you’ve just got a TPG IP Line connection and they have sent you your IP , how do you set this up on your Fortigate or other router?

They would have sent you an IP with Netmask e.g. : 210.9.x.x/30

How do you set this up on your router?

Enter the IP in the Subnet Calculator with the mask bit e.g. 30 and it will give you the range you can work from

38.242.x.x will be the network address cannot be used as it used to identify where the network starts

38.242.x.x ( +1) Will be the ISP Gateway , you need this to add a static route on the foritgate for this WAN Port

38.242.x.x ( +2) Will be the IP address you need to set on your Foritgate


Next you will need to add a policy to allow all outbound from Lan to the new WAN Port


VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Below changes were added.

  • Added TCP 5060 for SIP(As sometimes this can be TCP/UDP) for all WANS
  • RTP port range 6200 – 6214 added for Inbound for all WANS
  • SIP domains allowed for Inbound for all WANS

SIP ALG turn off – Need to run below commands if it’s required. Best to test the phones after above changes.


en the Fortigate CLI from the dashboard and enter the following commands:

  • config system settings
  • set sip-helper disable
  • set sip-nat-trace disable
  • reboot the device

Re-open the CLI and enter the following commands:

  • config system session-helper
  • show    (locate the SIP entry, usually 12, but can vary)
  • delete 12    (or the number that you identified from the previous command)

Disable RTP processing as follows:

  • config voip profile
  • edit default
  • config sip
  • set rtp disable



config system settings
set default-voip-alg-mode kernel-helper-based

Important is that you need to configure it on all the VDOM`s
A reboot is not necessary, Clearing the sessions worked for us:

diagnose sys session filter
diagnose sys session filter dport 5060
diagnose sys session clear
diagnose sys session filter dport 2000
diagnose sys session clear


VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Users who SSL-VPN into the office need to route to a different subnet which is connected via an IPSEC VPN

You should already have Address Setup for your SSL VPN Users and Address for Remote Site

Add the below polices

Policy :

Incoming Interface <VPN interface to Remote Site>
Source Address VPN all
Outgoing Interface ssl.root
Destination Address SSLVPN_TUNNEL_ADDR1
Schedule Always
Service all
Action Accept

Policy :

Incoming Interface ssl.root
Outgoing Interface <VPN interface to Remote Site>
Destination Address all
Schedule Always
Service all
Action Accept
Enable NAT
Use Dynamic IP Pool and Create a pool (<IP of Fortigate>-<IP of Fortigate>).

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Users who could connect where no longer connecting to our Foritgate

If using VDOM use 

#conf Global

#diagnose sys top

Check for Free Memory Usage( Should not be over 80% ) 

Enable Debug for VPN

#dia debug en
#dia debug reset
#dia debug application sslvpn -1

Then Connect VPN , and check for logs for that user

Found : 

 “no more addresses” fortigate

#diagnose debug disable

#exec vpn sslvpn list

If using VDOM Use this before

#conf vdom

#edit Vdom Name 

Users where getting 4 Address in the SSL VPN Sessions instead of one which was filling up the DHCP List

#fnsysctl ps

find the PID of sslvpnd

#run diag sys kill 11 <pid>

VPN Service will restart Automatically.


VN:F [1.9.22_1171]
Rating: 10.0/10 (2 votes cast)
VN:F [1.9.22_1171]
Rating: +1 (from 1 vote)


316NYS8Bn9L[1]USB Compatibility can be found here

A fortinet device does not recognise a Sierra Wireless 320U IMEI , you will need the following config

config system lte-modem
    set status enable
    set apn “Telstra.internet”
config system modem
    set status enable
    set auto-dial enable
    set connect-timeout 30
    set wireless-port 4
    set phone1 "*99#"
    set extra-init1 "at+cgdcont=1,\"IP\",\"telstra.internet\""
    set extra-init2 "at+cgdcont=1,\"IP\",\"telstra.internet\""
    set altmode disable
config system 3g-modem custom
    edit 1
        set vendor "Sierra Wireless"
        set model "320U"
        set vendor-id 1199
        set product-id 68aa


Enable 4G/LTE:

#config system global
#set usb-lte enable


#diagnose sys modem detect wireless
#diagnose sys modem external-modem


Create a Policy allowing outbound through the Modem

Change the static route to via Modem

Make sure DNS is set on DHCP

VN:F [1.9.22_1171]
Rating: 8.0/10 (2 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)