Posts Tagged ‘Fortinet’

Recently I got hold of a Fortinet lab FG-100D. The fan in this unit runs at around 50 dB, which is not suitable for a lounge. The device is not licensed and is out of support, so I could ‘tweak’ it!

The quietest 4-pin 40mm x 20mm fan I could find (4-pin so it still sends speed feedback to the Fortinet, which can then adjust it) was an NF-A4x20 at 15 dB, though with much-reduced airflow!

The NF-A4x20 comes with a different fan plug than the Fortinet socket. The connector should match in size, but a little pressure helps the Fortinet socket accept it!

The good thing about this fan is that it also comes with an LNA (Low Noise Adapter), a cable that drops the fan's voltage and so its speed. The 100D also has two fan power headers. I was able to put the LNA on the original fan and then readjust the fans as below. I ran both for a week, but sometimes the old fan would whir up, so I ended up disconnecting the original and leaving just the NF-A4x20, and it has been stable!


Recently a few users had bounce-backs from Office 365 to an on-prem mail server with the error

‘550 5.4.316 Message expired, connection refused (Socket error code 10061)’

Checking the logs in 365, this was due to the FortiGate adding some Office 365 SMTP servers to the IPS quarantine list.

Removing these servers from the quarantine, and also removing IPS checking from the policy covering SMTP from the 365 servers to on-prem, resolved this.

Recommended firmware: latest of the 5.6.x range (last edited 12/06/2019)

Add the WAN port's interface bandwidth widget to the dashboard

Enable device detection on LAN interfaces

Proxy-based inspection always

DoS policies

System -> Settings -> Enable SNMP for monitoring

Activate the license and FortiCloud

Feature List

1) Add a VPN profile on both sides with the same pre-shared key


2) Add static routes on both sides to each other's subnets via the VPN connection interface created in step 1

3) Add policies:

WAN -> VPN connection interface created in step 1 (without NAT)

VPN connection interface created in step 1 -> All (without NAT)


***********

DES and 3DES do not need as strong a DH group, but DES and 3DES should never be used unless you are under a country-based encryption restriction. AES should use a stronger DH group. If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman group 19 or 20. If you are using encryption or authentication algorithms with a 256-bit key or higher, use Diffie-Hellman group 21. RFC 5114 Section 4 states that the strength of DH group 24 is about equal to a 2048-bit modular key, which is not strong enough to protect 128- or 256-bit AES, so you should stay away from group 24.


On the FortiGate

On the LAN interface (gateway address), enable SNMP.

Enable SNMP with your chosen community name.

Add the host IP of the local N-able agent/server polling the device.

In N-able

Import the following service templates for FortiGate:

ServiceTemplateExport

ServiceTemplateExport (1)

Add a new device via IP address (category: Router).

Add a Professional license so that you can query the device using SNMP.

Add the service templates to the device.


To access the secondary unit without changing the HA primary unit (which I would advise against if you are not sure of the VPN status), run the following:

execute ha manage 1

Log in with the credentials, then run:

diagnose vpn ike gateway

This lists all the current VPNs.

diagnose vpn tunnel stat

This checks how many are up.


On the FortiGate, create a new interface and assign it to the uplink of your internet or DMZ with a VLAN ID, and enable DHCP.

Create a policy to allow outbound traffic.

On the switch (ours is a GS752TP) that the access points plug into, tag the ports where your access points plug in with the VLAN ID you created above, as well as the port for the uplink from the switch to the router.

On your access points (ours are WNDAP360), create a new SSID and tag it to the new VLAN ID.
