When a user VPN into a Fortigate Router , make sure they can access all Subnet available to the router not just the local one :

1. Added security policy – allow from SSL VPN interface to IPsec VPN  

Name : SSL VPN to New Subnet

Incoming Interface : SSL-VPN tunnlel Interface ( ssl.root ) 

Outgoing Interface – %Interface of Site to Site VPN for Remote Site%

Source : SSL VPN Client Range / SSLVPN_Users

Destination Address : %new subnet%

Schedule : Always

Service : ALl

Action : Accept

Nat : Enabled (  to traverse IPsec VPN as local address (192.168.0.x) as opposed to SSL VPN client range (192.168.1.x) 

IP Pool Configuration : Use Dymanic IP Pool and NAT Pool for SSL VPN Clients

2.  Make you have DHCP NAT pool Range excluded from your onsite DHCP 

3.Added New Subnet to routing address in SSL VPN portal – tunnel mode

VPN – > SSL VPN Portals

Tunnel Mode -> Enable Split Tunnelings -> Routing Address 

• No Comments

If a website a being blocked from being viewed due to Fortinet web filter with the Category 

“newly observed domain” 

This is due to URLs whose domain name is not rated and were observed for the first time in the past 30 minutes. 

You can wait 30 minutes or you can use the Web Ratings Overrides below to change the category from newly observed domain to an accepted Category like Business and Finance

• No Comments

Fortigate have recently released an AV update on their Fortinet which blocks websites with the following error

http://fortiguard.com/search?type=av&q=HTML%252FScrInject.B%2521tr

A few malware checks on the website shows there are no virus of malware on this site

A Support case with Fortigate there was an error in their AV database and they released an update 2 hours later

• No Comments

Below changes were added.

• Added TCP 5060 for SIP(As sometimes this can be TCP/UDP) for all WANS
• RTP port range 6200 – 6214 added for Inbound for all WANS
• SIP domains allowed for Inbound for all WANS

SIP ALG turn off – Need to run below commands if it’s required. Best to test the phones after above changes.

en the Fortigate CLI from the dashboard and enter the following commands:

• config system settings
• set sip-helper disable
• set sip-nat-trace disable
• reboot the device

Re-open the CLI and enter the following commands:

• config system session-helper
• show    (locate the SIP entry, usually 12, but can vary)
• delete 12    (or the number that you identified from the previous command)

Disable RTP processing as follows:

• config voip profile
• edit default
• config sip
• set rtp disable

config system settings
set default-voip-alg-mode kernel-helper-based
end

Important is that you need to configure it on all the VDOM`s
 
A reboot is not necessary, Clearing the sessions worked for us:

diagnose sys session filter
diagnose sys session filter dport 5060
diagnose sys session clear
diagnose sys session filter dport 2000
diagnose sys session clear

• No Comments

A VPN for a new site had been working fine , however disconnected and would not stay Active

Enabling Debug

Source code
   
diagnose debug application ike -1
diagnose debug enable


Disable Debug

Source code
   
diagnose debug reset
diagnose debug disable

Produced the below sort of errors : 

Source code
   
ike 0:VPN TTN:16877: ignoring unencrypted PAYLOAD-MALFORMED message from 41.224.14.131:500.
 ike 0:VPN TTN:VPN TTN P2: IPsec SA connect 50 41.224.244.77->41.224.14.131:0
 ike 0:VPN TTN:VPN TTN P2: using existing connection
 ike 0:VPN TTN:VPN TTN P2: config found
 ike 0:VPN TTN:VPN TTN P2: IPsec SA connect 50 41.224.244.77->41.224.14.131:500 negotiating
 ike 0:VPN TTN:16877:VPN TTN P2:17015: ISAKMP SA still negotiating, queuing quick-mode request
 ike 0:VPN TTN:16877: out 474981673AAFACE9D0216ED361A1081D05100201000000000000006C338C4B9F667E7DC90860B2541F716F185CF7E6B42813D02B34C11EFD6B7530644B6D91E5685CA6D1609DFDE30FEE4108D130782677BC3B12A27E544C7E11D2EA89BB51401C1919352C6A93D5CBEB590B
 ike 0:VPN TTN:16877: sent IKE msg (P1_RETRANSMIT): 41.224.244.77:500->41.224.14.131:500, len=108, id=474981673aaface9/d0216ed361a1081d
 ike 0: comes 41.224.14.131:500->41.224.244.77:500,ifindex=50....
 ike 0: IKEv1 exchange=Identity Protection id=474981673aaface9/d0216ed361a1081d len=256
 ike 0: in 474981673AAFACE9D0216ED361A1081D0410020000000000000001000A00008408413E837E46626B7A07879E99EC6B73BF71A99C00F3AF2A0B68B526FD2D3EBDC7AF274255283369206E877CA0EBB0A62257AF229F0600D85C90BF266C8852B2336E9CAFE8F0E7EF63E57CD1E28647A049BF6D1DFCD45C6C23B3F92A95B1EC29A0F9992FC4D78EB018DC54C903339121BCD535F9C9246BD2E62A787466485D980D000018C30B61834BB43EBC5839BC3F53695599BF7DCA4C0D00001412F5F28C457168A9702D9FE274CC01000D00000C09002689DFD6B7120D00001425E6C9CE61A0081DB8BA401A26766C19000000141F07F70EAA6514D3B0FA96542A500100
 ike 0:VPN TTN:16877: retransmission, re-send last message
EBDC7AF274255283369206E877CA0EBB0A62257AF229F0600D85C90BF266C8852B2336E9CAFE8F0E7EF63E57CD1E28647A049BF6D1DFCD45C6C23B3F92A95B1EC29A0F9992FC4D78EB018DC54C903339121BCD535F9C9246BD2E62A787466485D980D000018C30B61834BB43EBC5839BC3F53695599BF7DCA4C0D00001412F5F28C457168A9702D9FE274CC01000D00000C09002689DFD6B7120D00001425E6C9CE61A0081DB8BA401A26766C19000000141F07F70EAA6514D3B0FA96542A500100
 ike 0:VPN TTN:16877: retransmission, re-send last message


Turns out the remote site did not have a static IP Address from it's ISP , we need to get this set from the ISP and change the IP's each time

• No Comments

Users who SSL-VPN into the office need to route to a different subnet which is connected via an IPSEC VPN

You should already have Address Setup for your SSL VPN Users and Address for Remote Site

Add the below polices

Policy :

Incoming Interface <VPN interface to Remote Site>
Source Address VPN all
Outgoing Interface ssl.root
Destination Address SSLVPN_TUNNEL_ADDR1
Schedule Always
Service all
Action Accept

Policy :

Incoming Interface ssl.root
Source Address VPN SSLVPN_TUNNEL_ADDR1
Outgoing Interface <VPN interface to Remote Site>
Destination Address all
Schedule Always
Service all
Action Accept
Enable NAT
Use Dynamic IP Pool and Create a pool (<IP of Fortigate>-<IP of Fortigate>).

• No Comments

Users who could connect where no longer connecting to our Foritgate

If using VDOM use 

#conf Global

#diagnose sys top

Check for Free Memory Usage( Should not be over 80% ) 

Enable Debug for VPN

#dia debug en
#dia debug reset
#dia debug application sslvpn -1

Then Connect VPN , and check for logs for that user

Found : 

 “no more addresses” fortigate

#diagnose debug disable

#exec vpn sslvpn list

If using VDOM Use this before

#conf vdom

#edit Vdom Name 

Users where getting 4 Address in the SSL VPN Sessions instead of one which was filling up the DHCP List

#fnsysctl ps

find the PID of sslvpnd

#run diag sys kill 11 <pid>

VPN Service will restart Automatically.

• 1 Comment

Compatibility of 3g/4G usb modems can be found here : 

Configuring Modems on the FortiGate

Always a time when an ISP doesn’t deliver internet to premises so the office is without Internet. Thanks to 4g connections , you can pipe internet out through that however most VPN’s need static IP’s which you don’t get with 4g / 3g cards. Fortinet provides a DDNS service for this problem per : http://video.fortinet.com/video/99/site-to-site-ipsec-vpn-setup-with-dynamic-interface , however some providers assign IP’s on their private network ( Telstra ) so you need to put the VPN in aggressive mode and authenticate with Passkey 

here is the config to get the VPN working on a Fortinet Firewall.

See here how to get the Modem working : http://pariswells.com/blog/fixes/fortinet-60d-model-with-telstra-sierra-wireless-320u

Remote Office VPN Config

Source code

config vpn ipsec phase1
    edit "VPN"
        set interface "modem"
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw **IP-Address of remote-gw**
        set psksecret ENC ***PASSKEY***
    next
end
config vpn ipsec phase2
    edit "192.168.10.0-192.168.11.0"
        set phase1name "VPN"
        set proposal aes128-sha1
        set keepalive enable
        set dhgrp 2
        set keylifeseconds 3600
        set src-subnet 192.168.16.0 255.255.255.0
        set dst-subnet 192.168.18.0 255.255.255.0
    next
end

Remote Office Firewall Config

Source code

config firewall policy
    edit 8
        set srcintf "wan1"
        set dstintf "modem"
        set srcaddr "192.168.16.0/24"
        set dstaddr "192.168.18.0/24"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set inbound enable
        set outbound enable
        set vpntunnel "VPN"
    next
    edit 4
        set srcintf "wan1"
        set dstintf "modem"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 5
        set srcintf "switch"
        set dstintf "modem"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 6
        set srcintf "switch"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 7
        set srcintf "wan1"
        set dstintf "switch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Main Office

Source code

edit "VPN"
        set vdom "root"
        set type tunnel
        set snmp-index 25
        set interface "*INTERNET**"
    nex
 
 
 
    edit "VPN"
        set type dynamic
        set interface "*INTERNET**"
        set keylife 28800
        set proposal aes128-sha1
        set comments "VPN"
        set dhgrp 2
        set psksecret ENC **passphrase**
    next
 
 
 
 
    edit "192.168.16.0-192.168.18.0"
        set phase1name "VPN"
        set proposal aes128-sha1
        set dhgrp 14 2
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.18.0 255.255.255.0
        set dst-subnet 192.168.16.0 255.255.255.0
    next

• No Comments

USB Compatibility can be found here http://docs.fortinet.com/uploaded/files/2440/fortigate-modem-compatibility-matrix.pdf

A fortinet device does not recognise a Sierra Wireless 320U IMEI , you will need the following config

Source code

config system lte-modem
    set status enable
 
    set apn “Telstra.internet”
 
 
config system modem
    set status enable
    set auto-dial enable
    set connect-timeout 30
    set wireless-port 4
    set phone1 "*99#"
    set extra-init1 "at+cgdcont=1,\"IP\",\"telstra.internet\""
    set extra-init2 "at+cgdcont=1,\"IP\",\"telstra.internet\""
    set altmode disable
end
config system 3g-modem custom
    edit 1
        set vendor "Sierra Wireless"
        set model "320U"
        set vendor-id 1199
        set product-id 68aa
    next

Enable 4G/LTE:

#config system global
#set usb-lte enable
#end

Troubleshooting:

#diagnose sys modem detect wireless
#diagnose sys modem external-modem

Create a Policy allowing outbound through the Modem

Change the static route to 0.0.0.0 via Modem

Make sure DNS is set on DHCP

• No Comments