Enable Fortigate local logging

For traffic logging to memory to work on the device you need these CLI commands. They change the severity level of the memory log filter from the default (warning) to informational:

config log memory filter
set severity information
end

If you also want to increase the maximum memory size for this log to 128 kB, use:

config log memory global-setting
set max-size 128000
end


Serial console connection from your Mac using a USB-to-serial adapter

First plug in your USB-to-serial adapter and find the device name using the Terminal program; mine is listed here:

ls /dev/tty.*

/dev/tty.usbserial-AH06ORK9

Then start the screen command with the device name and baud rate:

screen /dev/tty.usbserial-AH06ORK9 9600

If you want to keep a log of the session you can do so with:

Control-a H

When you're finished, exit with:

Control-a Control-\

Thanks to Jeff Huckaby at Rackaid for this nice post.


Blackhole Routing

OK, so you've created your IPsec VPN tunnels and added the corresponding static routes, but which path does the VPN traffic take if your tunnel is down?

Right, it uses the next best route in the routing table, and chances are this is your default route pointing to your internet router...

But luckily you added a blackhole route for this traffic in the GUI, which prevents this.


So next time your VPN tunnel is down, traffic will be dropped by the Fortigate instead of following your default route.

Or you can use the CLI for this:

config router static
edit 0
set blackhole enable
set dst 172.16.0.0/12
next
end
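As an added illustration (not from the original post), here is a small Python model of the route selection described above: longest prefix first, then lowest administrative distance, with a route through a down tunnel withdrawn from the table. The interface names and the distances (10 for the static route, 254 for the blackhole route) are assumptions.

```python
import ipaddress

# Constructed routing table modelled on the post: the static route through the
# VPN tunnel, the blackhole route from the CLI snippet, and the default route.
# Interface names are assumptions; distances follow the usual FortiOS values
# (10 for a static route, 254 for a blackhole route).
ROUTES = [
    {"dst": "172.16.0.0/12", "device": "vpn-branch", "distance": 10,  "blackhole": False},
    {"dst": "172.16.0.0/12", "device": None,         "distance": 254, "blackhole": True},
    {"dst": "0.0.0.0/0",     "device": "wan1",       "distance": 10,  "blackhole": False},
]

def lookup(dst_ip, routes, up_interfaces):
    """Pick the route for dst_ip: longest prefix wins, ties go to the lowest
    distance. A route whose interface is down is withdrawn from the table;
    blackhole routes have no interface and are therefore always present."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = []
    for r in routes:
        net = ipaddress.ip_network(r["dst"])
        if ip not in net:
            continue
        if not r["blackhole"] and r["device"] not in up_interfaces:
            continue
        candidates.append((net.prefixlen, -r["distance"], r))
    if not candidates:
        return None
    # sort on (prefixlen, -distance) only; the route dict itself is not comparable
    candidates.sort(key=lambda c: (c[0], c[1]), reverse=True)
    return candidates[0][2]

def forwarding_decision(dst_ip, routes, up_interfaces):
    """Human-readable outcome: forwarded via an interface, dropped, or no route."""
    r = lookup(dst_ip, routes, up_interfaces)
    if r is None:
        return "no route"
    return "drop (blackhole)" if r["blackhole"] else "forward via " + r["device"]

if __name__ == "__main__":
    # Tunnel down: with the blackhole route the packet is dropped; without it
    # the same packet would leave through the default route on wan1.
    print(forwarding_decision("172.20.1.10", ROUTES, {"wan1"}))
    no_blackhole = [r for r in ROUTES if not r["blackhole"]]
    print(forwarding_decision("172.20.1.10", no_blackhole, {"wan1"}))
```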


Troubleshooting Fortigate using CLI

First check if and how traffic enters the device, using the filter option of the packet sniffer.

Make sure traffic offloading to the NP (network processor) is disabled for the policy in question, otherwise offloaded packets are not seen by the sniffer or debug flow (revert this setting when done):

config firewall policy
   edit <policyID>
      set auto-asic-offload disable
   next
end

Using the FortiOS  packet sniffer

Assigned Internet Protocol numbers

Then check the flow through the firewall and find the policy ID:

Using debug flow

Find the system session and policy ID:

session info: proto=1 proto_state=00 duration=96 <snip>
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
<snip>
total session 2

Then use show firewall policy <id> to list the policy used for the traffic:

FGT60ELexThuis # show firewall policy 3
config firewall policy
edit 3
set name "Lex"
set uuid d42a3556-cb66-51e7-e20b-6be8577def0b
set srcintf "internal"
set dstintf "wan1"
set srcaddr "Lex zolder" "Laptop Lex" "PC Huiskamer"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set av-profile "Quick block"
set ips-sensor "protect_client"
set application-list "block-botnet-monitor"
set profile-protocol-options "custom-default"
set ssl-ssh-profile "certificate-inspection"
set nat enable
next
end
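Added example, not part of the original post: a Python parser for output in the shape of the session listing above that groups sessions by policy_id, so the number to feed to show firewall policy can be pulled out of a long listing. The sample listing is constructed to match that shape, not captured from a device.

```python
import re

# Constructed listing in the shape of `diagnose sys session list` output
# (not captured from a device); the fields mirror the snippet above.
SAMPLE_SESSION_LIST = """\
session info: proto=1 proto_state=00 duration=96 expire=59 timeout=0 flags=00000000
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
hook=post dir=org act=snat 192.168.1.34:1->8.8.8.8:8(10.0.0.2:60003)
session info: proto=6 proto_state=01 duration=12 expire=3599 timeout=3600 flags=00000000
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
hook=pre dir=org act=noop 192.168.1.40:51000->203.0.113.5:443(0.0.0.0:0)
total session 2
"""

KV = re.compile(r"(\w+)=(\S*)")

def parse_sessions(text):
    """Split the listing into one {field: value} dict per session. The first
    occurrence of a field wins, because real listings repeat hook=/dir=/act=
    once per traffic direction."""
    sessions, current = [], None
    for line in text.splitlines():
        if line.startswith("total session"):
            break
        if line.startswith("session info:"):
            current = {}
            sessions.append(current)
            line = line[len("session info:"):]
        if current is not None:
            for key, value in KV.findall(line):
                current.setdefault(key, value)
    return sessions

def sessions_by_policy(text):
    """Group sessions by policy_id, the number to look up with
    show firewall policy <id>; policy_id 0 means no policy matched."""
    groups = {}
    for s in parse_sessions(text):
        groups.setdefault(int(s.get("policy_id", "0")), []).append(s)
    return groups
```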


Fortigate Password recovery

https://docs.fortinet.com/uploaded/files/1708/Resetting_a_lost_admin_password.pdf

Via console access (9600,n,8,1):

Log on immediately after the login prompt with:

username: maintainer

password: bcpbFGT60E4Q16092486

(bcpb + serial number)

Change the old password with the following.

In a unit where VDOMs are not enabled:

config system admin
edit admin
set password <psswrd>
end
In a unit where VDOMs are enabled:

config global
config system admin
edit admin
set password <psswrd>
end
end


Reset to factory default with:

exec factoryreset


Fortigate Tips & Tricks

Switch to VDOMs:

GUI:

Dashboard > System > Virtual Domain

CLI:

config system global
  set vdom-admin enable
end

Select Global in the GUI and create VDOMs from there.

Set a dedicated management port in the root VDOM via Network > Interfaces.

Create VDOMs as needed, add interfaces and configure administrators.

Check the Cookbook for more info.


Ping sweep using command line

FOR /L %i in (1,1,255) do @ping -n 1 172.17.1.%i | find "TTL"

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\llu> FOR /L %i in (1,1,255) do @ping -n 1 172.17.1.%i | find "TTL"
Reply from 172.17.1.1: bytes=32 time=1ms TTL=255
Reply from 172.17.1.4: bytes=32 time=1ms TTL=255
Reply from 172.17.1.34: bytes=32 time<1ms TTL=128
Reply from 172.17.1.41: bytes=32 time<1ms TTL=128
Reply from 172.17.1.46: bytes=32 time<1ms TTL=128
Reply from 172.17.1.49: bytes=32 time<1ms TTL=128
Reply from 172.17.1.51: bytes=32 time<1ms TTL=128
Reply from 172.17.1.56: bytes=32 time=6ms TTL=128
Reply from 172.17.1.58: bytes=32 time=10ms TTL=128
Reply from 172.17.1.60: bytes=32 time<1ms TTL=128
Reply from 172.17.1.67: bytes=32 time<1ms TTL=128
Reply from 172.17.1.68: bytes=32 time<1ms TTL=128
Reply from 172.17.1.76: bytes=32 time<1ms TTL=128
Reply from 172.17.1.79: bytes=32 time<1ms TTL=128
Reply from 172.17.1.84: bytes=32 time<1ms TTL=128
Reply from 172.17.1.86: bytes=32 time<1ms TTL=128
Reply from 172.17.1.88: bytes=32 time<1ms TTL=128
Reply from 172.17.1.93: bytes=32 time<1ms TTL=128
Reply from 172.17.1.94: bytes=32 time<1ms TTL=128
Reply from 172.17.1.95: bytes=32 time=1ms TTL=128
Reply from 172.17.1.96: bytes=32 time=2ms TTL=128
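As an added example (not part of the original post), a Python parser for the Reply lines above that records each responding host's TTL and flags addresses missing from a known inventory. The TTL-to-platform mapping (64 Unix-like, 128 Windows, 255 network equipment) is a rough heuristic that assumes the hosts sit on the local segment, and the sample lines are constructed.

```python
import re

# Constructed lines in the shape of the Windows ping output above (not a real capture).
SAMPLE_OUTPUT = """\
Reply from 172.17.1.1: bytes=32 time=1ms TTL=255
Reply from 172.17.1.4: bytes=32 time=1ms TTL=255
Reply from 172.17.1.34: bytes=32 time<1ms TTL=128
Reply from 172.17.1.41: bytes=32 time<1ms TTL=128
Reply from 172.17.1.200: bytes=32 time=3ms TTL=64
Request timed out.
"""

REPLY = re.compile(r"Reply from (\d+\.\d+\.\d+\.\d+): bytes=\d+ time[<=](\d+)ms TTL=(\d+)")

def ttl_family(ttl):
    """Rough platform guess from the reply TTL, assuming the host is on the
    local segment so no router has decremented it (64 Unix-like, 128 Windows,
    255 network equipment)."""
    if ttl <= 64:
        return "unix-like"
    if ttl <= 128:
        return "windows"
    return "network-device"

def parse_sweep(text):
    """Return {ip: {'ttl': int, 'rtt_ms': int, 'family': str}} for every reply."""
    hosts = {}
    for ip, rtt, ttl in REPLY.findall(text):
        hosts[ip] = {"ttl": int(ttl), "rtt_ms": int(rtt), "family": ttl_family(int(ttl))}
    return hosts

def unexpected_hosts(text, inventory):
    """Responding addresses missing from the known asset list, in numeric order."""
    extra = set(parse_sweep(text)) - set(inventory)
    return sorted(extra, key=lambda ip: tuple(int(o) for o in ip.split(".")))
```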



Certificate types PEM, DER, PKCS#7 and PFX (PKCS#12)

PEM Format
PEM is the most common format in which Certificate Authorities (CAs) issue certificates. It is more widely used by Unix/Linux users.
If you see "Proc-Type" in a PEM file it means the block is encrypted; such files are also referred to as Base64-encoded DER certificates.
The public part is delimited by "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----", whereas the private part is delimited by "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----".
A PEM file can contain any or all of the client/server certificate, intermediate certificate, root CA and the private key.

  • They are Base64 encoded ASCII files
  • They have extensions such as .pem, .crt, .cer, .key
  • Apache and similar servers use PEM format certificates

DER Format
DER is the binary form of the ASCII PEM format. All types of certificates and private keys can be encoded in DER.
This format stores a single certificate and does not include the private key or the intermediate/root CA certificates.

  • They are Binary format files
  • They have extensions .cer and .der

DER is typically used on the Java platform.

PKCS#7
This format contains only a certificate or certificate chain and does not store the private key.
It is usually used by CAs to provide certificate chains to users.

PFX Format (PKCS#12)
PFX is a format for storing a server certificate, any intermediate certificates and the private key together in one encrypted file. PFX follows the Public Key Cryptography Standards (PKCS). The term PFX is used interchangeably with PKCS#12.
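Added example, not from the original post: a Python format sniffer that applies the rules above, reading PEM labels and the Proc-Type header to tell certificates, keys, encrypted keys and PKCS#7 blocks apart, and falling back to a DER check on binary input. The sample bundle is constructed with placeholder Base64 bodies, not real key material.

```python
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[^-]+)-----\n(?P<body>.*?)-----END (?P=label)-----", re.S)

# Constructed sample bundle (not real key material): the Base64 bodies are
# placeholders, which is all a format sniffer needs to look at.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAV2gAwIBAgIUAAAA\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "MIIEowIBAAKCAQEA0000\n"
    "-----END RSA PRIVATE KEY-----\n"
).encode("ascii")
SAMPLE_DER = bytes.fromhex("308201013081")  # constructed; starts with SEQUENCE tag 0x30

def kind_of(label):
    """Map a PEM label to the categories used in the post."""
    if "PRIVATE KEY" in label:
        return "private-key"
    return {"CERTIFICATE": "certificate", "PUBLIC KEY": "public-key",
            "PKCS7": "pkcs7"}.get(label, "other")

def classify(data):
    """Return one dict per block found: PEM blocks with their label, kind and
    whether a Proc-Type header marks them encrypted; otherwise a DER guess."""
    if data.lstrip().startswith(b"-----BEGIN "):
        text = data.decode("ascii", errors="replace").replace("\r\n", "\n")
        blocks = []
        for m in PEM_BLOCK.finditer(text):
            body = m.group("body")
            # RFC 1421 headers (Proc-Type, DEK-Info) are separated from the
            # Base64 payload by a blank line; unencrypted blocks have no headers.
            headers, sep, _ = body.partition("\n\n")
            if not sep:
                headers = ""
            encrypted = "Proc-Type:" in headers and "ENCRYPTED" in headers
            blocks.append({"format": "PEM", "label": m.group("label"),
                           "kind": kind_of(m.group("label")), "encrypted": encrypted})
        return blocks
    # DER certificates, keys, PKCS#7 and PKCS#12 files all begin with an ASN.1
    # SEQUENCE tag (0x30); telling them apart needs a real ASN.1 parser.
    if data[:1] == b"\x30":
        return [{"format": "DER", "label": None, "kind": "asn1-sequence", "encrypted": None}]
    return [{"format": "unknown", "label": None, "kind": None, "encrypted": None}]
```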
