Tag Archives: Fortinet

Fortigate HTTPS inspection Certificate error fixes

*Note: most of these issues have been fixed in FortiOS 5.2. There, if you select SSL inspection with Certificate inspection, the client just gets a blank page when it goes to an HTTPS site that is not allowed.

The Fortigate Web filter is amazing! I think it stands up to the best web filters out there.

But, like all web filters, SSL can be a bit tricky. The FortiGate presents its own CA certificate, “Fortigate-CA-Proxy”, to the client in two situations:

1. Deep packet inspection (think of a man-in-the-middle attack). The FortiGate terminates the client's TLS session and re-signs the server's certificate with Fortigate-CA-Proxy, so it sees everything in the session even though it is encrypted on the wire.

2. When it sends its replacement message (the “Blocked” page) to the client over HTTPS, because that page is also served with a certificate signed by Fortigate-CA-Proxy.

Some problems come up with this. The certificate has to be trusted by the clients. That is easy for domain-joined machines: sign the proxy certificate from an internal CA, or push it into the clients' trusted root store with a Windows group policy. You might ask, why not just get a publicly signed certificate for this? The proxy certificate must be a CA certificate (basicConstraints CA:TRUE), so you would need a public CA to issue you a subordinate CA certificate that every browser trusts, and no public CA will do that for an inspection appliance. But what if you want SSL inspection for guest clients and don't want them to see the certificate error? The answer lies below, friends. Something to remember is that SSL inspection has to be enabled on the firewall policy for HTTPS inspection to work at all.

Also remember what trusting that CA means: every client that trusts Fortigate-CA-Proxy will accept any certificate the FortiGate signs, so treat the proxy CA's private key as you would an internal root CA key and never hand that CA certificate to clients you do not control.
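The following Python check is an added example, not Fortinet's code and not part of the original post. It shows how to tell, from a client, whether a session was re-signed by the proxy CA: it trusts only the exported Fortigate-CA-Proxy certificate and reads the issuer from the verified chain, because Python's getpeercert() returns the parsed certificate only for a chain it verified. The CA name comes from the post; the exact issuer DN your unit presents and the sample certificate dictionaries are assumptions constructed for the example.

```python
"""Detect whether a TLS session was terminated and re-signed by an
inspecting proxy such as the FortiGate's Fortigate-CA-Proxy.

Added example, not Fortinet code. The CA name is taken from the post; the
exact issuer DN your unit presents is an assumption, so adjust it.
"""
import socket
import ssl

# Assumed issuer commonName values to treat as "inspected" (lower-cased).
INSPECTION_CA_NAMES = {"fortigate-ca-proxy"}


def rdn_value(name, attr):
    """Return one attribute (e.g. 'commonName') from the RDN-sequence tuple
    that ssl.SSLSocket.getpeercert() uses for 'issuer' and 'subject'."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def is_inspected(cert, ca_names=INSPECTION_CA_NAMES):
    """True when the leaf certificate's issuer is one of the inspection CAs,
    i.e. the FortiGate re-signed the server's certificate (deep inspection)
    or served its own HTTPS block page."""
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName") or ""
    return issuer_cn.lower() in ca_names


def fetch_peer_cert(host, proxy_ca_pem, port=443, timeout=5):
    """Fetch the parsed leaf certificate for host, trusting ONLY the CA(s)
    in proxy_ca_pem (the exported Fortigate-CA-Proxy certificate).

    getpeercert() returns the parsed dict only when the chain verified, and
    with CERT_NONE it returns {}, so the usual 'disable verification and
    look' trick does not work. Trusting just the proxy CA gives a clean
    split: a verified handshake means the session was inspected by that
    proxy; ssl.SSLCertVerificationError means the real chain was seen.
    """
    ctx = ssl.create_default_context(cafile=proxy_ca_pem)  # no system store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed examples of what getpeercert() returns; not real captures.
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "www.facebook.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Fortinet"),),
        (("commonName", "Fortigate-CA-Proxy"),),
    ),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.facebook.com"),),),
    "issuer": (
        (("organizationName", "Example Public CA Ltd"),),
        (("commonName", "Example Public CA"),),
    ),
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.facebook.com"
    ca_file = sys.argv[2] if len(sys.argv) > 2 else "Fortigate-CA-Proxy.pem"
    try:
        cert = fetch_peer_cert(host, ca_file)
        print(host, "inspected" if is_inspected(cert) else "signed by another CA in the file")
    except ssl.SSLCertVerificationError:
        print(host, "not signed by the proxy CA: direct connection")
```

Run it from a guest client with the exported proxy CA as the second argument; a verification error is the good outcome there, since it means the guest saw the site's real certificate.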

To have the FortiGate block the website without giving a certificate error there are two things that need to be done:

1. Set the web filter to use https-url-scan, which only looks at the URL (the host name it can see from the certificate, not the decrypted content), instead of deep scanning.

2. Set the FortiGate not to respond with a replacement message. Remember it responds with an HTTPS block page signed by the proxy CA, which is why you see the certificate error.

As of Patch 7 this is a CLI command.

To enable https-url-scan, which looks at the URL and not at the traffic going through (replace default with your own profile name):

    config webfilter profile
        edit default
            set options https-url-scan
        next
    end

To disable the HTTPS replacement message (again, replace default with your profile name):

    config webfilter profile
        edit default
            set https-replacemsg disable
        next
    end

To give an example:

Let's say I block the category “social networking” and go to http://facebook.com. It will be blocked. If I go to https://facebook.com it will show a blank screen: no error message, but the site will not work. Before enabling these commands I would see the certificate error, then after accepting the cert I would see the block page.

Note: there might be a way to have the replacement message served over HTTP instead of HTTPS. I am looking into this.

 


Fortigate interface Speed/duplex

Hard coding speed and duplex settings on a device is very important. Sometimes it is essential to hard code your settings to work with an ISP or a neighboring device. To change the speed/duplex settings manually you will need to use a CLI command. The default setting is to auto-negotiate, but as we all know, sometimes the ISP side or the local side negotiates to half duplex, or never negotiates correctly.

Check Speed/Duplex

How to check the speed and duplex of an interface:

FortiOS can now show speed/duplex when you hover over the interfaces in the GUI. This option became available in MR5 patch 4, I think.


To check this through the CLI there are a few ways to accomplish it. Two commands that can do this are:

    get system interface physical


This command shows the IP, status, and speed/duplex of every physical interface.

The next command is (X is the interface name, for example port1 or wan1):

    get hardware nic X


This command gives you much more information, such as errors and drops. Error counters that keep climbing while the link shows as up are the usual sign of a duplex mismatch.
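As an added example (not from the original post and not Fortinet's code), here is a small audit script that parses the text of get system interface physical, flags interfaces that came up at half duplex or below the speed you expect, and prints the set speed fix described in the next section for each of them. The sample output is constructed to look like FortiOS 5.x and the field names are an assumption; check them against what your own unit prints before relying on it.

```python
"""Audit speed/duplex of FortiGate physical interfaces from the text of
`get system interface physical`. Added example; SAMPLE_OUTPUT is
constructed to resemble FortiOS 5.x output and is not copied from a unit.
"""
import re

# Constructed sample: one mismatched WAN link, one down link, one good port.
SAMPLE_OUTPUT = """\
== [onboard]
        ==[wan1]
                mode: static
                ip: 203.0.113.2 255.255.255.252
                ipv6: ::/0
                status: up
                speed: 100Mbps (Duplex: half)
        ==[wan2]
                mode: dhcp
                ip: 0.0.0.0 0.0.0.0
                ipv6: ::/0
                status: down
                speed: n/a
        ==[port1]
                mode: static
                ip: 192.168.1.99 255.255.255.0
                ipv6: ::/0
                status: up
                speed: 1000Mbps (Duplex: full)
"""

IFACE_RE = re.compile(r"^\s*==\[(?P<name>[^\]]+)\]\s*$")      # ==[port1]
FIELD_RE = re.compile(r"^\s*(?P<key>\w+):\s*(?P<value>.*?)\s*$")  # key: value
SPEED_RE = re.compile(r"(?P<mbps>\d+)Mbps\s*\(Duplex:\s*(?P<duplex>\w+)\)")


def parse_interfaces(text):
    """Return {interface name: {field: value}} for each ==[name] block."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = ifaces.setdefault(m.group("name"), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("value")
    return ifaces


def audit(ifaces, expected_mbps=1000):
    """Flag 'up' interfaces that negotiated half duplex or a speed below
    expected_mbps. Down interfaces are skipped (their speed reads n/a)."""
    findings = []
    for name, fields in ifaces.items():
        if fields.get("status") != "up":
            continue
        m = SPEED_RE.search(fields.get("speed", ""))
        if not m:
            findings.append((name, "speed unreadable"))
            continue
        mbps, duplex = int(m.group("mbps")), m.group("duplex").lower()
        if duplex != "full":
            findings.append((name, f"{duplex} duplex"))
        if mbps < expected_mbps:
            findings.append((name, f"{mbps}Mbps < {expected_mbps}Mbps"))
    return findings


def set_speed_cli(name, speed="1000full"):
    """The fix from this post for one interface. Hard-code the neighbouring
    device the same way, or the mismatch simply returns."""
    return [
        "config system interface",
        f"    edit {name}",
        f"        set speed {speed}",
        "    next",
        "end",
    ]


if __name__ == "__main__":
    problems = audit(parse_interfaces(SAMPLE_OUTPUT))
    for name, reason in problems:
        print(f"{name}: {reason}")
    for name in sorted({n for n, _ in problems}):
        print("\n".join(set_speed_cli(name)))
```

Feed it real output with something like `ssh admin@fw 'get system interface physical' | python3 audit.py` after swapping SAMPLE_OUTPUT for sys.stdin.read(); the parse and audit functions do not depend on the sample.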

 

Setting speed/duplex

To set the speed and duplex of an interface to 1 gig full duplex use the CLI commands (X is the interface name):

    config system interface
        edit X
            set speed 1000full
        next
    end


That's it! Notice that get hardware nic gives you all kinds of stats about that interface. One caveat: hard-code both ends of the link. If you force one side and leave the other on auto-negotiate, the auto side cannot see the forced side's settings and will typically fall back to half duplex, which is exactly the mismatch you were trying to avoid.

Fortinet BGP local Preference to influence outbound routing

Fortinet, like all vendors, supports BGP and has many ways to configure it. In this case almost all settings are configured via the CLI. In this post I will show how to configure the local preference attribute to influence which path a device will take to leave the network. For example, if you have two ISPs and use one as primary and the second as backup, you would raise the local preference on routes learned from ISP 1 to make it the better choice.

Raising the local preference of routes from the default of 100 to a higher value makes those routes the best choice when leaving the network, because local preference is compared before AS path length in the BGP decision process. You can also match a prefix-list in the route-map rule to change the preference of just one or more routes; you do not have to change every route advertised by the neighbor.

Steps needed are:

– Get the BGP instance configured

– Configure neighbors

– Create a route map

– Set the local preference in the route map

– Apply the route map inbound on the neighbor

– Clear the BGP routes and check the new preferences.

 

After you get BGP configured via the CLI or GUI we can start by creating the route map.


You can name the route map whatever you like; for example, if you have two ISPs you might call it ISP-1-Local-Pref. Then edit the rule you want and change the local preference. Remember, the higher the local preference the more preferred.

Command (using the name above and the value 500 from the result later in this post):

    config router route-map
        edit "ISP-1-Local-Pref"
            config rule
                edit 10
                    set local-preference 500
                next
            end
        next
    end

Next we apply the route-map to the neighbor we want to prefer. Local preference is something we set on routes we receive, so the route map goes on the inbound side of that neighbor (set route-map-in under the neighbor in config router bgp).

Once that is configured, we can check the preference of the routes with the command:

    get router info bgp networks

You might notice that the preference has not changed. This is because the routes already learned from the neighbor have to be re-evaluated against the new inbound policy first. We can do this with a few different commands:

    exe router clear bgp ip x.x.x.x in

This clears all routes learned from this neighbor. If this is a live production network, it would be better to run the command:

    exe router clear bgp ip x.x.x.x soft in

Because the policy is inbound, the direction here is in, not out: an outbound clear only re-sends our routes to the neighbor and would not re-apply the local preference. If the neighbor does not support route refresh, enable soft reconfiguration on that neighbor (set soft-reconfiguration enable) before using soft in.

A soft reset uses stored prefix information to reconfigure and activate BGP routing tables without tearing down existing peering sessions. Soft reconfiguration uses stored update information, at the cost of additional memory for storing the updates, to allow you to apply new BGP policy without disrupting the network. Soft reconfiguration can be configured for inbound or outbound sessions.

That's it! Now we should see the new preference associated with our routes:

Notice the 500 instead of the default of 100. Everything is working: now all my traffic to the 10.0.0.0/16 network will go via the 169.254.255.77 neighbor. Also notice the > symbol. This marks the best route, and therefore the one put into the routing table. The other, non-best routes will not show up in the GUI routing table.

Fortigate BGP AS Path prepending

Docs.fortinet.com is always the best place to get any Fortinet info.

Fortinet, like most firewall vendors, supports almost all dynamic routing protocols. BGP is one of them. The GUI has simple BGP setup options, but many settings exist only in the CLI, which might be for the best. In this post I will show how to create a route-map and prepend the AS path to influence ISP/neighbor routing.

First let's talk about why you would want to prepend an AS path. You would do this to influence how neighbors reach your routes. For example, if you had two ISPs or neighbors and wanted to advertise your routes to both, but wanted everyone to use neighbor 1 to reach your router with neighbor 2 as the backup, you could prepend your AS path on the advertisements to neighbor 2 to make this happen.

BGP is a very deep protocol and there are many different ways to influence routing. All else being equal (same local preference), a router will take the shortest AS path to a destination, so lengthening the path you advertise through the backup is the preferred method for this.

Steps:

– Add BGP neighbors/networks – you can do this in GUI

– In CLI create route-map and use the commands to prepend YOUR AS path

– Assign Route-map to neighbor

– Clear BGP routes.

 

Create BGP in GUI.

This includes our AS number, the Neighbors and their AS numbers, and our networks we are advertising.


Route-map Creation

Let's then drop to the CLI and create our route-map.

Commands:

    config router route-map
        edit "Name"
            config rule
                edit X
                    set action permit
                    set set-aspath "x x x"
                next
            end
        next
    end

edit "Name" creates the route map. edit X is the rule number; from there you set your prepend with set set-aspath, where each x is your own AS number and every repetition makes the path one hop longer for that neighbor. set action permit: I did not add this in the image. Routes will be blocked if this is not added.

Assigning Route-map

Now let's assign the route map to our neighbor. Since we want to control how routing gets to us, we apply this route map to our outgoing routes.

The command set route-map-out, under the neighbor in config router bgp, is what applies the route map to the routes we send to that neighbor.

Last but not least, let's clear the BGP routes so our prepend takes effect. You can do this with the command:

exe router clear bgp ip x.x.x.x out

This will clear all routes from this neighbor. If this is a live production network, it would be better to run the command:

exe router clear bgp ip x.x.x.x soft out

A soft reset uses stored prefix information to reconfigure and activate BGP routing tables without tearing down existing peering sessions. Soft reconfiguration uses stored update information, at the cost of additional memory for storing the updates, to allow you to apply new BGP policy without disrupting the network. Soft reconfiguration can be configured for inbound or outbound sessions.

Status

So now we need to look at the routes we are sending out to see if our AS path has actually been altered. After resetting the peer it might take a minute or two before this shows up correctly.

The command is:

    get router info bgp neighbors x.x.x.x advertised-routes

That's it!

Now we are controlling how devices reach our networks in a dual-homed situation (two connections to ISPs). Remote routers will take the shorter AS path to reach us, provided their other attributes tie. Prepending is only a hint: an ISP or remote AS that sets a higher local preference on the path through your backup link will still prefer it, so confirm the result from outside (a looking glass or a neighbor's view) rather than only from your own advertised-routes.
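The following Python model is an added example, not FortiOS code, and serves both this post and the local preference post above. It implements the first steps of the BGP decision process (local preference, then AS path length, then MED, then eBGP over iBGP) together with the two route-map actions, so you can see why a local preference of 500 overrides a longer AS path on the outbound side, why a prepended path loses on the inbound side, and why a remote network that sets its own local preference can ignore your prepend. The 10.0.0.0/16 prefix and the 169.254.255.77 neighbor come from the post; the AS numbers, the 192.0.2.0/24 prefix and the next-hop names are constructed.

```python
"""BGP best-path selection with route-map style policy, covering the two
BGP posts above: local preference for outbound path choice and AS-path
prepending for inbound path choice.

Added example, not FortiOS code. AS numbers, 192.0.2.0/24 and next-hop
names are constructed: 65000 is 'our' AS, 65001/65002 the two ISPs,
65300 a remote AS. Only 10.0.0.0/16 and 169.254.255.77 are from the post.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    as_path: tuple          # leftmost AS is the neighbour that sent it
    local_pref: int = 100   # BGP default; never carried across eBGP
    med: int = 0
    ebgp: bool = True


def set_local_pref(route, value):
    """route-map rule 'set local-preference <value>', applied with
    route-map-in on routes received from a neighbour."""
    return replace(route, local_pref=value)


def prepend_as_path(route, asn, count):
    """route-map rule 'set set-aspath "asn asn ..."', applied with
    route-map-out: asn is inserted count times in front of the path, on
    top of the normal push of our own AS when the route is advertised."""
    return replace(route, as_path=(asn,) * count + route.as_path)


def advertise(route, sender_asn, via=None):
    """eBGP advertisement: the sender pushes its AS onto the path. 'via'
    labels the next hop as seen by the receiver."""
    r = replace(route, as_path=(sender_asn,) + route.as_path)
    return replace(r, next_hop=via) if via else r


def best_path(routes):
    """First steps of the BGP decision process, in order: highest
    local-pref, shortest AS path, lowest MED, eBGP before iBGP."""
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path), r.med, not r.ebgp))


def local_pref_scenario():
    """Local preference post: 10.0.0.0/16 is learned from both ISPs. ISP1
    (169.254.255.77) offers the longer AS path, so by default ISP2 wins.
    Setting local-pref 500 on routes from ISP1 overrides the AS-path
    length, because local-pref is compared first.
    Returns (next hop by default, next hop with the policy applied)."""
    from_isp1 = Route("10.0.0.0/16", "169.254.255.77", (65001, 65200, 65100))
    from_isp2 = Route("10.0.0.0/16", "169.254.255.81", (65002, 65100))
    default = best_path([from_isp1, from_isp2]).next_hop
    with_policy = best_path([set_local_pref(from_isp1, 500), from_isp2]).next_hop
    return default, with_policy


def remote_view():
    """Prepend post setup: we (AS 65000) advertise 192.0.2.0/24 to both
    ISPs and prepend our own AS three times toward ISP2. Each ISP then
    re-advertises it to AS 65300, pushing its own AS in front. Returns
    the two copies as AS 65300 sees them."""
    ours = Route("192.0.2.0/24", "0.0.0.0", ())
    to_isp1 = advertise(ours, 65000)
    to_isp2 = advertise(prepend_as_path(ours, 65000, 3), 65000)
    return [advertise(to_isp1, 65001, "isp1"), advertise(to_isp2, 65002, "isp2")]


def prepend_scenario():
    """With equal local-pref, AS 65300 prefers the shorter path, so traffic
    to us arrives over ISP1. Returns (chosen ISP, its AS path)."""
    best = best_path(remote_view())
    return best.next_hop, best.as_path


def prepend_overridden():
    """Caveat: prepending is only a hint. If AS 65300 sets local-pref 200
    on what it hears from ISP2, the longer path wins there anyway."""
    via_isp1, via_isp2 = remote_view()
    return best_path([via_isp1, set_local_pref(via_isp2, 200)]).next_hop


if __name__ == "__main__":
    print("outbound, default vs local-pref 500:", local_pref_scenario())
    print("inbound as seen from AS 65300:", prepend_scenario())
    print("inbound if AS 65300 prefers ISP2 itself:", prepend_overridden())
```

The key ordering in best_path is the whole point: a tuple comparison stops at the first differing element, which is exactly how the decision process works, so no amount of prepending can beat a neighbour that has already set a higher local preference.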

Login to the Fortigate firewall with Active Directory accounts

Logging into the firewall with Active Directory accounts can be a great thing. You can base login privileges on A.D. security groups and track what each user does. For example, if you have help desk users and only want them to have read access, no problem. Also, what if you want to audit what a user does on the firewall? No problem. You can do this through a mix of logins and admin profiles.

There are a few things we need to do, create the LDAP connection, create our security groups in A.D. to match in the firewall, create the user group in the FW and assign it the correct admin profiles.

1. Create the LDAP connection


You do not have to bind with a domain admin to query LDAP. Just create a dedicated Fortinet service account with ordinary read rights and use that to query with. That account's password is stored on the firewall and sent to the domain controller on every lookup, so use the secure connection (LDAPS) option rather than plain LDAP on port 389; otherwise the bind password and the names of the users logging in cross the network in clear text.

2. Create AD security groups. If you want domain admins to log in, great, just match that group in the firewall. If you have help desk users that you want to have restricted privileges, then create a group for them in A.D. and add the needed members.

3. Create local firewall groups that match the LDAP groups.


Here we create a “Firewall” group and add our remote server to the list. Notice that you can query LDAP from here and select the group you want by clicking on the folder to the left of the group name.

4. Add the group as a admin that can login

Under system – admin – administrators add a new admin.


Create the name you want and select the group we just created. Then select the admin profile we want. This one is for admins, so they will be super admins when they log in. If you wanted a custom profile, let's say one that can only restart the device, you would create that profile first and then add it here. There are more options here such as requiring a FortiToken and an email address.

Notice that the wildcard option is checked. A wildcard admin account lets multiple different remote accounts match one local administrator account, avoiding the need to set up individual admin accounts on the FortiGate unit; instead every LDAP user in the matched group logs in through this one FortiGate admin entry, under their own user name, which is what makes the per-user audit trail in the logs possible.

5. Create a different admin profile for privileges.

In this example I will create a help desk account, that can only configure system settings (IP address, etc). Otherwise everything is read only.


After saving this, you can go back and add it to the admin group.