Fortigate Hidden drops

#!/bin/bash
# Patrick Marc Preuss (c)2021 - 2025
# Check for required environment variable
if [ -z "${SSHPASS}" ]; then
  echo "Error: Please set the SSHPASS environment variable."
  exit 127
fi
# Check for firewall argument
FW="$1"
if [ -z "${FW}" ]; then
  echo "Usage: $0 <firewall-hostname-or-IP>"
  exit 127
fi
# Timestamp for output file …

Fortigate – IPerf3

Note to myself. Looks like Fortigate changed the access to IPerf3.
FG (global) # diagnose traffictest set_pair mgmt:mgmt
Server:Client pair is mgmt:mgmt
Server CPU affinity: None
Client CPU affinity: None
Stream number: 1
Traffic protocol: TCP
Server IP address: 192.90.255.199
Server VDOM: vsys_hamgmt
Client IP address: 192.90.255.199
Client VDOM: vsys_hamgmt
FG (global) # diagnose …

FortiGate Cluster Deployment – Zero Touch / Low Touch Debugging Notes

After a long day of back-and-forth debugging, here are some takeaways from trying to deploy a FortiGate cluster with dedicated management interfaces: FortiGates without a current support contract need to have the same version already installed, and the FortiManager "enforce firmware" setting needs to be set to this version. Otherwise this fails. FortiManager 6.4.14 and configure dedicated …

BGP – Asymmetric Routing Fortigate or when it is the policy

Change the setup to have two dedicated links from the Fortigate to the Edgerouter: internal6 and internal7 on the Fortigate and eth4 on the Edgerouters. Note to myself: the policy blocked the traffic. Needed to change the source interfaces to include internal6 and internal7.
config firewall policy
  edit 1
    set srcintf internal1.997
  next
end
Links
https://community.fortinet.com/t5/FortiGate/Technical-Note-Reverse-Path-Forwarding-RPF-implementation-and/ta-p/194382

BGP – MultiHoming

Cisco
cisco01: config, show ip bgp summary, show ip route, show ip bgp
cisco02: config, show ip bgp summary, show ip route
EdgeRouter-X
edge01: config, show ip route
edge02: config, show ip route
FortiGate: config, get router info routing-table details
Tests
Changing the AS Numbers: show ip route, show ip bgp
Optimizing route maps
cisco1: show ip bgp neighbors 10.255.80.29 received-routes, show ip bgp, show ip route
cisco2: show ip bgp neighbors 10.255.80.28 received-routes, show ip route
BGP: Prevent becoming a Transit AS
No-Export Community
Links …

Fortinet Lookup Policies

Sometimes you need to know which firewall policy will allow traffic and whether it is actually used. I had already posted Fortigate – Policy lookup a while ago.
diagnose firewall iprope lookup <src ip> <src port> <dst ip> <dst port> <protocol> <device>
<src_ip> Source IP address.
<src_port> Source port.
<dst_ip> Destination IP address.
<dst_port> Destination …

Fortinet – Fragmentation – DF – IPSec

System Settings / Fragmentation / Check Interface MTU / Links
System Settings
config global
  config system global
    set honor-df enable
  end
end
Fragmentation
The default ip-fragmentation setting is post-encapsulation as that is RFC compliant.
config vpn ipsec phase1-interface
  edit <name>
    set ip-fragmentation post-encapsulation
  next
end
Check Interface MTU
To check the MTU size of an interface, use 'diag netlink interface …

LAG Groups

Some collection of LAG configurations and status commands seen over time.
Linux: Manual Configuration, Status / FreeBSD: Config Example, Status, Permanent / Checkpoint: Config, Status - Clish, Status - Expert Mode / Fortigate: Config, Status / Cisco - Catalysts: Config, Status / Links
Linux
Manual Configuration
modprobe bonding mode=802.3ad
ifconfig bond1 192.168.1.1 netmask 255.255.255.0 up
ifenslave bond1 eth0
ifenslave bond1 eth1
The permanent way depends on the distribution.
Status
cat /proc/net/bonding/bond1
Ethernet Channel Bonding …

Fortigate – USB

List USB Devices / List disk content, wrong partitioning / Format the disk / No fnsysctl / List the primary and secondary firmware
List USB Devices
FG5H0E (root) # execute usb-device list
T: Bus=02 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0
D: Ver= 3.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
P: Vendor=0781 ProdID=5581 Rev= 1.00
S: Manufacturer=SanDisk
S: …