FortiGate – Viewing FIB/RIB routing information in CLI

"Reminder to self regarding routing information: This document is derived from Fortinet KB Articles and covers topics such as accessing FIB/RIB routing data via the CLI, understanding the routing process in FortiGate (route-lookup-process), handling multiple default routes when SD-WAN rules are not the preferred option, and more."
Routing in FortiGate (route-lookup-process)
How does FortiGate decide …

What is my IP? ifconfig.me / ifconfig.io

Short collection of "what is my IP" servers.
ifconfig.io
ifconfig.me
ifconfig.co
icanhazip.com
Usage
    curl ifconfig.co/port/22
SD-WAN
As a personal note, route ifconfig.* over the primary connection on the FortiGate firewall and icanhazip.com over the secondary.
    config firewall address
        edit "ifconfig.co"
            set type fqdn
            set fqdn "ifconfig.co"
        next
        edit "ifconfig.me"
            set type fqdn
            set fqdn "ifconfig.me"
    …

Fortinet – Static routes with Firewall objects

I like the idea of configuring static routing over firewall objects. This avoids the static route limit on the FortiGate firewall.
    config firewall address
        edit "N.203.0.113.0--24"
            set allow-routing enable
            set subnet 203.0.113.0 255.255.255.0
        next
    end
    config firewall addrgrp
        edit "R.Networks"
            set allow-routing enable
            set member "N.203.0.113.0--24"
        next
    end
    config router static
        edit 0
            set gateway …

FortiGate – High CPU and Memory load

Recently, we encountered significant CPU and memory utilization spikes on one of our FortiGate firewalls. Despite consistently handling around 1.5 million sessions for several months without any problems, the situation took a turn for the worse. The firewall became unresponsive through the Command Line Interface (CLI), and at that time, we hadn't configured a dedicated …

Fortigate DOS Protection

It is a good idea to do basic DoS protection, even internally.
Contents:
    Configuring DoS policy
    Verification
        diagnose ips anomaly list
    Releasing the blocked senders
        diagnose ips anomaly clear
    Links
Configuring DoS policy
This will configure a basic DoS policy for traffic with default values and block violations for 2 minutes.
    config firewall DoS-policy
        edit 1
            set name "ALL DoS-Policy"
            set …

Fortigate Useful Commands

This is my personal catalog of typical troubleshooting commands I employ when dealing with FortiGate Firewalls. In contrast to Cisco, where 'show' is the universal command, Fortinet offers a range of options, including 'show,' 'get,' 'diagnose,' and 'execute,' for retrieving pertinent information.
Important to remember
It is 'get router info routing-table' to see the routing …

Checkpoint Useful Commands

My personal collection of CheckPoint Commands. Most of them work best in expert mode.
[Expert@gateway:0]#
    Command             Description
    cpconfig            change SIC, licenses and more
    cpview -t           show top style performance counters
    cphaprob stat       list the state of the high availability cluster members. Should show active and standby devices.
    cphaprob -a if      display status of monitored interfaces in a cluster
    cphaprob -l list    display registered cluster devices and …

Netscreen – ARP

FWCLUSTER:FWNODE(M)-> get arp
usage: 42/8192 miss: 0 always-on-dest: disabled
-----------------------------------------------------------------------------------------
IP           Mac           VR/Interface     State  Age  Retry  PakQue  Sess_cnt
-----------------------------------------------------------------------------------------
10.62.92.62  92e2ba6225e4  vpn-vr/agg1.971  VLD    371  0      0       55
Arp entries on ASIC chip(s)
L2idx  IP           Dst_Mac       Interface  Src_Mac       Vlan  Sat  Flag  Ref_cnt
218    10.62.92.62  92e2ba6225e4  agg1.971   0010dbff62d0  971   0    0x2   0