Wednesday, 3 December 2014

How-to: Change WebGUI HTTPS certificate on Fortinet devices

Below is a list of commands required to change the default HTTPS certificate that gets presented on the admin WebGUI.

For each of these examples I've already loaded a certificate called 'webgui-cert'. Change this value to match the certificate you import.

Monday, 1 December 2014

How-to: Disable SSLv3 on Fortinet devices

With the disclosure of the POODLE vulnerability, Fortinet have released a great article on how to disable SSLv3 on all the Fortinet devices that are affected.

The list goes on to include:

  • FortiGate
  • FortiMail
  • FortiAnalyzer
  • FortiManager
  • FortiAuthenticator
  • FortiCache
  • FortiWeb
  • FortiDDOS
  • FortiADC-D
  • FortiClient
  • FortiVoice-Enterprise
  • FortiRecorder
  • FortiDB
  • FortiSwitchOS
  • FortiSwitch ATCA

Fortunately disabling SSLv3 is very simple on all devices, with some just requiring an upgrade.

I won't go into detail on how to disable SSLv3 on every box as it's covered in the article linked above. I just wanted to go through how you can test to ensure that SSLv3 has been disabled once you've made the configuration change.

Monday, 15 September 2014

How-to: Configure Quotas by Data Usage on a FortiGate

Long ago, you had two options when it came to usage quotas on the FortiGate; it was either based on data usage, or time usage. Fortinet then decided to remove the data usage quota and only have time based ones available. Recently Fortinet have decided to reintroduce the data based quotas (although they can only be configured via the CLI).

We'll go through creating a data usage quota on a web filtering profile, and some things you should know.

Wednesday, 23 July 2014

How-to: Change default policy columns on a FortiGate

When you log into a FortiGate and browse to the policies section you will see the pre-defined default policy columns, which include seq#, source, destination, schedule, service, action, NAT, AV etc.



I normally go through and change the columns so that they are more compact. Generally this includes adding the 'policy ID' column, removing the schedules, replacing all the UTM columns with the 'security profiles' column and moving a few others around as per below:



Now this is all well and good, except for the fact that it will only save these columns for the computer and browser that I'm using. If I connect via another browser or from another device then the default columns will show up again.

Good news is that the default columns can all be changed with a setting to ensure that the columns you want to show up by default will, no matter which browser or computer you connect from.

Wednesday, 25 June 2014

How-to: Configure User Alias Options on a FortiMail

If your organisation is using aliases, it's generally a good idea to configure the 'User Alias Options' within the LDAP settings to ensure users only get one quarantine email for all their addresses, instead of one for each alias address.

To configure this, first edit the LDAP profile you've configured for your domain (found under Profile > LDAP) and expand the 'User Alias Options' section.

Ensure the tickbox has been enabled next to 'User Alias Options', then configure your base DN, Bind DN and Bind password as normal. For the 'Alias member query' option use proxyAddresses=smtp:$m. Lastly untick the 'User group expansion in advance' box.

Your final configuration should look something like this:


To test this out click on the 'Test LDAP Query...' link near the top of the LDAP profile page. From here choose 'Alias' from the dropdown menu and type in your email address at the bottom. For the below example my normal email address is amouawad@wglab.com.au and my alias is allan@wglab.com.au.

Click on 'Test' and you should see the alias match!


Wednesday, 11 June 2014

FortiGate Web SSL VPN gives "Connection Exception" error when trying to RDP to a Windows PC

I've finished configuring a Web SSLVPN on my FortiGate and created a few RDP bookmarks to my internal PCs. As per below, the bookmarks were nothing special and just using the Java based RDP (not native).


However, when it came time to test this out, I kept getting the following error:

Connection Exception: Connection to remote desktop failed, please check network connection or remote computer configuration



Luckily the fix is simple.

Tuesday, 10 June 2014

FortiWeb RADIUS authentication login failing

I'm currently rebuilding my FortiWeb VM in the lab and started the configuration from scratch.

One of the config steps I have for all my devices is to use RADIUS for the user authentication. For some reason though when I test the RADIUS server it keeps on giving me a timeout error.


Looking at my FortiAuthenticator I can see the request has come through and been authenticated correctly.


So what's going on here?

Uploaded license for Fortinet VM appliance but get stuck on 'please wait for authentication with registration servers'

Fortinet VM appliances require the installation of a license file to get the full functionality and support. Once you've uploaded the file the device will reboot and try to connect to the Fortinet authentication servers to confirm it's valid.

When you try to log back into the device after the reboot you may get the following screen:


Obviously you'll need an internet connection for it to contact the registration servers, but sometimes it will get stuck on this screen regardless of your internet connection or how many times you reboot the device.

Luckily you can force this update, which takes a matter of seconds. Log in to the CLI and issue the execute update-now command. The device will log you out, and the license registration status will change to VALID. Once this is done log back in to the GUI and you should see the normal configuration page.



Getting iprope_in_check() errors when routing is configured correctly

I was working on a FG90D for a customer a while back and had just finished configuring some extra routes, but no traffic was passing through the device.

Using the 'diag debug flow' command I was seeing the below message:

id=36870 pri=emergency trace_id=8 msg="iprope_in_check() check failed, drop"

This usually means a packet arrived for which no forwarding or return route exists, so the firewall drops it.

Knowing this I double (and triple!) checked the routes and routing table, and confirmed that everything was correct.

So having confirmed it was configured correctly, I could only assume that the routing table hadn't been refreshed when I added the new routes. This is something the firewall does automatically when a change is made to the routing table (e.g. a route is added or deleted, an interface goes up or down, etc.) but for some reason it wasn't happening.

Using the below command I flushed the routing table and forced it to refresh:

diagnose firewall iprope flush

After that, the traffic routed correctly! :)
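To spot this drop quickly in a longer 'diag debug flow' capture, the following added example (not from the post or from Fortinet) parses the key=value lines and reports which trace_ids ended in an iprope_in_check() drop. The sample output is constructed; only the drop line is the one quoted above.

```python
import re

# Constructed sample of 'diag debug flow' output. Only the iprope line is taken
# from the post; the other lines are made up to show a flow that was not dropped.
SAMPLE = """\
id=36870 pri=emergency trace_id=8 msg="vd-root received a packet(proto=6, 10.0.0.5:51234->192.168.1.10:443) from port1."
id=36870 pri=emergency trace_id=8 msg="iprope_in_check() check failed, drop"
id=36870 pri=emergency trace_id=9 msg="vd-root received a packet(proto=1, 10.0.0.5:1->10.0.1.1:2048) from port1."
id=36870 pri=emergency trace_id=9 msg="allocate a new session-00001234"
"""

# key=value pairs; a quoted value may contain spaces, '=' and parentheses.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one debug-flow line into a dict of field -> value (quotes stripped)."""
    fields = {}
    for m in KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def iprope_drops(text):
    """Return the trace_ids (as ints) whose flow was dropped by iprope_in_check()."""
    dropped = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("msg", "").startswith("iprope_in_check() check failed"):
            dropped.append(int(rec["trace_id"]))
    return dropped


if __name__ == "__main__":
    for tid in iprope_drops(SAMPLE):
        print("trace_id %d dropped by iprope_in_check(); check routes, then "
              "'diagnose firewall iprope flush'" % tid)
```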

How-to: Configure a User Group using LDAP filters on a FortiAuthenticator

Recently I've been playing around with a FortiAuthenticator which turns out to have some very cool features. One thing I noticed while configuring my user groups, is that it relies on 'LDAP filters' to define your groups. What I couldn't find was an explanation regarding the format on which to configure these groups.


The administration guide has no information except that you need to use an 'LDAP filter' here... being an LDAP noob I tried to put the CN of my group as per below, but it didn't like it...

CN=fulladmin,OU=Groups,OU=Lab,DC=wglab,DC=com,DC=au


After searching for a while I found some online articles on LDAP search queries and found the query below to work. This will match all users in the 'Fulladmin' group.

(&(objectCategory=user)(memberOf=CN=fulladmin,OU=Groups,OU=lab,DC=wglab,DC=com,DC=au))
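To show why the bare DN is rejected while the filter above is accepted, here is an added example (mine, not FortiAuthenticator's code) with a minimal evaluator for the LDAP filter subset used here: AND lists and equality matches. The directory entries are constructed to illustrate the matching.

```python
# Constructed directory entries; LDAP attributes are multi-valued, hence lists.
ENTRIES = {
    "alice": {"objectCategory": ["user"],
              "memberOf": ["CN=fulladmin,OU=Groups,OU=lab,DC=wglab,DC=com,DC=au"]},
    "bob":   {"objectCategory": ["user"],
              "memberOf": ["CN=readonly,OU=Groups,OU=lab,DC=wglab,DC=com,DC=au"]},
    "svc":   {"objectCategory": ["computer"],
              "memberOf": ["CN=fulladmin,OU=Groups,OU=lab,DC=wglab,DC=com,DC=au"]},
}


def parse_filter(text):
    """Parse '(&(a=b)(c=d))' or '(a=b)' into ('&', [...]) / ('=', attr, value)."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing text after filter: %r" % rest)
    return node


def _parse(s):
    if not s.startswith("(") or len(s) < 3:
        raise ValueError("an LDAP filter must be parenthesised: %r" % s)
    if s[1] == "&":                      # AND list: (&(...)(...))
        items, s = [], s[2:]
        while s.startswith("("):
            node, s = _parse(s)
            items.append(node)
        if not s.startswith(")"):
            raise ValueError("unterminated AND list")
        return ("&", items), s[1:]
    end = s.index(")")                   # equality match: (attr=value)
    attr, sep, value = s[1:end].partition("=")
    if not attr or not sep:
        raise ValueError("expected attr=value in %r" % s[:end + 1])
    return ("=", attr, value), s[end + 1:]


def matches(node, entry):
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    _, attr, value = node
    # Attribute names and DN values are compared case-insensitively, as in AD.
    vals = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return value.lower() in vals


def search(filter_text, entries=ENTRIES):
    """Names of entries matching the filter; raises ValueError on a bad filter."""
    node = parse_filter(filter_text)
    return sorted(name for name, entry in entries.items() if matches(node, entry))
```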


Tuesday, 20 May 2014

How-to: Factory reset a FortiGate config but preserve the interface IP address

Not many people realise that FortiGates allow you to factory reset the device while maintaining the interface IP and static route settings. It's useful when you want to wipe away the entire config but still have management access to the device when it reboots.

This is done via the CLI using the following command: execute factoryreset2.

I've included a screenshot of the command and confirmation prompt below.


Monday, 19 May 2014

How-to: Separate UTM security logs from traffic logs

With FortiOS 5.0 Fortinet decided to consolidate all logs into the traffic log. This improves performance, and allows you to search for all logs (traffic and security) in the one screen.

While I can see the benefit and reasoning behind this, I prefer to have my security logs separated from my traffic ones since they are generally the kind that I would look through.

Thankfully Fortinet haven't disabled this feature and still allow you to configure the device to separate the security and traffic logs. We'll go through the steps required to enable this for each of the security profiles.

Thursday, 1 May 2014

How-to: Create a SSL VPN login report on a FortiAnalyzer

This quick how-to guide will go through creating a chart/report on a FortiAnalyzer to show successful SSL VPN logins, displaying the date/time, user, mode (tunnel or web) and the remote IP address the VPN was established from.

This config is done on a FortiAnalyzer running 5.0.6.

Tuesday, 22 April 2014

How-to: Upgrade a FortiGate HA Cluster

I often get asked how well the FortiGates handle firmware upgrades when they're in a high availability cluster. Clients want to know how the upgrade is handled and if there's any 'gotchas' they should be aware of.

Great news is that for the last few years the HA firmware upgrades are very simple and automated. No more manually breaking, upgrading then rejoining the clustered units each time a firmware upgrade is required.

Thursday, 17 April 2014

Q&A: Can you transfer FortiTokens from one FortiGate device to another?

The answer is yes. You can request the tokens to be transferred by creating a ticket to Customer Service (not the Technical Help-desk) and asking for tokens A to be transferred from FortiGate B to FortiGate C.

If you're using the FortiToken 200CD then this is not necessary as you should have the seed on a CD. This seed can in turn be installed on multiple FortiGates. You'll only need to request the transfer if you have the FortiToken 200 or the FortiToken Mobile licenses (as the seeds are stored with Fortinet).

Thursday, 13 March 2014

How-to: Automatically revert a config on a FortiGate

There's nothing worse than remotely configuring a firewall and then losing access once you've made your changes. Having a failsafe mechanism in place to revert to a previous config automatically will help you minimise potential issues and save you a lot of stress! Luckily the FortiGates give you a few options on how to save your running config, which we'll discuss below.

Wednesday, 5 March 2014

How-to: Configure SMS Two Factor Authentication on a FortiGate

A while ago I wrote a 'How-to' guide on the steps required to configure SMS Two Factor Authentication using a FortiAuthenticator and a FortiGate. This involved configuring an SMS gateway on the FortiAuthenticator using HTTP and then getting the FortiGate to send authentication requests to it.

A little known fact is that the FortiGate can actually do two factor SMS authentication out of the box, all for free and with no licenses required! There are two ways of configuring the SMS authentication: firstly with the prepaid FortiGuard SMS servers (preconfigured), and secondly with your own custom SMS server.

Today I decided to test out this feature with my custom SMS server and initially struggled as there's no proper documentation on how it actually works, what it sends etc. Below are the steps I took and the bits of information that I gleaned during the configuration.

Thursday, 6 February 2014

How-to: Factory reset a FortiGate

We get dozens of FortiGates back from evaluations and the standard way of factory resetting the configuration is by running the command execute factoryreset.


This will reset the full configuration back to factory default.

The problem is that it does nothing to the flash, and sometimes clients make revision configuration saves to the flash.

How-to: Route all internet traffic through one link and all VPN traffic through another on a FortiGate

Recently one of our customers configured a FG60D with two ADSL WAN links (both on the same provider, going to the same default gateway). They wanted all internet traffic to go out through WAN1 and all RDP and VPN traffic to go out through WAN2.

The problem was when they created the policy based route (PBR) for all outbound internet via WAN1, it also sent the traffic destined for the VPN through the same interface and thus failed.

Friday, 31 January 2014

Q&A: Do FortiFones come with power supplies?

Today I had a customer ask if the FortiFone 560i comes with a power adapter since there's no mention of it on the price-list. There is also no mention of a power adapter being supplied in the 'Quick Start Guide' either.

To clarify, all x60i phones (260i, 360i, 460i, 560i) come with a power supply included in the box.

They all support PoE except for the 260i which can only run on the power supply.

Wednesday, 22 January 2014

How-to: Create an interface usage report on a FortiAnalyzer

This quick how-to guide will go through creating a chart/report on a FortiAnalyzer to show the upload, download and total data transfers for interfaces on a FortiGate.

This config is done on a FortiAnalyzer running 5.0.5.

***Updated with new CASE selector***

Friday, 10 January 2014

How-to: Automate FortiGate configuration backups

The FortiGates don't have any backup automation abilities out of the box. Generally you'd use a FortiManager for the config, backup and control of multiple FortiGates.

I've recently set up a lab with several FortiGates for testing and wanted a simple way of backing up the configs every day so I could always revert back to a previous day quickly.

You could just backup the config before making changes, but I wanted to automate this process. Below is a quick and dirty script to automate the config backup.

A few notes to begin with: this script requires a read-only user to be created on each FortiGate, with the same password on every device. This password is stored in the script itself; so while it never gets transmitted in cleartext over the link, be aware that it is stored in the file. Since this is a lab and it's a read-only account I'm not too fussed. Another thing to note is that the strict host key check for SSH has been disabled (so you don't get a confirmation request for new IP addresses). There is a more secure way to do this using SSH keys instead of passwords, which I may write a blog post on at a later date.

The only dependency is that the script requires sshpass to be installed.

My guide goes through setting this all up on a Debian based Linux system (like Mint or Ubuntu). It should work on other distributions with a few command changes.