How-to: Change default policy columns on a FortiGate

When you log into a FortiGate and browse to the policies section you will see the pre-defined default policy columns which include seq#, source, destination, schedule, service, action, nat, av etc..

I normally go through and change the columns so that they are more compact. Generally this includes adding the 'policy ID' column, removing the schedules, replacing all the UTM columns with the 'security profiles' column and moving a few others around as per below:

Now this is all well and good, except for the fact that it will only save these columns for the computer and browser that I'm using. If I connect via another browser or from another device then the default columns will show up again.

Good news is that the default columns can all be changed with a setting to ensure that the columns you want to show up by default will, no matter which browser or computer you connect from.

How-to: Configure User Alias Options on a FortiMail

If your organisation is using aliases, it's generally a good idea to configure the 'User Alias Options' within the LDAP settings to ensure users only get one quarantine email for all their addresses, instead of one for each alias address.

To configure this, first edit the LDAP profile you've configured for your domain (found under Profile > LDAP) and expand the 'User Alias Options' section.

Ensure the tickbox has been enabled next-to 'User Alias Options', then configure your base DN, Bind DN and Bind password as normal. For the 'Alias member query' option use proxyAddresses=smtp:$m. Lastly untick the 'User group expansion in advance' box.

Your final configuration should look something like this:

To test this out click on the 'Test LDAP Query...' link near the top of the LDAP profile page. From here choose 'Alias' from the dropdown menu and type in your email address at the bottom. For the below example my normal email address is amouawad@wglab.com.au and my alias is allan@wglab.com.au.

Click on 'Test' and you should see the alias match!

FortiGate Web SSL VPN gives "Connection Exception" error when trying to RDP to a Windows PC

I've finished configuring a Web SSLVPN on my FortiGate and created a few RDP bookmarks to my internal PCs. As per below, the bookmarks were nothing special and just using the Java based RDP (not native).

When it came time to test this out however, I keep getting the following error:

Connection Exception: Connection to remote desktop failed, please check network connection or remote computer configuration

Luckily the fix is simple.

FortiWeb RADIUS authentication login failing

I'm currently rebuilding my FortiWeb VM in the lab and started the configuration from scratch.

One of the config steps I have for all my devices is to use RADIUS for the user authentication. For some reason though when I test the RADIUS server it keeps on giving me a timeout error.

Looking at my FortiAuthenticator I can see the request has come through and been authenticated correctly.

So what's going on here?

Uploaded license for Fortinet VM appliance but get stuck on 'please wait for authentication with registration servers'

Fortinet VM appliances require the installation of a license file to get the full functionality and support. Once you've uploaded the file the device will reboot and try to connect to the Fortinet authentication servers to confirm it's valid.

When you try to log back into the device after the reboot you may get the following screen:

Obviously you'll need an internet connection for it to contact the registration servers, but sometimes it will get stuck on this screen regardless of your internet connection or how many times you reboot the device.

Luckily you can force this update which will take a matter of seconds. Login to the CLI and issue the execute update-now command. The device will log you out, and the license registration status will change to VALID. Once this is done log back in to the GUI and you should see the normal configuration page.

Getting iprope_in_check() errors when routing is configured correctly

I was working on a FG90D for a customer a while back and had just finished configuring some extra routes, but no traffic was passing through the device.

Using the 'diag debug flow' command I was seeing the below message:

id=36870 pri=emergency trace_id=8 msg="iprope_in_check() check failed, drop"

This usually means a packets arrived where no forwarding or return routes exist, so the firewall drops it.

Knowing this I double (and triple!) checked the routes and routing table, and confirmed that everything was correct.

So having confirmed it's configured correctly, the could only assume that the routing table hasn't been refreshed when I added the new routes. This is something that's done automatically on the firewall when a change is made to the routing table (ex: a route has been added/deleted, interface up/down etc) but for some reason wasn't happening.

Using the below command I flushed the routing table and forced it to refresh:

diagnose firewall iprope flush

After that, the traffic is now routing correctly! :)

How-to: Configure a User Group using LDAP filters on a FortiAuthenticator

Recently I've been playing around with a FortiAuthenticator which turns out to have some very cool features. One thing I noticed while configuring my user groups, is that it relies on 'LDAP filters' to define your groups. What I couldn't find was an explanation regarding the format on which to configure these groups.

The administration guide has no information except that you need to use an 'LDAP filter' here... being an LDAP noob I tried to put the CN of my group as per below, but it didn't like it...

CN=fulladmin,OU=Groups,OU=Lab,DC=wglab,DC=com,DC=au

After searching for a while I've found some on-line articles on LDAP search queries and have found the below query to work. This will match all users in the 'Fulladmin' group.

(&(objectCategory=user)(memberOf=CN=fulladmin,OU=Groups,OU=lab,DC=wglab,DC=com,DC=au))

How-to: Factory reset a FortiGate config but preserve the interface IP address

Not many people realise the FortiGates allow to you factory reset the device while maintaining the interface IP and static route settings. It's useful when you want to wipe away the entire config but still have management access to the device when it reboots.

This is done via the CLI using the follow command: execute factoryreset2.

I've included a screenshot of the command and confirmation prompt below.

How-to: Seperate UTM security logs from traffic logs

With FortiOS 5.0 Fortinet had decided to consolidate all logs into the traffic log. This improves performance, and allows you to search for all logs (traffic and security) in the one screen.

While I can see the benefit and reasoning behind this, I prefer to have my security logs separated from my traffic ones since they are generally the kind that I would look through.

Thankfully Fortinet haven't disabled this feature and still allow you to configure the device to separate the security and traffic logs. We'll go through the steps required to enable this for each of the security profiles.

How-to: Create a SSL VPN login report on a FortiAnalyzer

This quick how-to guide will go through creating a chart/report on a FortiAnalyzer to show successful SSL VPN logins, displaying the date/time, user, mode (tunnel or web) and the remote IP address the VPN was established from.

This config is done on a FortiAnalyzer running 5.0.6.