Posts

Showing posts from February, 2022

FortiGate - Virtual Clustering

Description
If several VDOMs are used in an HA cluster, it is advisable to distribute them over virtual clusters. This can increase the throughput of the VDOMs.

Solution
With virtual clustering, the VDOMs can be distributed between the primary and the first secondary firewall. The following options are available:

config global
    config system ha
        set vcluster2 enable
        config secondary-vcluster
            set priority 128
            set override-wait-time 60
            set monitor port1 port2
            set pingserver-monitor-interface wan1
        end
    end
end

vcluster2 : enable or disable the virtual cluster
priority : set the priority of the second virtual cluster
override-wait-time : wait time after the firewall is back online before failing over to the former master
pingserver-monitor-interface : use link-monitor to test whether the current master can still reach all needed systems

Please read the documentation for more information.

FortiGate - Netflow Configuration

Problem
Internally, a SIEM solution or similar is operated, and therefore all traffic coming in from and going out to the Internet should be sent to the logging solution.

Solution
About Netflow
NetFlow allows you to collect IP network traffic statistics for an interface and then export those statistics for analysis. NetFlow samplers, which sample every packet, are configured per interface. Full NetFlow is supported through the information maintained in the firewall session.

Configuration
The configuration differs depending on whether VDOMs are active on the FortiGate unit or not.

Without VDOM
Netflow can only be configured via the CLI and consists of two parts. First, the receiver of the data must be configured globally:

config system netflow
    set collector-ip 192.168.80.3
    set collector-port 2055
    set source-ip 192.168.80.254
end

collector-ip : IP address of the recipient (the SIEM solution)
collector-port : receiver UDP port (optional; default udp/2055)
source-ip : IP of the interface from which the t

FortiAuthenticator - Assign dynamic VLAN to Wifi user

Problem
Depending on the user or user group, a different VLAN ID is to be assigned in the WLAN.

Solution
FortiAuthenticator
On FortiAuthenticator, the following RADIUS attributes must be assigned either per user or per group:

FortiGate
In order for the FortiGate unit to accept the attributes and assign them to the user, the Dynamic VLAN assignment option must be enabled in the SSID profile. A static VLAN can be defined via the CLI if the RADIUS server does not send any attributes.

config wireless-controller vap
    edit example-wifi
        set vlanid 10
    next
end

IMPORTANT: Please make sure that all needed VLAN interfaces are configured on all switches, routers and firewalls, as well as on the FortiGate.

FortiWeb - Basic Protect Webpage

Problem
FortiWeb is an excellent solution to protect web applications based on HTTP/HTTPS. The big question is how to configure the appliance for basic protection.

Solution
Scenario
An internal web server should be accessible from the Internet. However, it is located in the LAN zone and should therefore be protected from the outside by a FortiWeb.

Configuration Options
You have two different configuration options. Decide which one fits better for you:

Single Server/Server Load Balance
Generally, only one server policy can be created per Virtual IP. With this limitation, this method is a kind of IP-to-IP connection. Here you define a Virtual IP which is matched to a Server Pool. A Server Pool can have one or more Real Servers. This means that with the Server Load Balance variant the HTTP header cannot be distinguished and the policy decision is based on the IP address.

Content Routing
This method decides which server pool to use based on the HTTP header host field. This means that, for e

FortiADC - WebPage Compression

Problem
How can FortiADC be used to increase website performance?

Solution
Compression Offloading can be used to compress all or certain URIs or content types before they are transmitted to the client. The configuration for this is simple:

URI Rule Type: This option can be used to control whether the entries in the two tables below are understood as "include" or "exclude".
IMPORTANT: The include or exclude option applies to the "Content Type" table as well! The name of the option is a bit misleading.

No other configuration is needed.

Advanced options
You can use the CLI to configure advanced options:

config load-balance compression
    edit 1
        set cpu-limit {enable | disable}
        set max-cpu-usage <percent>
        set min-content-length <bytes>
    next
end

max-cpu-usage : maximum CPU usage for compression
min-content-length : how big a file needs to be before it is compressed

FortiMail - Relay Basic Configuration

Problem
Nowhere is it written exactly how FortiMail must be configured in Relay Mode to run a secure basic mail server. Here is a summary of most of the settings:

Solution
System
Network
Configure your Interfaces. Be sure that you have configured a default Gateway.
Port Forwarding: FortiMail is able to forward traffic from the Internet to the local LAN (DNAT). For more information: FortiMail Doc
FortiGate: The FortiGate is able to send SMTP traffic through a WCCP tunnel to the FortiMail for scanning. See for more information: FortiDoc

Configuration
Set the correct Time Zone.
Configure your Password Policy.
Change the Admin Ports to non-default ports.
If needed, configure the SNMP settings.

Mail Settings
Set the Hostname and the Local domain name. Together they form the FQDN of the FortiMail.
Activate the SMTP MA service (use other ports for mail submission by clients than for mail transfer to other mail servers).

FortiGuard
Activate the License

Domain & User Domain Configur

FortiMail - Server Basic Configuration

Problem
Nowhere is it written exactly how FortiMail must be configured in Server Mode to run a secure basic mail server. Here is a summary of most of the settings:

Solution
System
Network
Configure your Interfaces. Be sure that you have configured a default Gateway.
Port Forwarding: FortiMail is able to forward traffic from the Internet to the local LAN (DNAT). For more information: FortiMail Doc
FortiGate: The FortiGate is able to send SMTP traffic through a WCCP tunnel to the FortiMail for scanning. See for more information: FortiDoc

Configuration
Set the correct Time Zone.
Configure your Password Policy.
Change the Admin Ports to non-default ports.
If needed, configure the SNMP settings.

Mail Settings
Set the Hostname and the Local domain name. Together they form the FQDN of the FortiMail.
Activate the SMTP MA service (use other ports for mail submission by clients than for mail transfer to other mail servers).

Relay Host
If you run the FortiMail behind another mail server which acts a

FortiGate - Debug flow: "pre_route_auth check fail"

Problem
You have configured a VIP object to allow an incoming connection. The object is configured correctly and there is a firewall policy for it. However, the connection does not work. In the "diag debug flow" output the following error message appears:

"pre_route_auth check fail(id=0), drop"

Solution
In most cases there is something wrong with the routing:
- There is a route which does not correspond to the incoming interface.
- There is an interface (e.g. loopback) which includes the external IP address of the VIP object.

For detailed information about this there is a KB article from Fortinet:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Debug-flow-output-shows-pre-route-auth-check-fail/ta-p/195351?externalID=FD38850

FortiGate AD-VPN Configuration with OSPF

Problem
Several branch offices are connected to the HQ. In addition, the branches must also communicate with each other. The configuration should be kept as simple and easy to maintain as possible.

Solution
There are several solutions on the Internet to configure an AD-VPN (Branch to Hub IPsec with Shortcuts). In this tutorial I tried to keep the necessary steps as simple as possible. In principle, a classic Hub2Spoke (star) topology is created. The only difference is that the routing is solved via OSPF and the VPN tunnel is allowed to create a shortcut VPN tunnel if necessary.

HQ
First, let's look at the necessary configuration in HQ:

IPsec
config vpn ipsec phase1-interface
    edit "ADVPN-Hub"
        set type dynamic
        set interface "port4"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable