Displaying posts filed under Fortigate

Feb 26, 2010

Difference between ebgp-multihop and ttl-security.

Once upon a time, reading some CCIE paper at work, I asked myself a question: "Why would someone bother to invent ttl-security and even write an RFC (http://tools.ietf.org/html/rfc5082) on it when the multi-hop EBGP feature provides the same end result?"
The results of my busy/doing-nothing activity I present here. First, some background. For some (unknown to [...]

Feb 3, 2010

Fortigate firewall demo free access. Also FortiManager and FortiAnalyzer

As someone said, the best things in life are free.
Here are links to the demo Fortigate firewall, FortiAnalyzer and FortiManager, open to access from anywhere, so that you can
familiarize yourself with the management GUI look and feel.
NOTE: Access is read-only.
NOTE 2: No, it is not me being so generous; it's Fortinet caring for us.
Fortigate [...]

Jan 19, 2010

Scheduled/Daily Reboot of FortiGate

Recently I had to do a late-night restart of a Fortigate and was looking for a "Reload in…" equivalent.
I found it, but in Fortigate it is a little different.
It's called Daily Restart, and if you want to use it only once you need to remember to remove this command afterwards.
config system global
set daily-restart enable
set restart time [...]

Jun 19, 2009

Failed to connect to Fortiguard servers

Today I encountered an otherwise easy-to-diagnose misconfiguration, except that Fortinet decided to 'hide' this parameter deep enough that it got on my nerves until I fixed it.
NOTE: Fortiguard is a subscription-based service in which your Fortigate unit periodically
connects to the Fortinet servers (collectively named Fortiguard servers) to get the information that enables advanced
features [...]

Jun 10, 2009

You can't set duplex/speed settings of the Fortigate interfaces?

You can't set duplex/speed settings of the Fortigate interfaces.
Important FIX: it depends on which interface you are trying to set! [Thanks to Chen for pointing this out]
Upon careful re-examination it turns out that you can't set duplex/speed settings of the 4-port switch interfaces only, i.e. the Internal interface of the Fortigate 60, 60M, 100A, 200A, [...]

Apr 21, 2009

Debug VPN in Fortigate – seeing is believing

You can't really debug VPN problems with static show commands; if a VPN fails to function you HAVE to
see it happening in real time. Below I list a few debug commands that do just that for IPSEC site-to-site
tunnels in Fortigate.
Here:
192.168.168.254 – IP address on the LAN interface of the Fortigate
10.170.15.131 – IP address on [...]

Apr 9, 2009

Black hole routing to the rescue – Fortigate OS 4 surprise

Many times there is more than one solution to a problem, and the most obvious one is not the best. I
reminded myself of this when a Fortigate 60 unit came into my care that was periodically blocking traffic;
you know, the not-saying-much system alert "..has reached connection limit", and then no traffic goes from LAN to [...]