Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Category: Fortigate (page 3 of 3)

Debug VPN in Fortigate – seeing is believing

[showmyads]You can’t really debug VPN problems with static show commands, if VPN fails to function you HAVE to
see it happening real-time. Below I list few debug commands that do just that for IPSEC site-to-site
tunnels in Fortigate.

Here: – IP address on the LAN interface of the fortigate′ – IP address on the remote LAN – (sanitazed) IP of the wan interface of Fortigate – (sanitazed) IP of the remote VPN peer

-Enable debugging
FG100A# diag debug en

– Enable debug messages for specific application , here we are interested in IKE (note debug level -1,
following logic I enabled first +1, 255 etc and surprisingly had no effect at all )
FG100A # diag debug app ike -1
Continue reading

Black hole routing to the rescue – Fortigate OS 4 surprise

Many times there is more than one solution to the problem, and the most obvious is not the best one. I
reminded myself this when came to my care Fortigate 60 unit that was periodically blocking traffic,
you know this not-saying-much system alert “..has reached connection limit” and then no traffic goes from LAN to WAN.
Clearly being a resource starvation issue you may never know for sure what causes this , it may be
oversized rulebase, custom IPS , AV set on everything and everywhere, etc.,.. The only way to pinpoint the
misbehaving component is by elimination – disabling one by one until problem disappears. So for this
particular Fortigate it was URL-filtering used to block access to Facebook.com. Unfortunately once this
disabled users in LAN would cause starvation of the bandwidth by accessing (or rather not leaving) this
website. An internal fair use policy issue ? – yes of course, but the only way to implement the policy
was by force in this case. So if not URL-filtering (being the obvious solution) then black-hole routing would
be the better one I thought – but in this FG OS 3 i didnt find such option, and as upgrade to Fortios 4 wasnt
an option I blackholed Facebook.com IP range (thanks to Facebook for the convenience of continuous IP
range ) in the WAN facing Cisco router.

In the FortiOS 4 you can configure blackhole routing with no hassle:
FG100 # config router static
FG100 (static) # edit 5
FG100 (5) # set blackhole ?
disable disable setting
enable enable setting
FG100 (5) # set blackhole enable
FG100 (5) # set dst
FG100 (5) # end

FG100 # show router static
config router static
edit 1
----output omitted----
edit 5
set blackhole enable
set dst

From station in LAN:
# ping
PING ( 56(84) bytes of data.
From icmp_seq=1 Destination Net Unreachable
From icmp_seq=2 Destination Net Unreachable

Facebook IP range:
[Querying whois.arin.net]
OrgName: Facebook, Inc.
Address: 156 University Ave, 3rd floor
City: Palo Alto
StateProv: CA
PostalCode: 94301
Country: US
NetRange: –

Newer posts

© 2016 yurisk.info

Theme by Anders NorenUp ↑