yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise


Debug VPN in Fortigate – seeing is believing

You can’t really debug VPN problems with static show commands; if a VPN fails to function you HAVE to
see it happening in real time. Below I list a few debug commands that do just that for IPsec site-to-site
tunnels in Fortigate.

Here:
192.168.168.254 – IP address on the LAN interface of the Fortigate
10.170.15.131 – IP address on the remote LAN
200.199.20.162 – (sanitized) IP of the WAN interface of the Fortigate
72.21.207.65 – (sanitized) IP of the remote VPN peer

– Enable debugging
FG100A# diag debug en

– Enable debug messages for a specific application; here we are interested in IKE (note the debug level -1:
following logic, I first enabled +1, 255, etc., and surprisingly it had no effect at all)
FG100A # diag debug app ike -1

Black hole routing to the rescue – Fortigate OS 4 surprise

Many times there is more than one solution to a problem, and the most obvious one is not the best. I
was reminded of this when a Fortigate 60 unit came into my care that was periodically blocking traffic:
you know the not-saying-much system alert “..has reached connection limit”, after which no traffic goes from LAN to WAN.
This is clearly a resource starvation issue, and you may never know for sure what causes it; it may be an
oversized rulebase, custom IPS, AV set on everything and everywhere, etc. The only way to pinpoint the
misbehaving component is by elimination, disabling one feature at a time until the problem disappears. For this
particular Fortigate it was URL filtering, used to block access to Facebook.com. Unfortunately, once this was
disabled, users in the LAN would starve the bandwidth by accessing (or rather not leaving) this
website. An internal fair use policy issue? Yes, of course, but in this case the only way to implement the policy
was by force. So if not URL filtering (the obvious solution), then black-hole routing would
be the better one, I thought; but in this FortiOS 3 I didn’t find such an option, and as an upgrade to FortiOS 4 wasn’t
an option, I blackholed the Facebook.com IP range (thanks to Facebook for the convenience of a contiguous IP
range) in the WAN-facing Cisco router.

In FortiOS 4 you can configure black-hole routing with no hassle:
FG100 # config router static
FG100 (static) # edit 5
FG100 (5) # set blackhole ?
disable disable setting
enable enable setting
FG100 (5) # set blackhole enable
FG100 (5) # set dst 69.63.176.0/20
FG100 (5) # end

Verify:
FG100 # show router static
config router static
edit 1
----output omitted----
edit 5
set blackhole enable
set dst 69.63.176.0 255.255.240.0
next
end

From station in LAN:
# ping 69.63.184.142
PING 69.63.184.142 (69.63.184.142) 56(84) bytes of data.
From 10.99.99.254 icmp_seq=1 Destination Net Unreachable
From 10.99.99.254 icmp_seq=2 Destination Net Unreachable

Facebook IP range:
whois 69.63.176.140
[Querying whois.arin.net]
[whois.arin.net]
OrgName: Facebook, Inc.
OrgID: THEFA-3
Address: 156 University Ave, 3rd floor
City: Palo Alto
StateProv: CA
PostalCode: 94301
Country: US
NetRange: 69.63.176.0 – 69.63.191.255
CIDR: 69.63.176.0/20
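As an added check (example code, not from the original post), this Python script parses the `show router static` output format shown above and applies longest-prefix matching to tell whether a given destination would hit the blackhole route. The sample output is constructed, and a route with no `set dst` line is assumed to be the default route 0.0.0.0/0; distance and priority are not modelled.

```python
import ipaddress
import re

# Constructed sample in the shape of FortiOS "show router static" output
# (the page omits entry 1; the gateway/device values here are made up).
SAMPLE_SHOW_ROUTER_STATIC = """\
config router static
    edit 1
        set gateway 200.199.20.161
        set device "wan1"
    next
    edit 5
        set blackhole enable
        set dst 69.63.176.0 255.255.240.0
    next
end
"""


def parse_static_routes(text):
    """Turn 'show router static' output into dicts {id, dst, blackhole}.
    A route with no 'set dst' is assumed to be the default 0.0.0.0/0."""
    routes, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            current = {"id": int(m.group(1)),
                       "dst": ipaddress.ip_network("0.0.0.0/0"),
                       "blackhole": False}
        elif current is None:
            continue
        elif line.startswith("set dst "):
            addr, mask = line.split()[2:4]          # FortiOS prints address and netmask
            current["dst"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line == "set blackhole enable":
            current["blackhole"] = True
        elif line == "next":
            routes.append(current)
            current = None
    return routes


def best_match(routes, ip):
    """Longest-prefix match: the static route a packet to `ip` would follow.
    Ties (equal prefix length) are not broken by distance/priority here."""
    ip = ipaddress.ip_address(ip)
    hits = [r for r in routes if ip in r["dst"]]
    return max(hits, key=lambda r: r["dst"].prefixlen, default=None)


def is_blackholed(routes, ip):
    """True when the winning route for `ip` is a blackhole route."""
    r = best_match(routes, ip)
    return r is not None and r["blackhole"]
```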


© 2016 yurisk.info
