Fortigate Hairpin NAT
KB ID 0001781 Problem Imagine the following scenario: you have a PUBLIC web server and it’s either in the same network your users are in, or attached to a DMZ on your FortiGate. So above, our users open a web browser and attempt to go to www.ubique.com (1). Their PC will do a DNS lookup for www.ubique.com and (in this case) a public DNS server returns an IP of 192.168.100.200 (2). The browser then attempts to HAIRPIN to that IP which...
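The following is an added FortiOS CLI example for the hairpin scenario described above; it is not configuration from the original article. It assumes the users and the web server both sit behind the interface named "internal", the WAN interface is "wan1", the web server's real address is 10.0.0.10, and the address DNS hands out (192.168.100.200, as in the article) is the VIP's external IP. The two things that make the hairpin work are the VIP's external interface being "any" (so the DNAT also matches traffic arriving on the LAN side) and NAT being enabled on the LAN-to-LAN policy (so the server's replies go back through the FortiGate instead of straight to the client, which would otherwise see a reply from an address it never spoke to and drop it).

```fortios
# Added example, not from the original article.
# Assumed names/addresses: "internal", "wan1", 10.0.0.10 (real server), 192.168.100.200 (public/VIP).
config firewall vip
    edit "VIP-WEB-HTTPS"
        set extip 192.168.100.200
        set extintf "any"          # "any", not "wan1": the DNAT must also match on the LAN interface
        set mappedip "10.0.0.10"   # assumed real server address
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    # Normal inbound policy for Internet users
    edit 0
        set name "WAN-to-WEB"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-WEB-HTTPS"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    # Hairpin policy: LAN users hitting the public address of a LAN server
    edit 0
        set name "LAN-Hairpin-to-WEB"
        set srcintf "internal"
        set dstintf "internal"     # same interface in and out; use the DMZ interface instead if the server lives there
        set srcaddr "all"
        set dstaddr "VIP-WEB-HTTPS"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable             # SNAT to the interface IP so the server replies via the FortiGate
    next
end
```

To confirm the hairpin is actually happening rather than the browser timing out, sniff on the LAN interface while a client browses: `diagnose sniffer packet internal 'host 192.168.100.200 and port 443' 4` should show the client's SYN to 192.168.100.200 followed by the translated SYN towards 10.0.0.10. If the server is on the same subnet as the users and you omit `set nat enable`, you will see the SYN translated but no completed handshake.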
Cisco to FortiGate Command Conversion
KB ID 0001776 Problem Bah what the hell is ‘show run’? If you’ve spent years on Cisco IOS and ASA/Firepower, then FortiGate can be a little confusing. Hopefully this Cisco to FortiGate list below will make it a little easier.
Cisco to Fortigate Translation
Cisco Command -> FortiGate Command
Basic commands
show run -> show full-config
show version -> get system status
show ip interface brief -> show system interface
show run...
FortiGate Sub Interfaces (VLAN Trunking)
KB ID 0001772 Problem I was asked by a colleague at work the other day, can we replace the Cisco firewalls with FortiGate firewalls for a client? As a business we are heading towards Forti, but before I said yes I wanted to know what the firewall was actually doing. On closer inspection the firewall in question didn’t appear to be doing anything too scary, but I did notice that the LAN interface was...
FortiGate HTTPS Error
KB ID Article Problem While attempting to connect to a FortiGate firewall (with Firefox over HTTPS) you may see this error: Secure Connection Failed. An error occurred during a connection to {x.x.x.x}. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please...
Fortigate Load Balancing
KB ID 0001762 Problem I’ve been getting through my NSE4, and one of today’s topics was NAT. Just as an offhand comment the ‘narrator’ (I say narrator because it’s a monotonous robot AI voice) mentioned Fortigate Load Balancing. In the past (with my Cisco hat on) when I’ve been asked about load balancing, I’ve said ‘If you want to load balance, buy a load balancer’. But the Fortigate does...
What is SD-WAN?
KB ID 0001752 SD-WAN? What is SD-WAN? An SD-WAN (Software Defined Wide Area Network) is a solution that, unlike previous WAN architectures (the type you typically see on a Visio diagram with maybe some MPLS, leased lines, and maybe some optical DWDM in them), gives you a more ‘layered’ approach that directs USERS to APPLICATIONS based on POLICIES. For example, let’s say your main business CRM is a SaaS solution...
FortiClient: Unlicensed VPN access is available until..
KB ID 0001745 Problem I got an email from a client I deployed SSL VPN for (a couple of weeks ago); one of his users was seeing this: Unlicensed VPN access is available until {Date} {Time} Solution: Unlicensed VPN access is available until… At first I was confused: unlike other vendors, SSL VPN is not a licensed requirement? As it turns out, in my instructions I’d written ‘Download the FortiClient’ when I...
FortiGate Certificates Missing?
KB ID 0001743 Problem Nice quick easy one today: while setting up SSL VPNs for a client I needed to import their Root CA certificate, and found the FortiGate certificates missing. Usually they are under System > Certificates, but the tab was simply not there. Solution: Fortigate Certificates Missing Fortunately it was simple to fix; it’s a ‘feature’ you simply need to ‘enable’. Go to System >...
FortiGate Port Forwarding
KB ID 0001742 Problem I was back on the tools again today setting up FortiGate Port Forwarding! This was for one of our partners that I have to do some remote work for, so I temporarily needed to get onto their servers. Normally I’d just SSL VPN in, (but that’s what I’m setting up!) So to get onto their servers I had to setup a port forward for RDP. WARNING: Port forwarding RDP from ALL / Any is a BAD IDEA...
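The warning above is the point worth acting on, so here is an added FortiOS CLI example (not configuration from the original article) of a port forward for RDP that is restricted to one trusted source address and to a one-off time window, instead of being open from ALL/Any. All names and addresses are assumptions: the partner engineer's public IP is 203.0.113.10, the FortiGate's WAN IP is 198.51.100.5, the server is 10.0.0.20 behind "internal", and the work window dates are placeholders.

```fortios
# Added example, not from the original article.
# Assumed: 203.0.113.10 (trusted source), 198.51.100.5 (WAN IP), 10.0.0.20 (RDP server), window dates.

# 1. The single source address that is allowed in (a /32, not "all")
config firewall address
    edit "Partner-Engineer-PublicIP"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# 2. Time-box the access, since the requirement is temporary
config firewall schedule onetime
    edit "Partner-RDP-Window"
        set start 08:00 2023/06/01
        set end 18:00 2023/06/02
    next
end

# 3. The VIP (port forward) itself
config firewall vip
    edit "VIP-RDP-SRV01"
        set extip 198.51.100.5
        set extintf "wan1"
        set mappedip "10.0.0.20"
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
end

# 4. The policy: source pinned to the trusted address, schedule pinned to the window, logged
config firewall policy
    edit 0
        set name "Partner-RDP-to-SRV01"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Partner-Engineer-PublicIP"   # NOT "all": this is what keeps RDP off the open Internet
        set dstaddr "VIP-RDP-SRV01"
        set action accept
        set schedule "Partner-RDP-Window"         # NOT "always"
        set service "RDP"
        set logtraffic all                        # log every session, not just denies
    next
end
```

Changing the external port (say 33890 instead of 3389) is not a substitute for the source restriction; scanners find RDP on any port. The source address object and the onetime schedule are the controls, and once the schedule expires the policy stops matching, which is the behaviour you want for a "temporary" forward you might otherwise forget to remove.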
Replacing Cisco Firewalls with Fortinet Firewalls
KB ID 0001741 Replacing Cisco If you’ve been following articles on the site you will know that the focus of the firewall related output is shifting from Cisco ASA / Cisco FirePOWER to Fortinet (FortiGate) firewalls. This article is so you can make an informed choice about what you want to replace your Cisco firewall with. Note: I’m starting with SOHO and Small Business sized firewalls, but I will extend this to...