Imagine the following scenario: you have a PUBLIC web server, and it is either on the same network as your users or attached to a DMZ on your FortiGate.
So, in the diagram above, our users open a web browser and attempt to go to www.ubique.com (1). Their PC does a DNS lookup for www.ubique.com and (in this case) a public DNS server returns an IP of 192.168.100.200 (2). The browser then attempts to HAIRPIN out to that IP, which is on the outside of your FortiGate, and the traffic is blocked.
FortiGate Hairpin Solution
If you have internal DNS servers you can of course solve this problem with split DNS (have your internal zone hand out the server's private address). On a Cisco firewall you could also solve it with DNS doctoring (the firewall rewrites the A record in the DNS reply). In fact, if you are from a Cisco background even the name 'hairpin' is confusing, because in Cisco land hairpinning usually refers to VPN traffic entering and leaving the same interface. Anyway, I digress.
To replicate the broken scenario: from my LAN PC I cannot browse to that site, and you can see my DNS is resolving the name to its public IP.
Policy & Objects > Virtual IPs > Create New > Virtual IP > Give it a Name > Interface = any > Set the External IP (the public address) > Set the Mapped/Internal IP (the server's real address) > Note: you don't have to enable port forwarding, but I'm only forwarding TCP 80, which keeps the mapping as narrow as the service it exposes > OK.
I already Have a Virtual IP: If your existing web server already has a Virtual IP object MAKE SURE it’s NOT bound to the outside interface, (or you won’t be able to select it in a minute). If you can’t edit it (because it’s in use), then you might need to remove it from the existing policy, and recreate it.
Policy & Objects > Firewall Policy > Create New > Give the policy a name > Set BOTH the incoming and outgoing interface to the internal one > Source = all > Destination = the Virtual IP you just created > Schedule = always > Service = HTTP > Disable NAT > OK. Caveat: NAT disabled is fine when the server sits behind a different interface (e.g. the DMZ), because its replies must come back through the FortiGate anyway. If the clients and the server are on the SAME subnet, enable NAT on this policy instead; otherwise the server answers the client directly from its real address, the client sees a reply from an IP it never connected to, and the connection is reset.
I can't see the Virtual IP in the Policy: Then it's either bound to an interface that ISN'T the inside one, or you have Central NAT enabled. With Central NAT the VIP's destination translation is applied globally before the policy lookup, so the policy's destination has to be the server's real (mapped) address: if you don't want to change your global NAT setting, create an address object for the internal IP and use that as the destination instead.
Now the website should work from the LAN.
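For anyone who prefers the CLI (or wants to script it), here is the equivalent of the GUI steps above. This is an added example, not configuration from the original article: the LAN interface name "internal" and the server's real address 192.168.1.200 are assumptions, while 192.168.100.200 is the public address the article uses.

```fortios
# Added example (not from the original article). Assumed: LAN interface
# "internal", web server's real address 192.168.1.200. Lines beginning
# with "#" are comments as used in FortiOS config files.

config firewall vip
    edit "VIP-WebServer-Hairpin"
        set extip 192.168.100.200
        # "any" is what allows this VIP to be the destination of a policy
        # whose incoming interface is the LAN rather than the WAN
        set extintf "any"
        set mappedip "192.168.1.200"
        # Port forwarding is optional for a hairpin, but limiting the
        # mapping to TCP/80 stops the VIP exposing every port on the server
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end

config firewall policy
    edit 0
        set name "LAN-to-WebServer-Hairpin"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-WebServer-Hairpin"
        set action accept
        set schedule "always"
        set service "HTTP"
        # As in the article. Use "set nat enable" instead if the clients and
        # the server share one subnet, so the server's replies return via
        # the FortiGate rather than going straight to the client.
        set nat disable
        set logtraffic all
    next
end
```

To check it is being hit, watch for the translated flow on the LAN interface with diagnose sniffer packet internal 'host 192.168.100.200 and port 80' 4 while a LAN PC browses to the site; you should see the SYN arrive for 192.168.100.200 and leave for 192.168.1.200.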
Related Articles, References, Credits, or External Links
Bah what the hell is ‘show run‘? If you’ve spent years on Cisco IOS and ASA/Firepower, then FortiGate can be a little confusing. Hopefully this Cisco to FortiGate list below will make it a little easier.
Cisco to FortiGate Translation

Basic commands
Cisco command                                       FortiGate command
show run                                            show full-config (a bare "show" lists only non-default settings)
show version                                        get system status
show ip interface brief                             get system interface physical
show run interface x/x                              show system interface <port>
show interface x/x                                  get hardware nic <port>  /  diagnose hardware deviceinfo nic <port>
show ip arp                                         get system arp  /  diagnose ip arp list
show mac address-table                              diagnose switch mac-address list | grep -i <mac>
show lldp neighbor                                  diagnose lldprx neighbor summary
show ip nat translation                             get system session list
show vlan                                           diagnose switch vlan list
show failover                                       get system ha status  /  diagnose sys ha status
copy running-config startup-config                  execute backup config tftp <file> <server> (FortiGate commits config as you type; this takes a copy of it)
reload                                              execute reboot
ping x.x.x.x                                        execute ping x.x.x.x

Basic routing commands
Cisco command                                       FortiGate command
show ip route                                       get router info routing-table all
show ip route x.x.x.x                               get router info routing-table details x.x.x.x
show ip route summary                               get router info routing-table all
show run | sec route-map                            show router route-map
show run | sec ip prefix-list                       show router prefix-list

OSPF commands
Cisco command                                       FortiGate command
show ip ospf neighbor                               get router info ospf neighbor
show ip ospf neighbor detail                        get router info ospf neighbor detail all

BGP commands
Cisco command                                       FortiGate command
show ip bgp summary                                 get router info bgp summary
show run | sec router bgp                           show router bgp
show ip bgp neighbor x.x.x.x routes                 get router info bgp neighbors x.x.x.x routes
show ip bgp neighbor x.x.x.x advertised-routes      get router info bgp neighbors x.x.x.x advertised-routes
show ip bgp neighbor x.x.x.x received-routes        get router info bgp neighbors x.x.x.x received-routes
show ip bgp x.x.x.x                                 get router info bgp network x.x.x.x

VPN commands
Cisco command                                       FortiGate command
show crypto isakmp sa                               diagnose vpn ike gateway list
show crypto ipsec sa                                diagnose vpn tunnel list
Please comment below if you want to add any I’ve missed.
I was asked by a colleague at work the other day: can we replace the Cisco firewalls with FortiGate firewalls for a client? As a business we are heading towards Fortinet, but before I said yes I wanted to know what the firewall was actually doing. On closer inspection the firewall in question didn't appear to be doing anything too scary, but I did notice that the LAN interface was sub-interfaced to the various internal VLANs. I didn't know how FortiGate handled this, so I fired one up on the test bench to test FortiGate sub interfaces.
So I needed to create TWO sub interfaces on the FortiGate (on port3).
Creating FortiGate Sub Interfaces
Simply put, on a FortiGate if you want what a Cisco engineer would refer to as a ‘sub interface‘, then you simply add a VLAN interface to a physical interface. Like so, Network > Interfaces > {Physical Interface} > Create New > Interface.
Give the new interface a name (and alias if required) > Interface Type should be VLAN > Select the parent physical interface > Add the VLAN ID (Tag) and specify an IP address of the interface.
Just for testing I’ll allow PING, on the VLAN interface also > OK.
Repeat the procedure to add further sub interfaces (VLANs).
Remember this is just a 'Router on a stick' configuration: to allow traffic to the internet (or between VLANs) you still need a firewall policy for it, because inter-VLAN traffic is denied until you write one (it is a firewall after all!).
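The same two VLAN interfaces from the CLI, with the policies that the 'router on a stick' point above is about. This is an added example, not the article's own configuration: the parent port "port3" matches the article, but the interface names, VLAN IDs 10 and 20, the addressing, the WAN interface name "wan1" and the service choices are assumptions.

```fortios
# Added example (not from the original article). Assumed: parent port3,
# VLAN 10 for users, VLAN 20 for servers, WAN interface "wan1".

config system interface
    edit "VLAN10-Users"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set alias "Users"
        set role lan
        set interface "port3"
        set vlanid 10
    next
    edit "VLAN20-Servers"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        # ping only; no HTTPS/SSH management on a server-facing VLAN
        set allowaccess ping
        set alias "Servers"
        set role lan
        set interface "port3"
        set vlanid 20
    next
end

# Nothing crosses between the VLANs until a policy says so. Inter-VLAN
# traffic does not need NAT; traffic leaving to the internet does.
config firewall policy
    edit 0
        set name "Users-to-Servers-HTTPS"
        set srcintf "VLAN10-Users"
        set dstintf "VLAN20-Servers"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
        set logtraffic all
    next
    edit 0
        set name "Users-to-Internet"
        set srcintf "VLAN10-Users"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
end
```

The server VLAN deliberately has no policy back towards the user VLAN: replies to the users' HTTPS sessions are allowed by the session table, and anything the servers start on their own is dropped and logged.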
Setting up Switches for FortiGate Sub Interfaces?
I’ve probably got this covered elsewhere on the site, but the core switch is Cisco so I just created a trunk port, and allowed ALL VLANs, (because I’m lazy, in production, you might want to lock that down a little!)
While attempting to connect to a FortiGate firewall (with Firefox over HTTPS) you may see this error;
Secure Connection Failed
An error occurred during a connection to {x.x.x.x} SSL received a record that exceeded the maximum permissible length error code : SSL_ERROR_RX_RECORD_TOO_LONG
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem
Solution: SSL_ERROR_RX_RECORD_TOO_LONG
My colleague went all round the houses trying to fix this, then asked if I knew what was wrong; annoyingly, one Google search gave me the answer:
You can only manage the FortiGate via HTTP when using an evaluation licence! Bear in mind that means the admin credentials cross the wire in clear text, so only do this on an isolated lab or management network.
I've been getting through my NSE4, and one of today's topics was NAT. Just as an offhand comment the 'narrator' (I say narrator because it's a monotonous robot AI voice) mentioned FortiGate load balancing.
In the past (with my Cisco hat on) when I've been asked about load balancing, I've said 'If you want to load balance, buy a load balancer'. But the FortiGate does try to be 'all things to all men', so I wondered just how good a load balancer it can be.
Turns out, quite a decent one. If you just want simple HTTP round robin, it does that; if you want weighted traffic routing, host health monitoring, HTTP cookie persistence, or even SSL offload, it does those too. It's as good as anything I've ever worked on before. Here's my FortiGate 'test bench'; you will see I've added three web servers (on the right) called Red, Green and Blue (the significance of which will become apparent). Note: yes, there's another web server at the bottom, I'm too lazy to remove it from the lab!
I'm going to set up simple round robin load balancing between these three web servers, and I'm going to get the FortiGate to monitor their health by simply making sure they respond to ping. (Note: it can monitor HTTP availability instead, which is a better test of the service, if you wish.)
Solution
This tripped me up for a while! Load balancing is a feature, you need to turn it on first, System > Feature Visibility > Load Balancing > Enable.
Policy & Objects > Health Check > Create New > Give it a name > Type = Ping > Interval = 10 > Timeout = 2 > Retry = 3 > OK
Now create a Virtual Server (not a VIP!) Policy & Objects > Virtual Servers > Create New > Name = Give it a sensible name > Type = HTTP > Interface = Your Outside/WAN interface > Virtual Server IP (Externally!) > Virtual Server Port = 80 > Load Balancing method = Round Robin > Persistence = HTTP cookie > Heath Check = Select the one you created above.
Scroll down > Real Servers > Create New.
Add in the first (internal server IP) > Port = 80 > Max connections = 0 (that’s unlimited) > OK.
Repeat the process to add the remaining servers > OK.
FortiGate Load Balancing: Enable Firewall Policy
Now you need to 'allow' traffic in (it is a firewall after all!) Policy & Objects > Firewall Policy (or IPv4 Policy on older firmware) > Create New > Name = Give it a sensible name > Incoming Interface = Outside > Outgoing Interface = Inside > STOP: change the Inspection Mode to Proxy-based > Destination = Your Virtual Server (it's not offered as a destination unless the policy is proxy-based!) > Schedule = Always > Service = All (or just HTTP, which is tighter) > Action = Accept > NAT = Enabled > You may also enable AV inspection > OK.
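Here is the whole of the above (health check, virtual server, real servers and proxy-based policy) as CLI, which is handy for a repeatable lab build. This is an added example rather than the article's configuration: the public address 203.0.113.10, the interface names "wan1" and "internal", and the real server addresses 10.1.1.11 to 10.1.1.13 are assumptions, and the policy service is narrowed to HTTP.

```fortios
# Added example (not from the original article). Assumed: virtual server
# address 203.0.113.10 on wan1, real servers 10.1.1.11-13 behind "internal".

config firewall ldb-monitor
    edit "Ping-Check"
        set type ping
        set interval 10
        set timeout 2
        set retry 3
    next
end

config firewall vip
    edit "VS-Web-RoundRobin"
        # server-load-balance is what makes this a Virtual Server, not a VIP
        set type server-load-balance
        set extip 203.0.113.10
        set extintf "wan1"
        set server-type http
        set extport 80
        set monitor "Ping-Check"
        set ldb-method round-robin
        # http-cookie pins a browser to one real server; set it to none
        # while proving that all three back ends are in rotation
        set persistence http-cookie
        config realservers
            edit 1
                set ip 10.1.1.11
                set port 80
                set max-connections 0
            next
            edit 2
                set ip 10.1.1.12
                set port 80
                set max-connections 0
            next
            edit 3
                set ip 10.1.1.13
                set port 80
                set max-connections 0
            next
        end
    next
end

config firewall policy
    edit 0
        set name "Inbound-Web-LB"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VS-Web-RoundRobin"
        set action accept
        set schedule "always"
        set service "HTTP"
        # the virtual server is only usable from a proxy-based policy
        set inspection-mode proxy
        set nat enable
        set logtraffic all
    next
end
```

A real server that fails the ping monitor (three retries at ten-second intervals with this health check) is taken out of rotation automatically and put back when it answers again, which you can confirm by stopping one of the back ends and refreshing.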
FortiGate Load Balancing:Testing and Tweaking
So from ‘Outside’ let’s hit our load balanced page.
That's great, but if you hit refresh a few times nothing changes. (In production nothing would change anyway, but to prove my back end servers are all being used and load balanced, each of mine serves a different coloured page, hence the Red, Green and Blue server names.) The reason I'm only seeing the blue one is that we enabled 'HTTP cookie persistence', which pins my browser to one server. Let's just nip back onto the firewall and disable that (set it to None > OK).
Now when I refresh my browser I can see it cycling through the back end servers.
FortiGate SSL Offload
Terminating SSL/TLS takes CPU. Some websites (like this one) serve their pages over HTTPS, and the certificate and private key that enable that live on the web server. For a site like mine, getting about 12k hits a day, that's fine, but if you are getting hundreds of thousands of hits a minute it's a MASSIVE drain on CPU. That's what SSL offload is about: another device (in this case the FortiGate) does the TLS heavy lifting, and the back end servers get on with serving web pages.
Upload the Certificate to the FortiGate
For HTTPS you will need a web certificate that your visitors will trust. I'm lazy and tight, so I'll just create one in Microsoft Certificate Services, but in production you will need a publicly signed certificate. System > Certificates (if you can't see the Certificates menu, enable it under System > Feature Visibility) > Import > Local Certificate.
Mine's in PFX format, so I need to select PKCS#12 > upload the certificate and supply its password > OK.
FortiGate: Enable SSL Offload
On your Virtual Server, change the Type to HTTPS > Virtual Server Port to 443 > Certificate = the one you just uploaded > OK (and change the Service on the firewall policy to HTTPS).
We are now serving pages securely even though the web servers are not configured for HTTPS. Two things to remember: the private key now lives on the FortiGate, so protect admin access to it accordingly, and traffic between the FortiGate and the real servers is plain HTTP, so that network segment needs to be trusted.
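The offload change as CLI, again as an added example and not the article's own configuration. It assumes an existing virtual server named "VS-Web-RoundRobin" that already has its real servers defined, a certificate imported under the name "Web-Cert", and an inbound policy named "Inbound-Web-LB"; the TLS minimum version is a hardening choice added here.

```fortios
# Added example (not from the original article). Assumed object names:
# virtual server "VS-Web-RoundRobin", imported certificate "Web-Cert",
# policy "Inbound-Web-LB". Only the settings that change are shown.

config firewall vip
    edit "VS-Web-RoundRobin"
        set server-type https
        set extport 443
        set ssl-certificate "Web-Cert"
        # half: TLS ends on the FortiGate, plain HTTP to the real servers
        # (the article's scenario). full: re-encrypt to the real servers
        # when the back end network is not trusted.
        set ssl-mode half
        # do not offer TLS 1.0/1.1 to clients
        set ssl-min-version tls-1.2
    next
end

# The real servers still listen on port 80, so no change there; the policy
# just needs to match the new listener.
config firewall policy
    edit "Inbound-Web-LB"
        set service "HTTPS"
    next
end
```

Note that "edit" by policy name (rather than ID) is supported for firewall policies; if your firmware complains, use the policy's ID instead.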
What is SD-WAN? A Software Defined Wide Area Network is a different animal from previous WAN architectures (the type you typically see on a Visio diagram with some MPLS, leased lines, and maybe some optical DWDM in them).
SD-WAN gives you a more 'layered' approach that directs USERS to APPLICATIONS based on POLICIES.
For example, let's say your main business CRM is a SaaS solution like Salesforce: it's secured by HTTPS and it's trusted. Instead of sending that traffic from all your sites to the data centre (where your corporate firewall is) and then onwards, why not use the local internet connection at each site? Now all that bandwidth is not needed on the connection to your DC, and, more importantly, it isn't slowing down the accounts application that has its database 'back end' in the data centre.
In the example below, you can see the topology is very similar. Users in Office 1, who need to go to Microsoft Office 365 (for example) can use their local internet connection. Users in Office 3 have a 5G connection on their router, and SD-WAN has calculated that using that connection is more efficient way to get to Office 365.
But it does not stop there (hence my saying it's more layered). To access a corporate application in the data centre, you can see in this example that the leased line from Office 1 to the data centre is running slowly and is contended; SD-WAN can work out that if it uses the local internet connection to spin up a dynamic VPN to the data centre, the 'user experience' will be a lot better. Likewise, for users in Office 3, SD-WAN can work out that spinning up a dynamic VPN to the corporate HQ and then going onwards via MPLS is the 'best' route (based on the policies you have specified).
I like the way Juniper describe this as “Elastic Traffic Management” what it gives you, is a collection of Virtual Network Overlays for the routing of different applications.
What SD-WAN ISN’T
I was talking to a client a few weeks ago and they said;
“We are retiring our MPLS network and moving to SD-WAN”
SD-WAN is not a replacement for MPLS! Yes, it can provide similar 'connectivity' functions, but you need to apply some common sense. If all your company sites need to talk to each other (phone systems, anyone?) then you are potentially replacing dedicated bandwidth with VPN connections, because SD-WAN builds dynamic VPNs between endpoints. So yes, you can replace a lot of CPE routers, MPLS connections or leased lines at some of your less trafficked sites, but your large offices and data centres may still need fast, reliable (read: expensive) links. SD-WAN is the control plane that steers your applications over your network; if those links are a 'wet piece of string' then performance will not be great.
The best explanation I can give is that SD-WAN is a WAN overlay solution that improves user experience and adds some dynamic resiliency. Or, if you are a network engineer, think of it as 'DMVPN with intelligence'.
What is SD-WAN, (Isn’t it Just SDN But for WANs?)
That's a sensible assumption to make, and you can draw a lot of parallels. I prefer to think of them as two different things that share some similarities (a central control plane, intelligence, and application based routing). But SDN is designed for data centres, whereas SD-WAN covers DCs and branch sites. SD-WAN also has the concept of 'Zero Touch Provisioning' (1. ship your devices to site, 2. connect them to the internet, 3. they 'call home', 4. they download their configs and policies automatically).
What is SD-WAN and How Do I Deploy SD-WAN?
That depends on which vendor you want to work with. Whoever you choose, the deployment will involve deploying new (or updated) endpoint devices (typically routers or firewalls) and an SD-WAN control plane. The control plane can be an appliance (or several appliances) or 'cloud based'. I've looked at three solutions: FortiGate, Meraki and Cisco (yes, I know Cisco own Meraki). Which solution you choose will normally depend on what you are happy to support. Of the three I prefer FortiGate; it's not as simple as Meraki, but if you are replacing your edge devices, the cost, throughput and connectivity options make it the most sensible option. Cisco is typically 'Ciscoesque': I spent about nine days watching videos about their SD-WAN solution, it only works with 'some' of their endpoints (routers), and you need to put some thought into the deployment and design of the control plane. If you have a lot of in-house Cisco guys and only ever buy Cisco, then your hands are tied.
I got an email from a client I deployed SSLVPN for, (a couple of weeks ago), one of his users was seeing this;
Unlicensed VPN access is available until {Date} {Time}
Solution: Unlicensed VPN access is available until…
At first I was confused: unlike other vendors, FortiGate SSL VPN does not need a licence. As it turned out, in my instructions I'd written 'Download the FortiClient' when I should have said 'scroll to the bottom and download the FortiClient VPN version'. The full FortiClient expects an EMS licence and shows that trial message; the VPN-only client is free.
That will teach me!
Nice quick easy one today. While setting up SSL VPNs for a client I needed to import their Root CA certificate, and found the FortiGate's certificates missing. Usually they are under System > Certificates, but the tab simply wasn't there.
Solution: Fortigate Certificates Missing
Fortunately it was simple to fix, it’s a ‘feature‘ you simply need to ‘enable‘. Go to System > Feature Visibility > Enable Certificates, et voila!
If only all my problems were that simple!
I was back on the tools again today setting up FortiGate port forwarding! This was for one of our partners that I have to do some remote work for, so I temporarily needed to get onto their servers. Normally I'd just SSL VPN in (but that's what I'm setting up!), so to get onto their servers I had to set up a port forward for RDP.
WARNING: Port forwarding RDP from ALL / any is a BAD IDEA (CryptoLocker, anyone? Internet-exposed RDP is a standard way in for ransomware crews). So if you must port forward RDP, lock it down to a particular source IP, like I'm about to do.
Fortigate Port Forwarding
The Process is;
Setup a ‘Virtual IP’ (with port forward enabled)
Create a ‘Virtual IP Group‘
Allow traffic to the Virtual IP Group.
FortiGate Port Forwarding: Create a Virtual IP
Policy and Objects >Virtual IPs > Create New > Virtual IP.
Give it a sensible name > Set the interface to the outside/WAN interface > External IP = the public IP address of the firewall* > Mapped IP address = the internal IP address of the server you are forwarding to > Enable 'Port forwarding' > Select TCP or UDP > Type in the port(s) you want to forward (forwarding a range of ports is much easier on a FortiGate than with 'some other' vendors!) > OK.
*Note: I'm assuming that if you are port forwarding you only have one public IP (or you've run out).
FortiGate Port Forwarding: Create a Virtual IP Group
From the Virtual IP menu > Create New > Virtual IP Group.
Give the group a name > Select the outside/WAN interface > Add in the Virtual IP you created above > OK.
FortiGate Port Forwarding: Fortigate Add an ‘Address’
If you are port forwarding something like HTTP/HTTPS to a web server, or SMTP to a mail server, you can skip this step, because for those the source will be 'all'. As per my warning above, for RDP I'm restricting access to one single public IP (mine).
Anyway for completeness here’s how to create an Address object. Policy & Objects > Addresses > Create New > Address.
Give it a recognisable name > Type = Subnet > Type the single IP into the IP/Netmask box (a host is /32, i.e. 255.255.255.255) > Set the interface to outside/WAN > OK.
FortiGate Port Forwarding: Allow Port Forwarded Traffic
Policy and Objects > IPv4 Policy (or Firewall Policy on the newer firmware) > Create New.
Name: Something identifiable
Incoming Interface: Outside / WAN
Source: For RDP, specify the single address object you created above; for other port forwarding simply use all instead.
Destination: Your Virtual IP Group
Schedule: Always
Service: RDP (or the port you are forwarding if different)
Action: Accept (NAT does not need to be enabled; the VIP does the destination translation)
Click OK.
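The same three objects and the locked-down policy from the CLI. This is an added example, not configuration taken from the article: the firewall's public IP 203.0.113.10, the RDP server's internal address 192.168.1.50, my 'admin' source address 198.51.100.25, and the interface names "wan1" and "internal" are all assumptions.

```fortios
# Added example (not from the original article). Assumed: public IP
# 203.0.113.10 on wan1, RDP server 192.168.1.50 behind "internal",
# permitted source 198.51.100.25.

config firewall vip
    edit "VIP-RDP-Server1"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "192.168.1.50"
        # without portforward the VIP would map EVERY port to the server
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedport 3389
    next
end

config firewall vipgrp
    edit "VIPGRP-Inbound"
        set interface "wan1"
        set member "VIP-RDP-Server1"
    next
end

# A /32 so only this one public address matches the policy's source
config firewall address
    edit "Admin-Public-IP"
        set type ipmask
        set subnet 198.51.100.25 255.255.255.255
        set associated-interface "wan1"
    next
end

config firewall policy
    edit 0
        set name "Inbound-RDP-Admin-Only"
        set srcintf "wan1"
        set dstintf "internal"
        # the source restriction is the whole point: never "all" for RDP
        set srcaddr "Admin-Public-IP"
        set dstaddr "VIPGRP-Inbound"
        set action accept
        set schedule "always"
        set service "RDP"
        set nat disable
        set logtraffic all
    next
end
```

Connections from any other source IP fall through to the implicit deny, so a quick test is to try the RDP connection from somewhere other than 198.51.100.25 and confirm it never reaches the server.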
FortiGate Port Forwarding: Troubleshooting Port Forwarding
You can see what’s going on by using the packet sniffer in the firewall.
[box]
diagnose sniffer packet {interface} 'host {External IP} and port {Port Number}' 4
e.g.
diagnose sniffer packet wan 'host 234.234.234.234 and port 3389' 4
[/box]
Note: In the example above I'm seeing the inbound SYNs but no return (SYN/ACK) traffic, because the Windows firewall was on and dropping them! I diagnosed that by attempting to ping the server from the firewall (execute ping {internal IP address}) and getting no response.
If you’ve been following articles on the site you will know that the focus of the firewall related output is shifting from Cisco ASA / Cisco FirePOWER to Fortinet (FortiGate) firewalls.
This article is so you can make an informed choice about what you want to replace your Cisco firewall with.
Note: I’m starting with SOHO and Small Business sized firewalls, but I will extend this to ‘Enterprise sized’ firewalls as I have the time.
Replacing Cisco SOHO Small Business Firewalls with FortiGate
If ever there was something that was incorrectly sold, it was likely a SOHO Cisco firewall. The problem was, back in the day of the ASA5505 the only alternative was an ASA5510, and that was four times the price; plus the 5505 had a built-in switch, which saved you having to buy one of those as well. Even now (in 2021) these things are ubiquitous: I see them balanced in wall-mounted comms cabinets, sat in data centres and popped under people's desks.
Then we got the FPR1010. This comes in two flavours: the ASA code version, which I deploy, and the FDM version, which is bobbins! (I get 10 questions a day on the site from people wanting help setting them up.) This is (at the time of writing) a relatively new firewall, but I'll include it for completeness (and article longevity).
High Availability: Seriously? I see this more often than I should! Don't be deploying home-sized firewalls and wanting enterprise solutions. Stop it now. On a serious note, all the little ASA/FPR models support it, but they all need additional licensing to do so.
Stats: Remember when comparing the stats that we are (mostly) comparing old hardware against brand new, purpose-built hardware, so the FortiGates will always look better on paper.
Cisco ASA5505, 5506-X and FPR1010 Specifications
Fortigate 40F, 60F, and 80F Specifications
Replacing Cisco SOHO Firewalls Conclusion
Unless you need 10Gb connectivity on your WAN, go for the 60F if you need all those 1Gb ports and want it to function as a switch.
If you don't need so many LAN ports then go for the 40F. (Note: even with one WAN port you can deploy SD-WAN by using another interface as the second WAN link!)
Replacing Cisco Medium Business / Small enterprise Firewalls with FortiGate
This is a difficult one to call; you can't really say FortiGate model X is a direct comparison for Cisco model Y. To size a FortiGate firewall you need to:
First: Decide what throughput you need (remember to factor in NGFW/IPS/ATP and possibly HTTPS inspection throughput, which will be LOWER than the headline firewall throughput!)
Second: Decide what connectivity you want.
FortiGate throughput for these classes of firewalls falls into roughly three different categories;
10Gbps throughput (1Gbps HTTPS inspection throughput) to 27Gbps throughput (4Gbps HTTPS throughput) = 100 and 200 Series.
32Gbps throughput (3.9Gbps HTTPS inspection throughput) to 36Gbps throughput (5.7Gbps HTTPS throughput) = 300, 400 and 500 Series.
36Gbps throughput (8Gbps HTTPS inspection throughput) to 52Gbps throughput (3.9Gbps HTTPS throughput) = 600, 800 and 900 Series.
Note: If the figures don't overlap neatly, that's because these are a mixture of D, E and F releases.
Cisco ASA5500 and 5500-X Specifications
Cisco Firepower 1100 to 2100 Series Specifications
Fortigate 100 to 900 Series Specifications
Replacing Cisco Bonuses
Remote VPN: You don't need to buy additional remote VPN (AnyConnect) licences any more. With FortiGate, remote SSL VPN is built in, and the supported client numbers are impressive.
Failover: Active/Passive, Active/Active and clustering are all supported without extra licences.
SDWAN: You now have this capability if you require it.
Redundant Power Supply: Is on all FortiGate models in this class.
If anyone wants to add any real world experiences or comments, please do so below.