Fortigate Hairpin NAT

KB ID 0001781

Problem

Imagine the following scenario: you have a PUBLIC web server and it's either in the same network your users are in, or attached to a DMZ on your FortiGate.

So above, our users open a web browser and attempt to go to www.ubique.com (1). Their PC does a DNS lookup for www.ubique.com and (in this case) a public DNS server returns an IP of 192.168.100.200 (2). The browser then attempts to HAIRPIN to that IP, which is external to your FortiGate, and the traffic is blocked.

FortiGate Hairpin Solution

If you have internal DNS servers you can of course solve this problem with split DNS, and with a Cisco firewall you could also solve it with DNS doctoring. In fact, if you're from a Cisco background then even the name 'hairpin' is confusing, because when Cisco people mention hairpinning we are usually talking about VPN traffic. Anyway, I digress.

So to replicate the scenario above (i.e. it being broken): on my LAN PC I cannot browse to that site, and you can see my DNS is resolving to its public IP.

Policy & Objects > Virtual IPs > Create New > Virtual IP > Give it a Name > Interface = any > Set External IP > Set Internal IP > Note: You don't have to set port forwarding, but I'm only using TCP 80 > OK.

I already have a Virtual IP: If your existing web server already has a Virtual IP object, MAKE SURE it's NOT bound to the outside interface (or you won't be able to select it in a minute). If you can't edit it (because it's in use), then you might need to remove it from the existing policy and recreate it.

Policy & Objects > Firewall Policy > Create New > Give the Policy a Name > Set the incoming and outgoing interface to the internal one > Source = All > Destination = the Virtual IP you just created > Schedule = always > Service = HTTP > Disable NAT > OK.

I can't see the Virtual IP in the Policy: Then it's either bound to an interface that ISN'T the inside one, or you have Central NAT enabled. If you don't want to change your global NAT policy, create an address object for the internal IP and use that instead.

Now the website should work.
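The same VIP and hairpin policy as a FortiOS CLI script, as an added example that is not part of the original article. The external IP 192.168.100.200 is the address the article's DNS lookup returned; the mapped (internal) server IP 10.0.0.50 and the interface name "internal" are assumptions, so substitute your own.

```fortios
# Added example (not from the article). Assumed values: mapped IP 10.0.0.50,
# internal interface "internal". 192.168.100.200 is the IP that DNS returns.
config firewall vip
    edit "Web-Hairpin"
        # Interface "any" so the VIP can be selected on an internal-to-internal policy
        set extintf "any"
        set extip 192.168.100.200
        set mappedip "10.0.0.50"
        # Optional: limit the translation to TCP 80 only (the article's port forward)
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end

config firewall policy
    edit 0
        set name "LAN-Hairpin-Web"
        # Same interface in and out: the traffic enters and leaves via "internal"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Web-Hairpin"
        set action accept
        set schedule "always"
        set service "HTTP"
        # NAT disabled, as in the article, so the web server logs the real client IP
        set nat disable
        set logtraffic all
    next
end
```

To check it, run diagnose sniffer packet any 'host 10.0.0.50 and port 80' 4 on the FortiGate while a LAN PC browses to the site; you should see both the SYN towards the server and the SYN/ACK coming back. One caveat: if the PC and the web server sit on the same subnet, the server answers the PC directly (bypassing the FortiGate) from 10.0.0.50 rather than 192.168.100.200, and the PC resets the connection. In that case either keep the server in a DMZ, or enable NAT on this policy so the server replies via the FortiGate.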

Related Articles, References, Credits, or External Links

NA

Cisco to FortiGate Command Conversion

KB ID 0001776

Problem

Bah, what the hell is 'show run'? If you've spent years on Cisco IOS and ASA/Firepower, then FortiGate can be a little confusing. Hopefully the Cisco to FortiGate list below will make it a little easier.

Cisco to Fortigate Translation

Cisco Command                                        FortiGate Command

Basic commands
show run                                             show full-config
show version                                         get system status
show ip interface brief                              show system interface
show run interface x/x                               show system interface <port #>
show interface x/x                                   get hardware nic <port #> / diagnose hardware deviceinfo nic
show ip arp                                          diagnose ip arp list
show mac address-table                               diagnose switch mac-address list | grep -i mac
show lldp neighbor                                   diagnose lldprx neighbor summary
show ip nat translation                              get system session list
show vlan                                            diagnose switch vlan list
show failover                                        diagnose system ha status
copy running-configuration startup-configuration     execute backup config
reload                                               execute reboot
ping x.x.x.x                                         execute ping x.x.x.x

Basic Routing Commands
show ip route                                        get router info routing-table all
show ip route x.x.x.x                                get router info routing-table details x.x.x.x
sh ip route summary                                  get router info routing-table all
show run | sec route-map                             show router route-map
show run | sec ip prefix-list                        show router prefix-list

OSPF Commands
show ip ospf neighbor                                get router info ospf neighbor
show ip ospf neighbor details                        get router info ospf neighbor detail all

BGP Commands
show ip bgp summary                                  get router info bgp summary
show run | sec router bgp                            show router bgp
show ip bgp neighbor x.x.x.x routes                  get router info bgp neighbors x.x.x.x routes
show ip bgp neighbor x.x.x.x advertised-routes       get router info bgp neighbors x.x.x.x advertised-routes
show ip bgp neighbor x.x.x.x received-routes         get router info bgp neighbors x.x.x.x received-routes
show ip bgp x.x.x.x                                  get router info bgp network x.x.x.x

VPN Commands
show crypto isakmp                                   diagnose vpn ike gateway list
show crypto ipsec sa                                 diagnose vpn tunnel list

Please comment below if you want to add any I’ve missed.

Related Articles, References, Credits, or External Links

NA

FortiGate Sub Interfaces (VLAN Trunking)

KB ID 0001772

Problem

I was asked by a colleague at work the other day whether we could replace the Cisco firewalls with FortiGate firewalls for a client. As a business we are heading towards Forti, but before I said yes I wanted to know what the firewall was actually doing. On closer inspection the firewall in question didn't appear to be doing anything too scary, but I did notice that the LAN interface was sub-interfaced to the various internal VLANs. I didn't know how FortiGate handled this, so I fired it up on the test bench to test FortiGate sub interfaces.

So I needed to create TWO sub interfaces on the FortiGate (on port3).

Creating FortiGate Sub Interfaces

Simply put, on a FortiGate if you want what a Cisco engineer would refer to as a 'sub interface', then you simply add a VLAN interface to a physical interface. Like so: Network > Interfaces > {Physical Interface} > Create New > Interface.

Give the new interface a name (and alias if required) > Interface Type should be VLAN > Select the parent physical interface > Add the VLAN ID (Tag) and specify an IP address of the interface.

Just for testing I'll allow PING on the VLAN interface also > OK.

Repeat the procedure to add further sub interfaces (VLANs).

Remember this is just a 'router on a stick' configuration. To further allow traffic to the internet (or between VLANs) you still need to add that traffic to the firewall policy to let it through (it is a firewall after all!).
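The two VLAN sub interfaces on port3, plus one of the firewall policies the paragraph above says you still need, as a FortiOS CLI script. This is an added example, not the article's own config; the VLAN IDs 150 and 200 match the switch config further down, while the interface addresses, the VDOM name "root" and the WAN interface name "wan1" are assumptions.

```fortios
# Added example (not from the article). Assumed values: VLAN gateway addresses,
# VDOM "root", WAN interface "wan1". VLAN IDs 150 and 200 match the switch config.
config system interface
    edit "VLAN150"
        set vdom "root"
        set ip 192.168.150.1 255.255.255.0
        # Ping only, as in the article's test; do not expose HTTPS/SSH management here
        set allowaccess ping
        set role lan
        # The parent physical interface and the 802.1Q tag make this a "sub interface"
        set interface "port3"
        set vlanid 150
    next
    edit "VLAN200"
        set vdom "root"
        set ip 192.168.200.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "port3"
        set vlanid 200
    next
end

# Router on a stick still needs policy: without this, VLAN150 cannot reach the internet
config firewall policy
    edit 0
        set name "VLAN150-to-Internet"
        set srcintf "VLAN150"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Inter-VLAN traffic needs its own policy (srcintf "VLAN150", dstintf "VLAN200", no NAT) or it is dropped, which is the point the paragraph above makes. On the Cisco side, the lock-down the author mentions for production is switchport trunk allowed vlan 150,200 on the trunk port, so the firewall only ever sees the tags it has interfaces for.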

Setting up Switches for FortiGate Sub Interfaces?

I've probably got this covered elsewhere on the site, but the core switch is Cisco so I just created a trunk port and allowed ALL VLANs (because I'm lazy; in production you might want to lock that down a little!)

[box]

!
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/1
 switchport access vlan 150
 switchport mode access
!
interface Ethernet0/2
 switchport access vlan 200
 switchport mode access
!
interface Ethernet0/3
 switchport access vlan 150
 switchport mode access
!
interface Ethernet1/0
 switchport access vlan 200
 switchport mode access
 no cdp enable
!

[/box]

My switch isn't Cisco, it's HP/Aruba! Then you simply TAG the VLANs required on the uplink, see this article.

Related Articles, References, Credits, or External Links

NA

FortiGate HTTPS Error

KB ID Article

Problem

While attempting to connect to a FortiGate firewall (with Firefox over HTTPS) you may see this error:

Secure Connection Failed

An error occurred during a connection to {x.x.x.x} SSL received a record that exceeded the maximum permissible length error code : SSL_ERROR_RX_RECORD_TOO_LONG

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem

Solution: SSL_ERROR_RX_RECORD_TOO_LONG

My colleague went all round the houses trying to fix this, then asked if I knew what was wrong. Annoyingly, one Google search gave me the answer:

You can only manage the FortiGate via HTTP when using an evaluation licence!

Related Articles, References, Credits, or External Links

NA

Fortigate Load Balancing

KB ID 0001762

Problem

I've been getting through my NSE4, and one of today's topics was NAT. Just as an offhand comment the 'narrator' (I say narrator because it's a monotonous robot AI voice) mentioned FortiGate load balancing.

In the past (with my Cisco hat on) when I've been asked about load balancing, I've said 'If you want to load balance, buy a load balancer'. But the FortiGate does try to be 'all things to all men', so I wondered just how good a load balancer it can be.

Turns out, quite a decent one. If you just want simple HTTP round robin, it does that; if you want weighted traffic routing, host health monitoring, HTTP cookie persistence, or even SSL offload, it's as good as anything I've ever worked on before. Here's my FortiGate 'test bench'; you will see I've added three web servers (on the right) called Red, Green, and Blue (the significance of which will become apparent). Note: Yes, there's another web server at the bottom (I'm too lazy to remove it from the lab!)

I'm going to set up simple round robin load balancing between these three web servers, and I'm going to get the FortiGate to monitor their health by simply making sure they respond to ping packets. (Note: it can monitor HTTP availability, or something a little better, if you wish.)

Solution

This tripped me up for a while! Load balancing is a feature, so you need to turn it on first: System > Feature Visibility > Load Balancing > Enable.

FortiGate Load Balancing: Create a Health Check

Cisco types: think of this as a tracked SLA.

Policy & Objects > Health Check > Create New > Give it a name > Type = Ping > Interval = 10 > Timeout = 2 > Retry = 3 > OK.

Now create a Virtual Server (not a VIP!): Policy & Objects > Virtual Servers > Create New > Name = Give it a sensible name > Type = HTTP > Interface = Your Outside/WAN interface > Virtual Server IP (the external one!) > Virtual Server Port = 80 > Load Balancing Method = Round Robin > Persistence = HTTP Cookie > Health Check = Select the one you created above.

Scroll down > Real Servers > Create New.

Add in the first (internal) server IP > Port = 80 > Max Connections = 0 (that's unlimited) > OK.

Repeat the process to add the remaining servers > OK.

FortiGate Load Balancing: Enable Firewall Policy

Now you need to 'allow' traffic in (it is a firewall after all!): Policy & Objects > Firewall Policy (or IPv4 Policy on older firewalls) > Create New > Name = Give it a sensible name > Incoming Interface = Outside > Outgoing Interface = Inside > STOP: Change Inspection Mode to Proxy-based > Destination = Your Virtual Server (it's not visible unless you have enabled proxy-based inspection!) > Schedule = Always > Service = All > Action = Accept > NAT = Enabled > You may also enable AV inspection > OK.

FortiGate Load Balancing: Testing and Tweaking

So from ‘Outside’ let’s hit our load balanced page.

That's great, but if you hit refresh a few times nothing changes. (In production nothing would change anyway, but to prove my back end servers are getting used and load balanced, each of mine serves a different coloured page, hence the Red, Green and Blue server names.) The reason I'm only seeing the blue one is because we enabled 'HTTP Cookie Persistence'. Let's just nip back onto the firewall and disable that (set it to None > OK).

Now when I refresh my browser I can see it cycling through the back end servers.

FortiGate SSL Offload

Using and processing SSL requires some CPU power. Some websites (like this one) serve their web pages protected by HTTPS, and the certificate that enables that lives on the web server. For sites like mine that are getting about 12k hits a day that's fine, but if you are getting hundreds of thousands of hits a minute that's a MASSIVE drain on CPU resources. That's what SSL offload is all about: getting another device (in this case the FortiGate) to do all the heavy lifting for you, so the back end servers can get on with the job of serving web pages.

Upload the Certificate to the FortiGate

For HTTPS you will need a web certificate that will be trusted by your visitors. I'm lazy and tight, so I'll just create one in Microsoft Certificate Services, but in production you will need a publicly signed certificate. System > Certificates (see below if you can't see Certificates) > Import > Local Certificate.

Mine's in PFX format, so I need to select PKCS#12 > upload the certificate and supply a password > OK.

FortiGate: Enable SSL Offload

On your Virtual Server, change the Type to HTTPS > Virtual Server Port to 443 > Certificate to the one you just uploaded > OK.

We are now serving pages securely, even though the web servers themselves are not configured for HTTPS.
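The whole load balancing build from the article (feature visibility, health check, virtual server with the three real servers, the proxy-mode policy) and the SSL offload change from the section just above, as one FortiOS CLI script. This is an added example, not the article's own config: the WAN interface name "wan1", the virtual server IP 203.0.113.10, the real server addresses 10.0.0.11/12/13 (Red, Green, Blue) and the certificate name "web-cert" are all assumptions, and set inspection-mode proxy on the policy assumes FortiOS 6.2 or later, where inspection mode is per policy.

```fortios
# Added example (not from the article). Assumed values: WAN interface "wan1",
# virtual server IP 203.0.113.10, real servers 10.0.0.11/12/13 (Red/Green/Blue),
# imported certificate named "web-cert", FortiOS 6.2+ for per-policy inspection mode.

# Step 1: make the Load Balancing menu visible in the GUI (Feature Visibility)
config system settings
    set gui-load-balance enable
end

# Step 2: the health check (the article's "tracked SLA"): ping every 10s,
# 2s timeout, 3 retries before a real server is marked down
config firewall ldb-monitor
    edit "Ping-Check"
        set type ping
        set interval 10
        set timeout 2
        set retry 3
    next
end

# Step 3: the virtual server with its three real servers. Persistence is "none"
# so a browser refresh visibly cycles Red -> Green -> Blue; use http-cookie in
# production so each client sticks to one back end.
config firewall vip
    edit "Web-LB"
        set type server-load-balance
        set extintf "wan1"
        set extip 203.0.113.10
        set server-type http
        set extport 80
        set ldb-method round-robin
        set persistence none
        set monitor "Ping-Check"
        config realservers
            edit 1
                set ip 10.0.0.11
                set port 80
                set max-connections 0
            next
            edit 2
                set ip 10.0.0.12
                set port 80
                set max-connections 0
            next
            edit 3
                set ip 10.0.0.13
                set port 80
                set max-connections 0
            next
        end
    next
end

# Step 4: the inbound policy. Virtual servers only work in proxy inspection mode.
config firewall policy
    edit 0
        set name "Inbound-Web-LB"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Web-LB"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set nat enable
        set logtraffic all
    next
end

# Step 5 (SSL offload): switch the same virtual server to HTTPS on 443 and
# terminate TLS on the FortiGate ("half" mode); the real servers stay on port 80.
config firewall vip
    edit "Web-LB"
        set server-type https
        set extport 443
        set ssl-mode half
        set ssl-certificate "web-cert"
    next
end
```

A ping monitor only proves the host is up, not that the web service is answering; the article notes the FortiGate can also monitor HTTP, which in the CLI is set type http on the ldb-monitor with an http-get path to request. With ssl-mode half the FortiGate-to-server leg is plain HTTP, which is what the article describes; if the back end servers did support HTTPS you would use ssl-mode full instead so the internal leg is also encrypted.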

Related Articles, References, Credits, or External Links

NA

What is SD-WAN?

KB ID 0001752

SD-WAN?

What is SD-WAN? An SD-WAN (Software Defined Wide Area Network) is a solution that, unlike previous WAN architectures (the type you typically see on a Visio diagram with maybe some MPLS, leased lines, and maybe some optical DWDM in them), gives you a more 'layered' approach, one that directs USERS to APPLICATIONS based on POLICIES.

For example, let's say your main business CRM is a SaaS solution like Salesforce; it's secured by HTTPS and it's trusted. Instead of sending that traffic from all your sites to the datacenter (where your corporate firewall is) and then sending it onwards, why not utilise the local internet connection at each of your sites? Now all that bandwidth is not needed on the connection to your DC, or more importantly isn't slowing down the accounts application that has its database 'back end' in the datacenter.

In the example below, you can see the topology is very similar. Users in Office 1 who need to go to Microsoft Office 365 (for example) can use their local internet connection. Users in Office 3 have a 5G connection on their router, and SD-WAN has calculated that using that connection is a more efficient way to get to Office 365.

But it does not stop there (hence me saying it's more layered). To access a corporate application in the datacenter, you can see in this example that the leased line from Office 1 to the datacenter is running slowly and is contended; SD-WAN can calculate that if it uses its local internet connection to spin up a dynamic VPN to the datacenter, the 'user experience' will be a lot better. Likewise for users in Office 3, SD-WAN can calculate that if it spins up a dynamic VPN to the corporate HQ, then onwards via MPLS, that's the 'best' route (based on the policies you have specified).

I like the way Juniper describe this as "Elastic Traffic Management". What it gives you is a collection of virtual network overlays for the routing of different applications.

What SD-WAN ISN’T

I was talking to a client a few weeks ago and they said:

“We are retiring our MPLS network and moving to SD-WAN”

SD-WAN is not a replacement for MPLS! Yes, it can provide similar 'connectivity' functions, but you need to apply some common sense. If all your company sites need to speak to each other (phone systems, anyone?) then you're potentially replacing dedicated bandwidth with VPN connections (because SD-WAN will build dynamic VPNs between endpoints). So yes, you can replace a lot of CPE routers, MPLS connections or leased lines at some of your less trafficked sites. But your large offices and data centres may still need fast, reliable (read: expensive) links, because SD-WAN is the control plane that will steer your applications over your network, and if those links are a 'wet piece of string' then performance will not be great.

The best explanation I can give is that SD-WAN is a WAN overlay solution to improve user experience and add some dynamic resiliency. Or, if you are a network engineer, think of it like 'DMVPN with intelligence'.

What is SD-WAN, (Isn’t it Just SDN But for WANs?)

That's a sensible assumption to make, and you can draw a lot of parallels. I prefer to think of them as two different things that share some similarities (a central control plane, intelligence, and application-based routing). But SDN is designed for data centres, whereas SD-WAN covers DCs and branch sites. SD-WAN also has the concept of "Zero Touch Provisioning": 1. ship your devices to site, 2. connect them to the internet, 3. they 'call home', 4. they download their configs and policies automatically.

What is SD-WAN and How Do I Deploy SD-WAN?

That depends on which 'vendor' you want to work with. Whoever you choose, the deployment will involve deploying new (or updated) endpoint devices (typically routers or firewalls) and an SD-WAN control plane. The control plane can be an appliance (or several appliances) or 'cloud based'. I've looked at three solutions: FortiGate, Meraki, and Cisco (yes, I know Cisco own Meraki). Which solution you choose will (normally) depend on what you are happy to support. Of the three I prefer FortiGate; it's not as simple as Meraki, but if you are replacing your edge devices the cost, throughput and connectivity options make it the most sensible option. Cisco is typically 'Ciscoesque', i.e. I spent about 9 days watching videos about their SD-WAN solution, it only works with 'some' of their endpoints (routers), and you need to put some thought into the deployment and design of the control plane. If you have a lot of in-house Cisco guys and typically only ever buy Cisco, then your hands are tied.

Related Articles, References, Credits, or External Links

NA

FortiClient: Unlicensed VPN access is available until..

KB ID 0001745

Problem

I got an email from a client I deployed SSL VPN for (a couple of weeks ago); one of his users was seeing this:


Unlicensed VPN access is available until {Date} {Time}

Solution: Unlicensed VPN access is available until…

At first I was confused: unlike other vendors, SSL VPN on a FortiGate is not a licensed requirement. As it turns out, in my instructions I'd written 'Download the FortiClient' when I should have said 'scroll to the bottom and download the FortiClient VPN version'.

That will teach me!

Related Articles, References, Credits, or External Links

NA

FortiGate Certificates Missing?

KB ID 0001743

Problem

Nice quick easy one today. While setting up SSL VPNs for a client I needed to import their Root CA certificate, and found the FortiGate certificates missing. Usually they are under System > Certificates, but the tab was simply not there.

Solution: FortiGate Certificates Missing

Fortunately it was simple to fix: it's a 'feature' you simply need to 'enable'. Go to System > Feature Visibility > Enable Certificates, et voila!

If only all my problems were that simple!

Related Articles, References, Credits, or External Links

NA

FortiGate Port Forwarding

KB ID 0001742

Problem

I was back on the tools again today setting up FortiGate port forwarding! This was for one of our partners that I have to do some remote work for, so I temporarily needed to get onto their servers. Normally I'd just SSL VPN in (but that's what I'm setting up!), so to get onto their servers I had to set up a port forward for RDP.

WARNING: Port forwarding RDP from ALL / Any is a BAD IDEA (Cryptolocker, anyone?). So if you must port forward RDP, then lock it down to a particular source IP, like I'm about to do.

Fortigate Port Forwarding

The process is:

  1. Set up a 'Virtual IP' (with port forwarding enabled)
  2. Create a 'Virtual IP Group'
  3. Allow traffic to the Virtual IP Group.

FortiGate Port Forwarding: Create a Virtual IP

Policy & Objects > Virtual IPs > Create New > Virtual IP.

Give it a sensible name > Set the interface to the outside/WAN interface > External IP: set to the public IP address of the firewall* > Mapped IP address: set to the internal IP address of the server you are forwarding to > Enable 'Port Forwarding' > Select TCP or UDP > Type in the port(s) you want to forward (forwarding a range of ports is much easier on a FortiGate than with 'some other' vendors!) > OK.

*Note: I'm assuming if you are port forwarding you only have one public IP (or you've run out).

FortiGate Port Forwarding: Create a Virtual IP Group

From the Virtual IP menu > Create New > Virtual IP Group.

Give the group a name > Select the outside/WAN interface > Add in the Virtual IP you created above > OK.

FortiGate Port Forwarding: Add an 'Address'

If you are port forwarding something like HTTP/HTTPS to a web server, or SMTP to a mail server, you can skip this step. As per my warning above, I'm restricting public access to one single public IP (mine). For most port forwarding scenarios you would set the source to 'ALL'.

Anyway, for completeness, here's how to create an Address object: Policy & Objects > Addresses > Create New > Address.

Give it a recognisable name > Type = Subnet > Type the IP into the IP/Netmask box > Set the interface to outside/WAN > OK.

FortiGate Port Forwarding: Allow Port Forwarded Traffic

Policy & Objects > IPv4 Policy (or Firewall Policy on the newer firmware) > Create New.

  • Name: Something identifiable
  • Incoming Interface: Outside / WAN
  • Source: For RDP, specify the single address you created above; for all other port forwarding simply use ALL instead.
  • Destination: Your Virtual IP Group
  • Schedule: Always
  • Service: RDP (or the port you are forwarding if different)
  • Action: Accept

Click OK.
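The three steps above (VIP with port forwarding, VIP group, restricted address object and the inbound policy) as one FortiOS CLI script. This is an added example, not the article's own config: the WAN interface name "wan1", the firewall's public IP 203.0.113.10, the RDP server 10.0.0.20 and the single administrator source address 198.51.100.7 are all assumed values.

```fortios
# Added example (not from the article). Assumed values: WAN interface "wan1",
# firewall public IP 203.0.113.10, RDP server 10.0.0.20, and the one
# administrator public IP 198.51.100.7 allowed to reach it.
config firewall vip
    edit "RDP-to-Server"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.20"
        # Port forwarding: only TCP 3389 on the public IP is translated
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedport 3389
    next
end

config firewall vipgrp
    edit "Port-Forwards"
        set interface "wan1"
        set member "RDP-to-Server"
    next
end

# A /32 address object for the single public IP that may reach RDP
config firewall address
    edit "Admin-Public-IP"
        set subnet 198.51.100.7 255.255.255.255
        set associated-interface "wan1"
    next
end

config firewall policy
    edit 0
        set name "Inbound-RDP-Admin-Only"
        set srcintf "wan1"
        set dstintf "internal"
        # Source is the single address object, not "all", per the warning above
        set srcaddr "Admin-Public-IP"
        set dstaddr "Port-Forwards"
        set action accept
        set schedule "always"
        set service "RDP"
        set nat disable
        set logtraffic all
    next
end
```

To forward a range instead of a single port, give extport and mappedport matching ranges (for example set extport 3389-3390 with set mappedport 3389-3390). If the sniffer in the troubleshooting section shows the SYN arriving but you are unsure whether the policy matched, diagnose debug flow filter port 3389, diagnose debug flow trace start 10 and diagnose debug enable print the policy decision and NAT translation for each packet; run diagnose debug disable afterwards.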

FortiGate Port Forwarding: Troubleshooting Port Forwarding

You can see what's going on by using the packet sniffer in the firewall:

[box]

diagnose sniffer packet {interface} 'host {External IP} and port {Port Number}' 4

e.g.

diagnose sniffer packet wan 'host 234.234.234.234 and port 3389' 4

[/box]

Note: In the example above I'm getting no return (ACK) traffic, because the Windows firewall was on and dropping the traffic! I diagnosed that by attempting to ping the server from the firewall (execute ping {internal IP address}) and failing to see a response.

Related Articles, References, Credits, or External Links

Fortigate: One to One (Static NAT)

Replacing Cisco Firewalls with Fortinet Firewalls

KB ID 0001741

Replacing Cisco

If you've been following articles on the site you will know that the focus of the firewall-related output is shifting from Cisco ASA / Cisco FirePOWER to Fortinet (FortiGate) firewalls.

This article is so you can make an informed choice about what you want to replace your Cisco firewall with.

Note: I’m starting with SOHO and Small Business sized firewalls, but I will extend this to ‘Enterprise sized’ firewalls as I have the time.

Replacing Cisco SOHO Small Business Firewalls with FortiGate

If ever there was something that was incorrectly sold, it was likely a SOHO Cisco firewall. The problem was, back in the day of the ASA5505, the only alternative was an ASA5510 and that was four times the price, plus the 5505 had a built-in switch which saved you having to buy one of those as well. Even now (in 2021) these things are ubiquitous; I see them balanced in wall-mounted comms cabinets, sat in data centres, and popped under people's desks.

To make matters worse, its replacement the ASA5506-X was a decent firewall, but it wasn't also a switch! (Cisco half-heartedly tried to fix this and made it worse.) To add insult to injury, if you paid for the NGFW Firepower option, Cisco just disabled it without warning in version 9.10(1).

Then we got the FPR1010. This comes in two flavours: the ASA code version, which I deploy, and the FDM version, which is bobbins! (I get 10 questions a day on the site to help people set them up.) This (at time of writing) is a relatively new firewall, but I'll include it for completeness (and article longevity).

High Availability: Seriously? I see this more often than I should! Don't be deploying home-sized firewalls and wanting enterprise solutions. Stop it now. On a serious note, all the little ASA/FPR models support it, but they all need additional licensing to do so.

Stats: Remember when comparing the stats that we are comparing (mostly) old hardware against brand new (purpose-built) hardware, so the FortiGates will always look better on paper.

Cisco ASA5505, 5506-X and FPR1010 Specifications

Fortigate 40F, 60F, and 80F Specifications

Replacing Cisco SOHO Firewalls Conclusion

  • Unless you need 10Gb connectivity (on your WAN), go for the 60F if you need all those 1Gb ports and you want it to function as a switch.
  • If you don't need so many LAN ports then go for the 40F. (Note: even with 1x WAN port you can deploy SD-WAN by using another interface!)

Replacing Cisco Medium Business / Small enterprise Firewalls with FortiGate

This is a difficult one to call; you can't really say FortiGate model X is a direct comparison for Cisco model Y. To size a FortiGate firewall you need to:

First: Decide what throughput you need (remember to factor in NGFW/IDS/ATP and possibly HTTPS inspection throughput; this will be LOWER than the maximum throughput!)

Second: Decide what connectivity you want.

FortiGate throughput for these classes of firewall falls into roughly three categories:

  1. 10Gbps Throughput (1Gbps HTTPS Inspection throughput) to 27Gbps Throughput (4Gbps HTTPS throughput) = 100 and 200 Series.
  2. 32Gbps Throughput (3.9Gbps HTTPS Inspection throughput) to 36Gbps Throughput (5.7Gbps HTTPS throughput) = 300, 400 and 500 Series.
  3. 36Gbps Throughput (8Gbps HTTPS Inspection throughput) to 52Gbps Throughput (3.9Gbps HTTPS throughput) = 600, 800 and 900 Series.

Note: If the figures don't overlap neatly, that's because these are a mixture of D, E and F releases.

Cisco ASA5500 and 5500-X  Specifications

Cisco Firepower 1100 to 2100 Series Specifications

Fortigate 100 to 900 Series Specifications

Replacing Cisco Bonuses

  • Remote VPN: You don't need to buy additional remote VPN (AnyConnect) licences any more. With FortiGate, remote SSL VPN is built in, and the client numbers are impressive.
  • Failover: Supported, for Active / Active, good old Active / Passive, and clustering.
  • SD-WAN: You now have this capability if you require it.
  • Redundant Power Supply: Available on all FortiGate models in this class.

If anyone wants to add any real world experiences or comments, please do so below.

Related Articles, References, Credits, or External Links

NA