FortiGate: Change the HTTPS Fortigate Management Port

KB ID 0001723

Problem

Like all firewalls that have 'web management', the default ports are TCP 80 for insecure (HTTP) and TCP 443 for secure (HTTPS) management. If you have secure (HTTPS) management on the outside interface of your firewall on the normal TCP port of 443, then you can't use the same interface to terminate SSL VPNs, because both services want the same socket. So you will need to change the FortiGate management port.

You can set SSL VPN to use a different port of course, but for your remote workers who may be in hotels, or in locations where only web (port 80) and secure web/HTTPS (port 443) are allowed outbound, that's going to be a problem.

The lesser of the two evils is to change the secure web management port to something that is not 443!

Changing the Fortigate Management Port (HTTPS)

Note: I'm talking about changing the TCP port, NOT the physical management port. If that's what you are trying to do, then you simply enable the protocols you want (HTTPS, SSH, etc.) under Administrative Access on the INTERFACE in question on the firewall.

FortiGate Change Management Port via CLI

Firstly, to find out/check the port that HTTPS is currently configured on, use;

[box]

show full-configuration system global | grep admin-sport

[/box]

Then to change the port number (in this case to 4433) use the following. The change is committed when you type end, at which point your current HTTPS session will drop;

[box]

config system global
    set admin-sport 4433
end

[/box]

FortiGate Change Management Port via GUI

System > Settings > Administration Settings > HTTPS Port.

Change the port number accordingly > Apply. After a while it will try to reconnect and will probably fail, (that's OK).

Reconnect to the firewall using https://{IP-or-Hostname}:{Port-Number}

Note: moving the port does not hide management from a port scan. If HTTPS administrative access stays enabled on the outside interface, restrict it with trusted hosts on each admin account as well.
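To check a configuration dump for this collision before and after the change, here is an added example (my code, not the article's commands or anything from Fortinet) that parses FortiOS 'show' output and reports any interface where HTTPS admin access and the SSL-VPN listener share a port. The configuration text inside it is constructed for the demo; the interface names, addresses, and the 443 default assumed for the SSL-VPN port when it is not set are mine.

```python
"""Check a FortiGate configuration dump for the collision this article is about:
HTTPS administrative access (admin-sport) and the SSL-VPN listener on the same
interface and port. Added example, not the article's own commands or Fortinet
code. SAMPLE_CONFIG is a constructed, cut-down 'show' output."""

import shlex

# Constructed sample in FortiOS 'show' format: management and SSL VPN both on 443 on wan1.
SAMPLE_CONFIG = """\
config system global
    set admin-sport 443
    set admin-port 80
    set admin-ssh-port 22
end
config vpn ssl settings
    set port 443
    set source-interface "wan1"
end
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI 'show' output into {section_path: {key: [values]}}.

    section_path is a tuple such as ("system global",) or
    ("system interface", "wan1"); 'config' and 'edit' push onto it,
    'end' and 'next' pop.  Only 'set' lines are recorded.
    """
    cfg = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)          # strips the quotes around names
        keyword = words[0]
        if keyword == "config":
            stack.append(" ".join(words[1:]))
        elif keyword == "edit":
            stack.append(words[1])
        elif keyword in ("next", "end"):
            stack.pop()
        elif keyword == "set":
            cfg.setdefault(tuple(stack), {})[words[1]] = words[2:]
    return cfg


def sslvpn_conflicts(text):
    """Return the management and SSL-VPN ports plus the interfaces where they collide.

    An interface collides when it is an SSL-VPN source-interface, has 'https'
    in allowaccess, and admin-sport equals the SSL-VPN port.
    """
    cfg = parse_fortios(text)
    glob = cfg.get(("system global",), {})
    ssl = cfg.get(("vpn ssl settings",), {})
    # 443 is the FortiOS default for admin-sport; for the SSL-VPN port the
    # default has varied between releases, so treating a missing value as 443
    # is an assumption made for this example.
    admin_sport = int(glob.get("admin-sport", ["443"])[0])
    ssl_port = int(ssl.get("port", ["443"])[0])
    ssl_ifaces = set(ssl.get("source-interface", []))

    conflicts = []
    for path, attrs in cfg.items():
        if len(path) == 2 and path[0] == "system interface":
            name = path[1]
            if (name in ssl_ifaces
                    and "https" in attrs.get("allowaccess", [])
                    and admin_sport == ssl_port):
                conflicts.append(name)
    return {"admin_sport": admin_sport, "sslvpn_port": ssl_port,
            "conflicts": sorted(conflicts)}


if __name__ == "__main__":
    before = sslvpn_conflicts(SAMPLE_CONFIG)
    after = sslvpn_conflicts(SAMPLE_CONFIG.replace("set admin-sport 443",
                                                   "set admin-sport 4433"))
    print("before:", before)   # conflicts on wan1
    print("after: ", after)    # no conflicts once admin-sport is 4433
```

Feed it the output of show full-configuration copied from the firewall; a non-empty conflicts list means SSL VPN and management are still contending for the same socket on that interface.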

Related Articles, References, Credits, or External Links

NA

ADPREP /FORESTPREP error “There is a schema conflict with Exchange 2000”

KB ID 0000257

Problem

Seen when running "adprep /forestprep" to extend the forest schema for Windows Server 2003.

Error:
Adprep was unable to extend the schema.
[Status/Consequence]
There is a schema conflict with Exchange 2000. The schema is not upgraded.
[User Action]
The schema conflict must be resolved before running adprep. Resolve the schema
conflict, allow the change to replicate between all replication partners, and
then run Adprep. For information on resolving the conflict, see Microsoft Knowledge
Base article Q325379.

Solution

1. Open notepad.

2. Copy the following text into Notepad exactly as shown (each record ends with a line containing only a hyphen, the records are separated by a blank line, and there must be no extra spaces),

[box]

dn: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: LDAPDisplayName
LDAPDisplayName: msExchAssistantName
-

dn: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: LDAPDisplayName
LDAPDisplayName: msExchLabeledURI
-

dn: CN=ms-Exch-House-Identifier,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: LDAPDisplayName
LDAPDisplayName: msExchHouseIdentifier
-

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

[/box]

3. Save the file as "%userprofile%\InetOrgPersonPrevent.ldf", set the "Save as type" field to "All Files", and finally set the "Encoding" to "Unicode".

4. Click Start > Run > cmd {Enter}

5. At the command line issue the following command. (Note: you will need to change the domain name to match your own; the -c switch replaces the DC=X placeholder in the file with your domain's distinguished name).

[box] ldifde -i -f inetorgpersonprevent.ldf -v -c DC=X "dc=domain,dc=com" [/box]

6. At this point you may see the following error.

Error: Add error on line 1: Unwilling To Perform The server side error is “Schema update is not allowed on this DC. Either the registry key is not set or the DC is not the schema FSMO Role Owner.” 0 entries modified successfully. An error has occurred in the program

If you do see this error, you are not running ldifde on the domain controller that holds the Schema Master FSMO role: run it there (or transfer the role to the DC you are on) and try again. If not, then you should see it say "The command completed successfully."
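The copy-and-paste pitfalls in steps 2 and 3 (lost line breaks, missing hyphens, wrong encoding) are easier to avoid by generating the file. The following is an added example, my code rather than Microsoft's or the article's: it builds the same four LDIF change records, encodes them as Notepad's "Unicode" (UTF-16 LE with a BOM), parses the result back to confirm the structure, and assembles the ldifde command from step 5 without running it. The domain DN used in the demo is made up.

```python
"""Build the InetOrgPersonPrevent.ldf change file from the article above
programmatically, so the line breaks, the trailing '-' on every record and the
UTF-16 ('Unicode' in Notepad) encoding come out right, and parse it back to
check. Added example; the code is mine, not Microsoft's or the article's, and
the domain DN used in the demo is made up."""

import codecs
import re

# The three Exchange 2000 schema attributes whose LDAPDisplayName must be
# renamed (from the article / KB 325379), and the new names they get.
SCHEMA_RENAMES = [
    ("ms-Exch-Assistant-Name", "msExchAssistantName"),
    ("ms-Exch-LabeledURI", "msExchLabeledURI"),
    ("ms-Exch-House-Identifier", "msExchHouseIdentifier"),
]


def build_ldif(domain_dn="DC=X"):
    """Return the LDIF text. With the default DC=X placeholder the file is the
    one in the article and ldifde's '-c DC=X "dc=yourdomain,dc=com"' does the
    substitution; passing the real DN here produces a file that needs no -c."""
    schema_nc = f"CN=Schema,CN=Configuration,{domain_dn}"
    records = []
    for cn, new_name in SCHEMA_RENAMES:
        records.append([
            f"dn: CN={cn},{schema_nc}",
            "changetype: Modify",
            "replace: LDAPDisplayName",
            f"LDAPDisplayName: {new_name}",
            "-",                      # terminates the modify spec
        ])
    # Final record: tell the schema master to reload the schema cache now.
    records.append(["dn:", "changetype: Modify", "add: schemaUpdateNow",
                    "schemaUpdateNow: 1", "-"])
    # LDIF separates change records with a blank line; Windows tools expect CRLF.
    return "\r\n\r\n".join("\r\n".join(r) for r in records) + "\r\n"


def ldif_bytes(text):
    """Encode as Notepad's 'Unicode': UTF-16 little-endian with a BOM."""
    return codecs.BOM_UTF16_LE + text.encode("utf-16-le")


def write_ldif(path, domain_dn="DC=X"):
    """Write the file to disk; returns the number of bytes written."""
    data = ldif_bytes(build_ldif(domain_dn))
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


def parse_ldif(text):
    """Minimal parser for LDIF change records: one dict per record,
    attribute name -> list of values ('-' separator lines are skipped)."""
    records = []
    for block in re.split(r"(?:\r?\n){2,}", text.strip()):
        rec = {}
        for line in block.splitlines():
            if line == "-":
                continue
            name, _, value = line.partition(":")
            rec.setdefault(name.strip(), []).append(value.strip())
        records.append(rec)
    return records


def ldifde_command(path, domain_dn):
    """The import command from step 5, as an argv list (not executed here)."""
    return ["ldifde", "-i", "-f", path, "-v", "-c", "DC=X", domain_dn]


if __name__ == "__main__":
    import os
    import tempfile
    path = os.path.join(tempfile.gettempdir(), "InetOrgPersonPrevent.ldf")
    print(write_ldif(path), "bytes written to", path)
    print(" ".join(ldifde_command(path, "dc=corp,dc=example")))
```

Run it on the schema master, then import the file it wrote with the printed ldifde command; if you pass your real DN to build_ldif instead, drop the -c pair from the command since the placeholder is already replaced.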

 

Related Articles, References, Credits, or External Links

NA

IP Address Conflicts with VMware ESX and Cisco ASA

KB ID 0000635

Problem

My colleague was setting up a DMZ server for one of our clients; it was a virtual server presented to the DMZ interface of a Cisco ASA 5510. Every time he gave it a static IP address it popped up an IP address conflict (no matter what the IP address was).

Windows has detected an IP address conflict
Another computer on this network has the same IP address as this computer. Contact your network administrator for help resolving this issue. More details are available in the Windows event log.

He asked me to set up DHCP for the DMZ to see if that would cure the problem, which I did. However, that refused to work either.

Windows IP Configuration
An error occurred while renewing interface Local Area Connection : The DHCP client has obtained an IP address that is already in use on the network. The local interface will be disabled until the DHCP client can obtain a new address.
An error occurred while releasing interface. Loopback Pseudo-Interface 1 : The system cannot find the file specified.

Solution

Turns out this is a known problem, and it's pretty easy to rectify. The ASA answers ARP requests (proxy ARP) on the DMZ for the addresses covered by its NAT translations, so when Windows probes its new address to check for duplicates, the firewall replies and Windows concludes that another machine already owns it.

Option 1 (On the ASA)

1. Connect to the ASA via command line, log in and then go to enable mode

[box]

Password:******
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********

[/box]

2. Enter configure terminal mode then disable proxy ARP on the interface that’s presented to the problem network, (in this case the interface is called DMZ).

[box]

PetesASA# configure terminal
PetesASA(config)# sysopt noproxyarp DMZ

[/box]

3. Save the changes.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#

[/box]

Note: You can also disable proxy ARP on just the NAT translation that is causing the problem, with the no-proxy-arp keyword, like so;

[box]

PetesASA(config)# nat (inside,DMZ) source static Inside-LAN Inside-LAN destination static Inside-LAN Inside-LAN no-proxy-arp

[/box]

On a busy firewall the per-rule option is the safer one: sysopt noproxyarp turns off proxy ARP for every translation on that interface, so any static NAT that relies on the ASA answering ARP for a mapped address on the DMZ will stop working.

Option 2 (On the affected machine)

Note: This is for Windows based clients.

1. Start > Run > regedit {Enter}.

2. Navigate to;

[box]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

[/box]

3. Create a new DWORD value called 'ArpRetryCount' and set its value to 0 (Zero).

4. Reboot.

Note: ArpRetryCount = 0 stops Windows sending the gratuitous ARP it uses to detect duplicate addresses, so that host will no longer report genuine conflicts either. It is a workaround on the client, not a fix for the firewall.
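Before changing either side it is worth confirming that the firewall really is the one answering. The example below is added here and is my code, not the article's or Cisco's: it decodes Ethernet/ARP frames from a capture and flags any MAC address that replies to duplicate-address probes for several different IPs, which is the signature of proxy ARP. The capture, MAC addresses and IPs inside it are constructed for the demo.

```python
"""Spot proxy ARP in a packet capture, which is what the conflict above comes
down to: the host probes its new address, the ASA answers on behalf of its NAT
addresses, and Windows concludes someone else owns the IP. Added example, not
from the article or Cisco; the frames are constructed below and the MACs and
IPs are made up. A MAC that answers probes for several different addresses is
acting as a proxy."""

import socket
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826). op 1 = request, 2 = reply."""
    dst = BROADCAST if op == 1 else target_mac
    eth = _mac(dst) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet/IPv4, 6-byte MAC, 4-byte IP
           + _mac(sender_mac) + socket.inet_aton(sender_ip)
           + _mac(target_mac) + socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet+ARP frame, or return None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": _mac_str(frame[22:28]),
            "sender_ip": socket.inet_ntoa(frame[28:32]),
            "target_mac": _mac_str(frame[32:38]),
            "target_ip": socket.inet_ntoa(frame[38:42])}


def is_dad_probe(p):
    """Duplicate-address-detection probe: an ARP request for the address the
    sender wants, sent from 0.0.0.0 (RFC 5227 style) or from the address itself
    (the older gratuitous form)."""
    return p["op"] == 1 and p["sender_ip"] in ("0.0.0.0", p["target_ip"])


def find_proxy_arp(frames, min_addresses=2):
    """Return {mac: [ips]} for every MAC that replied to probes for at least
    min_addresses different IPs: one MAC owning many addresses is proxy ARP."""
    probed = set()
    answered = defaultdict(set)
    for frame in frames:
        p = parse_arp(frame)
        if p is None:
            continue
        if is_dad_probe(p):
            probed.add(p["target_ip"])
        elif p["op"] == 2 and p["sender_ip"] in probed:
            answered[p["sender_mac"]].add(p["sender_ip"])
    return {mac: sorted(ips) for mac, ips in answered.items()
            if len(ips) >= min_addresses}


def sample_capture():
    """Constructed capture: the new DMZ host (HOST) tries three addresses in
    turn and the firewall (ASA) answers every probe; a legitimate server (SRV)
    answers only for its own address."""
    HOST, ASA, SRV = "00:50:56:aa:bb:cc", "00:1b:54:de:ad:01", "00:50:56:11:22:33"
    frames = []
    for ip in ("10.10.10.20", "10.10.10.21", "10.10.10.50"):
        frames.append(build_arp(1, HOST, "0.0.0.0", ZERO_MAC, ip))
        frames.append(build_arp(2, ASA, ip, HOST, "0.0.0.0"))
    frames.append(build_arp(1, HOST, "0.0.0.0", ZERO_MAC, "10.10.10.10"))
    frames.append(build_arp(2, SRV, "10.10.10.10", HOST, "0.0.0.0"))
    frames.append(b"\x00" * 60)   # non-ARP noise, ignored by the parser
    return frames


if __name__ == "__main__":
    print(find_proxy_arp(sample_capture()))   # only the ASA's MAC is reported
```

On a real network, capture on the DMZ host while assigning the address and pass the raw frames in; if the MAC reported is the ASA's DMZ interface, Option 1 is the right fix.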

Related Articles, References, Credits, or External Links

NA