Bert Zefat's Tech Blog

After upgrading from 5.2.x or 5.4.x to 5.6.2 it is possible that FortiClient VPN connected clients can not access a remote site over VPN anymore from the FortiGate that they are connecting to.
The local LAN is accessible, but the remote LAN is not.

It seems there is a routing issue in the 5.6.2 OS. If you do

# execute traceroute <ip-address>

you will see the first IP adres beeing an IP address that is not defined in the Dail-up FortiGate.

You must add a static route at the remote site with the IP range of the IPsec client IP adresses.

With

# diagnose sniffer packet <interface> 'host <ip adress>'

you must see a ping request and reply on both the source FortiGate and the remote FortiGate.

Tags: Fortigate, Security by Bert Zefat
No Comments »

config system interface
  edit port1
    set ip 192.168.0.100 255.255.255.0
    append allowaccess http
end

config router static 
  edit 1 
    set device port1 
    set gateway
end

Tags: Fortigate, Security by Bert Zefat
No Comments »

To get the update from a FortiGate via the CLI:

get sys perf stat

Tags: Fortigate, Security by Bert Zefat
No Comments »

To change from the Primary to the Secondary Fortigate:

execute ha manage 1

To change from the Secondary to the Primary:

execute ha manage 0

Tags: Fortigate, Security by Bert Zefat
No Comments »

There are 3 steps involved in this process.

1. Complete the prerequisites
2. Change the mode from Switch mode to interface mode
3. Configure the network and allow access to a particular network port.

FGxxxxxxxxxxxxxx # config system global
FGxxxxxxxxxxxxxx # set internal–switch-mode interface
FGxxxxxxxxxxxxxx # end
Changing switch mode will reboot the system!
Do you want to continue? (y/n) y

FGxxxxxxxxxxxxxx #

Tags: Fortigate, Security by Bert Zefat
No Comments »

A good practice to enhance firewall security is to rename the default administrator account of the box. On Fortigate, default administrator username is admin. If you leave your admin as ‘admin’, then the leftover part of the brute-force password cracking is just a piece of cake.

You need to finish these steps within command line mode. The best way to manage Fortinet devices is using SSH or Serial terminal. If you need help of how to connect to a Fortinet box using Serial terminal, click here.

Fortinet will prevent you from changing your currently logged in account. I assume that you are logged in under the default “admin”. You could not rename “admin” to “yourname” if you are logging under “admin”, it’s reasonable, isn’t it?

• So, the first step is to create a new administrator account.
• Next step is to login using the new account.
• Final step is from the new account, execute the rename command to change “admin” to something else.

Create new administrator account on Fortinet

Do these steps while you are already in privilege mode (logged in as “admin”):

CUSTOMER_FW01# config system admin
 CUSTOMER_FW01(admin) # edit newadmin
 new entry ‘newadmin’ added

CUSTOMER_FW01(newadmin) # set password Myn3w-password
CUSTOMER_FW01(newadmin) # set accprofile super_admin
CUSTOMER_FW01(newadmin) # end
CUSTOMER_FW01# exit
 Auto backup config …
 login.c-__config

CUSTOMER_FW01login: newadmin
 Password: **************
 Welcome !

CUSTOMER_FW01#

Rename Fortinet default “admin”

To rename your Fortinet default “admin”, follow these steps:

CUSTOMER_FW01 # config system admin
CUSTOMER_FW01 (admin) # rename admin to nimda
CUSTOMER_FW01 (admin) #

Tags: Fortigate, Security by Bert Zefat
No Comments »