My Network Security Journal

Thursday, June 5, 2025

Hardening a FortiGate Firewall using Copilot AI

I used the Microsoft Copilot AI tool to help generate a list or steps in "hardening" a FortiGate firewall. Below are the results of this query.

Hardening a FortiGate firewall involves configuring it to maximize security, reduce attack surfaces, and ensure best practices are followed. Here's a comprehensive guide to help you harden your FortiGate firewall:

🔐 1. Update Firmware

Always run the latest stable firmware to patch known vulnerabilities.
Regularly check Fortinet’s support site for updates.

🔧 2. Disable Unused Services

Disable services like Telnet, HTTP, SNMP, and FTP if not in use.
Use secure alternatives (e.g., SSH instead of Telnet, HTTPS instead of HTTP).

🔒 3. Secure Administrative Access

Restrict access to the management interface by IP.
Use HTTPS and SSH only for admin access.
Change default ports for admin access (e.g., from 443 to a non-standard port).
Enable two-factor authentication (2FA) for all admin accounts.
Limit login attempts and enable account lockout.

🛡️ 4. Configure Firewall Policies Carefully

Use the principle of least privilege—only allow necessary traffic.
Enable logging on all policies for auditing.
Use application control, web filtering, and IPS where appropriate.

🧱 5. Enable Intrusion Prevention System (IPS)

Apply IPS profiles to relevant policies.
Regularly update IPS signatures.

🧬 6. Use Antivirus and Anti-Malware

Enable antivirus scanning on applicable policies.
Use FortiGuard services for real-time protection.

🌐 7. DNS and Web Filtering

Use FortiGuard DNS filtering to block malicious domains.
Apply web filtering profiles to control access to risky or inappropriate content.

📊 8. Monitor and Log Activity

Enable logging to a remote syslog server or FortiAnalyzer.
Regularly review logs for suspicious activity.
Set up alerts for critical events.

🧾 9. Backup Configuration

Regularly back up your configuration.
Store backups securely and offline if possible.

🧰 10. Use Virtual Domains (VDOMs)

Segment networks using VDOMs for better isolation and control.

Saturday, May 3, 2025

Enable Overlap IP Address in a FortiGate VDOM

Here's a Fortinet link to enable an overlap IP address in a FortiGate VDOM. I've subnetted a public IP address range and allocated a /31 subnet for the point-to-point WAN link to an ISP. I wasn't able to configure the /31 public IP address since it had a subnet overlap in another interface.

FGT (interface) # edit "npu0_vlink0.10"
new entry 'npu0_vlink0.10' added

FGT (npu0_vlink0.10) # set vdom "isp"

FGT (npu0_vlink0.10) # set ip 46.40.14.8 255.255.255.254
Subnets overlap between 'npu0_vlink0.10' with primary IP of 'po1.10'
node_check_object fail! for ip 46.40.14.8 255.255.255.254

value parse error before '255.255.255.254'
Command fail. Return code -54

I had to configure the set allow-subnet-overlap enable command under the VDOM setting and I was able to apply the /31 public WAN IP address afterwards.

FGT # config vdom

FGT(vdom) # edit isp
current vf=isp:4

FGT(isp) # config system setting

FGT(settings) # set allow
allow-linkdown-path     Enable/disable link down path.
allow-subnet-overlap    Enable/disable allowing interface subnets to use overlapping IP addresses.

FGT(settings) # set allow-subnet-overlap
enable     Enable overlapping subnets.
disable    Disable overlapping subnets.

FGT(settings) # set allow-subnet-overlap enable

FGT(settings) # end

Sunday, April 6, 2025

Configure Cisco Router Crypto Map Based IKEv2

I had to reconfigure an old Cisco 800 router from a "legacy" Crypto Map (Policy Based) IKE Version 1 to a more secure IKE Version 2. Refer to this link for IKEv2 in a Cisco router. The "newer" approach or implementation for IKEv2 in a Cisco router should be Route Based VPN (VTI) configuration.

These are the configurations for IKEv2 in a Cisco router. Make sure the remote device has an identical IKEv2 configuration.

crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-cbc-128
integrity sha1
group 14 5

crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROPOSAL

crypto ikev2 keyring IKEV2-KEYRING
peer ASAFW
address 89.123.4.5
pre-shared-key local cisco123
pre-shared-key remote cisco123

crypto ikev2 profile IKEV2-PROFILE
match fvrf any
match address local 161.51.1.20
match identity remote address 89.123.4.5 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local IKEV2-KEYRING

ip access-list extended IKEV2-ACL
permit ip host 10.30.2.90 host 172.16.100.210

crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac

crypto map CMAP_IKEV2 10 ipsec-isakmp
set peer 89.123.4.5
set security-association lifetime seconds 86400
set transform-set IKEV2-TSET
set set pfs group14
set ikev2-profile IKEV2-PROFILE
match address IKEV2-ACL

interface FastEthernet4
crypto map CMAP_IKEV2

c800#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
c800(config)#crypto ikev2 proposal IKEV2-PROPOSAL
IKEv2 proposal should have atleast an encryption algorithm, an integrity algorithm and a dh group configured
c800(config-ikev2-proposal)#encryption ?
3des         3DES
aes-cbc-128 AES-CBC-128
aes-cbc-192 AES-CBC-192
aes-cbc-256 AES-CBC-256

c800(config-ikev2-proposal)#encryption aes-cbc-128
c800(config-ikev2-proposal)#integrity ?
md5     Message Digest 5
sha1    Secure Hash Standard
sha256 Secure Hash Standard 2 (256 bit)
sha384 Secure Hash Standard 2 (384 bit)
sha512 Secure Hash Standard 2 (512 bit)

c800(config-ikev2-proposal)#integrity sha1
c800(config-ikev2-proposal)#group ?
1   DH 768 MODP
14 DH 2048 MODP
15 DH 3072 MODP
16 DH 4096 MODP
19 DH 256 ECP
2   DH 1024 MODP
20 DH 384 ECP
24 DH 2048 (256 subgroup) MODP
5   DH 1536 MODP

c800(config-ikev2-proposal)#group 14 5   // YOU CAN SPECIFY MULTIPLE DH GROUP
kellog-mvpn-gw01(config-ikev2-proposal)#exit
c800(config)#
c800(config)#crypto ikev2 policy ?
WORD Name of IKEv2 policy

c800(config)#crypto ikev2 policy IKEV2-POLICY
IKEv2 policy should have atleast one complete proposal attached
c800(config-ikev2-policy)#proposal ?
WORD Specify the name of proposal to be attached

c800(config-ikev2-policy)#proposal IKEV2-PROPOSAL
c800(config-ikev2-policy)#exit
c800(config)#
c800(config)#crypto ikev2 keyring ?
WORD Name of IKEv2 Keyring

c800(config)#crypto ikev2 keyring IKEV2-KEYRING
c800(config-ikev2-keyring)#?
IKEv2 Keyring commands:
exit Exit from crypto ikev2 keyring sub mode
no    Negate a command or set its defaults
peer Configure a Peer and associated keys

c800(config-ikev2-keyring)#peer ?
WORD Name of the peer block

c800(config-ikev2-keyring)#peer ASAFW
c800(config-ikev2-keyring-peer)#?
Crypto IKEv2 Keyring Peer submode commands:
address         Specify IPv4 address of peer
description     Specify a description of this peer
exit            Exit from crypto ikev2 keyring peer sub mode
hostname        Hostname of peer
identity        Specify IKE identity to use
no              Negate values of a command
pre-shared-key specify the pre-shared key

c800(config-ikev2-keyring-peer)#?
Crypto IKEv2 Keyring Peer submode commands:
address         Specify IPv4 address of peer
description     Specify a description of this peer
exit            Exit from crypto ikev2 keyring peer sub mode
hostname        Hostname of peer
identity        Specify IKE identity to use
no              Negate values of a command
pre-shared-key specify the pre-shared key

c800(config-ikev2-keyring-peer)#address ?
A.B.C.D             IPv4 Address
X:X:X:X::X/<0-128> IPv6 prefix

c800(config-ikev2-keyring-peer)#address 89.123.4.5

c800(config-ikev2-keyring-peer)#pre-shared-key ?
0       Specifies an UNENCRYPTED password will follow
6       Specifies an ENCRYPTED password will follow
LINE    The UNENCRYPTED (cleartext) user password
local   specify signing key
remote specify verifying key

c800(config-ikev2-keyring-peer)#pre-shared-key local cisco123
c800(config-ikev2-keyring-peer)#pre-shared-key remote cisco123
c800(config-ikev2-keyring-peer)#exit
c800(config-ikev2-keyring)#exit
c800(config)#crypto ikev2 profile ?
WORD Name of IKEv2 Profile

c800(config)#crypto ikev2 profile IKEV2-PROFILE
% IKEv2 profile MUST have match identity or match certificate statements
c800(config-ikev2-profile)#?
IKEv2 profile commands:
aaa               Specify AAA related configs
authentication    Set authentication method
description       Specify a description of this profile
dpd               Enable IKE liveness check for peers
exit              Exit from crypto ikev2 profile sub mode
identity          Specify IKE identity to use
ivrf              I-VRF of the profile
keyring           Specify keyring to use
lifetime          Set lifetime for ISAKMP security association
match             Match values of peer
nat               NAT-transparency
no                Negate a command or set its defaults
pki               Specify certificate authorities to trust
virtual-template Specify the virtual-template for dynamic interface creation.

c800(config-ikev2-profile)#match ?
address      IP address
certificate Peer certificate attributes
fvrf         fvrf of the profile
identity     IKE identity

c800(config-ikev2-profile)#match identity ?
remote Remote identity

c800(config-ikev2-profile)#match identity remote ?
address IP Address(es)
email    Fully qualified email string
fqdn     Fully qualified domain name string
key-id   key-id opaque string

c800(config-ikev2-profile)#match identity remote address ?
A.B.C.D             IP address prefix
X:X:X:X::X/<0-128> IPv6 address/prefix-length

c800(config-ikev2-profile)#match identity remote address 89.123.4.5 ?
A.B.C.D specify mask
<cr>

c800(config-ikev2-profile)#match identity remote address 89.123.4.5 255.255.255.255
c800(config-ikev2-profile)#authentication ?
local   Set local authentication method
remote Set remote authentication method

c800(config-ikev2-profile)#authentication local ?
ecdsa-sig ECDSA Signature
pre-share Pre-Shared Key
rsa-sig    Rivest-Shamir-Adleman Signature

c800(config-ikev2-profile)#authentication local pre-share
c800(config-ikev2-profile)#authentication remote pre-share
c800(config-ikev2-profile)#keyring ?
WORD Keyring name
aaa   AAA based pre-shared keys

c800(config-ikev2-profile)#keyring IKEV2-KEYRING ?
<cr>

c800(config-ikev2-profile)#keyring IKEV2-KEYRING
c800(config-ikev2-profile)#exit
c800(config)#crypto ipsec transform-set ?
WORD Transform set tag

c800(config)#crypto ipsec transform-set IKEV2-TSET ?
ah-md5-hmac      AH-HMAC-MD5 transform
ah-sha-hmac      AH-HMAC-SHA transform
ah-sha256-hmac   AH-HMAC-SHA256 transform
ah-sha384-hmac   AH-HMAC-SHA384 transform
ah-sha512-hmac   AH-HMAC-SHA512 transform
comp-lzs         IP Compression using the LZS compression algorithm
esp-3des         ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes          ESP transform using AES cipher
esp-des          ESP transform using DES cipher (56 bits)
esp-gcm          ESP transform using GCM cipher
esp-gmac         ESP transform using GMAC cipher
esp-md5-hmac     ESP transform using HMAC-MD5 auth
esp-null         ESP transform w/o cipher
esp-seal         ESP transform using SEAL cipher (160 bits)
esp-sha-hmac     ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth

c800(config)#crypto ipsec transform-set IKEV2-TSET esp-aes ?
128              128 bit keys.
192              192 bit keys.
256              256 bit keys.
ah-md5-hmac      AH-HMAC-MD5 transform
ah-sha-hmac      AH-HMAC-SHA transform
ah-sha256-hmac   AH-HMAC-SHA256 transform
ah-sha384-hmac   AH-HMAC-SHA384 transform
ah-sha512-hmac   AH-HMAC-SHA512 transform
comp-lzs         IP Compression using the LZS compression algorithm
esp-md5-hmac     ESP transform using HMAC-MD5 auth
esp-sha-hmac     ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth
<cr>

c800(config)#crypto ipsec transform-set IKEV2-TSET esp-aes 256 ?
ah-md5-hmac      AH-HMAC-MD5 transform
ah-sha-hmac      AH-HMAC-SHA transform
ah-sha256-hmac   AH-HMAC-SHA256 transform
ah-sha384-hmac   AH-HMAC-SHA384 transform
ah-sha512-hmac   AH-HMAC-SHA512 transform
comp-lzs         IP Compression using the LZS compression algorithm
esp-md5-hmac     ESP transform using HMAC-MD5 auth
esp-sha-hmac     ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth
<cr>

c800(config)#crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac
c800(cfg-crypto-trans)#exit
c800(config)#crypto map CMAP_IKEV2 ?
<1-65535>       Sequence to insert into crypto map entry
client          Specify client configuration settings
gdoi            Configure crypto map gdoi features
isakmp          Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address   Interface to use for local address for this crypto map
redundancy      High availability options for this map

c800(config)#crypto map CMAP_IKEV2 10 ?
gdoi          GDOI
ipsec-isakmp IPSEC w/ISAKMP
ipsec-manual IPSEC w/manual keying
<cr>

c800(config)#crypto map CMAP_IKEV2 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
c800(config-crypto-map)#?
Crypto Map configuration commands:
default        Set a command to its defaults
description    Description of the crypto map statement policy
dialer         Dialer related commands
exit           Exit from crypto map configuration mode
match          Match values.
no             Negate a command or set its defaults
qos            Quality of Service related commands
reverse-route Reverse Route Injection.
set            Set values for encryption/decryption

c800(config-crypto-map)#set ?
identity              Identity restriction.
ikev2-profile         Specify ikev2 Profile
ip                    Interface Internet Protocol config commands
isakmp-profile        Specify isakmp Profile
nat                   Set NAT translation
peer                  Allowed Encryption/Decryption peer.
pfs                   Specify pfs settings
reverse-route         Reverse Route Injection.
security-association Security association parameters
transform-set         Specify list of transform sets in priority order

c800(config-crypto-map)#set peer ?
A.B.C.D IP address of peer
WORD     Host name of the peer

c800(config-crypto-map)#set peer 89.123.4.5
c800(config-crypto-map)#set transform-set IKEV2-TSET
c800(config-crypto-map)#set ikev2-profile ?
WORD Name the ikev2 profile

c800(config-crypto-map)#set ikev2-profile IKEV2-PROFILE
c800(config-crypto-map)#match address ?
<100-199>    IP access-list number
<2000-2699> IP access-list number (expanded range)
WORD         Access-list name

c800(config-crypto-map)#match address 100
c800(config-crypto-map)#set security-association ?
idle-time Automatically delete IPSec SAs after a given idle period.
level      specify a security association granularity level for identities
lifetime   security association lifetime
replay     Set replay checking.

c800(config-crypto-map)#set security-association lifetime ?
kilobytes Volume-based key duration
seconds    Time-based key duration

c800(config-crypto-map)#set security-association lifetime seconds ?
<120-86400> Security association duration in seconds

c800(config-crypto-map)#set security-association lifetime seconds 86400
c800(config-crypto-map)#end
c800#write memory
Building configuration...
[OK]

c800#show run | section crypto
crypto pki token default removal timeout 0
crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-cbc-128
integrity sha1
group 14 5
crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROPOSAL
crypto ikev2 keyring IKEV2-KEYRING
peer SVG2-CUSTFW01
   address 89.123.4.5
   pre-shared-key local cisco123
   pre-shared-key remote cisco123
!
crypto ikev2 profile IKEV2-PROFILE
match fvrf any
match identity remote address 89.123.4.5 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring IKEV2-KEYRING
crypto isakmp keepalive 60
crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac
crypto map CMAP_IKEV2 10 ipsec-isakmp
set peer 89.123.4.5
set security-association lifetime seconds 86400
set transform-set IKEV2-TSET
set ikev2-profile IKEV2-PROFILE
match address IKEV2-ACL

Then just swap the IKEv1 Crypto Map under the WAN interface during a scheduled downtime.

interface FastEthernet4

no crypto map CMAP_IKEv1

crypto map CMAP_IKEV2

I wasn't able to establish IKEv2 in the remote FW, so I ran some debug. I noticed that I forgot to apply the VPN class resource in the FW context.

VPN-FW# debug crypto ?

ca          Set PKI debug levels
condition   Set IPSec/ISAKMP debug filters
engine      Set crypto engine debug levels
goid        Set crypto map GOID debug levels
ke-common Set IKE common debug levels
ikev1       Set IKEV1 debug levels
ikev2       Set IKEV2 debug levels
ipsec       Set IPSec debug levels

VPN-FW# debug crypto ikev2 ?

ha        debug the ikev2 ha
platform debug the ikev2 platform
protocol debug the ikev2 protocol
timers    debug the ikev2 timers

VPN-FW# debug crypto ikev2 protocol
%ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CRYPTO_MAP. Map Sequence Number = 5.

%ASA-4-752011: IKEv1 Doesn't have a transform set specified

%ASA-4-751019: Local:89.123.4.5:500 Remote:194.17.12.7:500 Username:Unknown IKEv2 Failed to obtain an Other VPN license. Maximum license limit 0 exceeded.

FW/admin# changeto system
FW# configure terminal
FW(config)# context VPN-FW

FW(config-ctx)# member VPN-CLASS

I'm also unable to establish an IKEv2 SA with the remote device (checked multiple times) using "stronger" IKEv2 proposals, i.e. AES-256 and SHA-256. I suspect it might be a router IOS bug or unsupported "stronger" IKEv2 proposal, so I just used AES-128 and SHA-1 instead. I used the show crypto ikev2 sa command to verify IKEv2 SA.

800#debug crypto ikev2 ?
detail debug level 5 - all other details, including state transition
error   debug level 1 - debug messages signalling an error
event   debug level 3 - description of packet, contents and policy matching
packet debug level 4 - packet dump debugging
terse   debug level 2 - message exchange debugs
<cr>

800#debug crypto ikev2 detail

Apr 24 18:06:33.143: IKEv2:New ikev2 sa request admitted
Apr 24 18:06:33.143: IKEv2:Incrementing incoming negotiating sa count by one
Apr 24 18:06:33.143: SA Next payload: KE, reserved: 0x0, length: 652

Apr 24 18:06:33.147: IKEv2: last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256

Apr 24 18:06:33.147: IKEv2:    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14

Apr 24 18:06:33.147:
Apr 24 18:06:33.147: IKEv2: last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96

Apr 24 18:06:33.147: IKEv2:    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14

Apr 24 18:06:33.147:
Apr 24 18:06:33.147: IKEv2: last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 3, Protocol id: IKE, SPI size: 0, #trans: 4

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256

Apr 24 18:06:33.147: IKEv2:    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14

Apr 24 18:06:33.147:
Apr 24 18:06:33.147: IKEv2: last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 4, Protocol id: IKE, SPI size: 0, #trans: 5

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14

Apr 24 18:06:33.147: IKEv2:    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

Apr 24 18:08:35.111: IKEv2:Couldn't find matching SA
Apr 24 18:08:35.111: IKEv2:Detected an invalid IKE SPI

Apr 24 18:08:35.111: IKEv2:Couldn't find matching SA

Apr 24 18:08:35.111: IKEv2:A supplied parameter is incorrect

800#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 161.51.1.20/500 89.123.4.5/500 none/none READY

Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK

Life/Active Time: 86400/2665 sec

IPv6 Crypto IKEv2 SA

Sunday, March 2, 2025

Change the VLAN ID in a FortiGate Interface

Here's a Fortinet technical guide in changing the interface VLAN ID in a FortiGate firewall. I tried changing the VLAN ID (565 > 555) using the CLI first but received an error below. So I used the web GUI instead.

FW01_PRI (inet) # config system interface

FW01_PRI (interface) # edit "po1.565"

FW01_PRI (po1.565) # show

config system interface

edit "po1.565"

set vdom "inet"

set ip 172.x.x.x 255.255.255.248

set allowaccess ping

set alias "inside-inet"

set device-identification enable

set role lan

set snmp-index 151

set interface "po1"

set vlanid 565

end

FW01_PRI (po1.565) # set vlanid 555

FW01_PRI (po1.565) # end

VLAN ID, VLAN protocol, or physical interface cannot be changed once a VLAN has been created.

object set operator error, -522 discard the setting

Command fail. Return code -522

To change the interface VLAN ID, go to Network > Interfaces > select interface > VLAN ID > Edit.

Type the new VLAN ID > click Next.

Review settings > click Update.

Click OK to proceed.

The new VLAN ID got reflected afterwards. This is applicable if it's a new interface/config and there are no dependencies on the interface.

I tried changing the interface VLAN ID (90 > 100) of a production FortiGate with Firewall Policies and VPN tunnel dependencies but got a "Failed" status.

To quickly update the interface VLAN ID, download the config file, edit the VLAN ID using notepad then upload/restore in the FortiGate. It's advisable to perform this in a maintenance window since FortiGate will need a reboot.

Tuesday, February 4, 2025

Create a Custom ICMP Service in a FortiGate Firewall

I had to configure a firewall policy in a FortiGate firewall and wanted to restrict the ICMP or ping service since the default type is ANY (ALL_ICMP). You can refer to the different ICMP types and codes in the IANA website. For an ICMP echo reply, you'll use a type and code of 0.

It's always best practice to clone the original service to prevent any disruption whenever there's a new firmware update (if there's a change in a command/feature). To clone a Ping service, search and right-click PING > Clone.

Type a Name > change the Type and Code.

For an ICMP time exceeded, it uses a Type of 11 and Code of 0.

Wednesday, January 8, 2025

FortiGate Direct Firmware Upgrade

You can "safely" upgrade the FortiOS directly to the target firmware code if it's brand new and since it still has a default configuration. You only follow the upgrade path if there's an existing configuration and the upgrade process will handle the changes in the command line or features (if there's any).

I upgraded a brand new standalone FortiGate and it was shipped with a default 6.4 firmware.

FortiGate-xxF login: admin

Password:

You are forced to change your password. Please input a new password.

New Password:

Confirm Password:

Welcome!

FortiGate-xxF # get system status

Version: FortiGate-xxF v6.4.4,build5543,201214 (GA)

Firmware Signature: certified

Virus-DB: 1.00000(2018-04-09 18:07)

Extended DB: 1.00000(2018-04-09 18:07)

IPS-DB: 6.00741(2015-12-01 02:30)

IPS-ETDB: 6.00741(2015-12-01 02:30)

APP-DB: 6.00741(2015-12-01 02:30)

INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)

Serial-Number: FGxxFT923901234

IPS Malicious URL Database: 1.00001(2015-01-01 01:01)

BIOS version: 05000011

System Part-Number: P25132-01

Log hard disk: Available

Hostname: FortiGate-xxF

Private Encryption: Disable

Operation Mode: NAT

Current virtual domain: root

Max number of virtual domains: 10

Virtual domains status: 1 in NAT mode, 0 in TP mode

Virtual domain configuration: disable

FIPS-CC mode: disable

Current HA mode: standalone

Branch point: 1803

Release Version Information: GA

FortiOS x86-64: Yes

I uploaded the target firmware and the direct upgrade only took around 4 minutes to complete. I proceeded with the configuration afterwards.

FortiGate-xxF # get system status

Version: FortiGate-xxF v7.xx,buildxx (GA.M)

Security Level: 2

Firmware Signature: certified

Virus-DB: 1.00000(2018-04-09 18:07)

Extended DB: 1.00000(2018-04-09 18:07)

AV AI/ML Model: 0.00000(2001-01-01 00:00)

IPS-DB: 6.00741(2015-12-01 02:30)

IPS-ETDB: 6.00741(2015-12-01 02:30)

APP-DB: 6.00741(2015-12-01 02:30)

FMWP-DB: 0.00000(2001-01-01 00:00)

INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)

IPS Malicious URL Database: 1.00001(2015-01-01 01:01)

IoT-Detect: 0.00000(2022-08-17 17:31)

Serial-Number: FGxxFT923901234

BIOS version: 05000011

System Part-Number: P25132-01

Log hard disk: Available

Hostname: FortiGate-xxF

Private Encryption: Disable

Operation Mode: NAT

Current virtual domain: root

Max number of virtual domains: 10

Virtual domains status: 1 in NAT mode, 0 in TP mode

Virtual domain configuration: disable

FIPS-CC mode: disable

Current HA mode: standalone

Branch point: 1706

Release Version Information: GA

FortiOS x86-64: Yes

System time: Mon Oct 7 03:14:05 2024

Last reboot reason: warm reboot

Friday, December 6, 2024

Troubleshoot FortiGuard Server Connectivity

Here's a Fortinet link in troubleshooting FortiGuard server connectivity over the Internet. I was configuring a new FortiGate firewall in Multiple VDOM mode but I can't ping or perform a license update to the FortiGuard server (a cloud service over the Internet).

FGT # config vdom

FGT (vdom) # edit root

current vf=root:0

FGT (root) # execute ping update.fortiguard.net

Unable to resolve hostname.

The FortiGate uses FortiGuard public DNS server IP: 96.45.45.45 and 96.45.46.46 by default. To change DNS server settings, go to Network > DNS > select: Specify > type the usable public DNS server IP (Google DNS 8.8.8.8 or your private DNS server) > enable/toggle: DNS (UDP/53) > click Apply.

FGT (root) # execute ping service.fortiguard.net

PING guard.fortinet.net (208.184.237.61): 56 data bytes

64 bytes from 208.184.237.61: icmp_seq=0 ttl=47 time=255.0 ms

64 bytes from 208.184.237.61: icmp_seq=1 ttl=47 time=254.7 ms

64 bytes from 208.184.237.61: icmp_seq=2 ttl=47 time=254.7 ms

64 bytes from 208.184.237.61: icmp_seq=3 ttl=47 time=254.7 ms

64 bytes from 208.184.237.61: icmp_seq=4 ttl=47 time=254.7 ms

--- guard.fortinet.net ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 254.7/254.7/255.0 ms

FGT (root) # execute ping update.fortiguard.net

PING fds1.fortinet.com (12.34.97.16): 56 data bytes

64 bytes from 12.34.97.16: icmp_seq=0 ttl=46 time=332.9 ms

64 bytes from 12.34.97.16: icmp_seq=1 ttl=46 time=333.5 ms

64 bytes from 12.34.97.16: icmp_seq=2 ttl=46 time=333.4 ms

64 bytes from 12.34.97.16: icmp_seq=3 ttl=46 time=333.5 ms

64 bytes from 12.34.97.16: icmp_seq=4 ttl=46 time=337.0 ms

--- fds1.fortinet.com ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 332.9/334.0/337.0 ms

FGT (root) # execute ping guard.fortinet.net

PING guard.fortinet.net (208.184.237.61): 56 data bytes

64 bytes from 208.184.237.61: icmp_seq=0 ttl=47 time=254.9 ms

64 bytes from 208.184.237.61: icmp_seq=1 ttl=47 time=254.6 ms

64 bytes from 208.184.237.61: icmp_seq=2 ttl=47 time=254.5 ms

64 bytes from 208.184.237.61: icmp_seq=3 ttl=47 time=254.5 ms

64 bytes from 208.184.237.61: icmp_seq=4 ttl=47 time=254.5 ms

--- guard.fortinet.net ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 254.5/254.6/254.9 ms

The FortiCare (support and warranty), Next Generation Firewall licenses (Intrusion Prevention, Antivirus and Web filtering) were updated/enabled after a few minutes.

The Internet Service Database (ISDB) objects were updated as well. You can view these under Policy & Objects > Internet Service Database.

The ISDB is a comprehensive list of public IP addresses (Geolocation based), service/port numbers, reputation, popularity (Facebook, Amazon, Microsoft, etc.) which can be used in creating a firewall policy or security profile (Antivirus, Web filter, Application Control, etc.) in a FortiGate firewall.