Sunday, March 2, 2025

Change the VLAN ID in a FortiGate Interface

Here's a Fortinet technical guide on changing the interface VLAN ID in a FortiGate firewall. I tried changing the VLAN ID (565 > 555) using the CLI first but received the error below. So I used the web GUI instead.


FW01_PRI (inet) # config system interface

FW01_PRI (interface) # edit "po1.565"

FW01_PRI (po1.565) # show
config system interface
    edit "po1.565"
        set vdom "inet"
        set ip 172.x.x.x 255.255.255.248
        set allowaccess ping
        set alias "inside-inet"
        set device-identification enable
        set role lan
        set snmp-index 151
        set interface "po1"
        set vlanid 565
    next
end

FW01_PRI (po1.565) # set vlanid 555

FW01_PRI (po1.565) # end
VLAN ID, VLAN protocol, or physical interface cannot be changed once a VLAN has been created.
object set operator error, -522 discard the setting
Command fail. Return code -522


To change the interface VLAN ID, go to Network > Interfaces > select interface > VLAN ID > Edit.

Type the new VLAN ID > click Next.

Review settings > click Update.

Click OK to proceed.

The new VLAN ID was reflected afterwards. This only works if it's a new interface/config and nothing else depends on the interface.

I tried changing the interface VLAN ID (90 > 100) of a production FortiGate with Firewall Policies and VPN tunnel dependencies but got a "Failed" status.

To quickly update the interface VLAN ID, download the config file, edit the VLAN ID using Notepad, then upload/restore it on the FortiGate. It's advisable to perform this in a maintenance window, since the FortiGate will need a reboot.
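The config-file edit above can be scripted, and the same scan can list the policies and tunnels that reference the interface (the reason the GUI edit reported "Failed"). This is an added example, not code from the original post; it assumes the backup uses the plain-text config/edit/set/next/end layout shown in the show output and that only the vlanid value changes, not the interface name.

```python
# Added example (not from the original post): rewrite 'set vlanid' for one
# interface in a FortiGate config backup and list what else references it.
# Constructed sample backup, modelled on the 'show' output in the post.
SAMPLE_CONFIG = """\
config system interface
    edit "po1.565"
        set vlanid 565
    next
    edit "po1.90"
        set vlanid 90
    next
end
config firewall policy
    edit 1
        set srcintf "po1.90"
    next
end
"""

def _walk(config):
    """Yield (top-level section, raw line, stripped line); a stack tracks nested config/end."""
    stack = []
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("config "):
            stack.append(s[len("config "):])
        yield (stack[0] if stack else None), line, s
        if s == "end" and stack:
            stack.pop()

def find_dependencies(config, iface):
    """Lines outside 'system interface' that name the interface (policies,
    VPN phase1, ...): the objects behind the 'Failed' status in the post."""
    return [f"{top}: {s}" for top, _, s in _walk(config)
            if top and top != "system interface" and f'"{iface}"' in s]

def change_vlanid(config, iface, new_id):
    """Return (new_config, old_id); old_id is None if iface has no vlanid line."""
    if not 1 <= new_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    out, old_id, in_target = [], None, False
    for top, line, s in _walk(config):
        if top == "system interface" and s == f'edit "{iface}"':
            in_target = True
        elif s == "next":
            in_target = False
        elif in_target and s.startswith("set vlanid "):
            old_id = int(s.split()[2])
            line = line.replace(f"set vlanid {old_id}", f"set vlanid {new_id}")
        out.append(line)
    return "\n".join(out) + "\n", old_id
```

Run find_dependencies first: an empty list means the interface can be changed in place, otherwise the edited backup has to be restored (with the reboot the post mentions).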



Tuesday, February 4, 2025

Create a Custom ICMP Service in a FortiGate Firewall

I had to configure a firewall policy in a FortiGate firewall and wanted to restrict the ICMP or ping service, since the default type is ANY (ALL_ICMP). You can refer to the different ICMP types and codes on the IANA website. For an ICMP echo reply, you'll use a type and code of 0.

It's best practice to clone the built-in service instead of modifying it, so a future firmware update (if it changes a command/feature) doesn't disrupt your policy. To clone the Ping service, search for it and right-click PING > Clone.

Type a Name > change the Type and Code.

 

For an ICMP time exceeded, it uses a Type of 11 and Code of 0.


Wednesday, January 8, 2025

FortiGate Direct Firmware Upgrade

You can "safely" upgrade FortiOS directly to the target firmware if the unit is brand new, since it still has the default configuration. You only need to follow the upgrade path if there's an existing configuration, so that the upgrade process at each step converts any changed CLI commands or features (if there are any).

I upgraded a brand new standalone FortiGate that was shipped with the default 6.4 firmware.


FortiGate-xxF login: admin
Password:
You are forced to change your password. Please input a new password.
New Password:
Confirm Password:
Welcome!

FortiGate-xxF # get system status
Version: FortiGate-xxF v6.4.4,build5543,201214 (GA)
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
Serial-Number: FGxxFT923901234
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
BIOS version: 05000011
System Part-Number: P25132-01
Log hard disk: Available
Hostname: FortiGate-xxF
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1803
Release Version Information: GA
FortiOS x86-64: Yes

 

I uploaded the target firmware and the direct upgrade only took around 4 minutes to complete. I proceeded with the configuration afterwards.

 

FortiGate-xxF # get system status
Version: FortiGate-xxF v7.xx,buildxx (GA.M)
Security Level: 2
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
FMWP-DB: 0.00000(2001-01-01 00:00)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
Serial-Number: FGxxFT923901234
BIOS version: 05000011
System Part-Number: P25132-01
Log hard disk: Available
Hostname: FortiGate-xxF
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1706
Release Version Information: GA
FortiOS x86-64: Yes
System time: Mon Oct  7 03:14:05 2024
Last reboot reason: warm reboot