Sunday, April 6, 2025

Configure Cisco Router Crypto Map Based IKEv2

I had to reconfigure an old Cisco 800 router from a legacy crypto map based IKE version 1 to the more secure IKE version 2. Refer to this link for IKEv2 in a Cisco router.

These are the configuration components for IKEv2 in a Cisco router:

crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14

crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL

crypto ikev2 keyring IKEV2-KEYRING
 peer SVG2-CUSTFW01
  address 89.123.4.5
  pre-shared-key cisco123

crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 89.123.4.5 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2-KEYRING


ip access-list extended IKEV2-ACL
 permit ip host 10.30.2.90 host 172.16.100.210

crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac

crypto map CMAP_IKEV2 10 ipsec-isakmp
 set peer 89.123.4.5
 set security-association lifetime seconds 86400
 set transform-set IKEV2-TSET
 set ikev2-profile IKEV2-PROFILE
 match address IKEV2-ACL

interface FastEthernet4
 crypto map CMAP_IKEV2


c800#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
c800(config)#crypto ikev2 proposal IKEV2-PROPOSAL
IKEv2 proposal should have atleast an encryption algorithm, an integrity algorithm and a dh group configured
c800(config-ikev2-proposal)#encryption ?
  3des         3DES
  aes-cbc-128  AES-CBC-128
  aes-cbc-192  AES-CBC-192
  aes-cbc-256  AES-CBC-256

c800(config-ikev2-proposal)#encryption aes-cbc-256
c800(config-ikev2-proposal)#integrity ?
  md5     Message Digest 5
  sha1    Secure Hash Standard
  sha256  Secure Hash Standard 2 (256 bit)
  sha384  Secure Hash Standard 2 (384 bit)
  sha512  Secure Hash Standard 2 (512 bit)

c800(config-ikev2-proposal)#integrity sha256
c800(config-ikev2-proposal)#group ?
  1   DH 768 MODP
  14  DH 2048 MODP
  15  DH 3072 MODP
  16  DH 4096 MODP
  19  DH 256 ECP
  2   DH 1024 MODP
  20  DH 384 ECP
  24  DH 2048 (256 subgroup) MODP
  5   DH 1536 MODP

c800(config-ikev2-proposal)#group 14
kellog-mvpn-gw01(config-ikev2-proposal)#exit     
c800(config)#
c800(config)#crypto ikev2 policy ?
  WORD  Name of IKEv2 policy

c800(config)#crypto ikev2 policy IKEV2-POLICY
IKEv2 policy should have atleast one complete proposal attached
c800(config-ikev2-policy)#proposal ?
  WORD  Specify the name of proposal to be attached

c800(config-ikev2-policy)#proposal IKEV2-PROPOSAL
c800(config-ikev2-policy)#exit
c800(config)#
c800(config)#crypto ikev2 keyring ?
  WORD  Name of IKEv2 Keyring

c800(config)#crypto ikev2 keyring IKEV2-KEYRING
c800(config-ikev2-keyring)#?
IKEv2 Keyring commands:
  exit  Exit from crypto ikev2 keyring sub mode
  no    Negate a command or set its defaults
  peer  Configure a Peer and associated keys

c800(config-ikev2-keyring)#peer ?
  WORD  Name of the peer block

c800(config-ikev2-keyring)#peer ASAFW
c800(config-ikev2-keyring-peer)#?
Crypto IKEv2 Keyring Peer submode commands:
  address         Specify IPv4 address of peer
  description     Specify a description of this peer
  exit            Exit from crypto ikev2 keyring peer sub mode
  hostname        Hostname of peer
  identity        Specify IKE identity to use
  no              Negate values of a command
  pre-shared-key  specify the pre-shared key

c800(config-ikev2-keyring-peer)#?
Crypto IKEv2 Keyring Peer submode commands:
  address         Specify IPv4 address of peer
  description     Specify a description of this peer
  exit            Exit from crypto ikev2 keyring peer sub mode
  hostname        Hostname of peer
  identity        Specify IKE identity to use
  no              Negate values of a command
  pre-shared-key  specify the pre-shared key

c800(config-ikev2-keyring-peer)#address ?
  A.B.C.D             IPv4 Address
  X:X:X:X::X/<0-128>  IPv6 prefix

c800(config-ikev2-keyring-peer)#address 89.123.4.5
c800(config-ikev2-keyring-peer)#pre-shared-key ?
  0       Specifies an UNENCRYPTED password will follow
  6       Specifies an ENCRYPTED password will follow
  LINE    The UNENCRYPTED (cleartext) user password
  local   specify signing key
  remote  specify verifying key

c800(config-ikev2-keyring-peer)#pre-shared-key cisco123
c800(config-ikev2-keyring-peer)#exit
c800(config-ikev2-keyring)#exit
c800(config)#crypto ikev2 profile ?
  WORD  Name of IKEv2 Profile

c800(config)#crypto ikev2 profile IKEV2-PROFILE
% IKEv2 profile MUST have match identity or match certificate statements
c800(config-ikev2-profile)#?
IKEv2 profile commands:
  aaa               Specify AAA related configs
  authentication    Set authentication method
  description       Specify a description of this profile
  dpd               Enable IKE liveness check for peers
  exit              Exit from crypto ikev2 profile sub mode
  identity          Specify IKE identity to use
  ivrf              I-VRF of the profile
  keyring           Specify keyring to use
  lifetime          Set lifetime for ISAKMP security association
  match             Match values of peer
  nat               NAT-transparency
  no                Negate a command or set its defaults
  pki               Specify certificate authorities to trust
  virtual-template  Specify the virtual-template for dynamic interface creation.

c800(config-ikev2-profile)#match ?
  address      IP address
  certificate  Peer certificate attributes
  fvrf         fvrf of the profile
  identity     IKE identity

c800(config-ikev2-profile)#match identity ?
  remote  Remote identity

c800(config-ikev2-profile)#match identity remote ?
  address  IP Address(es)
  email    Fully qualified email string
  fqdn     Fully qualified domain name string
  key-id   key-id opaque string

c800(config-ikev2-profile)#match identity remote address ?
  A.B.C.D             IP address prefix
  X:X:X:X::X/<0-128>  IPv6 address/prefix-length

c800(config-ikev2-profile)#match identity remote address 89.123.4.5 ?
  A.B.C.D  specify mask
  <cr>

c800(config-ikev2-profile)#match identity remote address 89.123.4.5 255.255.255.255
c800(config-ikev2-profile)#authentication ?
  local   Set local authentication method
  remote  Set remote authentication method

c800(config-ikev2-profile)#authentication local ?
  ecdsa-sig  ECDSA Signature
  pre-share  Pre-Shared Key
  rsa-sig    Rivest-Shamir-Adleman Signature

c800(config-ikev2-profile)#authentication local pre-share
c800(config-ikev2-profile)#authentication remote pre-share
c800(config-ikev2-profile)#keyring ?
  WORD  Keyring name
  aaa   AAA based pre-shared keys

c800(config-ikev2-profile)#keyring IKEV2-KEYRING ?
  <cr>

c800(config-ikev2-profile)#keyring IKEV2-KEYRING
c800(config-ikev2-profile)#exit
c800(config)#crypto ipsec transform-set ?
  WORD  Transform set tag

c800(config)#crypto ipsec transform-set IKEV2-TSET ?
  ah-md5-hmac      AH-HMAC-MD5 transform
  ah-sha-hmac      AH-HMAC-SHA transform
  ah-sha256-hmac   AH-HMAC-SHA256 transform
  ah-sha384-hmac   AH-HMAC-SHA384 transform
  ah-sha512-hmac   AH-HMAC-SHA512 transform
  comp-lzs         IP Compression using the LZS compression algorithm
  esp-3des         ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes          ESP transform using AES cipher
  esp-des          ESP transform using DES cipher (56 bits)
  esp-gcm          ESP transform using GCM cipher
  esp-gmac         ESP transform using GMAC cipher
  esp-md5-hmac     ESP transform using HMAC-MD5 auth
  esp-null         ESP transform w/o cipher
  esp-seal         ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth

c800(config)#crypto ipsec transform-set IKEV2-TSET esp-aes ?
  128              128 bit keys.
  192              192 bit keys.
  256              256 bit keys.
  ah-md5-hmac      AH-HMAC-MD5 transform
  ah-sha-hmac      AH-HMAC-SHA transform
  ah-sha256-hmac   AH-HMAC-SHA256 transform
  ah-sha384-hmac   AH-HMAC-SHA384 transform
  ah-sha512-hmac   AH-HMAC-SHA512 transform
  comp-lzs         IP Compression using the LZS compression algorithm
  esp-md5-hmac     ESP transform using HMAC-MD5 auth
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth
  <cr>

c800(config)#crypto ipsec transform-set IKEV2-TSET esp-aes 256 ?
  ah-md5-hmac      AH-HMAC-MD5 transform
  ah-sha-hmac      AH-HMAC-SHA transform
  ah-sha256-hmac   AH-HMAC-SHA256 transform
  ah-sha384-hmac   AH-HMAC-SHA384 transform
  ah-sha512-hmac   AH-HMAC-SHA512 transform
  comp-lzs         IP Compression using the LZS compression algorithm
  esp-md5-hmac     ESP transform using HMAC-MD5 auth
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth
  <cr>

c800(config)#crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac
c800(cfg-crypto-trans)#exit
c800(config)#crypto map CMAP_IKEV2 ?
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  gdoi            Configure crypto map gdoi features
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map
  redundancy      High availability options for this map

c800(config)#crypto map CMAP_IKEV2 10 ?
  gdoi          GDOI
  ipsec-isakmp  IPSEC w/ISAKMP
  ipsec-manual  IPSEC w/manual keying
  <cr>

c800(config)#crypto map CMAP_IKEV2 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
c800(config-crypto-map)#?
Crypto Map configuration commands:
  default        Set a command to its defaults
  description    Description of the crypto map statement policy
  dialer         Dialer related commands
  exit           Exit from crypto map configuration mode
  match          Match values.
  no             Negate a command or set its defaults
  qos            Quality of Service related commands
  reverse-route  Reverse Route Injection.
  set            Set values for encryption/decryption

c800(config-crypto-map)#set ?
  identity              Identity restriction.
  ikev2-profile         Specify ikev2 Profile
  ip                    Interface Internet Protocol config commands
  isakmp-profile        Specify isakmp Profile
  nat                   Set NAT translation
  peer                  Allowed Encryption/Decryption peer.
  pfs                   Specify pfs settings
  reverse-route         Reverse Route Injection.
  security-association  Security association parameters
  transform-set         Specify list of transform sets in priority order

c800(config-crypto-map)#set peer ?
  A.B.C.D  IP address of peer
  WORD     Host name of the peer

c800(config-crypto-map)#set peer 89.123.4.5
c800(config-crypto-map)#set transform-set IKEV2-TSET
c800(config-crypto-map)#set ikev2-profile ?
  WORD  Name the ikev2 profile

c800(config-crypto-map)#set ikev2-profile IKEV2-PROFILE
c800(config-crypto-map)#match address ?
  <100-199>    IP access-list number
  <2000-2699>  IP access-list number (expanded range)
  WORD         Access-list name

c800(config-crypto-map)#match address 100
c800(config-crypto-map)#set security-association ?
  idle-time  Automatically delete IPSec SAs after a given idle period.
  level      specify a security association granularity level for identities
  lifetime   security association lifetime
  replay     Set replay checking.

c800(config-crypto-map)#set security-association lifetime ?
  kilobytes  Volume-based key duration
  seconds    Time-based key duration

c800(config-crypto-map)#set security-association lifetime seconds ?
  <120-86400>  Security association duration in seconds

c800(config-crypto-map)#set security-association lifetime seconds 86400
c800(config-crypto-map)#end
c800#write memory
Building configuration...
[OK]


c800#show run | section crypto
crypto pki token default removal timeout 0
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL
crypto ikev2 keyring IKEV2-KEYRING
 peer SVG2-CUSTFW01
  address 89.123.4.5
  pre-shared-key cisco123
 !
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 89.123.4.5 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring IKEV2-KEYRING
crypto isakmp keepalive 60
crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac
crypto map CMAP_IKEV2 10 ipsec-isakmp
 set peer 89.123.4.5
 set security-association lifetime seconds 86400
 set transform-set IKEV2-TSET
 set ikev2-profile IKEV2-PROFILE
 match address IKEV2-ACL

Then just swap the crypto map under the WAN interface during a scheduled downtime:

interface FastEthernet4
 no crypto map CMAP_IKEv1
 crypto map CMAP_IKEV2

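As an added example (not from the post or from Cisco), here is a small Python audit that parses "show run | section crypto" text like the output above and flags the choices the "?" help output lists but a new IKEv2 tunnel should not use: des/3des, md5/sha1, DH groups 1/2/5, weak ESP transforms, a pre-shared key stored without type-6 encryption, and a crypto map entry with no ikev2-profile (which still negotiates with IKEv1, the legacy setup this post replaces). The sample config is constructed from the post's running config plus deliberately weak entries so there is something to flag.

```python
# Constructed sample: the 'show run | section crypto' output from this post, plus a
# second proposal, transform set and crypto map entry that deliberately keep the
# weak IKEv1-era choices, so the audit has something to flag.
SAMPLE_CONFIG = """\
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 proposal WEAK-PROPOSAL
 encryption 3des
 integrity md5
 group 2
crypto ikev2 keyring IKEV2-KEYRING
 peer SVG2-CUSTFW01
  address 89.123.4.5
  pre-shared-key cisco123
 !
crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set OLD-TSET esp-3des esp-md5-hmac
crypto map CMAP_IKEV2 10 ipsec-isakmp
 set peer 89.123.4.5
 set transform-set IKEV2-TSET
 set ikev2-profile IKEV2-PROFILE
 match address IKEV2-ACL
crypto map CMAP_IKEV2 20 ipsec-isakmp
 set peer 89.123.4.6
 set transform-set OLD-TSET
 match address IKEV2-ACL
"""

# Choices offered by the 'encryption ?', 'integrity ?', 'group ?' and
# transform-set help output that should not be used on a new tunnel.
WEAK = {"encryption": {"des", "3des"}, "integrity": {"md5", "sha1"},
        "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null", "esp-seal"}


def parse_blocks(text):
    """Group an IOS running config into (header, [sub-command]) pairs: top-level
    commands start in column 0, sub-commands are indented, '!' is a separator."""
    blocks = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "!":
            continue
        if not line.startswith(" "):
            blocks.append((stripped, []))
        elif blocks:
            blocks[-1][1].append(stripped)
    return blocks


def audit(text):
    """Return a list of findings for the IKEv2 proposals, keyrings,
    transform sets and crypto map entries in a running config."""
    findings = []
    for header, body in parse_blocks(text):
        words = header.split()
        if header.startswith("crypto ikev2 proposal "):
            name = words[3]
            for child in body:
                keyword, *values = child.split()
                for value in values:
                    if value in WEAK.get(keyword, ()):
                        findings.append(f"proposal {name}: weak {keyword} {value}")
        elif header.startswith("crypto ikev2 keyring "):
            name = words[3]
            for child in body:
                tokens = child.split()
                # An encrypted key shows as 'pre-shared-key 6 <blob>' (or
                # 'pre-shared-key local 6 <blob>'); anything else is cleartext.
                if tokens[0] == "pre-shared-key" and "6" not in tokens[1:3]:
                    findings.append(f"keyring {name}: pre-shared key stored in cleartext")
        elif header.startswith("crypto ipsec transform-set "):
            name = words[3]
            for transform in words[4:]:
                if transform in WEAK_TRANSFORMS:
                    findings.append(f"transform-set {name}: weak transform {transform}")
        elif len(words) == 5 and words[:2] == ["crypto", "map"] and words[4] == "ipsec-isakmp":
            entry = f"crypto map {words[2]} seq {words[3]}"
            # Without 'set ikev2-profile' the entry still negotiates with IKEv1.
            if not any(child.startswith("set ikev2-profile ") for child in body):
                findings.append(f"{entry}: no 'set ikev2-profile', still IKEv1")
    return findings
```

Run audit() over the real router's output and an empty list means the proposal, keyring, transform set and every crypto map entry match the post's recommended values.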
Sunday, March 2, 2025

Change the VLAN ID in a FortiGate Interface

Here's a Fortinet technical guide on changing the interface VLAN ID in a FortiGate firewall. I tried changing the VLAN ID (565 > 555) using the CLI first but received the error below, so I used the web GUI instead.


FW01_PRI (inet) # config system interface

FW01_PRI (interface) # edit "po1.565"

FW01_PRI (po1.565) # show
config system interface
    edit "po1.565"
        set vdom "inet"
        set ip 172.x.x.x 255.255.255.248
        set allowaccess ping
        set alias "inside-inet"
        set device-identification enable
        set role lan
        set snmp-index 151
        set interface "po1"
        set vlanid 565
    next
end

FW01_PRI (po1.565) # set vlanid 555

FW01_PRI (po1.565) # end
VLAN ID, VLAN protocol, or physical interface cannot be changed once a VLAN has been created.
object set operator error, -522 discard the setting
Command fail. Return code -522


To change the interface VLAN ID, go to Network > Interfaces > select interface > VLAN ID > Edit.

Type the new VLAN ID > click Next.

Review settings > click Update.

Click OK to proceed.

The new VLAN ID was reflected afterwards. This works if it's a new interface/config and there are no dependencies on the interface.

I tried changing the interface VLAN ID (90 > 100) of a production FortiGate with firewall policy and VPN tunnel dependencies but got a "Failed" status.

To quickly update the interface VLAN ID, download the config file, edit the VLAN ID using notepad then upload/restore in the FortiGate. It's advisable to perform this in a maintenance window since FortiGate will need a reboot.
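As an added example (not from the post or from Fortinet), here is a Python script that performs the notepad edit described above on a downloaded config file, with the two checks a restore would otherwise fail on: the interface must exist and carry a "set vlanid", and the new VLAN ID must not already be in use on the same parent interface. The backup fragment below is constructed from the "show" output in the post (the 172.16.0.1 address is made up, since the real one is elided); the CLI keywords (config system interface, set vlanid, set interface) are the ones the post shows.

```python
# Constructed sample backup fragment, modelled on the 'show' output in this post
# (the real IP is elided there; 172.16.0.1 here is made up).
SAMPLE_BACKUP = """\
config system interface
    edit "po1"
        set vdom "inet"
        set type aggregate
    next
    edit "po1.565"
        set vdom "inet"
        set ip 172.16.0.1 255.255.255.248
        set allowaccess ping
        set alias "inside-inet"
        set role lan
        set snmp-index 151
        set interface "po1"
        set vlanid 565
    next
    edit "po1.90"
        set vdom "inet"
        set interface "po1"
        set vlanid 90
    next
end
"""


def parse_interfaces(text):
    """Return (lines, blocks): blocks maps each interface inside 'config system
    interface' to its edit/next line indexes and its top-level 'set' values.
    Nested tables (config ... end) inside an entry are skipped, not parsed."""
    lines = text.splitlines()
    blocks, in_section, current, depth = {}, False, None, 0
    for i, line in enumerate(lines):
        s = line.strip()
        if s == "config system interface":
            in_section = True
        elif not in_section:
            continue
        elif current is None:
            if s == "end":
                in_section = False
            elif s.startswith('edit "') and s.endswith('"'):
                current = s[6:-1]
                blocks[current] = {"start": i, "end": None, "settings": {}}
        elif s.startswith("config "):  # nested table inside the interface entry
            depth += 1
        elif s == "end":
            depth -= 1
        elif depth == 0 and s == "next":
            blocks[current]["end"] = i
            current = None
        elif depth == 0 and s.startswith("set "):
            key, _, value = s[4:].partition(" ")
            blocks[current]["settings"][key] = value
    return lines, blocks


def change_vlanid(text, name, new_vlanid):
    """Rewrite 'set vlanid' for interface `name`, refusing the edit when it
    would produce a backup the FortiGate would reject on restore."""
    lines, blocks = parse_interfaces(text)
    if name not in blocks:
        raise ValueError(f"interface {name!r} not found in 'config system interface'")
    target = blocks[name]
    if "vlanid" not in target["settings"]:
        raise ValueError(f"{name!r} is not a VLAN interface (no 'set vlanid')")
    parent = target["settings"].get("interface")
    for other, block in blocks.items():
        # A VLAN ID must be unique per parent (physical/aggregate) interface.
        if (other != name and block["settings"].get("interface") == parent
                and block["settings"].get("vlanid") == str(new_vlanid)):
            raise ValueError(f"VLAN {new_vlanid} already used by {other!r} on {parent}")
    out = []
    for i, line in enumerate(lines):
        if target["start"] < i < target["end"] and line.strip().startswith("set vlanid "):
            indent = line[: len(line) - len(line.lstrip())]
            line = f"{indent}set vlanid {new_vlanid}"
        out.append(line)
    return "\n".join(out) + "\n"
```

The interface name ("po1.565") is only a label on the FortiGate and does not have to change along with the VLAN ID; only the set vlanid value matters to the device.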



Tuesday, February 4, 2025

Create a Custom ICMP Service in a FortiGate Firewall

I had to configure a firewall policy in a FortiGate firewall and wanted to restrict the ICMP or ping service, since the default type is ANY (ALL_ICMP). You can refer to the different ICMP types and codes on the IANA website. For an ICMP echo reply, use a Type of 0 and a Code of 0.

It's always best practice to clone the original service to prevent any disruption whenever there's a new firmware update (if there's a change in a command/feature). To clone a Ping service, search and right-click PING > Clone.

Type a Name > change the Type and Code.

 

For an ICMP time exceeded, it uses a Type of 11 and Code of 0.


Wednesday, January 8, 2025

FortiGate Direct Firmware Upgrade

You can "safely" upgrade FortiOS directly to the target firmware if the unit is brand new, since it still has the default configuration. You only need to follow the upgrade path when there is an existing configuration, so that the upgrade process can handle any changes in commands or features along the way.

I upgraded a brand new standalone FortiGate and it was shipped with a default 6.4 firmware.


FortiGate-xxF login: admin
Password:
You are forced to change your password. Please input a new password.
New Password:
Confirm Password:
Welcome!

FortiGate-xxF # get system status
Version: FortiGate-xxF v6.4.4,build5543,201214 (GA)
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
Serial-Number: FGxxFT923901234
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
BIOS version: 05000011
System Part-Number: P25132-01
Log hard disk: Available
Hostname: FortiGate-xxF
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1803
Release Version Information: GA
FortiOS x86-64: Yes

 

I uploaded the target firmware and the direct upgrade only took around 4 minutes to complete. I proceeded with the configuration afterwards.

 

FortiGate-xxF # get system status
Version: FortiGate-xxF v7.xx,buildxx (GA.M)
Security Level: 2
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
FMWP-DB: 0.00000(2001-01-01 00:00)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
Serial-Number: FGxxFT923901234
BIOS version: 05000011
System Part-Number: P25132-01
Log hard disk: Available
Hostname: FortiGate-xxF
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1706
Release Version Information: GA
FortiOS x86-64: Yes
System time: Mon Oct  7 03:14:05 2024
Last reboot reason: warm reboot

 

Friday, December 6, 2024

Troubleshoot FortiGuard Server Connectivity

Here's a Fortinet link on troubleshooting FortiGuard server connectivity over the Internet. I was configuring a new FortiGate firewall in multiple VDOM mode but couldn't ping or perform a license update to the FortiGuard server (a cloud service over the Internet).

FGT # config vdom

FGT (vdom) # edit root
current vf=root:0

FGT (root) # execute ping update.fortiguard.net
Unable to resolve hostname.

 

The FortiGate uses FortiGuard public DNS server IP: 96.45.45.45 and 96.45.46.46 by default. To change DNS server settings, go to Network > DNS > select: Specify > type the usable public DNS server IP (Google DNS 8.8.8.8 or your private DNS server) > enable/toggle: DNS (UDP/53) > click Apply.


FGT (root) # execute ping service.fortiguard.net
PING guard.fortinet.net (208.184.237.61): 56 data bytes
64 bytes from 208.184.237.61: icmp_seq=0 ttl=47 time=255.0 ms
64 bytes from 208.184.237.61: icmp_seq=1 ttl=47 time=254.7 ms
64 bytes from 208.184.237.61: icmp_seq=2 ttl=47 time=254.7 ms
64 bytes from 208.184.237.61: icmp_seq=3 ttl=47 time=254.7 ms
64 bytes from 208.184.237.61: icmp_seq=4 ttl=47 time=254.7 ms

--- guard.fortinet.net ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 254.7/254.7/255.0 ms

FGT (root) # execute ping update.fortiguard.net
PING fds1.fortinet.com (12.34.97.16): 56 data bytes
64 bytes from 12.34.97.16: icmp_seq=0 ttl=46 time=332.9 ms
64 bytes from 12.34.97.16: icmp_seq=1 ttl=46 time=333.5 ms
64 bytes from 12.34.97.16: icmp_seq=2 ttl=46 time=333.4 ms
64 bytes from 12.34.97.16: icmp_seq=3 ttl=46 time=333.5 ms
64 bytes from 12.34.97.16: icmp_seq=4 ttl=46 time=337.0 ms

--- fds1.fortinet.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 332.9/334.0/337.0 ms

FGT (root) # execute ping guard.fortinet.net
PING guard.fortinet.net (208.184.237.61): 56 data bytes
64 bytes from 208.184.237.61: icmp_seq=0 ttl=47 time=254.9 ms
64 bytes from 208.184.237.61: icmp_seq=1 ttl=47 time=254.6 ms
64 bytes from 208.184.237.61: icmp_seq=2 ttl=47 time=254.5 ms
64 bytes from 208.184.237.61: icmp_seq=3 ttl=47 time=254.5 ms
64 bytes from 208.184.237.61: icmp_seq=4 ttl=47 time=254.5 ms

--- guard.fortinet.net ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 254.5/254.6/254.9 ms

 

 

The FortiCare (support and warranty) and Next Generation Firewall licenses (Intrusion Prevention, Antivirus and Web Filtering) were updated/enabled after a few minutes.

 

The Internet Service Database (ISDB) objects were updated as well. You can view these under Policy & Objects > Internet Service Database.

The ISDB is a comprehensive list of public IP addresses (Geolocation based), service/port numbers, reputation, popularity (Facebook, Amazon, Microsoft, etc.) which can be used in creating a firewall policy or security profile (Antivirus, Web filter, Application Control, etc.) in a FortiGate firewall.


Sunday, November 10, 2024

Create a Fortinet Support Ticket

Here's a Fortinet link for device hardening and best practice in a FortiGate firewall.

To create a new Fortinet support ticket, go to this link > select Create a Ticket.

Select a Request Ticket Type (closest to your issue/inquiry). In this case, I selected Customer Service > Submit ticket.

Select a CS category. In this case I selected: Cloud Portal Query.

Put the device Serial Number > Contact Information > Ticket Information.

Add Comment to describe your issue or upload a screenshot of the error in the Attachments.

Click Finish and note the ticket number. The Fortinet ticket number and summary will be sent to your registered email.

Another way to create a Fortinet ticket is via the Asset Management portal. Click Support > FortiCare > Create a Ticket.

Click New Ticket.


Choose: Technical Support Ticket > Submit Ticket.

You can get the FortiGate serial number with the get system status CLI command:

FG# get system status
Version: FortiGate-xx v7x,buildxx
Security Level: 2
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
Serial-Number: FGxx
BIOS version: 06000008
System Part-Number: Pxx
Log hard disk: Available
Hostname: FG
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 2 in NAT mode, 0 in TP mode
Virtual domain configuration: multiple
FIPS-CC mode: disable
Current HA mode: a-p, primary
Cluster uptime: 241 days, 23 hours, 33 minutes, 20 seconds
Cluster state change time: 2024-03-06 07:04:47
Branch point: xx
Release Version Information: GA
FortiOS x86-64: Yes
System time: Fri Sep  6 03:20:07 2024
Last reboot reason: warm reboot

 

Or retrieve it via the web GUI under Dashboard > Status.


Under the Product Info > type the device SN > click Go

Fill up the required info > click Next.

Type the Comment (answer the pre-filled questionnaire) or click File Upload to upload a screenshot of the error.

It's also very useful to upload the Debug log which is similar to show tech-support in a Cisco device. Go to System > Settings > Debug logs > click Download.

It only took a few seconds to download the Debug log text file. Here's a snippet of the Debug log output:

----------------------------------------------------------------
  Serial Number: FG4Hxx   Diagnose output
----------------------------------------------------------------

### get system status

Version: FortiGate-xxv7x
Security Level: 2
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
Serial-Number: FG4xx
BIOS version: 06000008
System Part-Number: P27xx
Log hard disk: Available
Hostname: xx
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 2 in NAT mode, 0 in TP mode
Virtual domain configuration: multiple
FIPS-CC mode: disable
Current HA mode: a-p, primary
Cluster uptime: 241 days, 23 hours, 40 minutes, 25 seconds
Cluster state change time: 2024-03-06 07:04:47
Branch point: xx
Release Version Information: xx
FortiOS x86-64: Yes
System time: Fri Sep  6 03:27:12 2024
Last reboot reason: warm reboot

### get system performance status

CPU states: 1% user 0% system 0% nice 99% idle 0% iowait 0% irq 0% softirq
CPU0 states: 2% user 0% system 0% nice 98% idle 0% iowait 0% irq 0% softirq
CPU1 states: 0% user 0% system 0% nice 99% idle 0% iowait 0% irq 1% softirq
CPU2 states: 7% user 5% system 0% nice 87% idle 0% iowait 0% irq 1% softirq
CPU3 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU4 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU5 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU6 states: 0% user 0% system 0% nice 99% idle 0% iowait 0% irq 1% softirq
CPU7 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU8 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq

<OUTPUT TRUNCATED>

 

 

Review the ticket summary before submitting > click Confirm to proceed.

 




Saturday, October 5, 2024

Cisco GRE Tunnel Keepalive

This Cisco link covers the GRE tunnel and how its keepalive works. I have a GRE over IPsec VPN configured between Singapore and London. The GRE tunnel only came up whenever I performed a ping, so I configured the GRE tunnel keepalive so it always stays up. The default keepalive interval is 10 seconds with 3 retries.

SIN#show run interface Tunnel40
Building configuration...

Current configuration : 314 bytes
!
interface Tunnel40
 ip address 10.16.2.194 255.255.255.252
 ip mtu 1400
 tunnel source 192.168.1.18
 tunnel destination 192.168.1.146
end

SIN#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SIN(config)#interface Tunnel40
SIN(config-if)#keepalive ?
  <0-32767>  Keepalive period (default 10 seconds)
  <cr>       <cr>

SIN(config-if)#keepalive
SIN(config-if)#end
SIN#write memory
Building configuration...
[OK]

SIN#show run interface Tunnel40
Building configuration...

Current configuration : 330 bytes
!
interface Tunnel40
 ip address 10.106.192.194 255.255.255.252
 ip mtu 1400
 keepalive 10 3
 tunnel source 192.168.1.18
 tunnel destination 192.168.1.146
end


LON#show run interface Tunnel40
Building configuration...

Current configuration : 322 bytes
!
interface Tunnel40
 ip address 10.16.2.193 255.255.255.252
 ip mtu 1400
 tunnel source 192.168.1.146
 tunnel destination 192.168.1.18
end

LON#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LON(config)#interface Tunnel40
LON(config-if)#keepalive
LON(config-if)#end
LON#write memory
Building configuration...
[OK]

LON#show run interface Tunnel40
Building configuration...

Current configuration : 338 bytes
!
interface Tunnel40
 ip address 10.16.2.193 255.255.255.252
 ip mtu 1400
 keepalive 10 3   // DEFAULT IS 10 SECOND INTERVAL AND 3 RETRIES
 tunnel source 192.168.1.146
 tunnel destination 192.168.1.18
end

LON#ping 10.16.2.194
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.16.2.194, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 181/181/181 ms

 

I checked that the IPsec VPN was already up on the FortiGate firewall even before I did a ping.