Tag Archives: what os does fortigate use

Hardware acceleration

Hardware acceleration

NP6 diagnose commands and get command changes (288738)

You can use the get hardware npu np6 command to display information about the NP6 processors in your FortiGate and the sessions they are processing. This command contains a subset of the options available from the diagnose npu np6 command. The command syntax is:

get hardware npu np6 {dce <np6-id> | ipsec-stats | port-list | session-stats <np6-id> |

sse-stats <np6-id> | synproxy-stats}

<np6-id> identifies the NP6 processor. 0 is np6_0, 1 is np6_1 and so on. dce show NP6 non-zero sub-engine drop counters for the selected NP6. ipsec-stats show overall NP6 IPsec offloading statistics.

port-list show the mapping between the FortiGate’s physical ports and its NP6 processors.

session-stats show NP6 session offloading statistics counters for the selected NP6.

sse-stats show hardware session statistics counters.

synproxy-stats show overall NP6 synproxy statistics for TCP connections identified as being syn proxy DoS attacks.

 

NP6 session accounting enabled when traffic logging is enabled in a firewall policy (268426)

By default, on a FortiGate unit with NP6 processors, when you enable traffic logging in a firewall policy this also enables NP6 per-session accounting. If you disable traffic logging this also disables NP6 per-session accounting. This behavior can be changed using the following command:

config system np6 edit np6_0

set per-session-accounting {disable | all-enable | enable-by-log}

end

By default, per-session-accounting is set to enable-by-log, which results in per-session accounting being turned on when you enable traffic logging in a policy. You can disable per-session accounting or set all- enable to enable per-session accounting whether or not traffic logging is enabled. Note that this configuration is set separately for each NP6 processor.

When offloaded sessions appear on the FortiView All Sessions console they include an icon identifying them as

NP sessions:

You can hover over the NP icon to see some information about the offloaded sessions.

 

Determining why a session is not offloaded (245447)

You can use the diagnose sys session list command to get information about why a session has not been offloaded to an NP4 or NP6 processor.

If a session has not been offloaded the session information displayed by the command includes no_ofld_ reason followed by information to help you determine the cause. To take a simple example, an HTTPS session connecting to the GUI could have a field similar to no_ofld_reason: local. This means the session is a local session that is not offloaded.

The no_ofld_reason field only appears if the session is not offloaded and includes information to help determine why the session is not offloaded. For example,

no_ofld_reason: redir-to-av redir-to-ips non-npu-intf

Indicates that the session is not offloaded because it was redirected to virus scanning (redir-to-av), IPS (redir-to-ips), and so on.

IPsec pass-through traffic is now offloaded to NP6 processors (253221)

IPsec traffic that passes through a FortiGate without being unencrypted is now be offloaded to NP6 processors.

 

Disabling offloading IPsec Diffie-Hellman key exchange (269555)

You can use the following command to disable using ASIC offloading to accelerate IPsec Diffie-Hellman key exchange for IPsec ESP traffic. By default hardware offloading is used. For debugging purposes or other reasons you may want this function to be processed by software.

Use the following command to disable using ASIC offloading for IPsec Diffie Hellman key exchange:

config system global

set ipsec-asic-offload disable end

 

FortiGate3700DX TP2 processors support GTP offloading (294212)

The FortiGate-3700DX contains two TP2 processors that provide GTP offloading. GTPu traffic is forwarded from NP6 processors to TP2 processors. The TP2 processors filter the encapsulated traffic and send the approved GTPu traffic back to the NP6.

 

FortiGate VM

FortiGate VM

You can reset FortiGate VMs to factory defaults without deleting the VM license (280471)

New command , execute factoryreset keepvmlicense, resets FortiGate VMs to factory defaults without deleting the VM license.

FortiGate VM Single Root I/O Virtualization (SR-IOV) support (275432)

SR-IOV is a specification that allows a PCIe device to be treated as multiple separate PCIe devices.This feature will enable better performance with Intel based servers across multiple VM platforms, including Citrix and AWS. In fact, AWS has optimized some instance types to take advantage of this feature.

 

VM License Check Time Extension (262494)

VM license check time has been extended from 24 hours to 5 days.

 

Integrate VMtools Into FortiGate-VM for VMware (248842)

The following VMtools sub set of features has been integrated into the FortiGate-VM for VMWare images:

  • Start
  • Stop
  • Reboot
  • IP state in vCenter

 

Source Of Information

Just to prevent any confusion. Administration Guides, Release Notes, and Data Sheets are directly from Fortinet. Apparently, someone believed that I was trying to pass this as my own original insight. Let’s face it, this site is 2 months old. There is no way I put over 2,000 pages of original content on this site in that time frame. Lets not be silly. That being said, original Fortinet GURU specific content is in fact posted here and will grow as the site develops. We take our experiences and post them here to provide insight while at the same time post reference material from Fortinet. Not everyone knows how to get their hands on the official Fortinet text and this site helps people find that information via the internet.

So in case anyone else out there is butt hurt, Nope, not all of this is mine, in fact, a very small bit of it so far is. I’m also not going to reinvent the wheel. Fortinet invented this stuff and developed documentation that explains in a pretty good manner how to handle various situations. I guess I could just read each paragraph and then reword it but that’s retarded.

So there you have it folks. The Administration Guides for each product, Release notes, and various other items that look like they are straight from Fortinet it is because they are. I thought that was pretty obvious but some people just need that shit spelled out. I am in no way trying to take credit for their work nor am I interested in you not visiting their sites. That is why I have them linked from the side bar and much of the content on this site has links to Fortinet directly in the content!

Fortinet GURU Community

I am seriously considering opening up a forum for visitors to surf and ask questions on. I know, I know, Fortinet already has a support forum. Yeah, well I want one that is better. There, I said it. Anyways, comment below and let me know what your thoughts are on this. I think it would, at the very least, be fun. A community of assholes that love working on Fortinet gear and getting the most out of their equipment. What could go wrong?

I deserve more Fortinet SWAG

I feel as though I do a lot for Fortinet. True, I don’t work directly for them. I do help their customers utilize their hardware though. Oh well, Saturday night rants for grown men aren’t that interesting. A big Fortinet banner would look fly as hell in my office though. I tried to steal some from the Fortinet Global Partner Conference back in 2015…..but let’s face it. I was entirely too drunk the entire trip to pull that off.

Route based VPN is WAY better than Policy based VPN

I am in the middle of helping a client absorb one of their clients. This involves moving all of the client’s client’s (redundant I know) IPSec tunnels into my clients FortiGate. This is all fine and dandy. I do IPSec tunnels all the time. Unfortunately for me though, my client’s client utilizes policy based VPN’s which work fine I suppose but jesus they are annoying. Yes, I know they do things just fine. Yes, I know they have their place. I may just be an old dog set in my ways but to me…..Route based IPSec tunnels is bae, Route based IPSec tunnels is life.

Firewall

Firewall

 

Display change in Policy listing (284027)

Alias names for interfaces, if used now appear in the headings for the Interface Pair View or what used to be called the Section View.

 

RPC over HTTP traffic separate (288526)

How protocol options profiles and SSL inspection profiles handle RPC (Remote Procedure Calls) over HTTP traffic can now be configured separately from normal HTTP traffic.

 

CLI syntax changes

config firewall profile-protocol-options edit 0

set rpc-over-http {disable | enable}

end

 

config firewall ssl-ssh-profile edit deep-inspection

set rpc-over-http {disable | enable}

end

 

Disable Server Response Inspection supported (274458)

Disable Server Response Inspection (DSRI) option included in Firewall Policy (CLI only) to assist performance when only using URL filtering as it allows the system to ignore the http server responses.

CLI syntax for changing the status of the DSRI setting:

conf firewall policy|policy6 edit NNN

set dsri enable/disable end

conf firewall interface-policy|interface-policy6 edit NNN

set dsri enable/disable end

conf firewall sniffer edit NNN

set dsri enable/disable end

 

Policy counter improvements (277555 260743 172125)

  • implicit deny policy counter added
  • first-hit time tracked for each policy
  • “Hit count” is tracked for each policy (total number of new sessions since last reset)
  • Most counters now persist across reboots

 

Bidirectional Forwarding Detection (BFD) (247622)

Bidirectional Forwarding Detection (BFD) protocol support has been added to Protocol Independent Multicast (PIM), to detect failures between forwarding engines.

 

TCP sessions can be created without TCP syn flag checking (236078)

A Per-VDOM option is avaialble to enable or disable the creation of TCP sessions without TCP syn flag checking

 

Mirroring of traffic decrypted by SSL inspection (275458)

This feature sends a copy of traffic decrypted by SSL inspection to one or more FortiGate interfaces so that it can be collected by raw packet capture tool for archiving and analysis.

This feature is available if the inspection mode is set to flow-based. Use the following command to enable this feature in a policy. The following command sends all traffic decrypted by the policy to the FortiGate port1 and port2 interfaces.

conf firewall policy edit 1

set ssl-mirror enable/disable set ssl-mirror-intf port1 port2

next

 

Support for full cone NAT (269939)

Full cone NAT maps a public IP address and port to a LAN IP address and port. This means that a device on the Internet can send data to the internal LAN IP address and port number by directing it a the external IP address and port number. Sending to the correct IP address but a different port will cause the communication to fail. This type of NAT is also known as port forwarding.

Full cone NATing is configured only in the CLI. It is done by properly configuring an IP pool for the NATing of an external IP address. The two important settings are:

  • set type – it must be set to port-block-allocation to use full cone
  • set permit-any-host – enabling it is what enables full cone NAT An example fo the IP pool configuration would be:

config firewall ippool edit “full_cone-pool1”

set type port-block-allocation set startip 10.1.1.1

set endip 10.1.1.1

set permit-any-host enable end

 

Enable or disable inspecting IPv4 and IPv6 ICMP traffic (258734)

There is now a system setting that determines if ICMP traffic can pass through a Fortigate even if there is no existing sesson.

config sytem settings

set asymroute-icmp enable set asymroute6-imap enable

end

When feature enabled:

  • Allows ICMP or ICMPv6 reply traffic can pass through firewall when there is no session existing – asmetric routing case.
  • Prevents TCP ACK messages from passing through the firewall when there is no session existing.

 

When feature disabled:

Prevents ICMP or ICMPv6 replies from passing through firewall when there is no session existing.

Explicit web proxy

Explicit web proxy

New explicit proxy firewall address types (284753)

New explicit proxy firewall address types improve granularity over header matching for explicit web proxy policies. You can enable this option using the Show in Address List button on the Address and Address Group New/Edit forms under Policy & Objects > Addresses.

The following new address types have been added:

  • URL Pattern – destination address
  • Host Regex Match – destination address
  • URL Category – destination address (URL filtering)
  • HTTP Method – source address
  • User Agent – source address
  • HTTP Header – source address
  • Advanced (Source) – source address (combines User Agent, HTTP Method, and HTTP Header)
  • Advanced (Destination) – destination address (combines Host Regex Match and URL Category)

 

Disclaimer messages can be added to explicit proxy policies (273208)

Disclaimer options are now available for each explicit proxy policy or split policy of ID-based policy. This feature allows you to create user exceptions for specific URL categories (including warning messages) based on user groups.

The Disclaimer Options are configured under Policy & Objects > Explicit Proxy Policy. You can also configure a disclaimer for each Authentication Rule by setting Action to Authenticate.