Australian FTTP via Telstra not connecting to FortiGate

We recently had a customer take advantage of a free upgrade from FTTN (Fibre to the Node) to FTTP (Fibre to the Premises) for their NBN (National Broadband Network) service. During cut-over, however, the FortiGate wasn’t picking up connectivity on the WAN port, which had the on-site guy stumped for 10 minutes until we jumped on and took a look. In HFC days you’d sometimes have to “spoof” the MAC address to get it working, but in this case it was something else: Ethernet auto-negotiation.

We hard-coded the WAN port to 100 Mbps full duplex and it kicked in like a charm. The following commands edit the interface and set the speed accordingly.

config system interface
edit WAN1
set speed 100full
end

While it’s not something I’ve experienced with Enterprise Ethernet installations, the same thing applies to certain fibre installs: we would sometimes see customer NTDs or NTUs (such as Cisco or MRV) fail to connect for similar reasons, so, liaising with the ISP, we’d ensure both ends of the cable are set to the same speed and duplex setting.

Fix FortiGate HA out of sync

Sometimes after performing a firmware upgrade on a FortiGate HA pair, I find that after some time the cluster still stays out of sync and won’t synchronise. I usually find this is because the checksums of the config files on some or all members are different. To quickly check whether this is the case, fire up the CLI and run the following command, which outputs the HA checksums.

# diag sys ha checksum cluster

If the outputs don’t match and we’re happy with the configuration of the primary, we can force a checksum recalculation with the following command:

# diag sys ha checksum recalculate

Entering the command without options recalculates all checksums. You can specify a VDOM name to recalculate the checksums for that VDOM only.

SAML SSO for FortiWeb Admin interface

I was recently engaged with a large health-care provider in deploying a set of FortiWeb VMs to protect a number of web applications. Part of this deployment included setting up Single Sign-On for the admin interface using Microsoft Entra ID (Azure AD). While the process is fairly straightforward, it is a little confusing at some points, so I’ve written this just in case you or I need it again.
Start off by creating an Enterprise Application in Microsoft Entra: browse the gallery and use the pre-built FortiWeb Web Application Firewall application (which is intended for client-based web authentication); here we’ll use it to configure the admin login instead. Enable Single sign-on and enter the Basic SAML configuration details as follows:

Identifier (Entity ID): http://10.0.0.1/metadata
Reply URL (Assertion Consumer Service URL): https://10.0.0.1:4443/saml/?acs
Sign on URL: https://10.0.0.1:4443/saml/login

The important part here is that the Identifier uses http and omits the admin port, whereas your Reply and Sign on URLs need to go via https to the admin port. Copy the Login URL (the Logout URL is almost always the same) and the Microsoft Entra Identifier, as we’ll need these shortly. Add yourself or the test user we’ll be logging in with. We can now move on to configuring the FortiWeb.
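Because the http/https and port split above is the easiest thing to get wrong, here is a small checker (added example, not part of the original post) that builds the three Entra values from a FortiWeb address and flags deviations from the pattern the post describes. The /metadata, /saml/?acs and /saml/login paths and the 4443 admin port come from the post; the FortiWeb IP is whatever the caller passes.

```python
from urllib.parse import urlparse, parse_qs

# Added example: validates the Entra "Basic SAML Configuration" values for
# FortiWeb admin SSO. The rules encode the post's pattern: Entity ID on plain
# http with no port, ACS and Sign on URLs on https to the admin port.

def expected_saml_values(fortiweb_ip, admin_port=4443):
    """Build the three values exactly as the post lays them out."""
    return {
        "entity_id": f"http://{fortiweb_ip}/metadata",
        "acs_url": f"https://{fortiweb_ip}:{admin_port}/saml/?acs",
        "sign_on_url": f"https://{fortiweb_ip}:{admin_port}/saml/login",
    }

def check_saml_values(values, fortiweb_ip, admin_port=4443):
    """Return a list of findings; an empty list means all three look right."""
    findings = []
    ent = urlparse(values.get("entity_id", ""))
    # Entity ID: plain http, bare host (no admin port), /metadata path
    if ent.scheme != "http":
        findings.append("entity_id must use http, not " + (ent.scheme or "<none>"))
    if ent.port is not None:
        findings.append("entity_id must not carry the admin port")
    if ent.hostname != fortiweb_ip or ent.path != "/metadata":
        findings.append("entity_id must be http://<fortiweb-ip>/metadata")
    # ACS and Sign on URL: https, FortiWeb host, admin port, expected path
    for key, path, flag in (("acs_url", "/saml/", "acs"),
                            ("sign_on_url", "/saml/login", None)):
        u = urlparse(values.get(key, ""))
        if u.scheme != "https":
            findings.append(f"{key} must use https")
        if u.hostname != fortiweb_ip:
            findings.append(f"{key} host must be the FortiWeb SP address {fortiweb_ip}")
        if u.port != admin_port:
            findings.append(f"{key} must target the admin port {admin_port}")
        if u.path != path:
            findings.append(f"{key} path must be {path}")
        # the ACS URL ends in a bare "?acs" query flag with no value
        if flag and flag not in parse_qs(u.query, keep_blank_values=True):
            findings.append(f"{key} must end with ?{flag}")
    return findings
```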

Log in and navigate to Security Fabric > Fabric Connectors, click on the FortiGate connector and select Edit. Once in, enable the Single Sign-On Mode toggle and enter the details as follows:

SP Address: IP of FortiWeb (primary if HA)
Default Login Page: Leave as Normal
Default SSO Admin Profile: admin_no_access
IDP Entity ID: paste the Entra Identifier here
IDP Single Sign-On URL: paste the Login URL here
IDP Single Logout URL: paste the Login URL here

Unlike a FortiGate, we don’t need to specify or upload an IDP certificate. Setting the Default SSO Admin Profile to admin_no_access means you’ll need to create each user and manually set their profile; otherwise any user who logs in via SSO automatically receives whatever profile is set here, such as prof_admin. Once done you should have something similar to the image. Click OK to save the configuration.

Now, hopefully you’ve set it to admin_no_access, so let’s create a user by going to System > Admin > Administrators and, under Create New, clicking SSO Admin. For the username, enter the user principal name of the Entra user and click OK.

You should now be ready to test the SAML sign in. Fire up an incognito browser and, once you hit the login page, you should see the text “or via Single Sign-On” next to the Login button. If you get an error on the FortiWeb side or are sent back to the login page, you can do some additional debugging to check assertions and the like via the console using the following debug commands (excuse my shorthand of diagnose debug):

# di de app samld 7
# di de en

Once you are done inspecting, make sure to disable debugging:

# di de di

Enjoy.

Set a Default Tab for FortiClient EMS

It’s been a while, but I am working on deploying an updated version of FortiClient for a company, managed via EMS and Intune. One thing that bugs me (and many others) is that by default the client UI loads into the Zero Trust Telemetry tab, and the option to change the default tab is greyed out for the end user when the client is managed. There is no UI setting for this in EMS, but you can easily set the default tab using the XML editor for the specific profile: go to Endpoint Profiles > Manage Profiles, edit the profile and select XML Configuration. Once there, hit Edit and add the following line under the System and UI tags.

<default_tab>VPN</default_tab>

You can use any of the following values in the default_tab element to set the default tab accordingly.

AV: Antivirus
WF: Parental Control/Web Filtering
FW: Application Firewall
VPN: Remote Access
VULN: Vulnerability Scan
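For anyone maintaining several EMS profiles, the edit above can be scripted against an exported profile before pasting it back into the XML editor. This is an added example, not code from the original post or from Fortinet; the system/ui/default_tab element path and the allowed values come from the post, while the forticlient_configuration root of the constructed sample is an assumption about the profile layout.

```python
import xml.etree.ElementTree as ET

# Added example: set <default_tab> under <system><ui> in a FortiClient EMS
# XML profile. Element path and allowed values are from the post; the
# <forticlient_configuration> root element is assumed.

DEFAULT_TABS = {
    "AV": "Antivirus",
    "WF": "Parental Control/Web Filtering",
    "FW": "Application Firewall",
    "VPN": "Remote Access",
    "VULN": "Vulnerability Scan",
}

def set_default_tab(profile_xml: str, tab: str) -> str:
    """Return the profile with system/ui/default_tab set to `tab`.

    Rejects values the post does not list, creates the <system>/<ui>
    path if the profile lacks it, and replaces an existing <default_tab>
    instead of adding a duplicate element.
    """
    if tab not in DEFAULT_TABS:
        raise ValueError(f"unknown tab {tab!r}; expected one of {sorted(DEFAULT_TABS)}")
    root = ET.fromstring(profile_xml)
    system = root.find("system")
    if system is None:
        system = ET.SubElement(root, "system")
    ui = system.find("ui")
    if ui is None:
        ui = ET.SubElement(system, "ui")
    node = ui.find("default_tab")
    if node is None:
        node = ET.SubElement(ui, "default_tab")
    node.text = tab
    return ET.tostring(root, encoding="unicode")

def get_default_tab(profile_xml: str):
    """Read back system/ui/default_tab, or None if the profile has none."""
    node = ET.fromstring(profile_xml).find("system/ui/default_tab")
    return node.text if node is not None else None

# Constructed sample profile fragment (not a real EMS export).
SAMPLE_PROFILE = """<forticlient_configuration>
  <system>
    <ui>
      <default_tab>AV</default_tab>
    </ui>
  </system>
</forticlient_configuration>"""
```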

If you want to know what else you can configure via XML for FortiClient through EMS, see the Fortinet FortiClient XML Guide here (or the local mirror FortiClient_6.0.4_XML_Reference.pdf).

How to spoof or mimic a hardware or MAC Address of another device on an interface on a FortiGate

I was recently out at a client who were in the process of getting another link installed, which happened to be cable internet they were using for redundancy. We put their cable modem in bridge mode, but the connection wasn’t coming up after connecting everything. Most cable providers authenticate using certificates and the hardware address of the router, so this made me think we needed to make their provider believe the FortiGate was their original modem. So, firing up an SSH session, I logged in and issued the following commands:

FGT40C # config system interface
FGT40C (interface) # edit wan2
FGT40C (wan2) # set macaddr xx:xx:xx:xx:xx:xx
FGT40C (wan2) # end

You’ll want to replace the interface (in this case wan2) with your interface, and the MAC address with the hardware address you want to spoof or mimic.

I gave the cable modem a power cycle for good measure and the connection came up.

Configure a login banner or disclaimer on a FortiGate for Terminal and HTTP admin logins

If, like me, you work in an environment where people attempt to circumvent your network security, it helps to have a banner or disclaimer warning them about the trouble they’ll get into if they’re caught. By default, when you log in to a FortiGate there is no warning message or login banner.

To enable the banner or disclaimer on a FortiGate (there are both pre- and post-login disclaimers you can use), we first need to log into the CLI of the FortiGate and enter the following commands. You can substitute post for pre if you wish:

FG621B # config system global
FG621B (global) # set pre-login-banner enable
FG621B (global) # end

Now log into the web UI of FortiOS and go to System > Config > Replacement Messages. Once there, switch to the extended view; the login banners should be at the top of the list. You can edit the default message if you wish; once done, click Save.

Now when you access the FortiGate via terminal or web management you should be prompted with the disclaimer message.

FortiAnalyzer shows xx of xx database tables need to be upgraded

I was recently presented with a message after a firmware upgrade that a number of database tables needed to be upgraded. I searched the Fortinet knowledge base but found nothing. After a discussion with a Fortinet support rep we quickly found the solution, and since it is a very common issue I thought I would post the steps here for the general public.

Log onto your FortiAnalyzer and follow the instructions below.

– Go to System > Config > SQL Database and set the location to “Disabled”
– On the CLI run “execute sql-local remove-db” and confirm
– On the CLI run “execute reset sqllog transfer”
– Reactivate the SQL Database

Depending on how large your logs are, the remove-db command may take several minutes.