If you getting error during config restore
then type
# diagnose debug config-error-log read
then type
# diagnose debug config-error-log read
Monday, April 28, 2014
Wednesday, March 26, 2014
avoid FortiGate entering conserve mode
That is status field from the “Alert message control” on System Dashboard. that status indicates the critical level from FortiGate device if it has entered conserve mode.
This problem happens when shared memory goes over 80%, to exit this conserve mode you have to wait (or kill some of the processes) until the memory goes under 70%. A FortiGate goes into the conserve mode state as a self protection measure when a memory shortage appears on the system. When entering conserve mode the FortiGate activates protection measures in order to recover memory space. When enough memory is recovered, the system is leaving/exiting the conserve mode state and releases the protection measures.
Antivirus fail-open is a safeguard feature that determines the behavior of the FortiGate AntiVirus system, when it becomes overloaded with high traffic.
to mitigate this you have more type of options:
# set av-failopen { off | on-shot | pass | idledrop}
Below we will describe what all of them do:
a. Off – if the FortiGate enters conserve mode, the FortiGate will stop accepting new AV sessions, but will continue to process currently active sessions
b. One-shot – if the FortiGate enters conserve mode, all new connections will bypass the AV system, but currently sessions will continue to be processed. This is the same as the “pass” options, but it will NOT turn off once the condition causing the av-failopen has stopped
c. Idle-drop – will drop connection based on the clients that has the most opened connection
d. Pass – this is the default option
Please keep in mind that with one-shot and pass option, NO content filtering of the traffic is done. The data stream could contain malicious content.
Below are some commands to troubleshoot when the system enters conserve mode:
a. Check if the system is in Conserve Mode:
# diagnose hardware sysinfo shm
SHM counter: 67
SHM allocated: 1556480
SHM total: 101220352
conservemode: 0 [conservemode 0 means not in conserve mode, 1 means on conserve mode, 2 means on kernel conserve mode]
shm last entered: n/a
system last entered: n/a
SHM FS total: 106827776
SHM FS free: 105205760
SHM FS avail: 105205760
SHM FS alloc: 1622016
b. Check if there any errors on the interfaces:
#diagnose hardware deviceinfo nic
So, If this problem occurs somehow we need to reduce shared memory usage on Fortigate, some optimization which I have try to improve performance on this box is:
Session timer optimizations
# config system global
set tcp-halfclose-timer 30 [ default 120 s ]
set tcp-halfopen-timer 30 [ default 60 s ]
set tcp-timewait-timer 0 [ default 120 s ]
set udp-idle-timer 60 [ default 120 s ]
end
# config system session-ttl
set default 300 [ default 300 ]
config port
edit 0
set protocol 17
set timeout 10
set end-port 53
set start-port 53
end
end
Reduce the FortiGuard services for the cache
# config system fortiguard
set webfilter-cache-ttl 500 [ default 3600 ]
set antispam-cache-ttl 500 [ default 1800 ]
end
DNS cache optimization
# config system dns
set dns-cache-limit 300 [ default: 5000 ]
end
Reduce memory caching in some features (Explicit proxy, FortiGuard Antispam/Webfiltering)
on FortiOS 5.0: System > Config > Features [ enable/disable ]
Turn off all non mandatory features such as Logging, archiving, data leak prevention, IPS
Display CPU/Memory usage:
# get system performance top <delay> <max_lines>
or
# diag sys top <delay> <max_lines>
And to kill process:
# diagnose sys kill 9
Restart any applications:
# diagnose test application <application> <option>
Restart IPS engine:
# diagnose test application ipsengine 99
Turn off DHCP-server services
# config sys dhcp server
delete (reference number for dhcp-server)
end
Reduce the maximum file size for antivirus scanning
On FortiOS 5.0: Go to Policy > Proxy Options > Common Options > Change: Amount (bytes)
On FortiOS 4.0: Go to Firewall > Policy > Protocol Options > reduce the file size threshold
This problem happens when shared memory goes over 80%, to exit this conserve mode you have to wait (or kill some of the processes) until the memory goes under 70%. A FortiGate goes into the conserve mode state as a self protection measure when a memory shortage appears on the system. When entering conserve mode the FortiGate activates protection measures in order to recover memory space. When enough memory is recovered, the system is leaving/exiting the conserve mode state and releases the protection measures.
Antivirus fail-open is a safeguard feature that determines the behavior of the FortiGate AntiVirus system, when it becomes overloaded with high traffic.
to mitigate this you have more type of options:
# set av-failopen { off | on-shot | pass | idledrop}
Below we will describe what all of them do:
a. Off – if the FortiGate enters conserve mode, the FortiGate will stop accepting new AV sessions, but will continue to process currently active sessions
b. One-shot – if the FortiGate enters conserve mode, all new connections will bypass the AV system, but currently sessions will continue to be processed. This is the same as the “pass” options, but it will NOT turn off once the condition causing the av-failopen has stopped
c. Idle-drop – will drop connection based on the clients that has the most opened connection
d. Pass – this is the default option
Please keep in mind that with one-shot and pass option, NO content filtering of the traffic is done. The data stream could contain malicious content.
Below are some commands to troubleshoot when the system enters conserve mode:
a. Check if the system is in Conserve Mode:
# diagnose hardware sysinfo shm
SHM counter: 67
SHM allocated: 1556480
SHM total: 101220352
conservemode: 0 [conservemode 0 means not in conserve mode, 1 means on conserve mode, 2 means on kernel conserve mode]
shm last entered: n/a
system last entered: n/a
SHM FS total: 106827776
SHM FS free: 105205760
SHM FS avail: 105205760
SHM FS alloc: 1622016
b. Check if there any errors on the interfaces:
#diagnose hardware deviceinfo nic
So, If this problem occurs somehow we need to reduce shared memory usage on Fortigate, some optimization which I have try to improve performance on this box is:
Session timer optimizations
# config system global
set tcp-halfclose-timer 30 [ default 120 s ]
set tcp-halfopen-timer 30 [ default 60 s ]
set tcp-timewait-timer 0 [ default 120 s ]
set udp-idle-timer 60 [ default 120 s ]
end
# config system session-ttl
set default 300 [ default 300 ]
config port
edit 0
set protocol 17
set timeout 10
set end-port 53
set start-port 53
end
end
Reduce the FortiGuard services for the cache
# config system fortiguard
set webfilter-cache-ttl 500 [ default 3600 ]
set antispam-cache-ttl 500 [ default 1800 ]
end
DNS cache optimization
# config system dns
set dns-cache-limit 300 [ default: 5000 ]
end
Reduce memory caching in some features (Explicit proxy, FortiGuard Antispam/Webfiltering)
on FortiOS 5.0: System > Config > Features [ enable/disable ]
Turn off all non mandatory features such as Logging, archiving, data leak prevention, IPS
Display CPU/Memory usage:
# get system performance top <delay> <max_lines>
or
# diag sys top <delay> <max_lines>
And to kill process:
# diagnose sys kill 9
Restart any applications:
# diagnose test application <application> <option>
Restart IPS engine:
# diagnose test application ipsengine 99
Turn off DHCP-server services
# config sys dhcp server
delete (reference number for dhcp-server)
end
Reduce the maximum file size for antivirus scanning
On FortiOS 5.0: Go to Policy > Proxy Options > Common Options > Change: Amount (bytes)
On FortiOS 4.0: Go to Firewall > Policy > Protocol Options > reduce the file size threshold
Friday, February 28, 2014
Configuring dhcpv6 on fortinet fortigate firewall
How to configure the external Interface:
config system interface
edit "wan1"
set alias "External"
config ipv6
set ip6-address xxxx:xxx:xxx:113::2/64
set ip6-allowaccess ping
set ip6-manage-flag enable
set ip6-other-flag enable
end
next
How to configure the static6 route:
config router static6
edit 1
set device "wan1"
set gateway xxxx:xxx:xxx:113::1
next
end
How to configure the Internal Interface:
config system interface
edit "Internal"
config ipv6
set ip6-mode static
set ip6-address xxxx:xxx:xxx:cccc::1/64
set ip6-allowaccess ping
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
set ip6-max-interval 600
set ip6-min-interval 198
set ip6-link-mtu 0
set ip6-reachable-time 0
set ip6-retrans-time 3000
set ip6-default-life 1800
set ip6-hop-limit 0
set autoconf disable
set dhcp6-relay-service disable
end
next
How to configure the DHCP server.
config system dhcp6 server
edit 1
set dns-service specify
set enable enable
set interface "wan2"
config ip-range
edit 1
set end-ip xxxx:xxx:xxx:cccc::6000
set start-ip xxxx:xxx:xxx:cccc::1000
next
end
set lease-time 10800
set option1 0
set option2 0
set option3 0
set rapid-commit disable
set subnet xxxx:xxx:xxx:cccc::/64
set dns-server1 2001:4860:4860::8888
set dns-server2 2001:4860:4860::4444
set dns-server3 ::
next
end
With this configuration, the hosts will get and surf on the Internet with an IP betweenxxxx:xxx:xxx:cccc::1000 and xxxx:xxx:xxx:cccc::6000.
There are others DHCPv6 configuration may interest you. You can configure a prefix-list on the interface.
config system interface
edit "Internal"
config ipv6
set ip6-address xxxx:xxx:xxx:cccc::1/64
set ip6-allowaccess ping
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
set ip6-retrans-time 3000
config ip6-prefix-list
edit xxxx:xxx:xxx:cccc::/64
set autonomous-flag enable
set onlink-flag enable
set preferred-life-time 600
set valid-life-time 600
next
end
end
With this configuration, the client host will have three IPv6 address, two of them auto generated with the prefix-list and another IP given by the DHCP server. The client host will surf on the internet with the first one and get the DNS options given by the DHCP.
You can see the IP leases with the next command:
execute dhcp6 lease-list
Interface DUID IAID IP Expiry
wan2 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx 1 xx:xx:xx:cccc::1000 Fri May 31 15:49:27 2013
Then you need to create policy rules in order to allow permitted traffic.
Thursday, February 27, 2014
Configure IPv6 sit-tunnel in Fortigate FortiOS 5
Overview
Even though I am a couple of years too late for World IPv6 Launch, I've finally decided to implement IPv6 at home. The following step by step guide, should help anyone with access to similar hardware in implementing this solution.
Prerequisites
You will require the following:
Properly functioning IPv4 broadband Internet connection and LAN/WLAN at home.
FortiGate firewall running FortiOS 5.0 (I've used v5.0,build0208 GA Patch 3) with IPv6 and Advanced Routing features enabled.
A free account with Hurricane Electric IPv6 Tunnel Broker and DNS services.
An Internet domain registered with an IPv6 capable domain name registrar (e.g. Gandi).
The following steps should hopefully guide you in setting up a tunneled, but fully functional IPv4/IPv6 configuration, which will further enable you to switch off IPv4 entirely and use NAT64 to continue accessing IPv4 resources from your IPv6-only network.
Configuration
In the subsequent sections, the following example parameters are used. Make sure to substitute your own settings:
LAN firewall interface: internal
WAN firewall interface: external
Client IPv6 Address: 2001:470:1234:567::2/64
Routed /64 subnet: 2001:470:890a:bcd::/64
LAN IPv6 interface IP: 2001:470:890a:bcd::1/64
DHCP6 scope: 2001:470:890a:bcd::1000/112
IPv6 Tunnel
The first step is to establish a tunnel to your IPv6 provider, which in this case will be tunnelbroker.net.
First, allow tunnelbroker.net ICMP (ping) access to your IPv4 public IP:
Also make sure your external interface allows ping access:
Next, create a regular tunnel following https://tunnelbroker.net/new_tunnel.php link. Once you've created the tunnel, configure your firewall as follows:
Test your work so far, by pinging your server's IPv6 tunnel end-point IP:
Also try pinging an external IPv6 IP (e.g. Google):
Public DNS
If you have a dynamic IPv4 IP assigned to you by your Internet service provider, you would probably want a DNS name automatically updated, when it changes.
Using the HE portal, on your Tunnel Details page, click "Edit" next to "rDNS delegation" and click the link titled "Delegate to dns.he.net".
Next, head to dns.he.net and add a new domain, which you have registered with an IPv6 compliant registrar (check with the registra if they support "IPv6 glue records").
Edit the newly added domain zone, create a new A host record (e.g. myip.mydomain.com), making sure to tick "Enable entry for dynamic dns" and set the TTL to 5 minutes.
Click the DDNS icon next to you new record and generate a new API key.
Got to the "Advanced" tab of the tunnelbroker.net tunnel management portal and register your hostname and API key.
Last, go to your domain name registrar's admin portal and delegate your entire domain or a sub-domain to HE.net's name servers (there are five).
Dynamic DNS (DDNS)
Since I do not have a static IP address with my Internet service provider, I've configured FortiOS to update my external IPv4 address, when it changes using dyn.com as follows:
The problem with this approach however, is that your IPv6 tunnel provider doesn't know about those changes and cannot update your tunnel's public IPv4 address. So, every time you reboot your DSL/cable modem and get a new IP, your IPv6 tunnel will be down.
FotiOS currently only supports the following DDNS services:
Note, HE.net is not on the list and since there is no generic dyndns2 protocol option, there is no way to tell your FortiGate firewall to automatically update your tunnel end-point IP.
Internal LAN
Now, configure your LAN interface(s) to support IPv6:
Some notes on important flags:
ip6-send-adv enables router advertisement messages.
autonomous-flag enables stateless IPv6 configuration (dynamically generated IPv6 addresses within the prefix).
ip6-manage-flag means that there is a DHCP6 server on the network handing out IPs (stateful).
ip6-other-flag means the DHCP6 server is also handing out DNS information, etc.
onlink-flag basically means the prefix is on a local (layer 2) network.
Note, since we are using a stateful configuration where DHCP6 hands out IPv6 addresses, we disable the autonomous-flag to stop a second stateless IPv6 address being assigned.
Configure IPv6 address objects, which you will use later on in your IPv6 firewall policies:
Configure IPv6 firewall policies to allow access from your internal network and also to allow ICMP (ping) from hosts on the internet:
Test you work so far, by pinging your LAN IPv6 IP using an online ping tool while watching the tunnel interface with the packet sniffer:
DHCP6/DNS
We will be using DHCP6 to hand out IPv6 IPs as well as DNS server information.
Configure local DNS server on the internal firewall interface, which will be handed out by your DHCP server(s):
Configure DHCP6 server:
Assuming you are also running DHCP on your IPv4 network, you may also want to update it to use the local DNS server:
Renew your DHCP lease on your IPv6 client and check to make sure it obtained a correct IPv6 address from your DHCP6 server:
Note, you will also see a link-local IPv6 address, which is randomly generated.
Next, make sure the local DNS server on the firewall is handed out by your DHCP6 server:
You can also check the leases on the firewall, to see what IPs your IPv6 clients have been issued:
Now you should be able to ping an external IPv6 IP from your IPv6 enabled client:
NAT64/DNS64 (Optional)
NAT64 is used in pure IPv6 networks to allow access to IPv4 resources. In practical terms, it means you can switch off IPv4 on your internal network and continue accessing IPv4 sites on the Internet via your IPv6 tunnel. For compatibility reasons however, you would probably want to operate a mixed IPv4/IPv6 environment, until at least your Internet provider is able to support IPv6 natively.
First, re-configure your system settings to use DNS resolvers other than FortiGuard (e.g. Google and HE.net):
I found, that when the internal FortiGate DNS server is forwarding to the default FortiGuard DNS resolvers upstream, it completely breaks NAT64.
Next, enable and configure NAT64:
Note, we are disabing the automatic synthesis of IPv6 addresses, since we dont want a synthetic address generated if a host already has an IPv6 address. In this case, an address will by synthethised only if the host does not have an IPv6 AAAA record.
Add an IP pool abd firewall policy to support NAT(ing) of IPv6 addresses to IPv4:
Now, switch off IPv4 support on your client and make sure you can no longer access an IPv4 only site (e.g. Fortinet):
This is expected, since we have turned off IPv4, but told cURL to specifically use it to access the web site.
Next, try to resolve the IPv4 only site using an external DNS server (e.g. Google):
Note that there are no IPv6 host records (AAAA) returned for www.fortinet.com.
Now try to resolve the same name using your internal DNS server, running on the firewall, which is now DNS64 enabled:
Note an IPv6 address is synthesised from the NAT64 Well-Known Prefix (64:ff9b::/96).
Finally, check to make sure you can access the web site using IPv6:
Testing
To test your IPv6 setup, head to test-ipv6.com, which should get you a similar result.
Even though I am a couple of years too late for World IPv6 Launch, I've finally decided to implement IPv6 at home. The following step by step guide, should help anyone with access to similar hardware in implementing this solution.
Prerequisites
You will require the following:
Properly functioning IPv4 broadband Internet connection and LAN/WLAN at home.
FortiGate firewall running FortiOS 5.0 (I've used v5.0,build0208 GA Patch 3) with IPv6 and Advanced Routing features enabled.
A free account with Hurricane Electric IPv6 Tunnel Broker and DNS services.
An Internet domain registered with an IPv6 capable domain name registrar (e.g. Gandi).
The following steps should hopefully guide you in setting up a tunneled, but fully functional IPv4/IPv6 configuration, which will further enable you to switch off IPv4 entirely and use NAT64 to continue accessing IPv4 resources from your IPv6-only network.
Configuration
In the subsequent sections, the following example parameters are used. Make sure to substitute your own settings:
LAN firewall interface: internal
WAN firewall interface: external
Client IPv6 Address: 2001:470:1234:567::2/64
Routed /64 subnet: 2001:470:890a:bcd::/64
LAN IPv6 interface IP: 2001:470:890a:bcd::1/64
DHCP6 scope: 2001:470:890a:bcd::1000/112
IPv6 Tunnel
The first step is to establish a tunnel to your IPv6 provider, which in this case will be tunnelbroker.net.
First, allow tunnelbroker.net ICMP (ping) access to your IPv4 public IP:
config system accprofile
edit "no_access"
next
end
config system admin
edit "HE"
set trusthost1 66.220.2.74 255.255.255.255
set accprofile "no_access"
set vdom "root"
set password "your_own_secret"
next
end Also make sure your external interface allows ping access:
config system interface
# your external interface name may be different
edit "external"
set allowaccess ping ...
next
end Next, create a regular tunnel following https://tunnelbroker.net/new_tunnel.php link. Once you've created the tunnel, configure your firewall as follows:
config system sit-tunnel
edit "HE"
set destination 216.66.80.26
set interface "external"
set ip6 "client IPv6 address/mask from HE portal (e.g. 2001:470:1234:567::2/64)"
next
end
config router static6
edit 1
set device "HE"
next
end Test your work so far, by pinging your server's IPv6 tunnel end-point IP:
# exec ping6 2001:470:1234:567::1
PING 2001:470:1234:567::1(2001:470:1234:567::1) 56 data bytes
64 bytes from 2001:470:1234:567::1: icmp_seq=1 ttl=64 time=13.4 ms
64 bytes from 2001:470:1234:567::1: icmp_seq=2 ttl=64 time=13.2 ms
...Also try pinging an external IPv6 IP (e.g. Google):
# exec ping6 ipv6.google.com
PING ipv6.google.com(2a00:1450:4009:802::1012) 56 data bytes
64 bytes from 2a00:1450:4009:802::1012: icmp_seq=1 ttl=59 time=14.3 ms
64 bytes from 2a00:1450:4009:802::1012: icmp_seq=2 ttl=59 time=14.0 ms
... Public DNS
If you have a dynamic IPv4 IP assigned to you by your Internet service provider, you would probably want a DNS name automatically updated, when it changes.
Using the HE portal, on your Tunnel Details page, click "Edit" next to "rDNS delegation" and click the link titled "Delegate to dns.he.net".
Next, head to dns.he.net and add a new domain, which you have registered with an IPv6 compliant registrar (check with the registra if they support "IPv6 glue records").
Edit the newly added domain zone, create a new A host record (e.g. myip.mydomain.com), making sure to tick "Enable entry for dynamic dns" and set the TTL to 5 minutes.
Click the DDNS icon next to you new record and generate a new API key.
Got to the "Advanced" tab of the tunnelbroker.net tunnel management portal and register your hostname and API key.
Last, go to your domain name registrar's admin portal and delegate your entire domain or a sub-domain to HE.net's name servers (there are five).
Dynamic DNS (DDNS)
Since I do not have a static IP address with my Internet service provider, I've configured FortiOS to update my external IPv4 address, when it changes using dyn.com as follows:
config system ddns
edit 1
set ddns-server dyndns.org
set ddns-domain "myhost.dyndns.org"
set ddns-username "my username"
set ddns-password "my password"
set monitor-interface "external"
next
end The problem with this approach however, is that your IPv6 tunnel provider doesn't know about those changes and cannot update your tunnel's public IPv4 address. So, every time you reboot your DSL/cable modem and get a new IP, your IPv6 tunnel will be down.
FotiOS currently only supports the following DDNS services:
FortiGuardDDNS FortiGuard DDNS service.
dhs.org members.dhs.org
dipdns.net dipdnsserver.dipdns.com
dyndns.org members.dyndns.org and dnsalias.com
dyns.net www.dyns.net
easydns.com members.easydns.com
genericDDNS Generic DDNS based on RFC2136.
now.net.cn ip.todayisp.com
ods.org ods.org
tzo.com rh.tzo.com
vavic.com Peanut Hull Note, HE.net is not on the list and since there is no generic dyndns2 protocol option, there is no way to tell your FortiGate firewall to automatically update your tunnel end-point IP.
Internal LAN
Now, configure your LAN interface(s) to support IPv6:
config system interface
# your internal interface name may be different
edit "internal"
...
config ipv6
set ip6-allowaccess ping https ssh snmp
set ip6-address "first IPv6/mask in the routed/64 prefix from HE portal (e.g. 2001:470:890a:bcd::1/64)"
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
config ip6-prefix-list
edit "routed/64 IPv6 prefix from HE portal e.g. 2001:470:890a:bcd::/64"
set autonomous-flag disable
set onlink-flag enable
next
end
end
next
end Some notes on important flags:
ip6-send-adv enables router advertisement messages.
autonomous-flag enables stateless IPv6 configuration (dynamically generated IPv6 addresses within the prefix).
ip6-manage-flag means that there is a DHCP6 server on the network handing out IPs (stateful).
ip6-other-flag means the DHCP6 server is also handing out DNS information, etc.
onlink-flag basically means the prefix is on a local (layer 2) network.
Note, since we are using a stateful configuration where DHCP6 hands out IPv6 addresses, we disable the autonomous-flag to stop a second stateless IPv6 address being assigned.
Configure IPv6 address objects, which you will use later on in your IPv6 firewall policies:
config firewall address6
edit "all"
next
edit "net_2001:470:890a:bcd::/64"
set ip6 2001:470:890a:bcd::/64
next
end Configure IPv6 firewall policies to allow access from your internal network and also to allow ICMP (ping) from hosts on the internet:
config firewall policy6
edit 1
set srcintf "HE"
set dstintf "internal"
set srcaddr "all"
set dstaddr "net_2001:470:890a:bcd::/64"
set action accept
set schedule "always"
set service "ALL_ICMP6"
next
edit 2
set srcintf "internal"
set dstintf "HE"
set srcaddr "net_2001:470:890a:bcd::/64"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end Test you work so far, by pinging your LAN IPv6 IP using an online ping tool while watching the tunnel interface with the packet sniffer:
# diag sniffer packet HE "icmp6" 4
interfaces=[HE]
filters=[icmp6]
pcap_lookupnet: HE: no IPv4 address assigned
4.211481 HE -- 2001:1640:3::3 -> 2001:470:890a:bcd::1: icmp6: echo request seq 1
4.211575 HE -- 2001:470:890a:bcd::1 -> 2001:1640:3::3: icmp6: echo reply seq 1
... DHCP6/DNS
We will be using DHCP6 to hand out IPv6 IPs as well as DNS server information.
Configure local DNS server on the internal firewall interface, which will be handed out by your DHCP server(s):
config system dns-server
edit "internal"
next
end Configure DHCP6 server:
config system dhcp6 server
edit 1
set interface "internal"
config ip-range
edit 1
set end-ip 2001:470:890a:bcd::ffff
set start-ip 2001:470:890a:bcd::1000
next
end
set lease-time 3600
set rapid-commit enable
set subnet 2001:470:890a:bcd::/112
set dns-server1 2001:470:890a:bcd::1
next
end Assuming you are also running DHCP on your IPv4 network, you may also want to update it to use the local DNS server:
config system dhcp server
edit 1
set dns-service local
next
end Renew your DHCP lease on your IPv6 client and check to make sure it obtained a correct IPv6 address from your DHCP6 server:
$ ifconfig
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet6 addr: 2001:470:890a:bcd::1000/128 Scope:Global
inet6 addr: fe80::ba27:ebff:fee9:d775/64 Scope:Link
... Note, you will also see a link-local IPv6 address, which is randomly generated.
Next, make sure the local DNS server on the firewall is handed out by your DHCP6 server:
$ grep 2001 /etc/resolv.conf
nameserver 2001:470:890a:bcd::1 You can also check the leases on the firewall, to see what IPs your IPv6 clients have been issued:
BeastGate # exec dhcp6 lease-list
Interface DUID IAID IP Expiry
internal:xx:xx:xx:xx:xx:xx 15 2001:470:890a:bcd::1000 Mon Jun 24 10:48:27 2013 Now you should be able to ping an external IPv6 IP from your IPv6 enabled client:
$ ping6 -c 2 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:470:890a:bcd::1000 --> 2a00:1450:4009:809::1012
16 bytes from 2a00:1450:4009:809::1012, icmp_seq=0 hlim=58 time=22.427 ms
16 bytes from 2a00:1450:4009:809::1012, icmp_seq=1 hlim=58 time=31.112 ms NAT64/DNS64 (Optional)
NAT64 is used in pure IPv6 networks to allow access to IPv4 resources. In practical terms, it means you can switch off IPv4 on your internal network and continue accessing IPv4 sites on the Internet via your IPv6 tunnel. For compatibility reasons however, you would probably want to operate a mixed IPv4/IPv6 environment, until at least your Internet provider is able to support IPv6 natively.
First, re-configure your system settings to use DNS resolvers other than FortiGuard (e.g. Google and HE.net):
config system dns
set primary 8.8.8.8
set secondary 8.8.4.4
set ip6-primary 2001:470:20::2
set ip6-secondary 2001:4860:4860::8888
end I found, that when the internal FortiGate DNS server is forwarding to the default FortiGuard DNS resolvers upstream, it completely breaks NAT64.
Next, enable and configure NAT64:
config system nat64
set status enable
set always-synthesize-aaaa-record disable
end Note, we are disabing the automatic synthesis of IPv6 addresses, since we dont want a synthetic address generated if a host already has an IPv6 address. In this case, an address will by synthethised only if the host does not have an IPv6 AAAA record.
Add an IP pool abd firewall policy to support NAT(ing) of IPv6 addresses to IPv4:
config firewall ippool
edit "nat64-exit-pool"
next
end
config firewall policy64
edit 1
set srcintf "internal"
set dstintf "external"
set srcaddr "net_2001:470:890a:bcd::/64"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set ippool enable
set poolname "nat64-exit-pool"
next
endNow, switch off IPv4 support on your client and make sure you can no longer access an IPv4 only site (e.g. Fortinet):
$ curl -I -4 www.fortinet.com
curl: (7) Failed to connect to 66.171.121.34: No route to host This is expected, since we have turned off IPv4, but told cURL to specifically use it to access the web site.
Next, try to resolve the IPv4 only site using an external DNS server (e.g. Google):
$ dig aaaa www.fortinet.com @8.8.8.8
...
;; QUESTION SECTION:
;www.fortinet.com. IN AAAA Note that there are no IPv6 host records (AAAA) returned for www.fortinet.com.
Now try to resolve the same name using your internal DNS server, running on the firewall, which is now DNS64 enabled:
$ dig aaaa www.fortinet.com
...
;; QUESTION SECTION:
;www.fortinet.com. IN AAAA
;; ANSWER SECTION:
www.fortinet.com. 2339 IN AAAA 64:ff9b::42ab:7922
...Note an IPv6 address is synthesised from the NAT64 Well-Known Prefix (64:ff9b::/96).
Finally, check to make sure you can access the web site using IPv6:
$ curl -I -6 www.fortinet.com
HTTP/1.1 200 OK
Date: Sun, 23 Jun 2013 17:24:26 GMT
Server: Apache/2.2.3 (Red Hat)
... Testing
To test your IPv6 setup, head to test-ipv6.com, which should get you a similar result.
Monday, February 17, 2014
Configure Ethernet speed, duplex and negotiation settings
Incorrect Ethernet settings between two devices can result in an unreliable (excessive error count) connection or in no connection at all. The 'no connection' condition is easily noticed.
However, the 'unreliable' condition is the most difficult to detect since a connection is established, but with errors which can disturb normal traffic. For example, intermittent access, slow performance, or connection timeouts.
Symptoms include:
Collision counter is incrementing on the interface.
High rate of duplicate ACK packets.
Large jumps in Sequence Numbers, as retransmitted packets fill in holes.
Collision counter is incrementing on the interface.
High rate of duplicate ACK packets.
Large jumps in Sequence Numbers, as retransmitted packets fill in holes.
To determine if there are excessive or unwanted errors, use the following debug commands to view the Ethernet statistics:
FortiOS v4.0 & 5.0:
> diagnose netlink device list
> diagnose hardware deviceinfo nic <interface>
> diagnose hardware deviceinfo nic <interface>
where
<interface> can be internal, external, dmz, wan1, port1, port2, and so on.
Note: Please be sure to repeat the latter command to show how the interface statistics are changing over time.
The symptoms of duplicate ACKs and sequence number jumps will be revealed by analyzing a packet capture.
In a fully switched environment and in full-duplex operation, there should be no collisions detected. There can be collisions in a half-duplex operation. The various error counters should also be 'zero', or should not increase over a relatively short period of time. Even the slightest errors may cause unexpected traffic problems with the FortiGate firewall and the web-filtering/anti-virus/anti-Spam detection features.
Preventing Ethernet speed/duplex mismatches
Use the following practical tips to prevent a potential Ethernet speed/duplex mismatch.
- Manually configure both sides to the same mode when you can.
- When allowing auto-negotiation do it carefully referring to the list below:a. NIC set for auto, switch set for auto.
Result: Assuming these are fully 802.3u compliant and both their maximum capabilities are 100/full-duplex, they should both run at 100Mbps full duplex.
b. NIC set to 100Mbps/full-duplex, switch set for auto.
Result: Duplex mismatch. With no auto-negotiation from the NIC, the switch reverts to its default setting of 100Mbps/half-duplex.
c. NIC set for auto, switch set for 100Mbps/full-duplex.
Result: Duplex mismatch. With no auto-negotiation from the switch, the NIC reverts to its default setting of 100Mbps/half-duplex.
d. NIC set to 100Mbps/full-duplex, switch set for 100Mbps/full-duplex.
Result: Correct manual configuration.
e. NIC set to 100Mbps/half-duplex, switch set for auto.
Result: With no auto-negotiation from the NIC, the switch defaults to 100Mbps/half-duplex. A valid combination results, but only if the switch's default duplex matches the NIC setting.
f. NIC set to 10Mbps/half-duplex, switch set for auto.
Result: The switch can detect the NLP from the NIC and sets itself for 10Mbps and with no auto-negotiation (FLP) from the NIC, the switch defaults to half-duplex. A valid combination results, but only if the switch's default duplex matches the NIC setting.
g. NIC set to 10Mbps/half-duplex, switch set for 100Mbps/half-duplex.
Result: No link. Neither side will establish a link to an incorrect manual speed configuration. Auto-negotiation has been disabled on both link partners by manually configuring them.
h. NIC set auto, switch set for 10Mbps/half-duplex.
Result: Link is established in a valid configuration. The NIC sees the NLP from the switch and sets itself for 10Mbps and with no auto-negotiation (FLP) from the switch, the NIC defaults to half-duplex. A valid combination results, but only if the NIC's default duplex matches the switch settings.
About auto negotiation
The IEEE 802.3u 100BaseTX auto negotiation specification uses a modified version of the link integrity test defined for 10BaseT devices. The link integrity test for 10BaseT devices uses the Normal Link Pulse (NLP), a burst pulse every 16 (+/- 8) microseconds. For 10/100 Mbps auto negotiation, a Fast Link Pulse (FLP) is used. The FLP includes the same NLP burst every 16 (+/- 8) msec for backward compatibility plus additional pulses every 62.5 (+/- 7) microseconds. The FLP burst generates code words that are used for compatibility exchanges (duplex settings) between link partners. If a device (such as an Ethernet switch) sends FLP, but only receives NLP from it's link partner (such as a server or workstation), it will stop sending FLP and enable standard 10BaseT operation. For example, with one device (the server) manually configured for 100Mbps full duplex, and the other (the Ethernet switch) set for auto-negotiation, the switch will not be receiving the FLP and will revert to its default settings of 100Mbps half duplex. Now you have a server running half duplex and the switch port running at full duplex.
Monday, December 23, 2013
Manually changing your MAC Computers Address
- Right-click ‘My Computer’ on your desktop and select Manage
- Go to Device Manager
- Select Network Adapters
- Select and double click on the adapter for which you want to change MAC address
- You will find a properties window with multiple tab. Select Advance tab
- From Property, find Network Address
- Now select value and put your 12 digit hexadecimal number
- Press OK and exit.
Wednesday, September 25, 2013
diagnose debug flow
FGT # diagnose debug flow filter daddr <dst_server_ip>
FGT # diagnose debug flow show console enable
FGT # diagnose debug enable
FGT # diagnose debug flow trace start 1000
id=36870 trace_id=400 msg="vd-root received a packet(proto=17, 192.168.3.20:1470-><dns_server_ip>:53) from to_client."
id=36870 trace_id=400 msg="allocate a new session-00002a55"
id=36870 trace_id=400 msg="find a route: gw-172.16.0.254 via to_server"
id=36870 trace_id=400 msg="find SNAT: IP-172.16.0.100, port-36150"
id=36870 trace_id=400 msg="Denied by end point ip filter check"
Once the test is complete, the debug outputs should be disabled by using the commands:
# diag debug flow trace stop
# diag debug reset
# diag debug disable
FGT # diagnose debug flow show console enable
FGT # diagnose debug enable
FGT # diagnose debug flow trace start 1000
id=36870 trace_id=400 msg="vd-root received a packet(proto=17, 192.168.3.20:1470-><dns_server_ip>:53) from to_client."
id=36870 trace_id=400 msg="allocate a new session-00002a55"
id=36870 trace_id=400 msg="find a route: gw-172.16.0.254 via to_server"
id=36870 trace_id=400 msg="find SNAT: IP-172.16.0.100, port-36150"
id=36870 trace_id=400 msg="Denied by end point ip filter check"
Once the test is complete, the debug outputs should be disabled by using the commands:
# diag debug flow trace stop
# diag debug reset
# diag debug disable
Subscribe to:
Posts (Atom)