Monday, December 23, 2013

Manually changing your computer's MAC address

  • Right-click ‘My Computer’ on your desktop and select Manage
  • Go to Device Manager
  • Select Network Adapters
  • Select and double click on the adapter for which you want to change MAC address
  • A properties window with multiple tabs opens. Select the Advanced tab
  • In the Property list, find Network Address
  • Select Value and enter your new 12-digit hexadecimal address
  • Press OK and exit.

Wednesday, September 25, 2013

diagnose debug flow

FGT # diagnose debug flow filter daddr <dst_server_ip>
FGT # diagnose debug flow show console enable
FGT # diagnose debug enable
FGT # diagnose debug flow trace start 1000


id=36870 trace_id=400 msg="vd-root received a packet(proto=17, 192.168.3.20:1470-><dns_server_ip>:53) from to_client."
id=36870 trace_id=400 msg="allocate a new session-00002a55"
id=36870 trace_id=400 msg="find a route: gw-172.16.0.254 via to_server"
id=36870 trace_id=400 msg="find SNAT: IP-172.16.0.100, port-36150"
id=36870 trace_id=400 msg="Denied by end point ip filter check"


Once the test is complete, the debug outputs should be disabled by using the commands:

   # diag debug flow trace stop
   # diag debug reset
   # diag debug disable
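Reading a longer trace by eye is tedious, so here is an added Python helper (not from the original post) that groups debug flow lines by trace_id and reports how each packet was handled. The sample trace is constructed from the lines shown above, with placeholder addresses and one extra constructed "Allowed by Policy" flow for contrast.

```python
import re

# Constructed sample modelled on the trace above; addresses are placeholders, not real hosts.
SAMPLE_TRACE = """\
id=36870 trace_id=400 msg="vd-root received a packet(proto=17, 192.168.3.20:1470->10.0.0.53:53) from to_client."
id=36870 trace_id=400 msg="allocate a new session-00002a55"
id=36870 trace_id=400 msg="find a route: gw-172.16.0.254 via to_server"
id=36870 trace_id=400 msg="find SNAT: IP-172.16.0.100, port-36150"
id=36870 trace_id=400 msg="Denied by end point ip filter check"
id=36870 trace_id=401 msg="vd-root received a packet(proto=6, 192.168.3.21:51000->10.0.0.80:443) from to_client."
id=36870 trace_id=401 msg="allocate a new session-00002a56"
id=36870 trace_id=401 msg="Allowed by Policy-7:"
"""

LINE_RE = re.compile(r'id=(\d+) trace_id=(\d+) msg="(.*)"')
PACKET_RE = re.compile(r"proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.")

def parse_trace(text):
    """Group debug flow lines by trace_id; record the packet 5-tuple and the final verdict."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompt echoes, blank lines and other non-trace output are ignored
        trace_id, msg = int(m.group(2)), m.group(3)
        flow = flows.setdefault(trace_id, {"messages": [], "verdict": None})
        flow["messages"].append(msg)
        pm = PACKET_RE.search(msg)
        if pm:
            flow.update(proto=int(pm.group(1)),
                        src=f"{pm.group(2)}:{pm.group(3)}",
                        dst=f"{pm.group(4)}:{pm.group(5)}",
                        ingress=pm.group(6))
        elif msg.startswith(("Denied", "Allowed")):
            flow["verdict"] = msg  # last decision the unit logged for this trace
    return flows

def denied_flows(flows):
    """Return only the traces the firewall rejected, keyed by trace_id."""
    return {tid: f for tid, f in flows.items()
            if f["verdict"] and f["verdict"].startswith("Denied")}

if __name__ == "__main__":
    for tid, f in denied_flows(parse_trace(SAMPLE_TRACE)).items():
        print(f"trace {tid}: {f['src']} -> {f['dst']} proto {f['proto']}: {f['verdict']}")
```

Feed it the console capture instead of SAMPLE_TRACE to see which sessions were dropped and by which check.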

Wednesday, September 4, 2013

FortiOS 5 advanced email server settings (FortiGate firewall): changing the SMTP port

FG300Cxxxxxxxx # get system email-server
type                : custom
reply-to            : irfan@abcd.com
server              : smtp.abcd.com
port                : 25
source-ip           : 0.0.0.0
source-ip6          : ::
authenticate        : enable
username            : irfan.m@cisinlabs.com
password            : *
security            : none

-----------------------------------------------------------------------------------------
FG300Cxxxxxxxx # config system email-server

FG300Cxxxxxxxx (email-server) # set port 587

FG300Cxxxxxxxx (email-server) # end

FG300Cxxxxxxxx #

-------------------------------------------------------------------------------------------

FG300Cxxxxxxxx # get system email-server
type                : custom
reply-to            : irfan@abcd.com
server              : smtp.abcd.com
port                : 587
source-ip           : 0.0.0.0
source-ip6          : ::
authenticate        : enable
username            : irfan.m@cisinlabs.com
password            : *
security            : none 

Monday, May 13, 2013

Configuring MAC address filtering on a FortiGate - IP/MAC binding

Description
In normal operation, FortiGate firewalls control network traffic by packet filtering on elements such as source and destination IP addresses. This is done using firewall policies.

A FortiGate firewall can also be configured to restrict access by workstation MAC address. Binding an IP address to a specific MAC address gives a higher level of control and reporting: a trusted IP address that may have been spoofed is also checked against the expected MAC address before access is granted.

This procedure only helps when the devices being restricted reside on the same network segment as a FortiGate interface. When routers are involved, the source MAC address is replaced by the router's and this check no longer applies.

The following is a brief description on how this can be done.
Scope
MAC / IP Binding / Filtering
Solution
The feature used in this procedure is called IP/MAC binding. Using the CLI, an administrator can configure a manual binding table that specifies which MAC address corresponds to which IP address.
This is only recommended in small to medium networks; extra caution is required in large networks. As mentioned earlier, if any routing takes place before traffic reaches the FortiGate, the source MAC address will have been replaced with that of the router, which defeats the check.

Note:  If IP/MAC binding is enabled, and the IP address of a host with an IP or MAC address in the IP/MAC table is changed, or a new computer is added to the network, it is necessary to update the IP/MAC table.  If this is not done, the new or changed hosts will not have access to or through the FortiGate unit depending on the settings configured.

Caution:  If a client receives an IP address from the FortiGate unit DHCP server, the client's MAC address is automatically registered in the IP/MAC binding table.  This can simplify IP/MAC binding configuration, but can also neutralize protection offered by IP/MAC binding if untrusted hosts are allowed to access the DHCP server.  Use caution when enabling and providing access to the DHCP server.

Syntax:
config firewall ipmacbinding setting
set bindthroughfw {enable | disable}  - apply IP/MAC binding to traffic passing through the firewall
set bindtofw {enable | disable}  - apply IP/MAC binding to traffic destined to the firewall itself
set undefinedhost {allow | block} - how the firewall treats traffic from hosts that have no binding
end
Syntax:
config firewall ipmacbinding table
edit <index_int> - the entry number in the IP/MAC binding table
set ip <address_ipv4> - IP address value
set mac <address_hex>  - MAC address value
set name <name_str> - a name for this binding
set status {enable | disable} - whether the binding is active
next
end
Syntax:

config system interface
edit <interface name>
set ipmac {enable | disable}   - enable IP/MAC binding on this interface
next
end
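As an added example (not part of the original article), this Python helper validates a binding list and emits the three stanzas above, normalizing MAC addresses to the colon form the CLI expects and rejecting malformed or duplicate IP/MAC entries before they reach the unit. The interface name, host names and addresses are constructed placeholders.

```python
import ipaddress
import re

HEX12_RE = re.compile(r"^[0-9a-fA-F]{12}$")

def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or 12 bare hex digits; return lowercase colon form."""
    digits = re.sub(r"[:\-.]", "", mac)
    if not HEX12_RE.match(digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_ipmac_config(interface, bindings, undefined_host="block"):
    """bindings: list of (name, ipv4, mac). Returns CLI text for the setting, table
    and interface stanzas; raises ValueError on malformed or duplicate entries."""
    if undefined_host not in ("allow", "block"):
        raise ValueError("undefinedhost must be 'allow' or 'block'")
    seen_ip, seen_mac = set(), set()
    lines = ["config firewall ipmacbinding setting",
             "    set bindthroughfw enable",
             "    set bindtofw enable",
             f"    set undefinedhost {undefined_host}",
             "end",
             "config firewall ipmacbinding table"]
    for index, (name, ip, mac) in enumerate(bindings, start=1):
        ip = str(ipaddress.IPv4Address(ip))  # raises ValueError on malformed input
        mac = normalize_mac(mac)
        if ip in seen_ip or mac in seen_mac:
            raise ValueError(f"duplicate binding for {name!r}: {ip} / {mac}")
        seen_ip.add(ip)
        seen_mac.add(mac)
        lines += [f"    edit {index}", f"        set ip {ip}", f"        set mac {mac}",
                  f'        set name "{name}"', "        set status enable", "    next"]
    lines += ["end", "config system interface", f"    edit {interface}",
              "        set ipmac enable", "    next", "end"]
    return "\n".join(lines)

# Constructed sample table; names and addresses are placeholders.
SAMPLE_BINDINGS = [("printer", "192.168.1.10", "00-11-22-33-44-55"),
                   ("nas", "192.168.1.20", "001122334466")]

if __name__ == "__main__":
    print(build_ipmac_config("internal", SAMPLE_BINDINGS))
```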

Wednesday, March 6, 2013

CFG_CMDBAPI_ERR error fortigate

When CFG_CMDBAPI_ERR appears, use this command:

diagnose test application ipsmonitor 99

This command restarts the ipsmonitor process, which is the cause of the error.

Friday, February 22, 2013

Allowing DNS queries to only one approved DNS server fortigate V4 MR3

Allowing DNS queries to only one approved DNS server

 http://www.youtube.com/watch?feature=player_embedded&v=rKnL3tQuISg

Wednesday, February 20, 2013

ping-options setting fortigate V4 MR3

#execute ping-options view-settings

Ping Options:
    Repeat Count: 100
    Data Size: 56
    Timeout: 2
    Interval: 1
    TTL: 64
    TOS: 0
    DF bit: unset
    Source Address: auto
    Pattern:
    Pattern Size in Bytes: 0
    Validate Reply: no

Wednesday, January 23, 2013

DNS caching & webfilter-caching Fortigate V4 MR3

Show DNS settings

# config system dns
    show system dns

----------------------------------------------------


# config system dns
    set dns-cache-limit 999999999
    set dns-cache-ttl 7200
end

--------------------------------------------------------


Show web filter settings

# config system fortiguard
    show system fortiguard

-------------------------------------------------------

# config system fortiguard
    set webfilter-cache-ttl 86400
end


DNS cache clear Fortigate v4 MR3 Patch 10


FGT # diag test application dnsproxy ?

1. Clear dns cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN


To clear the DNS cache:


# diag test application dnsproxy 1



To reload and then requery the FQDN entries:

FGT # diag test application dnsproxy 4
FGT # diag test application dnsproxy 5  




Saturday, January 19, 2013

Denial-of-Service (DoS)

A Denial of Service (DoS) attack disrupts service to users and is usually carried out by consuming network bandwidth or overloading a computer's resources. One sign that you are being attacked is when your connection (either Internet or network) slows down for no apparent reason. Another sign of a DoS attack is when you are unable to connect to a server or a web page that is usually available.

Wednesday, January 2, 2013

cron daily restart of the FortiGate

The FortiGate can be scheduled to restart daily at a fixed time.


config system global
    set daily-restart enable
    set restart-time 05:06
end


How to set a FortiGate to send the real time log to a FortiAnalyzer

This post explains how to enable a FortiGate unit to send its logs to a FortiAnalyzer unit in real time.

This only applies to a FortiGate unit that has storage or a hard disk, which can be set to either real-time or store-and-upload mode. A FortiGate unit without storage or a hard disk uses real-time mode by default.

The following CLI command can be used to set the FortiGate unit to send the real time log to a FortiAnalyzer.

# config log fortianalyzer setting
# set upload-option realtime
# end

SQL logging on FortiGate with flash disk at 4.0 MR3 patch7

Description
After upgrading a FortiGate with an internal flash disk to 4.0 MR3 patch7, it may be noticed that, even though no SQL quota was set, the SQL log only grows to a certain size and the log message "Sql Log is 99% full. System will overwrite old logs now." may be seen.
Scope
SQL logging.
Solution


This is due to a change in the way SQL logging is performed on the local log disk.

In 4.0 MR3 patch7, all FortiGate units with a flash disk move SQL logging to memory, and the maximum size is 10% of the available memory. For example, a FortiGate 100D with 2GB of RAM would have a maximum SQL log size of 200MB.

The command # dia hardware sysinfo memory can be used to check the total memory of the FortiGate.

Authentication keepalive page Fortigate

Description
This article explains how to configure the keepalive page to be shown on a user's PC when the user accesses the internet.
Solution
The authentication keepalive page can be enabled by the CLI command:
# config system global
# set auth-keepalive enable
# end
The authentication keepalive page is disabled by default. When enabled, the following HTML page is displayed and the firewall authentication keepalive prevents sessions from ending when the authentication timeout expires.