100% found this document useful (1 vote)
2K views555 pages

(FCSS NW) - Network Security Support Engineer FortiOS 7.4 - Study Guide

Uploaded by

hedilon740
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
100% found this document useful (1 vote)
2K views555 pages

(FCSS NW) - Network Security Support Engineer FortiOS 7.4 - Study Guide

Uploaded by

hedilon740
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 555

DO NOT REPRINT

© FORTINET

Network Security Support


Engineer
Study Guide
FortiOS 7.4
DO NOT REPRINT
© FORTINET
Fortinet Training Institute - Library

https://training.fortinet.com

Fortinet Product Documentation

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Product Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Training Program Information

https://www.fortinet.com/nse-training

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Fortinet Training Institute Helpdesk (training questions, comments, feedback)

https://helpdesk.training.fortinet.com/support/home

4/29/2024
DO NOT REPRINT
© FORTINET

TABLE OF CONTENTS

01 Troubleshooting Concepts 4
02 System Resources 33
03 Sessions, Traffic Flow, and Networking 78
04 Security Fabric 119
05 Firewall Authentication 147
06 FSSO 188
07 Security Profiles 225
08 High Availability 278
09 IPSec 308
10 IPsec―IKEv2 336
11 Routing 358
12 BGP 392
13 OSPF 427
Solution Slides 463
Dynamic Routing Supplement 513
Troubleshooting Concepts

DO NOT REPRINT
© FORTINET

Network Security Support Engineer


Troubleshooting Concepts

FortiGate 7.4
Last Modified: 25 April 2024

In this lesson, you will learn about troubleshooting concepts related to FortiGate.

Network Security Support Engineer 7.4 Study Guide 4


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Objectives
• Describe network troubleshooting concepts and approaches
• Set up a baseline before anything happens
• Learn the diagnostic steps that you should perform when a problem occurs
• Use GUI and CLI monitoring tools
• Use logs to monitor activity and status
• Use CLI commands to monitor and assess FortiGate health
• Use real-time CLI debug commands
• Use application layer test commands
• Use the CLI GREP command

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of troubleshooting concepts, you will be able to set up a


baseline and identify the GUI tools and CLI commands you should use to monitor and diagnose issues on
FortiGate.

Network Security Support Engineer 7.4 Study Guide 5


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Before a Failure Happens
• Establish a baseline
• If you establish normal operation parameters for your system before a problem occurs, it will help
reduce the complexity of the issue when you start troubleshooting.
Normal
• Define normal operation
• CPU usage
• Memory usage
• Traffic levels
• Know your network
• How the traffic flows
• Which protocols and TCP/UDP ports are being used
• What normal traffic patterns and distribution looks like

Traffic spikes

© Fortinet Inc. All Rights Reserved. 3

Good administrators know their network. This network knowledge includes an understanding of the normal
behavior related to traffic volume, network applications, traffic flows, and CPU and memory utilization. So,
when a problem occurs, administrators can identify where the abnormal behavior is happening. Having this
knowledge expedites the troubleshooting process and helps the administrator to isolate the cause of the
problem.

FortiGate devices operate at all layers of the OSI model. For this reason, troubleshooting problems can be
complex. If you establish what normal operating parameters are or establish a baseline for your system before
a problem occurs, it will help reduce the complexity of the issue when you are troubleshooting.

Network Security Support Engineer 7.4 Study Guide 6


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Monitor the Network
• CPU, memory, inbound and outbound traffic on ports, and so on
• All show traffic trends and indicate any changes in traffic behavior
• Common tools for monitoring:
• SNMP FortiGate
• Logging
• FortiAnalyzer

FortiAnalyzer FortiMonitor FortiManager

© Fortinet Inc. All Rights Reserved. 4

You can use many different tools to gather statistics and information while the network is operating normally:
SNMP, logging, and the monitors located on the FortiGate GUI.

Network Security Support Engineer 7.4 Study Guide 7


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Keep Your Network Documentation Up-to-Date
• Define normal operation
• Logical and physical connections (network diagram)
• Firmware and OS versions
• IP addresses
• Configuration backups
• Document network changes
• How were the changes tested? Was there a procedure to follow?
• Take note of starting and ending time of activities during a maintenance window
• Track access details
• Document who has access to devices, such as administrator privileges
• Define your teams so you know who is from network security, operations, the database team and
understand their responsibilities
• Take note of your emergency contact list (time is always a factor)

© Fortinet Inc. All Rights Reserved. 5

It is also a good idea to keep you network documentation up-to-date. Network diagrams should include
physical connections, interface names, and subnets. Good network documentation also includes change
control records to track details relating to changes in the network, such as who made the change, when the
change was made, and what the change was.

Network Security Support Engineer 7.4 Study Guide 8


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
When Failure Happens―Troubleshooting Mantras

• What changed?
• Change control
• Notifications of changes
• Networking and routing
• What do you know?
• Check logs and baselines to determine when the network was last operational, and so on
• Prework pays off (SNMP, statistics, trends, and so on)
• Define the problem and isolate it
• Focus on the main problem and work each problem separately
• Keep breaking down segments and test each segment separately

© Fortinet Inc. All Rights Reserved. 6

If a problem occurs, the first step is to define it precisely. For example, if the problem is defined as “web
filtering is not working”, the scope is too imprecise. There are too many potential causes, and troubleshooting
could take a long time. So, you must ask questions to gather and understand the details of the problem. Is the
problem happening with one website? Are all users experiencing the problem? Is it happening randomly? Can
you reproduce the problem?

If you ask and answer the proper questions, you can define the problem precisely, with details. For example,
you could refine your problem to “web filtering is not blocking website X for user Y”. Having this level of detail
provides you with a better place to start the troubleshooting process.

The following questions can help determine the scope of the problem and isolate it:
• What is the problem?
• Has the configuration ever worked?
• Can you reproduce the problem at will, or is it intermittent?
• What has changed?
• What applications, users, or operating systems does the problem affect?

Network Security Support Engineer 7.4 Study Guide 9


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Troubleshooting Approach Methods
Work the problem following the TCP/IP model

Bottom OSI TCP/IP Some troubleshooting tools Top


to top to bottom
Application
Application proxies, processes test and
Presentation Application
debug commands
Session
Transport TCP/UDP Sniffer, debug flow, try to connect using
telnet : telnet <IP_address> <port>

Network IP Ping, traceroute, routing table, debug flow,


sniffer
Data link Network Bridge table in TP mode, ARP table
Physical access Interface LEDs, NIC statistics

© Fortinet Inc. All Rights Reserved. 7

One general approach to troubleshooting network issues is to follow the TCP/IP model and work the problem
either from the top layer to the bottom, or from the bottom layer to the top.

When you work from the bottom to the top, you check the physical layer first. After you determine that a layer
is operating properly, you move to the next layer, and so on, until you find the layer where the problem is
happening.

When you approach the problem from the top down, you check the application layer first. If a layer is not
working properly, you move to the layer below to rule out issues in the lower layers.

Network Security Support Engineer 7.4 Study Guide 10


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
A Typical Scenario and Possible Issues
Possible issues:
• Layer 1
• Interface administrative access
• Errors
• MTU size
• HA issues
• Layer 2
• STP
• VLAN tagging
• Forwarding domains
• ARP table
• Layer 3
• Routing
• Layer 4
• Policy routing

© Fortinet Inc. All Rights Reserved. 8

In a typical network, you can approach troubleshooting by systematically reviewing the settings of each layer
of the network. Working through the problem using the TCP/IP model or OSI model is one approach that you
can take when reviewing issues. As you gain more experience, you may try to resolve issues by forming a
hypothesis and then going through the resolution step by step. Issues are often very specific. For example, in
a routing issue, static routes take precedence over dynamic routing protocols. In a case like this, having a
good understanding of the routing flowchart will be very important when troubleshooting the issue. Of course,
it is also very important to understand the nuances of routing protocols. When OSPF is used, the hello timers
and dead interval must match on both ends, to form a neighbor relationship. In addition, the MTU size must
match. In FortiOS, other unique parameters and settings must be configured correctly in order for some
features to work as expected.

Network Security Support Engineer 7.4 Study Guide 11


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Gathering Facts

• Determine the following:


• Where does this happen, when does this happen, and who does it happen to?
• Which components are involved?
• What is the affected application?
• Can you trace the problem using a packet sniffer?
• Can you trace the problem using system debugging?
• Can you obtain log files that indicate a failure has occurred?

© Fortinet Inc. All Rights Reserved. 9

Another step you can take to narrow down the issue and identify the source is to analyze what could trigger
the issue. Figuring out how to reproduce the issue can be a very useful tool for gathering data.

After you identify how to trigger the issue, as a next step, you can analyze which tools you can use to collect
debug data, for example, sniffer and CLI debug commands, logs, GUI widgets, and so on.

Network Security Support Engineer 7.4 Study Guide 12


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET

GUI Troubleshooting Tools

© Fortinet Inc. All Rights Reserved. 10

In this section, you will learn about the troubleshooting tools available on the GUI.

Network Security Support Engineer 7.4 Study Guide 13


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Status Page
Dashboard > Status

© Fortinet Inc. All Rights Reserved. 11

The status dashboard is the FortiGate GUI welcome screen. Some of the widgets on the status dashboard
contain information that is useful for troubleshooting, such as the CPU, Memory, and Sessions widgets.

Other default dashboards include Security, Network, Assets & Identities, and WiFi. You can configure
custom widgets as well. These widgets can deliver useful information for monitoring and troubleshooting
FortiGate.

Network Security Support Engineer 7.4 Study Guide 14


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
FortiView Monitors

© Fortinet Inc. All Rights Reserved. 12

In addition to the dashboards, the GUI includes FortiView, where you can monitor screens for specific
features. For example, the FortiView Policies monitor lists the most active firewall policies. Another example
is the Routing monitor, which lists the routes that are active in the routing table.

Network Security Support Engineer 7.4 Study Guide 15


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Log Messages
Log&Report

© Fortinet Inc. All Rights Reserved. 13

Another important tool for troubleshooting is the FortiGate logs. The log viewer includes a filter setting that you
can use to display only the log entries related to a specific username, IP address, URL, or event type.

Other logs, like system events, can provide a source of data about the FortiGate status when performing
analysis of FortiGate.

Network Security Support Engineer 7.4 Study Guide 16


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Log Settings and Effects
Antivirus,
Policy log
web filtering, Behavior
setting
email filtering
No log Disabled No forward traffic or security logs
No log Enabled No forward traffic or security logs
Log security Disabled No forward traffic or security logs
events
Log security Enabled • Security events in forward traffic log
events • Forward traffic log if packets caused a
security event
Log all sessions Disabled Forward traffic log for every session

Log all sessions Enabled • Security events in forward traffic log


• Forward traffic log for every session

© Fortinet Inc. All Rights Reserved. 14

This table lists the expected log behavior associated with the different logging settings.

Moving from left to right, the first column shows the possible values for the log setting in the firewall policies:
no log, log security events, or log all sessions.

The second column indicates if the antivirus, web filtering, or email filtering log setting is enabled or disabled.
Remember, DLP and IPS profiles always generate logs in the security log section.

The last column shows the expected behavior. If you enable any profiles and your policy and logging is not
enabled, you will not get logs of any kind—even when a profile is blocking traffic. So, if you apply a security
profile, it’s important to consider the logging settings.

Network Security Support Engineer 7.4 Study Guide 17


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET

Troubleshooting With CLI Commands

© Fortinet Inc. All Rights Reserved. 15

In this section, you will learn about CLI troubleshooting commands that you can use to gather data to
diagnose an issue on FortiGate.

Network Security Support Engineer 7.4 Study Guide 18


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Gathering Data―Fundamental Health Assessment

• # execute tac report


• Runs the majority of the key troubleshooting commands
• Does not take long to complete and it’s not intrusive
• # get system status
• Displays versions of firmware and FortiGuard engines, and other system information
• # get system performance status
• Displays CPU and memory states, average network usage, average sessions and session setup rate, viruses, IPS attacks blocked, and
uptime
• # diagnose sys top
• Lists the processes running on FortiGate and displays information about each process.

© Fortinet Inc. All Rights Reserved. 16

FortiGate includes a number of CLI commands that help you monitor the current status of FortiGate and start
diagnosing an issue.
Some commands, such as diagnose sys top, are useful to monitor process activity in real time.
While collecting debug data, execute tac report is a very useful command to collect initial data.

Network Security Support Engineer 7.4 Study Guide 19


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Gathering Data―Fundamental Health Assessment (Contd)

• # diagnose hardware sys conserve


• Diagnoses command to aid in conserve mode issues

• # get hardware memory


• Displays the memory stats
• # diagnose hardware deviceinfo disk
• Displays information of all disks

• # diagnose debug crashlog read


• Checks if a demon has been crashing frequently
• # diagnose sys filesystem hash (New in 7.4)
• Checks for any corrupt system files

© Fortinet Inc. All Rights Reserved. 17

It is very useful for an administrator to be familiar with the fundamental debug commands used during
troubleshooting sessions. This helps to speed up the diagnosis and troubleshooting of a FortiGate.

Network Security Support Engineer 7.4 Study Guide 20


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Real-Time Application Debug
• To enable most of the real-time debugs:
# diagnose debug application <daemon_name> <debug_level>
# diagnose debug enable
• Some applications (daemons) that can be debugged in real time:
• sslvpnd SSL VPN
• iked IPsec VPN
• authd User authentication
• updated FortiGuard updates
• dhcpsd DHCP server
• Debug level:
• 0: Disable the specific debug
• Other values: output varies depending on the daemon
• -1: Enable all outputs

© Fortinet Inc. All Rights Reserved. 18

The real-time debug commands generate information in real time about what a specific FortiGate process or
feature is doing.

The debug level is a bitmask value that specifies which types of messages are displayed. This depends on
each process. For all cases though, a debug level of 0 means no output (disabled), and a debug level of -1
means enabling all possible message types.

Network Security Support Engineer 7.4 Study Guide 21


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Real-Time Application Debug (Contd)
• Use IPsec real time debug:
# diagnose debug application ike -1
# diagnose debug enable

• Enable timestamp:
# diagnose debug console timestamp enable

• Disable real-time debug after troubleshooting:


# diagnose debug application ike 0
# diagnose debug disable

• Disable all diagnose debug applications


# diagnose debug reset

© Fortinet Inc. All Rights Reserved. 19

This slide shows the two commands that you can use to enable all the IPsec real-time debug output. You can
also enable the option to prepend the system time to each debug line.

It is important to disable any real-time debug application after you use it. Debug applications consume
FortiGate resources and some could be CPU-intensive.

Network Security Support Engineer 7.4 Study Guide 22


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Application Layer Test Commands
ISFW # diagnose test application
smtp SMTP proxy.
pop3 POP3 proxy.
imap IMAP proxy.
nntp NNTP proxy.
harelay HA relay daemon.
hasync HA sync daemon.
hatalk HA talk daemon.
sessionsync Session sync daemon.
forticldd FortiCloud daemon.
miglogd Miglog logging daemon.
syslogd Syslog daemon.
locallogd Locallogd daemon.
fgtlogd Fgtlog daemon.
urlfilter URL filter daemon.
wf_monitor WF monitor.
ovrd Override daemon.
iotd IoT device info daemon.
ipsmonitor IPS monitor.
ipsengine IPS sensor.
--More--

© Fortinet Inc. All Rights Reserved. 20

Application layer test commands do not display information in real time. They display statistics and
configuration information about a feature or process. You can also use some of these commands to restart a
process or execute a change in its operation.

Network Security Support Engineer 7.4 Study Guide 23


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Application Layer Test Commands (Contd)
ISFW # diagnose test application ipsmonitor
IPS Engine Test Usage:

1: Display IPS engine information


2: Toggle IPS engine enable/disable status
5: Toggle bypass status
99: Restart all IPS engines and monitor
--More—

ISFW # diagnose test application ipsmonitor 1


pid = 2173, engine count = 0 (+1)
0 - pid:2209:2209 cfg:1 master:0 run:1

© Fortinet Inc. All Rights Reserved. 21

This command can be useful when troubleshooting intrusion prevention system (IPS) issues. You can use the
command to display IPS engine information, turn the IPS engine on or off, bypass the IPS engine, or restart all
IPS engines.

Network Security Support Engineer 7.4 Study Guide 24


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Packet Sniffer
• Packet sniffer command:
• #diagnose sniffer packet <interface> <filter> <verbose> <count> <a>

• Filters can be used to display packets based on their content:


• Match all SYN packets:
• # diagnose sniffer packet any "tcp [13] & 2 !=0" 4
FGT-1 # diagnose sniffer packet any "tcp [13] & 2 !=0" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[tcp [13] & 2 !=0]
5.068342 port1 in 192.168.1.1.53304 -> 10.0.1.206.443: syn 3218590644
5.068397 port1 out 10.0.1.206.443 -> 192.168.1.1.53304: syn 258183964 ack 3218590645
6.098718 port1 out 10.0.1.206.12436 -> 192.168.1.1.443: syn 102390567
6.102033 port1 in 192.168.1.1.443 -> 10.0.1.206.12436: syn 3421201785 ack 102390568
6.175799 port1 out 10.0.1.206.12438 -> 192.168.1.1.443: syn 3191655178
6.178110 port1 in 192.168.1.1.443 -> 10.0.1.206.12438: syn 3006890130 ack 3191655179

• You can find more filtering options and their descriptions here:
• https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-
packet-sniffer/ta-p/194222

© Fortinet Inc. All Rights Reserved. 22

FortiGate includes the sniffer command, which is a useful tool when you need to to dig deeper to diagnose the
source of the issue.

The sniffer command can sniff packets on physical or virtual interfaces. If you set the sniffer command to any,
it can sniff all available interfaces simultaneously.

You can use a filter to customize and narrow down the packets that you want to capture. The sniffer filter uses
Berkeley Packet Filters syntax.

The example on this slide shows a filtering example for the packet sniffer that captures all TCP packets with
the SYN flag set. You can create this filter by finding the flag bit position in the TCP header and combining it
with tcpdump. You can find additional filtering options by visiting the link at the bottom of this slide.

The number four at the end of the packet sniffer command indicates the verbosity level. In this example, the
packet capture prints the header of the packets along with interface name. There are six verbosity levels you
can choose from.

You will learn about these verbosity levels and other advanced packet capture options in a later lesson.

Network Security Support Engineer 7.4 Study Guide 25


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
GREP Utility
Usage: grep [-ilHhnqvscABC] PATTERN [FILE...]
Options:
-i Ignore case distinctions
-l List names of files that match
-H Prefix output lines with filename where match was found
-h Suppress the prefixing filename on output
-n Print line number with output lines
-q Quiet
-v Select non-matching lines
-s Suppress file open/read error messages
-c Only print count of matching lines
-A Print NUM lines of trailing context
-B Print NUM lines of leading context
-C Print NUM lines of output context

ISFW # diagnose ip arp list | grep 100.64.1.254


index=3 ifname=port1 100.64.1.254 02:09:0f:00:04:01 state=00000002 use=1246 confirm=296 update
674 ref=18

ISFW #

© Fortinet Inc. All Rights Reserved. 23

Some CLI debug commands generate a lot of output. If you know that the required information is contained in
one specific line of the output, and if you know a keyword that you can use to find that line, you can use the
GREP utility. The GREP utility displays only the lines from the output that match a text string. Using the GREP
utility, you can reduce the output to only the one line (that contains exactly the information that you need),
instead of a long list of entries. This slide list all of the options available when using the GREP utility.

Network Security Support Engineer 7.4 Study Guide 26


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
GREP Utility (Contd)
ISFW # show | grep -f port1
config system interface
edit "port1" <---
set vdom "root"
set ip 10.9.31.115 255.255.240.0
set allowaccess ping https ssh http telnet
set type physical
set snmp-index 1
next
edit "port10" <---
set vdom "root"
set type physical
set snmp-index 10
next
end
config router static
edit 1
set gateway 172.16.20.254
set device "port1" <---
next
end

ISFW #

© Fortinet Inc. All Rights Reserved. 24

When you display the FortiGate configuration using the CLI, you can use the GREP utility with the option –f.
It will display only the configuration sections or tables where the text string matches at least one value. This is
useful, for example, when you need to find all the references to a specific object. In the example shown on this
slide, the –f option is being used to find all the references to the port1 interface. The output shows the two
tables where port1 is referenced: the definition of the interface itself, and a static route where port1 is the
assigned device interface.

Network Security Support Engineer 7.4 Study Guide 27


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
GREP Utility (Contd)
ISFW # diagnose sys session list | grep -B 1 -A 1 local
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local nds
statistic(bytes/packets/allow_err): org=19728/274/1 reply=0/0/0
tuples=2
--
npu_state=00000000
no_ofld_reason: local

--
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local nds
statistic(bytes/packets/allow_err): org=19728/274/1 reply=0/0/0
tuples=2
--
npu_state=00000000
no_ofld_reason: local

© Fortinet Inc. All Rights Reserved. 25

The command on this slide will print all local sessions that diagnose sys session list includes in its
output.

The GREP utility filters for local, which is a session flag, and then prints the leading line and the trailing line
for each occurrence.

Network Security Support Engineer 7.4 Study Guide 28


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario
• IPSec VPN is configured between two
FortiGate devices
• The tunnel does not come up 10.0.1.206 10.0.1.69

• What is your approach?

FortiGate A FortiGate B

© Fortinet Inc. All Rights Reserved. 26

When troubleshooting the scenario shown on this slide, which approach would you take?

FortiGate A is trying to establish an IPSec VPN tunnel with FortiGate B. You have access to both FortiGate
devices.

Attempt to approach the problem by following the TCP/IP model.

Network Security Support Engineer 7.4 Study Guide 29


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario (Contd)
• Ensure that packets arrive at FortiGate B

10.0.1.206 10.0.1.69

FortiGate A FortiGate B

FortiGate B # diagnose sniffer packet any "host 10.0.1.206" 4


Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.0.1.206]
3.670081 port1 in 10.0.1.206.500 -> 10.0.1.69.500: udp 572
3.670208 port1 out 10.0.1.69.500 -> 10.0.1.206.500: udp 192
3.670650 port1 in 10.0.1.206.500 -> 10.0.1.69.500: udp 380
3.671448 port1 out 10.0.1.69.500 -> 10.0.1.206.500: udp 380

© Fortinet Inc. All Rights Reserved. 27

Your first step should be to confirm that IKE packets sent from FortiGate A arrive at FortiGate B, and that
there is bidirectional communication. The best tool to use for this is the packet sniffer.

Network Security Support Engineer 7.4 Study Guide 30


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario (Contd)
• Use the real-time application IKE debug

10.0.1.206 10.0.1.69

FortiGate A FortiGate B
FortiGate B # diagnose debug application ike -1
FortiGate B # diagnose debug enable
---omitted---
ike V=root:0:ToFortiGateA:40:4: peer proposal is: peer:0:10.0.40.0-10.0.40.255:0, me:0:10.0.20.0-10.0.20.255:0
ike V=root:0:ToFortiGateA:40:ToFortiGateA:4: trying
ike V=root:0:ToFortiGateA:40:4: no matching phase2 found
ike V=root:0:ToFortiGateA:40:4: failed to get responder proposal
ike V=root:0:ToFortiGateA:40: error processing quick-mode message from 10.0.1.206 as responder
261.535586 port1 in 10.0.1.206.500 -> 10.0.1.69.500: udp 556
FortiGate B # diagnose debug disable
FortiGate B # diagnose debug reset

© Fortinet Inc. All Rights Reserved. 28

If IKE packets from FortiGate A are arriving at FortiGate B, then your second step should be to use the real-
time application IKE debug.

In this scenario, you can see that there is a possible mismatch in the quick mode selector configuration.
Ensure that the quick mode selectors match on both FortiGate devices.

To preserve resources, always disable the debug when you are finished troubleshooting.

Network Security Support Engineer 7.4 Study Guide 31


Troubleshooting Concepts

DO NOT REPRINT
© FORTINET
Review
 Describe network troubleshooting concepts and approaches
 Set up a baseline before anything happens
 Learn the diagnostic steps that you should perform when a problem
occurs
 Use GUI and CLI monitoring tools
 Use logs to monitor activity and status
 Use CLI commands to monitor and assess FortiGate health
 Use real-time CLI debug commands
 Use application layer test commands
 Use the CLI GREP command

© Fortinet Inc. All Rights Reserved. 29

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of troubleshooting concepts, you will be able to set up a


baseline and identify the GUI tools and CLI commands you should use to monitor and diagnose issues on
FortiGate.

Network Security Support Engineer 7.4 Study Guide 32


System Resources

DO NOT REPRINT
© FORTINET

Network Security Support Engineer


System Resources

FortiOS 7.4
Last Modified: 25 April 2024

In this lesson, you will learn about FortiOS system resources.

Network Security Support Engineer 7.4 Study Guide 33


System Resources

DO NOT REPRINT
© FORTINET
Objectives
• Describe how FortiOS processes a packet
• Describe how FortiOS uses memory
• Diagnose high memory and high CPU problems
• Optimize memory usage
• Diagnose conserve mode
• Troubleshoot unexpected reboots and frozen devices
• Use the crash log for diagnostics

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of FortiOS system resources, you will be able to identify how
FortiOS processes packets and uses memory. You will be able to also diagnose high resource utilization, and
conserve mode issues and optimize memory usage.

Network Security Support Engineer 7.4 Study Guide 34


System Resources

DO NOT REPRINT
© FORTINET

The Life of a Packet

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn about the life of a packet.

Network Security Support Engineer 7.4 Study Guide 35


System Resources

DO NOT REPRINT
© FORTINET
Parallel Path Processing
• Parallel path processing (PPP) chooses from a group of parallel options to identify the
optimal path for processing a packet
• FortiGate can offload and accelerate many processes in hardware
• Content processors (CP8 or CP9) offload some unified threat management (UTM) and next-generation
firewall (NGFW) processing and cryptographic operations
• Network processors (NP6 or NP7) offload traffic that does not require UTM or NGFW processing
• FortiGate hardware and software configuration affect the path that a packet takes

© Fortinet Inc. All Rights Reserved. 4

PPP uses the firewall policy configuration to choose from a group of parallel options to identify the optimal
path for processing a packet. The path identified by PPP is made up of the various processes the packet must
pass through. Hardware, such as CP8, CP9, or network processors, can offload and accelerate many of these
processes. FortiGate hardware and software configuration affect the path that a packet takes. The next few
slides provide flowcharts displaying examples of packet processing in several scenarios. Note that these
examples do not cover all possible scenarios, nor do they show every step or process packets are subjected
to during inspection. The purpose of these slides is to provide common examples of packet flow on FortiGate.

Network Security Support Engineer 7.4 Study Guide 36


System Resources

DO NOT REPRINT
© FORTINET
Life of a Packet—Initial Session Packets
Kernel
Admission
1. Forwarding
Network interface Quarantine control 2. Source NAT
CPU

IPsec VPN
Access Control FortiTelemetry encryption NP6/7
NP6/7
List (ACL)

User
Host Protection Traffic shaping
authentication
Engine (HPE) (captive portal)

Kernel WAN
IP integrity 1. Destination NAT
optimization
header checking 2. Routing, RPF check, and
SD-WAN
3. Stateful inspection/policy
lookup/session management
IPsec VPN 4. Session helpers Network interface
decryption 5. User authentication
CPU
6. Device identification
7. SSL VPN
8. Local management traffic

UTM/NGFW
1. Flow-based inspection CP8/9
Optional/Configurable
2. Proxy-based inspection
3. Explicit web proxy CPU Mandatory
4. Botnet check
© Fortinet Inc. All Rights Reserved. 5

This slide shows the steps that the first packets of a session go through as they enter, pass though, and exit
FortiGate. This scenario is for FortiGate with secure processing units (SPUs).

FortiGate performs some security inspections early in the life of the packet, such as ACL, HPE, and IP
integrity header checking. FortiGate does this to make sure the packets are within acceptable parameters
before allowing the packet to move through the rest of the processes. These inspections are handled by the
network processor in order to minimize impact on the FortiGate CPU.

Each version of the network processor has criteria that defines which traffic can be offloaded. The network
processor enhances overall performance by allowing offloaded sessions to bypass the FortiGate CPU after
the session is established and the session key is installed in the network processor. The network processor
can also handle IPsec VPN encryption and decryption operations, where the configured encryption and
hashing algorithms are supported in hardware.

The content processor functions like a coprocessor for the FortiGate CPU to improve overall system
performance by offloading certain tasks, such as pattern matching for flow-based UTM inspection with the
intrusion prevention system (IPS) engine, SSL/TLS decryption and encryption for deep SSL inspection, and
IPsec encryption and decryption operations for supported algorithms.

Note that the packet processing for virtual FortiGate devices is identical with the only difference being that the
CPU handles all processes instead of being able to offload some of them to network and content processors.

Network Security Support Engineer 7.4 Study Guide 37


System Resources

DO NOT REPRINT
© FORTINET
Life of a Packet—Offloaded Non-UTM Sessions
Network interface

IP integrity
NP6/7
header checking
WAN
IPsec VPN optimization
decryption

Network interface
IPsec VPN
encryption

Traffic shaping

Optional/Configurable

Mandatory
© Fortinet Inc. All Rights Reserved. 6

This slide shows how subsequent packets in an established session where UTM/NGFW inspection is not
configured are handled by FortiGate after being offloaded to a network processor. After the session key is
installed in the network processor, subsequent packets for the offloaded session skip routing and kernel
processors, bypassing the FortiGate CPU, and are forwarded out the egress interface by the network
processor. An important consideration is the impact offloading has on troubleshooting. When a session is
offloaded to the network processor, you are unable to view these accelerated packets through the diagnose
sniffer packet or diagnose debug flow CLI commands or the packet capture feature on the GUI.

Network Security Support Engineer 7.4 Study Guide 38


System Resources

DO NOT REPRINT
© FORTINET
Life of a Packet—NTurbo/Flow-Based UTM Sessions
Network interface

IP integrity
NP6/7
header checking
IPS Engine WAN
CPU
optimization
IPsec VPN Flow-based
decryption UTM/NGFW

IPSA CP8/9
Network interface
IPsec VPN Single-pass rule
encryption matching

Traffic shaping

Optional/Configurable

Mandatory
© Fortinet Inc. All Rights Reserved. 7

This slide shows how subsequent packets in an established session with flow-based UTM/NGFW configured
are handled by FortiGate where NTurbo and IPS Acceleration (IPSA) are supported and enabled.

NTurbo is a feature that enables flow-based UTM/NGFW sessions to be accelerated by NP6 or NP7 network
processors to and from the IPS engine.

IPSA is a feature that allows basic or advanced pattern matching operations required for flow-based security
profile inspection to be offloaded to CP8 or CP9 content processors. When IPSA is enabled, flow-based
pattern matching databases are compiled and downloaded to the content processors from the IPS engine and
IPS database.

After the session key is installed in the network processor, subsequent packets for the accelerated session
skip routing and kernel processors but UTM/NGFW operations are still handled by the CPU with IPSA
offloading pattern matching to the CP8 or CP9 content processors.

Network Security Support Engineer 7.4 Study Guide 39


System Resources

DO NOT REPRINT
© FORTINET
Life of a Packet—Proxy-Based UTM Sessions
Network interface

CPU
IPS Engine
Traffic shaping
Single-Pass IPS,
NP6/7
ACL Application Control,
Botnet, and SSL
CP8/9 Inspection WAN
optimization
IP integrity
header checking
CPU Proxy
VoIP Inspection Network interface
IPsec VPN Data Loss Prevention
decryption (DLP)
Antispam
Web Filtering
Antivirus

IPsec VPN
NP6/7 encryption

Optional/Configurable

Mandatory
© Fortinet Inc. All Rights Reserved. 8

This slide shows how subsequent packets in an established session with proxy-based UTM/NGFW configured
are handled by FortiGate.

The network processor does not offload sessions where proxy-based features are configured, so the
FortiGate CPU handles packet processing and inspection through a combination of the IPS engine and the
FortiOS proxy. The network processor still conducts some early security inspections before handing off the
packets to the IPS engine and can still be leveraged for IPsec tunnel decryption and encryption.

The FortiGate CPU can leverage the content processors to handle SSL/TLS encryption and decryption—if
SSL deep inspection is configured. Note that the packet flow is modified when SSL deep inspection is
configured.

If the IPS engine determines that the session needs to be decrypted:


• The IPS engine sends the packet to the proxy for decryption.
• The proxy decrypts the SSL/TLS packet by offloading the operation to the content processor.
• The proxy sends the decrypted packet back to the IPS engine for IPS and application control inspection.
• The IPS engine sends the decrypted packet back to the proxy for the configured proxy-based inspection.
• The proxy encrypts the SSL/TLS packet by offloading the operation to the content processor.

Network Security Support Engineer 7.4 Study Guide 40


System Resources

DO NOT REPRINT
© FORTINET

Memory Architecture

© Fortinet Inc. All Rights Reserved. 9

In this section, you will learn about how FortiGate uses memory.

Network Security Support Engineer 7.4 Study Guide 41


System Resources

DO NOT REPRINT
© FORTINET
FortiOS Architecture
Configuration layer
CLI GUI API FortiManager

User space
Application Application Application Application
process process process process

Kernel
Device Device Device Device Device
driver driver driver driver driver

Hardware

© Fortinet Inc. All Rights Reserved. 10

To understand how FortiGate uses its memory, you must understand the architecture of FortiOS. The heart of
FortiOS is its kernel. The kernel is where FortiGate makes some of the most basic and important decisions,
such as how to route a packet, or when to offload a session to an NPU processor. FortiOS runs on hardware.
The device drivers bridge the kernel with the hardware. The user space is located above the kernel. Several
application processes or daemons run in the user space. Above the kernel and the user space is the
configuration layer.

Network Security Support Engineer 7.4 Study Guide 42


System Resources

DO NOT REPRINT
© FORTINET
FortiGate Memory Segmentation
• Kernel accesses the entire system memory directly
# diagnose hardware sysinfo memory
MemTotal: 2040588 kB
MemFree: 1275900 kB
MemAvailable: 1248372 kB
Free MemFree:
Buffers: 196 kB 1275900kB
Cached: 269208 kB
SwapCached: 0 kB
MemTotal:
... 2040588kB

Used memory

© Fortinet Inc. All Rights Reserved. 11

FortiOS is a 64-bit architecture, therefore the kernel doesn't need to use memory paging to access the whole
memory space. All the memory space is directly accessible by the kernel.

The command shown on this slide displays:


• The total amount of system memory (MemTotal)
• The total amount of free memory (MemFree)

Network Security Support Engineer 7.4 Study Guide 43


System Resources

DO NOT REPRINT
© FORTINET
How the FortiGate Memory Is Used
• System I/O cache
• Kernel memory slabs
• Buffers
• Process memory
• Shared memory

© Fortinet Inc. All Rights Reserved. 12

FortiGate allocates memory for five main purposes:


• System I/O cache
• Kernel memory slabs
• Buffers
• Process memory
• Shared memory

You will learn about each of these purposes in this lesson.

Network Security Support Engineer 7.4 Study Guide 44


System Resources

DO NOT REPRINT
© FORTINET
System I/O Cache
• Speeds up hard disk and flash disk writing and reading operations:
• Logging
• WAN optimization
• Explicit proxy
• Made of pages (4K size) of disk block (1K size)
• Two types of pages:
• Active
• Recently accessed
• Inactive
• Not used after some time
• Might be reclaimed by the kernel in case of shortage

© Fortinet Inc. All Rights Reserved. 13

There are no direct reads and writes made to hard disks or flash disks. Each access is done through a cache
held in memory—the system I/O cache.

The system I/O cache is used to speed up access to information stored in the hard and flash disk memories.
Some processes, such as logging, WAN optimization, and explicit proxy store information on the hard disk, so
they get the performance boost provided by this memory allocation.

An I/O cache page is labeled as active when it has been recently used or modified. It enters the inactive state
after it has not been used for some time. The kernel may reclaim an inactive page if needed.

Network Security Support Engineer 7.4 Study Guide 45


System Resources

DO NOT REPRINT
© FORTINET
Analyzing Memory Usage Total usable
# diagnose hardware sysinfo memory memory

MemTotal: 2040588 kB
Amount of physical
MemFree: 1278940 kB memory not used
MemAvailable: 1253524 kB by the system
Buffers: 668 kB
Amount of memory
Cached: 271412 kB
allocated for I/O
SwapCached: 0 kB cache
Active: 307256 kB
Memory used in a
Inactive: 50232 kB particular process—
---omitted--- user space
Slab: 89216 kB Currently unused
---omitted--- cache page

Memory used by
system kernel to
store information—
kernel space

© Fortinet Inc. All Rights Reserved. 14

Use the command shown on this slide to display the total amount of memory allocated for the I/O cache. This
command is useful when troubleshooting high memory issues to determine where memory is being allocated.
For example, a lot of memory allocated to Active might indicate a user process that is using a lot of
resources. Similarly, if Slab uses a lot of memory, you can investigate the slabs or kernel memory to see
which object is the culprit.

Network Security Support Engineer 7.4 Study Guide 46


System Resources

DO NOT REPRINT
© FORTINET
Slabs
• Collection of objects with a common purpose and a fixed size
• Used by kernel
• Examples:

Slab Usage
tcp_session TCP session
ip_session Non-TCP session
ip_dst_cache Route cache
buffer_head Read/write data from disk, flash
inode_cache Information about files and directories
dentry_cache Cache for file system directory entries
arp_cache Cache for ARP

© Fortinet Inc. All Rights Reserved. 15

The kernel memory slabs are collections of objects with a common purpose. They are used by the kernel to
store information in memory.

This slide shows an example of some slabs. There are slabs for storing information about the TCP sessions.
The entries in the route cache are also stored in memory slabs.

Network Security Support Engineer 7.4 Study Guide 47


System Resources

DO NOT REPRINT
© FORTINET
Slabs (Contd)
# diagnose hardware sysinfo slab
slabinfo - version: 2.1
...
ext4_groupinfo_4k 256 280 144 28 1 : tunables 120 60 8 : slabdata 10 10 0
tcp_session 4 10 1600 5 2 : tunables 24 12 8 : slabdata 2 2 0
ip_session 2 10 1408 5 2 : tunables 24 12 8 : slabdata 2 2 0
fib6_nodes 10 32 128 32 1 : tunables 120 60 8 : slabdata 1 1 0
ip6_mrt_cache 0 0 448 9 1 : tunables 54 27 8 : slabdata 0 0 0
RAWv6 20 21 1152 7 2 : tunables 24 12 8 : slabdata 3 3 0
UDPv6 14 15 1408 5 2 : tunables 24 12 8 : slabdata 3 3 0
tw_sock_TCPv6 0 0 240 17 1 : tunables 120 60 8 : slabdata 0 0 0
request_sock_TCPv6 0 0 312 13 1 : tunables 54 27 8 : slabdata 0 0 0
...
Active Available Object size
objects objects
Total slab size = available objects x object size

© Fortinet Inc. All Rights Reserved. 16

To check how much memory is being allocated to kernel slabs, use the command diagnose hardware
sysinfo slab.

The first column shows the slab name. The second column shows the total amount of active objects, then the
number of available objects, and then the size of each object.

This amount changes depending on resource usage. For example, if tcp sessions increase on FortiGate, so
will the available objects for that slab.

You can calculate the total amount of memory allocated to each slab type by multiplying the number of
available objects by their size.

Network Security Support Engineer 7.4 Study Guide 48


System Resources

DO NOT REPRINT
© FORTINET
High CPU and Memory Troubleshooting
# diagnose sys top
Run Time: 0 days, 0 hours and 18 minutes
0U, 0N, 1S, 95I, 0WA, 0HI, 0SI, 0ST; 16063T, 12523F
pyfcgid 248 S 2.9 3.8 9
newcli 251 R 0.1 1.0 5
merged_daemons 185 S 0.1 0.7 6
miglogd 177 S 0.0 6.8 0
pyfcgid 249 S 0.0 3.0 2
pyfcgid 246 S 0.0 2.8 5
reportd 197 S 0.0 2.7 2
Process
cmdbsvr 113 S 0.0 2.4 7
name

Sort by CPU: c Process CPU usage Memory


Sort by RAM: m Process ID CPU core
state (%) usage (%)

© Fortinet Inc. All Rights Reserved. 17

Next, examine the output for diagnose sys top. It lists processes that use the most CPU or memory.
Some common processes include:

• ipsengine, scanunitd, and other inspection processes


• reportd
• fgfmd for FortiManager connections
• forticron for scheduling
• Management processes (newcli, miglogd, cmdb, sshd, and httpsd)

To sort the list by highest CPU usage, press c. To sort by highest RAM usage, press m.

Network Security Support Engineer 7.4 Study Guide 49


System Resources

DO NOT REPRINT
© FORTINET
Most Common Processes
Name Description
cmdbsrv Applies configuration changes
miglogd Logs collection and automation stitches
httpsd GUI access
sslvpnd SSL VPN
updated FortiGuard updates
wad WAN optimization, explicit proxy, proxy-based inspection for
HTTP and HTTPS, and FTP
scanunitd File scanning
iked IPsec
hatalk, hasync High Availability (HA) protocol and synchronization
urlfilter FortiGuard web filtering
authd User authentication
fssod FSSO
proxyworker Proxy-based inspection for IMAP, POP, SMTP

© Fortinet Inc. All Rights Reserved. 18

The table on this slide shows some of the most common processes.

Network Security Support Engineer 7.4 Study Guide 50


System Resources

DO NOT REPRINT
© FORTINET
Process States Review
• States:
• S: sleeping D
• R: running R
• D: do not disturb
• Z: zombie Z
• Normal states:
• S, R, and D (for a short time)
• Abnormal state:
• Z and D (if not for a short time)
S

© Fortinet Inc. All Rights Reserved. 19

The command diagnose sys top shows the state of each process. A process can be in one of four states:
sleeping (S), running (R), do not disturb (D), or zombie (Z).

The S and R states are normal. It is also normal if a process goes briefly to the D state. The Z state is not
normal. Also, it is not normal if a process stays in the D state for a long time. This usually indicates that the
process is not working correctly.

Network Security Support Engineer 7.4 Study Guide 51


System Resources

DO NOT REPRINT
© FORTINET
Shared Memory
• Allocated dynamically
• Allows the sharing of information among multiple processes

# diagnose hardware sysinfo shm


SHM FS total: 1001861120 955 MB
SHM FS free: 947621888 903 MB
SHM FS avail: 947621888 903 MB
SHM FS alloc: 54239232 51 MB

© Fortinet Inc. All Rights Reserved. 20

Above the kernel layer, there are multiple application processes or daemons running. The operating system
allocates separate blocks of memory to each process. A process can access the memory that was allocated
to it, but it cannot access the memory that was allocated to any other process. So, a process cannot share
information with another process by reading or writing data into the memory allocated to that other process.
For that purpose, the operating system dynamically allocates shared memory (SHM). Multiple processes can
access the SHM, allowing them to share information.

Network Security Support Engineer 7.4 Study Guide 52


System Resources

DO NOT REPRINT
© FORTINET

General System Troubleshooting Commands

© Fortinet Inc. All Rights Reserved. 21

In this section, you will learn about general system troubleshooting commands.

Network Security Support Engineer 7.4 Study Guide 53


System Resources

DO NOT REPRINT
© FORTINET
System Information
# get system status
Version: FortiGate-VM64-AWS v7.4.1,build2463,230830 (GA.F)
Security Level: 1
Secure Boot: Disabled
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07) ....
Extreme DB: 1.00000(2018-04-09 18:07) VM Resources: 1 CPU, 1992 MB RAM
AV AI/ML Model: 0.00000(2001-01-01 00:00) Log hard disk: Available
IPS-DB: 6.00741(2015-12-01 02:30) Hostname: FGTAWSNYWSIEXN29
IPS-ETDB: 6.00741(2015-12-01 02:30) Private Encryption: Disable
APP-DB: 6.00741(2015-12-01 02:30) Operation Mode: NAT
FMWP-DB: 0.00000(2001-01-01 00:00) Current virtual domain: root
IPS Malicious URL Database: 1.00001(2015-01-01 01:01) Max number of virtual domains: 2
IoT-Detect: 0.00000(2022-08-17 17:31) Virtual domains status: 1 in NAT mode, 0 in TP mode
OT-Detect-DB: 0.00000(2001-01-01 00:00) Virtual domain configuration: disable
OT-Patch-DB: 0.00000(2001-01-01 00:00) FIPS-CC mode: disable
OT-Threat-DB: 6.00741(2015-12-01 02:30) Current HA mode: standalone
IPS-Engine: 7.00509(2023-08-10 23:14) Branch point: 2463
Serial-Number: FGTAWSNYWSIEXN29 Release Version Information: GA
License Status: Valid FortiOS x86-64: Yes
.... System time: Thu Dec 28 10:35:56 2023
Last reboot reason: warm reboot

© Fortinet Inc. All Rights Reserved. 22

The command shown on this slide is usually one of the first debug commands that you use when
troubleshooting. The output shows the firmware version, FortiGuard database versions, license status,
operation mode, number of VDOMs, and system time.

Network Security Support Engineer 7.4 Study Guide 54


System Resources

DO NOT REPRINT
© FORTINET
Resource Use
# get system performance status
CPU states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU0 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
Memory: 2040588k total, 782364k used (38.3%), 1098544k free (53.8%), 159680k freeable (7.9%)
---omitted---
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes,
0 sessions per second in last 30 minutes
Maximal session setup rate: 1 sessions per second in last 1 minute, 1 sessions per second in last 10 minutes,
5 sessions per second in last 30 minutes
Average NPU sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30
minutes
Maximal NPU sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30
minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 3 days, 2 hours, 22 minutes

© Fortinet Inc. All Rights Reserved. 23

The command shown on this slide displays overall memory and CPU use. It also shows session creation rate,
number of viruses caught, and number of attacks blocked by the IPS. The last line displays the system
uptime. This output gives you a quick view of how much traffic the device is handling.

Network Security Support Engineer 7.4 Study Guide 55


System Resources

DO NOT REPRINT
© FORTINET

Conserve Mode

© Fortinet Inc. All Rights Reserved. 24

In this section, you will examine conserve mode, now that you have a better understanding of how FortiGate
uses memory.

Network Security Support Engineer 7.4 Study Guide 56


System Resources

DO NOT REPRINT
© FORTINET
Conserve Mode
• Triggered based on memory use
• Prevents using so much memory that FortiGate becomes unresponsive
• FortiGate leaves conserve mode as memory use goes below set threshold
• Three memory thresholds that you can configure on the CLI
• Extreme: threshold at which FortiGate starts dropping new sessions
• Red: threshold at which FortiGate enters conserve mode
• Green: threshold at which FortiGate exits conserve mode
# config system global
... Default
set memory-use-threshold-extreme 95 threshold values
set memory-use-threshold-red 88
set memory-use-threshold-green 82
...
end

© Fortinet Inc. All Rights Reserved. 25

Conserve mode is a protection mechanism that is triggered when FortiGate doesn’t have enough memory
available to handle traffic. Content inspection (especially proxy-based) increases memory use beyond simple
firewall policies. In other words, when antivirus is enabled, FortiGate is more likely to use more memory,
which can cause FortiGate to enter conserve mode. You can identify whether antivirus or any other process is
using too much memory by running the CLI command diagnose sys top.

FortiGate has only one conserve mode. It is triggered based on memory usage. There are three memory
thresholds that you can configure on the CLI:
• Extreme: The threshold at which FortiGate starts dropping new sessions.
• Red: The threshold at which FortiGate enters conserve mode.
• Green: The threshold at which FortiGate exits conserve mode.
You can use the commands shown on this slide to change the default conserve mode threshold values.

Network Security Support Engineer 7.4 Study Guide 57


System Resources

DO NOT REPRINT
© FORTINET
Conserve Mode Logs
# execute log filter category 1
# execute log display
1: date=2023-12-28 time=16:58:37 eventtime=1667433517502192693 tz="-0700"
logid="0100022011" type="event" subtype="system" level="critical" vd="root"
logdesc="Memory conserve mode entered" service="kernel" conserve="on" total=969
MB used=691 MB red="853 MB" green=”795 MB" msg="Kernel enters memory conserve
mode

# diagnose debug crashlog read


...
32: 2023-12-28 16:58:37 service=kernel conserve=on total="969 MB" used="691 MB"
red="853 MB"
33: 2023-12-28 16:58:37 green="795 MB" msg="Kernel enters memory conserve
mode"...

© Fortinet Inc. All Rights Reserved. 26

This slide shows the entries that are generated in the event logs when FortiGate enters memory conserve
mode. If the GUI is under a heavy load, it may be unresponsive, making the GUI logs inaccessible. In this
case, you can view the logs in the CLI using the commands shown on this slide. You can also view the crash
log on the CLI for conserve mode messages. This slide shows an example of a typical conserve mode crash
log entry.

Network Security Support Engineer 7.4 Study Guide 58


System Resources

DO NOT REPRINT
© FORTINET
Conserve Mode Diagnostics
# diagnose hardware sysinfo conserve

memory conserve mode: off


total RAM: 3039 MB
memory used: 817 MB 26% of total RAM
memory freeable: 582 MB 19% of total RAM
memory used + freeable threshold extreme: 2887 MB 95% of total RAM
memory used threshold red: 2675 MB 88% of total RAM
memory used threshold green: 2492 MB 82% of total RAM

© Fortinet Inc. All Rights Reserved. 27

Use the command shown on this slide to identify whether a FortiGate device is currently in conserve mode.

Network Security Support Engineer 7.4 Study Guide 59


System Resources

DO NOT REPRINT
© FORTINET
What Happens During Conserve Mode?

• FortiOS activates protection measures to recover memory space:

• System configuration cannot be changed

• FortiGate skips quarantine actions (including FortiSandbox analysis)

© Fortinet Inc. All Rights Reserved. 28

Which actions does FortiGate take to preserve memory while in conserve mode?

FortiGate activates the following protection measures to recover memory space:


• FortiGate does not accept configuration changes because they might increase memory usage.
• FortiGate does not run any quarantine action, including forwarding suspicious files to FortiSandbox.

Network Security Support Engineer 7.4 Study Guide 60


System Resources

DO NOT REPRINT
© FORTINET
What Happens During Conserve Mode? (Contd)
• For traffic that requires any proxy-based inspection (and if memory usage has not
exceeded the extreme threshold):

config system global


set av-failopen [off | pass | one-shot]
end
• off: All new sessions with content scanning enabled are not passed
• pass (default): All new sessions pass without inspection
• one-shot: Similar to pass in that traffic is not inspected. However, it will keep bypassing the antivirus proxy
even after leaving conserve mode. Administrators must either change this setting, or restart the device, to
restart the antivirus scanning

• The av-failopen setting also applies to flow-based antivirus inspection


• If memory usage exceeds the extreme threshold, all new sessions that require
inspection (flow-based or proxy-based) are blocked

© Fortinet Inc. All Rights Reserved. 29

The av-failopen setting defines the action that is applied to any proxy-based inspected traffic, while
Fortigate is in conserve mode (and as long as the memory usage does not exceed the extreme threshold).
This setting also applies to flow-based antivirus inspection. You can configure one of three different actions:

• off: All new sessions with content scanning enabled are not passed but FortiGate processes the current
active sessions.
• pass (default): All new sessions pass without inspection until FortiGate switches back to non-conserve
mode.
• one-shot: Similar to pass in that traffic passes without inspection. However, it will keep bypassing the
antivirus proxy even after it leaves conserve mode. Administrators must either change this setting, or
restart FortiGate to restart the antivirus scanning

However, if memory usage exceeds the extreme threshold, new sessions are always dropped, regardless of
the FortiGate configuration.

Network Security Support Engineer 7.4 Study Guide 61


System Resources

DO NOT REPRINT
© FORTINET
Fail-Open Session Setting
• The following setting controls how FortiOS handles a session when it exhausts available
sockets to process proxy-based inspection:

config system global


set av-failopen-session [enable | disable]

• enable = Sessions are allowed


• disable(default) = Block all new sessions that require proxy-based inspection

© Fortinet Inc. All Rights Reserved. 30

Another undesirable state for FortiGate is the av-fail-open session mode. This mode kicks in, not
during a high-memory situation, but when a proxy on FortiGate runs out of available sockets to process more
proxy-based inspected traffic.

If av-failopen-session is enabled, FortiGate allows all the sessions. Otherwise, by default, it blocks new
sessions that require proxy-based inspection until new sockets become available.

Network Security Support Engineer 7.4 Study Guide 62


System Resources

DO NOT REPRINT
© FORTINET
Memory Tension Drops
• Kernel deletes oldest sessions if it cannot allocate more memory pages
• No direct link with conserve mode

# diagnose sys session stat


misc info: session_count=184 setup_rate=0 exp_count=0 reflect_count=0
clash=0 memory_tension_drop=0 ephemeral=0/196608 removeable=0 extreme_low_mem=0
npu_session_count=61 nturbo_session_count=0
delete=0, flush=87, dev_down=16/120 ses_walkers=0
TCP sessions:
38 in ESTABLISHED state
1 in CLOSE_WAIT state

© Fortinet Inc. All Rights Reserved. 31

FortiGate has one more mechanism to free memory when there is not much available. If the kernel cannot
allocate more memory pages, it deletes the oldest sessions. The command shown on this slide displays the
numbers of sessions deleted by the kernel because of this mechanism.

Network Security Support Engineer 7.4 Study Guide 63


System Resources

DO NOT REPRINT
© FORTINET
Ephemeral Drops
• A session is categorized as ephemeral when one of the following is true:
• A TCP session is not fully established
• A UDP with only a single packet is received
• These types of open sessions are common types of DoS attacks
• To protect memory use, FortiOS sets a limit on the total number of ephemeral sessions
(based on the model)
# diagnose sys session stat
misc info: session_count=184 setup_rate=0 exp_count=0 reflect_count=0
clash=0 memory_tension_drop=0 ephemeral=0/196608 removeable=0 extreme_low_mem=0
npu_session_count=61 nturbo_session_count=0
delete=0, flush=87, dev_down=16/120 ses_walkers=0
TCP sessions:
38 in ESTABLISHED state
1 in CLOSE_WAIT state

© Fortinet Inc. All Rights Reserved. 32

FortiGate has a mechanism to protect memory use against some forms of DoS attacks. FortiGate categorizes
an entry in the session table as an ephemeral session when it is a TCP session that is not fully established
(three-way handshake not completed), or it is a UDP session with only one packet received. During some
DoS attacks, the number of these types of sessions tends to increase abnormally, potentially consuming the
device memory. FortiGate sets a hard limit on the maximum number of ephemeral sessions that can exist at
the same time in the session table.

Network Security Support Engineer 7.4 Study Guide 64


System Resources

DO NOT REPRINT
© FORTINET

Memory Use Optimization

© Fortinet Inc. All Rights Reserved. 33

In this section, you will learn how to optimize memory use by fine-tuning the FortiGate configuration.

Network Security Support Engineer 7.4 Study Guide 65


System Resources

DO NOT REPRINT
© FORTINET
Memory Use Optimization
• Disable features that are not required:
• Inspection of specific protocols (HTTP, FTP, SMTP, POP, IMAP)
• Logging to memory
• DHCP server
• Some IPS signatures
• Reduce the maximum file size to inspect (default 10 MB):
config firewall profile-protocol-options
edit <profile_name>
config [http|ftp|pop3|smtp|imap]…
set oversize-limit <MB>
end

© Fortinet Inc. All Rights Reserved. 34

Many FortiGate processes, such as DLP or antivirus scanning, are memory intensive. So, memory
optimization is important, especially in small devices, to guarantee that these processes do not force
FortiGate into memory conserve mode. This slide shows some recommendations for optimizing memory use.
These tips might significantly increase the available memory in a device that is frequently entering conserve
mode.

The first and most logical step is to disable features that are not required. For example, if the network already
has a FortiMail device for antispam, an administrator does not need to configure antispam on FortiGate. Also,
usually not all IPS signatures are required.

Another recommendation is to reduce the maximum file size to inspect, which is set to 10 MB by default. You
can reduce this value to 2 or 3 MB without significantly reducing the virus catching rate, because a typical
virus size is less than 1 MB.

Network Security Support Engineer 7.4 Study Guide 66


System Resources

DO NOT REPRINT
© FORTINET
Memory Use Optimization (Contd)

• Reduce the FortiGuard cache TTL • Reduce the DNS cache (default 1800
(default 3600 and 1800 seconds): seconds):
config system fortiguard config system dns
set webfilter-cache-ttl 500 set dns-cache-ttl 300
set antispam-cache-ttl 500 end
end

• Reduce the session time to live (TTL)


• Globally for TCP (default to 3600 seconds): • For each service:
config system session-ttl config system session-ttl
set default 300 config port
edit <id>
• Globally for UDP (default to 180 seconds): set protocol <IP_protocol>
config system global set start-port <start_port>
set udp-idle-timer 90 set end-port <end_port>
set timeout 300

© Fortinet Inc. All Rights Reserved. 35

Additionally, you can reduce the amount of memory allocated to some caches, such as the ones for
FortiGuard and DNS.

The FortiGate session table can also consume an important portion of memory, especially in networks with a
high rate of traffic. By default, a session without traffic remains in the table for up to one hour.

Although a TTL this high might be required by some applications, in most networks, you can reduce the
session TTL. When you reduce the TTL, FortiGate ages out idle sessions much more quickly, increasing the
amount of available memory.

There are four places in the FortiGate configuration where you can reduce the session TTL. Two of them are:
• Globally, for all the traffic
• On an IP protocol and port number basis

Network Security Support Engineer 7.4 Study Guide 67


System Resources

DO NOT REPRINT
© FORTINET
Memory Use Optimization (Contd)
• Reduce the session TTL (default 3600 seconds)
• For each firewall policy:
config firewall policy
edit <id> Security Profiles > Application Control
set session-ttl 300

• Per application control


config application list
edit <name>
config entries
edit <id>
set session-ttl 300
end
end

Policy & Objects > Firewall Policy

© Fortinet Inc. All Rights Reserved. 36

The other two places where you can reduce the session TTL are:
• For each firewall policy
• For each application control

If an application requires a high session TTL, you can reduce the TTL globally to 5 minutes. However, you can
also set it to a higher number for the specific application port number, firewall policy, or with an application
control application override entry by setting the session-ttl option using the CLI.

Network Security Support Engineer 7.4 Study Guide 68


System Resources

DO NOT REPRINT
© FORTINET
Memory Use Optimization (Contd)
• Reduce TCP session timers:
config system global
set tcp-halfclose-timer 30 (default 120)
set tcp-halfopen-timer 8 (default 10)
set tcp-timewait-timer 1 (default 1)
end

SYN
tcp-halfopen-timer
SYN / ACK

ACK

FIN
tcp-halfclose-timer
FIN / ACK

tcp-timewait-timer

© Fortinet Inc. All Rights Reserved. 37

You can also reduce most TCP session timers from their default values without causing problems to the
applications. This slide shows some recommended values that are equal to or below the default values. Use
these recommended values to optimize the memory use.

The tcp-halfopen-timer controls for how long, after a SYN packet, a session without SYN/ACK remains
in the table.

The tcp-halfclose-timer controls for how long, after a FIN packet, a session without FIN/ACK remains
in the table.

The tcp-timewait-timer controls for how long, after a FIN/ACK packet, a session remains in the table. A
closed session remains in the session table for a few seconds more to allow any out-of-sequence packet.

Network Security Support Engineer 7.4 Study Guide 69


System Resources

DO NOT REPRINT
© FORTINET

Troubleshooting System Crashes

© Fortinet Inc. All Rights Reserved. 38

In this section, you will learn how to troubleshoot system crashes.

Network Security Support Engineer 7.4 Study Guide 70


System Resources

DO NOT REPRINT
© FORTINET
Console Logging
• Available only on some models
• Records console CLI output in a 4 MB log file on flash memory
• Useful for troubleshooting unexpected restarts and unresponsive devices
• Can be displayed on the CLI or downloaded from the GUI
• To enable or disable console logging (disabled by default):
# diagnose debug comlog < enable | disable >
• To read console logging:
# diagnose debug comlog read
• To clear console logging:
# diagnose debug comlog clear
• To display the console logging settings:
# diagnose debug comlog info

© Fortinet Inc. All Rights Reserved. 39

On some FortiGate models, you can configure the device to store all console logs in the flash memory. This is
especially useful when troubleshooting unexpected restarts and devices that randomly become unresponsive.
Once FortiGate stores the logs, you can display them on the CLI or download them from the GUI for further
analysis.

This slide shows the commands for enabling, displaying, and clearing the console logs.

Network Security Support Engineer 7.4 Study Guide 71


System Resources

DO NOT REPRINT
© FORTINET
Troubleshooting Unexplained Restarts
• A crash dump message is usually generated through the console
• After an unexpected restart, check:
• Logs
• Console logs (available in some models)
• Crash log
• If the model does not support console logs, keep a laptop connected to the console port
and capture the crash dump message

© Fortinet Inc. All Rights Reserved. 40

A crash dump message is usually generated through the console port when the device crashes. Crash dump
messages can provide useful information to Fortinet developers. If the problem is a FortiGate device that is
restarting unexpectedly, you should check the logs, the console logs, and the crash log. If the FortiGate model
doesn’t support a console log, keep a laptop connected to the console port and wait until another crash
happens.

Network Security Support Engineer 7.4 Study Guide 72


System Resources

DO NOT REPRINT
© FORTINET
Troubleshooting a Device That Freezes
• Keep a laptop connected to the console port

• In multi-CPU platforms, enable non-maskable interrupt (NMI) watchdog:


# diagnose sys nmi-watchdog enable
• (Crashes the system if it has not scheduled any daemon in 10 minutes)

• After the device freezes, push the NMI button while the laptop is connected to generate
the crash dump
• Not all FortiGate models have an NMI button

© Fortinet Inc. All Rights Reserved. 41

FortiGate freezes when it stops handling traffic, you cannot connect to it, and you can’t access its console
port. Only power cycling fixes the issue. In these cases, you could capture any crash dump message in the
console port. Additionally, and in the case of models with more than one CPU, you can enable the NMI
watchdog feature, which automatically causes a crash in the system (and forces the crash dump) when no
new daemons have been scheduled in the last 10 minutes. This is an indication that the device is not
operating normally and might be frozen.

Some FortiGate models also have an external NMI button. If the device freezes and no crash dump message
was generated, you can press the NMI button to force a crash and generate a crash dump message.

Network Security Support Engineer 7.4 Study Guide 73


System Resources

DO NOT REPRINT
© FORTINET
Crash Log
# diagnose debug crashlog read
...
18: 2023-12-28 02:37:33 <02382> firmware FortiGate-VM64-AWS v7.4.1,build2463b2463,230830
(GA.F)
19: 2023-12-28 02:37:33 (Release) Application name
20: 2023-12-28 02:37:33 <02382> application miglogd
21: 2023-12-28 02:37:33 <02382> *** signal 11 (Segmentation fault) received ***
22: 2023-12-28 02:37:33 <02382> Register dump:
Termination signal
23: 2023-12-28 02:37:33 <02382> RAX: 0000000000000001 RBX: 00000000012f7330
24: 2023-12-28 02:37:33 <02382> RCX: 00007f376a5f5016 RDX: 0000000000000400
25: 2023-12-28 02:37:33 <02382> R08: 00007f373989f000 R09: 00007f373989fb90
26: 2023-12-28 02:37:33 <02382> R10: 000000000000021c R11: 0000000000000246
27: 2023-12-28 02:37:33 <02382> R12: 0000000000000000 R13: 0000000000000002
28: 2023-12-28 02:37:33 <02382> R14: 0000000000000002 R15: 0000000000000000
29: 2023-12-28 02:37:33 <02382> RSI: 00000000114a0a40 RDI: 0000000000000019
30: 2023-12-28 02:37:33 <02382> RBP: 00007ffee55f3750 RSP: 00007ffee55f3718
31: 2023-12-28 02:37:33 <02382> RIP: 00007f376a5f5016 EFLAGS: 0000000000000246
32: 2023-12-28 02:37:33 <02382> CS: 0033 FS: 0000 GS: 0000
33: 2023-12-28 02:37:33 <02382> Trap: 0000000000000000 Error: 0000000000000000
34: 2023-12-28 02:37:33 <02382> OldMask: 0000000000000000
...

© Fortinet Inc. All Rights Reserved. 42

Each time an application crashes, or closes, an entry is generated in the crash log. When an application
crashes, the entry contains the name of the application, the time it crashed, and the termination signal.

This slide shows a sample of a crash in the crash log. In this example, the application that failed was the
miglogd process, which handles logging. The termination signal is 11, which is a segmentation fault.

Network Security Support Engineer 7.4 Study Guide 74


System Resources

DO NOT REPRINT
© FORTINET
Termination Signals
• Any time a process closes, a crash log is generated
# diagnose sys kill <termination_signal> <process_id>
Signal number Description
4 Illegal instruction
6 Abort command from FortiOS
7 Bus error
9 Unconditional kill
11 Invalid memory reference
14 Alarm clock
15 Graceful kill

Choose Kill &


Trace for crash
log output

© Fortinet Inc. All Rights Reserved. 43

The table shown on this slide contains the most common termination signal numbers. Any administrator can
manually terminate a process by using the command shown on this slide, followed by the termination signal
number and the process ID. The command diagnose sys top lists the process ID numbers. Manually
terminating a process is not usually required under normal circumstances. If you must terminate a process,
use the termination signal 9. Improperly terminating a process can make a FortiGate system unstable.

Note that not all the signal numbers generate a crash log.

Processes can also be killed through the GUI under admin > System > Process Monitor. If you want to
generate a crash log, select Kill&Trace in the Kill Process field.

Network Security Support Engineer 7.4 Study Guide 75


System Resources

DO NOT REPRINT
© FORTINET
Crash Log Tips
• In most cases, entries in the crash log are normal
• Consider a crash log to be suspicious when:
• It happens at the same time as abnormal FortiGate behavior
• For example, unexpected system restarts
• The crashed process is related to the FortiGate feature that failed
• For example, a crash in the sslvpnd process when all SSL VPN connections went down

• The crash log can provide information to Fortinet developers about the cause of the
crash

© Fortinet Inc. All Rights Reserved. 44

So, how do you know if the crash log is normal or not?

In most cases, entries in the crash log are normal. You can consider a crash log entry to be suspicious if it
happens at the same time as a failure in a FortiGate feature, or abnormal behavior by FortiGate.

For example, a crash log entry that is generated when the device unexpectedly restarts, might provide
information about the cause. A crash in the sslvpnd process when all SSL VPN users get disconnected is
also relevant. The crash log includes the details about the crash and information that can be used by Fortinet
support to identify which code triggered the problem.

Network Security Support Engineer 7.4 Study Guide 76


System Resources

DO NOT REPRINT
© FORTINET
Review
 Describe how FortiOS processes a packet
 Describe how FortiOS uses memory
 Diagnose high memory and high CPU problems
 Optimize memory usage
 Diagnose conserve mode
 Troubleshoot unexpected reboots and frozen devices
 Use the crash log for diagnostics

© Fortinet Inc. All Rights Reserved. 45

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to use and optimize FortiOS system
resources.

Network Security Support Engineer 7.4 Study Guide 77


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET

Network Security Support Engineer


Sessions, Traffic Flow, and Networking

FortiOS 7.4
Last Modified: 25 April 2024

In this lesson, you will learn about traffic and session monitoring.

Network Security Support Engineer 7.4 Study Guide 78


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Objectives
• Analyze the information in the session table
• Understand the various session flags
• Capture traffic using the built-in sniffer
• Analyze the output of the debug flow
• Describe hardware offloading implications
• Configure and troubleshoot session helpers

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in traffic and session monitoring, you will be able to interpret the information in
the session table, capture traffic using the built-in sniffer, analyze the output of the debug flow, and configure
and troubleshoot session helpers.

Network Security Support Engineer 7.4 Study Guide 79


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET

Session Table

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn about session table entries.

Network Security Support Engineer 7.4 Study Guide 80


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Session Table Summary
# get sys session status
The total number of IPv4 sessions for the current VDOM: 11

# get sys session list


PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
tcp 3522 10.1.10.1:41418 100.64.1.1:41418 172.217.0.106:443 -
udp 151 10.1.0.1:4387 100.64.1.1:64803 208.91.112.220:53 -
udp 28 10.1.0.1:1687 100.64.1.1:62103 208.91.112.52:53 -
udp 61 100.64.1.1:3075 - 208.91.112.53:53 -
udp 55 100.64.1.1:3075 - 208.91.112.52:53 -
udp 172 10.1.10.1:123 100.64.1.1:60539 209.121.129.48:123 -
udp 152 10.1.0.1:4387 100.64.1.1:64803 173.243.138.221:53 -
udp 152 10.1.0.1:4387 100.64.1.1:64803 45.75.200.89:53 -
udp 171 10.1.10.1:123 100.64.1.1:60539 208.81.1.197:123 -
udp 104 10.1.0.1:1420 - 10.1.0.254:53 -
tcp 3600 10.1.10.1:34433 - 10.1.0.254:22 -
udp 176 10.1.0.1:1900 - 10.1.0.254:53 -
tcp 3524 10.1.10.1:59972 100.64.1.1:59972 172.217.0.110:80 -
tcp 119 10.1.10.1:42824 100.64.1.1:42824 72.21.91.29:80 -
tcp 3517 10.1.10.1:42816 100.64.1.1:42816 72.21.91.29:80 -
udp 171 10.1.10.1:123 100.64.1.1:60539 144.217.65.184:123 -

© Fortinet Inc. All Rights Reserved. 4

The FortiGate session table contains detailed information about every IP connection that crosses or
terminates at FortiGate. You can use the commands shown on this slide to display the total number of
sessions in an active VDOM, and to view a brief summary of each session. The session list command
lists one session on each line, and includes information such as protocol, source IP address, destination IP
address, and port. You can use the grep utility with this command to list only the sessions for a specific IP
address.

Network Security Support Engineer 7.4 Study Guide 81


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Session Table Details
• Clear any previous filter
# diagnose sys session filter clear
• Set the filter
# diagnose sys session filter ?
...
src Source IP address.
nsrc NAT'd source ip address.
dst Destination IP address.
proto Protocol number.
...
• List all entries matching the configured filter
# diagnose sys session list

© Fortinet Inc. All Rights Reserved. 5

To display detailed information about sessions, use the command shown on this slide. It is recommended that
you set the session filter first, because an unfiltered output displays all the details about all the existing
sessions. For high-end devices, a list of all existing sessions could be in the thousands, or even millions. You
can filter the output by policy ID, source IP address, source port, destination IP address, and destination port.
Note that there are many more options for the session filter than the ones shown on this slide.

Network Security Support Engineer 7.4 Study Guide 82


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Clearing Session Table Entries
• Some configuration changes, such as security profile changes or session helper
changes, apply only to new sessions
• In those cases, you can clear existing sessions, so changes apply once new sessions
are created
• Set the filter
# diagnose sys session filter ?
• Check the filter
# diagnose sys session filter
• Clear all entries matching the configured filter
# diagnose sys session clear

© Fortinet Inc. All Rights Reserved. 6

Some configuration changes, such as security profile changes or session helper changes, apply only to new
sessions. Existing sessions keep using the previous configuration until they expire or are terminated. This is
important to remember when troubleshooting problems. After a security profile change, you should clear any
sessions related to that change, and generate new sessions.

Use the command shown on this slide to remove all sessions that match the session filter. You must be
careful with this command because it can potentially clear all the existing sessions if no filter has been set.
Before clearing out any sessions, use appropriate filters.

Network Security Support Engineer 7.4 Study Guide 83


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Sessions―TCP Example
# diagnose sys session list
session info: proto=6 proto_state=11 duration=1 expire=3599 timeout=3600 refresh_dir=both
flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=medium prio=3 guarantee 0Bps max 134217728Bps traffic 232868Bps drops 0B
reply-shaper=medium prio=3 guarantee 0Bps max 134217728Bps traffic 232868Bps drops 0B
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty ndr npu f00 app_valid
statistic(bytes/packets/allow_err): org=1720/9/1 reply=10804/13/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=7->31/31->7 gwy=10.1.0.254/10.9.31.117
hook=post dir=org act=snat 10.9.31.117:45388->200.8.57.5:443(10.1.0.3:45388)
hook=pre dir=reply act=dnat 200.8.57.5:443->10.1.0.3:45388(10.9.31.117:45388)
hook=post dir=reply act=noop 200.8.57.5:443->10.9.31.117:45388(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=14720 confiauth_info=0 chk_client_info=0 vd=0
serial=0002932f tos=ff/ff app_list=2000 app=34050 url_cat=0
sdwan_mbr_seq=1 sdwan_service_id=1
rpdb_link_id=80000000 ngfwid=n/a
npu_state=0x003c94 ips_offload
npu info: flag=0x81/0x81, offload=8/8, ips_offload=1/1, epid=16/16, ipid=64/88,
vlan=0x0000/0x0000
vlifid=64/88, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=0/0

© Fortinet Inc. All Rights Reserved. 7

This slide shows an example output detailing information for a single session table entry. The slide highlights
the following information:

• The IP protocol number and the protocol state


• The length of time until the session expires (if no more traffic matches the session)
• New in FortiOS 7.4, the refresh_dir argument specifies in which direction existing sessions are
refreshed. In this example, it is for both directions. Configuring this option can help prevent potential
denial of service (DoS) attacks.
• Traffic shaping counters
• Session flags
• Received and transmitted packet and byte counters
• The original and reply direction of the traffic. If the device is using NAT, this portion shows the type of
NAT (source or destination) for each traffic direction, and the NAT IP address.
• The ID of the matching policy
• Counters for hardware acceleration—The presence of the npu info field indicates the session has
been offloaded to hardware acceleration.

Use the CLI command diagnose sys session list for IPv4 traffic, and the command diagnose sys
session6 list for IPv6 traffic.

The output for both commands is similar (it displays the same fields, in the same order).

Network Security Support Engineer 7.4 Study Guide 84


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Sessions—TCP Protocol States
• proto_state=11
• First digit (from left to right): server-side state SYN
• 0 if no inspection, non-zero if proxy or flow
• Second digit (from left to right): client-side state 2
SYN / ACK
TCP state Value
NONE 0 ACK 3
ESTABLISHED 1
SYN_SENT 2
SYN & SYN/ACK 3 1
FIN_WAIT 4
TIME_WAIT 5 FIN
CLOSE 6
4
CLOSE_WAIT 7 FIN / ACK
LAST_ACK 8
LISTEN 9 5

© Fortinet Inc. All Rights Reserved. 8

The protocol state in the session table is a two-digit number. For TCP, the first number (from left to right) is
related to the server-side state and is 0 when the session is not subject to any inspection (flow or proxy). If
flow or proxy inspection is done, then the first digit is different from 0. The second digit is the client-side state.

The table and flow graph shown on this slide correlate the digit value with the different TCP session states.
The values apply for both server-side and client-side states. For example, for the client-side state, when
FortiGate receives the SYN packet, the second digit is 2. It changes to 3 when FortiGate receives the
SYN/ACK packet. Similarly, for the server-side state, the first digit is 2 after FortiGate sends the SYN packet,
and then changes to 3 after FortiGate sends the SYN/ACK packet. In addition, proto_state=11 means that
the TCP three-way handshake for both server-side and client-side is completed (ESTABLISHED).

When a session is closed by both the sender and receiver, FortiGate keeps that session in the session table
for a few seconds, to allow for any out-of-order packets that might arrive after the FIN/ACK packet. This is the
state value 5.

Network Security Support Engineer 7.4 Study Guide 85


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Sessions—ICMP and UDP Protocol States
• Even though UDP is stateless, FortiGate still uses two proto_state values:

UDP
UDP state Value
UDP
UDP traffic one way only 0 00
UDP traffic both ways 1
UDP

UDP
• ICMP has no state
• proto_state is always 00 UDP 01

UDP

© Fortinet Inc. All Rights Reserved. 9

For UDP, the session state can have only two values: 00 when traffic is only one way, and 01 when traffic is
two ways. For ICMP, the protocol state is always 00.

Network Security Support Engineer 7.4 Study Guide 86


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Sessions—Some Common Flags
Flag Description
log Session is being logged
local Session is to/from local stack
ndr Session will be checked by IPS signature
nds Session will be checked by IPS anomaly
npu Session can be offloaded to NPU
wccp Web caching
npd Session cannot be offloaded to NPU
redir Session is being processed by an application layer proxy
authed Session was successfully authenticated
auth Session requires (or required) authentication

© Fortinet Inc. All Rights Reserved. 10

This table shows the meaning of the most important session flags. For example, the log flag indicates that
the session is being logged. The local flag indicates that the session originates from FortiGate or terminates
on FortiGate.

Network Security Support Engineer 7.4 Study Guide 87


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
May Dirty Sessions
• New firewall sessions created after matching a firewall policy with accept action
• A firewall policy lookup is performed (top-down)
• Flagged as may_dirty
• Lookup process
• First original packet (route and firewall policy lookup)
• First reply packet (route lookup only)
• No additional lookups unless session is flagged as dirty

© Fortinet Inc. All Rights Reserved. 11

When working with FortiGate, it’s important to understand the concept of may_dirty and dirty sessions.

The may_dirty sessions are firewall sessions that were created after matching a firewall policy with
accept as the action. For FortiGate to identify the matching policy, it performs a firewall policy lookup,
selecting the first matching policy in the configuration from the top down. Most firewall sessions contain the
may_dirty flag. However, some sessions such as expectation sessions, do not contain the may_dirty flag
because they are not created as a result of matching a firewall policy.

For new sessions, FortiGate performs route and firewall policy lookups upon receiving the first packet (in the
original direction). FortiGate also performs a route lookup—but not a firewall policy lookup—for the first reply
packet. FortiGate then saves the information that results from the route lookup—the outgoing interface and
gateway to use—and the firewall policy lookup—policy ID, address translation, inspection, authentication,
logging, and so on—to the session.

FortiGate doesn’t perform additional lookups for the session unless the session is flagged as dirty.

Network Security Support Engineer 7.4 Study Guide 88


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Dirty Sessions

• A session is flagged as dirty after a routing, firewall policy, or interface change


• Each direction of a dirty session must be reevaluated
• Session routing information is flushed (routing change)

© Fortinet Inc. All Rights Reserved. 12

By default, FortiGate flags all may_dirty sessions as dirty if there is a routing, firewall policy, or interface
change. The FortiGate must reevaluate every dirty session. During reevaluation, it checks both directions of
the dirty session.

Network Security Support Engineer 7.4 Study Guide 89


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Dirty Sessions (Contd)

• Default reevaluation process after a routing change (no SNAT):


• Next packet in each direction goes to the CPU (applies only to NPU-offloaded sessions)
• Original direction: route and firewall policy lookups for first packet
• Reply direction: only route lookup for first packet
• FortiGate updates the session with new routing and firewall policy information, and removes the dirty
flag
• If the action is still accept, FortiGate forwards the packet
• If the new action of the matching firewall is deny, then:
• FortiGate flags the session as block, and drops the packet
• The session remains in the session table until it expires
• FortiGate drops further packets matching the session
• FortiGate eventually offloads sessions again to hardware

© Fortinet Inc. All Rights Reserved. 13

After a routing change, the routing information of impacted sessions is flushed. The default reevaluation
process following a routing change for sessions without source NAT (SNAT) is as follows:

• If the impacted session is offloaded to the network processing unit (NPU), FortiGate instructs the NPU to
send the next packet from each direction of the session to the CPU. This ensures that the session is
handled by the CPU, and thus reevaluated. If the session is not offloaded to the NPU, then the packets are
always handled by the CPU, and this step is not required.
• In the original direction, FortiGate performs route and firewall policy lookups for the first packet.
• In the reply direction, FortiGate performs only a route lookup for the first packet.
• FortiGate updates the session with the new routing and firewall policy information and removes the dirty
flag.
• If the matching firewall policy action is still accept, FortiGate forwards the packet.
• If the matching firewall policy action is deny, FortiGate flags the session as block, drops the packet, and
retains the session in the session table until it expires. FortiGate also drops any additional packets that
match the session .
• FortiGate eventually offloads allowed sessions again to the NPU, if they still meet the NPU offloading
requirements.

Network Security Support Engineer 7.4 Study Guide 90


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Dirty Sessions (Contd)
• Before the route change (may_dirty flag)
session info: proto=1 proto_state=00 duration=4 expire=55 timeout=0 refresh_dir=both flags=00000000 socktype=0
sockport=0 av_idx=0 use=3
state=log may_dirty npu f00
orgin->sink: org pre->post, reply pre->post dev=7->19/19->7 gwy=100.64.1.1/10.0.1.101
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0

• After the route change (dirty flag; gateway is flushed)


session info: proto=1 proto_state=00 duration=30 expire=29 timeout=0 refresh_dir=both flags=00000000 socktype=0
sockport=0 av_idx=0 use=3
state=log dirty may_dirty npu f00
orgin->sink: org pre->post, reply pre->post dev=7->19/19->7 gwy=0.0.0.0/0.0.0.0
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0

• After reevaluation (no dirty flag; outgoing interface and gateway are updated)
session info: proto=1 proto_state=00 duration=53 expire=56 timeout=0 refresh_dir=both flags=00000000 socktype=0
sockport=0 av_idx=0 use=3
state=log may_dirty npu f00
orgin->sink: org pre->post, reply pre->post dev=7->20/20->7 gwy=100.64.1.9/10.0.1.101
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0

© Fortinet Inc. All Rights Reserved. 14

This slide shows the transition of an ICMP session from may_dirty to dirty, and then back to may_dirty,
following a route change. Note that only relevant lines of the session are displayed.

Before the route change, the session is flagged as may_dirty. The session output shows the index number
of the outgoing interface in use (19), as well as the gateway information (gwy).

After the route change, the session is flagged as dirty. Note that the may_dirty flag is still there, and the
dirty flag is just added. The gateway information is also flushed.

After reevaluation, the dirty flag is removed, and the index number of the outgoing interface and the
gateway information are updated based on the new route.

Note that the firewall policy (policy_id) didn’t change. This is because the firewall policy lookup during
reevaluation resulted in the same firewall policy, but this is not always the case.

Network Security Support Engineer 7.4 Study Guide 91


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Routing Changes and SNAT Sessions
• By default, SNAT sessions are not flagged as dirty after a routing change
• Exception: route in use is removed from the forwarding information base (FIB)
• Force reevaluation of SNAT sessions after a routing change (default = disable):
config system global
set snat-route-change enable | disable
end
• If SNAT IP changes during reevaluation, packet is dropped, and session is cleared
id=20085 trace_id=51 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=1, 10.0.1.101:13106-
>8.8.8.8:2048) from port5. type=8, code=0, id=13106, seq=3."
id=20085 trace_id=51 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-00008483, original
direction"
id=20085 trace_id=51 func=vf_ip_route_input_common line=2589 msg="Match policy routing id=2131230721: to 8.8.8.8
via ifindex-4"
id=20085 trace_id=51 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-192.2.0.10 via
port2"
id=20085 trace_id=51 func=get_new_addr line=1229 msg="find SNAT: IP-192.2.0.9(from IPPOOL), port-13106"
id=20085 trace_id=51 func=fw_strict_dirty_session_check line=264 msg="SNAT IP 192.2.0.1 != 192.2.0.9, drop"

• Enable snat-route-change if using the same IP pool for old and new path
Different SNAT IP address; drop the
packet and clear the session
© Fortinet Inc. All Rights Reserved. 15

By default, SNAT sessions are not flagged as dirty following a routing change that impacts the session.
This is true if the route in use is still in the FIB. However, if the route is removed from the FIB, then FortiGate
flags the session as dirty, flushes the outgoing interface and gateway information, and then reevaluates the
session on the next packet received.

To force the reevaluation of SNAT sessions following a related routing change, regardless of whether the
route in use is still in the FIB or not, enable the snat-route-change setting, as shown on this slide.

Note that during reevaluation of SNAT sessions, if the new route and firewall policy lookup results in a change
of the SNAT IP address, then FortiGate drops the packet and clears the session. This means that the
impacted application could have to initiate a new connection to resume network connectivity, especially if the
application is TCP-based.

This slide shows the debug flow output for an SNAT session during reevaluation. Because the SNAT IP
address of the new path (192.2.0.9) is different from the SNAT IP address of the current path
(192.2.0.1), FortiGate drops the packet and clears the session. This also means that, from a connectivity
point of view, it makes sense to enable snat-route-change only when the new path for the session uses
the same SNAT IP address, which can be achieved using IP pools.

Network Security Support Engineer 7.4 Study Guide 92


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Firewall Policy Changes and Sessions
• Firewall policy changes can lead to high CPU utilization
• Select which sessions in the VDOM are flagged as dirty (default = check-all):
config system settings
set firewall-session-dirty check-all | check-new | check-policy-option
end
• check-all: All impacted sessions are flagged as dirty
• check-new: New sessions are flagged as dirty and existing sessions are not affected
• check-policy-option: Follow firewall policy-level configuration
• Firewall policy-level configuration (default = check-all):
config firewall policy
edit <id>
set firewall-session-dirty check-all | check-new
next
end

© Fortinet Inc. All Rights Reserved. 16

When you make a change to a firewall policy, all existing sessions with the flag may-dirty change to status
dirty. FortiGate then performs a firewall policy lookup for the first packet received for each existing session;
it updates the session table entry and resets the flag to may-dirty. Then, it processes the next packets
based on the new firewall settings.

If the firewall handles a huge number of sessions, flagging the sessions as dirty, and performing a firewall
policy lookup for the sessions may result in high CPU utilization. To prevent this, you can configure FortiGate
to flag only new sessions as dirty by setting firewall-session-dirty to check-new. The result is that
FortiGate evaluates only new sessions against the new firewall policy configuration.

The firewall-session-dirty setting is available on the VDOM and firewall policy levels. It is set to
check-all by default, which instructs FortiGate to flag all sessions as dirty. To instruct FortiGate to follow
the firewall policy-level setting, you must set the VDOM-level setting to check-policy-option. Note that
the firewall policy-level setting is available only if the VDOM-level setting is set to check-policy-option.

Network Security Support Engineer 7.4 Study Guide 93


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Firewall Policy Changes and Sessions (Contd)
• Session is flagged as persistent
config system settings
set firewall-session-dirty check-new
end

# diagnose sys session list


session info: proto=6 proto_state=01 duration=3 expire=3598 timeout=3600 refresh_dir=both flags=00000000
socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log npu f00 persistent
statistic(bytes/packets/allow_err): org=3369/19/1 reply=3797/17/1 tuples=2
tx speed(Bps/kbps): 1011/8 rx speed(Bps/kbps): 1140/9
orgin->sink: org pre->post, reply pre->post dev=7->19/19->7 gwy=100.64.1.1/10.0.1.101
hook=pre dir=org act=noop 10.0.1.101:47774->10.1.0.7:22(0.0.0.0:0)
hook=post dir=reply act=noop 10.1.0.7:22->10.0.1.101:47774(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=000f884f tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=3 sdwan_service_id=2
rpdb_link_id=ff000002 ngfwid=n/a
npu_state=00000000

© Fortinet Inc. All Rights Reserved. 17

This slide shows the details of an established SSH session when firewall-session-dirty is set to
check-new.

Note the presence of the persistent flag in the session, and the absence of the may_dirty flag, which
indicates that FortiGate does not perform a new firewall policy lookup if there is a configuration change.

Network Security Support Engineer 7.4 Study Guide 94


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET

Sniffer and Debug Flow

© Fortinet Inc. All Rights Reserved. 18

In this section, you will learn about two useful troubleshooting tools: the built-in sniffer and the debug flow, and
how they are affected by hardware acceleration.

Network Security Support Engineer 7.4 Study Guide 95


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Advanced Packet Capture Options
# diagnose sniffer packet <interface> '<filter>' <level> <count>
<tsformat> <frame size>
• <count> stops packet capture after this many packets
• <tsformat> changes the timestamp format
• a – Absolute UTC time
• l – Local time
• <frame size> sets frame size that is printed before truncation (defaults to interface
MTU)
Level IP headers IP payload Ethernet headers Port names
1 
2  
3   
4  
5   
6    

© Fortinet Inc. All Rights Reserved. 19

Now you will learn about the built-in sniffer. When you enable this tool, you can choose from six verbosity
levels. The table on this slide shows the information displayed for each level. Level 4 is usually used to check
how the traffic is flowing and that FortiGate is not dropping packets. Level 3 or level 6 are usually used to
convert the output to packet capture (PCAP) format, which you can later analyze with a tool, such as
Wireshark.

Network Security Support Engineer 7.4 Study Guide 96


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Advanced Packet Capture Options―Output
# diagnose sniffer packet any 'host 8.8.8.8 and icmp’ 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 8.8.8.8 and icmp] any to capture all
interfaces
11.208116 lan in 10.1.10.1 -> 8.8.8.8: icmp: echo request
11.208370 wan1 out 172.20.121.11 -> 8.8.8.8: icmp: echo request
11.216576 wan1 in 8.8.8.8 -> 172.20.121.11: icmp: echo reply
11.216680 lan out 8.8.8.8 -> 10.1.10.1: icmp: echo reply
4 packets received by filter Number of packets matching the filter that
0 packets dropped by kernel could not be captured by the sniffer;
therefore, you must use a more specific
filter
Hub # diagnose sniffer packet any ‘icmp' 4 3 a
Using Original Sniffing Mode How many packets to
interfaces=[any] count
filters=[host 8.8.8.8 and icmp]
2023-12-30 18:04:48.722396 lan in 10.1.10.1 -> 8.8.8.8: icmp: echo request
2023-12-30 18:04:48.722549 wan1 out 172.20.121.11 -> 8.8.8.8: icmp: echo request
2023-12-30 18:04:48.730349 wan1 in 8.8.8.8 -> 172.20.121.11: icmp: echo reply

Timestamp

© Fortinet Inc. All Rights Reserved. 20

To sniff traffic in all interfaces, use the keyword any as the interface name.

Stop the sniffer by pressing Ctrl+C and check for dropped packets. If packets were dropped during the
sniffer process, it means that not all the traffic that matched the sniffer filter could be captured. So, you might
need to capture the traffic again using a stricter filter.

If you do not specify an option for the timestamp, the debug shows the time, in seconds, since it started
running. As you learned earlier in the lesson, you can prepend the local system time to easily correlate a
packet with another recorded event.

Network Security Support Engineer 7.4 Study Guide 97


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
GUI Packet Capture

© Fortinet Inc. All Rights Reserved. 21

On the GUI under Network > Diagnostics > Sniffer, you can perform the same function as described on the
previous slide without using a CLI command. In FortiOS version 7.4 and later, you can run multiple packet
captures simultaneously to capture ingress and egress traffic at the same time. You can also save the
captured packets as a PCAP.

Network Security Support Engineer 7.4 Study Guide 98


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Debug Flow
• Shows kernel decisions
• Multistep command
• Enable display of function names:
# diagnose debug flow show function-name enable
• Enable display of firewall policy matching decisions:
# diagnose debug flow show iprope enable
• Specify the filter:
# diagnose debug flow filter [filter]
• Enable output:
# diagnose debug enable
• Start the trace:
# diagnose debug flow trace start <count>
• Stop the trace:
# diagnose debug flow trace stop

© Fortinet Inc. All Rights Reserved. 22

Another useful FortiGate troubleshooting tool is the debug flow.

The debug flow is also called the internal sniffer because it works similarly to the built-in sniffer, but the output
shows step-by-step, and with details, what the kernel is doing with each packet.

Network Security Support Engineer 7.4 Study Guide 99


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Debug Flow Example SYN

id=65308 trace_id=21 func=print_pkt_detail line=5885 msg="vd-root:0 received a packet(proto=6, 10.0.10.183:50212-


>31.13.68.35:443) tun_id=0.0.0.0 from port2. flag [S], seq 903440372, ack 0, win 62727"
id=65308 trace_id=21 func=init_ip_session_common line=6071 msg="allocate a new session-00000199, tun_id=0.0.0.0"
id=65308 trace_id=21 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-10.0.1.1 via port1"
id=65308 trace_id=21 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=21 func=get_new_addr line=1264 msg="find SNAT: IP-10.0.1.206(from IPPOOL), port-50212"
id=65308 trace_id=21 func=fw_forward_handler line=1009 msg="Allowed by Policy-2: SNAT"
id=65308 trace_id=21 func=ip_session_confirm_final line=3112 msg="npu_state=0x100, hook=4"
id=65308 trace_id=21 func=__ip_session_run_tuple line=3451 msg="SNAT 10.0.10.183->10.0.1.206:50212" SYN/ACK

id=65308 trace_id=22 func=print_pkt_detail line=5885 msg="vd-root:0 received a packet(proto=6, 31.13.68.35:443-


>10.0.1.206:50212) tun_id=0.0.0.0 from port1. flag [S.], seq 2086754626, ack 903440373, win 65535"
id=65308 trace_id=22 func=resolve_ip_tuple_fast line=5973 msg="Find an existing session, id-00000199, reply
direction"
id=65308 trace_id=22 func=__ip_session_run_tuple line=3464 msg="DNAT 10.0.1.206:50212->10.0.10.183:50212"
id=65308 trace_id=22 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-0.0.0.0 via port2"

ACK
id=65308 trace_id=23 func=print_pkt_detail line=5885 msg="vd-root:0 received a packet(proto=6, 10.0.10.183:50212-
>31.13.68.35:443) tun_id=0.0.0.0 from port2. flag [.], seq 903440373, ack 2086754627, win 1027"
id=65308 trace_id=23 func=resolve_ip_tuple_fast line=5973 msg="Find an existing session, id-00000199, original
direction"
id=65308 trace_id=23 func=npu_handle_session44 line=1327 msg="Trying to offloading session from port2 to port1,
skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00000100"
id=65308 trace_id=23 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=00000100"
id=65308 trace_id=23 func=__ip_session_run_tuple line=3451 msg="SNAT 10.0.10.183->10.0.1.206:50212"

© Fortinet Inc. All Rights Reserved. 23

This slide shows an example of a debug flow output. In this example, the debug flow has captured the three
packets of a TCP three-way handshake. The output for the SYN packet shows when the kernel creates a new
session (with its session ID), finds the route to the destination, and applies NAT. It also shows the ID of the
policy that matches this traffic.

The output of the SYN/ACK and ACK packets shows the session ID and NAT information.

This tool is useful for many troubleshooting cases, such as when you need to understand why a packet is
taking a specific route, or why a specific NAT IP address is applied.

Network Security Support Engineer 7.4 Study Guide 100


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Common Debug Flow Blocking Messages
• Denied by forward policy check (policy 0)
• No firewall policy allows the traffic
• A firewall policy allows the traffic, but a disclaimer is enabled—you must accept the disclaimer first
• Denied by quota check
• Packet dropped because of traffic shaping
• No matching IPsec selector, drop
• Packet dropped because source or destination IP address is not included in IPsec phase 2 quick-mode
selectors

© Fortinet Inc. All Rights Reserved. 24

The debug flow can also help you identify why FortiGate is dropping packets. In those cases, the debug flow
usually shows an error message explaining why a packet was dropped.

This slide shows three messages that you commonly see in debug flow output when FortiGate is dropping
packets:
• Denied by forward policy check (policy 0) indicates that either no firewall policy allows the
traffic, or that a disclaimer has not yet been accepted.
• Denied by quota check indicates that the packet was dropped because of a traffic shaper that has
exceeded one of its thresholds.
• No matching IPsec selector, drop means that the source or destination IP address of the traffic
trying to cross the VPN tunnel is not included in the IPsec phase 2 quick-mode selectors.

Network Security Support Engineer 7.4 Study Guide 101


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Common Debug Flow Blocking Messages (Contd)
• reverse path check fail, drop
• Packet dropped because of the reverse path forwarding check
• iprope_in_check() check failed, drop
• Packet is destined to a FortiGate IP address (management traffic) but:
• The service is not enabled
• The service is using a different TCP port
• The source IP address is not included in the trusted host list
• The packet matches a local-in policy with action deny

© Fortinet Inc. All Rights Reserved. 25

This slide shows two more common debug flow error messages. The first error message indicates that the
packet failed the reverse path forwarding check.

The second error message usually indicates one of the following:


• The packet is destined to a FortiGate IP address (for example, management traffic), but the service is not
enabled
• The service is using a different port
• The source IP address is not included in the trusted list
• The packet matches a local-in policy with the action deny

Network Security Support Engineer 7.4 Study Guide 102


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
GUI Debug Flow

Save capture as CSV


file

© Fortinet Inc. All Rights Reserved. 26

Just like with the sniffer tool, you can run the debug flow from the GUI. Once completed, you can save the
output as a CSV file.

Network Security Support Engineer 7.4 Study Guide 103


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Hardware Acceleration Considerations

• The sniffer or debug flow doesn't pick up offloaded traffic

• You can temporarily disable network processors (NPs)


• Only for troubleshooting purposes
• For a single firewall
• For the entire NPU

• After you disable hardware acceleration, the CPU processes all packets
• Sniffer and debug flow will now pick up the packets

© Fortinet Inc. All Rights Reserved. 27

For the packet sniffer and debug flow to pick up traffic, all packets must arrive at the CPU.

This can be accomplished by disabling hardware acceleration. You can disable hardware acceleration at the
firewall level or the global level.

You should disable hardware acceleration only for troubleshooting purposes. Permanently disabling hardware
acceleration significantly decreases the performance of a FortiGate.

Once disabled, the CPU processes all packets, and the sniffer and debug flow can display traffic flow
information.

Network Security Support Engineer 7.4 Study Guide 104


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Disabling Hardware Acceleration—Firewall Policy

• You can disable hardware acceleration for a single firewall policy:


# config firewall policy
# edit <ID>
# set auto-asic-offload disable
# end

• Reenable hardware acceleration after troubleshooting:


# config firewall policy
# edit <ID>
# set auto-asic-offload enable
# end

© Fortinet Inc. All Rights Reserved. 28

You can disable hardware acceleration for a single firewall policy by setting auto-asic-offload to
disable. This can be useful when the scope of troubleshooting traffic is known to be specific to one firewall
policy.

You can also disable hardware acceleration globally.

Network Security Support Engineer 7.4 Study Guide 105


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Disabling Hardware Acceleration—Global
• Disable Network Processor 6 (NP6) offloading for all traffic—diagnose:
diagnose npu <processor-name> fastpath disable <id>
• <processor-name> can be np6, np6xlite, or np6lite
• <id> is the ID of the NPU processor.
• Find the processor IDs using #diagnose npu np6 port-list
Chip XAUI Ports QSGMII Max Cross-chip
Speed offloading
------ ---- ------- ------ ----- ----------
np6_0 0 port1 NA 1G Yes
0 port5 NA 1G Yes
0 port17 NA 1G Yes
...
NP6 ID. Output taken from an FGT1500D

• Disable NP6/NP7 offloading for all traffic–configure:


config system npu
set fastpath disable
end

© Fortinet Inc. All Rights Reserved. 29

You can disable hardware acceleration globally in two ways:

• Use the diagnose command. Depending on the FortiGate model, one or more NP6 units must be
disabled. In this example, the partial output of diagnose npu np6 port-list on a FortiGate 1500D is
shown. Since this is a diagnose command, fastpath is automatically reenabled when the FortiGate reboots.
• Use the config command. Fastpath is enabled by default. This disables all network processor offloading
for all traffic. This command applies to both NP6 and NP7.

Disabling hardware acceleration globally at the device level can have a significant impact on CPU
performance. You should disable hardware acceleration only for troubleshooting purposes. Reenable
hardware acceleration after you have completed troubleshooting.

Network Security Support Engineer 7.4 Study Guide 106


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario
• HTTPS management access is enabled on
FortiGate A
• Admin is unable to log in to FortiGate A
using HTTPS HTTPS management

• Admin can log in to FortiGate using SSH


• What is your approach? Admin FortiGate A

© Fortinet Inc. All Rights Reserved. 30

What is your approach for the troubleshooting scenario shown on this slide?

The administrator is trying to access FortiGate A using HTTPS but is unable to do so. SSH access is working.

What is your approach to start solving this issue?

Network Security Support Engineer 7.4 Study Guide 107


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario (Contd)
• Ensure that packets arrive at FortiGate A

HTTPS management

Admin FortiGate A

FortiGate A # diagnose sniffer packet any "host 157.97.134.79 and port 443" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 157.97.134.79 and port 443]
16.507720 port1 in 157.97.134.79.20096 -> 10.0.1.206.443: syn 835638812
16.514996 port1 in 157.97.134.79.20110 -> 10.0.1.206.443: syn 3059129326
17.510046 port1 in 157.97.134.79.20096 -> 10.0.1.206.443: syn 835638812
17.521376 port1 in 157.97.134.79.20110 -> 10.0.1.206.443: syn 3059129326

© Fortinet Inc. All Rights Reserved. 31

Your first step should be to confirm that HTTPS packets that the administrator sent arrive at FortiGate A and
that communication is bidirectional. The best tool to use for this is the packet sniffer. You can see that
FortiGate A is not returning a SYN/ACK packet to the administrator.

Network Security Support Engineer 7.4 Study Guide 108


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario (Contd)
• Use the debug flow HTTPS management

Admin FortiGate A
FortiGate A # diagnose debug flow filter addr 157.97.134.79
FortiGate A # diagnose debug flow filter port 443
FortiGate A # diagnose debug flow show function-name enable
show function name
FortiGate A # diagnose debug flow trace start 10
FortiGate A # diagnose debug enable

FortiGate A # id=65308 trace_id=1 func=print_pkt_detail line=5888 msg="vd-root:0 received a


packet(proto=6, 157.97.134.79:9940->10.0.1.206:443) tun_id=0.0.0.0 from port1. flag [S], seq 478129234,
ack 0, win 65535"
id=65308 trace_id=1 func=init_ip_session_common line=6073 msg="allocate a new session-000001f5"
id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=80000000 gw-0.0.0.0 via
root"
id=65308 trace_id=1 func=fw_local_in_handler line=618 msg="iprope_in_check() check failed on policy 0,
drop"
id=65308 trace_id=2 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=6,
157.97.134.79:9944->10.0.1.206:443) tun_id=0.0.0.0 from port1. flag [S], seq 1363265181, ack 0, win 65535"

© Fortinet Inc. All Rights Reserved. 32

Now you must find out why the FortiGate is not responding. The best tool to use for this is the debug flow.
The FortiGate is dropping the traffic with the error message "iprope_in_check() check failed on
policy 0, drop"

Earlier in this lesson, you learned that this error message can have several meanings, including:
• The service is not enabled
• The service is using a different port
• The source IP address is not included in the trusted hosts list
• The packet matches a local-in policy with the action deny

In this scenario, the HTTPS management port was changed from 443 to 10443. Browse to the FortiGate on
TCP port 10443 to resolve the issue.

Network Security Support Engineer 7.4 Study Guide 109


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario (Contd)
FortiGate A # diagnose sys session filter
session filter: HTTPS management
---omitted---
source ip: 157.97.134.79-157.97.134.79
---omitted---
dest port: any Admin FortiGate A
---omitted---

FortiGate A # diagnose sys session list


session info: proto=6 proto_state=01 duration=296 expire=3586 timeout=3600 refresh_dir=both flags=00000000
socktype=0 sockport=0 av_idx=0 use=3
---omitted---
state=local may_dirty
statistic(bytes/packets/allow_err): org=30641/401/1 reply=32244/281/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->in, reply out->post dev=3->6/6->3 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 157.97.134.79:51969->10.0.1.206:22(0.0.0.0:0)
hook=post dir=reply act=noop 10.0.1.206:22->157.97.134.79:51969(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4294967295 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=0000019f tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local
total session: 1

© Fortinet Inc. All Rights Reserved. 33

No session was established, so the session table has no entry for the TCP port 443 traffic.
The only session established from the administrator IP address is the SSH session used for troubleshooting.

Network Security Support Engineer 7.4 Study Guide 110


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET

Application Layer Gateway

© Fortinet Inc. All Rights Reserved. 34

In this section, you will learn how FortiGate can create sessions for traffic that is expected but hasn’t yet
arrived.

Network Security Support Engineer 7.4 Study Guide 111


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Session Helper Example―Active FTP Case
Client
10.0.1.10 Server

1027 1026 21 20
data control TCP control channel connection
control data

Open the data channel to IP address 10.0.1.10, TCP port 1027


port 10,0,1,10,4,3

TCP data channel connection

Data traffic to 10.0.1.10, port 1027

© Fortinet Inc. All Rights Reserved. 35

To understand what a session helper does, look at the example shown on this slide of a network protocol that
might have problems when a network device is performing NAT. The example shows the FTP protocol
working in active mode.

Any FTP file transfer is composed of two TCP sessions: one for the control channel and one for data transfer.
The control channel is always initiated from the client to the server and is used to send the FTP commands.
The FTP commands allow the client to move through the server folder, specify the type of file transfer, and
initiate the data channel for uploading or downloading a file.

FTP has two modes: active and passive. The mode determines which device initiates the data channel. In
passive mode, the client initiates the data channel. In active mode, the client sends the port command
through the control channel. The command includes the client IP address and the TCP port for the incoming
data channel. Then, the server initiates the TCP session to the IP address and port number specified by the
port command.

Network Security Support Engineer 7.4 Study Guide 112


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Active FTP With NAT and No Session Helper
• Router performing NAT of 10.0.1.10 to 10.200.1.1

FTP payload

Open the data channel to IP Open the data channel to IP


address 10.0.1.10, TCP port address 10.200.1.1, TCP port
55402 55402
port 10,0,1,10,216,106 Router port 10,0,1,10,216,106
port1 port2
10.0.1.254 10.200.1.1
Client Server
10.0.1.10 93.157.14.94

Data channel to
10.0.1.10, TCP port 55402
cannot be established

© Fortinet Inc. All Rights Reserved. 36

Active FTP does not work if the control channel crosses a network device performing NAT, and that does not
have a session helper. In the example shown on this slide, an FTP client is connecting to an active mode FTP
server. A router in the middle is performing NAT on the client IP address 10.0.1.10 to the NAT IP address
10.200.1.1.

After the control channel is up, the client sends the port command with its IP address, 10.0.1.10, as the
destination for the data channel.

When that FTP packet crosses the router, the source IP address in the IP header is changed from
10.0.1.10 to 10.200.1.1. However, the IP address in the FTP port command is not translated to
10.200.1.1.

After the server receives that FTP command, it tries to bring up the TCP session for the data channel. It sends
the SYN packet to the IP address 10.0.1.10. This address is probably not routable because it is a private IP
address behind a device performing NAT.

The file transfer fails.

Network Security Support Engineer 7.4 Study Guide 113


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Active FTP With NAT and Session Helper
• FortiGate performing NAT of 10.0.1.10 to 10.200.1.1
IP address inside
the payload is
Firewall creates an expected translated
session to allow the traffic that
comes to port 60428

Open the data channel to IP Open the data channel to IP


address 10.0.1.10, TCP port address 10.200.1.1, TCP port
55402 FortiGate 60428
port 10,0,1,10,216,106 port 10,200,1,1,236,12
port1 port2
10.0.1.254 10.200.1.1
Client Server
10.0.1.10 Data traffic to 10.0.1.10, Data traffic to 10.200.1.1, 93.157.14.94
TCP port 55042 TCP port 60428

Incoming data traffic is


allowed even when no
firewall policy is
explicitly configured

© Fortinet Inc. All Rights Reserved. 37

The FTP session helper fixes this problem by replacing the router with a FortiGate.

When the packet with the FTP port command arrives at FortiGate, FortiGate not only translates the source
IP address in the IP header, but the session helper also translates the IP address inside the FTP port
command. If the source port is also translated in the TCP header, the session helper also does the same in
the port command.

Another important function of the session helper is to temporarily create an expected session (or pinhole) for
the data channel connection that comes from the server. This means that the administrator does not need to
manually create firewall policies to allow these incoming TCP sessions (which use random TCP port
numbers). The session helper automatically creates the session and opens the door for the incoming
connection.

After that, the server connects the data channel to the correct IP address: 10.200.1.1. That incoming TCP
connection is allowed by the expected session that the session helper created previously, even when no
firewall policy allows it.

Network Security Support Engineer 7.4 Study Guide 114


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Active FTP With NAT and Session Helper (Contd)
id=13 trace_id=1098 msg="vd-root received a packet(proto=6, 10.0.1.10:55402->93.157.14.94:21) from Internal
id=13 trace_id=1098 msg="Find an existing session, id-008423f4, original direction"
id=13 trace_id=1098 msg="SNAT 10.0.1.10->10.200.1.1:60428"
id=13 trace_id=1098 msg="run helper-ftp(dir=original)"

FGT_A # diagnose sys session list expectation


session info: proto=6 proto_state=00 duration=6 expire=23 timeout=3600 refresh_dir=both flags=00000000
sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=1 tunnel=/
state=new npu acct-ext complex
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=5->7/7->5 gwy=10.1.1.2/172.17.97.3

hook=pre dir=org act=dnat 93.157.14.94:0->10.200.1.1:60428(10.0.1.10:55402)


hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=25 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=008423f4 tos=ff/ff ips_view=0 app_list=0 app=0
---omitted---

© Fortinet Inc. All Rights Reserved. 38

In this slide, you can see the debug flow message that is shown when a session helper is being used. In this
example, the run helper-ftp message indicates that the FTP session helper is being used.

You can also see that FortiGate created an expectation session and opened the pin-hole port for the
expected return traffic from the server with the IP address 93.157.14.94.

Network Security Support Engineer 7.4 Study Guide 115


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Active FTP―Sniffer Before FortiGate

© Fortinet Inc. All Rights Reserved. 39

This slide shows a packet capture of the previous FTP traffic before the port command reaches FortiGate.
You can see the original client IP address, 10.0.1.10.

Network Security Support Engineer 7.4 Study Guide 116


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Active FTP―Sniffer After FortiGate

© Fortinet Inc. All Rights Reserved. 40

This slide shows another packet capture, this time after the port command crosses FortiGate. The session
helper has translated the IP address inside the port command to 10.200.1.1.

Network Security Support Engineer 7.4 Study Guide 117


Sessions, Traffic Flow, and Networking

DO NOT REPRINT
© FORTINET
Review
 Analyze the information in the session table
 Understand the various session flags
 Capture traffic using the built-in sniffer
 Analyze the output of the debug flow
 Describe hardware offloading implications
 Configure and troubleshoot session helpers

© Fortinet Inc. All Rights Reserved. 41

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about traffic and session monitoring.

Network Security Support Engineer 7.4 Study Guide 118


Security Fabric

DO NOT REPRINT
© FORTINET

Network Security Support Engineer


Security Fabric

FortiOS 7.4
Last Modified: 25 April 2024

In this lesson, you will learn about the Fortinet Security Fabric.

Network Security Support Engineer 7.4 Study Guide 119


Security Fabric

DO NOT REPRINT
© FORTINET
Objectives
• Understand what the Security Fabric is
• Troubleshoot FortiGate-to-FortiGate downstream communication and performance
issues
• Troubleshoot resource issues that the Security Fabric daemon causes
• Diagnose automation stitches

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in the Security Fabric, you will be able to describe what the Security Fabric is,
the protocols it operates on, and how to troubleshoot common communication and resource issues. You will
also learn how to diagnose automation stitches.

Network Security Support Engineer 7.4 Study Guide 120


Security Fabric

DO NOT REPRINT
© FORTINET

Security Fabric Overview

© Fortinet Inc. All Rights Reserved. 3

In this section, you will get a quick overview of the Security Fabric.

Network Security Support Engineer 7.4 Study Guide 121


Security Fabric

DO NOT REPRINT
© FORTINET
What Is the Security Fabric?
• Intelligent architecture interconnecting security
solutions
• Detects, blocks, and remediates attacks
across the entire attack surface
• Broad protection and visibility throughout the
entire network
• Supports all system types
• Hardware
• Virtual
• Cloud-based

© Fortinet Inc. All Rights Reserved. 4

The Security Fabric provides an intelligent architecture that allows security devices to communicate with each
other. This integrated approach allows for the detection, monitoring, and remediation of attacks across the
entire attack surface.

Hardware, virtual, and cloud-based systems are supported, delivering broad protection and visibility
throughout the network.

Network Security Support Engineer 7.4 Study Guide 122


Security Fabric

DO NOT REPRINT
© FORTINET
Security Fabric Components
• Core
• Root FortiGate
• Downstream FortiGate
• FortiAnalyzer or Fortinet Cloud Logging Service

• Recommended—adds significant visibility or


control
Core
• FortiManager, FortiAP, FortiSwitch, FortiClient,
FortiSandbox, FortiMail
Recommended
• Extended—integrates with fabric, but may not
apply to everyone Extended
• Other Fortinet products and third-party products using
the API

© Fortinet Inc. All Rights Reserved. 5

At the core of the solution, the mandatory products are two or more FortiGate devices in NAT mode and a
logging system. The logging system must be FortiAnalyzer, FortiAnalyzer Cloud, or FortiGate Cloud.
Note that all FortiGate devices must operate in NAT mode in order to participate in the Security Fabric.

To add more visibility and control, Fortinet recommends adding FortiManager, FortiAP, FortiClient,
FortiSandbox, FortiMail, and FortiSwitch. You can extend the solution by adding other network security
devices.

Network Security Support Engineer 7.4 Study Guide 123


Security Fabric

DO NOT REPRINT
© FORTINET
Security Fabric Communications
• FortiTelemetry
• Uses TCP port 8013
• Connection is always established by downstream FortiGate
• Must be manually enabled on a FortiGate interface under Administrative Access

• Neighbor Discovery
• Uses UDP port 8014
• Sends broadcast messages every 60 seconds
• Responsible for security logging behavior

© Fortinet Inc. All Rights Reserved. 6

The Security Fabric uses two Fortinet proprietary protocols: FortiTelemetry and Neighbor Discovery.

The default TCP port 8013 for FortiTelemetry can be changed if necessary. In order for a downstream
FortiGate to join the Security Fabric, it must initiate the session to the upstream FortiGate through TCP port
8013. For an upstream FortiGate to be able to accept connections from a downstream FortiGate, the Security
Fabric Connection setting must be enabled on the network interface (on the GUI under Administrative
Access).

UDP port 8014 is used for the Neighbor Discovery protocol. This protocol and port are used to exchange
informational updates, such as topology changes, among Security Fabric member nodes. It is also used to
control logging behavior so that the same traffic is not logged multiple times. Only FortiGate, or the device
connected to the source of the session, creates the log. Unlike the FortiTelemetry port, the Neighbor
Discovery port cannot be changed.

Network Security Support Engineer 7.4 Study Guide 124


Security Fabric

DO NOT REPRINT
© FORTINET

Downstream Communication Issues

© Fortinet Inc. All Rights Reserved. 7

In this section, you will learn about FortiGate-to-FortiGate communications within the Security Fabric, as well
as how to diagnose and troubleshoot potential issues.

Network Security Support Engineer 7.4 Study Guide 125


Security Fabric

DO NOT REPRINT
© FORTINET
Identifying Downstream Communication Issues
• Unable to connect to root FortiGate
• Potential issues:
• Administrative access disabled for Security Fabric on upstream FortiGate
• FortiOS firmware mismatch
• Device has not been authorized yet on
root FortiGate
• Wrong IP address configured for root
FortiGate
• FortiGate not in NAT mode
• TCP port 8013 blocked
• UDP port 8014 blocked

© Fortinet Inc. All Rights Reserved. 8

The screenshot on this slide shows a communication issue between an upstream FortiGate and a
downstream FortiGate. Some common causes of this issue include:
• The Security Fabric Connection setting has not been enabled on the upstream FortiGate GUI (under
Administrative Access).
• The FortiGate devices in the Security Fabric are not using the same firmware.
• The device has not been authorized on the root FortiGate yet.
• The wrong root FortiGate IP address is configured on the downstream FortiGate.
• The FortiGate is not configured in NAT mode.
• TCP port 8013 is blocked. You can use the diagnose sniffer command to verify this.

Network Security Support Engineer 7.4 Study Guide 126


Security Fabric

DO NOT REPRINT
© FORTINET
Troubleshooting Downstream Communication Issues
• Unsuccessful connection
• FortiTelemetry disabled

# diagnose sniffer packet any "tcp port 8013 or udp port 8014" 4
FortiTelemetry disabled
Using Original Sniffing Mode
interfaces=[any]
filters=[tcp port 8013 or udp port 8014]
47.220358 port1 in 192.168.1.112.11234 -> 192.168.1.111.8013: syn 1204417526
48.215338 port1 in 192.168.1.112.11234 -> 192.168.1.111.8013: syn 1204417526
50.218552 port1 in 192.168.1.112.11234 -> 192.168.1.111.8013: syn 1204417526
54.222117 port1 in 192.168.1.112.11234 -> 192.168.1.111.8013: syn 1204417526

© Fortinet Inc. All Rights Reserved. 9

The first step in troubleshooting communication issues related to the Security Fabric is to run a sniffer on TCP
port 8013 or UDP port 8014. In this example, the downstream FortiGate with the IP address 192.168.1.112
is unable to establish a connection with the upstream FortiGate configured with 192.168.1.111. Since you
can see the traffic arriving at the upstream FortiGate, TCP port 8013 is not blocked along the way. Instead,
FortiTelemetry has not been enabled on the appropriate interface.

Network Security Support Engineer 7.4 Study Guide 127


Security Fabric

DO NOT REPRINT
© FORTINET
Troubleshooting Downstream Communication Issues (Contd)
• Unsuccessful connection
• Downstream device not authorized
# diagnose sys csf authorization pending-list
Serial IP Address HA-Members Appliance Path
-----------------------------------------------------------------------------------------------------------
FGVMULTM23000469 FGVMULTM23000469 fortigate FGVMULTM22000957:FGVMULTM23000469

# diagnose sniffer packet any "tcp port 8013 or udp port 8014" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[tcp port 8013 or udp port 8014]
47.220358 port1 in 192.168.1.112.11234 -> 192.168.1.111.8013: syn 1204417526
48.215338 port1 in 192.168.1.112.11234 -> 192.168.1.111.8013: syn 1204417526
50.218552 port1 in 192.168.1.112.11234 -> 192.168.1.111.8013: syn 1204417526
54.222117 port1 in 192.168.1.112.11234 -> 192.168.1.111.8013: syn 1204417526

© Fortinet Inc. All Rights Reserved. 10

Another example of a similar symptom could be that the downstream device has not yet been authorized on
the root FortiGate. You can verify whether there is a pending authorization using the command shown on this
slide. You can accept a pending authorization using the command: diagnose sys csf authorization
accept <Serial Number of FortiGate>. You can also deny the pending authorization by replacing
accept with deny in the command. You also have the option to view pending authorization requests in the
GUI under System > Firmware & Registration.

Network Security Support Engineer 7.4 Study Guide 128


Security Fabric

DO NOT REPRINT
© FORTINET
Troubleshooting Downstream Communication Issues (Contd)
• Successful connection
• FortiTelemetry enabled

# diagnose sniffer packet any "tcp port 8013 or udp port 8014" 4 FortiTelemetry must be
manually enabled
Using Original Sniffing Mode
interfaces=[any]
filters=[tcp port 8013 or udp port 8014]
9.369595 port1 in 192.168.1.112.16173 -> 192.168.1.111.8013: psh 2385744074 ack 216959785
9.369720 port1 out 192.168.1.111.8013 -> 192.168.1.112.16173: psh 216959785 ack 2385744169
9.370018 port1 in 192.168.1.112.16173 -> 192.168.1.111.8013: ack 216959880
12.371901 port1 in 192.168.1.112.16173 -> 192.168.1.111.8013: psh 2385744169 ack 216959880
12.371983 port1 out 192.168.1.111.8013 -> 192.168.1.112.16173: psh 216959880 ack 2385744264
12.372127 port1 in 192.168.1.112.16173 -> 192.168.1.111.8013: ack 216959975

© Fortinet Inc. All Rights Reserved. 11

After you select the Security Fabric Connection checkbox, and then apply the changes, FortiTelemetry
becomes active on the FortiGate interface, which allows incoming Security Fabric connection requests to be
accepted. The downstream FortiGate has successfully established a connection with the upstream FortiGate.

Network Security Support Engineer 7.4 Study Guide 129


Security Fabric

DO NOT REPRINT
© FORTINET
Troubleshooting Downstream Communication Issues (Contd)
• Non-root FortiGate
# diagnose test application csfd 1 Downstream info
Dump CSF daemon info device total: 1
group name:
group pwd: * # 1
status: Active sn: FGVMULTM23000472
auth by cert: n id: 2
ip: 192.168.1.112
Upstream info port: 11405
sn: FGVMULTM22000957 status: link-ok SSL-ok hello-ok auth-ok
id: 1 no response: 0
ip: 192.168.1.108 SLBC member: n
port: 8013
status: link-ok SSL-ok hello-ok auth-ok
no response: 0
SLBC member: n

© Fortinet Inc. All Rights Reserved. 12

Use the command diagnose test app csfd 1 to confirm that two or more devices in the Security Fabric
are communicating properly. The command lists Security Fabric statistics, such as all upstream and
downstream devices, including their IP address, serial number, and status. In the example on this slide, the
command was run on a FortiGate connected to an upstream FortiGate as well as a downstream FortiGate.

Network Security Support Engineer 7.4 Study Guide 130


Security Fabric

DO NOT REPRINT
© FORTINET
Troubleshooting Downstream Communication Issues (Contd)
• Root FortiGate

# diagnose test application csfd 1 Downstream info


Dump CSF daemon info device total: 1
group name: NST-SecFabric
group pwd: * # 1
status: Active sn: FGVMULTM23000469
accept auth by cert: y id: 2
forticloud account enforcement: y ip: 192.168.1.111
port: 22271
Upstream info status: link-ok SSL-ok hello-ok auth-ok
N/A no response: 0
SLBC member: n

© Fortinet Inc. All Rights Reserved. 13

On this slide, you can see the differences when the command is run on the root FortiGate. The group name is
shown, and no upstream information is available, because this FortiGate sits at the top of the topology.

Network Security Support Engineer 7.4 Study Guide 131


Security Fabric

DO NOT REPRINT
© FORTINET
Upstream and Downstream FortiGate
# diagnose sys csf upstream
Upstream Information:
Serial Number:FGVMULTM22000957
IP:192.168.1.108
Connecting interface:port1
Connection status:Authorized

# diagnose sys csf downstream


1: FGVMULTM23000472 (192.168.1.112) Management-IP: 192.168.1.112
Management-port:0 parent: FGVMULTM23000469
path:FGVMULTM23000469:FGVMULTM23000472
data received: Y downstream intf:port1 upstream intf:port1 upstream
vdom:root
admin-port:443 authorizer:FGVMULTM22000957

© Fortinet Inc. All Rights Reserved. 14

Use the commands shown on this slide on a non-root FortiGate to view detailed information about upstream
and downstream devices.

Network Security Support Engineer 7.4 Study Guide 132


Security Fabric

DO NOT REPRINT
© FORTINET
Detailed Summary of Connected Devices
# diagnose sys csf global
Current vision:
[
{
"path":" FGVMULTM22000957 ",
"mgmt_ip_str":"",
"mgmt_port":0,
"object_unification":1,
"serial":" FGVMULTM22000957 ",
"host_name":"FGT-1",
"firmware_version_major":7,
"firmware_version_minor":4,
"firmware_version_patch":2,
"firmware_version_build":2571,
"firmware_version_branch":2571,
...

© Fortinet Inc. All Rights Reserved. 15

The command diagnose sys csf global shows a summary of all connected devices in the Security
Fabric.

Network Security Support Engineer 7.4 Study Guide 133


Security Fabric

DO NOT REPRINT
© FORTINET

Performance Issues

© Fortinet Inc. All Rights Reserved. 16

In this section, you will learn how to troubleshoot performance issues related to the Security Fabric.

Network Security Support Engineer 7.4 Study Guide 134


Security Fabric

DO NOT REPRINT
© FORTINET
Real-Time Application Debug
• csfd is the daemon responsible for anything related to the Security Fabric
• Useful to troubleshoot issues such as a frozen GUI
# diagnose debug application csfd -1
Serial number of
# diagnose debug enable downstream device
...
<2490-U> 04 __nstd_recv()-621:
<2490-U> 10000000 conn_msg_type_check()-521: 192.168.1.112:11670 r_hdr.len:2842
hdr_type:NSTD_MSG_TREE_UPD path_len:0 ttl:0
<2490-U> 80 tree_updater_validate_tree_upd()-48: received update from downstream: FGVMULTM23000472
<2490-U> 10000000 nstd_recv_hd()-653: Forwarding NSTD_MSG_TREE_UPD pkt from 192.168.1.112:11670 to
priv
<2490-U> 10 daemon_send_internal_msg_ex()-211: Sending internal msg NSTD_INTERNAL_MSG_EXTERNAL_PKT
data_len=2842
<2490-U> 04 nstd_chan_data_ep_hd()-194: IP and connecting TCP port
of downstream device
...

© Fortinet Inc. All Rights Reserved. 17

Use the real-time application debug shown on this slide to troubleshoot issues as they are occurring.
For example, if the GUI lags during login, run the debug before navigating to the FortiGate management IP.

This same debug can also be used to troubleshoot communication issues. In this output, you can see
communication with the downstream FortiGate. The downstream FortiGate always establishes the Security
Fabric session with the upstream FortiGate. This is why the TCP source port in this example is 11405, not
8013.

Network Security Support Engineer 7.4 Study Guide 135


Security Fabric

DO NOT REPRINT
© FORTINET
High CPU Usage Caused by csfd
• Outputs to gather if csfd causes high CPU
• Helpful for Fortinet Support
# diagnose debug application csf -1
Can be gathered using the
# diagnose debug enable command diagnose sys
top

# diagnose sys process dump <csfd pid>


# diagnose sys process pstack <csfd pid>
# diagnose sys process trace <csfd pid>

© Fortinet Inc. All Rights Reserved. 18

When csfd causes high CPU usage, use the same real-time debug. In addition, it is helpful to gather the
output that the three additional diagnose commands shown on this slide provide. All three commands dump
CPU information about the csfd process, which can reveal a potential bug.

You can find the process ID of csfd by running the diagnose sys top command.

Network Security Support Engineer 7.4 Study Guide 136


Security Fabric

DO NOT REPRINT
© FORTINET
High Memory Usage Caused by csfd
• Outputs to gather if csfd causes high memory usage

# diagnose test application csfd 1 – show stats


# diagnose test application csfd 4 – start diagnostics collection
# diagnose test application csfd 7 – print diagnostics stats
# diagnose test application csfd 15 – show query cache status
# diagnose test application csfd 45 – show worker process information
# diagnose test application csfd 60 – show MAC cache status
# diagnose test application csfd 150 – Dump registered elements
# diagnose test application csfd 195 – List of open sockets
# diagnose test application csfd 212 – List unconfirmed outgoing msgs
# diagnose test application csfd 225 – Dump table counts

© Fortinet Inc. All Rights Reserved. 19

When troubleshooting high memory usage issues caused by csfd with Fortinet Support, you should collect
the output of the commands shown. Each command output contains valuable information about the cause of
the high memory use. Note that the diagnose test application command is not a real-time debug and
therefore will not cause additional performance impacts on FortiGate.

Network Security Support Engineer 7.4 Study Guide 137


Security Fabric

DO NOT REPRINT
© FORTINET

Automation Stitches

© Fortinet Inc. All Rights Reserved. 20

In this section, you will learn about automation stitches and how to troubleshoot them.

Network Security Support Engineer 7.4 Study Guide 138


Security Fabric

DO NOT REPRINT
© FORTINET
Automation Stitches—Overview
• Automate actions among different systems in the Security Fabric
• Decreases response times to security events
• Can be configured only on the root FortiGate
• Events within the entire Security Fabric can be monitored
• Consists of a trigger and an action or actions
• Trigger: an event that triggers an action, such as a failed login attempt
• Action: the resulting response to the trigger, such as a notification email sent to
the administrator
• You can set a minimum interval to avoid too many notifications
• Use CLI commands to test, log, and display settings and statistics
• Can be run from any FortiGate in the Security Fabric

© Fortinet Inc. All Rights Reserved. 21

Administrator-defined automated workflows (called stitches) use if/then logic to cause FortiOS to automatically
respond to an event in a preprogrammed way. Because this workflow is part of the Security Fabric, you can
set up stitches for any device in the Security Fabric. If you configure stitches in a Security Fabric, you must
configure them on the root FortiGate. You configure stitches to run on all FortiGate devices in the Security
Fabric or a subset of FortiGate devices. Stitches configured on the root FortiGate are pushed to the relevant
downstream FortiGate devices. The root FortiGate does not need to be operational for previously configured
stitches to function on downstream FortiGate devices.

Each automation stitch pairs an event trigger and one or more actions, which allows you to monitor your
network and take appropriate action when the Security Fabric detects a threat or other actionable event. You
can use automation stitches to detect events from many sources. Some examples include high CPU,
conserve mode, High Availability (HA) failover, reboot, FortiOS event logs with customizable filters, indicators
of compromise (IoCs), and event handlers from FortiAnalyzer.

You can configure the Minimum interval (seconds) setting to make sure you don’t receive repeat
notifications about the same event.

There are several CLI commands available to test, log, and display settings and statistics. These commands
will be covered in this lesson.

Network Security Support Engineer 7.4 Study Guide 139


Security Fabric

DO NOT REPRINT
© FORTINET
Testing Automation Stitches
• Manually test an automation stitch
# diagnose automation test
Usage: diag automation test [stitch name] [log]

FGTVM-1 # diagnose automation test ConfigurationChange


automation test is done. stitch:ConfigurationChange

• Output of a failed test


# diagnose automation test HAFailOver
automation test failed(1). stitch:HAFailOver

© Fortinet Inc. All Rights Reserved. 22

You can use the diagnose automation test command to manually test an automation stitch. The
resulting output reveals whether or not the test was successful. Reasons for a failed test include the wrong
stitch name was used or the stitch was unable to perform one or more actions.

Network Security Support Engineer 7.4 Study Guide 140


Security Fabric

DO NOT REPRINT
© FORTINET
Troubleshooting Automation Stitches
• Real-time application debug
# diagnose debug application autod -1
Debug messages will be on for 30 minutes.

# diagnose debug enable

# diagnose automation test ConfigurationChange


pid:2226-__handle_msg()-414: Subscriber:4 received package. pubid:0 pkgid:131 pkg_index:191
pid:2226-__handle_pkg_logs()-356: Subscriber:4 processing package size:1110 logs:1 pickup:1
auto_event_pub_handle_log()-366: publish 32102 to subscr-node
pid:2226-__subscr_close_cur_pkg()-140: close package size:1110 logs:1
__dump_action_msg()-26: System will backup config, msg: Autod backup config by stitch:
ConfigurationChange

© Fortinet Inc. All Rights Reserved. 23

The real-time application debug shown on this slide can be used to troubleshoot automation stitches as they
are running.

Network Security Support Engineer 7.4 Study Guide 141


Security Fabric

DO NOT REPRINT
© FORTINET
Automation Stitch Log Dumping
• Enable log dumping to view log statistics
# diagnose test application autod 1
autod(pid:2226) log packet dump enabled

# diagnose test application autod 1


autod(pid:2226) log packet dump disabled

autod logs dumping summary:


• Outputlogid:32102
of a failed test
count:1
logid:40704 count:1
logid:46600 count:1

autod dumped total:3 logs, num of logids:3

© Fortinet Inc. All Rights Reserved. 24

Use the diagnose test application autod 1 command to toggle log dumping. Executing the
command once enables the log dump. Executing it again outputs the dump, while simultaneously disabling it.
This may be useful if you want to save all automation stich logs to a file or free up log space on the FortiGate
hard drive.

Network Security Support Engineer 7.4 Study Guide 142


Security Fabric

DO NOT REPRINT
© FORTINET
View Automation Stitch Settings
# diagnose test application autod 2
csf: enabled root: yes sync connection: connected
version:1704703038 sync time:Mon Jan 8 10:35:09 2024

• Output
total of aactivated:
stitches failed test2
stitch: ConfigurationChange
destinations: all
trigger: Configuration Change
type:config change

local hit: 3 relayed to: 0 relayed from: 0


actions:
Backup Config Disk type:system-action interval:0
delay:0 required:yes

stitch: Firmware upgrade notification


destinations: all
trigger: Auto Firmware upgrade
type:logid

© Fortinet Inc. All Rights Reserved. 25

The diagnose test application autod 2 command displays the settings for all automation stitches.

Network Security Support Engineer 7.4 Study Guide 143


Security Fabric

DO NOT REPRINT
© FORTINET
View Automation Stitch Statistics
# diagnose test application autod 3
alert mail log count: 0

stitch: ConfigurationChange

• Output of ahit:
local failed test
3 relayed to: 0 relayed from: 0
last trigger:Mon Jan 8 10:41:02 2024
last relay:
actions:
Backup Config Disk:
done: 3 relayed to: 0 relayed from: 0
last trigger:Mon Jan 8 10:41:02 2024
last relay:

stitch: Firmware upgrade notification

local hit: 0 relayed to: 0 relayed from: 0


last trigger: last relay:
actions:
Email Notification:
done: 0 relayed to: 0 relayed from: 0

© Fortinet Inc. All Rights Reserved. 26

The diagnose test application autod 3 command provides detailed statistics on every automation
stitch configured in the Security Fabric.

Network Security Support Engineer 7.4 Study Guide 144


Security Fabric

DO NOT REPRINT
© FORTINET
View Running Automation Stitches
# diagnose test application autod 5

runned stitches: total:8 done:8 drop:0

• Outputstitches:
running of a failed
3 test

Currently running stitches

© Fortinet Inc. All Rights Reserved. 27

The output of the diagnose test application autod 5 command shows the number of stitches
currently running. It also shows how many stitches have been successfully or unsuccessfully completed.

Network Security Support Engineer 7.4 Study Guide 145


Security Fabric

DO NOT REPRINT
© FORTINET
Review
 Understand what the Security Fabric is
 Troubleshoot FortiGate-to-FortiGate downstream communication and
performance issues
 Troubleshoot resource issues that the Security Fabric daemon causes
 Diagnose automation stitches

© Fortinet Inc. All Rights Reserved. 28

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned what the Security Fabric is, the protocols it
operates on, and how to troubleshoot common communication and resource issues. You also learned how to
diagnose automation stitches.

Network Security Support Engineer 7.4 Study Guide 146


Firewall Authentication

DO NOT REPRINT
© FORTINET

Network Security Support Engineer


Firewall Authentication

FortiGate 7.4
Last Modified: 25 April 2024

In this lesson, you will learn about firewall authentication and how to troubleshoot issues.

Network Security Support Engineer 7.4 Study Guide 147


Firewall Authentication

DO NOT REPRINT
© FORTINET
Objectives
• Understand user authentication logs
• Monitor authenticated users
• Understand LDAP, RADIUS, and SAML troubleshooting tools
• Understand LDAP and RADIUS common problems and solutions

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding firewall authentication, you will be able to understand how to
monitor the status of authenticated users and troubleshoot the most common problems with local, LDAP,
RADIUS, and SAML authentication.

Network Security Support Engineer 7.4 Study Guide 148


Firewall Authentication

DO NOT REPRINT
© FORTINET

Firewall Authentication Troubleshooting

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn about local authentication troubleshooting commands.

Network Security Support Engineer 7.4 Study Guide 149


Firewall Authentication

DO NOT REPRINT
© FORTINET
Diagnostic Steps for Authentication Issues
• FortiGate using LDAP, NTLM, RADIUS, and so on
• Can users authenticate?
• Are users being given the correct permissions?
• What do the event logs show?
• Was authentication successful at first but problems occurred later?
• Is the username correct?
• What do the logs show?
• Is traffic being blocked?
• Are users being treated with the correct profiles?
• What do the server logs show?
• FortiGate bases decisions on server responses

© Fortinet Inc. All Rights Reserved. 4

When a problem occurs, the first thing you should do is define the problem. The first step in troubleshooting
authentication problems is to collect specific information so you can narrow the scope of the problem. Is the
problem occurring for more than one user? Is the problem related to user authentication and not to user
permissions?

The first place you should check is the logs. What do they show? Is the username correct? Is the traffic being
blocked after the authentication? What user profile is assigned to the user?

In the case of remote server authentication (such as RADIUS or LDAP), you should also check the logs on the
server side. In remote server authentication cases, FortiGate authentication depends on the server response.
If the RADIUS credentials are invalid, what do the RADIUS server logs show? Is the user account still active
on the RADIUS server?

Network Security Support Engineer 7.4 Study Guide 150


Firewall Authentication

DO NOT REPRINT
© FORTINET
User Authentication Monitor
Dashboard > Firewall User Monitor

© Fortinet Inc. All Rights Reserved. 5

This slide shows an example of the Firewall User Monitor. A log and event can be generated each time a
user authentication action is successful or fails. This FortiView menu is not included on the GUI menu by
default―you must enable it.

Network Security Support Engineer 7.4 Study Guide 151


Firewall Authentication

DO NOT REPRINT
© FORTINET
Monitoring Authenticated Users
• On the GUI:

• On the CLI:
ISFW # diagnose firewall auth filter [source | policy | user | group | method]

ISFW # diagnose firewall auth list

10.1.10.1, User1
src_mac: 02:09:0f:00:08:01
type: fw, id: 0, duration: 8962, idled: 56
expire: 243, allow-idle: 300
packets: in 10656 out 6419, bytes: in 9571640 out 923906
user_id: 16777219
group_id: 2
group_name: Local_Group
----- 1 listed, 0 filtered ------

© Fortinet Inc. All Rights Reserved. 6

You can check the list of active users on the GUI or CLI. On the CLI, the command is diagnose firewall
auth list. You can filter the output with the command diagnose firewall auth filter. In the
example on this slide, you can see some of the filter options that are available.

Network Security Support Engineer 7.4 Study Guide 152


Firewall Authentication

DO NOT REPRINT
© FORTINET
Session for an Authenticated User
ISFW # diagnose sys session list

session info: proto=6 proto_state=01 duration=157 expire=3559 timeout=3600 flags=00000000


socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper= Username authed flag
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=User1 state=log may_dirty authed f00 acct-ext
statistic(bytes/packets/allow_err): org=2137/14/1 reply=1663/12/1 tuples=2
tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 1/0
orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=10.1.0.254/10.1.10.1
hook=pre dir=org act=noop 10.1.10.1:34830->35.241.9.150:443(0.0.0.0:0)
hook=post dir=reply act=noop 35.241.9.150:443->10.1.10.1:34830(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=14735 auth_info=2 chk_client_info=0 vd=0
serial=0000352e tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/anpu_state=0x000100
no_ofld_reason: npu-flag-off

© Fortinet Inc. All Rights Reserved. 7

Any session for traffic coming from an authenticated user contains the authed flag. Additionally, the
username is added to the session information.

Network Security Support Engineer 7.4 Study Guide 153


Firewall Authentication

DO NOT REPRINT
© FORTINET
Authentication Real-Time Debug

ISFW # diagnose debug application authd -1

[authd_http_wait_auth:2552]: src 10.1.10.1 flag 00018800


[authd_fnbam_auth_user:1397]: called
authd_fnbam_auth_user: username=User1, policy_id=0
authd_fnbam_locked_out: username=User1, src_addr=10.1.10.1, n_failures=0, record_ttl=-25512
[_authd_fnbam_auth_user:1310]: called
_authd_fnbam_auth: Start authpid=183, auth_rsp_data=(nil)pid=183, user=User1User1(Local_Group)
authentication successful: timeout=300 group_id=( 16777219 2 )

© Fortinet Inc. All Rights Reserved. 8

There is a real-time debug for troubleshooting problems that are related to any user authentication methods:
local, remote, and even FSSO. The debug command is diagnose debug application authd.

Network Security Support Engineer 7.4 Study Guide 154


Firewall Authentication

DO NOT REPRINT
© FORTINET

LDAP Authentication Troubleshooting

© Fortinet Inc. All Rights Reserved. 9

In this section, you will learn about troubleshooting commands and common issues with LDAP authentication.

Network Security Support Engineer 7.4 Study Guide 155


Firewall Authentication

DO NOT REPRINT
© FORTINET
LDAP Directory Tree Example

dc=example,dc=com

c=usa c=france c=canada

ou= hr ou= it

uid= abush
uid= apiquet uid: jsmith
email:
[email protected]
objectClass:
inetOrgPerson

DN: uid= jsmith, ou=it, c=france, dc=example, dc=com

© Fortinet Inc. All Rights Reserved. 10

Now you will review the LDAP protocol.

The hierarchy of an LDAP schema does not need to resemble the organization. However, the naming
conventions and group structure is usually a close match to the company hierarchy.

This slide shows the root or DC. In any LDAP schema, this is where an LDAP tree always starts.
After that, the groups (or branches) are defined using C, OU, or O. The exact behavior and options used
depend on the schema and what exactly is being defined. Branches may contain objects and each object
contains attributes. Objects are uniquely identified by their distinguished names (DNs). The full DN specifies
where the object is, and the name and value of an attribute that can be used to find it.

Network Security Support Engineer 7.4 Study Guide 156


Firewall Authentication

DO NOT REPRINT
© FORTINET
Regular Bind Flow―Group Query
Bind request
Bind DN: cn=administrator,cn=Users,dc=TAC,dc=ottawa,dc=fortinet,dc=com
Step 1 Bind<admin_password>

Bind Response Success

Search request
Step 2
FortiGate device

Base Object: dc=fortinet,dc=com


Scope: wholeSubtree

LDAP server
Filter: sAMAccountName=jsmith

SearchResEntry
DN: cn=John Smith,cn=Users,dc=TAC,dc=ottawa,dc=fortinet,dc=com

Unbind Request

Unbind Response Success

Bind request
Bind DN: cn=John Smith,cn=Users,dc=TAC,dc=ottawa,dc=fortinet,dc=com
Step 3 Bind <user_password>

Bind response success

Step 4
© Fortinet Inc. All Rights Reserved. 11

There are three different methods, or bind types, that FortiGate can use to access an LDAP server: simple,
anonymous, and regular. In this lesson, you will learn about regular bind, which is the most complex, versatile,
and commonly used method.

There are four steps to LDAP authentication using regular bind. First, FortiGate logs in to (binds to) the LDAP
server using an LDAP administrator account. At this point, FortiGate knows only the username, but it doesn't
know the branch where the user is located. During the second step, FortiGate does a search query in the
LDAP database to find the user’s location―in other words, the user’s DN. If the user is found, the server
replies with the user’s DN. After that, FortiGate logs out of (unbinds from) the LDAP server.

The third step is another bind, but this time using the user credentials. FortiGate sends the DN, which it
learned in the previous step, and password.

The last step is to get the user group information. How this is done depends on the type of LDAP server, but it
is generally achieved through an LDAP query.

When you are isolating an issue with LDAP, the first step is to determine which of these four steps is failing.

Network Security Support Engineer 7.4 Study Guide 157


Firewall Authentication

DO NOT REPRINT
© FORTINET
Regular Bind Configuration
User & Authentication > LDAP Servers

© Fortinet Inc. All Rights Reserved. 12

Most LDAP authentication issues are caused by misconfigurations. So, you will learn how to check if the
regular-bind LDAP configuration is correct. You will analyze a use case in which an LDAP server is based on
Windows AD, which is the most common use case.

Misconfigurations usually occur in one of these LDAP settings:


• Common Name Identifier
• Distinguished Name
• Username
• Password

Network Security Support Engineer 7.4 Study Guide 158


Firewall Authentication

DO NOT REPRINT
© FORTINET
Windows AD Regular Bind Configuration
• To see the DN, run either of these two commands from the server command prompt:
• > dsquery user –name <full_user_name>
• > dsquery user –samid <login_username>
• For example, for the following output:
• > dsquery user –samid jsmith
• “cn=John Smith,cn=users,dc=california,dc=fortinet,dc=com”
• Configure the DN as:
• dc=california,dc=fortinet,dc=com

© Fortinet Inc. All Rights Reserved. 13

How do you check if the DN is configured correctly? You can run either of these two commands in the
Windows AD server command prompt:
• dsquery user –name <full_user_name>
• dsquery user –samid <login_username>

The output displays the user DN. The DN configuration specifies a parent branch that all users are located
under. FortiGate searches users in any sub-branch below the parent branch. In the example on this slide, the
DN settings are: dc=california,dc=fortinet,dc=com.

Network Security Support Engineer 7.4 Study Guide 159


Firewall Authentication

DO NOT REPRINT
© FORTINET
Windows AD Regular Bind Configuration (Contd)

• To see the user DN (or bind DN), run either of these two commands from the server
command prompt:
• > dsquery user –name <admin_full_user_name>
• > dsquery user –samid <admin_login_username>
• Copy and paste the full administrator DN

© Fortinet Inc. All Rights Reserved. 14

The user DN (or bind DN) setting is the full DN of the LDAP admin account.

You can use the Windows LDAP server command (dsquery) to find that information.

Network Security Support Engineer 7.4 Study Guide 160


Firewall Authentication

DO NOT REPRINT
© FORTINET
Windows AD Regular Bind Configuration (Contd)

• For example, for the following output:


• > dsquery user –samid administrator
• cn=Administrator,cn=users,dc=tac,dc=ottawa,dc=fortinet,dc=com
• Configure the user DN as:
• cn=Administrator,cn=users,dc=tac,dc=ottawa,dc=fortinet,dc=com

© Fortinet Inc. All Rights Reserved. 15

You can simply copy and paste the full DN output from the server command prompt to the FortiGate
configuration.

Network Security Support Engineer 7.4 Study Guide 161


Firewall Authentication

DO NOT REPRINT
© FORTINET
Windows AD Regular Bind Configuration (Contd)
cn for full name,
or sAMAccountName for login-name

Output of:
dsquery user –name <full_user_name>
dsquery user –samid <user_login_name>

Output of:
dsquery user –name <full_admin_user_name>
dsquery user –samid <admin_login_name>

Administrator password
© Fortinet Inc. All Rights Reserved. 16

This slide shows a summary of how to correctly configure regular bind for Windows AD. A different type of
LDAP server might require a different approach.

You usually set the Common Name Identifier to CN or sAMAccountName. If you set it to CN, users must
authenticate using their full names (for example, John Smith). If you set it to sAMAccountName, users must
authenticate using their login names (for example, jsmith).

You can find the DN that you must type in the Distinguished Name field by querying the user’s DN with the
Windows AD command dsquery.

You can find the information that you must type in the Username field by querying the administrator DN with
the same Windows AD command dsquery.

Finally, the password setting is the LDAP administrator password.

Network Security Support Engineer 7.4 Study Guide 162


Firewall Authentication

DO NOT REPRINT
© FORTINET
Authentication Test Command

ISFW # diagnose test authserver ldap <server_name> <user> <password>

authenticate 'jsmith' against 'Lab' succeeded!

Group membership(s) - CN=SSLVPN,CN=Users,DC=California,DC=fortinet,DC=com


CN=TAC,CN=Users,DC=California,DC=fortinet,DC=com

© Fortinet Inc. All Rights Reserved. 17

The CLI includes an LDAP authentication test command, which is diagnose test authserver ldap. If
both the credentials and LDAP configuration are correct, you receive an authentication confirmation, as well
as a list of the user groups for that user.

You can run this test command as soon as you complete the LDAP server configuration—even before you
add any user groups, or authentication firewall policies to FortiGate. The command tests only the LDAP server
configuration and LDAP communication between FortiGate and the server.

Network Security Support Engineer 7.4 Study Guide 163


Firewall Authentication

DO NOT REPRINT
© FORTINET
Real-Time Debug

ISFW # diagnose debug application fnbamd -1


ISFW # diagnose debug enable
fnbamd_fsm.c[1274] handle_req-Rcvd auth req 8781845 for jsmith in Lab opt=27
prot=0
fnbamd_ldap.c[637] resolve_ldap_FQDN-Resolved address 10.10.181.10, result
10.10.181.10
fnbamd_ldap.c[232] start_search_dn-base:'DC=TAC,DC=ottawa,DC=fortinet,DC=com'
filter:sAMAccountName=jsmith
fnbamd_ldap.c[1351] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 8781845
fnbamd_ldap.c[266] get_all_dn-Found DN 1:CN=John
Smith,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com

User found Searching for sAMAccountName=jsmith

© Fortinet Inc. All Rights Reserved. 18

There is a real-time debug for LDAP and RADIUS. This slide shows a sample of the output you will see when
the configuration is correct.

A start_search_dn message indicates that FortiGate is performing step two: searching for the user in the
LDAP tree. This message includes the base branch (distinguished name setting) and the name of the
attribute used to locate the user (common name identifier setting).

If the LDAP server finds the user, the output shows Found DN, followed by the user’s full DN.

Network Security Support Engineer 7.4 Study Guide 164


Firewall Authentication

DO NOT REPRINT
© FORTINET
Real Time Debug (Contd)
ISFW # fnbamd_ldap.c[280] get_all_dn-Found 1 DN's
fnbamd_ldap.c[314] start_next_dn_bind-Trying DN 1:CN=John
Smith,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com
fnbamd_ldap.c[1399] fnbamd_ldap_get_result-Going to USERBIND state
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 8781845
fnbamd_ldap.c[520] start_multi_attribute_lookup-Adding attr 'memberOf'
fnbamd_ldap.c[536] start_multi_attribute_lookup-base:'CN=John
Smith,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com' filter:cn=* Bind user credentials

fnbamd_ldap.c[569] get_member_of_groups-Get the memberOf groups.
fnbamd_ldap.c[593] get_member_of_groups- attr='memberOf', found 2 values
fnbamd_ldap.c[600] get_member_of_groups-
val[0]='CN=SSLVPN,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com'
fnbamd_ldap.c[600] get_member_of_groups-
val[1]='CN=TAC,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com'
fnbamd_ldap.c[1477] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[1586] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[2081] fnbamd_auth_poll_ldap-Result for ldap svr 10.10.181.10
is SUCCESS User groups found
© Fortinet Inc. All Rights Reserved. 19

After that, FortiGate performs the third step: binding using the user credentials.

Finally, the output shows the fourth step: getting the list of user groups.

Network Security Support Engineer 7.4 Study Guide 165


Firewall Authentication

DO NOT REPRINT
© FORTINET
Sniffer
• diagnose sniffer packet any “port 389” 3
• If the bind fails, the LDAP server returns an error code
• 0x525 - user not found
• 0x52e - invalid credentials
• 0x530 - not permitted to logon at this time
• 0x531 - not permitted to logon from this workstation
• 0x532 - password expired
• 0x533 - account disabled
• 0x701 - account expired
• 0x773 - user must reset password
• 0x775 - account locked out

© Fortinet Inc. All Rights Reserved. 20

If there is a problem with the first step (admin bind) or the third step (user bind), you can sniff the traffic
between the FortiGate and the LDAP server to get the error code. The error code states explicitly why the
binding is failing.

The error codes shown on this slide are samples of generic LDAP error codes and specific to Active Directory.

Network Security Support Engineer 7.4 Study Guide 166


Firewall Authentication

DO NOT REPRINT
© FORTINET
Common Problems―Wrong Bind Password
ISFW # fnbamd_fsm.c[1274] handle_req-Rcvd auth req 6750209 for jsmith in Lab
opt=27 prot=0
fnbamd_ldap.c[637] resolve_ldap_FQDN-Resolved address 10.10.181.10, result
10.10.181.10
fnbamd_ldap.c[1255] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 6750209
fnbamd_ldap.c[1321] fnbamd_ldap_get_result-
Error in ldap_result: 49 (Invalid credentials)
fnbamd_ldap.c[1603] fnbamd_ldap_get_result-Auth denied
fnbamd_auth.c[2074] fnbamd_auth_poll_ldap-Result for ldap svr 10.10.181.10 is
denied
fnbamd_comm.c[116] fnbamd_comm_send_result-Sending result 1 for req 6750209

© Fortinet Inc. All Rights Reserved. 21

Now, you will learn about some of the most common bind issues, and how to identify them in the output of the
real-time debug.

If you see the invalid credentials error right after an authentication attempt, this means a problem occurred in
step one. There is probably an issue with the administrator account credentials.

Network Security Support Engineer 7.4 Study Guide 167


Firewall Authentication

DO NOT REPRINT
© FORTINET
Common Problems―User Not Found
ISFW # fnbamd_fsm.c[1274] handle_req-Rcvd auth req 6750221 for jsmith in Lab
opt=27 prot=0
fnbamd_ldap.c[637] resolve_ldap_FQDN-Resolved address 10.10.181.10, result
10.10.181.10
fnbamd_ldap.c[232] start_search_dn-base:'DC=fortinet,DC=com'
filter:sAMAccountName=jsmith
fnbamd_ldap.c[1351] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 6750221
fnbamd_ldap.c[275] get_all_dn-Found no DN
fnbamd_ldap.c[298] start_next_dn_bind-No more DN left
fnbamd_ldap.c[1603] fnbamd_ldap_get_result-Auth denied
fnbamd_auth.c[2074] fnbamd_auth_poll_ldap-Result for ldap svr 10.10.181.10 is
denied
fnbamd_comm.c[116] fnbamd_comm_send_result-Sending result 1 for req 6750221

© Fortinet Inc. All Rights Reserved. 22

The message No more DN left indicates that a problem occurred in step two. The LDAP server couldn't
find the user in the LDAP tree.

Network Security Support Engineer 7.4 Study Guide 168


Firewall Authentication

DO NOT REPRINT
© FORTINET
Common Problems―Wrong User Password
ISFW # fnbamd_fsm.c[1274] handle_req-Rcvd auth req 6750221 for jsmith in Lab
opt=27 prot=0
fnbamd_ldap.c[637] resolve_ldap_FQDN-Resolved address 10.10.181.10, result
10.10.181.10
fnbamd_ldap.c[232] start_search_dn-base:'DC=fortinet,DC=com'
filter:sAMAccountName=jsmith
fnbamd_ldap.c[1351] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 6750221
fnbamd_ldap.c[275] get_all_dn-Found no DN
fnbamd_ldap.c[298] start_next_dn_bind-No more DN left
fnbamd_ldap.c[1603] fnbamd_ldap_get_result-Auth denied
fnbamd_auth.c[2074] fnbamd_auth_poll_ldap-Result for ldap svr 10.10.181.10 is
denied
fnbamd_comm.c[116] fnbamd_comm_send_result-Sending result 1 for req 6750221

© Fortinet Inc. All Rights Reserved. 23

If the output shows that the user was found, but an Auth denied message appears below, this indicates that
a problem occurred in step three. Either the user credentials are wrong or the user account is not active.

Network Security Support Engineer 7.4 Study Guide 169


Firewall Authentication

DO NOT REPRINT
© FORTINET
Common Problems―Groups Not Found

ISFW # fnbamd_ldap.c[569] get_member_of_groups-Get the memberOf groups.


fnbamd_ldap.c[588] get_member_of_groups-attr='groups' - found 0 values
fnbamd_ldap.c[1477] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[1586] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[2081] fnbamd_auth_poll_ldap-Result for ldap svr 10.10.181.10 is
SUCCESS
fnbamd_auth.c[2102] fnbamd_auth_poll_ldap-Skipping group matching
fnbamd_comm.c[116] fnbamd_comm_send_result-Sending result 0 for req 6750226

© Fortinet Inc. All Rights Reserved. 24

The error message get_member_of_groups-attr=<attribute_name> - found 0 values indicates


that a problem occurred in step four. The user credentials are correct, but no user group information was
found.

In some LDAP implementations, the user group information is not used. All LDAP users have the same
privileges, regardless of their AD group memberships. In those implementations, you can ignore this error
message.

Network Security Support Engineer 7.4 Study Guide 170


Firewall Authentication

DO NOT REPRINT
© FORTINET
Tips for Troubleshooting LDAP Authentication
• Is the admin bind not working?
• Check the bind name with these commands:
• > dsquery user –name <admin_full_user_name>
• > dsquery user –samid <admin_login_name>
• Check the bind password
• Sniff the error code coming from the server
• Could the LDAP server find the user?
• If the common name identifier is set to sAMAccountName, use the login name
• If it is cn, use the full name
• Check the distinguished name with this command:
• > dsquery user –name <full_user_name>

© Fortinet Inc. All Rights Reserved. 25

What do you do if the problem occurs in step one (admin bind is not working)?
• Use the dsquery query command to check the administrator DN.
• Check the admin password.
• Sniff the error code coming from the server.

What do you do if the problem occurs in step two (LDAP server could not find the user)?
• If the common name identifier is set to sAMAccountName, the user must use their login name. If it is set to
cn, the user must use their full name.
• Check the distinguished name setting with the dsquery command.

Network Security Support Engineer 7.4 Study Guide 171


Firewall Authentication

DO NOT REPRINT
© FORTINET

RADIUS Authentication Troubleshooting

© Fortinet Inc. All Rights Reserved. 26

In this section, you will learn about RADIUS authentication troubleshooting commands.

Network Security Support Engineer 7.4 Study Guide 172


Firewall Authentication

DO NOT REPRINT
© FORTINET
RADIUS Overview
• Standard protocol that provides authentication, authorization, and accounting (AAA)
services

Access-Request

Access-Accept
or
Access-Reject
User FortiGate or RADIUS server
Access-Challenge

© Fortinet Inc. All Rights Reserved. 27

Normal authentication queries with the RADIUS protocol begin with an Access-Request being sent from the
FortiGate to the RADIUS server. A valid response to this query is Access-Accept or Access-Reject (yes or no,
effectively).

If two-factor authentication is enabled on the server, the response is an Access-Challenge message, which
means that the server is essentially looking for more information.

Network Security Support Engineer 7.4 Study Guide 173


Firewall Authentication

DO NOT REPRINT
© FORTINET
Testing RADIUS Queries
• On the CLI:

ISFW # diagnose test authserver radius <server_name> <scheme> <user> <password>

• Supported schemes are:


• chap
• pap
• mschap
• mschap2

© Fortinet Inc. All Rights Reserved. 28

Just like there is for LDAP, there is a CLI test command for RADIUS. To respond, you must provide not only
the credentials for a test user, but also the authentication scheme. FortiGate supports the following RADIUS
schemes: CHAP, PAP, MS-CHAP, and MS-CHAPv2.

Also, just like it does for LDAP, this command tests only the FortiGate RADIUS server configuration. It does
not require any user group or firewall policy in the FortiGate configuration.

Network Security Support Engineer 7.4 Study Guide 174


Firewall Authentication

DO NOT REPRINT
© FORTINET
RADIUS Real-Time Debug
ISFW # diagnose debug application fnbamd -1
ISFW # diagnose debug enable
Username
fnbamd_fsm.c[1819] handle_req-Rcvd auth req 2 for student in RadiusServer opt=29 prot=1
fnbamd_fsm.c[336] __compose_group_list_from_req-Group 'RadiusServer'
fnbamd_pop3.c[573] fnbamd_pop3_start-student
fnbamd_cfg.c[443] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server
'RadiusServer' Scheme
fnbamd_radius.c[1006] fnbamd_radius_auth_send-Compose RADIUS request
fnbamd_radius.c[1195] fnbamd_radius_auth_send-Sent radius req to server 'RadiusServer':
IP=172.25.188.164 code=1 id=1 len=92 user="student" using CHAP
fnbamd_auth.c[268] radius_server_auth-Timer of rad 'RadiusServer' is added
fnbamd_fsm.c[428] create_auth_session-Total 1 server(s) to try
fnbamd_auth.c[1990] fnbamd_auth_handle_radius_result-Timer of rad 'RadiusServer' is deleted
fnbamd_auth.c[2016] fnbamd_auth_handle_radius_result-->Result for radius svr 'RadiusServer'
172.25.188.164(0) is 0
fnbamd_auth.c[2044] fnbamd_auth_handle_radius_result-Skipping group matching
fnbamd_fsm.c[825] find_matched_usr_grps-Skipped group matching
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 0 for req 2
fnbamd_fsm.c[568] destroy_auth_session-delete session 2
0: Authentication successful
1: Authentication failed
© Fortinet Inc. All Rights Reserved. 29

RADIUS is either a one-step or two-step process (depending on the use of two-factor authentication). It is not
as long as the four-step process that happens with LDAP regular bind. So, the output of the real-time debug is
usually shorter.

Network Security Support Engineer 7.4 Study Guide 175


Firewall Authentication

DO NOT REPRINT
© FORTINET
Sniffer on RADIUS Traffic
• Sniff UDP port 182 for authentication or port1813 for accounting
• i.e.: diagnose sniffer packet any “port 1812” 3
• Sniffer can capture various types of RADIUS data, including:
• User credentials
• RADIUS attributes
• Authentication requests, responses, and accounting information
• Timing and frequency of authentication requests and responses

© Fortinet Inc. All Rights Reserved. 30

When troubleshooting issues with RADIUS authentication or accounting, using a sniffer can be useful for
analyzing packets and identifying the root cause.

The initial step in using a sniffer is to assess whether RADIUS traffic is flowing uninterrupted between
FortiGate and the RADIUS server.

RADIUS typically uses port 1812 for authentication and port 1813 for accounting.

Sniffer output with a verbose level of 3 can be converted for analysis in Wireshark.

A sniffer can capture various types of data from RADIUS traffic, such as:

• User credentials: usernames and passwords, if transmitted in clear text


• RADIUS attributes: user roles, access permissions, and other attributes
• Packet payload: authentication requests, responses, and accounting information
• Timing information: the timing and frequency of RADIUS requests and responses

Analyzing the timing and frequency of RADIUS requests and responses can help you better understand the
authentication process.

Network Security Support Engineer 7.4 Study Guide 176


Firewall Authentication

DO NOT REPRINT
© FORTINET

SAML Authentication Troubleshooting

© Fortinet Inc. All Rights Reserved. 31

In this section, you will learn about SAML authentication troubleshooting commands.

Network Security Support Engineer 7.4 Study Guide 177


Firewall Authentication

DO NOT REPRINT
© FORTINET
Security Assertion Markup Language (SAML) Overview

• SAML serves as an open standard designed for exchanging authentication between an


identity provider (IdP) and one or more service providers (SP).

• SAML key components:


• IdP
• SP
• Assertion
• SAML protocol
• Bindings

© Fortinet Inc. All Rights Reserved. 32

SAML is an open standard for exchanging authentication and authorization data between one IdP and one or
more SPs. Both parties exchange messages using the XML protocol as transport.

SAML key components:


• IdP: A common setup is to use FortiAuthenticator as the IdP.
• SP: FortiGate can be configured as either an IdP or an SP.
• Assertion: An XML-based statement containing information about a user.
• SAML protocol: Defines the rules for communication between the IdP and the SP.
• Bindings: Define how SAML protocol messages are transmitted over different communication channels.

Network Security Support Engineer 7.4 Study Guide 178


Firewall Authentication

DO NOT REPRINT
© FORTINET
SAML Authentication Flow
Client SP IdP

Request resource
Builds auth
request
HTTP redirect
Follows redirect
Process auth
request
Send login form
Post form
Builds auth
response
HTTP post/redirect

HTTP post/redirect
Process auth
Redirect resource response

© Fortinet Inc. All Rights Reserved. 33

SAML authentication flow involves a series of steps to enable secure and standardized authentication.

Understanding the SAML authentication flow is crucial for effective troubleshooting and diagnostics when
encountering issues during the process. This knowledge will help you to identify at which step the issue is
taking place, if it involves the client, SP, IdP, or whether it is a factor unrelated to SAML, for example, traffic is
blocked.

The slide shows an example of a standard SAML authentication flow using a browser.

Network Security Support Engineer 7.4 Study Guide 179


Firewall Authentication

DO NOT REPRINT
© FORTINET
SAML Configuration as SP and IdP
FGT configured as SP FAC configured as IdP

© Fortinet Inc. All Rights Reserved. 34

As part of the troubleshooting process, it’s important to review the SAML configuration on the devices
configured as the SP and IdP.

In this slide, you can see sample configurations of a FortiGate acting as the SP and a FortiAuthenticator
acting as the IdP.

As we discussed in the previous slide, the client interacts with both the SP and IdP to collect authentication
information. A discrepancy between them will cause the authentication attempt to fail.

Network Security Support Engineer 7.4 Study Guide 180


Firewall Authentication

DO NOT REPRINT
© FORTINET
SAML Configuration as SP and IdP (Contd)
FGT: SAML Attributes FAC: SAML Attributes

© Fortinet Inc. All Rights Reserved. 35

SAML attributes are pieces of information about a user that are exchanged between IdPs and SPs during the
SAML authentication process. These attributes are included in the SAML assertion, which is built by the IdP
as part of the authentication process. The SAML assertion contains information about the user, such as their
identity, attributes, and authentication method.

While troubleshooting SAML issues, it is important to identify and compare the attributes configured as part of
the authentication process on both the SP and IdP. Verifying that these attributes match between the SP and
IdP configurations can help you to solve authentication problems.

Network Security Support Engineer 7.4 Study Guide 181


Firewall Authentication

DO NOT REPRINT
© FORTINET
SAML and SSO on FortiGate

• FortiGate supports SAML for authentication on these features:


• Administrator login
• SSL VPN
• Outbound firewall authentication
• Proxy policies
• Wireless (captive portal)
• IPsec VPN

• SAML configuration uses the ports of the service that it authenticates, for example:
• HTTPS authentication: default port 1003
• SAML config setting sample:
set single-logout-url "https://10.1.10.254:1003/remote/saml/logout/

© Fortinet Inc. All Rights Reserved. 36

A useful characteristic of SAML is that enables SSO on multiple FortiGate features, allowing users to access
multiple services with a single authentication.

You can configure SAML for multiple FortiGate features, such as:

• Administrator login
• SSL VPN
• Outbound firewall authentication
• Proxy policies
• Wireless (captive portal)
• IPsec VPN

When you configure SAML to perform authentication on one of these features, the SAML configuration
includes the port of that feature. If it’s used for HTTPS authentication, which by default uses port 1003, then
SAML configuration uses that port. For SSL VPN, the SAML configuration uses the port assigned to that
service, port 10443.

Network Security Support Engineer 7.4 Study Guide 182


Firewall Authentication

DO NOT REPRINT
© FORTINET
SAML Troubleshooting―Check Metadata
• Diagnostic and debug commands:
• SSL VPN metadata
diagnose vpn ssl saml-metadata
ISFW # diagnose vpn ssl saml-metadata FAC_SSL
<?xml version="1.0"?><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="http://10.1.10.254:10443/remote/saml/metadata/"> <SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <AssertionConsumerService isDefault="true" index="0"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://10.1.10.254:10443/remote/saml/login/"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="http://10.1.10.254:10443/remote/saml/logout/"/> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-
format:unspecified</NameIDFormat> </SPSSODescriptor></EntityDescriptor>

• Administrator access metadata


diagnose sys saml metadata

ISFW # diagnose system saml metadata


************ SP Metadata ************<?xml version="1.0"?><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="http://10.1.10.254/metadata/"> <SPSSODescriptor WantAuthnRequestsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <AssertionConsumerService isDefault="true" index="0"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://10.1.10.254/saml/?acs"/> <SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://10.1.10.254/saml/?sls"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat> </SPSSODescriptor></EntityDescriptor>

© Fortinet Inc. All Rights Reserved. 37

In some instances, you might need to download metadata to apply to the IdP.

For that purpose, FortiGate has diagnostic commands for SSL VPN and administrator login.

This slide shows output samples when using these diagnostic commands.

Network Security Support Engineer 7.4 Study Guide 183


Firewall Authentication

DO NOT REPRINT
© FORTINET
SAML Troubleshooting―Real-Time Debug
• FortiGate SAML daemon real-time debug
• diagnose debug application samld -1
• Better used in combination with the feature that applies this authentication method:
• sslvpnd
• iked
• cw-acd
• wad
• Debugging an SSL VPN with SAML authentication
ISFW # diagnose debug console timestamp enable
ISFW # diagnose debug application samld -1
ISFW # diagnose debug application sslvpn -1
ISFW # diagnose debug enable

© Fortinet Inc. All Rights Reserved. 38

You can use this CLI command to debug the SAML daemon in real time:

diagnose debug application samld -1

You must use the real-time SAML debug command in combination with the debug commands of the features
on which the SAML authentication takes place, that is:

• Proxy policies: wad


• SSL VPN: sslvpnd
• IPsec: iked
• Wireless: cw-acd

Network Security Support Engineer 7.4 Study Guide 184


Firewall Authentication

DO NOT REPRINT
© FORTINET
SAML Troubleshooting – Real-Time Debug (Contd)
• SAML daemon real-time debug output: request from the client to the IdP based on
information configured on FortiGate (SP)
Request from client SP system time stamped
based on info from SP to auth request Auth Request ID IdP SSO URL

**** SP Login Dump ****<lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0"


xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_EEC718A47FB37B472B205B11153ED409"
Version="2.0" IssueInstant="2024-02-21T00:58:44Z" Destination="https://10.1.10.2/saml-idp/nst/login/"
SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SP SSO URL
AssertionConsumerServiceURL="https://10.1.10.254:1003/remote/saml/login/">
<saml:Issuer>https://10.1.10.254:1003/remote/saml/metadata/</saml:Issuer><samlp:NameIDPolicy
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AllowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:
RemoteProviderID>http://10.1.10.2/samlidp/nst/metadata/</lasso:RemoteProviderID><lasso:MsgUrl>https://10.
1.10.2/saml-
idp/nst/login/?SAMLRequest=jZJfT8IwFMW%2FytL30W5sAZtBwhhEEtQF0AdfTN0u0GRrZ2%2Fnn29vGWIwUeJLk97eX%2B85p01Q
1FXDJ63dqxW8tIDWe68rhbw7GJHWKK4FSuRK1IDcFnw9uVnysMd4Y7TVha7IGXKZEIhgrNSKeItsRJ5ms%4</lasso:HttpRequestMet
hod><lasso:RequestID>_EEC718A47FB37B472B205B11153ED409</lasso:RequestID></lasso:Login>

IdP Entity ID SP Entity ID

© Fortinet Inc. All Rights Reserved. 39

When troubleshooting SAML authentication, the debug output provides multiple sections to analyze, including
key sections and fields collected from the IdP and SP configurations.

The SP Login Dump section contains the client’s request based on information provided by the service
provider. In this sample, a FortiGate is acting as the SP.

In this section, we can review:

• The Auth Request ID, which is included in the response from the IdP
• The IdP SSO URL, from the setting idp-single-sign-on-url in the FortiGate configuration
• The FortiGate system time stamped on the authentication request; a time mismatch between the SP and
IdP, could cause authentication to fail
• The SP SSO URL, from the setting single-sign-on-url in the FortiGate configuration
• The IdP Entity ID, from the setting id-entity-id in the FortiGate configuration
• The SP Entity ID, from the setting entity-id setting in the FortiGate configuration

You can review fields from the SP Login Dump section to detect discrepancies with the information provided
by the device acting as the IdP.

Network Security Support Engineer 7.4 Study Guide 185


Firewall Authentication

DO NOT REPRINT
© FORTINET
SAML Troubleshooting – Real-Time Debug (Contd)
• SAML daemon real-time debug output: response from the client to the FortiGate based
on info received and configured on the IdP
Response from client to SP based IdP system time
on info from IdP stamped

**** Assertion Dump ****<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"


xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_10a5aa12ea0742b6a090e0ad4b583162"
IssueInstant="2024-02-21T01:00:00Z" Version="2.0"> IdP Entity ID
<saml:Issuer>http://10.1.10.2/saml-idp/nst/metadata/</saml:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
SPNameQualifier="https://10.1.10.254:1003/remote/saml/metadata/">aduser1</saml:NameID><saml:SubjectConfir
mation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Auth Request ID to
InResponseTo="_EEC718A47FB37B472B205B11153ED409" NotOnOrAfter="2024-02-21T01:15:00Z" match Entity ID
Recipient="https://10.1.10.254:1003/remote/saml/login/"/></saml:SubjectConfirmation></saml:Subject><saml:
Conditions NotBefore="2024-02-21T00:45:00Z" NotOnOrAfter="2024-02-21T01:15:00Z">
<saml:AudienceRestriction><saml:Audience>https://10.1.10.254:1003/remote/saml/metadata/</saml:Audience></
saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2024-02-"
>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:Au
thnStatement><saml:AttributeStatement><saml:Attribute Name="username">
<saml:AttributeValue>aduser1</saml:AttributeValue></saml:Attribute><saml:Attribute Name="groups">
<saml:AttributeValue>AD_users</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Asse
rtion>
IdP allows 5-min SP Entity ID Attributes sent
time offset by IdP

© Fortinet Inc. All Rights Reserved. 40

Another section that is useful to review is the Assertion Dump.

This section provides the client authentication request to FortiGate acting as the SP, based on information
received from the IdP, which on this sample is FortiAuthenticator.

Some key fields in this section are:

• The IdP system time. A mismatch with the SP system time could cause the authentication to fail
• The IdP Entity ID, which matches the IdP setting configured on FortiAuthenticator
• The Auth Request ID that the SP sent
• The authentication request with a 5-minute offset
• The SP Entity ID, which provides the audience to which this authentication request will be successful
• This debug section shows the attributes that the IdP is analyzing to allow or deny the authentication
request

The information collected from both the SP and the IdP can be useful in diagnosing an authentication issue.

Network Security Support Engineer 7.4 Study Guide 186


Firewall Authentication

DO NOT REPRINT
© FORTINET
Review
 Understand user authentication logs
 Monitor authenticated users
 Understand LDAP, RADIUS, and SAML troubleshooting tools
 Understand LDAP and RADIUS common problems and solutions

© Fortinet Inc. All Rights Reserved. 41

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about firewall authentication and how to
troubleshoot issues.

Network Security Support Engineer 7.4 Study Guide 187


FSSO

DO NOT REPRINT
© FORTINET

Network Security Support Engineer


FSSO

FortiGate 7.4
Last Modified: 25 April 2024

In this lesson, you will review Fortinet Single Sign-On (FSSO) operation and learn about tools and tips for
troubleshooting FSSO problems.

Network Security Support Engineer 7.4 Study Guide 188


FSSO

DO NOT REPRINT
© FORTINET
Objectives
• Understand FortiGate-to-collector agent connectivity
• Understand collector agent-to-DC connectivity
• Track login events on the DC, collector agent, and FortiGate
• List active FSSO users
• Troubleshoot agentless polling mode
• Understand common problems and solutions

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of FSSO and its components, you will be able to understand
how to track user login events, list authenticated FSSO users, and troubleshoot common FSSO authentication
issues.

Network Security Support Engineer 7.4 Study Guide 189


FSSO

DO NOT REPRINT
© FORTINET

FSSO Modes and Components

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn about FSSO modes, its components, and how they interact.

Network Security Support Engineer 7.4 Study Guide 190


FSSO

DO NOT REPRINT
© FORTINET
FSSO Modes
• Agent-based FSSO
• Login events pushed to the collector agent in real time
• Agentless FSSO
• NetAPI
• Polls NetSessionEnum API
• WinSecLog
• Polls all security event logs
• Polls can be done directly from FortiGate (agentless polling)
• WMI
• Polls specific security event logs

Note: The poll interval times are estimated and depend on the number of servers and network latency

© Fortinet Inc. All Rights Reserved. 4

FSSO enables FortiGate to leverage your network’s existing authentication system for firewall authentication.
Once a user logs in, they can access other network resources without having to authenticate again.
The two most common FSSO methods are domain controller (DC) agent and polling.

DC agent mode requires one collector agent. It also requires DC agents installed in all Windows DCs. The DC
agents detect the login events and "push" this information to the collector agent. The collector agent forwards
the login events to FortiGate, together with the workstation IP address and user's group information.

Polling mode does not require a DC agent to be installed. In polling mode, the collector agent frequently polls
each DC to get the latest login events. There are three types of polling mode:

• NetAPI: polls NetSessionEnum API.


• WinSecLog: polls all security event logs.
• WMI: polls specific security event logs.

Poll intervals are estimated times that depend on the number of servers and network latency.

If a standalone collector agent is used, all three types of polling modes are supported. Alternatively, polling
can be performed directly from FortiGate (agentless polling mode), so a standalone collector agent is not
required. However, FortiGate acting as a collector agent supports only the WinSecLog polling type.

Network Security Support Engineer 7.4 Study Guide 191


FSSO

DO NOT REPRINT
© FORTINET
FSSO Components

Phase I Phase II Phase III Phase IV

Sending and
User login Collecting Gathering receiving
event login info user group authentication
memberships details

© Fortinet Inc. All Rights Reserved. 5

You can think of FSSO components as operating in these four phases:

• Phase 1: This phase starts when a user authenticates on a workstation and triggers a user login event. In
this phase, FSSO detects the login event and records the workstation name, domain, and user.

• Phase 2: In this phase, FSSO receives login information from sources such as DC agents, NTLM, API
polling mode, Win Sec, or TS/CITRIX. After collecting the login information, FortiGate operating in standard
or advanced mode, performs an administrative domain (AD) query to gather user group membership
information. In the case of eDirectory, FortiGate uses native API or LDAP to collect this information. This
phase resolves the workstation name to an IP address and determines which user groups the user belongs
to.

• Phase 3: In this phase, user login information, including the IP address and groups list, is sent to FortiGate.

• Phase 4: In this phase, FortiGate receives the authentication details and creates one or more log entries
for this login event.

Network Security Support Engineer 7.4 Study Guide 192


FSSO

DO NOT REPRINT
© FORTINET
FSSO Components (Contd)
FortiGate
Windows DC
TCP 445
without agent
(polling)

TCP 8000
TCP 445
Windows server with
collector agent

UDP 8002 UDP 8002

Terminal or Citrix
Windows domain server with TS agent
controller with DC agent

© Fortinet Inc. All Rights Reserved. 6

This slide shows how FSSO traffic flows and which ports are used.

When polling mode is used, polling is performed by either the FortiGate or the collector agent. In both cases,
TCP port 445 is used.

By default, the communication between the collector agent and FortiGate uses port TCP 8000. The
communication between the DCs and the collector agent uses, also by default, UDP port 8002.

FSSO identifies each user based on the source IP address of the traffic. Each active FSSO user is associated
with one or more IP addresses. Each IP address is associated with only one user. This creates conflicts in
networks that use terminal or Citrix servers, where more than one user shares the same IP address. For
those cases, you can install a terminal server (TS) agent. The TS agent provides the collector agent and
FortiGate with not only the source IP address of each user, but also with the source TCP/UDP ports they are
using. So, multiple users sharing the same IP address can be identified by combining the source IP address
with the source port. The communication between the TS agent and the collector agent also uses UDP port
8002.

Network Security Support Engineer 7.4 Study Guide 193


FSSO

DO NOT REPRINT
© FORTINET
Group Membership Check
Login detected

Use LDAP or
API for no User group no
Ignore user?
directory in cache?
access
yes
yes

User group no Discard login


monitored?

yes

Send login to
FortiGate

© Fortinet Inc. All Rights Reserved. 7

Each time the collector agent receives a login event, it checks if the user is in the ignore list.

If it is, the login event is discarded. After that, the collector agent checks if the user's group information is still
in the cache.

If it is not, the collector agent performs either an LDAP or an API query to get the group information from
Windows AD. Once the collector agent knows the user groups, it checks if any of them are included in the list
of monitored groups.

If none of the groups are included, the login event is not forwarded to FortiGate. If at least one group is
included, the login event is forwarded to FortiGate.

Network Security Support Engineer 7.4 Study Guide 194


FSSO

DO NOT REPRINT
© FORTINET
Workstation Check
CA adds workstation IP
Login detected to the bottom of the
workstation check poll

Set “not verified” status

Is workstation No Has dead Yes


responding? entry expired?
Yes No
Wait for Is SID a
workstation match?
No
check waiting Yes
time
Set “verified” status Set “not verified” status

Yes Is the poll No


over? Remove user (logout)

© Fortinet Inc. All Rights Reserved. 8

An external collector agent periodically checks if each active FSSO user is still logged in. It does this by
polling all known active workstations, based on a configurable interval.

How this checking is done depends on the FSSO mode. For WMI polling mode, the collector agent checks the
WMI service. For all the other modes, the collector agent checks the HKEY_USERS hive through remote
registry services.

If a workstation does not respond to these checks, the collector agent starts a timer (dead entry timeout
interval). After the timer expires, the workstation is set to “not verified” status and the collector agent assumes
that the user has logged out.

Network Security Support Engineer 7.4 Study Guide 195


FSSO

DO NOT REPRINT
© FORTINET
IP Address Change Verification

CA uses DNS to resolve


workstation name

Wait for IP address check Has IP No


address been
waiting time
changed?

Yes

CA sends a logout and a login,


with the new IP address
to the FGT

Yes Is the poll No


over?

© Fortinet Inc. All Rights Reserved. 9

You can also configure the external collector agent to periodically check if the IP address of an active FSSO
user has changed. This might happen, for example, when a user switches from a wired to a wireless network.
When you enable this collector agent feature, the collector agent periodically uses the DNS server to resolve
the workstation name.

If the DNS server replies with a new IP address, the collector agent sends a logout event to FortiGate,
followed by a login event, with the new IP address.

Therefore, it is important for the DNS server to be immediately and automatically updated each time a user
changes their IP address.

Network Security Support Engineer 7.4 Study Guide 196


FSSO

DO NOT REPRINT
© FORTINET
Additional Requirements
• TCP ports 139 and 445 must be open between the collector agent and all workstations
• Remote registry service must be up and running on each workstation
• Collector agent periodically verifies that user is still logged in to the workstation
• Ensure that workstations have proper DNS registration and that the DNS server is
updated whenever the IP address changes

© Fortinet Inc. All Rights Reserved. 10

There are three important requirements for any FSSO network, and most of the FSSO problems happen when
one of these requirements is not fulfilled.

The collector agent frequently polls each active workstation. For this polling to work properly, TCP ports 139
and 445 must be open between the collector agent and the workstations. Firewalls must allow this traffic.
Additionally, the remote registry service must be up and running on the workstations.

DNS is used to get the user’s IP address. So, administrators must ensure that each workstation name is
registered in the DNS server with the correct and up-to-date IP address.

Network Security Support Engineer 7.4 Study Guide 197


FSSO

DO NOT REPRINT
© FORTINET

FSSO Troubleshooting

© Fortinet Inc. All Rights Reserved. 11

In this section, you will learn how to diagnose FSSO issues and use troubleshooting commands.

Network Security Support Engineer 7.4 Study Guide 198


FSSO

DO NOT REPRINT
© FORTINET
FSSO Troubleshooting Checklist
• Is the TCP connection between FortiGate and the collector agent established?
• Is the collector agent properly monitoring all DCs?
• Is the domain controller generating the login events?
• Is the collector agent getting login events?
• Does the collector agent list the active FSSO users?
• Is FortiGate receiving login events?
• Does FortiGate list the active FSSO users?
• Are the user's group information and authentication rules properly configured?

© Fortinet Inc. All Rights Reserved. 12

What steps should an administrator take when troubleshooting an FSSO problem? This slide offers a general
checklist.

In this lesson, you will learn how to perform the recommended troubleshooting steps.

Network Security Support Engineer 7.4 Study Guide 199


FSSO

DO NOT REPRINT
© FORTINET
Recommended Troubleshooting Steps FSSO config backup:

• Configuration and topology information:


• FSSO version
• A copy of the exported configuration or FSSO registry from all
DCs (dcagent mode) Network topology information for polling
modes (including the number of DCs)
• FortiGate configuration file

Registry path sample:

• When the issue occurs, collect the following information:


• A copy of log file from all collector agents
• The workstation output under the affected user account
• # diag debug enable
• # diag debug auth fsso list

© Fortinet Inc. All Rights Reserved. 13

Before you start troubleshooting, it is recommended that you gather configuration and topology information.
Identify which FSSO version is in place, how many DCs are in the network, the FortiGate configuration file,
and so on.

If an issue occurs, the diagnose debug auth fsso list command can show the user information that
the collector agent is sending to FortiGate.

Network Security Support Engineer 7.4 Study Guide 200


FSSO

DO NOT REPRINT
© FORTINET
Recommended Troubleshooting Steps—CA Logs

Information level shows all If there are many FSSO


FSSO events events, increase the log
file size to 100 MB

You can optionally record the


login events on a different file,
for easier browsing

© Fortinet Inc. All Rights Reserved. 14

As part of the initial troubleshooting steps, make some changes to the collector agent logging settings to
ensure that all the required debug information is captured. First, in the Log level field, select Information.

Second, increase the setting in the Log file size limit (MB) field. If the log file limit is too low, especially in big
FSSO networks, you might not have time to see the relevant debug information, because it will be overridden
quickly by new log events.

Third, you can optionally record the login events in a different file by selecting Log logon events in separate
logs.

Network Security Support Engineer 7.4 Study Guide 201


FSSO

DO NOT REPRINT
© FORTINET
Tracking a Specific User
• Perform the user login
• Check which DC recorded the login event:
• echo %logonserver% using cmd.exe
• Check the login event using the Windows event viewer
• In the collector agent:
• Check logs and the list of active FSSO users
• Check that the user group is listed in the group filter
• FortiGate:
• Check logs to verify that the login event was received
• Check the list of active FSSO users
• Generate traffic from the user workstation and verify that the user is listed in the FortiGate user monitor

© Fortinet Inc. All Rights Reserved. 15

If the FSSO issue can be reproduced, there are different tools that you can use to track the login event as it
travels from the DC, to the collector agent, and then to FortiGate. Follow these steps:
1. Perform the login.
2. Check which DC received the login using the Windows command: echo %logonserver%.
3. Go to that DC and use the Windows event viewer to find the generated login event.
4. Check the collector agent logs and the list of active FSSO users.
5. Check that at least one user's group is listed as monitored in the group filter.
6. Go to FortiGate and check that the login event was received.
7. List the active FSSO users.
8. Generate traffic from the user workstation and verify that it is added to the FortiGate user monitor.

Network Security Support Engineer 7.4 Study Guide 202


FSSO

DO NOT REPRINT
© FORTINET
Checking FortiGate-to-Collector Agent Connectivity

© Fortinet Inc. All Rights Reserved. 16

By clicking Show Service Status on the collector agent GUI, you can check the connectivity between
FortiGate and the collector agent. The window displays the serial numbers of all the active FortiGate devices.

Network Security Support Engineer 7.4 Study Guide 203


FSSO

DO NOT REPRINT
© FORTINET
Checking FortiGate-to-Collector Agent Connectivity (Contd)
• Connection successful:
Collector Agent logs:
… accepting one FortiGate connection on sock:924, addr:10.0.1.254
… find free connection slot 0, sock:0, sendqueue:0
… send HELLO

… Bytes received from FortiGate: 96
… process HELLO
… option:00000020 version:v5.0.618-0618
… FortiGate connection accepted, auth OK.
… FortiGate:FGVM010000030272 connected on socket (924)

• FortiGate real-time debug connection successful:


# diagnose debug application authd 8256
# diagnose debug enable
connected_state[Win-Student]: entering CONNECTED state (vfid=0)

© Fortinet Inc. All Rights Reserved. 17

When a FortiGate successfully connects to a collector agent, the collector agent logs show these messages.

Additionally, you can confirm a successful connection while running the FSSO real-time debug on FortiGate.

You can also check the FSSO process debug output on FortiGate by entering the command diagnose
debug application authd 8256.

Network Security Support Engineer 7.4 Study Guide 204


FSSO

DO NOT REPRINT
© FORTINET
Checking FortiGate-to-Collector Agent Connectivity (Contd)
• Heartbeats between FortiGate and the collector agent:
Collector Agent logs:
… send heart beat, sock:924 len:16 SN:FGVMxxxxxxxxxxx
… send_to_FGT() called:sock:924 sendbuf:7fdd60 sendlen:16

…send ok: release send rec and content:7f97a0
…process_server_send_events returns, packet sent:1
…1 FortiGate connected

• FortiGate real-time debug:

_event_read[Win-Student]: received heartbeat 100003

© Fortinet Inc. All Rights Reserved. 18

While the TCP session between FortiGate and the collector agent is up, the collector agent sends heartbeat
messages to FortiGate. Both the collector agent logs and the FortiGate real-time debug show this heartbeat
interchange.

Network Security Support Engineer 7.4 Study Guide 205


FSSO

DO NOT REPRINT
© FORTINET
FortiGate-to-Collector Agent Connectivity Issues
• FortiGate real-time debug output:
… server authentication failed, aborting
• Check the pre-shared password:

… disconnecting
… error occurred in read: Connection refused

• Check that FortiGate and the collector agent are using the same TCP port, and that this traffic is not
being blocked
• Sniffer the traffic between FortiGate and the collector agent:
… error occurred in read: No route to host

• Check that the IP address of the collector agent is reachable from FortiGate

© Fortinet Inc. All Rights Reserved. 19

The error server authentication failed, aborting in the FortiGate real-time debug might indicate
a mismatch in the password shared between the collector agent and FortiGate.

The error connection refused might indicate that the TCP communication between FortiGate and the
collector agent is blocked by a firewall or another device.

The error no route to host might indicate that the IP address of the collector agent is not routable from
FortiGate.

Network Security Support Engineer 7.4 Study Guide 206


FSSO

DO NOT REPRINT
© FORTINET
Collector Agent-to-DC Connectivity

© Fortinet Inc. All Rights Reserved. 20

If you click Show Monitored DCs on the collector agent GUI, you can check the communication between the
collector agent and each DC. The table includes the time when the last login event was received from each
DC.

Network Security Support Engineer 7.4 Study Guide 207


FSSO

DO NOT REPRINT
© FORTINET
DC Login Events
• Use Windows Event Viewer
• Search event IDs 4768, 672, 680, and 4776 with audit success

© Fortinet Inc. All Rights Reserved. 21

The Event Viewer is a Windows tool that displays all the server logs. You can use it to search for login event
logs.

Network Security Support Engineer 7.4 Study Guide 208


FSSO

DO NOT REPRINT
© FORTINET
Login Event
• FortiGate real-time debug:
_process_logon[Win-Student]: STUDENT(192.168.3.1) logged on with session
id(0), port_range_sz=0
_process_logon-884: can not find such a user, try to add it
• Collector agent logs:
… logon event(33): len:72 dc_ip:10.0.1.10 time:1423064066 len:55 data:WIN-
INTERNAL.trainingAD.training.lab/TRAININGAD/student ip:192.168.3.1:10.0.1.10
… get global group for:student
… get global group for:student DC:\\Win-Internal.trainingAD.training.lab
… Global group(s):
… -- Domain Users
… Entries enumerated: 1
… get local group for:student
… get local group for:student, DC:\\Win-Internal.trainingAD.training.lab
… local group(s):
… -- Users
… Entries enumerated: 1
… ad_user_get_groups_str():TRAININGAD/Domain Users+TRAININGAD/Users

© Fortinet Inc. All Rights Reserved. 22

The FortiGate FSSO real-time debug generates messages each time a login event arrives. They include the
name and IP address of the user, together with the workstation name and user's group information.

Network Security Support Engineer 7.4 Study Guide 209


FSSO

DO NOT REPRINT
© FORTINET
Listing Active FSSO Users

© Fortinet Inc. All Rights Reserved. 23

You can check the list of logged-in users by clicking Show Logon Users. A status of OK indicates that the
user is active. A user goes to not verified status when they log out, or when there is a problem in the polling
done by the collector agent to the workstation.

Network Security Support Engineer 7.4 Study Guide 210


FSSO

DO NOT REPRINT
© FORTINET
Listing Active FSSO Users
ISFW # diagnose debug authd fsso filter ?
clear Clear all filters.
Source Source IP address.
user User name.
group Group name.
server FSSO agent name.

ISFW # diagnose debug authd fsso list

----FSSO logons----
IP: 192.168.3.1 User: STUDENT Groups: TRAININGAD/USERS Workstation: WIN-
INTERNAL.TRAININGAD.TRAINING.LA
IP: 10.0.1.10 User: STUDENT Groups: TRAININGAD/USERS Workstation: WIN-
INTERNAL.TRAININGAD.TRAINING.LA
Total number of logons listed: 2, filtered: 0

© Fortinet Inc. All Rights Reserved. 24

To get the list of active users from FortiGate, use the command diagnose debug authd fsso list. You
can set up a filter first with the command diagnose debug authd fsso filter.

Network Security Support Engineer 7.4 Study Guide 211


FSSO

DO NOT REPRINT
© FORTINET
Other FortiGate FSSO Commands
• Ask the collector agent to resend the active users list to FortiGate:
• # diagnose debug authd fsso refresh-logons
• Clear login information in FortiGate:
• # diagnose deb authd fsso clear-logons
• Users must logoff/logon
• Ask the collector agent to resend the monitored groups list to FortiGate:
• # diagnose debug authd fsso refresh-groups
• List the monitored groups:
• # get user adgrp

© Fortinet Inc. All Rights Reserved. 25

The CLI command diagnose debug authd fsso refresh-logons refreshes the active FSSO user list
on FortiGate by asking the collector agent to resend the active users list.

The CLI command diagnose debug authd fsso clear-logons flushes the list of active FSSO users
on FortiGate.

The CLI command diagnose debug authd fsso refresh-groups refreshes the user group
information on FortiGate by asking the collector agent to resend this information.

To list the monitored user groups, use the command get user adgrp.

Network Security Support Engineer 7.4 Study Guide 212


FSSO

DO NOT REPRINT
© FORTINET
Other Troubleshooting Commands
• Use these commands on cmd.exe
• Query the DN from the LDAP server:
dsquery user –name <user_name> - shows DN name
dsquery user -name <user_name> | dsget user –memberof - shows user group
memeberships

• Who is logged in to the workstation:


wmic /user:[email protected] /password:*** /node:“<WST IP>"
computersystem get username

• C:\netstat –a o n – shows if port 8000 is open

© Fortinet Inc. All Rights Reserved. 26

You can execute the commands from a Windows command prompt. They can be useful while diagnosing
FSSO issues and analyzing data on the server side.

On a Windows server, you can use the command, dsquery user -name to query the DN. You can run this
command from the LDAP server’s command prompt.

When you use the command wmic, it should return the username of the user currently logged in to the remote
workstation.

You can use the command netstat to verify that port 8000 is open.

Network Security Support Engineer 7.4 Study Guide 213


FSSO

DO NOT REPRINT
© FORTINET

Agentless Polling Mode

© Fortinet Inc. All Rights Reserved. 27

In this section, you will learn about the FSSO agentless method and specific troubleshooting commands for
this mode.

Network Security Support Engineer 7.4 Study Guide 214


FSSO

DO NOT REPRINT
© FORTINET
Agentless Polling Mode
ISFW # diagnose debug fsso-polling detail

AD Server Status:
ID=1, name(10.0.1.10),ip=10.0.1.10,source(security),users(0)
port=auto username=administrator
read log offset=251636, latest logon timestamp: Wed Feb 1 09:47:31 2023
polling frequency: every 10 second(s) success(246), fail(0)
LDAP query: success(0), fail(0)
LDAP max group query period(seconds): 0
most recent connection status: connected

ISFW # diagnose debug fsso-polling refresh-user

refresh completes. All logon users are obsolete. Please re-logon to make them available.

ISFW # diagnose sniffer packet any 'host 10.124.2.18 and tcp port 445'

© Fortinet Inc. All Rights Reserved. 28

The command diagnose debug fsso-polling detail displays the status and some statistics related
to the polls done by the FortiGate on each DC.

The command diagnose debug fsso-polling refresh-user flushes the information about all active
FSSO users.

In agentless polling mode, FortiGate frequently polls all workstations (as a standalone collector agent does) to
check which users are still logged in. You can sniffer this traffic on port 445.

Network Security Support Engineer 7.4 Study Guide 215


FSSO

DO NOT REPRINT
© FORTINET
Agentless Polling Mode
# diagnose debug application fssod -1
# diagnose debug enable
[fsso_svr.c:save_result:579] event_id=4768, logon=bobby, domain=FSSO
workstation=, ip=10.124.2.90 port=49215, time=1372061722

• Common errors:
• FortiGate cannot resolve the active directory server name:
failed to resolve server(<server name>)

• FortiGate and AD system times must be in sync so that statistics can be calculated correctly:

Please sync the time of Fortigate and AD server


• Check FortiGate memory usage:

No memory alloc

© Fortinet Inc. All Rights Reserved. 29

There is a specific FortiGate daemon that handles the polling mode. It is the fssod daemon. To enable
agentless polling mode real-time debug use the command:
diagnose debug application fssod -1.

The slide shows the most common real-time debug errors and the possible causes.

Network Security Support Engineer 7.4 Study Guide 216


FSSO

DO NOT REPRINT
© FORTINET

Common Problems

© Fortinet Inc. All Rights Reserved. 30

In this section, you will learn about the most common FSSO issues.

Network Security Support Engineer 7.4 Study Guide 217


FSSO

DO NOT REPRINT
© FORTINET
Common Problems
• Collector agent does not have the login information:
• Verify that the collector agent is monitoring all DCs
• Check that the collector agent is receiving login events from the DCs
• Test the user account and check the collector agent logs
• Collector agent has the login information, but FortiGate does not:
• Check that FortiGate is connected to the collector agent
• Run the real-time debug while testing the user account

© Fortinet Inc. All Rights Reserved. 31

What should you do if the collector agent does not have login information?
• Verify that the collector agent is monitoring all DCs.
• Check that the collector agent is receiving login events from the DCs.
• Test the user account and check the collector agent logs.

What should you do if the collector agent has the login information, but FortiGate does not?
• Check that FortiGate is connected to the collector agent.
• -
Run the real time debugs while testing the user account.

Network Security Support Engineer 7.4 Study Guide 218


FSSO

DO NOT REPRINT
© FORTINET
Common Problems (Contd)
• User is listed as active on FortiGate, but cannot browse the internet:
• Check the user’s IP address in the list of active FSSO users
• Check the user's group information
• Check the firewall policies
• Check the collector agent logs
• FortiGate is randomly blocking some users:
• Check that the collector agent service is not crashing
• Check for crashes in any of the FortiGate processes
• Check that the connectivity between FortiGate and the collector agent is stable
• Try to reproduce and check the collector agent logs

© Fortinet Inc. All Rights Reserved. 32

If an FSSO user is listed as active on FortiGate, but it cannot browse the internet, you should first confirm that
the correct IP address is listed on FortiGate. Also check the user's group information, firewall policies, and
collector agent logs.

If FortiGate is randomly blocking some users, you should check that the collector agent service, or any
FortiGate process, is not crashing. Confirm that the connection between FortiGate and collector agent is up
and stable. Try to reproduce the problem and then check the collector agent logs.

Network Security Support Engineer 7.4 Study Guide 219


FSSO

DO NOT REPRINT
© FORTINET
DNS Resolution Errors
• DNS cannot resolve the workstation name
• The collector agent logs show:
… failed to resolve workstation name to ip: WORKSTATION01
… DnsQuery() failed for WORKSTATION01, error code:9003

© Fortinet Inc. All Rights Reserved. 33

DNS resolution is essential for FSSO operation. If a collector agent cannot resolve a workstation name, the
user will not be listed as active and the collector agent logs will show the errors shown on this slide.

Network Security Support Engineer 7.4 Study Guide 220


FSSO

DO NOT REPRINT
© FORTINET
Login Override
• The collector agent ignores login events from anonymous accounts and accounts with
names starting with ‘$’
• However, some applications generate login events with different system accounts,
overriding the user login event:
• Microsoft MOM
• RDP
• Solution:
• Find the account in the collector agent logs that is overriding the user
• Add the account to the collector agent ignore user list

© Fortinet Inc. All Rights Reserved. 34

Another common problem that occurs with FSSO authentication happens when applications generate login
events with an AD account that is different from the users’ accounts.

In these cases, the login event overrides the user information for a workstation IP address and a different user
is listed as active for the IP address.

The collector agent is coded to ignore any login events for anonymous accounts, and accounts with a name
starting with '$' (which are system accounts). If any application is using an account that is overriding the user
information, the solution is to add that account to the ignore user list.

Network Security Support Engineer 7.4 Study Guide 221


FSSO

DO NOT REPRINT
© FORTINET
Not Verified Status on the Collector Agent
• The collector agent cannot verify if the user is still logged in
• The following entries are generated in the collector agent logs:

… name_ip_match: failed to connect to workstation: <Workstation Name>


(192.168.1.1)
… failed to connect to registry: WORKSTATION02 (192.168.12.232)

• Common causes:
• A firewall is blocking traffic to port 139 and 445
• The workstation remote registry service is not running

© Fortinet Inc. All Rights Reserved. 35

Active users with a status of “not verified” are also a common problem. That status is normal after a user has
logged out. However, it is not normal for a user that is still logged in. This means that polling from the collector
agent to the workstation is failing. In these cases, check the collector agent logs. They provide more
information about the cause of the problem.

Network Security Support Engineer 7.4 Study Guide 222


FSSO

DO NOT REPRINT
© FORTINET
No Internet After IP Address Change
• This problem might happen when:
• A workstation is moved between LAN and Wi-Fi
• A workstation has come out of hibernate mode
• Check the workstation name DNS resolution
• The collector agent relies on DNS to get an accurate IP address
• Workaround:
• Configure FSSO guest users
• Solution:
• Configure DNS server to automatically get IP address updates
• For multihomed scenarios (both wired and wireless connections are up), the DNS server should be able
to return both IP addresses

© Fortinet Inc. All Rights Reserved. 36

What should you do if a user loses internet access after their IP address changes?

This might happen when the user moves back and for from a wired to a wireless network. It might also
happen when a workstation comes out of hibernate mode and gets a new IP address from the DHCP server.

The first step is to check the DNS resolution. When a user changes their IP address, the DNS server must be
updated with the new IP address information. If that is not possible, one workaround is to configure FSSO
guest access. So, users whose IP addresses have changed can still have some (probably limited) access to
some network resources.

For the cases where a workstation was assigned more than one IP address (for example, one address for the
wired network and another one for the wireless), the DNS server should be able to return all those IP
addresses when resolving the workstation name. The user is then listed multiple times in the FSSO active
user list, one time for each IP address.

Network Security Support Engineer 7.4 Study Guide 223


FSSO

DO NOT REPRINT
© FORTINET
Review
 Understand FortiGate-to-collector agent connectivity
 Understand collector agent-to-DC connectivity
 Track login events on the DC, collector agent, and FortiGate
 List active FSSO users
 Troubleshoot agentless polling mode
 Understand common problems and solutions

© Fortinet Inc. All Rights Reserved. 37

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about FSSO modes, the most common FSSO
issues, and how to troubleshoot them.

Network Security Support Engineer 7.4 Study Guide 224


Security Profiles

DO NOT REPRINT
© FORTINET

Network Security Support Engineer


Security Profiles

FortiGate 7.4
Last Modified: 25 April 2024

In this lesson, you will learn how to troubleshoot some of the security profile features.

Network Security Support Engineer 7.4 Study Guide 225


Security Profiles

DO NOT REPRINT
© FORTINET
Objectives
• Troubleshoot the most common FortiGuard problems
• Describe the steps of FortiGate packet inspection
• Troubleshoot web filtering problems
• Fix certificate warnings during full SSL inspection
• Investigate virus infections
• Monitor the intrusion prevention system (IPS)

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding security profiles, you will be able to understand how to
troubleshoot FortiGuard and web filtering issues. You will also learn how to fix certificate warning problems,
and monitor IPS and antivirus events.

Network Security Support Engineer 7.4 Study Guide 226


Security Profiles

DO NOT REPRINT
© FORTINET

FortiGuard

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn about how FortiGuard and FortiGate communicate. You will also learn
troubleshooting commands.

Network Security Support Engineer 7.4 Study Guide 227


Security Profiles

DO NOT REPRINT
© FORTINET
FDN Status on FortiGate
• Check FortiGuardDistribution Network (FDN) status on FortiGate in the FortiGuard settings
System > FortiGuard

© Fortinet Inc. All Rights Reserved. 4

You can check the status of FortiGuard licenses and the communication to FortiGuard on the FortiGate GUI.
You can also check the versions of the locally installed databases for each of the FortiGuard services.

Network Security Support Engineer 7.4 Study Guide 228


Security Profiles

DO NOT REPRINT
© FORTINET
FortiGuard Web Filtering and Antispam
fortiguard.net
FortiGuard server 1
3. FortiGate submits a license 4. Server
check and server list request status and list 5. FortiGate submits queries
to one of the servers
2. DNS replies
with the IP address

FortiGuard server 2
DNS

1. FortiGate submits a DNS A record


lookup 6. If no reply in two seconds, FortiGate
contacts the next server on the list

• FortiGate submits a DNS lookup to get the IP address for one of these names:
• service.fortiguard.net: UDP and worldwide servers
• securewf.fortiguard.net: HTTPS and worldwide servers
• usservice.fortiguard.net: UDP and USA-based-only servers
• ussecurewf.fortiguard.net: HTTPS and USA-based-only servers

© Fortinet Inc. All Rights Reserved. 5

To learn how to troubleshoot FortiGuard problems, you must understand how FortiGuard communication
works. The communication between FortiGate and FortiGuard for web filtering and antispam is different from
the communication for antivirus and IPS. First, you will look at how FortiGuard web filtering and antispam
work:
1. FortiGate contacts the DNS server to resolve the FortiGuard service name.
2. FortiGate gets a list of IP addresses for servers that it can contact to validate the FortiGuard license.
3. FortiGate contacts one of those servers to check the license and request a list of servers to submit web
filtering and antispam rating queries to.
4. FortiGate gets the list of servers.
5. FortiGate starts sending rating queries to one of the servers in the list.
6. If the server it contacted does not reply in 2 seconds, FortiGate contacts the next server on the list.

The FortiGuard service name depends on the FortiGate configuration:

• service.fortiguard.net: FortiGate is configured to use UDP and communicate with servers located
worldwide.
• securewf.fortiguard.net: FortiGate is configured to use HTTPS and communicate with servers
located worldwide.
• usservice.fortiguard.net: FortiGate is configured to use UDP and communicate with servers
located only in the USA.
• ussecurewf.fortiguard.net: FortiGate is configured to use HTTPS and communicate with servers
located only in the USA.

Network Security Support Engineer 7.4 Study Guide 229


Security Profiles

DO NOT REPRINT
© FORTINET
FortiGuard and FortiGate Connection Security Steps

FortiGate FortiGuard server


SSL/TLS client hello OCSP status request

Server Hello with certificate and OCPS status

Client certificate, key information

Certificate verify, finished

Finished
Encrypted communication

© Fortinet Inc. All Rights Reserved. 6

When the FortiGate establishes a connection with a FortiGuard server, it is crucial to verify the authenticity of
the server as a genuine FortiGuard server. Therefore, FortiGuard servers offer the security steps shown on
this slide.

FortiGuard servers use an Online Certificate Status Protocol (OCSP) stapling check. This involves appending
a time-stamped OCSP status of the server certificate from the OCSP server to the TLS response.

This process guarantees that FortiGate can efficiently validate the FortiGuard server certificate during the TLS
handshake.

Network Security Support Engineer 7.4 Study Guide 230


Security Profiles

DO NOT REPRINT
© FORTINET
FortiGuard Antivirus and IPS
Pull method Persistent connection
method
fortiguard.net
3. FortiGate periodically checks fortiguard.net
for updates in the databases 4. FortiGate
downloads
updated 3. FortiGate 4. FortiGuard
databases forms notifies that
2. DNS replies persistent there is a new
with the IP address secure update through
connection to the persistent
FortiGuard connection
DNS
5. FortiGate
forms a
separate
secure
connection to
1. FortiGate submits a DNS A record download the
lookup for update
update.fortiguard.net

© Fortinet Inc. All Rights Reserved. 7

Now, you will look at how antivirus and IPS work. How FortiGuard communication works for antivirus and IPS
depends on the method used: pull or persistent connection. Note that the persistent connection method is
available only on FortiGate models that are 2U and above, and is displayed on the FortiGate GUI as
Immediately download updates.

The steps in the pull method are:


1. FortiGate contacts the DNS server to resolve the name update.fortiguard.net.
2. FortiGate gets a list of server IP addresses that it can contact.
3. FortiGate periodically connects to one of the servers to check for pending updates.
4. If there is an update, FortiGate downloads it.

The first two steps used in the pull method are also used in the persistent connection method: FortiGate gets
a list of IP addresses from a DNS server for the domain name update.fortiguard.net. After that,
FortiGate forms an HTTPS connection with FortiGuard. Once this connection is established, FortiGuard uses
this connection to send notifications each time there are new updates. FortiGate then proceeds to form a
separate secure connection to FortiGuard to download the update.

Network Security Support Engineer 7.4 Study Guide 231


Security Profiles

DO NOT REPRINT
© FORTINET
FortiGuard Troubleshooting—Web Filtering and Antispam
FortiGate # diagnose debug rating
Locale : English
Service : Web-filter
Status : Enable
License : Contract
Service : Antispam
Status : Disable
Service : Virus Outbreak Prevention
Status : Disable
Num. of servers : 6
Protocol : https Round trip delay Server time zone Consecutive requests Historical requests sent
Port : 443 sent with no reply with no reply; resets
Anycast : Enable upon device reboot
Default servers : Included
-=Server List (Thu Mar 2 18:01:32 20XX) -=-
IP Weight RTT Flags TZ FortiGuard-requests Curr Lost Total Lost
173.243.141.16 0 21 D 0 2 0 0
173.243.140.16 0 28 DI 0 5 0 0
2620:101:9000:140:173:243:140:16 0 0 DF 0 2 2 2

© Fortinet Inc. All Rights Reserved. 8

The command shown on this slide displays the list of servers for web filtering and antispam queries. For each
IP address, the table shows:
• The round trip delay
• The server time zone
• The number of recent and consecutive queries without reply
• The historical total number of queries without reply—these values reset when the device restarts.

Network Security Support Engineer 7.4 Study Guide 232


Security Profiles

DO NOT REPRINT
© FORTINET
FortiGuard Weight Calculation
• Initial value is the delta between FortiGuard server time zone and FortiGate system time
zone, multiplied by 10
• Weight increases with each packet lost
• Weight decreases over time if no packets are lost, but never goes below the initial value
• FortiGate uses server with lowest weight
• If weights are the same, FortiGate uses lowest RTT

© Fortinet Inc. All Rights Reserved. 9

FortiGate uses the following method to select the server to send the rating requests to:
• FortiGate initially uses the delta between the server time zone and the FortiGate system time zone,
multiplied by 10.
• This is the initial weight of the server. To lower the possibility of using a remote server, the weight
is not allowed to drop below the initial weight.
• The weight increases with each packet lost.
• The weight decreases over time if there are no packets lost.
• FortiGate uses the server with the lowest weight as the one for the rating queries. If two or more servers
have the same weight, FortiGate uses the server with the lowest round-trip time (RTT).

Network Security Support Engineer 7.4 Study Guide 233


Security Profiles

DO NOT REPRINT
© FORTINET
FortiGuard Common Issues—Web Filtering and Antispam
• Some ISPs block nonstandard traffic over port 53
• Solution: Use port 8888
• Some ISPs block port 8888 traffic
• Solution: Use port 53
• Some ISPs block traffic based on the source port
• Solution:
config sys global
set ip-src-port-range 1031-4999
end

© Fortinet Inc. All Rights Reserved. 10

In many cases, ISPs cause problems related to FortiGuard. Some ISPs block traffic that is not DNS or that
contains large packets on port 53. In those cases, the solution is to switch FortiGuard traffic from port 53 to
port 8888.

Other ISPs (or upstream firewalls) block traffic to port 8888. In those cases, the solution is to use port 53.

When anycast is enabled, which it is by default, the protocol is HTTPS and the port is 443.

There are also a few cases where ISPs block traffic based on source ports. Changing the source port range
for FortiGuard to the range shown on this slide usually fixes the issue.

Network Security Support Engineer 7.4 Study Guide 234


Security Profiles

DO NOT REPRINT
© FORTINET
FortiGuard Flags
• I = Initial
• Server contacted to request contract information and updates
• D = Default
• IP addresses of servers received from DNS resolution
• S = Serving
• IP addresses of servers received from FortiManager
• T = Timing
• Actively timing this connection
• Server remains in this state for 15 seconds (default) before being considered as failed
• F = Failed
• Server connection has failed
• FortiGate pings every 15 minutes to check if server is active

© Fortinet Inc. All Rights Reserved. 11

The output of the diagnose debug rating command displays flags beside some of the server names:

• I = The server initially contacted to validate the license and get the server list (usually only one server has
this flag)
• D = The IP address FortiGate got when resolving the service.fortiguard.net name (usually two or
three servers have this flag, if the administrator didn't overwrite the FortiGuard FQDN or IP address in the
FortiGate configuration)
• S = The IP address FortiGate got from FortiManager
• T = The server is not replying to FortiGate queries
• F = The server is down

Network Security Support Engineer 7.4 Study Guide 235


Security Profiles

DO NOT REPRINT
© FORTINET
FortiGuard Troubleshooting—Antivirus and IPS
• FortiGate uses port TCP 443 to get updates
• Can be configured to connect through a web proxy:

config system autoupdate tunneling


set address <proxy_address>
set password <password>
set port <proxy_port>
set status {enable | disable}
set username <name>
end

• When connecting through a web proxy, FortiGate can access FortiGuard without DNS
resolution

© Fortinet Inc. All Rights Reserved. 12

For antivirus and IPS, communication between FortiGate and FortiGuard happens much less frequently. In
the case of web filtering and antispam, FortiGate contacts FortiGuard each time it needs to rate a website or
email (if the information is not in the FortiGate cache).

In the case of the pull method for antivirus and IPS, by default, FortiGate contacts FortiGuard at an interval
calculated based on the FortiGate model and the percentage of valid subscriptions. The update interval is less
than 1 hour to check and download any new version of the antivirus or IPS databases and engines. This is
done using port TCP 443.

This slide shows the commands you use if FortiGate must connect through a web proxy. Usually, clients
connecting through a web proxy do not contact the DNS server to resolve names, because it is the web proxy
that does this. When connecting through a web proxy, FortiGate can access FortiGuard without DNS
resolution.

Network Security Support Engineer 7.4 Study Guide 236


Security Profiles

DO NOT REPRINT
© FORTINET
FortiGuard Troubleshooting—Antivirus and IPS (Contd)
• Automatic and manual updates are different:
• Automatic updates download the portions of the databases that have changed since the last update
• Manual updates download the whole database if a new version is available

• Some FortiGuard problems can be fixed by doing a manual update


• Example: corrupted antivirus database

• Autoupdate status
# diagnose autoupdate status
FDN availability: available at Thu Jan 18 22:09:06 2024
last successful time: Thu Jan 18 22:09:06 2024
Scheduled update: enable
Virus definitions update: enable
IPS definitions update: enable
Web proxy tunneling: disable

© Fortinet Inc. All Rights Reserved. 13

Both the antivirus and IPS databases can be updated either automatically or manually. Automatic updates
download the portions of the databases that have changed since the last update. Manual updates download
the whole database if there is a new version available.

Sometimes you can fix FortiGuard problems by performing a manual update, which forces FortiGuard to
download and reinstall the entire database. For example, if the antivirus database is corrupted, a manual
update might fix the problem.

The diagnose autoupdate status command provides a summary of the FortiGuard configuration on
FortiGate.

Network Security Support Engineer 7.4 Study Guide 237


Security Profiles

DO NOT REPRINT
© FORTINET
FortiGuard Update Status
# diagnose autoupdate versions • List includes, but is not
AV Engine limited to:
--------- • Antivirus
Version: 7.00021
Contract Expiry Date: Sat Nov 8 2025 • IPS engine
Last Updated using manual update on Fri Oct 27 05:53:16 2023 • Mobile malware definitions
Last Update Attempt: Wed Mar 22 09:04:04 2023
Result: No Updates • Attack definitions
• IPS malicious URL
Virus Definitions
--------- database
Version: 91.01264 signed • Botnet definitions
Contract Expiry Date: Sat Nov 8 2025
Last Updated using manual update on Wed Mar 22 05:53:16 2023 • Device and OS
Last Update Attempt: Wed Mar 22 10:04:04 2023 identification
Result: No Updates • Internet service
Extended set • IP address geography
--------- • FortiGuard security rating
Version: 91.01264
Contract Expiry Date: Sat Nov 8 2025 • Certificate bundle
Last Updated using manual update on Wed Mar 22 05:53:16 2023 • Malicious certificate
Last Update Attempt: Wed Mar 22 10:04:04 2023
Result: Updates Installed

© Fortinet Inc. All Rights Reserved. 14

The command shown on this slide lists all the FortiGuard databases and engines that are installed. The
information includes the version, contract expiration date, time it was updated, and what happened during the
last update.

Network Security Support Engineer 7.4 Study Guide 238


Security Profiles

DO NOT REPRINT
© FORTINET
FortiGuard Real-Time Debug—Antivirus and IPS
• Enable real-time debug:
• # diagnose debug application update -1
• # diagnose debug enable
• # execute update-now

© Fortinet Inc. All Rights Reserved. 15

If there are problems updating the antivirus or IPS databases, or if there are problems validating the license,
you can use the FortiGuard real-time debug:
diagnose debug application update -1
diagnose debug enable

After you enable the debug, you can force a manual update using the execute update-now command.

Network Security Support Engineer 7.4 Study Guide 239


Security Profiles

DO NOT REPRINT
© FORTINET
FortiGuard Troubleshooting Tips
• Can the management VDOM access the internet?
• FortiGuard traffic originates from the management VDOM
• Does DNS work?
• Antivirus and IPS (update.fortiguard.net)
• Web filtering and AS (service.fortiguard.net)
• Updates to FortiGuard contracts are not instantaneous
• It usually takes 1 to 2 hours to update a contract on all FortiGuard servers
• In some cases, it can take up to 24 hours

© Fortinet Inc. All Rights Reserved. 16

Remember that FortiGuard traffic always originates from the management VDOM. So, the management
VDOM (which is root by default) must have internet access.

Correct DNS access from the management VDOM is also important. FortiGate must be able to resolve the
following names:
• update.fortiguard.net
• service.fortiguard.net

Also, keep in mind that, although it usually takes 1 to 2 hours to update a contract on all the servers, in some
cases, it can take up to 24 hours. So, if you have just changed or renewed your FortiGuard contract, and you
do not see the change on FortiGate, you may need to wait a bit longer to give FortiGuard time to synchronize
the information on all servers.

Network Security Support Engineer 7.4 Study Guide 240


Security Profiles

DO NOT REPRINT
© FORTINET

Life of a Packet

© Fortinet Inc. All Rights Reserved. 17

In this section, you will learn how FortiGate processes a packet.

Network Security Support Engineer 7.4 Study Guide 241


Security Profiles

DO NOT REPRINT
© FORTINET
Life of a Packet—Ingress
Ingress

pass or not first


Pkt rate > no pass packet pass
DoS IP header
inbandwidth RPF check
integrity

failed
yes failed failed
Packet dropped

Inbound VPN
yes Traffic
Web proxy terminating at
DNS the FortiGate?
Admin access

no

To routing and
firewall policy

© Fortinet Inc. All Rights Reserved. 18

On the following slides, we willre going to analyze how FortiGate processes a packet from when it arrives to
when it leaves.

The process has four stages:


• Ingress
• Routing and firewall policy
• Protection profile inspection
• Egress

During the ingress stage:


• The packet arrives on the FortiGate.
• You can set a limit on the incoming bandwidth (inbandwidth parameter). If the traffic exceeds that limit, the
FortiGate drops the packet.
• The FortiGate checks the thresholds in the DoS policies.
• The next steps are the reverse path forwarding and IP header integrity checks.
• If the traffic terminates at the FortiGate (for example, management, web proxy, and DNS traffic), the
specific daemon that handles the requested feature processes the packet.
• If the traffic does not terminate at the FortiGate, it moves to the second stage, which is the routing and
firewall policy.

Network Security Support Engineer 7.4 Study Guide 242


Security Profiles

DO NOT REPRINT
© FORTINET
Life of a Packet—Routing and Firewall Policy
From ingress

Destination NAT Route to yes Allow by yes


(VIP) destination? firewall
policy?

no no

Packet dropped

Not authenticated Handle yes Requires


authentication authentication?
Authenticated
no

Identify traffic
session helper

To protection
profile inspection

© Fortinet Inc. All Rights Reserved. 19

During the routing and firewall policy stage:


• The FortiGate (if required) applies the destination NAT. The FortiGate drops the packet if there is no route
to the destination.
• Similarly, if a firewall policy denies the packet, the FortiGate does not allow it.
• If the packet is allowed, the FortiGate checks whether the policy requires authentication.
• Finally, the FortiGate proceeds to identify the traffic, which is then inspected by any session helper that is
required.

Network Security Support Engineer 7.4 Study Guide 243


Security Profiles

DO NOT REPRINT
© FORTINET
Life of a Packet—Protection Profile Inspection

From routing and SSL no Application


inspection IPS VoIP
firewall policy control
required?

yes

Handle SSL

DLP Antispam Web filtering Antivirus To egress

© Fortinet Inc. All Rights Reserved. 20

During the protection profile inspection stage:


• The FortiGate performs unified threat management (UTM) inspection.
• If the traffic is encrypted and full SSL inspection is used, the FortiGate proceeds to decrypt the traffic.
• Next, the FortiGate applies the inspection profiles in the following order: IPS, application control, VoIP,
DLP, antispam, web filtering, and antivirus.

Network Security Support Engineer 7.4 Study Guide 244


Security Profiles

DO NOT REPRINT
© FORTINET
Life of a Packet—Egress

From protection Traffic Outbound no


Source NAT
profile inspection shaping IPsec?

yes

Encryption

Egress

© Fortinet Inc. All Rights Reserved. 21

During the egress stage:


• The FortiGate applies traffic shaping and source NAT.
• Finally, if the packet must be routed through an IPsec VPN, the FortiGate encrypts it before it leaves.

Network Security Support Engineer 7.4 Study Guide 245


Security Profiles

DO NOT REPRINT
© FORTINET

Web Filtering

© Fortinet Inc. All Rights Reserved. 22

In this section, you will learn troubleshooting commands for web filtering.

Network Security Support Engineer 7.4 Study Guide 246


Security Profiles

DO NOT REPRINT
© FORTINET
Web Filter Log—GUI
• Action Log & Report > Security Events
• Profile used
• Category
• URL

© Fortinet Inc. All Rights Reserved. 23

Similar to other UTM features, one of the best troubleshooting tools for web filtering is the FortiGate logs.
FortiGate can generate a log each time a website is blocked. The log lists the URL, category, action taken,
and so on.

Network Security Support Engineer 7.4 Study Guide 247


Security Profiles

DO NOT REPRINT
© FORTINET
FortiGuard Web Filtering Real-Time Debug
# diagnose debug urlfilter src-addr <source_IP>
# diagnose debug application urlfilter -1
# diagnose debug enable

msg="received a request /tmp/.wad512_0_0.url.socket, addr_len=30:


d=training.fortinet.com:443, id=687, cat=255, vfname='root', vfid=0,
profile='default', type=0, client=10.1.10.1, url_source=1, url="/"

action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=10.1.10.1 sport=58334


dst=13.226.142.41 dport=443 service="https" cat=52 url_cat=52 ip_cat=0
hostname="training.fortinet.com" url="/"

© Fortinet Inc. All Rights Reserved. 24

Another tool you can use to troubleshoot web filtering is the web filter real-time debug. You can use the
commands shown on this slide.

This slide shows an example of real-time debug output when the URL to categorize isn't in the FortiGuard
cache. The output shows the URL, category, source, destination IP addresses, and service.

Network Security Support Engineer 7.4 Study Guide 248


Security Profiles

DO NOT REPRINT
© FORTINET
FortiGuard Web Filtering Cache
# diagnose webfilter fortiguard cache dump

Saving to file [/tmp/urcCache.txt]


Cache Contents:
-=-=-=-=-=-=-=- FortiGuard category for the
Cache Mode: TTL domain in hexadecimal
Cache DB Ver: 27.9694

Rating DB Ver DOT SLASH ORIG_FLAG T URL


00000000|00000000 27.9693 2 0 00000001 P Dhttps://172.253.122.95/
34000000|34000000 27.9693 2 0 00000001 P Dhttps://safebrowsing.googleapis.com/
29000000|29000000 27.9691 2 0 00000001 P Bhttp://34.107.221.82/
… FortiGuard category for the IP
address of the URL in
# get webfilter categories hexadecimal

g07 General Interest - Business:
31 Finance and Banking
… FortiGuard category ID in
51 Government and Legal Organizations decimal
52 Information Technology

© Fortinet Inc. All Rights Reserved. 25

To list the contents of the FortiGuard web filtering cache, use the diagnose webfilter fortiguard
cache dump command. For each URL, the output lists its rating by domain name and IP address. The rating
by domain name is the first two digits of the first number from left to right—it is the category ID represented in
hexadecimal. The rating by IP address is the first two digits of the second number—it is also the category ID
represented in hexadecimal.

The get webfilter categories command lists all the categories with their respective ID numbers. In
this list, the IDs are represented in decimal. So, if you want to find the category name for a URL in the cache,
use the first command to list the cache, and then convert the ID number from hexadecimal to decimal. Then,
use the second command to find the category name for that ID number.

Network Security Support Engineer 7.4 Study Guide 249


Security Profiles

DO NOT REPRINT
© FORTINET
FortiGuard—Web Filtering Service
• FortiGuard Web Filter Lookup

© Fortinet Inc. All Rights Reserved. 26

The www.fortiguard.com website includes a Web Filtering service. This service is designed to assist you
to identify the category and rating of a URL.

Using the information that the FortiGuard Web Filtering service provides you can gain insights into the content
and reputation of URLs.

This service is useful to analyze whether the category-based filter in the web filter profile is allowing or
blocking a specific URL as expected.

Network Security Support Engineer 7.4 Study Guide 250


Security Profiles

DO NOT REPRINT
© FORTINET
Web Filtering Troubleshooting Tips
• Get specifics
• Which URLs?
• Is it random or consistent?
• Who is affected? All users or specific users?
• Is there anything in any of the logs?
• Was something blocked intentionally?
• Is authentication involved?
• Double-check that the user is being handled correctly
• Attempt reproduction
• You can reproduce most web filtering issues using the same settings
• Run the real-time debug commands while reproducing the problem

© Fortinet Inc. All Rights Reserved. 27

Here are some tips for troubleshooting web filtering:


• Get the specifics first:
• Which URLs are having the problem?
• Is it random?
• Does it happen with all users?
• Check the logs.
• Is the problem caused by an incorrect user group configuration? Are the user access privileges correct?
• Run the real-time debug while reproducing the issue.

Network Security Support Engineer 7.4 Study Guide 251


Security Profiles

DO NOT REPRINT
© FORTINET
Web Filtering Troubleshooting Tips (Contd)
• Ensure web filtering isn't globally disabled:

# get system fortiguard disable (default): enable web filter globally


... enable: disable web filter globally
webfilter-force-off : disable
webfilter-cache : enable
webfilter-cache-ttl : 3600
webfilter-license : Contract
webfilter-expiration: Wed Nov 9 2022

• Problems connecting to FortiGuard and the device entering conserve mode can cause
intermittent web filtering issues

© Fortinet Inc. All Rights Reserved. 28

Additional tips:
• Check that web filtering isn't disabled globally.
• If users are having intermittent issues:
• Check that the communication with FortiGuard is stable (check the web filtering statistics).
• Check also that the device is not entering conserve mode.

Network Security Support Engineer 7.4 Study Guide 252


Security Profiles

DO NOT REPRINT
© FORTINET

SSL Inspection

© Fortinet Inc. All Rights Reserved. 29

In this section, you will learn about SSL inspection modes and how to handle certificate warnings.

Network Security Support Engineer 7.4 Study Guide 253


Security Profiles

DO NOT REPRINT
© FORTINET
SSL Certificate Inspection and Full SSL Inspection
• SSL certificate inspection relies on extracting the FQDN of the URL from either :
• TLS extension server name indication (SNI)
• SSL certificate common name (CN)

Issuer:
Verisign
Issued to:
www.example.com
Public key:
Example

https://www.example.com
Public key:
Private key:
Example.com
Example.com

Encrypted data

© Fortinet Inc. All Rights Reserved. 30

There are two SSL inspection modes: SSL certificate inspection and full SSL inspection. When using SSL
certificate inspection, FortiGate is not decrypting the traffic. It is only inspecting the server digital certificates
and the server name indication (SNI) field, which are interchanged before the encryption.

First, FortiGate tries to get the URL from the SNI field. The SNI field is a TLS extension that contains the
complete URL that the user is connecting to. It is supported by most modern browsers.

If the SNI field is not present (because the web client may not support it), FortiGate proceeds to inspect the
server digital certificate.

Network Security Support Engineer 7.4 Study Guide 254


Security Profiles

DO NOT REPRINT
© FORTINET
Full SSL Inspection
• FortiGate requires a private key to decrypt and inspect SSL traffic
• Intercepts traffic coming from the server and re-signs it with its certificate and key
• Certificate FortiGate provides must be issued to the destination domain name

https://www.example.com
Private key: Private key:
example.com Public key:
example.com FortiGate
Issuer: Issuer:
Public CA FortiGate CA
Issued to: Issued to:
www.example.com www.example.com
Public key: Public key:
example.com FortiGate

© Fortinet Inc. All Rights Reserved. 31

With full SSL inspection, FortiGate decrypts (and reencrypts) the SSL traffic.

Under normal circumstances (without full SSL inspection), encrypted traffic cannot be inspected, because the
firewall does not have the key required to decrypt the data.

For full SSL inspection, the FortiGate must be located in the middle of the communication between the user’s
browser and the website. When the browser connects to the website, the web server sends its certificate,
which contains its public key.

The FortiGate intercepts the web server certificate and generates a new one. The new certificate is issued by
the certificate authority (CA) installed on the FortiGate, which is not a well-known public CA. The FortiGate
also generates a new pair of public and private keys.

Network Security Support Engineer 7.4 Study Guide 255


Security Profiles

DO NOT REPRINT
© FORTINET
Certificate Warnings During Full SSL Inspection
• During full SSL inspection, browsers might display a warning because they do not trust
the CA

• To fix the warning, there are two options:


• Use the Fortinet_CA_SSLProxy certificate, and install the FortiGate CA root certificate on all browsers
• Generate a new SSL proxy certificate using a private CA, and install the respective root CA certificate
on all browsers

• This is a consequence of how SSL and digital certificates work (not a FortiGate
limitation)

© Fortinet Inc. All Rights Reserved. 32

When you enable SSL inspection, browsers display a certificate warning each time a user connects to an
HTTPS site. This occurs because the certificates that the browsers receive are now signed by FortiGate,
which is a CA that the browsers do not trust.

You can fix this warning in one of two ways:


• Download the default FortiGate certificate for SSL proxy inspection and install it on all browsers.
• Generate a new SSL proxy certificate from a private CA. Install the private CA certificate on all browsers.

This is not a limitation of FortiGate, but a consequence of how digital certificates are designed to work.

Network Security Support Engineer 7.4 Study Guide 256


Security Profiles

DO NOT REPRINT
© FORTINET
Full SSL Inspection and HSTS
• Some clients have specific requirements for SSL
• PKP: Public Key Pinning
• Example: Chrome requires a Google certificate when accessing any Google site
• HSTS: HTTPS Strict Transport Security
• Possible solutions: Certificate does not
match requirements
• Exempt those websites from full SSL inspection (incorrect CA)
• Use SSL certificate inspection instead

Issuer:
Issuer:
Certificate Internet
FortiGate CA
Authority
Issued to:
Issued to:
www.example.com
www.example.com
Public key:
Public key:
FortiGate
example.com

https://www.example.com

© Fortinet Inc. All Rights Reserved. 33

Replacing the certificate for the traffic can cause problems. Some software and servers have specific
limitations on the certificates that are allowed to be used.

HSTS and PKP are security features designed to detect man-in-the-middle SSL attacks by making sure that
any certificate presented when accessing a server resource is signed by a specific CA.

If the browser detects any other CA, it simply refuses to continue the SSL handshake and prevents access to
the website.

The solutions available for these issues are limited. One option is to bypass SSL inspection for that traffic.
Another option is to use SSL certificate inspection instead.

Network Security Support Engineer 7.4 Study Guide 257


Security Profiles

DO NOT REPRINT
© FORTINET

Antivirus

© Fortinet Inc. All Rights Reserved. 34

In this section, you will learn how to verify the antivirus status and detections.

Network Security Support Engineer 7.4 Study Guide 258


Security Profiles

DO NOT REPRINT
© FORTINET
Antivirus Order of Operations

Machine-
Virus Grayware
learning
scan scan
detection

© Fortinet Inc. All Rights Reserved. 35

This slides shows the order of execution of antivirus inspection. First, the device performs a virus scan, then a
grayware scan, and finally machine-learning detection.

The latest FortiOS versions do not have the previous heuristic settings. Instead, they have a machine-
learning-detection setting, which is an AI-based malware detection feature.

Network Security Support Engineer 7.4 Study Guide 259


Security Profiles

DO NOT REPRINT
© FORTINET
Antivirus Log Example
Log & Report > Security Events

© Fortinet Inc. All Rights Reserved. 36

One of the best tools for troubleshooting antivirus issues is the FortiGate logs. This is a sample of a log
generated when FortiGate detects a virus. You can see the name of the file, time, and name of the virus.

Network Security Support Engineer 7.4 Study Guide 260


Security Profiles

DO NOT REPRINT
© FORTINET
How to Investigate an Infection
• If a workstation is infected, where should you start investigating?
• Get specifics:
• Which antivirus software detected it? Which virus did it detect?
• Virus names are not standard between vendors
• How did the virus get inside the network?
• Through email, website, USB stick, or demo CD?

© Fortinet Inc. All Rights Reserved. 37

What should you do if FortiGate detects a virus on a workstation? Again, the first step is to get specific
information. Which antivirus software detected the virus? What is the name of the virus? How did it get inside
the network? If the virus came, for example, from a CD or USB stick, the infected file did not go through the
FortiGate.

Network Security Support Engineer 7.4 Study Guide 261


Security Profiles

DO NOT REPRINT
© FORTINET
How to Investigate an Infection (Contd)
• Test to see if antivirus is operating correctly
• eicar.org, the standard antivirus test file
• Could FortiGate have detected the virus?
• If undetected, submit to FortiGuard with details
• Test sample file on FortiGuard website
• https://www.fortiguard.com/faq/onlinescanner
• If detected, check which FortiGate antivirus database contains it

© Fortinet Inc. All Rights Reserved. 38

Test whether FortiGate antivirus is correctly inspecting the user traffic. On a user workstation, navigate to
eicar.org and try to download the EICAR sample file.

If you have a sample of the virus, submit it to FortiGuard and check if it is present in any of the FortiGate virus
databases. If it is, check the name of the antivirus database where it is present. Does your FortiGate have that
database installed?

Network Security Support Engineer 7.4 Study Guide 262


Security Profiles

DO NOT REPRINT
© FORTINET
How to Investigate an Infection—Check the Antivirus Database
• Choose the antivirus database:
config antivirus setting
set use-extreme-db {enable|disable}
end
• Extended database
• Default
• Currently spreading viruses plus recent viruses that are no longer active
• Available on all models
• Extreme database
• Includes the extended database, plus a large collection of zoo viruses
• Available on higher end models

© Fortinet Inc. All Rights Reserved. 39

FortiGate has two antivirus databases: extended and extreme. The extended database is the default. Not all
FortiGate models support the extreme database.

Network Security Support Engineer 7.4 Study Guide 263


Security Profiles

DO NOT REPRINT
© FORTINET
How to Investigate an Infection (Contd)
• Examine protocol settings for infection vector
• SSL requires deep inspection
• Archives are examined to certain limits
• Maximum number of subdirectories and nested archives
• Password-protected archives cannot be scanned

© Fortinet Inc. All Rights Reserved. 40

Remember the restrictions for antivirus inspection:


• SSL traffic requires SSL deep inspection.
• Archive files, such as zip files, are examined to certain limits, such as nested archives—this has an impact
on the CPU.
• Password-protected archives cannot be scanned.

Network Security Support Engineer 7.4 Study Guide 264


Security Profiles

DO NOT REPRINT
© FORTINET
How to Investigate an Infection (Contd)
• NGFW—Learn Mode
• config system settings
set ngfw-mode policy-based
end

© Fortinet Inc. All Rights Reserved. 41

Scanunit support is included on the NGFW GUI under Security Policy > Learn Mode.

The learning mode enhances file detection capabilities by using the scanunit robust file detection.

Learning mode works by allowing all traffic while logging everything to gather security information. It
generates a learning report using the collected information, and this helps to detect malicious files more
accurately.

Network Security Support Engineer 7.4 Study Guide 265


Security Profiles

DO NOT REPRINT
© FORTINET

IPS Troubleshooting

© Fortinet Inc. All Rights Reserved. 42

In this section, you will learn about IPS troubleshooting.

Network Security Support Engineer 7.4 Study Guide 266


Security Profiles

DO NOT REPRINT
© FORTINET
IPS Engine
• There are two IPS-related daemons:
• ipsengine handles inspection and detection tasks
• ipshelper handles actions whose results can be shared by different daemons, to reduce load

# diagnose sys top


Run Time: 5 days, 5 hours and 58 minutes
1U, 0N, 0S, 99I; OWA, OHI, OST, 1768T, 1044F
httpsd 1313 S 0.3 1.3
ipsengine 1350 S < 0.0 3.8
pyfcgid 954 S 0.0 1.5
ipshelper 71 S < 0.0 1.2
...

© Fortinet Inc. All Rights Reserved. 43

Two important types of daemons handle IPS-related tasks:


• ipsengine is the main type of daemon that handles all inspection and detection tasks.
• ipshelper handles actions whose results can be shared by different ipsengine daemons. ipshelper
also monitors configuration changes that impact IPS so it can also start or spawn additional instances of
ipsengine. For this reason, it’s normal to see ipshelper running even if you don’t have IPS configured
on FortiGate.

On some FortiGate models, it is normal to see multiple instances of the ipsengine daemon running.

Network Security Support Engineer 7.4 Study Guide 267


Security Profiles

DO NOT REPRINT
© FORTINET
IPS Fail Open
• Fail open is triggered when one of these two events happen:
• The IPS socket buffer is full and new packets can’t be added for inspection
• The FortiGate is in conserve mode

• The action the IPS takes depends on the configuration:

# config ips global


set fail-open <enable|disable>
set database extended
set traffic-submit disable
...
end

• enable: New packets might pass through without inspection


• disable: New packets might be dropped

© Fortinet Inc. All Rights Reserved. 44

IPS goes into fail open mode when the IPS socket buffer doesn't have enough available memory for new
packets. The IPS also goes into fail open mode when the FortiGate is in conserve mode. What happens
during that state depends on the IPS configuration. If the fail-open setting is enabled, some new packets
(depending on the system load) might pass through without being inspected. If it is disabled, new packets
might be dropped.

Network Security Support Engineer 7.4 Study Guide 268


Security Profiles

DO NOT REPRINT
© FORTINET
Monitoring IPS Fail Open Events
• IPS fail open event details can be seen in the crash log
# diagnose debug crashlog read
...
7: 2021-06-06 11:44:54 <05688> IPS enter fail open mode: engines=4 socketsize=1048576
8: 2021-09-06 11:44:54 packet_action=drop
...
20: 2021-06-06 11:45:53 <05688> IPS exit fail open mode

• The packet_action value indicates whether new packets are dropped or passed
through
• The crash log also indicates when IPS has exited fail open mode

© Fortinet Inc. All Rights Reserved. 45

The IPS fail open event generates a log in the crash log. The log indicates if new packets are dropped or
passed through.

Network Security Support Engineer 7.4 Study Guide 269


Security Profiles

DO NOT REPRINT
© FORTINET
Monitoring IPS Fail Open Events (Contd)
• IPS fail open entry log
date=2023-06-06 time=14:14:29 logid="0100022700" type="event"
subtype="system" level="critical" vd="root" eventtime=1540790069
logdesc="IPS session scan paused" action="drop" msg="IPS session scan,
enter fail open mode"

• IPS fail open exit log


date=2023-06-06 time=14:18:54 logid="0100022701" type="event"
subtype="system" level="critical" vd="root" eventtime=1540790334
logdesc="IPS session scan resumed" msg="IPS session scan resumed,
exit fail open mode."

© Fortinet Inc. All Rights Reserved. 46

IPS fail open entry and exit events also generate event logs.

Network Security Support Engineer 7.4 Study Guide 270


Security Profiles

DO NOT REPRINT
© FORTINET
Frequent IPS Fail Open Events
• Try to identify a pattern
• Traffic volume increases?
• Create IPS profiles specifically for the traffic type
• Profile to protect Windows servers doesn’t need Linux or Solaris signatures
• Disable IPS on internal-to-internal policies

© Fortinet Inc. All Rights Reserved. 47

Frequent IPS fail open events usually indicate that the IPS is not able to keep up with the traffic demands. So,
try to identify patterns. Has the traffic volume increased recently? Have throughput demands increased?

Tune and optimize your IPS configuration: Create IPS profiles specific to the type of traffic being inspected,
and disable IPS profiles on policies that don’t need them.

Network Security Support Engineer 7.4 Study Guide 271


Security Profiles

DO NOT REPRINT
© FORTINET
IPS Engine Role in Identifying Protocols
• Firewall policies use protocol options to instruct Policy & Objects > Protocol Options
FortiGate how to handle mapping destination
ports to upper-layer protocols (HTTP, SMTP,
FTP, and so on)
• Type a specific port number to direct traffic on
that destination port to the relevant processes,
based on the inspection mode of that policy
(flow or proxy)
• When you enable the Any setting for a
protocol, the IPS engine inspects all destination
ports to determine whether the traffic is, in fact,
that protocol
• Using the Any setting for one or more protocols
creates more CPU load and can affect how
FortiGate processes traffic when a fail open
event occurs
© Fortinet Inc. All Rights Reserved. 48

The Protocol Options settings, which are configurable within each firewall policy, can impact the
performance of a FortiGate due to the need for the IPS engine to identify the protocol where particular
protocol-to-port mappings are not explicitly set.

When a policy is set to proxy-based inspection, the settings in Protocol Options instruct the FortiGate to
direct specified destination ports to their respective proxy processes, except when Any is set for an enabled
protocol.

In this scenario, the FortiGate must send the traffic to the IPS engine to be processed by the CPU, in order to
identify the protocol before directing it to the proxy process. This is significant, because it can affect how traffic
is processed during an IPS fail open event for both proxy-based and flow-based traffic.

Protocol port mapping works only with proxy-based inspection. Flow-based inspection inspects all ports
regardless of the protocol port mapping configuration.

Network Security Support Engineer 7.4 Study Guide 272


Security Profiles

DO NOT REPRINT
© FORTINET
IPS and High CPU Usage
• Temporary spikes in CPU usage are normal
• Usually caused by a configuration change
• diagnose sys top will show all ipsengine instances spike to 99% temporarily
• Continuous high CPU use by IPS engines might be caused by an infinite loop in packet
parsing
• Symptoms might not affect all of the ipsengine instances

• FortiGate VMs with 8 or more vCPUs can use the extended database, which delivers
better protection and performance
• config ips global
set database [regular|extended]
set ips-reserve-cpu [enable|disable]

© Fortinet Inc. All Rights Reserved. 49

Short spikes in the CPU usage by IPS processes could be caused by firewall policy or profile changes. These
spikes are usually normal. Spikes might happen when FortiGate has hundreds of policies and profiles, or
many VDOMs. Continuous high CPU usage by the IPS engines is not normal, and you should investigate it.

A newly introduced capability enables the configuration of FortiGate VMs with eight or more vCPUs to use the
complete extended database. The slim-extended database, a more compact variant of the full extended
database, encompasses key active IPS signatures and is tailored for customers prioritizing performance.

Network Security Support Engineer 7.4 Study Guide 273


Security Profiles

DO NOT REPRINT
© FORTINET
IPS and High CPU Usage (Contd)
# diagnose test application ipsmonitor ?

1: Display IPS engine information Traffic does not go to


2: Toggle IPS engine enable/disable status the IPS
3: Display restart log
4: Clear restart log
5: Toggle bypass status
6: Submit attack characteristics now Traffic goes to the
IPS, but the IPS does
10: IPS queue length
not perform
11: Clear IPS queue length
inspection
12: IPS L7 socket statistics
13: IPS session list
14: IPS NTurbo statistics
15: IPSA statistics
97: Start all IPS engines
98: Stop all IPS engines
99: Restart all IPS engines and monitor

© Fortinet Inc. All Rights Reserved. 50

If the IPS caused high CPU usage problems, you can use the diagnose test application
ipsmonitor command with option 5 to isolate where the problem might be. Option 5 enables IPS bypass
mode.

In this mode, the IPS is still running, but it is not inspecting traffic. If the CPU usage decreases after that, it
usually indicates that the volume of traffic being inspected is too high for that particular FortiGate model.

If the CPU usage remains high after you enable IPS bypass mode, it usually indicates a problem in the IPS
engine that you must report to Fortinet Support.

If you enable IPS bypass mode, remember to disable it after you finish troubleshooting, using option 5.

Another recommendation to keep in mind is if you need to restart the IPS, don't use the diagnose sys
kill command. Instead, use option 99, as shown on this slide. This guarantees that all IPS-related
processes will restart correctly.

Network Security Support Engineer 7.4 Study Guide 274


Security Profiles

DO NOT REPRINT
© FORTINET
False Positives
• Check that the IPS signature database is up to date
• Determine which signature is triggering the false positive
• Use IP exemptions on the signature as a temporary bypass for the affected endpoints
• If all factors are verified (that is, correct policy match, correct IPS profile match), then
collect multiple sniffer samples of the traffic
• Provide the sniffer samples and the matching logs to the FortiGuard team for further
investigation

support.fortinet.com

© Fortinet Inc. All Rights Reserved. 51

If the IPS is generating false positives, first determine which signature is generating them. You can use IP
exemptions as a solution. Additionally, you can provide sniffer samples and the matching logs to the
FortiGuard team for further investigation.

Network Security Support Engineer 7.4 Study Guide 275


Security Profiles

DO NOT REPRINT
© FORTINET
False Negatives
• False negatives are more difficult to find
• Verify:
• Is the IPS signature database up to date?
• Is traffic hitting the correct policy or IPS profile? (use sniffer and debug flow, if necessary)
• Is the IPS using high CPU or memory? Is it crashing?
• Is the signature action set correctly?
• Collect multiple sniffer samples, along with details of the application traffic, and provide
them to the Fortinet IPS team for investigation

© Fortinet Inc. All Rights Reserved. 52

False negatives are more difficult to discover and troubleshoot. Check the following:
• Traffic is hitting the correct policy or IPS profile (use the sniffer and debug flow, if necessary).
• CPU and memory use is normal.
• IPS engines aren’t crashing.
• IPS configuration is correct.

Again, after you verify all of those factors, you can collect sniffer samples and, along with details of the
application traffic, provide all the information to the Fortinet IPS team for investigation.

Network Security Support Engineer 7.4 Study Guide 276


Security Profiles

DO NOT REPRINT
© FORTINET
Review
 Troubleshoot the most common FortiGuard problems
 Describe the steps of FortiGate packet inspection
 Troubleshoot web filtering problems
 Fix certificate warnings during full SSL inspection
 Investigate virus infections
 Monitor the IPS

© Fortinet Inc. All Rights Reserved. 53

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to troubleshoot some features of security
profiles.

Network Security Support Engineer 7.4 Study Guide 277


High Availability

DO NOT REPRINT
© FORTINET

Network Security Support Engineer


High Availability

FortiGate 7.4
Last Modified: 25 April 2024

In this lesson, you will learn how to monitor the status of a high availability (HA) cluster, configure session
synchronization, and use the troubleshooting steps and commands for HA issues.

Network Security Support Engineer 7.4 Study Guide 278


High Availability

DO NOT REPRINT
© FORTINET
Objectives
• Check the status of the HA configuration
• Monitor an HA cluster
• Configure session synchronization
• Troubleshoot common HA issues

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding HA, you will know how to monitor the status of an HA cluster,
configure session synchronization, and diagnose and resolve HA cluster issues.

Network Security Support Engineer 7.4 Study Guide 279


High Availability

DO NOT REPRINT
© FORTINET

HA Configuration Synchronization and Status

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn how to monitor the HA configuration status among devices in the HA cluster.

Network Security Support Engineer 7.4 Study Guide 280


High Availability

DO NOT REPRINT
© FORTINET
Processes Involved
• HA framework
• hatalk: cluster management and failure monitoring
• hasync: synchronization of configuration files, upgrade process, IKE notification, external files, ARP
table, and FIB

• Kernel
• Generation of heartbeat packets
• Updating synchronized session on secondary

• Surrounding processes around hasync


• cmdb: configuration daemon
• update
• external files
• iked, authd, and snmpd

© Fortinet Inc. All Rights Reserved. 4

The HA framework consists of two daemons: hatalk and hasync.

The process hatalk monitors cluster management and failure monitoring. The process hasync handles the
synchronization of configuration files, the upgrade process, IKE notifications, external files, the address
resolution protocol (ARP) table, and the forwarding information base (FIB).

The hasync process engages other processes to fulfill its purpose, like configuration daemons cmdb,
update, iked, authd, and snmpd.

Network Security Support Engineer 7.4 Study Guide 281


High Availability

DO NOT REPRINT
© FORTINET
Heartbeats—Generating Heartbeat Packets
• Heartbeat packets are generated by the kernel
• Higher priority in scheduler compared to other processes
• Higher priority on kernel for HA packets on egress
• Higher priority on NP6 queues for HA packets
• Heartbeat packet generation load distributed on multiple CPU cores

NGFW-1 #diagnose sys ha


heartbeat
• #diagnose sys ha heartbeat interval=20, hb_cpu_nr=4
• How many cores are used for the heartbeat? cpu=0, max_tx=80, last_tx=4295035514
• How are the heartbeats distributed on the cpu=0, max_tx=80, last_tx=4295035534
CPU cores? cpu=0, max_tx=80, last_tx=4295035474
cpu=0, max_tx=80, last_tx=4295035494

© Fortinet Inc. All Rights Reserved. 5

HA heartbeats are generated by the kernel. This gives this traffic priority over other types of packets. HA
heartbeat packets are prioritized to guarantee the health of the HA cluster and traffic flow.

The command diagnose sys ha heartbeat displays how many CPU cores handle the heartbeats and
their distribution.

Network Security Support Engineer 7.4 Study Guide 282


High Availability

DO NOT REPRINT
© FORTINET
Heartbeats—Receiving and Processing Heartbeat Packets
• HA heartbeat
• Heartbeat packets received by the network interface card (NIC) configured as hbdev

• Kernel processing
• Separates user traffic from heartbeats based on packet ethertype
• Stores heartbeat data in a received buffer in memory
• Notifies HA daemon hatalk through a signal of the presence of heartbeat packets to process

• hatalk daemon processing


• Time stamps HA packets when called by the kernel
• Run actively every 100 ms to run a diff time function comparing the received heartbeat packet
timestamp with its current time
• HA heartbeat timeout triggered if time_difference > hb-interval (default 200 ms) * hb-
lost-treshold

© Fortinet Inc. All Rights Reserved. 6

The hbdev interface is configured under config system ha which assigns the interface that will transmit
and receive the HA heartbeats.

As part of the kernel processing of heartbeat packets, the kernel signals to the hatalk daemon the presence
of heartbeat packets to process.

The process hatalk applies a timestamp to the HA packets that process and perform a diff time function
to monitor if it has reached the hb-lost-threshold that could trigger an HA heartbeat timeout.

HA heartbeat packets consume more bandwidth if the heartbeat interval is shorter than its default value, but if
the heartbeat interval is very long, the cluster is not as sensitive to topology changes and other network
changes.

Network Security Support Engineer 7.4 Study Guide 283


High Availability

DO NOT REPRINT
© FORTINET
Checking the Status of HA on the GUI
System > HA

Cluster members
are synchronized

© Fortinet Inc. All Rights Reserved. 7

If the HA cluster forms successfully, the GUI displays all the FortiGate members with their host names, serial
numbers, role, uptime, and synchronization status.

Network Security Support Engineer 7.4 Study Guide 284


High Availability

DO NOT REPRINT
© FORTINET
Checking the Synchronization Status on the GUI
System > HA
Tooltip displays which
parts of the configuration
are out of sync

Cluster members are


not synchronized

© Fortinet Inc. All Rights Reserved. 8

If the HA cluster forms, but the configurations are not synchronized, the GUI tooltip for the cluster members
displays the portions of their configuration that are out of sync.

Network Security Support Engineer 7.4 Study Guide 285


High Availability

DO NOT REPRINT
© FORTINET
Connecting to the CLI on a Secondary Device
• Using the CLI of the primary device, you can connect to the CLIs of any secondary
devices
# execute ha manage <HA_unit_index> <Admin_Username>

• To list the index numbers for each device, use a question mark
# execute ha manage ?
<id> please input peer box index.
<0> Subsidiary unit FGVM01000001xxxx

© Fortinet Inc. All Rights Reserved. 9

When troubleshooting HA, you may need to connect to the CLI of another member from the CLI of the
member you are currently connected to. You do this by using the execute ha manage command to connect
to the other member.

For example, when you connect to the cluster over SSH using any of the cluster virtual IP addresses, you
connect to the primary member. If you then want to connect to another member, you can use the execute
ha manage command to access its CLI.

This command requires you to indicate the ID of the member you want to connect to and the username you
will use to log in. To get the list of member IDs, you can add a question mark to the end of the execute ha
manage command, as shown on this slide.

Note that when you switch to the CLI of another member, FortiGate establishes an SSH session to that
member over the heartbeat interface. The SSH session is then encapsulated in Ethernet frame type 0x8893.

Network Security Support Engineer 7.4 Study Guide 286


High Availability

DO NOT REPRINT
© FORTINET
HA Status
# diagnose sys ha status
HA information
Statistics
Heartbeat
traffic.local = s:0 p:980056 b:152606366
traffic.total = s:0 p:980087 b:152619104
activity.ha_id_changes = 2
activity.fdb = c:0 q:0

Model=80005, Mode=2 Group=2 Debug=0


nvcluster=1, ses_pickup=0, delay=0 Serial numbers Assigned priorities

[Debug_Zone HA information]
HA group member information: is_manage_primary=1.
FGVM010000077649: Primary, serialno_prio=1, usr_priority=128, hostname=NGFW-1
FGVM010000077650: Secondary, serialno_prio=0, usr_priority=120, hostname=NGFW-2

[Kernel HA information]
vcluster 1, state=work, primary_ip=169.254.0.2, primary_id=0:
FGVM010000077649: Primary, ha_prio/o_ha_prio=0/0
FGVM010000077650: Secondary, ha_prio/o_ha_prio=1/1

© Fortinet Inc. All Rights Reserved. 10

Using the CLI, you can get more information about the status of HA. For example, the command shown on
this slide displays heartbeat traffic statistics, as well as the serial number and HA priority of each FortiGate.
This command also shows the IP address of the heartbeat interface that is automatically assigned to the
primary FortiGate.

Network Security Support Engineer 7.4 Study Guide 287


High Availability

DO NOT REPRINT
© FORTINET
HA Status (Contd)
# get sys ha status
HA Health Status: OK
Model: FortiGate-VM64
How the primary
Mode: HA A-P
Group: 0 device is selected
Debug: 0
Cluster Uptime: 0 days 0:15:10
Cluster state change time: 2023-07-29 12:34:01
Primary selected using:
<2023/07/29 12:34:01> FGVM010000077649 is selected as the primary because it has the
largest value of override priority.
ses_pickup: disable System usage stats
override: enable
Configuration Status:
from all cluster
FGVM010000077649(updated 4 seconds ago): in-sync members
FGVM010000077650(updated 3 seconds ago): in-sync
System Usage stats:
FGVM010000077649(updated 4 seconds ago):
sessions=16, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=81%
FGVM010000077650(updated 3 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=78%
...

© Fortinet Inc. All Rights Reserved. 11

You can use the command shown on this slide to display the following information:
• HA health status
• Cluster uptime
• Criteria used to select the primary device
• Override status
• Status of the monitored interfaces
• Status of the HA ping servers

Network Security Support Engineer 7.4 Study Guide 288


High Availability

DO NOT REPRINT
© FORTINET
Checking the HA Time Difference
# diagnose sys ha dump-by vcluster
<hatalk> HA information.
How many times the
vcluster_nr=1
device uptime has been
vcluster_0: start_time=1588188799(2022-07-29 12:33:19), reset with the
state/o/chg_time=2(work)/2(work)/1588188801(2023-07-29 diagnose sys ha
12:33:21) reset-uptime
command
mondev: port1(prio=50,is_aggr=0,status=1)
port2(prio=50,is_aggr=0,status=1)
'FGVM010000077649': ha_prio/o=0/0, link_failure=0,
pingsvr_failure=0, flag=0x00000001, uptime/reset_cnt=0/1
'FGVM010000077650': ha_prio/o=1/1, link_failure=0,
pingsvr_failure=0, flag=0x00000000, uptime/reset_cnt=196/0

Device uptime

© Fortinet Inc. All Rights Reserved. 12

The HA uptime is one of the variables used to elect the primary device. Depending on other variables and
configurations, the devices might compare their system uptimes to elect the primary. If that happens, and if
there is one member whose system uptime is 5 minutes more than the system uptimes of all the other
devices, that member is elected as the primary. You can use this command to compare the system uptimes of
all the devices in a cluster.

The reset_cnt value shows you how many times the HA uptime has been reset with the diagnose sys
ha reset-uptime command.

Network Security Support Engineer 7.4 Study Guide 289


High Availability

DO NOT REPRINT
© FORTINET
Checking the Configuration Synchronization
Run this command
# diagnose sys ha checksum show on all HA members
is_manage_primary()=1, is_root_primary()=1
debugzone
global: ee 89 a1 71 0b c5 2a ed 99 f3 a8 4a 27 6f 1b 5c
root: 86 54 58 00 9a 6c ef 30 19 62 a3 c9 84 a8 c6 8a Checksum
all: 94 52 d7 bf e5 29 d0 9a 58 d2 47 f4 f5 d0 a7 94 numbers must
match between
debugzone and
checksum checksum zone

global: ee 89 a1 71 0b c5 2a ed 99 f3 a8 4a 27 6f 1b 5c
root: 86 54 58 00 9a 6c ef 30 19 62 a3 c9 84 a8 c6 8a
all: 94 52 d7 bf e5 29 d0 9a 58 d2 47 f4 f5 d0 a7 94

All members must


have the same
sequences of
checksum numbers

© Fortinet Inc. All Rights Reserved. 13

A good indication of the health of an HA cluster is the status of the configuration synchronization. To verify
that all the secondary configurations are synchronized with the primary configuration, you can use the
command shown on this slide on all the HA devices. If a secondary FortiGate displays the same sequence of
numbers as the primary, its configuration is synchronized. Also, and as long as there are no configuration
changes happening, on each of the devices, the debugzone and the checksum zone must display the same
sequence of numbers. In this lesson, you will learn some tips for troubleshooting when this is not the case.

The checksum zone contains the checksum of the configuration that is running on the device. The
debugzone is where configuration changes are first stored before they are applied to the running
configuration. So during a configuration change, you might see that the debugzone checksum differs from
the checksum for a short time, while the configuration changes are copied to the running configuration. After
configuration changes have been copied, both checksums should match again.

Network Security Support Engineer 7.4 Study Guide 290


High Availability

DO NOT REPRINT
© FORTINET
Checking the Configuration Synchronization (Contd)
# diagnose sys ha checksum cluster Alternatively, you can use this
================== FGVM010000077649 ================== command on the primary device
is_manage_primary()=1, is_root_primary()=1
debugzone
global: ee 89 a1 71 0b c5 2a ed 99 f3 a8 4a 27 6f 1b 5c Primary
root: 86 54 58 00 9a 6c ef 30 19 62 a3 c9 84 a8 c6 8a
all: 94 52 d7 bf e5 29 d0 9a 58 d2 47 f4 f5 d0 a7 94
checksum
global: ee 89 a1 71 0b c5 2a ed 99 f3 a8 4a 27 6f 1b 5c
root: 86 54 58 00 9a 6c ef 30 19 62 a3 c9 84 a8 c6 8a
all: 94 52 d7 bf e5 29 d0 9a 58 d2 47 f4 f5 d0 a7 94
================== FGVM010000077650 ==================
is_manage_primary()=0, is_root_primary()=0
debugzone
global: ee 89 a1 71 0b c5 2a ed 99 f3 a8 4a 27 6f 1b 5c Secondary
root: 86 54 58 00 9a 6c ef 30 19 62 a3 c9 84 a8 c6 8a
all: 94 52 d7 bf e5 29 d0 9a 58 d2 47 f4 f5 d0 a7 94
checksum
global: ee 89 a1 71 0b c5 2a ed 99 f3 a8 4a 27 6f 1b 5c
root: 86 54 58 00 9a 6c ef 30 19 62 a3 c9 84 a8 c6 8a
all: 94 52 d7 bf e5 29 d0 9a 58 d2 47 f4 f5 d0 a7 94

© Fortinet Inc. All Rights Reserved. 14

Instead of using the checksum show command on each of the cluster devices, you can use the command
shown on this slide on only the primary device. It shows the checksum for all the cluster members. This
command is easier to use; however, if there are communication problems between one of the secondary
devices and the primary, you might need to use the checksum show command instead.

Network Security Support Engineer 7.4 Study Guide 291


High Availability

DO NOT REPRINT
© FORTINET
Checking the Configuration Synchronization (Contd)
• Checksums are organized in sections and subsections
• Drill down in sections, as needed
FGT # diagnose sys ha checksum show FGT # diagnose sys ha checksum show global
is_manage_primary()=1, is_root_primary()=1 system.global: cddd94f9d0caa0d8fbeeca1fe7f737d8
debugzone system.accprofile:
fbae998d6f14e2b8f76c53a500b2feb9
global: ee 89 a1 71 0b c5 2a ed 99 f3 a8 4a 27 6f 1b 5c system.npu: 00000000000000000000000000000000
root: 86 54 58 00 9a 6c ef 30 19 62 a3 c9 84 a8 c6 8a system.np6: 80585c5bff0110a4a5c60ada8729321f
all: 94 52 d7 bf e5 29 d0 9a 58 d2 47 f4 f5 d0 a7 94 system.vdom-link:
checksum 00000000000000000000000000000000
global: ee 89 a1 71 0b c5 2a ed 99 f3 a8 4a 27 6f 1b 5c wireless-controller.inter-
root: 86 54 58 00 9a 6c ef 30 19 62 a3 c9 84 a8 c6 8a controller:00000000000000000000000000000000
wireless-controller.global:
all: 94 52 d7 bf e5 29 d0 9a 58 d2 47 f4 f5 d0 a7 94 00000000000000000000000000000000

FGT # diagnose sys ha checksum show global system.global


[admin-system.global: https-redirect]='disable': 83936483dbcf877bb866238eb91d71ed
[admintimeout]='480': 241cbf1e69a211cf760bccc0fd5c1d71
[alias]='FGT6HD3916800222': b51760b4e45f2717a12fe4945118a48f
[disk-usage]='log': fd85137f0ffa9ebc62b736fa95944176
[fgd-alert-subscription]='advisory latest-threat':e15ed9aae8a488d992774994c36566b1
cddd94f9d0caa0d8fbeeca1fe7f737d8
system.accprofile: fbae998d6f14e2b8f76c53a500b2feb9

© Fortinet Inc. All Rights Reserved. 15

The command checksum show allows you to drill down to different levels.

It can provide a general checksum at the global level, including all the VDOMs configured on FortiGate, as
well as provide the checksum for a specific VDOM or the checksum of a specific configuration section from a
VDOM.

These different levels can be very useful while troubleshooting an HA cluster, when you need to identify which
setting is triggering an out-of-sync issue.

Network Security Support Engineer 7.4 Study Guide 292


High Availability

DO NOT REPRINT
© FORTINET

Session Synchronization

© Fortinet Inc. All Rights Reserved. 16

In this section, you will learn about session synchronization among devices in an HA cluster.

Network Security Support Engineer 7.4 Study Guide 293


High Availability

DO NOT REPRINT
© FORTINET
HA Session Synchronization
• Primary sessions replicated to the secondary
• Optional, disabled by default
• Only TCP/SCTP sessions
• Multicast sessions can be configured for session fail over
• UTM proxy-based sessions are not synchronized
• Flow-based sessions are synchronized but fail over without UTM
• Optionally synchronize connectionless sessions (ICMP/UDP)
• Optionally synchronize only sessions with duration > 30 seconds
• Don’t waste resources on short-lived sessions

© Fortinet Inc. All Rights Reserved. 17

By default, HA session synchronization is disabled. Most sessions can be resumed as a normal result of how
TCP/IP communications resume communication after a network interruption. You should balance the traffic
requirements and performance impact before enabling session pickup.

If you enable HA synchronization, a number of session requirements and limitations take place because the
primary device synchronizes sessions with the secondary device. Under ideal conditions, all TCP sessions
should be resumed.

Optionally, you can enable session synchronization for connectionless ICMP/UDP, and short-lived sessions.

Network Security Support Engineer 7.4 Study Guide 294


High Availability

DO NOT REPRINT
© FORTINET
HA Session Synchronization―When?
• New session creation
• Primary synchronizes new session to secondary

• State update
• TCP/SCTP sessions are updated on secondary upon a state change

• Session deletion
• When deleted on primary, primary notifies secondary to clear the session

• Secondary session timer update


• Secondary session timeout decreases slowly (no traffic seen)
• Secondary queries primary about session status right after session expiration

© Fortinet Inc. All Rights Reserved. 18

There are some criteria that the primary device follows when synchronizing a session to a secondary device.

By default, once session-pickup is enabled, as soon as a new TCP session is added to the primary device
session table, that session is synchronized to all devices in the cluster. This synchronization happens as
quickly as possible to keep the session tables synchronized.

Other events that trigger the session table synchronization from the primary device to the other devices in the
cluster occur if there is a session state update or if a session is deleted.

Most of the session synchronization communication comes from the primary to the rest of the devices in the
cluster; secondary devices send queries to the primary device about session timer updates.

Network Security Support Engineer 7.4 Study Guide 295


High Availability

DO NOT REPRINT
© FORTINET
Session Synchronization
FGT # get sys ha status
HA Health Status: OK
Model: FortiGate-VM64-KVM
Mode: HA A-P
Group Name: Fortinet
Group ID: 0
Debug: 0
Cluster Uptime: 3 days 4:27:18
….
ses_pickup: enable, ses_pickup_delay=disable

HBDEV stats:
FGVM010000077649(updated 4 seconds ago):
port7: physical/00, up, rx-bytes/packets/dropped/errors=640288234/1655487/0/0, tx=797573613/1767346/0/0
FGVM010000077650(updated 1 seconds ago):
port7: physical/00, up, rx-bytes/packets/dropped/errors=797593897/1767528/0/0, tx=640291890/1655362/0/0

• HA packet with specific ethertype 0x8892


• If session-sync-dev is specified, then packets will use this EtherType over the configured port
config system ha  set session-sync-dev port_ID

© Fortinet Inc. All Rights Reserved. 19

By default, session synchronization activity takes place over the HA heartbeat link using TCP/703 and
UDP/703 packets.

The command get sys ha status displays if session pickup is enabled. The HBDev stats section
should show that the received (RX) and transmitted (TX) counters are incrementing.

If there is a large number of session synchronizations, this could cause network congestion and impact the
HA cluster communication. One option is to select one or more ports to use for synchronizing sessions, which
can improve HA heartbeat traffic and the performance of the HA cluster.

Network Security Support Engineer 7.4 Study Guide 296


High Availability

DO NOT REPRINT
© FORTINET
Checking HA Session Synchronization
# diagnose sys session list Check the session table of the primary device
session info: proto=6 proto_state=01 duration=73 expire=3597 timeout=3600 flags=00000000
socktype=00000000 sockport=0 av_idx=0 use=3
origin-shaper= HA ID of the device
processing this traffic Session has been
reply-shaper=
synchronized to all
per_ip_shaper= secondary devices
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty synced none app_ntf
statistic(bytes/packets/allow_err): org=822/11/1 reply=9037/15/1 tuples=2
tx speed(Bps/kbps): 7/0 rx speed(Bps/kbps): 16/0
orgin->sink: org pre->post, reply pre->post dev=4->2/2->4 gwy=100.64.1.254/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:65464->54.192.15.182:80(100.64.1.1:65464)
hook=pre dir=reply act=dnat 54.192.15.182:80->100.64.1.1:65464(10.0.1.10:65464)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00000098 tos=ff/ff ips_view=0 app_list=0 app=0 url_cat=0
rpdb_link_id= 00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x040000
© Fortinet Inc. All Rights Reserved. 20

You can check the session table of the primary device to see which sessions have been synchronized to the
secondary devices. They are the ones with the synced flag. Additionally, and in the case of all sessions, the
ha_id field shows the HA member ID of the device that is processing the traffic.

Network Security Support Engineer 7.4 Study Guide 297


High Availability

DO NOT REPRINT
© FORTINET

HA Troubleshooting

© Fortinet Inc. All Rights Reserved. 21

In this section, you will learn about some HA troubleshooting steps and commands.

Network Security Support Engineer 7.4 Study Guide 298


High Availability

DO NOT REPRINT
© FORTINET
Types of Failover
• Loss of keepalive packets
• Primary fails to reply
• A monitored interface becomes disconnected
• The new primary is the device with the fewest failed monitored interfaces
• Port monitoring takes precedence over device priority
• Remote link failover
• Uses detect (ping) servers to test IP connectivity
• Pings originated only from the primary
• If it does not get a reply, the cluster renegotiates the primary
• Solid state disk (SSD) failover
• An SSD fails
• Only for devices with SSDs
• Memory utilization threshold
• Configurable memory utilization threshold, sample rate, and monitor period
• Memory utilization checked at configured sample rate and, if above configured threshold for entire
monitor period, a failover is triggered

© Fortinet Inc. All Rights Reserved. 22

There are five occurrences that can trigger a failover:

• When the secondary devices stop receiving the heartbeat hello packets from the primary.

• When the link status of a monitored interface on the primary FortiGate goes down. You can configure an
HA cluster to monitor one or more interfaces. If a monitored interface on the primary FortiGate is
unplugged, or its link status goes down, a new primary FortiGate is elected.

• When a server (IP address) stops replying to the ping that the primary sent. You can configure an HA
cluster to periodically send a ping to one or more servers to test the connectivity between the primary
device and the network services. The primary FortiGate fails if the accumulated penalty of all failed
interfaces reaches the configured threshold.

• When FortiOS detects a failure in an SSD. It triggers a failover if FortiOS detects Ext-fs errors on an SSD
on the primary FortiGate.This is only available for devices with SSDs.

• When memory-based failover is enabled and the configured conditions for utilization exceed the threshold
during each sample over the monitor period.

There are multiple events that might trigger an HA failover, such as a hardware or software failure on the
primary FortiGate or an issue on one of the interfaces on the primary. When a failover occurs, an event log is
generated.

Network Security Support Engineer 7.4 Study Guide 299


High Availability

DO NOT REPRINT
© FORTINET
HA Logs Sample
• Primary device fails and is removed from the cluster
• These messages are recorded by a secondary device, which becomes the new primary
device:

2023-08-06 14:49:44 Heartbeat device(interface) down


2023-08-06 14:50:00 Virtual cluster detected member dead
2023-08-06 14:50:02 Virtual cluster's member state moved

© Fortinet Inc. All Rights Reserved. 23

If a failover happens, the best tool to use to get information about the failover is the FortiGate logs. If the
failover happened because the primary device failed, the secondary device logs should show these log
entries.

Network Security Support Engineer 7.4 Study Guide 300


High Availability

DO NOT REPRINT
© FORTINET
HA Logs Sample (Contd)
• Link failure of a monitored interface
• These log messages, recorded by the primary device, show the monitored port1
interface:

2023-08-06 16:59:39 Link monitor: Interface port1 was turned down


2023-08-06 16:59:39 HA device(interface) fail
2023-08-06 16:59:41 Virtual cluster's member state moved

© Fortinet Inc. All Rights Reserved. 24

If a new primary was elected because one or more monitored interfaces failed, the former primary displays
logs similar to the ones shown on this slide. In the example shown on this slide, the primary device is
reporting a problem with the monitored interface port1.

Network Security Support Engineer 7.4 Study Guide 301


High Availability

DO NOT REPRINT
© FORTINET
HA History
• Provides information about past HA events

# diagnose sys ha history read


version=1.1
HA state change time: 2023-07-29 12:34:01
message_count=4/512
<2023-07-29 12:34:01> FGVM010000077648 is elected as the cluster primary of 2 members
<2023-07-29 12:34:01> new member 'FGVM010000077652' joins the cluster
<2023-07-29 12:33:22> FGVM010000077648 is elected as the cluster primary of 1 members
<2023-07-29 12:33:19> hatalk started

© Fortinet Inc. All Rights Reserved. 25

Another useful way to determine the reason for an HA failover is by running the command shown on this slide.
This command provides details about past HA events, which allows administrators to identify the reason for
previous failover events. This is a useful HA command, especially when HA logs are not available.

Network Security Support Engineer 7.4 Study Guide 302


High Availability

DO NOT REPRINT
© FORTINET
HA Split-Brain Scenario
• When FortiGate devices configured in an HA cluster lose communication with each other
on the heartbeat interface, each FortiGate assumes the role of the primary device

• Split-brain symptoms
• Administrative access works intermittently
• Traffic is dropped
• When accessing through FortiGate using the CLI, #get sys ha status shows each FortiGate as the
primary

• Possible causes
• Incomplete firmware upgrade
• Loss of the heartbeat links
• Congestion or latency in the heartbeat links

© Fortinet Inc. All Rights Reserved. 26

An HA split-brain scenario occurs when the FortiGate devices in an HA cluster lose heartbeat communication
through the heartbeat links. Because of the lost communication, each FortiGate assumes the role of the
primary device.

When this issue occurs, the results are very evident because traffic flow is impacted. While experiencing a
split-brain issue, the administrative access to the devices in the cluster is intermittent; console access might
be required to troubleshoot the device and perform configuration changes, if required.

This issue could be triggered by a faulty physical port or cable, a failed firmware upgrade, or a congested
heartbeat link.

Network Security Support Engineer 7.4 Study Guide 303


High Availability

DO NOT REPRINT
© FORTINET
HA Split-Brain Scenario—Troubleshooting Steps
• Verify all HA cluster members are running the same firmware version
• # get system status

• Verify HA configuration matches on all HA cluster members

• Verify the status of the heartbeat ports


• # show system ha
• # diagnose hardware deviceinfo nic <portID>

• Use the sniffer command to verify heartbeat packets are exchanged successfully:
• That is, # diagnose sniffer packet any "ether proto 0x8890"4 (NAT/route mode
heartbeat)

© Fortinet Inc. All Rights Reserved. 27

There are some basic HA troubleshooting steps to verify the HA cluster health and get the cluster out of this
situation:

1. Verify that all devices in the cluster are running the same firmware version.
2. Check that the configuration is synchronized.
3. Verify the status of the heartbeat ports.
4. Verify that the Ethernet packets are transmitted and received successfully between the cluster members.

Following these steps will help to diagnose the root cause that triggered this behavior.

Network Security Support Engineer 7.4 Study Guide 304


High Availability

DO NOT REPRINT
© FORTINET
HA Troubleshooting Tips
• If a device can’t join a cluster, follow these steps:
1. Verify that the HA settings match
2. Verify that the firmware and hardware match
3. Verify physical layer connections
4. Use the HA real-time debug
diagnose debug application hatalk -1
diagnose debug application hasync -1
diagnose debug enable

• If the checksums between the debugzone and checksum zones do not match, you can
force the recalculation
# diagnose sys ha checksum recalculate [<vdom_name> | global]

© Fortinet Inc. All Rights Reserved. 28

If a device can’t join a cluster, follow these steps:


1. Verify the HA settings.
2. Verify the firmware versions and hardware models.
3. Verify the physical layer connections.
4. Use the HA real-time debug while the device tries to join the cluster. Run the debug on both the primary
device and the device with the problem.

If the problem is that the checksums between the debugzone and checksum zones don’t match, you can try
to fix it by forcing the recalculation.

Network Security Support Engineer 7.4 Study Guide 305


High Availability

DO NOT REPRINT
© FORTINET
HA Heartbeat Troubleshooting Tips
• High session synchronization traffic might delay heartbeats
• Solutions:
• Separate session synchronization and heartbeat traffic:
config system ha
set session-sync-dev <port_name_1> [port_name_2] …
end
• Delay new session synchronization by 30 seconds. Short-lived sessions won't be synchronized, which results in
less session traffic:
config system ha
set session-pickup-delay enable
end

• High CPU problems can also create HA heartbeat issues

© Fortinet Inc. All Rights Reserved. 29

Traffic from session synchronization is bandwidth intensive. If the session creation rate is high, session
synchronization traffic can interfere with heartbeat traffic, creating delays in heartbeat replies. There are two
configuration changes that you can make that might help:

• Use a different interface from the heartbeat interface for session synchronization.
• Delay the synchronization of new sessions by 30 seconds, so short-lived sessions are not synchronized.

High CPU issues can also create HA heartbeat problems. In those cases, troubleshoot and fix the high CPU
problem first, before you check the HA status.

Network Security Support Engineer 7.4 Study Guide 306


High Availability

DO NOT REPRINT
© FORTINET
Review
 Check the status of the HA configuration
 Monitor an HA cluster
 Configure session synchronization
 Troubleshoot common HA issues

© Fortinet Inc. All Rights Reserved. 30

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to monitor an HA cluster and steps to
troubleshoot FortiGate devices running in HA.

Network Security Support Engineer 7.4 Study Guide 307


IPsec

DO NOT REPRINT
© FORTINET

Network Security Support Engineer


IPsec

FortiGate 7.4
Last Modified: 25 April 2024

In this lesson, you will learn about IPsec.

Network Security Support Engineer 7.4 Study Guide 308


IPsec

DO NOT REPRINT
© FORTINET
Objectives
• Manage IPsec VPN tunnels
• Use debug commands for phase 1 and phase 2
• Diagnose IPsec traffic issues with debug flow commands
• Use a sniffer to debug IPsec traffic
• Monitor and troubleshoot IPsec traffic on hardware offload

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of IPsec, you will be able to manage, monitor, diagnose, debug,
and troubleshoot IPsec.

Network Security Support Engineer 7.4 Study Guide 309


IPsec

DO NOT REPRINT
© FORTINET

Monitor IPsec VPN Tunnels

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn the CLI commands used to monitor the status and statistics of IPsec VPNs.

Network Security Support Engineer 7.4 Study Guide 310


IPsec

DO NOT REPRINT
© FORTINET
IPsec SA Management

# diagnose vpn tunnel ?

down Shut down tunnel


up Activate tunnel
list list all tunnel
dialup-list List dialup tunnel.
bundle-list List all bundles.
flush Flush tunnel SAs.
delinbsa Remove tunnel sa.
deloutbsa Remove tunnel sa.
stat Tunnel statistic info.
fec FEC statistics.

© Fortinet Inc. All Rights Reserved. 4

The command diagnose vpn tunnel offers options for shutting down, activating, or flushing a VPN tunnel.

Network Security Support Engineer 7.4 Study Guide 311


IPsec

DO NOT REPRINT
© FORTINET
IPsec SA
# diagnose vpn tunnel list name Hub2Spoke1 Lists specified tunnel
list IPsec tunnel by names in vd 0 information only
------------------------------------------------------
name=Hub2Spoke1 ver=1 serial=2 10.10.1.1:0->10.10.2.2:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=8 ilast=11 olast=3 auto-discovery=0
stat: rxp=513 txp=129 rxb=459050 txb=93
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=36 DPD information
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Hub2Spoke1 proto=0 sa=1 ref=2 serial=1
src: 0:192.168.1.0/255.255.255.0:0 Antireplay is enabled
dst: 0:10.10.20.0/255.255.255.0:0
SA: ref=7 options=2e type=00 soft=0 mtu=1438 expire=41195/0B replaywin=1024 seqno=9d esn=0
replaywin_lastseq=00000200
life: type=01 bytes=0/0 timeout=43150/43200
dec: spi=01e54b14 esp=aes key=16 914dc5d092667ed436ea7f6efb867976 SA information
ah=sha1 key=20 a81b019d4cdfda32ce51e6b01d0b1ea42a74adce
enc: spi=3dd3545f esp=aes key=16 017b8ff6c4ba21eac99b22380b7de74d
ah=sha1 key=20 edd8141f4956140eef703d9042621d3dbf5cd961
dec:pkts/bytes=513/458986, enc:pkts/bytes=250/26848 Hardware offload
npu_flag=03 npu_rgwy=10.10.2.2 npu_lgwy=10.10.1.1 npu_selid=1 information

© Fortinet Inc. All Rights Reserved. 5

The command diagnose vpn tunnel list displays the current IPsec security association (SA)
information for all active tunnels.

The command diagnose vpn tunnel list name <tunnel name> provides SA information about a
specific tunnel.

Network Security Support Engineer 7.4 Study Guide 312


IPsec

DO NOT REPRINT
© FORTINET
IPsec Tunnel Details
Hub # get vpn ipsec tunnel details
gateway
name: 'Hub2Spoke1'
type: route-based
local-gateway: 10.10.1.1:0 (static)
Phase 1 details
remote-gateway: 10.10.2.2:0 (static)
mode: ike-v1
interface: 'wan2' (6)
rx packets: 1025 bytes: 524402 errors: 0
tx packets: 641 bytes: 93 errors: 0
dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0
selectors
name: 'Hub2Spoke1'
auto-negotiate: disable
mode: tunnel Quick mode selectors
src: 0:192.168.1.0/0.0.0.0:0
dst: 0:10.10.20.0/0.0.0.0:0
SA
lifetime/rekey: 43200/32137 Tunnel MTU
mtu: 1438
tx-esp-seq: 2ce
replay: enabled
inbound
spi: 01e54b14 Phase 2 SAs for each
enc: aes-cb 914dc5d092667ed436ea7f6efb867976 direction
auth: sha1 a81b019d4cdfda32ce51e6b01d0b1ea42a74adce
outbound
spi: 3dd3545f
enc: aes-cb 017b8ff6c4ba21eac99b22380b7de74d
auth: sha1 edd8141f4956140eef703d9042621d3dbf5cd961
Hardware acceleration
NPU acceleration: encryption(outbound) decryption(inbound)

© Fortinet Inc. All Rights Reserved. 6

The command get vpn ipsec tunnel details provides detailed information about the active IPsec
tunnels.

To view detailed information about each tunnel, use the command diagnose vpn ipsec tunnel detail.

The output shows traffic counters; negotiated quick mode selectors; and negotiated encryption, authentication,
and keys.

Network Security Support Engineer 7.4 Study Guide 313


IPsec

DO NOT REPRINT
© FORTINET
IKE Gateway List
Hub # diagnose vpn ike gateway list name Hub2Spoke1
vd: root/0
name: Hub2Spoke1
version: 1
interface: wan2 6
addr: 10.10.1.1:500 -> 10.10.2.2:500
When phase 1 was
created: 3196s ago created
auto-discovery: 0
IKE SA: created 1/1 established 1/1 time 6020/6020/6020 ms
IPsec SA: created 1/1 established 1/1 time 40/40/40 ms

id/spi: 87 16b474c1ae9de3ca/67e428c8c7118617 Is this gateway an


direction: initiator initiator or responder?
status: established 3196-3190s ago = 6020ms
proposal: aes128-sha256
key: 34641b135ceeb2cd-c44a41d15dec439c
lifetime/rekey: 86400/82909
DPD sent/recv: 00000040/0000002e
Clear phase 1
Hub # diagnose vpn ike gateway clear <name>

© Fortinet Inc. All Rights Reserved. 7

The command diagnose vpn ike gateway list also provides some details about a tunnel.

The command diagnose vpn ike gateway clear closes a phase 1. Be careful when using this
command because it has a global effect. This means that running it without specifying the phase 1 name
results in all phase 1s of all VDOMs being cleared.

Network Security Support Engineer 7.4 Study Guide 314


IPsec

DO NOT REPRINT
© FORTINET
Additional IPsec Debug Commands
Hub # get vpn ipsec stats tunnel
tunnels
total: 1
static/ddns: 1 Number of tunnels
dynamic: 0 currently active
manual: 0
errors: 0
selectors
total: 1
up: 1

Hub # get vpn ipsec tunnel summary


'Hub2Spoke1' 10.10.2.2:0 selectors(total,up): 1/1 rx(pkt,err): 1025/0 tx(pkt,err): 769/0

Hub # get ipsec tunnel list

NAME REMOTE-GW PROXY-ID-SOURCE PROXY-ID-DESTINATION STATUS TIMEOUT


Hub2Spoke1 10.10.2.2:0 192.168.1.0/255.255.255.0 10.10.20.0/255.255.255.0 up 42844

Tunnel Status Timeout value for each


name Peer IP Quick mode selectors active tunnel

© Fortinet Inc. All Rights Reserved. 8

The command get vpn ipsec stats tunnel provides some global overall counters related to all the
VPNs that are currently active.

The other two commands shown on this slide provide summarized information about the VPNs.

Network Security Support Engineer 7.4 Study Guide 315


IPsec

DO NOT REPRINT
© FORTINET

Debug an IPsec VPN Connection

© Fortinet Inc. All Rights Reserved. 9

In this section, you will learn the CLI commands used to debug phase 1 and 2 negotiations.

Network Security Support Engineer 7.4 Study Guide 316


IPsec

DO NOT REPRINT
© FORTINET
IKE Filter Options
# diagnose vpn ike log filter
list Display the current filter.
clear Erase the current filter.
name Phase1 name to filter by.
loc-addr4 IPv4 local gateway address range to filter by.
mloc-addr4 Multiple IPv4 local gateway address to filter by.
rem-addr4 IPv4 remote gateway address range to filter by.
mrem-addr4 Multiple IPv4 remote gateway address to filter by.
loc-addr6 IPv6 local gateway address range to filter by.
mloc-addr6 Multiple IPv6 local gateway address to filter by.
rem-addr6 IPv6 remote gateway address range to filter by.
mdst-addr6 multiple IPv6 remote gateway addresses to filter by.
dst-port Destination port range to filter by.
vd Index of virtual domain. -1 matches all.
interface Interface that IKE connection is negotiated over.
negate Negate the specified filter parameter.

# diagnose vpn ike log filter clear


# diagnose vpn ike log filter rem-addr4 <remote gateway IPv4 address>

© Fortinet Inc. All Rights Reserved. 10

The IKE daemon handles all IPsec connections on FortiGate. It’s important to familiarize yourself with the
available filter options. You use these options to filter the output of the IKE real-time debug, so that only the
information that is relevant to you is displayed.

The most common filter option is rem-addr4, which you use to filter the output by the IP address of the
remote peer. Also, multiple addresses are supported. Filtering by name is helpful when the remote peer IP
address is unknown.

Network Security Support Engineer 7.4 Study Guide 317


IPsec

DO NOT REPRINT
© FORTINET
IKE Real-Time Debug
# diagnose debug application ike <bitmask>
# diagnose debug enable
• Bitmask value: -1 is recommended
• You should enable the timestamp when Bitmask Description
troubleshooting IKE issues: 1 Major errors
# diagnose debug console timestamp enable 2 Configuration changes
4 Connections attempts
8 Phase 1 and 2 negotiation messages
16 NAT-T messages
32 Dead peer detection messages
64 Encryption and decryption keys
128 Encrypted traffic payload

© Fortinet Inc. All Rights Reserved. 11

After setting the filter, enable the IKE real-time debug using the commands shown on this slide.

The table shown on this slide includes the type of output that is enabled by each bit in the bitmask. The most
common value for the bitmask is -1 (all outputs enabled). It shows the dead peer detection (DPD) packets and
all the information required for troubleshooting IPsec negotiation problems.

Network Security Support Engineer 7.4 Study Guide 318


IPsec

DO NOT REPRINT
© FORTINET
Debugging Main Mode
# diagnose debug application ike -1
# diagnose debug enable
...
ike 0: comes 10.10.2.2:500->10.10.1.1:500,ifindex=6....
ike 0: IKEv1 exchange=Identity Protection id=76a2fb2b18d6fee7/0000000000000000 len=716
ike 0:...:92: responder: main mode get 1st message...
ike 0:...:92: VID RFC 3947 4A131C81070358455C5728F20E95452F
... First main mode
ike 0:...:92: negotiation result message
ike 0:...:92: proposal id = 1:
ike 0:...:92: protocol id = ISAKMP:
ike 0:...:92: trans_id = KEY_IKE.
ike 0:...:92: encapsulation = IKE/none
Phase 1 proposal
ike 0:...:92: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:...:92: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:...:92: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:...:92: type=OAKLEY_GROUP, val=MODP2048.
ike 0:...:92: ISAKMP SA lifetime=86400
Proposal chosen and
... matched tunnel Hub2Spoke1
ike 0:...:92: SA proposal chosen, matched gateway Hub2Spoke1
ike 0: found Hub2Spoke1 10.10.1.1 6 -> 10.10.2.2:500

© Fortinet Inc. All Rights Reserved. 12

Now, you will look at the output of the IKE real-time debug during a main-mode negotiation. Main mode
requires the interchange of six packets. The real-time debug shows when the first packet (first main mode
message) arrives. Then, the debug shows the negotiated settings for phase 1. A message is generated after
FortiGate identifies the VPN configuration to use (with the name of the VPN).

Network Security Support Engineer 7.4 Study Guide 319


IPsec

DO NOT REPRINT
© FORTINET
Debugging Main Mode (Contd)
ike 0:Hub2Spoke1:92: peer is FortiGate/FortiOS (v6 b1579) Remote peer device
... information
ike 0:Hub2Spoke1:92: sent IKE msg (ident_r1send): 10.10.1.1:500->10.10.2.2:500, len=192, id=76a2fb2b18d6fee7/399d6ddd6e830672
ike 0: comes 10.10.2.2:500->10.10.1.1:500,ifindex=6....
ike 0: IKEv1 exchange=Identity Protection id=76a2fb2b18d6fee7/399d6ddd6e830672 len=380
ike 0:Hub2Spoke1:92: responder:main mode get 2nd message... Second main mode
ike 0:Hub2Spoke1:92: NAT not detected message
ike 0:Hub2Spoke1:92: sent IKE msg (ident_r2send): 10.10.1.1:500->10.10.2.2:500, len=380, id=76a2fb2b18d6fee7/399d6ddd6e830672
ike 0: comes 10.10.2.2:500->10.10.1.1:500,ifindex=6....
ike 0: IKEv1 exchange=Identity Protection id=76a2fb2b18d6fee7/399d6ddd6e830672 len=108
ike 0:Hub2Spoke1:92: responder: main mode get 3rd message...
Third main mode
...
message
ike 0:Hub2Spoke1:92: received p1 notify type INITIAL-CONTACT
ike 0:Hub2Spoke1:92: peer identifier IPV4_ADDR 10.10.2.2
Authentication
ike 0:Hub2Spoke1:92: PSK authentication succeeded
successful
ike 0:Hub2Spoke1:92: authentication OK
ike 0:Hub2Spoke1:92: sent IKE msg (ident_r3send): 10.10.1.1:500->10.10.2.2:500, len=92, id=76a2fb2b18d6fee7/399d6ddd6e830672
...
ike 0:Hub2Spoke1:92: established IKE SA 76a2fb2b18d6fee7/399d6ddd6e830672
ike 0:Hub2Spoke1:92: processing INITIAL-CONTACT Phase 1 is up
...

© Fortinet Inc. All Rights Reserved. 13

Next, the output shows the remote peer information. The second and third main mode messages arrive. After
the authentication is successful and the pre-shared key matches, a final message is generated to indicate that
phase 1 is up.

Network Security Support Engineer 7.4 Study Guide 320


IPsec

DO NOT REPRINT
© FORTINET
Debugging Aggressive Mode
ike 0: comes 10.10.2.2:500->10.10.1.1:500,ifindex=6....
ike 0: IKEv1 exchange=Aggressive id=3c6c62a443611a29/0000000000000000 len=776
ike 0:...:96: responder: aggressive mode get 1st message...... First aggressive mode
ike 0:...:96: VID FORTIGATE 8299031757A36082C6A621DE00050428 message
ike 0::96: peer identifier IPV4_ADDR 10.10.2.2
ike 0:...:96: negotiation result
ike 0:...:96: proposal id = 1:
ike 0:...:96: protocol id = ISAKMP:
ike 0:...:96: trans_id = KEY_IKE.
ike 0:...:96: encapsulation = IKE/none IKE proposal
ike 0:...:96: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:...:96: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:...:96: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:...:96: type=OAKLEY_GROUP, val=MODP2048.
ike 0:...:96: ISAKMP SA lifetime=86400
ike 0:...:96: SA proposal chosen, matched gateway Hub2Spoke1
Proposal chosen for
ike 0: found Hub2Spoke1 10.10.1.1 6 -> 10.10.2.2:500... Hub2Spoke1
ike 0:Hub2Spoke1:96: responder: aggressive mode get 2nd response...
...
ike 0:Hub2Spoke1:96: PSK authentication succeeded
ike 0:Hub2Spoke1:96: authentication OK
Authentication successful
ike 0:Hub2Spoke1:96: NAT not detected
ike 0:Hub2Spoke1:96: established IKE SA 3c6c62a443611a29/dccee519f2e8b9b9 Phase 1 is up
ike 0:Hub2Spoke1: carrier up

© Fortinet Inc. All Rights Reserved. 14

This slide shows the output of the real-time debug for phase 1 aggressive mode. It displays the three
aggressive mode packets exchanged, and the proposals.

Network Security Support Engineer 7.4 Study Guide 321


IPsec

DO NOT REPRINT
© FORTINET
Debugging XAuth
ike 0:DialUP_0:13: initiating XAUTH.
ike 0:DialUP_0:13: sending XAUTH request CFG_REQUEST sent
ike 0:DialUP_0:13: sent IKE msg (cfg_send): 10.200.1.1:500->10.200.3.1:500, len=76,
id=2d5d8e9aa17045c4/e93fbb0a30d4b217:bd294d3e
CFG_REPLY received
ike 0:DialUP_0:13: peer has not completed XAUTH exchange
ike 0: comes 10.200.3.1:500->10.200.1.1:500,ifindex=2....
ike 0: IKEv1 exchange=Mode config id=2d5d8e9aa17045c4/e93fbb0a30d4b217:bd294d3e len=92
ike 0:DialUP_0:13: received XAUTH_USER_NAME 'fortinet' length 8
ike 0:DialUP_0:13: received XAUTH_USER_PASSWORD length 8
ike 0:DialUP_0: XAUTH user "fortinet"
CFG_SET sent
ike 0:DialUP: auth group VPN
ike 0:DialUP_0: XAUTH succeeded for user "fortinet" group "VPN"
ike 0:DialUP_0:13: sent IKE msg (cfg_send): 10.200.1.1:500->10.200.3.1:500, len=68,
CFG_ACK received
id=2d5d8e9aa17045c4/e93fbb0a30d4b217:3639b66f
ike 0: comes 10.200.3.1:500->10.200.1.1:500,ifindex=2....
ike 0: IKEv1 exchange=Mode config id=2d5d8e9aa17045c4/e93fbb0a30d4b217:3639b66f len=68

© Fortinet Inc. All Rights Reserved. 15

The IKE real-time debug shows, after phase 1, the exchange of extended authentication (XAuth) packets. On
this slide, you can see the CFG_REQUEST packet. You can also see the CFG_REPLY, showing the XAuth user
and group name.

After that, the IKE real-time debug shows the CFG_SET and CFG_ACK.

Network Security Support Engineer 7.4 Study Guide 322


IPsec

DO NOT REPRINT
© FORTINET
Debugging IKE Mode Configuration CFG_REQUEST received
...
ike 0: comes 172.31.18.81:500->172.31.224.125:500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=bc69d3c493f5/9137d875a2c420c6:c4ad
ike 0:vpn_0:4: mode-cfg type 1 request 0:''
ike 0:vpn_0:4: mode-cfg using allocated IPv4 10.255.255.100
ike 0:vpn_0:4: mode-cfg assigned (1) IPv4 address 10.255.255.100
ike 0:vpn_0:4: mode-cfg type 2 request 0:''
ike 0:vpn_0:4: mode-cfg assigned (2) IPv4 netmask 255.255.255.0
ike 0:vpn_0:4: mode-cfg type 3 request 0:'' CFG_REPLY sent
ike 0:vpn_0:4: mode-cfg send (3) IPv4 DNS(1) 10.185.0.200
ike 0:vpn_0:4: sent IKE msg (cfg_send): 172.31.224.125:500->172.31.18.81:500,
ike 0: comes 172.31.18.81:500->172.31.224.125:500,ifindex=5....
...

© Fortinet Inc. All Rights Reserved. 16

After the XAuth exhange, the remote site proceeds to request and receive the IP address settings through IKE
mode configuration.

The output shows the CFG_REQUEST and CFG_REPLY packets.

Network Security Support Engineer 7.4 Study Guide 323


IPsec

DO NOT REPRINT
© FORTINET
Debugging Phase 2
ike 0:comes 10.10.2.2:500->10.10.1.1:500,ifindex=6....
ike 0:IKEv1 exchange=Quick id=3c6c62a443611a29/dccee519f2e8b9b9:8f32bfcc len=588
ike 0:Hub2Spoke1:96:551: responder received first quick-mode message
...
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: my proposal: Local gateway proposal(s)
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: proposal id = 1:
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: protocol id = IPsec_ESP:
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: PFS DH group = 14
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: type = AUTH_ALG, val=SHA1
...
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: incoming proposal: Remote gateway proposal(s)
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: proposal id = 1:
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: protocol id = IPsec_ESP:
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: PFS DH group = 14
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: type = AUTH_ALG, val=SHA1
...

© Fortinet Inc. All Rights Reserved. 17

This slide shows the phase 2 negotiation.

The debug shows the phase 2 proposal from the local gateway, and the phase 2 proposal coming to the
remote gateway. In this case, both proposals (local and remote) match.

Network Security Support Engineer 7.4 Study Guide 324


IPsec

DO NOT REPRINT
© FORTINET
Debugging Phase 2 (Contd) Negotiated phase 2
proposal
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: negotiation result
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: proposal id = 1:
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: protocol id = IPsec_ESP:
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: PFS DH group = 14
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: type = AUTH_ALG, val=SHA1
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: set pfs=MODP2048
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: using tunnel mode.
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: replay protection enabled
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: SA life soft seconds=43153.
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: SA life hard seconds=43200.
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: IPsec SA selectors #src=1 #dst=1
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: src 0 7 0:192.168.1.0-192.168.1.255:0
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: dst 0 7 0:10.10.20.0-10.10.20.255:0
...
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: add IPsec SA: SPIs=01e54b23/3dd3546b
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: added IPsec SA: SPIs=01e54b23/3dd3546b
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: sending SNMP tunnel UP trap
Phase 2 is up

© Fortinet Inc. All Rights Reserved. 18

Next, the output shows the negotiated phase 2 settings. The last messages confirm that phase 2 is up.

Network Security Support Engineer 7.4 Study Guide 325


IPsec

DO NOT REPRINT
© FORTINET

IPsec Traffic and Hardware Offload

© Fortinet Inc. All Rights Reserved. 19

In this section, you will learn how to configure and monitor IPsec encryption and decryption on hardware
offload.

Network Security Support Engineer 7.4 Study Guide 326


IPsec

DO NOT REPRINT
© FORTINET
Hardware Offloading Requirements
• You can offload IPsec encryption and decryption to hardware on some FortiGate models
• Hardware offloading capabilities and supported algorithms vary by processor type and
model
• By default, offloading is enabled for supported algorithms
• You can manually disable offloading
config vpn ipsec phase1-interface
edit <tunnel_name>
set npu-offload enable | disable
next
end

© Fortinet Inc. All Rights Reserved. 20

On some FortiGate models, you can offload the encryption and decryption of IPsec traffic to hardware. The
supported algorithms depend on the model and type of processor on the device that is offloading the
encryption and decryption.

By default, hardware offloading is enabled for the supported algorithms. This slide shows the commands you
can use to disable hardware offloading per tunnel, if necessary.

Network Security Support Engineer 7.4 Study Guide 327


IPsec

DO NOT REPRINT
© FORTINET
Session NPU-Flag Field
• IPsec SAs have an NPU-flag field
# diagnose vpn tunnel list name Hub2Spoke1
list IPsec tunnel by names in vd 0
...
npu_flag=03 npu_rgwy=10.10.2.2 npu_lgwy=10.10.1.1
npu_selid=1

NPU-Flag Value Description


npu_flag= 00 Both IPsec SAs loaded to the kernel
npu_flag= 01 Outbound IPsec SA copied to NPU
npu_flag= 02 Inbound IPsec SA copied to NPU
npu_flag= 03 Both outbound and inbound IPsec SAs copied to
NPU

npu_flag= 20 Unsupported cipher or HMAC; IPsec SA cannot be


offloaded

© Fortinet Inc. All Rights Reserved. 21

All IPsec SAs have an npu_flag field that indicates the offloading status. In the case of IPsec traffic, the
FortiGate session table also includes that field.

First, when phase 2 comes up, the IPsec SAs are created and loaded to the kernel. As long as there is no
traffic crossing the tunnel, the SAs are not copied to the network processing unit (NPU), and the npu_flag
shows 00. The value of that field also remains 00 when IPsec offloading is disabled.

Second, if the first IPsec packet that arrives is an outbound packet that can be offloaded, the outbound SA is
copied to the NPU and the npu_flag changes to 01. However, if the first IPsec packet is inbound and can be
offloaded, the inbound SA is copied to the NPU and the npu_flag changes to 02.

After both SAs are copied to the NPU, the npu_flag changes to 03.

The value 20 in the npu_flag field indicates that hardware offloading is unavailable because of an
unsupported cipher or hash-based message authentication code (HMAC) algorithm.

Network Security Support Engineer 7.4 Study Guide 328


IPsec

DO NOT REPRINT
© FORTINET
Hardware Offloading Statistics
• IPsec SAs have an NPU-flag field
# diagnose vpn ipsec status

All IPsec crypto devices in use:


NPU Host Offloading:
Encryption (encrypted/decrypted)
null :896 896
des :0 0
3des :14 14 Number of packets encrypted/decrypted by
aes :0 0 software and hardware
aes-gcm :3 3 npX = Network processor acceleration
aria :0 0 Software = No hardware acceleration

© Fortinet Inc. All Rights Reserved. 22

This command shows the number of packets encrypted and decrypted by software (CPU), and by each type
of processor unit on FortiGate.

Network Security Support Engineer 7.4 Study Guide 329


IPsec

DO NOT REPRINT
© FORTINET

IPsec Troubleshooting

© Fortinet Inc. All Rights Reserved. 23

In this section, you will learn IPsec troubleshooting steps and commands.

Network Security Support Engineer 7.4 Study Guide 330


IPsec

DO NOT REPRINT
© FORTINET
IPsec Connection Steps
1. Interesting traffic triggers the VPN negotiation
2. Phase 1 comes up
• Single bidirectional IKE SA

3. XAuth (if required)


4. IKE mode configuration (if required)
5. Phase 2 comes up
• Two IPsec SAs (one for each traffic direction) for each phase 2

6. Tunnel is established and traffic can traverse tunnel

© Fortinet Inc. All Rights Reserved. 24

When isolating IPsec problems, it is useful to understand that an IPsec connection can be described as a
multistep process:
1. Interesting traffic triggers the VPN negotiation. Traffic is called interesting when it must travel through an
IPsec tunnel (encrypted and encapsulated) to reach a remote network.
2. Phase 1 comes up.
3. If XAuth is required, one side authenticates.
4. If one side requires IP settings, the other side sends the required settings through the IKE mode
configuration.
5. One or more phase 2s go up. Two IPsec SAs are negotiated for each phase 2.
6. Traffic crosses the tunnel.

If you have an IPsec issue, you should identify in which of these steps the problem occurred.

Network Security Support Engineer 7.4 Study Guide 331


IPsec

DO NOT REPRINT
© FORTINET
Debug Flow of Tunnel Traffic
Hub # id=20085 trace_id=5 func=print_pkt_detail line=4742 msg="vd-root received a
packet(proto=1, 192.168.1.111:1->10.10.20.111:2048) from lan. type=8, code=0, id=1, seq=165."
id=20085 trace_id=5 func=init_ip_session_common line=4893 msg="allocate a new session-001efeca“

Must match quick mode selectors

id=20085 trace_id=5 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-10.10.20.111 via


Hub2Spoke1"
Traffic allowed by
id=20085 trace_id=5 func=fw_forward_handler line=691 msg="Allowed by Policy-10:“
VPN firewall policy
id=20085 trace_id=5 func=... line=122 msg="enter IPsec interface-Hub2Spoke1"
id=20085 trace_id=5 func=esp_output4 line=1149 msg="IPsec encrypt/auth"
id=20085 trace_id=5 func=IPsec_output_finish line=519 msg="send to 10.10.1.2 via intf-wan2“

Reply from remote host Traffic entering the tunnel

id=20085 trace_id=6 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 10.10.20.111:1-


>192.168.1.111:0) from Hub2Spoke1. type=0, code=0, id=1, seq=165."
id=20085 trace_id=6 func=resolve_ip_tuple_fast line=4806 msg="Find an existing session, id-001efeca, reply
direction"
...
Traffic allowed using existing
session

© Fortinet Inc. All Rights Reserved. 25

Now assume that when phase 1 comes up, phase 2 also comes up, but, for some reason, the traffic is not
crossing the tunnel.

If the VPN is up but the traffic can’t cross the tunnel, you should use the debug flow. If possible, run it on both
gateways. This will let you know if the local gateway is dropping the packets or not routing the packets
through the tunnel, or if the remote gateway is dropping the packets.

This slide shows an example output of the debug flow for traffic that is crossing an IPsec tunnel. The output
shows the following:
• Packet arriving
• Packet being allowed by a firewall policy
• Packet entering the tunnel
• Packet being encrypted and sent

If the traffic is not crossing the tunnel because of a routing misconfiguration, the output of the debug flow
shows it. The debug flow also displays if the traffic drops and why (for example, when packets don’t match the
quick mode selector).

Network Security Support Engineer 7.4 Study Guide 332


IPsec

DO NOT REPRINT
© FORTINET
Capturing IKE Traffic
Protocol NAT and NAT-T No NAT
IKE Initially UDP port 500 UDP port 500
UDP port 4500 after NAT is detected
ESP Encapsulated in UDP port 4500 IP protocol 50
• No NAT
• IKE traffic
# diagnose sniffer packet <port> 'host <remote-gw> and udp port 500'
• ESP traffic
# diagnose sniffer packet any 'host <remote-gw> and esp'
• With NAT and NAT-T
• IKE and ESP traffic
# diagnose sniffer packet any 'host <remote-gw> and (udp port 500 or udp port 4500)‘
• IKE and IKE NAT-T UDP port numbers configurable from the CLI
# config system settings
set ike-port <1024 – 65535>
end

© Fortinet Inc. All Rights Reserved. 26

If you need to capture IPsec traffic, remember that the IP protocol and UDP port numbers depend on network
address translation traversal (NAT-T) and the use of network address translation (NAT).

If there is no FortiGate located in the middle that is running NAT, IKE traffic uses UDP port 500 and
encapsulating security payload (ESP) traffic uses IP protocol 50. This slide shows the two sniffer filters that
the sniffer command must use to capture each of those traffic protocols.

If NAT-T is enabled, and there is a FortiGate located in the middle that is running NAT, the sniffer command
must use a different filter. In this case, IKE traffic uses port UDP 500, but switches to UDP port 4500 during
the tunnel negotiation. Additionally, ESP traffic is encapsulated inside the UDP 4500 channel.

Note that port 500 and port 4500 are the default UDP port numbers for IKE and IKE NAT-T, respectively. You
can configure these ports using the command config system settings and options set ike-port
<value>.

Network Security Support Engineer 7.4 Study Guide 333


IPsec

DO NOT REPRINT
© FORTINET
Common IPsec Problems
Problem Output of IKE debug Common causes Common solutions

Tunnel is not coming up Error: negotiation failure IPsec configuration mismatch Verify phase 1 and phase
2 configurations between
both peers

Error: no SA proposal IPsec configuration mismatch Verify phase 1 and phase


chosen 2 configurations between
both peers
Tunnel is unstable DPD packet lost ISP issue Check internet connection

Tunnel is up but traffic Error in debug flow: no Quick mode selectors Verify quick mode
doesn’t pass through it matching IPsec selector, mismatch selectors are correct
drop
NAT is enabled Disable NAT on the VPN
firewall policy
Routing issue Route missing or pointing to Verify route is correctly
wrong device defined

© Fortinet Inc. All Rights Reserved. 27

This slide shows a summary of the most common IPsec problems and solutions.

If the tunnel doesn’t come up, use the IKE real-time debug. In such cases, an error message usually appears.

When the tunnel is unstable, you usually see that DPD packets are being lost, which indicates that the
problem might be on the internet service provider (ISP) side.

If the tunnel is up but traffic isn’t passing through it, use the debug flow. One of the peers might be dropping
packets or routing traffic incorrectly. Another possibility is that the packets don’t match the quick mode
selectors, so FortiGate drops the packets.

Network Security Support Engineer 7.4 Study Guide 334


IPsec

DO NOT REPRINT
© FORTINET
Review
 Manage IPsec VPN tunnels
 Use debug commands for phase 1 and phase 2
 Diagnose IPsec traffic issues with debug flow commands
 Use a sniffer to debug IPsec traffic
 Monitor and troubleshoot IPsec traffic on hardware offload

© Fortinet Inc. All Rights Reserved. 28

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to manage, monitor, diagnose, debug,
and troubleshoot IPsec.

Network Security Support Engineer 7.4 Study Guide 335


IPsec―IKEv2

DO NOT REPRINT
© FORTINET

Network Security Support Engineer


IPsec―IKEv2

FortiGate 7.4
Last Modified: 25 April 2024

In this lesson, you will learn you will learn about IPsec IKEv2.

Network Security Support Engineer 7.4 Study Guide 336


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
Objectives
• Compare IKEv1 and IKEv2
• Understand the reasons to keep IKEv1
• Understand IKEv2 at a high level
• Understand IKE negotiation exchange
• Learn about IKEv2 monitor, debug, and troubleshooting commands
• Understand the IKEv2 negotiation process

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of IPsec IKEv2, you will be able to explain the differences and
advantages of IKEv2 and its negotiation process.

Network Security Support Engineer 7.4 Study Guide 337


IPsec―IKEv2

DO NOT REPRINT
© FORTINET

IKEv1 and IKEv2 Comparison

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn about the differences between IKEv1 and IKEv2.

Network Security Support Engineer 7.4 Study Guide 338


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
IKEv1—An Outdated Version

• IKEv1 has been deprecated and moved to historic status


• IKE made the following IKEv1 RFC specifications obsolete in December 2005:
RFC2409, RFC2408, and RFC2407
• IKEv2 replaced IKEv1 over 15 years ago
• IKEv1 development ceased over a decade ago
• Unmaintained code can result in security vulnerabilities; therefore, IKEv1 can be used in
packet amplification attacks
• IKEv1 uses outdated algorithms, such as RC5, IDEA, CAST, Blowfish, and others
• Some widely used IKEv1 functionalities never reached the standard state and remained
in the draft state
• IKEv1 does not have an RFC for fragmentation

© Fortinet Inc. All Rights Reserved. 4

Although IKEv1 is still widely used, you must consider multiple factors when deciding whether to continue
using IKEv1 or replace it. Notably, IKEv1 development ceased over a decade ago—and unmaintained code
can result in security vulnerabilities. IKEv1 has been moved to historic status and some of its RFC
specifications have become obsolete.

Some algorithms used in IKEv1 are no longer actively deployed or researched, which presents an unknown
security risk that you should avoid. Some IKEv1 functionalities never reached the standard state and some do
not even have an RFC.

Network Security Support Engineer 7.4 Study Guide 339


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
Reasons to Continue Using IKEv1
• Need for RADIUS or LDAP authentication of a FortiGate device acting as dial-up client
• Need for multiple stages of authentication:
• In a dial-up user scenario, sometimes the requirement is to first authenticate the IPsec endpoints (for
example, FortiGate and FortiClient) with certificates, and to also authenticate the user against a
corporate RADIUS/LDAP/AD server
• Another consideration:
• IKEv1 is still widely used in multiple platforms and FortiOS has more than 20 years of exposure

© Fortinet Inc. All Rights Reserved. 5

Even though IKEv1 is deprecated, it can still fulfill some system requirements:
• When RADIUS or LDAP authentication is required for a FortiGate device acting as a dial-up client:
Because FortiOS doesn't have an Extensible Authentication Protocol (EAP) client, a FortiGate device
cannot authenticate itself against a RADIUS or LDAP server. In this case, IKEv1 must be used.
• When multiple stages of authentication are required: Although IKEv2 can provide a solution to this
requirement, it requires multiple authentication exchanges or EAP chaining with tunnel-based EAP (TEAP).

FortiOS has used IKEv1 for more than 20 years, which has driven fixes and optimizations.

Network Security Support Engineer 7.4 Study Guide 340


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
IKEv2 Overview
• The key exchange and security association (SA) management protocols IKEv1 and
IKEv2 are incompatible
• IKEv2 specifications:
• RFC 4306 (2005), RFC 5996 (2010), RFC 7296 (2014)
• IKEv1 specifications:
• The core functionalities of IKEv1 are defined in multiple RFCs: RFC 2407 IPsec DOI for ISAKMP, RFC
2408 ISAKMP, RFC2409 IKEv1, RFC 2412 Oakley, and so on
• Additional major IKEv1 functionalities—NAT-T, DPD, mode cfg, xauth, and so on—are
defined in other RFCs

© Fortinet Inc. All Rights Reserved. 6

IKEv1 and IKEv2 are incompatible protocols that achieve the same goal, but in different ways.

IKE version 2 does not interoperate with IKE version 1, but they both have enough of the header format in
common that both versions can unambiguously run over the same UDP port.

While the core IKEv1 functionalities are defined through multiple RFCs, the main IKEv2 RFC covers, in a
single document, many of the same functionalities, like network address translation-transversal (NAT-T),
mode-cfg, EAP, dead peer detection (DPD), and so on.

Network Security Support Engineer 7.4 Study Guide 341


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
IKEv2 Advantages
IKEv2:
• Is actively being worked on by the IPsec Maintenance and Extensions (ipsecme)
working group
• Requires fewer messages and fewer round trips for negotiation
• Is a reliable request and response protocol
• Fragmentation is standardized, has a configurable master terminal unit (MTU), and
begins fragmentation with the first message
• Defines rekey logic for IKE/IPsec SA more accurately than the IKEv1 logic
• Includes denial-of-service (DoS) protection

© Fortinet Inc. All Rights Reserved. 7

There are multiple reasons to transition to IKEv2:


• IKEv2 is a robust and reliable protocol that developers are actively working on.
• IKEv2 negotiations require fewer messages, which translates into decreased latency when establishing a
tunnel. The initial exchange is two round trips (four messages), which allows the setup of a child SA to
piggyback on that exchange.
• Other new improvements are as follows:
• The negotiation of fragmentation starts with the first message.
• DoS protection.
• The rekey logic for IKE/IPSEC SA is more accurately defined.
• The cryptographic syntax for protecting the IKE messages has been replaced with one based
closely on ESP to simplify implementation and security analysis.

Network Security Support Engineer 7.4 Study Guide 342


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
IKEv2 Advantages (Contd)
IKEv2:
• Uses standard EAP authentication methods
• Uses asymmetric authentication
• Has traffic selector flexibility
• Has an overlay network ID
• Requires matching dial-up phase 1 by ID (replaces ID matching by security-weak
IKEv1—dial-up aggressive mode pre-shared key)
• Requires IKE SA session resumption (RFC 5723)
• Requires IKE quick crash detection method (RFC 6290) with other vendors

© Fortinet Inc. All Rights Reserved. 8

Other reasons to move to IKEv2 are:


• The use of standard EAP as authentication and asymmetric authentication
• The option to have matching dial-up phase 1 by ID

IKEv2 provides flexibility for traffic selectors. You can specify the payload type for each traffic selector, rather
than overloading them with ID payloads.

IKEv2 also supports a setup with an overlay network ID, SA session resumption, and quick crash detection.

Network Security Support Engineer 7.4 Study Guide 343


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
Summary of versions
Feature IKEv1 IKEv2
Exchange modes • Main • One exchange procedure only
• Total messages: 9 (6 for phase 1, 3 for phase 2) • Total messages: 4 (one child SA only)
• Aggressive
• Total messages: 6 (3 for phase 1, 3 for phase 2)
Authentication Symmetric Asymmetric
methods
NAT-T Supported as extension (RFC 3947 and RFC 3948) Built-in feature
Reliability Unreliable—messages are not acknowledged Reliable—messages are acknowledged
Dial-up phase 1 • Peer ID + aggressive mode + PSK • Peer ID
matching by ID • Peer ID + main mode + certificate signature • Network ID
Traffic selector Not supported Supported
flexibility

© Fortinet Inc. All Rights Reserved. 9

This slide offers a summary of the comparison of IPsec features in IKEv1 and IKEv2.

Regarding exchange modes, in IKEv1, aggressive mode offers the advantage of reducing the number of
exchanges in Phase 1. In contrast, IKEv2 does not use main or aggressive modes; however, its equivalent to
Phase 1 could require as few as two exchanges.

In the authentication feature, in IKEv1 the authentication must be symmetric. IKEv2 provides flexibility,
allowing the initiator and responder to use different authentication methods during the negotiation.

As part of the improvements on IKEv2, it’s that NAT-T is a built-in feature. NAT-T is not natively supported in
IKEv1. NAT-T feature was later included to enable IKEv1 to work through NAT devices.

Another of the improvements on IKEv2 is the traffic selector flexibility, which allows for more granular control
over which traffic is protected by the IPsec tunnel. IKEv2 also supports the dynamic update of traffic selectors
after the child SA has been established.

Network Security Support Engineer 7.4 Study Guide 344


IPsec―IKEv2

DO NOT REPRINT
© FORTINET

IKEv2 Exchange Process

© Fortinet Inc. All Rights Reserved. 10

In this section, you will learn about the steps IKEv2 exchange uses to negotiate an IPsec tunnel.

Network Security Support Engineer 7.4 Study Guide 345


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
IKEv2—A Request and Response Protocol
• IKEv2 is a “request and response” protocol

• IKEv2 has two initial phases of negotiation:


• IKE_SA_INIT exchange
• IKE_AUTH exchange

• Later IKEv2 exchanges


• Create_Child_SA exchange

© Fortinet Inc. All Rights Reserved. 11

Unlike IKEv1, IKEv2 is a reliable protocol: The initiator retransmits a request until it either receives a
corresponding response or it deems the IKE SA to have failed. In the latter case, the initiator discards the IKE
SA and any child SAs negotiated with the unresponsive peer.

IKEv1 has a clearly demarcated phase 1 exchange, which contains six packets, followed by a phase 2
exchange of three packets. The IKEv2 exchange is variable. At best, it can exchange as few as four packets.
At worst, this can increase to as many as 30 packets, depending on the complexity of authentication.

After the initial exchange takes place, any subsequent traffic then triggers the CREATE_CHILD_SA
exchange, which is the equivalent of the phase 2 exchange in IKEv1.

IKEv2 does not have aggressive mode or main mode.

Network Security Support Engineer 7.4 Study Guide 346


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
IKEv2 Negotiation Steps
• Phase 1: settings for the negotiation of an IKEv2 SA
• Phase 2: settings for the negotiation of a child (IPsec) SA

• IKEv2 exchanges:
• Initial exchanges
• IKE_SA_INIT
• IKE_AUTH
• CREATE_CHILD_SA
• INFORMATIONAL

© Fortinet Inc. All Rights Reserved. 12

IKEv2 does not use the concept of phase 1 or phase 2, but the FortiOS CLI and GUI commands and
terminology are IKEv1-centric, so you do use those concepts and terminology when you configure IKEv2
settings.

The setting configuration for IKEv2 SA takes place in phase 1. The setting configuration for a child SA takes
place in phase 2.

There are four exchanges during the IKEv2 negotiation. The initial exchanges are: IKE_SA_INIT and
IKE_AUTH.

IKE_SA_INIT exchange:
• Negotiates the security settings to protect the IKE traffic.
• Enables DoS protection (cookie mechanism).
IKE_Auth exchange:
• Performs the mutual authentication of two IKE endpoints.
• Configures settings like IP/mask, DNS, and so on.
• Sets up the piggyback of a child SA. Negotiates IP flow and security settings for the IPsec SA.
Create_Child_SA exchange:
• Creates a new child SA or rekeys an existing child SA.
• Rekeys an IKE SA.
Informational exchange:
• Conveys control messages between the IKE endpoints.

Network Security Support Engineer 7.4 Study Guide 347


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
IKEv2 Exchange Process—IKE_SA_INIT

Message 0
State:INIT_REQUEST State:WAIT_INIT_REQUEST
• Formulate initial IKEv2 request
• Insert initiator SPI (cookie) State:SEND_INIT_RESPONSE
• Insert proposal(s) Calculate Diffie-Hellman • Choose a proposal
key pair. Send a Nonce • Pick Diffie-Hellman key pair
• Calculate Diffie-Hellman secret and a nonce
• Prepare reply
State:WAIT_INIT_RESPONSE • Insert Responder SPI

© Fortinet Inc. All Rights Reserved. 13

Communication using IKE always begins with IKE_SA_INIT and IKE_AUTH exchanges (known in IKEv1 as
phase 1). SA_INIT is the first round trip of an IKEv2 initial exchange. An SA_INIT exchange usually takes one
round trip.

The exchange is extended to two round trips, if the responder requests another key exchange
(INVALID_KE_PAYLOAD notification), or if the DoS protection (cookie notification) starts.

If both key exchange renegotiation and DoS protection are completed, the exchange increases to three round
trips.

Network Security Support Engineer 7.4 Study Guide 348


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
IKEv2 Exchange Process—IKE_AUTH

Message 2
State: SEND_AUTH_REQUEST State: WAIT_AUTH_REQUEST
• Calculate Diffie-Hellman secret
State: SEND_AUTH_RESPONSE
• Calculate all keying material
• Authenticates the initiator
• Send Identity and Authentication
• Accept CHILD_SA proposal
• Send parameters for CHILD_SA
• Install traffic protection
• Send CHILD_SA parameters
State: WAIT_AUTH_RESPONSE

© Fortinet Inc. All Rights Reserved. 14

IKE_AUTH (authentication) takes place after SA_INIT and is the last stage of the initial exchange.
It is protected by the cryptographic algorithms and the keys from the SA_INIT.

The peers exchange their identities—ID initator (IDi) or ID responder (IDr)—and provide the proof of their
claimed identity (AUTH).

When EAP is not used, IKE_AUTH consists of a single request and response exchange. When EAP is used,
IKE_AUTH consists of multiple request and response exchanges. The number of exchanges depends on the
EAP method being used.

By default, a piggyback child (IPsec) SA is negotiated along with the IKEv2 SA during IKE_AUTH.
If additional IPsec SAs are needed (for example, if multiple FortiOS phase 2s are configured), they are
negotiated during subsequent CREATE_CHILD_SA exchanges.

By IKEv2 design, no Diffie-Hellman public key is exchanged during an IKE_AUTH exchange.


Consequently, any phase 2 Diffie-Hellman group configuration mismatch between FortiGate and the peer, is
only experienced during the first rekey (CREATE_CHILD_SA exchange) of the child SA created during
IKE_AUTH.

Network Security Support Engineer 7.4 Study Guide 349


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
IKEv2 Exchange Process—CREATE_CHILD_SA

Message 4
State: SEND_CHILD_SA_REQUEST State: WAIT_CHILD_SA_REQUEST
• Request a rekey of an SPI
• Calculate Deffie-Hellman key State:SEND_CHILD_SA_RESPONSE
• Send a new nonce • Identify SPI to be rekeyed
• Generate new keying material
State:WAIT_CHILD_SA_RESPONSE • Create a new nonce
• Send CHILD_SA parameters
State: START_IPSEC_SA_PROTECTION
• Calculate new keying material State: START_IPSEC_SA_PROTECTION
• Install the new SA

© Fortinet Inc. All Rights Reserved. 15

This exchange consists of a single request and response pair, and was referred to as a phase 2 exchange in
IKEv1. It can be initiated by either end of the IKE_SA after the initial exchanges are completed. All messages
following the initial exchange are cryptographically protected using the cryptographic algorithms and keys
negotiated in the first two messages of the IKE exchange. All subsequent messages include an encrypted
payload, even if they are referred to in the text as "empty". Either endpoint may initiate a CREATE_CHILD_SA
exchange, so in this exchange the term "initiator" refers to the endpoint initiating this exchange.

Network Security Support Engineer 7.4 Study Guide 350


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
IKEv2 Exchange Process—Informational
ike 0:VPN_IKEv2: flushed
ike 0:VPN_IKEv2:23:15: send informational
ike 0:VPN_IKEv2:23: enc 00000008010000000706050403020107
ike 0:VPN_IKEv2:23: out
FEB3C69DA9149605A972D6C2F62325E62E20250000000000000000482A00002C91D7CAA1AEBD29EF598DDC
9C2E1284EC3087D91EF7D5FD489173A6B6413AE3008CA1547DEAC32403
ike 0:VPN_IKEv2:23: sent IKE msg (INFORMATIONAL): 100.64.4.1:500->100.64.5.1:500,
len=72, vrf=0, id=feb3c69da9149605/a972d6c2f62325e6
ike 0:VPN_IKEv2: deleted

© Fortinet Inc. All Rights Reserved. 16

At various points during the operation of an IKE_SA, peers may need to convey control messages to each
other regarding errors or notifications of certain events. To accomplish this, IKE defines an informational
exchange. Informational exchanges must occur only after the initial exchanges and are cryptographically
protected with the negotiated keys.

Network Security Support Engineer 7.4 Study Guide 351


IPsec―IKEv2

DO NOT REPRINT
© FORTINET

Monitor and Debug IKEv2

© Fortinet Inc. All Rights Reserved. 17

In this section, you will learn the commands used to monitor an IKEv2 tunnel and the commands used to
debug and troubleshoot IKEv2.

Network Security Support Engineer 7.4 Study Guide 352


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
IKEv2 Commands to Monitor, Debug, and Troubleshoot
• List the IKE SA and child (IPsec) SA:
# diagnose vpn ike gateway list
# diagnose vpn ike gateway clear
# diagnose vpn tunnel list

• IKEv2 debug command is the same as the IKEv1 debug command:

# diagnose vpn ike log filter rem-addr4 <remote gateway IPv4>


# diagnose debug application ike -1
# diagnose debug enable

© Fortinet Inc. All Rights Reserved. 18

The commands to monitor, debug, and troubleshoot IKEv2 are the same as IKEv1.

The command diagnose vpn ike gateway list provides some details about a tunnel. The command
diagnose vpn ike gateway clear closes a phase 1. You can use this command to force a tunnel
negotiation while troubleshooting, but you must use it with caution.

The command diagnose vpn tunnel list displays the current IPsec SA information for all active
tunnels.

In order to debug the connection of an IPsec IKEv2, use the diagnose debug application ike
command, like you would in IKEv1, and apply a filter with diagnose vpn ike log filter to gather the
debug output of a specific tunnel.

Network Security Support Engineer 7.4 Study Guide 353


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
IKEv2 Debug Output

ike 0:VPN_IKEv2:24: sent IKE msg (SA_INIT): 100.64.4.1:500->100.64.5.1:500, len=372, vrf=0, id=c5e
ike 0: comes 100.64.5.1:500->100.64.4.1:500,ifindex=4,vrf=0....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=c5ebafc5b4cf6357/00ec9960f1210499 len=356
...
ike 0:VPN_IKEv2:24: initiator received SA_INIT response
ike 0:VPN_IKEv2:24: processing notify type NAT_DETECTION_SOURCE_IP
....
ike 0:VPN_IKEv2:24: processing notify type FRAGMENTATION_SUPPORTED
ike 0:VPN_IKEv2:24: incoming proposal:
ike 0:VPN_IKEv2:24: proposal id = 1:
ike 0:VPN_IKEv2:24: protocol = IKEv2:
ike 0:VPN_IKEv2:24: encapsulation = IKEv2/none
.....
ike 0:VPN_IKEv2:24: IKE SA c5ebafc5b4cf6357/00ec9960f1210499 SK_ar

© Fortinet Inc. All Rights Reserved. 19

After you enable the debug command diagnose debug application ike and an IPsec negotiation
starts, you can analyze the IKEv2 negotiation process.

In the initial negotiation, you can see the SA_INIT exchange. This slide shows that the SA_INIT was sent and
that the initiator received the SA_INIT response.

Network Security Support Engineer 7.4 Study Guide 354


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
IKEv2 Debug Output (Contd)
ike 0:VPN_IKEv2:24: initiator preparing AUTH msg
ike 0:VPN_IKEv2:24: sending INITIAL-CONTACT
ike 0:VPN_IKEv2:24: enc 2900000C010000006440040127000008000040002900002802000000F837C56D0B9EB4B490D
ike 0:VPN_IKEv2:24: out C5EBAFC5B4CF635700EC9960F12104992E20230800000001000000D8230000BC5E711388CE7
F78171665CABAD9FE75EC6FE143E5CFB4CC0770FE3E579B34DDEA528EF193DA286ADD9A65DF2E912C763CB3B21960BD124

ike 0:VPN_IKEv2:24: sent IKE msg (AUTH): 100.64.4.1:500->100.64.5.1:500, len=216, vrf=0, id=c5ebafc
ike 0: comes 100.64.5.1:500->100.64.4.1:500,ifindex=4,vrf=0....
ike 0: IKEv2 exchange=AUTH_RESPONSE id=c5ebafc5b4cf6357/00ec9960f1210499:00000001 len=208
ike 0: in C5EBAFC5B4CF635700EC9960F12104992E20232000000001000000D0240000B46447F251559A0F10EEE6844B7

ike 0:VPN_IKEv2:24: dec C5EBAFC5B4CF635700EC9960F12104992E20232000000001000000B4240000042700000C010

ike 0:VPN_IKEv2:24: initiator received AUTH msg
ike 0:VPN_IKEv2:24: peer identifier IPV4_ADDR 100.64.5.1
ike 0:VPN_IKEv2:24: auth verify done
ike 0:VPN_IKEv2:24: initiator AUTH continuation
ike 0:VPN_IKEv2:24: authentication succeeded
ike 0:VPN_IKEv2:24: processing notify type MESSAGE_ID_SYNC_SUPPORTED
ike 0:VPN_IKEv2:24: established IKE SA c5ebafc5b4cf6357/00ec9960f1210499
ike 0:VPN_IKEv2:24: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
ike 0:VPN_IKEv2: set oper up

© Fortinet Inc. All Rights Reserved. 20

After a successful SA_INIT exchange, the IKE_AUTH exchange takes place. The debug output shows the
messages received and this response.

This slide shows the AUTH exchange sent by the initiator and the responses that it receives.

Network Security Support Engineer 7.4 Study Guide 355


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
IKEv2 Debug Output (Contd)
ike 0:VPN_IKEv2: schedule auto-negotiate
ike 0:VPN_IKEv2:24:16: peer proposal:
ike 0:VPN_IKEv2:24:16: TSr_0 0:10.1.2.0-10.1.2.255:0
ike 0:VPN_IKEv2:24:16: TSi_0 0:10.1.1.0-10.1.1.255:0
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: comparing selectors
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: matched by rfc-rule-2
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: phase2 matched by subset
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: accepted proposal:
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: TSr_0 0:10.1.2.0-10.1.2.255:0
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: TSi_0 0:10.1.1.0-10.1.1.255:0
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: autokey
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: incoming child SA proposal:
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: proposal id = 1:
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: protocol = ESP:
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: encapsulation = TUNNEL
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: type=ENCR, val=3DES_CBC

ike 0:VPN_IKEv2:24:VPN_IKEv2:16: IPsec SA selectors #src=1 #dst=1
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: src 0 7 0:10.1.1.0-10.1.1.255:0
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: dst 0 7 0:10.1.2.0-10.1.2.255:0

ike 0:VPN_IKEv2:24:VPN_IKEv2:16: sending SNMP tunnel UP trap
ike shrank heap by 159744 bytes

© Fortinet Inc. All Rights Reserved. 21

After successful IKE_SA_INIT and IKE_AUTH exchanges, the CHILD_SA exchange takes place.

In this exchange, the peers negotiate the CHILD_SA and the traffic selectors —traffic selector responder (TSr)
and traffic selector initiator (TSi).

Network Security Support Engineer 7.4 Study Guide 356


IPsec―IKEv2

DO NOT REPRINT
© FORTINET
Review
 Compare IKEv1 with IKEv2
 Understand the reasons to keep IKEv1
 Understand IKEv2 at a high level
 Understand IKE negotiation exchange
 Learn about IKEv2 monitor, debug, and troubleshooting commands
 Understand the IKEv2 negotiation process

© Fortinet Inc. All Rights Reserved. 22

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about the improvements made to IKEv2, its
negotiation process, and how to debug an IPsec tunnel using the IKEv2 protocol.

Network Security Support Engineer 7.4 Study Guide 357


Routing

DO NOT REPRINT
© FORTINET

Network Security Support Engineer


Routing

FortiOS 7.4
Last Modified: 25 April 2024

In this lesson, you will learn about advanced routing concepts. You will also learn useful troubleshooting
commands to debug routing issues.

Network Security Support Engineer 7.4 Study Guide 358


Routing

DO NOT REPRINT
© FORTINET
Objectives
• Describe how FortiGate routes traffic
• Diagnose routing problems caused by the reverse path forwarding (RPF) check
• Identify sessions that will be routed through a different path after a routing table change
• Use debug commands to troubleshoot routing problems

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in routing, you will be able to describe how FortiGate routes traffic, diagnose
routing problems caused by RPF checks, identify sessions that are routed through a different path, and use
debug commands to troubleshoot routing problems.

Network Security Support Engineer 7.4 Study Guide 359


Routing

DO NOT REPRINT
© FORTINET

General Concepts and Troubleshooting

© Fortinet Inc. All Rights Reserved. 3

In this section, you will learn about general routing concepts and troubleshooting.

Network Security Support Engineer 7.4 Study Guide 360


Routing

DO NOT REPRINT
© FORTINET
Route Lookup
• For any session, FortiGate performs two routing table lookups:
• On the first packet that the originator sends
• On the first reply packet that the responder sends
• Routing information is written to the session table and route cache (route cache
removed from Linux kernel version 3.6 and later)
• Exception: After a routing change, route information is flushed from affected sessions
and route cache entries
• Additional routing table lookups are required after a routing change

© Fortinet Inc. All Rights Reserved. 4

FortiGate is a stateful device, so it decodes a lot of information at the beginning of a session, based on the
first packets. For any traffic session, FortiGate usually performs only two routing lookups: one on the first
packet that the originator sends and another one on the first reply packet that the responder sends. After that,
all the routing information is written in the FortiGate session table. However, after a change to the routing
table, the route information is flushed from the affected entries in the session table. So, FortiGate performs
additional routing table lookups in order to repopulate the session table with the new routing information.

Note that the route cache has been removed from the route lookup process from Linux kernel version 3.6 and
later.

Network Security Support Engineer 7.4 Study Guide 361


Routing

DO NOT REPRINT
© FORTINET
Route Lookup Process Regular
Forward
Match traffic
Start of route lookup policy Action? Forward packet
routes

No match Stop policy


routing
ISDB Match
diagnose firewall proute list routes

No match

SD-WAN Match
rules

No match
diagnose ip rtcache list
Route Match
get router info routing-table all cache

No match
Connected
Static Match
Routing table FIB
Dynamic
No match
get router info kernel
Drop packet
© Fortinet Inc. All Rights Reserved. 5

The flowchart on this slide describes the route lookup process in FortiOS. Note that policy routes can be
regular policy routes, internet service database (ISDB) routes, or SD-WAN rules.

First, FortiGate checks the policy routes. The first type of policy routes that FortiGate checks are the regular
policy routes. If there is a match, and the selected action is Forward Traffic, FortiGate routes the packet
accordingly, as long as the policy route passes the forwarding information base (FIB) validation process. If the
selected action is Stop Policy Routing, FortiGate moves on to check its route cache if applicable.

If the packet doesn’t match any of the regular policy routes, FortiGate moves on to check the ISDB routes
first, and then the SD-WAN rules.

Next, FortiGate checks the FIB, which is the table that is used to perform standard routing. The FIB can be
described as the routing table from the kernel point of view and is built mostly from routes in the routing table,
but also from system-specific entries that FortiOS requires. If the packet doesn’t match any of the routes in the
FIB, FortiGate drops the packet and sends an ICMP destination network unreachable message to the sender.

This slide also shows the FortiOS CLI commands you can use to display the policy routes, route cache entries
(if applicable), routing table entries, and FIB entries.

Network Security Support Engineer 7.4 Study Guide 362


Routing

DO NOT REPRINT
© FORTINET
Route Selection Process
1. Most specific route
2. Lowest distance
3. Lowest metric (dynamic routes)
4. Lowest priority (static routes)
5. ECMP (static, BGP, and OSPF routes)

© Fortinet Inc. All Rights Reserved. 6

This slide shows the process for selecting which route to use, if there is more than one route to a destination.

First, FortiGate uses the most specific route, which is the one with the longest netmask (smallest subnet). If
there are two or more routes with the same longest netmask, the device selects the one with the shortest
distance. After that, FortiGate uses the lowest metric as the tiebreaker for dynamic routes. In the case of static
routes, FortiGate uses the lowest priority instead. If there are multiple routes with the same netmask, distance,
metric, and priority, FortiGate shares the traffic among all of them. This is called equal-cost multi-path
(ECMP). ECMP is supported for static, BGP, and OSPF routes.

Network Security Support Engineer 7.4 Study Guide 363


Routing

DO NOT REPRINT
© FORTINET
Static Routes
• FortiGate places a configured static route in the routing table if the route meets the
following requirements:
• The outgoing interface is up
• There is no duplicate route with a lower distance
• The link health monitor (if configured) is up

© Fortinet Inc. All Rights Reserved. 7

FortiGate adds a static route to the routing table only if the route meets all of the following requirements:
• The outgoing interface is up.
• There is no duplicate route with a shorter distance.
• The link health monitor (if configured) is up.

Network Security Support Engineer 7.4 Study Guide 364


Routing

DO NOT REPRINT
© FORTINET
RPF
• Protects against IP spoofing attacks and routing loops
• Checks the source IP address
• Is carried out on the first packet when the session is created
• If the check fails, the debug flow shows:
• reverse path check fail, drop
• Feasible or strict:
• # config system settings
• # set strict-src-check disable/enable

© Fortinet Inc. All Rights Reserved. 8

Now, you will learn about an important routing concept: the RPF check.

The RPF check protects against IP spoofing attacks and routing loops by checking the route to the source IP
address. This check is performed on only the first packet, when the session is being created. If the check fails,
the packet is dropped and the debug flow shows this error: reverse path check fail, drop.

There are two types of RPF, feasible and strict. You can configure the desired behavior using the commands
shown on this slide.

Network Security Support Engineer 7.4 Study Guide 365


Routing

DO NOT REPRINT
© FORTINET
RPF—Feasible Path Example
• FortiGate checks for route matching source address and incoming interface
• RPF check results:
• User A: Pass. Default route through wan1
• User B: Fail. No route to 95.56.234.24 through wan2
• User C: Fail. No route to 10.0.4.63 through port1
User A
71.234.149.16
101.0.1.0/24
wan1
10.0.3.0/24
port1 201.0.2.0/24
wan2 User B
10.0.4.0/24 95.56.234.24

FGT # get router info routing-table all


...
S* 0.0.0.0/0 [10/0] via 101.0.1.254, wan1, [1/0]
C 101.0.1.0/24 is directly connected, wan1
C 201.0.2.0/24 is directly connected, wan2
User C C 10.0.3.0/24 is directly connected, port1
10.0.4.63

© Fortinet Inc. All Rights Reserved. 9

The example on this slide shows FortiGate using the feasible path RPF check mode. When FortiGate
performs the RPF check, it checks the routing table for a route that matches the source address and incoming
interface of the first original packet.

Based on the topology and routing table shown on this slide, the RPF check results for traffic sourced from
each user are as follows:

• User A: Pass. There is a default route through wan1. This means that all packets received at wan1 pass
the RPF check, regardless of the source address.
• User B: Fail. FortiGate doesn’t have a route to 95.56.234.24 through wan2 in its routing table.
• User C: Fail. FortiGate doesn’t have a route to 10.0.4.63 through port1 in its routing table.

Network Security Support Engineer 7.4 Study Guide 366


Routing

DO NOT REPRINT
© FORTINET
RPF—Feasible Path Example (Contd)
• Solution:
• For user B, add a second static default route, with the same distance, through wan2
• Use different priority values if you don’t want ECMP
• For user C, add a static route to 10.0.4.0/24 through port1
User A
71.234.149.16
101.0.1.0/24
wan1

10.0.3.0/24
port1 201.0.2.0/24
wan2 User B
10.0.4.0/24 95.56.234.24

FGT # get router info routing-table all


...
S* 0.0.0.0/0 [10/0] via 101.0.1.254, wan1, [1/0]
[10/0] via 201.0.2.254, wan2, [5/0]
S 10.0.4.0/24 [10/0] via 10.0.3.254, port1 [1/0]
User C C 101.0.1.0/24 is directly connected, wan1
10.0.4.63 C 201.0.2.0/24 is directly connected, wan2
C 10.0.3.0/24 is directly connected, port1

© Fortinet Inc. All Rights Reserved. 10

If you consider the packets from user B and user C to be legitimate packets, you can solve the RPF check fail
issue by making sure the routing table contains routes for the return path.

In the example shown on this slide, the administrator adds two new static routes. The static route through
wan2 is a duplicate default route of wan1, but has a lower priority. The two default routes are not ECMP
routes because of the priority difference, but FortiGate keeps both routes in the routing table. The result is that
packets from user B now pass the RPF check.

The static route through port1 references the 10.0.4.0/24 subnet. The subnet includes the user C
address (10.0.4.63), and as a result, packets from user C also pass the RPF check.

Network Security Support Engineer 7.4 Study Guide 367


Routing

DO NOT REPRINT
© FORTINET
RPF—Strict Example
• FortiGate also checks if the return path is the best route
• RPF check results:
• User A: Pass. Best route to 71.234.149.16 through wan1 (default route)
• User B: Fail. Best route to 95.56.234.24 through wan1
• User C: Pass. Best route to 10.0.4.63 through port1
User A
71.234.149.16
101.0.1.0/24
wan1
10.0.3.0/24
port1 201.0.2.0/24
wan2 User B
10.0.4.0/24 95.56.234.24
FGT # get router info routing-table all
...
S* 0.0.0.0/0 [10/0] via 101.0.1.254, wan1, [1/0]
[10/0] via 201.0.2.254, wan2, [5/0]
S 10.0.4.0/24 [10/0] via 10.0.3.254, port1 [1/0]
C 101.0.1.0/24 is directly connected, wan1
User C C 201.0.2.0/24 is directly connected, wan2
10.0.4.63 C 10.0.3.0/24 is directly connected, port1
S 95.56.234.0/24 [10/0] via 101.0.1.254, wan1[1,0]
© Fortinet Inc. All Rights Reserved. 11

The example on this slide shows FortiGate using the strict RPF check mode. In strict mode, FortiGate also
checks if the matching route is the best route to the source.

Based on the topology and routing table shown on this slide, the RPF check results for traffic sourced from
each user are as follows:

• User A: Pass. There is a default route through wan1. The route is also the best (and only) route to
71.234.149.16.
• User B: Fail. There is a default route through wan2. However, there is a better (more specific) static route
to 95.56.234.24 through wan1.
• User C: Pass. FortiGate has a route to 10.0.4.63 through port1 in its routing table. Although the default
routes through wan1 and wan2 are also valid routes for 10.0.4.63, the best route to user C is the route
through port1.

Like the feasible path example, you can solve the RPF fail issue for user B by making the respective changes
in the routing table so the best route to user B is through wan2.

Network Security Support Engineer 7.4 Study Guide 368


Routing

DO NOT REPRINT
© FORTINET
Return Packet Routing
• FortiGate remembers the interface to the source for the return packets
• Return packets are routed through that interface, even if there is a better route through a
different interface
• This ensures the same route path is used for both directions (symmetric routing)

© Fortinet Inc. All Rights Reserved. 12

Content inspection requires that routing be kept as symmetric as possible; that is, traffic must follow the same
path both ways. There are multiple scenarios where asymmetric routing prevents FortiGate from inspecting
traffic content. So, FortiGate routes traffic symmetrically. This means that, in some network topologies,
FortiGate might not route the return traffic through the best path, but through the same path that the
originating traffic used. For that purpose, FortiGate remembers the interface to the source and uses that
interface to route the return packets, even when a better route using a different interface exists.

Network Security Support Engineer 7.4 Study Guide 369


Routing

DO NOT REPRINT
© FORTINET
Return Packet Routing Example
• The first routing lookup happens with the first ICMP packet

FortiGate routing table


Subnet Interface Type
port2 0.0.0.0/0 port2 Static
10.2.0.2/24
10.1.0.0/24 port1 Connected
10.2.0.0/24 port2 Connected
port1
10.1.0.254/24 10.3.0.0/24 port3 Connected
10.4.0.0/24 port3 Static

ICMP echo
request port2
10.1.0.1/24 10.2.0.1/24
with default gateway
10.1.0.254
port1 port3 port1
10.1.0.2/24 10.3.0.2/24 10.3.0.1/24
10.4.0.1/24

© Fortinet Inc. All Rights Reserved. 13

Now, you will analyze the network topology shown on this slide. The local network 10.1.0.0/24 has three
network devices: a local workstation, a local router, and FortiGate port1. Also, FortiGate port2 is directly
connected to the local router (using the subnet 10.2.0.0/24).

There is a remote router connected to FortiGate port3 and, behind that, a remote server (10.4.0.1). So, any
traffic destined to the remote server must be routed through FortiGate. One important detail to note in this
network is that the local workstation default gateway is 10.1.0.254. This means that if you send an ICMP
echo request from the local workstation to the remote server, the packet goes to the local router first, then to
FortiGate, then to the remote router, and finally to the destination.

Network Security Support Engineer 7.4 Study Guide 370


Routing

DO NOT REPRINT
© FORTINET
Return Packet Routing Example (Contd)
• Routing information is added to the FortiGate session
session info: proto=1 proto_state=00 duration=2 expire=57 timeout=0 refresh_dir=both flags=00000000
socktype=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper= Source interface
per_ip_shaper=
and destination
interface
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 Gateway to
state=may_dirty f00 destination
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 29/0 rx speed(Bps/kbps): 29/0
orgin->sink: org pre->post, reply pre->post dev=6->9/9->6 gwy=10.3.0.1/0.0.0.0
hook=pre dir=org act=noop 10.1.0.1:1->10.4.0.1:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.4.0.1:1->10.1.0.1:0(0.0.0.0:0) Gateway to source has not
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 been identified yet, so it is
serial=00004e30 tos=ff/ff app_list=0 app=0 url_cat=0
displayed as 0.0.0.0
rpdb_link_id= 00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x040000 # diagnose netlink interface list
no_ofld_reason: npu-flag-off ...
if=port2 family=00 type=768 index=6 mtu=1420 link=0 master=0
if=port3 family=00 type=768 index=9 mtu=1420 link=0 master=0
...
© Fortinet Inc. All Rights Reserved. 14

FortiGate creates an entry in the session table. This entry contains information about the source interface. To
view this information, use the diagnose sys session list command.

FortiGate does a first routing lookup to find the next hop to the destination. That IP address is also stored in
the session information.

Because there is no ICMP echo reply yet, the next hop to the source is still unknown (it is 0.0.0.0). It is
identified in the second routing lookup that occurs with the first reply packet.

Network Security Support Engineer 7.4 Study Guide 371


Routing

DO NOT REPRINT
© FORTINET
Return Packet Routing Example (Contd)
• The return packet is routed through port2, even though port1 is the better route

FortiGate routing table


Subnet Interface Type
port2 0.0.0.0/0 port2 Static
10.2.0.2/24
10.1.0.0/24 port1 Connected
10.2.0.0/24 port2 Connected
port1
10.1.0.254/24 10.3.0.0/24 port3 Connected
10.4.0.0/24 port3 Static

ICMP echo
reply port2
10.1.0.1/24 10.2.0.1/24
with default gateway
10.1.0.254
port1 port3 port1
10.1.0.2/24 10.3.0.2/24 10.3.0.1/24
10.4.0.1/24

© Fortinet Inc. All Rights Reserved. 15

Now, take a look at how FortiGate routes the return packet.

So, in this case, the device routes the packet through port2 toward the local router, even though there is a
better route to the destination through port1. Because there is already a session entry, when FortiGate
receives the ICMP echo reply, it uses the interface to the source. The FortiGate routing table shows port1 as
the best route to 10.1.0.1 (locally connected), but it still uses port2. The objective is to keep the traffic flow
symmetric.

Network Security Support Engineer 7.4 Study Guide 372


Routing

DO NOT REPRINT
© FORTINET
Return Packet Routing Example (Contd)
• A second routing lookup is done to find the gateway to the source

session info: proto=1 proto_state=00 duration=41 expire=21 timeout=0 refresh_dir=both flags=00000000


socktype=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper= The gateway to the
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
source is now added
state=may_dirty f00
statistic(bytes/packets/allow_err): org=240/4/1 reply=240/4/1 tuples=2 to the FortiGate
tx speed(Bps/kbps): 11/0 rx speed(Bps/kbps): 11/0 session
orgin->sink: org pre->post, reply pre->post dev=6->9/9->6 gwy=10.3.0.1/10.2.0.2
hook=pre dir=org act=noop 10.1.0.1:1->10.4.0.1:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.4.0.1:1->10.1.0.1:0(0.0.0.0:0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00005f6a tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id= 00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x040000
# diagnose netlink interface list
no_ofld_reason: npu-flag-off
...
if=port2 family=00 type=768 index=6 mtu=1420 link=0 master=0
if=port3 family=00 type=768 index=9 mtu=1420 link=0 master=0
...

© Fortinet Inc. All Rights Reserved. 16

FortiOS performs a second routing lookup, this time to find the next hop (or gateway) to the source. That IP
address is added to the session, which was previously set to 0.0.0.0.

Network Security Support Engineer 7.4 Study Guide 373


Routing

DO NOT REPRINT
© FORTINET
Return Packet Routing Example (Contd)
• If the session originated from the other side, the packet is routed through port1

FortiGate routing table


Subnet Interface Type
port2 0.0.0.0/0 port2 Static
10.2.0.2/24
10.1.0.0/24 port1 Connected
10.2.0.0/24 port2 Connected
port1
10.1.0.254/24 10.3.0.0/24 port3 Connected
10.4.0.0/24 port3 Static
ICMP echo
request port2
10.1.0.1/24 10.2.0.1/24
with default gateway
10.1.0.254
port1 port3 port1
10.1.0.2/24 10.3.0.2/24 10.3.0.1/24
10.4.0.1/24

© Fortinet Inc. All Rights Reserved. 17

What happens if the traffic originates from the server side instead?

Say that the ping is sent from the remote server to the local workstation. In this case, when the ICMP echo
request arrives at FortiGate, there is no session yet. So, FortiGate uses the best route to 10.1.0.1, which is
through port1.

The example shown on this slide shows how FortiGate might, in some network topologies, route packets to
the same destination differently, depending on who initiated the session.

Network Security Support Engineer 7.4 Study Guide 374


Routing

DO NOT REPRINT
© FORTINET
Return Packet Routing Example (Contd)
• The return packet arrives through a different interface (port2), but FortiGate accepts it
# diagnose sniffer packet any "host 10.4.0.1 and icmp" 4
430.637135 port3 in 10.4.0.1 -> 10.1.0.1: icmp: echo request
430.637180 port1 out 10.4.0.1 -> 10.1.0.1: icmp: echo request
430.637309 port2 in 10.1.0.1 -> 10.4.0.1: icmp: echo reply
430.637319 port3 out 10.1.0.1 -> 10.4.0.1: icmp: echo reply

FortiGate routing table


port2
Subnet Interface Type
10.2.0.2/24
0.0.0.0/0 port2 Static
ICMP echo
port1 reply 10.1.0.0/24 port1 Connected
10.1.0.254/24 10.2.0.0/24 port2 Connected
10.3.0.0/24 port3 Connected
ICMP echo 10.4.0.0/24 port3 Static
request port2
10.1.0.1/24 10.2.0.1/24
with default gateway
10.1.0.254
port1 port3 port1
10.1.0.2/24 10.3.0.2/24 10.3.0.1/24
10.4.0.1/24

© Fortinet Inc. All Rights Reserved. 18

Take a look at the reply traffic in the example shown on this slide. Use the sniffer tool to view the traffic flow.

Because the local workstation default gateway is 10.1.0.254, the ICMP echo reply goes to the local router
first. Then, the packet arrives at FortiGate port2. The result is asymmetric routing: the return traffic is following
a different path than the originating traffic. The return packet is arriving at port2 instead of port1 (where the
originating traffic was sent).

In these particular cases, FortiGate accepts this asymmetry, no packets are dropped, and security inspection
is not affected.

Network Security Support Engineer 7.4 Study Guide 375


Routing

DO NOT REPRINT
© FORTINET
Asymmetric Routing
• The server sends an echo request to the PC
• The PC responds with an echo reply
• The echo reply is dropped—no session is matched
• All subsequent echo replies are also blocked
FortiGate routing table
Subnet Interface Type
10.1.0.0/24 port1 Connected
port2 10.3.0.0/24 port3 Connected
10.2.0.2/24
10.4.0.0/24 port3 Static

port1 ICMP echo


10.1.0.254/24
request

ICMP echo
10.1.0.1/24 reply Packet is dropped
with default gateway port2
10.2.0.1/24
10.1.0.2 X
port1 port3 port1
10.1.0.2/24 10.3.0.2/24 10.3.0.1/24
10.4.0.1/24

© Fortinet Inc. All Rights Reserved. 19

This slide shows an example in which asymmetric routing is not allowed by FortiOS.
1. The server sends an echo request to the PC through port 2 of the local router, effectively bypassing
FortiGate.
2. When it receives the echo request, the PC responds with an echo reply through its default gateway,
10.1.0.2, which is port1 on FortiGate.
3. Because there is no existing session, the echo reply is dropped.
4. All subsequent echo replies are also blocked.

By default, if an echo request does not pass through FortiGate, but the response does, the packet is dropped.

Network Security Support Engineer 7.4 Study Guide 376


Routing

DO NOT REPRINT
© FORTINET
Asymmetric Routing (Contd)
• Allowing asymmetric routing:
config system settings
set asymroute enable
end

FortiGate routing table


Subnet Interface Type
10.1.0.0/24 port1 Connected
port2 10.3.0.0/24 port3 Connected
10.2.0.2/24
10.4.0.0/24 port3 Static

port1 ICMP echo


10.1.0.254/24
request

ICMP echo
10.1.0.1/24 reply
with default gateway port2
10.1.0.2 10.2.0.1/24
port1 port3 port1
10.1.0.2/24 10.3.0.2/24 10.3.0.1/24
10.4.0.1/24

© Fortinet Inc. All Rights Reserved. 20

There are scenarios in which it might make sense to allow this type of asymmetric routing. Example cases
include when you are troubleshooting, or when you cannot resolve asymmetric routing issues by ensuring that
both ingress and egress traffic pass through FortiGate.

Enabling asymmetric routing causes FortiOS to be unable to inspect all traffic. Malicious traffic could pass
through FortiGate undetected and compromise the network.

Using the commands on this slide, the default routing behavior explained on the previous slide is changed to
the following:
1. The server’s ICMP request bypasses FortiGate reaching the PC.
2. The PC’s echo reply passes through FortiGate. No session is matched. However, the packet is not
dropped. Instead, the packet is passed to the CPU of FortiGate and is then forwarded using the FIB.
3. All subsequent echo replies are handled the same way as in step 2.
4. FortiGate essentially acts as a router. No security inspection is performed.

If you use asymmetric routing for troubleshooting purposes, remember to disable it after you resolve the issue.

Network Security Support Engineer 7.4 Study Guide 377


Routing

DO NOT REPRINT
© FORTINET
Routing Changes Without SNAT
• After a routing change, routing information is flushed from the affected sessions where
source NAT (SNAT) is not applied
• Routing lookups are done again for the next packets
• The session is flagged as dirty
• Example of a session just after a routing change

session info: proto=1 proto_state=00 duration=411 expire=56 timeout=0 refresh_dir=both


flags=00000000 socktype=00000000 sockport=0 av_idx=0 use=3
origin-shaper= Interface and
reply-shaper= Dirty flag gateway
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 information
state=dirty may_dirty removed
statistic(bytes/packets/allow_err): org=17160/286/1 reply=16080/268/1 tuples=2
tx speed(Bps/kbps): 98/0 rx speed(Bps/kbps): 98/0
orgin->sink: org pre->post, reply pre->post dev=9->0/0->9 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.4.0.1:1->10.1.0.1:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.1.0.1:1->10.4.0.1:0(0.0.0.0:0)
...

© Fortinet Inc. All Rights Reserved. 21

When FortiGate is not applying source network address translation (SNAT), when the routing table changes,
FortiGate removes the routing information from the sessions that are affected by the change. FortiGate
performs two more routing lookups for the next packets to learn the new routing information and store it in the
routing table.

This slide shows an example of a session just after a routing change. The gateways in both directions change
to 0.0.0.0/0 and the interfaces to 0, indicating that FortiGate must learn this information again. Additionally,
the dirty flag is added.

Network Security Support Engineer 7.4 Study Guide 378


Routing

DO NOT REPRINT
© FORTINET
Routing Changes Without SNAT (Contd)
• You can modify the default behavior on the CLI
Default setting
config system interface
edit <interface>
set preserve-session-route { enable | disable }
next
end
• disable: FortiGate flushes all routing information from the session table after a route change, and
performs a new routing lookup for new packets
• enable: FortiGate marks existing session routing information as persistent, and applies only the
modified routes to new sessions

• The current route must still be present in the FIB


• Otherwise, FortiGate flags the session as dirty and reevaluates it

© Fortinet Inc. All Rights Reserved. 22

You can configure session route persistence at the interface level using the commands shown on this slide.
The default value is disable. If you enable this setting, sessions passing through that interface continue to
pass without being affected by the routing changes. The routing changes apply only to new sessions.

If the route is removed from the FIB, then FortiGate must flag the session as dirty, flush its gateway
information, and reevaluate the session.

Network Security Support Engineer 7.4 Study Guide 379


Routing

DO NOT REPRINT
© FORTINET
Routing Changes Without SNAT (Contd)
• Session is flagged as route_preserve
config system interface
edit "T_INET_0"
set preserve-session-route enable
next
end

# diagnose sys session list


session info: proto=1 proto_state=00 duration=4 expire=55 timeout=0 refresh_dir=both flags=00000000 socktype=0
sockport=0 av_idx=0 use=3
state=log may_dirty npu f00 route_preserve
orgin->sink: org pre->post, reply pre->post dev=7->19/19->7 gwy=100.64.1.1/10.0.1.101

# diagnose netlink interface list | grep index=19


if=T_INET_0 family=00 type=768 index=19 mtu=1420 link=0 master=0

© Fortinet Inc. All Rights Reserved. 23

This slide shows the details of an ICMP session established through an interface (T_INET_0) that has the
setting preserve-session-route enabled. Note that only relevant lines of the session are displayed.

Also, note the presence of the route_preserve flag in the session. You can find out the interface name by
using the diagnose netlink interface list command.

Network Security Support Engineer 7.4 Study Guide 380


Routing

DO NOT REPRINT
© FORTINET
ECMP Acceleration With Auxiliary Session
• When you enable this setting, FortiGate accelerates ECMP traffic to the NP6 processor
config system settings
set auxiliary-session [disable | enable]
end
• Two sessions are created in case of a route change: the main session and auxiliary
session
• FortiGate can offload the main session and auxiliary session to the NP6 processor, if the
policy allows offloading

© Fortinet Inc. All Rights Reserved. 24

When you enable auxiliary-session, the FortiGate kernel creates a new auxiliary session and attaches it
to the main session. For each traffic path (incoming and outgoing), FortiGate continues to create a new
auxiliary session.

By default, the system CPU handles dirty sessions that are triggered by reply interface changes. Therefore,
hardware offloading is not used. For this reason, a large amount of traffic that these dirty sessions handle may
result in high CPU usage and poor performance.

Enabling auxiliary-session under config system settings solves this, by offloading asymmetric
sessions to hardware by creating an auxiliary session (also known as a reflect session). Symmetric traffic
matches the main session, and asymmetric traffic matches the auxiliary session. Both sessions can be
offloaded to hardware. For FortiGate VMs, although hardware offload does not apply, performance is
improved because FortiGate does not have to reevaluate the asymmetric traffic.

Because a new session is created for each route change, the session table could potentially grow significantly
in size.

Network Security Support Engineer 7.4 Study Guide 381


Routing

DO NOT REPRINT
© FORTINET
ECMP Acceleration With Auxiliary Session (Contd)
port1 port3

port2 port4
Router Router
Client Server
Packet 1 from port1 to port3
Main Session
Packet 2 from port4 to port1
Auxiliary Session 1
Packet 3 from port1 to port4
Auxiliary Session 1
Packet 4 from port2 to port3
Auxiliary Session 2
Packet 5 from port3 to port2
Auxiliary Session 2
Packet 6 from port4 to port2
Auxiliary Session 3
Packet 7 from port2 to port4
Auxiliary Session 3
Packet 8 from port3 to port1
Main Session

© Fortinet Inc. All Rights Reserved. 25

In the example shown on this slide, ECMP is configured for both the client and the server. FortiGate uses
ECMP through port1 and port2 to the client, and ECMP through port3 and port4 to the server.

Based on this example, you can see how sessions are handled on FortiGate:
1. Initially, traffic flows from port1 to port3. FortiGate creates a new session: the main session.
2. The reply from the server is received on port4 and forwarded out port1. FortiGate creates auxiliary
session 1 and attaches it to the main session.
3. The next packet from the client is received on port1 and forwarded out port4. FortiGate matches auxiliary
session 1.
4. Additional traffic from the client is received on port2 and leaves through port3. FortiGate creates auxiliary
session 2 and attaches it to the main session.
5. The server reply is received on port3 and leaves through port2. FortiGate matches auxiliary session 2.
6. The second reply is received on port4 and forwarded out port2. FortiGate creates auxiliary session 3 and
attaches it to the main session.
7. The last packet from the client flows from port2 to port4. FortiGate matches auxiliary session 3.
8. Finally, the server reply is received on port3 and leaves through port1. FortiGate matches the main
session.

FortiGate can offload all these sessions, if the policy allows offloading.

Network Security Support Engineer 7.4 Study Guide 382


Routing

DO NOT REPRINT
© FORTINET
Routing Table
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Priority/Weight
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.200.1.254, port1, [10/2]
C 10.0.1.0/24 is directly connected, port3
B 10.0.3.0/24 [200/10] via 10.0.1.200 (recursive is directly connected, port3), 23:21:46, [1,0]
O 10.0.4.0/24 [110/2] via 10.0.1.200, port3, 17:29:25, [1,0]
R 10.0.5.0/24 [120/2] via 10.0.1.200, port3, 00:05:29, [1,0] Priority/Weight
C 10.200.1.0/24 is directly connected, port1
C 10.200.2.0/24 is directly connected, port2 Distance/Metric
C 172.16.100.0/24 is directly connected, port8

Source

© Fortinet Inc. All Rights Reserved. 26

The CLI command shown on this slide displays all entries in the routing table. The routing table displays the
routes that make it to the FIB—that is, the best active routes to a destination.

The column on the left indicates the route source. Route attributes are shown inside square brackets. The first
number, in the first pair of attributes, is distance, which applies to both dynamic and static routes. The second
number is metric, which applies to dynamic routes only.

Static routes and dynamic routes also have priority and weight attributes, which are shown as the last pair of
attributes for the respective route. In the case of dynamic routes, the weight is always 0.

This command doesn't show standby or inactive routes, which are present in the routing table database only.
For example, when two static routes to the same destination subnet have different distances, the one with the
lower distance is installed in the routing table, and the one with the higher distance is installed in the routing
table database.

Network Security Support Engineer 7.4 Study Guide 383


Routing

DO NOT REPRINT
© FORTINET
Routing Table Database
# get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
> - selected route, * - FIB route, p - stale info Active route

Routing table for VRF=0 Inactive route


S *> 0.0.0.0/0 [10/0] via 10.200.1.254, port1, [1/10]
S 0.0.0.0/0 [20/0] via 10.200.2.254, port2, [5/0]
Standby route
S 8.8.8.8/32 [10/0] via 172.16.100.254, port8 inactive, [1/0]
O 10.0.1.0/24 [110/1] is directly connected, port3, 00:05:47, [1/0]
C *> 10.0.1.0/24 is directly connected, port3
O 10.0.2.0/24 [110/1] is directly connected, port4, 00:05:47, [1/0]
C *> 10.0.2.0/24 is directly connected, port4
B *> 10.0.3.0/24 [200/10] via 10.0.1.200 (recursive is directly connected, port3), 00:05:40, [1/0]
O *> 10.0.4.0/24 [110/2] via 10.0.1.200, port3, 00:05:27, [1/0]
B 10.0.4.0/24 [200/10] via 10.0.1.200 (recursive is directly connected, port3), 00:05:40, [1/0]
C *> 10.200.1.0/24 is directly connected, port1
C *> 10.200.2.0/24 is directly connected, port2

© Fortinet Inc. All Rights Reserved. 27

If you want to view active, standby, and inactive routes, use the CLI command shown on this slide to display
the routing table database entries.

In the example shown on this slide, the command shows two standby routes: one static and the other BGP.
Both standby routes are standby because there are better routes—lower distance—to the same destination.
The better routes show an asterisk beside the route source to indicate they are FIB entries, and therefore, are
used for routing traffic.

The output also shows one inactive route. Routes are marked as inactive when the corresponding interface is
administratively down, its link is down, or when the link health monitor detected it as down and the update
static route action is enabled.

Network Security Support Engineer 7.4 Study Guide 384


Routing

DO NOT REPRINT
© FORTINET
FIB
# get router info kernel Priority

tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.171.128/25


pref=192.168.171.227 gwy=0.0.0.0 dev=2(port1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.109.0/24
pref=192.168.109.130 gwy=0.0.0.0 dev=3(port2)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0
pref=0.0.0.0 gwy=192.168.171.254 dev=2(port1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32
pref=127.0.0.1 gwy=0.0.0.0 dev=7(root)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.109.255/32
pref=192.168.109.130 gwy=0.0.0.0 dev=3(port2)

© Fortinet Inc. All Rights Reserved. 28

This low-level command shows the FIB, which is the routing information that the kernel uses to route traffic.
All active routes in the routing table must be present in the FIB. Additionally, the FIB may contain routes that
are not in the routing table, but that FortiGate automatically added, such as routes that are dynamically added
to reach SSL VPN users.

Network Security Support Engineer 7.4 Study Guide 385


Routing

DO NOT REPRINT
© FORTINET
Policy Route Table
# diagnose firewall proute list
list route policy info(vf=root):

id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=7 dport=0-65535
path(1) oif=21(T_MPLS_0)
source(1): 10.0.1.0-10.0.1.255
destination(1): 10.0.0.0-10.255.255.255 This is a regular policy route (ID ≤ 65535)
hit_count=18 last_used=2022-02-23 05:47:21

id=2113929223 static_route=7 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0


iif=0 dport=1-65535 path(1) oif=3(port1) gwy=192.2.0.2
source wildcard(1): 0.0.0.0/0.0.0.0
This is an ISDB route (ID > 65535 and no
destination wildcard(1): 0.0.0.0/0.0.0.0
vwl_service field)
internet service(1): Fortinet-FortiGuard(1245324,0,0,0)
hit_count=0 last_used=2022-02-23 06:39:07

id=2130903041(0x7f030001) vwl_service=1(Critical-DIA) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0


tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=3(port1) oif=4(port2)
source(1): 10.0.1.0-10.0.1.255
This is an SD-WAN rule (ID > 65535 and
destination wildcard(1): 0.0.0.0/0.0.0.0
the vwl_service field is present)
internet service(3): GoToMeeting(4294836966,0,0,0, 16354)
Microsoft.Office.365.Portal(4294837474,0,0,0, 41468) Salesforce(4294837976,0,0,0, 16920)
hit_count=0 last_used=2022-02-23 05:46:43

© Fortinet Inc. All Rights Reserved. 29

FortiOS maintains a policy route table that you can view by entering the diagnose firewall proute
list command.

There are three types of policy routes displayed in the policy route table: regular policy routes, ISDB routes,
and SD-WAN rules. Follow these rules to identify each type of policy route in the table:

• Regular policy routes are assigned an ID no higher than 65535. In the output shown on this slide, the first
entry is assigned ID 1, which makes it a regular policy route.

• ISDB routes and SD-WAN rules are assigned an ID higher than 65535. However, SD-WAN rule entries
include the vwl_service field, and ISDB route entries do not. The vwl_service field indicates the ID
and the name of the rule from the SD-WAN configuration perspective. In the output shown on this slide, the
second entry is an ISDB route and the third entry is an SD-WAN rule.

Note that although IDs for regular policy routes are in the 1 to 65535 range, the maximum number of regular
policy routes that you can configure are much lower and varies among FortiGate models. For example, you
can configure up to 512 regular policy routes on a FortiGate 300D. For more information about the maximum
supported values per FortiGate model, refer to the FortiOS Maximum Values Table on docs.fortinet.com.
Alternatively, you can enter the print tablesize command on the FortiGate CLI to get the maximum
values for your FortiGate.

Network Security Support Engineer 7.4 Study Guide 386


Routing

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario
• User is unable to ping 8.8.8.8
• User can ping other public IP addresses
• What is your approach?

User FortiGate A Internet


10.0.10.167/24

© Fortinet Inc. All Rights Reserved. 30

What is your approach for the troubleshooting scenario shown on this slide?

The user is trying to ping 8.8.8.8 but is unable to do so. The user can ping various other public IP
addresses.

What is your approach to start solving this issue?

Network Security Support Engineer 7.4 Study Guide 387


Routing

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario (Contd)
• Ensure that packets arrive at FortiGate A

User FortiGate A Internet


10.0.10.167/24

FortiGate A # diagnose sniffer packet any "host 8.8.8.8 and icmp" 4


Using Original Sniffing Mode
interfaces=[any]
filters=[host 8.8.8.8 and icmp]
2.317589 port2 in 10.0.10.167 -> 8.8.8.8: icmp: echo request
7.069505 port2 in 10.0.10.167 -> 8.8.8.8: icmp: echo request
12.085291 port2 in 10.0.10.167 -> 8.8.8.8: icmp: echo request
17.086651 port2 in 10.0.10.167 -> 8.8.8.8: icmp: echo request

© Fortinet Inc. All Rights Reserved. 31

Your first step should be to confirm that ICMP packets that the user sent arrive at FortiGate A and that there is
bidirectional communication. The best tool to use for this is the packet sniffer. You can see that FortiGate is
not receiving any echo replies.

Network Security Support Engineer 7.4 Study Guide 388


Routing

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario (Contd)
• Use the debug flow

User FortiGate A Internet


10.0.10.167/24
FortiGate A # diagnose debug flow filter addr 8.8.8.8
FortiGate A # diagnose debug flow filter proto 1
FortiGate A # diagnose debug flow show function-name enable
show function name
FortiGate A # diagnose debug flow trace start 10
FortiGate A # diagnose debug enable

FortiGate A # id=65308 trace_id=29 func=print_pkt_detail line=5888 msg="vd-root:0 received a


packet(proto=1, 10.0.10.167:1->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=51."
id=65308 trace_id=29 func=init_ip_session_common line=6073 msg="allocate a new session-000005b7"
id=65308 trace_id=29 func=rpdb_srv_match_input line=1122 msg="Match policy routing id=1: to 10.40.0.15 via
ifindex-15"
id=65308 trace_id=29 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-10.0.40.15
via port3"
id=65308 trace_id=29 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=47, len=1"
id=65308 trace_id=29 func=fw_forward_handler line=838 msg="Denied by forward policy check (policy 0)"

© Fortinet Inc. All Rights Reserved. 32

Now, you must find out why FortiGate is not responding. The best tool to use for this is the debug flow.
The FortiGate is dropping the traffic with the error message: "Denied by forward policy check
(policy 0)”

However, the actual reason why FortiGate is not responding, is because FortiGate is performing policy
routing, which you can determine based on the the message: "Match policy routing id=1: to
10.40.0.15 via ifindex-15”.

Network Security Support Engineer 7.4 Study Guide 389


Routing

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario (Contd)
• Check the policy route configuration

User FortiGate A Internet


10.0.10.167/24
FortiGate A # diagnose firewall proute list
list route policy info(vf=root):

id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0)


iif=4(port2)
path(1): oif=15(port3) gwy=10.40.0.15 path_last_used=2024-02-13 04:45:17
source wildcard(1): 10.0.10.0/255.255.255.0
destination wildcard(1): 8.8.8.8/255.255.255.255
hit_count=24 rule_last_used=2024-02-13 04:45:17

FortiGate A # get router info routing-table all


Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 10.0.1.1, WAN, [1/0]
[5/0] via 10.0.40.15, port3, [50/0]
C 10.0.1.0/24 is directly connected, port1
C 10.0.10.0/24 is directly connected, port2
S 10.0.20.0/24 [10/0] via 10.0.10.23, port2, [1/0]
C 10.0.40.0/24 is directly connected, port3

© Fortinet Inc. All Rights Reserved. 33

Looking at the policy route configuration reveals a policy route that forces traffic over port3 instead of the
WAN port. Deleting the policy route solves this issue.

Network Security Support Engineer 7.4 Study Guide 390


Routing

DO NOT REPRINT
© FORTINET
Review
 Describe how FortiGate routes traffic
 Diagnose routing problems caused by the RPF check
 Identify sessions that will be routed through a different path after a
routing table change
 Use debug commands to troubleshoot routing problems

© Fortinet Inc. All Rights Reserved. 34

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about advanced routing concepts and useful
troubleshooting commands to debug routing issues.

Network Security Support Engineer 7.4 Study Guide 391


BGP

DO NOT REPRINT
© FORTINET

Network Security Support Engineer


BGP

FortiOS 7.4
Last Modified: 25 April 2024

In this lesson, you will learn about the border gateway protocol (BGP) and how to monitor it and troubleshoot
common issues.

Network Security Support Engineer 7.4 Study Guide 392


BGP

DO NOT REPRINT
© FORTINET
Objectives
• Review BGP and its components
• Understand BGP monitoring commands
• Explore BGP troubleshooting

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in BGP, you will be able to monitor and check the status of BGP
communication, as well as troubleshoot the most common BGP issues.

Network Security Support Engineer 7.4 Study Guide 393


BGP

DO NOT REPRINT
© FORTINET

BGP Review

© Fortinet Inc. All Rights Reserved. 3

In this section, you will review BGP and its components.

Network Security Support Engineer 7.4 Study Guide 394


BGP

DO NOT REPRINT
© FORTINET
Autonomous System
• Set of routers and networks under the same, consistent administration
• An autonomous system (AS) administrator can choose any internal routing architecture
• OSPF, RIP, and so on
• Each AS is identified by a unique number

© Fortinet Inc. All Rights Reserved. 4

An AS is a set of routers and networks under the same administration. Each AS is identified by a unique
number, and usually runs an interior gateway protocol (IGP), such as OSPF or RIP.

Network Security Support Engineer 7.4 Study Guide 395


BGP

DO NOT REPRINT
© FORTINET
BGP Components
• Speaker or peer
• Router that transmits and receives BGP messages, and acts on those messages
• Session
• Connection between two peers

© Fortinet Inc. All Rights Reserved. 5

A BGP speaker or peer is a router that sends and receives BGP routing information. The connection between
two BGP peers is called a BGP session.

Network Security Support Engineer 7.4 Study Guide 396


BGP

DO NOT REPRINT
© FORTINET
RIBs
• Routes are stored in routing information bases (RIBs)
• RIB-in
• Routing information learned from inbound update messages
• Contains unprocessed routing information advertised to the local BGP speaker by its peers
• Local RIB
• Routing information that the BGP speaker selects after applying its local policies to the RIB-in
• RIB-out
• Routing information that the local BGP speaker selects to advertise to its peers

© Fortinet Inc. All Rights Reserved. 6

A BGP router stores routing information in three logical tables:


• The RIB-in table contains all routing information received from other BGP routers before any filtering.
• The local RIB table contains that same information after the filtering.
• The RIB-out table contains the BGP routing information selected to advertise to other BGP routers.

Network Security Support Engineer 7.4 Study Guide 397


BGP

DO NOT REPRINT
© FORTINET
RIBs (Contd)

BGP Local RIB


BGP Out
RIB-out
BGP
RIB-in In filter
RX info filter TX

Redistribute

Connected and static


Routing table IS-IS
routes

RIP OSPF

© Fortinet Inc. All Rights Reserved. 7

This slide shows a flowchart that summarizes the BGP process. The BGP router stores the BGP routes it
receives from other routers in the RIB-in table. The BGP router applies a filter, and the resulting routes are
stored in the local RIB table. Then, the BGP router adds routes that were redistributed from the routing table
and applies another filter (outbound). The BGP router advertises the resulting routes.

Network Security Support Engineer 7.4 Study Guide 398


BGP

DO NOT REPRINT
© FORTINET
BGP Attributes
• BGP processes routes based on path information
• A path is a route to a destination
• Paths are described by a set of attributes, including an AS list
• The attributes help routers select the route to each destination

© Fortinet Inc. All Rights Reserved. 8

BGP routes traffic based on AS paths. Each AS path includes attributes, which BGP uses to select the best
route to each destination. One of the attributes is AS_Path, which contains the ASs through which the traffic
must pass to reach the destination.

Network Security Support Engineer 7.4 Study Guide 399


BGP

DO NOT REPRINT
© FORTINET
BGP Attributes (Contd)
• BGP path attribute categories
• Well-known mandatory
Supported attributes
• Attributes are mandatory
• Well-known discretionary ORIGIN Well-known mandatory
• Attributes may or may not be included AS_PATH Well-known mandatory
• Optional transitive NEXT_HOP Well-known mandatory
• Attributes may or may not be accepted and
can be passed outside of the local AS MULTI_EXIT_DISC Optional non-transitive
• Optional non-transitive LOCAL_PREF Well-known discretionary
• Attributes may or may not be accepted and ATOMIC_AGGREGATE Well-known discretionary
can’t be passed outside of the local AS
AGGREGATOR Optional transitive
COMMUNITY Optional transitive

© Fortinet Inc. All Rights Reserved. 9

There are four types of BGP attributes:


• Well-known mandatory
• Well-known discretionary
• Optional transitive, which can be passed from one AS to another
• Optional non-transitive, which can’t be passed from one AS to another

This slide shows a list of the BGP attributes, and their attribute types, that FortiGate supports.

Network Security Support Engineer 7.4 Study Guide 400


BGP

DO NOT REPRINT
© FORTINET
Route Selection Tie Breakers
1. Highest weight
2. Highest local preference
3. Route originated by the local router (next hop = 0.0.0.0)
4. Shortest AS path
5. Lowest origin type
6. Lowest multi-exit discriminator (MED)
7. Prefer external paths (EBGP) over internal paths (IBGP)
8. Path through closest IGP neighbor
9. Oldest route for EGBP paths
10.Lowest neighbor BGP router ID
11.Lowest neighbor IP address

© Fortinet Inc. All Rights Reserved. 10

FortiGate uses some of the BGP attributes during the route selection process. If all the attributes for multiple
routes to the same destination match, and if ECMP is enabled, FortiGate shares the traffic among up to 10
BGP routes. If you don’t enable ECMP, FortiGate uses the route that goes to the router with the lowest BGP
router ID.

Network Security Support Engineer 7.4 Study Guide 401


BGP

DO NOT REPRINT
© FORTINET

BGP Monitoring

© Fortinet Inc. All Rights Reserved. 11

In this section, you will learn about tools and tips for troubleshooting BGP.

Network Security Support Engineer 7.4 Study Guide 402


BGP

DO NOT REPRINT
© FORTINET
BGP States
• Idle: Initial state Idle
• Connect: Waiting for a successful three-way start
TCP connection connect retry timeout
error
• Active: Unable to establish the TCP session Connect
TCP failure
TCP
• OpenSent: Waiting for an OPEN message Active established
from the peer
error
OpenSent
• OpenConfirm: Waiting for the keepalive TCP established
receive
message from the peer open reply
• Established: Peers have successfully error
OpenConfirm
exchanged OPEN and keepalive messages
receive
keepalive

error
Established

© Fortinet Inc. All Rights Reserved. 12

This slide shows a flow chart of the BGP neighbor states and how they change:
• Idle: Initial state
• Connect: Waiting for a successful three-way TCP connection
• Active: Unable to establish the TCP session
• OpenSent: Waiting for an OPEN message from the peer
• OpenConfirm: Waiting for the keepalive message from the peer
• Established: Peers have successfully exchanged OPEN and keepalive messages

Network Security Support Engineer 7.4 Study Guide 403


BGP

DO NOT REPRINT
© FORTINET
BGP Summary
# get router info bgp summary

VRF 0 BGP router identifier 172.16.1.254, local AS number 65100


BGP table version is 1
2 BGP AS-PATH entries Remote AS
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd


100.64.1.254 4 100 18 20 1 0 0 00:02:55 1
100.64.2.254 4 100 18 18 1 0 0 00:02:56 2

Total number of neighbors 2

Packet count How long the Neighbor state


(received and connection and prefixes
sent) has been up received

© Fortinet Inc. All Rights Reserved. 13

This slide shows the debug command you usually use first, to get an overview of the BGP status and the
status of all its neighbors. This slide shows the local router ID and AS. For each neighbor, the output also
displays the following:
• The AS
• Packet counters
• How long the neighbor has been up

The State/PfxRcd column lists the neighbor state and number of prefixes, once established. If the state is
not established, this column displays the BGP state. If the state is established, this column displays the
number of prefixes that the local FortiGate received from that neighbor.

Network Security Support Engineer 7.4 Study Guide 404


BGP

DO NOT REPRINT
© FORTINET
BGP Neighbors
# get router info bgp neighbors
VRF 0 neighbor table:
BGP neighbor is 100.64.1.254, remote AS 100, local AS 65100, external link
BGP version 4, remote router ID 100.64.1.254
BGP state = Established, up for 00:49:26
Last read 00:00:26, hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received (old and new)
Graceful restart helper
Address family IPv4 Unicast: advertised and received
Address family VPNv4 Unicast: advertised
Address family IPv6 Unicast: advertised
Address family VPNv6 Unicast: advertised
Address family L2VPN EVPN: advertised
Received 12 messages, 0 notifications, 0 in queue
Sent 12 messages, 7 notifications, 0 in queue
...

© Fortinet Inc. All Rights Reserved. 14

You can use the command shown on this slide to get detailed information about each BGP neighbor. The
information includes the peer IP address, the peer router ID, the remote AS, the BGP state, various timers,
and message counters.

Network Security Support Engineer 7.4 Study Guide 405


BGP

DO NOT REPRINT
© FORTINET
BGP Neighbors (Contd)
...
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1
Index 1, Offset 0, Mask 0x2
Community attribute sent to this neighbor (both)
1 accepted prefixes, 1 prefixes in rib
1 announced prefixes

...

Connections established 1; dropped 0


Graceful-restart Status:
Remote restart-time is 120 sec
Re-established, restarting side
Local host: 100.64.2.1, Local port: 179
Foreign host: 100.64.2.254, Foreign port: 39746
Egress interface: 4
Nexthop: 100.64.2.1
Nexthop interface: port2
Nexthop global: fe80::9:fff:fe00:702
Nexthop local: ::
BGP connection: non shared network
Last Reset: 00:08:08, due to BGP Notification sent
Notification Error Message: (OPEN Message Error/Bad Peer AS.)

© Fortinet Inc. All Rights Reserved. 15

The information also shows the number of prefixes announced and accepted, the number of times the session
has dropped, and the last time the session was reset.

Network Security Support Engineer 7.4 Study Guide 406


BGP

DO NOT REPRINT
© FORTINET
Prefixes Advertised by the Local FortiGate
# get router info bgp neighbors 100.64.2.254 advertised-routes

VRF 0 BGP table version is 1, local router ID is 172.16.1.254


Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path

*> 0.0.0.0/0 100.64.2.1 xxx 0 0 100 i <-/->

Total number of prefixes 1


Local preference Route weight
Next hop IP value
AS path and
route origin
codes

© Fortinet Inc. All Rights Reserved. 16

This slide shows the command you can use to get details about the prefixes the local router is advertising.
The Status codes information identifies the codes associated with a routing entry. For each prefix, the
command displays the following:
• Next hop IP address
• Local preference
• Weight
• AS path

Network Security Support Engineer 7.4 Study Guide 407


BGP

DO NOT REPRINT
© FORTINET
Prefixes Advertised by a Neighbor
# get router info bgp neighbors 100.64.2.254 route

VRF 0 BGP table version is 1, local router ID is 172.16.1.254

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,


S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path

* 0.0.0.0/0 100.64.2.254 0 0 0 100 100 100 i <-/->


*> 8.8.8.8/32 100.64.2.254 0 0 0 100 100 100 i <-/1>

Total number of prefixes 2

© Fortinet Inc. All Rights Reserved. 17

This slide shows the command you can use to display the routes that a neighbor advertises.

Network Security Support Engineer 7.4 Study Guide 408


BGP

DO NOT REPRINT
© FORTINET
Prefixes Advertised by All BGP Peers
# get router info bgp network
VRF 0 BGP table version is 1, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path


* i0.0.0.0/0 100.64.2.254 0 100 0 0 ? <-/->
*> 100.64.2.1 32768 0 ? <-/1>
*> 4.2.2.1/32 100.64.2.1 32768 0 ? <-/1>
*>i8.8.8.8/32 100.64.2.254 0 100 0 0 ? <-/1>
*>i10.20.30.0/24 172.16.54.115 0 100 0 0 i <-/1>

Advertised using the


Total number of prefixes 4 network command

© Fortinet Inc. All Rights Reserved. 18

You can use the get router info bgp network command to display the BGP database. The BGP
database lists all prefixes that all neighbors advertise, as well as the local router.

Also highlighted on this slide are the origin codes used for the BGP table. i for IGP indicates the network
command was used to advertise a route. This applies to the last route in the table, 10.20.30.0/24. All other
advertised routes are tagged with ?, which indicates that the route was advertised from another routing
protocol using redistribution. e for EGP is used only for legacy route advertisement and is rarely seen.

Network Security Support Engineer 7.4 Study Guide 409


BGP

DO NOT REPRINT
© FORTINET
BGP Event Logging
• BGP event logging displays routing events
• Neighbor down or up
• RIB update
• BGP message exchange
• Errors connecting to neighbors
• Enabled by default
# config router bgp
set log-neighbour-change disable
end

© Fortinet Inc. All Rights Reserved. 19

FortiGate can log routing events, which enables you to get information that used to be available only when
you ran the BGP real-time debug. By default, BGP event logging is enabled. You can disable BGP event
logging by using the commands shown on this slide.

Network Security Support Engineer 7.4 Study Guide 410


BGP

DO NOT REPRINT
© FORTINET
BGP Event Logging (Contd)
Log & Report > System Events > Router Events

© Fortinet Inc. All Rights Reserved. 20

You can view BGP-related router events on the GUI. You can click any logged entry to view the details.

Network Security Support Engineer 7.4 Study Guide 411


BGP

DO NOT REPRINT
© FORTINET

BGP Troubleshooting

© Fortinet Inc. All Rights Reserved. 21

In this section, you will learn about common BGP issues and how to solve them.

Network Security Support Engineer 7.4 Study Guide 412


BGP

DO NOT REPRINT
© FORTINET
BGP Troubleshooting Tips
• Is there an active route to the remote peer?
• Check whether TCP port 179 is blocked
• Check the status of the TCP session
• Check the status of the BGP session
• Check the prefixes received and advertised

© Fortinet Inc. All Rights Reserved. 22

Follow these steps to troubleshoot a BGP problem between two peers:


• Check that the local router can reach the remote peer.
• Ensure that TCP port 179 is not blocked between the peers.
• Check the TCP session.
• Check the BGP session.
• If the BGP session is established, check the prefixes received and advertised by each peer.

Network Security Support Engineer 7.4 Study Guide 413


BGP

DO NOT REPRINT
© FORTINET
Real-Time Debug
• Enable real-time BGP debug:
# diagnose ip router bgp all enable
# diagnose ip router bgp level info
# diagnose debug enable
• Disable real-time BGP debug: diagnose debug reset does
# diagnose ip router bgp all disable not stop BGP real-time debug
# diagnose ip router bgp level none
# diagnose debug disable

© Fortinet Inc. All Rights Reserved. 23

This slide shows the commands you can use to enable and disable the BGP real-time debug. Note that this
example enables debug output from event and level information.

Network Security Support Engineer 7.4 Study Guide 414


BGP

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 1—No Active Route
BGP: 172.16.54.116-Outgoing [FSM] State: Idle Event: 3
BGP: 172.16.54.116-Outgoing [NETWORK] FD=26, Sock Status: 113-No route to host
BGP: 172.16.54.116-Outgoing [FSM] State: Connect Event: 18

# get router info bgp summary


Application debug
VRF 0 BGP router identifier 1.1.1.1, local AS number 65110 output
BGP table version is 1
0 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd


172.16.54.116 4 65110 0 0 0 0 0 never Active

# get router info bgp neighbor


VRF 0 neighbor table:
BGP neighbor is 172.16.54.116, remote AS 65110, local AS 65110, internal link
BGP version 4, remote router ID 0.0.0.0
BGP state = Active

© Fortinet Inc. All Rights Reserved. 24

One common issue is that there is no route to the BGP neighbor in the FortiOS forwarding information base
(FIB). If that is the case, the real-time BGP application debug will output the message shown on this slide:
Sock Status: 113-No route to host. You can also verify this using the get router info bgp
summary and get router info bgp neighbor commands. Both outputs show that the status is
Active, meaning the TCP three-way handshake could not be established. The solution is to ensure there is
an active route to the IP address of the BGP neighbor.

Network Security Support Engineer 7.4 Study Guide 415


BGP

DO NOT REPRINT
© FORTINET
BGP Neighbor Establishment
BGP: [NETWORK] Accept Thread: Incoming conn from host 100.64.2.254 (FD=27 VRF=0)
BGP: 100.64.2.254-Outgoing [FSM] State: Connect Event: 14
BGP: 100.64.2.254-Outgoing [FSM] InConnReq: Accepting...
BGP: 100.64.2.254-Outgoing [NETWORK] FD=27, Sock Status: 0-Success
BGP: 100.64.2.254-Outgoing [FSM] State: Connect Event: 17
BGP: 100.64.2.254-Outgoing [ENCODE] Msg-Hdr: Type 1
BGP: 100.64.2.254-Outgoing [ENCODE] Open: Ver 4 MyAS 65100 Holdtime 180
BGP: 100.64.2.254-Outgoing [ENCODE] Open: Msg-Size 61
BGP: 100.64.2.254-Outgoing [DECODE] Msg-Hdr: type 1, length 59
BGP: 100.64.2.254-Outgoing [DECODE] Open: Optional param len 30
BGP: 100.64.2.254-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 2 BGP state
BGP: 100.64.2.254-Outgoing [DECODE] Open Cap: Cap Code 128, Cap Len 0 messages
BGP: 100.64.2.254-Outgoing [DECODE] Open Cap: RR Cap(old) for all address-families
BGP: 100.64.2.254-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 2
BGP: 100.64.2.254-Outgoing [DECODE] Open Cap: Cap Code 2, Cap Len 0
BGP: 100.64.2.254-Outgoing [DECODE] Open Cap: RR Cap(new) for all address-families
BGP: 100.64.2.254-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 100.64.2.254-Outgoing [DECODE] Open Cap: Cap Code 65, Cap Len 4
BGP: 100.64.2.254-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 4
BGP: 100.64.2.254-Outgoing [DECODE] Open Cap: Cap Code 64, Cap Len 2
BGP: 100.64.2.254-Outgoing [DECODE] Cap GR: Restart Flag Off, Restart Time 120
BGP: 100.64.2.254-Outgoing [FSM] State: OpenSent Event: 19
BGP: 100.64.2.254-Outgoing [ENCODE] Msg-Hdr: Type 4
BGP: 100.64.2.254-Outgoing [ENCODE] Keepalive: 294 KAlive msg(s) sent

© Fortinet Inc. All Rights Reserved. 25

This slide and the next slide show examples of real-time debug outputs from the successful establishment of a
BGP session. In this example, the output shows when the session goes to the OpenSent state.

Network Security Support Engineer 7.4 Study Guide 416


BGP

DO NOT REPRINT
© FORTINET
BGP Neighbor Establishment (Contd)
...
BGP: 100.64.2.254-Outgoing [DECODE] Msg-Hdr: type 4, length 19
BGP: 100.64.2.254-Outgoing [DECODE] KAlive: Received!
BGP: 100.64.2.254-Outgoing [DECODE] Msg-Hdr: type 4, length 19
BGP: 100.64.2.254-Outgoing [DECODE] KAlive: Received! BGP state
BGP: 100.64.2.254-Outgoing [FSM] State: OpenConfirm Event: 26 messages
BGP: 100.64.2.254-Outgoing [FSM] State: Established Event: 26
id=20300 logdesc="BGP neighbor status changed" msg="BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 100.64.2.254 Up "
BGP: 100.64.2.254-Outgoing [FSM] State: Established Event: 34
BGP: 100.64.2.254-Outgoing [DECODE] Msg-Hdr: type 2, length 65
BGP: 100.64.2.254-Outgoing [DECODE] Update: Starting UPDATE decoding... Bytes To Read (46), msg_size (46)
BGP: 100.64.2.254-Outgoing [DECODE] Update: NLRI Len(6)
BGP: 100.64.2.254-Outgoing [FSM] State: Established Event: 27
BGP: 100.64.2.254-Outgoing [RIB] Update: Received Prefix 0.0.0.0/0
BGP: BGP VRF 0 leaking 0.0.0.0/0 afi 1, safi 1 Prefixes
BGP: VRF 0 NSM announce: 0.0.0.0/0 received
BGP: 100.64.2.254-Outgoing [RIB] Update: Prefix 8.8.8.8/32 denied due to filter from peer

© Fortinet Inc. All Rights Reserved. 26

This slide shows the real-time debug output containing the OpenConfirm state after the keepalive
message is received from the neighbor, as well as the establishment of the connection.

The output also lists the prefixes FortiGate received after the BGP session was established.

Network Security Support Engineer 7.4 Study Guide 417


BGP

DO NOT REPRINT
© FORTINET
Restart BGP
# execute router clear bgp
all Clear all BGP peers.
as Clear BGP peer by AS number.
dampening Clear route flap dampening information.
external Clear all external peers.
flap-statistics Clear route flap statistics.
ip Clear BGP peer by IP address.
ipv6 Clear BGP peer by IPv6 address.

# execute router clear bgp all


<args...> Input arguments: Resets the BGP process and
<none> requires FortiGate to establish
in BGP peering again
in prefix-filter
out
Resends
soft [in|out] complete BGP
table

© Fortinet Inc. All Rights Reserved. 27

You can use the command shown on this slide to restart a BGP session between two peers. You can also use
this command to execute a BGP soft reset, which forces both peers to exchange their complete BGP routing
tables.

Network Security Support Engineer 7.4 Study Guide 418


BGP

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 2—Prefix Not Received
FGT-A # get router info bgp summary
...
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.37.202 4 65110 2500 2552 5 0 0 1d11h33m 0

FGT-B # show router bgp


...
config network
edit 1 Prefix configured
set prefix 172.16.0.0 255.255.0.0 with /16 subnet
next mask
end

FGT-B # diagnose ip address list | grep port3


IP=172.16.54.115->172.16.54.202/255.255.255.0 index=5 devname=port3

Local subnet is a
/24 mask

© Fortinet Inc. All Rights Reserved. 28

In the troubleshooting example shown on this slide, FGT-A is not receiving the prefix that FGT-B advertised.
The issue in this scenario is that the subnet mask of the prefix is misconfigured on FGT-B, prompting FortiOS
to not advertise the network to other BGP peers.

Network Security Support Engineer 7.4 Study Guide 419


BGP

DO NOT REPRINT
© FORTINET
Prefix Not Received—Solution 1
FGT-B # show router bgp
...
config network Prefix modified to
correct subnet
edit 1
mask
set prefix 172.16.54.0 255.255.255.0
next
end

FGT-A # get router info bgp network


...
Network Next Hop Metric LocPrf Weight RouteTag Path
*>i172.16.54.0/24 192.168.37.202 0 100 0 0 i <-/1>

Total number of prefixes 1

© Fortinet Inc. All Rights Reserved. 29

There are two ways to fix the issue in troubleshooting scenario 2. The first way is to change the prefix
manually to represent the network assigned to port3 on FGT-B. This is the recommended method. Changing
the subnet mask from 255.255.0.0 to 255.255.255.0 allows FGT-B to advertise the prefix to its peers.

Network Security Support Engineer 7.4 Study Guide 420


BGP

DO NOT REPRINT
© FORTINET
Prefix Not Received—Solution 2
FGT-B # show router bgp
...
config network Disable import
edit 1 check
set prefix 172.16.0.0 255.255.0.0
set network-import-check disable
next
end

FGT-A # get router info bgp network


...
Network Next Hop Metric LocPrf Weight RouteTag Path
*>i172.16.54.0/24 192.168.37.202 0 100 0 0 i <-/1>

Total number of prefixes 1

© Fortinet Inc. All Rights Reserved. 30

The other option is to disable the set network-import-check. This is the safety mechanism that
prevented FortiOS from advertising the falsely configured route. Disabling this mechanism is generally not
recommended because this mechanism is what ensures that only the correct networks are advertised, which
avoids routing issues.

Network Security Support Engineer 7.4 Study Guide 421


BGP

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 3—Prefix Not Accepted
FGT-A # get router info bgp summary
...
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.37.202 4 65110 19 18 0 0 0 00:04:04 0
FGT-B # show router bgp
...
config network
edit 1
Advertised network
set prefix 172.16.54.0 255.255.255.0 is correctly
next configured
end
FGT-A # show router bgp
config neighbor
edit "192.168.37.202"
set prefix-list-in "Prefix-172.16.54.0/24"
set remote-as 65110 Prefix list
next configured on
FGT-A
end

© Fortinet Inc. All Rights Reserved. 31

In the scenario shown on this slide, FGT-A does not receive the expected prefix from FGT-B. FGT-A has been
configured with a prefix-list-in, which controls whether networks that neighbors advertise are accepted
into the routing table.

Network Security Support Engineer 7.4 Study Guide 422


BGP

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 3—Prefix Not Accepted (Contd)
Action is deny. Any
FGT-A # config router prefix-list advertised subnet within
edit "Prefix-172.16.54.0/24" 172.16.0.0/16 is not
config rule accepted
edit 2 Full /16 subnet
set action deny includes the
set prefix 172.16.0.0 255.255.0.0 172.16.54.0/24
unset ge network
unset le
next
end
next
end

© Fortinet Inc. All Rights Reserved. 32

A closer look into the prefix configuration reveals that any peer advertised network within the
172.16.0.0/16 subnet is not accepted into the BGP database.

Network Security Support Engineer 7.4 Study Guide 423


BGP

DO NOT REPRINT
© FORTINET
Prefix Not Accepted—Solution
FGT-A # config router prefix-list
edit "Prefix-172.16.54.0/24"
config rule
edit 2
set action deny
set prefix 172.16.0.0 255.255.0.0
unset ge
unset le
next
edit 3 Expected advertised
set prefix 172.16.54.0 255.255.255.0 network from FGT-B
unset ge
unset le
next
end
next
end

© Fortinet Inc. All Rights Reserved. 33

The preferred solution is to add an additional rule, specifically allowing the 172.16.54.0 prefix in the same
prefix-list. Unlike firewall policies, the list is not evaluated from the top down. Every rule in the list is
inspected.

Network Security Support Engineer 7.4 Study Guide 424


BGP

DO NOT REPRINT
© FORTINET
Prefix Not Accepted—Solution (Contd)
FGT-A # get router info bgp summary
...
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.37.202 4 65110 46 46 0 0 0 00:06:19 1

FGT-A # get router info bgp network


...
Network Next Hop Metric LocPrf Weight RouteTag Path
*>i172.16.54.0/24 192.168.37.202 0 100 0 0 i <-/1>

Total number of prefixes 1

© Fortinet Inc. All Rights Reserved. 34

After configuring the additional rule, the prefix is accepted and added into the BGP database.

Network Security Support Engineer 7.4 Study Guide 425


BGP

DO NOT REPRINT
© FORTINET
Review
 Review BGP and its components
 Understand BGP monitoring commands
 Explore BGP troubleshooting

© Fortinet Inc. All Rights Reserved. 35

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about BGP components and commands, and
how to troubleshoot common issues with BGP.

Network Security Support Engineer 7.4 Study Guide 426


OSPF

DO NOT REPRINT
© FORTINET

Network Security Support Engineer


OSPF

FortiOS 7.4
Last Modified: 25 April 2024

In this lesson, you will learn about OSPF and how to monitor and troubleshoot it.

Network Security Support Engineer 7.4 Study Guide 427


OSPF

DO NOT REPRINT
© FORTINET
Objectives
• Understand OSPF components and adjacencies
• Monitor the status of an OSPF network
• Troubleshoot common OSPF problems

© Fortinet Inc. All Rights Reserved. 2

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding OSPF, you will be able to understand, monitor, and
troubleshoot OSPF.

Network Security Support Engineer 7.4 Study Guide 428


OSPF

DO NOT REPRINT
© FORTINET

OSPF Review

© Fortinet Inc. All Rights Reserved. 3

In this section, you will briefly review OSPF.

Network Security Support Engineer 7.4 Study Guide 429


OSPF

DO NOT REPRINT
© FORTINET
OSPF Overview
• Link state protocol
• Advantages:
• Scalable to large networks
• Faster convergence than distance-vector routing protocols
• Relatively quiet during steady-state conditions
• Periodic refresh every 30 minutes
• Otherwise, updates only sent when there are changes

• Disadvantages:
• May require planning and tuning to optimize performance
• May be difficult to troubleshoot in large networks

© Fortinet Inc. All Rights Reserved. 4

With a link state protocol like OSPF, every router has a complete view of the network topology. Advantages of
OSPF include scalability and fast convergence. Every 30 minutes, routers advertise their OSPF information
again. Between these 30-minute intervals, routers send updates only if they detect topology changes. So, it is
a relatively quiet protocol, as long as the network topology is stable. In large networks, using OSPF requires
good planning and may be difficult to troubleshoot.

Network Security Support Engineer 7.4 Study Guide 430


OSPF

DO NOT REPRINT
© FORTINET
OSPF Components
• Link state database (LSDB): Each router maintains identical databases describing the
network topology
• From the LSDB, and using Dijkstra’s algorithm, each router builds a tree with the
shortest paths
• The tree gives an OSPF route to each destination
• OSPF can inject routes into the IP routing table

Link state Shortest path


IP routing
database Dijkstra’s algorithm first (SPF) OSPF routes
table
(LSDB) tree

© Fortinet Inc. All Rights Reserved. 5

Each router in the same area has identical and synchronized databases. You will learn about OSPF areas
later in this lesson. An OSPF router uses the information in the LSDB and Dijkstra's algorithm to generate an
OSPF tree, which contains the shortest path from the local router to each other router and network. This tree
gives the best route to each destination, which is the information that OSPF can inject into the device routing
table.

Network Security Support Engineer 7.4 Study Guide 431


OSPF

DO NOT REPRINT
© FORTINET
Link State Advertisement
• Routers exchange link state advertisements (LSAs) to maintain consistent databases
• Network changes generate LSAs
• The LSDBs are composed of all received LSAs
• A link state update consists of an OSPF header and a string of LSAs
• Each LSA has its own header
• Routers acknowledge the receipt of LSAs

OSPF Number of
IP header LSA 1 LSA 2 … LSA n
header LSAs

© Fortinet Inc. All Rights Reserved. 6

LSAs contain the topology information that OSPF peers exchange. The LSDB of a router is populated with
information from the local LSAs and all the LSAs received from other routers.

Network Security Support Engineer 7.4 Study Guide 432


OSPF

DO NOT REPRINT
© FORTINET
Forming an Adjacency
• Down: Initial state
• Init: A hello packet was seen from a non- Down
adjacent neighbor Hello Down
Init Hello Init
• 2-way: Communication is bidirectional
between the two routers 2-way DB description 2-way
ExStart
• ExStart: A primary and secondary DB description
Exchange
relationship is negotiated Link state request
Loading
• Exchange: Database description packets Link state update
are exchanged Link state ack
• Loading: LSA information is exchanged Link state request
• Full: LSDBs are identical Link state update
Link state ack
Full Hello Full
Hello

© Fortinet Inc. All Rights Reserved. 7

A session between two OSPF peers is called an adjacency. This slide shows the initial interchange between
two peers that are forming an adjacency. Any new adjacency goes through different states: Init, 2-way,
ExStart, Exchange, Loading, and Full. The Full state indicates that the adjacency has successfully formed,
and that both routers have identical copies of the LSDB.

Network Security Support Engineer 7.4 Study Guide 433


OSPF

DO NOT REPRINT
© FORTINET
Adjacency Requirements
• Primary IP addresses of peers are in the same subnet with the same mask
• Interfaces of peers are the same type and in the same OSPF area
• Hello and dead intervals of peers must match
• Each peer has a unique router ID
• OSPF IP maximum transmission units (MTUs) match
• OSPF authentication, if enabled, is successful

© Fortinet Inc. All Rights Reserved. 8

This slide lists the requirements for two peers to form an OSPF adjacency. If any of the requirements are not
met, the adjacency fails and will not reach the Full state.

Network Security Support Engineer 7.4 Study Guide 434


OSPF

DO NOT REPRINT
© FORTINET

OSPF Monitoring

© Fortinet Inc. All Rights Reserved. 9

In this section, you will learn the commands necessary for monitoring OSPF.

Network Security Support Engineer 7.4 Study Guide 435


OSPF

DO NOT REPRINT
© FORTINET
OSPF Status
# get router info ospf status
Routing Process "ospf 0" with ID 0.0.0.2
Process uptime is 2 hours 32 minutes
Process bound to VRF default
Conforms to RFC2328, and RFC1583Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Do not support Restarting
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Refresh timer 10 secs
Number of incomming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 1. Checksum 0x00533A
Number of opaque AS LSA 0. Checksum 0x000000
...

© Fortinet Inc. All Rights Reserved. 10

The command shown on this slide provides detailed information about the OSPF process.

Network Security Support Engineer 7.4 Study Guide 436


OSPF

DO NOT REPRINT
© FORTINET
OSPF Status (Contd)
....
Number of non-default external LSA 1 Shows number of fully
adjacent neighbors
External LSA database is unlimited.
Number of LSA originated 36
Number of LSA received 13
Number of areas attached to this router: 1
Area 0.0.0.0 (BACKBONE) Backbone router
Number of interfaces in this area is 3(3)
Number of fully adjacent neighbors in this area is 2
Area has no authentication
SPF algorithm last executed 00:02:38.780 ago
SPF algorithm executed 32 times
Number of LSA 5. Checksum 0x028b9c

© Fortinet Inc. All Rights Reserved. 11

The command on this slide shows information about each area the router belongs to.

Network Security Support Engineer 7.4 Study Guide 437


OSPF

DO NOT REPRINT
© FORTINET
OSPF Interfaces
Spoke1 # get router info ospf interface
wan1 is up, line protocol is up
Internet Address 10.10.2.2/24, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 0.0.0.2, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1 DR: Designated router
BDR: Backup designated
router
Designated Router (ID) 0.0.0.2, Interface Address 10.10.2.2
DROther: Neither DR
nor BDR
Backup Designated Router (ID) 0.0.0.1, Interface Address 10.10.2.1
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5

Hello due in 00:00:02


Neighbor Count is 1, Adjacent neighbor count is 1 Local router is a DR
Crypt Sequence Number is 8612
Hello received 93 sent 94, DD received 6 sent 3
LS-Req received 1 sent 1, LS-Upd received 3 sent 17
Number of adjacencies
LS-Ack received 13 sent 2, Discarded 0

wan2 is up, line protocol is up


...

© Fortinet Inc. All Rights Reserved. 12

For OSPF information about each interface, use the command shown on this slide. It shows:
• Network type, in this case broadcast multiaccess
• If the interface is a DR or a BDR
• DR and BDR IDs and IP addresses
• Number of adjacencies and traffic statistics

Network Security Support Engineer 7.4 Study Guide 438


OSPF

DO NOT REPRINT
© FORTINET
OSPF Neighbors
Spoke1 # get router info ospf neighbor

OSPF process 0, VRF 0:


Neighbor ID Pri State Dead Time Address Interface
0.0.0.1 1 Full/DR 00:00:39 10.10.2.1 wan1
0.0.0.3 1 Full/DROther 00:00:37 10.10.3.2 wan2
0.0.0.10 c1 Full/ - 00:00:36 172.16.1.2 ToHub

This represents a
point-to-point network

© Fortinet Inc. All Rights Reserved. 13

The command on this slide shows a summary of the statuses of all the OSPF neighbors. For each neighbor, it
displays the adjacency state and whether the interface is a DR, a BDR, or neither (DROther). The response
displays a dash after the state if the neighbor is in a point-to-point network.

Network Security Support Engineer 7.4 Study Guide 439


OSPF

DO NOT REPRINT
© FORTINET
OSPF LSDB
Spoke1 # get router info ospf database brief

OSPF Router with ID(0.0.0.1) (Process ID 0, VRF 0)

Router Link States (Area 0.0.0.0)

Link ID ADV Router Age Seq# CkSum Flag Link count


0.0.0.1 0.0.0.1 283 80000006 d0ce 0012 2
0.0.0.2 0.0.0.2 1601 8000000a 7725 0021 3
0.0.0.3 0.0.0.3 1520 80000007 4133 0012 2

Net Link States (Area 0.0.0.0)

Link ID ADV Router Age Seq# CkSum Flag


10.10.2.2 0.0.0.2 143 80000002 70cb 0031
10.10.3.1 0.0.0.2 1601 80000001 8dad 0021

AS External Link States

Link ID ADV Router Age Seq# CkSum Flag Route Tag


172.20.121.0 0.0.0.1 693 80000002 513b 0012 E2 172.20.121.0/24 0

© Fortinet Inc. All Rights Reserved. 14

The command shown on this slide provides a summary of all the LSDB entries on FortiGate, ordered by LSA
types. It shows the type 1 LSAs (router link states) first, then the type 2 LSAs (net link states), and finally type
5 LSAs (AS external link advertisement). You can view detailed information about each type 1 link ID with the
commands shown on the following slides.

Network Security Support Engineer 7.4 Study Guide 440


OSPF

DO NOT REPRINT
© FORTINET
LSA Details
Spoke1 # get router info ospf database router lsa

OSPF Router with ID(0.0.0.1) (Process ID 0, VRF 0)


Router Link States (Area 0.0.0.0)
LS age: 572
Options: 0x2 (*|-|-|-|-|-|E|-)
Flags: 0x2 : ASBR
LS Type: router-LSA
Link State ID: 0.0.0.1
Advertising Router: 0.0.0.1
LS Seq Number: 80000006
Checksum: 0xd0ce
Length: 48
Number of Links: 2

Link connected to: Stub Network


(Link ID) Network/subnet number: 192.168.1.0
(Link Data) Network Mask: 255.255.255.0
Number of TOS metrics: 0
TOS 0 Metric: 1
...

© Fortinet Inc. All Rights Reserved. 15

Use the command shown on this slide to see details about type 1 LSAs. The link state IDs correspond
to the Link ID provided by the get router info ospf database brief command.

Network Security Support Engineer 7.4 Study Guide 441


OSPF

DO NOT REPRINT
© FORTINET
LSA Details (Contd)
...
Link connected to: a Transit Network
(Link ID) Designated Router address: 10.10.2.2
(Link Data) Router Interface address: 10.10.2.1
Number of TOS metrics: 0
TOS 0 Metric: 1

LS age: 72
Options: 0x2 (*|-|-|-|-|-|E|-)
Flags: 0x0
LS Type: router-LSA
Link State ID: 0.0.0.2
Advertising Router: 0.0.0.2
LS Seq Number: 8000000b
Checksum: 0x7526
Length: 60
Number of Links: 3
...

© Fortinet Inc. All Rights Reserved. 16

This slide shows a sample of more output from the command get router info ospf database
router lsa.

Network Security Support Engineer 7.4 Study Guide 442


OSPF

DO NOT REPRINT
© FORTINET
Self-Originated LSAs
Spoke1 # get router info ospf database self-originate

OSPF Router with ID(0.0.0.2) (Process ID 0, VRF 0)

Router Link States (Area 0.0.0.0)

Link ID ADV Router Age Seq# CkSum Flag Link count


0.0.0.2 0.0.0.2 1700 8000000a 7725 0021 3

Net Link States (Area 0.0.0.0)

Link ID ADV Router Age Seq# CkSum Flag


10.10.2.2 0.0.0.2 243 80000002 70cb 0031
10.10.3.1 0.0.0.2 1700 80000001 8dad 0021

© Fortinet Inc. All Rights Reserved. 17

The command shown on this slide lists the LSAs that originated on the local FortiGate with router ID 0.0.0.2.

Network Security Support Engineer 7.4 Study Guide 443


OSPF

DO NOT REPRINT
© FORTINET

OSPF Troubleshooting

© Fortinet Inc. All Rights Reserved. 18

In this section, you will learn about the tools and tips to troubleshoot OSPF issues.

Network Security Support Engineer 7.4 Study Guide 444


OSPF

DO NOT REPRINT
© FORTINET
OSPF Troubleshooting Tips
• Do peers have an IP address within the same subnet?
• Is IP protocol 89 blocked?
• Do the hello and dead intervals match?
• Is the router ID unique?
• Do the MTUs match?
• Is authentication enabled?

© Fortinet Inc. All Rights Reserved. 19

Follow these steps to troubleshoot an OSPF problem between two peers:


• Check that the local router can reach the remote peer. IP addresses must be in the same subnet and have
the same subnet mask.
• Ensure that IP protocol 89 is not blocked.
• Hello and dead intervals must match.
• The OSPF router ID for each peer must be unique. Duplicate router IDs are not allowed.
• Do the MTUs match?
• If authentication is enabled, the type and password must match on both sides.

Network Security Support Engineer 7.4 Study Guide 445


OSPF

DO NOT REPRINT
© FORTINET
OSPF Troubleshooting
• Enable real-time debug
# diagnose ip router ospf all enable
# diagnose ip router ospf level info
# diagnose debug enable
• Disable real-time debug diagnose debug reset does
# diagnose ip router ospf all disable not stop OSPF real-time debug
# diagnose ip router ospf level none
# diagnose debug disable
• Restart OSPF process
# execute router clear ospf process

• By default, routing real-time debugs stop running after you restart the routing process
• Enable the zl flag to have the real-time debug persist after the process restart:
# diagnose ip router zl enable

© Fortinet Inc. All Rights Reserved. 20

The OSPF real-time debug displays information about adjacency establishments and OSPF errors. It also
shows information about network topology changes.

You can enable the zl flag for the real-time debug to persist after a routing-process restart.

Network Security Support Engineer 7.4 Study Guide 446


OSPF

DO NOT REPRINT
© FORTINET
Sample Debug Output
OSPF: SEND[Hello]: To 224.0.0.5 via port3:10.1.0.254, length 52
OSPF: -----------------------------------------------------
OSPF: Header
OSPF: Version 2
OSPF: Type 1 (Hello)
OSPF: Packet Len 52
OSPF: Router ID 0.0.0.1
OSPF: Area ID 0.0.0.0
OSPF: Checksum 0xe78d
OSPF: AuType 0
OSPF: Hello
OSPF: NetworkMask 255.255.255.0 Hello packet sent
OSPF: HelloInterval 10 to OSPF multicast
OSPF: Options 0x2 (*|-|-|-|-|-|E|-) address
OSPF: RtrPriority 1
OSPF: RtrDeadInterval 40
OSPF: DRouter 10.1.0.254
OSPF: BDRouter 10.1.0.1
OSPF: # Neighbors 2
OSPF: Neighbor 0.0.0.3
OSPF: Neighbor 0.0.0.4
...

© Fortinet Inc. All Rights Reserved. 21

This is a sample output generated by the OSPF real-time debug. This sample shows the Hello packet being
sent.

Network Security Support Engineer 7.4 Study Guide 447


OSPF

DO NOT REPRINT
© FORTINET
Sample Debug Output (Contd)
...
OSPF: RECV[Hello]: From 0.0.0.4 via port3:10.1.0.254 (10.1.0.100 -> 224.0.0.5)
OSPF: Header
OSPF: Version 2
OSPF: Type 1 (Hello)
OSPF: Packet Len 52
OSPF: Router ID 0.0.0.4
OSPF: Area ID 0.0.0.0 Hello packet is
OSPF: Checksum 0xe78d received from
OSPF: AuType 0
OSPF: Hello
neighbor connected
OSPF: NetworkMask 255.255.255.0 to wan2
OSPF: HelloInterval 10
OSPF: Options 0x2 (*|-|-|-|-|-|E|-)
OSPF: RtrPriority 1
OSPF: RtrDeadInterval 40
OSPF: DRouter 10.1.0.254
OSPF: BDRouter 10.1.0.1
OSPF: # Neighbors 2
OSPF: Neighbor 0.0.0.3
OSPF: Neighbor 0.0.0.1
OSPF: NFSM[port3:10.1.0.254-0.0.0.4]: Full (HelloReceived)
OSPF: NFSM[port3:10.1.0.254-0.0.0.4]: nfsm_ignore called
OSPF: NFSM[port3:10.1.0.254-0.0.0.4]: Full (2-WayReceived)
...

© Fortinet Inc. All Rights Reserved. 22

This is another sample output generated by the OSPF real-time debug. This sample shows the Hello packet
being received.

Network Security Support Engineer 7.4 Study Guide 448


OSPF

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 1—Failed Adjacency Output
OSPF: SEND[Hello]: To 224.0.0.5 via port2:192.168.37.114, OSPF: RECV[Hello]: From 0.0.0.112 via port2:192.168.37.114
length 44 (192.168.37.115 -> 224.0.0.5)
OSPF: ---------------------------------------------------- OSPF: ----------------------------------------------------
- -
OSPF: Header OSPF: Header
OSPF: Version 2 OSPF: Version 2
OSPF: Type 1 (Hello) OSPF: Type 1 (Hello)
OSPF: Packet Len 44 OSPF: Packet Len 48
OSPF: Router ID 0.0.0.111 OSPF: Router ID 0.0.0.112
OSPF: Area ID 0.0.0.0 OSPF: Area ID 0.0.0.0
OSPF: Checksum 0xfc2e OSPF: Checksum 0x2f85
OSPF: AuType 1 OSPF: AuType 0
OSPF: Simple Password fortinet OSPF: Hello
OSPF: Hello OSPF: NetworkMask 255.255.255.0
OSPF: NetworkMask 255.255.255.0 OSPF: HelloInterval 10
OSPF: HelloInterval 10 OSPF: Options 0x2 (*|-|-|-|-|-|E|-)
OSPF: Options 0x2 (*|-|-|-|-|-|E|-) OSPF: RtrPriority 1
OSPF: RtrPriority 1 OSPF: RtrDeadInterval 40
OSPF: RtrDeadInterval 40 OSPF: DRouter 192.168.37.114
OSPF: DRouter 0.0.0.0 OSPF: BDRouter 192.168.37.115
OSPF: BDRouter 0.0.0.0 OSPF: # Neighbors 1
OSPF: # Neighbors 0 OSPF: Neighbor 0.0.0.111
OSPF: ----------------------------------------------------
-
OSPF: RECV[Hello]: From 0.0.0.112 via
port2:192.168.37.114: Authentication type mismatch

© Fortinet Inc. All Rights Reserved. 23

This slide shows a sample output of the OSPF real-time debug when adjacency fails. In this case, OSPF
authentication fails. We can see the DR sending a Hello message with AuType 1, indicating authentication
is configured and required for successful adjacency. In the received HELLO messages from the neighbor
router, the AuType is 0. As such, the error message in the received HELLO indicates that there is an
authentication type mismatch. In this case, the authentication method must match on both sides to establish
adjacency.

Network Security Support Engineer 7.4 Study Guide 449


OSPF

DO NOT REPRINT
© FORTINET
Failed Adjacency Error Messages
• Authentication Error
• Authentication type is the same, but passwords do not match

• HelloInterval mismatch/RouterDeadInterval mismatch


• Hello/dead interval timer mismatch

• MTU size is too large


• MTU mismatch

© Fortinet Inc. All Rights Reserved. 24

This slide shows additional error messages that are helpful for troubleshooting common adjacency issues.
Authentication error indicates that the authentication type is the same for both peers, but the
passwords configured are not. A hello or dead interval timer mismatch can be confirmed by the error
messages HelloInterval mismatch and RouterDeadInterval mismatch respectively. The error
message: MTU size is too large, indicates an MTU mismatch.

Network Security Support Engineer 7.4 Study Guide 450


OSPF

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 2—Advertised Route Not in
Routing Table
FGT-A # show router ospf
config router ospf
set router-id 0.0.0.112
config area
edit 0.0.0.0
next
end
...
config redistribute "static" Static routes are
set status enable being
end redistributed
...
end

FGT-A # get router info routing-table all


...
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 192.168.1.1, port1, [1/0] 8.8.8.8/32 is
S 8.8.8.8/32 [10/0] via 192.168.1.1, port1, [1/0] being
C 172.16.54.0/24 is directly connected, port3 redistributed

© Fortinet Inc. All Rights Reserved. 25

In the scenario shown on this slide, FGT-A is configured to redistribute all static routes. Note that default static
routes are not advertised by default. In this case, only the 8.8.8.8/32 route is advertised.

Network Security Support Engineer 7.4 Study Guide 451


OSPF

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 2—Advertised Route Not in Routing
Table (Contd)
FGT-B # get router info routing-table all
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 192.168.1.1, port1, [1/0]
C 10.23.23.0/24 is directly connected, port4

FGT-B # get router info ospf database brief


...
AS External Link States

Link ID ADV Router Age Seq# CkSum Flag Route Tag


8.8.8.8 0.0.0.112 1464 80000002 3106 0002 E2 8.8.8.8/32 0

8.8.8.8/32 is being
successfully advertised
and injected into the LSDB

© Fortinet Inc. All Rights Reserved. 26

The routing table on FGT-B shows that the advertised route 8.8.8.8/32 is missing in the routing table.
However, you can confirm that the route is being advertised successfully by looking at the LSDB using the
command get router info ospf database brief. This also verifies successful OSPF adjacency
between FGT-A and FGT-B.

Network Security Support Engineer 7.4 Study Guide 452


OSPF

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 2—Advertised Route Not in Routing
Table (Contd)
FGT-B # show router ospf
config router ospf
set router-id 0.0.0.113
set distribute-list-in ”Deny-8.8.8.0/24"
config area
edit 0.0.0.0
next
end
...
end

FGT-B # show router prefix-list


config router prefix-list
edit "Deny-8.8.8.0/24"
config rule
edit 1 Subnet 8.8.8.0/24 is not
set action deny injected into the routing
set prefix 8.8.8.0 255.255.255.0 table
unset ge
unset le

© Fortinet Inc. All Rights Reserved. 27

The issue in scenario 2 is that FGT-B is configured with a distribute-list-in that denies any subnet
within the 8.8.8.0/24 network to be injected into the routing table. The distribute-list-in is configured
under config router ospf. The list itself is configured under config router prefix-list.

Network Security Support Engineer 7.4 Study Guide 453


OSPF

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 2—Advertised Route Not in Routing
Table—Solution
FGT-B # show router prefix-list
config router prefix-list
edit "Deny-8.8.8.0/24 "
config rule
edit 1
set action deny
set prefix 8.8.8.0 255.255.255.0
unset ge
unset le
next
edit 2
set prefix 8.8.8.8 255.255.255.255
unset ge
unset le
next
end Allow the 8.8.8.8/32
next subnet
end

© Fortinet Inc. All Rights Reserved. 28

The recommended way to solve this is by adding another rule to the prefix list that applies to the OSPF
configuration. In this case, the change is made to the Deny-8.8.8.0/24 prefix list. To have FortiOS inject
the route from the LSDB into the routing table, you must add the subnet 8.8.8.8/32. Unlike firewall policies, the
list is not evaluated from the top down. Every rule within the list is inspected.

Network Security Support Engineer 7.4 Study Guide 454


OSPF

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 2—Advertised Route Not in Routing
Table (Confirmation)
8.8.8.8/32 is now injected
FGT-B # get router info routing-table all into the routing table
...
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 192.168.1.1, port1, [1/0]
O E2 8.8.8.8/32 [110/10] via 192.168.37.202, port2, 00:18:50, [1/0]
C 10.23.23.0/24 is directly connected, port4

FGT-B # get router info ospf database brief


...
AS External Link States

Link ID ADV Router Age Seq# CkSum Flag Route Tag


8.8.8.8 0.0.0.112 1464 80000002 3106 0002 E2 8.8.8.8/32 0

© Fortinet Inc. All Rights Reserved. 29

The routing table shown on this slide confirms that the advertised route from FGT-A has been successfully
injected. You can also see that the distribution-list-in command has no impact on the LSDB.

Network Security Support Engineer 7.4 Study Guide 455


OSPF

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 3—Topology

FGT-A
ABR

Area
0.0.0.0
Area
0.0.0.5

FGT-B
FGT-C
ASBR

© Fortinet Inc. All Rights Reserved. 30

In the scenario on this slide, FGT-A is an area border router (ABR) that has interfaces in OSPF areas 0.0.0.0
and 0.0.0.5. FGT-C acts as an autonomous system border router (ABSR), importing static routes into OSPF.
FGT-B is an internal router with all its interfaces belonging to area 0.0.0.5.

Network Security Support Engineer 7.4 Study Guide 456


OSPF

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 3—Routes Not Received from ABR
FGT-A # get router info ospf status
Routing Process "ospf 0" with ID 0.0.0.1
Process uptime is 2 minutes
Process bound to VRF default
Conforms to RFC2328, and RFC1583Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Do not support Restarting
This router is an ABR, ABR Type is Standard (RFC2328)
---omitted---

FGT-A # get router info ospf database brief


OSPF Router with ID (0.0.0.1) (Process ID 0, VRF 0) Type 5 LSAs
---omitted---
AS External Link States
Link ID ADV Router Age Seq# CkSum Flag Route Tag
10.40.1.0 0.0.0.3 583 80000006 8bdd 0002 E2 10.40.1.0/24 0
172.16.100.0 0.0.0.3 1143 80000006 554a 0002 E2 172.16.100.0/24 0

© Fortinet Inc. All Rights Reserved. 31

The omitted output on FGT-A from the command get router info ospf database brief shows the
type 5 LSAs received from FGT-C (router ID 0.0.0.3) in OSPF area 0.0.0.0.

Network Security Support Engineer 7.4 Study Guide 457


OSPF

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 3—Routes Not Received from ABR
(Contd)
FGT-B # get router info ospf database brief

OSPF Router with ID (0.0.0.10) (Process ID 0, VRF 0)

Router Link States (Area 0.0.0.5 [Stub])

Link ID ADV Router Age Seq# CkSum Flag Link count


0.0.0.1 0.0.0.1 302 80000008 13ea 0002 1
0.0.0.10 0.0.0.10 295 8000000b 8761 0021 1

Net Link States (Area 0.0.0.5 [Stub])

Link ID ADV Router Age Seq# CkSum Flag


100.64.1.1 0.0.0.1 302 80000001 feaa 0002

Summary Link States (Area 0.0.0.5 [Stub])

Link ID ADV Router Age Seq# CkSum Flag Route


0.0.0.0 0.0.0.1 320 80000005 df70 0002 0.0.0.0/0
10.1.0.0 0.0.0.1 315 80000002 fc54 0002 10.1.0.0/24
10.1.10.0 0.0.0.1 311 80000001 9aac 0002 10.1.10.0/24

© Fortinet Inc. All Rights Reserved. 32

Viewing the LSDB summary on FGT-B shows that none of the type 5 LSAs are forwarded from FGT-A to
FGT-B. There are no AS external link states. What could be the reason for this?

Network Security Support Engineer 7.4 Study Guide 458


OSPF

DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 3—Routes Not Received from ABR
(Solution)
FGT-B # show router ospf
config router ospf
set router-id 0.0.0.10
config area
edit 0.0.0.5
set type stub
next
end
config network
edit 1
set prefix 100.64.1.0 255.255.255.0
set area 0.0.0.5
next
end
---omitted---
end

© Fortinet Inc. All Rights Reserved. 33

The reason that no type 5 LSAs are received in the LSDB of FortiGate B, is because area 0.0.0.5 is
configured as a stub area. Stub areas block LSAs of type 5. The solution is to either change the type for area
0.0.0.5 to a regular area, or configure static routes on FGT-B to mimic the routes advertised by the ASBR.

Network Security Support Engineer 7.4 Study Guide 459


OSPF

DO NOT REPRINT
© FORTINET
OSPF Logging
• FortiGate logs OSPF routing events, such as:
• Neighbor down or up
• OSPF message exchange
• Negotiation errors
• Enabled by default under:
# config router ospf
set log-neighbour-change enable
...
end

© Fortinet Inc. All Rights Reserved. 34

By default, FortiGate logs the most important OSPF routing events, such as:
• Neighbor down or up
• OSPF message exchange
• Negotiation errors

Network Security Support Engineer 7.4 Study Guide 460


OSPF

DO NOT REPRINT
© FORTINET
OSPF Logging (Contd) Log & Report > System Events > Router Events

© Fortinet Inc. All Rights Reserved. 35

You can view OSPF-related router events on the GUI. You can click any logged entry to view the details.

Network Security Support Engineer 7.4 Study Guide 461


OSPF

DO NOT REPRINT
© FORTINET
Review
 Understand OSPF components and adjacencies
 Monitor the status of an OSPF network
 Troubleshoot common OSPF issues

© Fortinet Inc. All Rights Reserved. 36

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about OSPF concepts, and how to configure
and troubleshoot OSPF.

Network Security Support Engineer 7.4 Study Guide 462


Solution Slides

DO NOT REPRINT
© FORTINET

Network Security Support Engineer


Solution Slides

FortiOS 7.4 Last Modified: 25 April 2024

These slides contain the solutions to the troubleshooting exercises.

Network Security Support Engineer 7.4 Study Guide 463


Solution Slides

DO NOT REPRINT
© FORTINET

Lab 3—Traffic and Session Monitoring

© Fortinet Inc. All Rights Reserved. 2

Now, you will review the solutions for the troubleshooting exercise in the Traffic and Session Monitoring lab.

Network Security Support Engineer 7.4 Study Guide 464


Solution Slides

DO NOT REPRINT
© FORTINET
Problems to Troubleshoot
• There are three problems that you need to troubleshoot:
• Unable to connect over Telnet to the internal segmentation firewall (ISFW) (10.1.10.254)
• No internet access
• Unable to connect over Telnet to the Linux-Router (100.64.1.254)

© Fortinet Inc. All Rights Reserved. 3

Network Security Support Engineer 7.4 Study Guide 465


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 1: Unable to Connect Over Telnet to the ISFW
ISFW # diagnose sniffer packet any "port 23 and host 10.1.10.1" 4
interfaces=[any]
filters=[port 23 and host 10.1.10.1]
6.252157 port3 in 10.1.10.1.53567 -> 10.1.10.254.23: syn 3438661631
9.255609 port3 in 10.1.10.1.53567 -> 10.1.10.254.23: syn 3438661631

© Fortinet Inc. All Rights Reserved. 4

In the problem 1, the packets are arriving at the ISFW; however ISFW is not replying with SYN/ACK packets. The
first step is to use the sniffer command to verify that packets are arriving at the ISFW.

Network Security Support Engineer 7.4 Study Guide 466


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 1: Unable to Connect Over Telnet to the ISFW (Contd)
ISFW # diagnose debug flow filter dport 23
ISFW # diagnose debug flow trace start 10
ISFW # diagnose debug enable

id=20085 trace_id=4 func=print_pkt_detail line=4784 msg="vd-root received a


packet(proto=6, 10.1.10.1:53539->10.1.10.254:23) from port3. flag [S], seq 4051836222,
ack 0, win 8192“
id=20085 trace_id=4 func=init_ip_session_common line=4935 msg="allocate a new session-
0000d277“
id=20085 trace_id=4 func=vf_ip_route_input_common line=2584 msg="find a route:
flag=84000000 gw-10.1.10.254 via root“
id=20085 trace_id=4 func=fw_local_in_handler line=387 msg="iprope_in_check() check
failed on policy 1, drop"

© Fortinet Inc. All Rights Reserved. 5

The next step is to use the debug flow, which shows the error iprope_in_check() check failed on
policy 1, drop. Because this is occurring in FortiGate management traffic, the problem could be one of the
following:
• The telnet service is not enabled on port3.
• The telnet service is using a different port.
• The source IP address is not in the trusted hosts list.
• There is a local-in firewall configured to block telnet traffic.

Network Security Support Engineer 7.4 Study Guide 467


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 1: Unable to Connect Over Telnetto the ISFW (Contd)
• Solution:
• Delete the local-in policy configured to deny telnet requests to the unit.
ISFW (local-in-policy) # show firewall local-in-policy
config firewall local-in-policy
edit 1
set intf "port3"
set srcaddr "10.1.10." Note: User created local-in
set dstaddr "all" policies are not displayed on
set service "TELNET" the GUI. You can view them
set schedule "always" only on the CLI.
...
ISFW # config firewall local-in-policy
ISFW (local-in-policy) # delete 1
ISFW (local-in-policy) # end

© Fortinet Inc. All Rights Reserved. 6

The problem is that a local-in is policy blocking the telnet traffic. Removing the policy fixes the problem.

You can view manually created local-in policies only on the CLI.

Network Security Support Engineer 7.4 Study Guide 468


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 2: Unable to Access Public Web Sites
ISFW # diagnose debug reset
ISFW # diagnose debug flow filter dport 53
ISFW # diagnose debug flow filter saddr 10.1.10.1
ISFW # diagnose debug flow trace start 10
ISFW # diagnose debug enable

ISFW # id=20085 trace_id=20 func=print_pkt_detail line=4784 msg="vd-root


received a packet(proto=17, 10.1.10.1:54126->4.2.2.1:53) from port3. "
id=20085 trace_id=20 func=init_ip_session_common line=4935 msg="allocate a new
session-00011f9e"
id=20085 trace_id=20 func=vf_ip_route_input_common line=2584 msg="find a route:
flag=04000000 gw-10.1.0.254 via port1"
id=20085 trace_id=20 func=fw_forward_handler line=558 msg="Denied by forward
policy check (policy 0)"

© Fortinet Inc. All Rights Reserved. 7

In problem 2, you are unable to access public websites. Attempts to connect to yahoo.com fail; however you can
still ping IP address 8.8.8.8. This means that Client-10 does have internet connectivity, but it is unable to
resolve domain names. Confirm this by running a debug flow for UDP port 53 (DNS).

Network Security Support Engineer 7.4 Study Guide 469


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 2: Unable to Access Public Web Sites (Contd)
• Solution:
• Allow DNS traffic in the firewall policy:

Policy & Objects > Firewall Policy

Add DNS to the


allowed services

© Fortinet Inc. All Rights Reserved. 8

The problem is that DNS traffic is not one of the allowed services in the firewall policy. Adding the DNS service to
the firewall policy solves the problem.

Network Security Support Engineer 7.4 Study Guide 470


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 3: Telnet Access to the Linux-Router
ISFW # diagnose sniffer packet any "port 23" 4
interfaces=[any]
filters=[port 23]
17.580187 port3 in 10.1.10.1.56730 -> 100.64.1.254.23: syn 1424159519
17.580252 port1 out 10.1.10.1.56730 -> 100.64.1.254.23: syn 1424159519
17.580818 port1 in 100.64.1.254.23 -> 10.1.10.1.56730: rst 0 ack 1424159520
17.580873 port3 out 100.64.1.254.23 -> 10.1.10.1.56730: rst 0 ack 1424159520
17.581060 port1 in 100.64.1.254.23 -> 10.1.10.1.56730: rst 0 ack 1424159520

The Linux-Router is
resetting the connection

© Fortinet Inc. All Rights Reserved. 9

In problem 3 use the sniffer to confirm that FortiGate is routing the packets properly. However, you can see that
the router is replying with the reset (RST) flag. The problem is not on the FortiGate side, but on the server side.
There is nothing you can do to solve this issue.

Network Security Support Engineer 7.4 Study Guide 471


Solution Slides

DO NOT REPRINT
© FORTINET

Lab 4—Security Fabric

© Fortinet Inc. All Rights Reserved. 10

Now, you will review the solutions for the troubleshooting exercise in the Security Fabric lab.

Network Security Support Engineer 7.4 Study Guide 472


Solution Slides

DO NOT REPRINT
© FORTINET
Problems to Troubleshoot
• There are three problems that you need to troubleshoot:
• Unable to reach ISFW from NGFW-1
• Solution: Enable or create policy on NGFW-2 to allow TCP port 8013
• The Security Fabric is not enabled on ISFW port4
• Solution: Enable the Security Fabric on ISFW port4
• NGFW-1 is not authorized to take part in the Security Fabric
• Solution: NGFW-1 must be authorized on ISFW

© Fortinet Inc. All Rights Reserved. 11

Network Security Support Engineer 7.4 Study Guide 473


Solution Slides

DO NOT REPRINT
© FORTINET

Lab 5—Authentication

© Fortinet Inc. All Rights Reserved. 12

Now, you will review the solutions for the troubleshooting exercise in the Authentication lab.

Network Security Support Engineer 7.4 Study Guide 474


Solution Slides

DO NOT REPRINT
© FORTINET
Exercise 1 LDAP: Problems to Troubleshoot
• There are two problems:
• The LDAP User group is not configured on firewall policy #1, therefore the user authentication request
is not displayed.

• The password for the account student fails because there’s a local student user account, and
FortiGate doesn’t forward an authentication request to the LDAP server. Remove the local student
account.

© Fortinet Inc. All Rights Reserved. 13

There are two problems that you must troubleshoot:


1. Why is the user authentication request not displayed?
• Solution: The LDAP User group is not configured on firewall policy #1. Therefore, the user
authentication request is not displayed.

2. Why is FortiGate not forwarding an authentication request to the LDAP server?


• Solution: The password for the account student fails because there’s a local student user account, and
FortiGate is not forwarding an authentication request to the LDAP server. Remove the local student
account.

Network Security Support Engineer 7.4 Study Guide 475


Solution Slides

DO NOT REPRINT
© FORTINET
Exercise 2 SAML: Problems to Troubleshoot

• Use the debug command diagnose debug application samld -1 to view this
error message:

© Fortinet Inc. All Rights Reserved. 14

While attempting to browse the web, authentication takes place but fails with the error message: Firewall
Authentication Failed.

Use the debug command diagnose debug application samld -1 to view this error message: Audience
is invalid!.

Network Security Support Engineer 7.4 Study Guide 476


Solution Slides

DO NOT REPRINT
© FORTINET
Exercise 2 SAML: Problems to Troubleshoot (Contd)
• Reviewing the SP Login Dump and Assertion Dump sections
• On section SP Login Dump you find the following:
<saml:Issuer>https://10.1.10.254:1003/remote/saml/
• On section Assertion Dump you find the following:
<saml:Audience>https://10.1.10.254:1003/remote/saml/metadata/
• There’s a mismatch in the configuration of the (SP) entity ID between service provider (SP) and
identity provider (IdP)
• Correct the configuration through CLI or GUI: https://10.1.10.254:1003/remote/saml/metadata/

© Fortinet Inc. All Rights Reserved. 15

As explained in the lesson, we need to verify that both the SP and IdP configuration match.

While reviewing the sections SP Login Dump and Assertion Dump, you find a mismatch on the service
provider entity ID.

Using the CLI or the GUI, you review the FortiGate configuration and find that the word metadata is missing.

Change the FortiGate setting entity-id to: https://10.1.10.254:1003/remote/saml/metadata/.

Network Security Support Engineer 7.4 Study Guide 477


Solution Slides

DO NOT REPRINT
© FORTINET

Lab 6—FSSO

© Fortinet Inc. All Rights Reserved. 16

Now, you will review the solutions for the troubleshooting exercise in the FSSO lab.

Network Security Support Engineer 7.4 Study Guide 478


Solution Slides

DO NOT REPRINT
© FORTINET
Problems to Troubleshoot
• The user on the Client-10 VM is unable to browse the internet
• The FSSO user pushed by the script is in the FSSO group AD_USERS:

• Firewall policy #1 configured the local user group Training which is linked to the FSSO
group Users

• Solution: In the local user group Training, replace the FSSO group Users with the
FSSO group AD_Users.

© Fortinet Inc. All Rights Reserved. 17

The problem is that the user on the Client-10 VM is unable to browse the internet. The FSSO user pushed by the
script is in the FSSO group AD_USERS. Firewall policy #1 is configured for the local user group, Training, which
is linked to the FSSO group Users.

Solution: In the local user group Training, replace the FSSO group Users with the FSSO group AD_Users.

Network Security Support Engineer 7.4 Study Guide 479


Solution Slides

DO NOT REPRINT
© FORTINET

Lab 7—Security Profiles

© Fortinet Inc. All Rights Reserved. 18

Now, you will review the solutions for the troubleshooting exercises in the Security Profiles lab.

Network Security Support Engineer 7.4 Study Guide 480


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 1: Web Filtering
• Why isn't ISFW blocking www.eicar.org?
• The web filtering real-time debug explains why:

# get webfilter categories | grep 50


50 Information and Computer Security

• The URL is in the Information and Computer Security category, not the
Security Risk category

© Fortinet Inc. All Rights Reserved. 19

Some users reported that www.eicar.org should be blocked because it belongs in the security risk category.
However, the output of the web filtering real-time debug shows that the URL belongs to a different category—
Information Technology—which is allowed in the FortiGate configuration.

Network Security Support Engineer 7.4 Study Guide 481


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 2: Antivirus
• Why doesn’t the ISFW detect the virus?
• The debug flow does not show this line:
func=av_receive line=254 msg="send to application layer"
• So, the FTP proxy is not inspecting the traffic
• Reason:
• FTP traffic is using a non-standard port—222

• Solution:
• Modify the NST_Default protocol options so that FTP traffic is inspected on a non-standard port: port
222

© Fortinet Inc. All Rights Reserved. 20

The second problem is that ISFW is not blocking the FTP file transfer of an infected file. The debug flow does not
show the message sent to the application layer, which means that the ISFW is not inspecting the
traffic. The reason that the ISFW is not inspecting the traffic is because the FTP connection is using a
nonstandard port—port 222. Modify the NST_Default protocol options, configure the FTP to inspect traffic on the
nonstandard port 222.

Network Security Support Engineer 7.4 Study Guide 482


Solution Slides

DO NOT REPRINT
© FORTINET

Lab 8—High Availability

© Fortinet Inc. All Rights Reserved. 21

Now, you will review the solutions for the troubleshooting exercise in the High Availability lab.

Network Security Support Engineer 7.4 Study Guide 483


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 1: Mismatched ha-eth-type Setting
• The sniffer capture shows that Ethernet protocol 0x8890 is flowing in one direction:
from NGFW-1 to NGFW-2
NGFW-1 NGFW-2

• This happens because a customized ha-eth-type setting is configured on NGFW-2:

• Solution: On NGFW-2 set ha-eth-type to the default value: 8890

© Fortinet Inc. All Rights Reserved. 22

The sniffer capture shows that Ethernet protocol 0x8890 is flowing in one direction: from NGFW-1 to NGFW-2.
This happens because a customized ha-eth-type setting is configured on NGFW-2.

Solution: On NGFW-2, set ha-eth-type to the default value 8890.

Network Security Support Engineer 7.4 Study Guide 484


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 2: Password Mismatch
• The diagnose debug application hatalk -1 debug output shows a password
mismatch issue on both FortiGate devices:

• Solution: Configure a new password for the HA configuration on both FortiGate devices

© Fortinet Inc. All Rights Reserved. 23

Network Security Support Engineer 7.4 Study Guide 485


Solution Slides

DO NOT REPRINT
© FORTINET

Lab 9—IPsec

© Fortinet Inc. All Rights Reserved. 24

Now, you will review the solutions for the troubleshooting exercise in the IPsec lab.

Network Security Support Engineer 7.4 Study Guide 486


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 1: Encryption Mismatch
ike 0:755f07a141261b05/0000000000000000:45: responder: main mode get 1st message...
...
ike 0:755f07a141261b05/0000000000000000:45: incoming proposal:
ike 0:755f07a141261b05/0000000000000000:45: proposal id = 0:
ike 0:755f07a141261b05/0000000000000000:45: protocol id = ISAKMP:
ike 0:755f07a141261b05/0000000000000000:45: trans_id = KEY_IKE.
ike 0:755f07a141261b05/0000000000000000:45: encapsulation = IKE/none
ike 0:755f07a141261b05/0000000000000000:45: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:755f07a141261b05/0000000000000000:45: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:755f07a141261b05/0000000000000000:45: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:755f07a141261b05/0000000000000000:45: type=OAKLEY_GROUP, val=MODP2048.
ike 0:755f07a141261b05/0000000000000000:45: ISAKMP SA lifetime=86400
...
ike 0:755f07a141261b05/0000000000000000:45: my proposal, gw VPN:
ike 0:755f07a141261b05/0000000000000000:45: ISAKMP SA lifetime=86400
ike 0:755f07a141261b05/0000000000000000:45: proposal id = 1:
ike 0:755f07a141261b05/0000000000000000:45: protocol id = ISAKMP:
ike 0:755f07a141261b05/0000000000000000:45: trans_id = KEY_IKE.
ike 0:755f07a141261b05/0000000000000000:45: encapsulation = IKE/none
ike 0:755f07a141261b05/0000000000000000:45: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:755f07a141261b05/0000000000000000:45: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:755f07a141261b05/0000000000000000:45: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:755f07a141261b05/0000000000000000:45: type=OAKLEY_GROUP, val=MODP2048.
ike 0:755f07a141261b05/0000000000000000:45: ISAKMP SA lifetime=86400
...
ike 0:755f07a141261b05/0000000000000000:45: negotiation failure

© Fortinet Inc. All Rights Reserved. 25

The first problem is a misconfiguration in phase 1. One side is configured with triple data encryption standard
(3DES), and the other side is configured with advance encryption standard (AES).

Network Security Support Engineer 7.4 Study Guide 487


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 2: Pre-Shared Key Mismatch
...
ike 0:VPN:130: responder: main mode get 3rd message...
ike 0:VPN:130: dec
E410DF2B73B8DF1C3ADBB8C4B7F264B205100201000000000000006C9135F5F081B0E42CC8D197
A5CA4A8B5D24A88B30263F5BD1100003C17E06D5A125B43693308EA1732DEFFA7A9C58891D2406
B2F425674C4F2F93C919DB36F40849C0A793682E12673D91F7A60027CC58
ike 0:VPN:130: parse error
ike 0:VPN:130: probable pre-shared secret mismatch

© Fortinet Inc. All Rights Reserved. 26

The second problem is a mismatch in the pre-shared key.

Network Security Support Engineer 7.4 Study Guide 488


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 3: ISP Blocking ESP Packets
Spoke-2 # diagnose sniffer packet any "esp or icmp" 4 Spoke-2 is
interfaces=[any] sending the
packets from the
filters=[esp or icmp] correct interfaces
3.073926 VPN out 10.1.2.254 -> 10.1.1.254: icmp: echo request
3.073943 port1 out 100.64.5.1 -> 100.64.4.1: ESP(spi=0xcb35b188,seq=0x10)
4.078136 VPN out 10.1.2.254 -> 10.1.1.254: icmp: echo request
4.078164 port1 out 100.64.5.1 -> 100.64.4.1: ESP(spi=0xcb35b188,seq=0x11)

Spoke-1 is not
Spoke-1 # diagnose sniffer packet any "esp or icmp" 4
receiving them
interfaces=[any]
filters=[esp]

© Fortinet Inc. All Rights Reserved. 27

The third problem is that the sniffer shows that the Encapsulating Security Payload (ESP) packets from Spoke-2
are not arriving at Spoke-1. The most likely reason for this is that the ESP packets are being blocked or dropped
in transit by the Linux-Router.

Network Security Support Engineer 7.4 Study Guide 489


Solution Slides

DO NOT REPRINT
© FORTINET

Lab 10—IPSec-IKEv2

© Fortinet Inc. All Rights Reserved. 28

Now, you will review the solutions for the troubleshooting exercise in the IPSec-IKEv2 lab.

Network Security Support Engineer 7.4 Study Guide 490


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 1: Encryption Mismatch in Phase 1
• The diagnose debug application ike -1 debug output shows a proposal
mismatch issue on both FortiGate devices:

• Solution: Configure a matching proposal setting on both FortiGate devices

© Fortinet Inc. All Rights Reserved. 29

The first problem is a misconfiguration in phase 1. One side is configured with 3DES, and the other side is
configured with AES.

Network Security Support Engineer 7.4 Study Guide 491


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 2: DH Mismatch in Phase 2
• When IKEv2 is used, if there’s a dhgrp mismatch on the CHILD_SA, it won’t be
detected until after the rekey
• Phase 2 is configured to perform a rekey every 5 minutes
• After 5 minutes, when the rekey takes place, the mismatch will be detected, which will
bring phase 2 down

• Status of phase 1 is shown as up, but phase 2 is shown as down

• Solution: In phase 2, configure matching dhgrp settings

© Fortinet Inc. All Rights Reserved. 30

Network Security Support Engineer 7.4 Study Guide 492


Solution Slides

DO NOT REPRINT
© FORTINET

Lab 11—Routing

© Fortinet Inc. All Rights Reserved. 31

Now, you will review the solutions for the troubleshooting exercises in the Routing lab.

Network Security Support Engineer 7.4 Study Guide 493


Solution Slides

DO NOT REPRINT
© FORTINET
Route Changes and Source NAT Sessions
• port1 goes down and traffic is automatically routed to the secondary interface (port2)
• port1 comes back up; however, SNAT sessions continue to use port2 because the
route is still active in the routing table
• To change this behavior, do one of the following:
• Clear the existing entries in the session table
• Enable snat-route-change:
config system global
set snat-route-change enable
end

© Fortinet Inc. All Rights Reserved. 32

When the primary internet link goes down, the routing table changes. All routing information is flushed from the
affected sessions and traffic is routed to port2. When port1 comes back up, all source network address translation
(SNAT) sessions continue to use port2, because the port2 route is still valid and the port2 interface is still up.
Existing SNAT sessions continue to use port2 until they expire.

There is a global setting that instructs FortiGate to reroute existing SNAT sessions when a routing change occurs,
even when the less desirable route is still active. You can enable the snat-route-change setting as shown on
this slide.

Network Security Support Engineer 7.4 Study Guide 494


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 1: Default Routes
NGFW-1 # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
> - selected route, * - FIB route, p - stale info

Routing table for VRF=0


S 0.0.0.0/0 [11/0] via 100.64.2.254, port2, [5/0]
S *> 0.0.0.0/0 [10/0] via 100.64.1.254, port1, [10/0]
C *> 10.1.0.0/24 is directly connected, port3
S *> 10.1.4.0/24 [10/0] via 10.1.0.100, port3, [1/0]
S *> 10.1.10.0/24 [10/0] via 10.1.0.1, port3, [1/0]
S *> 10.1.10.1/32 [10/0] via 100.64.1.254, port1, [1/0]
C *> 100.64.1.0/24 is directly connected, port1
C *> 100.64.2.0/24 is directly connected, port2
C *> 172.16.100.0/24 is directly connected, port8

© Fortinet Inc. All Rights Reserved. 33

The default route configuration is not working as desired. The default route using port2 is inactive.

Network Security Support Engineer 7.4 Study Guide 495


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 1: Default Routes (Contd)
• Solution:
• Change the Administrative Distance to 10
• Change the Priority value to be higher than that of port1 (10)

Network > Static Routes

© Fortinet Inc. All Rights Reserved. 34

The port2 default route distance is higher than that of port1. For both default routes to be active, they must have
the same distance. Also, the port2 priority value is lower than that of port1. Increase the priority value of port2 to
be higher than that of port1 (for example 20).

Network Security Support Engineer 7.4 Study Guide 496


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 2: Traffic to 100.64.3.1 Is Dropped
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 100.64.1.254, port1, [10/0]
[10/0] via 100.64.2.254, port2, [20/0]
C 10.1.0.0/24 is directly connected, port3
S 10.1.4.0/24 [10/0] via 10.1.0.100, port3, [1/0]
S 10.1.10.0/24 [10/0] via 10.1.0.1, port3, [1/0]
S 10.1.10.1/32 [10/0] via 100.64.1.254, port1, [1/0]
C 100.64.1.0/24 is directly connected, port1
C 100.64.2.0/24 is directly connected, port2
C 172.16.100.0/24 is directly connected, port8

id=65308 trace_id=17 func=init_ip_session_common line=6073 msg="allocate a new session-


00000e32"
id=65308 trace_id=17 func=rpdb_srv_match_input line=1122 msg="Match policy routing id=1: to
100.64.3.1 via ifindex-4"
id=65308 trace_id=17 func=ip_route_input_slow line=1714 msg="reverse path check fail(by
strict-src-check),drop"
id=65308 trace_id=17 func=ip_session_handle_no_dst line=6159 msg="trace"
id=65308 trace_id=18 func=print_pkt_detail line=5888 msg="vd-root:0 received a
packet(proto=1, 10.1.10.1:6133->100.64.3.1:2048) tun_id=0.0.0.0 from port3. type=8, code=0,
id=6133, seq=594."

© Fortinet Inc. All Rights Reserved. 35

Why is traffic destined for 100.64.3.1 dropped? The debug flow shows the reason:

NGFW-1 # show system settings


config system settings
set strict-src-check enable
set sip-expectation enable
set h323-direct-model enable
set gui-dns-database enable
set gui-allow-unnamed-policy enable
end

Reverse path forwarding (RPF) is set to strict.

Network Security Support Engineer 7.4 Study Guide 497


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 2: Traffic to 100.64.3.1 Is Dropped (Contd)
• Solution:
• Change the RPF configuration from strict to feasible:
• config system settings
• set strict-src-check disable
• end

© Fortinet Inc. All Rights Reserved. 36

To change the behavior of RPF, set strict-src-check to disable.

Network Security Support Engineer 7.4 Study Guide 498


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 3: Traffic to 100.64.3.1 Is Using the Wrong Port
NGFW-1 # id=65308 trace_id=41 func=print_pkt_detail line=5888 msg="vd-root:0 received a
packet(proto=1, 10.1.10.1:6198->100.64.3.1:2048) tun_id=0.0.0.0 from port3. type=8, code=0,
id=6198, seq=1."
id=65308 trace_id=41 func=init_ip_session_common line=6073 msg="allocate a new session-
000015b3"
id=65308 trace_id=41 func=rpdb_srv_match_input line=1122 msg="Match policy routing id=1: to
100.64.3.1 via ifindex-4"
id=65308 trace_id=41 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000
gw-100.64.2.254 via port2"
id=65308 trace_id=41 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash,
slot=44, len=2"
id=65308 trace_id=41 func=get_new_addr line=1268 msg="find SNAT: IP-100.64.2.1(from IPPOOL),
port-6198"
id=65308 trace_id=41 func=fw_forward_handler line=995 msg="Allowed by Policy-2: SNAT"
id=65308 trace_id=41 func=ip_session_confirm_final line=3111 msg="npu_state=0x100, hook=4"
id=65308 trace_id=41 func=__ip_session_run_tuple line=3444 msg="SNAT 10.1.10.1-
>100.64.2.1:6198"
id=65308 trace_id=42 func=print_pkt_detail line=5888 msg="vd-root:0 received a
packet(proto=1, 100.64.3.1:6198->100.64.2.1:0) tun_id=0.0.0.0 from port2. type=0, code=0,
id=6198, seq=1."

© Fortinet Inc. All Rights Reserved. 37

Why is traffic destined for 100.64.3.1 being routed out of port2? The debug flow shows the reason. There is a
policy-based route that takes precedence over the static route configuration.

Network Security Support Engineer 7.4 Study Guide 499


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 3: Traffic to 100.64.3.1 Is Using the Wrong Port (Contd)
• Solution:
• Remove the policy-based route

Network > Policy Routes

© Fortinet Inc. All Rights Reserved. 38

Removing the policy-based route fixes the problem.

Network Security Support Engineer 7.4 Study Guide 500


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 4: Client-10 Is Unable to Route HTTP Traffic to NGFW-1
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 100.64.1.254, port1, [10/0]
[10/0] via 100.64.2.254, port2, [20/0]
C 10.1.0.0/24 is directly connected, port3
S 10.1.4.0/24 [10/0] via 10.1.0.100, port3, [1/0]
S 10.1.10.0/24 [10/0] via 10.1.0.1, port3, [1/0]
S 10.1.10.1/32 [10/0] via 100.64.1.254, port1, [1/0]
C 100.64.1.0/24 is directly connected, port1
C 100.64.2.0/24 is directly connected, port2
C 172.16.100.0/24 is directly connected, port8

© Fortinet Inc. All Rights Reserved. 39

Traffic from Client-10 enters NGFW-1 on port3. However, NGFW-1 sends traffic for Client-10 out of port1,
because it is the better route. This causes asymmetric traffic. Remove the static route that points to the Client-10
IP address through port1. Client-10 is located behind NGFW-1 port3.

Network Security Support Engineer 7.4 Study Guide 501


Solution Slides

DO NOT REPRINT
© FORTINET

Lab 12—BGP

© Fortinet Inc. All Rights Reserved. 40

Now, you will review the solutions for the troubleshooting exercise in the BGP lab.

Network Security Support Engineer 7.4 Study Guide 502


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 1: Wrong Remote AS
NGFW-1 # diagnose ip router bgp all enable
NGFW-1 # diagnose ip router bgp level info
NGFW-1 # diagnose debug enable

BGP: [RIB] Scanning BGP Network Routes...


BGP: [NETWORK] Accept Thread: Incoming conn from host 100.64.2.254 (FD=21)
BGP: 100.64.2.254-Outgoing [FSM] State: Active Event: 14
BGP: 100.64.2.254-Outgoing [FSM] InConnReq: Accepting...
BGP: 100.64.2.254-Outgoing [NETWORK] FD=21, Sock Status: 0-Success
BGP: 100.64.2.254-Outgoing [FSM] State: Active Event: 17
BGP: 100.64.2.254-Outgoing [ENCODE] Msg-Hdr: Type 1
BGP: 100.64.2.254-Outgoing [ENCODE] Open: Ver 4 MyAS 65100 Holdtime 180
BGP: 100.64.2.254-Outgoing [ENCODE] Open: Msg-Size 61
BGP: 100.64.2.254-Outgoing [DECODE] Msg-Hdr: type 1, length 45
BGP: 100.64.2.254-Outgoing [DECODE] Open: Bad Remote-AS (100), expected 200
BGP: 100.64.2.254-Outgoing [FSM] State: OpenSent Event: 22
BGP: 100.64.2.254-Outgoing [ENCODE] Msg-Hdr: Type 3
BGP: %BGP-3-NOTIFICATION: sending to 100.64.2.254 2/2 (OPEN Message Error/Bad Peer AS.) 4 data-bytes
[00 64 00 00]
BGP: [GRST] Timer Announce Defer: Check
...

© Fortinet Inc. All Rights Reserved. 41

The BGP neighbors do not come up because NGFW-1 is configured with remote autonomous system (AS) 200
but the internet service provider (ISP) AS is 100.

Network Security Support Engineer 7.4 Study Guide 503


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 1: Wrong Remote AS (Contd)
• Solution:
• Change the remote AS to 100

© Fortinet Inc. All Rights Reserved. 42

Changing the remote AS number from 200 to 100 fixes the problem.

Network Security Support Engineer 7.4 Study Guide 504


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 2: BGP Routing
NGFW-1 # get router info routing-table all

Routing table for VRF=0


Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

B* 0.0.0.0/0 [20/0] via 100.64.1.254, port1, 00:08:30


B 8.8.8.8/32 [20/0] via 100.64.2.254, port2, 00:08:28
C 10.1.0.0/24 is directly connected, port3
O 10.1.10.0/24 [110/2] via 10.1.0.1, port3, 00:51:34
C 100.64.1.0/24 is directly connected, port1
C 100.64.2.0/24 is directly connected, port2

© Fortinet Inc. All Rights Reserved. 43

The second problem is that NGFW-1 is receiving the prefix 8.8.8.8/32 through port2. This is causing all traffic
destined to 8.8.8.8 to be routed through port2 instead of port1.

Network Security Support Engineer 7.4 Study Guide 505


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 2: BGP Routing (Contd)
• Solution:
• Create a prefix list blocking 8.8.8.8/32
• Apply the prefix list to the prefixes coming from the neighbor 100.64.2.254

config router prefix-list config router bgp


edit "public" config neighbor
config rule edit "100.64.2.254"
edit 1 set prefix-list-in "public"
set prefix 0.0.0.0 0.0.0.0 set remote-as 100
next next
edit 2 end
set action deny
set prefix 8.8.8.8 255.255.255.255
next
end
next
end

© Fortinet Inc. All Rights Reserved. 44

Only the ISP administrator can fix this issue. However, while the ISP administrator fixes the problem, you can use
a prefix list to block the incoming advertisement to the subnet 8.8.8.8/32. You can also use a static route to to
configure 8.8.8.8/32 traffic to traverse port1.

Network Security Support Engineer 7.4 Study Guide 506


Solution Slides

DO NOT REPRINT
© FORTINET

Lab 13—OSPF

© Fortinet Inc. All Rights Reserved. 45

Now, you will review the solutions for the troubleshooting exercise in the OSPF lab.

Network Security Support Engineer 7.4 Study Guide 507


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 1: Duplicate Router ID
OSPF: RECV[Hello]: From 0.0.0.2 via port3:10.1.4.254 (10.1.4.10 -> 224.0.0.5)
OSPF: Header
OSPF: Version 2
OSPF: Type 1 (Hello)
OSPF: Packet Len 44
OSPF: Router ID 0.0.0.2
OSPF: Area ID 0.0.0.0
OSPF: Checksum 0xee91
OSPF: AuType 0
OSPF: Hello
OSPF: NetworkMask 255.255.255.0
OSPF: HelloInterval 10
OSPF: Options 0x2 (*|-|-|-|-|-|E|-)
OSPF: RtrPriority 1
OSPF: RtrDeadInterval 40
OSPF: DRouter 10.1.4.10
OSPF: BDRouter 0.0.0.0
OSPF: # Neighbors 0
OSPF: RECV[Hello]: duplicate router-id 0.0.0.2 detected on port3:10.1.4.254

© Fortinet Inc. All Rights Reserved. 46

The OSPF real-time debug shows the first problem. The Linux server uses router ID 0.0.0.2, which is also
used by DCFW.

Network Security Support Engineer 7.4 Study Guide 508


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 1: Duplicate Router ID (Contd)
• Solution:
• Change the DCFW router ID to 0.0.0.4

© Fortinet Inc. All Rights Reserved. 47

To solve this problem on the DCFW side, change the DCFW router ID from 0.0.0.2 to any other available ID.

Network Security Support Engineer 7.4 Study Guide 509


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 2: Authentication Type Mismatch
OSPF: -----------------------------------------------------
OSPF: RECV[Hello]: From 0.0.0.2 via port3:10.1.4.254: Authentication type
mismatch
OSPF: ospf_ipc_server_accept:1200:5c create ipc_handler=0x7f0c45011100 for
sock=21
OSPF: ospf_ih_on_read:1070:5d request type=18 len=24 vfid=0 start=0 count=8000
flags=0x1
OSPF: ospf_ih_on_read:1166:5e response type=18 len=104 vfid=0 start=0 count=2
flags=0x1 total=2 ret=112
OSPF: ospf_ih_on_close:1180:5f delete ipc_handler=0x7f0c45011100 for sock=21
OSPF: RECV[Hello]: From 0.0.0.1 via port1:10.1.0.100 (10.1.0.254 -> 224.0.0.5)
OSPF: -----------------------------------------------------

© Fortinet Inc. All Rights Reserved. 48

The real-time OSPF debug shows the second problem, which is an authentication type mismatch.

Network Security Support Engineer 7.4 Study Guide 510


Solution Slides

DO NOT REPRINT
© FORTINET
Problem 2: Authentication Type Mismatch (Contd)
• Solution:
• Delete the OSPF interface configuration or modify it to not require authentication

© Fortinet Inc. All Rights Reserved. 49

To solve this problem on the DCFW side, delete the interface configuration or modify the interface configuration
so that it does not require any authentication.

Network Security Support Engineer 7.4 Study Guide 511


Solution Slides

DO NOT REPRINT
© FORTINET
Solution
DCFW # get router info ospf neighbor

OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
0.0.0.3 1 Full/Backup 00:00:32 10.1.0.1 port1
0.0.0.1 1 Full/DR 00:00:34 10.1.0.254 port1
0.0.0.2 1 Full/DR 00:00:31 10.1.4.10 port3

© Fortinet Inc. All Rights Reserved. 50

After you apply the two fixes on DCFW, you should see the Linux-Router (0.0.0.0.2) adjacency form.

Network Security Support Engineer 7.4 Study Guide 512


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET

Network Security Support Engineer


Dynamic Routing Supplement

FortiOS 7.4
Last Modified: 29 April 2024

In this lesson, you will review Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP) concepts.

Network Security Support Engineer 7.4 Study Guide 513


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET

OSPF Review

© Fortinet Inc. All Rights Reserved. 2

In this section, you will review OSPF concepts.

Network Security Support Engineer 7.4 Study Guide 514


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
OSPF Overview
• Link state protocol
• Advantages:
• Scalable to large networks
• Faster convergence than distance-vector routing protocols
• Relatively quiet during steady-state conditions
• Periodic refresh every 30 minutes
• Otherwise, updates sent only when there are changes

• Disadvantages:
• May require planning and tuning to optimize performance
• May be difficult to troubleshoot in large networks

© Fortinet Inc. All Rights Reserved. 3

With a link state protocol like OSPF, every router has a complete view of the network topology. Advantages of
OSPF include scalability and fast convergence. Every 30 minutes, routers advertise their OSPF information.
Between these 30-minute intervals, routers send updates only if they detect topology changes. So, it is a
relatively quiet protocol, as long as the network topology is stable. In large networks, using OSPF requires good
planning and it can be difficult to troubleshoot.

Network Security Support Engineer 7.4 Study Guide 515


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
OSPF Components
• Link state database (LSDB): Each router maintains identical databases describing the
network topology
• From the LSDB, and using Dijkstra’s algorithm, each router builds a tree with the
shortest paths
• The tree gives an OSPF route to each destination
• OSPF can inject routes into the IP routing table

Link state Shortest path


IP routing
database Dijkstra’s algorithm first (SPF) OSPF routes
table
(LSDB) tree

© Fortinet Inc. All Rights Reserved. 4

Each router in the same area has identical and synchronized databases. You will learn about OSPF areas later in
this lesson. An OSPF router uses the information in the LSDB and Dijkstra's algorithm to generate an OSPF tree,
which contains the shortest path from the local router to each other router and network. This tree gives the best
route to each destination, which is the information that OSPF can inject into the device routing table.

Network Security Support Engineer 7.4 Study Guide 516


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
Link State Advertisement
• Routers exchange link state advertisements (LSAs) to maintain consistent databases
• Network changes generate LSAs
• The LSDBs are composed of all received LSAs
• A link state update consists of an OSPF header and a string of LSAs
• Each LSA has its own header
• Routers acknowledge the receipt of LSAs

OSPF Number of
IP header LSA 1 LSA 2 … LSA n
header LSAs

© Fortinet Inc. All Rights Reserved. 5

LSAs contain the topology information that OSPF peers exchange. The LSDB of a router is populated with
information from the local LSAs and all the LSAs received from other routers.

Network Security Support Engineer 7.4 Study Guide 517


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
OSPF Cost
• Metric in OSPF is cost:
• 16-bit positive number (1 to 65,535)
• Routes with lowest cost are most preferred
• Routing decisions made on total cost of a path to the final destination

© Fortinet Inc. All Rights Reserved. 6

If there are multiple OSPF routes to the same destination subnet, OSPF selects the route with the lowest cost.
Each router interface is associated with an interface cost, which is usually related to how fast or preferable that
interface is. An OSPF route cost is the sum of the costs of all interfaces to the final destination.

Network Security Support Engineer 7.4 Study Guide 518


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
LSDB
• Each router advertises its locally connected
subnets R1 R2
2 Net 1 2
• LSDBs in all routers contain information about the 1
network topology 3
Net 3
Link State Database (network/cost) R3
1
R2 Net 1/2, Net 2/3, Net 3/1 1 Net 2
2
R1 Net 1/2
R3 Net 3/1, Net 4/1, Net 5/2 Net 4
Net 5
R4 Net 2/3, Net 4/1
2 1 3 R4
R5 Net 5/2 R5

© Fortinet Inc. All Rights Reserved. 7

This slide and the next slide explain how an OSPF router builds its OSPF tree. The initial information for each
router is the locally connected networks, together with the OSPF cost for each interface. In the example shown on
this slide, the router R2 has three locally connected subnets: subnet Net 1 with a cost of 2, subnet Net 2
with a cost of 3, and subnet Net 3 with a cost of 1. Router R1 has only one subnet connected: Net 1 with a
cost of 2, and so on.

Each router starts advertising its locally connected subnets by sending LSAs.

Network Security Support Engineer 7.4 Study Guide 519


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
OSPF Tree
• Routers use Dijkstra's algorithm to determine R1 R2
2 Net 1
the best path to each destination 2
• The best path has the lowest overall cost 1
R3 3
• The destination is either a network or a router 1 Net 3
• Routers build an OSPF tree 1
• During each iteration, the router maps all known 2 Net 2
Net 4
paths to a destination and chooses the lowest path Net 5
• The router repeats the process until it discovers the 2
best path to each destination R5 1 3 R4

R2
Net 2
Net 1 R3 Net 3

Net 5 Net 4

© Fortinet Inc. All Rights Reserved. 8

OSPF routers use Dijkstra’s algorithm to determine the best route to each destination. The best routes can be
represented as a tree with the local router at the root. Dijkstra’s algorithm is a recursive process that the router
repeats multiple times until it finds the best routes. For example, this slide shows the OSPF tree for router R2. It
indicates that the best route to Net 5 and Net 4 is through R3, and that Net 1, Net 2, and Net 3 are locally
connected.

Network Security Support Engineer 7.4 Study Guide 520


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
OSPF Areas
• A logical collection of OSPF networks and routers
• Defined with a 32-bit number
• IP address format
0.0.0.10
• Single decimal format
10

© Fortinet Inc. All Rights Reserved. 9

You can segment an OSPF network into areas. Each area is identified by a unique number, which you can define
in decimal or IP address formats.

Network Security Support Engineer 7.4 Study Guide 521


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
OSPF Areas (Contd)
• When a network is broken up into areas, routers maintain separate LSDBs for each area
• Advantages:
• Smaller LSDB tables
• Impact of a topology change is minimized outside the area
• You can summarize routes on the area borders
• Disadvantages:
• More complex to troubleshoot
• Network design considerations

© Fortinet Inc. All Rights Reserved. 10

Each area has its own separate LSDB. All routers in the same area maintain an identical copy of the LSDB of an
area. As you will learn in this lesson, a router can belong to more than one area. In those cases, the router
maintains multiple LSDBs—one LSDB for each area connected to it.

Segmenting big OSPF networks into areas reduces the sizes of the LSDB tables. Additionally, a topology change
does not impact the whole network, but only the area where the change happens.

Using OSPF areas requires good planning and may complicate the troubleshooting process.

Network Security Support Engineer 7.4 Study Guide 522


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
Types of Areas
• Backbone area
• Must have the area ID 0.0.0.0
• All other areas must connect to the backbone area by physical or virtual links
• Distributes information between areas
• Normal area
• Similar to a backbone area in behavior
• Can be any area ID other than 0.0.0.0 Area
0.0.0.2

Area
0.0.0.0
Area
0.0.0.3
Area
0.0.0.1

© Fortinet Inc. All Rights Reserved. 11

All OSPF networks must have at least one area—the backbone area. The backbone area is the core of the
network, and all the other areas connect to it in a hub-and-spoke topology.

Network Security Support Engineer 7.4 Study Guide 523


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
OSPF Router Types
• Internal router
• All connected interfaces belong to the same area
• Maintains one LSDB and one OSPF tree
• Area border router (ABR)
• A router with interfaces in multiple areas
• One LSDB and one OSPF tree for each connected area
• Always connected to the backbone
• Backbone router
• Has at least one interface in the backbone area
• Autonomous system boundary router (ASBR)
• Imports external (non-OSPF) routes into OSPF
• Has at least one source of routing information that is not of OSPF origin

© Fortinet Inc. All Rights Reserved. 12

An internal OSPF router has all its interfaces connected to the same area. So, it maintains only one LSDB.

On the other hand, an ABR is connected to multiple areas, so it keeps multiple LSDBs.

A backbone router has at least one interface connected to the backbone area.

An ASBR redistributes non-OSPF routes into the OSPF network.

Network Security Support Engineer 7.4 Study Guide 524


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
OSPF Router Types─Example

RIP
ASBR and
backbone ABR and
backbone

ABR and Area


backbone 0.0.0.2

Area
0.0.0.0
Area
0.0.0.3
Area
0.0.0.1

Internal and
backbone

© Fortinet Inc. All Rights Reserved. 13

This slide shows an example of each router type.

Network Security Support Engineer 7.4 Study Guide 525


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
Network Types
• Point-to-point
• A pair of routers connected through a point-to-point link
• Broadcast (multi-access)
• Supports more than two attached routers
• Supports the sending of a single message to all routers (multicast)
• Example: Ethernet networks
• Point-to-multipoint
• Supports more than two attached routers
• Does not support multicast

© Fortinet Inc. All Rights Reserved. 14

There are three types of OSPF networks:

• Point-to-point networks contain only two peers, one at each end of a point-to-point link.
• Broadcast networks support more than two attached routers. They also support sending messages to
multiple recipients (broadcasting).
• Point-to-multipoint networks support more than two attached routers. However, they do not support
broadcasting.

Network Security Support Engineer 7.4 Study Guide 526


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
Forming an Adjacency
• Down: Initial state
• Init: A hello packet is seen by a Down
nonadjacent neighbor Hello Down
Init Hello Init
• 2-way: Communication is bidirectional
between the two routers 2-way DB description 2-way
ExStart
• ExStart: The routers negotiate a primary DB description
Exchange
and secondary relationship Link state request
Loading
• Exchange: The routers exchange Link state update
database description packets Link state ack
• Loading: The routers exchange LSA Link state request
information Link state update
• Full: LSDBs are identical Link state ack
Full Hello Full
Hello

© Fortinet Inc. All Rights Reserved. 15

A session between two OSPF peers is called an adjacency. This slide shows the initial interchange between two
peers that are forming an adjacency. Any new adjacency goes through different states: Init, 2-way, ExStart,
Exchange, Loading, and Full. The Full state indicates that the adjacency has successfully formed, and that both
routers have identical copies of the LSDB.

Network Security Support Engineer 7.4 Study Guide 527


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
Adjacency Requirements
• Primary IP addresses of peers are in the same subnet with the same mask
• Interfaces of peers are the same type and in the same OSPF area
• Hello and dead intervals of peers must match
• Each peer has a unique router ID
• OSPF IP maximum transmission units (MTUs) match
• OSPF authentication, if enabled, is successful

© Fortinet Inc. All Rights Reserved. 16

This slide lists the requirements for two peers to form an OSPF adjacency. If any of the requirements are not met,
the adjacency fails and will not reach the Full state.

Network Security Support Engineer 7.4 Study Guide 528


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
Designated Router
• In multi-access networks, one designated router (DR) and one backup DR (BDR) are
elected
• Router priority: highest priority wins, 0 = never become a DR
• Router ID: highest ID wins
• If the DR fails, the BDR takes the DR role
• Full adjacencies are only formed to the DR and BDR to reduce resource utilization

DR BDR

© Fortinet Inc. All Rights Reserved. 17

In any multi-access network there is one DR and one BDR. The OSPF network elects the router with the highest
priority as the DR. If two or more routers are tied with the highest priority, the network elects the router with the
highest OSPF ID.

The BDR monitors the DR status. If the DR fails, the BDR takes the DR role.

Other routers form adjacencies only with the DR and BDR. The DR forwards the link state information from one
router to another. This simplifies the number of adjacencies required in multi-access networks.

Network Security Support Engineer 7.4 Study Guide 529


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
OSPF Destination Addresses
• On broadcast networks, OSPF uses two multicast destination addresses
• 224.0.0.5 AllSPFRouters
• Hello packets
• Either the DR or BDR sends LSA updates and acknowledgements
• 224.0.0.6 AllDRouters
• All other routers send LSA updates and acknowledgements

• On point-to-point networks
• 224.0.0.5 AllSPFRouters
• Routers send all packets to this address

• Some OSPF packets may be unicast


• Database description (DD) packets exchanged
• LSA retransmissions

© Fortinet Inc. All Rights Reserved. 18

This slide shows the multicast addresses that OSPF uses in broadcast multi-access, and point-to-point networks.
Keep in mind that OSPF also uses unicast addresses for LSA retransmissions and database description packets.

Network Security Support Engineer 7.4 Study Guide 530


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
LSA Types
• There are 11 LSA types. These are the five most common types:
• Type 1: Router link advertisement
• Describes the links of a router. Confined within an area.
• Type 2: Network link advertisement
• Describes all the routers (if more than one) in a multi-access network. Confined within an area.
• Type 3: Summary link advertisement
• Describes summarized networks within an area. Generated by an ABR.
• Type 4: AS summary link advertisement
• Describes the path to an ASBR router
• Type 5: AS external link advertisement
• Describes external destinations originated on an ASBR. Generated by the ASBR.

© Fortinet Inc. All Rights Reserved. 19

There are 11 LSA types. This lesson covers the following five most commonly used types:
• Type 1 describes all the links connected to a router.
• Type 2 describes all the routers (if more than one) in a multi-access network.
• Type 3 describes the networks within an area (only generated by an ABR).
• Type 4 describes the path to reach an ASBR.
• Type 5 describes the external destinations originated by an ASBR.

You will see examples of each of these five types in the next slides.

Network Security Support Engineer 7.4 Study Guide 531


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
Router Link Advertisements (Type 1)
• Advertised by every OSPF router in an area
• Describe router network connections within that area

Area
0.0.0.0

© Fortinet Inc. All Rights Reserved. 20

Type 1 describes the networks connected to a router. They are advertised by all the routers in an area. Type 1
LSAs are not advertised outside the area where they originate.

Network Security Support Engineer 7.4 Study Guide 532


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
Network Link Advertisements (Type 2)
• Advertised by every DR
• Contains the list of routers connected to a multi-access network

Area
0.0.0.0
DR

DR

© Fortinet Inc. All Rights Reserved. 21

Only DRs advertise Type 2 LSAs. In the example shown on this slide, the area has two multi-access networks,
each of them with one DR. The two DRs advertise type 2 LSAs, which contain information about the other routers
connected to their multi-access networks.

Network Security Support Engineer 7.4 Study Guide 533


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
Summary Link Advertisements (Type 3)
• Generated only by ABRs
• Can be used to summarize networks
• One LSA can represent a range of networks

Summarized
Summarized Summarized Summarized
area 0 and 2
area 1 area 2 area 0 and 1

ABR ABR

Area Area
0.0.0.1 Area 0.0.0.2
0.0.0.0

© Fortinet Inc. All Rights Reserved. 22

Type 3 LSAs contain summarized link state information. They are advertised only by ABRs. In the example
shown on this slide, the ABR on the left sends type 3 LSAs to area 1. They contain link state information for the
summarized subnets in areas 0 and 2. This same ABR also sends type 3 LSAs to the backbone area, with a
summary of the subnets in area 1.

Something similar happens with the ABR shown on the right side of the diagram. It sends type 3 LSAs to area 2.
They contain link state information for the summarized subnets in areas 0 and 1. This same ABR also sends type
3 LSAs to the backbone area, with a summary of the subnets in area 2.

Network Security Support Engineer 7.4 Study Guide 534


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
AS Summary Link Advertisements (Type 4)
• An ASBR announces itself by setting the E-bit in its router link advertisements
• The ABRs in the same area generate a type 4 advertisement to the other areas

Type 1 with
Type 4 E-bit

ABR ASBR
RIP
Area
0.0.0.1 Area
0.0.0.0

© Fortinet Inc. All Rights Reserved. 23

An ASBR advertises itself by sending type 1 LSAs. These LSAs have the E-bit on in the OSPF header. Like any
other type 1, the LSAs with the E-bit are confined to the area where they originate. However, ABRs in the same
area send a type 4 LSA to the other areas with information about how to reach the ASBR. In the example shown
on this slide, an ASBR that is redistributing RIP routes into OSPF announces itself by sending type 1 LSAs to the
backbone area. The ABR receives that LSA and sends a type 4 LSA to area 1.

Network Security Support Engineer 7.4 Study Guide 535


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
AS External Link Advertisements (Type 5)
• OSPF views non-OSPF networks as external
• OSPF considers the following to be external:
• A directly connected interface not running OSPF
• A static route
• A route derived from a different routing protocol

Type 5 Type 5

ABR ASBR
RIP
Area
0.0.0.1 Area
0.0.0.0

© Fortinet Inc. All Rights Reserved. 24

The last type of LSA covered in this lesson is type 5. Type 5 LSAs are sent only by the ASBRs and are not
confined to one area. They reach all the standard areas. They contain link state information for routes
redistributed to OSPF (also called external routes).

Note that all the area examples in this lesson are standard areas. There are also stub and not-so-stubby areas
(NSSA), which are not covered in this lesson. Type 5 LSAs are not advertised to stub or NSSAs.

Network Security Support Engineer 7.4 Study Guide 536


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
External Route Metrics Types
• Type 1
• Considered close to the AS
• Metric is based on the sum of the internal and external costs
• Type 2
• Considered far away from the AS
• Metric is based on the external cost only
• OSPF router prefers a type 1 external router over a type 2

© Fortinet Inc. All Rights Reserved. 25

Each external route is assigned a metric. There are two types of external-route metrics. A type 1 metric is the
sum of the external cost plus the internal cost to reach the ASBR. A type 2 metric is only the external cost (the
internal cost is not considered). If there are two external routes to the same destination, one type 1 and one type
2, an OSPF router selects the type 1 route over the type 2 route.

Network Security Support Engineer 7.4 Study Guide 537


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET

BGP Review

© Fortinet Inc. All Rights Reserved. 26

In this section, you will review BGP concepts and how to configure BGP on FortiGate.

Network Security Support Engineer 7.4 Study Guide 538


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
Autonomous System
• Set of routers and networks under the same, consistent administration
• An AS administrator is free to choose any internal routing architecture
• OSPF, RIP, and so on
• Each AS is identified by a unique number

© Fortinet Inc. All Rights Reserved. 27

An autonomous system (AS) is a set of routers and networks under the same administration. Each AS is
identified by a unique number, and usually runs an Interior Gateway Protocol (IGP), such as OSPF or RIP.

Network Security Support Engineer 7.4 Study Guide 539


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
BGP
• You can configure BGP to operate as EBGP or IBGP:
• EBGP advertises routing updates across multiple ASs
• IBGP advertises routing updates within the same AS
• BGP is typically used when the network requires:
• Large numbers of routes
• Strict control over which routes are announced or accepted
• BGP4 is the dominant EGP today
• Example: the internet

© Fortinet Inc. All Rights Reserved. 28

BGP can serve one of two purposes: external BGP (EBGP) or internal BGP (IBGP).

An exterior gateway protocol (EGP) exchanges routing information between ASs. BGP4, which runs in the
internet, is the dominant EGP protocol today. EBGP is typically used when strict control is required over a large
number of routes.

Two EBGP routers exchange AS path information for destination prefixes or subnets. When two routers start an
EBGP communication, the whole BGP routing table is exchanged. After that, the router send only network
updates.

Network Security Support Engineer 7.4 Study Guide 540


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
BGP Components
• Speaker or peer
• Router that transmits and receives BGP messages, and acts on those messages
• Session
• Connectivity between two peers

© Fortinet Inc. All Rights Reserved. 29

A BGP speaker or peer is a router that sends and receives BGP routing information. The connection between two
BGP peers is called a BGP session.

Network Security Support Engineer 7.4 Study Guide 541


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
AS Types
• Stub AS BGP is used to
communicate
• Single exit point routing updates
• Local traffic between AS
• Multihomed AS
• Multiple exit points
Provider B
• Local traffic AS 60
• Transit AS
Provider A
• Local and transit traffic AS 50

Inside the AS, you


can choose to use
any IGP such as Customer 1
OSPF, RIP, and so AS 100
on Customer 2
AS 110
Customer 3
AS 120

© Fortinet Inc. All Rights Reserved. 30

There are three types of ASs:


• A stub AS handles and routes local traffic only and has only one connection to another AS. One example is a
company that is running BGP, and has its own AS number and one ISP connection.
• Multihomed AS also handles and routes local traffic only, but it has multiple connections to different ASs. One
example is a company that is running BGP, and has its own AS number and multiple ISP connections.
• Transit AS handles and routes local traffic as well as traffic that originates and terminates in different ASs
(transit traffic). An ISP is an example of a transit AS.

Network Security Support Engineer 7.4 Study Guide 542


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
Route Reflectors
• Running IBGP usually requires full mesh peering
• Route reflectors (RRs) simplify the network and the configuration by:
• Reducing the number of IBGP peers
• Forwarding the routes learned from one peer to the other peers

After configuring two RRs

RR 1 RR 2

With RRs, the peering


requirements are
AS 6500 reduced AS 6500

© Fortinet Inc. All Rights Reserved. 31

When running IBGP, you usually need to configure full mesh peering between all the routers. In large networks,
full mesh peering between routers can be difficult to administer and is not scalable.

RRs help to reduce the number of IBGP sessions inside an AS. An RR forwards the routes learned from one peer
to the other peers. If you configure RRs, you don’t need to create a full mesh IBGP network. RRs pass the routing
updates to other RRs and border routers within the AS.

Network Security Support Engineer 7.4 Study Guide 543


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
Route Reflectors (Contd)
• An RR and its clients form a cluster
• All clients in a cluster communicate with the RR only for routing updates
• The RR communicates all routing updates to peers external to the cluster

RR

Cluster 1 Cluster 2

AS 6500
Client router

© Fortinet Inc. All Rights Reserved. 32

In a BGP RR configuration, the AS is divided into different clusters that each include an RR and clients. The client
routers communicate route updates only to the RR in the cluster. The RR communicates with other RRs and
border routers. FortiGate can be configured as either an RR or a client.

Network Security Support Engineer 7.4 Study Guide 544


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
RIBs
• Routes are stored in routing information bases (RIBs)
• RIB-in
• Routing information learned from inbound update messages
• Contains unprocessed routing information advertised to the local BGP speaker by its peers
• Local RIB
• Routing information that the BGP speaker selects after applying its local policies to the RIB-in
• RIB-out
• Routing information that the local BGP speaker selects to advertise to its peers

© Fortinet Inc. All Rights Reserved. 33

A BGP router stores routing information in three logical tables:


• The RIB-in table contains all routing information received from other BGP routers before any filtering.
• The local RIB table contains that same information after filtering.
• The RIB-out table contains the BGP routing information selected to advertise to other BGP routers.

Network Security Support Engineer 7.4 Study Guide 545


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
RIBs (Contd)

BGP Local RIB


BGP Out
RIB-out
BGP
RIB-in In filter
RX info filter TX

Redistribute

Connected and static


Routing table IS-IS
routes

RIP OSPF

© Fortinet Inc. All Rights Reserved. 34

This slide shows a flowchart that summarizes the BGP process. The BGP router stores the BGP routes it
receives from other routers in the RIB-in table. The BGP router applies a filter, and the resulting routes are stored
in the local RIB table. Then, the BGP router adds routes that were redistributed from the routing table and applies
another filter (outbound). The BGP router advertises the resulting routes.

Network Security Support Engineer 7.4 Study Guide 546


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
BGP Attributes
• BGP processes routes based on path information
• A path is a route to a destination
• Paths are described by a set of attributes, including an AS list
• The attributes help routers select the route to each destination

© Fortinet Inc. All Rights Reserved. 35

BGP routes traffic based on AS paths. Each AS path includes attributes, which BGP uses to select the best route
to each destination. One of the attributes is the AS_Path, which contains the ASs through which the traffic must
pass to reach the destination.

Network Security Support Engineer 7.4 Study Guide 547


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
BGP Attributes (Contd)
• BGP path attribute categories
• Well-known mandatory
Supported attributes
• Attributes are mandatory
• Well-known discretionary ORIGIN Well-known mandatory
• Attributes may or may not be included AS_PATH Well-known mandatory
• Optional transitive NEXT_HOP Well-known mandatory
• Attributes may or may not be accepted and
can be passed outside of the local MULTI_EXIT_DISC Optional non-transitive
autonomous system LOCAL_PREF Well-known discretionary
• Optional non-transitive
ATOMIC_AGGREGATE Well-known discretionary
• Attributes may or may not be accepted and
can’t be passed outside of the local AGGREGATOR Optional transitive
autonomous system
COMMUNITY Optional transitive

© Fortinet Inc. All Rights Reserved. 36

There are four types of BGP attributes:


• Well-known mandatory
• Well-known discretionary
• Optional transitive, which can be passed from one AS to another
• Optional non-transitive, which can’t be passed from one AS to another

This slide shows a list of the BGP attributes and attribute types that FortiGate supports.

Network Security Support Engineer 7.4 Study Guide 548


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
Route Selection Tie Breakers
1. Highest weight
2. Highest local preference
3. Route originated by the local router (next hop = 0.0.0.0)
4. Shortest AS path
5. Lowest origin type
6. Lowest multi-exit discriminator (MED)
7. Prefer external paths (EBGP) over internal paths (IBGP)
8. Path through closest IGP neighbor
9. Oldest route for EGBP paths
10.Lowest neighbor BGP router ID
11.Lowest neighbor IP address

© Fortinet Inc. All Rights Reserved. 37

FortiGate uses some of the BGP attributes during the routing selection process. If all the attributes for multiple
routes to the same destination match, and if ECMP is enabled, FortiGate shares the traffic among up to 10 BGP
routes. If you don’t enable ECMP, FortiGate uses the route that goes to the router with the lowest BGP router ID.

Network Security Support Engineer 7.4 Study Guide 549


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
BGP States
• Idle: Initial state Idle
• Connect: Waiting for a successful three-way start
TCP connection connect retry timeout
error
• Active: Unable to establish the TCP session Connect
TCP failure
TCP
• OpenSent: Waiting for an OPEN message Active established
from the peer
error
OpenSent
• OpenConfirm: Waiting for the keepalive TCP established
receive
message from the peer open reply
• Established: Peers have successfully error
OpenConfirm
exchanged OPEN and keepalive messages
receive
keepalive

error
Established

© Fortinet Inc. All Rights Reserved. 38

This slide shows a flow chart of the BGP neighbor states and how they change:
• Idle: Initial state
• Connect: Waiting for a successful three-way TCP connection
• Active: Unable to establish the TCP session
• OpenSent: Waiting for an OPEN message from the peer
• OpenConfirm: Waiting for the keepalive message from the peer
• Established: Peers have successfully exchanged OPEN and keepalive messages

Network Security Support Engineer 7.4 Study Guide 550


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
FortiGate BGP Implementation
• Scaling capabilities
• No hard limits, system memory is the limitation
• Number of neighbors, routes, and policies have an impact on the scaling capabilities
• By default, BGP doesn’t originate any prefix
• Redistribution or policies are required
• By default, all routes received are accepted

© Fortinet Inc. All Rights Reserved. 39

There are three important things to consider when you implement BGP on FortiGate.

First, there are no hardcoded limits. Limitations on the number of neighbors, routes, and policies depend
exclusively on the available system memory.

Second, by default, FortiGate doesn’t originate any prefix. You must enable redistribution, or manually indicate
the prefixes that FortiGate originates.

Third, by default, FortiGate accepts all the prefixes it receives. Optionally, you can filter out or modify some
prefixes.

Network Security Support Engineer 7.4 Study Guide 551


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
Protocol Redistribution
• A non-BGP route can be redistributed into BGP
• Optional route maps can filter out the redistribution of specific routes
# config router bgp
config redistribute "static"
set status enable
end
end

© Fortinet Inc. All Rights Reserved. 40

By default, FortiGate BGP doesn’t advertise prefixes. You can use the redistribution command to configure
FortiGate to advertise prefixes. You can redistribute connected and static routes, and routes learned from other
routing protocols, into BGP. Optionally, you can add route maps to filter the prefixes or modify some of their BGP
attributes.

Network Security Support Engineer 7.4 Study Guide 552


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
Network Command
• An alternative to redistribution of protocols into BGP:
# config router bgp
config network
edit <id>
set prefix <prefix>
...
• By default, the prefix is advertised only when it matches the destination subnet of an
active route in the routing table
• To always advertise the prefix (regardless of the active routes):
# config router bgp
set network-import-check disable
end

© Fortinet Inc. All Rights Reserved. 41

You can also use the network command to configure FortiGate BGP to advertise prefixes. However, an exact
match of the prefix in the network command must be active in the routing table. If the routing table doesn’t
contain an active route with a destination subnet that matches the prefix, FortiGate doesn’t advertise the prefix.
You can change this behavior by disabling the network-import-check setting. After you disable the setting,
FortiGate advertises all prefixes in the BGP network table, regardless of the active routes present in the routing
table.

Network Security Support Engineer 7.4 Study Guide 553


Dynamic Routing Supplement

DO NOT REPRINT
© FORTINET
Prefix Lists
• Prefix lists can be used to filter out the subnets being advertised to and being received
from each neighbor
config router prefix-list
edit filter-subnets config router bgp
config rule config neighbor
edit 1 edit 10.3.1.254
set prefix 10.1.0.0/16 set prefix-list-in filter-subnets
set action deny next
next end
edit 2 end
set prefix 10.0.0.0/8
set action permit
next
end By default, traffic not
end matching the prefix list
end is denied

© Fortinet Inc. All Rights Reserved. 42

By default, the subnets under the config network command, and the subnets redistributed from other routing
protocols, are advertised to all the neighbors.

With a prefix list, you can be more selective about which prefixes to advertise to each neighbor. Additionally,
prefix lists allow you to select which prefixes you want to use from each neighbor. This example shows a prefix
list that allows the prefix 10.0.0.0/8, but blocks the prefix 10.1.0.0/16. By default, all traffic that does not
match a prefix list is denied. The prefix list is applied in the incoming direction from the neighbor 10.3.1.254.
The local FortiGate applies this filter for all prefix advertisements coming from 10.3.1.254.

When applying a prefix list, all the prefixes that don’t match an entry in the list are denied by default.

Network Security Support Engineer 7.4 Study Guide 554


DO NOT REPRINT
© FORTINET

No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

You might also like