(FCSS NW) - Network Security Support Engineer FortiOS 7.4 - Study Guide
(FCSS NW) - Network Security Support Engineer FortiOS 7.4 - Study Guide
© FORTINET
https://training.fortinet.com
https://docs.fortinet.com
https://kb.fortinet.com
https://fusecommunity.fortinet.com/home
Fortinet Forums
https://forum.fortinet.com
https://support.fortinet.com
FortiGuard Labs
https://www.fortiguard.com
https://www.fortinet.com/nse-training
https://home.pearsonvue.com/fortinet
https://helpdesk.training.fortinet.com/support/home
4/29/2024
DO NOT REPRINT
© FORTINET
TABLE OF CONTENTS
01 Troubleshooting Concepts 4
02 System Resources 33
03 Sessions, Traffic Flow, and Networking 78
04 Security Fabric 119
05 Firewall Authentication 147
06 FSSO 188
07 Security Profiles 225
08 High Availability 278
09 IPSec 308
10 IPsec―IKEv2 336
11 Routing 358
12 BGP 392
13 OSPF 427
Solution Slides 463
Dynamic Routing Supplement 513
Troubleshooting Concepts
DO NOT REPRINT
© FORTINET
FortiGate 7.4
Last Modified: 25 April 2024
In this lesson, you will learn about troubleshooting concepts related to FortiGate.
DO NOT REPRINT
© FORTINET
Objectives
• Describe network troubleshooting concepts and approaches
• Set up a baseline before anything happens
• Learn the diagnostic steps that you should perform when a problem occurs
• Use GUI and CLI monitoring tools
• Use logs to monitor activity and status
• Use CLI commands to monitor and assess FortiGate health
• Use real-time CLI debug commands
• Use application layer test commands
• Use the CLI GREP command
After completing this lesson, you should be able to achieve the objectives shown on this slide.
DO NOT REPRINT
© FORTINET
Before a Failure Happens
• Establish a baseline
• If you establish normal operation parameters for your system before a problem occurs, it will help
reduce the complexity of the issue when you start troubleshooting.
Normal
• Define normal operation
• CPU usage
• Memory usage
• Traffic levels
• Know your network
• How the traffic flows
• Which protocols and TCP/UDP ports are being used
• What normal traffic patterns and distribution looks like
Traffic spikes
Good administrators know their network. This network knowledge includes an understanding of the normal
behavior related to traffic volume, network applications, traffic flows, and CPU and memory utilization. So,
when a problem occurs, administrators can identify where the abnormal behavior is happening. Having this
knowledge expedites the troubleshooting process and helps the administrator to isolate the cause of the
problem.
FortiGate devices operate at all layers of the OSI model. For this reason, troubleshooting problems can be
complex. If you establish what normal operating parameters are or establish a baseline for your system before
a problem occurs, it will help reduce the complexity of the issue when you are troubleshooting.
DO NOT REPRINT
© FORTINET
Monitor the Network
• CPU, memory, inbound and outbound traffic on ports, and so on
• All show traffic trends and indicate any changes in traffic behavior
• Common tools for monitoring:
• SNMP FortiGate
• Logging
• FortiAnalyzer
You can use many different tools to gather statistics and information while the network is operating normally:
SNMP, logging, and the monitors located on the FortiGate GUI.
DO NOT REPRINT
© FORTINET
Keep Your Network Documentation Up-to-Date
• Define normal operation
• Logical and physical connections (network diagram)
• Firmware and OS versions
• IP addresses
• Configuration backups
• Document network changes
• How were the changes tested? Was there a procedure to follow?
• Take note of starting and ending time of activities during a maintenance window
• Track access details
• Document who has access to devices, such as administrator privileges
• Define your teams so you know who is from network security, operations, the database team and
understand their responsibilities
• Take note of your emergency contact list (time is always a factor)
It is also a good idea to keep you network documentation up-to-date. Network diagrams should include
physical connections, interface names, and subnets. Good network documentation also includes change
control records to track details relating to changes in the network, such as who made the change, when the
change was made, and what the change was.
DO NOT REPRINT
© FORTINET
When Failure Happens―Troubleshooting Mantras
• What changed?
• Change control
• Notifications of changes
• Networking and routing
• What do you know?
• Check logs and baselines to determine when the network was last operational, and so on
• Prework pays off (SNMP, statistics, trends, and so on)
• Define the problem and isolate it
• Focus on the main problem and work each problem separately
• Keep breaking down segments and test each segment separately
If a problem occurs, the first step is to define it precisely. For example, if the problem is defined as “web
filtering is not working”, the scope is too imprecise. There are too many potential causes, and troubleshooting
could take a long time. So, you must ask questions to gather and understand the details of the problem. Is the
problem happening with one website? Are all users experiencing the problem? Is it happening randomly? Can
you reproduce the problem?
If you ask and answer the proper questions, you can define the problem precisely, with details. For example,
you could refine your problem to “web filtering is not blocking website X for user Y”. Having this level of detail
provides you with a better place to start the troubleshooting process.
The following questions can help determine the scope of the problem and isolate it:
• What is the problem?
• Has the configuration ever worked?
• Can you reproduce the problem at will, or is it intermittent?
• What has changed?
• What applications, users, or operating systems does the problem affect?
DO NOT REPRINT
© FORTINET
Troubleshooting Approach Methods
Work the problem following the TCP/IP model
One general approach to troubleshooting network issues is to follow the TCP/IP model and work the problem
either from the top layer to the bottom, or from the bottom layer to the top.
When you work from the bottom to the top, you check the physical layer first. After you determine that a layer
is operating properly, you move to the next layer, and so on, until you find the layer where the problem is
happening.
When you approach the problem from the top down, you check the application layer first. If a layer is not
working properly, you move to the layer below to rule out issues in the lower layers.
DO NOT REPRINT
© FORTINET
A Typical Scenario and Possible Issues
Possible issues:
• Layer 1
• Interface administrative access
• Errors
• MTU size
• HA issues
• Layer 2
• STP
• VLAN tagging
• Forwarding domains
• ARP table
• Layer 3
• Routing
• Layer 4
• Policy routing
In a typical network, you can approach troubleshooting by systematically reviewing the settings of each layer
of the network. Working through the problem using the TCP/IP model or OSI model is one approach that you
can take when reviewing issues. As you gain more experience, you may try to resolve issues by forming a
hypothesis and then going through the resolution step by step. Issues are often very specific. For example, in
a routing issue, static routes take precedence over dynamic routing protocols. In a case like this, having a
good understanding of the routing flowchart will be very important when troubleshooting the issue. Of course,
it is also very important to understand the nuances of routing protocols. When OSPF is used, the hello timers
and dead interval must match on both ends, to form a neighbor relationship. In addition, the MTU size must
match. In FortiOS, other unique parameters and settings must be configured correctly in order for some
features to work as expected.
DO NOT REPRINT
© FORTINET
Gathering Facts
Another step you can take to narrow down the issue and identify the source is to analyze what could trigger
the issue. Figuring out how to reproduce the issue can be a very useful tool for gathering data.
After you identify how to trigger the issue, as a next step, you can analyze which tools you can use to collect
debug data, for example, sniffer and CLI debug commands, logs, GUI widgets, and so on.
DO NOT REPRINT
© FORTINET
In this section, you will learn about the troubleshooting tools available on the GUI.
DO NOT REPRINT
© FORTINET
Status Page
Dashboard > Status
The status dashboard is the FortiGate GUI welcome screen. Some of the widgets on the status dashboard
contain information that is useful for troubleshooting, such as the CPU, Memory, and Sessions widgets.
Other default dashboards include Security, Network, Assets & Identities, and WiFi. You can configure
custom widgets as well. These widgets can deliver useful information for monitoring and troubleshooting
FortiGate.
DO NOT REPRINT
© FORTINET
FortiView Monitors
In addition to the dashboards, the GUI includes FortiView, where you can monitor screens for specific
features. For example, the FortiView Policies monitor lists the most active firewall policies. Another example
is the Routing monitor, which lists the routes that are active in the routing table.
DO NOT REPRINT
© FORTINET
Log Messages
Log&Report
Another important tool for troubleshooting is the FortiGate logs. The log viewer includes a filter setting that you
can use to display only the log entries related to a specific username, IP address, URL, or event type.
Other logs, like system events, can provide a source of data about the FortiGate status when performing
analysis of FortiGate.
DO NOT REPRINT
© FORTINET
Log Settings and Effects
Antivirus,
Policy log
web filtering, Behavior
setting
email filtering
No log Disabled No forward traffic or security logs
No log Enabled No forward traffic or security logs
Log security Disabled No forward traffic or security logs
events
Log security Enabled • Security events in forward traffic log
events • Forward traffic log if packets caused a
security event
Log all sessions Disabled Forward traffic log for every session
This table lists the expected log behavior associated with the different logging settings.
Moving from left to right, the first column shows the possible values for the log setting in the firewall policies:
no log, log security events, or log all sessions.
The second column indicates if the antivirus, web filtering, or email filtering log setting is enabled or disabled.
Remember, DLP and IPS profiles always generate logs in the security log section.
The last column shows the expected behavior. If you enable any profiles and your policy and logging is not
enabled, you will not get logs of any kind—even when a profile is blocking traffic. So, if you apply a security
profile, it’s important to consider the logging settings.
DO NOT REPRINT
© FORTINET
In this section, you will learn about CLI troubleshooting commands that you can use to gather data to
diagnose an issue on FortiGate.
DO NOT REPRINT
© FORTINET
Gathering Data―Fundamental Health Assessment
FortiGate includes a number of CLI commands that help you monitor the current status of FortiGate and start
diagnosing an issue.
Some commands, such as diagnose sys top, are useful to monitor process activity in real time.
While collecting debug data, execute tac report is a very useful command to collect initial data.
DO NOT REPRINT
© FORTINET
Gathering Data―Fundamental Health Assessment (Contd)
It is very useful for an administrator to be familiar with the fundamental debug commands used during
troubleshooting sessions. This helps to speed up the diagnosis and troubleshooting of a FortiGate.
DO NOT REPRINT
© FORTINET
Real-Time Application Debug
• To enable most of the real-time debugs:
# diagnose debug application <daemon_name> <debug_level>
# diagnose debug enable
• Some applications (daemons) that can be debugged in real time:
• sslvpnd SSL VPN
• iked IPsec VPN
• authd User authentication
• updated FortiGuard updates
• dhcpsd DHCP server
• Debug level:
• 0: Disable the specific debug
• Other values: output varies depending on the daemon
• -1: Enable all outputs
The real-time debug commands generate information in real time about what a specific FortiGate process or
feature is doing.
The debug level is a bitmask value that specifies which types of messages are displayed. This depends on
each process. For all cases though, a debug level of 0 means no output (disabled), and a debug level of -1
means enabling all possible message types.
DO NOT REPRINT
© FORTINET
Real-Time Application Debug (Contd)
• Use IPsec real time debug:
# diagnose debug application ike -1
# diagnose debug enable
• Enable timestamp:
# diagnose debug console timestamp enable
This slide shows the two commands that you can use to enable all the IPsec real-time debug output. You can
also enable the option to prepend the system time to each debug line.
It is important to disable any real-time debug application after you use it. Debug applications consume
FortiGate resources and some could be CPU-intensive.
DO NOT REPRINT
© FORTINET
Application Layer Test Commands
ISFW # diagnose test application
smtp SMTP proxy.
pop3 POP3 proxy.
imap IMAP proxy.
nntp NNTP proxy.
harelay HA relay daemon.
hasync HA sync daemon.
hatalk HA talk daemon.
sessionsync Session sync daemon.
forticldd FortiCloud daemon.
miglogd Miglog logging daemon.
syslogd Syslog daemon.
locallogd Locallogd daemon.
fgtlogd Fgtlog daemon.
urlfilter URL filter daemon.
wf_monitor WF monitor.
ovrd Override daemon.
iotd IoT device info daemon.
ipsmonitor IPS monitor.
ipsengine IPS sensor.
--More--
Application layer test commands do not display information in real time. They display statistics and
configuration information about a feature or process. You can also use some of these commands to restart a
process or execute a change in its operation.
DO NOT REPRINT
© FORTINET
Application Layer Test Commands (Contd)
ISFW # diagnose test application ipsmonitor
IPS Engine Test Usage:
This command can be useful when troubleshooting intrusion prevention system (IPS) issues. You can use the
command to display IPS engine information, turn the IPS engine on or off, bypass the IPS engine, or restart all
IPS engines.
DO NOT REPRINT
© FORTINET
Packet Sniffer
• Packet sniffer command:
• #diagnose sniffer packet <interface> <filter> <verbose> <count> <a>
• You can find more filtering options and their descriptions here:
• https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-
packet-sniffer/ta-p/194222
FortiGate includes the sniffer command, which is a useful tool when you need to to dig deeper to diagnose the
source of the issue.
The sniffer command can sniff packets on physical or virtual interfaces. If you set the sniffer command to any,
it can sniff all available interfaces simultaneously.
You can use a filter to customize and narrow down the packets that you want to capture. The sniffer filter uses
Berkeley Packet Filters syntax.
The example on this slide shows a filtering example for the packet sniffer that captures all TCP packets with
the SYN flag set. You can create this filter by finding the flag bit position in the TCP header and combining it
with tcpdump. You can find additional filtering options by visiting the link at the bottom of this slide.
The number four at the end of the packet sniffer command indicates the verbosity level. In this example, the
packet capture prints the header of the packets along with interface name. There are six verbosity levels you
can choose from.
You will learn about these verbosity levels and other advanced packet capture options in a later lesson.
DO NOT REPRINT
© FORTINET
GREP Utility
Usage: grep [-ilHhnqvscABC] PATTERN [FILE...]
Options:
-i Ignore case distinctions
-l List names of files that match
-H Prefix output lines with filename where match was found
-h Suppress the prefixing filename on output
-n Print line number with output lines
-q Quiet
-v Select non-matching lines
-s Suppress file open/read error messages
-c Only print count of matching lines
-A Print NUM lines of trailing context
-B Print NUM lines of leading context
-C Print NUM lines of output context
ISFW #
Some CLI debug commands generate a lot of output. If you know that the required information is contained in
one specific line of the output, and if you know a keyword that you can use to find that line, you can use the
GREP utility. The GREP utility displays only the lines from the output that match a text string. Using the GREP
utility, you can reduce the output to only the one line (that contains exactly the information that you need),
instead of a long list of entries. This slide list all of the options available when using the GREP utility.
DO NOT REPRINT
© FORTINET
GREP Utility (Contd)
ISFW # show | grep -f port1
config system interface
edit "port1" <---
set vdom "root"
set ip 10.9.31.115 255.255.240.0
set allowaccess ping https ssh http telnet
set type physical
set snmp-index 1
next
edit "port10" <---
set vdom "root"
set type physical
set snmp-index 10
next
end
config router static
edit 1
set gateway 172.16.20.254
set device "port1" <---
next
end
ISFW #
When you display the FortiGate configuration using the CLI, you can use the GREP utility with the option –f.
It will display only the configuration sections or tables where the text string matches at least one value. This is
useful, for example, when you need to find all the references to a specific object. In the example shown on this
slide, the –f option is being used to find all the references to the port1 interface. The output shows the two
tables where port1 is referenced: the definition of the interface itself, and a static route where port1 is the
assigned device interface.
DO NOT REPRINT
© FORTINET
GREP Utility (Contd)
ISFW # diagnose sys session list | grep -B 1 -A 1 local
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local nds
statistic(bytes/packets/allow_err): org=19728/274/1 reply=0/0/0
tuples=2
--
npu_state=00000000
no_ofld_reason: local
--
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local nds
statistic(bytes/packets/allow_err): org=19728/274/1 reply=0/0/0
tuples=2
--
npu_state=00000000
no_ofld_reason: local
The command on this slide will print all local sessions that diagnose sys session list includes in its
output.
The GREP utility filters for local, which is a session flag, and then prints the leading line and the trailing line
for each occurrence.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario
• IPSec VPN is configured between two
FortiGate devices
• The tunnel does not come up 10.0.1.206 10.0.1.69
FortiGate A FortiGate B
When troubleshooting the scenario shown on this slide, which approach would you take?
FortiGate A is trying to establish an IPSec VPN tunnel with FortiGate B. You have access to both FortiGate
devices.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario (Contd)
• Ensure that packets arrive at FortiGate B
10.0.1.206 10.0.1.69
FortiGate A FortiGate B
Your first step should be to confirm that IKE packets sent from FortiGate A arrive at FortiGate B, and that
there is bidirectional communication. The best tool to use for this is the packet sniffer.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario (Contd)
• Use the real-time application IKE debug
10.0.1.206 10.0.1.69
FortiGate A FortiGate B
FortiGate B # diagnose debug application ike -1
FortiGate B # diagnose debug enable
---omitted---
ike V=root:0:ToFortiGateA:40:4: peer proposal is: peer:0:10.0.40.0-10.0.40.255:0, me:0:10.0.20.0-10.0.20.255:0
ike V=root:0:ToFortiGateA:40:ToFortiGateA:4: trying
ike V=root:0:ToFortiGateA:40:4: no matching phase2 found
ike V=root:0:ToFortiGateA:40:4: failed to get responder proposal
ike V=root:0:ToFortiGateA:40: error processing quick-mode message from 10.0.1.206 as responder
261.535586 port1 in 10.0.1.206.500 -> 10.0.1.69.500: udp 556
FortiGate B # diagnose debug disable
FortiGate B # diagnose debug reset
If IKE packets from FortiGate A are arriving at FortiGate B, then your second step should be to use the real-
time application IKE debug.
In this scenario, you can see that there is a possible mismatch in the quick mode selector configuration.
Ensure that the quick mode selectors match on both FortiGate devices.
To preserve resources, always disable the debug when you are finished troubleshooting.
DO NOT REPRINT
© FORTINET
Review
Describe network troubleshooting concepts and approaches
Set up a baseline before anything happens
Learn the diagnostic steps that you should perform when a problem
occurs
Use GUI and CLI monitoring tools
Use logs to monitor activity and status
Use CLI commands to monitor and assess FortiGate health
Use real-time CLI debug commands
Use application layer test commands
Use the CLI GREP command
After completing this lesson, you should be able to achieve the objectives shown on this slide.
DO NOT REPRINT
© FORTINET
FortiOS 7.4
Last Modified: 25 April 2024
DO NOT REPRINT
© FORTINET
Objectives
• Describe how FortiOS processes a packet
• Describe how FortiOS uses memory
• Diagnose high memory and high CPU problems
• Optimize memory usage
• Diagnose conserve mode
• Troubleshoot unexpected reboots and frozen devices
• Use the crash log for diagnostics
After completing this lesson, you should be able to achieve the objectives shown on this slide.
By demonstrating a competent understanding of FortiOS system resources, you will be able to identify how
FortiOS processes packets and uses memory. You will be able to also diagnose high resource utilization, and
conserve mode issues and optimize memory usage.
DO NOT REPRINT
© FORTINET
DO NOT REPRINT
© FORTINET
Parallel Path Processing
• Parallel path processing (PPP) chooses from a group of parallel options to identify the
optimal path for processing a packet
• FortiGate can offload and accelerate many processes in hardware
• Content processors (CP8 or CP9) offload some unified threat management (UTM) and next-generation
firewall (NGFW) processing and cryptographic operations
• Network processors (NP6 or NP7) offload traffic that does not require UTM or NGFW processing
• FortiGate hardware and software configuration affect the path that a packet takes
PPP uses the firewall policy configuration to choose from a group of parallel options to identify the optimal
path for processing a packet. The path identified by PPP is made up of the various processes the packet must
pass through. Hardware, such as CP8, CP9, or network processors, can offload and accelerate many of these
processes. FortiGate hardware and software configuration affect the path that a packet takes. The next few
slides provide flowcharts displaying examples of packet processing in several scenarios. Note that these
examples do not cover all possible scenarios, nor do they show every step or process packets are subjected
to during inspection. The purpose of these slides is to provide common examples of packet flow on FortiGate.
DO NOT REPRINT
© FORTINET
Life of a Packet—Initial Session Packets
Kernel
Admission
1. Forwarding
Network interface Quarantine control 2. Source NAT
CPU
IPsec VPN
Access Control FortiTelemetry encryption NP6/7
NP6/7
List (ACL)
User
Host Protection Traffic shaping
authentication
Engine (HPE) (captive portal)
Kernel WAN
IP integrity 1. Destination NAT
optimization
header checking 2. Routing, RPF check, and
SD-WAN
3. Stateful inspection/policy
lookup/session management
IPsec VPN 4. Session helpers Network interface
decryption 5. User authentication
CPU
6. Device identification
7. SSL VPN
8. Local management traffic
UTM/NGFW
1. Flow-based inspection CP8/9
Optional/Configurable
2. Proxy-based inspection
3. Explicit web proxy CPU Mandatory
4. Botnet check
© Fortinet Inc. All Rights Reserved. 5
This slide shows the steps that the first packets of a session go through as they enter, pass though, and exit
FortiGate. This scenario is for FortiGate with secure processing units (SPUs).
FortiGate performs some security inspections early in the life of the packet, such as ACL, HPE, and IP
integrity header checking. FortiGate does this to make sure the packets are within acceptable parameters
before allowing the packet to move through the rest of the processes. These inspections are handled by the
network processor in order to minimize impact on the FortiGate CPU.
Each version of the network processor has criteria that defines which traffic can be offloaded. The network
processor enhances overall performance by allowing offloaded sessions to bypass the FortiGate CPU after
the session is established and the session key is installed in the network processor. The network processor
can also handle IPsec VPN encryption and decryption operations, where the configured encryption and
hashing algorithms are supported in hardware.
The content processor functions like a coprocessor for the FortiGate CPU to improve overall system
performance by offloading certain tasks, such as pattern matching for flow-based UTM inspection with the
intrusion prevention system (IPS) engine, SSL/TLS decryption and encryption for deep SSL inspection, and
IPsec encryption and decryption operations for supported algorithms.
Note that the packet processing for virtual FortiGate devices is identical with the only difference being that the
CPU handles all processes instead of being able to offload some of them to network and content processors.
DO NOT REPRINT
© FORTINET
Life of a Packet—Offloaded Non-UTM Sessions
Network interface
IP integrity
NP6/7
header checking
WAN
IPsec VPN optimization
decryption
Network interface
IPsec VPN
encryption
Traffic shaping
Optional/Configurable
Mandatory
© Fortinet Inc. All Rights Reserved. 6
This slide shows how subsequent packets in an established session where UTM/NGFW inspection is not
configured are handled by FortiGate after being offloaded to a network processor. After the session key is
installed in the network processor, subsequent packets for the offloaded session skip routing and kernel
processors, bypassing the FortiGate CPU, and are forwarded out the egress interface by the network
processor. An important consideration is the impact offloading has on troubleshooting. When a session is
offloaded to the network processor, you are unable to view these accelerated packets through the diagnose
sniffer packet or diagnose debug flow CLI commands or the packet capture feature on the GUI.
DO NOT REPRINT
© FORTINET
Life of a Packet—NTurbo/Flow-Based UTM Sessions
Network interface
IP integrity
NP6/7
header checking
IPS Engine WAN
CPU
optimization
IPsec VPN Flow-based
decryption UTM/NGFW
IPSA CP8/9
Network interface
IPsec VPN Single-pass rule
encryption matching
Traffic shaping
Optional/Configurable
Mandatory
© Fortinet Inc. All Rights Reserved. 7
This slide shows how subsequent packets in an established session with flow-based UTM/NGFW configured
are handled by FortiGate where NTurbo and IPS Acceleration (IPSA) are supported and enabled.
NTurbo is a feature that enables flow-based UTM/NGFW sessions to be accelerated by NP6 or NP7 network
processors to and from the IPS engine.
IPSA is a feature that allows basic or advanced pattern matching operations required for flow-based security
profile inspection to be offloaded to CP8 or CP9 content processors. When IPSA is enabled, flow-based
pattern matching databases are compiled and downloaded to the content processors from the IPS engine and
IPS database.
After the session key is installed in the network processor, subsequent packets for the accelerated session
skip routing and kernel processors but UTM/NGFW operations are still handled by the CPU with IPSA
offloading pattern matching to the CP8 or CP9 content processors.
DO NOT REPRINT
© FORTINET
Life of a Packet—Proxy-Based UTM Sessions
Network interface
CPU
IPS Engine
Traffic shaping
Single-Pass IPS,
NP6/7
ACL Application Control,
Botnet, and SSL
CP8/9 Inspection WAN
optimization
IP integrity
header checking
CPU Proxy
VoIP Inspection Network interface
IPsec VPN Data Loss Prevention
decryption (DLP)
Antispam
Web Filtering
Antivirus
IPsec VPN
NP6/7 encryption
Optional/Configurable
Mandatory
© Fortinet Inc. All Rights Reserved. 8
This slide shows how subsequent packets in an established session with proxy-based UTM/NGFW configured
are handled by FortiGate.
The network processor does not offload sessions where proxy-based features are configured, so the
FortiGate CPU handles packet processing and inspection through a combination of the IPS engine and the
FortiOS proxy. The network processor still conducts some early security inspections before handing off the
packets to the IPS engine and can still be leveraged for IPsec tunnel decryption and encryption.
The FortiGate CPU can leverage the content processors to handle SSL/TLS encryption and decryption—if
SSL deep inspection is configured. Note that the packet flow is modified when SSL deep inspection is
configured.
DO NOT REPRINT
© FORTINET
Memory Architecture
In this section, you will learn about how FortiGate uses memory.
DO NOT REPRINT
© FORTINET
FortiOS Architecture
Configuration layer
CLI GUI API FortiManager
User space
Application Application Application Application
process process process process
Kernel
Device Device Device Device Device
driver driver driver driver driver
Hardware
To understand how FortiGate uses its memory, you must understand the architecture of FortiOS. The heart of
FortiOS is its kernel. The kernel is where FortiGate makes some of the most basic and important decisions,
such as how to route a packet, or when to offload a session to an NPU processor. FortiOS runs on hardware.
The device drivers bridge the kernel with the hardware. The user space is located above the kernel. Several
application processes or daemons run in the user space. Above the kernel and the user space is the
configuration layer.
DO NOT REPRINT
© FORTINET
FortiGate Memory Segmentation
• Kernel accesses the entire system memory directly
# diagnose hardware sysinfo memory
MemTotal: 2040588 kB
MemFree: 1275900 kB
MemAvailable: 1248372 kB
Free MemFree:
Buffers: 196 kB 1275900kB
Cached: 269208 kB
SwapCached: 0 kB
MemTotal:
... 2040588kB
Used memory
FortiOS is a 64-bit architecture, therefore the kernel doesn't need to use memory paging to access the whole
memory space. All the memory space is directly accessible by the kernel.
DO NOT REPRINT
© FORTINET
How the FortiGate Memory Is Used
• System I/O cache
• Kernel memory slabs
• Buffers
• Process memory
• Shared memory
DO NOT REPRINT
© FORTINET
System I/O Cache
• Speeds up hard disk and flash disk writing and reading operations:
• Logging
• WAN optimization
• Explicit proxy
• Made of pages (4K size) of disk block (1K size)
• Two types of pages:
• Active
• Recently accessed
• Inactive
• Not used after some time
• Might be reclaimed by the kernel in case of shortage
There are no direct reads and writes made to hard disks or flash disks. Each access is done through a cache
held in memory—the system I/O cache.
The system I/O cache is used to speed up access to information stored in the hard and flash disk memories.
Some processes, such as logging, WAN optimization, and explicit proxy store information on the hard disk, so
they get the performance boost provided by this memory allocation.
An I/O cache page is labeled as active when it has been recently used or modified. It enters the inactive state
after it has not been used for some time. The kernel may reclaim an inactive page if needed.
DO NOT REPRINT
© FORTINET
Analyzing Memory Usage Total usable
# diagnose hardware sysinfo memory memory
MemTotal: 2040588 kB
Amount of physical
MemFree: 1278940 kB memory not used
MemAvailable: 1253524 kB by the system
Buffers: 668 kB
Amount of memory
Cached: 271412 kB
allocated for I/O
SwapCached: 0 kB cache
Active: 307256 kB
Memory used in a
Inactive: 50232 kB particular process—
---omitted--- user space
Slab: 89216 kB Currently unused
---omitted--- cache page
Memory used by
system kernel to
store information—
kernel space
Use the command shown on this slide to display the total amount of memory allocated for the I/O cache. This
command is useful when troubleshooting high memory issues to determine where memory is being allocated.
For example, a lot of memory allocated to Active might indicate a user process that is using a lot of
resources. Similarly, if Slab uses a lot of memory, you can investigate the slabs or kernel memory to see
which object is the culprit.
DO NOT REPRINT
© FORTINET
Slabs
• Collection of objects with a common purpose and a fixed size
• Used by kernel
• Examples:
Slab Usage
tcp_session TCP session
ip_session Non-TCP session
ip_dst_cache Route cache
buffer_head Read/write data from disk, flash
inode_cache Information about files and directories
dentry_cache Cache for file system directory entries
arp_cache Cache for ARP
The kernel memory slabs are collections of objects with a common purpose. They are used by the kernel to
store information in memory.
This slide shows an example of some slabs. There are slabs for storing information about the TCP sessions.
The entries in the route cache are also stored in memory slabs.
DO NOT REPRINT
© FORTINET
Slabs (Contd)
# diagnose hardware sysinfo slab
slabinfo - version: 2.1
...
ext4_groupinfo_4k 256 280 144 28 1 : tunables 120 60 8 : slabdata 10 10 0
tcp_session 4 10 1600 5 2 : tunables 24 12 8 : slabdata 2 2 0
ip_session 2 10 1408 5 2 : tunables 24 12 8 : slabdata 2 2 0
fib6_nodes 10 32 128 32 1 : tunables 120 60 8 : slabdata 1 1 0
ip6_mrt_cache 0 0 448 9 1 : tunables 54 27 8 : slabdata 0 0 0
RAWv6 20 21 1152 7 2 : tunables 24 12 8 : slabdata 3 3 0
UDPv6 14 15 1408 5 2 : tunables 24 12 8 : slabdata 3 3 0
tw_sock_TCPv6 0 0 240 17 1 : tunables 120 60 8 : slabdata 0 0 0
request_sock_TCPv6 0 0 312 13 1 : tunables 54 27 8 : slabdata 0 0 0
...
Active Available Object size
objects objects
Total slab size = available objects x object size
To check how much memory is being allocated to kernel slabs, use the command diagnose hardware
sysinfo slab.
The first column shows the slab name. The second column shows the total amount of active objects, then the
number of available objects, and then the size of each object.
This amount changes depending on resource usage. For example, if tcp sessions increase on FortiGate, so
will the available objects for that slab.
You can calculate the total amount of memory allocated to each slab type by multiplying the number of
available objects by their size.
DO NOT REPRINT
© FORTINET
High CPU and Memory Troubleshooting
# diagnose sys top
Run Time: 0 days, 0 hours and 18 minutes
0U, 0N, 1S, 95I, 0WA, 0HI, 0SI, 0ST; 16063T, 12523F
pyfcgid 248 S 2.9 3.8 9
newcli 251 R 0.1 1.0 5
merged_daemons 185 S 0.1 0.7 6
miglogd 177 S 0.0 6.8 0
pyfcgid 249 S 0.0 3.0 2
pyfcgid 246 S 0.0 2.8 5
reportd 197 S 0.0 2.7 2
Process
cmdbsvr 113 S 0.0 2.4 7
name
Next, examine the output for diagnose sys top. It lists processes that use the most CPU or memory.
Some common processes include:
To sort the list by highest CPU usage, press c. To sort by highest RAM usage, press m.
DO NOT REPRINT
© FORTINET
Most Common Processes
Name Description
cmdbsrv Applies configuration changes
miglogd Logs collection and automation stitches
httpsd GUI access
sslvpnd SSL VPN
updated FortiGuard updates
wad WAN optimization, explicit proxy, proxy-based inspection for
HTTP and HTTPS, and FTP
scanunitd File scanning
iked IPsec
hatalk, hasync High Availability (HA) protocol and synchronization
urlfilter FortiGuard web filtering
authd User authentication
fssod FSSO
proxyworker Proxy-based inspection for IMAP, POP, SMTP
The table on this slide shows some of the most common processes.
DO NOT REPRINT
© FORTINET
Process States Review
• States:
• S: sleeping D
• R: running R
• D: do not disturb
• Z: zombie Z
• Normal states:
• S, R, and D (for a short time)
• Abnormal state:
• Z and D (if not for a short time)
S
The command diagnose sys top shows the state of each process. A process can be in one of four states:
sleeping (S), running (R), do not disturb (D), or zombie (Z).
The S and R states are normal. It is also normal if a process goes briefly to the D state. The Z state is not
normal. Also, it is not normal if a process stays in the D state for a long time. This usually indicates that the
process is not working correctly.
DO NOT REPRINT
© FORTINET
Shared Memory
• Allocated dynamically
• Allows the sharing of information among multiple processes
Above the kernel layer, there are multiple application processes or daemons running. The operating system
allocates separate blocks of memory to each process. A process can access the memory that was allocated
to it, but it cannot access the memory that was allocated to any other process. So, a process cannot share
information with another process by reading or writing data into the memory allocated to that other process.
For that purpose, the operating system dynamically allocates shared memory (SHM). Multiple processes can
access the SHM, allowing them to share information.
DO NOT REPRINT
© FORTINET
In this section, you will learn about general system troubleshooting commands.
DO NOT REPRINT
© FORTINET
System Information
# get system status
Version: FortiGate-VM64-AWS v7.4.1,build2463,230830 (GA.F)
Security Level: 1
Secure Boot: Disabled
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07) ....
Extreme DB: 1.00000(2018-04-09 18:07) VM Resources: 1 CPU, 1992 MB RAM
AV AI/ML Model: 0.00000(2001-01-01 00:00) Log hard disk: Available
IPS-DB: 6.00741(2015-12-01 02:30) Hostname: FGTAWSNYWSIEXN29
IPS-ETDB: 6.00741(2015-12-01 02:30) Private Encryption: Disable
APP-DB: 6.00741(2015-12-01 02:30) Operation Mode: NAT
FMWP-DB: 0.00000(2001-01-01 00:00) Current virtual domain: root
IPS Malicious URL Database: 1.00001(2015-01-01 01:01) Max number of virtual domains: 2
IoT-Detect: 0.00000(2022-08-17 17:31) Virtual domains status: 1 in NAT mode, 0 in TP mode
OT-Detect-DB: 0.00000(2001-01-01 00:00) Virtual domain configuration: disable
OT-Patch-DB: 0.00000(2001-01-01 00:00) FIPS-CC mode: disable
OT-Threat-DB: 6.00741(2015-12-01 02:30) Current HA mode: standalone
IPS-Engine: 7.00509(2023-08-10 23:14) Branch point: 2463
Serial-Number: FGTAWSNYWSIEXN29 Release Version Information: GA
License Status: Valid FortiOS x86-64: Yes
.... System time: Thu Dec 28 10:35:56 2023
Last reboot reason: warm reboot
The command shown on this slide is usually one of the first debug commands that you use when
troubleshooting. The output shows the firmware version, FortiGuard database versions, license status,
operation mode, number of VDOMs, and system time.
DO NOT REPRINT
© FORTINET
Resource Use
# get system performance status
CPU states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU0 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
Memory: 2040588k total, 782364k used (38.3%), 1098544k free (53.8%), 159680k freeable (7.9%)
---omitted---
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes,
0 sessions per second in last 30 minutes
Maximal session setup rate: 1 sessions per second in last 1 minute, 1 sessions per second in last 10 minutes,
5 sessions per second in last 30 minutes
Average NPU sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30
minutes
Maximal NPU sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30
minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 3 days, 2 hours, 22 minutes
The command shown on this slide displays overall memory and CPU use. It also shows session creation rate,
number of viruses caught, and number of attacks blocked by the IPS. The last line displays the system
uptime. This output gives you a quick view of how much traffic the device is handling.
DO NOT REPRINT
© FORTINET
Conserve Mode
In this section, you will examine conserve mode, now that you have a better understanding of how FortiGate
uses memory.
DO NOT REPRINT
© FORTINET
Conserve Mode
• Triggered based on memory use
• Prevents using so much memory that FortiGate becomes unresponsive
• FortiGate leaves conserve mode as memory use goes below set threshold
• Three memory thresholds that you can configure on the CLI
• Extreme: threshold at which FortiGate starts dropping new sessions
• Red: threshold at which FortiGate enters conserve mode
• Green: threshold at which FortiGate exits conserve mode
# config system global
... Default
set memory-use-threshold-extreme 95 threshold values
set memory-use-threshold-red 88
set memory-use-threshold-green 82
...
end
Conserve mode is a protection mechanism that is triggered when FortiGate doesn’t have enough memory
available to handle traffic. Content inspection (especially proxy-based) increases memory use beyond simple
firewall policies. In other words, when antivirus is enabled, FortiGate is more likely to use more memory,
which can cause FortiGate to enter conserve mode. You can identify whether antivirus or any other process is
using too much memory by running the CLI command diagnose sys top.
FortiGate has only one conserve mode. It is triggered based on memory usage. There are three memory
thresholds that you can configure on the CLI:
• Extreme: The threshold at which FortiGate starts dropping new sessions.
• Red: The threshold at which FortiGate enters conserve mode.
• Green: The threshold at which FortiGate exits conserve mode.
You can use the commands shown on this slide to change the default conserve mode threshold values.
DO NOT REPRINT
© FORTINET
Conserve Mode Logs
# execute log filter category 1
# execute log display
1: date=2023-12-28 time=16:58:37 eventtime=1667433517502192693 tz="-0700"
logid="0100022011" type="event" subtype="system" level="critical" vd="root"
logdesc="Memory conserve mode entered" service="kernel" conserve="on" total=969
MB used=691 MB red="853 MB" green=”795 MB" msg="Kernel enters memory conserve
mode
This slide shows the entries that are generated in the event logs when FortiGate enters memory conserve
mode. If the GUI is under a heavy load, it may be unresponsive, making the GUI logs inaccessible. In this
case, you can view the logs in the CLI using the commands shown on this slide. You can also view the crash
log on the CLI for conserve mode messages. This slide shows an example of a typical conserve mode crash
log entry.
DO NOT REPRINT
© FORTINET
Conserve Mode Diagnostics
# diagnose hardware sysinfo conserve
Use the command shown on this slide to identify whether a FortiGate device is currently in conserve mode.
DO NOT REPRINT
© FORTINET
What Happens During Conserve Mode?
Which actions does FortiGate take to preserve memory while in conserve mode?
DO NOT REPRINT
© FORTINET
What Happens During Conserve Mode? (Contd)
• For traffic that requires any proxy-based inspection (and if memory usage has not
exceeded the extreme threshold):
The av-failopen setting defines the action that is applied to any proxy-based inspected traffic, while
Fortigate is in conserve mode (and as long as the memory usage does not exceed the extreme threshold).
This setting also applies to flow-based antivirus inspection. You can configure one of three different actions:
• off: All new sessions with content scanning enabled are not passed but FortiGate processes the current
active sessions.
• pass (default): All new sessions pass without inspection until FortiGate switches back to non-conserve
mode.
• one-shot: Similar to pass in that traffic passes without inspection. However, it will keep bypassing the
antivirus proxy even after it leaves conserve mode. Administrators must either change this setting, or
restart FortiGate to restart the antivirus scanning
However, if memory usage exceeds the extreme threshold, new sessions are always dropped, regardless of
the FortiGate configuration.
DO NOT REPRINT
© FORTINET
Fail-Open Session Setting
• The following setting controls how FortiOS handles a session when it exhausts available
sockets to process proxy-based inspection:
Another undesirable state for FortiGate is the av-fail-open session mode. This mode kicks in, not
during a high-memory situation, but when a proxy on FortiGate runs out of available sockets to process more
proxy-based inspected traffic.
If av-failopen-session is enabled, FortiGate allows all the sessions. Otherwise, by default, it blocks new
sessions that require proxy-based inspection until new sockets become available.
DO NOT REPRINT
© FORTINET
Memory Tension Drops
• Kernel deletes oldest sessions if it cannot allocate more memory pages
• No direct link with conserve mode
FortiGate has one more mechanism to free memory when there is not much available. If the kernel cannot
allocate more memory pages, it deletes the oldest sessions. The command shown on this slide displays the
numbers of sessions deleted by the kernel because of this mechanism.
DO NOT REPRINT
© FORTINET
Ephemeral Drops
• A session is categorized as ephemeral when one of the following is true:
• A TCP session is not fully established
• A UDP with only a single packet is received
• These types of open sessions are common types of DoS attacks
• To protect memory use, FortiOS sets a limit on the total number of ephemeral sessions
(based on the model)
# diagnose sys session stat
misc info: session_count=184 setup_rate=0 exp_count=0 reflect_count=0
clash=0 memory_tension_drop=0 ephemeral=0/196608 removeable=0 extreme_low_mem=0
npu_session_count=61 nturbo_session_count=0
delete=0, flush=87, dev_down=16/120 ses_walkers=0
TCP sessions:
38 in ESTABLISHED state
1 in CLOSE_WAIT state
FortiGate has a mechanism to protect memory use against some forms of DoS attacks. FortiGate categorizes
an entry in the session table as an ephemeral session when it is a TCP session that is not fully established
(three-way handshake not completed), or it is a UDP session with only one packet received. During some
DoS attacks, the number of these types of sessions tends to increase abnormally, potentially consuming the
device memory. FortiGate sets a hard limit on the maximum number of ephemeral sessions that can exist at
the same time in the session table.
DO NOT REPRINT
© FORTINET
In this section, you will learn how to optimize memory use by fine-tuning the FortiGate configuration.
DO NOT REPRINT
© FORTINET
Memory Use Optimization
• Disable features that are not required:
• Inspection of specific protocols (HTTP, FTP, SMTP, POP, IMAP)
• Logging to memory
• DHCP server
• Some IPS signatures
• Reduce the maximum file size to inspect (default 10 MB):
config firewall profile-protocol-options
edit <profile_name>
config [http|ftp|pop3|smtp|imap]…
set oversize-limit <MB>
end
Many FortiGate processes, such as DLP or antivirus scanning, are memory intensive. So, memory
optimization is important, especially in small devices, to guarantee that these processes do not force
FortiGate into memory conserve mode. This slide shows some recommendations for optimizing memory use.
These tips might significantly increase the available memory in a device that is frequently entering conserve
mode.
The first and most logical step is to disable features that are not required. For example, if the network already
has a FortiMail device for antispam, an administrator does not need to configure antispam on FortiGate. Also,
usually not all IPS signatures are required.
Another recommendation is to reduce the maximum file size to inspect, which is set to 10 MB by default. You
can reduce this value to 2 or 3 MB without significantly reducing the virus catching rate, because a typical
virus size is less than 1 MB.
DO NOT REPRINT
© FORTINET
Memory Use Optimization (Contd)
• Reduce the FortiGuard cache TTL • Reduce the DNS cache (default 1800
(default 3600 and 1800 seconds): seconds):
config system fortiguard config system dns
set webfilter-cache-ttl 500 set dns-cache-ttl 300
set antispam-cache-ttl 500 end
end
Additionally, you can reduce the amount of memory allocated to some caches, such as the ones for
FortiGuard and DNS.
The FortiGate session table can also consume an important portion of memory, especially in networks with a
high rate of traffic. By default, a session without traffic remains in the table for up to one hour.
Although a TTL this high might be required by some applications, in most networks, you can reduce the
session TTL. When you reduce the TTL, FortiGate ages out idle sessions much more quickly, increasing the
amount of available memory.
There are four places in the FortiGate configuration where you can reduce the session TTL. Two of them are:
• Globally, for all the traffic
• On an IP protocol and port number basis
DO NOT REPRINT
© FORTINET
Memory Use Optimization (Contd)
• Reduce the session TTL (default 3600 seconds)
• For each firewall policy:
config firewall policy
edit <id> Security Profiles > Application Control
set session-ttl 300
The other two places where you can reduce the session TTL are:
• For each firewall policy
• For each application control
If an application requires a high session TTL, you can reduce the TTL globally to 5 minutes. However, you can
also set it to a higher number for the specific application port number, firewall policy, or with an application
control application override entry by setting the session-ttl option using the CLI.
DO NOT REPRINT
© FORTINET
Memory Use Optimization (Contd)
• Reduce TCP session timers:
config system global
set tcp-halfclose-timer 30 (default 120)
set tcp-halfopen-timer 8 (default 10)
set tcp-timewait-timer 1 (default 1)
end
SYN
tcp-halfopen-timer
SYN / ACK
ACK
FIN
tcp-halfclose-timer
FIN / ACK
tcp-timewait-timer
You can also reduce most TCP session timers from their default values without causing problems to the
applications. This slide shows some recommended values that are equal to or below the default values. Use
these recommended values to optimize the memory use.
The tcp-halfopen-timer controls for how long, after a SYN packet, a session without SYN/ACK remains
in the table.
The tcp-halfclose-timer controls for how long, after a FIN packet, a session without FIN/ACK remains
in the table.
The tcp-timewait-timer controls for how long, after a FIN/ACK packet, a session remains in the table. A
closed session remains in the session table for a few seconds more to allow any out-of-sequence packet.
DO NOT REPRINT
© FORTINET
DO NOT REPRINT
© FORTINET
Console Logging
• Available only on some models
• Records console CLI output in a 4 MB log file on flash memory
• Useful for troubleshooting unexpected restarts and unresponsive devices
• Can be displayed on the CLI or downloaded from the GUI
• To enable or disable console logging (disabled by default):
# diagnose debug comlog < enable | disable >
• To read console logging:
# diagnose debug comlog read
• To clear console logging:
# diagnose debug comlog clear
• To display the console logging settings:
# diagnose debug comlog info
On some FortiGate models, you can configure the device to store all console logs in the flash memory. This is
especially useful when troubleshooting unexpected restarts and devices that randomly become unresponsive.
Once FortiGate stores the logs, you can display them on the CLI or download them from the GUI for further
analysis.
This slide shows the commands for enabling, displaying, and clearing the console logs.
DO NOT REPRINT
© FORTINET
Troubleshooting Unexplained Restarts
• A crash dump message is usually generated through the console
• After an unexpected restart, check:
• Logs
• Console logs (available in some models)
• Crash log
• If the model does not support console logs, keep a laptop connected to the console port
and capture the crash dump message
A crash dump message is usually generated through the console port when the device crashes. Crash dump
messages can provide useful information to Fortinet developers. If the problem is a FortiGate device that is
restarting unexpectedly, you should check the logs, the console logs, and the crash log. If the FortiGate model
doesn’t support a console log, keep a laptop connected to the console port and wait until another crash
happens.
DO NOT REPRINT
© FORTINET
Troubleshooting a Device That Freezes
• Keep a laptop connected to the console port
• After the device freezes, push the NMI button while the laptop is connected to generate
the crash dump
• Not all FortiGate models have an NMI button
FortiGate freezes when it stops handling traffic, you cannot connect to it, and you can’t access its console
port. Only power cycling fixes the issue. In these cases, you could capture any crash dump message in the
console port. Additionally, and in the case of models with more than one CPU, you can enable the NMI
watchdog feature, which automatically causes a crash in the system (and forces the crash dump) when no
new daemons have been scheduled in the last 10 minutes. This is an indication that the device is not
operating normally and might be frozen.
Some FortiGate models also have an external NMI button. If the device freezes and no crash dump message
was generated, you can press the NMI button to force a crash and generate a crash dump message.
DO NOT REPRINT
© FORTINET
Crash Log
# diagnose debug crashlog read
...
18: 2023-12-28 02:37:33 <02382> firmware FortiGate-VM64-AWS v7.4.1,build2463b2463,230830
(GA.F)
19: 2023-12-28 02:37:33 (Release) Application name
20: 2023-12-28 02:37:33 <02382> application miglogd
21: 2023-12-28 02:37:33 <02382> *** signal 11 (Segmentation fault) received ***
22: 2023-12-28 02:37:33 <02382> Register dump:
Termination signal
23: 2023-12-28 02:37:33 <02382> RAX: 0000000000000001 RBX: 00000000012f7330
24: 2023-12-28 02:37:33 <02382> RCX: 00007f376a5f5016 RDX: 0000000000000400
25: 2023-12-28 02:37:33 <02382> R08: 00007f373989f000 R09: 00007f373989fb90
26: 2023-12-28 02:37:33 <02382> R10: 000000000000021c R11: 0000000000000246
27: 2023-12-28 02:37:33 <02382> R12: 0000000000000000 R13: 0000000000000002
28: 2023-12-28 02:37:33 <02382> R14: 0000000000000002 R15: 0000000000000000
29: 2023-12-28 02:37:33 <02382> RSI: 00000000114a0a40 RDI: 0000000000000019
30: 2023-12-28 02:37:33 <02382> RBP: 00007ffee55f3750 RSP: 00007ffee55f3718
31: 2023-12-28 02:37:33 <02382> RIP: 00007f376a5f5016 EFLAGS: 0000000000000246
32: 2023-12-28 02:37:33 <02382> CS: 0033 FS: 0000 GS: 0000
33: 2023-12-28 02:37:33 <02382> Trap: 0000000000000000 Error: 0000000000000000
34: 2023-12-28 02:37:33 <02382> OldMask: 0000000000000000
...
Each time an application crashes, or closes, an entry is generated in the crash log. When an application
crashes, the entry contains the name of the application, the time it crashed, and the termination signal.
This slide shows a sample of a crash in the crash log. In this example, the application that failed was the
miglogd process, which handles logging. The termination signal is 11, which is a segmentation fault.
DO NOT REPRINT
© FORTINET
Termination Signals
• Any time a process closes, a crash log is generated
# diagnose sys kill <termination_signal> <process_id>
Signal number Description
4 Illegal instruction
6 Abort command from FortiOS
7 Bus error
9 Unconditional kill
11 Invalid memory reference
14 Alarm clock
15 Graceful kill
The table shown on this slide contains the most common termination signal numbers. Any administrator can
manually terminate a process by using the command shown on this slide, followed by the termination signal
number and the process ID. The command diagnose sys top lists the process ID numbers. Manually
terminating a process is not usually required under normal circumstances. If you must terminate a process,
use the termination signal 9. Improperly terminating a process can make a FortiGate system unstable.
Note that not all the signal numbers generate a crash log.
Processes can also be killed through the GUI under admin > System > Process Monitor. If you want to
generate a crash log, select Kill&Trace in the Kill Process field.
DO NOT REPRINT
© FORTINET
Crash Log Tips
• In most cases, entries in the crash log are normal
• Consider a crash log to be suspicious when:
• It happens at the same time as abnormal FortiGate behavior
• For example, unexpected system restarts
• The crashed process is related to the FortiGate feature that failed
• For example, a crash in the sslvpnd process when all SSL VPN connections went down
• The crash log can provide information to Fortinet developers about the cause of the
crash
In most cases, entries in the crash log are normal. You can consider a crash log entry to be suspicious if it
happens at the same time as a failure in a FortiGate feature, or abnormal behavior by FortiGate.
For example, a crash log entry that is generated when the device unexpectedly restarts, might provide
information about the cause. A crash in the sslvpnd process when all SSL VPN users get disconnected is
also relevant. The crash log includes the details about the crash and information that can be used by Fortinet
support to identify which code triggered the problem.
DO NOT REPRINT
© FORTINET
Review
Describe how FortiOS processes a packet
Describe how FortiOS uses memory
Diagnose high memory and high CPU problems
Optimize memory usage
Diagnose conserve mode
Troubleshoot unexpected reboots and frozen devices
Use the crash log for diagnostics
This slide shows the objectives that you covered in this lesson.
By mastering the objectives covered in this lesson, you learned how to use and optimize FortiOS system
resources.
DO NOT REPRINT
© FORTINET
FortiOS 7.4
Last Modified: 25 April 2024
In this lesson, you will learn about traffic and session monitoring.
DO NOT REPRINT
© FORTINET
Objectives
• Analyze the information in the session table
• Understand the various session flags
• Capture traffic using the built-in sniffer
• Analyze the output of the debug flow
• Describe hardware offloading implications
• Configure and troubleshoot session helpers
After completing this lesson, you should be able to achieve the objectives shown on this slide.
By demonstrating competence in traffic and session monitoring, you will be able to interpret the information in
the session table, capture traffic using the built-in sniffer, analyze the output of the debug flow, and configure
and troubleshoot session helpers.
DO NOT REPRINT
© FORTINET
Session Table
DO NOT REPRINT
© FORTINET
Session Table Summary
# get sys session status
The total number of IPv4 sessions for the current VDOM: 11
The FortiGate session table contains detailed information about every IP connection that crosses or
terminates at FortiGate. You can use the commands shown on this slide to display the total number of
sessions in an active VDOM, and to view a brief summary of each session. The session list command
lists one session on each line, and includes information such as protocol, source IP address, destination IP
address, and port. You can use the grep utility with this command to list only the sessions for a specific IP
address.
DO NOT REPRINT
© FORTINET
Session Table Details
• Clear any previous filter
# diagnose sys session filter clear
• Set the filter
# diagnose sys session filter ?
...
src Source IP address.
nsrc NAT'd source ip address.
dst Destination IP address.
proto Protocol number.
...
• List all entries matching the configured filter
# diagnose sys session list
To display detailed information about sessions, use the command shown on this slide. It is recommended that
you set the session filter first, because an unfiltered output displays all the details about all the existing
sessions. For high-end devices, a list of all existing sessions could be in the thousands, or even millions. You
can filter the output by policy ID, source IP address, source port, destination IP address, and destination port.
Note that there are many more options for the session filter than the ones shown on this slide.
DO NOT REPRINT
© FORTINET
Clearing Session Table Entries
• Some configuration changes, such as security profile changes or session helper
changes, apply only to new sessions
• In those cases, you can clear existing sessions, so changes apply once new sessions
are created
• Set the filter
# diagnose sys session filter ?
• Check the filter
# diagnose sys session filter
• Clear all entries matching the configured filter
# diagnose sys session clear
Some configuration changes, such as security profile changes or session helper changes, apply only to new
sessions. Existing sessions keep using the previous configuration until they expire or are terminated. This is
important to remember when troubleshooting problems. After a security profile change, you should clear any
sessions related to that change, and generate new sessions.
Use the command shown on this slide to remove all sessions that match the session filter. You must be
careful with this command because it can potentially clear all the existing sessions if no filter has been set.
Before clearing out any sessions, use appropriate filters.
DO NOT REPRINT
© FORTINET
Sessions―TCP Example
# diagnose sys session list
session info: proto=6 proto_state=11 duration=1 expire=3599 timeout=3600 refresh_dir=both
flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=medium prio=3 guarantee 0Bps max 134217728Bps traffic 232868Bps drops 0B
reply-shaper=medium prio=3 guarantee 0Bps max 134217728Bps traffic 232868Bps drops 0B
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty ndr npu f00 app_valid
statistic(bytes/packets/allow_err): org=1720/9/1 reply=10804/13/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=7->31/31->7 gwy=10.1.0.254/10.9.31.117
hook=post dir=org act=snat 10.9.31.117:45388->200.8.57.5:443(10.1.0.3:45388)
hook=pre dir=reply act=dnat 200.8.57.5:443->10.1.0.3:45388(10.9.31.117:45388)
hook=post dir=reply act=noop 200.8.57.5:443->10.9.31.117:45388(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=14720 confiauth_info=0 chk_client_info=0 vd=0
serial=0002932f tos=ff/ff app_list=2000 app=34050 url_cat=0
sdwan_mbr_seq=1 sdwan_service_id=1
rpdb_link_id=80000000 ngfwid=n/a
npu_state=0x003c94 ips_offload
npu info: flag=0x81/0x81, offload=8/8, ips_offload=1/1, epid=16/16, ipid=64/88,
vlan=0x0000/0x0000
vlifid=64/88, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=0/0
This slide shows an example output detailing information for a single session table entry. The slide highlights
the following information:
Use the CLI command diagnose sys session list for IPv4 traffic, and the command diagnose sys
session6 list for IPv6 traffic.
The output for both commands is similar (it displays the same fields, in the same order).
DO NOT REPRINT
© FORTINET
Sessions—TCP Protocol States
• proto_state=11
• First digit (from left to right): server-side state SYN
• 0 if no inspection, non-zero if proxy or flow
• Second digit (from left to right): client-side state 2
SYN / ACK
TCP state Value
NONE 0 ACK 3
ESTABLISHED 1
SYN_SENT 2
SYN & SYN/ACK 3 1
FIN_WAIT 4
TIME_WAIT 5 FIN
CLOSE 6
4
CLOSE_WAIT 7 FIN / ACK
LAST_ACK 8
LISTEN 9 5
The protocol state in the session table is a two-digit number. For TCP, the first number (from left to right) is
related to the server-side state and is 0 when the session is not subject to any inspection (flow or proxy). If
flow or proxy inspection is done, then the first digit is different from 0. The second digit is the client-side state.
The table and flow graph shown on this slide correlate the digit value with the different TCP session states.
The values apply for both server-side and client-side states. For example, for the client-side state, when
FortiGate receives the SYN packet, the second digit is 2. It changes to 3 when FortiGate receives the
SYN/ACK packet. Similarly, for the server-side state, the first digit is 2 after FortiGate sends the SYN packet,
and then changes to 3 after FortiGate sends the SYN/ACK packet. In addition, proto_state=11 means that
the TCP three-way handshake for both server-side and client-side is completed (ESTABLISHED).
When a session is closed by both the sender and receiver, FortiGate keeps that session in the session table
for a few seconds, to allow for any out-of-order packets that might arrive after the FIN/ACK packet. This is the
state value 5.
DO NOT REPRINT
© FORTINET
Sessions—ICMP and UDP Protocol States
• Even though UDP is stateless, FortiGate still uses two proto_state values:
UDP
UDP state Value
UDP
UDP traffic one way only 0 00
UDP traffic both ways 1
UDP
UDP
• ICMP has no state
• proto_state is always 00 UDP 01
UDP
For UDP, the session state can have only two values: 00 when traffic is only one way, and 01 when traffic is
two ways. For ICMP, the protocol state is always 00.
DO NOT REPRINT
© FORTINET
Sessions—Some Common Flags
Flag Description
log Session is being logged
local Session is to/from local stack
ndr Session will be checked by IPS signature
nds Session will be checked by IPS anomaly
npu Session can be offloaded to NPU
wccp Web caching
npd Session cannot be offloaded to NPU
redir Session is being processed by an application layer proxy
authed Session was successfully authenticated
auth Session requires (or required) authentication
This table shows the meaning of the most important session flags. For example, the log flag indicates that
the session is being logged. The local flag indicates that the session originates from FortiGate or terminates
on FortiGate.
DO NOT REPRINT
© FORTINET
May Dirty Sessions
• New firewall sessions created after matching a firewall policy with accept action
• A firewall policy lookup is performed (top-down)
• Flagged as may_dirty
• Lookup process
• First original packet (route and firewall policy lookup)
• First reply packet (route lookup only)
• No additional lookups unless session is flagged as dirty
When working with FortiGate, it’s important to understand the concept of may_dirty and dirty sessions.
The may_dirty sessions are firewall sessions that were created after matching a firewall policy with
accept as the action. For FortiGate to identify the matching policy, it performs a firewall policy lookup,
selecting the first matching policy in the configuration from the top down. Most firewall sessions contain the
may_dirty flag. However, some sessions such as expectation sessions, do not contain the may_dirty flag
because they are not created as a result of matching a firewall policy.
For new sessions, FortiGate performs route and firewall policy lookups upon receiving the first packet (in the
original direction). FortiGate also performs a route lookup—but not a firewall policy lookup—for the first reply
packet. FortiGate then saves the information that results from the route lookup—the outgoing interface and
gateway to use—and the firewall policy lookup—policy ID, address translation, inspection, authentication,
logging, and so on—to the session.
FortiGate doesn’t perform additional lookups for the session unless the session is flagged as dirty.
DO NOT REPRINT
© FORTINET
Dirty Sessions
By default, FortiGate flags all may_dirty sessions as dirty if there is a routing, firewall policy, or interface
change. The FortiGate must reevaluate every dirty session. During reevaluation, it checks both directions of
the dirty session.
DO NOT REPRINT
© FORTINET
Dirty Sessions (Contd)
After a routing change, the routing information of impacted sessions is flushed. The default reevaluation
process following a routing change for sessions without source NAT (SNAT) is as follows:
• If the impacted session is offloaded to the network processing unit (NPU), FortiGate instructs the NPU to
send the next packet from each direction of the session to the CPU. This ensures that the session is
handled by the CPU, and thus reevaluated. If the session is not offloaded to the NPU, then the packets are
always handled by the CPU, and this step is not required.
• In the original direction, FortiGate performs route and firewall policy lookups for the first packet.
• In the reply direction, FortiGate performs only a route lookup for the first packet.
• FortiGate updates the session with the new routing and firewall policy information and removes the dirty
flag.
• If the matching firewall policy action is still accept, FortiGate forwards the packet.
• If the matching firewall policy action is deny, FortiGate flags the session as block, drops the packet, and
retains the session in the session table until it expires. FortiGate also drops any additional packets that
match the session .
• FortiGate eventually offloads allowed sessions again to the NPU, if they still meet the NPU offloading
requirements.
DO NOT REPRINT
© FORTINET
Dirty Sessions (Contd)
• Before the route change (may_dirty flag)
session info: proto=1 proto_state=00 duration=4 expire=55 timeout=0 refresh_dir=both flags=00000000 socktype=0
sockport=0 av_idx=0 use=3
state=log may_dirty npu f00
orgin->sink: org pre->post, reply pre->post dev=7->19/19->7 gwy=100.64.1.1/10.0.1.101
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
• After reevaluation (no dirty flag; outgoing interface and gateway are updated)
session info: proto=1 proto_state=00 duration=53 expire=56 timeout=0 refresh_dir=both flags=00000000 socktype=0
sockport=0 av_idx=0 use=3
state=log may_dirty npu f00
orgin->sink: org pre->post, reply pre->post dev=7->20/20->7 gwy=100.64.1.9/10.0.1.101
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
This slide shows the transition of an ICMP session from may_dirty to dirty, and then back to may_dirty,
following a route change. Note that only relevant lines of the session are displayed.
Before the route change, the session is flagged as may_dirty. The session output shows the index number
of the outgoing interface in use (19), as well as the gateway information (gwy).
After the route change, the session is flagged as dirty. Note that the may_dirty flag is still there, and the
dirty flag is just added. The gateway information is also flushed.
After reevaluation, the dirty flag is removed, and the index number of the outgoing interface and the
gateway information are updated based on the new route.
Note that the firewall policy (policy_id) didn’t change. This is because the firewall policy lookup during
reevaluation resulted in the same firewall policy, but this is not always the case.
DO NOT REPRINT
© FORTINET
Routing Changes and SNAT Sessions
• By default, SNAT sessions are not flagged as dirty after a routing change
• Exception: route in use is removed from the forwarding information base (FIB)
• Force reevaluation of SNAT sessions after a routing change (default = disable):
config system global
set snat-route-change enable | disable
end
• If SNAT IP changes during reevaluation, packet is dropped, and session is cleared
id=20085 trace_id=51 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=1, 10.0.1.101:13106-
>8.8.8.8:2048) from port5. type=8, code=0, id=13106, seq=3."
id=20085 trace_id=51 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-00008483, original
direction"
id=20085 trace_id=51 func=vf_ip_route_input_common line=2589 msg="Match policy routing id=2131230721: to 8.8.8.8
via ifindex-4"
id=20085 trace_id=51 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-192.2.0.10 via
port2"
id=20085 trace_id=51 func=get_new_addr line=1229 msg="find SNAT: IP-192.2.0.9(from IPPOOL), port-13106"
id=20085 trace_id=51 func=fw_strict_dirty_session_check line=264 msg="SNAT IP 192.2.0.1 != 192.2.0.9, drop"
• Enable snat-route-change if using the same IP pool for old and new path
Different SNAT IP address; drop the
packet and clear the session
© Fortinet Inc. All Rights Reserved. 15
By default, SNAT sessions are not flagged as dirty following a routing change that impacts the session.
This is true if the route in use is still in the FIB. However, if the route is removed from the FIB, then FortiGate
flags the session as dirty, flushes the outgoing interface and gateway information, and then reevaluates the
session on the next packet received.
To force the reevaluation of SNAT sessions following a related routing change, regardless of whether the
route in use is still in the FIB or not, enable the snat-route-change setting, as shown on this slide.
Note that during reevaluation of SNAT sessions, if the new route and firewall policy lookup results in a change
of the SNAT IP address, then FortiGate drops the packet and clears the session. This means that the
impacted application could have to initiate a new connection to resume network connectivity, especially if the
application is TCP-based.
This slide shows the debug flow output for an SNAT session during reevaluation. Because the SNAT IP
address of the new path (192.2.0.9) is different from the SNAT IP address of the current path
(192.2.0.1), FortiGate drops the packet and clears the session. This also means that, from a connectivity
point of view, it makes sense to enable snat-route-change only when the new path for the session uses
the same SNAT IP address, which can be achieved using IP pools.
DO NOT REPRINT
© FORTINET
Firewall Policy Changes and Sessions
• Firewall policy changes can lead to high CPU utilization
• Select which sessions in the VDOM are flagged as dirty (default = check-all):
config system settings
set firewall-session-dirty check-all | check-new | check-policy-option
end
• check-all: All impacted sessions are flagged as dirty
• check-new: New sessions are flagged as dirty and existing sessions are not affected
• check-policy-option: Follow firewall policy-level configuration
• Firewall policy-level configuration (default = check-all):
config firewall policy
edit <id>
set firewall-session-dirty check-all | check-new
next
end
When you make a change to a firewall policy, all existing sessions with the flag may-dirty change to status
dirty. FortiGate then performs a firewall policy lookup for the first packet received for each existing session;
it updates the session table entry and resets the flag to may-dirty. Then, it processes the next packets
based on the new firewall settings.
If the firewall handles a huge number of sessions, flagging the sessions as dirty, and performing a firewall
policy lookup for the sessions may result in high CPU utilization. To prevent this, you can configure FortiGate
to flag only new sessions as dirty by setting firewall-session-dirty to check-new. The result is that
FortiGate evaluates only new sessions against the new firewall policy configuration.
The firewall-session-dirty setting is available on the VDOM and firewall policy levels. It is set to
check-all by default, which instructs FortiGate to flag all sessions as dirty. To instruct FortiGate to follow
the firewall policy-level setting, you must set the VDOM-level setting to check-policy-option. Note that
the firewall policy-level setting is available only if the VDOM-level setting is set to check-policy-option.
DO NOT REPRINT
© FORTINET
Firewall Policy Changes and Sessions (Contd)
• Session is flagged as persistent
config system settings
set firewall-session-dirty check-new
end
This slide shows the details of an established SSH session when firewall-session-dirty is set to
check-new.
Note the presence of the persistent flag in the session, and the absence of the may_dirty flag, which
indicates that FortiGate does not perform a new firewall policy lookup if there is a configuration change.
DO NOT REPRINT
© FORTINET
In this section, you will learn about two useful troubleshooting tools: the built-in sniffer and the debug flow, and
how they are affected by hardware acceleration.
DO NOT REPRINT
© FORTINET
Advanced Packet Capture Options
# diagnose sniffer packet <interface> '<filter>' <level> <count>
<tsformat> <frame size>
• <count> stops packet capture after this many packets
• <tsformat> changes the timestamp format
• a – Absolute UTC time
• l – Local time
• <frame size> sets frame size that is printed before truncation (defaults to interface
MTU)
Level IP headers IP payload Ethernet headers Port names
1
2
3
4
5
6
Now you will learn about the built-in sniffer. When you enable this tool, you can choose from six verbosity
levels. The table on this slide shows the information displayed for each level. Level 4 is usually used to check
how the traffic is flowing and that FortiGate is not dropping packets. Level 3 or level 6 are usually used to
convert the output to packet capture (PCAP) format, which you can later analyze with a tool, such as
Wireshark.
DO NOT REPRINT
© FORTINET
Advanced Packet Capture Options―Output
# diagnose sniffer packet any 'host 8.8.8.8 and icmp’ 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 8.8.8.8 and icmp] any to capture all
interfaces
11.208116 lan in 10.1.10.1 -> 8.8.8.8: icmp: echo request
11.208370 wan1 out 172.20.121.11 -> 8.8.8.8: icmp: echo request
11.216576 wan1 in 8.8.8.8 -> 172.20.121.11: icmp: echo reply
11.216680 lan out 8.8.8.8 -> 10.1.10.1: icmp: echo reply
4 packets received by filter Number of packets matching the filter that
0 packets dropped by kernel could not be captured by the sniffer;
therefore, you must use a more specific
filter
Hub # diagnose sniffer packet any ‘icmp' 4 3 a
Using Original Sniffing Mode How many packets to
interfaces=[any] count
filters=[host 8.8.8.8 and icmp]
2023-12-30 18:04:48.722396 lan in 10.1.10.1 -> 8.8.8.8: icmp: echo request
2023-12-30 18:04:48.722549 wan1 out 172.20.121.11 -> 8.8.8.8: icmp: echo request
2023-12-30 18:04:48.730349 wan1 in 8.8.8.8 -> 172.20.121.11: icmp: echo reply
Timestamp
To sniff traffic in all interfaces, use the keyword any as the interface name.
Stop the sniffer by pressing Ctrl+C and check for dropped packets. If packets were dropped during the
sniffer process, it means that not all the traffic that matched the sniffer filter could be captured. So, you might
need to capture the traffic again using a stricter filter.
If you do not specify an option for the timestamp, the debug shows the time, in seconds, since it started
running. As you learned earlier in the lesson, you can prepend the local system time to easily correlate a
packet with another recorded event.
DO NOT REPRINT
© FORTINET
GUI Packet Capture
On the GUI under Network > Diagnostics > Sniffer, you can perform the same function as described on the
previous slide without using a CLI command. In FortiOS version 7.4 and later, you can run multiple packet
captures simultaneously to capture ingress and egress traffic at the same time. You can also save the
captured packets as a PCAP.
DO NOT REPRINT
© FORTINET
Debug Flow
• Shows kernel decisions
• Multistep command
• Enable display of function names:
# diagnose debug flow show function-name enable
• Enable display of firewall policy matching decisions:
# diagnose debug flow show iprope enable
• Specify the filter:
# diagnose debug flow filter [filter]
• Enable output:
# diagnose debug enable
• Start the trace:
# diagnose debug flow trace start <count>
• Stop the trace:
# diagnose debug flow trace stop
The debug flow is also called the internal sniffer because it works similarly to the built-in sniffer, but the output
shows step-by-step, and with details, what the kernel is doing with each packet.
DO NOT REPRINT
© FORTINET
Debug Flow Example SYN
ACK
id=65308 trace_id=23 func=print_pkt_detail line=5885 msg="vd-root:0 received a packet(proto=6, 10.0.10.183:50212-
>31.13.68.35:443) tun_id=0.0.0.0 from port2. flag [.], seq 903440373, ack 2086754627, win 1027"
id=65308 trace_id=23 func=resolve_ip_tuple_fast line=5973 msg="Find an existing session, id-00000199, original
direction"
id=65308 trace_id=23 func=npu_handle_session44 line=1327 msg="Trying to offloading session from port2 to port1,
skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00000100"
id=65308 trace_id=23 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=00000100"
id=65308 trace_id=23 func=__ip_session_run_tuple line=3451 msg="SNAT 10.0.10.183->10.0.1.206:50212"
This slide shows an example of a debug flow output. In this example, the debug flow has captured the three
packets of a TCP three-way handshake. The output for the SYN packet shows when the kernel creates a new
session (with its session ID), finds the route to the destination, and applies NAT. It also shows the ID of the
policy that matches this traffic.
The output of the SYN/ACK and ACK packets shows the session ID and NAT information.
This tool is useful for many troubleshooting cases, such as when you need to understand why a packet is
taking a specific route, or why a specific NAT IP address is applied.
DO NOT REPRINT
© FORTINET
Common Debug Flow Blocking Messages
• Denied by forward policy check (policy 0)
• No firewall policy allows the traffic
• A firewall policy allows the traffic, but a disclaimer is enabled—you must accept the disclaimer first
• Denied by quota check
• Packet dropped because of traffic shaping
• No matching IPsec selector, drop
• Packet dropped because source or destination IP address is not included in IPsec phase 2 quick-mode
selectors
The debug flow can also help you identify why FortiGate is dropping packets. In those cases, the debug flow
usually shows an error message explaining why a packet was dropped.
This slide shows three messages that you commonly see in debug flow output when FortiGate is dropping
packets:
• Denied by forward policy check (policy 0) indicates that either no firewall policy allows the
traffic, or that a disclaimer has not yet been accepted.
• Denied by quota check indicates that the packet was dropped because of a traffic shaper that has
exceeded one of its thresholds.
• No matching IPsec selector, drop means that the source or destination IP address of the traffic
trying to cross the VPN tunnel is not included in the IPsec phase 2 quick-mode selectors.
DO NOT REPRINT
© FORTINET
Common Debug Flow Blocking Messages (Contd)
• reverse path check fail, drop
• Packet dropped because of the reverse path forwarding check
• iprope_in_check() check failed, drop
• Packet is destined to a FortiGate IP address (management traffic) but:
• The service is not enabled
• The service is using a different TCP port
• The source IP address is not included in the trusted host list
• The packet matches a local-in policy with action deny
This slide shows two more common debug flow error messages. The first error message indicates that the
packet failed the reverse path forwarding check.
DO NOT REPRINT
© FORTINET
GUI Debug Flow
Just like with the sniffer tool, you can run the debug flow from the GUI. Once completed, you can save the
output as a CSV file.
DO NOT REPRINT
© FORTINET
Hardware Acceleration Considerations
• After you disable hardware acceleration, the CPU processes all packets
• Sniffer and debug flow will now pick up the packets
For the packet sniffer and debug flow to pick up traffic, all packets must arrive at the CPU.
This can be accomplished by disabling hardware acceleration. You can disable hardware acceleration at the
firewall level or the global level.
You should disable hardware acceleration only for troubleshooting purposes. Permanently disabling hardware
acceleration significantly decreases the performance of a FortiGate.
Once disabled, the CPU processes all packets, and the sniffer and debug flow can display traffic flow
information.
DO NOT REPRINT
© FORTINET
Disabling Hardware Acceleration—Firewall Policy
You can disable hardware acceleration for a single firewall policy by setting auto-asic-offload to
disable. This can be useful when the scope of troubleshooting traffic is known to be specific to one firewall
policy.
DO NOT REPRINT
© FORTINET
Disabling Hardware Acceleration—Global
• Disable Network Processor 6 (NP6) offloading for all traffic—diagnose:
diagnose npu <processor-name> fastpath disable <id>
• <processor-name> can be np6, np6xlite, or np6lite
• <id> is the ID of the NPU processor.
• Find the processor IDs using #diagnose npu np6 port-list
Chip XAUI Ports QSGMII Max Cross-chip
Speed offloading
------ ---- ------- ------ ----- ----------
np6_0 0 port1 NA 1G Yes
0 port5 NA 1G Yes
0 port17 NA 1G Yes
...
NP6 ID. Output taken from an FGT1500D
• Use the diagnose command. Depending on the FortiGate model, one or more NP6 units must be
disabled. In this example, the partial output of diagnose npu np6 port-list on a FortiGate 1500D is
shown. Since this is a diagnose command, fastpath is automatically reenabled when the FortiGate reboots.
• Use the config command. Fastpath is enabled by default. This disables all network processor offloading
for all traffic. This command applies to both NP6 and NP7.
Disabling hardware acceleration globally at the device level can have a significant impact on CPU
performance. You should disable hardware acceleration only for troubleshooting purposes. Reenable
hardware acceleration after you have completed troubleshooting.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario
• HTTPS management access is enabled on
FortiGate A
• Admin is unable to log in to FortiGate A
using HTTPS HTTPS management
What is your approach for the troubleshooting scenario shown on this slide?
The administrator is trying to access FortiGate A using HTTPS but is unable to do so. SSH access is working.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario (Contd)
• Ensure that packets arrive at FortiGate A
HTTPS management
Admin FortiGate A
FortiGate A # diagnose sniffer packet any "host 157.97.134.79 and port 443" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 157.97.134.79 and port 443]
16.507720 port1 in 157.97.134.79.20096 -> 10.0.1.206.443: syn 835638812
16.514996 port1 in 157.97.134.79.20110 -> 10.0.1.206.443: syn 3059129326
17.510046 port1 in 157.97.134.79.20096 -> 10.0.1.206.443: syn 835638812
17.521376 port1 in 157.97.134.79.20110 -> 10.0.1.206.443: syn 3059129326
Your first step should be to confirm that HTTPS packets that the administrator sent arrive at FortiGate A and
that communication is bidirectional. The best tool to use for this is the packet sniffer. You can see that
FortiGate A is not returning a SYN/ACK packet to the administrator.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario (Contd)
• Use the debug flow HTTPS management
Admin FortiGate A
FortiGate A # diagnose debug flow filter addr 157.97.134.79
FortiGate A # diagnose debug flow filter port 443
FortiGate A # diagnose debug flow show function-name enable
show function name
FortiGate A # diagnose debug flow trace start 10
FortiGate A # diagnose debug enable
Now you must find out why the FortiGate is not responding. The best tool to use for this is the debug flow.
The FortiGate is dropping the traffic with the error message "iprope_in_check() check failed on
policy 0, drop"
Earlier in this lesson, you learned that this error message can have several meanings, including:
• The service is not enabled
• The service is using a different port
• The source IP address is not included in the trusted hosts list
• The packet matches a local-in policy with the action deny
In this scenario, the HTTPS management port was changed from 443 to 10443. Browse to the FortiGate on
TCP port 10443 to resolve the issue.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario (Contd)
FortiGate A # diagnose sys session filter
session filter: HTTPS management
---omitted---
source ip: 157.97.134.79-157.97.134.79
---omitted---
dest port: any Admin FortiGate A
---omitted---
No session was established, so the session table has no entry for the TCP port 443 traffic.
The only session established from the administrator IP address is the SSH session used for troubleshooting.
DO NOT REPRINT
© FORTINET
In this section, you will learn how FortiGate can create sessions for traffic that is expected but hasn’t yet
arrived.
DO NOT REPRINT
© FORTINET
Session Helper Example―Active FTP Case
Client
10.0.1.10 Server
1027 1026 21 20
data control TCP control channel connection
control data
To understand what a session helper does, look at the example shown on this slide of a network protocol that
might have problems when a network device is performing NAT. The example shows the FTP protocol
working in active mode.
Any FTP file transfer is composed of two TCP sessions: one for the control channel and one for data transfer.
The control channel is always initiated from the client to the server and is used to send the FTP commands.
The FTP commands allow the client to move through the server folder, specify the type of file transfer, and
initiate the data channel for uploading or downloading a file.
FTP has two modes: active and passive. The mode determines which device initiates the data channel. In
passive mode, the client initiates the data channel. In active mode, the client sends the port command
through the control channel. The command includes the client IP address and the TCP port for the incoming
data channel. Then, the server initiates the TCP session to the IP address and port number specified by the
port command.
DO NOT REPRINT
© FORTINET
Active FTP With NAT and No Session Helper
• Router performing NAT of 10.0.1.10 to 10.200.1.1
FTP payload
Data channel to
10.0.1.10, TCP port 55402
cannot be established
Active FTP does not work if the control channel crosses a network device performing NAT, and that does not
have a session helper. In the example shown on this slide, an FTP client is connecting to an active mode FTP
server. A router in the middle is performing NAT on the client IP address 10.0.1.10 to the NAT IP address
10.200.1.1.
After the control channel is up, the client sends the port command with its IP address, 10.0.1.10, as the
destination for the data channel.
When that FTP packet crosses the router, the source IP address in the IP header is changed from
10.0.1.10 to 10.200.1.1. However, the IP address in the FTP port command is not translated to
10.200.1.1.
After the server receives that FTP command, it tries to bring up the TCP session for the data channel. It sends
the SYN packet to the IP address 10.0.1.10. This address is probably not routable because it is a private IP
address behind a device performing NAT.
DO NOT REPRINT
© FORTINET
Active FTP With NAT and Session Helper
• FortiGate performing NAT of 10.0.1.10 to 10.200.1.1
IP address inside
the payload is
Firewall creates an expected translated
session to allow the traffic that
comes to port 60428
The FTP session helper fixes this problem by replacing the router with a FortiGate.
When the packet with the FTP port command arrives at FortiGate, FortiGate not only translates the source
IP address in the IP header, but the session helper also translates the IP address inside the FTP port
command. If the source port is also translated in the TCP header, the session helper also does the same in
the port command.
Another important function of the session helper is to temporarily create an expected session (or pinhole) for
the data channel connection that comes from the server. This means that the administrator does not need to
manually create firewall policies to allow these incoming TCP sessions (which use random TCP port
numbers). The session helper automatically creates the session and opens the door for the incoming
connection.
After that, the server connects the data channel to the correct IP address: 10.200.1.1. That incoming TCP
connection is allowed by the expected session that the session helper created previously, even when no
firewall policy allows it.
DO NOT REPRINT
© FORTINET
Active FTP With NAT and Session Helper (Contd)
id=13 trace_id=1098 msg="vd-root received a packet(proto=6, 10.0.1.10:55402->93.157.14.94:21) from Internal
id=13 trace_id=1098 msg="Find an existing session, id-008423f4, original direction"
id=13 trace_id=1098 msg="SNAT 10.0.1.10->10.200.1.1:60428"
id=13 trace_id=1098 msg="run helper-ftp(dir=original)"
In this slide, you can see the debug flow message that is shown when a session helper is being used. In this
example, the run helper-ftp message indicates that the FTP session helper is being used.
You can also see that FortiGate created an expectation session and opened the pin-hole port for the
expected return traffic from the server with the IP address 93.157.14.94.
DO NOT REPRINT
© FORTINET
Active FTP―Sniffer Before FortiGate
This slide shows a packet capture of the previous FTP traffic before the port command reaches FortiGate.
You can see the original client IP address, 10.0.1.10.
DO NOT REPRINT
© FORTINET
Active FTP―Sniffer After FortiGate
This slide shows another packet capture, this time after the port command crosses FortiGate. The session
helper has translated the IP address inside the port command to 10.200.1.1.
DO NOT REPRINT
© FORTINET
Review
Analyze the information in the session table
Understand the various session flags
Capture traffic using the built-in sniffer
Analyze the output of the debug flow
Describe hardware offloading implications
Configure and troubleshoot session helpers
This slide shows the objectives that you covered in this lesson.
By mastering the objectives covered in this lesson, you learned about traffic and session monitoring.
DO NOT REPRINT
© FORTINET
FortiOS 7.4
Last Modified: 25 April 2024
In this lesson, you will learn about the Fortinet Security Fabric.
DO NOT REPRINT
© FORTINET
Objectives
• Understand what the Security Fabric is
• Troubleshoot FortiGate-to-FortiGate downstream communication and performance
issues
• Troubleshoot resource issues that the Security Fabric daemon causes
• Diagnose automation stitches
After completing this lesson, you should be able to achieve the objectives shown on this slide.
By demonstrating competence in the Security Fabric, you will be able to describe what the Security Fabric is,
the protocols it operates on, and how to troubleshoot common communication and resource issues. You will
also learn how to diagnose automation stitches.
DO NOT REPRINT
© FORTINET
In this section, you will get a quick overview of the Security Fabric.
DO NOT REPRINT
© FORTINET
What Is the Security Fabric?
• Intelligent architecture interconnecting security
solutions
• Detects, blocks, and remediates attacks
across the entire attack surface
• Broad protection and visibility throughout the
entire network
• Supports all system types
• Hardware
• Virtual
• Cloud-based
The Security Fabric provides an intelligent architecture that allows security devices to communicate with each
other. This integrated approach allows for the detection, monitoring, and remediation of attacks across the
entire attack surface.
Hardware, virtual, and cloud-based systems are supported, delivering broad protection and visibility
throughout the network.
DO NOT REPRINT
© FORTINET
Security Fabric Components
• Core
• Root FortiGate
• Downstream FortiGate
• FortiAnalyzer or Fortinet Cloud Logging Service
At the core of the solution, the mandatory products are two or more FortiGate devices in NAT mode and a
logging system. The logging system must be FortiAnalyzer, FortiAnalyzer Cloud, or FortiGate Cloud.
Note that all FortiGate devices must operate in NAT mode in order to participate in the Security Fabric.
To add more visibility and control, Fortinet recommends adding FortiManager, FortiAP, FortiClient,
FortiSandbox, FortiMail, and FortiSwitch. You can extend the solution by adding other network security
devices.
DO NOT REPRINT
© FORTINET
Security Fabric Communications
• FortiTelemetry
• Uses TCP port 8013
• Connection is always established by downstream FortiGate
• Must be manually enabled on a FortiGate interface under Administrative Access
• Neighbor Discovery
• Uses UDP port 8014
• Sends broadcast messages every 60 seconds
• Responsible for security logging behavior
The Security Fabric uses two Fortinet proprietary protocols: FortiTelemetry and Neighbor Discovery.
The default TCP port 8013 for FortiTelemetry can be changed if necessary. In order for a downstream
FortiGate to join the Security Fabric, it must initiate the session to the upstream FortiGate through TCP port
8013. For an upstream FortiGate to be able to accept connections from a downstream FortiGate, the Security
Fabric Connection setting must be enabled on the network interface (on the GUI under Administrative
Access).
UDP port 8014 is used for the Neighbor Discovery protocol. This protocol and port are used to exchange
informational updates, such as topology changes, among Security Fabric member nodes. It is also used to
control logging behavior so that the same traffic is not logged multiple times. Only FortiGate, or the device
connected to the source of the session, creates the log. Unlike the FortiTelemetry port, the Neighbor
Discovery port cannot be changed.
DO NOT REPRINT
© FORTINET
In this section, you will learn about FortiGate-to-FortiGate communications within the Security Fabric, as well
as how to diagnose and troubleshoot potential issues.
DO NOT REPRINT
© FORTINET
Identifying Downstream Communication Issues
• Unable to connect to root FortiGate
• Potential issues:
• Administrative access disabled for Security Fabric on upstream FortiGate
• FortiOS firmware mismatch
• Device has not been authorized yet on
root FortiGate
• Wrong IP address configured for root
FortiGate
• FortiGate not in NAT mode
• TCP port 8013 blocked
• UDP port 8014 blocked
The screenshot on this slide shows a communication issue between an upstream FortiGate and a
downstream FortiGate. Some common causes of this issue include:
• The Security Fabric Connection setting has not been enabled on the upstream FortiGate GUI (under
Administrative Access).
• The FortiGate devices in the Security Fabric are not using the same firmware.
• The device has not been authorized on the root FortiGate yet.
• The wrong root FortiGate IP address is configured on the downstream FortiGate.
• The FortiGate is not configured in NAT mode.
• TCP port 8013 is blocked. You can use the diagnose sniffer command to verify this.
DO NOT REPRINT
© FORTINET
Troubleshooting Downstream Communication Issues
• Unsuccessful connection
• FortiTelemetry disabled
# diagnose sniffer packet any "tcp port 8013 or udp port 8014" 4
FortiTelemetry disabled
Using Original Sniffing Mode
interfaces=[any]
filters=[tcp port 8013 or udp port 8014]
47.220358 port1 in 192.168.1.112.11234 -> 192.168.1.111.8013: syn 1204417526
48.215338 port1 in 192.168.1.112.11234 -> 192.168.1.111.8013: syn 1204417526
50.218552 port1 in 192.168.1.112.11234 -> 192.168.1.111.8013: syn 1204417526
54.222117 port1 in 192.168.1.112.11234 -> 192.168.1.111.8013: syn 1204417526
The first step in troubleshooting communication issues related to the Security Fabric is to run a sniffer on TCP
port 8013 or UDP port 8014. In this example, the downstream FortiGate with the IP address 192.168.1.112
is unable to establish a connection with the upstream FortiGate configured with 192.168.1.111. Since you
can see the traffic arriving at the upstream FortiGate, TCP port 8013 is not blocked along the way. Instead,
FortiTelemetry has not been enabled on the appropriate interface.
DO NOT REPRINT
© FORTINET
Troubleshooting Downstream Communication Issues (Contd)
• Unsuccessful connection
• Downstream device not authorized
# diagnose sys csf authorization pending-list
Serial IP Address HA-Members Appliance Path
-----------------------------------------------------------------------------------------------------------
FGVMULTM23000469 FGVMULTM23000469 fortigate FGVMULTM22000957:FGVMULTM23000469
# diagnose sniffer packet any "tcp port 8013 or udp port 8014" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[tcp port 8013 or udp port 8014]
47.220358 port1 in 192.168.1.112.11234 -> 192.168.1.111.8013: syn 1204417526
48.215338 port1 in 192.168.1.112.11234 -> 192.168.1.111.8013: syn 1204417526
50.218552 port1 in 192.168.1.112.11234 -> 192.168.1.111.8013: syn 1204417526
54.222117 port1 in 192.168.1.112.11234 -> 192.168.1.111.8013: syn 1204417526
Another example of a similar symptom could be that the downstream device has not yet been authorized on
the root FortiGate. You can verify whether there is a pending authorization using the command shown on this
slide. You can accept a pending authorization using the command: diagnose sys csf authorization
accept <Serial Number of FortiGate>. You can also deny the pending authorization by replacing
accept with deny in the command. You also have the option to view pending authorization requests in the
GUI under System > Firmware & Registration.
DO NOT REPRINT
© FORTINET
Troubleshooting Downstream Communication Issues (Contd)
• Successful connection
• FortiTelemetry enabled
# diagnose sniffer packet any "tcp port 8013 or udp port 8014" 4 FortiTelemetry must be
manually enabled
Using Original Sniffing Mode
interfaces=[any]
filters=[tcp port 8013 or udp port 8014]
9.369595 port1 in 192.168.1.112.16173 -> 192.168.1.111.8013: psh 2385744074 ack 216959785
9.369720 port1 out 192.168.1.111.8013 -> 192.168.1.112.16173: psh 216959785 ack 2385744169
9.370018 port1 in 192.168.1.112.16173 -> 192.168.1.111.8013: ack 216959880
12.371901 port1 in 192.168.1.112.16173 -> 192.168.1.111.8013: psh 2385744169 ack 216959880
12.371983 port1 out 192.168.1.111.8013 -> 192.168.1.112.16173: psh 216959880 ack 2385744264
12.372127 port1 in 192.168.1.112.16173 -> 192.168.1.111.8013: ack 216959975
After you select the Security Fabric Connection checkbox, and then apply the changes, FortiTelemetry
becomes active on the FortiGate interface, which allows incoming Security Fabric connection requests to be
accepted. The downstream FortiGate has successfully established a connection with the upstream FortiGate.
DO NOT REPRINT
© FORTINET
Troubleshooting Downstream Communication Issues (Contd)
• Non-root FortiGate
# diagnose test application csfd 1 Downstream info
Dump CSF daemon info device total: 1
group name:
group pwd: * # 1
status: Active sn: FGVMULTM23000472
auth by cert: n id: 2
ip: 192.168.1.112
Upstream info port: 11405
sn: FGVMULTM22000957 status: link-ok SSL-ok hello-ok auth-ok
id: 1 no response: 0
ip: 192.168.1.108 SLBC member: n
port: 8013
status: link-ok SSL-ok hello-ok auth-ok
no response: 0
SLBC member: n
Use the command diagnose test app csfd 1 to confirm that two or more devices in the Security Fabric
are communicating properly. The command lists Security Fabric statistics, such as all upstream and
downstream devices, including their IP address, serial number, and status. In the example on this slide, the
command was run on a FortiGate connected to an upstream FortiGate as well as a downstream FortiGate.
DO NOT REPRINT
© FORTINET
Troubleshooting Downstream Communication Issues (Contd)
• Root FortiGate
On this slide, you can see the differences when the command is run on the root FortiGate. The group name is
shown, and no upstream information is available, because this FortiGate sits at the top of the topology.
DO NOT REPRINT
© FORTINET
Upstream and Downstream FortiGate
# diagnose sys csf upstream
Upstream Information:
Serial Number:FGVMULTM22000957
IP:192.168.1.108
Connecting interface:port1
Connection status:Authorized
Use the commands shown on this slide on a non-root FortiGate to view detailed information about upstream
and downstream devices.
DO NOT REPRINT
© FORTINET
Detailed Summary of Connected Devices
# diagnose sys csf global
Current vision:
[
{
"path":" FGVMULTM22000957 ",
"mgmt_ip_str":"",
"mgmt_port":0,
"object_unification":1,
"serial":" FGVMULTM22000957 ",
"host_name":"FGT-1",
"firmware_version_major":7,
"firmware_version_minor":4,
"firmware_version_patch":2,
"firmware_version_build":2571,
"firmware_version_branch":2571,
...
The command diagnose sys csf global shows a summary of all connected devices in the Security
Fabric.
DO NOT REPRINT
© FORTINET
Performance Issues
In this section, you will learn how to troubleshoot performance issues related to the Security Fabric.
DO NOT REPRINT
© FORTINET
Real-Time Application Debug
• csfd is the daemon responsible for anything related to the Security Fabric
• Useful to troubleshoot issues such as a frozen GUI
# diagnose debug application csfd -1
Serial number of
# diagnose debug enable downstream device
...
<2490-U> 04 __nstd_recv()-621:
<2490-U> 10000000 conn_msg_type_check()-521: 192.168.1.112:11670 r_hdr.len:2842
hdr_type:NSTD_MSG_TREE_UPD path_len:0 ttl:0
<2490-U> 80 tree_updater_validate_tree_upd()-48: received update from downstream: FGVMULTM23000472
<2490-U> 10000000 nstd_recv_hd()-653: Forwarding NSTD_MSG_TREE_UPD pkt from 192.168.1.112:11670 to
priv
<2490-U> 10 daemon_send_internal_msg_ex()-211: Sending internal msg NSTD_INTERNAL_MSG_EXTERNAL_PKT
data_len=2842
<2490-U> 04 nstd_chan_data_ep_hd()-194: IP and connecting TCP port
of downstream device
...
Use the real-time application debug shown on this slide to troubleshoot issues as they are occurring.
For example, if the GUI lags during login, run the debug before navigating to the FortiGate management IP.
This same debug can also be used to troubleshoot communication issues. In this output, you can see
communication with the downstream FortiGate. The downstream FortiGate always establishes the Security
Fabric session with the upstream FortiGate. This is why the TCP source port in this example is 11405, not
8013.
DO NOT REPRINT
© FORTINET
High CPU Usage Caused by csfd
• Outputs to gather if csfd causes high CPU
• Helpful for Fortinet Support
# diagnose debug application csf -1
Can be gathered using the
# diagnose debug enable command diagnose sys
top
When csfd causes high CPU usage, use the same real-time debug. In addition, it is helpful to gather the
output that the three additional diagnose commands shown on this slide provide. All three commands dump
CPU information about the csfd process, which can reveal a potential bug.
You can find the process ID of csfd by running the diagnose sys top command.
DO NOT REPRINT
© FORTINET
High Memory Usage Caused by csfd
• Outputs to gather if csfd causes high memory usage
When troubleshooting high memory usage issues caused by csfd with Fortinet Support, you should collect
the output of the commands shown. Each command output contains valuable information about the cause of
the high memory use. Note that the diagnose test application command is not a real-time debug and
therefore will not cause additional performance impacts on FortiGate.
DO NOT REPRINT
© FORTINET
Automation Stitches
In this section, you will learn about automation stitches and how to troubleshoot them.
DO NOT REPRINT
© FORTINET
Automation Stitches—Overview
• Automate actions among different systems in the Security Fabric
• Decreases response times to security events
• Can be configured only on the root FortiGate
• Events within the entire Security Fabric can be monitored
• Consists of a trigger and an action or actions
• Trigger: an event that triggers an action, such as a failed login attempt
• Action: the resulting response to the trigger, such as a notification email sent to
the administrator
• You can set a minimum interval to avoid too many notifications
• Use CLI commands to test, log, and display settings and statistics
• Can be run from any FortiGate in the Security Fabric
Administrator-defined automated workflows (called stitches) use if/then logic to cause FortiOS to automatically
respond to an event in a preprogrammed way. Because this workflow is part of the Security Fabric, you can
set up stitches for any device in the Security Fabric. If you configure stitches in a Security Fabric, you must
configure them on the root FortiGate. You configure stitches to run on all FortiGate devices in the Security
Fabric or a subset of FortiGate devices. Stitches configured on the root FortiGate are pushed to the relevant
downstream FortiGate devices. The root FortiGate does not need to be operational for previously configured
stitches to function on downstream FortiGate devices.
Each automation stitch pairs an event trigger and one or more actions, which allows you to monitor your
network and take appropriate action when the Security Fabric detects a threat or other actionable event. You
can use automation stitches to detect events from many sources. Some examples include high CPU,
conserve mode, High Availability (HA) failover, reboot, FortiOS event logs with customizable filters, indicators
of compromise (IoCs), and event handlers from FortiAnalyzer.
You can configure the Minimum interval (seconds) setting to make sure you don’t receive repeat
notifications about the same event.
There are several CLI commands available to test, log, and display settings and statistics. These commands
will be covered in this lesson.
DO NOT REPRINT
© FORTINET
Testing Automation Stitches
• Manually test an automation stitch
# diagnose automation test
Usage: diag automation test [stitch name] [log]
You can use the diagnose automation test command to manually test an automation stitch. The
resulting output reveals whether or not the test was successful. Reasons for a failed test include the wrong
stitch name was used or the stitch was unable to perform one or more actions.
DO NOT REPRINT
© FORTINET
Troubleshooting Automation Stitches
• Real-time application debug
# diagnose debug application autod -1
Debug messages will be on for 30 minutes.
The real-time application debug shown on this slide can be used to troubleshoot automation stitches as they
are running.
DO NOT REPRINT
© FORTINET
Automation Stitch Log Dumping
• Enable log dumping to view log statistics
# diagnose test application autod 1
autod(pid:2226) log packet dump enabled
Use the diagnose test application autod 1 command to toggle log dumping. Executing the
command once enables the log dump. Executing it again outputs the dump, while simultaneously disabling it.
This may be useful if you want to save all automation stich logs to a file or free up log space on the FortiGate
hard drive.
DO NOT REPRINT
© FORTINET
View Automation Stitch Settings
# diagnose test application autod 2
csf: enabled root: yes sync connection: connected
version:1704703038 sync time:Mon Jan 8 10:35:09 2024
• Output
total of aactivated:
stitches failed test2
stitch: ConfigurationChange
destinations: all
trigger: Configuration Change
type:config change
The diagnose test application autod 2 command displays the settings for all automation stitches.
DO NOT REPRINT
© FORTINET
View Automation Stitch Statistics
# diagnose test application autod 3
alert mail log count: 0
stitch: ConfigurationChange
• Output of ahit:
local failed test
3 relayed to: 0 relayed from: 0
last trigger:Mon Jan 8 10:41:02 2024
last relay:
actions:
Backup Config Disk:
done: 3 relayed to: 0 relayed from: 0
last trigger:Mon Jan 8 10:41:02 2024
last relay:
The diagnose test application autod 3 command provides detailed statistics on every automation
stitch configured in the Security Fabric.
DO NOT REPRINT
© FORTINET
View Running Automation Stitches
# diagnose test application autod 5
• Outputstitches:
running of a failed
3 test
The output of the diagnose test application autod 5 command shows the number of stitches
currently running. It also shows how many stitches have been successfully or unsuccessfully completed.
DO NOT REPRINT
© FORTINET
Review
Understand what the Security Fabric is
Troubleshoot FortiGate-to-FortiGate downstream communication and
performance issues
Troubleshoot resource issues that the Security Fabric daemon causes
Diagnose automation stitches
This slide shows the objectives that you covered in this lesson.
By mastering the objectives covered in this lesson, you learned what the Security Fabric is, the protocols it
operates on, and how to troubleshoot common communication and resource issues. You also learned how to
diagnose automation stitches.
DO NOT REPRINT
© FORTINET
FortiGate 7.4
Last Modified: 25 April 2024
In this lesson, you will learn about firewall authentication and how to troubleshoot issues.
DO NOT REPRINT
© FORTINET
Objectives
• Understand user authentication logs
• Monitor authenticated users
• Understand LDAP, RADIUS, and SAML troubleshooting tools
• Understand LDAP and RADIUS common problems and solutions
After completing this lesson, you should be able to achieve the objectives shown on this slide.
By demonstrating competence in understanding firewall authentication, you will be able to understand how to
monitor the status of authenticated users and troubleshoot the most common problems with local, LDAP,
RADIUS, and SAML authentication.
DO NOT REPRINT
© FORTINET
In this section, you will learn about local authentication troubleshooting commands.
DO NOT REPRINT
© FORTINET
Diagnostic Steps for Authentication Issues
• FortiGate using LDAP, NTLM, RADIUS, and so on
• Can users authenticate?
• Are users being given the correct permissions?
• What do the event logs show?
• Was authentication successful at first but problems occurred later?
• Is the username correct?
• What do the logs show?
• Is traffic being blocked?
• Are users being treated with the correct profiles?
• What do the server logs show?
• FortiGate bases decisions on server responses
When a problem occurs, the first thing you should do is define the problem. The first step in troubleshooting
authentication problems is to collect specific information so you can narrow the scope of the problem. Is the
problem occurring for more than one user? Is the problem related to user authentication and not to user
permissions?
The first place you should check is the logs. What do they show? Is the username correct? Is the traffic being
blocked after the authentication? What user profile is assigned to the user?
In the case of remote server authentication (such as RADIUS or LDAP), you should also check the logs on the
server side. In remote server authentication cases, FortiGate authentication depends on the server response.
If the RADIUS credentials are invalid, what do the RADIUS server logs show? Is the user account still active
on the RADIUS server?
DO NOT REPRINT
© FORTINET
User Authentication Monitor
Dashboard > Firewall User Monitor
This slide shows an example of the Firewall User Monitor. A log and event can be generated each time a
user authentication action is successful or fails. This FortiView menu is not included on the GUI menu by
default―you must enable it.
DO NOT REPRINT
© FORTINET
Monitoring Authenticated Users
• On the GUI:
• On the CLI:
ISFW # diagnose firewall auth filter [source | policy | user | group | method]
10.1.10.1, User1
src_mac: 02:09:0f:00:08:01
type: fw, id: 0, duration: 8962, idled: 56
expire: 243, allow-idle: 300
packets: in 10656 out 6419, bytes: in 9571640 out 923906
user_id: 16777219
group_id: 2
group_name: Local_Group
----- 1 listed, 0 filtered ------
You can check the list of active users on the GUI or CLI. On the CLI, the command is diagnose firewall
auth list. You can filter the output with the command diagnose firewall auth filter. In the
example on this slide, you can see some of the filter options that are available.
DO NOT REPRINT
© FORTINET
Session for an Authenticated User
ISFW # diagnose sys session list
Any session for traffic coming from an authenticated user contains the authed flag. Additionally, the
username is added to the session information.
DO NOT REPRINT
© FORTINET
Authentication Real-Time Debug
There is a real-time debug for troubleshooting problems that are related to any user authentication methods:
local, remote, and even FSSO. The debug command is diagnose debug application authd.
DO NOT REPRINT
© FORTINET
In this section, you will learn about troubleshooting commands and common issues with LDAP authentication.
DO NOT REPRINT
© FORTINET
LDAP Directory Tree Example
dc=example,dc=com
ou= hr ou= it
uid= abush
uid= apiquet uid: jsmith
email:
[email protected]
objectClass:
inetOrgPerson
The hierarchy of an LDAP schema does not need to resemble the organization. However, the naming
conventions and group structure is usually a close match to the company hierarchy.
This slide shows the root or DC. In any LDAP schema, this is where an LDAP tree always starts.
After that, the groups (or branches) are defined using C, OU, or O. The exact behavior and options used
depend on the schema and what exactly is being defined. Branches may contain objects and each object
contains attributes. Objects are uniquely identified by their distinguished names (DNs). The full DN specifies
where the object is, and the name and value of an attribute that can be used to find it.
DO NOT REPRINT
© FORTINET
Regular Bind Flow―Group Query
Bind request
Bind DN: cn=administrator,cn=Users,dc=TAC,dc=ottawa,dc=fortinet,dc=com
Step 1 Bind<admin_password>
Search request
Step 2
FortiGate device
LDAP server
Filter: sAMAccountName=jsmith
SearchResEntry
DN: cn=John Smith,cn=Users,dc=TAC,dc=ottawa,dc=fortinet,dc=com
Unbind Request
Bind request
Bind DN: cn=John Smith,cn=Users,dc=TAC,dc=ottawa,dc=fortinet,dc=com
Step 3 Bind <user_password>
Step 4
© Fortinet Inc. All Rights Reserved. 11
There are three different methods, or bind types, that FortiGate can use to access an LDAP server: simple,
anonymous, and regular. In this lesson, you will learn about regular bind, which is the most complex, versatile,
and commonly used method.
There are four steps to LDAP authentication using regular bind. First, FortiGate logs in to (binds to) the LDAP
server using an LDAP administrator account. At this point, FortiGate knows only the username, but it doesn't
know the branch where the user is located. During the second step, FortiGate does a search query in the
LDAP database to find the user’s location―in other words, the user’s DN. If the user is found, the server
replies with the user’s DN. After that, FortiGate logs out of (unbinds from) the LDAP server.
The third step is another bind, but this time using the user credentials. FortiGate sends the DN, which it
learned in the previous step, and password.
The last step is to get the user group information. How this is done depends on the type of LDAP server, but it
is generally achieved through an LDAP query.
When you are isolating an issue with LDAP, the first step is to determine which of these four steps is failing.
DO NOT REPRINT
© FORTINET
Regular Bind Configuration
User & Authentication > LDAP Servers
Most LDAP authentication issues are caused by misconfigurations. So, you will learn how to check if the
regular-bind LDAP configuration is correct. You will analyze a use case in which an LDAP server is based on
Windows AD, which is the most common use case.
DO NOT REPRINT
© FORTINET
Windows AD Regular Bind Configuration
• To see the DN, run either of these two commands from the server command prompt:
• > dsquery user –name <full_user_name>
• > dsquery user –samid <login_username>
• For example, for the following output:
• > dsquery user –samid jsmith
• “cn=John Smith,cn=users,dc=california,dc=fortinet,dc=com”
• Configure the DN as:
• dc=california,dc=fortinet,dc=com
How do you check if the DN is configured correctly? You can run either of these two commands in the
Windows AD server command prompt:
• dsquery user –name <full_user_name>
• dsquery user –samid <login_username>
The output displays the user DN. The DN configuration specifies a parent branch that all users are located
under. FortiGate searches users in any sub-branch below the parent branch. In the example on this slide, the
DN settings are: dc=california,dc=fortinet,dc=com.
DO NOT REPRINT
© FORTINET
Windows AD Regular Bind Configuration (Contd)
• To see the user DN (or bind DN), run either of these two commands from the server
command prompt:
• > dsquery user –name <admin_full_user_name>
• > dsquery user –samid <admin_login_username>
• Copy and paste the full administrator DN
The user DN (or bind DN) setting is the full DN of the LDAP admin account.
You can use the Windows LDAP server command (dsquery) to find that information.
DO NOT REPRINT
© FORTINET
Windows AD Regular Bind Configuration (Contd)
You can simply copy and paste the full DN output from the server command prompt to the FortiGate
configuration.
DO NOT REPRINT
© FORTINET
Windows AD Regular Bind Configuration (Contd)
cn for full name,
or sAMAccountName for login-name
Output of:
dsquery user –name <full_user_name>
dsquery user –samid <user_login_name>
Output of:
dsquery user –name <full_admin_user_name>
dsquery user –samid <admin_login_name>
Administrator password
© Fortinet Inc. All Rights Reserved. 16
This slide shows a summary of how to correctly configure regular bind for Windows AD. A different type of
LDAP server might require a different approach.
You usually set the Common Name Identifier to CN or sAMAccountName. If you set it to CN, users must
authenticate using their full names (for example, John Smith). If you set it to sAMAccountName, users must
authenticate using their login names (for example, jsmith).
You can find the DN that you must type in the Distinguished Name field by querying the user’s DN with the
Windows AD command dsquery.
You can find the information that you must type in the Username field by querying the administrator DN with
the same Windows AD command dsquery.
DO NOT REPRINT
© FORTINET
Authentication Test Command
The CLI includes an LDAP authentication test command, which is diagnose test authserver ldap. If
both the credentials and LDAP configuration are correct, you receive an authentication confirmation, as well
as a list of the user groups for that user.
You can run this test command as soon as you complete the LDAP server configuration—even before you
add any user groups, or authentication firewall policies to FortiGate. The command tests only the LDAP server
configuration and LDAP communication between FortiGate and the server.
DO NOT REPRINT
© FORTINET
Real-Time Debug
There is a real-time debug for LDAP and RADIUS. This slide shows a sample of the output you will see when
the configuration is correct.
A start_search_dn message indicates that FortiGate is performing step two: searching for the user in the
LDAP tree. This message includes the base branch (distinguished name setting) and the name of the
attribute used to locate the user (common name identifier setting).
If the LDAP server finds the user, the output shows Found DN, followed by the user’s full DN.
DO NOT REPRINT
© FORTINET
Real Time Debug (Contd)
ISFW # fnbamd_ldap.c[280] get_all_dn-Found 1 DN's
fnbamd_ldap.c[314] start_next_dn_bind-Trying DN 1:CN=John
Smith,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com
fnbamd_ldap.c[1399] fnbamd_ldap_get_result-Going to USERBIND state
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 8781845
fnbamd_ldap.c[520] start_multi_attribute_lookup-Adding attr 'memberOf'
fnbamd_ldap.c[536] start_multi_attribute_lookup-base:'CN=John
Smith,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com' filter:cn=* Bind user credentials
…
fnbamd_ldap.c[569] get_member_of_groups-Get the memberOf groups.
fnbamd_ldap.c[593] get_member_of_groups- attr='memberOf', found 2 values
fnbamd_ldap.c[600] get_member_of_groups-
val[0]='CN=SSLVPN,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com'
fnbamd_ldap.c[600] get_member_of_groups-
val[1]='CN=TAC,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com'
fnbamd_ldap.c[1477] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[1586] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[2081] fnbamd_auth_poll_ldap-Result for ldap svr 10.10.181.10
is SUCCESS User groups found
© Fortinet Inc. All Rights Reserved. 19
After that, FortiGate performs the third step: binding using the user credentials.
Finally, the output shows the fourth step: getting the list of user groups.
DO NOT REPRINT
© FORTINET
Sniffer
• diagnose sniffer packet any “port 389” 3
• If the bind fails, the LDAP server returns an error code
• 0x525 - user not found
• 0x52e - invalid credentials
• 0x530 - not permitted to logon at this time
• 0x531 - not permitted to logon from this workstation
• 0x532 - password expired
• 0x533 - account disabled
• 0x701 - account expired
• 0x773 - user must reset password
• 0x775 - account locked out
If there is a problem with the first step (admin bind) or the third step (user bind), you can sniff the traffic
between the FortiGate and the LDAP server to get the error code. The error code states explicitly why the
binding is failing.
The error codes shown on this slide are samples of generic LDAP error codes and specific to Active Directory.
DO NOT REPRINT
© FORTINET
Common Problems―Wrong Bind Password
ISFW # fnbamd_fsm.c[1274] handle_req-Rcvd auth req 6750209 for jsmith in Lab
opt=27 prot=0
fnbamd_ldap.c[637] resolve_ldap_FQDN-Resolved address 10.10.181.10, result
10.10.181.10
fnbamd_ldap.c[1255] fnbamd_ldap_get_result-Not ready yet
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 6750209
fnbamd_ldap.c[1321] fnbamd_ldap_get_result-
Error in ldap_result: 49 (Invalid credentials)
fnbamd_ldap.c[1603] fnbamd_ldap_get_result-Auth denied
fnbamd_auth.c[2074] fnbamd_auth_poll_ldap-Result for ldap svr 10.10.181.10 is
denied
fnbamd_comm.c[116] fnbamd_comm_send_result-Sending result 1 for req 6750209
Now, you will learn about some of the most common bind issues, and how to identify them in the output of the
real-time debug.
If you see the invalid credentials error right after an authentication attempt, this means a problem occurred in
step one. There is probably an issue with the administrator account credentials.
DO NOT REPRINT
© FORTINET
Common Problems―User Not Found
ISFW # fnbamd_fsm.c[1274] handle_req-Rcvd auth req 6750221 for jsmith in Lab
opt=27 prot=0
fnbamd_ldap.c[637] resolve_ldap_FQDN-Resolved address 10.10.181.10, result
10.10.181.10
fnbamd_ldap.c[232] start_search_dn-base:'DC=fortinet,DC=com'
filter:sAMAccountName=jsmith
fnbamd_ldap.c[1351] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 6750221
fnbamd_ldap.c[275] get_all_dn-Found no DN
fnbamd_ldap.c[298] start_next_dn_bind-No more DN left
fnbamd_ldap.c[1603] fnbamd_ldap_get_result-Auth denied
fnbamd_auth.c[2074] fnbamd_auth_poll_ldap-Result for ldap svr 10.10.181.10 is
denied
fnbamd_comm.c[116] fnbamd_comm_send_result-Sending result 1 for req 6750221
The message No more DN left indicates that a problem occurred in step two. The LDAP server couldn't
find the user in the LDAP tree.
DO NOT REPRINT
© FORTINET
Common Problems―Wrong User Password
ISFW # fnbamd_fsm.c[1274] handle_req-Rcvd auth req 6750221 for jsmith in Lab
opt=27 prot=0
fnbamd_ldap.c[637] resolve_ldap_FQDN-Resolved address 10.10.181.10, result
10.10.181.10
fnbamd_ldap.c[232] start_search_dn-base:'DC=fortinet,DC=com'
filter:sAMAccountName=jsmith
fnbamd_ldap.c[1351] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1833] poll_ldap_servers-Continue pending for req 6750221
fnbamd_ldap.c[275] get_all_dn-Found no DN
fnbamd_ldap.c[298] start_next_dn_bind-No more DN left
fnbamd_ldap.c[1603] fnbamd_ldap_get_result-Auth denied
fnbamd_auth.c[2074] fnbamd_auth_poll_ldap-Result for ldap svr 10.10.181.10 is
denied
fnbamd_comm.c[116] fnbamd_comm_send_result-Sending result 1 for req 6750221
If the output shows that the user was found, but an Auth denied message appears below, this indicates that
a problem occurred in step three. Either the user credentials are wrong or the user account is not active.
DO NOT REPRINT
© FORTINET
Common Problems―Groups Not Found
In some LDAP implementations, the user group information is not used. All LDAP users have the same
privileges, regardless of their AD group memberships. In those implementations, you can ignore this error
message.
DO NOT REPRINT
© FORTINET
Tips for Troubleshooting LDAP Authentication
• Is the admin bind not working?
• Check the bind name with these commands:
• > dsquery user –name <admin_full_user_name>
• > dsquery user –samid <admin_login_name>
• Check the bind password
• Sniff the error code coming from the server
• Could the LDAP server find the user?
• If the common name identifier is set to sAMAccountName, use the login name
• If it is cn, use the full name
• Check the distinguished name with this command:
• > dsquery user –name <full_user_name>
What do you do if the problem occurs in step one (admin bind is not working)?
• Use the dsquery query command to check the administrator DN.
• Check the admin password.
• Sniff the error code coming from the server.
What do you do if the problem occurs in step two (LDAP server could not find the user)?
• If the common name identifier is set to sAMAccountName, the user must use their login name. If it is set to
cn, the user must use their full name.
• Check the distinguished name setting with the dsquery command.
DO NOT REPRINT
© FORTINET
In this section, you will learn about RADIUS authentication troubleshooting commands.
DO NOT REPRINT
© FORTINET
RADIUS Overview
• Standard protocol that provides authentication, authorization, and accounting (AAA)
services
Access-Request
Access-Accept
or
Access-Reject
User FortiGate or RADIUS server
Access-Challenge
Normal authentication queries with the RADIUS protocol begin with an Access-Request being sent from the
FortiGate to the RADIUS server. A valid response to this query is Access-Accept or Access-Reject (yes or no,
effectively).
If two-factor authentication is enabled on the server, the response is an Access-Challenge message, which
means that the server is essentially looking for more information.
DO NOT REPRINT
© FORTINET
Testing RADIUS Queries
• On the CLI:
Just like there is for LDAP, there is a CLI test command for RADIUS. To respond, you must provide not only
the credentials for a test user, but also the authentication scheme. FortiGate supports the following RADIUS
schemes: CHAP, PAP, MS-CHAP, and MS-CHAPv2.
Also, just like it does for LDAP, this command tests only the FortiGate RADIUS server configuration. It does
not require any user group or firewall policy in the FortiGate configuration.
DO NOT REPRINT
© FORTINET
RADIUS Real-Time Debug
ISFW # diagnose debug application fnbamd -1
ISFW # diagnose debug enable
Username
fnbamd_fsm.c[1819] handle_req-Rcvd auth req 2 for student in RadiusServer opt=29 prot=1
fnbamd_fsm.c[336] __compose_group_list_from_req-Group 'RadiusServer'
fnbamd_pop3.c[573] fnbamd_pop3_start-student
fnbamd_cfg.c[443] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server
'RadiusServer' Scheme
fnbamd_radius.c[1006] fnbamd_radius_auth_send-Compose RADIUS request
fnbamd_radius.c[1195] fnbamd_radius_auth_send-Sent radius req to server 'RadiusServer':
IP=172.25.188.164 code=1 id=1 len=92 user="student" using CHAP
fnbamd_auth.c[268] radius_server_auth-Timer of rad 'RadiusServer' is added
fnbamd_fsm.c[428] create_auth_session-Total 1 server(s) to try
fnbamd_auth.c[1990] fnbamd_auth_handle_radius_result-Timer of rad 'RadiusServer' is deleted
fnbamd_auth.c[2016] fnbamd_auth_handle_radius_result-->Result for radius svr 'RadiusServer'
172.25.188.164(0) is 0
fnbamd_auth.c[2044] fnbamd_auth_handle_radius_result-Skipping group matching
fnbamd_fsm.c[825] find_matched_usr_grps-Skipped group matching
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 0 for req 2
fnbamd_fsm.c[568] destroy_auth_session-delete session 2
0: Authentication successful
1: Authentication failed
© Fortinet Inc. All Rights Reserved. 29
RADIUS is either a one-step or two-step process (depending on the use of two-factor authentication). It is not
as long as the four-step process that happens with LDAP regular bind. So, the output of the real-time debug is
usually shorter.
DO NOT REPRINT
© FORTINET
Sniffer on RADIUS Traffic
• Sniff UDP port 182 for authentication or port1813 for accounting
• i.e.: diagnose sniffer packet any “port 1812” 3
• Sniffer can capture various types of RADIUS data, including:
• User credentials
• RADIUS attributes
• Authentication requests, responses, and accounting information
• Timing and frequency of authentication requests and responses
When troubleshooting issues with RADIUS authentication or accounting, using a sniffer can be useful for
analyzing packets and identifying the root cause.
The initial step in using a sniffer is to assess whether RADIUS traffic is flowing uninterrupted between
FortiGate and the RADIUS server.
RADIUS typically uses port 1812 for authentication and port 1813 for accounting.
Sniffer output with a verbose level of 3 can be converted for analysis in Wireshark.
A sniffer can capture various types of data from RADIUS traffic, such as:
Analyzing the timing and frequency of RADIUS requests and responses can help you better understand the
authentication process.
DO NOT REPRINT
© FORTINET
In this section, you will learn about SAML authentication troubleshooting commands.
DO NOT REPRINT
© FORTINET
Security Assertion Markup Language (SAML) Overview
SAML is an open standard for exchanging authentication and authorization data between one IdP and one or
more SPs. Both parties exchange messages using the XML protocol as transport.
DO NOT REPRINT
© FORTINET
SAML Authentication Flow
Client SP IdP
Request resource
Builds auth
request
HTTP redirect
Follows redirect
Process auth
request
Send login form
Post form
Builds auth
response
HTTP post/redirect
HTTP post/redirect
Process auth
Redirect resource response
SAML authentication flow involves a series of steps to enable secure and standardized authentication.
Understanding the SAML authentication flow is crucial for effective troubleshooting and diagnostics when
encountering issues during the process. This knowledge will help you to identify at which step the issue is
taking place, if it involves the client, SP, IdP, or whether it is a factor unrelated to SAML, for example, traffic is
blocked.
The slide shows an example of a standard SAML authentication flow using a browser.
DO NOT REPRINT
© FORTINET
SAML Configuration as SP and IdP
FGT configured as SP FAC configured as IdP
As part of the troubleshooting process, it’s important to review the SAML configuration on the devices
configured as the SP and IdP.
In this slide, you can see sample configurations of a FortiGate acting as the SP and a FortiAuthenticator
acting as the IdP.
As we discussed in the previous slide, the client interacts with both the SP and IdP to collect authentication
information. A discrepancy between them will cause the authentication attempt to fail.
DO NOT REPRINT
© FORTINET
SAML Configuration as SP and IdP (Contd)
FGT: SAML Attributes FAC: SAML Attributes
SAML attributes are pieces of information about a user that are exchanged between IdPs and SPs during the
SAML authentication process. These attributes are included in the SAML assertion, which is built by the IdP
as part of the authentication process. The SAML assertion contains information about the user, such as their
identity, attributes, and authentication method.
While troubleshooting SAML issues, it is important to identify and compare the attributes configured as part of
the authentication process on both the SP and IdP. Verifying that these attributes match between the SP and
IdP configurations can help you to solve authentication problems.
DO NOT REPRINT
© FORTINET
SAML and SSO on FortiGate
• SAML configuration uses the ports of the service that it authenticates, for example:
• HTTPS authentication: default port 1003
• SAML config setting sample:
set single-logout-url "https://10.1.10.254:1003/remote/saml/logout/
A useful characteristic of SAML is that enables SSO on multiple FortiGate features, allowing users to access
multiple services with a single authentication.
You can configure SAML for multiple FortiGate features, such as:
• Administrator login
• SSL VPN
• Outbound firewall authentication
• Proxy policies
• Wireless (captive portal)
• IPsec VPN
When you configure SAML to perform authentication on one of these features, the SAML configuration
includes the port of that feature. If it’s used for HTTPS authentication, which by default uses port 1003, then
SAML configuration uses that port. For SSL VPN, the SAML configuration uses the port assigned to that
service, port 10443.
DO NOT REPRINT
© FORTINET
SAML Troubleshooting―Check Metadata
• Diagnostic and debug commands:
• SSL VPN metadata
diagnose vpn ssl saml-metadata
ISFW # diagnose vpn ssl saml-metadata FAC_SSL
<?xml version="1.0"?><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="http://10.1.10.254:10443/remote/saml/metadata/"> <SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <AssertionConsumerService isDefault="true" index="0"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://10.1.10.254:10443/remote/saml/login/"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="http://10.1.10.254:10443/remote/saml/logout/"/> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-
format:unspecified</NameIDFormat> </SPSSODescriptor></EntityDescriptor>
In some instances, you might need to download metadata to apply to the IdP.
For that purpose, FortiGate has diagnostic commands for SSL VPN and administrator login.
This slide shows output samples when using these diagnostic commands.
DO NOT REPRINT
© FORTINET
SAML Troubleshooting―Real-Time Debug
• FortiGate SAML daemon real-time debug
• diagnose debug application samld -1
• Better used in combination with the feature that applies this authentication method:
• sslvpnd
• iked
• cw-acd
• wad
• Debugging an SSL VPN with SAML authentication
ISFW # diagnose debug console timestamp enable
ISFW # diagnose debug application samld -1
ISFW # diagnose debug application sslvpn -1
ISFW # diagnose debug enable
You can use this CLI command to debug the SAML daemon in real time:
You must use the real-time SAML debug command in combination with the debug commands of the features
on which the SAML authentication takes place, that is:
DO NOT REPRINT
© FORTINET
SAML Troubleshooting – Real-Time Debug (Contd)
• SAML daemon real-time debug output: request from the client to the IdP based on
information configured on FortiGate (SP)
Request from client SP system time stamped
based on info from SP to auth request Auth Request ID IdP SSO URL
When troubleshooting SAML authentication, the debug output provides multiple sections to analyze, including
key sections and fields collected from the IdP and SP configurations.
The SP Login Dump section contains the client’s request based on information provided by the service
provider. In this sample, a FortiGate is acting as the SP.
• The Auth Request ID, which is included in the response from the IdP
• The IdP SSO URL, from the setting idp-single-sign-on-url in the FortiGate configuration
• The FortiGate system time stamped on the authentication request; a time mismatch between the SP and
IdP, could cause authentication to fail
• The SP SSO URL, from the setting single-sign-on-url in the FortiGate configuration
• The IdP Entity ID, from the setting id-entity-id in the FortiGate configuration
• The SP Entity ID, from the setting entity-id setting in the FortiGate configuration
You can review fields from the SP Login Dump section to detect discrepancies with the information provided
by the device acting as the IdP.
DO NOT REPRINT
© FORTINET
SAML Troubleshooting – Real-Time Debug (Contd)
• SAML daemon real-time debug output: response from the client to the FortiGate based
on info received and configured on the IdP
Response from client to SP based IdP system time
on info from IdP stamped
This section provides the client authentication request to FortiGate acting as the SP, based on information
received from the IdP, which on this sample is FortiAuthenticator.
• The IdP system time. A mismatch with the SP system time could cause the authentication to fail
• The IdP Entity ID, which matches the IdP setting configured on FortiAuthenticator
• The Auth Request ID that the SP sent
• The authentication request with a 5-minute offset
• The SP Entity ID, which provides the audience to which this authentication request will be successful
• This debug section shows the attributes that the IdP is analyzing to allow or deny the authentication
request
The information collected from both the SP and the IdP can be useful in diagnosing an authentication issue.
DO NOT REPRINT
© FORTINET
Review
Understand user authentication logs
Monitor authenticated users
Understand LDAP, RADIUS, and SAML troubleshooting tools
Understand LDAP and RADIUS common problems and solutions
This slide shows the objectives that you covered in this lesson.
By mastering the objectives covered in this lesson, you learned about firewall authentication and how to
troubleshoot issues.
DO NOT REPRINT
© FORTINET
FortiGate 7.4
Last Modified: 25 April 2024
In this lesson, you will review Fortinet Single Sign-On (FSSO) operation and learn about tools and tips for
troubleshooting FSSO problems.
DO NOT REPRINT
© FORTINET
Objectives
• Understand FortiGate-to-collector agent connectivity
• Understand collector agent-to-DC connectivity
• Track login events on the DC, collector agent, and FortiGate
• List active FSSO users
• Troubleshoot agentless polling mode
• Understand common problems and solutions
After completing this lesson, you should be able to achieve the objectives shown on this slide.
By demonstrating a competent understanding of FSSO and its components, you will be able to understand
how to track user login events, list authenticated FSSO users, and troubleshoot common FSSO authentication
issues.
DO NOT REPRINT
© FORTINET
In this section, you will learn about FSSO modes, its components, and how they interact.
DO NOT REPRINT
© FORTINET
FSSO Modes
• Agent-based FSSO
• Login events pushed to the collector agent in real time
• Agentless FSSO
• NetAPI
• Polls NetSessionEnum API
• WinSecLog
• Polls all security event logs
• Polls can be done directly from FortiGate (agentless polling)
• WMI
• Polls specific security event logs
Note: The poll interval times are estimated and depend on the number of servers and network latency
FSSO enables FortiGate to leverage your network’s existing authentication system for firewall authentication.
Once a user logs in, they can access other network resources without having to authenticate again.
The two most common FSSO methods are domain controller (DC) agent and polling.
DC agent mode requires one collector agent. It also requires DC agents installed in all Windows DCs. The DC
agents detect the login events and "push" this information to the collector agent. The collector agent forwards
the login events to FortiGate, together with the workstation IP address and user's group information.
Polling mode does not require a DC agent to be installed. In polling mode, the collector agent frequently polls
each DC to get the latest login events. There are three types of polling mode:
Poll intervals are estimated times that depend on the number of servers and network latency.
If a standalone collector agent is used, all three types of polling modes are supported. Alternatively, polling
can be performed directly from FortiGate (agentless polling mode), so a standalone collector agent is not
required. However, FortiGate acting as a collector agent supports only the WinSecLog polling type.
DO NOT REPRINT
© FORTINET
FSSO Components
Sending and
User login Collecting Gathering receiving
event login info user group authentication
memberships details
• Phase 1: This phase starts when a user authenticates on a workstation and triggers a user login event. In
this phase, FSSO detects the login event and records the workstation name, domain, and user.
• Phase 2: In this phase, FSSO receives login information from sources such as DC agents, NTLM, API
polling mode, Win Sec, or TS/CITRIX. After collecting the login information, FortiGate operating in standard
or advanced mode, performs an administrative domain (AD) query to gather user group membership
information. In the case of eDirectory, FortiGate uses native API or LDAP to collect this information. This
phase resolves the workstation name to an IP address and determines which user groups the user belongs
to.
• Phase 3: In this phase, user login information, including the IP address and groups list, is sent to FortiGate.
• Phase 4: In this phase, FortiGate receives the authentication details and creates one or more log entries
for this login event.
DO NOT REPRINT
© FORTINET
FSSO Components (Contd)
FortiGate
Windows DC
TCP 445
without agent
(polling)
TCP 8000
TCP 445
Windows server with
collector agent
Terminal or Citrix
Windows domain server with TS agent
controller with DC agent
This slide shows how FSSO traffic flows and which ports are used.
When polling mode is used, polling is performed by either the FortiGate or the collector agent. In both cases,
TCP port 445 is used.
By default, the communication between the collector agent and FortiGate uses port TCP 8000. The
communication between the DCs and the collector agent uses, also by default, UDP port 8002.
FSSO identifies each user based on the source IP address of the traffic. Each active FSSO user is associated
with one or more IP addresses. Each IP address is associated with only one user. This creates conflicts in
networks that use terminal or Citrix servers, where more than one user shares the same IP address. For
those cases, you can install a terminal server (TS) agent. The TS agent provides the collector agent and
FortiGate with not only the source IP address of each user, but also with the source TCP/UDP ports they are
using. So, multiple users sharing the same IP address can be identified by combining the source IP address
with the source port. The communication between the TS agent and the collector agent also uses UDP port
8002.
DO NOT REPRINT
© FORTINET
Group Membership Check
Login detected
Use LDAP or
API for no User group no
Ignore user?
directory in cache?
access
yes
yes
yes
Send login to
FortiGate
Each time the collector agent receives a login event, it checks if the user is in the ignore list.
If it is, the login event is discarded. After that, the collector agent checks if the user's group information is still
in the cache.
If it is not, the collector agent performs either an LDAP or an API query to get the group information from
Windows AD. Once the collector agent knows the user groups, it checks if any of them are included in the list
of monitored groups.
If none of the groups are included, the login event is not forwarded to FortiGate. If at least one group is
included, the login event is forwarded to FortiGate.
DO NOT REPRINT
© FORTINET
Workstation Check
CA adds workstation IP
Login detected to the bottom of the
workstation check poll
An external collector agent periodically checks if each active FSSO user is still logged in. It does this by
polling all known active workstations, based on a configurable interval.
How this checking is done depends on the FSSO mode. For WMI polling mode, the collector agent checks the
WMI service. For all the other modes, the collector agent checks the HKEY_USERS hive through remote
registry services.
If a workstation does not respond to these checks, the collector agent starts a timer (dead entry timeout
interval). After the timer expires, the workstation is set to “not verified” status and the collector agent assumes
that the user has logged out.
DO NOT REPRINT
© FORTINET
IP Address Change Verification
Yes
You can also configure the external collector agent to periodically check if the IP address of an active FSSO
user has changed. This might happen, for example, when a user switches from a wired to a wireless network.
When you enable this collector agent feature, the collector agent periodically uses the DNS server to resolve
the workstation name.
If the DNS server replies with a new IP address, the collector agent sends a logout event to FortiGate,
followed by a login event, with the new IP address.
Therefore, it is important for the DNS server to be immediately and automatically updated each time a user
changes their IP address.
DO NOT REPRINT
© FORTINET
Additional Requirements
• TCP ports 139 and 445 must be open between the collector agent and all workstations
• Remote registry service must be up and running on each workstation
• Collector agent periodically verifies that user is still logged in to the workstation
• Ensure that workstations have proper DNS registration and that the DNS server is
updated whenever the IP address changes
There are three important requirements for any FSSO network, and most of the FSSO problems happen when
one of these requirements is not fulfilled.
The collector agent frequently polls each active workstation. For this polling to work properly, TCP ports 139
and 445 must be open between the collector agent and the workstations. Firewalls must allow this traffic.
Additionally, the remote registry service must be up and running on the workstations.
DNS is used to get the user’s IP address. So, administrators must ensure that each workstation name is
registered in the DNS server with the correct and up-to-date IP address.
DO NOT REPRINT
© FORTINET
FSSO Troubleshooting
In this section, you will learn how to diagnose FSSO issues and use troubleshooting commands.
DO NOT REPRINT
© FORTINET
FSSO Troubleshooting Checklist
• Is the TCP connection between FortiGate and the collector agent established?
• Is the collector agent properly monitoring all DCs?
• Is the domain controller generating the login events?
• Is the collector agent getting login events?
• Does the collector agent list the active FSSO users?
• Is FortiGate receiving login events?
• Does FortiGate list the active FSSO users?
• Are the user's group information and authentication rules properly configured?
What steps should an administrator take when troubleshooting an FSSO problem? This slide offers a general
checklist.
In this lesson, you will learn how to perform the recommended troubleshooting steps.
DO NOT REPRINT
© FORTINET
Recommended Troubleshooting Steps FSSO config backup:
Before you start troubleshooting, it is recommended that you gather configuration and topology information.
Identify which FSSO version is in place, how many DCs are in the network, the FortiGate configuration file,
and so on.
If an issue occurs, the diagnose debug auth fsso list command can show the user information that
the collector agent is sending to FortiGate.
DO NOT REPRINT
© FORTINET
Recommended Troubleshooting Steps—CA Logs
As part of the initial troubleshooting steps, make some changes to the collector agent logging settings to
ensure that all the required debug information is captured. First, in the Log level field, select Information.
Second, increase the setting in the Log file size limit (MB) field. If the log file limit is too low, especially in big
FSSO networks, you might not have time to see the relevant debug information, because it will be overridden
quickly by new log events.
Third, you can optionally record the login events in a different file by selecting Log logon events in separate
logs.
DO NOT REPRINT
© FORTINET
Tracking a Specific User
• Perform the user login
• Check which DC recorded the login event:
• echo %logonserver% using cmd.exe
• Check the login event using the Windows event viewer
• In the collector agent:
• Check logs and the list of active FSSO users
• Check that the user group is listed in the group filter
• FortiGate:
• Check logs to verify that the login event was received
• Check the list of active FSSO users
• Generate traffic from the user workstation and verify that the user is listed in the FortiGate user monitor
If the FSSO issue can be reproduced, there are different tools that you can use to track the login event as it
travels from the DC, to the collector agent, and then to FortiGate. Follow these steps:
1. Perform the login.
2. Check which DC received the login using the Windows command: echo %logonserver%.
3. Go to that DC and use the Windows event viewer to find the generated login event.
4. Check the collector agent logs and the list of active FSSO users.
5. Check that at least one user's group is listed as monitored in the group filter.
6. Go to FortiGate and check that the login event was received.
7. List the active FSSO users.
8. Generate traffic from the user workstation and verify that it is added to the FortiGate user monitor.
DO NOT REPRINT
© FORTINET
Checking FortiGate-to-Collector Agent Connectivity
By clicking Show Service Status on the collector agent GUI, you can check the connectivity between
FortiGate and the collector agent. The window displays the serial numbers of all the active FortiGate devices.
DO NOT REPRINT
© FORTINET
Checking FortiGate-to-Collector Agent Connectivity (Contd)
• Connection successful:
Collector Agent logs:
… accepting one FortiGate connection on sock:924, addr:10.0.1.254
… find free connection slot 0, sock:0, sendqueue:0
… send HELLO
…
… Bytes received from FortiGate: 96
… process HELLO
… option:00000020 version:v5.0.618-0618
… FortiGate connection accepted, auth OK.
… FortiGate:FGVM010000030272 connected on socket (924)
When a FortiGate successfully connects to a collector agent, the collector agent logs show these messages.
Additionally, you can confirm a successful connection while running the FSSO real-time debug on FortiGate.
You can also check the FSSO process debug output on FortiGate by entering the command diagnose
debug application authd 8256.
DO NOT REPRINT
© FORTINET
Checking FortiGate-to-Collector Agent Connectivity (Contd)
• Heartbeats between FortiGate and the collector agent:
Collector Agent logs:
… send heart beat, sock:924 len:16 SN:FGVMxxxxxxxxxxx
… send_to_FGT() called:sock:924 sendbuf:7fdd60 sendlen:16
…
…send ok: release send rec and content:7f97a0
…process_server_send_events returns, packet sent:1
…1 FortiGate connected
While the TCP session between FortiGate and the collector agent is up, the collector agent sends heartbeat
messages to FortiGate. Both the collector agent logs and the FortiGate real-time debug show this heartbeat
interchange.
DO NOT REPRINT
© FORTINET
FortiGate-to-Collector Agent Connectivity Issues
• FortiGate real-time debug output:
… server authentication failed, aborting
• Check the pre-shared password:
… disconnecting
… error occurred in read: Connection refused
• Check that FortiGate and the collector agent are using the same TCP port, and that this traffic is not
being blocked
• Sniffer the traffic between FortiGate and the collector agent:
… error occurred in read: No route to host
• Check that the IP address of the collector agent is reachable from FortiGate
The error server authentication failed, aborting in the FortiGate real-time debug might indicate
a mismatch in the password shared between the collector agent and FortiGate.
The error connection refused might indicate that the TCP communication between FortiGate and the
collector agent is blocked by a firewall or another device.
The error no route to host might indicate that the IP address of the collector agent is not routable from
FortiGate.
DO NOT REPRINT
© FORTINET
Collector Agent-to-DC Connectivity
If you click Show Monitored DCs on the collector agent GUI, you can check the communication between the
collector agent and each DC. The table includes the time when the last login event was received from each
DC.
DO NOT REPRINT
© FORTINET
DC Login Events
• Use Windows Event Viewer
• Search event IDs 4768, 672, 680, and 4776 with audit success
The Event Viewer is a Windows tool that displays all the server logs. You can use it to search for login event
logs.
DO NOT REPRINT
© FORTINET
Login Event
• FortiGate real-time debug:
_process_logon[Win-Student]: STUDENT(192.168.3.1) logged on with session
id(0), port_range_sz=0
_process_logon-884: can not find such a user, try to add it
• Collector agent logs:
… logon event(33): len:72 dc_ip:10.0.1.10 time:1423064066 len:55 data:WIN-
INTERNAL.trainingAD.training.lab/TRAININGAD/student ip:192.168.3.1:10.0.1.10
… get global group for:student
… get global group for:student DC:\\Win-Internal.trainingAD.training.lab
… Global group(s):
… -- Domain Users
… Entries enumerated: 1
… get local group for:student
… get local group for:student, DC:\\Win-Internal.trainingAD.training.lab
… local group(s):
… -- Users
… Entries enumerated: 1
… ad_user_get_groups_str():TRAININGAD/Domain Users+TRAININGAD/Users
The FortiGate FSSO real-time debug generates messages each time a login event arrives. They include the
name and IP address of the user, together with the workstation name and user's group information.
DO NOT REPRINT
© FORTINET
Listing Active FSSO Users
You can check the list of logged-in users by clicking Show Logon Users. A status of OK indicates that the
user is active. A user goes to not verified status when they log out, or when there is a problem in the polling
done by the collector agent to the workstation.
DO NOT REPRINT
© FORTINET
Listing Active FSSO Users
ISFW # diagnose debug authd fsso filter ?
clear Clear all filters.
Source Source IP address.
user User name.
group Group name.
server FSSO agent name.
----FSSO logons----
IP: 192.168.3.1 User: STUDENT Groups: TRAININGAD/USERS Workstation: WIN-
INTERNAL.TRAININGAD.TRAINING.LA
IP: 10.0.1.10 User: STUDENT Groups: TRAININGAD/USERS Workstation: WIN-
INTERNAL.TRAININGAD.TRAINING.LA
Total number of logons listed: 2, filtered: 0
To get the list of active users from FortiGate, use the command diagnose debug authd fsso list. You
can set up a filter first with the command diagnose debug authd fsso filter.
DO NOT REPRINT
© FORTINET
Other FortiGate FSSO Commands
• Ask the collector agent to resend the active users list to FortiGate:
• # diagnose debug authd fsso refresh-logons
• Clear login information in FortiGate:
• # diagnose deb authd fsso clear-logons
• Users must logoff/logon
• Ask the collector agent to resend the monitored groups list to FortiGate:
• # diagnose debug authd fsso refresh-groups
• List the monitored groups:
• # get user adgrp
The CLI command diagnose debug authd fsso refresh-logons refreshes the active FSSO user list
on FortiGate by asking the collector agent to resend the active users list.
The CLI command diagnose debug authd fsso clear-logons flushes the list of active FSSO users
on FortiGate.
The CLI command diagnose debug authd fsso refresh-groups refreshes the user group
information on FortiGate by asking the collector agent to resend this information.
To list the monitored user groups, use the command get user adgrp.
DO NOT REPRINT
© FORTINET
Other Troubleshooting Commands
• Use these commands on cmd.exe
• Query the DN from the LDAP server:
dsquery user –name <user_name> - shows DN name
dsquery user -name <user_name> | dsget user –memberof - shows user group
memeberships
You can execute the commands from a Windows command prompt. They can be useful while diagnosing
FSSO issues and analyzing data on the server side.
On a Windows server, you can use the command, dsquery user -name to query the DN. You can run this
command from the LDAP server’s command prompt.
When you use the command wmic, it should return the username of the user currently logged in to the remote
workstation.
You can use the command netstat to verify that port 8000 is open.
DO NOT REPRINT
© FORTINET
In this section, you will learn about the FSSO agentless method and specific troubleshooting commands for
this mode.
DO NOT REPRINT
© FORTINET
Agentless Polling Mode
ISFW # diagnose debug fsso-polling detail
AD Server Status:
ID=1, name(10.0.1.10),ip=10.0.1.10,source(security),users(0)
port=auto username=administrator
read log offset=251636, latest logon timestamp: Wed Feb 1 09:47:31 2023
polling frequency: every 10 second(s) success(246), fail(0)
LDAP query: success(0), fail(0)
LDAP max group query period(seconds): 0
most recent connection status: connected
refresh completes. All logon users are obsolete. Please re-logon to make them available.
ISFW # diagnose sniffer packet any 'host 10.124.2.18 and tcp port 445'
The command diagnose debug fsso-polling detail displays the status and some statistics related
to the polls done by the FortiGate on each DC.
The command diagnose debug fsso-polling refresh-user flushes the information about all active
FSSO users.
In agentless polling mode, FortiGate frequently polls all workstations (as a standalone collector agent does) to
check which users are still logged in. You can sniffer this traffic on port 445.
DO NOT REPRINT
© FORTINET
Agentless Polling Mode
# diagnose debug application fssod -1
# diagnose debug enable
[fsso_svr.c:save_result:579] event_id=4768, logon=bobby, domain=FSSO
workstation=, ip=10.124.2.90 port=49215, time=1372061722
• Common errors:
• FortiGate cannot resolve the active directory server name:
failed to resolve server(<server name>)
• FortiGate and AD system times must be in sync so that statistics can be calculated correctly:
No memory alloc
There is a specific FortiGate daemon that handles the polling mode. It is the fssod daemon. To enable
agentless polling mode real-time debug use the command:
diagnose debug application fssod -1.
The slide shows the most common real-time debug errors and the possible causes.
DO NOT REPRINT
© FORTINET
Common Problems
In this section, you will learn about the most common FSSO issues.
DO NOT REPRINT
© FORTINET
Common Problems
• Collector agent does not have the login information:
• Verify that the collector agent is monitoring all DCs
• Check that the collector agent is receiving login events from the DCs
• Test the user account and check the collector agent logs
• Collector agent has the login information, but FortiGate does not:
• Check that FortiGate is connected to the collector agent
• Run the real-time debug while testing the user account
What should you do if the collector agent does not have login information?
• Verify that the collector agent is monitoring all DCs.
• Check that the collector agent is receiving login events from the DCs.
• Test the user account and check the collector agent logs.
What should you do if the collector agent has the login information, but FortiGate does not?
• Check that FortiGate is connected to the collector agent.
• -
Run the real time debugs while testing the user account.
DO NOT REPRINT
© FORTINET
Common Problems (Contd)
• User is listed as active on FortiGate, but cannot browse the internet:
• Check the user’s IP address in the list of active FSSO users
• Check the user's group information
• Check the firewall policies
• Check the collector agent logs
• FortiGate is randomly blocking some users:
• Check that the collector agent service is not crashing
• Check for crashes in any of the FortiGate processes
• Check that the connectivity between FortiGate and the collector agent is stable
• Try to reproduce and check the collector agent logs
If an FSSO user is listed as active on FortiGate, but it cannot browse the internet, you should first confirm that
the correct IP address is listed on FortiGate. Also check the user's group information, firewall policies, and
collector agent logs.
If FortiGate is randomly blocking some users, you should check that the collector agent service, or any
FortiGate process, is not crashing. Confirm that the connection between FortiGate and collector agent is up
and stable. Try to reproduce the problem and then check the collector agent logs.
DO NOT REPRINT
© FORTINET
DNS Resolution Errors
• DNS cannot resolve the workstation name
• The collector agent logs show:
… failed to resolve workstation name to ip: WORKSTATION01
… DnsQuery() failed for WORKSTATION01, error code:9003
DNS resolution is essential for FSSO operation. If a collector agent cannot resolve a workstation name, the
user will not be listed as active and the collector agent logs will show the errors shown on this slide.
DO NOT REPRINT
© FORTINET
Login Override
• The collector agent ignores login events from anonymous accounts and accounts with
names starting with ‘$’
• However, some applications generate login events with different system accounts,
overriding the user login event:
• Microsoft MOM
• RDP
• Solution:
• Find the account in the collector agent logs that is overriding the user
• Add the account to the collector agent ignore user list
Another common problem that occurs with FSSO authentication happens when applications generate login
events with an AD account that is different from the users’ accounts.
In these cases, the login event overrides the user information for a workstation IP address and a different user
is listed as active for the IP address.
The collector agent is coded to ignore any login events for anonymous accounts, and accounts with a name
starting with '$' (which are system accounts). If any application is using an account that is overriding the user
information, the solution is to add that account to the ignore user list.
DO NOT REPRINT
© FORTINET
Not Verified Status on the Collector Agent
• The collector agent cannot verify if the user is still logged in
• The following entries are generated in the collector agent logs:
• Common causes:
• A firewall is blocking traffic to port 139 and 445
• The workstation remote registry service is not running
Active users with a status of “not verified” are also a common problem. That status is normal after a user has
logged out. However, it is not normal for a user that is still logged in. This means that polling from the collector
agent to the workstation is failing. In these cases, check the collector agent logs. They provide more
information about the cause of the problem.
DO NOT REPRINT
© FORTINET
No Internet After IP Address Change
• This problem might happen when:
• A workstation is moved between LAN and Wi-Fi
• A workstation has come out of hibernate mode
• Check the workstation name DNS resolution
• The collector agent relies on DNS to get an accurate IP address
• Workaround:
• Configure FSSO guest users
• Solution:
• Configure DNS server to automatically get IP address updates
• For multihomed scenarios (both wired and wireless connections are up), the DNS server should be able
to return both IP addresses
What should you do if a user loses internet access after their IP address changes?
This might happen when the user moves back and for from a wired to a wireless network. It might also
happen when a workstation comes out of hibernate mode and gets a new IP address from the DHCP server.
The first step is to check the DNS resolution. When a user changes their IP address, the DNS server must be
updated with the new IP address information. If that is not possible, one workaround is to configure FSSO
guest access. So, users whose IP addresses have changed can still have some (probably limited) access to
some network resources.
For the cases where a workstation was assigned more than one IP address (for example, one address for the
wired network and another one for the wireless), the DNS server should be able to return all those IP
addresses when resolving the workstation name. The user is then listed multiple times in the FSSO active
user list, one time for each IP address.
DO NOT REPRINT
© FORTINET
Review
Understand FortiGate-to-collector agent connectivity
Understand collector agent-to-DC connectivity
Track login events on the DC, collector agent, and FortiGate
List active FSSO users
Troubleshoot agentless polling mode
Understand common problems and solutions
This slide shows the objectives that you covered in this lesson.
By mastering the objectives covered in this lesson, you learned about FSSO modes, the most common FSSO
issues, and how to troubleshoot them.
DO NOT REPRINT
© FORTINET
FortiGate 7.4
Last Modified: 25 April 2024
In this lesson, you will learn how to troubleshoot some of the security profile features.
DO NOT REPRINT
© FORTINET
Objectives
• Troubleshoot the most common FortiGuard problems
• Describe the steps of FortiGate packet inspection
• Troubleshoot web filtering problems
• Fix certificate warnings during full SSL inspection
• Investigate virus infections
• Monitor the intrusion prevention system (IPS)
After completing this lesson, you should be able to achieve the objectives shown on this slide.
By demonstrating competence in understanding security profiles, you will be able to understand how to
troubleshoot FortiGuard and web filtering issues. You will also learn how to fix certificate warning problems,
and monitor IPS and antivirus events.
DO NOT REPRINT
© FORTINET
FortiGuard
In this section, you will learn about how FortiGuard and FortiGate communicate. You will also learn
troubleshooting commands.
DO NOT REPRINT
© FORTINET
FDN Status on FortiGate
• Check FortiGuardDistribution Network (FDN) status on FortiGate in the FortiGuard settings
System > FortiGuard
You can check the status of FortiGuard licenses and the communication to FortiGuard on the FortiGate GUI.
You can also check the versions of the locally installed databases for each of the FortiGuard services.
DO NOT REPRINT
© FORTINET
FortiGuard Web Filtering and Antispam
fortiguard.net
FortiGuard server 1
3. FortiGate submits a license 4. Server
check and server list request status and list 5. FortiGate submits queries
to one of the servers
2. DNS replies
with the IP address
FortiGuard server 2
DNS
• FortiGate submits a DNS lookup to get the IP address for one of these names:
• service.fortiguard.net: UDP and worldwide servers
• securewf.fortiguard.net: HTTPS and worldwide servers
• usservice.fortiguard.net: UDP and USA-based-only servers
• ussecurewf.fortiguard.net: HTTPS and USA-based-only servers
To learn how to troubleshoot FortiGuard problems, you must understand how FortiGuard communication
works. The communication between FortiGate and FortiGuard for web filtering and antispam is different from
the communication for antivirus and IPS. First, you will look at how FortiGuard web filtering and antispam
work:
1. FortiGate contacts the DNS server to resolve the FortiGuard service name.
2. FortiGate gets a list of IP addresses for servers that it can contact to validate the FortiGuard license.
3. FortiGate contacts one of those servers to check the license and request a list of servers to submit web
filtering and antispam rating queries to.
4. FortiGate gets the list of servers.
5. FortiGate starts sending rating queries to one of the servers in the list.
6. If the server it contacted does not reply in 2 seconds, FortiGate contacts the next server on the list.
• service.fortiguard.net: FortiGate is configured to use UDP and communicate with servers located
worldwide.
• securewf.fortiguard.net: FortiGate is configured to use HTTPS and communicate with servers
located worldwide.
• usservice.fortiguard.net: FortiGate is configured to use UDP and communicate with servers
located only in the USA.
• ussecurewf.fortiguard.net: FortiGate is configured to use HTTPS and communicate with servers
located only in the USA.
DO NOT REPRINT
© FORTINET
FortiGuard and FortiGate Connection Security Steps
Finished
Encrypted communication
When the FortiGate establishes a connection with a FortiGuard server, it is crucial to verify the authenticity of
the server as a genuine FortiGuard server. Therefore, FortiGuard servers offer the security steps shown on
this slide.
FortiGuard servers use an Online Certificate Status Protocol (OCSP) stapling check. This involves appending
a time-stamped OCSP status of the server certificate from the OCSP server to the TLS response.
This process guarantees that FortiGate can efficiently validate the FortiGuard server certificate during the TLS
handshake.
DO NOT REPRINT
© FORTINET
FortiGuard Antivirus and IPS
Pull method Persistent connection
method
fortiguard.net
3. FortiGate periodically checks fortiguard.net
for updates in the databases 4. FortiGate
downloads
updated 3. FortiGate 4. FortiGuard
databases forms notifies that
2. DNS replies persistent there is a new
with the IP address secure update through
connection to the persistent
FortiGuard connection
DNS
5. FortiGate
forms a
separate
secure
connection to
1. FortiGate submits a DNS A record download the
lookup for update
update.fortiguard.net
Now, you will look at how antivirus and IPS work. How FortiGuard communication works for antivirus and IPS
depends on the method used: pull or persistent connection. Note that the persistent connection method is
available only on FortiGate models that are 2U and above, and is displayed on the FortiGate GUI as
Immediately download updates.
The first two steps used in the pull method are also used in the persistent connection method: FortiGate gets
a list of IP addresses from a DNS server for the domain name update.fortiguard.net. After that,
FortiGate forms an HTTPS connection with FortiGuard. Once this connection is established, FortiGuard uses
this connection to send notifications each time there are new updates. FortiGate then proceeds to form a
separate secure connection to FortiGuard to download the update.
DO NOT REPRINT
© FORTINET
FortiGuard Troubleshooting—Web Filtering and Antispam
FortiGate # diagnose debug rating
Locale : English
Service : Web-filter
Status : Enable
License : Contract
Service : Antispam
Status : Disable
Service : Virus Outbreak Prevention
Status : Disable
Num. of servers : 6
Protocol : https Round trip delay Server time zone Consecutive requests Historical requests sent
Port : 443 sent with no reply with no reply; resets
Anycast : Enable upon device reboot
Default servers : Included
-=Server List (Thu Mar 2 18:01:32 20XX) -=-
IP Weight RTT Flags TZ FortiGuard-requests Curr Lost Total Lost
173.243.141.16 0 21 D 0 2 0 0
173.243.140.16 0 28 DI 0 5 0 0
2620:101:9000:140:173:243:140:16 0 0 DF 0 2 2 2
The command shown on this slide displays the list of servers for web filtering and antispam queries. For each
IP address, the table shows:
• The round trip delay
• The server time zone
• The number of recent and consecutive queries without reply
• The historical total number of queries without reply—these values reset when the device restarts.
DO NOT REPRINT
© FORTINET
FortiGuard Weight Calculation
• Initial value is the delta between FortiGuard server time zone and FortiGate system time
zone, multiplied by 10
• Weight increases with each packet lost
• Weight decreases over time if no packets are lost, but never goes below the initial value
• FortiGate uses server with lowest weight
• If weights are the same, FortiGate uses lowest RTT
FortiGate uses the following method to select the server to send the rating requests to:
• FortiGate initially uses the delta between the server time zone and the FortiGate system time zone,
multiplied by 10.
• This is the initial weight of the server. To lower the possibility of using a remote server, the weight
is not allowed to drop below the initial weight.
• The weight increases with each packet lost.
• The weight decreases over time if there are no packets lost.
• FortiGate uses the server with the lowest weight as the one for the rating queries. If two or more servers
have the same weight, FortiGate uses the server with the lowest round-trip time (RTT).
DO NOT REPRINT
© FORTINET
FortiGuard Common Issues—Web Filtering and Antispam
• Some ISPs block nonstandard traffic over port 53
• Solution: Use port 8888
• Some ISPs block port 8888 traffic
• Solution: Use port 53
• Some ISPs block traffic based on the source port
• Solution:
config sys global
set ip-src-port-range 1031-4999
end
In many cases, ISPs cause problems related to FortiGuard. Some ISPs block traffic that is not DNS or that
contains large packets on port 53. In those cases, the solution is to switch FortiGuard traffic from port 53 to
port 8888.
Other ISPs (or upstream firewalls) block traffic to port 8888. In those cases, the solution is to use port 53.
When anycast is enabled, which it is by default, the protocol is HTTPS and the port is 443.
There are also a few cases where ISPs block traffic based on source ports. Changing the source port range
for FortiGuard to the range shown on this slide usually fixes the issue.
DO NOT REPRINT
© FORTINET
FortiGuard Flags
• I = Initial
• Server contacted to request contract information and updates
• D = Default
• IP addresses of servers received from DNS resolution
• S = Serving
• IP addresses of servers received from FortiManager
• T = Timing
• Actively timing this connection
• Server remains in this state for 15 seconds (default) before being considered as failed
• F = Failed
• Server connection has failed
• FortiGate pings every 15 minutes to check if server is active
The output of the diagnose debug rating command displays flags beside some of the server names:
• I = The server initially contacted to validate the license and get the server list (usually only one server has
this flag)
• D = The IP address FortiGate got when resolving the service.fortiguard.net name (usually two or
three servers have this flag, if the administrator didn't overwrite the FortiGuard FQDN or IP address in the
FortiGate configuration)
• S = The IP address FortiGate got from FortiManager
• T = The server is not replying to FortiGate queries
• F = The server is down
DO NOT REPRINT
© FORTINET
FortiGuard Troubleshooting—Antivirus and IPS
• FortiGate uses port TCP 443 to get updates
• Can be configured to connect through a web proxy:
• When connecting through a web proxy, FortiGate can access FortiGuard without DNS
resolution
For antivirus and IPS, communication between FortiGate and FortiGuard happens much less frequently. In
the case of web filtering and antispam, FortiGate contacts FortiGuard each time it needs to rate a website or
email (if the information is not in the FortiGate cache).
In the case of the pull method for antivirus and IPS, by default, FortiGate contacts FortiGuard at an interval
calculated based on the FortiGate model and the percentage of valid subscriptions. The update interval is less
than 1 hour to check and download any new version of the antivirus or IPS databases and engines. This is
done using port TCP 443.
This slide shows the commands you use if FortiGate must connect through a web proxy. Usually, clients
connecting through a web proxy do not contact the DNS server to resolve names, because it is the web proxy
that does this. When connecting through a web proxy, FortiGate can access FortiGuard without DNS
resolution.
DO NOT REPRINT
© FORTINET
FortiGuard Troubleshooting—Antivirus and IPS (Contd)
• Automatic and manual updates are different:
• Automatic updates download the portions of the databases that have changed since the last update
• Manual updates download the whole database if a new version is available
• Autoupdate status
# diagnose autoupdate status
FDN availability: available at Thu Jan 18 22:09:06 2024
last successful time: Thu Jan 18 22:09:06 2024
Scheduled update: enable
Virus definitions update: enable
IPS definitions update: enable
Web proxy tunneling: disable
Both the antivirus and IPS databases can be updated either automatically or manually. Automatic updates
download the portions of the databases that have changed since the last update. Manual updates download
the whole database if there is a new version available.
Sometimes you can fix FortiGuard problems by performing a manual update, which forces FortiGuard to
download and reinstall the entire database. For example, if the antivirus database is corrupted, a manual
update might fix the problem.
The diagnose autoupdate status command provides a summary of the FortiGuard configuration on
FortiGate.
DO NOT REPRINT
© FORTINET
FortiGuard Update Status
# diagnose autoupdate versions • List includes, but is not
AV Engine limited to:
--------- • Antivirus
Version: 7.00021
Contract Expiry Date: Sat Nov 8 2025 • IPS engine
Last Updated using manual update on Fri Oct 27 05:53:16 2023 • Mobile malware definitions
Last Update Attempt: Wed Mar 22 09:04:04 2023
Result: No Updates • Attack definitions
• IPS malicious URL
Virus Definitions
--------- database
Version: 91.01264 signed • Botnet definitions
Contract Expiry Date: Sat Nov 8 2025
Last Updated using manual update on Wed Mar 22 05:53:16 2023 • Device and OS
Last Update Attempt: Wed Mar 22 10:04:04 2023 identification
Result: No Updates • Internet service
Extended set • IP address geography
--------- • FortiGuard security rating
Version: 91.01264
Contract Expiry Date: Sat Nov 8 2025 • Certificate bundle
Last Updated using manual update on Wed Mar 22 05:53:16 2023 • Malicious certificate
Last Update Attempt: Wed Mar 22 10:04:04 2023
Result: Updates Installed
The command shown on this slide lists all the FortiGuard databases and engines that are installed. The
information includes the version, contract expiration date, time it was updated, and what happened during the
last update.
DO NOT REPRINT
© FORTINET
FortiGuard Real-Time Debug—Antivirus and IPS
• Enable real-time debug:
• # diagnose debug application update -1
• # diagnose debug enable
• # execute update-now
If there are problems updating the antivirus or IPS databases, or if there are problems validating the license,
you can use the FortiGuard real-time debug:
diagnose debug application update -1
diagnose debug enable
After you enable the debug, you can force a manual update using the execute update-now command.
DO NOT REPRINT
© FORTINET
FortiGuard Troubleshooting Tips
• Can the management VDOM access the internet?
• FortiGuard traffic originates from the management VDOM
• Does DNS work?
• Antivirus and IPS (update.fortiguard.net)
• Web filtering and AS (service.fortiguard.net)
• Updates to FortiGuard contracts are not instantaneous
• It usually takes 1 to 2 hours to update a contract on all FortiGuard servers
• In some cases, it can take up to 24 hours
Remember that FortiGuard traffic always originates from the management VDOM. So, the management
VDOM (which is root by default) must have internet access.
Correct DNS access from the management VDOM is also important. FortiGate must be able to resolve the
following names:
• update.fortiguard.net
• service.fortiguard.net
Also, keep in mind that, although it usually takes 1 to 2 hours to update a contract on all the servers, in some
cases, it can take up to 24 hours. So, if you have just changed or renewed your FortiGuard contract, and you
do not see the change on FortiGate, you may need to wait a bit longer to give FortiGuard time to synchronize
the information on all servers.
DO NOT REPRINT
© FORTINET
Life of a Packet
DO NOT REPRINT
© FORTINET
Life of a Packet—Ingress
Ingress
failed
yes failed failed
Packet dropped
Inbound VPN
yes Traffic
Web proxy terminating at
DNS the FortiGate?
Admin access
no
To routing and
firewall policy
On the following slides, we willre going to analyze how FortiGate processes a packet from when it arrives to
when it leaves.
DO NOT REPRINT
© FORTINET
Life of a Packet—Routing and Firewall Policy
From ingress
no no
Packet dropped
Identify traffic
session helper
To protection
profile inspection
DO NOT REPRINT
© FORTINET
Life of a Packet—Protection Profile Inspection
yes
Handle SSL
DO NOT REPRINT
© FORTINET
Life of a Packet—Egress
yes
Encryption
Egress
DO NOT REPRINT
© FORTINET
Web Filtering
In this section, you will learn troubleshooting commands for web filtering.
DO NOT REPRINT
© FORTINET
Web Filter Log—GUI
• Action Log & Report > Security Events
• Profile used
• Category
• URL
Similar to other UTM features, one of the best troubleshooting tools for web filtering is the FortiGate logs.
FortiGate can generate a log each time a website is blocked. The log lists the URL, category, action taken,
and so on.
DO NOT REPRINT
© FORTINET
FortiGuard Web Filtering Real-Time Debug
# diagnose debug urlfilter src-addr <source_IP>
# diagnose debug application urlfilter -1
# diagnose debug enable
Another tool you can use to troubleshoot web filtering is the web filter real-time debug. You can use the
commands shown on this slide.
This slide shows an example of real-time debug output when the URL to categorize isn't in the FortiGuard
cache. The output shows the URL, category, source, destination IP addresses, and service.
DO NOT REPRINT
© FORTINET
FortiGuard Web Filtering Cache
# diagnose webfilter fortiguard cache dump
To list the contents of the FortiGuard web filtering cache, use the diagnose webfilter fortiguard
cache dump command. For each URL, the output lists its rating by domain name and IP address. The rating
by domain name is the first two digits of the first number from left to right—it is the category ID represented in
hexadecimal. The rating by IP address is the first two digits of the second number—it is also the category ID
represented in hexadecimal.
The get webfilter categories command lists all the categories with their respective ID numbers. In
this list, the IDs are represented in decimal. So, if you want to find the category name for a URL in the cache,
use the first command to list the cache, and then convert the ID number from hexadecimal to decimal. Then,
use the second command to find the category name for that ID number.
DO NOT REPRINT
© FORTINET
FortiGuard—Web Filtering Service
• FortiGuard Web Filter Lookup
The www.fortiguard.com website includes a Web Filtering service. This service is designed to assist you
to identify the category and rating of a URL.
Using the information that the FortiGuard Web Filtering service provides you can gain insights into the content
and reputation of URLs.
This service is useful to analyze whether the category-based filter in the web filter profile is allowing or
blocking a specific URL as expected.
DO NOT REPRINT
© FORTINET
Web Filtering Troubleshooting Tips
• Get specifics
• Which URLs?
• Is it random or consistent?
• Who is affected? All users or specific users?
• Is there anything in any of the logs?
• Was something blocked intentionally?
• Is authentication involved?
• Double-check that the user is being handled correctly
• Attempt reproduction
• You can reproduce most web filtering issues using the same settings
• Run the real-time debug commands while reproducing the problem
DO NOT REPRINT
© FORTINET
Web Filtering Troubleshooting Tips (Contd)
• Ensure web filtering isn't globally disabled:
• Problems connecting to FortiGuard and the device entering conserve mode can cause
intermittent web filtering issues
Additional tips:
• Check that web filtering isn't disabled globally.
• If users are having intermittent issues:
• Check that the communication with FortiGuard is stable (check the web filtering statistics).
• Check also that the device is not entering conserve mode.
DO NOT REPRINT
© FORTINET
SSL Inspection
In this section, you will learn about SSL inspection modes and how to handle certificate warnings.
DO NOT REPRINT
© FORTINET
SSL Certificate Inspection and Full SSL Inspection
• SSL certificate inspection relies on extracting the FQDN of the URL from either :
• TLS extension server name indication (SNI)
• SSL certificate common name (CN)
Issuer:
Verisign
Issued to:
www.example.com
Public key:
Example
https://www.example.com
Public key:
Private key:
Example.com
Example.com
Encrypted data
There are two SSL inspection modes: SSL certificate inspection and full SSL inspection. When using SSL
certificate inspection, FortiGate is not decrypting the traffic. It is only inspecting the server digital certificates
and the server name indication (SNI) field, which are interchanged before the encryption.
First, FortiGate tries to get the URL from the SNI field. The SNI field is a TLS extension that contains the
complete URL that the user is connecting to. It is supported by most modern browsers.
If the SNI field is not present (because the web client may not support it), FortiGate proceeds to inspect the
server digital certificate.
DO NOT REPRINT
© FORTINET
Full SSL Inspection
• FortiGate requires a private key to decrypt and inspect SSL traffic
• Intercepts traffic coming from the server and re-signs it with its certificate and key
• Certificate FortiGate provides must be issued to the destination domain name
https://www.example.com
Private key: Private key:
example.com Public key:
example.com FortiGate
Issuer: Issuer:
Public CA FortiGate CA
Issued to: Issued to:
www.example.com www.example.com
Public key: Public key:
example.com FortiGate
With full SSL inspection, FortiGate decrypts (and reencrypts) the SSL traffic.
Under normal circumstances (without full SSL inspection), encrypted traffic cannot be inspected, because the
firewall does not have the key required to decrypt the data.
For full SSL inspection, the FortiGate must be located in the middle of the communication between the user’s
browser and the website. When the browser connects to the website, the web server sends its certificate,
which contains its public key.
The FortiGate intercepts the web server certificate and generates a new one. The new certificate is issued by
the certificate authority (CA) installed on the FortiGate, which is not a well-known public CA. The FortiGate
also generates a new pair of public and private keys.
DO NOT REPRINT
© FORTINET
Certificate Warnings During Full SSL Inspection
• During full SSL inspection, browsers might display a warning because they do not trust
the CA
• This is a consequence of how SSL and digital certificates work (not a FortiGate
limitation)
When you enable SSL inspection, browsers display a certificate warning each time a user connects to an
HTTPS site. This occurs because the certificates that the browsers receive are now signed by FortiGate,
which is a CA that the browsers do not trust.
This is not a limitation of FortiGate, but a consequence of how digital certificates are designed to work.
DO NOT REPRINT
© FORTINET
Full SSL Inspection and HSTS
• Some clients have specific requirements for SSL
• PKP: Public Key Pinning
• Example: Chrome requires a Google certificate when accessing any Google site
• HSTS: HTTPS Strict Transport Security
• Possible solutions: Certificate does not
match requirements
• Exempt those websites from full SSL inspection (incorrect CA)
• Use SSL certificate inspection instead
Issuer:
Issuer:
Certificate Internet
FortiGate CA
Authority
Issued to:
Issued to:
www.example.com
www.example.com
Public key:
Public key:
FortiGate
example.com
https://www.example.com
Replacing the certificate for the traffic can cause problems. Some software and servers have specific
limitations on the certificates that are allowed to be used.
HSTS and PKP are security features designed to detect man-in-the-middle SSL attacks by making sure that
any certificate presented when accessing a server resource is signed by a specific CA.
If the browser detects any other CA, it simply refuses to continue the SSL handshake and prevents access to
the website.
The solutions available for these issues are limited. One option is to bypass SSL inspection for that traffic.
Another option is to use SSL certificate inspection instead.
DO NOT REPRINT
© FORTINET
Antivirus
In this section, you will learn how to verify the antivirus status and detections.
DO NOT REPRINT
© FORTINET
Antivirus Order of Operations
Machine-
Virus Grayware
learning
scan scan
detection
This slides shows the order of execution of antivirus inspection. First, the device performs a virus scan, then a
grayware scan, and finally machine-learning detection.
The latest FortiOS versions do not have the previous heuristic settings. Instead, they have a machine-
learning-detection setting, which is an AI-based malware detection feature.
DO NOT REPRINT
© FORTINET
Antivirus Log Example
Log & Report > Security Events
One of the best tools for troubleshooting antivirus issues is the FortiGate logs. This is a sample of a log
generated when FortiGate detects a virus. You can see the name of the file, time, and name of the virus.
DO NOT REPRINT
© FORTINET
How to Investigate an Infection
• If a workstation is infected, where should you start investigating?
• Get specifics:
• Which antivirus software detected it? Which virus did it detect?
• Virus names are not standard between vendors
• How did the virus get inside the network?
• Through email, website, USB stick, or demo CD?
What should you do if FortiGate detects a virus on a workstation? Again, the first step is to get specific
information. Which antivirus software detected the virus? What is the name of the virus? How did it get inside
the network? If the virus came, for example, from a CD or USB stick, the infected file did not go through the
FortiGate.
DO NOT REPRINT
© FORTINET
How to Investigate an Infection (Contd)
• Test to see if antivirus is operating correctly
• eicar.org, the standard antivirus test file
• Could FortiGate have detected the virus?
• If undetected, submit to FortiGuard with details
• Test sample file on FortiGuard website
• https://www.fortiguard.com/faq/onlinescanner
• If detected, check which FortiGate antivirus database contains it
Test whether FortiGate antivirus is correctly inspecting the user traffic. On a user workstation, navigate to
eicar.org and try to download the EICAR sample file.
If you have a sample of the virus, submit it to FortiGuard and check if it is present in any of the FortiGate virus
databases. If it is, check the name of the antivirus database where it is present. Does your FortiGate have that
database installed?
DO NOT REPRINT
© FORTINET
How to Investigate an Infection—Check the Antivirus Database
• Choose the antivirus database:
config antivirus setting
set use-extreme-db {enable|disable}
end
• Extended database
• Default
• Currently spreading viruses plus recent viruses that are no longer active
• Available on all models
• Extreme database
• Includes the extended database, plus a large collection of zoo viruses
• Available on higher end models
FortiGate has two antivirus databases: extended and extreme. The extended database is the default. Not all
FortiGate models support the extreme database.
DO NOT REPRINT
© FORTINET
How to Investigate an Infection (Contd)
• Examine protocol settings for infection vector
• SSL requires deep inspection
• Archives are examined to certain limits
• Maximum number of subdirectories and nested archives
• Password-protected archives cannot be scanned
DO NOT REPRINT
© FORTINET
How to Investigate an Infection (Contd)
• NGFW—Learn Mode
• config system settings
set ngfw-mode policy-based
end
Scanunit support is included on the NGFW GUI under Security Policy > Learn Mode.
The learning mode enhances file detection capabilities by using the scanunit robust file detection.
Learning mode works by allowing all traffic while logging everything to gather security information. It
generates a learning report using the collected information, and this helps to detect malicious files more
accurately.
DO NOT REPRINT
© FORTINET
IPS Troubleshooting
DO NOT REPRINT
© FORTINET
IPS Engine
• There are two IPS-related daemons:
• ipsengine handles inspection and detection tasks
• ipshelper handles actions whose results can be shared by different daemons, to reduce load
On some FortiGate models, it is normal to see multiple instances of the ipsengine daemon running.
DO NOT REPRINT
© FORTINET
IPS Fail Open
• Fail open is triggered when one of these two events happen:
• The IPS socket buffer is full and new packets can’t be added for inspection
• The FortiGate is in conserve mode
IPS goes into fail open mode when the IPS socket buffer doesn't have enough available memory for new
packets. The IPS also goes into fail open mode when the FortiGate is in conserve mode. What happens
during that state depends on the IPS configuration. If the fail-open setting is enabled, some new packets
(depending on the system load) might pass through without being inspected. If it is disabled, new packets
might be dropped.
DO NOT REPRINT
© FORTINET
Monitoring IPS Fail Open Events
• IPS fail open event details can be seen in the crash log
# diagnose debug crashlog read
...
7: 2021-06-06 11:44:54 <05688> IPS enter fail open mode: engines=4 socketsize=1048576
8: 2021-09-06 11:44:54 packet_action=drop
...
20: 2021-06-06 11:45:53 <05688> IPS exit fail open mode
• The packet_action value indicates whether new packets are dropped or passed
through
• The crash log also indicates when IPS has exited fail open mode
The IPS fail open event generates a log in the crash log. The log indicates if new packets are dropped or
passed through.
DO NOT REPRINT
© FORTINET
Monitoring IPS Fail Open Events (Contd)
• IPS fail open entry log
date=2023-06-06 time=14:14:29 logid="0100022700" type="event"
subtype="system" level="critical" vd="root" eventtime=1540790069
logdesc="IPS session scan paused" action="drop" msg="IPS session scan,
enter fail open mode"
IPS fail open entry and exit events also generate event logs.
DO NOT REPRINT
© FORTINET
Frequent IPS Fail Open Events
• Try to identify a pattern
• Traffic volume increases?
• Create IPS profiles specifically for the traffic type
• Profile to protect Windows servers doesn’t need Linux or Solaris signatures
• Disable IPS on internal-to-internal policies
Frequent IPS fail open events usually indicate that the IPS is not able to keep up with the traffic demands. So,
try to identify patterns. Has the traffic volume increased recently? Have throughput demands increased?
Tune and optimize your IPS configuration: Create IPS profiles specific to the type of traffic being inspected,
and disable IPS profiles on policies that don’t need them.
DO NOT REPRINT
© FORTINET
IPS Engine Role in Identifying Protocols
• Firewall policies use protocol options to instruct Policy & Objects > Protocol Options
FortiGate how to handle mapping destination
ports to upper-layer protocols (HTTP, SMTP,
FTP, and so on)
• Type a specific port number to direct traffic on
that destination port to the relevant processes,
based on the inspection mode of that policy
(flow or proxy)
• When you enable the Any setting for a
protocol, the IPS engine inspects all destination
ports to determine whether the traffic is, in fact,
that protocol
• Using the Any setting for one or more protocols
creates more CPU load and can affect how
FortiGate processes traffic when a fail open
event occurs
© Fortinet Inc. All Rights Reserved. 48
The Protocol Options settings, which are configurable within each firewall policy, can impact the
performance of a FortiGate due to the need for the IPS engine to identify the protocol where particular
protocol-to-port mappings are not explicitly set.
When a policy is set to proxy-based inspection, the settings in Protocol Options instruct the FortiGate to
direct specified destination ports to their respective proxy processes, except when Any is set for an enabled
protocol.
In this scenario, the FortiGate must send the traffic to the IPS engine to be processed by the CPU, in order to
identify the protocol before directing it to the proxy process. This is significant, because it can affect how traffic
is processed during an IPS fail open event for both proxy-based and flow-based traffic.
Protocol port mapping works only with proxy-based inspection. Flow-based inspection inspects all ports
regardless of the protocol port mapping configuration.
DO NOT REPRINT
© FORTINET
IPS and High CPU Usage
• Temporary spikes in CPU usage are normal
• Usually caused by a configuration change
• diagnose sys top will show all ipsengine instances spike to 99% temporarily
• Continuous high CPU use by IPS engines might be caused by an infinite loop in packet
parsing
• Symptoms might not affect all of the ipsengine instances
• FortiGate VMs with 8 or more vCPUs can use the extended database, which delivers
better protection and performance
• config ips global
set database [regular|extended]
set ips-reserve-cpu [enable|disable]
Short spikes in the CPU usage by IPS processes could be caused by firewall policy or profile changes. These
spikes are usually normal. Spikes might happen when FortiGate has hundreds of policies and profiles, or
many VDOMs. Continuous high CPU usage by the IPS engines is not normal, and you should investigate it.
A newly introduced capability enables the configuration of FortiGate VMs with eight or more vCPUs to use the
complete extended database. The slim-extended database, a more compact variant of the full extended
database, encompasses key active IPS signatures and is tailored for customers prioritizing performance.
DO NOT REPRINT
© FORTINET
IPS and High CPU Usage (Contd)
# diagnose test application ipsmonitor ?
If the IPS caused high CPU usage problems, you can use the diagnose test application
ipsmonitor command with option 5 to isolate where the problem might be. Option 5 enables IPS bypass
mode.
In this mode, the IPS is still running, but it is not inspecting traffic. If the CPU usage decreases after that, it
usually indicates that the volume of traffic being inspected is too high for that particular FortiGate model.
If the CPU usage remains high after you enable IPS bypass mode, it usually indicates a problem in the IPS
engine that you must report to Fortinet Support.
If you enable IPS bypass mode, remember to disable it after you finish troubleshooting, using option 5.
Another recommendation to keep in mind is if you need to restart the IPS, don't use the diagnose sys
kill command. Instead, use option 99, as shown on this slide. This guarantees that all IPS-related
processes will restart correctly.
DO NOT REPRINT
© FORTINET
False Positives
• Check that the IPS signature database is up to date
• Determine which signature is triggering the false positive
• Use IP exemptions on the signature as a temporary bypass for the affected endpoints
• If all factors are verified (that is, correct policy match, correct IPS profile match), then
collect multiple sniffer samples of the traffic
• Provide the sniffer samples and the matching logs to the FortiGuard team for further
investigation
support.fortinet.com
If the IPS is generating false positives, first determine which signature is generating them. You can use IP
exemptions as a solution. Additionally, you can provide sniffer samples and the matching logs to the
FortiGuard team for further investigation.
DO NOT REPRINT
© FORTINET
False Negatives
• False negatives are more difficult to find
• Verify:
• Is the IPS signature database up to date?
• Is traffic hitting the correct policy or IPS profile? (use sniffer and debug flow, if necessary)
• Is the IPS using high CPU or memory? Is it crashing?
• Is the signature action set correctly?
• Collect multiple sniffer samples, along with details of the application traffic, and provide
them to the Fortinet IPS team for investigation
False negatives are more difficult to discover and troubleshoot. Check the following:
• Traffic is hitting the correct policy or IPS profile (use the sniffer and debug flow, if necessary).
• CPU and memory use is normal.
• IPS engines aren’t crashing.
• IPS configuration is correct.
Again, after you verify all of those factors, you can collect sniffer samples and, along with details of the
application traffic, provide all the information to the Fortinet IPS team for investigation.
DO NOT REPRINT
© FORTINET
Review
Troubleshoot the most common FortiGuard problems
Describe the steps of FortiGate packet inspection
Troubleshoot web filtering problems
Fix certificate warnings during full SSL inspection
Investigate virus infections
Monitor the IPS
This slide shows the objectives that you covered in this lesson.
By mastering the objectives covered in this lesson, you learned how to troubleshoot some features of security
profiles.
DO NOT REPRINT
© FORTINET
FortiGate 7.4
Last Modified: 25 April 2024
In this lesson, you will learn how to monitor the status of a high availability (HA) cluster, configure session
synchronization, and use the troubleshooting steps and commands for HA issues.
DO NOT REPRINT
© FORTINET
Objectives
• Check the status of the HA configuration
• Monitor an HA cluster
• Configure session synchronization
• Troubleshoot common HA issues
After completing this lesson, you should be able to achieve the objectives shown on this slide.
By demonstrating competence in understanding HA, you will know how to monitor the status of an HA cluster,
configure session synchronization, and diagnose and resolve HA cluster issues.
DO NOT REPRINT
© FORTINET
In this section, you will learn how to monitor the HA configuration status among devices in the HA cluster.
DO NOT REPRINT
© FORTINET
Processes Involved
• HA framework
• hatalk: cluster management and failure monitoring
• hasync: synchronization of configuration files, upgrade process, IKE notification, external files, ARP
table, and FIB
• Kernel
• Generation of heartbeat packets
• Updating synchronized session on secondary
The process hatalk monitors cluster management and failure monitoring. The process hasync handles the
synchronization of configuration files, the upgrade process, IKE notifications, external files, the address
resolution protocol (ARP) table, and the forwarding information base (FIB).
The hasync process engages other processes to fulfill its purpose, like configuration daemons cmdb,
update, iked, authd, and snmpd.
DO NOT REPRINT
© FORTINET
Heartbeats—Generating Heartbeat Packets
• Heartbeat packets are generated by the kernel
• Higher priority in scheduler compared to other processes
• Higher priority on kernel for HA packets on egress
• Higher priority on NP6 queues for HA packets
• Heartbeat packet generation load distributed on multiple CPU cores
HA heartbeats are generated by the kernel. This gives this traffic priority over other types of packets. HA
heartbeat packets are prioritized to guarantee the health of the HA cluster and traffic flow.
The command diagnose sys ha heartbeat displays how many CPU cores handle the heartbeats and
their distribution.
DO NOT REPRINT
© FORTINET
Heartbeats—Receiving and Processing Heartbeat Packets
• HA heartbeat
• Heartbeat packets received by the network interface card (NIC) configured as hbdev
• Kernel processing
• Separates user traffic from heartbeats based on packet ethertype
• Stores heartbeat data in a received buffer in memory
• Notifies HA daemon hatalk through a signal of the presence of heartbeat packets to process
The hbdev interface is configured under config system ha which assigns the interface that will transmit
and receive the HA heartbeats.
As part of the kernel processing of heartbeat packets, the kernel signals to the hatalk daemon the presence
of heartbeat packets to process.
The process hatalk applies a timestamp to the HA packets that process and perform a diff time function
to monitor if it has reached the hb-lost-threshold that could trigger an HA heartbeat timeout.
HA heartbeat packets consume more bandwidth if the heartbeat interval is shorter than its default value, but if
the heartbeat interval is very long, the cluster is not as sensitive to topology changes and other network
changes.
DO NOT REPRINT
© FORTINET
Checking the Status of HA on the GUI
System > HA
Cluster members
are synchronized
If the HA cluster forms successfully, the GUI displays all the FortiGate members with their host names, serial
numbers, role, uptime, and synchronization status.
DO NOT REPRINT
© FORTINET
Checking the Synchronization Status on the GUI
System > HA
Tooltip displays which
parts of the configuration
are out of sync
If the HA cluster forms, but the configurations are not synchronized, the GUI tooltip for the cluster members
displays the portions of their configuration that are out of sync.
DO NOT REPRINT
© FORTINET
Connecting to the CLI on a Secondary Device
• Using the CLI of the primary device, you can connect to the CLIs of any secondary
devices
# execute ha manage <HA_unit_index> <Admin_Username>
• To list the index numbers for each device, use a question mark
# execute ha manage ?
<id> please input peer box index.
<0> Subsidiary unit FGVM01000001xxxx
When troubleshooting HA, you may need to connect to the CLI of another member from the CLI of the
member you are currently connected to. You do this by using the execute ha manage command to connect
to the other member.
For example, when you connect to the cluster over SSH using any of the cluster virtual IP addresses, you
connect to the primary member. If you then want to connect to another member, you can use the execute
ha manage command to access its CLI.
This command requires you to indicate the ID of the member you want to connect to and the username you
will use to log in. To get the list of member IDs, you can add a question mark to the end of the execute ha
manage command, as shown on this slide.
Note that when you switch to the CLI of another member, FortiGate establishes an SSH session to that
member over the heartbeat interface. The SSH session is then encapsulated in Ethernet frame type 0x8893.
DO NOT REPRINT
© FORTINET
HA Status
# diagnose sys ha status
HA information
Statistics
Heartbeat
traffic.local = s:0 p:980056 b:152606366
traffic.total = s:0 p:980087 b:152619104
activity.ha_id_changes = 2
activity.fdb = c:0 q:0
[Debug_Zone HA information]
HA group member information: is_manage_primary=1.
FGVM010000077649: Primary, serialno_prio=1, usr_priority=128, hostname=NGFW-1
FGVM010000077650: Secondary, serialno_prio=0, usr_priority=120, hostname=NGFW-2
[Kernel HA information]
vcluster 1, state=work, primary_ip=169.254.0.2, primary_id=0:
FGVM010000077649: Primary, ha_prio/o_ha_prio=0/0
FGVM010000077650: Secondary, ha_prio/o_ha_prio=1/1
Using the CLI, you can get more information about the status of HA. For example, the command shown on
this slide displays heartbeat traffic statistics, as well as the serial number and HA priority of each FortiGate.
This command also shows the IP address of the heartbeat interface that is automatically assigned to the
primary FortiGate.
DO NOT REPRINT
© FORTINET
HA Status (Contd)
# get sys ha status
HA Health Status: OK
Model: FortiGate-VM64
How the primary
Mode: HA A-P
Group: 0 device is selected
Debug: 0
Cluster Uptime: 0 days 0:15:10
Cluster state change time: 2023-07-29 12:34:01
Primary selected using:
<2023/07/29 12:34:01> FGVM010000077649 is selected as the primary because it has the
largest value of override priority.
ses_pickup: disable System usage stats
override: enable
Configuration Status:
from all cluster
FGVM010000077649(updated 4 seconds ago): in-sync members
FGVM010000077650(updated 3 seconds ago): in-sync
System Usage stats:
FGVM010000077649(updated 4 seconds ago):
sessions=16, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=81%
FGVM010000077650(updated 3 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=78%
...
You can use the command shown on this slide to display the following information:
• HA health status
• Cluster uptime
• Criteria used to select the primary device
• Override status
• Status of the monitored interfaces
• Status of the HA ping servers
DO NOT REPRINT
© FORTINET
Checking the HA Time Difference
# diagnose sys ha dump-by vcluster
<hatalk> HA information.
How many times the
vcluster_nr=1
device uptime has been
vcluster_0: start_time=1588188799(2022-07-29 12:33:19), reset with the
state/o/chg_time=2(work)/2(work)/1588188801(2023-07-29 diagnose sys ha
12:33:21) reset-uptime
command
mondev: port1(prio=50,is_aggr=0,status=1)
port2(prio=50,is_aggr=0,status=1)
'FGVM010000077649': ha_prio/o=0/0, link_failure=0,
pingsvr_failure=0, flag=0x00000001, uptime/reset_cnt=0/1
'FGVM010000077650': ha_prio/o=1/1, link_failure=0,
pingsvr_failure=0, flag=0x00000000, uptime/reset_cnt=196/0
Device uptime
The HA uptime is one of the variables used to elect the primary device. Depending on other variables and
configurations, the devices might compare their system uptimes to elect the primary. If that happens, and if
there is one member whose system uptime is 5 minutes more than the system uptimes of all the other
devices, that member is elected as the primary. You can use this command to compare the system uptimes of
all the devices in a cluster.
The reset_cnt value shows you how many times the HA uptime has been reset with the diagnose sys
ha reset-uptime command.
DO NOT REPRINT
© FORTINET
Checking the Configuration Synchronization
Run this command
# diagnose sys ha checksum show on all HA members
is_manage_primary()=1, is_root_primary()=1
debugzone
global: ee 89 a1 71 0b c5 2a ed 99 f3 a8 4a 27 6f 1b 5c
root: 86 54 58 00 9a 6c ef 30 19 62 a3 c9 84 a8 c6 8a Checksum
all: 94 52 d7 bf e5 29 d0 9a 58 d2 47 f4 f5 d0 a7 94 numbers must
match between
debugzone and
checksum checksum zone
global: ee 89 a1 71 0b c5 2a ed 99 f3 a8 4a 27 6f 1b 5c
root: 86 54 58 00 9a 6c ef 30 19 62 a3 c9 84 a8 c6 8a
all: 94 52 d7 bf e5 29 d0 9a 58 d2 47 f4 f5 d0 a7 94
A good indication of the health of an HA cluster is the status of the configuration synchronization. To verify
that all the secondary configurations are synchronized with the primary configuration, you can use the
command shown on this slide on all the HA devices. If a secondary FortiGate displays the same sequence of
numbers as the primary, its configuration is synchronized. Also, and as long as there are no configuration
changes happening, on each of the devices, the debugzone and the checksum zone must display the same
sequence of numbers. In this lesson, you will learn some tips for troubleshooting when this is not the case.
The checksum zone contains the checksum of the configuration that is running on the device. The
debugzone is where configuration changes are first stored before they are applied to the running
configuration. So during a configuration change, you might see that the debugzone checksum differs from
the checksum for a short time, while the configuration changes are copied to the running configuration. After
configuration changes have been copied, both checksums should match again.
DO NOT REPRINT
© FORTINET
Checking the Configuration Synchronization (Contd)
# diagnose sys ha checksum cluster Alternatively, you can use this
================== FGVM010000077649 ================== command on the primary device
is_manage_primary()=1, is_root_primary()=1
debugzone
global: ee 89 a1 71 0b c5 2a ed 99 f3 a8 4a 27 6f 1b 5c Primary
root: 86 54 58 00 9a 6c ef 30 19 62 a3 c9 84 a8 c6 8a
all: 94 52 d7 bf e5 29 d0 9a 58 d2 47 f4 f5 d0 a7 94
checksum
global: ee 89 a1 71 0b c5 2a ed 99 f3 a8 4a 27 6f 1b 5c
root: 86 54 58 00 9a 6c ef 30 19 62 a3 c9 84 a8 c6 8a
all: 94 52 d7 bf e5 29 d0 9a 58 d2 47 f4 f5 d0 a7 94
================== FGVM010000077650 ==================
is_manage_primary()=0, is_root_primary()=0
debugzone
global: ee 89 a1 71 0b c5 2a ed 99 f3 a8 4a 27 6f 1b 5c Secondary
root: 86 54 58 00 9a 6c ef 30 19 62 a3 c9 84 a8 c6 8a
all: 94 52 d7 bf e5 29 d0 9a 58 d2 47 f4 f5 d0 a7 94
checksum
global: ee 89 a1 71 0b c5 2a ed 99 f3 a8 4a 27 6f 1b 5c
root: 86 54 58 00 9a 6c ef 30 19 62 a3 c9 84 a8 c6 8a
all: 94 52 d7 bf e5 29 d0 9a 58 d2 47 f4 f5 d0 a7 94
Instead of using the checksum show command on each of the cluster devices, you can use the command
shown on this slide on only the primary device. It shows the checksum for all the cluster members. This
command is easier to use; however, if there are communication problems between one of the secondary
devices and the primary, you might need to use the checksum show command instead.
DO NOT REPRINT
© FORTINET
Checking the Configuration Synchronization (Contd)
• Checksums are organized in sections and subsections
• Drill down in sections, as needed
FGT # diagnose sys ha checksum show FGT # diagnose sys ha checksum show global
is_manage_primary()=1, is_root_primary()=1 system.global: cddd94f9d0caa0d8fbeeca1fe7f737d8
debugzone system.accprofile:
fbae998d6f14e2b8f76c53a500b2feb9
global: ee 89 a1 71 0b c5 2a ed 99 f3 a8 4a 27 6f 1b 5c system.npu: 00000000000000000000000000000000
root: 86 54 58 00 9a 6c ef 30 19 62 a3 c9 84 a8 c6 8a system.np6: 80585c5bff0110a4a5c60ada8729321f
all: 94 52 d7 bf e5 29 d0 9a 58 d2 47 f4 f5 d0 a7 94 system.vdom-link:
checksum 00000000000000000000000000000000
global: ee 89 a1 71 0b c5 2a ed 99 f3 a8 4a 27 6f 1b 5c wireless-controller.inter-
root: 86 54 58 00 9a 6c ef 30 19 62 a3 c9 84 a8 c6 8a controller:00000000000000000000000000000000
wireless-controller.global:
all: 94 52 d7 bf e5 29 d0 9a 58 d2 47 f4 f5 d0 a7 94 00000000000000000000000000000000
The command checksum show allows you to drill down to different levels.
It can provide a general checksum at the global level, including all the VDOMs configured on FortiGate, as
well as provide the checksum for a specific VDOM or the checksum of a specific configuration section from a
VDOM.
These different levels can be very useful while troubleshooting an HA cluster, when you need to identify which
setting is triggering an out-of-sync issue.
DO NOT REPRINT
© FORTINET
Session Synchronization
In this section, you will learn about session synchronization among devices in an HA cluster.
DO NOT REPRINT
© FORTINET
HA Session Synchronization
• Primary sessions replicated to the secondary
• Optional, disabled by default
• Only TCP/SCTP sessions
• Multicast sessions can be configured for session fail over
• UTM proxy-based sessions are not synchronized
• Flow-based sessions are synchronized but fail over without UTM
• Optionally synchronize connectionless sessions (ICMP/UDP)
• Optionally synchronize only sessions with duration > 30 seconds
• Don’t waste resources on short-lived sessions
By default, HA session synchronization is disabled. Most sessions can be resumed as a normal result of how
TCP/IP communications resume communication after a network interruption. You should balance the traffic
requirements and performance impact before enabling session pickup.
If you enable HA synchronization, a number of session requirements and limitations take place because the
primary device synchronizes sessions with the secondary device. Under ideal conditions, all TCP sessions
should be resumed.
Optionally, you can enable session synchronization for connectionless ICMP/UDP, and short-lived sessions.
DO NOT REPRINT
© FORTINET
HA Session Synchronization―When?
• New session creation
• Primary synchronizes new session to secondary
• State update
• TCP/SCTP sessions are updated on secondary upon a state change
• Session deletion
• When deleted on primary, primary notifies secondary to clear the session
There are some criteria that the primary device follows when synchronizing a session to a secondary device.
By default, once session-pickup is enabled, as soon as a new TCP session is added to the primary device
session table, that session is synchronized to all devices in the cluster. This synchronization happens as
quickly as possible to keep the session tables synchronized.
Other events that trigger the session table synchronization from the primary device to the other devices in the
cluster occur if there is a session state update or if a session is deleted.
Most of the session synchronization communication comes from the primary to the rest of the devices in the
cluster; secondary devices send queries to the primary device about session timer updates.
DO NOT REPRINT
© FORTINET
Session Synchronization
FGT # get sys ha status
HA Health Status: OK
Model: FortiGate-VM64-KVM
Mode: HA A-P
Group Name: Fortinet
Group ID: 0
Debug: 0
Cluster Uptime: 3 days 4:27:18
….
ses_pickup: enable, ses_pickup_delay=disable
…
HBDEV stats:
FGVM010000077649(updated 4 seconds ago):
port7: physical/00, up, rx-bytes/packets/dropped/errors=640288234/1655487/0/0, tx=797573613/1767346/0/0
FGVM010000077650(updated 1 seconds ago):
port7: physical/00, up, rx-bytes/packets/dropped/errors=797593897/1767528/0/0, tx=640291890/1655362/0/0
…
By default, session synchronization activity takes place over the HA heartbeat link using TCP/703 and
UDP/703 packets.
The command get sys ha status displays if session pickup is enabled. The HBDev stats section
should show that the received (RX) and transmitted (TX) counters are incrementing.
If there is a large number of session synchronizations, this could cause network congestion and impact the
HA cluster communication. One option is to select one or more ports to use for synchronizing sessions, which
can improve HA heartbeat traffic and the performance of the HA cluster.
DO NOT REPRINT
© FORTINET
Checking HA Session Synchronization
# diagnose sys session list Check the session table of the primary device
session info: proto=6 proto_state=01 duration=73 expire=3597 timeout=3600 flags=00000000
socktype=00000000 sockport=0 av_idx=0 use=3
origin-shaper= HA ID of the device
processing this traffic Session has been
reply-shaper=
synchronized to all
per_ip_shaper= secondary devices
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty synced none app_ntf
statistic(bytes/packets/allow_err): org=822/11/1 reply=9037/15/1 tuples=2
tx speed(Bps/kbps): 7/0 rx speed(Bps/kbps): 16/0
orgin->sink: org pre->post, reply pre->post dev=4->2/2->4 gwy=100.64.1.254/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:65464->54.192.15.182:80(100.64.1.1:65464)
hook=pre dir=reply act=dnat 54.192.15.182:80->100.64.1.1:65464(10.0.1.10:65464)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00000098 tos=ff/ff ips_view=0 app_list=0 app=0 url_cat=0
rpdb_link_id= 00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x040000
© Fortinet Inc. All Rights Reserved. 20
You can check the session table of the primary device to see which sessions have been synchronized to the
secondary devices. They are the ones with the synced flag. Additionally, and in the case of all sessions, the
ha_id field shows the HA member ID of the device that is processing the traffic.
DO NOT REPRINT
© FORTINET
HA Troubleshooting
In this section, you will learn about some HA troubleshooting steps and commands.
DO NOT REPRINT
© FORTINET
Types of Failover
• Loss of keepalive packets
• Primary fails to reply
• A monitored interface becomes disconnected
• The new primary is the device with the fewest failed monitored interfaces
• Port monitoring takes precedence over device priority
• Remote link failover
• Uses detect (ping) servers to test IP connectivity
• Pings originated only from the primary
• If it does not get a reply, the cluster renegotiates the primary
• Solid state disk (SSD) failover
• An SSD fails
• Only for devices with SSDs
• Memory utilization threshold
• Configurable memory utilization threshold, sample rate, and monitor period
• Memory utilization checked at configured sample rate and, if above configured threshold for entire
monitor period, a failover is triggered
• When the secondary devices stop receiving the heartbeat hello packets from the primary.
• When the link status of a monitored interface on the primary FortiGate goes down. You can configure an
HA cluster to monitor one or more interfaces. If a monitored interface on the primary FortiGate is
unplugged, or its link status goes down, a new primary FortiGate is elected.
• When a server (IP address) stops replying to the ping that the primary sent. You can configure an HA
cluster to periodically send a ping to one or more servers to test the connectivity between the primary
device and the network services. The primary FortiGate fails if the accumulated penalty of all failed
interfaces reaches the configured threshold.
• When FortiOS detects a failure in an SSD. It triggers a failover if FortiOS detects Ext-fs errors on an SSD
on the primary FortiGate.This is only available for devices with SSDs.
• When memory-based failover is enabled and the configured conditions for utilization exceed the threshold
during each sample over the monitor period.
There are multiple events that might trigger an HA failover, such as a hardware or software failure on the
primary FortiGate or an issue on one of the interfaces on the primary. When a failover occurs, an event log is
generated.
DO NOT REPRINT
© FORTINET
HA Logs Sample
• Primary device fails and is removed from the cluster
• These messages are recorded by a secondary device, which becomes the new primary
device:
If a failover happens, the best tool to use to get information about the failover is the FortiGate logs. If the
failover happened because the primary device failed, the secondary device logs should show these log
entries.
DO NOT REPRINT
© FORTINET
HA Logs Sample (Contd)
• Link failure of a monitored interface
• These log messages, recorded by the primary device, show the monitored port1
interface:
If a new primary was elected because one or more monitored interfaces failed, the former primary displays
logs similar to the ones shown on this slide. In the example shown on this slide, the primary device is
reporting a problem with the monitored interface port1.
DO NOT REPRINT
© FORTINET
HA History
• Provides information about past HA events
Another useful way to determine the reason for an HA failover is by running the command shown on this slide.
This command provides details about past HA events, which allows administrators to identify the reason for
previous failover events. This is a useful HA command, especially when HA logs are not available.
DO NOT REPRINT
© FORTINET
HA Split-Brain Scenario
• When FortiGate devices configured in an HA cluster lose communication with each other
on the heartbeat interface, each FortiGate assumes the role of the primary device
• Split-brain symptoms
• Administrative access works intermittently
• Traffic is dropped
• When accessing through FortiGate using the CLI, #get sys ha status shows each FortiGate as the
primary
• Possible causes
• Incomplete firmware upgrade
• Loss of the heartbeat links
• Congestion or latency in the heartbeat links
An HA split-brain scenario occurs when the FortiGate devices in an HA cluster lose heartbeat communication
through the heartbeat links. Because of the lost communication, each FortiGate assumes the role of the
primary device.
When this issue occurs, the results are very evident because traffic flow is impacted. While experiencing a
split-brain issue, the administrative access to the devices in the cluster is intermittent; console access might
be required to troubleshoot the device and perform configuration changes, if required.
This issue could be triggered by a faulty physical port or cable, a failed firmware upgrade, or a congested
heartbeat link.
DO NOT REPRINT
© FORTINET
HA Split-Brain Scenario—Troubleshooting Steps
• Verify all HA cluster members are running the same firmware version
• # get system status
• Use the sniffer command to verify heartbeat packets are exchanged successfully:
• That is, # diagnose sniffer packet any "ether proto 0x8890"4 (NAT/route mode
heartbeat)
There are some basic HA troubleshooting steps to verify the HA cluster health and get the cluster out of this
situation:
1. Verify that all devices in the cluster are running the same firmware version.
2. Check that the configuration is synchronized.
3. Verify the status of the heartbeat ports.
4. Verify that the Ethernet packets are transmitted and received successfully between the cluster members.
Following these steps will help to diagnose the root cause that triggered this behavior.
DO NOT REPRINT
© FORTINET
HA Troubleshooting Tips
• If a device can’t join a cluster, follow these steps:
1. Verify that the HA settings match
2. Verify that the firmware and hardware match
3. Verify physical layer connections
4. Use the HA real-time debug
diagnose debug application hatalk -1
diagnose debug application hasync -1
diagnose debug enable
• If the checksums between the debugzone and checksum zones do not match, you can
force the recalculation
# diagnose sys ha checksum recalculate [<vdom_name> | global]
If the problem is that the checksums between the debugzone and checksum zones don’t match, you can try
to fix it by forcing the recalculation.
DO NOT REPRINT
© FORTINET
HA Heartbeat Troubleshooting Tips
• High session synchronization traffic might delay heartbeats
• Solutions:
• Separate session synchronization and heartbeat traffic:
config system ha
set session-sync-dev <port_name_1> [port_name_2] …
end
• Delay new session synchronization by 30 seconds. Short-lived sessions won't be synchronized, which results in
less session traffic:
config system ha
set session-pickup-delay enable
end
Traffic from session synchronization is bandwidth intensive. If the session creation rate is high, session
synchronization traffic can interfere with heartbeat traffic, creating delays in heartbeat replies. There are two
configuration changes that you can make that might help:
• Use a different interface from the heartbeat interface for session synchronization.
• Delay the synchronization of new sessions by 30 seconds, so short-lived sessions are not synchronized.
High CPU issues can also create HA heartbeat problems. In those cases, troubleshoot and fix the high CPU
problem first, before you check the HA status.
DO NOT REPRINT
© FORTINET
Review
Check the status of the HA configuration
Monitor an HA cluster
Configure session synchronization
Troubleshoot common HA issues
This slide shows the objectives that you covered in this lesson.
By mastering the objectives covered in this lesson, you learned how to monitor an HA cluster and steps to
troubleshoot FortiGate devices running in HA.
DO NOT REPRINT
© FORTINET
FortiGate 7.4
Last Modified: 25 April 2024
DO NOT REPRINT
© FORTINET
Objectives
• Manage IPsec VPN tunnels
• Use debug commands for phase 1 and phase 2
• Diagnose IPsec traffic issues with debug flow commands
• Use a sniffer to debug IPsec traffic
• Monitor and troubleshoot IPsec traffic on hardware offload
After completing this lesson, you should be able to achieve the objectives shown on this slide.
By demonstrating a competent understanding of IPsec, you will be able to manage, monitor, diagnose, debug,
and troubleshoot IPsec.
DO NOT REPRINT
© FORTINET
In this section, you will learn the CLI commands used to monitor the status and statistics of IPsec VPNs.
DO NOT REPRINT
© FORTINET
IPsec SA Management
The command diagnose vpn tunnel offers options for shutting down, activating, or flushing a VPN tunnel.
DO NOT REPRINT
© FORTINET
IPsec SA
# diagnose vpn tunnel list name Hub2Spoke1 Lists specified tunnel
list IPsec tunnel by names in vd 0 information only
------------------------------------------------------
name=Hub2Spoke1 ver=1 serial=2 10.10.1.1:0->10.10.2.2:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=8 ilast=11 olast=3 auto-discovery=0
stat: rxp=513 txp=129 rxb=459050 txb=93
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=36 DPD information
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Hub2Spoke1 proto=0 sa=1 ref=2 serial=1
src: 0:192.168.1.0/255.255.255.0:0 Antireplay is enabled
dst: 0:10.10.20.0/255.255.255.0:0
SA: ref=7 options=2e type=00 soft=0 mtu=1438 expire=41195/0B replaywin=1024 seqno=9d esn=0
replaywin_lastseq=00000200
life: type=01 bytes=0/0 timeout=43150/43200
dec: spi=01e54b14 esp=aes key=16 914dc5d092667ed436ea7f6efb867976 SA information
ah=sha1 key=20 a81b019d4cdfda32ce51e6b01d0b1ea42a74adce
enc: spi=3dd3545f esp=aes key=16 017b8ff6c4ba21eac99b22380b7de74d
ah=sha1 key=20 edd8141f4956140eef703d9042621d3dbf5cd961
dec:pkts/bytes=513/458986, enc:pkts/bytes=250/26848 Hardware offload
npu_flag=03 npu_rgwy=10.10.2.2 npu_lgwy=10.10.1.1 npu_selid=1 information
The command diagnose vpn tunnel list displays the current IPsec security association (SA)
information for all active tunnels.
The command diagnose vpn tunnel list name <tunnel name> provides SA information about a
specific tunnel.
DO NOT REPRINT
© FORTINET
IPsec Tunnel Details
Hub # get vpn ipsec tunnel details
gateway
name: 'Hub2Spoke1'
type: route-based
local-gateway: 10.10.1.1:0 (static)
Phase 1 details
remote-gateway: 10.10.2.2:0 (static)
mode: ike-v1
interface: 'wan2' (6)
rx packets: 1025 bytes: 524402 errors: 0
tx packets: 641 bytes: 93 errors: 0
dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0
selectors
name: 'Hub2Spoke1'
auto-negotiate: disable
mode: tunnel Quick mode selectors
src: 0:192.168.1.0/0.0.0.0:0
dst: 0:10.10.20.0/0.0.0.0:0
SA
lifetime/rekey: 43200/32137 Tunnel MTU
mtu: 1438
tx-esp-seq: 2ce
replay: enabled
inbound
spi: 01e54b14 Phase 2 SAs for each
enc: aes-cb 914dc5d092667ed436ea7f6efb867976 direction
auth: sha1 a81b019d4cdfda32ce51e6b01d0b1ea42a74adce
outbound
spi: 3dd3545f
enc: aes-cb 017b8ff6c4ba21eac99b22380b7de74d
auth: sha1 edd8141f4956140eef703d9042621d3dbf5cd961
Hardware acceleration
NPU acceleration: encryption(outbound) decryption(inbound)
The command get vpn ipsec tunnel details provides detailed information about the active IPsec
tunnels.
To view detailed information about each tunnel, use the command diagnose vpn ipsec tunnel detail.
The output shows traffic counters; negotiated quick mode selectors; and negotiated encryption, authentication,
and keys.
DO NOT REPRINT
© FORTINET
IKE Gateway List
Hub # diagnose vpn ike gateway list name Hub2Spoke1
vd: root/0
name: Hub2Spoke1
version: 1
interface: wan2 6
addr: 10.10.1.1:500 -> 10.10.2.2:500
When phase 1 was
created: 3196s ago created
auto-discovery: 0
IKE SA: created 1/1 established 1/1 time 6020/6020/6020 ms
IPsec SA: created 1/1 established 1/1 time 40/40/40 ms
The command diagnose vpn ike gateway list also provides some details about a tunnel.
The command diagnose vpn ike gateway clear closes a phase 1. Be careful when using this
command because it has a global effect. This means that running it without specifying the phase 1 name
results in all phase 1s of all VDOMs being cleared.
DO NOT REPRINT
© FORTINET
Additional IPsec Debug Commands
Hub # get vpn ipsec stats tunnel
tunnels
total: 1
static/ddns: 1 Number of tunnels
dynamic: 0 currently active
manual: 0
errors: 0
selectors
total: 1
up: 1
The command get vpn ipsec stats tunnel provides some global overall counters related to all the
VPNs that are currently active.
The other two commands shown on this slide provide summarized information about the VPNs.
DO NOT REPRINT
© FORTINET
In this section, you will learn the CLI commands used to debug phase 1 and 2 negotiations.
DO NOT REPRINT
© FORTINET
IKE Filter Options
# diagnose vpn ike log filter
list Display the current filter.
clear Erase the current filter.
name Phase1 name to filter by.
loc-addr4 IPv4 local gateway address range to filter by.
mloc-addr4 Multiple IPv4 local gateway address to filter by.
rem-addr4 IPv4 remote gateway address range to filter by.
mrem-addr4 Multiple IPv4 remote gateway address to filter by.
loc-addr6 IPv6 local gateway address range to filter by.
mloc-addr6 Multiple IPv6 local gateway address to filter by.
rem-addr6 IPv6 remote gateway address range to filter by.
mdst-addr6 multiple IPv6 remote gateway addresses to filter by.
dst-port Destination port range to filter by.
vd Index of virtual domain. -1 matches all.
interface Interface that IKE connection is negotiated over.
negate Negate the specified filter parameter.
The IKE daemon handles all IPsec connections on FortiGate. It’s important to familiarize yourself with the
available filter options. You use these options to filter the output of the IKE real-time debug, so that only the
information that is relevant to you is displayed.
The most common filter option is rem-addr4, which you use to filter the output by the IP address of the
remote peer. Also, multiple addresses are supported. Filtering by name is helpful when the remote peer IP
address is unknown.
DO NOT REPRINT
© FORTINET
IKE Real-Time Debug
# diagnose debug application ike <bitmask>
# diagnose debug enable
• Bitmask value: -1 is recommended
• You should enable the timestamp when Bitmask Description
troubleshooting IKE issues: 1 Major errors
# diagnose debug console timestamp enable 2 Configuration changes
4 Connections attempts
8 Phase 1 and 2 negotiation messages
16 NAT-T messages
32 Dead peer detection messages
64 Encryption and decryption keys
128 Encrypted traffic payload
After setting the filter, enable the IKE real-time debug using the commands shown on this slide.
The table shown on this slide includes the type of output that is enabled by each bit in the bitmask. The most
common value for the bitmask is -1 (all outputs enabled). It shows the dead peer detection (DPD) packets and
all the information required for troubleshooting IPsec negotiation problems.
DO NOT REPRINT
© FORTINET
Debugging Main Mode
# diagnose debug application ike -1
# diagnose debug enable
...
ike 0: comes 10.10.2.2:500->10.10.1.1:500,ifindex=6....
ike 0: IKEv1 exchange=Identity Protection id=76a2fb2b18d6fee7/0000000000000000 len=716
ike 0:...:92: responder: main mode get 1st message...
ike 0:...:92: VID RFC 3947 4A131C81070358455C5728F20E95452F
... First main mode
ike 0:...:92: negotiation result message
ike 0:...:92: proposal id = 1:
ike 0:...:92: protocol id = ISAKMP:
ike 0:...:92: trans_id = KEY_IKE.
ike 0:...:92: encapsulation = IKE/none
Phase 1 proposal
ike 0:...:92: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:...:92: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:...:92: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:...:92: type=OAKLEY_GROUP, val=MODP2048.
ike 0:...:92: ISAKMP SA lifetime=86400
Proposal chosen and
... matched tunnel Hub2Spoke1
ike 0:...:92: SA proposal chosen, matched gateway Hub2Spoke1
ike 0: found Hub2Spoke1 10.10.1.1 6 -> 10.10.2.2:500
Now, you will look at the output of the IKE real-time debug during a main-mode negotiation. Main mode
requires the interchange of six packets. The real-time debug shows when the first packet (first main mode
message) arrives. Then, the debug shows the negotiated settings for phase 1. A message is generated after
FortiGate identifies the VPN configuration to use (with the name of the VPN).
DO NOT REPRINT
© FORTINET
Debugging Main Mode (Contd)
ike 0:Hub2Spoke1:92: peer is FortiGate/FortiOS (v6 b1579) Remote peer device
... information
ike 0:Hub2Spoke1:92: sent IKE msg (ident_r1send): 10.10.1.1:500->10.10.2.2:500, len=192, id=76a2fb2b18d6fee7/399d6ddd6e830672
ike 0: comes 10.10.2.2:500->10.10.1.1:500,ifindex=6....
ike 0: IKEv1 exchange=Identity Protection id=76a2fb2b18d6fee7/399d6ddd6e830672 len=380
ike 0:Hub2Spoke1:92: responder:main mode get 2nd message... Second main mode
ike 0:Hub2Spoke1:92: NAT not detected message
ike 0:Hub2Spoke1:92: sent IKE msg (ident_r2send): 10.10.1.1:500->10.10.2.2:500, len=380, id=76a2fb2b18d6fee7/399d6ddd6e830672
ike 0: comes 10.10.2.2:500->10.10.1.1:500,ifindex=6....
ike 0: IKEv1 exchange=Identity Protection id=76a2fb2b18d6fee7/399d6ddd6e830672 len=108
ike 0:Hub2Spoke1:92: responder: main mode get 3rd message...
Third main mode
...
message
ike 0:Hub2Spoke1:92: received p1 notify type INITIAL-CONTACT
ike 0:Hub2Spoke1:92: peer identifier IPV4_ADDR 10.10.2.2
Authentication
ike 0:Hub2Spoke1:92: PSK authentication succeeded
successful
ike 0:Hub2Spoke1:92: authentication OK
ike 0:Hub2Spoke1:92: sent IKE msg (ident_r3send): 10.10.1.1:500->10.10.2.2:500, len=92, id=76a2fb2b18d6fee7/399d6ddd6e830672
...
ike 0:Hub2Spoke1:92: established IKE SA 76a2fb2b18d6fee7/399d6ddd6e830672
ike 0:Hub2Spoke1:92: processing INITIAL-CONTACT Phase 1 is up
...
Next, the output shows the remote peer information. The second and third main mode messages arrive. After
the authentication is successful and the pre-shared key matches, a final message is generated to indicate that
phase 1 is up.
DO NOT REPRINT
© FORTINET
Debugging Aggressive Mode
ike 0: comes 10.10.2.2:500->10.10.1.1:500,ifindex=6....
ike 0: IKEv1 exchange=Aggressive id=3c6c62a443611a29/0000000000000000 len=776
ike 0:...:96: responder: aggressive mode get 1st message...... First aggressive mode
ike 0:...:96: VID FORTIGATE 8299031757A36082C6A621DE00050428 message
ike 0::96: peer identifier IPV4_ADDR 10.10.2.2
ike 0:...:96: negotiation result
ike 0:...:96: proposal id = 1:
ike 0:...:96: protocol id = ISAKMP:
ike 0:...:96: trans_id = KEY_IKE.
ike 0:...:96: encapsulation = IKE/none IKE proposal
ike 0:...:96: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:...:96: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:...:96: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:...:96: type=OAKLEY_GROUP, val=MODP2048.
ike 0:...:96: ISAKMP SA lifetime=86400
ike 0:...:96: SA proposal chosen, matched gateway Hub2Spoke1
Proposal chosen for
ike 0: found Hub2Spoke1 10.10.1.1 6 -> 10.10.2.2:500... Hub2Spoke1
ike 0:Hub2Spoke1:96: responder: aggressive mode get 2nd response...
...
ike 0:Hub2Spoke1:96: PSK authentication succeeded
ike 0:Hub2Spoke1:96: authentication OK
Authentication successful
ike 0:Hub2Spoke1:96: NAT not detected
ike 0:Hub2Spoke1:96: established IKE SA 3c6c62a443611a29/dccee519f2e8b9b9 Phase 1 is up
ike 0:Hub2Spoke1: carrier up
This slide shows the output of the real-time debug for phase 1 aggressive mode. It displays the three
aggressive mode packets exchanged, and the proposals.
DO NOT REPRINT
© FORTINET
Debugging XAuth
ike 0:DialUP_0:13: initiating XAUTH.
ike 0:DialUP_0:13: sending XAUTH request CFG_REQUEST sent
ike 0:DialUP_0:13: sent IKE msg (cfg_send): 10.200.1.1:500->10.200.3.1:500, len=76,
id=2d5d8e9aa17045c4/e93fbb0a30d4b217:bd294d3e
CFG_REPLY received
ike 0:DialUP_0:13: peer has not completed XAUTH exchange
ike 0: comes 10.200.3.1:500->10.200.1.1:500,ifindex=2....
ike 0: IKEv1 exchange=Mode config id=2d5d8e9aa17045c4/e93fbb0a30d4b217:bd294d3e len=92
ike 0:DialUP_0:13: received XAUTH_USER_NAME 'fortinet' length 8
ike 0:DialUP_0:13: received XAUTH_USER_PASSWORD length 8
ike 0:DialUP_0: XAUTH user "fortinet"
CFG_SET sent
ike 0:DialUP: auth group VPN
ike 0:DialUP_0: XAUTH succeeded for user "fortinet" group "VPN"
ike 0:DialUP_0:13: sent IKE msg (cfg_send): 10.200.1.1:500->10.200.3.1:500, len=68,
CFG_ACK received
id=2d5d8e9aa17045c4/e93fbb0a30d4b217:3639b66f
ike 0: comes 10.200.3.1:500->10.200.1.1:500,ifindex=2....
ike 0: IKEv1 exchange=Mode config id=2d5d8e9aa17045c4/e93fbb0a30d4b217:3639b66f len=68
The IKE real-time debug shows, after phase 1, the exchange of extended authentication (XAuth) packets. On
this slide, you can see the CFG_REQUEST packet. You can also see the CFG_REPLY, showing the XAuth user
and group name.
After that, the IKE real-time debug shows the CFG_SET and CFG_ACK.
DO NOT REPRINT
© FORTINET
Debugging IKE Mode Configuration CFG_REQUEST received
...
ike 0: comes 172.31.18.81:500->172.31.224.125:500,ifindex=5....
ike 0: IKEv1 exchange=Mode config id=bc69d3c493f5/9137d875a2c420c6:c4ad
ike 0:vpn_0:4: mode-cfg type 1 request 0:''
ike 0:vpn_0:4: mode-cfg using allocated IPv4 10.255.255.100
ike 0:vpn_0:4: mode-cfg assigned (1) IPv4 address 10.255.255.100
ike 0:vpn_0:4: mode-cfg type 2 request 0:''
ike 0:vpn_0:4: mode-cfg assigned (2) IPv4 netmask 255.255.255.0
ike 0:vpn_0:4: mode-cfg type 3 request 0:'' CFG_REPLY sent
ike 0:vpn_0:4: mode-cfg send (3) IPv4 DNS(1) 10.185.0.200
ike 0:vpn_0:4: sent IKE msg (cfg_send): 172.31.224.125:500->172.31.18.81:500,
ike 0: comes 172.31.18.81:500->172.31.224.125:500,ifindex=5....
...
After the XAuth exhange, the remote site proceeds to request and receive the IP address settings through IKE
mode configuration.
DO NOT REPRINT
© FORTINET
Debugging Phase 2
ike 0:comes 10.10.2.2:500->10.10.1.1:500,ifindex=6....
ike 0:IKEv1 exchange=Quick id=3c6c62a443611a29/dccee519f2e8b9b9:8f32bfcc len=588
ike 0:Hub2Spoke1:96:551: responder received first quick-mode message
...
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: my proposal: Local gateway proposal(s)
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: proposal id = 1:
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: protocol id = IPsec_ESP:
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: PFS DH group = 14
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: type = AUTH_ALG, val=SHA1
...
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: incoming proposal: Remote gateway proposal(s)
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: proposal id = 1:
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: protocol id = IPsec_ESP:
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: PFS DH group = 14
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: type = AUTH_ALG, val=SHA1
...
The debug shows the phase 2 proposal from the local gateway, and the phase 2 proposal coming to the
remote gateway. In this case, both proposals (local and remote) match.
DO NOT REPRINT
© FORTINET
Debugging Phase 2 (Contd) Negotiated phase 2
proposal
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: negotiation result
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: proposal id = 1:
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: protocol id = IPsec_ESP:
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: PFS DH group = 14
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: type = AUTH_ALG, val=SHA1
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: set pfs=MODP2048
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: using tunnel mode.
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: replay protection enabled
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: SA life soft seconds=43153.
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: SA life hard seconds=43200.
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: IPsec SA selectors #src=1 #dst=1
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: src 0 7 0:192.168.1.0-192.168.1.255:0
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: dst 0 7 0:10.10.20.0-10.10.20.255:0
...
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: add IPsec SA: SPIs=01e54b23/3dd3546b
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: added IPsec SA: SPIs=01e54b23/3dd3546b
ike 0:Hub2Spoke1:96:Hub2Spoke1:551: sending SNMP tunnel UP trap
Phase 2 is up
Next, the output shows the negotiated phase 2 settings. The last messages confirm that phase 2 is up.
DO NOT REPRINT
© FORTINET
In this section, you will learn how to configure and monitor IPsec encryption and decryption on hardware
offload.
DO NOT REPRINT
© FORTINET
Hardware Offloading Requirements
• You can offload IPsec encryption and decryption to hardware on some FortiGate models
• Hardware offloading capabilities and supported algorithms vary by processor type and
model
• By default, offloading is enabled for supported algorithms
• You can manually disable offloading
config vpn ipsec phase1-interface
edit <tunnel_name>
set npu-offload enable | disable
next
end
On some FortiGate models, you can offload the encryption and decryption of IPsec traffic to hardware. The
supported algorithms depend on the model and type of processor on the device that is offloading the
encryption and decryption.
By default, hardware offloading is enabled for the supported algorithms. This slide shows the commands you
can use to disable hardware offloading per tunnel, if necessary.
DO NOT REPRINT
© FORTINET
Session NPU-Flag Field
• IPsec SAs have an NPU-flag field
# diagnose vpn tunnel list name Hub2Spoke1
list IPsec tunnel by names in vd 0
...
npu_flag=03 npu_rgwy=10.10.2.2 npu_lgwy=10.10.1.1
npu_selid=1
All IPsec SAs have an npu_flag field that indicates the offloading status. In the case of IPsec traffic, the
FortiGate session table also includes that field.
First, when phase 2 comes up, the IPsec SAs are created and loaded to the kernel. As long as there is no
traffic crossing the tunnel, the SAs are not copied to the network processing unit (NPU), and the npu_flag
shows 00. The value of that field also remains 00 when IPsec offloading is disabled.
Second, if the first IPsec packet that arrives is an outbound packet that can be offloaded, the outbound SA is
copied to the NPU and the npu_flag changes to 01. However, if the first IPsec packet is inbound and can be
offloaded, the inbound SA is copied to the NPU and the npu_flag changes to 02.
After both SAs are copied to the NPU, the npu_flag changes to 03.
The value 20 in the npu_flag field indicates that hardware offloading is unavailable because of an
unsupported cipher or hash-based message authentication code (HMAC) algorithm.
DO NOT REPRINT
© FORTINET
Hardware Offloading Statistics
• IPsec SAs have an NPU-flag field
# diagnose vpn ipsec status
This command shows the number of packets encrypted and decrypted by software (CPU), and by each type
of processor unit on FortiGate.
DO NOT REPRINT
© FORTINET
IPsec Troubleshooting
In this section, you will learn IPsec troubleshooting steps and commands.
DO NOT REPRINT
© FORTINET
IPsec Connection Steps
1. Interesting traffic triggers the VPN negotiation
2. Phase 1 comes up
• Single bidirectional IKE SA
When isolating IPsec problems, it is useful to understand that an IPsec connection can be described as a
multistep process:
1. Interesting traffic triggers the VPN negotiation. Traffic is called interesting when it must travel through an
IPsec tunnel (encrypted and encapsulated) to reach a remote network.
2. Phase 1 comes up.
3. If XAuth is required, one side authenticates.
4. If one side requires IP settings, the other side sends the required settings through the IKE mode
configuration.
5. One or more phase 2s go up. Two IPsec SAs are negotiated for each phase 2.
6. Traffic crosses the tunnel.
If you have an IPsec issue, you should identify in which of these steps the problem occurred.
DO NOT REPRINT
© FORTINET
Debug Flow of Tunnel Traffic
Hub # id=20085 trace_id=5 func=print_pkt_detail line=4742 msg="vd-root received a
packet(proto=1, 192.168.1.111:1->10.10.20.111:2048) from lan. type=8, code=0, id=1, seq=165."
id=20085 trace_id=5 func=init_ip_session_common line=4893 msg="allocate a new session-001efeca“
Now assume that when phase 1 comes up, phase 2 also comes up, but, for some reason, the traffic is not
crossing the tunnel.
If the VPN is up but the traffic can’t cross the tunnel, you should use the debug flow. If possible, run it on both
gateways. This will let you know if the local gateway is dropping the packets or not routing the packets
through the tunnel, or if the remote gateway is dropping the packets.
This slide shows an example output of the debug flow for traffic that is crossing an IPsec tunnel. The output
shows the following:
• Packet arriving
• Packet being allowed by a firewall policy
• Packet entering the tunnel
• Packet being encrypted and sent
If the traffic is not crossing the tunnel because of a routing misconfiguration, the output of the debug flow
shows it. The debug flow also displays if the traffic drops and why (for example, when packets don’t match the
quick mode selector).
DO NOT REPRINT
© FORTINET
Capturing IKE Traffic
Protocol NAT and NAT-T No NAT
IKE Initially UDP port 500 UDP port 500
UDP port 4500 after NAT is detected
ESP Encapsulated in UDP port 4500 IP protocol 50
• No NAT
• IKE traffic
# diagnose sniffer packet <port> 'host <remote-gw> and udp port 500'
• ESP traffic
# diagnose sniffer packet any 'host <remote-gw> and esp'
• With NAT and NAT-T
• IKE and ESP traffic
# diagnose sniffer packet any 'host <remote-gw> and (udp port 500 or udp port 4500)‘
• IKE and IKE NAT-T UDP port numbers configurable from the CLI
# config system settings
set ike-port <1024 – 65535>
end
If you need to capture IPsec traffic, remember that the IP protocol and UDP port numbers depend on network
address translation traversal (NAT-T) and the use of network address translation (NAT).
If there is no FortiGate located in the middle that is running NAT, IKE traffic uses UDP port 500 and
encapsulating security payload (ESP) traffic uses IP protocol 50. This slide shows the two sniffer filters that
the sniffer command must use to capture each of those traffic protocols.
If NAT-T is enabled, and there is a FortiGate located in the middle that is running NAT, the sniffer command
must use a different filter. In this case, IKE traffic uses port UDP 500, but switches to UDP port 4500 during
the tunnel negotiation. Additionally, ESP traffic is encapsulated inside the UDP 4500 channel.
Note that port 500 and port 4500 are the default UDP port numbers for IKE and IKE NAT-T, respectively. You
can configure these ports using the command config system settings and options set ike-port
<value>.
DO NOT REPRINT
© FORTINET
Common IPsec Problems
Problem Output of IKE debug Common causes Common solutions
Tunnel is not coming up Error: negotiation failure IPsec configuration mismatch Verify phase 1 and phase
2 configurations between
both peers
Tunnel is up but traffic Error in debug flow: no Quick mode selectors Verify quick mode
doesn’t pass through it matching IPsec selector, mismatch selectors are correct
drop
NAT is enabled Disable NAT on the VPN
firewall policy
Routing issue Route missing or pointing to Verify route is correctly
wrong device defined
This slide shows a summary of the most common IPsec problems and solutions.
If the tunnel doesn’t come up, use the IKE real-time debug. In such cases, an error message usually appears.
When the tunnel is unstable, you usually see that DPD packets are being lost, which indicates that the
problem might be on the internet service provider (ISP) side.
If the tunnel is up but traffic isn’t passing through it, use the debug flow. One of the peers might be dropping
packets or routing traffic incorrectly. Another possibility is that the packets don’t match the quick mode
selectors, so FortiGate drops the packets.
DO NOT REPRINT
© FORTINET
Review
Manage IPsec VPN tunnels
Use debug commands for phase 1 and phase 2
Diagnose IPsec traffic issues with debug flow commands
Use a sniffer to debug IPsec traffic
Monitor and troubleshoot IPsec traffic on hardware offload
This slide shows the objectives that you covered in this lesson.
By mastering the objectives covered in this lesson, you learned how to manage, monitor, diagnose, debug,
and troubleshoot IPsec.
DO NOT REPRINT
© FORTINET
FortiGate 7.4
Last Modified: 25 April 2024
In this lesson, you will learn you will learn about IPsec IKEv2.
DO NOT REPRINT
© FORTINET
Objectives
• Compare IKEv1 and IKEv2
• Understand the reasons to keep IKEv1
• Understand IKEv2 at a high level
• Understand IKE negotiation exchange
• Learn about IKEv2 monitor, debug, and troubleshooting commands
• Understand the IKEv2 negotiation process
After completing this lesson, you should be able to achieve the objectives shown on this slide.
By demonstrating a competent understanding of IPsec IKEv2, you will be able to explain the differences and
advantages of IKEv2 and its negotiation process.
DO NOT REPRINT
© FORTINET
In this section, you will learn about the differences between IKEv1 and IKEv2.
DO NOT REPRINT
© FORTINET
IKEv1—An Outdated Version
Although IKEv1 is still widely used, you must consider multiple factors when deciding whether to continue
using IKEv1 or replace it. Notably, IKEv1 development ceased over a decade ago—and unmaintained code
can result in security vulnerabilities. IKEv1 has been moved to historic status and some of its RFC
specifications have become obsolete.
Some algorithms used in IKEv1 are no longer actively deployed or researched, which presents an unknown
security risk that you should avoid. Some IKEv1 functionalities never reached the standard state and some do
not even have an RFC.
DO NOT REPRINT
© FORTINET
Reasons to Continue Using IKEv1
• Need for RADIUS or LDAP authentication of a FortiGate device acting as dial-up client
• Need for multiple stages of authentication:
• In a dial-up user scenario, sometimes the requirement is to first authenticate the IPsec endpoints (for
example, FortiGate and FortiClient) with certificates, and to also authenticate the user against a
corporate RADIUS/LDAP/AD server
• Another consideration:
• IKEv1 is still widely used in multiple platforms and FortiOS has more than 20 years of exposure
Even though IKEv1 is deprecated, it can still fulfill some system requirements:
• When RADIUS or LDAP authentication is required for a FortiGate device acting as a dial-up client:
Because FortiOS doesn't have an Extensible Authentication Protocol (EAP) client, a FortiGate device
cannot authenticate itself against a RADIUS or LDAP server. In this case, IKEv1 must be used.
• When multiple stages of authentication are required: Although IKEv2 can provide a solution to this
requirement, it requires multiple authentication exchanges or EAP chaining with tunnel-based EAP (TEAP).
FortiOS has used IKEv1 for more than 20 years, which has driven fixes and optimizations.
DO NOT REPRINT
© FORTINET
IKEv2 Overview
• The key exchange and security association (SA) management protocols IKEv1 and
IKEv2 are incompatible
• IKEv2 specifications:
• RFC 4306 (2005), RFC 5996 (2010), RFC 7296 (2014)
• IKEv1 specifications:
• The core functionalities of IKEv1 are defined in multiple RFCs: RFC 2407 IPsec DOI for ISAKMP, RFC
2408 ISAKMP, RFC2409 IKEv1, RFC 2412 Oakley, and so on
• Additional major IKEv1 functionalities—NAT-T, DPD, mode cfg, xauth, and so on—are
defined in other RFCs
IKEv1 and IKEv2 are incompatible protocols that achieve the same goal, but in different ways.
IKE version 2 does not interoperate with IKE version 1, but they both have enough of the header format in
common that both versions can unambiguously run over the same UDP port.
While the core IKEv1 functionalities are defined through multiple RFCs, the main IKEv2 RFC covers, in a
single document, many of the same functionalities, like network address translation-transversal (NAT-T),
mode-cfg, EAP, dead peer detection (DPD), and so on.
DO NOT REPRINT
© FORTINET
IKEv2 Advantages
IKEv2:
• Is actively being worked on by the IPsec Maintenance and Extensions (ipsecme)
working group
• Requires fewer messages and fewer round trips for negotiation
• Is a reliable request and response protocol
• Fragmentation is standardized, has a configurable master terminal unit (MTU), and
begins fragmentation with the first message
• Defines rekey logic for IKE/IPsec SA more accurately than the IKEv1 logic
• Includes denial-of-service (DoS) protection
DO NOT REPRINT
© FORTINET
IKEv2 Advantages (Contd)
IKEv2:
• Uses standard EAP authentication methods
• Uses asymmetric authentication
• Has traffic selector flexibility
• Has an overlay network ID
• Requires matching dial-up phase 1 by ID (replaces ID matching by security-weak
IKEv1—dial-up aggressive mode pre-shared key)
• Requires IKE SA session resumption (RFC 5723)
• Requires IKE quick crash detection method (RFC 6290) with other vendors
IKEv2 provides flexibility for traffic selectors. You can specify the payload type for each traffic selector, rather
than overloading them with ID payloads.
IKEv2 also supports a setup with an overlay network ID, SA session resumption, and quick crash detection.
DO NOT REPRINT
© FORTINET
Summary of versions
Feature IKEv1 IKEv2
Exchange modes • Main • One exchange procedure only
• Total messages: 9 (6 for phase 1, 3 for phase 2) • Total messages: 4 (one child SA only)
• Aggressive
• Total messages: 6 (3 for phase 1, 3 for phase 2)
Authentication Symmetric Asymmetric
methods
NAT-T Supported as extension (RFC 3947 and RFC 3948) Built-in feature
Reliability Unreliable—messages are not acknowledged Reliable—messages are acknowledged
Dial-up phase 1 • Peer ID + aggressive mode + PSK • Peer ID
matching by ID • Peer ID + main mode + certificate signature • Network ID
Traffic selector Not supported Supported
flexibility
This slide offers a summary of the comparison of IPsec features in IKEv1 and IKEv2.
Regarding exchange modes, in IKEv1, aggressive mode offers the advantage of reducing the number of
exchanges in Phase 1. In contrast, IKEv2 does not use main or aggressive modes; however, its equivalent to
Phase 1 could require as few as two exchanges.
In the authentication feature, in IKEv1 the authentication must be symmetric. IKEv2 provides flexibility,
allowing the initiator and responder to use different authentication methods during the negotiation.
As part of the improvements on IKEv2, it’s that NAT-T is a built-in feature. NAT-T is not natively supported in
IKEv1. NAT-T feature was later included to enable IKEv1 to work through NAT devices.
Another of the improvements on IKEv2 is the traffic selector flexibility, which allows for more granular control
over which traffic is protected by the IPsec tunnel. IKEv2 also supports the dynamic update of traffic selectors
after the child SA has been established.
DO NOT REPRINT
© FORTINET
In this section, you will learn about the steps IKEv2 exchange uses to negotiate an IPsec tunnel.
DO NOT REPRINT
© FORTINET
IKEv2—A Request and Response Protocol
• IKEv2 is a “request and response” protocol
Unlike IKEv1, IKEv2 is a reliable protocol: The initiator retransmits a request until it either receives a
corresponding response or it deems the IKE SA to have failed. In the latter case, the initiator discards the IKE
SA and any child SAs negotiated with the unresponsive peer.
IKEv1 has a clearly demarcated phase 1 exchange, which contains six packets, followed by a phase 2
exchange of three packets. The IKEv2 exchange is variable. At best, it can exchange as few as four packets.
At worst, this can increase to as many as 30 packets, depending on the complexity of authentication.
After the initial exchange takes place, any subsequent traffic then triggers the CREATE_CHILD_SA
exchange, which is the equivalent of the phase 2 exchange in IKEv1.
DO NOT REPRINT
© FORTINET
IKEv2 Negotiation Steps
• Phase 1: settings for the negotiation of an IKEv2 SA
• Phase 2: settings for the negotiation of a child (IPsec) SA
• IKEv2 exchanges:
• Initial exchanges
• IKE_SA_INIT
• IKE_AUTH
• CREATE_CHILD_SA
• INFORMATIONAL
IKEv2 does not use the concept of phase 1 or phase 2, but the FortiOS CLI and GUI commands and
terminology are IKEv1-centric, so you do use those concepts and terminology when you configure IKEv2
settings.
The setting configuration for IKEv2 SA takes place in phase 1. The setting configuration for a child SA takes
place in phase 2.
There are four exchanges during the IKEv2 negotiation. The initial exchanges are: IKE_SA_INIT and
IKE_AUTH.
IKE_SA_INIT exchange:
• Negotiates the security settings to protect the IKE traffic.
• Enables DoS protection (cookie mechanism).
IKE_Auth exchange:
• Performs the mutual authentication of two IKE endpoints.
• Configures settings like IP/mask, DNS, and so on.
• Sets up the piggyback of a child SA. Negotiates IP flow and security settings for the IPsec SA.
Create_Child_SA exchange:
• Creates a new child SA or rekeys an existing child SA.
• Rekeys an IKE SA.
Informational exchange:
• Conveys control messages between the IKE endpoints.
DO NOT REPRINT
© FORTINET
IKEv2 Exchange Process—IKE_SA_INIT
Message 0
State:INIT_REQUEST State:WAIT_INIT_REQUEST
• Formulate initial IKEv2 request
• Insert initiator SPI (cookie) State:SEND_INIT_RESPONSE
• Insert proposal(s) Calculate Diffie-Hellman • Choose a proposal
key pair. Send a Nonce • Pick Diffie-Hellman key pair
• Calculate Diffie-Hellman secret and a nonce
• Prepare reply
State:WAIT_INIT_RESPONSE • Insert Responder SPI
Communication using IKE always begins with IKE_SA_INIT and IKE_AUTH exchanges (known in IKEv1 as
phase 1). SA_INIT is the first round trip of an IKEv2 initial exchange. An SA_INIT exchange usually takes one
round trip.
The exchange is extended to two round trips, if the responder requests another key exchange
(INVALID_KE_PAYLOAD notification), or if the DoS protection (cookie notification) starts.
If both key exchange renegotiation and DoS protection are completed, the exchange increases to three round
trips.
DO NOT REPRINT
© FORTINET
IKEv2 Exchange Process—IKE_AUTH
Message 2
State: SEND_AUTH_REQUEST State: WAIT_AUTH_REQUEST
• Calculate Diffie-Hellman secret
State: SEND_AUTH_RESPONSE
• Calculate all keying material
• Authenticates the initiator
• Send Identity and Authentication
• Accept CHILD_SA proposal
• Send parameters for CHILD_SA
• Install traffic protection
• Send CHILD_SA parameters
State: WAIT_AUTH_RESPONSE
IKE_AUTH (authentication) takes place after SA_INIT and is the last stage of the initial exchange.
It is protected by the cryptographic algorithms and the keys from the SA_INIT.
The peers exchange their identities—ID initator (IDi) or ID responder (IDr)—and provide the proof of their
claimed identity (AUTH).
When EAP is not used, IKE_AUTH consists of a single request and response exchange. When EAP is used,
IKE_AUTH consists of multiple request and response exchanges. The number of exchanges depends on the
EAP method being used.
By default, a piggyback child (IPsec) SA is negotiated along with the IKEv2 SA during IKE_AUTH.
If additional IPsec SAs are needed (for example, if multiple FortiOS phase 2s are configured), they are
negotiated during subsequent CREATE_CHILD_SA exchanges.
DO NOT REPRINT
© FORTINET
IKEv2 Exchange Process—CREATE_CHILD_SA
Message 4
State: SEND_CHILD_SA_REQUEST State: WAIT_CHILD_SA_REQUEST
• Request a rekey of an SPI
• Calculate Deffie-Hellman key State:SEND_CHILD_SA_RESPONSE
• Send a new nonce • Identify SPI to be rekeyed
• Generate new keying material
State:WAIT_CHILD_SA_RESPONSE • Create a new nonce
• Send CHILD_SA parameters
State: START_IPSEC_SA_PROTECTION
• Calculate new keying material State: START_IPSEC_SA_PROTECTION
• Install the new SA
This exchange consists of a single request and response pair, and was referred to as a phase 2 exchange in
IKEv1. It can be initiated by either end of the IKE_SA after the initial exchanges are completed. All messages
following the initial exchange are cryptographically protected using the cryptographic algorithms and keys
negotiated in the first two messages of the IKE exchange. All subsequent messages include an encrypted
payload, even if they are referred to in the text as "empty". Either endpoint may initiate a CREATE_CHILD_SA
exchange, so in this exchange the term "initiator" refers to the endpoint initiating this exchange.
DO NOT REPRINT
© FORTINET
IKEv2 Exchange Process—Informational
ike 0:VPN_IKEv2: flushed
ike 0:VPN_IKEv2:23:15: send informational
ike 0:VPN_IKEv2:23: enc 00000008010000000706050403020107
ike 0:VPN_IKEv2:23: out
FEB3C69DA9149605A972D6C2F62325E62E20250000000000000000482A00002C91D7CAA1AEBD29EF598DDC
9C2E1284EC3087D91EF7D5FD489173A6B6413AE3008CA1547DEAC32403
ike 0:VPN_IKEv2:23: sent IKE msg (INFORMATIONAL): 100.64.4.1:500->100.64.5.1:500,
len=72, vrf=0, id=feb3c69da9149605/a972d6c2f62325e6
ike 0:VPN_IKEv2: deleted
At various points during the operation of an IKE_SA, peers may need to convey control messages to each
other regarding errors or notifications of certain events. To accomplish this, IKE defines an informational
exchange. Informational exchanges must occur only after the initial exchanges and are cryptographically
protected with the negotiated keys.
DO NOT REPRINT
© FORTINET
In this section, you will learn the commands used to monitor an IKEv2 tunnel and the commands used to
debug and troubleshoot IKEv2.
DO NOT REPRINT
© FORTINET
IKEv2 Commands to Monitor, Debug, and Troubleshoot
• List the IKE SA and child (IPsec) SA:
# diagnose vpn ike gateway list
# diagnose vpn ike gateway clear
# diagnose vpn tunnel list
The commands to monitor, debug, and troubleshoot IKEv2 are the same as IKEv1.
The command diagnose vpn ike gateway list provides some details about a tunnel. The command
diagnose vpn ike gateway clear closes a phase 1. You can use this command to force a tunnel
negotiation while troubleshooting, but you must use it with caution.
The command diagnose vpn tunnel list displays the current IPsec SA information for all active
tunnels.
In order to debug the connection of an IPsec IKEv2, use the diagnose debug application ike
command, like you would in IKEv1, and apply a filter with diagnose vpn ike log filter to gather the
debug output of a specific tunnel.
DO NOT REPRINT
© FORTINET
IKEv2 Debug Output
ike 0:VPN_IKEv2:24: sent IKE msg (SA_INIT): 100.64.4.1:500->100.64.5.1:500, len=372, vrf=0, id=c5e
ike 0: comes 100.64.5.1:500->100.64.4.1:500,ifindex=4,vrf=0....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=c5ebafc5b4cf6357/00ec9960f1210499 len=356
...
ike 0:VPN_IKEv2:24: initiator received SA_INIT response
ike 0:VPN_IKEv2:24: processing notify type NAT_DETECTION_SOURCE_IP
....
ike 0:VPN_IKEv2:24: processing notify type FRAGMENTATION_SUPPORTED
ike 0:VPN_IKEv2:24: incoming proposal:
ike 0:VPN_IKEv2:24: proposal id = 1:
ike 0:VPN_IKEv2:24: protocol = IKEv2:
ike 0:VPN_IKEv2:24: encapsulation = IKEv2/none
.....
ike 0:VPN_IKEv2:24: IKE SA c5ebafc5b4cf6357/00ec9960f1210499 SK_ar
After you enable the debug command diagnose debug application ike and an IPsec negotiation
starts, you can analyze the IKEv2 negotiation process.
In the initial negotiation, you can see the SA_INIT exchange. This slide shows that the SA_INIT was sent and
that the initiator received the SA_INIT response.
DO NOT REPRINT
© FORTINET
IKEv2 Debug Output (Contd)
ike 0:VPN_IKEv2:24: initiator preparing AUTH msg
ike 0:VPN_IKEv2:24: sending INITIAL-CONTACT
ike 0:VPN_IKEv2:24: enc 2900000C010000006440040127000008000040002900002802000000F837C56D0B9EB4B490D
ike 0:VPN_IKEv2:24: out C5EBAFC5B4CF635700EC9960F12104992E20230800000001000000D8230000BC5E711388CE7
F78171665CABAD9FE75EC6FE143E5CFB4CC0770FE3E579B34DDEA528EF193DA286ADD9A65DF2E912C763CB3B21960BD124
…
ike 0:VPN_IKEv2:24: sent IKE msg (AUTH): 100.64.4.1:500->100.64.5.1:500, len=216, vrf=0, id=c5ebafc
ike 0: comes 100.64.5.1:500->100.64.4.1:500,ifindex=4,vrf=0....
ike 0: IKEv2 exchange=AUTH_RESPONSE id=c5ebafc5b4cf6357/00ec9960f1210499:00000001 len=208
ike 0: in C5EBAFC5B4CF635700EC9960F12104992E20232000000001000000D0240000B46447F251559A0F10EEE6844B7
…
ike 0:VPN_IKEv2:24: dec C5EBAFC5B4CF635700EC9960F12104992E20232000000001000000B4240000042700000C010
…
ike 0:VPN_IKEv2:24: initiator received AUTH msg
ike 0:VPN_IKEv2:24: peer identifier IPV4_ADDR 100.64.5.1
ike 0:VPN_IKEv2:24: auth verify done
ike 0:VPN_IKEv2:24: initiator AUTH continuation
ike 0:VPN_IKEv2:24: authentication succeeded
ike 0:VPN_IKEv2:24: processing notify type MESSAGE_ID_SYNC_SUPPORTED
ike 0:VPN_IKEv2:24: established IKE SA c5ebafc5b4cf6357/00ec9960f1210499
ike 0:VPN_IKEv2:24: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
ike 0:VPN_IKEv2: set oper up
After a successful SA_INIT exchange, the IKE_AUTH exchange takes place. The debug output shows the
messages received and this response.
This slide shows the AUTH exchange sent by the initiator and the responses that it receives.
DO NOT REPRINT
© FORTINET
IKEv2 Debug Output (Contd)
ike 0:VPN_IKEv2: schedule auto-negotiate
ike 0:VPN_IKEv2:24:16: peer proposal:
ike 0:VPN_IKEv2:24:16: TSr_0 0:10.1.2.0-10.1.2.255:0
ike 0:VPN_IKEv2:24:16: TSi_0 0:10.1.1.0-10.1.1.255:0
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: comparing selectors
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: matched by rfc-rule-2
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: phase2 matched by subset
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: accepted proposal:
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: TSr_0 0:10.1.2.0-10.1.2.255:0
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: TSi_0 0:10.1.1.0-10.1.1.255:0
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: autokey
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: incoming child SA proposal:
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: proposal id = 1:
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: protocol = ESP:
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: encapsulation = TUNNEL
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: type=ENCR, val=3DES_CBC
…
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: IPsec SA selectors #src=1 #dst=1
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: src 0 7 0:10.1.1.0-10.1.1.255:0
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: dst 0 7 0:10.1.2.0-10.1.2.255:0
…
ike 0:VPN_IKEv2:24:VPN_IKEv2:16: sending SNMP tunnel UP trap
ike shrank heap by 159744 bytes
After successful IKE_SA_INIT and IKE_AUTH exchanges, the CHILD_SA exchange takes place.
In this exchange, the peers negotiate the CHILD_SA and the traffic selectors —traffic selector responder (TSr)
and traffic selector initiator (TSi).
DO NOT REPRINT
© FORTINET
Review
Compare IKEv1 with IKEv2
Understand the reasons to keep IKEv1
Understand IKEv2 at a high level
Understand IKE negotiation exchange
Learn about IKEv2 monitor, debug, and troubleshooting commands
Understand the IKEv2 negotiation process
This slide shows the objectives that you covered in this lesson.
By mastering the objectives covered in this lesson, you learned about the improvements made to IKEv2, its
negotiation process, and how to debug an IPsec tunnel using the IKEv2 protocol.
DO NOT REPRINT
© FORTINET
FortiOS 7.4
Last Modified: 25 April 2024
In this lesson, you will learn about advanced routing concepts. You will also learn useful troubleshooting
commands to debug routing issues.
DO NOT REPRINT
© FORTINET
Objectives
• Describe how FortiGate routes traffic
• Diagnose routing problems caused by the reverse path forwarding (RPF) check
• Identify sessions that will be routed through a different path after a routing table change
• Use debug commands to troubleshoot routing problems
After completing this lesson, you should be able to achieve the objectives shown on this slide.
By demonstrating competence in routing, you will be able to describe how FortiGate routes traffic, diagnose
routing problems caused by RPF checks, identify sessions that are routed through a different path, and use
debug commands to troubleshoot routing problems.
DO NOT REPRINT
© FORTINET
In this section, you will learn about general routing concepts and troubleshooting.
DO NOT REPRINT
© FORTINET
Route Lookup
• For any session, FortiGate performs two routing table lookups:
• On the first packet that the originator sends
• On the first reply packet that the responder sends
• Routing information is written to the session table and route cache (route cache
removed from Linux kernel version 3.6 and later)
• Exception: After a routing change, route information is flushed from affected sessions
and route cache entries
• Additional routing table lookups are required after a routing change
FortiGate is a stateful device, so it decodes a lot of information at the beginning of a session, based on the
first packets. For any traffic session, FortiGate usually performs only two routing lookups: one on the first
packet that the originator sends and another one on the first reply packet that the responder sends. After that,
all the routing information is written in the FortiGate session table. However, after a change to the routing
table, the route information is flushed from the affected entries in the session table. So, FortiGate performs
additional routing table lookups in order to repopulate the session table with the new routing information.
Note that the route cache has been removed from the route lookup process from Linux kernel version 3.6 and
later.
DO NOT REPRINT
© FORTINET
Route Lookup Process Regular
Forward
Match traffic
Start of route lookup policy Action? Forward packet
routes
No match
SD-WAN Match
rules
No match
diagnose ip rtcache list
Route Match
get router info routing-table all cache
No match
Connected
Static Match
Routing table FIB
Dynamic
No match
get router info kernel
Drop packet
© Fortinet Inc. All Rights Reserved. 5
The flowchart on this slide describes the route lookup process in FortiOS. Note that policy routes can be
regular policy routes, internet service database (ISDB) routes, or SD-WAN rules.
First, FortiGate checks the policy routes. The first type of policy routes that FortiGate checks are the regular
policy routes. If there is a match, and the selected action is Forward Traffic, FortiGate routes the packet
accordingly, as long as the policy route passes the forwarding information base (FIB) validation process. If the
selected action is Stop Policy Routing, FortiGate moves on to check its route cache if applicable.
If the packet doesn’t match any of the regular policy routes, FortiGate moves on to check the ISDB routes
first, and then the SD-WAN rules.
Next, FortiGate checks the FIB, which is the table that is used to perform standard routing. The FIB can be
described as the routing table from the kernel point of view and is built mostly from routes in the routing table,
but also from system-specific entries that FortiOS requires. If the packet doesn’t match any of the routes in the
FIB, FortiGate drops the packet and sends an ICMP destination network unreachable message to the sender.
This slide also shows the FortiOS CLI commands you can use to display the policy routes, route cache entries
(if applicable), routing table entries, and FIB entries.
DO NOT REPRINT
© FORTINET
Route Selection Process
1. Most specific route
2. Lowest distance
3. Lowest metric (dynamic routes)
4. Lowest priority (static routes)
5. ECMP (static, BGP, and OSPF routes)
This slide shows the process for selecting which route to use, if there is more than one route to a destination.
First, FortiGate uses the most specific route, which is the one with the longest netmask (smallest subnet). If
there are two or more routes with the same longest netmask, the device selects the one with the shortest
distance. After that, FortiGate uses the lowest metric as the tiebreaker for dynamic routes. In the case of static
routes, FortiGate uses the lowest priority instead. If there are multiple routes with the same netmask, distance,
metric, and priority, FortiGate shares the traffic among all of them. This is called equal-cost multi-path
(ECMP). ECMP is supported for static, BGP, and OSPF routes.
DO NOT REPRINT
© FORTINET
Static Routes
• FortiGate places a configured static route in the routing table if the route meets the
following requirements:
• The outgoing interface is up
• There is no duplicate route with a lower distance
• The link health monitor (if configured) is up
FortiGate adds a static route to the routing table only if the route meets all of the following requirements:
• The outgoing interface is up.
• There is no duplicate route with a shorter distance.
• The link health monitor (if configured) is up.
DO NOT REPRINT
© FORTINET
RPF
• Protects against IP spoofing attacks and routing loops
• Checks the source IP address
• Is carried out on the first packet when the session is created
• If the check fails, the debug flow shows:
• reverse path check fail, drop
• Feasible or strict:
• # config system settings
• # set strict-src-check disable/enable
Now, you will learn about an important routing concept: the RPF check.
The RPF check protects against IP spoofing attacks and routing loops by checking the route to the source IP
address. This check is performed on only the first packet, when the session is being created. If the check fails,
the packet is dropped and the debug flow shows this error: reverse path check fail, drop.
There are two types of RPF, feasible and strict. You can configure the desired behavior using the commands
shown on this slide.
DO NOT REPRINT
© FORTINET
RPF—Feasible Path Example
• FortiGate checks for route matching source address and incoming interface
• RPF check results:
• User A: Pass. Default route through wan1
• User B: Fail. No route to 95.56.234.24 through wan2
• User C: Fail. No route to 10.0.4.63 through port1
User A
71.234.149.16
101.0.1.0/24
wan1
10.0.3.0/24
port1 201.0.2.0/24
wan2 User B
10.0.4.0/24 95.56.234.24
The example on this slide shows FortiGate using the feasible path RPF check mode. When FortiGate
performs the RPF check, it checks the routing table for a route that matches the source address and incoming
interface of the first original packet.
Based on the topology and routing table shown on this slide, the RPF check results for traffic sourced from
each user are as follows:
• User A: Pass. There is a default route through wan1. This means that all packets received at wan1 pass
the RPF check, regardless of the source address.
• User B: Fail. FortiGate doesn’t have a route to 95.56.234.24 through wan2 in its routing table.
• User C: Fail. FortiGate doesn’t have a route to 10.0.4.63 through port1 in its routing table.
DO NOT REPRINT
© FORTINET
RPF—Feasible Path Example (Contd)
• Solution:
• For user B, add a second static default route, with the same distance, through wan2
• Use different priority values if you don’t want ECMP
• For user C, add a static route to 10.0.4.0/24 through port1
User A
71.234.149.16
101.0.1.0/24
wan1
10.0.3.0/24
port1 201.0.2.0/24
wan2 User B
10.0.4.0/24 95.56.234.24
If you consider the packets from user B and user C to be legitimate packets, you can solve the RPF check fail
issue by making sure the routing table contains routes for the return path.
In the example shown on this slide, the administrator adds two new static routes. The static route through
wan2 is a duplicate default route of wan1, but has a lower priority. The two default routes are not ECMP
routes because of the priority difference, but FortiGate keeps both routes in the routing table. The result is that
packets from user B now pass the RPF check.
The static route through port1 references the 10.0.4.0/24 subnet. The subnet includes the user C
address (10.0.4.63), and as a result, packets from user C also pass the RPF check.
DO NOT REPRINT
© FORTINET
RPF—Strict Example
• FortiGate also checks if the return path is the best route
• RPF check results:
• User A: Pass. Best route to 71.234.149.16 through wan1 (default route)
• User B: Fail. Best route to 95.56.234.24 through wan1
• User C: Pass. Best route to 10.0.4.63 through port1
User A
71.234.149.16
101.0.1.0/24
wan1
10.0.3.0/24
port1 201.0.2.0/24
wan2 User B
10.0.4.0/24 95.56.234.24
FGT # get router info routing-table all
...
S* 0.0.0.0/0 [10/0] via 101.0.1.254, wan1, [1/0]
[10/0] via 201.0.2.254, wan2, [5/0]
S 10.0.4.0/24 [10/0] via 10.0.3.254, port1 [1/0]
C 101.0.1.0/24 is directly connected, wan1
User C C 201.0.2.0/24 is directly connected, wan2
10.0.4.63 C 10.0.3.0/24 is directly connected, port1
S 95.56.234.0/24 [10/0] via 101.0.1.254, wan1[1,0]
© Fortinet Inc. All Rights Reserved. 11
The example on this slide shows FortiGate using the strict RPF check mode. In strict mode, FortiGate also
checks if the matching route is the best route to the source.
Based on the topology and routing table shown on this slide, the RPF check results for traffic sourced from
each user are as follows:
• User A: Pass. There is a default route through wan1. The route is also the best (and only) route to
71.234.149.16.
• User B: Fail. There is a default route through wan2. However, there is a better (more specific) static route
to 95.56.234.24 through wan1.
• User C: Pass. FortiGate has a route to 10.0.4.63 through port1 in its routing table. Although the default
routes through wan1 and wan2 are also valid routes for 10.0.4.63, the best route to user C is the route
through port1.
Like the feasible path example, you can solve the RPF fail issue for user B by making the respective changes
in the routing table so the best route to user B is through wan2.
DO NOT REPRINT
© FORTINET
Return Packet Routing
• FortiGate remembers the interface to the source for the return packets
• Return packets are routed through that interface, even if there is a better route through a
different interface
• This ensures the same route path is used for both directions (symmetric routing)
Content inspection requires that routing be kept as symmetric as possible; that is, traffic must follow the same
path both ways. There are multiple scenarios where asymmetric routing prevents FortiGate from inspecting
traffic content. So, FortiGate routes traffic symmetrically. This means that, in some network topologies,
FortiGate might not route the return traffic through the best path, but through the same path that the
originating traffic used. For that purpose, FortiGate remembers the interface to the source and uses that
interface to route the return packets, even when a better route using a different interface exists.
DO NOT REPRINT
© FORTINET
Return Packet Routing Example
• The first routing lookup happens with the first ICMP packet
ICMP echo
request port2
10.1.0.1/24 10.2.0.1/24
with default gateway
10.1.0.254
port1 port3 port1
10.1.0.2/24 10.3.0.2/24 10.3.0.1/24
10.4.0.1/24
Now, you will analyze the network topology shown on this slide. The local network 10.1.0.0/24 has three
network devices: a local workstation, a local router, and FortiGate port1. Also, FortiGate port2 is directly
connected to the local router (using the subnet 10.2.0.0/24).
There is a remote router connected to FortiGate port3 and, behind that, a remote server (10.4.0.1). So, any
traffic destined to the remote server must be routed through FortiGate. One important detail to note in this
network is that the local workstation default gateway is 10.1.0.254. This means that if you send an ICMP
echo request from the local workstation to the remote server, the packet goes to the local router first, then to
FortiGate, then to the remote router, and finally to the destination.
DO NOT REPRINT
© FORTINET
Return Packet Routing Example (Contd)
• Routing information is added to the FortiGate session
session info: proto=1 proto_state=00 duration=2 expire=57 timeout=0 refresh_dir=both flags=00000000
socktype=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper= Source interface
per_ip_shaper=
and destination
interface
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 Gateway to
state=may_dirty f00 destination
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 29/0 rx speed(Bps/kbps): 29/0
orgin->sink: org pre->post, reply pre->post dev=6->9/9->6 gwy=10.3.0.1/0.0.0.0
hook=pre dir=org act=noop 10.1.0.1:1->10.4.0.1:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.4.0.1:1->10.1.0.1:0(0.0.0.0:0) Gateway to source has not
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 been identified yet, so it is
serial=00004e30 tos=ff/ff app_list=0 app=0 url_cat=0
displayed as 0.0.0.0
rpdb_link_id= 00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x040000 # diagnose netlink interface list
no_ofld_reason: npu-flag-off ...
if=port2 family=00 type=768 index=6 mtu=1420 link=0 master=0
if=port3 family=00 type=768 index=9 mtu=1420 link=0 master=0
...
© Fortinet Inc. All Rights Reserved. 14
FortiGate creates an entry in the session table. This entry contains information about the source interface. To
view this information, use the diagnose sys session list command.
FortiGate does a first routing lookup to find the next hop to the destination. That IP address is also stored in
the session information.
Because there is no ICMP echo reply yet, the next hop to the source is still unknown (it is 0.0.0.0). It is
identified in the second routing lookup that occurs with the first reply packet.
DO NOT REPRINT
© FORTINET
Return Packet Routing Example (Contd)
• The return packet is routed through port2, even though port1 is the better route
ICMP echo
reply port2
10.1.0.1/24 10.2.0.1/24
with default gateway
10.1.0.254
port1 port3 port1
10.1.0.2/24 10.3.0.2/24 10.3.0.1/24
10.4.0.1/24
So, in this case, the device routes the packet through port2 toward the local router, even though there is a
better route to the destination through port1. Because there is already a session entry, when FortiGate
receives the ICMP echo reply, it uses the interface to the source. The FortiGate routing table shows port1 as
the best route to 10.1.0.1 (locally connected), but it still uses port2. The objective is to keep the traffic flow
symmetric.
DO NOT REPRINT
© FORTINET
Return Packet Routing Example (Contd)
• A second routing lookup is done to find the gateway to the source
FortiOS performs a second routing lookup, this time to find the next hop (or gateway) to the source. That IP
address is added to the session, which was previously set to 0.0.0.0.
DO NOT REPRINT
© FORTINET
Return Packet Routing Example (Contd)
• If the session originated from the other side, the packet is routed through port1
What happens if the traffic originates from the server side instead?
Say that the ping is sent from the remote server to the local workstation. In this case, when the ICMP echo
request arrives at FortiGate, there is no session yet. So, FortiGate uses the best route to 10.1.0.1, which is
through port1.
The example shown on this slide shows how FortiGate might, in some network topologies, route packets to
the same destination differently, depending on who initiated the session.
DO NOT REPRINT
© FORTINET
Return Packet Routing Example (Contd)
• The return packet arrives through a different interface (port2), but FortiGate accepts it
# diagnose sniffer packet any "host 10.4.0.1 and icmp" 4
430.637135 port3 in 10.4.0.1 -> 10.1.0.1: icmp: echo request
430.637180 port1 out 10.4.0.1 -> 10.1.0.1: icmp: echo request
430.637309 port2 in 10.1.0.1 -> 10.4.0.1: icmp: echo reply
430.637319 port3 out 10.1.0.1 -> 10.4.0.1: icmp: echo reply
Take a look at the reply traffic in the example shown on this slide. Use the sniffer tool to view the traffic flow.
Because the local workstation default gateway is 10.1.0.254, the ICMP echo reply goes to the local router
first. Then, the packet arrives at FortiGate port2. The result is asymmetric routing: the return traffic is following
a different path than the originating traffic. The return packet is arriving at port2 instead of port1 (where the
originating traffic was sent).
In these particular cases, FortiGate accepts this asymmetry, no packets are dropped, and security inspection
is not affected.
DO NOT REPRINT
© FORTINET
Asymmetric Routing
• The server sends an echo request to the PC
• The PC responds with an echo reply
• The echo reply is dropped—no session is matched
• All subsequent echo replies are also blocked
FortiGate routing table
Subnet Interface Type
10.1.0.0/24 port1 Connected
port2 10.3.0.0/24 port3 Connected
10.2.0.2/24
10.4.0.0/24 port3 Static
ICMP echo
10.1.0.1/24 reply Packet is dropped
with default gateway port2
10.2.0.1/24
10.1.0.2 X
port1 port3 port1
10.1.0.2/24 10.3.0.2/24 10.3.0.1/24
10.4.0.1/24
This slide shows an example in which asymmetric routing is not allowed by FortiOS.
1. The server sends an echo request to the PC through port 2 of the local router, effectively bypassing
FortiGate.
2. When it receives the echo request, the PC responds with an echo reply through its default gateway,
10.1.0.2, which is port1 on FortiGate.
3. Because there is no existing session, the echo reply is dropped.
4. All subsequent echo replies are also blocked.
By default, if an echo request does not pass through FortiGate, but the response does, the packet is dropped.
DO NOT REPRINT
© FORTINET
Asymmetric Routing (Contd)
• Allowing asymmetric routing:
config system settings
set asymroute enable
end
ICMP echo
10.1.0.1/24 reply
with default gateway port2
10.1.0.2 10.2.0.1/24
port1 port3 port1
10.1.0.2/24 10.3.0.2/24 10.3.0.1/24
10.4.0.1/24
There are scenarios in which it might make sense to allow this type of asymmetric routing. Example cases
include when you are troubleshooting, or when you cannot resolve asymmetric routing issues by ensuring that
both ingress and egress traffic pass through FortiGate.
Enabling asymmetric routing causes FortiOS to be unable to inspect all traffic. Malicious traffic could pass
through FortiGate undetected and compromise the network.
Using the commands on this slide, the default routing behavior explained on the previous slide is changed to
the following:
1. The server’s ICMP request bypasses FortiGate reaching the PC.
2. The PC’s echo reply passes through FortiGate. No session is matched. However, the packet is not
dropped. Instead, the packet is passed to the CPU of FortiGate and is then forwarded using the FIB.
3. All subsequent echo replies are handled the same way as in step 2.
4. FortiGate essentially acts as a router. No security inspection is performed.
If you use asymmetric routing for troubleshooting purposes, remember to disable it after you resolve the issue.
DO NOT REPRINT
© FORTINET
Routing Changes Without SNAT
• After a routing change, routing information is flushed from the affected sessions where
source NAT (SNAT) is not applied
• Routing lookups are done again for the next packets
• The session is flagged as dirty
• Example of a session just after a routing change
When FortiGate is not applying source network address translation (SNAT), when the routing table changes,
FortiGate removes the routing information from the sessions that are affected by the change. FortiGate
performs two more routing lookups for the next packets to learn the new routing information and store it in the
routing table.
This slide shows an example of a session just after a routing change. The gateways in both directions change
to 0.0.0.0/0 and the interfaces to 0, indicating that FortiGate must learn this information again. Additionally,
the dirty flag is added.
DO NOT REPRINT
© FORTINET
Routing Changes Without SNAT (Contd)
• You can modify the default behavior on the CLI
Default setting
config system interface
edit <interface>
set preserve-session-route { enable | disable }
next
end
• disable: FortiGate flushes all routing information from the session table after a route change, and
performs a new routing lookup for new packets
• enable: FortiGate marks existing session routing information as persistent, and applies only the
modified routes to new sessions
You can configure session route persistence at the interface level using the commands shown on this slide.
The default value is disable. If you enable this setting, sessions passing through that interface continue to
pass without being affected by the routing changes. The routing changes apply only to new sessions.
If the route is removed from the FIB, then FortiGate must flag the session as dirty, flush its gateway
information, and reevaluate the session.
DO NOT REPRINT
© FORTINET
Routing Changes Without SNAT (Contd)
• Session is flagged as route_preserve
config system interface
edit "T_INET_0"
set preserve-session-route enable
next
end
This slide shows the details of an ICMP session established through an interface (T_INET_0) that has the
setting preserve-session-route enabled. Note that only relevant lines of the session are displayed.
Also, note the presence of the route_preserve flag in the session. You can find out the interface name by
using the diagnose netlink interface list command.
DO NOT REPRINT
© FORTINET
ECMP Acceleration With Auxiliary Session
• When you enable this setting, FortiGate accelerates ECMP traffic to the NP6 processor
config system settings
set auxiliary-session [disable | enable]
end
• Two sessions are created in case of a route change: the main session and auxiliary
session
• FortiGate can offload the main session and auxiliary session to the NP6 processor, if the
policy allows offloading
When you enable auxiliary-session, the FortiGate kernel creates a new auxiliary session and attaches it
to the main session. For each traffic path (incoming and outgoing), FortiGate continues to create a new
auxiliary session.
By default, the system CPU handles dirty sessions that are triggered by reply interface changes. Therefore,
hardware offloading is not used. For this reason, a large amount of traffic that these dirty sessions handle may
result in high CPU usage and poor performance.
Enabling auxiliary-session under config system settings solves this, by offloading asymmetric
sessions to hardware by creating an auxiliary session (also known as a reflect session). Symmetric traffic
matches the main session, and asymmetric traffic matches the auxiliary session. Both sessions can be
offloaded to hardware. For FortiGate VMs, although hardware offload does not apply, performance is
improved because FortiGate does not have to reevaluate the asymmetric traffic.
Because a new session is created for each route change, the session table could potentially grow significantly
in size.
DO NOT REPRINT
© FORTINET
ECMP Acceleration With Auxiliary Session (Contd)
port1 port3
port2 port4
Router Router
Client Server
Packet 1 from port1 to port3
Main Session
Packet 2 from port4 to port1
Auxiliary Session 1
Packet 3 from port1 to port4
Auxiliary Session 1
Packet 4 from port2 to port3
Auxiliary Session 2
Packet 5 from port3 to port2
Auxiliary Session 2
Packet 6 from port4 to port2
Auxiliary Session 3
Packet 7 from port2 to port4
Auxiliary Session 3
Packet 8 from port3 to port1
Main Session
In the example shown on this slide, ECMP is configured for both the client and the server. FortiGate uses
ECMP through port1 and port2 to the client, and ECMP through port3 and port4 to the server.
Based on this example, you can see how sessions are handled on FortiGate:
1. Initially, traffic flows from port1 to port3. FortiGate creates a new session: the main session.
2. The reply from the server is received on port4 and forwarded out port1. FortiGate creates auxiliary
session 1 and attaches it to the main session.
3. The next packet from the client is received on port1 and forwarded out port4. FortiGate matches auxiliary
session 1.
4. Additional traffic from the client is received on port2 and leaves through port3. FortiGate creates auxiliary
session 2 and attaches it to the main session.
5. The server reply is received on port3 and leaves through port2. FortiGate matches auxiliary session 2.
6. The second reply is received on port4 and forwarded out port2. FortiGate creates auxiliary session 3 and
attaches it to the main session.
7. The last packet from the client flows from port2 to port4. FortiGate matches auxiliary session 3.
8. Finally, the server reply is received on port3 and leaves through port1. FortiGate matches the main
session.
FortiGate can offload all these sessions, if the policy allows offloading.
DO NOT REPRINT
© FORTINET
Routing Table
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Priority/Weight
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.200.1.254, port1, [10/2]
C 10.0.1.0/24 is directly connected, port3
B 10.0.3.0/24 [200/10] via 10.0.1.200 (recursive is directly connected, port3), 23:21:46, [1,0]
O 10.0.4.0/24 [110/2] via 10.0.1.200, port3, 17:29:25, [1,0]
R 10.0.5.0/24 [120/2] via 10.0.1.200, port3, 00:05:29, [1,0] Priority/Weight
C 10.200.1.0/24 is directly connected, port1
C 10.200.2.0/24 is directly connected, port2 Distance/Metric
C 172.16.100.0/24 is directly connected, port8
Source
The CLI command shown on this slide displays all entries in the routing table. The routing table displays the
routes that make it to the FIB—that is, the best active routes to a destination.
The column on the left indicates the route source. Route attributes are shown inside square brackets. The first
number, in the first pair of attributes, is distance, which applies to both dynamic and static routes. The second
number is metric, which applies to dynamic routes only.
Static routes and dynamic routes also have priority and weight attributes, which are shown as the last pair of
attributes for the respective route. In the case of dynamic routes, the weight is always 0.
This command doesn't show standby or inactive routes, which are present in the routing table database only.
For example, when two static routes to the same destination subnet have different distances, the one with the
lower distance is installed in the routing table, and the one with the higher distance is installed in the routing
table database.
DO NOT REPRINT
© FORTINET
Routing Table Database
# get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
> - selected route, * - FIB route, p - stale info Active route
If you want to view active, standby, and inactive routes, use the CLI command shown on this slide to display
the routing table database entries.
In the example shown on this slide, the command shows two standby routes: one static and the other BGP.
Both standby routes are standby because there are better routes—lower distance—to the same destination.
The better routes show an asterisk beside the route source to indicate they are FIB entries, and therefore, are
used for routing traffic.
The output also shows one inactive route. Routes are marked as inactive when the corresponding interface is
administratively down, its link is down, or when the link health monitor detected it as down and the update
static route action is enabled.
DO NOT REPRINT
© FORTINET
FIB
# get router info kernel Priority
This low-level command shows the FIB, which is the routing information that the kernel uses to route traffic.
All active routes in the routing table must be present in the FIB. Additionally, the FIB may contain routes that
are not in the routing table, but that FortiGate automatically added, such as routes that are dynamically added
to reach SSL VPN users.
DO NOT REPRINT
© FORTINET
Policy Route Table
# diagnose firewall proute list
list route policy info(vf=root):
id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=7 dport=0-65535
path(1) oif=21(T_MPLS_0)
source(1): 10.0.1.0-10.0.1.255
destination(1): 10.0.0.0-10.255.255.255 This is a regular policy route (ID ≤ 65535)
hit_count=18 last_used=2022-02-23 05:47:21
FortiOS maintains a policy route table that you can view by entering the diagnose firewall proute
list command.
There are three types of policy routes displayed in the policy route table: regular policy routes, ISDB routes,
and SD-WAN rules. Follow these rules to identify each type of policy route in the table:
• Regular policy routes are assigned an ID no higher than 65535. In the output shown on this slide, the first
entry is assigned ID 1, which makes it a regular policy route.
• ISDB routes and SD-WAN rules are assigned an ID higher than 65535. However, SD-WAN rule entries
include the vwl_service field, and ISDB route entries do not. The vwl_service field indicates the ID
and the name of the rule from the SD-WAN configuration perspective. In the output shown on this slide, the
second entry is an ISDB route and the third entry is an SD-WAN rule.
Note that although IDs for regular policy routes are in the 1 to 65535 range, the maximum number of regular
policy routes that you can configure are much lower and varies among FortiGate models. For example, you
can configure up to 512 regular policy routes on a FortiGate 300D. For more information about the maximum
supported values per FortiGate model, refer to the FortiOS Maximum Values Table on docs.fortinet.com.
Alternatively, you can enter the print tablesize command on the FortiGate CLI to get the maximum
values for your FortiGate.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario
• User is unable to ping 8.8.8.8
• User can ping other public IP addresses
• What is your approach?
What is your approach for the troubleshooting scenario shown on this slide?
The user is trying to ping 8.8.8.8 but is unable to do so. The user can ping various other public IP
addresses.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario (Contd)
• Ensure that packets arrive at FortiGate A
Your first step should be to confirm that ICMP packets that the user sent arrive at FortiGate A and that there is
bidirectional communication. The best tool to use for this is the packet sniffer. You can see that FortiGate is
not receiving any echo replies.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario (Contd)
• Use the debug flow
Now, you must find out why FortiGate is not responding. The best tool to use for this is the debug flow.
The FortiGate is dropping the traffic with the error message: "Denied by forward policy check
(policy 0)”
However, the actual reason why FortiGate is not responding, is because FortiGate is performing policy
routing, which you can determine based on the the message: "Match policy routing id=1: to
10.40.0.15 via ifindex-15”.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario (Contd)
• Check the policy route configuration
Looking at the policy route configuration reveals a policy route that forces traffic over port3 instead of the
WAN port. Deleting the policy route solves this issue.
DO NOT REPRINT
© FORTINET
Review
Describe how FortiGate routes traffic
Diagnose routing problems caused by the RPF check
Identify sessions that will be routed through a different path after a
routing table change
Use debug commands to troubleshoot routing problems
This slide shows the objectives that you covered in this lesson.
By mastering the objectives covered in this lesson, you learned about advanced routing concepts and useful
troubleshooting commands to debug routing issues.
DO NOT REPRINT
© FORTINET
FortiOS 7.4
Last Modified: 25 April 2024
In this lesson, you will learn about the border gateway protocol (BGP) and how to monitor it and troubleshoot
common issues.
DO NOT REPRINT
© FORTINET
Objectives
• Review BGP and its components
• Understand BGP monitoring commands
• Explore BGP troubleshooting
After completing this lesson, you should be able to achieve the objectives shown on this slide.
By demonstrating competence in BGP, you will be able to monitor and check the status of BGP
communication, as well as troubleshoot the most common BGP issues.
DO NOT REPRINT
© FORTINET
BGP Review
DO NOT REPRINT
© FORTINET
Autonomous System
• Set of routers and networks under the same, consistent administration
• An autonomous system (AS) administrator can choose any internal routing architecture
• OSPF, RIP, and so on
• Each AS is identified by a unique number
An AS is a set of routers and networks under the same administration. Each AS is identified by a unique
number, and usually runs an interior gateway protocol (IGP), such as OSPF or RIP.
DO NOT REPRINT
© FORTINET
BGP Components
• Speaker or peer
• Router that transmits and receives BGP messages, and acts on those messages
• Session
• Connection between two peers
A BGP speaker or peer is a router that sends and receives BGP routing information. The connection between
two BGP peers is called a BGP session.
DO NOT REPRINT
© FORTINET
RIBs
• Routes are stored in routing information bases (RIBs)
• RIB-in
• Routing information learned from inbound update messages
• Contains unprocessed routing information advertised to the local BGP speaker by its peers
• Local RIB
• Routing information that the BGP speaker selects after applying its local policies to the RIB-in
• RIB-out
• Routing information that the local BGP speaker selects to advertise to its peers
DO NOT REPRINT
© FORTINET
RIBs (Contd)
Redistribute
RIP OSPF
This slide shows a flowchart that summarizes the BGP process. The BGP router stores the BGP routes it
receives from other routers in the RIB-in table. The BGP router applies a filter, and the resulting routes are
stored in the local RIB table. Then, the BGP router adds routes that were redistributed from the routing table
and applies another filter (outbound). The BGP router advertises the resulting routes.
DO NOT REPRINT
© FORTINET
BGP Attributes
• BGP processes routes based on path information
• A path is a route to a destination
• Paths are described by a set of attributes, including an AS list
• The attributes help routers select the route to each destination
BGP routes traffic based on AS paths. Each AS path includes attributes, which BGP uses to select the best
route to each destination. One of the attributes is AS_Path, which contains the ASs through which the traffic
must pass to reach the destination.
DO NOT REPRINT
© FORTINET
BGP Attributes (Contd)
• BGP path attribute categories
• Well-known mandatory
Supported attributes
• Attributes are mandatory
• Well-known discretionary ORIGIN Well-known mandatory
• Attributes may or may not be included AS_PATH Well-known mandatory
• Optional transitive NEXT_HOP Well-known mandatory
• Attributes may or may not be accepted and
can be passed outside of the local AS MULTI_EXIT_DISC Optional non-transitive
• Optional non-transitive LOCAL_PREF Well-known discretionary
• Attributes may or may not be accepted and ATOMIC_AGGREGATE Well-known discretionary
can’t be passed outside of the local AS
AGGREGATOR Optional transitive
COMMUNITY Optional transitive
This slide shows a list of the BGP attributes, and their attribute types, that FortiGate supports.
DO NOT REPRINT
© FORTINET
Route Selection Tie Breakers
1. Highest weight
2. Highest local preference
3. Route originated by the local router (next hop = 0.0.0.0)
4. Shortest AS path
5. Lowest origin type
6. Lowest multi-exit discriminator (MED)
7. Prefer external paths (EBGP) over internal paths (IBGP)
8. Path through closest IGP neighbor
9. Oldest route for EGBP paths
10.Lowest neighbor BGP router ID
11.Lowest neighbor IP address
FortiGate uses some of the BGP attributes during the route selection process. If all the attributes for multiple
routes to the same destination match, and if ECMP is enabled, FortiGate shares the traffic among up to 10
BGP routes. If you don’t enable ECMP, FortiGate uses the route that goes to the router with the lowest BGP
router ID.
DO NOT REPRINT
© FORTINET
BGP Monitoring
In this section, you will learn about tools and tips for troubleshooting BGP.
DO NOT REPRINT
© FORTINET
BGP States
• Idle: Initial state Idle
• Connect: Waiting for a successful three-way start
TCP connection connect retry timeout
error
• Active: Unable to establish the TCP session Connect
TCP failure
TCP
• OpenSent: Waiting for an OPEN message Active established
from the peer
error
OpenSent
• OpenConfirm: Waiting for the keepalive TCP established
receive
message from the peer open reply
• Established: Peers have successfully error
OpenConfirm
exchanged OPEN and keepalive messages
receive
keepalive
error
Established
This slide shows a flow chart of the BGP neighbor states and how they change:
• Idle: Initial state
• Connect: Waiting for a successful three-way TCP connection
• Active: Unable to establish the TCP session
• OpenSent: Waiting for an OPEN message from the peer
• OpenConfirm: Waiting for the keepalive message from the peer
• Established: Peers have successfully exchanged OPEN and keepalive messages
DO NOT REPRINT
© FORTINET
BGP Summary
# get router info bgp summary
This slide shows the debug command you usually use first, to get an overview of the BGP status and the
status of all its neighbors. This slide shows the local router ID and AS. For each neighbor, the output also
displays the following:
• The AS
• Packet counters
• How long the neighbor has been up
The State/PfxRcd column lists the neighbor state and number of prefixes, once established. If the state is
not established, this column displays the BGP state. If the state is established, this column displays the
number of prefixes that the local FortiGate received from that neighbor.
DO NOT REPRINT
© FORTINET
BGP Neighbors
# get router info bgp neighbors
VRF 0 neighbor table:
BGP neighbor is 100.64.1.254, remote AS 100, local AS 65100, external link
BGP version 4, remote router ID 100.64.1.254
BGP state = Established, up for 00:49:26
Last read 00:00:26, hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received (old and new)
Graceful restart helper
Address family IPv4 Unicast: advertised and received
Address family VPNv4 Unicast: advertised
Address family IPv6 Unicast: advertised
Address family VPNv6 Unicast: advertised
Address family L2VPN EVPN: advertised
Received 12 messages, 0 notifications, 0 in queue
Sent 12 messages, 7 notifications, 0 in queue
...
You can use the command shown on this slide to get detailed information about each BGP neighbor. The
information includes the peer IP address, the peer router ID, the remote AS, the BGP state, various timers,
and message counters.
DO NOT REPRINT
© FORTINET
BGP Neighbors (Contd)
...
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1
Index 1, Offset 0, Mask 0x2
Community attribute sent to this neighbor (both)
1 accepted prefixes, 1 prefixes in rib
1 announced prefixes
...
The information also shows the number of prefixes announced and accepted, the number of times the session
has dropped, and the last time the session was reset.
DO NOT REPRINT
© FORTINET
Prefixes Advertised by the Local FortiGate
# get router info bgp neighbors 100.64.2.254 advertised-routes
This slide shows the command you can use to get details about the prefixes the local router is advertising.
The Status codes information identifies the codes associated with a routing entry. For each prefix, the
command displays the following:
• Next hop IP address
• Local preference
• Weight
• AS path
DO NOT REPRINT
© FORTINET
Prefixes Advertised by a Neighbor
# get router info bgp neighbors 100.64.2.254 route
This slide shows the command you can use to display the routes that a neighbor advertises.
DO NOT REPRINT
© FORTINET
Prefixes Advertised by All BGP Peers
# get router info bgp network
VRF 0 BGP table version is 1, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
You can use the get router info bgp network command to display the BGP database. The BGP
database lists all prefixes that all neighbors advertise, as well as the local router.
Also highlighted on this slide are the origin codes used for the BGP table. i for IGP indicates the network
command was used to advertise a route. This applies to the last route in the table, 10.20.30.0/24. All other
advertised routes are tagged with ?, which indicates that the route was advertised from another routing
protocol using redistribution. e for EGP is used only for legacy route advertisement and is rarely seen.
DO NOT REPRINT
© FORTINET
BGP Event Logging
• BGP event logging displays routing events
• Neighbor down or up
• RIB update
• BGP message exchange
• Errors connecting to neighbors
• Enabled by default
# config router bgp
set log-neighbour-change disable
end
FortiGate can log routing events, which enables you to get information that used to be available only when
you ran the BGP real-time debug. By default, BGP event logging is enabled. You can disable BGP event
logging by using the commands shown on this slide.
DO NOT REPRINT
© FORTINET
BGP Event Logging (Contd)
Log & Report > System Events > Router Events
You can view BGP-related router events on the GUI. You can click any logged entry to view the details.
DO NOT REPRINT
© FORTINET
BGP Troubleshooting
In this section, you will learn about common BGP issues and how to solve them.
DO NOT REPRINT
© FORTINET
BGP Troubleshooting Tips
• Is there an active route to the remote peer?
• Check whether TCP port 179 is blocked
• Check the status of the TCP session
• Check the status of the BGP session
• Check the prefixes received and advertised
DO NOT REPRINT
© FORTINET
Real-Time Debug
• Enable real-time BGP debug:
# diagnose ip router bgp all enable
# diagnose ip router bgp level info
# diagnose debug enable
• Disable real-time BGP debug: diagnose debug reset does
# diagnose ip router bgp all disable not stop BGP real-time debug
# diagnose ip router bgp level none
# diagnose debug disable
This slide shows the commands you can use to enable and disable the BGP real-time debug. Note that this
example enables debug output from event and level information.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 1—No Active Route
BGP: 172.16.54.116-Outgoing [FSM] State: Idle Event: 3
BGP: 172.16.54.116-Outgoing [NETWORK] FD=26, Sock Status: 113-No route to host
BGP: 172.16.54.116-Outgoing [FSM] State: Connect Event: 18
One common issue is that there is no route to the BGP neighbor in the FortiOS forwarding information base
(FIB). If that is the case, the real-time BGP application debug will output the message shown on this slide:
Sock Status: 113-No route to host. You can also verify this using the get router info bgp
summary and get router info bgp neighbor commands. Both outputs show that the status is
Active, meaning the TCP three-way handshake could not be established. The solution is to ensure there is
an active route to the IP address of the BGP neighbor.
DO NOT REPRINT
© FORTINET
BGP Neighbor Establishment
BGP: [NETWORK] Accept Thread: Incoming conn from host 100.64.2.254 (FD=27 VRF=0)
BGP: 100.64.2.254-Outgoing [FSM] State: Connect Event: 14
BGP: 100.64.2.254-Outgoing [FSM] InConnReq: Accepting...
BGP: 100.64.2.254-Outgoing [NETWORK] FD=27, Sock Status: 0-Success
BGP: 100.64.2.254-Outgoing [FSM] State: Connect Event: 17
BGP: 100.64.2.254-Outgoing [ENCODE] Msg-Hdr: Type 1
BGP: 100.64.2.254-Outgoing [ENCODE] Open: Ver 4 MyAS 65100 Holdtime 180
BGP: 100.64.2.254-Outgoing [ENCODE] Open: Msg-Size 61
BGP: 100.64.2.254-Outgoing [DECODE] Msg-Hdr: type 1, length 59
BGP: 100.64.2.254-Outgoing [DECODE] Open: Optional param len 30
BGP: 100.64.2.254-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 2 BGP state
BGP: 100.64.2.254-Outgoing [DECODE] Open Cap: Cap Code 128, Cap Len 0 messages
BGP: 100.64.2.254-Outgoing [DECODE] Open Cap: RR Cap(old) for all address-families
BGP: 100.64.2.254-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 2
BGP: 100.64.2.254-Outgoing [DECODE] Open Cap: Cap Code 2, Cap Len 0
BGP: 100.64.2.254-Outgoing [DECODE] Open Cap: RR Cap(new) for all address-families
BGP: 100.64.2.254-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 100.64.2.254-Outgoing [DECODE] Open Cap: Cap Code 65, Cap Len 4
BGP: 100.64.2.254-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 4
BGP: 100.64.2.254-Outgoing [DECODE] Open Cap: Cap Code 64, Cap Len 2
BGP: 100.64.2.254-Outgoing [DECODE] Cap GR: Restart Flag Off, Restart Time 120
BGP: 100.64.2.254-Outgoing [FSM] State: OpenSent Event: 19
BGP: 100.64.2.254-Outgoing [ENCODE] Msg-Hdr: Type 4
BGP: 100.64.2.254-Outgoing [ENCODE] Keepalive: 294 KAlive msg(s) sent
This slide and the next slide show examples of real-time debug outputs from the successful establishment of a
BGP session. In this example, the output shows when the session goes to the OpenSent state.
DO NOT REPRINT
© FORTINET
BGP Neighbor Establishment (Contd)
...
BGP: 100.64.2.254-Outgoing [DECODE] Msg-Hdr: type 4, length 19
BGP: 100.64.2.254-Outgoing [DECODE] KAlive: Received!
BGP: 100.64.2.254-Outgoing [DECODE] Msg-Hdr: type 4, length 19
BGP: 100.64.2.254-Outgoing [DECODE] KAlive: Received! BGP state
BGP: 100.64.2.254-Outgoing [FSM] State: OpenConfirm Event: 26 messages
BGP: 100.64.2.254-Outgoing [FSM] State: Established Event: 26
id=20300 logdesc="BGP neighbor status changed" msg="BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 100.64.2.254 Up "
BGP: 100.64.2.254-Outgoing [FSM] State: Established Event: 34
BGP: 100.64.2.254-Outgoing [DECODE] Msg-Hdr: type 2, length 65
BGP: 100.64.2.254-Outgoing [DECODE] Update: Starting UPDATE decoding... Bytes To Read (46), msg_size (46)
BGP: 100.64.2.254-Outgoing [DECODE] Update: NLRI Len(6)
BGP: 100.64.2.254-Outgoing [FSM] State: Established Event: 27
BGP: 100.64.2.254-Outgoing [RIB] Update: Received Prefix 0.0.0.0/0
BGP: BGP VRF 0 leaking 0.0.0.0/0 afi 1, safi 1 Prefixes
BGP: VRF 0 NSM announce: 0.0.0.0/0 received
BGP: 100.64.2.254-Outgoing [RIB] Update: Prefix 8.8.8.8/32 denied due to filter from peer
This slide shows the real-time debug output containing the OpenConfirm state after the keepalive
message is received from the neighbor, as well as the establishment of the connection.
The output also lists the prefixes FortiGate received after the BGP session was established.
DO NOT REPRINT
© FORTINET
Restart BGP
# execute router clear bgp
all Clear all BGP peers.
as Clear BGP peer by AS number.
dampening Clear route flap dampening information.
external Clear all external peers.
flap-statistics Clear route flap statistics.
ip Clear BGP peer by IP address.
ipv6 Clear BGP peer by IPv6 address.
You can use the command shown on this slide to restart a BGP session between two peers. You can also use
this command to execute a BGP soft reset, which forces both peers to exchange their complete BGP routing
tables.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 2—Prefix Not Received
FGT-A # get router info bgp summary
...
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.37.202 4 65110 2500 2552 5 0 0 1d11h33m 0
Local subnet is a
/24 mask
In the troubleshooting example shown on this slide, FGT-A is not receiving the prefix that FGT-B advertised.
The issue in this scenario is that the subnet mask of the prefix is misconfigured on FGT-B, prompting FortiOS
to not advertise the network to other BGP peers.
DO NOT REPRINT
© FORTINET
Prefix Not Received—Solution 1
FGT-B # show router bgp
...
config network Prefix modified to
correct subnet
edit 1
mask
set prefix 172.16.54.0 255.255.255.0
next
end
There are two ways to fix the issue in troubleshooting scenario 2. The first way is to change the prefix
manually to represent the network assigned to port3 on FGT-B. This is the recommended method. Changing
the subnet mask from 255.255.0.0 to 255.255.255.0 allows FGT-B to advertise the prefix to its peers.
DO NOT REPRINT
© FORTINET
Prefix Not Received—Solution 2
FGT-B # show router bgp
...
config network Disable import
edit 1 check
set prefix 172.16.0.0 255.255.0.0
set network-import-check disable
next
end
The other option is to disable the set network-import-check. This is the safety mechanism that
prevented FortiOS from advertising the falsely configured route. Disabling this mechanism is generally not
recommended because this mechanism is what ensures that only the correct networks are advertised, which
avoids routing issues.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 3—Prefix Not Accepted
FGT-A # get router info bgp summary
...
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.37.202 4 65110 19 18 0 0 0 00:04:04 0
FGT-B # show router bgp
...
config network
edit 1
Advertised network
set prefix 172.16.54.0 255.255.255.0 is correctly
next configured
end
FGT-A # show router bgp
config neighbor
edit "192.168.37.202"
set prefix-list-in "Prefix-172.16.54.0/24"
set remote-as 65110 Prefix list
next configured on
FGT-A
end
In the scenario shown on this slide, FGT-A does not receive the expected prefix from FGT-B. FGT-A has been
configured with a prefix-list-in, which controls whether networks that neighbors advertise are accepted
into the routing table.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 3—Prefix Not Accepted (Contd)
Action is deny. Any
FGT-A # config router prefix-list advertised subnet within
edit "Prefix-172.16.54.0/24" 172.16.0.0/16 is not
config rule accepted
edit 2 Full /16 subnet
set action deny includes the
set prefix 172.16.0.0 255.255.0.0 172.16.54.0/24
unset ge network
unset le
next
end
next
end
A closer look into the prefix configuration reveals that any peer advertised network within the
172.16.0.0/16 subnet is not accepted into the BGP database.
DO NOT REPRINT
© FORTINET
Prefix Not Accepted—Solution
FGT-A # config router prefix-list
edit "Prefix-172.16.54.0/24"
config rule
edit 2
set action deny
set prefix 172.16.0.0 255.255.0.0
unset ge
unset le
next
edit 3 Expected advertised
set prefix 172.16.54.0 255.255.255.0 network from FGT-B
unset ge
unset le
next
end
next
end
The preferred solution is to add an additional rule, specifically allowing the 172.16.54.0 prefix in the same
prefix-list. Unlike firewall policies, the list is not evaluated from the top down. Every rule in the list is
inspected.
DO NOT REPRINT
© FORTINET
Prefix Not Accepted—Solution (Contd)
FGT-A # get router info bgp summary
...
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.37.202 4 65110 46 46 0 0 0 00:06:19 1
After configuring the additional rule, the prefix is accepted and added into the BGP database.
DO NOT REPRINT
© FORTINET
Review
Review BGP and its components
Understand BGP monitoring commands
Explore BGP troubleshooting
This slide shows the objectives that you covered in this lesson.
By mastering the objectives covered in this lesson, you learned about BGP components and commands, and
how to troubleshoot common issues with BGP.
DO NOT REPRINT
© FORTINET
FortiOS 7.4
Last Modified: 25 April 2024
In this lesson, you will learn about OSPF and how to monitor and troubleshoot it.
DO NOT REPRINT
© FORTINET
Objectives
• Understand OSPF components and adjacencies
• Monitor the status of an OSPF network
• Troubleshoot common OSPF problems
After completing this lesson, you should be able to achieve the objectives shown on this slide.
By demonstrating competence in understanding OSPF, you will be able to understand, monitor, and
troubleshoot OSPF.
DO NOT REPRINT
© FORTINET
OSPF Review
DO NOT REPRINT
© FORTINET
OSPF Overview
• Link state protocol
• Advantages:
• Scalable to large networks
• Faster convergence than distance-vector routing protocols
• Relatively quiet during steady-state conditions
• Periodic refresh every 30 minutes
• Otherwise, updates only sent when there are changes
• Disadvantages:
• May require planning and tuning to optimize performance
• May be difficult to troubleshoot in large networks
With a link state protocol like OSPF, every router has a complete view of the network topology. Advantages of
OSPF include scalability and fast convergence. Every 30 minutes, routers advertise their OSPF information
again. Between these 30-minute intervals, routers send updates only if they detect topology changes. So, it is
a relatively quiet protocol, as long as the network topology is stable. In large networks, using OSPF requires
good planning and may be difficult to troubleshoot.
DO NOT REPRINT
© FORTINET
OSPF Components
• Link state database (LSDB): Each router maintains identical databases describing the
network topology
• From the LSDB, and using Dijkstra’s algorithm, each router builds a tree with the
shortest paths
• The tree gives an OSPF route to each destination
• OSPF can inject routes into the IP routing table
Each router in the same area has identical and synchronized databases. You will learn about OSPF areas
later in this lesson. An OSPF router uses the information in the LSDB and Dijkstra's algorithm to generate an
OSPF tree, which contains the shortest path from the local router to each other router and network. This tree
gives the best route to each destination, which is the information that OSPF can inject into the device routing
table.
DO NOT REPRINT
© FORTINET
Link State Advertisement
• Routers exchange link state advertisements (LSAs) to maintain consistent databases
• Network changes generate LSAs
• The LSDBs are composed of all received LSAs
• A link state update consists of an OSPF header and a string of LSAs
• Each LSA has its own header
• Routers acknowledge the receipt of LSAs
OSPF Number of
IP header LSA 1 LSA 2 … LSA n
header LSAs
LSAs contain the topology information that OSPF peers exchange. The LSDB of a router is populated with
information from the local LSAs and all the LSAs received from other routers.
DO NOT REPRINT
© FORTINET
Forming an Adjacency
• Down: Initial state
• Init: A hello packet was seen from a non- Down
adjacent neighbor Hello Down
Init Hello Init
• 2-way: Communication is bidirectional
between the two routers 2-way DB description 2-way
ExStart
• ExStart: A primary and secondary DB description
Exchange
relationship is negotiated Link state request
Loading
• Exchange: Database description packets Link state update
are exchanged Link state ack
• Loading: LSA information is exchanged Link state request
• Full: LSDBs are identical Link state update
Link state ack
Full Hello Full
Hello
A session between two OSPF peers is called an adjacency. This slide shows the initial interchange between
two peers that are forming an adjacency. Any new adjacency goes through different states: Init, 2-way,
ExStart, Exchange, Loading, and Full. The Full state indicates that the adjacency has successfully formed,
and that both routers have identical copies of the LSDB.
DO NOT REPRINT
© FORTINET
Adjacency Requirements
• Primary IP addresses of peers are in the same subnet with the same mask
• Interfaces of peers are the same type and in the same OSPF area
• Hello and dead intervals of peers must match
• Each peer has a unique router ID
• OSPF IP maximum transmission units (MTUs) match
• OSPF authentication, if enabled, is successful
This slide lists the requirements for two peers to form an OSPF adjacency. If any of the requirements are not
met, the adjacency fails and will not reach the Full state.
DO NOT REPRINT
© FORTINET
OSPF Monitoring
In this section, you will learn the commands necessary for monitoring OSPF.
DO NOT REPRINT
© FORTINET
OSPF Status
# get router info ospf status
Routing Process "ospf 0" with ID 0.0.0.2
Process uptime is 2 hours 32 minutes
Process bound to VRF default
Conforms to RFC2328, and RFC1583Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Do not support Restarting
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Refresh timer 10 secs
Number of incomming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 1. Checksum 0x00533A
Number of opaque AS LSA 0. Checksum 0x000000
...
The command shown on this slide provides detailed information about the OSPF process.
DO NOT REPRINT
© FORTINET
OSPF Status (Contd)
....
Number of non-default external LSA 1 Shows number of fully
adjacent neighbors
External LSA database is unlimited.
Number of LSA originated 36
Number of LSA received 13
Number of areas attached to this router: 1
Area 0.0.0.0 (BACKBONE) Backbone router
Number of interfaces in this area is 3(3)
Number of fully adjacent neighbors in this area is 2
Area has no authentication
SPF algorithm last executed 00:02:38.780 ago
SPF algorithm executed 32 times
Number of LSA 5. Checksum 0x028b9c
The command on this slide shows information about each area the router belongs to.
DO NOT REPRINT
© FORTINET
OSPF Interfaces
Spoke1 # get router info ospf interface
wan1 is up, line protocol is up
Internet Address 10.10.2.2/24, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 0.0.0.2, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1 DR: Designated router
BDR: Backup designated
router
Designated Router (ID) 0.0.0.2, Interface Address 10.10.2.2
DROther: Neither DR
nor BDR
Backup Designated Router (ID) 0.0.0.1, Interface Address 10.10.2.1
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
For OSPF information about each interface, use the command shown on this slide. It shows:
• Network type, in this case broadcast multiaccess
• If the interface is a DR or a BDR
• DR and BDR IDs and IP addresses
• Number of adjacencies and traffic statistics
DO NOT REPRINT
© FORTINET
OSPF Neighbors
Spoke1 # get router info ospf neighbor
This represents a
point-to-point network
The command on this slide shows a summary of the statuses of all the OSPF neighbors. For each neighbor, it
displays the adjacency state and whether the interface is a DR, a BDR, or neither (DROther). The response
displays a dash after the state if the neighbor is in a point-to-point network.
DO NOT REPRINT
© FORTINET
OSPF LSDB
Spoke1 # get router info ospf database brief
The command shown on this slide provides a summary of all the LSDB entries on FortiGate, ordered by LSA
types. It shows the type 1 LSAs (router link states) first, then the type 2 LSAs (net link states), and finally type
5 LSAs (AS external link advertisement). You can view detailed information about each type 1 link ID with the
commands shown on the following slides.
DO NOT REPRINT
© FORTINET
LSA Details
Spoke1 # get router info ospf database router lsa
Use the command shown on this slide to see details about type 1 LSAs. The link state IDs correspond
to the Link ID provided by the get router info ospf database brief command.
DO NOT REPRINT
© FORTINET
LSA Details (Contd)
...
Link connected to: a Transit Network
(Link ID) Designated Router address: 10.10.2.2
(Link Data) Router Interface address: 10.10.2.1
Number of TOS metrics: 0
TOS 0 Metric: 1
LS age: 72
Options: 0x2 (*|-|-|-|-|-|E|-)
Flags: 0x0
LS Type: router-LSA
Link State ID: 0.0.0.2
Advertising Router: 0.0.0.2
LS Seq Number: 8000000b
Checksum: 0x7526
Length: 60
Number of Links: 3
...
This slide shows a sample of more output from the command get router info ospf database
router lsa.
DO NOT REPRINT
© FORTINET
Self-Originated LSAs
Spoke1 # get router info ospf database self-originate
The command shown on this slide lists the LSAs that originated on the local FortiGate with router ID 0.0.0.2.
DO NOT REPRINT
© FORTINET
OSPF Troubleshooting
In this section, you will learn about the tools and tips to troubleshoot OSPF issues.
DO NOT REPRINT
© FORTINET
OSPF Troubleshooting Tips
• Do peers have an IP address within the same subnet?
• Is IP protocol 89 blocked?
• Do the hello and dead intervals match?
• Is the router ID unique?
• Do the MTUs match?
• Is authentication enabled?
DO NOT REPRINT
© FORTINET
OSPF Troubleshooting
• Enable real-time debug
# diagnose ip router ospf all enable
# diagnose ip router ospf level info
# diagnose debug enable
• Disable real-time debug diagnose debug reset does
# diagnose ip router ospf all disable not stop OSPF real-time debug
# diagnose ip router ospf level none
# diagnose debug disable
• Restart OSPF process
# execute router clear ospf process
• By default, routing real-time debugs stop running after you restart the routing process
• Enable the zl flag to have the real-time debug persist after the process restart:
# diagnose ip router zl enable
The OSPF real-time debug displays information about adjacency establishments and OSPF errors. It also
shows information about network topology changes.
You can enable the zl flag for the real-time debug to persist after a routing-process restart.
DO NOT REPRINT
© FORTINET
Sample Debug Output
OSPF: SEND[Hello]: To 224.0.0.5 via port3:10.1.0.254, length 52
OSPF: -----------------------------------------------------
OSPF: Header
OSPF: Version 2
OSPF: Type 1 (Hello)
OSPF: Packet Len 52
OSPF: Router ID 0.0.0.1
OSPF: Area ID 0.0.0.0
OSPF: Checksum 0xe78d
OSPF: AuType 0
OSPF: Hello
OSPF: NetworkMask 255.255.255.0 Hello packet sent
OSPF: HelloInterval 10 to OSPF multicast
OSPF: Options 0x2 (*|-|-|-|-|-|E|-) address
OSPF: RtrPriority 1
OSPF: RtrDeadInterval 40
OSPF: DRouter 10.1.0.254
OSPF: BDRouter 10.1.0.1
OSPF: # Neighbors 2
OSPF: Neighbor 0.0.0.3
OSPF: Neighbor 0.0.0.4
...
This is a sample output generated by the OSPF real-time debug. This sample shows the Hello packet being
sent.
DO NOT REPRINT
© FORTINET
Sample Debug Output (Contd)
...
OSPF: RECV[Hello]: From 0.0.0.4 via port3:10.1.0.254 (10.1.0.100 -> 224.0.0.5)
OSPF: Header
OSPF: Version 2
OSPF: Type 1 (Hello)
OSPF: Packet Len 52
OSPF: Router ID 0.0.0.4
OSPF: Area ID 0.0.0.0 Hello packet is
OSPF: Checksum 0xe78d received from
OSPF: AuType 0
OSPF: Hello
neighbor connected
OSPF: NetworkMask 255.255.255.0 to wan2
OSPF: HelloInterval 10
OSPF: Options 0x2 (*|-|-|-|-|-|E|-)
OSPF: RtrPriority 1
OSPF: RtrDeadInterval 40
OSPF: DRouter 10.1.0.254
OSPF: BDRouter 10.1.0.1
OSPF: # Neighbors 2
OSPF: Neighbor 0.0.0.3
OSPF: Neighbor 0.0.0.1
OSPF: NFSM[port3:10.1.0.254-0.0.0.4]: Full (HelloReceived)
OSPF: NFSM[port3:10.1.0.254-0.0.0.4]: nfsm_ignore called
OSPF: NFSM[port3:10.1.0.254-0.0.0.4]: Full (2-WayReceived)
...
This is another sample output generated by the OSPF real-time debug. This sample shows the Hello packet
being received.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 1—Failed Adjacency Output
OSPF: SEND[Hello]: To 224.0.0.5 via port2:192.168.37.114, OSPF: RECV[Hello]: From 0.0.0.112 via port2:192.168.37.114
length 44 (192.168.37.115 -> 224.0.0.5)
OSPF: ---------------------------------------------------- OSPF: ----------------------------------------------------
- -
OSPF: Header OSPF: Header
OSPF: Version 2 OSPF: Version 2
OSPF: Type 1 (Hello) OSPF: Type 1 (Hello)
OSPF: Packet Len 44 OSPF: Packet Len 48
OSPF: Router ID 0.0.0.111 OSPF: Router ID 0.0.0.112
OSPF: Area ID 0.0.0.0 OSPF: Area ID 0.0.0.0
OSPF: Checksum 0xfc2e OSPF: Checksum 0x2f85
OSPF: AuType 1 OSPF: AuType 0
OSPF: Simple Password fortinet OSPF: Hello
OSPF: Hello OSPF: NetworkMask 255.255.255.0
OSPF: NetworkMask 255.255.255.0 OSPF: HelloInterval 10
OSPF: HelloInterval 10 OSPF: Options 0x2 (*|-|-|-|-|-|E|-)
OSPF: Options 0x2 (*|-|-|-|-|-|E|-) OSPF: RtrPriority 1
OSPF: RtrPriority 1 OSPF: RtrDeadInterval 40
OSPF: RtrDeadInterval 40 OSPF: DRouter 192.168.37.114
OSPF: DRouter 0.0.0.0 OSPF: BDRouter 192.168.37.115
OSPF: BDRouter 0.0.0.0 OSPF: # Neighbors 1
OSPF: # Neighbors 0 OSPF: Neighbor 0.0.0.111
OSPF: ----------------------------------------------------
-
OSPF: RECV[Hello]: From 0.0.0.112 via
port2:192.168.37.114: Authentication type mismatch
This slide shows a sample output of the OSPF real-time debug when adjacency fails. In this case, OSPF
authentication fails. We can see the DR sending a Hello message with AuType 1, indicating authentication
is configured and required for successful adjacency. In the received HELLO messages from the neighbor
router, the AuType is 0. As such, the error message in the received HELLO indicates that there is an
authentication type mismatch. In this case, the authentication method must match on both sides to establish
adjacency.
DO NOT REPRINT
© FORTINET
Failed Adjacency Error Messages
• Authentication Error
• Authentication type is the same, but passwords do not match
This slide shows additional error messages that are helpful for troubleshooting common adjacency issues.
Authentication error indicates that the authentication type is the same for both peers, but the
passwords configured are not. A hello or dead interval timer mismatch can be confirmed by the error
messages HelloInterval mismatch and RouterDeadInterval mismatch respectively. The error
message: MTU size is too large, indicates an MTU mismatch.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 2—Advertised Route Not in
Routing Table
FGT-A # show router ospf
config router ospf
set router-id 0.0.0.112
config area
edit 0.0.0.0
next
end
...
config redistribute "static" Static routes are
set status enable being
end redistributed
...
end
In the scenario shown on this slide, FGT-A is configured to redistribute all static routes. Note that default static
routes are not advertised by default. In this case, only the 8.8.8.8/32 route is advertised.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 2—Advertised Route Not in Routing
Table (Contd)
FGT-B # get router info routing-table all
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 192.168.1.1, port1, [1/0]
C 10.23.23.0/24 is directly connected, port4
8.8.8.8/32 is being
successfully advertised
and injected into the LSDB
The routing table on FGT-B shows that the advertised route 8.8.8.8/32 is missing in the routing table.
However, you can confirm that the route is being advertised successfully by looking at the LSDB using the
command get router info ospf database brief. This also verifies successful OSPF adjacency
between FGT-A and FGT-B.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 2—Advertised Route Not in Routing
Table (Contd)
FGT-B # show router ospf
config router ospf
set router-id 0.0.0.113
set distribute-list-in ”Deny-8.8.8.0/24"
config area
edit 0.0.0.0
next
end
...
end
The issue in scenario 2 is that FGT-B is configured with a distribute-list-in that denies any subnet
within the 8.8.8.0/24 network to be injected into the routing table. The distribute-list-in is configured
under config router ospf. The list itself is configured under config router prefix-list.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 2—Advertised Route Not in Routing
Table—Solution
FGT-B # show router prefix-list
config router prefix-list
edit "Deny-8.8.8.0/24 "
config rule
edit 1
set action deny
set prefix 8.8.8.0 255.255.255.0
unset ge
unset le
next
edit 2
set prefix 8.8.8.8 255.255.255.255
unset ge
unset le
next
end Allow the 8.8.8.8/32
next subnet
end
The recommended way to solve this is by adding another rule to the prefix list that applies to the OSPF
configuration. In this case, the change is made to the Deny-8.8.8.0/24 prefix list. To have FortiOS inject
the route from the LSDB into the routing table, you must add the subnet 8.8.8.8/32. Unlike firewall policies, the
list is not evaluated from the top down. Every rule within the list is inspected.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 2—Advertised Route Not in Routing
Table (Confirmation)
8.8.8.8/32 is now injected
FGT-B # get router info routing-table all into the routing table
...
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 192.168.1.1, port1, [1/0]
O E2 8.8.8.8/32 [110/10] via 192.168.37.202, port2, 00:18:50, [1/0]
C 10.23.23.0/24 is directly connected, port4
The routing table shown on this slide confirms that the advertised route from FGT-A has been successfully
injected. You can also see that the distribution-list-in command has no impact on the LSDB.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 3—Topology
FGT-A
ABR
Area
0.0.0.0
Area
0.0.0.5
FGT-B
FGT-C
ASBR
In the scenario on this slide, FGT-A is an area border router (ABR) that has interfaces in OSPF areas 0.0.0.0
and 0.0.0.5. FGT-C acts as an autonomous system border router (ABSR), importing static routes into OSPF.
FGT-B is an internal router with all its interfaces belonging to area 0.0.0.5.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 3—Routes Not Received from ABR
FGT-A # get router info ospf status
Routing Process "ospf 0" with ID 0.0.0.1
Process uptime is 2 minutes
Process bound to VRF default
Conforms to RFC2328, and RFC1583Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Do not support Restarting
This router is an ABR, ABR Type is Standard (RFC2328)
---omitted---
The omitted output on FGT-A from the command get router info ospf database brief shows the
type 5 LSAs received from FGT-C (router ID 0.0.0.3) in OSPF area 0.0.0.0.
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 3—Routes Not Received from ABR
(Contd)
FGT-B # get router info ospf database brief
Viewing the LSDB summary on FGT-B shows that none of the type 5 LSAs are forwarded from FGT-A to
FGT-B. There are no AS external link states. What could be the reason for this?
DO NOT REPRINT
© FORTINET
Troubleshooting Scenario 3—Routes Not Received from ABR
(Solution)
FGT-B # show router ospf
config router ospf
set router-id 0.0.0.10
config area
edit 0.0.0.5
set type stub
next
end
config network
edit 1
set prefix 100.64.1.0 255.255.255.0
set area 0.0.0.5
next
end
---omitted---
end
The reason that no type 5 LSAs are received in the LSDB of FortiGate B, is because area 0.0.0.5 is
configured as a stub area. Stub areas block LSAs of type 5. The solution is to either change the type for area
0.0.0.5 to a regular area, or configure static routes on FGT-B to mimic the routes advertised by the ASBR.
DO NOT REPRINT
© FORTINET
OSPF Logging
• FortiGate logs OSPF routing events, such as:
• Neighbor down or up
• OSPF message exchange
• Negotiation errors
• Enabled by default under:
# config router ospf
set log-neighbour-change enable
...
end
By default, FortiGate logs the most important OSPF routing events, such as:
• Neighbor down or up
• OSPF message exchange
• Negotiation errors
DO NOT REPRINT
© FORTINET
OSPF Logging (Contd) Log & Report > System Events > Router Events
You can view OSPF-related router events on the GUI. You can click any logged entry to view the details.
DO NOT REPRINT
© FORTINET
Review
Understand OSPF components and adjacencies
Monitor the status of an OSPF network
Troubleshoot common OSPF issues
This slide shows the objectives that you covered in this lesson.
By mastering the objectives covered in this lesson, you learned about OSPF concepts, and how to configure
and troubleshoot OSPF.
DO NOT REPRINT
© FORTINET
DO NOT REPRINT
© FORTINET
Now, you will review the solutions for the troubleshooting exercise in the Traffic and Session Monitoring lab.
DO NOT REPRINT
© FORTINET
Problems to Troubleshoot
• There are three problems that you need to troubleshoot:
• Unable to connect over Telnet to the internal segmentation firewall (ISFW) (10.1.10.254)
• No internet access
• Unable to connect over Telnet to the Linux-Router (100.64.1.254)
DO NOT REPRINT
© FORTINET
Problem 1: Unable to Connect Over Telnet to the ISFW
ISFW # diagnose sniffer packet any "port 23 and host 10.1.10.1" 4
interfaces=[any]
filters=[port 23 and host 10.1.10.1]
6.252157 port3 in 10.1.10.1.53567 -> 10.1.10.254.23: syn 3438661631
9.255609 port3 in 10.1.10.1.53567 -> 10.1.10.254.23: syn 3438661631
In the problem 1, the packets are arriving at the ISFW; however ISFW is not replying with SYN/ACK packets. The
first step is to use the sniffer command to verify that packets are arriving at the ISFW.
DO NOT REPRINT
© FORTINET
Problem 1: Unable to Connect Over Telnet to the ISFW (Contd)
ISFW # diagnose debug flow filter dport 23
ISFW # diagnose debug flow trace start 10
ISFW # diagnose debug enable
The next step is to use the debug flow, which shows the error iprope_in_check() check failed on
policy 1, drop. Because this is occurring in FortiGate management traffic, the problem could be one of the
following:
• The telnet service is not enabled on port3.
• The telnet service is using a different port.
• The source IP address is not in the trusted hosts list.
• There is a local-in firewall configured to block telnet traffic.
DO NOT REPRINT
© FORTINET
Problem 1: Unable to Connect Over Telnetto the ISFW (Contd)
• Solution:
• Delete the local-in policy configured to deny telnet requests to the unit.
ISFW (local-in-policy) # show firewall local-in-policy
config firewall local-in-policy
edit 1
set intf "port3"
set srcaddr "10.1.10." Note: User created local-in
set dstaddr "all" policies are not displayed on
set service "TELNET" the GUI. You can view them
set schedule "always" only on the CLI.
...
ISFW # config firewall local-in-policy
ISFW (local-in-policy) # delete 1
ISFW (local-in-policy) # end
The problem is that a local-in is policy blocking the telnet traffic. Removing the policy fixes the problem.
You can view manually created local-in policies only on the CLI.
DO NOT REPRINT
© FORTINET
Problem 2: Unable to Access Public Web Sites
ISFW # diagnose debug reset
ISFW # diagnose debug flow filter dport 53
ISFW # diagnose debug flow filter saddr 10.1.10.1
ISFW # diagnose debug flow trace start 10
ISFW # diagnose debug enable
In problem 2, you are unable to access public websites. Attempts to connect to yahoo.com fail; however you can
still ping IP address 8.8.8.8. This means that Client-10 does have internet connectivity, but it is unable to
resolve domain names. Confirm this by running a debug flow for UDP port 53 (DNS).
DO NOT REPRINT
© FORTINET
Problem 2: Unable to Access Public Web Sites (Contd)
• Solution:
• Allow DNS traffic in the firewall policy:
The problem is that DNS traffic is not one of the allowed services in the firewall policy. Adding the DNS service to
the firewall policy solves the problem.
DO NOT REPRINT
© FORTINET
Problem 3: Telnet Access to the Linux-Router
ISFW # diagnose sniffer packet any "port 23" 4
interfaces=[any]
filters=[port 23]
17.580187 port3 in 10.1.10.1.56730 -> 100.64.1.254.23: syn 1424159519
17.580252 port1 out 10.1.10.1.56730 -> 100.64.1.254.23: syn 1424159519
17.580818 port1 in 100.64.1.254.23 -> 10.1.10.1.56730: rst 0 ack 1424159520
17.580873 port3 out 100.64.1.254.23 -> 10.1.10.1.56730: rst 0 ack 1424159520
17.581060 port1 in 100.64.1.254.23 -> 10.1.10.1.56730: rst 0 ack 1424159520
The Linux-Router is
resetting the connection
In problem 3 use the sniffer to confirm that FortiGate is routing the packets properly. However, you can see that
the router is replying with the reset (RST) flag. The problem is not on the FortiGate side, but on the server side.
There is nothing you can do to solve this issue.
DO NOT REPRINT
© FORTINET
Now, you will review the solutions for the troubleshooting exercise in the Security Fabric lab.
DO NOT REPRINT
© FORTINET
Problems to Troubleshoot
• There are three problems that you need to troubleshoot:
• Unable to reach ISFW from NGFW-1
• Solution: Enable or create policy on NGFW-2 to allow TCP port 8013
• The Security Fabric is not enabled on ISFW port4
• Solution: Enable the Security Fabric on ISFW port4
• NGFW-1 is not authorized to take part in the Security Fabric
• Solution: NGFW-1 must be authorized on ISFW
DO NOT REPRINT
© FORTINET
Lab 5—Authentication
Now, you will review the solutions for the troubleshooting exercise in the Authentication lab.
DO NOT REPRINT
© FORTINET
Exercise 1 LDAP: Problems to Troubleshoot
• There are two problems:
• The LDAP User group is not configured on firewall policy #1, therefore the user authentication request
is not displayed.
• The password for the account student fails because there’s a local student user account, and
FortiGate doesn’t forward an authentication request to the LDAP server. Remove the local student
account.
DO NOT REPRINT
© FORTINET
Exercise 2 SAML: Problems to Troubleshoot
• Use the debug command diagnose debug application samld -1 to view this
error message:
While attempting to browse the web, authentication takes place but fails with the error message: Firewall
Authentication Failed.
Use the debug command diagnose debug application samld -1 to view this error message: Audience
is invalid!.
DO NOT REPRINT
© FORTINET
Exercise 2 SAML: Problems to Troubleshoot (Contd)
• Reviewing the SP Login Dump and Assertion Dump sections
• On section SP Login Dump you find the following:
<saml:Issuer>https://10.1.10.254:1003/remote/saml/
• On section Assertion Dump you find the following:
<saml:Audience>https://10.1.10.254:1003/remote/saml/metadata/
• There’s a mismatch in the configuration of the (SP) entity ID between service provider (SP) and
identity provider (IdP)
• Correct the configuration through CLI or GUI: https://10.1.10.254:1003/remote/saml/metadata/
As explained in the lesson, we need to verify that both the SP and IdP configuration match.
While reviewing the sections SP Login Dump and Assertion Dump, you find a mismatch on the service
provider entity ID.
Using the CLI or the GUI, you review the FortiGate configuration and find that the word metadata is missing.
DO NOT REPRINT
© FORTINET
Lab 6—FSSO
Now, you will review the solutions for the troubleshooting exercise in the FSSO lab.
DO NOT REPRINT
© FORTINET
Problems to Troubleshoot
• The user on the Client-10 VM is unable to browse the internet
• The FSSO user pushed by the script is in the FSSO group AD_USERS:
• Firewall policy #1 configured the local user group Training which is linked to the FSSO
group Users
• Solution: In the local user group Training, replace the FSSO group Users with the
FSSO group AD_Users.
The problem is that the user on the Client-10 VM is unable to browse the internet. The FSSO user pushed by the
script is in the FSSO group AD_USERS. Firewall policy #1 is configured for the local user group, Training, which
is linked to the FSSO group Users.
Solution: In the local user group Training, replace the FSSO group Users with the FSSO group AD_Users.
DO NOT REPRINT
© FORTINET
Now, you will review the solutions for the troubleshooting exercises in the Security Profiles lab.
DO NOT REPRINT
© FORTINET
Problem 1: Web Filtering
• Why isn't ISFW blocking www.eicar.org?
• The web filtering real-time debug explains why:
• The URL is in the Information and Computer Security category, not the
Security Risk category
Some users reported that www.eicar.org should be blocked because it belongs in the security risk category.
However, the output of the web filtering real-time debug shows that the URL belongs to a different category—
Information Technology—which is allowed in the FortiGate configuration.
DO NOT REPRINT
© FORTINET
Problem 2: Antivirus
• Why doesn’t the ISFW detect the virus?
• The debug flow does not show this line:
func=av_receive line=254 msg="send to application layer"
• So, the FTP proxy is not inspecting the traffic
• Reason:
• FTP traffic is using a non-standard port—222
• Solution:
• Modify the NST_Default protocol options so that FTP traffic is inspected on a non-standard port: port
222
The second problem is that ISFW is not blocking the FTP file transfer of an infected file. The debug flow does not
show the message sent to the application layer, which means that the ISFW is not inspecting the
traffic. The reason that the ISFW is not inspecting the traffic is because the FTP connection is using a
nonstandard port—port 222. Modify the NST_Default protocol options, configure the FTP to inspect traffic on the
nonstandard port 222.
DO NOT REPRINT
© FORTINET
Now, you will review the solutions for the troubleshooting exercise in the High Availability lab.
DO NOT REPRINT
© FORTINET
Problem 1: Mismatched ha-eth-type Setting
• The sniffer capture shows that Ethernet protocol 0x8890 is flowing in one direction:
from NGFW-1 to NGFW-2
NGFW-1 NGFW-2
The sniffer capture shows that Ethernet protocol 0x8890 is flowing in one direction: from NGFW-1 to NGFW-2.
This happens because a customized ha-eth-type setting is configured on NGFW-2.
DO NOT REPRINT
© FORTINET
Problem 2: Password Mismatch
• The diagnose debug application hatalk -1 debug output shows a password
mismatch issue on both FortiGate devices:
• Solution: Configure a new password for the HA configuration on both FortiGate devices
DO NOT REPRINT
© FORTINET
Lab 9—IPsec
Now, you will review the solutions for the troubleshooting exercise in the IPsec lab.
DO NOT REPRINT
© FORTINET
Problem 1: Encryption Mismatch
ike 0:755f07a141261b05/0000000000000000:45: responder: main mode get 1st message...
...
ike 0:755f07a141261b05/0000000000000000:45: incoming proposal:
ike 0:755f07a141261b05/0000000000000000:45: proposal id = 0:
ike 0:755f07a141261b05/0000000000000000:45: protocol id = ISAKMP:
ike 0:755f07a141261b05/0000000000000000:45: trans_id = KEY_IKE.
ike 0:755f07a141261b05/0000000000000000:45: encapsulation = IKE/none
ike 0:755f07a141261b05/0000000000000000:45: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:755f07a141261b05/0000000000000000:45: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:755f07a141261b05/0000000000000000:45: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:755f07a141261b05/0000000000000000:45: type=OAKLEY_GROUP, val=MODP2048.
ike 0:755f07a141261b05/0000000000000000:45: ISAKMP SA lifetime=86400
...
ike 0:755f07a141261b05/0000000000000000:45: my proposal, gw VPN:
ike 0:755f07a141261b05/0000000000000000:45: ISAKMP SA lifetime=86400
ike 0:755f07a141261b05/0000000000000000:45: proposal id = 1:
ike 0:755f07a141261b05/0000000000000000:45: protocol id = ISAKMP:
ike 0:755f07a141261b05/0000000000000000:45: trans_id = KEY_IKE.
ike 0:755f07a141261b05/0000000000000000:45: encapsulation = IKE/none
ike 0:755f07a141261b05/0000000000000000:45: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:755f07a141261b05/0000000000000000:45: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:755f07a141261b05/0000000000000000:45: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:755f07a141261b05/0000000000000000:45: type=OAKLEY_GROUP, val=MODP2048.
ike 0:755f07a141261b05/0000000000000000:45: ISAKMP SA lifetime=86400
...
ike 0:755f07a141261b05/0000000000000000:45: negotiation failure
The first problem is a misconfiguration in phase 1. One side is configured with triple data encryption standard
(3DES), and the other side is configured with advance encryption standard (AES).
DO NOT REPRINT
© FORTINET
Problem 2: Pre-Shared Key Mismatch
...
ike 0:VPN:130: responder: main mode get 3rd message...
ike 0:VPN:130: dec
E410DF2B73B8DF1C3ADBB8C4B7F264B205100201000000000000006C9135F5F081B0E42CC8D197
A5CA4A8B5D24A88B30263F5BD1100003C17E06D5A125B43693308EA1732DEFFA7A9C58891D2406
B2F425674C4F2F93C919DB36F40849C0A793682E12673D91F7A60027CC58
ike 0:VPN:130: parse error
ike 0:VPN:130: probable pre-shared secret mismatch
DO NOT REPRINT
© FORTINET
Problem 3: ISP Blocking ESP Packets
Spoke-2 # diagnose sniffer packet any "esp or icmp" 4 Spoke-2 is
interfaces=[any] sending the
packets from the
filters=[esp or icmp] correct interfaces
3.073926 VPN out 10.1.2.254 -> 10.1.1.254: icmp: echo request
3.073943 port1 out 100.64.5.1 -> 100.64.4.1: ESP(spi=0xcb35b188,seq=0x10)
4.078136 VPN out 10.1.2.254 -> 10.1.1.254: icmp: echo request
4.078164 port1 out 100.64.5.1 -> 100.64.4.1: ESP(spi=0xcb35b188,seq=0x11)
Spoke-1 is not
Spoke-1 # diagnose sniffer packet any "esp or icmp" 4
receiving them
interfaces=[any]
filters=[esp]
The third problem is that the sniffer shows that the Encapsulating Security Payload (ESP) packets from Spoke-2
are not arriving at Spoke-1. The most likely reason for this is that the ESP packets are being blocked or dropped
in transit by the Linux-Router.
DO NOT REPRINT
© FORTINET
Lab 10—IPSec-IKEv2
Now, you will review the solutions for the troubleshooting exercise in the IPSec-IKEv2 lab.
DO NOT REPRINT
© FORTINET
Problem 1: Encryption Mismatch in Phase 1
• The diagnose debug application ike -1 debug output shows a proposal
mismatch issue on both FortiGate devices:
The first problem is a misconfiguration in phase 1. One side is configured with 3DES, and the other side is
configured with AES.
DO NOT REPRINT
© FORTINET
Problem 2: DH Mismatch in Phase 2
• When IKEv2 is used, if there’s a dhgrp mismatch on the CHILD_SA, it won’t be
detected until after the rekey
• Phase 2 is configured to perform a rekey every 5 minutes
• After 5 minutes, when the rekey takes place, the mismatch will be detected, which will
bring phase 2 down
DO NOT REPRINT
© FORTINET
Lab 11—Routing
Now, you will review the solutions for the troubleshooting exercises in the Routing lab.
DO NOT REPRINT
© FORTINET
Route Changes and Source NAT Sessions
• port1 goes down and traffic is automatically routed to the secondary interface (port2)
• port1 comes back up; however, SNAT sessions continue to use port2 because the
route is still active in the routing table
• To change this behavior, do one of the following:
• Clear the existing entries in the session table
• Enable snat-route-change:
config system global
set snat-route-change enable
end
When the primary internet link goes down, the routing table changes. All routing information is flushed from the
affected sessions and traffic is routed to port2. When port1 comes back up, all source network address translation
(SNAT) sessions continue to use port2, because the port2 route is still valid and the port2 interface is still up.
Existing SNAT sessions continue to use port2 until they expire.
There is a global setting that instructs FortiGate to reroute existing SNAT sessions when a routing change occurs,
even when the less desirable route is still active. You can enable the snat-route-change setting as shown on
this slide.
DO NOT REPRINT
© FORTINET
Problem 1: Default Routes
NGFW-1 # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
> - selected route, * - FIB route, p - stale info
The default route configuration is not working as desired. The default route using port2 is inactive.
DO NOT REPRINT
© FORTINET
Problem 1: Default Routes (Contd)
• Solution:
• Change the Administrative Distance to 10
• Change the Priority value to be higher than that of port1 (10)
The port2 default route distance is higher than that of port1. For both default routes to be active, they must have
the same distance. Also, the port2 priority value is lower than that of port1. Increase the priority value of port2 to
be higher than that of port1 (for example 20).
DO NOT REPRINT
© FORTINET
Problem 2: Traffic to 100.64.3.1 Is Dropped
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 100.64.1.254, port1, [10/0]
[10/0] via 100.64.2.254, port2, [20/0]
C 10.1.0.0/24 is directly connected, port3
S 10.1.4.0/24 [10/0] via 10.1.0.100, port3, [1/0]
S 10.1.10.0/24 [10/0] via 10.1.0.1, port3, [1/0]
S 10.1.10.1/32 [10/0] via 100.64.1.254, port1, [1/0]
C 100.64.1.0/24 is directly connected, port1
C 100.64.2.0/24 is directly connected, port2
C 172.16.100.0/24 is directly connected, port8
Why is traffic destined for 100.64.3.1 dropped? The debug flow shows the reason:
DO NOT REPRINT
© FORTINET
Problem 2: Traffic to 100.64.3.1 Is Dropped (Contd)
• Solution:
• Change the RPF configuration from strict to feasible:
• config system settings
• set strict-src-check disable
• end
DO NOT REPRINT
© FORTINET
Problem 3: Traffic to 100.64.3.1 Is Using the Wrong Port
NGFW-1 # id=65308 trace_id=41 func=print_pkt_detail line=5888 msg="vd-root:0 received a
packet(proto=1, 10.1.10.1:6198->100.64.3.1:2048) tun_id=0.0.0.0 from port3. type=8, code=0,
id=6198, seq=1."
id=65308 trace_id=41 func=init_ip_session_common line=6073 msg="allocate a new session-
000015b3"
id=65308 trace_id=41 func=rpdb_srv_match_input line=1122 msg="Match policy routing id=1: to
100.64.3.1 via ifindex-4"
id=65308 trace_id=41 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000
gw-100.64.2.254 via port2"
id=65308 trace_id=41 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash,
slot=44, len=2"
id=65308 trace_id=41 func=get_new_addr line=1268 msg="find SNAT: IP-100.64.2.1(from IPPOOL),
port-6198"
id=65308 trace_id=41 func=fw_forward_handler line=995 msg="Allowed by Policy-2: SNAT"
id=65308 trace_id=41 func=ip_session_confirm_final line=3111 msg="npu_state=0x100, hook=4"
id=65308 trace_id=41 func=__ip_session_run_tuple line=3444 msg="SNAT 10.1.10.1-
>100.64.2.1:6198"
id=65308 trace_id=42 func=print_pkt_detail line=5888 msg="vd-root:0 received a
packet(proto=1, 100.64.3.1:6198->100.64.2.1:0) tun_id=0.0.0.0 from port2. type=0, code=0,
id=6198, seq=1."
Why is traffic destined for 100.64.3.1 being routed out of port2? The debug flow shows the reason. There is a
policy-based route that takes precedence over the static route configuration.
DO NOT REPRINT
© FORTINET
Problem 3: Traffic to 100.64.3.1 Is Using the Wrong Port (Contd)
• Solution:
• Remove the policy-based route
DO NOT REPRINT
© FORTINET
Problem 4: Client-10 Is Unable to Route HTTP Traffic to NGFW-1
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 100.64.1.254, port1, [10/0]
[10/0] via 100.64.2.254, port2, [20/0]
C 10.1.0.0/24 is directly connected, port3
S 10.1.4.0/24 [10/0] via 10.1.0.100, port3, [1/0]
S 10.1.10.0/24 [10/0] via 10.1.0.1, port3, [1/0]
S 10.1.10.1/32 [10/0] via 100.64.1.254, port1, [1/0]
C 100.64.1.0/24 is directly connected, port1
C 100.64.2.0/24 is directly connected, port2
C 172.16.100.0/24 is directly connected, port8
Traffic from Client-10 enters NGFW-1 on port3. However, NGFW-1 sends traffic for Client-10 out of port1,
because it is the better route. This causes asymmetric traffic. Remove the static route that points to the Client-10
IP address through port1. Client-10 is located behind NGFW-1 port3.
DO NOT REPRINT
© FORTINET
Lab 12—BGP
Now, you will review the solutions for the troubleshooting exercise in the BGP lab.
DO NOT REPRINT
© FORTINET
Problem 1: Wrong Remote AS
NGFW-1 # diagnose ip router bgp all enable
NGFW-1 # diagnose ip router bgp level info
NGFW-1 # diagnose debug enable
The BGP neighbors do not come up because NGFW-1 is configured with remote autonomous system (AS) 200
but the internet service provider (ISP) AS is 100.
DO NOT REPRINT
© FORTINET
Problem 1: Wrong Remote AS (Contd)
• Solution:
• Change the remote AS to 100
Changing the remote AS number from 200 to 100 fixes the problem.
DO NOT REPRINT
© FORTINET
Problem 2: BGP Routing
NGFW-1 # get router info routing-table all
The second problem is that NGFW-1 is receiving the prefix 8.8.8.8/32 through port2. This is causing all traffic
destined to 8.8.8.8 to be routed through port2 instead of port1.
DO NOT REPRINT
© FORTINET
Problem 2: BGP Routing (Contd)
• Solution:
• Create a prefix list blocking 8.8.8.8/32
• Apply the prefix list to the prefixes coming from the neighbor 100.64.2.254
Only the ISP administrator can fix this issue. However, while the ISP administrator fixes the problem, you can use
a prefix list to block the incoming advertisement to the subnet 8.8.8.8/32. You can also use a static route to to
configure 8.8.8.8/32 traffic to traverse port1.
DO NOT REPRINT
© FORTINET
Lab 13—OSPF
Now, you will review the solutions for the troubleshooting exercise in the OSPF lab.
DO NOT REPRINT
© FORTINET
Problem 1: Duplicate Router ID
OSPF: RECV[Hello]: From 0.0.0.2 via port3:10.1.4.254 (10.1.4.10 -> 224.0.0.5)
OSPF: Header
OSPF: Version 2
OSPF: Type 1 (Hello)
OSPF: Packet Len 44
OSPF: Router ID 0.0.0.2
OSPF: Area ID 0.0.0.0
OSPF: Checksum 0xee91
OSPF: AuType 0
OSPF: Hello
OSPF: NetworkMask 255.255.255.0
OSPF: HelloInterval 10
OSPF: Options 0x2 (*|-|-|-|-|-|E|-)
OSPF: RtrPriority 1
OSPF: RtrDeadInterval 40
OSPF: DRouter 10.1.4.10
OSPF: BDRouter 0.0.0.0
OSPF: # Neighbors 0
OSPF: RECV[Hello]: duplicate router-id 0.0.0.2 detected on port3:10.1.4.254
The OSPF real-time debug shows the first problem. The Linux server uses router ID 0.0.0.2, which is also
used by DCFW.
DO NOT REPRINT
© FORTINET
Problem 1: Duplicate Router ID (Contd)
• Solution:
• Change the DCFW router ID to 0.0.0.4
To solve this problem on the DCFW side, change the DCFW router ID from 0.0.0.2 to any other available ID.
DO NOT REPRINT
© FORTINET
Problem 2: Authentication Type Mismatch
OSPF: -----------------------------------------------------
OSPF: RECV[Hello]: From 0.0.0.2 via port3:10.1.4.254: Authentication type
mismatch
OSPF: ospf_ipc_server_accept:1200:5c create ipc_handler=0x7f0c45011100 for
sock=21
OSPF: ospf_ih_on_read:1070:5d request type=18 len=24 vfid=0 start=0 count=8000
flags=0x1
OSPF: ospf_ih_on_read:1166:5e response type=18 len=104 vfid=0 start=0 count=2
flags=0x1 total=2 ret=112
OSPF: ospf_ih_on_close:1180:5f delete ipc_handler=0x7f0c45011100 for sock=21
OSPF: RECV[Hello]: From 0.0.0.1 via port1:10.1.0.100 (10.1.0.254 -> 224.0.0.5)
OSPF: -----------------------------------------------------
The real-time OSPF debug shows the second problem, which is an authentication type mismatch.
DO NOT REPRINT
© FORTINET
Problem 2: Authentication Type Mismatch (Contd)
• Solution:
• Delete the OSPF interface configuration or modify it to not require authentication
To solve this problem on the DCFW side, delete the interface configuration or modify the interface configuration
so that it does not require any authentication.
DO NOT REPRINT
© FORTINET
Solution
DCFW # get router info ospf neighbor
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
0.0.0.3 1 Full/Backup 00:00:32 10.1.0.1 port1
0.0.0.1 1 Full/DR 00:00:34 10.1.0.254 port1
0.0.0.2 1 Full/DR 00:00:31 10.1.4.10 port3
After you apply the two fixes on DCFW, you should see the Linux-Router (0.0.0.0.2) adjacency form.
DO NOT REPRINT
© FORTINET
FortiOS 7.4
Last Modified: 29 April 2024
In this lesson, you will review Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP) concepts.
DO NOT REPRINT
© FORTINET
OSPF Review
DO NOT REPRINT
© FORTINET
OSPF Overview
• Link state protocol
• Advantages:
• Scalable to large networks
• Faster convergence than distance-vector routing protocols
• Relatively quiet during steady-state conditions
• Periodic refresh every 30 minutes
• Otherwise, updates sent only when there are changes
• Disadvantages:
• May require planning and tuning to optimize performance
• May be difficult to troubleshoot in large networks
With a link state protocol like OSPF, every router has a complete view of the network topology. Advantages of
OSPF include scalability and fast convergence. Every 30 minutes, routers advertise their OSPF information.
Between these 30-minute intervals, routers send updates only if they detect topology changes. So, it is a
relatively quiet protocol, as long as the network topology is stable. In large networks, using OSPF requires good
planning and it can be difficult to troubleshoot.
DO NOT REPRINT
© FORTINET
OSPF Components
• Link state database (LSDB): Each router maintains identical databases describing the
network topology
• From the LSDB, and using Dijkstra’s algorithm, each router builds a tree with the
shortest paths
• The tree gives an OSPF route to each destination
• OSPF can inject routes into the IP routing table
Each router in the same area has identical and synchronized databases. You will learn about OSPF areas later in
this lesson. An OSPF router uses the information in the LSDB and Dijkstra's algorithm to generate an OSPF tree,
which contains the shortest path from the local router to each other router and network. This tree gives the best
route to each destination, which is the information that OSPF can inject into the device routing table.
DO NOT REPRINT
© FORTINET
Link State Advertisement
• Routers exchange link state advertisements (LSAs) to maintain consistent databases
• Network changes generate LSAs
• The LSDBs are composed of all received LSAs
• A link state update consists of an OSPF header and a string of LSAs
• Each LSA has its own header
• Routers acknowledge the receipt of LSAs
OSPF Number of
IP header LSA 1 LSA 2 … LSA n
header LSAs
LSAs contain the topology information that OSPF peers exchange. The LSDB of a router is populated with
information from the local LSAs and all the LSAs received from other routers.
DO NOT REPRINT
© FORTINET
OSPF Cost
• Metric in OSPF is cost:
• 16-bit positive number (1 to 65,535)
• Routes with lowest cost are most preferred
• Routing decisions made on total cost of a path to the final destination
If there are multiple OSPF routes to the same destination subnet, OSPF selects the route with the lowest cost.
Each router interface is associated with an interface cost, which is usually related to how fast or preferable that
interface is. An OSPF route cost is the sum of the costs of all interfaces to the final destination.
DO NOT REPRINT
© FORTINET
LSDB
• Each router advertises its locally connected
subnets R1 R2
2 Net 1 2
• LSDBs in all routers contain information about the 1
network topology 3
Net 3
Link State Database (network/cost) R3
1
R2 Net 1/2, Net 2/3, Net 3/1 1 Net 2
2
R1 Net 1/2
R3 Net 3/1, Net 4/1, Net 5/2 Net 4
Net 5
R4 Net 2/3, Net 4/1
2 1 3 R4
R5 Net 5/2 R5
This slide and the next slide explain how an OSPF router builds its OSPF tree. The initial information for each
router is the locally connected networks, together with the OSPF cost for each interface. In the example shown on
this slide, the router R2 has three locally connected subnets: subnet Net 1 with a cost of 2, subnet Net 2
with a cost of 3, and subnet Net 3 with a cost of 1. Router R1 has only one subnet connected: Net 1 with a
cost of 2, and so on.
Each router starts advertising its locally connected subnets by sending LSAs.
DO NOT REPRINT
© FORTINET
OSPF Tree
• Routers use Dijkstra's algorithm to determine R1 R2
2 Net 1
the best path to each destination 2
• The best path has the lowest overall cost 1
R3 3
• The destination is either a network or a router 1 Net 3
• Routers build an OSPF tree 1
• During each iteration, the router maps all known 2 Net 2
Net 4
paths to a destination and chooses the lowest path Net 5
• The router repeats the process until it discovers the 2
best path to each destination R5 1 3 R4
R2
Net 2
Net 1 R3 Net 3
Net 5 Net 4
OSPF routers use Dijkstra’s algorithm to determine the best route to each destination. The best routes can be
represented as a tree with the local router at the root. Dijkstra’s algorithm is a recursive process that the router
repeats multiple times until it finds the best routes. For example, this slide shows the OSPF tree for router R2. It
indicates that the best route to Net 5 and Net 4 is through R3, and that Net 1, Net 2, and Net 3 are locally
connected.
DO NOT REPRINT
© FORTINET
OSPF Areas
• A logical collection of OSPF networks and routers
• Defined with a 32-bit number
• IP address format
0.0.0.10
• Single decimal format
10
You can segment an OSPF network into areas. Each area is identified by a unique number, which you can define
in decimal or IP address formats.
DO NOT REPRINT
© FORTINET
OSPF Areas (Contd)
• When a network is broken up into areas, routers maintain separate LSDBs for each area
• Advantages:
• Smaller LSDB tables
• Impact of a topology change is minimized outside the area
• You can summarize routes on the area borders
• Disadvantages:
• More complex to troubleshoot
• Network design considerations
Each area has its own separate LSDB. All routers in the same area maintain an identical copy of the LSDB of an
area. As you will learn in this lesson, a router can belong to more than one area. In those cases, the router
maintains multiple LSDBs—one LSDB for each area connected to it.
Segmenting big OSPF networks into areas reduces the sizes of the LSDB tables. Additionally, a topology change
does not impact the whole network, but only the area where the change happens.
Using OSPF areas requires good planning and may complicate the troubleshooting process.
DO NOT REPRINT
© FORTINET
Types of Areas
• Backbone area
• Must have the area ID 0.0.0.0
• All other areas must connect to the backbone area by physical or virtual links
• Distributes information between areas
• Normal area
• Similar to a backbone area in behavior
• Can be any area ID other than 0.0.0.0 Area
0.0.0.2
Area
0.0.0.0
Area
0.0.0.3
Area
0.0.0.1
All OSPF networks must have at least one area—the backbone area. The backbone area is the core of the
network, and all the other areas connect to it in a hub-and-spoke topology.
DO NOT REPRINT
© FORTINET
OSPF Router Types
• Internal router
• All connected interfaces belong to the same area
• Maintains one LSDB and one OSPF tree
• Area border router (ABR)
• A router with interfaces in multiple areas
• One LSDB and one OSPF tree for each connected area
• Always connected to the backbone
• Backbone router
• Has at least one interface in the backbone area
• Autonomous system boundary router (ASBR)
• Imports external (non-OSPF) routes into OSPF
• Has at least one source of routing information that is not of OSPF origin
An internal OSPF router has all its interfaces connected to the same area. So, it maintains only one LSDB.
On the other hand, an ABR is connected to multiple areas, so it keeps multiple LSDBs.
A backbone router has at least one interface connected to the backbone area.
DO NOT REPRINT
© FORTINET
OSPF Router Types─Example
RIP
ASBR and
backbone ABR and
backbone
Area
0.0.0.0
Area
0.0.0.3
Area
0.0.0.1
Internal and
backbone
DO NOT REPRINT
© FORTINET
Network Types
• Point-to-point
• A pair of routers connected through a point-to-point link
• Broadcast (multi-access)
• Supports more than two attached routers
• Supports the sending of a single message to all routers (multicast)
• Example: Ethernet networks
• Point-to-multipoint
• Supports more than two attached routers
• Does not support multicast
• Point-to-point networks contain only two peers, one at each end of a point-to-point link.
• Broadcast networks support more than two attached routers. They also support sending messages to
multiple recipients (broadcasting).
• Point-to-multipoint networks support more than two attached routers. However, they do not support
broadcasting.
DO NOT REPRINT
© FORTINET
Forming an Adjacency
• Down: Initial state
• Init: A hello packet is seen by a Down
nonadjacent neighbor Hello Down
Init Hello Init
• 2-way: Communication is bidirectional
between the two routers 2-way DB description 2-way
ExStart
• ExStart: The routers negotiate a primary DB description
Exchange
and secondary relationship Link state request
Loading
• Exchange: The routers exchange Link state update
database description packets Link state ack
• Loading: The routers exchange LSA Link state request
information Link state update
• Full: LSDBs are identical Link state ack
Full Hello Full
Hello
A session between two OSPF peers is called an adjacency. This slide shows the initial interchange between two
peers that are forming an adjacency. Any new adjacency goes through different states: Init, 2-way, ExStart,
Exchange, Loading, and Full. The Full state indicates that the adjacency has successfully formed, and that both
routers have identical copies of the LSDB.
DO NOT REPRINT
© FORTINET
Adjacency Requirements
• Primary IP addresses of peers are in the same subnet with the same mask
• Interfaces of peers are the same type and in the same OSPF area
• Hello and dead intervals of peers must match
• Each peer has a unique router ID
• OSPF IP maximum transmission units (MTUs) match
• OSPF authentication, if enabled, is successful
This slide lists the requirements for two peers to form an OSPF adjacency. If any of the requirements are not met,
the adjacency fails and will not reach the Full state.
DO NOT REPRINT
© FORTINET
Designated Router
• In multi-access networks, one designated router (DR) and one backup DR (BDR) are
elected
• Router priority: highest priority wins, 0 = never become a DR
• Router ID: highest ID wins
• If the DR fails, the BDR takes the DR role
• Full adjacencies are only formed to the DR and BDR to reduce resource utilization
DR BDR
In any multi-access network there is one DR and one BDR. The OSPF network elects the router with the highest
priority as the DR. If two or more routers are tied with the highest priority, the network elects the router with the
highest OSPF ID.
The BDR monitors the DR status. If the DR fails, the BDR takes the DR role.
Other routers form adjacencies only with the DR and BDR. The DR forwards the link state information from one
router to another. This simplifies the number of adjacencies required in multi-access networks.
DO NOT REPRINT
© FORTINET
OSPF Destination Addresses
• On broadcast networks, OSPF uses two multicast destination addresses
• 224.0.0.5 AllSPFRouters
• Hello packets
• Either the DR or BDR sends LSA updates and acknowledgements
• 224.0.0.6 AllDRouters
• All other routers send LSA updates and acknowledgements
• On point-to-point networks
• 224.0.0.5 AllSPFRouters
• Routers send all packets to this address
This slide shows the multicast addresses that OSPF uses in broadcast multi-access, and point-to-point networks.
Keep in mind that OSPF also uses unicast addresses for LSA retransmissions and database description packets.
DO NOT REPRINT
© FORTINET
LSA Types
• There are 11 LSA types. These are the five most common types:
• Type 1: Router link advertisement
• Describes the links of a router. Confined within an area.
• Type 2: Network link advertisement
• Describes all the routers (if more than one) in a multi-access network. Confined within an area.
• Type 3: Summary link advertisement
• Describes summarized networks within an area. Generated by an ABR.
• Type 4: AS summary link advertisement
• Describes the path to an ASBR router
• Type 5: AS external link advertisement
• Describes external destinations originated on an ASBR. Generated by the ASBR.
There are 11 LSA types. This lesson covers the following five most commonly used types:
• Type 1 describes all the links connected to a router.
• Type 2 describes all the routers (if more than one) in a multi-access network.
• Type 3 describes the networks within an area (only generated by an ABR).
• Type 4 describes the path to reach an ASBR.
• Type 5 describes the external destinations originated by an ASBR.
You will see examples of each of these five types in the next slides.
DO NOT REPRINT
© FORTINET
Router Link Advertisements (Type 1)
• Advertised by every OSPF router in an area
• Describe router network connections within that area
Area
0.0.0.0
Type 1 describes the networks connected to a router. They are advertised by all the routers in an area. Type 1
LSAs are not advertised outside the area where they originate.
DO NOT REPRINT
© FORTINET
Network Link Advertisements (Type 2)
• Advertised by every DR
• Contains the list of routers connected to a multi-access network
Area
0.0.0.0
DR
DR
Only DRs advertise Type 2 LSAs. In the example shown on this slide, the area has two multi-access networks,
each of them with one DR. The two DRs advertise type 2 LSAs, which contain information about the other routers
connected to their multi-access networks.
DO NOT REPRINT
© FORTINET
Summary Link Advertisements (Type 3)
• Generated only by ABRs
• Can be used to summarize networks
• One LSA can represent a range of networks
Summarized
Summarized Summarized Summarized
area 0 and 2
area 1 area 2 area 0 and 1
ABR ABR
Area Area
0.0.0.1 Area 0.0.0.2
0.0.0.0
Type 3 LSAs contain summarized link state information. They are advertised only by ABRs. In the example
shown on this slide, the ABR on the left sends type 3 LSAs to area 1. They contain link state information for the
summarized subnets in areas 0 and 2. This same ABR also sends type 3 LSAs to the backbone area, with a
summary of the subnets in area 1.
Something similar happens with the ABR shown on the right side of the diagram. It sends type 3 LSAs to area 2.
They contain link state information for the summarized subnets in areas 0 and 1. This same ABR also sends type
3 LSAs to the backbone area, with a summary of the subnets in area 2.
DO NOT REPRINT
© FORTINET
AS Summary Link Advertisements (Type 4)
• An ASBR announces itself by setting the E-bit in its router link advertisements
• The ABRs in the same area generate a type 4 advertisement to the other areas
Type 1 with
Type 4 E-bit
ABR ASBR
RIP
Area
0.0.0.1 Area
0.0.0.0
An ASBR advertises itself by sending type 1 LSAs. These LSAs have the E-bit on in the OSPF header. Like any
other type 1, the LSAs with the E-bit are confined to the area where they originate. However, ABRs in the same
area send a type 4 LSA to the other areas with information about how to reach the ASBR. In the example shown
on this slide, an ASBR that is redistributing RIP routes into OSPF announces itself by sending type 1 LSAs to the
backbone area. The ABR receives that LSA and sends a type 4 LSA to area 1.
DO NOT REPRINT
© FORTINET
AS External Link Advertisements (Type 5)
• OSPF views non-OSPF networks as external
• OSPF considers the following to be external:
• A directly connected interface not running OSPF
• A static route
• A route derived from a different routing protocol
Type 5 Type 5
ABR ASBR
RIP
Area
0.0.0.1 Area
0.0.0.0
The last type of LSA covered in this lesson is type 5. Type 5 LSAs are sent only by the ASBRs and are not
confined to one area. They reach all the standard areas. They contain link state information for routes
redistributed to OSPF (also called external routes).
Note that all the area examples in this lesson are standard areas. There are also stub and not-so-stubby areas
(NSSA), which are not covered in this lesson. Type 5 LSAs are not advertised to stub or NSSAs.
DO NOT REPRINT
© FORTINET
External Route Metrics Types
• Type 1
• Considered close to the AS
• Metric is based on the sum of the internal and external costs
• Type 2
• Considered far away from the AS
• Metric is based on the external cost only
• OSPF router prefers a type 1 external router over a type 2
Each external route is assigned a metric. There are two types of external-route metrics. A type 1 metric is the
sum of the external cost plus the internal cost to reach the ASBR. A type 2 metric is only the external cost (the
internal cost is not considered). If there are two external routes to the same destination, one type 1 and one type
2, an OSPF router selects the type 1 route over the type 2 route.
DO NOT REPRINT
© FORTINET
BGP Review
In this section, you will review BGP concepts and how to configure BGP on FortiGate.
DO NOT REPRINT
© FORTINET
Autonomous System
• Set of routers and networks under the same, consistent administration
• An AS administrator is free to choose any internal routing architecture
• OSPF, RIP, and so on
• Each AS is identified by a unique number
An autonomous system (AS) is a set of routers and networks under the same administration. Each AS is
identified by a unique number, and usually runs an Interior Gateway Protocol (IGP), such as OSPF or RIP.
DO NOT REPRINT
© FORTINET
BGP
• You can configure BGP to operate as EBGP or IBGP:
• EBGP advertises routing updates across multiple ASs
• IBGP advertises routing updates within the same AS
• BGP is typically used when the network requires:
• Large numbers of routes
• Strict control over which routes are announced or accepted
• BGP4 is the dominant EGP today
• Example: the internet
BGP can serve one of two purposes: external BGP (EBGP) or internal BGP (IBGP).
An exterior gateway protocol (EGP) exchanges routing information between ASs. BGP4, which runs in the
internet, is the dominant EGP protocol today. EBGP is typically used when strict control is required over a large
number of routes.
Two EBGP routers exchange AS path information for destination prefixes or subnets. When two routers start an
EBGP communication, the whole BGP routing table is exchanged. After that, the router send only network
updates.
DO NOT REPRINT
© FORTINET
BGP Components
• Speaker or peer
• Router that transmits and receives BGP messages, and acts on those messages
• Session
• Connectivity between two peers
A BGP speaker or peer is a router that sends and receives BGP routing information. The connection between two
BGP peers is called a BGP session.
DO NOT REPRINT
© FORTINET
AS Types
• Stub AS BGP is used to
communicate
• Single exit point routing updates
• Local traffic between AS
• Multihomed AS
• Multiple exit points
Provider B
• Local traffic AS 60
• Transit AS
Provider A
• Local and transit traffic AS 50
DO NOT REPRINT
© FORTINET
Route Reflectors
• Running IBGP usually requires full mesh peering
• Route reflectors (RRs) simplify the network and the configuration by:
• Reducing the number of IBGP peers
• Forwarding the routes learned from one peer to the other peers
RR 1 RR 2
When running IBGP, you usually need to configure full mesh peering between all the routers. In large networks,
full mesh peering between routers can be difficult to administer and is not scalable.
RRs help to reduce the number of IBGP sessions inside an AS. An RR forwards the routes learned from one peer
to the other peers. If you configure RRs, you don’t need to create a full mesh IBGP network. RRs pass the routing
updates to other RRs and border routers within the AS.
DO NOT REPRINT
© FORTINET
Route Reflectors (Contd)
• An RR and its clients form a cluster
• All clients in a cluster communicate with the RR only for routing updates
• The RR communicates all routing updates to peers external to the cluster
RR
Cluster 1 Cluster 2
AS 6500
Client router
In a BGP RR configuration, the AS is divided into different clusters that each include an RR and clients. The client
routers communicate route updates only to the RR in the cluster. The RR communicates with other RRs and
border routers. FortiGate can be configured as either an RR or a client.
DO NOT REPRINT
© FORTINET
RIBs
• Routes are stored in routing information bases (RIBs)
• RIB-in
• Routing information learned from inbound update messages
• Contains unprocessed routing information advertised to the local BGP speaker by its peers
• Local RIB
• Routing information that the BGP speaker selects after applying its local policies to the RIB-in
• RIB-out
• Routing information that the local BGP speaker selects to advertise to its peers
DO NOT REPRINT
© FORTINET
RIBs (Contd)
Redistribute
RIP OSPF
This slide shows a flowchart that summarizes the BGP process. The BGP router stores the BGP routes it
receives from other routers in the RIB-in table. The BGP router applies a filter, and the resulting routes are stored
in the local RIB table. Then, the BGP router adds routes that were redistributed from the routing table and applies
another filter (outbound). The BGP router advertises the resulting routes.
DO NOT REPRINT
© FORTINET
BGP Attributes
• BGP processes routes based on path information
• A path is a route to a destination
• Paths are described by a set of attributes, including an AS list
• The attributes help routers select the route to each destination
BGP routes traffic based on AS paths. Each AS path includes attributes, which BGP uses to select the best route
to each destination. One of the attributes is the AS_Path, which contains the ASs through which the traffic must
pass to reach the destination.
DO NOT REPRINT
© FORTINET
BGP Attributes (Contd)
• BGP path attribute categories
• Well-known mandatory
Supported attributes
• Attributes are mandatory
• Well-known discretionary ORIGIN Well-known mandatory
• Attributes may or may not be included AS_PATH Well-known mandatory
• Optional transitive NEXT_HOP Well-known mandatory
• Attributes may or may not be accepted and
can be passed outside of the local MULTI_EXIT_DISC Optional non-transitive
autonomous system LOCAL_PREF Well-known discretionary
• Optional non-transitive
ATOMIC_AGGREGATE Well-known discretionary
• Attributes may or may not be accepted and
can’t be passed outside of the local AGGREGATOR Optional transitive
autonomous system
COMMUNITY Optional transitive
This slide shows a list of the BGP attributes and attribute types that FortiGate supports.
DO NOT REPRINT
© FORTINET
Route Selection Tie Breakers
1. Highest weight
2. Highest local preference
3. Route originated by the local router (next hop = 0.0.0.0)
4. Shortest AS path
5. Lowest origin type
6. Lowest multi-exit discriminator (MED)
7. Prefer external paths (EBGP) over internal paths (IBGP)
8. Path through closest IGP neighbor
9. Oldest route for EGBP paths
10.Lowest neighbor BGP router ID
11.Lowest neighbor IP address
FortiGate uses some of the BGP attributes during the routing selection process. If all the attributes for multiple
routes to the same destination match, and if ECMP is enabled, FortiGate shares the traffic among up to 10 BGP
routes. If you don’t enable ECMP, FortiGate uses the route that goes to the router with the lowest BGP router ID.
DO NOT REPRINT
© FORTINET
BGP States
• Idle: Initial state Idle
• Connect: Waiting for a successful three-way start
TCP connection connect retry timeout
error
• Active: Unable to establish the TCP session Connect
TCP failure
TCP
• OpenSent: Waiting for an OPEN message Active established
from the peer
error
OpenSent
• OpenConfirm: Waiting for the keepalive TCP established
receive
message from the peer open reply
• Established: Peers have successfully error
OpenConfirm
exchanged OPEN and keepalive messages
receive
keepalive
error
Established
This slide shows a flow chart of the BGP neighbor states and how they change:
• Idle: Initial state
• Connect: Waiting for a successful three-way TCP connection
• Active: Unable to establish the TCP session
• OpenSent: Waiting for an OPEN message from the peer
• OpenConfirm: Waiting for the keepalive message from the peer
• Established: Peers have successfully exchanged OPEN and keepalive messages
DO NOT REPRINT
© FORTINET
FortiGate BGP Implementation
• Scaling capabilities
• No hard limits, system memory is the limitation
• Number of neighbors, routes, and policies have an impact on the scaling capabilities
• By default, BGP doesn’t originate any prefix
• Redistribution or policies are required
• By default, all routes received are accepted
There are three important things to consider when you implement BGP on FortiGate.
First, there are no hardcoded limits. Limitations on the number of neighbors, routes, and policies depend
exclusively on the available system memory.
Second, by default, FortiGate doesn’t originate any prefix. You must enable redistribution, or manually indicate
the prefixes that FortiGate originates.
Third, by default, FortiGate accepts all the prefixes it receives. Optionally, you can filter out or modify some
prefixes.
DO NOT REPRINT
© FORTINET
Protocol Redistribution
• A non-BGP route can be redistributed into BGP
• Optional route maps can filter out the redistribution of specific routes
# config router bgp
config redistribute "static"
set status enable
end
end
By default, FortiGate BGP doesn’t advertise prefixes. You can use the redistribution command to configure
FortiGate to advertise prefixes. You can redistribute connected and static routes, and routes learned from other
routing protocols, into BGP. Optionally, you can add route maps to filter the prefixes or modify some of their BGP
attributes.
DO NOT REPRINT
© FORTINET
Network Command
• An alternative to redistribution of protocols into BGP:
# config router bgp
config network
edit <id>
set prefix <prefix>
...
• By default, the prefix is advertised only when it matches the destination subnet of an
active route in the routing table
• To always advertise the prefix (regardless of the active routes):
# config router bgp
set network-import-check disable
end
You can also use the network command to configure FortiGate BGP to advertise prefixes. However, an exact
match of the prefix in the network command must be active in the routing table. If the routing table doesn’t
contain an active route with a destination subnet that matches the prefix, FortiGate doesn’t advertise the prefix.
You can change this behavior by disabling the network-import-check setting. After you disable the setting,
FortiGate advertises all prefixes in the BGP network table, regardless of the active routes present in the routing
table.
DO NOT REPRINT
© FORTINET
Prefix Lists
• Prefix lists can be used to filter out the subnets being advertised to and being received
from each neighbor
config router prefix-list
edit filter-subnets config router bgp
config rule config neighbor
edit 1 edit 10.3.1.254
set prefix 10.1.0.0/16 set prefix-list-in filter-subnets
set action deny next
next end
edit 2 end
set prefix 10.0.0.0/8
set action permit
next
end By default, traffic not
end matching the prefix list
end is denied
By default, the subnets under the config network command, and the subnets redistributed from other routing
protocols, are advertised to all the neighbors.
With a prefix list, you can be more selective about which prefixes to advertise to each neighbor. Additionally,
prefix lists allow you to select which prefixes you want to use from each neighbor. This example shows a prefix
list that allows the prefix 10.0.0.0/8, but blocks the prefix 10.1.0.0/16. By default, all traffic that does not
match a prefix list is denied. The prefix list is applied in the incoming direction from the neighbor 10.3.1.254.
The local FortiGate applies this filter for all prefix advertisements coming from 10.3.1.254.
When applying a prefix list, all the prefixes that don’t match an entry in the list are denied by default.
No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.