Out of morbid curiosity (and lack of IPv4 public address space available to me), I decided I wanted to enable IPv6 in my lab. However, before taking the plunge there, I would try it out on my residential ADSL line, I use the same brand of firewall there as in my lab so the experience […]
Setting up Duo 2FA for Fortigate admin authentication
I protect any account I have with two-factor auth, at least the ones that support it (this site, for example, has 2FA for admin logon); it’s not that inconvenient (especially not with Authy/Duo) and greatly increases the security of your critical accounts. Let’s start with the endgame: However, I haven’t protected my publicly accessible firewall […]
Specifying outbound NAT address for policy on a Fortigate
Sometimes you need your devices (say an SMTP server) to have a specific outbound public IP for things like reverse-DNS look-ups to ensure mail delivery and reputation, or maybe you want traffic from particular devices or policies to go out via a particular IP for tracking purposes. It is not immediately obvious on Fortigates how to […]
Fortigate Unnumbered IP against PPPoE Interface
Ran into some very strange behaviour on a BT Business Fibre connection with PPPoE and static IPs assigned by the ISP on a Fortigate firewall. A site-to-site IPSec VPN was required; however, the tunnel kept terminating, as BT assign a dynamic address with the PPPoE connection and the static IPs are typically ingested through the […]
Fortigate High Availability – Active/Active – Part 2 – Implementation
In Part 1 we got the prerequisites sorted out for the HA (removed all PPPoE or DHCP address assignment from the FG boxes and VLANed a switch to split the inputs between both boxes). Part 2 is considerably easier: the cabling had been done for the VLANs, now we had to designate 2x ports as […]
Fortigate High Availability – Active/Active – Part 1 – Preparation
I recently set up 2x Fortigate 200B units to run in HA Active/Active mode; this posed a number of challenges: HA doesn’t work if any interfaces use PPPoE or have an address assigned via DHCP. How do I effectively split our network communications between both units? Challenge 1: The main problem was that both the […]
Changing Fortigate from Switch mode to Interface mode
Fortigate units (the big ones at least) come configured in what is called “switch mode”, meaning it groups a number of interfaces together and makes them act as a switch, serves DHCP over these interfaces, etc. Most companies don’t like to use this – instead, if we want to up our throughput for a given […]
Enabling disk logging on Fortigates
Fortigate’s logging typically isn’t the best – but it’s bad when you have no logs at all, which seems to be the default. To enable logging
Syslogd on FortiOS 5.0.4
Again, Fortigate’s documentation falls down at the simplest of things, this time syslogging – to get your Fortigate to log to a syslog server (like Kiwi/Splunk) you’ll need to go in via the CLI, as they have removed this option from the GUI as of FortiOS v5.0. Log in via shell and enter the following: config […]
Change MTU to support Jumbo Frames in FortiOS
This info is quite hard to come across and Fortigate doesn’t have it in the GUI from FortiOS v5.0+. SSH into your Fortigate’s CLI and enter the following (it can be done on both software-aggregated and standard interfaces): config system interface edit [interfacename] set mtu-override enable set mtu 9208 end end Confirm your MTU […]