Friday, 27 January 2012

HPN: OSPF and MD5 error

After the upgrade to K.15.06.0008 there is now an OSPF error on the HPN switches when OSPF is enabled:

OSPF: RECV: Packet received on interface vl1 has its MD5 key expired: Extending life of last accepted key

After downgrading back to firmware K.15.06.0008 the errors are cleared.
HP Support knows about this issue and has reproduced it.

Configure a Fortigate Active-Passive Cluster

First step, on the master firewall:
Under System => Config => HA configure the Active-Passive mode. In the cluster settings you can set a group name and a password. In the port list you have to select the heartbeat interface. The heartbeat interface is the HA uplink.

Second step, on the backup firewall:
Make the same configuration on the backup firewall, but assign it a lower priority. Then switch off the slave firewall.

Third step:
Connect the HA ports with a cross-over cable and switch on the slave firewall. Now check the HA configuration on the firewall.

Information about the Heartbeat Interface from Fortinet:
The FGCP heartbeat operates on TCP port 702. The time interval between HA heartbeats is 200 ms. The IP address used for the HA heartbeat (10.0.0.1, 10.0.0.2 etc) is an independent IP address not assigned to any FortiGate interface. You can view HA heartbeat sessions from the web-based manager System > Status > Session page. HA heartbeat sessions appear as TCP sessions between the HA heartbeat interface IP addresses that use port 702 as the destination port.
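The three GUI steps above can also be applied from the CLI. The following is an added example written for this post, not configuration taken from Fortinet or from the original page; the group name, the password placeholder and the choice of port4 as heartbeat interface are assumptions, and lines starting with # are comments. Authentication and encryption of the heartbeat are switched on as well, because the heartbeat traffic described above otherwise carries cluster state in clear text between the HA ports.

```fortios
# Master firewall: higher priority wins the master election
config system ha
    set group-name "ha-cluster"
    set mode a-p
    set password <cluster-password>
    # heartbeat interface (assumed: port4) with heartbeat priority 50
    set hbdev "port4" 50
    set priority 200
    # protect the FGCP heartbeat on the HA link
    set authentication enable
    set encryption enable
end

# Backup firewall: identical settings, only the priority is lower
config system ha
    set group-name "ha-cluster"
    set mode a-p
    set password <cluster-password>
    set hbdev "port4" 50
    set priority 100
    set authentication enable
    set encryption enable
end
```

Group name, password and heartbeat interface must be identical on both units, otherwise the units never form a cluster; the priority is the only value that differs. After the cross-over cable is in place, "get system ha status" on either unit shows whether both members are present and which one is master.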

Fortigate config-save Timeout

With the following commands a FortiGate can revert to the previously saved configuration after a timeout. This is useful for a remote configuration change on the external interface, because a mistake that locks you out is undone automatically. The timeout value is given in seconds:
#config system global
#set cfg-save revert
#set cfg-revert-timeout <seconds>
#end

With this command you save the configuration in manual and in revert mode:
#exec cfg save

In manual and revert mode you can revert to the saved configuration with the following command:
#exec cfg reload

FortiOS v4.3.1 - IPSec VPN Problem with Interface Mode

After the update to FortiOS v4.3.1, "mode-cfg" is set to enable. After that, the interface-mode IPsec VPN no longer works.
In the release notes you can read the following:

Description: Option “mode-cfg” was turn on by default and thus can cause phase1 mismatch during tunnel initialization when interface mode IPSec Phase1 was configured via Web UI.
Bug ID: 146113

Workaround: Use the CLI command “config vpn ipsec phase1-interface>set mode-cfg disable” to disable it.

Status: To be fixed in a future release.

CLI (replace the placeholder with the name of the affected phase1 interface):
config vpn ipsec phase1-interface
  edit <phase1-name>
    set mode-cfg disable
  next
end

White List for the Fortigate webfilter

If you want to create a simple whitelist on a FortiGate with FortiOS V4.0 MR3, you can do the following. Under the menu UTM => Web Filter => URL Filter create a new list. I called this list "White List". You can add new URLs to this list. To allow a URL you have to set the action to Exempt. Add all the URLs you want to reach even if they are blocked by a category.

Now you can add the "White List" to a Web Filter Profile.

Under Profile choose your Web Filter Profile and add the filter to the list. In the profile overview the URL list is shown below the blocking categories. This doesn't matter, because the firewall checks the URL list before it checks the category list. Consequently the URLs in the URL list are always allowed.
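The same whitelist can be built from the CLI. The following is an added example for this post, not configuration from the original page or from Fortinet; the list ID 1, the domain example.com, the profile name "default" and the urlfilter-table keyword under "config web" are assumptions about the FortiOS 4.0 MR3 CLI, and lines starting with # are comments. Note that exempt bypasses all further web filtering for that URL, so the list should only contain hosts you actually trust, and "simple" entries match the host and its subpaths, not the whole second-level domain.

```fortios
# URL filter list that acts as the whitelist
config webfilter urlfilter
    edit 1
        set name "White List"
        config entries
            edit 1
                # assumed example host; matched as a plain string, no wildcard
                set url "example.com"
                set type simple
                # exempt: skip category blocking for this host
                set action exempt
            next
        end
    next
end

# attach the list to the web filter profile used by the firewall policy
config webfilter profile
    edit "default"
        config web
            set urlfilter-table 1
        end
    next
end
```

Because the URL filter is evaluated before the FortiGuard category check, an entry with action exempt wins over a blocking category, which is exactly the behaviour described for the GUI above; use action allow instead of exempt if the host should still be scanned by the remaining UTM features.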