A FortiGate HA cluster can have a firmware upgrade applied in much the same way as a single standalone FortiGate. To upgrade the firmware in a FortiGate HA cluster, download the firmware image you wish to apply, log into the FortiGate and navigate to the System Information section of the Dashboard. The System Information window shows the current firmware version; next to it, click Upgrade, select the downloaded firmware image and click OK.
We’ve had an issue for the past couple of weeks logged with the Fortinet support desk for a FortiGate 40C locking up and requiring a restart daily. This router was running 4.0 MR3 Patch 6. Even trying to schedule a daily restart didn’t help, as the router locked up each day before 24 hours had passed.
One of my colleagues got me to look at an issue he was having today with a FortiGate reverting to Standalone mode when configuring HA (High Availability) clustering in the GUI. He had checked the usual requirements – same firmware, same VDOM mode etc.
The first thing I did was try to configure this via the CLI using:
config system ha
    set mode a-p
That was when I noticed the set mode command was missing from the CLI.
It was then that I recalled that this normally happens when an interface is configured for PPPoE or DHCP. For a FortiGate to participate in HA, every interface must have static (manually configured) IP addressing. Sure enough, dmz2, an unused interface, was configured for DHCP. Setting it to manual addressing and leaving the IP address of 0.0.0.0 on the interface then allowed us to finalise the HA configuration in the GUI.
Setting the timezone on a FortiGate router is important for correct NTP operation and is critical if you schedule a daily reboot of your FortiGate. It can be set in the System Information section of the dashboard, or in the CLI. An example of setting the timezone via the CLI for New Zealand is below:
config system global
    set timezone 71
end
To do this you will need to know your timezone code and substitute it for 71 in the example above. A list of the FortiGate timezone codes in use on 4.0 MR3 patch 5 is below:
I ran into an issue recently whereby a bug in the firmware for a FortiGate 50B caused the router to enter conserve mode after an uptime of more than 6-7 days. We’ve since updated to MR3 patch 5 and have found the memory leak has been resolved. Below is the command that can be used to schedule a daily restart of a FortiGate router:
Configuring SSL-VPN tunnel mode on Fortinet routers is relatively straightforward and comprises four main steps:
- Configuring the SSL-VPN settings
- Configuring a firewall policy
- Configuring a static route for the SSL-VPN range
This guide is applicable to FortiOS 4.0 MR3 patch 5.
The best way to avoid a FortiGate bricking itself after an update is to completely clear the unit before upgrading and then upgrade it from scratch.
From around FortiOS 4.0 MR3, Fortinet changed the way their units:
- Store the firmware image
- Store dynamic data (e.g. DHCP Leases, Logs)
- Store the bootloader
As a result, a GUI firmware upgrade from an earlier firmware version to the current MR3 patch level leaves a unit with a very high chance of failing during future remote firmware updates. Following the procedure below ensures that all three of these are brought up to date.
Today I implemented a firewall policy using the recently added Fortinet geography filtering.
For those who haven’t used this, you can specify the source or destination address as a geographic region rather than as an IP address or domain name. You can then apply policies to that geographic region to block traffic, or to allow access only from that region.
In my case this was a policy that allowed all New Zealand IP addresses to access a service on a client site – the problem was that this didn’t work from our offices, which have a NZ IP address, but worked from everywhere else in NZ. The following handy command saved the day: