Upgrade firmware in a FortiGate HA Cluster

A FortiGate cluster takes a firmware upgrade in much the same way as a single standalone FortiGate. Download the firmware image you want to apply, log in to the cluster (the management address connects you to the primary unit) and open the System Information section of the Dashboard. Next to the Firmware version, click Upgrade, select the downloaded image and click OK; the primary unit distributes the image to the other cluster members. Before you start, note the current build from the same panel and take a configuration backup so you can roll back if the upgrade misbehaves.
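The same upgrade driven from the CLI, with the checks a practitioner would run before and after it. This is an added example and not the post's own procedure; the TFTP server 192.0.2.10, the backup filename and the image filename are assumptions.

```fortios
# Added example (not from the original post). 192.0.2.10, the backup filename and
# the image filename FGT_50B-v400-buildXXXX-FORTINET.out are placeholders.

# 1. Confirm both members run the same build and the cluster is healthy before touching it.
get system status          # Version / build of the unit you are logged in to (the primary)
get system ha status       # both members should be listed with the cluster in sync

# 2. Back up the running configuration off-box; an upgrade you cannot roll back is a risk.
execute backup config tftp fgt-cluster-before-upgrade.conf 192.0.2.10

# 3. Push the image from the primary. The cluster distributes it to the other member(s):
#    subordinate units upgrade and reboot first, then the primary, so a brief failover occurs.
execute restore image tftp FGT_50B-v400-buildXXXX-FORTINET.out 192.0.2.10

# 4. After the reboots, confirm every member reports the new build and the cluster re-formed.
get system status
get system ha status
diagnose sys ha showcsum   # configuration checksums should match across members
                           # (later FortiOS releases use: diagnose sys ha checksum cluster)
```

If the checksums differ after the upgrade, the members are not running the same configuration and the subordinate unit may fail over with a stale policy set; resolve that before leaving the cluster unattended.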


FortiGate reverting to Standalone mode when configuring HA

One of my colleagues got me to look at an issue he was having today with a FortiGate reverting to Standalone mode when configuring HA (High Availability) clustering in the GUI. He had checked the usual requirements – same firmware, same VDOM mode etc.

First thing I did was try to configure this via the CLI using:

config system ha
set mode a-p
end

That was when I noticed the set mode command was missing from the CLI.

It was then that I recalled that this normally happens when an interface is configured for PPPoE or DHCP. For a FortiGate to participate in HA, every interface must use static (manually configured) IP addressing; while any interface runs a DHCP or PPPoE client, the HA mode setting is not offered. Sure enough, dmz2, an unused interface, was configured for DHCP. Setting it to manual and leaving the IP of 0.0.0.0 on the interface then allowed us to finalise the HA configuration in the GUI.
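The fix above, done entirely from the CLI, starting with a check that finds every interface still using an address client. This is an added example rather than the commands the post ran; the interface name dmz2 comes from the post, while the HA group name, shared secret, heartbeat interface and priority are assumptions.

```fortios
# Added example (not from the original post). Group name, password, hbdev and
# priority below are placeholders chosen for illustration.

# Find any interface still on an address client. FortiOS grep with -f prints the
# whole configuration block that contains the match, so you see the interface name.
show system interface | grep -f "mode dhcp"
show system interface | grep -f "mode pppoe"

# Put the offending interface back on static addressing. An unused interface can
# keep 0.0.0.0 as its address; it only needs to stop being a DHCP/PPPoE client.
config system interface
    edit "dmz2"
        set mode static
        set ip 0.0.0.0 0.0.0.0
    next
end

# With no DHCP or PPPoE interfaces left, 'set mode' is available again under
# 'config system ha' and the cluster can be formed.
config system ha
    set mode a-p
    set group-name "fgt-cluster"
    set password "replace-with-a-strong-shared-secret"
    set hbdev "port5" 50
    set priority 200
end

# Confirm the unit has joined a cluster rather than silently staying standalone.
get system ha status
```

Repeat the interface check on the second unit before configuring HA on it; a single DHCP-mode interface on either member is enough to keep that member in standalone mode.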


Setting the timezone on a Fortigate router

Setting the timezone on a FortiGate router matters because NTP sets the clock in UTC and the timezone decides the local time shown in logs and used by schedules, so it is critical if you schedule a daily reboot of the router. It can be set in the System Information section of the dashboard, or in the CLI. An example of setting the timezone via the CLI for New Zealand is below:

config system global
 set timezone 71
end
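The timezone setting together with NTP synchronisation and the commands that verify the result. This is an added example, not configuration from the original post; timezone code 71 (New Zealand) is the post's value and the 60-second sync interval is an assumption.

```fortios
# Added example (not from the original post). Timezone 71 is New Zealand, as in
# the post; the sync interval is an arbitrary choice.
config system global
    set timezone 71
end

# NTP keeps the clock correct in UTC; the timezone above decides how that is
# rendered as local time in logs, schedules and the daily restart time.
config system ntp
    set ntpsync enable
    set syncinterval 60
end

# Verify: date and time should show New Zealand local time once NTP has synced,
# and the NTP status should report a successful sync rather than a failed one.
execute date
execute time
diagnose sys ntp status
```

Check the verification output after the change rather than trusting the configuration alone: a unit whose NTP traffic is blocked keeps the timezone you set but drifts from the true time, and a scheduled reboot then fires at the wrong moment.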

To do this you need to know your timezone code and substitute it for 71 in the example above. A list of the FortiGate timezone codes in use on 4.0 MR3 patch 5 is below:

Schedule a daily restart of a Fortigate router

I ran into an issue recently whereby a bug in the firmware for a Fortigate 50B caused the router to enter conserve mode after an uptime of more than 6-7 days. We’ve since updated to MR3 patch 5 and have found the memory leak has been resolved. Below is the command that can be used to schedule a daily restart of a Fortigate router:

Avoid Fortinet bricking itself after an update

The best way to avoid a FortiGate bricking itself after an update is to completely clear the unit before upgrading and install the new firmware from scratch, rather than layering the new image over the old installation.

From around FortiOS 4.0 MR3, Fortinet changed the way their units:

  • Store the firmware image
  • Store dynamic data (e.g. DHCP Leases, Logs)
  • Store the bootloader

As a result, a unit brought from an earlier firmware version up to the current MR3 patch level through the GUI has a very high chance of failing a later remote firmware update. The procedure below ensures that all three of these are brought up to date. Because a failed remote upgrade can leave the unit unreachable over the network, keep console access available whenever you upgrade a unit remotely.

Fortinet Geography Filtering

Today I implemented a Firewall policy using the recently added Fortinet geography filtering.


For those who haven't used it, you can specify the source or destination address of a policy as a geographic region rather than an IP address or domain name, and then write policies against that region to block its traffic or to allow access only from it.

In my case this was a policy that allowed all New Zealand IP addresses to access a service on a client site. The problem was that it didn't work from our offices, which have an NZ IP address, but worked from everywhere else in NZ. The following handy command saved the day:
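A geography address object and the policy that uses it, as the kind of "allow only New Zealand" rule described above. This is an added example and not the command the post goes on to describe; the object names, interface names, the server address 203.0.113.10 and the HTTPS service are assumptions.

```fortios
# Added example (not from the original post). Names, interfaces, the server
# address and the service are placeholders.

# A geography address matches any source whose IP the unit's geo database maps
# to the given ISO country code.
config firewall address
    edit "geo-NZ"
        set type geography
        set country "NZ"
    next
    edit "client-web-server"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Policy allowing only sources the database places in NZ to reach the server.
# 'edit 0' lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "geo-NZ"
        set dstaddr "client-web-server"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

The match is only as good as the geo database on the unit: a source whose prefix was assigned to an NZ operator after that database was built is not in NZ as far as the policy is concerned, so a geography rule needs the same periodic-update attention as signature databases do.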