Deprecated: Hook custom_css_loaded is deprecated since version jetpack-13.5! Use WordPress Custom CSS instead. Jetpack no longer supports Custom CSS. Read the WordPress.org documentation to learn how to apply custom styles to your site: https://wordpress.org/documentation/article/styles-overview/#applying-custom-css in /srv/www/srvfail.com/public_html/wp-includes/functions.php on line 6078
FortiGate Archives ⋆ SysAdminStuff

How to make port forwarding or Static NAT on Fortigate

This is a repost of a post from an old blog, made on December 28, 2011, that used to be on:

http://adminramble.com/fortigate-port-forwarding/

Original post:

On FortiGate devices Static NAT or Port Forwarding is made through the Virtual IP feature.

To map a port on an outside address to a internal ip you need to do two things:

  • Create a Virtual IP entry
  • Create a firewall policy for the virtual ip to allow traffic inside the network
HOW TO CREATE A VIRTUAL IP ENTRY THROUGH WEB INTERFACE ON FORTIGATE:
  • Go to Firewall > Virtual IP > Virtual IP
  • Click on Create New and make a new vip e.g. 10.10.10.10_rdp
  • select external interface on which you will be receiving traffic, e.g. wan1
  • if not set, set type to Static NAT, and put an external address (you can either put one of the public addresses you have by you ISP or, if you have dynamic or a single IP address, you can leave 0.0.0.0 as external address)
  • set mapped ip address, in this case it’s 10.10.10.10, and tick port forwarding
  • select TCP and on external service port put the port on which you are listening, e.g. 3389 for Remote Desktop access
  • on Map to Port put the service port on the inside address, e.g. 3389 if you’re using standard RDP access, and press OK to make the Virtual IP
HOW TO CREATE FIREWALL POLICY FOR VIRTUAL IP ON FORTIGATE:
  • Go to Firewall > Policy > Policy and select Create New
  • Set Source Interface/Zone to listening interface, e.g. wan1
  • set source address to all, and Destination interface to interface connected to the mapped ip network, e.g. internal
  • set destination address to the Virtual IP name, e.g. 10.10.10.10_rdp
  • leave schedule always (unless you only wanted to be accessible at certain times), service ANY and action ACCEPT
  • click OK to make the firewall policy

Some FortiGate commands you might need

This is a repost of a post from an old blog, made on December 27, 2011, that used to be on:

http://adminramble.com/fortigate-useful-commands/

Original post:

I been using FortiGate devices for a few months now, and I have mostly been doing the administration through the web interface, but even that will require you to do some stuff through CLI.

Here are some of the commands you might need.

(If you don’t have a CLI on your dashboard, you can add it by clicking on plus sign on a Widget button on top of your dashboard and selecting a CLI Console from it.)

To execute all of this commands you need to click with your mouse inside the CLI Console widget so you can type in it.

 HOW TO PING OR TRACEROUTE AN ADRESS FROM A FORTIGATE UNIT:
  • type “execute ping” or “execute traceroute” followed by an address you want to ping e.g.“execute ping 10.10.10.10″
HOW TO SHUTDOWN OR REBOOT A FORTIGATE UNIT FROM A CLI:
  • type “execute shutdown” or “execute reboot”
HOW TO CHANGE AN ADMIN USER PASSWORD:
  • type “config system admin”
  • type “edit” followed by a user you want to reset the password for, e.g. “edit Joe”
  • type “set password” followed by a new password, e.g. “set password NewPass1
  • type “end” to finish the procedure
HOW TO RESET A LOST PASSWORD ON A FORTIGATE UNIT:
  • start some terminal emulator and connect to the device using a a console cable. Depending on which device you use it will be a RJ-45 to Serial or Serial to Serial cable
  • Reboot the device and immediately it starts up login with user “maintainer” and password “bcpb%deviceserialnumber%” e.g. “bcpbFGT60C1A01102345″ (This should be done inside 14 seconds i think, i took me a few tries before i managed to do it, also the serial number is case sensitive)
  • change the user password as described above
    config system admin
    edit %user%
    set password %password%
    end
HOW TO RESET FORTIGATE TO FACTORY DEFAULTS:
  • type “execute factoryreset”

FortiGate and iPad dial-up VPN IPsec phase 2 error: no matching gateway for new request

This is a repost of a post from an old blog, made on July 12, 2012, that used to be on:

http://wp.me/p25nt4-6A

http://adminramble.com/fortigate-ipad-dial-up-vpn-ipsec-phase-2-error-matching-gateway-request/

Original post:

I was asked at work to connect the iPad of one of the employees to our company VPN on FortiGate and it took me some time to set it up right.

I was always getting “The VPN server did not respond” message on the iPad when trying to connect to the IPsec VPN. At the same time the log on the FortiGate would get IPsec phase 2 error messages with negotiate_error as Status and “no matching gateway for new request” as error reason.

After some searching on Google it turned out to be the problem with the peer ID settings on FortiGate and Group Name settings on iPad, they were not matched.

The group name on the iPad must match the peer ID on FortiGate, In my case that meant that my group name on iPad had to be the same as the username, because on Fortigate I had set the IPsec Phase 1 to accept peer ID from the dialup group.

So if you are having problems with setting the IPsec VPN between iPad or iPhone and FortiGate, and are having the same errors as me try one of these as solution:

  • either change your Phase 1 so it accepts any peer ID
  • either change your iPad group name in IPsec config to match the username you are using, if your Fortigate is set to accept peer ID in dialup group
  • either set Phase 1 on Fortigate to accept specific peer ID, for example “ipad” and set that as the group name on you iPad

Here is a Fortinet article on setting the iPhone and iPad Dialup User IPSec VPN

Common FortiClient SSL VPN errors

This is a repost of a post from an old blog, made on July 13, 2012, that used to be on:

http://wp.me/p25nt4-71

http://adminramble.com/common-forticlient-ssl-vpn-errors/

Original post:

I see from the stats that one of the posts with the most visits is the one about the FortiClient SSL VPN error “the vpn server may be unreachable. (-5)” so i decided to add another post describing some of the most common errors that may come up when connecting to FortiGate with SSL VPN.

  1. Connecting process stops at 10, error “Unable to establish the VPN connection. The VPN server may be unreachable.”

    This is most commonly caused by, either the firewall blocking any kind of traffic towards the VPN server IP address or the FortiClient application itself by the firewall on the host or on the network, or either by routing errors towards the IP address of the VPN server.
    The problem can usually be solved by adjusting the host or network firewall rules on the client side.
    Sometimes in rare cases I have found the problem is caused by error on the FortiGate device, in this case no one is able to connect to the VPN neither using SSL VPN or IPsec but the internal networks can go to all local networks and the external internet connection. In that case a simple reboot of the device solves the problem.
  2. Connecting process stops at 80, error “Unable to logon to the server. Your username or password may not be configured properly for this connection. (-12)”

    As the error states itself the most common problem is that either the username or the password isn’t matching the one of the device.
    Other problems might be:
    – the user is not in the correct user group that has VPN access (either the local firewall group or the LDAP server group if you’re using one)
    – there isn’t a corresponding firewall policy rule that allows access for the user group to any of the internal networks. You need to have the rule from the wan interface to one of the internal interfaces with action SSL-VPN and select the group of users which will have access, check if your user is in correct group.
    – you might be trying to connect to VPN from the wrong side of the interface (from one of your internal networks or from the network of one of the sites you already have a site to site connection.
    – UPDATE: Special characters are being used in the password. (See this serverfault thread)
  3. Connecting process stops at 40, error “Unable to establish the VPN connection. The VPN server may be unreachable -5”

    As you can see in one of my earlier posts “the vpn server may be unreachable. (-5)”,  the problem can sometimes be caused by some sort of VNC server on the machine.
    Other possible problems can be:
    – the firewall rules on local machine, or on the network gateway ( I have rarely found      this to be the problem with this error)
    – problems with the FortiGate device, in most of the time the device would be the problem and the problem would go away after the reboot of the FortiGate device, but would come again after the few days. In this case the problem would most of the time be with the extensive logging of the traffic and the events on the device. So try to remove  traffic logging on some of the rules or events.

How to setup FortiGate to use 3G USB mobile internet modem as the WAN connection

This is a repost of a post from an old blog, made on August 10, 2012, that used to be on:

http://wp.me/p25nt4-8d

http://adminramble.com/setup-fortigate-3g-usb-mobile-internet-modem-wan-connection/

Original post

I was setting up a FortiGate device today to use a 3G modem as an Internet connection instead of a standard WAN interface so here is a little tutorial how to do it.

I was using:

  • FortiGate 50B device with FortiOS v4.0,build0320,110419 (MR2 Patch 6)
  • Huawei Mobile Connect E169 HSDPA USB stick with a SIM card for a Vodafone Mobile Connect services

Configuration steps:

  • connect the modem in the USB port on the FortiGate device and enable the modem with the following command:
    config system modem
        set status enable
    end
  • Detect the custom vendor and product ID of the USB modem with the following command:
    diagnose sys modem wireless-id

    you should get something like this:
    vendor: 0x12d1, product: 0x1003, registered: yes

    0x12d1 is the vendor ID for the Huawei, and 0x1003 is the product ID for Huawei E169, for Huawei E367a the product ID should be 0x1446 and for Huawei E367b 0x1506

  • Configure your modem interface with the following commands:
    config system modem
        set status enable
        set pin-init "at+cpin=YOUR_SIM_CARD_PIN#"
        set auto-dial enable
        set wireless-custom-vendor-id 0x12d1 (HUAWEI ID)
        set wireless-custom-product-id 0x1003 (E169 ID)
        set phone1 "*99***1#"(VODAFONE NUMBER)
        set extra-init1 "at+cgdcont=1,\"ip\",\"data.vip.hr(YOUR APN)\""
    end
  • Dial the modem with:
    execute modem dial

If you are using the web interface of your FortiGate device, when you enable the modem interface you will get Modem option under System > Network section on the left side menu. You can set up some of the options, like phone or Extra Initialization String there too. Also you can condial or hang-up your 3g connection from there too.

These are the pages I referenced when I was setting up my modem connection: