Thursday, May 14, 2009

Fortigate and SNMP graphs are broken

For some time I have suspected that Fortigate firewalls do not return the right SNMP values for traffic statistics on VLAN interfaces.


I asked Fortinet support. This is the answer I got:

This is actually due to NP2-accelerated traffic. Only part of this traffic is seen by the main CPU (mainly the first and last packets of the session), and therefore traffic statistics for VLAN interfaces can only report those packets which are seen by the main CPU.

Statistics on physical ports and aggregate ports are collected correctly because these are low-level statistics. Many VLAN interfaces can be bound to the same physical or aggregate port, so dispatching traffic statistics between these VLANs can only be done if the traffic goes through the main CPU.

FortiOS allows NP2 acceleration to be disabled (for test purposes). As soon as NP2 acceleration is disabled, the statistics on VLAN interfaces are consistent with the actual traffic.

There is no way to collect these statistics from the NP2. It can't be fixed.

My question is: why support SNMP when it is broken?
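The undercounting described above can be detected from the SNMP data itself, because the physical or aggregate port counters are still right. The script below is an added example, not code from the original post or from Fortinet: it turns two polls of ifInOctets (32-bit) or ifHCInOctets (64-bit) into byte rates with counter-wrap handling, then compares the sum of the VLAN sub-interface rates with the parent port. The poll values are constructed for the example, not taken from a real device, and the 20% tolerance is an assumption.

```python
"""Sanity-check FortiGate VLAN octet counters against the parent port.

Added example, not code from the original post or from Fortinet. It
assumes the situation the post describes: physical/aggregate port
counters are right, while VLAN sub-interface counters only see the
packets that reach the main CPU. Sample values below are constructed.
"""

COUNTER32 = 2 ** 32   # ifInOctets / ifOutOctets width
COUNTER64 = 2 ** 64   # ifHCInOctets / ifHCOutOctets width


def counter_delta(prev, cur, width=COUNTER32):
    """Difference between two polls, allowing for a single counter wrap.

    A counter that wraps more than once between polls cannot be recovered;
    poll often enough, or use the 64-bit HC counters, so that cannot happen.
    """
    if not 0 <= prev < width or not 0 <= cur < width:
        raise ValueError("counter value outside the counter width")
    if cur >= prev:
        return cur - prev
    return cur + width - prev


def bits_per_second(prev, cur, interval_s, width=COUNTER32):
    """Average bit rate over the polling interval."""
    return counter_delta(prev, cur, width) * 8 / interval_s


def vlan_accounting(parent, vlans, interval_s, width=COUNTER32, tolerance=0.2):
    """Compare the parent port rate with the sum of its VLAN sub-interface rates.

    parent: (prev, cur) octet counters of the physical/aggregate port.
    vlans:  {name: (prev, cur)} for every VLAN bound to that port.
    'suspect' is set when the VLANs account for less than (1 - tolerance)
    of the parent traffic, the symptom of accelerated sessions that
    never reach the CPU. The tolerance value is an assumption.
    """
    parent_bps = bits_per_second(parent[0], parent[1], interval_s, width)
    vlan_bps = {name: bits_per_second(p, c, interval_s, width)
                for name, (p, c) in vlans.items()}
    total = sum(vlan_bps.values())
    ratio = total / parent_bps if parent_bps else 1.0
    return {
        "parent_bps": parent_bps,
        "vlan_bps": vlan_bps,
        "ratio": ratio,
        "suspect": ratio < 1.0 - tolerance,
    }


# Constructed sample: two polls 300 s apart. port1 wrapped its 32-bit
# ifInOctets between the polls; the VLANs bound to it show only a fraction.
SAMPLE_PARENT = (4_000_000_000, 1_000_000_000)
SAMPLE_VLANS = {
    "vlan10": (100_000_000, 150_000_000),
    "vlan20": (0, 20_000_000),
}


if __name__ == "__main__":
    result = vlan_accounting(SAMPLE_PARENT, SAMPLE_VLANS, 300)
    print("port1: %.0f bit/s" % result["parent_bps"])
    for name, bps in result["vlan_bps"].items():
        print("%s: %.0f bit/s" % (name, bps))
    print("VLANs account for %.1f%% of parent traffic" % (100 * result["ratio"]))
    if result["suspect"]:
        print("VLAN counters look undercounted; trust the parent port graphs")
```

Run against real polls, a ratio that stays near 1.0 when NP2 acceleration is disabled and collapses when it is enabled confirms the support answer; for graphing and for anything that depends on per-VLAN volume, the physical or aggregate port counters are the ones to use.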


Monday, April 27, 2009

What's new in FortiOS 4.0

Fortinet just announced their new FortiOS 4.0. Some of the features seem very promising.


The first thing I noticed is that not all devices can run FortiOS 4.0. If you have an old firewall (probably an FG60) you need to upgrade the hardware before you upgrade the software. This basically means that you will have to buy a new firewall.

There are also some new features that will require a firewall upgrade, and a hard drive.

Here is the good news:

  • For the source and destination interface and zone you now have an "any" option. Using it, a rule can apply to all your interfaces or zones.
  • DoS rules are added outside of the IPS engine.
  • Traffic shaping policy has moved outside the firewall policy. This is good, as you can now apply a maximum for all traffic (sessions) on a shaper, like limiting SMTP to a maximum of 200kB. In previous versions the shaper limited each session to 200kB.
  • HTTP proxy. Probably useless if you do not have a hard drive in your firewall.
  • The virtual server concept is improved, with better checks of available servers and limiting of concurrent sessions.
  • The SSL VPN is improved, with customized portals.
  • WAN optimization. This is only for a few firewalls, but when it works it competes with Riverbed (read my review here).
  • Data leak prevention. These are statically configured rules that block [IM, HTTP, FTP, NNTP] traffic if it matches something static.
  • Application control. I have still not found its purpose...
  • Extended AV database. It is probably better than the normal AV database...
  • On the protection profile you can now add more ports for a given protocol. Data leak prevention policies are also configured here.

And the bad news:

  • PPTP VPN is removed.
  • Dynamic routing for IPv6 is still not implemented. (At least in the GUI.)
  • Some VPN monitoring tools have moved. You will have to learn again where to find them. Hint: User\Monitor from the context menu.


Wednesday, February 25, 2009

FortiOS 4.0

Finally a new main version of FortiOS has arrived.


Saturday, November 22, 2008

Fortigate HA error codes

Have you ever had problems when syncing HA configuration? And have you ever had trouble understanding what is wrong?

This article from the Fortinet knowledge base tells you what these codes mean!


Friday, June 27, 2008

OIDs for Fortigate firewalls

Fortinet firewalls can be monitored using any SNMP-capable tool. You can look at CPU usage, memory usage, number of sessions, utilization on interfaces and so forth.

But it is not always easy to know how to do this. I needed to monitor CPU, memory and number of sessions on a firewall. Here are the OIDs to do so. Tested on FortiOS 3.0.

  • CPU load: 1.3.6.1.4.1.12356.1.8.0
  • Memory usage: 1.3.6.1.4.1.12356.1.9.0
  • Number of current sessions: 1.3.6.1.4.1.12356.1.10.0

These values can be added directly to SNMP tools such as PRTG and MRTG.
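If you would rather check these values from a script than from PRTG or MRTG, the following added example (not code from the original post, from PRTG/MRTG or from Fortinet) fetches the three OIDs above with net-snmp and raises alarms when they pass a threshold. It assumes the numeric output format of `snmpget -On`, such as `.1.3.6.1.4.1.12356.1.8.0 = INTEGER: 93`; the sample output and the threshold values are constructed for the example and should be tuned from your own baselines.

```python
"""Fetch the FortiOS 3.0 system OIDs from the post and check thresholds.

Added example, not code from the original post, from PRTG/MRTG or from
Fortinet. Assumes net-snmp and the numeric "-On" output form. The sample
output and the thresholds are constructed assumptions; the OIDs are the
three listed in the post.
"""
import re
import subprocess

# OIDs from the post (FortiOS 3.0)
FORTIGATE_OIDS = {
    "1.3.6.1.4.1.12356.1.8.0": "cpu_load",       # percent
    "1.3.6.1.4.1.12356.1.9.0": "memory_usage",   # percent
    "1.3.6.1.4.1.12356.1.10.0": "sessions",      # current session count
}

# Assumed alarm thresholds; pick your own from normal baselines.
THRESHOLDS = {"cpu_load": 90, "memory_usage": 85, "sessions": 50_000}

# Matches net-snmp "-On" output: ".<oid> = <TYPE>: <value>"
LINE_RE = re.compile(
    r"^\.?(?P<oid>[0-9.]+)\s*=\s*(?P<type>[A-Za-z0-9]+):\s*(?P<value>.+)$")


def snmpget_command(host, community, oids=FORTIGATE_OIDS):
    """argv for net-snmp snmpget, fetching all OIDs in one request."""
    return ["snmpget", "-v2c", "-c", community, "-On", host] + list(oids)


def parse_snmpget(output, oids=FORTIGATE_OIDS):
    """Map snmpget output lines to {metric_name: int}; unknown OIDs are ignored."""
    metrics = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name = oids.get(m.group("oid"))
        if name is None:
            continue
        if m.group("type") in ("INTEGER", "Gauge32", "Counter32", "Counter64"):
            metrics[name] = int(m.group("value").strip())
    return metrics


def over_threshold(metrics, thresholds=THRESHOLDS):
    """Metrics whose value exceeds their threshold."""
    return {k: v for k, v in metrics.items()
            if k in thresholds and v > thresholds[k]}


def poll(host, community):
    """Run snmpget against a live firewall and return the parsed metrics."""
    out = subprocess.run(snmpget_command(host, community),
                         capture_output=True, text=True, check=True).stdout
    return parse_snmpget(out)


# Constructed sample output (not a real capture); the CPU value matches
# the 93% figure from the high-CPU incident on this page.
SAMPLE_OUTPUT = """\
.1.3.6.1.4.1.12356.1.8.0 = INTEGER: 93
.1.3.6.1.4.1.12356.1.9.0 = INTEGER: 61
.1.3.6.1.4.1.12356.1.10.0 = INTEGER: 18342
"""

if __name__ == "__main__":
    metrics = parse_snmpget(SAMPLE_OUTPUT)
    print(metrics)
    for name, value in over_threshold(metrics).items():
        print("ALARM %s=%d (threshold %d)" % (name, value, THRESHOLDS[name]))
```

Against a real unit, call `poll("firewall-host", "community")` instead of parsing `SAMPLE_OUTPUT`; an SNMPv2c community sent in the clear is itself a finding, so restrict the agent to the monitoring host's address and keep the community read-only.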


Sunday, January 28, 2007

Fortigate with high CPU time

I recently had an incident with a customer firewall where the CPU load averaged about 93% as seen from the GUI. The network monitoring tools (that is, Smokeping) also reported higher response times than normal even though network throughput seemed normal. There were no indications of any packet loss in the network during the period.

The solution was to reboot the firewall. The Fortigate firewalls seem not to have an easy way to find out which processes use CPU time.

The customer runs two firewalls in an HA configuration, so there was almost no downtime during the reboot. Only 6 packets did not get through.


Friday, January 05, 2007

Fortigate FortiOS 3.0 MR4 is out

FortiOS 3.0 MR4 (build 474) is now out. These are the changes I've found when looking through the GUI.

Full details are found here.

  • Support for VoIP - SIP and SCCP.
  • The dashboard is now configurable. You can add and remove content (web parts) as you wish.
  • You can add secondary IP addresses to an interface, each with its own ping server (to check for bad gateways).
  • HA mode now allows you to configure interface priority for the heartbeat. This feature was dropped in the original 3.0 release.
  • You can now back up your configuration using SCP.
  • You can now "Submit attack characteristics to FortiGuard Service Network to help improve IPS signature quality".
  • You can now add "remote" types of certificates. I'm not quite sure what I can use it for yet, but I believe it's used to verify the certificate of the other party in a secure setup.
  • You can now add client certificates as users. This could be done in the CLI on previous releases, but now it seems to support some kind of user authentication as well. I have not tried this feature yet, but I'm looking forward to doing so.
  • The reboot/shutdown/reset switches are now placed at the top of the dashboard, making it much easier to do these common administrative tasks.


Thursday, November 02, 2006

New stuff in Fortigate 3.0 MR3

I've just installed FortiOS 3.0 build 400 on my firewall at home. The upgrade went without any problems.
 
There are some new features that I like. They are as follows:
  • Telnet (CLI) access from the web GUI. You can now access the CLI from the Status screen.
  • Support for multiple sources, destinations and rules. On previous releases I had to make several rules if I wanted more than one source in my ruleset.
  • Support for secondary IP addresses from the web GUI.
  • Support for RDP and VNC connections from the SSL VPN.
  • You can define which interface an address belongs to.
  • There is something called a VIP group. You can create virtual IP groups to facilitate firewall policy traffic control. For example, on the DMZ interface, if you have two email servers that use virtual IP mapping, you can put these two VIPs into one VIP group and create one external-to-DMZ policy, instead of two policies, to control the traffic.
There are probably other changes but I have not found them yet :)


Tuesday, October 24, 2006

A day out with Fortinet

Today I've been to Stockholm and Vaxholm Fortress for a seminar with Fortinet. Fortinet is number one in their segment of unified threat management. I took this as a day trip, and it was a long one: I left home at 05:00 this morning and just got home now (23:00).

The day started out fine. We took RIB boats out to Vaxholm from Stockholm. It was a 33-foot RIB with 2x250 hp engines. The trip took one hour, with some unnecessary - but fun - driving. On our way back we took an old steam boat to the city. At least they told us it was a steam boat. None of us believed it :)

In the sessions they talked about future threats and what Fortinet does to meet them. Phishing was given much focus.
They also presented some new units at the seminar today. The units are described below.
Fortigate 50B - a unit with 3 or 4 switched ports and two other ports. No other details were given.

Fortigate 224B
A 24x10/100 + 2x10/100/1000 + 2xWAN port switch. This switch is supposed to do wire-speed IDS/IDP and can disconnect clients if they misbehave. This unit targets threats inside your LAN. Unfortunately the unit only checks for viruses in the same protocols as the other Fortigate units do, that is SMTP, POP3, IMAP, HTTP and FTP. NFS, file sharing and other similar traffic is not checked. This is Fortinet's first product for threat management on a LAN. I think much more exciting products will evolve from this.

FortiAnalyzer 100B
A new analyzer. Not much was said about this unit.

FortiMail 100
A new anti-spam solution for the SMB market. This unit is priced at about US$1500, I think. It can handle up to 57000 emails/hour.
 
In the end this was an interesting day.
