Showing posts with label Fortinet.

Saturday, March 17, 2018

Technical Note: How the FortiGate behaves when asymmetric routing is enabled

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD39943&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=27692425&stateId=1%200%2027694157
Technical Note: Building a Layer-2 VPN with VxLAN over IPsec

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD40170&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=27692425&stateId=1%200%2027694157
Technical Note: How to setup redundant point-to-point IPSec VPN using multi-home BGP links

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD35166&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=27692425&stateId=1%200%2027690965

Monday, March 12, 2018

Technical Note: How to configure L2TP using interface/route based IPsec VPN:

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD41147&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=26850343&stateId=1%200%2026848963

Friday, February 2, 2018

Restarting processes on a FortiGate

FGT80C # diagnose test application
smtp              SMTP proxy.
ftpd              FTP proxy.
pop3              POP3 proxy.
imap              IMAP proxy.
nntp              NNTP proxy.
scanunit          Scanning unit.
harelay           HA relay daemon.
hasync            HA sync daemon.
hatalk            HA talk daemon.
sessionsync       session sync daemon.
forticldd         FortiCloud daemon.
miglogd           Miglog logging daemon.
urlfilter         URL filter daemon.
ovrd              Override daemon.
ipsmonitor        ips monitor
ipsengine         ips sensor
ipldbd            IP load balancing daemon.
ddnscd            DDNS client daemon.
snmpd             SNMP daemon.
dnsproxy          DNS proxy.
sflowd            sFlow daemon.
init              init process.
l2tpcd            L2TP client daemon.
dhcprelay         DHCP relay daemon.
pptpcd            PPTP client.
wccpd             WCCP daemon.
wad               WAD related processes.
radiusd           RADIUS daemon.
wpad              WPA daemon.
fsd               FortiExplorer daemon.
ipsufd            IPS urlfilter daemon.
lted              USB LTE daemon.
forticron         Forticron daemon.
uploadd           Upload daemon.
quarantined       Quarantine daemon.
dhcp6c            DHCP6 client daemon.
info-sslvpnd      SSL-VPN info daemon.
dsd               DLP Statistics daemon.
lnkmtd            Link monitor daemon.
dhcp6r            DHCP6 relay daemon.
netxd             VMWare NetX service manager daemon.
fnbamd            Fortigate non-blocking auth daemon.
mrd               Mobile router daemon.
zebos_launcher    ZEBOS Launcher daemon
radius-das        Radius-das daemon.
csfd              Security Fabric daemon.
fsvrd             FortiService daemon.
radvd             radvd daemon.
fcnacd            FortiClient NAC daemon.
sdncd             SDN Connector daemon.


FGT80C # diagnose test application ipsmonitor

IPS Engine Test Usage:

    1: Display IPS engine information
    2: Toggle IPS engine enable/disable status
    3: Display restart log
    4: Clear restart log
    5: Toggle bypass status
    6: Submit attack characteristics now
   10: IPS queue length
   11: Clear IPS queue length
   12: IPS L7 socket statistics
   13: IPS session list
   14: IPS NTurbo statistics
   15: IPSA statistics
   16: Display device identification cache
   17: Clear device identification cache
   18: Display session info cache
   19: Clear session info cache
   21: Reload FSA malicious URL database
   22: Reload whitelist URL database
   24: Display Flow AV statistics
   25: Reset Flow AV statistics
   96: Toggle IPS engines watchdog timer
   97: Start all IPS engines
   98: Stop all IPS engines
   99: Restart all IPS engines and monitor

Monday, January 15, 2018

Tuesday, January 9, 2018

Fortigate & Conserve mode


FGT80C # diagnose hardware sysinfo conserve 
memory conserve mode: off
total RAM:                            499 MB
memory used:                          430 MB   86% of total RAM
memory used threshold extreme:        473 MB   95% of total RAM
memory used threshold red:            438 MB   88% of total RAM
memory used threshold green:          409 MB   82% of total RAM
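As an added example (not from the original post), a small Python parser for this output that classifies memory use against the three thresholds, using the output above as its constructed sample; the threshold semantics in the comments (enter conserve mode at red, leave it below green, drop new sessions at extreme) are taken from Fortinet's documentation, not from this post.

```python
import re

# Constructed sample: the "diagnose hardware sysinfo conserve" output shown above.
SAMPLE = """\
memory conserve mode: off
total RAM:                            499 MB
memory used:                          430 MB   86% of total RAM
memory used threshold extreme:        473 MB   95% of total RAM
memory used threshold red:            438 MB   88% of total RAM
memory used threshold green:          409 MB   82% of total RAM
"""

# "<key>:   <n> MB ..." lines; the percentage column is derived, so we ignore it.
_MB_LINE = re.compile(r"^(?P<key>[^:]+):\s+(?P<mb>\d+) MB")


def parse_conserve(output: str) -> dict:
    """Return the MB fields as ints keyed by their label, plus the mode flag."""
    info = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("memory conserve mode:"):
            info["conserve_mode"] = line.split(":", 1)[1].strip()
            continue
        m = _MB_LINE.match(line)
        if m:
            info[m.group("key").strip()] = int(m.group("mb"))
    return info


def memory_state(info: dict) -> str:
    """Classify current usage. Per Fortinet docs: the unit enters conserve mode
    at the red threshold, only leaves it once usage falls below green, and
    stops accepting new sessions at extreme. 'above-green' therefore means
    a box that is already in conserve mode has not recovered yet."""
    used = info["memory used"]
    if used >= info["memory used threshold extreme"]:
        return "extreme"
    if used >= info["memory used threshold red"]:
        return "red"
    if used >= info["memory used threshold green"]:
        return "above-green"
    return "ok"


def headroom_to_red_mb(info: dict) -> int:
    """How many MB remain before the unit would enter conserve mode."""
    return info["memory used threshold red"] - info["memory used"]


if __name__ == "__main__":
    parsed = parse_conserve(SAMPLE)
    print(memory_state(parsed), headroom_to_red_mb(parsed), "MB to red")
```

On the sample above the box is not in conserve mode yet but sits only 8 MB below the red threshold, which is exactly the situation the next post on resource tuning warns about.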

Thursday, December 21, 2017

Friday, December 15, 2017

Tuning resource consumption in FortiOS

Although the article describes the ancient FortiOS 4.0, everything it says still applies to later FortiOS versions, especially under heavy load and with a large number of features enabled:

http://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD33078&languageId=
http://kb.fortinet.com/kb/documentLink.do?externalID=FD33103


Conclusion: on a box with limited resources, enable features wisely, so that the system does not have to protect itself with Kernel Conserve Mode.

Saturday, December 9, 2017

Fortigate 80C - get hardware status

FGT80C # get hardware status 
Model name: FortiGate-80C
ASIC version: CP6
ASIC SRAM: 64M
CPU: Celeron (Covington)
Number of CPUs: 1
RAM: 499 MB
Compact Flash: 493 MB /dev/sda
Hard disk: not available
USB Flash: not available
Network Card chipset: mvl_sw Ethernet driver1.0 (rev.

Wednesday, December 6, 2017

FortiOS versions, builds and dates

Version 5

MR2
Build 0688, P4 (07/22/2015)
Build 0670, P3 (05/18/2015)
Build 0642, P2 (11/18/2014)
Build 0618, P1 (09/15/2014)
Build 0589, GA (06/14/2014)
GA
Build 0318, P12 (05/15/2015)
Build 0311, P11 (01/23/2015)
Build 0305, P10 (12/16/2015)
Build 0292, P9 (08/01/2014)
Build 0291, P8 (07/29/2014)
Build 3608, P7 (04/10/2014) See note 1 at the bottom
Build 0271, P6 (01/25/2014)
Build 0252, P5 (11/01/2013)
Build 0228, P4 (08/08/2013)
Build 0208, P3 (06/03/2013)
Build 0198, P3, Beta 1 (05/22/2013) pulled by Fortinet
Build 0179, P2 (03/2013)
Build 0147, P1 (12/2012)
Build 0128, First release (11/2012)

Version 4

MR 3 (End of Support Date for Version 4.0 MR3 = March 19, 2014, unless the device does not support FortiOS version 5.0)
Build 0689, P18 (08/06/2014)
Build 0688, P17 (07/14/2014)
Build 0686, P16 (07/03/2014)
Build 0672, P15 (09/05/2013)
Build 0665, P14 (05/17/2013)
Build 0664, P13 (04/30/2013) pulled by Fortinet
Build 0656, P12 (02/27/2013)
Build 0646, P11 (11/2012)
Build 0639, P10 (09/2012)
Build 0637, P9 (08/22/2012)
Build 0632, P8 (07/05/2012)
Build 0535, P7 (05/2012)
Build 0521, P6 (03/2012)
Build 0513, P5 (02/2012)
Build 0511, P4 (01/2012)
Build 0496, P3 (11/2011)
Build 0482, P2 (09/2011)
Build 0458, P1 (06/2011)
Build 0441, First release (03/18/2011)
MR 2 (End of Support Date for Version 4.0 MR2 = April 1, 2013)
Build 0356, P15 (02/21/2013)
Build 0353, P14 (01/09/2013)
Build 0349, P13 (09/04/2012)
Build 0346, P12 (06/06/2012)
Build 0342, P11 (02/27/2012)
Build 3118, P10 (01/17/2012) with MS hotfix
Build 0338, P10 (12/06/2011)
Build 0334, P9 (10/2011)
Build 0328, P8 (07/2011)
Build 0324, P7 (05/2011)
Build 0320, P6 (04/2011)
Build 0315, P5 (04/2011)
Build 0313, P4 (03/2011)
Build 0303, P3 (12/14/2010)
Build 0291, P2 (08/2010)
Build 0279, P1 (05/2010)
Build 0272, First release
MR 1 (End of Support Date for Version 4.0 MR1 = August 24, 2012)
Build 0217, P10 (06/16/2011)
Build 0213, P9 (01/28/2011) pulled by Fortinet
Build 0209, P8 (09/29/2010) pulled by Fortinet
Build 0207, P7 pulled by Fortinet
Build 0205, P6 pulled by Fortinet
Build 0204, P5 pulled by Fortinet
Build 0196, P4 pulled by Fortinet
Build 0194, P3 pulled by Fortinet
Build 0192, P2 pulled by Fortinet
Build 0185, P1 pulled by Fortinet
Build 0178, First release
GA (End of Support Date for Version 4.0 = February 24, 2012)
Build 0113, P4 (12/02/2009)
Build 0106, P3 (06/16/2009)
Build 0099, P2 (04/07/2009)
Build 009x, P1 (2009) pulled by Fortinet
Build 0092, First release (02/20/2009)

Version 3

MR 7 (End of Support Date for Version 3.0 MR7 = July 18, 2011)
Build 0754, P10 (10/27/2010)
Build 0753, P9 (02/17/2010)
Build 0752, P8 (12/23/2009)
Build 0750, P7 (10/09/2009)
Build 0744, P6 (06/30/2009)
Build 0741, P5 (04/08/2009)
Build 0740, P4
Build 0737, P3 (03/03/2009)
Build 0733, P2 (11/21/2008)
Build 0730, P1 (09/19/2008)
Build 0726, First release (07/16/2008)
MR 6 (End of Support Date for Version 3.0 MR6 = February 4, 2011)
Build 0678, P6
Build 0677, P5
Build 0673, P4 (10/27/2008)
Build 0670, P3 (07/29/2008)
Build 0668, P2 (05/14/2008)
Build 0662, P1 (03/17/2008)
Build 0660, First release (02/01/2008)
MR 5 (End of Support Date for Version 3.0 MR5 = July 3, 2010)
Build 0576, P7
Build 0575, P6
Build 0574, P5 (02/20/2008)
Build 0572, P4 (11/26/2007)
Build 0568, P3 (10/18/2007)
Build 5101, P2 (09/05/2007) Memory Optimized for smaller models
Build 0565, P2 (09/05/2007)
Build 0564, P1 (08/17/2007)
Build 0559, First release
Build 0552, CR3
Build 0547, CR2
MR 4 (End of Support Date for Version 3.0 MR4 = December 29, 2009)
Build 0483, P5 (07/03/2007)
Build 0480, P4 (03/30/2007)
Build 0479, P3
Build 0477, P2
Build 0475, P1
Build 0474, First release
Build 0468, CR2
MR 3 (End of Support Date for Version 3.0 MR3 = October 2, 2009)
Build 0418, P14
Build 0416, P12
Build 8552, P11 (09/01/2007) Memory Optimized for smaller models
Build 0416, P11 (09/01/2007)
Build 8509, P10 (07/05/2007) Memory Optimized for smaller models
Build 0415, P10 (07/05/2007)
Build 8468, P9 (05/04/2007) Memory Optimized for smaller models
Build 0413, P9 (05/04/2007)
Build 0411, P8 (03/30/2007)
Build 0410, P7 (03/08/2007)
Build 0406, P6 (01/26/2007)
Build 0405, P5 (01/05/2007)
Build 0404, P4
Build 0403, P3 (11/06/2006)
Build 0402, P2
Build 0401, P1
Build 0400, First release (10/02/2006)
Build 0394, CR2
Build 0388, CR1
MR 2 (The versions below are beyond end of support dates)
Build 0319
Build 0318 (06/30/2006)

Version 2.8

MR 12
Build 520, P1
Build 519
MR 11
Build 490

 
NOTES
Note 1: These are all patches for the Heartbleed SSL bug, based on build 0271 (P6)
  • Build 4429 for FGT100D, FGT140D, FGT140D_POE
  • Build 4439 for FGT 280D_POE
  • Build 3483 for FGT 3600C

Monday, December 4, 2017

How to switch SSL VPN on a FortiGate from TCP to UDP (DTLS)

config vpn ssl settings
    set dtls-tunnel enable/disable
end

A decent article on the problems of TCP-over-TCP solutions (which is exactly what SSL VPN, i.e. IP over HTTPS, is in this particular case):

http://sites.inka.de/bigred/devel/tcp-tcp.html

Monday, November 27, 2017

How to enable the FortiGuard-updated whitelist of HTTPS resources that are exempted from SSL inspection on a FortiGate

config firewall ssl-ssh-profile
edit deep-inspection
set whitelist enable
end

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/SSL_SSH_Inspection/Secure%20whitelist%20database.htm

How to change the certificate of the error page shown under full SSL inspection in FortiOS?

FortiOS 5.4 and later:
config user setting 
# get
auth-type : http https ftp telnet 
auth-cert : Fortinet_Factory 
auth-ca-cert : 
auth-secure-http : disable 
auth-http-basic : disable 
auth-timeout : 5 
auth-timeout-type : idle-timeout 
auth-portal-timeout : 3 
radius-ses-timeout-act: hard-timeout 
auth-blackout-time : 0 
auth-invalid-max : 5 
auth-lockout-threshold: 3 
auth-lockout-duration: 0 
auth-ports:
The certificate Fortinet_Factory is used by default. To avoid errors, you can either change this certificate to the certificate used for SSL inspection or you can install this certificate on all client devices. Which solution you choose depends on your own environment and what certificates you are already using.
http://cookbook.fortinet.com/certificate-errors-blocked-websites/

Thursday, November 2, 2017

Authentication in the proxy service in FortiOS 5.6

They reworked quite a lot in 5.6; everything is now configured differently:
http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-firewall/Concepts%20-%20Web%20Proxy/Proxy%20Authentication.htm