How to configure an Automation Stitch (email alert) for CPU threshold on a Fortigate.

This is a quick reference on how to configure an Automation Stitch for CPU threshold on a Fortigate.

Please note that I configured this on Fortigate Firmware 6.2.7. You will also need to ensure that SMTP is set up on the Fortigate.

1. Configure CPU Threshold

This is the value at which point the Fortigate will generate a log for CPU usage.

config system global
    set cpu-use-threshold 50
end

2. Configure Automation Stitch

2.1 GUI

2.1.1 Create New

This can be found under Security Fabric / Automation

2.1.2 Select Trigger for Email

In this case select CPU Usage Statistics, which is under the FortiOS Event Log option.

2.1.3 Select Email

Add the email address that you want the alerts sent to.

2.2 CLI

Configure the email address of the SMTP server account set up on the Fortigate (see the Gmail SMTP guide) as the “email-from”.

config system automation-action
    edit "Nameofstitch_email"
        set action-type email
        set email-to "youremail@gmail.com"
        set email-from "yourgmail@gmail.com"
        set email-subject "configuration change"
        set email-body "%%log%%"
        set minimum-interval 60
        set delay 0
        set required disable
    next
end

3. Test

In order to test this you will need to generate enough traffic to push the CPU past the 50% threshold. You could use a network stress tester to achieve this. Enabling logging and UTM on the firewall policy and turning off ASIC offloading will increase CPU usage.

Thank you for reading and please feel free to leave any feedback.

Checklist for Fortigate admin access over SSL-VPN

This is a checklist for Fortigate admin access over SSL-VPN.

1. Trusted hosts

Ensure that the SSL-VPN source address or SSL-VPN address pool is on the trusted host list for admin access to the Fortigate.

config system admin
    edit "admin" 
        set trusthost5 10.212.134.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set password yourpassword
    next
end

2. Allowaccess on Interface

Ensure you have allowed the service or port access on the interface using the following command “set allowaccess ping https ssh” under the interface configuration.

config system interface
    edit "vlan100"
        set vdom "root"
        set ip 10.100.0.254 255.255.255.0
        set allowaccess ping https ssh
        set vlanforward enable
        set device-identification enable
        set role lan
        set snmp-index 12
        set interface "internal5"
        set vlanid 100
    next
end

3. Firewall policy

Ensure you have a firewall policy from the SSL-VPN interface to the LAN to where you intend to connect to.

config firewall policy
    edit 3
        set name "SSL_VPN_LAN"
        set srcintf "ssl.root"
        set dstintf "vlan100"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSL_VPN"
    next
end

4. Routing table

Ensure you have a route to the firewall interface. You may be using split-tunneling, which specifies the addresses that are routed via the SSL-VPN; any route not specified will be routed locally via the user's local internet breakout. 10.100.0.0/24 is the LAN network directly connected to the firewall. You could specify just the individual firewall interface address if you wanted to.

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling-routing-address "10.100.0.0/24"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
end

If using Windows you can check the routing table by running the command route print.

C:\WINDOWS\system32>route print

Please let me know what you thought of the guide and if it worked, what issues you ran into or if anything wasn’t clear. Thank you for reading.

How to configure a SSL-VPN with certificate authentication on a Fortigate.

This is a detailed guide on how to configure an SSL-VPN with certificate authentication on a Fortigate. We will be using OpenSSL to generate the CA and certificates.

1. Generate the CA or root certificate (Certificate Authority)

You will need to generate a root certificate to sign the Server and Client certificate. You will need to install the CA and Server Certificate on the Fortigate and the Client PKCS#12 certificate on the end user computer where the Forticlient VPN application is installed. This will create a chain of trust called public key infrastructure (PKI).

1.1 Create the directories to hold the CA certificate.

sudo mkdir /etc/ssl/CA
sudo mkdir /etc/ssl/newcerts

1.2 Create additional CA files

The CA needs a few additional files to operate, one to keep track of the last serial number used by the CA, and another file to record which certificates have been issued:

sudo sh -c "echo '01' > /etc/ssl/CA/serial"
sudo touch /etc/ssl/CA/index.txt

1.3 Edit the config file – nano /etc/ssl/openssl.cnf

This specifies the file locations for OpenSSL. Open the file and set the following entries in the [ CA_default ] section:

nano /etc/ssl/openssl.cnf

dir             = /etc/ssl               # Where everything is kept
database        = $dir/CA/index.txt      # database index file.
certificate     = $dir/certs/cacert.pem  # The CA certificate
serial          = $dir/CA/serial         # The current serial number
private_key     = $dir/private/cakey.pem # The private key

1.4 Generate Root Certificate

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Please note that your Organization Name (O) needs to match on all your certificates that will be forming the chain of trust.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You will also need to ensure that the Organizational Unit Name (OU) is unique on each certificate. Steps 2 and 3 cover the Certificate Signing Requests for the Server and Client, where you will need to take these values into account.

1.5 Install the Root Certificate and Key

sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

2. Generate Server CSR (Certificate Signing Request) and Key

2.1 Generate Server Key

openssl genrsa -des3 -out server.key 2048

The next set of commands strips the passphrase from the key so that you don’t have to enter one when generating the CSR (Certificate Signing Request).

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

2.2 Generate Server CSR

Please note that the following needs to be accurate for it to work – the Organization Name (O) needs to match on all 3 certificates.

openssl req -new -key server.key -out server.csr

3. Generate Client CSR (Certificate Signing Request) and key

Repeat step 2 – replacing the word server with client. You should have the following files.

root@dhcp-server:/home/david# ls
client.csr  client.key server.csr  server.key

4. Sign both the Server and Client CSR’s

This will create the server and client certificate.

sudo openssl ca -in server.csr -out server.crt -config /etc/ssl/openssl.cnf
sudo openssl ca -in client.csr -out client.crt -config /etc/ssl/openssl.cnf

You will now have both .crt files (openssl ca only prints the signed certificate to the terminal unless -out is given):

root@dhcp-server:/home/david# ls
client.crt  client.key  server.crt  server.key

5. Generate the .pfx file or pkcs12 Client certificate

This will be installed on the host where the Forticlient application is installed.

openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile client.crt

You should now have the following files:

root@dhcp-server:/home/david# ls
client.crt  client.key  client.pfx  server.crt  server.key

6. Copy the CA certificate back to your home directory

cp /etc/ssl/certs/cacert.pem /home/david/

You will now have all the files you need for certificate authentication.

root@dhcp-server:/home/david# ls
cacert.pem  client.crt  client.key  client.pfx  server.crt  server.key

7. Install the Client certificate on the users computer

Copy the client.pfx to the user’s computer and double-click the file. Using the Windows certificate wizard, install the certificate into the Personal certificate store.

8. Import CA Certificate to Fortigate

Import the cacert.pem file to your Fortigate. Under System/Certificates click Import and then CA Certificate. Then click File and then the Upload button.

You will now see the certificate installed under Remote CA Certificates.

9. Import Server Certificate to Fortigate

You will need both server.crt and server.key for this. Again click Import, and this time click Local Certificate. Upload the server certificate and key file to the Fortigate as per below. Alternatively you could generate the PKCS#12 or .pfx file (as was done with the client certificate).

You will now see the certificate on the Fortigate under Local Certificates. Please refer to the picture in step 8.

PLEASE NOTE: The following steps will assume that you have a working SSL VPN configuration and will not go through in detail the workings of a SSL-VPN setup.

10. Configure PKI user

10.1 You will need to specify a username, your CA certificate, and subject.

config user peer
    edit "yourusername"
        set ca "CA_Cert_1"
        set subject "C"
    next
end

10.2 Obtaining the subject from the certificate

root@dhcp-server:/home/david# openssl x509 -noout -in client.crt -subject
subject=C = UK, ST = Some-State, O = SecNetLinux, OU = Client, CN = Client

Once this has been completed you will see the PKI option on the GUI and can then put the PKI users that you have created into the corresponding SSLVPN groups.
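As an added check, not part of the original post, the following Python script parses subject lines in the form printed above by openssl x509 -subject (and the older slash-separated form) and applies the rules from step 1: the Organization Name must match on the CA, server and client certificates and the OU must be unique per certificate. The CA and server subjects are constructed, and peer_subject_matches assumes the peer subject is applied as a case-insensitive substring match on the certificate subject DN.

```python
"""Consistency checks for the SSL-VPN certificate chain (added example).

The client subject is the one printed in the post; the CA and server subjects
below are constructed for illustration.
"""
from typing import Dict, List

SUBJECTS = {
    "ca": "subject=C = UK, ST = Some-State, O = SecNetLinux, OU = CA, CN = SecNetLinux Root CA",
    "server": "subject=C = UK, ST = Some-State, O = SecNetLinux, OU = Server, CN = vpn.example.test",
    "client": "subject=C = UK, ST = Some-State, O = SecNetLinux, OU = Client, CN = Client",
}


def parse_subject(line: str) -> Dict[str, str]:
    """Turn 'openssl x509 -noout -subject' output into an ordered {RDN: value} dict.

    Handles the modern 'C = UK, ST = ...' form and the older '/C=UK/ST=...' form.
    Values that contain an escaped separator are not handled.
    """
    body = line.split("=", 1)[1].strip() if line.startswith("subject=") else line.strip()
    parts = body[1:].split("/") if body.startswith("/") else body.split(",")
    rdns: Dict[str, str] = {}
    for part in parts:
        key, _, value = part.partition("=")
        if key.strip():
            rdns[key.strip()] = value.strip()
    return rdns


def chain_problems(subjects: Dict[str, str]) -> List[str]:
    """Apply the post's rules: one O across all certs, a distinct OU and a CN on each."""
    parsed = {name: parse_subject(s) for name, s in subjects.items()}
    problems: List[str] = []
    orgs = {name: rdn.get("O") for name, rdn in parsed.items()}
    if len(set(orgs.values())) != 1:
        problems.append(f"Organization Name differs across certificates: {orgs}")
    ous = [rdn.get("OU") for rdn in parsed.values()]
    for ou in sorted({ou for ou in ous if ous.count(ou) > 1}, key=str):
        problems.append(f"OU {ou!r} is used by more than one certificate")
    for name, rdn in parsed.items():
        if not rdn.get("CN"):
            problems.append(f"{name}: certificate has no Common Name")
    return problems


def peer_subject_matches(peer_subject: str, cert_subject: str) -> bool:
    """Assumption: the Fortigate accepts a client certificate when the string from
    'config user peer ... set subject' occurs (case-insensitively) inside the
    certificate subject DN. The DN is rebuilt in the 'C = UK, ST = ...' layout."""
    dn = ", ".join(f"{k} = {v}" for k, v in parse_subject(cert_subject).items())
    return peer_subject.lower() in dn.lower()


if __name__ == "__main__":
    for problem in chain_problems(SUBJECTS) or ["chain subjects look consistent"]:
        print(problem)
    print("peer subject 'C' matches client cert:", peer_subject_matches("C", SUBJECTS["client"]))
```

Under that assumption the value "C" used in step 10.1 matches every certificate this CA has issued, while a more specific string such as the client's OU restricts which certificates the peer accepts.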

10.3 Add two factor authentication

11. Configure the SSL-VPN settings

You will set the server certificate which you uploaded earlier (set servercert "SSLSERVER") and also set reqclientcert to enable. I have also set the default-portal to web-access although we will be using Forticlient.

config vpn ssl settings
    set reqclientcert enable
    set servercert "SSLSERVER"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN"
            set portal "full-access"
        next
    end
end

Again I have not gone through too much detail regarding the SSL-VPN setup. You will need to make sure you have your firewall policies, portal mappings etc. in place for this to work. This guide assumes you have a working SSL-VPN configuration in place and that you are adding additional authentication.

12. Configure Forticlient

Once you have successfully installed the Client certificate as per step 7, it will populate the drop-down next to Client Certificate in Forticlient.

13. Troubleshooting Commands on the Fortigate

diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug enable

Please let me know what you thought of the guide and if it worked, what issues you ran into or if anything wasn’t clear. Thank you for reading.

How to run a packet capture on a Fortigate (CLI)

This is a quick reference guide showing how to run a packet capture on a Fortigate. It is important to remember that the packet capture will only show packets that are being handled by the kernel (not those being offloaded to an ASIC). You can, however, disable offloading on the policy as follows:

1 – Disable ASIC offload for traffic (Optional)

I have marked this as optional as you don’t need to do it, but it ensures you get the packets to look at.

config firewall policy
    edit <policy id>
        set auto-asic-offload disable
    next
end

2 – Setup the capture

The syntax is a spin-off of tcpdump; essentially it is tcpdump under the hood, so most filters will work. The syntax is as follows; options and verbose level are optional. I usually use verbose 4 so I can see the interface names.

diagnose sniffer packet <interface> "<options>" <verbose level> <count> <timestamp format>

All flags / options apart from interface are optional.

interface – The interface you want the sniffer to capture packets on. You can use the word any for all interfaces or specify the name of the interface.

options – The tcpdump filter options you want to use; these must be surrounded by double or single quotes.

verbose level – This can be a number between 1 and 6 and is defined as follows:

1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name

count – The maximum number of packets to capture; when this number is reached the sniffer will stop. Use 0 for unlimited.

timestamp format – The format of the timestamp. By default it is the number of seconds (with a fractional part) from when you started the capture to when the displayed packet was received on the listening interface. Other options are a or l: a for absolute time and l for local time.

3 – example 1 – all icmp

This example is to capture all icmp traffic and show the interface name

diagnose sniffer packet any "icmp" 4

I set up a test ping to the Fortigate whilst the sniffer was running.

Brierley-FW01 # diagnose sniffer packet any "icmp" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[icmp]
2.216830 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
2.216853 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply
3.221063 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
3.221086 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply
4.233794 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
4.233816 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply
5.244740 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
5.244761 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply

So with the verbose 4 flag I can see the request (the ICMP echo request) is coming in on port2 and the reply is being sent out via port2. This makes sense as I am pinging the interface itself. I also get the timestamp right at the beginning, which by default is relative to the time you started sniffing, so in my case the echo request was received 2.216830 seconds after I entered the command. You can change this so it shows an actual timestamp.

Brierley-FW01 # diagnose sniffer packet any "icmp" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[icmp]
2021-01-25 09:39:15.604359 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
2021-01-25 09:39:15.604412 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply
2021-01-25 09:39:16.608767 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
2021-01-25 09:39:16.608788 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply
2021-01-25 09:39:17.619909 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
2021-01-25 09:39:17.619931 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply
2021-01-25 09:39:18.630056 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
2021-01-25 09:39:18.630079 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply

Same example, however I add two additional flags which again are optional: 0 for the number of packets (which means unlimited) and l for local time, which uses the time local to the firewall as defined under system time.
You can now see the output has an actual timestamp.
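To turn this output into something you can check automatically, here is an added Python example (not from the original post) that parses verbose 4 lines in both the relative and the local-time formats shown above, pairs each ICMP echo request with its reply on the same interface and reports requests that never got one. The capture it runs on is constructed: the first four packet lines mirror the ones above, while the interface names wan1 and port3 and the remaining lines are invented.

```python
"""Parse 'diagnose sniffer packet <intf> "<filter>" 4' output (added example).
Verbose 4 prints one line per packet: timestamp, interface, direction,
src -> dst and a protocol summary. The capture below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

SNIFFER_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+|\d+\.\d+)\s+"
    r"(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<summary>.+)$"
)

# Constructed capture: first four packet lines mirror the post, the rest are invented.
SAMPLE = """\
FW01 # diagnose sniffer packet any "icmp or port 53" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[icmp or port 53]
2021-01-25 09:39:15.604359 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
2021-01-25 09:39:15.604412 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply
2021-01-25 09:39:16.608767 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
2021-01-25 09:39:16.608788 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply
2021-01-25 09:39:17.619909 port2 in 10.1.1.50 -> 8.8.8.8: icmp: echo request
2021-01-25 09:39:17.620100 wan1 out 10.1.1.50 -> 8.8.8.8: icmp: echo request
2021-01-25 09:39:17.640000 wan1 in 8.8.8.8 -> 10.1.1.50: icmp: echo reply
2021-01-25 09:39:17.640050 port2 out 8.8.8.8 -> 10.1.1.50: icmp: echo reply
2021-01-25 09:39:18.630056 port3 in 10.2.2.9 -> 172.16.10.2: icmp: echo request
2021-01-25 09:39:19.000000 port2 in 172.16.10.200.51234 -> 8.8.8.8.53: udp 40
"""


@dataclass
class Packet:
    ts: float            # seconds since capture start, or epoch seconds when 'a'/'l' was used
    intf: str
    direction: str       # "in" or "out"
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    summary: str


def to_seconds(ts: str) -> float:
    """Default timestamps are 'seconds.fraction' since the capture started; with the
    'a' or 'l' option they are 'YYYY-MM-DD HH:MM:SS.micros'."""
    if "-" in ts:
        return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").timestamp()
    return float(ts)


def parse_sniffer(text: str) -> List[Packet]:
    """Keep only packet lines; the prompt, banner, interfaces=[...] and filters=[...] are dropped."""
    packets: List[Packet] = []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line.strip())
        if not m:
            continue
        packets.append(Packet(
            to_seconds(m["ts"]), m["intf"], m["dir"], m["src"], m["dst"],
            int(m["sport"]) if m["sport"] else None,
            int(m["dport"]) if m["dport"] else None,
            m["summary"],
        ))
    return packets


def match_echo(packets: List[Packet]) -> Tuple[List[Tuple[Packet, Packet, float]], List[Packet]]:
    """Pair each ICMP echo request with the reply seen on the same interface in the
    opposite direction. Returns (answered pairs with RTT in ms, unanswered requests).
    A request that arrives on an interface and is never answered there points at a
    drop further along the path (policy, route or the reverse-path check)."""
    answered: List[Tuple[Packet, Packet, float]] = []
    pending: List[Packet] = []
    for p in packets:
        if p.summary == "icmp: echo request":
            pending.append(p)
        elif p.summary == "icmp: echo reply":
            for i, req in enumerate(pending):
                if (req.intf == p.intf and req.direction != p.direction
                        and req.src == p.dst and req.dst == p.src):
                    answered.append((req, p, (p.ts - req.ts) * 1000.0))
                    del pending[i]
                    break
    return answered, pending


if __name__ == "__main__":
    pairs, unanswered = match_echo(parse_sniffer(SAMPLE))
    for req, rep, rtt in pairs:
        print(f"{req.intf}: {req.src} -> {req.dst} answered in {rtt:.3f} ms")
    for req in unanswered:
        print(f"{req.intf}: {req.src} -> {req.dst} NOT answered")
```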

Other examples

These are some examples for the filter (the bit between the quotes); common ones which are good and which I use most of the time. Obviously you can get extremely complex with it, but here are a few examples.

By ip address (Either source or destination)

diagnose sniffer packet any "host 10.1.1.1" 4

Replace 10.1.1.1 with the IP address.

By network

So if you want to sniff traffic to or from 10.1.1.0/24 you would use this:

diagnose sniffer packet any "net 10.1.1.0/24" 4

Replace the network with any you need

By port number

This is useful if you are looking for traffic on a certain port

diagnose sniffer packet any "port 2222" 4

Again replace the port number with whatever port you need. This is for both TCP & UDP.

source or destination

Use this if you want to see traffic with a given address as the source or as the destination. Useful if you only want the initiating traffic to be shown.

diagnose sniffer packet any "src 10.1.1.1" 4
diagnose sniffer packet any "dst 10.1.1.1" 4

Protocol

You can filter by protocol e.g. tcp, udp icmp and so on

diagnose sniffer packet any "tcp" 4

This for example would show only TCP traffic

Using AND

So if you need source = 10.1.1.1 and destination = 8.8.8.8 and it’s icmp, you could string them together.

AND logic says both must be true.

diagnose sniffer packet any "src 10.1.1.1 and dst 8.8.8.8 and icmp" 4

Using OR

The logic of OR is that one of the statements must be true, whereas with AND both need to be true.

diagnose sniffer packet any "src 10.1.1.1 or src 10.1.1.2" 4

So the filter matches if the source is either 10.1.1.1 or 10.1.1.2. This also means that if there is traffic from both of these addresses it will all be shown, as the filter is evaluated against each packet.

Combining AND and OR

So let’s say you need the source to be 10.1.1.1 or 10.1.1.2, the port to be 22 and the protocol to be tcp: you would have to use brackets as follows.

diagnose sniffer packet any "(src 10.1.1.1 or src 10.1.1.2) and (port 22 and tcp)" 4

Notice how I put them in brackets; the bracketed part is evaluated first, so I am saying the source is 10.1.1.1 or 10.1.1.2 AND the port is 22 and it’s tcp.

If you don’t use brackets it will still be accepted as a valid filter, but it won’t yield what you want it to.

Using ! to negate

You can negate most things, i.e. anything but this, not this.
So all ports except port 22 would be:

diagnose sniffer packet any "!port 22" 4

Again you could add multiple to this list.

Thoughts?

So that’s a brief introduction to what you could potentially use the Fortigate’s built-in packet capture for.
It comes in handy when troubleshooting a firewall issue. Couple this with a packet flow trace (more on that another time) and you can debug most situations for firewall policies.
It is also useful for routing: you may sometimes receive the traffic on the incorrect interface, which will cause the reverse path lookup to fail, an anti-spoofing mechanism that most stateful firewalls incorporate.

Thanks for reading. If you have any questions about this or need some help on a specific filter please feel free to leave a comment or get in touch.
If you are interested in looking more into the filters then look at tcpdump; most of its filters will work.

How to configure route leaking between VRFs Fortigate CLI

This is a detailed guide on how to configure route leaking between VRFs on a Fortigate using the CLI.

In this scenario I will be leaking the default route into another VRF.

You will need to configure a BGP neighbor in order for this to work. This can be any BGP neighbor. In this example I have connected another router to the dmz interface and configured BGP so that a neighbor relationship will form over this link.

1. Configure Vdom-mode

You will need to set the Fortigate to multi-vdom mode so that you can create two Inter-vdom links and put them in two separate VRFs. Multi-vdom means that you can create more than one virtual firewall on a single box. The Inter-vdom links that you create will remain in the root vdom.

config system global
    set vdom-mode multi-vdom
end

2. Allow overlapping of subnets

By default the Fortigate will not allow you to configure duplicate or overlapping networks on the same vdom. The two Inter-vdom links will be on the same subnet.

config vdom
    edit root
        config system settings
            set allow-subnet-overlap enable
        end
    next
end

3. Configure Inter-Vdom Links

Configure the two Inter-Vdom Links in the same subnet. You will see that the links are put in their respective VRFs with the command set vrf <0-31>.

config vdom
    edit root
        config system interface
            edit "npu0_vlink0"
                set vdom "root"
                set vrf 1
                set ip 10.200.0.1 255.255.255.0
                set allowaccess ping https ssh snmp http
                set type physical
                set snmp-index 13
            next
            edit "npu0_vlink1"
                set vdom "root"
                set vrf 2
                set ip 10.200.0.2 255.255.255.0
                set allowaccess ping https ssh snmp http telnet
                set type physical
                set snmp-index 14
            next
        end
    next
end

You will need to put your physical or virtual interfaces into their respective VRF’s – for example:

config system interface
    edit "wan1"
        set vdom "root"
        set vrf 1
        set ip x.x.x.x 255.255.255.252
    next
    edit "vlan100"
        set vdom "root"
        set vrf 2
        set ip 10.100.0.254 255.255.255.0
    next
end

You will see that I have put my wan interface into one of the VRFs. This is because I am going to leak the default route from VRF 1 into VRF 2 so that vlan100 will have internet access.

4. Configure prefix-list

Configure the prefix-list of the routes that you are wanting to leak. In this case I will be leaking the source subnet 10.100.0.0/24 (so the return route) of VRF 2 and the default route in VRF 1.

config router prefix-list
    edit "1"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
    edit "2"
        config rule
            edit 1
                set prefix 10.100.0.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

5. Configure route-map

The route map is used to identify the subnets used in the VRF leaking; it matches against the prefix-lists from the previous step.

config router route-map
 edit "VRF1Routes"
        config rule
            edit 1
                set match-ip-address "1"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
    edit "VRF2Routes"
        config rule
            edit 1
                set match-ip-address "2"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end

6. Configure VRF Leaking

I have included my full BGP configuration. As mentioned at the beginning the BGP neighbour connects to the dmz interface and you will need to specify this in your BGP configuration with the command set update-source "yourinterface". In order for the VRF leaking to work you need at least one BGP neighbour that is up. Under config vrf-leak the edit <no.> is the origin VRF ID (0 - 31). Under config target the edit is the target or destination VRF ID (0 - 31). Make sure that you assign the correct route map to each.

config router bgp
    set as 65536
    set router-id 1.1.1.1
    config neighbor
        edit "192.168.1.254"
            set remote-as 65535
            set update-source "dmz"
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
        set status enable
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
    config vrf-leak
        edit "2"
            config target
                edit "1"
                    set route-map "VRF2Routes"
                    set interface "npu0_vlink1"
                next
            end
        next
        edit "1"
            config target
                edit "2"
                    set route-map "VRF1Routes"
                    set interface "npu0_vlink0"
                next
            end
        next
    end
end

7. Check the routing table

get router info routing-table all

## lines omitted for brevity ##

Routing table for VRF=1
S*      0.0.0.0/0 [10/0] via 10.50.0.254, wan1
B       10.100.0.0/24 [20/0] via 10.200.0.2, npu0_vlink0, 05:18:07
C       10.200.0.0/24 is directly connected, npu0_vlink0

Routing table for VRF=2
B*      0.0.0.0/0 [20/0] via 10.200.0.1, npu0_vlink1, 05:15:02
C       10.100.0.0/24 is directly connected, vlan100
C       10.200.0.0/24 is directly connected, npu0_vlink1
C       192.168.1.0/24 is directly connected, dmz
B       192.168.2.0/24 [20/0] via 192.168.1.254, dmz, 03:00:13
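As an added example (not part of the original post), the following Python script parses the routing-table output above, does a longest-prefix lookup per VRF and checks that both leaked routes from step 6 are present. The sample is a copy of the table above; the EXPECTED_LEAKS entries are derived from the prefix-lists in step 4.

```python
"""Parse 'get router info routing-table all' and verify the VRF leaks (added example).
The sample copies the post's routing tables for VRF 1 and VRF 2."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VRF_HEADER = re.compile(r"^Routing table for VRF=(?P<vrf>\d+)$")
ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Z][*>]?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+),\s+(?P<intf>[^,\s]+)"
    r"(?:,\s+(?P<age>\S+))?"
    r"|is directly connected,\s+(?P<cintf>\S+))\s*$"
)

SAMPLE = """\
## lines omitted for brevity ##

Routing table for VRF=1
S*      0.0.0.0/0 [10/0] via 10.50.0.254, wan1
B       10.100.0.0/24 [20/0] via 10.200.0.2, npu0_vlink0, 05:18:07
C       10.200.0.0/24 is directly connected, npu0_vlink0

Routing table for VRF=2
B*      0.0.0.0/0 [20/0] via 10.200.0.1, npu0_vlink1, 05:15:02
C       10.100.0.0/24 is directly connected, vlan100
C       10.200.0.0/24 is directly connected, npu0_vlink1
C       192.168.1.0/24 is directly connected, dmz
B       192.168.2.0/24 [20/0] via 192.168.1.254, dmz, 03:00:13
"""

# What the vrf-leak configuration in step 6 should produce: (vrf, prefix, egress interface).
EXPECTED_LEAKS: List[Tuple[int, str, str]] = [
    (1, "10.100.0.0/24", "npu0_vlink0"),   # VRF 2's LAN leaked into VRF 1 (return path)
    (2, "0.0.0.0/0", "npu0_vlink1"),       # VRF 1's default route leaked into VRF 2
]


@dataclass
class Route:
    vrf: int
    code: str                    # S, S*, B, B*, C ... as printed by FortiOS
    network: ipaddress.IPv4Network
    nexthop: Optional[str]       # None for connected routes
    intf: str
    ad: Optional[int]
    metric: Optional[int]


def parse_routing_table(text: str) -> Dict[int, List[Route]]:
    tables: Dict[int, List[Route]] = {}
    vrf: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        h = VRF_HEADER.match(line)
        if h:
            vrf = int(h["vrf"])
            tables.setdefault(vrf, [])
            continue
        m = ROUTE_LINE.match(line)
        if not m or vrf is None:
            continue                       # blank line, banner or "## lines omitted ##"
        tables[vrf].append(Route(
            vrf, m["code"], ipaddress.ip_network(m["prefix"]),
            m["nexthop"], m["intf"] or m["cintf"],
            int(m["ad"]) if m["ad"] else None,
            int(m["metric"]) if m["metric"] else None,
        ))
    return tables


def lookup(tables: Dict[int, List[Route]], vrf: int, ip: str) -> Optional[Route]:
    """Longest-prefix match inside one VRF, the way the forwarding decision is made."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Route] = None
    for r in tables.get(vrf, []):
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def missing_leaks(tables: Dict[int, List[Route]],
                  expected: List[Tuple[int, str, str]] = EXPECTED_LEAKS) -> List[Tuple[int, str, str]]:
    """Return the expected leaks that are absent: a BGP-learned route for exactly that
    prefix, pointing out of that inter-VDOM link, must exist in the VRF."""
    missing = []
    for vrf, prefix, intf in expected:
        want = ipaddress.ip_network(prefix)
        if not any(r.network == want and r.code.startswith("B") and r.intf == intf
                   for r in tables.get(vrf, [])):
            missing.append((vrf, prefix, intf))
    return missing


if __name__ == "__main__":
    t = parse_routing_table(SAMPLE)
    print("missing leaks:", missing_leaks(t))
    print("VRF 2 -> 8.8.8.8 via", lookup(t, 2, "8.8.8.8").intf)
    # 192.168.2.0/24 was not leaked, so from VRF 1 it follows the default route out wan1
    print("VRF 1 -> 192.168.2.5 via", lookup(t, 1, "192.168.2.5").intf)
```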

8. Configure firewall policies

This is an example of a firewall policy setup. You will need to configure a policy from the physical or VLAN interface to the VDOM-Link in VRF 2 and then a policy from the VDOM-Link to the WAN interface in VRF 1. I have also configured policies for a VIP (Virtual IP) for connecting to the server via its public IP.

9. Test

david@WonderSH:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  _gateway (10.100.0.254)  0.587 ms  0.319 ms  0.326 ms
 2  10.200.0.1 (10.200.0.1)  0.354 ms  0.367 ms  0.351 ms
 3  vodafone.connect (10.50.0.254)  5.202 ms  4.974 ms  4.777 ms

If you feel that there is anything you can add or have a question please feel free to leave a comment below.

How to configure an Automation Stitch (email alert) on a Fortigate using Gmail SMTP.

This is a quick reference on how to configure an Automation Stitch on a Fortigate using Gmail SMTP.

Please note that I configured this on Fortigate Firmware 6.2.7

1. Configure SMTP server on Fortigate.

Probably easiest to just copy and paste the below into the CLI (with your details) – otherwise you can find the settings under System/Settings on the GUI. You will need to add the Gmail account that will act as the sending account for the alert emails.

config system email-server
    set server "smtp.gmail.com"
    set port 465
    set authenticate enable
    set username "yourgmail@gmail.com"
    set password yourpassword
    set security smtps
end

2. Allow Fortigate access to GMAIL account.

You will need to go into your Gmail account – and allow access as per screenshot. (turn on Less secure app access).

3. Configure Automation Stitch

3.1 GUI

3.1.1 Create New

This can be found under Security Fabric / Automation

3.1.2 Select trigger for email

3.1.3 Select Email

Add the email address that you want the alerts sent to.

3.2 CLI

Configure the SMTP server email configured in step 1 as the “email-from”

config system automation-action
    edit "Nameofstitch_email"
        set action-type email
        set email-to "youremail@gmail.com"
        set email-from "yourgmail@gmail.com"
        set email-subject "configuration change"
        set email-body "%%log%%"
        set minimum-interval 60
        set delay 0
        set required disable
    next
end

4. Test

You will need to test this by performing the action the stitch is set up for. You can set it up to alert on a successful admin logout or a reboot, for example, and test that way.

Thank you for reading and please feel free to leave any feedback.

How to configure BGP over IPSEC VPN Fortigate CLI.

This is a quick reference on how to configure BGP over IPSEC VPN Fortigate CLI.

1. Scenario

2. Configure Firewall “BGP1”

2.1 Configure VPN IPSEC phase1-interface

config vpn ipsec phase1-interface
    edit "BGP_1"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set remote-gw 10.0.0.6
        set psksecret yourpassword
    next
end

2.2 Configure VPN IPSEC phase2-interface

config vpn ipsec phase2-interface
    edit "BGP_1"
        set phase1name "BGP_1"
        set proposal des-md5 des-sha1
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

2.3 Configure firewall policies

config firewall policy
    edit 1
        set name "BGP-VPN"
        set srcintf "BGP_1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "BGP-VPN"
        set srcintf "port2"
        set dstintf "BGP_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

2.4 Edit VPN interface

You will need to configure an IP address on either end of the tunnel including the corresponding remote IP address of the remote device.

config system interface
    edit "BGP_1"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.2 255.255.255.255
        set snmp-index 12
        set interface "port1"
    next
end

2.5 Configure BGP

Configure the IP address of the remote end’s IPSEC VPN interface as the neighbour address, as per step 2.4.

config router bgp
    set as 1111
    set router-id 1.1.1.1
    config neighbor
        edit "1.1.1.2"
            set remote-as 1112
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end


3. Configure Firewall BGP2

3.1 Configure VPN IPSEC phase1-interface

config vpn ipsec phase1-interface
    edit "BGP_1"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set remote-gw 10.0.0.2
        set psksecret yourpassword
    next
end

3.2 Configure VPN IPSEC phase2-interface

config vpn ipsec phase2-interface
    edit "BGP_1"
        set phase1name "BGP_1"
        set proposal des-md5 des-sha1
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

3.3 Configure firewall policies


config firewall policy
    edit 1
        set name "BGP-VPN"
        set srcintf "BGP_1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "BGP-VPN"
        set srcintf "port2"
        set dstintf "BGP_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

3.4 Edit VPN interface

config system interface
   edit "BGP_1"
        set vdom "root"
        set ip 1.1.1.2 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.1 255.255.255.255
        set snmp-index 12
        set interface "port1"
    next
end

3.5 Configure BGP

config router bgp
    set as 1112
    set router-id 1.1.1.2
    config neighbor
        edit "1.1.1.1"
            set remote-as 1111
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end

4. Diagnosis

4.1 Check the VPN tunnel is up

If the phase 2 tunnel is down you will see no SAs (security associations), for example sa=0.

BGP2 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=BGP_1 ver=1 serial=1 10.0.0.6:0->10.0.0.2:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=16 ilast=7 olast=7 ad=/0
stat: rxp=287 txp=277 rxb=34664 txb=19048
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=BGP_1 proto=0 sa=1 ref=2 serial=2
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1446 expire=40274/0B replaywin=2048
       seqno=116 esn=0 replaywin_lastseq=00000120 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=e7bd5aa2 esp=des key=8 5fed049f153a3bc1
       ah=md5 key=16 9fb00da00bba3e3ea0a7f456d04b8b84
  enc: spi=11c9c117 esp=des key=8 585db5038f75e4b2
       ah=md5 key=16 5fd1f5e42993cdf31243f2869cdf5bec
  dec:pkts/bytes=287/19656, enc:pkts/bytes=277/33496
run_tally=1

4.2 Check the BGP neighbour is up

BGP2 # get router info bgp summary
BGP router identifier 1.1.1.2, local AS number 1112
BGP table version is 2
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4       1111       9       8        1    0    0 00:06:06        4

Total number of neighbors 1

4.3 Check the BGP routing table


BGP2 # get router info routing-table bgp

Routing table for VRF=0
B       10.0.0.0/30 [20/0] via 1.1.1.1, BGP_1, 00:04:23
B       192.168.1.0/24 [20/0] via 1.1.1.1, BGP_1, 00:04:23

4.4 Ping test from host to host

PC2> ping 192.168.1.1

84 bytes from 192.168.1.1 icmp_seq=1 ttl=62 time=21.280 ms
84 bytes from 192.168.1.1 icmp_seq=2 ttl=62 time=19.798 ms
84 bytes from 192.168.1.1 icmp_seq=3 ttl=62 time=20.844 ms
84 bytes from 192.168.1.1 icmp_seq=4 ttl=62 time=30.281 ms
84 bytes from 192.168.1.1 icmp_seq=5 ttl=62 time=22.197 ms

Thank you for reading and please feel free to leave any feedback.

How to configure OSPF over IPSEC VPN using the Fortigate CLI.

This is a quick reference on how to configure OSPF over an IPSEC VPN using the Fortigate CLI.

1. Scenario

2. Configure Firewall OSPF1

2.1 Configure VPN IPSEC phase1-interface

config vpn ipsec phase1-interface
    edit "OSPF_1"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set remote-gw 10.0.0.6
        set psksecret yourpassword
    next
end

2.2 Configure VPN IPSEC phase2-interface

config vpn ipsec phase2-interface

 edit "OSPF_1"
        set phase1name "OSPF_1"
        set proposal des-md5 des-sha1
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

2.3 Configure firewall policies

config firewall policy

edit 1
        set name "OSPF-VPN"
        set srcintf "OSPF_1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next

edit 2
        set name "OSPF-VPN"
        set srcintf "port2"
        set dstintf "OSPF_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

2.4 Edit VPN interface

You will need to add an IP address and remote IP address to the IPSEC VPN interface so that OSPF can send multicast traffic over the IPSEC tunnel.

config system interface
    edit "OSPF_1"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.2 255.255.255.255
        set snmp-index 12
        set interface "port1"
    next
end

2.5 Configure OSPF

Under the network configuration, ensure that the network prefix covers the IP address you configured on the IPSEC VPN interface. The network statement tells OSPF which interfaces to send OSPF information out of.

config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "VPN_OSPF"
            set interface "OSPF_1"
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 1.1.1.0 255.255.255.252
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

3. Configure Firewall OSPF2

3.1 Configure VPN IPSEC phase1-interface

config vpn ipsec phase1-interface
edit "OSPF_1"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set remote-gw 10.0.0.2
        set psksecret yourpassword
    next
end

3.2 Configure VPN IPSEC phase2-interface

config vpn ipsec phase2-interface

 edit "OSPF_1"
        set phase1name "OSPF_1"
        set proposal des-md5 des-sha1
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
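A config audit of the phase1/phase2 blocks above, added here as an example and not taken from the original post: it parses the FortiGate "config vpn ipsec" output, flags proposals built on DES/3DES/MD5, and reports phase1 entries that use "peertype any". The sample config is constructed from the BGP_1 values shown earlier on this page.

```python
"""Audit the phase1/phase2 proposals in a FortiGate IPsec config dump.

Added example, not the author's code: it parses the `config vpn ipsec
phase1-interface` / `phase2-interface` blocks shown above and flags
proposals built on DES/3DES/MD5 and phase1 entries that accept any peer ID.
"""
import re

# Constructed sample reproducing the BGP_1 tunnel from the guide above.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "BGP_1"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set remote-gw 10.0.0.2
        set psksecret yourpassword
    next
end
config vpn ipsec phase2-interface
    edit "BGP_1"
        set phase1name "BGP_1"
        set proposal des-md5 des-sha1
    next
end
"""

# Cipher / hash tokens that should not appear in a proposal today.
WEAK_TOKENS = {"des", "3des", "md5"}


def parse_ipsec_config(text):
    """Return {(table, name): {setting: value}} for every `edit` block."""
    result = {}
    table = name = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("config vpn ipsec "):
            table = s.split()[-1]            # phase1-interface / phase2-interface
        elif s.startswith("edit ") and table:
            name = s.split(None, 1)[1].strip('"')
            result[(table, name)] = {}
        elif s.startswith("set ") and name:
            key, _, value = s[4:].partition(" ")
            result[(table, name)][key] = value.strip()
        elif s in ("next", "end"):
            name = None
            if s == "end":
                table = None
    return result


def weak_proposals(proposal_value):
    """Return the proposals whose cipher or hash token is in WEAK_TOKENS."""
    flagged = []
    for prop in proposal_value.split():
        if any(t in WEAK_TOKENS for t in re.split(r"[-_]", prop)):
            flagged.append(prop)
    return flagged


def audit(text):
    """Return a list of (table, name, finding) tuples for the config."""
    findings = []
    for (table, name), settings in parse_ipsec_config(text).items():
        weak = weak_proposals(settings.get("proposal", ""))
        if weak:
            findings.append((table, name, "weak proposal: " + " ".join(weak)))
        if table == "phase1-interface" and settings.get("peertype") == "any":
            findings.append((table, name, "peertype any: accepts any peer ID"))
    return findings


if __name__ == "__main__":
    for table, name, finding in audit(SAMPLE_CONFIG):
        print("%s %s: %s" % (table, name, finding))
```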

3.3 Configure firewall policies


config firewall policy

edit 1
        set name "OSPF-VPN"
        set srcintf "OSPF_1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next

    edit 2
        set name "OSPF-VPN"
        set srcintf "port2"
        set dstintf "OSPF_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

3.4 Edit VPN interface

config system interface
   edit "OSPF_1"
        set vdom "root"
        set ip 1.1.1.2 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.1 255.255.255.255
        set snmp-index 12
        set interface "port1"
    next
end

3.5 Configure OSPF

config router ospf
    set router-id 1.1.1.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "VPN_OSPF"
            set interface "OSPF_1"
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 1.1.1.0 255.255.255.252
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

4. Diagnosis

4.1 Check the VPN tunnel is up

If the phase 2 tunnel is down you will see no SAs (security associations), for example sa=0.

OSPF2 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=OSPF_1 ver=1 serial=1 10.0.0.6:0->10.0.0.2:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=16 ilast=7 olast=7 ad=/0
stat: rxp=287 txp=277 rxb=34664 txb=19048
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=OSPF_1 proto=0 sa=1 ref=2 serial=2
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1446 expire=40274/0B replaywin=2048
       seqno=116 esn=0 replaywin_lastseq=00000120 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=e7bd5aa2 esp=des key=8 5fed049f153a3bc1
       ah=md5 key=16 9fb00da00bba3e3ea0a7f456d04b8b84
  enc: spi=11c9c117 esp=des key=8 585db5038f75e4b2
       ah=md5 key=16 5fd1f5e42993cdf31243f2869cdf5bec
  dec:pkts/bytes=287/19656, enc:pkts/bytes=277/33496
run_tally=1

4.2 Check the OSPF neighbour

OSPF1 # get router info ospf neighbor

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.2           1   Full/ -         00:00:34    1.1.1.2         OSPF_1

4.3 Check the OSPF routing table

OSPF1 # get router info routing-table ospf

Routing table for VRF=0
O E2    10.0.0.4/30 [110/10] via 1.1.1.2, OSPF_1, 00:47:16
O E2    192.168.2.0/24 [110/10] via 1.1.1.2, OSPF_1, 00:47:16

4.4 Ping test from host to host

PC2> ping 192.168.1.1

84 bytes from 192.168.1.1 icmp_seq=1 ttl=62 time=21.280 ms
84 bytes from 192.168.1.1 icmp_seq=2 ttl=62 time=19.798 ms
84 bytes from 192.168.1.1 icmp_seq=3 ttl=62 time=20.844 ms
84 bytes from 192.168.1.1 icmp_seq=4 ttl=62 time=30.281 ms
84 bytes from 192.168.1.1 icmp_seq=5 ttl=62 time=22.197 ms

Thank you for reading and please feel free to leave any feedback.

How to configure DHCP over IPSEC Dialup VPN using a Fortigate and Ubuntu DHCP server.

This is a detailed guide on how to configure DHCP over IPSEC Dialup VPN using a Fortigate and Ubuntu DHCP server.

1. Configure Ubuntu DHCP Server

1.1 Install ISC-DHCP

sudo apt-get install isc-dhcp-server -y

1.2 Configure DHCP Server

1.2.1 Check listening interface

You will need to take note of the name of the interface that will be listening for DHCP requests, as well as its IP network address.

root@dhcp-server:~# ifconfig
ens18: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.60.0.1  netmask 255.255.255.0  broadcast 10.60.0.255
        inet6 fe80::7ca8:39ff:fe64:268  prefixlen 64  scopeid 0x20
        ether 7e:a8:39:64:02:68  txqueuelen 1000  (Ethernet)
        RX packets 726  bytes 835486 (835.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 362  bytes 42915 (42.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

1.2.2 Assign interface to listen for DHCP requests

Add the interface to the file /etc/default/isc-dhcp-server: scroll down to INTERFACESv4="" and add your interface as in the example below.

root@dhcp-server:~# nano /etc/default/isc-dhcp-server
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)

# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf

# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid

# Additional options to start dhcpd with.
#       Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#       Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="ens18"
INTERFACESv6=""

1.2.3 Configure /etc/dhcp/dhcpd.conf

You will need to first configure a DHCP scope for the listening interface, even if you are not going to serve IP addresses to the connected subnet. If you do not configure a scope for the listening interface the DHCP service will not start. In the example below I have set the scope to include only the existing interface IP address (range 10.60.0.1 10.60.0.1;).

# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# Attention: If /etc/ltsp/dhcpd.conf exists, that will be used as
# configuration file instead of this file.
#

# option definitions common to all supported networks...

subnet 10.60.0.0 netmask 255.255.255.0 {
   authoritative;
   range 10.60.0.1 10.60.0.1;
   default-lease-time 3600;
   max-lease-time 3600;
   option subnet-mask 255.255.255.0;
   option broadcast-address 10.60.0.255;
   option routers 10.60.0.1;
   option domain-name-servers 8.8.8.8;
   option domain-name "example.com";
}

Next, configure the DHCP scope for the IPSEC clients beneath the above configuration.

# Subnet of client machines
subnet 192.168.50.0 netmask 255.255.255.0 {
        range dynamic-bootp             192.168.50.10 192.168.50.100;
        option subnet-mask              255.255.255.0;
        default-lease-time              21600;
        max-lease-time                  43200;
        option domain-name-servers      8.8.8.8, 8.8.8.4;
        option routers                  192.168.50.1;
        option broadcast-address        192.168.50.255;
        filename "pxelinux.0";
        allow unknown-clients;
}
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)

1.2.4 Start the DHCP server

sudo service isc-dhcp-server restart
sudo service isc-dhcp-server start
sudo service isc-dhcp-server stop

2. Configure the Fortigate User and User Group

Depending on your setup you may be using remote authentication such as LDAP or RADIUS. In this scenario we will be using a local account.

2.1 Configure User Account

config user local
    edit "yourusername"
        set type password
        set passwd yourpasswordhere
    next
end

2.2 Configure user group and assign user

config user group
    edit "YOURVPNGROUP"
        set member "yourusername"
    next
end

3. Configure Fortigate Dialup IPSEC VPN

3.1 Configure VPN IPSEC phase 1

config vpn ipsec phase1-interface
    edit "YOURPHASE1NAME"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set dhgrp 5
        set xauthtype auto
        set authusrgrp "YOURVPNGROUP"
        set psksecret "YOURPSK"
        set dpd-retryinterval 60
    next
end

3.2 Configure VPN IPSEC phase 2

config vpn ipsec phase2-interface
    edit "YOURPHASE2NAME"
        set phase1name "YOURPHASE1NAME"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 5
        set dhcp-ipsec enable
    next
end

4. Configure Fortigate IPSEC interface to enable DHCP

Configure the IP address of the DHCP server (the DHCP relay IP address). You will also have to assign an IP address to the IPSEC interface so that the DHCP server can identify which network the relayed request comes from and assign the client an IP address from that respective subnet.

config system interface
    edit "YOURPHASE1NAME"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 192.168.50.1 255.255.255.255
        set type tunnel
        set snmp-index 9
        set dhcp-relay-ip "10.60.0.1"
        set dhcp-relay-type ipsec
        set interface "wan1"
    next
end
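A check of the dhcpd.conf from step 1.2.3 against the relay setup from step 4, added here as an example and not taken from the original post. ISC dhcpd chooses the scope for a relayed request from the relay agent address (giaddr) the Fortigate puts in the packet, which is the tunnel interface IP configured above; the sample dhcpd.conf is constructed from the two subnet blocks on this page.

```python
"""Check a dhcpd.conf against the FortiGate relay setup (added example).

ISC dhcpd selects the scope for a relayed request from the relay agent
address (giaddr), so the IPsec interface IP (192.168.50.1 above) must fall
inside a declared subnet, and dhcpd refuses to start without a subnet
declaration for the interface it listens on (10.60.0.1 above).
"""
import ipaddress
import re

# Constructed sample reproducing the two subnet blocks from step 1.2.3.
DHCPD_CONF = """\
subnet 10.60.0.0 netmask 255.255.255.0 {
   authoritative;
   range 10.60.0.1 10.60.0.1;
   option routers 10.60.0.1;
}
# Subnet of client machines
subnet 192.168.50.0 netmask 255.255.255.0 {
        range dynamic-bootp             192.168.50.10 192.168.50.100;
        option routers                  192.168.50.1;
        allow unknown-clients;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
RANGE_RE = re.compile(r"range\s+(?:dynamic-bootp\s+)?(\S+)\s+(\S+)\s*;")


def parse_scopes(conf):
    """Return a list of (network, (first, last) or None) per subnet block."""
    scopes = []
    for net, mask, body in SUBNET_RE.findall(conf):
        network = ipaddress.ip_network("%s/%s" % (net, mask), strict=False)
        m = RANGE_RE.search(body)
        pool = None
        if m:
            pool = (ipaddress.ip_address(m.group(1)),
                    ipaddress.ip_address(m.group(2)))
        scopes.append((network, pool))
    return scopes


def scope_for_giaddr(scopes, giaddr):
    """Return the declared network containing the relay address, or None."""
    addr = ipaddress.ip_address(giaddr)
    for network, _pool in scopes:
        if addr in network:
            return network
    return None


def check_relay_setup(conf, listen_ip, relay_ip):
    """Return the problems this listener / relay combination would hit."""
    scopes = parse_scopes(conf)
    problems = []
    if scope_for_giaddr(scopes, listen_ip) is None:
        problems.append("no subnet declaration for listening interface %s; "
                        "dhcpd will not start" % listen_ip)
    net = scope_for_giaddr(scopes, relay_ip)
    if net is None:
        problems.append("relay address %s matches no scope; "
                        "relayed requests get no lease" % relay_ip)
    elif dict(scopes)[net] is None:
        problems.append("scope %s has no range; nothing to hand out" % net)
    return problems
```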

5. Configure Fortigate Firewall Policy

Please note: split tunneling is configured on the VPN client and not on the firewall. The example below is for no split tunnel, so the destination is both WAN (internet) and LAN (private network).

config firewall policy
    edit 7
        set name "IPSEC->LAN"
        set uuid b74553a4-4f47-51eb-47af-9d6c15bb5f15
        set srcintf "YOURPHASE1NAME"
        set dstintf "internal5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat disable
    next
    edit 8
        set name "VPN-WAN"
        set uuid f2837a40-4f6a-51eb-28e0-cad297096df6
        set srcintf "YOURPHASE1NAME"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end

6. Configure Forticlient

You can leave all the IPSEC VPN negotiation settings at their defaults. You will need to add your connection name, Remote Gateway (the public IP address of the Fortigate), Pre-Shared Key and Username. In addition to this you will need to select the radio button for DHCP over IPSEC. If you want the internet connection to stay local rather than go via the Fortigate, enable IPv4 Split Tunnel and add the networks that are to be routable over the VPN.

Thank you for reading – please do not hesitate to leave a comment if you have any questions.

How to send logs to a syslog server on Observium using a Fortigate as the syslog client

This is a detailed guide on how to send logs to a syslog server on Observium using a Fortigate as the syslog client.

1. Configure rsyslogd for Observium

1.1 Check version of rsyslogd

Make sure you have rsyslog installed and that it is current. This guide is for rsyslog version 8 and later.

rsyslogd -v

1.2 Enable remote logging

Remove the comment (remove the #) from the following lines: module(load="imtcp") and input(type="imtcp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

1.3 Create the file /etc/rsyslog.d/30-observium.conf

Create the file /etc/rsyslog.d/30-observium.conf and add the following lines to it.

#---------------------------------------------------------
# send remote logs to observium

# provides UDP syslog reception
module(load="imudp")

input(type="imudp"
      port="514"
      ruleset="observium")

## provides TCP syslog reception (uncomment if required)
#module(load="imptcp")
#
#input(type="imptcp"
#      port="514"
#      ruleset="observium")

module(load="omprog")

# observium syslog template
template(name="observium"
         type="string"
         string="%fromhost%||%syslogfacility%||%syslogpriority%||%syslogseverity%||%syslogtag%||%$year%-%$month%-%$day% %timereported:8:25%||%msg%||%programname%\n")

# observium RuleSets
ruleset(name="observium") {
    action(type="omprog"
           binary="/opt/observium/syslog.php"
           template="observium")
    stop
}

#---------------------------------------------------------

1.4 Restart rsyslog

Restart rsyslog for the configuration to be applied.

service rsyslog restart

2. Configure SNMP on the Fortigate.

2.1 Add SNMP string and SNMP server (Observium Server IP) to Fortigate

The name in this instance is the community string used to authenticate the agent and the server, "SNMPGUIDE!".

config system snmp community
    edit 1
        set name "SNMPGUIDE!"
            config hosts
                edit 1
                    set ip 91.203.x.x 255.255.255.255
                next
            end
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open faz-disconnect wc-ap-up wc-ap-down
    next
end

2.2 Allow access for SNMP on Fortigate interface.

You will need to set allowaccess for SNMP on the Fortigate's interface.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 192.168.1.150 255.255.255.0
        set allowaccess ping https ssh snmp
    next
end

2.3 Add Observium IP address to trusted host of the Fortigate

config system admin
    edit "admin"
        set trusthost4 91.203.x.x 255.255.255.255
    next
end

3. Add SNMP string and SNMP agent (Fortigate IP) to Observium

Under Devices, click New Device. Add the endpoint IP address of the Fortigate and the community string.

If all is well you should see confirmation that the device has been added successfully.

4. Configure the syslog server on Fortigate

config log syslogd setting
    set status enable
    set server "91.203.x.x"
    set port 514
end

5. Test

6. Troubleshoot

6.1 Make sure all settings match the IP addresses and community strings shown above.

6.2 Ensure traffic is being sent and is reaching its destination.

Fortigate Sniffer

diagnose sniffer packet any "port 514"
diagnose sniffer packet any "port 161"
diagnose sniffer packet any "host 91.203.x.x"

Syslog Server

root@Syslog:~# tcpdump -i eth0 port 514
root@Syslog:~# tcpdump -i eth0 port 161

You can specify a different port if your server is listening on a different port.
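Once the sniffer shows packets arriving on port 514, the next check is whether the lines decode correctly. The following decoder is an added example and not part of the original post: it splits the PRI header into the facility and severity that the observium template above emits as %syslogfacility% and %syslogseverity%, then parses the key=value body of a Fortigate event log. The sample line is constructed in the Fortigate event-log format, not a real capture.

```python
"""Decode a FortiGate syslog line as rsyslog would receive it on port 514.

Added example, not from the original post: splits the <PRI> header into
facility/severity and parses the key=value body of a FortiGate event log so
a captured line can be checked before trusting the Observium pipeline.
"""
import re

# RFC 3164 facility and severity codes (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit",
              "logalert", "clock", "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]

# Constructed sample in the FortiGate event-log format (not a real capture;
# devid and logid are placeholders).
SAMPLE_LINE = ('<189>date=2021-03-01 time=10:15:42 devname="FGT-LAB" '
               'devid="FG100EXXXXXXXXXX" logid="0100032002" type="event" '
               'subtype="system" level="notice" vd="root" '
               'logdesc="Admin login failed" user="admin" ui="ssh(10.0.0.5)" '
               'action="login" status="failed" reason="passwd_invalid" '
               'msg="Administrator admin login failed from ssh(10.0.0.5)"')

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# key=value pairs; quoted values may contain spaces and escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_syslog(line):
    """Return a dict with facility, severity and every key=value field."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    record = {"facility": FACILITIES[pri // 8],
              "severity": SEVERITIES[pri % 8]}
    for key, value in KV_RE.findall(m.group(2)):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        record[key] = value
    return record


def is_failed_admin_login(record):
    """True for the admin login failures worth alerting on from the syslog feed."""
    return (record.get("type") == "event"
            and record.get("action") == "login"
            and record.get("status") == "failed")


if __name__ == "__main__":
    rec = parse_fortigate_syslog(SAMPLE_LINE)
    print(rec["facility"], rec["severity"], rec["logdesc"], is_failed_admin_login(rec))
```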


Thank you for reading and please feel free to leave any feedback.