Tuesday, 24 December 2019

migrate line

1. change the IP address on the WAN interface
2. static routes (the default route and any route that points at the old gateway)
3. VPN (IPsec remote gateways and SSL VPN hostnames that reference the old public IP)
4. virtual IPs that use the existing public IP (change extip / extintf on each)
5. email public IP (mail server VIP, DNS/SPF records and any remote allow-lists that still name the old address)

Tuesday, 17 December 2019

VPN dial up

Dial-up (dynamic) IPsec must be used when the remote FortiGate sits behind NAT, whether its WAN interface carries a public or a private IP, because the hub cannot initiate to an address it cannot reach.

How to recognise it from the logs: the spoke reports its own FortiGate WAN IP as the source, while the gateway (hub) FortiGate logs a different remote IP (the NAT gateway's public address). That mismatch means the ISP is doing NAT or there is a MikroTik router in front of the FortiGate.
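The dial-up pair described above, as an added FortiOS CLI example (not configuration taken from this page). Interface names, the hub address 203.0.113.10, the LAN subnets 192.168.10.0/24 (hub) and 192.168.20.0/24 (spoke) and the tunnel names are assumptions for the illustration; replace the pre-shared key before use.

```fortios
# --- HUB: the side with the reachable public IP (203.0.113.10 on wan1, assumed) ---
config vpn ipsec phase1-interface
    edit "dialup-hub"
        set type dynamic            # accept IKE from any source: the spoke's address is unknown/NATed
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable     # default, but this (UDP 4500 encapsulation) is what makes NAT work
        set add-route enable        # install the spoke's phase 2 selectors as routes when it connects
        set psksecret "REPLACE-WITH-LONG-RANDOM-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "dialup-hub-p2"
        set phase1name "dialup-hub"
        set proposal aes256-sha256
        set dhgrp 14
        # selectors left at 0.0.0.0/0: any spoke subnet is accepted; narrow per spoke if preferred
    next
end

# --- SPOKE: wan1 has a private IP behind the ISP / MikroTik NAT ---
config vpn ipsec phase1-interface
    edit "to-hub"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10  # only the spoke dials; the hub never learns a fixed spoke address
        set nattraversal enable
        set keepalive 10            # NAT-T keepalive so the NAT mapping does not expire when idle
        set dpd on-idle
        set psksecret "REPLACE-WITH-LONG-RANDOM-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "to-hub-p2"
        set phase1name "to-hub"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 192.168.20.0 255.255.255.0   # spoke LAN (assumed)
        set dst-subnet 192.168.10.0 255.255.255.0   # hub LAN (assumed)
        set auto-negotiate enable                   # spoke brings the tunnel up; the hub cannot
    next
end
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set device "to-hub"
    next
end
```

Firewall policies between the tunnel interface and the LAN are still required on both sides. To confirm the NAT condition on the hub, `diagnose vpn ike gateway list` shows the remote address the hub actually sees; if it is the NAT gateway's public IP rather than the spoke's WAN IP (and port 4500 is in use), the spoke is behind NAT and a static site-to-site definition with `remote-gw` on the hub would never come up.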

Thursday, 5 December 2019

checklist fortigate

1. interface
    1.1 PPPoE: set the distance and priority you want on the interface (see the 3 December note on route selection)
    1.2 VLAN interface for wireless
    1.3 Unifi PPPoE username and password
    If there is a VoIP phone adapter (e.g. DVG5004S), the TM wireless router cannot be bypassed: keep the TM router in front, give the FortiGate WAN a private IP from it and DMZ the TM router to the FortiGate WAN IP. Do not put clients on the TM router's wireless, since they would bypass the FortiGate.
    1.4 DNS: FortiDDNS if the WAN address is dynamic
    1.5 static routes and policy routes

2. system
    2.1 add the itwin admin account (restrict it with trusted hosts)
    2.2 firmware: upgrade step by step along the supported upgrade path, starting from the lowest version, never straight to the latest
    2.3 register with FortiGuard (web filter, application control and IPS updates depend on it)

3. policy
    3.1 user authentication where required
    3.2 add every subnet as an address object and group them
    3.3 security profiles: application control and web filter
    3.4 VIPs for inbound services

4. vpn
    4.1 IPsec: request the gateway IP, local and remote subnets, phase 1 and phase 2 parameters (proposals, DH group, PSK)
    4.2 SSL VPN: user group
    4.3 SSL VPN portal: change the tunnel IP pool if it overlaps an existing subnet

5. user
    5.1 users and groups
    5.2 user authentication
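Items 2.1, 3.2 and 3.3 of the checklist as an added FortiOS CLI example (not the page's own configuration). The admin name, the management subnet 192.168.10.0/24, the two LAN subnets, the interface names and the profile names are assumptions; "default" and "certificate-inspection" are the factory profile names.

```fortios
# 2.1  Dedicated admin for the integrator, reachable only from the management subnet
config system admin
    edit "itwin-admin"
        set accprofile "super_admin"
        set trusthost1 192.168.10.0 255.255.255.0   # GUI/SSH logins from anywhere else are refused
        set vdom "root"
        set password "REPLACE-WITH-STRONG-PASSWORD"
    next
end

# 3.2  One address object per subnet, collected in a group that policies reference
config firewall address
    edit "LAN-10"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "LAN-20"
        set subnet 192.168.20.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "ALL-LAN"
        set member "LAN-10" "LAN-20"
    next
end

# 3.3  Outbound policy with application control and web filtering enabled
config firewall policy
    edit 0                          # 0 = next free policy ID
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "ALL-LAN"       # the group, so a new subnet only needs adding to the group
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end
```

The web filter and application control profiles only do useful work once the unit is registered and licensed with FortiGuard (item 2.3); without the subscription the categories and signatures are not updated.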

Tuesday, 3 December 2019

fortigate route, priority, dhcp, pppoe

FortiGate selects a route by distance first, then by priority.

1. Distance is checked first. For the same destination only the route with the lowest distance is installed in the routing table; routes with a higher distance stay in the routing database and are not used.

show the routing table:
get router info routing-table all
show all candidate routes, including those not installed:
get router info routing-table database

2. If two routes have the same distance, both are installed in the routing table and priority decides which one carries the traffic. The lower priority value is preferred.
The default route learned on a PPPoE or DHCP interface has priority 0 by default.
- The same-distance route that is not preferred is still in the routing table, so a policy route can send selected traffic through it.

To change the distance or priority of the default route learned on a PPPoE or DHCP interface, set it on the interface in the CLI:
config system interface
    edit XXX            XXX = interface name
        set priority YY     YY = priority value
    next
end

sangfor vpn

The Sangfor SSL VPN portal is reached on port 4430:
https://21.93.104.13:4430

sophos reset and default password

1. connect to the console
2. at the login menu choose "admin password reset", option 4

After the reset the default credentials are admin / admin; change the password immediately after logging in.

Thursday, 28 November 2019

Interface vlan

A FortiGate VLAN interface (e.g. vlan200) is an 802.1Q tagged sub-interface, so at layer 2 it only works if the switch port it connects to is a trunk (tagged) that allows VLAN 200.
Routing between VLANs is done by the FortiGate, and only where a firewall policy between the VLAN interfaces allows the traffic.
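The VLAN interface described above, as an added FortiOS CLI example (not configuration from this page). The parent port "internal", the subnet 192.168.200.0/24, the DHCP range and the policy name are assumptions.

```fortios
# Tagged sub-interface on the "internal" port; the switch side must be a trunk allowing VLAN 200
config system interface
    edit "vlan200"
        set vdom "root"
        set ip 192.168.200.1 255.255.255.0
        set allowaccess ping        # no admin access (https/ssh) from a client VLAN
        set role lan
        set interface "internal"    # parent physical port
        set vlanid 200
    next
end

# DHCP scope for the VLAN, served by the FortiGate itself
config system dhcp server
    edit 0
        set interface "vlan200"
        set default-gateway 192.168.200.1
        set netmask 255.255.255.0
        set dns-service default     # hand out the FortiGate's system DNS servers
        config ip-range
            edit 1
                set start-ip 192.168.200.100
                set end-ip 192.168.200.200
            next
        end
    next
end

# The FortiGate routes between VLANs, but only traffic a policy permits passes
config firewall policy
    edit 0
        set name "vlan200-to-LAN"
        set srcintf "vlan200"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

A separate policy from "vlan200" to the WAN interface is needed for internet access; without any policy the VLAN hosts can reach only the FortiGate's own 192.168.200.1 address, which is the intended default-deny behaviour for a new wireless segment.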

Wednesday, 27 November 2019

Add new line internet

1. IP address on the new WAN interface
2. Interface role (lan / wan)
3. Interface settings (static, DHCP or PPPoE)
4. Distance (and priority) so the new line is installed alongside or instead of the existing default route
5. Policy routes for traffic that should use the new line
6. Static routes
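The second-line checklist above and the distance/priority notes of 3 December, worked as one added FortiOS CLI example (not configuration from this page). It assumes wan1 is a static public line (203.0.113.10/29, gateway 203.0.113.9), wan2 is a new PPPoE line, and a guest subnet 192.168.200.0/24 on "vlan200" should be steered out wan2; the credentials are placeholders.

```fortios
config system interface
    # wan1: existing static line
    edit "wan1"
        set mode static
        set ip 203.0.113.10 255.255.255.248
        set role wan
    next
    # wan2: new PPPoE line; the learned default route takes the distance/priority set here
    edit "wan2"
        set mode pppoe
        set username "unifi-user@unifi"     # ISP credentials (placeholder)
        set password "REPLACE"
        set defaultgw enable
        set distance 10     # equal to wan1's route => both default routes are installed
        set priority 5      # higher value = less preferred, so wan1 (priority 0) carries normal traffic
        set role wan
    next
end

# Default route for wan1; priority 0 makes it the preferred one of the two equal-distance routes
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.9
        set device "wan1"
        set distance 10
        set priority 0
    next
end

# Policy route: guest traffic leaves via wan2 even though wan1 is preferred.
# This only works because wan2's route is in the routing table (same distance).
config router policy
    edit 1
        set input-device "vlan200"
        set src "192.168.200.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "wan2"
    next
end
```

Verify with `get router info routing-table all`: both default routes should be listed, wan1 first. If wan2 were given a higher distance (say 20) it would appear only in `get router info routing-table database`, and the policy route would be skipped because no installed route points out wan2. Remember that the new line also needs its own outbound firewall policy (internal to wan2) with NAT enabled.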

Saturday, 9 November 2019

dhcp problem and view data


Please run the following on the CLI and share the output:
1. Dump the DHCP server configuration:
config system dhcp server
    edit 1
        get
    end

2. Identify the multiple IPs assigned to the one device in the DHCP monitor, then look each of them up in the ARP table:
get system arp | grep <IP address of the same iPhone>
Example:
get system arp | grep 192.168.0.1
get system arp | grep 192.168.0.2
get system arp | grep 192.168.0.3

Friday, 8 November 2019

virtual IP, for connect from outside

1. create the virtual IP
must configure:
interface - the interface that has the internet line
external ip - the public IP, or the WAN IP if the FortiGate is behind the ISP router
mapped ip - the private IP of the internal server

enable port forwarding [optional, but without it every port of the external IP is mapped to the server]
protocol
external port
map to port - internal port

2. create a firewall policy from the WAN interface to the internal interface with the VIP as destination; the VIP does nothing until a policy references it.
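The VIP and the policy that activates it, as an added FortiOS CLI example (not configuration from this page). The external address 203.0.113.10, the internal server 192.168.10.20, the interface names and the object names are assumptions.

```fortios
# Publish 203.0.113.10:443 on wan1 to the internal web server 192.168.10.20:443
config firewall vip
    edit "vip-web-https"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.10.20"
        set portforward enable      # single port only; without it the whole address is 1:1 mapped
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# Inbound policy: the VIP object is the destination, the service is the published one only
config firewall policy
    edit 0
        set name "Inbound-web-https"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web-https"
        set action accept
        set schedule "always"
        set service "HTTPS"         # not ALL: even with port forwarding, keep the policy narrow
        set logtraffic all
        set utm-status enable
        set ips-sensor "default"    # inspect inbound traffic to the exposed server
    next
end
```

When the internet line is migrated (see the 24 December checklist) only `extintf` and `extip` on the VIP change; the mapped address and the policy stay as they are.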

Thursday, 7 November 2019

local user authentication

The authentication timeout can be set to at most 4320 minutes (72 hours):
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30760

1. create the user group
1.1 create the local users and add them to the group
2. authentication settings: set the timeout (minutes)
   disable the redirect of the HTTP challenge to HTTPS only if the certificate warning is a problem; with it disabled the login page, and the password, go over plain HTTP

create the policy:
    source address plus the group (or the user) as the matching condition

Error "authentication failed":
Check that the username and the client IP are both matched by the policy
Change the password
Restart and reset the browser (clear its cache, so the old captive-portal redirect is not reused)

user authentication

One error can occur when the site you attempt to connect to uses HTTP Strict Transport Security (HSTS). The FortiGate answers the first request with its own login page and certificate, and HSTS forbids the browser from accepting a certificate that does not belong to the site, so you may get an error message that is impossible to override.

If this message appears, the best thing to do is browse to a different (plain HTTP or non-HSTS) site and re-attempt user authentication. Once your user credentials have been accepted by the FortiGate, you can access the site that was previously blocked (unless that site is blocked by web filtering).

Browsers sometimes recognize that authentication is required and display a different HSTS error message that allows you to access the login page.

If this error appears, you have the option to open the login page and enter your credentials.

Another error occurs when the common name of the certificate used for the HTTPS login page does not match the URL of the site you are attempting to access, because the page is served by the FortiGate rather than by the site.

If this message appears, do the same as for the HSTS error: browse to a different site, authenticate, and then return to the site that was blocked.

The firewall serves the HTTPS login page on port 1003, so the address that appears in the browser looks like
https://fgt.example.com:1003
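The 7 November procedure (users, group, timeout, policy) and the port 1003 note above, as one added FortiOS CLI example (not configuration from this page). The user "alice", the group "staff", the subnet 192.168.10.0/24 and the interface names are assumptions; 1003 is the default HTTPS authentication port, set explicitly here only to show where it lives.

```fortios
# Local user and the group the policy will match on
config user local
    edit "alice"
        set type password
        set passwd "REPLACE-WITH-STRONG-PASSWORD"
    next
end
config user group
    edit "staff"
        set member "alice"
    next
end

# Authentication settings
config user setting
    set auth-timeout 4320           # minutes: the 72-hour maximum
    set auth-timeout-type idle-timeout
    set auth-secure-http enable     # HTTP challenge redirected to HTTPS; "disable" sends the password in clear text
    config auth-ports
        edit 1
            set type https
            set port 1003           # the port seen in https://fgt.example.com:1003
        next
    end
end

# The policy: source subnet AND group membership; unauthenticated hosts get the login page
config firewall address
    edit "LAN-10"
        set subnet 192.168.10.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "Staff-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN-10"        # a host outside this subnet fails with "authentication failed"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "staff"          # a user not in this group also fails, even with a valid password
        set nat enable
    next
end
```

Both conditions on the policy explain the troubleshooting order above: an "authentication failed" message can come from a wrong password, from the user not being in the group, or from the client's IP not matching `srcaddr`. Importing the FortiGate's certificate (or using one signed by a trusted CA with the hostname in the URL) removes the certificate-name error; nothing removes the HSTS error, because that is the browser doing its job.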