FortiGuard DNS Rating Server (SDNS) unavailable

Last update from 12.05.2021 at 09:40 Swiss local time: We have noticed an improvement in the situation. Some rare rating timeouts still show up from time to time, but the majority of requests are being answered correctly. Also the DNS servers are working as usual again.

We have noticed an increase of support requests regarding the FortiGuard DNS rating service (SDNS) today. Therefore we want to inform you about the following issue.

The FortiGuard SDNS servers are not available as usual at the moment. This problem concerns at least fortiOS 6.0, 6.2, 6.4 and 7.0. You can confirm this issue on your FortiGate by:

  • Check the «Webfilter» log for messages like «rating timeout», «A rating error occurs» or «all Fortiguard servers failed to respond» messages in the «error» column.
  • Check the «DNS Query» log for «no available FortiGuard SDNS servers» or «DNS query timeout» messages in the «error» column.

We have also noticed, that:

  • The command «diag debug rating» shows no problems.
  • The «Test Connectivity» Button under «System» and «FortiGuard» in the WebGUI does still indicate a normal functional state.
  • Some systems that are sized a little too small may run into performance issues.

At the moment we can recommend you the following workarounds:

  • Enable the option «Allow websites when a rating error occurs» in your Webfilter and DNS Filter profiles.

We will update this blog post as soon as we have any news to communicate.

Fortigate und Swisscom TV – zum dritten

Unser letzter Beitrag zur Konfiguration einer Fortigate, um zuhause auch Swisscom TV durch die Fortigate zu bekommen, ist schon eine zeitlang her. Deswegen hier mal wieder ein aktueller Beitrag mit einer Fortigate auf FOS 7.0.0 (der auch mit 6.4.5 getestet wurde).

In diesem Beispiel hängt die Swisscom TV Box am DMZ Port der Fortigate und bezieht von dort eine DHCP Adresse, welche per DHCP Reservation fixiert wird:

«Fortigate und Swisscom TV – zum dritten» weiterlesen

 581 total views,  46 views today

Exchange Pwn2Own Vulnerability April 2021 (Yes, a new one – it’s not Hafnium anymore!)

Let’s mention the important things first: Please patch you vulnerable Exchange 2013, 2016 and 2019 immediately! The page msxfaq has published an infosite to this vulnerability including the instructions how to fix your Exchange.

Some security researchers have demonstrated three high risk vulnerabilities for exchange server systems. Microsoft has published information about the vulnerability today and even has a patch for the problem already in place.

«Exchange Pwn2Own Vulnerability April 2021 (Yes, a new one – it’s not Hafnium anymore!)» weiterlesen

FortiGate hardware acceleration step-by-step troubleshooting

One of the very powerful features of FortiGate hardware appliances is the hardware acceleration chipset included in the hardware platform. This allows to forward traffic in specific situations directly from the incoming interface to the outgoing interface without passing the CPU of the system. This can safe a huge amount of system load on your FortiGate.

In most cases, hardware acceleration is working flawlessly. But in some very rare cases, hardware acceleration may cause problems. Or the hardware acceleration is not working at all and the packets have to be handled by the CPU of your FortiGate.

This guide will lead you through the important troubleshooting steps.

«FortiGate hardware acceleration step-by-step troubleshooting» weiterlesen

Exchange Hafnium Vulnerability March 2021

Let’s mention the important things first: Please patch you vulnerable Exchange 2013, 2016 and 2019 immediately! The page msxfaq has published an infosite to this vulnerability including the instructions how to fix your Exchange.

Even though we, as Boll Engineering AG, are not associated in any way with the affected product, a lot of our customer reported, that they have vulnerable systems in place and may be affected by this bug. We have been asked if IPS signatures and WAF patches are already implemented. Therefore we decided to post this blog to raise the awareness of this vulnerability once more, even after the broad press has already published a lot of releases regarding this matter.

This blog post regards the following CVE reports:

«Exchange Hafnium Vulnerability March 2021» weiterlesen

How to transfer a FortiGate configuration to a newer model

During the lifecycle of firewalls, they are often replaced with a newer model, but you would like to keep the configuration. In this case, there are several possibilities, which we present in this blog post:

1. FortiConverter Service
2. FortiConverter Tool
3. Partial Config Transfer
4. Full Config Transfer

Den deutschen Artikel dazu finden Sie hier: So übertragen Sie eine FortiGate Konfiguration auf ein neueres Modell

«How to transfer a FortiGate configuration to a newer model» weiterlesen

So übertragen Sie eine FortiGate Konfiguration auf ein neueres Modell

Im Laufe des Lebenszyklus von Firewalls werden diese oftmals ersetzt mit einem neueren Modell, die Konfiguration möchte man aber gerne übernehmen. Für diesen Fall gibt es verschiedene Möglichkeiten, die wir in diesem Blog Beitrag vorstellen:

1. FortiConverter Service
2. FortiConverter Tool
3. Partielle Konfigübernahme
4. Volle Konfigübernahme

English article can be found here: How to transfer a FortiGate configuration to a newer model

«So übertragen Sie eine FortiGate Konfiguration auf ein neueres Modell» weiterlesen