FortiGate PPPoE inside a VLAN

Some providers (like init7.ch which already uses the Swisscom XGS-PON) do encapsulate their PPPoE traffic into a VLAN Tag (802.1Q or Q-Tagged). The reason for this is, that in the majority of the cases the provider is using a layer 2 network (last mile) of another provider, which uses VLAN tagging to differentiate the traffic to different service providers.

The configuration of the FortiGate is not too complicated in those cases. It is even possible to make the whole configuration directly off the WebGUI.

«FortiGate PPPoE inside a VLAN» weiterlesen

Windows update breaks SSO event log readers (FSSO, PAN UIA, WG ELM)

Microsoft has released KB5003646 on the 6th of June 2021. Part of this update is a security hardening measurement to align with recommendations as a conclusion out of CVE-2021-31958.

As a known issue of this KB5003646, microsoft has noted in the release notes: «After installing this or later updates, apps accessing event logs on remote devices might be unable to connect.»

This is exactly what is happening on Fortinet FSSO (FSSO with FortiGate, as well as FSSO over the FortiAuthenticator) and Palo Alto Networks User-ID Agent. They are not working anymore after the installation of Update KB5003646.

«Windows update breaks SSO event log readers (FSSO, PAN UIA, WG ELM)» weiterlesen

FortiGuard DNS Rating Server (SDNS) unavailable

Last update from 12.05.2021 at 09:40 Swiss local time: We have noticed an improvement in the situation. Some rare rating timeouts still show up from time to time, but the majority of requests are being answered correctly. Also the DNS servers are working as usual again.

We have noticed an increase of support requests regarding the FortiGuard DNS rating service (SDNS) today. Therefore we want to inform you about the following issue.

«FortiGuard DNS Rating Server (SDNS) unavailable» weiterlesen

Fortigate und Swisscom TV – zum dritten

Unser letzter Beitrag zur Konfiguration einer Fortigate, um zuhause auch Swisscom TV durch die Fortigate zu bekommen, ist schon eine zeitlang her. Deswegen hier mal wieder ein aktueller Beitrag mit einer Fortigate auf FOS 7.0.0 (der auch mit 6.4.5 getestet wurde).

In diesem Beispiel hängt die Swisscom TV Box am DMZ Port der Fortigate und bezieht von dort eine DHCP Adresse, welche per DHCP Reservation fixiert wird:

«Fortigate und Swisscom TV – zum dritten» weiterlesen

 1,107 total views,  4 views today

Exchange Pwn2Own Vulnerability April 2021 (Yes, a new one – it’s not Hafnium anymore!)

Let’s mention the important things first: Please patch you vulnerable Exchange 2013, 2016 and 2019 immediately! The page msxfaq has published an infosite to this vulnerability including the instructions how to fix your Exchange.

Some security researchers have demonstrated three high risk vulnerabilities for exchange server systems. Microsoft has published information about the vulnerability today and even has a patch for the problem already in place.

«Exchange Pwn2Own Vulnerability April 2021 (Yes, a new one – it’s not Hafnium anymore!)» weiterlesen

FortiGate hardware acceleration step-by-step troubleshooting

One of the very powerful features of FortiGate hardware appliances is the hardware acceleration chipset included in the hardware platform. This allows to forward traffic in specific situations directly from the incoming interface to the outgoing interface without passing the CPU of the system. This can safe a huge amount of system load on your FortiGate.

In most cases, hardware acceleration is working flawlessly. But in some very rare cases, hardware acceleration may cause problems. Or the hardware acceleration is not working at all and the packets have to be handled by the CPU of your FortiGate.

This guide will lead you through the important troubleshooting steps.

«FortiGate hardware acceleration step-by-step troubleshooting» weiterlesen