One of the very powerful features of FortiGate hardware appliances is the hardware acceleration chipset included in the platform. In specific situations it allows traffic to be forwarded directly from the incoming interface to the outgoing interface without passing through the CPU of the system, which can save a huge amount of system load on your FortiGate.
In most cases hardware acceleration works flawlessly. But in some very rare cases it may cause problems, or it is not working at all and the packets have to be handled by the CPU of your FortiGate.
This guide will lead you through the important troubleshooting steps.
During the lifecycle of firewalls, they are often replaced with a newer model while the configuration should be kept. In this case there are several possibilities, which we present in this blog post:
We often see questions or problems about the correct subnetting of networks. With the following grid you can quickly and easily find the right number of hosts or the subnet mask.
The first address of the subnet is called the network address. It cannot be used for hosts (e.g. 192.168.10.0 in a subnet of 255.255.255.0 or /24).
The same applies to the last address of the subnet. This is the broadcast address and is not available to clients (e.g. 192.168.10.255 in a subnet of 255.255.255.0 or /24).
The remaining IP addresses can be used by hosts (number of hosts in the table, i.e. 256 - 2 = 254 in a subnet of 255.255.255.0 or /24).
If, for example, you are told that a provider subnet has 6 usable IP addresses, this corresponds in the table to a subnet mask of 255.255.255.248 or /29. The usable IP addresses are then, for example, 8.65.34.25 to 8.65.34.30. The .24 is the network address, the .31 the broadcast address. Usually the router itself gets the .25 and the firewall the .26. The remaining usable addresses are then .27 to .30.
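The arithmetic behind the table, as an added example in Python (not part of the original post): it derives the prefix length from a required number of usable hosts and lists network, mask, broadcast and usable range for a given CIDR. The sample prefixes are the ones used in the text; the handling of /31 and /32, which the table does not cover, goes beyond it.

```python
import ipaddress


def prefix_for_usable_hosts(needed: int) -> int:
    """Longest IPv4 prefix that still offers `needed` usable hosts.

    A /p network has 2**(32-p) - 2 usable hosts, because the network
    and broadcast addresses are not assignable (6 -> /29, 254 -> /24).
    """
    if needed < 1:
        raise ValueError("need at least one usable host")
    for prefix in range(30, -1, -1):  # /30 is the smallest with 2 usable hosts
        if 2 ** (32 - prefix) - 2 >= needed:
            return prefix
    raise ValueError("more hosts than an IPv4 network can hold")


def subnet_facts(cidr: str) -> dict:
    """Network, mask, broadcast and usable range for e.g. 8.65.34.26/29.

    strict=False accepts a host address with its prefix, which is what a
    provider hand-out usually gives you, and derives the network from it.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    facts = {"network": str(net.network_address), "mask": str(net.netmask)}
    if net.prefixlen >= 31:
        # /31 and /32 have no separate network/broadcast address; the table
        # above does not cover them, so they are reported as having no range.
        facts.update(broadcast=None, first_host=None, last_host=None, usable=0)
        return facts
    hosts = list(net.hosts())  # excludes network and broadcast address
    facts.update(
        broadcast=str(net.broadcast_address),
        first_host=str(hosts[0]),
        last_host=str(hosts[-1]),
        usable=len(hosts),
    )
    return facts


if __name__ == "__main__":
    print("6 usable hosts ->", f"/{prefix_for_usable_hosts(6)}")
    for cidr in ("192.168.10.0/24", "8.65.34.26/29"):
        print(cidr, subnet_facts(cidr))
```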
The ability to include external lists from third parties via the «External Dynamic List (EDL)» feature opens up many possibilities to restrict your own security policies even further, for example to prevent access to the TOR network.
In the following tutorial I will show you how to configure the list of TOR exit nodes, which can be found at https://check.torproject.org/torbulkexitlist as a list of IP addresses.
1. Create External Dynamic IP List
First, create a new EDL. Objects > External Dynamic Lists > Add
The list of TOR Exit Nodes and further information can be found here:
As type you should choose the «IP List» selection. This assumes a list with one IP per line. If you look at the provided IP list, this is the case:
2. Download the CA certificate from the website in .pem format.
Since the list is provided via HTTPS, and the server certificate is therefore signed by a CA, the Palo Alto firewall must trust the CA certificate that signed the server certificate. This is solved by importing the CA certificate into the firewall.
Please use your browser capabilities to display and download the CA certificate.
3. Add the CA certificate to the firewall’s certificate list
After you have downloaded the CA certificate, you can upload it to the firewall’s certificate store.
4. Create a certificate profile and add the Tor_CA certificate
Now that the certificate has been uploaded to the firewall’s certificate store, it can be used in a certificate profile.
5. Add certificate profile in EDL list
Now the certificate profile with the CA certificate can be used in the configuration of the EDL list.
Also note the update frequency of the list. New entries are added automatically with each update, and a Commit is not necessary.
6. Add EDL in Security Policy
Now everything is prepared and the EDL list can be inserted in the security policy as source or destination address object.
It makes sense to use a security policy with the action Block at the beginning of your security policies.
Policies > Security > Add
7. Commit changes
Save the changes so that they become active.
8. Verify if EDL list contains entries
After the initial synchronization of the list, you can check its content as follows.
Objects > External Dynamic Lists > Edit Tor Exit nodes > List Entries and Exceptions
Check if the list contains entries:
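As an added example (not part of the original tutorial and not Palo Alto's own code), the following Python script checks an «IP List» body offline against the one-address-per-line format the EDL type expects, answers the step 8 question before the firewall ever fetches the list, and shows which client addresses a Block rule built on the list would match. SAMPLE_LIST is constructed data standing in for the downloaded torbulkexitlist, and the strict parser is an assumption about the format, not the firewall's own parser.

```python
import ipaddress

# Constructed sample standing in for the downloaded torbulkexitlist:
# valid entries plus the line types a strict one-IP-per-line format
# does not allow (blank line, comment, duplicate, out-of-range octet).
SAMPLE_LIST = """\
198.51.100.7
203.0.113.44

# not part of the format
2001:db8::1
203.0.113.44
198.51.100.300
"""


def parse_ip_list(text: str):
    """Return (accepted addresses, rejected (lineno, line) pairs) for a list body."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no entry
        try:
            accepted.append(ipaddress.ip_address(line))
        except ValueError:
            rejected.append((lineno, raw))
    return accepted, rejected


def edl_summary(text: str) -> dict:
    """The step 8 check done offline: how many distinct entries does the list hold?"""
    accepted, rejected = parse_ip_list(text)
    distinct = set(accepted)
    return {"entries": len(distinct),
            "duplicates": len(accepted) - len(distinct),
            "rejected": rejected}


def would_block(text: str, client_ip: str) -> bool:
    """Would a Block rule with this EDL as source address match client_ip?"""
    accepted, _ = parse_ip_list(text)
    return ipaddress.ip_address(client_ip) in set(accepted)


if __name__ == "__main__":
    print(edl_summary(SAMPLE_LIST))
    for ip in ("203.0.113.44", "192.0.2.9"):
        print(ip, "blocked" if would_block(SAMPLE_LIST, ip) else "allowed")
```

A list that shows zero entries on the firewall after synchronization often has rejected lines like the ones flagged here, so run the check on the downloaded file before suspecting the certificate profile.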
The good news first: If you’re currently using the FortiClient to establish a Dialup IPsec VPN (Aggressive, PSK based), the same configuration should also work with the native macOS client.
Last year QuoVadis informed its customers that the «QuoVadis Swiss Advanced CA G3» will be revoked as of 31.12.2020.
For signed messages to continue to be displayed as valid at the recipient, the S/MIME user certificates on the SEPPmail must be issued by the «QuoVadis Swiss Advanced CA G4».
Use the latest versions of Kaspersky Endpoint Security for Windows, as they contain the latest fixes and improvements, including performance-related ones.
We recommend using all protection components with default settings. They provide the optimal balance between protection level and performance as recommended by our experts.
Check the KES for Windows policy and make sure that the general performance settings are enabled (KES policy > General > Application settings):
SD-WAN is a cool feature to configure redundant internet access. But it was designed with load-balancing in mind, and this brings some challenges for specific use cases. For example, while you can use SD-WAN rules to define the preferred path for a specific application or system, this won’t prevent the traffic from being routed over another interface in case of an outage.