FortiOS 6.2: Upgrade Notes

As with every software product, even the latest and greatest releases have some known glitches. That’s one of the reasons why you should review the release notes as part of the upgrade process.

But even then you might face a not-yet-documented issue. You’ll find some notable examples below.

FortiAPs won’t connect anymore (6.2.1)

Some customers have reported that their FortiAPs no longer connect after upgrading to FortiOS 6.2.1. Fortinet has confirmed that this is a known issue that occurs only when trusted hosts are used to restrict administrative access to the FortiGate.

The official workaround is to add the FortiAP’s IP or subnet as an additional trusted host entry on one of the admin users:

config system admin
  edit "adminuser"
    set trusthostx 10.33.33.3 255.255.255.255 <-- IP Address of the FortiAP
  next
end
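
A pre-upgrade check for the trusted-host condition described above, as an added example that is not from the original post or from Fortinet: it parses the `config system admin` section of a configuration backup and lists the FortiAP addresses that no trusted host entry covers. The sample config and addresses are constructed, and the `set trusthost<N> <ip> <netmask>` line layout is an assumption about the backup format.

```python
import ipaddress
import re

# Constructed sample of a config backup (addresses and names are made up).
SAMPLE_CONFIG = '''\
config system admin
    edit "adminuser"
        set trusthost1 192.168.10.0 255.255.255.0
        set trusthost2 10.33.33.3 255.255.255.255
    next
end
'''

# Assumed line layout in the backup: set trusthost<N> <ip> <netmask>
TRUSTHOST_RE = re.compile(r'^set trusthost\d+ (\S+) (\S+)$')

def admin_trusted_hosts(config_text):
    """Return {admin name: [IPv4Network, ...]} from 'config system admin'."""
    admins, depth, current = {}, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            depth = int(line == 'config system admin')
        elif line.startswith('config '):
            depth += 1          # nested block inside an admin entry
        elif line == 'end':
            depth -= 1
            if depth == 0:
                break           # end of the admin section
        elif depth == 1 and line.startswith('edit '):
            current = line[5:].strip('"')
            admins[current] = []
        elif depth == 1 and current and (m := TRUSTHOST_RE.match(line)):
            net = ipaddress.ip_network(f'{m[1]}/{m[2]}', strict=False)
            admins[current].append(net)
    return admins

def uncovered_aps(config_text, ap_addresses):
    """Return the AP addresses that no admin's trusted host entry covers."""
    nets = [n for v in admin_trusted_hosts(config_text).values() for n in v]
    if not nets:    # no trusted hosts in use: the condition does not apply
        return []
    return [ap for ap in ap_addresses
            if not any(ipaddress.ip_address(ap) in n for n in nets)]

if __name__ == '__main__':
    print(uncovered_aps(SAMPLE_CONFIG, ['10.33.33.3', '10.33.33.4']))
```
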

RADIUS Server behind VPN tunnel not working (6.2.1)

When using a RADIUS server behind an IPsec tunnel, you most likely had to configure the source-ip in the RADIUS configuration (normally to the internal address of the firewall). A bug in FortiOS 6.2.1 prevents this from working. As a workaround, you’ll have to use an IP address owned by the outgoing interface.

config user radius
  edit "nps-server"
    set source-ip "192.168.101.99" <-- IP Address of the outgoing (IPsec) interface
  next
end

What’s new with FortiOS 6.2: Update issue with certificate for WebUI

Recently we have had a few support cases where a customer was unable to log in to the firewall via the WebUI after the firmware update, while SSH access still worked fine.

It turned out that during the update process the server certificate used for the WebUI is lost.

Config with v6.0.4 (it does not happen with „self-signed“ only):

config system global
  set admin-server-cert "self-signed"
end

Fortinet Wireless FAQ

Fortinet WiFi products have been growing in popularity for some time. This is not least because the FortiAPs and controllers offer ever more practical technologies and therefore now cover practically every conceivable deployment scenario.

As the complexity of the systems grows along with the feature set, we would like to use this article to give you an overview of the technology, its functionality and its limitations.


Migrate FortiGate Configurations with FortiConverter

Fortinet has published a very nice and helpful tool for converting firewall configs from other vendors into a FortiGate configuration file. An old FortiGate config file can also be used as the source file.

So if you are going to replace an old FortiGate model with a new one and you want to use the old config file (instead of configuring the new FortiGate from scratch), you can use FortiConverter as an alternative to the procedure we described in one of our earlier blog posts, „How to transfer a FortiGate configuration file to a new FortiGate unit of a different model“.


FortiGate SSL VPN Update Recommendation

Several vulnerabilities in the SSL VPN portal of the FortiGate have become known. They range from redirects via cross-site scripting (XSS) to the download of system files and the resetting of user passwords.

FortiGate SSL VPN web portal login redir XSS vulnerability (FG-IR-17-242, CVE-2017-14186)
Unauthenticated SSL VPN users password modification (FG-IR-18-389, CVE-2018-13382)
FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests (FG-IR-18-384, CVE-2018-13379)


Open Ports on the FortiGate

The FortiGate is a brilliant communication specialist in many respects. At the same time, it is also a first-rate bouncer and guard. From time to time the question arises as to which of these qualities should take priority. Of course we all like the egg-laying wool-milk-sow (the all-in-one solution), even if we often joke about it. In certain situations, however, qualities are called for that an egg-laying wool-milk-sow cannot offer. The FortiGate can.
