We have adapted our CheatSheet for FortiOS version 7.0 and added new commands. The Cheat Sheet is divided into different sections. Depending on the topic, you can find the necessary commands to display more information or find problems.
We hope that this will contribute to quick solutions of existing problems.
135 total views, 4 views today
On Mai 2021, Let’s Encrypt issued a note about the expiration of their DST Root CA X3:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Now that this root certificate has expired (2021-09-30), your systems might issue a warning when connecting to sites using Let’s Encrypt certificates.
To fix this glitch on a general client, follow the instructions of the link above:
119 total views, 5 views today
Since last week, we observed a lot of failed SSL-VPN login events on various FortiGate setups.
Most of the administrators saw a rised number of the following log messages in the «VPN Event Log» on the FortiGate / FortiAnalyzer.
And no, there’s no spelling mistakes in the title… That’s the way the log message is named:
date=2021-08-23 time=11:22:33 logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" eventtime=1629710539 logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=11.22.33.44 user="administrador" group="N/A" dst_host="N/A" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"«FortiGate lots of «SSL user failed to logged in» events» weiterlesen
141 total views, 3 views today
Some providers (like init7.ch which already uses the Swisscom XGS-PON) do encapsulate their PPPoE traffic into a VLAN Tag (802.1Q or Q-Tagged). The reason for this is, that in the majority of the cases the provider is using a layer 2 network (last mile) of another provider, which uses VLAN tagging to differentiate the traffic to different service providers.
The configuration of the FortiGate is not too complicated in those cases. It is even possible to make the whole configuration directly off the WebGUI.
«FortiGate PPPoE inside a VLAN» weiterlesen66 total views, 4 views today
In the context of SSL VPN, we sometimes receive the question, if it’s possible to assign IP-addresses using an external DHCP server. Unfortunatly this is not possible on the FortiGate.
«FortiGate SSL VPN: Assign IP-Addresses using an external DHCP Server» weiterlesen
Your VoIP provider should give you the information, if the SIP ALG on the Fortigate is needed or not.
In the default setting of a Fortigate the SIP ALG is active.
«Disable the SIP ALG/Session Helper on the Fortigate» weiterlesen
Unser letzter Beitrag zur Konfiguration einer Fortigate, um zuhause auch Swisscom TV durch die Fortigate zu bekommen, ist schon eine zeitlang her. Deswegen hier mal wieder ein aktueller Beitrag mit einer Fortigate auf FOS 7.0.0 (der auch mit 6.4.5 getestet wurde).
In diesem Beispiel hängt die Swisscom TV Box am DMZ Port der Fortigate und bezieht von dort eine DHCP Adresse, welche per DHCP Reservation fixiert wird:
«Fortigate und Swisscom TV – zum dritten» weiterlesen1,492 total views, 3 views today
Let’s mention the important things first: Please patch you vulnerable Exchange 2013, 2016 and 2019 immediately! The page msxfaq has published an infosite to this vulnerability including the instructions how to fix your Exchange.
Even though we, as Boll Engineering AG, are not associated in any way with the affected product, a lot of our customer reported, that they have vulnerable systems in place and may be affected by this bug. We have been asked if IPS signatures and WAF patches are already implemented. Therefore we decided to post this blog to raise the awareness of this vulnerability once more, even after the broad press has already published a lot of releases regarding this matter.
This blog post regards the following CVE reports:
«Exchange Hafnium Vulnerability March 2021» weiterlesen
Im Laufe des Lebenszyklus von Firewalls werden diese oftmals ersetzt mit einem neueren Modell, die Konfiguration möchte man aber gerne übernehmen. Für diesen Fall gibt es verschiedene Möglichkeiten, die wir in diesem Blog Beitrag vorstellen:
1. FortiConverter Service
2. FortiConverter Tool
3. Partielle Konfigübernahme
4. Volle Konfigübernahme
English article can be found here: How to transfer a FortiGate configuration to a newer model
«So übertragen Sie eine FortiGate Konfiguration auf ein neueres Modell» weiterlesen
The good news first: If you’re currently using the FortiClient to establish a Dialup IPsec VPN (Aggressive, PSK based), the same configuration should also work with the native macOS client.
«FortiGate: IPsec VPN with native macOS client» weiterlesen
