Fortigate 800c


Leanne Wittlin

Aug 3, 2024, 5:20:57 PM8/3/24
to inspumimic

I am currently working on relocating a FG800C to a new office. We were running 5.0.11 and, since this is a new location and I have some time to test things, I decided to try out 5.4.0. For the past 2 days the firewall has crashed and completely locked up. No WAN ping, no LAN ping, no serial console, no USB console. I know there have been some issues, but has anyone else had their firewall lock up like that?

During the product update for FortiOS 5.4.x the speaker discouraged us from loading FortiOS 5.4.x onto FortiGate C-series models. IMHO FortiOS 5.4.x is designed for the newly released FortiGate models, which are the D series.

I'm going to head into the office to hook up a console cable to a PC with PuTTY logging to a text file. I'm going to send the text file to a Windows compression-enabled directory since I'm sure this file will get big.

Right, that's what I told them, so we set up console logging. They did confirm it's very likely a bug in 5.4.0. We are going to confirm it with the console logs tonight, and if so, we are applying a 5.4.1 interim fix.

Technically the bug is any time you *remove* an interface. Due to the nature of how IPsec VPN dialup works it causes the bug to surface often (user disconnects, system tries to remove the interface, bug happens).

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

This device template should allow NCM to download configs from FortiGate 800C devices. These are slightly different from previous versions. They seem to have a prompt of "Press 'a' key to continue" after entering username/password. Once that is pressed, it shows

The routes for the remote VPNs would be the remote peer IP address. Making a change this way would force the peers to go out the ASA for internet, and all other traffic to go to the FortiGate and then out to the internet.

I believe the forwarding part of the question has been answered above already, but for the web filtering portion, which will be done by your FortiGate, I would go and create your security/UTM profiles first for the web filter with the desired configuration of what you would like to allow, block or monitor. Also create your white list, which you would define and attach to each web filtering profile. Next you would create your firewall policies, and after that is created you would enable the UTM section of each individual policy, turn on the web filter section and choose which web filter profile to use with that policy. A point to ponder is that web filter and UTM profiles are policy specific and not global. They need to be turned on in the desired policy and you need to choose the specific profile.
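The sequence described in that reply (allow list, web filter profile, then a policy with UTM enabled and the profile attached), written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet; the profile name "office-web", URL filter table 1, policy ID 10 and the interface names "internal"/"wan1" are assumed placeholders.

```fortios
# Assumed names: profile "office-web", URL filter table 1, policy 10,
# interfaces "internal" and "wan1". Adjust to your own configuration.

# 1. Allow list: entries matched here bypass the FortiGuard category rating
config webfilter urlfilter
    edit 1
        set name "office-allow-list"
        config entries
            edit 1
                set url "intranet.example.com"
                set type simple
                set action allow
                set status enable
            next
        end
    next
end

# 2. Web filter profile: attach the allow list and block chosen FortiGuard categories
config webfilter profile
    edit "office-web"
        set comment "Block malicious categories, monitor the rest"
        config web
            set urlfilter-table 1
        end
        config ftgd-wf
            config filters
                edit 1
                    # category 26 is "Malicious Websites" in the FortiGuard list;
                    # confirm against your unit's category list before copying the number
                    set category 26
                    set action block
                next
            end
        end
    next
end

# 3. Policy: the profile does nothing until utm-status is enabled on the policy
config firewall policy
    edit 10
        set name "LAN-to-Internet-webfilter"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set webfilter-profile "office-web"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end
```

Because the profile is bound per policy, every other policy that passes web traffic (guest VLAN, management subnet, a second WAN) needs its own `set utm-status enable` and `set webfilter-profile` lines; traffic matching a policy without them is not filtered at all, which is easy to verify by checking the Web Filter log for sessions from that policy ID.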

But I am not able to see the packet info/data on the Log&Report->Sniffer Traffic page in the FortiGate UI. Can anyone check/let me know whether any config/setting is required on the FortiGate for it to work in sniffer mode for IDS?

I tried to ping the FortiGate unit from a MacBook Pro that is connected directly to FortiGate 800C port 3. I gave the Mac a static IP 10.2.4.22, then added a VLAN 704 interface as well with IP 10.2.4.23. Now when I ping the FortiGate unit the ping does not go through, and the FortiGate unit does not show anything when I try to debug address 10.2.4.1.

I also tested adding port 3/3.6 to VLAN 500 (same as my office switch ports have) and connected it to the switch, and the computer to the switch as well. Still nothing. The sniffer does not show that any packets are coming in from port 3/3.6 or to IP 10.2.4.1 when the IP is given to port 3/3.6 (subinterface). When the IP is given to port 3 directly, the sniffer and flow debug show me that policy is blocking the traffic.

Basically I want to make a subinterface for the 10.2.4.X subnet with a VLAN ID. Then add static IPs for hosts (10.2.4.X). Then I want to be able to ping the FG unit from that subnet. I guess I'm going to set up an old switch for a test environment and connect it to the FortiGate, and 2 PCs to it in the local network. I will also tag the VLANs. I will keep you posted.

I got it working. My bad on the ping side from MacBook to FortiGate. I did not use the right source address for the ping, and now everything works. The problem was I was first pinging from the non-VLAN interface; once I changed to the VLAN source everything started to work :)
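The VLAN subinterface setup from the posts above, with the checks that isolate the source-address mistake the poster ran into. This is an added example, not configuration from the thread; the addressing (FortiGate vlan704 at 10.2.4.1/24 on top of port3, tagged host at 10.2.4.23) and the interface name "vlan704" are assumptions.

```fortios
# Assumed addressing: FortiGate "vlan704" = 10.2.4.1/24 on top of port3,
# host on the tagged side = 10.2.4.23. Names are placeholders, not from the post.

# VLAN subinterface on port3. Without "allowaccess ping" the unit silently
# drops ICMP aimed at this address, which looks identical to a tagging problem.
config system interface
    edit "vlan704"
        set vdom "root"
        set ip 10.2.4.1 255.255.255.0
        set allowaccess ping
        set interface "port3"
        set vlanid 704
    next
end

# Ping the host from the FortiGate, sourced from the VLAN address rather than
# port3's own address, so the reply comes back tagged on the right interface.
execute ping-options source 10.2.4.1
execute ping 10.2.4.23

# Confirm tagged frames actually arrive on the subinterface (verbosity 4 prints
# the interface name; 10 = stop after ten packets). If nothing shows here while
# the same sniffer on "port3" sees traffic, the frames are arriving untagged.
diagnose sniffer packet vlan704 'host 10.2.4.23' 4 10
```

On the Mac side the same rule applies in reverse: `ping -S 10.2.4.23 10.2.4.1` forces the VLAN interface address as the source, which is the change that made the poster's test succeed.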
