https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/Auth_Access.htm
Windows AD SSO
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/SSO-WindowsAD.htm
URL Filtering:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/Web_Filter/Static%20URL%20Filter.htm
Install FortiAnalyzer/Manager
The following section defines the SCSI controller for the virtual machine, and this is where the problem lies.
<Item>
  <rasd:Address>0</rasd:Address>
  <rasd:Caption>scsiController0</rasd:Caption>
  <rasd:Description>SCSI Controller</rasd:Description>
  <rasd:ElementName>scsiController0</rasd:ElementName>
  <rasd:InstanceID>5</rasd:InstanceID>
  <rasd:ResourceSubType>VirtualSCSI</rasd:ResourceSubType>
  <rasd:ResourceType>6</rasd:ResourceType>
</Item>
<Item>
  <rasd:Address>0</rasd:Address>
  <rasd:Caption>scsiController0</rasd:Caption>
  <rasd:Description>SCSI Controller</rasd:Description>
  <rasd:ElementName>scsiController0</rasd:ElementName>
  <rasd:InstanceID>5</rasd:InstanceID>
  <rasd:ResourceSubType>lsilogic</rasd:ResourceSubType>
  <rasd:ResourceType>6</rasd:ResourceType>
</Item>
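The two <Item> blocks above differ only in rasd:ResourceSubType (VirtualSCSI versus lsilogic). As an added example, not part of the original notes or of Fortinet's templates, the Python script below rewrites that value for every SCSI controller (ResourceType 6) in an OVF file and regenerates the matching line of the .mf manifest, because the digest recorded there is checked on import and no longer matches once the .ovf has been edited. The embedded OVF fragment is constructed for the demonstration, and the direction of the change (VirtualSCSI to lsilogic, as in the second block shown above) is an assumption.

```python
import hashlib
import re
from pathlib import Path
import xml.etree.ElementTree as ET

# Standard DMTF namespaces used by OVF descriptors.
NS = {
    "ovf": "http://schemas.dmtf.org/ovf/envelope/1",
    "rasd": "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep the familiar prefixes when serialising

SCSI_CONTROLLER = "6"  # CIM ResourceType value for a SCSI controller

# Constructed minimal OVF fragment modelled on the <Item> block on this page;
# it is not a real Fortinet template.
SAMPLE_OVF = """<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
          xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData">
  <VirtualSystem>
    <VirtualHardwareSection>
      <Item>
        <rasd:Address>0</rasd:Address>
        <rasd:Caption>scsiController0</rasd:Caption>
        <rasd:Description>SCSI Controller</rasd:Description>
        <rasd:ElementName>scsiController0</rasd:ElementName>
        <rasd:InstanceID>5</rasd:InstanceID>
        <rasd:ResourceSubType>VirtualSCSI</rasd:ResourceSubType>
        <rasd:ResourceType>6</rasd:ResourceType>
      </Item>
      <Item>
        <rasd:ElementName>ethernet0</rasd:ElementName>
        <rasd:ResourceSubType>VmxNet3</rasd:ResourceSubType>
        <rasd:ResourceType>10</rasd:ResourceType>
      </Item>
    </VirtualHardwareSection>
  </VirtualSystem>
</Envelope>
"""


def fix_scsi_subtype(ovf_xml, new_subtype="lsilogic"):
    """Return (rewritten XML, list of changes). Only Items whose ResourceType
    is 6 (SCSI controller) are touched; other hardware is left alone."""
    root = ET.fromstring(ovf_xml)
    changes = []
    for item in root.iter("{%s}Item" % NS["ovf"]):
        rtype = item.find("rasd:ResourceType", NS)
        subtype = item.find("rasd:ResourceSubType", NS)
        if rtype is None or subtype is None or (rtype.text or "").strip() != SCSI_CONTROLLER:
            continue
        if subtype.text != new_subtype:
            name = item.findtext("rasd:ElementName", default="?", namespaces=NS)
            changes.append("%s: %s -> %s" % (name, subtype.text, new_subtype))
            subtype.text = new_subtype
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body, changes


def manifest_entry(filename, data, algo="SHA256"):
    """One OVF manifest line, e.g. 'SHA256(name.ovf)= <hex digest>'."""
    digest = hashlib.new(algo.lower(), data).hexdigest()
    return "%s(%s)= %s" % (algo, filename, digest)


def update_manifest(mf_text, filename, data):
    """Replace the digest line for `filename`, keeping the algorithm the
    manifest already uses; append a SHA256 line if the file is not listed."""
    pattern = re.compile(
        r"^(SHA1|SHA256|SHA512)\(" + re.escape(filename) + r"\)=[ \t]*[0-9A-Fa-f]+[ \t]*$",
        re.M,
    )
    match = pattern.search(mf_text)
    if match is None:
        return mf_text.rstrip("\n") + "\n" + manifest_entry(filename, data) + "\n"
    return pattern.sub(manifest_entry(filename, data, match.group(1)), mf_text)


def fix_files(ovf_path, mf_path=None):
    """Rewrite an .ovf on disk and, if given, refresh its entry in the .mf."""
    ovf_path = Path(ovf_path)
    new_xml, changes = fix_scsi_subtype(ovf_path.read_text(encoding="utf-8"))
    ovf_path.write_text(new_xml, encoding="utf-8")
    if mf_path:
        mf = Path(mf_path)
        mf.write_text(update_manifest(mf.read_text(), ovf_path.name, new_xml.encode("utf-8")))
    return changes


if __name__ == "__main__":
    xml_out, changed = fix_scsi_subtype(SAMPLE_OVF)
    print("\n".join(changed) or "nothing to change")
    print(manifest_entry("sample.ovf", xml_out.encode("utf-8")))
```

For a real template, call fix_files("FortiAnalyzer-VM64.ovf", "FortiAnalyzer-VM64.mf") with the actual file names; if the template ships without a manifest, only the .ovf is rewritten.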
1. Policy Trace
Use the following command to trace which firewall policy a specific flow will match:
#diag firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <source interface>
Example scenario:
Note that the same endpoints can match different firewall policies depending on the protocol.
The first trace hits the implicit deny rule (policy id 0), because firewall policy id 2 only matches TCP traffic.
This command makes it easy to find the matching firewall policy even when a long list of firewall policies is configured.
Use the command below to find the best route for a specific destination:
#get router info routing-table details <destination ip address>
Example:
# get router info routing-table details 8.8.8.8
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* 10.47.3.254, via port1
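To make the two lookups above concrete, here is an added Python model (not FortiOS code, and a deliberate simplification of the iprope engine) that first resolves the egress interface by longest-prefix match over a small route table and then walks a policy list top to bottom, returning policy id 0 when nothing matches. The route table contains the default route from the output above; the remaining routes, the policies and the flows are constructed for the example. It reproduces the scenario described in the policy-trace section: a UDP flow falls through to implicit deny while the same endpoints over TCP match policy id 2.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    nexthop: str
    interface: str
    source: str = "static"   # "static", "connected", ... as in the routing-table output
    distance: int = 10


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str            # interface name or "any"
    dstintf: str
    srcaddr: str            # CIDR, or "all"
    dstaddr: str
    protocol: str           # "tcp", "udp", "icmp" or "any"
    dst_ports: tuple = ()   # empty tuple = any destination port
    action: str = "accept"


# Policy id 0 is what FortiOS reports when no configured policy matches.
IMPLICIT_DENY = Policy(0, "any", "any", "all", "all", "any", (), "deny")

ROUTES = [
    Route("0.0.0.0/0", "10.47.3.254", "port1", "static", 10),      # default route from the page
    Route("10.47.3.0/24", "0.0.0.0", "port1", "connected", 0),     # constructed WAN subnet
    Route("192.168.1.0/24", "0.0.0.0", "port2", "connected", 0),   # constructed LAN subnet
]

POLICIES = [
    Policy(1, "port2", "port1", "192.168.1.10/32", "all", "tcp", (22,)),        # constructed: admin SSH
    Policy(2, "port2", "port1", "192.168.1.0/24", "all", "tcp", (80, 443)),     # TCP-only policy, as in the scenario
]


def best_route(routes, dst_ip):
    """Longest-prefix match; equal-length prefixes are decided by the lowest
    administrative distance, mirroring the 'distance' shown by the CLI."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix, strict=False)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix, strict=False).prefixlen, -r.distance))


def _addr_ok(spec, ip):
    return spec == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _intf_ok(spec, intf):
    return spec == "any" or spec == intf


def _service_ok(policy, protocol, dst_port):
    if policy.protocol != "any" and policy.protocol != protocol:
        return False
    return not policy.dst_ports or dst_port in policy.dst_ports


def lookup(policies, routes, src_ip, src_port, dst_ip, dst_port, protocol, srcintf):
    """Same argument order as 'diag firewall iprope lookup'. The destination
    interface is derived from the route table, as the firewall does; src_port
    is accepted for symmetry but the sample policies do not filter on it."""
    route = best_route(routes, dst_ip)
    if route is None:                       # no route at all: nothing can match
        return IMPLICIT_DENY, None
    for p in policies:                      # first match wins
        if (_intf_ok(p.srcintf, srcintf) and _intf_ok(p.dstintf, route.interface)
                and _addr_ok(p.srcaddr, src_ip) and _addr_ok(p.dstaddr, dst_ip)
                and _service_ok(p, protocol, dst_port)):
            return p, route
    return IMPLICIT_DENY, route


if __name__ == "__main__":
    for flow in [("192.168.1.20", 40000, "8.8.8.8", 53, "udp", "port2"),
                 ("192.168.1.20", 40001, "8.8.8.8", 443, "tcp", "port2"),
                 ("192.168.1.10", 40002, "8.8.8.8", 22, "tcp", "port2")]:
        policy, route = lookup(POLICIES, ROUTES, *flow)
        print("%s -> policy id %d (%s) via %s" % (flow, policy.policy_id, policy.action,
                                                 route.interface if route else "no route"))
```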
2. SSL VPN
diagnose debug application sslvpn -1
diagnose debug enable
As you can see, the SSL_accept state is failed, which means that no suitable algorithm suite has been found between the client and the server. The only solution I found at the moment is to configure the FortiGate so that it allows these weaker cryptographic suites. For this, you must change the “algorithm” parameter in the SSL VPN configuration on the FortiGate CLI with the following commands:
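Before relaxing the cipher configuration, it is worth confirming from the client side which TLS versions the portal will actually negotiate. The Python probe below is an added example, not part of the original notes and not a Fortinet tool; it attempts one handshake per protocol version against a host and port you supply and classifies the OpenSSL error on failure, so that a "no-common-cipher" result points at the cipher-suite mismatch discussed above, while a "version-rejected" result points at a minimum-version setting instead. The host name used in the usage note is a placeholder.

```python
import socket
import ssl
import sys
from dataclasses import dataclass

# Protocol versions to try, oldest first (names map to ssl.TLSVersion members).
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


@dataclass
class ProbeResult:
    version: str
    ok: bool
    detail: str  # negotiated cipher on success, failure class otherwise


def classify_error(message):
    """Reduce an OpenSSL handshake error string to a short failure class."""
    m = message.lower()
    if "protocol" in m or "version" in m:      # NO_PROTOCOLS_AVAILABLE, WRONG_VERSION_NUMBER, ...
        return "version-rejected"
    if "handshake failure" in m or "no shared cipher" in m or "no ciphers" in m:
        return "no-common-cipher"               # server found no suite it is willing to use
    if "certificate" in m:
        return "certificate"
    return "other"


def make_context(version_name):
    """Client context pinned to exactly one protocol version. Identity is not
    verified because only the negotiation step is being tested here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = VERSIONS[version_name]
    ctx.maximum_version = VERSIONS[version_name]
    # Offer legacy suites the client's default security level would hide, so a
    # failure reflects the server's policy rather than the client's.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without security levels keep their default cipher list
    return ctx


def probe(host, port, timeout=5.0):
    """One TCP connection and one handshake attempt per protocol version."""
    results = []
    for name in VERSIONS:
        ctx = make_context(name)
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results.append(ProbeResult(name, True, tls.cipher()[0]))
        except ssl.SSLError as exc:        # handshake-level failure
            results.append(ProbeResult(name, False, classify_error(str(exc))))
        except OSError as exc:             # TCP-level failure (refused, timeout)
            results.append(ProbeResult(name, False, "connect: %s" % exc))
    return results


def accepted_versions(results):
    """Names of the versions the server completed a handshake for."""
    return [r.version for r in results if r.ok]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: tls_probe.py <host> <port>")
    for r in probe(sys.argv[1], int(sys.argv[2])):
        print("%-8s %s  %s" % (r.version, "ok  " if r.ok else "FAIL", r.detail))
```

Run it as `python3 tls_probe.py vpn.example.com 10443` against the portal address and port in use; if every version fails with "no-common-cipher", the client's cipher list is the mismatch, whereas a single accepted version tells you which minimum the portal currently enforces.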
3. HA CLI Troubleshooting
https://kb.fortinet.com/kb/documentLink.do?externalID=FD31379
Hi guys,
I am having the same issue with my lab on VM Workstation, with the same error message, but now it is solved for me.
This is my config:
On FortiGate:
FortiGate-VM64-1 # config log fortianalyzer setting
FortiGate-VM64-1 (setting) # set status enable
FortiGate-VM64-1 (setting) # set server 172.16.10.250
FortiGate-VM64-1 (setting) # set reliable enable
FortiGate-VM64-1 (setting) # get
status : enable
ips-archive : enable
server : 172.16.10.250
certificate-verification: enable
serial :
access-config : enable
enc-algorithm : low
ssl-min-proto-version: default
conn-timeout : 10
monitor-keepalive-period: 5
monitor-failure-retry-period: 5
certificate :
source-ip :
upload-option : 5-minute
reliable : enable
On FAZ:
FAZVM64 # config system global
(global)# set enc-algorithm low
(global)# set ssl-low-encryption enable
(global)# set oftp-ssl-protocol tlsv1.0
(global)# end
enc-algorithm setting change will cause all existing FGFM tunnel/WebService connection reset.
Do you want to continue? (y/n)y
killall: fgfmsd: no process killed
killall: fgfmsd: no process killed
FAZVM64 #
I hope this works for you ;)
Thank you,
Regards,
Genar
https://forum.fortinet.com/tm.aspx?m=177802
https://forum.fortinet.com/tm.aspx?m=173981
Optional Commands
get sys perf status <---------------- repeat 10 times
diag sys session stat <---------------- repeat 10 times
diag hard sysinfo memory
diag hard sysinfo shm
diag debug crashlog read
get sys performance firewall statistics
diag sys top 2 20 <---------------- let it run for 10 seconds and quit with Q
diag sys top 5 99 <---------------- let it run for 10 seconds and quit with Q
diag sys top-sum '-s mem'
diag sys flash list
Diagnose session
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042
https://kb.fortinet.com/kb/documentLink.do?externalID=FD36530