Archive for the ‘Fortigate’ Category

Posted by keith.wirch at August 18, 2017

Category: Fortigate, Quick Notes

There isn’t really a way to create a GRE tunnel in the Fortigate GUI, but you can through the CLI. I find this process to be FortiOS version agnostic. Take the image below as reference.

Here is the CLI for Site 1:

config system gre-tunnel
edit "GRE-to-Site2"
set interface "wan"
set remote-gw 2.2.2.2    # Remote Firewall WAN IP
set local-gw 1.1.1.1    # Local Firewall IP
next
end

Once the GRE tunnel is configured, you need to set up the actual interface as shown.

config system interface
edit "GRE-to-Site2"
set vdom "root"
set ip 192.168.6.1 255.255.255.255    # Local GRE Tunnel IP
set allowaccess ping    # Might just need ping for troubleshooting.
set type tunnel
set remote-ip 192.168.6.2    # GRE Tunnel IP for the Remote side
set interface "wan"
next
end

I will not cover it in this guide, but you do need to create a route for 10.30.2.0/24 via the GRE tunnel. Refer to the Fortigate documentation for creating a static route. Do not forget to create a firewall policy to allow the traffic to traverse the tunnel. Been there… *shakes head*

Here is the CLI for Site 2:

The CLI here is very similar to Site 1, just flipped a little.

config system gre-tunnel
edit "GRE-to-Site1"
set interface "wan"
set remote-gw 1.1.1.1    # Remote Firewall WAN IP
set local-gw 2.2.2.2    # Local Firewall WAN IP
next
end

Now configure the actual interface, since the GRE tunnel config has been made.

config system interface
edit "GRE-to-Site1"
set vdom "root"
set ip 192.168.6.2 255.255.255.255    # Local GRE Tunnel IP
set allowaccess ping    # Ping can be helpful for troubleshooting
set type tunnel
set remote-ip 192.168.6.1    # Remote Firewall GRE Tunnel IP
set interface "wan"
next
end

Again, do not forget to create your routes and firewall policies to allow the traffic to flow.

NOTE: I find GRE tunnels to be the PERFECT opportunity to use 169.254.0.0/16 addresses. Use them on the actual tunnel IPs, since they are not routable and are link-local according to RFC 5735.
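Because both sides of the tunnel are the same blocks with the local and remote addresses swapped, the easiest way to avoid a mismatch (the "been there" moment above) is to generate both halves from one set of site parameters and check that they mirror each other. The following is an added example, not code from the original post or from Fortinet: it emits the `config system gre-tunnel` and `config system interface` blocks shown above, appends the static route to the remote LAN using the standard `config router static` syntax (which the post leaves to the documentation), and lints the inputs, including the post's advice to keep the tunnel IPs inside 169.254.0.0/16. All site addresses and LAN prefixes in `SITES` are constructed sample values.

```python
"""Emit the FortiOS CLI for both ends of a GRE tunnel and cross-check them.

Added example, not code from the original post. The site addresses below
are constructed sample values; 'config router static' is standard FortiOS
syntax for the route the post says you still have to add.
"""
import ipaddress

# Constructed sample values. Per the post's note, the tunnel endpoints use
# 169.254.0.0/16 link-local addresses instead of routable ones.
SITES = {
    "Site1": {"wan_ip": "1.1.1.1", "tunnel_ip": "169.254.6.1", "lan": "10.30.1.0/24"},
    "Site2": {"wan_ip": "2.2.2.2", "tunnel_ip": "169.254.6.2", "lan": "10.30.2.0/24"},
}


def lint_sites(sites):
    """Return a list of problems that would stop the two halves matching up.
    An empty list means the pair of sites is consistent."""
    a, b = sites.values()
    problems = []
    if a["wan_ip"] == b["wan_ip"]:
        problems.append("both sites use the same WAN IP")
    if a["tunnel_ip"] == b["tunnel_ip"]:
        problems.append("both sites use the same tunnel IP")
    for name, site in sites.items():
        # is_link_local is True exactly for 169.254.0.0/16 in IPv4
        if not ipaddress.ip_address(site["tunnel_ip"]).is_link_local:
            problems.append(f"{name}: tunnel IP {site['tunnel_ip']} is not in 169.254.0.0/16")
    if ipaddress.ip_network(a["lan"]).overlaps(ipaddress.ip_network(b["lan"])):
        problems.append("the two LAN prefixes overlap; the static routes would collide")
    return problems


def side_config(local_name, remote_name, sites, wan_if="wan"):
    """CLI for one firewall: GRE object, tunnel interface and static route."""
    local, remote = sites[local_name], sites[remote_name]
    name = f"GRE-to-{remote_name}"
    lan = ipaddress.ip_network(remote["lan"])
    return "\n".join([
        "config system gre-tunnel",
        f'edit "{name}"',
        f'set interface "{wan_if}"',
        f"set remote-gw {remote['wan_ip']}",      # the other side's WAN IP
        f"set local-gw {local['wan_ip']}",        # this side's WAN IP
        "next",
        "end",
        "config system interface",
        f'edit "{name}"',
        'set vdom "root"',
        f"set ip {local['tunnel_ip']} 255.255.255.255",
        "set allowaccess ping",                   # ping only, for troubleshooting
        "set type tunnel",
        f"set remote-ip {remote['tunnel_ip']}",
        f'set interface "{wan_if}"',
        "next",
        "end",
        # Route the remote LAN into the tunnel (the step the post defers to the docs).
        "config router static",
        "edit 0",
        f"set dst {lan.network_address} {lan.netmask}",
        f'set device "{name}"',
        "next",
        "end",
    ])


def settings(cli):
    """Collect the 'set <key> <value>' lines of one side's CLI into a dict."""
    out = {}
    for line in cli.splitlines():
        parts = line.split()
        if parts and parts[0] == "set":
            out[parts[1]] = " ".join(parts[2:]).strip('"')
    return out


def mirrors(cli_a, cli_b):
    """True when the two halves are flipped copies of each other: each side's
    remote gateway / remote tunnel IP is the other side's local one."""
    a, b = settings(cli_a), settings(cli_b)
    return (a["remote-gw"] == b["local-gw"] and b["remote-gw"] == a["local-gw"]
            and a["remote-ip"] == b["ip"].split()[0]
            and b["remote-ip"] == a["ip"].split()[0])


if __name__ == "__main__":
    for problem in lint_sites(SITES):
        print("WARNING:", problem)
    for local, remote in (("Site1", "Site2"), ("Site2", "Site1")):
        print(f"# ---- paste on {local} ----")
        print(side_config(local, remote, SITES))
```

Run it and paste each half onto its firewall; `mirrors()` is the check to run in a script before you do, and `lint_sites()` is where to add any other site-specific rules (for example, rejecting a tunnel IP that collides with an existing interface).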

Posted by keith.wirch at November 6, 2016

Category: Fortigate, Networking, Quick Notes

Here are some quick notes about working with DHCP on a Fortigate firewall. It is pretty common to have to work with it when you have a small office firewall. I would not recommend using the DHCP Server service on these firewalls in a large production environment. Microsoft makes a pretty good one as a role in their server.

Showing/Clearing a DHCP Lease List

exec dhcp lease-list  #show current list on DHCP lease
execute dhcp lease-clear <ip address> #clear the DHCP lease of a specific ip
execute dhcp lease-clear all  #clear all the DHCP leases

Setting DHCP reservation on FortiOS 5.x

config system dhcp server  #Brings you into config mode of DHCP
edit 1 #This number will depend on which scope you are adding the reservation to.  Use "show" to display them all.
config reserved-address
edit 1  #Increment this number for each reservation you need
set ip <ip address>
set mac <MAC Formatted 99:99:99:33:33:33>
next
end
next
end

Setting DHCP reservation on Pre-FortiOS5.x

config system dhcp reserved-address
edit "My_Reservation"
set ip <ip address>
set mac <MAC Formatted 99:99:99:33:33:33>
next
end
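The two reservation forms above differ only in where the entry lives, while the things that actually go wrong are the inputs: a MAC copied in Windows (`AA-BB-CC-DD-EE-FF`) or Cisco (`aabb.ccdd.eeff`) notation instead of the colon form the firewall wants, or an IP that is not inside the scope's subnet. The following is an added example, not code from the original post or from Fortinet: it normalizes the MAC, checks the IP against the scope, and emits the FortiOS 5.x block (reservation nested in the scope) or the pre-5.x block (named entry in its own table). The scope number, scope subnet and the host below are constructed sample values.

```python
"""Build a FortiOS DHCP reservation after sanity-checking its inputs.

Added example, not code from the original post. It emits the two command
forms the post shows; the scope id, subnet and host values are constructed.
"""
import ipaddress
import re

TWELVE_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or
    aabbccddeeff and return the colon-separated form used in the post.
    Raises ValueError for anything that is not 12 hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not TWELVE_HEX.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(mac):
    """Boolean wrapper around normalize_mac for quick checks."""
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def in_scope(ip, scope_subnet):
    """True when ip is a usable host address inside the scope's subnet
    (not the network or broadcast address). A reservation outside the
    scope's subnet can never match a lease from that scope."""
    net = ipaddress.ip_network(scope_subnet)
    addr = ipaddress.ip_address(ip)
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def check_reservation(ip, mac, scope_subnet):
    """Validate both inputs and return them in the form the CLI needs."""
    if not in_scope(ip, scope_subnet):
        raise ValueError(f"{ip} is not a host address inside scope {scope_subnet}")
    return str(ipaddress.ip_address(ip)), normalize_mac(mac)


def reservation_5x(scope_id, entry_id, ip, mac, scope_subnet):
    """FortiOS 5.x form: the reservation is nested inside the DHCP scope."""
    ip, mac = check_reservation(ip, mac, scope_subnet)
    return "\n".join([
        "config system dhcp server",
        f"edit {scope_id}",                 # scope number, see 'show'
        "config reserved-address",
        f"edit {entry_id}",                 # increments per reservation
        f"set ip {ip}",
        f"set mac {mac}",
        "next",
        "end",
        "next",
        "end",
    ])


def reservation_pre5(name, ip, mac, scope_subnet):
    """Pre-5.x form: a named entry in its own table."""
    ip, mac = check_reservation(ip, mac, scope_subnet)
    return "\n".join([
        "config system dhcp reserved-address",
        f'edit "{name}"',
        f"set ip {ip}",
        f"set mac {mac}",
        "next",
        "end",
    ])


if __name__ == "__main__":
    # Constructed sample: scope 1 serves 192.168.1.0/24, host MAC copied from Windows.
    print(reservation_5x(1, 1, "192.168.1.50", "AA-BB-CC-DD-EE-FF", "192.168.1.0/24"))
    print(reservation_pre5("My_Reservation", "192.168.1.50", "AA-BB-CC-DD-EE-FF", "192.168.1.0/24"))
```

The scope subnet is passed in explicitly because the CLI snippets above do not show it; read it from the scope's own `show` output before trusting the in-scope check.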