Category Archives: 4. Security Appliance

Understanding Firewall, Configuration, Setup and Design.

Troubleshooting Palo Alto Networks Hardware Issues

Hardware issues can range from power supplies and fans to disk drives. This document is a guide to detecting, identifying and validating common hardware issues, with recovery actions where applicable.

This document covers:

Accessory failures (power supply, fans, fan tray)
Disk problems
ECC errors (memory)
Using maintenance mode
General boot problems
owner: sdarapuneni

https://drive.google.com/open?id=1PHQ9co2VZPjlJNFnysTiFdvZUk84Y98a

https://live.paloaltonetworks.com/t5/Learning-Articles/Troubleshooting-Palo-Alto-Networks-Hardware-Issues/ta-p/62083

Fortigate Netflow & Sflow

Note that NetFlow can only be configured from the CLI, so make sure you have SSH or console access first (Telnet also works, but it sends credentials in clear text and should stay disabled).

• Configure the NetFlow collector (the addresses are the author's: 192.168.131.93 is the SolarWinds NTA collector, 172.30.34.131 is the FortiGate address the flows are exported from; active-flow-timeout is in minutes):
config system netflow
    set collector-ip 192.168.131.93
    set source-ip 172.30.34.131
    set active-flow-timeout 1
end

• Enable NetFlow on the interface (NET-406 is the author's Internet-facing interface; "both" samples RX and TX):
config system interface
    edit NET-406
        set netflow-sampler both
    next
end

• UDP port 2055 (the NTA default) must be reachable on the collector: allow it on the collector host and in any firewall policy between the source-ip and the collector. NetFlow is unauthenticated, unencrypted UDP, so export from a management-side interface to a collector on a trusted segment rather than across an untrusted network.
• Add the FortiGate as a device in NTA with the same port.
• Verification:
show system interface NET-406
show system netflow
diagnose sniffer packet any 'port 2055' 4

config system sflow
    set collector-ip 10.0.0.50
    set collector-port 6343
end

Then for each interface (sample-rate 512 means one packet in 512 is sampled):

config system interface
    edit <interface>
        set sflow-sampler enable
        set sample-rate 512
        set sample-direction both
        set polling-interval 30
    next
end

http://kb.fortinet.com/kb/documentLink.do?externalID=FD32024
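The sniffer check above only proves that packets leave the FortiGate on port 2055; it does not show what the collector will actually decode. As an added example (not code from the original post or from Fortinet), here is a small Python NetFlow v9 decoder you can run on the collector host to see the templates and flow records arriving. It assumes the FortiGate exports NetFlow version 9 on UDP/2055; the packet it decodes when run stand-alone is constructed in build_sample_packet() and is not a real FortiGate capture, and the addresses in it are RFC 1918 / documentation values.

```python
"""Minimal NetFlow v9 collector/decoder to confirm what a FortiGate is exporting on UDP/2055."""
import socket
import struct

# NetFlow v9 field type numbers (RFC 3954 section 8) used by the constructed sample below.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}


def _decode_field(ftype, raw):
    # IPv4 address fields are rendered dotted-quad, everything else as a big-endian integer.
    if ftype in (8, 12) and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


class NetflowV9Decoder:
    """Stateful: templates (FlowSet ID 0) arrive separately from data FlowSets (ID >= 256)
    and are keyed by (source_id, template_id), so keep one decoder per collector socket."""

    def __init__(self):
        self.templates = {}

    def decode(self, packet):
        if len(packet) < 20:
            raise ValueError("short NetFlow header")
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not NetFlow v9 (version=%d)" % version)
        records, off = [], 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            if fs_len < 4 or off + fs_len > len(packet):
                raise ValueError("malformed FlowSet length")  # never read past the datagram
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:
                self._parse_templates(source_id, body)
            elif fs_id >= 256:
                records.extend(self._parse_data(source_id, fs_id, body))
            # ID 1 (options template) and 2..255 (reserved) are skipped here.
            off += fs_len
        return records

    def _parse_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = []
            for _ in range(nfields):
                if off + 4 > len(body):
                    raise ValueError("truncated template record")
                fields.append(struct.unpack("!HH", body[off:off + 4]))  # (field type, length)
                off += 4
            self.templates[(source_id, tid)] = fields

    def _parse_data(self, source_id, tid, body):
        tmpl = self.templates.get((source_id, tid))
        if tmpl is None:
            return []  # template not seen yet; exporters resend templates periodically
        rec_len = sum(flen for _, flen in tmpl)
        out, off = [], 0
        while off + rec_len <= len(body):  # trailing bytes shorter than a record are padding
            rec = {}
            for ftype, flen in tmpl:
                rec[FIELD_NAMES.get(ftype, "field_%d" % ftype)] = _decode_field(ftype, body[off:off + flen])
                off += flen
            out.append(rec)
        return out


def build_sample_packet():
    """Constructed export (not a real FortiGate capture): a template FlowSet defining template 256,
    then a data FlowSet carrying two flow records that use it."""
    template = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl_body = struct.pack("!HH", 256, len(template)) + b"".join(struct.pack("!HH", t, l) for t, l in template)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    flows = [("172.30.34.10", "198.51.100.20", 51514, 443, 6, 5120, 12),
             ("172.30.34.11", "192.0.2.53", 40001, 53, 17, 74, 1)]
    data_body = b"".join(socket.inet_aton(s) + socket.inet_aton(d) + struct.pack("!HHBII", sp, dp, pr, by, pk)
                         for s, d, sp, dp, pr, by, pk in flows)
    data_body += b"\x00" * ((-len(data_body)) % 4)  # FlowSets are padded to 4-byte boundaries
    data_fs = struct.pack("!HH", 256, 4 + len(data_body)) + data_body
    header = struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 1, 0)  # version, count, uptime, secs, seq, source id
    return header + tmpl_fs + data_fs


def run_collector(bind_ip="0.0.0.0", port=2055, max_packets=10):
    """Listen like the NTA collector would and print decoded flows; run this on the host that
    collector-ip points at to prove exports are leaving the FortiGate and are decodable."""
    dec = NetflowV9Decoder()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_ip, port))
        for _ in range(max_packets):
            data, (src, _) = s.recvfrom(65535)
            for rec in dec.decode(data):
                print(src, rec)


if __name__ == "__main__":
    for rec in NetflowV9Decoder().decode(build_sample_packet()):
        print(rec)
```

If the FortiGate's first packets carry only data FlowSets, the decoder returns nothing until a template packet arrives; that is expected NetFlow v9 behaviour and is the usual reason a collector shows the device but no flows for the first few minutes.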

Fortigate Syslog servers

Configuring logging to multiple Syslog servers
(From the FortiOS™ Handbook – Logging and Reporting for FortiOS 5.0, Fortinet Technologies Inc., page 47.)
When configuring one or more Syslog servers, you can enable reliable delivery of log messages to the Syslog server (TCP transport instead of the default UDP; this gives you delivery guarantees, not confidentiality, since the log stream is still unencrypted). Reliable delivery can only be configured in the CLI.
If VDOMs are enabled, each VDOM uses the global FortiAnalyzer/Syslog server by default, but a per-VDOM override can be enabled in the CLI to point that VDOM at a different FortiAnalyzer/Syslog server.
To enable logging to multiple Syslog servers

1. Log in to the CLI and enter the following commands to configure the first Syslog server:
config log syslogd setting
    set csv {disable | enable}
    set facility <facility>
    set port <port>
    set reliable {disable | enable}
    set server <ip-or-fqdn>
    set status {disable | enable}
end

2. Enter the following commands to configure the second Syslog server:
config log syslogd2 setting
    set csv {disable | enable}
    set facility <facility>
    set port <port>
    set reliable {disable | enable}
    set server <ip-or-fqdn>
    set status {disable | enable}
end

3. Enter the following commands to configure the third Syslog server:
config log syslogd3 setting
    set csv {disable | enable}
    set facility <facility>
    set port <port>
    set reliable {disable | enable}
    set server <ip-or-fqdn>
    set status {disable | enable}
end

Most FortiGate features are, by default, enabled for logging. You can disable individual
FortiGate features you do not want the Syslog server to record, as in this example:

config log syslogd filter
    set traffic {enable | disable}
    set web {enable | disable}
    set url-filter {enable | disable}
end

To enable/disable override settings per-VDOM (these are entered inside the VDOM context, after config vdom / edit <vdom>):
config log fortianalyzer override-filter
    set override {enable | disable}
end

config log fortianalyzer override-setting
    set override {enable | disable}
end

config log syslogd override-filter
    set override {enable | disable}
end

config log syslogd override-setting
    set override {enable | disable}
end

Click to access fortigate-loggingreporting-509.pdf

Fortinet Management via WAN Port

Exposing the management interface on the WAN side is a risk in itself. If you do it, all three steps below belong together, and only step 2 actually limits who can reach the login page.

Step 1: Allow HTTPS on the WAN interface
In the GUI, go to Network > Interfaces, edit the WAN interface and, under Administrative Access, enable HTTPS (and SSH if you need the CLI). Leave HTTP and Telnet disabled: both carry credentials in clear text.

Step 2: Restrict logins to trusted hosts
In the GUI, go to System > Administrators, edit each administrator, enable Restrict login to trusted hosts and list the public IP addresses you will connect from. Do not forget to add your internal management hosts or subnets, otherwise you lose access to the firewall from the inside: once trusted hosts are set, logins from any other address are refused.

Step 3: Change the default HTTPS port to 444
In the GUI, go to System > Settings and, under Administration Settings, change the HTTPS port from 443 to 444 (older 5.x builds have this under System > Admin > Settings). Moving the port keeps the login page out of the most casual scans, but it is not a security control: without step 2 the page is still reachable by anyone who finds it.
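Once the FortiGate is forwarding to the syslog servers configured in the previous section, the logs are what tell you whether the WAN-side management exposure is being probed and whether the trusted-host restriction is really applied to every administrator account. As an added example (not code from the original page or from Fortinet), the Python below parses FortiOS key=value syslog lines and flags two things: repeated failed admin logins from one source, and any successful admin login from an address outside the trusted-host list, which means step 2 was missed for that account. The log lines are constructed to match the FortiOS event-log field names (type, action, status, user, srcip, method) and are not real captures; the trusted-host networks and the threshold are assumptions.

```python
"""Parse FortiOS syslog lines and flag admin-login anomalies against a trusted-host list."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in FortiOS key=value syslog format (not real captures).
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:01:02 devname="FGT-HQ" type="event" subtype="system" action="login" '
    'status="failed" user="admin" srcip=203.0.113.50 method="https" msg="Administrator admin login failed"',
    'date=2024-05-01 time=10:01:04 devname="FGT-HQ" type="event" subtype="system" action="login" '
    'status="failed" user="admin" srcip=203.0.113.50 method="https" msg="Administrator admin login failed"',
    'date=2024-05-01 time=10:01:06 devname="FGT-HQ" type="event" subtype="system" action="login" '
    'status="failed" user="admin" srcip=203.0.113.50 method="https" msg="Administrator admin login failed"',
    'date=2024-05-01 time=10:05:00 devname="FGT-HQ" type="event" subtype="system" action="login" '
    'status="success" user="netops" srcip=10.10.5.21 method="ssh" msg="Administrator netops logged in successfully"',
    'date=2024-05-01 time=10:07:30 devname="FGT-HQ" type="event" subtype="system" action="login" '
    'status="success" user="admin" srcip=198.51.100.77 method="https" msg="Administrator admin logged in successfully"',
    'date=2024-05-01 time=10:08:00 devname="FGT-HQ" type="traffic" subtype="forward" srcip=10.10.5.30 '
    'dstip=198.51.100.20 dstport=443 action="accept" sentbyte=5120 rcvdbyte=20480',
]

# Assumed trusted-host list: the internal management subnet plus one public admin address.
TRUSTED_HOSTS = [ipaddress.ip_network(n) for n in ("10.10.5.0/24", "203.0.113.50/32")]
FAILED_LOGIN_THRESHOLD = 3  # assumed; tune to your environment

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Turn one FortiOS key=value log line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_trusted(ip, trusted):
    return any(ip in net for net in trusted)


def analyse(lines, trusted=TRUSTED_HOSTS, threshold=FAILED_LOGIN_THRESHOLD):
    """Return failed-login bursts per source and successful admin logins from non-trusted addresses."""
    failures = Counter()
    untrusted_logins = []
    for line in lines:
        ev = parse_fortigate_line(line)
        # Only administrator login events matter here; traffic and other event subtypes are skipped.
        if ev.get("type") != "event" or ev.get("action") != "login" or "srcip" not in ev:
            continue
        src = ipaddress.ip_address(ev["srcip"])
        if ev.get("status") == "failed":
            failures[str(src)] += 1
        elif ev.get("status") == "success" and not is_trusted(src, trusted):
            # A success from outside the list means trusted hosts are not enforced for this account.
            untrusted_logins.append((ev.get("user"), str(src), ev.get("method")))
    brute_force = {ip: n for ip, n in failures.items() if n >= threshold}
    return {"brute_force": brute_force, "untrusted_logins": untrusted_logins}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOGS)
    for ip, n in result["brute_force"].items():
        print("failed admin logins from %s: %d" % (ip, n))
    for user, ip, method in result["untrusted_logins"]:
        print("admin login by %s from non-trusted host %s over %s" % (user, ip, method))
```

Feed it real lines with `set csv disable` on the syslogd setting (the default); with `set csv enable` the FortiGate emits comma-separated values instead of key=value pairs and this parser does not apply.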

Fresh from the box Fortigate

1. Register your device.
http://help.fortinet.com/coyotepoint/10-3-2/Content/Install/E300_Register.htm

2. Run HQIP Test.
http://wiki.diagnose.fortinet.com/index.php/Running_an_HQIP_(Hardware_Quick_Inspection_Package)_test

Download HQIP:
https://support.fortinet.com/Download/HQIPImages.aspx

Steps:
https://samuellasmana.wordpress.com/2015/06/01/how-to-perform-hqip-test/

3. Migrate the configuration from the old appliance if needed. Options are:
1. FortiConverter.
2. Edit the configuration header (the #config-version line) of the old backup to match the new model and firmware, then restore it. This only works between closely related models and versions, so review the configuration error log after the restore for lines that were dropped.
3. Re-enter the configuration manually.

VPN Troubleshooting | Juniper NetScreen (ScreenOS)

https://kb.juniper.net/InfoCenter/index?page=content&id=KB6283

Two 'get sa' snapshots of the same tunnel: in the first the Phase 2 SA (SPI 883ebdb7) has expired and the tunnel is inactive; in the second a new SA (SPI 883ebdb8) has been negotiated with 3596 seconds of lifetime left and the tunnel is active.

Paris-> get sa
total configured sa: 1
HEX ID   Gateway  Port Algorithm      SPI      Life:sec kb    Sta PID vsys
00000001 1.1.1.1  500  esp:3des/sha1  883ebdb7 expir    unlim I/I 1   0

Paris-> get sa
total configured sa: 1
HEX ID   Gateway  Port Algorithm      SPI      Life:sec kb    Sta PID vsys
00000001 1.1.1.1  500  esp:3des/sha1  883ebdb8 3596     unlim A/- 1   0

Note that the example tunnel uses esp:3des/sha1; 3DES and SHA-1 are legacy algorithms, and new tunnels should be built with AES and SHA-2.

In the case of multiple VPN Tunnels, search through the Gateway column for the IP address of the Remote Gateway of the tunnel in question.

The Sta field shows two things:

The first character shows whether the VPN tunnel is Active or Inactive.
The second character (after the slash) shows the link status as seen by the VPN Monitor feature.
The possible values of the Sta field are:

I/I: VPN tunnel is Inactive
A/-: VPN tunnel is Active, and VPN Monitor is not configured
A/U: VPN tunnel is Active, and the link (detected through VPN Monitor) is UP
A/D: VPN tunnel is Active, but the link (detected through VPN Monitor) is DOWN. VPN Monitor is not getting a response to its pings. This can happen because the device being pinged is down or has ping disabled, or because the other side of the VPN is not a NetScreen/Juniper firewall.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB6134
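Reading Sta by eye is fine for one tunnel; with many tunnels it helps to script it. As an added example, not code from the Juniper KB article, the Python below parses the two 'get sa' snapshots quoted above, looks up a remote gateway the way the article tells you to, and decodes the Sta field using the legend above; it also flags legacy algorithms (3DES, DES, MD5) in the Algorithm column. The column order is the one shown in the snapshots; no other ScreenOS output format is assumed.

```python
"""Parse ScreenOS 'get sa' output and explain a tunnel's Sta field for a given remote gateway."""
import re

# The two 'get sa' snapshots from the page (Juniper KB6283 example): before and after rekey.
SNAPSHOT_BEFORE = """Paris-> get sa
total configured sa: 1
HEX ID   Gateway  Port Algorithm      SPI      Life:sec kb    Sta PID vsys
00000001 1.1.1.1  500  esp:3des/sha1  883ebdb7 expir    unlim I/I 1   0
"""
SNAPSHOT_AFTER = """Paris-> get sa
total configured sa: 1
HEX ID   Gateway  Port Algorithm      SPI      Life:sec kb    Sta PID vsys
00000001 1.1.1.1  500  esp:3des/sha1  883ebdb8 3596     unlim A/- 1   0
"""

# Legend for the Sta column, as given in the KB article.
STA_MEANING = {
    "I/I": "inactive",
    "A/-": "active, VPN Monitor not configured",
    "A/U": "active, VPN Monitor link up",
    "A/D": "active, but VPN Monitor link down (no ping reply: remote host down, "
           "ping disabled, or non-NetScreen peer)",
}
LEGACY_ALGOS = ("des", "3des", "md5", "null")
HEX_ID_RE = re.compile(r"[0-9a-fA-F]{8}")


def parse_get_sa(output):
    """Return one dict per SA row; the 'total configured sa' and header lines are skipped."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 10 or not HEX_ID_RE.fullmatch(parts[0]):
            continue
        hexid, gw, port, algo, spi, life_sec, kb, sta, pid, vsys = parts
        entries.append({
            "id": hexid, "gateway": gw, "port": int(port), "algorithm": algo, "spi": spi,
            "expired": life_sec == "expir",            # ScreenOS prints 'expir' when the SA lifetime is over
            "life_sec": None if life_sec == "expir" else int(life_sec),
            "life_kb": None if kb == "unlim" else int(kb),
            "sta": sta, "pid": int(pid), "vsys": int(vsys),
        })
    return entries


def tunnel_status(output, remote_gateway):
    """Find the SA whose Gateway column matches the remote peer and decode its Sta field.
    Returns None when no SA exists for that gateway."""
    for sa in parse_get_sa(output):
        if sa["gateway"] != remote_gateway:
            continue
        # Algorithm looks like 'esp:3des/sha1'; split off the protocol, then cipher/hash.
        ciphers = sa["algorithm"].split(":", 1)[-1].lower().split("/")
        return {
            "found": True,
            "spi": sa["spi"],
            "sta": sa["sta"],
            "active": sa["sta"].startswith("A"),
            "expired": sa["expired"],
            "meaning": STA_MEANING.get(sa["sta"], "unknown Sta value " + sa["sta"]),
            "weak_crypto": [a for a in LEGACY_ALGOS if a in ciphers],
        }
    return None


if __name__ == "__main__":
    for label, snap in (("before", SNAPSHOT_BEFORE), ("after", SNAPSHOT_AFTER)):
        print(label, tunnel_status(snap, "1.1.1.1"))
```

Paste the real 'get sa' output into parse_get_sa and call tunnel_status once per remote gateway; an SA that is missing entirely (None) usually means Phase 1 never completed, which is a different problem from an Inactive or A/D status.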