FortiGate – FortiGuard Servers with SD-WAN

We’ve started rolling out SD-WAN setups at all our sites with redundant internet connections. A couple of them ran into issues connecting to FortiGuard and I had to contact support. Here is the CLI they ran.

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 53
    set sdns-server-ip "208.91.112.220"
    set interface-select-method sdwan
end

This turns off the FortiGuard anycast servers, sets the protocol and port (here UDP 53) and tells FortiGuard traffic to pick its egress interface through SD-WAN. One thing to be aware of: the anycast service is the HTTPS/443 path, so disabling it puts FortiGuard traffic on the legacy protocol; if your sites can reach it, set protocol https and set port 443 instead of UDP 53. What I found out later is that when you disable anycast, you also need to specify an SDNS server for the firewall to update all the security profiles from. The US server is 208.91.112.220.

You also need to update the FortiGate DNS servers to use the SD-WAN connection.

config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
    set interface-select-method sdwan
end
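Once both blocks are applied, these are the checks I would run from the FortiGate CLI to confirm FortiGuard and DNS are actually leaving over the SD-WAN members. This block is added here for reference and is not part of the commands support ran; the text after # is explanatory only, so type just the commands.

```text
show system fortiguard           # anycast should read disable, with protocol/port/sdns-server-ip as set above
show system dns                  # primary/secondary servers and interface-select-method sdwan
diagnose debug rating            # FortiGuard rating/SDNS server list with RTT; an empty list means nothing is reachable
execute ping 208.91.112.53       # basic reachability of the FortiGuard DNS server over the SD-WAN path

# Force a signature update and watch the exchange with the update server
diagnose debug application update -1
diagnose debug enable
execute update-now
diagnose debug disable

# Which SD-WAN member carried the traffic (7.x syntax; 6.x uses diagnose sys virtual-wan-link member)
diagnose sys sdwan member
```

If diagnose debug rating comes back empty or with every server flagged down while the ping works, the SD-WAN rule or member health check is the first thing to look at, not the FortiGuard settings.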

FortiGate – DHCP Domain Name

We have a couple of small sites where DHCP runs on the FortiGate firewall, but since we run Windows Active Directory, the DHCP server needs to hand out the AD domain name (and, for the same reason, the domain controllers as the DNS servers, otherwise domain joins and logons fail).

config system dhcp server
    show                (find the entry whose interface/ip-range matches your subnet)
    edit #              (# is the ID of the DHCP server for the subnet you're editing)
        set domain domain.local
    next
end
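For a new site it is easier to build the whole scope in one go than to patch the domain in afterwards. The following is an added example of a complete DHCP server entry for an AD site, not config from the original notes; the interface name, addresses and domain controllers are made up, and the text after # is explanatory only.

```text
config system dhcp server
    edit 1
        set interface "internal"                 # LAN interface serving the subnet (assumed name)
        set default-gateway 192.168.10.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.10.100
                set end-ip 192.168.10.199
            next
        end
        set domain domain.local                  # DNS suffix handed to clients
        set dns-service specify                  # do not hand out the FortiGate or FortiGuard as DNS
        set dns-server1 192.168.10.10            # domain controller
        set dns-server2 192.168.10.11            # second domain controller, if the site has one
        set ntp-service specify
        set ntp-server1 192.168.10.10            # keep Kerberos clock skew in check
    next
end
```

The dns-service specify line is the important one for AD: the default hands out the FortiGate itself as the resolver, which breaks domain-joined clients unless the FortiGate forwards to the domain controllers.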

FortiClient – SSL VPN Profiles

If you’re like me, over time you’ve built up SSL VPN connections to various sites or clients. If you need to transfer these to another system or just want to back them up in case you need them, here are the locations in the Windows Registry you can back them up from.

User entries:

Computer\HKEY_CURRENT_USER\Software\Fortinet\FortiClient\Sslvpn\Tunnels

System entries:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels

You can back them all up by exporting the Tunnels key, or export individual connections one per site. Treat the export as sensitive: it contains every tunnel's gateway address and username, plus whatever else FortiClient saved for that connection, so store it like a credential file rather than a plain config backup. Importing the HKEY_LOCAL_MACHINE branch on the new system needs an elevated session; the HKEY_CURRENT_USER entries import as the user.

FortiSwitch – Configure Static IP

I have a couple of FortiSwitches that I’ve had to manage as standalone, but for some reason assigning the static IP address through the Web UI always gives me issues. Here is the CLI for assigning a static IP.

config system interface
    edit internal
        set mode static
        set ip x.x.x.x x.x.x.x
        set allowaccess https ssh ping
    next
end

allowaccess is the management surface exposed on that address; keep it to https and ssh (plus ping if you want it reachable for monitoring) and leave http and telnet off.

FortiLink Managed Switches over Wireless P2P Bridge

I have a couple of remote buildings at work where we were previously managing the FortiSwitches in standalone mode, which worked, but we didn’t get the ease of managing everything from the FortiGate like we did with most of our switches.

Took a couple months of searching around (in between other projects and tasks), but I finally managed to get this to work.

Once you know which port on the FortiLink-managed switch faces the P2P bridge, log in to that switch's CLI and run these commands:

config switch physical-port
edit port#
set fortilink-p2p enable
next
end

Then, on the remote switch, before connecting it to the P2P bridge, run the following CLI commands:

config system global
    set switch-mgmt-mode fortilink
end
(the switch prompts to reboot; answer y and log back in once it is up)

config switch global
set fortilink-p2p-native-vlan 4094
end
config switch physical-port
edit port#
set fortilink-p2p enable
next
end

After this is done, plug in the P2P cable and give it a couple of minutes to come up. The remote switch will then show up under Managed Switches on the FortiGate, waiting to be authorized.
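Authorizing can also be done from the FortiGate CLI, which is handy when the GUI is slow to refresh or you are scripting a site. The following is an added example and not part of the original procedure; the serial number is made up, so use the one the first command prints, and the text after # is explanatory only.

```text
# On the FortiGate, once the remote switch has shown up
execute switch-controller get-conn-status        # lists managed switches with serial, status and authorization state

# Authorize it (same effect as Authorize in the Managed Switches page)
config switch-controller managed-switch
    edit "S248EF12345678"                        # made-up serial; copy the real one from the output above
        set fsw-wan1-admin enable
    next
end

execute switch-controller get-conn-status        # after a minute or two the switch should show as authorized and up
```

If the switch never appears, check on the remote switch that the port you enabled fortilink-p2p on is the one actually cabled to the bridge, and that the bridge passes tagged frames, since FortiLink traffic arrives on the 4094 native VLAN set above.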