Troubleshooting Guide for FortiGate Firewalls

Here's a comprehensive list of troubleshooting commands for FortiGate firewalls, grouped by category, to help you quickly diagnose and resolve issues:

General System References:

Show FortiGate Details: Use this command to view the current firewall version, IPS/Virus/App-DB versions, serial number, and other system details.

FG-maattoos# get system status


Check CPU, Memory, and Load Usage: Monitor the system's resource utilization to ensure optimal performance.

FG-maattoos# get system performance status


Check WHO is using CPU, Memory: Identify processes or users consuming high CPU or memory.

FG-maattoos# diag sys top-all


Show Hardware Acceleration: Verify the hardware acceleration settings of your firewall.

FG-maattoos# get system npu

FG-maattoos# get system np6xlite


Check HA Status: Verify the high availability (HA) status of your FortiGate cluster.

FG-maattoos# get system ha status

FG-maattoos# diagnose sys ha status


Check Session Table: View the session table of the firewall to check the maximum sessions against used sessions.

FG-maattoos# diagnose sys session full-stat


Show Interface Settings: Check the configuration of a specific interface for issues.

FG-maattoos# diagnose hardware deviceinfo nic port1


Check IP Addresses: View all assigned IP addresses on the firewall.

FG-maattoos# diag ip address list


Show ARP Entries: Display ARP (Address Resolution Protocol) entries on the firewall.

FG-maattoos# get system arp


Get Routing Table: Check the routing table of the firewall.

FG-maattoos# get router info routing-table all


FortiGate VPN Troubleshoot Guide:

Get VPN Tunnel List: View a list of active VPN tunnels.

FG-maattoos# diagnose vpn tunnel list


Enable VPN Debugging for a Specific VPN: Debug and troubleshoot specific VPN tunnels.

diagnose debug enable

diagnose debug console timestamp enable

diagnose vpn ike log filter name <VPN-name>

diagnose debug application ike -1

diag vpn tunnel up IPSEC_PHASE2 IKE_Phase1


Authentication Debugging:

RADIUS: Test RADIUS authentication and connectivity.

#diagnose test authserver radius-direct <RADIUS_IP> <RADIUS_PORT> <RADIUS_PASSWORD>

#diagnose test authserver radius <RADIUS_NAME> <protocol-chap|pap|mschap|mschap2> <username> <password>


FSSO: Debug FSSO (Fortinet Single Sign-On) authentication.

#diag debug authd fsso summary

#diag debug enable

#diag debug authd fsso list

#diag debug authd fsso server-status


Restart FortiGate Daemons:

Restart IPS Monitor Daemon: Restart the IPS (Intrusion Prevention System) monitor daemon.

FG-maattoos# diag test application ipsmonitor 99


Packet Sniffing and Flow Monitor:

Sniffing Traffic: Capture and analyze network traffic for troubleshooting purposes.

#diag sniffer packet any <'filter'> 6 0 a


Session Flows: Monitor and analyze session flows on the firewall.

#diag debug enable

#diag debug flow filter <filter>

#diag debug flow trace start 100


Use these commands carefully and refer to Fortinet documentation for more detailed information. Happy troubleshooting!

FortiGate Firmware Update Restrictions Without Support Contract: What You Need to Know

If you're managing a FortiGate device without an active support contract, there are important limitations to consider when it comes to firmware updates. While it's understandable that firmware development requires funding, the latest FortiOS 7.4.2 update introduces some significant restrictions that go beyond the norm.

Previously, FortiGate devices without support contracts could not upgrade to higher major or minor versions but could still upgrade to higher patch builds. However, with FortiOS 7.4.2, even downgrading to previous versions within the same major version is no longer possible. This means you can't revert to an earlier version, even if you encounter issues or compatibility problems with the latest update.

Furthermore, as of February 8, 2024, upgrading within the same minor release (e.g., from 7.4.2 to 7.4.3) is also blocked for devices without active support contracts.

To work around these restrictions, you can boot from the secondary partition or format the boot device and upload a new firmware image via TFTP.

Downgrade Commands:

To boot from the secondary partition:

# exec set-next-reboot secondary

# exec reboot

Solution

The following CLI command lists the FortiOS image files installed in both partitions:

FGT # diag sys flash list
Partition    Image                       TotalSize(KB)   Used(KB)  Use%    Active
1            FGT61E-6.04-FW-build1778-201021    253920      87604   35%    Yes   
2            FGT61E-6.04-FW-build1803-201209    253920      88660   35%    No  
3            ETDB-84.00660                     3021708     200120    7%    No   
Image build at Dec  9 2020 22:27:52 for b1803

As per the above output, partition 1 is active and holds the current firmware (6.4.3); the secondary partition holds 6.4.4.

Back up the configuration first. Then, before reverting to the previous firmware, use the following CLI command to select which firmware should be used at the next reboot:

FGT # execute set-next-reboot {primary | secondary} <-----In this example it will be secondary.
FGT # execute set-next-reboot secondary

Default image is changed to image# 2.

 

Primary and Secondary simply refer to partition number 1 or partition number 2 respectively. Partition number 3 can be ignored.

Once the secondary partition that is to be used to boot the device has been selected, reboot the FortiGate.

This can be done using the command:

 

FGT # execute reboot

The same CLI command can then be used to verify that the FortiGate has rebooted from the secondary partition (see the example below):

FGT # diag sys flash list
Partition    Image                       TotalSize(KB)   Used(KB)  Use%    Active
1            FGT61E-6.04-FW-build1778-201021    253920      87604   35%    No   
2            FGT61E-6.04-FW-build1803-201209    253920      88660   35%    Yes  
3            ETDB-84.00660                     3021708     200120    7%    No   
Image build at Dec  9 2020 22:27:52 for b1803

VDOM administrators do not have permission to run this command. It must be executed by a super administrator.

After an upgrade, the active partition changes automatically (here from 6.4.4 on partition 2 to 6.4.5 on partition 1):

FGT # diag sys flash list
Partition    Image                       TotalSize(KB)   Used(KB)  Use%    Active
1            FGT61E-6.04-FW-build1828-210217    253920      87396   34%    Yes   
2            FGT61E-6.04-FW-build1803-201209    253920      88660   35%    No  
3            ETDB-84.00660                     3021708     157240    7%    No   
Image build at Feb 17 2021 20:43:28 for b1828

 

Note:

  1. Rebooting the FortiGate from the other partition will cause the loss of any configuration changes that were made since the upgrade. It is preferable to use Notepad++ with the Compare plugin to quickly highlight the differences between the backup configuration taken before reloading and a backup of the currently running configuration.

  2. In HA environments, the command needs to be applied to each unit in the cluster individually. This is not synchronized and will not automatically take effect on other units in the cluster.

  3. FortiToken licenses once added to any of the units, are kept and shared between the units of the cluster. Therefore, a reboot (or shutdown) of a unit in HA should not impact the operation or usage of FortiTokens through the remaining unit. When a downgrade is performed as above, the unit will load the previous configuration (with FortiTokens in the same state and assigned as they were before the last upgrade). This may be useful when the token licenses are not validated correctly following an upgrade.
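
Note 1 recommends comparing the pre-reload backup with a backup of the running configuration so that nothing is silently lost by the reboot. As an added example (not part of the Fortinet article or any Fortinet tool), the script below flattens two FortiOS-style backups into (section, entry, key) paths and reports what was added, removed or changed. The two backups are constructed for this example and only cover the `config` / `edit` / `set` / `unset` / `next` / `end` keywords that FortiOS backups use.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed backup taken before the upgrade (not a real device configuration).
CONFIG_BEFORE = """\
config system global
    set hostname "FGT-branch"
    set admin-sport 443
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
    next
end
"""

# Constructed backup of the running configuration: a changed admin port, an extra
# management protocol and a temporary policy that would be lost on reboot.
CONFIG_NOW = """\
config system global
    set hostname "FGT-branch"
    set admin-sport 8443
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh http
    next
end
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
    next
    edit 2
        set name "Temp-any-any"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
    next
end
"""

Path = Tuple[str, ...]


def flatten(config_text: str) -> Dict[Path, str]:
    """Turn nested config/edit/set blocks into {(section, ..., entry, key): value}.

    Lines starting with '#' (the backup header) are skipped; 'next' closes an
    'edit' block and 'end' closes a 'config' block."""
    path: List[str] = []
    settings: Dict[Path, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)          # handles quoted names such as "port1"
        keyword = words[0]
        if keyword == "config":
            path.append(" ".join(words[1:]))
        elif keyword == "edit":
            path.append(words[1])
        elif keyword == "set":
            settings[tuple(path) + (words[1],)] = " ".join(words[2:])
        elif keyword == "unset":
            settings[tuple(path) + (words[1],)] = "<unset>"
        elif keyword in ("next", "end"):
            path.pop()
    return settings


def diff_configs(before: str, now: str):
    """Return (added, removed, changed) between two backups."""
    old, new = flatten(before), flatten(now)
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return added, removed, changed


def report(before: str, now: str) -> List[str]:
    """Human-readable diff lines: '+' added, '-' removed, '~' changed."""
    added, removed, changed = diff_configs(before, now)
    lines = [f"+ {' / '.join(k)} = {v}" for k, v in sorted(added.items())]
    lines += [f"- {' / '.join(k)} = {v}" for k, v in sorted(removed.items())]
    lines += [f"~ {' / '.join(k)}: {a} -> {b}" for k, (a, b) in sorted(changed.items())]
    return lines


if __name__ == "__main__":
    print("\n".join(report(CONFIG_BEFORE, CONFIG_NOW)))
```

Run it against `execute backup config` files from before and after the upgrade: every `+` line is a change the reboot into the other partition will discard, and a `~` line on something like `admin-sport` or `allowaccess` is exactly the kind of management-plane change you want to re-apply deliberately rather than rediscover after the rollback.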


To format the boot device and upload a new firmware image via TFTP, you can refer to the FortiGate documentation for detailed instructions.

Disclaimer: This information is provided for informational purposes only. The author is not responsible for any consequences that may occur. Readers should proceed with their own responsibility and refer to official FortiGate documentation for guidance.

It's essential for FortiGate users to be aware of these restrictions and plan their firmware updates accordingly, especially if they do not have an active support contract. Ensuring compatibility and stability with each update is crucial, as reverting to a previous version may not always be an option.

Important Note: Please check your secondary backup before upgrading, as it may be an old one. After downgrading and upgrading to 7.4.3, please restore the active backup to the new partition.
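
The `diag sys flash list` output above is what tells you which image you will land on, both when checking the secondary partition before an upgrade and when confirming that `execute set-next-reboot` actually took effect. As an added example (not Fortinet code), the parser below reads that output, identifies the active and standby firmware partitions, compares their build numbers, and checks a before/after pair of outputs to confirm the reboot switched partitions. The three sample outputs are the ones shown on this page; the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# `diag sys flash list` output before the rollback, as shown on the page.
FLASH_BEFORE = """\
Partition    Image                       TotalSize(KB)   Used(KB)  Use%    Active
1            FGT61E-6.04-FW-build1778-201021    253920      87604   35%    Yes
2            FGT61E-6.04-FW-build1803-201209    253920      88660   35%    No
3            ETDB-84.00660                     3021708     200120    7%    No
Image build at Dec  9 2020 22:27:52 for b1803
"""

# Same device after `execute set-next-reboot secondary` and `execute reboot`.
FLASH_AFTER_REBOOT = """\
Partition    Image                       TotalSize(KB)   Used(KB)  Use%    Active
1            FGT61E-6.04-FW-build1778-201021    253920      87604   35%    No
2            FGT61E-6.04-FW-build1803-201209    253920      88660   35%    Yes
3            ETDB-84.00660                     3021708     200120    7%    No
"""

# Same device after the later upgrade to build 1828 (6.4.5), also from the page.
FLASH_AFTER_UPGRADE = """\
Partition    Image                       TotalSize(KB)   Used(KB)  Use%    Active
1            FGT61E-6.04-FW-build1828-210217    253920      87396   34%    Yes
2            FGT61E-6.04-FW-build1803-201209    253920      88660   35%    No
3            ETDB-84.00660                     3021708     157240    7%    No
"""

# One table row: number, image name, total KB, used KB, use %, Active flag.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)%\s+(Yes|No)\s*$")
BUILD_RE = re.compile(r"-build(\d+)-")


@dataclass
class Partition:
    number: int
    image: str
    active: bool
    build: Optional[int]   # firmware build number; None for the ETDB row (partition 3)


def parse_flash_list(text: str) -> List[Partition]:
    """Parse the table rows; the header, CLI prompt and 'Image build at' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        number, image, _total, _used, _pct, active = m.groups()
        b = BUILD_RE.search(image)
        rows.append(Partition(int(number), image, active == "Yes", int(b.group(1)) if b else None))
    return rows


def firmware_partitions(text: str) -> List[Partition]:
    return [p for p in parse_flash_list(text) if p.build is not None]


def _exactly_one(parts: List[Partition], what: str) -> Partition:
    if len(parts) != 1:
        raise ValueError(f"expected exactly one {what} firmware partition, found {len(parts)}")
    return parts[0]


def active_partition(text: str) -> Partition:
    return _exactly_one([p for p in firmware_partitions(text) if p.active], "active")


def standby_partition(text: str) -> Partition:
    return _exactly_one([p for p in firmware_partitions(text) if not p.active], "standby")


def standby_is_older(text: str) -> bool:
    """True when the standby image is an older build than the running one.

    Before an upgrade that is the normal state (the standby is the rollback target).
    False after a rollback means the standby holds the only newer image, which the
    next upgrade will overwrite, so check it before proceeding."""
    return standby_partition(text).build < active_partition(text).build


def reboot_switched_to(before: str, after: str, expected_number: int) -> bool:
    """Confirm the device came up on the partition selected with set-next-reboot."""
    return (active_partition(before).number != expected_number
            and active_partition(after).number == expected_number)


if __name__ == "__main__":
    for label, text in [("before", FLASH_BEFORE), ("after reboot", FLASH_AFTER_REBOOT),
                        ("after upgrade", FLASH_AFTER_UPGRADE)]:
        a, s = active_partition(text), standby_partition(text)
        print(f"{label}: active #{a.number} build {a.build}, standby #{s.number} build {s.build},"
              f" standby older: {standby_is_older(text)}")
    print("rollback landed on partition 2:", reboot_switched_to(FLASH_BEFORE, FLASH_AFTER_REBOOT, 2))
```

Paste the command output into a file and feed it to `parse_flash_list`; in an HA cluster run it once per unit, since, as note 2 says, the partition selection is not synchronized.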


Checkpoint 3-Tier Architecture

Before starting to explore Checkpoint NGX Firewall technologies, it is critical to comprehend the Checkpoint 3-Tier architecture. This architecture describes the relationships between the Checkpoint components and how they work together as one unit. Each element has its own specific responsibilities.

Checkpoint 3-Tier Architecture

Checkpoint is a Next Generation Firewall built on three basic pillars:

  • Security Management Server
  • Security Gateway (Enforcement Module)
  • SmartConsole

Let's understand how these components work together:

  • The security admin opens SmartConsole and initiates communication with the Security Management Server.
  • The security admin makes the changes in the firewall policy and installs the policy.
  • The Security Management Server validates and verifies the changes, confirms that they are error free, and forwards the policy package to the Security Gateway.
  • The Security Gateway fetches the changes and applies them to the packet flow passing through the gateway.

Security Management Server  (SMS)

As its name implies, the Security Management Server is a server component. Its job is to store the firewall policies: the repository of policies, rules, NAT policies, VPN configuration, user database, user groups, user permissions, authentication settings and certificates.

SMS distributes policies and rules to one or more gateways. A single Smart Center Server can manage multiple gateways.

SMS can also act as a log server, which means it can store the logs generated by the firewall.

Installation Platform -> SMS can be deployed on the platforms listed below.


Key jobs performed by the Security Management Server

  • Store policies, act as a database
  • Store logs and log files
  • Maintain and store the firewall database
  • Deployed on Linux, Windows, and Gaia OS
  • A single Security Management Server can manage multiple Gateways.

The Security Management Server has the following software blades:

  • Network Policy Management — Security Gateway policies are created and managed by Network Policy Management
  • Endpoint Policy Management — Endpoint policies are created and managed by it
  • Logging & Status — Logs are managed by Logging and Status
  • Workflow — Audit and approval of management policy
  • User Directory — Authentication and the user database are managed by it
  • Provisioning — Maintenance tool
  • Compliance — Audit and apply compliance as per rules and regulations
  • SmartEvent — Log and event management

Security Gateway

The Security Gateway is also known as the Enforcement Module; you will very commonly hear people call it that.

Its job is to enforce the policy: the Security Gateway receives policies from the Smart Center Server and applies them in top-to-bottom order against every packet that the firewall receives in the inbound or outbound direction.

Once a rule is defined in the firewall, the gateway acts as the decision maker that protects the traffic as per the defined rule.

Key jobs performed by the Security Gateway

  1. All inbound and outbound traffic of the Next Generation firewall is inspected on the Gateway.
  2. The Gateway verifies each packet, compares it with the security policy and then applies the security policy accordingly.
  3. Network defence is done by the Security Gateway.
  4. The Gateway protects the traffic by applying 3-way handshake OR stateful inspection.
  5. Installation can be done on -> Linux, Windows, and Gaia OS

Below is the list of Security Blades available in the Security Gateway. Security Blades are the features of the firewall, for example URL filtering, IPS, Anti-virus etc.
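
The top-to-bottom, first-match evaluation described above is what makes rule order a security property: a broad rule placed above a narrower one makes the narrower rule unreachable. As an added example (this is illustrative code, not Check Point's implementation), the snippet below models a small rulebase, evaluates packets against it with first-match semantics and the implicit cleanup drop, and flags rules that an earlier rule fully covers. The rulebase, addresses and service names are constructed for the example; the rule model is deliberately simplified (IPv4 networks and "proto/port" service strings only).

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    services: FrozenSet[str]   # e.g. {"tcp/443"}; {"any"} matches every service
    action: str                # "accept" or "drop"


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed rulebase for the example (not a real policy).  Rule 2 is deliberately
# placed below a broader accept rule, so it can never be reached.
RULEBASE: List[Rule] = [
    Rule("Allow LAN web", net("10.0.0.0/8"), net("0.0.0.0/0"), frozenset({"tcp/80", "tcp/443"}), "accept"),
    Rule("Block kiosk web", net("10.1.1.5/32"), net("0.0.0.0/0"), frozenset({"tcp/80"}), "drop"),
    Rule("Admin SSH", net("10.0.0.0/24"), net("192.0.2.10/32"), frozenset({"tcp/22"}), "accept"),
]


def _service_covers(rule_services: FrozenSet[str], service: str) -> bool:
    return "any" in rule_services or service in rule_services


def evaluate(rulebase: List[Rule], src_ip: str, dst_ip: str, service: str) -> Tuple[str, Optional[int], str]:
    """Top-to-bottom, first match wins.  Returns (action, rule number, rule name).

    A packet that matches no rule hits the implicit cleanup rule and is dropped."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for number, rule in enumerate(rulebase, start=1):
        if src in rule.src and dst in rule.dst and _service_covers(rule.services, service):
            return rule.action, number, rule.name
    return "drop", None, "implicit cleanup"


def shadowed_rules(rulebase: List[Rule]) -> List[Tuple[int, int]]:
    """(later, earlier) rule numbers where one earlier rule fully covers a later rule,
    so the later rule can never match.  Only single-rule coverage is detected; a rule
    hidden by the union of several earlier rules is not reported."""
    result = []
    for j, later in enumerate(rulebase):
        for i, earlier in enumerate(rulebase[:j]):
            covers = (later.src.subnet_of(earlier.src)
                      and later.dst.subnet_of(earlier.dst)
                      and ("any" in earlier.services or later.services <= earlier.services))
            if covers:
                result.append((j + 1, i + 1))
                break
    return result


if __name__ == "__main__":
    packets = [("10.1.1.5", "203.0.113.7", "tcp/80"),    # kiosk to web: hits rule 1, not rule 2
               ("10.0.0.9", "192.0.2.10", "tcp/22"),     # admin SSH: rule 3
               ("10.0.0.9", "192.0.2.10", "tcp/23")]     # telnet: no rule, cleanup drop
    for pkt in packets:
        print(pkt, "->", evaluate(RULEBASE, *pkt))
    print("shadowed (later, earlier):", shadowed_rules(RULEBASE))
```

Moving "Block kiosk web" above "Allow LAN web" makes the drop effective and clears the shadowing report, which is the check a reviewer wants to run before a policy is installed on the gateway rather than after the traffic has already been accepted.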

Smart Console

To manage the Smart Center Server, the admin needs a GUI to access the application and its features. SmartConsole is the platform used to access the features of the Next Generation Firewall.

SmartConsole is only available for Windows; it does not run on Gaia OS.

Policies are first configured using SmartDashboard and then saved in the Smart Management Server.

The following packages are downloaded as part of the SmartConsole package:

  1. Smart Dashboard
  2. Smart View Tracker
  3. Smart View Monitor
  4. Smart Update
  5. Smart Log
  6. Smart Event
  7. Smart Provisioning
  8. Smart Reporter
  9. Smart Endpoint
  10. Smart Domain Manager
  11. Smart Event Intro
  12. Secure Client Packaging Tool

Deployment Option

Based on the Checkpoint product, we can choose among these deployment options:

  1. Check Point Security Appliance. Hardware and software options are required to run the Check Point Network Security System.
  2. Open Server. Gaia OS can be installed on any compatible server.
  3. A Virtual Machine. Gaia can be configured on virtualization platforms such as VMware and on cloud platforms: AWS, Azure, Google Cloud, Alibaba, and Oracle.

Another way to classify the deployment is by where the components run:

  1. Standalone -> A single device on which the Security Gateway and the SMS are installed on the same machine.
  2. Distributed -> The Security Management Server and the Security Gateway run on different machines or servers.

Distributed deployment is the commonly used approach in networks.

You may further need to explore SmartConsole deployment, Smart Management Server features and deployment and Security Gateway components. These topics will help you to understand the Checkpoint 3-Tier architecture.