Posts

Showing posts from February, 2014

Debugging Fortigate VPN

Use the following steps (x.x.x.x is the remote VPN gateway address, so only that peer's IKE negotiation is shown):

    diag debug application ike -1
    diag debug console timestamp enable
    diag vpn ike log-filter clear
    diag vpn ike log-filter dst-addr4 x.x.x.x
    diag debug enable
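The same debug session carried through end to end, including the teardown the post leaves out: this is an added example, not the original post's command list, and 203.0.113.10 and the phase-2 name are assumed placeholders. Lines starting with # are explanation, not CLI input.

```fortios
# Added example (not from the original post). 203.0.113.10 is an assumed
# remote gateway; <phase2-name> is the name of your phase-2 selector.
# 1. Scope the debug to one peer, otherwise every IKE exchange on the box is printed.
diag vpn ike log-filter clear
diag vpn ike log-filter dst-addr4 203.0.113.10
# 2. Turn on timestamps and full IKE verbosity, then enable debug output.
diag debug console timestamp enable
diag debug application ike -1
diag debug enable
# 3. Trigger a negotiation (or let the peer initiate) and read the output.
diag vpn tunnel up <phase2-name>
# 4. Always tear the debug down: a forgotten "diag debug enable" keeps
#    writing to the console and costs CPU on a busy unit.
diag debug disable
diag debug reset
diag vpn ike log-filter clear
# 5. Confirm the result without debug noise.
diag vpn ike gateway list
diag vpn tunnel list
```

On FortiOS 4.0 before MR2 the filter command is spelled `diag vpn ike filter` rather than `log-filter`; the rest is unchanged.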

Optimizing Fortigate Unit

Optimize the configuration with the following recommended settings.

1) Changing the IPS engine algorithm to low and the engine count to 4 makes IPS scanning slower but less memory-intensive:

    config ips global
        set algorithm low
        set socket-size 1
    end

After changing the algorithm and socket size, restart the IPS engine with the following command:

    diag test app ipsmonitor 99

2) If you are using the extended database for virus scanning, change it to normal:

    config antivirus settings
        set default-db normal
    end

3) Reducing some of the global timers can also reduce load:

    config system global
        set tcp-halfclose-timer 60
        set tcp-halfopen-timer 30
        set tcp-timewait-timer 60
        set udp-idle-timer 90
    end

4) You can also change the inspection mode from proxy-based to flow-based, which reduces the load on the box.

5) Change the default session TTL:

    config system session-ttl
        set default 300
    end

Note that a default TTL of 300 seconds drops any session that has been idle for five minutes, so long-lived but quiet connections (database, telnet, management sessions) will need a per-port override.

7) Lower the AV threshold: go to Firewall -> Protection Profile -> profile in use -> Anti-

Fortigate Session Timeouts

The Fortinet platform, like most other stateful firewalls, keeps track of open TCP connections. Each established session is assigned a timer that is reset every time there is activity. If the timer expires due to inactivity, the session is removed from the firewall's session table and the connection has to be re-established. A session is also cleared before the timer expires if the firewall sees a FIN or RST packet for it. Imagine you have a telnet connection on port 23 to a server in your DMZ, and a script that runs periodically to poll data over that telnet session. You notice that when the script has not run for 60 minutes, the telnet session is lost and you have to re-establish it. The easy answer is to increase the session TTL (time-to-live, or timeout). This can be done on the CLI either globally for all ports or only for specific ports. Keep in mind that raising the timeout values for all ports can signifi
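The per-port override the post describes, written out as an added example (not the post's own configuration). The factory default TTL is 3600 seconds, which is exactly the 60 minutes observed in the telnet scenario; the global default is left there and only port 23 is raised, so the wider session table is not inflated. The two-hour value is an assumption chosen to outlast the polling interval.

```fortios
# Added example (not from the original post). Keep the global default at
# 3600 s and raise only the port the polling script uses.
config system session-ttl
    set default 3600
    config port
        edit 23
            set timeout 7200
        next
    end
end
```

Verify with `show system session-ttl`, then `diag sys session filter dport 23` followed by `diag sys session list`: the `expire` field of the telnet session should now count down from 7200 rather than 3600 after each packet.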

Creating a GRE Tunnel on Fortigate

    config system gre-tunnel
        edit "tunnelname"
            set interface "wan1"
            set local-gw 192.168.10.13
            set remote-gw 192.168.1.62
        next
    end

    config system interface
        edit "tunnelname"
            set vdom "root"
            set ip 1.1.1.2 255.255.255.255
            set allowaccess ping
            set type tunnel
            set remote-ip 1.1.1.1
            set snmp-index 9
            set interface "wan1"
            set mtu 1500
        next
    end

After that, open the policies in both directions:

    1) Internal ---> Tunnel
    2) Tunnel   ---> Internal
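The two policies the post asks for, plus the static route without which nothing is ever sent into the tunnel, as an added example rather than the post's own configuration. The interface name "internal" and the remote LAN 192.168.1.0/24 are assumptions; "tunnelname" is the interface created above.

```fortios
# Added example (not from the original post). Assumes the LAN side is the
# "internal" interface and the far end of the tunnel serves 192.168.1.0/24.
# Route the remote network via the tunnel interface, otherwise traffic
# follows the default route out wan1 in the clear.
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "tunnelname"
    next
end

# 1) Internal ---> Tunnel
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "tunnelname"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
# 2) Tunnel ---> Internal
    edit 0
        set srcintf "tunnelname"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

On FortiOS 4.x the catch-all service object is named "ANY" instead of "ALL". The remote gateway needs the mirror image (local-gw and remote-gw swapped, tunnel IP 1.1.1.1, route back to the local LAN). Because GRE carries no authentication or encryption, keep "all"/"all" only as a starting point and narrow srcaddr/dstaddr to the two LANs once the tunnel passes a ping.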

Configure MRTG Settings

First confirm the device answers SNMP with the community string you intend to use:

    /usr/bin/snmpwalk -v 2c -c <<snmp_string>> <<ip>>

Generate the MRTG configuration for the device:

    cfgmaker --global 'WorkDir: /var/www/mrtg' --global 'Options[_]: bits,growright' --output /etc/mrtg/<<ip>>.cfg <<snmp_string>>@<<ip>>

Build the index page:

    perl /usr/bin/indexmaker --output /var/www/mrtg/<sitename>.htm /etc/mrtg/<<ip>>.cfg

Run MRTG once by hand to check for errors (the first two runs normally warn about missing log files):

    LANG=C /usr/bin/mrtg /etc/mrtg/<<ip>>.cfg

Then schedule it from cron:

    crontab -e
    * * * * * LANG=C /usr/bin/mrtg /etc/mrtg/<<ip>>.cfg >/dev/null 2>&1
    :wq

MRTG assumes a five-minute polling interval unless `Interval` is set in the config, so `*/5 * * * *` is the usual schedule; running it every minute only works if the config is adjusted to match. The community string ends up in plain text in /etc/mrtg/<<ip>>.cfg, so use a read-only community, restrict it to the MRTG host's address on the device, and keep the file unreadable by other users.

Fortigate Useful Commands

1.0 Check the basic settings and firewall states
    Check the system status
    Check the hardware performance
    Check the High Availability state
    Check the session table of the firewall
2.0 Check the interface settings
    Check the state, speed, duplex and IP of the interfaces
    Check the ARP table
3.0 Check the routing table
    Check the matching route
4.0 VPN troubleshooting
    Change the tunnel state
    Check the tunnel state
    Check packet counters for the tunnel
5.0 Sniffer
6.0 View logging on the CLI
    Configure logging
    Viewing the logs
7.0 Backup and restore

=========================================================

1.0 Check the basic settings and firewall states

Check the system status to see the actual software version, operational mode, HA, etc. and the system time:

    myfirewall1 # get sys status
    Version: Fortigate-50B v4.0,build0535,120511 (MR3 Patch 7)
    Virus-DB: 14.00000(2011-08-24 17:17)
    Extended DB: 14.00000(2011-08-24 17:09
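The outline above, filled in with one command per item as an added reference (this is not the rest of the original post, which is cut off after the `get sys status` output). All addresses, file names and the phase-2 name are assumed placeholders.

```fortios
# Added example (not from the original post). 192.0.2.10 is an assumed host
# of interest, 192.0.2.50 an assumed TFTP server, <phase2-name> your phase-2.
# 1.0 basic settings and state
get system status
get system performance status
get system ha status
diagnose sys session stat
diagnose sys session filter dst 192.0.2.10
diagnose sys session list
diagnose sys session filter clear
# 2.0 interfaces (state, speed, duplex, IP) and ARP
get system interface physical
get system arp
# 3.0 routing table and the route a given destination actually matches
get router info routing-table all
get router info routing-table details 192.0.2.10
# 4.0 VPN: change state, check state, check packet counters
diagnose vpn tunnel down <phase2-name>
diagnose vpn tunnel up <phase2-name>
diagnose vpn ike gateway list
diagnose vpn tunnel list
# 5.0 sniffer: 'any' captures on all interfaces, verbosity 4 adds the
#     interface name to each packet, 100 is the packet count limit
diagnose sniffer packet any 'host 192.0.2.10' 4 100
# 6.0 logging: enable disk logging, then filter and display traffic logs
config log disk setting
    set status enable
end
execute log filter category 0
execute log display
# 7.0 backup and restore via TFTP
execute backup config tftp fw-backup.conf 192.0.2.50
execute restore config tftp fw-backup.conf 192.0.2.50
```

Always clear the session filter (`diagnose sys session filter clear`) when done, otherwise later `session list` output is silently limited to the old filter. The backup file carries the encrypted-at-rest admin and VPN secrets, so transfer it over TFTP only on a management network and remove it from the TFTP server afterwards.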