Channel: Fortinet – Weberblog.net

IPsec Site-to-Site VPN FortiGate FRITZ!Box

S2S VPN FortiGate - FritzBox

Here is a short guide on how to set up a site-to-site VPN between a FortiGate firewall and an AVM FRITZ!Box. I show the FortiGate configuration with screenshots, while for the FRITZ!Box I provide a template of the *.cfg configuration file.

Lab

My lab looked like this:

S2S VPN FortiGate - FritzBox Laboratory

The FRITZ!Box is a 7390 running FRITZ!OS 06.30, while the Fortinet firewall is a FortiWiFi 90D running version 5.2.2. As is common on the Internet, the FortiGate has a static IP address (although 1:1 NATed), while the FRITZ!Box sits behind a dynamic IP. Thanks to a dynamic DNS service, at least an FQDN is available for the FRITZ!Box.

A very handy feature of FortiOS is that IKE main mode can be used even when the remote peer only has a dynamic IP (with a DynDNS name). That is: aggressive mode is not needed to build the VPN, and above all the tunnel can also be initiated by the FortiGate itself. (Exactly comparable to the Juniper SSG, which can do the same, see here.)

FortiGate

The following steps are needed on the FortiGate side. The captions below the screenshots give further details:

  • New VPN tunnel. The remote gateway is "Dynamic DNS".
  • Enter the PSK and select main mode (despite the dynamic IP). In this example, phase 1 uses AES256, SHA1 and DH group 14.
  • The "Local ID" just has to be filled in and must match the FRITZ!Box configuration file.
  • For phase 2, the local and remote networks must be entered, along with the crypto protocols.
  • If you work with zones on the FortiGate (recommended!): assign the new interface to the appropriate zone, here "vpn-s2s".
  • Finally, create a static route to the destination network pointing to the tunnel interface, and create the firewall policies accordingly.

FRITZ!Box

For the FRITZ!Box, the following template must be adapted. The lines that must be changed (highlighted in yellow in the original post) are the site-specific values: remoteip, localid, remoteid, key, the phase 2 networks and the accesslist. The proposals for phase 1 and 2 can of course be chosen differently, as long as the counterpart on the FortiGate matches (see here for more details on the FRITZ!Box proposals).

Note: This template differs in one small detail from practically all other templates on my blog: both localid and remoteid are of type "fqdn". In many other examples I used type "ipaddr" for the remoteid. Unfortunately this cannot be configured on the FortiGate, because it sends a string as its ID even when an IP address is used. Therefore the fqdn type is mandatory on the FRITZ!Box.

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "fortigate-vpn";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 80.154.108.233;
                remote_virtualip = 0.0.0.0;
                localid {
                        fqdn = "fritzbox.webernetz.net";
                }
                remoteid {
                        fqdn = "blubb";
                }
                mode = phase1_mode_idp;
                phase1ss = "dh14/aes/sha";
                keytype = connkeytype_pre_shared;
                key = "RX-2RUz2UKpFiPXi6B6DJss5TWbW-DzvTMwc";
                cert_do_server_auth = no;
                use_nat_t = no;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.29.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.161.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
                accesslist = "permit ip any 192.168.161.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
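Since the only things that must agree between the two boxes are a handful of strings and numbers, it is worth checking them mechanically before the first IKE attempt. The following Python script is an added example, not part of the original post and not AVM or Fortinet code: it parses a FRITZ!Box vpncfg block like the template above and cross-checks it against the phase 1/2 values set on the FortiGate side of this post (main mode, AES256/SHA1/DH14, Local ID "blubb", PFS, the two /24 networks). The FORTIGATE dict and its key names are my own way of writing down the GUI settings from the screenshots, and the reading of the proposal strings (dh14/aes/sha; esp-<ciphers>-<hash>/.../pfs) follows the format used in the template. It also flags 3DES still being offered in phase 2 and NAT-T being disabled, which a reviewer would want to see before signing off on the tunnel.

```python
"""Cross-check a FRITZ!Box vpncfg connection against the FortiGate phase 1/2
settings it has to mirror. Added example, not AVM or Fortinet code."""
import ipaddress
import re

# Constructed copy of the template from this post (PSK and fixed values trimmed).
FRITZBOX_CFG = '''
vpncfg {
        connections {
                remoteip = 80.154.108.233;
                localid {
                        fqdn = "fritzbox.webernetz.net";
                }
                remoteid {
                        fqdn = "blubb";
                }
                mode = phase1_mode_idp;
                phase1ss = "dh14/aes/sha";
                use_nat_t = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.29.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.161.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
'''

# FortiGate side as set in the post's screenshots (assumed dict layout, my own
# key names): main mode, AES256/SHA1/DH14, Local ID "blubb", phase 2 with PFS.
FORTIGATE = {
    "localid": "blubb", "main_mode": True, "dhgrp": 14, "hash": "sha", "pfs": True,
    "src_subnet": ipaddress.ip_network("192.168.161.0/24"),   # local on the FortiGate
    "dst_subnet": ipaddress.ip_network("192.168.29.0/24"),    # remote (FRITZ!Box LAN)
}

TOKEN = re.compile(r'(?P<open>\w+)\s*\{|(?P<close>\})|(?P<key>\w+)\s*=\s*(?P<val>[^;]*);')

def parse_vpncfg(text):
    """Parse the brace / `key = value;` syntax of a FRITZ!Box *.cfg into nested dicts."""
    root = {}
    stack = [root]
    for m in TOKEN.finditer(text):
        if m.group("open"):
            block = {}
            stack[-1][m.group("open")] = block
            stack.append(block)
        elif m.group("close"):
            stack.pop()
        else:
            # Quoted values: one string, or a list when comma separated (ike_forward_rules).
            strings = re.findall(r'"([^"]*)"', m.group("val"))
            value = m.group("val").strip() if not strings else (strings[0] if len(strings) == 1 else strings)
            stack[-1][m.group("key")] = value
    return root

def ipnet(block):
    return ipaddress.ip_network(f"{block['ipnet']['ipaddr']}/{block['ipnet']['mask']}")

def check_connection(cfg_text, fg):
    """Return ERROR/WARN/INFO strings; no ERROR means the FRITZ!Box values line up with `fg`."""
    conn = parse_vpncfg(cfg_text)["vpncfg"]["connections"]
    out = []
    # The FortiGate sends its Local ID as a string even if it looks like an IP, so the
    # FRITZ!Box remoteid must be of type fqdn and carry exactly that string.
    rid = conn.get("remoteid", {})
    if "fqdn" not in rid:
        out.append("ERROR: remoteid must be of type fqdn (the FortiGate sends a string ID)")
    elif rid["fqdn"] != fg["localid"]:
        out.append(f"ERROR: remoteid fqdn {rid['fqdn']!r} != FortiGate Local ID {fg['localid']!r}")
    # phase1_mode_idp is main mode (identity protection); the alternative is aggressive mode.
    if fg["main_mode"] != (conn.get("mode") == "phase1_mode_idp"):
        out.append("ERROR: IKE phase 1 mode differs between the two sides")
    p1 = conn["phase1ss"].split("/")                      # "dh<group>/<cipher>/<hash>"
    if f"dh{fg['dhgrp']}" not in p1 or fg["hash"] not in p1:
        out.append(f"ERROR: phase1ss {conn['phase1ss']!r} does not offer dh{fg['dhgrp']}/{fg['hash']}")
    p2 = conn["phase2ss"].split("/")                      # "esp-<ciphers>-<hash>/ah-../comp-../[pfs]"
    if "3des" in p2[0].split("-")[1:]:
        out.append("WARN: phase2ss still offers 3DES; drop it unless the peer really needs it")
    if fg["pfs"] != ("pfs" in p2):
        out.append("ERROR: PFS is enabled on one side only")
    # Selectors are mirrored: the FRITZ!Box local net is the FortiGate's remote (dst) net.
    for side, want in (("phase2localid", fg["dst_subnet"]), ("phase2remoteid", fg["src_subnet"])):
        if ipnet(conn[side]) != want:
            out.append(f"ERROR: {side} {ipnet(conn[side])} != FortiGate {want}")
    if conn.get("use_nat_t") == "no":
        out.append("INFO: NAT-T disabled; the 1:1 NAT in front of the FortiGate must pass raw ESP")
    return out
```

Run it against your own *.cfg before uploading it to the FRITZ!Box; the checks are deliberately strict about the remoteid type because that is the one mismatch that produces nothing but a silent phase 1 failure on the FortiGate.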

 

It works …

when the light is green. 😉

FortiGate IPsec Monitor FRITZ!Box VPN

If you want more information on the VPN connection, the following commands on the FortiGate show the details, for example:

fd-wv-fw04 # get vpn ike gateway fritzbox

vd: root/0
name: fritzbox
version: 1
interface: wan1 6
addr: 172.16.1.6:500 -> 77.1.138.66:500
created: 1484s ago
peer-id: fritzbox.webernetz.net
peer-auth: no
IKE SA  created: 1/1  established: 1/1  time: 2260/2260/2260 ms
IPsec SA  created: 1/1  established: 1/1  time: 2190/2190/2190 ms

  id/spi: 27873 c0946dbb7e367bbf/98f5902234833225
  direction: initiator
  status: established 1484-1482s ago = 2260ms
  proposal: aes-256-sha1
  key: c24d006dcddd88db-561bdd168fb5ece9-fd87c497587cb16c-b0ccbb1302b38310
  lifetime/rekey: 3600/1817
  DPD sent/recv: 00016e13/00000000

fd-wv-fw04 #
fd-wv-fw04 #
fd-wv-fw04 # get vpn ipsec tunnel name fritzbox

gateway
  name: 'fritzbox'
  type: route-based
  local-gateway: 172.16.1.6:0 (static)
  remote-gateway: 77.1.138.66:0 (static)
  mode: ike-v1
  interface: 'wan1' (6)
  rx  packets: 2  bytes: 236  errors: 0
  tx  packets: 2  bytes: 168  errors: 3
  dpd: enabled/negotiated  idle: 5000ms  retry: 3  count: 0
  selectors
    name: 'fritzbox'
    auto-negotiate: disable
    mode: tunnel
    src: 0:192.168.161.0/255.255.255.0:0
    dst: 0:192.168.29.0/255.255.255.0:0
    SA
      lifetime/rekey: 3600/2121
      mtu: 1438
      tx-esp-seq: 3
      replay: enabled
      inbound
        spi: c97b3074
        enc:     aes  2cdc2d66d55ce60a9d0653e47045dc09495210ff01e4e164317407d19d8abd12
        auth:   sha1  a18c972688001670905a0de1d85e6383e79d4aad
      outbound
        spi: 4e200a54
        enc:     aes  d7a420011bf1b1e7408915e60a02e9eed4fdee6124bd9266d43a5e2f4e3f4ea2
        auth:   sha1  58f2788cf82545e5938a95fd421f5ab9828505b3
      NPU acceleration: encryption(outbound) decryption(inbound)

fd-wv-fw04 #
fd-wv-fw04 #
fd-wv-fw04 # get router info routing-table static
S*      0.0.0.0/0 [10/0] via 172.16.1.1, wan1
S       192.168.29.0/24 [10/0] is directly connected, fritzbox
S       192.168.121.0/24 [10/0] is directly connected, fd-wv-fw02
S       192.168.131.0/24 [10/0] is directly connected, fd-wv-fw03

 


Policy Routing on a FortiGate Firewall

FortiGate Policy Route featured image

This is a small example of how to configure policy routes (also known as policy-based forwarding or policy-based routing) on a Fortinet firewall, which is really simple. Only one single configuration page and you're done. 😉

(Compared to my other PBR/PBF tutorials for Juniper ScreenOS and Palo Alto Networks, only one screenshot is needed to explain the policy route. OK, it is not that flexible, but easy.)

In my lab, I have a static default route to the wan1 interface. On the wan2 interface, there is a simple DSL connection to the Internet which shall be used for http/https traffic from the users. That is: everything from the users' IP segment (192.168.161.0/24) to the destination ports 80 and 443 shall be forwarded to this DSL connection. But an exemption is still needed: if the destination is on the internal LAN, the connection must not be policy routed. (Of course, appropriate firewall policies must be in place, too. And since policy routes are evaluated top-down with the first match winning, the exemption for the internal networks has to be listed above the two wan2 entries.) The configuration is done under Router -> Static -> Policy Routes:

  • From the fg-trust2 network (192.168.161.0/24) to any on TCP port 80: forward to the wan2 connection.
  • Anything to other inside (private) networks must NOT be forwarded.
  • Overview of the three policies: only TCP ports 80 and 443 are policy forwarded.

That's it. In the Forward Traffic Log it is easy to see which destination interface is used, depending on the destination port:

Forward Traffic Log with Destination Interface.

OSPFv3 for IPv6 Lab: Cisco, Fortinet, Juniper, Palo Alto, Quagga

OSPFv3 Lab Featured Image

Similar to my test lab for OSPFv2, I am testing OSPFv3 for IPv6 with the following devices: Cisco ASA, Cisco Router, Fortinet FortiGate, Juniper SSG, Palo Alto, and Quagga Router. I am showing my lab network diagram and the configuration commands/screenshots for all devices. Furthermore, I am listing some basic troubleshooting commands. In the last section, I provide a Tcpdump/Wireshark capture of an initial OSPFv3 run.

I am not going into deep details of OSPFv3 at all. But this lab should give basic hints/examples for configuring OSPFv3 on all of the listed devices.

Lab

This is my test lab. All devices are directly connected via a layer 2 switch:

OSPFv3 Lab

General Information

  • Everything takes place in area 0.0.0.0 (backbone area).
  • Juniper SSG should be the DR: interface priority set to 100.
  • Palo Alto should be the BDR: interface priority set to 50.
  • Caveat: in the neighbor tables captured below, 172.16.1.2 is the DR and 172.16.1.5 (the Cisco router, priority 1) is the BDR, while the SSG with priority 100 is a DROther. DR/BDR election is not preemptive: a router that joins the segment with a higher priority does not replace the elected DR until that DR leaves.
  • Router ID is always set manually according to my IPv4 scheme: 172.16.1.x, where x = the interface ID from the IPv6 addresses (from ::1 to ::6).
  • Cost for the interfaces as seen in the figure.
  • Passive-interface on all user/access interfaces.
  • Redistribution of the remote access VPN clients on the Cisco ASA (AnyConnect).
  • No authentication is used. (OSPFv3 has no authentication field of its own; it relies on IPsec AH/ESP per RFC 4552 or the authentication trailer of RFC 7166, which is why the ASA interface config below reads "ipv6 ospf encryption null".)

The following devices are in alphabetical order. Beneath each screenshot is a detailed description of the configuration that is shown.

During the tests, a single Cisco AnyConnect client was connected and therefore redistributed with a /128 IPv6 address prefix. The Quagga router was added to this lab after most of the listings were saved. That is: The Quagga router (172.16.1.8) is not shown on any other firewalls/routers.
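The neighbor tables in the listings below are easy to misread: a DROther legitimately stays in 2-Way with other DROthers, and the DR is not the router with the highest priority. The following Python script is an added example, not part of the original post and not vendor code. It parses the neighbor tables as printed by Cisco IOS/ASA, FortiOS and ScreenOS (three captures from this lab are embedded as constructed sample input), infers the local router's role from the role that no neighbor reports, and checks that there is exactly one DR and one BDR, that both are FULL, that every DROther is in the state expected from the local router's point of view, and it notes when a neighbor carries a higher priority than the current DR. The ScreenOS role is derived from the Nbr-saw-DR / Nbr-saw-BDR columns, since that table has no role column.

```python
"""Check OSPFv3 neighbor tables as printed by Cisco IOS/ASA, FortiOS and ScreenOS:
exactly one DR and one BDR, FULL adjacency with both, the expected state for
DROthers, and a note when the DR is not the highest-priority router.
Added example, not vendor code."""
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Cisco IOS/ASA and FortiOS rows: "<id>  <pri>  <state>/<role> ..." (spacing and case vary)
ROW_STATE_ROLE = re.compile(rf"^\s*{IP}\s+(\d+)\s+([\w-]+)/(\w+)", re.M)
# ScreenOS rows: "<id>  <saw-DR>  <saw-BDR>  <if-id>  <opts>  <pri>  <state>"
ROW_SCREENOS = re.compile(rf"^{IP}\s+{IP}\s+{IP}\s+0x\w+\s+\S+\s+(\d+)\s+(\w+)", re.M)

def parse_neighbors(text):
    """Return {router_id: {'pri': int, 'state': 'FULL'|'2WAY'|..., 'role': 'DR'|'BDR'|'DROTHER'}}."""
    nbrs = {}
    for rid, pri, state, role in ROW_STATE_ROLE.findall(text):
        role = role.upper()
        nbrs[rid] = {"pri": int(pri), "state": state.replace("-", "").upper(),
                     "role": "BDR" if role == "BACKUP" else role}
    for rid, saw_dr, saw_bdr, pri, state in ROW_SCREENOS.findall(text):
        role = "DR" if rid == saw_dr else "BDR" if rid == saw_bdr else "DROTHER"
        nbrs[rid] = {"pri": int(pri), "state": state.upper(), "role": role}
    return nbrs

def local_role(nbrs):
    """On one broadcast segment, the role no neighbor reports is held by the local router."""
    roles = {n["role"] for n in nbrs.values()}
    return "DR" if "DR" not in roles else "BDR" if "BDR" not in roles else "DROTHER"

def audit(nbrs):
    """Return ERROR/NOTE strings; no ERROR means the segment looks healthy from this router."""
    out, me = [], local_role(nbrs)
    for role in ("DR", "BDR"):
        ids = [i for i, n in nbrs.items() if n["role"] == role]
        if len(ids) > 1:
            out.append(f"ERROR: {len(ids)} neighbors claim to be {role}: {ids}")
    for rid, n in sorted(nbrs.items()):
        # DR and BDR form full adjacencies with everyone; two DROthers stay in 2-Way.
        want = "FULL" if n["role"] != "DROTHER" or me != "DROTHER" else "2WAY"
        if n["state"] != want:
            out.append(f"ERROR: {rid} ({n['role']}) is {n['state']}, expected {want}")
    dr = [i for i, n in nbrs.items() if n["role"] == "DR"]
    if dr:
        dr_pri = nbrs[dr[0]]["pri"]
        higher = [i for i, n in nbrs.items() if n["pri"] > dr_pri]
        if higher:
            out.append(f"NOTE: {higher} have a higher priority than DR {dr[0]} (pri {dr_pri}); "
                       "DR election is not preemptive, the DR stays until it leaves the segment")
    return out

# Constructed copies of three neighbor tables captured in this post.
FORTIGATE_NBR = """\
Neighbor ID     Pri   State           Dead Time   Interface  Instance ID
172.16.1.1      100   2-Way/DROther   00:00:36    wan1       0
172.16.1.2       50   Full/DR         00:00:31    wan1       0
172.16.1.3        1   2-Way/DROther   00:00:32    wan1       0
172.16.1.5        1   Full/Backup     00:00:37    wan1       0
"""
CISCO_NBR = """\
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
172.16.1.1      100   FULL/DROTHER    00:00:35    880             FastEthernet0/0
172.16.1.2       50   FULL/DR         00:00:32    16              FastEthernet0/0
172.16.1.3        1   FULL/DROTHER    00:00:38    14              FastEthernet0/0
172.16.1.6        1   FULL/DROTHER    00:00:30    6               FastEthernet0/0
"""
SCREENOS_NBR = """\
RouterId        Nbr-saw-DR      Nbr-saw-BDR     Nbr-If-Id  Opt      Pri State   (Down, Up)
172.16.1.3      172.16.1.2      172.16.1.5      0x0000000e --V6|E|R 1   2WAY    (+2    -0)
172.16.1.6      172.16.1.2      172.16.1.5      0x00000006 --V6|E|R 1   2WAY    (+2    -0)
172.16.1.2      172.16.1.2      172.16.1.5      0x00000010 --V6|E|R 50  FULL    (+6    -0)
172.16.1.5      172.16.1.2      172.16.1.5      0x00000003 --V6|E|R 1   FULL    (+6    -0)
"""

if __name__ == "__main__":
    for name, table in (("FortiGate", FORTIGATE_NBR), ("Cisco", CISCO_NBR), ("ScreenOS", SCREENOS_NBR)):
        nbrs = parse_neighbors(table)
        print(f"{name}: local role {local_role(nbrs)}, findings {audit(nbrs)}")
```

Paste the output of `show ipv6 ospf neighbor`, `get router info6 ospf neighbor` or `get vrouter trust-vr protocol ospfv3 neighbor` in place of the sample tables; the script only looks at rows that start with a router ID, so headers and prompts can stay in.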

Cisco ASA

The Cisco ASA 5505 is running version 9.2(4). Following are the configuration and monitoring screenshots:

  • Enable OSPFv3.
  • Advanced section.
  • Add area 0.0.0.0.
  • Enable OSPFv3 on this interface. No authentication is used.
  • Redistribution of "Static" for the AnyConnect remote access VPN client IPv6 addresses.
  • Monitoring the OSPFv3 neighbors.
  • Router LSAs. Network LSAs. AS External LSAs. Link LSAs. Intra Area Prefix LSAs.
  • Routing table (only OSPF routes are shown).
  • Routing table incl. the static IPv6 route to the currently connected VPN client.

These are the relevant CLI commands for the OSPFv3 config:

interface Vlan130
 ipv6 address 2003:51:6012:130::1/64
 ipv6 address autoconfig
 ipv6 enable
 ipv6 ospf cost 100
 ipv6 ospf 1 area 0
 ipv6 ospf encryption null
!
ipv6 router ospf 1
 router-id 172.16.1.3
 passive-interface insideASA130
 passive-interface insideASA131
 log-adjacency-changes
 redistribute static metric 1000
!

While these CLI commands show the OSPFv3 runtime values:

fd-wv-fw03# show ipv6 ospf

 Routing Process "ospfv3 1" with ID 172.16.1.3
 Event-log enabled, Maximum number of events: 1000, Mode: cyclic
 It is an autonomous system boundary router
 Redistributing External Routes from,
    static with metric 1000
 Initial SPF schedule delay 5000 msecs
 Minimum hold time between two consecutive SPFs 10000 msecs
 Maximum wait time between two consecutive SPFs 10000 msecs
 Minimum LSA interval 5 secs
 Minimum LSA arrival 1000 msecs
 LSA group pacing timer 240 secs
 Interface flood pacing timer 33 msecs
 Retransmission pacing timer 66 msecs
 Number of external LSA 1. Checksum Sum 0x4dac
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 Graceful restart helper support disabled
 Reference bandwidth unit is 100 mbps
    Area BACKBONE(0)
        Number of interfaces in this area is 2
        SPF algorithm executed 11 times
        Number of LSA 19. Checksum Sum 0xa3f76
        Number of DCbitless LSA 6
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

fd-wv-fw03#
fd-wv-fw03#
fd-wv-fw03# show ipv6 ospf neighbor


Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
     172.16.1.1 100   2WAY/DROTHER    0:00:36                880 outside
     172.16.1.2 50    FULL/DR         0:00:34                 16 outside
     172.16.1.5 1     FULL/BDR        0:00:30                  3 outside
     172.16.1.6 1     2WAY/DROTHER    0:00:31                  6 outside
fd-wv-fw03#
fd-wv-fw03#
fd-wv-fw03# show ipv6 ospf database


            OSPFv3 Router with ID (172.16.1.3) (Process ID 1)

                Router Link States (Area 0)

ADV Router       Age         Seq#        Fragment ID  Link count  Bits
      172.16.1.1   1608      0x80000122             1           1 None
      172.16.1.2    636      0x80000124             0           1 E
      172.16.1.3   1461      0x80000102             0           1 E
      172.16.1.5     74      0x80000102             0           1 None
      172.16.1.6   1371      0x80000122             0           1 None

                Net Link States (Area 0)

ADV Router       Age         Seq#        Link ID    Rtr count
      172.16.1.2    634      0x80000122          16 5

                Link (Type-8) Link States (Area 0)

ADV Router       Age         Seq#        Link ID    Interface
      172.16.1.3    430      0x80000008          15 insideASA130
      172.16.1.1   1653      0x8000011d         880 outside
      172.16.1.2   1310      0x8000011e          16 outside
      172.16.1.3    945      0x80000101          14 outside
      172.16.1.5     74      0x80000101           3 outside
      172.16.1.6   1441      0x8000011d           6 outside

                Intra Area Prefix Link States (Area 0)

ADV Router       Age         Seq#        Link ID    Ref-lstype  Ref-LSID
      172.16.1.1   1648      0x80000242           1 0x2001      0
      172.16.1.2    637      0x80000124           1 0x2001      0
      172.16.1.2    629      0x80000129      458752 0x2002      16
      172.16.1.2    637      0x8000011f      589824 0x2002      257
      172.16.1.3    946      0x80000101           0 0x2001      0
      172.16.1.5   1327      0x80000006           0 0x2001      0
      172.16.1.6   1370      0x80000120           2 0x2001      0

                Type-5 AS External Link States

ADV Router       Age         Seq#       Prefix
      172.16.1.3    606      0x80000001  2003:51:6012:133:feed:cafe:0:10/128
fd-wv-fw03#
fd-wv-fw03#
fd-wv-fw03# show ipv6 ospf database self-originate


            OSPFv3 Router with ID (172.16.1.3) (Process ID 1)

                Router Link States (Area 0)

ADV Router       Age         Seq#        Fragment ID  Link count  Bits
      172.16.1.3   1495      0x80000102             0           1 E

                Link (Type-8) Link States (Area 0)

ADV Router       Age         Seq#        Link ID    Interface
      172.16.1.3    464      0x80000008          15 insideASA130
      172.16.1.3    979      0x80000101          14 outside

                Intra Area Prefix Link States (Area 0)

ADV Router       Age         Seq#        Link ID    Ref-lstype  Ref-LSID
      172.16.1.3    979      0x80000101           0 0x2001      0

                Type-5 AS External Link States

ADV Router       Age         Seq#       Prefix
      172.16.1.3    639      0x80000001  2003:51:6012:133:feed:cafe:0:10/128
fd-wv-fw03#
fd-wv-fw03#

 

Cisco Router

I am running a Cisco 2811 router with version 15.1(4)M9. The configuration commands are the following: (Just for fun I set the OSPF process to “17”.)

interface FastEthernet0/0
 ipv6 address 2003:51:6012:101::5/64
 ipv6 enable
 ipv6 nd ra suppress
 ipv6 ospf 17 area 0.0.0.0
!
interface FastEthernet0/1
 ipv6 address 2003:61:6012:102::1/64
 ipv6 enable
 ipv6 ospf 17 area 0.0.0.0
!
ipv6 router ospf 17
 router-id 172.16.1.5
 auto-cost reference-bandwidth 10000
 passive-interface default
 no passive-interface FastEthernet0/0

And the show commands:

fd-wv-ro03#show ipv6 ospf
 Routing Process "ospfv3 17" with ID 172.16.1.5
 Event-log enabled, Maximum number of events: 1000, Mode: cyclic
 Initial SPF schedule delay 5000 msecs
 Minimum hold time between two consecutive SPFs 10000 msecs
 Maximum wait time between two consecutive SPFs 10000 msecs
 Minimum LSA interval 5 secs
 Minimum LSA arrival 1000 msecs
 LSA group pacing timer 240 secs
 Interface flood pacing timer 33 msecs
 Retransmission pacing timer 66 msecs
 Number of external LSA 1. Checksum Sum 0x004DAC
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 Graceful restart helper support enabled
 Reference bandwidth unit is 10000 mbps
    Area BACKBONE(0.0.0.0)
        Number of interfaces in this area is 2
        SPF algorithm executed 23 times
        Number of LSA 19. Checksum Sum 0x098B75
        Number of DCbitless LSA 6
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

fd-wv-ro03#
fd-wv-ro03#
fd-wv-ro03#show ipv6 ospf neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
172.16.1.1      100   FULL/DROTHER    00:00:35    880             FastEthernet0/0
172.16.1.2       50   FULL/DR         00:00:32    16              FastEthernet0/0
172.16.1.3        1   FULL/DROTHER    00:00:38    14              FastEthernet0/0
172.16.1.6        1   FULL/DROTHER    00:00:30    6               FastEthernet0/0
fd-wv-ro03#
fd-wv-ro03#
fd-wv-ro03#show ipv6 ospf database

            OSPFv3 Router with ID (172.16.1.5) (Process ID 17)

                Router Link States (Area 0.0.0.0)

ADV Router       Age         Seq#        Fragment ID  Link count  Bits
 172.16.1.1      622         0x80000123  1            1           None
 172.16.1.2      1455        0x80000124  0            1           E
 172.16.1.3      243         0x80000103  0            1           E
 172.16.1.5      892         0x80000102  0            1           None
 172.16.1.6      389         0x80000123  0            1           None

                Net Link States (Area 0.0.0.0)

ADV Router       Age         Seq#        Link ID    Rtr count
 172.16.1.2      1453        0x80000122  16         5

                Link (Type-8) Link States (Area 0.0.0.0)

ADV Router       Age         Seq#        Link ID    Interface
 172.16.1.5      131         0x80000007  4          Fa0/1
 172.16.1.1      667         0x8000011E  880        Fa0/0
 172.16.1.2      330         0x8000011F  16         Fa0/0
 172.16.1.3      1766        0x80000101  14         Fa0/0
 172.16.1.5      892         0x80000101  3          Fa0/0
 172.16.1.6      459         0x8000011E  6          Fa0/0

                Intra Area Prefix Link States (Area 0.0.0.0)

ADV Router       Age         Seq#        Link ID    Ref-lstype  Ref-LSID
 172.16.1.1      662         0x80000244  1          0x2001      0
 172.16.1.2      1455        0x80000124  1          0x2001      0
 172.16.1.2      1448        0x80000129  458752     0x2002      16
 172.16.1.2      1455        0x8000011F  589824     0x2002      257
 172.16.1.3      1766        0x80000101  0          0x2001      0
 172.16.1.5      131         0x80000007  0          0x2001      0
 172.16.1.6      388         0x80000121  2          0x2001      0

                Type-5 AS External Link States

ADV Router       Age         Seq#       Prefix
 172.16.1.3      1426        0x80000001  2003:51:6012:133:FEED:CAFE:0:10/128
fd-wv-ro03#
fd-wv-ro03#
fd-wv-ro03#show ipv6 ospf database self-originate

            OSPFv3 Router with ID (172.16.1.5) (Process ID 17)

                Router Link States (Area 0.0.0.0)

ADV Router       Age         Seq#        Fragment ID  Link count  Bits
 172.16.1.5      898         0x80000102  0            1           None

                Link (Type-8) Link States (Area 0.0.0.0)

ADV Router       Age         Seq#        Link ID    Interface
 172.16.1.5      137         0x80000007  4          Fa0/1
 172.16.1.5      898         0x80000101  3          Fa0/0

                Intra Area Prefix Link States (Area 0.0.0.0)

ADV Router       Age         Seq#        Link ID    Ref-lstype  Ref-LSID
 172.16.1.5      137         0x80000007  0          0x2001      0
fd-wv-ro03#
fd-wv-ro03#
fd-wv-ro03#show ipv6 route
IPv6 Routing Table - default - 15 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, NM - NEMO, ND - Neighbor Discovery
       l - LISP
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   ::/0 [1/0]
     via 2003:51:6012:101::1
C   2003:51:6012:101::/64 [0/0]
     via FastEthernet0/0, directly connected
L   2003:51:6012:101::5/128 [0/0]
     via FastEthernet0/0, receive
O   2003:51:6012:110::/64 [110/200]
     via FE80::219:E2FF:FEA1:F98A, FastEthernet0/0
O   2003:51:6012:120::/64 [110/110]
     via FE80::B60C:25FF:FE05:8E10, FastEthernet0/0
O   2003:51:6012:121::/64 [110/110]
     via FE80::B60C:25FF:FE05:8E10, FastEthernet0/0
O   2003:51:6012:123::/64 [110/110]
     via FE80::B60C:25FF:FE05:8E10, FastEthernet0/0
O   2003:51:6012:124::/64 [110/110]
     via FE80::B60C:25FF:FE05:8E10, FastEthernet0/0
O   2003:51:6012:125::/64 [110/110]
     via FE80::B60C:25FF:FE05:8E10, FastEthernet0/0
O   2003:51:6012:130::/64 [110/200]
     via FE80::2A94:FFF:FEA8:772D, FastEthernet0/0
OE2 2003:51:6012:133:FEED:CAFE:0:10/128 [110/1000]
     via FE80::2A94:FFF:FEA8:772D, FastEthernet0/0
O   2003:51:6012:160::/64 [110/200]
     via FE80::A5B:EFF:FE3C:115D, FastEthernet0/0
C   2003:61:6012:102::/64 [0/0]
     via FastEthernet0/1, directly connected
L   2003:61:6012:102::1/128 [0/0]
     via FastEthernet0/1, receive
L   FF00::/8 [0/0]
     via Null0, receive
fd-wv-ro03#
fd-wv-ro03#

 

Fortinet FortiGate

Unfortunately the FortiGate has no possibility to configure anything of OSPFv3 via the GUI. Everything must be done via the CLI. (And this is called a “Next-Generation Firewall”???)

These are the configuration commands for my lab:

config router ospf6
    set auto-cost-ref-bandwidth 10000
    set router-id 172.16.1.6
    config area
        edit 0.0.0.0
        next
    end
    config ospf6-interface
        edit "wan1"
            set interface "wan1"
        next
        edit "fg-trust"
            set interface "fg-trust"
        next
    end
    set passive-interface "fg-trust"
end

And the following shows the get commands:

fd-wv-fw04 # get router info6 ospf status
 Routing Process "OSPFv3 (*null*)" with ID 172.16.1.6
 Process uptime is 50 days 22 hours 5 minutes
 SPF schedule delay 5 secs, Hold time between SPFs 10 secs
 Minimum LSA interval 5 secs, Minimum LSA arrival 1 secs
 Number of incomming current DD exchange neighbors 0/5
 Number of outgoing current DD exchange neighbors 0/5
 Number of external LSA 1. Checksum Sum 0x4BAD
 Number of AS-Scoped Unknown LSA 0
 Number of LSA originated 23
 Number of LSA received 37398
 Number of areas in this router is 2
    Area BACKBONE(0)
        Number of interfaces in this area is 2(2)
        SPF algorithm executed 15 times
        Number of LSA 13.  Checksum Sum 0x5C289
        Number of Unknown LSA 0
    Area 0.0.0.51 (Inactive)
        Number of interfaces in this area is 0(0)
        SPF algorithm executed 33 times
        Number of LSA 0.  Checksum Sum 0x0000
        Number of Unknown LSA 0



fd-wv-fw04 #
fd-wv-fw04 #
fd-wv-fw04 # get router info6 ospf neighbor
OSPFv3 Process (*null*)
Neighbor ID     Pri   State           Dead Time   Interface  Instance ID
172.16.1.1      100   2-Way/DROther   00:00:36    wan1       0
172.16.1.2       50   Full/DR         00:00:31    wan1       0
172.16.1.3        1   2-Way/DROther   00:00:32    wan1       0
172.16.1.5        1   Full/Backup     00:00:37    wan1       0


fd-wv-fw04 #
fd-wv-fw04 #
fd-wv-fw04 # get router info6 ospf database

            OSPFv3 Router with ID (172.16.1.6) (Process *null*)

                Link-LSA (Interface wan1)

Link State ID   ADV Router      Age  Seq#       CkSum  Prefix
0.0.3.112       172.16.1.1      1496 0x8000011e 0x6247      1
0.0.0.16        172.16.1.2      1158 0x8000011f 0x4293      1
0.0.0.14        172.16.1.3       578 0x80000102 0xf084      1
0.0.0.3         172.16.1.5      1722 0x80000101 0xf2b9      1
0.0.0.6         172.16.1.6      1287 0x8000011e 0xf486      1

                Link-LSA (Interface fg-trust)

Link State ID   ADV Router      Age  Seq#       CkSum  Prefix
0.0.0.63        172.16.1.6      1261 0x8000011e 0xca19      1

                Router-LSA (Area 0.0.0.0)

Link State ID   ADV Router      Age  Seq#       CkSum    Link
0.0.0.1         172.16.1.1      1451 0x80000123 0x197c      1
0.0.0.0         172.16.1.2       484 0x80000125 0x2b24      1
0.0.0.0         172.16.1.3      1073 0x80000103 0x9562      1
0.0.0.0         172.16.1.5      1722 0x80000102 0xea19      1
0.0.0.0         172.16.1.6      1217 0x80000123 0x84d4      1

                Network-LSA (Area 0.0.0.0)

Link State ID   ADV Router      Age  Seq#       CkSum
0.0.0.16        172.16.1.2       482 0x80000123 0xb390

                Intra-Area-Prefix-LSA (Area 0.0.0.0)

Link State ID   ADV Router      Age  Seq#       CkSum  Prefix  Reference
0.0.0.1         172.16.1.1      1491 0x80000244 0x6d9e      2  Router-LSA
0.0.0.1         172.16.1.2       484 0x80000125 0x265e      5  Router-LSA
0.7.0.0         172.16.1.2       477 0x8000012a 0xb764      1  Network-LSA
0.9.0.0         172.16.1.2       484 0x80000120 0x4fc3      1  Network-LSA
0.0.0.0         172.16.1.3       578 0x80000102 0x972f      1  Router-LSA
0.0.0.0         172.16.1.5       961 0x80000007 0x518b      1  Router-LSA
0.0.0.2         172.16.1.6      1216 0x80000121 0x422d      1  Router-LSA

                AS-external-LSA

Link State ID   ADV Router      Age  Seq#       CkSum
0.0.0.0         172.16.1.3       321 0x80000002 0x4bad E2


fd-wv-fw04 #
fd-wv-fw04 #
fd-wv-fw04 # get router info6 ospf route
OSPFv3 Process (*null*)
Codes: C - connected, D - Discard, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2

   Destination                                   Metric
     Next-hop
C  2003:51:6012:101::/64                             10
     directly connected, wan1, Area 0.0.0.0
O  2003:51:6012:110::/64                            110
     via fe80::219:e2ff:fea1:f98a, wan1, Area 0.0.0.0
O  2003:51:6012:120::/64                             20
     via fe80::b60c:25ff:fe05:8e10, wan1, Area 0.0.0.0
O  2003:51:6012:121::/64                             20
     via fe80::b60c:25ff:fe05:8e10, wan1, Area 0.0.0.0
O  2003:51:6012:123::/64                             20
     via fe80::b60c:25ff:fe05:8e10, wan1, Area 0.0.0.0
O  2003:51:6012:124::/64                             20
     via fe80::b60c:25ff:fe05:8e10, wan1, Area 0.0.0.0
O  2003:51:6012:125::/64                             20
     via fe80::b60c:25ff:fe05:8e10, wan1, Area 0.0.0.0
O  2003:51:6012:130::/64                            110
     via fe80::2a94:fff:fea8:772d, wan1, Area 0.0.0.0
E2 2003:51:6012:133:feed:cafe:0:10/128          10/1000
     via fe80::2a94:fff:fea8:772d, wan1
C  2003:51:6012:160::/64                            100
     directly connected, fg-trust, Area 0.0.0.0
O  2003:61:6012:102::/64                            110
     via fe80::21a:6cff:fea1:2b98, wan1, Area 0.0.0.0

fd-wv-fw04 #
fd-wv-fw04 #

 

Furthermore, the GUI can at least show the routing table:

FortiGate Routing Monitor.

 

Juniper ScreenOS

My SSG 5 runs version 6.3.0r19. Unlike OSPF for IPv4, where the "enable" checkbox for each interface is inside the interface configuration section, OSPFv3 is configured entirely inside the virtual routers menu:

  • Set the Router ID. This must be done BEFORE any routing protocol is activated.
  • Create/edit the OSPFv3 instance.
  • Enable OSPFv3.
  • Add the area.
  • Add the interfaces. OSPFv3 MUST be enabled on each interface, too.
  • Enable OSPFv3 and set all other values such as cost, priority, or passive mode.
  • Screenshot of the routing table with various "O" protocol entries.

The config commands via the CLI are the following:

set vrouter trust-vr protocol ospfv3 enable
set vrouter trust-vr protocol ospfv3 area 0.0.0.0
set interface ethernet0/5.10 protocol ospfv3 area 0.0.0.0
set interface ethernet0/5.10 protocol ospfv3 passive
set interface ethernet0/5.10 protocol ospfv3 enable
set interface ethernet0/5.10 protocol ospfv3 cost 100
set interface ethernet0/6 protocol ospfv3 area 0.0.0.0
set interface ethernet0/6 protocol ospfv3 enable
set interface ethernet0/6 protocol ospfv3 priority 100
set interface ethernet0/6 protocol ospfv3 cost 100

And these are the get commands for displaying the runtime values:

fd-wv-fw01-> get vrouter trust-vr protocol ospfv3
VR: trust-vr RouterId: 172.16.1.1
----------------------------------
Status:                                 enabled
State:                                  internal router
Number of areas:                        1
Number of LSA(s):                       20
Number of AS-flooding-scope LSA(s):     1
Area 0.0.0.0
        Total number of interfaces is 2, Active number of interfaces is 2
        Intra-SPF algorithm executed 25 times
        Last Intra-SPF executed before 03:30:25
        Number of LSA(s) is 19

Inter-SPF algorithm executed: 27 times
Last Inter-SPF executed before 01:01:30
Extern-SPF algorithm executed: 28 times
Last Extern-SPF executed before 01:01:30
fd-wv-fw01->
fd-wv-fw01->
fd-wv-fw01-> get vrouter trust-vr protocol ospfv3 neighbor
VR: trust-vr RouterId: 172.16.1.1
----------------------------------
                Neighbor(s) on interface ethernet0/5.10 (Area 0.0.0.0)

                Neighbor(s) on interface ethernet0/6 (Area 0.0.0.0)
RouterId        Nbr-saw-DR      Nbr-saw-BDR     Nbr-If-Id  Opt      Pri State   (Down, Up)
------------------------------------------------------------------------------
172.16.1.3      172.16.1.2      172.16.1.5      0x0000000e --V6|E|R 1   2WAY    (+2    -0)
172.16.1.6      172.16.1.2      172.16.1.5      0x00000006 --V6|E|R 1   2WAY    (+2    -0)
172.16.1.2      172.16.1.2      172.16.1.5      0x00000010 --V6|E|R 50  FULL    (+6    -0)
172.16.1.5      172.16.1.2      172.16.1.5      0x00000003 --V6|E|R 1   FULL    (+6    -0)

fd-wv-fw01->
fd-wv-fw01->
fd-wv-fw01-> get vrouter trust-vr protocol ospfv3 database
VR: trust-vr RouterId: 172.16.1.1
----------------------------------


As-External-LSA
--------------------------------------------------------------------------------
Link-State-Id     Adv-Router-Id      Age      Sequence#    CheckSum
--------------------------------------------------------------------------------
0x00000000        172.16.1.3         1786     0x80000002   0x4bad


Router-LSA for area 0.0.0.0
--------------------------------------------------------------------------------
Link-State-Id     Adv-Router-Id      Age      Sequence#    CheckSum
--------------------------------------------------------------------------------
0x00000000        172.16.1.5         1169     0x80000103   0xe81a
0x00000000        172.16.1.6         884      0x80000124   0x82d5
0x00000001        172.16.1.1         1111     0x80000124   0x177d
0x00000000        172.16.1.3         516      0x80000104   0x9363
0x00000000        172.16.1.2         149      0x80000126   0x2925


Network-LSA for area 0.0.0.0
--------------------------------------------------------------------------------
Link-State-Id     Adv-Router-Id      Age      Sequence#    CheckSum
--------------------------------------------------------------------------------
0x00000010        172.16.1.2         147      0x80000124   0xb191


Intra-Area-Prefix-LSA for area 0.0.0.0
--------------------------------------------------------------------------------
Link-State-Id     Adv-Router-Id      Age      Sequence#    CheckSum
--------------------------------------------------------------------------------
0x00000000        172.16.1.5         417      0x80000008   0x4f8c
0x00000002        172.16.1.6         884      0x80000122   0x402e
0x00000001        172.16.1.1         1152     0x80000246   0x69a0
0x00000000        172.16.1.3         13       0x80000103   0x9530
0x00000001        172.16.1.2         150      0x80000126   0x245f
0x00070000        172.16.1.2         143      0x8000012b   0xb565
0x00090000        172.16.1.2         150      0x80000121   0x4dc4


Link-LSA for link ethernet0/5.10, area 0.0.0.0
--------------------------------------------------------------------------------
Link-State-Id     Adv-Router-Id      Age      Sequence#    CheckSum
--------------------------------------------------------------------------------
0x00000368        172.16.1.1         1157     0x8000011f   0xac59


Link-LSA for link ethernet0/6, area 0.0.0.0
--------------------------------------------------------------------------------
Link-State-Id     Adv-Router-Id      Age      Sequence#    CheckSum
--------------------------------------------------------------------------------
0x00000003        172.16.1.5         1171     0x80000102   0xf0ba
0x00000006        172.16.1.6         956      0x8000011f   0xf287
0x00000370        172.16.1.1         1158     0x8000011f   0x6048
0x0000000e        172.16.1.3         14       0x80000103   0xee85
0x00000010        172.16.1.2         826      0x80000120   0x4094

-----------------------
 printed 20 LSA(s).
fd-wv-fw01->
fd-wv-fw01->
fd-wv-fw01-> get vrouter trust-vr protocol ospfv3 database self-originate
VR: trust-vr RouterId: 172.16.1.1
----------------------------------


Router-LSA for area 0.0.0.0
--------------------------------------------------------------------------------
Link-State-Id     Adv-Router-Id      Age      Sequence#    CheckSum
--------------------------------------------------------------------------------
0x00000001        172.16.1.1         1129     0x80000124   0x177d


Intra-Area-Prefix-LSA for area 0.0.0.0
--------------------------------------------------------------------------------
Link-State-Id     Adv-Router-Id      Age      Sequence#    CheckSum
--------------------------------------------------------------------------------
0x00000001        172.16.1.1         1169     0x80000246   0x69a0


Link-LSA for link ethernet0/5.10, area 0.0.0.0
--------------------------------------------------------------------------------
Link-State-Id     Adv-Router-Id      Age      Sequence#    CheckSum
--------------------------------------------------------------------------------
0x00000368        172.16.1.1         1174     0x8000011f   0xac59


Link-LSA for link ethernet0/6, area 0.0.0.0
--------------------------------------------------------------------------------
Link-State-Id     Adv-Router-Id      Age      Sequence#    CheckSum
--------------------------------------------------------------------------------
0x00000370        172.16.1.1         1175     0x8000011f   0x6048

-----------------------
 printed 4 LSA(s).
fd-wv-fw01->
fd-wv-fw01->
fd-wv-fw01-> get vrouter trust-vr route protocol ospfv3
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP/RIPng P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF/OSPFv3 E1: OSPF external type 1
E2: OSPF/OSPFv3 external type 2 trailing B: backup route

Total 19/max entries

         ID                                   IP-Prefix       Interface
                                                Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
         56                       2003:51:6012:101::/64          eth0/6
                                                     ::   O   60    100     Root
*        67         2003:51:6012:133:feed:cafe:0:10/128          eth0/6
                               fe80::2a94:fff:fea8:772d  E2  200   1000     Root
         54                       2003:51:6012:110::/64       eth0/5.10
                                                     ::   O   60    100     Root
*        57                       2003:51:6012:121::/64          eth0/6
                              fe80::b60c:25ff:fe05:8e10   O   60    110     Root
*        58                       2003:51:6012:120::/64          eth0/6
                              fe80::b60c:25ff:fe05:8e10   O   60    110     Root
*        59                       2003:51:6012:123::/64          eth0/6
                              fe80::b60c:25ff:fe05:8e10   O   60    110     Root
*        60                       2003:51:6012:125::/64          eth0/6
                              fe80::b60c:25ff:fe05:8e10   O   60    110     Root
*        61                       2003:51:6012:124::/64          eth0/6
                              fe80::b60c:25ff:fe05:8e10   O   60    110     Root
*        64                       2003:51:6012:130::/64          eth0/6
                               fe80::2a94:fff:fea8:772d   O   60    200     Root
*        66                       2003:61:6012:102::/64          eth0/6
                               fe80::21a:6cff:fea1:2b98   O   60    200     Root
*        63                       2003:51:6012:160::/64          eth0/6
                                fe80::a5b:eff:fe3c:115d   O   60    200     Root

Total number of ospfv3 routes: 11
fd-wv-fw01->
fd-wv-fw01->

 

Palo Alto

This is the Palo Alto guide. I am using a PA-200 with version 7.0.2. To my mind, this is the best OSPFv3 GUI from all firewalls in my lab. Here we go:

Open the virtual router and enable OSPFv3 with a Router ID. Then, "Add" an area. Area General tab. Add the interfaces. And enable OSPFv3 for each interface. Furthermore, set the values such as metric, priority, and passive mode. Don't forget to allow OSPF on the security policy! Traffic log which shows several OSPFv3 sessions. The "More Runtime Stats" button on the virtual router displays the routing table, for example. As well as the OSPFv3 summary. And OSPFv3 neighbors.

To show some runtime stats on the CLI, use these show commands:

weberjoh@fd-wv-fw02> show routing protocol ospfv3 summary

Router ID 172.16.1.2, instance 0 in virtual router default
  OSPFv3 is up, oper status active
  ABR: no, ASBR: yes, Allow transit traffic: yes
  reject-default-route: yes , redist-default-route: n/a
  originated LSA count: 3497, received LSA count: 6676
  num AS-scoped LSA: 0, AS-external LSA count: 1
  num update pending: 0, num update merged: 1
  SPF calc delay: 5.00, min lsa interval : 5.00
  external refresh interval: 1800

weberjoh@fd-wv-fw02>
weberjoh@fd-wv-fw02>
weberjoh@fd-wv-fw02> show routing protocol ospfv3 neighbor

Neighbor ID 172.16.1.1, in virtual router default
  Neighbor Link-local addr fe80:0:0:0:219:e2ff:fea1:f98a,Neighbor If ID 880
  Through local Interface ethernet1/1, local IF ID 16
  Area 0.0.0.0, instance ID 0, status up
  priority 100, state full, event count 10
  Options 0x13, V6(1),E(1),MC(0),N(0),R(1),DC(0)
  Retransmission queue length 0, Waiting on 0 LSA request
  Dead time is 38 sec
  Graceful restart helper status: not helping, time remaining: 0
  Graceful restart helper exit reason: none
Neighbor ID 172.16.1.3, in virtual router default
  Neighbor Link-local addr fe80:0:0:0:2a94:fff:fea8:772d,Neighbor If ID 14
  Through local Interface ethernet1/1, local IF ID 16
  Area 0.0.0.0, instance ID 0, status up
  priority 1, state full, event count 6
  Options 0x13, V6(1),E(1),MC(0),N(0),R(1),DC(0)
  Retransmission queue length 0, Waiting on 0 LSA request
  Dead time is 31 sec
  Graceful restart helper status: not helping, time remaining: 0
  Graceful restart helper exit reason: none
Neighbor ID 172.16.1.5, in virtual router default
  Neighbor Link-local addr fe80:0:0:0:21a:6cff:fea1:2b98,Neighbor If ID 3
  Through local Interface ethernet1/1, local IF ID 16
  Area 0.0.0.0, instance ID 0, status up
  priority 1, state full, event count 6
  Options 0x13, V6(1),E(1),MC(0),N(0),R(1),DC(0)
  Retransmission queue length 0, Waiting on 0 LSA request
  Dead time is 37 sec
  Graceful restart helper status: not helping, time remaining: 0
  Graceful restart helper exit reason: none
Neighbor ID 172.16.1.6, in virtual router default
  Neighbor Link-local addr fe80:0:0:0:a5b:eff:fe3c:115d,Neighbor If ID 6
  Through local Interface ethernet1/1, local IF ID 16
  Area 0.0.0.0, instance ID 0, status up
  priority 1, state full, event count 6
  Options 0x13, V6(1),E(1),MC(0),N(0),R(1),DC(0)
  Retransmission queue length 0, Waiting on 0 LSA request
  Dead time is 29 sec
  Graceful restart helper status: not helping, time remaining: 0
  Graceful restart helper exit reason: none

weberjoh@fd-wv-fw02>
weberjoh@fd-wv-fw02>
weberjoh@fd-wv-fw02> show routing protocol ospfv3 dumplsdb

** OSPF AS-Scope link state database
 VIRTUAL ROUTER: default (id 1)
 VR Type       Adv Router ID   LS id           Seq ID     Cksum  Age   Size
  1 External   172.16.1.3      0.0.0.1         0x80000003 0x3FB7 638   44
     Flags [External Type 2], metric 1000
        2003:51:6012:133:feed:cafe:0:10/128
** OSPF Area Scope link state database
 VIRTUAL ROUTER: default (id 1)
 VR Type       Adv Router ID   LS id           Seq ID     Cksum  Age   Size
  1 Router     172.16.1.1      0.0.0.1         0x8000017B 0x68D4 1698  40
      Options [V6, External, Router], RLA-Flags [none]
      Neighbor Network-ID 172.16.1.2
      Neighbor Interface-ID 0.0.0.16, Interface ID 0.0.3.112
      type 2, metric 100
  1 Router     172.16.1.2      0.0.0.0         0x8000017D 0x7A7C 1131  40
      Options [V6, External, Router], RLA-Flags [External]
      Neighbor Network-ID 172.16.1.2
      Neighbor Interface-ID 0.0.0.16, Interface ID 0.0.0.16
      type 2, metric 10
  1 Router     172.16.1.3      0.0.0.0         0x80000152 0xF6B1 884   40
      Options [V6, External, Router, Demand Circuit], RLA-Flags [External]
      Neighbor Network-ID 172.16.1.2
      Neighbor Interface-ID 0.0.0.16, Interface ID 0.0.0.14
      type 2, metric 100
  1 Router     172.16.1.5      0.0.0.0         0x80000152 0x4A69 296   40
      Options [V6, External, Router, Demand Circuit], RLA-Flags [none]
      Neighbor Network-ID 172.16.1.2
      Neighbor Interface-ID 0.0.0.16, Interface ID 0.0.0.3
      type 2, metric 100
  1 Router     172.16.1.6      0.0.0.0         0x8000017C 0xD12E 68    40
      Options [V6, External, Router], RLA-Flags [none]
      Neighbor Network-ID 172.16.1.2
      Neighbor Interface-ID 0.0.0.16, Interface ID 0.0.0.6
      type 2, metric 10
  1 Network    172.16.1.2      0.0.0.16        0x8000017B 0x3E8  1129  44
      Options [V6, External, Router, Demand Circuit]
      Connected Routers:
        172.16.1.1
        172.16.1.3
        172.16.1.5
        172.16.1.6
        172.16.1.2
  1 IntraArPfx 172.16.1.1      0.0.0.1         0x800002F4 0xC4F  1737  56
      Prefixes 2:
        2003:51:6012:110:0:0:0:0/64, metric 100
        2003:51:6012:101:0:0:0:0/64, metric 100
  1 IntraArPfx 172.16.1.2      0.0.0.1         0x8000017D 0x75B6 1131  92
      Prefixes 5:
        2003:51:6012:123:0:0:0:0/64, metric 10
        2003:51:6012:120:0:0:0:0/64, metric 10
        2003:51:6012:125:0:0:0:0/64, metric 10
        2003:51:6012:121:0:0:0:0/64, metric 10
        2003:51:6012:124:0:0:0:0/64, metric 10
  1 IntraArPfx 172.16.1.2      0.7.0.0         0x80000182 0x7BC  1124  44
      Prefixes 1:
        2003:51:6012:101:0:0:0:0/64, metric 0
  1 IntraArPfx 172.16.1.2      0.9.0.0         0x80000178 0x9E1C 1131  44
      Prefixes 1:
        2003:51:6012:120:0:0:0:0/64, metric 0
  1 IntraArPfx 172.16.1.3      0.0.0.0         0x80000151 0xF87E 884   44
      Prefixes 1:
        2003:51:6012:130:0:0:0:0/64, metric 100
  1 IntraArPfx 172.16.1.5      0.0.0.0         0x80000056 0xB2DA 1272  44
      Prefixes 1:
        2003:61:6012:102:0:0:0:0/64, metric 100
  1 IntraArPfx 172.16.1.6      0.0.0.2         0x8000017A 0x8F86 67    44
      Prefixes 1:
        2003:51:6012:160:0:0:0:0/64, metric 100
** OSPF Link Scope link state database
 VIRTUAL ROUTER: default (id 1)
 VR Type       Adv Router ID   LS id           Seq ID     Cksum  Age   Size
  1 Link       172.16.1.1      0.0.3.112       0x80000176 0xB19F 1742  56
      Options [V6, External, Router]
      Priority 100, Link-local address fe80:0:0:0:219:e2ff:fea1:f98a,
      Prefixes 1:
        2003:51:6012:101:0:0:0:0/64
  1 Link       172.16.1.2      0.0.0.16        0x80000178 0x8FEC 5     56
      Options [V6, External, Router]
      Priority 50, Link-local address fe80:0:0:0:b60c:25ff:fe05:8e10,
      Prefixes 1:
        2003:51:6012:101:0:0:0:0/64
  1 Link       172.16.1.3      0.0.0.14        0x80000151 0x52D3 884   56
      Options [V6, External, Router, Demand Circuit]
      Priority 1, Link-local address fe80:0:0:0:2a94:fff:fea8:772d,
      Prefixes 1:
        2003:51:6012:101:0:0:0:0/64
  1 Link       172.16.1.5      0.0.0.3         0x80000151 0x520A 296   56
      Options [V6, External, Router, Demand Circuit]
      Priority 1, Link-local address fe80:0:0:0:21a:6cff:fea1:2b98,
      Prefixes 1:
        2003:51:6012:101:0:0:0:0/64
  1 Link       172.16.1.6      0.0.0.6         0x80000177 0x42DF 137   56
      Options [V6, External, Router]
      Priority 1, Link-local address fe80:0:0:0:a5b:eff:fe3c:115d,
      Prefixes 1:
        2003:51:6012:101:0:0:0:0/64
  1 Link       172.16.1.2      0.0.1.1         0x80000178 0x92A3 5     56
      Options [V6, External, Router]
      Priority 100, Link-local address fe80:0:0:0:b60c:25ff:fe05:8e13,
      Prefixes 1:
        2003:51:6012:120:0:0:0:0/64
weberjoh@fd-wv-fw02>
weberjoh@fd-wv-fw02>
weberjoh@fd-wv-fw02> show routing route type ospf

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp


VIRTUAL ROUTER: default (id 1)
  ==========
destination                                 nexthop                                 metric flags      age   interface          next-AS
[IPv4 routes omitted]
2003:51:6012:101::/64                       ::                                      10       Oi       675410 ethernet1/1
2003:51:6012:110::/64                       fe80::219:e2ff:fea1:f98a                110    A Oi       674960 ethernet1/1
2003:51:6012:120::/64                       ::                                      10       Oi       945349 ethernet1/4.120
2003:51:6012:121::/64                       ::                                      10       Oi       945349 ethernet1/4.121
2003:51:6012:123::/64                       ::                                      10       Oi       945349 ethernet1/3
2003:51:6012:124::/64                       ::                                      10       Oi       945349 ethernet1/4.124
2003:51:6012:125::/64                       ::                                      10       Oi       945349 ethernet1/4.125
2003:51:6012:130::/64                       fe80::2a94:fff:fea8:772d                110    A Oi       672653 ethernet1/1
2003:51:6012:133:feed:cafe:0:10/128         fe80::2a94:fff:fea8:772d                1000   A O2       4598  ethernet1/1
2003:51:6012:160::/64                       fe80::a5b:eff:fe3c:115d                 110    A Oi       673436 ethernet1/1
2003:61:6012:102::/64                       fe80::21a:6cff:fea1:2b98                110    A Oi       172024 ethernet1/1
total routes shown: 38

weberjoh@fd-wv-fw02>

 

Quagga Router

Finally, I plugged a Quagga router into my lab. It is running on a Ubuntu 14.04.3 LTS 64-bit server with version 0.99.22.4.

The configuration commands inside the ospf6d are the following (I have not found the “auto-cost reference-bandwidth” command, though it is listed in the official documentation.):

interface eth0
 ipv6 ospf6 cost 10
!
interface eth1
 ipv6 ospf6 cost 10
 ipv6 ospf6 passive
!
router ospf6
 router-id 172.16.1.8
 interface eth0 area 0.0.0.0
 interface eth1 area 0.0.0.0

The show commands are listed below. Note that all OSPFv3 related commands are executed inside the ospf6d instance, while the routing table is shown inside the zebra instance:

Quagga-OSPFv3# show ipv6 ospf6
 OSPFv3 Routing Process (0) with Router-ID 172.16.1.8
 Running 00:17:15
 Number of AS scoped LSAs is 0
 Number of areas in this router is 1
 Area 0.0.0.0
     Number of Area scoped LSAs is 17
     Interface attached to this area: eth0 eth1
Quagga-OSPFv3#
Quagga-OSPFv3#
Quagga-OSPFv3# show ipv6 ospf6 neighbor
Neighbor ID     Pri    DeadTime  State/IfState         Duration I/F[State]
172.16.1.1      100    00:00:34   Full/BDR             00:17:17 eth0[DROther]
172.16.1.2       50    00:00:30   Full/DR              00:17:18 eth0[DROther]
172.16.1.3        1    00:00:39 Twoway/DROther         00:17:24 eth0[DROther]
172.16.1.5        1    00:00:37 Twoway/DROther         00:17:24 eth0[DROther]
172.16.1.6        1    00:00:34 Twoway/DROther         00:17:17 eth0[DROther]
Quagga-OSPFv3#
Quagga-OSPFv3#
Quagga-OSPFv3# show ipv6 ospf6 database

        Area Scoped Link State Database (Area 0.0.0.0)

Type         LSId            AdvRouter        Age   SeqNum Cksm  Len Duration
Router       0.0.0.1         172.16.1.1      1024 80000277 6dd2   40 00:17:02
Router       0.0.0.0         172.16.1.2      1025 80000278 8179   40 00:17:03
Router       0.0.0.0         172.16.1.3      1275 8000022b 428c   40 00:17:27
Router       0.0.0.0         172.16.1.5       340 80000053 4b68   40 00:05:37
Router       0.0.0.0         172.16.1.6       613 80000270 e624   40 00:10:10
Router       0.0.0.0         172.16.1.8      1048 80000001 87f6   40 00:17:27
Network      0.0.0.16        172.16.1.2      1025 80000276 ff26   48 00:17:03
Intra-Prefix 0.0.0.1         172.16.1.1      1024 800004e5 2444   56 00:17:02
Intra-Prefix 0.0.0.1         172.16.1.2      1025 80000278 7cb3   92 00:17:03
Intra-Prefix 0.7.0.0         172.16.1.2      1025 8000027d 0eb9   44 00:17:03
Intra-Prefix 0.9.0.0         172.16.1.2      1742 8000026a b710   44 00:17:27
Intra-Prefix 0.0.0.0         172.16.1.3      1275 8000022a 4459   44 00:17:27
Intra-Prefix 0.0.0.0         172.16.1.5       340 80000132 f7b8   44 00:05:37
Intra-Prefix 0.0.0.2         172.16.1.6       612 8000026f a27d   44 00:10:09
Intra-Prefix 0.0.0.0         172.16.1.8      1048 80000003 8e38   44 00:17:27

        I/F Scoped Link State Database (I/F eth0 in Area 0.0.0.0)

Type         LSId            AdvRouter        Age   SeqNum Cksm  Len Duration
Link         0.0.3.112       172.16.1.1      1251 80000268 ca93   56 00:17:27
Link         0.0.0.16        172.16.1.2       618 8000026a a8e0   56 00:10:16
Link         0.0.0.14        172.16.1.3      1275 8000022a 9dae   56 00:17:27
Link         0.0.0.3         172.16.1.5       340 8000022b 9be5   56 00:05:37
Link         0.0.0.6         172.16.1.6       753 80000269 5bd3   56 00:12:30
Link         0.0.0.2         172.16.1.8      1055 80000001 b5ee   56 00:17:34

        I/F Scoped Link State Database (I/F eth1 in Area 0.0.0.0)

Type         LSId            AdvRouter        Age   SeqNum Cksm  Len Duration
Link         0.0.0.3         172.16.1.8      1055 80000001 75a4   56 00:17:34

        AS Scoped Link State Database

Type         LSId            AdvRouter        Age   SeqNum Cksm  Len Duration

Quagga-OSPFv3#
Quagga-OSPFv3#
Quagga-OSPFv3# show ipv6 ospf6 database self-originated

        Area Scoped Link State Database (Area 0.0.0.0)

Type         LSId            AdvRouter        Age   SeqNum Cksm  Len Duration
Router       0.0.0.0         172.16.1.8      1365 80000001 87f6   40 00:22:45
Intra-Prefix 0.0.0.0         172.16.1.8      1365 80000003 8e38   44 00:22:45

        I/F Scoped Link State Database (I/F eth0 in Area 0.0.0.0)

Type         LSId            AdvRouter        Age   SeqNum Cksm  Len Duration
Link         0.0.0.2         172.16.1.8      1372 80000001 b5ee   56 00:22:51

        I/F Scoped Link State Database (I/F eth1 in Area 0.0.0.0)

Type         LSId            AdvRouter        Age   SeqNum Cksm  Len Duration
Link         0.0.0.3         172.16.1.8      1372 80000001 75a4   56 00:22:51

        AS Scoped Link State Database

Type         LSId            AdvRouter        Age   SeqNum Cksm  Len Duration

Quagga-OSPFv3#
Quagga-OSPFv3#
---------------------------------------
Quagga-Zebra# show ipv6 route
Codes: K - kernel route, C - connected, S - static, R - RIPng,
       O - OSPFv6, I - IS-IS, B - BGP, A - Babel,
       > - selected route, * - FIB route

K>* ::/0 via 2003:51:6012:101::1, eth0
C>* ::1/128 is directly connected, lo
O   2003:51:6012:101::/64 [110/10] is directly connected, eth0, 00:24:25
C>* 2003:51:6012:101::/64 is directly connected, eth0
O>* 2003:51:6012:120::/64 [110/20] via fe80::b60c:25ff:fe05:8e10, eth0, 00:24:25
O>* 2003:51:6012:121::/64 [110/20] via fe80::b60c:25ff:fe05:8e10, eth0, 00:24:25
O>* 2003:51:6012:123::/64 [110/20] via fe80::b60c:25ff:fe05:8e10, eth0, 00:24:25
O>* 2003:51:6012:124::/64 [110/20] via fe80::b60c:25ff:fe05:8e10, eth0, 00:24:25
O>* 2003:51:6012:125::/64 [110/20] via fe80::b60c:25ff:fe05:8e10, eth0, 00:24:25
O>* 2003:51:6012:130::/64 [110/110] via fe80::2a94:fff:fea8:772d, eth0, 00:24:25
O>* 2003:51:6012:160::/64 [110/110] via fe80::a5b:eff:fe3c:115d, eth0, 00:24:25
O   2003:51:6012:180::/64 [110/10] via ::1, lo, 00:24:30
C>* 2003:51:6012:180::/64 is directly connected, eth1
O>* 2003:61:6012:102::/64 [110/110] via fe80::21a:6cff:fea1:2b98, eth0, 00:24:25
C * fe80::/64 is directly connected, eth1
C>* fe80::/64 is directly connected, eth0
Quagga-Zebra#
Quagga-Zebra#
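The neighbor tables above (ScreenOS, Palo Alto and Quagga) are what an operator eyeballs during troubleshooting; the same data also makes a cheap control against an unexpected router joining the area, since any host that speaks OSPFv3 on the link can otherwise become a neighbor. The following Python script is an added example, not part of the original post and not Quagga code: it parses the Quagga `show ipv6 ospf6 neighbor` format, checks every neighbor against an allow-list of router IDs per interface, and flags adjacencies that should be Full but are not. The sample input is the table printed above plus one constructed line for router ID 172.16.1.99, which stands in for an unexpected peer; the `EXPECTED` allow-list is an assumption taken from the lab topology.

```python
import re
from dataclasses import dataclass

# Neighbor table as printed by Quagga's "show ipv6 ospf6 neighbor" above, plus one
# constructed line (router ID 172.16.1.99) standing in for an unexpected peer.
SAMPLE_NEIGHBORS = """\
Neighbor ID     Pri    DeadTime  State/IfState         Duration I/F[State]
172.16.1.1      100    00:00:34   Full/BDR             00:17:17 eth0[DROther]
172.16.1.2       50    00:00:30   Full/DR              00:17:18 eth0[DROther]
172.16.1.3        1    00:00:39 Twoway/DROther         00:17:24 eth0[DROther]
172.16.1.5        1    00:00:37 Twoway/DROther         00:17:24 eth0[DROther]
172.16.1.6        1    00:00:34 Twoway/DROther         00:17:17 eth0[DROther]
172.16.1.99       1    00:00:38 ExStart/DR             00:00:05 eth0[DROther]
"""

# Router IDs allowed to be adjacent on each link (assumption: the five lab devices).
EXPECTED = {"eth0": {"172.16.1.1", "172.16.1.2", "172.16.1.3", "172.16.1.5", "172.16.1.6"}}

LINE_RE = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<dead>\d\d:\d\d:\d\d)\s+"
    r"(?P<state>\w+)/(?P<role>\w+)\s+(?P<dur>\d\d:\d\d:\d\d)\s+"
    r"(?P<ifname>[\w./-]+)\[(?P<ifstate>\w+)\]\s*$"
)


@dataclass(frozen=True)
class Neighbor:
    router_id: str
    priority: int
    state: str          # adjacency state: Full, Twoway, ExStart, ...
    role: str           # the neighbor's role on the link: DR, BDR or DROther
    ifname: str
    local_ifstate: str  # our own role on that link


def parse_neighbors(text):
    """Parse the Quagga neighbor table; the header and blank lines are skipped."""
    neighbors = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            neighbors.append(Neighbor(m["rid"], int(m["pri"]), m["state"],
                                      m["role"], m["ifname"], m["ifstate"]))
    return neighbors


def audit_neighbors(neighbors, expected):
    """Return findings: unexpected peers, wrong adjacency states, missing peers."""
    findings = []
    for n in neighbors:
        if n.router_id not in expected.get(n.ifname, set()):
            findings.append(f"{n.ifname}: unexpected neighbor {n.router_id} "
                            f"(claims role {n.role}, state {n.state})")
            continue
        # On a broadcast link a DROther is Full only with the DR and BDR; Twoway
        # with the other DROthers is the normal, healthy state (see the table above).
        needs_full = n.role in ("DR", "BDR") or n.local_ifstate in ("DR", "BDR")
        if needs_full and n.state != "Full":
            findings.append(f"{n.ifname}: neighbor {n.router_id} ({n.role}) is {n.state}, expected Full")
        elif not needs_full and n.state not in ("Full", "Twoway"):
            findings.append(f"{n.ifname}: neighbor {n.router_id} stuck in {n.state}")
    seen = {(n.ifname, n.router_id) for n in neighbors}
    for ifname, rids in expected.items():
        for rid in sorted(rids):
            if (ifname, rid) not in seen:
                findings.append(f"{ifname}: expected neighbor {rid} is missing")
    return findings


if __name__ == "__main__":
    for finding in audit_neighbors(parse_neighbors(SAMPLE_NEIGHBORS), EXPECTED):
        print(finding)
```

Run against the table above alone the audit returns nothing; with the constructed 172.16.1.99 line it reports the unexpected peer. The allow-list approach complements, not replaces, OSPFv3 authentication (IPsec AH/ESP per RFC 4552), which none of the lab devices were configured with in this post.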

 

Wireshark Dump

I captured all OSPF packets while I restarted (reload) the Cisco router. The pcapng therefore contains all five types of OSPFv3 packets (Hello, DBD, LSR, LSU, LSAack). Here it is for download:

 

As an example, these are the messages after the Cisco router has booted (red-marked area). After some database description packets (DBD), the router requested (LSR) many details. After that, the designated router (DR) sent many link-state updates (LSU) which contain the link-state advertisements (LSA). The yellow highlighted section shows one of the intra-area-prefix LSAs:

OSPFv3 Wireshark Dump: Hello, DBD, LSR, LSU (with LSA), LSAack

FortiGate 2-Factor Authentication via SMS

FortiGate SMS featured image

Two-factor authentication is quite common these days. That’s good. Many service providers offer a second authentication before entering their systems. Besides hardware tokens or code generator apps, the traditional SMS on a mobile phone can be used for the second factor.

The FortiGate firewalls from Fortinet have the SMS option built-in. No feature license is required for that. Great. The only thing needed is an email-to-SMS provider for sending the text messages. The configuration process on the FortiGate is quite simple, however, both the GUI as well as the CLI are needed for that job. (Oh Fortinet, why aren’t you improving your GUI?)

Here is a step-by-step configuration tutorial for the two-factor authentication via SMS from a FortiGate firewall. My test case was the web-based SSL VPN portal.

The second factor is sent via SMS. More precisely: via email2sms. That is: The FortiGate sends an email to <phone-number>@email2sms-provider.tld with the authentication code. In order to use this feature, an email server as well as an SMS service must be configured. I am not using the “FortiGuard Messaging Service” for this test but a “Custom” Email-2-SMS service from the Internet (just found via Google).

I am using a FortiWiFi 90D with FortiOS 5.2.4, build688.

Email Service

The SMTP server should be configured anyway in order to receive alert emails from the FortiGate. If it is not configured yet, it is done under System -> Config -> Advanced -> Email Service:

FortiGate SMS 01 Email Service

SMS Service

The SMS service settings are directly below the email service. Only a name and the “Domain” must be entered. This was a bit confusing for me when I saw it for the first time since no other options can be set. But in fact, the FortiGate will send all SMS to <number@domain>. So it really does not need any more information. The correct domain for the mail2sms gateway is listed on the service you chose on the Internet. (I am using websms.com, a German provider.)

FortiGate SMS 02 SMS Service

User

The most annoying point is to activate the two-factor SMS authentication for the user since it cannot be done through the GUI. Furthermore, if you add users, the GUI from FortiGate is not consistent in storing the phone number for local users. (As with almost all cases, the GUI from Fortinet is not that good.) So take care!

The phone number can be entered via the GUI, as well as the “Custom” SMS provider, but the only option for the “Enable Two-factor Authentication” is the Token, which we won’t use here:

FortiGate SMS 03 User Phone Number FortiGate SMS 04 No SMS Option

Use the CLI in order to configure the following command for each user (line 3):

fd-wv-fw04 # config user local
fd-wv-fw04 (local) # edit weberjoh2
fd-wv-fw04 (weberjoh2) # set two-factor sms
fd-wv-fw04 (weberjoh2) # next

After that, the two-factor auth method “sms” is shown in the summary as well as under the user's details:

FortiGate SMS 05 sms after enabled via CLI FortiGate SMS 06 sms after enabled via CLI

That’s all for the config.

Test

My use case for the two-factor authentication is the web-based SSL VPN. Following are the screenshots I’ve made during the logon process, as well as the log events:

FortiGate SMS 07 Login first factor FortiGate SMS 08a iPhone SMS received FortiGate SMS 08b Login second SMS factor FortiGate SMS 09 Successfully logged in FortiGate SMS 10 SSL-VPN Monitor FortiGate SMS 11 Event Log System FortiGate SMS 12 Event Log VPN

The corresponding log messages on the CLI look like this:

23: date=2015-12-03 time=17:23:16 logid=0100038411 type=event subtype=system level=notice vd="root" logdesc="Two-factor authentication code sent" user="weberjoh2" action="send authentication code" msg="Send two-factor authentication token code 047548 to 004********211@email2sms.websms.com"

24: date=2015-12-03 time=17:23:16 logid=0101039943 type=event subtype=vpn level=information vd="root" logdesc="SSL VPN new connection" action="ssl-new-con" tunneltype="ssl" tunnelid=0 remip=87.159.185.106 tunnelip=(null) user="N/A" group="N/A" dst_host="N/A" reason="N/A" msg="SSL new connection"

I like it. Easy to use, even for non-technical persons. 😉
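The two event-log lines above are the raw material for monitoring this feature. The following Python script is an added example, not FortiGate code and not part of the original post: it parses FortiOS key=value event lines (quoted and unquoted values, including the `(null)` placeholder), redacts the one-time code from the `msg` field before the record is forwarded or stored, and raises an alert when several codes are sent to the same user within a short window, which is what repeated login attempts or an SMS flood against a user's phone look like from the firewall's side. The first two lines are the ones shown above; the remaining lines, the second user, the threshold and the window are constructed assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The first two lines are the event log entries shown above; the rest are constructed
# to simulate repeated code requests for the same user about a minute later.
SAMPLE_LOGS = [
    '23: date=2015-12-03 time=17:23:16 logid=0100038411 type=event subtype=system level=notice vd="root" '
    'logdesc="Two-factor authentication code sent" user="weberjoh2" action="send authentication code" '
    'msg="Send two-factor authentication token code 047548 to 004********211@email2sms.websms.com"',
    '24: date=2015-12-03 time=17:23:16 logid=0101039943 type=event subtype=vpn level=information vd="root" '
    'logdesc="SSL VPN new connection" action="ssl-new-con" tunneltype="ssl" tunnelid=0 remip=87.159.185.106 '
    'tunnelip=(null) user="N/A" group="N/A" dst_host="N/A" reason="N/A" msg="SSL new connection"',
    '25: date=2015-12-03 time=17:24:02 logid=0100038411 type=event subtype=system level=notice vd="root" '
    'logdesc="Two-factor authentication code sent" user="weberjoh2" action="send authentication code" '
    'msg="Send two-factor authentication token code 111111 to 004********211@email2sms.websms.com"',
    '26: date=2015-12-03 time=17:24:40 logid=0100038411 type=event subtype=system level=notice vd="root" '
    'logdesc="Two-factor authentication code sent" user="weberjoh2" action="send authentication code" '
    'msg="Send two-factor authentication token code 222222 to 004********211@email2sms.websms.com"',
    '27: date=2015-12-03 time=17:30:00 logid=0100038411 type=event subtype=system level=notice vd="root" '
    'logdesc="Two-factor authentication code sent" user="alice" action="send authentication code" '
    'msg="Send two-factor authentication token code 333333 to 004********999@email2sms.websms.com"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
TOKEN_RE = re.compile(r"(token code )\d+")            # the one-time code inside msg=
CODE_SENT = "Two-factor authentication code sent"     # logdesc value used by the FortiGate above


def parse_fortios_log(line):
    """Turn one FortiOS key=value event line into a dict; adds a datetime under '_ts'."""
    line = re.sub(r"^\d+:\s*", "", line)               # strip the CLI's leading "23: "
    rec = {}
    for m in KV_RE.finditer(line):
        rec[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if "date" in rec and "time" in rec:
        rec["_ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def redact_token(rec):
    """Mask the SMS code so forwarded or stored logs do not contain a usable second factor."""
    if "msg" in rec:
        rec["msg"] = TOKEN_RE.sub(r"\1******", rec["msg"])
    return rec


def find_code_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Return (user, first, last, count) for users sent >= threshold codes within window."""
    stamps_by_user = defaultdict(list)
    for r in records:
        if r.get("logdesc") == CODE_SENT and "_ts" in r:
            stamps_by_user[r.get("user", "?")].append(r["_ts"])
    alerts = []
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):                # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, stamps[start], stamps[end], end - start + 1))
                break
    return alerts


def analyze(lines, **kw):
    """Parse and redact every line, then return (records, burst alerts)."""
    records = [redact_token(parse_fortios_log(line)) for line in lines]
    return records, find_code_bursts(records, **kw)


if __name__ == "__main__":
    recs, alerts = analyze(SAMPLE_LOGS)
    print(recs[0]["msg"])
    for user, first, last, count in alerts:
        print(f"{user}: {count} codes between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

The redaction matters because the FortiGate writes the code in clear into the event log, so anything that collects those logs (syslog, FortiAnalyzer, a SIEM) would otherwise hold a valid second factor for the lifetime of the token.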

Links

Basic IPv6 Configuration on a FortiGate Firewall

FortiGate IPv6 Config Commands featured image

It’s really great that the FortiGate firewalls have a DHCPv6 server implemented. With this mandatory service, IPv6-only networks can be deployed directly behind a FortiGate because the stateless DHCPv6 server provides the DNS server addresses. (This is unlike Palo Alto or Cisco which have no DHCPv6 server implemented.)

However, the configuration on the FortiGate is really bad because nothing of the IPv6 features can be set via the GUI. (And this is called a Next-Generation Firewall? Not only the features count, but also the usability!) Everything must be done through the CLI which is sometimes hard to remember. Therefore I am publishing this memo of the appropriate CLI configuration commands.

Coming from Cisco devices (which only have the CLI ;)), the structure of the command line interface from Fortinet is quite different. That’s ok but I need some memos for that. What I really don’t like are the inconsistencies within the CLI, e.g. sometimes it’s called “ipv6”, sometimes “ip6”. Oh oh. At least the IPv6 policies can be configured through the GUI.

I am running a FortiWiFi 90D with FortiOS v5.2.4, build688.

End-User Interface

A basic end-user interface needs an IPv6 address, router advertisements with the O-flag (for using stateless DHCPv6), as well as an advertised prefix with the on-link and autonomous flags. Furthermore, a stateless DHCPv6 server provides the DNS server addresses. Here we go:

config system interface
    edit "fg-trust3"
            config ipv6
                set ip6-allowaccess ping https ssh
                set ip6-address 2003:51:6012:162::1/64
                set ip6-send-adv enable
                set ip6-other-flag enable
                    config ip6-prefix-list
                        edit 2003:51:6012:162::/64
                            set autonomous-flag enable
                            set onlink-flag enable
                        next
                    end
            end
    next
end
config system dhcp6 server
    edit 1
        set domain "webernetz.net"
        set interface "fg-trust3"
        set dns-server1 2001:4860:4860::8888
        set dns-server2 2001:4860:4860::4444
    next
end

Of course, there are many more options to fine-tune the timers, etc. But the commands just listed are the very basic configuration steps to get it running.
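Since all of this can only be done through the CLI, it is worth checking the result mechanically rather than by eye. The following Python script is an added example, not part of the original post and not FortiOS code: it parses the `config / edit / set / next / end` structure into nested dicts and audits the IPv6 interface settings for three things: cleartext management protocols (`telnet`, `http`) in `ip6-allowaccess`, an O-flag set without a DHCPv6 server bound to that interface (clients would then never learn a DNS server), and router advertisements that carry no prefix with the autonomous flag. The first input is the configuration listed above; the second is a constructed counter-example. The `ip6-managed-flag` setting consulted in the last check is a FortiOS option not shown in the post.

```python
import shlex

# Copied from the interface and DHCPv6 configuration listed above.
PAGE_CONFIG = """\
config system interface
    edit "fg-trust3"
        config ipv6
            set ip6-allowaccess ping https ssh
            set ip6-address 2003:51:6012:162::1/64
            set ip6-send-adv enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2003:51:6012:162::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end
config system dhcp6 server
    edit 1
        set domain "webernetz.net"
        set interface "fg-trust3"
        set dns-server1 2001:4860:4860::8888
        set dns-server2 2001:4860:4860::4444
    next
end
"""

# Constructed counter-example: cleartext admin access over IPv6, the O-flag set
# without any DHCPv6 server, and no advertised prefix at all.
WEAK_CONFIG = """\
config system interface
    edit "fg-trust3"
        config ipv6
            set ip6-allowaccess ping https ssh telnet http
            set ip6-address 2003:51:6012:162::1/64
            set ip6-send-adv enable
            set ip6-other-flag enable
        end
    next
end
"""

CLEARTEXT_ACCESS = {"telnet", "http"}


def parse_fortios_config(text):
    """Parse config/edit/set/next/end blocks into nested dicts.

    Tables and entries become dicts; each "set" becomes key -> list of values.
    """
    root = {}
    stack = [root]                                  # dicts currently being filled
    for raw in text.splitlines():
        if not raw.strip():
            continue
        tokens = shlex.split(raw)                   # handles the quoted names and values
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def audit_ipv6(cfg):
    """Return findings for the IPv6 interface settings in a parsed configuration."""
    findings = []
    dhcp6_ifaces = {e.get("interface", [""])[0]
                    for e in cfg.get("system dhcp6 server", {}).values()}
    for name, iface in cfg.get("system interface", {}).items():
        v6 = iface.get("ipv6")
        if not v6:
            continue
        weak = CLEARTEXT_ACCESS & set(v6.get("ip6-allowaccess", []))
        if weak:
            findings.append(f"{name}: cleartext management access over IPv6 ({', '.join(sorted(weak))})")
        if v6.get("ip6-send-adv", ["disable"])[0] != "enable":
            continue                                # no RAs sent, nothing more to check
        if v6.get("ip6-other-flag", ["disable"])[0] == "enable" and name not in dhcp6_ifaces:
            findings.append(f"{name}: RA sets the O-flag but no DHCPv6 server is bound to this interface")
        has_slaac = any(p.get("autonomous-flag", ["disable"])[0] == "enable"
                        for p in v6.get("ip6-prefix-list", {}).values())
        # ip6-managed-flag (M-flag, stateful DHCPv6) is a FortiOS setting not shown in the post.
        if not has_slaac and v6.get("ip6-managed-flag", ["disable"])[0] != "enable":
            findings.append(f"{name}: RA carries no prefix with the A-flag and the M-flag is off, "
                            "so hosts get no global address")
    return findings


if __name__ == "__main__":
    print(audit_ipv6(parse_fortios_config(PAGE_CONFIG)))
    for finding in audit_ipv6(parse_fortios_config(WEAK_CONFIG)):
        print(finding)
```

Feed it the output of `show full-configuration` (mentioned in the troubleshooting post below) and every interface with a `config ipv6` block is checked in one go.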

For your interest, this is how my IPv6-only network on a Windows 7 machine looks with the settings just proposed:

FortiGate IPv6 Config Commands Windows 7 Network

Routing

For routing IPv6 traffic within the network, static routes or OSPFv3 are quite common. The commands for those are the following. (Have a look at my OSPFv3 blog post which lists the appropriate commands for many other firewall and router devices.)

config router static6
    edit 1
        set gateway 2003:51:6012:101::1
        set device "wan1"
    next
end
config router ospf6
    set auto-cost-ref-bandwidth 10000
    set router-id 172.16.1.6
        config area
            edit 0.0.0.0
            next
        end
        config ospf6-interface
            edit "wan1"
                set interface "wan1"
            next
            edit "fg-trust3"
                set interface "fg-trust3"
            next
        end
    set passive-interface "fg-trust3"
end

 

Show and Get and Diagnose

To verify the working settings of the FortiGate, these CLI commands can be used:

fd-wv-fw04 # diagnose ipv6 address list
dev=73 devname=fg-trust3 flag=P scope=0 prefix=64 addr=2003:51:6012:162::1
dev=70 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1
dev=68 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1
dev=63 devname=fg-trust flag=P scope=0 prefix=64 addr=2003:51:6012:160::1
dev=59 devname=root flag=P scope=254 prefix=128 addr=::1
dev=6 devname=wan1 flag=P scope=0 prefix=64 addr=2003:51:6012:101::6
dev=6 devname=wan1 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fe3c:115d
dev=73 devname=fg-trust3 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fe3c:115c
dev=63 devname=fg-trust flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fe3c:115c

fd-wv-fw04 # diagnose ipv6 neighbor-cache list
ifindex=6 ifname=wan1 ff02::5 33:33:00:00:00:05 state=00000040 use=241 confirm=8282556 update=8276556 ref=1
ifindex=6 ifname=wan1 ff02::6 33:33:00:00:00:06 state=00000040 use=455 confirm=6566 update=566 ref=1
ifindex=59 ifname=root :: 00:00:00:00:00:00 state=00000040 use=8278891 confirm=8284891 update=8278891 ref=10
ifindex=73 ifname=fg-trust3 ff02::c 33:33:00:00:00:0c state=00000040 use=261418 confirm=267418 update=261418 ref=1
ifindex=6 ifname=wan1 2003:51:6012:101::1 00:19:e2:a1:f9:8a state=00000002 use=151 confirm=470 update=470 ref=2
ifindex=73 ifname=fg-trust3 2003:51:6012:162:8458:5fee:7eb2:77d4 00:0c:29:15:f8:40 state=00000002 use=2076 confirm=2016 update=2016 ref=2
ifindex=6 ifname=wan1 fe80::20c:29ff:fe63:2159 00:0c:29:63:21:59 state=00000004 use=6676402 confirm=6676402 update=2760067 ref=1
ifindex=6 ifname=wan1 fe80::219:e2ff:fea1:f98a 00:19:e2:a1:f9:8a state=00000002 use=0 confirm=77 update=77 ref=3

fd-wv-fw04 # get router info6 routing-table
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       I - IS-IS, B - BGP
       * - candidate default

Timers: Uptime

S*      ::/0 [10/0] via 2003:51:6012:101::1, wan1, 23:00:41
C       ::1/128 via ::, root, 23:00:49
O       2003:50:aa3d:1dfe:b2c6:9aff:fefd:ca97/128 [110/10010] via fe80::219:e2ff:fea1:f98a, wan1, 22:59:59
C       2003:51:6012:101::/64 via ::, wan1, 23:00:49
O       2003:51:6012:110::/64 [110/110] via fe80::219:e2ff:fea1:f98a, wan1, 22:59:59
O       2003:51:6012:130::/64 [110/110] via fe80::2a94:fff:fea8:772d, wan1, 22:59:59
C       2003:51:6012:160::/64 via ::, fg-trust, 23:00:49
C       2003:51:6012:162::/64 via ::, fg-trust3, 15:34:22
O       2003:51:6012:180::/64 [110/20] via fe80::20c:29ff:fe63:2159, wan1, 22:59:59
C       fe80::/10 via ::, fg-trust3, 15:34:22


CLI Commands for Troubleshooting FortiGate Firewalls


This blog post is a list of common troubleshooting commands I am using on the FortiGate CLI. It is not complete nor very detailed, but provides the basic commands for troubleshooting network related issues that are not resolvable via the GUI. I am not focused on too many memory, process, kernel, etc. details; those are only needed for really specific problems. I am more focused on the general troubleshooting stuff.

Coming from Cisco, everything is “show”. With Fortinet, you have the choice between “show | get | diagnose | execute”. Not that easy to remember. Likewise the “sys | system” keyword. It is always “diagnose sys” but “execute system”. 😉

Entering the correct vdom/global Config

Remember to enter the correct vdom or global configuration tree before configuring anything:

config global
config vdom
	edit <vdom-name>


To show the running configuration (such as “show run”), simply type in:

show

To show the entire running configuration with default values, use:

show full-configuration


To find a CLI command within the configuration, you can use the pipe sign “|” with “grep” (similar to “include” on Cisco devices). Note the “-f” flag to show the whole config tree in which the keyword was found, e.g.:

show | grep -f ipv6
show full-configuration | grep -f ipv6


General Information

The very basics:

get system interface physical	#overview of hardware interfaces
get hardware nic <nic-name>		#details of a single network interface, same as: diagnose hardware deviceinfo nic <nic-name>
fnsysctl ifconfig <nic-name>	#kind of hidden command to see more interface stats such as errors
get system status				#==show version
get system performance status	#CPU and network usage
diagnose sys top				#top with all forked processes
diagnose sys top-summary		#top easier, incl. CPU and mem bars. Forks are displayed by [x13] or whatever
execute dhcp lease-list
diagnose ip arp list
diagnose ipv6 address list
diagnose ipv6 neighbor-cache list
diagnose sys ntp status
diagnose autoupdate versions	#lists the attack definition versions, last update, etc.
diagnose log test				#generates all possible log entries
diagnose test application dnsproxy 6	#shows the IP addresses of FQDN objects
diagnose debug crashlog read	#shows crashlog, a status of 0 indicates a normal close of a process!


General Network Troubleshooting

Which is basically ping and traceroute:

execute ping-options ?
execute ping-options source <ip-address-of-the-interface>
execute ping <hostname|ip>
execute ping6-options ?
execute ping6 <hostname|ip>
execute traceroute <hostname|ip>
execute tracert6 <hostname|ip>


Routing

get router info routing-table all	#routing table
get router info6 routing-table		#IPv6 without the "all" keyword
get router info kernel				#Forwarding Information Base
get router info6 kernel
get router <routing-protocol>		#basic information about the enabled routing protocol
diagnose firewall proute list		#policy-based routing
diagnose firewall proute6 list
diagnose ip rtcache list			#route cache = current sessions w/ routing information


High Availability

diagnose sys ha status
execute ha manage ?					#switch to the CLI of a secondary unit
execute ha manage <device-index>
diagnose sys ha showcsum			#verify the checksum of all synchronized peers


Session Table

Display the current active sessions:

get system session list				#rough view with NAT, only IPv4
diagnose sys session filter clear
diagnose sys session filter ?
diagnose sys session filter dst 8.8.8.8
diagnose sys session filter dport 53
diagnose sys session list


Sniffer

Sniff packets like tcpdump does. This can be used for investigating connection problems between two hosts. (There are no details of the firewall policy decisions. Use the debug flow (next section) for analysis of firewall policies, etc.)

diagnose sniffer packet <interface|any> '<tcpdump-filter>' <verbose> <count> <time-format>

with:

verbose:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
count: number of packets
time-format:
a: UTC time
l: local time

Examples:

diagnose sniffer packet any 'host 8.8.8.8' 4 4 l
diagnose sniffer packet any 'host 8.8.8.8 and dst port 53' 4 10 a
diagnose sniffer packet wan1 'dst port (80 or 443)' 2 50 l


Flow

If you want to see the FortiGate details about a connection, use this kind of debug. E.g., it shows the routing decision and the policy, which allowed the connection.

diagnose debug reset
diagnose debug flow filter ?
diagnose debug flow filter saddr 172.16.27.148
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 10	#display the next 10 packets, after that, disable the flow:
diagnose debug disable

Example:

fd-wv-fw04 # diagnose debug reset

fd-wv-fw04 # diagnose debug flow filter daddr 8.8.8.8

fd-wv-fw04 # diagnose debug flow show console enable
show trace messages on console

fd-wv-fw04 # diagnose debug enable

fd-wv-fw04 # diagnose debug flow trace start 20
id=20085 trace_id=11 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=17, 192.168.160.10:55859->8.8.8.8:53) from fg-trust. "
id=20085 trace_id=11 func=init_ip_session_common line=4569 msg="allocate a new session-0001f004"
id=20085 trace_id=11 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.16.1.1 via wan1"
id=20085 trace_id=11 func=fw_forward_handler line=671 msg="Allowed by Policy-16:"
id=20085 trace_id=11 func=__ip_session_run_tuple line=2601 msg="run helper-dns-udp(dir=original)"
id=20085 trace_id=12 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=17, 192.168.160.10:63624->8.8.8.8:53) from fg-trust. "
id=20085 trace_id=12 func=init_ip_session_common line=4569 msg="allocate a new session-0001f005"
id=20085 trace_id=12 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.16.1.1 via wan1"
id=20085 trace_id=12 func=fw_forward_handler line=671 msg="Allowed by Policy-16:"
id=20085 trace_id=12 func=__ip_session_run_tuple line=2601 msg="run helper-dns-udp(dir=original)"

fd-wv-fw04 # diagnose debug disable
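With many traces, the raw output is hard to read. As an added example (not code from the original post), this Python parser groups the debug-flow lines by trace_id and reports, per flow, the packet tuple, the route that was found and the policy verdict. It uses the trace lines above as sample input, plus one constructed trace that hits the implicit deny.

```python
import re
from typing import Dict, List

# Trace lines copied from the post above (trace_id 11 and 12), followed by one
# CONSTRUCTED trace (trace_id 13) in the same line format that hits the implicit
# deny policy. Addresses and ports of trace 13 are made up for this example.
SAMPLE_TRACE = """\
id=20085 trace_id=11 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=17, 192.168.160.10:55859->8.8.8.8:53) from fg-trust. "
id=20085 trace_id=11 func=init_ip_session_common line=4569 msg="allocate a new session-0001f004"
id=20085 trace_id=11 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.16.1.1 via wan1"
id=20085 trace_id=11 func=fw_forward_handler line=671 msg="Allowed by Policy-16:"
id=20085 trace_id=11 func=__ip_session_run_tuple line=2601 msg="run helper-dns-udp(dir=original)"
id=20085 trace_id=12 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=17, 192.168.160.10:63624->8.8.8.8:53) from fg-trust. "
id=20085 trace_id=12 func=init_ip_session_common line=4569 msg="allocate a new session-0001f005"
id=20085 trace_id=12 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.16.1.1 via wan1"
id=20085 trace_id=12 func=fw_forward_handler line=671 msg="Allowed by Policy-16:"
id=20085 trace_id=12 func=__ip_session_run_tuple line=2601 msg="run helper-dns-udp(dir=original)"
id=20085 trace_id=13 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=6, 192.168.160.77:40112->8.8.8.8:23) from fg-trust. "
id=20085 trace_id=13 func=init_ip_session_common line=4569 msg="allocate a new session-0001f006"
id=20085 trace_id=13 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.16.1.1 via wan1"
id=20085 trace_id=13 func=fw_forward_handler line=671 msg="Denied by forward policy check (policy 0)"
"""

# One trace line: id=... trace_id=... func=... line=... msg="..."
LINE_RE = re.compile(
    r'^id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) '
    r'line=(?P<line>\d+) msg="(?P<msg>.*)"\s*$'
)
# The individual messages we care about (IPv4 tuples only, as in the post).
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([0-9.]+):(\d+)->([0-9.]+):(\d+)\) from (\S+)\.')
SESSION_RE = re.compile(r'allocate a new session-([0-9a-f]+)')
ROUTE_RE = re.compile(r'find a route: flags=(\w+) gw-(\S+) via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flow_trace(text: str) -> Dict[int, dict]:
    """Group debug-flow lines by trace_id and extract tuple, session, route and verdict."""
    traces: Dict[int, dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompt echoes, blank lines, anything that is not a trace line
        tid = int(m.group("trace"))
        rec = traces.setdefault(tid, {"trace_id": tid, "verdict": None, "policy": None})
        msg = m.group("msg")

        pkt = PKT_RE.search(msg)
        if pkt:
            proto = int(pkt.group(1))
            rec.update(proto=PROTO_NAMES.get(proto, str(proto)),
                       src=pkt.group(2), sport=int(pkt.group(3)),
                       dst=pkt.group(4), dport=int(pkt.group(5)),
                       in_intf=pkt.group(6))
            continue
        sess = SESSION_RE.search(msg)
        if sess:
            rec["session"] = sess.group(1)
            continue
        route = ROUTE_RE.search(msg)
        if route:
            rec["gateway"], rec["out_intf"] = route.group(2), route.group(3)
            continue
        allow = ALLOW_RE.search(msg)
        if allow:
            rec["verdict"], rec["policy"] = "allow", int(allow.group(1))
            continue
        deny = DENY_RE.search(msg)
        if deny:
            rec["verdict"], rec["policy"] = "deny", int(deny.group(1))
    return traces


def denied_traces(traces: Dict[int, dict]) -> List[int]:
    """Trace ids that were dropped by a policy (the ones usually worth looking at)."""
    return sorted(tid for tid, rec in traces.items() if rec["verdict"] == "deny")


def summarize(traces: Dict[int, dict]) -> List[str]:
    """One line per trace: tuple, ingress/egress interface, gateway and verdict."""
    lines = []
    for tid in sorted(traces):
        r = traces[tid]
        verdict = f"{r['verdict']} (policy {r['policy']})" if r["verdict"] else "no verdict seen"
        lines.append(
            f"trace {tid}: {r.get('proto', '?')} {r.get('src', '?')}:{r.get('sport', '?')} "
            f"-> {r.get('dst', '?')}:{r.get('dport', '?')} in={r.get('in_intf', '?')} "
            f"out={r.get('out_intf', '?')} gw={r.get('gateway', '?')} {verdict}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(parse_flow_trace(SAMPLE_TRACE)):
        print(line)
```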


VPN

To show details about IKE/IPsec connections, use these commands:

get vpn ike gateway <name>
get vpn ipsec tunnel name <name>
get vpn ipsec tunnel details
diagnose vpn tunnel list
diagnose vpn ipsec status		#shows all crypto devices with counters that are used by the VPN
get router info routing-table all

And to debug IKE/IPsec sessions, use the VPN debug:

diagnose debug reset
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter ?
diagnose vpn ike log-filter dst-addr4 1.2.3.4
diagnose debug app ike 255		#shows phase 1 and phase 2 output
diagnose debug enable			#after enough output, disable the debug:
diagnose debug disable


Log

For investigating the log entries (similar to the GUI), use the following filters, etc.:

execute log filter reset
execute log filter category event
execute log filter field			#press enter for options
execute log filter field dstport 8001
execute log filter view-lines 1000
execute log filter start-line 1
execute log display


Defaults

Just a reminder for myself:

  • IP: 192.168.1.99
  • Login: admin
  • Password: <blank>

To change the IP address of the mgmt interface (or any other) via the CLI, these commands can be used:

config system interface
edit mgmt
set ip 192.168.1.1 255.255.255.0
set allowaccess ping https ssh
next
end


Links

MRTG/Routers2: Template FortiGate


A few weeks ago I constructed an MRTG/Routers2 template for the Fortinet FortiGate firewalls. I am using it for monitoring the FortiGate from my MRTG/Routers2 server. With the basic MRTG tool “cfgmaker” all graphs for the interfaces are generated automatically. My template is an add-on that appends graphs for CPU, memory, and disk usage, as well as connections and VPN statistics. Furthermore, it implements the ping statistics graph and a “short summary”, which only shows the system relevant graphs.

Similar to all my other MRTG/Routers2 templates I constructed the configuration lines after investigating the MIBs from Fortinet via the MIB Browser. The MIBs can be downloaded directly from the FortiGate GUI under System -> Config -> SNMP. Great.

Note that this template is built upon a single vdom environment. I was running a FortiWiFi 90D with FortiOS v5.2.4, build688. Depending on the number of vdoms or processors, some of the OIDs in the template must be adjusted, e.g. the CPU usage or the VPN statistics.

cfgmaker Configuration

The first step is the generation of the basic *.cfg file for MRTG/Routers2. It adds all currently known interfaces from the FortiGate with their names. (Even the “zone” interfaces as well as the VPN IPsec tunnel interfaces, which is great!) Note that I am using a few more options such as the “show-op-down” or other global options. Please use Google if you don’t know their meaning. 😉

sudo cfgmaker --snmp-options=:::::2 --show-op-down --zero-speed=100000000 --global "routers.cgi*Icon: firewall3-sm.gif" --global "routers.cgi*GraphStyle[_]: mirror" --output=NAMEOFTHEFIREWALL.cfg COMMUNITY@IPADDRESS

You can delete all global options (except the ones just created with the cfgmaker command) within the cfg file because they are not needed if running Routers2.

Template

The following template adds the OIDs/graphs for the usage of the CPU, memory, and disk. It also shows the connections (All and IPv6) as well as the VPN stats. (Note that the MIB allows for even more stats such as byte counts for each policy or counts for AV/IPS/whatever features. However, I have not implemented them here.) I am using the same coloring style as in all my other MRTG/Routers2 templates.

You can download my *.cfg template and follow the first comments inside the file which give hints about what to change (search and replace) in order to make the configuration usable for your environment:

Sample Graphs

After all, these graphs are generated:

Sample graphs (screenshots): CPU, Memory, Disk Usage, Connections (All & IPv6), VPNs, Normal Interface Statistics, Ping Times.

Especially, I am loving the connections graphs, which show the count for all (=IPv4 and IPv6) and IPv6-only connections. Great for a comparison of both protocols.

FortiGate: Software-/ Hardware-/ VLAN-Switch


I am still a bit confused about the different switch types a FortiGate firewall is able to handle. While there is a lot of information on the Internet about the “internal-switch-mode” of “switch/interface”, I have not found any good information about the differences between the “Hardware/Software/VLAN” switch types that are configured via the GUI or via the “virtual-switch-vlan enable” CLI command. Though I still don’t know all the differences exactly, I am trying to explain some of them here.

Possibilities

This table lists the possible switch types. The first column shows the configured switch mode (set internal-switch-mode {interface|switch}), the second the VLAN switch mode (set virtual-switch-vlan {enable|disable}), and the last column the switch types that can be configured in each of these scenarios (software, hardware, VLAN):

Switch Mode                    | VLAN Switch Mode              | Switch Types
(set internal-switch-mode ...) | (set virtual-switch-vlan ...) |
-------------------------------|-------------------------------|---------------------------------
switch                         | disable                       | Software Switch
switch                         | enable                        | Software Switch
interface                      | disable                       | Hardware Switch, Software Switch
interface                      | enable                        | VLAN Switch, Software Switch

Mode: Switch or Interface

This is explained on many pages on the Internet and even in some official Fortinet documentation such as here. Mostly, you want the “interface” mode in which you can configure every interface on a FortiGate to be a unique layer-3 interface. Currently, when a FortiGate is factory reset, the default is “interface” mode:

config system global
    set internal-switch-mode interface


Type: Software, Hardware, or VLAN

Now it’s getting a bit more interesting. As we have seen already, the software switch is present in any scenario, while the other ones are only possible in the “interface” mode. In any case, each created switch type must be configured with an IP address.

  • Software Switch: This is a logical (!) bundle of interfaces of different types. It can be used if physical interfaces and WiFi interfaces/SSIDs/etc. should be bound together. (I am not sure, but it sounds like this switch type is controlled merely by the CPU. Maybe it’s not that fast compared to the hardware switch?)
  • Hardware Switch: A hardware switch bonds hardware interfaces together that are physically present on the same integrated switch. This is hardware dependent. Not all FortiGate firewalls can be configured in the same way for hardware switches.
  • VLAN Switch: This is a type of hardware switch that adds a VLAN ID to it. With this feature it is possible to create a hardware switch within an already present VLAN on the network. This VLAN can be connected through another interface port in trunk mode to transport this VLAN to some other layer-2 switches.

I hope this brings a bit more understanding. Please write a comment if I missed something or explained something wrong.


FortiGate HA Cluster


This is a step-by-step tutorial for configuring a high availability cluster (active-standby) with two FortiGate firewalls. Since almost all firewall vendors have different principles for their HA cluster, I am also showing a common network scenario for Fortinet.

I am using two FortiWiFi 90D firewalls with software version v5.2.5,build701. The official Fortinet documentation for “High Availability with two FortiGates” can be found here.

Network Layout

FortiGate HA Network

Basically, all interfaces must be connected with layer-2 switches among both firewalls. (In my lab, these are the wan1 and internal1 ports.) Furthermore, two directly connected interfaces should be used for the HA heartbeats. If the firewall has no dedicated HA interfaces, any unused interfaces can be used instead. (In my lab, I am using ports internal13 and internal14 for the heartbeats on my FortiWiFi-90D firewalls.)

The crucial point is the out-of-band management for accessing both firewalls independent of their HA state. Fortinet has the feature of the “Management Port for Cluster Member”, which must be set during the initial HA process. This interface must be unused up to that point and can be configured later with an IP address within the same IP subnet as an already used interface. (In my lab, I am using the internal12 ports for the management ports.)

Screenshot Guide

Note: Before cabling the HA cluster, you should configure both units and then power off (!) the secondary one. Then connect the HA heartbeat interfaces and power on the secondary unit again. This ensures that the primary unit will stay the primary (since it has the longer uptime) and syncs its configuration to the secondary one.

Following are the screenshots for this HA cluster guide. Note the descriptions under each screenshot:

  • Set the HA Mode to "Active-Passive", reserve an unused (!) port for cluster management and set all other cluster settings such as the heartbeat interfaces and port monitors.
  • After applying the HA mode, a short network outage affects the complete FortiGate unit.
  • Configure an IP address on the cluster management port just set. This can be in the same IP range as another routed subnet, as seen in the screenshot.
  • On the second unit, configure almost the same HA settings. And give the cluster management port a different (!) IP address than the primary one.
  • If both cluster management IP addresses should be accessible through routed interfaces, a SNAT must be used to route the traffic correctly.
  • Both firewalls can now be accessed via their new IP addresses. This is the master unit.
  • And this is the slave unit.
  • Summary of the HA Cluster.

The following two pictures show the physical units after the HA configuration. On the first picture, the HA cluster was not cabled, while on the second, it was. Note the green HA LED:

HA Cluster configured but not cabled. HA Cluster works correctly.

Via the CLI, the “diagnose sys ha status” command can be used to investigate the cluster:

fd-wv-fw04b $ diagnose sys ha status
HA information
Statistics
        traffic.local = s:0 p:18860 b:1708434
        traffic.total = s:0 p:19031 b:1726842
        activity.fdb  = c:0 q:0

Model=90, Mode=2 Group=0 Debug=0
nvcluster=1, ses_pickup=1, delay=0

HA group member information: is_manage_master=0.
FWF90D3Z13005629, 1.  Slave:128 fd-wv-fw04b
FWF90D3Z13006159, 0. Master:128 fd-wv-fw04

vcluster 1, state=standby, master_ip=169.254.0.1, master_id=0:
FWF90D3Z13005629, 1.  Slave:128 fd-wv-fw04b(prio=1, rev=0)
FWF90D3Z13006159, 0. Master:128 fd-wv-fw04(prio=0, rev=255)


FortiGate VPN Speedtests


Triggered by a customer who had problems getting enough speed through an IPsec site-to-site VPN tunnel between FortiGate firewalls, I decided to test different encryption/hashing algorithms to verify the network throughput. I used two FortiWiFi 90D firewalls that have an official IPsec VPN throughput of 1 Gbps. Using Iperf I measured the transfer rates with no VPN tunnel as well as with different IPsec proposals.

I first ran into really slow performances which were related to the default “Software Switch” on the FortiGate. After deleting this type of logical switch, the VPN throughput was almost as expected.

Lab

My lab consists of the following components:

FortiGate VPN Speedtests Labor

Both FortiWiFi 90D firewalls had the firmware version v5.2.5, build701. The two notebooks were booted with Knoppix 7.6.1 and used Iperf version 2.0.5. The “left” machine ran as the server with either:

iperf -s
iperf -s -u

while the “right” machine started Iperf with the following commands for different TCP and UDP tests:

iperf -c 192.168.10.10 -r
iperf -c 192.168.10.10 -r -P 8
iperf -c 192.168.10.10 -r -u -b 1000M


I tested the throughput without a VPN at all (only routing) and with a few different proposals (see table below). The Diffie-Hellman group for PFS was always set to 14. This is not related to the test results because it is only used for the key establishment and not for the actual symmetric encryption of the traffic.

I also switched the offloading of encryption to “enable” (refer to the Hardware Acceleration Guide), which did not change anything, either.

config system npu
    set enc-offload-antireplay enable
end


Furthermore, I tested the difference between a normal TCP test and manually setting the TCP window size and buffer length with “-w 512k -l 512k”, as shown here or here. But this made no difference either, since Knoppix Linux seems to set the window size automatically and fairly optimally.

Results

These are the results. The first four tests are without a VPN. While the first two are without routing (both clients simply plugged into the same software switch on the FortiGate), tests 3 & 4 are routed through the FortiGates. This was the first point at which I was really shocked about the bad performance of only 180 Mbit/s routing speed. Furthermore, almost all IPsec proposals ran at a speed of 86 MBit/s, which is only 9 % of the IPsec throughput listed in the data sheet.

Proposals                                                  | TCP Tx/Rx [MBit/s] | TCP Tx/Rx [MBit/s] | UDP Tx/Rx [MBit/s]
Iperf options                                              | -r                 | -r -P 8            | -u -r -b 1000M
-----------------------------------------------------------|--------------------|--------------------|-------------------
Same Software Switch (H - FGSW - H)                        | 942/937            | 941/936            | 807/805
Same Software Switch + Hardware Switch (H - FGSW - SW - H) | 942/936            | 941/936            | 807/804
No VPN, only Routing, FortiGate directly (H - FG - FG - H) | 155/177            | 151/168            | 211/206
No VPN, only Routing (H - FG - SW - FG - H)                | 155/177            | 152/168            | 211/210
DES-MD5                                                    | 86/86              | 83/82              | 93/94
3DES-MD5                                                   | 86/86              | 83/83              | 93/94
3DES-SHA1                                                  | 86/86              | 83/83              | 95/94
AES128-SHA1                                                | 86/86              | 83/83              | 88/87
AES256-SHA256                                              | 86/86              | 122/133            | 93/93
AES256-SHA512                                              | 85/85              | 80/80              | 84/92

The software switch was the problem!

After hours of investigating the slow VPN speed results, I tested the VPN without the software switch on the network ports side, which led to the following results (first column with a “Hardware Switch”, second column with a single interface):

Proposals                                   | Hardware Switch    | Single Interface
                                            | TCP Tx/Rx [MBit/s] | TCP Tx/Rx [MBit/s]
Iperf options                               | -r                 | -r
--------------------------------------------|--------------------|-------------------
No VPN, only Routing (H - FG - SW - FG - H) | 937/937            | 933/932
DES-MD5                                     | 852/840            | 845/839
3DES-SHA1                                   | 707/642            | 701/634
AES128-SHA1                                 | 825/835            | 826/830
AES256-SHA1                                 | 820/830            | 816/825
AES256-SHA256                               | 723/819            | 814/825
AES256-SHA512                               | 637/808            | 812/810

Now the speed was quite acceptable, for the mere routing as well as for the VPN throughput. 940 MBit/s for routing through both FortiGates is almost realistic for TCP, and about 830 MBit/s for VPN encryption/decryption is realistic, too.

Here are the “single interface” results in a graph. Only the 3DES tests are a bit slower than all the other ones:

Conclusion

Well, it was my fault that I left the default software switch in place. I should have known better. However, it was the default setting on these FortiWiFi devices.

At the end, the VPN throughput between those FortiGates was really acceptable.

FortiGate IPv4 vs. IPv6 Performance Speedtests


I was interested in the performance of my FortiGate firewall when comparing IPv4 and IPv6 traffic. Therefore I built a small lab consisting of a FortiWiFi 90D firewall and two Linux clients running Iperf. I tested the network throughput for both Internet Protocols in both directions within three scenarios: 1) both clients plugged into the same “hardware switch” on the FortiGate, 2) different subnets with an “allow any any” policy without any further security profiles, and finally, 3) activated antivirus, application control, IPS, and SSL inspection.

Laboratory

Both clients (notebooks) booted with the live Linux Knoppix in version 7.6.1. The FortiWiFi 90D ran at software version v5.2.5, build701. The security policies for tests 2 and 3 looked like this:

Screenshots: IPv4 Policy withOUT Security Profiles; IPv4 Policy with Security Profiles; IPv6 Policy withOUT Security Profiles; IPv6 Policy with Security Profiles.

I started Iperf on one of the notebooks in server mode (with either IPv4 or IPv6),

iperf -s
iperf -s -V

and ran the other notebook as the client: (Yes, I really used the 2001:db8::/32 for testing purposes this time.)

iperf -c 192.168.47.11 -r
iperf -c 2001:db8:47:0:221:70ff:fee9:bb47 -V -r

A complete run of Iperf is listed in the following:

knoppix@Microknoppix:~$ iperf -c 2001:db8:47:0:221:70ff:fee9:bb47 -V -r
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
------------------------------------------------------------
Client connecting to 2001:db8:47:0:221:70ff:fee9:bb47, TCP port 5001
TCP window size: 43.8 KByte (default)
------------------------------------------------------------
[  5] local 2001:db8:48:0:16fe:b5ff:feb2:3fe8 port 51318 connected with 2001:db8:47:0:221:70ff:fee9:bb47 port 5001
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.0 sec   184 MBytes   154 Mbits/sec
[  4] local 2001:db8:48:0:16fe:b5ff:feb2:3fe8 port 5001 connected with 2001:db8:47:0:221:70ff:fee9:bb47 port 41070
[  4]  0.0-10.2 sec  53.1 MBytes  43.6 Mbits/sec

Here is a screenshot of the FortiGate Traffic Forward log that shows some IPv4 and IPv6 runs:

FortiGate IPv4-vs-IPv6 03 Forward Traffic Log

Results

These are the results:

  1. When plugged into the same hardware switch on the FortiGate unit (no routing, only layer 2), the speed for both protocols was almost the same and very good (around 930 MBit/s).
  2. When routed through the FortiGate, IPv4 had almost the same speed while IPv6 dramatically dropped its rate to about 150-180 MBit/s (yellow and green bars).
  3. With activated antivirus scanning, etc., the Rx path was at about 40 MBit/s, which matches the official data sheet that lists 41 Mbit/s for mixed IPS throughput. However, the Tx path for IPv6 stayed at only about 150 MBit/s.

Conclusion

Of course, these results are only true for this single FWF-90D firewall. It only has an NP4-lite processor which is not capable of IPv6. Bigger firewalls with the newer NP6 claim that they have the same speed for IPv4 as for IPv6. Hopefully they will. The measured IPv6 throughput with this firewall is obviously not that good!

Raw Values

Scenario                          | IPv4 Tx/Rx [MBit/s] | IPv6 Tx/Rx [MBit/s]
----------------------------------|---------------------|--------------------
Same Hardware Switch              | 943/936             | 929/924
Routing Without Security Profiles | 937/936             | 156/182
Policy With Security Profiles     | 929/43              | 154/44

FortiGate Virtual IPs with Interface “Any”


On the FortiGate firewall, address objects and virtual IPs (VIPs) can be set up with an interface. For address objects this has no technical relevance – the address objects simply appear on policies only if the appropriate interface is selected. But for virtual IPs, this setting determines how connections are NATed. This can be problematic.

In common situations, you have only one ISP connection on which you want to set up a destination NAT (DNAT) for incoming connections. No problem there. You can select the untrust interface in the virtual IP object. If you have two ISP connections, e.g., a good one (ISP1) and a cheap one (ISP2), you MUST select the interface in the virtual IP object if it references a static IP address of ISP1. Otherwise it will be used on all outgoing connections which won’t work with ISP2.

FortiGate VIP with Interface Visio 01

The following example shows a virtual IP object with a static IP address of 80.154.108.233 and a misconfigured interface of “Any”. Using outgoing connections to ISP1, there are no problems (label 1 on the screenshot). But after setting up a policy route to route http traffic to ISP2, the same source NAT IP will be used which obviously didn’t work (label 2). After setting the interface to “wan1” in the virtual IP object, outgoing connections to ISP2 are correctly NATed to the outgoing interface address while outgoing connections to ISP1 are still NATed to the virtual IP (label 3). Tested with a FortiGate 100D with software version v5.2.5, build701.

Virtual IP with Interface Any. Outgoing connections with wrong and correct SNATs.

Problem

However, one problem remains unsolved: If you have more than one interface on which the virtual IP must be used (e.g., for ISP1 and for a site-to-site VPN connection that also talks to the NATed IP), while some connections are policy routed to ISP2.

FortiGate VIP with Interface Visio 02

In this situation, you MUST set the interface inside the virtual IP to “Any”, which will not work with ISP2. One idea might be to configure several virtual IPs with the same external/mapped IPs but different interfaces, but this is not possible due to configuration restrictions. :( In this case, some more security policy entries with IP pools can be used to solve the problem.

(By the way: A problem we won’t have with IPv6 anymore.)

FortiGate Virtual IPs without Reference


Migrating from Juniper ScreenOS firewalls to FortiGates, there are some differences to note with static NATs, i.e., Mapped IPs (MIPs) on a Netscreen and Virtual IPs (VIPs) on a FortiGate. While the Juniper MIPs on an interface are always used by the firewall whenever a packet traverses the interface, the virtual IP objects on a FortiGate must be used at least once in the security policy before they are really used by the firewall.

Issue

I faced an issue (or let’s say, a configuration mistake) with some Virtual IP (VIP) objects: (Tested with a FortiGate 500D with firmware version v5.2.7, build718.)

  • Many VIPs were configured but not all of them were used in the security policy, i.e., had a reference counter of 0.
  • A global rule allows basic Internet usage with source-NAT of “Use Outgoing Interface Address”.
  • Only those servers whose VIP was used in the policy (even though on other rules!) used the correct virtual IP for outgoing connections.
  • All servers whose VIP was not used in the policy simply used the mere interface IP address.
  • Note that in any case a global policy rule was used for outgoing connections, not that one which used the VIP object. That is, the VIP must only be referenced once in the complete security policy and is then used for all outgoing connections, regardless of the used policy rule.

(On a Juniper SSG firewall, the MIPs were used for all outgoing connections, no matter if there even existed one policy referring to this MIP.)

Workaround

I created a workaround for this case. I configured a dummy rule for incoming connections to this VIP in order to reference the VIP object at least once in the security policy rule set. Therefore all outgoing connections from the internal servers are correctly source-NATed to their corresponding virtual IPs. With this workaround, none of the global policy rules needs to be altered to use different IP pools or the like.

Let’s have a look at the following screenshots. See the descriptions below them:

  • Global outgoing "Basic Internet" rule with NAT enabled.
  • Details of the rule.
  • Virtual IP (VIP) object that is not referenced anywhere.
  • Forward Traffic Log: Outgoing connections are still NATted to the interface IP address!
  • dummy-for-nat-1.2.3.4 policy rule is created for incoming connections referencing the VIP object (though not needed in this way).
  • Now, outgoing connections are translated correctly to the VIP object.

Note that the “Central NAT” could probably solve this issue but would require some other configurations. Each inside host would need its own IP pool with one single untrust IP address referenced in this central NAT rule. Furthermore, each security policy would need a clone of itself, one with the “Central NAT” and one with the “Use Outgoing Interface Address”.

The “set nat-source-vip {disable|enable}” CLI setting within “config firewall vip” does not help here. There was no difference between the enabled and the disabled setting.

Links

Fortinet Feature Requests


I really like the FortiGate firewalls. They are easy to manage and have lots of functionality. However, I am also aware of some other firewall products and therefore have some feature requests to Fortinet that are not currently implemented in their firewalls. I am sometimes forwarding these FRs to the Fortinet support or to an SE, but they are not really interested in that. ;( So here is a list of my ideas that could improve the firewall. Hopefully/maybe some of them will be implemented one day…

This is a living list. I’ll update it every time I discover something new.

  • [IPv6] One single policy rule set for both protocols (IPv4 and IPv6), not different policies. (Really a major design flaw!)
  • [MGMT] I want to be able to ping the wan interface from any without allowing ssh access from any, too. Currently, if I am allowing an administrator to come from ::0/0 (or 0.0.0.0/0), both, ping and ssh (etc.) are allowed.
  • [MGMT] Configuration Revisions: It would be great to have a list of the last x full-configurations or configuration steps that were done on the firewall. Even better, a compare feature between two configurations, e.g., the one from yesterday compared to the one from last week.
  • [VPN] There is no way to find out the actually used Diffie-Hellman groups for either phase 1 of IKE or phase 2 (PFS) of IPsec. The only way to find out which proposal was chosen is to set the tunnel “down” while capturing the IKE/IPsec packets on the CLI. There should be a “get …” command that shows not only the used symmetric ciphers and hash algorithms, but also the used DH groups.
  • [USER] The great two-factor authentication, e.g., via SMS, only works for users whose phone number is configured locally on the FortiGate. This feature is not available for users within LDAP groups, even though their numbers are present in the AD. That is, if the 2FA features must be used, every (!) user must be created locally on the FortiGate, too.
  • [DNS] The FortiGate can be used as a DNS proxy. It forwards DNS queries to its recursive DNS server. It would be great if it could also do iterative DNS queries with DNSSEC validation. This would add a layer of security (authenticated DNS answers) for all users behind a FortiGate.
  • [GUI] IPv6 settings through the GUI, e.g., router advertisements, DHCPv6, OSPFv6. Currently, only the mere IPv6 address can be entered.
  • [GUI] Fields for more than one Syslog server.
  • [GUI] The Log Config -> Alert E-mail page is only visible if an SMTP server is specified under System -> Config -> Advanced. This is really confusing when searching for the alert email settings.
  • [GUI] The Security Log should be visible anytime, not only after security events. It is confusing that it is hidden by default.
  • [GUI] It is great to “select columns to display” within the policies. However, after each logout the columns are reset to their default values. Why?
  • [GUI] Missing option within the user definition to “Enable Two-factor Authentication” for SMS. This must be done via the CLI. You can configure an SMS number but not enable it for two-factor authentication. What is the point?

GUI, GUI, GUI

One of my main problems with FortiGate is the GUI. There are so many features that are not accessible through the GUI. (Even though everything is enabled within System -> Config -> Features.) Some really good technical persons might be able to configure everything through the CLI, but I am selling firewalls to “normal” IT guys that also manage Windows AD, AV, APT, MDM, routers, mail, DNS, end users, etc. Everything that’s not included in the GUI is simply not present.

Fortinet, why aren’t you improving your GUI?

FortiGate Application Traffic Shaping


This is a really cool and easy to use feature of the FortiGate firewall: the traffic shaper. Once an application category uses too much traffic, the bandwidth consumption can be decreased with it. Just about three clicks:

In my case, a customer had an ISP connection of 20 Mbps. Sometimes, the replication of Lotus Notes took all of this bandwidth, which resulted in packet delay for all other sessions. We decided to limit the “collaboration” application category to a max bandwidth of 10 Mbps. Immediately, the ISP connection was not slowed down anymore.

The following screenshots show how to configure a traffic shaper and how to apply it to an application category. The third screenshot shows the overall bandwidth (interface history of wan1), which dropped from 20 to 10 Mbps. Perfect.

  • Traffic Shaper
  • Application Control
  • Result: from 20 to 10 MBits
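The same three clicks expressed in FortiOS 5.2-style CLI syntax, as an added example that is not part of the post: a shared shaper capped at 10 Mbps, attached to the Collaboration application category, and the resulting application list assigned to the outbound policy. The shaper and list names, policy ID 1 and the category ID 2 (the FortiGuard ID for Collaboration as far as I know; confirm it on your unit) are assumptions; note that maximum-bandwidth is given in kbps, not Mbps.

```fortios
# Constructed example; names and IDs are placeholders.
config firewall shaper traffic-shaper
    edit "collab-10M"
        set maximum-bandwidth 10000   # kbps -> 10 Mbps hard limit
        set guaranteed-bandwidth 0
        set per-policy disable        # shared: one 10 Mbps bucket for all policies using it
    next
end

config application list
    edit "shape-collaboration"
        config entries
            edit 1
                set category 2        # Collaboration (assumed FortiGuard category ID)
                set action pass       # do not block, only shape
                set shaper "collab-10M"
                set shaper-reverse "collab-10M"   # return direction (downloads) too
            next
        end
    next
end

# Attach the list to the outbound rule so application control (and thus the
# shaper) is evaluated for the traffic of policy 1 (placeholder ID).
config firewall policy
    edit 1
        set utm-status enable
        set application-list "shape-collaboration"
    next
end
```

Verify the effect the way the post does: the wan1 interface history should flatten at the 10 Mbps cap while other categories stay unaffected.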

CPU Usage Increase FortiGate 100D -> 90D


A few weeks ago I swapped a FortiGate 100D firewall for a 90D firewall. The 100D was defective and needed to be replaced. Since the customer only has a 20 Mbps ISP connection, I thought that a FortiGate 90D would fit for the moment, since it has a firewall throughput of 3.5 Gbps, compared to the lower value of 2.5 Gbps for the 100D.

Indeed, it worked. However, the increase in CPU usage was huge, which, as it turned out, is explained by the NGFW throughput rather than the firewall throughput. Here are some graphs:

I migrated exactly the same configuration from the 100D to the 90D. Both devices run software version 5.2.7. There are about 100 devices surfing the web, around 10 VPN connections, and, as already noted, only 20 Mbps to the Internet. Here are the graphs for CPU, connections, and wan1 usage over the last few weeks. Obviously, neither the connections nor the wan1 usage increased, but the CPU is almost always peaking at 100 % during working hours. Even the average usage is about 50-70 %. (And even though only 10 Mbps are used!):

  • FortiGate 100D and 90D: CPU.
  • FortiGate 100D and 90D: Connections.
  • FortiGate 100D and 90D: wan1.

A look at the CLI (which is only a short-time snapshot) looks like this:

FortiGate-90D # diagnose sys top-summary
   PID      RSS  ^CPU% MEM%   FDS     TIME+  NAME
 * 79       27M   44.3  1.5    15  17:18.77  reportd
   90       29M   22.3  1.6    15  00:04.99  sshd [x4]
   65      105M   12.4  5.7    46  00:15.90  ipsmonitor [x3]
   78       63M   11.3  3.5    14  51:24.34  sqldb
   479      44M    7.1  2.4  2259  55:50.97  proxyd [x3]
   62       23M    2.3  1.3    16  00:26.64  httpsd [x4]
   481      30M    0.4  1.7    20  08:50.22  urlfilter
   482      10M    0.0  0.6    14  00:00.20  ovrd
   485      14M    0.0  0.8    14  00:06.65  dsd
   287      10M    0.0  0.6    12  00:01.57  radvd
   38       24M    0.0  1.3    13  07:36.66  cmdbsvr
   296      14M    0.0  0.8    29  12:00.68  iked
   480      40M    0.0  2.2    31  04:37.14  scanunitd [x3]
   171      10M    0.0  0.6     8  00:00.00  getty
   2479     43M    0.0  2.4    12  00:31.70  pyfcgid [x4]
   48       11M    0.0  0.6    87  00:05.59  zebos_launcher [x12]
   59       10M    0.0  0.6    12  00:00.49  uploadd
   60       33M    0.0  1.8    55  28:54.36  miglogd [x2]
   61       10M    0.0  0.6     8  00:01.10  kmiglogd
   68       10M    0.0  0.6    11  00:11.12  merged_daemons
   CPU [|||||||||||||||||||||||||||||||||||     ]  89.0%
   Mem [||||||||||||||||||||||                  ]  56.0%  1045M/1834M
   Processes: 20 (running=1 sleeping=86)

I even had some situations in which I got an “Error 500: Internal Server Error” when trying to change some address objects. Is this normal? Before the defective FortiGate 100D firewall (which ONLY showed such errors due to a hard disk error), I had not seen these:

  • CPU Usage FortiGate 100D - 90D: Address Object Error.

–> After a second look at the Fortinet Product Matrix, I gathered the big difference: While the FortiGate 100D has a “NGFW Throughput” of 210 Mbps, the 90D only has 25 Mbps! That is, I am not surprised anymore. 😉

And I learned something (again) today: It does NOT depend on the “Firewall Throughput”, but on the IPS/SSL/Application/NGFW/Threat Throughput!

Basic IPv6 Configuration on a FortiGate Firewall

It’s really great that the FortiGate firewalls have a DHCPv6 server implemented. With this mandatory service, IPv6-only networks can be deployed directly behind a FortiGate because the stateless DHCPv6 server provides the DNS server addresses. (This is unlike Palo Alto or Cisco, which have no DHCPv6 server implemented.) However, the configuration on the FortiGate is …

CLI Commands for Troubleshooting FortiGate Firewalls

This blog post is a list of common troubleshooting commands I am using on the FortiGate CLI. It is neither complete nor very detailed, but provides the basic commands for troubleshooting network-related issues that are not resolvable via the GUI. I am not focused on too many memory, process, kernel, etc. details. These must …

Palo vs. Forti: Blog Stats

I want to talk about a fun fact concerning my blog statistics: For a few years I have had some “CLI troubleshooting commands” posts on my blog – one for the Palo Alto Networks firewall and another for the FortiGate firewall from Fortinet. If you are searching on Google for something like “palo alto cli commands” …

IPv6 IPsec VPN Tunnel Palo Alto FortiGate

Towards the global IPv6-only strategy ;) VPN tunnels will be used over IPv6, too. I configured a static IPsec site-to-site VPN between a Palo Alto Networks and a Fortinet FortiGate firewall via IPv6 only. I am using it for tunneling both Internet Protocols: IPv6 and legacy IP. While it was quite easy to bring the …