差異處

這裏顯示兩個版本的差異處。

--- tech:fortigate_tips [2018/06/18 08:23] – Jonathan Tsai
+++ tech:fortigate_tips [2025/10/17 11:05] (目前版本) – [設定 HA] jonathan
@@ 行 1: / 行 1: @@
+====== 有關 FortiGate 防火牆相關設定 ======
+  * 設備型號 : FortiGate 40C (v5.2.13,build762)
+  * WAN1 : 220.100.100.100 GW: 220.100.100.254
+  * LAN(Internal) : 192.168.0.1
+===== 基本設定 =====
+  * 設定 WAN1 (wan1)
+  * 設定 LAN (intrtnal)
+  * 設定 Default Route
+    * System -> Network -> Routing
+      * Create New :
+        * Destination IP/Mask : 0.0.0.0/0.0.0.0
+        * Device : wain1
+        * Gateway : 220.100.100.254
+    * Policy & Objects -> Policy -> IPV4
+      * Create New :
+        * Incoming Interface : internal
+        * Source Address : all
+        * Outgoing Interface : wan1
+        * Destination Address : all
+        * Schedule : always
+        * Service : ALL
+        * Action : ACCEPT
+===== 設定 Port Mapping =====
+  * 預計設定 WAN1 的 Port 80 / 443 -> 192.168.0.200:80 / 443
+  * 定義 VIP : Polocy & Objects -> Objects -> Virtual IPs
+    - 建立 VIP : web-http 與 web-https ++看畫面|{{:tech:2018052301.png}}++
+    - 建立 VIP Group : webserver-group ++看畫面| \\ {{:tech:2018052302.png}} \\ {{:tech:2018052303.png}}++
+    - 完成 VIP 建立 ++看畫面|{{:tech:2018052304.png}}++
+    - 確認與建立 Services : HTTP/HTTPS ++看畫面|{{:tech:2018052305.png}}++
+  * 定義 Policy : Policy & Objects -> Policy -> IPv4
+    - 建立 wan1->internal port mapping Policy ++看畫面|{{:tech:2018052401.png}}++
+    - 完成 wan1->internal port mapping Policy ++看畫面|{{:tech:2018052402.png}}++
+<note>
+  * 如果 Policy 中有啟動 NAT 轉過去的內部 Server 來源 IP 就會是 Fortigate 的 IP
+    * Exp. Fortigate 的 internal IP 是 192.168.0.1 在 21/May/2018:11:29:57 切換成有 NAT 的規則, 結果 Web Server Log 內看到的來源 IP 都變成 192.168.0.1 ++看畫面|{{:tech:2018052403.png}}++
+</note>
+===== 針對 Port Mapping (WAN 連入 Internal) (Virtual IP) 特定來源(黑名單)IP 設定技巧 =====
+  * 透過 UI 設定 WAN -> Internal 的 Deny 規則後, 是無法實際阻擋特定來源 IP
+  * 但使用命令方式, 針對這 Policy 編號進行設定, 增加 "set match-vip enable" 才能真正阻擋.
+  * 參考 - http://kb.fortinet.com/kb/documentLink.do?externalID=FD33338
+===== 設定 SSL VPN =====
+  * 建立使用者 :
+    - User & Device -> User -> User Group
+      * Create New :
+        * Name : vpn-user
+        * Type : Firewall
+    - User & Device -> User -> User Definition
+      * Create New :
+        - User Type : Local User
+        - Login Credentials :
+          * User Name : vpnuser1
+          * Password : password1
+        - Contact Info :
+          * Email Address  : [email protected]
+        - Extra Info :
+          * [V] Enable
+          * [ ] Two-factor Authentication
+          * [V] User Group : vpn-user
+  * VPN -> SSL -> Portals
+    * Create New((免費只能建立一組, 預設是 full-access)) :
+      * Name : ichiayi-sslvpn
+      * [V] Enable Tunnel Mode
+        * [V] Enable Split Tunneling
+          * Routing Address : SSLVPN_TUNNEL_ADDR1
+        * Source IP Pooles : SSLVPN_TUNNEL_ADDR1
+      * Client Options : [V] A;ways Up (Keep Alive)
+      * [V] Enable Web Mode
+      * Portal Message : Welcome to SSL VPN Service
+<note>
+  * 設定帳號一次只能一個連線 :
+    * VPN -> SSL -> Portals -> 選擇指定的項目 Exp. full-access -> Edit
+    * [V] Limit Users to One SSL-VPN Connection at a Time
+    * ++點這裡看參考畫面|{{:tech:2018060501.png}}++
+</note>
+===== 防止暴力登入 SSL VPN 方式 =====
+  * 參考 - https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-limit-SSL-VPN-login-attempts-and-block/ta-p/194229?externalID=FD48714
+  * 當 Log & Report 的 VPN Events 出現大量 ssl-login-fail , sslvpn_login_unknown_user 狀況
+  * 設定當 SSL VPN 登入失敗超過 x 次就鎖定 n 秒, 來降低嘗試暴力登入的狀況 Exp. 失敗超過 3 次, 就鎖 3600 秒<cli>
+config vpn ssl settings
+    set login-attempt-limit 3
+    set login-block-time 3600
+end
+</cli>
+===== 當出現 CPU 100% 時釐清問題方式 =====
+  - 看哪個服務造成 <cli>diagnose sys top -d 3</cli> Exp. <cli>
+FortiGate # diagnose sys top -d 3
+Run Time:  443 days, 19 hours and 44 minutes
+U, 0N, 3S, 80I; 1838T, 1135F
+         sslvpnd    10073      R      93.2     1.5
+          newcli    24900      R       1.4     1.0
+       ipsengine      158      S <     0.0     4.0
+Run Time:  443 days, 19 hours and 44 minutes
+U, 0N, 3S, 71I; 1838T, 1135F
+         sslvpnd    10073      S      92.2     1.5
+          httpsd    24886      S       3.9     1.5
+          httpsd    23905      S       1.3     1.6
+FortiGate #
+</cli>釐清是 sslvpnd 造成
+  - 先刪除這程序 <cli>diagnose sys kill 11 {pid}</cli>Exp. <cli>diagnose sys kill 11 10073</cli>
+  - 針對這程序進行處理, Exp. 遭受攻擊 : 找出並封鎖攻擊來源
+===== IPSec - L2TP 用戶撥入 VPN 設定 =====
+  * 參考 - http://kb.fortinet.com/kb/viewContent.do?externalId=FD36253
+===== 設定多條 WAN 備援方式 =====
+  * 參考 - http://cookbook.fortinet.com/redundant-internet-connections-54/
+===== 路由偵錯檢測方式 =====
+  * 參考 - http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37024&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=43706420&stateId=1%200%2043708158
+  * 連上 Fortigate 查看有經過這 FW 的 IP 流量訊息 Exp. 192.168.0.250 <code sh>
+diag debug reset
+diag debug flow filter clear
+diagnose sniffer packet any "host 192.168.0.250 and icmp" 4
+</code>
+  * 可以在外部 192.168.1.140 的 Windows 10 PC 執行 ping 與 tracert , 只要有經過 Fortigate 就會顯示流量訊息
+    * ping 範例 ++PC 端 |<cli>
+C:\Users\jonathan>ping 192.168.0.250
+Ping 192.168.0.250 (使用 32 位元組的資料):
+回覆自 192.168.0.250: 位元組=32 時間=38ms TTL=62
+回覆自 192.168.0.250: 位元組=32 時間=41ms TTL=62
+</cli> ++ ++Fortigate 端 |<cli>
+TPFortiGate40C-1 # diag debug reset
+TPFortiGate40C-1 # diag debug flow filter clear
+TPFortiGate40C-1 # diagnose sniffer packet any "host 192.168.0.250 and icmp" 4
+interfaces=[any]
+filters=[host 192.168.0.250 and icmp]
+.053098 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
+.053240 internal out 192.168.1.140 -> 192.168.0.250: icmp: echo request
+.053447 internal in 192.168.0.250 -> 192.168.1.140: icmp: echo reply
+.053555 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: echo reply
+.036276 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
+.036615 internal out 192.168.1.140 -> 192.168.0.250: icmp: echo request
+.036885 internal in 192.168.0.250 -> 192.168.1.140: icmp: echo reply
+.037006 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: echo reply
+packets received by filter
+packets dropped by kernel
+</cli>++
+    * tracert 範例 ++PC 端 |<cli>
+C:\Users\jonathan>tracert 192.168.0.250
+在上限 30 個躍點上追蹤 192.168.0.250 的路由
+     1 ms     1 ms     1 ms  192.168.1.254
+    11 ms    10 ms    10 ms  192.168.0.254
+    14 ms    16 ms    15 ms  192.168.0.250
+追蹤完成。
+</cli>++  ++Fortigate 端 |<cli>
+TPFortiGate40C-1 # diagnose sniffer packet any "host 192.168.0.250 and icmp" 4
+interfaces=[any]
+filters=[host 192.168.0.250 and icmp]
+.541353 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
+.541438 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
+.076119 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
+.076201 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
+.555745 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
+.555828 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
+.573750 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
+.583995 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
+.595516 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
+.118851 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
+.119128 internal out 192.168.1.140 -> 192.168.0.250: icmp: echo request
+.120764 internal in 192.168.0.250 -> 192.168.1.140: icmp: echo reply
+.120917 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: echo reply
+.132986 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
+.133519 internal out 192.168.1.140 -> 192.168.0.250: icmp: echo request
+.135474 internal in 192.168.0.250 -> 192.168.1.140: icmp: echo reply
+.135559 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: echo reply
+.151568 TPtoTN1 in 192.168.1.140 -> 192.168.0.250: icmp: echo request
+.152277 internal out 192.168.1.140 -> 192.168.0.250: icmp: echo request
+.152673 internal in 192.168.0.250 -> 192.168.1.140: icmp: echo reply
+.152749 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: echo reply
+.208985 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
+.209067 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
+.743512 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
+.743598 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
+.209075 internal in 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
+.209157 TPtoTN1 out 192.168.0.250 -> 192.168.1.140: icmp: 192.168.0.250 udp port 137 unreachable
+packets received by filter
+packets dropped by kernel
+</cli>++
+===== FortiGate 60D 特別設定 =====
+==== 端對端 VPN 使用 traceroute 非預期出現 DMZ IP ====
+  * 參考 - http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36799&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=116930985&stateId=0%200%20116932943 <cli>
+traceroute 192.168.1.5
+traceroute to 192.168.1.5 (192.168.1.5), 30 hops max, 60 byte packets
+  192.168.0.254 (192.168.0.254)  4.692 ms  4.602 ms  4.524 ms
+  60-248-245-172.HINET-IP.hinet.net (60.248.245.172)  14.593 ms  14.556 ms  14.483 ms
+  192.168.1.5 (192.168.1.5)  20.283 ms  20.285 ms  20.261 ms
+</cli>
+  * 只要設定 VPN 虛擬介面的 IP 即可解決 Exp. 192.168.101.254 ++看畫面|{{:tech:2018082301.png}}++ <cli>
+traceroute 192.168.1.5
+traceroute to 192.168.1.5 (192.168.1.5), 30 hops max, 60 byte packets
+  192.168.0.254 (192.168.0.254)  4.586 ms  4.502 ms  4.412 ms
+  192.168.101.254 (192.168.101.254)  15.170 ms  15.092 ms  13.887 ms
+  192.168.1.5 (192.168.1.5)  16.199 ms  16.203 ms  16.184 ms
+</cli>
+===== FortiGate 40C 特別設定 =====
+==== 啟動 SNMP ====
+  * https://note.chiatse.com/2017/05/08/fortigate-40c-snmp-enable-from-cli/
+==== 建立 VLAN ====
+  * http://kb.fortinet.com/kb/viewContent.do?externalId=FD33738
+  * https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-VLAN-tagged-interface-802-1q-on-a/ta-p/193893
+==== 設定 HA ====
+  * 參考手冊 - [[https://docs.fortinet.com/uploaded/files/3997/fortigate-ha-56.pdf|fortigate-ha-56.pdf]]
+  * 設定前確認
+    - 兩台 FortiGate 的 Firmware 版本必須相同 Exp. v5.2.13,build762
+    - 兩台 FortiGate 的網路介面要先設定成固定 IP (不要 DHCP / PPPoE), 如果設定 Active-Passive 模式等 HA 建立完成後可再改回 DHCP or PPPoE((fortigate-ha-56.pdf Page.28))
+    - 兩台 FortiGate 的設定幾乎相同 (Exp. 只有 hostname / Internal IP 不同 / wan IP 不同)
+    - 尚未設定 VDOM / HA ++CLI 語法|<code sh>get system ha status</code><file>
+ichiayi-02-FG40C # get system ha status
+Model: FortiGate-40C
+Mode: standalone
+Group: 0
+Debug: 0
+ses_pickup: disable
+number of vcluster: 0
+</file>++
+  * 預計設定的 HA 架構與模式
+    * 設定 HA 的模式 : FGCP Active-Active HA (這模式最多可以設定到四台 FortiGate((fortigate-ha-56.pdf Page.24)))
+    * 配置架構圖
+<mermaid>
+graph TD
+    Internet["Internet"]
+    Router["VDSL Router"]
+    FG1["Fortigate 40c<br/>ichiayi-01-FG40C"]
+    FG2["Fortigate 40c<br/>ichiayi-02-FG40C"]
+    Switch["Internal Switch"]
+    PC1["PC or NB"]
+    AP["Wi-Fi AP"]
+    PC2["PC or NB"]
+    Internet <-->|"WAN"| Router
+    Router -->|"Static IP (wan1)"| FG1
+    Router -->|"Static IP (wan1)"| FG2
+    FG1 <-->|"wan2 HA 連線"| FG2
+    FG1 -->|"Internal"| Switch
+    FG2 -->|"Internal"| Switch
+    Switch --> PC1
+    Switch --> AP
+    Switch --> PC2
+    style Internet fill:#e1f5ff,stroke:#333,stroke-width:3px
+    style Router fill:#fff4e1,stroke:#333,stroke-width:2px
+    style FG1 fill:#cce5ff,stroke:#333,stroke-width:2px
+    style FG2 fill:#d4f1d4,stroke:#333,stroke-width:2px
+    style Switch fill:#ffe1e1,stroke:#333,stroke-width:2px
+    style PC1 fill:#f0f0f0,stroke:#333,stroke-width:2px
+    style AP fill:#fff0cc,stroke:#333,stroke-width:2px
+    style PC2 fill:#f0f0f0,stroke:#333,stroke-width:2px
+</mermaid>
+  * 設定方式
+    - 每一台都登入啟用 HA ++CLI 語法|<code sh>
+config system ha
+set group-id 10
+set mode a-a
+set hbdev wan2 50
+set group-name ichiayi_cluster
+set load-balance-all enable
+set password **Password**
+end
+</code>++
+    - 設定好 fortigate 應該會自動重開機
+    - 經過一小段時間 HA 燈號會亮起 (如果是綠燈表示 HA 正常, 橘燈表示 HA 異常)
+    - 檢查 HA 相關資訊狀態 ++CLI 語法|<code sh>
+get system ha status
+</code><file>
+Model: FortiGate-40C
+Mode: a-a
+Group: 10
+Debug: 0
+ses_pickup: disable
+load_balance: enable
+load_balance_udp: disable
+schedule: Round robin.
+upgrade_mode: unset
+Master:128 ichiayi-01-FG40C FGT40C391xxxxxx5 1
+Slave :128 ichiayi-02-FG40C FGT40C391xxxxxx1 0
+number of vcluster: 1
+vcluster 1: work 169.254.0.2
+Master:0 FGT40C391xxxxxx5
+Slave :1 FGT40C391xxxxxx1
+</file><code sh>
+get system ha</code><file>
+ichiayi-01-FG40C # get system ha
+group-id            : 10
+group-name          : ichiayi_cluster
+mode                : a-a
+password            : *
+hbdev               : "wan2" 50
+session-sync-dev    :
+route-ttl           : 10
+route-wait          : 0
+route-hold          : 10
+sync-config         : enable
+encryption          : disable
+authentication      : disable
+hb-interval         : 2
+hb-lost-threshold   : 6
+helo-holddown       : 20
+gratuitous-arps     : enable
+arps                : 5
+arps-interval       : 8
+session-pickup      : disable
+update-all-session-timer: disable
+session-sync-daemon-number: 1
+link-failed-signal  : disable
+uninterruptible-upgrade: enable
+ha-mgmt-status      : disable
+ha-eth-type         : 8890
+hc-eth-type         : 8891
+l2ep-eth-type       : 8893
+ha-uptime-diff-margin: 300
+vcluster2           : disable
+vcluster-id         : 1
+override            : disable
+priority            : 128
+schedule            : round-robin
+monitor             :
+pingserver-monitor-interface:
+pingserver-failover-threshold: 0
+pingserver-slave-force-reset: enable
+pingserver-flip-timeout: 60
+load-balance-all    : enable
+</file><code sh>
+get system status</code><file>
+ichiayi-01-FG40C # get system status
+Version: FortiGate-40C v5.2.13,build0762,171212 (GA)
+Virus-DB: 52.00006(2017-09-28 20:11)
+Extended DB: 1.00000(2012-10-17 15:46)
+IPS-DB: 12.00234(2017-09-28 01:27)
+IPS-ETDB: 0.00000(2001-01-01 00:00)
+Serial-Number: FGT40C391xxxxxx5
+Botnet DB: 1.00000(2012-05-28 22:51)
+BIOS version: 04000006
+System Part-Number: P08924-05
+Log hard disk: Not available
+Internal Switch mode: switch
+Hostname: ichiayi-01-FG40C
+Operation Mode: NAT
+FIPS-CC mode: disable
+Current HA mode: a-a, master
+Branch point: 762
+Release Version Information: GA
+System time: Sat Jun 16 16:17:52 2018
+</file>
+++
+    - 連上 Slave 檢查 HA 相關狀態 ++CLI 語法|<code sh>
+execute ha manage 0
+</code><file>
+ichiayi-01-FG40C # execute ha manage 0
+ichiayi-02-FG40C login: admin
+Password: ********
+Welcome !
+</file><code sh>
+get system status
+</code><file>
+ichiayi-02-FG40C # get system status
+Version: FortiGate-40C v5.2.13,build0762,171212 (GA)
+Virus-DB: 52.00006(2017-09-28 20:11)
+Extended DB: 1.00000(2012-10-17 15:46)
+IPS-DB: 12.00234(2017-09-28 01:27)
+IPS-ETDB: 0.00000(2001-01-01 00:00)
+Serial-Number: FGT40C391xxxxxx1
+Botnet DB: 1.00000(2012-05-28 22:51)
+BIOS version: 04000009
+System Part-Number: P08924-09
+Log hard disk: Not available
+Internal Switch mode: switch
+Hostname: ichiayi-02-FG40C
+Operation Mode: NAT
+FIPS-CC mode: disable
+Current HA mode: a-a, backup
+Branch point: 762
+Release Version Information: GA
+System time: Sat Jun 16 16:20:05 2018
+</file>++
+    - <del>如果沒問題, 就可以將 wan1 改成 PPPoE 模式, 以及 Internal 啟動 DHCP Server</del>((Active-Active 模式 wan1 介面無法使用 PPPoE ))
+  * 如果對自動選擇的 Master 不滿意, 可以透過設定 priority 來指定(越大的數值優先當 Master) ++Exp. CLI語法| 連入後先將 Master 設定 200<code sh>
+config system ha
+set priority 200
+end
+</code>切換到 Slave 設定 255(最大值)<code sh>
+execute ha manage 1
+config system ha
+set priority 255
+end
+</code>會斷掉一下, 重新登入後可以看到已經切換<file>
+TPFortiGate40C-1 # get system ha status
+Model: FortiGate-40C
+Mode: a-a
+Group: 10
+Debug: 0
+ses_pickup: disable
+load_balance: enable
+load_balance_udp: disable
+schedule: Round robin.
+upgrade_mode: unset
+Master:255 TPFortiGate40C-1 FGT40C391xxxxxx7 1
+Slave :200 TPFortiGate40C-2 FGT40C391xxxxxx1 0
+number of vcluster: 1
+vcluster 1: work 169.254.0.2
+Master:0 FGT40C391xxxxxx7
+Slave :1 FGT40C391xxxxxx1
+<file>
+</file>++
+  * 取消(解除) HA 設定
+    * 直接連入要移除的那台 fortigate 執行系統重設 ++CLI語法|<code sh>
+exec factoryreset </code><file>
+ichiayi-02-FG40C # exec factoryreset
+This operation will reset the system to factory default!
+Do you want to continue? (y/n)y
+</file>++
+    * 連入將 ha mode 設定 standlone ++CLI語法|<code sh>
+config system ha
+set mode standalone
+end
+</code>++ 這樣設定之後, 就解除掉 HA 模式, 每一台 fortigate 的 internal / wan1 IP 都相同, 所以可以透過 Internal IP 連入的是 master 那台, 若想在遠端以原本 Internal IP 連上其他 slave 必須將可連入的 fortigate 修改 Internal IP 就能用原本 Internal IP 連入.
+===== 參考網址 =====
+  * https://www.mobile01.com/topicdetail.php?f=110&t=4237563
+  * http://my-fish-it.blogspot.tw/2017/01/ss-fortigate-543-firewall-tunnel-ssl-vpn.html
+  * https://blog.imprezagt1031.idv.tw/2015/12/04/fortigate-5-2-sslvpn-%E8%A8%AD%E5%AE%9A/
+  * https://forum.fortinet.com/tm.aspx?m=95662
+  * http://cookbook.fortinet.com/high-availability-two-fortigates-56/
+  * http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_FGCP_best_practices.htm
+  * http://cookbook.fortinet.com/redundant-internet-connections-54/
+  * http://kb.fortinet.com/kb/documentLink.do?externalID=FD33338
+{{tag>firewall fortigate}}