Fortigate Troubleshooting

針對Fortigate 我自己遇到的一些問題處理

1.HA問題
2.Switch Mode Interface Mode
3.LACP 設定
4.FortiClient無法安裝
5.LDAP帳戶無法登入
6.FSSO Polling-Mode debug
7.常用指令
8.參考文件

1.HA問題

啟用HA時，發生以下錯誤訊息
Please disable switch-controller first.

目前FortiOS 5.2 不支援Switch Controller HA (5.4後將支援) ，必須先關閉Switch Controller  (此問題只有部分型號才會受影響)，指令如下:

#config system global

(global) # set switch-controller disable

(global) # end

啟用HA時，發生以下錯誤訊息
get slave and master have different hdisk status. Cannot work with HA master. Shutdown the box!

部分設備雖然型號一樣，但仍然無法建立HA Cluster，原因是設備底層的hardware reversion 不相同，必須使用以下指令來忽略 (忽略後需要重開設備)

以下機型可能會有這樣的問題產生，請注意

• FortiGate-100D
• FortiGate-300C
• FortiGate-80C and FortiWiFi-80C
• FortiGate-60C

#execute ha ignore-hardware-revision enable

2.Switch Mode Interface Mode

80C

#config system global

(global)#set internal-switch-mode interface 

(global)#end

Changing switch mode will reboot the system!
Do you want to continue? (y/n)y

若跳出以下錯誤訊息，表示有物件使用到internal port，把它給刪除既可

Interface internal is in use
attribute set operator error, -23, discard the setting
Command fail. Return code -23

這邊可以看到那些物件

60D,70D,100D 預設都使用Hardware Switch

刪除方式如下 (一樣需要確認是否有物件佔用，否則也是無法刪除)

#config system virtual-switch

刪除Name

(virtual-switch) # delete ?

*name Name of the virtual switch.
internal

(virtual-switch) # delete internal

3.LACP 設定
增加Port 1 & Port 2

設定LACP mode Passive

#config system interface

(interface) #edit LAN

設定LACP mode dynamic passive

(LAN) # set lacp-mode ?

static use static aggregation, do not send and ignore any LACP messages
passive passively use LACP to negotiate 802.3ad aggregation
active actively use LACP to negotiate 802.3ad aggregation

(LAN) # set lacp-mode passive

(LAN) # end

4.FortiClient無法安裝
安裝時發生以下狀況

直接安裝以下安全性更新KB3033929
https://www.microsoft.com/zh-TW/download/details.aspx?id=46148
安全性更新說明
https://technet.microsoft.com/library/security/3033929

5.LDAP帳戶無法登入
測試LDAP連線正常，但是實際登入時卻又無法正常登入

通常與Common Name Identifier參數有關，因為在建立AD使用者時， cn attribute並非是實際帳戶欄位，可嘗試使用sAMAccountName attribute可使用LDAP Browser確認

6.FSSO Polling-Mode debug
查詢SSO Polling mode 是否運作正常

#diag debug fsso-polling detail

AD Server Status: 
ID=1, name(10.192.1.3),ip=10.192.1.3,source(security),users(5)
port=auto username=cnlinktw\administrator
read log offset=123298750, latest logon timestamp: Fri Dec 16 10:31:28 2016

polling frequency: every 10 second(s) success(471), fail(0) 每10秒測一次
LDAP query: success(41), fail(7)
LDAP max group query period(seconds): 0
Number of users logged in:
Within 1 sec: 0(0.00%)
Within 1-5 secs: 0(0.00%)
Within 5-10 secs: 0(0.00%)
Within 10-15 secs: 0(0.00%)
Within 15-20 secs: 0(0.00%)
Within 20-25 secs: 0(0.00%)
Within 25-30 secs: 0(0.00%)
Within 30-60 secs: 0(0.00%)
Beyond 60 secs: 0(0.00%)
most recent connection status: connected
Group Filter: 塞選 Domain User
CN=Domain Users,CN=Users,DC=cnlink,DC=net,DC=tw

查詢使用者登入哪台DC

#diag debug fsso-polling user 1

7.常用指令
查看Firmware 版本、SN

#get system status | grep Version

#get system status | grep Serial

查看目前誰登入了設備

#get system admin list

設定Fail2ban機制

#config system global

嘗試登入5次錯誤就封鎖

(global) # set admin-lockout-threshold 5

每次封鎖時間 300秒

(global) #set admin-lockout-duration 300

設定管理者登入數量10

(global) #set admin-login-max 10

查看目前連線狀況，配合grep擷取你想要的資訊

#get system session list | grep udp

查看路由表

#get router info routing-table all

重啟路由　(有時候路由不生效可以嘗試看看)

#execute router restart

查詢ARP，配合grep擷取你想要的資訊

#get system arp | grep 10.0.0.100

NAT IP 查詢，當有使用VIP或者IP Pool 要特別注意
查詢NAT VIP

#show firewall vip 

查詢NAT ip pool

#show firewall ippool

設定開啟不對稱路由

#config system settings

(settings) # set asymroute enable

(settings) # end

關閉 Fortigate 使用SIP LAG

# config system settings

(settings) # set sip-helper disable

(settings) # set sip-nat-trace disable

需重新開機

設定SSLVPN  認證LDAP 若密碼到期可強制通過SSLVPN 修改密碼

# config user ldap

#set password-expiry-warning enable

#set password-renewal enable

設定SSH登入

#config system admin

(admin)#config system admin

(admin)#edit admin

(admin)#set ssh-public-key1 "ssh-rsa  XXXXXXXX"

查看CPU、記憶體、Process 狀態

#diagnose sys top

Run Time: 330 days, 12 hours and 4 minutes
0U, 0N, 2S, 98I; 499T, 269F, 83KF
 miglogd 52 S 0.4 3.4
 src-vis 76 S 0.0 7.9
 pyfcgid 1904 S 0.0 4.3
 pyfcgid 1906 S 0.0 4.3
 pyfcgid 1907 S 0.0 4.3
 pyfcgid 1908 S 0.0 4.3
 httpsd 1087 S 0.0 4.2
 httpsd 1089 S 0.0 4.2
 cmdbsvr 34 S 0.0 3.9
 httpsd 54 S 0.0 3.6
 httpsd 1086 S 0.0 3.4
 dnsproxy 84 S 0.0 3.3
 ipshelper 63 S < 0.0 2.9
 newcli 1923 R 0.0 2.7
 newcli 1911 S 0.0 2.7
 fgfmd 86 S 0.0 2.6
 cw_acd 87 S 0.0 2.3
 pimd 47 S 0.0 2.1
 forticldd 65 S 0.0 2.0
 fcnacd 67 S 0.0 1.9

Letter	Description
U	User cpu usage (%)
S	System cpu usage (%)
I	Idle cpu usage (%)
T	Total memory
F	Free memory
KF	Kernel free memory

Column #1	Column #2	Column #3	Column #4	Column #5
Process name	Process identification (PID)	One letter process status.   S: sleeping process R: running process <: high priority	CPU usage (%)	Memory usage (%)

Kill Process (類似Linux Kill)
SIGTERM (15):依照正常程序結束行程
SIGKILL (9):強制立即結束行程
SIGKILL (11):重新啟動行程

#diagnose sys kill  9 100

查看Fortigate 硬體狀態 (網卡狀態)

#get hardware nic wan1

查看Fortigate 硬體狀態 (CPU)

#get hardware cpu

查詢SSLVPN 詳細LOG

#diagnose debug application sslvpn -1

#diagnose debug enable

8.參考文件
Firmware 升級文件(Support Upgrade Guide)
http://cookbook.fortinet.com/sysadmins-notebook/supported-upgrade-paths-fortios
查詢Maximum Values Table (修改連結上的版本號，則可看到自己想要的版本號)
http://docs.fortinet.com/d/fortigate-fortios-5.2.7-maximum-values-table