Fortigate Webfilter Error

30 April 2012


If you get an error while browsing the internet saying:

“Web Page Blocked, an error occurred while trying to rate the website using the webfiltering service.

Web filter service error: no response from urlfilter”

then most likely the Fortigate firewall needs a restart after a firmware update.

In an HA cluster you have to restart all members of the Fortigate HA cluster.



How to issue a certificate on a Microsoft IIS CA for a Fortigate unit

1 March 2011

When you generate a certificate signing request on a Fortigate unit you can download the request and have it issued by a Microsoft-based Certification Authority.

But sometimes you get an error like this one:

The request contains no certificate template information 0x80094801 (-2146875391).
Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the Certificate Template request attribute.

This is because the certificate request does not contain the "Webserver" template information that the Microsoft CA expects.

You can work around this error on the command line, which also helps if your IIS-based web enrollment site (certsrv) is not working.

Just type the following:
certreq -submit -attrib "CertificateTemplate:Webserver" <certrequest.req-file>

where <certrequest.req-file> is the filename of the request you previously generated on and downloaded from the Fortigate unit.
The default file extension from the Fortigate is "*.csr".
Just change it to .req.
After entering the command you can choose the CA that should issue the request, and then you will get a file save dialog.
Enter a filename and choose a location for saving the issued certificate.

Now you can import the issued certificate on your Fortigate unit and use it for the admin HTTPS page or SSL-VPN.
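
Before submitting, you can check whether a request file already carries the Microsoft "Certificate Template Name" extension (OID 1.3.6.1.4.1.311.20.2) that the CA's policy module looks for, so you know in advance whether the -attrib switch is needed. This is an added example, not code from the original post or from Fortinet: it walks the DER structure by hand, and sample_request builds a constructed, PEM-armoured stand-in for a request file (not a complete CSR) with and without that extension.

```python
import base64
MS_TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"  # Microsoft "Certificate Template Name" extension

def tlv(tag, body):  # one DER tag-length-value element; long length form when body >= 128 bytes
    n = len(body)
    n_bytes = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(n_bytes)]) + n_bytes + body

def encode_oid(dotted):  # DER OBJECT IDENTIFIER: first two arcs packed, then base-128 sub-identifiers
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while (p := p >> 7):
            chunk.append(0x80 | (p & 0x7F))
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))
TEMPLATE_OID_TLV = encode_oid(MS_TEMPLATE_NAME_OID)

def der_iter(data):  # yield (tag, body) for each top-level DER element (definite lengths only)
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the real length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def find_template_name(der):  # template name from the Microsoft extension, None if absent
    for tag, body in der_iter(der):
        if tag == 0x30 and body.startswith(TEMPLATE_OID_TLV):
            # Extension ::= SEQUENCE { extnID, [critical BOOLEAN], extnValue OCTET STRING { BMPString } }
            vtag, vbody = next(der_iter(list(der_iter(body))[-1][1]))
            return vbody.decode("utf-16-be") if vtag == 0x1E else None
        if tag in (0x30, 0x31, 0xA0):  # descend into SEQUENCE, SET and the [0] attributes wrapper
            found = find_template_name(body)
            if found is not None:
                return found
    return None

def template_name_from_pem(pem):  # None means certreq -submit needs -attrib "CertificateTemplate:..."
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    return find_template_name(der)

def sample_request(template=None):  # constructed stand-in, not a full CSR: version + [0] extensionRequest
    ext = tlv(0x30, TEMPLATE_OID_TLV + tlv(0x04, tlv(0x1E, template.encode("utf-16-be")))) if template else b""
    attr = tlv(0xA0, tlv(0x30, encode_oid("1.2.840.113549.1.9.14") + tlv(0x31, tlv(0x30, ext))))
    body = base64.b64encode(tlv(0x30, tlv(0x02, b"\x00") + attr)).decode()
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{body}\n-----END NEW CERTIFICATE REQUEST-----\n"
```

A request exported from the Fortigate, like the one the post describes, returns None here, which is exactly the case the -attrib switch fixes.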


How to change the global and SSL-VPN certificate on Fortinet units

1 March 2011

Use PuTTY to SSH to the Fortigate or FortiMail unit and type:

For changing the admin website certificate type:

config system global
    set admin-server-cert <certname>
end

The certificate has to be installed beforehand and can be a public certificate or a self-signed one from an in-house CA.

For changing the SSL-VPN certificate type:

config vpn ssl settings
    set servercert "<certname>"
end

where <certname> is the name of the SSL certificate previously imported to the unit.


HA Management on Fortigate Firewalls

21 February 2011

To switch between two or more Fortigate HA units you need the following commands in the CLI:

execute ha manage 0
execute ha manage 1
execute ha manage <id>

where <id> is the unit number.

To show the current state of the HA cluster type:
get system status
get system ha

To diagnose the synchronization, type the following and compare the output:
diagnose sys ha showcsum

To manually start a sync type:
execute ha synchronize config


How to set up LDAP-based SSL-VPN user authentication on Fortigate v4.x

25 January 2011

To enable LDAP-based user authentication on a Fortigate unit with firmware 4.x or newer you need at least three different settings.

1. Define LDAP server

config user ldap
    edit "LDAP-DC01"                          //LDAP config name (not the server name)
        set server "10.10.0.110"              //LDAP server IP or FQDN (must be resolvable by the Fortigate)
        set cnid "cn"                         //search attribute
        set dn "DC=domain,DC=intra"           //search base where the search for users and groups starts
        set type regular                      //enables searching through AD starting at the search base
        set username "fortildap@domain.intra" //AD user for the bind, format: User@domain.tld
        set password ENC XXXXXXX              //password of that user
        set filter ""                         //obsolete with firmware 4.0 and above
    next
end

2. Define a user group using the LDAP server

config user group
    edit "SSL-VPN-LDAP-User"                  //new group
        set sslvpn-portal "SSL-VPN-AdminUser" //portal allowed for the users
        set member "LDAP-DC01"                //LDAP config name used
        config match                          //matching filter
            edit 1
                set server-name "LDAP-DC01"   //LDAP config name
                set group-name "CN=GRP-SSL-VPN-allow,OU=2ndOU,OU=1stOU,DC=domain,DC=intra" //group defined in Active Directory for allowed SSL users
            next
        end
    next
end

3. Define a firewall policy

config firewall policy
    edit <policy-id>                          //ID of the new policy
        set srcintf "wan1"                    //source interface
        set dstintf "internal"                //destination interface
        set srcaddr "all"                     //source: any IP
        set dstaddr "Subnet-Intranet"         //destination subnet object
        set action ssl-vpn                    //SSL-VPN authentication policy type
        config identity-based-policy
            edit 1
                set schedule "always"         //schedule times
                set groups "SSL-VPN-LDAP-User" //user group defined under config user group
                set service "ANY"             //allowed services
            next
        end
    next
end

UPDATE:

To authenticate with the logon name instead of the full name you can set the cnid (search attribute) in the "config user ldap" settings as shown next:
Change
set cnid "cn"
to
set cnid "sAMAccountName"


How to set up a daily restart on Fortigate

24 November 2010

To have a Fortigate restart daily, the following setting is required on the command line.
One reason for this setting can be, for example, to avoid the DSL provider's forced 24-hour disconnect happening at an unwanted time of day:

In this example the restart is performed at 4 a.m. local system time.

config system global
    set daily-restart enable
    set restart-time 04:00
end