Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
cmberry
New Contributor

Interface Setup

If my internal network uses only 1 port on the back of my 200B, is there any reason to use one of the switch ports vs a dedicated port? I am using MR2 Patch 2 on a 200B. I am having a few issues where a web page or download will lose its connection for about 1 second, and this happens all throughout the day and causes all sorts of issues. I do have a support ticket open on it, but I am looking to get opinions of whether my configuration could be causing some of the issues. Would there be an advantage to replace the internal network currently using the “switch” interface with for example “Port 14” with alias of “Internal”? The firewall comes with 192.168.1.99 preconfigured on the switch interface, so I kept it. What are your thoughts? My current setup looks like this: (Network>Interfaces)
18 REPLIES 18
rwpatterson
Valued Contributor III

I have taken my protection profiles apart piece by piece until I have found what the problem is. A pain, I agree, but at least I can get some of the benefits and just bypass the part that' s failing.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
cmberry
New Contributor

I have taken my protection profiles apart piece by piece until I have found what the problem is. A pain, I agree, but at least I can get some of the benefits and just bypass the part that' s failing.
Yup, I have attempted to do that, but I need to try again. Do you know if there is a delay between adding/removing a feature and when the firewall starts implementing the change? Meaning, do I need to wait Seconds or minutes between each change to test the results?
ede_pfau
SuperUser
SuperUser

The effect is immediate. Some features are session based so if you don' t start a new session you won' t see any changes. HTTP is a nice protocol in that respect. Did you look into timeout settings of your browsers, Firefox and IE? There are some but it depends on the version, too.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
cmberry
New Contributor

Is anyone using 4.2.2 who can confirm or deny they they seeing this problem often? Since there are no other threads on this yet, I feel a little crazy. But maybe it' s because most people here aren' t dumb enough roll out 4.2.2 in a production environment? Also, can anyone tell me if AV Engine 3.00013 (Updated 2009-08-13) is the latest? 8.13.2009 seems old, but everything else on my unit as very recent.
abelio

Hi,
ORIGINAL: cmberry But maybe it' s because most people here aren' t dumb enough roll out 4.2.2 in a production environment?
I' m running 4.2.2 in production environments, not 200B altoughm but a couple of 310B in a A-P HA and and 50/51B units How did you performed the 4.2.2 loading? Using an upgrade process? All my 4.2.2 issues went away after flash formatting and reload one ' fresh' 4.2.2 image. That' s my personal experience only, not a general advice obviously.
Also, can anyone tell me if AV Engine 3.00013 (Updated 2009-08-13) is the latest? 8.13.2009 seems old, but everything else on my unit as very recent.
Use CLI command: " get system fortiguard-service status" to get actual values about your installed engine versions and AV/attack definitions regards

regards




/ Abel

regards / Abel
TopJimmy

ORIGINAL: cmberry Also, can anyone tell me if AV Engine 3.00013 (Updated 2009-08-13) is the latest? 8.13.2009 seems old, but everything else on my unit as very recent.
I' m running 4.1.7 on my cluster of 800' s (A-P) and I show version 3.013 for the AV Engine. Checking the " Whats New" page (updated daily I think) at FortiGuard it shows this:
Fortinet Antivirus Definition Update 12.403 Release Time: Wed Sep 29 08:22:19 PDT 2010 FortiGate 2.50 (engine 2.006) FortiGate 2.80 (engine 3.003) FortiGate_US 2.80 (engine 2.006) FortiGate 3.00 (engine 3.010) FortiGate 4.00 (engine 3.013) FortiClient (engine 4.133) FortiMail 2.00 (engine 2.91) FortiMail 3.00 (engine 3.24) FortiMail 4.00 (engine 3.120)
check it here: http://www.fortiguard.com/antivirus/whatsnew.html Looks like that is the latest version for the engine on FGT' s regardless of the 4.0 build number.
-TJ
-TJ
cmberry
New Contributor

How did you performed the 4.2.2 loading? Using an upgrade process? All my 4.2.2 issues went away after flash formatting and reload one ' fresh' 4.2.2 image. That' s my personal experience only, not a general advice obviously.
**** EDIT: I spoke too soon, my downloads are still broken. When my firewall gets the slightest bit busy, like CPU and RAM near 20%, the issue starts showing up.... ****** I did get to 4.2.2 from an upgrade path of 4.1.x and 4.0.x before that. I downloaded a fresh 4.2.2 firmware, checked the MD5 (it was correct), then downloaded and installed Tftpd32, so I could format and put on a clean 4.2.2 per your suggestion. But before I did that, I switched out the Time warner cable modem with a new (but same model), cable modem. Before I could test to see if that work, my firewall all did a push update to new AV def, 12.00351 (Updated 2010-09-14 via Push Update). Then about the same time Fortinet actually called me and we played around a bit. Long story short, my downloads *SEEM* to be working now. Don' t really know which thing I did fixed the issue, but whatever glitch I was having seem to have gone away. Wish I could pinpoint it for anyone else having the issues... Happy I dont have to format and flash via TFTP. :-) The biggest thing I did with tech support was disable " strict blocking" , then re-enabled it for both HTTP & HTTPS. Don' t know what for, but I' m working again for now. Thanks for all the suggestions and help in this matter.
cmberry
New Contributor

I wanted to update this thread with the progress I have made on this issue, in case anyone else is seeing failed downloads. After having a ticket opened for just over a month, I got the call today to confirm it is a BUG. Bug ID 0131322. I thought there was some part of the Fortinet site that shows all bugs and the details, but I was chatting with support today, and they said it is an internal only site, so let me give you the details of the bug from my point of view. After turning all UTM features off, and adding them back one at a time, and waiting at least 24hours between each feature being added, it was conclusively proven to be the Email Filter. Once the tech and I were 95% sure it was only within email, we tried removing all settings, and it then looked to be only within POP3, although I am not 100% sure on that point, since I only have pop3 and smtp, no imap. I then did rotations of email filter on/off in blocks of 24 hours, and proved it to be email filter 100% for me. Simple fact was, with email filter enabled on the policy, download failed ~99% of time. Email filter off=everything was fine. This may seem odd to you, since email filter should have nothing to do with http/http downloads. Which is what the tech thought too, and probably why the ticket was open for so long. With email filter on, the AV filter obviously looks at emails, so you could argue that it' s actually in the AV filter, but AV filter alone being on, you don' t see the failed downloads, and general choking of the firewall throughput. I am told the problem is with something called the " proxy worker" in conjunction with email scanning of POP3 email. The proxy worker crashes with 4.2.2 (and I also am pretty sure it effects 4.2.1), and this brief interruption causes downloads to fail, web pages to not load, and a variety of other brief but troublesome issues. So, at this point I am very happy to have a probably bug id, which means at some point in the future I would imagine a bug fix. Without email filtering on, I have infected and malicious emails pouring into inboxes for about 30 workers, fun fun!
ede_pfau
SuperUser
SuperUser

Thanks for the update on this issue. Just a thought: could you set up a second VDOM to only process pop3, to have it AV scanned? transparent mode, just 2 interfaces, one policy, one protection profile. Might be worth the trouble instead of having no AV on mails at all.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors