[SOLVED] UTM Updates with private IP on WAN interface.
Hi all,
I have difficulties in cases where the FGT's WAN port has no public IP address but a private one (the FGT sits behind a Metropolitan Area Network with private addressing).
I have found different topics about this problem, but I was not able to find the solution / best way for a FortiGate 310B on v5 build 291.
Here is the topology (I cannot access the MAN/WAN equipment):
MAN <--> 310B is interconnected by static routes.
WAN <--> MAN (10.63.32.13) <---> (10.63.32.14) WAN MY-FG310B <---> Internal Networks, DMZ....
Default route on the Fortigate unit is 0.0.0.0/0.0.0.0 dst 10.63.32.13 on WAN Port.
10.63.32.14 can't be routed/NATed on the Internet; I have already asked my provider.
Using the source-ip command in the CLI:
It works for DNS lookup, sFlow, NTP... using "source-ip A.B.C.D", where source-ip is one of my public IPs located on port2 "DMZ".
Unfortunately I was not able to update. If I trace packets for DNS or NTP, my source IP is A.B.C.D (good), but for a forced update my source IP is 10.63.32.14.
NTP example (works):
```
# diagnose sniffer packet any 'host 145.238.203.14' 4
0.634692 port1 out A.B.C.D.123 -> 145.238.203.14.123: udp 48
0.646904 port1 in 145.238.203.14.123 -> A.B.C.D.123: udp 48
```
UPDATE example (doesn't work):
```
# diagnose sniffer packet any 'host 208.91.112.68' 4
8.432481 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419
11.431059 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419
17.431062 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419
```
I can resolve but not go out:
```
firewall-a # execute traceroute update.fortiguard.net
traceroute to update.fortiguard.net (96.45.33.88), 32 hops max, 72 byte packets
 1  10.63.32.13  1.740 ms  1.705 ms  1.600 ms
 2  *
```
Normal; 10.63.32.0 is not routed over the Internet. Is there a mistake in my config? What can I do about this?

Using a reverse proxy server: to forward requests from my 310B directly to update.fortiguard.net:443 via the DMZ interface (which is routed on the Internet, of course). I was not able to configure it with Apache2; I got no answer from the update.fortiguard.net server. My fault?

Using VDOMs: maybe this is the only way to solve my problem? I have no FortiGate v5 for tests, but if it is the only solution, via internal FGT routing, I will try. Let me know if this is the solution for me.

Using a local-in policy: I think this is not the solution; I have just read the docs and I think it can't solve this kind of problem.

Thanks for your suggestions; sorry for my poor English.
Regards,
Adrien
hi,
and welcome to the forums.
This one is difficult. I find it peculiar that the default route does not point to the Internet but to the MAN. How is surfing possible at all then?
What I am thinking of is RPF, the reverse path check which the FGT performs. In short, all incoming traffic for which there is no route is discarded silently.
Unfortunately, there is only one default route per system or VDOM. So a second VDOM combined with some routing, with the aim of getting the updates via the DMZ port, would be a (faint) hope. But this needs more scrutiny.
In the meantime, you could open a support call with TAC to get help from them as well.
Ede Kernel panic: Aiee, killing interrupt handler!
Hi ede,
Thanks for your fast reply.
In fact the MAN router routes my public /24 (issued from my 310B DMZ interface) into BGP. 10.63.32 is used only for management (metropolitan side) and interconnections.
I have a possible solution (already done for another site where I never found the solution... but today I am asking the forum ;) ) which consists of splitting my /24 DMZ subnet and then giving one of my public IPs to the WAN interface. A lot of work...
and it needs a modification on the MAN router to change the default gateway to my FortiGate.
If there is no other solution I will do the same for this 310B, but I'm surprised that there is no other way.
Regards,
Adrien
> firewall-a # execute traceroute update.fortiguard.net
> traceroute to update.fortiguard.net (96.45.33.88), 32 hops max, 72 byte packets
>  1  10.63.32.13  1.740 ms  1.705 ms  1.600 ms
>  2  *

So how does the FGT get to the Internet if the 10net is not NAT'd by the SP? Somewhere down the line, something/somewhere is doing a source NAT.
PCNSE
NSE
StrongSwan
Hi emnoc,
This is my problem: the provider doesn't NAT the 10.63.32 IP addresses.
Is it possible to do this in the FGT "localhost": route update.fortiguard.net traffic to the DMZ gateway via a static route and then NAT 10.63.32 in a DMZ->WAN rule?
I'm trying, but not sure that it is possible.
Thanks for your help;
Regards,
So in your traceroute your lookup worked; was that a foreign DNS server, or what device handled your lookup?
(sorry for my confusion)
PCNSE
NSE
StrongSwan
This is the (new) option "source-ip" that you can use in the application CLI sub-menus.
If I use the source-ip directive for DNS, I can use an IP of my choice (the IP of the DMZ interface in my case) to go out. This is why I can resolve, using an internal DNS or an external one (for example Google's 8.8.8.8 works too, because I go out with the specified source-ip).
In my understanding of the Admin guide, there is no equivalent for updates.
It exists for sFlow, NTP, DNS, Syslog, FortiAnalyzer (I log to an external FortiAnalyzer with success)... but not for my problem, and not for "execute" commands (that is why traceroute doesn't work but lookup works).
I hope my explanation is clear.
Regards,
Adrien
EDIT:
Here is the config for accessing the FortiAnalyzer (over the Internet):
```
config log fortianalyzer setting
    set status enable
    set server MYANALYZER
    set enc-algorithm enable
    set source-ip MY-IP-DMZ-INTERFACE
end
```
Another example which works, DNS:
```
config system dns
    set primary 8.8.8.8
    set secondary 208.91.112.52
    set source-ip MY-IP-DMZ-INTERFACE
end
```
```
firewall-a # get system source-ip status
The following services force their communication to use a specific source IP address:
service=NTP source-ip=MY-IP-DMZ-INTERFACE
service=DNS source-ip=MY-IP-DMZ-INTERFACE
service=FortiAnalyzer #1 source-ip=MY-IP-DMZ-INTERFACE
service=Syslog #1 source-ip=MY-IP-DMZ-INTERFACE
```
EDIT 2: Here is the related documentation: FortiOS source-ip. But I don't have the example lines from the docs:
```
FortiGuard Updates (AV/IPS): x.x.x.x
FortiGuard Queries (WebFilter/SpamFilter): x.x.x.x
```
Impossible to find/activate it in my CLI. Is FortiGuard the update service I'm looking for (I think so)? (I have no FortiCloud or FortiManager, just a full UTM licence (bundle).)
Okay, here's what I came up with.
Under 5.2 GA you can set the update source. Now I know that doesn't help you, but I checked a few devices I have and none have that option.
```
config system fortiguard
    set source-ip 0.0.0.0
end
```
Then you can run `diag debug en`, `diag debug app update -1` and `execute update-now`.
As long as you have HTTPS outbound to the FDS servers you should update:
```
upd_fds.c[228] extract_fds_info-SEQ TZ IP:PORT TYPE
upd_fds.c[302] extract_fds_info- 0 000 208.91.112.68:443 3
upd_fds.c[302] extract_fds_info- 1 -005 208.91.112.69:443 3
upd_fds.c[302] extract_fds_info- 2 009 208.91.112.70:443 3
upd_fds.c[302] extract_fds_info- 3 -005 209.222.136.6:443 3
upd_fds.c[302] extract_fds_info- 4 009 61.204.170.252:443 3
upd_fds.c[302] extract_fds_info- 5 -008 208.91.112.71:443 3
upd_fds.c[302] extract_fds_info- 6 000 208.91.112.72:443 3
upd_fds.c[302] extract_fds_info- 7 -005 208.91.112.73:443 3
upd_fds.c[302] extract_fds_info- 8 -005 208.91.112.75:443 3
upd_fds.c[302] extract_fds_info- 9 -008 208.91.112.78:443 3
upd_fds.c[302] extract_fds_info- 10 -008 208.91.112.79:443 3
upd_fds.c[302] extract_fds_info- 11 009 208.91.112.80:443 3
upd_fds.c[302] extract_fds_info- 12 009 208.91.112.81:443 3
upd_fds.c[302] extract_fds_info- 13 009 208.91.112.82:443 3
upd_fds.c[302] extract_fds_info- 14 009 208.91.112.83:443 3
upd_fds.c[302] extract_fds_info- 15 -005 96.45.32.80:443 3
upd_fds.c[302] extract_fds_info- 16 -005 96.45.32.81:443 3
upd_fds.c[302] extract_fds_info- 17 -005 64.26.151.39:443 3
upd_fds.c[302] extract_fds_info-
```
Make sure DNS is working correctly
;)
PCNSE
NSE
StrongSwan
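As an added example tying the sniffer traces from the first post to the FDS server list that emnoc's `diag debug app update -1` procedure produces (this is not code from the thread or from Fortinet): a Python script that parses both outputs offline and reports, per FDS server, whether the FortiGate contacted it, whether any reply came back, and whether the egress source sat in RFC 1918 space. The sample inputs are constructed from the lines posted above; the redacted public address A.B.C.D is replaced by the documentation address 203.0.113.10, and the FDS list is shortened to three servers.

```python
"""Offline triage of FortiGuard update reachability from FortiGate CLI output.

Added example for this thread, not code from the posts or from Fortinet.
Parses 'diagnose sniffer packet ... 4' lines
  (<seconds> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <info>)
and 'diag debug app update -1' lines
  (upd_fds.c[302] extract_fds_info- <seq> <tz> <ip>:<port> <type>),
then judges each remote peer on whether replies came back and whether the
egress source is RFC 1918 space. Samples are constructed from the thread;
the redacted public address A.B.C.D is replaced by 203.0.113.10 (RFC 5737).
"""
import ipaddress
import re
from collections import defaultdict

SNIFFER_LINE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+(?P<info>.*)$"
)
FDS_LINE = re.compile(
    r"extract_fds_info-\s+\d+\s+-?\d+\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+\d+"
)
# Explicit RFC 1918 test: ipaddress.is_private would also flag special-purpose
# ranges such as 203.0.113.0/24, which is not what we want to detect here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_TRACE = """\
0.634692 port1 out 203.0.113.10.123 -> 145.238.203.14.123: udp 48
0.646904 port1 in 145.238.203.14.123 -> 203.0.113.10.123: udp 48
8.432481 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419
11.431059 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419
17.431062 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419
"""
SAMPLE_FDS_DEBUG = """\
upd_fds.c[228] extract_fds_info-SEQ TZ IP:PORT TYPE
upd_fds.c[302] extract_fds_info- 0 000 208.91.112.68:443 3
upd_fds.c[302] extract_fds_info- 1 -005 208.91.112.69:443 3
upd_fds.c[302] extract_fds_info- 15 -005 96.45.32.80:443 3
upd_fds.c[302] extract_fds_info-
"""

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_sniffer(text):
    """One dict per parseable packet line; prompts and blank lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line)
        if m:
            p = m.groupdict()
            p["ts"], p["sport"], p["dport"] = float(p["ts"]), int(p["sport"]), int(p["dport"])
            packets.append(p)
    return packets

def parse_fds_servers(text):
    """(ip, port) for every FDS server listed by the update daemon's debug output."""
    return [(m.group("ip"), int(m.group("port")))
            for m in (FDS_LINE.search(ln) for ln in text.splitlines()) if m]

def analyse(packets):
    """Per remote peer: packet counts, local source IPs used, and a verdict."""
    peers = defaultdict(lambda: {"sent": 0, "received": 0, "sources": set(), "ports": set()})
    for p in packets:
        if p["dir"] == "out":
            peer, local, port = p["dst"], p["src"], p["dport"]
            peers[peer]["sent"] += 1
        else:
            peer, local, port = p["src"], p["dst"], p["sport"]
            peers[peer]["received"] += 1
        peers[peer]["sources"].add(local)
        peers[peer]["ports"].add(port)
    report = {}
    for peer, rec in peers.items():
        sources = sorted(rec["sources"])
        one_way = rec["sent"] > 0 and rec["received"] == 0
        bad_src = [s for s in sources if is_rfc1918(s)]
        problem = None
        if one_way and bad_src:
            problem = ("no reply; egress source %s is RFC 1918 and only works if something "
                       "upstream NATs it or the service is bound to a public source-ip"
                       % ", ".join(bad_src))
        elif one_way:
            problem = "no reply; check routing/filtering upstream"
        report[peer] = {"sent": rec["sent"], "received": rec["received"], "sources": sources,
                        "ports": sorted(rec["ports"]), "one_way": one_way,
                        "rfc1918_source": bool(bad_src), "problem": problem}
    return report

def fds_status(report, servers):
    """Verdict per FDS server: 'ok', 'no reply', or 'not contacted' in this trace."""
    status = {}
    for ip, port in servers:
        r = report.get(ip)
        if r is None or port not in r["ports"]:
            status[(ip, port)] = "not contacted"
        else:
            status[(ip, port)] = "no reply" if r["one_way"] else "ok"
    return status

if __name__ == "__main__":
    rep = analyse(parse_sniffer(SAMPLE_TRACE))
    for peer, r in rep.items():
        print("%-4s %-16s sent=%d recv=%d src=%s %s" % ("FAIL" if r["problem"] else "OK", peer,
              r["sent"], r["received"], ",".join(r["sources"]), r["problem"] or ""))
    for (ip, port), s in fds_status(rep, parse_fds_servers(SAMPLE_FDS_DEBUG)).items():
        print("FDS %s:%d -> %s" % (ip, port, s))
```

Feed it real output captured with `diagnose sniffer packet any 'port 443' 4` while running `execute update-now`: a server marked "no reply" together with an RFC 1918 source is exactly the symptom in this thread (SYN retransmits from 10.63.32.14, nothing coming back), whereas "not contacted" means the update daemon never tried that server during the capture window.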
As per the CLI Reference guide of FortiOS 5.0, in the What's New section, this should be available in FortiOS 5.0.
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Hi Dipen,
I'm not able to find this information in the What's New section for FortiOS 5 or FortiOS 5.2:
5.0.7: http://docs.fortinet.com/uploaded/files/1094/fortigate-whats-new-50.pdf
5.2: http://docs.fortinet.com/uploaded/files/1912/fortigate-whats-new-52.pdf
There are new options available for NetFlow, and for updates via FortiManager, which I don't use. Nothing about source-ip for UTM updates.
Have I missed something? Thanks.
Regards,
Adrien