Optimization of fortigate IPS

1. IPS signature need select according to infrastructure environment 
   Eg:-  if  we are not have Linux servers this ips signature can disable (default behavior of ips is to monitor TCP/IP packet)
2. Interzone to interzone or inside interfaces to inside interfaces traffic don't call ips profile. this will affect fortigate memory /CPU
3. Only allow/call ips security profile (in firewall rule) from inside zone to outside zone 
4. Always create global profile and call in other VDOMs
5. Always trigger IPS engine update manually using #execute update-ips from global mode (if the updates are not coming from fortiguard cloud) 

• Always check the fortigate OS compatibility with IPS engine .
  
  
  
  
  
  
• In this case the IPS engine is outdated with version 6.4.2 fortigate OS built (above picture)
• Ones upgraded the ips we must restart the IPS engine using
  
  
  # diag test app ipsmonitor 99 (from global mode cli)
  
  #diag autoupdate versions | grep "IPS Attack" -A 6 (this command will help us to see the updated version from cli )
  
  

IPS Attack Engine
---------
Version: 6.00036
Contract Expiry Date: Sat Jan 16 2021
Last Updated using manual update on Mon Aug 31 14:17:05 2020
Last Update Attempt: Mon Oct  5 22:49:27 2020
Result: No Updates

How to troubleshoot the IPS issues in fortigate firewalls

 How to find problem with IPS in fortigate firewall?

In our case issues is High memory utilization in the devices so start the capture memory process first.

1^st step

#diagnose hardware sysinfo memory

Run Time:  41 days, 16 hours and 7 minutes

4U, 0N, 1S, 94I, 0WA, 0HI, 1SI, 0ST; 3615T, 764F

       ipsengine    23181      S <    12.7     3.6   ( Noticed that the IPS engine is taking lot of memory)

       ipsengine    23183      S <     4.9     3.7

       ipsengine    23180      S <     4.9     3.7

       scanunitd     3505      S <     4.9     0.6

       ipsengine    23179      S <     2.9     3.7

         miglogd      262      S       0.9     1.9

                                 

2d step

# diag debug crashlog read          >>>>Not able to find anything related to ips engine

 
3d step

n0_fw (global) # get sys fortiguard-service status

NAME               VERSION LAST UPDATE          METHOD    EXPIRE

AV Engine           6.149  2020-05-29 21:34:00  manual    2025-08-11 23:59:59

Virus Definitions   89.7121  2021-11-23 10:04:37  scheduled 2025-08-11 23:59:59

Extended set        89.7121  2021-11-23 10:04:37  scheduled 2025-08-11 23:59:59

Flow-based Virus Definitions  89.7121  2021-11-23 10:04:37  scheduled 2025-08-11 23:59:59

Attack Definitions  6.741  2015-12-01 02:30:00  manual    2025-08-11 23:59:59  Find this outdated

Attack Extended Definitions  18.200  2021-11-22 20:05:11  scheduled 2025-08-11 23:59:59

IPS Malicious URL Database  3.195  2021-11-22 20:05:11  scheduled 2025-08-11 23:59:59

IPS/FlowAV Engine   6.071  2021-02-17 20:28:04  scheduled 2025-08-11 23:59:59

IPS Config Script   1.009  2019-06-06 14:02:00  manual    2025-08-11 23:59:59

Application Definitions  18.199  2021-11-18 20:07:31  scheduled 2025-08-11 23:59:59

Industrial Attack Definitions  6.741  2015-12-01 02:30:00  manual    n/a

  

4^th step

(Solution for this we need update the IPS from cli using below command)

#execute update-ips  (In global mode)

Note: Performing the activity of upgrading IPS engine will terminate all TCP sessions. This will have impact to firewall. Make sure that you schedule this activity

 Few more commands to trouble shoot the IPS engine

diagnose test application ipsmonitor 5 (This command will help us to bypass the IPS for monitoring)

diagnose ips packet status (This will help to check ips packet counters/monitor the traffic for ips)

dia ips session list

dia test application ipsmonitor 13 >     This will  soft restart the ips 

diagnose ips packet status

diag ips session performance

diag ips session performance

diag ips signature status

diag ips  packet status

n0_fwl_i (global) # dia ips session list

Total TCP sessions: 165

SESSION id:105637489 serial:754130096 proto:6 group:0 age:6 idle:6 flag:0x200027

        feature:0x202 encap:0 ignore:1,0 ignore_after:0,204800

  C-212.224.76.233:44882, S-94.154.20.19:80

  state: C-ESTABLISHED/731/0/0/0/0, S-ESTABLISHED/0/0/0/0/0 pause:0, paws:0

  expire: 24

  app: unknown:0 last:0 unknown-size:0

  cnfm: http

  set: http sip rtsp

  asm: http

n0_fwl1_i (global) # dia test application ipsmonitor 13

Session List: pid=23179

vf=4 proto=6 194.154.20.10:49770->92.168.217.1:3306

vf=4 proto=6 82.4.241.19:39352->94.154.20.7:443

Total session :26660

n0_fwl1_i (global) # diag ips session performance

PERFORMANCE STATISTICS

name           :       sess |       pkts   cycles |       pkts   cycles

decoder        :          0 | 1007720701        0 |          0        0

session        :          0 | 1007720701        0 |          0        0

protocol       :          0 |  969665012        0 |          0        0

application    :          0 | 1544856777        0 |   63603439        0

detect         :          0 |          0        0 |          0        0

match          :          0 | 2096202687        0 |          0        0

NC match       :          0 | 2931515123        0 |          0        0

Cross Tag      :          0 |  107154002        0 |          0        0

-------------------------------------------------------------------------

How to extend the Mpls network to spoke devices using Juniper Mx480 and Juniper Srx340

We can extend the MPLS backbone to spoke router which we install newly below is the configuration 

Head end   Juniper MX480 < > Spoke device Juniper SRX340

Step by step process 

1. Create the Bgp community.
2. Create the bgp group for bgp peer .
3. Create write the policy for routes to come in and out .
4. Create routing instance and assign interface.
   
5. Check the bgp peer is ping reachable. 

Head end configuration 

------------------------------------------------------

Bgp configuration 

set protocols bgp group SR2_TC1 type external

set protocols bgp group SR2_TC1 hold-time 30

set protocols bgp group SR2_TC1 advertise-inactive

set protocols bgp group SR2_TC1 log-updown

set protocols bgp group SR2_TC1 family inet labeled-unicast

set protocols bgp group SR2_TC1 family inet-vpn unicast

set protocols bgp group SR2_TC1 export BGP-export-l3vpn

set protocols bgp group SR2_TC1 export DEFAULT-ONLY

set protocols bgp group SR2_TC1 peer-as 4099.35

set protocols bgp group SR2_TC1 neighbor 94.54.4.242

BGP Community 

set policy-options community cust-svcs-1121_export members target:503:101121

set policy-options community cust-svcs-1121_import members target:4100:101121

set policy-options community cust_fwl_1121_export members target:503:101279

set policy-options community cust_fwl_1121_import members target:4100:101279

Only adv the default 

set policy-options policy-statement DEFAULT-ONLY term default-only from route-filter 0.0.0.0/0 exact

set policy-options policy-statement DEFAULT-ONLY term default-only then accept

set policy-options policy-statement DEFAULT-ONLY term reject-others then reject

L3VPN routes policy 

set policy-options policy-statement BGP-export-l3vpn term T1 from family inet-vpn

set policy-options policy-statement BGP-export-l3vpn term T1 then accept

set policy-options policy-statement BGP-export-l3vpn term T2 from family route-target

set policy-options policy-statement BGP-export-l3vpn term T2 then accept

Spoke site 

set protocols bgp group SR2_TC1 type external

set protocols bgp group SR2_TC1 hold-time 30

set protocols bgp group SR2_TC1 family inet labeled-unicast

set protocols bgp group SR2_TC1 family inet-vpn unicast

set protocols bgp group SR2_TC1 export bgp-export

set protocols bgp group SR2_TC1 peer-as 5503

set protocols bgp group SR2_TC1 neighbor 94.54.4.241

set protocols bgp group SR2_TC1 neighbor 94.54.4.243

set protocols mpls traffic-engineering mpls-forwarding

Route policy to adv the routes

set policy-options policy-statement bgp-export term T1 from protocol direct

set policy-options policy-statement bgp-export term T1 from route-filter 94.154.4.26/32 exact   (Loopback ip address of router)

set policy-options policy-statement bgp-export term T1 then accept

set policy-options policy-statement bgp-export term T2 then reject

Policy community 

set policy-options policy-statement VRF_1121_export term VRF_1121_export then community add cust-svcs-1121_import

set policy-options policy-statement VRF_1121_export term VRF_1121_export then next term

set policy-options policy-statement VRF_1121_export term VRF_1121_export-1 then community add cust_fwl_1121_import

set policy-options policy-statement VRF_1121_export term VRF_1121_export-1 then accept

set policy-options policy-statement VRF_1121_import term SVC_cust_fwl_1121 from protocol bgp

set policy-options policy-statement VRF_1121_import term SVC_cust_fwl_1121 from community cust_fwl_1121_export

set policy-options policy-statement VRF_1121_import term SVC_cust_fwl_1121 then accept

set policy-options policy-statement VRF_1121_import term SVC_cust_services_1121 from community cust-svcs-1121_export

set policy-options policy-statement VRF_1121_import term SVC_cust_services_1121 then accept

BGP Community 

set policy-options community cust-svcs-1121_export members target:503:101121

set policy-options community cust-svcs-1121_import members target:4100:101121

set policy-options community cust_fwl_1121_export members target:503:101279

set policy-options community cust_fwl_1121_import members target:4100:101279

Route-instances configuration

set routing-instances Monitoring-LCN-1121 interface ae1.55

set routing-instances Monitoring-LCN-1121 instance-type vrf

set routing-instances Monitoring-LCN-1121 route-distinguisher 94.54.4.26:8757

set routing-instances Monitoring-LCN-1121 vrf-import VRF_1121_import

set routing-instances Monitoring-LCN-1121 vrf-export VRF_1121_export

set routing-instances Monitoring-LCN-1121 vrf-table-label

Cheat sheet FortiGate For Troubleshooting

 L3 Diagnose Commands 
-------------------------------------
 · Diagnose Ip Arp List
 · Debug Flow
 · Diagnose Debug Flow Show Console Enable
 · Diagnose Debug Enable
 · Diag Debug Flow Trace Start 
 · Diagnose Debug Flow Trace Stop
 · Diagnose Debug 
 
--------------------------------------------
CPU Usage Diagnose Commands
--------------------------------------------
 · Get System Performance Status
 · Diagnose Sys Top 1
 · Diagnose Sys Top
 · Diagnose Sys Top-Summary
 · Diagnose Hardware Test Suite All
 
--------------------------------------
Crash Logs Diagnose Commands
--------------------------------------
 · Diagnose Debug  Crashlog Read
----------------------------------------------------
Fortigate Hardware Diagnose Commands 
----------------------------------------------------
 · Get Hardware Status
 · Get Hardware Npu Mp6 Port-List
Network Process Work In Interface Level  L1 Issues
-------------------------------------------------
 · Diagnose Sys Session List
 · Diag Netlink Aggregate Name Agg1
 · Diagnose Npu Spm List
Firewall Disk Space Or To Format The Firewall Disk 
--------------------------------------------------------- 
 · Get Hardware Status
 · Execute Disk List
 · Execute Disk Format
CPU Use And Memory 
--------------------------------------------------------
CPU#    Diagnose Hardware Sysinfo Cpu
Mem#    Diagnose Hardware Sysinfo Memory

Log
------
Diagnose Log Test  ( Test If The Logs Are Generating) 
Execute Backup Disk Alllogs {FTP}Tftp |USB)
Note:- User-Anonymize We Can Set The Log For Users 
---------------------------------------------------

Basic Commands
-----------------------------------------------
Administrative User Only 
----------------------------------
Get System Status
Show Full Configuration System Interface <Port>
Show System Interface <Port>
How Do You Restrict Logins To FortiGate To Be Only From Specific IP Addresses?
 A. Disable HTTPS Access On Interface
 B. Configure Trusted Host
User Administrator
---------------------------------------------
System > Admin Profiles  (Ro View The Admin Profile)
Network > Interfaces  >Address >Administrator Access 
Transparent Mode MAC Table 
--------------------------------------------
Diagnose Netlink Brct1 Name Host < VDOM1>.B
Debug Commands Routing Table Display 
--------------------------------------------------------
 • Get Router Info Routing-Table All 
 • Get Router Info Routing-Table Database  : To See The Inactive Routes From Routing Table
 • Diagnose Firewall Proute List   : - To View Policy Routing Table 

RPF Checks
--------------------------------------- 
 • Strict-Src-Check Disable (Loose RPF )(Default)
 • Strict-Src-Check Enble  (Strict RPF)
 • Set Strict-Src-Check Disable 
Packet Capture In Fortigate 
 • Diagnose Sniffer Packet <Interface> <Filter><Timestamp><Frame Size>
 • Ctrl +C To Stop The Packet Capture 
 • Diagnose Sniffer Packet Any 'Host 192.168.1.254 And Icmp" 3
 • Diagnose Sniffer Packet Any 'Port 443' 4   (It Will Show In/Out Packet

Backup User to pull the configuration from fortigate using SSL keys

In configuration we are setting up 2 trust host to pull the configuration using any backup 

software "Rancid" or scripts.

 fwl1(backup) # show

config system admin
    edit "backup"
        set trusthost1 1.2.4.107 255.255.255.255
        set trusthost2 1.28.49.1 255.255.255.255
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-rsa M+hK0a60Hw== rancid"  >>>Full key need to put here
        set ssh-public-key2 "ssh-rsa +Yptf rancid" >>>>>>>>>>>>full key need put here
        
    next
end

How to set the debug file in juniper device for ospf

How to set the debug file in juniper device for ospf 

set protocols ospf traceoptions file ospf-log

set protocols ospf traceoptions file size 10k

set protocols ospf traceoptions file files 5

set protocols ospf traceoptions flag lsa-ack

set protocols ospf traceoptions flag database-description

set protocols ospf traceoptions flag hello

set protocols ospf traceoptions flag lsa-update

set protocols ospf traceoptions flag lsa-request

set protocols ospf traceoptions flag error

 show log ospf-log | last 10

Feb  6 05:35:09.041161 OSPF hello from 194.154.4.28 (IFL 81, area 0.0.0.0) absorbed

Feb  6 05:35:09.046626 OSPF periodic xmit from 194.154.4.232 to 224.0.0.5 (IFL 81 area 0.0.0.0)

Feb  6 05:35:09.926405 OSPF periodic xmit from 194.154.4.232 to 224.0.0.5 (IFL 81 area 0.0.0.0)

Feb  6 05:35:09.951517 OSPF hello from 194.154.4.28 (IFL 81, area 0.0.0.0) absorbed

Feb  6 05:35:10.712453 OSPF hello from 194.154.4.28 (IFL 81, area 0.0.0.0) absorbed

Feb  6 05:35:10.893468 OSPF periodic xmit from 194.154.4.232 to 224.0.0.5 (IFL 81 area 0.0.0.0)

NOTE

The Routing Engine copies the forwarding table to the Packet Forwarding Engine, the part of the router that is responsible for forwarding packets. To display the entries in the Packet Forwarding Engine's forwarding table, use the show pfe route command.

root@> show pfe route summary

================ master ================


IPv4 Route Tables:
Index         Routes     Size(b)
--------  ----------  ----------
Default          109       10024
1                 12        1100
2                  6         548
3                  9         824
5                  5         456

MPLS Route Tables:
Index         Routes     Size(b)
--------  ----------  ----------
Default            5         456
7                  1          88

IPv6 Route Tables:
Index         Routes     Size(b)
--------  ----------  ----------
Default            4         388
1                  4         388
5                  4         388

CLNP Route Tables:
Index         Routes     Size(b)
--------  ----------  ----------
Default            1          88
5                  1          88

MSTP-instance Route Tables:
Index         Routes     Size(b)
--------  ----------  ----------
Default            1          88


root@>

Fortigate Vdom

VDOM administration

Super _admin profile can have access to all VDOM

Policy- based routes configuration in

Network > policy routes

Enable the ipv6 / or any other feature

System>Feature visibility    (to view the feature set)

Fortigate ECMP

Config system settings

Set v4-ecmp-mode [source-ip-based ] by default
---------------------------------------------------------------------
Learning mode :- in Fortinet Enable devices detection on the source interfaces

Traffic shapers  :- - Shared traffic

For mapping the more than one services we can create  :- services object


Session table in fortigate

Session diagnose (output)

Session table >   Fortiview > all sessions

TCP default TTL vale for session table on firewall

3600 sec default vale

Firewall services> firewall policies >global sessions

Clear any previous filters
------------------------------------------------------------
Diagnose sys session filter clear
Diagnose sys session list
Diagnose sys session clear


Eg :- Diagnose sys session filter dst 10.200.1.254
Diag sys session filter dport 80
Diag sys session list


Show the routing table
------------------------------------------
Get router info routing-table all 

What criteria are used to install routes in the "bgp.l3vpn.0" routing table?

Nice one

What criteria are used to install routes in the "bgp.l3vpn.0" routing table?


https://kb.juniper.net/InfoCenter/index?page=content&id=KB1534

Steps to create VPNv4 routes in Juniper

Steps to create VPNv4 routes in Juniper 

(CE)-----(PE-A)-------(OSPF-MPLS-LDP-IBGP--VPNv4PEERING)----(PE-B)--(CE)

1, Create a routing path between PE to PE(using IGP or IBGP)

2, Create VPN VRF instances in PE routers (eg VRF_Customer1)

3, Create the L3vpn BGP peer 

4, Create a policy for import and export to filter the VPNV4 routes from neighbors 

Create a policy in PE's and bring them to VRF instances

PE-A                                                        PE-B

------------                                            ---------------------------

Import : 100300                              Export 100300

Export :100301                              Import 100301   

Use policy to redistribute routes from OSPF to BGP 

Import and Export VRF in juniper

Import and Export VRF in juniper 

--------------------------------------------

The simple explanation for Import and Export routing instances.

So the export targets from the services vrf need to be the import target in customer vrf and import target from the services vrf will be the export targets in customer vrf. 

The export command in juniper

VRF Export if you see in any juniper devices it means it is exporting(giving) the routes to VRF/VR/Other routing tables etc.... 

In summary, it is giving its routes to other routing tables.

Import command in juniper 

VRF Import if you see in juniper devices it means it importing(accepting)the routes from neighbor devices or VR, VRF etc...

In summary, it is taking the routes from Peer devices