Showing posts with the label Forti.

2023/08/08

Adjusting the FortiGate log retention period

FortiGate keeps logs on disk for 7 days by default. If there is enough disk space, the retention can be set longer, so that when something abnormal happens the older records are still available for investigation.

Enter the following three commands in the CLI. The second line sets the number of days that logs are kept; the example below sets it to 30 days.

config log disk setting
set maximum-log-age 30
end

2023/05/04

FortiGate automatic configuration backup

FortiGate now has a built-in feature for automated configuration backups. The setup is shown in the screenshots below and consists of these steps:

Go to "Automation Actions".
Add a new trigger.
In the trigger options, find "Scheduled".
Set the time at which it should run; this completes the trigger.
Add a new action.
Choose "CLI Script" as the action type.
Add the script content, adjusting the following four items yourself:
1 - the FTP storage location, plus a file name of your choice for the backup
2 - the FTP server's IP
3 - the FTP login username
4 - the FTP login password
Once the action is done, finally create an automation action that includes the trigger and the action just created, and the setup is complete.
Please refer to the accompanying screenshots for the details of each screen.
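The same procedure expressed as FortiOS CLI, as an added example that is not part of the original post. It assumes the FortiOS 7.x stanza names (automation-trigger, automation-action, automation-stitch), uses placeholder values for the server, credentials and file name, and assumes the optional trailing backup password of "execute backup config ftp" to encrypt the file; plain FTP sends both the login and the configuration file (which contains secrets) in clear text, so use it only on a network you trust.

```fortios
# Added example (not from the original post): nightly config backup to FTP
# via an automation stitch. Values marked PLACEHOLDER must be replaced.
config system automation-trigger
    edit "nightly-0200"
        set trigger-type scheduled
        set trigger-frequency daily
        set trigger-hour 2
        set trigger-minute 0
    next
end

config system automation-action
    edit "backup-config-ftp"
        set action-type cli-script
        # execute backup config ftp <file> <server> <user> <password> [<backup-password>]
        # The last argument encrypts the backup file (assumed optional parameter).
        set script "execute backup config ftp fgt-backup.conf 192.0.2.10 PLACEHOLDER_USER PLACEHOLDER_PASS PLACEHOLDER_BACKUP_PW"
    next
end

config system automation-stitch
    edit "nightly-config-backup"
        set trigger "nightly-0200"
        config actions
            edit 1
                set action "backup-config-ftp"
            next
        end
    next
end
```

The script line is stored in the running configuration, so the FTP password is visible to anyone who can read the config; give the FTP account write-only access to a dedicated directory.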

2023/01/04

FortiGate external-to-internal policy not taking effect

On the FortiGate firewall, two policies were set for traffic from outside to inside:

Policy 1: specific external IP -> internal ALL -> all services ==> block

Policy 2: specific external IP -> specific internal host -> all services ==> block

It turned out that this external IP was not blocked at Policy 1 but only when it matched Policy 2, which was very strange. After asking the vendor we learned that one part of the configuration needs special attention.

When setting up external-to-internal policies, because some internal hosts provide services to the outside using virtual IPs (VIPs), a policy whose internal side is ALL needs "set match-vip enable" added to it in the CLI. This makes the policy also block external hosts that connect in through a VIP.

That is why Policy 1 had no effect while Policy 2 did.
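Policy 1 written out as FortiOS CLI with the match-vip setting in place, as an added example that is not part of the original post; the interface names, address object and the sample IP are assumptions for illustration.

```fortios
# Added example (not from the original post): a deny policy with destination
# "all" that also matches traffic addressed to VIPs. Names are assumptions.
config firewall address
    edit "blocked-external-host"
        set subnet 203.0.113.45 255.255.255.255
    next
end

config firewall policy
    edit 0
        set name "deny-blocked-host-inbound"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "blocked-external-host"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        # Without this line the policy never sees traffic destined to a VIP,
        # which is the behaviour the post describes.
        set match-vip enable
        # Log denied hits so the block can be verified in the traffic log.
        set logtraffic all
    next
end
```

The deny policy must sit above the allow policies that publish the VIPs; matching order follows the policy sequence, not the policy ID.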

2022/09/23

FortiGate VPN token sometimes not enforced

On the FortiGate, AD accounts were set up to log in to the VPN, and token verification must be enabled before a connection is allowed.

However, for some users who had set this up and enabled the app on their phones, no prompt for the token code appeared when logging in to the VPN; they were logged in directly.

It later turned out to be a matter of the case of the login username: some people typed their account in uppercase and were not asked for a token code, while lowercase required it.

We then found that when we first set up the VPN permissions, before tokens were used, we had added the AD group directly to the VPN configuration.

Now that tokens are required, the individual AD accounts have to be added to the user list and then added to the VPN configuration.

So the VPN configuration ended up with two different account sources. An uppercase username did not match the case-sensitive entry in the user list, so the login fell through to the AD group entry, which carries no token requirement. The fix is simply to remove the AD group from the VPN configuration.

After the change, a user can only log in with a username whose case exactly matches the entry in the user list.

2022/09/22

FortiVPN token login error: fortitoken clock drift detected

The cause was that the clock on the phone running FortiToken Mobile was wrong; correcting the time fixed it.

2022/08/09

Forti VPN cannot connect: 'The server you want to connect to requests identification. Please choose a certificate and try again (-5)'

After an upgrade of a very old Forti firewall, some people could no longer connect to the VPN. At first I thought it was related to the version of the VPN client on the client side, since the company had four versions (4, 5, 6 and 7) in use.

But I then found that users on all four versions could connect, so that was not the problem.

So I searched using the error message.

In the end the fix was to go to Internet Options in Internet Explorer and, under the Advanced settings, tick TLS 1.1 and TLS 1.2; that solved the problem.


2022/08/03

FortiGate: the two free tokens cannot be added back after deletion, "unable to access FortiCare"

A FortiGate itself includes two token licences, which can be assigned to two accounts for two-factor authentication.

During testing, the device did have a maintenance contract, but its firmware was very old. Some problems occurred during setup, so I deleted the tokens, thinking they could simply be added back. A search online suggested they can be imported again using the default serial number consisting entirely of zeros.

That did not work. There is a button labelled "Re-download License", but pressing it produced "unable to access FortiCare", and nothing I did resolved it.

The device clearly had maintenance, yet access was still refused. In the end, following the vendor's advice that the firmware was too old to be supported, I upgraded to the latest version and it worked.

2022/06/21

FortiGate: internal hosts cannot connect directly to an external virtual IP

After configuring on the firewall the external IP for a host that serves the outside, connecting from the external network works fine.

But connecting to that external IP from the internal network does not work.

The cause is the "Interface" field in the virtual IP settings: if it is not specified, connections from inside are not possible.

Once the interface on which this virtual IP lives is set, internal connections to the external IP work without problems.

2022/03/18

Forti SSL VPN: blocking specific IP connections

The SSL VPN feature on the Forti firewall can, in the GUI, be restricted so that only specific IPs are allowed to connect, i.e. an allow list.

But company staff travel to other countries, so there is no way to know in advance which external IPs will be used to connect to the SSL VPN; what is needed instead is to block specific IPs.

We also noticed particular IPs continually trying the SSL VPN with different usernames and passwords, which was worrying.

We then found a setting that turns the allow-list restriction into a block list, but it has to be enabled from the CLI:

config vpn ssl settings
set source-address-negate enable
end

After this, the allow-list entries enabled in the GUI act as a block list, although the GUI page still labels them "Allow List" rather than "Block List".


2022/03/17

Forti SSL VPN client offline installation

The SSL VPN client for the Forti firewall can be downloaded from Forti's website.

However, the downloaded installer is not the complete program: only when run does it connect to the internet and download the real installer into a temporary folder on the PC, and only after that download does the installation start. This wastes time, and the installation requires a network connection.

So I wanted an actual installer file. This is how to get one:

First take one PC, download the latest installer as described above and run it; it downloads the real installer, and once that is done the installation starts and the setup window appears.

At that point go to the local %LocalAppData%\Temp folder; you will see the real installer for the SSL VPN client, with a file name like "FortiClientVPN....", which is easy to spot. Copy that file out. Check the copied file's digital signature before distributing it.

To install on other PCs, just use this file directly.

2022/03/11

Fortinet VPN client fails to start: "A JavaScript error occurred in the main process"

After installing the Fortinet SSL VPN client on a new Windows 10 PC, a JavaScript error appears every time it is opened: "A JavaScript error occurred in the main process".

To fix this, install the Microsoft Visual C++ Redistributable; installing the latest version is enough.

The latest supported version can be downloaded from:

https://docs.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-170

2021/07/12

FortiGate two-factor authentication setup

A FortiGate firewall includes two token licences by default. These tokens can be used for two-factor authentication: for example, when a user connects to the SSL VPN, in addition to the username and password they must also enter a token value before they can log in. The token value keeps changing, which raises the security of the system.

Tokens come in hardware and software forms; the two default licences are for the software type. The whole process is as follows:

First create the login account, which can be an AD account or a local account on the firewall, then enable two-factor authentication and assign one of the tokens to the account. From then on, logging in to the SSL VPN or the web console with this account requires an extra token code. Then click "Send activation code".

Because the activation code was just sent, an activation e-mail arrives in the user's mailbox. Install the FortiToken Mobile app on the user's phone; when opened it offers two ways to activate: scan the QR code in the activation e-mail or type in the activation code.

Once entered, the app shows a number with a countdown; when the countdown ends the number changes to a new one. When the user logs in to the VPN or the web interface, after entering the username and password there is an extra field for the number from the app, and only with the correct number does the login succeed. That is how the token is set up and used.
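The account step above expressed as FortiOS CLI for a local user, as an added example that is not part of the original post; the username, password, e-mail address and token serial are placeholders, and the "execute fortitoken-mobile send-activation" command is assumed to be the CLI equivalent of the "Send activation code" button.

```fortios
# Added example (not from the original post): assign one of the two bundled
# FortiToken Mobile licences to a local firewall account. Placeholders must
# be replaced with real values.
config user local
    edit "alice"
        set type password
        set passwd "PLACEHOLDER_PASSWORD"
        # Require a FortiToken code in addition to the password.
        set two-factor fortitoken
        # Serial of the token licence to assign (shown under User & Authentication > FortiTokens).
        set fortitoken "FTKMOB_PLACEHOLDER_SERIAL"
        # Mailbox that receives the activation e-mail with the QR code.
        set email-to "alice@example.com"
    next
end

# Send the activation e-mail for this token (assumed CLI equivalent of the
# GUI "Send activation code" button). The user then activates FortiToken
# Mobile by scanning the QR code or typing the activation code.
execute fortitoken-mobile send-activation FTKMOB_PLACEHOLDER_SERIAL
```

The same two-factor settings apply to accounts that come from AD through the user list; the token and e-mail address are set on the individual user entry, not on the group.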

2021/05/25

FortiGate: enabling split tunneling

Because more people have recently been working from home, FortiGate VPN traffic has grown, so I decided to enable split tunneling.

Without this feature, when an external PC connects to the company through the VPN, any traffic to external websites also goes out through the VPN, making an extra round trip. Enabling split tunneling means traffic for external sites no longer has to enter the company network first and leave again.

After enabling split tunneling, a routing address must be specified: the subnets that should be reached through the VPN. Add every subnet that users need to reach.

When you click OK after adding them, an error appears.

The error says that the policy with ID 88 has its destination address set to "all", which is a problem. So that policy's destination address has to be changed.

There are two ways to do this: either change the destination address from all to the actual destinations to be reached,

or, if the destination really cannot be determined, delete the policy.

After the change, re-enable split tunneling and it succeeds.

Now, once connected to the VPN, checking your public IP on an external website shows your own internet IP rather than the company's.
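The portal and policy changes above as FortiOS CLI, as an added example that is not part of the original post; the portal name, address object and subnet are assumptions, while policy ID 88 comes from the post.

```fortios
# Added example (not from the original post): enable split tunneling on the
# SSL VPN portal and narrow the policy that produced the error. Names and the
# subnet are assumptions; policy ID 88 is the one named in the post.
config firewall address
    edit "corp-lan"
        set subnet 10.10.0.0 255.255.0.0
    next
end

# Routing address: only these networks are sent through the tunnel; all other
# traffic leaves from the user's own internet connection.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "corp-lan"
    next
end

# The policy that blocked the change had destination "all"; restrict it to
# the same networks the routing address covers (the first of the two fixes
# described in the post).
config firewall policy
    edit 88
        set dstaddr "corp-lan"
    next
end
```

Once split tunneling is on, the user's internet traffic bypasses the firewall entirely, so it is no longer inspected or logged there; the public-IP check described in the post confirms that this is happening.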

2020/07/27

Powering a FortiGate on and off

The FortiGate firewall has a physical power switch. With the switch off, turning it on powers the firewall and the system boots.

To shut down, do not simply turn the switch off, as that may damage the system; instead shut down via the CLI or the GUI. After the shutdown, because the physical switch is still on, the hardware is still powered: on the front panel the power LED stays green, but all other LEDs go out and the system cannot be reached.

To bring the system up again at that point, you must unplug and reinsert the power cable, or turn the physical switch off and on again, so that the hardware loses and regains power; only then will the system boot.

2020/05/19

FortiGate 5.0 VPN setup fails: no "Enable IPsec interface mode" option

Different FortiGate firmware versions have somewhat different configuration screens.
In version 5.0, a site-to-site VPN has to be configured by hand; unlike newer versions, there is no template to apply.
Following instructions found online, there is an "Enable IPsec interface mode" box to tick, but the option could not be found, and after configuration the tunnel never came up.
It turned out the feature is hidden; to use it, it must first be turned on in the settings. Fortinet's website has a guide on this (https://kb.fortinet.com/kb/viewContent.do?externalId=FD35007).


2020/05/18

Running ping and traceroute on a FortiGate

When the internal network cannot reach the external network, you check segment by segment to find where it breaks.
On Windows or a switch the commands are similar, but on a Forti firewall they differ. To ping or traceroute another IP from the firewall, the commands can be run straight from the web console:
execute ping x.x.x.x
execute traceroute x.x.x.x

2020/02/05

Enabling and disabling FortiGate IPsec tunnels

After creating a site-to-site VPN on a FortiGate, it is sometimes disabled automatically after a long period without use. To enable it again, go to the "Monitor" tab; it is really hard to find.

2019/06/04

FortiClient SSLVPN 連線失敗 The VPN server may be unreachable (-5)

The company has several sites, all using Forti firewalls. Recently, when using the FortiGate SSL VPN, connecting to site A's VPN worked, but connecting to site B's VPN gave the error "The VPN server may be unreachable (-5)". Only a few PCs had the problem, so I judged the cause to be the PCs' own settings.

Pinging the VPN IP from the PC, or telnetting to the VPN port, both worked, so the error message is only a rough hint.
After some searching I happened to find the fix: in the IE settings, the corresponding TLS version was not enabled; go into the settings and enable TLS. As for which version to enable, test it yourself, because the one I used differed from what I found online.


2018/10/09

FortiGate site-to-site VPN between different models

I have recently been setting up a FortiGate site-to-site VPN. The procedure is easily found online and will not be repeated here; these are a few notes from the setup:
1 Two FortiGates of different models can form a VPN connection.
2 If the tunnel will not come up after configuration, check that the settings on both sides match: the pre-shared key, remote address and local address must correspond.
3 Once the VPN is created, even if it has not come up, the routes and policies are generated automatically; there is no need to add them by hand.
4 The configuration process does not cause an outage.