Tag Archives: fortigate

How to block default in Fortigate via BGP

Problem:

Solution:

config router access-list
edit "Block_Def_Route"
config rule
edit 1
set action deny
set exact-match enable
next
edit 2
set exact-match disable
next
end
next
end

config router bgp
config neighbor
edit "10.40.15.1"
set distribute-list-in "Block_Def_Route"
set remote-as 6167
set route-map-out "Verizon_Prepend1"
next
edit "10.40.16.1"
set distribute-list-in "Block_Def_Route"
set remote-as 6167
set route-map-out "Verizon_Prepend"
next
end
end
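The Block_Def_Route list works because rule 1 matches the default route exactly (exact-match on prefix any, which is 0.0.0.0/0) and denies it, while rule 2 permits every other prefix before the implicit deny at the end of the list. As an added example that is not part of the post, the following Python script parses the rule section of such a FortiOS access-list and evaluates received prefixes against it; it assumes the FortiOS defaults of "prefix any" and "action permit" for omitted settings, and the rule text it parses is a constructed copy of the list above.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AclRule:
    action: str = "permit"       # assumed FortiOS default when 'set action' is omitted
    prefix: ipaddress.IPv4Network = field(     # 'prefix any' = 0.0.0.0/0
        default_factory=lambda: ipaddress.ip_network("0.0.0.0/0"))
    exact_match: bool = False

def parse_access_list(cli_text):
    """Collect the numbered 'edit <n>' rules of a FortiOS router access-list."""
    rules, cur = [], None
    for raw in cli_text.splitlines():
        tok = raw.strip().split()
        if len(tok) > 1 and tok[0] == "edit" and tok[1].isdigit():
            cur = AclRule()                     # a new rule with FortiOS defaults
        elif tok and tok[0] == "next" and cur is not None:
            rules.append(cur)
            cur = None
        elif cur is not None and len(tok) > 2 and tok[0] == "set":
            if tok[1] == "action":
                cur.action = tok[2]
            elif tok[1] == "exact-match":
                cur.exact_match = tok[2] == "enable"
            elif tok[1] == "prefix" and tok[2] != "any":
                arg = tok[2] if len(tok) == 3 else f"{tok[2]}/{tok[3]}"  # a.b.c.d m.m.m.m
                cur.prefix = ipaddress.ip_network(arg, strict=False)
    return rules

def matches(rule, route):
    if rule.exact_match:
        return route == rule.prefix       # address and mask length must both match
    return route.subnet_of(rule.prefix)   # route only has to fall inside the rule prefix

def evaluate(rules, route):
    """'permit' or 'deny' for one received prefix; unmatched routes hit the implicit deny."""
    route = ipaddress.ip_network(route)
    for rule in rules:
        if matches(rule, route):
            return rule.action
    return "deny"

# Constructed copy of the rule section of the post's Block_Def_Route list.
BLOCK_DEF_ROUTE = parse_access_list(
    "edit 1\n set action deny\n set exact-match enable\nnext\n"
    "edit 2\n set exact-match disable\nnext\n")   # rule 2 keeps the default action permit
```

Running evaluate(BLOCK_DEF_ROUTE, "0.0.0.0/0") returns "deny", while "0.0.0.0/1" or "10.40.0.0/16" return "permit"; without rule 2 every non-default prefix would fall through to the implicit deny.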

How to fix: iprope_in_check() check failed on policy 0, drop

The above line is a debug error code I grabbed from one of our Forti units.

My issue was very simple.

One policy, which was SNATing traffic through a tunnel, was simply not getting any hits, so the packets were being dropped. I pulled out a lot of hair over this one until some angel on the Israeli Fortigate Facebook page helped me figure it out.

If you are seeing this line, you are probably doing what I did: trying to send traffic outwards for an IP address that is ALREADY ASSIGNED IN YOUR NETWORK. That's right. Check the addresses on your router's interfaces, including DMZ, MGMT and so on; you are likely to find the same address there.

How to disable SSL-VPN on FortiOS 5.0

Well,

If your system is vulnerable to the Heartbleed attack and you can't afford to upgrade the firmware right now, simply disable FMG access and, specifically, SSL-VPN.

FMG can be easily disabled from the Interface Menu.

SSL-VPN on the other hand takes some CLI fiddling.

I wasn't able to find this anywhere for some reason, but thankfully someone helped me out:

config vpn ssl settings
set sslvpn-enable disable
end

This will completely stop the SSL-VPN service and close the port it listens on (usually 10443).