FortiGate
Addresses and Policies

When you add a new address object or policy, make sure it is also referenced from the policy or address group you are actually trying to affect; a new object that nothing references has no effect.

CLI Commands

Ping - because exec ping resolves the hostname before sending, it can also double as a quick nslookup

exec ping <hostname-or-ip>

FQDN addresses

Check the currently resolved IP addresses for all FQDN address objects in the CLI:

diagnose firewall fqdn list

Add bulk IPs to FortiGate via CLI: see this guide: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Creation-and-addition-of-bulk-IP-address-objects/ta-p/241823

Troubleshooting VPN connections

Video walkthrough on troubleshooting VPN connections: https://www.youtube.com/watch?v=CXWoTZ5t8XI&t=2923s

TLS Session Timeout

If a TLS session that passes through the firewall is idle for longer than the session TTL, the firewall expires the session and the application using that TLS connection gets a socket error. To fix this, raise the session time to live on the firewall policy that allows the traffic. This can only be done from the CLI (<vdom-name> and <policy-id> are placeholders for your VDOM and policy ID):

config vdom
edit <vdom-name>
config firewall policy
edit <policy-id>
set session-ttl 28800
next
end
end

session-ttl is in seconds (28800 = 8 hours). Setting it back to 0 restores the global default.
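To confirm the change actually took effect, these checks (an added example, not part of the original notes) read the policy back and then inspect live sessions matched by that policy. They assume VDOM mode like the block above; <vdom-name> and <policy-id> are placeholders.

```console
config vdom
edit <vdom-name>
# Re-read the policy: the output should now contain "set session-ttl 28800"
show firewall policy <policy-id>
# Narrow the session table to sessions matched by this policy on the TLS port
diagnose sys session filter clear
diagnose sys session filter policy <policy-id>
diagnose sys session filter dport 443
# Each listed session shows its remaining lifetime as "expire=<seconds>";
# a newly idle session should count down from the new TTL, not the global default
diagnose sys session list
end
```

Sessions that were established before the policy change keep their old timeout, so test with a connection opened after the change.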

VPN Tunnel Troubleshooting CLI

Use the following commands in the CLI to capture IKE debug output for a VPN tunnel and check each phase 2 on it (<remote-gateway-ip> is a placeholder for the peer's IP):

diagnose vpn ike log-filter dst-addr4 <remote-gateway-ip>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

diagnose debug disable

Run the first four commands, then bring the tunnel up (or re-trigger the phase 2 you are testing) and read the negotiation output on the console; run diagnose debug disable when finished so debugging does not stay on. On newer FortiOS releases the filter command is diagnose vpn ike log filter rem-addr4 <remote-gateway-ip>; check the syntax for your version.