BGP between Cisco Nexus and Fortigate

It is not uncommon to find that different vendors have slightly different implementations when it comes to standards technologies that should work seamless.

I recently came across a BGP capability negotiation problem between a Nexus 7000 and a client Fortigate. Today’s post is not teaching about any new technologies, but instead showing the troubleshooting methodology I used to find the problem.

The setup is simple. A Nexus 7000 and a Fortigate connected via nexus layer2 hosting infrastructure, to peer with BGP.
At face value the eBGP session between Nexus 7000 and the Fortigate never came up:

N7K# sh ip bgp summary | i 10.5.0.20
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.5.0.20   4 65123     190     190        0    0    0 0:12:30  Idle

The first steps should verify the obvious.

Configuration! This check should included checking the ASNs, the peering IP addresses, source-interfaces and passwords matching.

Continue reading “BGP between Cisco Nexus and Fortigate” →

Fortigate Limitation

I discovered a real annoying limitation to the Fortigate firewalls today. And although this limitation wont be encountered on a daily basis, I know this is not a unusual setup, and above that I know that Cisco Pix Firewall support this, as I have done this before.

Suppose the the following scenario:

fortilimit

Suppose traffic from the Big Bad Internet is destined to company BOB’s application server at 170.1.1.1:8081.

On the Fortigate you create a port-nat to the server’s internal address of 192.168.102.1.

Continue reading “Fortigate Limitation” →

Fortigate tcp dump

In order to see a tcp dump of information flowing through a fortigate, the diagnose sniffer command can be used from cli. The command syntax:

diagnose sniffer packet {interface | all} ‘net z.z.z.z/p and/or host x.x.x.x and/or port yyy’ [options]

You can narrow your search by filtering on any or the following:

net/prefix : print a whole netblock
host          : print only one host
port          : print only a specific port number
and/or      : allows additional options

The Options field at the end are as follow:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name

Option ‘4’ is particularly useful, in that it shows the associated interface for the directional traffic

Examples:

diagnose sniffer packet any ‘net 10.0.0.0/8 and host 172.16.16.14 and port 3389’

diagnose sniffer packet any ‘host 10.4.131.97 and host 172.16.16.14 and port 3389’ 4

Fortigate Commands

I configure/support Fortigate firewalls on a daily basis, the baby 60DSL’s, the 200A’s, but mostly the big 3016B’s.

Although I do use the Fortimanager front-end extensively for revision history, I still prefer and often do work from the command line, so I tought I’ll share the commands I use often.

Monitoring commands:

show

Show global or vdom config

sh system interface

Equivalent to show run interface

diagnose hardware deviceinfo nic

Equivalent to show interface

get system status

show version information

sh firewall policy 6

show firewall rule numer 6

sh router policy

Show Policy Routing rules

diagnose system session list

Show the excisting translations

diagnose system session clear

Clears all xlate/translations

diagnose ip arp list

Shows the arp table of connected hosts

get router info routing-table all

Equivalent to ‘show ip route’

diagnose system top

Show System Processes running with PIDs

diagnose system kill 9 <id>

Kill the specific PID

diag test auth ldap <server_name> <username> <password>

Ldap test query from the Forti to the AD

Tag: Fortigate