Channel: troubleshooting – Fortinet Cookbook

Troubleshooting your FortiGate installation


If your FortiGate does not function as desired after completing the installation, try the following troubleshooting methods.

Most methods can be used for FortiGates in both NAT/Route and Transparent mode. Any exceptions are marked.

1. Use FortiExplorer if you can’t connect to the FortiGate over Ethernet.

If you can’t connect to the FortiGate GUI or CLI, you may be able to connect using FortiExplorer. See your FortiGate unit’s QuickStart Guide for details.

2. Check for equipment issues.

Verify that all network equipment is powered on and operating as expected. Refer to the QuickStart Guide for information about connecting your FortiGate to the network. You will also find detailed information about the FortiGate unit LED indicators.

3. Check the physical network connections.

Check the cables used for all physical connections to ensure that they are fully connected and do not appear damaged. Make sure that each cable connects to the correct device and the correct Ethernet port on that device. Also, check the Unit Operation widget in the Dashboard to make sure the connected interfaces are shown in green.

4. Verify that you can connect to the internal IP address of the FortiGate unit (NAT/Route mode).

Connect to the web-based manager from the FortiGate’s internal interface by browsing to its IP address. From the PC, try to ping the internal interface IP address; for example, ping 192.168.1.99.

If you cannot connect to the internal interface, verify the IP configuration of the PC. If you can ping the interface but can’t connect to the web-based manager, check the settings for administrative access on that interface.

5. Verify that you can connect to the management IP address of the FortiGate unit (Transparent mode).

From the internal network, attempt to ping the management IP address. If you cannot connect to the internal interface, verify the IP configuration of the PC and make sure the cables are connected and all switches and other devices on the network are powered on and operating. Go to the next step when you can connect to the internal interface.

6. Check the FortiGate interface configurations (NAT/Route mode).

Check the configuration of the FortiGate interface connected to the internal network, and check the configuration of the FortiGate interface that connects to the Internet to make sure Addressing Mode is set to the correct mode.

7. Verify the security policy configuration.

Verify that the internal interface to Internet-facing interface security policy has been added and is located near the top of the policy list. Check the Sessions column to ensure that traffic has been processed (if this column does not appear, right-click on the title row, select Sessions, and select Apply).

If you are using NAT/Route mode, check the configuration of the policy to make sure that NAT is turned on and that Use Destination Interface Address is selected.

8. Verify that you can connect to the Internet-facing interface’s IP address (NAT/Route mode).

Ping the IP address of the FortiGate’s Internet-facing interface. If you cannot connect to the interface, the FortiGate unit is not allowing sessions from the internal interface to the Internet-facing interface.

9. Verify the static routing configuration (NAT/Route mode).

Verify that the default route is correct. View the Routing Monitor and verify that the default route appears in the list as a static route. Along with the default route, you should see two routes shown as Connected, one for each connected FortiGate interface.

10. Verify that you can connect to the gateway provided by your ISP.

Ping the default gateway IP address from a PC on the internal network. If you cannot reach the gateway, contact your ISP to verify that you are using the correct gateway.

11. Verify that you can communicate from the FortiGate unit to the Internet.

Access the FortiGate CLI and use the command execute ping 8.8.8.8. You can also use the execute traceroute 8.8.8.8 command to troubleshoot connectivity to the Internet.

12. Verify the DNS configurations of the FortiGate unit and the PCs.

Check for DNS errors by pinging or using traceroute to connect to a domain name; for example: ping www.fortinet.com. If the name cannot be resolved, the FortiGate unit or PC cannot connect to a DNS server and you should confirm that the DNS server IP addresses are present and correct.

13. Confirm that the FortiGate unit can connect to the FortiGuard network.

Once registered, the FortiGate unit obtains antivirus and application control and other updates from the FortiGuard network. Once the FortiGate unit is on your network, confirm that it can reach FortiGuard.

First, check the License Information widget to make sure that the status of all FortiGuard services matches the services that you have purchased. Go to your FortiGuard settings and expand Web Filtering and Email Filtering Options. Select Test Availability. After a minute, the GUI should show a successful connection.

14. Consider changing the MAC address of your external interface (NAT/Route mode).

Some ISPs do not want the MAC address of the device connecting to their network cable to change and so you may have to change the MAC address of the Internet-facing interface using the following CLI command:

config system interface
  edit <interface_name>
    set macaddr <xx:xx:xx:xx:xx:xx>
  next
end

15. Check the FortiGate bridge table (Transparent mode).

When the FortiGate is in Transparent mode, the unit acts like a bridge sending all incoming traffic out on the other interfaces. The bridge is between interfaces on the FortiGate unit. Each bridge listed is a link between interfaces. Where traffic is flowing between interfaces, you expect to find bridges listed. If you are having connectivity issues and there are no bridges listed, that is a likely cause. Check for the MAC address of the interface or device in question.

To list the existing bridge instances on the FortiGate unit, use the following CLI command:

  diagnose netlink brctl name host root.b
  show bridge control interface root.b host.
  fdb: size=2048, used=25, num=25, depth=1
  Bridge root.b host table
  port no device devname mac addr ttl attributes
  3 4 wan1 00:09:0f:cb:c2:77 88
  3 4 wan1 00:26:2d:24:b7:d3 0
  3 4 wan1 00:13:72:38:72:21 98
  4 3 internal 00:1a:a0:2f:bc:c6 6
  1 6 dmz 00:09:0f:dc:90:69 0 Local Static
  3 4 wan1 c4:2c:03:0d:3a:38 81
  3 4 wan1 00:09:0f:15:05:46 89
  3 4 wan1 c4:2c:03:1d:1b:10 0
  2 5 wan2 00:09:0f:dc:90:68 0 Local Static

If your device’s MAC address is not listed, the FortiGate unit cannot find the device on the network. Check the device’s network connections and make sure they are connected and operational.
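As an added example (not part of the Fortinet Cookbook post), the following Python script parses the bridge table output shown above and reports whether a given MAC address has been learned and on which bridged interface. The sample output is the one quoted above, embedded as a constructed string; the MAC normalisation and the check_device verdict helper are assumptions of this example, not FortiOS features.

```python
"""Parse a FortiGate 'diagnose netlink brctl name host root.b' bridge table
(Transparent mode) and look up whether a device's MAC address is present."""
import re
from typing import Dict, List, Optional

# Constructed sample: the bridge table output quoted on the page.
SAMPLE_OUTPUT = """\
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no device devname mac addr ttl attributes
3 4 wan1 00:09:0f:cb:c2:77 88
3 4 wan1 00:26:2d:24:b7:d3 0
3 4 wan1 00:13:72:38:72:21 98
4 3 internal 00:1a:a0:2f:bc:c6 6
1 6 dmz 00:09:0f:dc:90:69 0 Local Static
3 4 wan1 c4:2c:03:0d:3a:38 81
3 4 wan1 00:09:0f:15:05:46 89
3 4 wan1 c4:2c:03:1d:1b:10 0
2 5 wan2 00:09:0f:dc:90:68 0 Local Static
"""

# One forwarding-database row: port, device index, device name, MAC, ttl,
# and an optional attribute list such as "Local Static".
ROW_RE = re.compile(
    r"^\s*(?P<port>\d+)\s+(?P<dev>\d+)\s+(?P<devname>\S+)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+(?P<ttl>\d+)"
    r"(?:\s+(?P<attrs>.*\S))?\s*$"
)


def normalize_mac(mac: str) -> str:
    """Accept 00-09-0F-CB-C2-77, 0009.0fcb.c277 or 00:09:0f:cb:c2:77 forms."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_bridge_table(text: str) -> List[Dict[str, object]]:
    """Return one dict per row that follows the column header line."""
    entries: List[Dict[str, object]] = []
    in_table = False
    for line in text.splitlines():
        if not in_table:
            # The column header marks the start of the forwarding-database rows.
            if line.strip().startswith("port no device devname"):
                in_table = True
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # blank or trailing lines
        attrs = m.group("attrs") or ""
        entries.append({
            "port": int(m.group("port")),
            "dev": int(m.group("dev")),
            "devname": m.group("devname"),
            "mac": m.group("mac").lower(),
            "ttl": int(m.group("ttl")),
            "attributes": attrs.split(),
            "local": "Local" in attrs,   # FortiGate's own interface address
        })
    return entries


def find_mac(entries: List[Dict[str, object]], mac: str) -> Optional[Dict[str, object]]:
    """Return the row for the MAC address (any common notation), or None."""
    wanted = normalize_mac(mac)
    for entry in entries:
        if entry["mac"] == wanted:
            return entry
    return None


def macs_by_interface(entries: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group learned (non-local) MACs by the bridge port they were seen on."""
    result: Dict[str, List[str]] = {}
    for entry in entries:
        if entry["local"]:
            continue
        result.setdefault(str(entry["devname"]), []).append(str(entry["mac"]))
    return result


def check_device(text: str, mac: str, expected_interface: Optional[str] = None) -> str:
    """One-line verdict for the device whose MAC is being looked for."""
    entry = find_mac(parse_bridge_table(text), mac)
    if entry is None:
        return "absent: the FortiGate has not seen this MAC on any bridged interface"
    if expected_interface and entry["devname"] != expected_interface:
        return f"present on {entry['devname']} (expected {expected_interface})"
    return f"present on {entry['devname']}"


if __name__ == "__main__":
    for mac in ("00:1A:A0:2F:BC:C6", "c4-2c-03-0d-3a-38", "de:ad:be:ef:00:01"):
        print(mac, "->", check_device(SAMPLE_OUTPUT, mac))
```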

16. Either reset the FortiGate unit to factory defaults or contact the technical assistance center.

If all else fails, reset the FortiGate unit to factory defaults using the CLI command execute factoryreset. When prompted, type y to confirm the reset.

You can also contact the technical assistance center. For contact information, go to support.fortinet.com.

Resetting the FortiGate unit to factory defaults puts the unit back into NAT/Route mode.

The post Troubleshooting your FortiGate installation appeared first on Fortinet Cookbook.


FortiGuard troubleshooting


This section contains tips to help you with some common challenges of using FortiGuard.

FortiGuard services appear as expired/unreachable.

Verify that you have registered your FortiGate unit, purchased FortiGuard services and that the services have not expired at support.fortinet.com.

Services are active but still appear as expired/unreachable.

Verify that the FortiGate unit can communicate with the Internet by accessing FortiGate CLI and using the command execute ping 8.8.8.8. You can also use the execute traceroute 8.8.8.8 command to troubleshoot connectivity to the Internet.

The FortiGate is connected to the Internet but can’t communicate with FortiGuard.

If you have not done so already, verify your DNS settings and ensure that an unblocked port is being used for FortiGuard traffic.

If the FortiGate interface connected to the Internet gets its IP address using DHCP, go to System > Network > Interfaces and edit the Internet-facing interface. Ensure that Override internal DNS is selected.

Communication errors remain.

FortiGate units contact the FortiGuard Network by sending UDP packets with typical source ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets would then have a destination port of 1027 or 1031. If your ISP blocks UDP packets in this port range, the FortiGate unit cannot receive the FDN reply packets.

To avoid port blocking, you can configure your FortiGate unit to use higher-numbered ports, such as 2048-20000, using the following CLI command:

config system global
set ip-src-port-range 2048-20000
end

Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use.


Choosing your FortiGate’s switch mode


This section contains information to help you determine which internal switch mode your FortiGate should use, a decision that should be made before the FortiGate is installed.

What is the internal switch mode?

The internal switch mode determines how the FortiGate’s physical ports are managed by the FortiGate. The two main modes are Switch mode and Interface mode.

What are Switch mode and Interface mode and why are they used?

In Switch mode, all the internal interfaces are part of the same subnet and treated as a single interface, called either lan or internal by default, depending on the FortiGate model. Switch mode is used when the network layout is basic, with most users being on the same subnet.

In Interface mode, the physical interfaces of the FortiGate unit are handled individually, with each interface having its own IP address. Interfaces can also be combined by configuring them as part of either hardware or software switches, which allow multiple interfaces to be treated as a single interface. This mode is ideal for complex networks that use different subnets to compartmentalize the network traffic.

Which mode is your FortiGate in by default?

The default mode that a FortiGate starts in varies depending on the model. To determine which mode your FortiGate unit is in, go to System > Network > Interfaces. Locate the lan or internal interface. If the interface is listed as a Physical Interface in the Type column, then your FortiGate is in Switch mode. If the interface is a Hardware Switch, then your FortiGate is in Interface mode.

How do you change the mode?

If you need to change the mode your FortiGate unit is in, first make sure none of the physical ports that make up the lan or internal interface are referenced in the FortiGate configuration (for example, in a policy or DHCP server). If your FortiGate model has a Switch Controller, you may need to disable it before you can change the internal switch mode.

Go to System > Dashboard > Status and enter either of the following commands into the CLI Console:

  1. Command to change the FortiGate to switch mode:
    config system global
         set internal-switch-mode switch
    exit
  2. Command to change the FortiGate to interface mode:
    config system global
         set internal-switch-mode interface
    exit


Troubleshooting FortiGate logging


This section contains tips to help you with some common challenges of FortiGate logging.

No log messages appear in the GUI.

Ensure that logging is enabled in both the Log Settings and the policy used for the traffic you wish to log, as logging will not function unless it is enabled in both places.

If logging is enabled in both places, check that the policy in which logging is enabled is the policy being used for your traffic. Also make sure that the policy is getting traffic by going to the policy list and adding the Sessions column to the list.

Logs from a FortiAnalyzer, FortiManager, or from FortiCloud do not appear in the GUI.

Ensure that the correct log source has been selected in the Log Settings, under GUI Preferences.

If logs still do not appear, use the following CLI command:

config system global
  set gui-lines-per-page 20
end

The FortiGate unit’s performance level has decreased since enabling disk logging.

If enabling disk logging has impacted overall performance, change the log settings to either send logs to a FortiAnalyzer unit, a FortiManager unit, or to FortiCloud.

Logging to a FortiAnalyzer unit is not working as expected.

The firmware for the FortiGate and FortiAnalyzer units may not be compatible. Check the firmware release notes, found at support.fortinet.com, to see if this is the case.


Troubleshooting web filtering


This section contains tips to help you with some common challenges of FortiGate web filtering.

The Web Filter option does not appear in the GUI.

Go to Feature Select and enable Web Filter.

New Web Filter profiles cannot be created.

Go to Feature Select and enable Multiple Security Profiles.

Web Filtering has been configured but is not working.

Make sure that web filtering is enabled in a policy. If it is enabled, check that the policy is the policy being used for the correct traffic. Also check that the policy is getting traffic by going to the policy list and adding the Sessions column to the list.

An active FortiGuard Web Filtering license displays as expired/unreachable.

If this occurs, make sure web filtering is enabled in one of your security policies. The FortiGuard service will sometimes show as expired when it is not being used, to save CPU cycles.

If web filtering is enabled in a policy, go to your FortiGuard settings and expand Web Filtering. Under Port Selection, select Use Alternate Port (8888). Select Apply to save the changes. Check whether the license is shown as active. If it is still inactive/expired, switch back to the default port and check again.


HQIP test documentation


There are certain pieces of documentation that you hope you will never have to find because it means that if you need to find them, then something has gone seriously wrong. One of those documents is the instructions for using the HQIP test.

If you haven’t heard of it, HQIP stands for Hardware Quick Inspection Package and it’s a firmware image that a Fortinet customer can use to run diagnostic tests on their hardware. HQIP firmware images are available for most of our products.

If you’re looking to use the HQIP test, chances are that your Fortinet device is having serious problems and you want to verify that the issue is hardware based rather than something that can be fixed with a configuration change or new firmware. The last thing you need at this point is a difficult time tracking down the instructions for finding and using this test, so it was decided that a post directing people to its location was worthwhile.

Location

The HQIP test documentation is located on the Fortinet Diagnose Wiki.

There are a few reasons for its choice of location.

  1. Diagnostics is the purpose of the site. The site is devoted to the explanation of diagnostic commands so instructions on a diagnostic tool fit right in.
  2. Easy collaborative editing of wiki content. There are a large number of Fortinet product lines and models within those lines. There are a number of variations in wiring configurations and new ones being discovered so a wiki page that makes adding additions and changes easy is a big plus. In fact, if you want to contribute all it takes is to create an account on the site and get your privileges elevated to include editing pages.

The HQIP page is likely to be one of those documents that is in a constant state of evolution so feedback and contributions from users will make for better content for the next people that find they need to use this document.

Looking for help with HQIP wiring diagrams

One of the pieces of information that users will most likely appreciate is the submission of wiring diagrams for the network interfaces loop-back test. A section has been created on the HQIP page for these diagrams. It includes the FortiGate 60C diagram as a basic template. Using the ASCII diagrams that are put out by the HQIP test, such as the one below, we can then make a more visually appealing image.

   [1]+-+ [3]+-+ [WAN1]+-+ [DMZ] [WAN2]
   [2]  | [4]  | [5]     |   |      |
    +   |  +   |  +      |   |      |
    +---+  +---+  +------+   +------+ 

We are still working on the graphic template, but we are thinking about something along these lines.


IPsec VPN troubleshooting


This section contains tips to help you with some common challenges of IPsec VPNs.

A VPN connection has multiple stages that can be confirmed to ensure the connection is working properly. It is easiest to see if the final stage is successful first since if it is successful the other stages will be working properly. Otherwise, you will need to work back through the stages to see where the problem is located.

When a VPN connection is properly established, traffic will flow from one end to the other as if both ends were physically in the same place. If you can determine the connection is working properly then any problems are likely problems with your applications.

On some FortiGate units, such as the FortiGate 94D, you cannot ping over the IPsec tunnel without first setting a source-IP. In this scenario, you must assign an IP address to the virtual IPSEC VPN interface. Anything sourced from the FortiGate going over the VPN will use this IP address.

If the egress/outgoing interface (determined by kernel route) has an IP address, then use the IP address of the egress/outgoing interface. Otherwise, use the IP address of the first interface from the interface list (that has an IP address).

The first diagnostic command worth running, in any IPsec VPN troubleshooting situation, is the following:

diagnose vpn tunnel list

This command is very useful for gathering statistical data such as the number of packets encrypted versus decrypted, the number of bytes sent versus received, the SPI identifier, etc. This kind of information in the resulting output can make all the difference in determining the issue with the VPN.

Another appropriate diagnostic command worth trying is:

diagnose debug flow

This command will inform you of any lack of firewall policy, lack of forwarding route, and of policy ordering issues.

The following is a list of such potential issues. Bear in mind that the troubleshooting suggestions below are not exhaustive, and may not reflect your network topology.

The options to configure policy-based IPsec VPN are unavailable.

Go to System > Feature Select. Select Show More and turn on Policy-based IPsec VPN.

If your VPN fails to connect, check the following:

  • Ensure that the pre-shared keys match exactly (see The pre-shared key does not match (PSK mismatch error) below).
  • Ensure that both ends use the same P1 and P2 proposal settings (see The SA proposals do not match (SA proposal mismatch) below).
  • Ensure that you have allowed inbound and outbound traffic for all necessary network services, especially if services such as DNS or DHCP are having problems.
  • Check that a static route has been configured properly to allow routing of VPN traffic.
  • Ensure that your FortiGate unit is in NAT/Route mode, rather than Transparent.
  • Check your NAT settings, enabling NAT traversal in the Phase 1 configuration while disabling NAT in the security policy. You might need to pin the PAT/NAT session table, or use some kind of NAT-T keepalive to avoid the expiration of your PAT/NAT translation.
  • Ensure that both ends of the VPN tunnel are using Main mode, unless multiple dial-up tunnels are being used.
  • If you have multiple dial-up IPsec VPNs, ensure that the Peer ID is configured properly on the FortiGate and that clients have specified the correct Local ID.
  • If you are using FortiClient, ensure that your version is compatible with the FortiGate firmware by reading the FortiOS Release Notes.
  • If you are using Perfect Forward Secrecy (PFS), ensure that it is used on both peers. You can use the diagnose vpn tunnel list command to troubleshoot this.
  • Ensure that the Quick Mode selectors are correctly configured. If part of the setup currently uses firewall addresses or address groups, try changing it to either specify the IP addresses or use an expanded address range. This is especially useful if the remote endpoint is not a FortiGate device.
  • If XAUTH is enabled, ensure that the settings are the same for both ends, and that the FortiGate unit is set to Enable as Server.
  • Check the IPsec VPN Maximum Transmission Unit (MTU) size. A 1500 byte MTU will be exceeded once the overhead of the ESP header, including the additional IP header, etc., is added. You can use the diagnose vpn tunnel list command to troubleshoot this.
  • If your FortiGate unit is behind a NAT device, such as a router, configure port forwarding for UDP ports 500 and 4500.
  • Remove any Phase 1 or Phase 2 configurations that are not in use. If a duplicate instance of the VPN tunnel appears on the IPsec Monitor, reboot your FortiGate unit to try and clear the entry.

If you are still unable to connect to the VPN tunnel, run the following diagnostic command in the CLI:

diagnose debug application ike -1
diagnose debug enable

The resulting output may indicate where the problem is occurring. When you are finished, disable the diagnostics by using the following command:

diagnose debug reset
diagnose debug disable

The VPN tunnel goes down frequently.

If your VPN tunnel goes down often, check the Phase 2 settings and either increase the Keylife value or enable Autokey Keep Alive.

The pre-shared key does not match (PSK mismatch error).

It is possible to identify a PSK mismatch using the following combination of CLI commands:

diag vpn ike log-filter name <phase1-name>
diag debug app ike -1
diag debug enable

This will provide you with clues as to any PSK or other proposal issues. If it is a PSK mismatch, you should see something similar to the following output:

ike 0:TRX:322: PSK auth failed: probable pre-shared key mismatch
ike Negotiate SA Error:

The SA proposals do not match (SA proposal mismatch).

The most common problem with IPsec VPN tunnels is a mismatch between the proposals offered between each party. Without a match and proposal agreement, Phase 1 can never establish. Use the following command to show the proposals presented by both parties.

diag debug app ike -1
diag debug enable

The resulting output should include something similar to the following, where blue (the two proposals listed under incoming proposal:) represents the remote VPN device, and green (the final proposal id = 1) represents the local FortiGate.

responder received SA_INIT msg
incoming proposal:
proposal id = 1:
   protocol = IKEv2:
      encapsulation = IKEv2/none
      type=ENCR, val=AES_CBC (key_len = 256)
      type=INTEGR, val=AUTH_HMAC_SHA_96
      type=PRF, val=PRF_HMAC_SHA
      type=DH_GROUP, val=1536.
proposal id = 2:
   protocol = IKEv2:
      encapsulation = IKEv2/none
      type=ENCR, val=3DES_CBC
      type=INTEGR, val=AUTH_HMAC_SHA_2_256_128
      type=PRF, val=PRF_HMAC_SHA2_256
      type=DH_GROUP, val=1536.
proposal id = 1:
   protocol = IKEv2:
      encapsulation = IKEv2/none
      type=ENCR, val=AES_CBC (key_len = 128)
      type=INTEGR, val=AUTH_HMAC_SHA_96
      type=PRF, val=PRF_HMAC_SHA
      type=DH_GROUP, val=1536.
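Added example, not from the original post: a Python checker that parses the proposal blocks from the debug output above and, when no remote proposal matches the local one, names the transform that differs. It assumes the remote proposals are the ones listed under incoming proposal: and the local proposal is the final block, both embedded here as constructed strings copied from the output above; the closest-proposal comparison is this example's own logic, not a FortiOS feature.

```python
"""Compare IKEv2 SA proposals from 'diagnose debug app ike -1' output to show
why Phase 1 fails with an SA proposal mismatch."""
import re
from typing import Dict, List, Tuple

# Constructed samples taken from the debug output quoted on the page:
# the two proposals the remote device sent, and the local FortiGate's own.
REMOTE_OUTPUT = """\
responder received SA_INIT msg
incoming proposal:
proposal id = 1:
   protocol = IKEv2:
      encapsulation = IKEv2/none
      type=ENCR, val=AES_CBC (key_len = 256)
      type=INTEGR, val=AUTH_HMAC_SHA_96
      type=PRF, val=PRF_HMAC_SHA
      type=DH_GROUP, val=1536.
proposal id = 2:
   protocol = IKEv2:
      encapsulation = IKEv2/none
      type=ENCR, val=3DES_CBC
      type=INTEGR, val=AUTH_HMAC_SHA_2_256_128
      type=PRF, val=PRF_HMAC_SHA2_256
      type=DH_GROUP, val=1536.
"""
LOCAL_OUTPUT = """\
proposal id = 1:
   protocol = IKEv2:
      encapsulation = IKEv2/none
      type=ENCR, val=AES_CBC (key_len = 128)
      type=INTEGR, val=AUTH_HMAC_SHA_96
      type=PRF, val=PRF_HMAC_SHA
      type=DH_GROUP, val=1536.
"""

PROPOSAL_RE = re.compile(r"^\s*proposal id = (\d+):")
# 'val=' runs to end of line; the trailing '.' on DH_GROUP lines is debug
# formatting, not part of the value, so it is stripped.
ATTR_RE = re.compile(r"^\s*type=(\w+), val=(.+?)\.?\s*$")

Proposal = Dict[str, str]            # transform type -> value, e.g. ENCR -> AES_CBC (key_len = 256)
TaggedProposal = Tuple[int, Proposal]  # (proposal id, transforms)


def parse_proposals(text: str) -> List[TaggedProposal]:
    """Return (id, {type: value}) for each 'proposal id = N:' block in the text."""
    proposals: List[TaggedProposal] = []
    for line in text.splitlines():
        m = PROPOSAL_RE.match(line)
        if m:
            proposals.append((int(m.group(1)), {}))
            continue
        m = ATTR_RE.match(line)
        if m and proposals:
            proposals[-1][1][m.group(1)] = m.group(2).strip()
    return proposals


def matching_pairs(remote: List[TaggedProposal], local: List[TaggedProposal]) -> List[Tuple[int, int]]:
    """IDs of (remote, local) proposals that agree on every transform type."""
    return [(rid, lid) for rid, r in remote for lid, l in local if r == l]


def count_diffs(a: Proposal, b: Proposal) -> int:
    return sum(a.get(k) != b.get(k) for k in set(a) | set(b))


def explain_mismatch(remote: List[TaggedProposal], local: List[TaggedProposal]) -> List[str]:
    """For each remote proposal, name the transforms that differ from the closest local one."""
    lines = []
    for rid, r in remote:
        # The closest local proposal is the one with the fewest differing transforms.
        lid, l = min(local, key=lambda p: count_diffs(r, p[1]))
        diffs = [f"{k}: remote {r.get(k, '-')} vs local {l.get(k, '-')}"
                 for k in sorted(set(r) | set(l)) if r.get(k) != l.get(k)]
        if diffs:
            lines.append(f"remote proposal {rid} vs local proposal {lid}: " + "; ".join(diffs))
    return lines


def check_proposals(remote_text: str, local_text: str) -> str:
    """Verdict: either the matching pair(s) or the per-transform reason for the mismatch."""
    remote = parse_proposals(remote_text)
    local = parse_proposals(local_text)
    pairs = matching_pairs(remote, local)
    if pairs:
        return "match: " + ", ".join(f"remote {r} = local {l}" for r, l in pairs)
    return "SA proposal mismatch\n" + "\n".join(explain_mismatch(remote, local))


if __name__ == "__main__":
    print(check_proposals(REMOTE_OUTPUT, LOCAL_OUTPUT))
```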

Pre-existing IPsec VPN tunnels need to be cleared.

Should you need to clear an IKE gateway, use the following commands:

diagnose vpn ike restart
diagnose vpn ike gateway clear

LAN interface connection

To confirm whether a VPN connection over LAN interfaces has been configured correctly, issue a ping or traceroute command on the network behind the FortiGate unit to test the connection to a computer on the remote network. If the connection is properly configured, a VPN tunnel will be established automatically when the first data packet destined for the remote network is intercepted by the FortiGate unit.

If the ping or traceroute fail, it indicates a connection problem between the two ends of the tunnel. This may or may not indicate problems with the VPN tunnel. You can confirm this by going to Monitor > IPsec Monitor where you will be able to see your connection. A green arrow means the tunnel is up and currently processing traffic. A red arrow means the tunnel is not processing traffic, and this VPN connection has a problem.

Dialup connection

A dialup VPN connection has additional steps. To confirm that a VPN between a local network and a dialup client has been configured correctly, at the dialup client, issue a ping command to test the connection to the local network. The VPN tunnel initializes when the dialup client attempts to connect.

If the ping or traceroute fail, it indicates a connection problem between the two ends of the tunnel. This may or may not indicate problems with the VPN tunnel, or dialup client. As with the LAN connection, confirm the VPN tunnel is established by checking Monitor > IPsec Monitor.

Troubleshooting VPN connections

If you have determined that your VPN connection is not working properly through troubleshooting, the next step is to verify that you have a Phase2 connection.

If traffic is not passing through the FortiGate unit as you expect, ensure the traffic does not contain IPcomp packets (IP protocol 108, RFC 3173). FortiGate units do not allow IPcomp packets, they compress packet payload, preventing it from being scanned.

Testing Phase 1 and 2 connections is a bit more difficult than testing the working VPN. This is because they require diagnose CLI commands. These commands are typically used by Fortinet customer support to discover more information about your FortiGate unit and its current configuration.

Before you begin troubleshooting, you must:

  • Configure FortiGate units on both ends for interface VPN
  • Record the information in your VPN Phase 1 and Phase 2 configurations – for our example here the remote IP address is 10.11.101.10 and the names of the phases are Phase 1 and Phase 2
  • Install a telnet or SSH client such as putty that allows logging of output
  • Ensure that the admin interface supports your chosen connection protocol so you can connect to your FortiGate unit admin interface.

For this example, default values were used unless stated otherwise.

To get diagnose information for the VPN connection – CLI

  1. Log into the CLI as admin with the output being logged to a file.
  2. Stop any diagnose debug sessions that are currently running with the CLI command:
     diagnose debug disable
  3. Clear any existing log-filters by running:
     diagnose vpn ike log-filter clear
  4. Set the log-filter to the IP address of the remote computer (10.11.101.10). This filters out all VPN connections except ones to the IP address we are concerned with. The command is:
     diagnose vpn ike log-filter dst-addr4 10.11.101.10
  5. Set up the commands to output the VPN handshaking. The commands are:
     diagnose debug app ike 255
     diagnose debug enable
  6. Have the remote FortiGate initiate the VPN connection in the web-based manager by going to VPN > IPsec Tunnels and selecting Bring up.
     This makes the remote FortiGate the initiator and the local FortiGate becomes the responder. Establishing the connection in this manner means the local FortiGate will have its configuration information as well as the information the remote computer sends. Having both sets of information locally makes it easier to troubleshoot your VPN connection.
  7. Watch the screen for output, and after roughly 15 seconds enter the following CLI command to stop the output:
     diagnose debug disable
  8. If needed, save the log file of this output to a file on your local computer. Saving the output to a file can make it easier to search for a particular phrase, and is useful for comparisons.

To troubleshoot a phase1 VPN connection

Using the output from To get diagnose information for the VPN connection – CLI, search for the word proposal in the output. It may occur once indicating a successful connection, or it will occur two or more times for an unsuccessful connection — there will be one proposal listed for each end of the tunnel and each possible combination in their settings. For example if 10.11.101.10 selected both Diffie-Hellman Groups 1 and 5, that would be at least 2 proposals set.

A successful negotiation proposal will look similar to:

IPsec SA connect 26 10.12.101.10->10.11.101.10:500
config found
created connection: 0x2f55860 26 10.12.101.10->10.11.101.10:500
IPsec SA connect 26 10.12.101.10->10.11.101.10:500 negotiating
no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
initiator: main mode is sending 1st message...
cookie 3db6afe559e3df0f/0000000000000000
out [encryption]
sent IKE msg (ident-i1send): 10.12.101.10:500->10.11.101.10:500, len=264, id=3db6afe559e3df0f/0000000000000000
diaike 0: comes 10.12.101.1:500->10.11.101.1:500,ifindex=26....

Note the phrase “initiator: main mode is sending 1st message...” which shows you the handshake between the ends of the tunnel is in progress. Initiator shows the remote unit is sending the first message.

VPN troubleshooting tips

Attempting hardware offloading beyond SHA1

If you are trying to off-load VPN processing to a network processing unit (NPU), remember that only SHA1 authentication is supported. For high levels of authentication such as SHA256, SHA384, and SHA512 hardware offloading is not an option — all VPN processing must be done in software.

Enable/disable IPsec ASIC-offloading

Much like NPU-offload in IKE phase1 configuration, you can enable or disable the usage of ASIC hardware for IPsec Diffie-Hellman key exchange and IPsec ESP traffic. By default hardware offloading is used. For debugging purposes, sometimes it is best for all the traffic to be processed by software.

config sys global
   set ipsec-asic-offload [enable|disable]
end

Check Phase 1 proposal settings

Ensure that both sides have at least one Phase 1 proposal in common; otherwise they will not connect. If there are many proposals in the list, this will slow down the negotiation of Phase 1. If it’s too slow, the connection may time out before completing. If this happens, try removing some of the unused proposals.

NPU offloading is supported when the local gateway is a loopback interface.

Check your routing

If routing is not properly configured with an entry for the remote end of the VPN tunnel, traffic will not flow properly. You may need static routes on both ends of the tunnel. If routing is the problem, the proposal will likely setup properly but no traffic will flow.

Try enabling XAuth

If one end of an attempted VPN tunnel is using XAuth and the other end is not, the connection attempt will fail. The log messages for the attempted connection will not mention XAuth as the reason, but when connections are failing it is a good idea to ensure both ends have the same XAuth settings. If you do not know the other end’s settings, enable or disable XAuth on your end to see if that is the problem.

General troubleshooting tips

Most connection failures are due to a configuration mismatch between the FortiGate unit and the remote peer. In general, begin troubleshooting an IPsec VPN connection failure as follows:

  1. Ping the remote network or client to verify whether the connection is up.
  2. Traceroute the remote network or client. If DNS is working, you can use domain names. Otherwise use IP addresses.
  3. Check the routing behind the dialup client. Routing problems may be affecting DHCP. If this appears to be the case, configure a DHCP relay service to enable DHCP requests to be relayed to a DHCP server on or behind the FortiGate server.
  4. Verify the configuration of the FortiGate unit and the remote peer. Check the following IPsec parameters:
  • The mode setting for ID protection (main or aggressive) on both VPN peers must be identical.
  • The authentication method (preshared keys or certificates) used by the client must be supported on the FortiGate unit and configured properly.
  • If preshared keys are being used for authentication purposes, both VPN peers must have identical preshared keys.
  • The remote client must have at least one set of Phase 1 encryption, authentication, and Diffie-Hellman settings that match corresponding settings on the FortiGate unit.
  • Both VPN peers must have the same NAT traversal setting (enabled or disabled).
  • The remote client must have at least one set of Phase 2 encryption and authentication algorithm settings that match the corresponding settings on the FortiGate unit.
  • If you are using manual keys to establish a tunnel, the Remote SPI setting on the FortiGate unit must be identical to the Local SPI setting on the remote peer, and vice versa.
  5. To correct the problem, see the following table.

VPN troubleshooting tips

Configuration problem: Mode settings do not match.
Correction: Select complementary mode settings.

Configuration problem: Peer ID or certificate name of the remote peer or dialup client is not recognized by the FortiGate VPN server.
Correction: Check the Phase 1 configuration. Depending on the Remote Gateway and Authentication Method settings, you have a choice of options to authenticate FortiGate dialup clients or VPN peers by ID or certificate name. If you are configuring authentication parameters for FortiClient dialup clients, refer to the Authenticating FortiClient Dialup Clients Technical Note.

Configuration problem: Preshared keys do not match.
Correction: Reenter the preshared key.

Configuration problem: Phase 1 or Phase 2 key exchange proposals are mismatched.
Correction: Make sure that both VPN peers have at least one set of proposals in common for each phase.

Configuration problem: NAT traversal settings are mismatched.
Correction: Select or clear both options as required.
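As an added example (not code from the Fortinet Cookbook), the following Python script applies the checklist and correction table above to two peer configurations and reports every mismatch in the table's wording; the PeerConfig field names and the sample peers are assumptions constructed for the example.

```python
"""Added example, not from the Fortinet Cookbook: check the IPsec settings that
the checklist says must match between a FortiGate and its remote peer.
Field names and sample values below are assumptions."""
from __future__ import annotations

import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Phase1Proposal:
    encryption: str      # e.g. "aes256"
    authentication: str  # e.g. "sha256"
    dh_group: int        # Diffie-Hellman group number


@dataclass(frozen=True)
class Phase2Proposal:
    encryption: str
    authentication: str


@dataclass(frozen=True)
class PeerConfig:
    name: str
    mode: str                       # ID protection mode: "main" or "aggressive"
    auth_method: str                # "psk" or "certificate"
    preshared_key: Optional[str]
    nat_traversal: bool
    phase1: tuple[Phase1Proposal, ...]
    phase2: tuple[Phase2Proposal, ...]
    local_spi: Optional[str] = None   # manual-key tunnels only
    remote_spi: Optional[str] = None


def check_peers(fortigate: PeerConfig, peer: PeerConfig) -> list[str]:
    """Return every mismatch found, worded like the correction table."""
    problems: list[str] = []

    if fortigate.mode != peer.mode:
        problems.append("Mode settings do not match. Select complementary mode settings.")

    if fortigate.auth_method != peer.auth_method:
        problems.append("Authentication methods differ: both peers must use "
                        "preshared keys or both must use certificates.")
    elif fortigate.auth_method == "psk":
        # constant-time comparison so the checker itself never leaks key prefixes
        a = (fortigate.preshared_key or "").encode()
        b = (peer.preshared_key or "").encode()
        if not hmac.compare_digest(a, b):
            problems.append("Preshared keys do not match. Reenter the preshared key.")

    # Each phase needs at least one proposal in common, not an identical list.
    if not set(fortigate.phase1) & set(peer.phase1):
        problems.append("Phase 1 proposals are mismatched: no common "
                        "encryption/authentication/Diffie-Hellman set.")
    if not set(fortigate.phase2) & set(peer.phase2):
        problems.append("Phase 2 proposals are mismatched: no common "
                        "encryption/authentication set.")

    if fortigate.nat_traversal != peer.nat_traversal:
        problems.append("NAT traversal settings are mismatched. "
                        "Select or clear both options as required.")

    # Manual keys: SPIs are crossed, FortiGate Remote SPI == peer Local SPI and vice versa.
    manual = fortigate.local_spi is not None or peer.local_spi is not None
    if manual and (fortigate.remote_spi != peer.local_spi
                   or fortigate.local_spi != peer.remote_spi):
        problems.append("Manual-key SPIs are not crossed correctly: the FortiGate "
                        "Remote SPI must equal the peer Local SPI and vice versa.")
    return problems


# Constructed sample: the branch admin mistyped the key and offers only a
# Phase 2 algorithm set that the FortiGate does not have.
HQ = PeerConfig(
    name="hq-fgt", mode="main", auth_method="psk", preshared_key="correct horse",
    nat_traversal=True,
    phase1=(Phase1Proposal("aes256", "sha256", 14), Phase1Proposal("aes128", "sha1", 5)),
    phase2=(Phase2Proposal("aes256", "sha256"),),
)
BRANCH = PeerConfig(
    name="branch", mode="main", auth_method="psk", preshared_key="correct hoarse",
    nat_traversal=True,
    phase1=(Phase1Proposal("aes256", "sha256", 14),),
    phase2=(Phase2Proposal("aes128", "sha1"),),
)

if __name__ == "__main__":
    for problem in check_peers(HQ, BRANCH):
        print("-", problem)
```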

A word about NAT devices

When a device with NAT capabilities is located between two VPN peers or a VPN peer and a dialup client, that device must be NAT traversal (NAT-T) compatible for encrypted traffic to pass through the NAT device.

The post IPsec VPN troubleshooting appeared first on Fortinet Cookbook.

SSL VPN troubleshooting


This page contains tips to help you with some common challenges for SSL VPN.

  • Enter the following to display debug messages for SSL VPN:
diagnose debug application sslvpn -1

This command enables debugging of SSL VPN with a debug level of -1. The -1 debug level produces detailed results.

  • Enter the following command to verify the debug configuration:
diagnose debug info
debug output: disable
console timestamp: disable
console no user log message: disable
sslvpn debug level: -1 (0xffffffff)
CLI debug level: 3

This output verifies that SSL VPN debugging is enabled with a debug level of -1, and shows what filters are in place. The output above indicates that debug output is disabled, so debug messages are not displayed. The output also indicates that debugging has not been enabled for any software systems.

  • Enter the following to enable displaying debug messages:
diagnose debug enable

To view the debug messages, log into the SSL VPN portal. The CLI displays debug output similar to the following:

FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
  • Enter the following to stop displaying debug messages:
diagnose debug disable
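As an added example (not Fortinet's code), the following Python parser reads debug output in the format shown above, reconstructs each handshake per process, and flags a handshake that never reached the "negotiation finished successfully" state or that negotiated a legacy protocol version or a SHA1 MAC; the second handshake from 10.0.0.5 (process 283) is constructed sample data.

```python
"""Added example, not Fortinet's code: parse 'diagnose debug application sslvpn'
output of the form shown above and summarise each SSL VPN handshake.
The 10.0.0.5 handshake and process id 283 are constructed sample data."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# "[pid:vdom]SSL state:..." or "[pid:vdom]SSL established: ...", with an
# optional "hostname # " CLI prompt in front of the first line.
LINE_RE = re.compile(
    r"^(?:\S+\s+#\s+)?\[(?P<pid>\d+):(?P<vdom>\w+)\]SSL (?P<kind>state|established):\s*(?P<rest>.*)$"
)
# state messages end with the client address in parentheses
STATE_RE = re.compile(r"^(?P<msg>.*?)\s*\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)$")
# key=value fields of the "SSL established" summary line
PARAM_RE = re.compile(r"(?P<key>Kx|Au|Enc|Mac)=(?P<val>\S+)")

# Versions a defender would not want an SSL VPN portal to negotiate.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class Handshake:
    pid: int
    vdom: str
    client_ip: Optional[str] = None
    states: list[str] = field(default_factory=list)
    cipher: Optional[str] = None     # e.g. "DHE-RSA-AES256-SHA"
    protocol: Optional[str] = None   # negotiated version from the established line
    params: dict[str, str] = field(default_factory=dict)  # Kx, Au, Enc, Mac

    @property
    def completed(self) -> bool:
        return any("negotiation finished successfully" in s for s in self.states)


def parse_sslvpn_debug(text: str) -> dict[int, Handshake]:
    """Group debug lines by process id; lines that do not match are ignored."""
    handshakes: dict[int, Handshake] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pid = int(m["pid"])
        hs = handshakes.setdefault(pid, Handshake(pid, m["vdom"]))
        if m["kind"] == "state":
            # "SSLv3 read client hello A" etc. are OpenSSL state-machine names and
            # appear for TLS handshakes too; only the established line carries
            # the negotiated protocol version.
            sm = STATE_RE.match(m["rest"])
            if sm:
                hs.states.append(sm["msg"])
                hs.client_ip = sm["ip"]
            else:
                hs.states.append(m["rest"])
        else:
            parts = m["rest"].split()
            if len(parts) >= 2:
                hs.cipher, hs.protocol = parts[0], parts[1]
            hs.params = {p["key"]: p["val"] for p in PARAM_RE.finditer(m["rest"])}
    return handshakes


def audit(hs: Handshake) -> list[str]:
    """Findings a defender would act on for one handshake."""
    findings: list[str] = []
    if not hs.completed:
        last = hs.states[-1] if hs.states else "none"
        findings.append(f"handshake with {hs.client_ip} did not complete (last state: {last})")
    if hs.protocol in LEGACY_PROTOCOLS:
        findings.append(f"negotiated legacy protocol {hs.protocol}")
    if hs.params.get("Mac") == "SHA1":
        findings.append("negotiated SHA1 MAC")
    return findings


# The first handshake is the output shown above; the second is constructed.
SAMPLE_DEBUG = """\
FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
[283:root]SSL state:before/accept initialization (10.0.0.5)
[283:root]SSL state:SSLv3 read client hello A (10.0.0.5)
"""

if __name__ == "__main__":
    for pid, hs in sorted(parse_sslvpn_debug(SAMPLE_DEBUG).items()):
        print(f"pid {pid} client {hs.client_ip}: {len(hs.states)} states, "
              f"cipher {hs.cipher}, protocol {hs.protocol}")
        for finding in audit(hs):
            print("  !", finding)
```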

The following is a list of potential issues. The suggestions below are not exhaustive, and may not reflect your network topology.

There is no response from the SSL VPN URL.

  • Go to VPN > SSL-VPN Settings and check the SSL VPN port assignment. Also, verify that the SSL VPN policy is configured correctly.
  • Check the URL you are attempting to connect to. It should follow this pattern:
https://<FortiGate IP>:<Port>/remote/login
  • Ensure that you are using the correct port number in the URL.

FortiClient cannot connect.

Read the Release Notes to ensure that the version of FortiClient you are using is compatible with your version of FortiOS.

Tunnel-mode connection shuts down after a few seconds.

This issue can occur when there are multiple interfaces connected to the Internet (for example, a dual WAN). Upgrade to the latest firmware then use the following CLI command:

config vpn ssl settings
   set route-source-interface enable
end

When you attempt to connect using FortiClient or in Web mode, you are returned to the login page, or you receive the following error message: “Unable to logon to the server. Your user name or password may not be configured properly for this connection. (-12)”.

  • Ensure that cookies are enabled in your browser.
  • If you are using a remote authentication server, ensure that the FortiGate is able to communicate with it.
  • Access to the web portal or tunnel will fail if Internet Explorer has the privacy Internet Options set to High. If set to High, Internet Explorer will block cookies that do not have a compact privacy policy, and that use personally identifiable information without your explicit consent.

You receive an error message stating: “Destination address of Split Tunneling policy is invalid.”

The SSL VPN security policy uses the ALL address as its destination. Change the address to that of the protected network instead.

The tunnel connects but there is no communication.

Go to Network > Static Routes and ensure that there is a static route to direct packets destined for the tunnel users to the SSL VPN interface.

You can connect remotely to the VPN tunnel but are unable to access the network resources.

Go to Policy & Objects > IPv4 Policy and examine the policy allowing VPN access to the local network. If the destination address is set to all, create a firewall address for the internal network. Change the destination address and attempt to connect remotely again.

Users are unable to download the SSL VPN plugin.

Go to VPN > SSL-VPN Portals to make sure that the option to Limit Users to One SSL-VPN Connection at a Time is disabled. This allows users to connect to the resources on the portal page while also connecting to the VPN through FortiClient.

Users are being assigned to the wrong IP range.

Ensure that the same IP Pool is used in VPN Portal and VPN Settings to avoid conflicts. If there is a conflict, the portal settings will be used.

Sending tunnel statistics to FortiAnalyzer

By default, logged events include tunnel-up and tunnel-down status events. Other events, by default, will appear in the FortiAnalyzer report as “No Data Available”. More accurate results require logs with action=tunnel-stats, which is used in generating reports on the FortiAnalyzer (rather than the tunnel-up and tunnel-down event logs). The FortiGate does not, by default, send tunnel-stats information.

To allow VPN tunnel-stats to be sent to FortiAnalyzer, configure the FortiGate unit as follows using the CLI:

config system settings
   set vpn-stats-log ipsec ssl
   set vpn-stats-period 300
end




Setting up FortiGuard services


If you have purchased FortiGuard services and registered your FortiGate, it should automatically connect to FortiGuard and display license information about your services. In this example, you will verify whether the FortiGate unit is communicating with FortiGuard. If the FortiGate cannot connect, you will troubleshoot the connection.


1. Verifying the connection

Go to the Dashboard and find the License Information widget.

An icon appears beside each FortiGuard service, indicating its current status:

  • The service is active and the FortiGate is connected to the FortiGuard network.
  • The FortiGate unit cannot connect to the FortiGuard network, or the FortiGate unit is not registered.
  • The subscription has not been activated or has expired. To add or renew a subscription, go to Fortinet Support.
You can also view FortiGuard license information by going to System > FortiGuard.  

2. Troubleshooting communication errors

If a service that you subscribe to is shown as unavailable, there are several things you can do to troubleshoot the connection.

Go to Network > DNS and ensure that the primary and secondary DNS servers are correct and the FortiGate is Connected to FortiGuard.  

To test if your DNS can reach FortiGuard, go to the Dashboard and enter the following command into the CLI Console:

execute ping guard.fortinet.net

If the connection is successful, the CLI Console should display a similar output as the example below:

PING guard.fortinet.net (208.91.112.198): 56 data bytes
64 bytes from 208.91.112.198: icmp_seq=0 ttl=59 time=60.0 ms
64 bytes from 208.91.112.198: icmp_seq=1 ttl=59 time=50.0 ms
64 bytes from 208.91.112.198: icmp_seq=2 ttl=59 time=50.0 ms
64 bytes from 208.91.112.198: icmp_seq=3 ttl=59 time=50.0 ms
64 bytes from 208.91.112.198: icmp_seq=4 ttl=59 time=50.0 ms

--- guard.fortinet.net ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 50.0/52.0/60.0 ms

To test if the FortiGuard services are reachable, go to System > FortiGuard.

Under Filtering, check Filtering Services Availability. If the services are not shown as available, select Check Again.


If FortiGuard services can still not be reached, your ISP may be blocking access to port 53 (used for DNS). Change the FortiGuard Filtering Port to the alternate port (8888). Select Apply and see if the services become available.

If your FortiGate is still unable to connect to FortiGuard, you can find more troubleshooting methods and other information in the FortiGuard section of the FortiOS 5.4 Handbook.

3. Results

Go to the Dashboard and view the License Information widget. Any subscribed service should show the active status icon beside it.
Go to System > FortiGuard. Features and services you are subscribed to should show the active status icon beside them.

For further reading, check out FortiGuard in the FortiOS 5.4 Handbook.

Only services that have been enabled in Feature Select will appear in the widget. To enable more services, go to System > Feature Select.
For information about registering your FortiGate, see the recipe FortiGate registration and basic settings.
If you are updating FortiGuard using a FortiManager, the FortiGuard Filtering Port can also be 80.


FortiMail Troubleshooting: Access Difficulty


The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting access problems, such as an administrator account that can’t connect to the basic web UI or problems logging in as an administrator.

 

Problem #1: Inaccessible Basic UI

An administrator account can’t connect to the basic mode of the web interface or the CLI, despite being able to connect to the advanced mode of the web UI.

The Solution

Set the administrator account’s Domain to System. Domain administrators, also known as tiered administrators, cannot access the CLI or the basic mode of the GUI. For more information, see FortiMail operation modes on page 23 of the Administrator Guide.

Problem #2: Log in Issues

Administrators cannot log in to the web UI or the CLI.

The Solution

First, make sure you’re using the correct admin name and password.

Each FortiMail interface has a set of administrator access protocols. These are the methods an administrator uses to connect to FortiMail. Any or all of these protocols can be disabled on any interface.

IMPORTANT: For security purposes, you should only enable access that is required. If you open access for troubleshooting, remember to disable it when you’re done. Failure to disable access may result in a security breach.

To enable administrator access on the dmz interface

  1. Log in as administrator.
  2. Go to System > Network > Interface.
  3. Select the interface and select
  4. Select the protocols you wish to use to access the interface in the Access
  5. Select

Repeat for each interface where administrative access is required.

Problem #3: Trusted Host Issues

The trusted hosts for the admin account will not allow the current IP.

The Solution

If an external administrator login is required, a secure VPN tunnel can be established with a set IP address or range of addresses that are entered as a trusted address.

Trusted host login issues occur when an administrator attempts to log in from an IP address that is not included in the trusted host list.

To verify trusted host login issues

  1. Record the IP address where the administrator is attempting to log in to the FortiMail unit.
  2. Log in to the web UI and go to System > Administrator > Administrator.
  3. Select the administrator account in question and click the Edit icon.
  4. Compare the list of trusted hosts to the problem IP address. If there is a match, the problem is not due to trusted hosts.
  5. If there is no match and the new address is valid (secure), add it to the list of trusted hosts.
  6. Select OK.

If the problem was due to trusted hosts, the administrator can now log in.


IPsec VPN Troubleshooting (Video)


In this video, you will learn how to troubleshoot a site-to-site IPsec VPN that provides transparent communication between a Headquarters FortiGate and a Branch office FortiGate. This video will show you how to diagnose common problems when your tunnel connection fails, and how to adjust your settings when the tunnel drops on and off. This video includes common Preshared Secret Key issues, Security Association or “SA” proposal errors, quick mode selector issues, and more. By the end of this tutorial you should have a better understanding of how to use these debug commands for basic troubleshooting. This video is recorded on FortiOS 5.2.6, and although the GUI options may vary, the troubleshooting tips and CLI commands are relevant for most recent builds.

The recipe for this video is available here.


FortiMail Troubleshooting: Defining the Problem


The troubleshooting collection of recipes seeks to assist you in determining why your FortiMail unit is behaving unexpectedly.

It includes general troubleshooting methods and specific troubleshooting tips to help you understand and rectify any problems you may have with your unit. 

This recipe covers everything you need to understand your current problem. Before beginning any actual troubleshooting, you first have to identify the problem.

 

Identifying the Problem

The easiest way to identify the problem is to answer the following questions:

  1. Where and when did the problem occur?
  2. Did the unit work properly in the past?
  3. Is your FortiMail unit communicating with your network? Is there a connection to a DNS server? 
  4. Is there more than one thing that is not working?
  5. Can you reproduce the problem at any time or is it intermittent?
  6. Are the servers covered by the policy working? Has a policy been disabled? Check the status of the protected servers.
  7. Is your system overloaded? View the System Resource on the dashboard.
  8. Has anything changed recently? Use the FortiMail event log to see if something has changed in the configuration. If something did change, see what the effect is when you roll back the change.
  9. After determining the scope of the problem and isolating it, which servers does it affect?

Once you have determined the problem, you can begin searching for a solution.


FortiMail Troubleshooting: Bootup Issues


The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting problems you may experience in rare cases when powering up your FortiMail unit.

If the following suggestions do not remedy the issue, please be sure to contact customer support.

When you cannot connect to the FortiMail unit through the network using CLI or the web UI, connect a PC directly to the FortiMail unit’s management console using a serial connection. (The cable varies with the FortiMail model. See the model’s quickstart guide for details.)

Open a terminal emulation interface, such as HyperTerminal, to act as the console. The issues covered in this section all refer to various potential bootup issues.

Once you have a direct console connection to the FortiMail unit, work through the following questions and keep a copy of the console’s output messages.

Boot Options Menu

Do you see the boot options menu?

NO: Ensure that your serial communication parameters are set to no flow control, check that the baud rate and framing are set correctly (usually 9600 baud, data bits 8, parity none, stop bits 1), and reboot the FortiMail unit.

YES: Proceed to the next section.

Console Text

  1. Do you see a console message?

    NO: Go to the next section.
    YES: Ensure your console communication settings are correct. Check the FortiMail QuickStart Guide for settings specific to your model.

  2. Are the console messages incoherent?

    NO: Your problem should be fixed. If not, contact customer support.
    YES: Ensure your console communication settings are correct for your unit. Check the FortiMail QuickStart Guide for system specific settings.

  3. Do the console messages stop before the prompt: Press Any Key to Download Boot Image?

    NO: Follow the console instruction Press any key to download Boot Image and go to the next step.
    YES: Proceed to the Defective FortiMail Unit section.

  4. Do you see one of the following messages when pressing a key?

    [G] Get Firmware image from TFTP server
    [F] Format boot device
    [B] Boot with backup firmware and act as default
    [Q] Quit menu and continue to boot with default firmware
    [H] Display this list of options

    NO: Ensure your serial communication parameters are set to no flow control, check that the correct baud rate is set. Change settings if needed and reboot the unit.
    YES: Proceed to the Defective FortiMail Unit section.

  5. Did the reboot fix the problem?

    NO: Proceed to the Defective FortiMail Unit section 

Visible Power Problems

Do you have a visible power problem?

  1. Is the LED light on the FortiMail unit on?

    NO: Ensure the power is on.
    YES: Continue

  2. Are you using an external power adapter?

    NO: Proceed to the Defective FortiMail Unit section.
    YES: Replace the power adapter.

  3. Is the power supply defective?

    NO: Proceed to the Defective FortiMail Unit section.
    YES: Replace the power supply and test again.

Defective FortiMail Unit

If you have followed the previous steps and have determined that there is a good chance your unit is defective, be sure to contact Fortinet customer support.


FortiMail Troubleshooting: Slow Performance


The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting resource issues, such as slow performance.

 

Problem: Slow Performance

The FortiMail unit is suffering from slow or stalled performance.

The Solution

Use the CLI to view a list of the most system-intensive processes. From the CLI you will be able to see what processes are using the most resources. For example: 
diagnose system top 10
The above command generates a report of processes every ten seconds. The report provides the process names, their process ID (pid), status, CPU usage, and memory usage. 

The report continues to refresh and display in the CLI window until you enter q (quit).


FortiMail Troubleshooting: HA Issues


The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting HA issues, such as an active-passive HA cluster that does not fail over and mail queues that cannot be viewed.

 

Problem #1: Not Switching After Failure

Active-passive HA cluster does not switch to the backup unit after a failure.

The Solution

If an individual service has failed that does not disrupt the HA heartbeat, an active-passive HA cluster may not fail over. For example, one or more services (such as SMTP, IMAP, POP3, web access, or a hard drive or network interface) could fail on the primary unit (master) without affecting the HA heartbeat. To cause failover when an individual service fails, configure service monitoring on both the primary unit and backup unit. See Configuring Service Based Failover in the Administrator Guide.

Problem #2: Cannot See Mail Queues

Mail queues do not appear on the HA backup unit.

The Solution

In order to display queue content in the backup unit, mail data must be synchronized from the primary unit. If the Backup MTA queue directories option is disabled, mail queues will not be synchronized. You can enable MTA spool synchronization to view the mail queues from either the backup unit or the primary unit.

Important: Synchronization of MTA spool directories can result in a decrease in performance and may not allow you to view all email in the mail queues, as mail queue content can change more rapidly than synchronization occurs.



FortiMail Troubleshooting: Server Connection Issues


The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting connection issues.

 

Problem #1: FDN Server Connection Problems

The FortiMail unit cannot connect to the FDN servers to use the FortiGuard Antivirus and/or FortiGuard Antispam services.

The Solution

FortiGuard Antivirus and FortiGuard Antispam subscription services use multiple types of connections with the FortiGuard Distribution Network (FDN). For details on verifying FDN connection, see “Verifying connectivity with FortiGuard services” on page 218.

For all FortiGuard connection types, you must satisfy the following requirements:

  1. Register your FortiMail unit with the Fortinet Technical Support web site, https://support.fortinet.com/.
  2. Obtain a trial or purchased service contract for FortiGuard Antispam and/or FortiGuard Antivirus and apply it to your FortiMail unit.

    If you have multiple FortiMail units, including those operating in high availability (HA), you must obtain separate contracts for each FortiMail unit.

  3. Configure your FortiMail unit to connect with a DNS server that can resolve the domain names of FortiGuard servers. For more information, see “Configuring DNS” in the FortiMail Administrator Guide.
  4. Verify that you have satisfied the DNS and routing requirements by typing the following commands in the CLI:
    execute nslookup name service.fortiguard.net
    execute nslookup name fdsl.fortinet.com
    execute traceroute <address_ipv4>
    (where <address_ipv4> is the address of one of the FortiGuard servers)

If you have satisfied these requirements, verify that you have satisfied the requirements specific to the type of connection that is failing. Consult the following table:

Scheduled Updates:
  1. Configure the system time of the FortiMail unit, including its time zone.
  2. Make sure intermediary firewall devices allow the FortiMail unit to use HTTPS on TCP port 443 to connect to the FDN.
  3. Use the CLI command set system autoupdate tunneling to enable the FortiMail unit to connect to the FDN through the proxy.
  4. Override the FortiGuard server to which the FortiMail unit is connecting and connect to a non-default server for your time zone.

Push Updates:
  1. Satisfy all the requirements for scheduled updates listed above.
  2. If there is a NAT device installed between the FortiMail unit and the FDN, configure it to forward push traffic (UDP port 9443) to the FortiMail unit. You will also need to configure “Use override push IP”. For more information, see “Configuring push updates” in the FortiMail Administrator Guide.

Rating Queries:
  Intermediary firewall devices must allow the FortiMail unit to use UDP port 53 to connect to the FDN.


FortiMail Troubleshooting: UI Connection Problems


The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting connection issues, such as an administrator account unable to connect to the basic mode of the web interface.

 

Problem #1: Inaccessible Basic UI

An administrator account can’t connect to the basic mode of the web interface or the CLI, despite being able to connect to the advanced mode of the web UI.

The Solution

Set the administrator account’s Domain to System. Domain administrators, also known as tiered administrators, cannot access the CLI or the basic mode of the GUI. For more information, see FortiMail operation modes on page 23 of the Administrator Guide.

Problem #2: Log in Issues

Administrators cannot log in to the web UI or the CLI.

The Solution

First, make sure you’re using the correct admin name and password.

Each FortiMail interface has a set of administrator access protocols. These are the methods an administrator uses to connect to FortiMail. Any or all of these protocols can be disabled on any interface.

IMPORTANT: For security purposes, you should only enable access that is required. If you open access for troubleshooting, remember to disable it when you’re done. Failure to disable access may result in a security breach.

To enable administrator access on the dmz interface

  1. Log in as administrator.
  2. Go to System > Network > Interface.
  3. Select the interface and select
  4. Select the protocols you wish to use to access the interface in the Access
  5. Select

Repeat for each interface where administrative access is required.

Problem #3: Trusted Host Issues

The trusted hosts for the admin account will not allow the current IP.

The Solution

If an external administrator login is required, a secure VPN tunnel can be established with a set IP address or range of addresses that are entered as a trusted address.

Trusted host login issues occur when an administrator attempts to log in from an IP address that is not included in the trusted host list.

To verify trusted host login issues

  1. Record the IP address where the administrator is attempting to log in to the FortiMail unit.
  2. Log in to the web UI and go to System > Administrator > Administrator.
  3. Select the administrator account in question and click the Edit icon.
  4. Compare the list of trusted hosts to the problem IP address. If there is a match, the problem is not due to trusted hosts.
  5. If there is no match and the new address is valid (secure), add it to the list of trusted hosts.
  6. Select OK.

If the problem was due to trusted hosts, the administrator can now log in.


FGCP High Availability Troubleshooting


This post is intended to help you find and fix some common and not so common FortiGate Clustering Protocol (FGCP) HA problems.

1. Before you set up a cluster

Before you set up a FortiGate FGCP cluster, ask yourself these questions:

  • Do all the FortiGates have the same hardware version and the same hardware configuration?
  • Do all the FortiGates have the same firmware build?
  • Are all the FortiGates set to the same operating mode (NAT or Transparent)?
  • Are all the FortiGates operating in single VDOM mode?
  • If the FortiGates are operating in multiple VDOM mode do they all have the same VDOM configuration?

In some cases you may be able to form a cluster if your FortiGates have different firmware builds, different VDOM configurations, and are in different operating modes. However, if you encounter problems when forming a cluster you may be able to resolve them by installing the same firmware build on each unit and giving them the same VDOM configuration and operating mode. If possible you could also reset them all to factory defaults and start over.

2. Troubleshooting hardware revisions

Many FortiGate platforms have gone through multiple hardware versions and in some cases the hardware changes may prevent cluster formation. If you run into this problem you can use the following command on each FortiGate in the cluster to cause the cluster to ignore different hardware versions:

execute ha ignore-hardware-revision enable

This command is only available on FortiGates that have had multiple hardware revisions. So if the command isn’t present then hardware version issues should not prevent cluster formation.

By default the command is set to prevent cluster formation between FortiGates with different hardware revisions. You can enter the following command to view its status:

execute ha ignore-hardware-revision status

Usually the incompatibility is caused by different hardware versions having different hard disks and enabling this command disables each FortiGate’s hard disks. As a result of disabling hard disks the cluster will not support logging to the hard disk or WAN Optimization.

If the FortiGates do have compatible hardware versions or if you want to run a FortiGate in standalone mode you can enter the following command to disable ignoring the hardware revision and enable the hard disks:

execute ha ignore-hardware-revision disable

Affected models include but are not limited to:

  • FortiGate-100D
  • FortiGate-300C
  • FortiGate-600C
  • FortiGate-800C
  • FortiGate-80C and FortiWiFi-80C
  • FortiGate-60C

3. Troubleshooting the initial cluster configuration

This step describes how to check a cluster when it first starts up to make sure that it is configured and operating correctly. This section assumes you have already configured your HA cluster and it appears to be up and running normally.

To verify that a cluster can process traffic and react to a failure:

  1. Add a basic security policy configuration and send network traffic through the cluster to confirm connectivity. For example, if the cluster is installed between the Internet and an internal network, set up a basic internal to external security policy that accepts all traffic. Then from a PC on the internal network, browse to a website on the Internet or ping a server on the Internet to confirm connectivity.
  2. From your management PC, set ping to continuously ping through the cluster, and then start a large download, or in some other way establish ongoing traffic through the cluster.
  3. While traffic is going through the cluster, disconnect the power from one of the cluster units. You could also shut down or restart a cluster unit. Traffic should continue with minimal interruption.
  4. Start up or reconnect the cluster unit that you disconnected. The FortiGate should re-join the cluster with little or no effect on traffic.
  5. Disconnect a cable from one of the HA heartbeat interfaces. The cluster should keep functioning, using the other HA heartbeat interface.
  6. If you have port monitoring enabled, disconnect a network cable from a monitored interface. Traffic should continue with minimal interruption.
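To put a number on the "minimal interruption" expected in steps 3 to 6, the following added example (not part of the Fortinet Cookbook recipe) keeps a ping going through the cluster from the management PC and reports every window during which replies stopped. The target host, the probe interval and the Linux iputils ping flags are assumptions; the analyzer works on any list of (timestamp, ok) samples, so it can also be fed constructed data.

```python
"""Measure traffic interruption while a FortiGate cluster fails over.

Added example, not from the Fortinet Cookbook. probe_loop() runs a steady
ping through the cluster (step 2 of the procedure) and outage_windows() turns
the results into gaps, so the interruption seen in steps 3-6 becomes a number.
Host, interval and the `ping` flags are assumptions for a Linux PC.
"""
import subprocess
import time


def probe_once(host, timeout_s=1.0):
    """One ICMP probe via the system ping; True if a reply came back."""
    cmd = ["ping", "-c", "1", "-W", str(max(1, int(timeout_s))), host]  # iputils flags
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def probe_loop(host, duration_s, interval_s=0.5):
    """Collect (timestamp, ok) samples for duration_s seconds."""
    samples, end = [], time.monotonic() + duration_s
    while time.monotonic() < end:
        t0 = time.monotonic()
        samples.append((t0, probe_once(host, interval_s)))
        time.sleep(max(0.0, interval_s - (time.monotonic() - t0)))
    return samples


def outage_windows(samples):
    """(start, end, missed_probes) per outage in a (timestamp, ok) list.

    end is the timestamp of the first successful probe after the gap; an
    outage that never recovers ends at the last sample's timestamp.
    """
    windows, start, missed = [], None, 0
    for t, ok in samples:
        if not ok:
            if start is None:
                start = t
            missed += 1
        elif start is not None:
            windows.append((start, t, missed))
            start, missed = None, 0
    if start is not None:  # still down when the run ended
        windows.append((start, samples[-1][0], missed))
    return windows


def summarize(samples):
    """Loss ratio, longest outage in seconds and outage count for a run."""
    if not samples:
        return {"loss": 0.0, "longest_outage_s": 0.0, "outages": 0}
    windows = outage_windows(samples)
    longest = max((end - start for start, end, _ in windows), default=0.0)
    lost = sum(1 for _, ok in samples if not ok)
    return {"loss": lost / len(samples), "longest_outage_s": longest,
            "outages": len(windows)}


if __name__ == "__main__":
    # Run for two minutes, pull the power on one cluster unit half way
    # through, then read off the longest gap. The host is an assumption.
    run = probe_loop("192.0.2.10", duration_s=120, interval_s=0.5)
    print(summarize(run))
```

A 0.5 s interval resolves failover gaps down to about half a second, which is enough to tell a normal FGCP failover from a cluster that actually dropped sessions; for subsecond failover testing, lower the interval.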
  

4. Verifying the cluster configuration from the GUI

If a cluster is formed you can do the following to verify its status and configuration.

  1. Log into the cluster GUI. Verify that the System Information widget lists all of the cluster units.
  2. Check the Unit Operation widget to verify that the correct cluster unit interfaces are connected.
  3. Go to System > HA or, on the System Information dashboard widget, select HA Status > Configure and verify that all of the cluster units are displayed in the HA Cluster list.
  4. From the cluster members list, edit the primary unit (master) and verify the cluster configuration.

5. Troubleshooting the cluster configuration from the GUI

Try this if the FortiGates don’t successfully form a cluster:

Connect to each cluster unit GUI and verify that the HA configurations are the same. The HA configurations of all cluster units must be identical. Even though the HA configuration is very simple you can easily make a small mistake that prevents a FortiGate from joining a cluster. (I speak from personal experience here.)

If the configurations are the same, try re-entering the HA password on each cluster unit in case you made an error typing the password when configuring one of the cluster units.

Check that the correct interfaces of each cluster unit are connected. Check the cables and interface LEDs. Use the Unit Operation dashboard widget, system network interface list, or cluster members list to verify that each interface that should be connected actually is connected. If a link is down re-verify the physical connection. Try replacing network cables or switches as required.

  

6. Verifying the cluster configuration from the CLI

If a cluster is formed you can do the following to verify its status and configuration.

Log into each cluster unit CLI. You can use the GUI CLI console, SSH, or a direct console port connection.

Enter the command get system status. Look for the current HA mode in the command output. If the cluster is operating correctly and you have connected to the primary unit you should see something like this:

Current HA mode: a-a, master

You can connect to the backup (subordinate) unit through its own console port, or from the primary unit's CLI by using the execute ha manage command to open a session on the backup unit. If the cluster is operating correctly you will see something like this:

Current HA mode: a-a, backup

If the FortiGate is not operating in HA mode the get system status command output is something like this:

Current HA mode: standalone

Verify that the get system ha status command displays all of the cluster units. For example, for a cluster of three FortiGate units, the command output should contain something like this:

Master: 5001d-slot3     , FG-5KD3914800344
Slave : 5001d-slot5     , FG-5KD3914800353
Slave : 5001d-slot4     , FG-5KD3914800284

Enter the get system ha command to verify that the HA configuration is correct and the same for each cluster unit.

get system ha
group-id : 0
group-name : External-HA-cluster
mode : a-p
password : *
hbdev : "port3" 50 "port4" 50
.
.
.

7. Troubleshooting the cluster configuration from the CLI

If the FortiGates don’t successfully form a cluster, try using the following command to re-enter the cluster password.  Do this for each cluster unit in case you made an error typing the password when configuring one of the cluster units.

config system ha
    set password <password>
end

Check that the correct interfaces of each cluster unit are connected. Check the cables and interface LEDs. Use the get hardware nic <interface_name> command to confirm that each interface is connected. If the interface is connected the command output should contain a Link: up entry similar to the following:

get hardware nic port1
.
.
.
Link: up
.
.
.

If the link is down, re-verify the physical connection. Try replacing network cables or switches as required.
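The checks in sections 6 and 7 (identical HA settings on every unit, every heartbeat interface showing Link: up) are easy to do by eye on two units and tedious on more. The following added example, not a Fortinet tool, does them from captured CLI output: paste in the text of get system ha, get system ha status and get hardware nic <port> from each unit and it reports the settings that differ and the heartbeat ports whose link is down. The captured outputs and the unit names FGT-A and FGT-B are constructed samples; the set of per-unit keys that are allowed to differ is an assumption.

```python
"""Cross-check HA configuration and heartbeat links across cluster units.

Added example, not a Fortinet tool. It consumes the text of `get system ha`,
`get system ha status` and `get hardware nic <port>` captured from each unit
(console or SSH) and reports settings that differ between units plus
heartbeat ports whose link is down. The captured outputs and unit names
below are constructed samples.
"""
import re

# Settings allowed to differ per unit (not synchronized, or masked). Assumption.
PER_UNIT_KEYS = {"priority", "override", "password"}


def parse_ha_config(text):
    """`key : value` lines of `get system ha` -> dict (other lines ignored)."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+)\s*:\s*(.*?)\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def diff_ha_configs(configs, ignore=PER_UNIT_KEYS):
    """{key: {unit: value}} for every synchronized key whose value differs."""
    keys = set().union(*(c.keys() for c in configs.values())) - set(ignore)
    mismatches = {}
    for key in sorted(keys):
        values = {unit: conf.get(key, "<missing>") for unit, conf in configs.items()}
        if len(set(values.values())) > 1:
            mismatches[key] = values
    return mismatches


def parse_members(status_text):
    """Master/Slave lines of `get system ha status` -> [(role, hostname, serial)]."""
    return re.findall(r"^\s*(Master|Slave)\s*:\s*(\S+)\s*,\s*(\S+)",
                      status_text, re.MULTILINE)


def heartbeat_ports(conf):
    """Interface names from an hbdev value such as '"port3" 50 "port4" 50'."""
    return re.findall(r'"([^"]+)"\s+\d+', conf.get("hbdev", ""))


def link_is_up(nic_text):
    """True when `get hardware nic <port>` output contains `Link: up`."""
    m = re.search(r"^\s*Link:\s*(\S+)", nic_text, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "up"


def check_cluster(configs, nic_outputs):
    """configs: {unit: get-system-ha text}; nic_outputs: {unit: {port: nic text}}."""
    parsed = {unit: parse_ha_config(text) for unit, text in configs.items()}
    report = {"mismatches": diff_ha_configs(parsed), "hb_down": []}
    for unit, conf in parsed.items():
        for port in heartbeat_ports(conf):
            if not link_is_up(nic_outputs.get(unit, {}).get(port, "")):
                report["hb_down"].append((unit, port))
    return report


# Constructed captures: unit B was set to a-a by mistake and has port4 unplugged.
UNIT_A_HA = """get system ha
group-id : 0
group-name : External-HA-cluster
mode : a-p
password : *
hbdev : "port3" 50 "port4" 50
session-pickup : enable
priority : 200
"""
UNIT_B_HA = UNIT_A_HA.replace("mode : a-p", "mode : a-a").replace("priority : 200", "priority : 128")
NIC_UP, NIC_DOWN = "Link: up\nSpeed: 1000\n", "Link: down\nSpeed: N/A\n"
SAMPLE_NICS = {"FGT-A": {"port3": NIC_UP, "port4": NIC_UP},
               "FGT-B": {"port3": NIC_UP, "port4": NIC_DOWN}}
SAMPLE_STATUS = """Master: 5001d-slot3     , FG-5KD3914800344
Slave : 5001d-slot5     , FG-5KD3914800353
Slave : 5001d-slot4     , FG-5KD3914800284
"""

if __name__ == "__main__":
    print(parse_members(SAMPLE_STATUS))
    print(check_cluster({"FGT-A": UNIT_A_HA, "FGT-B": UNIT_B_HA}, SAMPLE_NICS))
```

The password is deliberately ignored: the CLI masks it, so a typo in it is invisible to a diff and is exactly why the recipe says to re-enter it on every unit.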

More troubleshooting information

Much of the information in the HA guide can be useful for troubleshooting HA clusters. Here are some links to sections with more information.

  • If sessions are lost after a failover you may need to change route-ttl to keep synchronized routes active longer. See Synchronizing kernel routing tables.
  • In rare cases, after a cluster unit has been replaced, a cluster will not form because the disk partition sizes of the cluster units are different. You can use the following command to check the disk storage checksum of each cluster unit. If the checksums are different, contact Fortinet support for help in setting up compatible storage partitions.
diagnose sys ha showcsum 1 system | grep storage
  • To control which cluster unit becomes the primary unit, you can change the device priority and enable override. See Controlling primary unit selection using device priority and override.
  • Changes made to a cluster can be lost if override is enabled. See Configuration changes can be lost if override is enabled.
  • When override is enabled, after a failover traffic may be disrupted if the primary unit rejoins the cluster before the session tables are synchronized or for other reasons such as if the primary unit is configured for DHCP or PPPoE. See Delaying how quickly the primary unit rejoins the cluster when override is enabled.
  • In some cases, age differences among cluster units result in the wrong cluster unit becoming the primary unit. For example, if a cluster unit set to a high priority reboots, that unit will have a lower age than other cluster units. You can resolve this problem by resetting the age of one or more cluster units. See Primary unit selection and age. You can also adjust how sensitive the cluster is to age differences. This can be useful if large age differences cause problems. See Cluster age difference margin (grace period) and Changing the cluster age difference margin.
  • If one of the cluster units needs to be serviced or removed from the cluster for other reasons, you can do so without affecting the operation of the cluster. See Disconnecting a cluster unit from a cluster.
  • The web-based manager and CLI will not allow you to configure HA if you have enabled FGSP HA. See FortiGate Session Life Support Protocol (FGSP).
  • The GUI and CLI will not allow you to configure HA if one or more FortiGate unit interfaces is configured as a PPTP or L2TP client.
  • The FGCP is compatible with DHCP and PPPoE but care should be taken when configuring a cluster that includes a FortiGate interface configured to get its IP address with DHCP or PPPoE. Fortinet recommends that you turn on DHCP or PPPoE addressing for an interface after the cluster has been configured. See FortiGate HA compatibility with DHCP and PPPoE.
  • Some third-party network equipment may prevent HA heartbeat communication, resulting in a failure of the cluster or the creation of a split brain scenario. For example, some switches use packets with the same Ethertype as HA heartbeat packets use for internal functions and when used for HA heartbeat communication the switch generates CRC errors and the packets are not forwarded. See Heartbeat packet Ethertypes.
  • Very busy clusters may not be able to send HA heartbeat packets quickly enough, also resulting in a split brain scenario. You may be able to resolve this problem by modifying HA heartbeat timing. See Modifying heartbeat timing.
  • Very busy clusters may suffer performance reductions if session pickup is enabled. If possible you can disable this feature to improve performance. If you require session pickup for your cluster, several options are available for improving session pickup performance. See Improving session synchronization performance.
  • If it takes longer than expected for a cluster to failover you can try changing how the primary unit sends gratuitous ARP packets. See Changing how the primary unit sends gratuitous ARP packets after a failover.
  • You can also improve failover times by configuring the cluster for subsecond failover. See Subsecond failover and Failover performance.
  • When you first put a FortiGate unit in HA mode you may lose connectivity to the unit. This occurs because HA changes the MAC addresses of all FortiGate unit interfaces, including the one that you are connecting to. The cluster MAC addresses also change if you change some HA settings such as the cluster group ID. The connection will be restored in a short time as your network and PC update to the new MAC address. To reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or just deleting all ARP table entries). You may be able to delete the ARP table of your management PC from a command prompt using a command similar to arp -d.
  • Since HA changes all cluster unit MAC addresses, if your network uses MAC address filtering you may have to make configuration changes to account for the HA MAC addresses.
  • A network may experience packet loss when two FortiGate HA clusters have been deployed in the same broadcast domain. Deploying two HA clusters in the same broadcast domain can result in packet loss because of MAC address conflicts. The packet loss can be diagnosed by pinging from one cluster to the other or by pinging both of the clusters from a device within the broadcast domain. You can resolve the MAC address conflict by changing the HA Group ID configuration of the two clusters. The HA Group ID is sometimes also called the Cluster ID. See Diagnosing packet loss with two FortiGate HA clusters in the same broadcast domain.
  • The cluster CLI displays slave is not in sync messages if there is a synchronization problem between the primary unit and one or more subordinate units. See How to diagnose HA out of sync messages.
  • If you have configured dynamic routing and the new primary unit takes too long to update its routing table after a failover you can configure graceful restart and also optimize how routing updates are synchronized. See Configuring graceful restart for dynamic routing failover and Synchronizing kernel routing tables.
  • Some switches may not be able to detect that the primary unit has become a subordinate unit and will keep sending packets to the former primary unit. This can occur after a link failover if the switch does not detect the failure and does not clear its MAC forwarding table. See Updating MAC forwarding tables when a link failover occurs.
  • If a link not directly connected to a cluster unit (for example, between a switch connected to a cluster interface and the network) fails you can enable remote link failover to maintain communication. See Remote link failover.
  • If you find that some cluster units are not running the same firmware build you can reinstall the correct firmware build on the cluster to upgrade all cluster units to the same firmware build. See Synchronizing the firmware build running on a new cluster unit.

The post FGCP High Availability Troubleshooting appeared first on Fortinet Cookbook.

FortiMail Troubleshooting: Antispam Issues


The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting a wide variety of antispam issues you may encounter when using FortiMail, such as low spam detection, email users being spammed by DSN, and SMTP failure.

 

Problem #1: Low Spam Detection Rate

The spam detection rate is low.

The Solution

Make sure no SMTP traffic is bypassing the FortiMail unit due to an incorrect routing policy. Configure routers and firewalls to direct all SMTP traffic to or through the FortiMail unit so that it is scanned. If the FortiMail unit is operating in gateway mode, for each protected domain, modify the public DNS records so that only a single MX record remains, pointing to the FortiMail unit.

Do not whitelist protected domains. Whitelists bypass antispam scanning, so email with spoofed sender addresses in the protected domains could bypass antispam features. Use whitelists with caution in general: a whitelist entry such as *.edu would allow all email from every domain under the .edu top-level domain to bypass antispam scans.

Make sure all protected domains have matching policies and proper protection profiles.

Enable adaptive antispam features such as greylisting and sender reputation.

Important: Enable additional antispam features gradually. Excessive antispam scans could decrease the performance of your FortiMail unit.

Problem #2: Faulty Send Spam

Email users are spammed by DSN for email they did not actually send.

The Solution

Spammers sometimes use the delivery status notification (DSN) mechanism to bypass antispam measures. In this attack, sometimes called “backscatter”, the spammer spoofs the email address of a legitimate sender and intentionally sends spam to an undeliverable recipient, expecting that the recipient’s email server will send a DSN back to the sender to notify him/her of the delivery failure. Because this attack utilizes innocent email servers and a standard notification mechanism, many antispam mechanisms may be unable to detect the difference between legitimate and spoofed DSN.

To detect backscatter

1. Enable bounce address tagging and configure an active key (see “Configuring bounce verification and tagging” on page 598).
2. Next, disable both the Bypass bounce verification option (see “Configuring protected domains” on page 355) and the Bypass bounce verification check option (see “Configuring session profiles” on page 453).
3. In addition, verify that all outgoing and incoming email passes through the FortiMail unit. The FortiMail unit cannot tag email, or recognize legitimate DSN for previously sent email, if all email does not pass through it. For details, see “Configuring bounce verification and tagging” on page 598.
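To see why tagging makes backscatter detectable, here is an added example (not FortiMail's own code) that implements the public BATV "prvs" scheme, which works the same way as the bounce address tagging step above: the active key signs an expiring tag into the envelope sender of outgoing mail, and an incoming DSN is accepted only if it is addressed to a tag the gateway itself produced. The key, key ID, validity period and addresses are constructed. Step 3 of the recipe follows directly from the code: a message that left the network without passing through the tagger has an untagged sender, so its legitimate bounce looks exactly like backscatter.

```python
"""Bounce address tagging and verification, BATV-style.

Added example, not FortiMail's own code: it implements the public BATV "prvs"
scheme to show what bounce address tagging buys you. The key, key id and
addresses are constructed. Outbound mail goes out with a signed, expiring
envelope sender (MAIL FROM); an inbound DSN (empty MAIL FROM) is accepted only
if its RCPT TO carries a tag we produced that has not expired. Backscatter
aimed at the plain, untagged address fails the check.
"""
import hashlib
import hmac

KEY = b"constructed-active-key"    # the "active key"; rotate together with KEY_ID
KEY_ID = "0"                       # single digit in the tag
VALID_DAYS = 7                     # how long a bounce to a tagged sender is honoured


def prvs_tag(key, key_id, expiry_day, address):
    """prvs=KDDDSSSSSS=local@domain: K key id, DDD expiry day-of-year mod 1000,
    SSSSSS first 6 hex chars of HMAC-SHA1 over K, DDD and the address."""
    ddd = "%03d" % (expiry_day % 1000)
    mac = hmac.new(key, (key_id + ddd + address).encode(), hashlib.sha1).hexdigest()[:6]
    return "prvs=%s%s%s=%s" % (key_id, ddd, mac, address)


def tag_outgoing(key, key_id, today_day, address, valid_days=VALID_DAYS):
    """Envelope sender to use for a message sent on today_day (day-of-year number)."""
    return prvs_tag(key, key_id, today_day + valid_days, address)


def verify_bounce(key, key_id, today_day, rcpt, valid_days=VALID_DAYS):
    """Original address if rcpt carries a valid, unexpired tag of ours, else None."""
    parts = rcpt.split("=", 2)
    if len(parts) != 3 or parts[0] != "prvs" or len(parts[1]) != 10:
        return None                                     # not one of our tags
    tag, address = parts[1], parts[2]
    if tag[0] != key_id or not tag[1:4].isdigit():
        return None                                     # unknown key id or garbage
    expected = prvs_tag(key, key_id, int(tag[1:4]), address)
    if not hmac.compare_digest(expected.encode(), rcpt.encode()):
        return None                                     # forged or tampered tag
    if (int(tag[1:4]) - today_day) % 1000 > valid_days:
        return None                                     # expiry day already passed
    return address


def classify_inbound(key, key_id, today_day, mail_from, rcpt_to):
    """'mail' for ordinary traffic; for a DSN, 'dsn' if legitimate, 'backscatter' if not."""
    if mail_from.strip("<>"):                           # non-empty sender: not a DSN
        return "mail"
    return "dsn" if verify_bounce(key, key_id, today_day, rcpt_to) else "backscatter"


if __name__ == "__main__":
    sender = tag_outgoing(KEY, KEY_ID, 100, "alice@example.com")
    print("MAIL FROM:<%s>" % sender)
    print("legit DSN  :", classify_inbound(KEY, KEY_ID, 103, "<>", sender))
    print("spoofed DSN:", classify_inbound(KEY, KEY_ID, 103, "<>", "alice@example.com"))
    print("stale DSN  :", classify_inbound(KEY, KEY_ID, 120, "<>", sender))
```

The tag lives in the envelope sender, not in the From: header, because that is the address a remote MTA bounces to; the short expiry limits how long a harvested tag stays useful to a spammer who saw it in a real message.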

Problem #3: Quarantine Release or Delete by Email Fails

Email users cannot release and delete quarantined messages by email.

The Solution

Two common reasons are:

• The domain name portion of the recipient email address (for example, fortimail.example.com in release-ctrl@fortimail.example.com) could not be resolved by the DNS server into the FortiMail unit’s IP address.
• The sender’s email address in the release message was not the same as the intended recipient of the email that was quarantined. If you have configured your mail client to handle multiple email accounts, verify that the release/delete message is being sent by the email address corresponding to that per-recipient quarantine. For example, if an email for user@example.com is quarantined, to release that email, you must send a release message from user@example.com.

Problem #4: Attachment Issues

Your attachment is less than the 10 MB configured limit and your message is not deliverable.

The Solution

The message limit is a total maximum for the entire transmitted email: the message body, message headers, all attachments, and encoding, which in some cases can expand the size of the email. For example, depending on the encoding and the content of the email, an email with an 8 MB attachment could easily exceed the transmitted message size limit of 10 MB.

Therefore, attachments should be smaller than the configured limit.
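The "could easily exceed" above has a concrete figure behind it. The following added example (not part of the FortiMail recipe) estimates how large an attachment becomes on the wire once it is base64-encoded and wrapped into 76-character CRLF lines, as MIME attachments normally are, and works out the largest raw attachment that still fits under a limit. The 2 KiB header allowance and the use of MiB for the recipe's "10 MB" are assumptions.

```python
"""How big does an attachment get on the wire?

Added example, not part of the FortiMail recipe. MIME attachments are usually
base64-encoded (4 output bytes per 3 input bytes) and wrapped to 76-character
lines ending in CRLF, so the transmitted size of an attachment is roughly
1.37x its file size. transmitted_size() estimates the whole message as the
MTA sees it; largest_attachment() inverts that for a given limit. The 2 KiB
header allowance is an assumption.
"""

B64_LINE = 76   # RFC 2045 maximum line length for base64 bodies
CRLF = 2        # bytes per line ending on the wire


def base64_wire_size(raw_len):
    """Bytes a raw_len-byte attachment occupies once base64 encoded and line-wrapped."""
    encoded = -(-raw_len // 3) * 4            # ceil(raw_len / 3) groups of 4 chars
    lines = -(-encoded // B64_LINE)           # ceil(encoded / 76) lines, each with CRLF
    return encoded + lines * CRLF


def transmitted_size(attachment_lens, body_len=0, header_len=2048):
    """Estimated size of the whole message: headers, body text and every attachment."""
    return header_len + body_len + sum(base64_wire_size(n) for n in attachment_lens)


def fits(attachment_lens, limit, body_len=0, header_len=2048):
    """True if the transmitted message stays within limit bytes."""
    return transmitted_size(attachment_lens, body_len, header_len) <= limit


def largest_attachment(limit, body_len=0, header_len=2048):
    """Largest single raw attachment (bytes) whose message stays within limit."""
    lo, hi = 0, limit
    while lo < hi:                            # binary search; transmitted_size is monotonic
        mid = (lo + hi + 1) // 2
        if fits([mid], limit, body_len, header_len):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    MiB = 1024 * 1024
    for n in (7, 8):
        print("%d MiB attachment -> %.2f MiB on the wire, fits 10 MiB: %s"
              % (n, transmitted_size([n * MiB]) / MiB, fits([n * MiB], 10 * MiB)))
    print("largest attachment under 10 MiB: %.2f MiB" % (largest_attachment(10 * MiB) / MiB))
```

With these assumptions an 8 MiB attachment alone is about 10.95 MiB on the wire, so it bounces against a 10 MiB limit, and the largest single attachment that passes is roughly 7.3 MiB; a message with several attachments or a long body has even less room.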

Problem #5: Email Archive Issues

The exported email archive is an empty file.

The Solution

Make sure you select the check boxes of archived email (see “Configuring email archiving accounts” on page 618) that you want to export. Only email whose Status column contains a check mark will be exported.

 

The post FortiMail Troubleshooting: Antispam Issues appeared first on Fortinet Cookbook.

FortiMail Troubleshooting: SMTP Failure


The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting SMTP problems, such as recipient verification failure and 451 error messages.

 

Problem #1: Recipient Verification Failure

Recipient verification through SMTP fails.

The Solution

If recipient verification fails even though Recipient Address Verification is enabled, there are several possible causes:

  1. The SMTP server may not be available.
  2. The network connection between the FortiMail unit and the SMTP server is not reliable.
  3. The SMTP server does not support ESMTP. EHLO, as defined in ESMTP, is part of the SMTP verification process, so if the SMTP server does not support ESMTP the recipient verification will fail.
  4. The server is a Microsoft Exchange server and SMTP recipient verification is not enabled and configured on it.

When the SMTP server is unavailable for recipient verification, the FortiMail unit returns the 451 SMTP reply code. The email would remain in the sending queue of the sending MTA for the next retry.

Problem #2: 451 Error Message

SMTP clients receive the message 451 Try again later.

The Solution

The two primary reasons you may be experiencing a 451 error message are:

  • The greylist routine encountered an unknown sender, or the greylist entry expired for an existing sender and recipient pair. This behavior is normal and will typically resolve itself when the SMTP client retries its delivery later during the greylist window.
  • Recipient verification is enabled and the FortiMail unit is unable to connect to the recipient verification server. There should be related entries in the antispam log, such as Verify <user@example.com> Failed, return TEMPFAIL. If this occurs, verify that the server is correctly configured to support recipient verification and that connectivity with the recipient verification server has not been interrupted.
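The SMTP exchange behind recipient verification, and the point at which each of the causes listed in Problems #1 and #2 turns into a TEMPFAIL, is easier to see in code. The following added example is not FortiMail's own implementation: verify_recipient() opens a session to the back-end server, insists on an ESMTP (EHLO) response, sends a null MAIL FROM and the RCPT TO, and maps the reply to OK, REJECT or TEMPFAIL, which is the result a gateway turns into 451 Try again later. The fake back-end is constructed so the exchange runs offline; the host, port, mailbox list and the gateway hostname are assumptions.

```python
"""SMTP recipient verification and the exchange behind a 451.

Added example, not FortiMail's own code. verify_recipient() does what a
gateway does before accepting RCPT TO for a protected domain: open an SMTP
session to the back-end server, require an ESMTP (EHLO) greeting, send a null
MAIL FROM and the RCPT TO, and map the reply to OK, REJECT or TEMPFAIL. A
back-end that is down, drops the connection, or only speaks plain SMTP yields
TEMPFAIL, which the gateway reports to the client as 451. The fake back-end
is constructed so the flow runs offline; host, port and mailboxes are assumed.
"""
import smtplib
import socketserver
import threading


def verify_recipient(host, port, address, timeout=5.0):
    """Return 'OK', 'REJECT' or 'TEMPFAIL' for address on the back-end at host:port."""
    try:
        with smtplib.SMTP(host, port, local_hostname="gateway.example.com",
                          timeout=timeout) as smtp:
            code, _ = smtp.ehlo()
            if code != 250:                      # no ESMTP: verification impossible
                return "TEMPFAIL"
            code, _ = smtp.mail("<>")            # null sender, as a DSN would use
            if code != 250:
                return "TEMPFAIL"
            code, _ = smtp.rcpt(address)         # the actual probe
            smtp.rset()                          # never send DATA
    except (smtplib.SMTPException, OSError):     # refused, timed out, disconnected
        return "TEMPFAIL"
    if code == 250:
        return "OK"
    return "REJECT" if 500 <= code < 600 else "TEMPFAIL"


class FakeBackend(socketserver.StreamRequestHandler):
    """Minimal SMTP responder with a fixed mailbox set; esmtp=False refuses EHLO."""
    mailboxes = frozenset()
    esmtp = True

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        self.reply("220 backend.example.com SMTP ready")
        while True:
            line = self.rfile.readline()
            if not line:                         # client went away
                return
            cmd, _, arg = line.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "EHLO":
                self.reply("250 backend.example.com" if self.esmtp
                           else "502 Command not implemented")
            elif cmd in ("HELO", "MAIL", "NOOP", "RSET"):
                self.reply("250 OK")
            elif cmd == "RCPT":
                addr = arg.split(":", 1)[-1].strip().strip("<>").lower()
                self.reply("250 OK" if addr in self.mailboxes else "550 5.1.1 no such user")
            elif cmd == "QUIT":
                self.reply("221 bye")
                return
            else:
                self.reply("500 unrecognised command")


def start_backend(mailboxes, esmtp=True):
    """Serve a FakeBackend on 127.0.0.1 at an ephemeral port; returns (server, port)."""
    handler = type("Handler", (FakeBackend,),
                   {"mailboxes": frozenset(m.lower() for m in mailboxes), "esmtp": esmtp})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_backend({"alice@example.com"})
    for rcpt in ("alice@example.com", "nobody@example.com"):
        print(rcpt, "->", verify_recipient("127.0.0.1", port, rcpt))
    server.shutdown()
    server.server_close()
    print("after shutdown ->", verify_recipient("127.0.0.1", port, "alice@example.com"))
```

Only a definite 5xx on RCPT TO becomes a REJECT; everything else is a TEMPFAIL on purpose, because telling a sender "no such user" when the back-end was merely unreachable would lose legitimate mail, whereas 451 makes a well-behaved MTA queue and retry.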

Problem #3: Temporary Failure SMTP reply Code

The FortiMail unit replies with a temporary failure SMTP reply code and the event log shows Milter (fas_milter): timeout before data read.

The Solution

The timeout is caused by the FortiMail unit not responding within 4 minutes.

Slow or unresponsive DNS server response for DNSBL and SURBL scans can cause the FortiMail unit’s antispam scans to be unable to complete before the timeout. When this occurs, the FortiMail unit will report a temporary failure. In most cases, the sending MTA will retry delivery later. If this problem is persistent, verify connectivity with your DNSBL and SURBL servers, and consider providing private DNSBL/SURBL servers on your local network.

 

The post FortiMail Troubleshooting: SMTP Failure appeared first on Fortinet Cookbook.
