Firewall configuration backups can save hours of reconfiguration when one of your firewalls gets wiped, for whatever reason. The batch script below pulls the running configuration from every FortiGate listed in fgts.txt over SCP using PuTTY's pscp. Each line of fgts.txt is host,user,password,name (that is how the script maps the four fields to %1..%4), and the backup file is named after the name field plus date and time. Check what %DATE% looks like on your locale first: if it contains slashes the file name is invalid and pscp fails.
for /f "eol=# tokens=1-4 delims=," %%i in (fgts.txt) do CALL :oneaddr %%i %%j %%k %%l
goto :eof
:oneaddr
rem %1 host  %2 user  %3 password  %4 name; %TIME::=% strips the colons from the time so the file name is valid
cd "c:\Program Files\PuTTY"
pscp -pw %3 %2@%1:sys_config "C:\backup\%4-%DATE%-%TIME::=%.conf"
SCP has to be enabled on the FortiGate first (and SSH administrative access must be allowed on the interface the backup machine reaches it through):
config system global
    set admin-scp enable
end
A few days back one of my clients had doubts about whether the port he required was forwarded correctly on the FGT. The flow trace below shows exactly what the firewall does with each packet that hits the VIP:
diag debug enable
diag debug flow filter dport 80          (the destination port you configured in the VIP)
diag debug flow filter saddr <source IP you are testing from>
diag debug flow show console enable
diag debug flow trace start 100          (the number of packets to trace; the trace stops by itself after that many)
When you are done, stop debugging and clear the filter so it does not catch you out next time:
diag debug reset
diag debug disable
diag debug flow filter clear
BSH # id=36871 trace_id=525 msg="vd-root received a packet(proto=6, z.z.z.z:52957->x.x.x.x:80) from wan2."
id=36871 trace_id=525 msg="allocate a new session-0036f1c2"
id=36871 trace_id=525 msg="find SNAT: IP-18.104.22.168(from IPPOOL), port-80"
id=36871 trace_id=525 msg="VIP-22.214.171.124:80, outdev-wan2"
id=36871 trace_id=525 msg="DNAT x.x.x.x:80->126.96.36.199:80"
id=36871 trace_id=525 msg="find a route: gw-188.8.131.52 via internal"
id=36871 trace_id=525 msg="Allowed by Policy-2:"
Reading it top to bottom: the packet arrives on wan2, the VIP matches and rewrites the destination (the DNAT line) to the internal server, a route to that server is found via the internal interface, and firewall policy 2 allows it. If the VIP does not match you will see no DNAT line at all; if the VIP matches but no policy allows the traffic, the trace ends with a "Denied by forward policy check" message instead.
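When you have a few hundred lines of trace output it helps to reduce each trace_id to a verdict. The script below is an added example, not part of the original post: it parses the trace lines above (plus a constructed second trace that is denied because no policy matched) and tells you, per trace, whether the packet was DNATed to the server you expected and allowed by a policy. The "Denied by forward policy check" wording is the standard FortiOS message; the sample addresses are the anonymised ones from the post.

```python
"""Parse `diag debug flow` output to confirm a VIP (port forward) is matched.

Added example, not from the original post. It groups trace lines by
trace_id and pulls out the fields that matter when checking a port
forward: where the packet arrived, which VIP matched, the DNAT target,
the route chosen and the policy verdict.
"""
import re
from collections import defaultdict

# Constructed sample: the successful trace from the post (addresses
# anonymised there) plus a made-up second trace that is denied because
# no policy matched.
SAMPLE = """\
BSH # id=36871 trace_id=525 msg="vd-root received a packet(proto=6, z.z.z.z:52957->x.x.x.x:80) from wan2."
id=36871 trace_id=525 msg="allocate a new session-0036f1c2"
id=36871 trace_id=525 msg="find SNAT: IP-18.104.22.168(from IPPOOL), port-80"
id=36871 trace_id=525 msg="VIP-22.214.171.124:80, outdev-wan2"
id=36871 trace_id=525 msg="DNAT x.x.x.x:80->126.96.36.199:80"
id=36871 trace_id=525 msg="find a route: gw-188.8.131.52 via internal"
id=36871 trace_id=525 msg="Allowed by Policy-2:"
id=36871 trace_id=526 msg="vd-root received a packet(proto=6, z.z.z.z:52958->x.x.x.x:8080) from wan2."
id=36871 trace_id=526 msg="allocate a new session-0036f1c3"
id=36871 trace_id=526 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'id=\d+ trace_id=(?P<tid>\d+) msg="(?P<msg>[^"]*)"')
RECV_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), (?P<src>[^-]+)->(?P<dst>[^)]+)\) from (?P<iface>\S+)\.'
)
VIP_RE = re.compile(r'VIP-(?P<vip>\S+), outdev-(?P<outdev>\S+)')
DNAT_RE = re.compile(r'DNAT (?P<orig>\S+)->(?P<target>\S+)')
ROUTE_RE = re.compile(r'find a route: gw-(?P<gw>\S+) via (?P<iface>\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<policy>\d+)\)')


def parse_traces(text):
    """Return {trace_id: summary dict} for every trace_id in the output."""
    traces = defaultdict(lambda: {"verdict": "unknown"})
    for raw in text.splitlines():
        m = LINE_RE.search(raw)  # search(), so the 'BSH # ' prompt prefix is ignored
        if not m:
            continue
        t = traces[m.group("tid")]
        msg = m.group("msg")
        if (r := RECV_RE.search(msg)):
            t.update(proto=int(r["proto"]), src=r["src"], dst=r["dst"], in_iface=r["iface"])
        elif (r := VIP_RE.search(msg)):
            t.update(vip=r["vip"], outdev=r["outdev"])
        elif (r := DNAT_RE.search(msg)):
            t["dnat_target"] = r["target"]
        elif (r := ROUTE_RE.search(msg)):
            t.update(gateway=r["gw"], out_iface=r["iface"])
        elif (r := ALLOW_RE.search(msg)):
            t.update(verdict="allowed", policy=int(r["policy"]))
        elif (r := DENY_RE.search(msg)):
            t.update(verdict="denied", policy=int(r["policy"]))
    return dict(traces)


def check_port_forward(trace, expected_target):
    """Return (ok, reason): did the packet reach expected_target via an allowed policy?"""
    if "dnat_target" not in trace:
        return False, "no VIP matched (no DNAT in trace); check VIP external IP/port"
    if trace["dnat_target"] != expected_target:
        return False, f"DNAT went to {trace['dnat_target']}, expected {expected_target}"
    if trace["verdict"] != "allowed":
        return False, f"VIP matched but policy verdict is {trace['verdict']} (policy {trace.get('policy')})"
    return True, f"forwarded to {expected_target} by policy {trace['policy']} via {trace['out_iface']}"


if __name__ == "__main__":
    for tid, t in parse_traces(SAMPLE).items():
        print(tid, check_port_forward(t, "126.96.36.199:80"))
```

Feed it the console output you captured (`parse_traces(open("trace.txt").read())`) and compare against the internal address you put in the VIP; the three failure reasons map directly to the three things that usually go wrong (VIP not matching, wrong mapped address, no matching policy).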
Reference
Search engines
Content servers
I was stuck on the last one, content servers: none of the URLs above actually fall into it, and Street View was still jumbled up.
diag debug enable
diag debug urlfilter src-addr <your LAN PC IP here>
diag debug flow show console enable
diag debug flow trace start 100          (the number of packets you want traced)
When done:
diag debug reset
diag debug disable
You will see the destination URL in the log; then either check its FortiGuard category again or just allow the URL explicitly.
A few months back I went through hell trying to block YouTube for one of my clients.
I blocked it in the web filter with certificate-based SSL inspection turned on, and later even added an application control entry for it; in the end the page opened straight away as if nothing was in between.
Later good old Fortinet TAC put me out of my misery and showed me how YouTube slid past the SSL certificate inspection like a knife through butter: Chrome reaches Google's sites over QUIC, which runs on UDP port 443 rather than TCP, so the SSL inspection, web filter and application control that work on the TCP 443 session never get to see that traffic.
Click the lock icon to the left of the address bar and look at the connection details:
It says right there that the connection uses QUIC.
I'd recommend you make this part of your base configuration and always disable QUIC. On the FortiGate that means blocking the QUIC application signature in your Application Control profile (or simply denying outbound UDP 443 in the firewall policy); Chrome then falls back to ordinary TCP TLS, which your inspection profiles can see. Leaving QUIC open interferes not only with the web filter and application control: if you want to do email filtering, block Gmail attachments or stop Google Drive, that traffic will just slip by with QUIC enabled.
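A quick way to tell whether QUIC is already bypassing your inspection is to look at the traffic log: every QUIC session shows up as an accepted UDP/443 flow while the TCP/443 attempt to the same host may well be blocked. The script below is an added example, not part of the original post; it runs that check over a few constructed FortiGate traffic log lines (key=value syslog style; addresses, byte counts and timestamps are made up) and reports which internal hosts used QUIC and how much data came back per destination.

```python
"""Spot QUIC sessions in FortiGate traffic logs.

Added example, not from the original post. SSL inspection and the web
filter only see TCP 443; QUIC runs over UDP 443, so an accepted UDP/443
session to a site you think you are blocking is traffic that slipped past.
"""
import re
from collections import Counter

# Constructed sample traffic log lines (FortiGate key=value syslog style;
# addresses, session sizes and timestamps are made up). Note the client
# 192.168.1.20 is blocked on TCP 443 but accepted on UDP 443 (QUIC).
SAMPLE_LOGS = """\
date=2017-03-01 time=10:01:02 type="traffic" subtype="forward" srcip=192.168.1.20 srcport=51822 dstip=172.217.18.14 dstport=443 proto=17 service="udp/443" action="accept" policyid=1 app="QUIC" sentbyte=58211 rcvdbyte=4102933
date=2017-03-01 time=10:01:03 type="traffic" subtype="forward" srcip=192.168.1.20 srcport=51823 dstip=172.217.18.14 dstport=443 proto=6 service="HTTPS" action="deny" policyid=1 utmaction="block" sentbyte=0 rcvdbyte=0
date=2017-03-01 time=10:01:05 type="traffic" subtype="forward" srcip=192.168.1.31 srcport=40211 dstip=216.58.204.78 dstport=443 proto=17 service="udp/443" action="accept" policyid=1 app="QUIC" sentbyte=1200 rcvdbyte=90331
date=2017-03-01 time=10:01:07 type="traffic" subtype="forward" srcip=192.168.1.31 srcport=40212 dstip=172.217.18.14 dstport=80 proto=6 service="HTTP" action="accept" policyid=1 sentbyte=300 rcvdbyte=1200
"""

# key=value pairs; values are either "quoted strings" or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def quic_sessions(text):
    """Return accepted UDP/443 sessions, i.e. QUIC flows that bypassed TCP-based inspection.

    proto=17 is UDP in FortiGate logs; we match on protocol and port rather
    than on app="QUIC" so it also works when application control is off.
    """
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("proto") == "17" and rec.get("dstport") == "443" and rec.get("action") == "accept":
            hits.append(rec)
    return hits


def bypass_report(text):
    """Summarise the bypass: bytes received per destination and which sources used QUIC."""
    by_dst = Counter()
    sources = set()
    for rec in quic_sessions(text):
        by_dst[rec["dstip"]] += int(rec.get("rcvdbyte", 0))
        sources.add(rec["srcip"])
    return {"by_dst": dict(by_dst), "sources": sorted(sources)}


if __name__ == "__main__":
    print(bypass_report(SAMPLE_LOGS))
```

Run it against an export of your forward traffic log; if `sources` is not empty after you thought you had blocked QUIC, the application control entry or the UDP 443 deny is not being hit by that policy, and that is what to look at next.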