Fortigate HA reverts back to standalone

When you configure an HA cluster on a Fortigate, it reverts back to standalone mode but accepts the other changes such as heartbeats, group name, etc.
Then I realised that all network interfaces must be configured with a static (manual) address. If any of your interfaces has a DHCP or PPPoE configuration, the Fortigate does not accept the HA modes and silently reverts back to standalone mode. There is no error message or warning.
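Because the box gives no warning, a pre-flight check is useful before you type the HA commands. The following is an added example, not part of the original post: it parses the text of a FortiOS "show system interface" dump (the sample below is constructed) and lists every interface whose addressing mode is dhcp or pppoe, i.e. the ones that will make HA fall back to standalone. It relies on FortiOS printing only non-default settings, so an interface with no "set mode" line is taken to be static.

```python
import re

# Constructed sample of FortiOS 'show system interface' output (added example).
# FortiOS prints only non-default settings, so an interface with no
# 'set mode' line is in the default static mode.
SAMPLE_SHOW_SYSTEM_INTERFACE = """\
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
    next
    edit "wan2"
        set vdom "root"
        set mode pppoe
        set username "isp-account"
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
    edit "ha1"
        set vdom "root"
    next
end
"""

_EDIT_RE = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
_MODE_RE = re.compile(r'^\s*set\s+mode\s+(\S+)\s*$')


def parse_interface_modes(show_output: str) -> dict:
    """Map interface name -> addressing mode ('static' when not printed)."""
    modes, current = {}, None
    for line in show_output.splitlines():
        m = _EDIT_RE.match(line)
        if m:
            current = m.group(1)
            modes[current] = "static"  # default unless a 'set mode' line follows
        elif current is not None and (m := _MODE_RE.match(line)):
            modes[current] = m.group(1)
        elif line.strip() == "next":
            current = None  # end of this interface block
    return modes


def ha_blockers(show_output: str) -> list:
    """Interfaces whose dhcp/pppoe mode makes HA silently revert to standalone."""
    return sorted(name for name, mode in parse_interface_modes(show_output).items()
                  if mode in ("dhcp", "pppoe"))
```

Running ha_blockers(SAMPLE_SHOW_SYSTEM_INTERFACE) on the sample returns ['wan1', 'wan2']; feed it the real "show system interface" output captured from your own box instead.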

Fortigate ASIC-offloading and SNMP Traffic Counters

A strange problem... If you have created VLAN-based interfaces, the SNMP traffic counters return wrong values. You have to disable session offloading to the NP or SP processors. Tested on a 1240b, so for test purposes you may disable ASIC offloading per firewall policy. You will then see the SNMP traffic counters get higher.

You may also disable fastpath, SP load balancing, network accelerators, or NP ASIC offloading globally, but this is not recommended on production systems. Be sure of what you are doing.

To disable NP ASIC offloading globally (this is a temporary command; it returns to the defaults after a reboot):

diag npu <npu version> fastpath disable <NP ID>

The npu version is np4 on the 1240b; for the 3810a it is np1.
The NP ID can be taken from "get hardware npu np4 list", which also shows which ports it is enabled on.

Here is an example of the policy-based way (the more reliable one :) ):

Fortigate1240b # config vdom

Fortigate1240b (vdom) # edit MytestVdom
current vf=MytestVdom:7

Fortigate1240b (MytestVdom) # config firewall policy

Fortigate1240b (policy) # edit 44

Fortigate1240b (44) # sh
config firewall policy
    edit 44
        set srcintf "VLAN78"
        set dstintf "VLAN66_OUT"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"

Fortigate1240b (44) # set auto-asic-offload disable

Fortigate1240b (44) # sh
config firewall policy
    edit 44
        set srcintf "VLAN78"
        set dstintf "VLAN66_OUT"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set auto-asic-offload disable

Fortigate1240b (44) #

Look at the difference below after disabling offloading.


PS: This is fixed in FortiOS 5.x.

How to send realtime logs to FortiAnalyzer

When you configure your Fortigate box to send its logs to a FortiAnalyzer box, it sends the logs on a scheduled basis, and when you test connectivity you may notice a warning saying "Logs not received" in the connection status.

You should configure your Fortigate box to send logs in realtime.

Go to the CLI. The output should look like this:

Forti # config log fortianalyzer setting

Forti (setting) # sh
config log fortianalyzer setting
set status enable
set server

Forti (setting) # set upload-option realtime

Forti (setting) # end

Forti # get log fortianalyzer setting
status : enable
ips-archive : enable
max-buffer-size : 1
buffer-max-send : 1000
address-mode : static
server :
enc-algorithm : default
localid : (null)
conn-timeout : 10
monitor-keepalive-period: 5
monitor-failure-retry-period: 5
source-ip :
upload-option : realtime

Now we can test via the GUI and see that it is working fine.

FortiOS v5.0 at a glance

Today I spent a few minutes reviewing the new FortiOS major release, version 5.

There are some reasonable changes in the GUI. At first sight, VDOMs are separated from the GLOBAL menu. A new feature: we can now assign device-based rules. The Policy screen has also been modified; we now have to choose between two types of policy before creating a new one.

Firewall and VPN. Actually, we had these already, but now they are more user-friendly in the GUI.
The Firewall policy has three sub-types; we have to select one of them (Address, Identity Based, or the new one, "Device Identity"). The VPN policy also has two types, as you can guess: SSL and IPsec.

Device-based rules have a simple idea behind them: you simply group devices by their MAC addresses. Indeed, we will be able to add MAC-based policies from now on.

In short, FortiOS v5.0 does not bring incredible features. It just has some GUI modifications and some minor features for a major release, though there should be lots of improvement in the background. I will review it later, but at first sight v5 is a disappointment for me.

How to debug fortigate OSPF

You may debug your OSPF configuration with the following commands.

FortiOS 4.0

Forti# diagnose ip router ospf all enable
Forti# diagnose ip router ospf level info

The other log levels are:
critical critical level
error error level
info information level
none none level
warn warning level

Forti# diagnose debug enable

To cancel the output, just run "diagnose debug disable" while the output flows on your screen.

MySQL Master/Slave Management with mysql-master-ha

I decided to take care of my blog. I lost my previous blog backup. How feckless I am! So, I decided to write my first post about High Availability. ;)
At first sight, you may say "I can do a master/slave configuration in 4-5 easy steps." Then you may ask "What is the benefit of mysql-master-ha?"

The developer of mysql-master-ha says:
“A primary objective of MHA is automating master failover and slave promotion within short (usually 10-30 seconds) downtime, without suffering from replication consistency problems, without spending money for lots of new servers, without performance penalty, without complexity (easy-to-install), and without changing existing deployments.”

Some of its featured topics:
* Automated master monitoring and failover
* Interactive (manual) Master Failover
* Non-interactive master failover
* Online switching master to a different host