HyperV CSV Stuck at “Backup in Progress”

If your backup software uses Microsoft VSS to take snapshots of your cluster volumes, a CSV sometimes gets stuck in redirected access and reports “Backup in Progress” even if there is no backup running at that time.

1- You cannot turn off redirection mode
2- You cannot change the owner of the volume
3- There are no running backup jobs

Then you may delete the snapshot of the volume in order to bring that volume “Online”.
To do so, log in to the Hyper-V node which is the owner of that volume.

Run CMD with elevated privileges.

Change to the volume on which the backup takes place:
cd C:\ClusterStorage\Volume8

Run the diskshadow utility and list the volumes which have shadow copies.
DISKSHADOW> LIST SHADOWS ALL
If you are sure about what to delete, you may delete the corresponding copy, or delete all of them as shown below.
DISKSHADOW> DELETE SHADOWS ALL


Fortigate ASIC-offloading and SNMP Traffic Counters

A strange problem… If you have created a VLAN-based interface, the SNMP traffic counters return wrong values. You have to disable session offloading to the NP or SP processors. Tested on a 1240b. For test purposes you may disable ASIC offloading per firewall policy; you will then see that the SNMP traffic counters get higher.

You may also disable fastpath, SP load balancing, network accelerators, or NP ASIC offloading globally, but this is not recommended on production systems. Be sure what you are doing.

To disable NP ASIC offloading globally (this is a temporary command; it returns to the defaults after a reboot):

diag npu <npu version> fastpath disable <NP ID>

The npu version is np4 on the 1240b; for the 3810a it is np1.
The NP ID can be taken from get hardware npu np4 list, which also shows which ports it is enabled on.

Here is a policy-based example (the more reliable way :) ):

Fortigate1240b # config vdom

Fortigate1240b (vdom) # edit MytestVdom
current vf=MytestVdom:7

Fortigate1240b (MytestVdom) # config firewall policy

Fortigate1240b (policy) # edit 44

Fortigate1240b (44) # sh
config firewall policy
edit 44
set srcintf "VLAN78"
set dstintf "VLAN66_OUT"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
next
end

Fortigate1240b (44) # set auto-asic-offload disable

Fortigate1240b (44) # sh
config firewall policy
edit 44
set srcintf "VLAN78"
set dstintf "VLAN66_OUT"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set auto-asic-offload disable
next
end

Fortigate1240b (44) #

Look at the difference below after disabling offloading.

[Image: traffic chart]

PS : This is fixed with FortiOS 5.x
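
An added example (not part of the original post and not Fortinet code): a small Python parser that walks a configuration in the config / edit / set / next / end syntax shown above and lists the firewall policies that still carry "set auto-asic-offload disable", so a test workaround like policy 44 can be found again later. The sample configuration, including policies 45 and 46 and the nested identity-based-policy table, is constructed for illustration.

```python
# Constructed sample in FortiOS "show"/backup syntax; not taken from a real device.
SAMPLE_CONFIG = """\
config vdom
edit MytestVdom
config firewall policy
    edit 44
        set srcintf "VLAN78"
        set auto-asic-offload disable
    next
    edit 45
        set srcintf "VLAN66_OUT"
    next
    edit 46
        config identity-based-policy
            edit 1
                set schedule "always"
            next
        end
        set auto-asic-offload disable
    next
end
end
"""

def offload_disabled_policies(config_text):
    """Return [(vdom, policy_id)] for policies with 'set auto-asic-offload disable'."""
    stack, hits = [], []  # stack of ("config", table) / ("edit", entry) frames
    for raw in config_text.splitlines():
        words = raw.split() or [""]
        verb, args = words[0], [w.strip('"') for w in words[1:]]
        if verb == "config":
            stack.append(("config", " ".join(args)))
        elif verb == "edit" and args:
            stack.append(("edit", args[0]))
        elif verb in ("next", "end"):
            if stack and stack[-1][0] == "edit":
                stack.pop()  # close the open entry
            if verb == "end" and stack:
                stack.pop()  # close the enclosing table
        elif verb == "set" and args[:2] == ["auto-asic-offload", "disable"]:
            in_policy = len(stack) >= 2 and stack[-2] == ("config", "firewall policy")
            if in_policy and stack[-1][0] == "edit":
                vdom = next((stack[i + 1][1] for i in range(len(stack) - 1)
                             if stack[i] == ("config", "vdom")), None)
                hits.append((vdom, stack[-1][1]))
    return hits

if __name__ == "__main__":
    for vdom, policy_id in offload_disabled_policies(SAMPLE_CONFIG):
        print(f"vdom={vdom} policy={policy_id}: auto-asic-offload disabled")
```

The frame stack is what keeps the setting attributed to policy 46 rather than to entry 1 of the nested table, and a configuration without VDOMs yields None as the VDOM name.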

How to send realtime logs to FortiAnalyzer

When you configure your FortiGate box to send logs to a FortiAnalyzer box, it sends the logs on a scheduled basis, and when you test connectivity you may notice a warning saying “Logs not received” in the connection status.

You should configure your FortiGate box to send logs in real time.

Go to the CLI. The output should look like this.

Forti # config log fortianalyzer setting

Forti (setting) # sh
config log fortianalyzer setting
set status enable
set server 10.10.10.11
end

Forti (setting) # set upload-option realtime

Forti (setting) # end

Forti # get log fortianalyzer setting
status : enable
ips-archive : enable
max-buffer-size : 1
buffer-max-send : 1000
address-mode : static
server : 10.10.10.11
enc-algorithm : default
localid : (null)
conn-timeout : 10
monitor-keepalive-period: 5
monitor-failure-retry-period: 5
source-ip : 0.0.0.0
upload-option : realtime

Now we can test and see whether it is working fine via the GUI.

FortiOS v5.0 at a glance..

Today I spent a few minutes reviewing the new FortiOS major release, version 5.

There are some reasonable changes in the GUI. At first sight, VDOMs are separated from the GLOBAL menu. As a new feature, we can now assign device-based rules. The Policy screen also has some modifications: we now have to select between two types of policy before creating a new one.

Firewall and VPN. Actually we had these already, but now they are more user-friendly in the GUI.
The Firewall policy has three sub-types, and we have to select one of them (Address, Identity Based, or the new one, “Device Identity”). The VPN policy also has two types, as you can guess: SSL and IPsec.

Device-based rules have a simple idea behind them: you simply group devices by their MAC addresses. Indeed, we will be able to add MAC-based policies from now on.

In short, FortiOS v5.0 will not bring incredible features. It just has some GUI modifications and some minor features for a major release. But there should be lots of improvements in the background. I will review it later, but at first sight v5 is a disappointment for me.