Inspection of asymmetric sessions on FortiGate

There is one feature available on FortiGate that I think you should know about, as it modifies a bit what we know about stateful firewalls. In the past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections and, by checking a couple of attributes, treat packets as part of the same session. For example, when you initiate a connection from host1 to host2, the returning traffic from host2 to host1 will be treated as part of the same connection (session). The packets have to have the same source/destination and destination/source IPs, port numbers and interfaces. There is an exception to this rule: in some specific cases FortiGate can accept packets on a port that was not used in the initial connection. Let me explain how it works with the example below:

Host1 has its default gateway on R1, but you may notice that this is not the optimal path to the host2 subnet. When we analyze the packet flow from host2…
Recent posts

High Availability - Cisco ASA vs Fortigate

I participated in a discussion about the High Availability feature on Cisco ASA and FortiGate. We were talking about active-active, active-passive and active-standby modes. What was funny, we talked about the same features using different names. Yes, Cisco and Fortinet use different names for the same features. Let me explain it to avoid a similar misunderstanding.

1) Cisco ASA 

There are two modes available:

a) active/standby - this mode is available only in single-context (standalone) mode. The concept is simple: you have two devices, a primary and a secondary. When possible, the primary is the active device and the secondary the standby. Only one device (the active one) processes traffic, while the standby waits passively, monitoring the status of the active one. When a failure happens (failure of the device, an interface, etc.), it triggers a failover and the secondary (standby) becomes the active one (secondary/active).

b) active/active - this mode is only available in multi-context mode. You have to decide w…

What should you know about HA 'override enabled' setting on Fortigate?

High availability is mandatory in most of today's network designs. Only very small companies or branches can run their business without redundancy. When you have a FortiGate firewall in your network you have many options to increase network availability. You can use the FortiGate Clustering Protocol (FGCP) or the Virtual Router Redundancy Protocol (VRRP). FGCP has two modes: 'override' disabled (the default) and 'override' enabled. I'm not going to explain how to set up HA, as you can find many resources on Fortinet websites:

Let's recap the main difference between them. The default HA setting is 'override' disabled, and this is the order in which the active unit is selected:

1) number of monitored interfaces - when both units have the same number of working (up) interfaces, check the next parameter
2) HA uptime - the unit with the higher uptime wins b…

Data Leak Prevention (DLP) on Fortigate

Today I would like to present one interesting feature you may find on your FortiGate: Data Leak Prevention. I know there are much better, dedicated solutions on the market, but in certain situations the DLP feature available in FortiOS is good enough.

Why should you use it?

This is very important to say: DLP in such a deployment (on the FortiGate) can't protect your data against every data leak. A user in your network can easily take a photo of any document with a mobile phone. Why should we still consider it? It is a good (and easy to deploy) method to prevent users' mistakes. It has happened hundreds of times that a user attached the wrong file. Sounds familiar? Using DLP you can create policies which stop such a leak. Let me show you how to configure it.

Step #1

First, you have to check that DLP is enabled in the "Feature Visibility" and "Security Features" section:

If you do not see the feature, make sure your FortiGate is running in proxy-based inspection mode:

How to increase network resiliency?

Network design is not a fixed process. Every time we add or change something in the network, we should analyze whether the network is still as resilient as it was in the original design. Let's analyze the scenario below:

Firewall - FortiGate 5.x
Core switch - Nexus 5k NX-OS 7.X
Routing between core and firewalls - static

With a direct connection between FW01-Core01 and FW02-Core02 we can detect a link failure easily. The firewalls here are in HA Active-Passive mode, which means the secondary box doesn't process any traffic. In case of a Port1, Port2 or device failure, the secondary takes over its role and sends ARP updates to the core switch. The same applies when Core01 or Core02 fails: FW01/02 notices it and triggers a failover.

Let's imagine you are tasked to put an IDS between the core switches and the perimeter firewalls, as in the diagram below:

What is wrong with this scenario? Let's think about whether the following failure scenarios are covered:

1) FW01/Port1/Port2 failure - with port failure FW01 t…

Nexus and VTP

Today I would like to work with a Nexus 5k in VTP Server mode and see what steps are necessary to recover the configuration from a backup.

This is the platform I have in my lab:

N5548A# sh ver
Cisco Nexus Operating System (NX-OS) Software
TAC support:
Copyright (c) 2002-2013, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at

  BIOS:      version 3.6.0
  loader:    version N/A
  kickstart: version 6.0(2)N2(3)
  system:    version 6.0(2)N2(3)
  Power Sequencer Firmware:
             Module 1: version v3.0
             Module 2: version v1.0
             Module 3: version v5.0
  Microcontroller Firmware:        version v1.2.0.1