
IPv6 security – IPv6 First Hop Security – Binding Table – part three.

Similar to IPv4, where DHCP snooping builds a binding table of the connected hosts, for IPv6 we can enable the IPv6 Binding Table. The table is populated by ND snooping/inspection, by the DHCPv6 registration process, or by static entries, and the First Hop Security features (ND inspection in this post) use it to decide whether a host may use the address it claims on a given port.

               Gi1/0/1               Gi1/0/2
      /----\               -----               /----\
     |  R4  |-------------| sw1 |-------------|  R5  |
      \----/               -----               \----/
                             |
                             | Gi1/0/3
                           /----\
                          |  R6  |
                           \----/

I enable IPv6 on the routers and apply an ND policy with the port role set to 'router' on the switch ports. R4:

R4#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::223:4FF:FE8E:5E08 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:10:10:10::4, subnet is 2001:10:10:10::/64 
  Joined group address(es):
    FF02::1
    FF02::1:FF00:4
    FF02::1:FF8E:5E08
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
R4#

R5:
 
R5#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21C:58FF:FE9E:2B00 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:10:10:10::5, subnet is 2001:10:10:10::/64 
  Joined group address(es):
    FF02::1
    FF02::1:FF00:5
    FF02::1:FF9E:2B00
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
R5#

R6:
 
R6#sh ipv6 interface 
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21C:58FF:FEF4:AEE0 
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:10:10:10::6, subnet is 2001:10:10:10::/64 
  Joined group address(es):
    FF02::1
    FF02::1:FF00:6
    FF02::1:FFF4:AEE0
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
R6#

Let’s ping all routers and check their neighbor tables:

R4#sh ipv6 neighbors 
IPv6 Address                              Age Link-layer Addr State Interface
2001:10:10:10::5                            0 001c.589e.2b00  REACH Fa0/0
2001:10:10:10::6                            0 001c.58f4.aee0  REACH Fa0/0
FE80::21C:58FF:FEF4:AEE0                    0 001c.58f4.aee0  REACH Fa0/0
FE80::21C:58FF:FE9E:2B00                    0 001c.589e.2b00  REACH Fa0/0
R5#sh ipv6 neighbors         
IPv6 Address                              Age Link-layer Addr State Interface
2001:10:10:10::4                            3 0023.048e.5e08  STALE Fa0/0
2001:10:10:10::6                            0 001c.58f4.aee0  REACH Fa0/0
FE80::223:4FF:FE8E:5E08                     3 0023.048e.5e08  STALE Fa0/0
R6#sh ipv6 neighbors 
IPv6 Address                              Age Link-layer Addr State Interface
2001:10:10:10::5                            0 001c.589e.2b00  STALE Fa0/0
2001:10:10:10::4                            4 0023.048e.5e08  STALE Fa0/0
FE80::223:4FF:FE8E:5E08                     4 0023.048e.5e08  STALE Fa0/0
FE80::21C:58FF:FE9E:2B00                    0 001c.589e.2b00  STALE Fa0/0

Let’s check the binding table on SW1:

SW1#sh ipv6 neighbors binding vlanid 20
vlanDB has 6 entries for vlan 20, 6 dynamic 
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   
    IPv6 address                            Link-Layer addr Interface vlan prlvl  age   state    Time left
ND  FE80::223:4FF:FE8E:5E08                 0023.048E.5E08  Gi1/0/1     20  0011  120s  REACHABLE  194 s            
ND  FE80::21C:58FF:FEF4:AEE0                001C.58F4.AEE0  Gi1/0/3     20  0011  127s  REACHABLE  180 s            
ND  FE80::21C:58FF:FE9E:2B00                001C.589E.2B00  Gi1/0/2     20  0011  120s  REACHABLE  188 s            
ND  2001:10:10:10::6                        001C.58F4.AEE0  Gi1/0/3     20  0011  142s  REACHABLE  158 s            
ND  2001:10:10:10::5                        001C.589E.2B00  Gi1/0/2     20  0011  135s  REACHABLE  171 s            
ND  2001:10:10:10::4                        0023.048E.5E08  Gi1/0/1     20  0011  130s  REACHABLE  179 s            

SW1#
SW1#sh ipv6 neighbors binding vlanid 20 details 
vlanDB has 6 entries for vlan 20, 6 dynamic 


 Binding table configuration:
 ----------------------------
 max/box  : 2
 max/vlan : no limit
 max/port : 2
 max/mac  : no limit

 Binding table current counters:
 ------------------------------
 dynamic  : 6
 local    : 0
 total    : 6

 Binding table counters by state:
 ----------------------------------
 STALE      : 6
   total    : 6

Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    IPv6 address                            Link-Layer addr Interface vlan prlvl  age   state    Time left        Filter Policy (feature)
ND  FE80::223:4FF:FE8E:5E08                 0023.048E.5E08  Gi1/0/1     20  0011    8mn STALE      90311 s           no  ROUTER-POLICY (NDP inspection)
ND  FE80::21C:58FF:FEF4:AEE0                001C.58F4.AEE0  Gi1/0/3     20  0011    5mn STALE      89229 s           no  ROUTER-POLICY (NDP inspection)
ND  FE80::21C:58FF:FE9E:2B00                001C.589E.2B00  Gi1/0/2     20  0011    5mn STALE      86953 s           no  ROUTER-POLICY (NDP inspection)
ND  2001:10:10:10::6                        001C.58F4.AEE0  Gi1/0/3     20  0011    5mn STALE      88042 s           no  ROUTER-POLICY (NDP inspection)
ND  2001:10:10:10::5                        001C.589E.2B00  Gi1/0/2     20  0011    5mn STALE      88554 s           no  ROUTER-POLICY (NDP inspection)
ND  2001:10:10:10::4                        0023.048E.5E08  Gi1/0/1     20  0011    9mn STALE      86353 s           no  ROUTER-POLICY (NDP inspection)

SW1#

Now I add IP addresses on R4. First, the current bindings on Gi1/0/1, which has a per-port limit of 2:
 
SW1#sh ipv6 neighbors binding interface gig1/0/1         
portDB has 2 entries for interface Gi1/0/1, 2 dynamic (limit 2)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    IPv6 address                            Link-Layer addr Interface vlan prlvl  age   state    Time left
ND  FE80::223:4FF:FE8E:5E08                 0023.048E.5E08  Gi1/0/1     20  0011   10mn STALE      90194 s          
ND  2001:10:10:10::4                        0023.048E.5E08  Gi1/0/1     20  0011   11mn STALE      86236 s          

SW1#

A new address can be added and the binding table is updated (the %SISF-6-ENTRY_CREATED/ENTRY_CHANGED messages are produced by 'ipv6 neighbor binding logging'):
 
SW1#
Mar 30 02:25:53.281: %SISF-6-ENTRY_CREATED: Entry created A=2001:20:20:20::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:25:53.281: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:20:20:20::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:25:54.279: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:20:20:20::4 V=20 I=Gi1/0/1 P=0011 M=0023.048E.5E08
SW1# 
 
SW1#sh ipv6 neighbors binding interface gig1/0/1 
portDB has 3 entries for interface Gi1/0/1, 3 dynamic (limit 2)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    IPv6 address                            Link-Layer addr Interface vlan prlvl  age   state    Time left
ND  FE80::223:4FF:FE8E:5E08                 0023.048E.5E08  Gi1/0/1     20  0011   13mn STALE      90053 s          
ND  2001:20:20:20::4                        0023.048E.5E08  Gi1/0/1     20  0011   20s  REACHABLE  288 s            
ND  2001:10:10:10::4                        0023.048E.5E08  Gi1/0/1     20  0011   13mn STALE      86095 s          

SW1#
Mar 30 02:26:39.225: %SISF-6-ENTRY_CREATED: Entry created A=2001:30:30:30::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:26:39.225: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:30:30:30::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:26:40.232: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:30:30:30::4 V=20 I=Gi1/0/1 P=0011 M=0023.048E.5E08
SW1#                                             
SW1# 
 
SW1#sh ipv6 neighbors binding interface gig1/0/1 
portDB has 4 entries for interface Gi1/0/1, 4 dynamic (limit 2)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    IPv6 address                            Link-Layer addr Interface vlan prlvl  age   state    Time left
ND  FE80::223:4FF:FE8E:5E08                 0023.048E.5E08  Gi1/0/1     20  0011   13mn STALE      90014 s          
ND  2001:30:30:30::4                        0023.048E.5E08  Gi1/0/1     20  0011   14s  REACHABLE  290 s            
ND  2001:20:20:20::4                        0023.048E.5E08  Gi1/0/1     20  0011   60s  REACHABLE  249 s            
ND  2001:10:10:10::4                        0023.048E.5E08  Gi1/0/1     20  0011   14mn STALE      86055 s          

SW1#
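To make the per-port check repeatable (and to decode the prlvl column without reading the legend every time), here is a small parser for the 'show ipv6 neighbors binding' output. This is an added example, not code from the original post or from Cisco; the row layout and the prlvl bit values are taken from the switch output above, and SAMPLE is a constructed excerpt in that format (the four Gi1/0/1 rows from the output above plus one static row). It reports, per interface, how many dynamic entries exist, whether they were learned on a trusted port, and whether the printed limit has been exceeded.

```python
"""Parse 'show ipv6 neighbors binding' output and audit per-port limits.
Added example (not from the original post or from Cisco). The row layout
and the prlvl legend follow the switch output; SAMPLE is constructed."""
import re
from collections import defaultdict

# Bit values from the "Preflevel flags (prlvl)" legend printed by the switch.
PRLVL_FLAGS = {
    0x0001: "MAC and LLA match",
    0x0002: "Orig trunk",
    0x0004: "Orig access",
    0x0008: "Orig trusted trunk",
    0x0010: "Orig trusted access",
    0x0020: "DHCP assigned",
    0x0040: "Cga authenticated",
    0x0080: "Cert authenticated",
    0x0100: "Statically assigned",
}
DYNAMIC_CODES = {"ND", "DH", "PKT", "API"}  # L (local) and S (static) are not dynamic

# One binding row: code, address, MAC, interface, vlan, prlvl, age, state, time left
ROW_RE = re.compile(
    r"^(?P<code>L|S|ND|DH|PKT|API)\s+"
    r"(?P<addr>[0-9A-Fa-f:]+)\s+"
    r"(?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\s+"
    r"(?P<intf>\S+)\s+(?P<vlan>\d+)\s+(?P<prlvl>[0-9A-Fa-f]{4})\s+"
    r"(?P<age>\d+(?:s|mn))\s+(?P<state>\S+)\s+(?P<left>\d+)\s*s"
)
# "portDB has 4 entries for interface Gi1/0/1, 4 dynamic (limit 2)"
DYN_LIMIT_RE = re.compile(r"(?P<dyn>\d+) dynamic \(limit (?P<limit>\d+)\)")


def decode_prlvl(prlvl):
    """Expand the hex prlvl column (e.g. '0011') into its flag names, lowest bit first."""
    value = int(prlvl, 16)
    return [name for bit, name in sorted(PRLVL_FLAGS.items()) if value & bit]


def parse_binding_table(text):
    """Return (entries, limit); limit is None when the dump does not print one."""
    entries, limit = [], None
    for line in text.splitlines():
        m = DYN_LIMIT_RE.search(line)
        if m:
            limit = int(m.group("limit"))
            continue
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["vlan"], e["left"] = int(e["vlan"]), int(e["left"])
        e["flags"] = decode_prlvl(e["prlvl"])
        e["dynamic"] = e["code"] in DYNAMIC_CODES
        entries.append(e)
    return entries, limit


def audit(text):
    """Per interface: dynamic/static counts, trusted-port origin, distinct MACs, over-limit flag."""
    entries, limit = parse_binding_table(text)
    buckets = defaultdict(lambda: {"dynamic": 0, "static": 0, "trusted": False, "macs": set()})
    for e in entries:
        b = buckets[e["intf"]]
        b["dynamic" if e["dynamic"] else "static"] += 1
        b["macs"].add(e["mac"].lower())
        if "Orig trusted access" in e["flags"] or "Orig trusted trunk" in e["flags"]:
            b["trusted"] = True  # limits were not applied to these bindings
    return {
        intf: {
            "dynamic": b["dynamic"],
            "static": b["static"],
            "trusted": b["trusted"],
            "mac_count": len(b["macs"]),
            "over_limit": limit is not None and b["dynamic"] > limit,
        }
        for intf, b in buckets.items()
    }


# Constructed sample in the switch's output format.
SAMPLE = """\
portDB has 4 entries for interface Gi1/0/1, 4 dynamic (limit 2)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
    IPv6 address                            Link-Layer addr Interface vlan prlvl  age   state    Time left
ND  FE80::223:4FF:FE8E:5E08                 0023.048E.5E08  Gi1/0/1     20  0011   13mn STALE      90014 s
ND  2001:30:30:30::4                        0023.048E.5E08  Gi1/0/1     20  0011   14s  REACHABLE  290 s
ND  2001:20:20:20::4                        0023.048E.5E08  Gi1/0/1     20  0011   60s  REACHABLE  249 s
ND  2001:10:10:10::4                        0023.048E.5E08  Gi1/0/1     20  0011   14mn STALE      86055 s
S   2001:10:10:10::20                       0023.048E.5E08  Gi1/0/1     20  0100   32s  REACHABLE  19 s try 0
"""

if __name__ == "__main__":
    for intf, report in audit(SAMPLE).items():
        print(intf, report)
```

Feed it the output of 'show ipv6 neighbors binding interface ...' captured from the switch; an interface that is over_limit with trusted set is exactly the situation above, where the policy rather than the table limit decides what gets accepted.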

Note that the port has accepted 4 dynamic entries although it shows '(limit 2)'. The prlvl of 0011 decodes to 0001 'MAC and LLA match' plus 0010 'Orig trusted access': the bindings were learned on a trusted port, and the limit was not applied. Now I remove the ND policy from Gig1/0/1 and enable ND inspection (together with IPv6 snooping) on the interface, using the default, untrusted policies:

SW1#sh run int gig1/0/1                
Building configuration...

Current configuration : 140 bytes
!
interface GigabitEthernet1/0/1
 switchport access vlan 20
 switchport mode access
 ipv6 nd inspection vlan 20
 ipv6 snooping vlan 20
end

SW1#

Let's set the global binding table parameters (reachable lifetime, logging, maximum entries) and create static bindings for R4 with tracking enabled, so the switch itself polls the entries to keep them REACHABLE:
 
SW1#
!
ipv6 neighbor binding reachable-lifetime 50
ipv6 neighbor binding logging
ipv6 neighbor binding max-entries 2 vlan-limit 2
ipv6 neighbor binding vlan 20 FE80::223:4FF:FE8E:5E08 interface Gi1/0/1 0023.048e.5e08 tracking enable
ipv6 neighbor binding vlan 20 2001:10:10:10::20 interface Gi1/0/1 0023.048e.5e08 tracking enable
ipv6 neighbor tracking 
!  
 
and check that the static entries appear (code S, prlvl 0100 'Statically assigned'):
 
SW1#sh ipv6 neighbors binding 
Binding Table has 6 entries, 4 dynamic (limit 2)
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    IPv6 address                            Link-Layer addr Interface vlan prlvl  age   state    Time left
S   FE80::223:4FF:FE8E:5E08                 0023.048E.5E08  Gi1/0/1     20  0100   15s  REACHABLE  36 s             
ND  FE80::21C:58FF:FEF4:AEE0                001C.58F4.AEE0  Gi1/0/3     20  0011   47s  REACHABLE  4 s try 0        
ND  FE80::21C:58FF:FE9E:2B00                001C.589E.2B00  Gi1/0/2     20  0011   43mn STALE      88731 s          
S   2001:10:10:10::20                       0023.048E.5E08  Gi1/0/1     20  0100   32s  REACHABLE  19 s try 0       
ND  2001:10:10:10::6                        001C.58F4.AEE0  Gi1/0/3     20  0011    1s  REACHABLE  50 s try 0       
ND  2001:10:10:10::5                        001C.589E.2B00  Gi1/0/2     20  0011   43mn STALE      86340 s          

Let’s try to add a new IP:
 
R4(config-if)#ipv6 address 2001:10:10:10::14/64

and check what happens when we ping R6, with SISF debugging enabled on SW1 (the output is interleaved and some messages were lost to queue overflow, as the %SYS-3-MSGLOST lines show):
 
SW1#
Mar 30 03:03:16.059: SISF[CLA]: Packet for: 
Mar 30 03:03:16.059: SISF[CLA]:         Protocol number: 58 value 136
Mar 30 03:03:16.059: SISF[CLA]:                 feature NDP inspection
Mar 30 03:03:16.059: SISF[CLA]:                 feature Snooping
Mar 30 03:03:16.059: SISF[SWI]: Gi1/0/1 vlan 20 Feature_0  NDP inspection priority 160
Mar 30 03:03:16.059: SISF[SWI]: Gi1/0/1 vlan 20 Feature_1  Snooping priority 128
Mar 30 03:03:16.067: SISF[MEM]: Owner is this process
Mar 30 03:03:16.067: SISF[MEM]: semaphore 6930E18 (re)locked
Mar 30 03:03:16.067: SISF[MEM]: Locking, count is now 1
Mar 30 03:03:16.067: SISF[CLA]: Packet for: 
Mar 30 03:03:16.067: SISF[CLA]:         Protocol number: 58 value 136
Mar 30 03:03:16.067: SISF[CLA]:                 feature NDP inspection
Mar 30 03:03:16.067: SISF[CLA]:                 feature Snooping
Mar 30 03:03:16.067: SISF[SWI]: Gi1/0/1 vlan 20 Feature_0  NDP inspection priority 160
Mar 30 03:03:16.067: SISF[SWI]: Gi1/0/1 vlan 20 Feature_1  Snooping priority 128
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 Parse msg  ND_NEIGHBOR_ADVERT. len 8
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 Found 1 options
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20            option 2 : ND_OPT_TARGET_LINKADDR
Mar 30 03:03:16.067: SISF[GLN]: Gi1/0/1 vlan 20 setting action to 0 pid 0
Mar 30 03:03:16.067: SISF[POL]: Vlan 20ac check(smac,lla): MATCH for 2001:10:10:10::14
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 Source and LLA match
Mar 30 03:03:16.067:  matches vlan list on policy dSISF[PRS]: Gi1/0/1 vlan 20    No RSA option
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 preference level set 5
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 (unsecure)NA without CGA option
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 Unsecure message from untrusted port
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 NDP Inspection setting sec level to INSPECT
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 Advertise from access: default action is update entry
Mar 30 03:03:16.067: SISF[GLN]: Gi1/0/1 vlan 20 setting action to 2 pid 0
Mar 30 03:03:16.067: SISF[BT ]:         Max dynamic entries 2 reached
Mar 30 03:03:16.067: SISF[GLN]: Gi1/0/1 vlan 20 setting action to 4 pid 0efault
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 NDPI rcv:  ND_NEIGHBOR_ADVERT on Gi1/0/1
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20          src 2001:10:10:10::14
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20          dst 2001:10:10:10::6
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20          Target: 2001:10:10:10::14
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20            option 2 : ND_OPT_TARGET_LINKADDR
Mar 30 03:03:16.067: SISF[PRS]: Gi1/0/1 vlan 20 Source-m
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 ! DROP:  ND_NEIGHBOR_ADVERT  src 2001:10:10:10::14 dst 2001:10:10:10::6 reason=14
Mar 30 03:03:16.067: SISF[SWI]: Gi1/0/1 vlan 20 Feature NDP inspection rc 1
Mar 30 03:03:16.067: SISF[SWI]: Gi1/0/1 vlan 20 Feature drop
Mar 30 03:03:16.067: SISF[MEM]: Unlocking, count is now 0
Mar 30 03:03:16.067: SISF[MEM]:  6930E18 semaphore system unlocked

Mar 30 03:03:17.166: SISF[NDP]: Gi1/0/1 vlan 20 ! DROP:  ND_NEIGHBOR_ADVERT  src 2001:10:10:10::14 dst 2001:10:10:10::6 reason=14
Mar 30 03:03:17.166: SISF[SWI]: Gi1/0/1 vlan 20 Feature NDP inspection rc 1
Mar 30 03:03:17.166: SISF[SWI]: Gi1/0/1 vlan 20 Feature drop
Mar 30 03:03:17.166: SISF[MEM]: Unlocking, count is now 0
Mar 30 03:03:17.166: SISF[MEM]:  6930E18 semaphore system unlocked

Mar 30 03:03:19.431: SISF[CLA]: Packet for: 
Mar 30 03:03:19.431: SISF[CLA]:         Protocol number: 58 value 136
Mar 30 03:03:19.431: SISF[CLA]:                 feature NDP inspection
Mar 30 03:03:19.431: SISF[CLA]:                 feature Snooping
Mar 30 03:03:19.431: SISF[SWI]: Gi1/0/1 vlan 20 Feature_0  NDP inspection priority 160
Mar 30 03:03:19.431: SISF[SWI]: Gi1/0/1 vlan 20 Feature_1  Snooping priority 128
Mar 30 03:03:19.456: SISF[MEM]: Owner is this process
Mar 30 03:03:19.456: SISF[MEM]: semaphore 6930E18 (re)locked
Mar 30 03:03:19.456: SISF[MEM]: Locking, count is now 1
Mar 30 03:03:19.456: SISF[CLA]: Packet for: 
Mar 30 03:03:19.456: 
Mar 30 03:03:41.569: %SYS-3-MSGLOST: 51 messages lost because of queue overflow
Mar 30 03:03:19.456: SISF[NDP]: Gi1/0/1 vlan 20 ! DROP:  ND_NEIGHBOR_ADVERT  src 2001:10:10:10::14 dst 2001:10:10:10::6 reason=14
Mar 30 03:03:19.456: SISF[SWI]: Gi1/0/1 vlan 20 Feature NDP inspection rc 1
Mar 30 03:03:19.456: SISF[SWI]: Gi1/0/1 vlan 20 Feature drop
Mar 30 03:03:19.456: SISF[MEM]: Unlocking, count is now 0
Mar 30 03:03:19.456: SISF[MEM]:  6930E18 semaphore system unlocked
Mar 30 03:03:42.575: %SYS-3-MSGLOST: 202 messages lost because of queue overflowSISF[PRS]: Gi1/0/1 vlan 20 Advertise from access: default action is update entry
Mar 30 03:03:20.396: SISF[GLN]: Gi1/0/1 vlan 20 setting action to 2 pid 0
Mar 30 03:03:20.396: SISF[BT ]:         Max dynamic entries 2 reached
Mar 30 03:03:20.396: SISF[GLN]: Gi1/0/1 vlan 20 setting action to 4 pid 0
Mar 30 03:03:20.396: SISF[NDP]: Gi1/0/1 vlan 20 ! DROP:  ND_NEIGHBOR_ADVERT  src 2001:10:10:10::14 dst 2001:10:10:10::6 reason=14
Mar 30 03:03:20.396: SISF[SWI]: Gi1/0/1 vlan 20 Feature NDP inspection rc 1
Mar 30 03:03:20.396: SISF[SWI]: Gi1/0/1 vlan 20 Feature drop
Mar 30 03:03:20.396: SISF[MEM]: Unlocking, count is now 0
Mar 30 03:03:20.396: SISF[MEM]:  6930E18 semaphore system unlocked
Mar 30 03:03:44.589: %SYS-3-MSGLOST: 494 messages lost because of queue overflow
Mar 30 03:03:21.369: SISF[MEM]: Unlocking, count is now 1
Mar 30 03:03:21.369: SISF[MEM]:  6930E18 semaphore system unlocked
Mar 30 03:03:21.369: SISF[SWI]: SVI is Vlan20

The Neighbor Advertisements R4 sends for 2001:10:10:10::14 are dropped by NDP inspection (reason=14, preceded by 'Max dynamic entries 2 reached'), so R6 never resolves the new address and the ping fails. The snooping counters on Gi1/0/1 confirm the drops and the reason:
 
SW1#show ipv6 snooping counters interface gigabitEthernet1/0/1
Received messages on Gi1/0/1:
Protocol        Protocol message
NDP             NS[14] NA[51] 
DHCPv6          

Bridged messages from Gi1/0/1:
Protocol        Protocol message
NDP             NS[19] NA[3] 
DHCPv6          

Dropped messages on Gi1/0/1:
Feature         Protocol Msg [Total dropped]
NDP inspection  NDP      NS  [5]
                reason:  Address limit per box reached [5]

                         NA  [32]
                reason:  Address limit per box reached [32]

Snooping        NDP      NS  [3]
                reason:  Address limit per box reached [3]

                         NA  [3]
                reason:  Address limit per box reached [3]

SW1#
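The syslog and debug lines above are also what you would ship to a collector, so here is the detection logic run over them. This is an added example, not code from the original post or from Cisco. The regexes follow the %SISF-6-ENTRY_CREATED and 'SISF[NDP]: ... ! DROP:' formats shown above; SAMPLE_LINES is constructed from those lines, with one extra address (2001:40:40:40::4) and one Gi1/0/3 entry added to exercise the burst detector. The drop reason is kept as the numeric code the debug prints (reason=14); the counters output describes the same drops as 'Address limit per box reached', but the page does not document the code-to-text mapping, so the example does not hard-code it. The burst detector goes beyond the post's single scenario: it flags any port that learns more than a threshold of distinct addresses inside a sliding window, which is how this shows up on a trusted port where the switch itself does not enforce the limit.

```python
"""Detection over SISF binding-table syslog and debug lines.
Added example (not from the original post or from Cisco). Line formats
follow the %SISF-6-ENTRY_CREATED and 'SISF[NDP]: ... ! DROP:' messages;
SAMPLE_LINES is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+)"
CREATED_RE = re.compile(
    TS + r": %SISF-6-ENTRY_CREATED: Entry created "
    r"A=(?P<addr>\S+) V=(?P<vlan>\d+) I=(?P<intf>\S+) P=(?P<prlvl>[0-9A-Fa-f]{4}) M=(?P<mac>\S*)"
)
DROP_RE = re.compile(
    TS + r": SISF\[NDP\]: (?P<intf>\S+) vlan (?P<vlan>\d+) ! DROP:\s+(?P<msg>\S+)\s+"
    r"src (?P<src>\S+) dst (?P<dst>\S+) reason=(?P<reason>\d+)"
)


def parse_ts(text):
    # Syslog timestamps carry no year; only differences between them are used here.
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def new_address_bursts(lines, window_s=60, threshold=2):
    """Return {(intf, vlan): [addresses]} for ports on which more than `threshold`
    distinct addresses were created within any `window_s`-second window."""
    recent = defaultdict(deque)   # (intf, vlan) -> deque of (timestamp, address)
    alerts = defaultdict(set)
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        key = (m["intf"], int(m["vlan"]))
        ts = parse_ts(m["ts"])
        q = recent[key]
        q.append((ts, m["addr"]))
        while (ts - q[0][0]).total_seconds() > window_s:  # drop entries outside the window
            q.popleft()
        addrs = {addr for _, addr in q}
        if len(addrs) > threshold:
            alerts[key].update(addrs)
    return {key: sorted(addrs) for key, addrs in alerts.items()}


def drop_summary(lines):
    """Count NDP inspection drops per (interface, ND message type, reason code)."""
    counts = defaultdict(int)
    for line in lines:
        m = DROP_RE.match(line)
        if m:
            counts[(m["intf"], m["msg"], int(m["reason"]))] += 1
    return dict(counts)


# Constructed sample: the Gi1/0/3 line and the 2001:40:40:40::4 address are invented.
SAMPLE_LINES = """\
Mar 30 02:25:53.281: %SISF-6-ENTRY_CREATED: Entry created A=2001:20:20:20::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:25:54.279: %SISF-6-ENTRY_CHANGED: Entry changed A=2001:20:20:20::4 V=20 I=Gi1/0/1 P=0011 M=0023.048E.5E08
Mar 30 02:26:10.100: %SISF-6-ENTRY_CREATED: Entry created A=2001:10:10:10::6 V=20 I=Gi1/0/3 P=0011 M=001C.58F4.AEE0
Mar 30 02:26:39.225: %SISF-6-ENTRY_CREATED: Entry created A=2001:30:30:30::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 02:26:50.000: %SISF-6-ENTRY_CREATED: Entry created A=2001:40:40:40::4 V=20 I=Gi1/0/1 P=0011 M=
Mar 30 03:03:16.067: SISF[NDP]: Gi1/0/1 vlan 20 ! DROP:  ND_NEIGHBOR_ADVERT  src 2001:10:10:10::14 dst 2001:10:10:10::6 reason=14
Mar 30 03:03:17.166: SISF[NDP]: Gi1/0/1 vlan 20 ! DROP:  ND_NEIGHBOR_ADVERT  src 2001:10:10:10::14 dst 2001:10:10:10::6 reason=14
Mar 30 03:03:19.456: SISF[NDP]: Gi1/0/1 vlan 20 ! DROP:  ND_NEIGHBOR_ADVERT  src 2001:10:10:10::14 dst 2001:10:10:10::6 reason=14
""".splitlines()

if __name__ == "__main__":
    print("bursts:", new_address_bursts(SAMPLE_LINES))
    print("drops:", drop_summary(SAMPLE_LINES))
```

Tune window_s and threshold to the port's expected behaviour (a router port legitimately has a link-local plus a few globals; an access port with dozens of new addresses a minute is either privacy-extension churn or an ND cache attack), and treat a burst on a port whose entries carry the trusted prlvl bits as the case the switch will not block for you.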

Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2s/ip6-15-2s-book/ip6-ra-guard.html#GUID-2EB7C149-6FF0-418F-9A68-6097DF61B03C
