Author Archive

IPS Sensor for Fortigate with IPv6

Fortinet has quite an advanced IPv6 implementation. Unfortunately, in the current releases it is not possible to assign an IPS sensor to an IPv6 policy in the GUI. The good news is that you can do it anyway, but you have to create an interface policy on the command line.

This is how it works:

config firewall interface-policy6
    edit 1
        set interface "port5"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set service6 "HTTP"
        set ips-sensor-status enable
        set ips-sensor "WEB-ips"
    next
end

Like that you apply a sensor per interface and not per policy. Much better than nothing, right?

IPv6 Address Renumbering

IPv6 uses provider-aggregated addresses. In the documentation you can read how easy it is to do address renumbering.

You can specify a general prefix on a device. If you need to change the address, you only have to change the general prefix, and all addresses on this device get the new prefix.

On Cisco devices it looks like this:

ipv6 general-prefix PROD 2001:DB8:1234::/48
!
interface Vlan1
 description Management Network
 ipv6 address PROD ::1:0:0:0:2E1/64
 ipv6 enable
!
interface Vlan2
 description Management Network
 ipv6 address PROD ::2:0:0:0:FF/64
 ipv6 enable
!

Now you change the prefix of the general-prefix PROD, and all IPv6 addresses on this device that reference it are changed.

Fortigate Management Interface in HA Mode

If you create a Fortigate HA cluster, you get an option “Reserve Management Port for Cluster Member” which you can activate. If it is active you can select an interface for this option.

This is a nice feature.

Like that you can assign an IP address to an interface which is not synchronized between the cluster members. Every machine gets its own IP address. This is very helpful if you have virtual clusters with different masters. It also helps to monitor the CPU and memory of a subordinate device.

Again, there is much more you can do on the command line than in the GUI:

First you activate the feature:

config system ha
    set ha-mgmt-status enable
    set ha-mgmt-interface wan2
    set ha-mgmt-interface-gateway 10.11.101.100
end

Then you assign an individual IP address to every node in the cluster. Because this interface is not synchronized, the second block is entered on the other cluster member (for example after connecting to it with ‘execute ha manage’):

config system interface
    edit wan2
        set ip 10.11.101.101/24
        set allowaccess https ping ssh snmp
    next
end

config system interface
    edit wan2
        set ip 10.11.101.102/24
        set allowaccess https ping ssh snmp
    next
end

That’s it. Now you can easily access every single machine in the cluster.

Apple resume

Apple Lion’s new feature “Resume” can be nice, but it can also be very annoying.

Instead of disabling it for all applications, you can get used to closing an application with <cmd>+<alt>+Q. Like this, the application starts clean again after a restart.

‘diagnose sys top’

Fortigate has some very good diagnostics on their firewalls. There is a whole branch of the command tree that starts with

diagnose or short diag

One of the commands often used is

diagnose sys top [refresh] [num of procs]

This command keeps running like the ‘top’ command on Unix-like systems. As options you can specify the refresh time in seconds and the number of processes to be displayed.

The output on a Fortigate looks something like this:

Run Time:  1 days, 11 hours and 5 minutes
0U, 2S, 97I; 440T, 124F, 138KF
          newcli    22601      R       1.1     3.2
            sshd    22593      S       1.1     2.5
          ospf6d       42      S       0.1     0.5
       ipsengine      355      S <     0.0    29.8
          httpsd       81      S       0.0     4.3
         cmdbsvr       20      S       0.0     4.3
          httpsd       90      S       0.0     4.2
          httpsd       40      S       0.0     3.6
           fgfmd       78      S       0.0     3.2
       scanunitd      639      S <     0.0     3.2
          newcli    22597      S       0.0     3.2

While the line ‘Run Time’ is quite obvious, the next line is rather cryptic.

The first part of that line, 0U, 2S, 97I, means:

U – Userspace CPU usage in %

S – CPU usage in % of System processes (Kernel)

I – CPU idle in %

The second part of this line informs about memory usage:

440T – you got a total of 440MB memory

124F – there are still 124MB free memory

138KF – the amount of shared memory pages used

The line ‘newcli 22601 R 1.1 3.2’ tells you:

newcli – the name of the process

22601 – the process ID

R – running; can also be S for sleeping

1.1 – using 1.1% CPU

3.2 – using 3.2% of the memory
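As an added example (not part of the original post), here is a small Python parser for this output format that a monitoring job could run over the captured text, flagging low free memory or a process with unusually high memory use. The sample lines are constructed from the listing above, the column meanings follow the explanation given, and the alert thresholds are assumed values:

```python
import re
from dataclasses import dataclass

# Constructed sample, copied from the 'diagnose sys top' listing shown above.
SAMPLE = """Run Time:  1 days, 11 hours and 5 minutes
0U, 2S, 97I; 440T, 124F, 138KF
          newcli    22601      R       1.1     3.2
            sshd    22593      S       1.1     2.5
           ospf6d       42      S       0.1     0.5
        ipsengine      355      S <     0.0    29.8
          httpsd       81      S       0.0     4.3
"""

# U/S/I = user/system/idle CPU %, T/F = total/free memory MB, KF as described above
SUMMARY_RE = re.compile(r"(\d+)U,\s*(\d+)S,\s*(\d+)I;\s*(\d+)T,\s*(\d+)F,\s*(\d+)KF")
# name  pid  state [<]  cpu%  mem%   (the optional '<' marks a high-priority process)
PROC_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Z])\s*(<)?\s+([\d.]+)\s+([\d.]+)\s*$")

@dataclass
class Proc:
    name: str
    pid: int
    state: str
    high_prio: bool
    cpu: float
    mem: float

def parse_top(text):
    """Return (summary dict, list of Proc) parsed from diagnose sys top output."""
    summary, procs = {}, []
    for line in text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            u, s, i, t, f, kf = map(int, m.groups())
            summary = {"user": u, "system": s, "idle": i,
                       "total_mb": t, "free_mb": f, "kf": kf}
            continue
        m = PROC_RE.match(line)
        if m:
            name, pid, state, prio, cpu, mem = m.groups()
            procs.append(Proc(name, int(pid), state, prio == "<", float(cpu), float(mem)))
    return summary, procs

def check_thresholds(summary, procs, min_free_pct=20.0, max_proc_mem=25.0):
    """Return alert strings for conditions a monitoring job would report (assumed thresholds)."""
    alerts = []
    free_pct = 100.0 * summary["free_mb"] / summary["total_mb"]
    if free_pct < min_free_pct:
        alerts.append(f"free memory {free_pct:.1f}% below {min_free_pct}%")
    for p in procs:
        if p.mem > max_proc_mem:
            alerts.append(f"{p.name} (pid {p.pid}) uses {p.mem}% memory")
    return alerts
```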