This is how it works:

config firewall interface-policy6
    edit 1
        set interface "port5"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set service6 "HTTP"
        set ips-sensor-status enable
        set ips-sensor "WEB-ips"
    next
end

Like that you create a sensor per interface and not per policy. Much better then nothing, right?

You can specify a general prefix on a device. If you need to change the address, you have to change the global prefix only, and all addresses got the new prefix on this device.

On cisco devices it is:

ipv6 general-prefix PROD 2001:DB8:1234::/48
!
interface Vlan1
 description Management Network
 ipv6 address PROD ::1:0:0:0:2E1/64
 ipv6 enable
!
interface Vlan2
 description Management Network
 ipv6 address PROD ::2:0:0:0:FF/64
 ipv6 enable
!

Now you change the address of the generel-prefix PROD and all your IP addresses on this device are changed.

This is a nice feature.

Like that you can assign an IP address to an interface, which is not synchronized. Every machine got it’s own IP address. This is very helpful, if you got virtual clusters with different masters. It also helps to monitor the CPU and memory of a subordinate device.

Again, there is much more you can do on the command line, then on the guy:

First you activate the feature:

config system ha
     set ha-mgmt-status enable
     set ha-mgmt-interface wan2
     set ha-mgmt-interface-gateway 10.11.101.100
end

Then you assign an individual IP address to every node in the cluster:

config system interface
	edit wan2
	set ip 10.11.101.101/24
	set allow access https ping ssh snmp
end

config system interface
	edit wan2
	set ip 10.11.101.102/24
	set allow access https ping ssh snmp
end

That’s it. Now you can easily access every single machine in the cluster.

Instead of disabling it for all applications, you can get used to close an application with <cmd>+<alt>+Q. Like this, the application starts clean again after a restart.

diagnose or short diag

On of the commands often used is

diagnose sys top [refresh] [num of procs]

This command keeps running like the ‘top’ command on Unix like systems. As options you can specify the refresh time in seconds and the number of processes to be displayed.

The output on Fortinet is something like:

Run Time:  1 days, 11 hours and 5 minutes
0U, 2S, 97I; 440T, 124F, 138KF
          newcli    22601      R       1.1     3.2
            sshd    22593      S       1.1     2.5
          ospf6d       42      S       0.1     0.5
       ipsengine      355      S <     0.0    29.8
          httpsd       81      S       0.0     4.3
         cmdbsvr       20      S       0.0     4.3
          httpsd       90      S       0.0     4.2
          httpsd       40      S       0.0     3.6
           fgfmd       78      S       0.0     3.2
       scanunitd      639      S <     0.0     3.2
          newcli    22597      S       0.0     3.2

While the line ‘Run Time’ is quite obvious, the next line is quite cryptic.

The next line, with 0U, 2S, 97I … means

U – Userspace CPU usage in %

S – CPU usage in % of System processes (Kernel)

I – CPU idle in %

The second part of this line informs about memory usage:

440T – you got a total of 440MB memory

124F – there are still 124MB free memory

138KF – the amount of shared memory pages used

The line ‘newcli 22601 R 1.1 3.2‘ tells you:

newcli – the name of the process

22601 – the process ID

R – Running, can also be S like sleeping

1.1 – using 1.1% CPU

3.2 – using 3.2% of the memory

ipv6 unicast-routing
interface tunnel0
  description IPv6 uplink to SixXS
  no ip address
  ipv6 enable
  ipv6 nd suppress-ra (<12.4)
  ipv6 nd ra suppress (>=12.4)
  ipv6 address [Your IPv6 Endpoint]/[Prefix Length]
  ipv6 mtu 1280 (or other MTU value)
  tunnel source [Your IPv4 Endpoint]
  tunnel destination [PoP IPv4 Endpoint]
  tunnel mode ipv6ip
!
ipv6 route 2000::/3 [PoP IPv6 Endpoint]

In Terminal edit the file /etc/sysctl.conf

sudo vi /etc/sysctl.conf

Don’t worry if the file does not exist, and add the following line:

net.inet6.ip6.use_tempaddr=1

Reboot your Mac. Now your Mac generates at least with every restart a temporary address.

The configuration on the Fortigate for the sit-tunnel looks like this:

config system sit-tunnel
edit "sixxs-tun"
    set destination 12.34.56.78
    set interface wan1
    set ip6 2001:dead:babe:c5::2/64
    set source 98.76.54.32
end
config system interface
edit "sixxs-tun"
    config ipv6
        set ip6-allowaccess ping
    end
end
config router static6
edit 1
    set device "sixxs-tun"
end

The IP address 12.34.56.78 is the remote tunnel address of your POP.

The IP address 98.76.54.32 is the IP address of your external IPv4 interface.

The IP address 2001:dead:babe:c5::2/64 is the IPv6 address, you got from your tunnel provider.

Now you can use the interface sixxs-tun as your IPv6 connection and gateway.

dscacheutil -flushcache

Now you could search and download some Terminal Software. But it is much easier. Use screen. screen is already built in. You have nothing to compile, nothing to add, just use it like this:

screen /dev/tty.Keyserial1 9600

When you finished your work just close screen with “ctrl-a k“.