Thursday, December 18, 2014

sys diag kill command does not kill processes on a Fortigate

I recently had a Fortigate 1500D become bogged down due to the reporting daemon (reportd) utilizing 100% CPU. I will not go into a lot of detail about diagnosing performance issues, as that is not the topic of this post. Suffice it to say that you'll need to run the following commands to determine which process is misbehaving:

#get sys perf status
#diag sys top
#diag hard sys mem

Typically one would kill and respawn the offending process with the following command, where process_id is obtained via the diag sys top command.

#diag sys kill 11 process_id

Unfortunately, in this case the kill command did not actually kill the process, and a reboot was not an option. Fortunately, I once had a remote session with Fortinet TAC where I saw them using some hitherto unknown (to me) commands. So what follows is an unsupported way to absolutely kill processes dead.

The command we use is fnsysctl. This command gives access to a subset of Linux utilities, like cat, ls, kill, etc. In this case we're interested in the kill command:

#fnsysctl kill -9 process_id

I have never had this command fail to kill a process, although I would recommend only using it as a last resort.
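As an added example (not code from the original post), the following Python script parses the kind of process table that diag sys top prints, flags any process above a CPU threshold, and emits the escalation sequence described above: the supported diag sys kill 11 first, the unsupported fnsysctl kill -9 only as a last resort. The sample output is constructed, and the column layout (name, pid, state, CPU%, memory%) is an assumption drawn from FortiOS 5.x output; check it against your own unit before relying on it.

```python
import re

# Constructed sample of "diag sys top" output. The column order
# (name, pid, state, cpu%, mem%) is assumed from FortiOS 5.x and can
# differ between releases; verify it on your own unit.
SAMPLE_TOP = """\
Run Time:  12 days, 4 hours and 31 minutes
99U, 0N, 1S, 0I; 16256T, 9100F, 640KF
      reportd      152      R      99.2      3.1
      sslvpnd      171      S       0.3      2.0
       newcli     4012      R       0.5      0.6
      miglogd      140      S       0.0      1.2
"""

# One process line: name, pid, state letter(s), cpu%, mem%. Header and
# summary lines do not match this shape and are skipped.
PROCESS_LINE = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Z<]+)\s+([\d.]+)\s+([\d.]+)\s*$")


def parse_top(text):
    """Return the process rows of a diag sys top dump as dicts."""
    procs = []
    for line in text.splitlines():
        match = PROCESS_LINE.match(line)
        if not match:
            continue
        name, pid, state, cpu, mem = match.groups()
        procs.append({"name": name, "pid": int(pid), "state": state,
                      "cpu": float(cpu), "mem": float(mem)})
    return procs


def find_hogs(procs, cpu_threshold=80.0):
    """Processes at or above the CPU threshold, busiest first."""
    hogs = [p for p in procs if p["cpu"] >= cpu_threshold]
    return sorted(hogs, key=lambda p: p["cpu"], reverse=True)


def kill_plan(proc):
    """The escalation order from the post: try the supported signal-11
    kill (the daemon is respawned) before the unsupported fnsysctl kill."""
    return [
        f"diag sys kill 11 {proc['pid']}",
        f"fnsysctl kill -9 {proc['pid']}",
    ]


if __name__ == "__main__":
    for hog in find_hogs(parse_top(SAMPLE_TOP)):
        print(f"{hog['name']} (pid {hog['pid']}) at {hog['cpu']}% CPU; try in order:")
        for command in kill_plan(hog):
            print("  #" + command)
```

Run it against a pasted diag sys top dump; a hog that survives the first command is the case where the fnsysctl fallback applies.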

Happy Hunting!

Monday, December 15, 2014

Fortigate SSL VPN on multiple interfaces

There is a potential issue when setting up SSL VPN to listen on multiple interfaces on FortiOS 5.2.2 (I have not tested earlier versions). When you create the first SSL VPN listener the Fortigate will automatically create a policy to allow SSL VPN traffic. Due to the way the information is presented, one can be excused for thinking the unit will do so for additional listeners as well. The screenshot below shows how it looks when SSL VPN is enabled on multiple interfaces via the GUI:

[screenshot: SSL VPN enabled on multiple interfaces in the GUI]

These are the relevant bits taken from the configuration file:

config vpn ssl settings
    set idle-timeout 900
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "MTN" "MTC"
    set source-address "all"
    set source-address6 "all"
    set default-portal "tunnel-access"
        config authentication-rule
            edit 1
                set source-interface "MTN"
                set source-address "all"
                set groups "VPN"
                set portal "full-access"
            next
        end
end

From the above it is clear that the second listener has been added, but the authentication rule has not been updated to match. The fix is simple: add an additional authentication rule via the CLI:

config vpn ssl settings
        config authentication-rule
            edit 2
                set source-interface "MTC"
                set source-address "all"
                set groups "VPN"
                set portal "full-access"
            next
        end
end

Your SSL VPN clients will now be able to connect on all interfaces specified in the GUI.
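As an added example (not part of the original post), here is a small Python audit that parses a FortiOS config vpn ssl settings block, reports every listening interface that no authentication-rule names, and renders the CLI snippet that adds the missing rule by cloning the settings of an existing rule, as the fix above does. The parser and the sample configuration are my own construction modelled on the snippet above; the assumption that a rule covers only the interfaces it explicitly names is mine.

```python
import shlex

# Constructed sample mirroring the post's snippet: two listening
# interfaces ("MTN" and "MTC") but an authentication rule for only one.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set idle-timeout 900
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "MTN" "MTC"
    set source-address "all"
    set default-portal "tunnel-access"
        config authentication-rule
            edit 1
                set source-interface "MTN"
                set source-address "all"
                set groups "VPN"
                set portal "full-access"
            next
        end
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    Every block is {"set": {key: [values]}, "config": {name: block},
    "edit": {id: block}}. 'next' closes an edit, 'end' closes a config.
    """
    tokens = [shlex.split(line) for line in text.splitlines() if line.strip()]
    pos = 0

    def parse_block():
        nonlocal pos
        node = {"set": {}, "config": {}, "edit": {}}
        while pos < len(tokens):
            words = tokens[pos]
            pos += 1
            keyword = words[0]
            if keyword == "set":
                node["set"][words[1]] = words[2:]
            elif keyword == "unset":
                node["set"].pop(words[1], None)
            elif keyword == "config":
                node["config"][" ".join(words[1:])] = parse_block()
            elif keyword == "edit":
                node["edit"][words[1]] = parse_block()
            elif keyword in ("next", "end"):
                return node
        return node

    return parse_block()


def listeners_without_auth_rule(tree):
    """Listening interfaces that no authentication-rule names.

    Assumption: a rule only covers the interfaces it lists explicitly.
    """
    ssl = tree["config"]["vpn ssl settings"]
    listeners = set(ssl["set"].get("source-interface", []))
    rules = ssl["config"].get("authentication-rule", {"edit": {}})["edit"]
    covered = set()
    for rule in rules.values():
        covered.update(rule["set"].get("source-interface", []))
    return sorted(listeners - covered)


def render_fix(tree, interface, template_id="1"):
    """CLI snippet adding an authentication-rule for `interface`, with
    source-address, groups and portal cloned from an existing rule."""
    rules = tree["config"]["vpn ssl settings"]["config"]["authentication-rule"]["edit"]
    next_id = max(int(rule_id) for rule_id in rules) + 1
    settings = dict(rules[template_id]["set"])
    settings["source-interface"] = [interface]
    lines = ["config vpn ssl settings",
             "    config authentication-rule",
             f"        edit {next_id}"]
    for key, values in settings.items():
        lines.append(f"            set {key} " + " ".join(f'"{v}"' for v in values))
    lines += ["        next", "    end", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    tree = parse_fortios(SAMPLE_CONFIG)
    for iface in listeners_without_auth_rule(tree):
        print(f"listener {iface!r} has no authentication-rule; suggested fix:")
        print(render_fix(tree, iface))
```

Feed it the output of show vpn ssl settings after adding a listener in the GUI; an empty result means every interface in source-interface is matched by a rule, which is the condition the clients on that interface depend on.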