Posts

EIGRP ROUTE FILTERING METHODS

EIGRP Route Filtering
- Distribute lists: Access list, Prefix list
- Administrative Distance
- Passive Interface

EIGRP-specific Route Filtering
- Distribute Lists with Route-Maps
- Route Tag Enhancements
- Per Neighbor Prefix Limits

EIGRP is a distance-vector IGP. We can apply route filtering anywhere we want in the topology.

FortiGate-100D: EXT2-fs(sdb1):previous I/O error to superblock detected

This applies when you face kernel errors after something like the firewall rebooting automatically or an accidental power supply outage, and all the LAN interfaces on the firewall shut down as a result.

Problem:
The errors will look like this:

    EXT2-fs(sdb1):previous I/O error to superblock detected.
    EXT2-fs(sdb1):previous I/O error to superblock detected.
    EXT2-fs(sdb1):previous I/O error to superblock detected.

Troubleshooting Commands:

1) Try to get the debug logs:
   https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-download-debug-log-file-at-different/ta-p/193211

2) Get the result details:

    # get hardware status
    # get system status
    # get system performance status
    # diagnose sys flash list
    # diagnose autoupdate status
    # diagnose autoupdate versions
    # diag debug crashlog read
    # diagnose hardware sysinfo memory
    # diagnose hardware sysinfo shm
    # diagnose hardware sysinfo slab
    # diagnose debug crashlog read
    # diagnose hardware deviceinfo disk
    # diagnose sys session stat

Resolution: The issue is res...

Ether Channel

Layer 2 Ether Channel

1) Static EtherChannel

    SW(config-if-range)#channel-group 1 mode on

- Both switches have to be configured using ON/ON
- No negotiation
- Interface type must be the same (ethernet/giga)
- Speed and duplex must be the same (full/half)

2) LACP - Multi-vendor

- Both switches must be Active/Active or Active/Passive

    SW(config-if-range)#channel-group 1 mode active

3) PAgP - Cisco proprietary

- Both switches must be Desirable (initiate)/Auto (response) or Disable/Disable

    SW(config-if-range)#channel-group 1 mode desirable

Layer 3 Ether Channel

- Assign the IP address to the port channel group.

    SW(config-if-range)#no switchport
    SW(config-if-range)#channel-group 1 mode on
    SW(config-if-range)#int po1
    SW(config-if)#ip add 10.10.10.1 255.255.255.252

Check the Cisco device MAC address and IP address

To check the Cisco device MAC address and IP address:

    C2960#sh mac address-table interface gi1/0/3

and

    C2960#sh mac address-table address 2894.0f64.0340
              Mac Address Table
    -------------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
     413    2894.0f64.0340    DYNAMIC     Gi1/0/3

    =========================================================

    C2960#sh ip arp 2894.0f64.0340
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  191.65.230.30          154   2894.0f64.0340  ARPA   Vlan413

Downgrade from FortiGate Firewall Firmware Version 7.0.5 to 7.0.4

Downgrade from 7.0.5 to 7.0.4

Requirement: You must have a backup.

    FortiGate# diag sys flash list

In here: Image 304 is Version 7.0.7 and Image 301 is Version 7.0.4.

    FortiGate# exec set-next-reboot primary

It will change to "Active-Yes".

Downgrade Firmware Scenario-2

Version 6.4.7 Version 7.0.5 Version 7.2.0

Requirement: A config backup taken on 6.4.7 is needed.

1) Pre-download the firmware version from the support portal.
2) Directly downgrade it from the GUI to firmware version 6.4.7.
3) After the downgrade, completely wipe the config using
4) FortiGate # exec factoryreset > Yes.
5) Restore the config backup taken on version 6.4.7.

Change the email alert interval from 15 mins to 60 mins in FortiGate Firewall

To change the email alert interval from 15 mins to 60 mins in FortiGate Firewall:

1. View the current setting:

    FW100F# config alertemail setting
    FW100F(setting) # show
    config alertemail setting
        set username "myo@photostrikers.com"
        set mailto1 "myo@photostrikers.com"
        set email-interval 15
        set HA-logs enable
        set antivirus-logs enable
        set violation-traffic-logs enable
        set FDS-license-expiring-warning enable
        set FDS-license-expiring-days 7
    end

2. Edit the email-interval setting:

    FW100F#config alertemail setting
    FW100F(setting)#set email-interval 60
    FW100F(setting)#end

FortiGate HA Sync Issues

Get the output of the following commands on both the Primary and Secondary firewalls.

1. Connect via PuTTY or the CLI
    - get system ha status
    - get system status
    - diag system ha history read
    - diag debug crashlog read | grep 2022
    - config system ha
    - show full

2. Running Debug
    - diag debug reset
    - diag debug application hasync -1
    - diag debug application hatalk -1
    - diag debug console timestamp enable
    - diag debug enable

Note: Keep the debug running for 20-30 mins to produce the output.

3. To stop debug:
    - diag debug disable

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-HA-synchronization-issue-cluster-out-of-sync/ta-p/193422