Frequently Answered Questions (FAQ)

Questions come in to the Technical Documentation Team all of the time. Some are comments on the websites and some are sent to the techdocs@fortinet.com email address. Some of them find their way to us through less direct methods. As you can imagine, occasionally some of them are similar or at the very least show a trend. Rather than write repeated emails on these topics, we are building a Frequently Answered Questions page to collect some of the information that doesn’t really fit the format of a recipe.



Technical Documentation Team

Should I contact the Technical Documentation Team about my technical issue?

The two primary ways of contacting the Technical Documentation Team directly are through the Comments sections on the websites and the techdocs@fortinet.com email address. Both of these are intended primarily for asking questions or giving feedback about the documentation itself.

Troubleshooting a specific issue is something that is more effectively done by the Technical Assistance Center. They have the proper tools and the practical experience to deal with real-world situations in a timely fashion. If you are unsure about how to work with support, detailed information can be found here.


Can you recommend a product for…?

Our default stance on making recommendations about third party products is that we try not to do it. There are a few reasons for this:

  • The vendors that we don’t recommend get upset with us.
  • We are a team of writers. Our duties do not leave us enough time to be familiar with a significant enough portion of third party products to recommend any one over the other.
  • If we did have a preference for a particular product, it would be due to our own set of circumstances and variables.

There is a caveat to this policy. We will occasionally use a third party product in the making of documentation. There are a number of possible reasons that we could have chosen that particular product:

  • Whenever possible, we try to use products that we believe are in common usage; hopefully so common that they are considered something of an industry standard.
  • At the time of making the documentation, it might have been the product that we had access to. This is not intended as a recommendation.

Documentation Websites

Can I get a hardcopy version of the Fortinet Cookbook / FortiOS Handbook?

We do not currently provide hardcopy versions of the current content of our websites. At one time, hardcopy versions of the cookbook and the FortiOS handbook were available. These were provided through lulu.com and you may even find some of our old documents there still. However, whether it was due to the frequency of online content updates or maybe hardcopy books just fell out of favour, the service wasn’t popular enough to warrant continuing it.

Why aren’t there manuals for specific models?

There are Quick Start Guides (QSG) for specific models of devices, but these tend to focus on the physical differences between the devices, not the operating system that is used to configure them. The QSGs are found on the Fortinet Docs website under the Hardware tab. For instance, the QSG for FortiGates/FortiOS can be found here.

All of the models of a particular type of Fortinet device have a similar feature set. The most fundamental difference between any two models of a device is the version of the firmware that is installed. Once you know the firmware version, you can look up the administration guides or handbooks, which are divided by firmware version on the docs website, or you can search by topic and firmware version on the Cookbook website.

It is true that some models will not have all of the possible features due to things like resource limitations on the device, but whether or not a model has a feature can be looked up on the Feature Matrix. As an example, the Feature Matrix for FortiGates running 5.2.4 can be found here.

Why isn’t there more information on what the output from the Diagnose wiki website means?

The Diagnose wiki site is one that is perpetually in a sort of “beta” status. The commands are not intended to be part of official public documentation because they are intended for TAC and Development personnel rather than end users. A number of the commands are commonly used by TAC personnel with customers, so over time there is an awareness of them. Rather than have users try to use the commands based solely on memory and potentially cause a serious issue by entering an unintended command or the wrong syntax, the wiki was set up as a very basic reference source for the people that commonly use the commands.

As stated before, the commands are intended to be used by TAC and Development, so they can be less static than other CLI commands and can change without notice. This is why the site is essentially “use at your own risk” information. Some of the commands and the information they generate are only useful for developers. The rest of the commands are intended to be used by TAC personnel.

There are a few reasons that the site may not contain in-depth information on each of the commands:

  • To give an in-depth meaning to all of the possible outputs would require what would in essence be an entire course and library on networking and the protocols used in firewalls and networking.
  • There are outputs that will need to be interpreted based on the context of the environment and the configurations of the devices in question.
  • Because a lot of the commands are created by Development for Development, the output of a command and its meaning can be changed without warning.
  • Beyond the basic listing of commands and their syntax, the site is primarily updated by users.
  • At its core, the diagnose command structure is intended to be used by people that already know what the outputs mean and the wiki is just a “cheat sheet” to list the commands.

If you need assistance in troubleshooting something or need interpretation of some specific output, the best option is to contact TAC.

Why isn’t my unit listed on the Product Life Cycle Page?

The Product Life Cycle page is often used and recommended to see if a device is still supported and what is the latest firmware that can be installed on it. People with newer devices will notice that their specific model may not be on the list.

Product Life Cycle - FortiGates

Currently, devices don’t get put on the list until a firm End of Sale date has been determined. Fortinet policy specifies that the devices can be purchased for another 90 days after the End of Sale date announcement has been made. But once the announcement is made, the other life cycle milestones also start getting set. So chances are that if you do see your device on the Product Life Cycle page, even if it is still supported, it is one of the older models that is no longer for sale or soon will not be.

This may leave some people at loose ends trying to figure out a way to determine if their device is still supported or what the most current firmware they can install is.

Is the device still supported?

If the device is not on the list, it means that it is still available for sale and therefore still supported.

What’s the latest version of the firmware that can be installed?

The Product Life Cycle page can still be of use.

  1. Go to the Product Life Cycle page
  2. Select the Software tab at the top of the page
  3. Scroll down to the Firmware that you will be installing; for example: FortiOS
  4. After the listing of the version numbers and their corresponding Life Cycle dates there are some paragraphs detailing which models support the various firmware versions

If that doesn’t work, there is the more tedious method of going to the individual firmware download pages and seeing if the firmware for the specific model is listed.

I normally narrow my search by first checking the initial firmware for each version, and once I find a version that doesn’t support the model, I check the last build of the previous version and work backwards.

Example:

Looking for the latest firmware for the FortiGate 80C

  • Check 5.0.0 – Listed
  • Check 5.2.0 – Listed
  • Check 5.4.0 – Not listed
  • Check 5.2.8 – Listed

I can plan for upgrades to 5.2.x. Unless something out of the ordinary happens, if the model is supported for the initial release of a firmware version, it will continue to be supported for that version.

Are all comments on the site published?

A post was made on this subject, so rather than duplicate effort, a link to the post is provided.

Comment Policy


Interfaces

I entered a diagnostic command in the CLI, but it won’t stop outputting information or seems to be stuck in a process. How do I get it to stop outputting information?

Diagnostic commands should be used under the supervision of TAC personnel or by experienced users who know what to expect from the commands. If you have inadvertently entered a command that is continually outputting information or seems to be stuck in a process, in most cases the hotkey combination Ctrl+C will stop the process and allow you to start inputting commands again.


Blocking Traffic

How do I block [students|employees] from using a [Security|Privacy|VPN] service to bypass the firewall policies to reach banned sites?

Most of the services that promote being able to securely and privately access content online use a proxy technology of some kind. If you are trying to block someone from accessing banned-site.com, the firewall doesn’t catch the traffic because, as far as the firewall knows, that’s not where the traffic is headed. The traffic bypasses the firewall policies that block access to the website by going to a proxy server, which sets up a session to banned-site.com on behalf of the user. The user’s traffic is never actually going directly to or from banned-site.com.

The solution is not to block the destination, but the application being used to circumvent the blocking of the destination. This can be done using Application Control profiles. With Application Control profiles, you can block the use of some specific services or you can use the category option to block proxy services in general.

One of the more well known of these services is called Ultrasurf. We have some more detailed information on it located here. As an example of the specifics on how to block Ultrasurf, there is a recipe located here. Just use the signature of the proxy services that you want to block. If you are looking for even more information on how Application Control works, you can find it in the Application Control chapter of the Security Profiles Chapter of the FortiOS Administration Guide for whichever firmware version you are using.
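As an added illustration of the category option described above (this is not the Fortinet recipe or code from this page), the following FortiOS CLI sketch defines an Application Control sensor that blocks the Proxy category and attaches it to a firewall policy. The sensor name block-proxy, the policy ID 1 and the category ID 6 for Proxy are assumptions; the exact syntax varies by firmware version, so confirm the category ID with "set category ?" on your unit.

```text
# Added example: sensor name, policy ID and category ID are assumptions.
# Application Control sensor that blocks the whole Proxy category.
config application list
    edit "block-proxy"
        set comment "Block proxy and circumvention applications"
        config entries
            edit 1
                # 6 is assumed to be the Proxy category ID;
                # list the valid IDs with: set category ?
                set category 6
                set action block
            next
        end
    next
end

# Attach the sensor to the policy that carries the users' outbound traffic.
config firewall policy
    edit 1
        set utm-status enable
        set application-list "block-proxy"
    next
end
```

To block only specific services instead of the whole category, the entry would reference the individual application signatures, as the Ultrasurf recipe mentioned above does.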

 

Modems

How do I know if my modem is compatible?

There are actually two compatibility matrices, one for the FortiGate and the second for the FortiExtender. These may not contain the same modems so check the correct one for your situation.

A list of compatible modems can also be found on the FortiGate itself. If it hasn’t already been done, make sure that the FortiGate has the modem interface enabled by entering the CLI commands:

config system modem
    set status enable
end

You may need to log out of the FortiGate and log back in to see the modem configuration page. Depending on the version of FortiOS, it could be at:

System > Network > Modem

Or

Network > Modem

In the Modem configuration window you can get the list by:

  1. Selecting [Configure Modem]
  2. Expanding the list of Supported FortiGate Modems

How can I get a modem added to the Modem Compatibility Matrix?

Getting a new modem added to the compatibility matrix requires a New Feature Request (NFR). This can be done either by submitting a ticket through TAC or making a request to a Sales Engineer (SE).

What do I do if I can’t find a modem on the Modem Compatibility Matrix?

Here are a few links to check out if you want to try connecting a modem not on the matrix:

Upgrades

I have upgraded from X directly to Y on a FortiGate. Is this OK? If this is not OK, what should I do next?

Assuming that going from build X to build Y is not OK according to the upgrade path, there may be some mitigating factors. If it is a new device, depending on how many changes you made to the configuration file after the initial install and before the upgrade, the impact could be minimal. One of the purposes of the upgrade path is to make sure that there are no compatibility errors or conflicts between the configuration file and the firmware. A background aspect of the upgrade process is making changes to the configuration file based on the changes to the firmware between versions. If one of these changes is missed, there could be an issue later on when you start using a feature that has the wrong syntax in the configuration file, or when the configuration refers to a command that has changed or is no longer there. Regardless of the immediate impact, in order to prevent possible impact later, the second part of the question comes into play.

What to do next? If it is a new device, the simplest approach is to execute factoryreset in the CLI to make sure that there is a clean configuration file. Then proceed with configuring the device as normal. If this is a device that has been around for a long time and there are numerous configuration settings, make a copy of the config file and, after the factory reset, manually enter the configurations. You can use the GUI to introduce the settings one by one, or you could use some of the CLI techniques found in this post: http://cookbook.fortinet.com/transferring-configuration-file-one-model-another/.