Hatsize Troubleshooting Guide for FortiGate 5.6
Fortinet Technologies Inc.

Fortinet Training: http://www.fortinet.com/training
Fortinet Document Library: http://docs.fortinet.com
Fortinet Knowledge Base: http://kb.fortinet.com
Fortinet Forums: https://forum.fortinet.com
Fortinet Support: https://support.fortinet.com
FortiGuard Labs: http://www.fortiguard.com
Fortinet Network Security Expert Program (NSE): https://www.fortinet.com/support-and-training/training/network-security-expert-program.html
Feedback Email: courseware@fortinet.com

2/14/2018

TABLE OF CONTENTS

Introduction
Who Do I Ask for Support?
    How to Contact Hatsize for Support
    How to Contact Fortinet for Support
How to Restore a VM to Its Initial State
How to Power Cycle a VM
Solutions to Common Problems
    Lab in Use
    No Access to One of the VMs
    Slow Access and/or VM Disconnections
    FortiGate License Problems
    Web Filtering License Status Unavailable
    No Internet Access
    No Access to Remote-FortiGate from Local-Windows

Introduction

This document offers some procedures and basic tips for troubleshooting the most common problems when working with the FortiOS lab environment hosted by Hatsize. It also describes how to escalate problems that you cannot solve by yourself.

The environment covered in this guide is used for the following Fortinet courses:

- FortiGate Security 5.6
- FortiGate Infrastructure 5.6

This document is intended for Fortinet instructors and ATCs who use the lab environments hosted at Hatsize to deliver the courses listed above.

Who Do I Ask for Support?

To get the fastest resolution, use the appropriate support channel. You and your students can quickly resolve many common issues on your own. Try the common solutions in Solutions to Common Problems first. If this does not solve the problem, escalate to Tier 2. Some specific remote problems do require Tier 2 support.
Depending on the type of issue as shown below, the best Tier 2 escalation team to contact is either Hatsize support or Fortinet's Courseware team.

Figure 1 - Support Flow

How to Contact Hatsize for Support

To contact Hatsize about issues with the remote lab environment, such as VMs not starting or disconnecting, use the Support button in the remote lab portal. Optionally, send an email to: fortinetsupport@hatsize.com

Include this information:

- Number of students with the problem
- Hatsize username and password of the student having the problem. If the problem is happening with more than one student, provide credentials for only one of them.
- System checker results
- Solutions already attempted

How to Contact Fortinet for Support

To contact Fortinet about issues with the VM configurations or licensing, email: courseware@fortinet.com

Include this information:

- Instructor contact information, including phone number and email
- Name of the Fortinet course. Example: FortiGate Security, FortiGate Infrastructure
- Name of the Hatsize course (or event), as listed in the Hatsize portal
- Number of students with the problem
- Hatsize username and password of the student having the problem. If the problem is happening with more than one student, provide credentials for only one of them.
- Solutions already attempted

How to Restore a VM to Its Initial State

Some lab issues can be solved most quickly by restoring a virtual machine (VM) to its initial state.

To restore a VM to its initial state

1. From the Lab Overview dashboard, in the VM's widget, select System > Revert to Initial State. The remote lab restores the VM's initial snapshot, and reboots using the initial configuration.
2. Wait up to five minutes for the VM to reboot.
   You should be able to connect to the VM again after the reboot has successfully completed.

Do not reboot multiple VMs simultaneously, as it might cause CPU spikes in the host servers, creating delays and disconnections.

How to Power Cycle a VM

Some lab issues can be solved most quickly by restarting a VM.

To power cycle a VM

1. From the Lab Overview dashboard, in the VM's widget, select System > Power Cycle.
2. Wait up to five minutes for the VM to reboot. You should be able to connect to the VM again after the reboot has successfully completed.

Do not reboot multiple VMs simultaneously, as it might cause CPU spikes in the host servers, creating delays and disconnections.

Solutions to Common Problems

This section includes solutions to common problems.

Lab in Use

Complete the following procedure if the lab shows it is currently in use.

To resolve a Lab in Use issue

1. Check that another student is not logged in using the same account.
2. Wait a few minutes. The server might take some time to make the lab available again after the other student has disconnected.
3. As an instructor, you can also disconnect the user yourself by going back to the Training Schedule page:
   a. Select View Class Info for the course.
   b. Click Disconnect User beside the user experiencing the issue.
4. Clear the browser cache and restart the browser.
5. Try a different browser (Firefox is recommended).
6. If the problem persists, contact Fortinet for support.

No Access to One of the VMs

Complete the following procedure if the lab shows a connection error.

To resolve a connection error

1. The VM might be rebooting. Wait a few minutes and try again.
2. Clear the browser cache and restart the browser.
3. Try a different browser (Firefox is recommended).
4. Power cycle the VM from the Lab Overview dashboard.
5. Restore the VM to its initial state from the Lab Overview dashboard.
6. If the problem persists, contact Hatsize for support.

Slow Access and/or VM Disconnections

Complete the following procedure if the lab access is slow or you are experiencing VM disconnections.

To resolve slow access and/or VM disconnections

1. Check that the student's computer is connected via Ethernet cable, not wireless. Wi-Fi and mobile connections are usually not reliable and fast enough. The Course Descriptions document contains system requirements that specifically mention this.
2. Close any unnecessary applications running in the background of the student's computer, and make sure that software does not interfere with the connection to the lab, especially any antivirus or host firewall software such as FortiClient.
3. Check that the student is connecting to the Internet using a low-latency broadband connection. To test the Internet connection to Hatsize, run a continuous ping to one of the following IP addresses (depending on your geographical location):

   Location                        IP Address
   Americas                        207.228.103.178
   Europe / Middle East / Africa   89.202.107.2
   Asia / Pacific                  27.111.210.161

   There should be 0.05% packet loss or less. Average total latency should be around 80 msec or lower. Minimum and maximum latencies should be very close for all packets (that is, low jitter). If it is not, ask the local network administrator. They may need to examine routers and switches on the LAN, or contact the ISP. If the ISP does not have a good connection to the Internet backbone, switch to another location with a good ISP if possible.
4. Follow the steps in the Lab Guide to run the system checker, which tests software compatibility and connection speed and latency.
   - If the connection from your local network to the remote lab gateway is poor or the software is incompatible, contact your local network administrator.
   - If the system checker reports that your connection is good, but you are still experiencing slow VMs or VM disconnections, contact Hatsize for support.

FortiGate License Problems

Do not upload licenses. They are built into the lab. If you upload your own licenses, FortiManager will not be able to validate them. This license validation failure will lock the FortiGate VMs.

In each student lab environment, a FortiManager is acting as a local FortiGuard server. The FortiManager validates the FortiGate licenses and replies to web filtering rating requests coming from the FortiGate devices. FortiManager is configured in "closed network mode", providing FortiGuard services to local FortiGates without requiring Internet access.

When you begin the lab, licenses should show as valid, indicated by the Licenses and Virtual Machine widgets on the FortiOS dashboard.

If either the license or registration status shows as Invalid, Unreachable, or Duplicated, complete the following procedure.

To resolve FortiGate license issues

1. If the license problem is with Local-FortiGate, restore the initial states for these VMs:
   - Local-FortiGate
   - FortiManager
2. If the license problem is with Remote-FortiGate, restore the initial states for these VMs:
   - Remote-FortiGate
   - FortiManager
   - Linux

If you need to restore FortiManager to the initial state, only do so once, as it is the same FortiManager serving license requirements for both FortiGate devices in the lab.

Web Filtering License Status Unavailable

This is expected when the FortiGate does not have any firewall policy using a web filtering profile. So for most labs, and as the initial state of your lab, it is normal.
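For the continuous ping test in Slow Access and/or VM Disconnections, the following added example (not part of the Hatsize or Fortinet material) checks a Linux or macOS ping summary against the guide's limits of 0.05% packet loss and 80 msec average latency. The 20 ms limit on the gap between minimum and maximum latency, the function name, and the sample summaries are assumptions made for illustration; the guide only says the two values should be very close.

```python
import re

# Limits stated in the guide.
MAX_LOSS_PCT = 0.05
MAX_AVG_MS = 80.0
# Assumption: the guide gives no number for "very close" min/max latency.
MAX_SPREAD_MS = 20.0
# One lost probe stays within 0.05% only from 2000 probes up (100 / 0.05).
MIN_PROBES = 2000

COUNTS = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")
RTT = re.compile(r"min/avg/max/\w+ = ([\d.]+)/([\d.]+)/([\d.]+)/[\d.]+ ms")

def assess_ping(summary):
    """Return a list of problems found in a Linux/macOS ping summary ([] = OK)."""
    counts = COUNTS.search(summary)
    if not counts:
        raise ValueError("no 'packets transmitted' line found")
    sent, received = int(counts.group(1)), int(counts.group(2))
    if sent == 0:
        raise ValueError("no probes were sent")
    problems = []
    loss_pct = 100.0 * (sent - received) / sent
    if loss_pct > MAX_LOSS_PCT:
        problems.append(f"packet loss {loss_pct:.3f}% exceeds {MAX_LOSS_PCT}%")
    elif sent < MIN_PROBES:
        problems.append(f"only {sent} probes; need {MIN_PROBES} to measure {MAX_LOSS_PCT}% loss")
    rtt = RTT.search(summary)
    if not rtt:  # ping prints no rtt line when every probe was lost
        problems.append("no round-trip statistics (no replies received)")
        return problems
    rtt_min, rtt_avg, rtt_max = (float(v) for v in rtt.groups())
    if rtt_avg > MAX_AVG_MS:
        problems.append(f"average latency {rtt_avg:.1f} ms exceeds {MAX_AVG_MS} ms")
    if rtt_max - rtt_min > MAX_SPREAD_MS:
        problems.append(f"latency spread {rtt_max - rtt_min:.1f} ms exceeds {MAX_SPREAD_MS} ms")
    return problems

# Constructed sample summaries (not captured from a real lab session).
GOOD = """--- 207.228.103.178 ping statistics ---
4000 packets transmitted, 4000 received, 0% packet loss, time 4005012ms
rtt min/avg/max/mdev = 41.210/43.871/52.604/1.932 ms"""
LOSSY = """--- 89.202.107.2 ping statistics ---
2000 packets transmitted, 1990 received, 0.5% packet loss, time 2003110ms
rtt min/avg/max/mdev = 60.112/95.430/310.907/40.221 ms"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("LOSSY", LOSSY)):
        print(name, assess_ping(text) or "meets the guide's thresholds")
```

At 0.05%, a single lost packet is only within the limit once at least 2,000 probes have been sent, which is why the test calls for a continuous ping rather than a handful of packets.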
To refresh the web filter license status

1. On the Local-Windows VM, log in to the Local-FortiGate GUI at 10.0.1.254 as admin and leave the password field empty.
2. Click System > FortiGuard.
3. Scroll to the bottom of the page, and then, next to Filtering Services Availability, click Check Again to force an update.
4. Click OK to confirm. You should see a confirmation message indicating that the web filtering service is available.

No Internet Access

Complete the following to resolve Internet access issues.

To resolve Internet access issues

1. Check the Internet access from the Linux VM:
   a. Log in to the Linux VM using the username student with the password password.
   b. Right-click anywhere on the desktop, and select Open Terminal to open a terminal window.
   c. Type the following command to test the Internet access:
         ping 4.2.2.1
   d. If there is no Internet access, restore the Linux VM to its initial state and repeat the test. If the problem persists, contact Hatsize for assistance.
2. Check the DNS and Internet access from the Local-Windows VM:
   a. Open a command prompt window and execute the following command:
         ping www.fortinet.com
   b. If there is no Internet or DNS access, from the Local-FortiGate GUI, restore the configuration backup located inside the following folder:
         Resources\initial-lab-environment-configs\local-initial.conf
   c. If the problem persists, restore the Local-FortiGate, Local-Windows, and Linux VMs to their initial states.

No Access to Remote-FortiGate from Local-Windows

Complete the following to resolve access issues between Remote-FortiGate and Local-Windows.

To resolve access to Remote-FortiGate from Local-Windows

1. Check connectivity from the Local-Windows VM to the Linux VM that is acting as a router:
   a. From the Local-Windows VM, execute the following command at the command prompt:
         ping 10.200.1.254
   b. If there is no access, from the Local-FortiGate GUI, restore the configuration backup file located inside the following folder:
         Resources\initial-lab-environment-configs\local-initial.conf
2. Check connectivity from the Linux VM to the Remote-FortiGate:
   a. Log in to the Linux VM using the username student with the password password.
   b. Right-click anywhere on the desktop, and select Open Terminal to open a terminal window.
   c. Type the following command to test connectivity to the Remote-FortiGate:
         ping 10.200.3.1
   d. If there is no reply, restore the Remote-FortiGate to its initial state.
   e. If the problem persists, restore the Linux VM to its initial state.
3. Check the connectivity from Local-Windows to the Remote-FortiGate:
   a. From the Local-Windows VM, execute the following command at the command prompt:
         ping 10.200.3.1
   b. If there is no access, from the Local-FortiGate GUI, restore the configuration backup file located inside the following folder:
         Resources\initial-lab-environment-configs\local-initial.conf
   c. If the problem persists, restore the Linux VMs to their initial state.

No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet Inc., as stipulated by the United States Copyright Act of 1976.

Copyright © 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.