Uploaded by andresojeda

Hatsize-Troubleshooting-Guide-FGT-5.6

Hatsize Troubleshooting Guide
for FortiGate 5.6
Fortinet Training
http://www.fortinet.com/training
Fortinet Document Library
http://docs.fortinet.com
Fortinet Knowledge Base
http://kb.fortinet.com
Fortinet Forums
https://forum.fortinet.com
Fortinet Support
https://support.fortinet.com
FortiGuard Labs
http://www.fortiguard.com
Fortinet Network Security Expert Program (NSE)
https://www.fortinet.com/support-and-training/training/network-security-expert-program.html
Feedback
Email: [email protected]
2/14/2018
TABLE OF CONTENTS
Introduction
Who Do I Ask for Support?
How to Contact Hatsize for Support
How to Contact Fortinet for Support
How to Restore a VM to Its Initial State
How to Power Cycle a VM
Solutions to Common Problems
Lab in Use
No Access to One of the VMs
Slow Access and/or VM Disconnections
FortiGate License Problems
Web Filtering License Status Unavailable
No Internet Access
No Access to Remote-FortiGate from Local-Windows
Introduction
This document offers some procedures and basic tips for troubleshooting the most common problems when
working with the FortiOS lab environment hosted by Hatsize. It also describes how to escalate problems that you
cannot solve by yourself.
The environment covered in this guide is used for the following Fortinet courses:
• FortiGate Security 5.6
• FortiGate Infrastructure 5.6
This document is intended for Fortinet instructors and ATCs that use the lab environments hosted at Hatsize to
deliver the courses listed above.
Hatsize Troubleshooting Guide for FortiGate 5.6
Fortinet Technologies Inc.
Who Do I Ask for Support?
To get the fastest resolution, use the appropriate support channel.
You and your students can quickly resolve many common issues on your own. Try common solutions
in Solutions to Common Problems on page 9 first. If this does not solve the problem, escalate to Tier 2. Some
specific remote problems do require Tier 2 support.
Depending on the type of issue as shown below, the best Tier 2 escalation team to contact is either Hatsize
support or Fortinet's Courseware team.
Figure 1 - Support Flow
How to Contact Hatsize for Support
To contact Hatsize about issues with the remote lab environment, such as VMs not starting or disconnecting, use
the Support button in the remote lab portal. Optionally, send an email to:
[email protected]
Include this information:
• Number of students with the problem
• Hatsize username and password of the student having the problem. If the problem is happening with more than one
  student, provide credentials for only one of them.
• System checker results
• Solutions already attempted
How to Contact Fortinet for Support
To contact Fortinet about issues with the VM configurations or licensing, email:
[email protected]
Include this information:
• Instructor contact information, including phone number and email
• Name of the Fortinet course
  Example: FortiGate Security, FortiGate Infrastructure
• Name of the Hatsize course (or event), as listed in the Hatsize portal:
• Number of students with the problem
• Hatsize username and password of the student having the problem. If the problem is happening with more than one
  student, provide credentials for only one of them.
• Solutions already attempted
How to Restore a VM to Its Initial State
Some lab issues can be solved most quickly by restoring a virtual machine (VM) to its initial state.
To restore a VM to its initial state
1. From the Lab Overview dashboard, in the VM's widget, select System > Revert to Initial State.
The remote lab restores the VM's initial snapshot, and reboots using the initial configuration.
2. Wait up to five minutes for the VM to reboot.
You should be able to connect to the VM again after the reboot has successfully completed.
Do not reboot multiple VMs simultaneously, as it might cause CPU spikes in the host
servers, creating delays and disconnections.
How to Power Cycle a VM
Some lab issues can be solved most quickly by restarting a VM.
To power cycle a VM
1. From the Lab Overview dashboard, in the VM's widget, select System > Power Cycle.
2. Wait up to five minutes for the VM to reboot.
You should be able to connect to the VM again after the reboot has successfully completed.
Do not reboot multiple VMs simultaneously, as it might cause CPU spikes in the host
servers, creating delays and disconnections.
Solutions to Common Problems
This section includes solutions to common problems.
Lab in Use
Complete the following procedure if the lab shows it is currently in use.
To resolve a Lab in Use issue
1. Check that another student is not logged in using the same account.
2. Wait a few minutes.
The server might take some time to make the lab available again after the other student has disconnected.
3. As an instructor, you can also disconnect the user yourself by going back to the Training Schedule page:
a. Select View Class Info for the course.
b. Click Disconnect User beside the user experiencing the issue.
4. Clear the browser cache and restart the browser.
5. Try a different browser (Firefox is recommended).
6. If the problem persists, contact Fortinet for support.
No Access to One of the VMs
Complete the following procedure if the lab shows a connection error.
To resolve a connection error
1. The VM might be rebooting. Wait a few minutes and try again.
2. Clear the browser cache and restart the browser.
3. Try a different browser (Firefox is recommended).
4. Power cycle the VM from the Lab Overview dashboard.
5. Restore the VM to its initial state from the Lab Overview dashboard.
6. If the problem persists, contact Hatsize for support.
Slow Access and/or VM Disconnections
Complete the following procedure if the lab access is slow or you are experiencing VM disconnections.
To resolve slow access and/or VM disconnections
1. Check that the student's computer is connected via Ethernet cable, not wireless.
Wi-Fi and mobile connections are usually not reliable and fast enough. The Course Descriptions document
contains system requirements that specifically mention this.
2. Close any unnecessary applications running in the background of the student's computer, and make sure that
software does not interfere with the connection to the lab, especially any antivirus or host firewall software such as
FortiClient.
3. Check that the student is connecting to the Internet using a low-latency broadband connection. To test the
Internet connection to Hatsize, run a continuous ping to one of the following IP addresses (depending on your
geographical location):
Location                         IP Address
Americas                         207.228.103.178
Europe / Middle East / Africa    89.202.107.2
Asia / Pacific                   27.111.210.161
There should be 0.05% packet loss or less. Average total latency should be around 80 msec or lower.
Minimum and maximum latencies should be very close for all packets (that is, low jitter).
If the connection does not meet these values, ask the local network administrator. They may need to examine
routers and switches on the LAN, or contact the ISP. If the ISP does not have a good connection to the Internet
backbone, switch to another location with a good ISP if possible.
4. Follow the steps in the Lab Guide to run the system checker, which tests software compatibility and connection
speed and latency.
• If the connection from your local network to the remote lab gateway is poor or the software is incompatible,
  contact your local network administrator.
• If the system checker reports that your connection is good, but you are still experiencing slow VMs or VM
  disconnections, contact Hatsize for support.
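The ping test in step 3 can be checked mechanically. The following is an added example, not part of the Fortinet guide: it parses the summary printed by ping on Linux/macOS or Windows and compares it with the guide's packet loss and latency values. The 20 ms jitter limit, the function names, and the sample outputs are assumptions constructed for illustration, and English-locale ping output is assumed.

```python
import re

MAX_LOSS_PCT = 0.05   # from the guide
MAX_AVG_MS = 80.0     # from the guide
MAX_SPREAD_MS = 20.0  # assumption: the guide only says min and max should be "very close"

# Linux/macOS summary lines (English-locale output assumed).
UNIX_COUNT = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")
UNIX_RTT = re.compile(r"= ([\d.]+)/([\d.]+)/([\d.]+)")  # min/avg/max
# Windows summary lines.
WIN_COUNT = re.compile(r"Sent = (\d+), Received = (\d+)")
WIN_RTT = re.compile(r"Minimum = (\d+)ms, Maximum = (\d+)ms, Average = (\d+)ms")

def parse_ping_summary(text):
    """Return (sent, received, min_ms, avg_ms, max_ms); RTTs are None if no replies."""
    count = UNIX_COUNT.search(text)
    if count:
        rtt = UNIX_RTT.search(text)
        lo, avg, hi = map(float, rtt.groups()) if rtt else (None, None, None)
    else:
        count = WIN_COUNT.search(text)
        if not count:
            raise ValueError("no ping summary found")
        rtt = WIN_RTT.search(text)
        lo, hi, avg = map(float, rtt.groups()) if rtt else (None, None, None)
    return int(count.group(1)), int(count.group(2)), lo, avg, hi

def check_link(summary):
    """Return a list of threshold violations; an empty list means the link passes."""
    sent, received, lo, avg, hi = parse_ping_summary(summary)
    if sent == 0 or received == 0:
        return ["no replies received"]
    problems = []
    # Use the counts, not the printed percentage: ping rounds it, and 0.05%
    # is one lost packet in 2000, so a shorter run cannot resolve it.
    if sent < 2000:
        problems.append(f"only {sent} packets sent; need 2000+ to measure 0.05% loss")
    loss = 100.0 * (sent - received) / sent
    if loss > MAX_LOSS_PCT:
        problems.append(f"packet loss {loss:.2f}% exceeds {MAX_LOSS_PCT}%")
    if avg > MAX_AVG_MS:
        problems.append(f"average latency {avg:.0f} ms exceeds {MAX_AVG_MS:.0f} ms")
    if hi - lo > MAX_SPREAD_MS:
        problems.append(f"min/max spread {hi - lo:.0f} ms indicates jitter")
    return problems

# Constructed sample summaries (not captured from a real lab session).
UNIX_GOOD = ("2000 packets transmitted, 2000 received, 0% packet loss, time 2001934ms\n"
             "rtt min/avg/max/mdev = 41.902/43.215/47.010/1.104 ms")
WIN_BAD = ("Packets: Sent = 2000, Received = 1998, Lost = 2 (0% loss),\n"
           "Minimum = 40ms, Maximum = 131ms, Average = 95ms")
```

Windows reports the second sample as "0% loss" even though two lost packets out of 2000 is 0.10%, which is why the check recomputes loss from the sent and received counts.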
FortiGate License Problems
Do not upload licenses. They are built into the lab.
If you upload your own licenses, FortiManager will not be able to validate them. This
license validation failure will lock the FortiGate VMs.
In each student lab environment, a FortiManager is acting as a local FortiGuard server. The FortiManager
validates the FortiGate licenses and replies to web filtering rating requests coming from the FortiGate devices.
FortiManager is configured in "closed network mode", providing FortiGuard services to local FortiGates without
requiring Internet access.
When you begin the lab, licenses should show as valid, indicated by the Licenses and Virtual Machine widgets
on the FortiOS dashboard.
If either the license or registration status shows as Invalid, Unreachable, or Duplicated, complete the following
procedure.
To resolve FortiGate license issues
1. If the license problem is with Local-FortiGate, restore the initial states for these VMs:
• Local-FortiGate
• FortiManager
2. If the license problem is with Remote-FortiGate, restore the initial states for these VMs:
• Remote-FortiGate
• FortiManager
• Linux
If you need to restore FortiManager to the initial state, only do so once, as it is the
same FortiManager serving license requirements for both FortiGate devices in the lab.
Web Filtering License Status Unavailable
This is expected when the FortiGate does not have any firewall policy using a web filtering profile. It is therefore
normal in most labs and in the initial state of your lab.
To refresh the web filter license status
1. On the Local-Windows VM, log in to the Local-FortiGate GUI at 10.0.1.254 as admin and leave the password
field empty.
2. Click System > FortiGuard.
3. Scroll to the bottom of the page, and then, next to Filtering Services Availability, click Check Again to force
an update.
4. Click OK to confirm.
You should see a confirmation message indicating that the web filtering service is available.
No Internet Access
Complete the following to resolve Internet access issues.
To resolve Internet access issues
1. Check the Internet access from the Linux VM:
a. Log in to the Linux VM using the username student with the password password.
b. Right-click anywhere on the desktop, and select Open Terminal to open a terminal window.
c. Type the following command to test the Internet access:
ping 4.2.2.1
d. If there is no Internet access, restore the Linux VM to its initial state and repeat the test. If the problem
persists, contact Hatsize for assistance.
2. Check the DNS and Internet access from the Local-Windows VM:
a. Open a command prompt window and execute the following command:
ping www.fortinet.com
b. If there is no Internet or DNS access, from the Local-FortiGate GUI, restore the configuration backup file
located inside the following folder:
Resources\initial-lab-environment-configs\local-initial.conf
c. If the problem persists, restore the Local-FortiGate, Local-Windows, and Linux VMs to their initial states.
No Access to Remote-FortiGate from Local-Windows
Complete the following to resolve access issues between Remote-FortiGate and Local-Windows.
To resolve access to Remote-FortiGate from Local-Windows
1. Check connectivity from the Local-Windows VM to the Linux VM that is acting as a router:
a. From the Local-Windows VM, execute the following command at the command prompt:
ping 10.200.1.254
b. If there is no access, from the Local-FortiGate GUI, restore the configuration backup file located inside the
following folder:
Resources\initial-lab-environment-configs\local-initial.conf
2. Check connectivity from the Linux VM to the Remote-FortiGate:
a. Log in to the Linux VM using the username student with the password password.
b. Right-click anywhere on the desktop, and select Open Terminal to open a terminal window.
c. Type the following command to test connectivity to the Remote-FortiGate:
ping 10.200.3.1
d. If there is no reply, restore the Remote-FortiGate to its initial state.
e. If the problem persists, restore the Linux VM to its initial state.
3. Check the connectivity from Local-Windows to the Remote-FortiGate:
a. From the Local-Windows VM, execute the following command at the command prompt:
ping 10.200.3.1
b. If there is no access, from the Local-FortiGate GUI, restore the configuration backup file located inside the
following folder:
Resources\initial-lab-environment-configs\local-initial.conf
c. If the problem persists, restore the Linux VMs to their initial state.
No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.