
Wednesday 3 September 2014

Using a 3G/4G mobile internet modem as a WAN connection on a Fortigate firewall

Today I'm testing a Fortigate security appliance in combination with a 4G USB mobile internet modem. My test environment has the following specs:
  • Fortigate 60D with firmware 5.0 patch 9
  • Huawei E398
Here are the steps that worked for me to set up the USB 4G modem.
The first thing to do is to enable the modem:
FGT60D # config system modem
FGT60D (modem) # set status enable
FGT60D (modem) # end
Next, check that the modem has been detected. I used the following commands for this:
FGT60D # diagnose sys modem detect
modem is attached.
dialtone is detected.
FGT60D # diagnose sys modem external-modem
External modem vendor: Huawei
External modem vendor id: 12d1
External modem model : E392/E397/E398/E353/E3276
External modem product id: 1506

In some cases I noticed that no modem was detected. I removed the modem from the USB port and inserted it again; after that the modem was detected. In some cases I needed to reboot the Fortigate unit to get it activated again :-(. I don't know for sure what the reason for this is, but I decided to let it go for now...
After this, the web GUI under System > Network > Modem shows the modem as detected, but still inactive (screenshot of the Modem page).
Now let's activate it. You need to enter some CLI commands to get this done. Some parameters are specific to your mobile provider; in this case the APN settings are those of the Dutch provider KPN Mobile. I only want to use the 4G connection when my primary WAN connection goes down, so the modem is configured in redundant mode as a backup for wan1.
config system modem
    set status enable
    set pin-init "AT+CPIN=****"
    set mode redundant
    set interface "wan1"
    set phone1 "*99#"
    set extra-init1 "at+cgdcont=1,\"ip\",\"portalmmm.nl\""
end
Replace portalmmm.nl with the APN of your own provider, and **** with the PIN of the SIM card. Be aware that the PIN is stored in the Fortigate configuration, so anyone who can read the configuration (or a backup of it) can read the PIN. If everything goes well, you can check the 4G connection with the following commands.
FGT60D # diagnose sys modem query
USB status: Connected
manufacturer: Huawei Technologies Co., Ltd.
model: E398
IMEI number: ******
SIM state: Valid
service status: Valid Service
signal level: 4/4
network name: KPN
network type: UTRAN
location area code:
active profile(AT&V):
<<output omitted>>
Now everything should work. Note that the network type UTRAN in the output above means the modem has registered on the 3G (UMTS) network rather than on LTE; the link works, but not at 4G speed. You can check that the modem interface comes up and shows the Connected state in the GUI (screenshot of the interface status).
Don't forget to configure a firewall policy with NAT enabled from your internal interface to the modem interface; without it no traffic is allowed out through the modem.
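As an added example (not from the original post), this is the NAT policy that the previous sentence refers to, in FortiOS 5.0 CLI syntax. The interface names internal and modem are the defaults on a FortiGate 60D but are assumptions here; check yours with show system interface. edit 0 lets FortiOS assign the next free policy ID.

```fortios
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "modem"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Without set nat enable the internal RFC 1918 addresses would be sent unchanged into the mobile network. Since a mobile link is usually metered, consider narrowing service "ALL" to what really needs to keep working during a WAN outage, and keep logging on so you can see what used the backup link.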


That's all folks!

Tuesday 26 August 2014

Managing certificate requests with OpenSSL

Generate a 2048-bit RSA private key, encrypted with Triple DES (you will be prompted for a passphrase):
$ openssl genrsa -des3 -out private.key 2048
Generate the CSR from the newly created private key, signed with SHA-256 (a SHA-2 hash). Compatibility notes about SHA-2 can be read here.
$ openssl req -sha256 -new -key private.key -out cert.csr
Create a PKCS#12 file that holds the signed certificate and its private key (password protected). Here signed-csr.cer is the certificate the CA returned for the CSR:
$ openssl pkcs12 -export -inkey private.key -in signed-csr.cer -out cert.p12
Check the contents of the CSR and verify its signature:
$ openssl req -text -noout -verify -in cert.csr
Generate a self-signed certificate with a lifetime of 1 year. Use at least a 2048-bit key (1024-bit RSA is no longer considered safe) and SHA-256; -nodes writes the private key unencrypted, so protect my_key.pem accordingly:
$ openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout my_key.pem -out my_cert.pem
When you want to make a PFX file that includes the whole trusted CA chain, you can do this in two steps:

1) Make a pem file with all upstream trusted Intermediate's and Root CA in it
2) Use OpenSSL to generate the pkcs12 with the newly pem file included

Step 1: Use a text editor (I use Notepad++) to copy the chain into one PEM file: first the Intermediate CA certificate, directly followed by the Root CA certificate. Do not put the server certificate itself in this file. Save the file; I saved it as trusted_chain.pem.

Step 2: Use the following OpenSSL command to generate the PKCS#12 file with the whole chain in it:

$ openssl pkcs12 -export -out incl_chain.pfx -in certificate.pem -certfile trusted_chain.pem
In this example the private key is included in certificate.pem together with the certificate; if the key is in a separate file, pass it with -inkey as in the earlier pkcs12 command.