Administration Guide

Configuring Network Settings

Configuring the interface

Each of the FortiRecorder appliance’s physical network adapter ports (or, for FortiRecorder-VM, vNICs) has a default IP address and netmask. If these IP addresses and netmasks are not compatible with the design of your unique network, you must configure them.

Network Interface*    IP Address      Netmask
port1                 192.168.1.99    255.255.255.0
port2                 192.168.2.99    255.255.255.0
port3                 192.168.3.99    255.255.255.0
port4                 192.168.4.99    255.255.255.0

*The number of network interfaces may vary by model.

To connect to the CLI and web UI, you should configure the following FortiRecorder network settings:

  • Interface: you must configure at least one network interface on your FortiRecorder appliance (usually port1) with an IP address and netmask so that it can receive your connections.
  • Static route: Depending on your network, you also usually must configure a static route so that the FortiRecorder can connect to the Internet, your computer, and FortiCam cameras.
  • DNS server: FortiRecorder appliances require connectivity to DNS servers for DNS lookups. The appliance will query the DNS servers whenever it needs to resolve a domain name into an IP address, such as for NTP servers defined by their domain names.

To configure a network interface’s IP address

  1. Log in to the admin administrator account.
  2. Go to System > Network > Interface.
  3. Double-click the row to select the physical network interface that you want to modify.
  4. If you want to manually assign an IP address and subnet mask to this network interface, select Manual and then provide the IP address and netmask in IP/Netmask. IPv4 and IPv6 subnet masks should be provided in CIDR format, e.g. /24 instead of 255.255.255.0. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet.

    Otherwise, select DHCP and enable Connect to server to retrieve a DHCP lease when you save this configuration. If you want the FortiRecorder appliance to also retrieve DNS and default route (“gateway”) settings, also enable Retrieve default gateway and DNS from server.

    Caution

    If you use DHCP on an interface and there are cameras connected to the interface, you must make sure the IP address will not change on that interface because the cameras need to communicate with the FortiRecorder and thus need to be aware of the IP address of the FortiRecorder.

    Caution

    Retrieve default gateway and DNS from server will overwrite the existing DNS and default route, if any.

  5. Configure the following settings:

    Setting Name

    Description

    Discover cameras on this port

    Enable to send multicast camera discovery traffic from this network interface. For more information, see “Connecting FortiRecorder to the cameras”.

    Access

    Enable the types of administrative access that you want to permit to this interface.

    Caution: Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiRecorder appliance.

    Access: HTTPS

    Enable to allow secure HTTPS connections to the web UI through this network interface. To configure the listening port number, see “Configuring system timeout, ports, and public access”. To upload a certificate, see “Replacing the default certificate for the web UI”.

    Access: PING

    Enable to allow:

    • ICMP type 8 (ECHO_REQUEST) or type 30
    • UDP ports 33434 to 33534

    for ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST, FortiRecorder will reply with ICMP type 0 (ECHO_RESPONSE).

    Note: Disabling PING only prevents FortiRecorder from receiving ICMP type 8 (ECHO_REQUEST) or type 30 and traceroute-related UDP.

    It does not disable FortiRecorder CLI commands such as execute ping or execute traceroute that send such traffic.

    Access: HTTP

    Enable to allow HTTP connections to the web UI through this network interface. To configure the listening port number, see “Configuring system timeout, ports, and public access”.

    Caution: HTTP connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiRecorder appliance.

    Access: SSH

    Enable to allow SSH connections to the CLI through this network interface.

    Access: SNMP

    Enable to allow SNMP queries to this network interface, if queries have been configured and the sender is a configured SNMP manager. To configure the listening port number and configure queries and traps, see “SNMP traps & queries”.

    Access: TELNET

    Enable to allow Telnet connections to the CLI through this network interface.

    Caution: Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiRecorder appliance.

    Access: FRC-Central

    Enable to allow access from FortiRecorder Central.

    MTU

    Enable to change the maximum transmission unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes.

    If network devices between the FortiRecorder unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.

    The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value. For example, RFC 2516 prescribes a value of 1492 for PPPoE.

    This option is available only for network interfaces that are directly associated with a physical link.

    Administrative Status

    Select either:

    • Up — Enable (that is, bring up) the network interface so that it can send and receive traffic.
    • Down — Disable (that is, bring down) the network interface so that it cannot send or receive traffic.
  6. Select OK.
    If you were connected to the web UI through this network interface, you are now disconnected from it.
  7. To access the web UI again, in your web browser, modify the URL to match the new IP address of the network interface. For example, if you configured the network interface with the IP address 10.10.10.5, you would browse to: https://10.10.10.5

    If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiRecorder appliance, you may also need to modify the IP address and subnet of your computer to match the FortiRecorder appliance’s new IP address.
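The rules in step 4 (CIDR-style masks, the address must sit on the connected subnet, and no two interfaces on the same subnet) are easy to get wrong when planning several ports at once. The following Python script is an added example, not Fortinet code and not part of this guide; it validates a planned interface table offline before anything is typed into the web UI. The interface names and addresses are constructed sample data taken from the default table above, with a deliberately conflicting port4, and the `connected_subnets` argument is an assumed extra input describing what each port is cabled to.

```python
import ipaddress

# Constructed sample data, not read from a real appliance: the default addressing
# from the table above, plus a port4 that has been moved onto port3's subnet.
SAMPLE_INTERFACES = {
    "port1": ("192.168.1.99", "255.255.255.0"),
    "port2": ("192.168.2.99", "/24"),
    "port3": ("192.168.3.99", "255.255.255.0"),
    "port4": ("192.168.3.200", "255.255.255.0"),  # shares port3's subnet: invalid
}


def prefix_length(netmask):
    """Dotted-decimal IPv4 netmask -> CIDR prefix length (255.255.255.0 -> 24)."""
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen


def to_interface(address, netmask):
    """Build an ip_interface from an address plus either a dotted mask or a /prefix.

    The web UI expects the /prefix form; accepting both lets notes written with
    dotted masks be converted before entry.
    """
    mask = netmask.strip()
    if not mask.startswith("/"):
        mask = f"/{prefix_length(mask)}"
    return ipaddress.ip_interface(f"{address}{mask}")


def check_interfaces(interfaces, connected_subnets=None):
    """Return a list of problems; an empty list means the plan is consistent.

    Rules checked, from the configuration step above:
      * the address must be a usable host address (not network/broadcast);
      * if the subnet a port is cabled to is known, the address must lie on it;
      * no two interfaces may have addresses on the same (or an overlapping) subnet.
    """
    connected_subnets = connected_subnets or {}
    problems = []
    parsed = {}
    for name, (address, netmask) in interfaces.items():
        try:
            iface = to_interface(address, netmask)
        except ValueError as err:
            problems.append(f"{name}: invalid address/netmask ({err})")
            continue
        parsed[name] = iface
        net = iface.network
        # /31 and /32 (and the IPv6 equivalents) have no separate network/broadcast address.
        if net.prefixlen < net.max_prefixlen - 1 and iface.ip in (
            net.network_address, net.broadcast_address
        ):
            problems.append(f"{name}: {iface.ip} is the network or broadcast address of {net}")
        wanted = connected_subnets.get(name)
        if wanted is not None and net != ipaddress.ip_network(wanted, strict=False):
            problems.append(f"{name}: {iface.with_prefixlen} is not on the connected subnet {wanted}")
    names = sorted(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].network.overlaps(parsed[b].network):
                problems.append(
                    f"{a} ({parsed[a].network}) and {b} ({parsed[b].network}) share a subnet"
                )
    return problems


if __name__ == "__main__":
    for line in check_interfaces(SAMPLE_INTERFACES) or ["no problems found"]:
        print(line)
```

Run as-is it reports the port3/port4 overlap; pass your own dictionary (and, optionally, a `connected_subnets` map such as `{"port1": "10.10.10.0/24"}`) to check a real plan.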

Configuring routing

To add a static route

Note

If you used DHCP and Retrieve default gateway and DNS from server when configuring your network interfaces, skip this step — the default route was configured automatically.

  1. Log in to the admin administrator account. Other accounts may not have permissions necessary to change this setting.
  2. Go to System > Network > Routing.
  3. Select New.
  4. Configure the following settings:

    Setting Name

    Description

    Destination IP/netmask

    Type the destination IP address and network mask of packets that will be subject to this static route, separated by a slash ( / ).

    The value 0.0.0.0/0 results in a default route, which matches all packets.

    Interface

    Select the desired port number from the dropdown menu.

    Gateway

    Type the IP address of the next-hop router where the FortiRecorder appliance will forward packets subject to this static route. This router must know how to route packets to the destination IP addresses that you have specified in Destination IP/netmask, or forward packets to another router with this information.

    For a direct Internet connection, this will be the router that forwards traffic towards the Internet, and could belong to your ISP.

    Note: The gateway IP address must be in the same subnet as one of the network interfaces’ IP addresses. If it is not, FortiRecorder deletes all static routes, including the default gateway.

  5. Select OK.

    The FortiRecorder appliance should now be reachable from the networks indicated by the destination mask. When you add a static route through the web UI, the FortiRecorder appliance evaluates the route to determine whether it differs from every route already present in the list of static routes. If no route having the same destination exists in the list of static routes, the FortiRecorder appliance adds the static route, using the next unassigned route index number.
    Note

    For small networks with only a few devices, often you will only need to configure one route: a default route that forwards packets to your router that is the gateway to the Internet.

    If you have redundant gateway routers (e.g. dual Internet/ISP links), or a larger network with multiple routers (e.g. each of which should receive packets destined for a different subset of IP addresses), you may need to configure multiple static routes.

  6. To verify connectivity, from a computer on the route’s network destination, attempt to ping one of FortiRecorder’s network interfaces that should be reachable from that location. If the connectivity test fails, you can use the following CLI commands: execute ping <destination_ipv4> to determine whether a complete route exists from the FortiRecorder to the host, and execute traceroute <destination_ipv4> to determine the point of connectivity failure.
  7. Enable PING on the FortiRecorder’s network interface and use the equivalent tracert or traceroute command on the computer (depending on its operating system) to test routability for traffic traveling in the opposite direction: from the host to the FortiRecorder.
    If these tests fail, or if you do not want to enable PING, first examine the static route configuration on both the host and FortiRecorder.

    To display the cached routing table, enter the CLI command:

    diagnose netlink rtcache list

    You may also need to verify that the physical cabling is reliable and not loose or broken, that there are no IP address or MAC address conflicts or blacklisting, and otherwise rule out problems at the physical, network, and transport layer.

    If these tests succeed (so a route exists) but you still cannot connect using HTTP or HTTPS, an application-layer problem is preventing connectivity.

    Verify that you have enabled HTTPS and/or HTTP on the network interface. Also examine routers and firewalls between the host and the FortiRecorder appliance to verify that they permit HTTP and/or HTTPS connectivity between them. Finally, you can also use the CLI command:

    diagnose system top 5 30

    to verify that the daemons for the web UI and CLI, such as sshd, newcli, and httpd are running and not overburdened. For details, see the FortiWeb CLI Reference.
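Two behaviours in this procedure are worth modelling before touching a production appliance: a gateway outside every interface subnet wipes the whole static route list (the Note under Gateway), and a second route with an already-present destination is silently not added (the paragraph after step 5). The Python class below is an added example written for this page, not Fortinet code; it mirrors those rules over a constructed interface set (port1 on 192.168.1.0/24, port2 on 192.168.2.0/24, as in the default table) and adds a longest-prefix lookup so you can see which route a given destination would take. The index numbering (lowest unused positive integer) is an assumption about what "next unassigned route index" means.

```python
import ipaddress

# Constructed sample interfaces (not read from an appliance): port1 and port2 with
# the default addressing shown earlier on this page.
SAMPLE_INTERFACES = {
    "port1": ipaddress.ip_interface("192.168.1.99/24"),
    "port2": ipaddress.ip_interface("192.168.2.99/24"),
}


def gateway_interface(gateway, interfaces):
    """Return the name of the interface whose subnet contains the gateway, or None."""
    gw = ipaddress.ip_address(gateway)
    for name, iface in interfaces.items():
        if gw in iface.network:
            return name
    return None


class StaticRouteTable:
    """Models the static route list: gateway-on-a-local-subnet check,
    duplicate-destination check, index assignment and longest-prefix lookup."""

    def __init__(self, interfaces):
        self.interfaces = interfaces
        self.routes = {}  # route index -> {"destination", "gateway", "interface"}

    def next_index(self):
        """Lowest positive index not yet in use (assumed numbering scheme)."""
        idx = 1
        while idx in self.routes:
            idx += 1
        return idx

    def add(self, destination, gateway, interface=None):
        """Add a route and return (index, added).

        Raises ValueError instead of accepting a gateway that is not on any
        interface subnet, because entering one on the appliance deletes every
        static route. A destination already in the list is not added again.
        """
        dest = ipaddress.ip_network(destination, strict=False)
        on = gateway_interface(gateway, self.interfaces)
        if on is None:
            raise ValueError(f"gateway {gateway} is not on any interface's subnet")
        if interface is not None and interface != on:
            raise ValueError(f"gateway {gateway} is reachable via {on}, not {interface}")
        for idx, route in self.routes.items():
            if route["destination"] == dest:
                return idx, False  # same destination already present: not added
        idx = self.next_index()
        self.routes[idx] = {
            "destination": dest,
            "gateway": str(ipaddress.ip_address(gateway)),
            "interface": on,
        }
        return idx, True

    def lookup(self, address):
        """Index of the most specific route matching address, or None."""
        ip = ipaddress.ip_address(address)
        best = None
        for idx, route in self.routes.items():
            net = route["destination"]
            if ip in net and (
                best is None or net.prefixlen > self.routes[best]["destination"].prefixlen
            ):
                best = idx
        return best


if __name__ == "__main__":
    table = StaticRouteTable(SAMPLE_INTERFACES)
    print(table.add("0.0.0.0/0", "192.168.1.1"))        # default route via port1
    print(table.add("10.0.0.0/8", "192.168.2.1", "port2"))
    print(table.add("0.0.0.0/0", "192.168.1.254"))      # duplicate destination: not added
    print(table.lookup("10.1.2.3"), table.lookup("8.8.8.8"))
```

The `lookup` method is the quick way to answer "which gateway will traffic to this camera or NTP server actually use?" when several static routes overlap.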

Configuring DNS settings

To configure DNS settings

Note

If you will use the settings DHCP and Retrieve default gateway and DNS from server when you configure your network interfaces, skip this — DNS is configured automatically.

  1. Log in to the admin administrator account. Other accounts may not have permissions necessary to change this setting.
  2. Go to System > Network > DNS and enter the IP addresses of a primary and secondary DNS server. Your Internet service provider (ISP) may supply IP addresses of DNS servers, or you may want to use the IP addresses of your own DNS servers.
    Note

    Incorrect DNS settings or unreliable DNS connectivity can cause issues with other features, including the NTP system time. For improved performance, use DNS servers on your local network.

  3. Select Apply.
  4. To verify your DNS settings, in the CLI, enter the following command: execute traceroute www.fortinet.com
    Note

    DNS tests may not succeed if you have not yet completed “To add a static route”.

  5. If the DNS query for the domain name succeeds, you should see results that indicate that the host name resolved into an IP address, and the route from FortiRecorder to that IP address:

    traceroute to www.fortinet.com (192.0.43.10), 30 hops max, 60 byte packets

    1 172.20.130.2 (172.20.130.2) 0.426 ms 0.238 ms 0.374 ms

    2 static-209-87-254-221.storm.ca (209.87.254.221) 2.223 ms 2.491 ms 2.552 ms

    3 core-g0-0-1105.storm.ca (209.87.239.161) 3.079 ms 3.334 ms 3.357 ms

    ...

    16 43-10.any.icann.org (192.0.43.10) 57.243 ms 57.146 ms 57.001 ms

    If the DNS query fails, you will see an error message such as:

    www.fortinet.com: Temporary failure in name resolution

    Cannot handle "host" cmdline arg `www.fortinet.com' on position 1 (argc 3)

    Verify your DNS server IPs, routing, and that your firewalls or routers do not block or proxy UDP port 53.

Configuring the DHCP server

If you need the FortiRecorder DHCP service to connect cameras to the FortiRecorder, you can configure the DHCP server on the interface that the cameras connect to. For information about DHCP service and camera connection, see “Camera connection” on page 40.

To configure FortiRecorder's DHCP server via the web UI

  1. Go to System > Network > DHCP.
  2. Click New.
  3. Mark the check box for Enable DHCP server.
  4. Configure the following settings:

    Setting Name

    Description

    Interface

    Select the name of the network interface where this DHCP server will listen for requests from DHCP clients.

    Gateway

    Type the IP address that DHCP clients will use as their next-hop router.

    On smaller networks, this is usually the same router that FortiRecorder uses. It could be your office’s router, or cable/DSL modem.

    DNS options

    Select either:

    • Default — Leave DHCP clients’ DNS settings at their default values.
    • Specify — Configure DHCP clients with the DNS servers that you specify in DNS server 1 and DNS server 2.

    DNS server 1

    Type the IP address of a DNS server that DHCP clients can use to resolve domain names. For performance reasons, if you have one, it is preferable to use a DNS server on your local network.

    This setting is available only if DNS options is set to Specify.

    DNS server 2

    Type the IP address of an alternative DNS server that DHCP clients can use to resolve domain names. For performance reasons, if you have one, it is preferable to use a DNS server on your local network.

    This setting is available only if DNS options is set to Specify.

    Domain

    Optional. Type the domain name, if any, that DHCP clients will use when resolving host names on the local domain.

    Netmask

    Type the subnet mask that DHCP clients will use in conjunction with the IP address that is assigned by FortiRecorder’s DHCP server.

    Conflicted IP timeout (Seconds)

    Type the maximum amount of time that the DHCP server will wait for an ICMP ECHO (ping) response from an IP before it determines that it is not used, and therefore safe to allocate to a DHCP client that is requesting an IP address. The default is 1,800 seconds (3 minutes).

    To ensure that the DHCP server does not cause IP address conflicts with misconfigured computers that are accidentally using the pool of IP addresses used for DHCP, when a client requests a new DHCP lease, the built-in DHCP server will ping an unused IP address in the pool first. If the ping test is successful, then a misconfigured computer is currently using that IP, and allocating it also to the DHCP client would cause an IP address conflict. To prevent this, the DHCP server will temporarily abandon that IP (mark it as used by a static host) and look for another, available IP to give to the DHCP client. (It will not try abandoned IPs again until the pool is exhausted.) However, before the DHCP server can determine whether the ping test is successful, it must first wait to see if there is any reply. This slows down the search for an available IP address, and in rare cases, could cause a significant delay before the DHCP client receives its assigned IP address and other network settings. If your network is smaller or typically has low latency to ping replies, you can safely decrease this setting’s value to improve DHCP speed and performance. In most cases, 3 seconds is enough.

    Lease time (Seconds)

    Type the maximum amount of time that the DHCP client can use the IP address assigned to it by the server. When the lease expires, the DHCP client must either request a new IP address from the DHCP server or renew its existing lease. Otherwise, the DHCP server may attempt to assign it to the next DHCP client that requests an IP. The default is 604,800 seconds (7 days).

    If you have more or almost as many DHCP clients (cameras) as the number of IP addresses available to give to DHCP clients, you can decrease the lease. This will free up IP addresses from inactive clients so that IPs are available to give to clients that are currently in need of IP addresses. Keep in mind, however, that if the DHCP server is attached to your overall network rather than directly to cameras, this will slightly increase traffic volume and slightly decrease performance.

    DHCP IP Range

    To configure the DHCP lease pool — the range of IP addresses that the DHCP server can assign to its clients — click New and configure the first and last IP address in the range. To avoid DHCP pool exhaustion that can occur in some cases, the pool should be slightly larger than the total number of clients.

    If you need to exclude some IP addresses from this range (e.g. printers permanently occupy static IPs in the middle of the range), also configure DHCP Excluded Range.

    Tip: The built-in DHCP server can provide IP addresses to the computers on your network too, not just to cameras.

    DHCP Excluded Range

    To configure IPs that should be omitted from the DHCP pool and never given to DHCP clients (for example, printers with manually assigned static IP addresses in the middle of your DHCP range), click New.

    Reserved IP Address

    To bind specific MAC addresses to a specific DHCP lease, guaranteeing that the DHCP server will never assign it to another DHCP client, click New.

    Caution: Reserved leases cannot prevent misconfigured computers from taking the IP address, causing an IP address conflict, and breaking the FortiRecorder’s connection with the camera. See “Resolving IP address conflicts”.

    Tip: To mimic a static IP address for your cameras, yet still provide the benefit that IP addresses are still centrally managed and configured on your DHCP server, configure reserved IP addresses.

  5. Select Create.

    As cameras join the network, they should appear in the list of DHCP clients on Monitor > DHCP > DHCP.
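The conflict-avoidance behaviour described under Conflicted IP timeout (probe a candidate, abandon it if something answers, retry abandoned addresses only once the pool is exhausted) interacts with the excluded ranges and reserved leases in ways that are easier to see in code than in prose. The following Python model is an added example for this page, not FortiRecorder's DHCP implementation; the ICMP probe is replaced by a stub so that it runs offline, and the pool, excluded range, reserved lease and the "rogue" host squatting on an address are all constructed sample values. The renewal and retry details are assumptions about how such a server behaves, not a description of the appliance.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: a host with a manually assigned static IP inside the pool,
# the "misconfigured computer" case described above.
ROGUE_HOSTS = {"192.168.3.10"}


def sample_probe(ip, timeout_seconds):
    """Stand-in for the server's ICMP echo probe (no real network I/O).

    Returns True when something answered within the timeout. Assumption for the
    example: a rogue host always answers, every other address stays silent.
    """
    return ip in ROGUE_HOSTS


@dataclass
class DhcpPool:
    first: str
    last: str
    excluded: list = field(default_factory=list)   # list of (first, last) address ranges
    reserved: dict = field(default_factory=dict)   # MAC -> IP bound to that client
    conflict_timeout: float = 3.0                  # seconds to wait for an echo reply
    leases: dict = field(default_factory=dict)     # IP -> MAC currently holding it
    abandoned: set = field(default_factory=set)    # IPs that answered a probe

    def candidates(self):
        """Pool addresses in order, minus excluded ranges and reserved addresses."""
        ip, end = ipaddress.ip_address(self.first), ipaddress.ip_address(self.last)
        excluded = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in self.excluded]
        reserved = {ipaddress.ip_address(v) for v in self.reserved.values()}
        while ip <= end:
            if ip not in reserved and not any(a <= ip <= b for a, b in excluded):
                yield str(ip)
            ip += 1

    def allocate(self, mac, probe=sample_probe):
        """Pick an address for mac, probing each candidate before handing it out."""
        if mac in self.reserved:                       # reserved lease: no search needed
            self.leases[self.reserved[mac]] = mac
            return self.reserved[mac]
        for ip, holder in self.leases.items():         # renewal: keep the existing lease
            if holder == mac:
                return ip
        # First pass skips abandoned addresses; the second pass (pool exhausted)
        # re-probes them in case the squatting host has gone away.
        for retry_abandoned in (False, True):
            for ip in self.candidates():
                if ip in self.leases or (ip in self.abandoned and not retry_abandoned):
                    continue
                if probe(ip, self.conflict_timeout):   # something answered: conflict
                    self.abandoned.add(ip)
                    continue
                self.abandoned.discard(ip)
                self.leases[ip] = mac
                return ip
        return None                                    # nothing safe to hand out


def make_sample_pool():
    """Constructed pool 192.168.3.10-14: .12 excluded (a printer), .14 reserved for one camera."""
    return DhcpPool(
        first="192.168.3.10",
        last="192.168.3.14",
        excluded=[("192.168.3.12", "192.168.3.12")],
        reserved={"00:11:22:33:44:ff": "192.168.3.14"},
    )


def demo():
    """Allocate for four clients in order; returns the assignments and abandoned IPs."""
    pool = make_sample_pool()
    order = ["cam-a", "cam-b", "00:11:22:33:44:ff", "cam-c"]
    return [(mac, pool.allocate(mac)) for mac in order], sorted(pool.abandoned)


if __name__ == "__main__":
    assignments, abandoned = demo()
    for mac, ip in assignments:
        print(f"{mac:20} -> {ip}")
    print("abandoned:", abandoned)
```

With the sample values, the rogue host's address is probed, abandoned and skipped, the excluded and reserved addresses never enter the search, and the fourth camera gets nothing because the pool is exhausted; that last outcome is exactly why the page advises a pool slightly larger than the number of clients.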

Using traffic capture

When troubleshooting networks, traffic capture helps to look inside the contents of the packets to determine if the packets, route, and destination are correct. Traffic capture can also be called packet sniffing, a network tap, or logic analyzing. Packet sniffing provides information on the network at a low level, which helps troubleshoot problems, such as:

  • finding missing traffic
  • seeing if sessions are setting up properly
  • locating ARP problems such as broadcast storm sources and causes
  • confirming which address a computer is using on the network if they have multiple addresses or are on multiple networks
  • confirming routing is working as you expect
  • intermittent missing PING packets.

If you are running a constant traffic application such as ping, traffic capture detects whether the traffic is reaching its destination, which port it enters and exits the FortiRecorder unit on, whether the ARP resolution is correct, and whether the traffic is returning to the source as expected. Traffic capture also verifies that NAT is translating addresses or routing traffic as expected.

Before using traffic capture you should have a good sense of what you are looking for, since if you try traffic capture without a plan to narrow your search, you could end up with too much data to effectively analyze.

To capture the traffic

  1. Go to System > Network > Traffic Capture.
  2. Select New.
  3. Enter a description for the file generated from the captured traffic.
  4. Enter the time period for performing the packet capture.
  5. Specify which interface you want to capture.
  6. If you want to limit the scope of traffic capture, in the IP/HOST field, enter a maximum of 3 IP addresses or host names for which you want to capture.
  7. Select the filter for the traffic capture:
    • Use protocol: Only UDP or TCP traffic on the specified port number will be captured.
    • Capture all: All network traffic will be captured.
  8. For Exclusion, enter the IP addresses/host names and port numbers for which you do not want to capture traffic.
  9. Select Create.

Configuring Network Settings

Configuring the interface

Each of the FortiRecorder appliance’s physical network adapter ports (or, for FortiRecorder-VM, vNICs) have a default IP address and netmask. If these IP addresses and netmasks are not compatible with the design of your unique network, you must configure them.

Network Interface*

IP Address

Netmask

port1

192.168.1.99

255.255.255.0

port2

192.168.2.99

255.255.255.0

port3

192.168.3.99

255.255.255.0

port4

192.168.4.99

255.255.255.0

*The number of network interfaces may vary by model.

To connect to the CLI and web UI, you should configure the following FortiRecorder network settings:

  • Interface: you must configure at least one network interface on your FortiRecorder appliance (usually port1) with an IP address and netmask so that it can receive your connections.
  • Static route: Depending on your network, you also usually must configure a static route so that the FortiRecorder can connect to the Internet, your computer, and FortiCam cameras.
  • DNS server: FortiRecorder appliances require connectivity to DNS servers for DNS lookups. The appliance will query the DNS servers whenever it needs to resolve a domain name into an IP address, such as for NTP servers defined by their domain names.

To configure a network interface’s IP address

  1. Log in to the admin administrator account.
  2. Go to System > Network > Interface.
  3. Double-click the row to select the physical network interface that you want to modify.
  4. If you want to manually assign an IP address and subnet mask to this network interface, select Manual and then provide the IP address and netmask in IP/Netmask. IPv4 and IPv6 subnet masks should be provided in CIDR format, e.g. /24 instead of 255.255.255.0. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet.

    Otherwise, select DHCP and enable Connect to server to retrieve a DHCP lease when you save this configuration. If you want the FortiRecorder appliance to also retrieve DNS and default route (“gateway”) settings, also enable Retrieve default gateway and DNS from server.

    Caution

    If you use DHCP on an interface and there are cameras connected to the interface, you must make sure the IP address will not change on that interface because the cameras need to communicate with the FortiRecorder and thus need to be aware of the IP address of the FortiRecorder.

    Caution

    Retrieve default gateway and DNS from server will overwrite the existing DNS and default route, if any.

  5. Configure the following settings:

    Setting Name

    Description

    Discover cameras on this port

    Enable to send multicast camera discovery traffic from this network interface. For more information, see “Connecting FortiRecorder to the cameras”.

    Access

    Enable the types of administrative access that you want to permit to this interface.

    Caution: Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiRecorder appliance.

    Access: HTTPS

    Enable to allow secure HTTPS connections to the web UI through this network interface. To configure the listening port number, see “Configuring system timeout, ports, and public access”. To upload a certificate, see “Replacing the default certificate for the web UI”.

    Access: PING

    Enable to allow:

    • ICMP type 8 (ECHO_REQUEST) or type 30
    • UDP ports 33434 to 33534 CS: Verify.

    for ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST, FortiRecorder will reply with ICMP type 0 (ECHO_RESPONSE).

    Note: Disabling PING only prevents FortiRecorder from receiving ICMP type 8 (ECHO_REQUEST) or type 30 and traceroute-related UDP.

    It does not disable FortiRecorder CLI commands such as execute ping or execute traceroute that send such traffic.

    Access: HTTP

    Enable to allow HTTP connections to the web UI through this network interface. To configure the listening port number, see “Configuring system timeout, ports, and public access”.

    Caution: HTTP connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiRecorder appliance.

    Access: SSH

    Enable to allow SSH connections to the CLI through this network interface.

    Access: SNMP

    Enable to allow SNMP queries to this network interface, if queries have been configured and the sender is a configured SNMP manager. To configure the listening port number and configure queries and traps, see “SNMP traps & queries”.

    Access: TELNET

    Enable to allow Telnet connections to the CLI through this network interface.

    Caution: Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiRecorder appliance.

    Access: FRC-Central

    Enable to allow access from FortiRecorder Central.

    MTU

    Enable to change the maximum transmission unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes.

    If network devices between the FortiRecorder unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.

    The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value. For example, RFC 2516 prescribes a value of 1492 for PPPoE.

    This option is available only for network interfaces that are directly associated with a physical link.

    Administrative Status

    Select either:

    • Up — Enable (that is, bring up) the network interface so that it can send and receive traffic.
    • Down — Disable (that is, bring down) the network interface so that it cannot send or receive traffic.
  6. Select OK.
    If you were connected to the web UI through this network interface, you are now disconnected from it.
  7. To access the web UI again, in your web browser, modify the URL to match the new IP address of the network interface. For example, if you configured the network interface with the IP address 10.10.10.5, you would browse to: https://10.10.10.5

    If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiRecorder appliance, you may also need to modify the IP address and subnet of your computer to match the FortiRecorder appliance’s new IP address.

Configuring routing

To add a static route

Note

If you used DHCP and Retrieve default gateway and DNS from server when configuring your network interfaces, skip this step — the default route was configured automatically.

  1. Log in to the admin administrator account. Other accounts may not have permissions necessary to change this setting.
  2. Go to System > Network > Routing.
  3. Select New.
  4. Configure the following settings:

    Setting Name

    Description

    Destination IP/netmask

    Type the destination IP address and network mask of packets that will be subject to this static route, separated by a slash ( / ).

    The value 0.0.0.0/0 results in a default route, which matches all packets.

    Interface

    Select the desired port number from the dropdown menu.

    Gateway

    Type the IP address of the next-hop router where the FortiRecorder appliance will forward packets subject to this static route. This router must know how to route packets to the destination IP addresses that you have specified in Destination IP/netmask, or forward packets to another router with this information.

    For a direct Internet connection, this will be the router that forwards traffic towards the Internet, and could belong to your ISP.

    Note: The gateway IP address must be in the same subnet as a network interface’s IP address. Failure to do so will cause FortiRecorder to delete all static routes, including the default gateway.

  5. Select OK.

    The FortiRecorder appliance should now be reachable to connections with networks indicated by the mask. When you add a static route through the web UI, the FortiRecorder appliance evaluates the route to determine if it represents a different route compared to any other route already present in the list of static routes. If no route having the same destination exists in the list of static routes, the FortiRecorder appliance adds the static route, using the next unassigned route index number.
    Note

    For small networks with only a few devices, often you will only need to configure one route: a default route that forwards packets to your router that is the gateway to the Internet.

    If you have redundant gateway routers (e.g. dual Internet/ISP links), or a larger network with multiple routers (e.g. each of which should receive packets destined for a different subset of IP addresses), you may need to configure multiple static routes.

  6. To verify connectivity, from a computer on the route’s network destination, attempt to ping one of FortiRecorder’s network interfaces that should be reachable from that location. If the connectivity test fails, you can use the CLI commands to determine if a complete route exists from the FortiRecorder to the host: execute ping <destination_ipv4> and to determine the point of connectivity failure: execute traceroute <destination_ipv4>.
  7. Enable PING on the FortiRecorder’s network interface and use the equivalent tracert or traceroute command on the computer (depending on its operating system) to test routability for traffic traveling in the opposite direction: from the host to the FortiRecorder.
    If these tests fail, or if you do not want to enable PING, first examine the static route configuration on both the host and FortiRecorder.

    To display the cached routing table, enter the CLI command:

    diagnose netlink rtcache list

    You may also need to verify that the physical cabling is reliable and not loose or broken, that there are no IP address or MAC address conflicts or blacklisting, and otherwise rule out problems at the physical, network, and transport layer.

    If these tests succeed, a route exists; if you still cannot connect using HTTP or HTTPS, an application-layer problem is preventing connectivity.

    Verify that you have enabled HTTPS and/or HTTP on the network interface. Also examine routers and firewalls between the host and the FortiRecorder appliance to verify that they permit HTTP and/or HTTPS connectivity between them. Finally, you can also use the CLI command:

    diagnose system top 5 30

    to verify that the daemons for the web UI and CLI, such as sshd, newcli, and httpd are running and not overburdened. For details, see the FortiWeb CLI Reference.

Configuring DNS settings

To configure DNS settings

Note

If you will use the settings DHCP and Retrieve default gateway and DNS from server when you configure your network interfaces, skip this — DNS is configured automatically.

  1. Log in to the admin administrator account. Other accounts may not have permissions necessary to change this setting.
  2. Go to System > Network > DNS and enter the IP addresses of a primary and secondary DNS server. Your Internet service provider (ISP) may supply IP addresses of DNS servers, or you may want to use the IP addresses of your own DNS servers.
    Note

    Incorrect DNS settings or unreliable DNS connectivity can cause issues with other features, including the NTP system time. For improved performance, use DNS servers on your local network.

  3. Select Apply.
  4. To verify your DNS settings, in the CLI, enter the following command: execute traceroute www.fortinet.com
    Note

    DNS tests may not succeed if you have not yet completed “To add a static route”.

  5. If the DNS query for the domain name succeeds, you should see results that indicate that the host name resolved into an IP address, and the route from FortiRecorder to that IP address:

    traceroute to www.fortinet.com (192.0.43.10), 30 hops max, 60 byte packets

    1 172.20.130.2 (172.20.130.2) 0.426 ms 0.238 ms 0.374 ms

    2 static-209-87-254-221.storm.ca (209.87.254.221) 2.223 ms 2.491 ms 2.552 ms

    3 core-g0-0-1105.storm.ca (209.87.239.161) 3.079 ms 3.334 ms 3.357 ms

    ...

    16 43-10.any.icann.org (192.0.43.10) 57.243 ms 57.146 ms 57.001 ms

    If the DNS query fails, you will see an error message such as:

    www.fortinet.com: Temporary failure in name resolution

    Cannot handle "host" cmdline arg `www.fortinet.com' on position 1 (argc 3)

    Verify your DNS server IPs, routing, and that your firewalls or routers do not block or proxy UDP port 53.
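The two traceroute outcomes shown above (a resolved name with a full path, and a name-resolution error) plus the third case from step 6 of the static-route check (a route that stalls part way) can be told apart mechanically. The following is an added example, not part of this guide or of FortiRecorder; the sample outputs are constructed from the fragments shown above, and the classifier only reads what traceroute printed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample outputs, modelled on the traceroute examples in this guide.
TRACEROUTE_OK = """\
traceroute to www.fortinet.com (192.0.43.10), 30 hops max, 60 byte packets
 1  172.20.130.2 (172.20.130.2)  0.426 ms  0.238 ms  0.374 ms
 2  static-209-87-254-221.storm.ca (209.87.254.221)  2.223 ms  2.491 ms  2.552 ms
16  43-10.any.icann.org (192.0.43.10)  57.243 ms  57.146 ms  57.001 ms
"""
TRACEROUTE_DNS_FAIL = """\
www.fortinet.com: Temporary failure in name resolution
Cannot handle "host" cmdline arg `www.fortinet.com' on position 1 (argc 3)
"""
TRACEROUTE_STALLED = """\
traceroute to 192.0.43.10 (192.0.43.10), 30 hops max, 60 byte packets
 1  172.20.130.2 (172.20.130.2)  0.4 ms  0.3 ms  0.3 ms
 2  * * *
 3  * * *
"""

HEADER = re.compile(r"^traceroute to \S+ \((?P<ip>[\d.]+)\)")
HOP = re.compile(r"^\s*(?P<n>\d+)\s+(?P<host>\S+) \((?P<ip>[\d.]+)\)")


@dataclass
class RouteCheck:
    status: str               # "dns_failure", "reached" or "stalled"
    target_ip: Optional[str]  # IP the name resolved to (None if resolution failed)
    last_hop: int             # last hop that answered (0 if none answered)


def classify_traceroute(output: str) -> RouteCheck:
    """Decide whether the problem is name resolution, routing, or neither."""
    lines = output.strip().splitlines()
    # Resolution errors are printed before any traceroute header line.
    if not lines or "name resolution" in lines[0]:
        return RouteCheck("dns_failure", None, 0)
    m = HEADER.match(lines[0])
    target = m.group("ip") if m else None
    last_hop = 0
    for line in lines[1:]:
        hop = HOP.match(line)        # "* * *" hops do not match and are skipped
        if hop:
            last_hop = int(hop.group("n"))
            if hop.group("ip") == target:
                return RouteCheck("reached", target, last_hop)
    return RouteCheck("stalled", target, last_hop)
```

A "stalled" result with last_hop 1 points at the first router beyond FortiRecorder, which is where to start checking static routes and firewall rules; a "dns_failure" result means routing was never tested, so fix DNS first.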

Configuring the DHCP server

If you need the FortiRecorder DHCP service to connect cameras to the FortiRecorder, you can configure the DHCP server on the interface that the cameras connect to. For information about DHCP service and camera connection, see “Camera connection” on page 40.

To configure FortiRecorder's DHCP server via the web UI

  1. Go to System > Network > DHCP.
  2. Click New.
  3. Mark the check box for Enable DHCP server.
  4. Configure the following settings:

    Setting Name

    Description

    Interface

    Select the name of the network interface where this DHCP server will listen for requests from DHCP clients.

    Gateway

    Type the IP address that DHCP clients will use as their next-hop router.

    On smaller networks, this is usually the same router that FortiRecorder uses. It could be your office’s router, or cable/DSL modem.

    DNS options

    Select either:

    • Default — Leave DHCP clients’ DNS settings at their default values.
    • Specify — Configure DHCP clients with the DNS servers that you specify in DNS server 1 and DNS server 2.

    DNS server 1

    Type the IP address of a DNS server that DHCP clients can use to resolve domain names. For performance reasons, if you have one, it is preferable to use a DNS server on your local network.

    This setting is available only if DNS options is set to Specify.

    DNS server 2

    Type the IP address of an alternative DNS server that DHCP clients can use to resolve domain names. For performance reasons, if you have one, it is preferable to use a DNS server on your local network.

    This setting is available only if DNS options is set to Specify.

    Domain

    Optional. Type the domain name, if any, that DHCP clients will use when resolving host names on the local domain.

    Netmask

    Type the subnet mask that DHCP clients will use in conjunction with the IP address that is assigned by FortiRecorder’s DHCP server.

    Conflicted IP timeout (Seconds)

    Type the maximum amount of time that the DHCP server will wait for an ICMP ECHO (ping) response from an IP before it determines that it is not used, and therefore safe to allocate to a DHCP client that is requesting an IP address. The default is 1,800 seconds (3 minutes).

    To ensure that the DHCP server does not cause IP address conflicts with misconfigured computers that are accidentally using the pool of IP addresses used for DHCP, when a client requests a new DHCP lease, the built-in DHCP server first pings an unused IP address in the pool. If the ping test is successful, a misconfigured computer is currently using that IP, and allocating it to the DHCP client as well would cause an IP address conflict. To prevent this, the DHCP server temporarily abandons that IP (marks it as used by a static host) and looks for another available IP to give to the DHCP client. (It will not try abandoned IPs again until the pool is exhausted.) However, before the DHCP server can determine whether the ping test is successful, it must first wait to see if there is any reply. This slows down the search for an available IP address, and in rare cases could cause a significant delay before the DHCP client receives its assigned IP address and other network settings. If your network is smaller or typically has low latency to ping replies, you can safely decrease this setting’s value to improve DHCP speed and performance. In most cases, 3 seconds is enough.

    Lease time (Seconds)

    Type the maximum amount of time that the DHCP client can use the IP address assigned to it by the server. When the lease expires, the DHCP client must either request a new IP address from the DHCP server or renew its existing lease. Otherwise, the DHCP server may attempt to assign it to the next DHCP client that requests an IP. The default is 604,800 seconds (7 days).

    If you have almost as many or more DHCP clients (cameras) than IP addresses available to give to DHCP clients, you can decrease the lease time. This frees up IP addresses from inactive clients so that IPs are available for clients that currently need them. Keep in mind, however, that if the DHCP server is attached to your overall network rather than directly to cameras, this will slightly increase traffic volume and slightly decrease performance.

    DHCP IP Range

    To configure the DHCP lease pool — the range of IP addresses that the DHCP server can assign to its clients — click New and configure the first and last IP address in the range. To avoid DHCP pool exhaustion that can occur in some cases, the pool should be slightly larger than the total number of clients.

    If you need to exclude some IP addresses from this range (e.g. printers permanently occupy static IPs in the middle of the range), also configure DHCP Excluded Range.

    Tip: The built-in DHCP server can provide IP addresses to the computers on your network too, not just to cameras.

    DHCP Excluded Range

    To configure IPs that should be omitted from the DHCP pool and never given to DHCP clients (such as printers with manually assigned static IP addresses in the middle of your DHCP range), click New.

    Reserved IP Address

    To bind a specific MAC address to a specific IP address in the DHCP pool, guaranteeing that the DHCP server will never assign that IP to another DHCP client, click New.

    Caution: Reserved leases cannot prevent misconfigured computers from taking the IP address, causing an IP address conflict, and breaking the FortiRecorder’s connection with the camera. See “Resolving IP address conflicts”.

    Tip: To mimic a static IP address for your cameras, yet still provide the benefit that IP addresses are still centrally managed and configured on your DHCP server, configure reserved IP addresses.

  5. Select Create.

    As cameras join the network, they should appear in the list of DHCP clients on Monitor > DHCP > DHCP.
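The allocation rules described in the settings table above (reserved MAC addresses, an excluded range, a ping probe before handing out a lease, and abandoned IPs retried only once the rest of the pool is exhausted) fit together as follows. This is an added model written for this page, not FortiRecorder's own code; the probe callback stands in for the ICMP echo test and its timeout, and the squatting host is constructed.

```python
from ipaddress import IPv4Address, ip_address
from typing import Callable, Dict, Optional, Set


class DhcpPool:
    """Lease allocation modelled on the behaviour this guide describes:
    reserved MACs, an excluded range, ping-before-allocate, and abandoned
    IPs retried only once the rest of the pool is exhausted."""

    def __init__(self, first: str, last: str, excluded=(), reserved=None,
                 probe: Callable[[str], bool] = lambda ip: False):
        lo, hi = int(ip_address(first)), int(ip_address(last))
        self.pool = [str(IPv4Address(n)) for n in range(lo, hi + 1)]
        # excluded: list of (first, last) ranges never given to clients
        self.excluded = {str(IPv4Address(n)) for a, b in excluded
                         for n in range(int(ip_address(a)), int(ip_address(b)) + 1)}
        self.reserved = dict(reserved or {})    # MAC -> fixed IP
        self.probe = probe                      # True if an ICMP echo reply arrived
        self.leases: Dict[str, str] = {}        # MAC -> leased IP
        self.abandoned: Set[str] = set()        # IPs that answered the probe

    def request(self, mac: str) -> Optional[str]:
        """Return the IP leased to `mac`, or None if nothing safe is available."""
        if mac in self.reserved:                # reserved lease always wins
            self.leases[mac] = self.reserved[mac]
            return self.reserved[mac]
        if mac in self.leases:                  # renewal of an existing lease
            return self.leases[mac]
        busy = set(self.leases.values()) | set(self.reserved.values()) | self.excluded
        candidates = [ip for ip in self.pool if ip not in busy and ip not in self.abandoned]
        if not candidates:                      # pool exhausted: only now retry abandoned IPs
            candidates = [ip for ip in self.pool if ip not in busy]
        for ip in candidates:
            if self.probe(ip):                  # something replied: conflict, abandon this IP
                self.abandoned.add(ip)
                continue
            self.leases[mac] = ip
            return ip
        return None


# Constructed: a misconfigured host silently squatting on 10.0.0.12.
SQUATTED = {"10.0.0.12"}


def demo_probe(ip: str) -> bool:
    return ip in SQUATTED
```

Note that a reserved lease is returned without probing, which is exactly why the Caution above says reservations cannot prevent a conflict with a misconfigured host.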

Using traffic capture

When troubleshooting networks, traffic capture helps to look inside the contents of the packets to determine if the packets, route, and destination are correct. Traffic capture can also be called packet sniffing, a network tap, or logic analyzing. Packet sniffing provides information on the network at a low level, which helps troubleshoot problems, such as:

  • finding missing traffic
  • seeing if sessions are setting up properly
  • locating ARP problems such as broadcast storm sources and causes
  • confirming which address a computer is using on the network if they have multiple addresses or are on multiple networks
  • confirming routing is working as you expect
  • intermittent missing PING packets.

If you are running a constant traffic application such as ping, traffic capture detects if the traffic is reaching its destination, how the port enters and exits the FortiRecorder unit, if the ARP resolution is correct, and if the traffic is returning to the source as expected. Traffic capture also verifies that the NAT is translating addresses or routing traffic as expected.

Before using traffic capture you should have a good sense of what you are looking for, since if you try traffic capture without a plan to narrow your search, you could end up with too much data to analyze effectively.

To capture the traffic

  1. Go to System > Network > Traffic Capture.
  2. Select New.
  3. Enter a description for the file generated from the captured traffic.
  4. Enter the time period for performing the packet capture.
  5. Specify which interface you want to capture.
  6. If you want to limit the scope of the traffic capture, in the IP/HOST field, enter a maximum of 3 IP addresses or host names for which you want to capture traffic.
  7. Select the filter for the traffic capture:
    • Use protocol: Only UDP or TCP traffic on the specified port number will be captured.
    • Capture all: All network traffic will be captured.
  8. For Exclusion, enter the IP addresses/host names and port numbers for which you do not want to capture traffic.
  9. Select Create.