Thursday, April 19, 2018

A look at the new FortiOS v6.0

In this blog we will look at FortiOS v6.0.



First up, the static web filter. This list is still easy to craft and to apply in an HTTP firewall policy. Typically you will define static URL filters or use the categories, matched against an ANY destination address.


If you want to block HTTPS, you will need to enable an SSL inspection profile.


Here's a snippet of the categories.

Note: take note of the movie-theater-like ratings.

The firewall policy lookup is handy for searching firewall policies.

NOTE: I saw it in the beta release, and am very glad it made it into the final build.









Policy matches are highlighted in this odd, art-deco pinkish tone:






The FortiGate URL block message is still about the same.

My images did not load, btw, for Firefox & Safari. Vivaldi loaded just (investigate the url.fortinet.net hyperlink in the standard block page).






Here's a firewall policy modified for example.com HTTP/HTTPS.




Firewall policy statistics are properly displayed.


Custom SSH inspection profiles are quick and simple to deploy.






So far my FortiOS v6.0 seems to be okay.









NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \


x509 certificate OIDs

In this blog we will look at common OIDs for certificates. These are defined and well known. First, these are defined under X.509 v3 extension fields. The ISO (International Standards Organization) has set OIDs that are defined.

These are a few common OIDs (see highlighted arrows).





To find the certificate type and OID, most browsers let you expand the certificate details. Here's our friends at NSA.gov.



The 1.3.6.1.5.5.7 arc falls under PKIX.


OID value: 1.3.6.1.5.5.7
OID description:
Top of the PKIX OID tree


And the next arc, .3, is for "extended key purpose" (id-kp).


Subsidiary references (single level):

http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html


NOTE: the listing is not complete, and numerous other OIDs exist for extended key usage.
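Added example, not from the post: a small stdlib-only Python decoder/encoder for DER-encoded OIDs, with a lookup of the well-known key-purpose OIDs under the 1.3.6.1.5.5.7.3 (id-kp) arc, so you can see how the dotted value shown in the browser maps to the bytes in the extendedKeyUsage extension. The sample byte strings are constructed from the DER encoding rules; the names come from RFC 5280.

```python
PKIX_KP = "1.3.6.1.5.5.7.3"      # id-kp: extended key purpose arc under PKIX

# Well-known key purposes under id-kp (RFC 5280 section 4.2.1.12)
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
}


def encode_oid(dotted: str) -> bytes:
    """DER content octets for a dotted OID: first two arcs packed as 40*a+b,
    remaining arcs base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID " + dotted)
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid: DER content octets to dotted form."""
    if not content or content[-1] & 0x80:
        raise ValueError("truncated OID encoding")
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue                      # continuation bit set, keep accumulating
        if not arcs:
            first = 0 if value < 40 else 1 if value < 80 else 2
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    return ".".join(str(a) for a in arcs)


def parse_oid_tlv(der: bytes) -> str:
    """Parse a complete DER OBJECT IDENTIFIER element (tag 0x06, short-form length)."""
    if len(der) < 2 or der[0] != 0x06 or der[1] & 0x80:
        raise ValueError("not a short-form DER OID element")
    length = der[1]
    return decode_oid(der[2:2 + length])


def eku_name(dotted: str) -> str:
    """Name a key-purpose OID, flagging unknown arcs under id-kp separately from
    OIDs that are not PKIX key purposes at all."""
    if dotted in EKU_NAMES:
        return EKU_NAMES[dotted]
    if dotted.startswith(PKIX_KP + "."):
        return "unknown id-kp purpose"
    return "not a PKIX key purpose"


if __name__ == "__main__":
    # Constructed sample: DER bytes of id-kp-serverAuth as found in an EKU extension.
    sample = bytes.fromhex("06082b06010505070301")
    oid = parse_oid_tlv(sample)
    print(oid, eku_name(oid), encode_oid(oid).hex())
```

The "unknown id-kp purpose" branch matters in practice: a certificate can legitimately carry a key purpose your tooling has no name for, and that is different from a value that is not a PKIX key purpose at all (for example a vendor arc under 1.3.6.1.4.1).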











Monday, April 16, 2018

Verizon UM290 FortiOS v6.0

Here's a blog outlining a simple setup using a 4G Verizon external modem with a FW50E and FortiOS v6.0.


First, it makes sense to check the modem and USB port using the fnsysctl command and the diag command to send AT commands.

   








Next, the basic modem configuration:





The interface for the modem will be named "wwan", and a default route is applied once the modem is connected and the device is enabled

(aka the wwan interface)

config system lte-modem
    set status enable
    set extra-init ''
    set authtype none
    set apn ''
    set modem-port 255
end






The log file will display a message similar to the following:



Last, make sure you have a firewall policy, and use whatismyaddress to validate.












How to validate a client is sending the SNI in TLS

Almost all modern browsers use TLS extensions, and the most common one is known as Server Name Indication (SNI).

https://en.wikipedia.org/wiki/Server_Name_Indication


You can use the SNI field, before any TLS decryption, to determine what website the client is selecting. In this example, I'm using example.com



Various inspection methods are available to filter on just the SNI information and do not need full TLS/SSL decryption in order to block HTTPS traffic for various sites. In fact, you can select which websites to decrypt based on the HTTPS SNI information.



So if a web client turns off SNI, you will need to do one of the following:

1: place a strict deny when no SNI is present in the client hello

or

2: perform MITM decryption to inspect the HTTP Host header and take action when matched


To check whether your browser does NOT use SNI, launch a session to https://www.mnot.net; if you get the "upgrade to a modern browser" message, that means your web client does not support SNI.


e.g. (using curl with -k and without)



Here's a Wireshark snippet of SNI and non-SNI.



Ken






 

Monday, April 9, 2018

F5 Edge Client network-access error



When configuring an F5 APM network-access resource for clients using the web interface, it's common to see the following error message.



The reason for this error is that a webtop advanced resource is not applied. In order to have the network-access icon, you need a webtop resource applied.

e.g.



The F5 policy needs to ensure that the webtop advanced resource is applied.






Ken Felix





Sunday, April 8, 2018

FortiOS set logtraffic-start enable

In this blog, I will demo what happens if you enable "set logtraffic-start enable" on a firewall policy.

Here's the firewall policy in question.



And in this simple log you will see a message with "start" and "close". These reflect the start and the closure of the session for sessionid 899, for a curl of ifconfig.co from my host computer.




So at the conclusion, the firewall will log the sent/received details and the duration of the session. The start entry is written when the session begins.


NOTE: without logtraffic-start, the default behavior is to log only when the session closes.
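Added example (not the post's own): constructed FortiGate-style traffic log lines in key=value form, with the "start" and "close" records correlated by sessionid. The line content is made up for the example, not captured from a device; only the field names follow FortiOS traffic logs (type, action, sessionid, sentbyte, rcvdbyte, duration). It shows what logtraffic-start buys you on the SIEM side: a session that has started but not closed is visible while it is still running, whereas with the default close-only logging it would not exist in the log until it ended.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample: session 899 has both records, 900 was started and has not
# closed yet, 901 closed without a start (a policy without logtraffic-start).
SAMPLE_LOG = """\
date=2018-04-08 time=10:15:01 type="traffic" subtype="forward" srcip=10.0.0.5 srcport=51234 dstip=192.0.2.10 dstport=443 proto=6 action="start" policyid=1 sessionid=899 service="HTTPS" sentbyte=0 rcvdbyte=0 duration=0
date=2018-04-08 time=10:15:01 type="traffic" subtype="forward" srcip=10.0.0.5 srcport=51235 dstip=192.0.2.20 dstport=22 proto=6 action="start" policyid=1 sessionid=900 service="SSH" sentbyte=0 rcvdbyte=0 duration=0
date=2018-04-08 time=10:15:03 type="traffic" subtype="forward" srcip=10.0.0.5 srcport=51234 dstip=192.0.2.10 dstport=443 proto=6 action="close" policyid=1 sessionid=899 service="HTTPS" sentbyte=1423 rcvdbyte=6710 duration=2
date=2018-04-08 time=10:15:09 type="traffic" subtype="forward" srcip=10.0.0.7 srcport=40000 dstip=192.0.2.30 dstport=80 proto=6 action="close" policyid=2 sessionid=901 service="HTTP" sentbyte=300 rcvdbyte=900 duration=1
"""

# key=value pairs; string values are double-quoted and may contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, dropping the surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def correlate(lines: Iterable[str]) -> Dict[str, object]:
    """Pair start and close records by sessionid. Returns closed sessions with
    their byte counts and duration, plus sessions that have started but not closed."""
    starts: Dict[str, Dict[str, str]] = {}
    closes: Dict[str, Dict[str, str]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec.get("type") != "traffic" or "sessionid" not in rec:
            continue
        if rec.get("action") == "start":
            starts[rec["sessionid"]] = rec
        elif rec.get("action") == "close":
            closes[rec["sessionid"]] = rec
    closed = {}
    for sid, rec in closes.items():
        closed[sid] = {
            "had_start": sid in starts,           # False on close-only policies
            "duration": int(rec["duration"]),
            "sentbyte": int(rec["sentbyte"]),
            "rcvdbyte": int(rec["rcvdbyte"]),
            "start_time": starts[sid]["time"] if sid in starts else None,
            "close_time": rec["time"],
        }
    still_open: List[str] = sorted(sid for sid in starts if sid not in closes)
    return {"closed": closed, "open": still_open}


def summarize(log_text: str = SAMPLE_LOG) -> Dict[str, object]:
    """Run the correlation over a block of log text, one record per line."""
    return correlate(log_text.splitlines())


if __name__ == "__main__":
    result = summarize()
    for sid, info in result["closed"].items():
        print(sid, info)
    print("started but not yet closed:", result["open"])
```

Byte counts and duration are taken from the close record only; the start record carries zeros for them, so a detection that keys on sentbyte from a "start" event will never fire.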








Monday, April 2, 2018

FortiOS v6.0

So the new FortiOS was just released. The upgrade has been very straightforward and simple. The web GUI interface has not changed that much.




Time will tell how fast and far it will go with functions. The release notes were quite clear and seem to be Security Fabric driven.

As with previous FortiOS releases, numerous issues have been reported in the first weeks. Hopefully FTNT has gotten a better handle on them in the newly released v6.0.

You can learn more via:



I'm going to highlight my two favorite topics.

And lastly, the support for dynamic block lists (BLs) is a much needed feature that should be beneficial for all in the enterprise/SOC/MSSP arenas.








