Wednesday, December 18, 2013

Fortigate tips & tricks from socpuppets

The Fortigate  series of security appliances are a unique firewall & with some cool things about them. I will show you some of those cool  things.

About socpuppests and fortinet;  I'm a consultant engineer, who has aprox 9 years dealing with the fortigate appliance and  aprox 4 years using the fortimail appliance. Not to the same duration, but I have used and managed various fortigate/fortimail  appliances with the fortianalyzer and manager products.

You can find more here about fortinet http://en.wikipedia.org/wiki/Fortinet

Cool tip/trick #1

The appliance allows both configurations operations  via the cli & WEBgui. It's structure similar to juniper in a configuration hierarchical format. The tree commands can help you find or navigate around the unit and the available command options.

Here we see the configuration tree for the snmp user creation



The same works for other commands;

ping-options


and here's our ssh and telnet



fwiw: I find the tree command useful when doing training seminars or teaching new security engineers

Cool tip/trick #2


Output from  various commands can be a burden to sort thru.

Depending on the  FortiOS version your running, you have a unix grep function that can help with parsing output or search for a particular strings. In this example  we are looking the string listed within our grep or with the -v a inverted match

( here's a few samples of how one might use the grep )








Cool tip/trick#3 


You have many means for backing up the configuration.  The execute backup command a  thumb drive comes in handy. You don't have to bother with a tftp server setup. Here we are backing up to a usb device, the full configuration and the backup filename.


NOTE:  The fortigate automount most FAT and vFAT formatted  usb drives with no problems.



Cool tip/trick#4


You  also have the means to check the drive file inventory to ensure the name is not in use, or to check if the backup was a success.


note: As you can see, this partial file of a 8gig disk has  numerous files and images.


Cool tip/trick#5


Time after time, you will have to conduct ping test across a vpn. Sourcing a packet from a particular inside interface , or setting options might be required.

Here's  the "ping"  options ;

Here's the option after modification to allow for 10 pings and then back to 5 pings;


note: With the ping options you can set the df-bit ( dont fragment ) , tos or interval. Very similar to what you can do with the unix ping command.


With the pattern options we can set payload within the icmp protocols to test for ALL-zeros if you suspect a T1 with linecoding issues. Here I'm  setting a payload of all ones.

To craft all zeros we would have use  pattern 0000. This works in the same shape and fashion of a cisco router extended ping btw or a unix ping.


Cool tip/trick#6

You can automate backups remotely, by enabling scp and using the secure copy on your backup host. This requires that you enable the scp server on the unit 1st,  and have the allowaccess ssh enable for the correct interface.

If you upload your client ssh pubkey, you can do a hands-off backup & have that kicked off via cron.

e.g


scp username@1.1.1.1:sys_config ./

 here we are backing up to my local directory from a fortigate 110C series



Cool tip/trick#7

What you can do in the GUI you can do from the cli. As a matter of fact, I prefer doing most of my configuration from within the cli.

Their's certain tasks that are ONLY available from the  cli ( enabling vdom for examples, the majority of "execute" commands to some degree ,  diagnostic debugging,  etc.....)

But have you ever wonder what the webGUI action  that equals the  cli equivalent ? Will  the diag debug cli cmd will show you the  "cli commands" for actions that you take from the gui.

diag debug enable
diag debug cli 8 

And the  follow output from my  ( config sys interface  via webGUI )



Cool tip/trick#8

What if you want to boot into the 2nd partition but you forgot what's on it? Well the following diagnosic command will show you how to  validate the partition imagefile



Cool tip/trick#9

Have you ever wonder what ports are actively open and in used by a fortigate?

The diag sys tcpsock and it's output can shed some light as to what's in service.




Cool tip/trick#10

Your auditors are arriving and what to know how many interface and what objects are in a  vdom on a multi-vdom applinace. The follow command  diag sys device list  can shed some light





Stay tune, more tips and tricks will be posted in 2014, from socpuppets :)




Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   *   *  )=
          o
       /     \

4 comments:

  1. Awesome Work! Loving the tree command. Keep the tips coming.

    ReplyDelete
  2. Awesome Work! Loving the tree command. Keep the tips coming.

    ReplyDelete
  3. Superb.

    I have another question. Seems u may knw answer. I know policy route has a preference but is there a command to know that traffic is going via policy route not via static route

    ReplyDelete
  4. I would use the cli-cmd diag debug flow for traffic of interest and monitor the route-lookup.

    ReplyDelete