Monday, June 30, 2014

Fortigate IPS rule for blocking unauthorized client sources for recursive lookups

Here's a howto for blocking persistent DNS clients that are trying to use your DNS server for recursive lookups, by using the fortigate IPS UTM feature.

Sometimes you have a mis-configured DNS client. Other times, you have someone trying to do your DNS server harm.

Here's a quick means for dropping a client that's trying to use your DNS server in a bad way. Typically these clients will receive a DNS response such as the following;

Domain Name System (response)
    [Request In: 9]
    [Time: 0.000181000 seconds]
    Transaction ID: 0xec12
    Flags: 0x8115 (Standard query response, Refused)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...1 .... = Non-authenticated data: Acceptable
        .... .... .... 0101 = Reply code: Refused (5)

So we will write a rule triggering off this DNS response with the "refused" flags 0x8115.

1st, here's the rule;

 edit "DNS-refused"
        set signature "F-SBID( --attack_id 1616;  --revision 2; --name \"DNSQueryArefused\";  --protocol udp; --pattern |8115|; --flow from_server,reversed; --rate 30,60; --track dst_ip; --log dns_query;)"

2nd, here's my IPS sensor;

3rd, here's the firewall policy and protection profile applied to my DNS server policy;

The IPS sensor is enabled in my protection profile named "DNS-refusal-policy";

     set ips-sensor-status enable
     set ips-sensor "DNS-refusal"

NOTE: The referenced "DNS-refusal-policy" fwpolicy has the dst address names DNS1 and DNS2, which are my firewall addresses for the name-servers. I could have also used an address group.

Lastly, we can monitor via the GUI or command line for log messages;

Key points to take away;
  •  the fortigate has the ability to write custom signatures.
  •  this ad-hoc method is simple to deploy
  •  in a true DNS flood, this will not do anything to save your bandwidth
  •  adjust the quarantine time to best suit your needs
  •  always monitor the logs, graphs and performance impact
  •  use tshark and a display filter to see the DNS query/response
  •  you can log the query with the --log query option for later analysis
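An added example (my code, not from the post or Fortinet): a Python check that decodes the DNS flags word at its header offset, so it keys on QR=1, RD=1, RA=0, RCODE=5 rather than on the two bytes |8115| wherever they happen to land in the payload, and approximates the --rate 30,60 --track dst_ip behaviour with a sliding window. The packet headers and client addresses are constructed.

```python
import struct
from collections import defaultdict, deque

# DNS header flag bits (RFC 1035), the same layout tshark decoded in the post's capture.
QR_MASK, RD_MASK, RA_MASK, RCODE_MASK = 0x8000, 0x0100, 0x0080, 0x000F
RCODE_REFUSED = 5

def decode_flags(dns_payload):
    """Decode the transaction ID and 16-bit flags word (bytes 0-3 of the DNS header)."""
    if len(dns_payload) < 12:
        raise ValueError("DNS header is 12 bytes; payload too short")
    txid, flags = struct.unpack("!HH", dns_payload[:4])
    return {
        "id": txid,
        "flags": flags,
        "response": bool(flags & QR_MASK),
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & RD_MASK),
        "ra": bool(flags & RA_MASK),
        "rcode": flags & RCODE_MASK,
    }

def is_refused_recursive_response(dns_payload):
    """The condition the post's rule keys on: a response (QR=1) to a query that asked for
    recursion (RD=1), recursion unavailable (RA=0), RCODE 5 Refused. With the Z/AD/CD bits
    as in the capture this is the 0x8115 flags word."""
    f = decode_flags(dns_payload)
    return f["response"] and f["rd"] and not f["ra"] and f["rcode"] == RCODE_REFUSED

class RefusalRateTracker:
    """Sliding-window counter approximating '--rate 30,60 --track dst_ip': fire when one
    destination IP (the refused client) collects `threshold` refusals within `window` seconds."""
    def __init__(self, threshold=30, window=60):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)  # dst_ip -> timestamps of refusals seen

    def observe(self, dst_ip, ts):
        q = self.events[dst_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire refusals older than the window
            q.popleft()
        return len(q) >= self.threshold

def alerts_for(packets, threshold=30, window=60):
    """packets: iterable of (timestamp, dst_ip, dns_payload). Returns the dst IPs that
    would trip the rate, i.e. the clients the post's rule would quarantine."""
    tracker = RefusalRateTracker(threshold, window)
    tripped = set()
    for ts, dst_ip, payload in packets:
        if is_refused_recursive_response(payload) and tracker.observe(dst_ip, ts):
            tripped.add(dst_ip)
    return tripped

# Constructed sample headers (not from the capture): a refused response with flags 0x8115
# and a normal NOERROR answer with flags 0x8180; section counts are irrelevant to the check.
REFUSED = struct.pack("!HHHHHH", 0xEC12, 0x8115, 1, 0, 0, 0)
ANSWERED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
```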

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- Socpuppets ---dot---com

   ^    ^
=( ~ ~ )=
     /  \

Saturday, June 28, 2014

Stopping the whoopsie on linux. oops!

If you see a linux process named whoopsie, have no fear, you can stop it.

ps -ax | grep whoopsie

sudo  ps -ax | grep whoopsie
[sudo] password for kfelix:
Warning: bad ps syntax, perhaps a bogus '-'? See
  942 ?        Ssl    6:21 whoopsie
13741 pts/0    S+     0:00 grep --color=auto whoopsie

Edit the file /etc/default/whoopsie and change the "true" to "false".

Kill the process

sudo pkill -9  whoopsie

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- Socpuppets ---dot---com

   ^    ^
=( -  - )=
     /  \

Wednesday, June 25, 2014

Fortinet FortiOS 5.2 upgrade woes

This is a quick informal update on the new Fortinet FortiOS 5.2 & the problems that I found over the first few days leading into my 5.2 GA upgrade attempts.

A lot of people are complaining of the CLI console being disabled after going to 5.2. I too just now found this to be true. I did a few 60D and 90D with no problems, and recently a FGT110C. The console is flat out dead on the latter.

note: I had to reformat and reload the image via tftp, which was horrible.

Various other problems that are being a big pain in the A$$;

Enabling SSLVPN per interface has been a struggle, and any modifications to the listening-port numbers can cause the fortigate to randomly select the numbers. So always review the configuration via CLI. This new one-page WebGUI configuration page was supposed to make things simpler, but I have to disagree.

Speaking of randomness, my FWF60D in my lab has started to revert back to its old name. I haven't figured that one out. Maybe it has a mind of its own.

(misc )

Various other statistics, like modem & fortiview statistics, are not resetting or are displaying weirdness. I have an ip/127.0.0.x present in my fortiview viewer that I'm trying to figure out :)

NOTE: I was really hoping fortiview would have a view by application and GEO-ip.

Wifi access on MacOSX seems to be problematic upon re-establishment & we didn't have these issues before 5.2 or on pre-5.X versions. It's more problematic on MacOSX 10.8.x than 10.9, so this led me to start using the WifiDiagnostic utility. But so far I haven't found the cause(s).

Also, no MacOSX 5.2 sslvpn client. We have windows and linux covered, but MacOSX missed the boat and that just plain sucks.

And the last big PITA, the WebGUI is way slower. It has nothing to do with the firewall load or the appliance size. Example, a firewall with just under 40 sessions ( most of that is DNS and the admin access ), and some simple pages take a considerable time to load.
NOTE: My FWF50B running 3.0MR7p9 is faster :)

Stay tuned, I'm sure more things will be found. I hope fortinet didn't rush this out the door just to get the code out in the wild.

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- Socpuppets ---dot---com

   ^    ^
=( ~ ~ )=
     /  \

Tuesday, June 24, 2014

Using a fortigate firewall to find and monitor for older Windows OS by writing an IPS rule

In this blog we will look at one method for finding older windows clients. Windows has evolved from the simple MS-DOS to now Windows 8. Older clients should be stopped from operating on a modern network due to the security risk and lack of support by MS. The unsupported windows hosts should also be tracked, monitored and remediated by upgrading to a modern OS.

Sometimes the IT/desktop support teams need assistance with tracking these older & non-compliant hosts. A NAC profiler or IPS can assist with this operation. In this post we will use the IPS feature on a fortigate appliance in order to find the suspected older hosts.

1st, how do we find older machines?

You can use the User-Agent sent by the client browser, or TCP fingerprinting.

NOTE: we will use the User-Agent in this blog.

1st, how can we see our user-agent?

A few sites exist to help you see it immediately. Follow this link;

( here's my mac-computer user agent )

( here's an Android google tablet )

( here's a Windows8 client )

A properly formatted User-Agent string typically has the following fields;

The Mozilla version type
Product type

So if a web client makes a connection to a webserver, its user-agent string should be in the HTTP header.

( using curl on a unix host with the -v option will show you a typical HTTP header )

The above is a simple HTTP GET against the Worldwide Technology webserver ( the information in this header, for both server and client, is exchanged based on how HTTP works ).

Okay, so now we know a client has a user-agent, but is it required? 

Well, the simple answer is both yes and no. Nowhere in the HTTP RFCs does it state you have to have a User-Agent, or a properly formatted User-Agent, for HTTP to work. But some sites will not work or will behave improperly if you have a wrong or improper User-Agent.

Here's a few good examples;

A DDoS provider like Prolexic Technologies, that I used to work for, has their DDoS protection gear set to drop client-side HTTP requests if they have no User-Agent presented in the HTTP header.

The google mail system uses the User-Agent to properly format the HTTP data presentation for a desktop vs mobile device web browser such as iphone/tablet/etc.... ( you can use the HTTP user-agent switcher add-on that's available in Firefox to demonstrate this behavior )

Some webserver behavior could be different based on the platform type ( in the User-Agent ) and might fail to serve you active pages if you are using the wrong browser.

note: When I worked in the financial sector, we would inspect the User-Agent of the client browser and the ServerLoadBalancer ( SLB ) would redirect you to a page that basically said your browser was unsupported and provided the link to the IE browser download.

Some SLBs will filter and drop known good or bad webcrawlers.

Some SLBs, WebSecurityAppliances or Proxies will drop unrecognized User-Agents.

NOTE: an unrecognized User-Agent is sometimes a sign of bad activity about to happen, or happening, against your webserver.

So how can we track and monitor for older machine types?

Easy, we build a few IPS custom signatures and monitor our client outbound traffic to HTTP webservers ( tcp/80 ). You could also filter these clients if you had a proxy device or a webfiltering firewall ( very easy to do in Squid btw ).

Here's a snapshot of just a few custom IPS rules for older windows clients that were done on a fortigate 100A;

And we apply these to our IPS UTM policy;

And we build a new protection profile that references the named IPS UTM policy & just this single UTM feature of IPS;

And finally, you add a new firewall policy rule, make it the 1st in the picking order and apply that protection profile to the rule(s) that you want inspection for.

The cool thing about this method is that you can be specific on the client SRC networks. Maybe you suspect one dept or subnet has older hosts, so you apply the rule matching that client source subnet.

After you apply the rule with the protection profile, you sit back and monitor for any matches. The Log Access > Attack logs will show you just who matches the rules.

This method is not fool-proof: the client could switch its User-Agent or use some type of proxy, and if the connection is HTTPS we will not see the HTTP header due to the encryption provided by SSL/TLS.

Keep these thoughts in mind;

  •    you can either use the IPS pass+log and monitor for these clients
  •    or be aggressive and drop these clients ( this is good for forcing the older and outdated clients to contact the IT dept for help/assistance )
  •    the User-Agent can be forged
  •    you can do the same thing, but inbound to your Server or VIP, to drop bad or unsupported clients attempting to access your website
  •    you can use the IPS log viewer, if you enable packet capture, to run analysis and fine tune the signatures
( snippet of a packet capture  in hex+ascii )
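An added example (my code, not the post's screenshots or a Fortinet signature): it pulls the User-Agent out of an HTTP request header block, maps the "Windows NT x.y" token to the product name, and reports hosts below a version floor or with no User-Agent at all. The floor (NT 6.1 / Windows 7), the version table and the sample requests are assumptions constructed for the example.

```python
import re
# "Windows NT x.y" User-Agent tokens mapped to product names (assembled from Microsoft's public numbering).
WINDOWS_NT_NAMES = {
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista / Server 2008",
    "6.1": "Windows 7 / Server 2008 R2",
    "6.2": "Windows 8 / Server 2012",
    "6.3": "Windows 8.1 / Server 2012 R2",
}
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")
LEGACY_RE = re.compile(r"Windows 9[58]|Win9[58]|Windows ME|Win 9x 4\.90")  # 9x/ME carry no NT number

def parse_request_headers(raw_request):
    """Split an HTTP request header block into a {lower-case name: value} dict."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:  # the blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def classify_user_agent(ua, min_ok_nt=(6, 1)):
    """Return (verdict, detail); assumed floor: anything older than NT 6.1 (Windows 7) is 'outdated'."""
    if not ua:
        return "missing", "no User-Agent header"
    m = NT_RE.search(ua)
    if m:
        version = tuple(int(x) for x in m.group(1).split("."))
        name = WINDOWS_NT_NAMES.get(m.group(1), "Windows NT " + m.group(1))
        return ("outdated" if version < min_ok_nt else "current"), name
    if LEGACY_RE.search(ua):
        return "outdated", "pre-NT Windows (9x/ME)"
    return "non-windows", "no Windows token"

def scan_requests(requests, min_ok_nt=(6, 1)):
    """requests: iterable of (src_ip, raw_request). Returns (src_ip, verdict, detail) for outdated
    Windows hosts and clients sending no User-Agent; the header is forgeable, so a hit is a lead, not proof."""
    findings = []
    for src_ip, raw in requests:
        ua = parse_request_headers(raw).get("user-agent")
        verdict, detail = classify_user_agent(ua, min_ok_nt)
        if verdict in ("outdated", "missing"):
            findings.append((src_ip, verdict, detail))
    return findings

def build_request(ua):
    """Constructed HTTP/1.1 request header block, with or without a User-Agent line."""
    ua_line = "User-Agent: " + ua + "\r\n" if ua else ""
    return "GET / HTTP/1.1\r\nHost: www.example.com\r\n" + ua_line + "Accept: */*\r\n\r\n"

SAMPLE_REQUESTS = [  # constructed sample clients (TEST-NET addresses, not real hosts)
    ("192.0.2.21", build_request("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)")),
    ("192.0.2.22", build_request("Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 Chrome/35.0")),
    ("192.0.2.23", build_request("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14")),
    ("192.0.2.24", build_request("Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)")),
    ("192.0.2.25", build_request(None)),
]
```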

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- Socpuppets ---dot---com

   ^    ^
=( ~ ~ )=
     /  \

Sunday, June 22, 2014

Fortiexplorer can't access CLI usb port ( problem and solution )

Here's a problem that can come up with the new crop of current model fortigates. This problem can easily be missed and cause a host of problems for CLI access.

The fortiexplorer is a WebGUI terminal utility that allows direct access to certain models of fortinet gear.

( I'm posting a link to the " so easy a six year old can set it ! " )

Some firewall administrators hate it ( fortiexplorer ) and want a real DB9 or RJ45 console. Others ( like me ) think it's good in that you don't need a USB2Serial adapter.

I can ship a fortigate device to a customer site and not have to rely on having a usb2serial adapter available. The local staff can easily set up a fortigate to give me remote access, like in 5 mins, or the time it takes to install the fortiexplorer application and connect just one cable to a USB port on a laptop/desktop.

Keep in mind, even cisco has the mini-USB console integrated into some of their gear also. But unlike Fortinet, they still offer the RJ45 interfaces. How long they will keep this up is TBD.

Okay, here's the problem. You installed fortiexplorer and it does NOT find any device!
( frustrating to say the least )

So what's the problem ?

Here's one of the most easily missed items. Has the console been disabled? From what I can tell, you can only check this from ssh/telnet access. I don't think there's a WebGUI method.

NOTE: So as you can see, it was disabled.

As soon as you enable it, you will see your device if you have the cables properly connected, or after you reconnect them.

Pay attention to the big warning if you should disable the console.

I personally think fortinet screwed up on this feature. Why would you want to disable the console? It does not make any sense, nor should it have been a feature imho.

If you disable this, or if the FortiOS comes with the console disabled, this could become a chicken-and-egg problem on how you re-enable it, diagnose the problem, or conduct a factory-reset.

I understand the remote security access concern & the need to disable consoles on some security appliances, but a console should have an active login/account/timeout setup & configured. This would ensure no "unauthorized" remote user can access the devices, or that if he/she walks away, the console login times out.

I was told by a source within Fortinet that this feature was requested by various security & gov agencies to ensure that a lost or remote device could not be compromised.

I personally think this is not needed, since fortinet has done a great job with one-way hashing of key critical passphrases such as;

  • user-administrators
  • etc....

So enjoy and make sure that you check that console !

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- Socpuppets ---dot---com

   ^    ^
=( $ $ )=
     /  \

Tuesday, June 17, 2014

What language does your firewall speak? ( fortigate )

In this blog we will look at the language support within the fortigate security appliance WebGUI.

Fortinet is way cool in that they realize the world speaks more than one language. Here's the language support as of FortiOS 5.2;

Not bad :)   

Okay, so let's look at some of the landing pages after the initial logon;

Chinese-Traditional ( btw there's no such thing as "chinese" )

So there you have it. Almost all of the top international languages are supported in a fortigate firewall. This is a key selling point if you are an international business imho, or if you work in an environment that's multi-lingual.

I'm currently consulting in a mixed environment where over 5 languages are spoken on a day-2-day basis, Spanish & French and English being the top 3, plus a few speakers from China. A multi-lingual firewall is a must, and Fortinet would really shine if they could support language selection per administrator user account or profile.

They do have guest-user support with multiple languages. I will post about this in my next posting.

One other sore spot: the fortigates don't seem to be too speedy when using a language that's not the default of "English". Page loading times are noticeably slower. This might be due to the oddness of the language and the graphics that need to be displayed.

So what language do you speak? Entonces, qué idioma habla? qu'est-ce que vous parlez?

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- Socpuppets ---dot---com

   ^    ^
=( * * )=
     /  \

Per VDOM session limits on fortigates

In this blog we will look at some of the reasons for resource limits within a vdom and for multi-tenant operations.

In an Enterprise, SP or MSSP arena, it's common for a firewall to be virtualized into multiple compartments for multiple user and operating groups ( aka vdoms, virtual-domains ). The resources within the hardware can now be defined per-vdom to ensure that one operating-group does not exhaust and hog the real hardware resources.

The fortigate has global-resource definitions that are globally defined;

e.g. ( fortigate in a multi-vdom setup )

NOTE: All fortigate models have certain max values depending on the model type. These values are typically listed on the fortinet website or in their support practices and guides.

And these cover any of the following;
  •   the number of fwpolicies
  •   max number of sessions
  •   interfaces
  •   ssl/ipsec vpn counts
  •   etc....
To ensure one particular vdom does not exhaust all of the resources, we define limits by editing the vdom resource usage;

After clicking the vdom and the edit tab, you can now define the limits;

NOTE: In the above photo, I've set hard limits of 1x fwpolicy and 1x user, which we later try to exceed.

Limits can be set per vdom regardless of the operation mode ( nat or transparent ). The above resource configuration is broken down into Maximum, Guaranteed, and Current counters.

Now whenever you try to configure anything past the set limits, you will see a simple denial and warning;

WebGUI & cli

note: As you can see, this particular vdom has reached its defined max limits for the local-user and fwpolicy counts.

Another reason for resource limits pertains to categorizing the product in tiers. This is a common method in the MSSP arena.

Example, you might offer set service-levels & multiple tiers for managed security services.

( e.g. one of the MSSPs I consult with that uses fortigates & a tiered structure and pricing model )
  • Platinum ( 50k sessions, 1000 fwpolicies, 20 vpn tunnels, etc ) $500 /mrc
  • Gold ( 20k sessions, 500 fwpolicies, 10 vpn tunnels, etc ) $200 /mrc
  • Silver ( 10k sessions, 250 fwpolicies, 5 vpn tunnels, etc ) $100 /mrc
  • Bronze ( 5k sessions, 50 fwpolicies, 0 vpn tunnels, etc ) $50 /mrc
Now you can ensure your customers are following your priced service structure/model. If they need to move up to the next tier to take advantage of more sessions or vpns, you can make the adjustment and charge more. This, along with bandwidth allocation, is how an MSSP makes money in the managed services arena.

The last and final reason for limits: sometimes bad things happen within client machines. A group of machines could be infected or part of a botnet, and these malicious agents could easily exhaust your session resources if you don't install preventive measures.

Take this example. Here's a fortigate broken into 3 vdoms, and customer#3 has a host of windows desktops that are infected with bot-agents.

If these go unchecked, with no set limits/restrictions, they could easily eat resources and prevent vdom1-2 from functioning or gaining internet access. Defining and capping sessions and other limits can ensure that vdom customers #1-2 will have internet access and are not overrun by the rampant clients located in vdom#3.

NOTE: without resource limits set per-vdom, vdom#3 could easily exhaust all of the hardware security appliance's resources.

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- Socpuppets ---dot---com

   ^    ^
=( $ $ )=
     /  \