FortiExplorer is a desktop utility that gives WebGUI and console (terminal) access over a USB cable to certain models of Fortinet gear.
(Here is a link to Fortinet's "so easy a six year old can set it!" video:)
http://www.fortinet.com/videos/fortigate_fortiexplorer_so_easy_six_year_old_can_set_it.html
Some firewall administrators hate FortiExplorer and want a real DB9 or RJ45 console. Others (like me) think it is good, because you don't need a USB-to-serial adapter.
I can ship a FortiGate to a customer site and not have to rely on a USB-to-serial adapter being available. The local staff can easily set up the FortiGate to give me remote access in about five minutes, the time it takes to install the FortiExplorer application and connect a single cable to a USB port on a laptop or desktop.
Keep in mind that Cisco also integrates a mini-USB console port into some of its gear. But unlike Fortinet, Cisco still offers the RJ45 console as well. How long they will keep that up is TBD.
Okay, here's the problem: you installed FortiExplorer and it does NOT find any device!
(Frustrating, to say the least.)
So what's the problem?
Here is one of the most easily missed items: has the console been disabled? As far as I can tell, you can only check this over SSH/Telnet access; I don't think there is a WebGUI method.
NOTE: So as you can see, it was disabled.
As soon as you enable it, the device will show up, provided the cables are properly connected (reconnect them if necessary).
Pay attention to the big warning the CLI prints when you disable the console.
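The check described above, scripted, as an added example that is not part of the original post. It assumes the FortiOS CLI exposes the console setting under `config system console` as `set login {enable | disable}`, and that `show full-configuration system console` prints that line even when it is at the default (both assumptions about FortiOS, not something the post shows). The sample output and the 192.0.2.1 address are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from Fortinet.
# Assumption: FortiOS prints "set login disable" under "config system console"
# when the serial/FortiExplorer console has been turned off.

# Constructed sample of what the CLI prints on an affected unit.
SAMPLE_DISABLED='config system console
    set mode line
    set baudrate 9600
    set output more
    set login disable
end'

# Read "show full-configuration system console" output from stdin and print
# "disabled", "enabled", or "unknown" (no "set login" line at all, e.g. a
# firmware build that does not have the option).
console_login_state() {
    state=unknown
    while IFS= read -r line; do
        case "$line" in
            *"set login disable"*) state=disabled ;;
            *"set login enable"*)  state=enabled ;;
        esac
    done
    printf '%s\n' "$state"
}

# Against a real box (hypothetical address), run:
#   ssh admin@192.0.2.1 'show full-configuration system console' | console_login_state
#
# If it prints "disabled", re-enable the console with:
#   ssh admin@192.0.2.1 'config system console
#   set login enable
#   end'
#
# Leaving the console enabled but hardened, instead of disabled, is assumed
# to be done in "config system global" with "set admin-console-timeout <sec>"
# (an assumption about the FortiOS option name; check your CLI reference).

printf '%s\n' "$SAMPLE_DISABLED" | console_login_state
```

The parser deliberately reports "unknown" rather than "enabled" when no `set login` line is present, so a firmware that simply lacks the option is not mistaken for a healthy one.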
I personally think Fortinet got this feature wrong. Why would anyone want to disable the console? It makes no sense and should not have been a feature, in my opinion.
If you disable this, or if FortiOS ships with the console disabled, you can end up in a chicken-and-egg situation: how do you re-enable it, diagnose the problem, or perform a factory reset?
I understand the security argument for disabling consoles on some security appliances, but a console should instead have an active login, account and timeout configured. That ensures no unauthorized user can access the device, and if the operator walks away, the console login times out.
I was told by a source within Fortinet that this feature was requested by various security and government agencies, to ensure that a lost or remotely deployed device could not be compromised.
I personally think this is not needed, since Fortinet has done a good job with one-way hashing of critical secrets such as:
- VPN-PSK
- user-administrators
- etc.
(One caveat: a VPN PSK cannot actually be stored as a one-way hash, because the device must present the shared secret itself during IKE authentication. Such secrets are stored reversibly encrypted in the configuration, which is exactly why console access to a device in the wrong hands still matters.)
So enjoy, and make sure you check that console!