Friday, August 18, 2017

FortiOS long vdom names

Long VDOM names are a feature supported in the most current FortiOS version. Previously you were limited to 11 characters in a VDOM name.

Now, with long VDOM names, you can craft extremely long names. Take these screenshots:

(screenshots)

The negative to long names: if you ever downgrade to an older FortiOS version, this could cause problems.

Ken Felix






NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \

Tuesday, August 15, 2017

Howto validate that your FortiGate AV profile is working

When you have AV (antivirus) scanning enabled on a FortiGate, you should test it against any one of the EICAR test files.

First, here's the default AV profile on a typical firewall.

(screenshot)

When the AV profile has detected a virus it will throw a log message formatted similar to this:

(screenshot)



You can test both HTTP and HTTPS when you have ssl-inspection enabled.

Note, this is a sure way to test that your ssl-inspection is also working, btw.

If you have NO ssl-inspection profile enabled, the FortiGate firewall will let you download the EICAR test file over a secure protocol like HTTPS with no warning. Here's a source for text and zip or double-zip files.

http://www.rexswain.com/eicar.html




e.g. (with no ssl-inspection the EICAR test file was downloaded)

(screenshot)





Security best practice mandates that you have AV enabled and an ssl-inspection profile applied to protect local LAN users if endpoint protection has not been installed.






Here's how a firewall policy looks from the CLI when it is enabled for an AV profile with SSL inspection.

(screenshot)




A feedback page will be displayed to the end user who hits the policy, with a simple link provided if he/she wants to investigate what was blocked and why in regard to AV.

(screenshot)



( https test EICAR  file  source )

https://secure.eicar.org/eicar.com


If you're using the FortiGate as an explicit proxy, please ensure you have AV profiles in use and in proxy mode.


Example:

(screenshot)



Ken Felix







Friday, August 11, 2017

Conserve mode on FortiGates

Within the FortiGate models, you have a conserve mode. This is a simple method that FortiOS triggers in order to try to protect the system.

Almost all security profiles are handled in shared memory. Any time this memory is exhausted or nearly exhausted, the unit will go into conserve mode and deactivate certain scan profiles.

You can easily check whether your unit is in conserve mode with the following diagnostic command:

diagnose hardware sysinfo shm | grep conser



You can also review the logs; if this event happens it will be recorded as a "critical" event.

e.g.

(screenshot)





Okay, to avoid this, we need to understand the following:

  • Combinations of AV-profile scanning in proxy and flow mode can cause havoc with conserve mode
  • Excess traffic and UTM functions can cause kernel conserve mode
  • It is best to be aware of running multiple scan modes (flow and proxy) at the same time
  • Limit which firewall policies have AV profiles
  • Upgrade the unit if it's under-sized and repetitive conserve-mode events happen


So, to ensure you don't enter conserve mode, you also need to reduce logging to memory.

Various FortiGate models use a certain % of the shared-memory or physical-memory thresholds to determine when the unit goes into conserve mode. The FTNT support team can provide you these values upon request.

It's best to optimize the firewall just for the UTM features that you require and disable all other UTM profiles from the firewall policies.






 
Ken Felix
 

Deleting the root VDOM ... you can't do it!




Working with various IT/security outfits over the past few years, and with numerous people from security engineers to directors, a lot of them get hung up over the VDOM name "root". I've even had numerous requests to remove the root VDOM or rename it.




 
In one of my last encounters, they actually had me open a ticket with FTNT, and the engineer made a wild claim that he thought it could be deleted.

In fact this is NOT true! Or I have yet to be proven wrong.


Here are some screenshots of a waste of time "attempting" to remove the VDOM named "root", after deleting all policies, creating a new VDOM, and deleting any bindings to the root VDOM (interfaces, admin accounts, DHCP server, FortiAnalyzer, FortiManager, central management, etc......)

(screenshots)









So, the conclusion:

1: the root VDOM cannot be deleted

2: it's just a VDOM name; use it as-is or don't use it

3: trying to rename or delete the root VDOM amounts to trying to rename or delete the Windows system32 directory or the Unix "/" directory


Ken Felix

Monday, August 7, 2017

FortiGate Explicit Proxy with webfiltering

In schools, in both the public and private sector, a web proxy and URL filtering are a must. This ensures pupils are restricted in what content they can access.

Here I will show a top-level view of a multiple explicit-proxy setup where user groups are defined to grant users access based on the web profile that's applied.

(diagram)

You could have multiple web profiles defined for various groups.


In the above, we will allow the grade-level network ranges to reach the explicit proxies' addresses, which happen to be loopbacks.

A firewall policy (or policies) will be required to allow the networks to reach the proxy address.

This policy will allow the web client to use the proxy; all outbound traffic to the internet will be blocked. In fact you will NOT need a policy from the loopback address, because the FortiGate allows this proxy-initiated traffic automatically.

First (example of web client allowances to the web proxy):


config firewall policy
    edit 0
        set dstintf "loop1"
        set srcintf "LAN1" "LAN2"
        set srcaddr "LANNET01" "LANNET02"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "WEB_PROXY" "PING"
        set comments " !!!!!ALLOW  EXPLICIT  PROXY TO THE CLIENTS school!!!!"
    next

    edit 0
        set dstintf "loop0"
        set srcintf "LAN3"
        set srcaddr "LANNET03"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "WEB_PROXY" "PING"
        set comments " !!!!!ALLOW  EXPLICIT  PROXY TO THE CLIENTS school!!!!"
    next
end


The above will allow the source networks to reach the respective proxy address. You can assign these proxy addresses via a GPO for Windows clients or statically for others.


Now, on the loopback interfaces we only need to turn on the web proxy service:


config sys int
    edit loop0
        set explicit-web-proxy enable
    next
    edit loop1
        set explicit-web-proxy enable
    next
end



The above will allow the web clients to reach the web proxy services at the two loopbacks.


Now, since we have the policies in place and the web proxy enabled, you can optionally configure web proxy profiles and global settings.

We will now create a web filter profile; it might be a combination of categories and static filters.



In order to use a URL filter for explicit proxy, it MUST BE SET to proxy mode.

(screenshot)








Now, with all of the above, you can define explicit firewall policies similar to the following:


config firewall explicit-proxy-policy
    edit 1
        set proxy web
        set dstintf "wan1"
        set srcaddr "SCHOOL EDU_NET_RANGE"
        set dstaddr "all"
        set service "WEB_PROXY"
        set action accept
        set identity-based enable
            config identity-based-policy
                edit 1
                    set schedule "always"
                    set utm-status enable
                    set group "proxy_user0"
                    set webfilter-profile "SCHOOL"
                    set profile-protocol-options "default2"
                    set ssl-ssh-profile "certificate-inspection"
                next
                edit 2
                    set schedule "always"
                    set users "proxy_user1"
                next
                edit 3
                    set schedule "always"
                    set group "School_Resource_Group"
                next
                edit 4
                    set schedule "always"
                    set group "K-12students"
                    set utm-status enable
                    set webfilter-profile "SCHOOLK12"
                    set profile-protocol-options "default2"
                    set ssl-ssh-profile "certificate-inspection"
                next
            end
    next
end





Each identity policy rule could use a different authentication type or method (local user, RADIUS, LDAP, etc...). A RADIUS or LDAP-as-a-service solution could also be deployed.



For example, you might use RADIUS-as-a-service for one group of users, a static user for diagnostics, and the student and faculty body authenticated via MS-AD credentials.


Be aware of the identity rule ordering, and of what and how a user can authenticate.







The explicit proxy provides a great means for controlling and inspecting user requests. The FortiGate is a simple firewall for executing web filters from domain and *wildcard syntax matches, plus category-based filtering.


Each identity rule could have its own web profile to match the web clients' authorizations.


Examples:

  • the police/resource officer is allowed all sites, including social media, to investigate threats
  • K-5 has a restricted profile that allows only sites that are educationally approved or static entries
  • 8-12 are allowed the same plus any SAT or assessment systems in a static URL list
  • the Information Team has access to IT sites for uploads/downloads and security-related matters
  • guest users have basic access to sites deemed approved

To test the proxy I've found Chrome launched manually is a great method. You could use a static PAC file or just call up the proxy server.

(launching Chrome)

(screenshot)

(sample PAC file)

(screenshot)
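As an added example (not the post's own PAC file, which was a screenshot), here is a static PAC file for the two-loopback layout above: clients in the LANNET01/LANNET02 ranges are sent to loop1, LANNET03 to loop0, and internal names go direct. The subnets, loopback addresses and the school domain are constructed placeholders; the browser supplies the PAC helper functions, and the stand-ins here only let the file run under Node.

```javascript
// Added example, not from the post: a static PAC file for the two-loopback
// explicit-proxy layout. Subnets (stand-ins for LANNET01..03), the loop0/loop1
// addresses and the school domain are constructed placeholders; 8080 is the
// FortiGate explicit web proxy's default HTTP port.
var LOOP0_PROXY = "PROXY 10.255.0.10:8080";   // serves LANNET03
var LOOP1_PROXY = "PROXY 10.255.0.11:8080";   // serves LANNET01 and LANNET02

// Browsers provide isPlainHostName/dnsDomainIs/isInNet/myIpAddress to a PAC
// script; these minimal stand-ins let the same file run under Node for testing.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function ipToInt(ip) {
  return ip.split(".").reduce(function (n, o) { return n * 256 + parseInt(o, 10); }, 0);
}
function isInNet(ip, net, mask) {   // dotted-quad inputs only
  var m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}
var clientIp = "10.3.20.5";          // what the browser's myIpAddress() would return
function myIpAddress() { return clientIp; }

function FindProxyForURL(url, host) {
  // Internal names never go through the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".school.example")) {
    return "DIRECT";
  }
  var me = myIpAddress();
  if (isInNet(me, "10.1.0.0", "255.255.0.0") || isInNet(me, "10.2.0.0", "255.255.0.0")) {
    return LOOP1_PROXY;
  }
  if (isInNet(me, "10.3.0.0", "255.255.0.0")) {
    return LOOP0_PROXY;
  }
  // Unknown client subnet: outbound is blocked without the proxy anyway, so
  // send it to loop1 and let the firewall policy and identity rules decide.
  return LOOP1_PROXY;
}

// Test helper: evaluate the PAC as a client with the given address would.
function proxyFor(ip, url, host) { clientIp = ip; return FindProxyForURL(url, host); }
```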




Based on your web filter category or static URLs and the configured action, you can test for allow or block. Depending on that user group and the action allowed for the URL, you will either be allowed or denied. If denied, you will see a response page similar to the one below.

(screenshot)


If you fail AUTHENTICATION, the proxy will provide a login failure message.

(screenshot)



 


If you do use Chrome, always check the proxy settings that the "SYSTEM" has enabled.



Ken Felix


Wednesday, August 2, 2017

FortiOS GEOIP tips

GeoIP is a feature in FortiGate that is very simple to use, and here are some tips and tricks for working with it.

Here are a few things to consider:

  • Updates are pushed via an active FortiGuard subscription to the FortiGates under contract
  • It does not support an IPv6 GeoIP database at this time
  • There are no manual updates you can push
  • You can craft firewall address objects with custom GeoIP data
  • Keep in mind you can't assign an IANA-assigned 2-letter GEO id to a custom firewall address



TIP#1

To get the current version of the GeoIP database:

diag autoupdate versions

IP Geography DB
---------
Version: 1.054
Contract Expiry Date: n/a
Last Update Date: Tue Aug 30 14:10:59 2016




TIP#2

To execute an update request from the command line (with update debugging enabled so you can watch the request):

diag debug reset
diag debug enable
diag debug application update -1
execute update-geo-ip
diag debug reset
diag debug disable


TIP#3

To find the network ranges per country:

FW01 $ diag firewall ipgeo ip-list ST
         45.42.228.0 - 45.42.228.127
        46.36.203.71 - 46.36.203.75
       104.167.215.0 - 104.167.215.255
         154.72.12.0 - 154.72.15.255
       197.159.160.0 - 197.159.191.255
Country name:ST Total IP Range:5




TIP#4

To find what country an IPv4 address belongs to:

diag firewall ipgeo ip2country 169.254.23.22
169.254.23.22 is in country:ZZ
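As an added example (not from the post), here is a parser for the "ip-list" output format shown in TIP#3, using the five ST ranges the post lists, plus a lookup that answers the same question as "ip2country" in TIP#4. Because only the ranges on the page are loaded, any other address comes back as "ZZ", the same code the FortiGate returned for the link-local address above; a real GeoIP database carries every country.

```javascript
// Added example, not from the post: parse "diag firewall ipgeo ip-list" output
// into a range table and look up an address the way "ip2country" does.
// The sample output below is copied from the post (country ST).
const IPGEO_LIST_OUTPUT = `
         45.42.228.0 - 45.42.228.127
        46.36.203.71 - 46.36.203.75
       104.167.215.0 - 104.167.215.255
         154.72.12.0 - 154.72.15.255
       197.159.160.0 - 197.159.191.255
Country name:ST Total IP Range:5
`;

function ipToInt(ip) {
  return ip.split(".").reduce((n, o) => n * 256 + parseInt(o, 10), 0);
}

// Returns [{cc, lo, hi}]: range lines are collected until the trailing
// "Country name:XX Total IP Range:N" line labels them. The count is checked
// so a truncated capture does not silently produce an incomplete table.
function parseIpGeoList(text) {
  const ranges = [];
  let pending = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    let m = line.match(/^(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)$/);
    if (m) { pending.push({ lo: ipToInt(m[1]), hi: ipToInt(m[2]) }); continue; }
    m = line.match(/^Country name:(\w+)\s+Total IP Range:(\d+)/);
    if (m) {
      if (pending.length !== Number(m[2])) throw new Error("range count mismatch for " + m[1]);
      for (const r of pending) ranges.push({ cc: m[1], ...r });
      pending = [];
    }
  }
  return ranges;
}

// "ZZ" is what the FortiGate returned for an address with no country match.
function ip2country(ranges, ip) {
  const n = ipToInt(ip);
  const hit = ranges.find(r => n >= r.lo && n <= r.hi);
  return hit ? hit.cc : "ZZ";
}

const ST_RANGES = parseIpGeoList(IPGEO_LIST_OUTPUT);
console.log("154.72.13.9 is in country:" + ip2country(ST_RANGES, "154.72.13.9"));
console.log("169.254.23.22 is in country:" + ip2country(ST_RANGES, "169.254.23.22"));
```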







Ken Felix

Log forecasting and trending on FortiAnalyzer

The number of log messages per second and the size of each log message will determine just how much data storage you will need. Yes, it's really that easy, but how can you get a baseline?


As you have more logging enabled (firewall policy, local-in, local-out, system), this will directly impact the log disk size.

Take a local FAZ event log; they do a great job showing just how much disk size was used, per day.

(screenshot)


Using the above you can set a forecast for log disk size based on current log rates. I see so many orgs that enable the "log all" approach and don't realize just how much of a resource impact it makes.

As you have more policies, more traffic, more end nodes, etc., the log rate can easily climb.
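As an added example (not the post's own method or FAZ output), here is a small forecast built on the two ideas above: the per-day disk figures from the FAZ event log give a trend, and the rate times message-size rule sizes a disk from scratch. The daily figures, the quota and the rates are constructed sample values.

```javascript
// Added example, not from the post: forecast FortiAnalyzer log-disk use from
// per-day usage figures and size a disk from the rate x message-size rule.
// Every number here is a constructed sample, not real FAZ data.
const DAILY_LOG_MB = [   // MB of log written per day over one week (constructed)
  { day: "2017-08-07", mb: 1000 }, { day: "2017-08-08", mb: 1100 },
  { day: "2017-08-09", mb: 1200 }, { day: "2017-08-10", mb: 1300 },
  { day: "2017-08-11", mb: 1400 }, { day: "2017-08-12", mb: 1500 },
  { day: "2017-08-13", mb: 1600 },
];

// Least-squares line through (day index, MB): intercept is the fitted usage on
// day 0, slope is how much the daily volume grows each day (more policies,
// more traffic and "log all" settings all show up here).
function dailyTrend(days) {
  const n = days.length;
  let sx = 0, sy = 0, sxx = 0, sxy = 0;
  days.forEach((d, i) => { sx += i; sy += d.mb; sxx += i * i; sxy += i * d.mb; });
  const slope = (n * sxy - sx * sy) / (n * sxx - sx * sx);
  return { intercept: (sy - slope * sx) / n, slope };
}

// Days until the log disk quota is reached if the trend continues
// (null if it would not fill within maxDays, e.g. shrinking log volume).
function daysUntilFull(days, usedMb, quotaMb, maxDays = 3650) {
  const { intercept, slope } = dailyTrend(days);
  let total = usedMb;
  for (let d = 1; d <= maxDays; d++) {
    total += Math.max(0, intercept + slope * (days.length - 1 + d));
    if (total >= quotaMb) return d;
  }
  return null;
}

// Disk needed (MB) for a steady rate: logs/sec x average bytes x seconds/day x days.
function diskMbForRate(logsPerSec, avgLogBytes, retentionDays) {
  return logsPerSec * avgLogBytes * 86400 * retentionDays / (1024 * 1024);
}

console.log("trend:", dailyTrend(DAILY_LOG_MB));                  // slope 100 MB/day
console.log("days until 20 GB quota is full:", daysUntilFull(DAILY_LOG_MB, 10000, 20000));
console.log("MB for 100 logs/s of 1 KiB kept 30 days:", diskMbForRate(100, 1024, 30));
```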




Ken Felix



Turnaround explicit proxy on the public internet

While working outside of the USA, I've found issues with accessing various internet sites that were being blocked based on GeoIP filtering. So I finally put together a format that works by using a USA-based FortiGate as an explicit proxy.

In the past I've used the simple polipo and squid proxies, which work great but require slightly more configuration effort from the end user. The FortiGate has a simple proxy function that can easily be deployed with or without authentication.


In this post, I will show you how to use a FortiGate sitting at a remote location as an explicit proxy. Doing this will allow you to navigate any GeoIP filter that might prevent access based on the country of the end user's web client.

Take this topology, where various web clients are actually off the local corporate network.

(diagram)






Here, the wan1 public address will be enabled for explicit proxy. We will use authentication via LDAP for the actual users.



First (enable explicit proxy and set up a profile):

(screenshot)




NOTE: the realm "SOCPUPPETS_PROXY_EXP" will be presented in the web browser's authentication input box.


e.g



Now we only need a policy with a configured identity policy; here we have a user kfelix (authenticated locally) and a group named "PROXYUSERS" which is authenticated by LDAP. You could even use RADIUS.

(screenshot)






Lastly, after configuring your web client, you can use any of the whatismybrowser-type websites to inspect the Via headers the proxy sends.

(screenshot)





If you don't want the default FQDN line, just set the proxy FQDN string in the explicit proxy global settings.


config web-proxy global
    set proxy-fqdn "socpuppets_proxy.socpuppets.com"
end



e.g



In the explicit policy, if you set the source address to a specific address (or addresses) and someone outside that range tries to access through the proxy, they will receive a similar reject message.


The above is a solid method for securing explicit proxy access. You can even chain forward proxies if you have existing proxies that are blocked based on GeoIP lookups.

Enjoy ;)





Ken Felix

Howto test for a TLS v1.3-supporting client

SSL Labs is widely used for testing web servers for supported features, but the web client can also be checked for various supported SSL functions:

https://www.ssllabs.com/ssltest/viewMyClient.html






If a forward proxy is involved, this could affect the client's supported features and the test results.







Ken Felix