Wednesday, September 26, 2018

FortiOS API and policy creations

I had an earlier email dialog with a user who found the API blog I posted earlier, and he had a question about adding a new policy within FortiOS.




Note: the POST action creates the policy and PUT modifies any existing item. You need to ensure you select the right policyid#.

Be very, very careful to ensure you do NOT modify or DELETE a policyid# that is not the correct one.

What a lot of orgs that use API automation do is run a script to back up the firewall first, or list out all policies, and only then execute the changes, regardless of whether it's an ADD, DELETE or MODIFY { POST, DELETE, PUT }.


Also make sure you place sanity checks:

      * if you're going to blacklist, add entries to the address group with a /32 subnet value
      * check your feeds and scripts to ensure you do not mistakenly add your own blocks or trusted networks
      * be very careful with DELETE operations
      * make sys-config backups before and after the operations are run
      * !!!! YMMV, and use extreme caution until you get it all under control !!!!




!!!! Any API call that's a GET is read-only and will cause zero harm !!!!
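The safety workflow above (back up first, list the policies, confirm the policyid before a PUT, and reject blacklist entries that are not /32 or that sit inside your own ranges) as an added Python example; this is not code from the original post. The FortiOS REST paths, the bearer-token header and the trusted ranges are assumptions for this example.

```python
import ipaddress
import json
import ssl
import urllib.request

TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # constructed: your own ranges


def check_block_entry(cidr, trusted=TRUSTED_NETWORKS):
    """Sanity check for a blacklist candidate: host entry only (/32 or /128),
    and never inside a trusted network. Returns the network or raises ValueError."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen != net.max_prefixlen:
        raise ValueError(f"{cidr}: blacklist entries must be /32 (or /128) host entries")
    for t in trusted:
        if net.version == t.version and net.subnet_of(t):
            raise ValueError(f"{cidr}: falls inside trusted network {t}")
    return net


def policy_exists(policies, policyid):
    """True when policyid appears in a GET listing of firewall policies."""
    return any(p.get("policyid") == policyid for p in policies)


class FortiGate:
    # Minimal REST client; token scheme and API paths are assumptions for this example.
    def __init__(self, host, token):
        self.base, self.token = f"https://{host}", token
        self.ctx = ssl.create_default_context()   # verify the firewall's certificate

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers={"Authorization": f"Bearer {self.token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=self.ctx, timeout=15) as resp:
            return resp.read()

    def backup(self, path):
        """Step 1 of the post: save the running config before any POST/PUT/DELETE."""
        with open(path, "wb") as f:
            f.write(self._call("GET", "/api/v2/monitor/system/config/backup?scope=global"))

    def policies(self):
        return json.loads(self._call("GET", "/api/v2/cmdb/firewall/policy"))["results"]

    def modify_policy(self, policyid, changes):
        """PUT only after confirming the policyid exists; a PUT to the wrong id is the mistake warned about above."""
        if not policy_exists(self.policies(), policyid):
            raise LookupError(f"policyid {policyid} not found; refusing PUT")
        return self._call("PUT", f"/api/v2/cmdb/firewall/policy/{policyid}", changes)
```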


NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \
  

Sunday, September 16, 2018

using curl to find support options

The http.request.method OPTIONS is not widely used or known, but it can be used in some cases to find the request methods that a webserver supports for a given URI.

Here's an example of an OPTIONS request-method for http://www.example.com/


example1



So from the above we know "OPTIONS", "GET", "HEAD" and "POST" are the only supported methods.


And here's another example

example2



example3


Keep in mind a lot of web-servers are not configured for this function and will not recognize this request method.

In some cases, if you send a request method that is not recognized, the web-server will send an http.status.code 405 { HTTP/1.1 405 Method Not Allowed } and actually indicate what is supported.




or

The newer trend is to send back an HTML body that tells you the request.method is not supported, or some other fancy information.


<HTML><HEAD>
<TITLE>Unsupported Request</TITLE>

</HEAD><BODY>

----------------------or----------------
<HTML><HEAD>
<TITLE>Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
Reference&#32;&#35;7&#46;827008d1&#46;1537091841&#46;0
</BODY>
--------------------or-----------------
<html>
<head><title>405 Not Allowed</title></head>
<body bgcolor="white">
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx</center>
</body>
</html>

 You might get lucky!
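An added Python example, not from the original post, that does the same probe as the curl call and sorts the reply into the three cases described above (an Allow header, a bare 405, or a server that does not understand OPTIONS and sends an HTML error page). The host, path and User-Agent string are placeholders.

```python
import http.client


def parse_allow(raw):
    """Pull the method list out of a raw HTTP response header block (str or bytes,
    as captured with curl -i). Returns [] when the server sent no Allow header."""
    text = raw.decode("iso-8859-1") if isinstance(raw, bytes) else raw
    for line in text.split("\r\n\r\n", 1)[0].splitlines()[1:]:   # [1:] skips the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            return [m.strip().upper() for m in value.split(",") if m.strip()]
    return []


def classify(status, allowed):
    """Turn status + Allow list into the three outcomes the post describes."""
    if allowed:
        return "advertised methods: " + ", ".join(allowed)
    if status == 405:
        return "405 Method Not Allowed but no Allow header; OPTIONS itself is blocked"
    if status >= 400:
        return f"HTTP {status}: server does not recognise OPTIONS (often an HTML error page)"
    return f"HTTP {status} with no Allow header; nothing advertised"


def probe(host, path="/", use_tls=False, timeout=10):
    """Send one OPTIONS request and classify the answer (network call; not run by the offline test)."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, timeout=timeout)
    try:
        conn.request("OPTIONS", path, headers={"Host": host, "User-Agent": "options-probe/1.0"})
        resp = conn.getresponse()
        allowed = [m.strip().upper() for m in (resp.getheader("Allow") or "").split(",") if m.strip()]
        return classify(resp.status, allowed)
    finally:
        conn.close()
```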


Saturday, September 15, 2018

Forcepoint SMC logserver rollup script

The Forcepoint Security Management Center allows you to query logs. One issue: logs can easily be pruned, but there is no on-board feature for rolling logs up to a remote server such as an SFTP/SCP host.


Here's a quick bash script that you can run via a cron job at a regular interval to roll up logs from the SMC LogServer to a remote SCP destination.





#!/bin/bash
#
# kfelix@socpuppets.com
######## LOG ROLLER  IT ON UP  ########
# rev 1.0
#
D=$(date +Y%y_Month%m_Day%d_%s)
#
H1="<insert the rollup SFTP/SCP server name here>"
H2="<insert the second rollup SFTP/SCP server name here>"
RUSER="rollupusername"
RKEY="/root/.ssh/rollup_key"   # scp takes no password in the URL; authenticate the rollup user with an ssh key
LIST="/tmp/logsarchs"

#  find all files older than 180 days in /usr/local/forcepoint/smc/data/storage/
LOG_DIR="/usr/local/forcepoint/smc/data/storage/"

find "$LOG_DIR" -name "*.arch" -mtime +180 -print0 > "$LIST"
[ -s "$LIST" ] || { rm -f "$LIST"; exit 0; }     # nothing old enough to roll up

#  take the archive list and create the tarball.gz (stop here if tar fails, so no logs are lost)
tar czvf "ROLLUP.$D.tar.gz" --null --files-from "$LIST" || exit 1

# delete the listed files
xargs -0 rm -f < "$LIST"

#  delete the logsarchs catalog file
rm -f "$LIST"
#
#  install at least two rollup destinations
scp -i "$RKEY" "./ROLLUP.$D.tar.gz" "$RUSER@$H1:/" \
  && scp -i "$RKEY" "./ROLLUP.$D.tar.gz" "$RUSER@$H2:/" \
  && rm -f "ROLLUP.$D.tar.gz"   # rm the old gz tarball to clear up space, but only once both copies succeeded (-f: cron has no terminal for -i prompts)



This can help with storage issues, or before you have storage issues. You could even set a trigger based on the disk utilization % and have the script fire off if the disk usage is 75% or more, e.g.



#!/bin/bash
# run the rollup only when the filesystem holding the logs is 75% or more used
C=$(df -H | grep centos | head -1 | awk '{ print $5 }' | cut -d % -f 1)

if [ "$C" -lt 75 ]; then
  exit 0
else
  # 75% or above (a -gt test here would skip exactly 75%)
  echo " Disk usage is high at $C% utilization on $HOSTNAME " | mail -s " LogRoller SMC " socteam_maillist@socpuppets.com

  D=$(date +Y%y_Month%m_Day%d_%s)
  #
  H1="<insert the rollup SFTP/SCP server name here>"
  H2="<insert the second rollup SFTP/SCP server name here>"
  RUSER="rollupusername"
  RKEY="/root/.ssh/rollup_key"   # scp takes no password in the URL; use an ssh key for the rollup user
  LIST="/tmp/logsarchs"

  #  find all files older than 180 days in /usr/local/forcepoint/smc/data/storage/
  LOG_DIR="/usr/local/forcepoint/smc/data/storage/"

  find "$LOG_DIR" -name "*.arch" -mtime +180 -print0 > "$LIST"
  [ -s "$LIST" ] || { rm -f "$LIST"; exit 0; }   # nothing old enough to roll up

  #  take the archive list and create the tarball.gz (stop if tar fails, so no logs are lost)
  tar czvf "ROLLUP.$D.tar.gz" --null --files-from "$LIST" || exit 1

  # delete the listed files
  xargs -0 rm -f < "$LIST"

  #  delete the logsarchs catalog file
  rm -f "$LIST"
  #
  #  install at least two rollup destinations
  scp -i "$RKEY" "./ROLLUP.$D.tar.gz" "$RUSER@$H1:/" \
    && scp -i "$RKEY" "./ROLLUP.$D.tar.gz" "$RUSER@$H2:/" \
    && rm -f "ROLLUP.$D.tar.gz"   # clear the tarball only once both copies succeeded
fi



Remember, a predefined alert exists for local Management disk usage if the LogServer is local to the MgtServer.


Thursday, September 13, 2018

Squid Proxy redirection Forcepoint NGFW

Here's a Forcepoint SQUID redirection setup for the NGFW, built on:



  • SMC v6.4.4
  • NGFW v6.4.1
  • SQUID v3.5.20



First you need to define a proxy-server element under Configuration > Network > Servers.







In your access rule you only need to match HTTP/HTTPS and direct it to the squid server.





The squid access.log and the NGFW Log Browser can both be monitored.




squid.conf


Wednesday, September 12, 2018

Squid for FortiOS


# squid
#
wccp2_router 192.168.1.100

wccp2_forwarding_method gre

wccp2_return_method gre

wccp2_service standard 0 password=FortinetWEbberCache


#fortigate  WCCPcfg



config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.100 255.255.254.0
        set allowaccess ping ssh https
        set type physical
        set wccp enable
    next
end

config system wccp
    edit "0"
        set router-id 192.168.1.100
        set server-list 192.168.1.99
        set authentication enable
        set password FortinetWEbberCache
    next
end

config firewall policy
    edit 0
        set srcintf "LANLOCAL"
        set dstintf "EXTWANLEVEL3"
        set srcaddr "LOCALLAN_NET-GROUPS"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP"
        set wccp enable
        set comments "HTTP TRAFFIC TO INTERCEPT FROM ALLOWED LAN USERS"
        set nat enable
    next
    edit 0
        set srcintf "port1"
        set dstintf "EXTWANLEVEL3"
        set srcaddr "squidproxy"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "PING"
        set comments "SQUID PROXY"
        set nat enable
    next
    edit 0
        set srcintf "LANLOCAL"
        set dstintf "EXTWANLEVEL3"
        set srcaddr "LOCALLAN_NET-GROUPS"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "HTTP"
        set comments "SAFEGUARD TO DROP ANY NONE PROXY"
    next
end


Tuesday, September 11, 2018

DNS flagday edns

EDNS is one of those tricky items that can affect a lot of DNS answers. Per the DNS standards RFCs, a DNS server should not flake out if EDNS version options are sent and EDNS is not supported, but in a lot of cases that is not what happens.

dnsflagday has a test and compliance checker that you can run against any domain to get the compliance results. They also have great collections and statistics.


Running the test is simple: just add your domain.



A pass or fail result is returned (see the fail below).




Details of the test results are provided on failures.




So what do you do if you have a failure? Easy, you upgrade your DNS server!


Alternatively, you can use the EDNS compliance checker at this URL:

https://ednscomp.isc.org/ednscomp/a768f12b06
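An added Python example, not the dnsflagday or ISC tool, of the core probe those checkers run: send a query carrying an EDNS version the server cannot know and expect BADVERS with OPT version 0 back (RFC 6891); a dropped query, a FORMERR/SERVFAIL, or a reply with no OPT RR is the "flake out" described above. Server, name and the constructed replies in the test are assumptions.

```python
import os
import socket
import struct

BADVERS = 16  # extended RCODE 16 (RFC 6891): the compliant reply to an unknown EDNS version


def build_query(name, edns_version=1, txid=None):
    # A/IN query plus an OPT RR advertising an EDNS version the server cannot know
    txid = os.urandom(2) if txid is None else txid
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\0"
    hdr = txid + struct.pack(">HHHHH", 0, 1, 0, 0, 1)                       # flags 0, QD=1, AR=1
    opt = b"\0" + struct.pack(">HHBBHH", 41, 1232, 0, edns_version, 0, 0)  # OPT, bufsize, ext-rcode, version, flags, rdlen
    return hdr + qname + struct.pack(">HH", 1, 1) + opt

def skip_name(pkt, off):
    while pkt[off] and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] & 0xC0 == 0xC0 else 1)   # compression pointer = 2 bytes, root = 1

def parse_response(pkt):
    # Returns (full 12-bit RCODE, OPT version); version is None when no OPT RR came back
    flags, qd, an, ns, ar = struct.unpack(">HHHHH", pkt[2:12])
    rcode, off = flags & 0xF, 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        if rtype == 41:                        # OPT: ext-rcode and version live in the TTL field
            return ((ttl >> 24) << 4) | rcode, (ttl >> 16) & 0xFF
        off += 10 + rdlen
    return rcode, None

def verdict(result):
    rcode, version = result
    if rcode == BADVERS and version == 0:
        return "PASS: BADVERS with OPT version 0"
    return "FAIL: rcode %d, OPT %s" % (rcode, "missing" if version is None else "version %d" % version)

def check(server, name, timeout=3.0):
    # UDP probe of one authoritative server (assumed reachable on port 53); returns the verdict string
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "FAIL: no reply (EDNS query dropped)"
    return verdict(parse_response(reply))
```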


Friday, August 31, 2018

forcepoint API

In my day job I have support cases for a host of issues. Here is a short blog of some basic Forcepoint NGFW API information. First, the API interface is simple to enable on the SMC MgtServer under the server "properties" settings.


Here I have selected port 8080 instead of the default 8082 and enabled the API.
You do NOT need to reboot the MgtServer.



You will need an API client user defined (the standard admin users are not API users). After you have created an API client, an authentication key will be displayed (it's critical that you record that key; you will not see it again).

To log in, the API needs that key, provided via an http.request.method POST in a simple call:


curl -k -v -d '{"authenticationkey":"n7d3hj3k39l@se3ydieke"}' -H "Content-Type: application/json" -X POST https://mysmcserver.socpuppets.com:8080/login



If the key was correct, you should receive a status response 200 and the SMC console will show the user logged on with status "online".



The logout is similar but uses the http.request.method PUT:

curl -k -v -d '{"authenticationkey":"n7d3hj3k39l@se3ydieke"}' -H "Content-Type: application/json" -X PUT https://mysmcserver.socpuppets.com:8080/login


To discover entry points you can use the API discovery URL on whatever service port you have enabled:

https://x.x.x.x:8080/api

example
As you can clearly see we have 5.10, 6.2 and 6.3 support on this SMC v6.3.8. You can call these versions up to see what entries are allowed.


{output truncated }


You can request the various entry points by issuing an http.request.method GET; examples follow below.


When constructing a POST I prefer a JSON structure of key and attribute value pairs, e.g.


{ "name":"the_name_here", "address":"1.1.1.1"}


NOTE: ensure you set the content type to JSON if you're using JSON; XML is also supported.


Keep in mind the API client's access is controlled by the role you define for the account.





On initial login, be aware that the JSESSIONID cookie value is used for admin session tracking over HTTP. With HTTPS you can use the cookie or the SSL session for tracking.
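The login, discovery and logout flow above as an added Python example (not Forcepoint's code): one cookie jar holds the JSESSIONID that /login returns, so it is replayed on every later call. The /<version>/api path and the injectable opener are assumptions for this example; TLS is verified, unlike the curl -k calls.

```python
import http.cookiejar
import json
import urllib.request


class SmcClient:
    """Keeps one cookie jar for the whole session: the JSESSIONID that /login
    returns is what ties later calls to the logged-in API client."""

    def __init__(self, base_url, auth_key, opener=None):
        self.base = base_url.rstrip("/")
        self.auth_key = auth_key
        self.jar = http.cookiejar.CookieJar()
        # opener is injectable (assumption for this example) so the flow can run without an SMC
        self.opener = opener or urllib.request.build_opener(urllib.request.HTTPCookieProcessor(self.jar))

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers={"Content-Type": "application/json",
                                              "Accept": "application/json"})
        with self.opener.open(req, timeout=15) as resp:
            return resp.status, resp.read()

    def login(self):
        status, _ = self._call("POST", "/login", {"authenticationkey": self.auth_key})
        if status != 200:
            raise PermissionError(f"login rejected with HTTP {status}")
        return True

    def session_cookie(self):
        """Value of the JSESSIONID cookie the SMC handed out, or None before login."""
        return next((c.value for c in self.jar if c.name == "JSESSIONID"), None)

    def entry_points(self, version=None):
        # /api lists supported versions; /<version>/api is assumed for a per-version listing
        path = "/api" if version is None else f"/{version}/api"
        return json.loads(self._call("GET", path)[1])

    def logout(self):
        status, _ = self._call("PUT", "/login", {"authenticationkey": self.auth_key})
        return status == 200
```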





Here are a few basic API examples









And yes, the API supports IPv6.