Wednesday, September 2, 2020

Howto download the junos pkg install file directly to the SRX appliance

You can use curl to download the junos pkg directly from junos-softdownloads. You first need to find your software and gather the download link.



Click the "copy" button to get the full https link URL. You will need this for curl.

Next, just use the CLI "curl" with the -o <filename> option to download the file via the link.



If you have a local proxy and the firewall is not directly attached to the internet, make sure to use the -x proxy option with curl and provide the details for the proxy.


example

curl -o junospkg.tgz -x 192.0.1.1:8081 -U kfelix:mypassword -k "https://<download link>"
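The same proxied download as the curl line above, written as an added example (not from the original post) that takes the proxy credential from the environment instead of the command line and keeps the package only if its SHA-256 matches the value published on the download page; it drops -k so the TLS certificate is actually checked. PROXY_USER, PROXY_PASS, EXPECTED_SHA256 and the script name fetch_junos.sh are assumed names.

```shell
#!/bin/sh
# Added example, not from the original post. Fetches the Junos package through
# the proxy as above, but reads the proxy credential from PROXY_USER/PROXY_PASS
# (so it is not typed on the command line) and keeps the file only if its
# SHA-256 matches EXPECTED_SHA256, the value you copy from the download page.
# No -k: the TLS certificate is verified instead of being ignored.

# download_pkg URL OUTFILE PROXY : -f makes curl fail on an HTTP error instead
# of saving the error page as junospkg.tgz; --proxy-user is the long form of -U
download_pkg() {
    curl -f -o "$2" -x "$3" --proxy-user "$PROXY_USER:$PROXY_PASS" "$1"
}

# sha256_of FILE : prints the hex digest with whichever tool the host has
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1     # macOS / BSD
    fi
}

# verify_pkg FILE EXPECTED : returns 0 on a match; otherwise deletes FILE and returns 1
verify_pkg() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: got $actual, expected $2" >&2
    rm -f "$1"
    return 1
}

# Usage:
#   PROXY_USER=kfelix PROXY_PASS=... EXPECTED_SHA256=<from download page> \
#     sh fetch_junos.sh "https://<download link>" junospkg.tgz 192.0.1.1:8081
if [ $# -eq 3 ]; then
    download_pkg "$1" "$2" "$3" && verify_pkg "$2" "$EXPECTED_SHA256"
fi
```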





Ken Felix 
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \


Tuesday, September 1, 2020

howto set the ssh public-key with ansible and fortios

In this post I will demo how to create an account and set the ssh-public-key. The key string must be escaped: the surrounding double quotes "" are written as escaped quotes in the play.

example:


      \" \"


Here's the play ;



And after execution, you will find the ssh-pub-key set for the named admin account.
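To avoid hand-editing the escaped quotes, here is an added example (not the play from the original post) that turns an OpenSSH public-key file into the escaped value and prints a matching task. ssh_public_key1 is the parameter name assumed from the fortinet.fortios fortios_system_admin module; the key file and account name are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original post. Produces the escaped value that
# the play above needs: FortiOS stores an admin's key wrapped in its own double
# quotes, so inside a YAML double-quoted scalar they are written as \" ... \".
# ssh_public_key1 is the parameter name assumed from the fortinet.fortios
# fortios_system_admin module; accprofile/vdom are the values used on this page.

# escaped_key KEYFILE : prints "\"<key line>\"", fails unless the first line
# looks like an OpenSSH public key
escaped_key() {
    key=$(head -n 1 "$1")
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|ecdsa-sha2-nistp*) ;;
        *) echo "not an OpenSSH public key: $1" >&2; return 1 ;;
    esac
    # in the printf format, \\ is one literal backslash and " is a literal quote
    printf '"\\"%s\\""\n' "$key"
}

# admin_task NAME KEYFILE : prints a complete task for the playbook
admin_task() {
    value=$(escaped_key "$2") || return 1
    cat <<EOF
  - name: Set ssh key for $1
    fortios_system_admin:
      vdom: "root"
      state: "present"
      system_admin:
        name: "$1"
        accprofile: "super_admin"
        ssh_public_key1: $value
EOF
}
```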







Sunday, August 2, 2020

Ansible setup example FortiOS

Here's a simple ansible setup playbook example.


1st, /etc/hosts has our addresses defined; these are the addresses we will configure, and the DNS name will be the system hostname.

1.1.1.2 brooklyn
1.1.1.22 manhattan
1.1.1.32 bronx
1.1.1.9  queens
1.1.1.1 statenisland


Now we craft an inventory file that our playbook will call on;


[fgt]
manhattan ansible_user=ansible ansible_password=test1234
queens ansible_user=ansible ansible_password=test1234
statenisland ansible_user=ansible ansible_password=test1234
bronx ansible_user=ansible ansible_password=test1234
brooklyn ansible_user=ansible ansible_password=test1234

#ansible_user=ansible ansible_password=test1234 ansible_port=2022
#access_token=hnhjh05tyx5h3r15d64Gm6Nh15tjpm
#ansible_httpapi_password=hhhjh05tyx5h3r15d64Gm6Nh15tjpm

[fgt:vars]
ansible_network_os=fortinet.fortios.fortios
# ansible_httpapi_password=hhhjh05tyx5h3r15d64Gm6Nh15tjpm


The Playbook 

---
- hosts: fgt
  collections:
  - fortinet.fortios
  gather_facts: false
  connection: httpapi

  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
    ansible_python_interpreter: virt1/bin/python
  tasks:
  - name: Setup_Console
    fortios_system_console:
      vdom: "{{ vdom }}"
      system_console:
        output: "more"
        baudrate: 19200
  - name: Setup_Global
    fortios_system_global:
      vdom: "{{ vdom }}"
      system_global:
        # the inventory name becomes the unit hostname
        hostname: "{{ ansible_host }}"
        admin_login_max: "6"
        login_timestamp: "enable"
        cfg_save: "automatic"
        timezone: "08"
        admin_ssh_port: "2022"
        admin_scp: "enable"
        gui_certificates: "enable"
  - name: Setup_NTP
    fortios_system_ntp:
      vdom: "{{ vdom }}"
      system_ntp:
        interface:
          - interface_name: wan2
        syncinterval: "15"
        type: "fortiguard"
        ntpsync: "enable"
  - name: Setup_AlertEmail
    fortios_alertemail_setting:
      vdom: "{{ vdom }}"
      alertemail_setting:
        mailto1: "soc@socpuppets.com"
        username: "noc@socpuppets.com"
  # CLI aliases: each alias needs its own name, otherwise a later task overwrites an earlier one
  - name: Alias_Status
    fortios_system_alias:
      vdom: "{{ vdom }}"
      state: "present"
      system_alias:
        name: "status"
        command: "get system status"
  - name: Alias_Route
    fortios_system_alias:
      vdom: "{{ vdom }}"
      state: "present"
      system_alias:
        name: "route"
        command: "get router info routing-table all"
  - name: Alias_FWP
    fortios_system_alias:
      vdom: "{{ vdom }}"
      state: "present"
      system_alias:
        name: "fwp"
        command: "show firewall policy"
  - name: Alias_IKE
    fortios_system_alias:
      vdom: "{{ vdom }}"
      state: "present"
      system_alias:
        name: "ike"
        command: "diag vpn ike gateway list"
  - name: Alias_IPSEC
    fortios_system_alias:
      vdom: "{{ vdom }}"
      state: "present"
      system_alias:
        name: "ipsec"
        command: "diag vpn tunnel list"
  - name: Syslog_Remote
    fortios_log_syslogd_setting:
      vdom: "{{ vdom }}"
      log_syslogd_setting:
        facility: "local0"
        format: "cef"
        mode: "udp"
        port: "514"
        server: "192.168.1.199"
        status: "enable"

  - name: Wildcard FQDN1
    fortios_firewall_wildcard_fqdn_custom:
      vdom: "{{ vdom }}"
      state: "present"
      firewall_wildcard_fqdn_custom:
        name: "example.net"
        wildcard_fqdn: "*.example.net"
  - name: Wildcard FQDN2
    fortios_firewall_wildcard_fqdn_custom:
      vdom: "{{ vdom }}"
      state: "present"
      firewall_wildcard_fqdn_custom:
        name: "example.org"
        wildcard_fqdn: "*.example.org"
  - name: Wildcard FQDN3
    fortios_firewall_wildcard_fqdn_custom:
      vdom: "{{ vdom }}"
      state: "present"
      firewall_wildcard_fqdn_custom:
        name: "example.com"
        wildcard_fqdn: "*.example.com"
  - name: Setup_SNMP
    fortios_system_snmp_community:
      vdom: "{{ vdom }}"
      state: "present"
      system_snmp_community:
        name: snmp1communityRW
        id: "1"
  - name: Setup_SNMP_SYSINFO
    fortios_system_snmp_sysinfo:
      vdom: "{{ vdom }}"
      system_snmp_sysinfo:
        contact_info: "soc@socpuppets.com"
        location: "{{ ansible_host }}"
        status: "enable"




NOTE: the Fortinet devs and the community put this warning in all the documents: start using httpapi.





Remember you need to upgrade your python; our cloud ansible configurator sits in OCN and runs python3 in a virtualenv.





So in this setup a tech will take the model FortiGate, configure the WAN interface and set the ansible user credentials on the unit. They will call into the provisioning team to have the new name and address set in /etc/hosts and the ansible inventory file. Afterwards we can run the play and set up the FortiGate with our basic details.
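Since the play takes the hostname from the inventory name and the connection from /etc/hosts, a quick pre-flight check that the two files agree is useful before running it. This is an added example, not part of the original post; the inventory and hosts file paths are passed in, and the group name is the [fgt] group used above.

```shell
#!/bin/sh
# Added example, not from the original post. Before running the play, confirm
# that every member of the [fgt] inventory group has an entry in the hosts file,
# because the playbook sets hostname from ansible_host and the connection needs
# the name to resolve. Paths are parameters so it can run against copies.

# group_hosts INVENTORY GROUP : prints the host names listed under [GROUP]
group_hosts() {
    awk -v want="[$2]" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        /^[ \t]*\[/ { insec = ($1 == want); next } # [section] header: are we in GROUP?
        insec { print $1 }                         # first field is the host name
    ' "$1"
}

# in_hosts_file NAME HOSTSFILE : 0 if NAME appears as a name on a non-comment line
in_hosts_file() {
    awk -v name="$1" '
        substr($1, 1, 1) == "#" { next }
        { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit !found }
    ' "$2"
}

# missing_hosts INVENTORY GROUP HOSTSFILE : prints group members absent from HOSTSFILE
missing_hosts() {
    group_hosts "$1" "$2" | while read -r h; do
        in_hosts_file "$h" "$3" || echo "$h"
    done
}

# Usage: sh check_inventory.sh inventory fgt /etc/hosts  (prints nothing when all resolve)
if [ $# -eq 3 ]; then
    missing_hosts "$1" "$2" "$3"
fi
```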


YMMV, but the API interface and ansible can speed up tasks and reduce the total labor effort. They also help you standardize configuration values across devices.





Wednesday, July 15, 2020

ANSIBLE for fortigate device setups

Here's a simple play that sets our org-wide settings for all new fortigates.



(virt1) [opc@ansible-cloud ~]$ cat fgtsetup.yml
---
- hosts: fgt
  collections:
  - fortinet.fortios
  gather_facts: false
  connection: httpapi

  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
    ansible_python_interpreter: virt1/bin/python
  tasks:
  - name: Setup_Console
    fortios_system_console:
      vdom: "{{ vdom }}"
      system_console:
        output: "more"
        baudrate: 19200
  - name: Setup_Global
    fortios_system_global:
      vdom: "{{ vdom }}"
      system_global:
        hostname: "BROOKLYNCNTAL"
        admin_login_max: "6"
        login_timestamp: "enable"
        cfg_save: "automatic"
        timezone: "08"
        admin_ssh_port: "2022"
        admin_scp: "enable"
        gui_certificates: "enable"
  - name: Setup_NTP
    fortios_system_ntp:
      vdom: "{{ vdom }}"
      system_ntp:
        interface:
          - interface_name: wan2
        syncinterval: "15"
        type: "fortiguard"
        ntpsync: "enable"
  - name: Setup_AlertEmail
    fortios_alertemail_setting:
      vdom: "{{ vdom }}"
      alertemail_setting:
        mailto1: "soc@socpuppets.com"
        username: "noc@socpuppets.com"

In our inventory file we define the fortigate addresses and these various variables:


[fgt]
192.0.2.1 ansible_user=ansible ansible_password=test1234
192.0.2.2 ansible_user=ansible ansible_password=setup
192.0.2.3 ansible_user=ansible ansible_password=password123
192.0.2.4 ansible_user=ansible ansible_password=password0987654321

[fgt:vars]
ansible_network_os=fortinet.fortios.fortios
# ansible_httpapi_password=hhhjh05tyx5h3r15d64Gm6Nh15tjpm


To call our setup we just run the command and let the play execute the tasks.


example;



And lastly, we install our standard admin accounts;

(virt1) [opc@ansible-cloud ~]$ cat fgtaddadmin.yml
---
- hosts: fgt
  collections:
  - fortinet.fortios
  gather_facts: false
  connection: httpapi

  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
    ansible_python_interpreter: virt1/bin/python
  tasks:
  - name: Configure primary admin
    fortios_system_admin:
      vdom: "{{ vdom }}"
      state: "present"
      system_admin:
        accprofile: "super_admin"
        vdom:
         - name: "root"
        comments: "socpuppet admin account do not delete"
        name: "socadmin2"
        password: "testing1234"

  # read-only profile for the PCI auditor
  - name: Configure auditor admin
    fortios_system_admin:
      vdom: "{{ vdom }}"
      state: "present"
      system_admin:
        accprofile: "auditor"
        vdom:
         - name: "root"
        comments: "socpuppet PCI account do not delete"
        name: "auditor"
        password: "pciblahbl"


If you lose the admin account password and still have the "ansible user account", you can always re-add the account. This makes for a great password recovery option.






Tuesday, July 14, 2020

HOWTO use ansible with fortios

To use ansible with the fortiosapi module you need to install the module and verify that it is installed;


pip install fortiosapi
pip list | grep forti


Your install output should look like the following;


example



Now you can write your 1st playbook. Here's a simple playbook that was defined to check status:





And the output when it ran;



Here's a simple group creation;



If you have problems executing, set ANSIBLE_DEBUG=1 while executing the playbook.


example;

    ANSIBLE_DEBUG=1 ansible-playbook fortios1.yml



You can also step through the play using the --step switch when running the playbook.



Reference my earlier posts on the fortios API and examples:


https://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html

https://socpuppet.blogspot.com/2019/09/howto-use-fortios-apiuser.html




Monday, July 6, 2020

HOWTO: Audit unused fwpolicy on fortios via snmp

The firewall, once configured for SNMP, has a simple OID that lists the packet counters for a given policy. You can snmpget the OID for the fwpolicyId or walk the whole tree.

.1.3.6.1.4.1.12356.101.5.1.2.1.1.2



So you can see that the firewall homefgt has 4 policy IDs (24/25/1/2) but only policy id #1 is taking traffic.


By querying the fwpolicy OID for statistics you can quickly ascertain which fwpolicyId numbers are being used or not used.

If you're only interested in unused fwPolicyId numbers, just do something like this and grep out the policy #:

snmpwalk -v2c -c mycommunity 192.168.1.99 .1.3.6.1.4.1.12356.101.5.1.2.1.1.2 | egrep "Counter32: 0"


The output will clearly show you the zero-match policies, which you could dump to a sheet for later exploration and analysis.
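To go one step further than the egrep above and get just the policy numbers, here is an added example (not from the original post) that filters a walk of the packet-counter column down to the zero-hit policy IDs. It assumes the table is indexed by VDOM index then policy ID in the FortiGate MIB, so the policy ID is the last OID sub-identifier; the sample walk output is constructed to match the homefgt case described above.

```shell
#!/bin/sh
# Added example, not from the original post. Reduces an snmpwalk of the
# packet-counter column (the OID above) to the policy IDs that have matched no
# packets. Assumption: in the FortiGate MIB this table is indexed by VDOM index
# then policy ID, so the policy ID is the last OID sub-identifier.

# unused_policies : reads snmpwalk output on stdin, prints one policy ID per line
unused_policies() {
    awk '
        # expected line shape: <oid>.<vdom>.<policyid> = Counter32: <packets>
        $2 == "=" && $3 == "Counter32:" && $4 == 0 {
            n = split($1, part, ".")      # split the OID on dots
            print part[n]                 # last sub-identifier is the policy ID
        }
    '
}

# audit_fgt HOST COMMUNITY : walk the live unit and list its unused policy IDs
audit_fgt() {
    snmpwalk -v2c -c "$2" "$1" .1.3.6.1.4.1.12356.101.5.1.2.1.1.2 | unused_policies
}

# Constructed sample of what the walk returns for the four policies in the post
# (only policy 1 is passing traffic); VDOM index 1 precedes the policy ID.
SAMPLE_WALK='SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.2.1.1 = Counter32: 420878
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.2.1.2 = Counter32: 0
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.2.1.24 = Counter32: 0
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.2.1.25 = Counter32: 0'

# sample_unused : runs the filter over the constructed sample (offline check)
sample_unused() {
    printf '%s\n' "$SAMPLE_WALK" | unused_policies
}
```

The awk filter also works on `snmpwalk -On` numeric output, since it only looks at the last dotted component of the OID.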


For snmpv3, here's a working example;




Keep in mind, no matches for a policy that has been installed for some considerable time is a good indicator of one of the following;


  • policyid seq and order is incorrect
  • service is wrong for that policy
  • policy is written wrong with regards to src/dst address and src/dst interface|zone


The manual method for counting policy matches is by executing the diag firewall iprope show 00100004 <policyid> command.

example;

diagnose firewall iprope show 00100004 2
idx=2 pkts/bytes=420878/339340862 asic_pkts/asic_bytes=405523/337996081 nturbo_pkts/nturbo_bytes=0/0 flag=0x0 hit count:3895
    first:2020-07-07 20:58:07 last:2020-07-07 21:41:01
 established session count:236
    first est:2020-07-07 20:58:07 last est:2020-07-07 21:41:01

The above could be tiresome if you had hundreds or thousands of fwPolicies and only needed to see the ones not being matched.











Friday, June 26, 2020

Checkpoint HA probe shows HA down: Cores did not match on nodes

I ran into a Checkpoint Security gateway HA issue where the XLcore did not match on the two security-gateways.


Here's what happens: this is a VM and it has multiple vCPUs. The primary and secondary node match from a VMware perspective, but the configuration details did not.

The cpconfig also provided a clue, based on the line option that did not exist on the primary sec-gw: if you do not have the correct Cores listed, option 10 will not be presented.





So the file /etc/fw.boot/boot.conf has to match on members.




As you can clearly see, they did not. I had to unix-vi that file, reboot node cpsg101 and re-execute a "cphaprob state" command to verify after the reboot.


ID         Unique Address  Assigned Load   State     Name
1 (local)  10.1.20.5       100%            ACTIVE    cpsg101
2          10.1.20.6       0%              STANDBY   cpsg102


I hope this can help someone if you do not have a healthy HA state.




