Friday, October 9, 2020

HOWTO: debug bgp on fortios

BGP configuration seems difficult, but in reality it is a simple routing protocol. To properly debug BGP on FortiOS you need to do a few primary things.


To test the layer 2/3 connection (x.x.x.x is the remote BGP speaker):

    execute ping x.x.x.x

You probably want to set ping-options and the source address first.

To verify TCP port 179 is open:

    execute telnet x.x.x.x 179

Next, you can enable the BGP protocol debug options:





It's wise to set the level to info; if you have numerous BGP peers you will get a lot of output. For a new turn-up that's giving you issues, use "diag ip router bgp all enable", for example.


Most BGP issues come down to a typo (wrong peer address, wrong AS, etc.) or a layer 2/3 issue. Keep in mind that if you have filters, destination TCP port 179 needs to be allowed both in and out.

If the session does reach ESTABLISHED and then dies, the maximum-received prefix limit may have been reached; the BGP session is TCP-reset when this happens.
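As an added example (not from the original post), here is a Python check that applies the advice above to the output of "get router info bgp summary": it parses the neighbor table, compares each peer's address and remote AS against the list you intended to configure, and points non-established sessions at either the layer 2/3 and TCP 179 checks or the prefix-limit check. The summary text and the intended peer list are constructed samples; the column layout follows the Quagga-style summary FortiOS prints, which is an assumption, and the function names are my own.

```python
import re

# constructed sample of "get router info bgp summary" output; not captured from a real unit
SAMPLE_SUMMARY = """\
BGP router identifier 10.0.0.1, local AS number 65001
BGP table version is 5
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.2        4 65002      120     118        5    0    0 01:45:12        3
10.0.0.3        4 65003        0       0        0    0    0 never    Active
10.0.0.4        4 65002       40      38        5    0    0 00:00:10        1

Total number of neighbors 3
"""

# constructed: the peers we meant to configure, keyed by address -> remote AS
INTENDED_PEERS = {
    "10.0.0.2": 65002,
    "10.0.0.3": 65003,
    "10.0.0.4": 65004,   # typo on the box: configured with 65002
    "10.0.0.5": 65005,   # forgotten entirely
}

# neighbor, version, AS, five counters, Up/Down, then either a prefix count
# (session Established) or a state name such as Active/Idle/Connect
PEER_RE = re.compile(r"^(\S+)\s+\d+\s+(\d+)(?:\s+\d+){5}\s+(\S+)\s+(.+?)\s*$")


def parse_bgp_summary(text):
    """Return {neighbor: {remote_as, state, prefixes, up_down}} from summary output."""
    peers = {}
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue
        addr, remote_as, up_down, last = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        established = last.isdigit()
        peers[addr] = {
            "remote_as": remote_as,
            "state": "Established" if established else last,
            "prefixes": int(last) if established else 0,
            "up_down": up_down,
        }
    return peers


def check_peers(summary_text, intended):
    """Compare what the unit reports against what we intended; return findings."""
    findings = []
    seen = parse_bgp_summary(summary_text)
    for addr, want_as in intended.items():
        peer = seen.get(addr)
        if peer is None:
            findings.append(f"{addr}: no such neighbor on this unit (typo in the neighbor address?)")
            continue
        if peer["remote_as"] != want_as:
            findings.append(f"{addr}: remote-as is {peer['remote_as']}, expected {want_as}")
        if peer["state"] != "Established":
            if peer["up_down"] == "never":
                hint = "never came up: check the layer 2/3 path and that TCP 179 is allowed both ways"
            else:
                hint = "was up and dropped: check maximum-prefix limits (the session is TCP-reset when hit)"
            findings.append(f"{addr}: state {peer['state']}, {hint}")
    for addr in sorted(set(seen) - set(intended)):
        findings.append(f"{addr}: neighbor configured but not in the intended peer list")
    return findings


if __name__ == "__main__":
    for finding in check_peers(SAMPLE_SUMMARY, INTENDED_PEERS):
        print(finding)
```

Run it against real output with something like "ssh admin@fgt 'get router info bgp summary'" piped into the script, or paste the output into a file; the point is that the three usual culprits (wrong address, wrong AS, session never up) are checked mechanically before you turn on the debug.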






Ken Felix 
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \

Friday, October 2, 2020

Fortios Ansible plugins

 



FTNT has quite a few plugins that let you configure FortiOS via Ansible. A lot of the low-level configuration can be done within a CM tool like Ansible. FortiManager is also a good alternative that is documented and supported by FTNT.

https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/index.html

https://www.fortinet.com/products/management/fortimanager



The key thing to look at: you need to be running the latest Python version, natively or in a Python virtualenv. On any RHEL distro you can't really delete python2 per se, since "yum" is py2 only.

If you have both py2 and py3, you have to ensure Ansible is set to use version 3 if you want the best results.

Extra things to consider:

  • Set ANSIBLE_DEBUG=1 for any issues, and use -vvv for extra verbosity.
  • You are only limited by your imagination and the limits of the plugins.
  • You should study the FTNT developer network documents.





Wednesday, September 2, 2020

Howto download the Junos pkg install file directly to the SRX appliance

You can use curl to download the Junos pkg directly from the Juniper software downloads site. You first need to find your software and gather the download link.



Click the "copy" button to get the full https link URL. You will need this for curl.

Next, just use the CLI "curl" with the -o <filename> option to download the file via the link.



If you have a local proxy and the firewall is not directly attached to the internet, make sure to use the -x proxy option with curl and provide the proxy details (-U for the proxy credentials).


example:

curl -o junospkg.tgz -x 192.0.1.1:8081 -U kfelix:mypassword -k "https://<download link>"
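An added example, not from the post: a small Python 3 script for a jump host (or any host that can reach the proxy) that performs the same download through an authenticated proxy and then checks the package against the SHA-256 digest published on the Juniper download page before you copy it to the SRX and install it. Unlike the -k flag above, urllib keeps TLS certificate verification on. The URL, proxy and digest values in the usage block are placeholders, the function names are my own, and the file used in the self-check is constructed.

```python
import hashlib
import hmac
import shutil
import tempfile
import urllib.request


def sha256_of(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so a large pkg does not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_sha256(path, expected_hex):
    """True if the file matches the published digest (case-insensitive)."""
    return hmac.compare_digest(sha256_of(path), expected_hex.strip().lower())


def download_via_proxy(url, dest, proxy=None, proxy_user=None, proxy_password=None, timeout=120):
    """Fetch url to dest, optionally through an http proxy with basic auth.

    No equivalent of curl -k is used: the server certificate is validated
    against the host's CA bundle, so a proxy that intercepts TLS will fail here."""
    handlers = []
    if proxy:
        proxy_url = proxy if "://" in proxy else "http://" + proxy
        handlers.append(urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url}))
        if proxy_user:
            auth = urllib.request.HTTPPasswordMgrWithDefaultRealm()
            auth.add_password(None, proxy_url, proxy_user, proxy_password or "")
            handlers.append(urllib.request.ProxyBasicAuthHandler(auth))
    opener = urllib.request.build_opener(*handlers)
    with opener.open(url, timeout=timeout) as resp, open(dest, "wb") as out:
        shutil.copyfileobj(resp, out)
    return dest


def fetch_junos_pkg(url, dest, expected_sha256, **proxy_opts):
    """Download and refuse to hand back a package whose digest does not match."""
    download_via_proxy(url, dest, **proxy_opts)
    if not verify_sha256(dest, expected_sha256):
        raise RuntimeError(f"{dest}: SHA-256 mismatch, do not install this package")
    return dest


# constructed self-check input: the file "abc", whose SHA-256 is the well-known test vector
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def make_sample_file(content=b"abc"):
    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.write(content)
    tmp.close()
    return tmp.name


if __name__ == "__main__":
    # placeholders: take the link and the digest from the Juniper download page
    fetch_junos_pkg(
        "https://<download link>",
        "junospkg.tgz",
        "<sha256 from the download page>",
        proxy="192.0.1.1:8081",
        proxy_user="kfelix",
        proxy_password="mypassword",
    )
```

The digest check is the part worth keeping even if you stay with curl on the box: "file checksum sha-256 junospkg.tgz" on the SRX gives you the same value to compare against the download page.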







Tuesday, September 1, 2020

Howto set an ssh public-key with Ansible on FortiOS

In this post I will demo how to create an account and set the ssh-public-key. The key string must be wrapped in escaped double quotes, "" written as:

example:


      \" \"


Here's the play:



And after execution, you will find the ssh-pub-key set for the named admin account.
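To show the escaping concretely, here is an added Python example (mine, not the play from the post): it validates an OpenSSH public-key line, wraps it in the literal double quotes FortiOS expects, and emits a fortios_system_admin task for the tasks list. The parameter name ssh_public_key1 is assumed from the fortinet.fortios collection; the ed25519 key in the sample is constructed (its key material is all zeros) and is not usable for login.

```python
import base64
import json
import struct

# OpenSSH key types FortiOS admins commonly use; extend as needed
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def validate_pubkey(line):
    """Return the key line as 'type base64 [comment]' or raise ValueError.

    Besides the base64 check, the first length-prefixed string inside the
    decoded blob (RFC 4253 wire format) must equal the declared key type,
    which catches a key body pasted under the wrong type."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not an OpenSSH public key line")
    key_type, body = parts[0], parts[1]
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError as exc:
        raise ValueError("key body is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key body too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("embedded key type does not match declared type")
    return " ".join(parts)


def is_valid_pubkey(line):
    try:
        validate_pubkey(line)
        return True
    except ValueError:
        return False


def fortios_escaped_key(line):
    """FortiOS stores ssh-public-key1 as a quoted string, so the value sent
    through the API must carry its own surrounding double quotes; in the
    YAML they show up as backslash-quote, exactly as the post describes."""
    return '"' + validate_pubkey(line) + '"'


def admin_task(username, pubkey_line, vdom="root"):
    """Build one fortios_system_admin task (ssh_public_key1 assumed from
    the fortinet.fortios collection's parameter names)."""
    return {
        "name": "Set SSH public key for " + username,
        "fortios_system_admin": {
            "vdom": vdom,
            "state": "present",
            "system_admin": {
                "name": username,
                "ssh_public_key1": fortios_escaped_key(pubkey_line),
            },
        },
    }


def task_as_yaml(task):
    """JSON is valid YAML, so this output can be pasted into a tasks list."""
    return json.dumps(task, indent=2)


# constructed sample: a structurally valid ed25519 public key whose 32-byte
# point is all zeros, so it is NOT a usable key
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " kfelix@example"

if __name__ == "__main__":
    print(task_as_yaml(admin_task("admin", SAMPLE_KEY)))
```

Feed it the contents of the user's id_ed25519.pub (or id_rsa.pub) and paste the printed task into the play; the wire-format check means a key that was mangled while being copied is rejected before it ever reaches the FortiGate.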







Sunday, August 2, 2020

Ansible setup example FortiOS

Here's a simple Ansible setup playbook example.


First, /etc/hosts has our addresses defined; these are the addresses we will configure, and the name will become the system hostname.

1.1.1.2 brooklyn

1.1.1.22 manhattan

1.1.1.32 bronx

1.1.1.9  queens

1.1.1.1 statenisland


Now we craft an inventory file that our playbook will use:


[fgt]
manhattan ansible_user=ansible ansible_password=test1234
queens ansible_user=ansible ansible_password=test1234
statenisland ansible_user=ansible ansible_password=test1234
bronx ansible_user=ansible ansible_password=test1234
brooklyn ansible_user=ansible ansible_password=test1234

#ansible_user=ansible ansible_password=test1234 ansible_port=2022
#access_token=hnhjh05tyx5h3r15d64Gm6Nh15tjpm
#ansible_httpapi_password=hhhjh05tyx5h3r15d64Gm6Nh15tjpm

[fgt:vars]
ansible_network_os=fortinet.fortios.fortios
# ansible_httpapi_password=hhhjh05tyx5h3r15d64Gm6Nh15tjpm


The playbook:

---
- hosts: fgt
  collections:
    - fortinet.fortios
  gather_facts: false
  connection: httpapi

  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
    ansible_python_interpreter: virt1/bin/python

  tasks:
  - name: Setup_Console
    fortios_system_console:
      vdom: "{{ vdom }}"
      system_console:
        output: "more"
        baudrate: 19200

  - name: Setup_Global
    fortios_system_global:
      vdom: "{{ vdom }}"
      system_global:
        hostname: "{{ ansible_host }}"
        admin_login_max: "6"
        login_timestamp: "enable"
        cfg_save: "automatic"
        timezone: "08"
        admin_ssh_port: "2022"
        admin_scp: "enable"
        gui_certificates: "enable"

  - name: Setup_NTP
    fortios_system_ntp:
      vdom: "{{ vdom }}"
      system_ntp:
        interface:
          - interface_name: wan2
        syncinterval: "15"
        type: "fortiguard"
        ntpsync: "enable"

  - name: Setup_AlertEmail
    fortios_alertemail_setting:
      vdom: "{{ vdom }}"
      alertemail_setting:
        mailto1: "soc@socpuppets.com"
        username: "noc@socpuppets.com"

  - name: Alias_Status
    fortios_system_alias:
      vdom: "{{ vdom }}"
      state: "present"
      system_alias:
        name: "status"
        command: "get system status"

  # each alias needs its own name; reusing "status" here would overwrite the alias above
  - name: Alias_Route
    fortios_system_alias:
      vdom: "{{ vdom }}"
      state: "present"
      system_alias:
        name: "route"
        command: "get router info routing-table all"

  - name: Alias_FWP
    fortios_system_alias:
      vdom: "{{ vdom }}"
      state: "present"
      system_alias:
        name: "fwp"
        command: "show firewall policy"

  - name: Alias_IKE
    fortios_system_alias:
      vdom: "{{ vdom }}"
      state: "present"
      system_alias:
        name: "ike"
        command: "diag vpn ike gateway list"

  - name: Alias_IPSEC
    fortios_system_alias:
      vdom: "{{ vdom }}"
      state: "present"
      system_alias:
        name: "ipsec"
        command: "diag vpn tunnel list"

  - name: Syslog_Remote
    fortios_log_syslogd_setting:
      vdom: "{{ vdom }}"
      log_syslogd_setting:
        facility: "local0"
        format: "cef"
        mode: "udp"
        port: "514"
        server: "192.168.1.199"
        status: "enable"

  - name: Wildcard FQDN1
    fortios_firewall_wildcard_fqdn_custom:
      vdom: "{{ vdom }}"
      state: "present"
      firewall_wildcard_fqdn_custom:
        name: "example.net"
        wildcard_fqdn: "*.example.net"

  - name: Wildcard FQDN2
    fortios_firewall_wildcard_fqdn_custom:
      vdom: "{{ vdom }}"
      state: "present"
      firewall_wildcard_fqdn_custom:
        name: "example.org"
        wildcard_fqdn: "*.example.org"

  - name: Wildcard FQDN3
    fortios_firewall_wildcard_fqdn_custom:
      vdom: "{{ vdom }}"
      state: "present"
      firewall_wildcard_fqdn_custom:
        name: "example.com"
        wildcard_fqdn: "*.example.com"

  - name: Setup_SNMP
    fortios_system_snmp_community:
      vdom: "{{ vdom }}"
      state: "present"
      system_snmp_community:
        name: snmp1communityRW
        id: "1"

  - name: Setup_SNMP_SYSINFO
    fortios_system_snmp_sysinfo:
      vdom: "{{ vdom }}"
      system_snmp_sysinfo:
        contact_info: "soc@socpuppets.com"
        location: "{{ ansible_host }}"
        status: "enable"




NOTE: Fortinet dev and the community put this warning in all of their documents: start using httpapi.





Remember that you need to upgrade your Python; our cloud Ansible configurator sits in OCN and runs python3 in a virtualenv.





So in this setup a tech will take the model FortiGate, configure the WAN interface and set the ansible user credentials on the unit. They then call the provisioning team to have the new name and address entered into /etc/hosts and the Ansible inventory file. Afterwards we can run the play and set up the FortiGate with our basic details.
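As an added example of that provisioning step (not part of the post), here is a Python helper that takes the name/address records the tech phones in, validates them, and writes both the /etc/hosts lines and the inventory file from the same source so the two cannot drift. Instead of the cleartext ansible_password values in the inventory shown earlier, it references vault_fgt_password, an assumed variable name you would define in group_vars/fgt.yml under ansible-vault. The device records are the post's own sample names and addresses; the function names are mine.

```python
import ipaddress
import re

# constructed provisioning records (hostname, management address), mirroring the post
PROVISIONED = [
    ("brooklyn", "1.1.1.2"),
    ("manhattan", "1.1.1.22"),
    ("bronx", "1.1.1.32"),
    ("queens", "1.1.1.9"),
    ("statenisland", "1.1.1.1"),
]

# label syntax: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate(devices):
    """Reject records the play would choke on: bad addresses, bad hostnames,
    and duplicate names or addresses (a duplicate name in /etc/hosts would
    silently point the play at the wrong unit)."""
    seen_names, seen_addrs = set(), set()
    for name, ip in devices:
        if not HOSTNAME_RE.match(name):
            raise ValueError(f"invalid hostname: {name!r}")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError as exc:
            raise ValueError(f"invalid address for {name}: {ip!r}") from exc
        if name in seen_names:
            raise ValueError(f"duplicate hostname: {name}")
        if addr in seen_addrs:
            raise ValueError(f"duplicate address: {ip}")
        seen_names.add(name)
        seen_addrs.add(addr)
    return True


def is_valid(devices):
    try:
        return validate(devices)
    except ValueError:
        return False


def hosts_entries(devices):
    """Lines to append to /etc/hosts; the name doubles as the FortiGate hostname."""
    validate(devices)
    return "\n".join(f"{ip} {name}" for name, ip in devices) + "\n"


def inventory_ini(devices, group="fgt"):
    """INI inventory for the [fgt] group, with the password pulled from a vaulted
    variable (hypothetical name vault_fgt_password) rather than written in clear."""
    validate(devices)
    lines = [f"[{group}]"]
    for name, _ in devices:
        lines.append(f"{name} ansible_user=ansible ansible_password='{{{{ vault_fgt_password }}}}'")
    lines += [
        "",
        f"[{group}:vars]",
        "ansible_network_os=fortinet.fortios.fortios",
        "ansible_connection=httpapi",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(hosts_entries(PROVISIONED))
    print(inventory_ini(PROVISIONED))
```

Write the two outputs to /etc/hosts and to the inventory file the play is invoked with; group_vars/fgt.yml then holds "vault_fgt_password: ..." encrypted with ansible-vault, and the play is run with --ask-vault-pass or a vault password file.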


YMMV, but the API interface and Ansible can speed up tasks and reduce the total labor effort. It also helps you standardize configuration values across devices.





Wednesday, July 15, 2020

ANSIBLE for fortigate devices setups

Here's a simple play that sets our org-wide settings for all new FortiGates.



(virt1) [opc@ansible-cloud ~]$ cat fgtsetup.yml

---
- hosts: fgt
  collections:
    - fortinet.fortios
  gather_facts: false
  connection: httpapi

  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
    ansible_python_interpreter: virt1/bin/python

  tasks:
  - name: Setup_Console
    fortios_system_console:
      vdom: "{{ vdom }}"
      system_console:
        output: "more"
        baudrate: 19200

  - name: Setup_Global
    fortios_system_global:
      vdom: "{{ vdom }}"
      system_global:
        hostname: "BROOKLYNCNTAL"
        admin_login_max: "6"
        login_timestamp: "enable"
        cfg_save: "automatic"
        timezone: "08"
        admin_ssh_port: "2022"
        admin_scp: "enable"
        gui_certificates: "enable"

  - name: Setup_NTP
    fortios_system_ntp:
      vdom: "{{ vdom }}"
      system_ntp:
        interface:
          - interface_name: wan2
        syncinterval: "15"
        type: "fortiguard"
        ntpsync: "enable"

  - name: Setup_AlertEmail
    fortios_alertemail_setting:
      vdom: "{{ vdom }}"
      alertemail_setting:
        mailto1: "soc@socpuppets.com"
        username: "noc@socpuppets.com"

In our inventory file we define the FortiGate addresses and these various variables:


[fgt]
192.0.2.1 ansible_user=ansible ansible_password=test1234
192.0.2.2 ansible_user=ansible ansible_password=setup
192.0.2.3 ansible_user=ansible ansible_password=password123
192.0.2.4 ansible_user=ansible ansible_password=password0987654321

[fgt:vars]
ansible_network_os=fortinet.fortios.fortios
# ansible_httpapi_password=hhhjh05tyx5h3r15d64Gm6Nh15tjpm


To run our setup we just run the command and let the play execute the tasks.

example:



And lastly, we install our standard admin accounts:

(virt1) [opc@ansible-cloud ~]$ cat fgtaddadmin.yml

---
- hosts: fgt
  collections:
    - fortinet.fortios
  gather_facts: false
  connection: httpapi

  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
    ansible_python_interpreter: virt1/bin/python

  tasks:
  - name: Configure primary admin
    fortios_system_admin:
      vdom: "{{ vdom }}"
      state: "present"
      system_admin:
        accprofile: "super_admin"
        vdom:
          - name: "root"
        comments: "socpuppet admin account do not delete"
        name: "socadmin2"
        password: "testing1234"

  - name: Configure auditor admin
    fortios_system_admin:
      vdom: "{{ vdom }}"
      state: "present"
      system_admin:
        accprofile: "auditor"
        vdom:
          - name: "root"
        comments: "socpuppet PCI account do not delete"
        name: "auditor"
        password: "pciblahbl"


If you lose the admin account password and still have the "ansible" user account, you can always re-add the account. This makes for a great password recovery option.






Tuesday, July 14, 2020

HOWTO: use ansible with fortios

To use Ansible with the fortiosapi module you need to install the module and verify that it is installed:


pip install fortiosapi 

pip list | grep forti


Your install output should look like the following:


example



Now you can write your first playbook. Here's a simple playbook that was written to check status:





And the output when it ran:



Here's a simple group creation:



If you have problems executing, set ANSIBLE_DEBUG=1 while running the playbook.


example:

    ANSIBLE_DEBUG=1 ansible-playbook fortios1.yml



You can also step through the play with the --step switch when running the playbook.



See my earlier posts on the FortiOS API for more examples:


https://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html

https://socpuppet.blogspot.com/2019/09/howto-use-fortios-apiuser.html


