Wednesday, March 13, 2024

FortiGate as an explicit proxy, v7.2.x

In this post, we will walk through explicit proxy setup and diagnostics in v7.2, since it has a few small changes from earlier releases.

  • this is a non-authenticated proxy (no user or group match on the proxy policy)
  • the proxy client range is limited to a single PC (the HOME_PC address object) for this post
  • HTTP and HTTPS
  • port 3128

Okay, let's enable the explicit proxy on an SD-WAN member interface and then globally. Note that wan2 is an internet-facing interface, so the proxy will listen on a public IP; the srcaddr restriction in the proxy-policy further down is what keeps this from becoming an open proxy.

config system interface
    edit "wan2"
        set vdom "root"
        set ip 20.14.20.2 255.255.255.240
        set allowaccess ping
        set type physical
        set explicit-web-proxy enable
        set alias "internet2 XO"
        set role wan
        set snmp-index 4
    next
end


and


config web-proxy explicit
    set status enable
    set ftp-over-http enable
    set http-incoming-port 3128
    set https-incoming-port 3128
    set pac-file-server-status enable
    set pac-file-server-port 7888
    set pac-file-name "socpuppetproxyaccessconf"
end



Now for policy creation. FortiOS evaluates explicit-proxy traffic against firewall proxy-policy entries, not the regular firewall policy, so the allow rule goes there:


config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "upg-zone-wan2"
        set srcaddr "HOME_PC"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end



Diagnostics tips


If the client gets a timeout and "diag sniffer packet any 'port 3128'" on the FortiGate shows no packets at all, your problem is before the proxy. Fix the local issues first.

This is most likely a host firewall, a downstream firewall or filter, or plain filtering on the path. Also make sure the client is configured with the right proxy IP and port number.


Helpful diagnostics cmds

diagnose wad stats common.ses_stats
diag wad worker policy   # p_id:xxxx, where xxxx is your proxy-policy id
diag wad session list
diag wad debug enable all   # this generates a lot of messages; disable it again when you are done
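The client-side half of the diagnostics above, as an added example that is not part of the post: first a bare TCP check to the proxy (if this fails, the sniffer on the FortiGate will show nothing and the fault is between you and the proxy), then a fetch of the PAC file, then one HTTP and one HTTPS request through the proxy with curl, turning curl's exit code and the proxy's CONNECT reply into the next thing to look at. It assumes the post's proxy address 20.14.20.2, port 3128 and PAC port 7888 (override them with environment variables), uses www.example.com as the test destination, and assumes FortiOS serves the PAC file at http://<proxy-ip>:<pac-file-server-port>/<pac-file-name>.

```bash
#!/usr/bin/env bash
# Added example, not code from the post. Proxy IP/ports are the post's
# values and are assumptions for your own environment.
set -e
PROXY_HOST=${PROXY_HOST:-20.14.20.2}
PROXY_PORT=${PROXY_PORT:-3128}
PAC_PORT=${PAC_PORT:-7888}
PAC_NAME=${PAC_NAME:-socpuppetproxyaccessconf}

# tcp_open HOST PORT [SECS]: true if a TCP handshake completes. Pure bash
# (/dev/tcp) so it works on a client that has no nc or telnet; needs
# coreutils "timeout" for the deadline.
tcp_open() {
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# verdict CURL_EXIT HTTP_CONNECT HTTP_CODE: map curl's results to the next
# thing to check. HTTP_CONNECT is the proxy's answer to CONNECT (HTTPS
# path only, 000 when no CONNECT was sent), HTTP_CODE the final response.
verdict() {
  local rc=$1 connect=$2 code=$3
  case "$rc" in
    7|28) echo "no TCP path to proxy: local/downstream filtering or wrong proxy IP/port" ;;
    0|56)
      case "$connect" in
        403|407) echo "proxy reached but CONNECT denied ($connect): check proxy-policy srcaddr/dstaddr/service"; return ;;
      esac
      case "$code" in
        2??|3??) echo "ok ($code)" ;;
        403)     echo "proxy replied 403: policy deny or web filter block page" ;;
        000)     echo "connected to proxy but no HTTP response: check proxy-policy / wad" ;;
        *)       echo "unexpected response $code (curl exit $rc)" ;;
      esac ;;
    *) echo "curl failed with exit $rc" ;;
  esac
}

# probe URL: one request through the proxy; prints "exit connect code"
probe() {
  local out rc=0
  out=$(curl -sS -m 10 -o /dev/null -x "http://$PROXY_HOST:$PROXY_PORT" \
        -w '%{http_connect} %{http_code}' "$1" 2>/dev/null) || rc=$?
  echo "$rc ${out:-000 000}"
}

run_checks() {
  if ! tcp_open "$PROXY_HOST" "$PROXY_PORT"; then
    verdict 7 000 000; return 1
  fi
  echo "PAC fetch: HTTP $(curl -sS -m 5 -o /dev/null -w '%{http_code}' \
    "http://$PROXY_HOST:$PAC_PORT/$PAC_NAME" 2>/dev/null || echo 000)"
  local url
  for url in http://www.example.com/ https://www.example.com/; do
    set -- $(probe "$url")
    printf '%-26s %s\n' "$url" "$(verdict "$1" "$2" "$3")"
  done
}

# Live run (needs the proxy reachable): ./script --live
if [ "${1:-}" = "--live" ]; then run_checks; fi
```

Run it from the client with --live; the http:// and https:// rows fail differently on purpose, because an HTTP proxy sees a plain request for the first and a CONNECT for the second, and a proxy-policy problem usually shows up on the CONNECT reply.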





NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \



Thursday, February 1, 2024

Generating an HTTP request to a website by using openssl

Have you ever been on a system with no GUI, no text browser, no wget and no cURL, but needed to test HTTP access?

If you have openssl, you can craft a GET or HEAD request by hand and push it through s_client to generate HTTPS traffic.

example

   printf 'HEAD / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: SocPuppets\r\nConnection: close\r\n\r\n' | openssl s_client -quiet -state -servername www.example.com -connect www.example.com:443




 So if you ever need to test HTTPS access from a device with no standard web browser, use openssl. Two details matter: -quiet implicitly turns on -ign_eof, so s_client keeps reading the reply after stdin closes (without -quiet you need -ign_eof, or it may exit before the response arrives); and -servername sends the SNI, which older openssl builds do not send by default and which a virtual-hosted site needs in order to present the right certificate. printf is used instead of "echo -e" because echo -e is not portable across shells.
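The same request wrapped in a reusable helper, plus two small parsers for the reply, as an added example that is not part of the post. It assumes nothing beyond openssl, awk and a host to talk to; the live run is opt-in (--live) so the parsers can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example, not code from the post: https_request around openssl
# s_client, and parsers for the status line and headers it returns.
set -e

# http_status RESPONSE: status code from the response's first line
# (tolerates CRLF line endings and HTTP/1.0 replies)
http_status() {
  printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '$1 ~ /^HTTP\// { print $2 }'
}

# response_header RESPONSE NAME: value of header NAME (case-insensitive),
# looking only at the header block, never at the body
response_header() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^$/ { exit }                                  # blank line ends the headers
    {
      i = index($0, ":")
      if (i && tolower(substr($0, 1, i - 1)) == want) {
        v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
      }
    }'
}

# https_request METHOD HOST [PATH] [PORT]: one hand-built request over TLS.
#  - -servername sends SNI (older openssl does not by default; virtual-hosted
#    sites need it to present the right certificate)
#  - -quiet implies -ign_eof, so s_client keeps reading the reply after
#    stdin hits EOF instead of closing the connection early
#  - Connection: close makes the server end the session when it is done
https_request() {
  local method=$1 host=$2 path=${3:-/} port=${4:-443}
  printf '%s %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: SocPuppets\r\nConnection: close\r\n\r\n' \
    "$method" "$path" "$host" |
    openssl s_client -quiet -servername "$host" -connect "$host:$port" 2>/dev/null
}

# Live demo (needs network): ./script --live [host] [path]
if [ "${1:-}" = "--live" ]; then
  reply=$(https_request HEAD "${2:-www.example.com}" "${3:-/}")
  echo "status: $(http_status "$reply")  server: $(response_header "$reply" server)"
fi
```

HEAD is the right verb for a reachability test: you get the status line and headers without pulling the body, and a 301/302 with a Location header tells you the site is up even when the path you asked for moved.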





Wednesday, December 13, 2023

PANOS decryption tip

I was troubleshooting something with an org a while back where they needed to do decryption for just one "URL", but the FQDN/IP address matching matched numerous sites.

So let's use example.com, where the following names

www.example.com
www.example.net
www.example.org
www.example.edu

all map to the same single IP address, 93.184.216.34:

kfelix@kfelixs-MacBook-Air ~ % host www.example.com
www.example.com has address 93.184.216.34
www.example.com has IPv6 address 2606:2800:220:1:248:1893:25c8:1946
kfelix@kfelixs-MacBook-Air ~ % host www.example.net
www.example.net has address 93.184.216.34
www.example.net has IPv6 address 2606:2800:220:1:248:1893:25c8:1946
kfelix@kfelixs-MacBook-Air ~ % host www.example.org
www.example.org has address 93.184.216.34
www.example.org has IPv6 address 2606:2800:220:1:248:1893:25c8:1946
kfelix@kfelixs-MacBook-Air ~ % host www.example.edu
www.example.edu has address 93.184.216.34
www.example.edu has IPv6 address 2606:2800:220:1:248:1893:25c8:1946
kfelix@kfelixs-MacBook-Air ~ %


So let's say you want to decrypt traffic to www.example.com and not the others. 


Do not match the decryption rule on an IP or FQDN address object. The FQDN object resolves to the shared IP, so a rule written that way decrypts all four sites, not just the one you want.


You should use a custom URL category instead: PAN-OS matches it against the hostname the session presents (the TLS SNI, or the certificate subject when there is no SNI), which is distinct per site even when the IP is not. Here are a few screenshots of how that looks in the web UI.


First, the wrong method as it was deployed (an FQDN address object in the rule):




Then the rule was changed to use a custom URL category, with the destination address left as any:






Now www.example.net was not decrypted when a user initiated traffic to that "URL", based on the traffic log,



but https://www.example.com was decrypted when a user initiated traffic to that "URL".
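A quick pre-check for the overmatch described above, as an added example that is not part of the post: resolve every name you care about and report the IPs that more than one name shares, since an address-object decryption rule for any one of those names would also catch the others. The resolver uses getent so it works without dig; the names are whatever you pass in, and the constructed input in the test mirrors the host output above.

```bash
#!/usr/bin/env bash
# Added example, not code from the post: find FQDNs that share IPs, i.e.
# the cases where an IP/FQDN-based decryption rule cannot single one out.
set -e

# shared_ips: reads "name ip" lines on stdin, prints each IP that more than
# one name maps to, followed by those names
shared_ips() {
  awk '{ n[$2] = (n[$2] ? n[$2] " " : "") $1; c[$2]++ }
       END { for (ip in c) if (c[ip] > 1) print ip ": " n[ip] }' | sort
}

# resolve_all NAME...: emit "name ip" for each A record of each name;
# names that do not resolve are silently skipped
resolve_all() {
  local name
  for name in "$@"; do
    getent ahostsv4 "$name" 2>/dev/null | awk -v n="$name" '{ print n, $1 }' | sort -u
  done
}

# Live run: ./script --live www.example.com www.example.net www.example.org
if [ "${1:-}" = "--live" ]; then
  shift
  resolve_all "$@" | shared_ips
fi
```

Any IP this prints is one where only a hostname-based match (the custom URL category) can separate the sites.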











Tuesday, November 28, 2023

Certificate types

 In this post, we will look at 4 certificate container formats.


First up is PEM, which is base64-encoded DER wrapped in BEGIN/END armour lines. A PEM file can hold a certificate, a chain, and/or a private key. An unencrypted PKCS#8 key is labelled "PRIVATE KEY"; a password-protected one is labelled "ENCRYPTED PRIVATE KEY" (older OpenSSL-style keys use e.g. "RSA PRIVATE KEY" and, when protected, carry Proc-Type/DEK-Info headers instead).

e.g. (placeholder base64 body)

"-----BEGIN PRIVATE KEY-----"
dddddddjhfjkfjfkfjfkskdjdkjkdjdd
djkdjkjdkdjdkjfkjfkrjfkerjkejfejfioewjfewijfewq
djeqfjeqkwjhfkqejfkejfkjfkeqjefq
"-----END PRIVATE KEY-----"

Next up is PFX (Personal Information Exchange), also known as PKCS#12. As above it can carry certificate(s) and the key, but the format is binary and the bundle is passphrase-protected, so you need the passphrase to open it. It's the usual export format on Windows and macOS; the file extension is .pfx (or .p12).

Then we have DER (Distinguished Encoding Rules): binary ASN.1, the same bytes that a PEM file base64-encodes, commonly seen with a name ending in .der (or .cer).

We also have PKCS#7 (.p7b), used mainly to ship a certificate chain; it is less common and never contains private keys.





Saturday, November 11, 2023

How to use a FortiOS API user with certificates (FortiOS API)

I worked an issue a few months back where someone had changed the client key and did not update their Postman or the API clients.

First, if using the Postman app, you need to add the certificate and key files under Settings > Certificates.

https://en.wikipedia.org/wiki/Postman_(software)


e.g. (the passphrase in real life should be something much stronger than test1234)

 


Here's a simple API call for the path api/v2/cmdb/system/global:





Using curl, you can reproduce the above by passing the API user's cert/key files on the command line and entering the passphrase when prompted.


example1

curl -v --cacert ./rootCA_crt.pem --cert ./api.crt --key ./api.key -k "https://api.socpuppets.com/api/v2/cmdb/system/global?access_token=j1dc14rbyftN44QzdqhjN70sGcGsw8" --tlsv1.2

Two caveats on that command line: -k switches off verification of the FortiGate's own server certificate, which makes --cacert pointless, so drop it once the server certificate chains to rootCA_crt.pem; and FortiOS also accepts the token in an "Authorization: Bearer <token>" header, which keeps it out of any proxy or web-server log that records the query string.



example2 (bundle cert+key into one file and use -E)

curl -E api.bundle -k "https://api.socpuppets.com/api/v2/cmdb/system/global?access_token=j1dc14rbyftN44QzdqhjN70sGcGsw8" --tlsv1.2


example3 (same cert+key bundle, but supply the passphrase on the command line in one pass)

curl -E api.bundle:test1234 -k "https://api.socpuppets.com/api/v2/cmdb/system/global?access_token=j1dc14rbyftN44QzdqhjN70sGcGsw8" --tlsv1.2





Always ensure the API client key passphrase is secured and strong, and remember that a passphrase given as an argument (api.bundle:test1234) ends up in shell history and in process listings, so prefer the prompted form outside of a quick test.

Use the following debug on the FortiGate if you suspect a bad certificate during mTLS:

   diag debug reset
   diag debug en
   diag debug application httpsd -1


You should see lines similar to the following (my apiuser name is apiuserken):

[httpsd 6544 - 1699755801     info] fweb_debug_init[430] -- User-Agent: "PostmanRuntime/7.35.0"
[httpsd 6544 - 1699755801     info] fweb_debug_init[432] -- Handler "api_cmdb_v2-handler" assigned to request
[httpsd 6544 - 1699755801     info] _peer_auth_certificate_valid[180] -- Api-key + certificate login successful for apiuserken via pki peer apiuserken
[httpsd 6544 - 1699755801  warning] api_access_check_for_api_key[687] -- API Key request authorized for apiuserken from 9.4.19.7.
[httpsd 6544 - 1699755801     info] api_store_parameter[323] -- add API parameter 'access_token' (type=string)
[httpsd 6544 - 1699755801     info] api_cmdb_request_init_by_path[1800] -- new CMDB query (path='system',name='global')
[httpsd 6544 - 1699755801     info] api_generate_and_add_etag[1826] -- Per VDOM ETags: [ "vdom: r


Typical API user configuration with PKI peer authentication enabled:


longisland # show user group api-pki
config user group
    edit "api-pki"
        set member "apiuserken"
    next
end

longisland # show user peer apiuserken
config user peer
    edit "apiuserken"
        set mandatory-ca-verify disable
        set ca "ACME_CA_Cert_1"
    next
end

longisland # show sys api-user apiuserken
config system api-user
    edit "apiuserken"
        set api-key ENC SH2pULD0pHAvU3P/IVgWdW8cDJhxFURU+rNuid335YYU9v65WAXRL/eYm4rSmU=
        set accprofile "super_admin"
        set vdom "root"
        set peer-auth enable
        set peer-group "api-pki"
    next
end

Two things to tighten in a production copy of this: "set mandatory-ca-verify disable" tells the FortiGate to treat the peer certificate as valid even when the CA named under "set ca" is not installed, so leave it enabled and let a missing or wrong CA fail closed; and "super_admin" is far more than a client that reads system/global needs, so give the api-user an accprofile scoped to the paths it actually calls.
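An added example, not code from either of the last two posts, that serves both: part 1 moves one certificate/key pair through the four containers from the certificate-types post (PEM, DER, PKCS#12/PFX, PKCS#7) with openssl; part 2 is the preflight an API client should run before blaming mTLS on the FortiGate, checking that the key matches the certificate (the exact failure in this post, a regenerated key with the old cert) and that the certificate chains to the CA the user peer names. All material is throw-away: a "Demo CA" generated on the spot, a client cert it signs for CN=apiuserken, a stray key to stand in for the changed one, and the demo passphrase test1234. The api_get function and its gateway name are hypothetical and are not run by the demo.

```bash
#!/usr/bin/env bash
# Added example, not code from the posts. Demo CA + client cert generated
# here; nothing below touches a real FortiGate.
set -e

# fingerprint CERT.pem: SHA-256 fingerprint, identical across PEM<->DER
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# count_keys FILE.pem: number of PRIVATE KEY blocks (0 for a PKCS#7 dump)
count_keys() { grep -c -- '-----BEGIN.*PRIVATE KEY-----' "$1" || true; }

# key_matches_cert CERT KEY: true when both carry the same public key. This
# is the check that catches "someone regenerated api.key but kept api.crt".
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_signed_by CA CERT: true when CERT chains to CA (the FortiGate does the
# same on its side via "set ca" on the user peer, with mandatory-ca-verify on)
cert_signed_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# make_test_material: demo CA, a client cert it signs, a stray key, and every
# conversion discussed in the certificate-types post. Prints the directory.
make_test_material() {
  local d pass; d=$(mktemp -d); pass=test1234   # demo passphrase only
  # Minimal config so the root carries CA:TRUE regardless of the system
  # openssl.cnf (otherwise "openssl verify" may reject it as a CA).
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.cnf"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Client key + CSR, then the CA signs it: this pair is api.crt / api.key
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=apiuserken" \
    -keyout "$d/api.key" -out "$d/api.csr" 2>/dev/null
  openssl x509 -req -in "$d/api.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/api.crt" 2>/dev/null
  # An unrelated key to stand in for "changed the client key"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/stray.key" 2>/dev/null
  # PEM: password-protecting the key changes the armour line
  openssl pkcs8 -topk8 -in "$d/api.key" -out "$d/api.enc.key" -passout "pass:$pass"
  # DER: the same ASN.1 bytes without base64 armour, and back again
  openssl x509 -in "$d/api.crt" -outform DER -out "$d/api.der"
  openssl x509 -in "$d/api.der" -inform DER -out "$d/api.roundtrip.crt"
  # PKCS#12/PFX: cert + key in one passphrase-protected binary (what
  # "curl -E api.bundle:test1234" would consume), then unpacked again
  openssl pkcs12 -export -in "$d/api.crt" -inkey "$d/api.key" -name apiuserken \
    -out "$d/api.pfx" -passout "pass:$pass"
  openssl pkcs12 -in "$d/api.pfx" -passin "pass:$pass" -nodes -out "$d/api.unbundled.pem"
  # PKCS#7: certificate chain only, never a key
  openssl crl2pkcs7 -nocrl -certfile "$d/api.crt" -certfile "$d/ca.pem" -out "$d/chain.p7b"
  openssl pkcs7 -in "$d/chain.p7b" -print_certs -out "$d/chain.pem"
  echo "$d"
}

# preflight CERT KEY CA: fail fast, with a reason, before any API call
preflight() {
  key_matches_cert "$1" "$2" || { echo "key does not match cert" >&2; return 1; }
  cert_signed_by "$3" "$1"   || { echo "cert not issued by CA" >&2; return 1; }
}

# api_get FGT CERT KEY CA PATH: the curl call from the post with the CA
# enforced (no -k) and the token in a header rather than the query string.
# FGT is a hypothetical gateway; the token is read from $FGT_TOKEN.
api_get() {
  preflight "$2" "$3" "$4"
  curl -sS --tlsv1.2 --cacert "$4" --cert "$2" --key "$3" \
    -H "Authorization: Bearer ${FGT_TOKEN:?set FGT_TOKEN}" "https://$1/api/v2/cmdb/$5"
}

# Stand-alone demo: build the material and show what each check says
d=$(make_test_material)
echo "unencrypted key : $(head -1 "$d/api.key")"
echo "encrypted key   : $(head -1 "$d/api.enc.key")"
echo "PEM / DER fp    : $(fingerprint "$d/api.crt") / $(fingerprint "$d/api.roundtrip.crt")"
echo "keys in pfx dump / p7b dump: $(count_keys "$d/api.unbundled.pem") / $(count_keys "$d/chain.pem")"
preflight "$d/api.crt" "$d/api.key" "$d/ca.pem" && echo "preflight ok with the matching key"
preflight "$d/api.crt" "$d/stray.key" "$d/ca.pem" || echo "preflight failed with the stray key (expected)"
rm -rf "$d"
```

The preflight is what would have caught the incident in this post in seconds: a mismatched key fails locally with "key does not match cert" instead of surfacing as an opaque TLS handshake failure in httpsd debug on the FortiGate.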













