In this post we will look at attaching a predefined threat profile for the cisco IPS. 1st let's look a sensor with the default "none" threat profile.
Next here's the list of threat-profile that are shown via the list threat-profile cmd
The defaults of Data_Center , Edge, SCADA & Web_Applications exists.
So we will apply the Edge to our sensor and recheck that the configuration was applied.
NOTE: as you can see, the virtual sensor vs0 has the defined threat profile "Edge" attached to the signature definition "sig0"
And lastly, if you have a standby ASA, don't forget to make the same changes on this unit.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( + - )=
o
/ \
Tuesday, November 25, 2014
Monday, November 24, 2014
My SixXS ipv6 tunnel setup attempts
SixXS has been a major player within the IPv6 tunneling creation, with over 40+ pops worldwide accept africa, they have one the biggest tunnel-broker service outside of Hurricane Electric. You can find more here; https://www.sixxs.net/
When you 1st go to the account creation page you have to fill out a multi-line account request to include your ful-name EUI format phone #, address etc... Most of this is populated in their WHOIS server that they manage.
Once you get your account acceptance email, than you will have to wait approx 1 -2 days for approval.
and;
note: The one negative about SixXS, if you loose your "usernanme" you can not conduct a simple password recovery. You need to supply the username and email-address for recovery. HE does not have the limitation btw.
After approval, you can select a tunnel and pop for servicing the tunnel. The tunnel pop selection should be based on distance to the PoP from your service router or firewall. But you should click on the pop to see and get details of the pop. Look at the establishment date, number or prefix and type of prefixes served from that pop.
( example chi equinix location )
note: I circled key items to review above
After, you have selected the pop and have supplied your tunnel information, than you can proceed with configuration of your end device.
As of today's date, I still have not been successful in obtaining a Ipv6 tunnel via SixXS. And y 1st attempt was done like 2 months ago.
Stay tune.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( + - )=
o
/ \
When you 1st go to the account creation page you have to fill out a multi-line account request to include your ful-name EUI format phone #, address etc... Most of this is populated in their WHOIS server that they manage.
Once you get your account acceptance email, than you will have to wait approx 1 -2 days for approval.
and;
note: The one negative about SixXS, if you loose your "usernanme" you can not conduct a simple password recovery. You need to supply the username and email-address for recovery. HE does not have the limitation btw.
After approval, you can select a tunnel and pop for servicing the tunnel. The tunnel pop selection should be based on distance to the PoP from your service router or firewall. But you should click on the pop to see and get details of the pop. Look at the establishment date, number or prefix and type of prefixes served from that pop.
( example chi equinix location )
note: I circled key items to review above
After, you have selected the pop and have supplied your tunnel information, than you can proceed with configuration of your end device.
As of today's date, I still have not been successful in obtaining a Ipv6 tunnel via SixXS. And y 1st attempt was done like 2 months ago.
Stay tune.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( + - )=
o
/ \
A look at the Fortinet beta program
Fortinet has been offering a beta program for development of their FortiOS software. This beta program is suppose to help identify bugs and features improvements prior to introduction of new features and functions in a major code release.
To Participate you must have a fortinet firewall that's under contract as listed by their agreement cause;
Anybody can submit a request and entrance into the beta program or forward arequest to another user. The beta team will review to see if they meet the criteria under their acceptance cause.
Once you have been accepted, you can now download code for your registered devices.
It's advise able not to install beta-code on production critical devices.
Beta code is just that Beta. So expect mis-behavior and performance impacts. So YMMV and use at your risk surely applies here. If your network become unstable or breaks, don't blame fortinet.
Once you have download the code and upgraded a unit, your system will state the build as being beta.
NOTE: The code will not expire nor have any limitations
To be a good beta tester , you should develop a plan to record events and create a diary of events and issues that you find. By doing so and contacting the beta admins and forums, you can now gain information and provide your findings to the team & beta community.
It's crucial to complain to the team on both positive or negative findings so they can be made aware of issues that you find.
http://support.fortinet.com/forum/
Without the feedback, they will not know of any issues that you may have found. I don't know of any other security provider that offers a beta release and welcomes a selected group of testers invited to the general public.
Ken Felix
Freelance Network/Security Engineer
kfelix -<a-t> socpuppets-<d-o-t>- com
To Participate you must have a fortinet firewall that's under contract as listed by their agreement cause;
Anybody can submit a request and entrance into the beta program or forward arequest to another user. The beta team will review to see if they meet the criteria under their acceptance cause.
Once you have been accepted, you can now download code for your registered devices.
It's advise able not to install beta-code on production critical devices.
Beta code is just that Beta. So expect mis-behavior and performance impacts. So YMMV and use at your risk surely applies here. If your network become unstable or breaks, don't blame fortinet.
Once you have download the code and upgraded a unit, your system will state the build as being beta.
NOTE: The code will not expire nor have any limitations
To be a good beta tester , you should develop a plan to record events and create a diary of events and issues that you find. By doing so and contacting the beta admins and forums, you can now gain information and provide your findings to the team & beta community.
It's crucial to complain to the team on both positive or negative findings so they can be made aware of issues that you find.
http://support.fortinet.com/forum/
Without the feedback, they will not know of any issues that you may have found. I don't know of any other security provider that offers a beta release and welcomes a selected group of testers invited to the general public.
Ken Felix
Freelance Network/Security Engineer
kfelix -<a-t> socpuppets-<d-o-t>- com
Sunday, November 23, 2014
Google Nexus Android 5.0 lollipop
I was surprised to see that the 5.0 andorid OS was recently released. So I've start my 5.0 upgrade. A associate has upgrade his Nexus5 phone with 5.0.
http://www.android.com/versions/lollipop-5-0/
Outside the new interface & desktop icons, the screen interface looks much better.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
http://www.android.com/versions/lollipop-5-0/
Outside the new interface & desktop icons, the screen interface looks much better.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
Friday, November 21, 2014
Hush now ( alternative email security in a pinch )
If you ever needs to send something via email and have no security enabled mail client, than hush mail might be beneficial for you. https://www.hushmail.com/
After building an account, you can craft a email and set the passphrase that you will share with the recipient via an out-of-band ( OOB ) channel like SMS, voice call, etc...
note: please don't use test1234567890 as a pass-phrase ;)
The email receiver will get an email message with a direct link to the encrypted email message in his inbox. This provide 100% security to the content since you download the message over a HTTPs session.
If the email was intercepted and if the a login/brute force attack was taken, the mail will be automatically delete after 5 failures.
e.g
and then the mail is deleted;
This service is great for those that don't know how to implement PGP and keys management. I still will suggest that you use local encryption if you need 100% secure email communications.
You can read about the legal issues with hushmail at the below link.
http://en.wikipedia.org/wiki/Hushmail
example of a simple composing
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( $ $ )=
o
/ \
After building an account, you can craft a email and set the passphrase that you will share with the recipient via an out-of-band ( OOB ) channel like SMS, voice call, etc...
note: please don't use test1234567890 as a pass-phrase ;)
The email receiver will get an email message with a direct link to the encrypted email message in his inbox. This provide 100% security to the content since you download the message over a HTTPs session.
If the email was intercepted and if the a login/brute force attack was taken, the mail will be automatically delete after 5 failures.
e.g
and then the mail is deleted;
This service is great for those that don't know how to implement PGP and keys management. I still will suggest that you use local encryption if you need 100% secure email communications.
You can read about the legal issues with hushmail at the below link.
http://en.wikipedia.org/wiki/Hushmail
example of a simple composing
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( $ $ )=
o
/ \
Thursday, November 20, 2014
NXOS md5 file verification nx3500 switch
In this short post, I will show the internal file verification command usage. The command
show version image <storage_device:image_name>
You can execute this on any image listed on the device. The result is either a pass or fail.
E.g
Ken Felix
Freelance Network/Security Engineer
kfelix -a-t socpuppets-d-o-t- com
show version image <storage_device:image_name>
You can execute this on any image listed on the device. The result is either a pass or fail.
E.g
Ken Felix
Freelance Network/Security Engineer
kfelix -a-t socpuppets-d-o-t- com
^ ^
=( ^ ^ )=
o
/ \
Wednesday, November 19, 2014
A HOWTO: Fortigate ipv6 snmp configurations
In this post, we will look at the basic ipv6 snmp communities settings that's required.
1st my big warning, you need to configure the communities hosts6 via the cli. The address input via the WebGUI as of 5.2.2 is only for a ipv4 address. There's no provisions for doing this under the WebGUI. You typically will list the SNMP management hosts(s) in this section.
The basic snmp configuration would look similar to the following screen
Config > snmp
Now let's looking at my final ipv6 cfg for snmp queries. ( CLI )
NOTE: remember to enable snmp under the allowaccess for both ipv6 config.
e.g set ip6-allowaccess ping https ssh
Now to query a ipv6 snmp enabled fortigate, you need to include single quotation for the ipv6 address & within your snmpwalk/set/get.
e.g1
e.g2
If you run into problems a combination of diag sniffer packet, diag debug app snmpd -1 or diag debug flow filter6 161 could shed some light into the issues.
Here's a snapshot on what happens if you don't allowaccess the snmp services;
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( $ $ )=
o
/ \
1st my big warning, you need to configure the communities hosts6 via the cli. The address input via the WebGUI as of 5.2.2 is only for a ipv4 address. There's no provisions for doing this under the WebGUI. You typically will list the SNMP management hosts(s) in this section.
The basic snmp configuration would look similar to the following screen
Config > snmp
Now let's looking at my final ipv6 cfg for snmp queries. ( CLI )
NOTE: remember to enable snmp under the allowaccess for both ipv6 config.
e.g set ip6-allowaccess ping https ssh
Now to query a ipv6 snmp enabled fortigate, you need to include single quotation for the ipv6 address & within your snmpwalk/set/get.
e.g1
e.g2
If you run into problems a combination of diag sniffer packet, diag debug app snmpd -1 or diag debug flow filter6 161 could shed some light into the issues.
Here's a snapshot on what happens if you don't allowaccess the snmp services;
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( $ $ )=
o
/ \
5.2.2 fortios ugrades b642
5.2.2 was release in the last 24hrs { 11-18-2014 } .
So we are evaluating this newly release version. The release notes indicated a few minor fixes and nothing really big on a the "what's new " front. One thing that caught my eye.
Which was funny since I'm doing some testing with that particular modem. So it good to see it's included in 5.2.2.
As with any upgrade, do a system backup before any upgrades. It's also a good ideal to have a fall back image handy if things goes sour.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( $ $ )=
o
/ \
So we are evaluating this newly release version. The release notes indicated a few minor fixes and nothing really big on a the "what's new " front. One thing that caught my eye.
Which was funny since I'm doing some testing with that particular modem. So it good to see it's included in 5.2.2.
As with any upgrade, do a system backup before any upgrades. It's also a good ideal to have a fall back image handy if things goes sour.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( $ $ )=
o
/ \
Friday, November 14, 2014
How to craft a signatures with GNU gpg by socpuppets
With GNU gpg, you can craft an embedded signature within the data or "de-attach" signature. I will demonstrate the two methods. Where and how you would use the two is up to you.
1st the de-attached signature which probably the one I use the most. Your data can be compressed after signature creation, if so desired and to save space. The signature is publicly available for any persons that wish to verify the file integrity.
cli gpg -b <file.name>
This does 2 things;
1: it make a digital signature based off you private-key
2: it does NOT make any modifications to the original data
NOTE: the signature is always created from the original filename and the added suffix "sig" to the newly created signature file.
Next we will make a embedded signature. This requires the "-s" switch option. So we will take the same file & create our sign+encryption.
cli gpg -s <filename>
Now we should notice a few things,
1: we have a new file name file.txt.gpg ( data that's encrypted )
2: original data is still present
3: original datafile has not been modififed ( even the earlier sig file is still present )
So now we will delete the original data "file.txt" and then decrypt our file.txt.gpg and then compare the md5-hash and you will find we have the original file again.
Notice that our data md5 hash matches, after the decryption?
( message digest 96c23e49e65c7fd37d612b369d6a1657 )
A few things to take away here;
1: the m5 128bit hash still matches after the decryption
2: the original data was decrypted
3: the file was compared against the embedded signature to our key
NOTE: If we would have used the "-v" we would have gotten more verbose information & output
So easy, that a monkey or caveman can do it!
I hope this demonstration has been helpful. You can learn more about GNU PGP implementation at the following link;
http://en.wikipedia.org/wiki/GNU_Privacy_Guard
and about PGP in general here;
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( $ $ )=
o
/ \
1st the de-attached signature which probably the one I use the most. Your data can be compressed after signature creation, if so desired and to save space. The signature is publicly available for any persons that wish to verify the file integrity.
cli gpg -b <file.name>
This does 2 things;
1: it make a digital signature based off you private-key
2: it does NOT make any modifications to the original data
NOTE: the signature is always created from the original filename and the added suffix "sig" to the newly created signature file.
Next we will make a embedded signature. This requires the "-s" switch option. So we will take the same file & create our sign+encryption.
Now we should notice a few things,
1: we have a new file name file.txt.gpg ( data that's encrypted )
2: original data is still present
3: original datafile has not been modififed ( even the earlier sig file is still present )
So now we will delete the original data "file.txt" and then decrypt our file.txt.gpg and then compare the md5-hash and you will find we have the original file again.
Notice that our data md5 hash matches, after the decryption?
( message digest 96c23e49e65c7fd37d612b369d6a1657 )
A few things to take away here;
1: the m5 128bit hash still matches after the decryption
2: the original data was decrypted
3: the file was compared against the embedded signature to our key
NOTE: If we would have used the "-v" we would have gotten more verbose information & output
So easy, that a monkey or caveman can do it!
I hope this demonstration has been helpful. You can learn more about GNU PGP implementation at the following link;
http://en.wikipedia.org/wiki/GNU_Privacy_Guard
and about PGP in general here;
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( $ $ )=
o
/ \
Verifying file signature using GNUgpg
In this post, you will see just how easy it is for file & signature verifications using GNU gpg. A little background;
Typically the author of the file, will make the signature publicly available. So by downloading the signature, we can validate the actual datafile that was signed.
When using gpg, and when the key is not on your key-ring, then gpg is smart enough to retrieve the key that's listed in the signature file. You can display this action if you use the "-v" verbose switch.
note: if you are on a restricted network or behind a firewall the port could be blocked for the key-server.
To verify a pgp signature you need the following;
1: the data to be verified
2: the signature file
3: the public-key of the author for the datafile
If any of the three are missing, you can't continue. If one of the three was tampered with, you verification would fail!
Here's an example of a verification process against a linux kernel filename = linux-2.2.0.tar
note: if the file is compressed and ends with either a gz or bz2 extension, you need to un-compress the data before the verification. Linux Kernel sources are always signed b4 compression btw and I don't think that will ever change.
note: Once the key has been imported, any other following verifications would use the local cached key. If you want to delete the key , use the cli cmd gpg --delete-keys <key id>
So now you see just how easy it is to verify a signature using gpg. It's so simple, that even a caveman or monkey can do it.
Now, I will modify the signature to show you how any corruption or tampering will invalidation the verification. I used the unix vi cmd to change one character with in the pgp signature file, and now will attempt a new verification.
So with PKI, we have failsafes that if either ; 1> the datafile or 2> signature been tampered with, the verification process would fail. Even if we re-imported the key, and start fresh from the top, the verification will still fail.
( the modified PGP signature used for this last sample & with the "I" on the 1st line change to uppercase )
I hope this demonstration has been helpful. You can learn more about GNU PGP implementation at the following link;
http://en.wikipedia.org/wiki/GNU_Privacy_Guard
and about PGP in general here;
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
- The GNU PGP implementation has been around for a decade +
- it uses PKI
- keys are retrieved via public key-servers
- A file signed via a key, can be Digitally verified for tampering or corruption
- it also validates the author is actually the author
Typically the author of the file, will make the signature publicly available. So by downloading the signature, we can validate the actual datafile that was signed.
When using gpg, and when the key is not on your key-ring, then gpg is smart enough to retrieve the key that's listed in the signature file. You can display this action if you use the "-v" verbose switch.
note: if you are on a restricted network or behind a firewall the port could be blocked for the key-server.
To verify a pgp signature you need the following;
1: the data to be verified
2: the signature file
3: the public-key of the author for the datafile
If any of the three are missing, you can't continue. If one of the three was tampered with, you verification would fail!
Here's an example of a verification process against a linux kernel filename = linux-2.2.0.tar
note: if the file is compressed and ends with either a gz or bz2 extension, you need to un-compress the data before the verification. Linux Kernel sources are always signed b4 compression btw and I don't think that will ever change.
note: Once the key has been imported, any other following verifications would use the local cached key. If you want to delete the key , use the cli cmd gpg --delete-keys <key id>
So now you see just how easy it is to verify a signature using gpg. It's so simple, that even a caveman or monkey can do it.
Now, I will modify the signature to show you how any corruption or tampering will invalidation the verification. I used the unix vi cmd to change one character with in the pgp signature file, and now will attempt a new verification.
So with PKI, we have failsafes that if either ; 1> the datafile or 2> signature been tampered with, the verification process would fail. Even if we re-imported the key, and start fresh from the top, the verification will still fail.
( the modified PGP signature used for this last sample & with the "I" on the 1st line change to uppercase )
I hope this demonstration has been helpful. You can learn more about GNU PGP implementation at the following link;
http://en.wikipedia.org/wiki/GNU_Privacy_Guard
and about PGP in general here;
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
Thursday, November 13, 2014
How to digitally sign and verify with ecdsa keypairs
In this post we will take a ecdsa key-pair and create a ecdsa signature and verify our data. I will also demonstrate what happen if the date is compromised.
1st here's the ecdsa key-pairs that I created earlier.
NOTE: So the file name myfileforblog.txt will be the file we sign and will validate.
Here's the files types in my directory
Next, we will do a signature creation and then verification.
And finally, let's make a modification to the "data file named myfileforblog.txt" and re-verify.
NOTE: It will now fail due to the whitespace added to the bottom of the file
So basically we can easily craft ecdsa signatures and with providing the pubic-key and the data.signature, any person can validate the signature of the datafile for integrity or corruption.
Here's a sample we re-direct the output of unix ls into openssl from the /usr/bin directory
If the validation fails we can assume;
1: the wrong signature was provided
2: data was corrupt
3: signature was tampered with
4: the hash was not match or correct
NOTE: if the verification passes, than we know the file and signature are correct and matches the owner public-key.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( + - )=
o
/ \
1st here's the ecdsa key-pairs that I created earlier.
NOTE: So the file name myfileforblog.txt will be the file we sign and will validate.
Here's the files types in my directory
Next, we will do a signature creation and then verification.
And finally, let's make a modification to the "data file named myfileforblog.txt" and re-verify.
NOTE: It will now fail due to the whitespace added to the bottom of the file
So basically we can easily craft ecdsa signatures and with providing the pubic-key and the data.signature, any person can validate the signature of the datafile for integrity or corruption.
Here's a sample we re-direct the output of unix ls into openssl from the /usr/bin directory
If the validation fails we can assume;
1: the wrong signature was provided
2: data was corrupt
3: signature was tampered with
4: the hash was not match or correct
NOTE: if the verification passes, than we know the file and signature are correct and matches the owner public-key.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( + - )=
o
/ \
Wednesday, November 12, 2014
Fortigate identity policies trouble-shooting
With fwpolicies that uses identity-based , you have a few means for diagnostics.
The 1st thing you need to do is to ensure that the expected-traffic is matching the policy that a user is having problems authenticating with. And ensure that traffic is arriving to the fortigate firewall. The easiest way for determining this;
diag debug flow
or
diag sniffer packet
The former is more acceptable.
If traffic is NOT hitting your policy, than "Stop" and don't proceed until you ensure that any other network routing or filtering problems has been fixed.
I 've seen now on 1-to-2 dozen occasions or more, that a firewall engineer stumbles around just to find out a inside interior firewall or router ACL was preventing the traffic destine to the identity-based firewall policies.
NOTE: With the diag debug flow, if you see "Denied by forward policy check", than that means you hit a policy with the action either set to disable or you have no policy to begin with.
If you are seeing a policy-id match that matches your traffic, the following will be logged via the diag debug flow. This will show the policy-id that's being matched, now you can dive in and find the problem.
e.g
msg="Allowed by Policy-124:"
Next, is this the policy-id that you have identity-based authentication set for? And does the group have the proper user defined ?
config firewall policy
edit 124
set srcintf "wan1"
set dstintf "port1"
set srcaddr "all"
set dstaddr "XXX_XXX_XXX_XXX"
set action accept
set identity-based enable
config identity-based-policy
edit 1
set schedule "always"
set groups "consultant"
set service "TELNET"
next
end
next
end
Next, you will need to inspect the user and the user-group that's defined for the above firewall-policy-id. Here it would be my group named "consultant" and it has one member "kfelixsslvpn"
config user group
edit "consultant"
set sslvpn-portal "full-access"
set member "kfelixsslvpn"
next
end
and
config user local
edit "kfelixsslvpn"
set type password
set passwd ENC VLrvImdmeB0GbZs5ZG+D5Wzhyhy0xNHyfo0lnX0YmATrFc2pAiZ7T8dcAbOfbi+k2WA1i3ydO2m4jyHLusuWU0kVJot8e518qzyIqzi1IvewXug1
next
end
In my case we are using local authentication So this user is authenticated locally against the user database. If the user doesn't exist or does not exist for the group, you will fail authentication. Also if the password is incorrect, you will fail authentication.
So if you suspect problems with the end-user, have her/him double check the login/password or create a new password for the login.
If the user is authenticated off-appliance, you need to diagnostic the remote authentication services.
( radius, ldap, etc... ). Most AAA authentication platforms have local tools for testing user validation or credentials. Research your platform for any local tools or diagnostics.
NOTE: If you see a group with multiple users & only ONE user is having problems that you can narrow down your diagnostics with just that "user".
Lastly, you can use the displayed output when your intercepted for authentication. If your getting that the authentication block that you know the identity policy is being matched.
You can also use the diag debug app authd -1 to report the status also.
( telnet )
( http )
So based on the policy and identity the fortigate will challenge the user with a login.
config firewall policy
edit 124
set srcintf "wan1"
set dstintf "port1"
set srcaddr "all"
set dstaddr "XXX_XXX_XXX_XXX"
set action accept
set identity-based enable
config identity-based-policy
edit 1
set schedule "always"
set groups "consultant"
set service "HTTP"
next
end
next
end
With authentication & identity-based policies, if the original session was via an un-encrypted services , than the authentication would also be un-encrypted.
What this means, my above HTTP identity-based policy would authenticated me via "HTTP" and not "HTTPs". The fortigate is actually intercepting the traffic src/dst and spoof'ing the challenge on behalf of the destination. Your NOT authenticating via the target but via the firewall and the packet spoof'ing.
Here's a tshark decode
This is bad thing ( lack of security ) but for diagnostics, you can packet capture the traffic and inspect the user credentials that's being presented.
A few useful authentication commands;
Diagnostic
diag debug reset
dag debug en
diag debug application authd -1
Operations & monitoring
diag firewall iprope authuser
diag firewall iprope resetauth
The former shows who authentication & from where. It will now show what policy-id trigger the authentication. The latter clears all authentications. Use with caution.
diag firewall auth list
This will show you details about the user, timeout and policy-id that was triggered.
For my very last item, you can adjust the authentication timeout. This can be done from the webGu.
user > device > authentication> setting
or via the CLI;
config user setting
set auth-cert "self-sign"
set auth-timeout 436
end
NOTE: default timeout == 300secs
And for stricter and harsher controls, you can set the authenticating parameters for blackout and the max failed-attempts. This is great protection for any brute-force login attacks.
config user setting
set auth-blackout-time 5
set auth-invalid-max 3 < after 3 failures blacklist at above value 5mins.
end
NOTE: various fortiOS exhibits failures on the blackout time value and it's ignored YMMV
I hope this gives you some ideals on identity-based authentications. IMHO security methods exist such as 802.1x, FSSO , Radius SSO, Proxies or a combination with identity-based.
The 1st thing you need to do is to ensure that the expected-traffic is matching the policy that a user is having problems authenticating with. And ensure that traffic is arriving to the fortigate firewall. The easiest way for determining this;
diag debug flow
or
diag sniffer packet
The former is more acceptable.
If traffic is NOT hitting your policy, than "Stop" and don't proceed until you ensure that any other network routing or filtering problems has been fixed.
I 've seen now on 1-to-2 dozen occasions or more, that a firewall engineer stumbles around just to find out a inside interior firewall or router ACL was preventing the traffic destine to the identity-based firewall policies.
NOTE: With the diag debug flow, if you see "Denied by forward policy check", than that means you hit a policy with the action either set to disable or you have no policy to begin with.
If you are seeing a policy-id match that matches your traffic, the following will be logged via the diag debug flow. This will show the policy-id that's being matched, now you can dive in and find the problem.
e.g
msg="Allowed by Policy-124:"
Next, is this the policy-id that you have identity-based authentication set for? And does the group have the proper user defined ?
config firewall policy
edit 124
set srcintf "wan1"
set dstintf "port1"
set srcaddr "all"
set dstaddr "XXX_XXX_XXX_XXX"
set action accept
set identity-based enable
config identity-based-policy
edit 1
set schedule "always"
set groups "consultant"
set service "TELNET"
next
end
next
end
Next, you will need to inspect the user and the user-group that's defined for the above firewall-policy-id. Here it would be my group named "consultant" and it has one member "kfelixsslvpn"
config user group
edit "consultant"
set sslvpn-portal "full-access"
set member "kfelixsslvpn"
next
end
and
config user local
edit "kfelixsslvpn"
set type password
set passwd ENC VLrvImdmeB0GbZs5ZG+D5Wzhyhy0xNHyfo0lnX0YmATrFc2pAiZ7T8dcAbOfbi+k2WA1i3ydO2m4jyHLusuWU0kVJot8e518qzyIqzi1IvewXug1
next
end
In my case we are using local authentication So this user is authenticated locally against the user database. If the user doesn't exist or does not exist for the group, you will fail authentication. Also if the password is incorrect, you will fail authentication.
So if you suspect problems with the end-user, have her/him double check the login/password or create a new password for the login.
If the user is authenticated off-appliance, you need to diagnostic the remote authentication services.
( radius, ldap, etc... ). Most AAA authentication platforms have local tools for testing user validation or credentials. Research your platform for any local tools or diagnostics.
NOTE: If you see a group with multiple users & only ONE user is having problems that you can narrow down your diagnostics with just that "user".
Lastly, you can use the displayed output when your intercepted for authentication. If your getting that the authentication block that you know the identity policy is being matched.
You can also use the diag debug app authd -1 to report the status also.
( telnet )
( http )
So based on the policy and identity the fortigate will challenge the user with a login.
edit 124
set srcintf "wan1"
set dstintf "port1"
set srcaddr "all"
set dstaddr "XXX_XXX_XXX_XXX"
set action accept
set identity-based enable
config identity-based-policy
edit 1
set schedule "always"
set groups "consultant"
set service "HTTP"
next
end
next
end
With authentication & identity-based policies, if the original session was via an un-encrypted services , than the authentication would also be un-encrypted.
What this means, my above HTTP identity-based policy would authenticated me via "HTTP" and not "HTTPs". The fortigate is actually intercepting the traffic src/dst and spoof'ing the challenge on behalf of the destination. Your NOT authenticating via the target but via the firewall and the packet spoof'ing.
Here's a tshark decode
No pun intended , but the user credentials clearly are in the clear ( username = sssss password = ssssssss )
A few useful authentication commands;
Diagnostic
diag debug reset
dag debug en
diag debug application authd -1
Operations & monitoring
diag firewall iprope authuser
diag firewall iprope resetauth
The former shows who authentication & from where. It will now show what policy-id trigger the authentication. The latter clears all authentications. Use with caution.
diag firewall auth list
This will show you details about the user, timeout and policy-id that was triggered.
For my very last item, you can adjust the authentication timeout. This can be done from the webGu.
user > device > authentication> setting
or via the CLI;
config user setting
set auth-cert "self-sign"
set auth-timeout 436
end
NOTE: default timeout == 300secs
And for stricter and harsher controls, you can set the authenticating parameters for blackout and the max failed-attempts. This is great protection for any brute-force login attacks.
config user setting
set auth-blackout-time 5
set auth-invalid-max 3 < after 3 failures blacklist at above value 5mins.
end
NOTE: various fortiOS exhibits failures on the blackout time value and it's ignored YMMV
I hope this gives you some ideals on identity-based authentications. IMHO security methods exist such as 802.1x, FSSO , Radius SSO, Proxies or a combination with identity-based.
Ken Felix
Freelance Network/Security Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( # # )=
@
/ \
Freelance Network/Security Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( # # )=
@
/ \