When working with firewall policies and when testing new applications, it's good practice to use the diag sys session command from the CLI.
In some cases you might have a new application that needs close monitoring, or you want to validate that sessions are indeed up, and for an extended time.
By using the filter option with the diag sys session command you can find those sessions, and with other attributes (src, dst, port, policy ID) you can confirm or rule out issues that might be driven by the firewall or by the application.
e.g
The above has a filter option for 900-24400 seconds; any traffic that matches that duration would be presented.
You can set other values to drill in on traffic of interest.
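As an added example (not part of the original post), the script below does in software what the CLI filter does on the box: it parses a session dump and keeps only sessions in a duration window, optionally narrowed by src, dst, dport or policy ID. The sample dump is constructed for the example and only modeled on the layout of a diagnose sys session list record (the "session info:", "hook=... dir=org" and "policy_id=" lines); the addresses, durations and policy IDs are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modeled on the layout of a FortiGate
# `diagnose sys session list` dump. Addresses, durations and
# policy IDs are made up for this example.
SAMPLE_DUMP = """\
session info: proto=6 proto_state=01 duration=1500 expire=3599 timeout=3600 flags=00000000 use=3
hook=post dir=org act=snat 10.1.1.20:51234->203.0.113.5:443(203.0.113.1:51234)
hook=pre dir=reply act=dnat 203.0.113.5:443->203.0.113.1:51234(10.1.1.20:51234)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=01 duration=42 expire=170 timeout=180 flags=00000000 use=2
hook=post dir=org act=noop 10.1.1.21:5353->10.1.2.53:53(0.0.0.0:0)
hook=pre dir=reply act=noop 10.1.2.53:53->10.1.1.21:5353(0.0.0.0:0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=30000 expire=3599 timeout=3600 flags=00000000 use=3
hook=post dir=org act=noop 10.1.1.30:40000->10.1.2.10:1521(0.0.0.0:0)
hook=pre dir=reply act=noop 10.1.2.10:1521->10.1.1.30:40000(0.0.0.0:0)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
total session 3
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
# original-direction tuple on the hook line: src:sport->dst:dport(...)
TUPLE_RE = re.compile(r"(\S+?):(\d+)->(\S+?):(\d+)")


@dataclass
class Session:
    proto: int
    duration: int      # seconds the session has existed
    expire: int        # seconds until it times out
    src: str
    sport: int
    dst: str
    dport: int
    policy_id: int
    vd: int


def _build(fields: Dict[str, str]) -> Session:
    """Convert the collected key=value strings of one record into a Session."""
    return Session(
        proto=int(fields.get("proto", 0)),
        duration=int(fields.get("duration", 0)),
        expire=int(fields.get("expire", 0)),
        src=fields.get("src", ""),
        sport=int(fields.get("sport", 0)),
        dst=fields.get("dst", ""),
        dport=int(fields.get("dport", 0)),
        policy_id=int(fields.get("policy_id", -1)),
        vd=int(fields.get("vd", 0)),
    )


def parse_session_dump(text: str) -> List[Session]:
    """Split a dump into records; each record starts at a 'session info:' line."""
    sessions: List[Session] = []
    cur: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("session info:"):
            if cur is not None:
                sessions.append(_build(cur))
            cur = dict(KV_RE.findall(line))
        elif cur is None:
            continue                      # text before the first record
        elif line.startswith("hook=") and "dir=org" in line:
            m = TUPLE_RE.search(line)
            if m and "src" not in cur:    # keep the first original-direction tuple
                cur["src"], cur["sport"], cur["dst"], cur["dport"] = m.groups()
        elif "policy_id=" in line:
            cur.update(dict(KV_RE.findall(line)))
    if cur is not None:
        sessions.append(_build(cur))
    return sessions


def filter_sessions(sessions: List[Session], min_duration: int = 0,
                    max_duration: Optional[int] = None, policy_id: Optional[int] = None,
                    src: Optional[str] = None, dst: Optional[str] = None,
                    dport: Optional[int] = None) -> List[Session]:
    """Duration window plus optional src/dst/dport/policy match, like the CLI filter."""
    hits: List[Session] = []
    for s in sessions:
        if s.duration < min_duration:
            continue
        if max_duration is not None and s.duration > max_duration:
            continue
        if policy_id is not None and s.policy_id != policy_id:
            continue
        if src is not None and s.src != src:
            continue
        if dst is not None and s.dst != dst:
            continue
        if dport is not None and s.dport != dport:
            continue
        hits.append(s)
    return hits


if __name__ == "__main__":
    # same 900-24400 second window as the post
    for s in filter_sessions(parse_session_dump(SAMPLE_DUMP), 900, 24400):
        print(f"policy {s.policy_id}: {s.src}:{s.sport} -> {s.dst}:{s.dport} "
              f"proto {s.proto} up {s.duration}s, expires in {s.expire}s")
```

Feed it a dump saved from the CLI and you get the same drill-down off-box, which is handy when you want to diff session tables over time or keep evidence of a long-lived session for the application team.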
Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
Monday, July 25, 2016
Friday, July 15, 2016
PANOS Security Advisor
One feature Palo Alto has is security advisories for updating end-users on security issues. The advisory lists the vulnerabilities and their impact, and a workaround or correction such as a software update.
One other cool feature: they acknowledge the third parties that reported these issues.
Friday, July 8, 2016
FAZ group authentication issues continue
FAZ 5.4 and 5.4.1 behavior with user-type group yields a non-working WebGUI when we have a wildcard and dev-profiles.
If you recall http://socpuppet.blogspot.com/2016/06/faz-user-type-group-version-type-tacacs.html
A FAZ appliance upgraded to 5.4.1 yields a display message in the webGUI. I'm working with FTNT support on trying to get an answer to this issue.
If you specify a group with TACACS+ or RADIUS, for example, the webGUI login will pass, BUT the display will not show any icons. FTNT support has my case but is still researching the issue.
Thursday, July 7, 2016
HOWTO query a FortiAnalyzer dataset via cli
The Fortinet FortiAnalyzer allows you to query a dataset directly via SQL. The execute sql-query-dataset command requires a dataset name and a time range.
execute sql-query-dataset <adom name> <datasetname> <dev/faz> <Start-Time> <End-Time>
Any data that matches that time range will be displayed.
e.g dataset for a user login query
Now if I perform a new SSH login and then query the dataset, it will show this activity in the named dataset.
Querying the dataset directly helps when troubleshooting reports that show no data and when validating datasets.
manipulating multi-vdoms for source ip (tip)
When you're operating in a multi-tenant setup you can easily change the "src vdom" that is used for various "execute" operations such as ssh/telnet/traceroute/ping, etc., just by using the following cli command from a vdom that you have permission for.
e.g
execute enter <vdom-name>
So now you can use that vdom's source address for ssh or other options. The execute ping-options command allows you to set the ping-request source, but in a lot of instances we need to change the ssh/traceroute source to complete a task.
e.g. (execute telnet has no option to set the source)
With the execute enter command, this allows easy control, from a vdom, of where the packet originates.
Friday, July 1, 2016
FAZ VM64 upgrade 5.4.1
We had an issue with sys admin groups and multiple TACACS+ servers, so the FAZ appliance was upgraded from 5.4.0 to 5.4.1.