On a FortiGate firewall you have a few creative ways of determining the system uptime without accessing the web GUI:
1: use the hidden CLI command fnsysctl cat /proc/uptime
( this requires you to convert seconds into months/weeks/days )
2: run the diag sys top command and look at the system runtime
Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
Monday, October 31, 2016
Friday, October 28, 2016
A quick and sure way to know if an SSL certificate is used as a Certificate Authority
Under X.509 v3 we have special attributes (extensions) that indicate the purpose of a certificate and whether it is a "CA".
By using openssl x509 we can review the certificate type and whether it is a CA certificate.
Take this certificate chain where we have two certificates and we want to find out which one is a CA certificate from a usage standpoint.
Notice the CA:TRUE versus the CA:FALSE: if the former is set, that is an indication the certificate sits higher in the chain as a root CA or intermediate CA certificate.
Take this Entrust chain where we have a root, plus 2 intermediate certificates, and finally the server certificate.
( I'm showing the CA: flags for the root and intermediates; outputs truncated )
( now at the end of the chain we have the server certificate; notice the CA:FALSE )
So you have a few means of validating the certificate and its usage.
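The check described above, as an added example script that is not from the original post: it splits a PEM chain file into its certificates and reports each one's Basic Constraints CA flag and whether Key Usage permits Certificate Sign, using openssl x509. It assumes openssl and awk are on PATH and that you supply the chain file path.

```shell
#!/bin/sh
# Added example (not from the original post): classify each certificate in a
# PEM chain file as CA or END-ENTITY from its X.509v3 Basic Constraints
# (CA:TRUE / CA:FALSE) and report whether Key Usage permits Certificate Sign.
# Assumes openssl and awk are on PATH; the chain file path is an argument.

# cert_is_ca FILE: succeed if the certificate carries basicConstraints CA:TRUE
cert_is_ca() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'CA:TRUE'
}

# cert_can_sign FILE: succeed if Key Usage lists Certificate Sign (keyCertSign)
cert_can_sign() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'Certificate Sign'
}

# classify_chain BUNDLE: print one line per certificate, in bundle order:
#   <n> <CA|END-ENTITY> keyCertSign=<yes|no> <subject>
classify_chain() {
    bundle="$1"
    tmp=$(mktemp -d) || return 1
    # split the bundle: every BEGIN/END block becomes its own numbered file;
    # text between blocks (bag attributes, blank lines) is dropped
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n); inblk = 1 }
        inblk { print > out }
        /-----END CERTIFICATE-----/ { close(out); inblk = 0 }' "$bundle"
    n=0
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || continue
        n=$((n + 1))
        if cert_is_ca "$f"; then kind=CA; else kind=END-ENTITY; fi
        if cert_can_sign "$f"; then sign=yes; else sign=no; fi
        subj=$(openssl x509 -noout -subject -in "$f" 2>/dev/null)
        printf '%s %s keyCertSign=%s %s\n' "$n" "$kind" "$sign" "$subj"
    done
    rm -rf "$tmp"
}

# A healthy chain shows "CA keyCertSign=yes" for the root and intermediates
# and "END-ENTITY keyCertSign=no" for the server certificate at the end.
# Usage: classify_chain chain.pem
```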
Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
Thursday, October 27, 2016
FortiAnalyzer WebGUI access issues
The FortiAnalyzer is a log/event collector and analyzer that allows for generating reports on and monitoring system-related activities such as:
traffic reports
ipsec/ssl vpn reports
admin & configuration reports
system related event
log retentions
When it ( FAZ ) works, it works great. When it gives you problems it can become a big headache. Here's a big problem under FAZ 5.4.1 that has come up a few times now.
1: symptoms: "you can log in to the WebGUI, but the GUI does not work"
2: SSH CLI access seems okay, by the way
screenshots
Okay, nothing from diag sys process shows anything out of the ordinary. But upon a simple execute backup, we found the filesystem read-only and the backup fails.
So it looks like the FAZ 5.4.x OS is not reliable in a virtual appliance. To get this appliance back into service, we had to execute reboot from the CLI.
After a reboot the unit can be backed up and WebGUI access works.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
Tuesday, October 25, 2016
The web portal under 5.4
Looking at the web portal in FortiOS v5.4 shows the site layout is now plain and simple.
Very simple, not complex, and very neat.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
Monday, October 24, 2016
Cisco ACS local-server certificate
With the Cisco ACS appliance the local server certificate is issued for 1 year. If it should expire, you can easily craft a new certificate, either self-signed or from a CSR.
The steps are very simple, under:
System Administration > Configuration > Local Server Certificates
1: select the certificate type with the correct CN/lifetime
2: ensure you set the new certificate to be used for EAP and the WebGUI
3: issue an acs stop and an acs restart after deleting the pre-existing local server certificate
4: confirm the new certificate is indeed being used;
e.g.
mac-1093e90f35a4:~ kfelix$ gnutls-cli 10.50.2.241 | grep expires
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
- subject `CN=WTW1INFPVTAC001', issuer `CN=WTW1INFPVTAC001', RSA key 2048 bits, signed using RSA-SHA256, activated `2016-10-11 19:02:25 UTC', expires `2019-10-11 19:02:25 UTC', SHA-1 fingerprint `5a6018dbf4ae42b22e99b449aa539e767d8af6eb'
mac-1093e90f35a4:~ kfelix$
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
PANOS product security vulnerabilities: a new approach
Palo Alto sent me an email a few days ago that was quite interesting. They are publishing a list of recent product security advisories.
(e.g.)
The link also directs you to the website that lists numerous issues and the affected PANOS versions. These posts are rated by current severity and include a brief summary.
They also have a product submission link for if you should find issues. The submission is quite simple.
https://securityadvisories.paloaltonetworks.com/Report
So it seems like Palo Alto is taking end-user feedback on issues found very seriously.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
Friday, October 14, 2016
Google Cloud Compute VPN to FortiGate
In this post I will show you how to craft a VPN from a FortiGate to the Google Cloud Compute Platform.
The process is straightforward:
1: you need to select a Google static IPv4 address for the VPN peer. This is the public address that you will use and define as the remote gateway on the FortiGate
2: define IKEv2 ( you can use IKEv1 )
3: define a shared pre-shared key ( watch for any typos; a PSK length of 12-20 characters is good, try to avoid whitespace or *!# )
4: define the local and remote subnets ( or use 0.0.0.0/0 in the quick selectors )
Once you have done all of the above, you can configure the FortiGate unit:
Phase1-interface cfg
( take note of my single proposal & dhgrp 14 )
FGT100D (root) # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "GCP"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha1
        set dhgrp 14
        set remote-gw 130.211.107.192
        set psksecret mysecrethereissogood
    next
end
Phase2-interface cfg
( take note of my single proposal & dhgrp 14; PFS is enabled by default )
FGT100D (mycust1) # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "GCP1"
        set phase1name "GCP"
        set proposal aes256-sha1
        set dhgrp 14
        set auto-negotiate enable
    next
end
Notice I'm using quad 0s for the src/dst-subnets, aka 0.0.0.0/0:0, in the above example.
Here are a few screenshots of a typical GCP VPN configuration. It's so easy a caveman can do it!
The last pieces you need are routes and firewall policies on both ends:
Google
FortiGate
config router static
    edit 1999
        set dst 10.240.0.0 255.255.0.0
        set device "GCP"
        set comment " my tunnel to GCP platform"
    next
end
tips:
- use IKEv2 for ISAKMP
- ensure DH group 14 only
- set the proposal to aes256-sha1
- set pfs enable
- ensure you know what interfaces you have in use at Google Compute
For diagnostics, use the GCP log view with the filter for ipsec.events. Look for the obvious problems or errors:
PSK mismatch
no acceptable proposals between peers
no acceptable SA src/dst-subnets ( if you specify src/dst-subnets and not 0.0.0.0/0 ... THEY HAVE TO MATCH )
Be very, very, very careful with route priority: if you use 0.0.0.0/0 as the proxy-ID selectors, set the priority so that the traffic you want goes over the tunnel.
A bad PSK match
A good, up-and-working GCP VPN will look like the following, with a green "check" mark icon.
!!!!!!!!!!!!!!! ADVANCED: BGP over IPsec for layer-3 network routing !!!!!!
You can also run BGP over the IPsec tunnel so routing information is shared. This is the same method that AWS uses, by the way, and the FortiGate is much easier to configure for this approach than other vendors' firewalls.
The steps break down as follows:
1: define a cloud-based router instance name
2: select a private ASN for Google and for your FortiGate ( e.g. ASN 65001 )
3: use a link-local IPv4 address for the Google and FortiGate endpoints ( APIPA 169.254.0.0/16 )
4: configure the FortiGate using the private AS numbers for the local AS and the peer's remote-as
5: monitor the VPN and BGP outputs
screenshots
Google Cloud Platform BGP config
FGT-2-GCP configurations
The FortiGate BGP configuration will require you to assign an IPv4 address directly on the IPsec tunnel interface, with the remote address being that of the Google Cloud Router instance.
Now you can use any of the FortiOS get commands to retrieve BGP information. Just remember the IPsec VPN must be up before BGP can reach Established and the peering relationship starts.
For example:
FGT100D (root) # get router info bgp summary
BGP router identifier 169.254.0.2, local AS number 65102
BGP table version is 1
1 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
169.254.0.1 4 65100 12 12 0 0 0 00:03:07 1
Total number of neighbors 1
FGT100D (root) # get router info bgp network
BGP table version is 1, local router ID is 169.254.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.240.0.0/16 169.254.0.1 100 0 65100 ?
Total number of prefixes 1
( other useful get-commands )
get router info bgp neighbors
get router info routing bgp
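Step 5 above ( monitor the VPN and BGP outputs ) as an added example that is not from the original post: a shell parser for the "get router info bgp summary" output shown here, reporting whether each neighbor is Established and usable as a monitoring check. SAMPLE_UP is copied from this post's output; SAMPLE_DOWN is a constructed sample for a peer whose tunnel is down.

```shell
#!/bin/sh
# Added example (not from the original post): parse FortiOS "get router info
# bgp summary" output and report, per neighbor, whether the session is
# Established. FortiOS prints a prefix count in the State/PfxRcd column when
# the session is Established and a state name (Idle, Active, Connect, ...)
# otherwise, which is what a monitoring check should key on.

# bgp_peer_status: reads summary output on stdin, prints one line per neighbor:
#   <neighbor> <ESTABLISHED|DOWN> <prefixes-received-or-state>
bgp_peer_status() {
    awk '
        /^Neighbor +V +AS/           { intable = 1; next }   # column header
        /^Total number of neighbors/ { intable = 0; next }
        intable && NF >= 10 {
            last = $NF                  # State/PfxRcd column
            if (last ~ /^[0-9]+$/)
                printf "%s ESTABLISHED %s\n", $1, last
            else
                printf "%s DOWN %s\n", $1, last
        }'
}

# bgp_all_established: succeed only when every neighbor is Established and has
# received at least one prefix; a peer that is up but empty is still a fault.
bgp_all_established() {
    bgp_peer_status | awk '
        $2 != "ESTABLISHED" || $3 == 0 { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Output copied from this post: the GCP tunnel is up and one prefix arrived.
SAMPLE_UP='BGP router identifier 169.254.0.2, local AS number 65102
BGP table version is 1
1 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.0.1     4 65100      12      12        0    0    0 00:03:07        1

Total number of neighbors 1'

# Constructed sample: the IPsec tunnel is down, so the peer sits in Active.
SAMPLE_DOWN='BGP router identifier 169.254.0.2, local AS number 65102
BGP table version is 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.0.1     4 65100       0       0        0    0    0 never    Active

Total number of neighbors 1'

printf '%s\n' "$SAMPLE_UP" | bgp_peer_status
printf '%s\n' "$SAMPLE_DOWN" | bgp_peer_status
```

On a live unit, feed the command output in over SSH instead of the samples; bgp_all_established's exit status is what a cron or monitoring job would alert on.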
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
Wednesday, October 12, 2016
HOWTO determine QUIC support by inspecting HTTP response headers
To go along with testing QUIC support in the previous blog post: in either Firefox or Chrome, websites that support QUIC connections will all advertise support for this protocol in their HTTP response headers.
examples:
Firefox browsers
notice SPDY ( "speedy" ) support is also in the response header
Chrome browsers
If you want to disable QUIC and SPDY for a client, use a proxy and drop these headers from the response.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
How to force QUIC connections with Google Chrome for testing
My day job is panicking over QUIC UDP connections and our proxy. QUIC is not new, but most network/security engineers don't understand it, much less know how to test for access with QUIC.
Here's a simple way to force a QUIC connection and to test whether your Chrome browser supports QUIC connections to a website, and whether your firewall and proxy support QUIC.
1>
From the CLI ( macOS X in my case ), we enable QUIC and set the server name:port that we are connecting to;
example CLI command launching Chrome:
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --enable-quic --origin-to-force-quic-on=<sitename>:<port> http://<sitename>
2> Now you can monitor these from the Chrome browser using Chrome's built-in URL for QUIC connections.
insert the following in a new window tab
notice the above connections were over my T-Mobile IPv6 hotspot, cool ;)
This is a sure way to enable QUIC connections and to monitor them. If the site is not available over QUIC you will get the classic QUIC connection error in your browser indicating the protocol.
e.g.
You can also inspect TLS over QUIC via the "https" icon if you want to inspect SSL/TLS and QUIC support, or use tshark.
( https over UDP port 443 )
notice UDP as the transport
If SSL/TLS is not supported or fails, your Unix shell will display the following output upon launching:
Ken
NSE Network Security Engineer
{ Fortigate, PaloAlto , CiscoASA }
kfelix a...t socpuppets.com
^ ^
=( @ @ )=
o
/ \
Thursday, October 6, 2016
HOWTO block FortiOS admin account access
In this quick post I will show you a 1-2-3 step process for blocking the admin account. As you probably know, admin is a factory account named in FortiOS:
1: you can delete it from config sys admin
2: if you remove it from a FortiOS config and restore that cfg, the firewall will still re-apply it.
It's like a bad rash that won't go away.
To make admin inoperative and satisfy any security concern, you need to hack around it. The process is simple:
Define a noaccess profile
Apply admin to the noaccess profile
Set a password value of more than 32 characters ( be advised FortiOS has a maximum password length )
e.g.
TIP: if paranoid
next, define two-factor authentication with an email address that's not valid
And finally apply trusthost statements for that account to an unused but routed address. The final configuration would look something like this:
system admin access profile with NONE
the account admin lockdown
Ken