Wednesday, May 31, 2017

gnutls tricks for SSL check

Have you ever used gnutls-cli-debug? It's one of the coolest tools in the gnutls suite.


Take a look at how easy it is to use and the data reported. Here's a website that does not support SSLv3, and the output:




How about google.com search (notice that it supports SSLv3):

 


The tool can be used to check mail-server gateways and confirm what is or is not supported.
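One way to turn a gnutls-cli-debug run into a pass/fail check, as an added example that is not from the original post. It assumes the "Checking for ... support... yes/no" line format of gnutls-cli-debug 3.x and only the -p port option; the sample report is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original post): flag legacy settings in a
# gnutls-cli-debug report. The report is read from stdin so the same function
# works on saved output as well as on a live probe.
audit_gnutls_report() {
    awk '
        /SSL 3.0/            && / yes *$/ { print "WEAK: SSLv3 accepted" }
        /export-grade/       && / yes *$/ { print "WEAK: export-grade ciphers accepted" }
        /anonymous auth/     && / yes *$/ { print "WEAK: anonymous key exchange accepted" }
        /SAFE renegotiation/ && / no *$/  { print "WEAK: no safe renegotiation (RFC 5746)" }
        /TLS 1.2/            && / no *$/  { print "WARN: TLS 1.2 not offered" }
    '
}

# Probe a live host and audit the result; gnutls-cli-debug takes -p <port>
# followed by the hostname. A mail gateway listening on SMTPS (465) would be
# probed with:  probe_host mail.example.com 465   (placeholder hostname)
probe_host() {
    gnutls-cli-debug -p "${2:-443}" "$1" 2>/dev/null | audit_gnutls_report
}

# Constructed sample shaped like a 2017-era gnutls-cli-debug run against a
# site that still accepts SSLv3 (not a real capture).
SAMPLE_REPORT='Checking for SSL 3.0 support... yes
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... yes
Checking for TLS 1.2 support... yes
Checking for export-grade ciphersuite support... no
Checking for anonymous authentication support... no
Checking for SAFE renegotiation support... yes'

# Running the audit over the sample prints: WEAK: SSLv3 accepted
printf '%s\n' "$SAMPLE_REPORT" | audit_gnutls_report
```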





Ken Felix




Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \

Tuesday, May 30, 2017

FortiOS v5.6 video

Here's a great source for the video information that's available on FortiOS v5.6 tips and tricks:

https://video.fortinet.com/video/252/fortios-5-6-gui-tips-and-tricks?fgt_model=FG1K5D&fgt_version=5.6.0&fgt_build=1449&fgt_page=dashboard


Additional video links are available for review and study.

Ken




FortiAnalyzer license expirations HOWTO

The FortiAnalyzer license expiration time can be tricky to determine. Here's one sure way: just ask the appliance for this information.



Keep in mind that not all FAZ virtual appliances and versions will display the license life in the widget that's available from within the WebGUI.

Reference, previous post:

http://socpuppet.blogspot.com/2017/05/fortianalyzer-license-expirations.html


Examples:


v5.4.1-build1082 




v5.4.3-build1187





I hope that you found this tip very useful.




Ken Felix







Monday, May 29, 2017

TIPS for analyzing FortiGate logging

Have you ever logged into the WebGUI, looked at the system resource widget and seen abnormal log rates for disk vs. FAZ?


e.g




In a multi-VDOM environment you might not be logging to disk for the other VDOMs, so the log rate per second could differ across logging targets.


You can quickly validate this via the CLI by executing get sys log settings and checking the status.




Alternatively, you can use the CLI and try to retrieve logs via disk vs. memory or FAZ to determine if logs are present in that VDOM for that logging target.


e.g




To delete the local logs, you can use the following CLI commands for the deletion and validation.


















Execute the log list command from above before you delete, and re-validate the date/timestamps.





Ken Felix






Saturday, May 27, 2017

IPsec VPN F5 to FortiGate Firewall

In this blog we will look at how to craft an IPsec VPN from an F5 to a FortiGate. The config is simple to deploy and even simpler to troubleshoot.



On the FGT you will craft a route-based VPN and specify the SRC/DST subnets like any other route-based VPN solution.






Ensure the proposal matches on the FGT and F5 sides; also don't forget the route for the destination network on the F5 and the target local subnet.


e.g.

config router static
   edit 666  
    set dst  10.52.132.250/32
    set dev  f5
end


Now on the F5 side of things we need to do the following:


  • set up a layer 3 forwarding VIP
  • define the phase 1 parameters (remote-gw, proposal, DH groups, PSK, etc.)
  • define an IPsec policy name with the proposal
  • and a traffic selector



Here are these steps:

PHASE1, aka IKE parameters for the IKE-SA





IPSEC-POLICY





TRAFFIC_SELECTOR for encryption of the Security Associations






NOTE: !!!!!!! The local/remote subnets need to match the FortiGate dst/src subnets exactly !!!!!!


Layer3 forwarding VIP




And finally, use the local racoon.log for diagnostics on the F5 appliance.





SPIs are bi-directional: the FGT outbound SA will be the F5 inbound SA and vice versa.



You can use the WebGUI IPsec diagnostics for any details and for displaying these diagnostics, but the racoon.log provides better diagnostic details, with tunnel creation times, errors and warnings.








Ken Felix




Fortinet demo center has opened

IIRC, the older post on the many Fortinet demo appliances:

http://socpuppet.blogspot.com/2015/10/ftnt-fortinet-demo.html


Here's a quick link to see what FTNT has available in its product lineup. They have branched out and spread into numerous "other" systems.


https://www.fortinet.com/demo-center.html


A sales rep can speak with you about acquiring a local demo, but since most of these items have a virtual appliance, it's easier to plumb this virtually and run your demo or POC for validation before you commit yourself.


Ken Felix





Friday, May 26, 2017

Hosted SITE-DOWN, F5 style, with iRules

When hosting web sites, we have the means to craft a "SITE-DOWN PAGE" to give feedback to the end users that the site is down and the reason why.

It's good practice to provide a comfort page so the user knows the site is down versus hitting dry air. The site being down could be from a host of issues:


  • planned maintenance
  • unplanned maintenance
  • server load
  • critical errors
  • application code errors
  • etc.




Concept #1 is a hosted HTML page via the F5 LTM.

example



Concept #2 is to host a pool of evergreen servers that house the SITE_DOWN pages. Bigger application hosting outfits typically use this method.

example


Concept #3 is to host a server node that houses the site-down page.


example



Concept #4 is a hosted data iFile that's called out as required.

example



Out of the above, the pool and/or node is the better method, since the administrators of the web server that hosts the site-down page can modify the content as required. If you set a NULL_POOL, you can always call up the "dummy" site and check the page. With an off-F5-LTM hosted site_down page, the F5 engineer would not be tied up with managing iFile or HTML response content.


With the NULL_POOL defined, you can point your browser at http://ww11.example.com and it will call up our hosted site_down page for testing:

http://ww11.example.com




And lastly, you could use a simple HTTP redirect or fallback statement, but be advised of mistakes with bad 302 redirects or, even worse, redirect loops.










Finally, the title of this post was specific about examples using iRules. We have one more method that's even simpler.

By using a priority group with a node (or nodes) set as the SITE_DOWN, you can apply that node to your pools to host the site-down page when all other nodes in that pool are down.

See this Visio diagram where we have two priority groups; the last group with the server node "SSD" will be hit for the SiteDown page when !!!!! ALL OTHER NODES HAVE FAILED !!!!











Ken Felix






Thursday, May 25, 2017

HOWTO export the MACOSX RootCA List

The MACOSX keychain holds the root CAs that are pre-installed by the system. Approx 180 CAs are pre-canned in the OS.


Here's a quick way to export ALL of them:

1: Open Keychain Access and click System

2: Select the listed CAs



3: Select "Export"





4: DO NOT CLICK "GET INFO" unless you want 192 pop-up screens on your desktop



After the export has been saved you will have a PEM bundle; you can use this simple script for listing the bundle names and dates:
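A script of the kind described above, added here as an example and not the script from the original post: it lists the subject and expiry date of each certificate in the exported PEM bundle and separately reports any that are already expired. It assumes openssl is on PATH; the file name is a placeholder.

```shell
#!/bin/sh
# Added example, not the script from the original post: walk a PEM bundle such
# as the Keychain Access export above and report each certificate's subject
# and notAfter date. Assumes openssl is on PATH.
NL='
'

# Print "subject=..." and "notAfter=..." for every certificate in the bundle.
# awk cuts the file at the PEM markers and feeds one block at a time to openssl.
list_pem_bundle() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; pem = "" }
        inside { pem = pem $0 "\n" }
        /-----END CERTIFICATE-----/ {
            inside = 0
            cmd = "openssl x509 -noout -subject -enddate"
            printf "%s", pem | cmd
            close(cmd)
        }' "$1"
}

# Number of certificates in the bundle (one END marker per certificate).
count_pem_bundle() {
    grep -c -- '-----END CERTIFICATE-----' "$1"
}

# Subjects of certificates that are already past notAfter: openssl x509
# -checkend 0 exits non-zero when the certificate has expired.
list_expired() {
    pem=""
    while IFS= read -r line; do
        case "$line" in
        *BEGIN\ CERTIFICATE*) pem="$line" ;;
        *END\ CERTIFICATE*)
            pem="$pem$NL$line"
            if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
                printf '%s\n' "$pem" | openssl x509 -noout -subject
            fi
            pem="" ;;
        *) if [ -n "$pem" ]; then pem="$pem$NL$line"; fi ;;
        esac
    done < "$1"
}

# Usage (file name is a placeholder for your export):
#   list_pem_bundle Certificates.pem
#   list_expired Certificates.pem
```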




Ken Felix




Monday, May 22, 2017

FortiGate SSLVPN and multiple realms

In this blog we will show how to use a FortiGate with numerous realms. The realm name would be the target URL path:

e.g.

https://sslvpn.example.com/vpnclientfr
https://sslvpn.example.com/vpnclientsp

In this design, we have crafted 2 realms for our Spanish and French speakers. This will allow you to craft unique pages and even have unique authentication requirements such as users/groups/LDAP auth servers.

1st, here's a topo map:





2nd, you need to craft the respective realms and web portals. In my case the web portals are web-mode only, but these could be tunnel-mode or a combination.




In our VPN SSL settings we will define the auth-roles:



And now if you log in at your site with the correct realm, you will be authenticated by that auth-role and presented with just that web portal.



And for our French speakers:


  

TIP: make sure you have the SSLVPN firewall policies with the correct group(s).
 
Yeap, it's that easy!




Ken Felix


Saturday, May 20, 2017

FortiAnalyzer license expirations







Here's what happens if you let a FAZ unit's license expire, from the CLI aspect. The WebGUI is pretty much useless, btw.



FAZ-001 # config sys admin user
Critical error: command 'system.admin.user' is not permitted if no valid license

No permission to 'config system.admin.user'

FAZ-001 # config system  global
Critical error: command 'system.global' is not permitted if no valid license

No permission to 'config system.global'

FAZ-001 # config sys  mail 
Critical error: command 'system.mail' is not permitted if no valid license

No permission to 'config system.mail'

FAZ-001 # config sys  snmp community
Critical error: command 'system.snmp.community' is not permitted if no valid license

No permission to 'config system.snmp.community'


Most system config items that are NOT networking related are blocked. Diag commands do work for the most part, btw.

Ken Felix


