PANOS ntp issues when not using mgmt interface

 If you have dns and ntp setup with a non-mgmt interface and a service route, you need to source the NTP with a different address/interface from that of DNS

e.g 

views of the cfg

NSE ( network security expert) and Route/Switching Engineer

kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^

=(  @  @ )=

         o

      /      \ 

DTLS forticlient fortios v5.4.

In this blog I will show you how to enable  DTLS for FortiClient. In this example we have  the following

FORTIGATE = 900D
FortiOS = v5.4.5
FortiClient  = v5.6.0
OS =  windows10


1st, 

DTLS is only support in  the windows FortiClient versions ( sorry.... no support for macosx !)

2nd, 

you need 5.4.x code or higher to enable   DTLS on the fortigate

3rd,

you must enable the DTLS preferred in the client xml  ( download the cfg and edit the highlight light to a value of 1 }



4th

Ensure you have access to udp port. In  this example I'm using my  macosx host to check that udp.port 443 is available &  via gnutls-cli ( use the -u switch for udp )






The mode of operation is very  simple,

The FortiClient talks tcp over the designated port and then switched to  udp if the client prefers udp. 

Keep in mind that going thru a http-forward-proxy might break the renegotiation to udp , but if the DTLS setup fails,  the  Client will fallback to just  tcp.port 443

Here's a dump of  traffic showing a windows std and 1200 byte pings





Here's snippet of a wndows10 forticlient exported logs.





One cool thing you can do. You can run a diagnostic session  from the cli and see the client > Be advise the  SSLVPN session is terminate to a "pseudo firewall policy# "





     valid firewall policies numbers are 1 thru 4294967294



This is where the ciscoASA has a advantage, the  cisco ASA has support DTLS for over  5+  years with webvpn.

Ken Felix

NSE ( network security expert) and Route/Switching Engineer

kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^

=(  @  @ )=

         o 

        /  \

Using the fortimanager to schedule a FortiOS upgrade

Within the fortinet Manager, you can schedule upgrades  for later execute against a  single or series of fortigates.


Navigate to the Device Manager > firmware 



Select your device.




{ Review the  available firmware and select that firmware after you  read  the release notes ,make sure to follow any upgrade paths }

toggle the schedule

select the date/time  ( something in the future )

 

 NOTE: You can always  cancel a upgrade that's scheduled by selecting the cancel button.

Ken Felix

NSE ( network security expert) and Route/Switching Engineer

kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^

=(  @  @ )=

         o 

        /  \

Determining OSPF.interface mtu byte sizes via a packet capture

When using OSPF, the need can arise to validate the OSPF-interface-value amongst   OSPF neighbors.

If md5 authentication is not deploy the OPSF database descriptor will carry the  OSPF_interface_MTU value in the clear. A tool like  tshark/wireshark will easily display that value.


e.g

In a proper OSPF topology all interfaces attached to the LAN would use the same value. By dumping the  OSPF packets you can easily find the  Interface MTU value and ospf neighbors that are not configured correctly.






By using  a packet.capture you can easily  gather statistics without login into numerous routes or devices  for gathering ospf show  collections

Ken Felix

NSE ( network security expert) and Route/Switching Engineer

kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^

=(  @  @ )=

         o 

        /  \

securing mysql with SSL/TLS

With databases and application  servers, we find  that most org do NOT  deploy SSL/TLS encryption. This post will demo  how easy it's to  set a  mysql server up for   SSL/TLS. Most  DBAs I've  meet thinks;

•  its hard to setup and configure
•  are just plain lazy
•  feels it's offer zero-security benefits
•  or a combination of ALL thee above :)

You will need the following for the server;

CA-cert
Server-cert
Server-key

You will need the following for the client(s);

CA-cert
Client-cert
Cient-key

1st here's my simplified  my.cnf cfg  ( this is very basic lean down conf )

[mysqld] 

bind-address = *

ssl-ca=/etc/ssl/ca.pem

ssl-cert=/etc/ssl/server-cert.pem

ssl-key=/etc/ssl/server-key.pem

Now to check for SSL support you need to  show global variables and match on SSL. If your  successful upon a restart the  DISABLE will be ENABLE and SSL support will be included in the mysql server services

Now we can test for basic  access with the root account and by specifying  SSL;

To lock this down for just a  database user account, you will grant  ( them  )  permission and set  required SSL for that user(s).

And now compare a SSL and non_SSL  access 

If a user that's required  SSL tries without  SSL certificates ( he/she ) will  get a reject message similar to  the below;

Yes it's really that simple. 

In a real professional environment, you will craft unique client-certificates  & 1 per  users  and ensure that the user has secured and protected his  key via a passphrase. 

If you  want to revoke his access revoke the cert and  remove his access.

  For  the   mysql services ensure the mysql  user that runs the daemon can read the server-private-keyfile .... I seen this  issue being the #1 problem when setting up  mysql w/SSL-TLS. chown and chmod the permission  for the priv-key   and  just for the mysql-services account

Ken Felix

NSE ( network security expert) and Route/Switching Engineer

kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^

=(  @  @ )=

         o 

        /  \