Tuesday, July 31, 2018

0119Y2038 www.1192038.com




perl -e "use Time::HiRes qw(gettimeofday); print gettimeofday ; print '{Do you have Time }' "



http://www.1192038.com is coming soon!







NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \

Saturday, July 28, 2018

FTNT is in the GCP cloud, and this is good news

I was surprised to see the news that Fortinet security is in the Google Cloud.



The images are BYOL style, but the FTNT website did mention PAYG, which I just think means your hourly VM rate + BYOL. I will investigate this with my FTNT partner.






I spun up an image just to check it out, and they are running FortiOS v6.0.1, which is not desired but expected.





The time for deployment was an amazing 1 min or less, so you can't beat that imho.


 



BTW: after deployment you will receive a welcome-type email with links on usage.













Thursday, July 26, 2018

HOWTO use the FortiOS API to add and delete entries

I'm writing this post to demo a few simple ways of adding addresses to a FortiGate so they can be used in a blacklist. The API is simple and quick, and with a for loop you can add hundreds of address entries to an FGT for a blacklist in a matter of seconds.


You do not need any special account, just an admin profile (role) that allows read/write in FortiOS and an interface that has allowaccess https.

The first thing to understand: the initial /logincheck returns a ccsrftoken cookie. It is only needed for POST, PUT and DELETE actions against the FGT, and it goes in a custom X header of the form "X-CSRFTOKEN: BlahBlahBlahBlah".


In my demo I will show how to grab the token. With curl and the -c option you can write the cookies to a file while authenticating against the FGT over HTTPS with an administrator account,

e.g

curl -k -s -c fgtcookies -d username=kfelix -d secretkey=test1234 https://192.168.1.99/logincheck


The file "fgtcookies" now holds your session cookies and the CSRFTOKEN (FortiOS writes the token value in quotes; strip them before putting it in the header). You will use a "POST" to add entries, "DELETE" to remove "existing" entries and a "PUT" to modify entries. Two things to keep in mind with that login line: -k turns off certificate verification, and the admin password ends up in your shell history and in ps output, so outside a lab trust the FGT's certificate and read the secret from a file or environment variable instead.

That token has to be sent as the X-CSRFTOKEN header on every write.

See examples below







Now we will add and delete a few firewall address entries using the POST and DELETE HTTP methods, passing the token as the custom X header.











In this case I ran these curl calls manually and set the data for POST|DELETE, but in real life you would have a script that loops through and adds or deletes the entries. Your IPv4 list could be seeded from a threat-intelligence feed or a SIEM.

Or you could download a blacklist, format it as JSON and feed that file to the call.

e.g





These entries would be added to a predefined addrgroup in the same fashion (http.method==POST), and that address group is then used to deny traffic in a firewall policy.


Here are a few API calls that can be used for monitoring or reading config. These are examples I cooked up just for this post.

>

Reading all of system global with a GET and grepping for the word admin


curl -k  -b fgtcookies -H "Content-Type: application/json"  -H "Accept: application/json"  https://192.168.1.99/api/v2/cmdb/system/global | grep admin





>
Reading the system admin named kfelix


curl -k  -b fgtcookies -H "Content-Type: application/json"  -H "Accept: application/json"  https://192.168.1.99/api/v2/cmdb/system/admin/kfelix




>
Reading the system status


curl -k  -b fgtcookies -H "Content-Type: application/json"  -H "Accept: application/json"  https://192.168.1.99/api/v2/cmdb/system/status



>
Reading firewall policy ID 2


curl -k  -b fgtcookies -H "Content-Type: application/json"  -H "Accept: application/json"  https://192.168.1.99/api/v2/cmdb/firewall/policy/2





NOTE: in these HTTP GETs, if you don't supply a key value the API returns every object under that path/table

e.g

{ displays all policy IDs }

curl -k  -b fgtcookies -H "Content-Type: application/json"  -H "Accept: application/json"  https://192.168.1.99/api/v2/cmdb/firewall/policy/


{ displays only policy ID 7 }

curl -k  -b fgtcookies -H "Content-Type: application/json"  -H "Accept: application/json"  https://192.168.1.99/api/v2/cmdb/firewall/policy/7


So play around with the API and use it to automate daily tasks and to speed up bulk changes. Test the API and your scripts in a lab before running POST|DELETE against a production environment.

Also make sure you put sanity checks in place:

      * if you are building a blacklist, add the entries to the address group as /32 host objects
      * check your feeds and scripts so you never add your own blocks or trusted networks
      * be very careful with DELETE operations
      * make system config backups before and after the operations run
      * !!!! YMMV, use extreme caution until you have it all under control !!!!
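Here is the scripted version of the loop described earlier and of the sanity checks just listed, as an added example for this post rather than the author's own code. It wraps the FortiOS calls shown above (logincheck, the ccsrftoken header, POST/DELETE on firewall/address, PUT on the address group) in shell functions, validates the feed before anything is blocked, and takes a config backup before and after. The address group name BLACKLIST, the object-name prefix "bl-", the monitor-API backup path and the sample data are assumptions for this example, not taken from the post.

```sh
#!/bin/sh
# Added example for this post (not the author's code): wrap the FortiOS REST
# calls above in shell functions so a feed of IPv4 addresses can be pushed
# into (POST), purged from (DELETE) and grouped (PUT) on a FortiGate, with
# the sanity checks from the list above built in.
# Assumptions not taken from the post: the backup path marked below, the
# group name BLACKLIST, the object-name prefix "bl-" and the sample data.

FGT_HOST="${FGT_HOST:-}"      # e.g. 192.168.1.99; leave empty for an offline dry run
JAR="${JAR:-fgtcookies}"      # cookie jar written by curl -c on /logincheck
GROUP="${GROUP:-BLACKLIST}"   # existing address group referenced by a deny policy

# curl -c writes a Netscape cookie jar: 7 tab-separated fields, name in $6,
# value in $7. FortiOS quotes the ccsrftoken value; the header wants it bare.
fgt_csrf_token() {
    awk 'BEGIN { FS = "\t" } $6 == "ccsrftoken" { gsub(/"/, "", $7); print $7; exit }' "$1"
}

fgt_addr_name() { printf 'bl-%s' "$1"; }   # prefix makes feed objects easy to find and purge

# Body for POST /api/v2/cmdb/firewall/address: always a /32 host object, so
# one bad feed line cannot black-hole a whole range.
fgt_addr_json() {
    printf '{"name":"%s","type":"ipmask","subnet":"%s 255.255.255.255","comment":"blacklist feed"}' \
        "$(fgt_addr_name "$1")" "$1"
}

# Body for PUT /api/v2/cmdb/firewall/addrgroup/<name>: replaces the member list.
fgt_group_json() {
    members=$(for ip in "$@"; do printf '{"name":"%s"},' "$(fgt_addr_name "$ip")"; done)
    printf '{"member":[%s]}' "${members%,}"
}

# Only a plain dotted-quad with octets 0-255 gets anywhere near the API.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

# Drop junk lines, duplicates and anything on the trusted list ($2, one
# address per line) before it can ever be blocked.
feed_filter() {
    while IFS= read -r ip; do
        is_ipv4 "$ip" || continue
        grep -qxF "$ip" "$2" && continue
        printf '%s\n' "$ip"
    done < "$1" | sort -u
}

# ---- network side: only reached when FGT_HOST is set -----------------------
fgt_login() {                                   # $1 admin user, $2 password
    curl -k -s -c "$JAR" -d "username=$1" -d "secretkey=$2" \
        "https://$FGT_HOST/logincheck" > /dev/null
}

# $1 HTTP method, $2 path under /api/v2/cmdb, $3 JSON body (optional).
# Every write carries the token from the jar in the X-CSRFTOKEN header.
fgt_cmdb() {
    method=$1; path=$2; body=${3:-}
    tok=$(fgt_csrf_token "$JAR")
    set -- -k -s -b "$JAR" -X "$method" -H "X-CSRFTOKEN: $tok" \
        -H "Content-Type: application/json" -H "Accept: application/json"
    if [ -n "$body" ]; then set -- "$@" -d "$body"; fi
    curl "$@" "https://$FGT_HOST/api/v2/cmdb/$path"
}

fgt_add_host()  { fgt_cmdb POST firewall/address "$(fgt_addr_json "$1")"; }
fgt_del_host()  { fgt_cmdb DELETE "firewall/address/$(fgt_addr_name "$1")"; }
fgt_set_group() { fgt_cmdb PUT "firewall/addrgroup/$GROUP" "$(fgt_group_json "$@")"; }
# Config backup via the monitor API (path assumed from FortiOS 6.x, not from the post).
fgt_backup()    { curl -k -s -b "$JAR" "https://$FGT_HOST/api/v2/monitor/system/config/backup?scope=global" > "$1"; }

# Usage: FGT_HOST=192.168.1.99 FGT_USER=kfelix FGT_PASS=... sh fgt_blacklist.sh feed.txt trusted.txt
if [ -n "$FGT_HOST" ] && [ $# -ge 2 ]; then
    fgt_login "${FGT_USER:?}" "${FGT_PASS:?}"
    fgt_backup "before-$(date +%Y%m%d%H%M).conf"
    feed_filter "$1" "$2" > feed.ok
    while IFS= read -r ip; do fgt_add_host "$ip"; echo; done < feed.ok
    fgt_set_group $(cat feed.ok)                # unquoted on purpose: one member per line
    fgt_backup "after-$(date +%Y%m%d%H%M).conf"
    curl -k -s -b "$JAR" "https://$FGT_HOST/logout" > /dev/null
fi
```

With FGT_HOST unset the script only defines the helpers, so you can source it and exercise fgt_csrf_token, fgt_addr_json and feed_filter against a saved cookie jar and a feed file before pointing it at a real FGT. The group membership is replaced wholesale with one PUT rather than appended to, so a shrinking feed also removes stale entries; the /32 objects themselves are left behind and can be purged with fgt_del_host.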











Monday, July 23, 2018

Random IP address generator in Perl

Here's a simple Perl script for generating random addresses that could come in handy. I'm working on an anonymizer tool and figured I would use some of my Perl scripting skills.







Here's the final Perl script that generates random network values:

#!/usr/bin/perl
#  kfelix    1plus1rq2.com  kfelix socpuppets.com
#
# Print one random IPv4 address for test/anonymized data. perl's rand() is
# fine for synthetic values but is not a CSPRNG; don't use it for secrets.
#
# for testing purpose
#-------------------------------
#print rand(), "\n";
#print rand(10), "\n";
#-------------------------------
use strict;
use warnings;

my $minimum  = 1;     # first octet stays off 0.x.x.x
my $maximum  = 254;   # and off 255.x.x.x
my $minimum0 = 0;     # remaining octets may start at 0

# rand(N) returns a float in [0, N), so int($min + rand($max - $min + 1))
# yields $min..$max inclusive; without the +1 the top value is never produced.
my $ran_numA = int( $minimum  + rand( $maximum - $minimum  + 1 ) );
my $ran_numB = int( $minimum0 + rand( $maximum - $minimum0 + 1 ) );
my $ran_numC = int( $minimum0 + rand( $maximum - $minimum0 + 1 ) );
my $ran_numD = int( $minimum0 + rand( $maximum - $minimum0 + 1 ) );

print join( '.', $ran_numA, $ran_numB, $ran_numC, $ran_numD ), "\n";





With GDPR compliance issues around privacy, and other bodies like mil/gov, the ability to randomize or purge sensitive information in data files comes in handy.
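To show the generator doing the job the post has in mind, here is the same idea applied to a whole log file, as an added example for this post and not the author's code. Every IPv4 address in the input is replaced by a random one using the same octet ranges as the Perl script, and the same real address always maps to the same fake address so the anonymized file still correlates (that consistent mapping is an addition, not something the post's script does). The sample log lines in the usage note are constructed for this example.

```sh
# Added example for this post, not the author's code: the Perl generator
# above applied to a log file with awk. Every IPv4 address is swapped for a
# random one, and the same real address always gets the same fake one.
#
# $1 = seed ($$ for one-off runs; a fixed seed makes the mapping reproducible,
# which is handy in a lab and a leak in production). Input on stdin,
# anonymized text on stdout. Anything that looks like a dotted quad is
# replaced, version strings like 6.0.1.2 included.
anonymize_ips() {
    awk -v seed="$1" '
    BEGIN { srand(seed) }
    # Same ranges as the Perl script: first octet 1-254, the rest 0-254.
    # Fakes are kept distinct from each other so two real hosts never merge.
    function rand_ip(  ip) {
        do {
            ip = int(1 + rand() * 254) "." int(rand() * 255) "." int(rand() * 255) "." int(rand() * 255)
        } while (ip in used)
        used[ip] = 1
        return ip
    }
    {
        line = $0; out = ""
        while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = substr(line, RSTART, RLENGTH)
            if (!(ip in map)) map[ip] = rand_ip()      # one fake per real address
            out = out substr(line, 1, RSTART - 1) map[ip]
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}

# usage: anonymize_ips "$$" < firewall.log > firewall.anon.log
```

Two constructed lines such as "src=203.0.113.5 dst=198.51.100.7 action=deny" and "src=203.0.113.5 dst=10.0.0.1 action=allow" come out with the same fake src on both lines and everything else untouched. A fake can still collide with a real address that appears later in the file; if that matters, pre-load the used table with every address in the input on a first pass.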









Wednesday, July 18, 2018

PCNSE exam pass

I took the revamped PCNSE exam. It overlapped with the earlier PCNSE 6 and 7 exams that I have taken in the past, and now PANW is dropping the number for just the title PCNSE.

e.g. no more version number




https://www.paloaltonetworks.com/services/education/pcnse


The exam covers a host of items: NAT, diagnostics, decryption, Panorama, security policy, etc.

The key to passing these exams is to study the answers. For most questions you can easily determine which answers are 100% incorrect.

Read the FAQ before studying and setting a date. When you're ready, go git'er done!

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/PCNSE_FAQ.pdf

The exam was 75 questions with 80 minutes to complete it. That left plenty of time to review the answers before submitting. PearsonVue will send you a final score sheet and validation IDs.


Remember to validate the exam at PearsonVue and then check at PANW:

http://www.pearsonvue.com/authenticate/
https://www.certmetrics.com/PaloAltoNetworks/public/verification.aspx









Monday, July 2, 2018

IKEV2_NOTIFY_TS_UNACCEPTABLE

IKEv2 has a built-in way to help diagnose traffic-selector mismatches. In this example we have a simple IKEv2 gateway on a PAN-OS device, and using the NCP client I will demonstrate how.


The NCP client has been configured with the following:

  •    local identity: blog
  •    static address: 192.168.127.12
  •    split-tunnel networks (one of which is not allowed by the PAN-OS IPsec config; we will explore this further below)
  •    PSK (no XAUTH or EAP)
  •    the PAN-OS gateway is configured only for 192.168.127.0/24 and 192.168.12.0/24 as the remote/local subnets

Here is what the PAN-OS device expects, in a simple screenshot of the IPsec tunnel:


Here is our NCP client configuration:









Here is what happens when the initiator and responder match on the traffic selectors (take note of the TSi and TSr values):





So the TSi (initiator) and TSr (responder) values are listed for the IPsec SA. If either party offers traffic selectors that are not allowed, you get an IKEV2_NOTIFY_TS_UNACCEPTABLE message similar to the following:

{ NCP client logs }


On the PAN device, the vpn log type shows the IPsec SA negotiations:




How I forced a bad TS: in my NCP config I enabled split tunnelling with a proxy ID that the PAN-OS device was not expecting.

(for example, the prefix 192.168.122.0/24 is not configured in the proxy IDs on the Palo Alto device for this IPsec tunnel)




With IKEv1 on a Cisco ASA, for example, a TS mismatch would surface as an ESP payload error instead of a named notify. So always inspect the IKEv2 messages in a debug and look for mismatches in the TS values.
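The mismatch above can be reproduced on paper before touching a debug. The check below is an added example for this post, not the author's code: each traffic selector the client proposes is compared with the peer's configured proxy-ID prefixes, and any selector that is not fully inside one of them is the one to expect TS_UNACCEPTABLE for. The prefixes are the ones from this post; the function names are assumptions. One caveat: a responder that follows RFC 7296 narrowing would shrink an over-wide selector rather than reject it, so treat a hit as "go look at the debug", not as proof of how a given peer behaves.

```sh
# Added example for this post, not the author's code: flag proposed IKEv2
# traffic selectors that the peer's proxy-ID configuration cannot satisfy.
# Prefix values are from the post; helper names are this example's own.

# Is prefix $1 (a.b.c.d/n) fully inside one of the comma-separated prefixes in $2?
# Prints "COVERED by <prefix>" or "TS_UNACCEPTABLE".
prefix_covered() {
    awk -v want="$1" -v cfg="$2" '
    function ip2int(s,  o) { split(s, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    function bits(p,  a)   { split(p, a, "/"); return (a[2] == "") ? 32 : a[2] + 0 }
    # network address = ip with the host bits cleared
    function net(p,  a, b) { split(p, a, "/"); b = ip2int(a[1]); return b - (b % (2 ^ (32 - bits(p)))) }
    function last(p)       { return net(p) + 2 ^ (32 - bits(p)) - 1 }
    BEGIN {
        n = split(cfg, c, ",")
        for (i = 1; i <= n; i++)
            if (net(want) >= net(c[i]) && last(want) <= last(c[i])) { print "COVERED by " c[i]; exit }
        print "TS_UNACCEPTABLE"
    }'
}

# Audit one proposal from the initiator side.
# $1 = peer "local" prefixes (what the peer accepts as TSr)
# $2 = peer "remote" prefixes (what the peer accepts as TSi)
# $3 = our TSi list, $4 = our TSr list; all lists comma-separated.
ts_check() {
    for ts in $(printf '%s\n' "$3" | tr , ' '); do
        printf 'TSi %s: %s\n' "$ts" "$(prefix_covered "$ts" "$2")"
    done
    for ts in $(printf '%s\n' "$4" | tr , ' '); do
        printf 'TSr %s: %s\n' "$ts" "$(prefix_covered "$ts" "$1")"
    done
}

# The post's scenario: PAN-OS local 192.168.12.0/24, remote 192.168.127.0/24;
# the NCP client proposes its static address plus two split-tunnel networks,
# one of which (192.168.122.0/24) the gateway has no proxy ID for.
ts_check 192.168.12.0/24 192.168.127.0/24 \
         192.168.127.12/32 \
         192.168.12.0/24,192.168.122.0/24
```

Run as written it prints one line per selector; the static address and 192.168.12.0/24 come back COVERED and 192.168.122.0/24 comes back TS_UNACCEPTABLE, which is exactly the selector the NCP log and the PAN vpn log disagree about above.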








