You do not need any special account, just an admin role that allows you to write/delete in FortiOS and an interface that has allowaccess https.
The first thing you need to understand: the initial logincheck provides a ccsrftoken value. This is only needed when POST, PUT or DELETE actions are taken against the FGT. You need to provide this token in a custom X header, in the format "X-CSRFTOKEN: BlahBlahBlahBlah".
In my demo I will show you how to grab the token. Using curl with the -c option, you can write the cookies out while authenticating against the FGT via HTTPS with an administrator account,
e.g
curl -k -s -c fgtcookies -d username=kfelix -d secretkey=test1234 https://192.168.1.99/logincheck
The file "fgtcookies" will hold your cookies and the CSRFTOKEN. You will use a "POST" to add entries, "DELETE" to delete "existing" entries and a "PUT" to modify entries.
This CSRFTOKEN has to be present as an X- header.
See examples below
Now we will add and delete a few firewall entries using the POST and DELETE HTTP methods, adding the token as a custom X header.
In this case I used these calls with curl manually and set the data for POST|DELETE, but in real life you would have a script that loops through and adds or deletes the entries. Your IPv4 list could be seeded from a threat intelligence feed or a SIEM.
Or you could download a blacklist, format it as JSON and call that file up for execution,
e.g
These entries would be added to a predefined addrgroup in the same fashion, with http.method==POST, and that address group is then used to deny traffic in a policy on the firewall.
Here are a few API calls that can be used for monitoring or reading config. These are examples I cooked up just for this blog post.
Reading all of system global and grepping for the word admin with a GET:
curl -k -b fgtcookies -H "Content-Type: application/json" -H "Accept: application/json" https://192.168.1.99/api/v2/cmdb/system/global | grep admin
Reading the system admin named kfelix:
curl -k -b fgtcookies -H "Content-Type: application/json" -H "Accept: application/json" https://192.168.1.99/api/v2/cmdb/system/admin/kfelix
Reading the system status:
curl -k -b fgtcookies -H "Content-Type: application/json" -H "Accept: application/json" https://192.168.1.99/api/v2/cmdb/system/status
Reading firewall policy ID 2:
curl -k -b fgtcookies -H "Content-Type: application/json" -H "Accept: application/json" https://192.168.1.99/api/v2/cmdb/firewall/policy/2
NOTE: In these HTTP GETs, if you don't supply a value the FGT will display all objects under that path/table,
e.g.
{ displays all policy IDs }
curl -k -b fgtcookies -H "Content-Type: application/json" -H "Accept: application/json" https://192.168.1.99/api/v2/cmdb/firewall/policy/
curl -k -b fgtcookies -H "Content-Type: application/json" -H "Accept: application/json" https://192.168.1.99/api/v2/cmdb/firewall/policy/7
Also make sure you put sanity checks in place:
* if you are blacklisting, add entries to the address group with a /32 subnet value
* check your feeds and scripts to ensure you do not mistakenly add your own blocks or trusted networks
* be very careful with DELETE operations
* make system-config backups before and after the operations are run
* !!!! YMMV and use extreme caution until you get it all under control !!!!
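As an added example (my own code, not from the post or from Fortinet), here is the scripted version of the loop described above: it applies the sanity checks from the list to the feed before anything is pushed, logs in the way the curl -c call did, and sends X-CSRFTOKEN on every write. It assumes the FortiOS "subnet" field accepts CIDR notation and that the address group already exists; the blk_ name prefix and the TRUSTED ranges are my own choices.

```python
import http.cookiejar, ipaddress, json, ssl, urllib.parse, urllib.request

# Constructed: networks the script must never blacklist (your own and trusted ranges).
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]

def vet_feed(lines, trusted=TRUSTED):
    """Sanity checks from the post: keep only IPv4 /32 hosts outside the trusted networks."""
    keep = set()
    for raw in lines:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            continue                                   # blank, comment or garbage line: skip, do not abort
        if net.version != 4 or net.prefixlen != 32 or any(net.subnet_of(t) for t in trusted):
            continue                                   # one IPv4 host per entry, never our own ranges
        keep.add(f"{net.network_address}/32")
    return sorted(keep)

def address_body(cidr):
    """Body for POST /api/v2/cmdb/firewall/address; the blk_ name prefix is my convention."""
    return {"name": "blk_" + cidr.split("/")[0], "type": "ipmask", "subnet": cidr}

class FortiSession:
    """Login once (what `curl -c` did), keep the cookies, send X-CSRFTOKEN on every call."""
    def __init__(self, base, user, secretkey, verify_tls=True):
        self.base, self.jar = base, http.cookiejar.CookieJar()
        ctx = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()  # -k
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(self.jar),
                                                  urllib.request.HTTPSHandler(context=ctx))
        form = urllib.parse.urlencode({"username": user, "secretkey": secretkey}).encode()
        self.opener.open(base + "/logincheck", data=form)
        # FortiOS wraps the cookie value in double quotes; the header needs the bare token.
        self.token = next(c.value for c in self.jar if c.name == "ccsrftoken").strip('"')
    def call(self, method, path, body=None):
        req = urllib.request.Request(self.base + path, method=method,
                                     data=json.dumps(body).encode() if body is not None else None,
                                     headers={"Content-Type": "application/json", "X-CSRFTOKEN": self.token})
        with self.opener.open(req) as resp:
            return json.load(resp)

def push_blacklist(sess, feed_lines, group):
    """Create one address object per vetted host, then make them the group's members."""
    names = []
    for cidr in vet_feed(feed_lines):
        body = address_body(cidr)
        sess.call("POST", "/api/v2/cmdb/firewall/address", body)
        names.append(body["name"])
    # PUT replaces the member list: GET the group and merge first if it already has members.
    sess.call("PUT", f"/api/v2/cmdb/firewall/addrgroup/{group}", {"member": [{"name": n} for n in names]})
    return names
```

Take a config backup before running it against a real unit, as the list above says, and run vet_feed on its own first to see exactly what would be pushed.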
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \