Wednesday, September 26, 2018

FortiOS API and policy creations

I had an earlier email dialog with a user who found my API blog post that I posted earlier and had a question on adding a new policy within FortiOS.




Note: the POST action creates the policy and PUT modifies an existing item. You need to ensure you select the right policyid#.

Be very, very, very careful to ensure you do NOT modify or DELETE a policyid# that is not the correct one.

What a lot of orgs that use API automation do is run a script to back up the firewall first, or list out all policies, and only then execute the change, regardless of whether it's an ADD, DELETE or MODIFY { POST, DELETE, PUT }.


Also make sure you put sanity checks in place:

      * if you are building a blacklist, add entries to the address group with a /32 subnet value
      * check your feeds and scripts to ensure you do not mistakenly add your own blocks or trusted networks
      * be very careful with DELETE operations
      * make sys-config backups before and after the operations are run
      * !!!! YMMV, and use extreme caution until you get it all under control !!!!




!!!! Any API call that's a GET is read-only and will cause zero harm !!!!
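The pre-flight checks above, as an added example (this is not code from the post). It validates a planned change against a snapshot of the policy table taken with a read-only GET before anything is sent, so a wrong policyid#, a non-/32 blocklist entry or one of your own trusted networks never reaches a POST, PUT or DELETE. The snapshot, the trusted networks and the `/api/v2/cmdb/firewall/policy/` path layout are assumptions about a FortiOS-style REST API, not values from the post.

```python
"""Pre-flight checks for scripted FortiOS policy and address-group changes.

Added example (not from the post). Validates a planned change against a
GET snapshot of the policy table before anything is sent. The API path
layout is an assumption about a FortiOS-style REST API.
"""
import ipaddress
import json

# Constructed sample of what a GET of the policy table returns (trimmed).
SNAPSHOT_JSON = """
{"results": [
  {"policyid": 1, "name": "LAN-to-WAN",     "action": "accept", "comments": "prod"},
  {"policyid": 7, "name": "blocklist-drop", "action": "deny",   "comments": "auto"}
]}
"""

# Networks the blocklist feed must never be allowed to add (constructed).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]


def load_policies(snapshot_json):
    """Index the GET result by policyid."""
    return {p["policyid"]: p for p in json.loads(snapshot_json)["results"]}


def check_policy_change(method, policyid, policies):
    """Return (ok, reason). POST creates, so the id must not already exist;
    PUT and DELETE act on one existing policy, so the id must be in the snapshot."""
    method = method.upper()
    if method == "GET":
        return True, "read-only"
    if method == "POST":
        if policyid in policies:
            return False, f"policyid {policyid} already exists; use PUT to modify it"
        return True, "create"
    if method in ("PUT", "DELETE"):
        if policyid not in policies:
            return False, f"policyid {policyid} not in snapshot; refusing {method}"
        return True, f"{method} on policy {policies[policyid]['name']!r}"
    return False, f"unsupported method {method}"


def check_blocklist_entry(cidr, trusted=TRUSTED_NETS):
    """A blocklist entry must be a single /32 host and must not fall inside a trusted network."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return False, f"not a valid network: {exc}"
    if net.version != 4 or net.prefixlen != 32:
        return False, f"{cidr} is not a /32 host entry"
    for t in trusted:
        if net.subnet_of(t):
            return False, f"{cidr} is inside trusted network {t}"
    return True, "ok"


def plan_request(method, policyid, base_url="https://<fortigate>"):
    """Assumed FortiOS-style layout: POST to the collection creates a policy,
    PUT/DELETE on /<policyid> change or remove exactly that one. Nothing is sent."""
    path = "/api/v2/cmdb/firewall/policy/"
    if method.upper() in ("PUT", "DELETE"):
        path += str(policyid)
    return {"method": method.upper(), "url": base_url + path}


if __name__ == "__main__":
    pol = load_policies(SNAPSHOT_JSON)
    for m, pid in (("PUT", 7), ("DELETE", 3), ("POST", 1)):
        ok, why = check_policy_change(m, pid, pol)
        print(m, pid, "OK" if ok else "REFUSED", why, plan_request(m, pid)["url"])
    for entry in ("203.0.113.9", "203.0.113.0/24", "10.4.5.6"):
        print(entry, check_blocklist_entry(entry))
```

Run the checks against a fresh GET snapshot every time, not a cached one; a policyid that existed yesterday may have been renumbered by a change made in the GUI.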

















NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \
  

Sunday, September 16, 2018

Using curl to find supported options

The HTTP request method OPTIONS is not widely used or known, but in some cases it can be used to find the request methods a web server supports for a given URI.

Here's an example of an OPTIONS request for http://www.example.com/


example1



So from the above we know "OPTIONS", "GET", "HEAD" and "POST" are the only supported methods.


And here's another example

example2



example3


Keep in mind that a lot of web servers are not configured for this and will not recognize the request method.

In some cases, if you send a request method that is not recognized, the web server will send HTTP status code 405 { HTTP/1.1 405 Method Not Allowed } and actually indicate what is supported.




or

The newer trend is to send back an HTML body that tells you the request method is not supported, or some other fancy information.


<HTML><HEAD>
<TITLE>Unsupported Request</TITLE>

</HEAD><BODY>

----------------------or----------------
<HTML><HEAD>
<TITLE>Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
Reference&#32;&#35;7&#46;827008d1&#46;1537091841&#46;0
</BODY>
--------------------or-----------------
<html>
<head><title>405 Not Allowed</title></head>
<body bgcolor="white">
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx</center>
</body>
</html>

You might get lucky!
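The same OPTIONS check done without curl, as an added example (not code from the post): `probe()` sends the request the way the curl command does, and `allowed_methods()` reads the supported methods out of a captured raw response, so you can also run it over responses you already have on disk when checking what your own servers advertise. Servers list supported methods in the `Allow` header, on a 200 as well as on a 405; the three sample responses are constructed to mirror the three cases shown above, including the nginx page that says 405 but advertises nothing.

```python
"""Send an OPTIONS request and read the methods the server advertises.

Added example, not from the post. probe() talks to the network like the
curl command; parse_response()/allowed_methods() work on a captured raw
response, so the constructed samples below run offline.
"""
import urllib.error
import urllib.request

# Constructed sample responses, modelled on the three cases in the post.
SAMPLE_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_405 = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET, HEAD\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>405 Not Allowed</title></head><body></body></html>"
)
SAMPLE_NGINX = (
    "HTTP/1.1 405 Not Allowed\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><center><h1>405 Not Allowed</h1></center></body></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body); header names are lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def split_allow(value):
    """'OPTIONS, GET, HEAD' -> sorted list of upper-case method names; None if there was no Allow header."""
    if value is None:
        return None
    return sorted(m.strip().upper() for m in value.split(",") if m.strip())


def allowed_methods(raw):
    """(status, methods) from a raw response; methods is None when the server did not say."""
    status, headers, _ = parse_response(raw)
    return status, split_allow(headers.get("allow"))


def probe(url, timeout=5):
    """Send OPTIONS to url. urllib raises HTTPError on a 405, but the Allow header
    on that error response is exactly what we want, so it is read from the exception."""
    req = urllib.request.Request(url, method="OPTIONS")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, split_allow(resp.headers.get("Allow"))
    except urllib.error.HTTPError as err:
        return err.code, split_allow(err.headers.get("Allow"))


if __name__ == "__main__":
    for sample in (SAMPLE_200, SAMPLE_405, SAMPLE_NGINX):
        print(allowed_methods(sample))
    # print(probe("http://www.example.com/"))   # needs network access
```

A `None` method list with a 405 is the "no Allow header" case from the HTML bodies above: the server refused the method but did not tell you what it does accept.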










Saturday, September 15, 2018

Forcepoint SMC logserver rollup script

The Forcepoint Security Management Center allows you to query logs. One issue: logs can easily be pruned, but there is no on-board feature to roll logs up to a remote server over SFTP/SCP.


Here's a quick bash script that you can run from a cron job at a regular interval to roll up logs from the SMC LogServer to a remote SCP host.





#!/bin/bash
#
# kfelix@socpuppets.com
######## LOG ROLLER  IT ON UP  ########
# rev 1.0
#
set -u
D=$(date +Y%y_Month%m_Day%d_%s)
#
# rollup destinations (placeholders); scp does not accept a password in the
# target, so give the rollup user an SSH key instead
H1="<insert the rollup SFTP/SCP server name here>"
H2="<insert the rollup SFTP/SCP server name here>"
RUSER="rollupusername"
RDIR="<insert the remote rollup directory here>"

# find all files older than 180 days in the SMC log storage
LOG_DIR="/usr/local/forcepoint/smc/data/storage/"
LIST=$(mktemp /tmp/logsarchs.XXXXXX)   # private temp file instead of a fixed /tmp name
find "$LOG_DIR" -type f -name "*.arch" -mtime +180 > "$LIST"

# nothing to roll up
if [ ! -s "$LIST" ]; then rm -f "$LIST"; exit 0; fi

# take the archive list and create a tarball.gz
tar czf "ROLLUP.$D.tar.gz" --files-from "$LIST" || { rm -f "$LIST"; exit 1; }

# install at least two rollup destinations; the source logs are only deleted
# once at least one copy succeeded
COPIED=0
scp "./ROLLUP.$D.tar.gz" "$RUSER@$H1:$RDIR/" && COPIED=1
scp "./ROLLUP.$D.tar.gz" "$RUSER@$H2:$RDIR/" && COPIED=1
if [ "$COPIED" -eq 1 ]; then
    # delete listed files
    xargs -r rm -f < "$LIST"
    # rm the archive gz tarball to clear up space (no -i: cron has no terminal to answer a prompt)
    rm -f "ROLLUP.$D.tar.gz"
else
    echo "rollup copy failed, keeping ROLLUP.$D.tar.gz and the source logs" >&2
fi
# delete the logsarchs catalog text file
rm -f "$LIST"



This can help with storage issues, or before you have storage issues. You could even set a trigger based on disk utilization % and have the script fire off if disk usage is 75% or more, e.g.:



#!/bin/bash
# fire the rollup only when the log volume is 75% full or more
set -u
LOG_DIR="/usr/local/forcepoint/smc/data/storage/"
# use% of the filesystem holding the log storage (the original grepped the "centos" volume)
C=$(df -P "$LOG_DIR" | awk 'NR==2 { print $5 }' | cut -d % -f 1)

if [ "$C" -lt 75 ]; then
    exit 0
fi

echo "Disk usage is high at $C% utilization on $HOSTNAME" | mail -s "LogRoller SMC" socteam_maillist@socpuppets.com

D=$(date +Y%y_Month%m_Day%d_%s)
#
# rollup destinations (placeholders); scp does not accept a password in the
# target, so give the rollup user an SSH key instead
H1="<insert the rollup SFTP/SCP server name here>"
H2="<insert the rollup SFTP/SCP server name here>"
RUSER="rollupusername"
RDIR="<insert the remote rollup directory here>"

# find all files older than 180 days in the SMC log storage
LIST=$(mktemp /tmp/logsarchs.XXXXXX)
find "$LOG_DIR" -type f -name "*.arch" -mtime +180 > "$LIST"

# nothing to roll up
if [ ! -s "$LIST" ]; then rm -f "$LIST"; exit 0; fi

# take the archive list and create a tarball.gz
tar czf "ROLLUP.$D.tar.gz" --files-from "$LIST" || { rm -f "$LIST"; exit 1; }

# install at least two rollup destinations; delete the source logs only
# once at least one copy succeeded
COPIED=0
scp "./ROLLUP.$D.tar.gz" "$RUSER@$H1:$RDIR/" && COPIED=1
scp "./ROLLUP.$D.tar.gz" "$RUSER@$H2:$RDIR/" && COPIED=1
if [ "$COPIED" -eq 1 ]; then
    # delete listed files
    xargs -r rm -f < "$LIST"
    # rm the archive gz tarball to clear up space (no -i in a cron job)
    rm -f "ROLLUP.$D.tar.gz"
else
    echo "rollup copy failed, keeping ROLLUP.$D.tar.gz and the source logs" >&2
fi
# delete the logsarchs catalog text file
rm -f "$LIST"



Remember that a predefined alert exists for local Management Server disk usage if the LogServer is local to the Management Server.









Thursday, September 13, 2018

Squid Proxy redirection Forcepoint NGFW

Here's a Squid redirection setup for the Forcepoint NGFW:



  • SMC v6.4.4
  • NGFW v6.4.1
  • SQUID v3.5.20



First you need to define a Proxy Server element under Configuration > Network > Servers.







In your Access rule you only need to match HTTP/HTTPS and direct it to the Squid server.





The Squid access.log and the NGFW Log Browser can both be monitored.




squid.conf










Wednesday, September 12, 2018

Squid for FortiOS


# squid
#
wccp2_router 192.168.1.100
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=FortinetWEbberCache


# FortiGate WCCP config

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.100 255.255.254.0
        set allowaccess ping ssh https
        set type physical
        set wccp enable
    next
end

config system wccp
    edit "0"
        set router-id 192.168.1.100
        set server-list 192.168.1.99
        set authentication enable
        set password FortinetWEbberCache
    next
end

config firewall policy
    edit 0
        set srcintf "LANLOCAL"
        set dstintf "EXTWANLEVEL3"
        set srcaddr "LOCALLAN_NET-GROUPS"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP"
        set wccp enable
        set comments "HTTP TRAFFIC TO INTERCEPT FROM ALLOWED LAN USERS"
        set nat enable
    next
    edit 0
        set srcintf "port1"
        set dstintf "EXTWANLEVEL3"
        set srcaddr "squidproxy"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "PING"
        set comments "SQUID PROXY"
        set nat enable
    next
    edit 0
        set srcintf "LANLOCAL"
        set dstintf "EXTWANLEVEL3"
        set srcaddr "LOCALLAN_NET-GROUPS"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "HTTP"
        set comments "SAFEGUARD TO DROP ANY NONE PROXY"
    next
end








Tuesday, September 11, 2018

DNS flagday edns

EDNS is one of those tricky items that can break a lot of DNS answers. Per the DNS standards (RFCs), a DNS server should not flake out when EDNS version options are sent but EDNS is not supported, yet in a lot of cases this is exactly what happens.

dnsflagday has a compliance test that you can run against any domain to get the compliance results. They also have great collections of data and statistics.


Running the test is simple: just enter your domain.



The result is a pass or fail (see the failure below).




Details of the test results are provided on failures.




So what do you do if you have a failure? Easy: you upgrade your DNS server!


Alternatively, you can use the EDNS compliance checker at this URL:

https://ednscomp.isc.org/ednscomp/a768f12b06
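What these compliance checks actually send, as an added example (this is not code from the post, from dnsflagday or from ISC): a DNS query carrying an EDNS OPT record, built by hand, and a parser that reads the rcode back including the extended bits the OPT record carries. Asking with an EDNS version the server does not implement (version 1 here) is the classic case from the text: per RFC 6891 a conforming server answers BADVERS (extended rcode 16) rather than timing out or dropping the query. The test below constructs the reply by flipping the QR bit on the query itself, so it runs offline; `send_edns_query()` does the same over UDP against an authoritative server of your own. Query name, transaction id and payload size are constructed values.

```python
"""Build an EDNS query and classify the reply, the way the flag-day checks do.

Added example, not from the post. Only the DNS wire format (RFC 1035) and
the OPT pseudo-RR (RFC 6891) are used; no resolver library is needed.
"""
import socket
import struct

OPT_TYPE = 41
BADVERS = 16   # extended rcode: "EDNS version not implemented" (RFC 6891)


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (uncompressed wire labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_edns_query(name, qtype=6, edns_version=0, payload=1232, txid=0x1234):
    """One SOA question (qtype 6) plus an OPT record in the additional section.
    The OPT 'TTL' field packs ext-rcode(8) | version(8) | flags(16, DO bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, payload, 0, edns_version, 0x8000, 0)
    return header + question + opt


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(buf):
    """Header rcode merged with the OPT extended rcode, plus whether EDNS came back at all."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4          # qtype + qclass
    result = {"id": txid, "rcode": flags & 0xF, "edns": False, "edns_version": None}
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        if rtype == OPT_TYPE:
            result["edns"] = True
            result["edns_version"] = (ttl >> 16) & 0xFF
            result["rcode"] = ((ttl >> 24) << 4) | (flags & 0xF)
        off += 10 + rdlen
    return result


def classify(result, sent_version):
    """Human-readable verdict for the reply to a query sent with sent_version."""
    if not result["edns"]:
        return "no OPT in reply: server ignored or stripped EDNS"
    if sent_version != 0 and result["rcode"] == BADVERS:
        return "BADVERS: correct answer to an unsupported EDNS version"
    if sent_version == 0 and result["rcode"] == 0:
        return "EDNS0 answered normally"
    return f"rcode {result['rcode']} with EDNS version {result['edns_version']}"


def send_edns_query(server_ip, name, edns_version=0, timeout=3.0):
    """Send the query over UDP/53 and parse whatever comes back (needs network access)."""
    query = build_edns_query(name, edns_version=edns_version)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    # print(classify(send_edns_query("<your-authoritative-server-ip>", "example.com", 1), 1))
    q = build_edns_query("example.com", edns_version=1)
    print(len(q), "byte query:", q.hex())
```

A timeout from `send_edns_query()` with version 1 (or with version 0 and the DO bit set) is the failure the flag-day test flags; a BADVERS or a normal answer with an OPT record is what an up-to-date server returns.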




