Monday, October 28, 2019

How to reduce BGP capability advertisements in FortiOS

FortiOS has a quirk: by default it advertises IPv6 capabilities to any neighboring BGP router, even if you're not using IPv6 with that BGP neighbor. You can get the list of capabilities sent via the "get router info bgp neighbor" command executed from the CLI.

To disable the IPv6 capability advertisement to a BGP neighbor you need to disable it from the CLI, per neighbor.


e.g.





Here's a before and after screenshot of the neighbor output once the above command has been set to disable.



As you can see the output is reduced and the IPv6 advertisements are eliminated. You can read more in one of my earlier blog posts:

http://socpuppet.blogspot.com/2013/05/bgp-capabilities.html











NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \


Wednesday, October 23, 2019

Fortigate dialup IPsec VPN from a 2nd Fortigate

FortiOS supports IPsec dialup where a Fortigate is the dialup device and uses a username/password along with the PSK.

The Cisco ASA has had this function for many years under EasyVPN.


Here's a basic view:




The light-blue firewall is connecting to the firewall on the left; both of these are Fortigates, but in reality it could have been a FGT to any other dynamic dialup peer.


Here's the dark blue firewall cfg:





We have a local user defined and a local user group named remote-fgts:


FWF # show user group remote-fgts
config user group
    edit "remote-fgts"
        set member "remote-fgt"
    next
end

FWF # show user local remote-fgt
config user local
    edit "remote-fgt"
        set type password
        set passwd-time 2019-08-11 18:01:01
        set passwd ENC bK70ALGrYzvTd/7+Das6DdQZpGUaUuq9+wZQGVb6P8A5xfQbrcBKPBlyGs4WrQ3NfGCUMPZsB4adzXg706DgkN3OYryXHub2eb1uvHO62m5M7F7n6AyKUmUPILCeFVyXNsMb1QShc5OqRx9oH2xNoUodDHeZWr6ca6cu1RZ84XM1/O/hxDm+DK1mMkSdFeaYD8x70g==
    next
end



The remote firewall (the one on the right of the screenshot) will use the matching username/password in its configuration.







Note: always double-check the username and password for correctness if you see an authentication error, or when using an external authenticator.


The cmd "diag vpn ike gateway" will show you the details and the user that authenticated.






As you can see, username "remote-fgt" authenticated. We can also double-check the phase 2 details.





To secure the dialup firewalls it's best to set a localid and peerid on both peers. In the example below we are defining an FQDN-type ID set to ipsecremotes for the localid and the remote peerid.

Tuesday, October 22, 2019

Jumpcloud MFA and RADIUS gotcha

MFA with Jumpcloud is easy to do, but be advised of an issue with OTP expiration: an expired OTP is still honored.

1st, a typical Jumpcloud RADIUS server cfg for a FortiOS device. Reference one of my many previous blog posts on this:

http://socpuppet.blogspot.com/2017/03/using-jump-cloud-radius-for-fortimail.html



A FortiOS cfg example:



config user radius
    edit "jcradius"
        set server "18.204.0.31"
        set secret ENC H0YE6EqYG0W9AB1uXPbAsKwQIAS9IxYI7T4v3VOjBj9f89U0RfmDfbD6U47dU6DD+3YidfbkGvtwzFYhCFsSQY8DodYhtsFiyKBBN1t6unIGH+ZlgB/MQaFOx/ncbNnyTk6D4RObIKj3BSGd9DbEr2jm4Vv+w6/nXa/Y64pCq6cZWpdQfRr4EylK+A5zD4r/XiCnetQ==
        set radius-port 1812
    next
end



Okay, that's easy, and we can test via the "diag test authserver radius-direct" cmd from the CLI. Here's where it gets funky. I continued to authenticate with the same OTP over a period of almost 2 mins. Finally, the previous OTP was not accepted for my user named "mfa", as you can see with the "Access-Reject" message.




Even the user-portal login exhibited the same behavior in my testing.








And OTP 125738 for the "mfa" user has long expired (see OTP value #861102), but I can still log in with the now-expired OTP 60 secs later and after a new OTP has been generated.







Interesting: an OTP that has expired is still granted access for at least 1+ min even though the Google OTP has a 30 sec TTL. I have not seen this issue with Entrust IdentityGuard, Okta, RSA, etc.



So Jumpcloud honors the OTP up to the next-plus-next OTP cycle.


e.g.

OTP 123 456 -- 30 sec --> expired,
    new OTP 667 788 -- 30 secs later --> expired,
        new OTP 788 928 -- 30 sec --> expired,
            and only now is the previous OTP 123 456 no longer honored, some 60 seconds past its original expiration.


So this violates two functions and rules of OTP usage for MFA authentication:

1: An OTP is good for 30 secs (+- a few secs)

2: An OTP becomes invalid after a successful login (preventing reuse or continual use; the OT in OTP is supposed to mean "One Time"!)
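As an added example (not part of the original post or of any Jumpcloud code), here is how an MFA backend has to validate TOTP codes to honor both rules: a small RFC 6238 validator in Python that accepts a code only in its own 30 s step (plus one step of clock skew) and refuses any code that has already produced a successful login. It uses only the standard library; the secret is the RFC 6238 test secret, used here as a constructed example, and replay_timeline walks the same timeline as the post above.

```python
import hashlib
import hmac
import struct

STEP = 30  # Google Authenticator / RFC 6238 time step in seconds


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class StrictValidator:
    """Enforces the two rules the post says were violated:
    1. a code is accepted only in its own 30 s step (+/- skew_steps for clock drift),
    2. a code that already produced a successful login is never accepted again."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew = skew_steps
        self.last_counter = -1  # highest step already consumed by a successful login

    def verify(self, code: str, now: float) -> bool:
        current = int(now // STEP)
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue  # replay: this step (or an older one) already logged in
            if hmac.compare_digest(totp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def replay_timeline(secret: bytes = b"12345678901234567890", t0: int = 1000 * STEP) -> list:
    """Replays the post's timeline against the strict validator (constructed secret).
    Returns [first login, reuse 10 s later, next code, first code 60 s later]."""
    v = StrictValidator(secret)
    first = totp(secret, t0 // STEP)
    second = totp(secret, (t0 + STEP) // STEP)
    return [
        v.verify(first, t0),             # fresh code: accepted
        v.verify(first, t0 + 10),        # same code again: rejected (rule 2)
        v.verify(second, t0 + STEP),     # next code in its own step: accepted
        v.verify(first, t0 + 2 * STEP),  # original code two steps later: rejected (rule 1)
    ]
```

Calling replay_timeline() returns [True, False, True, False]; the behavior the post observed would have returned True for every step.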


Monday, October 21, 2019

GRE KeepAlives on FortiOS

In this case we will display a basic Generic Routing Encapsulation (GRE) tunnel cfg for FortiOS and JunOS.





FGT GRE cfg with KeepAlives set for a 10 second interval and 20 failures:



We also configured the GRE1 interface with layer 3 details:

config system interface
    edit "GRE1"
        set vdom "root"
        set ip 192.0.2.129 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.0.2.130 255.255.255.255
        set snmp-index 13
        set interface "wan1"
    next
end


A Juniper SRX with no KeepAlives enabled:




KeepAlives do not need to be set on both ends. A device without GRE keepalives enabled will still respond, because the keepalive is a GRE packet carrying an inner GRE packet addressed back to the sender: the far end simply decapsulates it and forwards the inner packet home.

Thursday, October 17, 2019

BFD on Fortigate and JunOS firewalls

Both the Juniper SRX and the Fortigate support BFD. It uses UDP port 3784 and helps identify one-way failures.

On the Fortigate the cfg is simple: you need to enable it globally and under the system interface. You also have to enable BFD per routing peer (BGP in my case).


cfg:


show sys settings | grep bfd
    set bfd enable

show sys interface GCM | grep bfd
        set bfd enable

config router bgp
    set as 5706
    set ebgp-multipath enable
    config neighbor
        edit "192.168.127.1"
            set bfd enable
            set remote-as 65001
        next
    end
end




On the Junos device it's even simpler; just enable it per BGP neighbor or group:

set protocols bgp group FGT bfd-liveness-detection minimum-interval 1000 



To validate:

FortiOS



JunOS





It's recommended NOT to run BFD and graceful restart at the same time. BFD supports authentication on Junos but not in FortiOS.



If you suspect BFD is not working or not being sent, use the diag sniffer cmd

e.g.


   diag sniffer packet <interfacename> "port 3784"


Forcepoint SMC policy push

Installing a firewall policy on an NGFW does not break any existing local sessions. Here's an example of a ZERO-TEST policy push; my SSH session was not closed.





When I logged out and tried to log in again, my connection was refused due to the policy rule set.


Tuesday, October 15, 2019

Enabling Fortigate BGP over a VPN tunnel to a Junos SRX

In this post, we will enable BGP and advertise a network over the route-based tunnel that has assigned addresses.

SRX (st0 interface 192.168.127.1):


set interfaces st0 unit 0 family inet

set interfaces st0 unit 16 family inet address 192.168.127.1/30

FGT (GCM interface 192.168.127.2):


config system interface
    edit "GCM"
        set vdom "root"
        set ip 192.168.127.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.168.127.1 255.255.255.252
        set snmp-index 14
        set interface "wan1"
    next
end



The configurations are simple, and you can now use the following commands to confirm:


SRX



FGT






Since this interface is route-based, you can also run "diag sniffer packet" cmds to inspect the BGP traffic

e.g.


  diag sniffer packet <tunnel name> "port 179"






In large deployments with a lot of networks, it's ideal to have BGP advertise the networks you want to send rather than installing manual static routes.



On JunOS you can modify route advertisements within the route-filter per peer or group.




Now the FortiOS device will see the modified routes once applied; there is no need to reset any BGP peers.




BGP table:


Fortigate FGT to Juniper SRX route-based VPN with RSA signatures and a dynamic end-point

In this post I will demo a simple RSA-signature-based VPN between a FGT and a Juniper device. Again I used "getacert" to sign certificates for the FGT and SRX devices.

I will demo a CSR request from a Junos SRX since it requires a few items that must be done.

1: You need to define a private key. You will need to determine the key pair name (certificate-id) and size:


   request security pki generate-key-pair size 2048 type rsa certificate-id junipersrx

e.g.

kfelix@BROOKLYN> request security pki generate-key-pair size 1024 type rsa certificate-id newksc
Generated key pair newksc, key size 1024 bits

2: Generate the CSR for that key pair, giving the subject and domain name:

kfelix@BROOKLYN> request security pki generate-certificate-request certificate-id newksc subject "CN=newksc,L=Austin,ST=TEXAS,C=US" domain-name vpn.socpuppets.com
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Fingerprint:
0a:ab:39:05:4c:35:2c:48:ee:89:33:57:22:e1:62:77:21:d5:88:8f (sha1)
00:ce:6b:e5:fe:95:d4:91:fc:f4:ee:d4:70:7e:48:79 (md5)

3: Send the CSR off to your CA for signing and scp the signed cert to the Juniper. You should import the cert and the CA cert into the system at the same time.


4: Load the certificates with the following commands

e.g.

request security pki local-certificate load certificate-id <certificate-id> filename <cert-filename>
request security pki ca-certificate load ca-profile <ca-profile-name> filename <ca-cert-filename>




5: Once you have your respective certificates loaded you can start the IPsec cfg. Here's the FGT cfg:




I'm using a peer-type of any for the FGT.


6: Junos is a little bit the same, just more steps, but here's our IKE/IPsec configuration:



I defined matching TS (traffic selectors) for the local/remote subnets within the encryption domain. I also set a DN for determining the local and remote ID. I will speak more about the DN and wildcards.


Since Junos uses a central NAT table, we want a NO-NAT rule and must ensure this rule is at the top of the list.

e.g.




You would also need a static route through the defined tunnel.




Okay, outside of the security policies we should see the tunnel up and can gather details:


FGT phase1 { diag vpn ike gateway }




FGT phase2 { diag vpn tunnel list  }




Juniper Phase1 {  show security ike security-associations }



For troubleshooting, use the route-based section of the JunOS checklist:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21781&actp=METADATA#IpsecRouteBased

For troubleshooting FortiOS:

diag vpn tunnel list
diag vpn ike gateway
diag debug application ike -1



Items to review:


  • ensure the ca-certificate is installed
  • ensure the certificates are not expired
  • ensure the CN is correct in the configurations in JunOS and FortiOS
