Wednesday, July 15, 2020

ANSIBLE for fortigate devices setups

Here's a simple play that sets our org-wide settings for all new FortiGates.



(virt1) [opc@ansible-cloud ~]$ cat fgtsetup.yml
---
- hosts: fgt
  collections:
  - fortinet.fortios
  gather_facts: false
  connection: httpapi

  vars:
    vdom: "root"
    # REST API over HTTPS on 443; certificate validation is switched off here
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
    # virtualenv that has the fortiosapi module installed
    ansible_python_interpreter: virt1/bin/python

  tasks:
  - name: Setup_Console
    fortios_system_console:
      vdom: "{{ vdom }}"
      system_console:
        output: "more"
        baudrate: 19200

  - name: Setup_Global
    fortios_system_global:
      vdom: "{{ vdom }}"
      system_global:
        hostname: "BROOKLYNCNTAL"
        admin_login_max: "6"
        login_timestamp: "enable"
        cfg_save: "automatic"
        timezone: "08"
        admin_ssh_port: "2022"
        admin_scp: "enable"
        gui_certificates: "enable"

  - name: Setup_NTP
    fortios_system_ntp:
      vdom: "{{ vdom }}"
      system_ntp:
        interface:
          - interface_name: wan2
        syncinterval: "15"
        type: "fortiguard"
        ntpsync: "enable"

  - name: Setup_AlertEmail
    fortios_alertemail_setting:
      vdom: "{{ vdom }}"
      alertemail_setting:
        mailto1: "soc@socpuppets.com"
        username: "noc@socpuppets.com"

In our inventory file we define each FortiGate's address and the connection variables;


[fgt]
192.0.2.1 ansible_user=ansible ansible_password=test1234
192.0.2.2 ansible_user=ansible ansible_password=setup
192.0.2.3 ansible_user=ansible ansible_password=password123
192.0.2.4 ansible_user=ansible ansible_password=password0987654321

[fgt:vars]
ansible_network_os=fortinet.fortios.fortios
# ansible_httpapi_password=hhhjh05tyx5h3r15d64Gm6Nh15tjpm


To call our setup we just run the command and let the play execute the tasks.


example;



And lastly, we install our standard admin accounts;

(virt1) [opc@ansible-cloud ~]$ cat fgtaddadmin.yml
---
- hosts: fgt
  collections:
  - fortinet.fortios
  gather_facts: false
  connection: httpapi

  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
    ansible_python_interpreter: virt1/bin/python

  tasks:
  - name: Configure primary admin
    fortios_system_admin:
      vdom: "{{ vdom }}"
      state: "present"
      system_admin:
        accprofile: "super_admin"
        vdom:
          - name: "root"
        comments: "socpuppet admin account do not delete"
        name: "socadmin2"
        password: "testing1234"

  - name: Configure PCI auditor account
    fortios_system_admin:
      vdom: "{{ vdom }}"
      state: "present"
      system_admin:
        accprofile: "auditor"
        vdom:
          - name: "root"
        comments: "socpuppet PCI account do not delete"
        name: "auditor"
        password: "pciblahbl"


If you lose the admin account password and still have the "ansible" user account, you can always re-add the account. This makes for a great password recovery option.
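A follow-up check a practitioner would want after fgtsetup.yml has run, as an added example (not from the post and not the fortinet.fortios collection's code): pull system global from the FortiGate REST API and diff it against the Setup_Global values. The /api/v2/cmdb/system/global endpoint, the bearer-token header and the hyphenated key names are assumptions about the FortiOS API, not something the post states.

```python
"""Verify the org-wide baseline pushed by the Setup_Global task of fgtsetup.yml.
Assumed: REST endpoint /api/v2/cmdb/system/global with an API-token bearer
header, returning the play's underscore keys hyphenated (admin-ssh-port)."""
import json
import ssl
import urllib.request

# Expected values copied from the Setup_Global task of fgtsetup.yml.
BASELINE = {
    "hostname": "BROOKLYNCNTAL",
    "admin_login_max": "6",
    "login_timestamp": "enable",
    "cfg_save": "automatic",
    "timezone": "08",
    "admin_ssh_port": "2022",
    "admin_scp": "enable",
    "gui_certificates": "enable",
}


def fetch_system_global(host, token, verify_tls=True):
    """GET system/global from the FortiGate REST API (assumed URL and header)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # same trade-off as ansible_httpapi_validate_certs: no
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}/api/v2/cmdb/system/global",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)["results"]


def audit_global(results, baseline=BASELINE):
    """Return {play_key: (expected, actual)} for every setting that drifted."""
    drift = {}
    for key, expected in baseline.items():
        actual = results.get(key.replace("_", "-"))
        # The API may return ints (admin-ssh-port: 2022) where the play used strings.
        if actual is None or str(actual) != str(expected):
            drift[key] = (expected, actual)
    return drift


# Constructed API response for a half-configured unit (not from a real device).
SAMPLE_RESULTS = {
    "hostname": "BROOKLYNCNTAL", "admin-login-max": 6, "login-timestamp": "enable",
    "cfg-save": "automatic", "timezone": "08", "admin-ssh-port": 22,
    "admin-scp": "disable", "gui-certificates": "enable",
}
```

Running audit_global(fetch_system_global(host, token)) against each inventory host turns the play into a repeatable compliance check rather than a one-shot push.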




Ken Felix 
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \


Tuesday, July 14, 2020

HOWTO use ansible with fortios

To use Ansible with the fortiosapi module you need to install the module and confirm that it is installed;


pip install fortiosapi
pip list | grep forti


Your install output should look like the following;


example



Now you can write your first playbook. Here's a simple playbook that was defined to check status;





And the output when it ran;



Here's a simple group creation;



If you have problems executing, set ANSIBLE_DEBUG=1 while running the playbook.


example;

    ANSIBLE_DEBUG=1 ansible-playbook fortios1.yml



You can also step through the play using the --step switch when running the playbook.



Refer to my earlier posts on the fortios API for examples;


https://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html

https://socpuppet.blogspot.com/2019/09/howto-use-fortios-apiuser.html



Monday, July 6, 2020

HOWTO: Audit unused fwpolicy on fortios via snmp

Once the firewall is configured for SNMP, a simple OID lists the packet counters for each policy. You can snmpget the OID for a specific fwpolicyId or walk the whole tree.

.1.3.6.1.4.1.12356.101.5.1.2.1.1.2



So you can see that the firewall homefgt has 4 policy IDs (24/25/1/2) but only policy ID #1 is taking traffic.


By querying the fwpolicy statistics OID you can quickly ascertain which fwpolicyId numbers are being used and which are not.

If you're only interested in unused fwPolicyId numbers, just do something like this and grep out the policy number;

snmpwalk -v2c -c mycommunity 192.168.1.99 .1.3.6.1.4.1.12356.101.5.1.2.1.1.2 | egrep "Counter32: 0"


The output will clearly show the zero-match policies, which you could dump to a spreadsheet for later exploration and analysis.
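The "dump to a sheet" step, as an added example that is not part of the post: it parses the snmpwalk output of the fwpolicy packet-counter OID above, lists the zero-count policy IDs, and emits CSV. It assumes the table index is <vdom index>.<policy id> (the last two OID components) and that the counter prints as "Counter32: N"; the script name fwpolicy_audit.py in the usage comment is hypothetical.

```python
"""Turn the snmpwalk of the fwpolicy packet-counter OID into a list of unused
policy IDs plus a CSV. Assumed index layout: <vdom index>.<policy id>."""
import csv
import io
import re
import sys

# Matches both "SNMPv2-SMI::enterprises.12356....2.1.24 = Counter32: 0" and the
# numeric "-On" form; only the trailing two index components and the value matter.
COUNTER_RE = re.compile(r"\.(\d+)\.(\d+) = Counter(?:32|64): (\d+)\s*$")


def parse_policy_counters(lines):
    """Return {(vdom_index, policy_id): packets} from snmpwalk output lines."""
    counters = {}
    for line in lines:
        m = COUNTER_RE.search(line)
        if m:  # skip noise such as "End of MIB" or timeout messages
            vdom, pol, pkts = (int(x) for x in m.groups())
            counters[(vdom, pol)] = pkts
    return counters


def unused_policies(counters):
    """(vdom, policy_id) pairs with a zero packet count, sorted."""
    return sorted(key for key, pkts in counters.items() if pkts == 0)


def to_csv(counters):
    """CSV text (vdom,policyid,packets,status) ready to paste into a sheet."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["vdom", "policyid", "packets", "status"])
    for (vdom, pol), pkts in sorted(counters.items()):
        w.writerow([vdom, pol, pkts, "unused" if pkts == 0 else "in-use"])
    return buf.getvalue()


# Constructed sample mirroring the post's homefgt: IDs 24/25/1/2, only #1 busy.
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.2.1.1 = Counter32: 420878
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.2.1.2 = Counter32: 0
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.2.1.24 = Counter32: 0
SNMPv2-SMI::enterprises.12356.101.5.1.2.1.1.2.1.25 = Counter32: 0
""".splitlines()

if __name__ == "__main__":
    # Usage: snmpwalk -v2c -c mycommunity 192.168.1.99 <oid> | python3 fwpolicy_audit.py
    src = SAMPLE_WALK if sys.stdin.isatty() else sys.stdin
    data = parse_policy_counters(src)
    print("unused policy IDs:", [pol for _, pol in unused_policies(data)])
    sys.stdout.write(to_csv(data))
```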


For SNMPv3, here's a working example;




Keep in mind, no matches for a policy that has been installed for a considerable time is a good indicator of one of the following;


  • the policy ID sequence and order is incorrect
  • the service is wrong for that policy
  • the policy is written wrong with regard to src/dst address and src/dst interface|zone


The manual method for counting policy matches is to execute the diagnose firewall iprope show 00100004 <policyid> command.

example;

diagnose firewall iprope show 00100004 2
idx=2 pkts/bytes=420878/339340862 asic_pkts/asic_bytes=405523/337996081 nturbo_pkts/nturbo_bytes=0/0 flag=0x0 hit count:3895
    first:2020-07-07 20:58:07 last:2020-07-07 21:41:01
 established session count:236
    first est:2020-07-07 20:58:07 last est:2020-07-07 21:41:01

The above could be tiresome if you had hundreds or thousands of firewall policies and only need to see the ones not being matched.





