Friday, October 30, 2020

HOWTO: lock out users from fortios

FortiOS does not have a direct means of disabling an administrator account.

So if you want to be config-exclusive and keep others from gaining access, you have to assign the account a read-only accprofile, or an accprofile with nothing allowed.

Take this user ansible and the accprofile assigned to it:

So if this user does log in to the FortiGate, he will be limited to executing NO commands, e.g.

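The lockout described above, written out as CLI. This is an added example, not a capture from the original post: the profile name noaccess and the admin name are assumptions, and the set of *grp keywords varies by FortiOS release, so compare it with "show full-configuration system accprofile" on your own unit.

```fortios
# Added example: an accprofile that allows nothing, and the admin bound to it.
# Profile/admin names are placeholders; the group keywords are the 6.x ones,
# check "show full-configuration system accprofile" on your firmware.
config system accprofile
    edit "noaccess"
        set comments "lockout profile - nothing allowed"
        set secfabgrp none
        set ftviewgrp none
        set authgrp none
        set sysgrp none
        set netgrp none
        set loggrp none
        set fwgrp none
        set vpngrp none
        set utmgrp none
        set wifi none
    next
end

# Point the account at it. The account keeps its password and can still
# authenticate; it simply cannot read or change anything once logged in.
config system admin
    edit "ansible"
        set accprofile "noaccess"
    next
end

# Verify the binding.
show system admin ansible
show system accprofile noaccess
```

Two things to keep in mind: the login itself still succeeds, so the admin login events keep appearing in the event log (useful as an audit trail that someone is still trying), and if the "ansible" account is a REST API user rather than a CLI/GUI admin, its accprofile lives under config system api-user, not config system admin.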
Ken Felix 
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \

Friday, October 9, 2020

HOWTO: debug bgp on fortios

BGP configuration seems difficult, but in reality it's a simple routing protocol. To properly debug BGP on FortiOS you need to do a few primary actions.

To test the layer 2/3 connection (x.x.x.x == the remote BGP speaker):

    execute ping x.x.x.x

You probably want to set the ping source first with "execute ping-options source", so the ping leaves from the address the BGP session is bound to (this matters with update-source and multi-hop peers).

To verify tcp.port 179 is open:

    execute telnet x.x.x.x 179

Next, you can enable the BGP protocol debug options.

It's wise to set the level to info; if you have numerous BGP peers you might still get a lot of output. For a new turn-up that's giving you issues, use "diag ip router bgp all enable" for example, followed by "diag debug enable" so the output actually reaches your session.

Most BGP issues fall back on a typo (wrong peer, wrong AS, etc.) or a layer 2/3 issue. Keep in mind that if you have filters, tcp.port destination 179 needs to be allowed in and out: either side can be the one that opens the TCP session.

If you do get to ESTABLISHED and then the session dies, that could be the maximum-prefix limit being reached; the BGP session is torn down (TCP reset) when this happens, unless the neighbor is set to maximum-prefix-warning-only.
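The sequence above run end to end, as an added example (not commands captured from the original post). 192.0.2.2 is a placeholder for the remote BGP speaker and 192.0.2.1 for the local address the session is bound to.

```fortios
# Added example: BGP turn-up debug on FortiOS, in the order you would run it.
# 192.0.2.1 (local session address) and 192.0.2.2 (remote peer) are placeholders.

# 1. layer 2/3: ping from the address the session is sourced from
execute ping-options source 192.0.2.1
execute ping-options repeat-count 3
execute ping 192.0.2.2

# 2. layer 4: can we complete a TCP connect to port 179 (rules out filters)
execute telnet 192.0.2.2 179

# 3. what the BGP process itself says about the peer (state, uptime, prefixes)
get router info bgp summary
get router info bgp neighbors 192.0.2.2

# 4. protocol debug: pick the level first, then the events, then turn output on
diagnose ip router bgp level info
diagnose ip router bgp all enable
diagnose debug enable

# reproduce the problem: reset the peer and watch the OPEN / NOTIFICATION exchange
execute router clear bgp ip 192.0.2.2

# 5. always turn the debug off again when done
diagnose debug disable
diagnose ip router bgp all disable
diagnose debug reset
```

What to look for in the output: a NOTIFICATION from the peer with "Bad Peer AS" is the AS typo case, a connect that never completes in step 2 is the filter or layer 2/3 case, and a session that flaps after ESTABLISHED with a Cease / maximum prefixes notification is the prefix-limit case from the last paragraph.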







Friday, October 2, 2020

Fortios Ansible plugins

 



FTNT publishes quite a few plugins (the fortinet.fortios collection) that let FortiOS be configured from Ansible. A lot of the low-level configuration can be done within a CM tool like Ansible. FortiManager is also a good alternative that's documented and supported by FTNT.

https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/index.html

https://www.fortinet.com/products/management/fortimanager

The key thing to look at: you need to be running a current Python 3 version, natively or in a Python virtualenv. On RHEL 7 / CentOS 7 you can't really delete Python 2, since "yum" itself is Python 2 only, so expect both to be present.

If you have both py2/3, you have to ensure Ansible is using version 3 (set ansible_python_interpreter) if you want the best results.

Extra things to consider:

  • ANSIBLE_DEBUG=1 for any issues, and use -vvv for extra verbosity.
  • You are only limited by your imagination and the limits of the plugins.
  • You should study the Fortinet Developer Network (FNDN) documents.
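As an added example (not from the post, and not Fortinet's own sample): an inventory plus a playbook that pins Python 3 on the control node, uses the collection's httpapi connection, and pushes one BGP neighbor with a maximum-prefix limit. The hostname, addresses, AS numbers and credential lookup are placeholders; the module option names mirror the CLI keywords with underscores replacing dashes, which is how the collection is generated, but verify them against the collection docs linked above for your version.

```yaml
# inventory.yml  (added example; every name and address is a placeholder)
all:
  hosts:
    fgt1:
      ansible_host: 192.0.2.10
  vars:
    # control-node side: run Ansible under python3, not the python2 that
    # yum on RHEL 7 keeps on the box
    ansible_python_interpreter: /usr/bin/python3
    # device side: the fortios collection talks to the REST API over httpapi
    ansible_connection: httpapi
    ansible_network_os: fortinet.fortios.fortios
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false   # lab self-signed cert; set true in prod
    ansible_httpapi_port: 443
    ansible_user: ansible
    ansible_password: "{{ lookup('env', 'FGT_PASSWORD') }}"   # never in the repo
---
# bgp.yml
- name: Configure a BGP peer with a prefix limit on FortiOS
  hosts: fgt1
  gather_facts: false
  tasks:
    - name: Set local AS, router-id and one neighbor
      fortinet.fortios.fortios_router_bgp:
        vdom: root
        router_bgp:
          as: 65010
          router_id: 192.0.2.1
          neighbor:
            - ip: 192.0.2.2
              remote_as: 65020
              update_source: port1
              # cap what the peer can push; hitting this tears the session
              # down unless warning-only is enabled
              maximum_prefix: 1000
              maximum_prefix_threshold: 80
              maximum_prefix_warning_only: disable
```

Run it with ansible-playbook -i inventory.yml bgp.yml -vvv (add ANSIBLE_DEBUG=1 in front when the httpapi layer itself misbehaves), and confirm with ansible --version that the reported python version is 3.x before blaming the plugins. On the FortiGate side the "ansible" account needs an accprofile with netgrp read-write for this task; an account parked on a nothing-allowed profile, as in the lockout post, fails the play with a permission error rather than a connection error.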

