Ken Felix Security Blog: November 2020

Monday, November 30, 2020

MS RDP and UDP

In most firewalls session the idle timers for any UDP and ICMP session are typically expired once they go idle after 30secs or less.

With MS RDP ( Terminal Services ) you can set the client up to use TCP only if your seeing numerous disconnects

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

SelectTransport

REG_DWORD 1

Than you can monitor the firewall session tables to see if the client is using Tcp.

fortios:

diag sys session filter dport 3389

diag sys session filter proto 6

diag sys session list

Ken Felix

NSE ( network security expert) and Route/Switching Engineer

kfelix -----a----t---- socpuppets ---dot---com

^ ^

=( @ @ )=

/ \

Friday, November 20, 2020

fortiosapi address+group creation

Some one raised a email from the FTNT forum community asking how to build address and add them to a group.

Here's a sample way of accomplishing this action in one playbook that I will demonstrated.

I'm creating two address types and then adding them as a member to a group named maingroup;

---

- hosts: control_node

collections:

- fortinet.fortios

vars:

host: "12.12.12.12"

username: ansible

password: test1234

vdom: "root"

ssl_verify: false

tasks:

- name: mkAddress-subnet

fortios_firewall_address:

host: "{{ host }}"

vdom: "{{ vdom }}"

username: "{{ username }}"

password: "{{ password }}"

state: "present"

https: "true"

ssl_verify: "{{ ssl_verify }}"

firewall_address:

comment: "subnet type"

name: "name1"

type: ipmask

subnet: "192.0.2.0/30"

- name: mkAddress-fqdn

fortios_firewall_address:

host: "{{ host }}"

vdom: "{{ vdom }}"

username: "{{ username }}"

password: "{{ password }}"

state: "present"

https: "true"

ssl_verify: "{{ ssl_verify }}"

firewall_address:

comment: "fqdn type"

name: "name2"

type: fqdn

fqdn: "soc.example.com"

- name: mkAddressGroup

fortios_firewall_addrgrp:

host: "{{ host }}"

vdom: "{{ vdom }}"

username: "{{ username }}"

password: "{{ password }}"

state: "present"

https: "true"

ssl_verify: "{{ ssl_verify }}"

firewall_addrgrp:

comment: "blog example https://socpuppet.blogspot.com/"

member:

- name: "name1"

- name: "name2"

name: maingroup

Within fotiosapi if you provide item that is not recognize , the module will kick a error and tell you wants allowed.

For example, I type fqdns when I should have typed fqdn

And now the module kicks a error telling me to use one of the following;

So always read the error, it will give you direction on what the module is expecting. To learn more about the fotiosAPI and example on what can be done read some of my earlier posts on this subject.

https://socpuppet.blogspot.com/2020/07/howto-user-ansible-with-fortios.html

https://socpuppet.blogspot.com/2019/09/howto-use-fortios-apiuser.html

https://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html

Make sure you run your plays on a non-product device or create a vdom for testing before applying changes to production fortigate. If your working with a dev-ops group, use the "ANSIBLE_DEBUG=1" to debug any playbooks if your having issues executing config changes. If you setup a dev-ops test vdom you can do all testing in the test vdom b4 rolling it out

e.g

So jump into the API and give it a spin. You can do a lot of creative configs and changes in your fortigate environment with the easy of the CM tool.

You can find me on forum.fortinet.com posting under emnoc. I've been a member in the open community for over 12 years.

Ken Felix

NSE ( network security expert) and Route/Switching Engineer

kfelix -----a----t---- socpuppets ---dot---com

^ ^

=( @ @ )=

/ \

Friday, November 13, 2020

fortios alias cmd

Fortios has the ability to create alias commands. Great if your tired of typing login strings to get status

config system alias

edit "get"

set command "get system status | grep Version"

next

edit "policy"

set command "show firewall policy"

next

edit "route"

set command "get router info routing all"

next

edit "vpn1"

set command "diag vpn ike gateway"

next

edit "vpn2"

set command "diag vpn tunnel list"

next

end

execute is simple , just use "alias" followed by the alias

e.g

alias route

Ken Felix

NSE ( network security expert) and Route/Switching Engineer

kfelix -----a----t---- socpuppets ---dot---com

^ ^

=( @ @ )=

/ \

Wednesday, November 11, 2020

OracleCloud vpn to fortigate

Here we have a vpn and bgp cfg to a fortigate device.

FGT100E 6.4.3

oracle cloud ashbun

The fgt vpn-ipsec cfg;

So use the wizard and define your tunnel0interface inside address and the CPE peer-ipv4 address ( aka your fortinet wan )

The oraclecloud will dump a simple cfg summary if you follow the wizard make sure to record all details. Similar to the following;

The dashboard will update when you have ipsec and bgp UP.

Make sure to monitor the fortigate for bgp connectivity and ipsec-vpn details;

Ken Felix

NSE ( network security expert) and Route/Switching Engineer

kfelix -----a----t---- socpuppets ---dot---com

^ ^

=( @ @ )=

/ \

Monday, November 9, 2020

Understand Juniper SRX self-traffic-policy

Any traffic origination to the SRX is controlled by a policy that is hidden. This policy is known as a self-traffic-policy which means we originate or terminate the traffic to it's self.

e.g

A ssh to a SRX and BGP session

You can get a complete count of the self-traffic-policy via the policy #1

You do not need to enable this policy, when you enable a service the self-traffic-policy is enabled.

Ken Felix

NSE ( network security expert) and Route/Switching Engineer

kfelix -----a----t---- socpuppets ---dot---com

^ ^

=( @ @ )=

/ \