Monday, November 30, 2020

MS RDP and UDP

In most firewalls, the idle timers for UDP and ICMP sessions expire once a session has been idle for 30 seconds or less.

With MS RDP (Terminal Services) you can set the client up to use TCP only if you're seeing numerous disconnects. The registry value is:


HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    SelectTransport    REG_DWORD    1

Then you can monitor the firewall session table to confirm the client is using TCP.


fortios:


diag sys session filter dport 3389
diag sys session filter proto 6
diag sys session list




Ken Felix 
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \


Friday, November 20, 2020

fortiosapi address+group creation

Someone from the FTNT forum community raised an email asking how to build addresses and add them to a group.

Here's a sample way of accomplishing this in one playbook, which I will demonstrate.

I'm creating two address types and then adding them as members of a group named maingroup:


---
- hosts: control_node
  collections:
  - fortinet.fortios

  vars:
    host: "12.12.12.12"
    username: ansible
    password: test1234
    vdom: "root"
    ssl_verify: false

  tasks:
  - name: mkAddress-subnet
    fortios_firewall_address:
       host: "{{ host }}"
       vdom: "{{ vdom }}"
       username: "{{ username }}"
       password: "{{ password }}"
       state: "present"
       https: "true"
       ssl_verify: "{{ ssl_verify }}"
       firewall_address:
          comment: "subnet type"
          name: "name1"
          type: ipmask
          subnet: "192.0.2.0/30"

  - name: mkAddress-fqdn
    fortios_firewall_address:
       host: "{{ host }}"
       vdom: "{{ vdom }}"
       username: "{{ username }}"
       password: "{{ password }}"
       state: "present"
       https: "true"
       ssl_verify: "{{ ssl_verify }}"
       firewall_address:
          comment: "fqdn type"
          name: "name2"
          type: fqdn
          fqdn: "soc.example.com"

  - name: mkAddressGroup
    fortios_firewall_addrgrp:
       host: "{{ host }}"
       vdom: "{{ vdom }}"
       username: "{{ username }}"
       password: "{{ password }}"
       state: "present"
       https: "true"
       ssl_verify: "{{ ssl_verify }}"
       firewall_addrgrp:
          comment: "blog example https://socpuppet.blogspot.com/"
          member:
            - name: "name1"
            - name: "name2"
          name: maingroup


Within fortiosapi, if you provide an item that is not recognized, the module will throw an error and tell you what is allowed.

For example, I typed fqdns when I should have typed fqdn:




And now the module throws an error telling me to use one of the following:




So always read the error; it will give you direction on what the module is expecting. To learn more about the fortiosAPI and examples of what can be done, read some of my earlier posts on this subject.
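To show the same idea outside Ansible, here is an added Python example (not code from this post or from the fortinet.fortios collection) that builds the two addresses and the group from the playbook above as FortiOS REST payloads and performs the same kind of parameter check the module does, so a typo like fqdns is rejected with the list of allowed values before anything touches the FortiGate. Assumptions in it: the REST paths /api/v2/cmdb/firewall/address and /api/v2/cmdb/firewall/addrgrp, that ADDRESS_TYPES and REQUIRED_FIELDS are only a subset of what FortiOS accepts (the module's own error lists the full set), and API-token auth in apply_plan() where the playbook uses a username and password.

```python
"""Build the playbook's addresses and group as FortiOS REST payloads, with a
parameter check that behaves like the Ansible module's.

Added example, not code from the post or the fortinet.fortios collection.
Assumptions: REST paths /api/v2/cmdb/firewall/{address,addrgrp}; the type
and field tables below are a subset of what FortiOS accepts; apply_plan()
uses an API token rather than the playbook's username/password."""

# Subset of FortiOS address types (assumption: the real list is longer).
ADDRESS_TYPES = {"ipmask", "iprange", "fqdn", "geography", "wildcard"}

# Keys that must accompany each type (assumed CMDB field names; the playbook
# uses subnet for ipmask and fqdn for fqdn).
REQUIRED_FIELDS = {
    "ipmask": ("subnet",),
    "iprange": ("start-ip", "end-ip"),
    "fqdn": ("fqdn",),
    "geography": ("country",),
    "wildcard": ("wildcard",),
}


class ParameterError(ValueError):
    """Like the module: names the bad value and what is allowed instead."""


def rejection_reason(addr_type, **fields):
    """Return why an address definition would be rejected, or None if it is fine."""
    if addr_type not in ADDRESS_TYPES:
        allowed = ", ".join(sorted(ADDRESS_TYPES))
        return f"value of type must be one of: {allowed}, got: {addr_type}"
    missing = [f for f in REQUIRED_FIELDS[addr_type] if f not in fields]
    if missing:
        return f"type {addr_type} requires: {', '.join(missing)}"
    return None


def address_payload(name, addr_type, comment="", **fields):
    """Body for POST .../firewall/address, validated first."""
    reason = rejection_reason(addr_type, **fields)
    if reason:
        raise ParameterError(reason)
    return {"name": name, "type": addr_type, "comment": comment, **fields}


def addrgrp_payload(name, members, comment=""):
    """Body for POST .../firewall/addrgrp; members are address names."""
    return {"name": name, "comment": comment,
            "member": [{"name": m} for m in members]}


def build_plan(host, vdom="root"):
    """Ordered (method, url, body) calls reproducing the three playbook tasks."""
    base = f"https://{host}/api/v2/cmdb/firewall"
    addrs = [
        address_payload("name1", "ipmask", "subnet type", subnet="192.0.2.0/30"),
        address_payload("name2", "fqdn", "fqdn type", fqdn="soc.example.com"),
    ]
    grp = addrgrp_payload("maingroup", [a["name"] for a in addrs],
                          "blog example https://socpuppet.blogspot.com/")
    # Addresses first, group last: the group cannot reference members that
    # do not exist yet, which is why the playbook orders its tasks this way.
    return ([("POST", f"{base}/address?vdom={vdom}", a) for a in addrs]
            + [("POST", f"{base}/addrgrp?vdom={vdom}", grp)])


def apply_plan(plan, api_token, verify_tls=True):
    """Send the plan to a FortiGate (not exercised offline). Leave verify_tls
    on outside a lab; the playbook's ssl_verify: false belongs in a test VDOM."""
    import requests  # assumption: requests is installed where this runs
    headers = {"Authorization": f"Bearer {api_token}"}
    results = []
    for method, url, body in plan:
        r = requests.request(method, url, json=body, headers=headers,
                             verify=verify_tls, timeout=15)
        results.append((url, r.status_code))
        if r.status_code >= 400:  # stop at the first failure, as a play would
            break
    return results


if __name__ == "__main__":
    print(rejection_reason("fqdns", fqdn="soc.example.com"))  # the typo from the post
    for method, url, body in build_plan("12.12.12.12"):
        print(method, url, body)
```

Running it prints the rejection for the fqdns typo and then the three calls in the order the playbook makes them; feed `build_plan()` to `apply_plan()` with a token from a test VDOM when you want to push it for real.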



https://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html


Make sure you run your plays on a non-production device, or create a VDOM for testing, before applying changes to a production FortiGate. If you're working with a DevOps group, use "ANSIBLE_DEBUG=1" to debug any playbooks if you're having issues executing config changes. If you set up a DevOps test VDOM you can do all testing in that VDOM before rolling it out.


e.g




So jump into the API and give it a spin. You can do a lot of creative configs and changes in your FortiGate environment with the ease of the CM tool.

You can find me on forum.fortinet.com posting under emnoc. I've been a member in the open community for over 12 years.






Friday, November 13, 2020

fortios alias cmd

FortiOS has the ability to create alias commands. Great if you're tired of typing long strings to get status.


config system alias
    edit "get"
        set command "get system status | grep Version"
    next
    edit "policy"
        set command "show firewall policy"
    next
    edit "route"
        set command "get router info routing all"
    next
    edit "vpn1"
        set command "diag vpn ike gateway"
    next
    edit "vpn2"
        set command "diag vpn tunnel list"
    next
end


Executing one is simple: just use "alias" followed by the alias name.

e.g

alias route





Wednesday, November 11, 2020

OracleCloud vpn to fortigate

Here we have a VPN and BGP config from Oracle Cloud to a FortiGate device.


FGT100E 6.4.3
Oracle Cloud Ashburn


The FGT VPN IPsec config:







So use the wizard and define your tunnel0 interface inside address and the CPE peer IPv4 address (aka your FortiGate WAN).



Oracle Cloud will dump a simple config summary if you follow the wizard; make sure to record all the details. It looks similar to the following:





The dashboard will update once you have IPsec and BGP up.





Make sure to monitor the FortiGate for BGP connectivity and IPsec VPN details:






Monday, November 9, 2020

Understand Juniper SRX self-traffic-policy

Any traffic originating from or terminating at the SRX is controlled by a hidden policy. This policy is known as the self-traffic-policy, which means the SRX itself originates or terminates the traffic.

e.g 

An SSH session to the SRX and a BGP session




You can get a complete hit count for the self-traffic-policy via policy #1:




You do not need to enable this policy; when you enable a service, the self-traffic-policy is enabled for it.


 


