Friday, April 30, 2021

fortios upgrade from usb

 In some rare instances you might have to upgrade a FortiGate from USB. This can be for numerous reasons:


proxy

inside firewall access

a closed system with no internet access

etc...


So here are the basic steps


A> read the release notes. This tells you what changed: fixes, improvements, and anything the new build drops or renames in the configuration (which is what step G checks for).


B> study the supported upgrade path. A jump across several releases usually has to pass through intermediate builds.


C> make a backup of the configuration


D> clear the debug config error log, so that anything it shows afterwards came from the new build


E> copy the image to an MS-DOS (FAT32) formatted USB stick


F> start the upgrade


G> check the status and read any diag debug config errors


And lastly, the FortiGate has two flash partitions. The upgrade writes the new image to the inactive partition, so you can always revert by booting the other partition, which still holds the previously installed version.
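What steps C to G look like on the FortiOS CLI of a single-VDOM unit, as an added example that is not part of the original post. The config file name, the backup password, the image file name and the build number are placeholders; the image name has to be the one Fortinet publishes for your model and target build, and the USB stick is assumed to be FAT32 formatted.

```fortios
# Added example, not from the original post. Placeholders: file names, build number, password.

# C> backup the running config to the USB stick. Give it a password: the config
#    holds admin password hashes, VPN pre-shared keys and API keys in clear text
#    otherwise, and the stick is about to leave the rack.
execute backup config usb fgt-before-upgrade.conf S0me-backup-passphrase

# D> clear the config error log so only errors caused by the new build show up later
diagnose debug config-error-log clear

# E> confirm the stick mounted and the image is visible
execute usb-disk list

# F> start the upgrade. The unit flashes the image onto the inactive partition,
#    marks it active and reboots; answer y to the confirmation prompt.
execute restore image usb FGT_100E-v6-build1234-FORTINET.out

# G> after the reboot: confirm the running version, then read what the new build
#    refused to load from the old config (deprecated or renamed commands end up here)
get system status
diagnose debug config-error-log read

# Which partition is active now, and how to fall back: pick the partition whose
# Active column is not Yes and boot from it.
diagnose sys flash list
execute set-next-reboot secondary
execute reboot
```

Before step E, compare the image's checksum with the value shown on the Fortinet support portal download page; an image that was staged through a proxy or a shared drive is exactly the kind that deserves that check. If step G lists errors, compare them against the release notes from step A before deciding whether to keep the new build or revert.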








NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \




Friday, April 23, 2021

ipv6 sit-tunnel using https://www.tunnelbroker.ch/

 So an alternative to Hurricane Electric is https://www.tunnelbroker.ch/

The advantages here are;


  1.    the user interface is much better designed
  2.    an API is available


disadvantages 

  1.    the free account only offers a /64
  2.    you can only create up to 3 tunnels in the free offering 
  3.    the total number of end-point regions is much smaller than Hurricane Electric's


Here's a few snapshots of the portal


API

ipv6 tunnel details

Fortios cfg

Ping check from keycdn tools

And traceroute sourced from the /64 for testing;


YMMV but this is an exceptional tunnelbroker for ipv6.

note: their auto-cfg generator for fortios is incorrect {config system sbtb-tunnel}

     









Thursday, April 22, 2021

ipv6 sit-tunnel using Hurricane Electric

 So you want to try IPv6 but your local provider has no IPv6 capabilities. Use the Hurricane Electric tunnelbroker and build a SIT tunnel. HurricaneElectric https://tunnelbroker.net/

1st lets understand what SIT means. SIT (Simple Internet Transition, the Linux name for 6in4) wraps each IPv6 packet directly inside an IPv4 packet using IP protocol 41, with no extra header in between. The tunnel is stateless, so each side only needs the other side's IPv4 address and a point-to-point IPv6 address.


Okay that's what a SIT tunnel means and does. So on to the HE tunnel broker: the request is simple to execute, just make sure the IPv4 outer address on your FortiGate is allowing pings, because HE pings the endpoint before it will create the tunnel.


HE tunnel assignment with a /48 allocation;


Okay now that you have the HE pieces, you can configure the FortiOS settings. Since I want to test the /48 allocation, I will assign a /64 subnet to a loopback and configure it for ICMPv6, plus a firewall policy. Keep in mind that since FortiOS 6.4 IPv4 and IPv6 policies are configured in the same hierarchy from the CLI (config firewall policy, with srcaddr6/dstaddr6); no more "config firewall policy6".
 
sys sit-tunnel cfg and loopback ( notice allowaccess ping was set ) 






A firewall policy to allow for my testing ;


Okay let's look over the IPv6 route table and do some basic checks


here's some ping6 and traceroute6 tests using the FortiGate and the loopback address;
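The FortiOS configuration behind the screenshots in this post and in the tunnelbroker.ch post above, written out as an added example that is not the author's own config: the SIT tunnel, a loopback carrying one /64 out of the routed allocation, an IPv6 default route over the tunnel, a 6.4-style unified policy, and the checks. Every address is an RFC documentation placeholder (203.0.113.x, 198.51.100.x, 2001:db8::/32); substitute the server IPv4, client IPv6 and routed prefix from your tunnel details page. The interface name wan1 and the object names are assumptions.

```fortios
# Added example, not the post's own config. All addresses and names are placeholders.

# HE pings the IPv4 endpoint before creating the tunnel, and the tunnel itself
# is plain protocol 41 to that address, so the outer interface must answer ping.
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

# The SIT tunnel: source is your public IPv4, destination is the broker's server
# IPv4, ip6 is the client side of the point-to-point /64 from the tunnel details.
config system sit-tunnel
    edit "he-sit"
        set source 198.51.100.10
        set destination 203.0.113.1
        set ip6 2001:db8:0:1::2/64
        set interface "wan1"
    next
end

# One /64 taken out of the routed /48, on a loopback so it is always up,
# answering ICMPv6 only (the allowaccess the post mentions).
config system interface
    edit "lo-v6"
        set vdom "root"
        set type loopback
        config ipv6
            set ip6-address 2001:db8:1:1::1/64
            set ip6-allowaccess ping
        end
    next
end

# All IPv6 leaves over the tunnel; a point-to-point SIT interface needs no gateway.
config router static6
    edit 1
        set dst ::/0
        set device "he-sit"
    next
end

# 6.4 unified policy: note srcaddr6/dstaddr6 instead of a separate policy6 table.
# Only ICMPv6 from the tunnel to the loopback; nothing else is reachable inbound.
config firewall policy
    edit 100
        set name "v6-icmp-to-loopback"
        set srcintf "he-sit"
        set dstintf "lo-v6"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL_ICMP6"
        set logtraffic all
    next
end

# Checks: the default route should point at he-sit and the /64 at lo-v6,
# the broker side of the tunnel should answer, then test sourced from the loopback.
get router info6 routing-table
execute ping6 2001:db8:0:1::1
execute ping6-options source 2001:db8:1:1::1
execute ping6 ipv6.google.com
execute traceroute6 ipv6.google.com
```

The caveat that comes with any SIT tunnel: protocol 41 carries no authentication or encryption, so anything that can reach your IPv4 endpoint and spoof the broker's source address can inject IPv6 packets that arrive on he-sit. Treat the tunnel interface as an untrusted internet-facing interface and keep the policies on it as narrow as the one above; the logtraffic line is there so the probes from KeyCDN (and anyone else) show up in the forward traffic log.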




Here's me testing from KeyCDN tools for simultaneous pings/traceroutes








 


This was all done on a FGT100E attached to a tunnel endpoint in the EU region.



So to recap, IPv6 support is great in FortiOS. If you need IPv6 connectivity and your provider does not support IPv6, just use the tunnel services from HurricaneElectric https://tunnelbroker.net/

HE will give you the option to create up to 5 unique SIT tunnels.











Wednesday, April 7, 2021

ansible and napalm to get your fortios configuration

 With napalm-fortios you have a number of getters that log in to FortiOS and pull specific data back. The supported getters are listed at the following link:

https://napalm.readthedocs.io/en/reunification/support/index.html#getters-support-matrix


Here's a simple play to gather the fortios config;



- name: fgtconfig
  hosts: firewall1
  connection: local
  gather_facts: no
  vars_prompt:
    - name: password
      prompt: "password please"
    - name: admin
      prompt: "username please"
      private: no
  tasks:
    - name: getConfigDevice
      napalm_get_facts:
        username: "{{ admin }}"
        dev_os: 'fortios'
        password: "{{ password }}"
        filter: 'config'
      register: result
    - name: print results
      debug: msg="{{ result }}"


Here's an example for gathering firewall policies, which is great if you want to do audits.


tasks:
  - name: get fwpolices from device
    napalm_get_facts:
      username: "{{ admin }}"
      dev_os: 'fortios'
      password: "{{ password }}"
      filter: 'firewall_policies'
    register: resultfwpol
  - name: print results
    debug: msg="{{ resultfwpol }}"


A sample output;



A fgt collection play



- name: fgtcollections
  hosts: fgt1
  connection: local
  gather_facts: no
  vars_prompt:
    - name: password
      prompt: "password please"
    - name: admin
      prompt: "username please"
      private: no
  # A play carries the tasks key once. Repeating it makes Ansible keep only the
  # last block (with a duplicate-key warning), so all three collections go in
  # one list.
  tasks:
    - name: get facts from device
      napalm_get_facts:
        username: "{{ admin }}"
        dev_os: 'fortios'
        password: "{{ password }}"
        filter: 'config'
      register: result
    - name: print config
      debug: msg="{{ result }}"
    - name: get fwpolices from device
      napalm_get_facts:
        username: "{{ admin }}"
        dev_os: 'fortios'
        password: "{{ password }}"
        filter: 'firewall_policies'
      register: resultfwpol
    - name: print fwpolicies
      debug: msg="{{ resultfwpol }}"
    - name: get interface_counters from device
      napalm_get_facts:
        username: "{{ admin }}"
        dev_os: 'fortios'
        password: "{{ password }}"
        filter: 'interfaces_counters'
      register: counters
    - name: print counters
      debug: msg="{{ counters }}"


You can pull a host of items as long as a napalm getter exists for them, but that is the limit: napalm only exposes what the getters implement, and it reads, it does not write.


The FortiOS REST API is a better approach since it is documented very well and has a host of options for adding, deleting and changing configuration pieces.
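Before pointing a play at the REST API, the FortiOS side worth getting right is the API user, since a key tied to a read-write super_admin profile is far more than a config audit needs. The CLI below is an added example, not from the post: it creates a read-only access profile, binds an API user to it, restricts the key to one management subnet, and generates the key. The profile and user names and the 192.0.2.0/24 trusthost are placeholders.

```fortios
# Added example, not from the post. Names and the trusthost subnet are placeholders.

# Least privilege: a profile that can read firewall, system and network config
# and nothing else, instead of handing the audit script super_admin.
config system accprofile
    edit "api-ro"
        set comments "read-only profile for configuration audits"
        set fwgrp read
        set sysgrp read
        set netgrp read
    next
end

# The API user: bound to that profile, limited to one VDOM, and its key only
# accepted from the Ansible control host's subnet.
config system api-user
    edit "audit-api"
        set comments "used by the audit playbook"
        set accprofile "api-ro"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 192.0.2.0 255.255.255.0
            next
        end
    next
end

# Prints the bearer token once; it cannot be read back afterwards.
execute api-user generate-key audit-api
```

Store the key in Ansible Vault or another secret store rather than in the play, for the same reason the napalm plays above prompt for the password instead of hard-coding it. With the key in hand the policy audit becomes a GET of https://<fortigate>/api/v2/cmdb/firewall/policy with an Authorization: Bearer <key> header, which returns the same policy objects as the firewall_policies getter but with every attribute FortiOS exposes; the same /api/v2/cmdb tree takes POST, PUT and DELETE for the add, change and delete operations, which is exactly what the read-only profile above refuses for this user.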


YMMV






