Sunday, June 22, 2014

Fortiexplorer can't access CLI usb port ( problem and solution )

Here's a problem that can comes up with  the new crop of  current model of fortigates.  This problem can easily be missed and cause a host of access problems for CLI access.

The fortiexplorer is a WebGUI terminal utility that allows direct access to certain models of fortinet gear



( I'm posting a link to the it's " so easy a six year old can set it ! " )
http://www.fortinet.com/videos/fortigate_fortiexplorer_so_easy_six_year_old_can_set_it.html

Some firewall administrators  hate it ( fortiexplorer )  and wants a real db9 or rj45 console.  Others ( like me ) thinks it's good in that you don't need a USB2Serial adapter.



I can ship a fortigate device to a customer site, and not have to rely on having a usb2serial adapter  available. The local staff can easily  setup a fortigate to give me remote access, like in  5mins or the time it takes to install the fortiexplorer application and connect just one cable to a usb port on a laptop/desktop..

Keep in mind,  even cisco has the usb-mini console integrated into some of their gear also. But unlike Fortinet,  they still offer the RJ45 interfaces. How long will they keep this up? is TBD

Okay here's the problem. You installed fortiexplorer and it does NOT find any device!
( frustrating to say the least )

So what's the problem ?

Here's one of the easiest missed item. Has the console been disabled ? You can only check this from what I can tell, only from  ssh/telnet  access. I don't think there's a WebGUI method


NOTE: So as you can see, it was disabled.


As soon as you enable it, you will now see your device if you properly have the cables conneced or reconnect.




Pay attention to the big warning if you should disable the console.




I personally think fortinet screwed up on this feature.  Why would you want to disable the console, does not make any sense,  nor should not have been a feature imho.

If you disable this or if the FortiOS comes with the console disable, this could become a chicken and egg on how do you re-enable it or diagnose the problem, or conduct a factory-reset.

I understand from a remote security access & the need to disable consoles on some security appliances, but a console should have an  active  login/account/timeout setup & configured. This would ensure no "unauthorized " remote user can access the devices. Or if he/she walks away, that the console login timeouts.

I was told  by a source within Fortinet, that this was feature was requested by various security & gov agencies to ensure that a lost or remote device, could not be compromised.

I personally think this is not needed, since fortinet has done a great job with one-way hashing of key critical passphrases such as;

  • VPN-PSK
  • user-administrators
  • etc....


So enjoy and make sure that you check that console !


Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- Socpuppets ---dot---com

   ^    ^
=( $ $ )=
     @
     /  \

No comments:

Post a Comment