Monday, August 28, 2017



When evaluating a security appliance, you need to be aware that certifications are issued for a specific appliance model and software version, so check that the model and version you are deploying are the ones that were actually certified.

Here are a few links:

https://f5.com/about-us/certifications




https://www.checkpoint.com/products-solutions/certified-check-point-solutions/







NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

Thursday, August 24, 2017

Get a caddy ( web server )

The need sometimes arises for a simple, lightweight HTTP daemon. The Caddy web server is simple and very easy to work with.

https://caddyserver.com

The cool thing about Caddy is that you can build a custom binary for your OS version and select whichever plugins you need or are interested in.

Here's a macOS build where I have selected 9 of the available plugins. By hovering over each plugin you can get a summary of what that plugin does.

Here's how to check which plugins are compiled into a build binary.


macbook:caddy kfelix$ sudo ./caddy -plugins
Server types:
  net
  http

Caddyfile loaders:
  short
  flag
  default

Other plugins:
  http.basicauth
  http.bind
  http.browse
  http.datadog
  http.errors
  http.expires
  http.expvar
  http.ext
  http.fastcgi
  http.gzip
  http.header
  http.index
  http.internal
  http.ipfilter
  http.limits
  http.log
  http.markdown
  http.mime
  http.nobots
  http.pprof
  http.proxy
  http.proxyprotocol
  http.push
  http.realip
  http.reauth
  http.redir
  http.request_id
  http.rewrite
  http.root
  http.status
  http.templates
  http.timeouts
  http.webdav
  http.websocket
  net.host
  shutdown
  startup
  tls
  tls.storage.file

A simple Caddyfile can be crafted to define the various web server details, and once it is launched you can use curl to validate it.






The above gives a simple example of what you can do, from defining a certificate and key to adding custom X- headers.

The access.log follows the simple Apache style.
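Because the access.log is plain Apache Common Log Format, it is easy to run simple detection over it. The following is an added example for this post (not Caddy's own code): it parses CLF lines as written by the http.log plugin, tolerates malformed lines, summarizes status codes, and flags clients that keep getting 401s from a basicauth-protected path. The log lines are constructed, and the 401 threshold is an assumption to tune per site.

```python
"""Parse an Apache Common Log Format access.log (as written by Caddy's
http.log plugin) and flag clients that keep failing basic auth.

Added example for this post, not Caddy's own code. The sample log lines
are constructed; the 401 threshold is an assumption to tune per site."""
import re
from collections import Counter

# Common Log Format: remote - user [time] "METHOD uri proto" status size
CLF_RE = re.compile(
    r'^(?P<remote>\S+) \S+ (?P<user>\S+) \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# constructed sample: one client hammering a basicauth path, one normal client
SAMPLE_LOG = """\
203.0.113.7 - - [24/Aug/2017:10:15:01 -0400] "GET /admin/ HTTP/1.1" 401 0
203.0.113.7 - - [24/Aug/2017:10:15:02 -0400] "GET /admin/ HTTP/1.1" 401 0
203.0.113.7 - - [24/Aug/2017:10:15:03 -0400] "GET /admin/ HTTP/1.1" 401 0
203.0.113.7 - - [24/Aug/2017:10:15:04 -0400] "GET /admin/ HTTP/1.1" 401 0
198.51.100.20 - kfelix [24/Aug/2017:10:16:00 -0400] "GET /admin/ HTTP/1.1" 200 1542
198.51.100.20 - - [24/Aug/2017:10:16:05 -0400] "GET /index.html HTTP/1.1" 200 310
garbage line that does not match the format
"""


def parse_clf(text):
    """Return (records, malformed_count); malformed lines are skipped, not fatal."""
    records, bad = [], 0
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            bad += 1
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
        records.append(rec)
    return records, bad


def status_summary(records):
    """Count responses per HTTP status code."""
    return Counter(r["status"] for r in records)


def repeated_auth_failures(records, threshold=3):
    """Remote addresses with at least `threshold` 401 responses (password guessing)."""
    c = Counter(r["remote"] for r in records if r["status"] == 401)
    return {ip: n for ip, n in c.items() if n >= threshold}


if __name__ == "__main__":
    recs, bad = parse_clf(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {bad} malformed")
    print("by status:", dict(status_summary(recs)))
    print("repeated 401s:", repeated_auth_failures(recs))
```

Point the script at the real access.log (or pipe it in) and the same three functions apply unchanged; the threshold and window are where you would tune for your traffic.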





If you're ever in a crunch and need a simple web server, do not overlook Caddy.

Ken Felix






Friday, August 18, 2017

FortiOS long vdom names

Long VDOM names are a feature supported in the most current FortiOS version. Previously you were limited to 11 characters in a VDOM name.

With long VDOM names you can craft extremely long names. Take these screenshots:






The negative to long names: if you ever downgrade to an older FortiOS version, this could cause problems.

Ken Felix







Tuesday, August 15, 2017

How to validate that your FortiGate AV profile is working

When you have enabled AV (antivirus) scanning on a FortiGate, you should test it against one of the EICAR test files.

First, here's the default AV profile on a typical firewall.






When the AV profile detects a virus it will generate a log message formatted like this:



You can test both HTTP and HTTPS when you have SSL inspection enabled.


 

Note: this is also a sure way to test that your SSL inspection is working.



If you have NO SSL inspection profile enabled, the FortiGate firewall will let you download the EICAR test file over an encrypted protocol like HTTPS with no warning, because without inspection the AV engine never sees the content. Here's a source for the text, zip and double-zip versions of the file.

http://www.rexswain.com/eicar.html




e.g. (with no SSL inspection, the EICAR test file was downloaded)





Security best practice mandates that you have AV enabled together with an SSL inspection profile to protect local LAN users if endpoint protection has not been installed.






Here's how a firewall policy with an AV profile and SSL inspection enabled looks from the CLI.




A feedback page will be displayed to the end user who hits the policy, with a simple link provided if they want to investigate what was blocked and why.



(HTTPS EICAR test file source)

https://secure.eicar.org/eicar.com
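To make the HTTP-versus-HTTPS comparison described above repeatable, here is an added example (not Fortinet's code and not from the original post) that fetches the test file over both protocols and reports whether it was delivered or blocked. The HTTPS URL is the one given above; the HTTP URL is a placeholder you fill in from your own EICAR source. Only a short prefix of the EICAR string is embedded so the script itself is not flagged; the verdict is based on the file's known 68-byte length and that prefix.

```python
"""Check whether the FortiGate AV profile blocks the EICAR test file over
HTTP and HTTPS. Added example for this post, not Fortinet's code.
The HTTPS URL is from the post; the HTTP URL is a placeholder."""
import urllib.error
import urllib.request

# The EICAR test file is exactly 68 bytes and starts with this header.
# Only a fragment is embedded so this script is not itself flagged by AV.
EICAR_PREFIX = b"X5O!P%@AP"
EICAR_LENGTH = 68

TEST_URLS = {
    "https": "https://secure.eicar.org/eicar.com",             # from the post
    "http": "http://EXAMPLE-EICAR-SOURCE.invalid/eicar.com",   # placeholder
}


def classify(status, body):
    """'delivered' means the unmodified test file reached the client, i.e. AV
    (or, for HTTPS, SSL inspection) is not doing its job. Anything else
    (FortiGate replacement page, 403, truncated body) counts as 'blocked'."""
    if status == 200 and len(body) == EICAR_LENGTH and body.startswith(EICAR_PREFIX):
        return "delivered"
    return "blocked"


def fetch(url, timeout=10):
    """Return (status, body); an HTTP error still yields its status and page."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def run(urls=TEST_URLS):
    """Verdict per scheme; 'unreachable' if the request never completed
    (DNS failure, TLS error because the inspection CA is not trusted, etc.)."""
    results = {}
    for scheme, url in urls.items():
        try:
            results[scheme] = classify(*fetch(url))
        except (urllib.error.URLError, OSError):
            results[scheme] = "unreachable"
    return results


if __name__ == "__main__":
    for scheme, verdict in run().items():
        print(f"{scheme}: {verdict}")
```

Run it from a client on the protected LAN: with AV and SSL inspection working you expect "blocked" for both schemes; "delivered" on https alone is exactly the no-SSL-inspection case the post describes. TLS verification is left on deliberately, so a client without the FortiGate's inspection CA installed will report "unreachable" for https rather than silently trusting the replacement page.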


If you're using the FortiGate as an explicit proxy, please ensure you have AV profiles in use and that they are in proxy mode.


Example:



Ken Felix







Friday, August 11, 2017

FortiGate conserve mode

FortiGate models have a conserve mode. This is a simple mechanism that FortiOS triggers in order to try to protect the system.

Almost all security profiles are handled in shared memory. Any time this memory is exhausted or nearly exhausted, the unit will go into conserve mode and deactivate certain scan profiles.

You can easily check whether your unit is in conserve mode with the following diagnostic command:

diagnose hardware sysinfo shm | grep conser



You can also review the logs; if this event happens it will be recorded as a "critical" event.

e.g.





To avoid this, we need to understand the following:


  • Combinations of AV profile scanning in proxy and flow mode can cause havoc with conserve mode
  • Excess traffic and UTM functions can cause kernel conserve mode
  • Be aware of running multiple scan modes (flow and proxy) at the same time
  • Limit which firewall policies have AV profiles
  • Upgrade the unit if it is undersized and repetitive conserve-mode events happen


So to ensure you don't enter conserve mode, you also need to reduce logging to memory.

The various FortiGate models use certain shared-memory or physical-memory percentage thresholds to determine when to enter conserve mode. The FTNT support team can provide these values upon request.

It's best to optimize the firewall for just the UTM features you require and remove all other UTM profiles from the firewall policies.






 
Ken Felix
 

Deleting the root VDOM... you can't do it!




Working with various IT/security outfits over the past few years, and with numerous security engineers and directors, I've found a lot of them get hung up over the VDOM name "root". I've even had numerous requests to remove the root VDOM or rename it.



 
In one of my last encounters, they actually had me open a ticket with FTNT, and the engineer made a wild claim that he thought it could be deleted.

In fact, this is NOT true! Or at least I have yet to be proven wrong.


Here are some screenshots of a waste of time "attempting" to remove the VDOM named "root", after deleting all policies, creating a new VDOM, and deleting any bindings to the root VDOM (interfaces, admin accounts, DHCP server, FortiAnalyzer, FortiManager, central management, etc.).









So, the conclusion:


1: the root VDOM cannot be deleted

2: it's just a VDOM name; use it as-is or don't use it

3: trying to rename or delete the root VDOM amounts to trying to rename or delete the Windows system32 directory or the Unix "/" directory


Ken Felix

Monday, August 7, 2017

FortiGate explicit proxy with web filtering

In schools, in both the public and private sector, a web proxy with URL filtering is a must. This ensures pupils are restricted in what content they can access.

Here I will show a top-level view of a multiple explicit-proxy setup where user groups are defined to grant access based on the web filter profile that is applied.


You could have multiple web filter profiles defined for various groups.


In the above, we allow the grade-level network ranges to reach the explicit proxy addresses, which happen to be loopback interfaces.

Firewall policies will be required to allow the networks to reach the proxy addresses.

This policy allows the web clients to use the proxy, while all direct outbound traffic to the Internet is blocked. In fact you will NOT need a policy from the loopback address; the FortiGate allows this proxy-initiated traffic automatically.

First (example of allowing web clients to reach the web proxy):


config firewall policy
    edit 0
        set dstintf "loop1"
        set srcintf "LAN1" "LAN2"
        set srcaddr "LANNET01" "LANNET02"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "WEB_PROXY" "PING"
        set comments " !!!!!ALLOW  EXPLICIT  PROXY TO THE CLIENTS school!!!!"
    next

    edit 0
        set dstintf "loop0"
        set srcintf  "LAN3"
        set srcaddr "LANNET03" 
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "WEB_PROXY" "PING"
        set comments " !!!!!ALLOW  EXPLICIT  PROXY TO THE CLIENTS school!!!!"
    next

end


The above will allow the source networks to reach their respective proxy address. You can assign these proxy addresses via a GPO for Windows clients or statically for others.


Now, on the loopback interfaces we only need to turn on the explicit web proxy:


config system interface
    edit loop0
        set explicit-web-proxy enable
    next
    edit loop1
        set explicit-web-proxy enable
    next
end



The above enables the web proxy service on the two loopbacks so the web clients can reach it.


Now that we have the policies in place and the web proxy enabled, you can optionally configure web proxy profiles and global settings.

We will now create the web filter profiles; each might be a combination of categories and static URL filters.



In order to use a URL filter with the explicit proxy, the profile MUST BE SET to proxy mode.








Now with all of the above you can define explicit proxy policies similar to the following:


config firewall explicit-proxy-policy
    edit 1
        set proxy web
        set dstintf "wan1"
        set srcaddr "SCHOOL EDU_NET_RANGE"
        set dstaddr "all"
        set service "WEB_PROXY"
        set action accept
        set identity-based enable
            config identity-based-policy
                edit 1
                    set schedule "always"
                    set utm-status enable
                    set group  "proxy_user0"
                    set webfilter-profile "SCHOOL"
                    set profile-protocol-options "default2"
                    set ssl-ssh-profile "certificate-inspection"
                next
                edit 2
                    set schedule "always"
                    set users "proxy_user1"
                next
                edit 3
                    set schedule "always"
                    set group "School_Resource_Group"
                next
                edit 4
                    set schedule "always"
                    set group  "K-12students"
                    set utm-status enable
                    set webfilter-profile "SCHOOLK12"
                    set profile-protocol-options "default2"
                    set ssl-ssh-profile "certificate-inspection"
                next
            end
    next
end





Each identity-based policy rule could use a different authentication type or method (local user, RADIUS, LDAP, etc.). A RADIUS or LDAP-as-a-service solution could also be used.



For example, you might use RADIUS-as-a-service for one group of users, a static local user for diagnostics, and authenticate the student and faculty body via MS AD credentials.


Be aware of the identity rule ordering, and of what each user can authenticate against and how: the first rule a user matches is the one that applies.
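The ordering caveat is easy to get wrong when a user belongs to more than one group. The following is an added example for this post (not FortiOS code): it walks the identity rules from the policy above in config order, picks the first match the way the proxy does, and audits for users who land on an unfiltered rule even though a later rule with a web filter profile would also have matched them. The rule list mirrors the config above; the users and their group memberships are constructed.

```python
"""Evaluate identity-based explicit-proxy rules in config order: the FIRST
rule whose group (or user) matches wins, and its web filter profile is what
the client gets. Added example for this post, not FortiOS code. The rules
mirror the explicit-proxy-policy above; users and memberships are constructed."""

# (rule id, match kind, match value, webfilter profile or None) in config order
RULES = [
    (1, "group", "proxy_user0", "SCHOOL"),
    (2, "user", "proxy_user1", None),              # no utm-status: unfiltered
    (3, "group", "School_Resource_Group", None),   # no utm-status: unfiltered
    (4, "group", "K-12students", "SCHOOLK12"),
]

# constructed directory: user -> groups
DIRECTORY = {
    "alice": {"K-12students"},
    "officer": {"School_Resource_Group"},
    "bob": {"K-12students", "School_Resource_Group"},  # member of both
    "proxy_user1": set(),
}


def first_match(user, rules=RULES, directory=DIRECTORY):
    """Return (rule id, profile) of the first matching rule, or None if the
    user matches nothing (the proxy would then deny the request)."""
    groups = directory.get(user, set())
    for rid, kind, value, profile in rules:
        if (kind == "user" and value == user) or (kind == "group" and value in groups):
            return rid, profile
    return None


def audit(rules=RULES, directory=DIRECTORY):
    """Flag (user, rule hit, later filtered rule) where a user reaches an
    unfiltered rule but also belongs to a group a later filtered rule uses.
    That is the ordering mistake the post warns about."""
    findings = []
    for user, groups in directory.items():
        hit = first_match(user, rules, directory)
        if hit is None or hit[1] is not None:
            continue
        later = [rid for rid, kind, value, profile in rules
                 if rid > hit[0] and profile and kind == "group" and value in groups]
        if later:
            findings.append((user, hit[0], later[0]))
    return findings


if __name__ == "__main__":
    for user in DIRECTORY:
        print(user, "->", first_match(user))
    print("ordering findings:", audit())
```

In the constructed directory "bob" is in both School_Resource_Group and K-12students; because rule 3 comes first he gets the unfiltered resource-officer treatment rather than the SCHOOLK12 profile, which is the kind of result you want to catch before rolling the policy out to students.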







The explicit proxy provides a great means of controlling and inspecting user requests. The FortiGate makes it simple to web filter using domain and wildcard (*) matches, plus category-based filtering.


Each identity rule could have its own web filter profile to match the web clients' authorizations.


Examples:

  •   the police/resource officer has access to all sites, including social media, to investigate threats
  •   K-5 has a restricted profile that allows only educationally approved sites or static entries
  •   8-12 are allowed the same plus any SAT or assessment systems in a static URL list
  •   the IT team has access to IT sites for uploads/downloads and security-related matters
  •   guest users have basic access to sites deemed approved.

To test the proxy, I've found Chrome launched manually is a great method. You could use a static PAC file or just call up the proxy server.

(launching Chrome)


(sample PAC file)




Based on your web filter categories or static URLs and their actions, you can test for allow or block. Depending on the user group and the action configured for the URL, you will either be allowed or denied. If denied, you will get a response page similar to the one below.


If you fail AUTHENTICATION, the proxy will provide a login failure message.



 


If you do use Chrome, always check the proxy settings that the "SYSTEM" has enabled, since Chrome inherits them.



Ken Felix


Wednesday, August 2, 2017

FortiOS GEOIP tips

GeoIP is a feature of the FortiGate that is very simple to use; here are some tips and tricks for getting around it.

Here are a few things to consider:


  • Updates are pushed via an active FortiGuard subscription to the FortiGates under contract
  • It does not support an IPv6 GeoIP database at this time
  • There are no manual updates you can push
  • You can craft firewall address objects with custom GeoIP data
  • Keep in mind you can't assign an IANA-assigned 2-letter country code to a custom firewall address



TIP#1

To get the current version of the GeoIP database:

diag autoupdate versions



IP Geography DB
---------
Version: 1.054
Contract Expiry Date: n/a
Last Update Date: Tue Aug 30 14:10:59 2016




TIP#2


To execute an update request from the command line (with debug output enabled so you can see the result):

diag debug reset
diag debug enable
diag debug application update -1
execute update-geo-ip
diag debug reset
diag debug disable


TIP#3

To list the network ranges for a country (here ST):

FW01 $ diag firewall ipgeo ip-list ST
         45.42.228.0 - 45.42.228.127
        46.36.203.71 - 46.36.203.75
       104.167.215.0 - 104.167.215.255
         154.72.12.0 - 154.72.15.255
       197.159.160.0 - 197.159.191.255
Country name:ST Total IP Range:5




TIP#4

To find what country an IPv4 address belongs to:

diag firewall ipgeo ip2country 169.254.23.22
169.254.23.22 is in country:ZZ
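The ip-list output above is handy for building address objects or cross-checking a lookup off-box. The following is an added example for this post (not FortiOS code) that parses the `diag firewall ipgeo ip-list` output for ST exactly as shown above, verifies the "Total IP Range" trailer against what it parsed, collapses each first-last range into the fewest CIDR blocks, and answers the ip2country question from that table, returning ZZ for addresses in no known range (as the FortiGate does for 169.254.23.22 above). The ranges are copied from the output above; the country table built from them is constructed.

```python
"""Turn 'diag firewall ipgeo ip-list <CC>' output into CIDR blocks and do
an ip2country lookup against it. Added example for this post, not FortiOS
code. The ST ranges are the ones shown in the post; the lookup table is
constructed from them."""
import ipaddress
import re

# pasted from the post's ip-list output for ST
IPLIST_ST = """\
         45.42.228.0 - 45.42.228.127
        46.36.203.71 - 46.36.203.75
       104.167.215.0 - 104.167.215.255
         154.72.12.0 - 154.72.15.255
       197.159.160.0 - 197.159.191.255
Country name:ST Total IP Range:5
"""

RANGE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)\s*$")
TRAILER_RE = re.compile(r"Total IP Range:(\d+)")


def parse_iplist(text):
    """Return [(first, last), ...] as IPv4Address pairs and check the count
    against the 'Total IP Range' trailer so a truncated paste is noticed."""
    ranges, expected = [], None
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            first, last = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
            if last < first:
                raise ValueError(f"inverted range: {line.strip()}")
            ranges.append((first, last))
            continue
        t = TRAILER_RE.search(line)
        if t:
            expected = int(t.group(1))
    if expected is not None and expected != len(ranges):
        raise ValueError(f"parsed {len(ranges)} ranges but trailer says {expected}")
    return ranges


def to_cidrs(ranges):
    """Collapse first-last ranges into the fewest CIDR blocks (address objects)."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(first, last))
    return [str(n) for n in nets]


def ip2country(ip, table):
    """table maps country code -> ranges; unmatched addresses (private,
    link-local, unknown) come back as ZZ, mirroring the FortiGate output."""
    addr = ipaddress.IPv4Address(ip)
    for cc, ranges in table.items():
        if any(first <= addr <= last for first, last in ranges):
            return cc
    return "ZZ"


if __name__ == "__main__":
    table = {"ST": parse_iplist(IPLIST_ST)}
    print(to_cidrs(table["ST"]))
    for probe in ("154.72.13.5", "169.254.23.22"):
        print(probe, "is in country:", ip2country(probe, table))
```

Note that a first-last range does not always map to a single CIDR: 46.36.203.71-75 becomes a /32 plus a /30, which matters when you are translating these into address objects on another device.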







Ken Felix

Log forecasting and trending on FortiAnalyzer

The number of log messages per second and the size of each log message determine just how much storage you will need. Yes, it's really that easy, but how do you get a baseline?


As you enable more logging (firewall policy, local-in, local-out, system events), this directly impacts the log disk size required.

Take a local FAZ event log; it does a great job of showing just how much disk space was used per day.


Using the above you can forecast the log disk size based on current log rates. I see so many orgs that enable the "log all" approach and don't realize just how much of a resource impact it makes.

As you add more policies, more traffic, more end nodes, etc., the log rate can easily climb.
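To turn those per-day figures into a forecast, here is an added example for this post (not Fortinet's code). It computes the raw daily volume from the rate and message size the post describes, fits a straight line through a series of daily disk-usage readings like the ones the FAZ event log reports, and projects how many days remain before a given log disk fills. The daily readings are constructed; the message rate and size in the usage example are assumptions.

```python
"""Baseline and forecast FortiAnalyzer log disk use. Added example for this
post, not Fortinet's code. Daily readings below are constructed stand-ins for
what the FAZ event log reports; the rate formula is the one the post states
(messages per second x message size)."""


def daily_gb(msgs_per_sec, avg_msg_bytes, stored_ratio=1.0):
    """Log volume per day in GB; stored_ratio < 1.0 models on-disk compression."""
    return msgs_per_sec * avg_msg_bytes * 86400 * stored_ratio / 1e9


def linear_fit(samples):
    """Least-squares (slope, intercept) over (day, used_gb) samples."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two daily readings")
    sx = sum(d for d, _ in samples)
    sy = sum(u for _, u in samples)
    sxx = sum(d * d for d, _ in samples)
    sxy = sum(d * u for d, u in samples)
    denom = n * sxx - sx * sx
    if denom == 0:
        raise ValueError("all readings are from the same day")
    slope = (n * sxy - sx * sy) / denom
    return slope, (sy - slope * sx) / n


def days_until_full(samples, capacity_gb):
    """Days from the last reading until capacity is hit at the fitted growth
    rate; None when usage is flat or shrinking; 0.0 if already over."""
    slope, intercept = linear_fit(samples)
    if slope <= 0:
        return None
    last_day = max(d for d, _ in samples)
    fitted_now = intercept + slope * last_day
    return max(0.0, (capacity_gb - fitted_now) / slope)


# constructed: cumulative log disk use in GB, one reading per day
USED_PER_DAY = [(0, 10.0), (1, 12.0), (2, 14.0), (3, 16.0), (4, 18.0)]

if __name__ == "__main__":
    # assumption for illustration: 500 msg/s averaging 400 bytes each
    print(f"raw volume: {daily_gb(500, 400):.2f} GB/day")
    slope, _ = linear_fit(USED_PER_DAY)
    print(f"observed growth: {slope:.2f} GB/day")
    print(f"days until a 100 GB log disk fills: {days_until_full(USED_PER_DAY, 100):.0f}")
```

Feed it a few weeks of real per-day readings rather than five points, and re-run after any change to policies or log settings, since the post's point is that the rate moves as the environment grows.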




Ken Felix