There may come a time when you have rev.1 and rev.2 hardware of a particular platform that you're trying to form an HA cluster with. To successfully accomplish this you need to tell the firewall to ignore the difference in hardware revision.
 
 In FortiOS 4.3 and earlier:
 config system global
 set ignore-hardware-revision enable
 end 
 
 In FortiOS 5.0 and later:
 exec ha ignore-hardware-revision enable
 exec ha ignore-hardware-revision status  
 A real world resource for Fortinet firewalls including How-Tos and Frequently Asked Questions
Monday, November 3, 2014
Thursday, September 25, 2014
Bash Vulnerability Signatures
 The newly announced Bash / Shellshock vulnerability is documented in CVE-2014-6271.
 
Here are IPS rules for immediate manual deployment. Fortinet has already generated
a new IPS signature, Bash.Function.Definitions.Remote.Code.Execution, which will be released in the next few hours after it has passed the QA testing process.
 
Fortigate firewalls do NOT use Bash and are not vulnerable to this exploit. The rules below can be used to filter traffic destined for devices protected by the firewall.
 
F-SBID( --name "Bash.Code.Execution.Custom1"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context uri; --pcre "/[=?&\x2f]\s*?\x28\x29\x20\x7b\x20/"; --context uri ; )
F-SBID( --name "Bash.Code.Execution.Custom2"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context header;)
F-SBID( --name "Bash.Code.Execution.Custom3"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context body; --pcre "/(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20/"; --context body ; )
F-SBID( --name "Bash.Code.Execution.Custom4"; --protocol tcp; --service HTTP; --flow from_client; --pattern "()"; --context header; --pattern ":|3b|"; --context header; --within 8; --pattern "}"; --context header; --within 8; --pcre "/(Cookie|Host|Referer):\s*\(\)\s*\{\s*:\x3b\s*\}\s*\x3b/i"; --context header; --distance -32; --within 128; )
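As an added illustration that is not part of the original post, the following Python reproduces the matching logic of the four custom signatures above on constructed sample requests: it decodes the F-SBID |hex| pattern notation, splits a request into the uri, header and body contexts, and applies each signature's fast pattern followed by its PCRE. Custom4's --within distance constraints are not modelled; its PCRE enforces the ordering.

```python
import re

def decode_fsbid_pattern(pattern: str) -> bytes:
    """Expand an F-SBID --pattern value: text outside |...| is literal, inside |...| is hex bytes."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

FUNC_DEF = decode_fsbid_pattern("|28 29 20 7b 20|")   # the bytes "() { " used by Custom1-3

# (context, fast --pattern, optional --pcre) for each custom signature in the post.
SIGNATURES = {
    "Bash.Code.Execution.Custom1": ("uri", FUNC_DEF,
                                    re.compile(rb"[=?&\x2f]\s*?\x28\x29\x20\x7b\x20")),
    "Bash.Code.Execution.Custom2": ("header", FUNC_DEF, None),
    "Bash.Code.Execution.Custom3": ("body", FUNC_DEF,
                                    re.compile(rb"(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20")),
    "Bash.Code.Execution.Custom4": ("header", b"()",
                                    re.compile(rb"(Cookie|Host|Referer):\s*\(\)\s*\{\s*:\x3b\s*\}\s*\x3b", re.I)),
}

def split_request(raw: bytes) -> dict:
    """Split one raw client request into the uri / header / body contexts the signatures inspect."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    _method, _, rest = request_line.partition(b" ")
    uri, _, _version = rest.rpartition(b" ")   # tolerate raw spaces inside the URI
    return {"uri": uri or rest, "header": headers, "body": body}

def match_signatures(raw: bytes) -> list:
    """Return the names of the custom signatures that fire on one request, in definition order."""
    ctx = split_request(raw)
    hits = []
    for name, (context, fast, pcre) in SIGNATURES.items():
        data = ctx[context]
        # the fast --pattern must be present before the --pcre is evaluated, as on the sensor
        if fast in data and (pcre is None or pcre.search(data)):
            hits.append(name)
    return hits

# Constructed sample requests (not captured traffic).
BENIGN = b"GET /index.html?q=1 HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.30\r\n\r\n"
IN_HEADER = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Referer: () { :; }; echo shellshock-test\r\n\r\n")
IN_URI = b"GET /cgi-bin/status?x=() { :; }; HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
IN_BODY = (b"POST /form HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\nname=() { :; }; x")

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("header", IN_HEADER), ("uri", IN_URI), ("body", IN_BODY)]:
        print(f"{label:7} -> {match_signatures(req)}")
```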
Monday, September 15, 2014
Switching interface modes
 By default smaller Fortigate units such as the 60D or 90D series combine their interfaces into a virtual switch. Via a configuration change all ports can be assigned to their own broadcast domains. This is useful for example if you want to configure a number of different trunk ports.
 
By default the firewalls are also configured with basic policies that permit and NAT outbound traffic as well as a DHCP server. These configurations need to be cleared before the switch mode can be changed.
 
#config firewall policy
#purge
 
This operation will clear all table!
Do you want to continue? (y/n) y
 
#end
#config system dhcp server
#purge
 
This operation will clear all table!
Do you want to continue? (y/n) y
 
#end
#config system global
#set internal-switch-mode interface
#end
 
Changing switch mode will reboot the system!
Do you want to continue? (y/n) y
Wednesday, August 27, 2014
Silence of the Local Broadcasts
 When setting up a new FortiGate you tend to receive a lot of logs for traffic destined to 255.255.255.255 (aka the global broadcast address) or x.x.x.255 (your local subnet broadcast address). To reduce clutter and have the firewall drop these broadcasts silently use:
 
FortiAnalyzer:
config log fortianalyzer filter
set local-traffic disable
end
 
Log Disk
config log disk filter
set local-traffic disable
end
 
Memory:
config log memory filter
set local-traffic disable
end
 
Syslog
config log syslogd filter
set local-traffic disable
end
Tuesday, July 29, 2014
New Feature Highlight: Dedicated Management CPU
 In FortiOS 5.2 and higher you can dedicate one of the CPUs for management access, in other words GUI and CLI access. If the system is running under extremely high loads this will guarantee access to management functions.
 
 This feature is only available on 2U firewalls and blades that have multiple CPUs.
 
To enable this feature (default disabled):
 
conf system npu
set dedicated-management-cpu <enable | disable>
end
Monday, July 21, 2014
Fortinet Diagnostic WIKI
 Very useful resource for diagnostic commands.
 
http://wiki.diagnose.fortinet.com:1080/index.php/Overview
Thursday, May 15, 2014
Exporting a local certificate with private key
 If you have a local certificate on the Fortigate and the original certificate signing request (CSR) was generated on the Fortigate, then the private key resides on the Fortigate and you need to export it in order to install your signed certificate on another server.
The problem with the Fortigate certificate export feature is that it will only export the signed certificate (which you likely already have stored somewhere). The private key is stored in the configuration backup file; however, it is encrypted with an unknown password.
Luckily there is a workaround: you can unset the private key password via the CLI, then back up your configuration file, where you'll find the private key available for use.
 
config vpn certificate local
show
 
This will give you a list of the local certificates. Next, edit the desired certificate and unset the password:
 
edit testcert
unset password
end
 
Now when you back up your Fortigate configuration you’ll find the signed certificate as well as the private key.
 
Look for the following line:
 
set private-key "-----BEGIN RSA PRIVATE KEY-----
 
Copy everything between (and including)
 
-----BEGIN RSA PRIVATE KEY-----
and
-----END RSA PRIVATE KEY-----
 
into a text file. This is your private key, which can be used together with the signed certificate when importing into another server.
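As an added helper that is not part of the original post, this Python pulls the certificate and private-key PEM blocks for a named entry out of a configuration backup, so the copy-and-paste step above can be scripted. It assumes the backup layout shown in the constructed sample (config vpn certificate local / edit / set private-key / set certificate / next) and that an entry whose key is still password protected carries a "set password" line.

```python
import re

# One "edit <name> ... next" entry inside "config vpn certificate local" of a configuration backup.
ENTRY_RE = re.compile(r'^\s*edit\s+"?([^"\n]+?)"?\s*\n(.*?)^\s*next\s*$', re.M | re.S)
# A multi-line quoted PEM value such as: set private-key "-----BEGIN ...-----\n...\n-----END ...-----\n"
PEM_FIELD_RE = re.compile(r'^\s*set\s+(private-key|certificate)\s+"(-----BEGIN[^"]*?-----END[^"]*?-----)\s*"',
                          re.M | re.S)

def local_certificates(backup_text: str) -> dict:
    """Map each local certificate name to its PEM fields and whether its key is still password protected."""
    block = re.search(r'^config vpn certificate local\s*\n(.*?)^end\s*$', backup_text, re.M | re.S)
    if not block:
        return {}
    entries = {}
    for name, body in ENTRY_RE.findall(block.group(1)):
        fields = {field: pem.strip() + "\n" for field, pem in PEM_FIELD_RE.findall(body)}
        # assumption: a key that is still encrypted is accompanied by a "set password ..." line
        fields["password_set"] = re.search(r'^\s*set password\s', body, re.M) is not None
        entries[name] = fields
    return entries

def export_pair(backup_text: str, name: str) -> tuple:
    """Return (certificate_pem, private_key_pem) for one entry; refuse one whose key is still protected."""
    entry = local_certificates(backup_text).get(name)
    if entry is None:
        raise KeyError(f"no local certificate named {name!r} in the backup")
    if entry["password_set"] or "private-key" not in entry:
        raise ValueError(f"{name}: private key is not exportable; run 'unset password' and back up again")
    return entry["certificate"], entry["private-key"]

# Constructed backup excerpt with placeholder base64 (not a real key or certificate).
SAMPLE_BACKUP = """\
config vpn certificate local
    edit "Fortinet_Factory"
        set password ENC PLACEHOLDER
        set private-key "-----BEGIN RSA PRIVATE KEY-----
FACTORYKEY
-----END RSA PRIVATE KEY-----
"
    next
    edit "testcert"
        set private-key "-----BEGIN RSA PRIVATE KEY-----
TESTKEYBASE64
-----END RSA PRIVATE KEY-----
"
        set certificate "-----BEGIN CERTIFICATE-----
TESTCERTBASE64
-----END CERTIFICATE-----
"
    next
end
"""

if __name__ == "__main__":
    cert, key = export_pair(SAMPLE_BACKUP, "testcert")
    print(cert + key)
```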
 
   
("Borrowed" from http://stuff.purdon.ca/?page_id=233)

Friday, April 11, 2014
Heartbleed - Part 3
 Anyone running FortiOS 5.0 GA to 5.0.6 can protect the firewall itself by:

- limiting access to the firewall's Admin interface using "Trusted Hosts" in the Admin profiles
- configuring an interface policy as per below
config firewall interface-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set ips-sensor-status enable
        set ips-sensor "opensslheartbeat"
    next
end
  Wednesday, April 9, 2014
Heartbleed - Part 2
 Here is some more information from FortiGuard
http://www.fortiguard.com/advisory/FG-IR-14-011/
Tuesday, April 8, 2014
Exporting firewall rules to a CSV
 Sometimes it can be useful to export and analyze rules in a CSV type format. This comes in especially handy when working with long and complex firewall policies.
 
I came across the perl script below that takes firewall policies from a text file and performs the CSV conversion for you.
 
Syntax: csvparse.pl rules.txt
 
<rules.txt> should be in the following format:
 
 
  
config firewall policy
     edit 1
         set srcintf "internal"
         set dstintf "wan1"
             set srcaddr "all"
             set dstaddr "all"
         set action accept
         set schedule "always"
             set service "ANY"
         set logtraffic-app disable
         set webcache enable
         set nat enable
     next
end
 And here's the Perl script.

#!/usr/bin/perl
use strict;
use warnings;

my $output = "policies-out.csv";
my $policyid = 0;
my %policies;        # policy id -> { setting name => value }
my %seen;            # setting names already added to @order_keys
my $in_policy_block = 0;
my @order_keys;      # CSV column order: settings in the order they were first seen
my $order_key = 0;
open(OUTFILE, '>', $output) || die "Can't open file $output: $!\n";
while (<>) {
	if ($in_policy_block) {
		if (/^\s*edit\s+(\d+)/i) {
			# start of new policy
			$policyid = $1;
		} elsif (/^\s*set\s+(\S+)\s+(.*)$/i) {
			# it's a setting
			my ($key,$value) = ($1,$2);
			$value =~ tr/\"\015\012\n\r//d;
			$order_keys[$order_key++] = $key unless $seen{$key}++;
			$policies{$policyid}{$key} = $value;
		} elsif (/^\s*end/i) {
			$in_policy_block = 0;
		}
	} elsif (/^\s*config firewall policy/i) {
		$in_policy_block = 1;
	}
}
# print out our header
print OUTFILE "id";
foreach my $key (@order_keys) {
	print OUTFILE ",$key";
}
print OUTFILE "\n";
# now print out each record
foreach my $policy (sort keys %policies) {
	print OUTFILE "$policy";
	foreach my $key (@order_keys) {
		if (defined($policies{$policy}{$key})) {
			print OUTFILE ",$policies{$policy}{$key}";
		} else {
			print OUTFILE ",";
		}
	}
	print OUTFILE "\n";
}
close(OUTFILE);
 Heartbleed OpenSSL Vulnerability
 You can use the following custom IPS signature to detect and block the recently disclosed OpenSSL "Heartbleed" vulnerability.
 
 
 
F-SBID( --name "OpenSSL.TLS.Heartbeat.Information.Disclosure"; --protocol tcp; --flow from_client; --service SSL; --pattern "|18|"; --context packet; --within 1,context; --byte_test 2,>,255,2,relative; )

More information about the vulnerability can be found here:
http://heartbleed.com/
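As an added example that is not from the original post, this Python shows what the custom signature actually tests: the first byte of the client packet is the TLS heartbeat record type 0x18, and the 2-byte record length two bytes further on is greater than 255. The records it checks are constructed, well-formed heartbeat and handshake records of different sizes.

```python
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type "heartbeat": the --pattern "|18|" byte

def tls_record(content_type: int, fragment: bytes, version: int = 0x0302) -> bytes:
    """Wrap a fragment in a TLS record header: type (1 byte), version (2), length (2)."""
    return struct.pack("!BHH", content_type, version, len(fragment)) + fragment

def heartbeat_request(payload: bytes) -> bytes:
    """A well-formed HeartbeatRequest (RFC 6520): type 1, payload length, payload, 16 bytes of padding."""
    fragment = struct.pack("!BH", 1, len(payload)) + payload + b"\x00" * 16
    return tls_record(TLS_HEARTBEAT, fragment)

def signature_fires(packet: bytes) -> bool:
    """Evaluate the signature's logic on one client-to-server packet:
    --pattern "|18|" --within 1,context  : the packet's first byte is 0x18
    --byte_test 2,>,255,2,relative       : the 2-byte field 2 bytes after that match,
                                           i.e. the TLS record length, is greater than 255"""
    if len(packet) < 5 or packet[0] != TLS_HEARTBEAT:
        return False
    (record_len,) = struct.unpack("!H", packet[3:5])
    return record_len > 255

# Constructed records (not captured traffic).
SMALL_HEARTBEAT = heartbeat_request(b"ping" * 4)        # 16-byte payload -> 35-byte record
LARGE_HEARTBEAT = heartbeat_request(b"A" * 4000)        # 4000-byte payload -> 4019-byte record
LARGE_HANDSHAKE = tls_record(0x16, b"\x00" * 4000)      # large, but a handshake record, not heartbeat

if __name__ == "__main__":
    for label, pkt in [("small heartbeat", SMALL_HEARTBEAT), ("large heartbeat", LARGE_HEARTBEAT),
                       ("large handshake", LARGE_HANDSHAKE)]:
        print(f"{label:16} record length {len(pkt) - 5:5d} -> fires={signature_fires(pkt)}")
```

Because the test is on record size rather than on the heartbeat payload length field, a legitimately large heartbeat record also fires; treat a hit as a size heuristic worth investigating, not as proof of exploitation.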
Tuesday, March 18, 2014
FortiAuthenticator SCEP
 You can use SCEP to auto-enroll devices in FortiAuthenticator as well as retrieve CRLs. When configuring this on a firewall or other device the correct URL to use is:
 
http://<fortiauth IP>/cert/scep
 
I have asked the technical documentation team to add this to the FortiAuthenticator Admin Guide.
Friday, March 14, 2014
Logging DNS Requests
 When inspecting DNS traffic it can be useful to log the domain names that are part of the DNS request. In order to accomplish this you can use a custom IPS signature:
 
  
IPS Custom Signature: F-SBID( --attack_id 4153; --name DOM-ALL; --protocol udp; --service dns; --log DNS_QUERY;)

The signature below allows you to search for and prevent DNS lookups for a specified domain, in this example xyz.com.

(Thanks C.R)
  Wednesday, March 5, 2014
Deleting VDOMs
 VDOMs have quite a number of dependencies that need to be deleted before you can get rid of the VDOM itself. Below is a useful little script that goes through all the sections and purges them so the VDOM can be deleted. Adjust it as needed.
 
## This script needs to be run interactively. In other words you cannot copy and paste the whole script. You have to acknowledge each purge command.
## Purge all VDOM specific configuration
 
 
config vdom
edit <vdomname>
config firewall policy
purge
end
config firewall policy6
purge
end
config firewall vipgrp
purge
end
config firewall vip
purge
end
config firewall addrgrp
purge
end
config firewall address
purge
end
config router static
purge
end
end
 
## Assign any interfaces used by the VDOM back to ROOT
 
config global
config system interface
edit <interface name>
set vdom root
end
end
 
## Delete any VDOM Links
 
config global
config system vdom-link
delete <vdom link name>
end
end
 
## Make sure all admins are assigned to the root VDOM
 
config global
config system admin
edit <admin-name>
set vdom root
end
end
 
config vdom
delete <vdomname>
end
Thursday, February 27, 2014
Replacing firewall hardware which is logging to a FortiAnalyzer
 When you replace firewall hardware that's reporting into a FortiAnalyzer due to an RMA or other failure it's important to make sure you update FortiAnalyzer with the new serial number of the device. Use the following command on the FAZ:
 
execute device replace <old serial number> <name> <new serial number>
Thursday, February 20, 2014
IP Address Management
 I have to admit I'm pretty spoiled when it comes to IPAM. In my previous role I was working with Bluecat Address Manager and loved it. Probably the best purchase order we ever issued :)
 
For my lab setup I didn't want to drop $30k so I set out looking for a free and open source IPAM tool. My former tool of choice was IPPlan. This hasn't been updated in several years though and IPv6 support is pretty basic.
 
So over the last few days I have been testing PHPIpam and I have to say I'm very impressed. Not only does it have a really "sexy" web interface but functionally it is very, very close to what I'm used to from Bluecat.
 
There is an online demo available here.
http://demo.phpipam.net/login/
 
  
Friday, February 14, 2014
UTM logging in FortiOS 4.3.7 and 5.x
 Significant changes have been made to optimize logging in FortiOS.
Check out this Knowledgebase article for some very useful info.
 
http://kb.fortinet.com/kb/viewAttachment.do?attachID=FortiOS-v4%200-MR3-Logging-Optimization.pdf&documentID=FD33590
Thursday, February 13, 2014
FortiClient mass rollout - Heads up
 If you are deploying FortiClient for a large number of users, chances are you'll probably create a master build and image that to the drives you are installing in your machines.
One of the things to keep in mind is that when you install FortiClient it creates a unique UID.
 
So before you start copying your master build, follow these steps to remove the unique UID. Each individual machine will create a new UID on first use if one doesn't already exist.
 
To include a FortiClient installation in a hard disk image
 
- Download the FortiClient tools from the Fortinet Support Site. The tools are located in the same folder as the FortiClient installer files.
- Using an MSI FortiClient installer, install and configure the FortiClient application to suit your requirements. You can use a standard or a customized installation package.
- Right-click the FortiClient icon in the system tray and select Shutdown FortiClient.
- From the folder where you expanded the FortiClientTools.zip file, run RemoveFCTID.exe. The RemoveFCTID tool requires administrative rights.
- Shut down the computer.
IMPORTANT! Do not reboot the Windows operating system on the computer before you create the hard disk image. The FortiClient identifier is created before you log on.
- Create the hard disk image and deploy it as needed.
Wednesday, February 12, 2014
Site-to-Site VPN performance issues
 If you are experiencing poor performance across your site-to-site VPNs on FortiOS 5.0.5 try disabling NPU acceleration for that particular tunnel:
  
 
config vpn ipsec phase1-interface
edit <vpn name>
set npu-offload disable
end
Monday, February 10, 2014
Strange Bird Phenomenon
 Birds all around the world have been spotted flying perfectly fine then diving straight into the ground. One of my customers found the culprit.
  
   
 
   Nom nom nom 