Thursday, February 27, 2014

Replacing firewall hardware which is logging to a FortiAnalyzer

When you replace firewall hardware that's reporting into a FortiAnalyzer, whether due to an RMA or another failure, it's important to update FortiAnalyzer with the new serial number of the device. Use the following command on the FAZ:

execute device replace <old serial number> <name> <new serial number>

Thursday, February 20, 2014

IP Address Management

I have to admit I'm pretty spoiled when it comes to IPAM. In my previous role I was working with Bluecat Address Manager and loved it. Probably the best purchase order we ever issued :)

For my lab setup I didn't want to drop $30k so I set out looking for a free and open source IPAM tool. My former tool of choice was IPPlan. This hasn't been updated in several years though and IPv6 support is pretty basic.

So over the last few days I have been testing phpIPAM and I have to say I'm very impressed. Not only does it have a really "sexy" web interface, but functionally it is very, very close to what I'm used to from Bluecat.

There is an online demo available here.
http://demo.phpipam.net/login/

Friday, February 14, 2014

Thursday, February 13, 2014

FortiClient mass rollout - Heads up

If you are deploying FortiClient for a large number of users, chances are you'll probably create a master build and image that to the drives you are installing in your machines.
One of the things to keep in mind is that when you install FortiClient it creates a unique UID.

So before you start copying your master build, follow these steps to remove the unique UID. Each individual machine will create a new UID on first use if one doesn't already exist.

To include a FortiClient installation in a hard disk image
  • Download the FortiClient tools from the Fortinet Support Site. The tools are located in the same folder as the FortiClient installer files.
  • Using an MSI FortiClient installer, install and configure the FortiClient application to suit your requirements. You can use a standard or a customized installation package.
  • Right-click the FortiClient icon in the system tray and select Shutdown FortiClient.
  • From the folder where you expanded the FortiClientTools.zip file, run RemoveFCTID.exe. The RemoveFCTID tool requires administrative rights.
  • Shut down the computer.

IMPORTANT! Do not reboot the Windows operating system on the computer before you create the hard disk image. The FortiClient identifier is created before you log on.

  • Create the hard disk image and deploy it as needed.
 

Wednesday, February 12, 2014

Site-to-Site VPN performance issues

If you are experiencing poor performance across your site-to-site VPNs on FortiOS 5.0.5, try disabling NPU acceleration for that particular tunnel:

config vpn ipsec phase1-interface
edit <vpn name>
set npu-offload disable
end

Monday, February 10, 2014

Strange Bird Phenomenon

Birds all around the world have been spotted flying perfectly fine then diving straight into the ground. One of my customers found the culprit.


Nom nom nom

Friday, February 7, 2014

How to revert to previous FortiGate configuration with FortiManager

In FortiManager 4.3 and 5.x, reverting a firewall to a previous configuration file is supported, but it's not entirely obvious how to do it. The linked PDF from the Fortinet Knowledgebase has a step-by-step walkthrough.

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD34123&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=59407167&stateId=0%200%2059405428

GUI Options in FortiManager 5.x - Where's Waldo?

In FortiManager 5.x a number of features, the Web Filter Profile for example, are disabled in the GUI by default to reduce clutter.
To enable these features in the GUI, head to the "Policy & Objects" tab and click the "Display Options" icon.
In the newly released FortiManager 5.0.6 the button is now labeled, but in versions 5.0.5 and prior it's a little less obvious.

Wednesday, February 5, 2014

FortiOS Cross Site Scripting Vulnerability

FortiOS versions 5.0.5 and below are vulnerable to a Cross Site Scripting attack. In reality this is extremely hard to exploit. This issue has been resolved in FortiOS 5.0.6 and above.

Here is more info:
http://www.fortiguard.com/advisory/FG-IR-14-003/