Wednesday, September 2, 2020

FortiClient EMS Cloud Login Problem - Solved

 I noticed today that when you logout from your cloud based FortiClient EMS instance and then try to login again you receive the following error message in Firefox:

{"result": {"retval": 0, "message": "Local signin is not available in EMS Cloud"}} 

 It appears to be a cookie related issue in Firefox. When I delete any cookies in the browser referencing "forticlient" I am able to login normally.
Also, this appears to be limited to Firefox as Chrome works fine, even without messing with the cookies.

Thursday, August 23, 2018

Beware - Upgrade to FortiOS 5.6.3+ with IPSec VPNs

If you are upgrading from version 5.4.5, 5.4.6, or 5.4.7 to FortiOS 5.6.3, the IPsec phase1 psksecret setting might be lost. To avoid this, upgrade to FortiOS 5.6.2 and then to 5.6.3. If the psksecret setting is lost, you will need to reconfigure it after upgrading.

Even if you have saved configs you will need to reset the passwords since FortiOS 5.6.3 will not allow you to paste the encrypted passwords from 5.4.x versions.

Ironically Fortinet on their Support site states that the "recommended" upgrade path is from 5.4.5 directly to 5.6.3 - see screenshot below.

Thursday, December 29, 2016

Cisco ASA to Fortigate conversion

I'm getting ready to migrate a number of Cisco ASA firewalls to Fortigate.
Fortinet sells a ~$4000 license for their FortiConverter which I didn't want to spend.

My goal was to automate the conversion of objects which will save time and virtually eliminate the possibility of typos.

The below perl script is what I came up with.

-Syntax: "perl <ASA config file name>" (e.g. "perl")
-Script converts hosts, networks and ip ranges
-Script does NOT convert or create group objects (someone want to add that for me?)

Once run all that's left to do is remove all the miscellaneous Cisco commands, import the config (via GUI or CLI) and within a couple of minutes you have all the objects ready for use in creating policies.

Happy New Year :)


# Requires Net::Netmask module

use strict;
use warnings;
use Net::Netmask;

$^I = '.bak'; # create a backup copy

BEGIN {undef $/;}

while (<>) {
# match host objects in groups
   s/network\-object host ((?:\d{1,3}\.){3}\d{1,3})/config firewall address\redit h-$1\rset subnet $1\rnext\rend/g; # do the replacement

# match network objects in groups
   s/network\-object ((?:\d{1,3}\.){3}\d{1,3})\s(.*)/"config firewall address\redit n-$1\/".Net::Netmask->new("", $2)->bits."\rset subnet $1 $2\rnext\rend"/ge;

# match host objects with descriptions
   s/object network.*\s*host ((?:\d{1,3}\.){3}\d{1,3})\s*description\s(.*)/config firewall address\redit h-$1\rset comment $2\rset subnet $1\rnext\rend/g;

# match host objects without descriptions
   s/object network.*\s*host ((?:\d{1,3}\.){3}\d{1,3})/config firewall address\redit h-$1\rset subnet $1\rnext\rend/g;

# match subnet objects with descriptions
   s/object network.*\s*subnet ((?:\d{1,3}\.){3}\d{1,3})\W(.*)\s*description\s(.*)/"config firewall address\redit n-$1\/".Net::Netmask->new("", $2)->bits."\rset comment $3\rset subnet $1 $2\rnext\rend"/ge;

# match subnet objects without descriptions
   s/object network.*\s*subnet ((?:\d{1,3}\.){3}\d{1,3})\W(.*)/"config firewall address\redit n-$1\/".Net::Netmask->new("", $2)->bits."\rset subnet $1 $2\rnext\rend"/ge;

# match range objects with descriptions  
   s/object network\s.*\s*range ((?:\d{1,3}\.){3}\d{1,3})\W(.*)\s*description\s(.*)/config firewall address\redit r-$1-$2\rset comment $3\rset type iprange\rset start-ip $1\rset end-ip $2\rnext\rend/g;

# match range objects without descriptions
   s/object network.*\s*range ((?:\d{1,3}\.){3}\d{1,3})\s(.*)/config firewall address\redit r-$1-$2\rset type iprange\rset start-ip $1\rset end-ip $2\rnext\rend/g;

# remove leftover network group names with descriptions

# remove leftover network group names without descriptions

# remove references to existing network objects
   s/network-object object.*//g;

 print; # print to the modified file

How-to: Automatically revert a config on a FortiGate

There's nothing worse than remotely configuring a firewall and then loosing access once you've made your changes. Having a failsafe mechanism in place to revert to a previous config automatically will help you minimise potential issues and save you alot of stress! Luckily FortiOS gives you a few options on how to save your running config which we'll discuss below.

We'll go through each of the three options available. Each one is configured via the CLI.
  1. Automatic
  2. Manual
  3. Revert

1. Automatic

This is the default setting. The FortiGate will automatically save it's running config to the start-up config every time you make a change by typing 'end' in the CLI or clicking Ok/Apply in the GUI.

config system global
set cfg-save automatic

2. Manual

In Manual mode, your changes will take effect immediately (saved to the running config) but will be lost on a reboot unless a special save command is given (the running config will then be saved to the startup config).

config system global
set cfg-save manual

To save your changes to the startup config use the following command:

execute cfg save

3. Revert

Revert mode will start a countdown timer as soon as you've made a change. If you don't save the config before the countdown timer has ended then the unit will automatically reboot and load the startup config (ie: all your changes will be lost).

This is perfect if you're doing remote administration. If you make a change that locks you out, just wait until the timer has restarted then the firewall will reboot with your previous config.

config system global
set cfg-save revert
set cfg-revert-timeout 300

The cfg-revert-timeout variable is the countdown timer in seconds. The default is 600 seconds (10 minutes).

To save your changes to the startup config use the following command:

execute cfg save

One word of warning: You will not see any countdown timers via SSH/Telnet or the WebGUI. You can only see these timers if you've connected to the device via console. The countdown starts warning you from 10 seconds, so you need to be quick!

(credit: Al's Tech Corner)