A real world resource for Fortinet firewalls including How-Tos and Frequently Asked Questions
Thursday, September 25, 2014
Bash Vulnerability Signatures
The newly announced Bash vulnerability, better known as Shellshock, is documented in CVE-2014-6271.
Here are custom IPS signatures for immediate manual deployment. Fortinet has already written
an official IPS signature, Bash.Function.Definitions.Remote.Code.Execution, which will be released in the next few hours once it has passed QA testing.
Fortigate firewalls do NOT use Bash and are not themselves vulnerable to this exploit. The rules below inspect HTTP requests coming from clients and can be used to filter traffic destined for web servers protected by the firewall: add them as custom signatures to an IPS sensor applied to the policies that front those servers, and replace them with the official signature once it is available. The first three rules look for the function-definition prefix `() { ` in the URI, the headers and the body respectively; the fourth looks only for the canonical `() { :; };` payload in the Cookie, Host or Referer header.
F-SBID( --name "Bash.Code.Execution.Custom1"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context uri; --pcre "/[=?&\x2f]\s*?\x28\x29\x20\x7b\x20/"; --context uri ; )
F-SBID( --name "Bash.Code.Execution.Custom2"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context header;)
F-SBID( --name "Bash.Code.Execution.Custom3"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context body; --pcre "/(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20/"; --context body ; )
F-SBID( --name "Bash.Code.Execution.Custom4"; --protocol tcp; --service HTTP; --flow from_client; --pattern "()"; --context header; --pattern ":|3b|"; --context header; --within 8; --pattern "}"; --context header; --within 8; --pcre "/(Cookie|Host|Referer):\s*\(\)\s*\{\s*:\x3b\s*\}\s*\x3b/i"; --context header; --distance -32; --within 128; )
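Before pushing custom signatures to a production sensor it is worth checking what they actually match. As an added example (not from the original post and not Fortinet code), the following Python translates the pcre bodies of the four rules into regular expressions and runs them over constructed HTTP requests. The request parser, the sample requests and the decision to also percent-decode the request target before applying the Custom1 pattern are assumptions of this example, not behaviour stated on the page:

```python
import re
from urllib.parse import unquote_to_bytes

# The four custom signatures from the post, translated to Python regexes.
# The pcre bodies are copied from the F-SBID rules; \x28\x29\x20\x7b\x20 is "() { ".
# Custom1: "() { " following =, ?, & or / anywhere in the request URI.
SIG_URI = re.compile(rb"[=?&/]\s*?\(\) \{ ")
# Custom2: the literal "() { " anywhere in the request headers (the rule has no pcre).
SIG_HEADER_ANY = re.compile(rb"\(\) \{ ")
# Custom3: "() { " at the start of the body or following =, ? or &.
SIG_BODY = re.compile(rb"(?:^|[=?&])\s*?\(\) \{ ")
# Custom4: the canonical "() { :; };" definition in a Cookie, Host or Referer header.
SIG_HEADER_CANON = re.compile(
    rb"(Cookie|Host|Referer):\s*\(\)\s*\{\s*:;\s*\}\s*;", re.IGNORECASE)


def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request-target, header block, body).

    The request-target is the second token of the request line; the header
    block is everything up to the blank line; the body is what follows it.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    target = parts[1] if len(parts) >= 2 else b""
    headers = b"\r\n".join(lines[1:])
    return target, headers, body


def match_shellshock(raw: bytes) -> list:
    """Return the names of the custom signatures that would fire on one request."""
    target, headers, body = split_request(raw)
    hits = []
    # Assumption: the URI is checked both raw and percent-decoded, because the
    # space and brace characters of the payload must be encoded to appear in a
    # request-target. Whether the IPS engine's uri context decodes the same way
    # is not stated in the post.
    uri_views = (target, unquote_to_bytes(target))
    if any(SIG_URI.search(view) for view in uri_views):
        hits.append("Bash.Code.Execution.Custom1")
    if SIG_HEADER_ANY.search(headers):
        hits.append("Bash.Code.Execution.Custom2")
    if SIG_BODY.search(body):
        hits.append("Bash.Code.Execution.Custom3")
    if SIG_HEADER_CANON.search(headers):
        hits.append("Bash.Code.Execution.Custom4")
    return hits


# Constructed sample requests (not captured traffic); www.example.com is a placeholder.
UA_PAYLOAD = (
    b"GET /cgi-bin/status HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: () { :; }; /bin/bash -c \"id\"\r\n\r\n"
)
COOKIE_PAYLOAD = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: () { :; }; echo vulnerable\r\n\r\n"
)
URI_PAYLOAD = (
    b"GET /cgi-bin/test?arg=()%20{%20:;%20};%20id HTTP/1.1\r\n"
    b"Host: www.example.com\r\n\r\n"
)
BODY_PAYLOAD = (
    b"POST /cgi-bin/form HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"name=() { :; }; /bin/bash -c \"cat /etc/passwd\""
)
BENIGN = (
    b"GET /search?q=bash+functions HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: session=abc123\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in [("User-Agent", UA_PAYLOAD), ("Cookie", COOKIE_PAYLOAD),
                       ("URI", URI_PAYLOAD), ("body", BODY_PAYLOAD), ("benign", BENIGN)]:
        print(f"{label:10s} -> {match_shellshock(req)}")
```

Running it shows the overlap and the gaps between the rules: the common User-Agent payload is caught by Custom2 only, a Cookie payload by both Custom2 and Custom4, and the URI and body variants by Custom1 and Custom3 respectively. All four rules key on the literal bytes `() { ` with a trailing space, so any variant that omits that space would have to be tested separately before relying on them.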
Monday, September 15, 2014
Switching interface modes
By default smaller Fortigate units such as the 60D or 90D series combine their internal ports into a single virtual switch, i.e. one "internal" interface and one broadcast domain. A configuration change puts each port into its own broadcast domain so that it can be configured as an independent interface, which is useful for example if you want several separate VLAN trunk ports.
The firewalls also ship with a basic configuration that references that switch interface: a policy that permits and NATs outbound traffic, and a DHCP server on the internal network. Both must be purged before the switch mode can be changed, and the change itself reboots the unit, so plan for an outage (preferably with console access) and be ready to recreate the policy and DHCP server on the new interfaces afterwards.
#config firewall policy
#purge
This operation will clear all table!
Do you want to continue? (y/n) y
#end
#config system dhcp server
#purge
This operation will clear all table!
Do you want to continue? (y/n) y
#end
#config system global
#set internal-switch-mode interface
#end
Changing switch mode will reboot the system!
Do you want to continue? (y/n) y
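After the reboot the former switch ports show up as separate interfaces and the purged outbound policy is gone. As an added example (not from the original post), the following CLI fragment assumes FortiOS 5.x, a port named internal1 and a WAN interface named wan1, and shows a VLAN sub-interface on the now-independent port plus a replacement outbound NAT policy for it; the interface names, VLAN ID and addresses are placeholders to adjust for your unit:

```text
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "internal1"
        set vlanid 10
        set ip 10.0.10.1 255.255.255.0
        set allowaccess ping
    next
end
config firewall policy
    edit 1
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Repeat the interface block with a different vlanid for each VLAN carried on the trunk, and keep the policy as narrow as the traffic actually requires rather than leaving it at "ALL".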