Saturday, April 22, 2017

F5 no-handler tmm traffic

The F5 TMM (Traffic Management Microkernel) is the heart of traffic processing on the F5 LTM load balancer.

In our example the TMM traffic statistics show, under the "Errors" field, a "No Handler" counter that keeps incrementing.

See the following snapshot and the highlighted area (arrow).

From the web GUI you have something similar:





This is not an error per se. When the TMM tries to process a traffic flow for packets it has no reference for (no virtual server, listener or self IP claims that destination), this counter increments.

This can be caused by numerous conditions:

    a static ARP entry pointing an address at the LTM that is not bound on the LTM
    inbound traffic for a service port that is not configured
    traffic for a virtual server that does not exist on the LTM
    etc.

Speaking with an F5 support engineer, we did not find any quick means of monitoring the specific traffic that triggers this counter, but you can lab it up: add a static ARP entry on an upstream host so that a destination IP resolves to the LTM, send requests to that IP (one that no virtual server or self IP on the LTM references), and you will see the counter increment per request. A tcpdump on the LTM filtered on that destination confirms the packets arriving while the counter climbs.
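
To see which TMM the no-handler hits land on, and how fast they grow, you can diff two snapshots of `tmsh show sys tmm-traffic` taken before and after the test traffic. The Python below is an added example (not from the original post or from F5); the two snapshots are constructed and only approximate the shape of the real output (a `Sys::TMM: N.M` header per TMM and a `No Handler` line under Errors), so adjust the regexes if your version labels the counter differently.

```python
import re

# Constructed snapshots that mimic the shape of `tmsh show sys tmm-traffic`
# (one block per TMM, with a "No Handler" counter under Errors). The layout
# and column widths are approximated from the real command, not copied from it.
SNAPSHOT_BEFORE = """\
------------------------------------------------
Sys::TMM: 0.0
------------------------------------------------
Errors
  Maintenance mode                          0
  No Handler                               40
  Drops                                     3
------------------------------------------------
Sys::TMM: 0.1
------------------------------------------------
Errors
  Maintenance mode                          0
  No Handler                               12
  Drops                                     0
"""

SNAPSHOT_AFTER = """\
------------------------------------------------
Sys::TMM: 0.0
------------------------------------------------
Errors
  Maintenance mode                          0
  No Handler                               40
  Drops                                     3
------------------------------------------------
Sys::TMM: 0.1
------------------------------------------------
Errors
  Maintenance mode                          0
  No Handler                               37
  Drops                                     0
"""

TMM_HEADER = re.compile(r"^Sys::TMM:\s*(\S+)", re.M)
# Tolerate "No Handler", "no-handler" or "No_Handler" spellings.
NO_HANDLER = re.compile(r"^\s*No[\s_-]*Handler\s+(\d+)\s*$", re.M | re.I)


def parse_no_handler(snapshot):
    """Return {tmm_id: no_handler_count} from one tmm-traffic snapshot."""
    counts = {}
    headers = list(TMM_HEADER.finditer(snapshot))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(snapshot)
        block = snapshot[h.end():end]
        m = NO_HANDLER.search(block)
        if m:
            counts[h.group(1)] = int(m.group(1))
    return counts


def no_handler_delta(before, after):
    """Per-TMM growth of the No Handler counter between two snapshots."""
    b, a = parse_no_handler(before), parse_no_handler(after)
    return {tmm: a[tmm] - b.get(tmm, 0) for tmm in a}


def busy_tmms(before, after, threshold=1):
    """TMM ids whose No Handler counter grew by at least `threshold`."""
    return sorted(t for t, d in no_handler_delta(before, after).items() if d >= threshold)


if __name__ == "__main__":
    for tmm, delta in sorted(no_handler_delta(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items()):
        print(f"tmm {tmm}: +{delta} no-handler")
```

Take the first snapshot, send the static-ARP test traffic, take the second, and the per-TMM delta tells you which TMM is absorbing it; pair that with the tcpdump mentioned above to confirm the packets being counted are yours.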


Ken




NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

Saturday, April 15, 2017

F5 any6 and APM connections, and other tips

In this post we will look at the connection table on an F5 that acts as a VPN gateway using an APM policy.

The connection table is a great way to find any6 entries and see who/what is connecting to the F5. It also shows connections that have not been decided on yet (no server-side selection has been made) and which TMM owns each connection.

e.g. (a typical F5 connection table output)

show sys connection | grep any6

10.75.2.69:56138     198.209.23.11:443      any6.any             any6.any              tcp   48    (tmm: 1)  none
23.115.26.28:61190   198.209.23.11:443      any6.any             any6.any              tcp   1     (tmm: 1)  none
69.132.155.53:53284  198.209.23.11:443      any6.any             any6.any              tcp   0     (tmm: 1)  none
174.193.128.25:9744  198.209.23.11:443      any6.any             any6.any              tcp   59    (tmm: 1)  none
98.216.118.29:62514  198.209.23.11:443      any6.any             any6.any              tcp   5     (tmm: 1)  none
108.26.230.54:61928  198.209.23.11:443      any6.any             any6.any              tcp   0     (tmm: 1)  none

The above output shows numerous connections listed as "any6.any" on the server side, and they are all TCP.

You could get creative and do a GeoIP lookup using MaxMind or the unix geoip-bin package, and look at location and client type for trending.

e.g. ISP name, continent, country, etc.






So, armed with GeoIP database details, you could now investigate as a security analyst whether these addresses are reputationally bad or known bots or C&Cs, etc.


Keep in mind that connections that are not yet authenticated or have no final disposition can sit in the any6.any state; it is not always a sign of something "bad".

NOTE: these connections also show up under "No Handler" in the `show sys tmm-traffic` details if they are actually dropped.
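
One way to turn that connection-table output into something a security analyst can act on, as an added example that is not part of the original post: the Python below parses lines in the same column layout as above (a constructed sample, with one fully proxied connection added for contrast), separates the undecided any6.any entries, ranks client IPs, emits a de-duplicated list to feed to geoiplookup or a reputation API, and checks them against a constructed watchlist of networks. The idle-seconds meaning of the numeric column and the IPv4-only address syntax are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the column layout of the post's `show sys connection` output:
# client-side src and dst, server-side src and dst, protocol, idle time (assumed to be
# seconds), owning TMM, trailing flag column. The last line is a decided connection.
SAMPLE_CONNECTIONS = """\
10.75.2.69:56138     198.209.23.11:443      any6.any             any6.any              tcp   48    (tmm: 1)  none
23.115.26.28:61190   198.209.23.11:443      any6.any             any6.any              tcp   1     (tmm: 1)  none
23.115.26.28:61191   198.209.23.11:443      any6.any             any6.any              tcp   0     (tmm: 0)  none
98.216.118.29:62514  198.209.23.11:443      any6.any             any6.any              tcp   5     (tmm: 1)  none
10.75.2.70:40001     198.209.23.11:443      10.75.2.70:40001     192.0.2.10:443        tcp   3     (tmm: 0)  none
"""

# Constructed watchlist standing in for a reputation feed or GeoIP-derived block list.
WATCHLIST = ["98.216.118.0/24", "203.0.113.0/24"]

# IPv4 "addr:port" columns only; F5 prints IPv6 endpoints with a '.' port separator,
# which this pattern does not handle.
CONN_RE = re.compile(
    r"^(?P<csrc>\S+):(?P<csport>\d+)\s+(?P<cdst>\S+):(?P<cdport>\d+)\s+"
    r"(?P<ssrc>\S+)\s+(?P<sdst>\S+)\s+(?P<proto>\w+)\s+(?P<idle>\d+)\s+"
    r"\(tmm:\s*(?P<tmm>\d+)\)"
)


def parse_connections(text):
    """Parse connection-table lines into dicts; lines that do not fit are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("csport", "cdport", "idle", "tmm"):
            d[key] = int(d[key])
        conns.append(d)
    return conns


def undecided(conns):
    """Connections with no server-side selection yet (any6.any on the server side)."""
    return [c for c in conns if c["sdst"] == "any6.any"]


def top_clients(conns, n=5):
    """Client IPs with the most undecided connections, for GeoIP / reputation triage."""
    return Counter(c["csrc"] for c in undecided(conns)).most_common(n)


def unique_clients(conns):
    """Sorted unique client IPs of undecided connections, one per line for geoiplookup."""
    return sorted({c["csrc"] for c in undecided(conns)}, key=ipaddress.ip_address)


def flag_watchlist(conns, watchlist=WATCHLIST):
    """Client IPs of undecided connections that fall inside a watchlisted network."""
    nets = [ipaddress.ip_network(w) for w in watchlist]
    return {
        c["csrc"]
        for c in undecided(conns)
        if any(ipaddress.ip_address(c["csrc"]) in n for n in nets)
    }


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_CONNECTIONS)
    print(f"{len(undecided(conns))} of {len(conns)} connections are any6.any")
    for ip, count in top_clients(conns):
        print(f"{ip:16} {count}")
    print("watchlist hits:", sorted(flag_watchlist(conns)))
```

Pipe `tmsh show sys connection` into it instead of the constructed sample; the ranking is what tells a single noisy client apart from a normal population of users who simply have not authenticated yet.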


Finally, within the APM sessions, until a user has started the authentication process you will not know the "username", for obvious reasons.

Examples (unknown username, with and without geo-info):







 Ken Felix



Thursday, April 6, 2017

BIG-IP cookie decode available as a Chrome extension

To persist HTTP sessions to the same pool member, a persistence cookie is typically set in the HTTP response from server to client via a Set-Cookie header.



e.g. (a typical encrypted cookie)

Set-Cookie: pSocl=!UST2rduOVFooxhc5HPwDsEGFTpBTV2uQlX8cNvAz4fXrXYow5ViH/BsvUy+25R/9oxlME0KP9bSc; path=/




This value is encrypted according to the cookie persistence profile and passphrase applied to the F5 virtual server, or via an iRule.

You can use the unix command curl with verbose output (curl -v) and check whether the "Set-Cookie:" value is encrypted, or, in Chrome, there is a simple extension that can be used from the browser.

e.g




Running the extension from the toolbar: if your cookie details are not encrypted, you get the pool member address and port details.

If it is encrypted, you get nothing useful back ("nah nah nah nah").

(encrypted cookies)

(not encrypted)






Yes, it is that simple to check whether a cookie is encrypted or not via the Chrome extension. An unencrypted persistence cookie hands the internal pool member address and port to every client, which is exactly why the cookie encryption option exists.
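
What the extension actually does, as an added example that is not from the original post or from the extension's own code: the default (unencrypted) BIG-IP persistence cookie encodes the pool member reversibly, so anyone holding the cookie can recover the internal address and port. The Python below decodes the IPv4 layout (IP as a little-endian decimal, port with its bytes swapped), the `vi` IPv6 layout and the `rd<N>o...o<port>` route-domain layout, and returns None for anything else, which is what you get for the encrypted `pSocl` value above. The cookie name `BIGipServerpool` and the sample values are illustrative.

```python
import ipaddress
import re

# Value layouts of the default, unencrypted BIG-IP persistence cookie:
#   IPv4:          <ipv4 as little-endian decimal>.<port, bytes swapped, decimal>.0000
#   IPv6:          vi<ipv6 as 32 hex digits>.<port, bytes swapped, decimal>
#   route domain:  rd<rd>o<ipv6 or IPv4-mapped ipv6 as 32 hex digits>o<port decimal>
IPV4_RE = re.compile(r"^(\d+)\.(\d+)\.0000$")
IPV6_RE = re.compile(r"^vi([0-9a-fA-F]{32})\.(\d+)$")
RD_RE = re.compile(r"^rd(\d+)o([0-9a-fA-F]{32})o(\d+)$")


def _swap16(n):
    """Undo the byte swap applied to the 16-bit port number."""
    return ((n & 0xFF) << 8) | ((n >> 8) & 0xFF)


def decode_cookie_value(value):
    """Return {'ip', 'port', 'route_domain'} for a cleartext persistence value,
    or None if it is encrypted (or in a layout this decoder does not handle)."""
    m = IPV4_RE.match(value)
    if m:
        raw_ip, raw_port = int(m.group(1)), int(m.group(2))
        if raw_ip > 0xFFFFFFFF or raw_port > 0xFFFF:
            return None
        ip = ipaddress.IPv4Address(raw_ip.to_bytes(4, "little"))
        return {"ip": str(ip), "port": _swap16(raw_port), "route_domain": None}
    m = IPV6_RE.match(value)
    if m:
        raw_port = int(m.group(2))
        if raw_port > 0xFFFF:
            return None
        ip = ipaddress.IPv6Address(bytes.fromhex(m.group(1)))
        return {"ip": str(ip), "port": _swap16(raw_port), "route_domain": None}
    m = RD_RE.match(value)
    if m:
        ip = ipaddress.IPv6Address(bytes.fromhex(m.group(2)))
        ip = ip.ipv4_mapped or ip  # ::ffff:a.b.c.d means an IPv4 member
        return {"ip": str(ip), "port": int(m.group(3)), "route_domain": int(m.group(1))}
    return None


def decode_set_cookie(header):
    """Parse a raw 'Set-Cookie: name=value; attrs' line into (name, decoded-or-None)."""
    body = re.sub(r"^Set-Cookie:\s*", "", header.strip(), flags=re.I)
    name, _, rest = body.partition("=")
    value = rest.split(";", 1)[0].strip()
    return name.strip(), decode_cookie_value(value)


def audit(headers):
    """Classify each Set-Cookie header: 'cleartext' leaks a pool member, 'opaque' does not."""
    report = []
    for h in headers:
        name, decoded = decode_set_cookie(h)
        report.append((name, "cleartext" if decoded else "opaque", decoded))
    return report


if __name__ == "__main__":
    # Illustrative headers: one cleartext cookie, one the encrypted value from the post.
    for row in audit([
        "Set-Cookie: BIGipServerpool=1677787402.36895.0000; path=/",
        "Set-Cookie: pSocl=!UST2rduOVFooxhc5HPwDsEGFTpBTV2uQlX8cNvAz4fXrXYow5ViH/BsvUy+25R/9oxlME0KP9bSc; path=/",
    ]):
        print(row)
```

Run it over the Set-Cookie headers from `curl -v`; any header classified as cleartext is leaking a pool member and that virtual server's persistence profile should be switched to cookie encryption.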


Ken  Felix





Tuesday, March 28, 2017

FortiMail recipient verification using JumpCloud LDAP

In this last post of the series of working examples using the JumpCloud LDAP-as-a-Service, I will demonstrate a Fortinet Email Security Appliance (FortiMail) verifying recipient email addresses.

An inbound email names its recipient in the SMTP RCPT TO: command; when that address is in the protected email domain, it is the address we will verify.

This is common practice for ESAs and email gateways: reject mail for users that do not exist in the protected domain, which eliminates a large slice of spam before it reaches the mail store. Ideally the rejection happens during the SMTP transaction itself, so the appliance never has to accept the message and then generate a bounce of its own.

Just like in my earlier blog posts, the JumpCloud LDAP-aaS can be used with these appliances to verify the recipient address. The steps are outlined below, with diagrams of possible deployment solutions.

1st, create an LDAP profile as shown in one of my earlier blog postings:

http://socpuppet.blogspot.com/2017/03/jumpcloud-ldap-aas-with-fortimail.html

Check there for an example of the JumpCloud bind DN and base DN.



2nd, apply the named LDAP profile to the protected email domain:

Mail Settings > Domains > LDAP User Profile







3rd, VERY VERY IMPORTANT: apply a recipient policy and select your LDAP profile under

Policy > Recipient




Keep in mind that recipient policies are central to FortiMail mail processing, so be careful of the pecking order. Move and re-order the policies as required.

Send a test email. In my case the address ldap2@socpuppets.com is not a local mailbox on the FortiMail (acting as a mail server), so it was bounced.





LOGS:








First match wins. So, as in a firewall policy, put the most specific entries first.

e.g. top-to-bottom ordering:

   RCP-policy 111  info@socpuppets.com           { no verification }
   RCP-policy 12   *@socpuppets.com              { verification via the LDAP profile, with JumpCloud }
   RCP-policy 18   googleblogger@socpuppets.com  { no verification }

The last policy will never match, because the "*" wildcard policy precedes it. The order of the policies in the list, regardless of their assigned ID numbers, is what matters, so it is very, very important!

And my final tip: always review the logs on the FortiMail ESA. If you have any matches, the event logs will show the policy ID for that match and the disposition.


A recipient that cannot be verified gets a bounce and no delivery to any inside Exchange servers.
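
To make the pecking-order pitfall concrete, here is an added Python model of the recipient-policy walk (not FortiMail code, and not from the original post): it evaluates the three policies above top to bottom, first match wins, and for a policy flagged for verification it checks the recipient against a constructed stand-in for the LDAP directory. A shadowing check reports policies that can never fire.

```python
import fnmatch

# Constructed stand-in for the directory the LDAP profile would query (JumpCloud
# in the post). Only these addresses "exist" in the protected domain.
DIRECTORY = {"info@socpuppets.com", "jump01@socpuppets.com"}

# Ordered recipient policies as FortiMail walks them: top to bottom, first match wins.
# Tuples are (policy id, recipient pattern, verify recipient via LDAP?); the ids and
# patterns are the ones from the post.
POLICIES = [
    (111, "info@socpuppets.com", False),
    (12, "*@socpuppets.com", True),
    (18, "googleblogger@socpuppets.com", False),
]


def match_policy(recipient, policies=POLICIES):
    """Return (policy id, verify flag) of the first policy whose pattern matches."""
    rcpt = recipient.lower()
    for pid, pattern, verify in policies:
        if fnmatch.fnmatchcase(rcpt, pattern.lower()):
            return pid, verify
    return None, None


def disposition(recipient, policies=POLICIES, directory=DIRECTORY):
    """(policy id, 'accept' | 'bounce' | 'no-policy') for one RCPT TO address."""
    pid, verify = match_policy(recipient, policies)
    if pid is None:
        return None, "no-policy"
    if verify and recipient.lower() not in directory:
        return pid, "bounce"
    return pid, "accept"


def shadowed_policies(policies=POLICIES):
    """IDs of policies that can never fire because an earlier pattern already covers
    every address they would match. Exact for a literal address sitting below a
    wildcard, which is the common mistake; wildcard-vs-wildcard is a heuristic."""
    dead = []
    for i, (pid, pattern, _) in enumerate(policies):
        if any(fnmatch.fnmatchcase(pattern.lower(), earlier.lower())
               for _, earlier, _ in policies[:i]):
            dead.append(pid)
    return dead


if __name__ == "__main__":
    for rcpt in ("info@socpuppets.com", "ldap2@socpuppets.com", "googleblogger@socpuppets.com"):
        print(rcpt, "->", disposition(rcpt))
    print("policies that can never match:", shadowed_policies())
```

Moving policy 18 above policy 12 in the list makes googleblogger@socpuppets.com hit its no-verification policy, which is exactly the reorder the text describes; the shadowing check is a cheap thing to run against an exported policy list before a change window.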









Deploying an LDAP service and profile with an LDAP-aaS provider like JumpCloud lets you apply good anti-spam filtering and secure email delivery.

https://jumpcloud.com


Now here are some deployment diagrams. The 1st supplements your local LDAP server with JumpCloud as a fallback. Great for an enterprise org that is rebuilding or upgrading its local AD server but needs to keep an LDAP service available. Here we achieve this with SLB (server load balancing), prioritizing LDAP queries to the local LDAP server and falling back to JumpCloud when the local service is not functional, down or interrupted.








The next diagram shows a simple design that solely uses a single JumpCloud instance for recipient verification, with multiple MUAs sending mail to valid and non-valid recipients.




And lastly, the email-hosting provider scenario, where you might have a single ESA or a pair of ESA appliances that need to serve multiple hosted protected email domains. Here you could create multiple JumpCloud org IDs and build a unique LDAP profile for each hosted email domain.

A unique LDAP administrator could be assigned for each instance, controlling his/her own scope and managing that org's LDAP tree, with a unique org ID and LDAP service account for that domain.




And for diagnostics, make sure you test LDAP connectivity and the correct syntax. Here we are using curl to test LDAPS to JumpCloud:








Always make sure the credentials are correct, and use "-k" with curl if you have not saved the JumpCloud public certificate. Note that "-k" disables certificate verification, so it belongs in the connectivity test only; the appliance's LDAPS setting should validate the server certificate rather than skip it.






Ken Felix


Saturday, March 25, 2017

FTNT CSB for the FGT90E

The new FGT90E series has a not-so-funny CSB (Customer Support Bulletin) out that I thought was strange, to say the least.

It does not build confidence in these hardware platforms.




The fact that they state it is a degrading issue that does not need replacement, "but we are fully committed", makes you wonder how much commitment FTNT really has.





Ken Felix

Wednesday, March 22, 2017

How to extract the MS Azure DC subnets into a FortiGate batch of address objects

Here's a simple means of extracting the address ranges that Microsoft posts for its Azure geo-datacenter listings.

The link below provides the file in XML format; it is re-posted every week or so.


https://www.microsoft.com/en-us/download/details.aspx?id=41653


{ script }

#!/bin/bash
#
# rev 1.1
#
# azure dc ranges prep script, produces a fortigate batch of address objects
# reference href https://www.microsoft.com/en-us/download/details.aspx?id=41653
#
if [ -z "$1" ]; then
    echo " USAGE azuredcrange.sh filename"
    echo ""
    echo " azuredcrange.sh PublicIPs.xml"
    exit 1
fi

# Each range in the XML looks like:  <IpRange Subnet="13.64.0.0/16" />
# Pull the quoted Subnet value out of every IpRange element. Names and comments
# are quoted so the "/" in the prefix survives the CLI parser.
# "set tag" only exists on older FortiOS releases; drop it if your version rejects it.
grep IpRange "$1" | sed -n 's/.*Subnet="\([^"]*\)".*/\1/p' | while read -r p; do
    echo -e " config firewall address\n edit \"$p\"\n   set subnet $p\n   set tag MSAZURE_DC\n   set comment \"MS_AZURE_DC\"\n next\n end\n"
done



You can capture the output in a text file and use the batch configuration mode within the web GUI (or paste it into the CLI) to execute it. Re-run the script on each new posting of the file, since the ranges change.
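
A more robust version of the same extraction, as an added example that is not from the original post: instead of grepping the XML, the Python below walks it with ElementTree, validates each prefix with the ipaddress module so a malformed entry in the feed is skipped rather than turned into a bad address object, and emits one address object per prefix plus one address group per Azure region. The XML excerpt is constructed to match the file's shape (Region elements containing IpRange elements with a Subnet attribute); the object and group names are my own convention.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed excerpt shaped like Microsoft's PublicIPs.xml (Region elements holding
# IpRange elements with a Subnet attribute). The prefixes are made up; the last one
# has host bits set on purpose so the validation path is exercised.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<AzurePublicIpAddresses>
  <Region Name="useast">
    <IpRange Subnet="13.68.0.0/16" />
    <IpRange Subnet="20.36.0.0/16" />
  </Region>
  <Region Name="uswest">
    <IpRange Subnet="13.64.0.0/16" />
    <IpRange Subnet="13.64.1.5/16" />
  </Region>
</AzurePublicIpAddresses>
"""


def extract_ranges(xml_text):
    """Return ([(region, ip_network), ...], [rejected subnet strings]).

    Walks the tree instead of grepping it and insists on a clean prefix, so a typo
    in the feed cannot silently become a wrong firewall object. If the file ever
    carries a default xmlns, the tag names below need that namespace prefixed.
    """
    good, bad = [], []
    root = ET.fromstring(xml_text)
    for region in root.iter("Region"):
        name = region.get("Name", "unknown")
        for rng in region.iter("IpRange"):
            subnet = rng.get("Subnet", "")
            try:
                good.append((name, ipaddress.ip_network(subnet, strict=True)))
            except ValueError:
                bad.append(subnet)
    return good, bad


def fortigate_batch(ranges, tag="MSAZURE_DC"):
    """Render FortiGate CLI: one address object per prefix, one addrgrp per region.

    Address-group member limits vary by model and FortiOS version; if the batch is
    rejected, split the larger regions into several groups.
    """
    lines = ["config firewall address"]
    by_region = {}
    for region, net in ranges:
        name = f"{tag}_{net.with_prefixlen}"
        by_region.setdefault(region, []).append(name)
        lines += [
            f'    edit "{name}"',
            f"        set subnet {net.network_address} {net.netmask}",
            f'        set comment "{tag} {region}"',
            "    next",
        ]
    lines.append("end")
    lines.append("config firewall addrgrp")
    for region, members in sorted(by_region.items()):
        quoted = " ".join(f'"{m}"' for m in members)
        lines += [f'    edit "{tag}_{region}"', f"        set member {quoted}", "    next"]
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    ranges, rejected = extract_ranges(text)
    sys.stdout.write(fortigate_batch(ranges))
    for s in rejected:
        sys.stderr.write(f"skipped malformed subnet: {s}\n")
```

Usage is `python3 azure_ranges.py PublicIPs.xml > azure.batch`; rejected entries go to stderr so they cannot end up in the batch file, and the per-region groups are what you would actually reference in a firewall policy.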




Ken Felix


Thursday, March 9, 2017

JumpCloud LDAP with a FortiGate for remote-user authentication

In this series of JumpCloud configurations, here's a basic FortiGate configuration for the JumpCloud LDAP-as-a-Service.



1st, you need to define the LDAP server configuration.

NOTE: you need to set the cnid value to uid. Use LDAPS rather than plain LDAP, so the bind credentials and queries are not sent in the clear; the FortiGate will negotiate TLS against the certificate presented by the JumpCloud LDAP-aaS server instance.

2nd, we create the user group, named JUMPCLOUD, with that LDAP server profile as its member.




3rd, here is my simple admin user, jump01, set as a Super Admin:
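
The CLI equivalent of those three steps, as an added example that is not from the original post or from JumpCloud's documentation: it assumes the JumpCloud org ID `XXXXXX`, a bind user `ldapsvc`, a CA certificate already imported under the name `JumpCloud_CA`, and JumpCloud's LDAP host `ldap.jumpcloud.com` (the DN layout `ou=Users,o=<orgid>,dc=jumpcloud,dc=com` is JumpCloud's). The `#` lines are annotations; strip them before pasting into the CLI.

```text
# Step 1: LDAP server profile (assumed org id XXXXXX and bind user ldapsvc)
config user ldap
    edit "JUMPCLOUD"
        set server "ldap.jumpcloud.com"
        set secure ldaps
        set port 636
        # Pin the issuing CA so the LDAPS session is authenticated, not just encrypted.
        # Without ca-cert the FortiGate will accept any certificate the far end presents.
        set ca-cert "JumpCloud_CA"
        set cnid "uid"
        set dn "ou=Users,o=XXXXXX,dc=jumpcloud,dc=com"
        set type regular
        set username "uid=ldapsvc,ou=Users,o=XXXXXX,dc=jumpcloud,dc=com"
        set password <bind-password>
    next
end

# Step 2: user group backed by that server
config user group
    edit "JUMPCLOUD"
        set member "JUMPCLOUD"
    next
end

# Step 3: remote admin jump01, authenticated through the group, super_admin profile
config system admin
    edit "jump01"
        set remote-auth enable
        set remote-group "JUMPCLOUD"
        set accprofile "super_admin"
        set vdom "root"
    next
end
```

Because the bind account in step 1 can read your whole user tree, give it a long random password and the minimum read scope JumpCloud allows, and keep super_admin for named admins only rather than a wildcard admin entry.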





Okay, now test it using the following:

diag test authserver ldap <servernameLDAP> <username> <password>

Or just log in via SSH or the web GUI.






Ensure the FortiGate has a clear path for LDAP or LDAPS (TCP 389/636) out to the JumpCloud service; with LDAPS configured as above, 636 is the only one you need to allow.




You can use the JumpCloud test utility script or ldapsearch to test connectivity, the bind user credentials and your filter, as well as any firewall policies in the path.

e.g. testing LDAPS




HINT

If you know the attribute you are looking for, or a range of attributes, you can query just those attributes instead of pulling the whole entry.

e.g. (query for cn, uid and sshKey)

e.g. (query the user's home directory)





Ken Felix