Saturday, March 25, 2017

FTNT CSB FGT90E

The new FGT90E series has a not-so-funny CSB out that I thought was strange, to say the least.

It does not build confidence in these hardware platforms.




The fact that they state it's a degrading issue that does not need replacement, "but we are fully committed", makes you wonder how much commitment FTNT really has.





Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

Wednesday, March 22, 2017

How to extract MS Azure DC subnets into a batch of FortiGate address objects

Here's a simple means of extracting the address ranges that MS Azure posts in its geo-datacenter listings.



The link below lists the file, in XML format, which is re-posted every week or so.


https://www.microsoft.com/en-us/download/details.aspx?id=41653


{ script }

#!/bin/bash
#
# rev 1.0
#
# azure dc ranges prep script, makes a fortigate batch of address objects
# reference: https://www.microsoft.com/en-us/download/details.aspx?id=41653
#
if [ -z "$1" ] || [ ! -r "$1" ]; then
            echo " USAGE azuredcrange.sh filename"
            echo ""
            echo " azuredcrange.sh PublicIPs.xml"
            exit 1
fi

# every <IpRange Subnet="a.b.c.d/len" /> line yields one a.b.c.d/len value
for p in $(grep -o 'Subnet="[^"]*"' "$1" | cut -d '"' -f2) ;

do echo -e " config firewall address\n edit $p\n   set subnet $p\n   set tag MSAZURE_DC\n   set comment MS_AZURE_DC\n   end\n" ;

done



You can catch the output in a text file and use the batch cfg mode for execution within the web GUI.
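A fuller variant of the same idea, added here as an example and not the post's own script: it keeps the Region name from the XML on each address object and builds one address group per region, so a policy can reference "AZURE_<region>" instead of hundreds of subnets. The XML sample is constructed in the shape Microsoft publishes; the object naming is my own.

```shell
#!/bin/bash
# Constructed sample in the PublicIPs.xml layout (<Region Name=...><IpRange Subnet=.../>)
SAMPLE_XML='<?xml version="1.0" encoding="utf-8"?>
<AzurePublicIpAddresses xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Region Name="europewest">
    <IpRange Subnet="13.69.0.0/17" />
    <IpRange Subnet="40.68.0.0/16" />
  </Region>
  <Region Name="useast">
    <IpRange Subnet="13.68.0.0/16" />
  </Region>
</AzurePublicIpAddresses>'

# azure_to_fgt: read PublicIPs.xml on stdin, write a FortiOS CLI batch on stdout.
# Address objects come first, then one addrgrp per region referencing them.
azure_to_fgt() {
  awk '
    /<Region / {
      match($0, /Name="[^"]*"/); region = substr($0, RSTART + 6, RLENGTH - 7)
    }
    /<IpRange / {
      match($0, /Subnet="[^"]*"/); cidr = substr($0, RSTART + 8, RLENGTH - 9)
      # only emit well-formed IPv4 prefixes; anything else is skipped, not pushed to the box
      if (cidr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) next
      name = "AZURE_" region "_" cidr
      printf "config firewall address\n  edit \"%s\"\n    set subnet %s\n    set comment \"MS_AZURE_DC %s\"\n  next\nend\n", name, cidr, region
      members[region] = members[region] " \"" name "\""
    }
    END {
      for (r in members)
        printf "config firewall addrgrp\n  edit \"AZURE_%s\"\n    set member%s\n  next\nend\n", r, members[r]
    }'
}

# usage: azure_to_fgt < PublicIPs.xml > azure_batch.txt
if [ "${1:-}" = "demo" ]; then printf '%s\n' "$SAMPLE_XML" | azure_to_fgt; fi
```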




  


Thursday, March 9, 2017

JumpCloud LDAP with a FortiGate for remote-user authentication

In this series of JumpCloud configurations, here's a basic cfg for JumpCloud LDAP-as-a-Service.



1st you need to define the LDAP server cfg.

NOTE: you need to set the cnid value to uid. It's a good thing to use LDAPS and not LDAP; the FortiGate will use the SSL certificate on the JumpCloud LDAP-aaS server instance.

Now we set the group with the name JUMPCLOUD and the server profile.




And here's my simple user named jump01, set as a Super Admin:





Okay, now you test using the following:


diag test authserver ldap  <servernameLDAP>  <username> <password>


Or just log in via SSH or the web GUI.






Ensure the FortiGate has a clear path for communication for LDAP or LDAPS (389/636).




You can use the JumpCloud utility script or ldapsearch to test connectivity, the bind-user credentials, and your filters or firewall policies.

e.g.

Testing LDAPS:




HINT





If you know the attribute you're looking for, or a range of attributes, you can query just those attributes.

e.g. (query for cn, uid and sshKey)

e.g. (query the user's home directory)






Decrypt JunOS $9$ passwords

Here are three means of decrypting $9$ passwords in Juniper JunOS.


1> Later JunOS versions have the ability to request a system decrypt from the CLI.

2> Or use an online decrypt tool such as:

https://www.m00nie.com/juniper-type-9-password-tool/


3> Another tool:

http://junostools.com/pdecrypt



You don't have to rekey the various hashes (VRRP, PSK, BGP, etc.) if you use one of the three methods above for lost passwords. Keep in mind that $9$ is reversible obfuscation rather than a one-way hash, which is why recovery works at all, so a config that contains $9$ strings should be handled as if it held the cleartext secrets.




Tuesday, March 7, 2017

Certificate with a limited subject field

The age-old story of what's needed in a certificate subject, such as Country, State, Locality, etc.


Here's a basic certificate with just a CN:

{ A MS-RDP certificate }

Here's another example:



{ A juniper SRX }
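To reproduce what those two certificates show, here is an added example (not from the post) that mints a self-signed certificate whose subject carries only a CN and checks that no C/ST/L/O field ended up in it. The hostname is made up; it needs openssl 1.1.1 or later for -addext.

```shell
#!/bin/bash
# mint_cn_only_cert <cn> <outdir>: self-signed cert whose subject is "/CN=<cn>" and nothing else.
# A SAN is added as well: current TLS clients match the hostname against the SAN and ignore
# the CN, so a CN-only subject is fine but a SAN-less certificate is the thing that breaks.
mint_cn_only_cert() {
  cn="$1"; dir="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" 2>/dev/null
}

# cert_subject <certfile>: prints the subject line, e.g. "subject=CN = srx.example.test"
cert_subject() { openssl x509 -in "$1" -noout -subject; }

# cert_has_only_cn <certfile>: succeeds when the subject has a CN and no C/ST/L/O/OU RDN
# (handles both the "CN = x" and the older "/CN=x" print styles of openssl)
cert_has_only_cn() {
  subj=$(cert_subject "$1")
  printf '%s\n' "$subj" | grep -q 'CN *=' &&
    ! printf '%s\n' "$subj" | grep -Eq '(^|[,/= ])(C|ST|L|O|OU) *='
}

# demo: build the cert in a temp dir, show subject and SAN, report whether subject is CN-only
demo() {
  dir=$(mktemp -d)
  mint_cn_only_cert "srx.example.test" "$dir"
  cert_subject "$dir/cert.pem"
  openssl x509 -in "$dir/cert.pem" -noout -ext subjectAltName
  cert_has_only_cn "$dir/cert.pem"
  rc=$?
  rm -rf "$dir"
  return $rc
}
```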


RADIUS TAGs with JumpCloud

In this post we will look at account controls using tags. Ben@jumpcloud suggested this is the best way of controlling user access, and of turning off accounts without actually "deleting" the user account from the portal.

With tags, you bind the RADIUS server and the users to a tag, so only users within that tag combo have authentication access via that RADIUS client profile.

In my example, we have 3 users named user1, user2, user3.

The tag defined is as follows: SOCBLOG01




Each user is bound to that tag and to the RADIUS client.




For LDAP-aaS you will need to click the tag button.






JumpCloud LDAP-aaS with FortiMail remote authentication

Here's the start of a blog series on JumpCloud configurations for the FTNT FortiMail appliance.

First up is a HOWTO using LDAP for authentication. The cfg is simple and can also be used for group and user verification.






You can authenticate remote FortiMail clients using the cloud-hosted JumpCloud LDAP-as-a-Service.

The JumpCloud LDAP servers are located at the following IPv4 address (they are hosted in an AWS cloud instance).

We have the LDAP servers at the following URIs:

### URI/LDAP Server ###

ldaps://ldap.jumpcloud.com:636    ( secured )
ldap://ldap.jumpcloud.com:389     ( not secured )




You can find all of this information in the JumpCloud utility shell script.
{ jumpcloud_test_utility.sh }







In my cfg, I'm using LDAPS. This ensures communications are secured between the LDAP client and the JumpCloud instance.




1: We define our Base DN / Bind DN and the authentication users. You will need the LDAP bind-user account and the group-id #.



2: Then you need the following cfg details in the advanced options:


3: Then we can test using the LDAP test.






Or just log in and test:





Here's a simplified view of what a cfg would encompass:
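The ldapsearch checks mentioned in the FortiGate post (bind test, cn/uid/sshKey and home-directory queries) and the group verification this FortiMail post relies on, wrapped into one added example that is not from either post. ldap.jumpcloud.com:636 is the URI above; the "uid=<user>,ou=Users,o=<org id>,dc=jumpcloud,dc=com" layout is JumpCloud's published DN form; the org id, bind user and group name are placeholders, the attribute names are the ones the post lists, and the memberOf attribute is assumed.

```shell
#!/bin/bash
JC_HOST="ldap.jumpcloud.com"
JC_URI="ldaps://${JC_HOST}:636"              # the secured URI, not 389
JC_ORG_ID="${JC_ORG_ID:-YOUR_ORG_ID}"        # placeholder: your JumpCloud org id
JC_BIND_USER="${JC_BIND_USER:-ldapbind}"     # placeholder: the LDAP binding user

# DN helpers: base for the org, one user, one group (all live under ou=Users)
jc_base_dn()  { printf 'ou=Users,o=%s,dc=jumpcloud,dc=com' "$JC_ORG_ID"; }
jc_user_dn()  { printf 'uid=%s,%s' "$1" "$(jc_base_dn)"; }
jc_group_dn() { printf 'cn=%s,%s' "$1" "$(jc_base_dn)"; }

# jc_user_filter <uid> [group]: (uid=x), or (&(uid=x)(memberOf=<group dn>)) to verify
# the user is also in the group the appliance is restricted to (memberOf assumed)
jc_user_filter() {
  if [ -n "${2:-}" ]; then
    printf '(&(uid=%s)(memberOf=%s))' "$1" "$(jc_group_dn "$2")"
  else
    printf '(uid=%s)' "$1"
  fi
}

# jc_search <filter> [attrs...]: simple bind as the bind user (-W prompts for its
# password), search the Users base, -LLL keeps the LDIF minimal
jc_search() {
  filter="$1"; shift
  ldapsearch -LLL -H "$JC_URI" -x -D "$(jc_user_dn "$JC_BIND_USER")" -W \
    -b "$(jc_base_dn)" "$filter" "$@"
}

# jc_tls_check: proves 636/tcp is reachable and shows the server certificate
# the FortiGate/FortiMail will be validating
jc_tls_check() {
  openssl s_client -connect "${JC_HOST}:636" -servername "$JC_HOST" </dev/null 2>/dev/null \
    | grep -E '^subject=|Verify return code'
}

# run the live checks only when asked: ./jc_ldap_check.sh run
if [ "${1:-}" = "run" ]; then
  jc_tls_check
  jc_search "$(jc_user_filter jump01)" cn uid sshKey           # bind test + key lookup
  jc_search "$(jc_user_filter jump01)" homeDirectory           # home directory query
  jc_search "$(jc_user_filter jump01 mailusers)" dn            # group verification
fi
```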





