Thursday, August 25, 2016

FQDN address policies fortigate FortiOS

I was using an FQDN policy object in a firewall and want to share some simple tips that could come in handy. To check whether the FQDN is mapped and resolved, you can use the following CLI command:

    diag firewall fqdn list

To purge ALL objects, use the following CLI command:

    diag firewall purge

To set a specific TTL for caching, set the TTL on the object directly, e.g.:

    config firewall address
        edit dns1
            set type fqdn
            set fqdn www.example.com
            set cache-ttl 10
        next
    end

In the above, the firewall will perform a DNS lookup every 10 seconds (cache-ttl is in seconds) and refresh the local cache if the answer has changed.

If the object has multiple A records, all of the attached records are displayed:

    FGT310C (root) # diag firewall  fqdn  list | grep www.etrade.com
    www.etrade.com: ID(117) REF(1) ADDR(65.196.177.42) ADDR(12.221.217.42)

    FGT310C (root) # diag firewall  fqdn  list | grep www.twitter.com
    www.twitter.com: ID(19) REF(1) ADDR(199.59.149.198) ADDR(199.59.148.82) ADDR(199.59.150.7) ADDR(199.59.148.10)

A firewall address object of type fqdn uses the firewall's local DNS server settings to resolve the FQDN.

A FortiGate firewall will ALWAYS resolve an FQDN object, regardless of whether it is used in a firewall policy.


An fqdn firewall address object whose host does NOT exist in DNS is still cached, but with no resolved address:

    diag firewall  fqdn  list
    List all FQDN:
    nohost.socpuppets.com: ID(140) REF(1)

Be careful with bad FQDNs or non-existent hosts: an object with no resolved address matches nothing, so traffic relying on it will be blocked.

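One way to turn the `diag firewall fqdn list` output above into a check you can run from a script, as an added example that is not part of the original post or of FortiOS: parse each entry into its ID, REF count and resolved addresses, then flag the objects that are referenced (REF is taken to be a reference count, an assumption) but resolved to no address, since those are exactly the ones whose policies will silently drop traffic. The sample output is constructed in the page's format.

```python
"""Parse `diag firewall fqdn list` output and flag FQDN objects that resolved to nothing.

Added example, not FortiOS code. The sample output below is constructed to match the
format shown on the page: `<fqdn>: ID(<n>) REF(<n>) ADDR(<ip>) ADDR(<ip>) ...`.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the format the page shows for `diag firewall fqdn list`.
SAMPLE_OUTPUT = """\
List all FQDN:
www.etrade.com: ID(117) REF(1) ADDR(65.196.177.42) ADDR(12.221.217.42)
www.twitter.com: ID(19) REF(1) ADDR(199.59.149.198) ADDR(199.59.148.82) ADDR(199.59.150.7) ADDR(199.59.148.10)
nohost.socpuppets.com: ID(140) REF(1)
"""

LINE_RE = re.compile(r"^(?P<name>\S+):\s+ID\((?P<id>\d+)\)\s+REF\((?P<ref>\d+)\)(?P<rest>.*)$")
ADDR_RE = re.compile(r"ADDR\(([^)]+)\)")


def parse_fqdn_list(text: str) -> Dict[str, dict]:
    """Return {fqdn: {"id": int, "ref": int, "addrs": [ip, ...]}} for each entry."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line ("List all FQDN:") or anything unparseable
        addrs = []
        for a in ADDR_RE.findall(m.group("rest")):
            try:
                addrs.append(str(ipaddress.ip_address(a)))
            except ValueError:
                continue  # defensively skip a value that is not an IP address
        entries[m.group("name")] = {
            "id": int(m.group("id")),
            "ref": int(m.group("ref")),
            "addrs": addrs,
        }
    return entries


def unresolved_in_use(entries: Dict[str, dict]) -> List[str]:
    """FQDN objects with REF > 0 (assumed: referenced by a policy) but no address.

    A policy that relies on such an object matches nothing, so its traffic is blocked;
    these are the objects worth alerting on.
    """
    return sorted(n for n, e in entries.items() if e["ref"] > 0 and not e["addrs"])


if __name__ == "__main__":
    parsed = parse_fqdn_list(SAMPLE_OUTPUT)
    for name, e in parsed.items():
        print(f"{name}: {len(e['addrs'])} address(es) -> {e['addrs']}")
    print("unresolved but in use:", unresolved_in_use(parsed))
```

Feed it the real output (for example from an SSH session or the REST API) instead of `SAMPLE_OUTPUT`, and alert on anything `unresolved_in_use` returns before the next cache refresh hits a policy.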
The firewall fqdn address objects are ONLY applicable to IPv4 addresses; hosts with both A and AAAA records will only display the A record. You can't use the fqdn type in address6.

I haven't checked in FortiOS 5.4 to see if this feature has changed.

Ken

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \


Wednesday, August 24, 2016

Fortianalyzer 5.4.x issues

Since launching the VM FAZ appliance and upgrades, we still see various issues:

1: chartviewer fails
2: working reports fail to display
3: unable to launch the console ICONs: "Failed to Start"

Item #3 is a new one that requires a reboot. I didn't bother opening a ticket with FTNT; btw they have been just about useless imho.


I hope the next release of FAZ fixes these issues.


Monday, August 22, 2016

The SSL certificate has nothing to do with the cipher suite strength

Most individuals installing an HTTPS web site seem to think the "certificate" or the CA controls the cipher suite strength, which is in fact 100% wrong.

Take an SSL Labs analysis of a website that was recently installed.

All of the weak ciphers in the above list scored this site as a marginal B. But have no fear, socpuppets is here.

You can enable only strong cipher suites (in the server's TLS configuration, not in the certificate) and retest the site using SSL Labs to witness the new grade.

(after striking RC4, MD5, etc.)

Now the site has an A+ grade, and it's still the same server and the same installed certificate and private key.
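To make the point concrete, here is an added example (mine, not from the post, and not tied to any particular web server): the Python `ssl` module is asked which cipher suites it would offer under two OpenSSL cipher strings, with no certificate loaded at all, because the cipher policy is a property of the TLS configuration. The `WEAK_MARKERS` classification is a simple name-based heuristic that assumes OpenSSL suite naming; the two cipher strings are constructed examples of a permissive and a strict policy.

```python
"""Cipher-suite policy lives in the server's TLS configuration, not in the certificate.

Added example (not from the page): the same `ssl` module, with no certificate involved,
is asked which cipher suites it would offer under two OpenSSL cipher strings. The
weak/strong classification is a name-based heuristic (assumption: OpenSSL suite naming).
"""
import ssl
from typing import List

# Markers for suites a modern scan flags: RC4 and MD5 (called out on the page),
# plus 3DES/DES, NULL, export and anonymous suites.
WEAK_MARKERS = ("RC4", "MD5", "3DES", "DES-CBC", "NULL", "EXP", "ADH", "AECDH")

# Two candidate policies for the same server and certificate (constructed examples).
PERMISSIVE = "ALL:!aNULL"
STRICT = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES"


def offered_suites(cipher_string: str) -> List[str]:
    """Expand an OpenSSL cipher string into the suite names the local library would offer.

    Raises ssl.SSLError if no suite in the library matches the string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() lists what this context would negotiate (TLS 1.3 suites included).
    return [c["name"] for c in ctx.get_ciphers()]


def flag_weak(suites: List[str]) -> List[str]:
    """Return the suites whose name contains a weak-algorithm marker."""
    return [s for s in suites if any(m in s.upper() for m in WEAK_MARKERS)]


def audit(cipher_string: str) -> dict:
    """Summarise a cipher string: how many suites it offers and which are weak."""
    suites = offered_suites(cipher_string)
    weak = flag_weak(suites)
    return {"offered": len(suites), "weak": weak, "clean": not weak}


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE), ("strict", STRICT)):
        r = audit(policy)
        print(f"{label:10s} offers {r['offered']} suites, weak: {r['weak'] or 'none'}")
```

Whether the permissive string still yields RC4 or 3DES suites depends on how the local OpenSSL was built (recent builds drop them entirely); the strict string yields none regardless, which is the retest result the post describes.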



Tuesday, August 9, 2016

Using Execute log filters to monitor firewall traffic

One cool function that's overlooked on the firewall (FortiGate):

1: if you have logtraffic all enabled on your firewall policies, you can construct filters for traffic flows

2: and display just the traffic that has hit the defined category and filter field(s)

3: speed up "traffic review" without having to go to a remote logging appliance
   (FortiCloud, FortiAnalyzer, remote syslog)


Here's a simple example using just a policyid with the traffic category { #0 }

If a match is found, we would see details similar to the below:

Here are a few of the filters available under category #0 { traffic }:

FWF50D (socpuppy) $ execute log filter field
Available fields:
timestamp
action
app
appact
appcat
appid
applist
apprisk
collectedemail
countapp
countav
countdlp
countemail
countips
countweb
craction
crlevel
crscore
custom
date
devid
devtype
dstcountry
dstintf
dstip
dstname
dstport
dstssid
dstuuid
duration
group
lanin
lanout
level
logid
mastersrcmac
msg
osname
osversion
policyid
poluuid
proto
rcvdbyte
rcvdpkt
sentbyte
sentpkt
service
sessionid
shaperdroprcvdbyte
shaperdropsentbyte
shaperperipdropbyte
shaperperipname
shaperrcvdname
shapersentname
srccountry
srcintf
srcip
srcmac
srcname
srcport
srcssid
srcuuid
subtype
time
trandisp
tranip
tranport
transip
transport
type
unauthuser
unauthusersource
user
utmaction
vd
vpn
vpntype
wanin
wanoptapptype
wanout


I find myself using the following options the most:

    dstip,srcip,policyid

Btw, these are the same filters available in FortiAnalyzer.

By chaining a string of filters you can easily determine whether traffic is matching and the action taken.
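The same field filtering, applied to exported traffic logs rather than on the box, as an added example that is not part of the post and not FortiOS code: the lines are constructed in the key=value layout FortiOS traffic logs use (field names come from the list printed above; addresses are RFC 5737 documentation ranges), and `filter_logs` applies equality filters such as `srcip`, `dstip`, `policyid` and `action`, plus a numeric range on `duration` in seconds, which also picks out long-lived flows in the logs.

```python
"""Filter FortiGate traffic-log lines by field, the way `execute log filter field` does.

Added example, not FortiOS code. The log lines are constructed in the key=value layout
FortiOS uses for traffic logs (type=traffic); field names are taken from the list on
the page. Equality filters and a numeric range filter (duration, seconds) are supported.
"""
import shlex
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample traffic log lines (192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_LOGS = """\
date=2016-08-09 time=10:00:01 devname=FWF50D type=traffic subtype=forward level=notice vd=root srcip=192.168.1.10 srcport=51000 srcintf="internal" dstip=203.0.113.5 dstport=443 dstintf="wan1" policyid=5 sessionid=1001 proto=6 action=accept service="HTTPS" duration=1200 sentbyte=5120 rcvdbyte=90210
date=2016-08-09 time=10:00:02 devname=FWF50D type=traffic subtype=forward level=notice vd=root srcip=192.168.1.22 srcport=40001 srcintf="internal" dstip=203.0.113.5 dstport=443 dstintf="wan1" policyid=5 sessionid=1002 proto=6 action=accept service="HTTPS" duration=30 sentbyte=800 rcvdbyte=4200
date=2016-08-09 time=10:00:03 devname=FWF50D type=traffic subtype=forward level=notice vd=root srcip=192.168.1.10 srcport=51002 srcintf="internal" dstip=198.51.100.9 dstport=22 dstintf="wan1" policyid=7 sessionid=1003 proto=6 action=deny service="SSH" duration=0 sentbyte=0 rcvdbyte=0
date=2016-08-09 time=10:00:04 devname=FWF50D type=traffic subtype=forward level=notice vd=root srcip=192.168.1.30 srcport=50500 srcintf="internal" dstip=198.51.100.9 dstport=443 dstintf="wan1" policyid=5 sessionid=1004 proto=6 action=accept service="HTTPS" duration=86400 sentbyte=1 rcvdbyte=1
"""


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; shlex strips the quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def filter_logs(lines: Iterable[str], equals: Optional[Dict[str, str]] = None,
                ranges: Optional[Dict[str, Tuple[int, int]]] = None) -> List[Dict[str, str]]:
    """Return the parsed records matching every equality and every inclusive range condition."""
    equals = equals or {}
    ranges = ranges or {}
    matches = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_log_line(line)
        if any(rec.get(k) != v for k, v in equals.items()):
            continue
        ok = True
        for k, (lo, hi) in ranges.items():
            try:
                ok = lo <= int(rec.get(k, "")) <= hi
            except ValueError:
                ok = False  # field missing or not numeric: treat as no match
            if not ok:
                break
        if ok:
            matches.append(rec)
    return matches


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    # The filters the post uses most: dstip, srcip, policyid.
    for rec in filter_logs(lines, equals={"policyid": "5", "dstip": "203.0.113.5"}):
        print("policy 5 ->", rec["srcip"], rec["dstip"], rec["action"])
    # Long-lived flows: duration between 900 and 24400 seconds.
    for rec in filter_logs(lines, ranges={"duration": (900, 24400)}):
        print("long session ->", rec["sessionid"], rec["duration"], "s")
```

Point it at a syslog export or a FortiAnalyzer log download and the same field names the box accepts in `execute log filter field` work unchanged.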



Monday, July 25, 2016

How to find long-winded sessions on a FortiGate

When working with firewall policies and testing new applications, it's proper to use the diag sys session command from the CLI.

In some cases you might have a new application that needs close monitoring, or you want to validate that sessions are indeed up, and for an extended time.

By using the filter option with the diag sys session command you can find those sessions, and with other attributes (src, dst, port, policyid #) you can confirm or rule out issues that might be driven by the firewall or the applications.

e.g.

The above has a filter option for 900-24400 seconds; any session that matches that duration would be presented.

You can set other values to drill in on traffic of interest.






Friday, July 15, 2016

PANOS Security Advisor

One feature Palo Alto has is updating end-users on security issues. The advisory lists the vulnerabilities and the impact, and a workaround or correction such as a software update.

One other cool feature: they acknowledge the 3rd parties that expose these issues.


Friday, July 8, 2016

FAZ group authentication issues continue

FAZ 5.4 and 5.4.1 behavior with user-type group nets a non-working WebGUI when we have a wildcard and dev-profiles.

If you recall http://socpuppet.blogspot.com/2016/06/faz-user-type-group-version-type-tacacs.html
A FAZ appliance upgraded to 5.4.1 nets a display message in the webGUI. I'm working with FTNT support on trying to get an answer to this issue.

If you specify a group with TACACS+ or RADIUS, for example, the webGUI login will pass, BUT the display will not show any ICONs. FTNT support has my case but is still researching the issue.

