Friday, August 28, 2009

Resetting a lost Fortigate Admin Password

If you have lost the admin password for a FortiGate, you can reset it as long as you have physical access to the box. Note that this also means anyone with console access can take over the firewall, so keep the console port as physically secured as the unit itself.

Heads up: you have to type the user ID and password within 15 seconds of the login prompt first appearing. If you take too long, reboot the firewall and try again.
  • Connect the console cable to the Fortigate and fire up your favorite terminal emulator
  • Reboot the firewall unit.
  • At the console login prompt, type "maintainer" as the user ID.
  • Type bcpb followed by the unit's serial number as the password, i.e. bcpbFGTxxxxxxxxxxxxx, where FGTxxxxxxxxxxxxx is the S/N printed on the FortiGate. The serial number is case sensitive, so for example use FGT60B, not FGT60b. If that does NOT work, try bcpbxxxxxxxxxxxxx (bcpb followed by the serial number without its FGT prefix) as the password.
  • After logging in, set a new admin password (replace <new-password> with the value you want):
config system admin
edit admin
set password <new-password>
next
end

Wednesday, August 26, 2009

Syslog Problem in FortiAnalyzer 4.1

If you have devices reporting to your FA, you might want to hold off on an upgrade to 4.1. One of the things I noticed on various FA platforms is that syslog devices still send logs, but the content of the logs appears blank in FA. A ticket with Fortinet is pending.

** Update **

Fortinet has corrected the bug and will include the fix in FortiAnalyzer 4.1.1.

** Second Update **

4.1 Patch 1 restores access to all the syslogs that were previously received.

Software Updates - FortiAnalyzer 4.1 (AKA 4.0 MR1)

· Log Reduction and Optimization
· WAN Optimization Reports
· System Migration
· Vulnerability Management – PCI Compliance Reports
· Vulnerability Management – CVE Compatibility
· Web Clicks vs Hits Algorithm
· Custom Charts
· Quarantine and Report Extensions
· Per-VDom Quarantine
· Improved Log Rolling Mechanism
· Viewing of Real and Historical logs for multiple and mixed devices
· Support for encrypted mail protocols (SMTPs, POP3s, IMAPs) - log viewing, searches, and reports

Tuesday, August 25, 2009

Openswan - Host to Subnet Configuration

Sometimes you may want a single host running Openswan, rather than a whole network, to connect to your FortiGate firewall.
Here is how to configure this scenario.
  • On your host running Openswan, put the following in your connection definition (parameter lines inside a conn section must be indented):
conn office
    # left side is home (this Openswan host)
    left=%defaultroute
    # leftsubnet is the IP of your host with a /32 subnet mask
    leftsubnet=2.2.2.2/32
    # right side is work; right is the remote VPN gateway (the FortiGate)
    right=1.2.3.4
    # rightsubnet is the remote network behind the FortiGate
    rightsubnet=192.168.1.0/24
    keyexchange=ike
    # auth=esp
    # automatically bring up the tunnel when the IPsec service starts
    auto=start
    # preshared key, stored in the secrets file
    authby=secret
    # ESP transform; must match the FortiGate Phase 2 proposal
    esp=3des
    # perfect forward secrecy defaults to yes; the FortiGate Phase 2 must have PFS enabled too
    pfs=yes
    # optionally enable compression
    compress=yes

The key here is that leftsubnet is the IP address of your Openswan host with a /32 mask. The esp= and pfs settings must match the FortiGate's Phase 2 proposal exactly or Phase 2 will not negotiate; 3DES is shown because that is what the FortiGate in this example used, but prefer AES where both ends support it.

On the FortiGate firewall, configure your Phase 1 parameters with the appropriate settings (the same preshared key, and proposals that match the Openswan side).
In Phase 2, edit the Quick Mode Selectors in the "Advanced" section as follows:

Source Address: 192.168.1.0/24
Source Port: 0
Destination Address: 2.2.2.2/32
Destination Port: 0
Protocol: 0

(A port or protocol of 0 means "any".) This tells the firewall that on its own side it expects the 192.168.1.0/24 network and on the remote side only a single host, 2.2.2.2. The selectors are the mirror image of the Openswan definition: the FortiGate's source is Openswan's rightsubnet and its destination is Openswan's leftsubnet. If they do not match exactly, Phase 2 will not come up.

Site-to-Site VPN - Openswan to Fortinet

Openswan IPSec is an open source implementation of IPSec that is included in many Linux distributions. When appropriately configured, it can interoperate with FortiGate VPNs.

Global settings

The global settings for the Openswan IPSec service are found in /etc/ipsec.conf. Unless you are certain that you don't need NAT traversal, ensure that the following line appears in ipsec.conf:

nat_traversal=yes

The line must be indented (begin with whitespace) and appear in the config setup section of the file.

There is also an include line that defines the name and location of your connection definition files. For example,

include /etc/ipsec.d/*.conf

Put your definition file in this location with an appropriate name.

Connection definition

You need a connection definition for each remote network you want to access.

An Openswan connection definition does not use the terms "source" or "destination". Instead, you define the two ends of the VPN as "left" and "right". The software determines for itself which definition applies to its end of the tunnel.

Example -- /etc/ipsec.d/office.conf

conn office
    # left side is home (this Openswan host); with no leftsubnet, only this host uses the tunnel
    left=%defaultroute
    # add leftsubnet=<network>/<mask> here if a network behind this host should use the tunnel
    # right side is work; right is the remote VPN gateway (the FortiGate)
    right=1.2.3.4
    # rightsubnet is the remote network behind the FortiGate
    rightsubnet=192.168.1.0/24
    keyexchange=ike
    # auth=esp
    # automatically bring up the tunnel when the IPsec service starts
    auto=start
    # preshared key, stored in the secrets file
    authby=secret
    # ESP transform; must match the FortiGate Phase 2 proposal
    esp=3des
    # perfect forward secrecy defaults to yes; the FortiGate Phase 2 must have PFS enabled too
    pfs=yes
    # optionally enable compression
    compress=yes

For more information, see the ipsec.conf man page.
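The selector mapping from the host-to-subnet post above (FortiGate source = Openswan rightsubnet, FortiGate destination = Openswan leftsubnet) and the connection definition in this post are easy to get backwards. The following Python script is an added example, not part of the original post and not Openswan or Fortinet code: it parses an ipsec.conf-style conn section, derives the FortiGate Phase 2 quick-mode selectors from it, checks them against what was typed into the FortiGate, and flags the esp=3des and PFS settings. The sample conf text is constructed for the example, and the left_ip argument is an assumption of this script, since Openswan resolves %defaultroute only at runtime.

```python
import ipaddress
import re

# Constructed sample in ipsec.conf syntax: the host-to-subnet "office" conn from
# this page, plus a 'config setup' section the parser must skip.  Parameter
# lines inside a section must be indented, as Openswan requires.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes

conn office
    # left side is home
    left=%defaultroute
    leftsubnet=2.2.2.2/32
    # right side is work
    right=1.2.3.4
    rightsubnet=192.168.1.0/24
    keyexchange=ike
    auto=start
    authby=secret
    esp=3des
    compress=yes
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Unindented lines start a section ('conn NAME' or 'config setup');
    indented key=value lines belong to the current section; '#' starts a comment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            m = re.match(r"conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def _net(value):
    """'2.2.2.2' and '2.2.2.2/32' compare equal once normalised to a network."""
    return ipaddress.ip_network(value, strict=False)


def fortigate_selectors(conn, left_ip=None):
    """Quick-mode selectors the FortiGate needs, with Openswan as 'left' and the
    FortiGate as 'right': FortiGate source = rightsubnet, FortiGate destination =
    leftsubnet, or the left host as /32 when leftsubnet is unset.  left_ip is an
    assumption of this example: it supplies the host address that Openswan would
    otherwise pick at runtime from left=%defaultroute."""
    source = _net(conn["rightsubnet"])
    if "leftsubnet" in conn:
        dest = _net(conn["leftsubnet"])
    else:
        host = left_ip if conn.get("left", "").startswith("%") else conn["left"]
        if host is None:
            raise ValueError("left=%defaultroute: pass left_ip or set leftsubnet=<ip>/32")
        dest = _net(host + "/32")
    return {"source": source, "destination": dest}


def check_selectors(conn, fgt_source, fgt_destination, left_ip=None):
    """Compare what was typed into the FortiGate Phase 2 'Advanced' section with
    what the conn implies; an empty list means the two sides mirror each other."""
    want = fortigate_selectors(conn, left_ip)
    problems = []
    if _net(fgt_source) != want["source"]:
        problems.append("FortiGate source %s should be rightsubnet %s" % (fgt_source, want["source"]))
    if _net(fgt_destination) != want["destination"]:
        problems.append("FortiGate destination %s should be leftsubnet %s" % (fgt_destination, want["destination"]))
    return problems


def proposal_warnings(conn):
    """Settings that commonly break Phase 2 negotiation or weaken the tunnel."""
    warnings = []
    if "3des" in conn.get("esp", "").lower():
        warnings.append("esp=3des is legacy; use AES if the FortiGate Phase 2 proposal allows it")
    if conn.get("pfs", "yes").lower() == "no":
        warnings.append("pfs=no here requires PFS disabled on the FortiGate Phase 2 as well")
    if conn.get("authby") == "secret" and conn.get("left", "").startswith("%"):
        warnings.append("left is dynamic: the ipsec.secrets entry cannot name a fixed local IP")
    return warnings


if __name__ == "__main__":
    office = parse_conns(SAMPLE_CONF)["office"]
    print(fortigate_selectors(office))
    print(check_selectors(office, "192.168.1.0/24", "2.2.2.2"))
    print(proposal_warnings(office))
```

Run it against your own /etc/ipsec.d/office.conf by reading the file into parse_conns; a non-empty list from check_selectors is the first thing to fix when Phase 1 completes but Phase 2 never does.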

Secrets file for preshared keys

If you use a preshared key for authentication, you need to specify the key for the connection. Check the /etc/ipsec.secrets file. Typically this contains an include statement that defines the location and naming for the file, for example:

include /etc/ipsec.d/*.secrets

Put your secrets file in this location with a name matching the include pattern, typically ipsec.secrets. This file contains the preshared key, so it must be readable only by the root user (owner root, mode 600).

Entries in the secrets file take one of these two forms:

1.2.3.4 : PSK "pre_shared_key" # specify remote gateway only if your host's IP address is dynamic
2.2.2.2 1.2.3.4 : PSK "pre_shared_key" # specify remote and local IPs

(2.2.2.2 is the local address, 1.2.3.4 is the remote gateway you are connecting to)

The definition that specifies only the remote gateway address does not always work. You might get an error message that no PSK was found for your connection. The definition that specifies both local and remote gateway addresses is useful only if you have a fixed local IP address.

Starting the IPSec service

Typically, the IPSec service is configured to start at boot-up. If you are not sure that it is running, enter the following command as root:

/sbin/service ipsec restart

The startup messages will show if there are problems with the installation or syntactic problems with your configuration files.

Starting and stopping the VPN

If you used the auto=start option in your connection definition, the VPN is established when the IPsec service starts. Otherwise, use the ipsec command to start and stop the VPN.

You might need the whereis command to locate the ipsec binary if it is not on your path; /usr/sbin is a typical location.

In these examples, the connection is called office.

To start the VPN

/usr/sbin/ipsec auto --add office
/usr/sbin/ipsec auto --up office

To view VPN status

/usr/sbin/ipsec auto --status

To stop the VPN

/usr/sbin/ipsec auto --down office
/usr/sbin/ipsec auto --delete office

(Using information from Fortinet Knowledgebase Article at http://kc.forticare.com/default.asp?id=1835&Lang=1&SID)

Software Updates - FortiOS 4.1 (AKA FortiOS 4.0 MR1)

· Supports Log Storage in SQL Format
· Supports IKEv2
· Supports Multiple FortiAnalyzer and/or Syslog Devices Per-VDom
· Supports IPv6 Dynamic Routing
· Introduction of Per-VDom Dashboard
· SNMPv3 Encryption & Authentication
· Supports Enhanced DHCP over IPSec as IKE Configuration Method
· Enhanced DNS Server
· Introduction of Strict Password Options
· Safe Search Feature for Web Filtering
· IPv6 Extensions
· DLP International Character Sets
· Web Content Block/Exempt List Merge
· Schedule Groups
· Traffic Shaping Extensions
· Support for Replacement Message Groups
· SSL-VPN Enhancements
· Supports Reliable Syslog
· Supports Multiple Schedule Objects per Firewall Policy
· LDAP Authentication Improvements
· Enhanced Application Control Statistics
· Supports IPv6 AV scanning and Management Access
· Supports Reporting based on SQL Logs
· Supports Cookie-based Overrides on FortiCarrier Platforms
· Supports SIP over IPv6
· DLP Archive
· SIP Enhancements
· Log Reduction & Optimization
· Supports Wireless Controller
· Easy FortiCare and FortiGuard Services Registration and Renewal
· Endpoint Control Enhancements
· Supports Per-VDom Replacement Messages
· Alert Message Console Enhancements
· Interface Status Detection for Gateway Load Balancing
· Dynamic Profile Enhancements for FortiCarrier Platforms

Monday, August 17, 2009

Software Updates

Current Updates

FortiDB:
3.2.3, Build 21

FortiMail:
3.0 MR5 Patch 2, Build 522

Thursday, August 13, 2009

Got DoS? ERP and Fortinet Anti-Virus Scanning Problems

I ran into a situation where a customer utilized an embedded Telnet/Web application to their ERP vendor. Using Cacti to monitor bandwidth, we noticed their connection was completely saturated. Everything pointed to INBOUND traffic. First impression was that we were getting hit by a Denial of Service attack. This went on for a couple of days. After working with Fortinet’s support, we determined the issue was our “Oversized File/Email Threshold (1 - 139 MB)” setting, specifically in one of our Protection Profiles. It was set to 5MB; however, the default is 10MB. Apparently, the application during the 5MB scanning phase was not receiving a TCP ACK within an adequate amount of time and therefore would resend the data, hence the DoS. We lowered the “Oversized File/Email Threshold (1 - 139 MB)” to 2MB with immediate resolution. Although not malicious, this was a true DoS experience and seems to be more common than not, especially with streaming services.

(Article by Joseph Finley)

Wednesday, August 12, 2009

CLI Magic: Finding out where your Objects are used in the Config

A firewall setup can get quite involved, with many complex settings and user-defined objects such as addresses and protection profiles. Sometimes you are desperately looking to delete an old unused object, but that darn trash can icon just won't show up because the object is still referenced somewhere. Fortunately the FortiOS CLI includes a command that finds every place an object is used.

From the CLI, enter the following command, where <path>.<object>.<mkey> names the table and its key field and <value> is the name of the object you want to check:

diagnose sys checkused <path>.<object>.<mkey> <value>

This returns every entry that references the specified object. If it returns nothing, the object is unreferenced and can be deleted.

For example, to see what references the "dmz" interface:

diagnose sys checkused system.interface.name dmz

entry used by table system.interface:name 'vlan1'

Here the interface entry vlan1 references dmz (typically a VLAN sub-interface bound to it), which is why dmz cannot be deleted until that reference is removed.

** If someone out there knows of a place where Fortinet lists all the object references please post a comment and I will update this article **
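When you only have a configuration backup, or want to audit many objects at once without typing checkused for each, the same reference search can be done offline. The Python script below is an added example and not Fortinet's code: it walks the config/edit/set/next/end structure of a FortiOS config dump, lists every table, entry and field that refers to a given name, and reports the entries of a table that nothing references, i.e. the ones whose trash can icon should appear. The SAMPLE_CONFIG text is constructed for the example, and table paths are reported in the dotted form the checkused command uses.

```python
import re

# Constructed sample FortiOS configuration (not from a real unit): "web-dmz" is
# used by an address group and a policy, "old-server" is defined but unused,
# and interface "dmz" is referenced by a policy and by a VLAN sub-interface.
SAMPLE_CONFIG = """\
config firewall address
    edit "web-dmz"
        set subnet 192.168.1.10 255.255.255.255
    next
    edit "old-server"
        set subnet 192.168.1.20 255.255.255.255
    next
end
config firewall addrgrp
    edit "dmz-servers"
        set member "web-dmz"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web-dmz"
        set action accept
    next
end
config system interface
    edit "vlan1"
        set interface "dmz"
        set vlanid 10
    next
end
"""


def _tokens(s):
    """Split a FortiOS value list, keeping quoted names (which may contain spaces) intact."""
    return [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', s)]


def parse_config(text):
    """Walk the config/edit/set/next/end structure of a config dump.

    Returns (rows, defined): rows is a list of (table, entry, key, values) for
    every 'set' line, with table in dotted form such as 'firewall.policy'
    (nested tables are appended, e.g. 'system.interface.ipv4-address');
    defined maps each table to the entry names it declares with 'edit'."""
    tables, entries, rows, defined = [], [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        if word == "config":
            tables.append(".".join(rest.split()))
            entries.append(None)
        elif word == "edit":
            entries[-1] = _tokens(rest)[0]
            defined.setdefault(".".join(tables), []).append(entries[-1])
        elif word == "next":
            entries[-1] = None
        elif word == "end":
            tables.pop()
            entries.pop()
        elif word == "set":
            toks = _tokens(rest)
            rows.append((".".join(tables), entries[-1], toks[0], toks[1:]))
    return rows, defined


def find_references(text, name, own_table=None):
    """Offline equivalent of 'diagnose sys checkused': every (table, entry, key)
    whose 'set' values include `name`.  Pass own_table (e.g. 'firewall.address')
    to leave out the object's own definition table."""
    rows, _ = parse_config(text)
    return [(t, e, k) for t, e, k, vals in rows if name in vals and t != own_table]


def unused_entries(text, table):
    """Entries of `table` that nothing else in the config refers to, i.e. the
    ones that can be deleted."""
    _, defined = parse_config(text)
    return [e for e in defined.get(table, []) if not find_references(text, e, own_table=table)]


if __name__ == "__main__":
    # Same output shape as the CLI command shown in the post.
    for table, entry, key in find_references(SAMPLE_CONFIG, "dmz"):
        print("entry used by table %s:%s '%s'" % (table, key, entry))
    print("unused firewall.address entries:", unused_entries(SAMPLE_CONFIG, "firewall.address"))
```

Feed it a real backup by reading the file into a string; the name match is exact, so an address called "dmz" and an interface called "dmz" will both show up and you read the field name (dstintf versus dstaddr) to tell them apart.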

Sunday, August 2, 2009