Author Archives: Mike

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Multicast forwarding

Leave a reply

Multicast forwarding

Multicasting (also called IP multicasting) consists of using a single multicast source to send data to many receivers. Multicasting can be used to send data to many receivers simultaneously while conserving bandwidth and reducing network traffic. Multicasting can be used for one-way delivery of media streams to multiple receivers and for one-way data transmission for news feeds, financial information, and so on.

Also RIPv2 uses multicasting to share routing table information, OSPF uses multicasting to send hello packets and routing updates, Enhanced Interior Gateway Routing Protocol (EIGRP) uses multicasting to send routing information to all EIGRP routers on a network segment and the Bonjour network service uses multicasting for DNS.

A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router. FortiGate units support PIM sparse mode (RFC 4601) and PIM dense mode (RFC 3973) and can service multicast servers or receivers on the network segment to which a FortiGate unit interface is connected. Multicast routing is not supported in transparent mode (TP mode).

To support PIM communications, the sending/receiving applications and all con- necting PIM routers in between must be enabled with PIM version 2. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their destinations. To enable source-to-destination packet delivery, either sparse mode or dense mode must be enabled on the PIM-router interfaces. Sparse mode routers cannot send mul- ticast messages to dense mode routers. In addition, if a FortiGate unit is located between a source and a PIM router, two PIM routers, or is connected directly to a receiver, you must create a security policy manually to pass encapsulated (multicast) packets or decapsulated data (IP traffic) between the source and destination.

A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at least one Boot Strap Router (BSR), and if sparse mode is enabled, a number of Rendezvous Points (RPs) and Designated Routers (DRs). When PIM is enabled on a FortiGate unit, the FortiGate unit can perform any of these functions at any time as configured.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

GUI & CLI – What You May Not Know

1 Reply

GUI & CLI – What You May Not Know

The Graphic User Interface (GUI) is designed to be as intuitive as possible but there are always a few things that are left out because to put all of that information on the interface would clutter it up to the point where it wouldn’t be graphical and intuitive anymore.

This section is made up of knowledge that will make working with the both of the management interfaces easier because you wont have to find out about things like field limitations through trial and error. Some of it has to do with changing in how navigation in the GUI has changed.

The section includes the topics:

Mouse Tricks
Changing the default column setting on the policy page
Naming Rules and Restrictions
Character Restrictions
Length of Fields Restrictions l Object Tagging and Coloring l Numeric Values
Selecting options from a list
Enabling or disabling options
To Enable or Disable Optionally Displayed Features

Mouse Tricks

In previous version of the firmware much of the navigation, editing or choosing of options in the Web-based Manager was carried out by using the mouse in combination with a number of icons visible on the interface. This version of the firmware makes more extensive use of the right or secondary mouse button as well as the “drag and drop” feature. If you are used to the old Web-based Manager interface you will notice that a number of the options at the top of the display window are not there anymore or there are fewer of them.

To get a feel for the new approach the Policy & Objects > Policy > IPv4 window is a noticeable place to see some of these changes in action.

The different view modes are still in the upper right-hand corner as they were before but now there is no column settings link to move or configure the columns of the window. Now if you wish to reposition a column just use the mouse to click on the column heading and drag it to its new position. If you wish to add a new column just right- click on one of the column headings and a drop down menu will appear with the option “Column Settings”. Use the right pointing triangle to expand the “Column Settings” option to see a choice of possible columns for the window you are in. Those already selected will be at the top with a checked box and the available new ones will be at the bottom ready to be selected.

Rather than having a link to initiate a move in the positioning of policies in the sequence, you can select a policy and hold down the mouse button and drag it to its new position.

By right or secondary clicking the mouse curser in the cells of the Policy window you will get a drop down menu that is contextual to the column and policy row where you made the clck.For example if you right click in the “Schedule” column for the row that is for policy #5 you will get the option to select a schedule for policy #5 along with a number of other configuration options relating to that policy or its position in the sequence of policies.

You will find this approach used much more frequently through out the Web-based Manager, giving it a more modern and intuitive feel once you learn to use the right mouse button rather than finding a link displayed on the page.

Pages: 1 2 3

Network defense

Leave a reply

Network defense

This section describes in general terms the means by which attackers can attempt to compromise your network and steps you can take to protect it. The goal of an attack can be as complex as gaining access to your network and the privileged information it contains, or as simple as preventing customers from accessing your web server. Even allowing a virus onto your network can cause damage, so you need to protect against viruses and malware even if they are not specifically targeted at your network.

The following topics are included in this section:

Monitoring
Blocking external probes
Defending against DoS attacks

Monitoring

Monitoring, in the form of logging, alert email, and SNMP, does not directly protect your network. But monitoring allows you to review the progress of an attack, whether afterwards or while in progress. How the attack unfolds may reveal weaknesses in your preparations. The packet archive and sniffer policy logs can reveal more details about the attack. Depending on the detail in your logs, you may be able to determine the attackers location and identity.

While log information is valuable, you must balance the log information with the resources required to collect and store it.

Pages: 1 2 3 4 5 6 7 8 9

Firewall schedules

3 Replies

Firewall schedules

Firewall schedules control when policies are in effect. When you add a security policy on a FortiGate unit you need to set a schedule to determine the time frame in which that the policy will be functioning. While it is not set by default, the normal schedule would be always. This would mean that the policy that has been created is always function and always policing the traffic going through the FortiGate. The time component of the schedule is based on a 24 hour clock notation or military time as some people would say.

There are two types of schedules: One-time schedules and recurring schedules.

One-Time schedules are in effect only once for the period of time specified in the schedule. This can be useful for testing to limit how long a policy will be in effect in case it is not removed, or it can be used for isolated events such as a conference where you will only need a temporary infrastructure change for a few days.

The time frame for a One-time schedule is configured by using a start time which includes, Year | Month | Day | Hour | Minute and a Stop time which includes the same variables. So while the frequency of the schedule is only once it can last anywhere from 1 minute to multiple years.

Recurring schedules are in effect repeatedly at specified times of specified days of the week. The Recurring schedule is based on a repeating cycle of the days of the week as opposed to every x days or days of the month. This means that you can configure the schedule to be in effect on Tuesday, Thursday, and Saturday but not every 2 days or on odd numbered days of the month.

If a recurring schedule has a stop time that is earlier than the start time, the schedule will take effect at the start time but end at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next.

Creating a recurring schedule object

1. Go to Policy & Objects > Schedules.

2. Select Create New. A drop down menu is displayed. Select Schedule.

3. From the Type options, choose Recurring.

4. Input a Name for the schedule object.

5. From the Days options, choose the day of the week that you would like this schedule to apply to. The schedule will be in effect on the days of the week that have a check mark in the checkbox to the left of the name of the weekday.

6. Choose a Start Time.

The Start Time is composed of two fields, Hour and Minute. Think of setting the time for a digital clock in

24 hour mode. The Hour value can be an integer from 0 and 23. The Minute value can be from 0 to 59. 0 and 0 would be midnight at the start of the day and 23 and 59 would be one minute to midnight at the end of the day. The value can be entered by keyboard or by using the up and down arrows in the field to select the value.

7. Choose a Stop Time.

Configuration is the same as Start Time.

8. Press OK.

Creating a One-time schedule object

1. Go to Policy & Objects > Schedules.

2. Select Create New. A drop down menu is displayed. Select Schedule.

3. From the Type options, choose One-time.

4. Input a Name for the schedule object.

5. Choose a Start Date.

Selecting the field with the mouse will bring up a interactive calendar graphic that will allow the user to select the date.The date can also be typed in using the format YYYY/MM/DD.

6. Choose an End Date.

Configuration is the same as Start Date.

7. Choose a Start Time.

The Start Time is composed of two fields, Hour and Minute. Think of setting the time for a digital clock in

8. Choose a Stop Time.

Configuration is the same as Start Time.

9. Enable/Disable Pre–expiration event log.

This configures the system to create an event log 1 to 100 days before the End Date as a warning in case the schedule needs to be extended.

10. If the Pre–expiration event log is enabled, set the value for Number of days before.

11. Press OK.

Example

You want to schedule the use of Skype to only between noon (12:00) and 1 p.m. (13:00). You could create a schedule that allows Skype traffic:

Starting at Hour:12 and Minute: 00
Stopping at Hour:13 and Minute: 00
Set for days of the week: Sunday | Monday |Tuesday |Wednesday | Thursday | Friday | Saturday

Or you could have a schedule that blocks Skype traffic:

Starting at Hour:13 and Minute: 00 (and goes to the next day)
Stopping at Hour:12 and Minute: 00
Set for days of the week: Sunday | Monday |Tuesday |Wednesday | Thursday | Friday | Saturday

Either way is effective for the task but other factors may make one method work better than another in certain situations of it could be just a preference in approach.

Schedule Groups

You can organize multiple firewall schedules into a schedule group to simplify your security policy list. The schedule parameter in the policy configuration does not allow for the entering of multiple schedules into a single policy so if you have a combination of time frames that you want to schedule the policy for then the best approach, rather than making multiple policies is to use a schedule group.

Creating a recurring schedule object

1. Go to Policy & Objects > Schedules.

2. Select Create New. A drop down menu is displayed. Select Schedule Group

3. Input a Name for the schedule object.

4. In the Members field, select the “+” to bring forth the panel for selecting entries.

5. Press OK.

Example

Your Internet policy allows employees to visit Social Media sites from company computers but not during what is considered working hours. The offices are open a few hours before working hours and the doors are not locked until a few hours after official closing so work hours are from 9 to 5 with a lunch break from Noon to 1:00 p.m.

Your approach is to block the traffic between 9 and noon and between 1:00 p.m. and 5:00 p.m. This means you will need two schedules for a single policy and the schedule group handles this for you. Schedule groups can contain both recurring and one-time schedules. Schedule groups cannot contain other schedule groups.

Schedule Expiration

The schedule in a security policy enables certain aspects of network traffic to occur for a specific length of time. What it does not do however, is police that time. That is, the policy is active for a given time frame, and as long as the session is open, traffic can continue to flow.

For example, in an office environment, Skype use is allowed between noon and 1pm. During that hour, any Skype traffic continues. As long as that session is open, after the 1pm end time, the Skype conversations can continue, yet new sessions will be blocked. Ideally, the Skype session should close at 1pm.

Using a CLI command you can set the schedule to terminate all sessions when the end time of the schedule is reached. Within the config firewall command enter the command:

set schedule-timeout enable

By default, this is set to disable.

Services

Leave a reply

Services

While there are a number of services already configured within FortiOS, the firmware allows for administrators to configure there own. The reasons for doing this usually fall into one or more of the following categories:

The service is not common enough to have a standard configuration
The service is not established enough to have a standard configuration
The service has a standard port number but there is a reason to use a different one:
Port is already in use by another service
For security reasons, want to avoid standard port

When looking at the list of preconfigured services it may seem like there are a lot, but keep in mind that the theoretical limit for port numbers is 65,535. This gives a fairly good sized range when you are choosing what port to assign a service but there are a few points to keep in mind.

Most of the well known ports are in the range 0 – 1023
Most ports assigned by the Internet Corporation for Assigned Names and Numbers (ICANN) will be in the 1024 – 49151 range
Port numbers between 49,152 and 65,535 are often used for dynamic, private or ephemeral ports. There are 3 Service objects that can be added and configured:
Categories
Services
Service Groups

Pages: 1 2 3 4 5 6 7 8 9 10

Configuring IP Pools

1 Reply

Configuring IP pools

A IP pool is essentially one in which the IP address that is assigned to the sending computer is not known until the session is created, therefore at the very least it will have to be a pool of at least 2 potential addresses. A quick example would be an IP pool for users of a VPN. IP pools are based upon the version of IP determined by the interface that they are associated with so as expected there are two types of IP pools that can be configured:

IPv4 Pool
IPv6 Pool

Because of the differences in the configuration for the two types of pools, instructions for configuring them will be done separately.

Creating a IPv4 Pool

1. Go to Policy & Objects > IP Pools.

2. Select Create New.

3. In the IP Pool Type field choose IPv4 Pool

4. Enter a name in the Name field for the new service

5. Include any description you would like in the Comments field

6. In the Type field choose between:

Overload
One-to–One
Fixed Port Range
Port Block Allocation

At this point the configurations can start to differ based on the type of type of pool.

For more information on the different types of IP pools, check IP Pools in the Concepts section.

Overload

7. For the External IP Range fields, enter the lowest and highest addresses in the range.If you only want a single address used, enter the same address in both fields.

8. Enable the ARP Reply field by making sure there is a check in the box

9. Select OK

Overload Example for GUI

In this example, the Sales team needs to connect to an Application Service Provider that does the accounting for the company. As a security measure, the ASP only accepts traffic from a white list of IP addresses. There is 1 public IP address of the company on that list.The Sales team consists of 40 people, so they need to share.The external interface is wan1.

Field Value

IP Pool Type IPv4 Pool

Name Sales_Team

Comments For the Sales team to use to connect to the Accounting ASP

Type Overload (This is the default)

External IP Range 10.23.56.20 – 10.23.56.20

ARP Reply enabled

Overload Example for CLI

config firewall ippool edit Sales_Team

set comments “For the Sales team to use to connect to the Accounting ASP” set type overload

set startip 10.23.56.20 set endip 10.23.56.20 set arp-reply enable

set arp-intf wan1 end

One-to–one

7. For the External IP Range fields, enter the lowest and highest addresses in the range. If you only want a single address used, enter the same address in both fields.

8. Enable the ARP Reply field by making sure there is a check in the box.

9. Select OK

One-to–one Example for GUI

In this example, the external IP address of the mail server is part of a range assigned to the company but not the one that is assigned to the Internet facing interface. A VIP has been set up but in order to properly resolve Reverse DNS lookups the mail server always has to use a specific IP address.The external interface is wan1.

Field Value

IP Pool Type IPv4 Pool

Name Mail-Server

Comments So the the correct IP address is resolved on Reverse DNS look ups of the mail server.

Type One-to-one

External IP Range 10.23.56.21 – 10.23.56.21

ARP Reply enabled

Pages: 1 2 3 4

Virtual IPs

3 Replies

Virtual IPs

The mapping of a specific IP address to another specific IP address is usually referred to as Destination NAT. FortiOS has a component that is a bit more specialized along this line called a Virtual IP Address, sometimes referred to as a VIP. FortiOS uses a Virtual IP address to map an External IP address to an IP address. This address does not have to be an individual host, it can also be an address range. This mapping can include all TCP/UDP ports or if Port Forwarding is enabled it will only refer to the specific ports configured.

Virtual IP addresses are typically used to NAT external or Public IP addresses to internal or Private IP addresses. Using a Virtual IP address between 2 internal Interfaces made up of Private IP addresses is possible but there is rarely a reason to do so as the 2 networks can just use the IP addresses of the networks without the need for any address translation. Using a Virtual IP address for traffic going from the inside to the Internet is even less likely to be a requirement, but it is supported.

Something that needs to be considered when there are multiple Public IP addresses on the external interface(s) is that when a Virtual IP address is used without Port Forwarding enabled there is a reciprocal effect as far as traffic flow is concerned. Normally, on a firewall policy where NAT is enabled, for outgoing traffic the internal address is translated to the Public address that is assigned to the FortiGate, but if there is a Virtual IP address with no port forwarding enabled, then the Internal IP address in the Mapped field would be translated to the IP address configured as the External Address in the VIP settings.

Example

The assigned External address (WAN1) of the FortiGate unit is 172.12.96.3 with a subnet mask of 255.255.255.128
There is a Virtual IP address set up to map the external address 172.12.96.127 on WAN1 to the internal IP address of 192.168.1.127
Port Forwarding is not enabled because you want all allowed traffic going to the external IP address to go to this server.

In this case any outbound traffic from 192.168.1.127 will go out on WAN1 with the IP address of 172.12.96.127 as the source IP address.

In terms of actually using the Virtual IP address, they would be using in the security policies in the same places that other addresses would be used, usually as a Destination Address.

UUID Support for VIP

UUID is now supported in for virtual IPs and virtual IP groups. This includes virtual IPs for IPv4, IPv6, NAT46, and NAT64. To view the UUID for these objects in a FortiGate unit’s logs, log-uuid must be set to extended mode, rather than policy-only (which only shows the policy UUID in a traffic log). UUID can only be configured through the CLI

Syntax

config sys global

set log-uuid {disable | policy-only | extended}

end

There is another type of address that the term “virtual IP address” commonly refers to which is used in load balancing and other similar configurations. In those cases, a num- ber of devices share a separately created virtual IP address that can be sent to multiple possible devices. In FortiOS these are referred to as Virtual Servers and are configured in the “Load Balance” section.

Pages: 1 2 3

Address Groups

Leave a reply

Address Groups

Address groups are designed for ease of use in the administration of the device. If you have a number of addresses or address ranges that will commonly be treated the same or require the same security policies, you can put them into address groups, rather than entering multiple individual addresses in each policy refers to them.

The use of groups is not required. If you have a number of different addresses you could add them individually to a policy and the FortiGate firewall will process them just as quickly and efficiently as if they were in a group, but the chances are that if you have used a group once you could need to use it again and depending on the number of addresses involved entering them individually for each policy can become tedious and the likelihood of an address being missed becomes greater. If you have a number of policies using that combination of addresses it is much easier to add or subtract addresses from the group than to try and remember all of the firewall policies that combination of addresses was used in. With the group, you only have to make the one edit and it is used by any firewall policy using that address group.

Because security policies require addresses with homogenous network interfaces, address groups should contain only addresses bound to the same network interface, or to Any.

For example, if address 1.1.1.1 is associated with port1, and address 2.2.2.2 is associated with port2, they cannot be in the same group. However, if 1.1.1.1 and 2.2.2.2 are configured with an interface of Any, they can be grouped, even if the addresses involve different networks.

There are 3 Categories of Address groups to choose from:

IPv4 Group
IPv6 Group
Explicit Proxy Group

You cannot mix different categories of addresses within a group, so whether or not it makes sense from an administrative purpose to group certain addresses together, if some are IPv4 and some are IPv6, it cannot be done.

Creating an Address Group

1. Go to Policy & Objects > Addresses.

2. Select the down arrow next to Create New, select Address Group.

3. Choose the Category, that is applicable to the proposed selection of addresses.

4. Input a Group Name for the address object.

Depending on which Category has been chosen the configurations will differ slightly

IPv4 Group

1. Select the “+” in the Members field. You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.

2. Select the desired on/off toggle setting for Show in Address List.

3. Select the desired on/off toggle setting for Static Route Configuration .

IPv6 Group

2. Select the desired on/off toggle setting for Show in Address List.

Explicit Proxy Group

1. Select which Type, either Source Group or Destination Group.

2. Select the “+” in the Members field. You can select members of the group from the window that slides out from the left of the screen. It is possible to select more than 1 entry. Select the “X” icon in the field to remove an entry.

3. Select the desired on/off toggle setting for Show in Address List.

Irrespective of the Category the groups all have the same final configuration options:

1. Input any additional information in the Comments field.

2. Press OK. UUID Support

Syntax:

config firewall {address|addres6|addgrp|addgrp6}

edit 1

set uuid <example uuid: 8289ef80-f879-51e2-20dd-fa62c5c51f44>

next end