Author Archives: Mike

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (cybersecurity consulting firm).

IPv6 Addresses

When creating an IPv6 address there are two types of address that can be specified:

  • Subnet
  • IP Range – the details of this type of address are the same as the IPv4 version of this type

IPv6 addresses do not yet have the versatility of IPv4 addresses: there are no geography-based or FQDN address types for IPv6. As IPv6 becomes more mainstream this should change.

 

Subnet Addresses

The Subnet address type is only used for IPv6 addresses. It represents an IPv6 subnet (a prefix). The value is written as a series of hexadecimal groups, followed by a double colon, followed by a "/", and then a number from 0 to 128 giving the prefix length. An example would be:

fd5e:3c59:35ce:f67e::/64

  • The hexadecimal groups are the network portion of the IPv6 address (the prefix).
  • The "::" stands for the groups of zeros from that point to the end of the address. In the address of an actual host on this subnet, those positions would hold the device's interface identifier instead of zeros.
  • /xx, in this case /64, is the prefix length: the number of leading bits that identify the subnet. The remaining 128 - 64 = 64 bits are host bits, so the subnet can hold 2^64 = 18,446,744,073,709,551,616 addresses. For those who prefer English to math, that is about 18 quintillion.
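The prefix arithmetic above, as an added example that is not part of the original page or of any Fortinet code. It uses Python's standard `ipaddress` module on the guest prefix from the text to expand the "::", count the host bits and addresses, test whether a host falls inside the subnet, and reject the two mistakes most often typed into the Subnet / IP Range field: a host address with host bits set (such as `fd5e:3c59:35ce:f67e::1/64`) and stray spaces. The test hosts are constructed values.

```python
import ipaddress

# Constructed example values: the guest subnet from the text.
GUEST_PREFIX = "fd5e:3c59:35ce:f67e::/64"


def describe_prefix(prefix: str) -> dict:
    """Expand an IPv6 prefix the way a Subnet type address object stores it.

    Returns the fully written-out network address (the '::' replaced by the
    zero groups it stands for), the compressed form the GUI displays, the
    prefix length, the number of host bits and the number of addresses.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    host_bits = net.max_prefixlen - net.prefixlen       # 128 - 64 = 64
    return {
        "network": net.network_address.exploded,       # all eight groups, no '::'
        "compressed": net.network_address.compressed,  # shortest form, with '::'
        "prefixlen": net.prefixlen,
        "host_bits": host_bits,
        "num_addresses": net.num_addresses,            # 2 ** host_bits
    }


def host_in_subnet(host: str, prefix: str) -> bool:
    """The check a firewall performs when matching a packet's source or
    destination address against a Subnet type address object."""
    return ipaddress.IPv6Address(host) in ipaddress.IPv6Network(prefix)


def normalise_subnet_field(value: str) -> str:
    """Validate what goes into the Subnet / IP Range field.

    Strict parsing rejects a host address masquerading as a subnet
    ('fd5e:3c59:35ce:f67e::1/64' has host bits set) and any prefix length
    outside 0..128, so a typo never silently becomes a different subnet.
    Surrounding whitespace is stripped; internal spaces are an error.
    """
    try:
        net = ipaddress.IPv6Network(value.strip(), strict=True)
    except ValueError as exc:
        raise ValueError(f"not a valid IPv6 subnet: {value!r} ({exc})") from exc
    return net.with_prefixlen


if __name__ == "__main__":
    info = describe_prefix(GUEST_PREFIX)
    print(f"{info['compressed']}/{info['prefixlen']} expands to {info['network']}")
    print(f"{info['host_bits']} host bits -> {info['num_addresses']:,} addresses")
    print(host_in_subnet("fd5e:3c59:35ce:f67e::1", GUEST_PREFIX))   # True
    print(host_in_subnet("fd5e:3c59:35ce:f67f::1", GUEST_PREFIX))   # False: next /64
```

The `strict=True` parse is the part worth keeping: the GUI accepts the text you type, so validating the prefix before it goes into an object is the only way to catch a host address entered where a subnet was intended.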

Creating a Subnet address

1. Go to Policy & Objects > Addresses.

2. Select Create New. A drop down menu is displayed. Select Address.

3. In the Category field, choose IPv6 Address.

4. Input a Name for the address object.

5. In the Type field, select Subnet from the drop down menu.

6. In the Subnet / IP Range field, enter the subnet in IPv6 prefix notation, for example fd5e:3c59:35ce:f67e::/64 (no spaces).

7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.

8. Input any additional information in the Comments field.

9. Press OK.

Example

Example of a Subnet address for a group of computers set aside for guests on the company network.

Field                                Value

Category                          IPv6 Address

Name                              IPv6_Guest_user_range

Type                                Subnet

Subnet / IP Range         fd5e:3c59:35ce:f67e::/64

Show in Address List    [on]

Comments

IPv4 Addresses

 

When creating an IPv4 address there are a number of different types of addresses that can be specified. These include:

  • FQDN
  • Geography
  • IP Range
  • IP/Netmask
  • Wildcard FQDN

 

Which one you choose will depend on which method most easily, yet accurately, describes the addresses you are trying to include with as few entries as possible, based on the information that you have. For instance, if you are trying to describe the addresses of a specific company's web server but have no idea how extensive their web server farm is, you would be more likely to use a Fully Qualified Domain Name (FQDN) than a specific IP address. On the other hand, some computers don't have FQDNs and a specific IP address must be used.

The following is a more comprehensive description of the different types of addresses.

 

FQDN Addresses

By using Fully Qualified Domain Name (FQDN) addressing you can take advantage of the dynamic nature of DNS to keep up with address changes without having to manually change the addresses on the FortiGate. FQDN addresses are most often used for external web sites, but they can be used for internal web sites as well if there is a trusted DNS server that the FortiGate can reach. FQDN addressing also comes in handy for large web sites that use multiple addresses and load balancers. The FortiGate firewall automatically maintains a cached record of all the addresses resolved by DNS for the FQDN addresses in use.

For example, if you were doing this manually and wanted a security policy that involved Google, you would have to track down all of the IP addresses they use across multiple countries. Using an FQDN address is simpler and more convenient.

When representing hosts by an FQDN, the domain name can also be a subdomain, such as mail.example.com. Valid FQDN formats include:

  • <host_name>.<top_level_domain_name> such as example.com
  • <host_name>.<second_level_domain_name>.<top_level_domain_name>, such as mail.example.com

When creating FQDN entries it is important to remember that:

  • Wildcards are not supported in FQDN address objects; a name with a wildcard needs the separate Wildcard FQDN type.
  • While convention would imply it, "www.example.com" is not necessarily the same address as "example.com". Each has its own record on the DNS server.

The FortiGate firewall keeps track of the DNS TTLs, so as the entries change on the DNS servers the IP addresses used by the FortiGate are effectively updated. As long as the FQDN address is used in a security policy, the resolved addresses are stored in the DNS cache.

There is a possible security downside to using FQDN addresses. A fully qualified domain name in a security policy makes that policy depend on the DNS server being accurate and correct. DNS servers were not traditionally seen as targets, because the thinking was that there was little of value on them, and so they are often not as well protected as other network resources. People are becoming more aware that the value of the DNS server is that, in many ways, it controls where users and computers go on the Internet. Should the DNS server be compromised, security policies that rely on domain name resolution may no longer function properly: whatever addresses the resolver returns, once the TTL has lapsed, are the addresses the policy will match.
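The TTL-driven cache and the DNS-trust caveat above, as an added example that is not part of the original page or of Fortinet's implementation. It models an FQDN type address object in Python: a constructed stand-in resolver returns (addresses, TTL), the object re-resolves only after the TTL lapses, and the policy match is simply "is this packet address in the cache right now". It also shows that example.com and www.example.com are separate records, and what happens to the policy when the resolver's answer changes, whether legitimately or because the resolver was tampered with. All names, addresses and TTLs are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed resolver answers standing in for real DNS responses
# (name -> (A records, TTL in seconds)).  example.com and www.example.com are
# kept as separate records on purpose: resolving one says nothing about the other.
RESOLVER_ANSWERS: dict[str, tuple[list[str], int]] = {
    "example.com.": (["192.0.2.10"], 300),
    "www.example.com.": (["192.0.2.20", "192.0.2.21"], 60),
}


def resolve(fqdn: str) -> tuple[list[str], int]:
    """Stand-in for a DNS query; returns (addresses, ttl) or raises LookupError."""
    key = fqdn.rstrip(".").lower() + "."
    if key not in RESOLVER_ANSWERS:
        raise LookupError(f"NXDOMAIN {fqdn}")
    ips, ttl = RESOLVER_ANSWERS[key]
    return list(ips), ttl


@dataclass
class FqdnAddress:
    """An FQDN type address object with its TTL-driven address cache."""
    name: str
    fqdn: str
    _addresses: set[str] = field(default_factory=set)
    _expires_at: float = 0.0

    def addresses(self, now: float) -> set[str]:
        """Cached addresses, re-resolved once the DNS TTL has lapsed.
        A failed re-resolution keeps the last known answer rather than
        leaving the policy with nothing to match."""
        if now >= self._expires_at:
            try:
                ips, ttl = resolve(self.fqdn)
            except LookupError:
                pass                      # keep stale data until DNS recovers
            else:
                self._addresses = set(ips)
                self._expires_at = now + ttl
        return set(self._addresses)

    def matches(self, packet_ip: str, now: float) -> bool:
        """The policy-match test: is this packet address in the cache right now?"""
        return packet_ip in self.addresses(now)


def simulate() -> dict[str, bool]:
    """Walk one object through a TTL expiry and a changed DNS answer."""
    www = FqdnAddress("Example_WWW", "www.example.com")
    apex = FqdnAddress("Example_Apex", "example.com")
    t0 = 1_000_000.0
    out: dict[str, bool] = {}
    out["www_hit"] = www.matches("192.0.2.20", t0)            # True: resolved at t0
    out["apex_is_separate"] = apex.matches("192.0.2.20", t0)  # False: different record
    # The answer for www changes (a legitimate move, or a tampered resolver).
    RESOLVER_ANSWERS["www.example.com."] = (["198.51.100.5"], 60)
    out["before_ttl"] = www.matches("198.51.100.5", t0 + 30)  # False: still cached
    out["after_ttl"] = www.matches("198.51.100.5", t0 + 61)   # True: policy follows DNS
    out["old_dropped"] = www.matches("192.0.2.20", t0 + 61)   # False: old address gone
    return out


if __name__ == "__main__":
    for step, result in simulate().items():
        print(f"{step:18} {result}")
```

The `after_ttl` step is the caveat from the text in code form: the policy has no way to tell a legitimate address change from a poisoned answer, so the trustworthiness of the resolver the FortiGate uses is part of the policy's security.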

 

Creating a Fully Qualified Domain Name address

1. Go to Policy & Objects > Addresses.

2. Select Create New. A drop down menu is displayed. Select Address.

3. In the Category field, choose Address. (This is for IPv4 addresses.)

4. Input a Name for the address object.

5. In the Type field, select FQDN from the drop down menu.

6. Input the domain name in the FQDN field.

7. In the Interface field, leave as the default any or select a specific interface from the drop down menu.

8. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.

9. Input any additional information in the Comments field.

10. Press OK.

Example

Example of an FQDN address for a remote FTP server used by the Payroll team:

Field                        Value

Category                  Address

Name                       Payroll_FTP_server

Type                         FQDN

FQDN                       ftp.payrollcompany.com

Interface                  any

Show in Address List    [on]

Comments              Third party FTP server used by Payroll.

Geography Based Addresses

Geography addresses are those determined by country of origin. This type of address is only available in the IPv4 address category.

 

Creating a Geography address

1. Go to Policy & Objects > Addresses.

2. Select Create New. A drop down menu is displayed. Select Address.

3. In the Category field, choose Address. (This is for IPv4 addresses.)

4. Input a Name for the address object.

5. In the Type field, select Geography from the drop down menu.

6. In the Country field, select a single country from the drop down menu.

7. In the Interface field, leave as the default any or select a specific interface from the drop down menu.

8. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.

9. Input any additional information in the Comments field.

10. Press OK.

 

Service Groups

Just like some of the other firewall components, services can be bundled into groups for ease of administration, so that a policy references one group rather than a list of individual services.

 

Creating a Service Group

1. Go to Policy & Objects > Services.

2. Select Create New. A drop down menu is displayed. Select Service Group.

3. Input a Group Name that describes the services being grouped.

4. Input any additional information in the Comments field.

5. Choose a Type of group. The options are Firewall or Explicit Proxy.

6. Add to the list of Members from the drop down menu. Using the + sign beside the field will allow the addition of multiple services.

7. Press OK.

 

Example

Example of a New Service Group:

Field                                Value

Group Name                   Authentication Services

Comments                      Services used in Authentication

Type                                Firewall

 

Members

  • Kerberos
  • LDAP
  • LDAP_UDP
  • RADIUS

 

FortiGate 60E Best Distributed Firewall

So, in case you guys weren’t aware, Fortinet has released their 60E. This FortiGate is an awesome device. It has a new SOC3 ASIC which sets the 60E on a whole new level. Fortinet is making their firewalls more affordable while at the same time drastically adding functionality and performance.

[Image: FortiGate 60E]

If you weren’t excited about the newer hardware being released then you REALLY need to look at the chart below which breaks down the performance of the device versus the industry average.

[Image: FortiGate 60E performance specifications chart]

Did I mention that this device gives you SD-WAN (Software Defined WAN) capabilities? Have fun guys and dig in! By the way, I sell these things at cost soooo…

Interfaces

When setting up an address, one of the parameters asked for is the interface. Selecting an interface tells the system to expect that address only on that interface, and only one interface can be selected. If the address may be seen on more than one interface, choose the "any" option. Whenever possible it is best to choose a specific interface rather than "any": when you configure a firewall policy in the GUI, the address drop down is filtered to show only the addresses that can be on the interface assigned in that policy.

 

Example:

  • You have an address called “XYZ”.
  • “XYZ” is set to the WAN1 interface because that is the only interface that will be able to access that address.
  • When you are selecting a Source Address in the Web-based Manager for a policy that is using the DMZ the address “XYZ” will not be in the drop-down menu.

 

When there are only 10 or 20 addresses this is not a concern, but with a few hundred addresses configured the filtering can make your life easier.

Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies. If an address is selected in a policy, the address cannot be deleted until it is deselected from the policy.

Addressing Best Practices Tip

The other reason to assign a specific interface to addresses is that it will prevent you from accidentally assigning an address where it will not work properly. Using the example from earlier, if the “XYZ” address was assigned to the “Any” interface instead of WAN1 and you configure the “XYZ” address.

Addressing Best Practices Tip

Don't specify an interface for VIP objects or other address objects that may need to be moved or approached from a different direction. When configuring a VIP you may think it will only be associated with a single interface, but you may later find that you need to reference it on another interface.

Example: Some web applications require the use of an FQDN rather than an IP address. If you have a VIP set up that works from the Internet to the internal LAN and it is bound to the WAN interface, you won't be able to use that VIP object to reach the same application from an internal LAN interface.

 

Addresses

Firewall addresses define sources and destinations of network traffic and are used when creating policies. When properly set up these firewall objects can be used with great flexibility to make the configuration of firewall policies simpler and more intuitive. The FortiGate unit compares the IP addresses contained in packet headers with a security policy’s source and destination addresses to determine if the security policy matches the traffic.

The address categories, and the types within those categories, on the FortiGate unit can include:

  • IPv4 addresses
      • IP address and Netmask
      • IP address range
      • Geography based address
      • Fully Qualified Domain Name (FQDN) address
      • Wildcard FQDN
  • IPv4 Address Group
  • IPv6 addresses
      • Subnets
      • IP range
  • IPv6 Address Group
  • Multicast addresses
      • Multicast IP range
      • Broadcast subnets
  • Explicit Proxy Addresses
      • URL Pattern
      • Host Regex Match
      • URL Category
      • HTTP Method
      • User Agent
      • HTTP Header
      • Advanced (Source)
      • Advanced (Destination)
  • IP Pools (IPv4)
      • Overload
      • One-to-one
      • Fixed Port Range
      • Port Block Allocation
  • IP Pools (IPv6)
  • Virtual IP Addresses
      • IPv4
      • IPv6
      • NAT46
      • NAT64

UUID Support

A Universally Unique Identifier (UUID) attribute has been added to some firewall objects, so that logs can record these UUIDs for use by a FortiManager or FortiAnalyzer unit. The objects currently include:

  • Addresses, both IPv4 and IPv6
  • Address Groups, both IPv4 and IPv6
  • Virtual IPs, both IPv4 and IPv6
  • Virtual IP groups, both IPv4 and IPv6
  • Policies, IPv4,IPv6 and IP64

A UUID is a 16-octet (128-bit) number represented by 32 lowercase hexadecimal digits. The digits are displayed in five groups separated by hyphens (-), in the pattern 8-4-4-4-12; that is 36 characters if you include the hyphens.

Note: UUID is only supported on large-partition platforms (>=128M)
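The UUID format described above, and the log correlation it exists for, as an added example that is not part of the original page or of any Fortinet tooling. It validates the exact 8-4-4-4-12 lowercase form, splits key=value log lines (the style FortiGate traffic logs use), and maps every `...uuid` field back to an object name from a snapshot table, flagging malformed values so that a truncated line is noticed rather than silently unmatched. The object table, UUIDs and log lines are all constructed for the example; they do not come from a real device.

```python
import re

# FortiGate UUIDs: 8-4-4-4-12 lowercase hex groups, 32 hex digits,
# 36 characters including the four hyphens.  Anchored so nothing extra passes.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# key=value pairs; values may be double-quoted (group 3) or bare (group 4).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed data (not from a real device): object names keyed by UUID,
# as a FortiManager/FortiAnalyzer would hold them, plus two traffic-log lines.
OBJECTS = {
    "4b5e1d20-9c1a-51e7-3a5f-0d2e7c3b9a10": "policy Allow_Guest_Web",
    "a2f3c4d5-1111-51e7-8ab0-0123456789ab": "address IPv6_Guest_user_range",
}
LOG_LINES = [
    'date=2017-03-01 time=10:00:01 type="traffic" policyid=12 '
    'poluuid="4b5e1d20-9c1a-51e7-3a5f-0d2e7c3b9a10" action="accept"',
    'date=2017-03-01 time=10:00:02 type="traffic" policyid=13 '
    'poluuid="4b5e1d20-9c1a-51e7-3a5f" action="deny"',   # value cut short
]


def is_fortigate_uuid(value: str) -> bool:
    """True only for the exact lowercase 8-4-4-4-12 form."""
    return UUID_RE.match(value) is not None


def parse_log_line(line: str) -> dict:
    """Split a key=value log line into a dict, honouring double-quoted values."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def correlate(line: str, objects: dict) -> dict:
    """Map every *uuid field in a log line to its object.

    Returns {field: (uuid, object name)}.  A UUID not in the table maps to
    None; a value that is not a well-formed UUID maps to "MALFORMED" so it
    cannot be mistaken for a simple lookup miss.
    """
    out = {}
    for key, value in parse_log_line(line).items():
        if not key.endswith("uuid"):
            continue
        if is_fortigate_uuid(value):
            out[key] = (value, objects.get(value))
        else:
            out[key] = (value, "MALFORMED")
    return out


if __name__ == "__main__":
    for line in LOG_LINES:
        print(correlate(line, OBJECTS))
```

Keying the lookup on the UUID rather than on `policyid` is the point of the attribute: the UUID is what the logging side records, so it is the field an analyst joins on when reconstructing which object a log entry refers to.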

 

Firewall objects

As was mentioned earlier, the components of the FortiGate firewall go together like interlocking building blocks, and the firewall objects are a prime example. They are configured once and then used over and over again to build what you need, which makes the administration of the FortiGate unit easier, more intuitive and easier to change. By configuring these objects with their future use in mind, and giving them accurate descriptions, the firewall becomes almost self documenting. Months later, when a situation changes, you can look at the policy that needs to change and swap in a different firewall object rather than rebuilding everything from the ground up.

 

This chapter includes information about the following Firewall objects:

  • Addresses
  • Services and TCP ports
  • Firewall schedules
  • Security profiles