Author Archives: Mike

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Fortinet Web Filtering

SSL Inspection – Office 365

I saw this post over on the Fortinet Support forums and wanted to cross post it here in case no one has experienced this issue. Always check the web filter and make sure domains are rated properly! In some situations it makes sense to allow websites if they are unrated or if a rating failure occurs, especially in environments where down time hurts. Granted, I like to keep my environment more secure than that, so it just makes sense for me to be quick with the troubleshooting.

Question: Hi all,

I am trying to get Office 365 to work on site behind a Fortigate 50E. Unfortunately I’m having a lot of trouble.

I found this document: http://cookbook.fortinet.com/exempting-google-ssl-inspection/

I was able to translate that into 5.4 and create the addresses that should be used by Office 365, but it still isn’t working. When I look at the IPv4 policy, it appears to just be doing SSL Certificate Inspection. Do the exceptions I put into the Deep Inspection apply to SSL Certificate Inspection as well? Because that is not very clear. And if not, how do I exempt sites from SSL Certificate Inspection?

Thanks!

Correct Answer: This was actually being blocked in Webfiltering because the autodiscover.domain.com was unrated, which was set to block by default. I created an exception for it and changed the category from unrated to business IT use, and it now works.

Thanks!

NSS Labs

Fortinet Kicking Ass On NSS Labs NGFW Security Value Report

I don’t know if you guys have seen the report or not, but Fortinet has whooped some serious ass on the NGFW Security Value Report from NSS Labs. In case you don’t know, NSS Labs is a truly unbiased hardware research firm. You may be thinking to yourself, “But Mike, what about Gartner?” Well, everyone knows that the Gartner reports are all about how much money you throw at them to line their pockets. Cough, I mean, Cough how well you “sell” your product to them.

NSS Labs has been providing quality third-party reviews and ratings of devices for a while now, and according to the NGFW Security Value Report the FortiGate 3200D placed ahead of all NGFW competitors (cough Palo, Cough Check Point) in terms of NGFW (Next Generation Firewall) effectiveness.

It’s cool though. I’m sure a lot of businesses out there will keep falling for the marketing gimmicks and flashy ads for Palo Alto and Cisco. Let them waste their money while you get better value and total cost of ownership by flying under the Fortinet flag. I swear, if Fortinet would listen to some of my feature requests (mostly items listed on the “Where Fortinet is Messing Up” page of this site) and get some sexy advertising going to wow the idiots out there, they would squash the competition. Oh well…

NSS Labs NGFW Security Value Report

FortiGate 92D

FortiGate 92D Tweaks Incoming

Going to be overhauling my policy set and UTM Sensors on the 92D at the house. Pretty excited. Gotta lock security down even further because I want to host some services off my business line with static IP. Pretty stoked and will go through the process with you all in hopes that it provides clarity on something Fortinet related to you that you didn’t get before.

AV Throughput Removed From DataSheets

So, I am sure some of you have been running around a little bit like chickens with your heads cut off about the fact that the data sheets no longer list the AV throughput. Don’t worry, this is by design. They are switching to NGFW values for these to compete with Palo Alto and the likes in the NGFW market. AV throughput is about to be useless anyway as 5.4 becomes more mainstream. The 5.4 code is SO MUCH better on speed and reliability that even if they kept the AV numbers they would have to retest the hardware to get new numbers.

Official Fortinet Response:

“The Proxy AV specification will no longer be presented and will be removed from all existing FortiGate data sheets starting from 15th January 2016. An archive of old data sheets will be available. We’ll be replacing these specifics with more widely used NGFW values. The new data sheet should be out 28th January and the Product Matrix updated in the February Edition.”

A Closer Look at Locky Ransomware

A new ransomware named “Locky” is currently circulating in the wild and making the headlines. There are some good reports regarding Locky ransomware already available over the Internet. This blog intends to focus on some technical areas that (we believe) have not been covered yet, namely, its domain generation algorithm, command and control communication, and file encryption.

For reference, the following is a screenshot of Locky’s Decrypter page (cropped to save space).

Zones Will Save Your Sanity

FortiGates are interface driven firewalls. Policy is relatively straightforward: port1 to wan1, allow HTTP, NAT, you get my drift. In more complex environments though, where you can easily have 5-10 interfaces (even more if you bring in VLANs), you will most certainly want to use Zones.

What is a zone? A zone is a created “Interface” that you assign other interfaces to. For instance, my common deployment has 2 main zones, INSIDE and OUTSIDE. This keeps policy extremely simple.

The train of thought with this ZONE setup is that traffic is either coming in or going out. From there you just create the policy and work accordingly. This makes deployments for my clients super easy.

My setup at the house uses zones this way as well (I have a FortiGate 92D at home). It is slightly more advanced though, thanks to having dual internet connections, SSL VPN, and other capabilities kicked on. But as you can see in the policy set below I have an INSIDE zone. That zone has my work network, my personal home network, and my DMZ wireless network (for when I am cleaning people’s deranged and abused machines). I have each one assigned to the INSIDE zone so that I can apply the same policy for traffic that is traveling from inside sources to the internet. This greatly reduces policy count and helps keep things uniform.

Disclaimer: Make sure to click the “Block Intra-Zone Traffic” check box when creating a zone that includes a set of networks that you don’t want to communicate without policy. For instance, my INSIDE zone has my work network, which I need to make sure only my work laptop can see; my personal network, which sees everything on the personal net; and a DMZ network that I absolutely don’t want ANY of my other networks to receive traffic from or send traffic to. So I check the “block intra-zone traffic” box when I create my zone (it can be edited after the zone is created as well) and then manually allow what is needed via policy (the work network is able to access the printer on the personal net, etc.). Remember, the more granular you are, the better your security will be. Also, the only traffic that should be able to flow is the traffic you explicitly allow.

Zone Setup FortiGate FortiOS 5.4
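Here is the same zone setup expressed in the FortiOS 5.4 CLI, as an added example that is not from the post or from Fortinet’s documentation. The interface names (port1, port2, port3), subnets, and the printer address are assumed for illustration; the zone blocks intra-zone traffic and a single explicit policy then allows only the work network to reach the printer on the personal LAN.

```fortios
# Added example (not from the post). Interface names and subnets are assumed.
# Address objects for the one intra-zone flow we want to permit.
config firewall address
    edit "WORK_NET"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "HOME_PRINTER"
        set subnet 10.20.0.50 255.255.255.255
    next
end
# Custom service so the policy allows only IPP, not ALL.
config firewall service custom
    edit "IPP-631"
        set tcp-portrange 631
    next
end
# The zone: "set intrazone block" is the CLI form of the
# "Block Intra-Zone Traffic" check box. Members are (assumed)
# port1 = work, port2 = personal, port3 = DMZ wireless.
config system zone
    edit "INSIDE"
        set intrazone block
        set interface "port1" "port2" "port3"
    next
end
# Explicit allow from work to the printer only. Everything else
# between the three networks stays blocked by the zone setting.
config firewall policy
    edit 0
        set name "WORK-to-PRINTER"
        set srcintf "INSIDE"
        set dstintf "INSIDE"
        set srcaddr "WORK_NET"
        set dstaddr "HOME_PRINTER"
        set action accept
        set schedule "always"
        set service "IPP-631"
        set logtraffic all
    next
end
```

An interface that is already referenced by an existing firewall policy cannot be added to a zone, so on a live box you will have to re-point or delete those policies first.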

10 Simple Ways to Mitigate DNS Based DDoS Attacks

UDP floods are used frequently for larger bandwidth DDoS attacks because they are connectionless and it is easy to generate UDP packets using scripts.

DNS primarily uses UDP and under some circumstances uses TCP. Because of this, the UDP/DNS protocol is extremely popular as a DDoS tool.

Since DNS is a critically important protocol upon which the Internet is based, its availability is of utmost importance. To deny that availability, a malicious attacker sends spoofed requests to open DNS resolvers that allow recursion. There are millions of open DNS resolvers on the Internet, including many home gateways. The open DNS resolver processes these requests as valid and then returns the DNS replies to the spoofed source (i.e., the victim). When the number of requests is large, the resolvers can generate a large flood of DNS replies. This is known as an amplification attack because the method takes advantage of misconfigured DNS resolvers to turn a small DNS query into a much larger payload directed at the target. In yet another type of attack, unsolicited or anomalous queries may be sent to the DNS servers.

Security is at the Top of Healthcare Providers’ “Must-Do” Lists—Or It Should Be

“Houston, we have a problem.” This is not news to healthcare organizations, whether they are in Houston, Boston, St. Louis or San Francisco. 2015 was a banner year in healthcare, for all the wrong reasons. The increasing number of attacks on healthcare systems exposed security shortcomings: many unsecured attack vectors, compromised sensitive data and the possibility of catastrophic consequences.

2016 will bring more of the same. Healthcare organizations must speed up their security efforts to avoid putting their patients, and themselves, at risk. There were multiple data breaches in 2015, Anthem and Premera among them, as well as a well-publicized ransomware attack on Hollywood Presbyterian Medical Center. 2016 will continue those trends. In fact, the Hollywood Presbyterian attack could have been the proving ground for that ransomware, which may be put into larger, more costly attacks in 2016.

Fortunately, there is growing recognition among healthcare leaders that security needs to be at the top of their “must do” list. Firewalls are no longer enough to protect patient information. The expansion of the Internet of Medical Things has resulted in a borderless network perimeter. There are devices in use in multiple locations that must be secured, including: