yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Category: Fortigate (page 1 of 3)

Disabling SSL Deep inspection proxy in Fortigate should be easier


This one can be filed under Fortinet ‘undocumented/unwanted’ feature rather than bug. The case in question: Fortigate 80C, firmware 4-something, all subscriptions up to date, no crazy configuration, life is beautiful… until the client adds to his LAN a backup appliance that gathers data from agents installed on the PCs and then pushes it from behind the Fortigate to cloud storage out on the Internet.

The problem showed up as soon as the backup box was installed, and its cause was as clear as vodka – the backup box uses the POP3S protocol (POP3 encrypted with SSL, using certificates) to talk to the cloud servers, and when this traffic passes through the Fortigate, the Fortigate intercepts it for SSL deep inspection (a man-in-the-middle) and presents its own (i.e. the Fortigate’s) SSL certificate to the cloud servers, so the backup box cannot use its own certificate. The remote cloud servers, of course, refuse to accept the Fortigate’s certificate.

So, what’s the fuss? Just disable SSL inspection and that’s it, no? According to Fortinet, yes: http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD31820 “FortiGate Intercepts POP3S, SMTPS and IMAPS certificates”. But real life says no.

First, the document above lists commands that the Fortigate 80C didn’t recognize; ok, no big deal. We tried removing any protection profile from the hosts in question and adding a protection profile with HTTPS inspection disabled – still nada.

In the end, as the client didn’t need this feature at all, we just disabled SSL inspection for good, and that finally did the job.

The steps and output from the device are below.

FGT80C # get firewall ssl setting

caname : Fortinet_CA_SSLProxy
cert-cache-capacity : 100
cert-cache-timeout : 10
no-matching-cipher-action: bypass
proxy-connect-timeout: 30
session-cache-capacity: 500
session-cache-timeout: 20
ssl-dh-bits : 1024
ssl-max-version : tls-1.0
ssl-min-version : ssl-3.0
ssl-send-empty-frags: enable

Get the statistics/diagnostics info about the SSL proxy in Fortigate:

FGT80C # diagnose test application ssl 0

SSL Proxy Test Usage
1: Dump Memory Usage
2: Drop all connections
3: Display PID
4: Display connection stat
5: Toggle AV Bypass mode
6: Display memory statistics
44: Display info per connection
11: Display connection TTL list
12: Clear the SSL certificate cache
13: Clear the SSL session cache
14: Display PKey file checksum
15: Clear the SSL server name cache
99: Restart proxy
SSL Proxy stats:

FGT80C # diagnose test application ssl 4

Current connections (all proxies) = 12/8048
Running time (HH:MM:SS:usec) = 57:21:06.569388
Bytes sent = 499 (kb)
Bytes received = 909 (kb)
Error Count (alloc) = 0
Error Count (accept) = 0
Error Count (bind) = 0
Error Count (connect) = 0
Error Count (read) = 0
Error Count (write) = 0
Error Count (retry) = 0
Error Count (poll) = 0
Error Count (unhandled state) = 0
Error Count (SSL handshake) = 0
Error Count (SSL internal) = 0
Last Error = 0
IPC Connection Count = 1
IPC Hand-off Count = 7838
IPC Packet Sent Count = 0
IPC Error Count (connect) = 0
IPC Error Count (handoff) = 0
IPC Error Count (send) = 0
IPC Error Count (socketpair) = 0
IPC Error Count (timeout) = 0
Client cipher failure = 0
Server cipher failure = 0
SSL decryption failure = 0
SSL internal error = 0
SSL public key too big = 0
Total Connections Proxied = 0
Web request backlog drop = 0
Web response backlog drop = 0
AV Bypass is off
Drop on backlog is on
Accounting is off

This one is important: it shows the connections currently under SSL inspection.
Here 13.43.12.77 is the remote cloud server (sanitized) and 192.168.10.150 is the backup box in the LAN.

FGT80C# diagnose test application ssl 44

Current https connections = 0
Current imaps connections = 0
proxy=pop3s id=8070 clt=45(r=0, w=0) srv=46(r=1, w=0) c:192.168.10.150:36905 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3541

proxy=pop3s id=8069 clt=43(r=0, w=0) srv=44(r=1, w=0) c:192.168.10.150:56246 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3540

proxy=pop3s id=8068 clt=41(r=0, w=0) srv=42(r=1, w=0) c:192.168.10.150:56245 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3401

proxy=pop3s id=8067 clt=26(r=0, w=0) srv=27(r=1, w=0) c:192.168.10.150:36902 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3399

proxy=pop3s id=8039 clt=24(r=0, w=0) srv=25(r=1, w=0) c:192.168.10.150:40980 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=2625

proxy=pop3s id=8032 clt=35(r=0, w=0) srv=36(r=1, w=0) c:192.168.10.150:39432 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=2424

proxy=pop3s id=8029 clt=28(r=0, w=0) srv=29(r=1, w=0) c:192.168.10.150:39429 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=2415

Current pop3s connections = 12
Current smtps connections = 0
Current ftps connections = 0
– Disable the SSL proxy for AV scanning (toggle AV bypass mode):

FGT80C # diagnose test application ssl 5

SSL AV Bypass is now on

FGT80C3909621311 # diagnose test application ssl 4

Current connections (all proxies) = 12/8048
Running time (HH:MM:SS:usec) = 57:22:37.346514
Bytes sent = 499 (kb)
Bytes received = 909 (kb)
Error Count (alloc) = 0
Error Count (accept) = 0
Error Count (bind) = 0
Error Count (connect) = 0
Error Count (read) = 0
Error Count (write) = 0
Error Count (retry) = 0
Error Count (poll) = 0
Error Count (unhandled state) = 0
Error Count (SSL handshake) = 0
Error Count (SSL internal) = 0
Last Error = 0
IPC Connection Count = 1
IPC Hand-off Count = 7839
IPC Packet Sent Count = 0
IPC Error Count (connect) = 0
IPC Error Count (handoff) = 0
IPC Error Count (send) = 0
IPC Error Count (socketpair) = 0
IPC Error Count (timeout) = 0
Client cipher failure = 0
Server cipher failure = 0
SSL decryption failure = 0
SSL internal error = 0
SSL public key too big = 0
Total Connections Proxied = 0
Web request backlog drop = 0
Web response backlog drop = 0
AV Bypass is on
Drop on backlog is on
Accounting is off

– Making sure it worked:

FGT80C3909621311 # diagnose test application ssl 44

Current https connections = 0
Current imaps connections = 0
Current pop3s connections = 0
Current smtps connections = 0
Current ftps connections = 0
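The “diagnose test application ssl 44” listing above is what tells you which LAN host and which destination are actually being intercepted, so it is worth being able to read it in bulk. The following Python script is an added example (not from this post and not a Fortinet tool): it parses that listing into per-connection records, counts proxied flows per protocol/client/server pair, and lists flows that have not left the setup state and have moved no bytes, the pattern the backup box showed above. The two pop3s sample lines are copied from the output above; the https line and its addresses are constructed for illustration.

```python
#!/usr/bin/env python3
"""Parse 'diagnose test application ssl 44' output into per-connection records
and summarise which LAN host talks to which server through the SSL proxy."""
import re
from collections import Counter

# Constructed sample input: the two pop3s lines are copied from the post, the
# https line is made up for illustration (198.51.100.10 is a documentation address).
SAMPLE_SSL44 = """\
Current https connections = 1
Current imaps connections = 0
proxy=pop3s id=8070 clt=45(r=0, w=0) srv=46(r=1, w=0) c:192.168.10.150:36905 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3541
proxy=pop3s id=8069 clt=43(r=0, w=0) srv=44(r=1, w=0) c:192.168.10.150:56246 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3540
proxy=https id=8101 clt=50(r=0, w=0) srv=51(r=1, w=0) c:192.168.10.20:51000 -> s:198.51.100.10:443 c2s/s2c=1520/9804 state=SSL_CONTINUE_SETUP_STATE duration=5 expire=3590
Current pop3s connections = 2
Current smtps connections = 0
Current ftps connections = 0
"""

# One per-connection line, as printed by the Fortigate SSL proxy diagnostics.
PROXY_RE = re.compile(
    r"^proxy=(?P<proto>\w+)\s+id=(?P<id>\d+).*?"
    r"c:(?P<client_ip>[\d.]+):(?P<client_port>\d+)\s+->\s+"
    r"s:(?P<server_ip>[\d.]+):(?P<server_port>\d+)\s+"
    r"c2s/s2c=(?P<c2s>\d+)/(?P<s2c>\d+)\s+"
    r"state=(?P<state>\S+)\s+duration=(?P<duration>\d+)\s+expire=(?P<expire>\d+)"
)


def parse_ssl44(text):
    """Return a list of dicts, one per proxied connection; count lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue  # "Current ... connections = N" lines carry no per-connection data
        rec = m.groupdict()
        for key in ("id", "client_port", "server_port", "c2s", "s2c", "duration", "expire"):
            rec[key] = int(rec[key])
        conns.append(rec)
    return conns


def summarize(conns):
    """Count proxied connections per (protocol, client IP, server IP, server port)."""
    return Counter((c["proto"], c["client_ip"], c["server_ip"], c["server_port"]) for c in conns)


def stuck_in_setup(conns):
    """Flows still in the setup state that have moved no bytes in either direction:
    the picture the backup box's pop3s sessions presented while being intercepted."""
    return [c for c in conns
            if c["state"] == "SSL_CONTINUE_SETUP_STATE" and c["c2s"] == 0 and c["s2c"] == 0]


if __name__ == "__main__":
    conns = parse_ssl44(SAMPLE_SSL44)
    for key, n in sorted(summarize(conns).items()):
        print("%-6s %-16s -> %s:%d  connections=%d" % (key[0], key[1], key[2], key[3], n))
    for c in stuck_in_setup(conns):
        print("setup not completing: id=%(id)d %(client_ip)s -> %(server_ip)s:%(server_port)d" % c)
```

Paste the real “diagnose test application ssl 44” output into SAMPLE_SSL44 (or read it from a file) to get the same per-pair summary for your own unit; a single client address accounting for all the stuck flows towards one server is the quickest way to spot the host that needs an exemption instead of a global change.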

Finally, GEO location blocking has arrived in Fortigate

It was a predictable thing for Fortinet to do, as everyone else has already been doing it.
I haven’t verified it myself, but according to an informed source (can only say his name – Hen) they are using the
Maxmind database. So let’s see how to do it.
First, in the New Address dialog window, create an address object of the Geography type and specify the country. As you can pick only one country per address, use Address Groups to combine a few countries together.
After creating such an Address object you can use it in a Firewall Policy just as you would a regular Address.
Personal Note: While there is an ongoing fuss/hysteria about the cyberwar being waged, which started 2 weeks ago when Saudi “hackers” DDoSed a few Israeli websites, from what I see in the field it is more of a FUD campaign, one byproduct of which is a rush by many website owners in Israel to block Saudi Arabian IPs (or any Arab-world IPs, for that matter). What happened in fact was that most of the DDoS came from anywhere but the Arab world (Russia, China, the US), from botnets for hire.
The only reason I can think of to use Geo location blocking is to lower the noise/size of the logs by silently dropping traffic from unwanted countries.

Convert Fortigate diagnose sniffer packet output into tcpdump format understood by Wireshark

Running diagnose sniffer packet on a Fortinet Fortigate unit outputs human-readable packet headers and packet data. Only sometimes you would like to have the traffic sniffed on the Fortigate in a Wireshark-readable format, so that it can be analyzed by the all-powerful Wireshark.
For this case Fortinet came up with a script and an application that take the text output of this sniffer command and parse it into tcpdump format (.cap), which you can later open in Wireshark.
I guess there are other scripts available that do just that (after all, it is just parsing a text file), but the one from Fortinet you can find here:
kb.fortinet.com/kb/viewContent.do?externalId=11186&sliceId=1

Or by searching their website for
fgt2eth.pl
fgt2eth.zip
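Since, as said above, it is just parsing a text file, here is an added example of the conversion in Python. It is not Fortinet’s fgt2eth.pl and not part of this post. It assumes the text layout the sniffer prints at verbosity 3 (or 6, with interface name and direction) with the default relative timestamps: a header line such as “1.234567 dmz1 out 10.99.99.254.7774 -> 10.99.99.150.7774: udp 0”, followed by “0xNNNN <hex words> <ascii>” lines holding the Ethernet frame. The sample frame embedded below (one UDP datagram with zeroed checksums) is constructed; the pcap file format itself (magic 0xa1b2c3d4, version 2.4, link type 1 = Ethernet) is the standard one Wireshark reads.

```python
#!/usr/bin/env python3
"""Convert the text of 'diagnose sniffer packet <iface> '<filter>' 3' into a pcap
file Wireshark can open. Added example, not Fortinet's fgt2eth.pl."""
import re
import struct
import sys

# Constructed sample: one UDP frame as the sniffer is assumed to print it at
# verbosity 3/6: a header line with a relative timestamp, then hex-dump lines
# "0xNNNN<tab> <hex words><tab><ascii>". Checksums are zero; the frame is made up.
SAMPLE_SNIFFER = """\
interfaces=[dmz1]
filters=[udp]
1.234567 dmz1 out 10.99.99.254.7774 -> 10.99.99.150.7774: udp 0
0x0000\t ffff ffff ffff 0009 0f31 c824 0800 4500\t.........1.$..E.
0x0010\t 001c 0001 0000 4011 0000 0a63 63fe 0a63\t......@....cc..c
0x0020\t 6396 1e5e 1e5e 0008 0000\tc..^.^....
"""

# Header line: "<sec>.<usec> [<iface> in|out] <src> -> <dst>: ..."
HEADER_RE = re.compile(r"^(\d+)\.(\d{1,6})\s+(?:\S+\s+(?:in|out)\s+)?\S+\s+->\s+\S+")
# Hex-dump line: offset, then 2- to 4-digit hex words separated by single spaces;
# the ASCII column follows a tab, so the greedy word run stops before it.
HEX_RE = re.compile(r"^0x[0-9a-f]{4}\s+([0-9a-f]{2,4}(?: [0-9a-f]{2,4})*)", re.IGNORECASE)


def parse_sniffer(text):
    """Return a list of (ts_sec, ts_usec, frame_bytes) tuples, one per packet."""
    packets = []
    cur = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            # Pad the fraction to 6 digits so "1.5" means 500000 usec, not 5.
            cur = [int(h.group(1)), int(h.group(2).ljust(6, "0")), bytearray()]
            packets.append(cur)
            continue
        x = HEX_RE.match(line)
        if x and cur is not None:
            cur[2] += bytes.fromhex(x.group(1).replace(" ", ""))
    return [(s, u, bytes(b)) for s, u, b in packets if b]


def pcap_bytes(packets):
    """Serialise packets as a classic pcap file: 24-byte global header, then
    per-packet 16-byte record headers (little-endian)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for sec, usec, data in packets:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return bytes(out)


def write_pcap(packets, path):
    with open(path, "wb") as f:
        f.write(pcap_bytes(packets))


if __name__ == "__main__":
    # Usage: ./fgt2pcap.py sniffer-output.txt   (no argument: convert the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SNIFFER
    pkts = parse_sniffer(text)
    write_pcap(pkts, "fgt-sniffer.pcap")
    print("wrote %d packet(s) to fgt-sniffer.pcap" % len(pkts))
```

Capture with verbosity 3 (Ethernet headers included), not 2, or the frames lack the 14-byte Ethernet header and link type 1 will be wrong; if your output uses absolute timestamps, the header regex has to be adapted.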

Do not miss the long-awaited addition to Fortigate 4 MR2 – sFlow data export

Great news – Fortigate now supports exporting flow statistics to an external server using the sFlow protocol (the twin of NetFlow from the Cisco world). I configured it in about a minute and it just works. To collect the sFlow data I use nfdump/NfSen, which I found to be the most stable and versatile, not to mention one of the rare collectors supporting both NetFlow and sFlow.
You first set the external collector IP and destination port, here 10.99.99.158 and UDP 7774, and then enable flow export per interface. An example follows; here I did it on a Fortigate 100.

# show system sflow
config system sflow
    set collector-ip 10.99.99.158
    set collector-port 7774
end

# show system interface dmz1
config system interface
    edit "dmz1"
        set vdom "root"
        set ip 10.99.99.254 255.255.255.0
        set allowaccess ping https ssh snmp
        set type physical
        set wccp enable
        set sflow-sampler enable
    next
end


Break free from the GUI dependency – checking Fortigate logs on the CLI.

Fortinet is doing a lot to keep us away from the command line. And that’s ok in 95% of the cases. But sooner or later you come to meet the 5% of the bad and the ugly, when you have no access to the GUI at all. Can you imagine the terror of such a situation? Fear no more – forewarned is forearmed. Just grab the Fortigate CLI Reference PDF (all in all 754 pages), learn it by heart, then return to my blog. A year has passed quickly, ah?
Now you are ready for the introduction. One late evening [and I am sure all security/networking equipment long ago conspired with clients against us to cause trouble at abnormal/non-working hours only] one of the clients asked if I could check something. "No, not something critical, but STILL, can you check it NOW..?" Of course, why not?
To check it I needed access to the Fortigate logs. All good and well if it were not for the excruciatingly slow connection (in your case it may be blocked GUI management ports, out-of-band console access only, or high Fortigate CPU utilization) that made the GUI unusable. As I had not the slightest inclination to turn a late evening into an early morning, I SSHed to the machine, ran #show log and #get log … and got the logging configuration settings of the firewall. But where are the logs?
Here:

FGT-ugly # execute log display

Hurray! I got lots of lines running on the terminal, only it was the traffic log and I wanted the Event log, and moreover it showed only the first 100 lines out of 3400 and I wanted it all. So let’s do it by steps.
Step 1 – know what is served
Run this first to see what you will be presented with and what not:

FGT-ugly # execute log filter dump
category: traffic // each type of log is called category , see later
device: memory // from where logs are to be read
roll: 0 // archived version
start-line: 1 // on which line of the logs to start presenting
view-lines: 700 // how many lines to show

Step 2 – I want Event logs now!

FGT-ugly# execute log filter category //this way you can see all available logs
Available categories:
10: application control
9: dlp
6: content
5: spam
4: ids
3: webfilter
2: virus
1: event
0: traffic
FGT-ugly# execute log filter category 1 // switch to Event log

What is left is how many lines to show at once.

FGT-ugly # execute log filter view-lines

number 5 – 1000 /// Aha, so we can see a maximum of 1000 lines per go. Not a problem actually, because every time you run # execute log display the start line is increased for the next run by the number of lines shown.
To conclude it all, I enabled logging in PuTTY, through which I connected to the firewall, and ran

FGT-ugly# execute log display
3011 logs found.
1000 logs returned.
1: 2010-07-13 19:10:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=4 msg="Performance statistics"
2: 2010-07-13 19:05:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=7 msg="Performance statistics"
3: 2010-07-13 19:01:28 log_id=0104032001 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from https(21.14.127.14)"
4: 2010-07-13 19:00:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=5 msg="Performance statistics"
5: 2010-07-13 18:55:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=8 msg="Performance statistics"
6: 2010-07-13 18:54:09 log_id=0104032003 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=logout status=success reason=timeout msg="Administrator admin timed out on https

Reference of all log messages known to Fortigate firmware 4:
FortiGate_Log_Message_Reference
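Once the log is in a PuTTY file it is key=value text, and the interesting lines (who logged in as admin, from where, and why the session ended) are easy to pull out without the GUI. The following Python script is an added example, not part of this post: it parses “execute log display” output into dicts, extracts administrator login/logout events with the source address taken from the ui=… field, and reports the peak total_session value from the performance-statistics records. The sample input is the event-log output shown above, with spacing and quotes normalised and the last line truncated exactly as it appears on the page.

```python
#!/usr/bin/env python3
"""Pick administrator login/logout events out of Fortigate 'execute log display'
output (event log, category 1)."""
import re

# Sample input: the event-log lines shown in the post (spacing and quotes normalised,
# last line truncated as on the page, so the parser must tolerate an unclosed quote).
SAMPLE_EVENT_LOG = """\
3011 logs found.
1000 logs returned.
1: 2010-07-13 19:10:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=4 msg="Performance statistics"
2: 2010-07-13 19:05:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=7 msg="Performance statistics"
3: 2010-07-13 19:01:28 log_id=0104032001 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from https(21.14.127.14)"
4: 2010-07-13 19:00:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=5 msg="Performance statistics"
5: 2010-07-13 18:55:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=8 msg="Performance statistics"
6: 2010-07-13 18:54:09 log_id=0104032003 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=logout status=success reason=timeout msg="Administrator admin timed out on https
"""

# "<n>: <date> <time> key=value key="quoted value" ..."
LINE_RE = re.compile(r"^\s*\d+:\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<rest>.*)$")
# A quoted value runs to the closing quote, or to end of line if the record was cut off.
KV_RE = re.compile(r'(\w+)=("[^"]*"?|\S+)')
# ui=https(21.14.127.14) -> access method and source address
UI_RE = re.compile(r"^(\w+)\((.*)\)$")


def parse_log_line(line):
    """Return a dict of fields for one log line, or None for the count/header lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"date": m.group("date"), "time": m.group("time")}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def parse_log(text):
    return [r for r in (parse_log_line(l) for l in text.splitlines()) if r]


def admin_events(records):
    """Administrator login/logout records with method and source address split out."""
    events = []
    for r in records:
        if r.get("type") != "event" or r.get("subtype") != "admin":
            continue
        ui = UI_RE.match(r.get("ui", ""))
        events.append({
            "when": r["date"] + " " + r["time"],
            "user": r.get("user"),
            "action": r.get("action"),
            "status": r.get("status"),
            "reason": r.get("reason"),
            "via": ui.group(1) if ui else r.get("ui"),
            "src": ui.group(2) if ui else None,
        })
    return events


def peak_sessions(records):
    """Highest total_session value among the periodic performance-statistics records."""
    return max((int(r["total_session"]) for r in records if r.get("action") == "perf-stats"), default=0)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_EVENT_LOG)
    for e in admin_events(recs):
        print("%(when)s %(user)s %(action)s %(status)s via %(via)s from %(src)s (reason=%(reason)s)" % e)
    print("peak sessions:", peak_sessions(recs))
```

Point parse_log at the saved PuTTY log instead of SAMPLE_EVENT_LOG to run the same extraction over the full 3011 lines; the admin_events filter is the one to extend if you also want failed logins (status=failed) or configuration changes (subtype=config) listed.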

MAC finder script

While I don’t like going down to Layer 2, recently I had to: I didn’t know the IP address of the Cisco router I wanted to connect to, but I had access to a Cisco router sitting in the same network. It would be pretty easy to do #show arp on this router and then search on Google for who owns each MAC, if it weren’t for the /26 subnet mask. Copy-pasting each entry of the ARP table into Google didn’t look like a lot of fun. So I wrote a Python script that reads MAC addresses in bulk from the command line (standard input) and, using a MAC-vendor database downloaded beforehand, prints the vendor for each MAC address. It works with #show arp on Cisco, #show mac-address-table on Cisco switches, #arp -en on Linux (including Checkpoint), #arp -a on FreeBSD, #show arp on Junos from Juniper, and #get sys arp on Fortigate.
Below is the script.
Here:
mac-database.txt – file containing the MAC-vendor translations in the format <first 6 hex digits of the MAC as a sequence> <VENDOR>. I used standards.ieee.org/regauth/oui/oui.txt as the source with a bit of sed, but if you want a ready-to-use file I recommend nmap-mac-prefixes from the nmap source-code distribution, http://nmap.org/svn/nmap-mac-prefixes
Download the script (to make sure formatting is preserved, an important thing for Python):
http://yurisk.info/scripts/mac-finder.py
Script AND MAC database from the nmap project – http://yurisk.info/scripts/mac.tar.gz

#!/usr/bin/env python3
# This script accepts MAC addresses from the command line (standard input) and
# prints the vendor for each MAC address found on each input line
# Author: Yuri, yurisk@yurisk.info, 06.2010
import re
import sys

# One pattern for the three notations seen in ARP tables:
# xxxx.xxxx.xxxx (Cisco, Junos), xx:xx:xx:xx:xx:xx (Linux, BSD, Fortigate)
# and xx-xx-xx-xx-xx-xx (Windows)
MAC_RE = re.compile(
    r'([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}'
    r'|(?:[0-9a-f]{2}:){5}[0-9a-f]{2}'
    r'|(?:[0-9a-f]{2}-){5}[0-9a-f]{2})',
    re.IGNORECASE)


def load_mac_db(path='mac-database.txt'):
    """Read the MAC-vendor database (one "xxxxxx Vendor" entry per line) into a
    dict keyed by the upper-case 6-hex-digit OUI prefix; comment lines are skipped."""
    db = {}
    with open(path) as f:
        for line in f:
            parts = line.strip().split(None, 1)
            if len(parts) == 2 and len(parts[0]) == 6:
                db[parts[0].upper()] = parts[1]
    return db


def oui(mac):
    """Strip dots, colons or dashes from a MAC and return its first 6 hex digits."""
    return re.sub(r'[.:-]', '', mac)[:6].upper()


def main():
    db = load_mac_db()
    # Print each input line that contains a MAC with a known vendor appended
    for line in sys.stdin:
        m = MAC_RE.search(line)
        if m:
            vendor = db.get(oui(m.group(1)))
            if vendor:
                print(line.strip(), vendor)


if __name__ == '__main__':
    main()

Running it:

[root@darkstar ]# ./mac-finder.py
<now I copy paste output from arp -a in BSD>
$ arp -a
(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet]
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet]
<Hit CTRL+D to signal the end of input>
(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet] VMware, Inc.
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet] Fortinet Inc.

Visio stencils for Cisco, Juniper, Fortinet, Checkpoint, Avaya

Some links to download Microsoft Visio stencils of the most popular vendors.
Juniper
Cisco
Avaya
BlueCoat
Fortinet
Dell
Checkpoint happens not to have an official stencil set; only Nokia appliance stuff can be found. So someone volunteered and, using icons/press releases/PowerPoint presentations made by Checkpoint, turned them into Visio stencils:
fireverse.org
If nothing else helps, here you can find the rest:
nag.ru/projects/visio


© 2016 yurisk.info
