yurisk.info

Disabling SSL Deep inspection proxy in Fortigate should be easier

Yuri — Sat, 04 May 2013 11:18:03 +0000

This one can be filed under Fortinet ‘undocumented/unwanted’ feature rather than bug.The case in question: Fortigate 80C , firmware 4 something, all subscriptions are up-to-date, no crazy configurations, life is beautiful… Until client adds to his LAN some back-up device that works by gathering data from clients installed on PCs and then pushes updates from behind Fortigate to the Internet residing cloud storage.

The problem with it occurred on install of the backup box and its reason also was clear as vodka – the backup box uses POP3s protocol (POP3 encrypted with SSL using certificates) to communicate with cloud servers and when this communication is passing the Fortigate, the Fortigate intercepts it for SSL Deep inspection (man-in-the-middle) and presents to the cloud servers its own (i.e. Fortigate) SSL certificate, thus preventing the bakup box to use its own SSL certificate. The remote cloud servers, of course, refuse to accept it.

So, what’s the fuss? Just disable SSL inspection and that’s it, no ? According to the Fortinet yes, http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD31820 “ FortiGate Intercepts POP3S, SMTPS and IMAPS certificates “ . But the real life says no.

First, the document above lists commands that Fortigate 80C didn’t recognize, ok , no big deal. We tried to remove any protection profile from hosts in question, add protection profile with HTTPS inspection disabled – still nada .

In the end, as the client didn’t really need this feature at all, we just disabled SSL inspection for good, and it finally did the job.

The steps and output from the device are below.

FGT80C # get firewall ssl setting

caname : Fortinet_CA_SSLProxy
cert-cache-capacity : 100
cert-cache-timeout : 10
no-matching-cipher-action: bypass
proxy-connect-timeout: 30
session-cache-capacity: 500
session-cache-timeout: 20
ssl-dh-bits : 1024
ssl-max-version : tls-1.0
ssl-min-version : ssl-3.0
ssl-send-empty-frags: enable

Get the statistics/diagnostics info about SSL Proxy in Fortigate:

FGT80C # diagnose test application ssl 0

SSL Proxy Test Usage
1: Dump Memory Usage
2: Drop all connections
3: Display PID
4: Display connection stat
5: Toggle AV Bypass mode
6: Display memory statistics
44: Display info per connection
11: Display connection TTL list
12: Clear the SSL certificate cache
13: Clear the SSL session cache
14: Display PKey file checksum
15: Clear the SSL server name cache
99: Restart proxy
SSL Proxy stats:

FGT80C # diagnose test application ssl 4

Current connections (all proxies) = 12/8048
Running time (HH:MM:SS:usec) = 57:21:06.569388
Bytes sent = 499 (kb)
Bytes received = 909 (kb)
Error Count (alloc) = 0
Error Count (accept) = 0
Error Count (bind) = 0
Error Count (connect) = 0
Error Count (read) = 0
Error Count (write) = 0
Error Count (retry) = 0
Error Count (poll) = 0
Error Count (unhandled state) = 0
Error Count (SSL handshake) = 0
Error Count (SSL internal) = 0
Last Error = 0
IPC Connection Count = 1
IPC Hand-off Count = 7838
IPC Packet Sent Count = 0
IPC Error Count (connect) = 0
IPC Error Count (handoff) = 0
IPC Error Count (send) = 0
IPC Error Count (socketpair) = 0
IPC Error Count (timeout) = 0
Client cipher failure = 0
Server cipher failure = 0
SSL decryption failure = 0
SSL internal error = 0
SSL public key too big = 0
Total Connections Proxied = 0
Web request backlog drop = 0
Web response backlog drop = 0
AV Bypass is off
Drop on backlog is on
Accounting is off

This one is important, it shows connections under SSL inspection
Here 13.43.12.77 is remote cloud server (sanitized) and 192.168.10.150 is backup box in LAN.

FGT80C# diagnose test application ssl 44

Current https connections = 0
Current imaps connections = 0
proxy=pop3s id=8070 clt=45(r=0, w=0) srv=46(r=1, w=0) c:192.168.10.150:36905 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3541

proxy=pop3s id=8069 clt=43(r=0, w=0) srv=44(r=1, w=0) c:192.168.10.150:56246 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3540

proxy=pop3s id=8068 clt=41(r=0, w=0) srv=42(r=1, w=0) c:192.168.10.150:56245 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3401

proxy=pop3s id=8067 clt=26(r=0, w=0) srv=27(r=1, w=0) c:192.168.10.150:36902 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=3399

proxy=pop3s id=8039 clt=24(r=0, w=0) srv=25(r=1, w=0) c:192.168.10.150:40980 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=2625

proxy=pop3s id=8032 clt=35(r=0, w=0) srv=36(r=1, w=0) c:192.168.10.150:39432 -> s:13.43.12.77995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=2424

proxy=pop3s id=8029 clt=28(r=0, w=0) srv=29(r=1, w=0) c:192.168.10.150:39429 -> s:13.43.12.77:995 c2s/s2c=0/0 state=SSL_CONTINUE_SETUP_STATE duration=0 expire=2415

Current pop3s connections = 12
Current smtps connections = 0
Current ftps connections = 0
- Disable SSL proxy for AV scanning :

FGT80C # diagnose test application ssl 5

SSL AV Bypass is now on

FGT80C3909621311 # diagnose test application ssl 4

Current connections (all proxies) = 12/8048
Running time (HH:MM:SS:usec) = 57:22:37.346514
Bytes sent = 499 (kb)
Bytes received = 909 (kb)
Error Count (alloc) = 0
Error Count (accept) = 0
Error Count (bind) = 0
Error Count (connect) = 0
Error Count (read) = 0
Error Count (write) = 0
Error Count (retry) = 0
Error Count (poll) = 0
Error Count (unhandled state) = 0
Error Count (SSL handshake) = 0
Error Count (SSL internal) = 0
Last Error = 0
IPC Connection Count = 1
IPC Hand-off Count = 7839
IPC Packet Sent Count = 0
IPC Error Count (connect) = 0
IPC Error Count (handoff) = 0
IPC Error Count (send) = 0
IPC Error Count (socketpair) = 0
IPC Error Count (timeout) = 0
Client cipher failure = 0
Server cipher failure = 0
SSL decryption failure = 0
SSL internal error = 0
SSL public key too big = 0
Total Connections Proxied = 0
Web request backlog drop = 0
Web response backlog drop = 0
AV Bypass is on
Drop on backlog is on
Accounting is off

- Making sure it worked:

FGT80C3909621311 # diagnose test application ssl 44

Current https connections = 0
Current imaps connections = 0
Current pop3s connections = 0
Current smtps connections = 0
Current ftps connections = 0

md5 sha256 sha-1 tiger and whirlpool sum checker for Windows

Yuri — Mon, 08 Oct 2012 09:47:56 +0000

Trying out Amazon AWS Glacier with fastglacier.com as the upload GUI app I looked at few SHA256 sum calculating tools, and found this one by Jesse Kornblum to be the best for Windows.
It has some quite useful options like recursive folders calculation, file size limitation, reading file names from file and hash comparing. Be aware it is command-line only.

Checkpoint SNX 75 does work on Mac OS X 10.8 Mountain Lion

Yuri — Fri, 03 Aug 2012 04:05:20 +0000

While not mentioned explicitly in Release Notes for SNX 75 (it lists there only Mac OS X 10.7, 10.7.1, 10.7.2 Lion, 32-bit and 64-bit as supported versions) , it does work with new version of Apple Mac.
Yesterday I did it for R71.40 and it worked just fine, you have to install hotfix though - SNX_MACOS.linux.tgz .

Agressive scans from 69.175.126.170 – HD Moore is trying to save the Internet

Yuri — Tue, 31 Jul 2012 12:50:09 +0000

I’ve been seeing this for some time so you will see it soon too. We speak here mostly about SNMP probes coming from a set of very specific IPs. If you do a search on IP you get to the webpage below (critical.io ) , explaining to the reader that it constitutes a vulnerability/misconfiguration disclosure effort by HD Moore exercised on the wide Internet for our own good . ~~I haven’t had answer from Hd Moore himself (probably because of Defcon:) ) so can’t really deny nor confirm this claim I did heard~~ I did hear from him, it is indeed scans done by him.
Anyway, as the scans are much more frequent/agressive than usual attack/scan attempts I see everyday, I decided , while not seeing them as any threat, to filter them out and here are IP addresses if you decide too.
IPs:
69.175.126.168/29 69.175.126.170
184.154.42.192/29 184.154.42.194
173.236.44.96/29   173.236.44.98
69.175.54.104/29   69.175.54.106
173.236.30.120/29 173.236.30.122
96.127.150.216/29 96.127.150.218
Screenshot of the website hosted on aforementioned IPs:

SCP and Checkpoint R75 problems

Yuri — Mon, 23 Jul 2012 09:00:37 +0000

There is a known issue with transferring big files (bigger than 1 Mb) from/to SecurePlatform firewall by Checkpoint you should be aware of. The file transfer fails with some error about buffers. The problem is that Checkpoint SPLAT comes with old opensshd daemon , which has a bug in it dated 2006 ( https://bugzilla.redhat.com/show_bug.cgi?id=184357 ) causing transfer to fail if SCP client is trying to use buffer bigger than 1 Mb . And as (the only) Windows based client WinSCP (that in turn uses putty code) has been using buffer larger than that for ages, trying to use versions of WinSCP newer than 3.x results in failure .
Checkpoint have a hotfix for that, according to SK sk66195, but the less intrusive alternative is to use older versions – pscp 0.60 and Winscp 3.x (e.g. 3.7.4)

A bit of privacy on Youtube is now available

Yuri — Wed, 18 Jul 2012 17:00:54 +0000

If you are not careful enough not to upload any identifiable videos to Youtube.com , at least make it less damaging to the people in the video by blurring faces with the new tool
introduced by them : http://youtube-global.blogspot.co.il/2012/07/face-blurring-when-footage-requires.html

How to enroll VPN client with IOS CA

Yuri — Mon, 16 Apr 2012 17:23:20 +0000

If you didn’t notice Cisco IOS routers can serve as CA servers as well. The example configurations are easy to find on the cisco.com but the only trick to know when enrolling Cisco VPN client with IOS CA is the syntax you put as url – the string should look:
http://192.182.12.1:80/cgi-bin/pkiclient.exe
I attach below screenshot so you can see what I mean.
Some references as well .
www.cisco.com
ieoc.com/forums/t/12071.aspx

PKI client enrol with cisco CA

Check duplex and speed settings of all interfaces in one go

Yuri — Thu, 16 Feb 2012 18:36:39 +0000

One of the first things you do when checking connectivity issues on the Checkpoint (or any networking gear for that matter) is to see speed and duplex parameters of the interfaces. But have you tried to do it on a firewall with 15-20 interfaces ?
No fun entering one by one interfaces’ names. Here is the one-liner I use to get speed and duplex settings of all interfaces in one go.

# for ii in $(ifconfig | awk ' /Ethernet/ {print $1}') ;do ethtool $ii; done | egrep 'eth|Speed|Duplex'
Settings for eth0:
Speed: 100Mb/s
Duplex: Full
Settings for eth1:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.150:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.160:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.161:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.270:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.271:
Speed: 1000Mb/s
Duplex: Full

Settings for eth1.281:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.35:
Speed: 1000Mb/s
Duplex: Full
Settings for eth2:
Speed: 100Mb/s
Duplex: Full
Settings for eth3:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.112:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.211:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.311:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.71:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.72:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.73:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.413:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.419:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.451:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.407:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.408:
Speed: 1000Mb/s
Duplex: Full
Settings for eth5:
Speed: 1000Mb/s
Duplex: Full
Settings for eth7:
Speed: 1000Mb/s
Duplex: Full

Funny way to expire Antispam license in Checkpoint

Yuri — Mon, 13 Feb 2012 16:19:35 +0000

After years with Checkpoint products I came to conclusion that if you don’t have logical explanation why something doesn’t work, it is most probably license issue.
My client stopped getting emails behind UTM-132 at some remote branch . Doing the basics – telnet to port 25 (Checkpoint answered as it should),Exchange answering on port 25 as well didn’t come up with anything.
Then I looked at mail spool in the Checkpoint and voila, all the emails that didn’t reach internal Exchange were stuck there for no obvious reason.
The reason became obvious when I looked at the SmartTracker and saw “AntiSpam service license expired” message . Only then did I recall that this UTM had once Total security license that included the Antispam , but had expired long ago.
Why upon expiring license Checkpoint instead of passing mails without Antispam filtering decided to “hijack” the mails is left without answer.

Finally GEO location blocking has arrived to Fortigate

Yuri — Thu, 09 Feb 2012 18:35:47 +0000

It was predictable thing for Fortinet to do as everyone else has already been doing so.
I haven’t verified myself but according to the informed source (can only say his name – Hen) they are using
Maxmind database . So let’s see how to do it .
First you create in New Address dialog window the Geography type object specifying the country. As you can only pick one country per address use Address Groups to combine few countries together.
After creating such Address object you can use it in Firewall Policy just as you would the usual Address.
Personal Note: While there is an ongoing fuss/hysteria about the cyberwar being waged that started 2 weeks ago when Saudi “hackers” DDOS’ed few Israel websites, from what I see in the field it is more of a FUD campaign, one of the byproducts of which is rush of many website owners in Israel to block Saudi Arabia IPs (or any Arabic world IPs for that matter). What happened in fact was that most of DDOS came from anywhere but Arab world (Russia, China,US) , from botnets-for-hire.
The only reason I can think of why you would use Geo location block is to lower noise/size of logs by silently dropping traffic from unwanted countries.