Two Rules For Fortigate Beginners

After managing a small number of Fortigates for a handful of years, I have come up with two rules that I wish I had known when I started. There are numerous best practices, but these two have caused me the most pain recently.

  1. Never install a dot zero release of the Fortigate firmware; more specifically, wait until .4 or .5 or later before upgrading. For example, if you are on 6.2.7 and would like to upgrade to the latest branch, which at this time is 6.4.x, wait until 6.4.5. Each main release branch includes a large number of new features, and each of the dot releases includes fixes. I made this mistake twice when starting out, and the firewalls became unstable and difficult to maintain and upgrade.
  2. Always use zones for building policies. Zones allow you to add and remove interfaces from a zone, and every member interface inherits all policies associated with that zone. If you build policies directly against interfaces, then when you need to add an interface that falls into a similar zone you have to rebuild all of those policies for the new interface, versus adding the interface to a zone and being done. Zones really shine when upgrading from one hardware platform to the next, where interface names and counts differ: you can simply remove all interfaces from the zone, transfer the config, and add the new interfaces to the correct zone.

Those are two simple rules that would have saved me a lot of time.
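Rule 2 in practice, as an added FortiOS CLI example that is not part of the original post: the policy is written against zones, so a later interface is added with one `append` and inherits the policy. Zone, port, address and policy names (ZONE_INTERNAL, ZONE_DMZ, port2-port4, DMZ_WEB_SERVERS, policy 10) are assumptions.

```fortios
# Added example (not from the original post): zone-based policy.
# Zone, interface, address and policy names below are assumptions.
config system zone
    edit "ZONE_INTERNAL"
        set intrazone deny
        set interface "port2" "port3"
    next
    edit "ZONE_DMZ"
        set intrazone deny
        set interface "dmz"
    next
end

config firewall address
    edit "DMZ_WEB_SERVERS"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# The policy references zones, never the physical interfaces
config firewall policy
    edit 10
        set name "internal_to_dmz_https"
        set srcintf "ZONE_INTERNAL"
        set dstintf "ZONE_DMZ"
        set srcaddr "all"
        set dstaddr "DMZ_WEB_SERVERS"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# Later (or after a hardware swap with different port names): adding the
# interface to the zone is the only change; policy 10 applies to it as-is
config system zone
    edit "ZONE_INTERNAL"
        append interface "port4"
    next
end
```

Once an interface is a zone member it can no longer be selected directly in a policy, so create the zones before writing the policies. `set intrazone deny` means port2 and port3 still need an explicit policy to talk to each other.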

Azure Application Insights On-Prem Web Farm

On each node of the web farm with a shared config, run the following commands.

Download: https://www.powershellgallery.com/packages/Az.ApplicationMonitor/

# Path to the downloaded Az.ApplicationMonitor package
$pathToNupkg = "C:\temp\az.applicationmonitor.1.1.2.nupkg"
# A .nupkg is a zip archive; rename it so Expand-Archive will accept it
$pathToZip = ([io.path]::ChangeExtension($pathToNupkg, "zip"))
$pathToNupkg | Rename-Item -NewName $pathToZip
# Extract into the machine-wide PowerShell module path
$pathInstalledModule = "$Env:ProgramFiles\WindowsPowerShell\Modules\az.applicationmonitor"
Expand-Archive -LiteralPath $pathToZip -DestinationPath $pathInstalledModule

# Replace xxxxx-xxx-xxx-xxxxx with the instrumentation key of your Application Insights resource
Enable-ApplicationInsightsMonitoring -InstrumentationKey xxxxx-xxx-xxx-xxxxx -IgnoreSharedConfig -EnableInstrumentationEngine

After the commands have been run, go into IIS on one of the machines in the web farm and add a module named ManagedHttpModuleHelper, pointing to Microsoft.AppInsights.IIS.ManagedHttpModuleHelper.ManagedHttpModuleHelper in the dropdown box.

https://docs.microsoft.com/en-us/azure/azure-monitor/app/status-monitor-v2-overview

VMware Workstation error code 0xc00000005

I kept getting error code 0xc00000005 when trying to install Windows 2019 as a guest on VMware Workstation. I uninstalled it and tried VirtualBox and got a different error. Searching the log files led me to a post about Hyper-V interference. I had uninstalled Hyper-V, but there must have been some Hyper-V feature left. The following commands worked; run them from an elevated prompt and reboot afterwards for the change to take effect.

bcdedit /set hypervisorlaunchtype off

DISM /Online /Disable-Feature:Microsoft-Hyper-V

Finally passing the CISSP certification

After multiple starts and stops, I was finally forced to take the CISSP on November 23rd, as I was not able to postpone the exam any further.

I have been working as a sysadmin/security analyst at a single location for over 20 years. When working at the same job for so long, there is a risk of not growing and learning enough to keep up with the industry. I take certs to help fill the gaps.

I started studying for the CISSP two years ago, but life continued to get in the way. I thought I was prepped and ready to go when COVID hit and I was forced to postpone. After rescheduling multiple times I was forced to take it because Pearson VUE wouldn't allow me to reschedule any later.

Users in the reddit.com/r/cissp group recommended working through 3-4k practice questions and using multiple study guides and resources. Although that seems like overkill, it ended up being about right for me to understand the material well enough.

I hear a lot of complaints about the CISSP, but I found it valuable: coming from a purely technical role all these years, it helped me fit the various "pieces" together. Being forced to spend more time looking at security from a management point of view was very valuable. The CISSP gave me value through the preparation required to sit and pass the test.

I used the following resources:

https://reddit.com/r/cissp – A valuable resource for working out what to study and which resources to use.

https://thorteaches.com/ – Thor does a good job of breaking down the material and giving a good overview. I watched all the videos and answered all the questions. The questions were slightly repetitive but still good.

Sybex official study guide and questions – One of the better resources; read the book twice and go through all the questions in the online test bank.

https://www.cccure.education/home – Good questions; I used this towards the end of my preparation.

https://www.studynotesandtheory.com/ – I like Luke's videos; his questions are very challenging but may be of value.

Boson CISSP practice questions.

Eric Conrad's 11th Hour and CISSP Study Guide books were a good review and worthwhile to read once or twice.

Glad to have it over. Now I am looking into Azure certifications or the Offensive Security AWAE certification.

Fortigate to Fortigate VXLAN – Disaster Recovery

I have been working on a solution for disaster recovery, and one of the goals was a stretched layer 2 network. Since we would need a similar firewall with similar rules at the DR location, I have been investigating VXLAN over an IPsec tunnel.

This is the current test config; I will update it when more testing has been completed.

config system global
    set hostname FIREWALL1
end

config system interface
    edit "wan1"
        set vdom "root"
        set mode static
        set ip 173.1.1.1 255.255.255.0
        set allowaccess ping fgfm
        set type physical
        set role wan
        set snmp-index 1
    next
end

config vpn ipsec phase1-interface
    edit "to_HQ2"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set wizard-type static-fortigate
        set remote-gw 173.1.1.2
        set psksecret supersecret
    next
end

config vpn ipsec phase2-interface
    edit "to_HQ2"
        set phase1name "to_HQ2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: to_HQ2 (Created by VPN wizard)1"
        set src-addr-type ip
        set dst-addr-type ip
        set src-start-ip 1.1.1.1
        set dst-start-ip 1.1.1.2
    next
end

config system vxlan
    edit "vxlan1"
        set interface "to_HQ2"
        set vni 1000
        set remote-ip "1.1.1.2"
    next
end

config system interface
    edit "to_HQ2"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.2 255.255.255.255
        set snmp-index 8
        set interface "wan1"
    next
    edit "vlan100"
        set vdom "root"
        set vlanid 100
        set interface "dmz"
    next
    edit "vxlan100"
        set type vlan
        set vlanid 100
        set vdom "root"
        set interface "vxlan1"
    next
end

config system switch-interface
    edit "sw1"
        set vdom "root"
        set member "vlan100" "vxlan100"
    next
end

config system interface
    edit "sw1"
        set vdom "root"
        set ip 192.168.4.1 255.255.255.0
        set type switch
        set snmp-index 12
    next
end

config router static
    edit 1
        set dst 1.1.1.2 255.255.255.255
        set device "to_HQ2"
    next
end


//////////  FIREWALL 2

config system global
    set hostname FIREWALL2
end

config system interface
    edit "wan1"
        set vdom "root"
        set mode static
        set ip 173.1.1.2 255.255.255.0
        set allowaccess ping fgfm
        set type physical
        set role wan
        set snmp-index 1
    next
end

config vpn ipsec phase1-interface
    edit "to_HQ1"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set wizard-type static-fortigate
        set remote-gw 173.1.1.1
        set psksecret supersecret
    next
end

config vpn ipsec phase2-interface
    edit "to_HQ1"
        set phase1name "to_HQ1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-addr-type ip
        set dst-addr-type ip
        set src-start-ip 1.1.1.2
        set dst-start-ip 1.1.1.1
    next
end

config system vxlan
    edit "vxlan1"
        set interface "to_HQ1"
        set vni 1000
        set remote-ip "1.1.1.1"
    next
end

config system interface
    edit "to_HQ1"
        set vdom "root"
        set ip 1.1.1.2 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.1 255.255.255.255
        set snmp-index 8
        set interface "wan1"
    next
    edit "vlan100"
        set vdom "root"
        set vlanid 100
        set interface "dmz"
    next
    edit "vxlan100"
        set type vlan
        set vlanid 100
        set vdom "root"
        set interface "vxlan1"
    next
end

config system switch-interface
    edit "sw1"
        set vdom "root"
        set member "vlan100" "vxlan100"
    next
end

config system interface
    edit "sw1"
        set vdom "root"
        set ip 192.168.4.2 255.255.255.0
        set type switch
        set snmp-index 12
    next
end

config router static
    edit 1
        set dst 1.1.1.1 255.255.255.255
        set device "to_HQ1"
    next
end



Packet Capture without Wireshark

I needed to capture packets off a production web server but did not want to add additional, unnecessary software such as Wireshark to production.

I came across some dated articles on netsh that looked promising, but the tool they used to convert the trace to a packet capture seemed to be deprecated. Luckily the tool linked below converts the ETL trace to pcapng so it can be opened in Wireshark.

Here is a basic example (run from an elevated prompt):

netsh trace start capture=yes report=disabled
netsh trace stop

Copy the resulting .etl file (NetTrace.etl by default) to a machine with Wireshark and convert it:

etl2pcapng.exe NetTrace.etl out.pcapng

etl2pcapng is available at https://github.com/microsoft/etl2pcapng.

Ultramarathon Man review

A quick, entertaining read about Dean Karnazes, how he began running, and how he got into ultra endurance racing. The book does a good job of detailing some of his bigger endurance feats; as you read about his overnight and extreme runs, you start to realize that the human body is capable of so much more than we think.

Good motivational book to help you push through training plateaus.

Fortigate with Fortilink enabled switches that won’t upgrade

We had a number of Fortigate firewalls managing Fortiswitches via Fortilink, and no matter what version of Fortiswitch firmware we tried, the switches would reboot but not upgrade. After some troubleshooting we found that the following commands allowed the switches to be upgraded.

config switch-controller global
    set https-image-push enable
end

Fortigate traffic sourced from wrong interface

I installed new Fortigate 61E's, and everything seemed to work as planned until I wanted to add Fortianalyzer for traffic analysis. Testing indicated that Fortianalyzer traffic was being sent out the WAN interface instead of the IPsec tunnel. After searching around I found that a source IP needs to be set for traffic originating from the Fortigate itself, such as Fortianalyzer and syslog traffic. The following config resolved the issue.

config log fortianalyzer setting
    set status enable
    set server x.x.x.x
    set source-ip x.x.x.x
end

config log syslogd setting
    set status enable
    set server x.x.x.x
    set source-ip x.x.x.x
end