Archive

Posts Tagged ‘fortigate’

Monitoring policy packet and byte hit counts on a Fortigate via SNMP

June 14, 2013

Within the MIB for the Fortigate, there are two OIDs that contain the policy hit counts:

fgFwPolPktCount
1.3.6.1.4.1.12356.101.5.1.2.1.1.2
Number of packets matched to policy (passed or blocked, depending on policy action). Count is from the time the policy became active.
1.3.6.1.4.1.12356.101.5.1.2.1.1.2.V.P = policy packet count for policy ID P, in VDOM V

fgFwPolByteCount
1.3.6.1.4.1.12356.101.5.1.2.1.1.3
Number of bytes in packets matching the policy. See fgFwPolPktCount.
1.3.6.1.4.1.12356.101.5.1.2.1.1.3.V.P = policy byte count for policy ID P, in VDOM V

I just created a DENY policy for a variety of geographic regions, a feature of the Fortigate. Although I am also monitoring destination country code information with argus, I have not yet integrated argus into an IDS platform. Until I do, I can quickly set up an icinga/nagios service that queries this value and reports when it rises above 0. I am logging policy violations on the Fortigate so that I can quickly review the source there, then go to argus, then to the workstation itself.
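As an added example (not code from the post), here is a small POSIX-shell check in the icinga/nagios style for the fgFwPolPktCount instance above. The OID prefix is the one listed in the MIB text; the VDOM index, policy ID, SNMP community, host and state-file path are assumptions, and the snmpget call (net-snmp) sits in a function that the offline demo does not invoke. It goes one step beyond the post: because the MIB says the counter runs from the moment the policy became active, a plain "above 0" test would stay critical for ever once a single packet has hit the policy, so the check keeps the last value in a state file and reports the increase since the previous poll.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: VDOM index, policy ID,
# community, host and the state-file path. OID prefix is the MIB's fgFwPolPktCount.
OID_PKT_BASE="1.3.6.1.4.1.12356.101.5.1.2.1.1.2"

# Build the instance OID for policy ID $2 in VDOM index $1 (the ".V.P" suffix from the MIB text).
policy_pkt_oid() {
    printf '%s.%s.%s\n' "$OID_PKT_BASE" "$1" "$2"
}

# Print the counter's growth since the previous run and remember the current value.
# $1 = current counter value, $2 = state file (empty or missing on the first run).
# A counter that went down means the policy was re-activated, so the whole value is new.
policy_delta() {
    cur=$1; state=$2
    prev=$(cat "$state" 2>/dev/null)
    case "$prev" in ''|*[!0-9]*) prev=0 ;; esac
    printf '%s\n' "$cur" > "$state"
    if [ "$cur" -lt "$prev" ]; then
        printf '%s\n' "$cur"
    else
        printf '%s\n' "$((cur - prev))"
    fi
}

# Turn a delta into a plugin output line and exit status: 0 = OK, 2 = CRITICAL.
# $1 = delta, $2 = label used in the message.
policy_status() {
    if [ "$1" -gt 0 ]; then
        printf 'CRITICAL - %s: %s new packet(s) matched since last poll\n' "$2" "$1"
        return 2
    fi
    printf 'OK - %s: no new packets matched\n' "$2"
    return 0
}

# Live check against a device (needs net-snmp's snmpget; "-Oqv" prints the bare value).
# Not invoked by the offline demo below.  $1 host, $2 community, $3 VDOM index, $4 policy ID, $5 state file.
check_policy_live() {
    oid=$(policy_pkt_oid "$3" "$4")
    cur=$(snmpget -v2c -c "$2" -Oqv "$1" "$oid") || { echo "UNKNOWN - snmpget failed for $oid"; return 3; }
    delta=$(policy_delta "$cur" "$5")
    policy_status "$delta" "vdom $3 policy $4"
}

# Offline demo with a constructed counter sequence: two quiet polls, then 17 hits, then quiet again.
demo() {
    state=$(mktemp)
    for v in 0 0 17 17; do
        d=$(policy_delta "$v" "$state")
        policy_status "$d" "geo-deny"
    done
    rm -f "$state"
}

demo
```

To use it as a plugin, call `check_policy_live <host> <community> <vdom-index> <policy-id> <state-file>` at the end instead of `demo`; the state file must be writable by the account the monitoring daemon runs the plugin as, and one state file is needed per policy being watched.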


Obtain ID numbers of application definitions for Application Control portion of the UTM on Fortigate

June 12, 2013

How to open a ticket with the FortiGuard team to request the creation (and testing) of a definition

June 10, 2013

A while back, I came across the very cool piece of software called ScreenHero. It is a screen sharing + IM client that I’ve installed on several of my family members’ PCs and Macs. Unfortunately for my co-workers, I also wanted to block it through the use of the FortiGuard UTM services featured on our Fortigate firewall.

It is quite easy to request a new definition to be added.

Read more…

Track the CPU and RAM utilization of a process on FortiOS

June 4, 2013

On Windows/cmd:

Create a file (that is very secure) with the contents (cmd's echo writes quotation marks literally, so the two commands go unquoted):

echo conf global > c:\plink_fortigate.txt
echo diag sys top 20 40 >> c:\plink_fortigate.txt

Use plink to run the connection, together with the win32 ports of grep, awk and sleep:

Replace “ssl” with the process you wish to monitor (grep matches any line containing that string, so pick one that matches a single process):

echo echo ^%date^%,^%time^% ^>^> c:\output.csv ^&^& plink -pw "admin's password" admin@192.168.100.1 -m c:\plink_fortigate.txt 2^>^&1 ^| grep ssl ^| awk "{print $4, $5}" OFS="," ^>^> c:\output.csv ^&^& sleep 5s > c:\fortigate_proc_watch.bat

Run it 20000 times:

for /l %G in (0,1,20000) do c:\fortigate_proc_watch.bat

 
On *nix/bash:

Create a file (that is very secure) with the contents:

echo "conf global" > ~/ssh.in
echo "diag sys top 20 40" >> ~/ssh.in
chmod 600  ~/ssh.in

Use ssh to run the connection:

Replace “ssl” with the process you wish to monitor:

yum -y install sshpass #in rpmforge and fedora repos
echo '#!/bin/bash' > ~/fortigate_proc.sh
echo "datetimepre=\$(date)" >> ~/fortigate_proc.sh
echo "output=\$(sshpass -p 'admin password' ssh admin@192.168.100.1 < ~/ssh.in 2>&1 | grep ssl | awk '{print \$4, \$5}' OFS=',')" >> ~/fortigate_proc.sh
echo "echo \$datetimepre,\$output >> ~/output.csv" >> ~/fortigate_proc.sh
chmod 700  ~/fortigate_proc.sh

Run it once every 5 seconds:

watch -n 5 ~/fortigate_proc.sh

Conclusion:
After the timestamp, the first column is CPU usage and the second is memory usage (both in percent, as shown by `diag sys top`).

This will repeatedly connect using SSH and run `diag sys top`, disconnecting and killing `diag sys top` when done. This should work fine unless there’s a bug in FortiOS.

Alternately, you can use `diag sys top` to obtain the PID of the target process, set it as an environment variable, then parse the output of `fnsysctl cat /proc/[PID]/status` or ../stat or ../statm.
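The Windows and bash loops above both hand the parsing to `grep ssl | awk '{print $4, $5}'`. As an added example that is not the post's own code, and that serves both the cmd and the bash section, the following POSIX-shell script does the same extraction with a small awk parser over a constructed sample of `diag sys top` output, so it runs offline. The sample is made up in the shape the one-liners assume (name, PID, state, CPU%, MEM%); the process names and numbers, the CSV path and the SSH key path are assumptions. It also matches the whole process name instead of a substring, tolerates an extra token between the state and the numbers, and adds a threshold test.

```shell
#!/bin/sh
# Added example, not part of the original post. Sample output, thresholds, CSV path and
# SSH key path are assumptions.

# Constructed sample of "diag sys top" output (not captured from a real unit). The
# ipsengine line carries an extra token after the state to exercise the column guard.
sample_top_output() {
    cat <<'EOF'
Run Time:  3 days, 4 hours and 12 minutes
0U, 0N, 1S, 99I; 1009T, 612F, 126KF
         sslvpnd       94      S       0.0     2.1
       ipsengine      120      S <     1.4     7.9
          newcli      317      R       0.0     0.5
EOF
}

# Print "cpu,mem" for the process named $1, reading diag sys top output from stdin.
# Compares the whole first field (the post's "grep ssl" would also match sslvpnd etc.)
# and takes the first two numeric fields after the PID, so a stray token between the
# state and the numbers does not shift the columns the way a fixed $4,$5 would.
# Exit status 1 when the process is not listed.
top_proc_usage() {
    awk -v proc="$1" '
        $1 == proc {
            n = 0
            for (i = 3; i <= NF && n < 2; i++)
                if ($i ~ /^[0-9]+(\.[0-9]+)?$/) out[++n] = $i
            if (n == 2) { print out[1] "," out[2]; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# Exit 0 when the "cpu,mem" pair $1 exceeds the CPU limit $2 or the memory limit $3 (percent).
usage_over_limit() {
    echo "$1" | awk -F, -v c="$2" -v m="$3" '{ exit !($1 > c || $2 > m) }'
}

# Append "timestamp,cpu,mem" for process $1 to CSV file $2; diag sys top output on stdin.
append_usage_row() {
    usage=$(top_proc_usage "$1") || { echo "process $1 not listed" >&2; return 1; }
    printf '%s,%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$usage" >> "$2"
}

# Live variant of the post's loop (not run here). Assumes an SSH public key has been
# loaded on the admin account instead of sshpass with a cleartext password, and the
# ~/ssh.in command file from the post.
watch_live() {
    admin_at_host=$1; proc=$2; csv=$3
    ssh -i ~/.ssh/fortigate_monitor "$admin_at_host" < ~/ssh.in 2>&1 | append_usage_row "$proc" "$csv"
}

# Offline demo: parse the constructed sample, write one CSV row, flag a process over its memory limit.
sample_top_output | append_usage_row sslvpnd /tmp/fortigate_usage_demo.csv
if usage_over_limit "$(sample_top_output | top_proc_usage ipsengine)" 80 5; then
    echo "ipsengine over limit: $(sample_top_output | top_proc_usage ipsengine)"
fi
```

For the live loop, `watch -n 5` from the post still applies; run it as `watch -n 5 'sh -c ". ./proc_watch.sh; watch_live admin@192.168.100.1 sslvpnd ~/output.csv"'` or simply put the `watch_live` call at the bottom of the script in place of the demo lines.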

Fortigate /proc tree

June 3, 2013

Configuring a Fortigate for UTM inspection of SSL/TLS encrypted channels (Fortigate ssl mitm)

June 3, 2013

Man in the middle
What you are actually doing is creating a CA on the Fortigate (a public/private key pair). This Fortigate housed CA will be a subordinate CA. Clients will trust the Fortigate housed CA by trusting the certificate chain (since they trust your root CA). You may have seen this sort of thing before.

I am awaiting word on how to properly assign a CRL to the subordinate CA cert when signing.
Read more…
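What the subordinate CA described above looks like in OpenSSL terms, as an added example that is not from the post and involves no Fortigate: it builds a throwaway root CA, issues the subordinate (inspection) CA under it with CA:TRUE and pathlen:0, mints a leaf certificate under the sub-CA the way the firewall does for each visited site, and shows that a client trusting only the root accepts that leaf only when the intermediate is supplied with it. The organisation and CN values, paths and validity periods are assumptions; the commands need OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original post. Names, paths and validity periods are assumptions.

# Create root.crt (self-signed) and sub.crt (signed by the root) in directory $1.
# The sub-CA gets CA:TRUE with pathlen:0: it may sign leaf certificates but no further CAs.
make_ca_chain() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/root.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$dir/sub.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Root: the CA the clients already trust.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Corp/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 3650 -sha256 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/root.ext" -out "$dir/root.crt" >/dev/null 2>&1 || return 1
    # Subordinate CA: sub.key and sub.crt are what would be imported into the firewall.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Corp/CN=Fortigate SSL Inspection CA" \
        -keyout "$dir/sub.key" -out "$dir/sub.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1825 -sha256 -in "$dir/sub.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/sub.ext" -out "$dir/sub.crt" >/dev/null 2>&1
}

# Verify the sub-CA against the root the way a client would; prints OK on success.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" "$1/sub.crt" >/dev/null 2>&1 && echo OK
}

# Exit 0 when sub.crt really carries CA:TRUE (a plain server cert imported as "CA" would not).
sub_ca_is_ca() {
    openssl x509 -in "$1/sub.crt" -noout -text | grep -q 'CA:TRUE'
}

# Print the sub-CA's path length constraint (expected "0").
sub_ca_pathlen() {
    openssl x509 -in "$1/sub.crt" -noout -text | sed -n 's/.*pathlen:\([0-9]*\).*/\1/p'
}

# What the inspecting firewall does per visited site: mint a leaf for host $2 under the sub-CA.
sign_leaf() {
    dir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1 || return 1
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$host" > "$dir/leaf.ext"
    openssl x509 -req -days 30 -sha256 -in "$dir/leaf.csr" -CA "$dir/sub.crt" -CAkey "$dir/sub.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" >/dev/null 2>&1
}

# A client trusting only the root accepts the leaf when the sub-CA is presented as an intermediate...
verify_leaf() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/leaf.crt" >/dev/null 2>&1 && echo OK
}

# ...and rejects the very same leaf when the intermediate is missing: prints FAIL.
verify_leaf_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1 && echo OK || echo FAIL
}

# Demo run in a temporary directory.
work=$(mktemp -d)
make_ca_chain "$work" && sign_leaf "$work" intranet.example.internal
echo "sub-CA verifies: $(verify_chain "$work"), pathlen: $(sub_ca_pathlen "$work")"
echo "leaf with intermediate: $(verify_leaf "$work"); without: $(verify_leaf_without_intermediate "$work")"
rm -rf "$work"
```

The file that matters is sub.key: whoever holds it can issue certificates every client in the chain of trust accepts, so it should exist only on the firewall (and in whatever backup procedure covers the firewall's certificate store). The pathlen:0 constraint and the keyUsage extension limit what the root has delegated; checking them on the issued cert, as `sub_ca_is_ca` and `sub_ca_pathlen` do, catches a sub-CA that was signed with the wrong template before it is imported.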

Fun times with Fortigate

March 25, 2013

This is still a problem outside of v4.0 MR1, apparently. :D

Seeing:
pid-34 lock_mlog()-555 shmget()failed: No such file or directory maxsize 0
Logon fails at the serial console (9600 8-n-1, flow control off).

You must interrupt normal boot, format the partition(s), then load the firmware. See the rollback procedure.
user: admin
password: [blank/no password]

For reference:

Subject: FortiGuard Update - Failed Reboot Condition
Released: 10 June 2011
Modified: 18 July 2011
Product: FortiGate

Description:

A FortiGate may fail to restart correctly after a power cycle or a software reboot if a FortiGuard update of either the IPS engine and its signatures or the AV engine and its signatures has been performed. After the update has successfully completed and a subsequent reboot is carried out, the FortiGate device may hang and traffic may not traverse through it; the following output may be seen on the console port:

__get_backdoor_timeout: Couldn't get shm
__set_backdoor_timeout: Couldn't get shm
__admindb_get_copy: Couldn't get admindb

Affected Products:

FortiGate devices running FortiOS v4.0 MR1 Patch Release 1 through to Patch Release 9, inclusive. The issue can occur, but is not specifically limited to, when IPS engine 1.230 or a later engine and signature package is loaded on the FortiGate; this can be verified with the following command:

FortiGate# get sys fortiguard-service status
NAME                VERSION  LAST UPDATE          METHOD  EXPIRE
AV Engine           3.013    2009-08-13 15:44:00  manual  2012-01-03 00:00:00
Virus Definitions   13.309   2011-06-10 04:31:07  manual  2012-01-03 00:00:00
Extended set        0.000    2003-01-01 00:00:00  manual  2012-01-03 00:00:00
Attack Definitions  3.012    2011-06-10 04:31:07  manual  2012-01-03 00:00:00
IPS Attack Engine   1.230    2011-06-10 04:33:48  manual  2012-01-03 00:00:00

If the FortiGate is running one of the affected firmware versions listed above and the IPS engine is version 1.230 or a later release, it will also require specific attack definitions to be loaded to be susceptible to this issue.

Resolution:

Fortinet recommends the upgrade of the FortiOS version to v4.0 MR1 Patch Release 10 or a later release for all customers currently running FortiOS v4.0 MR1 Patch Release 1 through to Patch Release 9, inclusive, even if IPS is not used on the device.
Patch Release 10, v4.0, MR1 was released on June 20th, 2011 to correct the FortiOS corruption of shared memory issue.
If the FortiGate has been rebooted and is already in the hung state, recovery can be achieved by reloading the firmware image via a TFTP reload.

Lies!
