Monday, July 31, 2017

cli audit logs fortiOS

Playing around in FortiOS v5.6, we have the ability to log CLI commands. This gives you a means for tracking the CLI commands that were issued.


To enable this feature you need to run "set cli-audit enable" under "config system global".



Log messages are keyed by the action (execute, edit, delete, etc.). This is great and provides a simple audit trail.

You can use a combination of "execute log filter field" values to track a user, e.g.:

execute log filter field user kfelix

 

So keep this feature in mind if you need to track user command executions.


Note: commands executed via the hidden fnsysctl or diagnostic commands are not displayed in the audit logs.
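Here's an added example, my own Python rather than anything from FortiOS or this post, that does off-box what "execute log filter field user kfelix" does on the box: it filters exported key=value log lines by a field and rolls up the actions per admin. The sample lines are constructed; the user=, action= and msg= field names follow the FortiOS key=value layout, but the exact CLI-audit event fields are an assumption.

```python
"""Filter FortiOS-style key=value log lines by field, e.g. user=kfelix.

Added example, not code from the post. It mirrors 'execute log filter field
user kfelix' but runs over exported/syslog'd lines. SAMPLE_LOGS is constructed;
field names follow the FortiOS key=value layout, exact audit fields assumed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# key="quoted value" (quotes may contain spaces and \" escapes) or key=bare_value
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample events; field names assumed, not copied from a real FortiGate.
SAMPLE_LOGS = [
    'date=2017-07-31 time=10:02:11 type="event" subtype="system" level="notice" '
    'user="kfelix" ui="ssh(10.1.1.5)" action="execute" '
    'msg="execute log filter field user kfelix"',
    'date=2017-07-31 time=10:03:40 type="event" subtype="system" level="notice" '
    'user="admin" ui="ssh(10.1.1.9)" action="edit" msg="config system global"',
    'date=2017-07-31 time=10:05:02 type="event" subtype="system" level="notice" '
    'user="kfelix" ui="ssh(10.1.1.5)" action="delete" '
    'msg="delete address \\"old-host\\""',
]


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict; surrounding quotes are stripped."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def filter_by_field(lines: Iterable[str], field: str, value: str) -> List[Dict[str, str]]:
    """Keep records whose <field> equals <value>, like the CLI's 'field <name> <value>'."""
    return [rec for rec in map(parse_fortios_line, lines) if rec.get(field) == value]


def actions_per_user(lines: Iterable[str]) -> Dict[str, Counter]:
    """Quick audit rollup: for each admin, how many execute/edit/delete events."""
    rollup: Dict[str, Counter] = {}
    for rec in map(parse_fortios_line, lines):
        if "user" in rec and "action" in rec:
            rollup.setdefault(rec["user"], Counter())[rec["action"]] += 1
    return rollup


if __name__ == "__main__":
    for rec in filter_by_field(SAMPLE_LOGS, "user", "kfelix"):
        print(rec["time"], rec["action"], rec["msg"])
    print(actions_per_user(SAMPLE_LOGS))
```

Point it at a syslog export of the event logs and the same two functions give you one admin's command history and a per-admin count of edits and deletes, which is the review you'd want after a change window.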






Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \







Sunday, July 30, 2017

entrustIDguard license usage and tracking

With the Entrust IdentityGuard solution, you have a simple means for alerting on license counts.

By logging into the IdentityGuard server, you can easily see the licenses in use by navigating to the System and License tab.



By enabling log alerts from the Properties Editor, you can easily send email alerts similar to the one below.



You can set the threshold percentage for alerting; the default is within 15% of the max count. By clicking the "?" marks you can find the details, e.g.:

https://<address>:8444/IdentityGuardPropertiesEditor/PropertiesEditor.do#id0x3b07200

item#10



This will help with alerting when the counts are near the max, and can provide proactive alerts before your license count is exceeded.

Ken Felix


Saturday, July 29, 2017

custom-log fields fortiOS

Logging in FortiOS is good for the most part.

I want to post about custom log fields, logging the policy comment section, and CEF logging output.

Custom fields have been around for a while. They allow you to set fields in the log message that you can apply to a firewall policy.

A policy with "set logtraffic all" will include these additional fields. Here's the quick and dirty means for enabling custom fields:








Here's the difference in how the custom field is displayed between the local log disk and FortiAnalyzer:





You can also add one or more custom fields to a firewall policy:


Using custom fields can leverage reporting for traffic hitting a firewall policy. Under FortiOS 5.6 you can also log firewall policy comments.

Keep in mind that logging custom fields to FAZ is not enabled by default. You have to set the custom log field on the FortiAnalyzer, and I don't believe you can log multiple custom fields in FAZ.












Ken Felix

public certificate for ssh FortiOS

Here's how you enable a PEM public certificate for SSH authentication with a FortiGate.

You can use a public or privately signed certificate for SSH authentication, with the SSH client using the certificate's private key.

Here are the steps, in order, to use the X.509 certificate component for SSH clients:

1: Draft a certificate signing request and have the certificate signed. In my case the CN value was simplified to "kenfelix". This value DOES NOT NEED TO MATCH THE LOCAL ACCOUNT NAME USED ON THE FORTIGATE, but it helps from an audit and management standpoint.



2nd: You need to import that certificate into the FortiGate. I prefer to import it as a PKCS12 and let it be.





3rd: Now you can define the system admin name and select the certificate that you imported, as shown above or below.











NOTE: On the certificate side, I like to upload the CA certificate if you are the signer of the actual system admin certificate, but this is optional and not required.


4th: Now for the actual SSH client, you only need the private key component from the certificate. This should be in PEM format, by the way.

e.g. (an encrypted RSA private key based on the above certificate named "kenfelix"):

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2FD1E9D43D98C8AB
(encrypted key body omitted)
-----END RSA PRIVATE KEY-----



The easiest and laziest approach would be to take a PFX file and output the cert and private key into a single file, or just extract the private key.


At this point, you could put a passphrase on the private key, which would challenge you every time you start the SSH client session; this is shown above with the DES-encrypted key.



Here's a means for extracting the private key along with the certificate using openssl:









Okay, now you can test the access by using the file named "myfile.pem" and the "-i" switch with OpenSSH or your SSH client, e.g.:

NOTE: if your private key is encrypted, then you must enter the passphrase for the private key, e.g.:





Ken Felix






Tuesday, July 25, 2017

FTNT CSB-170616-1 bye bye bye

If you missed this, the standalone VPN client days are finished.


FTNT CSB-170616-1

This customer service bulletin is, very simply put, "use FortiClient and its VPN components".



Ken Felix



 

Sunday, July 23, 2017

AWS subnet concerns

When laying out an AWS VPC you will need to select a CIDR block for that VPC.

It is critical that you ensure your VPC subnets will not collide or overlap with any other VPCs or with your local on-prem corporate networks.

Take this simple multi-region layout, with VPCs allocated on /20 boundaries:



These three containers (VPCs) are reachable back to Corp via Direct Connect. Alternatively they could be IPsec VPN tunnels. Direct Connect would eliminate any IPsec configuration, MTU issues, and complexity.

At the HQ these connections could easily be terminated at a security edge device, or a gatekeeper for the entry point into AWS and the respective VPC.

Traffic between regions could be carried via the AWS backbone or an internet IPsec connection. Traffic could indeed travel to customer VPCs held in another AWS account.




Network layout and subnet allocations need to be carefully crafted and thought out. Bad design up front could lead to duplicate networks, complexity, and/or poor network routing in or out of the AWS instances.

Key checkpoints:

  1. Have a plan.
  2. Have an IP management solution like ipplan (http://iptrack.sourceforge.net/) or similar.
  3. Try to ensure room for growth, for now and the future.
  4. Maintain IPv4 address boundaries and contiguous networks from a routing standpoint.
  5. Be aware of the maximum number and sizes of CIDRs.
  6. Don't overlook any local on-prem networks and what might need access, both locally and remotely.
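As an added example (mine, not from the post or AWS), here's a Python check that catches the things the checkpoints above are about before a VPC is created: overlapping ranges (VPC vs. VPC and VPC vs. on-prem), CIDRs that aren't on a boundary or are outside the VPC size limit, and how much contiguous room is left for growth. The plan is constructed, and the /16 to /28 size bound is AWS's documented limit as I know it, so treat it as an assumption to re-verify against current docs.

```python
"""Check a VPC / on-prem address plan for overlaps, bad boundaries and growth room.

Added example, not from the original post or AWS. ADDRESS_PLAN is constructed
(/20 VPCs as in the post, two corporate ranges, one deliberate collision).
The /16../28 VPC CIDR size limit is AWS's documented bound as assumed here.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28   # assumed AWS limit: a VPC CIDR is /16 .. /28

# Constructed plan: name -> CIDR.
ADDRESS_PLAN: Dict[str, str] = {
    "corp-hq":       "10.0.0.0/16",
    "corp-dc2":      "10.1.0.0/16",
    "vpc-us-east-1": "10.16.0.0/20",
    "vpc-us-west-2": "10.16.16.0/20",
    "vpc-eu-west-1": "10.16.32.0/20",
    "partner-vpc":   "10.16.40.0/22",   # deliberate collision with vpc-eu-west-1
}


def vpc_cidr_problems(cidr: str) -> List[str]:
    """Return human-readable problems with one VPC CIDR (empty list = fine)."""
    try:
        net = ipaddress.ip_network(cidr)   # strict: host bits set -> ValueError
    except ValueError:
        return [f"{cidr}: not on a network boundary (host bits set)"]
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        return [f"{cidr}: /{net.prefixlen} is outside /{VPC_MIN_PREFIX}../{VPC_MAX_PREFIX}"]
    return []


def find_overlaps(plan: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every pair of named ranges that overlap, including VPC vs. on-prem."""
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in plan.items()}
    hits = [tuple(sorted((a, b)))
            for (a, na), (b, nb) in combinations(nets.items(), 2) if na.overlaps(nb)]
    return sorted(hits)


def free_blocks(supernet: str, plan: Dict[str, str], new_prefix: int) -> List[str]:
    """/new_prefix blocks inside supernet that no planned range touches (room to grow)."""
    used = [ipaddress.ip_network(c, strict=False) for c in plan.values()]
    return [str(b) for b in ipaddress.ip_network(supernet).subnets(new_prefix=new_prefix)
            if not any(b.overlaps(u) for u in used)]


if __name__ == "__main__":
    for name, cidr in ADDRESS_PLAN.items():
        if name.startswith("vpc-"):
            for problem in vpc_cidr_problems(cidr):
                print("size:", name, problem)
    for a, b in find_overlaps(ADDRESS_PLAN):
        print("overlap:", a, b)
    print("free /20s in 10.16.0.0/18:", free_blocks("10.16.0.0/18", ADDRESS_PLAN, 20))
```

Run it against the plan and it reports the partner-vpc collision and that only one /20 is left in the 10.16.0.0/18 AWS carve-out, which is exactly the "growth" and "don't overlook on-prem" conversation you want before the first VPC exists rather than after.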


Ken Felix



 

Saturday, July 22, 2017

CONTROL EXTERNAL ACCESS to a F5 VS data-group

HOWTO

Restrict access to a website by external source address, using an LTM data-group.



1st, craft a data-group and specify the network CIDR blocks:


ltm data-group MYAPPROVEDNETS {
    records {
        6.1.9.0/17 { }
        195.3.1.0/20 { }
        1.1.1.1/32 { }
        10.17.1.0/24 { }

    }
    type ip
}


2nd, build a simple iRule and reference the data-group for the client address:



ltm rule MYACCESSRULE {
    when CLIENT_ACCEPTED {
        # drop the TCP connection unless the client address is in the data-group
        if { not ( [class match [IP::client_addr] equals MYAPPROVEDNETS] ) } {
            reject
        }
    }

    when HTTP_REQUEST {
        switch [HTTP::host] {
            "GHjdev.examples.com" {
                persist cookie insert "HjDEVWEBS01" "1d 00:00:00"
                pool pool.GHjdev.examples.com
            }
            "GHjdev-admin.examples.com" {
                persist cookie insert "HjDEVWEBS03" "1d 00:00:00"
                pool pool.GHjdev-admin.examples.com
            }
            "GHjtest-admin.examples.com" {
                persist cookie insert "HjDEVWEBS02" "1d 00:00:00"
                # send straight to a node; "set node ..." would only set a Tcl variable
                node 10.1.1.13 80
            }
            "dfdev.examples.com" {
                persist cookie insert "HjDEVWEBSx2" "1d 00:00:00"
                snatpool POOLSNAT01
                pool pool.dfdev.examples.com
            }
        }
    }
}


NOTE: so the above examples.com websites will only allow connections from the sources defined by the data-group.
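Added example, mine and not F5 code: the same allow-list decision modelled in Python so you can unit-test the data-group before it lands on the BIG-IP. It also flags records that don't sit on a prefix boundary; how the model treats those (dropping the host bits) is an assumption, and the point is that "6.1.9.0/17" is really 6.1.0.0/17, much wider than it reads. The client addresses in the usage are constructed.

```python
"""Model an LTM 'type ip' data-group lookup so the allow-list can be tested off-box.

Added example, not F5 code and not from the original post. It mirrors the
'class match [IP::client_addr] equals MYAPPROVEDNETS' decision in Python.
The records are the post's data-group; the client addresses tested are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Records exactly as written in the post's data-group.
MYAPPROVEDNETS = ["6.1.9.0/17", "195.3.1.0/20", "1.1.1.1/32", "10.17.1.0/24"]

Network = ipaddress.IPv4Network


def load_data_group(records: Iterable[str]) -> List[Network]:
    """Parse records as networks. strict=False drops host bits the way a mask does;
    that is this model's assumption about how a non-aligned record behaves."""
    return [ipaddress.ip_network(r, strict=False) for r in records]


def non_aligned(records: Iterable[str]) -> List[Tuple[str, str]]:
    """(written, effective) pairs for records whose prefix is not on a boundary.
    Review these: '6.1.9.0/17' is effectively 6.1.0.0/17, far wider than it reads."""
    out = []
    for r in records:
        eff = ipaddress.ip_network(r, strict=False)
        if str(eff) != r:
            out.append((r, str(eff)))
    return out


def client_allowed(addr: str, nets: List[Network]) -> bool:
    """True when the client address falls inside any record."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def decide(addr: str, nets: List[Network]) -> str:
    """What the CLIENT_ACCEPTED branch does: 'reject' outside the list, else carry on."""
    return "accept" if client_allowed(addr, nets) else "reject"


if __name__ == "__main__":
    nets = load_data_group(MYAPPROVEDNETS)
    for written, effective in non_aligned(MYAPPROVEDNETS):
        print(f"review: {written} is effectively {effective}")
    for client in ("10.17.1.77", "1.1.1.2", "6.1.100.7", "192.0.2.10"):   # constructed
        print(client, "->", decide(client, nets))
```

The non_aligned() report is the part worth running before every data-group change: a record that isn't on its prefix boundary is ambiguous to the reader, and the effective range is the one the allow-list actually enforces.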



ALTERNATIVELY, you could use mutual SSL authentication so that only web users with a valid cert can access the website. This is smarter in the long run, since you don't have to worry about web clients that change address on a regular basis.


Using this approach you could stand up DEV or UAT environments and allow only trusted networks access to them.


Reference: a typical design with multiple pools that make up various sites, and a dev team in two network spaces.



Ken Felix






Friday, July 21, 2017

Finding traffic that's hitting a F5 vip via IRule

So let's say you have traffic hitting an F5 virtual server, but you want to find out who is hitting it and what URI they are asking for. You can put a log statement inside an iRule defining what you want to log (source address, Host header, URI), e.g.:


e.g

ltm rule HOSTSWITCHER {
    when HTTP_REQUEST {
        switch [HTTP::host] {
            "mysite.mydomain.com" {
                persist cookie insert "c00k3yM0nst3r" "7d 00:00:00"
                log local0. "The site name [HTTP::host] and uri [HTTP::uri] is hitting the mysite.mydomain.com"
                pool mysite.mydomain.com_pool
            }
            default {
                # anything not matched above: log host, URI and client so stray names show up
                log local0. "The site name [HTTP::host] and uri [HTTP::uri] and client's address [IP::client_addr] is hitting the default"
                persist cookie insert "de3fAUlt" "1d 00:00:00"
                pool default_pool
            }
        }
    }
}


This helps to find DNS entries that could be left over and still pointing to your public address. By generating a log message for the host and/or URI you can easily debug leftover or bad configurations.

The F5 LTM logs will show something similar to this:
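Added example (my Python, not F5's) showing what you do with those log lines once you have them: parse the default-branch messages and count the Host headers and client addresses hitting the catch-all pool, which is where leftover DNS names show up. The log lines are constructed; the "Rule /Common/<rule> <EVENT>: message" shape is my assumption of the /var/log/ltm layout, and the message text is the one the iRule's default branch emits.

```python
"""Roll up what the HOSTSWITCHER default branch logged, to spot stale DNS names.

Added example, not F5 code and not from the original post. LTM_LOG_LINES are
constructed in the shape assumed for /var/log/ltm iRule log statements
('Rule /Common/<rule> <EVENT>: <message>'); the message text is the one the
post's default branch emits.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

# Constructed log lines (RFC 5737 documentation addresses).
LTM_LOG_LINES = [
    "Jul 21 09:12:01 bigip1 info tmm[1234]: Rule /Common/HOSTSWITCHER <HTTP_REQUEST>: "
    "The site name mysite.mydomain.com and uri /login is hitting the mysite.mydomain.com",
    "Jul 21 09:12:07 bigip1 info tmm[1234]: Rule /Common/HOSTSWITCHER <HTTP_REQUEST>: "
    "The site name oldsite.mydomain.com and uri / and client's address 203.0.113.7 is hitting the default",
    "Jul 21 09:13:30 bigip1 info tmm1[1235]: Rule /Common/HOSTSWITCHER <HTTP_REQUEST>: "
    "The site name oldsite.mydomain.com and uri /robots.txt and client's address 198.51.100.4 is hitting the default",
    "Jul 21 09:15:02 bigip1 info tmm[1234]: Rule /Common/HOSTSWITCHER <HTTP_REQUEST>: "
    "The site name 192.0.2.25 and uri /wp-login.php and client's address 203.0.113.7 is hitting the default",
]

# The default branch logs host, URI and client; \s+ tolerates the doubled spaces in the
# iRule's string, so the same pattern works on the unmodified rule too.
_DEFAULT_RE = re.compile(
    r"The site name\s+(?P<host>\S+)\s+and uri\s+(?P<uri>\S+)\s+and client's address\s+"
    r"(?P<client>\S+)\s+is hitting\s+the default"
)


def parse_default_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One dict (host, uri, client) per request that fell through to the default pool."""
    hits = []
    for line in lines:
        m = _DEFAULT_RE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits


def hosts_hitting_default(lines: Iterable[str]) -> Counter:
    """Host header -> count. A real name here is a DNS record still pointing at the VIP;
    a bare IP is a client that addressed the VIP directly. Both want a look."""
    return Counter(h["host"] for h in parse_default_hits(lines))


def clients_per_host(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Which client addresses asked for each unexpected host (who to follow up with)."""
    out: Dict[str, Set[str]] = {}
    for h in parse_default_hits(lines):
        out.setdefault(h["host"], set()).add(h["client"])
    return out


if __name__ == "__main__":
    for host, n in hosts_hitting_default(LTM_LOG_LINES).most_common():
        print(f"{n:4d}  {host}  from {sorted(clients_per_host(LTM_LOG_LINES)[host])}")
```

Feed it "grep HOSTSWITCHER /var/log/ltm" over a day and the top of the list is your cleanup queue: names to remove from DNS, or hosts that deserve their own switch arm instead of the default pool.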



Ken Felix





Wednesday, July 19, 2017

TLS1.3 support

So TLS v1.3 has been out for some time. You can navigate to various sites that support TLS v1.3 and check the connection status for support, but typically your browser needs to be enabled for this new TLS version.


Common browsers like Firefox require you to navigate to about:config, search for the TLS security settings, and set the max version to "4". Other browsers are similar to some degree.



example:



Now validate using mail.google.com (yes, Google supports TLS v1.3):



vs. 1.2:




If you mistakenly set TLS v1.3 support with no fallback, you will start seeing the following connection errors for known working websites.



So what's all the talk about TLS v1.3?

A simplified handshake that speeds up the delivery of the first byte sent for a website. So speed is one major change.


1: example of the TLS handshake improvement


2: Improvements overall, and with ciphers compared to TLS v1.2

 https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3_.28draft.29


So what are the major issues that can come up?

  1. It is very new and needs experimentation and trials by the internet community before people become comfortable with it.
  2. Most existing systems don't have support for it.
  3. Most management interfaces for IT gear have no awareness of TLS v1.3.
  4. Most IT support staff, from network to security engineers, have no working knowledge of TLS, much less the latest version.
  5. Various SSL deep-inspection hardware can break.
  6. Some forward proxies, if not updated, will break.


Ken Felix









Sunday, July 16, 2017

Understanding the BIG-IQ restore process

Here are some tips on BIG-IQ restore.

1st, it works great, but you need to know a few items:


A: If you restore the active F5 it will swap roles to "standby". This is a standard function.







B: The unit will go offline and disconnect while the restore takes place.






C: Then a oneline disconnect.



D: You will probably need to do a config sync.


During the restore the bigstart process will restart, but the system will not reboot.

E: If you try to restore the same file twice you will see the following error:








Ken Felix





Thursday, July 6, 2017

Cisco ACS 5.8 patch

Well, our report monitoring tool hasn't been working with various browsers.

So our Cisco ACS needs to be patched in order to get our monitoring tool up and running.

1st step was to execute a backup on the primary ACS.

My repository was named TAC:

acs backup  TEXT01 repository  TAC JUN062017BACKUP

2nd, we copy the GPG patch bundle to the host that holds the repository TAC:

scp ./5-8-0-32-7.tar.gpg  ken.felix@1.1.1.1:

3rd, from within the Cisco ACS, we only need to execute the ACS patch install against the repository and the patch bundle name:

CISCOACSSERVER01/adminacsuser# acs patch  install  5-8-0-32-7.tar.gpg repository  TAC
 md5: ae3c92ed519471319132dfdbe9982d1a
 sha256: 62bd5e42f22c9f7e4c65480ffef8b8b46ac073e50ce6e92ae6940665c8080174
% Please confirm above crypto hash matches what is posted on Cisco download site.
% Continue? Y/N [Y] ? Y
Installing ACS patch requires a restart of ACS services. Continue?  (yes/no) yes
Calculating disk size for /opt/CSCOacs/patches
Total size of patch files are 1763 M.
Max Size defined for patch files are 2000 M.
Stopping ACS.
Stopping Management and View............................................................./opt/CSCOacs/bin/acs-for-cars-cli: line 58: kill: (7633) - No such process
..
Stopping Runtime........
Stopping Database.......
Stopping Ntpd...
Cleanup...
Stopping log forwarding .....
Installing patch version '5.8.0.32.7'
Installing ADE-OS 2.0 patch.  Please wait...
About to install files
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Installing PBIS patch.  Please wait...
Installing TCP kernel patch.  Please wait...
nstalling new NSS.  Please wait...
This patch includes security fixes which requires ACS server reboot. It is highly recommended to proceed with reboot
Do you want to reboot the server ? Y/N : y
You have choosen to reboot the server, Rebooting ...


The system is going down for reboot NOW!
/opt/CSCOacs/patches/5-8-0-32-7
Patch '5-8-0-32-7' version '5.8.0.32.7' successfully installed
Starting ACS ....

To verify that ACS processes are running, use the
'show application status acs' command.
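Added example (mine, not Cisco's) for the "Please confirm above crypto hash" step: compute the digests of the downloaded bundle and compare them to the published values before copying it into the repository, rather than eyeballing two hex strings on the console. The ACS digests are the ones the installer printed above; the demo file is constructed, so it is checked against its own well-known digests.

```python
"""Verify a downloaded patch bundle against the digests the vendor publishes.

Added example, not from the original post or Cisco. The installer prints md5
and sha256 and asks you to confirm them against the download site; this does
that comparison before the file goes into the repository. ACS_PATCH_DIGESTS
are the values the installer printed in the post; the demo file is constructed.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict

# Digests printed by 'acs patch install 5-8-0-32-7.tar.gpg' in the post.
ACS_PATCH_DIGESTS = {
    "md5": "ae3c92ed519471319132dfdbe9982d1a",
    "sha256": "62bd5e42f22c9f7e4c65480ffef8b8b46ac073e50ce6e92ae6940665c8080174",
}

# Well-known digests of the constructed demo content b"abc".
ABC_DIGESTS = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

_CHUNK = 1 << 20  # read 1 MiB at a time; the ACS bundle is around 1.7 GB


def file_digests(path: str) -> Dict[str, str]:
    """Stream the file once and return both digests in lowercase hex."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(_CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_patch(path: str, expected: Dict[str, str]) -> bool:
    """Every published digest must match. sha256 carries the weight; md5 is checked only
    because the vendor prints it. compare_digest avoids short-circuit timing differences."""
    if "sha256" not in expected:
        return False  # refuse to trust md5 alone
    actual = file_digests(path)
    return all(hmac.compare_digest(actual.get(alg, ""), value.lower())
               for alg, value in expected.items())


def write_temp(data: bytes) -> str:
    """Write constructed bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".tar.gpg")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def remove_temp(path: str) -> bool:
    """Delete the temp file; True if it was there."""
    if os.path.exists(path):
        os.remove(path)
        return True
    return False


if __name__ == "__main__":
    demo = write_temp(b"abc")
    try:
        print("demo vs its own digests:", verify_patch(demo, ABC_DIGESTS))          # True
        print("demo vs ACS digests:    ", verify_patch(demo, ACS_PATCH_DIGESTS))    # False
    finally:
        remove_temp(demo)
```

For the real bundle, call verify_patch("5-8-0-32-7.tar.gpg", ACS_PATCH_DIGESTS) on the jump host before the scp; a False there means you stop and re-download, not answer "Y" at the installer prompt.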



4th: Now sit back and wait for it to come back up ;)


5th: Log into the Cisco ACS, go to > About, and validate that the patch level is correct.






Finally, run through the logs and accounting and ensure AAA clients are authenticating.

Remember to repeat the above on the secondary if you have dual Cisco ACS servers.


;)