Category Archives: Firewalls
OpenStack Neutron provides security at two different layers. The first is port-based: when an instance is created, a port is created first, and according to the Security Group assigned to that port you can protect VM-to-VM traffic within the same L2 network. The second is on the router: whenever access between two different networks, or from instances to the internet and/or from the internet to instances, is involved, the firewall rules applied on the router come into play. In other words, like NSX, Neutron provides protection on both the north-south and east-west paths.
Security Groups (SG) are compatible with Nova security groups (NSG); they let you define rules in the ingress and egress directions, apply them to the relevant Neutron ports, and make rule changes in real time.
The behaviour in the ingress direction is that only matched traffic is allowed and everything else is dropped. Egress is the same, except that whenever a new Security Group is created all outbound traffic is allowed.
By default OpenStack has a "default security group" in which all outbound traffic and all traffic within the security group is allowed, while it is closed to all traffic coming from outside.
A Security Group is ultimately an iptables implementation, but the ML2 + OVS integration is a bit complicated: just so that iptables can be applied, a Linux bridge is inserted between OVS and the instance. You can see an example diagram below.
Today we faced a Fortinet web interface becoming unresponsive. We found some articles and expected that killing/restarting httpd would be enough, but we faced policy load issues: for example, trying to list the rules gave an empty response, and after some time the web UI was gone and we needed to restart httpd to access it again.
Then, after some investigation, we saw that the cluster checksum was not consistent (command: diagnose sys ha cluster-csum).
We tried to sync the HA config but did not succeed (command: exec ha synchronize start) (for more please check).
Then, somehow, maybe we did not prioritise it, but on the cluster member whose web interface was working, first the SNMP service stopped responding and then the SSL VPN connections started to fail! At that time, as I remember, we changed the password of the SSL VPN user, but I don't think that helped us; but when we killed sslvpnd the non-responsive Fortinet box magically started to run again. After that we checked the HA checksum, it worked, and SNMP also started to work!
Actually, if we had not tried this (the vendor also said that the related firmware has a bug) we would have had to restart the nodes, and this would cause some downtime. The version is 5.2.6.
A good link for debugging HA: http://kb.fortinet.com/kb/documentLink.do?externalID=FD36494
diag debug enable
diagnose debug console timestamp enable
diag debug application hasync -1
diag debug application hatalk -1
execute ha synchronize start
I expect that you know the pid, but if not you have two ways.
Walter (global) # diag test app snmpd 1
snmpd pid = 161
Option 2 (somehow the related commands do not return the pids of some processes, so start to use fnsysctl):
List the pid files, then get the pid from the related file
Walter (global) # fnsysctl ls /var/run/
Walter (global) # fnsysctl cat /var/run/snmpd.pid
Then execute (somehow diag sys kill 11 <pid_id> does not kill the related pid):
Walter (global) # fnsysctl kill -9 161
That's it!
Since the beginning we have always had trouble with choosing the wrong hardware, developer issues like handling sessions with a single core, then ASIC things; it's always changing, NPx supports something, NPy supports more, and at the end of the day you will always have NPx/y/z/t/u, whatever is released, but cost is another issue; but don't worry, providers always think these are usual things. I hope one day DPDK or another technology will help us to use firewalls without ASICs and without always needing to buy new hardware. (I know you know SDDC, SDN; I also know!)
I know this device is a UTM; UTM is a somehow fancy thing, you know you shouldn't use it, you know what will happen, but you have to because of some situations (for ISPs).
AV issues, IPS engine issues, conserve mode! I don't know how you really protect my device and the network behind it.
Big problem: AV and memory. I still can not understand, from small to bigger devices, why more RAM is not used! Is memory expensive? Or maybe it is still 32-bit! What can't the developers handle?
At the end AV fills the RAM, the whole device is under stress and there are communication issues; BGPs or OSPF are gone! :(((
For AV, it's not working like a Linux service or something? You should kill it! Step by step, each process; disabling AV is not helping every time.
Log in to your device, switch to config global (it is also a command), then execute diagnose sys top to see the processes, press q to leave, and from the console execute diagnose sys kill 11 <process_id>. Here we are using the console because we may get some output; then follow the console for memory usage.
Another issue is the IPS engine, so the understandable command is diag test 🙂 lovely; it's not meaningful for me but meaningful for the developer or whoever maintains the CLI commands:
diagnose test app ipsmonitor
You will see nice options; choose exactly what you want: restart, stop, start, get status.
Also, if you run a cluster, then consider doing the same things on the slave 🙂 To switch to the slave:
- config global
- get system ha status
- exec ha manage 1 (mostly)
Good fixes!
After switching from static routing to dynamic routing with OSPF, the next level is to create redundancy in case one of the OSPF neighbors goes down.
The problem is that with our Fortigate we could not achieve OSPF redundancy with the network routers or L3 devices, so we switched to BGP and succeeded with it.
The architecture is like below: two Juniper MX960 routers and a Fortigate 3600C firewall box. The Fortigate outside interface and one interface from each router are on the same network, like any /29 network; for example MX960-1 xxx.yyy.zzz.1/29, MX960-2 xxx.yyy.zzz.2/29 and FG3600C xxx.yyy.xxx.3/29.
We also have an additional inside network which the servers are behind, for example ttt.yyy.zzz.0/24.
You have to get this information from the network guys; they also have to provide the AS number which we will use in our configuration.
You can do 90% of the configuration from the GUI; you may also need something via the CLI.
On the Fortigate we are using firmware 5.x; the configuration is done under one of the VDOMs. You can access the screens from Virtual Domains: go under the related VDOM and open Router, Dynamic and the BGP section. You can see everything in one screen 😀
Set Local AS to what was provided by your network guys.
Router ID will be your outside interface IP address, in our example xxx.yyy.xxx.3. Neighbors will be the peers; in my example they are the two MXs, xxx.yyy.zzz.1 and xxx.yyy.zzz.2.
No need to set the Networks because I will configure it to advertise all my connected interfaces, but if you want to, you can add the network you want to advertise instead of advertising connected interfaces from the CLI; for example you can add ttt.yyy.zzz.0/24.
Now switch to the CLI of the Fortigate, enter the VDOM (choose your own in place of VDOM1) and enable redistribution of connected networks under BGP:
config vdom
edit VDOM1
config router bgp
config redistribute connected
set status enable
end
end
end
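The same BGP setup as one FortiOS 5.x CLI block, added here as an example and not taken from the post: the AS numbers 65001 (local) and 65000 (the MX side), the VDOM name VDOM1 and the neighbor entries are assumed placeholders, while the addresses are the post's own placeholders.

```fortios
config vdom
    edit VDOM1
        config router bgp
            set as 65001
            set router-id xxx.yyy.xxx.3
            config neighbor
                edit "xxx.yyy.zzz.1"
                    set remote-as 65000
                next
                edit "xxx.yyy.zzz.2"
                    set remote-as 65000
                next
            end
            config redistribute "connected"
                set status enable
            end
        end
    next
end
```

To advertise only ttt.yyy.zzz.0/24 instead of every connected interface, as the post mentions, replace the redistribute block with config network / edit 1 / set prefix ttt.yyy.zzz.0 255.255.255.0 / next / end.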
Also, in our config the network guys additionally configured next-hop-self; a good post about it you can find from this link.
Some useful commands:
Check the neighbors
get router info bgp neighbors
See which next hop is used for a given network
get router info bgp network
See the routing table
get router info routing-table details
Don't forget to test failover scenarios, because BGP convergence time can be slow and you may need to play with the timers; a good explanation about it in the Cisco community may help you.
Take care
Today I faced a stupid network access issue.
I don't know how, but I started to get "no translate group found" between some sources and destinations. After leaving the ASA for a long year, it's really hard to adapt again, but a cool feature which must be used first is Packet Tracer.
Second is NAT 😀 In my config, why do I need a NAT? Back to the NAT screen, and got it!
Please check "Enable traffic through the firewall without address translation", because if not, the ASA seems to try to find some NAT match to allow the access, which is not needed in my config.
This document covers the vShield to CheckPoint VPN configuration.
CheckPoint steps and screenshots are below:
First create the device.
Then create an object for the remote network which covers xx.xx.xx.xx/24, for example, and integrate it with the device.
If you already have some VPN configuration, please add your local network to the related group described under "Manually defined"; if you do not have one, create a group object, add your local network which will make the VPN configuration with the remote site, and set it.
Create a community.
Aggregate the two firewalls.
Configure Phase 1 & 2.
Set the encryption and hash algorithms for phase 1 & 2.
Set the DH Group, PFS and timeout values.
Set the pre-shared key.
Add the rule(s)....
That's it!
Thanks to Cem; you can find many useful articles on his blog http://www.cemkayar.com
vShield Edge and VPN with Fortigate
VPN configuration for the Fortigate is not documented; you can find all of it in this article ....
Please go to the vShield configuration like below: Administration -> Open vDC -> Edge Gateway -> Right click on the related edge device -> Click Edge Gateway Services
The related screen shown below is taken from an already configured one, but first you have to Enable VPN, which you can see on the left side; it's a checkbox!
Quick note for you: if the edge device is not connected to the internet, it is behind some networks, and the outside IP of this edge is private, then you can click the Configure Public IPs section and make a NAT to reach that edge for VPN ...
Before starting, please be careful to write down everything correctly; after you submit the config you do not have a chance to edit it, you have to delete and re-enter everything.
Please click "Add" to configure a new VPN configuration; for the full default settings of phase1 and phase2, check this article. vCloud Director does not show the full configuration like a traditional firewall configuration does.
Give the name and description, which will be an indicator of whom the VPN is to or between.
Establish VPN to: -> because I imagine you will do VPN with a remote network which is not in your provider's vCloud island, select "a remote network".
Choose which internal network will interact with the remote network.
Peer Network: is the remote network block; here we can not set a single IP address, because it looks like vShield does not support it, I will provide info later ... Please use xxx.yyy.zz.ttt/24 or xxx.yyy.zz.ttt/29 and so on ....
Local Endpoint: Leave the default or the desired one.
Local ID: You can set anything here, but I generally set the outside IP address of my edge gateway here; again, this could be a hostname or something which the firewall uses as an indicator for that.
Peer ID: You can set anything here, but I generally set the outside IP address of my remote firewall here; again, this could be a hostname or something which the firewall uses as an indicator for that.
Peer IP: Very important, it should be exactly the outside IP address of the remote firewall with which you will establish the VPN.
Encryption Protocol: Choose the one agreed with the remote site.
Shared Key : like this 123451234512345123451234512345aA
If everything is okay, on the first screen (where you enabled VPN) you should see a check sign.
Generally on vCloud Director you need to wait a little; everything updates slowly and within 5 minutes everything starts to be shown correctly, so do not worry if a status change is not seen correctly.
For vCloud Director providers, to do many things like debugging, logging or something else, use vShield Manager.
For customers, use syslog; it looks like for some debugging you need a syslog, and also the vCloud Director GUI is still not comfortable: for example, if you want to change something you need to delete the whole config and re-enter everything 😀
A good feature: you will get a notification about the VPN tunnel when it's up or down; the mail will be like below
You will also get a down message like the one at the top, and from the vCloud Director GUI you can also see the error message.
Last thing about configuration:
After the VPN config is done you have to do one more thing: from the firewall section you have to create a rule so the remote site can access your network via the VPN, like below ...
Fortigate side screenshots are below ... I'm not explaining anything; Forti guys should also have the knowledge. If there is something you need to learn, please comment or send a mail / tweet from the About page ...
Establishing a VPN between firewalls is sometimes not easy; the two sites need to agree on the settings, and the firewall rules need to match.
I would like to describe the vShield Edge defaults, because not all the information is described and shown on the vCloud Director GUI and also on vShield Manager.
If you are a customer, I advise you to have a syslog server.
If you are an admin on the provider side, please run with vShield Manager logging.
You can be a little confused when you start to configure VPN; the vShield Edge configuration is not like standard firewalls, you can not see the sections for phase1 and phase2 and you don't configure SA lifetimes or other values, and because of that you have to know the default values.
I also advise reading http://www.vmware.com/pdf/vshield_51_admin.pdf
vShield Edge uses/supports:
Phase 1
- Main Mode (for other modes and explanations please read this); no Aggressive Mode
- 3DES/AES (choose the encryption)
- SHA1 (integrity algorithm)
- PSK (pre-shared secret key) and Certificate (for a certificate you have to use the vShield Manager GUI) (I never used it)
- SA Lifetime (28800); no data (kbyte) lifetime
- DH Group 2
Phase 2
- 3DES/AES (choose the encryption) (from the vDirector GUI you will see that the selected one will be used for both phase 1 and 2)
- SHA1 (integrity algorithm)
- ESP Tunnel Mode
- DH Group 2
- SA Lifetime (3600); no data (kbyte) lifetime
- Selectors for all IP protocols, all ports, between the two networks, using IPv4 subnets
- DPD (Dead Peer Detection, also generally selected on the remote side)
It looks like VMware has already tested vShield Edge with Cisco Router/ASA and Watchguard.
My next articles will be VPN between vShield Edge and Fortigate, and vShield Edge and CheckPoint.
I know you do not have enough time, go!!
First activate SSL VPN on the Forti.
You need to create an IP pool which the Forti will assign when people connect; you can see below that the Forti already has such a pre-configured default one. If you want you can use it, or create a new object and set the IP address range you want to assign to the consumers; I generally add a /24 C class.
You need to modify the routing table: add a static route so the Forti knows where it will route the SSL VPN source traffic to reach the target.
Device should be your interface which starts with ssl.
No need to set a default gateway; leave 0.0.0.0, the Forti will handle it.
Distance and priority are not important if you do not have another or a more preferential one.
Portals: I remember that SSL VPN and SSL VPN portals were pushed by Juniper; they have additional SSL VPN boxes to handle these jobs, at extra cost, and what is good in Forti is that there is no need to pay extra for it, but I don't know what Juniper does now!
Portals are what the customer/user sees when they log in; the applications are also important because they affect how you configure the widgets later on.
Set the name and the applications you need; actually I used it only to use it in rules. After all changes, please don't forget to click Apply at the top-left.
Please set the IP range to the portal you created in the second step, like below, and click OK (click Edit on IP Pools and choose IP Mode as Range); after all changes, please don't forget to click Apply at the top-left.
Create Users ….
Create a group and assign the user and the portal to the group; to do it, click SSL-VPN Access, choose the portal from the drop-down, and move the user to the right side.
Last 2 steps …
First you need to create the auth rule; via this we will do the authentication: you decide which IP address, which destination, which group, which services, and go!
And the last thing:
Where these customers/users are allowed to access: you need to write a rule from the network assigned by the Forti to the customer to the target they need to access.
Let's try; the link should be like below if you did not change the port number in the first step. Give the username and password and try to access.
I wrote forti.out.site.ip; this is the outside IP of the Forti or the related VDOM outside IP.
For extra and more information, maybe you would like to check out