Category Archives: Firewalls

Openstack Security Group ve FWaaS , sadece cli !

Openstack neutron iki farkli katmanda guvenlik saglar. Ilki port bazli ki instance yaratilirken oncelike port yaratilir ve bu port’a atanan Security Group dogrultusunda VM-to-VM ayni L2 networkunde dair koruma saglayabilirsiniz. Ikincisi ise Router uzerinde, ne zamanki iki farkli network’u veya instance’lari internet’e ve/veya internet’den instance’lara dogru erisim soz konusu oldugunda Router uzerinde uygulanan firewall kurallari devreye girer. Baska bir deyisle Neutron NSX gibi kuzey-guney ve bati-dogu yollari uzerinde koruma saglar.

Security Groups

Security Group(SG), nova security group(NSG) uyumludur, ingress(giris)/egress(cikis) yonunde kural tanimlamanizi bunuda ilgili neutron portlarina uygulamaniza, gercek zamanli kural degisiklikleri uygulamaniza izin verir.

Davranis sekli giris yonunde sadece matched(uyan) aksi taktirde drop. Egress keza ayni fakat her yeni Security Group yaratildiginda disariya dogru tum trafik izinlidir.

Openstack uzerinde varsayili olarak “default security group” mevcut olup disa dogru tum trafik , security group icersinde tum trafik izinli olup disardan gelecek tum trafige karsi kapalidir.

Security Group sonuc olarak bir iptables uyarlamasidir fakat ML2 + OVS entegrastonu biraz karisiktir ve sirf iptables uygulanabilsin diye OVS ile instance arasinda linux bridge entegre edilmistir, ornek bir cizimi asagida gorebilirsiniz.

screen-shot-2016-10-18-at-11-25-05

Read the rest of this entry

sslvpnd can cause ha sync /Webinterface unresponsive issue? -another Fortinet story-

Today we faced Fortinet web interface become unresponsive,  we find out some articles and expect that killing/restarting httpd will be enough but we faced policy load issues for example try to list rules but we have empty response and after some time its gone and need to restart httpd to access webui again.

Then after some investigation we saw that cluster checksum is not consistent (command:diagnose sys ha cluster-csum)

Tried to sync ha config but not succeed (command:exec ha synchronize start) (for more pls check)

Then somehow we maybe did not prioritise  but cluster member which web interface is working but first snmp service stop response and then sslvpn connections are start to not work ! in this time what i remember we changed the password of sslvpn user but i don’t think that this help us but when we kill the sslvpnd magically non-responsive fortinet box become to run , after all checked ha csum its worked and snmp also start to work !

Actually if we did not try this (also vendor said that related firmware have a bug) we have to restart nodes and this will cause some downtime  . Version is 5.2.6

Some good link for debugging ha http://kb.fortinet.com/kb/documentLink.do?externalID=FD36494

diag  debug enable
diagnose  debug  console  timestamp enable
diag debug application hasync -1
diag debug application hatalk -1
execute ha synchronize start

When you can not kill process gently -another Fortinet story-

I expect that you know the pid but if its not you have two ways

Option 1

Walter (global) # diag test app snmpd 1

snmpd pid = 161

Option 2 (somehow related commands are not return some processes pids, then start to use fnsysctl )

List pid files then get pid id from related file

Walter (global) # fnsysctl ls /var/run/

Walter (global) # fnsysctl cat /var/run/snmpd.pid

161

Then execute (somehow diag sys kill 11 <pid_id> do not kill related pid)

Walter (global) # fnsysctl kill -9 161

thats it !

When Fortigate ips engine and AV engine fuck everything !

Since the beginning we have always trouble about choosing wrong hardwares , developer issues like handle sessions with single core , then ASIC things , its always changing  NPx support something NPy support more , end of the day you will always have NPx/y/z/t/u what released but cost is another issue but don’t worry providers always things these are usual things. Hope one day with DPDK or another technology will help us to use firewalls without ASICs and without need always buy new hardwares. (I know you know SDDC , SDN also i know ! )

I know this device is UTM , UTM is somehow fancy things, you know you shouldn’t use , know what will happen but you have to because of some situations (for ISPs)

AV issues , IPS engine issues , conserve mode ! I don’t how you really protect my device and network behind

Big problem AV and memory , still can not understand small to bigger devices why more ram is not used ! Memory is expensive ? or maybe still 32 bit ! What developers can’t handle ?

at the end AV full the ram , whole device under stress and communication issues , BGPs or OSPF are gone ! :(((

For AV its not working like a linux services or something ? you should kill it ! Step by Step , each process , disabling AV is not helping every time

Login your device , switch to config global (it is also command ) then execute diagnose sys top see the processed press q and leave to console execute diagnose sys kill 11 <process_id> . Here we are using because maybe some outputs we could have then fallow console for mem usage.

Another issue is ips engine , so understandable command diag test 🙂 lovely , its not meaningful for me but meaningful for developer or who maintain cli commands

diagnose test app ipsmonitor

You will see nice options and choose what you exactly want , restart , stop , start , get status

Also if you run cluster then consider do same things on slave 🙂 to switch slave

  • config global
  • get system ha status
  • exec ha manage 1 (mostly)

Good fixes !

VM

Dynamic Routing BGP Configuration for FortiGate

Hello All,

After switching static routing to dynamic routing with OSPF next level is create redundancy if one of the OSPF neighbor goes down.

Problem is with our Fortigate we can not achive OSPF redundancy with the network routers or L3 devices, then we switched to BGP and success about it.

Architecture is like below , two Juniper MX960 routers and a Fortigate 3600c firewall box. Fortigate outside interface and one interface from each routers are on same network like any /29 network for example ; MX960-1 xxx.yyy.zzz.1/29 , MX960-2 xxx.yyy.zzz.2/29 and FG3600C xxx.yyy.xxx.3/29

Also we have additional network for inside which servers are behind for example ttt.yyy.zzz.0 /24

You have to provide this information’s from network guys also they have to provide AS number which we will use it in our configuration

BGP_F_MX

You can do the %90 configuration from GUI also maybe need something via CLI.

On fortigate we are using firmware 5.x , configuration is done under one of the VDOM. You can access the screens from Virtual Domains and go under related VDOM, open Router , Dynamic and BGP section. You can see everything in one screen 😀

Screen Shot 2014-01-08 at 15.31.10

Set Local AS what provided from your network guys
Router ID will be your outside interface ip address in our example xxx.yyy.xxx.3Neighbors will be the peers in my example they are two MXs xxx.yyy.zzz.1 and xxx.yyy.zzz.2
No need to set the Networks because i will configure to advertise all my connected interfaces but if you want to you add the network want to advertise instead of advertise connected interface from CLI for example you can add ttt.yyy.zzz.0 /24

Now switch to CLI of Fortigate

config vdom
edit VDOM1 (choose your one)
config router bgp

end then execute this things

config redistribute connected

set status enable

end

Also in our config network guys extra configured next-hop-self configuration, a good post you can find from this link.

Some useful commands ;

Check the neighbors

get router info bgp neighbors

See the for such network which next hop is used

get router info bgp network

See the routing table

get router info routing-table details

Don’t forget to test failover scenarios because BGP converge time can be slow , need to play with timers, a good explanation about it in cisco community maybe can help you

Take a Care
VM

A stupid problem – No translate group found on Cisco ASA Firewall

Today i faced stupid network access issue
I don’t know how but i started to get no translate group found between some of source and destinations. After leave the ASA for a long year, its really hard to adapt again but a cool feature which must be used at first time , its Packet Tracer

Screen Shot 2013-01-11 at 8.47.35 PM

Second is NAT 😀  In my config why i need a NAT , back to the NAT screen and got it !

Screen Shot 2013-01-11 at 9.00.54 PM

Pls check the Enable traffic through the firewall without address trasnlation, because if not ASA looks like try to find out some nat matches to allow access which is not needed in my config.

VM

VPN Config vShield Edge to CheckPoint

This document is covering vShield to CheckPoint VPN configuration.

vShield defaults are on such article,  for configuration on vShield side you can get reference from this article.

CheckPoint steps and screenshots are below ;

First create the device 

 

Then create an object for remote network which cover xx.xx.xx.xx/24 for example and integrate it with device

 

if you already have some vpn configuration before pls add you local network on related group which is described on Manually defined , if you do not have create one group object and add your local network which will make a vpn configuration with remote site and set it

 

Create a community 

 

Aggregate two firewalls 

Configure Phase 1 & 2

Set encryption and has algorithm for phase 1 & 2

Set DH Group , SPF and timeout values 

 

Set pre-shared key

 

Add a rule(s)….

 

Thats it !

Thanks to Cem , you can find out many useful articles on his blog http://www.cemkayar.com

VM

VPN Config vShield Edge to Fortigate

vShield Edge and VPN with Fortigate

VPN configuration for Fortigate is not documented you can find out all on this article ….

Please go to vShield configuration like below Administration -> Open vDC –> Edge Gateway -> Right click on right edge device –> Click Edge Gateway Services

Related screen show below taken from already configured one , but first you have to Enable VPN which you can see on left site , its a checkbox !
Quick not for you, if edge device is not connected internet and its behind of some networks and outside of this edge ip is private then you can click Configure Public IPs section and make a nat for reach that edge for VPN …
Before start please be careful to write down everything correct after submit config you do not have a chance to edit it, you have to delete and re-enter everything

Please click a “Add” for configure new VPN configuration , for phase1 and phase2 full settings defaults check this article. vCloud Director do not show full configuration like traditional firewall configuration.

Part 1

Give the name and description which will be indicator about VPN to whom or between
Establish VPN to : –> because of i imagine you will do VPN with remote network which is not in your provider vCloud island , selected a remote network
Choose which internal network will be interact with remote network
Peer Network : is remote network block, here we can not set single ip address, because looks like vShield not supporting it, i will provide infer later … Please use xxx.yyy.zz.ttt./24 or xxx.yyy.zz.ttt./29 bla bla ….
Local Endpoint : Leave default or desired one
Local ID : You can set any here, but i generally set ip address of my edge gateway outside ip here , again this could be hostname something which firewall use indicator for that
Peer ID :  You can set any here, but i generally set ip address of my remote firewall outside ip here , again this could be hostname something which firewall use indicator for that

Part 2

Peer IP : Very important, it should be exactly the remote firewall outside ip address which you will establish VPN
Encryption Protocol : Choose agreed one with remote site
Shared Key : like this 123451234512345123451234512345aA

if everything is okay, first screen you have to see check  sign on first screen which you enabled VPN first.
Generally on vCloud Director you need to wait little, everything is updating slow and in 5 mins everything start to seen correctly, do not worry about changes of status not seen correctly

For vCloud Director providers, do many things like debug , log or something else, use vShield Manager

For customers use syslog but looks like some debugs you need a syslog and also vCloud Director GUI still not comfortable for example if you want to change something you need to delete whole config and re-enter everything 😀

A good feature you will get notification about vpn tunnel when its up or down , mail will be like below

You will also get down message like top and also from vCloud Director GUI you can see the error message

Last thing about configuration ;

After over the vpn config you have to do one more thing, from firewall section you have to create rule to remote site access you network via vpn like below …

Fortigate site screen shots are below … i’m not explaining something, forti guys also should have a knowledge, if something you need to learn please comment me or send a mail / tweet from About page …

 

 

 

VM

 

vSheild Edge VPN Defaults

To established VPN between firewalls sometimes not easy, two sites need to be agree on settings and firewall rules need to matched

I would like to describe vShield Edge defaults because not all informations are described and shown on vCloud Director GUI and also on vShield Manager

if you are customer i advise you to have syslog server

if you are admin on provider site pls run with vShield Manager logging

You can little confuse when you start to configure VPN, vShield Edge configuration is not like standard firewalls, you can not see the sections of phase1 and phase2 and don’t configure SA lifetimes or others because of that you have to know default values

I also advise to read http://www.vmware.com/pdf/vshield_51_admin.pdf

vShield Edge use/support

IKEv2

Phase 1

Main Mode (For other modes and explanations pls read this ) No Aggressive Mode
3DES/AES (Choose Encryption)
SHA1 (Integrity Algorithm )
PSK(pre-shared secret key) and Certificate (For Certificate you have to use vShield Manager GUI)(I never use it)
SA Lifetime (28800) no any data kbyets
DH Group 2

Phase2

3DES/AES (Choose Encryption) (From vDirector GUI you will see that selected one will be available for phase1 and 2  )
SHA1 (Integrity Algorithm )
ESP Tunnel Mode
DH Group 2
PFS
SA Lifetime (3600) no any data kbyets
Selectors for all IP protocols, all ports, between the two networks, using IPv4 subsets

DPD (Dead Peer Detection also generally selected on remote site)

Looks like VMware already tested vShield Edge to Cisco Router /ASA, Watchguard

My next articles will be VPN between vShield Edge to Frotigate and vShield Edge to CheckPoint

VM

Fortigate and SSL VPN Configuration

I know you do not have enough time, go !!

First activate SSL VPN on forti.

Need to create ip pool which forti  will set when people connected, you can see below default forti already have such pre-configured one, if you want you can use it or create new object and set ip address range what you want assign to consumers , i generally add /24 C class

Need to modify routing table, add static route and forti should know what it will be do where it will route SSL-VPN source traffic for reach target

Device should be you interface which start with ssl.
No need to set default gw, leave 0.0.0.0 ,forti will handle it
Distance and priority is not important if you do not have other or more preferential one

Portals, i remember that SSL VPN and SSL VPN portals are pushed by Juniper, they have additional SSL VPN boxes for handle this jobs also extra cost and what good in Forti, no need to pay extra for it, but i don’t know what juniper do now !

Portals are used what customer/user sees when they login also applications are important because its affect how you configure the widgets later on

 

Set the name and application what you need, actually i used it for only use it on rules , after all changes pls don’t forget to click apply on left-top site

Pls set the ip range to portal what you created on second step like below and click OK (Click Edit on IP Pools and choose the IP Mode as a Range), after all changes pls don’t forget to click apply on left-top site

Create Users ….

 

Create Group and assign user and portal to group , to do it click SSL-VPN Access and choose portal from drop down , move the user right site

Last 2 steps …

First need to create auth rule, via this we will make authentication, you decide which ip address which destination,which group , which services and go !

and last thing

Where this customers/users allowed to access, need to write down a rule from network which assigned by forti to customer and target, where they need to access

Lets try , link should be like below if you did not change the port number on first step and give the username and pass and try to access

https://forti.out.site.ip:10443/remote/login

i wrote down forti.out.site.ip this is what outside ip of forti or related VDOM outside ip

For extra and more information maybe you would like to check out

http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-sslvpn-40-mr3.pdf

VM