Category: Firewall

Authenticating SSL VPN users using LDAP

· Leave a comment ·

This example illustrates how to configure a FortiGate to use LDAP authentication to authenticate remote SSL VPN users. With a properly configured LDAP server, user and authentication data can be maintained independently of the FortiGate, accessed only when a remote user attempts to connect through the SSL VPN tunnel.

  1. Downloading and installing FSSO agent in the LDAP server
  2. Registering the LDAP server on the FortiGate
  3. Configuring Single Sign-On on the FortiGate
  4. Importing LDAP users
  5. Creating the SSL VPN user group
  6. Creating the SSL address range
  7. Configuring the SSL VPN tunnel
  8. Creating security policies
  9. Results

capture1

  1. Downloading and installing FSSO agent in the LDAP server

The current Forti OS version which we are using in our firewall is 5.2.5 build 701 (shown below)

Forti OS version.JPG

Download and install FSSO client on your Domain Controller, find a download link here:

https://support.fortinet.com/Download/FirmwareImages.aspx

fsso

Accept the license and follow the Wizard. Enter the Windows AD administrator password.

ca-step1

Click Next, select the Advanced Access method

ca-step2

In the Collector Agent IP address field, enter the IP address of the Windows AD server.

ca-step3

Select the domain you wish to monitor.

ca-step4

Next, select the users you do not wish to monitor.

ca-step5

Under Working Mode, select DC Agent mode.

ca-step6

Reboot the Domain Controller.

ca-step7

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password.

ca-step8

2. Registering the LDAP server on the FortiGate

Go to User & Device > Authentication > LDAP Servers to configure the LDAP server.

ldap

3.  Configuring Single Sign-On on the FortiGate

Go to User & Device > Authentication > Single Sign-On and create a new SSO server.

Under Groups tab, select the user groups to be monitored. In this example, “FortiOS Writers” group is used.

sso_fgt

4.  Importing LDAP users

Go to User & Device > User > User Definition, and create a new user, selecting Remote LDAP User.

Choose your LDAP Server from the dropdown list.

You will be presented with a list of user accounts, filtered by the LDAP Filter to include only common user classes.

fsso-1

5.  Creating the SSL VPN user group

Go to User & Device > User > User Groups to create a new FSSO user group.

user-group

6.  Creating the SSL address range

Go to Policy & Objects > Objects > Addresses, and create a new address.

Set the Type to IP Range, and in the Subnet/IP Range field, enter the range of addresses you want to assign to SSL VPN clients. Select Any as the Interface.

Then create another Address for each Subnet or IP Range within your internal network to which remote users will connect.

capture-2

7.  Configuring the SSL VPN tunnel

Go to VPN > SSL > Portals and create the full-access portal or edit the full-access portal

capture-3

Source IP pools > select from the drop down menu > SSL address range created above (point#6)

Go to VPN > SSL > Settings.

Under Connection Settings set Listen on Port to 443.

ssl-settings1

Under Authentication/Portal Mapping, select Create New.

capture-4

Assign the LDAP group user group to the full-access portal

8.  Creating security policies

Go to Policy & Objects > Policy >  IPv4 and create an ssl.root – wan1 policy.

policyconfig1

9.  Results

Click on  VPN client > Select SSl-VPN > click on New VPN > Give Connection Name

Type the IP Address of Remote Gateway ( WAN IP Address)

Click customize the port( default port# 443)

Click on Do not Warn Invalid Server Certificate

Click > Apply and close

capture-5

Open the Forticlient >

capture-6

Type your LDAP credentials and click on Connect.

That’s it.

Happy Browsing!!

Check this video for detailed information about installation,

 source: FortiGate

File System Check Error in FortiGate

· Leave a comment ·

File System Check Error in FortiGate 5.2.3 and above

In FortiOS 5.2 patch3, the file system check dialogue was introduced in the GUI and it offers the options to restart the unit and perform a file system check or, if desired, to be reminded later for performing the action in a maintenance window.

FortiGate error

File System check is a feature that is checking if the device was not shutdown properly. It will do a disk scan when the system boots up to avoid any potential file system errors.  In fact, if the unit was shut down without using the proper command (#execute shutdown), during the booting sequence, the FortiGate will check internal files for this log event and, if it cannot find it, the message will be shown.

This behavior is by design and there is no option to disable this message.

The message should no longer be seen once the following actions have been completed:

– Check of the file system.
– Reboot of the device.

source:itzecurity

FortiGate Firewall Admin Credentials lost

· 5 Comments ·

Resetting a lost admin password:

Periodically a situation arises where the FortiGate needs to be accessed or the

Admin account’s password needs to be changed, but no one with the existing

password is available. If you have physical access to the device and a few other

tools then the password can be reset.

Warning:

This procedure will require the reboot of the FortiGate unit.

You need:

• Console cabel

• Terminal software such as Putty.exe (Windows) or Terminal (Mac OS)

• Serial number of the FortiGate device

 Step-1: Connect the computer to the firewall via the Console port on the

back of the unit.

In most units this is done either by a Serial cable or a RJ-45 to

Serial cable. There are some units that use a USB cable and

FortiExplorer to connect to the console port.

                                                       Console cable

Virtual instances will not have any physical port to connect to so

you will have to use the supplied VM Hosts’ console connection

utility.

Step 2: Start your terminal software.

Step 3: Connect to the firewall using the following:

Step 4:

The firewall should then respond with its name or hostname. (If it

doesn’t try pressing “enter”)

Step 5:

Reboot the firewall. If there is no power button, disconnect the

power adapter and reconnect it after 10 seconds. Plugging in the

power too soon after unplugging it can cause corruption in the

memory in some units.

Step 6:

Wait for the Firewall name and login prompt to appear. The

terminal window should display something similar to the following:

FortiGate-60C (18:52-06.18.2010)

Ver:04000010

Serial number: FGT60C3G10016011

CPU(00): 525MHz

Total RAM: 512 MB

NAND init… 128 MB

MAC Init… nplite#0

Press any key to display configuration menu

……

reading boot image 1163092 bytes.

Initializing firewall…

System is started.

<name of Fortinet Device> login:

Step 7:
Type in the username:
maintainer

Step 8:

The password is
bcpb + the serial number of the firewall (letters of

the serial number is in UPPERCASE format)

Example:

bcpbFGT60C3G10016011

 Note:

On some devices, after the device boots, you have

only 14 seconds or less to type in the username and

password. It might, therefore, be necessary to have the

credentials ready in a text editor, and then copy and paste

them into the login screen. There is no indicator of when

your time runs out so it is possible that it might take more

than one attempt to succeed.

Step 9:

Now you should be connected to the firewall. To change the admin

password you type the following…

In a unit where vdoms are not enabled:

config system admin

edit admin

set password <psswrd>

end

In a unit where vdoms are enabled:

config global

config system admin

edit admin

set password <psswrd>

end

Warning:

Good news and bad news. Some might be worried that there is a backdoor into

the system. The maintainer feature/account is enabled by default, but the better

news is, if you wish, there is an option to disable this feature. The bad news is

that if you disable the feature and lose the password without having someone

Else that can log in as a superadmin profile user, you will be out of options.

If you attempt to use the maintainer account and see the message on the

console,PASSWORD RECOVERY FUNCTIONALITY IS DISABLED“, this

means that the maintainer account has been disabled.

Disabling the maintainer feature/account

Use the following command in the CLI to change the status of the maintainer

Account

To disable

config system global

set admin-maintainer disable

end

To enable

config system global

set admin-maintainer enable

end

Source: Fortinet

FortiGate Firewall Configuration Backup and Restore procedure Firmware V4.0

· 35 Comments ·

FortiGate Firewall Configuration Backup and Restore procedure Firmware V4.0:

Do the following tasks to take FortiGate firewall backup.

Steps:

  1. Connect the firewall through browser.

 2.   Login to the firewall (Enter User name & Password) (see Figure-4).

Figure-4

3.  After logging in, click on System –>Dashboard –> Dashboard on the left hand side of the window (see Figure-5)

Figure-5

4.  Right side pane of the window, under System Information –> System Configuration –> click on Backup (see Figure-6)

Figure-6

5.  Backup window will appear (see Figure-7); Enter a password to encrypt the configuration file. You will need this password while restoring the configuration file. Confirm Enter the password again to confirm the password. Click on Backup tab.

Figure-7

Restore

After logging in, click on System –>Dashboard –> Dashboard on the left hand   side of the window.

 Right side pane of the window, under System Information –> System Configuration –> click on Backup (see Figure-8)

Figure-8

7.     Use the “choose file” button if you are restoring the configuration file from the management computer.

                Select the configuration file name from the browse list if you are restoring the configuration file from the USB disk.

       8.   Enter the password, you entered when backing up the configuration file.

Figure-9

     NOTE:  If the password is forgotten, there is no way to use the file.

source: fortinet

FortiGate Firewall Configuration Backup and Restore procedure Firmware V3.0

· Leave a comment ·

FortiGate Firewall Configuration Backup and Restore procedure Firmware V3.0:

Do the following tasks to take FortiGate firewall backup.

Steps:

  1. Connect the firewall through browser.
  2. Login to the firewall (Enter User name & Password) (see Figure-1)
Figure-1

3.  After logging in, click on System –>Maintenance –>Backup & Restore on the left hand side of the window (see Figure-2).

Figure-2

 4.  FortiGate firewall configuration can be saved to management computer, a central Mangement station or to a USB stick, if the FortiGate supports a USB stick.

5.  The central management station is referred to remote management service the FortiGate unit is connected to. For example, if the current configuration on a FortiGate-60 is backed up to a FortiManager unit, the central management station would be the FortiManager unit.

 USB Disk – displays if the FortiGate unit supports USB disks. This option is grayed out if no USB disks are connected.

6.  Select to encrypt the backup file. Encryption must be enabled to save VPN certificates with the configuration. This option is not available for FortiManager backup option.

 Enter a password to encrypt the configuration file. You will need this password while restoring the configuration file. Confirm Enter the password again to confirm the password.

NOTE:If the password is forgotten, there is no way to use the file.

 Enter the name of the backup file or select Browse to locate the file. The File name field is only available when the USB drive is connected.

Figure-3

7.  Restoreprovides the ability to restore the firewall configuration file.

   8.  Use the “choose file” button if you are restoring the configuration file from the management computer.

         Select the configuration file name from the browse list if you are restoring the configuration file from the USB disk.

  9.  Enter the password, you entered when backing up the configuration file.

source: fortinet

Firewall

· 4 Comments ·

A firewall is defined as a system which is designed to prevent unauthorized access to or from a private network. Claimed to be implemented in both hardware and software, or a combination of both, firewalls are frequently used in order to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets.

Types of firewall techniques:

Packet filter: Each packet entering or leaving the network is checked and based on user-defined rules it is either accepted or rejected. It is said to be fairly effective and transparent to users, but is difficult to configure and is susceptible to IP spoofing.
Application gateway: Security mechanisms are applied to specific applications, such as FTP and Telnet servers. Although this is very effective, performance degradation can be imposed.
Circuit-level gateway: Security mechanisms are applied when a TCP or UDP connection is established. Upon establishing the connection, packets can flow between the hosts without further checking.
Proxy server: All messages are intercepted while entering and leaving the network, while the true network addresses are kept effectively hidden by the proxy server

Principle of a Firewall:

A set of predefined rules constitute a firewall system wherein the system is allowed to:

Authorise the connection (allow)
Block the connection (deny)
Reject the connection request without informing the issuer (drop)

Firewall Management Best Practices:

  • Don’t assume that the firewall is the answer to all your network security needs.
  • Deny all the traffic and allow what is needed and the other way, allowing all and blocking the known vulnerable ports.
  • Limit the number of applications running (Antivirus, VPN, Authentication software’s) in your host based firewalls to maximize the CPU cycles and network throughput.
  • Run the firewall services from unique ID rather than running from generic root/admin id.
  • Follow good password practices

                   – Change the default admin or root passwords before connecting the firewall to the internet

                   – Use long and complex pass phrase difficult to crack and easy to remember

                   – Change the passwords once in 6 months and whenever suspected to be compromised

  • Use features like stateful inspection, proxies and application level inspections if available in the firewalls.
  • Physical Access to the firewall should be controlled.
  • Keep the configurations simple, eliminate unneeded and redundant rules.
  • Audit the firewall rule base regularly.
  • Perform regular security tests on your firewalls for new exploits, changes in rules and with firewall disabled to determine how vulnerable you will be in cased of firewall failures.
  • Enable firewall logging and alerting.
  • Use secure remote syslog server that makes log modification and manipulation difficult for an attacker.
  • Consider outsourcing firewall management to a managed service provider to leverage on their expertise, trend analysis and intelligence.
  • Have strong Change Management process to control changes to firewalls.
  • Try to have personal firewalls/intrusion prevention software’s, as the network firewalls can be easily circumvented when connected through devices like USB modems, ADSL links etc.
  • Backup the firewalls rule base regularly and keep the backups offsite