Friday, August 13, 2021

Run FortiGate VM Firewall in VMware Workstation

I took the Fortinet NSE 1 and NSE 2 training, which are free online courses in the Fortinet NSE Training Institute portal. These courses provide an introduction to cybersecurity and to the Fortinet security products used to mitigate cyber threats.


The NSE 3 training is reserved for Fortinet employees and partners, so I took the NSE 4 training instead. NSE 4 is also a free online course and is divided into two sections: Security and Infrastructure. You'll receive an electronic certificate of completion (PDF) after finishing the two courses. Your NSE certs (PDF) are found in the NSE Training Institute portal under the Dashboard (Completed tab) or the Profile page.



To become a certified Fortinet NSE 4 Network Security Professional (exam code: NSE4_FGT-6.4), you'll need to book and pass the online exam via Pearson VUE. The exam costs $400 USD as of this writing. The exam has 60 questions and the passing score is 60%. Once passed, the cert is valid for two years. Refer to the NSE 4 description and the NSE Training Institute portal FAQ.

Below is the FortiGate virtual lab I used to study for NSE 4.

To open the FortiGate VM in VMware Workstation, go to File > Open.

Browse/select the OVF file: FortiGate-VM64 > click Open.

Rename the VM: FortiGate-1 > click Import.

Click Accept to accept the End User License Agreement (EULA).

Click Edit virtual machine settings.

My Network Adapter is configured as VMnet0, which is bridged to the Internet and the other virtual machines (Windows 10 host, Kali Linux, etc.). VMnet1 is a LAN for the Windows 7 VM. Select VMnet2 for Network Adapter 3 (Host-only, for the HA link).

Click Power on this virtual machine.

Notice the license error 'INVALID'. Just perform a factory reset on the VM to resolve the error.

Log in using the default username admin and leave the password blank. You're forced to set a new password upon initial login.

Issue an execute factoryreset command to resolve the invalid license error. Type y to continue and reboot the VM.

After the factory reset and reboot, the invalid license error was gone. Re-type the new password.

Issue a show system interface command to view the available network interfaces.


Configure the port1 (WAN) IP address. Note that port1 already allows ping, HTTPS and SSH.

I was able to ping the FortiGate VM WAN IP address (192.168.1.160/24) from my Windows 10 machine (192.168.1.100/24).

C:\Users\User>ipconfig

Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::c961:e77e:a95c:fcfb%21
   IPv4 Address. . . . . . . . . . . : 192.168.1.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

C:\Users\User>ping 192.168.1.160

Pinging 192.168.1.160 with 32 bytes of data:
Reply from 192.168.1.160: bytes=32 time<1ms TTL=255
Reply from 192.168.1.160: bytes=32 time<1ms TTL=255
Reply from 192.168.1.160: bytes=32 time<1ms TTL=255
Reply from 192.168.1.160: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.1.160:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

I was initially unable to HTTPS to the FortiGate due to an SSL/TLS cipher mismatch.

 


I tried changing to both TLSv1.1 and TLSv1.2 but was still unable to HTTPS to port1 (192.168.1.160).


Per the Fortinet KB, the FortiGate VM only uses low encryption (no HTTPS administrative access).

 

All Security Profiles (UTM features) are enabled (Antivirus, Web Filter, Application Control, etc.) EXCEPT FortiGuard updates. The evaluation license is valid for only 15 days.

 

I just allowed ping, HTTP and SSH on port1 for this lab.

 


I was able to HTTP to port1 (192.168.1.160) afterwards.

Click Later to skip the initial FortiGate Setup.

Toggle Don't show again (turns green) and click OK to skip the introduction video.

This is the landing page upon login, which is the System Information Dashboard.

I was also able to SSH to port1.


 

Issue a get system status command to view the FortiGate version, license status, system uptime, etc.

 

FortiGate-VM64 # get system status
Version: FortiGate-VM64 v6.4.4,build1803,201209 (GA)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
Serial-Number: FGVMEVLBM63ZQG09
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
License Status: Valid
Evaluation License Expires: Tue May  4 02:20:49 2021
VM Resources: 1 CPU/1 allowed, 2010 MB RAM/2048 MB allowed
Log hard disk: Available
Hostname: FortiGate-VM64
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1803
Release Version Information: GA
FortiOS x86-64: Yes
System time: Mon Apr 19 02:51:54 2021


To create a static default route, go to Network > Static Routes > Create New.


 
Leave the default Destination: Subnet and type 0.0.0.0/0.0.0.0 (quad-zero route) > type Gateway Address: 192.168.1.1 (Cisco ASA firewall) > select Interface: port1 (WAN: 192.168.1.160/24) > leave the default Administrative Distance: 10 > leave the default Status: Enabled > click OK.

I configured FortiGate port2 (LAN) interface and allowed ping, SSH and HTTP.

 

FortiGate-VM64 # config system interface
FortiGate-VM64 (interface) # edit port2
FortiGate-VM64 (port2) # set mode static
FortiGate-VM64 (port2) # set ip 172.16.1.1 255.255.255.0
FortiGate-VM64 (port2) # set allowaccess ping ssh http
FortiGate-VM64 (port2) # end

 

 

I was able to ping and SSH using the FortiGate port2 172.16.1.1 IP address.

 

I was unable to reach the Internet (Google DNS 8.8.8.8) since there's no NAT policy configured yet.

 



The 15-day FortiGate VM Evaluation license is not long enough and it has already expired in my virtual lab.

I suspend the FortiGate VM when not in use to delay the evaluation license expiration, but I noticed that its system time was automatically updated by NTP (FortiGuard), so I disabled NTP after performing a factory reset.

 

FG-1 # get system status
Version: FortiGate-VM64 v6.4.4,build1803,201209 (GA)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
Serial-Number: FGVMEVLBM63ZQG09
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
License Status: Expired
Evaluation License Expires: Tue May  4 02:20:49 2021
VM Resources: 1 CPU/1 allowed, 2010 MB RAM/2048 MB allowed
Log hard disk: Available
Hostname: FG-1
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1803
Release Version Information: GA
FortiOS x86-64: Yes
System time: Wed May  5 22:26:44 2021

FG-1 # get system ntp
ntpsync             : enable
type                : fortiguard
syncinterval        : 60
source-ip           : 0.0.0.0
source-ip6          : ::
server-mode         : enable
authentication      : disable
interface           : "fortilink"

FG-1 # diagnose sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: enabled

ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- reachable(0xff) S:1 T:629 selected
        server-version=4, stratum=2
        reference time is e43df7ec.6aae6822 -- UTC Thu May  6 05:06:52 2021
        clock offset is 6.108305 sec, root delay is 0.001358 sec
        root dispersion is 0.044479 sec, peer dispersion is 199951 msec

ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- reachable(0xff) S:1 T:629
        server-version=4, stratum=2
        reference time is e43df906.3b732f6 -- UTC Thu May  6 05:11:34 2021
        clock offset is 12.211762 sec, root delay is 0.001221 sec
        root dispersion is 0.040100 sec, peer dispersion is 217109 msec

ipv4 server(ntp2.fortiguard.com) 208.91.112.60 -- reachable(0xff) S:1 T:629
        server-version=4, stratum=2
        reference time is e43df4b7.e3f49e10 -- UTC Thu May  6 04:53:11 2021
        clock offset is 8.142703 sec, root delay is 0.001236 sec
        root dispersion is 0.057037 sec, peer dispersion is 133425 msec

ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- reachable(0xfd) S:1 T:637
        server-version=4, stratum=2
        reference time is e43df906.3b732f6 -- UTC Thu May  6 05:11:34 2021
        clock offset is 6.128610 sec, root delay is 0.001221 sec
        root dispersion is 0.040237 sec, peer dispersion is 200269 msec

FG-1 # execute time
current time is: 22:29:55
last ntp sync:Wed May  5 22:27:16 2021

 

Factory reset and reconfigure the FortiGate VM to renew the license again.

 

FG-1 # exec factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n)y

 


Disable NTP (FortiGuard Cloud).

 

FG-1 # config system ntp
FG-1 (ntp) # set ntpsync disable
FG-1 (ntp) # set type
fortiguard    Use the FortiGuard NTP server.
custom        Use any other available NTP server.
FG-1 (ntp) # set type custom
FG-1 (ntp) # end

FG-1 # get system ntp
ntpsync             : disable
type                : custom
syncinterval        : 60
ntpserver:
source-ip           : 0.0.0.0
source-ip6          : ::
server-mode         : enable
authentication      : disable
interface           : "fortilink"

FG-1 # execute time
current time is: 22:57:05
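As an added check (example code, not from the original post), the script below parses the get system status and get system ntp output shown above, reports how many days of the evaluation license remain, and flags an enabled ntpsync, which is what advanced the clock past the expiry date while the VM sat suspended. The sample strings are trimmed excerpts of this post's output, embedded so the script runs offline.

```python
from datetime import datetime

# Constructed samples: trimmed excerpts of the 'get system status' and
# 'get system ntp' output shown in this post (expired and still-valid cases).
STATUS_EXPIRED = """\
Version: FortiGate-VM64 v6.4.4,build1803,201209 (GA)
Serial-Number: FGVMEVLBM63ZQG09
License Status: Expired
Evaluation License Expires: Tue May  4 02:20:49 2021
Hostname: FG-1
System time: Wed May  5 22:26:44 2021
"""
STATUS_VALID = STATUS_EXPIRED.replace("Expired", "Valid").replace(
    "Wed May  5 22:26:44 2021", "Mon Apr 19 02:51:54 2021")
NTP_DEFAULT = """\
ntpsync             : enable
type                : fortiguard
syncinterval        : 60
"""
NTP_DISABLED = NTP_DEFAULT.replace("enable", "disable").replace("fortiguard", "custom")

TIME_FMT = "%a %b %d %H:%M:%S %Y"   # FortiOS prints e.g. 'Tue May  4 02:20:49 2021'


def parse_kv(output: str) -> dict:
    """Turn the 'key: value' / 'key   : value' lines of FortiOS output into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def license_report(status_output: str, ntp_output: str) -> dict:
    """Days of evaluation license left (negative once expired) and whether NTP is
    allowed to move the clock, which is what ended this lab's license early."""
    status, ntp = parse_kv(status_output), parse_kv(ntp_output)
    expires = datetime.strptime(status["Evaluation License Expires"], TIME_FMT)
    now = datetime.strptime(status["System time"], TIME_FMT)
    remaining = expires - now
    ntp_on = ntp.get("ntpsync") == "enable"
    findings = []
    if remaining.total_seconds() <= 0:
        findings.append("evaluation license expired")
    elif remaining.days < 3:
        findings.append(f"evaluation license expires in {remaining.days} day(s)")
    if ntp_on:
        findings.append(f"ntpsync enabled ({ntp.get('type')}): clock is corrected on resume")
    return {
        "hostname": status.get("Hostname"),
        "license_status": status.get("License Status"),
        "days_left": remaining.days,
        "ntp_sync": ntp_on,
        "findings": findings,
    }


if __name__ == "__main__":
    for s, n in ((STATUS_VALID, NTP_DEFAULT), (STATUS_EXPIRED, NTP_DISABLED)):
        print(license_report(s, n))
```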

  

 

Once you have initial FortiGate GUI access, perform a configuration backup. Go to admin (upper right corner) > Configuration > Backup.

Select Backup to: Local PC > click OK.

 

A .conf file will appear > Save File > click OK.

 


Sunday, August 1, 2021

Juniper Networks SRX Firewall Content Filtering

Outdoor recreation has become increasingly popular due to the COVID-19 pandemic, so I went for a quick hike at Mount Faber Park. At the hilltop, you'll see the Singapore Cable Car (to/from Sentosa Island) and enjoy the scenic view of Keppel Harbour.



You'll also find the Henderson Waves bridge, which is the highest pedestrian bridge in Singapore. It connects Mount Faber Park to Telok Blangah Hill Park.

After a long and grueling hike, I treated myself to a Chick'n Shack burger, cheese fries and a chocolate shake at Shake Shack in the VivoCity shopping mall.

Juniper SRX Firewall Content Filtering provides basic data loss prevention functionality. Content filtering filters traffic based on MIME type, file extension, and protocol commands. You can also use the content filter module to block ActiveX, Java applets, and other types of content. Content filtering does not require a separate license.

The content filter module evaluates traffic before all other UTM modules, except Web Filtering. Therefore, if traffic meets criteria configured in the content-filter, the content-filter acts first upon this traffic.

You can configure the following types of content filters:

MIME Pattern Filter - MIME patterns are used to identify the type of traffic in the HTTP and MAIL protocols. There are two lists of MIME patterns that are used by the content filter to determine the action to be taken.

Block Extension List - Because the name of a file is available during file transfers, using file extensions is a highly practical way to block or allow file transfers.

Protocol Command Block and Permit Lists - Different protocols use different commands to communicate between servers and clients. By blocking or allowing certain commands, traffic can be controlled at the protocol command level.

The first step is to configure a Content Filtering profile, go to Configure > Security > UTM > Content Filtering > click Add.

You could also create a Custom Object to define several content types (exe, zip, etc.) and select the created Custom Object under Block extension list.

 

In this case, I just want to filter an executable file (.exe) which is already listed under the Available content types. Type a Profile name: CF_EXE > select exe > move to the Selected content types on the right.

 

Go to Notification Options tab > select Notification type: message > type Custom notification message (according to your IT policy): File Download Blocked due to IT Security Policy. Please contact IT for further assistance > click OK.

The second step is to create a UTM Policy. Go to Configure > Security > UTM > Policy > click Add.


Under the Main tab > type Policy name: UTM_POLICY_1 > leave the default Session per client over limit: Log and permit.

Go to Content filtering profiles tab > select HTTP profile: CF_EXE > click OK.


The last step is to assign the UTM Policy to a Security Policy rule.

 

Go to Configure > Security Policy > Policy Elements > Security Policy.

 

Filter the trust to untrust Security Context > select the TRUST-UNTRUST rule > click Edit.

 



Go to the Application Services tab > select UTM Policy: UTM_POLICY_1 > click OK.


Click Commit > Commit to apply changes.

To test, I tried to download a free TFTP installer file (.exe) and it was blocked by the Content Filtering policy.

Notice that the Internet Explorer tab indicated 'Request was dropped'.

You can view the Content Filtering policy statistics under Monitor > Security > UTM > Content Filtering.

 

Notice that under Statistics type: EXE files, the Counter blocked incremented by one (1).

 


You can view the same output in CLI using the show security utm content-filtering statistics command.

 

root@vSRX-1> show security ?
Possible completions:
  advance-policy-based-routing  Show advance policy based routing information
  alarms               Show active security alarm information
  alg                  Show ALG security services information
  application-firewall  Show security application firewall policies
  application-tracking  Show Application tracking information
  dns-cache            Show DNS cache of firewall policy
  dynamic-address      Security dynamic address name
  dynamic-policies     Show security firewall dynamic policies
  firewall-authentication  Show firewall authentication tables, information
  flow                 Show flow information
  forward-options      Show forward-options status
  gprs                 Show GPRS information
  group-vpn            Show Group VPN Security information
  idp                  Show Intrusion Detection and Prevention information
  ike                  Show Internet Key Exchange information
  internal-security-association  Show internal security association
  ipsec                Show IP Security information
  keychain             Show all protocols keychain
  log                  Show auditable security log information
  match-policies       Show security match policies
  monitoring           Show security SPU monitoring information
  nat                  Show Network Address Translation information
  pki                  Show public-key infrastructure information
  policies             Show security firewall policies
  resource-manager     Show resource manager security services information
  screen               Show screen service information
  shadow-policies      Show security shadow policies
  softwires            Show softwire information
  ssh                  Show SSH information
  tcp-encap            Show TCP encapsulation information
  user-identification  Show user-identification information
  utm                  Show security utm information
  zones                Show security zone information

root@vSRX-1> show security utm ?
Possible completions:
  anti-spam            Show anti-spam information
  anti-virus           Show anti-virus information
  content-filtering    Show content-filtering information
  session              Show security utm session
  status               Show security utm status
  web-filtering        Show web-filtering information

root@vSRX-1> show security utm content-filtering ?
Possible completions:
  statistics           Show content-filtering statistics

root@vSRX-1> show security utm content-filtering statistics

 Content-filtering-statistic:         Blocked
     Base on command list:                    0
     Base on mime list:                       0
     Base on extension list:                  0
     ActiveX plugin:                          0
     Java applet:                             0
     EXE files:                               1
     ZIP files:                               0
     HTTP cookie:                             0


Below is the complete show configuration.

 

root@vSRX-1# show
## Last changed: 2021-03-02 09:40:35 SGT
version 15.1X49-D80.4;
system {
    host-name vSRX-1;
    root-authentication {
        encrypted-password "$5$h/gVhuqb$nH2lW4/iyVyXnAnvbBg8aLy2b1HZcpqhiTeH/lSFD./"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
    }
    services {
        ssh {
            root-login allow;
        }
        web-management {
            https {
                system-generated-certificate;
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp;
}
services {
    application-identification;
}
security {
    utm {
        custom-objects {
            url-pattern {
                ALLOWED_WEBSITES {
                    value [ www.juniper.net www.google.com www.playstation.com ];
                }
                BLOCKED_WEBSITES {
                    value [ www.cisco.com www.yahoo.com www.xbox.com ];
                }
            }
            custom-url-category {
                GOOD_WEBSITES {
                    value ALLOWED_WEBSITES;
                }
                BAD_WEBSITES {
                    value BLOCKED_WEBSITES;
                }
            }
        }
        feature-profile {
            web-filtering {
                url-whitelist GOOD_WEBSITES;
                url-blacklist BAD_WEBSITES;
                type juniper-local;
                juniper-local {
                    profile CUSTOM_LOCAL_WF {
                        default block;
                        custom-block-message "Website access denied. Please contact IT for assistance.";
                        fallback-settings {
                            default log-and-permit;
                            server-connectivity log-and-permit;
                            timeout log-and-permit;
                            too-many-requests log-and-permit;
                        }
                        timeout 30;
                    }
                }
            }
            content-filtering {
                profile CF_EXE {
                    block-content-type {
                        exe;
                    }
                    notification-options {
                        type message;
                        custom-message "File Download Blocked due to IT Security Policy. Please contact IT for assistance.";
                    }
                }
            }
        }
        utm-policy UTM_POLICY_1 {
            content-filtering {
                http-profile CF_EXE;
            }
            traffic-options {
                sessions-per-client {
                    over-limit log-and-permit;
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                fragment;
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                port-scan threshold 10000;
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set SOURCE-NAT-TRUST {
                from zone trust;
                to zone untrust;
                rule SOURCE-NAT-TRUST {
                    match {
                        source-address 172.16.1.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool DEST_NAT_FTP {
                address 172.16.1.100/32 port 21;
            }
            rule-set DEST_NAT_FTP {
                from zone untrust;
                rule DEST_NAT_FTP {
                    match {
                        destination-address 192.168.1.150/32;
                        destination-port {
                            21;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                DEST_NAT_FTP;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy FTP_UNTRUST_TRUST {
                match {
                    source-address any-ipv4;
                    destination-address WIN7-VM;
                    application junos-ftp;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone trust to-zone untrust {
            policy TRUST-UNTRUST {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy UTM_POLICY_1;
                        }
                    }
                    log {
                        session-init;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            address-book {
                address WIN7-VM 172.16.1.100/32;
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            https;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.150/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.1.1;
    }
}

[edit]
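As an added audit (example code, not from the post or from Juniper), the script below parses the curly-brace configuration above into nested dicts and checks that every permit rule in a given zone pair carries a UTM policy whose content-filtering has an http-profile, i.e. that the last step of attaching UTM_POLICY_1 to TRUST-UNTRUST actually took. The embedded configuration is a trimmed copy of the one shown above; the check is generic over any zone pair, so it also reports the inbound FTP rule, which this lab intentionally leaves without UTM.

```python
# Constructed sample: trimmed from the vSRX configuration shown in this post.
SAMPLE_CONFIG = """\
security {
    utm {
        utm-policy UTM_POLICY_1 {
            content-filtering {
                http-profile CF_EXE;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy TRUST-UNTRUST {
                then {
                    permit {
                        application-services {
                            utm-policy UTM_POLICY_1;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            policy FTP_UNTRUST_TRUST {
                then {
                    permit;
                }
            }
        }
    }
}
"""

def parse_junos(text: str) -> dict:
    """Nest Junos '{ }' stanzas as dicts; a leaf like 'http-profile CF_EXE;' maps to None."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()     # drop '## SECRET-DATA' style comments
        if line.endswith("{"):
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        elif line == "}":
            node = stack.pop()
        elif line.endswith(";"):
            node[line[:-1].strip()] = None
    return root

def _name(key: str) -> str:
    return key.split(" ", 1)[1]               # 'policy TRUST-UNTRUST' -> 'TRUST-UNTRUST'

def audit_utm(config: dict, from_zone: str, to_zone: str) -> list:
    """Findings for permit rules in the zone pair with no UTM policy, or a UTM policy lacking a content-filtering http-profile."""
    sec = config.get("security", {})
    utm_policies = {_name(k): v for k, v in sec.get("utm", {}).items()
                    if k.startswith("utm-policy ")}
    context = sec.get("policies", {}).get(f"from-zone {from_zone} to-zone {to_zone}", {})
    findings = []
    for key, body in ((k, v) for k, v in context.items() if k.startswith("policy ")):
        then = body.get("then") or {}
        if "permit" not in then:
            continue                          # deny/reject rules need no UTM
        services = (then.get("permit") or {}).get("application-services") or {}
        utm = next((_name(k) for k in services if k.startswith("utm-policy ")), None)
        cf = (utm_policies.get(utm) or {}).get("content-filtering") or {}
        if utm is None:
            findings.append(f"{_name(key)}: permit without utm-policy")
        elif not any(k.startswith("http-profile ") for k in cf):
            findings.append(f"{_name(key)}: utm-policy {utm} has no content-filtering http-profile")
    return findings
```

Run it against the full output of show configuration to audit a box whose GUI steps you did not watch; an empty list for the trust to untrust pair means the CF_EXE profile is in the path.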