My Cybersecurity Journal: August 2021

Friday, August 13, 2021

Run FortiGate VM Firewall in VMware Workstation

I took the Fortinet NSE 1 and NSE 2 training, which are free online courses in the Fortinet NSE Training Institute portal. These courses provide an introduction to Cybersecurity and Fortinet security products to mitigate Cyber threats.

The NSE 3 training is reserved for Fortinet employees and partners so I took the NSE 4 training instead. The NSE 4 is also an online free course and it's divided into two sections: Security and Infrastructure. You'll receive an electronic certificate of completion (PDF) after finishing the two courses. Your NSE certs (PDF) are found in the NSE Training Institute portal under the Dashboard (Completed tab) or Profile page.

To be a certified Fortinet NSE 4 Network Security Professional (exam code: NSE4_FGT-6.4), you'll need to book and pass the online exam via Pearson VUE. The exam cost is $400 USD as of this writing. The exam has 60 questions and passing rate is 60%. Once passed, the cert is valid for two years. Refer to the NSE 4 description and NSE Training Institute portal FAQ.

Below is the FortiGate virtual lab I used to study for NSE 4.

Open FortiGate VM in VM Workstation, go to File > Open.

Browse/select the OVF file: FortiGate-VM64 > click Open.

Rename the VM: FortiGate-1 > click Import.

Click Accept to accept the End User License Agreement (EULA).

Click Edit virtual machine settings.

My VMnet0 is configured as VMnet0 which is bridged to the Internet and other virtual machines (Windows 10 host, Kali Linux, etc.). The VMnet1 is a LAN for the Windows 7 VM. Select VMNet2 Network Adapter 3 (Host-only/for HA link).

Click Power on this virtual machine.

Notice the license error 'INVALID'. Just perform a factory reset on the VM to resolve the error.

Login using the default username admin and just leave the password blank. You're forced to change and input a new password upon initial login.

Issue a execute factoryreset command to resolve the invalid license error. Type y to continue and reboot the VM.

After the factory reset and reboot, the invalid license error was gone. Re-type the new password.

Issue a show system interface command to view the available network interfaces.

Configure port1 (WAN) IP address. Note port1 already allows ping, HTTPS and SSH.

I was able to ping the FortiGate VM WAN IP address (192.168.1.160/24) from my Windows 10 machine (192.168.1.100/24).

C:\Users\User>ipconfig

Windows IP Configuration

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :

Link-local IPv6 Address . . . . . : fe80::c961:e77e:a95c:fcfb%21

IPv4 Address. . . . . . . . . . . : 192.168.1.100

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

C:\Users\User>ping 192.168.1.160

Pinging 192.168.1.160 with 32 bytes of data:

Reply from 192.168.1.160: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.1.160:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

I was unable to intially HTTPS to FortiGate and due to a SSL/TLS cipher mismatch.

I tried to change to both TLSv1.1 and TLSv1.2 but I'm still unable to HTTPS to port1 (192.168.1.160).

Per checking Fortinet KB, the FortiGate VM only use a low encryption (no HTTPS administrative access).

All SecurityProfiles (UTM features) are enabled (Antivirus, Web Filter, Application Control, etc.) EXCEPT FortiGuard updates. The Evaluation license is valid for only 15 days.

I just allowed ping, HTTP and SSH on port1 for this lab.

I was able to HTTP to port1 (192.168.1.160) afterwards.

Click Later to skip the initial FortiGate Setup.

Toggle Don't show again (turn to green) and click OK to skip introduction video.

This is the landing page upon login, which is the System Information Dashboard.

I was also able to SSH to port1.

Issue a get system status command to view the FortiGate version, license status, system uptime, etc.

FortiGate-VM64 # get system status

Version: FortiGate-VM64 v6.4.4,build1803,201209 (GA)

Virus-DB: 1.00000(2018-04-09 18:07)

Extended DB: 1.00000(2018-04-09 18:07)

Extreme DB: 1.00000(2018-04-09 18:07)

IPS-DB: 6.00741(2015-12-01 02:30)

IPS-ETDB: 6.00741(2015-12-01 02:30)

APP-DB: 6.00741(2015-12-01 02:30)

INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)

Serial-Number: FGVMEVLBM63ZQG09

IPS Malicious URL Database: 1.00001(2015-01-01 01:01)

License Status: Valid

Evaluation License Expires: Tue May 4 02:20:49 2021

VM Resources: 1 CPU/1 allowed, 2010 MB RAM/2048 MB allowed

Log hard disk: Available

Hostname: FortiGate-VM64

Operation Mode: NAT

Current virtual domain: root

Max number of virtual domains: 1

Virtual domains status: 1 in NAT mode, 0 in TP mode

Virtual domain configuration: disable

FIPS-CC mode: disable

Current HA mode: standalone

Branch point: 1803

Release Version Information: GA

FortiOS x86-64: Yes

System time: Mon Apr 19 02:51:54 2021

Create a static default route, go to Network Static Routes > Create New.

Select default Destination: Subnet and 0.0.0.0/0.0.0.0 (quad zero route) > type Gateway Address: 192.168.1.1 (Cisco ASA Firewall) > select Interface: port1 (WAN: 192.168.1.160/24) > leave the Administrative Distance: 10 > leave the default Status: Enabled > click OK.

I configured FortiGate port2 (LAN) interface and allowed ping, SSH and HTTP.

FortiGate-VM64 # config system interface

FortiGate-VM64 (interface) # edit port2

FortiGate-VM64 (port2) # set mode static

FortiGate-VM64 (port2) # set ip 172.16.1.1 255.255.255.0

FortiGate-VM64 (port2) # set allowaccess ping ssh http

FortiGate-VM64 (port2) # end

I was able to ping and SSH using the FortiGate port2 172.16.1.1 IP address.

I was unable to reach the Internet (Google DNS 8.8.8.8) since there's no NAT policy configured yet.

The 15-day FortiGate VM Evaluation license is not long enough and it has already expired in my virtual lab.

I suspend the FortiGate VM when not in use to delay the Eval license expiration but I noticed its system time was automatically updated by NTP (FortiGuard). So I disable NTP after performing a factory reset.

FG-1 # get system status

Version: FortiGate-VM64 v6.4.4,build1803,201209 (GA)

Virus-DB: 1.00000(2018-04-09 18:07)

Extended DB: 1.00000(2018-04-09 18:07)

Extreme DB: 1.00000(2018-04-09 18:07)

IPS-DB: 6.00741(2015-12-01 02:30)

IPS-ETDB: 6.00741(2015-12-01 02:30)

APP-DB: 6.00741(2015-12-01 02:30)

INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)

Serial-Number: FGVMEVLBM63ZQG09

IPS Malicious URL Database: 1.00001(2015-01-01 01:01)

License Status: Expired

Evaluation License Expires: Tue May 4 02:20:49 2021

VM Resources: 1 CPU/1 allowed, 2010 MB RAM/2048 MB allowed

Log hard disk: Available

Hostname: FG-1

Operation Mode: NAT

Current virtual domain: root

Max number of virtual domains: 1

Virtual domains status: 1 in NAT mode, 0 in TP mode

Virtual domain configuration: disable

FIPS-CC mode: disable

Current HA mode: standalone

Branch point: 1803

Release Version Information: GA

FortiOS x86-64: Yes

System time: Wed May 5 22:26:44 2021

FG-1 # get system ntp

ntpsync : enable

type : fortiguard

syncinterval : 60

source-ip : 0.0.0.0

source-ip6 : ::

server-mode : enable

authentication : disable

interface : "fortilink"

FG-1 # diagnose sys ntp status

synchronized: yes, ntpsync: enabled, server-mode: enabled

ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- reachable(0xff) S:1 T:629 selected

server-version=4, stratum=2

reference time is e43df7ec.6aae6822 -- UTC Thu May 6 05:06:52 2021

clock offset is 6.108305 sec, root delay is 0.001358 sec

root dispersion is 0.044479 sec, peer dispersion is 199951 msec

ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- reachable(0xff) S:1 T:629

server-version=4, stratum=2

reference time is e43df906.3b732f6 -- UTC Thu May 6 05:11:34 2021

clock offset is 12.211762 sec, root delay is 0.001221 sec

root dispersion is 0.040100 sec, peer dispersion is 217109 msec

ipv4 server(ntp2.fortiguard.com) 208.91.112.60 -- reachable(0xff) S:1 T:629

server-version=4, stratum=2

reference time is e43df4b7.e3f49e10 -- UTC Thu May 6 04:53:11 2021

clock offset is 8.142703 sec, root delay is 0.001236 sec

root dispersion is 0.057037 sec, peer dispersion is 133425 msec

ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- reachable(0xfd) S:1 T:637

server-version=4, stratum=2

reference time is e43df906.3b732f6 -- UTC Thu May 6 05:11:34 2021

clock offset is 6.128610 sec, root delay is 0.001221 sec

root dispersion is 0.040237 sec, peer dispersion is 200269 msec

FG-1 # execute time

current time is: 22:29:55

last ntp sync:Wed May 5 22:27:16 2021

Factory reset and re-configure the FortiGate VM to renew again the License.

FG-1 # exec factoryreset

This operation will reset the system to factory default!

Do you want to continue? (y/n)y

Disable NTP (FortiGuard Cloud).

FG-1 # config system ntp

FG-1 (ntp) # set ntpsync disable

FG-1 (ntp) # set type

fortiguard Use the FortiGuard NTP server.

custom Use any other available NTP server.

FG-1 (ntp) # set type custom

FG-1 (ntp) # end

FG-1 # get system ntp

ntpsync : disable

type : custom

syncinterval : 60

ntpserver:

source-ip : 0.0.0.0

source-ip6 : ::

server-mode : enable

authentication : disable

interface : "fortilink"

FG-1 # execute time

current time is: 22:57:05

Once you have initial FortiGate GUI access, perform a configuration backup. Go to admin (upper right corner) > Configuration > Backup.

Select Backup to: Local PC > click OK.

A .conf file will appear > Save File > click OK.

Sunday, August 1, 2021

Juniper Networks SRX Firewall Content Filtering

The outdoor recreation have become increasingly popular due to the COVID-19 pandemic, so I went for a quick hike at Mount Faber Park. At the hilltop, you'll see the Singapore Cable Car (to/from Sentosa Island) and enjoy the scenic view of Keppel Harbour.

You'll also find the Henderson Waves bridge, which is the highest pedestrian bridge in Singapore. It connects Mount Faber Park to Telok Blangah Hill Park.

After a long and grueling hike, I treated myself a Chick'n Shack burger, cheese fries and a chocolate shake. This is Shake Shack in VivoCity shopping mall.

The Juniper SRX Firewall Content Filtering provides basic data loss prevention functionality. Content filtering filters traffic is based on MIME type, file extension, and protocol commands. You can also use the content filter module to block ActiveX, Java Applets, and other types of content. Content filtering does not require a separate license

The content filter module evaluates traffic before all other UTM modules, except Web Filtering. Therefore, if traffic meets criteria configured in the content-filter, the content-filter acts first upon this traffic.

You can configure the following types of content filters:

MIME Pattern Filter - MIME patterns are used to identify the type of traffic in HTTP and MAIL protocols. There are two lists of MIME patterns that are used by the content filter to determine the action to be taken

Block Extension List - Because the name of a file is available during file transfers, using file extensions is a highly practical way to block or allow file transfers.

Protocol Command Block and Permit Lists - Different protocols use different commands to communicate between servers and clients. By blocking or allowing certain commands, traffic can be controlled on the protocol command level.

The first step is to configure a Content Filtering profile, go to Configure > Security > UTM > Content Filtering > click Add.

You could either create a Custom Object to define several content types (exe, zip, etc) and select the created Custom Object under Block extension list.

In this case, I just want to filter an executable file (.exe) which is already listed under the Available content types. Type a Profile name: CF_EXE > select exe > move to the Selected content types on the right.

Go to Notification Options tab > select Notification type: message > type Custom notification message (according to your IT policy): File Download Blocked due to IT Security Policy. Please contact IT for further assistance > click OK.

The second step is to create a UTM Policy. Go to Configure > Security > UTM > Policy > click Add.

Under Main tab > type Policy name: UTM_POLICY_1 > leave the default Session per client over limit: Log and permit.

Go to Content filtering profiles tab > select HTTP profile: CF_EXE > click OK.

The last step is to assign the UTM Policy to a Security Policy rule.

Go to Configure > Security Policy > Policy Elements > Security Policy.

Filter the trust to untrust Security Context > select the TRUST-UNTRUST rule > click Edit.

Go to Application Services tab > select UTM Policy: UTM_POLICY_1 > click OK.

Click Commit > Commit to apply changes.

To test, I tried to download a free TFTP installer file (.exe) and it was blocked by the Content Filtering policy.

Notice the Internet Explorer tab indicated Request was dropped.

You can view the Content Filtering policy statistics under Monitor > Security > UTM > Content Filtering.

Notice under Statistics type: EXE files, a Counter blocked incremented by one (1).

You can view the same output in CLI using the show security utm content-filtering statistics command.

root@vSRX-1> show security ?

Possible completions:

advance-policy-based-routing Show advance policy based routing information

alarms Show active security alarm information

alg Show ALG security services information

application-firewall Show security application firewall policies

application-tracking Show Application tracking information

dns-cache Show DNS cache of firewall policy

dynamic-address Security dynamic address name

dynamic-policies Show security firewall dynamic policies

firewall-authentication Show firewall authentication tables, information

flow Show flow information

forward-options Show forward-options status

gprs Show GPRS information

group-vpn Show Group VPN Security information

idp Show Intrusion Detection and Prevention information

ike Show Internet Key Exchange information

internal-security-association Show internal security association

ipsec Show IP Security information

keychain Show all protocols keychain

log Show auditable security log information

match-policies Show security match policies

monitoring Show security SPU monitoring information

nat Show Network Address Translation information

pki Show public-key infrastructure information

policies Show security firewall policies

resource-manager Show resource manager security services information

screen Show screen service information

shadow-policies Show security shadow policies

softwires Show softwire information

ssh Show SSH information

tcp-encap Show TCP encapsulation information

user-identification Show user-identification information

utm Show security utm information

zones Show security zone information

root@vSRX-1> show security utm ?

Possible completions:

anti-spam Show anti-spam information

anti-virus Show anti-virus information

content-filtering Show content-filtering information

session Show security utm session

status Show security utm status

web-filtering Show web-filtering information

root@vSRX-1> show security utm content-filtering ?

Possible completions:

statistics Show content-filtering statistics

root@vSRX-1> show security utm content-filtering statistics

Content-filtering-statistic: Blocked

Base on command list: 0

Base on mime list: 0

Base on extension list: 0

ActiveX plugin: 0

Java applet: 0

EXE files: 1

ZIP files: 0

HTTP cookie: 0

Below is the complete show configuration.

root@vSRX-1# show

## Last changed: 2021-03-02 09:40:35 SGT

version 15.1X49-D80.4;

system {

host-name vSRX-1;

root-authentication {

encrypted-password "$5$h/gVhuqb$nH2lW4/iyVyXnAnvbBg8aLy2b1HZcpqhiTeH/lSFD./"; ## SECRET-DATA

}

name-server {

8.8.8.8;

}

services {

ssh {

root-login allow;

}

web-management {

https {

system-generated-certificate;

interface ge-0/0/0.0;

}

syslog {

user * {

any emergency;

}

file messages {

any any;

authorization info;

}

file interactive-commands {

interactive-commands any;

}

license {

autoupdate {

url https://ae1.juniper.net/junos/key_retrieval;

}

ntp;

}

services {

application-identification;

}

security {

utm {

custom-objects {

url-pattern {

ALLOWED_WEBSITES {

value [ www.juniper.net www.google.com www.playstation.com ];

}

BLOCKED_WEBSITES {

value [ www.cisco.com www.yahoo.com www.xbox.com ];

}

custom-url-category {

GOOD_WEBSITES {

value ALLOWED_WEBSITES;

}

BAD_WEBSITES {

value BLOCKED_WEBSITES;

}

feature-profile {

web-filtering {

url-whitelist GOOD_WEBSITES;

url-blacklist BAD_WEBSITES;

type juniper-local;

juniper-local {

profile CUSTOM_LOCAL_WF {

default block;

custom-block-message "Website access denied. Please contact IT for assistance.";

fallback-settings {

default log-and-permit;

server-connectivity log-and-permit;

timeout log-and-permit;

too-many-requests log-and-permit;

}

timeout 30;

}

content-filtering {

profile CF_EXE {

block-content-type {

exe;

}

notification-options {

type message;

custom-message "File Download Blocked due to IT Security Policy. Please contact IT for assistance.";

}

utm-policy UTM_POLICY_1 {

content-filtering {

http-profile CF_EXE;

}

traffic-options {

sessions-per-client {

over-limit log-and-permit;

}

screen {

ids-option untrust-screen {

icmp {

fragment;

ping-death;

}

ip {

source-route-option;

tear-drop;

}

tcp {

port-scan threshold 10000;

syn-flood {

alarm-threshold 1024;

attack-threshold 200;

source-threshold 1024;

destination-threshold 2048;

queue-size 2000; ## Warning: 'queue-size' is deprecated

timeout 20;

}

land;

}

nat {

source {

rule-set SOURCE-NAT-TRUST {

from zone trust;

to zone untrust;

rule SOURCE-NAT-TRUST {

match {

source-address 172.16.1.0/24;

destination-address 0.0.0.0/0;

}

then {

source-nat {

interface;

}

destination {

pool DEST_NAT_FTP {

address 172.16.1.100/32 port 21;

}

rule-set DEST_NAT_FTP {

from zone untrust;

rule DEST_NAT_FTP {

match {

destination-address 192.168.1.150/32;

destination-port {

21;

}

then {

destination-nat {

pool {

DEST_NAT_FTP;

}

policies {

from-zone trust to-zone trust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone untrust to-zone trust {

policy FTP_UNTRUST_TRUST {

match {

source-address any-ipv4;

destination-address WIN7-VM;

application junos-ftp;

}

then {

permit;

log {

session-init;

}

from-zone trust to-zone untrust {

policy TRUST-UNTRUST {

match {

source-address any;

destination-address any;

application any;

}

then {

permit {

application-services {

utm-policy UTM_POLICY_1;

}

log {

session-init;

}

zones {

security-zone trust {

tcp-rst;

address-book {

address WIN7-VM 172.16.1.100/32;

}

interfaces {

ge-0/0/1.0 {

host-inbound-traffic {

system-services {

ping;

ssh;

}

security-zone untrust {

screen untrust-screen;

interfaces {

ge-0/0/0.0 {

host-inbound-traffic {

system-services {

ping;

ssh;

https;

}

interfaces {

ge-0/0/0 {

unit 0 {

family inet {

address 192.168.1.150/24;

}

ge-0/0/1 {

unit 0 {

family inet {

address 172.16.1.1/24;

}

fxp0 {

unit 0 {

family inet;

}

routing-options {

static {

route 0.0.0.0/0 next-hop 192.168.1.1;

}

[edit]