Came across the need to allow SSL VPN clients to reach networks behind a spoke firewall. In this instance there is an IPsec LAN-to-LAN VPN tunnel between two sites, call them HQ and Sister-Company. A remote user who connects by SSL VPN to the HQ firewall needs access to the Sister-Company file server. Instead of creating another user on the Sister-Company firewall, or a second profile in the SSL VPN client, the access can be granted on the HQ firewall and carried over the existing tunnel.
The HQ FortiGate LAN-to-LAN VPN MUST be configured in interface (route-based) mode. SSL VPN clients connect to the hub FortiGate, i.e. HQ.
FW-Policy(s):
* ssl.root (source: SSL VPN client address range) -> VPN_Interface (destination: Sister-Company subnet), action ACCEPT
* WAN (source: all) -> VPN_Interface (destination: Sister-Company subnet), action SSL-VPN. The destination of this policy is what the tunnel-mode SSL VPN client treats as "interesting traffic" (it is pushed to the client as a split-tunnel route), so make sure the user group is set under this policy.
Route(s):
* Sister-Company destination network -> device VPN_Interface (a static route pointing into the IPsec interface)
Connect using the SSL VPN client and ping a host on the far side; the Sent/Received counters in the SSL VPN client should increment with each ping if the traffic is entering the tunnel.
Upgraded a test system to review the features/fixes, but there have been complaints from other admins that the IPS engine is consuming massive amounts of memory again. I'd recommend waiting for 4.3.5.
Connect to the console via serial cable (typically 9600, 8N1) using a terminal program (HyperTerminal, PuTTY, ZTerm, Tera Term).
Username: maintainer
Password: bcpb followed by the serial number of the firewall (case-sensitive, exactly as printed on the chassis label)
Note: on some devices you only get a window of about 14 seconds after booting to type in the username and password, and the account is only accepted on the local console. Once in, reset the admin password from the CLI:
# config system admin
# edit admin
# set password <new_password>
# end
Since the serial number is on the label, anyone with physical access to the console port can take over the unit this way, so keep the hardware locked up; later FortiOS releases add a global setting that lets you disable the maintainer account.
All credit to Soni Hacker for this information.
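To make the 14-second window less of a typing race, here is an added example (my own, not from the post or from Soni Hacker) that drives the maintainer login from a script. It assumes a pyserial port at 9600 8N1 and that the console shows "login:", "Password:", "Login incorrect" and a CLI prompt ending in "#"; those prompt strings are assumptions about the console output. The credential itself is Fortinet's documented one (bcpb plus the serial number as printed). FakeConsole is a constructed stand-in for the serial port so the logic can be exercised without hardware.

```python
#!/usr/bin/env python3
"""Drive the FortiGate 'maintainer' console login and reset the admin password.

Start the script on the console port *before* power-cycling the unit: the
maintainer account is only accepted for a short window after boot.
"""
import re
import time
from typing import List

BOOT_LOGIN_WINDOW = 14.0  # seconds; the shortest window mentioned in the post


def maintainer_password(serial_number: str) -> str:
    """Fortinet's documented maintainer password: 'bcpb' + serial, case-sensitive."""
    serial_number = serial_number.strip()
    if not re.fullmatch(r"[A-Z0-9]+", serial_number):
        raise ValueError("serial number must be upper-case alphanumerics as printed on the label")
    return "bcpb" + serial_number


def reset_admin_commands(new_password: str) -> List[str]:
    """The CLI lines from the post that reset the built-in 'admin' password."""
    if not new_password or any(c.isspace() for c in new_password):
        raise ValueError("choose a non-empty password without whitespace")
    return ["config system admin", "edit admin", f"set password {new_password}", "end"]


def wait_for(port, pattern: str, timeout: float, clock=time.monotonic) -> str:
    """Read from port until regex `pattern` appears; return everything read so far."""
    deadline = clock() + timeout
    buf = ""
    while clock() < deadline:
        chunk = port.read(64)
        if chunk:
            buf += chunk.decode("ascii", errors="replace")
            if re.search(pattern, buf):
                return buf
    raise TimeoutError(f"did not see {pattern!r} within {timeout}s")


def recover_admin(port, serial_number: str, new_password: str, clock=time.monotonic) -> bool:
    """Log in as maintainer inside the boot window and reset 'admin'.

    Returns True when the CLI prompt was reached and the reset commands were
    sent, False when the box answered 'Login incorrect' (wrong serial, or the
    boot window was missed). Prompt strings are assumptions (see lead-in).
    """
    wait_for(port, r"login: ?$", timeout=600, clock=clock)  # wait for the unit to boot
    port.write(b"maintainer\r\n")
    wait_for(port, r"Password: ?$", timeout=BOOT_LOGIN_WINDOW, clock=clock)
    port.write(maintainer_password(serial_number).encode("ascii") + b"\r\n")
    out = wait_for(port, r"(#\s*$|Login incorrect)", timeout=BOOT_LOGIN_WINDOW, clock=clock)
    if "Login incorrect" in out:
        return False
    for line in reset_admin_commands(new_password):
        port.write(line.encode("ascii") + b"\r\n")
        wait_for(port, r"#\s*$", timeout=10, clock=clock)  # each command returns to a '#' prompt
    return True


class FakeConsole:
    """Constructed stand-in for a serial port: scripted replies keyed on what is written.

    The serial number and banner text are made up for the example.
    """

    def __init__(self, accept_password: str):
        self._out = b"\r\nFGT60C3G00000000 login: "
        self._accept = accept_password
        self.sent: List[str] = []

    def read(self, n: int) -> bytes:
        chunk, self._out = self._out[:n], self._out[n:]
        return chunk

    def write(self, data: bytes) -> None:
        line = data.decode("ascii").strip()
        self.sent.append(line)
        if line == "maintainer":
            self._out += b"Password: "
        elif line.startswith("bcpb"):
            if line == self._accept:
                self._out += b"\r\nWelcome!\r\n\r\nFGT60C3G00000000 # "
            else:
                self._out += b"\r\nLogin incorrect\r\n\r\nFGT60C3G00000000 login: "
        else:
            self._out += b"\r\nFGT60C3G00000000 (admin) # "


if __name__ == "__main__":
    import sys
    import serial  # pyserial, assumed installed; 9600 8N1 is its default framing

    device, serial_no, new_pw = sys.argv[1:4]  # e.g. /dev/tty.usbserial (hypothetical path)
    with serial.Serial(device, 9600, timeout=0.2) as port:
        print("admin reset sent" if recover_admin(port, serial_no, new_pw) else "maintainer login rejected")
```

Run it as `python3 maint_reset.py <device> <SERIAL> <NewPassword>` with the console cable attached, then power-cycle the FortiGate; the script idles at the "login:" wait until the box comes back up and then answers within the window. A False return means the serial did not match or the window was missed, in which case reboot and try again.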
Read this yesterday and have heard "things", but it's been confirmed apparently. There's a technique, the TCP split handshake attack, that fools common stateful firewalls into treating an attacker on the outside as if it were the trusted inside end of the connection: the server answers a client's SYN with a bare SYN of its own instead of a SYN/ACK, the client completes the exchange anyway, and the firewall's record of who opened the connection ends up reversed. It appears to affect many of the big names in firewalls: Cisco, Juniper, Fortinet, SonicWall.
Read more about that here….
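A toy model of the mechanism, added here as an example and not taken from the post, from the published test results or from any vendor's code: two simplified connection trackers are fed the same four-segment split handshake (client SYN, server bare SYN, client SYN/ACK, server ACK, the sequence described by Beardsley and Qian in their 2010 paper) and a normal three-way handshake. The addresses are constructed; NaiveTracker and StrictTracker are my own illustration of the failure and of one defensible fix (refuse a reverse bare SYN on a half-open flow), not a description of how any of the listed products actually behaves.

```python
"""Why the TCP split handshake inverts a stateful firewall's idea of client and server."""
from dataclasses import dataclass
from typing import Dict, List

INSIDE = "10.0.0.5"       # constructed: a host behind the firewall
OUTSIDE = "203.0.113.9"   # constructed: the attacker's server (TEST-NET-3 address)


@dataclass(frozen=True)
class Seg:
    """One TCP segment, reduced to what connection tracking looks at."""
    src: str
    dst: str
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


def pair(seg: Seg) -> frozenset:
    return frozenset((seg.src, seg.dst))


def normal_handshake(client: str, server: str) -> List[Seg]:
    return [Seg(client, server, "S"), Seg(server, client, "SA"), Seg(client, server, "A")]


def split_handshake(client: str, server: str) -> List[Seg]:
    """Server answers the SYN with its own bare SYN; client replies SYN/ACK; server ACKs."""
    return [Seg(client, server, "S"), Seg(server, client, "S"),
            Seg(client, server, "SA"), Seg(server, client, "A")]


class NaiveTracker:
    """Any bare SYN (re)creates the flow with its sender recorded as the client."""

    def __init__(self):
        self.flows: Dict[frozenset, dict] = {}

    def feed(self, seg: Seg) -> str:
        if seg.flags == "S":
            # The second SYN in a split handshake lands here and swaps the roles.
            self.flows[pair(seg)] = {"client": seg.src, "server": seg.dst, "state": "SYN_SENT"}
            return "pass"
        f = self.flows.get(pair(seg))
        if f is None:
            return "drop"
        if seg.flags == "SA" and seg.src == f["server"] and f["state"] == "SYN_SENT":
            f["state"] = "SYN_RECV"
        elif seg.flags == "A" and seg.src == f["client"] and f["state"] == "SYN_RECV":
            f["state"] = "ESTABLISHED"
        return "pass"


class StrictTracker(NaiveTracker):
    """The first SYN fixes the client. A bare SYN from the other side of a half-open
    flow is refused, so the split handshake never completes and roles are never swapped."""

    def feed(self, seg: Seg) -> str:
        f = self.flows.get(pair(seg))
        if seg.flags == "S":
            if f is None:
                self.flows[pair(seg)] = {"client": seg.src, "server": seg.dst, "state": "SYN_SENT"}
                return "pass"
            if seg.src == f["client"] and f["state"] == "SYN_SENT":
                return "pass"  # the client retransmitting its own SYN is fine
            return "drop"      # reverse SYN (split / simultaneous open): refuse it
        if f is None:
            return "drop"
        if seg.flags == "SA" and seg.src == f["server"] and f["state"] == "SYN_SENT":
            f["state"] = "SYN_RECV"
            return "pass"
        if seg.flags == "A" and seg.src == f["client"] and f["state"] == "SYN_RECV":
            f["state"] = "ESTABLISHED"
            return "pass"
        return "drop"  # anything else is out of state for this flow


def run(tracker: NaiveTracker, segments: List[Seg]) -> List[str]:
    """Feed segments in order and return the per-segment verdicts."""
    return [tracker.feed(s) for s in segments]


def flow(tracker: NaiveTracker, a: str, b: str) -> dict:
    return tracker.flows[frozenset((a, b))]


if __name__ == "__main__":
    for cls in (NaiveTracker, StrictTracker):
        t = cls()
        verdicts = run(t, split_handshake(INSIDE, OUTSIDE))
        f = flow(t, INSIDE, OUTSIDE)
        print(f"{cls.__name__}: verdicts={verdicts} client={f['client']} state={f['state']}")
```

With the naive tracker the split handshake passes and the flow ends up ESTABLISHED with the outside host recorded as the client, so any direction-dependent policy or inspection is applied backwards; the strict tracker keeps the inside host as the initiator and drops the rest of the exchange, while the ordinary three-way handshake goes through both unchanged.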
I started playing with the latest FortiAP-220B device. Plugging in my trusty ultra-cool USB Bluetooth serial adapter, powered from the USB port on the FortiAP, I noticed the following:

FAP22B3U1XXXX314 login: admin
Mar 1 12:12:03 login[606]: root login on `ttyS0'
BusyBox v1.01 (2010.08.28-00:38+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
FAP22B3U1XXXX314 # help
Built-in commands:
——————-
. : alias bg break cd chdir continue eval exec exit export false
fg hash help jobs kill let local pwd read readonly return set
shift times trap true type ulimit umask unalias unset wait
FAP22B3U1XXXX314 # .
OK, so we know it's running BusyBox on an embedded Linux. Note also that in this transcript the admin login dropped straight to a root shell (ash) with no password prompt. At this point the AP is NOT managed by the FortiGate. Not sure how much I can do with it until I tick "manage" – more to follow…
Little did I know Fortinet released FortiOS 4.2.5 on April 1. I guess it's real? A bunch of fixes for things many people were complaining about that were not addressed in 4.2.4.
I'm always looking for ways to lighten the load I carry on my back every day, that load being my backpack. I carry enough equipment to perform daily and semi-annual duties. Besides the absolute essentials (MacBook Pro 15″ 2010, power supply and wireless mouse), I carry cables such as (funny that I have to list them!):
- 7 ft Ethernet patch cable
- 7 ft Ethernet cross-over patch cable
- 25 ft Ethernet patch cable
- Ethernet couplers
- serial cables (2 types)
- gender changers (25 to 9 & male/female)
- null modems
- Cisco adapters
- Numerous USB cables (mini to normal)
So the other day, out of the blue, I found out there are Bluetooth serial adapters! It was like sliced bread. I immediately ordered one:

The adapter defaults to 19200 baud, so I had to connect it to my serial-to-USB cable and set the baud rate. If you are from the modem days (70s to early 90s), it's very similar to the Hayes AT command set. Once I paired the adapter on my Mac, I loaded ZTerm and connected. Voila! I have console on my Cisco from 40 ft away! Awesome, I say, and this will eliminate about 80 feet of cable I used to carry around!
I have worked with SonicWalls in the past; one feature I am spoiled by is something Cisco calls an extended ping. Per Cisco's site:
The Extended ping Command
When a normal ping command is sent from a router, the source address of the ping is the IP address of the interface that the packet uses to exit the router. If an extended ping command is used, the source IP address can be changed to any IP address on the router. The extended ping is used to perform a more advanced check of host reachability and network connectivity.
It appears SonicWall does not have a feature like this in their OS. I confirmed this with their support while trying to diagnose an IPsec tunnel remotely. How is that possible? Let's hope they incorporate it soon…
Refer to my other articles for Cisco's and Fortinet's usage of the command.
Fortinet quietly released 4.0 MR3 build 0441 yesterday, March 19th. Many fixes for issues that had not been addressed before, including:
- The infamous Firefox authentication bug. Bug ID: 128865
- IPS database updates could trigger FortiGate into conserve mode for a few seconds. Bug ID: 139625
- FortiGate may drop connections when AV database update is performed. Bug ID: 123389
The upside: 2 1/2 pages of enhancements. More to come while I digest the release notes…
–Update
Some enhancements -
- Wireless controller (finally! Previously one was forced to load a special firmware build to get it)
- Two Factor Authentication
- Enhanced Logging
- Facebook App Control
- FortiASIC traffic offloading
- Much, much more…