Wednesday, September 14, 2022

FortiWeb

Control of applications exposed to the internet

Control of APIs

one-arm: a single network

two-arm: two separate networks


4 general steps for the initial configuration.

    1. Load the certificate

            extensions

                .crt

                .pem

    2. Configure the server pool: the IP of the server hosting the web applications

    3. Configure the virtual server: an IP within the FortiWeb's network.

    4. Configure the policy






Protection layers

IP reputation
DDoS protection
protocol validation
attack signatures
antivirus/DLP
integration
advanced protection
behavioral validation

https://avinetworks.com/glossary/ssl-offload/


Web Application Firewall or WAF provides web application security for online services from malicious Internet traffic. WAFs detect and filter out threats such as OWASP Top 10 which could degrade, compromise or bring down online applications.

SSL offloading is the process of removing the SSL based encryption from incoming traffic that a web server receives to relieve it from decryption of data. Secure Sockets Layer (SSL) is a protocol that ensures the security of HTTP traffic and HTTP requests on the internet. SSL traffic can be compute intensive since it requires encryption and decryption of traffic. SSL (called TLS or Transport Layer Security now) relies on public key cryptography to encrypt communications between the client and server sending messages safely across networks. Encryption of sensitive information protects against potential hackers and man-in-the-middle attacks.

[Image: SSL offloading through a load balancer, securing HTTP/HTTPS traffic between applications and web servers.]


-------------------



troubleshooting

26:12:6

26  access control
12  policy
6   recipient policy


Monday, August 2, 2021

FortiClient (FCT) debug

From the FGT:

diagnose vpn ssl debug-filter src-addr4 x.x.x.x --> where x.x.x.x is the public IP of the client running the test.
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable

From the FCT:
How to enable debug log in FortiClient v5.0 and later
https://kb.fortinet.com/kb/documentLink.do?externalID=FD38644


To stop the capture on the FGT:
diagnose debug disable
diagnose debug reset

Thursday, May 7, 2020

Filter

diagnose sys session filter src
diagnose sys session list | grep policy_id

diagnose sys session filter dport  5060
 show | grep -f Red\ server

diagnose ip address list

Sunday, May 3, 2020

ADVANCED TRAFFIC FLOW INSPECTION

diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug flow show function-name disable
diagnose debug flow show iprope disable
diagnose debug reset 4
diagnose debug flow filter dadd 8.8.8.8
diagnose debug flow filter sadd 10.212.134.200
diagnose debug flow show console enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 30

Saturday, May 2, 2020

FortiGate SIP


https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-voip-guide/ALG.htm
https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-voip-guide/ALG.htm
https://kb.fortinet.com/kb/documentLink.do?externalID=FD38920



FortiGate has two methods for controlling SIP sessions


The SIP session helper

config system settings
set default-voip-alg-mode kernel-helper-based
set sip-helper enable
end


show system session-helper
.
.
.
edit 13
set name sip
set port 5060
set protocol 17
next


Use the following command to set the debug level for the SIP session helper. Different debug masks display different levels of detail about SIP session helper activity.
diagnose sys sip debug-mask <debug_mask_int>
Use the following command to display the current list of SIP dialogs being processed by the SIP session help. You can also use the clear option to delete all active SIP dialogs being processed by the SIP session helper.
diagnose sys sip dialog {clear | list}
Use the following command to display the current list of SIP NAT address mapping tables being used by the SIP session helper.
diagnose sys sip mapping list
Use the following command to display the current SIP session helper activity including information about the SIP dialogs, mappings, and other SIP session help counts. This command can be useful to get an overview of what the SIP session helper is currently doing.
diagnose sys sip status

The SIP session helper is disabled by default and must be enabled for the SIP session helper to process VoIP traffic.

The SIP ALG

config system settings
set default-voip-alg-mode proxy-based
set sip-helper disable
end




config voip profile
    edit "default"
        set comment "Default VoIP profile."
    next

By default all SIP traffic is processed by the SIP ALG. If the policy that accepts the SIP traffic includes a VoIP profile, the SIP traffic is processed by that profile. If the policy does not include a SIP profile the SIP traffic is processed by the SIP ALG using the default VoIP profile.

Use the following command to list all active SIP calls being processed by the SIP ALG. You can also use the clear option to delete all active SIP calls being processed by the SIP ALG, the idle option to list idle SIP calls, and the invite option to list SIP invite transactions.
diagnose sys sip-proxy calls {clear | list | idle | invite}
Use the following commands to employ filters to display specific information about the SIP ALG and the session that it is processing. You can build up a filter by including a number of options such as source address, VoIP profile, policy, and so on.
diagnose sys sip-proxy filter <filter_options>
diagnose sys sip-proxy log-filter <filter_options>
Use the following command to display the active SIP rate limiting meters and their current settings.
diagnose sys sip-proxy meters list
Use the following command to display status information about the SIP sessions being processed by the SIP ALG. You can also clear all SIP ALG statistics.
diagnose sys sip-proxy stats {clear | list}


Conflicts between the SIP ALG and the session helper

------------

diagnose sys sip status
dialogs: max=32768, used=0
mappings: used=0
dialog hash by ID: size=2048, used=0, depth=0
dialog hash by RTP: size=2048, used=0, depth=0
mapping hash: size=2048, used=0, depth=0
count0: 0
count1: 0
count2: 0
count3: 0
count4: 0
This command output shows that the session helper is not processing SIP sessions because all of the used and count fields are 0. If any of these fields contains non-zero values then the SIP session helper may be processing SIP sessions.
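The check described above (helper idle only when every used/count field is 0) as a small parser, written here as an added example rather than anything from the page or from Fortinet; the two sample outputs are constructed in the shape shown above, and the field names are taken from that output.

```python
import re

# Constructed sample of `diagnose sys sip status` output, in the shape shown on the
# page: every used/count field is 0, so the session helper is idle.
SAMPLE_IDLE = """\
dialogs: max=32768, used=0
mappings: used=0
dialog hash by ID: size=2048, used=0, depth=0
dialog hash by RTP: size=2048, used=0, depth=0
mapping hash: size=2048, used=0, depth=0
count0: 0
count1: 0
count2: 0
count3: 0
count4: 0
"""

# Constructed: the same output, but the helper has picked up SIP traffic.
SAMPLE_ACTIVE = (SAMPLE_IDLE
                 .replace("dialogs: max=32768, used=0", "dialogs: max=32768, used=3")
                 .replace("count0: 0", "count0: 7"))

_USED_RE = re.compile(r"\bused=(\d+)")
_COUNT_RE = re.compile(r"^count(\d+):\s*(\d+)$")


def parse_sip_status(text):
    """Return {'used': {label: n}, 'count': {index: n}} parsed from the status output."""
    used, counts = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = _COUNT_RE.match(line)
        if m:                                  # "countN: value"
            counts[int(m.group(1))] = int(m.group(2))
            continue
        label, sep, rest = line.partition(":")
        m = _USED_RE.search(rest)
        if sep and m:                          # "<label>: ..., used=N, ..."
            used[label.strip()] = int(m.group(1))
    return {"used": used, "count": counts}


def nonzero_fields(text):
    """Names of the used/count fields that are non-zero (empty list == helper idle)."""
    parsed = parse_sip_status(text)
    fields = [k for k, v in parsed["used"].items() if v]
    fields += ["count%d" % i for i, v in sorted(parsed["count"].items()) if v]
    return fields


def helper_is_processing(text):
    """True when the helper may be handling SIP; in ALG mode that points to a conflict."""
    return bool(nonzero_fields(text))
```

Run it against the pasted output of the command on a unit that is supposed to be in ALG mode; a non-empty list names the fields that show the helper is still active.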


diagnose sys sip-proxy stats list 


The RTP port number is included in the m= part of the SDP profile. In the example above, the SIP INVITE message includes RTP port number 49170, so the RTCP port number would be 49171. In the SIP response message the RTP port number is 3456, so the RTCP port number would be 3457.




Debug:
 diagnose debug disable 
 diagnose debug reset
 diagnose debug application sip -1
 diagnose debug enable
Use the following commands to display status information about the SIP sessions being processed by the SIP ALG, or to clear all SIP ALG statistics.

 diagnose sys sip-proxy calls list
 diagnose sys sip-proxy stats {clear | list}
 diagnose sys sip-proxy stats
 diagnose sys sip status
 diagnose sys sip dialog list
 diagnose sys sip mapping list






-
diagnose debug application sip

Debug mask values:
   1  Configuration changes, mainly addition/deletion/modification of virtual domains.
   2  TCP connection accepts or connects, redirect creation.
   4  Create or delete a session.
  16  Any IO read or write.
  32  An ASCII dump of all data read or written.
  64  Include HEX dump in the above output.
 128  Any activity related to the use of the FortiCarrier dynamic profile feature to determine the correct profile-group to use.
 256  Log summary of interesting fields in a SIP call.
1024  Any activity related to SIP geo-redundancy.
2048  Any activity related to HA syncing of SIP calls.
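Composing and decoding the mask from the table above, as an added example that is not part of the page or of Fortinet's tooling. It assumes the values are bit flags that are ORed together and that -1 (used earlier on this page) means all bits; bits that the table does not list, such as 8 or 512, are reported separately so a mask copied from someone else's runbook can be checked before it is applied.

```python
# Debug-mask bits for `diagnose debug application sip`, as listed on the page.
SIP_DEBUG_BITS = {
    1: "configuration changes (VDOM add/delete/modify)",
    2: "TCP connection accepts/connects, redirect creation",
    4: "session create/delete",
    16: "any IO read or write",
    32: "ASCII dump of all data read or written",
    64: "HEX dump added to the ASCII dump",
    128: "FortiCarrier dynamic profile-group selection",
    256: "summary of interesting fields in a SIP call",
    1024: "SIP geo-redundancy",
    2048: "HA syncing of SIP calls",
}


def compose_mask(*bits):
    """OR together documented bits; refuse any value that is not in the table."""
    mask = 0
    for b in bits:
        if b not in SIP_DEBUG_BITS:
            raise ValueError("undocumented SIP debug bit: %d" % b)
        mask |= b
    return mask


def decode_mask(mask):
    """Split a mask into (documented_bits, undocumented_bits), each ascending.

    -1 is assumed to be the 'everything' mask (diagnose debug application sip -1).
    """
    if mask == -1:
        return sorted(SIP_DEBUG_BITS), []
    documented, unknown = [], []
    bit = 1
    while bit <= mask:
        if mask & bit:
            (documented if bit in SIP_DEBUG_BITS else unknown).append(bit)
        bit <<= 1
    return documented, unknown


def describe_mask(mask):
    """Human-readable lines for a mask, flagging bits the table does not explain."""
    documented, unknown = decode_mask(mask)
    lines = ["%5d  %s" % (b, SIP_DEBUG_BITS[b]) for b in documented]
    lines += ["%5d  (bit not documented in the table above)" % b for b in unknown]
    return lines
```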

Wednesday, July 11, 2018

HA notes on FortiGate


Check whether the cluster is synchronized

diagnose sys ha checksum cluster

diagnose sys ha checksum recalculate

execute ha synchronize start  ==> I use this command on the backup unit to synchronize the configuration from the primary unit to the secondary.

##################################
########### HA_PRIMARY ###########
##################################
config system global
  set hostname Primary_FortiGate
end
config system ha
  set mode a-p
  set group-name My-HA-Cluster
  set password
  set priority 250
  set override enable
  set hbdev ha1 50 ha2 50
end
#################################
########### HA_BACKUP ###########
#################################
execute factoryreset
config system global
   set hostname Backup_FortiGate
end
config system ha
   set mode a-p
   set group-name My-HA-Cluster
   set password
   set priority 50
   set hbdev ha1 50 ha2 50
end
#########################################################################
########### Checking cluster operation and disabling override ###########
#########################################################################
diag sys ha cluster-csum
config system ha
    set override disable
end
OVERRIDE works like preempt: the primary is always the primary under normal conditions.



///////////
diagnose sys ha reset-uptime
//////////