Thursday, December 16, 2021

Optimization of FortiGate IPS



  1. Select IPS signatures according to the infrastructure environment.
     E.g. if there are no Linux servers, the Linux-related IPS signatures can be disabled (the default behaviour of IPS is to monitor all TCP/IP packets).
  2. Do not call the IPS profile on inter-zone or inside-interface to inside-interface traffic; it consumes FortiGate memory and CPU.
  3. Only allow/call the IPS security profile (in the firewall policy) from the inside zone to the outside zone.
  4. Always create a global profile and call it from the other VDOMs.
  5. Always trigger the IPS engine update manually using "execute update-ips" from global mode (if the updates are not coming from the FortiGuard cloud).


  • Always check the FortiGate OS compatibility with the IPS engine.

  • In this case the IPS engine is outdated for the FortiOS 6.4.2 build (see the picture above).
  • Once the IPS is upgraded we must restart the IPS engine using:

    # diag test app ipsmonitor 99   (from global mode CLI)

    # diag autoupdate versions | grep "IPS Attack" -A 6   (this command shows the updated version from the CLI)

IPS Attack Engine
---------
Version: 6.00036
Contract Expiry Date: Sat Jan 16 2021
Last Updated using manual update on Mon Aug 31 14:17:05 2020
Last Update Attempt: Mon Oct  5 22:49:27 2020
Result: No Updates

                  Wednesday, November 24, 2021

How to troubleshoot IPS issues in FortiGate firewalls

How to find a problem with IPS in a FortiGate firewall?

In our case the issue was high memory utilization on the devices, so start by capturing the memory state first.

Step 1

# diagnose hardware sysinfo memory

Run Time:  41 days, 16 hours and 7 minutes
4U, 0N, 1S, 94I, 0WA, 0HI, 1SI, 0ST; 3615T, 764F
       ipsengine    23181      S <    12.7     3.6
       ipsengine    23183      S <     4.9     3.7
       ipsengine    23180      S <     4.9     3.7
       scanunitd     3505      S <     4.9     0.6
       ipsengine    23179      S <     2.9     3.7
         miglogd      262      S       0.9     1.9

Notice that the ipsengine processes are taking a lot of memory.

Step 2

# diag debug crashlog read          (nothing related to the IPS engine was found here)

                   
Step 3

n0_fw (global) # get sys fortiguard-service status

NAME               VERSION LAST UPDATE          METHOD    EXPIRE
AV Engine           6.149  2020-05-29 21:34:00  manual    2025-08-11 23:59:59
Virus Definitions   89.7121  2021-11-23 10:04:37  scheduled 2025-08-11 23:59:59
Extended set        89.7121  2021-11-23 10:04:37  scheduled 2025-08-11 23:59:59
Flow-based Virus Definitions  89.7121  2021-11-23 10:04:37  scheduled 2025-08-11 23:59:59
Attack Definitions  6.741  2015-12-01 02:30:00  manual    2025-08-11 23:59:59
Attack Extended Definitions  18.200  2021-11-22 20:05:11  scheduled 2025-08-11 23:59:59
IPS Malicious URL Database  3.195  2021-11-22 20:05:11  scheduled 2025-08-11 23:59:59
IPS/FlowAV Engine   6.071  2021-02-17 20:28:04  scheduled 2025-08-11 23:59:59
IPS Config Script   1.009  2019-06-06 14:02:00  manual    2025-08-11 23:59:59
Application Definitions  18.199  2021-11-18 20:07:31  scheduled 2025-08-11 23:59:59
Industrial Attack Definitions  6.741  2015-12-01 02:30:00  manual    n/a

Here the Attack Definitions entry is outdated (last updated 2015-12-01).

                    

Step 4

(The solution: update the IPS from the CLI using the command below.)

# execute update-ips   (in global mode)

Note: upgrading the IPS engine terminates all TCP sessions, which has an impact on the firewall. Make sure you schedule this activity.
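As an added example (not from the original post), a small Python parser for the `get sys fortiguard-service status` output of step 3 that flags components whose last update is older than a chosen age, and contracts that have lapsed. The sample text is the page's output with the inline annotation removed; the reference date and the 365-day threshold are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample: the "get sys fortiguard-service status" output shown on this page,
# with the "Find this outdated" annotation removed so every row has the same shape.
SAMPLE_STATUS = """\
NAME               VERSION LAST UPDATE          METHOD    EXPIRE
AV Engine           6.149  2020-05-29 21:34:00  manual    2025-08-11 23:59:59
Virus Definitions   89.7121  2021-11-23 10:04:37  scheduled 2025-08-11 23:59:59
Extended set        89.7121  2021-11-23 10:04:37  scheduled 2025-08-11 23:59:59
Flow-based Virus Definitions  89.7121  2021-11-23 10:04:37  scheduled 2025-08-11 23:59:59
Attack Definitions  6.741  2015-12-01 02:30:00  manual    2025-08-11 23:59:59
Attack Extended Definitions  18.200  2021-11-22 20:05:11  scheduled 2025-08-11 23:59:59
IPS Malicious URL Database  3.195  2021-11-22 20:05:11  scheduled 2025-08-11 23:59:59
IPS/FlowAV Engine   6.071  2021-02-17 20:28:04  scheduled 2025-08-11 23:59:59
IPS Config Script   1.009  2019-06-06 14:02:00  manual    2025-08-11 23:59:59
Application Definitions  18.199  2021-11-18 20:07:31  scheduled 2025-08-11 23:59:59
Industrial Attack Definitions  6.741  2015-12-01 02:30:00  manual    n/a
"""

# One component row: a multi-word name, a dotted version, a timestamp, the update
# method, and an expiry timestamp or "n/a". The header line does not match.
LINE_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<version>\d+\.\d+)\s+"
    r"(?P<updated>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<method>\S+)\s+(?P<expire>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}|n/a)\s*$"
)
TS = "%Y-%m-%d %H:%M:%S"


def parse_status(text):
    """Return one dict per component row, in the order the firewall printed them."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["updated"] = datetime.strptime(row["updated"], TS)
        row["expire"] = None if row["expire"] == "n/a" else datetime.strptime(row["expire"], TS)
        rows.append(row)
    return rows


def stale_components(text, now, max_age_days=365):
    """Names of components whose last update is older than max_age_days at `now` (ISO string)."""
    ref = datetime.strptime(now, TS)
    return [r["name"] for r in parse_status(text) if (ref - r["updated"]).days > max_age_days]


def expired_contracts(text, now):
    """Names of components with no contract ("n/a") or a contract that has already expired."""
    ref = datetime.strptime(now, TS)
    return [r["name"] for r in parse_status(text) if r["expire"] is None or r["expire"] < ref]
```

Run against a live capture, the stale list is what to compare against the "Attack Definitions" finding of step 3 before scheduling the update in step 4.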

A few more commands to troubleshoot the IPS engine:

diagnose test application ipsmonitor 5    (this command bypasses the IPS, for monitoring)
diagnose ips packet status                (IPS packet counters, to monitor the traffic handled by IPS)
dia ips session list
dia test application ipsmonitor 13        (this will soft restart the IPS; note that its output below is headed "Session List", while option 99 above is the engine restart)
diag ips session performance
diag ips signature status

n0_fwl_i (global) # dia ips session list

Total TCP sessions: 165

SESSION id:105637489 serial:754130096 proto:6 group:0 age:6 idle:6 flag:0x200027
        feature:0x202 encap:0 ignore:1,0 ignore_after:0,204800
  C-212.224.76.233:44882, S-94.154.20.19:80
  state: C-ESTABLISHED/731/0/0/0/0, S-ESTABLISHED/0/0/0/0/0 pause:0, paws:0
  expire: 24
  app: unknown:0 last:0 unknown-size:0
  cnfm: http
  set: http sip rtsp
  asm: http

n0_fwl1_i (global) # dia test application ipsmonitor 13

Session List: pid=23179
vf=4 proto=6 194.154.20.10:49770->92.168.217.1:3306
vf=4 proto=6 82.4.241.19:39352->94.154.20.7:443
Total session :26660

n0_fwl1_i (global) # diag ips session performance

PERFORMANCE STATISTICS
name           :       sess |       pkts   cycles |       pkts   cycles
decoder        :          0 | 1007720701        0 |          0        0
session        :          0 | 1007720701        0 |          0        0
protocol       :          0 |  969665012        0 |          0        0
application    :          0 | 1544856777        0 |   63603439        0
detect         :          0 |          0        0 |          0        0
match          :          0 | 2096202687        0 |          0        0
NC match       :          0 | 2931515123        0 |          0        0
Cross Tag      :          0 |  107154002        0 |          0        0

-------------------------------------------------------------------------

                  Friday, November 19, 2021

How to extend the MPLS network to spoke devices using Juniper MX480 and Juniper SRX340






We can extend the MPLS backbone to a newly installed spoke router; the configuration is below.

Head end: Juniper MX480  < >  Spoke device: Juniper SRX340

Step-by-step process
1. Create the BGP communities.
2. Create the BGP group for the BGP peer.
3. Write the policies for the routes coming in and going out.
4. Create the routing instance and assign the interface.
5. Check that the BGP peer is reachable by ping.

                  Head end configuration 
                  ------------------------------------------------------

BGP configuration

                  set protocols bgp group SR2_TC1 type external
                  set protocols bgp group SR2_TC1 hold-time 30
                  set protocols bgp group SR2_TC1 advertise-inactive
                  set protocols bgp group SR2_TC1 log-updown
                  set protocols bgp group SR2_TC1 family inet labeled-unicast
                  set protocols bgp group SR2_TC1 family inet-vpn unicast
                  set protocols bgp group SR2_TC1 export BGP-export-l3vpn
                  set protocols bgp group SR2_TC1 export DEFAULT-ONLY
                  set protocols bgp group SR2_TC1 peer-as 4099.35
                  set protocols bgp group SR2_TC1 neighbor 94.54.4.242


                  BGP Community 

                  set policy-options community cust-svcs-1121_export members target:503:101121
                  set policy-options community cust-svcs-1121_import members target:4100:101121
                  set policy-options community cust_fwl_1121_export members target:503:101279
                  set policy-options community cust_fwl_1121_import members target:4100:101279


Advertise only the default route

                  set policy-options policy-statement DEFAULT-ONLY term default-only from route-filter 0.0.0.0/0 exact
                  set policy-options policy-statement DEFAULT-ONLY term default-only then accept
                  set policy-options policy-statement DEFAULT-ONLY term reject-others then reject

                  L3VPN routes policy 

                  set policy-options policy-statement BGP-export-l3vpn term T1 from family inet-vpn
                  set policy-options policy-statement BGP-export-l3vpn term T1 then accept
                  set policy-options policy-statement BGP-export-l3vpn term T2 from family route-target
                  set policy-options policy-statement BGP-export-l3vpn term T2 then accept


                  Spoke site 

                  set protocols bgp group SR2_TC1 type external
                  set protocols bgp group SR2_TC1 hold-time 30
                  set protocols bgp group SR2_TC1 family inet labeled-unicast
                  set protocols bgp group SR2_TC1 family inet-vpn unicast
                  set protocols bgp group SR2_TC1 export bgp-export
                  set protocols bgp group SR2_TC1 peer-as 5503
                  set protocols bgp group SR2_TC1 neighbor 94.54.4.241
                  set protocols bgp group SR2_TC1 neighbor 94.54.4.243
                  set protocols mpls traffic-engineering mpls-forwarding

Route policy to advertise the routes (only the router's loopback)

set policy-options policy-statement bgp-export term T1 from protocol direct
set policy-options policy-statement bgp-export term T1 from route-filter 94.154.4.26/32 exact   (loopback IP address of the router)
set policy-options policy-statement bgp-export term T1 then accept
set policy-options policy-statement bgp-export term T2 then reject


VRF import/export policies (community based)


                  set policy-options policy-statement VRF_1121_export term VRF_1121_export then community add cust-svcs-1121_import
                  set policy-options policy-statement VRF_1121_export term VRF_1121_export then next term
                  set policy-options policy-statement VRF_1121_export term VRF_1121_export-1 then community add cust_fwl_1121_import
                  set policy-options policy-statement VRF_1121_export term VRF_1121_export-1 then accept
                  set policy-options policy-statement VRF_1121_import term SVC_cust_fwl_1121 from protocol bgp
                  set policy-options policy-statement VRF_1121_import term SVC_cust_fwl_1121 from community cust_fwl_1121_export
                  set policy-options policy-statement VRF_1121_import term SVC_cust_fwl_1121 then accept
                  set policy-options policy-statement VRF_1121_import term SVC_cust_services_1121 from community cust-svcs-1121_export
                  set policy-options policy-statement VRF_1121_import term SVC_cust_services_1121 then accept

                  BGP Community 

                  set policy-options community cust-svcs-1121_export members target:503:101121
                  set policy-options community cust-svcs-1121_import members target:4100:101121
                  set policy-options community cust_fwl_1121_export members target:503:101279
                  set policy-options community cust_fwl_1121_import members target:4100:101279

Routing-instance configuration

                  set routing-instances Monitoring-LCN-1121 interface ae1.55
                  set routing-instances Monitoring-LCN-1121 instance-type vrf
                  set routing-instances Monitoring-LCN-1121 route-distinguisher 94.54.4.26:8757
                  set routing-instances Monitoring-LCN-1121 vrf-import VRF_1121_import
                  set routing-instances Monitoring-LCN-1121 vrf-export VRF_1121_export
                  set routing-instances Monitoring-LCN-1121 vrf-table-label

                  Wednesday, November 17, 2021

FortiGate troubleshooting cheat sheet

L3 diagnose commands
-------------------------------------
 · diagnose ip arp list
 · debug flow:
 · diagnose debug flow show console enable
 · diagnose debug enable
 · diagnose debug flow trace start
 · diagnose debug flow trace stop
 · diagnose debug

--------------------------------------------
CPU usage diagnose commands
--------------------------------------------
 · get system performance status
 · diagnose sys top 1
 · diagnose sys top
 · diagnose sys top-summary
 · diagnose hardware test suite all

--------------------------------------
Crash log diagnose commands
--------------------------------------
 · diagnose debug crashlog read
----------------------------------------------------
FortiGate hardware diagnose commands
----------------------------------------------------
 · get hardware status
 · get hardware npu np6 port-list
Network processor work at interface level (L1 issues)
-------------------------------------------------
 · diagnose sys session list
 · diagnose netlink aggregate name agg1
 · diagnose npu spm list
Firewall disk space, or to format the firewall disk
---------------------------------------------------------
 · get hardware status
 · execute disk list
 · execute disk format
CPU use and memory
--------------------------------------------------------
CPU:    diagnose hardware sysinfo cpu
Mem:    diagnose hardware sysinfo memory

Log
------
diagnose log test   (tests whether logs are being generated)
execute backup disk alllogs {ftp | tftp | usb}
Note: the user-anonymize log setting anonymizes user names in the logs.
---------------------------------------------------

Basic commands
-----------------------------------------------
Administrative user only
----------------------------------
get system status
show full-configuration system interface <port>
show system interface <port>
How do you restrict logins to the FortiGate to only specific IP addresses?
 A. Disable HTTPS access on the interface
 B. Configure trusted hosts
User administrator
---------------------------------------------
System > Admin Profiles   (to view the admin profile)
Network > Interfaces > Address > Administrative Access
Transparent mode MAC table
--------------------------------------------
diagnose netlink brctl name host <VDOM1>.b
Debug commands: routing table display
--------------------------------------------------------
 • get router info routing-table all
 • get router info routing-table database   : to see the inactive routes in the routing table
 • diagnose firewall proute list            : to view the policy routing table

RPF checks
---------------------------------------
 • strict-src-check disable   (loose RPF, the default)
 • strict-src-check enable    (strict RPF)
 • set strict-src-check disable
Packet capture in FortiGate
 • diagnose sniffer packet <interface> '<filter>' <timestamp> <frame size>
 • Ctrl+C to stop the packet capture
 • diagnose sniffer packet any 'host 192.168.1.254 and icmp' 3
 • diagnose sniffer packet any 'port 443' 4   (it will show the in/out packets)

                  Tuesday, April 13, 2021

Backup user to pull the configuration from FortiGate using SSH keys

In this configuration we set up two trusted hosts from which the configuration can be pulled by backup software such as Rancid or by scripts; the account authenticates with SSH public keys.


                   fwl1(backup) # show

                  config system admin
                      edit "backup"
                          set trusthost1 1.2.4.107 255.255.255.255
                          set trusthost2 1.28.49.1 255.255.255.255
                          set accprofile "super_admin"
                          set vdom "root"
        set ssh-public-key1 "ssh-rsa M+hK0a60Hw== rancid"   (the full public key goes here)
        set ssh-public-key2 "ssh-rsa +Yptf rancid"          (the full public key goes here)
                          
                      next
                  end
                  



                  Wednesday, February 6, 2019

                  How to set the debug file in juniper device for ospf






                  set protocols ospf traceoptions file ospf-log
                  set protocols ospf traceoptions file size 10k
                  set protocols ospf traceoptions file files 5
                  set protocols ospf traceoptions flag lsa-ack
                  set protocols ospf traceoptions flag database-description
                  set protocols ospf traceoptions flag hello
                  set protocols ospf traceoptions flag lsa-update
                  set protocols ospf traceoptions flag lsa-request
                  set protocols ospf traceoptions flag error



                   show log ospf-log | last 10

                  Feb  6 05:35:09.041161 OSPF hello from 194.154.4.28 (IFL 81, area 0.0.0.0) absorbed
                  Feb  6 05:35:09.046626 OSPF periodic xmit from 194.154.4.232 to 224.0.0.5 (IFL 81 area 0.0.0.0)
                  Feb  6 05:35:09.926405 OSPF periodic xmit from 194.154.4.232 to 224.0.0.5 (IFL 81 area 0.0.0.0)
                  Feb  6 05:35:09.951517 OSPF hello from 194.154.4.28 (IFL 81, area 0.0.0.0) absorbed
                  Feb  6 05:35:10.712453 OSPF hello from 194.154.4.28 (IFL 81, area 0.0.0.0) absorbed
                  Feb  6 05:35:10.893468 OSPF periodic xmit from 194.154.4.232 to 224.0.0.5 (IFL 81 area 0.0.0.0)
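An added example (not from the original post): a Python parser for the `show log ospf-log` lines above that counts hellos per neighbour and flags any neighbour whose hellos pause for longer than the dead interval, which is what such a trace is usually inspected for. The sample log is the page's six lines plus one constructed line at 05:36:00 to show the failure case; the 40 s dead interval is the Junos default and is assumed here.

```python
import re
from datetime import datetime

# Constructed sample: the six trace lines from this page, plus a seventh line added here
# (05:36:00) so that the neighbour's hello gap exceeds a 40 s dead interval.
SAMPLE_LOG = """\
Feb  6 05:35:09.041161 OSPF hello from 194.154.4.28 (IFL 81, area 0.0.0.0) absorbed
Feb  6 05:35:09.046626 OSPF periodic xmit from 194.154.4.232 to 224.0.0.5 (IFL 81 area 0.0.0.0)
Feb  6 05:35:09.926405 OSPF periodic xmit from 194.154.4.232 to 224.0.0.5 (IFL 81 area 0.0.0.0)
Feb  6 05:35:09.951517 OSPF hello from 194.154.4.28 (IFL 81, area 0.0.0.0) absorbed
Feb  6 05:35:10.712453 OSPF hello from 194.154.4.28 (IFL 81, area 0.0.0.0) absorbed
Feb  6 05:35:10.893468 OSPF periodic xmit from 194.154.4.232 to 224.0.0.5 (IFL 81 area 0.0.0.0)
Feb  6 05:36:00.000000 OSPF hello from 194.154.4.28 (IFL 81, area 0.0.0.0) absorbed
"""

TS_RE = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{6})"
# "hello from X (IFL n, area a) absorbed" is a received hello; "periodic xmit" is our own.
HELLO_RE = re.compile(TS_RE + r" OSPF hello from (?P<nbr>[\d.]+) \(IFL (?P<ifl>\d+), area (?P<area>[\d.]+)\) absorbed$")
XMIT_RE = re.compile(TS_RE + r" OSPF periodic xmit from (?P<src>[\d.]+) to 224\.0\.0\.5 \(IFL (?P<ifl>\d+) area (?P<area>[\d.]+)\)$")


def _parse_ts(ts):
    # The trace line carries no year; strptime fills in 1900, which is fine for gap
    # arithmetic as long as the capture does not cross a year boundary.
    return datetime.strptime(ts, "%b %d %H:%M:%S.%f")


def parse_trace(text):
    """Split the trace into received hellos (keyed by neighbour) and transmits (keyed by source)."""
    hellos, xmits = {}, {}
    for line in text.splitlines():
        m = HELLO_RE.match(line.strip())
        if m:
            hellos.setdefault(m["nbr"], []).append(_parse_ts(m["ts"]))
            continue
        m = XMIT_RE.match(line.strip())
        if m:
            xmits.setdefault(m["src"], []).append(_parse_ts(m["ts"]))
    return hellos, xmits


def hello_counts(text):
    """Number of hellos received from each neighbour."""
    hellos, _ = parse_trace(text)
    return {nbr: len(stamps) for nbr, stamps in hellos.items()}


def max_hello_gap(text):
    """Longest silence between consecutive hellos per neighbour, in seconds (rounded to ms)."""
    hellos, _ = parse_trace(text)
    gaps = {}
    for nbr, stamps in hellos.items():
        stamps = sorted(stamps)
        if len(stamps) < 2:
            gaps[nbr] = 0.0
            continue
        gaps[nbr] = round(max((b - a).total_seconds() for a, b in zip(stamps, stamps[1:])), 3)
    return gaps


def quiet_neighbours(text, dead_interval=40.0):
    """Neighbours whose hellos paused longer than the dead interval (Junos default 40 s, assumed)."""
    return sorted(nbr for nbr, gap in max_hello_gap(text).items() if gap > dead_interval)
```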


Note



                  The Routing Engine copies the forwarding table to the Packet Forwarding Engine, the part of the router that is responsible for forwarding packets. To display the entries in the Packet Forwarding Engine's forwarding table, use the show pfe route command.


                  root@> show pfe route summary

                  ================ master ================


                  IPv4 Route Tables:
                  Index         Routes     Size(b)
                  --------  ----------  ----------
                  Default          109       10024
                  1                 12        1100
                  2                  6         548
                  3                  9         824
                  5                  5         456

                  MPLS Route Tables:
                  Index         Routes     Size(b)
                  --------  ----------  ----------
                  Default            5         456
                  7                  1          88

                  IPv6 Route Tables:
                  Index         Routes     Size(b)
                  --------  ----------  ----------
                  Default            4         388
                  1                  4         388
                  5                  4         388

                  CLNP Route Tables:
                  Index         Routes     Size(b)
                  --------  ----------  ----------
                  Default            1          88
                  5                  1          88

                  MSTP-instance Route Tables:
                  Index         Routes     Size(b)
                  --------  ----------  ----------
                  Default            1          88


                  root@>

                  Monday, February 4, 2019

FortiGate VDOM

VDOM administration

The super_admin profile has access to all VDOMs.

Policy-based routes are configured in

Network > Policy Routes

Enable IPv6 or any other feature:

System > Feature Visibility    (to view the feature set)

FortiGate ECMP

config system settings

set v4-ecmp-mode [source-ip-based]   (the default)
---------------------------------------------------------------------
Learning mode: in FortiGate, enable device detection on the source interfaces.

Traffic shapers: shared traffic shaper.

To map more than one service, create a service object.

Session table in FortiGate

Session diagnose (output)

Session table > FortiView > All Sessions

TCP default TTL value for the session table on the firewall:

3600 sec (default value)

Firewall services > firewall policies > global sessions

Clear any previous filters
------------------------------------------------------------
diagnose sys session filter clear
diagnose sys session list
diagnose sys session clear

E.g.: diagnose sys session filter dst 10.200.1.254
diag sys session filter dport 80
diag sys session list

Show the routing table
------------------------------------------
get router info routing-table all

What criteria are used to install routes in the "bgp.l3vpn.0" routing table?

Nice one:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB1534

Steps to create VPNv4 routes in Juniper

(CE)-----(PE-A)-------(OSPF-MPLS-LDP-IBGP--VPNv4 PEERING)----(PE-B)--(CE)

1. Create a routing path between PE and PE (using an IGP and IBGP).
2. Create the VPN VRF instances on the PE routers (e.g. VRF_Customer1).
3. Create the L3VPN BGP peering.
4. Create import and export policies to filter the VPNv4 routes from the neighbors.

Create the policies on the PEs and attach them to the VRF instances:

PE-A                      PE-B
------------------        ------------------
Import: 100300            Export: 100300
Export: 100301            Import: 100301

Use a policy to redistribute routes from OSPF into BGP.

Import and Export VRF in Juniper
--------------------------------------------

A simple explanation of import and export in routing instances.

The export targets of the services VRF need to be the import targets in the customer VRF, and the import targets of the services VRF will be the export targets in the customer VRF.

The export command in Juniper

VRF export, wherever you see it on a Juniper device, means the instance is exporting (giving) its routes to a VRF, VR or other routing table.
In summary, it gives its routes to other routing tables.

The import command in Juniper

VRF import, wherever you see it on a Juniper device, means the instance is importing (accepting) routes from neighbor devices or from a VR, VRF, etc.
In summary, it takes routes from peer devices.
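An added Python model (not Junos code and not from the original post) of the VRF_1121_import and VRF_1121_export policies from the SRX340 configuration in the MPLS post above, showing which route targets get a route accepted into the firewall VRF, which targets an exported route carries, and the pairing rule stated in this section. The services VRF values are hypothetical, built to mirror the firewall VRF's policies; treating a route that matches no import term as rejected is an assumption.

```python
# The four communities defined on the page (policy-options community ... members target:...).
COMMUNITIES = {
    "cust-svcs-1121_export": "target:503:101121",
    "cust-svcs-1121_import": "target:4100:101121",
    "cust_fwl_1121_export": "target:503:101279",
    "cust_fwl_1121_import": "target:4100:101279",
}

# VRF_1121_import as configured: term SVC_cust_fwl_1121 requires protocol bgp AND community
# cust_fwl_1121_export; term SVC_cust_services_1121 requires only cust-svcs-1121_export.
# (term name, required protocol or None, required community name)
IMPORT_TERMS = [
    ("SVC_cust_fwl_1121", "bgp", "cust_fwl_1121_export"),
    ("SVC_cust_services_1121", None, "cust-svcs-1121_export"),
]

# VRF_1121_export as configured: the first term adds cust-svcs-1121_import and continues with
# "next term"; the second adds cust_fwl_1121_import and accepts, so every export carries both.
EXPORT_ADDS = ("cust-svcs-1121_import", "cust_fwl_1121_import")


def vrf_import(route):
    """Evaluate VRF_1121_import on a route dict {'prefix', 'protocol', 'communities'}.
    Returns (accepted, name of the matching term). A route matching no term is treated as
    rejected here (assumption about the policy's default action)."""
    for name, proto, comm in IMPORT_TERMS:
        if proto is not None and route["protocol"] != proto:
            continue
        if COMMUNITIES[comm] not in route["communities"]:
            continue
        return True, name
    return False, None


def vrf_export(route):
    """Communities attached to a route leaving Monitoring-LCN-1121 through VRF_1121_export."""
    return sorted(set(route["communities"]) | {COMMUNITIES[c] for c in EXPORT_ADDS})


def targets_paired(local_import, local_export, remote_import, remote_export):
    """True when leaking works both ways: each side's export targets appear in the other side's
    import targets, which is the rule stated in this section."""
    return bool(set(local_import) & set(remote_export)) and bool(set(remote_import) & set(local_export))


# Targets of the firewall VRF, derived from the policies above.
FIREWALL_VRF = {
    "import": [COMMUNITIES["cust_fwl_1121_export"], COMMUNITIES["cust-svcs-1121_export"]],
    "export": [COMMUNITIES[c] for c in EXPORT_ADDS],
}

# Hypothetical services VRF on the head end, built to mirror the firewall VRF: it exports the
# target:503:* communities and imports the target:4100:* ones. Not taken from the page.
SERVICES_VRF = {
    "import": ["target:4100:101121", "target:4100:101279"],
    "export": ["target:503:101121", "target:503:101279"],
}
```

The third case in the test (a route carrying the right target but not learned via BGP) shows why the `from protocol bgp` qualifier in the first term matters when reading such a policy.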
                   


