Wednesday, November 24, 2021

How to troubleshoot IPS issues in FortiGate firewalls

How to find a problem with IPS in a FortiGate firewall?


In our case the issue is high memory utilization on the device, so we start by checking the memory usage.

Step 1

#diagnose hardware sysinfo memory

Run Time:  41 days, 16 hours and 7 minutes

4U, 0N, 1S, 94I, 0WA, 0HI, 1SI, 0ST; 3615T, 764F

       ipsengine    23181      S <    12.7     3.6   (notice that the IPS engine is taking a lot of memory)

       ipsengine    23183      S <     4.9     3.7

       ipsengine    23180      S <     4.9     3.7

       scanunitd     3505      S <     4.9     0.6

       ipsengine    23179      S <     2.9     3.7

         miglogd      262      S       0.9     1.9


Step 2

# diag debug crashlog read          >>>> Nothing related to the IPS engine was found

 
Step 3

n0_fw (global) # get sys fortiguard-service status

NAME               VERSION LAST UPDATE          METHOD    EXPIRE

AV Engine           6.149  2020-05-29 21:34:00  manual    2025-08-11 23:59:59

Virus Definitions   89.7121  2021-11-23 10:04:37  scheduled 2025-08-11 23:59:59

Extended set        89.7121  2021-11-23 10:04:37  scheduled 2025-08-11 23:59:59

Flow-based Virus Definitions  89.7121  2021-11-23 10:04:37  scheduled 2025-08-11 23:59:59

Attack Definitions  6.741  2015-12-01 02:30:00  manual    2025-08-11 23:59:59  <<< found to be outdated

Attack Extended Definitions  18.200  2021-11-22 20:05:11  scheduled 2025-08-11 23:59:59

IPS Malicious URL Database  3.195  2021-11-22 20:05:11  scheduled 2025-08-11 23:59:59

IPS/FlowAV Engine   6.071  2021-02-17 20:28:04  scheduled 2025-08-11 23:59:59

IPS Config Script   1.009  2019-06-06 14:02:00  manual    2025-08-11 23:59:59

Application Definitions  18.199  2021-11-18 20:07:31  scheduled 2025-08-11 23:59:59

Industrial Attack Definitions  6.741  2015-12-01 02:30:00  manual    n/a


Step 4

Solution: update the IPS from the CLI, in global mode, with the command below:

# execute update-ips

Note: upgrading the IPS engine terminates all TCP sessions, which impacts traffic through the firewall, so schedule this activity in a maintenance window.

A few more commands to troubleshoot the IPS engine:

diagnose test application ipsmonitor 5   (toggles IPS bypass, useful while monitoring)

diagnose ips packet status   (shows the IPS packet counters, to monitor the traffic going through IPS)

diagnose ips session list

diagnose test application ipsmonitor 13   (this will soft-restart the IPS)

diagnose ips session performance

diagnose ips signature status

n0_fwl_i (global) # dia ips session list

Total TCP sessions: 165

SESSION id:105637489 serial:754130096 proto:6 group:0 age:6 idle:6 flag:0x200027

        feature:0x202 encap:0 ignore:1,0 ignore_after:0,204800

  C-212.224.76.233:44882, S-94.154.20.19:80

  state: C-ESTABLISHED/731/0/0/0/0, S-ESTABLISHED/0/0/0/0/0 pause:0, paws:0

  expire: 24

  app: unknown:0 last:0 unknown-size:0

  cnfm: http

  set: http sip rtsp

  asm: http

n0_fwl1_i (global) # dia test application ipsmonitor 13

Session List: pid=23179

vf=4 proto=6 194.154.20.10:49770->92.168.217.1:3306

vf=4 proto=6 82.4.241.19:39352->94.154.20.7:443

Total session :26660


n0_fwl1_i (global) # diag ips session performance


PERFORMANCE STATISTICS

name           :       sess |       pkts   cycles |       pkts   cycles

decoder        :          0 | 1007720701        0 |          0        0

session        :          0 | 1007720701        0 |          0        0

protocol       :          0 |  969665012        0 |          0        0

application    :          0 | 1544856777        0 |   63603439        0

detect         :          0 |          0        0 |          0        0

match          :          0 | 2096202687        0 |          0        0

NC match       :          0 | 2931515123        0 |          0        0

Cross Tag      :          0 |  107154002        0 |          0        0

-------------------------------------------------------------------------

Friday, November 19, 2021

How to extend the MPLS network to spoke devices using Juniper MX480 and Juniper SRX340

We can extend the MPLS backbone to a newly installed spoke router; the configuration is below.

Head end: Juniper MX480 <-> Spoke device: Juniper SRX340

Step-by-step process:
  1. Create the BGP communities.
  2. Create the BGP group for the BGP peer.
  3. Write the policies for the routes coming in and going out.
  4. Create the routing instance and assign the interface.
  5. Check that the BGP peer is reachable by ping.

Head end configuration
------------------------------------------------------

BGP configuration

set protocols bgp group SR2_TC1 type external
set protocols bgp group SR2_TC1 hold-time 30
set protocols bgp group SR2_TC1 advertise-inactive
set protocols bgp group SR2_TC1 log-updown
set protocols bgp group SR2_TC1 family inet labeled-unicast
set protocols bgp group SR2_TC1 family inet-vpn unicast
set protocols bgp group SR2_TC1 export BGP-export-l3vpn
set protocols bgp group SR2_TC1 export DEFAULT-ONLY
set protocols bgp group SR2_TC1 peer-as 4099.35
set protocols bgp group SR2_TC1 neighbor 94.54.4.242


BGP Community 

set policy-options community cust-svcs-1121_export members target:503:101121
set policy-options community cust-svcs-1121_import members target:4100:101121
set policy-options community cust_fwl_1121_export members target:503:101279
set policy-options community cust_fwl_1121_import members target:4100:101279


Advertise only the default route

set policy-options policy-statement DEFAULT-ONLY term default-only from route-filter 0.0.0.0/0 exact
set policy-options policy-statement DEFAULT-ONLY term default-only then accept
set policy-options policy-statement DEFAULT-ONLY term reject-others then reject

L3VPN routes policy 

set policy-options policy-statement BGP-export-l3vpn term T1 from family inet-vpn
set policy-options policy-statement BGP-export-l3vpn term T1 then accept
set policy-options policy-statement BGP-export-l3vpn term T2 from family route-target
set policy-options policy-statement BGP-export-l3vpn term T2 then accept


Spoke site configuration

set protocols bgp group SR2_TC1 type external
set protocols bgp group SR2_TC1 hold-time 30
set protocols bgp group SR2_TC1 family inet labeled-unicast
set protocols bgp group SR2_TC1 family inet-vpn unicast
set protocols bgp group SR2_TC1 export bgp-export
set protocols bgp group SR2_TC1 peer-as 5503
set protocols bgp group SR2_TC1 neighbor 94.54.4.241
set protocols bgp group SR2_TC1 neighbor 94.54.4.243
set protocols mpls traffic-engineering mpls-forwarding

Route policy to advertise the routes

set policy-options policy-statement bgp-export term T1 from protocol direct
set policy-options policy-statement bgp-export term T1 from route-filter 94.154.4.26/32 exact   (loopback IP address of the router)
set policy-options policy-statement bgp-export term T1 then accept
set policy-options policy-statement bgp-export term T2 then reject


VRF import/export policies (community tagging)


set policy-options policy-statement VRF_1121_export term VRF_1121_export then community add cust-svcs-1121_import
set policy-options policy-statement VRF_1121_export term VRF_1121_export then next term
set policy-options policy-statement VRF_1121_export term VRF_1121_export-1 then community add cust_fwl_1121_import
set policy-options policy-statement VRF_1121_export term VRF_1121_export-1 then accept
set policy-options policy-statement VRF_1121_import term SVC_cust_fwl_1121 from protocol bgp
set policy-options policy-statement VRF_1121_import term SVC_cust_fwl_1121 from community cust_fwl_1121_export
set policy-options policy-statement VRF_1121_import term SVC_cust_fwl_1121 then accept
set policy-options policy-statement VRF_1121_import term SVC_cust_services_1121 from community cust-svcs-1121_export
set policy-options policy-statement VRF_1121_import term SVC_cust_services_1121 then accept

BGP Community 

set policy-options community cust-svcs-1121_export members target:503:101121
set policy-options community cust-svcs-1121_import members target:4100:101121
set policy-options community cust_fwl_1121_export members target:503:101279
set policy-options community cust_fwl_1121_import members target:4100:101279

Routing-instance configuration

set routing-instances Monitoring-LCN-1121 interface ae1.55
set routing-instances Monitoring-LCN-1121 instance-type vrf
set routing-instances Monitoring-LCN-1121 route-distinguisher 94.54.4.26:8757
set routing-instances Monitoring-LCN-1121 vrf-import VRF_1121_import
set routing-instances Monitoring-LCN-1121 vrf-export VRF_1121_export
set routing-instances Monitoring-LCN-1121 vrf-table-label
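Added example, not part of the original post or of any Juniper tooling: a Python helper that resolves the spoke VRF's effective import and export route targets from the set-style lines above, by following vrf-import/vrf-export to the policy terms and then to the community definitions, and that reports any community a policy references but never defines (the usual symptom of a typo between the policy and the community block). The config excerpt is copied from the post; recognising only the statement forms used there is an assumption of this helper.

```python
import re
from collections import defaultdict

# Excerpt of the spoke configuration above (Junos set syntax), embedded so this runs offline.
SPOKE_CONFIG = """\
set policy-options policy-statement VRF_1121_export term VRF_1121_export then community add cust-svcs-1121_import
set policy-options policy-statement VRF_1121_export term VRF_1121_export then next term
set policy-options policy-statement VRF_1121_export term VRF_1121_export-1 then community add cust_fwl_1121_import
set policy-options policy-statement VRF_1121_export term VRF_1121_export-1 then accept
set policy-options policy-statement VRF_1121_import term SVC_cust_fwl_1121 from protocol bgp
set policy-options policy-statement VRF_1121_import term SVC_cust_fwl_1121 from community cust_fwl_1121_export
set policy-options policy-statement VRF_1121_import term SVC_cust_fwl_1121 then accept
set policy-options policy-statement VRF_1121_import term SVC_cust_services_1121 from community cust-svcs-1121_export
set policy-options policy-statement VRF_1121_import term SVC_cust_services_1121 then accept
set policy-options community cust-svcs-1121_export members target:503:101121
set policy-options community cust-svcs-1121_import members target:4100:101121
set policy-options community cust_fwl_1121_export members target:503:101279
set policy-options community cust_fwl_1121_import members target:4100:101279
set routing-instances Monitoring-LCN-1121 instance-type vrf
set routing-instances Monitoring-LCN-1121 vrf-import VRF_1121_import
set routing-instances Monitoring-LCN-1121 vrf-export VRF_1121_export
"""

# Only the statement forms used in the post are recognised (an assumption of this helper).
COMMUNITY = re.compile(r"^set policy-options community (\S+) members (\S+)$")
ADD = re.compile(r"^set policy-options policy-statement (\S+) term \S+ then community add (\S+)$")
FROM = re.compile(r"^set policy-options policy-statement (\S+) term \S+ from community (\S+)$")
VRF = re.compile(r"^set routing-instances (\S+) vrf-(import|export) (\S+)$")

def vrf_route_targets(config):
    """Map each VRF to the route targets it exports (community add) and imports (from community).
    A community referenced by a policy but never defined is reported as 'UNDEFINED:<name>'."""
    members, added, matched, vrfs = {}, defaultdict(set), defaultdict(set), {}
    for line in config.splitlines():
        if m := COMMUNITY.match(line):
            members[m[1]] = m[2]            # community name -> target:ASN:value
        elif m := ADD.match(line):
            added[m[1]].add(m[2])           # export policy -> communities it tags routes with
        elif m := FROM.match(line):
            matched[m[1]].add(m[2])         # import policy -> communities it accepts
        elif m := VRF.match(line):
            vrfs.setdefault(m[1], {})[m[2]] = m[3]   # VRF -> {import: policy, export: policy}
    resolve = lambda names: {members.get(n, "UNDEFINED:" + n) for n in names}
    return {name: {"export": resolve(added[pol.get("export", "")]),
                   "import": resolve(matched[pol.get("import", "")])}
            for name, pol in vrfs.items()}

if __name__ == "__main__":
    for vrf, rts in vrf_route_targets(SPOKE_CONFIG).items():
        print(vrf, "exports", sorted(rts["export"]), "imports", sorted(rts["import"]))
```

The head end must import what the spoke exports (target:4100:...) and export what the spoke imports (target:503:...), so the same resolver run over the PE side gives a direct check of the pairing.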

Wednesday, November 17, 2021

FortiGate cheat sheet for troubleshooting

L3 diagnose commands
-------------------------------------
 · diagnose ip arp list
 · Debug flow:
 · diagnose debug flow show console enable
 · diagnose debug enable
 · diagnose debug flow trace start
 · diagnose debug flow trace stop
 · diagnose debug

--------------------------------------------
CPU usage diagnose commands
--------------------------------------------
 · get system performance status
 · diagnose sys top 1
 · diagnose sys top
 · diagnose sys top-summary
 · diagnose hardware test suite all

--------------------------------------
Crash log diagnose commands
--------------------------------------
 · diagnose debug crashlog read
----------------------------------------------------
FortiGate hardware diagnose commands
----------------------------------------------------
 · get hardware status
 · get hardware npu np6 port-list
Network processor work at interface level (L1 issues)
-------------------------------------------------
 · diagnose sys session list
 · diagnose netlink aggregate name agg1
 · diagnose npu spm list
Firewall disk space, or to format the firewall disk
---------------------------------------------------------
 · get hardware status
 · execute disk list
 · execute disk format
CPU use and memory
--------------------------------------------------------
CPU:     diagnose hardware sysinfo cpu
Memory:  diagnose hardware sysinfo memory

Log
------
diagnose log test  (tests whether logs are being generated)
execute backup disk alllogs {ftp | tftp | usb}
Note: user-anonymize can be set to control how user names appear in the logs
---------------------------------------------------

Basic commands
-----------------------------------------------
Administrative user only
----------------------------------
get system status
show full-configuration system interface <port>
show system interface <port>
How do you restrict logins to the FortiGate to only specific IP addresses?
 A. Disable HTTPS access on the interface
 B. Configure trusted hosts
User administrator
---------------------------------------------
System > Admin Profiles  (to view the admin profile)
Network > Interfaces > Address > Administrative Access
Transparent mode MAC table
--------------------------------------------
diagnose netlink brctl name host <VDOM>.b
Debug commands: routing table display
--------------------------------------------------------
 • get router info routing-table all
 • get router info routing-table database  : to see the inactive routes in the routing table
 • diagnose firewall proute list  : to view the policy routing table

RPF checks
---------------------------------------
 • strict-src-check disable  (loose RPF, the default)
 • strict-src-check enable  (strict RPF)
 • set strict-src-check disable
Packet capture in FortiGate
 • diagnose sniffer packet <interface> '<filter>' <verbose> <count> <timestamp> <frame size>
 • Ctrl+C to stop the packet capture
 • diagnose sniffer packet any 'host 192.168.1.254 and icmp' 3
 • diagnose sniffer packet any 'port 443' 4   (shows in/out packets)

Optimization of FortiGate IPS

IPS signatures need to be selected according to the infrastructure environment, e.g. if we do not have Linux servers, those IPS signatures can be disabled (d...