How to configure an Automation Stitch (email alert) for CPU threshold on a Fortigate.

This is a quick reference on how to configure an Automation Stitch for CPU threshold on a Fortigate.

This was configured on Fortigate firmware 6.2.7. You will also need a working email server configuration (config system email-server) on the Fortigate, because the stitch sends mail through it; the Gmail SMTP guide further down this page covers that part.

1. Configure CPU Threshold

This is the CPU usage percentage at which the Fortigate writes a "CPU usage statistics" entry to the event log, and that log entry is what the stitch triggers on. The default is 90; 50 is used here so the alert is easy to reproduce.

config system global
    set cpu-use-threshold 50
end

2. Configure Automation Stitch

2.1 GUI

2.1.1 Create New

This can be found under Security Fabric / Automation

2.1.2 Select Trigger for Email

In this case the trigger is CPU Usage Statistics, which is under the FortiOS Event Log option.

2.1.3 Select Email

Add the email address the alerts should be sent to.

2.2 CLI

Use the sender account configured under config system email-server as the "email-from" address. The block below only defines the email action; the CPU trigger and the stitch that joins trigger and action are what the GUI steps in 2.1 create, so if you stay on the CLI you also need the matching config system automation-trigger and config system automation-stitch entries. minimum-interval 60 stops a firewall that hovers around the threshold from sending a mail for every log entry.

config system automation-action
    edit "Nameofstitch_email"
        set action-type email
        set email-to "youremail@gmail.com"
        set email-from "yourgmail@gmail.com"
        set email-subject "CPU usage alert"
        set email-body "%%log%%"
        set minimum-interval 60
        set delay 0
        set required disable
    next
end

4. Test

To test this you need to push CPU usage above the 50% threshold. A network stress tester will do it; enabling logging and UTM inspection on a busy firewall policy, and turning hardware offloading off for that policy (set auto-asic-offload disable), all increase CPU usage. Watch the event log for the CPU usage statistics entry and then check the mailbox; if the log entry appears but no mail arrives, the problem is in the email-server settings or the stitch binding, not the threshold.

Thank you for reading and please feel free to leave any feedback.

Checklist for Fortigate admin access over SSL-VPN

This is a Checklist for Fortigate admin access over SSL-VPN

1. Trusted hosts

Ensure that the SSL-VPN tunnel address pool (the addresses users receive, SSLVPN_TUNNEL_ADDR1 by default) is covered by a trusted host entry of the admin account. Once any trusthost is set, the Fortigate ignores management connections from every source outside the list, on every admin protocol, so an admin connecting over the SSL-VPN is locked out until the pool is added. The example below allows the whole /24 the default pool lives in; an entry of 0.0.0.0 0.0.0.0 would allow every source and defeats the purpose.

config system admin
    edit "admin" 
        set trusthost5 10.212.134.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set password yourpassword
    next
end

2. Allowaccess on Interface

Ensure that the management services are enabled on the interface you will reach the Fortigate on, with set allowaccess ping https ssh under the interface configuration. Only list what you need; http and telnet are cleartext.

config system interface
    edit "vlan100"
        set vdom "root"
        set ip 10.100.0.254 255.255.255.0
        set allowaccess ping https ssh
        set vlanforward enable
        set device-identification enable
        set role lan
        set snmp-index 12
        set interface "internal5"
        set vlanid 100
    next
end

3. Firewall policy

Ensure you have a firewall policy from the SSL-VPN interface (ssl.root) to the LAN interface you intend to manage the firewall through, allowing the SSL-VPN user group.

config firewall policy
    edit 3
        set name "SSL_VPN_LAN"
        set srcintf "ssl.root"
        set dstintf "vlan100"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSL_VPN"
    next
end

service "ALL" is convenient while testing, but the policy only needs the admin protocols (HTTPS and SSH here), so narrow the service and the destination address once access works.

4. Routing table

Ensure the client has a route to the firewall interface you are managing it through. With split tunnelling enabled on the portal (set split-tunneling enable), only the addresses listed under split-tunneling-routing-address are sent through the SSL-VPN; anything not listed leaves via the user's local internet breakout. In this example 10.100.0.0/24 is the LAN directly connected to the firewall. You could instead list only the firewall's interface address (10.100.0.254/32) if the tunnel should carry nothing but management traffic.

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling-routing-address "10.100.0.0/24"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
end

If using Windows you can check the routing table by running the command route print.

C:\WINDOWS\system32>route print
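Items 1 to 3 of this checklist as an added example (not from the original post): a POSIX shell script that reads the output of show system admin, show system interface and show firewall policy, flattens it into facts with awk, and checks that the SSL-VPN address is inside one of the admin's trusthost entries, that the LAN interface allows https and ssh, and that an accept policy exists from ssl.root to that interface. The config text is constructed from the snippets above; the admin name admin, the pool address 10.212.134.10 and the LAN interface vlan100 are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): verify items 1-3 of the checklist
# against saved "show system admin / show system interface / show firewall policy"
# output. SAMPLE_CONFIG is constructed from the snippets in the checklist.
set -eu

SAMPLE_CONFIG=$(cat <<'EOF'
config system admin
    edit "admin"
        set trusthost5 10.212.134.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
    next
end
config system interface
    edit "vlan100"
        set vdom "root"
        set ip 10.100.0.254 255.255.255.0
        set allowaccess ping https ssh
        set interface "internal5"
        set vlanid 100
    next
end
config firewall policy
    edit 3
        set name "SSL_VPN_LAN"
        set srcintf "ssl.root"
        set dstintf "vlan100"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSL_VPN"
    next
end
EOF
)

# facts < config : one fact per line
#   trusthost <admin> <network> <mask>
#   allowaccess <interface> <protocol>...
#   policy <id> <srcintf> <dstintf> <action>
facts() {
    awk '
    /^config /          { sec = $2 " " $3 }
    /^[ \t]*edit /      { item = $2; gsub(/"/, "", item); src = ""; dst = ""; act = "deny" }
    sec == "system admin" && /^[ \t]*set trusthost[0-9]+ / { print "trusthost", item, $3, $4 }
    sec == "system interface" && /^[ \t]*set allowaccess / {
        s = ""; for (i = 3; i <= NF; i++) s = s " " $i; print "allowaccess", item s }
    sec == "firewall policy" && /^[ \t]*set srcintf / { src = $3; gsub(/"/, "", src) }
    sec == "firewall policy" && /^[ \t]*set dstintf / { dst = $3; gsub(/"/, "", dst) }
    sec == "firewall policy" && /^[ \t]*set action /  { act = $3 }
    sec == "firewall policy" && /^[ \t]*next/ && src != "" { print "policy", item, src, dst, act }
    '
}

ip2int() {    # dotted quad -> integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 1. Is IP inside one of ADMIN's trusthost entries? A 0.0.0.0/0.0.0.0 entry means
#    "anywhere"; it is warned about rather than counted as coverage.
check_trusthost() {    # check_trusthost ADMIN IP < facts
    admin=$1; ip=$(ip2int "$2"); found=1
    while read -r kind who net mask; do
        [ "$kind" = trusthost ] && [ "$who" = "$admin" ] || continue
        if [ "$mask" = 0.0.0.0 ]; then echo "WARN: $admin has an any-source trusthost" >&2; continue; fi
        m=$(ip2int "$mask")
        [ $(( ip & m )) -eq $(( $(ip2int "$net") & m )) ] && found=0
    done
    return $found
}

# 2. Does the interface's allowaccess list contain PROTO?
check_allowaccess() {    # check_allowaccess IFACE PROTO < facts
    while read -r kind iface protos; do
        [ "$kind" = allowaccess ] && [ "$iface" = "$1" ] || continue
        case " $protos " in *" $2 "*) return 0 ;; esac
    done
    return 1
}

# 3. Is there an accept policy SRCINTF -> DSTINTF?
check_policy() {    # check_policy SRCINTF DSTINTF < facts
    while read -r kind id src dst act; do
        [ "$kind" = policy ] && [ "$src" = "$1" ] && [ "$dst" = "$2" ] && [ "$act" = accept ] && return 0
    done
    return 1
}

# checklist_failures CONFIG ADMIN POOL_IP LAN_IFACE [SSLVPN_IFACE] : prints the number of failed items
checklist_failures() {
    f=$(printf '%s\n' "$1" | facts); vpn_if=${5:-ssl.root}; n=0
    if printf '%s\n' "$f" | check_trusthost "$2" "$3"; then echo "1. trusthost covers $3: OK" >&2
    else echo "1. no trusthost of $2 covers $3" >&2; n=$((n + 1)); fi
    for p in https ssh; do
        if printf '%s\n' "$f" | check_allowaccess "$4" "$p"; then echo "2. $4 allows $p: OK" >&2
        else echo "2. $4 does not allow $p" >&2; n=$((n + 1)); fi
    done
    if printf '%s\n' "$f" | check_policy "$vpn_if" "$4"; then echo "3. accept policy $vpn_if -> $4: OK" >&2
    else echo "3. no accept policy $vpn_if -> $4" >&2; n=$((n + 1)); fi
    echo "$n"
}

if [ -z "${CHECKLIST_NO_MAIN:-}" ]; then
    if [ $# -ge 1 ]; then cfg=$(cat "$1"); else cfg=$SAMPLE_CONFIG; fi
    echo "failed items: $(checklist_failures "$cfg" admin 10.212.134.10 vlan100)"
fi
```

Run it with no arguments to check the built-in sample, or pass a file containing the saved show output. It prints one line per item on stderr and the number of failed items on stdout, so anything other than 0 means one of the three items is missing for that admin, address and interface.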

Please let me know what you thought of the guide and if it worked, what issues you ran into or if anything wasn’t clear. Thank you for reading.

How to configure a SSL-VPN with certificate authentication on a Fortigate.

This is a detailed guide on how to configure an SSL VPN with certificate authentication on a Fortigate. We will be using OpenSSL to generate the CA and the certificates.

1. Generate the CA or root certificate (Certificate Authority)

You need a root (CA) certificate to sign the server and client certificates. The CA certificate and the server certificate (with its key) are installed on the Fortigate, and the client certificate is installed as a PKCS#12 bundle on the end user's computer where the Forticlient VPN application runs. Together they form a chain of trust, a small public key infrastructure (PKI): the Fortigate accepts a client certificate only if it was signed by this CA, and the client can verify the server the same way.

1.1 Create the directories to hold the CA certificate.

sudo mkdir /etc/ssl/CA
sudo mkdir /etc/ssl/newcerts

1.2 Create additional CA files

The CA needs a few additional files to operate, one to keep track of the last serial number used by the CA, and another file to record which certificates have been issued:

sudo sh -c "echo '01' > /etc/ssl/CA/serial"
sudo touch /etc/ssl/CA/index.txt

1.3 Edit the config file

These settings tell OpenSSL where the CA files live. They are in the [ CA_default ] section of /etc/ssl/openssl.cnf; with dir set to /etc/ssl, the existing new_certs_dir = $dir/newcerts line resolves to the /etc/ssl/newcerts directory created in 1.1.

sudo nano /etc/ssl/openssl.cnf

[ CA_default ]
dir             = /etc/ssl              # Where everything is kept
database        = $dir/CA/index.txt     # database index file.
certificate     = $dir/certs/cacert.pem # The CA certificate
serial          = $dir/CA/serial        # The current serial number
private_key     = $dir/private/cakey.pem # The private key

1.4 Generate Root Certificate

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

You will be asked for a passphrase to protect the CA key and then for the subject fields. With the default openssl.cnf, openssl ca signs under the policy_match policy, which requires Country (C), State or Province (ST) and Organization (O) to be identical on the CA certificate and on every certificate it signs; OU, CN and email address are free.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Each certificate must also have a different full subject: openssl ca by default (unique_subject = yes) refuses to issue a second certificate with a subject it has already issued. Giving each certificate its own OU (for example CA, Server and Client) is an easy way to achieve this. Steps 2 and 3 cover the Certificate Signing Requests for the server and the client, where you need to keep these rules in mind.

1.5 Install the Root Certificate and Key

sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

2. Generate Server CSR (Certificate Signing Request) and Key

2.1 Generate Server Key

openssl genrsa -des3 -out server.key 2048

The next commands remove the passphrase from the key so that generating the CSR, and later uploading the key to the Fortigate, do not prompt for it. The unencrypted key is what identifies your VPN server, so keep it readable only by root (chmod 600) and delete it from the admin workstation once it is on the Fortigate.

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

2.2 Generate Server CSR

As explained in step 1.4, C, ST and O must be identical to the CA certificate or the signing step will fail with a policy error. Use a different OU (for example Server) and, ideally, the hostname users connect to as the CN, so Forticlient does not warn about a name mismatch.

openssl req -new -key server.key -out server.csr

3. Generate Client CSR (Certificate Signing Request) and key

Repeat step 2 – replacing the word server with client. You should have the following files.

root@dhcp-server:/home/david# ls
client.csr  client.key server.csr  server.key

4. Sign both the Server and Client CSR’s

This creates the server and client certificates. You will be prompted for the CA key passphrase and asked to confirm each signature. The -out option is needed to get a .crt file; without it the certificate is only printed to the terminal (a copy is always written to /etc/ssl/newcerts/<serial>.pem and recorded in /etc/ssl/CA/index.txt).

sudo openssl ca -in server.csr -out server.crt -config /etc/ssl/openssl.cnf
sudo openssl ca -in client.csr -out client.crt -config /etc/ssl/openssl.cnf

You will now have both the .crt files

root@dhcp-server:/home/david# ls
client.crt  client.key  server.crt  server.key

5. Generate the .pfx file or pkcs12 Client certificate

This bundle holds the client key, the client certificate and, via -certfile, the CA certificate, so the client has the full chain. It is what gets installed on the host where Forticlient is installed. You will be asked for an export password, which is needed again when importing on Windows.

openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile /etc/ssl/certs/cacert.pem

You should now have the following files:

root@dhcp-server:/home/david# ls
client.crt  client.key  client.pfx  server.crt  server.key

6. Copy the CA certificate back to your home directory

cp /etc/ssl/certs/cacert.pem /home/david/

You will now have all the files you need for certificate authentication.

root@dhcp-server:/home/david# ls
cacert.pem  client.crt  client.key  client.pfx  server.crt  server.key
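The whole of steps 1 to 6 as one non-interactive script, added here as an example (it is not the author's script): it builds the CA, the server and client certificates and the client .pfx, then verifies the chain and prints the subject string that step 10 needs. It differs from the steps above in two ways: it writes its own small openssl.cnf into the output directory rather than editing /etc/ssl/openssl.cnf, and it signs with openssl x509 -req rather than openssl ca, so it keeps no index.txt database (the serial counter is ca.srl). It also sets the serverAuth and clientAuth extended key usages, which the default usr_cert section does not. The subject values (O = SecNetLinux, OU = CA / Server / Client, CN = vpn.example.com), the output directory and the PFX password (PFX_PASS, default changeme) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 1-6 as one script.
# Private openssl.cnf, "openssl x509 -req" signing, chain verification and
# the subject string for "config user peer". Names and password are assumptions.
set -eu

build_vpn_pki() {   # build_vpn_pki DIR
    dir=$1; org="SecNetLinux"
    mkdir -p "$dir"; cfg="$dir/openssl.cnf"
    # Extensions: CA:TRUE on the root, serverAuth on the VPN cert, clientAuth on the user cert
    cat > "$cfg" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = UK
O = SecNetLinux
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Step 1: self-signed root CA (key written unencrypted, so protect it with permissions)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$cfg" -extensions v3_ca \
        -subj "/C=UK/O=$org/OU=CA/CN=SSL-VPN Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Steps 2 and 3: keys and CSRs. Same C and O on every cert, distinct OU/CN
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -subj "/C=UK/O=$org/OU=Server/CN=vpn.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -subj "/C=UK/O=$org/OU=Client/CN=Client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    # Step 4: sign both CSRs with the CA key, applying the matching extension section
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$cfg" -extensions v3_server -out "$dir/server.crt"
    openssl x509 -req -sha256 -days 825 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$cfg" -extensions v3_client -out "$dir/client.crt"
    # Step 5: PKCS#12 for the user's PC, bundling the CA cert (not the client cert twice)
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
        -certfile "$dir/ca.crt" -passout "pass:${PFX_PASS:-changeme}" -out "$dir/client.pfx"
    chmod 600 "$dir/ca.key" "$dir/server.key" "$dir/client.key" "$dir/client.pfx"
    # Step 6: ca.crt is already in DIR; it is the file imported as the Remote CA
}

verify_chain() {    # verify_chain DIR : succeeds only if both leaf certs chain to ca.crt
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client.crt" >/dev/null
}

peer_subject() {    # peer_subject DIR : subject string to take into "config user peer"
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1/client.crt" | sed 's/^subject= *//'
}

if [ -z "${VPN_PKI_NO_MAIN:-}" ]; then
    out=${1:-$(mktemp -d)}
    build_vpn_pki "$out"
    verify_chain "$out" && echo "chain OK: $out"
    echo "client subject: $(peer_subject "$out")"
fi
```

Run it as sh build_vpn_pki.sh /path/to/out; then upload ca.crt as the Remote CA (step 8), server.crt plus server.key as the local certificate (step 9) and hand client.pfx with its password to the user (step 7). If an older Windows client refuses a .pfx produced by OpenSSL 3, re-export it with that version's -legacy option.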

7. Install the Client certificate on the users computer

Copy client.pfx to the user's computer and double-click it. Using the Windows certificate import wizard, install it into the Personal store; when asked, do not mark the private key as exportable, so the certificate cannot simply be copied off the machine.

8. Import CA Certificate to Fortigate

Import the cacert.pem file to your Fortigate under System / Certificates: click Import, then CA Certificate, choose File and then Upload.

The certificate then appears under Remote CA Certificates, named CA_Cert_1 here, which is the name referenced in step 10.

9. Import Server Certificate to Fortigate

You will need both server.crt and server.key for this. Click Import again, this time Local Certificate, and upload the certificate and key files. Alternatively, generate a PKCS#12 (.pfx) file for the server, as was done for the client, and upload that instead.

The certificate then appears under Local Certificates; the name you give it here (SSLSERVER in step 11) is what the SSL-VPN settings reference.

PLEASE NOTE: The following steps will assume that you have a working SSL VPN configuration and will not go through in detail the workings of a SSL-VPN setup.

10. Configure PKI user

10.1 Specify a username, the CA certificate imported in step 8 (CA_Cert_1 here), and a subject string.

config user peer
    edit "yourusername"
        set ca "CA_Cert_1"
        set subject "C"
    next
end

The subject value is checked against the subject of the certificate the client presents, so it must be a string that appears there (10.2 shows how to read it). The "C" used above (the country field) appears in every certificate this CA issues, so it accepts any of them as this user; to tie the PKI user to one specific certificate, use a field unique to it, such as its CN.

10.2 Obtaining the subject from the certificate

root@dhcp-server:/home/david# openssl x509 -noout -in client.crt -subject
subject=C = UK, ST = Some-State, O = SecNetLinux, OU = Client, CN = Client

Once this has been completed you will see the PKI option on the GUI and can then put the PKI users that you have created into the corresponding SSLVPN groups.

10.3 Add two factor authentication

To require a password in addition to the certificate, enable two-factor on the PKI user (set two-factor enable together with set passwd under config user peer); the user is then asked for the password after the certificate check.

11. Configure the SSL-VPN settings

Set the server certificate uploaded in step 9 (set servercert "SSLSERVER") and enable reqclientcert, which makes the Fortigate demand a client certificate from every SSL-VPN user, not only the PKI users. I have also set the default-portal to web-access although we will be using Forticlient. source-address "all" accepts connections from anywhere; narrow it if your users come from known ranges.

config vpn ssl settings
    set reqclientcert enable
    set servercert "SSLSERVER"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN"
            set portal "full-access"
        next
    end
end

Again, I have not gone into much detail on the SSL-VPN setup itself. You will need to make sure your firewall policies, portal mappings and so on are in place for this to work. This guide assumes you have a working SSL-VPN configuration and that you are adding certificate authentication on top of it.

12. Configure Forticlient

You will see once you have successfully installed the Client certificate as per step 7 it will populate the drop down next to Client Certificate.

13. Troubleshooting Commands on the Fortigate

diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug enable

Start the debugs, attempt the connection from Forticlient, and then turn them off again with diagnose debug disable followed by diagnose debug reset.

Please let me know what you thought of the guide and if it worked, what issues you ran into or if anything wasn’t clear. Thank you for reading.

How to configure route leaking between VRFs Fortigate CLI

This is a detailed guide on how to configure route leaking between VRFs on a Fortigate using the CLI

In this scenario I will be leaking the default route into another VRF.

You will need to configure a BGP neighbor in order for this to work. This can be any BGP neighbor. In this example I have connected another router to the dmz interface and configured BGP so that a neighbor relationship will form over this link.

1. Configure Vdom-mode

You will need to set the Fortigate to multi-VDOM mode so that you can create two inter-VDOM links and put each end in a different VRF. Multi-VDOM mode lets one box host several virtual firewalls; the inter-VDOM links used here stay in the root VDOM, we only need them to get two interfaces on the same subnet in different VRFs. Changing the vdom-mode logs you out and changes the CLI layout (interfaces move under config global), so do it in a maintenance window.

config system global
    set vdom-mode multi-vdom
end

2. Allow overlapping of subnets

By default the Fortigate will not allow you to configure duplicate or overlapping networks in the same VDOM, and the two inter-VDOM links will be on the same subnet. This setting is per VDOM.

config vdom
    edit root
        config system settings
            set allow-subnet-overlap enable
        end
    next
end

3. Configure Inter-Vdom Links

Configure the two inter-VDOM links in the same subnet and put each in its own VRF with set vrf <0-31>. In multi-VDOM mode interfaces are edited under config global. The allowaccess lists below are the lab settings; http and telnet are cleartext and none of the management protocols are needed on a link that only exists to carry leaked routes, so trim allowaccess to what you actually use.

config global
    config system interface
        edit "npu0_vlink0"
            set vdom "root"
            set vrf 1
            set ip 10.200.0.1 255.255.255.0
            set allowaccess ping https ssh snmp http
            set type physical
            set snmp-index 13
        next
        edit "npu0_vlink1"
            set vdom "root"
            set vrf 2
            set ip 10.200.0.2 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
            set type physical
            set snmp-index 14
        next
    end
end

You will need to put your physical or virtual interfaces into their respective VRFs, for example:

config global
    config system interface
        edit "wan1"
            set vdom "root"
            set vrf 1
            set ip x.x.x.x 255.255.255.252
        next
        edit "vlan100"
            set vdom "root"
            set vrf 2
            set ip 10.100.0.254 255.255.255.0
        next
    end
end

You will see that I have put my WAN interface into one of the VRFs. This is because I am going to leak the default route from VRF 1 into VRF 2 so that VLAN 100 has internet access.

4. Configure prefix-list

Configure the prefix-list of the routes that you are wanting to leak. In this case I will be leaking the source subnet 10.100.0.0/24 (so the return route) of VRF 2 and the default route in VRF 1.

config router prefix-list
    edit "1"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
    edit "2"
        config rule
            edit 1
                set prefix 10.100.0.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

5. Configure route-map

The route map is used to identify the subnets used in the VRF Leaking and matched against the prefix-list in the previous step.

config router route-map
 edit "VRF1Routes"
        config rule
            edit 1
                set match-ip-address "1"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
    edit "VRF2Routes"
        config rule
            edit 1
                set match-ip-address "2"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end

6. Configure VRF Leaking

I have included my full BGP configuration. As mentioned at the beginning, the BGP neighbour connects to the dmz interface, which you specify with set update-source "dmz". The VRF leaking only works while at least one BGP neighbour is up. Under config vrf-leak, edit <n> is the origin VRF ID (0-31) and, under its config target, edit <n> is the target VRF ID. The route-map assigned to each target selects which of the origin VRF's routes are leaked, and interface is the inter-VDOM link on the origin side, whose address becomes the next hop seen in the target VRF (compare the routing table in step 7). Make sure each target gets the right route-map: VRF 1's default route goes into VRF 2 with VRF1Routes, and VRF 2's 10.100.0.0/24 goes back into VRF 1 with VRF2Routes so that return traffic has a route.

config router bgp
    set as 65536
    set router-id 1.1.1.1
    config neighbor
        edit "192.168.1.254"
            set remote-as 65535
            set update-source "dmz"
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
        set status enable
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
    config vrf-leak
        edit "2"
            config target
                edit "1"
                    set route-map "VRF2Routes"
                    set interface "npu0_vlink1"
                next
            end
        next
        edit "1"
            config target
                edit "2"
                    set route-map "VRF1Routes"
                    set interface "npu0_vlink0"
                next
            end
        next
    end
end

7. Check the routing table

get router info routing-table all

## lines omitted for brevity ##

Routing table for VRF=1
S*      0.0.0.0/0 [10/0] via 10.50.0.254, wan1
B       10.100.0.0/24 [20/0] via 10.200.0.2, npu0_vlink0, 05:18:07
C       10.200.0.0/24 is directly connected, npu0_vlink0

Routing table for VRF=2
B*      0.0.0.0/0 [20/0] via 10.200.0.1, npu0_vlink1, 05:15:02
C       10.100.0.0/24 is directly connected, vlan100
C       10.200.0.0/24 is directly connected, npu0_vlink1
C       192.168.1.0/24 is directly connected, dmz
B       192.168.2.0/24 [20/0] via 192.168.1.254, dmz, 03:00:13

8. Configure firewall policies

This is an example of the firewall policy setup (shown as a screenshot in the original post). You will need a policy from the physical or VLAN interface to the inter-VDOM link in VRF 2, and then a policy from the other inter-VDOM link to the WAN interface in VRF 1. I have also configured policies for a VIP (virtual IP) so that the server can be reached on its public IP.

9. Test

david@WonderSH:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  _gateway (10.100.0.254)  0.587 ms  0.319 ms  0.326 ms
 2  10.200.0.1 (10.200.0.1)  0.354 ms  0.367 ms  0.351 ms
 3  vodafone.connect (10.50.0.254)  5.202 ms  4.974 ms  4.777 ms

If you feel that there is anything you can add or have a question please feel free to leave a comment below.

How to configure an Automation Stitch (email alert) on a Fortigate using Gmail SMTP.

This is a quick reference on how to configure an Automation Stitch on a Fortigate using Gmail SMTP.

Please note that I configured this on Fortigate Firmware 6.2.7

1. Configure SMTP server on Fortigate.

It is probably easiest to paste the block below into the CLI (with your own details); the same settings are under System / Settings in the GUI. The account you enter here is the Gmail account the Fortigate will send the alert emails from.

config system email-server
    set server "smtp.gmail.com"
    set port 465
    set authenticate enable
    set username "yourgmail@gmail.com"
    set password yourpassword
    set security smtps
end

2. Allow Fortigate access to GMAIL account.

You will need to allow the Fortigate to sign in to the Gmail account with a username and password. When this was written that meant turning on "Less secure app access" in the account's security settings (shown as a screenshot in the original post). Google has since removed that option for personal accounts; the current route is to enable 2-Step Verification on the account and generate an App Password, which you then use as the password in step 1.

3. Configure Automation Stitch

3.1 GUI

3.1.1 Create New

This can be found under Security Fabric / Automation

3.1.2 Select trigger for email

3.1.3 Select Email

Add the email address the alerts should be sent to.

3.2 CLI

Use the SMTP account configured in step 1 as the "email-from" address.

config system automation-action
    edit "Nameofstitch_email"
        set action-type email
        set email-to "youremail@gmail.com"
        set email-from "yourgmail@gmail.com"
        set email-subject "configuration change"
        set email-body "%%log%%"
        set minimum-interval 60
        set delay 0
        set required disable
    next
end

4. Test

Test it by performing whatever the stitch triggers on. A trigger such as an admin logout or a reboot is easy to exercise, so set one of those up first to confirm that mail gets through before relying on a rarer event.

Thank you for reading and please feel free to leave any feedback.

How to configure BGP over IPSEC VPN Fortigate CLI.

This is a quick reference on how to configure BGP over IPSEC VPN Fortigate CLI.

1. Scenario

2. Configure Firewall “BGP1”

2.1 Configure VPN IPSEC phase1-interface

The des-md5 / des-sha1 proposals below are what this lab used and are what the diagnostic output in step 4 shows. DES and MD5 are deprecated, so outside a lab use AES and SHA-2 (for example aes256-sha256) with a modern DH group on both phases.

config vpn ipsec phase1-interface
    edit "BGP_1"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set remote-gw 10.0.0.6
        set psksecret yourpassword
    next
end

2.2 Configure VPN IPSEC phase2-interface

config vpn ipsec phase2-interface

 edit "BGP_1"
        set phase1name "BGP_1"
        set proposal des-md5 des-sha1
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

2.3 Configure firewall policies

Policy names must be unique, so the two directions get different names. These policies allow everything in both directions between the tunnel and port2, which is fine for a lab; in production restrict srcaddr, dstaddr and service.

config firewall policy
    edit 1
        set name "BGP-VPN-in"
        set srcintf "BGP_1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "BGP-VPN-out"
        set srcintf "port2"
        set dstintf "BGP_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

2.4 Edit VPN interface

You will need to configure an IP address on either end of the tunnel including the corresponding remote IP address of the remote device.

config system interface
    edit "BGP_1"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.2 255.255.255.255
        set snmp-index 12
        set interface "port1"
    next
end

2.5 Configure BGP

Use the IP address of the remote end's IPSEC VPN interface (set in step 2.4) as the neighbour address.

config router bgp
    set as 1111
    set router-id 1.1.1.1
    config neighbor
        edit "1.1.1.2"
            set remote-as 1112
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end


3. Configure Firewall BGP2

3.1 Configure VPN IPSEC phase1-interface

config vpn ipsec phase1-interface
edit "BGP_1"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set remote-gw 10.0.0.2
        set psksecret yourpassword                                                                          
    next
end

3.2 Configure VPN IPSEC phase2-interface

config vpn ipsec phase2-interface

 edit "BGP_1"
        set phase1name "BGP_1"
        set proposal des-md5 des-sha1
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

3.3 Configure firewall policies


config firewall policy
    edit 1
        set name "BGP-VPN-in"
        set srcintf "BGP_1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "BGP-VPN-out"
        set srcintf "port2"
        set dstintf "BGP_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

3.4 Edit VPN interface

config system interface
   edit "BGP_1"
        set vdom "root"
        set ip 1.1.1.2 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.1 255.255.255.255
        set snmp-index 12
        set interface "port1"
    next
end

3.5 Configure BGP

config router bgp
    set as 1112
    set router-id 1.1.1.2
    config neighbor
        edit "1.1.1.1"
            set remote-as 1111
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end

4. Diagnosis

4.1 Check the VPN tunnel is up

If the phase 2 tunnel is down there are no SAs (security associations), shown as sa=0. The dec and enc lines also confirm which algorithms were actually negotiated; here esp=des and ah=md5, matching the lab proposal. Note that this output includes the live session keys, so do not paste it into tickets or chats.

BGP2 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=BGP_1 ver=1 serial=1 10.0.0.6:0->10.0.0.2:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=16 ilast=7 olast=7 ad=/0
stat: rxp=287 txp=277 rxb=34664 txb=19048
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=BGP_1 proto=0 sa=1 ref=2 serial=2
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1446 expire=40274/0B replaywin=2048
       seqno=116 esn=0 replaywin_lastseq=00000120 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=e7bd5aa2 esp=des key=8 5fed049f153a3bc1
       ah=md5 key=16 9fb00da00bba3e3ea0a7f456d04b8b84
  enc: spi=11c9c117 esp=des key=8 585db5038f75e4b2
       ah=md5 key=16 5fd1f5e42993cdf31243f2869cdf5bec
  dec:pkts/bytes=287/19656, enc:pkts/bytes=277/33496
run_tally=1

4.2 Check the BGP neighbour is up

BGP2 # get router info bgp summary
BGP router identifier 1.1.1.2, local AS number 1112
BGP table version is 2
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4       1111       9       8        1    0    0 00:06:06        4

Total number of neighbors 1

4.3 Check the BGP routing table


BGP2 # get router info routing-table bgp

Routing table for VRF=0
B       10.0.0.0/30 [20/0] via 1.1.1.1, BGP_1, 00:04:23
B       192.168.1.0/24 [20/0] via 1.1.1.1, BGP_1, 00:04:23

4.4 Ping test from host to host

PC2> ping 192.168.1.1

84 bytes from 192.168.1.1 icmp_seq=1 ttl=62 time=21.280 ms
84 bytes from 192.168.1.1 icmp_seq=2 ttl=62 time=19.798 ms
84 bytes from 192.168.1.1 icmp_seq=3 ttl=62 time=20.844 ms
84 bytes from 192.168.1.1 icmp_seq=4 ttl=62 time=30.281 ms
84 bytes from 192.168.1.1 icmp_seq=5 ttl=62 time=22.197 ms

Thank you for reading and please feel free to leave any feedback.

How to configure OSPF over IPSEC VPN Fortigate CLI.

This is a quick reference on how to configure OSPF over IPSEC VPN Fortigate CLI.

1. Scenario

2. Configure Firewall OSPF1

2.1 Configure VPN IPSEC phase1-interface

The des-md5 / des-sha1 proposals below are what this lab used and are what the diagnostic output in step 4 shows. DES and MD5 are deprecated, so outside a lab use AES and SHA-2 (for example aes256-sha256) with a modern DH group on both phases.

config vpn ipsec phase1-interface
    edit "OSPF_1"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set remote-gw 10.0.0.6
        set psksecret yourpassword
    next
end

2.2 Configure VPN IPSEC phase2-interface

config vpn ipsec phase2-interface

 edit "OSPF_1"
        set phase1name "OSPF_1"
        set proposal des-md5 des-sha1
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

2.3 Configure firewall policies

Policy names must be unique, so the two directions get different names. These policies allow everything in both directions between the tunnel and port2, which is fine for a lab; in production restrict srcaddr, dstaddr and service.

config firewall policy
    edit 1
        set name "OSPF-VPN-in"
        set srcintf "OSPF_1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "OSPF-VPN-out"
        set srcintf "port2"
        set dstintf "OSPF_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

2.4 Edit VPN interface

You will need to add an IP address and remote IP address to the IPSEC VPN interface so that OSPF can send multicast traffic over the IPSEC tunnel.

config system interface
    edit "OSPF_1"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.2 255.255.255.255
        set snmp-index 12
        set interface "port1"
    next
end

2.5 Configure OSPF

Under network configuration ensure that the network subnet covers what you have configured on the IPSEC VPN interface. The network statement is used to tell OSPF which interface/s to send out OSPF information.

config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "VPN_OSPF"
            set interface "OSPF_1"
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 1.1.1.0 255.255.255.252
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

3. Configure Firewall OSPF2

3.1 Configure VPN IPSEC phase1-interface

config vpn ipsec phase1-interface
edit "OSPF_1"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set remote-gw 10.0.0.2
        set psksecret yourpassword                                                                          
    next
end

3.2 Configure VPN IPSEC phase2-interface

config vpn ipsec phase2-interface

 edit "OSPF_1"
        set phase1name "OSPF_1"
        set proposal des-md5 des-sha1
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

3.3 Configure firewall policies


config firewall policy
    edit 1
        set name "OSPF-VPN-in"
        set srcintf "OSPF_1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "OSPF-VPN-out"
        set srcintf "port2"
        set dstintf "OSPF_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

3.4 Edit VPN interface

config system interface
   edit "OSPF_1"
        set vdom "root"
        set ip 1.1.1.2 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.1 255.255.255.255
        set snmp-index 12
        set interface "port1"
    next
end

3.5 Configure OSPF

config router ospf
    set router-id 1.1.1.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "VPN_OSPF"
            set interface "OSPF_1"
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 1.1.1.0 255.255.255.252
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

4. Diagnosis

4.1 Check the VPN tunnel is up

If the phase 2 tunnel is down there are no SAs (security associations), shown as sa=0. The dec and enc lines also confirm which algorithms were actually negotiated; here esp=des and ah=md5, matching the lab proposal. Note that this output includes the live session keys, so do not paste it into tickets or chats.

OSPF2 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=OSPF_1 ver=1 serial=1 10.0.0.6:0->10.0.0.2:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=16 ilast=7 olast=7 ad=/0
stat: rxp=287 txp=277 rxb=34664 txb=19048
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=OSPF_1 proto=0 sa=1 ref=2 serial=2
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1446 expire=40274/0B replaywin=2048
       seqno=116 esn=0 replaywin_lastseq=00000120 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=e7bd5aa2 esp=des key=8 5fed049f153a3bc1
       ah=md5 key=16 9fb00da00bba3e3ea0a7f456d04b8b84
  enc: spi=11c9c117 esp=des key=8 585db5038f75e4b2
       ah=md5 key=16 5fd1f5e42993cdf31243f2869cdf5bec
  dec:pkts/bytes=287/19656, enc:pkts/bytes=277/33496
run_tally=1

4.2 Check the OSPF neighbour

OSPF1 # get router info ospf neighbor

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.2           1   Full/ -         00:00:34    1.1.1.2         OSPF_1

4.3 Check the OSPF routing table

OSPF1 # get router info routing-table ospf

Routing table for VRF=0
O E2    10.0.0.4/30 [110/10] via 1.1.1.2, OSPF_1, 00:47:16
O E2    192.168.2.0/24 [110/10] via 1.1.1.2, OSPF_1, 00:47:16

4.4 Ping test from host to host

PC2> ping 192.168.1.1

84 bytes from 192.168.1.1 icmp_seq=1 ttl=62 time=21.280 ms
84 bytes from 192.168.1.1 icmp_seq=2 ttl=62 time=19.798 ms
84 bytes from 192.168.1.1 icmp_seq=3 ttl=62 time=20.844 ms
84 bytes from 192.168.1.1 icmp_seq=4 ttl=62 time=30.281 ms
84 bytes from 192.168.1.1 icmp_seq=5 ttl=62 time=22.197 ms
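As an added example (not part of the original guide), the following Python parses the two outputs from sections 4.1 and 4.2 and applies the checks described there: phase 2 must show sa>0, and the neighbour on the OSPF_1 interface must be in the Full state. The sample outputs are constructed from the listings above and trimmed.

```python
import re

# Constructed samples, trimmed from the two command outputs shown in sections 4.1 and 4.2.
VPN_TUNNEL_LIST = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=OSPF_1 ver=1 serial=1 10.0.0.6:0->10.0.0.2:0 dst_mtu=1500
proxyid_num=1 child_num=0 refcnt=16 ilast=7 olast=7 ad=/0
proxyid=OSPF_1 proto=0 sa=1 ref=2 serial=2
run_tally=1
"""

OSPF_NEIGHBOR = """\
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.2           1   Full/ -         00:00:34    1.1.1.2         OSPF_1
"""


def phase2_sa_count(diag_output):
    """Map each proxyid (phase 2 selector) in 'diagnose vpn tunnel list' to its SA count.
    sa=0 means that phase 2 is down, as section 4.1 describes."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^proxyid=(\S+)\s.*?\bsa=(\d+)", diag_output, re.M)}


def ospf_neighbors(neighbor_output):
    """Parse 'get router info ospf neighbor' rows into (neighbor_id, state, interface)."""
    row = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\d+\s+(\S+)/\s*\S+\s+\S+\s+\S+\s+(\S+)$")
    return [(m.group(1), m.group(2), m.group(3))
            for m in map(row.match, neighbor_output.splitlines()) if m]


def tunnel_healthy(diag_output, neighbor_output, tunnel="OSPF_1"):
    """True only when phase 2 holds at least one SA and an OSPF neighbour is Full on the
    tunnel interface; whichever condition fails is where troubleshooting should start."""
    has_sa = phase2_sa_count(diag_output).get(tunnel, 0) > 0
    adjacency = any(state == "Full" and iface == tunnel
                    for _, state, iface in ospf_neighbors(neighbor_output))
    return has_sa and adjacency
```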

Thank you for reading and please feel free to leave any feedback.

Getting started with UFW (Uncomplicated Firewall) Ubuntu CLI

This is a quick reference guide about getting started with UFW (Uncomplicated Firewall) Ubuntu CLI

1. Check the status of the firewall

ufw status

root@FTP:~# ufw status
Status: inactive

IMPORTANT! Please see step 2 before enabling the firewall

root@FTP:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)

ufw status verbose gives more information about the firewall status, including the logging level and the default incoming, outgoing and routed policies.

root@FTP:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)


2. Enabling ufw

2.1 CAUTION! Before enabling your firewall make sure that you have added a policy to allow SSH.

root@FTP:/etc/ufw# ufw  allow ssh
Rules updated
Rules updated (v6)

You can check this has been added in the following file: /etc/ufw/user.rules

nano /etc/ufw/user.rules

### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

2.2 ufw enable

ufw enable
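Added example (not from the original guide): a Python pre-flight check for step 2.1. While ufw is inactive, ufw status lists no rules, so the check reads the "### tuple ###" lines ufw writes to /etc/ufw/user.rules before enabling, and parses the status table afterwards. The sample inputs are constructed from the listings in this guide.

```python
import re

# Constructed samples: a user.rules fragment as in step 2.1 and a 'ufw status' table as in step 1.
USER_RULES = """\
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
"""
STATUS_ACTIVE = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
"""

TUPLE = re.compile(r"^### tuple ### (\w+) (\w+) (\S+) (\S+) (\S+) (\S+) (in|out)")
STATUS_ROW = re.compile(
    r"^(\S+(?: \(v6\))?)\s{2,}(ALLOW|DENY|REJECT|LIMIT)(?: (?:IN|OUT))?\s{2,}(.+)$")


def ssh_rule_staged(user_rules_text, port="22"):
    """Pre-enable check (step 2.1): while ufw is inactive 'ufw status' shows no rules, so
    read the '### tuple ###' lines ufw writes to /etc/ufw/user.rules instead."""
    for line in user_rules_text.splitlines():
        m = TUPLE.match(line)
        if not m:
            continue
        action, proto, dport, _, _, _, direction = m.groups()
        if (action in ("allow", "limit") and proto in ("tcp", "any")
                and dport in (port, "any") and direction == "in"):
            return True
    return False


def parse_ufw_status(status_output):
    """Post-enable check: parse the To / Action / From table into (to, action, from) tuples.
    The optional IN/OUT suffix means the same code handles 'ufw status verbose'."""
    return [(m.group(1), m.group(2), m.group(3).strip())
            for m in map(STATUS_ROW.match, status_output.splitlines()) if m]


def ssh_allowed(status_output, port="22"):
    """True when an ALLOW or LIMIT rule covers SSH, whether added as 'ufw allow ssh'
    (shown as 22/tcp), as a bare port number, or as a blanket 'Anywhere' rule from a source."""
    return any(to.split(" ")[0] in (port, f"{port}/tcp", "Anywhere") and act in ("ALLOW", "LIMIT")
               for to, act, _ in parse_ufw_status(status_output))
```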

3. Adding ufw rules

3.1 Basic ufw rule examples

The rules below allow traffic from any source to a specific service or port on the local server; service names such as http and sftp are resolved through /etc/services, which is why the status table shows port numbers.

root@FTP:~# ufw allow http
Rule added
Rule added (v6)
root@FTP:~# ufw allow https
Rule added
Rule added (v6)
root@FTP:~# ufw allow ftp
Rule added
Rule added (v6)
root@FTP:~# ufw allow tftp
Rule added
Rule added (v6)
root@FTP:~# ufw allow snmp
Rule added
Rule added (v6)
root@FTP:~# ufw allow sftp
Rule added
Rule added (v6)
root@FTP:~# ufw allow smtp
Rule added
Rule added (v6)
root@FTP:~# ufw allow 3389
Rule added
Rule added (v6)

3.2 Check ufw rules

root@FTP:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
69/udp                     ALLOW       Anywhere
161                        ALLOW       Anywhere
115/tcp                    ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
3389                       ALLOW       Anywhere

3.3 Source and destination specific ufw rules

root@FTP:~# ufw allow from 10.0.125.0/24 to any
Rule added
root@FTP:~# ufw allow from 10.0.130.0/24 to any  port sftp
Rule added
root@FTP:~# ufw status
Anywhere                   ALLOW       10.0.125.0/24
115/tcp                    ALLOW       10.0.130.0/24

4. Delete ufw rules

root@FTP:~# ufw delete allow https
Rule deleted
Rule deleted (v6)
root@FTP:~#

Thank you for reading and please feel free to leave any feedback.

How to port forward IPv4 traffic using ufw on Ubuntu CLI

This is a detailed guide on how to port forward IP traffic on Ubuntu CLI.

Warning: Please make sure that you have access to the device you are working on as making changes to the ufw could potentially lock you out of your machine if working remotely.

Please note this guide also covers Masquerading private IP traffic outbound.

1. nano /etc/default/ufw

Enable packet forwarding by editing DEFAULT_FORWARD_POLICY="ACCEPT"

root@test:~# nano /etc/default/ufw
# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"

2. nano /etc/ufw/sysctl.conf

Uncomment net/ipv4/ip_forward=1 (remove the # symbol)

# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
#net/ipv6/conf/default/forwarding=1
#net/ipv6/conf/all/forwarding=1

3. nano /etc/ufw/before.rules

Add the following to /etc/ufw/before.rules.

This block needs to go at the top of the file, before the *filter section (the full file is reproduced below for reference).

Make sure you specify the source subnet you want to NAT and the outbound interface on which your public IP address is configured. In the example below the source subnet is 10.0.125.0/24 and the outbound interface is eth1.

The port forward part of this guide is the following addition to the file:

-A PREROUTING -i eth1 -d 91.203.x.x -p tcp --dport 2200 -j DNAT --to-destination 10.0.125.10:22

This line forwards connections arriving at the public address and port 91.203.x.x:2200 to the private address and port 10.0.125.10:22.

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Masquerade 10.0.125.0/24 as it leaves via eth1 (the interface holding the public IP).
-A POSTROUTING -s 10.0.125.0/24 -o eth1 -j MASQUERADE
-A PREROUTING -i eth1 -d 91.203.x.x  -p tcp --dport 2200 -j  DNAT --to-destination 10.0.125.10:22
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
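Added example, not part of the original guide: Python that renders the nat block above from validated parameters and reads the DNAT packet counter from the iptables -t nat -L -v output used in step 5. The public address 203.0.113.5 stands in for 91.203.x.x, and the sample listing is constructed.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of 'iptables -t nat -L -v' output in the layout shown in step 5.
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 196 packets, 10492 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    52 DNAT       tcp  --  eth1   any     anywhere             203.0.113.5          tcp dpt:2200 to:10.0.125.10:22
"""


def nat_rules(src_subnet, public_iface, public_ip, ext_port, int_host, int_port, proto="tcp"):
    """Render the *nat block from step 3 for the given values, validating each one first so a
    typo cannot produce a line iptables-restore rejects or a forward to the wrong host."""
    net = ipaddress.ip_network(src_subnet, strict=True)
    pub, dst = ipaddress.ip_address(public_ip), ipaddress.ip_address(int_host)
    if not any(net.subnet_of(r) for r in RFC1918):
        raise ValueError(f"{net} is not an RFC 1918 range; MASQUERADE is meant for private sources")
    if not any(dst in r for r in RFC1918):
        raise ValueError(f"DNAT target {dst} should be a private address behind this host")
    if proto not in ("tcp", "udp") or not all(1 <= p <= 65535 for p in (ext_port, int_port)):
        raise ValueError("protocol must be tcp/udp and ports must be 1-65535")
    return "\n".join([
        "# nat Table rules",
        "*nat",
        ":POSTROUTING ACCEPT [0:0]",
        "",
        f"# Masquerade {net} as it leaves via {public_iface}, the interface holding {pub}.",
        f"-A POSTROUTING -s {net} -o {public_iface} -j MASQUERADE",
        f"# Port forward {pub}:{ext_port}/{proto} to {dst}:{int_port}.",
        f"-A PREROUTING -i {public_iface} -d {pub} -p {proto} --dport {ext_port} "
        f"-j DNAT --to-destination {dst}:{int_port}",
        "# don't delete the 'COMMIT' line or these nat table rules won't be processed",
        "COMMIT",
        "",
    ])


def dnat_hits(nat_listing, in_iface="eth1"):
    """Step 5 check: sum the packet counters of DNAT rules on in_iface from 'iptables -t nat -L -v';
    a counter that stays at 0 after a connection attempt means the rule never matched."""
    total = 0
    for line in nat_listing.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[2] == "DNAT" and cols[5] == in_iface:
            total += int(cols[0])
    return total
```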

IMPORTANT: I have added the whole file as a reference below, so you can see the positioning of the lines.

Example:

root@test:~# cat /etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Masquerade 10.0.125.0/24 as it leaves via eth1 (the interface holding the public IP).
-A POSTROUTING -s 10.0.125.0/24 -o eth1 -j MASQUERADE
-A PREROUTING -i eth1 -d 91.203.x.x  -p tcp --dport 2200 -j  DNAT --to-destination 10.0.125.10:22
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

4. ufw disable && ufw enable

root@test:~# ufw disable && ufw enable
Firewall stopped and disabled on system startup
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
root@test:~#

5. Check that the configuration is correct

You can check the nat table that ufw loaded using "iptables -t nat -L -v".

Check for DNAT (destination NAT)

root@test:~# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 196 packets, 10492 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    52 DNAT       tcp  --  eth1   any     anywhere             91-203-x-x

7. Troubleshoot using tcpdump

Make sure traffic is traversing the Ubuntu device where you have configured the Port Forward.

root@test:~# tcpdump -i eth1 -c 200 port 2200
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes

If you are new to the world of Linux, an avid Linux enthusiast or a student why not try our 0.99p per month Linux VPS.

Simply click on the screen shot below to find out more or navigate to https://piggybank.cloud

Thank you for reading and please feel free to leave any feedback.

How to secure your FTP server using FTPS and VSFTPD on Linux CLI

This is a detailed guide on how to secure your FTP server using FTPS and VSFTPD on Linux Based Operating Systems.

1. Generate your certificate

1.1 Generate private RSA key

The -aes256 option encrypts the private key on disk with AES-256; you can choose a different cipher, for example -aes128. The private key is used to generate the certificate.

openssl genrsa -aes256 -out SSL.key

1.2 Generate Certificate Signing Request or CSR

openssl req -new -key SSL.key -out certificate.csr

IMPORTANT: At this point you may want to send the CSR to a Certificate Authority who will create a certificate for you. If this is the case you can skip the rest of step 1 and move to step 2.

1.3 Remove the private key password from the private key

cp SSL.key SSL.key.orig
openssl rsa -in SSL.key.orig -out ssl.key

Note the difference between the two files below, and that they are named differently: SSL.key is the passphrase-protected original and ssl.key is the unencrypted copy (which we use in the final step to create the certificate). VSFTPD has no way to supply the passphrase when it loads the key, so the passphrase has to be removed.

root@GNS3-Server:~# cat SSL.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,E35C0C8969A325B4AF35E737933BD2B6

root@GNS3-Server:~# cat ssl.key
-----BEGIN RSA PRIVATE KEY-----

1.4 Generate Certificate

openssl x509 -req -days 365 -in certificate.csr -signkey ssl.key -out mycertificate.crt

1.5 Copy the private key file and certificate to /etc/pki/tls/certs/

You may need to create the /etc/pki/tls/certs directory first.

cp ssl.key /etc/pki/tls/certs/
cp mycertificate.crt /etc/pki/tls/certs

2. Configure VSFTP to use your certificate

2.1 Edit /etc/vsftpd.conf

nano /etc/vsftpd.conf

I have added the full file as an example.

root@GNS3-Server:~# cat /etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
nopriv_user=vsftpd
virtual_use_local_privs=YES
guest_enable=YES
user_sub_token=$USER
local_root=/var/www/$USER
chroot_local_user=YES
hide_ids=YES
guest_username=vsftpd
ssl_enable=YES
allow_anon_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/mycertificate.crt
rsa_private_key_file=/etc/pki/tls/certs/ssl.key
ssl_ciphers=HIGH
require_ssl_reuse=NO

2.2 Restart VSFTPD

service vsftpd restart
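Added example, not part of the original guide: a Python check tying step 1.3 to step 2.1. It parses vsftpd.conf, detects a private key that still carries the passphrase header shown above, and reports settings that would stop FTPS from loading. The sample key and config fragments are constructed from the listings in this guide.

```python
# Constructed sample inputs. The key headers mirror the 'cat SSL.key' / 'cat ssl.key' output
# in step 1.3; the config is the TLS-relevant subset of the vsftpd.conf shown in step 2.1.
ENCRYPTED_KEY = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,E35C0C8969A325B4AF35E737933BD2B6
(base64 body omitted)
-----END RSA PRIVATE KEY-----
"""
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\n(base64 body omitted)\n-----END RSA PRIVATE KEY-----\n"
VSFTPD_CONF = """\
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/mycertificate.crt
rsa_private_key_file=/etc/pki/tls/certs/ssl.key
"""

def parse_vsftpd_conf(text):
    """vsftpd.conf is one option=value per line; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def key_is_encrypted(pem_text):
    """vsftpd cannot prompt for a passphrase, so a key still carrying the
    'Proc-Type: 4,ENCRYPTED' header (or a PKCS#8 ENCRYPTED block) will not load."""
    return "Proc-Type: 4,ENCRYPTED" in pem_text or "BEGIN ENCRYPTED PRIVATE KEY" in pem_text

def ftps_findings(conf_text, key_pem):
    """List what would stop FTPS working as configured in step 2; an empty list means it matches."""
    conf, problems = parse_vsftpd_conf(conf_text), []
    if conf.get("ssl_enable") != "YES":
        problems.append("ssl_enable is not YES")
    for legacy in ("ssl_sslv2", "ssl_sslv3"):
        if conf.get(legacy, "NO") != "NO":
            problems.append(f"{legacy} must be NO")
    for opt in ("rsa_cert_file", "rsa_private_key_file"):
        if not conf.get(opt):
            problems.append(f"{opt} is not set")
    if key_is_encrypted(key_pem):
        problems.append("private key still has a passphrase; rerun 'openssl rsa' to strip it")
    return problems
```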

3. Test

If the certificate is not signed by a certificate authority, your FTP client will report a certificate error (an untrusted, self-signed certificate) when it connects; this is expected with the certificate generated in step 1.

Thank you for reading and please feel free to leave any feedback.