Connecting the world…

fortigate

FortiGate – OnDemand Token Timeout

Today’s customer is having a problem with OnDemand tokens on a FortiGate firewall. The FortiGate firewall uses RADIUS authentication for SSL VPN user authentication. FortiAuthenticator is used as RADIUS server. To strengthen the security levels, FortiAuthenticator is configured to demand two-factor authentication (2FA) for successful authentication. FortiAuthenticator has multiple options to demand 2FA from a user, like hardware FortiTokens, FortiToken Mobile or mail or SMS services.

Problem with the latter two could be timeouts. By default, FortiAuthenticator expects the token code after 60 seconds. This value is customizable.

However, only changing the timeout in FortiAuthenticator isn’t enough, because FortiGate has its own timeout value too. So you need to change this value if you would like to increase the time between entering username/password and token code. The timers are configurable via the CLI in “system global”

two-factor-email-expiry: Email-based two-factor authentication session timeout (30 – 300 seconds (5 minutes), default = 60).
two-factor-fac-expiry: FortiAuthenticator token authentication session timeout (10 – 3600 seconds (1 hour), default = 60).
two-factor-ftk-expiry: FortiToken authentication session timeout (60 – 600 sec (10 minutes), default = 60).
two-factor-ftm-expiry: FortiToken Mobile session timeout (1 – 168 hours (7 days), default = 72).
two-factor-sms-expiry: SMS-based two-factor authentication session timeout (30 – 300 sec, default = 60).

In this particular case, I changed the two-factor-fac-expiry setting to match the setting on FortiAuthenticator.

FortiGate – backup via auto-script

One of the features I would like to see in a FortiGate is the ability to automatically create backups and copy them to offline storage. Of course, this can be accomplished by adding FortiManager to the solution, but why would I need FortiManager if I only have one FortiGate (cluster). Another option would be using scripts, like Python or PowerShell, with scheduled tasks on servers to pull a backup from the FortiGate firewalls.

A very basic option would be the usage of system auto-script in FortiOS 5.4 and higher. Use this command to create CLI command scripts that can be saved and run. This gives you the possibility to auto-script the execute backup full-config commando. A disadvantage of this command is that you only have the option to use (T)FTP. There is no option to use a secure protocol like SFTP.

An example of an auto-script:


The example executes the backup command and sends the backup via TFTP to the TFTP server. The script runs every 24 hours (86400 seconds). It repeats infinite and starts automatically.

The script can also be configured via the GUI (Global >> System >> Advanced >> Configuration Scripts). More information about the feature can be found here.

FortiGate – IPSec with dynamic IP

Site-to-site VPN connections are a common way to connect a branch office to the corporate network. In the Netherlands it is still common to have a internet connection at a branch office with a dynamic IP address. The usage of dynamic IP address is not ideal when configuring a site-to-site VPN connection, because the configuration almost always relies on static IP addresses.

I recently configured an IPSec VPN between two FortiGate appliances and the branch appliance is using a dynamic IP address. I used Fortinet’s DDNS feature to configure the VPN.

To configure the branch FortiGate for DDNS, I had to configure the WAN interface to retrieve its IP address via DHCP. Next I configured DDNS.

config system ddns
edit 1
set ddns-server FortiGuardDDNS
set ddns-domain “branche01-booches.fortiddns.com”
set monitor-interface “wan1”
next
end

This can also be done in the GUI.

FortiDDNS

The VPN configuration on the hub firewall for dynamic DNS support is the same as the configuration of a regular VPN connection. The only difference is the configuration of the peer IP address. Instead of a static IP, you configure the DDNS FQDN.

config vpn ipsec phase1-interface
edit “vpn_p1_branche01”
set type ddns
set interface “wan1”
set proposal 3des-sha1
set dhgrp 2
set remotegw-ddns “branche01-booches.fortiddns.com”
set psksecret P$k-VPN!
next
end

And as you can image, this can also be done via the GUI.

FortiDDNS IPSec - HQ

Check the status of the VPN connection via the regular methods like cli (get vpn ike gateway or get vpn ipsec tunnel name <tunnel-name>) or via the GUI.

FortiGate – Outbound OSPF filtering

Just a quick post on filtering outbound OSPF advertisements. I had some struggle with this config today.

config router prefix-list
  edit “filter-outbound”
  config rule
    edit 1
      set prefix 10.10.0.0 255.255.0.0
      unset ge
      unset le
    next
    edit 2
      set prefix 10.20.0.0 255.255.0.0
      unset ge
      unset le
    next
    edit 3
      set action deny
      set prefix any
      unset ge
      unset le
    next
  end
 next
end
!
config router ospf
 set router-id 1.1.1.10
  config area
    edit 1.1.1.1
      config filter-list
        edit 1
          set list “filter-outbound”
          set direction out
        next
end

Like a said: a quick-and-dirty  note

FortiGate – debug flow

You can use the diagnose debug flow commands to do a policy simulation. An example of the output:

fw01 (root) # diagnose debug enable

fw01 (root) # diagnose debug flow show console enable
show trace messages on console

fw01 (root) # diagnose debug flow filter addr 10.10.1.25

fw01 (root) # diagnose debug flow trace start 5

You can stop the trace with the following commands:

fw01 (root) # diagnose debug flow trace stop

fw01 (root) # diagnose debug flow show console disable
do not show trace messages on console

fw01 (root) # diagnose debug disable