Tag Archives: Fortigate AS Path

Fortigate – Simple device hardening

As always docs.fortinet.com has the best information.

Firewalls almost always interface with the internet, and most of the time we enable remote access from the internet to make our lives easier when troubleshooting an issue, and maybe not being behind the firewall at the time. The best why to secure the device is just not enable access from insecure locations, but some times we have to enable it.

There are a few simple things we can do to help elevate vulnerable spots when allowing access from the internet.

  • Enable a password policy
  • Modify lockout policy/duration if needed
  • Allow admin access from only Trusted hosts
  • Modify default access TCP ports
  • Create a new admin account named something different, and then delete the default admin account.
  • Make sure a log in banner is active – Certain cyber laws need explicit notification that the user attempting login should have authorization.
  • Use dual factor authentication to gain admin access to the device.
  • Logging , always logging!

This blog is written with both 5.2 and 5.4 firmwares.

Enabling a password policy

This is great to do if you have multiple accounts on the device. This way a user cannot change their super complex password to something with 3-4 letters. A password policy enforces certain specifics to the password. For example you can set the character requirements as well as password reuse/expiration. Check out the below images for 5.2 and 5.4. Notice you can enable this for VPN accounts and admin accounts.

5.4

password-po

5.2

password-pol-5-2

Login failure lockout duration and Threshold

When you mistype your password 3 times by default you are locked out of the firewall for 5 minutes (All docs say 60 seconds though). This is a great defense against applications that attempts to brute for the firewall user/pass. Increasing the time the user is locked out can be a good idea to keep the bad guys from knocking, but could also really put a damper in your day if you lock yourself out for X amount of time.

But the commands to lower or increase it are the same in both firmware’s:

config sys global

set admin-lockout-duration X (seconds)

end

To increase the threshold (how many incorrect login attempts you can have)

config sys global

set admin-lockout-threshold (1-10 attempts)

end

Only allow logins from Trusted hosts

Why allow logins from anywhere on the internet, when you know if you logged in it would come from only a few sources.

5.4

Under the administrators options, you can select the trusted hosts (IP networks) that can login with the Mirazon account in this case. You could also modify the default admin account.

trusted-5-4

 5.2

truested-5-2

Change default port numbers used for logins

I was in a debate one time about the security of changing default port numbers, and a friend said “Changing your login port numbers is as secure as hiding your keys under the front door mat.” He was most certainly correct, but security by obscurity is better than nothing. By changing the default port numbers from 443,80 some bots that try to log in will not find the open login due to different ports that are not in its scanning script.

In the following examples I am changing the default port of 443 to 8081.

5.4

ports-5-4

5.2

ports-5-2

Summary

In summary there are tons of things to do to increase device security. One of the most important, if you don’t need to allow remote logins to the device, why even enable it? Disable the login options under the interface. I believe the best practice is to have an out of band management PC that might connect directly into the MGMT port. To access the FW you have to access this machine.

Changing Port numbers and implementing the other options are great ways to help reduce login failure attempts, or unauthorized access. Another great option, not explained here is using dual factor authentication. By default you get two licenses for two factor – why not use it for admin access!

The importance of logging is one thing that cannot be underestimated. When logging is enabled you know exactly what happened – if someone tried to log in, from where, what username, and if they failed or were successful.

These were just a few of the many ways to increase device security.

Link to login banner blog: https://www.mirazon.com/how-to-implement-a-fortigate-login-banner/

Fortinet AS Path filtering with Regular Expressions

Recently I had a project where 1 Fortigate had two MPLS networks connected for redundant connections. These two MPLS networks were from different providers. I had a few problems where networks from other peers were transiting through my device to be advertised out to these links. I did not want this to happen. There are many ways to do this exact thing, but what I did was use an AS path filter with regular expressions to find anything passing through my remote peers and block them going out on the opposite peer. The image below will sum up what I just wrote a little better:

Path-filtering

So as with almost all BGP commands on Fortinet – they have to be done through CLI. The following are the commands needed to create the AS-Path list, Create the Route map, then apply the route map to our neighbor. We are using regular expressions to map grab our AS path, you might say what the heck is a regular expression? Here is a link that explains how to put an expression together http://blog.ine.com/2008/01/06/understanding-bgp-regular-expressions/ . If you notice what I am doing “_65000_” This basically says that if 65000 is in the AS Path block it. the _ is a space so my expression reads – Anything before 65000 or after 65000 gets blocked. For example, if you wanted to block routes that originate from 65000 you could do “_65000” or “_65000$” The dollar sign means that is the end of the string, so nothing else beyond that.

config router aspath-list
edit Match-L3
config rule
edit 10
set action deny
set regexp _65000_
end
next

edit Match-WS
config rule
edit 10
set action deny
set regexp _65400_
end
end

config router route-map
edit Block-WS
config rule
edit 10
set match-as-path Match-WS
next
edit 11 — Note- There is a deny all on the Routemap, this rule 11 basically says permit anything else
end
next

edit Block-L3
config rule
edit 10
set match-as-path Match-L3
next — Note- There is a deny all on the Routemap, this rule 11 basically says permit anything else
edit 11
end
end

config neighbor
edit “2.2.2.1”
set capability-default-originate enable
set remote-as 65400
set route-map-out “Block-L3”
set send-community6 disable
next

edit “1.1.1.1”
set remote-as 65000
set route-map-out “Block-WS”
set send-community6 disable
next
end

Now we have to flush those routes, we can do this with the command:

exe router clear bgp ip 1.1.1.1 soft out
exe router clear bgp ip 2.2.2.1 soft out

After you clear you should see a good drop in routes being advertised to those neighbors.

get router infor  bgp neigh 1.1.1.1 advertised-routes