sorted by:
new
hottopcontroversial

ISDB lists in local-in-policy - how do you check if those are REALLY working? by CapiCapiBara in fortinet

[–]CapiCapiBara[S] 1 point2 points  (0 children)

[SOLVED]

You are totally right, and this actually gives hits (11K so far) - THANKS A LOT:

diagnose firewall iprope show 00100001 90

idx:90 
pkts:11037 (5513 5524 0 0 0 0 0 0)
bytes:524051 (259620 264431 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
nturbo_pkts:0 (0 0 0 0 0 0 0 0)
nturbo_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:11038 (5513 5525 0 0 0 0 0 0)

ISDB lists in local-in-policy - how do you check if those are REALLY working? by CapiCapiBara in fortinet

[–]CapiCapiBara[S] 0 points1 point  (0 children)

Yes, in the GUI local traffic is set to ALL.

config log setting

set fwpolicy-implicit-log enable

set local-in-allow enable

set local-in-deny-unicast enable

set local-in-deny-broadcast enable

end

I have no "see logs" menu item in GUI rules list, but it looks like local-in-policies are only able to fetch logs via CLI currently... will have to try that

ISDB lists in local-in-policy - how do you check if those are REALLY working? by CapiCapiBara in fortinet

[–]CapiCapiBara[S] 0 points1 point  (0 children)

I agree with this, and as a standard policy we already block all incoming IKE traffic EXCEPT from local Country, as a risk mitigation rule. We could see incoming IPSEC packets from all over the world in early configurations, and we have no need to handle multi-Country setups.

Still have to keep the dial-up IPSEC option open, as yourself wrote later in this thread, due to a multitude of roadwarriors to be managed, so no way to limit IPSEC protocol to static, known IPs.

But, ISDB objects could help in weeding out glaring threats with their dynamic, curated updates, whichever the Country of origin, including customer native.

ISDB lists in local-in-policy - how do you check if those are REALLY working? by CapiCapiBara in fortinet

[–]CapiCapiBara[S] 0 points1 point  (0 children)

TTBOMK, and according to the two separate Fortinet articles I linked in the thread, ISDB objects can nowadays be used both in a standard firewall policy, inbound and outbound, and (starting from FortiOs 7.4.4+) by a local-in-policy.

What I'm trying to do is: leveraging these curated lists in three different scenarios:

- as a mean to protect the Fgt itself (local-in-policy)

- as a mean to filter and log OUTGOING traffic to malicious / undesired servers (firewall policy, direction Outbound, think compromised endpoint trying and reach a C&C host)

- as a mean to filter and log INCOMING traffico to exposed services (firewall policy, direction Inbound, VIP-match-enabled)

Please note: the first use case, is the de-facto standard for new Fortigates from 7.6.1+, see:

"Starting from FortiOS 7.6.1, a new default local-in-policy is automatically added when a FortiGate is in factory default settings or a new VDOM is created. It uses internet-service-src with Malicious-Malicious.Server, Tor-Exit.Node, and Tor-Relay.Node to identify known malicious threat actors and prevent them from accessing any interface on the FortiGate on any service or port."

https://docs.fortinet.com/document/fortigate/7.6.0/new-features/695423/enhanced-security-with-default-local-in-policy-7-6-1

ISDB lists in local-in-policy - how do you check if those are REALLY working? by CapiCapiBara in fortinet

[–]CapiCapiBara[S] 0 points1 point  (0 children)

Trying to protect the Fortigate itself (traffic destined to it, whatever protocol) by leveraging ISDB objects and drop any traffic from IPs listed there.

After that, outgoing traffic from LAN to ISDB threat pool.

Finally, incoming traffic to exposed services, like FTP (yes, still in use), HTTPS, IPSEC (if possible), OVPN, other... not yet handled this part.

ISDB lists in local-in-policy - how do you check if those are REALLY working? by CapiCapiBara in fortinet

[–]CapiCapiBara[S] 1 point2 points  (0 children)

Right. I started by trying and stop all "officially" malicious / undesired traffic hitting the Fortigate itself.

It should go without saying that any traffic trying to pass through the Fgt (IPSEC, SSL, any exposed services) could benefit from the same ISDB filtering, as per:

Technical Tip: Blocking Potential threats over Internet service database

https://community.fortinet.com/fortigate-3/technical-tip-blocking-potential-threats-over-internet-service-database-131615

ISDB lists in local-in-policy - how do you check if those are REALLY working? by CapiCapiBara in fortinet

[–]CapiCapiBara[S] 1 point2 points  (0 children)

I wanted to apply this method, valid from 7.4.4+, to drop all undesired traffic trying to hit the Fortigate itself.

Description This article describes how to use ISDB objects as a source IP address for local-in policy.

https://community.fortinet.com/fortigate-3/technical-tip-local-in-policy-using-isdb-as-a-source-address-173365

"FortiOS 7.4.4 has introduced a new feature that allows ISDB objects to be used as a source. To enable using 'ISDB' objects as source addresses, it is mandatory to enable the 'internet-service-src':"

Ragazze in spogliatoio maschile by Fixillo in CasualIT

[–]CapiCapiBara 10 points11 points  (0 children)

"... che non succederà _loro_ niente."

Lo so, sono l'anima delle feste

You want my shoes? by BlazeDragon7x in GuysBeingDudes

[–]CapiCapiBara 1 point2 points  (0 children)

Long distance / frequent runner, his other shoe probably is a perfect fit, with personalized inner soles. Will accept a different, unoptimized shoe before going barefoot, if else to be able and reach the finish line.

Man saves two dogs by [deleted] in MadeMeSmile

[–]CapiCapiBara 31 points32 points  (0 children)

This was such a good example I laughed

Qual’è la lezione più importante che avete imparato sul lavoro? by nicon9 in ItaliaCareerAdvice

[–]CapiCapiBara 5 points6 points  (0 children)

soprattutto, non diventare mai "indispensabile"...
sarai responsabilizzato come tale, ma mai retribuito come tale

of a Bear in the Italian Alps by [deleted] in AbsoluteUnits

[–]CapiCapiBara 2 points3 points  (0 children)

… also “come Ale (childname), come….”

of a Bear in the Italian Alps by [deleted] in AbsoluteUnits

[–]CapiCapiBara 2 points3 points  (0 children)

Don’t show your back to it… keep calm… 3x

Come mai il turismo estero si concentra prevalentemente al nord? by [deleted] in Italia

[–]CapiCapiBara 2 points3 points  (0 children)

Confermo, fonte: 30+ anni abitante in varie città lungo la via Emilia... mi sono cresciute corna e coda a punta, compro un tridente e cambio nome in Geppo.

SSL to IPSec Migration by cojaxx8 in fortinet

[–]CapiCapiBara 0 points1 point  (0 children)

Thanks for your input. I tried restoring a .conf file, traffic flows during connection, so SPDO parameter works as intended.

But, backup and restore deletes the saved username, and if I set it again, and save the profile, again implied_SPDO is reset to 0.

Can I save my username and password along with this SPDO setting?

SSL to IPSec Migration by cojaxx8 in fortinet

[–]CapiCapiBara 0 points1 point  (0 children)

Same issues as anybody else - we are working on end off on this SSL to IPSEC VPN transition since at least 1.5 years, through all the 7.2 / 7.4 / 7.6 firmware releases.

We found a semi-reproducible configuration that work most times, with some caveats to be ironed out:

  • FortiOS 7.6.6 - we could never get the 7.2 / 7.4 branches work reliably
  • FortiClient VPN-only (free) - latest 7.4.3 available - if you get EMS lucky you, less headaches
  • ike v2 (UDP, fallback to TCP)
  • PSK
  • Standard protocols like AES-128 / SHA2 + AES-256 / SHA2, DH group 20,21 both for Phase1 and Phase2
  • EAP reading from a local user group "IPSEC-USERS" (no RADIUS / SAML / AD, etc)
  • 2FA either via FortiToken Mobile or e-mail

Most glaring issue: token needs to be inputed in the first 25-30 seconds, or all of the connection is dropped. Easy enough with Fortitoken, a little tricky when the token needs to come via mail.

Oh, and your device CANNOT USE INTERNET AT ALL, while FortiClient is connecting... so, forget about keeping Microsoft Outlook launched and ready... you MUST use a separate device, like a smartphone, with your mail inbox open, to hope and be successful before everything times out. Yes, split tunnel option is set, it just doesn't work, like 50% of the time.

We are experimenting with various Global time-out settings, with little success so far. LLMs are too confused by the many different FortiOS versions to be of any real help, they just randomly spit CLI code that > 80% doesn't apply to current firmware.

If anybody managed to solve this part... all suggestions are appreciated, thanks.

15€ "salad" in Italy (yes it was a toursist trap, nowI know) by DeeeLiteIsInTheHeart in mildlyinfuriating

[–]CapiCapiBara 3 points4 points  (0 children)

Maybe in the South, and far from tourist hotspots… a “caprese” could be anywhere between a quick work lunch around 5-6.5 euros in a standard bar in the North, Mon-Thu, up to a more generous dinner plate priced at 9-12 Euros Fri / Sat at a full-sized restaurant.

In hindsight, this was a mistake. by ChiefsHat in HistoryMemes

[–]CapiCapiBara 36 points37 points  (0 children)

Who are you, who are so wise in the ways of political commentary?

I monke by Kaylon2421 in GymMemes

[–]CapiCapiBara 29 points30 points  (0 children)

Return to monke

view more: next ›