Differences
This shows you the differences between two versions of the page.
|
sred:lab5 [2021/12/09 10:48] horia.stoenescu [Setup] |
sred:lab5 [2022/11/18 15:15] (current) horia.stoenescu Updated fgt node |
||
|---|---|---|---|
| Line 4: | Line 4: | ||
| === Story === | === Story === | ||
| - | After gaining some experience with Cisco FTD, our company decided to test a firewall product from a different vendor: Fortinet, called FortiGate. It will be used firstly to create simple configs (like the ones did on lab3): create the qemu image path, create the node and deploy the machine, configure the interfaces and policy rules between interfaces. | + | After gaining some experience with Cisco Firepower, our company decided to test a firewall product from a different vendor: Fortinet, called FortiGate. It will be used firstly to create simple configs (like the ones did on lab3): create the qemu image path, the node on eve-ng, and deploy the machine, configure the interfaces and policy rules between interfaces. |
| === Lab infra === | === Lab infra === | ||
| - | The FortiOS version of our FortiGate machine (FGT) is 6.4.2. You can find qcow2 image located in your home directory, called virtioa.qcow2 (this is based on [[https://www.eve-ng.net/index.php/documentation/qemu-image-namings/|this]] qemu images naming conventions). | + | The FortiOS version of our FortiGate machine (FGT) is 7.2.3 (the latest KVM release as of Nov 2022). You can find qcow2 image located in your home directory, called virtioa.qcow2 (this is based on [[https://www.eve-ng.net/index.php/documentation/qemu-image-namings/|this]] qemu images naming conventions). |
| - | t0. ssh to the eve-ng machine (use user root and -X flag) - for win use putty or mobaxterm: | + | t0. ssh to the eve-ng machine (use user root and -X flag) - for Windows use PuTTY or MobaXterm: |
| user: root | user: root | ||
| Line 16: | Line 16: | ||
| <code> | <code> | ||
| - | user@host:~# ssh -l root -X 10.3.0.A (where A is your 4th byte in ipv4 address) | + | user@host:~# ssh -l root -X 10.3.0.A (where A is your 4th byte in the assigned IPv4 address) |
| </code> | </code> | ||
| - | t1. create the directory of the FGT image, using the format **fortinet-FGT-vX-buildABCD** (where X is the max version, in our case 6 and ABCD is the fortios build, in our case 1723): | + | t1. create the directory of the FGT image, using the format **fortinet-FGT-vX-buildABCD** (where X is the max version, in our case 7 and ABCD is the fortios build, in our case 1262): |
| <code> | <code> | ||
| root@SRED:~# cdq | root@SRED:~# cdq | ||
| - | root@SRED:/opt/unetlab/addons/qemu# mkdir fortinet-FGT-v6-build1723 | + | root@SRED:/opt/unetlab/addons/qemu# mkdir fortinet-FGT-v7-build1262 |
| </code> | </code> | ||
| t2. move the qcow2 image (found in your home dir) to this path | t2. move the qcow2 image (found in your home dir) to this path | ||
| <code> | <code> | ||
| - | root@SRED:~# mv virtioa.qcow2 /opt/unetlab/addons/qemu/fortinet-FGT-v6-build1723 | + | root@SRED:~# mv virtioa.qcow2 /opt/unetlab/addons/qemu/fortinet-FGT-v7-build1262 |
| </code> | </code> | ||
| Line 35: | Line 35: | ||
| </code> | </code> | ||
| - | t4. go to eve-ng webui from your browser (http://10.3.0.A) and create a new lab by closing the old one (left > expand > close lab), create a new one (add new lab + add name lab5) and open it. | + | t4. go to eve-ng WebUI from your browser (http://10.3.0.A) and create a new lab by closing the old one (left > expand > close lab), create a new one (add new lab + add name **lab5**) and open it. |
| Create a new node for the FGT: | Create a new node for the FGT: | ||
| - | Right click > Add new object Node > Search for 'Fortinet FortiGate' (if you cannot find it, go back to steps t1,t2 and t3) > select the required image name (it is based on the folder name): | + | Right click > Add new object Node > Search for 'Fortinet FortiGate' (if you cannot find it, you need to go back to steps t1,t2, and t3) > select the required image name (it is based on the folder name): |
| - | {{:sred:fgt_node2.png?400|}} | + | {{:sred:fgt_setup_2022.png?450|}} |
| See the configuration (based on [[https://help.fortinet.com/fmgr/vm-install/60/Content/Document/200_Licenses/400_Minimum%20HW%20Required.htm|these]] hardware requirements): | See the configuration (based on [[https://help.fortinet.com/fmgr/vm-install/60/Content/Document/200_Licenses/400_Minimum%20HW%20Required.htm|these]] hardware requirements): | ||
| Line 47: | Line 47: | ||
| - ram 2 GB | - ram 2 GB | ||
| - | - 1 vCPUs (for more than 1 vCPU, the trial license will not be accepted, so stick to only 1) | + | - 1 vCPUs (for more than 1 vCPU, the existing license will not be accepted, so stick to only 1) |
| - 4 ethernet interfaces | - 4 ethernet interfaces | ||
| + | |||
| + | - console vnc | ||
| **Q**: why do we need 4 ethernet interfaces? | **Q**: why do we need 4 ethernet interfaces? | ||
| - | On FGT machines, interfaces are named portX, where X is a digit from 1+ (in our case port1->4): | + | On FGT machines, interfaces are named portX, where X is a digit from 1+ (in our case port1->port4): |
| - the first interface, called port1 (you can name it outside - see below how), is the management one and also used for Internet access (remember **outside interface** - G0/0 on FTD). It has by default a static route to 0.0.0.0/0 via def gw of ESX vswitch: | - the first interface, called port1 (you can name it outside - see below how), is the management one and also used for Internet access (remember **outside interface** - G0/0 on FTD). It has by default a static route to 0.0.0.0/0 via def gw of ESX vswitch: | ||
| Line 72: | Line 74: | ||
| - the next interfaces are used as traffic ports. In this lab we are going to use only the first 2 for internal clients (inside1 and inside2) and the third one will be kept for the next ones (maybe for an attacker). | - the next interfaces are used as traffic ports. In this lab we are going to use only the first 2 for internal clients (inside1 and inside2) and the third one will be kept for the next ones (maybe for an attacker). | ||
| - | t5. As the traffic is forwarded to Internet via the mgmt interface (port1), we are going to need only 1 Network Cloud Node. Create a new network (Right click > Network) and select type Management(Cloud0). Attach a wire from this Cloud to FGT (select the first interface - port1=). Using this, it will take an ip address from the ESX vswitch (via dhcp). | + | t5. As the traffic is forwarded to Internet via the mgmt interface (port1), we are going to need only 1 Network cloud node. Create a new network (Right click > Network) and select type Management(Cloud0). Attach a wire from this Cloud to FGT (select the first interface - port1). Using this, it will take an ip address from the ESX vswitch (via dhcp). |
| <note important> | <note important> | ||
| - | Regarding the license, we will use for now the 15-days eval one: see [[https://docs.fortinet.com/vm/kvm/fortigate/6.4/kvm-cookbook/6.4.0/504166/fortigate-vm-evaluation-license|here]] more. | + | Regarding the license, we will use the same for all forti instances (you can find it on Moodle course [[https://curs.upb.ro/2022/mod/folder/view.php?id=87287|page]]). We want to have for this lab network access, so the license will be invalidated after less than 5 minutes. Don't worry, our required features are still available and starting with the next lab, the default route will be blackholed. |
| </note> | </note> | ||
| Line 97: | Line 99: | ||
| <note important> | <note important> | ||
| - | Regarding the MAC addresses: you must change the default one to a custom one for port1 as each machine must have an unique private ip: | + | Regarding the MAC addresses: you MUST change the default one to a custom one for port1 as each machine must have an unique private ip: |
| Go to cli of forti: | Go to cli of forti: | ||
| Line 118: | Line 120: | ||
| t10. for port1, there are by default multiple administrative services are activated (like ping, http, snmp etc.) | t10. for port1, there are by default multiple administrative services are activated (like ping, http, snmp etc.) | ||
| - | Access from your browser the WEBUI of FGT: http://PORT1_IP. It should be available instantly. | + | Access from your browser the WEBUI of FGT: http://PORT1_IP (identified at t9). It should be available instantly. |
| - | t11. Do the webui setup: | + | t11. Do the WebUI setup: |
| - | - for the hostname, you can use the following format: **FGTlast_byte_eve_ng_address** (for example: for student-1 is FGT45) | + | - download the license from Moodle and upload it. After this, the machine will restart, then check again the ip from cli (it should be the same) |
| - | - select for dashbord Optimal (the newest dashboard available). The second option can be used by users that were used to the old version of WEBUI (this can interchanged anytime from the menu). | + | Login again: |
| - | From the cli (you can access also from webui), check the network connection: | + | - for the hostname, you can use the following format: **FGTlast_byte_eve_ng_address** (for example: for ip 10.3.0.10 is **FGT10**) |
| + | |||
| + | - select for dashbord Optimal (the newest dashboard available). The second option can be used by users that were used to the old version of WebUI (this can interchanged anytime from the menu). | ||
| + | |||
| + | From cli, check the network connection: | ||
| <code> | <code> | ||
| FGT81 # execute ping google.com | FGT81 # execute ping google.com | ||
| Line 137: | Line 143: | ||
| t12. Configure the rest of 2 interfaces (port2 and port3): | t12. Configure the rest of 2 interfaces (port2 and port3): | ||
| - | - for port2 use network 172.16.0.0/24 with .1 ip for forti | + | - for port2 use network 172.16.0.0/24 with .1 ip for forti. Name it **inside1** (alias) |
| - | - for port3 use network 192.168.0.0/24 with .1 ip for forti | + | - for port3 use network 192.168.0.0/24 with .1 ip for forti. Name it **inside2** |
| For each interface, configure also DHCP servers with range .2 - .254, with default gw the same interface, DNS server the same and activate ping for admin access. | For each interface, configure also DHCP servers with range .2 - .254, with default gw the same interface, DNS server the same and activate ping for admin access. | ||
| Line 154: | Line 160: | ||
| Check the ping to def gw. | Check the ping to def gw. | ||
| - | t14. As expected, clients cannot access anything from Internet, due to default firewall policy: Implicit Deny (which is like 'deny any any' from acls). You can enable logging for this rule and try to ping google.com from client1. You will see on log & report > forward traffic, that this will drop anything (with Deny: policy violation). | + | t14. As expected, clients cannot access anything from Internet, due to default firewall policy: Implicit Deny (which is like 'deny any any' from ACLs). You can enable logging for this rule and try to ping google.com from client1. You will see on log & report > forward traffic, that this will drop anything (with Deny: policy violation). |
| We need to create for each interface, a rule for letting any traffic outside (from Policy & Objects > Firewall Policy): | We need to create for each interface, a rule for letting any traffic outside (from Policy & Objects > Firewall Policy): | ||
| Line 173: | Line 179: | ||
| === e3. [1p] Filter web === | === e3. [1p] Filter web === | ||
| - | We want for client2 to filter access to facebook.com. Configure a web filter object with static URL filter and create a new security rule for filtering traffic to that website (using also the security profile). | + | We want for client2 to filter access to facebook.com. Configure a web filter object with static URL filter and create a new security rule for filtering traffic to that website. |
| + | |||
| + | Check other pages from facebook, like //reg// or __login__. Traffic should be blocked and a stock 'page blocked' should be served. | ||
| == Case study web filtering == | == Case study web filtering == | ||
| - | Discussion regarding website blocking: | + | Discussion regarding website blocking (remember also [[https://ocw.cs.pub.ro/courses/sred/labextraftd#e1_2p_traffic_analysis|e1]] from lab5): |
| 1. If you configure on Web Filter the URL **www.facebook.com** (exact match or regex), all traffic to www.facebook.com will be blocked, but traffic to facebook.com won't as no exact match is seen. | 1. If you configure on Web Filter the URL **www.facebook.com** (exact match or regex), all traffic to www.facebook.com will be blocked, but traffic to facebook.com won't as no exact match is seen. | ||
