What are Fortigate VDOMs(Virtual Domains)?

Well Fortigate VDOMs are like ASAs contexts, you are able to separate the firewall so it looks like you have 2, with different management and user groups. With ASA you lose some features when you enabled contexts, but in the Fortinets’ Firewall you do not lose any features.(Isn’t that just great?!)

VDOMs features:

1. Have separate routing and firewall services

2. Each physical interface belongs to only one Virtual Domains

3. By Default for the VDOMs to communicate you need an external source(Internet) to allow the communications

4. By Default 10 VDOMs are supported (in NAT or Transparent Modes)

5. The Configuration file of the Fortigate, holds all VDOM configuration. EX: AntiVirus, IPS and System Time

I. VDOM Configuration Features:

There are 2 features that you can configure for the VDOMs and those are applied globally:

1. Guaranteed – defined the minimum level of resources that will be available to the VDOM

2. Maximum – overrides the global limit to reduce the amount of each resource available for this VDOM. This must be the same or lower than the global limit!

II. Management VDOM/ROOT

All management traffic goes through this VDOM. Examples:

1. DNS lookup

2. Logging

3. Fortiguard services

4. Alerts/Traps

5. NTP

6. Quarantine of suspicious files

III. VDOM Types

There are 3 types of VDOMs:

1. Independent VDOM 

This uses multiple VDOMs that are completely separated from each others.

2. Management VDOM

The ROOT VDOM is the managemental VDOM and the other VDOMs are connected to the management VDOM with the VDOM links. With this implementation you do not need a user for each VDOM, you manage them from the Management VDOM.

3. Meshed VDOM

This feature uses interconnectivity between VDOMs. This setup can get complex very quickly. The security needs to be increased.

IV. SSL with VDOMs

SSL.VDOM are automaticly configured for each VDOM.

Picture source: fortinet.com

Fortigate processes Web Filtering options in the following order:

1. URL Filtering

2. Fortiguard Web Filtering

3. Content Exempt

4. Content Block

5. Script Filter

6. Antivirus

Let’s talk a little about all of them:

1. URL Filtering – you define what URLs the Fortigate can block

2. Fortiguard Web Filtering – based on the categories you choose, the Fortigate will block the pages

3. Web Content block

This option blocks specific words or patterns. You can use Perl regular expressions and the based on scores you can block those

4. Web Content Exemption – allows the administrator to override the web content block feature.

Fortiguard uses the industry standard definition of spam as Unsolicite Bulk Email.

Here are the Spam Filtering Methods implemented by Fortinet to its appliances:

1. IP Address Check

2. URL Check

3. Email Checksum Check

4. Spam Submission

5. Block/White List

6. HELO DNS Lookup

7. Return E-mail DNS check

8. Banned Words

9. MIME check

10. DNS Blackhole List (DNSBL) and Open Relay Database List (ORDBL)

II. Fortiguar AntiSpam

Global Filters

1. FortiIP Sender IP Reputation Database (based on the reputation of the IP)

2. FortiSig 1 – contains “spamvertised URLs” – matches URLs in the email

3. FortiSig 2 – contains “spamvertised email address”

4. FortiSig 3 – checks for spam objecte checksums

5. FortiRule – the global filter uses dynamically updated heuristic rules to identify spam using: header, body, mime header and attachment

6. Customized Filters: IP address, banned word etc.

III. Spam actions:

You have the possibility to tag SPAM with the following Actions:

a. Tag for: IPAM, POP3, SMTP -> this features tags the spam with [SPAM] at the beginning of the Email Subject

b. Drop: SMTP -> you can drop emails only using SMTP of course

IV. Banned Word List

You can add words and add a score for each word. If your total score(more banned words in the email) go over a specific threshold, then the email is processed according with the profile you defined.

V. IP Address Filter

You can add a profile and a list of IP

IP Trust – if a Fortigate is behind a Mail Transfer Unit(MTU), it may be unnecesarry to check the email IP address because, they are internet and of course are trusted. To enabled this option you can use the “iptrust” command from the CLI.

VI. MIME Header Checks

Fortigate checks the MIME header key-value pair of the incoming email to the list pair in the sequence.

A MIME Header Check can only be configured using the “config spamfilter mheader” command from the CLI.

The DNSBL (DNS Blackhole List) and ORDBL (Open Relay Database List) can only be configured from the CLI and only for SMTP with the following command:

“config spamfilter dnsbl”

The Fortimail and Fortigate can support the following:

1. Wildlist Virus Protection -> This can be supported by both applications

2. Legacy Virus Protection -> This can only be supported by the Fortimail

3. Advanced Spam Filter -> This can be supported by both, but it is very limited in the Fortigate

4. Email Quarantine -> This can only be supported by the Fortimail or a Fortigate with FortiAnalyzer

5. Email Archiving -> Supported by both

6. Email routing -> Supported only by the Fortimail

I just created a Twitter Account. You can find me here.

Follow me for great Networking and Security News.

That is all! The MBR should be fixed now.

Good luck!

I have found a great video that i find really interesting.

Hope you enjoy  it:

Whenever i have the change i read the following Magazine that i highly recommend.

Here is the download link: Insecure Magazine 

Hope you enjoy it!

This article presents some useful commands/tricks that you can do to your Fortigate.

Debug Addresses:
Many times it happens that we have a lot of firewall policies for one address defined in our address Pool.
Let’s take an example:
We have “WWW_Server” defined with the IP of 172.18.1.10. To see what policies are using this Address we can use the following:

#diag sys checkused firewall.address:name 'WWW_Server'

From the output you clearly see that the policy that is using this address is policy "14"

In case our address is in an address group, we can find out where that address group is used by executing the following commands:
#diag sys checkused firewall.addgrp:name 'Server_Groups'

The firewall from Fortinet has also sniffing capabilities(take that Wireshark ):

#diag debug packet Interface_Name 'host IP_Host' 3
test

If we would like to sniff all the interfaces on port 67 or 68 UDP we can try the following.
#diag sniff packet any 'udp port 67 or udp port 68' 6

To stop the sniffing issue CTRL+C. Do not use twice or your putty session will die

Fortigate CPU or Memory at 100% 

From time to time we discover bugs, or the CPU/Memory goes to 100% usage. Then we are left with a reboot and if that does not fix it we need to check what process is using all the memory.

To do this we can use the following:
#diag debug en
#get sys status
#get sys perf status
#diag sys top 1 100 -> let it run for 10-15 seconds and then stop it by pressing “Q”.
#diag hard sys mem

Let’s say we found out that the process “authd” is using 100% of the process. To reboot it we can use the following:
#diag sys kill 11 proccess_id

In our case we will perform the following command:

#diag sys kill 11 51

This command will re-spawn the authd process.
Some other Signal_IDs:
9 ca SIGKILL
15 ca SIGTERM

Problems with Authentication?

To test the authentication we can use the following commands:
#diag test auth <type> <server_name> <chap | pap | mschap | mschap2> <username> <pwd>

Lets say we want to test an users’ LDAP username and PASSWORD we will test with the following:

#diag test authserver ldap server <server_name> <username> <pwd>

If the authentication is succesful then that means that we are good to go! The problem is somewhere else.

BASIC COMMANDS
To show the ARP table:
#diag ip arp list

To show the routing table:
#diag ip route list

To check the NIC status on the Fortigate:
#diag hard dev nic port

PPPoE:

#diag debug en
#diag debug app ppp 3

Hope this helps!
Happy firewalling and please comment if you have any questions. Thanks!

It this post i will talk about the AntiVirus feature of Fortigate. Since the firewall from Fortinet has a lot of features it is normal that AntiVirus is one of them.

The processing of the Antivirus application goes as following:

1. File Filter -first it checks if any files match a file filter defined by you. Ex: block any “.exe” files

2. Virus Scan – it then scans the file for known viruses

3. Grayware – it scans the file for grayware applications

4. Heuristics – it scans the file using heuristics algorithms

The File Filter is composed of 3 main tasks:

1. File Pattern (name, extension etc)

2. File Type (pattern checking)

3. Actions (Allow or Block the file)

A simple definition of Grayware files = unsolicited software programs that get installed on computers, often without the user approval or knowledge.

If the Antivirus has a HDD and the file that is scanning is matching any of the criteria explained above it will move the file to Quarantine. If the Fortigate does not have a HDD it can move them to a FortiAnalyzer.

The AntiVirus feature can have the following options:

a. Proxy Splicing – sends some of the response to the client and so it prevents the client from dropping the packet, as the client does not receive an ACK for the request he sent. This is normally used for FTP, POP3, IMAP and SMTP traffic.

b. Client Comforting - gives info the the user about the process of Proxy Splicing. This is mainly used for FTP and HTTP

Please let me know if you have any questions.

Thanks.

Fortigate Tutorial 4 – Authentication

The Fortigate aplience support different types of authentication.

Let’s discuss them here:

1. LDAP

Fortigate support all servers that are LDAP compliant. It supports up to LDAPv3

Also LDAP over SSL/TLS is supported. One downside of using LDAP is that the Fortinet firewall does not  supply any information on why the user authentication failed. For the reason you must check the Server itself.

2. Local Users

You can define local users on the Fortigate itself, by defining a user name and a password for the user.

3. RADIUS

Radius is also supported on the Fortigate. For this you just define a RADIUS server and define the shared key between the RADIUS server and the FG.

The Fortigate support 4 different types of authentication the users to the RADIUS server:

a. MS-CHAP2

b. MS-CHAP

c. CHAP

d. PAP

If none of those is selected, then the default is in the following order: PAP, MS-CHAP v2, CHAP and the last one is MS-CHAP.

4. PKI

The Fortigate can login users based on the PKI protocol. Certificates are used in this case.

5. Novell eDirecotry & Microsoft Active Directory

An awesome feature is the integration with Active Directory, as this is transparent to the users.

You just have to install a FSAE/FSSO applience on the Domain Controller(Microsoft) and the FG will automaticly catch any logins to the Active Directory.

The FSAE/FSSO  is composed of 2 different things:

a. Domain Controller Agent – this application must be installed on every Domain Controller that you have in your Microsoft Domain

b. Collector Agent – this application must be installed on AT LEAST one Domain Controller that you have in your Microsoft Domain.

The Domain Controller Agent gets users login info.

The Collector Agent send the information gather by the Controller Agents to the Fortigate.

One important thing that mostly new Fortigate Network Engineers forget is that FSAE/FSSO needs read-access to each clients computer registry over TCP port 139 and TCP port 445 must be opened. This is needed so the FSAE/FSSO application knows when an user logs off.

So do you forget to allows this in the users PC windows firewall!

6. TACACS

Yes, Fortigate supports TACACS too . Isn’t this firewall really great?!

The same principal applies as the RADIUS server, but it supports the following:

a. Auto(here the default is enabled, PAP->MS-CHAP->CHAP)

b. ASCII

c. PAP only

d. CHAP only

e. MS-CHAP only

Hope this help you to better understand the Fortigate. Below is a pick on where you can define all of these: