Sunday, March 2, 2025

Change the VLAN ID in a FortiGate Interface

Here's a Fortinet technical guide for changing the interface VLAN ID in a FortiGate firewall. I tried changing the VLAN ID (565 > 555) using the CLI first but received the error below, so I used the web GUI instead.


FW01_PRI (inet) # config system interface

FW01_PRI (interface) # edit "po1.565"

FW01_PRI (po1.565) # show
config system interface
    edit "po1.565"
        set vdom "inet"
        set ip 172.x.x.x 255.255.255.248
        set allowaccess ping
        set alias "inside-inet"
        set device-identification enable
        set role lan
        set snmp-index 151
        set interface "po1"
        set vlanid 565
    next
end

FW01_PRI (po1.565) # set vlanid 555

FW01_PRI (po1.565) # end
VLAN ID, VLAN protocol, or physical interface cannot be changed once a VLAN has been created.
object set operator error, -522 discard the setting
Command fail. Return code -522


To change the interface VLAN ID, go to Network > Interfaces > select interface > VLAN ID > Edit.

Type the new VLAN ID > click Next.

Review settings > click Update.

Click OK to proceed.

The new VLAN ID was reflected afterwards. This works for a new interface or configuration with no dependencies: nothing else in the configuration (firewall policies, zones, static routes, VPN tunnels) may still reference the interface.

I tried changing the interface VLAN ID (90 > 100) of a production FortiGate with firewall policy and VPN tunnel dependencies but got a "Failed" status.

To update the interface VLAN ID on a unit with dependencies, download an unencrypted configuration backup, change the set vlanid line inside that interface's stanza (under config system interface) with a text editor such as Notepad, then restore the edited file on the FortiGate. Only the vlanid line needs to change: the interface name (po1.565 here) is just a label, and renaming it would mean updating every policy, zone, route and VPN that references it. Keep the #config-version header line intact, and do not pick a VLAN ID that already exists on the same parent interface, since FortiOS requires VLAN IDs to be unique per parent. Restoring a configuration replaces the running configuration and reboots the FortiGate, so keep a copy of the original backup and do this in a maintenance window. Confirm the result afterwards with show system interface po1.565.
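As an added example (not from the original post or Fortinet), here is a Python script that makes the backup-file edit safely: it walks the config/edit/next/end stanzas of a plain-text FortiGate backup, lists every object that references the interface, checks that the new VLAN ID is valid and not already used on the same parent interface, and rewrites only the set vlanid line. The sample backup is constructed for the example; its #config-version header line and the address are placeholders.

```python
"""Change the VLAN ID of an interface in a FortiGate configuration backup.

Added example, not from the original post or Fortinet. Assumes a plain-text
(unencrypted) backup in the usual config/edit/next/end stanza layout.
"""
import re

# Constructed sample backup: the interface from the post, a second VLAN on the
# same parent, and a firewall policy that references po1.565. The
# #config-version header is a placeholder; a real one must be kept as exported.
SAMPLE_CONFIG = """\
#config-version=FGxxF-7.x.x-FW-buildxxxx:opmode=1:vdom=1:user=admin
config system interface
    edit "po1"
        set vdom "inet"
    next
    edit "po1.565"
        set vdom "inet"
        set ip 172.16.1.1 255.255.255.248
        set interface "po1"
        set vlanid 565
    next
    edit "po1.90"
        set vdom "inet"
        set interface "po1"
        set vlanid 90
    next
end
config firewall policy
    edit 1
        set srcintf "po1.565"
        set dstintf "wan1"
    next
end
"""

STANZA_RE = re.compile(r'^\s*(config\s+(.+?)|edit\s+(.+?)|next|end)\s*$')
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def walk(lines):
    """Yield (path, index, line); path is the tuple of enclosing stanza names,
    e.g. ('system interface', 'po1.565') for lines inside that interface."""
    path = []
    for i, line in enumerate(lines):
        m = STANZA_RE.match(line)
        if m:
            if m.group(2) is not None:          # config <table>
                path.append(m.group(2))
            elif m.group(3) is not None:        # edit <entry>
                path.append(m.group(3).strip('"'))
            elif path:                          # next / end
                path.pop()
        yield tuple(path), i, line


def interfaces(text):
    """Map interface name -> {'interface': parent, 'vlanid': int or None}."""
    out = {}
    for path, _, line in walk(text.splitlines()):
        if len(path) == 2 and path[0] == 'system interface':
            entry = out.setdefault(path[1], {'interface': None, 'vlanid': None})
            m = SET_RE.match(line)
            if m and m.group(1) == 'interface':
                entry['interface'] = m.group(2).strip('"')
            elif m and m.group(1) == 'vlanid':
                entry['vlanid'] = int(m.group(2))
    return out


def references(text, name):
    """Every `set` line outside the interface's own stanza that names it:
    policies (srcintf/dstintf), zones, static routes, VPN phase1 interface."""
    needle = f'"{name}"'
    return [(path, line.strip()) for path, _, line in walk(text.splitlines())
            if path[:2] != ('system interface', name)
            and SET_RE.match(line) and needle in line]


def change_vlanid(text, name, new_id):
    """Return the backup with `set vlanid` of `name` rewritten, after the checks
    FortiOS applies: valid range, and no other VLAN with that ID on the parent."""
    if not 1 <= new_id <= 4094:
        raise ValueError(f'VLAN ID {new_id} is outside 1-4094')
    ifaces = interfaces(text)
    if ifaces.get(name, {}).get('vlanid') is None:
        raise KeyError(f'{name} is not a VLAN interface in this backup')
    parent = ifaces[name]['interface']
    for other, info in ifaces.items():
        if other != name and info['interface'] == parent and info['vlanid'] == new_id:
            raise ValueError(f'VLAN {new_id} already exists on {parent} as {other}')
    lines = text.splitlines(keepends=True)
    for path, i, line in walk(lines):
        m = SET_RE.match(line)
        if path == ('system interface', name) and m and m.group(1) == 'vlanid':
            indent = line[:len(line) - len(line.lstrip())]
            lines[i] = f'{indent}set vlanid {new_id}\n'
    return ''.join(lines)


if __name__ == '__main__':
    for path, line in references(SAMPLE_CONFIG, 'po1.565'):
        print('referenced by', ' / '.join(path), '->', line)
    print(change_vlanid(SAMPLE_CONFIG, 'po1.565', 555))
```

Run it against the real backup by reading the file into change_vlanid; review the references list first, because those objects survive the restore untouched and keep working since only the VLAN tag behind the name changes.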



Tuesday, February 4, 2025

Create a Custom ICMP Service in a FortiGate Firewall

I had to configure a firewall policy in a FortiGate firewall and wanted to restrict the ICMP (ping) service, since the default ALL_ICMP service matches any ICMP type and code. The ICMP types and codes are listed on the IANA website. For an ICMP echo reply, use type 0 and code 0; an echo request, which is what the predefined PING service matches, is type 8.

Clone the predefined service rather than editing it: predefined services can be changed or reset by a firmware upgrade (if a command or feature changes), while a custom service you created is preserved. To clone the PING service, search for it, then right-click PING > Clone.

Type a Name > change the Type and Code.

 

For ICMP time exceeded, use type 11 and code 0 (TTL exceeded in transit, the message traceroute depends on). Code 1 is fragment reassembly time exceeded; a service with code 0 will not match it, so leave the code empty when the service should cover every code of that type.
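An added example, not from the original post or Fortinet: a Python script that parses constructed ICMP messages and shows which service definitions match them, including the predefined PING service (type 8, code unset) and the time-exceeded case above. It assumes the FortiOS semantics in which an unset type or code matches any value, and it prints the equivalent config firewall service custom CLI for a service.

```python
"""ICMP type/code matching for FortiGate custom services.

Added example, not from the original post or Fortinet. Assumes FortiOS
semantics in which an unset icmptype or icmpcode matches any value.
"""
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IcmpService:
    name: str
    icmptype: Optional[int]   # None = any type (this is ALL_ICMP)
    icmpcode: Optional[int]   # None = any code (how the predefined PING is defined)

    def matches(self, icmp_type: int, icmp_code: int) -> bool:
        return ((self.icmptype is None or icmp_type == self.icmptype)
                and (self.icmpcode is None or icmp_code == self.icmpcode))

    def cli(self) -> str:
        """CLI equivalent of cloning PING in the GUI and editing type/code."""
        body = ['config firewall service custom', f'    edit "{self.name}"',
                '        set protocol ICMP']
        if self.icmptype is not None:
            body.append(f'        set icmptype {self.icmptype}')
        if self.icmpcode is not None:
            body.append(f'        set icmpcode {self.icmpcode}')
        return '\n'.join(body + ['    next', 'end'])


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack(f'!{len(data) // 2}H', data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, icmp_code: int, rest: bytes = b'\x00' * 4) -> bytes:
    """Constructed ICMP message: type, code, checksum, 4-byte 'rest of header'."""
    msg = struct.pack('!BBH', icmp_type, icmp_code, 0) + rest
    return msg[:2] + struct.pack('!H', icmp_checksum(msg)) + msg[4:]


def parse_icmp(packet: bytes):
    """Return (type, code) of an ICMP message, rejecting short or corrupt ones."""
    if len(packet) < 8:
        raise ValueError('ICMP message shorter than 8 bytes')
    if icmp_checksum(packet) != 0:
        raise ValueError('bad ICMP checksum')
    return struct.unpack('!BB', packet[:2])


SERVICES = [
    IcmpService('ALL_ICMP', None, None),            # FortiOS default: everything
    IcmpService('PING', 8, None),                   # predefined: echo request, any code
    IcmpService('ICMP-ECHO-REPLY', 0, 0),           # the clone from the post
    IcmpService('ICMP-TIME-EXCEEDED-0', 11, 0),     # type 11 code 0 from the post
    IcmpService('ICMP-TIME-EXCEEDED', 11, None),    # type 11, any code
]

# Constructed sample messages (identifier/sequence 0x1234/1 for the echoes).
SAMPLES = {
    'echo request': build_icmp(8, 0, struct.pack('!HH', 0x1234, 1)),
    'echo reply': build_icmp(0, 0, struct.pack('!HH', 0x1234, 1)),
    'ttl exceeded in transit': build_icmp(11, 0),
    'fragment reassembly time exceeded': build_icmp(11, 1),
    'port unreachable': build_icmp(3, 3),
}


def matching_services(packet: bytes, services=SERVICES):
    icmp_type, icmp_code = parse_icmp(packet)
    return [s.name for s in services if s.matches(icmp_type, icmp_code)]


if __name__ == '__main__':
    for label, pkt in SAMPLES.items():
        print(f'{label:36} {parse_icmp(pkt)} -> {matching_services(pkt)}')
    print(SERVICES[2].cli())
```

The fragment-reassembly sample is the case to notice: it is matched by the any-code service and by ALL_ICMP, but not by the type 11 / code 0 clone.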


Wednesday, January 8, 2025

FortiGate Direct Firmware Upgrade

You can "safely" upgrade FortiOS directly to the target firmware on a brand-new unit, since it still has the default configuration. The documented upgrade path matters when there is an existing configuration: each intermediate release migrates any CLI syntax or feature changes, and skipping steps risks losing settings. Download the image from the Fortinet support portal, verify its checksum, and confirm Firmware Signature: certified in get system status after the upgrade.

I upgraded a brand-new standalone FortiGate that shipped with the default 6.4 firmware.


FortiGate-xxF login: admin
Password:
You are forced to change your password. Please input a new password.
New Password:
Confirm Password:
Welcome!

FortiGate-xxF # get system status
Version: FortiGate-xxF v6.4.4,build5543,201214 (GA)
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
Serial-Number: FGxxFT923901234
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
BIOS version: 05000011
System Part-Number: P25132-01
Log hard disk: Available
Hostname: FortiGate-xxF
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1803
Release Version Information: GA
FortiOS x86-64: Yes

 

I uploaded the target firmware and the direct upgrade took only around 4 minutes to complete. I proceeded with the configuration afterwards.

 

FortiGate-xxF # get system status
Version: FortiGate-xxF v7.xx,buildxx (GA.M)
Security Level: 2
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
FMWP-DB: 0.00000(2001-01-01 00:00)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
Serial-Number: FGxxFT923901234
BIOS version: 05000011
System Part-Number: P25132-01
Log hard disk: Available
Hostname: FortiGate-xxF
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1706
Release Version Information: GA
FortiOS x86-64: Yes
System time: Mon Oct  7 03:14:05 2024
Last reboot reason: warm reboot

 

Friday, December 6, 2024

Troubleshoot FortiGuard Server Connectivity

Here's a Fortinet link for troubleshooting FortiGuard server connectivity over the Internet. I was configuring a new FortiGate firewall in multiple VDOM mode but couldn't ping or perform a license update to the FortiGuard servers (a cloud service over the Internet).

FGT # config vdom

FGT (vdom) # edit root
current vf=root:0

FGT (root) # execute ping update.fortiguard.net
Unable to resolve hostname.

 

By default the FortiGate uses the FortiGuard public DNS servers 96.45.45.45 and 96.45.46.46, and FortiOS 7.x queries them over DNS over TLS (TCP/853). To change the DNS servers, go to Network > DNS > select Specify > type a reachable public DNS server (Google DNS 8.8.8.8 or your private DNS server). If that server does not support DNS over TLS, also enable the DNS (UDP/53) protocol toggle, otherwise resolution still fails; then click Apply. In multiple VDOM mode, DNS lookups and FortiGuard traffic originate from the management VDOM (root by default), so that VDOM is the one that needs a route to the Internet.


FGT (root) # execute ping service.fortiguard.net
PING guard.fortinet.net (208.184.237.61): 56 data bytes
64 bytes from 208.184.237.61: icmp_seq=0 ttl=47 time=255.0 ms
64 bytes from 208.184.237.61: icmp_seq=1 ttl=47 time=254.7 ms
64 bytes from 208.184.237.61: icmp_seq=2 ttl=47 time=254.7 ms
64 bytes from 208.184.237.61: icmp_seq=3 ttl=47 time=254.7 ms
64 bytes from 208.184.237.61: icmp_seq=4 ttl=47 time=254.7 ms

--- guard.fortinet.net ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 254.7/254.7/255.0 ms

FGT (root) # execute ping update.fortiguard.net
PING fds1.fortinet.com (12.34.97.16): 56 data bytes
64 bytes from 12.34.97.16: icmp_seq=0 ttl=46 time=332.9 ms
64 bytes from 12.34.97.16: icmp_seq=1 ttl=46 time=333.5 ms
64 bytes from 12.34.97.16: icmp_seq=2 ttl=46 time=333.4 ms
64 bytes from 12.34.97.16: icmp_seq=3 ttl=46 time=333.5 ms
64 bytes from 12.34.97.16: icmp_seq=4 ttl=46 time=337.0 ms

--- fds1.fortinet.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 332.9/334.0/337.0 ms

FGT (root) # execute ping guard.fortinet.net
PING guard.fortinet.net (208.184.237.61): 56 data bytes
64 bytes from 208.184.237.61: icmp_seq=0 ttl=47 time=254.9 ms
64 bytes from 208.184.237.61: icmp_seq=1 ttl=47 time=254.6 ms
64 bytes from 208.184.237.61: icmp_seq=2 ttl=47 time=254.5 ms
64 bytes from 208.184.237.61: icmp_seq=3 ttl=47 time=254.5 ms
64 bytes from 208.184.237.61: icmp_seq=4 ttl=47 time=254.5 ms

--- guard.fortinet.net ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 254.5/254.6/254.9 ms

 

 

The FortiCare (support and warranty) and next-generation firewall licenses (intrusion prevention, antivirus and web filtering) were updated/enabled after a few minutes. To force the check instead of waiting, run execute update-now, then compare the database versions with diagnose autoupdate versions.

 

The Internet Service Database (ISDB) objects were updated as well. You can view these under Policy & Objects > Internet Service Database.

The ISDB is a FortiGuard-maintained list of the public IP addresses, ports, geolocation, reputation and popularity of well-known Internet services (Facebook, Amazon, Microsoft, etc.). An ISDB entry can be used as the source or destination of a firewall policy or SD-WAN rule in place of manually maintained address and service objects, so the policy keeps up as the provider's address ranges change.


Sunday, November 10, 2024

Create a Fortinet Support Ticket

Here's a Fortinet link for device hardening and best practices in a FortiGate firewall.

To create a new Fortinet support ticket, go to this link > select Create a Ticket.

Select a Request Ticket Type (closest to your issue/inquiry). In this case, I selected Customer Service > Submit ticket.

Select a CS category. In this case I selected: Cloud Portal Query.

Enter the device Serial Number, Contact Information and Ticket Information.

Add Comment to describe your issue or upload a screenshot of the error in the Attachments.

Click Finish and note the ticket number. The Fortinet ticket number and summary will be sent to your registered email.

Another way to create a Fortinet ticket is via the Asset Management portal. Click Support > FortiCare > Create a Ticket.

Click New Ticket.


Choose: Technical Support Ticket > Submit Ticket.

You can get the FortiGate serial number with the get system status CLI command:

FG# get system status
Version: FortiGate-xx v7x,buildxx
Security Level: 2
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
Serial-Number: FGxx
BIOS version: 06000008
System Part-Number: Pxx
Log hard disk: Available
Hostname: FG
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 2 in NAT mode, 0 in TP mode
Virtual domain configuration: multiple
FIPS-CC mode: disable
Current HA mode: a-p, primary
Cluster uptime: 241 days, 23 hours, 33 minutes, 20 seconds
Cluster state change time: 2024-03-06 07:04:47
Branch point: xx
Release Version Information: GA
FortiOS x86-64: Yes
System time: Fri Sep  6 03:20:07 2024
Last reboot reason: warm reboot

 

Or retrieve it via the web GUI under Dashboard > Status.
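An added example that is not from the original post or Fortinet, covering both this serial-number lookup and the direct firmware upgrade post above: a Python parser for get system status output that extracts the serial number and version, and checks a pre/post-upgrade pair (firmware signature certified, same serial, version increased, HA and VDOM mode unchanged). The samples are abbreviated from the outputs on this page; the post-upgrade version string is a placeholder because the post elides it.

```python
"""Parse `get system status` and verify a firmware upgrade.

Added example, not from the original post or Fortinet. Samples are abbreviated
from this page; the post-upgrade version string is a placeholder.
"""
import re

STATUS_BEFORE = """\
Version: FortiGate-xxF v6.4.4,build5543,201214 (GA)
Firmware Signature: certified
Serial-Number: FGxxFT923901234
Hostname: FortiGate-xxF
Operation Mode: NAT
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Release Version Information: GA
"""

STATUS_AFTER = """\
Version: FortiGate-xxF v7.0.0,build0000 (GA.M)
Security Level: 2
Firmware Signature: certified
Serial-Number: FGxxFT923901234
Hostname: FortiGate-xxF
Operation Mode: NAT
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Release Version Information: GA
System time: Mon Oct  7 03:14:05 2024
Last reboot reason: warm reboot
"""

VERSION_RE = re.compile(r'\bv(\d+)\.(\d+)\.(\d+),build(\d+)')


def parse_status(text: str) -> dict:
    """'Key: value' lines -> dict; split on the first ': ' so values such as
    'Mon Oct  7 03:14:05 2024' survive intact."""
    fields = {}
    for line in text.splitlines():
        if ': ' in line:
            key, value = line.split(': ', 1)
            fields[key.strip()] = value.strip()
    return fields


def version_tuple(fields: dict):
    """(major, minor, patch, build) from the Version line."""
    m = VERSION_RE.search(fields.get('Version', ''))
    if not m:
        raise ValueError('Version line missing or not parseable')
    return tuple(int(x) for x in m.groups())


def serial_number(fields: dict) -> str:
    """The value the support portal asks for."""
    return fields['Serial-Number']


def check_upgrade(before_text: str, after_text: str, target=None) -> dict:
    """Post-upgrade checks worth making before trusting the box again."""
    before, after = parse_status(before_text), parse_status(after_text)
    v_before, v_after = version_tuple(before), version_tuple(after)
    problems = []
    if after.get('Firmware Signature') != 'certified':
        problems.append('firmware signature is not certified')
    if serial_number(after) != serial_number(before):
        problems.append('serial number changed (wrong device?)')
    if v_after[:3] <= v_before[:3]:
        problems.append('version did not increase')
    if target is not None and v_after[:3] != tuple(target):
        problems.append(f'running {v_after[:3]}, expected {tuple(target)}')
    for key in ('Current HA mode', 'Virtual domain configuration', 'Operation Mode'):
        if after.get(key) != before.get(key):
            problems.append(f'{key} changed: {before.get(key)} -> {after.get(key)}')
    return {'before': v_before, 'after': v_after, 'serial': serial_number(after),
            'ok': not problems, 'problems': problems}


if __name__ == '__main__':
    print('serial for the ticket:', serial_number(parse_status(STATUS_AFTER)))
    print(check_upgrade(STATUS_BEFORE, STATUS_AFTER, target=(7, 0, 0)))
```

Paste the real before/after outputs into the two strings (or read them from files); the target argument is the release you meant to install, so a unit that silently booted the other partition's image shows up as a problem rather than a passing check.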


Under the Product Info > type the device SN > click Go

Fill up the required info > click Next.

Type the Comment (answer the pre-filled questionnaire) or click File Upload to upload a screenshot of the error.

It's also very useful to upload the debug log, which is the FortiGate equivalent of show tech-support on a Cisco device. Go to System > Settings > Debug logs > click Download. The debug log contains the full configuration and diagnostic output, so treat it as sensitive and attach it only to the support ticket.

It only took a few seconds to download the debug log text file. Here's a snippet of the debug log output:

----------------------------------------------------------------
  Serial Number: FG4Hxx   Diagnose output
----------------------------------------------------------------

### get system status

Version: FortiGate-xxv7x
Security Level: 2
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
Serial-Number: FG4xx
BIOS version: 06000008
System Part-Number: P27xx
Log hard disk: Available
Hostname: xx
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 2 in NAT mode, 0 in TP mode
Virtual domain configuration: multiple
FIPS-CC mode: disable
Current HA mode: a-p, primary
Cluster uptime: 241 days, 23 hours, 40 minutes, 25 seconds
Cluster state change time: 2024-03-06 07:04:47
Branch point: xx
Release Version Information: xx
FortiOS x86-64: Yes
System time: Fri Sep  6 03:27:12 2024
Last reboot reason: warm reboot

### get system performance status

CPU states: 1% user 0% system 0% nice 99% idle 0% iowait 0% irq 0% softirq
CPU0 states: 2% user 0% system 0% nice 98% idle 0% iowait 0% irq 0% softirq
CPU1 states: 0% user 0% system 0% nice 99% idle 0% iowait 0% irq 1% softirq
CPU2 states: 7% user 5% system 0% nice 87% idle 0% iowait 0% irq 1% softirq
CPU3 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU4 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU5 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU6 states: 0% user 0% system 0% nice 99% idle 0% iowait 0% irq 1% softirq
CPU7 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU8 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq

<OUTPUT TRUNCATED>

 

 

Review the ticket summary before submitting > click Confirm to proceed.

 




Saturday, October 5, 2024

Cisco GRE Tunnel Keepalive

This Cisco link covers the GRE tunnel and how a keepalive works. I have a GRE over IPsec VPN configured between Singapore and London. The GRE tunnel only goes up whenever I perform a ping, so I configured the GRE tunnel keepalive to keep it up permanently. The default keepalive interval is 10 seconds with 3 retries, so the tunnel line protocol is declared down after 3 consecutive unanswered keepalives (30 seconds). Only the router that sends keepalives needs the command: the remote end just decapsulates the keepalive and routes it back, so it works even if the peer has no keepalive configured.

SIN#show run interface Tunnel40
Building configuration...

Current configuration : 314 bytes
!
interface Tunnel40
 ip address 10.16.2.194 255.255.255.252
 ip mtu 1400
 tunnel source 192.168.1.18
 tunnel destination 192.168.1.146
end

SIN#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SIN(config)#interface Tunnel40
SIN(config-if)#keepalive ?
  <0-32767>  Keepalive period (default 10 seconds)
  <cr>       <cr>

SIN(config-if)#keepalive
SIN(config-if)#end
SIN#write memory
Building configuration...
[OK]

SIN#show run interface Tunnel40
Building configuration...

Current configuration : 330 bytes
!
interface Tunnel40
 ip address 10.16.2.194 255.255.255.252
 ip mtu 1400
 keepalive 10 3
 tunnel source 192.168.1.18
 tunnel destination 192.168.1.146
end


LON#show run interface Tunnel40
Building configuration...

Current configuration : 322 bytes
!
interface Tunnel40
 ip address 10.16.2.193 255.255.255.252
 ip mtu 1400
 tunnel source 192.168.1.146
 tunnel destination 192.168.1.18
end

LON#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LON(config)#interface Tunnel40
LON(config-if)#keepalive
LON(config-if)#end
LON#write memory
Building configuration...
[OK]

LON#show run interface Tunnel40
Building configuration...

Current configuration : 338 bytes
!
interface Tunnel40
 ip address 10.16.2.193 255.255.255.252
 ip mtu 1400
 keepalive 10 3   // DEFAULT IS 10 SECOND INTERVAL AND 3 RETRIES
 tunnel source 192.168.1.146
 tunnel destination 192.168.1.18
end

LON#ping 10.16.2.194
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.16.2.194, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 181/181/181 ms

 

I've checked the IPSec VPN was already up in the FortiGate firewall even before I did a ping.
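An added example, not from the original post or Cisco: a Python model of how a GRE keepalive works. The sender encapsulates an IP packet addressed back to itself, carrying a GRE header with protocol type 0, inside a normal tunnel packet; the peer decapsulates it and simply routes it back; a GRE packet with protocol type 0 arriving at the sender proves the round trip. The addresses are the tunnel source and destination from the post; the TunnelKeepalive class is my reading of the keepalive 10 3 timer, not Cisco's code.

```python
"""How a Cisco GRE keepalive works, modelled in Python.

Added example, not from the original post or Cisco. Builds the packets a
sender emits, shows what the peer does with them, and how the sender
recognises the reply. Addresses are the tunnel endpoints from the post.
"""
import ipaddress
import struct

IPPROTO_GRE = 47
GRE_PROTO_IP = 0x0800         # inner payload is IPv4
GRE_PROTO_KEEPALIVE = 0x0000  # Cisco keepalive marker: GRE protocol type 0


def ip_checksum(header: bytes) -> int:
    total = sum(struct.unpack(f'!{len(header) // 2}H', header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto=IPPROTO_GRE) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + payload_len, 0, 0, 255, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack('!H', ip_checksum(hdr)) + hdr[12:]


def gre_header(proto: int) -> bytes:
    return struct.pack('!HH', 0, proto)  # no checksum/key/sequence flags, version 0


def parse_ipv4(packet: bytes):
    """-> (src, dst, proto, payload); rejects a corrupt header."""
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError('bad IPv4 header checksum')
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:]


def build_keepalive(tunnel_source: str, tunnel_destination: str) -> bytes:
    """Sender side. Inner: IP from the peer back to us + GRE protocol 0.
    Outer: the usual tunnel encapsulation towards the peer."""
    inner = ipv4_header(tunnel_destination, tunnel_source, 4) + gre_header(GRE_PROTO_KEEPALIVE)
    return (ipv4_header(tunnel_source, tunnel_destination, 4 + len(inner))
            + gre_header(GRE_PROTO_IP) + inner)


def peer_decapsulate(packet: bytes, my_address: str) -> bytes:
    """Peer side: strip outer IP+GRE like any tunnel packet. The inner packet is
    addressed to the sender, so ordinary routing returns it; the peer needs no
    keepalive configuration of its own."""
    src, dst, proto, payload = parse_ipv4(packet)
    if dst != my_address or proto != IPPROTO_GRE:
        raise ValueError('not a GRE packet for this endpoint')
    flags, gre_proto = struct.unpack('!HH', payload[:4])
    if gre_proto != GRE_PROTO_IP:
        raise ValueError('outer GRE does not carry IPv4')
    return payload[4:]


def is_keepalive_reply(packet: bytes, my_address: str) -> bool:
    """Sender side again: a GRE packet with protocol type 0 is the keepalive home."""
    src, dst, proto, payload = parse_ipv4(packet)
    if dst != my_address or proto != IPPROTO_GRE or len(payload) < 4:
        return False
    return struct.unpack('!HH', payload[:4])[1] == GRE_PROTO_KEEPALIVE


class TunnelKeepalive:
    """Timer model of `keepalive <period> <retries>` (assumed IOS behaviour: line
    protocol drops after `retries` consecutive unanswered keepalives)."""

    def __init__(self, period: int = 10, retries: int = 3):
        self.period, self.retries = period, retries
        self.missed, self.line_protocol = 0, 'up'

    def tick(self, reply_received: bool) -> str:
        if reply_received:
            self.missed, self.line_protocol = 0, 'up'
        else:
            self.missed += 1
            if self.missed >= self.retries:
                self.line_protocol = 'down'
        return self.line_protocol

    def detection_time(self) -> int:
        return self.period * self.retries


def round_trip(tunnel_source: str, tunnel_destination: str) -> bool:
    sent = build_keepalive(tunnel_source, tunnel_destination)
    returned = peer_decapsulate(sent, tunnel_destination)
    return is_keepalive_reply(returned, tunnel_source)


if __name__ == '__main__':
    print('keepalive answered:', round_trip('192.168.1.18', '192.168.1.146'))
```

GRE itself has no authentication, so anything that can inject a protocol-type-0 GRE packet towards the tunnel source can keep the interface "up"; in the setup above the keepalive travels inside the IPsec tunnel, which is what protects it.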


Friday, September 6, 2024

Cisco ASA Firewall SNMP OID

There's a "hidden" Cisco ASA CLI command to list the SNMP OIDs the firewall supports without performing an SNMP walk from a remote server/NMS. The Management Information Base (MIB) is the hierarchical (tree) structure of SNMP managed objects; an Object Identifier (OID) is the dotted string of numbers naming one node in that tree, and it uniquely identifies a managed object such as a device interface, CPU, memory or traffic counter.

I had a high CPU alarm in our NMS, but there was no high CPU when I checked. It turned out the NMS didn't support the new Firepower ASA platform with its multi-core CPU, so its MIB/OID database needed an update.

FPR2100# show cpu core all
Core              5 sec  1 min  5 min
Core 0             1.4%   0.8%   0.7%
Core 1             0.2%   0.2%   0.2%
Core 2             0.2%   0.2%   0.2%
Core 3             0.2%   0.2%   0.2%
Core 4             0.2%   0.2%   0.2%
Core 5             0.2%   0.2%   0.2%
Core 6             0.2%   0.2%   0.2%
Core 7             0.2%   0.2%   0.2%
Core 8             0.2%   0.2%   0.2%
Core 9             0.2%   0.2%   0.2%
Core 10            0.2%   0.2%   0.2%
Core 11            1.0%   0.6%   0.5%
Core 12            0.2%   0.2%   0.2%
Core 13            0.2%   0.2%   0.2%
Core 14            0.2%   0.2%   0.2%
Core 15            0.2%   0.2%   0.2%
Core 16            0.2%   0.2%   0.2%
Core 17            0.2%   0.2%   0.2%
Core 18            0.2%   0.2%   0.2%
Core 19            0.2%   0.2%   0.2%
Core 20            0.2%   0.2%   0.2%
Core 21            0.2%   0.2%   0.2%


The output below came from a Cisco ASA5515-X firewall. You'll need to run this command in the admin context if the ASA is in multiple context mode.

ciscoasa# show snmp-server ?      

  engineID    Show snmp engineID
  group       Show snmp groups
  host        Show snmp host's
  statistics  Show snmp-server statistics
  user        Show snmp users 

ciscoasa# show snmp-server oidlist ?   // IT'S A HIDDEN CLI COMMAND
ERROR: % Unrecognized command

ciscoasa# show snmp-server oidlist

-------------------------------------------------
[0]     1.3.6.1.2.1.1.1.        sysDescr
[1]     1.3.6.1.2.1.1.2.        sysObjectID
[2]     1.3.6.1.2.1.1.3.        sysUpTime
[3]     1.3.6.1.2.1.1.4.        sysContact
[4]     1.3.6.1.2.1.1.5.        sysName
[5]     1.3.6.1.2.1.1.6.        sysLocation
[6]     1.3.6.1.2.1.1.7.        sysServices
[7]     1.3.6.1.2.1.1.8.        sysORLastChange
[8]     1.3.6.1.2.1.1.9.1.2.    sysORID
[9]     1.3.6.1.2.1.1.9.1.3.    sysORDescr
[10]    1.3.6.1.2.1.1.9.1.4.    sysORUpTime
[11]    1.3.6.1.2.1.2.1.        ifNumber
[12]    1.3.6.1.2.1.2.2.1.1.    ifIndex
[13]    1.3.6.1.2.1.2.2.1.2.    ifDescr
[14]    1.3.6.1.2.1.2.2.1.3.    ifType
[15]    1.3.6.1.2.1.2.2.1.4.    ifMtu
[16]    1.3.6.1.2.1.2.2.1.5.    ifSpeed
[17]    1.3.6.1.2.1.2.2.1.6.    ifPhysAddress
[18]    1.3.6.1.2.1.2.2.1.7.    ifAdminStatus
[19]    1.3.6.1.2.1.2.2.1.8.    ifOperStatus
[20]    1.3.6.1.2.1.2.2.1.9.    ifLastChange
[21]    1.3.6.1.2.1.2.2.1.10.   ifInOctets
[22]    1.3.6.1.2.1.2.2.1.11.   ifInUcastPkts
<--- More --->

<OUTPUT TRUNCATED>

[1002]  1.3.6.1.6.3.15.1.2.2.1.3.       usmUserSecurityName
[1003]  1.3.6.1.6.3.15.1.2.2.1.4.       usmUserCloneFrom
[1004]  1.3.6.1.6.3.15.1.2.2.1.5.       usmUserAuthProtocol
[1005]  1.3.6.1.6.3.15.1.2.2.1.6.       usmUserAuthKeyChange
[1006]  1.3.6.1.6.3.15.1.2.2.1.7.       usmUserOwnAuthKeyChange
[1007]  1.3.6.1.6.3.15.1.2.2.1.8.       usmUserPrivProtocol
[1008]  1.3.6.1.6.3.15.1.2.2.1.9.       usmUserPrivKeyChange
[1009]  1.3.6.1.6.3.15.1.2.2.1.10.      usmUserOwnPrivKeyChange
[1010]  1.3.6.1.6.3.15.1.2.2.1.11.      usmUserPublic
[1011]  1.3.6.1.6.3.15.1.2.2.1.12.      usmUserStorageType
[1012]  1.3.6.1.6.3.15.1.2.2.1.13.      usmUserStatus
[1013]  1.3.6.1.6.3.16.1.2.1.3. vacmGroupName
[1014]  1.3.6.1.6.3.16.1.2.1.4. vacmSecurityToGroupStorageType
[1015]  1.3.6.1.6.3.16.1.2.1.5. vacmSecurityToGroupStatus
-------------------------------------------------
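An added example, not from the original post or Cisco: a Python parser for show snmp-server oidlist output that builds a lookup table, resolves the instance OIDs an NMS actually polls by longest-prefix match (so 1.3.6.1.2.1.2.2.1.10.3 resolves to ifInOctets, index 3), and reports OIDs the firewall does not advertise. The sample is a constructed excerpt of the listing above, so anything outside it is reported as missing; run it on the full output (terminal pager 0 first, so nothing is cut by the pager) for a real check.

```python
"""Resolve polled OIDs against `show snmp-server oidlist` output.

Added example, not from the original post or Cisco. The sample is a
constructed excerpt of the listing on this page; use the full output.
"""
import re

SAMPLE_OIDLIST = """\
-------------------------------------------------
[0]     1.3.6.1.2.1.1.1.        sysDescr
[2]     1.3.6.1.2.1.1.3.        sysUpTime
[11]    1.3.6.1.2.1.2.1.        ifNumber
[12]    1.3.6.1.2.1.2.2.1.1.    ifIndex
[19]    1.3.6.1.2.1.2.2.1.8.    ifOperStatus
[21]    1.3.6.1.2.1.2.2.1.10.   ifInOctets
[22]    1.3.6.1.2.1.2.2.1.11.   ifInUcastPkts
<--- More --->
[1013]  1.3.6.1.6.3.16.1.2.1.3. vacmGroupName
-------------------------------------------------
"""

ENTRY_RE = re.compile(r'^\[(\d+)\]\s+(\d+(?:\.\d+)*)\.?\s+(\S+)$')


def parse_oidlist(text: str) -> dict:
    """{oid tuple: object name}; skips rulers and pager prompts and tolerates
    the trailing dot the ASA prints after each OID."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            table[tuple(int(x) for x in m.group(2).split('.'))] = m.group(3)
    return table


def lookup(table: dict, oid: str):
    """Longest-prefix match of a polled (instance) OID. Returns
    (object name, instance suffix) or (None, None) if not advertised."""
    parts = tuple(int(x) for x in oid.strip('.').split('.'))
    for n in range(len(parts), 0, -1):
        if parts[:n] in table:
            return table[parts[:n]], '.'.join(map(str, parts[n:])) or None
    return None, None


def unsupported(table: dict, polled) -> list:
    """OIDs the NMS asks for that the firewall does not advertise: the kind of
    mismatch behind a bogus alarm after a platform change."""
    return [oid for oid in polled if lookup(table, oid)[0] is None]


if __name__ == '__main__':
    table = parse_oidlist(SAMPLE_OIDLIST)
    # ifHCInOctets.3 (IF-MIB ifXTable) is not in the excerpt, so it is reported missing.
    for oid in ('1.3.6.1.2.1.1.3.0', '1.3.6.1.2.1.2.2.1.10.3', '1.3.6.1.2.1.31.1.1.1.6.3'):
        print(oid, '->', lookup(table, oid))
```

Feed unsupported() the OID list your NMS template polls for the device class; anything it returns is an object the NMS will never get a valid answer for and is a good first suspect for an alarm that does not match what the CLI shows.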