When a FortiGate forwards syslog, the sending host can show up as _gateway, as in the line below.

It causes no real problem, but an IP address reads better, and it lets you see which address is relaying the syslog.

Jun 15 11:01:13 _gateway date=2023-06-15 time=11:01:12 devname="xxxxxxxx" devid="FG200F########" eventtime=1686794472544187716 tz="+0900" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.xxx.xx srcport=52170 srcintf="ha" srcintfrole="undefined" dstip=192.168.xxx.x dstport=5601 dstintf="dmz" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=144924 proto=6 action="accept" policyid=17 policytype="policy" poluuid="0aaaaaaa68-0aa8-51ee-06c7-4a2eb8b62f63" policyname="serial to dmz" service="tcp/5601" trandisp="noop" duration=121 sentbyte=2356 rcvdbyte=2492 sentpkt=11 rcvdpkt=8 appcat="unscanned" sentdelta=2356 rcvddelta=2492 dsthwvendor="MSI" dstosname="Linux" masterdstmac="ac:a0:ad:5a:9a:2a" dstmac="2c:f0:5a:5a:9a:2a" dstserver=0

The GUI syslog settings have no option for this, but in the CLI you can set source-ip, the address the FortiGate sends its syslog from.

hostname # config log syslogd setting

hostname (setting) # show
config log syslogd setting
    set status enable
    set server "192.168.xxx.xxx"      # syslog server
    set source-ip "192.168.xxx.xxx"   # address the logs are sent from
end

hostname (setting) #

After the change, syslog shows the IP instead of _gateway, as below.

(If the source-ip you choose is on the same subnet as the log server, it still shows as _gateway. The name is produced on the log server: FortiGate puts no hostname in the syslog header, so rsyslog fills in the resolved name of the sending address, and the resolver names the server's own default gateway _gateway. Turning off rsyslog's reverse lookups, or logging the sender's IP directly, avoids the lookup altogether.) The same config log syslogd setting block also holds the transport options: set mode reliable sends the logs over TCP, and enc-algorithm turns on TLS, which matters when the logs cross an untrusted segment.

Jun 15 11:01:13 192.168.xxx.xxx date=2023-06-15 time=11:01:12 devname="xxxxxxxx" devid="FG200F########" eventtime=1686794472544187716 tz="+0900" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.xxx.xx srcport=52170 srcintf="ha" srcintfrole="undefined" dstip=192.168.xxx.x dstport=5601 dstintf="dmz" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=144924 proto=6 action="accept" policyid=17 policytype="policy" poluuid="0aaaaaaa68-0aa8-51ee-06c7-4a2eb8b62f63" policyname="serial to dmz" service="tcp/5601" trandisp="noop" duration=121 sentbyte=2356 rcvdbyte=2492 sentpkt=11 rcvdpkt=8 appcat="unscanned" sentdelta=2356 rcvddelta=2492 dsthwvendor="MSI" dstosname="Linux" masterdstmac="ac:a0:ad:5a:9a:2a" dstmac="2c:f0:5a:5a:9a:2a" dstserver=0

 

Other posts in the '기술 노트 > fortigate' (tech notes > fortigate) category:

Connecting AD as an LDAP server  2023.07.07
logstash settings for FortiGate 7.0.X  2023.06.16
Protecting web page access  2023.05.23
Login alert settings  2023.04.06
logstash settings for FortiGate 6.2.X  2023.04.04

Here is how to protect the FortiGate admin web page from exposure.

To keep the login page from being reachable, restrict the administrator accounts to trusted hosts ("Restrict login to trusted hosts"); the web page then stops being served to other hosts automatically. This only takes full effect when every administrator account has trusted hosts set: if even one account has none, the login page is still shown to everyone and only that account's logins are limited.

If you also remove PING from the WAN interface's Administrative access, the device no longer answers ping from outside, while the permitted IPs can still reach the web UI. Better still, remove HTTPS/SSH from the WAN interface entirely and manage from an internal interface or over VPN, with trusted hosts as the second layer.

[Administrator account, "Restrict login to trusted hosts": OFF]

[Administrator account, "Restrict login to trusted hosts": ON]

[WAN interface, "PING" unchecked]

For installing elastalert, see these posts:

https://dirt-spoon.tistory.com/58

https://dirt-spoon.tistory.com/19

For configuring alerts with elastalert, see this post:

https://dirt-spoon.tistory.com/61

Alert rule for FortiGate logins. The rule matches successful administrator logins only; a second rule on logdesc "Admin login failed" is the natural companion for catching password guessing against the GUI or SSH.

name: firewall_console_login

type: any

index: logstash-fortigate-event*

filter:
- query:
    query_string:
      query: logdesc:"Admin login successful" AND action:"login"

doc_type: _doc

alert:
- "slack"

slack:
# Slack webhook URL (treat it as a secret: anyone who has it can post to the channel)
slack_webhook_url: "https://hooks.slack.com/services/----------------------------redacted-------"

# display name for the message in the Slack channel
slack_username_override: "ElastAlert-Bot"

# channel to send the message to
slack_channel_override: "#security_alert"

# title of the Slack message
# if omitted, the rule's absolute path is used: /opt/elastalert/rules/firewall_login_success.yaml
slack_title: FIREWALL_LOGIN_SUCCESS

# Slack message colour
slack_msg_color: "good"

alert_text: "FIREWALL_CONSOLE_LOGIN: login time: {0} / account: {1} / source IP: {2}"
alert_text_type: "alert_text_only"
alert_text_args: ["TIMESTAMP", "user", "srcip"] # check the field names in Kibana

Received alert (screenshot)

Install logstash-filter-bytes with logstash-plugin

[root@tmplogsvr bin]# /usr/share/logstash/bin/logstash-plugin install logstash-filter-bytes
Using bundled JDK: /usr/share/logstash/jdk
Validating logstash-filter-bytes
Resolving mixin dependencies
Installing logstash-filter-bytes
Installation successful
[root@tmplogsvr bin]#

 

logstash pattern for FortiGate (placed in /etc/logstash/pattern.d, the patterns_dir used in the config below)

####################################
###Fortinet Syslog Pattern Types:###
####################################

FORTILOG (?<TIMESTAMP>^\w+\s+\d+\s+\d+:\d+:\d+)\s(?<Client>\d+\.\d+\.\d+\.\d+)\sdate=(?<DAY>\w+\-\w+\-\w+)\stime=(?<HOUR>\d+):(?<MINUTE>\d+):(?<SECOND>\d+)\sdevname="(?<Device_Name>.*)"\sdevid="(?<DEV_ID>\w+)"\slogid="(?<LOG_ID>\d+)"\stype="(?<LOG_TYPE>\w+)"\ssubtype="(?<SUB_LOG_TYPE>\w+)"

※ This pattern is used together with logstash's stock grok patterns (the config below also uses %{GREEDYDATA}), so the file has to sit in the patterns_dir alongside them.

Two things to check: Client must be a dotted IPv4 address, so if the syslog server writes the relay as _gateway instead of an IP the match fails and the event is tagged _grokparsefailure (this is why the FortiGate source-ip setting matters). And the pattern expects the 6.2 header order, devid followed directly by logid; 7.0 logs, like the line at the top of this page, carry eventtime and tz between them and need the pattern adjusted.

 

logstash configuration for FortiGate. The elasticsearch output below uses plain http to 192.168.0.17 with no credentials, which is acceptable in a lab; anywhere else put TLS and an authenticated user on the output (the ssl, cacert, user and password options).

[root@tmplogsvr bin]# cat /etc/logstash/conf.d/logstash.conf
input {
        file {
                # rsyslog writes one directory per sending host; the "fortigate"
                # tag is what the filter and output sections key on
                path => "/var/log/rsyslog/192.168.10.14/*.log"
                start_position => "beginning"
                tags => ["fortigate"]
        }
}

filter {
        if "fortigate" in [tags] {
                # FORTILOG takes the syslog header; the key=value body lands in sub_message
                grok {
                        patterns_dir => ["/etc/logstash/pattern.d"]
                        match => { "message" => [ "%{FORTILOG} %{GREEDYDATA:sub_message}" ] }
                }
                # kv splits the body; it handles the double-quoted values FortiGate emits
                kv {
                        source => "sub_message"
                        value_split => "="
                }
                mutate { remove_field => [ "sub_message" ] }
                # geolocate only sources that arrived on a wan-role interface
                if "wan" in [srcintfrole] {
                        geoip {
                                source => "srcip"
                                target => "geoip_src"
                        }
                }
                # only traffic logs carry byte counters: test for the field's presence,
                # not for an empty string (an absent field is not "")
                if [sentbyte] and [rcvdbyte] {
                        bytes {
                                source => "rcvdbyte"
                                target => "receivedbyte"
                        }
                        bytes {
                                source => "sentbyte"
                                target => "sentedbyte"
                        }
                }
                mutate {
                        convert => {
                                "rcvdpkt" => "integer"
                                "sentpkt" => "integer"
                                "proto" => "integer"
                                "srcserver" => "integer"
                                "sessionid" => "integer"
                                "duration" => "integer"
                                "policyid" => "integer"
                                "HOUR" => "integer"
                                "MINUTE" => "integer"
                                "SECOND" => "integer"
                        }
                }
        }
}

output {
        if "fortigate" in [tags] {
                # one daily index per log type; LOG_TYPE comes from FORTILOG
                if "traffic" in [LOG_TYPE] {
                        elasticsearch {
                                hosts => ["http://192.168.0.17:9200"]
                                index => "logstash-fortigate-traffic-index-%{+YYYY.MM.dd}"
                        }
                }
                else if "event" in [LOG_TYPE] {
                        elasticsearch {
                                hosts => ["http://192.168.0.17:9200"]
                                index => "logstash-fortigate-event-index-%{+YYYY.MM.dd}"
                        }
                }
                else if "utm" in [LOG_TYPE] {
                        elasticsearch {
                                hosts => ["http://192.168.0.17:9200"]
                                index => "logstash-fortigate-utm-index-%{+YYYY.MM.dd}"
                        }
                }
        }
}
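The relay-host behaviour from the syslog source-ip post, the FORTILOG/kv/output stages above and the ElastAlert login rule, worked through in Python as an added example (not code from these posts). It assumes rsyslog's default line layout and the constructed sample lines below (placeholder addresses, device name and serial), and it assumes that FortiOS writes logdesc "Admin login failed" for a rejected login; that failed-login alert goes one step beyond the post's rule, which covers successful logins only.

```python
"""FortiGate syslog as rsyslog writes it: parse the header and key=value body,
route by log type, and flag administrator logins.

Added example, not code from the original posts. It mirrors what the FORTILOG
grok pattern, the kv filter, the elasticsearch output and the ElastAlert rule
do. SAMPLE_LOGS is constructed; addresses, names and serials are placeholders.
"""
import re

# rsyslog's default line layout: "<Mon> <day> <hh:mm:ss> <relay host> <message>".
# FortiGate sends no HOSTNAME in the syslog header, so rsyslog fills in the
# resolved name of the sending address; the resolver returns "_gateway" when
# that address is the log server's default gateway.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<body>.*)$"
)
# key=value pairs; values are double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# what the posts' FORTILOG pattern requires of the relay-host field
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# log types the posts' output section routes to their own daily index
ROUTED_TYPES = ("traffic", "event", "utm")


def parse_line(line):
    """Fields of one syslog line as a dict, or None if the header does not match."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    fields = {"syslog_ts": m.group("ts"), "relay_host": m.group("host")}
    for key, raw, quoted, bare in KV_RE.findall(m.group("body")):
        fields[key] = quoted if raw.startswith('"') else bare
    return fields


def grok_would_fail(fields):
    """True when the relay host is not a dotted IPv4: FORTILOG would not match
    and logstash would tag the event _grokparsefailure."""
    return IPV4_RE.match(fields["relay_host"]) is None


def index_for(fields):
    """Index chosen by the posts' output section (date suffix left off)."""
    t = fields.get("type")
    return f"logstash-fortigate-{t}-index" if t in ROUTED_TYPES else None


def admin_login_alert(fields):
    """Alert text for administrator logins: the posts' rule (logdesc "Admin login
    successful" with action "login") plus "Admin login failed" (assumed logdesc),
    which is what catches password guessing against the GUI or SSH."""
    if fields.get("action") != "login":
        return None
    when = f'{fields.get("date", "?")} {fields.get("time", "?")}'
    who, src = fields.get("user", "?"), fields.get("srcip", "?")
    if fields.get("logdesc") == "Admin login successful":
        return f"FIREWALL_LOGIN_SUCCESS: time {when} / account {who} / source IP {src}"
    if fields.get("logdesc") == "Admin login failed":
        return (f"FIREWALL_LOGIN_FAILED: time {when} / account {who} / source IP {src}"
                f" / reason {fields.get('reason', '?')}")
    return None


def process(lines):
    """Run the whole pipeline: events per index, alerts, and counts of lines
    the grok pattern would reject or the header parser cannot read."""
    summary = {"per_index": {}, "alerts": [], "grok_failures": 0, "unparsed": 0}
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            summary["unparsed"] += 1
            continue
        if grok_would_fail(fields):
            summary["grok_failures"] += 1
        idx = index_for(fields)
        if idx:
            summary["per_index"][idx] = summary["per_index"].get(idx, 0) + 1
        alert = admin_login_alert(fields)
        if alert:
            summary["alerts"].append(alert)
    return summary


# Constructed sample lines (placeholder addresses, device name and serial).
SAMPLE_LOGS = [
    # relay shown as _gateway: the sending address is the log server's gateway
    'Jun 15 11:01:13 _gateway date=2023-06-15 time=11:01:12 devname="fw01" devid="FG200F0000000000" '
    'logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.10.20 '
    'srcport=52170 dstip=192.168.20.5 dstport=5601 dstintf="dmz" dstintfrole="lan" action="accept" '
    'policyid=17 policyname="serial to dmz" service="tcp/5601" sentbyte=2356 rcvdbyte=2492',
    # after "set source-ip": the relay is a dotted address, which FORTILOG accepts
    'Jun 15 11:07:02 192.168.30.1 date=2023-06-15 time=11:07:01 devname="fw01" devid="FG200F0000000000" '
    'logid="0100032001" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.7)" method="https" '
    'srcip=203.0.113.7 dstip=192.168.30.1 action="login" status="success" reason="none"',
    'Jun 15 11:07:30 192.168.30.1 date=2023-06-15 time=11:07:29 devname="fw01" devid="FG200F0000000000" '
    'logid="0100032002" type="event" subtype="system" level="alert" vd="root" '
    'logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" method="https" '
    'srcip=203.0.113.9 dstip=192.168.30.1 action="login" status="failed" reason="passwd_invalid"',
]

if __name__ == "__main__":
    for key, value in process(SAMPLE_LOGS).items():
        print(key, value)
```

The first sample is the case the syslog post fixes: a relay of _gateway parses fine here but would never match the FORTILOG pattern, so the traffic event would reach Elasticsearch only as a grok failure.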

FortiGate-100D # config system interface
FortiGate-100D (interface) # show
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess https ssh http
        set type physical
        set role wan
        set snmp-index 1
    next
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https http fgfm fabric
        set type physical
        set role dmz
        set snmp-index 2
    next
    edit "modem"
        set vdom "root"
        set mode pppoe
        set type physical
        set snmp-index 3
    next
    ...
FortiGate-100D (interface) # edit <interface name>
FortiGate-100D (interface) # edit wan1
FortiGate-100D (wan1) # show
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess https ssh http
        set type physical
        set role wan
        set snmp-index 1
    next
end
FortiGate-100D (wan1) # set allowaccess ?
ping              PING access.
https             HTTPS access.
ssh               SSH access.
snmp              SNMP access.
http              HTTP access.
telnet            TELNET access.
fgfm              FortiManager access.
radius-acct       RADIUS accounting access.
probe-response    Probe access.
fabric            Security Fabric access.
ftm               FTM access.

FortiGate-100D (wan1) # set allowaccess <protocol 1> <protocol 2> ...
FortiGate-100D (wan1) # set allowaccess https http ssh

FortiGate-100D (wan1) # end

FortiGate-100D #

Two things to keep in mind: set allowaccess replaces the whole list, so name every protocol you still want (append allowaccess <protocol> adds one without dropping the rest); and enabling https, http and ssh on a wan-role interface, as in this lab example, puts the management plane on the internet-facing side. On a production box keep them off wan interfaces, drop plain http and telnet everywhere, and pair whatever remains with trusted hosts on the admin accounts.
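The two access-hardening posts on this page (trusted hosts on the admin accounts, and allowaccess on the WAN interface) can be checked against a configuration dump automatically. The script below is an added example, not code from the posts: it parses the output layout of show system interface and show system admin, flags wan-role interfaces that accept management protocols, cleartext protocols on any interface, and administrators without trusted hosts, and computes the allowaccess list to apply. SAMPLE_CONFIG is constructed (interface names follow the posts, addresses are placeholders).

```python
"""Audit a FortiOS configuration dump for exposed management access.

Added example, not code from the original posts. Reads the text that
"show system interface" / "show system admin" print and reports wan-role
interfaces accepting management protocols, cleartext protocols anywhere, and
admins with no trusted hosts (the GUI's "Restrict login to trusted hosts").
"""
import re

# allowaccess protocols that expose a management or probing surface
MGMT_PROTOS = {"https", "http", "ssh", "telnet", "snmp", "ping"}
# cleartext protocols that should be off on every interface, wan or not
CLEARTEXT_PROTOS = {"http", "telnet"}

ENTRY_RE = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*?)\s*$")


def parse_table(text, table):
    """{entry: {setting: [values]}} for one "config <table> ... end" block.
    Multi-value settings ("set allowaccess https ssh") become lists; nested
    sub-tables are not handled."""
    entries, current, inside = {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if not inside:
            inside = stripped == f"config {table}"
            continue
        if stripped == "end":
            break
        m = ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).replace('"', "").split()
    return entries


def exposed_interfaces(interfaces):
    """(name, finding, protocols) for wan-role interfaces that accept
    management traffic and for any interface allowing a cleartext protocol."""
    findings = []
    for name, cfg in interfaces.items():
        allowed = set(cfg.get("allowaccess", []))
        role = cfg.get("role", ["undefined"])[0]
        if role == "wan" and allowed & MGMT_PROTOS:
            findings.append((name, "wan-mgmt", sorted(allowed & MGMT_PROTOS)))
        if allowed & CLEARTEXT_PROTOS:
            findings.append((name, "cleartext", sorted(allowed & CLEARTEXT_PROTOS)))
    return findings


def hardened_allowaccess(cfg):
    """allowaccess list to apply: no cleartext anywhere, nothing from MGMT_PROTOS
    on a wan-role interface. Apply with "set allowaccess ..." (which replaces the
    whole list) or "unset allowaccess" when the result is empty."""
    allowed = [p for p in cfg.get("allowaccess", []) if p not in CLEARTEXT_PROTOS]
    if cfg.get("role", ["undefined"])[0] == "wan":
        allowed = [p for p in allowed if p not in MGMT_PROTOS]
    return allowed


def admins_without_trusthost(admins):
    """Admins with no trusthostN / ip6-trusthostN lines. FortiOS only stops
    answering untrusted sources once every admin has trusted hosts, so one
    unrestricted account keeps the login page reachable for everyone."""
    return sorted(name for name, cfg in admins.items()
                  if not any(k.startswith(("trusthost", "ip6-trusthost")) for k in cfg))


# Constructed sample in the layout "show" prints; placeholder addresses.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set mode dhcp
        set allowaccess https ssh http
        set role wan
    next
    edit "dmz"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https http fgfm fabric
        set role dmz
    next
    edit "mgmt"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
        set accprofile "super_admin"
    next
    edit "ops"
        set accprofile "super_admin"
    next
end
"""

if __name__ == "__main__":
    interfaces = parse_table(SAMPLE_CONFIG, "system interface")
    for name, finding, protos in exposed_interfaces(interfaces):
        fix = " ".join(hardened_allowaccess(interfaces[name])) or "(unset allowaccess)"
        print(f"{name}: {finding} {protos} -> set allowaccess {fix}")
    for name in admins_without_trusthost(parse_table(SAMPLE_CONFIG, "system admin")):
        print(f'admin "{name}": no trusted hosts; add set trusthost1 <ip> <mask>')
```

Run it against a real dump by feeding the output of show system interface and show system admin into parse_table instead of SAMPLE_CONFIG; the "ops" account in the sample is the one that keeps the login page visible to everyone even though "admin" is restricted.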

FortiGate-100D # get system interface physical
== [onboard]
        ==[dmz]
                mode: static
                ip: 10.10.10.1 255.255.255.0
                ipv6: ::/0
                status: down
                speed: n/a
        ==[ha1]
                mode: static
                ip: 0.0.0.0 0.0.0.0
                ipv6: ::/0
                status: down
                speed: n/a
        ==[ha2]
                mode: static
                ip: 0.0.0.0 0.0.0.0
                ipv6: ::/0
                status: down
                speed: n/a
        ==[mgmt]
                mode: static
                ip: 192.168.1.99 255.255.255.0
                ipv6: ::/0
                status: down
                speed: n/a
        ==[wan1]
                mode: dhcp
                ip: 192.168.0.14 255.255.255.0
                ipv6: ::/0
                status: up
                speed: 1000Mbps (Duplex: full)
        ==[wan2]
                mode: dhcp
                ip: 0.0.0.0 0.0.0.0
                ipv6: ::/0
                status: down
                speed: n/a
        ==[modem]
                mode: pppoe
                ip: 0.0.0.0 0.0.0.0
                ipv6: ::/0
                status: down
                speed: n/a

FortiGate-100D #

 

FortiGate-100D # execute shutdown
This operation will shutdown the system !
Do you want to continue? (y/n)y


System is shutting down...


The system is going down NOW !!

FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
FortiGate-100D #
The system is halted.


I bought a used 100D.

It arrived with a password already set, and while trying to reset it I picked the wrong menu item and formatted the boot disk.

Thanks to that, I got to use a feature I had never used before.

Setting up a TFTP server on Windows 10

Search for tftpd64.exe, download it and run it.

Running it is all the server setup there is; set the folder holding the firmware file as the base (source) directory.

For the IP, select the interface that matches the TFTP settings you will enter on the FortiGate.

The firmware file name you enter on the FortiGate must match the file name in that folder exactly.

Use an image downloaded from the Fortinet support portal and compare its checksum with the one published there before loading it; TFTP is unauthenticated and unencrypted, so do the transfer over a directly connected or otherwise isolated link.

 

Wiping the FortiGate boot disk (the mistake)

FortiGate-100D (17:36-08.07.2014)
Ver:05000006
Serial number:FG100D3G000000000
RAM activation
CPU(00:000106ca bfebfbff): MP initialization
CPU(01:000106ca bfebfbff): MP initialization
CPU(02:000106ca bfebfbff): MP initialization
CPU(03:000106ca bfebfbff): MP initialization
Total RAM: 4096MB
Enabling cache...Done.
Scanning PCI bus...Done.
Allocating PCI resources...Done.
Enabling PCI resources...Done.
Zeroing IRQ settings...Done.
Verifying PIRQ tables...Done.
Boot up, boot device capacity: 15272MB.
Press any key to display configuration menu...
...
[C]:  Configure TFTP parameters.
[R]:  Review TFTP parameters.
[T]:  Initiate TFTP firmware transfer.
[F]:  Format boot device.
[B]:  Boot with backup firmware and set as default.
[I]:  System information.
[Q]:  Quit menu and continue to boot.
[H]:  Display this list of options.

Enter C,R,T,F,B,I,Q,or H: F

All data will be erased,continue:[Y/N]? Y
FortiGate-100D (17:36-08.07.2014)
Ver:05000006
Serial number:FG100D3G00000000
RAM activation
CPU(00:000106ca bfebfbff): MP initialization
CPU(01:000106ca bfebfbff): MP initialization
CPU(02:000106ca bfebfbff): MP initialization
CPU(03:000106ca bfebfbff): MP initialization
Total RAM: 4096MB
Enabling cache...Done.
Scanning PCI bus...Done.
Allocating PCI resources...Done.
Enabling PCI resources...Done.
Zeroing IRQ settings...Done.
Verifying PIRQ tables...Done.
Boot up, Initialize boot device failed.

 

Recovering (reinstalling) the firmware from a TFTP server

FortiGate-100D (17:36-08.07.2014)
Ver:05000006
Serial number:FG100D3G00000000
RAM activation
CPU(00:000106ca bfebfbff): MP initialization
CPU(01:000106ca bfebfbff): MP initialization
CPU(02:000106ca bfebfbff): MP initialization
CPU(03:000106ca bfebfbff): MP initialization
Total RAM: 4096MB
Enabling cache...Done.
Scanning PCI bus...Done.
Allocating PCI resources...Done.
Enabling PCI resources...Done.
Zeroing IRQ settings...Done.
Verifying PIRQ tables...Done.
Boot up, boot device capacity: 15272MB.
Press any key to display configuration menu...
.....
[C]:  Configure TFTP parameters.
[R]:  Review TFTP parameters.
[T]:  Initiate TFTP firmware transfer.
[F]:  Format boot device.
[B]:  Boot with backup firmware and set as default.
[I]:  System information.
[Q]:  Quit menu and continue to boot.
[H]:  Display this list of options.

Enter C,R,T,F,B,I,Q,or H: C

[P]:  Set image download port.
[D]:  Set DHCP mode.
[I]:  Set local IP address.
[S]:  Set local subnet mask.
[G]:  Set local gateway.
[V]:  Set local VLAN ID.
[T]:  Set remote TFTP server IP address.
[F]:  Set firmware image file name.
[E]:  Reset TFTP parameters to factory defaults.
[R]:  Review TFTP parameters.
[N]:  Diagnose networking (ping).
[Q]:  Quit this menu.
[H]:  Display this list of options.

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H: I

Enter local IP address [192.168.1.66]:192.168.0.18

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H: S

Input local subnet mask [255.255.255.0]:

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H: G

Enter local gateway IP address [192.168.1.254]:192.168.0.1

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H: T

Enter remote TFTP server IP address [192.168.1.168]:192.168.0.54

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H: F

Enter firmware file name [image.out]: 6.2.12-FGT_100D-v6-build1319-FORTINET.out

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H: R

Image download port:    MGMT
DHCP status:            disabled
Local VLAN ID:          none
Local IP address:       192.168.0.18
Local subnet mask:      255.255.255.0
Local gateway:          192.168.0.1
TFTP server IP address: 192.168.0.54
Firmware file name:     6.2.12-FGT_100D-v6-build1319-FORTINET.out

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H: N

[1]:  Ping remote TFTP server.
[2]:  Ping gateway.
[3]:  Ping specified IP address.
[Q]:  Quite the menu.
[H]:  Display the list of opinion.

Enter 1,2,3,Q or H: 1
Begin to send ICMP packets:
Press ESC to abort ping action.

Reply from 192.168.0.54: time=67ms ttl=128
Reply from 192.168.0.54: time=50ms ttl=128
Reply from 192.168.0.54: time=107ms ttl=128
Reply from 192.168.0.54: time=73ms ttl=128
Reply from 192.168.0.54: time=50ms ttl=128
Successfully receive 5 of out 5 packets from 192.168.0.54.

Enter 1,2,3,Q or H: Q

Enter P,D,I,S,G,V,T,F,E,R,N,Q or H: Q

[C]:  Configure TFTP parameters.
[R]:  Review TFTP parameters.
[T]:  Initiate TFTP firmware transfer.
[F]:  Format boot device.
[B]:  Boot with backup firmware and set as default.
[I]:  System information.
[Q]:  Quit menu and continue to boot.
[H]:  Display this list of options.

Enter C,R,T,F,B,I,Q,or H: T

Please connect TFTP server to Ethernet port "MGMT".

Initiating firmware TFTP Transfer...

MAC:         90:6C:AC:00:00:00
.#########################################################
Total 60581933 bytes data downloaded.
Verifying the integrity of the firmware image.

Total 262144kB unzipped.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]? D
Programming the boot device now.
................................................................................................................................................................................................................................................................
Reading boot image 2721475 bytes.
Initializing firewall...
System is starting...
Resizing shared data partition...done
Formatting shared data partition ... done!
Starting system maintenance...
Scanning /dev/sdb1... (100%)
Scanning /dev/sdb3... (100%)

System storage='Internal' disk-usage changed, please 'execute disk format 255'.


Disk usage changed, please wait for reboot...

Formatting the disk...
- unmounting /data2 :  ok
- unmounting /var/log :  ok
Partitioning and formatting /dev/sda label LOGUSEDX2C5B29F6 ... done


The system is going down NOW !!

Please stand by while rebooting the system.
Restarting system.
FortiGate-100D (17:36-08.07.2014)
Ver:05000006
Serial number:FG100D3G00000000
RAM activation
CPU(00:000106ca bfebfbff): MP initialization
CPU(01:000106ca bfebfbff): MP initialization
CPU(02:000106ca bfebfbff): MP initialization
CPU(03:000106ca bfebfbff): MP initialization
Total RAM: 4096MB
Enabling cache...Done.
Scanning PCI bus...Done.
Allocating PCI resources...Done.
Enabling PCI resources...Done.
Zeroing IRQ settings...Done.
Verifying PIRQ tables...Done.
Boot up, boot device capacity: 15272MB.
Press any key to display configuration menu...
......

Reading boot image 2721475 bytes.
Initializing firewall...
System is starting...


FortiGate-100D login:

 

Resetting the initial FortiGate password

Default account: admin

Password: none (blank); you are forced to set one on first login.

FortiGate-100D login: admin
Password:
You are forced to change your password, please input a new password.
New Password:*****
Confirm Password:*****
Welcome!

FortiGate-100D #

 

If you do not know the FortiGate password (login is possible within about 1 minute after a reboot):

ID: maintainer

PW: bcpb<serial number>

*Serial number: printed on the third line of the boot output (the "Serial number:" line).

I have not verified it myself, but I have seen it written that this was removed from FortiOS 7.2.4 onward.

This login is accepted only on the serial console, so anyone with physical access to the console port can reset every administrator password this way. If that is not acceptable in your environment it can be disabled with set admin-maintainer disable under config system global, at the cost of losing this recovery path.

FortiGate-100D login: maintainer
Password: ********************
Welcome!

FortiGate-100D # config system admin

FortiGate-100D (admin) # edit <account to change>

FortiGate-100D (admin) # set password <new password>

FortiGate-100D (admin) # end

FortiGate-100D # exit

FortiGate-100D login:

 
