
Existential Cash Flow Crisis of Ransomware

Ransomware has evolved into a model known as Double Extortion. Before encrypting your data and holding it to ransom, the criminals copy the data from your systems to their own, where they keep it as a hostage. If you choose not to pay the ransom, they publish the hostage copy on the internet. They use reputational risk and confidentiality obligations (regulatory or contractual) to force payment. Further, because they hold a copy of your data, they can read your financials and insurance contracts and set the ransom at the maximum you can bear. There is a negotiation to determine the ransom, but it is very one-sided.

FortiSwitch VLANs

In FortiSwitch management on the FortiGate, the Ports and Trunks views show a Native VLAN and Allowed VLANs. This was new terminology for me; other switches I've used have had either Tagged or Untagged. (The Native VLAN is the one a port carries untagged; the Allowed VLANs are carried tagged.) If you look in the CLI, you can also assign an Untagged VLAN to ports. So how do you modify the VLANs in the GUI? Quick note: to change a VLAN in the GUI, find the port, hover over the table cell for the port and the VLAN type you want to change, then click the pencil icon that appears at the top right of the cell. This opens a menu where you can select the new settings.
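The same change from the FortiGate CLI, as an added example that is not from the original post. The switch serial, port name and VLAN names are placeholders; the command tree is the FortiOS switch-controller one for a FortiGate-managed FortiSwitch.

```text
config switch-controller managed-switch
    edit "S124EN0000000000"
        config ports
            edit "port5"
                # Native VLAN: frames on this VLAN leave the port untagged
                set vlan "vlan10"
                # Allowed VLANs: carried tagged on the same port
                set allowed-vlans "vlan20" "vlan30"
                # The CLI also accepts "set untagged-vlans ..." for extra
                # VLANs to send untagged, which the GUI does not expose
            next
        end
    next
end
```

Verify with `show switch-controller managed-switch "S124EN0000000000"` (the `config ports` block lists the resulting `vlan` and `allowed-vlans` values per port) before trusting what the GUI cell displays.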

Security Baseline

Background: In Heavy Strategy EP. 010 - Budgeting for Cybersecurity, Greg Ferro and Johna Till Johnson agree that "Detection is better than Prevention". In the same episode Greg said he recommends SDP (Software-Defined Perimeter), asset inventory and EPP (Endpoint Protection Platform) for all devices. SDP, asset inventory and EPP are protection technologies, so this could be seen as conflicting with "detection is better...". However, I think what Greg is getting at is that there needs to be a minimum level of protection, and that spending on additional protection technologies beyond that minimum is likely to be wasteful. Nearly all organizations will already have spent some money on prevention technology; it is probably built into the network design.

Setup MCLAG Trunks between FortiSwitch and VMware

If you have MCLAG set up on FortiSwitches, you can set up static trunks to the ESXi hosts for redundant connections. I've used this with FortiOS 6.2 and 6.4 and VMware 6.7. I've only attempted this with FortiGate-managed FortiSwitches; I believe, but can't confirm, that this is a requirement. (I'm pretty sure MCLAG only works when the FortiSwitches are managed by a FortiGate.) Directions are below.

Requirements:
- Two FortiSwitches capable of MCLAG (model 200+)
- Two NIC ports in each ESXi host
- One cable from the ESXi host to each switch

vSwitch Standard settings: I've only tested this with Standard vSwitches, so my directions will only cover them.
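The switch side of that setup, as an added example that is not from the original post: a static (non-LACP) trunk on an MCLAG-capable FortiSwitch, created from the managing FortiGate. The switch serial, trunk name, member port and VLAN names are placeholders.

```text
config switch-controller managed-switch
    edit "S224EN0000000001"
        config ports
            edit "esx01-trunk"
                # A trunk port group rather than a physical port
                set type trunk
                # Static aggregation: no LACP, which is what a Standard
                # vSwitch supports
                set mode static
                # Mark the trunk as spanning both MCLAG peers
                set mclag enable
                # Local member on this peer; the host's other NIC lands on
                # the partner switch
                set members "port9"
                set allowed-vlans "vlan10" "vlan20"
            next
        end
    next
end
```

Two checks worth doing before cabling the second NIC: confirm a trunk of the same name with `mclag enable` exists on the partner switch (`show switch-controller managed-switch`), and set the vSwitch NIC teaming load-balancing policy to "Route based on IP hash", which is the only teaming mode VMware supports for a static EtherChannel/LAG. Leaving the default "Route based on originating virtual port" with a static LAG produces intermittent connectivity as the switch and host disagree about which link owns a MAC address.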

FortiGate CLI LDAP Test

The Symptoms: A client was having an issue with IPsec VPN connections to their FortiGate. Users were getting non-descriptive error messages and were not able to connect. The issue affected all users. We couldn't find anything in the FortiClient or FortiGate logs to indicate what the problem was; as far as we could see, the FortiClient connection was simply timing out. The FortiGate web GUI showed us LDAP was working. Looking at packet traces on the FortiGate we could see the IPsec traffic come in, but we weren't seeing any traffic going back to the source.
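The CLI checks the post title refers to, as an added example that is not from the original post. The LDAP server object name, the test user, the password and the LDAP server IP are placeholders; the commands are standard FortiOS diagnostics.

```text
# Bind to the configured LDAP server and look up one user. This exercises
# the same bind DN, search base and group filter the VPN policy will use,
# so it fails in the same way the VPN would; the GUI "Test connectivity"
# button only checks the bind.
diagnose test authserver ldap "LDAP-AD" "jdoe" "Passw0rd!"

# Review the server definition the test used (bind DN, CN identifier,
# distinguished name, secure/port settings)
show user ldap "LDAP-AD"

# Confirm the FortiGate is actually reaching the directory server:
# 389 = LDAP, 636 = LDAPS; verbosity 4 prints interface names, 20 packets
diagnose sniffer packet any "host 10.0.0.10 and (port 389 or port 636)" 4 20

# If the LDAP test passes, watch the IKE negotiation itself. Reset when done.
diagnose debug reset
diagnose debug application ike -1
diagnose debug enable
# ... reproduce the FortiClient connection attempt ...
diagnose debug disable
diagnose debug reset
```

A symptom pattern worth knowing: if the `diagnose test authserver ldap` call hangs for many seconds rather than failing quickly, the FortiGate is waiting on an unreachable or slow LDAP server, and the IKE exchange that depends on that authentication will time out on the client with no response packet ever leaving the firewall, which matches the one-way traffic seen in the packet trace above.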

ASD Essential Eight

Essential Eight: The Australian Signals Directorate, an organization with a mission similar to that of the American NSA, has published a number of very interesting documents. Their Essential Eight Explained provides a quick overview of the eight mitigations of cyber security threats that they deem to be the most effective. These eight, implemented properly and proactively, establish a secure baseline for an organization. The eight are a subset of a larger list, which covers many more technologies and processes that can be implemented to address and mitigate further risks. Not all organizations need to address the risks mitigated by the larger list, but every organization would benefit from implementing the Essential Eight.

FortiGate SSL Inspection Exclusion

Things weren't working as expected. I had recently enabled the SSL Deep Inspection policy on some of my web traffic - in part to try to block ads, maybe I'll write a blog post about that another time - and I was noticing odd behaviour. A few of the odd things were around VPN connections and Citrix sessions. FortiClient VPN wasn't able to connect: it got to 80% and then threw an error saying there was something wrong with my credentials or my account wasn't set up for VPN access. With Citrix, apps would look like they were launching from the StoreFront, but they wouldn't load; they wouldn't even briefly show up in the connection manager. Launching a published desktop would load the app's borders, then throw an error.
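The exclusion mechanism the post title refers to, as an added example that is not from the original post: an SSL exemption entry in the deep-inspection profile so that the VPN gateway and Citrix StoreFront are passed through without interception. The address object names, FQDNs and profile name are placeholders; `custom-deep-inspection` is the name FortiOS uses for the editable copy of the built-in deep-inspection profile, but any profile applied to the policy works.

```text
# Address objects for the endpoints that must not be intercepted.
# VPN clients and Citrix receivers pin or validate the server certificate,
# so a FortiGate-signed replacement certificate breaks the handshake.
config firewall address
    edit "vpn-gateway"
        set type fqdn
        set fqdn "vpn.example.com"
    next
    edit "citrix-storefront"
        set type fqdn
        set fqdn "storefront.example.com"
    next
end

# Exempt those destinations from SSL inspection in the profile
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            edit 1
                set type address
                set address "vpn-gateway"
            next
            edit 2
                set type address
                set address "citrix-storefront"
            next
        end
    next
end
```

After adding the exemptions, verify which profile the outbound policy actually references (`show firewall policy` and look for `set ssl-ssh-profile`); an exemption added to a profile the policy does not use changes nothing, which is an easy way to conclude the exemption "doesn't work".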

BGP Local Preference

Local Preference: I needed to use BGP to advertise the networks in a multi-site network, with FortiGates acting as routers at each site. Using iBGP we configured the primary subnet at the primary data center to also be advertised by the DR data center. However, because the workload would only be active at the primary DC - until an actual DR event happened - we needed to ensure that traffic for that subnet would only be routed to the primary DC. Reviewing the documentation, I determined that modifying the Local Preference was the best option.
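One way to configure that on the primary DC FortiGate, as an added example that is not from the original post. The AS number, prefix, peer address and object names are placeholders; the approach is a prefix-list matched in an outbound route-map that raises Local Preference above the FortiOS default of 100, so every iBGP peer prefers the primary DC's advertisement over the DR DC's.

```text
# Match only the subnet that should prefer the primary DC
config router prefix-list
    edit "primary-subnet"
        config rule
            edit 1
                set prefix 10.10.0.0 255.255.0.0
                unset ge
                unset le
            next
        end
    next
end

# Raise Local Preference on that prefix; all other routes pass unchanged
# through the implicit match-all behaviour of a rule with no match clause
config router route-map
    edit "prefer-primary-dc"
        config rule
            edit 1
                set match-ip-address "primary-subnet"
                set set-local-preference 200
            next
            edit 2
            next
        end
    next
end

# Apply it outbound toward each iBGP neighbor; repeat for every peer
config router bgp
    set as 65000
    config neighbor
        edit "10.255.0.2"
            set remote-as 65000
            set route-map-out "prefer-primary-dc"
        next
    end
end
```

Two caveats: Local Preference is only carried between iBGP peers, so this does nothing across an eBGP boundary, and the DR DC must keep the default (100) or lower for the same prefix, otherwise both advertisements tie and selection falls through to the later BGP tie-breakers. Confirm the result on a spoke with `get router info bgp network 10.10.0.0/16`, which shows the localpref each path carries and which one is marked best.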

ADVPN Overview

High Level Overview: To explain ADVPN it is useful to contrast it with the two main alternatives, Hub & Spoke and Full Mesh. In a Hub & Spoke network one site is deemed the Hub, and all other sites - the Spokes - connect directly to the Hub only. In a Full Mesh all sites connect to all other sites. ADVPN starts as Hub & Spoke, with one site deemed the Hub, but any two Spokes can connect directly by obtaining each other's connection details from the Hub.
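The phase1 settings that turn a plain hub-and-spoke IPsec design into ADVPN on FortiOS, as an added example that is not from the original post. Interface names, the hub address, proposal and PSK are placeholders, and the routing that makes spoke-to-spoke traffic transit the hub in the first place (BGP over the tunnels or static routes) is assumed to be configured separately.

```text
# Hub: one dynamic phase1 accepts every spoke. auto-discovery-sender
# makes the hub offer a shortcut to the two spokes whenever it forwards
# traffic between them.
config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256
        set net-device disable
        set add-route disable
        set auto-discovery-sender enable
        set psksecret "replace-with-a-strong-psk"
    next
end

# Spoke: a normal static tunnel to the hub. auto-discovery-receiver makes
# the spoke accept the hub's shortcut offer and build a direct tunnel to
# the other spoke, using the peer details the hub supplies.
config vpn ipsec phase1-interface
    edit "advpn-spoke"
        set interface "wan1"
        set remote-gw 203.0.113.1
        set peertype any
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-receiver enable
        set psksecret "replace-with-a-strong-psk"
    next
end
```

Without `auto-discovery-sender` on the hub nothing changes from ordinary hub-and-spoke, and a spoke that lacks `auto-discovery-receiver` simply keeps sending through the hub. Once traffic flows between two spokes, `diagnose vpn tunnel list` on a spoke shows the shortcut tunnel as a child of the hub tunnel, which is the quickest way to confirm the design is actually working rather than silently hair-pinning everything through the hub.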

FortiManager VPN Certificate

Issue: FortiManager, when it's new - I think - will sometimes try to push a certificate to FortiGate devices. The error message in FortiManager is spread across four lines: "Input is not a valid CA certificate." "The field ca is empty!" "node_check_object fail! for ca" "Attribute 'ca' MUST be set." I've run into this in my lab, and I'm pretty sure I saw it in a production FortiManager. I found this issue discussed on the Fortinet forums, but I didn't find the solution there.