FortiGate Port Forwarding

KB ID 0001742

Problem

I was back on the tools again today setting up FortiGate Port Forwarding! This was for one of our partners that I have to do some remote work for, so I temporarily needed to get onto their servers. Normally I’d just SSL VPN in, (but that’s what I’m setting up!) So to get onto their servers I had to set up a port forward for RDP.

WARNING: Port forwarding RDP from ALL / Any is a BAD IDEA (Cryptolocker anyone?) So if you must port forward RDP, then lock it down to a particular source IP like I’m about to do.

Fortigate Port Forwarding

The Process is;

  1. Setup a ‘Virtual IP’ (with port forward enabled)
  2. Create a ‘Virtual IP Group’
  3. Allow traffic to the Virtual IP Group.

FortiGate Port Forwarding: Create a Virtual IP

Policy and Objects > Virtual IPs > Create New > Virtual IP.

Give it a sensible name > Set the interface to the outside/WAN interface > External IP set to the public IP address of the firewall* > Mapped IP address, set to the internal IP address of the server you are forwarding to > Enable ‘Port forwarding’ > Select TCP or UDP > Type in the port(s) you want to forward. Forwarding a range of ports is much easier on a FortiGate than ‘some other’ vendors! > OK.

*Note: I’m assuming if you are port forwarding you only have one public IP, (or you’ve run out).

FortiGate Port Forwarding: Create a Virtual IP Group

From the Virtual IP menu > Create New > Virtual IP Group.

Give the group a name > Select the outside/WAN interface > Add in the Virtual IP you created above > OK.

FortiGate Port Forwarding: Fortigate Add an ‘Address’

If you are port forwarding something like HTTP/HTTPS to a web server, or SMTP to a mail server, you can skip this step. As per my warning above, I’m restricting public access to one single public IP (mine). For most port forwarding scenarios you would set the source to ‘ALL’.

Anyway for completeness here’s how to create an Address object. Policy & Objects > Addresses > Create New > Address.

Give it a recognisable name > Type=Subnet > Type the IP into the IP range box > Set the interface to outside/WAN > OK.

FortiGate Port Forwarding: Allow Port Forwarded Traffic

Policy and Objects > IPv4 Policy (or Firewall Policy on the newer firmware) > Create New.

  • Name: Something identifiable
  • Incoming Interface: Outside / WAN
  • Source: For RDP, specify the single address you created above; for all other port forwarding simply use ALL instead.
  • Destination: Your Virtual IP Group
  • Schedule: Always
  • Service: RDP (or the port you are forwarding if different)
  • Allow: Accept

Click OK.

FortiGate Port Forwarding: Troubleshooting Port Forwarding

You can see what’s going on by using the packet sniffer in the firewall.

[box]

diagnose sniffer packet {interface} 'host {External IP} and port {Port Number}' 4

e.g.

diagnose sniffer packet wan 'host 234.234.234.234 and port 3389' 4

[/box]

Note: In the example above I’m getting no return (ACK) traffic, (because the Windows firewall was on and dropping the traffic!) I diagnosed that by attempting to ping the server from the firewall (execute ping {internal IP address}) and failing to see a response!
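As an added example (not from the original article), here is a small Python checker for the sniffer output above. It assumes the verbosity-4 line layout shown in the comment, and the capture lines are constructed to reproduce the no-return-traffic symptom described in the note (three retransmitted SYNs arriving on the WAN interface and nothing going back out).

```python
import re

# Assumed shape of a 'diagnose sniffer packet <intf> "..." 4' header line:
#   <seconds> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags and seq/ack>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<info>.*)$"
)

# Constructed captures, not output from a real firewall. The first mirrors the
# article's failure: three retransmitted SYNs arrive, nothing ever leaves.
BROKEN_CAPTURE = """\
interfaces=[wan]
filters=[host 234.234.234.234 and port 3389]
2.146512 wan in 198.51.100.5.52000 -> 234.234.234.234.3389: syn 1520466411
3.148102 wan in 198.51.100.5.52000 -> 234.234.234.234.3389: syn 1520466411
5.151993 wan in 198.51.100.5.52000 -> 234.234.234.234.3389: syn 1520466411
"""
HEALTHY_CAPTURE = """\
interfaces=[wan]
filters=[host 234.234.234.234 and port 3389]
2.146512 wan in 198.51.100.5.52000 -> 234.234.234.234.3389: syn 1520466411
2.146890 wan out 234.234.234.234.3389 -> 198.51.100.5.52000: syn 2711083456 ack 1520466412
2.171201 wan in 198.51.100.5.52000 -> 234.234.234.234.3389: ack 2711083457
"""

def parse_sniffer(text):
    """Return one dict per packet header line; the interfaces=/filters= banner is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def analyse_port_forward(text, ext_ip, port):
    """Count inbound SYNs to the VIP and SYN/ACKs leaving the same interface."""
    syn_in = syn_ack_out = 0
    for p in parse_sniffer(text):
        to_vip = p["dir"] == "in" and p["dst"] == ext_ip and p["dport"] == str(port)
        from_vip = p["dir"] == "out" and p["src"] == ext_ip and p["sport"] == str(port)
        if to_vip and p["info"].startswith("syn") and "ack" not in p["info"]:
            syn_in += 1
        elif from_vip and p["info"].startswith("syn") and "ack" in p["info"]:
            syn_ack_out += 1
    if syn_in == 0:
        verdict = "no inbound SYNs: the traffic is not reaching the WAN interface"
    elif syn_ack_out == 0:
        verdict = "SYNs arrive but nothing returns: check the policy, the VIP mapping and the server's host firewall"
    else:
        verdict = "handshake completes through the VIP"
    return syn_in, syn_ack_out, verdict
```

Paste a real capture into `analyse_port_forward` with your own external IP and port; the three verdicts separate "never reached the firewall" from "reached it but the server (or policy) is not answering".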

Related Articles, References, Credits, or External Links

Fortigate: One to One (Static NAT)

Replacing Cisco Firewalls with Fortinet Firewalls

KB ID 0001741

Replacing Cisco

If you’ve been following articles on the site you will know that the focus of the firewall related output is shifting from Cisco ASA / Cisco FirePOWER to Fortinet (FortiGate) firewalls.

This article is so you can make an informed choice about what you want to replace your Cisco firewall with.

Note: I’m starting with SOHO and Small Business sized firewalls, but I will extend this to ‘Enterprise sized’ firewalls as I have the time.

Replacing Cisco SOHO Small Business Firewalls with FortiGate

If ever there was something that was incorrectly sold, it was likely a SOHO Cisco firewall. The problem was, back in the day of the ASA5505 the only alternative was an ASA5510, and that was four times the price; plus the 5505 had a built-in switch, which saved you having to buy one of those as well. Even now (in 2021) these things are ubiquitous: I see them balanced in wall-mounted comms cabinets, sat in data centres, and popped under people’s desks.

To make matters worse, its replacement, the ASA5506-X, was a decent firewall but it wasn’t also a switch! (Cisco half-heartedly tried to fix this and made it worse). To add insult to injury, if you paid for the NGFW Firepower option Cisco just disabled it without warning in version 9.10(1).

Then we got the FPR1010. This comes in two flavours: the ASA code version, which I deploy, and the FDM version, which is bobbins! (I get 10 questions a day on the site to help people set them up). This (at time of writing) is a relatively new firewall, but I’ll include it for completeness, (and article longevity).

High Availability: Seriously? I see this more often than I should! Don’t be deploying home-sized firewalls and wanting Enterprise solutions! Stop it now. On a serious note, all the little ASA/FPR models support it, but they all need additional licensing to do so.

Stats: Remember when comparing the stats, we are comparing (mostly) old hardware against brand new (purpose built) hardware so the FortiGates will always look better on paper.

Cisco ASA5505, 5506-X and FPR1010 Specifications

Fortigate 40F, 60F, and 80F Specifications

Replacing Cisco SOHO Firewalls Conclusion

  • Unless you need 10Gb connectivity (on your WAN) then go for the 60F, if you need all those 1Gb ports and you want it to function as a switch.
  • If you don’t need so many LAN ports then go for the 40F (Note: even with 1x WAN port you can deploy SDWAN by using another interface!)

Replacing Cisco Medium Business / Small enterprise Firewalls with FortiGate

This is a difficult one to call; you can’t really say FortiGate model X is a direct comparison for Cisco model Y. To size a FortiGate firewall you need to:

First: Decide what throughput you need (remember to factor in NGFW/IDS/ATP and possibly HTTPS throughput; this will be LOWER than the max throughput!)

Second: Decide what connectivity you want.

FortiGate throughput for these classes of firewalls falls into roughly three different categories;

  1. 10Gbps Throughput (1Gbps HTTPS Inspection throughput) to 27Gbps Throughput (4Gbps HTTPS throughput) = 100 and 200 Series.
  2. 32Gbps Throughput (3.9Gbps HTTPS Inspection throughput) to 36Gbps Throughput (5.7Gbps HTTPS throughput) = 300, 400 and 500 Series.
  3. 36Gbps Throughput (8Gbps HTTPS Inspection throughput) to 52Gbps Throughput (3.9Gbps HTTPS throughput) = 600, 800 and 900 Series.

Note: If the figures don’t overlap neatly, that’s because these are a mixture of D, E and F releases.

Cisco ASA5500 and 5500-X  Specifications

Cisco Firepower 1100 to 2100 Series Specifications

Fortigate 100 to 900 Series Specifications

Replacing Cisco Bonuses

  • Remote VPN: You don’t need to buy additional remote VPN (AnyConnect) licences any more. With FortiGate remote SSL VPN is built in, and the client numbers are impressive.
  • Failover: Active / Active, good old Active / Passive, and Clustering are all supported.
  • SDWAN: You now have this capability if you require it.
  • Redundant Power Supply: Is on all FortiGate models in this class.

If anyone wants to add any real world experiences or comments, please do so below.

Related Articles, References, Credits, or External Links

NA

VMware ESX – Sockets and Cores (Logical Processors)

KB ID 0001124 

Problem

While explaining to a client the difference between Sockets, Cores and Logical Processors, I had to revisit this post today, so I updated it for vSphere 7.

Calculating Sockets and Cores

Essentially;

A: Processor Sockets: The physical number of CPUs on the motherboard.

B: Cores Per Socket: For a dual core processor this would be 2, triple core=3, quad core = 4, hex core = 6, octa core=8, deca core=12, etc.

C: Logical Processors: This is the number of sockets multiplied by the cores per socket, and if Hyperthreading is enabled on the processors (see above), that figure is doubled.

Related Articles, References, Credits, or External Links

NA

Azure Traffic Manager (DNS Failover)

KB ID 0001740

Problem

Why Azure Traffic Manager? I had to price up a hardware load balancer (ADC) a couple of weeks ago for a client. I won’t mention the vendor, (though I’m sure you can guess). Over 3 years it was going to cost (for a pair) about £100k, (so about 33k a year). That included the global DNS failover; this was so they, (the client) could fail over their services between multiple data centres.

OK, there are other ADC vendors, and there are even some budget vendors; I could use ARR, or even deploy NGINX. (Though supporting those deployments is another matter!) Whilst discussing this with my colleagues, the consensus was “We would be better deploying Azure Traffic Manager”. So I thought I’d take a look to see just how difficult that was to deploy.

What is Azure Traffic Manager? Essentially a cloud based ADC that can provide availability and DNS failover between Azure regions and, (more importantly in my case) ‘External’ endpoints, (so on premises, multiple data centres, other public clouds, etc.)

What Does Azure Traffic Manager Cost? Therein lies most people’s ‘bug-bear‘ with public cloud, that’s hard to quantify. So per million DNS lookups it’s £0.403p a month (up to a billion DNS queries,) THEN £0.28p per million DNS queries (over a billion) per month. I’m not sure how you would begin to calculate that? I can tell you how many people are on this website while you are reading this text, and how many hits we get a month, but DNS queries?

I no longer host my own DNS, I used to, but it was getting hammered by script kiddies 24/7 and my servers were just using processor cycles to do nothing productive. So I pay someone else to host my records now. I asked them..

Additionally you pay: £0.403p a month per (basic) monitored external endpoint or £1.41 a month per (rapid) monitored external endpoint.

I’m being a little disingenuous to Microsoft; in their defence this is a traffic management solution, NOT a web load balancing/HA solution. If you look at it from that perspective then DNS queries is a better measurement than ‘web-hits’ or ‘page-impressions’. But you will be billed on multiples of something that you have no control over, and you have to just ‘Trust’ that when Microsoft tells you you’ve had 36 million DNS lookups then that’s correct.

Deploy Azure Traffic Manager

From the Azure portal > Create a Resource.

You will need to search for ‘Traffic Manager Profile’ > Create.

Give it a sensible name > Set the routing method to Priority > Pick a Resource group (or create a new one) > Select your resource group location > Create.

Locate your traffic manager profile (look under all resources if you can’t find it) > Configuration.

Drop the DNS TTL to 30 seconds > I’m monitoring HTTPS on Port 80 > Leave the probing interval on 30 seconds > Save.

Note: this will take 3 lots of 30 seconds before it will fail over (90 seconds). If you drop the poll interval to 10 seconds then you get billed the additional ‘fast interval charges’ I mentioned above. You can set it to 0 lots of 10 seconds to make it fail over quicker, but that’s more expensive.

Endpoints > Add.

Add your primary site with a priority of ‘1’, then repeat for your standby site(s) with lower priorities.

Before testing, make sure all the endpoints are ‘Online‘.

Overview > Copy the DNS name.

In your own DNS config, simply create a CNAME DNS record to point to the Azure one you copied above.

Testing Azure Traffic Manager

First let’s test Azure > Ping the domain name you copied from the Azure portal; you will notice it resolves to my primary site IP (that won’t respond to pings, but that’s not important for testing). Power off the primary endpoint (or disconnect its NIC) and wait 90 seconds. Then ping it again; this time the IP address it resolves to has changed to my secondary endpoint. That proves the Azure Traffic Manager works.

To illustrate, I’ve got a slightly different web page on my primary and secondary external node, just to prove it’s working.
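To make the failover timing concrete, here is an added Python model (mine, not Azure’s implementation) of Priority routing with the settings used above: DNS TTL 30 seconds, probe interval 30 seconds, and three failed probes before an endpoint is Degraded. Endpoint names and IPs are constructed; the worst-case figure adds the TTL, because a client that cached the old answer just before the switch will keep using it for up to one TTL.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    name: str
    ip: str
    priority: int                                # 1 = primary; higher numbers are standby
    probes: list = field(default_factory=list)   # recent probe results, True = healthy

class PriorityProfile:
    """Toy model of a Traffic Manager profile using Priority routing (assumption:
    an endpoint is Degraded once the last `tolerated_failures` probes all failed)."""

    def __init__(self, endpoints, ttl=30, interval=30, tolerated_failures=3):
        self.endpoints = sorted(endpoints, key=lambda e: e.priority)
        self.ttl, self.interval, self.tolerated = ttl, interval, tolerated_failures

    def is_online(self, ep):
        recent = ep.probes[-self.tolerated:]
        return len(recent) < self.tolerated or any(recent)

    def resolve(self):
        """Answer a DNS query: the lowest priority number that is still Online."""
        for ep in self.endpoints:
            if self.is_online(ep):
                return ep.ip
        # Every endpoint Degraded: fall back to the primary rather than answering nothing.
        return self.endpoints[0].ip

    def worst_case_failover_seconds(self):
        # Probes must fail `tolerated` times (the article's 90 s), then a client may
        # still hold the old answer in its DNS cache for up to one TTL.
        return self.tolerated * self.interval + self.ttl

def simulate_primary_outage(profile, failed_probes):
    """Record `failed_probes` consecutive failures against priority 1 (standbys stay
    healthy) and return the IP a client resolving afterwards would receive."""
    for ep in profile.endpoints:
        for _ in range(failed_probes):
            ep.probes.append(ep.priority != 1)
    return profile.resolve()

def build_profile():
    # Constructed endpoints: an on-premises primary and a second data centre as standby.
    return PriorityProfile([
        Endpoint("dc1-primary", "203.0.113.10", 1),
        Endpoint("dc2-standby", "198.51.100.20", 2),
    ])
```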

Related Articles, References, Credits, or External Links

NA

Free Exchange Certificate

KB ID 0001739

Problem

A couple of weeks ago I wrote an article about getting free certificates for IIS with ‘Let’s Encrypt’. Last week the renewal for my ‘test’ Exchange server’s certificate came though. So I thought “Why don’t I try and get a ‘Free Exchange Certificate’?”

Free Exchange Certificate

Before we start, let’s take a moment to look at our existing Exchange certificate. As you can see it’s a publicly signed and trusted certificate; the only thing wrong with it is that it’s going to expire in a couple of weeks. Yours may have already expired, or you may be running a self-signed SSL certificate, (horror!)

To do all the heavy lifting you need a piece of software; the easiest (I’ve seen) is win-acme (at time of writing the latest version is 2.1.14.996). You simply download it as a zip file.

Extract the contents of that zip file to a folder on your hard drive.

Apply For & Install the Free Exchange Certificate

Open an administrative command prompt > Navigate to the folder you just created > run wacs.exe

WARNING: Some other run-throughs I’ve read have different option numbers, (wacs.exe has obviously been updated). So instead of just posting the number to select, I’ll post the option, then put the number, (or letter) of that option in brackets, (in case they change the option numbers again!)

Create a new certificate (full options) {m} > Manual Input {2}.

Manual Input {2} > Enter the public fully qualified domain name(s) of your Exchange server (separated by commas) > Press Enter to accept the default friendly name (unless you want to specify your own).

[http-01] Serve certification files from memory {2} > RSA Key {2}. 

Note: You will need TCP Port 80 open to the Exchange server for this to work, (in most cases you will only have HTTPS or TCP Port 443 open!)

Windows certificate store {4} > No (additional) store steps {5}.

Create or update https binding in IIS {1} > Default Web Site {1} > Start external script or program {3} > Paste in the following;

[box]

./Scripts/ImportExchange.ps1

[/box]

At the prompt paste in the following;

[box]

'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'

[/box]

No (additional) installation steps {4}.

No, (or it will open the terms and conditions in another window) > Yes (your soul now belongs to Let’s Encrypt!) > Type in an email address  > Quit {q}

Now reconnect to either OWA or the Exchange Admin Center > And you should see you have a new certificate.

It only lasts three months! That’s correct, but;

Let’s Encrypt Free Exchange Certificate Auto Renewal

As well as getting your certificate, win-acme also created a scheduled task to check your certificate validity and renew it before it expires. Cool eh?

Where Does Win-ACME Store its information

Good question, it took me a little while to find that out. Essentially, once run it creates a new folder in %programdata% (that’s a hidden folder on the C drive usually) called win-acme; all your settings are in there, so if you make a mistake like entering the wrong email address, you can delete this folder and start again.

How To Remove Let’s Encrypt Exchange Free Certificate & Settings

  1. Remove the certificate from Exchange Admin Center.
  2. Remove the win-acme folder from %Programdata%.
  3. Delete the scheduled update task from ‘Task Scheduler’.

Related Articles, References, Credits, or External Links

NA