Windows – Certificate Enrollment Fails

KB ID 0000921 

Problem

I first saw this problem a few years ago trying to get some Windows clients to auto-enrol with Server 2008, then this week my colleagues could not get a new 2019 Domain Controller to enrol for a Kerberos certificate, and this was caused by the same problem.

Symptoms (RPC Error)

1. Test to make sure the client can see the CA, and is able to communicate with it, issue the following command;

[box]

certutil -pulse

[/box]

As you can see above, the first time I ran the command I got the following error;

CertUtil: -pulse command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

I then ran the command window ‘as administrator’ and it completed; this was the first inkling I had that permissions were probably not right.

2. Run mmc on an affected machine, and add in the Certificates (Local Computer*) snap-in. Right-click the ‘Personal’ container > attempt to manually request the certificate you have published.

Problem seen on a Domain Controller (Attempting to get a Kerberos Certificate).

An error occurred while enrolling for a certificate.
The Certificate request could not be submitted to the certification authority

Url: {CA Server Path}

Error: the RPC server is unavailable. 0x80076ba (WIN32: 1722
RPC_S_SERVER_UNAVAILABLE)

Problem seen on Windows Client (attempting to enrol for a Computer Certificate).

*Or local user if you are auto enrolling user certificates.

At that point, on the Windows client, I got this error;

Active Directory Enrollment Policy
STATUS: Failed

The RPC server is unavailable.

Resolution (Windows Certificate RPC Error)

The most common cause of that error is incorrect membership of the ‘Certificate Service DCOM Access’ group; check yours and make sure it matches the one below.

On the CA server, launch the Certification Authority management tool and look at the properties of the CA server itself; on the Security tab make sure yours looks like this (Domain Computers and Domain Controllers should have the ‘Request Certificates’ right).

Still on the CA server, check the permissions on the C:\Windows\System32\certsrv directory; Authenticated Users should have Read & Execute rights.

This is the change that finally fixed mine: in Active Directory Users and Computers, locate the Builtin container; within it there is a group called ‘Users’. Make sure it contains Authenticated Users and INTERACTIVE.

Run a ‘gpupdate /force’ on your test client, and/or reboot it.

Related Articles, References, Credits, or External Links

NA

FortiGate TFTP : Backup To & Restore From

FortiGate TFTP KB ID 0001788

Problem

I know FortiGate prides itself on being able to do everything from the GUI, but if you can only get in at CLI and need to take a backup then you need to go old school. Recently I had an HA Pair of Fortis, the primary had broken and I could not get access to the GUI on the standby. My plan was to get a backup, blow both (virtual Firewalls) away, deploy two new ones, and restore the config.

What about licences? Licences are handled separately (to the config) on FortiGate.

FortiGate TFTP (Back Up)

Obviously you will need a TFTP server set up. I use a Mac so it’s not a problem for me, but when that’s not an option I still use 3CDaemon. The command you need is:

[box]

execute backup config tftp {Name-of-Backup} {IP-of-TFTP-Server}

[/box]

Above (in the 3CDaemon window) you can watch the backup file coming in.

FortiGate TFTP (Restore)

Very similar to above, (Warning: This will cause the firewall to reboot).

[box]

execute restore config tftp {Name-of-Backup} {IP-of-TFTP-Server}

[/box]

Once again, above (in the 3CDaemon window) you can watch the backup file going out.

Related Articles, References, Credits, or External Links

NA

FortiGate Web Filtering Setup and Deployment

FortiGate Web Filtering KB ID 0001787

Problem

In all honesty, enabling Web Filtering on your FortiGate really could not be simpler: you can simply enable it on your default users’ outbound policy and select one of the three ‘pre-canned’ profiles, job done!

But most companies not only want to filter their web traffic, they want to see who is getting blocked and what users are trying to get access to. Most businesses now have ‘an acceptable use policy’ for their IT, and if you don’t, get it sorted, or when you want to sack “Creepy Dave” because he’s been frequenting ‘dodgy’ websites you might be on a sticky wicket.

So before you even think about enabling Web Filtering you may want to roll out FSSO, so the firewall knows who everybody is, and what machines they are logged into.

FSSO FortiGate Single Sign On

FortiGate Web Filtering

As with any Advanced Threat Protection product, you need to have a license for Web Filtering, let’s check that first > Dashboard > Status.

Then let’s make sure our definitions are up to date and the FortiGate is happy > System > FortiGuard > Web Filtering.

You can find the three ‘pre-canned’ profiles under Security Profiles > Web Filter.

Edit the policy, some of the things that are ‘allowed’, might raise an eyebrow, so block anything you consider to be inappropriate for your workplace.

Then locate the policy object that your users are using to browse the web (under Policy & Objects > Firewall Policy) > Scroll down and enable Web Filtering > Select the correct Profile > OK > OK.

Note: If you are just rolling this out it might be worth using the Monitor All policy first for a while, just so you can get a handle on what your users are doing, and how much data there will be to trawl through.

Then if your users attempt to go to a site that’s blocked, they will see something like the screen below.

Technical Tip: When testing Web Filtering I use www.page3.com, (for my friends over the pond, in the 70’s, 80’s, and 90’s one of the UK “newspapers” used to have a scantily clad, (usually topless) lady on page 3. In modern society we frown on exploiting these girls, and making them multi-millionaires now). However the domain still exists, and (if it were not blocked), it just redirects to the “newspaper’s” home page now. So if someone is looking over your shoulder they will not get an eyeful of nakedness (there’s a phrase I never thought I’d be writing on PNL).

FortiGate Web Filtering: Whitelist a Blocked URL

The system is pretty robust, but you may sometimes want to allow a particular blocked URL. As you can see above, users can apply from the block page to have that URL unblocked if it has been blocked in error. But what if you want to explicitly allow a URL that’s getting blocked? (I had to do this a lot when I worked in the health sector, for example.)

Go to the profile that’s applying the block > Edit > Enable URL Filter > Create New > Type in the URL you want to unblock > Note: I’m selecting Exempt NOT Allow (there’s three hours I’ll never get back) > OK > OK. The difference matters: Allow passes the request on to the remaining web filter checks (including the FortiGuard category rating that was blocking it in the first place), whereas Exempt skips the rest of the web filter inspection for that URL, including proxy-based AV scanning, so keep the exempt list short and specific.

FortiGate Web Filtering: Enable Password Override

You can (if you wish) create a group that can manually override the block screen (Note: it will still get logged). So here I’ve created a domain security group.

Then I can use FSSO, to enable that group on my FortiGate.

Create a new Profile > Give it a sensible name > Enable “Allow users to override blocked categories”.

Add in the FSSO group you created above, then in the profile section select the profile you want to ‘switch’ them to, and select ‘Monitor-all’ > OK.

Now create an outbound policy for web traffic > Add your FSSO users and ALL to the source, and make sure you enable the password override policy.

Note: Make sure this rule comes BEFORE your normal web traffic rule.

Now when those users are blocked, they get the option to “Proceed“.

FortiGate Web Filtering (Viewing User Activity)

On my little test bench my firewalls are logging to FortiCloud. If you have FortiManager or FortiAnalyzer then head in that direction for your reports, but for small deployments like this > Log & Report > Web Filter. Here you can see the block action that was taken above, for example.

Related Articles, References, Credits, or External Links

FSSO FortiGate Single Sign On
FortiGate IPS (IDS)
Web Filtering Admin Guide

FSSO FortiGate Single Sign On

FSSO  KB ID 0001786

If you are applying policies with your FortiGate, e.g. Web Filtering or IPS, then the ability to track actual users rather than IP addresses is advantageous. It’s all very well blocking access to adult material or gambling sites from the corporate network, but most companies want to know WHO is attempting to connect to what, and when.

To do that the firewall needs to learn which users are where. We can make all users actively authenticate to the firewall as they attempt to get on the web, but that does not make for a great user experience; it’s better to passively learn where your users are and what machines they are using, then we can use that in a policy (let’s not get too far ahead for the moment).

Q. How do we learn where your users are, and what machines they are on?

A. FSSO

To enable FSSO you need to understand the difference between two pieces of software: the FSSO Collector and the FSSO DC Agent. The DC Agent (as the name implies) runs on each of your DCs; it captures logon events and then does DNS lookups to see what machines people are using. The Collector takes the output from one or more DC Agents and collates it for the firewall; it does not have to run on a domain controller (but it can).

I only have one server! Well, that’s OK, both the collector and the agent can be on the same box.

However most networks will have multiple Domain Controllers, so your FSSO topology may look a little more like this.

Or if you have an even larger network, you may want to build in a backup collector(s)

Deploy FSSO

In my small test environment I’m going to put the collector and agent on a single DC. Your first challenge is actually getting the FSSO software. Log into your FortiCloud portal and proceed as if you want to download some FortiGate firmware.

Then in the version of FortiGate firmware that matches your firewall you will find an FSSO directory (unless you’re in the dark ages your domain controllers will be 64-bit), so in my case I want FSSO_Setup5.0.0306_x64.exe (that will download the collector setup, which also includes the DC Agent software, which you can also download separately if you wish).

Install Collector

Accept the EULA, change the install directory if you don’t want it on the C: Drive > Enter some administrative credentials > Next.

My FortiGate has LDAPS Lookups so I’m going for Advanced > Next.

Install > When complete, I’m installing the DC Agent on the same server so MAKE SURE ‘Launch DC Agent Install Wizard’ IS ticked, and click Finish.

Warning: Installing a DC Agent will result in the reboot of this DC, (you might want to do the next step out of hours).

Install DC Agent

Accept the defaults > Next > Select the Domain > Next > Select any user(s) you want to be exempt > Next.

Select DC Agent Mode > Next > It will prompt for a reboot, let it do so.

Post reboot launch FortiGate Single Sign On Agent Configuration > And change the password to something memorable, (you will need to enter this onto the FortiGate in a minute).

Register FSSO on FortiGate

Back on the FortiGate > Security Fabric > External Connectors > FSSO Agent on Windows AD.

Give it a sensible name > Enter the IP address and the password you set above > Apply and Refresh > OK.

You will know it’s working because it will give you a green up arrow (it can take a little while, be patient).

Create FSSO Groups

Now you can add GROUPs based on FSSO learned groups, like so.

Once you have the FSSO groups defined, you can use them in policies. Below I’ve added Domain Users to my default outbound policy.

WARNING: If you have any devices or assets that need access out, you will need to add a new rule to allow them out explicitly before this rule, or their internet access will suddenly stop.

Monitor FSSO Events

To make sure the system is working you can go to Events > User Events > Make sure your user logon activity is getting logged.

Related Articles, References, Credits, or External Links

FSSO Handbook

ESX SD Card?

KB ID 0001785

Problem

For a while it’s been common knowledge that running ESX 7.x from a server that boots from an SD card is a no-no. VMware themselves said (originally) that they would not support it. Then they said they would ‘sort of’ support it, if there was additional persistent storage. Then in the past week they’ve said,

VMware will continue supporting USB/SD card as a boot device through the vSphere next product release, including the update releases. Both installs and upgrades will be supported on USB/SD cards.

But it’s not a complete ‘back-pedal’ because they also say;

The upgrade or install workflows for vSphere will ensure that the OSData partition is relocated away from USB/SD card into a persistent device. There will be an automatic fallback to use a VMFS datastore, or a RAMDisk if such a device is not available. Preferably, the SD cards should be replaced with an SSD or another local persistent device as the standalone boot option.

Reference

ESX SD Card 

So best to err on the side of caution and NOT install anything (or upgrade to anything) newer than 7.0 on an SD card. I’ve got a client running 6.7 looking to upgrade, so I needed to find out if their hosts (a mix of Dells and IBMs) were on the HCL, and more importantly, were they booting from SD cards?

A quick Google search revealed someone had written a PowerCLI script to do this; the problem was the client’s management server would need a reboot to get PowerCLI installed (with the management agents). So I had to grow a ginger pony tail, don my socks and sandals, and do some Linux.

Connect to your ESXi host via SSH. First ascertain where you’re booting from (the bootbank):

[box]

ls -la /bootbank

[/box]

As you can see in the example below, this will return the VMFS volume that we need (in this case /vmfs/volumes/dcb33778-ff2797db-9624-0bfeb9391a11); change your command to match the name of yours.

[box]

vmkfstools -P /vmfs/volumes/dcb33778-ff2797db-9624-0bfeb9391a11

[/box]

This time look for ‘Partitions spanned (on “disks”)’ in the example below; mine’s called naa.600605b00a6913d01e22c30c056436ac (Note: ignore any colons ‘:’ and anything to the right of them).

Then use the disk name in the following command.

[box]

esxcli storage core device list |grep -A27 ^naa.600605b00a6913d01e22c30c056436ac

[/box]

From the output you should be able to tell what the boot device is; for example, my client’s IBM servers gave me this (so I knew they were booting from internal disks).

But the Dell servers, although on the VMware HCL for version 7, were booting from SD Cards (see the following output).

Knowing the servers concerned (Dell R630 PowerEdges), I know they need a particular RAID card (yes, I know you can get a cheap 330 model, but not for production hosts!), then a specific cable, and then there’s the cost of the drives. To get them for a server this old, Dell will try to charge me a fortune; it’s probably easier to replace those hosts.
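The three commands above, scripted together as an added example that is not part of the original article or of any VMware tooling: it pulls the backing device out of the vmkfstools -P output, finds that device’s stanza in the esxcli storage core device list output, and classifies it as disk or USB/SD. It goes slightly beyond the text in one respect: it strips only the trailing ‘:<partition>’ suffix, because mpx.* device names (which is how a Dell dual SD module usually shows up) contain colons of their own, so ‘ignore everything after the first colon’ would truncate them. The function names are mine, the two sample outputs are constructed and abridged so the script runs offline, and the LSI / ‘Internal Dual SD’ model strings and the readlink -f shortcut are assumptions rather than output from the article’s hosts.

```shell
#!/bin/sh
# Added example, not part of the original article: scripts the three manual
# steps (ls -la /bootbank -> vmkfstools -P <volume> -> esxcli storage core
# device list) so an ESXi host can report whether its bootbank sits on a
# USB/SD device. Written for the ESXi busybox shell (POSIX sh + awk).
# The sample outputs below are CONSTRUCTED and abridged so this runs offline;
# on a live host feed it the real output instead (assumed invocation):
#   check_boot_media "$(vmkfstools -P "$(readlink -f /bootbank)")" \
#                    "$(esxcli storage core device list)"

# Step 2: pull the backing device out of `vmkfstools -P` output. It is the
# first line after "Partitions spanned", ending in ":<partition number>".
# Only that final ":<digits>" suffix is removed, so device names that contain
# colons themselves (mpx.vmhba32:C0:T0:L0) survive intact.
boot_disk_from_vmkfstools() {  # $1 = vmkfstools -P output
    printf '%s\n' "$1" | awk '
        /^Partitions spanned/ { want = 1; next }
        want { sub(/:[0-9]+$/, "", $1); print $1; exit }'
}

# Step 3: print just one device's stanza from `esxcli storage core device
# list` (the unindented name line plus its indented property lines).
device_stanza() {  # $1 = full listing, $2 = device name
    printf '%s\n' "$1" | awk -v dev="$2" '
        /^[^ ]/ { show = ($0 == dev) }
        show { print }'
}

# Classify a stanza: "usb-sd" when ESXi flags the device as USB (Dell IDSDM
# cards show up this way) or the model string names a Dual SD module,
# otherwise "disk" (local RAID volume, SAN LUN, ...).
boot_media_type() {  # $1 = device stanza
    printf '%s\n' "$1" | awk '
        /^ *Is USB: true/     { usb = 1 }
        /^ *Model: .*Dual SD/ { usb = 1 }
        END { print (usb ? "usb-sd" : "disk") }'
}

# Glue: prints "<device> <usb-sd|disk>"; non-zero status if the device that
# backs the bootbank does not appear in the device list at all.
check_boot_media() {  # $1 = vmkfstools -P output, $2 = esxcli device list output
    dev=$(boot_disk_from_vmkfstools "$1")
    stanza=$(device_stanza "$2" "$dev")
    [ -n "$stanza" ] || { echo "unknown (${dev:-no device} not in device list)"; return 1; }
    echo "$dev $(boot_media_type "$stanza")"
}

# --- Constructed sample data (not captured from the article's hosts) ---
SAMPLE_VMKFS_DISK='VMFS-L-0.01 (Raw Major Version: 0) file system spanning 1 partitions.
File system label (if any): BOOTBANK1
Mode: private
UUID: dcb33778-ff2797db-9624-0bfeb9391a11
Partitions spanned (on "disks"):
        naa.600605b00a6913d01e22c30c056436ac:5
Is Native Snapshot Capable: NO'

SAMPLE_VMKFS_SD='VMFS-L-0.01 (Raw Major Version: 0) file system spanning 1 partitions.
File system label (if any): BOOTBANK1
Mode: private
UUID: 00000000-0000-0000-0000-000000000000
Partitions spanned (on "disks"):
        mpx.vmhba32:C0:T0:L0:5
Is Native Snapshot Capable: NO'

SAMPLE_DEVICES='naa.600605b00a6913d01e22c30c056436ac
   Display Name: Local LSI Disk (naa.600605b00a6913d01e22c30c056436ac)
   Vendor: LSI
   Model: ServeRAID M5210
   Is Local: true
   Is Removable: false
   Is USB: false
   Is Boot USB Device: false
   Is Boot Device: true
mpx.vmhba32:C0:T0:L0
   Display Name: Local USB Direct-Access (mpx.vmhba32:C0:T0:L0)
   Vendor: Dell
   Model: Internal Dual SD
   Is Local: true
   Is Removable: true
   Is USB: true
   Is Boot USB Device: true
   Is Boot Device: true'

check_boot_media "$SAMPLE_VMKFS_DISK" "$SAMPLE_DEVICES"   # naa.600605b00a6913d01e22c30c056436ac disk
check_boot_media "$SAMPLE_VMKFS_SD"   "$SAMPLE_DEVICES"   # mpx.vmhba32:C0:T0:L0 usb-sd
```

Any host that comes back as usb-sd is one you do not want to take past 7.0 without first moving OSData onto persistent storage, per the VMware statement quoted above; a non-zero status means the vmkfstools device name was not found in the esxcli listing and needs a manual look.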

Get ESX SD Card Boot Info From PowerCLI

I mentioned earlier that this avenue was not open to me, so I gave it a shot on my test network.

SD-Card-Check is what I used (Note: I do not claim credit for this; credit to Ivo Beerens.)

Related Articles, References, Credits, or External Links

NA

FortiGate IPS (IDS)

KB ID 0001783

Problem

If you want to employ the IPS service of a FortiGate firewall then you need a license for that privilege. At the time of writing you can get IPS as part of the following subscription licenses;

  • Enterprise Protection
  • SMB Protection (Only on firewalls SMALLER than 100F)
  • Unified Threat Protection (UTP)
  • Advanced Threat Protection (ATP)

But Forti love to change the names of things, so double check with your vendor.

FortiGate IPS (A Quick Tour)

OK let’s see if we have a valid IPS Licence. Dashboard > Status > Licences > IPS > If it’s green and ticked we are good.

Now let’s make sure all our Intrusion Prevention definitions and engines etc are all up to date.

Note: Notice the Malicious URLs – I’ll mention that again in a minute.

The next couple of steps are purely informational, (so you can understand how IPS works, and how everything hangs together). Go to Security Profiles > IPS Signatures. Spend a few minutes looking at this page so you will better understand how they are applied. First each one is assigned a Severity,

1. Informational (green)
2. Low (blue)
3. Medium (yellow)
4. High (orange)
5. Critical (red)

In addition it’s given a Target (Server, Client, or BOTH) and an applicable OS; Action is set by default to BLOCK or PASS.

Note: You can also find specific CVE-IDs (if applicable) for each signature, this will hyperlink to the info for that CVE, but also lets you quickly check you are protected against a new CVE, (you can type them in the search section).

Why is all that important? Well, if you know that, then how the IPS profiles work is pretty self-explanatory: they use all the above to group signatures together by severity, target and OS, which enables you to make your own very granular profiles (if you wanted to).

So let’s have a look at them, Security Profiles > Intrusion Protection.

To take a look at each one, select it and edit. To be honest, most of the time you will be wanting default or all_default though (as you can see there are specific profiles for web servers and mail servers etc.).

Note: Remember I mentioned the Malicious URLs above? This is where you can enable that if you wish. Be aware this is a dynamic list of URLs that you cannot edit (or whitelist); you need to make a request to Fortinet if you want to remove a URL from it. The documentation says;

To use this IPS signature to block malicious URLs, select Block malicious URLs. This feature uses a local malicious URL database on the FortiGate to assist in drive-by exploits detection. The database contains all malicious URLs active in the last one month, and all drive-by exploit URLs active in the last three months. The number of URLs controlled are in the one million range.

Also Note: Logging is disabled by default, (more on that in a minute).

Enable FortiGate IPS

To actually enable IPS is simple, in any normal Firewall Policy (or IPv4 Policy if you’re on ‘old code’) you enable the IPS Policy you require inside it like so.

Testing FortiGate IPS

Do a search for this and the web is full of articles on creating a custom signature, adding that to a policy, then testing it, which is a bit ‘bobbins’ IMHO. It’s an IPS, let’s put on our black hat and do something nefarious to make sure it’s working (obviously ask a grown-up’s permission before launching attacks on your own network, and don’t send your IT security manager to PeteNetLive to complain, because I’ll just laugh at them).

OK, really straightforward: I’ve got Kali Linux running Armitage (a Metasploit tool) on my LAN, which I’m going to use to attack a Windows server that’s sat just outside my FortiGate, using a known RDP vulnerability. But first let’s enable logging on our IPS profile.

Edit the policy (make sure it’s the one that’s actually getting inspected!) Enable packet logging > OK.

Launch Armitage, connect using the default settings, search for MS12_020 and you should see it listed (as shown) > Double-click it > Enter the IP of the server to attack > Launch. After some code scrolls by, eventually it will probably say ‘RDP service unreachable’ (because our IPS has earned its wages).

Note: At this point I’d say go and have a coffee. IPS blocks instantaneously, but it takes a couple of minutes for it to appear in the logs.

Log & Report > Intrusion Prevention > Boom, time for tea and medals! (Remember, give it a few minutes.) Don’t forget to go back and disable packet logging on your IPS profile.

Related Articles, References, Credits, or External Links

NA

FortiCare Versions Essentials, Premium, or Elite?

KB ID 0001782

FortiCare Versions

With the release of the Q2 2022 Fortinet price list, they have decided to split FortiCare up into three different versions.

  • FortiCare Essentials: Is the base-level service, and it is targeted toward devices that require a limited amount of support. This service is only offered to FortiGate models 8x and below and to low-end FortiWifi devices. Support includes web only tickets & chat, with next day business response.
  • FortiCare Premium: The previous 24×7 FortiCare offering, including ‘follow the sun support’, one-hour response for critical issues and the next business-day response for non-critical issues.
  • FortiCare Elite: The previous ASE (Advanced Support and Engineering) FortiCare offering now enabling coverage of a broader product range. This level provides 24×7 follow the sun support and optimum response times of 15 minutes. FortiCare Elite services offers enhanced service-level agreements (SLAs) and accelerated issue resolution. This advanced support offering provides access to a dedicated support team. Single-touch ticket handling by the expert technical team streamlines resolution. This option also provides Extended End-of-Engineering-Support (EoE’s) of 18 months for added flexibility and access to the new FortiCare Elite Portal. This intuitive portal provides a single unified view of device and security health.

Related Articles, References, Credits, or External Links

NA

Fortigate Hairpin NAT

KB ID 0001781

Problem

Imagine the following scenario: you have a PUBLIC web server and it’s either in the same network your users are in, or attached to a DMZ on your FortiGate.

So above, our users open a web browser and attempt to go to www.ubique.com (1). Their PC will do a DNS lookup for www.ubique.com and (in this case) a public DNS server returns an IP of 192.168.100.200 (2). The browser then attempts to HAIRPIN to that IP, which is external to your FortiGate, and the traffic is blocked.

FortiGate Hairpin Solution

If you have internal DNS servers you can of course solve this problem with split DNS. With a Cisco firewall you could also solve this problem with DNS Doctoring. In fact, if you’re from a Cisco background then even the name Hairpin is confusing, because in Cisco when we mention hairpinning we are usually talking about VPN traffic. Anyway, I digress.

So to replicate the scenario above, i.e. it being broken on my LAN PC, I cannot browse to that site, and you can see my DNS is resolving to its public IP.

Policy & Objects > Virtual IPs > Create New > Virtual IP > Give it a Name > Interface = any > Set External IP > Set Internal IP > Note: You don’t have to set port forwarding, but I’m only using TCP 80 > OK.

I already Have a Virtual IP: If your existing web server already has a Virtual IP object MAKE SURE it’s NOT bound to the outside interface, (or you won’t be able to select it in a minute). If you can’t edit it (because it’s in use), then you might need to remove it from the existing policy, and recreate it.

Policy & Objects > Firewall Policy > Create New > Give the Policy a Name > Set the incoming and outgoing interface to the internal one > Source = All > Destination = the Virtual IP you just created > Schedule = always > Service = HTTP > Disable NAT > OK.

I can’t see Virtual IP in the Policy:  Then it’s either bound to an interface that ISN’T the inside one, or you have Central NAT enabled. If you don’t want to change your global NAT policy create an address object for the internal IP and use that instead.

Now the website should work.

Related Articles, References, Credits, or External Links

NA