I was asked by a colleague at work the other day, can we replace the Cisco firewalls with FortiGate firewalls for a client? As a business we are heading towards Forti, but before I said yes I wanted to know what the firewall was actually doing. On closer inspection the firewall in question didn’t appear to be doing anything too scary, but I did notice that the LAN interface was sub-interfaced to the various internal VLANs. I didn’t know how FortiGate handled this, so I fired it up on the test bench to test FortiGate sub interfaces.
So I needed to create TWO sub interfaces on the FortiGate (on port3).
Creating FortiGate Sub Interfaces
Simply put, on a FortiGate if you want what a Cisco engineer would refer to as a ‘sub interface‘, then you simply add a VLAN interface to a physical interface. Like so, Network > Interfaces > {Physical Interface} > Create New > Interface.
Give the new interface a name (and alias if required) > Interface Type should be VLAN > Select the parent physical interface > Add the VLAN ID (Tag) and specify an IP address of the interface.
Just for testing I’ll also allow PING on the VLAN interface > OK. (Keep administrative access on internal VLAN interfaces to the minimum you need: ping is harmless in a lab, but don’t tick HTTP/HTTPS/SSH here unless that VLAN really is your management network.)
Repeat the procedure to add further sub interfaces (VLANs).
Remember this is just a ‘router on a stick’ configuration: the FortiGate now routes between the VLANs, but nothing passes until you allow it. Traffic between VLANs needs a firewall policy from one VLAN interface to the other, and traffic to the internet needs a policy from the VLAN interface to the WAN interface (with NAT enabled). Anything without a matching policy hits the implicit deny, (it is a firewall after all!)
Setting up Switches for FortiGate Sub Interfaces?
I’ve probably got this covered elsewhere on the site, but the core switch is Cisco, so I just created a trunk port and allowed ALL VLANs (because I’m lazy; in production you might want to lock that down a little!)
So my aim was to setup FortiGate High Availability failover in Active / Passive mode. I’m setting this up in EVE-NG and here’s what my lab looks like;
Note: I’m using TWO connections for heartbeat/failover. You can use one if you prefer, but two (on separate links) means a single cable or switch failure can’t split the cluster into two units that both think they are primary.
FortiGate High Availability (Pre-Requisites)
Obviously the firewalls need to be the same model! For physical firewalls that’s straightforward, but be careful if you are using virtual FortiGates: make sure they have the same virtual hardware (vCPU and RAM) and the same licence!
As you can see in my topology (above), each port needs to be connected to the same network on BOTH firewalls.
Make sure both firewalls are running the SAME firmware.
Make sure the interfaces are not getting their IP addresses from DHCP, or PPPoE.
I’m assuming the primary firewall is all set up and configured properly; the secondary firewall then needs to be built, licensed, and internet connected (so it can update etc). Note: it will take its config from the primary firewall once HA is configured, so it needs nothing beyond licensing and connectivity.
FortiGate High Availability (Active Passive) From Command Line
I know, Fortinet like to say that there’s no need to be working at command line these days, but when you see how easy it is to setup from CLI, you might choose to do it that way instead.
Primary FortiGate High Availability Setup
FortiGate uses priority to choose the primary firewall; the default value is 128 and the higher priority wins. So I’m going to set my primary firewall to 200 and my secondary firewall to 100.
Here are the commands you can simply copy and paste;
[box]
config system ha
set group-id 10
set group-name HA-GROUP
set mode a-p
set password Password123
set hbdev port3 0 port4 0
set session-pickup enable
set override enable
set override-wait-time 10
set priority 200
end
[/box]
What does all that mean? The group-id and group-name are shared by all firewalls in the cluster, (yes cluster, you can scale this up to more firewalls). The group-id is also used to derive the cluster’s virtual MAC addresses, so if you run more than one cluster on the same layer 2 network give each one a different group-id. Mode simply sets the mode to a-p (active passive). Hbdev lists the interfaces used for the heartbeat network; the number after each interface is its heartbeat priority, and equal values (the zeros) mean both are used with no preference. The password authenticates the heartbeat traffic between members, which is also the channel the config is synced over, so use a strong one and don’t leave a placeholder like the one above in production. Session-pickup shares the session table between the firewalls, (i.e. provides seamless TCP session failover). Override is enabled: this makes the cluster re-elect by priority rather than by uptime, so it fails back to the primary firewall when it becomes available again. Note: that fail-back is itself a failover, which is why override-wait-time is set to 10 seconds, to avoid any ‘flap / stutter’ that may cause disconnections while the primary is still coming up. Then finally the priority is set to 200.
Secondary FortiGate High Availability Setup
Practically the same, but you don’t set override (leave it disabled on the secondary), and the priority is lower (100).
[box]
config system ha
set group-id 10
set group-name HA-GROUP
set mode a-p
set password Password123
set hbdev port3 0 port4 0
set session-pickup enable
set priority 100
end
[/box]
FortiGate HA Monitor and TroubleShooting
At this point go and have a coffee, the config needs replicating from the primary to the secondary, and this can take a few minutes. Use the following command to check;
[box]
get system ha status
[/box]
You want to see them both ‘in-sync‘.
To troubleshoot, use;
[box]
diagnose system ha status
[/box]
FortiGate Failover (Active Passive) From GUI
On the Primary (pre configured) firewall, System > HA > Change the drop down to Active-Passive.
Monitor Interfaces: {interfaces whose link going down should trigger a failover. Leave this blank if you only want to fail over when the whole unit or its heartbeat dies; otherwise add the LAN and WAN ports, because with nothing listed a dead uplink on the primary will not cause a failover}.
Heartbeat Interfaces: {enter one or more interfaces}.
What’s Management Interface Reservation? It lets each firewall keep its own management IP on a dedicated interface outside the cluster, so you can still reach the standby/secondary firewall for GUI/SSH management, (normally you can’t, as everything goes via the primary).
Click OK when complete
You should see something like this;
Jump onto the Secondary firewall, and set it the same, (with the exception of the priority).
Note: Override (Fail Back) cannot currently be set in the GUI.
Wait a while and hit refresh, you should see both firewalls in Sync
Possible Bug in 6.4.4 build 1803 (GA)
When carrying out the above procedure (from the web management console), my firewalls did not sync. While troubleshooting at the command line they were both set as primary and appeared not to be able to see each other; they were saying;
{Firewall Serial Number} is selected as the master because it’s the only member in the cluster.
Despite many hours of troubleshooting/rebuilding, this kept happening. It worked fine when configured from the command line, but not from the GUI. When I checked the commands after using the GUI I noticed that “set group-id {number}” was missing from the config. If I added this manually it started syncing straight away?
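The GUI bug above (a missing group-id) and the two CLI blocks earlier are exactly what a pre-flight check should catch before you trust a cluster to fail over: both members must agree on group-id, group-name, mode and hbdev, the primary must have the higher priority, and only the primary should have override set. Here is such a check as an added example (my code, not Fortinet’s or the author’s). It is meant to be fed the output of ‘show system ha’ from each unit; the two blocks of output below are constructed for the example, with the secondary shown as the 6.4.4 GUI left it. Note that FortiOS prints the HA password obfuscated (ENC …), so the script can only check that one is set, not that they match.

```python
# Constructed 'show system ha' output from the two members of a lab cluster
# (not from real units). FortiOS prints the password ENC-obfuscated like this.
PRIMARY_HA = """
config system ha
    set group-id 10
    set group-name "HA-GROUP"
    set mode a-p
    set password ENC AAAABBBBCCCC
    set hbdev "port3" 0 "port4" 0
    set session-pickup enable
    set override enable
    set override-wait-time 10
    set priority 200
end
"""

# Secondary as the 6.4.4 GUI left it: group-id was never written.
SECONDARY_HA = """
config system ha
    set group-name "HA-GROUP"
    set mode a-p
    set password ENC DDDDEEEEFFFF
    set hbdev "port3" 0 "port4" 0
    set session-pickup enable
    set priority 100
end
"""

# Settings both members must agree on before they will form one cluster.
MUST_MATCH = ("group-id", "group-name", "mode", "hbdev")


def parse_ha(text):
    """Collect the 'set <key> <value>' lines inside 'config system ha ... end'."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system ha":
            inside = True
        elif line == "end":
            inside = False
        elif inside and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            settings[key] = value.replace('"', "").strip()
    return settings


def check_cluster(primary_text, secondary_text):
    """Return the problems found; an empty list means the pair is consistent with
    an active-passive cluster that fails over to, and back to, the primary."""
    p, s = parse_ha(primary_text), parse_ha(secondary_text)
    problems = []
    for key in MUST_MATCH:
        missing = [n for n, cfg in (("primary", p), ("secondary", s)) if key not in cfg]
        if missing:
            problems.append(f"{key} not set on {' and '.join(missing)}")
        elif p[key] != s[key]:
            problems.append(f"{key} differs: {p[key]!r} vs {s[key]!r}")
    # Election: higher priority wins (default 128), so the primary must be higher.
    if int(p.get("priority", 128)) <= int(s.get("priority", 128)):
        problems.append("primary priority is not higher than the secondary's")
    # Override makes the cluster re-elect by priority; only the primary wants it.
    if p.get("override") != "enable":
        problems.append("override not enabled on primary: no fail-back")
    if s.get("override") == "enable":
        problems.append("override enabled on secondary as well")
    if p.get("session-pickup") != s.get("session-pickup"):
        problems.append("session-pickup differs")
    # The password is obfuscated in 'show' output, so only its presence is checked.
    for name, cfg in (("primary", p), ("secondary", s)):
        if "password" not in cfg:
            problems.append(f"password not set on {name}")
    return problems


if __name__ == "__main__":
    for problem in check_cluster(PRIMARY_HA, SECONDARY_HA) or ["no problems found"]:
        print(problem)
```

Run as-is it reports only “group-id not set on secondary”, which is the 6.4.4 symptom; paste in the real ‘show system ha’ output from both units (or the ‘config system ha’ section of a config backup) to check a live pair.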
Related Articles, References, Credits, or External Links
Thanks to the good folk at Fortinet for sending me some licences to test this (much appreciated).
I’ve had a Windows 2012R2 server image that I’ve been using in EVE-NG for ever. This week it bit the dust, so I thought, can I deploy a shiny new 2019 server?
EVE-NG Windows Virtual Machines
Yes! In fact the deployment procedure is the same for 2019 as it was for earlier versions of Windows server. First log onto your EVE-NG host and create the folder;
[box]
mkdir /opt/unetlab/addons/qemu/winserver-2019/
[/box]
Then ‘upload’ a copy of the Windows Server 2019 installation iso into that folder with WinSCP or FileZilla.
Now rename the ISO image file to cdrom.iso, then create a new (empty) hard drive file that we will install Windows onto. (Note: below I’m setting it to 60GB in size).
In EVE-NG create a new Lab and add in your Windows 2019 Server, then power it on.
It won’t find the hard drive, because it has not got the controller driver; click ‘Load Driver‘.
Navigate to B:\Storage\2003R2\amd64 OK > Next > It will detect and load the ‘Red Hat Virtio‘ driver and install Windows. Once done shut the Windows server down.
WARNING: If you intend to deploy ‘multiple’ server OSs into a single EVE-NG lab, then run ‘Sysprep‘ on the server image, select ‘Generalize’ and ‘Shutdown’, THEN commit the image once it’s shut down, (otherwise every copy has the same machine identity and hostname).
Now you need to ‘commit’ that image (so all new VMs will be created from that image). I’ve written about this before, see the following link;
If you have a host that you want to be able to access from outside the firewall, e.g. a web server, then this is the process you want to carry out. I didn’t find this process particularly intuitive and it highlighted why I don’t like GUI management interfaces, (in 6.4 the menu names have changed, thus rendering a million blog pages inaccurate!)
I’m setting this up in EVE-NG on the work bench and this is what I’m trying to achieve;
So to access my web server from ‘outside‘ the firewall I need to give it a NATed ‘public‘ address on 192.168.100.0/24. Here the server is on the LAN; if yours is in a DMZ, then substitute the DMZ interface for the inside one I’m using.
Solution
First task is to create a ‘Virtual IP‘, this will be the ‘public IP‘ that the web server will use. From the management interface > Policy and Objects > Virtual IPs > Create New > Virtual IP
Give it a sensible name, and add a comment if you wish > Set the interface to the public facing port > Type, set to ‘Static NAT‘ > External IP, (although it says range, just type in the single public IP) > Internal IP = Enter the LAN IP > OK.
Firewall Policy > Create New.
Note: If your firewall is older then 6.4 the tab is called ‘IPv4 Policy‘
Give the entry a name > Incoming Interface = the public interface > Outgoing Interface = the inside/LAN interface > Source = ALL > Destination = SET TO YOUR VIRTUAL IP (the VIP object, not the server’s address object) > Schedule = Always > Service = ALL (in production select HTTP and/or HTTPS only; this policy is reachable from the whole internet) > DISABLE NAT > OK. The NAT switch on a policy is source NAT: with it enabled the FortiGate would rewrite every client’s source address to its LAN interface IP, so the web server would see one address for everybody and its logs would be useless. The destination translation (public IP to 192.168.1.123) is already done by the VIP object, which is why the VIP goes in the Destination field.
Just to prove this is not all ‘Smoke and Mirrors‘ here’s my topology running in EVE-NG, and my external host (Named: Public-Client) Browsing to 192.168.100.110, and the Fortigate translates that to 192.168.1.123
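Two of the production caveats on this page (the sub-interface section’s “lock the trunk down” and this section’s “disable NAT, narrow the service”) are easy to turn into a check you can run against a FortiGate config backup. The script below is an added example (my code, not Fortinet’s or the author’s): it parses the ‘config system interface’, ‘config firewall vip’ and ‘config firewall policy’ tables, reports VLANs the Cisco trunk carries that no sub-interface on the parent port terminates (prune those) and sub-interface VLANs the trunk does not allow (those are broken), and flags any policy whose destination is a VIP that has NAT enabled or service ALL. The config fragment and the switchport line are constructed; the port names match the ones used on this page.

```python
# Constructed FortiOS config backup fragment for this example (not from a real
# firewall). FortiOS omits settings left at their default, so a policy with no
# "set nat" line has NAT disabled.
FORTIGATE_CONFIG = """
config system interface
    edit "VLAN10"
        set ip 10.0.10.1 255.255.255.0
        set interface "port3"
        set vlanid 10
    next
    edit "VLAN20"
        set ip 10.0.20.1 255.255.255.0
        set interface "port3"
        set vlanid 20
    next
end
config firewall vip
    edit "WEB-SERVER-VIP"
        set extip 192.168.100.110
        set mappedip "192.168.1.123"
    next
end
config firewall policy
    edit 1
        set dstaddr "WEB-SERVER-VIP"
        set service "ALL"
    next
    edit 2
        set dstaddr "WEB-SERVER-VIP"
        set service "HTTP" "HTTPS"
        set nat enable
    next
end
"""


def parse_tables(config_text):
    """Parse 'config <table> / edit <entry> / set <key> <value> / next / end' into
    {table: {entry: {key: value}}}. Nested config blocks inside an entry are skipped."""
    tables, table, entry, depth = {}, None, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if table is None:
                table, entry = line[7:], None
                tables[table] = {}
            else:
                depth += 1          # e.g. 'config ipv6' inside an interface
        elif line == "end":
            if depth:
                depth -= 1
            else:
                table = None
        elif depth:
            continue
        elif line.startswith("edit ") and table is not None:
            entry = line[5:].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[table][entry][key] = value.replace('"', "").strip()
        elif line == "next":
            entry = None
    return tables


def parse_allowed_vlans(switchport_line):
    """Expand 'switchport trunk allowed vlan 10,20,30-32' into a set of VLAN IDs.
    'all' means 1-4094; the add/remove/except forms are not handled."""
    tokens = switchport_line.split()
    spec = tokens[tokens.index("vlan") + 1] if "vlan" in tokens else "all"
    if spec == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def check_trunk(tables, parent, allowed):
    """Return (VLANs to prune from the trunk, sub-interface VLANs the trunk drops)."""
    terminated = {int(e["vlanid"]) for e in tables["system interface"].values()
                  if "vlanid" in e and e.get("interface") == parent}
    return sorted(allowed - terminated), sorted(terminated - allowed)


def check_vip_policies(tables):
    """Findings for policies whose destination is a VIP: policy NAT is source NAT
    (hides the client from the server) and service ALL is lab-only."""
    vips = set(tables["firewall vip"])
    findings = []
    for pid, pol in tables["firewall policy"].items():
        if not vips & set(pol.get("dstaddr", "").split()):
            continue
        if pol.get("nat", "disable") == "enable":
            findings.append((pid, "nat enabled: server sees the firewall's LAN IP, not the client"))
        if "ALL" in pol.get("service", "").split():
            findings.append((pid, "service ALL: restrict to HTTP/HTTPS in production"))
    return findings


if __name__ == "__main__":
    tables = parse_tables(FORTIGATE_CONFIG)
    prune, broken = check_trunk(tables, "port3", parse_allowed_vlans("switchport trunk allowed vlan all"))
    print(f"trunk carries {len(prune)} VLANs that port3 does not terminate; broken: {broken}")
    for pid, msg in check_vip_policies(tables):
        print(f"policy {pid}: {msg}")
```

With the lazy ‘allowed vlan all’ trunk the script reports 4092 VLANs to prune; feed it the real ‘switchport trunk allowed vlan’ line from the core switch and the list shrinks to whatever you actually forgot to remove.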
The firm I work for are looking at a replacement for Cisco ASA as their preferred firewall of choice. We are looking at Fortinet to fill this gap, but as a product/solution it’s something I know very little about.
So the best way to learn is to deploy and play with, and the test bench weapon of choice for discerning technical types is EVE-NG. So can I deploy the newest (v6.4.2 at time of writing) Fortigate firewall into EVE-NG? Indeed, read on.
Solution
Getting the VM is pretty easy, Fortinet allows you to create a free login account, and download the trial version. REMEMBER you want the KVM version of the appliance!
If you didn’t know EVE-NG (and the Qemu software that runs inside it) needs to have its images in certain named folders. So log into your EVE-NG appliance and create a new folder;
Note: the folder name must start with fortinet- (that prefix is how EVE-NG recognises the image type; the rest of the name is yours, the version is the usual choice), as in the commands below 🙂
Now copy your downloaded image into this folder, I use WinSCP, but FileZilla is also free. Remember that your transfer method should be set to ‘binary’.
Back in the EVE-NG console, you need to unzip the appliance, then rename it (EVE-NG also needs the images to have certain names). Then you can delete the original Zip file, and make sure the permissions are set correctly.
[box]
cd /opt/unetlab/addons/qemu/fortinet-FGT-v6.4.2
unzip FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
mv fortios.qcow2 virtioa.qcow2
rm FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions
[/box]
That’s the hard part done. Log into EVE-NG create a new lab and drop a Fortigate device into the workspace. (Note: You can raise the RAM to 2048 to get it to perform a little better, but no higher though, as only 2GB is permitted with the trial licence).
Allow Web Management Of Fortigate VM
I’ve included this bit because most articles don’t, and if I’m unfamiliar with FortiGate then some of you will be also. Essentially you set up the interface that you will be using as the inside interface with a static IP and allow web management via HTTP. (Note: first you will be asked to change the admin password). Two things to be aware of: ‘set allowaccess’ replaces the whole access list on that interface, so list every protocol you want (e.g. http https ssh ping), and HTTP is cleartext, which is fine on an isolated lab segment but nowhere else, so prefer https outside the lab.
[box]
config system interface
edit port1
set mode static
set ip 192.168.1.1 255.255.255.0
set allowaccess http
end
[/box]
Then from a management VM, (on the same network segment) connect to the appliance and log in.
If you just see a blank screen with no logon options see this article.
I’ve been trying to deploy a Fortigate into EVE-NG (article to follow) this week. I could get the appliance running fine but when I tried to access the web management console all I got was the following.
Note: I have a couple of management VMs in EVE-NG (Windows 7 and Server 2012); they had a mixture of IE, Chrome and Firefox on them, but still I could not get in?
Solution
All forums yielded no more info other than ‘Check you have allowed access for http’. But as you can see (above) the Fortinet logo is on the window, so I was hitting the firewall and http was allowed? (Also the http daemon was running inside the appliance.)
Just for fun I connected the outside interface to my test network, allowed http, and tried from there: it worked perfectly? So I deployed another FortiGate and connected the ‘inside’ interface to my test network; again it worked fine? At this point it was becoming obvious that my management machines’ browsers were probably the problem. So I deployed a new Kali Linux VM, fired up Firefox and;
That took a LOT longer than it needed to!
I already had some F5 Images in my EVE-NG, but I wanted to run version 16.x. However, I didn’t think that was officially supported, so I thought I would try and get it running anyway!
Solution
There’s no need to scour the internet for ‘dodgy’ versions; F5 will quite happily give you the latest version: just sign up for a free account and you can download the image. While you are there, you can apply for a trial licence, (or two if you want to test HA).
Important: I use FileZilla to upload images into EVE-NG; make sure your transfers are set to ‘binary’. I’ve seen this break things in the past, so mine’s already set up to use that by default;
Upload the image into EVE-NG, (I’ve shown the location, on the image below).
Now, SSH into EVE-NG, extract/unzip the image, then copy/rename it to virtioa.qcow2, remove the ZIP file, and finally fix the permissions; (Change the values in bold (below) to match your version);
[box]
cd /opt/unetlab/addons/qemu/bigip-16.0/
unzip BIGIP-16.0.0-0.0.12.ALL.qcow2.zip
mv BIGIP-16.0.0-0.0.12.ALL.qcow2 virtioa.qcow2
rm BIGIP-16.0.0-0.0.12.ALL.qcow2.zip
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions
[/box]
You will be asked to change the passwords. (Note: The admin password may expire straight away so you will need to change it again when you log into the web console!)
To ‘Get Access’ you will need to configure the Management Network on the F5, to do that run the config command.
I don’t wish to insult your intelligence by walking through these steps: set an IP address and subnet mask on the management port.
In ‘most’ cases you won’t want a default route on the management network, (normally that’s set on the ‘External‘ network), and that management network should only be reachable from your admin hosts.
Now browse to the appliance from a host on the management network, you will need to log on as the ‘admin‘ user, and (as I mentioned above), I needed to reset the password again!
Now you can configure the appliance, when your trial licences, (unless you bought some lab licences,) come through.
Recently I was building a lab for testing load balancing, and needed some web servers, I could have built three Windows servers, but I wanted to run them in EVE-NG, so they had to be as light as I could make them. I chose TinyCore Linux, (I know there are smaller options, but it’s light enough for me to run, and work with).
The problem occurs when you reboot the TinyCore host, it (by default) reverts back to its vanilla state, (that’s not strictly true, a couple of folders are persistent).
So I had to build a server that would let me SFTP some web content into it and allow me to reboot it without losing the web content, settings, and IP address.
Step 1: Configure TinyCore IP & Web Server
This is a two step procedure: first I’m going to give it a static IP, then start SSH (so I can SFTP content in) and TFTP.
[box]
sudo ifconfig eth0 192.168.100.110 netmask 255.255.255.0
sudo route add default gw 192.168.100.1
cd /usr/local/etc/init.d/
./openssh start
cd /etc/init.d/services/
./tftpd start
[/box]
Now create a basic web page, (index.html) which you can update later. Setup the website, then copy that file to a location that will be persistent (you will see why later).
[box]
cd /usr/local/httpd/bin
sudo ./busybox httpd -p 80 -h /usr/local/httpd/bin/
sudo vi index.html {ENTER SOME TEXT TO TEST, AND SAVE}
sudo mkdir /mnt/sda1/wwwsite/
sudo cp /usr/local/httpd/bin/index.html /mnt/sda1/wwwsite/index.html
[/box]
At this point, (if you want) you can use your favourite SFTP client, (I recommend FileZilla or WinSCP) and copy in some live web content to /mnt/sda1/wwwsite/ But ensure the home/landing page is still index.html though!
Step 2: Make TinyCore Settings ‘Persistent’
There may be better ways to do this, but this just worked for me and made sense! TinyCore runs a shell script (/opt/bootlocal.sh, as root) as the machine boots, so if you edit that file and put in the commands to configure the IP, copy the website files from the persistent mount folder, start the web server, then start SSH and TFTP, you end up with a server doing what you want every time it boots. (/opt is in TinyCore’s default backup list, so the filetool.sh backup at the end saves the script itself.)
[box]
sudo vi /opt/bootlocal.sh
ADD THE FOLLOWING TO THE BOTTOM OF THE FILE;
# bootlocal.sh already runs as root, so the sudo prefixes are harmless but not needed
sudo ifconfig eth0 192.168.100.110 netmask 255.255.255.0
sudo route add default gw 192.168.100.1
# restore the whole site (not just index.html) from the persistent partition
cp -r /mnt/sda1/wwwsite/. /usr/local/httpd/bin/
cd /usr/local/httpd/bin/
sudo ./busybox httpd -p 80 -h /usr/local/httpd/bin/
cd /usr/local/etc/init.d/
./openssh start
cd /etc/init.d/services/
./tftpd start
[/box]
Save and exit the file, then finally BACKUP THE CHANGES with the following command;
[box]
filetool.sh -b
[/box]
I’ve been working on a load balancing lab in EVE-NG this last week or so. I created some web servers (in TinyCore Linux,) to act as the web servers in that lab. (Essentially they serve a different colour web page so I can test the load balancing is working OK).
Now I wanted to save the changes I made so that I could redeploy the configured servers to multiple labs. But when you deploy a qemu VM as a node in a lab, EVE-NG copies the VM to the lab, and the changes you make, only apply to the node, in the lab, in the pod, you are working on!
So I wanted to update the ‘Master‘ image in EVE-NG, with the one I configured. Here is how to do that;
Solution
First you need your POD NUMBER; you can get that from the user management screen. Below you can see my user (already logged on) is using pod number 1.
Now you need to get the LAB ID NUMBER. Open the lab > Shut down the machine that you want to save the changes from > Lab Details > Copy the lab ID number.
Lastly you need the NODE ID NUMBER. Either select Nodes and take note of the number, or right click the node and the node ID is shown (in brackets).
Armed with those three pieces of information, SSH into the EVE-NG host, and execute the following commands;
[box]
cd /opt/unetlab/tmp/POD-NUMBER/LAB-ID/NODE-ID/
for example;
cd /opt/unetlab/tmp/1/2277307f-b0bc-45a4-831f-a89a716b5841/3/
[/box]
Now, depending on the VM/appliance in question, it may be called hda.qcow2 or virtioa.qcow2 (a quick ls command will tell you!). Take the name and commit the changes with the following command. This writes the node’s changes back into the master image under /opt/unetlab/addons/qemu/, so every new node created from that image, in every lab, picks them up; make sure the node is shut down first.
[box]
/opt/qemu/bin/qemu-img commit hda.qcow2
[/box]
Job done!
Yes but you wanted three different servers? Correct, I then copied the server (twice) edited the IP address, and the web page served on the two copies and committed the changes back to the original VMs!
A colleague was doing a firewall migration yesterday and I offered to sit in, in case he had any problems, one of the tasks was a VPN tunnel getting migrated, this is usually painless, (if you have control of both ends!) But in this case we didn’t, and it’s usually the case, when there’s VPN problems, the people at the {ahem} ‘less experienced,’ end of the tunnel tend to blame the other end.
I asked if we could get on the client’s servers to set up a constant ping, (to force the tunnel up as soon as the far side had changed peer ip addresses). But we couldn’t, I was asked ‘Can we not bring the tunnel up from the ASA?’
Solution
Note: To save people emailing me to ask, the above is virtualised using EVE-NG in VMware ESX.
Well, yes you can do this, BUT there are some caveats:
The inside IP of the ASA needs to be part of the ACL that declares ‘interesting traffic’, i.e. the one matched in the crypto map.
The inside IP of the ASA needs to also be in the NAT exemption for the VPN traffic.
‘Management-access inside‘ needs to be enabled in the config, (so traffic can be sourced from that interface).
Then, (assuming 192.168.1.10 is an IP address at the far-end of the VPN tunnel), use the following syntax;
[box]
ping inside 192.168.1.10
[/box]
Note: This assumes your inside interface is called ‘inside‘, yours may be called LAN, or Inside, or something else.
Well my IP is on a different range to the inside interface, or I can’t enable management-access inside, and/or my IPs are not in the nat exemption! Jeez there’s always one! Well in your case you can simulate VPN traffic to bring the tunnel up, with packet-tracer, like so;
Note: This assumes 172.16.1.1 is at YOUR site and 192.168.1.10 is at the OTHER site, and that your interesting-traffic ACL permits TCP port 80, (most of them permit all ports, but you may be in a more secure environment, so check). packet-tracer pushes the simulated packet through the ASA’s processing path, VPN phase included, so if it matches the crypto map the ASA negotiates the tunnel just as if a real host had sent it.