Archive for the ‘Firewalls’ Category

CSF bugs and updates

Saturday, June 25th, 2016

ConfigServer Security and Firewall (CSF) is a great program for managing iptables/netfilter firewall rules on Linux servers and performing automated blocks based on various things such as brute force login attempts (check it out at http://www.configserver.com/cp/csf.html). I really shouldn’t complain given that it’s free, but sometimes I really do wonder if ConfigServer/Way to the Web actually do any testing at all before releasing new versions!

7 issues fixed in 6 bugfix releases (9.01 to 9.06) in 2 days! It’s a good job that the automatic update feature works properly…

Upgrading to Junos 12.3 from before 10.4R2 on Juniper EX

Monday, October 19th, 2015

In the release notes for Junos 12.3 (http://www.juniper.net/techpubs/en_US/junos12.3/information-products/topic-collections/release-notes/12.3/topic-69605.html#pre-resilient-dual-root-upgrade-ex) on Juniper EX series switches, it says:

Upgrading from Junos OS Release 10.4R2 or Earlier

To upgrade to Junos OS Release 12.3 from Junos OS Release 10.4R2 or earlier, first upgrade to Junos OS Release 11.4 by following the instructions in the Junos OS Release 11.4 release notes. See Upgrading from Junos OS Release 10.4R2 or Earlier or Upgrading from Junos OS Release 10.4R3 or Later in the Junos OS 11.4 Release Notes.

Unfortunately, Juniper don’t list any Junos releases older than 12.3R1 for the EX4200 (and possibly other EX series) on their download site.

After poking around the Juniper support site for a bit, I found technical bulletin TSB16151 (https://kb.juniper.net/InfoCenter/index?page=content&id=TSB16151), which contains downloads for Junos 11.4R8-S1 on EX2200, EX3200, EX3300, EX4200, EX4500, EX6200, EX8200 and XRE-200.

With this and the jloader files from technical bulletin TSB15524 (http://kb.juniper.net/InfoCenter/index?page=content&id=TSB15524), I was able to complete the upgrade successfully.

Fortinet FortiOS firmware upgrade – Upload file is too big or invalid

Sunday, June 5th, 2011

If you receive an “Upload file is too big or invalid” error message when trying to upload a new FortiOS image to your Fortinet device via the web interface, then the first thing to try is giving the device a quick reboot in order to free up memory to hold the uploaded copy of the firmware image.

If this doesn’t fix the problem, then I’ve had much more success with running the update process from the command line, although this does require you to have the new FortiOS image on a TFTP server so that the Fortinet device can download it. Once you have issued the command, the device will download the new image and reboot.

The exact command varies depending on the device type; for example, FortiGate devices have the option of FTP or TFTP downloads, whilst FortiMail devices can only download new FortiOS images via TFTP.

For a FortiGate device:

exec restore image tftp

For a FortiManager device running FortiOS 3.x:

exec restore image

For a FortiManager device running FortiOS 4.x:

exec restore image tftp

For a FortiAnalyzer device running FortiOS 3.x:

exec restore image

For a FortiAnalyzer device running FortiOS 4.x:

exec restore image tftp

For a FortiMail device running FortiOS 3.x:

exec restore image

For a FortiMail device running FortiOS 4.x:

exec restore image tftp

Depending on the device and FortiOS version, you may have other file transfer options such as FTP available to you. Devices registered with a FortiManager can also update their FortiOS image by downloading a new one from the FortiManager unit.

If you are still having problems getting the new FortiOS firmware image onto your Fortinet device, then you can also download a FortiOS image via TFTP from within the Fortinet bootloader/BIOS using the serial console.

Connect a serial console to your device and reboot it, then interrupt the boot sequence when prompted. In the menu, select the option to download a new FortiOS firmware image and provide the file name, server IP address and local IP address.

Right at the start of the boot process, you should see a message along the lines of:

Press any key to display configuration menu…

Once you have pressed a key, then the following configuration menu should appear:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[I]: Configuration and information.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,I,Q,or H:

At the configuration menu, type “G” and press Enter, and you will be asked to enter the details needed to TFTP a new image to your Fortinet device:

Enter TFTP server address [192.168.1.168]:
Enter local address [192.168.1.188]:
Enter firmware image file name [image.out]:

You will need to be on the same subnet as the TFTP server in order to do this.
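Before pushing an image over TFTP, whether from the CLI commands above or from the bootloader menu, it is worth checking the three things that cause the failures described in this post: the image being larger than the device can hold, the local and TFTP server addresses not sharing a subnet (the bootloader has no route to anything else), and the file not matching the checksum the vendor publishes, so that a corrupted or tampered image is never flashed. The following is an added example written for this post, not code from the original article or from Fortinet; the sample image bytes, size limit and checksum in it are constructed for the demonstration, and the `prompt_default` helper simply reads the default value out of a bootloader prompt line like the ones shown above.

```python
"""Pre-flight checks for a FortiOS image before a TFTP upgrade (added example)."""
import hashlib
import ipaddress
import re
from typing import List

# Constructed stand-in for a firmware image; a real image.out is a binary blob.
SAMPLE_IMAGE = b"FortiOS demo image bytes " * 64


def prompt_default(line: str) -> str:
    """Extract the bracketed default from a bootloader prompt such as
    'Enter TFTP server address [192.168.1.168]:'. Returns '' if absent."""
    match = re.search(r"\[([^\]]*)\]", line)
    return match.group(1) if match else ""


def same_subnet(local_ip: str, server_ip: str, netmask: str) -> bool:
    """True when the TFTP server sits inside the subnet the device's
    local address belongs to, i.e. reachable without a router."""
    network = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(server_ip) in network


def sha256_of(image: bytes) -> str:
    """Hex SHA-256 of the image, to compare with the vendor-published value."""
    return hashlib.sha256(image).hexdigest()


def preflight(image: bytes, expected_sha256: str, max_size: int,
              local_ip: str, server_ip: str, netmask: str) -> List[str]:
    """Return a list of problems found; an empty list means it is safe to
    proceed with 'exec restore image tftp' or the bootloader [G] option."""
    problems = []
    if len(image) > max_size:
        problems.append(
            f"image is {len(image)} bytes but the device limit is {max_size}")
    actual = sha256_of(image)
    if actual != expected_sha256.lower():
        problems.append(
            f"sha256 mismatch: got {actual[:16]}..., expected {expected_sha256[:16]}...")
    if not same_subnet(local_ip, server_ip, netmask):
        problems.append(
            f"TFTP server {server_ip} is not on the same subnet as {local_ip}/{netmask}")
    return problems


if __name__ == "__main__":
    # Defaults taken from the bootloader prompts shown in the post.
    server = prompt_default("Enter TFTP server address [192.168.1.168]:")
    local = prompt_default("Enter local address [192.168.1.188]:")
    expected = sha256_of(SAMPLE_IMAGE)  # in practice: the vendor's published hash
    for problem in preflight(SAMPLE_IMAGE, expected, 4 * 1024 * 1024,
                             local, server, "255.255.255.0"):
        print("PROBLEM:", problem)
    print("checks complete")
```

Run the script as-is and it reports no problems for the two addresses in the post, which are both on 192.168.1.0/24; change the server address to one on another network, or lower the size limit below the image size, and the corresponding problem line is printed instead. The checksum comparison is the check that matters most from a security standpoint: a TFTP transfer has no integrity protection of its own, so comparing the hash of the file you are about to flash against the one published with the release is the only assurance that what the device boots is what the vendor shipped.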

Fortinet SSL VPN interface limitations

Saturday, March 26th, 2011

There seem to be some interface related limitations with the SSL VPN implementation on Fortinet’s FortiGate firewall devices which prevent you from connecting to the Fortinet SSL VPN on the IP address of an interface other than the one which your traffic enters the firewall on.

In other words, even with the appropriate rules configured in the firewall policy to allow your traffic to pass through the FortiGate between the interface that it is received on and the interface that the SSL VPN traffic is destined for, the FortiGate unit doesn’t respond.

I have been able to verify that this bug/feature is present in the latest build of FortiOS 3.0, but haven’t been able to test with any of the FortiOS 4.0 releases yet.

In my case, this was a problem because the WAN interface has a private IP address on it with a block of public IP addresses routed to the unit and in use on the LAN interface. In the end I worked around this by routing a single additional public address to the unit and configuring it as a secondary address on the WAN interface with a /32 subnet mask. The SSL VPN could then be accessed from this public IP address.