
1. Afreeca TV

F-SBID( --protocol tcp; --service http; --flow from_client; --pattern ".afreeca."; --context host; --no_case; --app_cat 5; )

2. Naver Café

F-SBID( --protocol tcp; --service http; --flow from_client; --pattern "cafe.naver.com"; --context host; --no_case; --app_cat 23; )

F-SBID( --protocol tcp; --service http; --flow from_client; --pattern "cafe"; --context host; --no_case; --within 10,context; --pattern ".naver.net"; --context host; --no_case; --app_cat 23; )

3. KakaoStory

F-SBID( --protocol tcp; --service SSL; --pattern "story.kakao.com"; --context host; --no_case; --app_cat 23; )

F-SBID( --protocol tcp; --service SSL; --pattern "story."; --context host; --no_case; --pattern ".kakaocdn.net"; --context host; --no_case; --app_cat 23; )

F-SBID( --protocol tcp; --service SSL; --pattern "story-"; --context host; --no_case; --pattern ".kakao"; --context host; --no_case; --app_cat 23; )

F-SBID( --protocol tcp; --service http; --flow from_client; --pattern "User-Agent: "; --context header; --no_case; --pattern "KakaoStory"; --context header; --no_case; --within 20; --app_cat 23; )

FG # sh ips custom Apache.Struts.CVE.2017.5638.Custom
config ips custom
    edit "Apache.Struts.CVE.2017.5638.Custom"
        set signature "F-SBID( --attack_id 7386; --name Apache.Struts.CVE.2017.5638.Custom; --protocol tcp; --service HTTP; --flow from_client; --pattern Content-Type:; --context header; --no_case; --pattern multipart/form-data; --context header; --no_case; --within 64; --pattern %{; --context header; --distance -32; --within 64; --pcre /%{[^x0a]*([^x0a]*)/i; --context header; --distance -2;   )"
        set log-packet enable
        set action block
        set comment "CVE-2017-5638"
    next
end
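To check what the pattern chain of the custom signature above actually matches before deploying it, the following added example (my own code, not Fortinet's and not from the original post) emulates its --context header, --within and --distance windows in Python over constructed request bytes; the sample requests, host name and function names are assumptions.

```python
"""Added example (not from the original post, not Fortinet code): a host-side
approximation of the custom F-SBID signature above, run over raw request bytes
so the --within/--distance windows can be reasoned about offline."""
import re

WITHIN_MULTIPART = 64   # --pattern multipart/form-data; --within 64
DISTANCE_BACK = 32      # --pattern %{; --distance -32
WITHIN_OGNL = 64        # ...; --within 64
# The page's pcre /%{[^x0a]*([^x0a]*)/i: "%{" then anything up to a newline.
OGNL_RE = re.compile(rb"%\{[^\x0a]*", re.IGNORECASE)


def header_block(request: bytes) -> bytes:
    """--context header: only the bytes before the blank line are searched."""
    end = request.find(b"\r\n\r\n")
    return request if end < 0 else request[:end]


def matches_struts_signature(request: bytes) -> bool:
    """Emulate the signature's ordered pattern chain on one client request."""
    headers = header_block(request).lower()          # --no_case
    ct = headers.find(b"content-type:")
    if ct < 0:
        return False
    ct_end = ct + len(b"content-type:")
    mp = headers.find(b"multipart/form-data", ct_end, ct_end + WITHIN_MULTIPART)
    if mp < 0:
        return False
    mp_end = mp + len(b"multipart/form-data")
    # Negative distance: "%{" may sit up to 32 bytes before the end of the
    # previous match, which is how the header-injection form is caught.
    start = max(0, mp_end - DISTANCE_BACK)
    ognl = headers.find(b"%{", start, start + WITHIN_OGNL)
    if ognl < 0:
        return False
    return OGNL_RE.match(headers, ognl) is not None


# Constructed samples (no real payload): header form, benign upload, body only.
SUSPICIOUS = (b"POST /upload HTTP/1.1\r\nHost: app.example.test\r\n"
              b"Content-Type: %{#x='multipart/form-data'}\r\n\r\n")
BENIGN = (b"POST /upload HTTP/1.1\r\nHost: app.example.test\r\n"
          b"Content-Type: multipart/form-data; boundary=----abc\r\n\r\n")
BODY_ONLY = (b"POST /upload HTTP/1.1\r\nContent-Type: multipart/form-data; "
             b"boundary=x\r\n\r\n%{not in header context}")

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS), ("benign", BENIGN), ("body", BODY_ONLY)):
        print(label, matches_struts_signature(req))   # True, False, False
```

The third sample shows why --context header matters: the same marker in the body is not a match for this rule.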

 


*Constraints*
(1) SSL VPN: only FortiClient v5.2 works (v5.4 and later cannot connect)
(2) Endpoint Control: supported on 5.4 and later (including v5.6)

*Test results*

[External access: SSLVPN - Host Check Software]

1-0. Environment: FortiClient v5.2.6.0664

1-1. Single setting (tested with KakaoTalk.exe as the 3rd-party check program)

config vpn ssl web host-check-software
    edit "KakaoTalk-2.5.6.1543"
        set type fw
        set version "2.5.6.1543"
        config check-item-list
            edit 1
                set type process
                set target "KakaoTalk.exe"
                set version "2.5.6.1543"
                set md5s "62765EA78EABD95DC986EC285165EB7C"
            next
        end
    next
end

config vpn ssl web portal
    edit "NICS-SSLVPN"
        set tunnel-mode enable
        set host-check custom
        set auto-connect enable
        set keep-alive enable
        set save-password enable
        set ip-pools "SSLVPN_192.168.221.[100-200]"
        set split-tunneling disable
        set host-check-policy "KakaoTalk-2.5.6.1543"
    next
end

1-2. Combined setting (both KakaoTalk.exe and V3Lite.exe must be running - AND condition)

config vpn ssl web host-check-software
    edit "NICSTECH"
        set type fw
        config check-item-list
            edit 1
                set type process
                set target "V3Lite.exe"
                set version "3.0.1.181"
                set md5s "8712E59F299F740DD0B5931788DB94EB"
            next
            edit 2
                set type process
                set target "KakaoTalk.exe"
                set version "2.5.6.1543"
                set md5s "62765EA78EABD95DC986EC285165EB7C"
            next
        end
    next
end

config vpn ssl web portal
    edit "NICS-SSLVPN"
        set tunnel-mode enable
        set host-check custom
        set auto-connect enable
        set keep-alive enable
        set save-password enable
        set ip-pools "SSLVPN_192.168.221.[100-200]"
        set split-tunneling disable
        set host-check-policy "NICSTECH"
    next
end

2-1. Test result (when the checked file is not running: KakaoTalk.exe)

2-1. Single test (when the checked file is running: KakaoTalk.exe)

[Internal access: endpoint-control profile]

1-0. Environment: FortiClient v5.4.3.0870 / v5.6.0.1075 + FortiGate 5.4.5

1-1. Setting (tested with KakaoTalk.exe as the 3rd-party check program)

config endpoint-control profile
    edit "default"
        config forticlient-winmac-settings
            config forticlient-running-app
                edit 1
                    set app-name "KakaoTalk-2.5.6.1543"
                    set process-name "KakaoTalk.exe"
                    set app-sha256-signature "D3B4DEB0CAB4DE483CA7769CFC5289DCBBF30502626E15DE4A32B50E9F3287F5"
                next
            end
            set forticlient-log-upload disable
            set forticlient-vuln-scan disable
        end
        config forticlient-android-settings
        end
        config forticlient-ios-settings
        end
    next
end

2. Test (behaviour depending on the compliance-action setting)

FortiGate-VM64 # config endpoint-control profile
FortiGate-VM64 (profile) # edit default
FortiGate-VM64 (default) # config forticlient-winmac-settings
FortiGate-VM64 (forticlient-winm~ngs) # set compliance-action
block          Block.
warning        Warning.
auto-update    Auto update.

2-1. With compliance-action=auto-update, the required component is downloaded and updated automatically

2-2. With compliance-action=block or warning, a block pop-up and a log notification appear

(a) Non-compliant case (KakaoTalk.exe not running)

(b) Compliant case (after KakaoTalk.exe is started)

3. Monitoring on the FortiGate

(1) FortiClient Monitor

(2) Device Inventory

(3) Endpoint Events Log

4-1. Caution: when FortiClient is not installed, has been removed, or a lower version (5.2) is installed, an installation-prompt page pops up

Initial connection screen after FortiClient is installed

4-2. Caution: manually dropping the connection - Disconnect

Until the client reconnects and compliance is satisfied, "no Internet access"

5. Other: MD5 and SHA256 checksums

 

 

 


Technical Note: FortiAnalyzer SQL database delete and rebuild

Products

FortiAnalyzer v5.0
FortiAnalyzer v5.2

Description

Occasionally an upgrade does not correctly update the SQL database and reporting will cease to function properly due to missing/misnamed columns and/or indexes.
 
“exec sql-local rebuild-db” is the first option, but if that does not resolve the issue then deleting and rebuilding of the database is the next step.

Solution

 

Remove and re-create the SQL db:
 
1) Change operation mode to collector
 
config system global
set log-mode collector
end
 
2) Disable SQL and remove the current database
 
config system sql
set status disable
end
 
execute sql-local remove-db
 
3) Re-enable SQL
 
config system sql
set status local
end
 
4) Change operation mode back to analyzer
 
config system global
set log-mode analyzer
end
 
5) Rebuild database
 
exec sql-local rebuild-db
 
 
 
Notes:
 
(1) The rebuild-db command causes the unit to reboot and the rebuild starts when the unit comes back up.
 
(2) Use the command 'diag sql status rebuild-db' to show the status of the rebuild.
 
(3) The time required to rebuild the database depends on the amount of logs stored on the unit.
 
(4) Although this procedure does not remove any log files it is recommended to backup log files beforehand as a precaution.

 

1. Create the MAC binding table
config firewall ipmacbinding table
    edit 1
        set mac 사용자맥주소1
        set name "사용자명1"
        set status enable
    next
    edit 2
        set mac 사용자맥주소2
        set name "사용자명2"
        set status enable
    next
    …
end
2. Configure and apply the MAC binding options
config firewall ipmacbinding setting
    set bindthroughfw enable
    set bindtofw enable
    set undefinedhost block
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.0
        set allowaccess ping https ssh snmp
        set ipmac enable
        set type physical
        set snmp-index 5
    next
end

 

$ sudo passwd
[sudo] Changing password for root
New password:
Retype new password:
passwd: all authentication tokens updated successfully
$ su -
Password:
#
# SRC+ DST Any
domain { id = 1 }  AND rule { (source.any = true) and (destination.any=true) }
# SRC + SVC Any
domain { id = 1 }  AND rule { (source.any= true) and (service.any=true) }
# DST + SVC Any
domain { id = 1 }  AND rule { (destination.any= true) and (service.any=true) }
# SRC + DST + SVC Any
domain { id = 1 }  AND rule { (source.any=true) and  (destination.any= true) and (service.any=true) }
# Last 30days Hit.Count=0
domain { id = 1 }  AND rule { usage(date('last 30 days')).count = 0 }
# All policies
domain { id = 1 } and device
domain { id = 1 } and device
# Used policies
domain { id = 1 } and device and rule
# Unused policies
domain { id = 1 } and device and rule
# Log Disable
domain { id = 1 }  AND rule { (disabled = true) }
# No Logging
domain { id = 1 }  AND rule { (log = false) }
# Disable or No Logging
domain { id = 1 }  AND rule { (disabled = true OR log = false) }
# No Comment
domain { id = 1 }  AND rule { comment is null }
# Create rule last 30 days
domain { id = 1 } and rule
# Search by management IP
device
# Action Filter
domain { id = 1 } and device AND rule { action='ACCEPT' or action='AUTHENTICATE' or action='DROP' or action='ENCRYPT' or action='REJECT'  }
# Action & Service.any
rule
# Source Filter
rule { source is subset of ('7.7.7.4','7.7.7.5')}
rule { source is subset of ('7.7.7.4','7.7.7.5') and usage (date('last 30 days')).count >100}
domain { id = 1 } and  device and rule
# SRC + policy enabled/disabled + Action
rule
# Period + Count
rule
rule
# Period + Created Policy
domain and device and  rule
# Period + last Changed Policy
rule
 
Frequently used queries
Across all firewalls, excluding disabled policies and policies newly created between Feb 28 and Mar 29, list the policies whose hit count over the given period (30) is 0
and rule{ disabled= false or log= false and created !~ date(2017-02-28T00:00:00, 2017-03-29T23:59:59) and usage(date(2017-02-28T00:00:00, 2017-03-29T23:59:59)).count = 0 }
Policies with no usage during a given period (30, 90, 180 days, etc.)
Policies with usage during a given period (30, 90, 180 days, etc.)
and rule

and rule
Usage of policies created during a given period (30, 90, 180 days, etc.), excluding those created within the last 7 days
and rule
Any-allow policies during a given period (30, 90, 180 days, etc.), excluding the unused ones
and rule
Policies with a hit count (usage) of 1 or more during a given period (30, 90, 180 days, etc.)
and rule
Policies unused from 2017-02-01 until now (or until 2017-04-30)
and rule{ disabled= false and created !~ date(2017-02-01T00:00:00, 2017-04-30T23:59:59) and usage(date(2017-02-01T00:00:00, 2017-04-30T23:59:59)).count = 0}
Policies last used before 2017-02-01
and rule {  disabled= false and lastuseddate <= 2017-02-01T23:59:59+09:00 }
Policies in the "Pri to DB" policy set that have never been used
and policy { name = 'From: PRI To: DB' }  AND rule { usage().count = 0 }
ANY search queries
1. Source-any allow policies, excluding disabled
and rule { action='ACCEPT' AND disabled='FALSE' AND (source.any = true OR (( source intersects '0.0.0.0' )) )  }
2. Destination-any allow policies, excluding disabled
and rule { action='ACCEPT' AND disabled='FALSE' AND (destination.any = true OR (( destination intersects '0.0.0.0' )) )  }
3. Service-any allow policies, excluding disabled
and rule { action='ACCEPT' AND disabled='FALSE' AND (service.any = true OR (( service intersects 'ANY' )) )  }
4. Source + destination any allow policies, excluding disabled
and rule { action='ACCEPT' AND disabled='FALSE' AND (destination.any = true OR (( destination intersects '0.0.0.0' )) )  AND (source.any = true OR (( source intersects '0.0.0.0' )) )  }
5. Source + service any allow policies, excluding disabled
and rule { action='ACCEPT' AND disabled='FALSE' AND (service.any = true OR (( service intersects 'ANY' )) ) AND (source.any = true OR (( source intersects '0.0.0.0' )) )  }
6. Destination + service any allow policies, excluding disabled
and rule { action='ACCEPT' AND disabled='FALSE' AND (destination.any = true OR (( destination intersects '0.0.0.0' )) )  AND (service.any = true OR (( service intersects 'ANY' )) )  }
7. Source + destination + service any allow policies, excluding disabled
and rule { (destination.any = true OR (( destination intersects '0.0.0.0' )) ) AND action='ACCEPT' AND disabled='FALSE' AND (service.any = true OR (( service intersects 'ANY' )) ) AND (source.any = true OR (( source intersects '0.0.0.0' )) )  }
Search for a specific port
1. Including ANY
and rule { action='ACCEPT' AND (service.any = true OR (( service intersects 'udp/137' )) )  }
2. Excluding ANY
and rule { action='ACCEPT' AND (service.any = false AND (( service intersects 'udp/137' )) ) }
Search by host - matches objects inside groups / excludes address ranges
RULE { SOURCE IS SUPERSET OF '192.0.0.5' AND SOURCE.ANY = FALSE AND ( SOURCE.TYPE != 'NETWORK' OR SOURCE.TYPE != 'ADDRESS_RANGE') }
or
RULE
Search with several specific DEVICEs selected
DEVICE { ID = 152 OR ID = 7 } AND RULE{ DESTINATION IS SUPERSET OF '192.168.10.55' AND DESTINATION.ANY = FALSE }
Allow policies on an IP range that are not disabled, excluding ANY
RULE {  action='ACCEPT' AND disabled='FALSE' AND (SOURCE IS SUPERSET OF '121.125.26.0/24' ) AND source.any = false }
Policies that use a specific object/group
Rule { SOURCE.name ~ 'SOFT' }
Bidirectional policy search
Rule { SOURCE.ANY =FALSE and  DESTINATION.ANY=FALSE AND  SOURCE equals  DESTINATION }
Policies that contain 10 IPs in a single policy, or policies that contain 10 or fewer IPs in a single policy
Rule { SOURCE.EXPANDEDOBJECTCOUNT = 10 } or Rule { SOURCE.EXPANDEDOBJECTCOUNT != 10 }
Allow policies, excluding ANY, where a specific IP is in the source or a specific IP is in the destination
RULE { SOURCE IS SUPERSET OF '218.232.186.219' OR DESTINATION IS SUPERSET OF '114.202.129.73' AND source.any = false AND destination.any = false AND ACTION ='ACCEPT' }
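As an added example (my own code, not FireMon's and not from the original post), the "frequently used" unused-policy filter above (disabled = false AND created !~ window AND usage(window).count = 0) and ANY query 7 are re-implemented in Python over a constructed rule base, so the effect of each clause can be checked offline; the Rule fields, rule names, dates and hit lists are assumptions.

```python
"""Added example (not FireMon code, not from the original post): the 'frequently
used' SIQL filter above and the any/any/any query re-implemented over constructed
rule records, so the filter logic can be sanity-checked offline."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Rule:
    name: str
    disabled: bool
    created: datetime
    source_any: bool
    destination_any: bool
    service_any: bool
    hits: list              # stands in for usage(): one timestamp per hit
    action: str = "ACCEPT"


def usage_count(rule: Rule, start: datetime, end: datetime) -> int:
    """usage(date(start, end)).count: hits that fall inside the window."""
    return sum(1 for h in rule.hits if start <= h <= end)


def unused_in_window(rules: list, start: datetime, end: datetime) -> list:
    """disabled = false AND created !~ date(start, end) AND usage(...).count = 0.
    'created !~' keeps rules that are new in the window from being reported as
    unused before they have had any chance to match traffic."""
    return [r.name for r in rules
            if not r.disabled
            and not (start <= r.created <= end)
            and usage_count(r, start, end) == 0]


def any_any_allow(rules: list) -> list:
    """ANY query 7 above: ACCEPT, not disabled, source/destination/service all any."""
    return [r.name for r in rules
            if r.action == "ACCEPT" and not r.disabled
            and r.source_any and r.destination_any and r.service_any]


# Constructed sample rule base (hypothetical names, dates and hits).
WINDOW = (datetime(2017, 2, 1), datetime(2017, 4, 30, 23, 59, 59))
SAMPLE_RULES = [
    Rule("web-out", False, datetime(2016, 6, 1), False, False, False, [datetime(2017, 3, 3)]),
    Rule("legacy-ftp", False, datetime(2015, 1, 1), False, False, False, [datetime(2016, 12, 1)]),
    Rule("new-app", False, datetime(2017, 3, 15), False, False, False, []),
    Rule("old-disabled", True, datetime(2014, 1, 1), False, False, False, []),
    Rule("permit-all", False, datetime(2013, 1, 1), True, True, True, [datetime(2017, 4, 1)]),
]
```

With the sample data, unused_in_window reports only legacy-ftp (new-app is excluded by the created clause, old-disabled by the disabled clause) and any_any_allow reports only permit-all.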

 

 

 

 

 

FortiSandbox Flow
 
Static Scan:
- Rule matched : Suspicious(High/Medium/Low) -> End
- Rule did not match : Clean -> Goto AV Scan
 
AV Scan:
- Signature matched : Malicious -> End
- Signature did not match : Clean -> Goto Cloud Query
 
Cloud Query:
- Hash matched with Suspicious : Suspicious(High/Medium/Low) -> End
- Hash matched with Clean : Clean -> End
- Hash did not match : Clean -> End(if not supporting VM Scan for the file) or Goto VM Scan(if supporting VM Scan for the file)
 
VM Scan:
- Suspicious behavior was detected : Suspicious(High/Medium/Low) -> End
- Suspicious behavior was not detected : Clean -> End
- Other : Unknown -> End

 

 

 
