'쫑콩아빠' 태그의 글 목록 (140 Page)

# SRC+ DST Any

domain { id = 1 } AND rule { (source.any = true) and (destination.any=true) }

# SRC + SVC Any

domain { id = 1 } AND rule { (source.any= true) and (service.any=true) }

# DST + SVC Any

domain { id = 1 } AND rule { (destination.any= true) and (service.any=true) }

# SRC + DST + SVC Any

domain { id = 1 } AND rule { (source.any=true) and (destination.any= true) and (service.any=true) }

# Last 30days Hit.Count=0

domain { id = 1 } AND rule { usage(date('last 30 days')).count = 0 }

# 전체 정책

domain { id = 1 } and device

# 사용 정책

domain { id = 1 } and device and rule

# 미사용 정책

domain { id = 1 } and device and rule

# Log Disable

domain { id = 1 } AND rule { (disabled = true) }

# No Logging

domain { id = 1 } AND rule { (log = false) }

# Disable or No Logging

domain { id = 1 } AND rule { (disabled = true OR log = false) }

# No Comment

domain { id = 1 } AND rule { comment is null }

# Create rule last 30 days

domain { id = 1 } and rule

# Management IP로 검색

device

# Action Filter

domain { id = 1 } and device AND rule { action='ACCEPT' or action='AUTHENTICATE' or action='DROP' or action='ENCRYPT' or action='REJECT' }

# Action & Service.any

rule

# Source Filter

rule { source is subset of ('7.7.7.4','7.7.7.5’)}

rule { source is subset of ('7.7.7.4','7.7.7.5') and usage (date('last 30

days')).count >100}

domain { id = 1 } and device and rule

# SRC + 정책 활성화/비활성화 + Action

rule

# 기간 + Count

rule

# 기간 + Created Policy

domain and device and rule

# 기간 + last Changed Policy

rule

자주 사용하는 쿼리

전체 방화벽 중 비활성화 정책을 제외, 2월 28일 부터 3월 29일안에 신규 생성된 정책을 제외, 특정기간동안(30일) Hitcount가 0인 정책을 출력	and rule{ disabled= false or log= false and created !~ date(2017-02-28T00:00:00, 2017-03-29T23:59:59) and usage(date(2017-02-28T00:00:00, 2017-03-29T23:59:59)).count = 0 }
특정기간 동안(30일, 90일, 180일 등) 사용률이 없는 정책 조회 특정기간 동안(30일, 90일, 180일 등) 사용률이 있는 정책 조회	and rule and rule
특정기간 동안(30일, 90일, 180일 등) 생성된 정책 중 7일 이내 생성된 정책을 제외한 정책 사용률 조회	and rule
특정기간 동안(30일, 90일, 180일 등) Any허용 정책 중 미사용 된 정책을 제외하고 조회	and rule
특정기간 동안(30일, 90일, 180일 등) Hit Count(사용률)이 1개 이상인 정책 조회	and rule
2017년 02월 01일 ~ 현재(혹은 2017년 04월 30일)까지 미사용 된 정책	and rule{ disabled= false and created !~ date(2017-02-01T00:00:00, 2017-04-30T23:59:59) and usage(date(2017-02-01T00:00:00, 2017-04-30T23:59:59)).count = 0}
Last used가 2017년 02월 01일 이전인 정책	and rule { disabled= false and lastuseddate <= 2017-02-01T23:59:59+09:00 }
Policy Pri to DB 정책 중 한번도 사용되지 않은	and policy { name = 'From: PRI To: DB' } AND rule { usage().count = 0 }
ANY 검색 쿼리	1. 출발지 허용정책, Disable 제외 and rule { action='ACCEPT' AND disabled='FALSE' AND (source.any = true OR (( source intersects '0.0.0.0' )) ) } 2. 목적지 허용정책 Disable 제외 and rule { action='ACCEPT' AND disabled='FALSE' AND (destination.any = true OR (( destination intersects '0.0.0.0' )) ) } 3. 서비스 허용정책, Disable 제외 and rule { action='ACCEPT' AND disabled='FALSE' AND (service.any = true OR (( service intersects 'ANY' )) ) } 4. 출발지 + 목적지 허용정책, Disable 제외 and rule { action='ACCEPT' AND disabled='FALSE' AND (destination.any = true OR (( destination intersects '0.0.0.0' )) ) AND (source.any = true OR (( source intersects '0.0.0.0' )) ) } 5. 출발지 + 서비스 허용정책, Disable 제외 and rule { action='ACCEPT' AND disabled='FALSE' AND (service.any = true OR (( service intersects 'ANY' )) ) AND (source.any = true OR (( source intersects '0.0.0.0' )) ) } 6. 목적지 + 서비스 허용정책, Disable 제외 and rule { action='ACCEPT' AND disabled='FALSE' AND (destination.any = true OR (( destination intersects '0.0.0.0' )) ) AND (service.any = true OR (( service intersects 'ANY' )) ) } 7. 출발지 + 목적지 + 서비스 허용정책, Disable 제외 and rule { (destination.any = true OR (( destination intersects '0.0.0.0' )) ) AND action='ACCEPT' AND disabled='FALSE' AND (service.any = true OR (( service intersects 'ANY' )) ) AND (source.any = true OR (( source intersects '0.0.0.0' )) ) }
특정 포트 검색	1. ANY 포함 and rule { action='ACCEPT' AND (service.any = true OR (( service intersects 'udp/137' )) ) } 2. ANY제외 and rule { action='ACCEPT' AND (service.any = false AND (( service intersects 'udp/137' )) }
호스트로 검색 - 그룹 포함 오브젝트 검색 / 대역 renge 제외	RULE { SOURCE IS SUPERSET OF '192.0.0.5' AND SOURCE.ANY = FALSE AND ( SOURCE.TYPE != 'NETWORK' OR SOURCE.TYPE != 'ADDRESS_RANGE') } 또는 RULE
특정 DEVICE를 여러 개 선택하여 검색	DEVICE { ID = 152 OR ID = 7 } AND RULE{ DESTINATION IS SUPERSET OF '192.168.10.55' AND DESTINATION.ANY = FALSE }
IP대역에 ANY를 제외하고 허용정책이면서 Disable이 안된 정책 검색	RULE { action='ACCEPT' AND disabled='FALSE' AND (SOURCE IS SUPERSET OF '121.125.26.0/24' ) AND source.any = false }
특정 오브젝트/그룹을 사용하는 정책 검색	Rule { SOURCE.name ~ 'SOFT' }
양방향 정책 검색 기능 제공	Rule { SOURCE.ANY =FALSE and DESTINATION.ANY=FALSE AND SOURCE equals DESTINATION }
하나의 정책에 IP가 10개 들어 있는 정책 검색 기능 또는 하나의 정책에 IP가 10개 이하가 들어 있는 정책 검색 기능	Rule { SOURCE.EXPANDEDOBJECTCOUNT = 10 } 또는 Rule { SOURCE.EXPANDEDOBJECTCOUNT != 10 }
출발지에 특정 IP가 있거나 목적지에 특정 IP가 있고 ANY를 제외한 허용 정책 검색	RULE { SOURCE IS SUPERSET OF '218.232.186.219' OR DESTINATION IS SUPERSET OF '114.202.129.73' AND source.any = false AND destination.any = false AND ACTION ='ACCEPT' }

저작자표시 비영리 변경금지

'업무이야기 > 정책관리솔루션' 카테고리의 다른 글

Gigamon HC Series의 Inline Concept (48)	2024.10.15
Firemon 웹로그인유저 패스워드 복구방법 (0)	2018.05.08
Firemon CLI (0)	2018.05.08
Firemon SIQL (0)	2017.08.08

FortiSandbox Flow

Static Scan:

- Rule matched : Suspicious(High/Medium/Low) -> End

- Rule did not match : Clean -> Goto AV Scan

AV Scan:

- Signature matched : Malicious -> End

- Signature did not match : Clean -> Goto Cloud Query

Cloud Query:

- Hash matched with Suspicious : Suspicious(High/Medium/Low) -> End

- Hash matched with Clean : Clean -> End

- Hash did not match : Clean -> End(if not supporting VM Scan for the file) or Goto VM Scan(if supporting VM Scan for the file)

VM Scan:

- Suspicous behavior was detected : Suspicious(High/Medium/Low) -> End

- Suspicous behavior was not detected : Clean -> End

- Other : Unknown -> End

저작자표시 비영리 변경금지

'업무이야기 > Security' 카테고리의 다른 글

Fortigate IP Macbindging (0)	2018.05.08
Fortinet Open Ports Diagram (0)	2018.05.08
FortiSandbox Flow (0)	2017.08.08
FortiSandbox Clustering Setting (0)	2017.08.08
FortiSandbox Custom VM (0)	2017.08.08

BlueCoat Packet Capture

admin> capture reset

admin> capture filter ip 192.168.234.81

admin> capture filter ?

[src-ip] = <arg> : Only capture packets on flow with specified source IPv4 address

[dst-ip] = <arg> : Only capture packets on flow with specified destination IPv4 address

[ip] = <arg> : Only capture packets on flow with specified IPv4 address

admin> cap

capture reset

capture stop

capture start

capture status

capture select

capture filter

capture filter6

admin> capture select 5

admin> capture start

Capture started

admin> capture stop

Waiting while capture files are being processed (0 secs elapsed)

Capture file available via scp

Linux/Mac: scp <user>@<appliance>:pcap_20170811101023_20170811101053.tar.gz pcap_20170811101023_20170811101053.tar.gz

Windows: pscp.exe -scp <user>@<appliance>:pcap_20170811101023_20170811101053.tar.gz pcap_20170811101023_20170811101053.tar.gz

저작자표시 비영리 변경금지

'업무이야기 > 보안솔루션' 카테고리의 다른 글

Menlo Security 이메일 격리 솔수션을 통한 메일 사용 시연 동영상 (0)	2022.06.13
Menlo Security 제품 소개 동영상 (0)	2022.06.07
Menlo Security Demo Video (0)	2022.06.07
Menlo Security Isolation Platform Overview (0)	2022.06.07
The benefits of Menlo Private Access (0)	2022.06.07

[웹로그인유저 패스워드 복구방법]

(1) SSH접속

MacBook-Pro:~ $ ssh firemon@172.17.232.75

firemon@172.17.232.75's password:

Last login: Wed Aug 30 19:28:23 2017

This is FireMon FMOS 8.9.0

ALERT: Could not get system monitor status

For assistance, contact support@firemon.com

[firemon@firemon ~]$

(2)아래 명령어 실행

[firemon@firemon ~]$ sudo psql -U postgres firemon

firemon=# select * from users;

iouslogin | passwordchanged | authtype | authserverid | authfailures

----+----------+----------------------------------+---------------+----------+--------------------------------------------------------------+------------+---------+---------+--------+-----------------+-------------------------+----------

---------------+-----------------+----------+--------------+--------------

2 | 1 | firemon@example.com | Workflow | Executor | $2a$06$DsG8KTZEarX65pl8aeZiEuQiFP3pXQ7Id/T461PW3Yt2KH5PkWvXa | workflow | t | f | f | f | |

| | | | 0

1 | 1 | firemon@example.com | FireMon | FireMon |$2a$10$WzkdgLahF10w26sWf.wl0OLGsljsOwUv3SgKU9BaSL.viZuLGHNZi | firemon | t | f | t | f | 2017-08-24 17:45:35.205 | 2017-08-0

8 17:20:48.173 | | LOCAL | | 5

3 | 1 | | ndexec | firemon | $2a$10$UN7Ucd07pCSQSn8CMBtbmeP9S47GqGp6eXM5PBco0NvVrmBfXWU.i | nd_firemon | t | f | f | f | 2017-08-30 19:45:45.188 | 2017-08-3

0 19:45:44.995 | | LOCAL | | 0

5 | 1 | sec.network.support@nicstech.com | nics | nicst | $2a$10$19R2htVQDDf.5jr4dRAcY.BEU59xaK.PKx0LxIw7wN5YZiifTaoBO | nicstech | t | f | f | f | 2017-08-30 19:32:33.971 |

| | LOCAL | | 0

4 | 1 | | datacollector | firemon | $2a$10$Q3OT80zHUetQWtH60pX7mOXS44A9t12MDZEjY38sF2IjAS2pLf./C | dc_firemon | t | f | f | f | 2017-08-30 19:45:42.796 | 2017-08-3

0 19:43:42.786 | | LOCAL | | 0

(5 rows)

firemon=# sudo psql -U postgres firemon

firemon=# update users set password='$2a$10$WzkdgLahF10w26sWf.wl0OLGsljsOwUv3SgKU9BaSL.viZuLGHNZi' where id=1;

UPDATE 1

firemon=#

firemon=# postgresql exit

firemon-#

firemon-# \q

[firemon@firemon ~]$

=>관련 문서

Forgot Password:

If a user forgets the password for the "firemon" account run this command to set it back to the default password; the word "firemon”:

sudo psql -U postgres firemon

update users set password='$2a$10$WzkdgLahF10w26sWf.wl0OLGsljsOwUv3SgKU9BaSL.viZuLGHNZi' where id=1;

#You can use this to change anyone's password to "firemon" you just need their id

postgresql exit

\q

(2) firemon계정이 잠긴경우, 아래와 같이 수정

[firemon@firemon ~]$ sudo psql -U postgres firemon

firemon=# select * from users;

# locked=t인경우, 아래 명령어 실행 (t를 f로 변경)

firemon=# update users set locked=‘f' where id=1;

[기간만료 대비, 날짜 변경방법]

(1) firemon계정으로 로그인

(2) 아래 명령어 입력

sudo date -s ‘2017-8-28 00:00:00'

저작자표시 비영리 변경금지

'업무이야기 > 정책관리솔루션' 카테고리의 다른 글

Gigamon HC Series의 Inline Concept (48)	2024.10.15
Firemon SIQL (1)	2018.05.08
Firemon CLI (0)	2018.05.08
Firemon SIQL (0)	2017.08.08

Firemon Firmware 8.15.x 이상에서 Interface 정보 변경 방법

fmos config --e 또는 https://firemon_ip:55555

AS / DC 연동

AS : fmos shareconf export

AS : scp 파일명 firemon@IP:/home/firemon

DC : fmos shareconf import 파일명

또는

AS : fmsh_registerdc 1.1.1.1(DC IP) 실행하면 DataCollector_1_1_1_1.xml 파일 생김

DC : fmsh_importdcxml DataCollector_1_1_1_1.xml

Firemon 데이터 삭제

fmsh_purgedata

sudo rm-rf /etc/localtime

sudo ln -s /usr/share/zoneinfo/Asia???Seoul /etc/localtime

sudo date -s "20170210 15:21:00"

sudo vi /etc/hosts FQDN 등록

fmos status

fmos restart all

sudo tail -F /var/log/firemon/dc/Datacommector.log

tcpdump -ni eno16777728 host 192.168.200.254 and port 514 -nnxs 0 -vv | grep Msg | grep info

fmos install wireshark

fmos install wireshark --source FMOS-8.9.1.iso

sudo gpasswd -a firemon wireshark

fmos restart all

tshark -D

ip link show

tshark -i 3 host 192.168.0.21

tshark -i 3 host 192.168.0.22

tshark -i 3 host 192.168.0.23

fmos redeploy all

1. Firemon 정보 학인 : fmsh_fmversion

2. ifconfig 정보 설정 및 확인 : fmsh_ifconfig

fmsh_ifconfig help

fmsh_ifconfig <int> <address> <netmask>

fmsh_ifconfig <int> dhcp

fmsh_ifconfig <int> disabled

fmsh_ifconfig <int> status

fmsh_ifconfig all status

3. G/W 설정 : fmsh_gateway <gateway>

4. hostname설정 : fmsh_hostname <hostname>

5. Firemon 방화벽 확인 / 정지 / 시작

fmsh_fwstatus

fmsh_fwstop

fmsh_fwstart

6. Firemon 데몬 확인 / 정지 / 시작 / 재시작

fmsh_fmstatus

fmsh_fmstop

fmsh_fmstart

fmsh_fmrestart

7. DC Debug 모드 동작

fmsh_dclogprofile <profile> Profiles: info / dugall

8. Firemon 장비 off / reboot

fmsh_reboot

fmsh_shutdown

9. FMOS 업데이트

fmsh_update file <filename>

10. Firemon Data 복구

fmsh_restorebackup <filename> [--no-verify]

11. Firemon Data 백업

명령어 : /opt/firemon/JAS/fm-server.sh -backup -filename <backupfilename>

백업경로 : /opt/firemon/backup

12. CVE업데이트

fmsh_cveupdate

15. 기타 주요 명령어

경로 : /opt/firemon/JAS/fm-server.sh

[root@device-pack JAS]$ ./fm-server.sh

usage: java com.sp.core.server.Server

[-showdcs] ## 등록된 DC 목록 확인

[-showlicense]

[-adddc ipaddress]

[-deldc ipaddress] ## 등록된 DC 삭제

[-showdn]

[-backup -filename backupfilename ] ## 데이터 백업 (위치 : /opt/firemon/backup)

[-restorebackup -filename backupfilename -outputdir destinationDirectory]

[-consolidate]

[-installCert -alias certAlias -filename certFilename]

[-deleteCert -alias certAlias]

[-listCerts]

[-uc]

[-upt]

fmos install wireshark

sudo gpasswd -a wireshark firemon

sudo gpasswd -a firemon wireshark

fmos install traceroute

fmos install bind-utils

fmos install net-tools

sudo tshark -nni eth0 host 192.168.234.2

sudo tshark -nni 3 host 192.168.234.2

curl -v telnet://192.168.234.253:22

curl -v telnet://192.168.234.253:443

저작자표시 비영리 변경금지

'업무이야기 > 정책관리솔루션' 카테고리의 다른 글

Gigamon HC Series의 Inline Concept (48)	2024.10.15
Firemon SIQL (1)	2018.05.08
Firemon 웹로그인유저 패스워드 복구방법 (0)	2018.05.08
Firemon SIQL (0)	2017.08.08