반응형
SMALL

Firemon SIQL

 

l domain{}
l devicegroup{}
l device{}
l policy{}
l rule{}
l natrule{}
l control{}
l assessment{}
l networkObj{}
l serviceObj{}
l userObj{}
l applicationObj{} 
l ticket{}
l review{}
 
# SRC+ DST Any
domain { id = 1 }  AND rule { (source.any = true) and (destination.any=true) }
# SRC + SVC Any
domain { id = 1 }  AND rule { (source.any= true) and (service.any=true) }
# DST + SVC Any
domain { id = 1 }  AND rule { (destination.any= true) and (service.any=true) }
# SRC + DST + SVC Any
domain { id = 1 }  AND rule { (source.any=true) and  (destination.any= true) and (service.any=true) }
# Last 30days Hit.Count=0
domain { id = 1 }  AND rule { usage(date('last 30 days')).count = 0 }
# 전체 정책
domain { id = 1 } and device
domain { id = 1 } and device
# 사용 정책
domain { id = 1 } and device and rule
# 미사용 정책
domain { id = 1 } and device and rule
# Log Disable
domain { id = 1 }  AND rule { (disabled = true) }
# No Logging
domain { id = 1 }  AND rule { (log = false) }
# Disable or No Logging
domain { id = 1 }  AND rule { (disabled = true OR log = false) }
# No Comment
domain { id = 1 }  AND rule { comment is null } 
# Create rule last 30 days
domain { id = 1 } and rule
# Management IP로 검색
device
# Action Filter
domain { id = 1 } and device AND rule { action='ACCEPT' or action='AUTHENTICATE' or action='DROP' or action='ENCRYPT' or action='REJECT'  } 
# Action & Service.any
rule
# Source Filter
rule { source is subset of ('7.7.7.4','7.7.7.5’)}
rule { source is subset of ('7.7.7.4','7.7.7.5') and usage (date('last 30 
days')).count >100}
domain { id = 1 } and  device and rule
# SRC + 정책 활성화/비활성화 + Action
rule
# 기간 + Count
rule
rule
# 기간 + Created Policy
domain and device and  rule
# 기간 + last Changed Policy
rule
 
자주 사용하는 쿼리
전체 방화벽 중 비활성화 정책을 제외, 2 28일 부터 3 29일안에 신규 생성된 정책을 제외특정기간동안(30) Hitcount 0인 정책을 출력 and rule{ disabled= false or log= false and created !~ date(2017-02-28T00:00:00, 2017-03-29T23:59:59) and usage(date(2017-02-28T00:00:00, 2017-03-29T23:59:59)).count = 0 }
특정기간 동안(30, 90, 180일 등사용률이 없는 정책 조회
특정기간 동안(30, 90, 180일 등사용률이 있는 정책 조회		 and rule
 
and rule
특정기간 동안(30, 90, 180일 등생성된 정책 중 7일 이내 생성된 정책을 제외한 정책 사용률 조회 and rule
특정기간 동안(30, 90, 180일 등) Any허용 정책 중 미사용 된 정책을 제외하고 조회 and rule
특정기간 동안(30, 90, 180일 등) Hit Count(사용률) 1개 이상인 정책 조회 and rule
2017 02 01 ~ 현재(혹은 2017 04 30)까지 미사용 된 정책 and rule{ disabled= false and created !~ date(2017-02-01T00:00:00, 2017-04-30T23:59:59) and usage(date(2017-02-01T00:00:00, 2017-04-30T23:59:59)).count = 0}
Last used 2017 02 01일 이전인 정책 and rule {  disabled= false and lastuseddate <= 2017-02-01T23:59:59+09:00 }
Policy Pri to DB 정책 중 한번도 사용되지 않은 and policy { name = 'From: PRI To: DB' }  AND rule { usage().count = 0 }
ANY 검색 쿼리 1. 출발지 허용정책, Disable 제외
and rule { action='ACCEPT' AND disabled='FALSE' AND (source.any = true OR (( source intersects '0.0.0.0' )) )  } 
2. 목적지 허용정책 Disable 제외
and rule { action='ACCEPT' AND disabled='FALSE' AND (destination.any = true OR (( destination intersects '0.0.0.0' )) )  } 
3. 서비스 허용정책, Disable 제외
and rule { action='ACCEPT' AND disabled='FALSE' AND (service.any = true OR (( service intersects 'ANY' )) )  } 
4. 출발지 + 목적지 허용정책, Disable 제외
and rule { action='ACCEPT' AND disabled='FALSE' AND (destination.any = true OR (( destination intersects '0.0.0.0' )) )  AND (source.any = true OR (( source intersects '0.0.0.0' )) )  } 
5. 출발지 + 서비스 허용정책, Disable 제외
and rule { action='ACCEPT' AND disabled='FALSE' AND (service.any = true OR (( service intersects 'ANY' )) ) AND (source.any = true OR (( source intersects '0.0.0.0' )) )  }
6. 목적지 + 서비스 허용정책, Disable 제외
and rule { action='ACCEPT' AND disabled='FALSE' AND (destination.any = true OR (( destination intersects '0.0.0.0' )) )  AND (service.any = true OR (( service intersects 'ANY' )) )  } 
7. 출발지 + 목적지 + 서비스 허용정책, Disable 제외
and rule { (destination.any = true OR (( destination intersects '0.0.0.0' )) ) AND action='ACCEPT' AND disabled='FALSE' AND (service.any = true OR (( service intersects 'ANY' )) ) AND (source.any = true OR (( source intersects '0.0.0.0' )) )  } 
특정 포트 검색 1. ANY 포함
and rule { action='ACCEPT' AND (service.any = true OR (( service intersects 'udp/137' )) )  } 
2. ANY제외
and rule { action='ACCEPT' AND (service.any = false AND (( service intersects 'udp/137' )) }
호스트로 검색 - 그룹 포함 오브젝트 검색 / 대역 renge 제외 RULE { SOURCE IS SUPERSET OF '192.0.0.5' AND SOURCE.ANY = FALSE AND ( SOURCE.TYPE != 'NETWORK' OR SOURCE.TYPE != 'ADDRESS_RANGE') }
또는
RULE
특정 DEVICE를 여러 개 선택하여   검색 DEVICE { ID = 152 OR ID = 7 } AND RULE{ DESTINATION IS SUPERSET OF '192.168.10.55' AND DESTINATION.ANY = FALSE }
IP대역에 ANY를 제외하고 허용정책이면서 Disable이 안된 정책 검색 RULE {  action='ACCEPT' AND disabled='FALSE' AND (SOURCE IS SUPERSET OF '121.125.26.0/24' ) AND source.any = false }
특정 오브젝트/그룹을 사용하는 정책 검색 Rule { SOURCE.name ~ 'SOFT' }
양방향 정책 검색 기능 제공 Rule { SOURCE.ANY =FALSE and  DESTINATION.ANY=FALSE AND  SOURCE equals  DESTINATION }
하나의 정책에 IP가 10개 들어 있는 정책 검색 기능 또는 하나의 정책에 IP가 10개 이하가 들어 있는 정책 검색 기능 Rule { SOURCE.EXPANDEDOBJECTCOUNT = 10 } 또는 Rule { SOURCE.EXPANDEDOBJECTCOUNT != 10 }
출발지에 특정 IP가 있거나 목적지에 특정 IP가 있고 ANY를 제외한 허용 정책 검색 RULE { SOURCE IS SUPERSET OF '218.232.186.219' OR DESTINATION IS SUPERSET OF '114.202.129.73' AND source.any = false AND destination.any = false AND ACTION ='ACCEPT' }

 

 

 

반응형
LIST
저작자표시 비영리 변경금지

'업무이야기 > 정책관리솔루션' 카테고리의 다른 글

Gigamon HC Series의 Inline Concept  (48) 2024.10.15
Firemon SIQL  (1) 2018.05.08
Firemon 웹로그인유저 패스워드 복구방법  (0) 2018.05.08
Firemon CLI  (0) 2018.05.08
반응형
SMALL
FortiSandbox Flow
 
Static Scan:
- Rule matched : Suspicious(High/Medium/Low) -> End
- Rule did not match : Clean -> Goto AV Scan
 
AV Scan:
- Signature matched : Malicious -> End
- Signature did not match : Clean -> Goto Cloud Query
 
Cloud Query:
- Hash matched with Suspicious : Suspicious(High/Medium/Low) -> End
- Hash matched with Clean : Clean -> End
- Hash did not match : Clean -> End(if not supporting VM Scan for the file) or Goto VM Scan(if supporting VM Scan for the file)
 
VM Scan:
- Suspicous behavior was detected  : Suspicious(High/Medium/Low) -> End
- Suspicous behavior was not detected : Clean -> End
- Other : Unknown -> End

 

 

 

반응형
LIST
저작자표시 비영리 변경금지

'업무이야기 > Security' 카테고리의 다른 글

Fortinet Open Ports Diagram  (0) 2018.05.08
FortiSandbox diagram  (0) 2018.05.08
FortiSandbox Clustering Setting  (0) 2017.08.08
FortiSandbox Custom VM  (0) 2017.08.08
Fortinet euc-kr 한글 지원 설정  (0) 2015.12.28
반응형
SMALL
FortiSandbox Clustering Setting
 

Step 1 - Configure the master
1. Configure the port IP addresses and gateway address with the following commands:
set port1-ip 192.168.1.99/24
set port2-ip 192.168.2.99/24
set port3-ip 192.168.3.99/24
set default-gw 192.168.1.1

2. Configure the device as the master node and its cluster fail-over IP for Port1 with the following commands:
hc-settings -sc -tM -nMasterA -cTestHCsystem -ppassw0rd -iport2
hc-settings -si -iport1 -a192.168.1.98/24
See Appendix A - CLI Reference on page 1 for more information about the CLI commands.

3. Review the cluster status with the following command:
hc-status -l
Other ports on the device can be used for file inputs.

Step 2 - Configure the primary slave
1. Configure the port IP addresses and gateway address with the following commands:
set port1-ip 192.168.1.100/24
set port2-ip 192.168.2.100/24
set port3-ip 192.168.3.100/24
set default-gw 192.168.1.1

2. Configure the device as the primary slave node with the following commands:
hc-settings -s -tP -nPslaveB -iport2
hc-settings -l
hc-slave -a -s192.168.2.99 -ppassw0rd

3. Review the cluster status with the following command:
hc-status -l

Step 3 - Configure the normal slave
1. Configure the port IP addresses and gateway address with the following commands:
set port1-ip 192.168.1.101/24
set port2-ip 192.168.2.101/24
set port3-ip 192.168.3.101/24
set default-gw 192.168.1.1

2. Configure the device as a slave node with the following commands:
hc-settings -s -tR -nSlaveC -iport2
hc-settings -l
hc-slave -a -s192.168.2.99 -ppassw0rd

3. Review the cluster status with the following command:
hc-status -l

 

 

반응형
LIST
저작자표시 비영리 변경금지

'업무이야기 > Security' 카테고리의 다른 글

FortiSandbox diagram  (0) 2018.05.08
FortiSandbox Flow  (0) 2017.08.08
FortiSandbox Custom VM  (0) 2017.08.08
Fortinet euc-kr 한글 지원 설정  (0) 2015.12.28
Fortigate Port Restricted  (0) 2015.12.28
반응형
SMALL
FortiSandbox Custom VM
 

아래한글 지원 custom VM 입니다.

http://fsavm.fortinet.net/WIN7X86VM_HWP.pkg.7z 
파일을받아서 FTP 서버에올려놓고아래처럼 fw-upgrade 로올려야합니다.
>fw-upgrade -l -v -tftp -s192.168.200.100 -uadmin -padmin -f/VM/WIN7X86VM_HWP.pkg.7z

기본 패키지 업로드
>fw-upgrade -l -v -tftp -sfsavm.fortinet.net -uanonymous -f/general/image/2.0.0/2015022118_vm.pkg.7z

ftp://fsavm.fortinet.net/general/image/2.0.0/2015022118_vm.pkg.7z


커스텀 패키지 업로드
> vm-customized -cn -tftp -s10.10.11.111 -uadmin -padmin1 -f/V5Win7EntSP1x64.vdi -oWindows7_64 -vCustHWP7

> vm-customized -cn -tftp -s192.168.234.223 -unicstech -pnics00 -f/V5Win7ProSP1x86/V5Win7ProSP1x86.vdi -k344ADE788168B08581349D71C8299AFA -voWindows7 -vnCustHWP

메타 파일 업로드
> vm-customized -cf -tftp -s10.10.11.111 -uadmin -padmin1 -f/metafile.txt -vCustWin7-32
--2016-09-29 17:33:09--  ftp://10.10.11.111/metafile.txt
=> '/drive0/tmp/customizedvm.meta.tmp'
Connecting to 10.10.11.111:21... connected.
Logging in as admin ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD not needed.
==> SIZE metafile.txt ... 108
==> PASV ... done. ==> RETR metafile.txt ... done.
Length: 108 (unauthoritative)

metafile.txt 100%[=============================================================================>] 108 --.-KB/s in 0.002s  

2016-09-29 17:33:09 (43.7 KB/s) - '/drive0/tmp/customizedvm.meta.tmp' saved [108]



메타파일
파일명 : metafile.txt
HWP NEO Viewer
Visual C++ Redistributor 2013
.NET Framework 4.0
Adobe Flash Player 22.0
Alzip 10.5

 

 

반응형
LIST
저작자표시 비영리 변경금지

'업무이야기 > Security' 카테고리의 다른 글

FortiSandbox Flow  (0) 2017.08.08
FortiSandbox Clustering Setting  (0) 2017.08.08
Fortinet euc-kr 한글 지원 설정  (0) 2015.12.28
Fortigate Port Restricted  (0) 2015.12.28
Spam test  (0) 2015.12.28
반응형
SMALL

Fortinet euc-kr 한글 지원 설정

CLI>
config system appearance
set fallback-charset EUC-KR
end

Spam Score 96 설정

CLI>
config antispam deepheader-analysis
set confiddence 96.000000
set greyscale-level 7
end

 

 

반응형
LIST
저작자표시 비영리 변경금지

'업무이야기 > Security' 카테고리의 다른 글

FortiSandbox Clustering Setting  (0) 2017.08.08
FortiSandbox Custom VM  (0) 2017.08.08
Fortigate Port Restricted  (0) 2015.12.28
Spam test  (0) 2015.12.28
Fortigate SIP ALG / Fortinet SIP ALG  (0) 2015.12.28
반응형
SMALL

## Dynamic source NAT without changing the source port (one-to-one source NAT)

# Problem


Some protocols or services will only function if they use a specific source port, or a source port that does not change. Normally source NAT changes the source port to allow multiple simultaneous sessions. 

# Solution

You can select the fixed port option to restrict the FortiGate unit to not translate the source port. This results in a one-to-one NAT configuration. One-to-one NAT limits the number of simultaneous sessions that are supported because one variable for tracking sessions (the source port number) is no longer available. To allow more sessions, one-to-one NAT is normally used with multiple external IPs added to an IP pool. 

In this example, you enable one-to-one NAT by enabling the fixed port option in a security policy and adding an IP pool containing three IP addresses: 172.20.120.[13-15]. The fixed port option is enabled from the CLI so this entire example is configured from the CLI.

1 Enter the following command to add the IP pool:

config firewall ippool

edit Dynamic-Source

set startip 172.20.120.13

set endip 172.20.120.15

end

2 Enter the following command to add a security policy that allows users on the private network to access the Internet.

config firewall policy

edit 0

set srcintf internal

set srcaddr all

set dstintf wan1

set dstaddr all

set schedule always

set service ANY

set action accept

set nat enable

set fixedport enable

set ippool enable

set poolname Dynamic-Source

end

If you edit this policy from the web‑based manager, you will notice that the Fixed Port option is visible and is selected.

 

반응형
LIST
저작자표시 비영리 변경금지

'업무이야기 > Security' 카테고리의 다른 글

FortiSandbox Custom VM  (0) 2017.08.08
Fortinet euc-kr 한글 지원 설정  (0) 2015.12.28
Spam test  (0) 2015.12.28
Fortigate SIP ALG / Fortinet SIP ALG  (0) 2015.12.28
FortiAP Configuration  (0) 2015.12.28
반응형
SMALL

Self Serve Spam
http://www.maysoft.com/selfservespam.nsf/dl

Type of Spam
https://www.securelist.com/en/threats/spam?chapter=88

Sample Spam Email
http://www.kevingunn.com/spam.htm

 

반응형
LIST
저작자표시 비영리 변경금지

'업무이야기 > Security' 카테고리의 다른 글

Fortinet euc-kr 한글 지원 설정  (0) 2015.12.28
Fortigate Port Restricted  (0) 2015.12.28
Fortigate SIP ALG / Fortinet SIP ALG  (0) 2015.12.28
FortiAP Configuration  (0) 2015.12.28
FortiGate diagnose CLI  (0) 2015.12.28
반응형
SMALL

Fortigate SIP ALG / Fortinet SIP ALG

FortiOS has two features that can modify the SIP headers and SDP parameters. The first feature is called the “SIP Session Helper”. If you are experiencing one way audio issues disable this feature first, reboot your IP phone then try making another call. If disabling the session helper does not work, disable the SIP ALG as well.

To disable the sip session helper:

1 Enter the following command to find the sip session helper entry in the session-helper list:

show system session-helper

edit 10
set name sip
set port 5060
set protocol 17

2 Enter the following command to delete session-helper list entry number 10 to disable the sip session helper:

config system session-helper
delete 10

To disable the SIP ALG:

There are typically two VOIP profiles on a factory shipped Fortinet firewall. You may need to disable both profiles to fully stop the ALG.

config voip profile
edit VoIP_Pro_2
config sip
set status disable
end
end

See the Fortigate Technical documentation page for further details.

 

 

반응형
LIST
저작자표시 비영리 변경금지

'업무이야기 > Security' 카테고리의 다른 글

Fortigate Port Restricted  (0) 2015.12.28
Spam test  (0) 2015.12.28
FortiAP Configuration  (0) 2015.12.28
FortiGate diagnose CLI  (0) 2015.12.28
FortiGate FGSP  (0) 2015.12.28

+ Recent posts

티스토리툴바