Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
... run into same bug, on 5.0.7, wasting a day trying to figure out why pings were failing even though interface's allowaccess included 'ping'. [ping came about because needed to test routeability from FortiManager to Fortigate.]
The worst thing is that Fortigate provides no visibility for execution of this 'feature':
FGT60D-1 (border) # execute log display 1 logs found. 1 logs returned. 1: date=2015-10-21 time=17:58:04 logid=0001000014 type=traffic subtype=local level=notice vd=border srcip=10.161.1.46 srcintf="wan1" dstip=140.159.XX.YY dstintf=14 sessionid=149735 status=deny policyid=0 dstcountry="Australia" srccountry="Reserved" trandisp=noop service=8/0/icmp proto=1 app=8/0/icmp duration=0 sentbyte=0 rcvdbyte=0 and FGT60D-1 (border) # diag debug flow trace start 10 id=13 trace_id=130 func=resolve_ip_tuple_fast line=4299 msg="vd-border received a packet(proto=1, 10.161.1.46:1->140.159.XX.YY:8) from wan1." id=13 trace_id=130 func=init_ip_session_common line=4430 msg="allocate a new session-000248e7
No clue to explain deny, except policyid=0 which, at best, is unhelpful.
Show use the trusthost setting but like bob said a common practice for external access that's very tight is to allow forticlient and ssl.root management access. This will require your admin has ssh access or https over the ssl.root and the forticlient.
http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html
The bad or negative to this approach;
1: if the sslvpnd daemon dies; you could be locked out
2: if you mistakenly mess up your sslvpn settings ; you could be locked out
3: if you delete or a fwpolicy or ; you could be locked out
YMMV may vary over this. Lately I've been using the fortitoken approach for both ssh and https management for external access. It's has proven to be 100% reliable.
Ken
PCNSE
NSE
StrongSwan
Hi Ken,
> ssl.root management access
we have a dedicated-to-VPN Gateway, ASA 5525 and I trust Cisco's AnyConnect.
In your opinion, Forticlient is a seriously reliable alternative?
In your website:
> And just create a ssl vpns setting and a portal that has tunnel-mode and assign the group.
Why not include the configuration and make the example complete?
R's, Alex
Hi Ken, > ssl.root management access we have a dedicated-to-VPN Gateway, ASA 5525 and I trust Cisco's AnyConnect. In your opinion, Forticlient is a seriously reliable alternative? In your website: > And just create a ssl vpns setting and a portal that has tunnel-mode and assign the group. Why not include the configuration and make the example complete? R's, Alex
I'll address both items.
#1 if you have a management gateway device than great, trust and filter that "trusthost" but that add more $$$$.$$ and complexity and a avg SMB/ENT probably will not buy a ASA or anotherdevice just for this purpose. I've have seen org do this and buy a dedicate sslvpn gateway like irepass , cyberroam or even plain jain OPENVPN, but all of that add one more tier and support which might be overkill for a smaller organization.
The vpnclient ( FTNT ) SSLVPN will allow a admin to access a device very securely, but ALL of the earlier risks mention above could be a showstop. Also one more risk; " if you have local-authentication or if your using remote-authentication, any changes or errors in these will become a "show stopper" for that admin account "
#2, i guess I could have built a full tunnel-mode example but that was not my intention. Plenty of example exist in either a fortinet kb, youtube-video, or cookbook.
The goal of that blog post was just to show and demo that the ssl.root is a "interface" and has the same management functions as real or virtual-interface. So allowaccess with allowances for ping ssh, https, snmp , etc... does exist your trusthost will work also.
We've done some weird things in the past using this method to include trusthost of the sslvpn_pool member and statically assignment of address to a "particular" user. All of this was due to the government agencies had problem and issues with pure "ssh access" and the debian_ssh-keys issues in the pass. So double encrypting it in a secured and strong SSL_VPN just makes it all much better and limits your brute-force for ssh or weak ssh-keys.
Bottom line, just build a regular tunnel-mode sslvpn and allow the ssl.root allowaccess if you want the security of ssl/tls with or without client_side-certificate requirements.
You have a host of methods for gaining and restrict access from the outside untrusted networks with a fortigate that pretty much other security-appliance don't offer. If you don't want , or don't like to use the trusthost for the user profile. Research what you want, and means that you are attempting and go at it ;)
if you need to open up trusthost for pings but restrict ssh access ;
1: move the ssh port to something NONE tcp/22
2: deploy fortitoken via email/sms
or the best ( imho )
3: allow ssh / https for management after a successful sslvpn connection and still deploy the trust_host for the ssl_vpn SRC(s)
Ken
PCNSE
NSE
StrongSwan
You should be controlling pings from the external untrusted or internal(s) via the set allowaccess command imho and further via the trusthost if you have it enabled.Hi Emnoc, That IS how I' m TRYING to control PING access. But the trusthost settings OVERRIDE the " set allowaccess ping" seting. If ANY administrator has a trusthost setting (which of course all should), then NO host which does not appear in at least one administrator' s list of trusted hosts will be able to PING the interface. So at least one junk administrator with wide open " trusted hosts" will be required in order to allow PINGs. (And, we' ll start getting harmless but distracting notices about failed SSH logins, because the trusthost configuration of that same ' administrator' who is allowed to PING also makes it possible for any of those ' trusted' many-or-all Internet IP addresses to hit the SSH Server port, even though the SSH protocol is NOT selected in the " set allowaccess ..." configuration for the interface.) It' s a bad design.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1105 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.