FortiGate Automation with Ansible

I recorded a video about Automating F5 configuration with Ansible last week. I want to know how to do the same with FortiGate firewalls. Therefore, I’ve been reading and testing with a FortiGate firewall and Ansible since then. I think it’s really interesting the automation and orchestration when there are lots of devices in the company. We can change the configuration in all devices quickly. For instance, there are Ansible Modules for FortiGate, FortiManager and FortiMail devices where we can configure security profiles, addresses, policies, etc easily.

Fortinet's Ansible Modules

 

I’ve recorded a new video about Automating FortiGate configuration with Ansible. We have to take into account two important things before executing the playbook. Firstly, we have to configure and execute the playbook with Python3 instead of Python2. Therefore, we have to install the fortiosapi for python3 with pip3. Secondly, we have to declare the ANSIBLE_LIBRARY with the 40ansible library to be able to use the fortiosconfig module. Finally, we should modify parameters such as interfaces and password. Once the YAML file is OK, we are ready to execute the playbook.

 

Regards my friends! Are you ready to automate processes?

Automating F5 configuration with Ansible

When we have lots of devices such as lots of firewalls, lots of load balancers or lots of switches, it’s really interesting and necessary the process automation. Automation and orchestration are increasingly used in large deployments and cloud infrastructures where there are lots of network devices around the world. For instance, we can automate initial configurations on BIG-IP such as DNS, NTP, etc. We can also automate deployments of HTTP and HTTPS applications or we can even manage Virtual Servers, Pools or Monitors.

Automating with Ansible

Ansible is one of the most known automation and orchestration tool. It’s an open-source software provisioning, configuration management, and application-deployment tool. We can install Ansible on many Unix-like systems such as Ubuntu and Debian. It’s really easy the installation process. It only requires Python. In addition, there are modules to automate lots of devices. For example, there are modules for FortiOS devices, F5 devices, Radware devices, etc.

Ansible-doc

 

I’ve recorded a video where I’ve used the playbook from F5 Networks located at their git repository. Firstly, I’ve created the necessary directories and files. Secondly, I’ve set the connection variables and I’ve added a pool, two pool members and a virtual server to the playbook YAML file. Finally, I’ve run the playbook and we can see the Virtual Server, pool and associate pool members on the F5 GUI. You will watch the configuration and execution are easy although it’s important to take into account the indentation and spaces.

 

Regards my friends! Are you ready to automate processes?

F5 BIG-IP AFM

I’ve worked with lots of Network Firewalls. Mainly, I’ve worked with Fortinet FortiGate firewalls. However, I also have to know about Checkpoint or Palo Alto firewalls from time to time, or even about pfSense or iptables firewalls. I’ve also installed Web Application Firewalls (WAF). Mainly, I’ve installed F5 BIG-IP ASM. However, I’ve also installed FortiGate WAF from time to time. Therefore, I would like to write about F5 BIG-IP AFM today, which is the Network Firewall of F5 Networks.

F5 BIG-IP AFM offers four core areas of functionalities. Network Firewall which provides layer 3 to layer 4 security by applying policy-based firewall rules on network traffic arriving into the BIG-IP device. Denial of Service where AFM checks either on the system or per virtual server for potential attacks and then can drop or rate limit that traffic according the thresholds you can configure. IP Intelligence which can be used to block traffic from known unreliable or questionable IP addresses provided from several sources. Finally, AFM Reporting and Logging provides historical and analytical data for the security administrator.

AFM Functionality

Creating a firewall in AFM is done in four steps. Firstly, create an schedule that identify the day ranges, days of the week and time ranges when client traffic would be accepted. Secondly, It can consolidate the schedule, address lists and port lists together into a firewall policy. Thirdly, creating an address list and a port list that identify the appropriate source IP address and destination port that would be accepted. Finally, applying the policy to the virtual server context that provides access to the website.

Creating a Scheduled Network Firewall Policy

 

AFM plays a significant role in F5 application delivery firewall solution. Together with other modules such as LTM, DNS and Advanced WAF, the BIG-IP system provides protection features across the entire OSI stack. AFM detects and mitigates network attacks such as SYN or connection floods. This is accomplished by rate limiting traffic and dropping traffic according the threshold you set for the BIG-IP AFM system as an whole.

DDoS Detection and Mitigation

 

Modern cyber criminals use numerous techniques to hide their identities and activities. However, every packet that traverses the Internet has a source IP address. Therefore, disabling inbound communication from known malicious IP is highly effective. IP Intelligence provides this functionality. With IP Intelligence, AFM can be configured to block or allow traffic entering the system based on the reputation of the source IP address.

IP Intelligence

 

F5 Networks is a company with good products. From my point of view, LTM, ASM and APM are the best modules for load balance, WAF and VPN. However, AFM and the Network Firewall is a little bit basic for network protection. It’s really useful for virtual server protection but it’s not made for user protection. Therefore, if you want to protect users, you’ll have to install a NGFW appliance.

Regards my friends! Drop me a line with the first thing you are thinking.

FortiGate WAF

I’ve already written a lot about Web Application Firewall (WAF). I’ve configured AWS Shield & AWS WAF in the Amazon Cloud. I’ve also configured F5 BIG-IP WAF and I’ve even recorded some videos such as L7 DDoS Mitigation and CSRF Protection. I’ve written about the differences between WAF vs IPS as well as I’ve configured the Fortinet FortiWeb. However, although I knew FortiOS allowed to enable the WAF feature years ago, I had never configured the WAF feature in FortiGate till now.

Firstly, it’s important to know WAF is not an Intrusion Detection System. An IDS is not going to block attacks. An IDS is going to alert us about attacks. I recommend installing an IDS in your network to know and detect attacks as well as misconfigurations and bad practices. Maybe an IDS is going to alert us about attacks which are not truth. They are false positives. It’s doesn’t matter! IDS are very sensitive and that’s why every suspicious packet can send alerts. However, it’s a best practice to install IDS probes in your network.

Secondly, it’s also important to highlight WAF is not like an IPS. An Intrusion Prevention System is going to block attacks but only well-known attacks. IPS use signatures to detect and block attacks. Therefore, signatures should be updated everyday. When there is a new vulnerability, the signature database is updated. It’s highly recommended installing IPS to all services they are reachable from Internet. For instance, web, mail and file services should have an IPS profile to protect these services from attackers who want to exploit vulnerabilities.

From my point of view, IDS and IPS are recommended to detect and block attacks. However, if you have web services and they are reachable from Internet, you should also install a WAF. You are going to realise a WAF is much better than an IPS because web services will also be protected from sophisticated attacks. You’ll be able to configure URLs, file types, cookies, redirections, etc in the WAF profile. I’ve recorded a new video where you can watch how to configure WAF in a FortiGate firewall.

Regards my friends! Have a nice day!