FortiGate Access Slave in HA mode
To change from the Primary to the Secondary Fortigate:
execute ha manage 1
To change from the Secondary to the Primary:
execute ha manage 0
Step 1: Login to master node, su to root
Step 2: Open a new ssh window, login to master again, su to root
Step 3: On 2nd window, enter: ha_utils ssh
Step 4: In the 2nd window, login to slave as loginuser, then su to root
Step 5: On both ssh windows, enter: killall repctl
Step 6: On both ssh windows, enter: /etc/init.d/postgresql92 rebuild
Step 7: After database rebuilds, enter on both ssh windows: repctl
Now reboot the slave.
NOTE: You will lose the reporting data for the elapsed time.
There are 3 steps involved in this process.
FGxxxxxxxxxxxxxx # config system global
FGxxxxxxxxxxxxxx # set internal-switch-mode interface
FGxxxxxxxxxxxxxx # end
Changing switch mode will reboot the system!
Do you want to continue? (y/n) y
FGxxxxxxxxxxxxxx #
A good practice to enhance firewall security is to rename the default administrator account of the box. On FortiGate, the default administrator username is admin. If you leave it as ‘admin’, an attacker brute-forcing the password already knows half of the credential, so the remaining work is just a piece of cake.
These steps have to be done from the command line. The best way to manage Fortinet devices is over SSH or a serial terminal. If you need help connecting to a Fortinet box over a serial terminal, click here.
Fortinet will prevent you from changing the account you are currently logged in with. I assume that you are logged in as the default “admin”. You cannot rename “admin” to “yourname” while you are logged in as “admin”; that is reasonable, isn’t it?
Do these steps while you are already in privileged mode (logged in as “admin”):
CUSTOMER_FW01 # config system admin
CUSTOMER_FW01 (admin) # edit newadmin
new entry ‘newadmin’ added
CUSTOMER_FW01 (newadmin) # set password Myn3w-password
CUSTOMER_FW01 (newadmin) # set accprofile super_admin
CUSTOMER_FW01 (newadmin) # end
CUSTOMER_FW01 # exit
Auto backup config … login.c-__config
CUSTOMER_FW01 login: newadmin
Password: **************
Welcome !
CUSTOMER_FW01 #
To rename your Fortinet default “admin”, follow these steps:
CUSTOMER_FW01 # config system admin
CUSTOMER_FW01 (admin) # rename admin to nimda
CUSTOMER_FW01 (admin) #
| Task | Command |
|---|---|
| Scan a single IP | nmap 192.168.10.1 |
| Scan a host | nmap www.testhost.com |
| Scan a range of IPs | nmap 192.168.10.1-20 |
| Scan a subnet | nmap 192.168.10.0/24 |
| Scan targets from a text file | nmap -iL list-of-ips.txt |
| Scan a single port | nmap -p 22 192.168.10.1 |
| Scan a range of ports | nmap -p 1-100 192.168.10.1 |
| Scan the 100 most common ports (fast) | nmap -F 192.168.10.1 |
| Scan all 65535 ports | nmap -p- 192.168.10.1 |
| Scan using TCP connect | nmap -sT 192.168.10.1 |
| Scan using TCP SYN scan (default) | nmap -sS 192.168.10.1 |
| Scan UDP ports | nmap -sU -p 123,161,162 192.168.10.1 |
| Scan selected ports, skipping host discovery | nmap -Pn -F 192.168.10.1 |
| Detect OS and services | nmap -A 192.168.10.1 |
| Standard service detection | nmap -sV 192.168.10.1 |
| More aggressive service detection | nmap -sV --version-intensity 5 192.168.10.1 |
| Lighter banner-grabbing detection | nmap -sV --version-intensity 0 192.168.10.1 |
| Save default output to a file | nmap -oN outputfile.txt 192.168.10.1 |
| Save results as XML | nmap -oX outputfile.xml 192.168.10.1 |
| Save results in a format for grep | nmap -oG outputfile.txt 192.168.10.1 |
| Save in all formats | nmap -oA outputfile 192.168.10.1 |
| Scan using the default safe scripts | nmap -sV -sC 192.168.10.1 |
| Get help for a script | nmap --script-help=ssl-heartbleed |
| Scan using a specific NSE script | nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.10.1 |
| Scan with a set of scripts | nmap -sV --script="smb*" 192.168.10.1 |
| Scan for UDP DDoS reflectors | nmap -sU -A -Pn -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.10.0/24 |
| Gather page titles from HTTP services | nmap --script=http-title 192.168.10.0/24 |
| Get HTTP headers of web services | nmap --script=http-headers 192.168.10.0/24 |
| Find web apps from known paths | nmap --script=http-enum 192.168.10.0/24 |
| Heartbleed testing | nmap -sV -p 443 --script=ssl-heartbleed 192.168.10.0/24 |
| Find information about an IP address | nmap --script=asn-query,whois,ip-geolocation-maxmind 192.168.10.0/24 |
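The "Save results in a format for grep" row above produces nmap's grepable (-oG) output. As an added example that is not part of the original cheat sheet, the Python below parses that format from a constructed sample scan, keeps only ports nmap confirmed open, and lists hosts exposing clear-text services so they can be followed up; the sample output and the CLEARTEXT_SERVICES set are constructed for the demo.

```python
from typing import List, NamedTuple

class PortRecord(NamedTuple):
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str

# Constructed sample of "nmap -sV -oG" output, not captured from a real scan.
# Each Ports entry is port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_GREPABLE = """\
# Nmap 7.80 scan initiated as: nmap -sV -oG out.txt 192.168.10.0/24
Host: 192.168.10.1 ()\tStatus: Up
Host: 192.168.10.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 443/open/tcp//https//nginx/, 161/open|filtered/udp//snmp///\tIgnored State: closed (997)
Host: 192.168.10.7 (printer.local)\tStatus: Up
Host: 192.168.10.7 (printer.local)\tPorts: 80/open/tcp//http//HP embedded/, 23/open/tcp//telnet///\tIgnored State: closed (998)
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""

# Services that carry credentials or data in clear text (constructed list).
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "snmp"}

def parse_grepable(text: str) -> List[PortRecord]:
    """Turn nmap -oG output into one record per reported port."""
    records: List[PortRecord] = []
    for line in text.splitlines():
        if line.startswith("#") or "Ports:" not in line:
            continue
        # Tab-separated "Key: value" fields; Host is "ip (hostname)".
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split(" ", 1)[0]
        for entry in fields["Ports"].split(", "):
            p = entry.split("/")
            records.append(PortRecord(host, int(p[0]), p[2], p[1], p[4], p[6]))
    return records

def open_ports(records: List[PortRecord]) -> List[PortRecord]:
    """Keep only ports nmap confirmed open (drops 'open|filtered' UDP guesses)."""
    return [r for r in records if r.state == "open"]

def cleartext_exposures(records: List[PortRecord]) -> List[str]:
    """Hosts offering clear-text protocols, as 'host:port/service' strings."""
    return sorted(f"{r.host}:{r.port}/{r.service}" for r in open_ports(records)
                  if r.service in CLEARTEXT_SERVICES)
```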
First, install the open-source Google Authenticator PAM module and run its setup tool by executing the following commands on the shell.
# yum install google-authenticator
# google-authenticator
The next step is to edit a few files, starting with /etc/pam.d/sshd. Add the following line at the top:
auth required pam_google_authenticator.so
The file then looks like this:
auth required pam_google_authenticator.so
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
Additionally, you could add the following line, which makes it possible to log on locally without a verification code:
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
Content of /etc/security/access-local.conf:
# Google Authenticator can be skipped on local network
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
- : ALL : ALL
Next, edit /etc/ssh/sshd_config. Add the following line, or if it is already present, change its value to “yes”:
ChallengeResponseAuthentication yes
Now restart the SSH service with the following command:
# service sshd restart
To disable GSSAPI authentication on an SSH server, look for “GSSAPIAuthentication” in /etc/ssh/sshd_config and edit it, or add the line as follows.
$ sudo vi /etc/ssh/sshd_config
# add this line
GSSAPIAuthentication no
Then restart SSH server:
$ sudo /etc/init.d/ssh restart (Debian, Ubuntu or Linux Mint)
$ sudo systemctl restart sshd (Fedora)
$ sudo service sshd restart (CentOS or RHEL)
To disable reverse DNS lookups on an SSH server, edit the SSH server configuration as follows.
$ sudo vi /etc/ssh/sshd_config
# add this line
UseDNS no
Then restart SSH server:
$ sudo /etc/init.d/ssh restart (Debian, Ubuntu or Linux Mint)
$ sudo systemctl restart sshd (Fedora)
$ sudo service sshd restart (CentOS or RHEL)
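The three sshd_config edits above (ChallengeResponseAuthentication yes, GSSAPIAuthentication no, UseDNS no) all say "add the line", but sshd keeps the first value of a keyword it sees and treats everything after a Match line as conditional, so an appended line may silently do nothing. As an added example, not part of the original notes, this Python checker resolves the effective global values the way sshd does and reports each of the three settings; the sample configuration is constructed to show both pitfalls.

```python
import re
from typing import Dict

# Values the notes above ask for: 2FA prompt on, GSSAPI off, reverse DNS off.
EXPECTED = {
    "challengeresponseauthentication": "yes",
    "gssapiauthentication": "no",
    "usedns": "no",
}

# Constructed sshd_config excerpt (not from a real host). "UseDNS no" was
# appended after an earlier "UseDNS yes" (sshd keeps the FIRST value), and
# the other two lines sit after a Match block, so they are not global at all.
SAMPLE_SSHD_CONFIG = """\
Port 22
UseDNS yes
GSSAPIAuthentication yes
Match User backup
    PasswordAuthentication no
UseDNS no
GSSAPIAuthentication no
ChallengeResponseAuthentication yes
"""

def effective_global_values(config_text: str) -> Dict[str, str]:
    """Resolve global values like sshd: case-insensitive keywords, first
    occurrence wins, lines after a Match apply only to that Match."""
    values: Dict[str, str] = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
        elif not in_match:
            values.setdefault(key, value)  # first value wins
    return values

def audit_sshd_config(config_text: str, expected: Dict[str, str] = EXPECTED) -> Dict[str, str]:
    """Return 'ok', 'unset' or 'wrong: <value>' for each expected keyword."""
    actual = effective_global_values(config_text)
    report: Dict[str, str] = {}
    for key, want in expected.items():
        got = actual.get(key)
        report[key] = "unset" if got is None else ("ok" if got.lower() == want else f"wrong: {got}")
    return report
```

Run audit_sshd_config on the text of /etc/ssh/sshd_config after editing; "unset" means the keyword only appears inside a Match block or not at all, so sshd's compiled-in default applies.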
To change the default path selection policy, use SSH to connect to the ESXi/ESX host and list the current SATP defaults.
# esxcli storage nmp satp list
To change, for example, the default policy for storage type VMW_SATP_ALUA from Fixed to Round Robin (RR), the following command is necessary.
# esxcli storage nmp satp set -s VMW_SATP_ALUA -P VMW_PSP_RR
Reboot the ESXi/ESX host to apply the changes.
Today I encountered the issue that I could not run a SureBackup from an ESX server, although the ESX server (vmkernel) could ping the Veeam Backup server and could connect to the NFS service (ports 111 and 6161).
I finally saw that there was also a Service for NFS running. Disabling this service did not help.
At last I just removed the “Service for NFS” from the Windows 2012 R2 Storage server.
A reboot is needed AND… the SureBackup runs.
So, if you have a Windows Storage server and you install Veeam Backup and Replication on it, remove the Service for NFS from it to make vPower NFS work.
If you have an HA Sophos UTM solution and you are not able to ping the VM in VMware, you may have to do this in the console:
Login as loginuser
You might need to go to root (su -)
Find out the status of the virtual_mac setting:
cc get ha advanced virtual_mac
Change it with:
cc set ha advanced virtual_mac 0