Chromecast SSDP and mDNS Service Control on Fortinet Wireless Controllers

The Service Control feature on the FortiRU controller has been there for quite some time now, and it has been very effective in managing mDNS traffic on the wireless side. Once you enable this feature on the wireless controller you can manage the mDNS traffic flow across VLANs and ESSIDs by creating a Service Control policy.

This works well for mDNS traffic control for AirPrint, AirPlay, etc. There are some limitations in managing Chromecast multicast traffic when it comes to SSDP traffic.

The FortiRU controller has not supported SSDP service control across multiple VLANs from day one, although it does work between ESSIDs within the same VLAN.

The reason is how the FortiRU controller forwards the two protocols:

SSDP forwarding happens in the data path
mDNS forwarding happens in user space

Since SSDP traffic never reaches user space, the Service Control policy is not applied to it.

A real-world scenario: if you use a Windows computer with a Chromecast you will mostly notice mDNS traffic being used for discovery and mirroring, while an iPad running the YouTube application and mirroring it uses SSDP for discovery. So this very much depends on whether the device/application uses SSDP (UDP destination port 1900) for discovery.

Following a feature request, this is now supported from the SD 8.4 general release onward.
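The distinction above matters for the capture you take when a Chromecast will not show up: here is an added Python helper (not code from the original post or from Fortinet) that classifies a UDP datagram as SSDP on port 1900 or mDNS on port 5353, parses out the search target or the queried service, and says which forwarding path on the controller handles it. The sample datagrams are constructed here; the DIAL search target and the _googlecast service name are assumed Chromecast discovery identifiers, not values from the post.

```python
import struct

SSDP_PORT, MDNS_PORT = 1900, 5353   # SSDP: data path; mDNS: user space (Service Control applies)

def parse_ssdp(payload):
    # HTTPU request line plus headers, e.g. M-SEARCH with an ST search target
    lines = payload.decode("ascii", "replace").split("\r\n")
    headers = dict((k.strip().upper(), v.strip()) for k, v in
                   (h.split(":", 1) for h in lines[1:] if ":" in h))
    return {"method": lines[0].split(" ")[0], "headers": headers}

def read_name(data, off):
    # Decode a DNS name; follows compression pointers (RFC 1035 section 4.1.4)
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:            # pointer to an earlier copy of the suffix
            end = end or off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end or off

def parse_mdns_query(payload):
    # Question names after the 12-byte DNS header; each question ends with QTYPE/QCLASS
    qdcount = struct.unpack("!H", payload[4:6])[0]
    names, off = [], 12
    for _ in range(qdcount):
        name, off = read_name(payload, off)
        names.append(name)
        off += 4
    return names

def classify_discovery(dst_port, payload):
    # Which discovery protocol a datagram uses and which forwarding path handles it
    if dst_port == SSDP_PORT:
        msg = parse_ssdp(payload)
        return {"protocol": "SSDP", "method": msg["method"],
                "target": msg["headers"].get("ST"), "path": "data path"}
    if dst_port == MDNS_PORT:
        return {"protocol": "mDNS", "targets": parse_mdns_query(payload), "path": "user space"}
    return {"protocol": "other", "path": None}

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

# Constructed sample datagrams (not captures from the original post)
SSDP_SAMPLE = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
               b"MX: 1\r\nST: urn:dial-multiscreen-org:service:dial:1\r\n\r\n")
MDNS_SAMPLE = (struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)                   # header: 1 question
               + encode_name("_googlecast._tcp.local") + struct.pack("!HH", 12, 1))   # PTR, IN
```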

(screenshot: SSDP)

By default, FortiRU OS provides the Apple service types for service control, while for Chromecast you may need to create your own service types (FortiRU OS might be missing exactly what you want).

#Configuration on the WLC controller is straightforward:

1. Enable service control

enable service control

2. Confirm that the service types you are interested in are available on your WLC controller for service control

service type

3. SC-AP group creation

sc ap group

4. Publisher and subscriber user group creation

user group

5. Finally, policy creation:

(screenshot: policy.PNG)

To debug a Service Control issue on the WLC controller:

FortiMeruXXX(15)# sup-cli
FortiMeruXXX]
FortiMeruXXX] tr ServiceMgr ffffffff

FortiMeruXXX] trace on (turn on the trace)

Once the issue is captured, turn it off.

FortiMeruXXX] trace off (turn off the trace)

To debug on the AP side:

AP level: (find the AP the client is connected to and run the trace on that AP)

Conn ap  

ap X> trace on 
Real-time trace display enabled for severity >= 0. 

Once the issue is captured turn it OFF. 

ap X> trace off 
Real-time trace display disabled.

Internet Service DB (ISDB) on FortiGate

A feature called Internet Service DB (ISDB) was introduced in FortiOS. Using this feature you can write firewall policies and routes and have the FortiGate take the necessary action based on the application IP database it maintains.

This feature was introduced in FortiOS v5.4 and above. NOTE: ISDB updates require an active FortiCare support contract; no FortiGuard subscription is required.

In the FortiOS v5.2 days you could create a firewall policy with an FQDN to block/allow users based on a website hostname. However, that is no longer an option from v5.4 and above (not supported).

Blocking/allowing user access based on a public application's IP addresses is not an easy task. There will be dozens of IP addresses (e.g. Facebook and Google), and it is not easy for everyone to manage that IP database, since new IP addresses keep being added to the list.

So you can now take advantage of ISDB and let it handle the dynamic changes of IP addresses.

(screenshot: ISDB)

>Running the following command shows the available and updated signature databases on the FortiGate; you should see ISDB listed there as well.

# diagnose autoupdate versions

>To list the IP addresses in the DB for a particular application (you can also see this through the GUI):

# diagnose firewall internet-service list 3604481

'3604481' is the application ID for GitHub-Web.

(screenshot: GitHub)

NOTE: I have chosen the GitHub application just for my examples.

>FortiOS also lets you create your own custom ISDB entries, which helps customers manage their own list on top of what FortiOS offers. You can list your custom object after creating one, as below.

# diagnose firewall internet-service-custom list

List internet service in kernel(custom):
name=Git-custom, id=4294901760 flags=0x0 protocol=6 port=80-65535 1-65535
addr ip range(1): 200.X.X.X-200.X.X.X

>You can also add IP addresses that you feel ISDB is missing for an application by creating a custom object that references the master-service-id:

# config firewall internet-service-custom

(internet-service~tom) #

(internet-service~tom) # show
config firewall internet-service-custom
    edit "Git-custom"
        set master-service-id 3604481
        set comment "git"
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 80
                    next
                    edit 2
                    next
                end
                set dst "x.x.x.x"
            next
        end
    next
end

>You can create a firewall policy with an existing Internet Service DB entry or with a custom Internet Service entry you created, and use the same objects for route control as well.

(screenshot: github policy)

(screenshot: route)

FortiGate on SIP/ALG/Session Helper

If you are looking for ideas on changes/tweaks on the FortiGate for SIP/VoIP traffic, I believe the details below could give you a bit of insight into configuring Fortinet for your SIP/VoIP design. I know other Fortinet experts have already shared ideas related to this. This is just my version of the same, with some add-ons!

When to use the "session helper", "VoIP ALG (kernel mode)" or "VoIP ALG (proxy mode)"?

Types of SIP VoIP design:

Peer-to-peer configuration

SIP proxy server configuration

SIP redirect server configuration

SIP registrar configuration

SIP with a FortiGate running transparent mode

SIP network with a FortiGate running NAT/route mode

Tweaking your FortiGate based on your design requirements for SIP VoIP traffic:

*SIP sessions using port 5060 accepted by a security policy that does not include a VoIP profile are processed by the SIP session helper.

*Session helper + FortiGate VoIP ALG mode "kernel mode" = SIP session offload; SDP conversion happens with an RTP session pinhole.

*FortiGate VoIP ALG mode "proxy mode" (ALG) = more SIP ALG features and RTP session pinholes.

By default FortiOS uses the proxy-mode SIP ALG for SIP traffic. If you want to use the SIP session helper instead, you need to enter the following command:

config system settings
    set default-voip-alg-mode kernel-helper-based
end

In most cases you would want to use the SIP ALG, since the SIP session helper provides limited functionality. However, the SIP session helper is available and can be useful for high-performance solutions where a high level of SIP security is not a requirement.

#Key things you should understand#

*Controlling NAT for addresses in SDP lines
You can use the no-sdp-fixup option to control whether the FortiGate performs NAT on addresses in the SDP lines of the SIP message body.

The no-sdp-fixup option is disabled by default, so the FortiGate performs NAT on addresses in SDP lines. Enable this option if you don't want the FortiGate to perform NAT on the addresses in SDP lines.

config voip profile
    edit VoIP_Pro_1
        config sip
            set no-sdp-fixup enable
        end
    next
end

*How the SIP ALG performs NAT:

I see this as an important part to understand, at least while working with FortiGate firewalls.

NAT with SIP gets a bit complex because of the IP addresses and port numbers carried in SIP message headers and bodies. When a SIP caller on the private network calls a phone server or SIP phone on the internet, the SIP ALG must translate the private network addresses to internet-valid IP addresses and port numbers. And when the response message comes back to the caller, the SIP ALG must translate them back to valid private network addresses.

Additionally, the media streams generated by a SIP session are independent of the SIP messages and use different port numbers during the media session. Based on the information in the SIP message, the SIP ALG opens pinholes to accept the media streams and performs port translation on them.

When the SIP ALG receives an INVITE message, the FortiGate extracts information such as port numbers and IP addresses and stores it in the SIP dialog table. This is similar to the IP session table, and this data is used for the subsequent SIP messages that are part of the same call.

The ALG then uses the information in the SDP field to reserve port numbers and IP addresses for the media session and creates NAT mappings between the ports in the SDP field. Normally SDP uses sequential ports for the RTP and RTCP channels, and the ALG provides consecutive even-odd ports.
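As an added illustration of the SDP handling described above (a toy model written for this page, not FortiOS code), the class below rewrites the private address in an SDP offer to the public address, allocates consecutive even/odd RTP/RTCP ports per media line, records the pinholes the ALG would open, and shows the pass-through that no-sdp-fixup produces. The public address, the starting RTP port and the SDP offer are constructed values.

```python
import re

class SipAlgNat:
    """Toy model of the SDP fixup: translate the private address in the SDP body to the
    public address, hand out an even/odd RTP/RTCP port pair per m= line and keep the
    pinholes so that media from the internet side can be mapped back."""

    def __init__(self, public_ip, first_rtp_port=16384):
        self.public_ip = public_ip
        self.next_even = first_rtp_port + (first_rtp_port % 2)   # RTP must sit on an even port
        self.pinholes = []      # (private_ip, private_port, public_port) for RTP and RTCP

    def alloc_pair(self):
        rtp = self.next_even
        self.next_even += 2
        return rtp, rtp + 1     # RTP even, RTCP on the following odd port

    def fixup(self, sdp, no_sdp_fixup=False):
        # With "set no-sdp-fixup enable" the SDP body passes through untouched (no pinholes)
        if no_sdp_fixup:
            return sdp
        m = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)       # session-level connection address
        private_ip = m.group(1) if m else None
        out = []
        for line in sdp.split("\r\n"):
            if private_ip and (line.startswith("c=IN IP4 ") or line.startswith("o=")):
                line = line.replace(private_ip, self.public_ip)
            elif line.startswith("m="):
                parts = line.split(" ")                     # m=<media> <port> <proto> <fmt>
                private_port = int(parts[1])
                rtp, rtcp = self.alloc_pair()
                self.pinholes.append((private_ip, private_port, rtp))
                self.pinholes.append((private_ip, private_port + 1, rtcp))
                parts[1] = str(rtp)
                line = " ".join(parts)
            out.append(line)
        return "\r\n".join(out)

    def inbound(self, public_port):
        # Reverse translation for media arriving from the internet side
        for private_ip, private_port, pub in self.pinholes:
            if pub == public_port:
                return private_ip, private_port
        return None

# Constructed SDP offer from a phone on the private network (not from the original post)
SDP_OFFER = "\r\n".join([
    "v=0", "o=alice 2890844526 2890844526 IN IP4 10.0.0.5", "s=-",
    "c=IN IP4 10.0.0.5", "t=0 0", "m=audio 49170 RTP/AVP 0", "a=rtpmap:0 PCMU/8000"])
```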


System Commander script for troubleshooting Fortinet infrastructure AP reboot/radio reset issues

It sometimes gets tough troubleshooting an AP reboot issue. While troubleshooting Fortinet Wi-Fi APs, you might need to capture the AP flash event log to identify the cause of a reboot. However, sometimes the AP flash space has already run out because it is holding the maximum number of log files (this can happen if the AP has been up and running for a long time in production, or if many events on the AP filled up the space quickly). In that case you need to clear the flash log space so it can store the latest, fresh log files.

This is needed to make sure that the stored logs are the latest ones, from the crash/reboot that just happened.

#Run the following commands on the AP to clear the old flash logs:

file areaerase logk0
file areaerase logk1

#Run the following commands to read the flash logs on the AP:

flashcmds show logk0
flashcmds show logk1

However, in big deployments you cannot run this on each AP separately, and you also cannot cause Wi-Fi service disruption, so you have to run it on at least a bunch of APs at a time to save time. We have something called "System Commander", where you execute a script to clear those AP flash logs.

Step 1:

To use the System Commander tool you have to enable telnet on the controller.

FortiWLC# configure terminal
FortiWLC(config)# telnet enable

Step 2:

Create a folder on the C: drive of your computer and copy into it the two files shared at the links below:
https://www.dropbox.com/s/82ir713iegxj0tt/SystemCommandExecutor_Ver14.exe?dl=0

https://www.dropbox.com/s/otrkiobxmhnhq4y/SystemCommands_AP.txt?dl=0

Step 3:
Run the following command from your computer's command prompt window.

SYNTAX: C:\folder_name> SystemCommandExecutor_Ver14.exe -c ipaddressofcontroller-username-password -o 4 -a APMODEL -l 1

Example for AP822s:

C:\PRAVEEN>SystemCommandExecutor_Ver14.exe -c 192.168.10.3-admin-admin -o 4 -a AP822 -l 1

Explanation:

The folder name is the name of the folder on the C: drive in which you saved the files (SystemCommands_AP.txt). The username and password are the login credentials of the controller. The logs are saved in the same folder on the C: drive once the loop is completed.

The syntax includes the AP model, so choose the AP model according to which APs you want to collect the logs from.
* For any and all AP reboots, run this to gather the AP reboot logs (file areaerase logk0/logk1)
* After collecting, disable telnet

1. On the command prompt you need to specify the AP model, since the tool can only collect from one AP type at a time. If the customer has a mixed AP environment you need to collect separately for each AP model.
2. If any AP is disabled or offline, make sure to delete that entry before running System Commander, since the loop will end at that point and there is no option to restart from there. (Example: if there are 100 APs on the network and AP ID 44 is offline, the loop will end at AP ID 44.)

Add-on: you can add more commands to the script file (SystemCommands_AP.txt) to execute them and collect a dump of their output too.

How to check why FortiAP got Offline from FortiGate

If the AP lost its connection with the FortiGate, you can check whether the AP just lost contact with the firewall (missed heartbeat) or whether it rebooted for some reason.

Points to remember:

*A FortiAP reboots only if it has a power issue, or

*the FortiAP had a software crash or kernel panic.

>>The following command on the FortiGate (diagnose wireless-controller wlac -c wtp) can give you an idea of why the AP is offline:

#Scene 1: the AP is offline because of an operation initiated from the controller/FortiGate (a change that needs an AP reboot):

——————————-WTP 1—————————-
WTP vd : root
vfid : 0
id : FP221B3X12007124
mgmt_vlanid : 0
region code : N
regcode status : invalid
refcnt : 2 own(1) wtpprof(1)
plain_ctl : disabled
deleted : no
admin : enable
cfg-wtp-profile : praveen_wifi_integrated
override-profile : enabled
oper-wtp-profile : resv-dflt-FP221B3X12007124
wtp-mode : normal
wtp-group :
name :
location :
led-state : enabled
ip-frag-prevent : TCP_MSS
tun-mtu : 0,0
split-tunneling-local-ap-subnet : disabled
active sw ver : FP221B-v5.2-build0254
local IPv4 addr : 192.168.242.63
board mac : 00:09:0f:7c:1a:70
join_time : Tue Jan 17 13:51:56 2017
mesh-uplink : ethernet
mesh hop count : 0
parent wtp id :
connection state : Disconnected
image download progress: 0
last failure : 8 — AC daemon reset timer expired –<change caused AP reboot>     
last failure param: N/A
last failure time: Tue Jan 17 13:52:01 2017
station info : 0/0

#Scene 2: on the other hand, the FortiGate reports that the heartbeat timed out and so the AP went offline:

#diagnose wireless-controller wlac -c wtp

——————————-WTP 1—————————-
WTP vd : root
vfid : 0
id : FP221B3X12007124
mgmt_vlanid : 0
region code : N
regcode status : invalid
refcnt : 3 own(1) wtpprof(1) ws(1)
plain_ctl : disabled
deleted : no
admin : enable
cfg-wtp-profile : praveen_wifi_integrated
override-profile : enabled
oper-wtp-profile : resv-dflt-FP221B3X12007124
wtp-mode : normal
wtp-group :
name :
location :
led-state : enabled
ip-frag-prevent : TCP_MSS
tun-mtu : 0,0
split-tunneling-local-ap-subnet : disabled
active sw ver : FP221B-v5.2-build0254
local IPv4 addr : 192.168.242.63
board mac : 00:09:0f:7c:1a:70
join_time : Tue Jan 17 13:41:18 2017
mesh-uplink : ethernet
mesh hop count : 0
parent wtp id :
connection state : Connected
image download progress: 0
last failure : 14 — ECHO REQ is missing        … <heartbeat missed>
last failure param: N/A
last failure time: Tue Jan 17 13:40:39 2017     …<Failure time>
station info : 0/0
geo : World (0)
LLDP : disabled
Radio 1 : AP

So the FortiGate just reported a heartbeat miss from the AP, which caused the AP to go offline and Wi-Fi service to be interrupted.

*Here we need to find out whether it is the network, or whether the AP itself did not send out the heartbeat.

*Log into the AP and check whether it rebooted, or whether the AP itself reports that it lost contact and had to reconnect.

*To telnet from the FortiGate into the AP, the command is: # execute telnet <dest> (the AP's IP address).

*Check the uptime on the AP: # cw_diag uptime

Log1:

FP221B3XXXXXXXXX # cw_diag uptime
Could not open fsm RUN uptime file /tmp/uptime_fsm_run.
Current uptime : 1567338
WTP daemon start uptime : 1565549                  <AP never got rebooted>
WTP daemon RUN uptime : 1567338
Time since WTP daemon started : 1789
Time since WTP daemon connected : 0                <Did lose contact with FGT>

Watchdog timer triggered : 0
Watchdog timer action : 3
Watchdog timer time : 27

Log2:

FP221B3XXXXXXXX # cw_diag uptime
Could not open fsm RUN uptime file /tmp/uptime_fsm_run.
Current uptime : 78                                <AP got rebooted>
WTP daemon start uptime : 31
WTP daemon RUN uptime : 78
Time since WTP daemon started : 47
Time since WTP daemon connected : 0

Watchdog timer triggered : 0
Watchdog timer action : 3
Watchdog timer time : 29

*This way you can narrow down the issue, which helps to find the root cause next time.
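To turn the two log views above into a repeatable check, here is an added Python triage helper (not from the original post): it reads the last failure code from the wlac -c wtp output and the counters from cw_diag uptime, and returns whether the AP rebooted or merely lost contact. The 600-second reboot threshold is an assumption of this example, and the sample texts are trimmed copies of the excerpts above.

```python
import re

# Assumed threshold (not from the original post): an AP whose "Current uptime" is
# below this many seconds is treated as having just rebooted.
RECENT_REBOOT_SECONDS = 600

# "last failure" codes as they appear in the wlac -c wtp output above
LAST_FAILURE = {8: "AC daemon reset timer expired (controller change caused AP reboot)",
                14: "ECHO REQ is missing (heartbeat missed)"}

def parse_counters(uptime_text):
    # "key : value" lines from cw_diag uptime; trailing <annotations> are ignored
    counters = {}
    for line in uptime_text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(\d+)", line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters

def parse_last_failure(wtp_text):
    # Numeric code from the "last failure : N ..." line of wlac -c wtp
    m = re.search(r"last failure\s*:\s*(\d+)", wtp_text)
    return int(m.group(1)) if m else None

def triage_ap(wtp_text, uptime_text):
    # Combine the controller's view (last failure) with the AP's view (uptime counters)
    code = parse_last_failure(wtp_text)
    c = parse_counters(uptime_text)
    rebooted = c.get("Current uptime", 0) < RECENT_REBOOT_SECONDS
    lost_contact = c.get("Time since WTP daemon connected") == 0
    if code == 8:
        verdict = "controller-initiated change rebooted the AP (expected)"
    elif rebooted:
        verdict = "AP rebooted: check power, diag_debug_crashlog read and cw_diag kernel-panic"
    elif code == 14:
        verdict = "AP stayed up but the heartbeat was lost: check the network path to the FortiGate"
    else:
        verdict = "no reboot seen on the AP; controller reason: %s" % LAST_FAILURE.get(code, code)
    return {"last_failure": code, "reason": LAST_FAILURE.get(code, "unknown"),
            "rebooted": rebooted, "lost_contact": lost_contact, "verdict": verdict}

# Samples trimmed from the log excerpts shown above
WTP_HEARTBEAT = "connection state : Connected\nlast failure : 14 - ECHO REQ is missing\n"
UPTIME_NO_REBOOT = """Current uptime : 1567338
WTP daemon start uptime : 1565549
Time since WTP daemon started : 1789
Time since WTP daemon connected : 0"""
UPTIME_REBOOTED = """Current uptime : 78
WTP daemon start uptime : 31
Time since WTP daemon started : 47
Time since WTP daemon connected : 0"""
```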

Other Handy AP commands:

>cfg -s
>fap-get-status
>cw_diag uptime
>cw_diag sys-performance
>iwconfig
>diag_debug_crashlog read
>cw_diag -c wtp-cfg
>cw_diag -c radio-cfg
>cw_diag -c vap-cfg
>cw_diag kernel-panic
>dmesg
>rcfg
>klog

First universal APs @fortinet

These U-FAPs can be managed by infrastructure controllers, by FortiGate firewalls, or via cloud-based management.

Like other Fortinet infrastructure access points, they support single-channel architecture (Virtual Cell) as well as micro cell/native cell.

#802.11AC#Wave2#4*4#universal

Configuring your FortiGate for higher ciphers and SSL/TLS protocol versions

From version 5.4 onwards you can control the encryption and decryption settings and restrict the SSL VPN to the highest ciphers:

FG08XXXXXXXXXX # config vpn ssl settings
FG080XXXXXXXXX (settings) #
FG080XXXXXXXXX (settings) # set banned-cipher
RSA         Ban the use of cipher suites using RSA key.
DH          Ban the use of cipher suites using DH.
DHE         Ban the use of cipher suites using authenticated ephemeral DH key agreement.
ECDH        Ban the use of cipher suites using ECDH key exchange.
ECDHE       Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
DSS         Ban the use of cipher suites using DSS authentication.
ECDSA       Ban the use of cipher suites using ECDSA authentication.
AES         Ban the use of cipher suites using either 128 or 256 bit AES.
AESGCM      Ban the use of cipher suites AES in Galois Counter Mode (GCM).
CAMELLIA    Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
3DES        Ban the use of cipher suites using triple DES
SHA1        Ban the use of cipher suites using SHA1.
SHA256      Ban the use of cipher suites using SHA256.
SHA384      Ban the use of cipher suites using SHA384.

#To set the SSL/TLS protocol versions for admin access and SSL VPN:

>>Allow only TLS 1.2 for the admin GUI:
       # config system global
       # set admin-https-ssl-versions tlsv1-2
       # end

>>Disable everything except TLS 1.2 for SSL VPN and set the algorithm to high:
       # config vpn ssl settings
       # set tlsv1-0 disable
       # set tlsv1-1 disable
       # set sslv3 disable
       # set algorithm high
       # end

>>What about setting the algorithm to HIGH/LOW/MEDIUM?
The default option, Medium (RC4, 128 bits), is acceptable, but the High option (AES 128/256 bits and 3DES) is more secure. The Low option (RC4 64 bits, DES and higher) does not meet PCI DSS requirements.

>>Configure the system to use strong crypto:
       # config system global
       # set strong-crypto enable
       # end

Note: enabling strong crypto disables SSLv3 and TLSv1.0, leaving TLSv1.1 and TLSv1.2.