Network Security Model and Cryptography
https://networkinterview.com/network-security-model-and-cryptography/ (Thu, 10 Jul 2025 15:17:33 +0000)

With the widespread use of the Internet, cloud computing, social networking and e-commerce applications, a large amount of data is generated daily. Data security is a crucial aspect of network security: as more and more people use the Internet and society moves into the digital information age, cyber criminals are more active and use advanced techniques to gain access to an organization's lifeline, its data. Network security and cryptography are used to protect the network and the data transmitted over wireless networks.

In today's topic we look in more detail at the network security model: how a security service is designed, its components, how it works and its features.

Network Security Model

The network security model describes how a security service is designed to prevent cyber attackers from threatening the confidentiality and authenticity of information transmitted or exchanged over the network. Messages are exchanged between a sender and a receiver; before transmission they must mutually agree to share the message, and at this point the communication channel or information channel, which is an Internet service, comes into the picture.

When a message is transmitted over the network between sender and receiver, three components are involved from a security service perspective:

  • Transformation of the information to be sent or received, i.e. encryption, so that a cyber attacker is unable to make use of it if intercepted. It may also involve adding a code during transmission which is used to verify the identity of the receiver.
  • Secret information / key shared between sender and receiver, used to encrypt messages at the sender's end and decrypt them at the receiver's end.
  • A trusted third party, which takes responsibility for distributing the secret information / key to both sender and receiver without the involvement of an intruder or cyber attacker.

Network Security Model Architecture

The network security model above depicts two parties in communication, where sender and receiver mutually agree to exchange information. The sender wants to send messages to the receiver but cannot transmit them in clear text, as they would be at risk of interception by an intruder. So before a message is sent to the receiver via the information channel, it must be transformed into an unreadable format.

  • Secret information / key is used together with the transformation so that the message is readable only by the receiver who holds the key; this is where a trusted third party comes into the picture, responsible for distributing the secret information / key to both parties in the communication.
  • An encryption key is used in conjunction with the transformation to scramble the message before transmission and to unscramble it on receipt.
  • Encryption provides data protection, while key management is required to control access to data that needs protection from unauthorized parties.

Cryptography

Cryptography is used to store or transmit data in a specific format so that only those for whom it is intended are able to process it. The cleartext is scrambled into ciphertext (encryption) and then turned back again (decryption). In general, three types of cryptographic scheme are commonly used: secret key (or symmetric) cryptography, public-key (or asymmetric) cryptography, and hash functions.

Types of Cryptography

Secret Key (or symmetric) Cryptography

A single key is used for both encryption and decryption, as depicted in the figure below.

Sender A uses key M to encrypt plaintext message L and sends the ciphertext O to the receiver. The receiver applies the same key M to decrypt ciphertext O and recover plaintext L. The key must therefore be known to both sender and receiver.

Public-key (or asymmetric) Cryptography

Encryption and decryption are performed using different keys, a public key and a private key. The sender uses the public key of the receiver to encrypt plaintext message L and sends ciphertext O to the receiver. The receiver uses its own private key to decrypt ciphertext O and recover plaintext message L.

Hash Functions

A digital signature is an authentication mechanism that enables the creator of a message to attach a code which acts as a signature. The signature is formed by taking the hash of the message and encrypting that hash with the creator's private key. The signature is used to guarantee the source of the message and its integrity.
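The three schemes above (secret key, public key, and hash plus signature) worked through as an added Go example; this is not code from the original article. It uses only the Go standard library: AES-256-GCM for the symmetric case with the article's names (key M, plaintext L, ciphertext O), RSA-OAEP for the public-key case, and SHA-256 with RSA-PSS for the digital signature; the fixed demo key and message strings in main are constructed values.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// SymmetricEncrypt is sender A's step: key M scrambles plaintext L into
// ciphertext O. AES-256-GCM also authenticates O, so the receiver detects
// tampering in transit instead of silently decrypting garbage.
func SymmetricEncrypt(keyM, plaintextL []byte) ([]byte, error) {
	block, err := aes.NewCipher(keyM) // keyM must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// The nonce is not secret; prepend it so the receiver can recover it.
	return gcm.Seal(nonce, nonce, plaintextL, nil), nil
}

// SymmetricDecrypt is the receiver's step: the same key M turns O back into L.
func SymmetricDecrypt(keyM, ciphertextO []byte) ([]byte, error) {
	block, err := aes.NewCipher(keyM)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertextO) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, sealed := ciphertextO[:gcm.NonceSize()], ciphertextO[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil) // fails if O was modified
}

// GenerateKeyPair returns a receiver's (or signer's) RSA key pair; only the
// public half is ever shared with the other party.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// AsymmetricEncrypt: the sender encrypts L with the receiver's public key.
func AsymmetricEncrypt(receiverPub *rsa.PublicKey, plaintextL []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, plaintextL, nil)
}

// AsymmetricDecrypt: only the holder of the matching private key recovers L.
func AsymmetricDecrypt(receiverPriv *rsa.PrivateKey, ciphertextO []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, ciphertextO, nil)
}

// Sign forms the digital signature: hash the message, then sign the hash with
// the creator's private key (RSA-PSS over SHA-256).
func Sign(creatorPriv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, creatorPriv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the hash and checks it against the signature with the
// creator's public key; any change to message or signature makes it false.
func Verify(creatorPub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(creatorPub, crypto.SHA256, digest[:], signature, nil) == nil
}

func main() {
	keyM := []byte("0123456789abcdef0123456789abcdef") // demo-only fixed key
	o, _ := SymmetricEncrypt(keyM, []byte("plaintext L"))
	l, err := SymmetricDecrypt(keyM, o)
	fmt.Printf("symmetric: %q err=%v\n", l, err)

	receiver, _ := GenerateKeyPair()
	o2, _ := AsymmetricEncrypt(&receiver.PublicKey, []byte("plaintext L"))
	l2, err := AsymmetricDecrypt(receiver, o2)
	fmt.Printf("asymmetric: %q err=%v\n", l2, err)

	sig, _ := Sign(receiver, []byte("signed message"))
	fmt.Println("valid:", Verify(&receiver.PublicKey, []byte("signed message"), sig))
	fmt.Println("altered:", Verify(&receiver.PublicKey, []byte("signed message!"), sig))
}
```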

 

What is a Virtual Firewall? 3 Virtual Firewall Use Cases
https://networkinterview.com/what-is-a-virtual-firewall-3-use-cases/ (Mon, 30 Jun 2025 07:32:20 +0000)

Firewalls have evolved a lot since their inception as the gatekeeper, the epitome of perimeter security, used to enhance network security. In the early days firewalls were simple packet filters which examined the packets passing through them and blocked those that did not meet predetermined criteria. Over time, as cyber attacks became more sophisticated, firewall technology also became more advanced, from stateful inspection firewalls to next generation firewalls.

In today's topic we will learn about virtual firewalls and three use cases for them in detail.

About Virtual Firewall

A virtual firewall provides network security for virtualized environments such as the cloud. Virtualization allows the creation of multiple virtual instances of a physical device or server, enabling more efficient utilization of the underlying physical resources and more flexibility in network management. Virtualization technologies also brought a new set of security risks, such as unauthorised access to virtual resources and an increase in data breaches.

Virtual firewalls become the gatekeeper of perimeter security again, like their physical avatars. They operate at the virtualization layer and protect virtual machines (VMs) or any other virtualized resources in cloud networks. Virtual firewalls also provide additional functions such as VPN connections, intrusion detection and prevention, and malware protection.

 

Virtual firewalls secure cloud deployments, so they are also called cloud firewalls. They can scale with virtual environments, protect north-south traffic and allow fine grained network segmentation within virtual networks.

Benefits of using a Virtual / Cloud Firewall

  • Cloud native virtual firewalls centralize security and apply policies consistently to all virtual machines and applications
  • Virtual firewall upgrades are easier than the management and upgrade of physical firewalls
  • Virtual firewalls are the safest way to quickly roll out cloud applications
  • More cost effective than their physical counterparts
  • Provide cloud native threat detection and prevention capabilities to secure data and applications

Virtual Firewall Use Cases 

Use Case 1: Securing Public Clouds 

Public clouds such as Google Cloud Platform (GCP), Amazon Web Services (AWS) and Microsoft Azure host virtual machines to support different types of workloads; virtual firewalls secure these workloads.

Virtual firewalls are deployed to implement advanced security capabilities such as threat detection, and segmentation to isolate critical workloads in order to meet regulatory requirements such as GDPR, HIPAA, PCI-DSS, etc.

To secure traffic moving laterally within cloud networks, virtual firewalls implement inline threat prevention mechanisms.

Use Case 2: Security Extension to branches and SDNs

Virtual firewalls help secure systems at branch offices and in software defined networks. In SDN environments data routing and networking are controlled through software virtualization. Deploying virtual firewalls in SDN environments allows organizations to secure their perimeter, segment the network and extend protection to remote branches.

Advanced firewalls in SDN networks provide consistent network security: they help manage branch network security from a centralized console, segment networks to support isolation, secure live network flows and set the stage for secure migration of applications to the cloud.

Use Case 3: Protection of Cloud Assets 

Virtual firewalls enhance the security of private cloud assets. They come with policy based, automatic provisioning of security capabilities for networks, help secure private cloud assets quickly and support isolating workloads from one another.

NGFWs: Juniper SRX Firewall vs Fortinet Firewall
https://networkinterview.com/juniper-srx-firewall-vs-fortinet-firewall/ (Mon, 16 Jun 2025 11:18:19 +0000)

Firewalls are the backbone of all networks, and they have come a long way from traditional packet-filtering firewalls to next generation firewalls, which combine conventional firewall functions with network device filtering functions such as deep packet inspection, intrusion prevention system (IPS), TLS-based encryption, website filtering, QoS / bandwidth management, malware inspection, etc.

Today we look in more detail at next generation firewalls such as the Juniper SRX firewall and Fortinet firewalls, how they differ from each other, and their features.

Juniper SRX Firewall

Juniper SRX is a single appliance with NGFW functionality, unified threat management (UTM) capability, and secure switching and routing. SRX firewalls provide network-wide threat visibility.

Introduction to Juniper SRX Firewall

  • It provides NGFW capabilities such as full packet inspection, application awareness and UTM.
  • It has built-in intrusion prevention to understand application behaviour and weaknesses.
  • It defends the network from viruses, phishing attacks, malware and intrusion.
  • Adaptive threat intelligence is delivered using Spotlight Secure, which consolidates threat feeds from various sources to provide actionable insight to the SRX gateway.
  • It combines the roles of router and firewall in one appliance, with switching capabilities.
  • Juniper uses the Junos Services Redundancy Protocol (JSRP) to set up two SRX gateways for high availability.

Fortinet Firewall

Fortinet NGFW works at high speed: it inspects encrypted traffic and identifies, isolates and defuses live threats. Fortinet also provides web filtering, sandboxing, anti-virus and intrusion prevention system (IPS) capabilities, and performs high speed secure sockets layer (SSL) or transport layer security (TLS) inspection. Policies are enforced consistently using central policy and device management with zero touch deployment.

What is common between the Juniper SRX firewall and the Fortinet firewall?

  • Secure routing, where traffic is inspected to determine whether it is legitimate before being forwarded across the network

Comparison: Juniper SRX firewall vs Fortinet Firewall

Architecture
  • Juniper SRX: Modular architecture using the Junos operating system, which is used across Juniper devices for a consistent and scalable platform.
  • Fortinet: Proprietary operating system known as FortiOS, which integrates a range of security features into a single platform.

Security Features
  • Juniper SRX: Advanced threat protection (ATP), intrusion prevention system (IPS), VPN and unified threat management (UTM) capabilities.
  • Fortinet: Consolidation of various security capabilities into a single device, primarily unified threat management (UTM), plus antivirus, antispam, web filtering and application control. Proactive security measures such as threat intelligence and analytics.

Performance
  • Juniper SRX: High performance hardware meant for demanding enterprise environments; scales to handle network traffic load and security demands.
  • Fortinet: High performance firewalls in terms of throughput and latency; focus on consolidating security functions to optimize performance and ease of management.

User Interface
  • Juniper SRX: User interface available through the Junos Space platform, valued for its simplicity and ease of use; intuitive interface for administrators.
  • Fortinet: User friendly interface and the FortiManager central management system for centralized control of devices; visualizations and dashboards for network monitoring and security events.

Scalability
  • Juniper SRX: Emphasis on scalability; ideal for both small and large enterprises. Modular architecture allows additional functionality to be added as the network grows.
  • Fortinet: Designed with scalability in mind, with appliances to cater for all network sizes; consolidation of multiple security functions into a single device offers scalability.

Configuration Mode
  • Juniper SRX: Supports the configuration commit method to deploy changes; changes can be staged and committed later as desired.
  • Fortinet: Uses a configuration tree; on exiting a branch of the tree the changes are committed.

Commit Rollback Feature
  • Juniper SRX: Commit rollback to a pre-existing state is supported.
  • Fortinet: Does not support commit rollback.

IPv6 Support
  • Juniper SRX: Better support for IPv6 and the routing-based feature DVMRP.
  • Fortinet: IPv6 is supported along with other features like DHCPv6.

SSL VPN Support
  • Juniper SRX: Requires another appliance to be purchased for SSL VPN termination.
  • Fortinet: Supports SSL VPN on the appliance.

Integral Wireless Controller
  • Juniper SRX: Supports wireless LAN control on large branch models or bigger appliances, with a limited AP count.
  • Fortinet: All FGT models support some type of integral WLC, with limited support for APs and wireless tunnelling.

Shell Access
  • Juniper SRX: Supports a Unix shell.
  • Fortinet: Does not support a Unix shell.

Security Policies
  • Juniper SRX: Uses the concept of zones; policies are built from one zone to another.
  • Fortinet: Uses port-based policies, built from one port to another port.

FortiAnalyzer vs Panorama: Detailed Comparison
https://networkinterview.com/fortianalyzer-vs-panorama/ (Mon, 16 Jun 2025 07:04:35 +0000)

Centralized management and analysis of network devices is one of the vital requirements of enterprise networks. Monitoring individual network components in larger networks brings a lot of overhead in terms of skills, resources and expertise, and is not a viable solution where devices number in the hundreds and thousands. Centralized management reduces complexity by simplifying the configuration, deployment and management of network security products.

Today we look in more detail at the comparison FortiAnalyzer vs Panorama, to understand their purpose, capabilities and key differences.

What is FortiAnalyzer?

FortiAnalyzer is a centralized network security management solution with logging and reporting capabilities for Fortinet network devices at the Security Fabric layer. It performs functions such as viewing and filtering individual event logs, generating security reports, managing event logs, alerting on suspicious behaviour, and investigating activity via its drill-down feature.

FortiAnalyzer can orchestrate security tools, people and processes for streamlined execution, incident analysis and response. It can automate workflows and trigger actions with playbooks, connectors and event handlers, and respond in real time to network security attacks, vulnerabilities and warnings of suspected compromise.

What is Panorama?

Palo Alto Panorama is a centralized management platform that gives insight into network-wide traffic logs and threats. It reduces complexity by simplifying the configuration, management and deployment of Palo Alto network security devices. Panorama provides a graphical summary of the applications on the network, their users and the potential security impact.

You can deploy enterprise-wide policies along with local policies for flexibility. Delegation of appropriate levels of administrative control at the network device level and role-based access management are available, as are central analysis of logs, investigation and reporting on network traffic, security incidents and notifications.

Comparison: FortiAnalyzer vs Panorama

Deployment
  • FortiAnalyzer: Deployed as a hardware appliance or physical device in on-premises environments.
  • Panorama: Deployed as a virtual appliance on premises or as a cloud-based solution.

Compatibility
  • FortiAnalyzer: Provides multi-vendor support with broader compatibility for devices from different vendors. It can collect and analyze logs from various network devices such as firewalls, routers and switches from diverse manufacturers.
  • Panorama: Focused mainly on Palo Alto network devices, with more extensive features and integrations for Palo Alto's own range of products; it does, however, offer some multi-vendor support.

Reporting and Analytics
  • FortiAnalyzer: Robust reporting and analytical capabilities including real-time monitoring dashboards, log searching and historical reports, with built-in threat intelligence and event correlation.
  • Panorama: Advanced analytics, reporting and troubleshooting functionality with custom reporting templates and visualization of network traffic, including detailed user and application analysis.

Management and Scalability
  • FortiAnalyzer: Ideal for small and medium size networks.
  • Panorama: Ideal for large, distributed, complex networks, with centralized management of multiple firewalls and network devices.

Security Ecosystem Integration
  • FortiAnalyzer: Integrates with the Fortinet security ecosystem; seamless sharing of threat intelligence and security policies across Fortinet network devices.
  • Panorama: Integrates with the Palo Alto Networks security ecosystem to provide enhanced visibility and control over Palo Alto's network security products.

Functionality
  • FortiAnalyzer: A central logging device meant for Fortinet devices. It stores all traffic the network device is configured to send, up to the maximum disk space on the unit.
  • Panorama: Essentially FortiManager + FortiAnalyzer combined. It can be dedicated to logging (log collector), but in a simple setup it has both roles.

Firewall vs NGFW vs UTM: Detailed Comparison
https://networkinterview.com/firewall-vs-ngfw-vs-utm-detailed-comparison/ (Wed, 11 Jun 2025 12:03:34 +0000)

In today's article we will understand the difference between traditional firewalls, next generation firewalls (NGFW) and unified threat management (UTM), and their key features.

Firewalls sit at the network entry point and provide protection against malicious threats originating from the public network or Internet. A traditional or simple firewall is a stateful filtering security device which scans incoming packets and accepts or rejects them.

Next generation firewalls (NGFW) are the advanced cousins of traditional firewalls: they not only scan data entering the network but also provide additional features which a traditional firewall does not have. They integrate other security features such as malware protection, intrusion prevention and URL filtering, thanks to their capability to operate at the application layer.

Unified threat management (UTM) is an advanced security system that unifies the security features of a traditional firewall, intrusion prevention, anti-malware protection, content filtering and VPN, all delivered from a single platform.

What is a Firewall

Traditional firewalls operate at layer 3 (the network layer) of the OSI model and provide filtering based on IP address, protocol and port number. A firewall is a basic network security device which sits at the network perimeter and protects against malicious traffic trying to enter an organization's network. Its basic functionality is a set of rules which determine whether traffic is accepted, rejected or dropped.

What is an NGFW

NGFWs are the successors of traditional firewalls, designed to handle advanced security threats in addition to the features of a traditional firewall by operating at the network and application layers (layers 3-7) of the OSI model. Stateful inspection and packet filtering are borrowed and carried forward from traditional firewalls, with the added capability to filter traffic based on applications and perform deep packet inspection.

What is UTM

Unified threat management (UTM) is a comprehensive threat management solution whose need arose from the expanding threat landscape over the years. As the severity of cyber threats increased, the need was felt for a single defense system which manages complete network security under its umbrella, including hardware, virtual and cloud devices and services. UTM devices are placed at key positions in the network to monitor, manage and nullify threats. UTM devices have anti-malware, intrusion detection and prevention, spam filtering, VPN and URL filtering capabilities.

Comparison: Firewall vs NGFW vs UTM

Inspection
  • Firewall: Stateful inspection based on IP address, port and protocol.
  • NGFW: Stateful inspection with support for analysing application layer traffic.
  • UTM: Available as a hardware appliance, software or cloud-based service; provides multiple security features under one platform.

OSI layer
  • Firewall: Operates at layer 3 (network layer) of the OSI model.
  • NGFW: Operates at the network and application layers of the OSI model.
  • UTM: Operates at multiple layers (network to application) of the OSI model.

Threat intelligence
  • Firewall: No threat intelligence; filters packets based on a rule set.
  • NGFW: Centralized database of threats that is constantly updated.
  • UTM: Uses threat intelligence feeds and databases to keep updated on the latest threats.

Packet filtering
  • Firewall: Incoming and outgoing packets are evaluated before entering / leaving the network.
  • NGFW: Deep inspection of each packet, including its source, not just the packet header as with traditional firewalls.
  • UTM: Basic packet filtering alongside other advanced security features such as web filtering.

Application awareness
  • Firewall: Not application aware, as it operates at lower layers.
  • NGFW: Application aware; application-specific rules can be set up.
  • UTM: Application aware security appliance.

Intrusion prevention
  • Firewall: Not supported.
  • NGFW: Actively blocks and filters intrusion traffic from malicious sources.
  • UTM: Actively blocks and filters intrusion traffic from malicious sources.

Reporting
  • Firewall: Basic reporting only.
  • NGFW: Comprehensive reporting.
  • UTM: Medium reporting capability.

Ideal for
  • Firewall: Network perimeter protection and internal network segmentation.
  • NGFW: Complex and large enterprises.
  • UTM: Small and medium businesses looking for simple, comprehensive security capabilities in a single bundle.

Examples
  • Firewall: iptables / pfSense (basic config), Cisco ASA (older versions), Juniper SRX (basic mode)
  • NGFW: Palo Alto Next-Gen Firewall, Fortinet FortiGate NGFW, Cisco Firepower NGFW, Check Point NGFW
  • UTM: Sophos XG Firewall (UTM mode), Fortinet FortiGate (UTM mode), SonicWall UTM, WatchGuard Firebox

What is a DNS Rebinding Attack?
https://networkinterview.com/dns-rebinding-attack/ (Wed, 04 Jun 2025 10:33:07 +0000)

A DNS rebinding attack tricks a browser into bypassing the same-origin policy, allowing attackers to access internal networks or devices through malicious DNS responses.

In networking, systems are addressed with a unique numerical value known as an IP address. The IP address is used to locate a system in the network and is the basis of communication between systems. However, an IP address alone is not enough, as it is difficult to remember, so each IP address has an associated host name. DNS, the domain name system, maps this host name to its corresponding IP address. DNS servers and services are prone to a variety of cyber attacks; DNS rebinding is one such mechanism.

In today's topic we will learn about the DNS rebinding attack, how rebinding attacks work, and mitigation and preventive measures against them.

DNS Rebinding Attack

A DNS rebinding attack leverages the fact that when an exploit such as cross site scripting (XSS) compromises a domain, the domain's name server is also hijacked. In DNS rebinding attacks the DNS requests go to a specially crafted website, by sending requests to the name servers of the compromised domain rather than to the address of the legitimate website. All traffic sent to the different IP addresses is relayed back to the web server, even if it is not a malicious URL or anything else commonly used in phishing scams and other kinds of online attacks.

When a DNS rebinding attack happens there is no control over the nameserver, and all requests to resolve the hostname are redirected to an alternate nameserver under the attacker's control. Sometimes end users are tricked through phishing websites created on these sites, and all traffic redirected to the hijacked URL is sent back to the original server, which forces phishing pages on users as a result.

DNS rebinding attacks let attackers access sensitive information such as credentials and confidential emails. 

How DNS Rebinding Attack works

A DNS rebinding attack bypasses security controls and policies which restrict someone from accessing a network device they are not authorized to access over the network.

  1. The attacker creates an A record in DNS for their hostname pointing to their Internet-facing web server. The TTL (time to live) of the record is set to a very short time, such as a few seconds.
  2. The user visits the malicious hostname.
  3. The attacker changes the DNS A record of that hostname to point to the target IP address.
  4. The JavaScript component in the malicious website tries to connect to the malicious hostname again, but since the TTL is set to a low value, the user's system makes a new DNS request for the malicious hostname. This time the IP address resolves to the address set by the attacker in step 3.

The attacker can also create a CNAME record to an internal hostname to rebind their hostname to the internal hostname. DNS rebinding can thus be used to circumvent the same-origin policy. Internal websites are more exposed to such attacks because they host sensitive information; they usually do not use HTTPS, so there are no SSL mismatch errors that could hamper the attack.

DNS rebinding can be used to target web servers or any other network devices. 

Mitigation & Prevention of DNS Rebinding Attacks

DNS pinning is one common technique to prevent these attacks: the browser ignores the TTL of DNS records and applies its own TTL. This can however be bypassed as well if the attacker implements a firewall in front of the web server.

Another way to protect web servers from rebinding attacks is to configure the web server to check the HTTP Host header of incoming requests. If the Host header does not match, the request is dropped. The firewall can also be configured to prevent external host names from resolving to internal IP addresses.
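The two defensive checks just described, as an added Go example that is not part of the original article: a web-server Host header check that rejects requests not addressed to the service's own names (after a rebind the browser still sends the attacker's hostname, so the check fails it), and a resolver-side check that flags an external name whose DNS answer is an internal address. The hostnames, internal zones and IP addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
)

// Constructed demo values: the only names this internal service answers to,
// and the DNS zones that may legitimately resolve to internal addresses.
var (
	allowedHosts  = map[string]bool{"intranet.example.internal": true, "localhost": true}
	internalZones = []string{"example.internal", "localhost"}
)

// NormalizeHost lower-cases a Host header and strips any port and trailing
// dot, so "Intranet.Example.Internal:8080" matches the configured name.
func NormalizeHost(hostHeader string) string {
	h := strings.ToLower(strings.TrimSpace(hostHeader))
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	return strings.TrimSuffix(h, ".")
}

// HostAllowed is the web-server mitigation: only requests whose Host header
// names this service are accepted; a rebound attacker hostname is rejected.
func HostAllowed(hostHeader string, allowed map[string]bool) bool {
	return allowed[NormalizeHost(hostHeader)]
}

// RequireKnownHost wraps a handler so that mismatched Host headers get 400.
func RequireKnownHost(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !HostAllowed(r.Host, allowed) {
			http.Error(w, "unrecognised Host header", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// IsInternalIP reports whether ip is an address an external name should
// never resolve to: loopback, RFC 1918 / ULA private, link-local, unspecified.
func IsInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// RebindingSuspect is the resolver/firewall-side mitigation: given the A/AAAA
// answers for a name, report true when a name outside the internal zones
// resolves to an internal address, which is the signature of a rebind.
func RebindingSuspect(name string, answers []net.IP, internalZones []string) bool {
	n := strings.TrimSuffix(strings.ToLower(name), ".")
	for _, zone := range internalZones {
		// Exact match or a label boundary; "evillocalhost" must not pass as "localhost".
		if n == zone || strings.HasSuffix(n, "."+zone) {
			return false
		}
	}
	for _, ip := range answers {
		if IsInternalIP(ip) {
			return true
		}
	}
	return false
}

func main() {
	// Resolver-side check on a constructed DNS answer for an external name.
	answer := []net.IP{net.ParseIP("10.0.0.5")}
	fmt.Println("rebind suspect:", RebindingSuspect("attacker.example.com", answer, internalZones))

	// Internal service protected by the Host header check.
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "internal admin page")
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", RequireKnownHost(allowedHosts, app)))
}
```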

How to configure IPS on FortiGate firewall
https://networkinterview.com/how-to-configure-ips-on-fortigate-firewall/ (Thu, 29 May 2025 13:17:17 +0000)

To configure IPS on a FortiGate firewall, enable an IPS sensor in the relevant security policy. Then, apply or customize the sensor under Security Profiles > Intrusion Prevention.

Intrusion prevention systems (IPS) provide security for networks and the hosts within them. They can detect and block network-based attacks. IPS sensors can be built from IPS signatures, IPS patterns and IPS filters. Many vendors provide separate hardware or software for IPS functionality; however, certain high-end firewall providers bundle IPS capability into the firewall box itself, which then becomes a complete threat management solution.

In today's topic we will learn how to configure intrusion prevention (IPS) on a FortiGate firewall.

What is FortiGate Firewall IPS

FortiGate intrusion prevention is designed to provide real-time threat protection for networks. It uses signature-based and anomaly-based detection techniques to detect and prevent security threats. FortiGate applies intrusion prevention in a variety of operational modes. All three modes have their own benefits and limitations; which one to choose depends on the placement.

  • L3 (NAT/route mode): In this mode FortiGate is placed in an L3 network where traffic is routed. IP addresses are configured statically or dynamically on each interface. MAC based policies are applicable for the IPS policy source address in NAT/route mode.
  • Virtual wire mode: In this mode it is deployed between two network segments. It operates like a virtual wire and does not perform routing or NAT.
  • Transparent mode: In this mode it acts like a bridge. All interfaces in the same VDOM are in the same L2 forwarding domain.

Configuring IPS on FortiGate Firewall

To configure IPS on a FortiGate firewall:

Step 1

Choose Endpoint Policy > Infranet Enforcer

Step 2

Click on New Infranet Enforcer and select FortiGate firewall as the platform from the drop down.

Provide the name of the Infranet Enforcer: 'FortiGate 12D'

Enter the FortiGate firewall IP address

Enter the shared secret

Enter the port number

Step 3

Click on Save Changes and create policies on the FortiGate firewall for enforcement of traffic.

FortiGate has IPS sensors, which are collections of IPS signatures and filters that define what the IPS engine will scan when the sensor is applied. An IPS sensor can contain multiple signatures or filters. Custom IPS signatures can also be created and applied to an IPS sensor.

Step 4

From the Security Profiles > Intrusion Prevention pane, create a new sensor or view the list of predefined sensors. FortiOS has a predefined list of sensors with associated signatures.

Predefined IPS sensors and their descriptions:

  • all_default: Filters all predefined signatures, setting the action to the signature's default action.
  • all_default_pass: Filters all predefined signatures and sets the action to monitor / pass.
  • default: Filters all predefined signatures with Critical/High/Medium severity and sets the action to the signature's default action.
  • high_security: Filters all predefined signatures with Critical/High/Medium severity and sets the action to block. Low severity signatures keep the default action.
  • protect_client: Filters on Target=Client for protection from client-side vulnerabilities, setting the action to the default action.
  • protect_email_server: Filters on Target=Server and Protocol=IMAP, POP3 or SMTP for protection from email server-side vulnerabilities. Sets the action to the signature's default action.
  • protect_http_server: Filters on Target=Server and Protocol=HTTP for protection from HTTP server-side vulnerabilities. Sets the action to the signature's default action.
  • wifi-default: Filters all predefined signatures with Critical/High/Medium severity. Sets the action to the default action. Meant for offloading Wi-Fi traffic.

The IPS engine does not examine traffic against every signature by default; it examines traffic only for the signatures included in the IPS sensor applied to a policy. You therefore need to create (or select) an IPS sensor, specify which signatures or filters it uses, and apply it to a firewall policy.

Step 5

To view IPS sensors go to Security Profiles 🡪 Intrusion Prevention; to create a new sensor click ‘New’.

Step 6

Under IPS Signatures and Filters, click Create New to add a set of IPS signatures or a set of IPS filters to the sensor.

IPS sensors can be created for specific types of traffic. FortiGuard periodically adds new predefined signatures to counter new threats; a sensor that uses filters picks these up automatically whenever a new signature matches the filter’s criteria, whereas a sensor built from individually selected signatures does not.
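The same build-and-apply sequence expressed in the FortiOS CLI, as an added example that is not part of the original article: a filter-based sensor that blocks Critical/High server-side HTTP signatures, applied to an inbound policy. The interface names, the address object "web-servers", the policy ID and the sensor name are assumptions; lines beginning with # are annotations.

```fortios
# Added example. Assumed: interfaces wan1/dmz, address object "web-servers", policy 10.
config ips sensor
    edit "protect_web_servers"
        set comment "Block critical/high server-side HTTP signatures"
        config entries
            edit 1
                # Filter entry (not a fixed signature list): new FortiGuard
                # signatures matching location/severity/protocol are picked up
                # automatically at the next signature update.
                set location server
                set severity high critical
                set protocol HTTP
                set status enable
                set action block
                set log enable
                set log-packet enable
            next
        end
    next
end

config firewall policy
    edit 10
        set name "inbound-to-web-servers"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web-servers"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        # IPS inspects HTTP in the clear. With certificate-inspection only,
        # HTTPS payloads are NOT scanned; a deep-inspection profile (with the
        # server certificate/key or a CA the clients trust) is required for that.
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "protect_web_servers"
        set logtraffic all
    next
end

# Verify what was committed
show ips sensor protect_web_servers
show firewall policy 10
```

The sensor is only active for traffic that actually hits policy 10; traffic matched by an earlier policy without an ips-sensor is not inspected, so check policy order after applying it.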

]]>
https://networkinterview.com/how-to-configure-ips-on-fortigate-firewall/feed/ 0 22101
Endpoint Detection and Response (EDR) vs. Network Detection and Response (NDR): Which is Right for Your Organization? https://networkinterview.com/endpoint-vs-network-detection-and-response/ https://networkinterview.com/endpoint-vs-network-detection-and-response/#respond Tue, 20 May 2025 12:44:21 +0000 https://networkinterview.com/?p=22064 Endpoint Detection and Response focuses on monitoring and responding to threats on individual devices like laptops and servers. Whereas, Network Detection and Response monitors network traffic to detect and respond to threats across the entire network infrastructure.

Threats and vulnerabilities are permanent companions in the IT landscape, and various security solutions have emerged to protect the perimeter and digital assets. The cyber threat landscape is vast, complex and constantly evolving, and handling it effectively requires specialized tools and technologies that evolve with it.

In today’s article we look at the differences between endpoint detection and response (EDR) and network detection and response (NDR) tools, their key features, key differences and use cases.

What is Endpoint Detection and Response (EDR)

Endpoint detection and response tools focus, as the name suggests, on endpoints: workstations, servers, laptops, mobiles and other mobile assets. They provide real-time monitoring, detection and blocking of threats with advanced detection capabilities, identify malware and other malicious activity on devices, and support rapid incident response. EDR solutions also provide threat hunting, discovery of malicious activity and its containment, to prevent incidents and reduce the attack surface.


Features of EDR

  • Real time visibility into activities happening on endpoints 
  • Wide range of threat detection techniques being used such as anomaly detection, heuristics and scans based on threat signatures
  • Rapid incident response: isolation of suspect endpoints, blocking of malicious content and threat remediation with minimal or no impact on operations
  • Proactive threat hunting is supported to identify hidden threats and potential vulnerabilities on endpoints 

What is Network Detection and Response (NDR)

Network detection and response (NDR), as the name suggests, focuses on network traffic. Traffic is monitored continuously to build a baseline of normal network behaviour; when activity outside the baseline is detected, a potential threat is recorded and notified. NDR tools collect and analyze network data with machine learning techniques to detect potential threats. Because detection is based on deviation from the learned baseline rather than on signatures, it can catch unusual traffic for which no signature exists yet.


Features of NDR

  • Capturing network packets and analyzing them for their content for unusual behaviour detection, threat identification with deep packet inspections
  • Behaviour analytics to establish normal network traffic baseline
  • Continuous monitoring of network traffic for anomaly detection such as unusual high data transfers, multiple login attempts and suspected breach indicated with data flows
  • Integration with threat intelligence feeds, so that observed traffic can be matched against known indicators of compromise, including ones sourced from dark web monitoring
  • Network traffic analysis in real time using machine learning and AI algorithms
  • On detection of suspicious activity real time threat alerts are generated 
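Two of the NDR behaviours listed above, a per-host volume baseline and a lateral-movement (fan-out) check, as an added example that is not code from the original article or from any NDR product. The flow records are constructed for the example and the record layout (day, source, destination, destination port, bytes out) is an assumption; a real deployment would feed NetFlow/IPFIX or Zeek conn logs into the same functions.

```python
"""Added example (not part of the original article): an NDR-style
baseline-and-deviation pass over flow records. The flow records are
constructed for this example; the field layout is an assumption."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, src_ip, dst_ip, dst_port, bytes_out).
# Days 1-6 form a quiet baseline for two workstations.
FLOWS = []
for day in range(1, 7):
    FLOWS += [
        (day, "10.0.1.10", "10.0.5.20", 445, 2_000_000),     # file server
        (day, "10.0.1.10", "203.0.113.8", 443, 40_000_000),  # SaaS upload
        (day, "10.0.1.11", "10.0.5.20", 445, 1_500_000),
        (day, "10.0.1.11", "203.0.113.8", 443, 38_000_000),
    ]
# Day 7: 10.0.1.10 pushes 900 MB out, 10.0.1.11 fans out over SMB to 12 hosts.
FLOWS += [
    (7, "10.0.1.10", "203.0.113.8", 443, 900_000_000),
    (7, "10.0.1.10", "10.0.5.20", 445, 2_000_000),
    (7, "10.0.1.11", "203.0.113.8", 443, 37_000_000),
]
FLOWS += [(7, "10.0.1.11", f"10.0.5.{n}", 445, 50_000) for n in range(20, 32)]

BASELINE_DAYS = {1, 2, 3, 4, 5, 6}


def daily_bytes_out(flows):
    """Sum bytes sent per source host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, _port, nbytes in flows:
        totals[src][day] += nbytes
    return totals


def volume_anomalies(flows, baseline_days=BASELINE_DAYS, z=3.0):
    """Hosts whose daily bytes-out on a non-baseline day exceeds
    baseline mean + z * stdev. Returns (host, day, bytes, baseline_mean)."""
    findings = []
    for host, per_day in daily_bytes_out(flows).items():
        base = [per_day[d] for d in sorted(baseline_days) if d in per_day]
        if len(base) < 2:
            continue  # not enough history to baseline this host
        mu, sigma = mean(base), pstdev(base)
        # A perfectly flat baseline gives sigma == 0; fall back to 10% of the
        # mean so a constant history still yields a usable threshold.
        spread = sigma if sigma > 0 else 0.1 * mu
        for day, nbytes in per_day.items():
            if day not in baseline_days and nbytes > mu + z * spread:
                findings.append((host, day, nbytes, round(mu)))
    return findings


def smb_fanout(flows, day, max_peers=5):
    """Hosts talking to more than max_peers distinct internal hosts on
    TCP/445 in one day: the lateral-movement pattern NDR looks for."""
    peers = defaultdict(set)
    for d, src, dst, port, _nbytes in flows:
        if d == day and port == 445 and dst.startswith("10."):
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) > max_peers}


if __name__ == "__main__":
    for host, day, nbytes, mu in volume_anomalies(FLOWS):
        print(f"volume: {host} day {day} sent {nbytes:,} bytes (baseline {mu:,})")
    for host, n in smb_fanout(FLOWS, day=7).items():
        print(f"fan-out: {host} reached {n} internal hosts on SMB on day 7")
```

Note the two different failure modes the thresholds have to survive: a host with a perfectly regular history has a standard deviation of zero (so any increase would trip a pure z-score), and a host that fans out over SMB moves very few bytes, so a volume baseline alone never sees it.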

Comparison: EDR vs NDR

Below table summarizes the differences between the two:

Features / EDR (Endpoint Detection and Response) / NDR (Network Detection and Response)

Scope
  EDR: Primarily meant for endpoints such as workstations, laptops, mobile devices etc.
  NDR: Primarily meant for networks

Function
  EDR: Threat detection and response for endpoints
  NDR: Monitoring of network traffic for detecting threats and anomalies

Features
  EDR: continuous data collection at endpoints; threat detection and real-time alerting; behaviour analytics and automatic remediation; integration with threat databases to enrich identification of the threat landscape (recognition of malware, suspicious IP addresses etc.)
  NDR: deep packet inspection; anomaly detection and protocol decoding; traffic analysis and alerting on threats; ML and AI based insights to help identify new threat actors

Use cases
  EDR: organizations seeking granular security and incident response capabilities on endpoints; detection of malware, ransomware and vulnerabilities
  NDR: visibility, threat detection and response for organizations focusing on network security; protection from insider threats and lateral movement

Benefits
  EDR: focused approach towards endpoint security; threat detection and auto-remediation
  NDR: focused approach towards network security; real-time threat detection and response

Response mechanism
  EDR: Isolation of compromised endpoints
  NDR: Blocking of malicious network activity

Data sources
  EDR: Activity logs from agents deployed on endpoints
  NDR: Network sensors deployed to analyze network traffic

Identity and access management
  EDR: Basic identity integration supported
  NDR: No direct involvement


]]>
https://networkinterview.com/endpoint-vs-network-detection-and-response/feed/ 0 22064
5 DNS Attack Types and How to Prevent Them https://networkinterview.com/5-dns-attack-types/ https://networkinterview.com/5-dns-attack-types/#respond Thu, 27 Mar 2025 12:09:13 +0000 https://networkinterview.com/?p=21738 DNS (Domain Name System) operates at the application layer of the OSI model in traditional networking. DNS is a very important protocol and the backbone of the Internet: it translates human-readable domain names to their corresponding numeric IP addresses, which computers worldwide use to locate the services and devices available. Its ubiquity also drew the attention of bad actors, and DNS has become a common target for attacks in the cyber world.

In today’s topic we will learn about different types of DNS attacks and measures to mitigate them. 

What are DNS Attacks?

DNS attacks have been on the rise for quite some time. A 2024 DNSFilter report showed DNS-based phishing attacks rising by 106%, and as these attacks get worse, enterprises and individuals need to take them seriously: they lead to data loss, ransom demands and reputational damage. In a DNS attack, hackers exploit DNS weaknesses to:

  • Traffic redirection to malicious websites changing DNS records 
  • Overwhelm DNS servers with too many requests in short span of time to cause service disruptions
  • Trick users into visiting fake websites to steal credentials, passwords etc.

Types of DNS Attacks

DNS Cache Poisoning (DNS Spoofing)

Attackers redirect users to malicious websites by manipulating the cache of a DNS resolver. They exploit vulnerabilities in DNS software, or intercept DNS queries and inject false records into the cache, so that legitimate domain names are mapped to attacker-controlled IP addresses and users are sent to counterfeit websites.

DNS spoofing sends users to sites they did not intend to visit, which results in phishing, malware distribution or theft of sensitive information. Implementing DNSSEC (Domain Name System Security Extensions) lets resolvers authenticate DNS data and reject tampered records. Other measures: configure resolvers securely (no open recursion, randomized source ports and transaction IDs), monitor and flush cache contents regularly, and deploy intrusion detection systems to detect and block spoofed responses.

DNS Amplification

DNS amplification abuses open DNS resolvers to generate a large volume of traffic aimed at the target. Attackers send small DNS requests to open resolvers with the source IP address spoofed to the victim’s address; the resolvers answer with much larger responses, all directed at the victim, and the amplified volume saturates the target network’s bandwidth.

Ingress filtering (BCP 38) is the effective mitigation against source address spoofing. Beyond that: configure DNS servers with response rate limiting, do not run open recursive resolvers, use traffic scrubbing services that filter malicious DNS traffic, keep DNS server configurations up to date and monitor DNS traffic for anomalous patterns.

DNS Tunnelling

DNS tunnelling bypasses network security controls by encapsulating unauthorized data in DNS queries and responses. Attackers use it to establish covert channels between victim systems and external servers under their control, enabling data exfiltration, command and control and malware propagation that would otherwise go undetected, because outbound DNS is allowed almost everywhere.

Monitor DNS traffic for anomalous patterns: unusually long or high-entropy query names, large numbers of unique subdomains under one domain, and uncommon record types such as TXT or NULL at high volume. Enforce query and response size limits, deploy intrusion detection and prevention systems to detect and block suspicious traffic, and use DNS firewall solutions and DNS traffic inspection to look for signs of tunnelling activity.

Distributed Denial of Service (DDoS) Attack

DDoS attacks flood DNS servers with malicious traffic, making them unreachable and disrupting name resolution. Attackers exploit DNS vulnerabilities and misconfigurations, and use botnets to generate DNS queries in high volumes, degrading the service until it becomes unavailable.

Mitigation: deploy DDoS mitigation services to detect and absorb volumetric attacks, distribute the query load across a distributed (anycast) DNS infrastructure, implement traffic filtering in collaboration with Internet service providers (ISPs), apply rate limiting, and maintain redundancy and failover so that resolution continues during an attack.

NXdomain Attack

NXDOMAIN attacks target DNS servers directly. The attacker floods the server with requests for names that do not exist; the server wastes time and resources answering them until it is overwhelmed and stops serving real requests, so users can no longer reach genuine websites. Rate limiting, including response rate limiting (RRL) and a cap on the number of requests a single source IP may send to the resolver, implemented in collaboration with Internet service providers, reduces the load and prevents the server from being overwhelmed.
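The detection side of the tunnelling and NXDOMAIN sections above, as an added example that is not code from the original article: a tunnelling heuristic (many distinct, long, high-entropy subdomains under one registered domain) and an NXDOMAIN-ratio check per client, run over constructed resolver log lines. The log format "<client_ip> <qname> <rcode>", the thresholds and the sample domains are assumptions; the registered-domain split is deliberately simplified and noted as such in the code.

```python
"""Added example (not part of the original article): two of the detection
heuristics named above, DNS tunnelling and NXDOMAIN flooding, run over
constructed resolver log lines. The line format "<client_ip> <qname> <rcode>"
is an assumption for this example; adapt parse() to your resolver's log."""
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(s):
    """Bits per character; random hex tops out near 4.0, words sit well below 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """(subdomain, registered_domain). Simplification: the registered domain
    is taken as the last two labels; production code should consult the
    Public Suffix List so that e.g. host.example.co.uk is handled."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse(lines):
    """Yield (client, qname, rcode) from the assumed log format."""
    for line in lines:
        client, qname, rcode = line.split()
        yield client, qname, rcode.upper()


def tunnel_suspects(lines, min_unique=5, min_len=20, min_entropy=3.0):
    """Registered domains whose subdomain labels look like encoded payload:
    many distinct subdomains whose leftmost label is long and high-entropy."""
    subs = defaultdict(set)
    for _client, qname, _rcode in parse(lines):
        sub, dom = split_name(qname)
        if sub:
            subs[dom].add(sub)
    suspects = []
    for dom, names in subs.items():
        if len(names) < min_unique:
            continue
        first = [n.split(".")[0] for n in names]
        avg_len = sum(map(len, first)) / len(first)
        avg_ent = sum(map(shannon_entropy, first)) / len(first)
        if avg_len >= min_len and avg_ent >= min_entropy:
            suspects.append(dom)
    return sorted(suspects)


def nxdomain_flooders(lines, min_queries=10, min_ratio=0.8):
    """Clients whose NXDOMAIN share suggests a random-subdomain flood.
    Returns {client: nxdomain_ratio}; these are rate-limiting candidates."""
    total, nx = Counter(), Counter()
    for client, _qname, rcode in parse(lines):
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx[client] += 1
    return {c: nx[c] / total[c] for c in total
            if total[c] >= min_queries and nx[c] / total[c] >= min_ratio}


def _hexlabel(seed, length):
    """Deterministic pseudo-random hex label for the constructed sample."""
    return hashlib.sha256(seed.encode()).hexdigest()[:length]


# Constructed sample: normal browsing, one tunnelling client, one NXDOMAIN flooder.
LOG = [
    "10.0.0.5 www.example.com NOERROR",
    "10.0.0.5 mail.example.com NOERROR",
    "10.0.0.5 api.example.com NOERROR",
    "10.0.0.5 cdn.example.com NOERROR",
    "10.0.0.5 login.example.com NOERROR",
    "10.0.0.5 typo.example.com NXDOMAIN",
]
LOG += [f"10.0.0.7 {_hexlabel(f'chunk{i}', 40)}.t.evil-example.net NOERROR"
        for i in range(8)]
LOG += [f"10.0.0.9 {_hexlabel(f'rnd{i}', 6)}.victim.example NXDOMAIN"
        for i in range(20)]

if __name__ == "__main__":
    print("tunnel suspects:", tunnel_suspects(LOG))
    print("NXDOMAIN flooders:", nxdomain_flooders(LOG))
```

The two checks are deliberately separate: the flooder’s short random labels never reach the tunnelling length threshold, and the tunnelling client’s queries all resolve (NOERROR), so neither check alone would catch both. Thresholds need tuning per environment; CDNs and some telemetry agents legitimately generate many unique subdomains.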

Comparison Table

Below table summarizes the difference between the 5 types of DNS attacks:

DNS Attack Types: Comparison

Definition
  DNS Spoofing: Attacker corrupts the DNS cache or responses to redirect users to malicious sites.
  DNS Amplification: Exploits open DNS resolvers to amplify traffic and overload a target.
  DNS Tunneling: Encodes data within DNS queries to bypass security controls.
  DDoS: Overwhelms a server/service with traffic from multiple sources.
  NXDomain Attack: Floods a DNS server with queries for non-existent domains.

Objective
  DNS Spoofing: Redirect users, steal credentials, or distribute malware.
  DNS Amplification: Generate massive traffic to a target using DNS resolvers.
  DNS Tunneling: Evade security measures to exfiltrate or infiltrate data.
  DDoS: Cause service disruption or take down a website/server.
  NXDomain Attack: Exhaust resources and slow down DNS resolution.

Attack Method
  DNS Spoofing: Alters DNS records (cache poisoning, MITM attack).
  DNS Amplification: Uses recursive DNS servers to send amplified responses to a target.
  DNS Tunneling: Uses covert channels via DNS queries and responses.
  DDoS: Uses botnets to flood a target with traffic.
  NXDomain Attack: Overloads the DNS server with requests for invalid domains.

Impact
  DNS Spoofing: Users unknowingly visit fake/malicious websites.
  DNS Amplification: Targeted service/server goes down due to high traffic.
  DNS Tunneling: Used for data exfiltration and command and control (C2) communication.
  DDoS: Website/server becomes slow or crashes.
  NXDomain Attack: Reduces DNS performance and availability.

Detection
  DNS Spoofing: Check DNS cache, validate responses with DNSSEC.
  DNS Amplification: Monitor for abnormal DNS response sizes and traffic spikes.
  DNS Tunneling: Monitor unusual DNS query patterns.
  DDoS: Traffic analysis and anomaly detection.
  NXDomain Attack: Monitor for excessive failed queries.

Prevention
  DNS Spoofing: Use DNSSEC, avoid open resolvers, implement secure DNS.
  DNS Amplification: Rate limit DNS responses, use BCP38 filtering.
  DNS Tunneling: Restrict outbound DNS traffic, use network monitoring tools.
  DDoS: Deploy firewalls, rate limiting, and botnet protection.
  NXDomain Attack: Implement rate limiting and response rate limiting (RRL).


]]>
https://networkinterview.com/5-dns-attack-types/feed/ 0 21738
Zero Trust Architecture: Why It’s Becoming a Security Standard https://networkinterview.com/zero-trust-architecture/ https://networkinterview.com/zero-trust-architecture/#respond Wed, 19 Mar 2025 11:52:57 +0000 https://networkinterview.com/?p=21729 As organizations move away from the traditional IT landscape to cloud computing, cloud-based assets and remote working, the old perimeter-based security model is no longer sufficient to protect data and sensitive systems. The modern security model is based on the principle of ‘trust no one’, which changes the way organizational assets are secured and used.

In today’s topic we will learn about the zero trust architecture approach, its need, how zero trust security is achieved and its benefits. 

What is  Zero Trust Architecture (ZTA)

The basic principle of zero trust architecture is ‘never trust, always verify’: stringent access controls and strong user authentication on every request. It helps organizations improve their cyber defenses and reduce network complexity. The concept of pre-authorized (implicit) user access no longer exists in a zero trust architecture.

With the spread of cloud computing and the disappearance of physical boundaries, enterprise networks have become more complex, and implementing several layers of security is hard to manage and maintain. Traditional perimeter-based security is no longer adequate. Zero trust architecture helps organizations build policy-based access, with stringent access controls meant to prevent lateral movement across the network. User policies can be defined based on location, device and role requirements.

How Zero Trust works

Zero trust works by combining encryption, access control, next-generation endpoint security, identity protection and the protection of cloud workloads. The principles below, drawn from NIST SP 800-207, are the basis of a zero trust architecture:

  • Access to resources is granted per organization policy, taking into account factors such as the user, the user’s IP address, operating system and location.
  • Every individual request for corporate network or resource access is authenticated securely.
  • Authenticating a user or device does not by itself grant access to resources.
  • All communication is encrypted and authenticated.
  • Servers, endpoints and mobile devices are secured with zero trust principles; together they are treated as corporate resources.

How to implement Zero Trust Architecture?

The very first step is to define the attack surface: identify what you need to protect and in which areas. Based on this you deploy policies and tools across the network, with the focus on protecting your digital assets.

Define Attack Surface 

  • Sensitive data – the organization collects and stores what kind of sensitive data such as employees and customers personal information 
  • Critical applications – used by the business to run its operations or meant for customers
  • Physical assets – IoT devices, POS devices any other equipment
  • Corporate services – all internal infrastructure meant to provide day to day operations  

Implement controls around network traffic 

Trace how requests are routed within the network, for example access to a corporate database that is critical to the business, so that the access path itself can be secured. Understanding the network architecture helps you place network controls where they are relevant.

Create a Zero-Trust Policy 

Use the Kipling method to define the zero trust policy: who, what, when, where, why and how must be thought through for every user and device.

  • Architect a zero-trust network 
  • Use a firewall to implement segmentation within the network. 
  • Use multi-factor authentication to secure users 
  • Eliminate implicit trust 
  • Consider all components of organization infrastructure in zero-trust implementation scope such as workstations, servers, mobile devices, IoT devices, supply chain , cloud etc.
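A zero trust policy in the Kipling shape, evaluated per request, as an added example that is not code from the original article or from NIST SP 800-207: every request is decided on its own attributes (who, what, when, where, why, how), the default is deny, and a previous allow carries no weight because the evaluator keeps no state. The policy table, the attribute names and the sample values are assumptions for the example.

```python
"""Added example (not part of the original article): a stateless per-request
policy check written in the who/what/when/where/why/how shape. The policy
table, attribute names and sample values are assumptions for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Request:
    user: str               # who
    roles: frozenset        # who: entitlements asserted by the identity provider
    resource: str           # what is being accessed
    action: str             # what is being done
    when: datetime          # when (timezone-aware)
    src_country: str        # where the request originates
    purpose: str            # why (free-text justification; logged, not evaluated here)
    device_id: str          # how: which device
    mfa_verified: bool      # how: step-up completed for this request
    device_managed: bool    # how: posture reported by the endpoint agent
    device_patched: bool


# Per-resource rules. None means "no restriction" for that dimension.
POLICY = {
    "hr-db": {
        "roles": {"hr-analyst", "hr-admin"},
        "actions": {"read", "write"},
        "countries": {"US", "GB"},
        "utc_hours": range(6, 20),
        "require_mfa": True,
        "require_managed_device": True,
    },
    "wiki": {
        "roles": {"employee", "hr-analyst", "hr-admin"},
        "actions": {"read"},
        "countries": None,
        "utc_hours": None,
        "require_mfa": False,
        "require_managed_device": False,
    },
}


def evaluate(req, policy=POLICY):
    """Decide one request. Deny by default: a resource with no rule is denied,
    and every unmet condition is reported so the denial is explainable."""
    rule = policy.get(req.resource)
    if rule is None:
        return "deny", ["no policy for resource"]
    failed = []
    if not (req.roles & rule["roles"]):
        failed.append("role")
    if req.action not in rule["actions"]:
        failed.append("action")
    if rule["countries"] is not None and req.src_country not in rule["countries"]:
        failed.append("location")
    if rule["utc_hours"] is not None and req.when.astimezone(timezone.utc).hour not in rule["utc_hours"]:
        failed.append("time")
    if rule["require_mfa"] and not req.mfa_verified:
        failed.append("mfa")
    if rule["require_managed_device"] and not (req.device_managed and req.device_patched):
        failed.append("device posture")
    return ("allow", []) if not failed else ("deny", failed)


def sample_request(**overrides):
    """A baseline request that satisfies the hr-db rule; override fields to test denials."""
    fields = dict(
        user="alice", roles=frozenset({"hr-analyst"}), resource="hr-db", action="read",
        when=datetime(2025, 5, 1, 14, 0, tzinfo=timezone.utc), src_country="US",
        purpose="monthly headcount report", device_id="lt-0042",
        mfa_verified=True, device_managed=True, device_patched=True,
    )
    fields.update(overrides)
    return Request(**fields)


if __name__ == "__main__":
    print(evaluate(sample_request()))
    print(evaluate(sample_request(mfa_verified=False)))
    print(evaluate(sample_request(src_country="BR", device_patched=False)))
```

The evaluator returns every failed dimension rather than stopping at the first, which is what the monitoring stage later needs: a log of "denied: location, device posture" is far more useful for hunting than a bare deny.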

Monitor the Network 

Once a network is secured using zero trust architecture it is important to monitor it. 

Reports, analytics and logs are the three major components of monitoring. Reports summarize data about systems and users and can indicate anomalous behaviour. Analytics on the data collected by systems give insight into user behaviour and performance. Logs produced by the devices in your network record all kinds of activity; they can be analyzed in a SIEM tool to detect anomalies and patterns.

]]>
https://networkinterview.com/zero-trust-architecture/feed/ 0 21729
Top 10 TPRM Tools https://networkinterview.com/top-10-tprm-tools/ https://networkinterview.com/top-10-tprm-tools/#respond Tue, 11 Mar 2025 15:59:29 +0000 https://networkinterview.com/?p=21692 With the increased penetration of cloud computing, AI and machine learning, cyber security incidents are on the rise. Organizations are working to reduce the risks associated with new technologies while striking a balance between business growth and data security. Third-party risk management is among the top 3 risks in Gartner’s 2024 risk report.

Every organization, small, medium or large, is affected by third-party risk. The risk has grown sharply as more and more providers build AI technologies into their products, which raises privacy as well as security concerns.

In today’s topic we will learn about top 10 TPRM Tools (third party risk management tools) available in the market.

List of TPRM Tools

Upguard 

UpGuard has seven key features to detect threats at multiple levels. It covers security risks associated with Internet-facing third-party assets; detection is automated using third- and fourth-party mapping techniques.

Key features of Upguard 

  • Evidence gathering involves combining risk information from multiple sources to get complete risk profile
  • Monitoring third party attack surfaces via automated scan 
  • Third parties trust and security pages to showcase information about their data privacy standards, certifications, cybersecurity programs 
  • Elaborate security questionnaires to assess risk posture of third party
  • Third party baseline security posture 
  • Vulnerability model of third party 

SecurityScorecard

SecurityScorecard detects security risks associated with third-party vendors.

Key features of SecurityScorecard

  • Detection of security risks associated with internal and third-party attack surface mapped to NIST 800-171 
  • Projected impact of remediation tasks and board summary reports 
  • Third parties risk management via Atlas to manage security questionnaires and calculate third-party risk profiles 
  • Third-party monitoring via security score feature and track performance 

Bitsight

Bitsight multiple third-party risk identification techniques work together to present a comprehensive risk profile from third-party exposure. 

Key features of Bitsight 

  • Automatic identification of risks associated with alignment gaps with regulations and cyber frameworks such as NIS 2 and SOC 2 
  • Track third-party cybersecurity performance using security ratings
  • Monitor emerging cyber threats across cloud, geographies, subsidiaries and remote workers
  • Multiple threat sources are used to create a risk profile

OneTrust

OneTrust identifies risks across onboarding and offboarding phases of third-party vendors.

Key features of OneTrust 

  • Predictive capabilities to gather insights about privacy and security , governance risks 
  • Maintain an updated vendor inventory via workflow automation across vendor onboarding / offboarding
  • AI engine (Athena) to expedite internal and third-party vendor risk discovery 

Prevalent

Prevalent combines point-in-time risk assessments with automated workflows to monitor third parties and track emerging risks in real time.

Key features of Prevalent 

  • Impact of third-party risks on organization and security ratings from 0-100
  • Point in time risk assessments with continuous monitoring capabilities
  • Identification of common data leak sources, dark web forums and threat intelligence feeds 

Panorays

Panorays keeps you informed of third-party risks with a built-in workflow for creating risk assessments quickly, but it does not incorporate threat and risk intelligence into supply chain data.

Key features of Panorays

  • Detection of common data breach vectors
  • Library of questionnaire templates mapped to popular standards and frameworks
  • Combining data from security ratings and questionnaires to assess the third-party attack surface
  • Workflows customization with external applications using JSON based REST API 

RiskRecon

Third-party risk exposure assessments with deep reporting and security ratings. 

Key features of RiskRecon 

  • Uses risk analysis methodology having 11 security domains and 41 security criteria to get contextualized insight into third-party security posture
  • Security rating scoring system 0-100 
  • Standard API to create extensive cybersecurity ratings  

CyberGRX

CyberGRX expedites third-party risk discovery during vendor due diligence and supports more frequent risk assessments by coupling third-party risk data streams.

Key features of CyberGRX

  • Security questionnaires to establish vendor security posture
  • Continuous updates to library of point in time assessments to map current risks to threat landscape
  • Monitor emerging risks related to phishing, email spoofing, domain hijacking, and DNS issues

Vanta

Focuses on detection of risks associated with misalignment to frameworks and standards. 

Key features of Vanta 

  • Intuitive dashboard to monitor third-party risks related to compliance and track their progress
  • Alignment tracking with security frameworks and standards such as SOC 2, ISO 27001, GDPR and HIPAA.

Drata

Drata provides full audit-readiness assessment by monitoring security tools and using compliance workflows to streamline operations.

Key features of Drata 

  • Policy builder to map specific compliance requirement for third-party risk analysis
  • Maintain compliance across 14 cybersecurity frameworks
  • Continuous monitoring of compliance controls 
]]>
https://networkinterview.com/top-10-tprm-tools/feed/ 0 21692
Palo Alto Packet Flow Troubleshooting: Common Issues https://networkinterview.com/palo-alto-packet-flow-troubleshooting/ https://networkinterview.com/palo-alto-packet-flow-troubleshooting/#respond Tue, 25 Feb 2025 13:45:02 +0000 https://networkinterview.com/?p=21279 Troubleshooting Palo Alto packet flow issues can be complex. In this blog, we will discuss some common Palo Alto Packet Flow Troubleshooting issues and troubleshooting steps.

Palo Alto Packet Flow Troubleshooting Issues

1. Incorrect Security Policies

  • Issue: Traffic is being dropped due to misconfigured or missing security policies.
  • Troubleshooting:
    • Verify the security policies using the CLI command show running security-policy or through the GUI.
    • Ensure that traffic matches the intended policy based on source, destination, and service.
    • Check the rule order and make sure no unintended policy overrides occur.

2. NAT Misconfigurations

  • Issue: Traffic might not be properly translated due to incorrect Network Address Translation (NAT) rules.
  • Troubleshooting:
    • Use the command show running nat-policy to verify NAT rules.
    • Confirm the source and destination NAT configurations, and ensure that the translated IPs are correct.
    • Utilize packet capture to see if the translation is occurring as expected.

3. Zone Misalignment

  • Issue: Traffic is dropped because it is not traversing through the correct zones.
  • Troubleshooting:
    • Confirm that the zones are correctly configured and that both the source and destination zones are assigned properly.
    • Check if the zones match the security policies for inter-zone or intra-zone traffic.

4. Routing Issues

  • Issue: The firewall might not know how to route traffic to the next hop or the intended destination.
  • Troubleshooting:
    • Check the routing table using the command  show routing route
    • Verify static and dynamic routing configurations.
    • Perform trace routes or ping tests to validate the reachability of the destination.

5. Session Table Problems

  • Issue: Traffic may be dropped due to session table issues, such as an existing session not being cleared.
  • Troubleshooting:
    • Use the command show session all to see the active sessions.
    • Clear the session related to the problematic traffic using the clear session id <session-id> command.
    • Check if session timeouts are configured too aggressively.

6. Application Identification (App-ID) Problems

  • Issue: Traffic may be classified incorrectly due to App-ID issues, causing unexpected behavior.
  • Troubleshooting:
    • Use packet capture or logs to verify how the application is being identified.
    • Adjust App-ID settings or override the App-ID as needed for specific traffic.
    • Monitor traffic using the “ACC” tab in the web interface to see how applications are being categorized.

7. Asymmetric Routing

  • Issue: When traffic flows into one interface and the return traffic comes from another, the firewall may drop it.
  • Troubleshooting:
    • A single firewall does not reconcile a flow whose two directions arrive on different interfaces, so fix the routing first so that both directions traverse the same path. As a last resort, relax the checks: set the zone protection profile’s TCP Asymmetric Path option to bypass and disable tcp-reject-non-syn in the session settings, accepting the loss of full TCP state tracking.
    • Use packet captures and session lookups to trace asymmetric paths.

8. High Availability (HA) Configuration Issues

  • Issue: Traffic might be dropped during failover or HA synchronization.
  • Troubleshooting:
    • Ensure HA configurations are correct and both devices are synchronized.
    • Check the failover logs to determine if traffic was interrupted during an HA event.
    • Perform packet captures during HA transitions to analyze packet drops.

9. Decryption Issues (SSL/TLS Decryption)

  • Issue: Misconfigurations in SSL/TLS decryption rules can cause traffic to be dropped or misclassified.
  • Troubleshooting:
    • Review the SSL/TLS decryption policy.
    • Use decryption logs to check whether traffic is being decrypted as expected.
    • Analyze traffic using packet capture tools to confirm if decryption is causing issues.

10. GlobalProtect VPN Issues

  • Issue: Traffic passing through GlobalProtect VPN might face issues due to misconfigurations or certificate problems.
  • Troubleshooting:
    • Verify the GlobalProtect configuration and client settings.
    • Check for certificate-related errors.
    • Analyze the traffic through GlobalProtect using packet captures to identify where the issue lies.

11. Licensing and Feature Constraints

  • Issue: Certain traffic may be dropped due to feature or license limitations, such as URL filtering or WildFire.
  • Troubleshooting:
    • Ensure that all necessary licenses are active and not expired.
    • Review feature-specific logs to determine if traffic is being blocked due to licensing constraints.

12. Fragmentation Issues

  • Issue: Packet fragmentation can cause issues with larger packets being dropped.
  • Troubleshooting:
    • Check whether the path MTU forces fragmentation and whether fragmented packets are being discarded, for example by a zone protection profile configured to drop fragmented IP traffic.
    • Use packet captures to determine if fragmented packets are causing the problem.
    • Adjust Maximum Transmission Unit (MTU) settings as needed.

Each of these common issues can be addressed through packet captures, session monitoring, and careful analysis of the Palo Alto firewall’s traffic logs.
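The order in which I would run those checks from the PAN-OS CLI for one failing flow, as an added example that is not part of the original post: policy match, NAT match, route lookup, session state, then drop counters and a staged capture narrowed to the flow. The zone names, addresses, virtual router name and pcap file names are assumptions; lines beginning with # are annotations, not CLI input.

```panos
# Flow under test (assumed): trust -> untrust, 10.1.1.10 -> 203.0.113.10, TCP/443

# 1. Security policy: which rule (if any) matches, and is its action allow?
test security-policy-match from trust to untrust source 10.1.1.10 destination 203.0.113.10 protocol 6 destination-port 443 application ssl

# 2. NAT policy: is a rule matched, and what is the translated address?
test nat-policy-match from trust to untrust source 10.1.1.10 destination 203.0.113.10 protocol 6 destination-port 443

# 3. Routing: which egress interface / next hop is chosen for the destination?
test routing fib-lookup virtual-router default ip 203.0.113.10

# 4. Sessions: is a stale session holding the flow? Inspect, then clear it.
show session all filter source 10.1.1.10 destination 203.0.113.10
show session id <session-id>
clear session id <session-id>

# 5. Drop counters scoped to this flow only (the filter also narrows captures below)
debug dataplane packet-diag set filter match source 10.1.1.10 destination 203.0.113.10
debug dataplane packet-diag set filter on
show counter global filter packet-filter yes delta yes severity drop

# 6. Staged capture: what arrived vs. what the dataplane dropped
debug dataplane packet-diag set capture stage receive file rx.pcap
debug dataplane packet-diag set capture stage drop file drop.pcap
debug dataplane packet-diag set capture on
# ... reproduce the failure from the client ...
debug dataplane packet-diag set capture off
view-pcap filter-pcap drop.pcap

# 7. Always clean up; a forgotten filter/capture keeps consuming dataplane resources
debug dataplane packet-diag clear all
```

Run the counter command twice a few seconds apart: delta yes reports only counters that changed between calls, so the second run isolates drops caused by the reproduced flow rather than background noise.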

]]>
https://networkinterview.com/palo-alto-packet-flow-troubleshooting/feed/ 0 21279
Palo Alto Firewall Architecture https://networkinterview.com/palo-alto-firewall-architecture/ https://networkinterview.com/palo-alto-firewall-architecture/#respond Mon, 24 Feb 2025 15:30:14 +0000 https://networkinterview.com/?p=14709 Network architecture refers to the structured approach of network, security devices and services structured to serve the connectivity needs of client devices, also considering controlled traffic flow and availability of services. Network devices typically include switches, routers and firewalls.

Palo Alto Firewall Architecture : An Overview

Palo Alto firewall architecture is based on an exclusive design, the Single Pass Parallel Processing (SP3) architecture. This setup enables high-throughput, low-latency network security with a remarkable set of features and technology. Palo Alto Networks addresses the performance problems that impact today’s security infrastructure with the SP3 architecture, which is composed of two key components:

  1. Single Pass software
  2. Parallel Processing hardware

Single Pass Software

Palo Alto Networks Next-Generation Firewall software is built around a single pass. In one pass it performs networking, user identification (User-ID), policy lookup, traffic classification with application identification (App-ID), decoding, and signature matching for threats and malicious content. Processing each packet in a single pass significantly reduces packet-processing overhead.

On the contrary, other firewall vendors use a different architecture, which produces higher overhead when processing packets traversing the firewall. A notable approach in other vendors’ next-generation firewalls is Unified Threat Management (UTM), where each security function processes the packet and inspects its contents in turn; the resulting CPU overhead increases latency and reduces throughput, degrading performance.

Single Pass software is designed to achieve two key objectives.

  • First, the Single Pass software performs its operations per packet. Under this mechanism, policy lookup, application identification, decoding and signature matching for all threats and content are each performed only once per packet.
  • Second, packet processing in Single Pass software is stream-based and uses uniform signature matching to detect and block threats. Instead of separate engines and signature sets, or file proxies that require a file to be fully downloaded before scanning, the Single Pass software in Palo Alto Networks next-generation firewalls scans packets once, in a stream-based fashion, to keep latency low and throughput high.

This Single Pass content processing enables high throughput and low latency with all security functions active. It also offers a single, fully integrated policy, which simplifies management of enterprise network security.

Related – Palo Alto Administration & Management

Parallel Processing Hardware

Palo Alto Networks Parallel Processing hardware ensures that function-specific processing is done in parallel at the hardware level, which, together with the dedicated data plane and control plane, produces strong performance results. By separating the data plane from the control plane, Palo Alto Networks ensures that heavy utilization of either plane does not impact the overall performance of the platform.

Palo Alto Firewall Architecture : Control Plane & Data Plane

The control plane is responsible for management and configuration of the Palo Alto firewall, as well as logging and reporting. The key feature of the Palo Alto Networks Next-Generation Firewall is its set of dedicated processors, each responsible for a specific function and all working in parallel. In the high-end models the data plane contains three types of processors (CPUs) connected by high-speed 1 Gbps buses.

Types Of Processors:

The three types of processors are:

  1. Security Matching Processor: a dedicated processor that performs vulnerability and virus detection tasks.
  2. Security Processor: a dedicated processor that performs hardware acceleration and handles security tasks such as SSL decryption, IPsec decryption and similar tasks.
  3. Network Processor: a dedicated processor responsible for network tasks such as routing, NAT, QoS, route lookup, MAC lookup and network-layer communications.

First, the Palo Alto firewall architecture splits the two planes: it has a separate data plane and control plane. This separation means that heavy utilization of one plane never impacts the other. The second important element is the Parallel Processing hardware, which includes discrete, specialized processing groups that work together to perform several key functions.

  • Routing, flow lookup, traffic analysis statistics, NAT and similar functions are performed on network-specific hardware.
  • User-ID, App-ID and policy enforcement all run on a multi-core security engine with hardware acceleration for encryption/decryption and compression/decompression.
  • Content-ID content analysis uses a dedicated, specialized content scanning engine.
  • On the control plane, a dedicated management processor (with its own disk and RAM) drives configuration management, logging and reporting without interfering with user traffic.

Conclusion

The Palo Alto network architecture combines Single Pass software with Parallel Processing hardware, a well-matched pairing for network security that enables Palo Alto Networks next-generation firewalls to restore visibility and control over enterprise networks.

Continue Reading:

SSL VPN Configuration in Palo Alto

Palo Alto GlobalProtect

How to Reset Palo Alto Firewall to Factory Default Settings
https://networkinterview.com/factory-reset-palo-alto-firewall/
Mon, 24 Feb 2025 14:54:45 +0000

Introduction to Reset Palo Alto Firewall

A firewall is a network security device that grants or rejects network access to traffic flowing between an untrusted zone (external networks) and a trusted zone (internal networks). Starting from the early days of stateful inspection firewalls and moving on to UTM (unified threat management), application-aware next-generation firewalls have now become synonymous with firewalls.

Palo Alto is one such next-generation firewall; it offers flexible deployment options for your network, with firewall platforms available in both physical and virtual form.

In this article we will learn how to reset a Palo Alto firewall to factory default, why it is required, and so on.

Reset Palo Alto Firewall to Factory Default Settings

There are three scenarios in which you may need to reset the Palo Alto firewall to its default settings: you do not have the admin password, you have the admin password, or you have the admin password and need to remove all logs and restore the firewall's default configuration.

Steps to Restore Default Configuration

To reset the firewall to its default configuration you first need to enter maintenance mode.

Step 1: Connect the console cable from the console port to your system and verify the console settings: speed 9600, data bits 8, parity none, stop bits 1.

Step 2: Power on or reboot the device in order to enter maintenance mode.

Step 3: During boot the following prompt appears on the console:

Booting PANOS (sysroot0) after 5 seconds…
Entry:

Type 'Maint' and press Enter.

Step 4: Multiple options are displayed; choose PANOS (maint) mode.

Step 5: The maintenance recovery section is displayed. Press Enter to proceed.

Step 6: Choose 'Factory reset' and press Enter.

Step 7: A warning message is displayed along with the factory reset option. Select Factory reset and press Enter.

The progress is displayed on screen as a percentage complete.

When the factory reset completes, the screen shows that it has finished; reboot the device to complete the process.

Continue Reading:

Palo Alto Troubleshooting CLI Commands

NAT Configuration & NAT Types – Palo Alto

Phishing Prevention Techniques for a Remote Workforce
https://networkinterview.com/phishing-prevention-techniques/
Tue, 07 Jan 2025 17:46:10 +0000

The number and intensity of cybercrimes based on social engineering techniques are growing exponentially, as humans are the weakest link in the security chain and an easy target for compromise. This is further fueled by remote operations. Most companies spend money and time implementing best-of-breed systems to secure their networks but forget that humans cannot be programmed to respond in a specific manner, and this is where fraudsters gain the advantage.

In today’s topic we will learn about phishing, common types of phishing and how to prevent phishing for remote workers.  

What is Phishing? 

Phishing is a social engineering technique, usually carried out by email, that tricks a user into entering credentials, clicking malicious links that install malware on the victim's system, or visiting a malicious website to download malware or other infected software meant to steal personal information. The latest Verizon report indicated that '90% of security incidents and data breaches are the result of phishing attacks'.

Phishing Attack Types

Phishing attacks come in various types:

  • Email Phishing – the most common form, in which fake emails are presented to the victim, often mentioning a piece of personal information to catch the user's interest.
  • Spear Phishing – specific individuals or organizations are targeted.
  • Clone Phishing – an exact copy of a legitimate email is created, but with fictitious or dubious links.
  • Vishing – uses the phone; the attacker pretends to be a legitimate caller and tries to obtain personal information over the phone.
  • Smishing – SMS-based phishing that uses text messages asking for personal information.
  • Whaling – a targeted attack on high-profile executives or individuals such as CEOs or government officials to obtain personal information or a money transfer.
  • Zishing – users of video conferencing platforms such as MS Teams and Zoom are targeted. The user is sent a fake meeting invite asking them to join via a link. These sites mimic the real meeting platform and trick users into sharing personal information or downloading malware.

Phishing Prevention for Remote Workers 

  • Be careful with emails – always check the sender's email address before clicking any link or opening any email that comes from an unknown source. If a message seems suspicious, check the official website or call the organization.
  • Stay educated and updated – keep yourself informed about the latest phishing techniques and take the cybersecurity refresher courses your organization provides.
  • Use multi-factor authentication – for work, banking and similar accounts, enable MFA to add a layer of security to your sensitive accounts.
  • Implement Zero Trust Network Access (ZTNA) – every user and device is verified, regardless of location, before being granted access to the corporate network, so remote workers can access organization resources securely without the risk of compromise.
  • Report suspicious activity – report all phishing attempts to your IT and cybersecurity team immediately so that they can investigate and take the required action.

Related FAQs

Q.1 How can I recognize a phishing attempt?

Look for these warning signs:

  • Suspicious sender address: Email domains that don’t match the official domain (e.g., “support@paypal-secure.com” instead of “support@paypal.com”).
  • Urgent or threatening language: Messages claiming your account will be suspended unless you act immediately.
  • Poor grammar and spelling: Legitimate companies rarely send emails with typos or awkward phrasing.
  • Unexpected attachments or links: Be cautious of unsolicited files or URLs.
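To make the warning signs listed in Q.1 (and the "be careful with emails" advice above) concrete, here is an added Python checker that is not part of the article: it scans a raw email for a sender domain that does not belong to the brand the message claims to come from (the paypal-secure.com vs paypal.com case), a Reply-To that diverts replies elsewhere, urgent wording, and links that are not HTTPS, use an IP-literal host, or point outside the brand's domains. The brand-to-domain table, the urgency word list and the two sample messages are constructed for the example, and the registered-domain helper assumes simple two-label domains such as example.com.

```python
"""Phishing-indicator checks over a raw e-mail (added example, not from the
article). Standard library only; the brand/domain table and the two sample
messages below are constructed for illustration."""
import re
from email import policy
from email.parser import Parser
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> domains that brand legitimately mails from.
LEGIT_DOMAINS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "office.com"},
}
# Wording typical of pressure tactics (small constructed list).
URGENT = ("immediately", "suspended", "within 24 hours", "verify now", "act now")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (assumption: fine for
    example.com-style names, not for country TLDs such as co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def address_domain(header_value: str):
    """Registered domain of the first address in a From/Reply-To header, or None."""
    m = EMAIL_RE.search(header_value or "")
    return registered_domain(m.group(1)) if m else None


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable indicators found in the message; empty list means none fired."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    subject = str(msg.get("Subject", ""))
    from_hdr = str(msg.get("From", ""))
    from_dom = address_domain(from_hdr)
    reply_dom = address_domain(str(msg.get("Reply-To", "")))

    # Which brand does the mail claim to be from? Look in From, Subject and body.
    text = (from_hdr + " " + subject + " " + body).lower()
    brands = [b for b in LEGIT_DOMAINS if b in text]
    legit = set().union(*(LEGIT_DOMAINS[b] for b in brands)) if brands else set()
    label = "/".join(brands)

    found = []
    # 1. Sender domain does not belong to the brand being impersonated (lookalike or unrelated).
    if brands and from_dom and from_dom not in legit:
        found.append(f"sender domain {from_dom} is not a known {label} domain")
    # 2. Replies are diverted to a different domain than the visible sender.
    if reply_dom and from_dom and reply_dom != from_dom:
        found.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 3. Urgent or threatening language.
    hits = [w for w in URGENT if w in text]
    if hits:
        found.append("urgent language: " + ", ".join(hits))
    # 4. Links: plain HTTP, IP-literal hosts, or hosts outside the brand's domains.
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")
        u = urlparse(url)
        host = u.hostname or ""
        if u.scheme != "https":
            found.append(f"non-HTTPS link {url}")
        if IPV4_RE.fullmatch(host):
            found.append(f"IP-literal link host {host}")
        elif brands and registered_domain(host) not in legit:
            found.append(f"link host {host} is outside {label} domains")
    return found


# Constructed sample messages (not real mail).
PHISH_MSG = """From: PayPal Support <support@paypal-secure.com>
Reply-To: recovery@mail-verify.net
Subject: Your account will be suspended
Content-Type: text/plain; charset=utf-8

Unusual activity was detected. Verify now at http://paypal-secure.com/login
or your account will be suspended within 24 hours.
"""

LEGIT_MSG = """From: PayPal <service@paypal.com>
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Your statement for last month is available at https://www.paypal.com/statements.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH_MSG", PHISH_MSG), ("LEGIT_MSG", LEGIT_MSG)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

Run as-is, the constructed phishing message triggers all four categories (five indicators) while the legitimate statement notice triggers none. A real mail gateway would add authentication results (SPF, DKIM, DMARC) and a proper public-suffix list, but the domain-mismatch logic is the same check the FAQ tells users to do by eye.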

Q.2 What should I do if I suspect I’ve been phished?

  • Stop engaging: Avoid clicking any further links or downloading attachments.
  • Change passwords immediately: Use a strong, unique password for the compromised account.
  • Notify relevant parties: Inform your IT department, bank, or other affected organizations.
  • Monitor accounts: Check for unauthorized transactions or activity.
  • Report the phishing attempt: Forward phishing emails to organizations like reportphishing@apwg.org or the company being impersonated.

Q.3 Are there tools to help protect against phishing?

  • Email filtering tools: Identify and block suspicious emails before they reach your inbox.
  • Browser extensions: Many browsers have phishing protection settings to warn you about fraudulent websites.
  • Anti-phishing software: Comprehensive solutions that detect and prevent phishing attempts.
  • Password managers: Generate and store unique passwords, preventing reuse across sites.
  • DNS-based security tools: Block access to known malicious sites.
Cybersecurity Compliance: What You Need to Know in 2025
https://networkinterview.com/cybersecurity-compliance/
Tue, 07 Jan 2025 17:16:01 +0000

A resilient approach to security and protection of digital assets is the need of the hour. The approach focuses on protecting hardware infrastructure and business applications to eliminate vulnerabilities that could impact organizations, customers and other stakeholders. Businesses that comply with these obligations are regarded as trustworthy and mature in the industry landscape.

In today's topic we will learn what cybersecurity compliance is and why it is needed.

What is Cybersecurity Compliance?

Cybersecurity compliance is adherence to a set of regulations and standards that provide protection against cyber threats. Implementing various security tools and controls such as firewalls, intrusion detection and prevention systems, anti-malware, encryption, and patching and updates, combined together, forms the cybersecurity compliance discipline.

Preventing data breaches and maintaining customer trust is crucial for business, so organizations need to continuously evaluate their security posture and implement a risk governance approach to meet regulatory requirements. Regular monitoring and assessment help keep risk within the organization's appetite.

Cybersecurity Compliance Significance 

Cybersecurity compliance demonstrates an organization's commitment to protecting the confidentiality, integrity and availability of the data in its possession. Safeguarding personal and sensitive data requires alignment with regulatory bodies and standards that impose stringent data security requirements, such as PCI-DSS (payment card industry), the General Data Protection Regulation (GDPR), the National Institute of Standards and Technology (NIST) framework and the Health Insurance Portability and Accountability Act (HIPAA).

All organizations have a digital attack surface that keeps growing as the IT landscape expands beyond the four walls of the organization. Access to critical and personal information such as email addresses, bank accounts and cardholder data makes organizations vulnerable to cyber-attacks. Cybersecurity compliance ensures organizations operate legally while protecting their resources. Non-compliance with cybersecurity standards leads to fines that hit the company's bottom line.

Types of Data That Require Cybersecurity Compliance

  • Personally Identifiable Information (PII) – a piece of information that could uniquely identify a data subject. PII may include first name, last name, address, PAN card number, social security number, etc.
  • Personal Health Information (PHI) – information related to an individual's health and the corresponding records. This may include insurance number, claim number, and health care tests/records.
  • Financial Information – bank accounts, credit and debit card numbers, funds, investments, etc.

Benefits of Having Cybersecurity Compliance 

All organizations need a cybersecurity governance program to adhere to regulations and comply with industry-specific requirements.

  • Protecting reputation and trust – the most valuable asset of any organization is its reputation and brand value. Adherence to regulatory frameworks and compliance requirements helps businesses attract and retain customers.
  • Smooth business operations and bottom line – if data is safe, the business operates smoothly with a solid bottom line.
  • Avoiding fines – regulatory non-compliance is costly and comes at a hefty price. For example, GDPR fines are as large as 4% of your annual turnover or more, depending on the violation.

Cybersecurity Program

To set up cybersecurity compliance, organizations need to go through the following steps:

  • Identify data types and their requirements – the very first step is to identify what types of data the organization handles, the locations it operates from, and which regulations apply in those geographies.
  • Define the cybersecurity and compliance team – set up a cybersecurity and compliance team led by the CISO, with experts from other teams such as operations, product and security.
  • Perform a risk assessment – once the data types are identified, the next step is to identify vulnerabilities and cyber risks, along with risk tolerance and BCP/DR requirements.
  • Implement technical security controls – once you have determined the business's risk tolerance level, the next step is to implement technical controls such as firewalls and encryption.
  • Create and deploy security policies – document policies and guidelines and have them evaluated through regular internal and external audits.
  • Monitor and respond – cybersecurity compliance is a continuous process; as threats evolve, the infrastructure must grow in the same manner. Good monitoring and response management systems ensure proactive management of cyber threats.
Ransomware Resilience: Strategies to Protect Your Network
https://networkinterview.com/ransomware-resilience-strategies/
Wed, 25 Dec 2024 15:36:56 +0000

This is the era of digital dominance, and the ransomware threat looms large over enterprises and individuals. It is a kind of digital arrest, and it has emerged as the most menacing threat of recent years. Cybercriminals have targeted businesses, hospitals, government agencies and individuals and locked their data, to be released only after a hefty ransom is paid. So what should you do so that you never have to pay a ransom?

In today’s topic we will learn about the ransomware resilience approach and how to achieve it. 

What is Ransomware Resilience?

Ransomware attacks target data: they usually encrypt it and demand a ransom from the victim to release it. It is a form of Advanced Persistent Threat (APT) in which hackers or hacking groups run an attack campaign against an organization's network. This is a lucrative criminal industry, and in 2024, 33% of organizations that paid a ransom could not recover their data. 'Ransomware resilience' is a cybersecurity approach focused on proactive protection of systems and data from ransomware attacks.

It is about being vigilant and prepared, with a robust security infrastructure to combat ransomware threats. The ultimate goal is to 'never pay cybercriminals'. Let's look at ways to establish a resilient ransomware defense for your IT landscape.

Ways to Establish a Resilient Ransomware Defense

  • Comprehensive Security Measures – A robust combination of several layers of defense, comprising endpoints, perimeter firewalls, intrusion detection and prevention systems and anti-malware, along with regular security updates and patching, establishes a strong wall of defense against cybercriminals and minimizes the vulnerabilities that can be exploited.
  • Ongoing Employee Training and Awareness – Humans are considered the weakest link in the security chain, so it is important to focus on the human aspect of security. Educating employees to recognize phishing attacks, avoid malicious downloads and follow safe web browsing practices helps build the first line of defense.
  • Data Backup and Recovery – For ransomware resilience it is crucial to implement a strong backup and restore strategy. Backups must be encrypted both at rest and in transit, with access limited to a small number of personnel. Periodic test restorations ensure that a clean, working backup copy is available to the business when it is needed.
  • Incident Response Plan – A well-architected and clearly defined incident response plan is crucial for handling ransomware situations. The plan outlines the steps to be taken immediately in the event of ransomware, including isolating affected systems and informing the concerned authorities.
  • Patch Management – Poorly patched systems are easy targets, as attackers exploit vulnerabilities in operating systems and applications. Regular patching and upgrades ensure that security vulnerabilities are taken care of, making it harder for cybercriminals to find an easy way into your IT landscape.
  • Network Segmentation – Segmentation restricts the lateral movement of cyber attackers within your infrastructure. This strategy helps isolate an infection and prevents it from spreading to critical systems.
  • Threat Detection and Endpoint Response – Invest in good endpoint detection and response software. Such tools are quite effective in detecting and blocking ransomware before the malicious payload executes.
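The "Data Backup and Recovery" point above says periodic restorations are what prove a backup is clean and usable. One concrete form of that test is a checksum manifest taken at backup time and compared against the restored tree. The following Python script is an added example (not from the article): it builds a SHA-256 manifest over a small constructed source tree in a temporary directory, then verifies one clean restore and one in which a file was overwritten and another is missing, which is what a ransomware-damaged or incomplete restore looks like.

```python
"""Backup integrity manifest and restore verification (added example, not from
the article). Standard library only; the files are constructed in a temporary
directory so the demo runs offline."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative, POSIX-style path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.
    A clean restore returns three empty lists."""
    current = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Build a sample backup, then check one clean restore and one that was
    damaged (one file overwritten, one missing). Returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "db").mkdir(parents=True)
        (src / "db" / "users.sql").write_text("CREATE TABLE users (id INT);\n")
        (src / "config.yaml").write_text("retention_days: 30\n")

        # Serialize the manifest: in practice it is stored (and ideally signed)
        # separately from the backup media, so tampering with the backup alone
        # cannot also rewrite the checksums.
        manifest_json = json.dumps(build_manifest(src), indent=2)
        manifest = json.loads(manifest_json)

        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)

        bad = Path(tmp) / "restore_bad"
        (bad / "db").mkdir(parents=True)
        (bad / "db" / "users.sql").write_text("<contents replaced by encrypted blob>\n")

        return {"clean": verify_restore(manifest, good),
                "tampered": verify_restore(manifest, bad)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is deliberately kept apart from the backup itself; if it lives on the same media, an attacker who encrypts the backup can regenerate the checksums and the restore test passes while the data is useless.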

Related: 20 Types of Malware

Why Paying Ransomware is Never a Choice 

Paying a ransom is like paying a blackmailer. Do you think the blackmailer will stop once he gets what he wants from you? Instead of paying a hefty ransom, it is wiser to invest in strengthening your ransomware resilience. Paying makes you an easy target for future attacks, and ransom payments do not guarantee the security of your data.

Continue Reading:

6 Types of Hackers

How to make a career in Cybersecurity or Ethical hacking?

Phishing vs Spam: Cyber Attack Techniques
https://networkinterview.com/phishing-vs-spam-cyber-attack-techniques/
Tue, 29 Oct 2024 14:20:46 +0000

Cyber Attack Technologies

Various forms of cyber attack are prevalent these days, and attack sophistication has reached new levels: attackers are no longer limited to fake websites, messages or emails but also focus on stealing data from social media platforms and on defeating security systems. Social engineering attacks, which trick victims into disclosing confidential, personal or sensitive information and then use it for financial gain or further cybercrime, are on the rise.

Today we look in more detail at two cyber attack techniques, phishing and spam: how these attacks are carried out, how to identify them, the steps that can be taken to avoid becoming a victim, and so on.


What is Phishing?

Cybercriminals cheat and obtain confidential information in deceptive ways: passwords, credit card information or other banking details, which can lead to financial loss. Social engineering techniques, such as obtaining the necessary information by manipulating legitimate users, are on the rise. The cybercriminal or attacker poses as a trusted person or business in an official-looking communication, usually via email or instant message, social networks, or even phone calls.

Related: Spear Phishing vs Phishing

Such emails usually contain a malicious link which, when clicked, leads to a fake web page that lets users believe they are at a trusted website; any information they provide goes straight into the attacker's hands.

  • Smishing – SMS-based phishing, in which the user receives a text message prompting them to visit a malicious link.
  • Vishing – the user receives a call purportedly from a bank or other financial institution asking for verification of personal details that the attacker could use to steal money.


What is Spam?

Spam is the flooding of mailboxes or systems with large numbers of unwanted messages from unknown senders that you never requested or desired. Most spam mail advertises a product or service. Spammers buy databases containing thousands of email addresses and often mask the origin of the message or the sender information, with the intent to damage or choke systems.

Spam is also used by hackers to create problems for network administrators by flooding systems, consuming bandwidth, wasting storage space, and so on.


How to protect from Phishing and Spam?

  • Don't click on unsolicited emails or links.
  • Don't enter personal or sensitive information on unsecured sites: if the site URL does not start with HTTPS and the browser shows no padlock symbol, do not enter any sensitive information or download any files from the site.
  • Rotate your passwords regularly; enabling multi-factor authentication is also a good strategy to protect accounts.
  • Make sure your system has the latest security patches and updates installed.


Comparison Table: Phishing vs Spam

The table below summarizes the differences between the two cyber attack techniques:

Download the comparison table here: Phishing vs Spam

Continue Reading:

What is Spoofing? Detailed Explanation

Top 10 Cybersecurity trends

What is a Remote Access Trojan (RAT)?
https://networkinterview.com/remote-access-trojan-rat/
Wed, 23 Oct 2024 10:44:03 +0000

Remote access to and control over systems is widely used to provide technical support to users or to work outside the office. The rise of remote working, however, especially during the Covid-19 pandemic, has allowed attackers to use remote access and control for nefarious purposes. Several types of malware exist in the cyber world; trojans are considered dangerous and are used to gain access to and control over systems.

In today's topic we will learn about the Remote Access Trojan (RAT): how it works, how to detect it and how to protect against it.

Remote Access Trojan (RAT)

The word Trojan refers to the mythological Trojan horse used to conquer the city of Troy in the Trojan War of Greek mythology: the Greeks left a giant hollow horse as an offering to the goddess Athena, with soldiers hiding in its belly, and once inside the city they ravaged Troy. In the same way, a RAT fools its recipient into installing the malicious software on their system. Once installed, it gives the RAT operators access.

The hacker gains remote access to a system by disguising the RAT as a harmless file or application; it opens a backdoor to devices over the network, exposing data and other sensitive information. It gives malicious actors unrestricted access to devices: they can control hardware such as the webcam, software, and personal information such as financial details (credit card and bank details).

How Remote Access Trojan (RAT) works

A Remote Access Trojan works like a non-malicious remote access tool, but it is designed to stay hidden and carry out tasks without the knowledge or consent of the system user. To install a RAT, the hacker first tricks the user into downloading the software, for example by sending a phishing email containing a link that appears to be a legitimate website URL. The downloaded application presents itself as a trustworthy remote application, but after installation it does not appear in the list of installed software or running processes. RATs are dangerous because they give hackers complete administrative control of the system.

Sometimes RATs are paired with keyloggers to increase the chance of capturing credentials. If a RAT gains access to several devices, they can be directed at a server, flooding it with internet traffic from all of them in a DDoS attack that can shut the server down. Some of the most common RATs are CrossRAT, Beast, Mirage, Saefko, Poison Ivy and Blackshades.

How to detect Remote Access Trojan (RAT)

A RAT is difficult to detect; however, there are some telltale signs that may indicate its presence on a system.

  • Website redirection – if the browser keeps redirecting web searches to different pages, this could be a sign that the system is under someone else's control.
  • Strange files on the system – hackers may store their files on your system to hide their illegal activities. If you find files on your system that you do not recognize, scan the system.
  • Webcam turns on – if the webcam turns on at random, it may have been activated remotely.
  • Poor system performance – slow or poor performance could indicate that a hacker is using your system for background activities.

How to Protect Against Remote Access Trojan (RAT)

  • Enable two-factor authentication – two-factor authentication helps keep hackers from gaining access to online accounts even if they gain access to the system.
  • Avoid suspicious links and email attachments – whenever you receive an email or link in your inbox, check its authenticity and do not open or click on mail from unknown senders.
  • Keep the operating system updated – ensure that your system has the latest patches and update it regularly.
  • Install software from legitimate websites only – stick to legitimate websites and stores (such as the Apple App Store and Google Play Store) to get software.
  • Use a VPN – a VPN encrypts internet traffic and hides your IP address when you go online, blocking anyone trying to track your system.
  • Use an intrusion detection system – an intrusion detection system (IDS) monitors network activity and alerts you if something suspicious happens, such as an attempt to stop a firewall.
  • Install antivirus software – good-quality antivirus software helps block suspicious software from being installed on your system and shields it.
How to Configure Route Leaking Between VRFs FortiGate CLI?
https://networkinterview.com/configure-route-leaking-vrfs-fortigate/
Mon, 21 Oct 2024 14:25:09 +0000

Cloud-hosted workloads require customer traffic isolation and separate routing at the logical level while sharing common hardware. Using the virtual routing and forwarding (VRF) technique, multiple routing tables can be created within the same router. VRF divides layer 3 routing functionality, including routes, forwarding tables and interfaces, into separate units. Packet forwarding happens between interfaces within the same VRF.

In today's topic we will learn how to configure route leaking between VRFs on a FortiGate using the command line interface (CLI).

What is VRF on FortiGate?

Virtual routing and forwarding (VRF) provides virtual router functionality on a physical router. Each VRF operates in isolation and maintains its own routing table, configuration and interfaces. Each VRF is a self-contained realm, unaware of the existence of the others. FortiGate acts as the guardian that facilitates communication among these isolated VRFs, managing these connections and protecting the pathway between VRFs.

Configuring Route Leaking between VRFs FortiGate CLI   

Routes from a VRF table can be leaked into the global routing table so that traffic between VRFs becomes possible. This scenario requires enabling and configuring a BGP neighbour.

1. Configure VDOM Mode

Step 1:

Set the FortiGate to multi-VDOM mode so that two inter-VDOM links can be created and assigned to separate VRFs. Multi-VDOM mode creates an additional virtual firewall on a single physical box. The inter-VDOM links created here remain in the root VDOM.

config system global
    set vdom-mode multi-vdom
end

2. Subnet Overlapping

Step 2:

By default, FortiGate does not permit duplicate or overlapping networks to be configured within the same VDOM. The two inter-VDOM links need to be on the same subnet, so subnet overlap must be allowed.

config vdom
    edit root
        config system settings
            set allow-subnet-overlap enable
        end
    next
end

3. Configuring Inter-VDOM Links

Step 3:

Configure two inter-VDOM links on the same subnet. The links are placed in their respective VRFs using set vrf (<0> to <31>).

config vdom
    edit root
        config system interface
            edit "npu1_vlink0"
                set vdom "root"
                set vrf 2
                set ip 10.300.0.1 255.255.255.0
                set allowaccess ping ssh snmp http https
                set type physical
                set snmp-index 11
            next
            edit "npu1_vlink1"
                set vdom "root"
                set vrf 3
                set ip 10.300.0.2 255.255.255.0
                set allowaccess ping ssh snmp telnet http https
                set type physical
                set snmp-index 15
            next
        end
    next
end

Put the physical or virtual interfaces into their respective VRFs using the commands below.

config system interface
    edit "wan12"
        set vdom "root"
        set vrf 2
        set ip x.x.x.x 255.255.255.252
    next
    edit "vlan200"
        set vdom "root"
        set vrf 3
        set ip 10.200.0.254 255.255.255.0
    next
end

wan12 is placed in VRF 2 so that the default route can be leaked from VRF 2 into VRF 3, giving vlan200 Internet access.

4. Configuration of Prefix-list

Configure a prefix-list for the routes you intend to leak. Here we leak the source subnet 10.200.0.0/24 of VRF 3 and the default route of VRF 2.

config router prefix-list
    edit "1"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
    edit "2"
        config rule
            edit 1
                set prefix 10.200.0.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

5. Configuring Route-Map

A route-map identifies the subnets used in VRF leaking by matching them against the prefix-list.

config router route-map
    edit "VRF2Routes"
        config rule
            edit 1
                set match-ip-address "1"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
    edit "VRF3Routes"
        config rule
            edit 1
                set match-ip-address "2"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end

6. Configuring Route Leaking

The BGP neighbour is reached through the dmz interface, which is specified with the set update-source command. For VRF leaking to work, at least one BGP neighbour must be up.

config router bgp
    set as 65533
    set router-id 2.2.2.2
    config neighbor
        edit "198.168.2.254"
            set remote-as 65534
            set update-source "dmz"
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
        set status enable
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
    config vrf-leak
        edit "2"
            config target
                edit "1"
                    set route-map "VRF3Routes"
                    set interface "npu1_vlink1"
                next
            end
        next
        edit "1"
            config target
                edit "2"
                    set route-map "VRF2Routes"
                    set interface "npu1_vlink0"
                next
            end
        next
    end
end

7. Configure Firewall Policies

Configure a policy from the physical or VLAN interface to the VDOM link in VRF 3, and then a policy from the VDOM link to the WAN interface in VRF 2.
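Before pushing a configuration like the one above, it helps to lint it for the prerequisites the steps depend on. The Python below is an added example, not part of the original post or any Fortinet tool: it parses a FortiGate CLI fragment into nested dicts and checks that every interface VRF id lies within 0 to 31, that interface addresses are valid, that allow-subnet-overlap is enabled when two links share a subnet, that a BGP neighbour is configured, and that each vrf-leak target names a defined route-map and interface. The function names and the embedded sample configuration are my own constructions.

```python
import ipaddress, itertools, shlex


def parse_fortigate(text):
    """config a b -> key 'a b'; edit X -> key X; set k v... -> k: [v, ...]."""
    root, stack = {}, []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        kw, args = words[0], words[1:]
        cur = stack[-1] if stack else root
        if kw in ("config", "edit"):
            stack.append(cur.setdefault(" ".join(args), {}))
        elif kw == "set":
            cur[args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()  # 'unset' and other keywords are ignored for linting
    return root


def section(tree, name):
    """Depth-first lookup of a block such as 'system interface' (handles vdom nesting)."""
    if name in tree:
        return tree[name]
    for sub in tree.values():
        if isinstance(sub, dict) and (hit := section(sub, name)) is not None:
            return hit
    return None


def lint_vrf_leak(cfg):
    """Return findings as strings; an empty list means the prerequisites look sane."""
    findings, nets = [], []
    intfs = section(cfg, "system interface") or {}
    for name, i in intfs.items():
        vrf = i.get("vrf", ["0"])[0]
        if not (vrf.isdigit() and int(vrf) <= 31):
            findings.append(f"{name}: vrf {vrf} outside 0-31")
        if "ip" in i:
            try:  # 'set ip <addr> <mask>': rejects octets above 255 and bad masks
                nets.append((name, ipaddress.IPv4Interface("/".join(i["ip"])).network))
            except ValueError:
                findings.append(f"{name}: invalid address {' '.join(i['ip'])}")
    overlap_ok = (section(cfg, "system settings") or {}).get(
        "allow-subnet-overlap", ["disable"])[0] == "enable"
    for (a, na), (b, nb) in itertools.combinations(nets, 2):
        if na.overlaps(nb) and not overlap_ok:
            findings.append(f"{a}/{b} share a subnet but allow-subnet-overlap is disabled")
    bgp = section(cfg, "router bgp") or {}
    if not bgp.get("neighbor"):
        findings.append("router bgp: no neighbour configured; leaking needs one")
    rmaps = section(cfg, "router route-map") or {}
    for src, leak in bgp.get("vrf-leak", {}).items():
        for dst, tgt in leak.get("target", {}).items():
            rm, ifn = tgt.get("route-map", [""])[0], tgt.get("interface", [""])[0]
            if rm not in rmaps:
                findings.append(f"vrf-leak {src}->{dst}: route-map '{rm}' not defined")
            if ifn not in intfs:
                findings.append(f"vrf-leak {src}->{dst}: interface '{ifn}' not defined")
    return findings


# Constructed sample in the layout of the steps above, with two deliberate faults.
BAD_CFG = """
config system settings
    set allow-subnet-overlap disable
end
config system interface
    edit "npu1_vlink0"
        set ip 10.30.0.1 255.255.255.0
    next
    edit "npu1_vlink1"
        set vrf 32
        set ip 10.30.0.2 255.255.255.0
    next
end
config router route-map
    edit "VRF3Routes"
    next
end
config router bgp
    config neighbor
        edit "198.168.2.254"
        next
    end
    config vrf-leak
        edit "2"
            config target
                edit "3"
                    set route-map "VRF3Routes"
                    set interface "npu1_vlink1"
                next
            end
        next
    end
end
"""
GOOD_CFG = BAD_CFG.replace("vrf 32", "vrf 3").replace("overlap disable", "overlap enable")
```

Running lint_vrf_leak(parse_fortigate(BAD_CFG)) reports the out-of-range VRF and the disabled subnet overlap, while GOOD_CFG yields no findings.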

Cisco FTD Deployment Modes (https://networkinterview.com/cisco-ftd-deployment-modes/, Tue, 24 Sep 2024)

(FTD Deployment Modes: Routed, Transparent, Inline, Inline with tap, Passive SPAN, Passive ERSPAN)

Cisco FTD design and deployment involves setting up the firewall, SSL inspection, NAT, IPS and active/standby HA. The deployment model determines how Firepower is placed into the network: as a firewall/IPS device or as an IPS-only device. In firewall/IPS mode you can choose between routed and transparent mode, and in IPS-only mode you can choose between inline and passive mode.

In today’s blog we will cover FTD deployment modes in detail, the differences between the modes, and their use cases.

Cisco FTD Deployment 

Cisco FTD interface could be deployed in

  • Regular firewall mode and
  • IPS only mode

We can include both firewall and IPS only interfaces on the same device. 

FTD Deployment Modes: Regular Firewall Mode

Regular firewall mode interfaces subject traffic to firewall functions such as maintaining flows, tracking flow state at the IP and TCP layers, IP defragmentation and TCP normalization. IPS functions can optionally be applied to this traffic according to the security policy. The type of firewall interface you can configure depends on the firewall mode set for the device: routed or transparent.

FTD Routed Mode Deployment

Routed mode interfaces are available in routed firewall mode only; each interface that you want to route between is on a different subnet.

FTD Transparent Mode Deployment 

In transparent mode the firewall behaves like a switch: no IP address is assigned to any data interface, only to the firewall itself.

Limitations of FTD transparent mode (Firewalls)

  • No unicast/ multicast routing
  • No DHCP relay
  • No VPN termination
  • LAN cannot be used as an enterprise gateway

However, the NAT feature can be enabled in transparent mode.

To configure a transparent firewall, we have to configure a bridge group and add interfaces to it. In transparent mode each bridge group is separate and does not communicate with the others. The Firepower Threat Defense (FTD) system uses bridging to pass traffic between the interfaces of a bridge group. Each bridge group includes a Bridge Virtual Interface (BVI) to which an IP address on the network is assigned. In routed mode, FTD routes between the BVI and regular routed interfaces.

Access rules in transparent firewall mode 

  • ARP is allowed by default and can be controlled with ARP inspection
  • IPv6 neighbour discovery is not allowed by default
  • Multicast and broadcast (RIP/OSPF/EIGRP) traffic not allowed by default
  • STP BPDU is allowed by default to prevent loop 

FTD Deployment Modes: IPS Only Mode

IPS only mode can be deployed in three ways. Let us understand each one of them more in detail. 

Inline Mode

Inline Mode (without tap): in inline mode, only two interfaces are connected in each inline pair. Whatever is received on either interface is inspected and then transmitted out the other interface without any MAC switching or IP routing. It functions like a wire with an inspection module in the middle.

This differs from transparent mode, where multiple interfaces may be placed in each bridge group, so that each bridge group behaves like a separate switch.

Inline with Tap Mode

In tap mode, however, the traffic itself is not inspected; a copy of it is. It is therefore not possible to drop intrusions in this mode, only to receive alerts. FTD makes a copy of each packet so it can analyse it. This is ideal when you want to fine-tune your intrusion policy and add the drop rules that best protect your network without affecting its throughput. Once you are ready to deploy FTD inline, you can disable tap mode.

Passive Mode

In this mode FTD is not physically inserted into the traffic path. A copy of the traffic is sent to the IPS using SPAN/RSPAN/ERSPAN.

Passive Span Mode

A passive interface monitors traffic flowing across the network using a switch SPAN or mirror port, which copies traffic from other ports on the switch. FTD cannot take actions such as blocking or shaping traffic in passive mode.

Passive ERSPAN Mode

Encapsulated Remote Switched Port Analyzer (ERSPAN) interfaces allow monitoring of traffic from source ports, using GRE to encapsulate the mirrored traffic. ERSPAN interfaces are allowed only in routed firewall mode.

Cisco ASA vs Cisco FTD: What is the difference between Cisco ASA & Cisco FTD (https://networkinterview.com/cisco-asa-vs-cisco-ftd/, Thu, 19 Sep 2024)

The Cisco Firepower Threat Defense (FTD) and Cisco Adaptive Security Appliance (ASA) are two types of security appliances that provide various features and capabilities to companies. These appliances were created with the intention of safeguarding businesses from cyber threats.

Today we look in more detail at their features and use cases, and compare Cisco ASA vs Cisco FTD, i.e. how they differ from each other.

What is Cisco ASA?

Cisco ASA is a network security appliance which provides firewall, VPN and intrusion prevention functionality. It adds extra layers of security through advanced threat protection and behaviour analysis. It can detect threats in real time and block them before they cause damage to the network. It is well suited to small and large enterprises and to both wired and wireless networks. It has high throughput and low latency.

Cisco ASA firewalls were designed to prevent external traffic from entering the network. ASA performs stateful inspection by saving session information so that when a valid response comes back, it can recognise and permit the traffic. In addition, they provide network address translation (NAT) and port address translation (PAT) for network protection.

[Figure: Cisco ASA architecture]

Features of Cisco ASA

  • Cisco ASA provides stateful tracking of packets generated from a higher security level to a lower security level
  • It can perform static routing, default routing and dynamic routing using the EIGRP, OSPF and RIP protocols
  • It can operate in routed mode, where it acts like a layer 3 device and needs a different IP address on each interface, or in transparent mode, where it operates at layer 2 and needs only a single IP address
  • It supports AAA services using a local database or an external server such as ACS
  • VPN support is also provided by the Cisco ASA firewall, such as point-to-point, IPsec VPN and SSL-based VPNs
  • Newer versions support IPv6 routing (static and dynamic)
  • It provides high availability for a pair of ASA firewalls
  • Advanced Malware Protection
  • The Modular Policy Framework supports policy definitions at the traffic-flow level

Use cases of Cisco ASA

  • VPN logging
  • Startup and running configuration change
  • TCP port scanning
  • Permitted / denied blacklisted source management 
  • Permitted/ denied blacklisted destination management 

What is Cisco FTD?

Cisco FTD is a high-end firewall appliance used to protect networks from intrusion attacks. It offers an extra layer of security to data centres and enterprises. Cisco FTD supports service level agreements (SLAs) with real-time in-service monitoring, analysis and control of the network, optimising the performance of mobile applications.

[Figure: Cisco FTD architecture]

Features of Cisco FTD

  • Continuous visibility across the attack landscape
  • Maintains data integrity and confidentiality of the enterprise network with out-of-band segmentation
  • Includes advanced threat prevention against malware, ransomware, phishing attacks and other exploits
  • Architecture to support multi-tenant deployments
  • Network protection from insider attacks using Cisco Identity Services Engine (ISE)

Use cases of Cisco FTD

  • Logging security events
  • Intrusion detection and prevention 
  • URL filtering
  • Malware protection 

Comparison: Cisco ASA and Cisco FTD

The table below summarizes the differences between the two types of network security appliances:

[Table image: Cisco ASA vs Cisco FTD comparison]


Final Words

The primary difference between Cisco FTD and ASA is that while ASA allows users to access VPN, IDS, IPS, anti-malware and anti-virus facilities, these amenities are absent in Cisco FTD. However, when it comes to performance, FTD is capable of replacing ASA with ease.

Cisco FTD Packet Flow Troubleshooting: Common Issues (https://networkinterview.com/cisco-ftd-packet-flow-troubleshooting/, Tue, 10 Sep 2024)

Troubleshooting Cisco FTD Packet Flow issues can be complex. Here is a summary of common Cisco FTD Packet Flow troubleshooting issues and the associated troubleshooting steps.

Cisco FTD Packet Flow Troubleshooting Issues

1. Access Control Policy Issues

  • Issue: Traffic is dropped due to incorrect or missing access control rules.
  • Troubleshooting:
    • Verify the access control policy using Firepower Management Center (FMC).
    • Use system support trace and packet-tracer to trace packet flow through policies.
    • Check the logs for denied or dropped traffic.

2. NAT Configuration Errors

  • Issue: Traffic fails due to incorrect or missing NAT rules.
  • Troubleshooting:
    • Review NAT rules in FMC.
    • Use packet-tracer to simulate packet flow through NAT.
    • Check show nat detail to inspect NAT rule matches and translations.

3. Routing Issues

  • Issue: Packets not reaching the destination due to routing misconfigurations.
  • Troubleshooting:
    • Verify the routing table using show route.
    • Use ping and traceroute to test network connectivity.
    • Ensure static or dynamic routing (e.g., OSPF, BGP) is properly configured.

4. Interface Configuration Issues

  • Issue: Traffic dropped due to interface misconfiguration or VLAN mismatches.
  • Troubleshooting:
    • Verify interface configurations using show interface and show vlan.
    • Ensure VLAN tagging is correct and matches the upstream switch configuration.
    • Use packet-tracer to confirm interface behavior.

5. Inspection Engine Blocking Traffic

  • Issue: Legitimate traffic dropped by FTD’s deep packet inspection engine (IPS, URL Filtering, Malware Protection).
  • Troubleshooting:
    • Review inspection settings in the FMC.
    • Check logs for inspection-related traffic drops.
    • Create bypass rules or tune inspection settings if false positives are identified.

6. SSL/TLS Decryption Issues

  • Issue: SSL/TLS traffic is dropped due to decryption issues.
  • Troubleshooting:
    • Review SSL policy configurations in FMC.
    • Check logs for SSL decryption failures.
    • Use packet captures (capture) to verify SSL traffic behavior.

7. High Availability (HA) Failover Issues

  • Issue: Traffic disruption during failover or synchronization issues in an HA environment.
  • Troubleshooting:
    • Check HA status with show failover and show failover history.
    • Ensure proper synchronization between HA members.
    • Use packet captures during failover events to analyze traffic flow.

8. Session Table Issues

  • Issue: Traffic dropped due to incorrect session handling or session table overflow.
  • Troubleshooting:
    • Check session entries with show conn.
    • Clear sessions if needed with clear conn.
    • Review session timeout settings and adjust if necessary.

9. VPN Configuration Issues

  • Issue: VPN tunnels fail to establish or traffic is dropped within the VPN.
  • Troubleshooting:
    • Verify VPN settings (phase 1/2) using show crypto ikev2 sa and show vpn-sessiondb.
    • Review logs for VPN negotiation failures.
    • Use packet-tracer to simulate VPN packet flow.

10. Licensing or Feature Activation Issues

  • Issue: Traffic blocked or features disabled due to expired licenses or unlicensed features.
  • Troubleshooting:
    • Verify licenses with show license.
    • Ensure that all necessary licenses (e.g., Threat, URL Filtering, Malware) are installed and valid.
    • Review logs for traffic blocked due to feature limitations.

11. Multicast Routing Issues

  • Issue: Multicast traffic not being forwarded due to incorrect multicast configuration.
  • Troubleshooting:
    • Verify multicast routing configurations with show igmp and show pim.
    • Ensure multicast traffic is routed correctly through the interfaces.
    • Use packet captures to analyze multicast traffic flow.

12. Policy Deployment Failures

  • Issue: Changes made in FMC are not deployed correctly to FTD devices.
  • Troubleshooting:
    • Check deployment status in FMC to ensure policies are applied.
    • Use system support diagnostic-cli to check the FTD device for errors.
    • Review the deployment log for errors or misconfigurations.

13. Latency and Performance Issues

  • Issue: Traffic delays or performance degradation due to excessive inspection or resource overload.
  • Troubleshooting:
    • Monitor resource utilization using show cpu usage and show memory.
    • Review inspection profiles and disable unnecessary features.
    • Use capture to analyze packet latency and response times.

14. Fragmentation Issues

  • Issue: Fragmented packets being dropped or mishandled.
  • Troubleshooting:
    • Adjust the Maximum Transmission Unit (MTU) on interfaces if necessary.
    • Use capture to analyze packet fragments.
    • Ensure fragmented packet handling is configured in the firewall policy.

15. Time Synchronization (NTP) Issues

  • Issue: NTP time synchronization issues causing logging and event correlation problems.
  • Troubleshooting:
    • Verify NTP configuration using show ntp and ensure synchronization is working.
    • Check logs for time drift issues.
    • Correct NTP server settings if necessary.

16. Logging and Monitoring Issues

  • Issue: Insufficient logging or missing events in logs, making troubleshooting difficult.
  • Troubleshooting:
    • Ensure logging is enabled for relevant access control and inspection rules.
    • Use show logging and review FMC to confirm logs are properly recorded.
    • Increase logging verbosity if needed for detailed analysis.

17. Threat Defense Rule Optimization Issues

  • Issue: Rules not optimized, leading to traffic being dropped or misrouted.
  • Troubleshooting:
    • Review rule order and optimization in the FMC.
    • Use system support trace to trace traffic and ensure it follows the intended path.
    • Reorder or refine rules to improve performance and accuracy.

These issues can typically be diagnosed using Cisco’s built-in tools like packet-tracer, capture, show conn, and system support trace, along with detailed analysis in Firepower Management Center.

Checkpoint Packet Flow Troubleshooting: Common Issues (https://networkinterview.com/checkpoint-packet-flow-troubleshooting/, Sun, 08 Sep 2024)

Troubleshooting Checkpoint Packet Flow issues can be complex. Here are common Checkpoint Packet Flow troubleshooting issues and steps to address them.

Checkpoint Packet Flow Troubleshooting Issues

1. Security Policy Misconfiguration

  • Issue: Traffic is dropped due to incorrect or missing security policies.
  • Troubleshooting:
    • Review security policies in the SmartDashboard.
    • Use the command fw monitor to see how packets traverse through policy layers.
    • Ensure that source, destination, services, and actions in policies are configured correctly.

2. NAT Misconfiguration

  • Issue: Traffic fails due to incorrect or missing NAT rules.
  • Troubleshooting:
    • Check NAT rules in the SmartDashboard.
    • Use fw monitor or tcpdump to verify that the NAT translation is happening as expected.
    • Ensure proper ordering of manual NAT rules and automatic NAT rules.

3. Routing Problems

  • Issue: Packets do not reach the destination due to routing issues.
  • Troubleshooting:
    • Check the routing table using netstat -rn or ip route show.
    • Verify that static or dynamic routing protocols (e.g., OSPF, BGP) are correctly configured.
    • Perform a traceroute from the firewall to the destination to check path availability.

4. Anti-Spoofing

  • Issue: Traffic is dropped due to Check Point’s anti-spoofing protection.
  • Troubleshooting:
    • Review anti-spoofing settings in the network interface settings.
    • Ensure that the interfaces’ networks and the anti-spoofing configuration match.
    • Use fw ctl zdebug + drop to identify if traffic is being dropped due to anti-spoofing.

5. Session Table Problems

  • Issue: Packets dropped due to session state issues or session table being full.
  • Troubleshooting:
    • Use fw tab -t connections -s to check the session table size and utilization.
    • Clear specific sessions using fw tab -x if necessary.
    • Review session timeouts and adjust if needed.

6. Inspection Module Drops

  • Issue: The firewall’s inspection engine drops traffic for security reasons.
  • Troubleshooting:
    • Review SmartLog and the fw ctl zdebug output to see inspection engine logs.
    • Ensure the inspection profiles are correctly configured (IPS, Application Control, etc.).
    • Disable or modify specific inspection rules if they are triggering false positives.

7. High Availability (ClusterXL) Issues

  • Issue: Traffic disruption due to HA failover or ClusterXL synchronization problems.
  • Troubleshooting:
    • Check ClusterXL status using cphaprob stat.
    • Ensure that synchronization between cluster members is healthy (cphaprob syncstat).
    • Use tcpdump to capture traffic during failover events.

8. Interface and VLAN Issues

  • Issue: Traffic may be dropped due to incorrect interface or VLAN configuration.
  • Troubleshooting:
    • Check interface and VLAN configurations in the SmartConsole and the Gaia portal.
    • Use tcpdump to verify that traffic is reaching the correct interface.
    • Ensure that VLAN tagging is properly configured on both firewall and connected devices.

9. Encryption/Decryption (VPN) Issues

  • Issue: VPN tunnels fail to establish or traffic is dropped inside the VPN.
  • Troubleshooting:
    • Verify VPN configuration for phase 1/2 settings (IKE and IPSec).
    • Use vpn tu to reset tunnels and verify their state.
    • Review logs for encryption and decryption errors.

10. IPS Blocking Legitimate Traffic

  • Issue: Legitimate traffic blocked due to IPS false positives.
  • Troubleshooting:
    • Review the IPS logs and check if legitimate traffic is flagged.
    • Add exceptions or tune IPS profiles to reduce false positives.
    • Use SmartEvent or SmartLog to analyze the specific attack signatures triggered.

11. Global Properties Misconfiguration

  • Issue: Traffic may be affected by incorrect global properties settings.
  • Troubleshooting:
    • Review global properties, such as NAT settings, logging, and session timeouts.
    • Ensure that the security settings are aligned with your network requirements.
    • Use fw ctl debug to see if global property settings are affecting traffic.

12. SecureXL and CoreXL Issues

  • Issue: Performance degradation due to incorrect configuration of SecureXL/CoreXL.
  • Troubleshooting:
    • Check SecureXL status using fwaccel stat to ensure acceleration is enabled.
    • Review CoreXL CPU distribution using fw ctl affinity -l -a.
    • Disable SecureXL temporarily (fwaccel off) to see if acceleration is causing the issue.

13. Multicast Traffic Issues

  • Issue: Multicast traffic not reaching its destination due to improper configuration.
  • Troubleshooting:
    • Ensure multicast routing is configured correctly using cphaprob -a if and IGMP settings.
    • Use tcpdump to monitor multicast traffic on relevant interfaces.
    • Verify that routing protocols like PIM are correctly set up if needed.

14. Licensing or Blade Activation

  • Issue: Features not functioning or traffic being blocked due to licensing issues.
  • Troubleshooting:
    • Verify licenses using cplic print or the SmartUpdate tool.
    • Ensure that all required security blades (e.g., IPS, Application Control) are activated.
    • Check SmartLog for traffic that might be blocked due to license limitations.

15. Fragmentation Issues

  • Issue: Large packets may be dropped due to improper handling of fragmented packets.
  • Troubleshooting:
    • Use fw ctl debug to monitor for packet fragmentation issues.
    • Check the Maximum Transmission Unit (MTU) settings on interfaces.
    • Enable fragmented packet handling in the global properties if necessary.

16. Secure Policy Installation Issues

  • Issue: New policies are not being installed or causing traffic issues after installation.
  • Troubleshooting:
    • Use the fw stat command to verify if the policy has been installed.
    • Review policy installation logs in SmartConsole.
    • Reinstall or recompile policies if needed using the “Install Policy” button in the SmartDashboard.

17. Logging and Monitoring Configuration

  • Issue: Insufficient logging or monitoring settings may prevent proper troubleshooting.
  • Troubleshooting:
    • Ensure logging is enabled on relevant rules and features (e.g., IPS, VPN, etc.).
    • Use SmartView Tracker or SmartLog for real-time log monitoring.
    • Increase log verbosity for deeper analysis of traffic issues.

Each of these common issues can be diagnosed with Check Point’s packet capture tools (tcpdump, fw monitor), session monitoring, and log analysis, allowing administrators to quickly pinpoint and resolve packet flow problems.

Fortigate Packet Flow Troubleshooting: Common Issues (https://networkinterview.com/fortigate-packet-flow-troubleshooting/, Fri, 06 Sep 2024)

Troubleshooting Fortigate Packet Flow issues can be complex. Here’s an overview of common Fortigate Packet Flow troubleshooting issues and steps to resolve them.

Fortigate Packet Flow Troubleshooting Issues

1. Incorrect Firewall Policies

  • Issue: Traffic is dropped due to misconfigured firewall policies.
  • Troubleshooting:
    • Verify that policies are correctly configured for source, destination, and services.
    • Check policy order and make sure no unintended policy is overriding the expected rule.
    • Use the command diagnose firewall proute list to check the routing of packets through policies.

2. NAT Misconfigurations

  • Issue: Traffic fails due to incorrect or missing NAT configurations.
  • Troubleshooting:
    • Check NAT rules with diagnose firewall iprope lookup.
    • Confirm source and destination NAT configurations.
    • Use packet capture (diagnose sniffer packet any) to confirm whether traffic is being translated correctly.

3. Routing Issues

  • Issue: Traffic doesn’t reach the destination due to routing misconfigurations.
  • Troubleshooting:
    • Verify the routing table with get router info routing-table all.
    • Use traceroute or ping to confirm reachability to the destination.
    • Check static and dynamic routing configurations (OSPF, BGP).

4. Session Handling

  • Issue: Sessions may fail due to timeouts or not being properly cleared.
  • Troubleshooting:
    • List sessions using diagnose sys session list.
    • Clear specific sessions using diagnose sys session clear.
    • Ensure session TTL (time-to-live) values are correctly set and not too aggressive.

5. Zone and Interface Mismatch

  • Issue: Traffic dropped due to incorrect interface or zone configurations.
  • Troubleshooting:
    • Verify interface assignments and zone configuration.
    • Use the command diagnose netlink brctl name list to check zone interface mappings.

6. SSL/TLS Decryption Issues

  • Issue: Misconfigured SSL/TLS decryption profiles leading to traffic drop.
  • Troubleshooting:
    • Check SSL/SSH inspection profile and confirm if traffic is being inspected as expected.
    • Analyze logs and packet captures to verify if decrypted traffic is handled correctly.
    • Review the certificate configuration for any mismatches or invalid certificates.

7. DNS Misconfigurations

  • Issue: Incorrect DNS settings can prevent the firewall from resolving domain names.
  • Troubleshooting:
    • Verify DNS server settings using get system dns.
    • Ensure that DNS servers are reachable and properly configured.
    • Check logs for DNS query failures.

8. High Availability (HA) Failover Issues

  • Issue: Traffic disruption during HA failover or improper HA synchronization.
  • Troubleshooting:
    • Verify HA status using get system ha status.
    • Check HA synchronization logs and event history for any failover issues.
    • Monitor traffic during failover events with packet captures.

9. IPS Blocking Legitimate Traffic

  • Issue: False positives in IPS (Intrusion Prevention System) may block legitimate traffic.
  • Troubleshooting:
    • Review IPS logs for blocked traffic patterns.
    • Create exceptions for legitimate traffic in the IPS profile.
    • Tune IPS signatures to reduce false positives.

10. Session Helpers (VoIP, FTP, etc.)

  • Issue: Incorrect session helper configuration can cause issues with specific protocols (e.g., VoIP, FTP).
  • Troubleshooting:
    • Check session helper configuration with show system session-helper.
    • Disable session helpers if causing issues and configure specific policies instead.
    • Review logs for protocol-specific traffic drops.

11. VLAN Misconfigurations

  • Issue: Traffic dropped due to incorrect VLAN tagging or trunk configuration.
  • Troubleshooting:
    • Verify VLAN settings with diagnose netlink vlan.
    • Ensure proper tagging on both FortiGate and connected switches.
    • Use packet captures to see if traffic is being tagged or dropped.

12. Licensing and Feature Restrictions

  • Issue: Traffic blocked due to expired licenses or disabled features (e.g., antivirus, web filtering).
  • Troubleshooting:
    • Verify license status using get system status.
    • Ensure all necessary features (web filtering, antivirus, etc.) are licensed and active.
    • Review logs for license-related blocking events.

13. IPSec VPN Issues

  • Issue: IPSec tunnels may not establish or drop traffic due to misconfigurations.
  • Troubleshooting:
    • Verify VPN settings and phase 1/phase 2 configuration.
    • Use diagnose vpn tunnel list to check the status of VPN tunnels.
    • Check logs for any negotiation or key exchange failures.

14. Traffic Shaping or Bandwidth Management Issues

  • Issue: Traffic might be limited or dropped due to traffic shaping rules.
  • Troubleshooting:
    • Verify traffic shaping policies with diagnose firewall shaper traffic-log.
    • Adjust bandwidth limits or create new shaping policies for critical traffic.

15. Multicast/Unicast Forwarding Issues

  • Issue: FortiGate might drop multicast or broadcast traffic if not configured correctly.
  • Troubleshooting:
    • Verify multicast routing configuration using get router info multicast.
    • Ensure proper multicast forwarding or IGMP settings.
    • Use packet captures to analyze multicast traffic flow.

Each of these issues can be diagnosed using FortiGate’s packet capture tools, session monitoring, and log analysis. Knowing where to look in the FortiGate system is key to efficiently troubleshooting packet flow problems.

IPSec VPN Configuration: Fortigate Firewall https://networkinterview.com/ipsec-vpn-configuration-fortigate-firewall/ Tue, 03 Sep 2024 12:55:28 +0000

Objectives
  • IPSec
  • IKE
  • Site to Site VPN between two FortiGate Sites
  • Phase I and Phase II Parameters
  • Tunnel Configuration
  • Troubleshooting Commands

 

IPSec VPN Configuration: Fortigate Firewall

IPsec: It is a vendor-neutral security protocol suite which is used to link two different networks over a secure tunnel. IPsec provides encryption, data integrity and confidentiality.

IPsec is a suite of protocols which includes IKE.

IKE is used to authenticate both remote parties, exchange keys, and negotiate the encryption and checksum algorithms used in the VPN tunnel. IKE uses UDP port 500, and UDP port 4500 when crossing a NAT device.

IKE allows the two remote parties involved in a transaction to set up a Security Association.

Security Associations are the basis for building security functions into IPsec. IPsec parameters such as the encryption algorithm, authentication method, hash algorithm and pre-shared key must be identical on both peers to build a security association.

 

Site To Site VPN Between FortiGate FWs

Phase I and Phase II Parameters are:

 

Firewall-1: check the internal interface IP addresses and the external IP addresses

IPSec VPN Configuration Site-I

Follow the steps below to create the VPN tunnel at Site-I:

1. Go to VPN > IPsec Wizard

2. Select VPN Setup and set the Template Type to Site to Site

3. Name – specify the VPN tunnel name (Firewall-1)

4. Set the address of the remote gateway's public interface (10.30.1.20)

5. Egress interface (Port 5)

6. Enter the pre-shared key. The pre-shared key is used to authenticate both parties and must be the same on both sides.

7. Select the IKE version used to negotiate Phase I and Phase II

8. Mode of VPN – Main mode/Aggressive mode. Main mode is the recommended key-exchange method because it hides the identities of the peer sites during the key exchange.

9. Encryption method – it must be identical on both peers. The encryption method provides end-to-end confidentiality for the VPN traffic.

10. Authentication method – it must be identical with the remote site. The authentication method verifies the identity of the peer, which means the traffic is coming from the correct peer and there is no man-in-the-middle attack.

11. DH Group – must be identical with the remote peer (DH-5). Diffie-Hellman is a key exchange protocol which creates a secure channel by exchanging public keys to derive the master key.

12. Key Lifetime – it defines when re-negotiation of the tunnel is required. The key lifetime should be identical on both sides; if the key lifetimes mismatch, it may lead to tunnel flapping.

VPN Phase-II

13. Add Phase II proposals

14. Select Encryption method AES256

15. Select Authentication method SHA1

16. Enable Anti-Replay Detection. Anti-replay is an IPsec security mechanism at the packet level which helps prevent an intruder from capturing an ESP packet and replaying or modifying it.

17. PFS (Enable Perfect Forward Secrecy) – must be enabled at both peers

18. DH Group – select 5

19. Key lifetime for Phase II

Phase II Selector

20. Specify the local LAN subnet that will communicate once the VPN is established

21. Specify the remote-end LAN subnet

Create Static Route towards VPN Tunnel Interface

22. Static Route

23. Local LAN subnet going via the tunnel interface To-FG-2

24. Allocate the tunnel interface

25. Assign administrative distance 10 (static routes)

Create the VPN policy for interesting traffic and allow ports according to requirement

26. Assign a name to the policy in the IPv4 Policy tab

27. The incoming interface is the Inside zone/interface and the outgoing interface is the tunnel interface

28. Source address, which will be 80.25.0/24

29. Destination address will be the remote site's local LAN subnet 10.100.25.0/24

30. Services/protocol – select ALL, or select specific services such as FTP/HTTP/HTTPS

31. Set the action to Accept

32. NAT is OFF and Protocol Options are default

33. Basic Anti-Virus and Basic Application Control are enabled

34. SSL certificate inspection is enabled under SSL Inspection; this is completely optional

35. Enable all session logs

36. Add a policy comment and enable the policy

37. Select OK

 

** If required, create a reverse (cloned) policy for the connection to allow bi-directional traffic.

With steps 1 to 37, the VPN configuration is complete for Firewall-1/Site-1.
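For reference, the Site-I tunnel built above expressed in the FortiOS CLI. This is an added example and not configuration taken from the original article: the inside interface port3, the address object names Local-LAN and Remote-LAN, the tunnel name To-FG-2 and the lifetimes are assumptions, and the values in angle brackets are placeholders.

```fortios
# Address objects used by the policy (names are assumptions). The article's local
# subnet value is incomplete, so it appears here only as a placeholder.
config firewall address
    edit "Local-LAN"
        set subnet <LOCAL_LAN_NETWORK> <LOCAL_LAN_MASK>   # placeholder
    next
    edit "Remote-LAN"
        set subnet 10.100.25.0 255.255.255.0              # remote site LAN (step 29)
    next
end

# Phase I (steps 3 to 12): every value here must match Firewall-2 exactly
config vpn ipsec phase1-interface
    edit "To-FG-2"
        set interface "port5"           # egress interface (step 5)
        set ike-version 1               # step 7
        set mode main                   # main mode hides peer identities (step 8)
        set remote-gw 10.30.1.20        # remote gateway public IP (step 4)
        set proposal aes256-sha1        # encryption + authentication (steps 9, 10)
        set dhgrp 5                     # DH group 5 (step 11)
        set keylife 86400               # Phase I lifetime in seconds, assumed (step 12)
        set psksecret <PRE_SHARED_KEY>  # placeholder; identical on both peers (step 6)
    next
end

# Phase II (steps 13 to 21): proposal, anti-replay, PFS and traffic selectors
config vpn ipsec phase2-interface
    edit "To-FG-2-P2"
        set phase1name "To-FG-2"
        set proposal aes256-sha1        # AES256 / SHA1 (steps 14, 15)
        set replay enable               # anti-replay detection (step 16)
        set pfs enable                  # perfect forward secrecy (step 17)
        set dhgrp 5                     # step 18
        set keylifeseconds 3600         # Phase II lifetime, assumed (step 19)
        set src-subnet <LOCAL_LAN_NETWORK> <LOCAL_LAN_MASK>   # step 20
        set dst-subnet 10.100.25.0 255.255.255.0              # step 21
    next
end

# Static route (steps 22 to 25): the remote LAN is reached via the tunnel interface
config router static
    edit 0
        set dst 10.100.25.0 255.255.255.0
        set device "To-FG-2"
        set distance 10                 # administrative distance (step 25)
    next
end

# Policy for interesting traffic (steps 26 to 37): inside -> tunnel, NAT off
config firewall policy
    edit 0
        set name "Site-I-to-Site-II"
        set srcintf "port3"             # inside interface, assumed
        set dstintf "To-FG-2"
        set srcaddr "Local-LAN"
        set dstaddr "Remote-LAN"
        set action accept
        set schedule "always"
        set service "ALL"               # or specific services such as FTP/HTTP/HTTPS (step 30)
        set nat disable                 # step 32
        set logtraffic all              # step 35
        set comments "IPsec policy to Site-II"
    next
end
```

A mirror policy with srcintf To-FG-2 and dstintf port3 is needed for sessions initiated from Site-II, and Firewall-2 receives the same configuration with the local and remote values swapped.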

 

Let's move to Firewall-2/Site-II

  • Check the internal and external interface IP addresses and ports

IPSec VPN Configuration Site-II

Repeat steps 1 to 22 to complete the VPN configuration on Firewall-2.

  • Monitor the VPN traffic status in the IPsec Monitor tab for further troubleshooting.

Troubleshooting Commands

Run the debug and basic troubleshooting commands below if the tunnel status is not shown in the IPsec Monitor tab.

Debug commands:

# diag vpn tunnel list
# diag vpn ike filter clear
# diag vpn ike log-filter dst-addr4 x.x.x.x    <----- remote peer public IP

# diag debug application ike -1
# diag debug console timestamp enable
# diag debug enable

Initiate the connection and try to bring up the tunnel from the GUI (VPN -> IPsec Monitor -> Bring Up), or from the CLI:

# diagnose vpn tunnel up "vpn_tunnel_name"    <----- check the Phase I packets

Disable the debug to stop the output:

# diag debug disable
# diag debug reset

 

Continue Reading:

Routing Configuration in FortiGate Firewall: Static, Dynamic & Policy Based

Types of Firewall: Network Security

FortiGate NAT Policy: Types & Configuration https://networkinterview.com/fortigate-nat-policy-types-configuration/ Tue, 03 Sep 2024 09:50:32 +0000

NAT-Network Address Translation

NAT is a process that enables a single device, such as a firewall or router, to act as an agent between the Internet (public network) and the LAN (private segment).

NAT is usually used for the reasons below:

  • It improves security, as addresses behind the NAT device are virtually hidden
  • It provides a public IP address for private IP addresses to make traffic routable

** In the FortiGate firewall we can apply NAT directly in the policy without creating a separate NAT policy.

FortiGate NAT

FortiGate provides below NAT features in the Firewall:

  1. SNAT
  2. DNAT
  3. PAT

FortiGate NAT Modes  

Firewall Policy NAT – SNAT and DNAT are configured within firewall policies. SNAT uses the outgoing interface IP address of the firewall as the source address; DNAT uses a configured VIP.

Central NAT – SNAT and DNAT are configured per VDOM (virtual domain):

  • SNAT rule is implemented from central SNAT Policy
  • DNAT is configured from DNAT and VIPs

Firewall Policy NAT

We can configure firewall policy NAT in two different ways:

  1. Use outgoing interface as a NAT IP address
  2. Use predefined pool (dynamic pool)

Firewall policies can be configured using the types of NAT below:

  1. Static SNAT
  2. Dynamic SNAT

Static SNAT

In Static SNAT all internal IP addresses are translated to a single public IP address by using multiple source ports.

E.g.

10.10.10.1-> source port 1110-> NAT IP address 172.16.100.1:5001

10.10.10.2-> source port 1111-> NAT IP address 172.16.100.1:5002

10.10.10.3->source port 1112->NAT IP address 172.16.100.1:5003

How to configure Static SNAT

1. Create a security policy -> IPv4 Policy

2. Fill in the details in the policy tab; add the source address/subnet

3. Add the destination address/subnet

4. Add the service/port

5. Set the action to Accept

6. Select NAT ON and select Use Outgoing Interface Address

Dynamic SNAT

Dynamic SNAT maps private IP addresses to an IP pool of public IPs.

4 types of IP pool are available in the FortiGate firewall.

Overload

It contains more than one public IP address. Internal IP addresses use the available addresses from the public pool to exit the firewall. Source and destination ports are mapped from 1024 to 65533.

Configure Overload Dynamic SNAT

1. Create an IP pool for the public IP addresses >> Go to Policy & Objects

2. Name the pool and select type >> Overload

3. Select the pool subnet IP or range

4. Apply the pool in the security policy

5. Select NAT ON >> IP Pool Configuration: Use Dynamic IP Pool

6. Choose the overload pool >> NAT_POOL

One-to-One Dynamic SNAT

It means there is a one-to-one match of each internal IP address with an external IP address, for example:

10.10.1.1>>>172.168.1.1

10.10.1.2>>>172.168.1.2

10.10.1.3>>>172.168.1.3

If there are 100 users in a LAN for which one-to-one SNAT is used, we would require a range of 100 public IPs.

Fixed Port Range

In Fixed Port Range we need to specify the internal/LAN IP address range. Here we can define both the internal and the external (public) IP ranges.

FortiGate then calculates a port range for each combination of source IP address range and translated IP address range.

  1. Create NAT_POOL for Fixed Port Range
  2. Select type Fixed Port Range
  3. Add External IP Range
  4. Add Internal IP range detail

Apply the pool in the security policy.
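The three pool types and the two firewall-policy NAT styles described above, written out in the FortiOS CLI. This is an added example rather than the article's own configuration: port2 (inside), port1 (outside), the address object Inside-LAN and the public addresses beyond those quoted in the article are assumptions.

```fortios
# IP pools (Policy & Objects > IP Pools). The 172.16.100.x values follow the article;
# the one-to-one range reuses its 172.168.1.1-3 example, which is not a private range.
config firewall ippool
    edit "NAT_POOL"
        set type overload               # many internal hosts share these IPs via PAT
        set startip 172.16.100.1
        set endip 172.16.100.2          # assumed second address
    next
    edit "NAT_POOL_1to1"
        set type one-to-one             # one public IP per internal host: pool size = host count
        set startip 172.168.1.1
        set endip 172.168.1.3
    next
    edit "NAT_POOL_FPR"
        set type fixed-port-range       # port range derived per internal-to-external pair
        set startip 172.16.100.10       # external (public) range, assumed
        set endip 172.16.100.11
        set source-startip 10.10.10.1   # internal (LAN) range
        set source-endip 10.10.10.254
    next
end

config firewall address
    edit "Inside-LAN"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# Policies are matched top-down, so the pool-based policy must sit above the
# catch-all interface-address policy or it will never be hit.
config firewall policy
    edit 0
        set name "Dynamic-SNAT-Overload"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Inside-LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable                  # NAT ON
        set ippool enable               # Use Dynamic IP Pool
        set poolname "NAT_POOL"         # choose the overload pool
    next
    edit 0
        set name "Static-SNAT-Interface"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable                  # NAT ON with Use Outgoing Interface Address (static SNAT)
    next
end
```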

Central NAT

Before discussing Central NAT, we should know about VIP objects.

A VIP is a DNAT object used for session mapping. VIP means the destination address is translated, i.e. the public IP address is translated to the local server IP address.

The default VIP type is static NAT. Static NAT is a one-to-one mapping which applies to incoming and outgoing connections (bi-directional).

** The VIP address must be routable from the external side so that return traffic reaches it.

By default, Central NAT is disabled in the firewall. Two types of options are provided with central NAT:

  1. Central SNAT
  2. DNAT and Virtual IP

 

Central NAT can only be configured in policy-based Firewall mode.

Central SNAT

Central SNAT gives us more granular control to customise the policy: we can select the exit interface, the ingress IP, or specify the source port or destination port as per requirement. Once a policy match happens, the source/destination address is translated as per the NAT criteria configured in the Central SNAT policy.

Prerequisites to define Central SNAT policy

  • Configure IP Pool/interface IP address (outgoing IP)
  • Configure NAT policy

First, enable central NAT on the firewall from the CLI.

The policy will be matched using the criteria below:

  • Source Interface -> Inside
  • Destination outgoing Interface-> Outside
  • Source address-> 192.168.2.0/24
  • Destination address-> wildcard.dropbox.com
  • Protocol/application port-> any
  • Source port-> any
  • Outgoing IP address/translated IP address -> 172.16.100.100/32

Central DNAT & VIP

Additionally, in the firewall, VIPs are used as the destination address in a security policy. On FortiGate you configure DNAT and VIPs for destination NAT. As soon as you configure a VIP, it automatically creates a rule in the kernel to allow DNAT.

As we all know, destination NAT means traffic from the outside world reaches internal servers or services by using the public IP address of the server.

Prerequisites to configure DNAT with VIP

  • External IP address (external user)-> 1.2.3.1
  • Internal Local server IP which is mapped to external IP -> 192.168.1.50
  • Forwarding port-> 25 (source side)
  • Translated port-> 25

After creating DNAT and Virtual IP you only need to create a policy as per your requirement.
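The central NAT pieces described above (enabling central NAT, the central SNAT policy with the listed criteria, and the DNAT VIP for port 25) combined in one FortiOS CLI example. This is added here and is not the article's own configuration: port2/port1 stand in for the Inside/Outside interfaces, the address object Inside-LAN, the pool Central-Pool and the policy names are assumptions, and the destination criterion is left as all because the article's wildcard FQDN object is not reproduced here.

```fortios
# 1. Enable central NAT (disabled by default). From now on source NAT is decided by
#    the central SNAT table rather than by the NAT option inside each policy.
config system settings
    set central-nat enable
end

# 2. Translated source address 172.16.100.100/32 as a single-address overload pool
config firewall ippool
    edit "Central-Pool"
        set type overload
        set startip 172.16.100.100
        set endip 172.16.100.100
    next
end

config firewall address
    edit "Inside-LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# 3. Central SNAT policy for the criteria listed above. Protocol and source port are
#    left at their defaults, i.e. any.
config firewall central-snat-map
    edit 1
        set srcintf "port2"             # Inside
        set dstintf "port1"             # Outside
        set orig-addr "Inside-LAN"      # 192.168.2.0/24
        set dst-addr "all"              # the article restricts this to the Dropbox wildcard object
        set nat enable
        set nat-ippool "Central-Pool"   # translated IP 172.16.100.100
    next
end

# 4. DNAT with a VIP: external 1.2.3.1 tcp/25 -> internal mail server 192.168.1.50:25.
#    Creating the VIP installs the translation; a policy is still needed to allow it.
config firewall vip
    edit "SMTP-VIP"
        set extip 1.2.3.1
        set extintf "port1"
        set mappedip "192.168.1.50"
        set portforward enable
        set protocol tcp
        set extport 25                  # forwarding port (external side)
        set mappedport 25               # translated port
    next
end

# 5. Inbound policy: the VIP is the destination address, and in central NAT mode the
#    policy itself carries no NAT setting.
config firewall policy
    edit 0
        set name "Inbound-SMTP"
        set srcintf "port1"
        set dstintf "port2"             # interface toward the server, assumed
        set srcaddr "all"
        set dstaddr "SMTP-VIP"
        set action accept
        set schedule "always"
        set service "SMTP"              # built-in service object for tcp/25
        set logtraffic all
    next
end
```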

That’s it.

Continue Reading:

FortiGate Firewall Policy: Rules, Types & Configuration

FortiGate VDOM Configuration: Complete Guide

FortiGate UTM (Unified Threat Management) https://networkinterview.com/fortigate-utm-unified-threat-management/ Sat, 10 Aug 2024 15:00:46 +0000

UTM-Unified Threat Management

UTM (Unified Threat Management) is a firewall feature in which multiple security profiles are combined to provide protection from threats and attacks. These features include antivirus, web filtering, IPS, anti-spam, etc.

UTM is the consolidated solution for an organisation against attacks and malicious traffic. In other words, UTM is a capsule of multiple security features.

FortiGate UTM Profiles

Let’s discuss FortiGate UTM profiles one by one.

Anti-Virus Profile

Antivirus Scanning Modes

FortiGate Antivirus is used to detect viruses in traffic or files. FortiGate uses several techniques to detect viruses. These detection techniques include:

  1. Anti-Virus Scan: This is the simplest and fastest way to detect malware. It detects viruses that are an exact match for a signature in the antivirus database.
  2. Grayware Scan: This scan detects unsolicited programs, known as grayware, that have been installed without the user's knowledge or consent. Grayware is not technically a virus; it is bundled software which produces unwanted side-effects on the network or system.
  3. Machine Learning AI Scan: It tests for the possibility of attacks such as zero-day attacks. Zero-day attacks use malware that is new and unknown and hence has no existing signatures. If your network is a frequent target, enabling the AI scan may be worth the performance cost because it helps you detect attacks in the network.

Antivirus can operate in flow-based or proxy-based inspection mode. Both inspection modes use the full AV database.

Flow-based Scanning Mode

In this mode the antivirus engine inspects the payload of each packet and caches the real packet, then forwards the packet to the receiver. It consumes more CPU than other modes.

If a virus is detected in a TCP session after some packets have already been forwarded to the receiver, FortiGate resets the connection and does not send the last piece of the file. The receiver has received most of the file, but the file is truncated and cannot be opened.

If an attacker tries to re-send the file to the user, the FortiGate firewall blocks the connection.

Proxy-based Inspection Mode

In this mode each protocol proxy picks up the connection and buffers the entire file first. Clients must wait for the scanning to finish.

If a virus is detected, a block replacement page is displayed. Because FortiGate must buffer the whole file before scanning, scanning takes longer. Proxy-based scanning also allows stream-based scanning, which is enabled by default. Stream-based scanning scans large archive files by decompressing, extracting and scanning the files at the same time, which optimises memory use. Viruses can be detected in the middle of the scan or at the end of the scan.

Configuring Anti-Virus Profile and Policy

  • Create Anti-virus Profile
    1. Go to the Security Profiles tab
    2. Select AntiVirus profile
    3. Create a new profile named ANTIVIRUS
    4. Select the scan mode (Proxy/Full or Flow/Quick)
    5. Select the action if a virus is detected: Block blocks the file; Monitor generates an alert for the virus file.
    6. Select OK

 

  • Apply Anti-Virus Profile to Security Policy

    1. Create Internet Policy, Go to IPV4 Policy TAB
    2. Add Policy NAME- Antivirus Policy
    3. Go to the Security Profile section in Internet Policy and add ANTIVIRUS profile which is created above.
    4. Select OK.

 

Now every file in traffic going to the Internet is parsed by the antivirus engine and the configured action is taken.

Web-Filter Profile

Web filtering is the FortiGate feature that controls web traffic through the firewall using block or allow actions.

It uses two inspection modes for URL traffic:

  1. Flow Based: The default inspection mode, faster than proxy mode.
  2. Proxy Based: FortiGate buffers the traffic and examines it as a whole. It works as an intermediary between the client and the web server.

Further, the NGFW modes are also used in the web-filtering configuration. These modes are:

Profile-based Mode:

It requires application control and web-filter profiles, which are applied to the firewall policy. It uses flow-based OR proxy-based inspection.

Policy-based Mode:

Application control and web filtering are applied directly in the firewall policy. It does not require separate Application Control OR Web Filtering profiles.

Web filtering controls and manages the sites people visit. This includes preserving employee productivity, preventing network congestion by blocking malicious and unauthorised URLs, and preventing exposure of confidential data by scanning web URLs.

Configure Web-Filtering Profile 

  1. Go to Security Profile
  2. Select Web Filter
  3. Create new Web Filter with name Web-Filter-Profile-1
  4. Create a FortiGuard category-based filter and select custom categories.
  5. Select any category you wish to block/allow/monitor. Here the Potentially Liable category is blocked manually.
  6. Select ok

Apply Web-Filter Profile in Security Policy

  1. Create Security policy to apply web-filtering. Go to IPV4 Policy.
  2. Create New policy name Internet-Policy-With-Webfilter
  3. Assign incoming and outgoing interfaces.
  4. Add source address
  5. Add destination address
  6. Add services
  7. Select action as Accept
  8. Go to Security Profiles and select Web Filter TAB. Select the web filtering profile which we have created above. And select OK. That’s it

IPS – Intrusion Prevention System Profile

We should implement IPS in our network to protect it from intrusion. IPS in FortiGate uses signature databases to detect anomalies and attacks. The purpose of the IPS filter is to protect the inside network from outside threats. Protocol decoders can also detect network errors and protocol anomalies. The IPS engine can cover:

  • Antivirus 
  • Web Filter
  • Email Filter
  • Application Control

IPS Signature Updates

FortiGuard updates the IPS signatures and decoders with new signatures, so that the IPS engine remains effective against new exploits. Regular or customised update schedules are configured on the FortiGate to fetch IPS signatures periodically.

The default update setting is Automatic. Please refer to the image below to check the IPS update settings in the FortiGate firewall.

After FortiGate downloads the FortiGuard package, the new signatures appear in the signature list. When configuring FortiGate you can change the action setting for each signature; however, the default action setting is usually correct except in a few cases. We can create custom signatures with the help of the FortiGate DevOps team to parse custom applications. Sometimes a false-positive alert triggers in the FortiGate IPS; you can enable/disable the signature as required. Moreover, the FortiGate support team can modify a false-positive signature once you report the error on the support portal.

IPS Sensors

IPS sensors contain a list of signatures in a profile, which is later called in the security policy. There are two ways to configure IPS sensors:

  1. Select the signatures individually; once you select a signature from the list, it is added to the sensor.
  2. Add signatures to the IPS profile by applying a filter. FortiGate adds all the signatures that match the filter to the profile.

Configure IPS Profile in FortiGate Firewall

  1. Go to Security Profiles
  2. Select Intrusion Prevention
  3. Create a new profile. Here we have created IPS Profile-1
  4. Add Signature based IPS profile. Signature base means we can select signature from database of FortiGate IPS and add it into a single profile
  5. Add filters in the profile and select a list of signatures from database.
  6. Add signatures in the profile and apply it to the newly created Profile.

Apply IPS-Profile in Firewall Policy

  7. Now apply the IPS profile in a firewall policy. Go to the IPv4 Firewall Policy tab and add the policy parameters to which the IPS profile applies, such as source IP address, destination IP address and services or ports.

  8. Go to the Security Profiles section in the firewall policy and add IPS Profile-1

  9. Select OK to apply the parameters in the policy.

DOS Policy Configuration in FortiGate

DoS (Denial of Service) is a packet-based attack which consumes infrastructure resources and makes them unavailable to legitimate traffic/users.

To block DoS attacks we can apply a DoS policy on the FortiGate, which sits between the attacker and all the resources you want to protect. DoS filtering is done early in the packet handling process and is handled by the kernel.

Let's discuss the types of DoS attack before implementing a DoS policy in the FortiGate firewall:

  1. TCP SYN Flood: The victim is flooded with incomplete TCP/IP connections, which fill the connection table of the device and make it unavailable for legitimate users.
  2. ICMP Sweep: A flood of ICMP traffic is sent to the target device. All of the victim's resources become busy responding to the ICMP traffic, which makes it unavailable for genuine users.
  3. TCP Port Scan: The attacker sends TCP/IP connections to identify open ports in the network. The attacker then exploits those ports and hampers network services.

Apply DOS Policy in FortiGate

  1. Go to IPv4 DoS Policy
  2. Create a new policy; here we have named it DOS-Protection-1
  3. Specify the source and destination address and the incoming interface
  4. Specify the service or port
  5. Block/disable L3 anomalies
  6. Select the source/destination session
  7. Enable or disable the DoS sessions and apply the policy to the incoming interface.
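The DoS policy steps above in FortiOS CLI form, as an added example that is not taken from the article. port1 as the incoming WAN-facing interface and the thresholds are assumptions; the three anomaly names correspond to the attack types listed above.

```fortios
# DoS policy: evaluated in the kernel before the regular firewall policies
config firewall DoS-policy
    edit 1
        set comments "DOS-Protection-1"
        set interface "port1"           # incoming (WAN-facing) interface, assumed
        set srcaddr "all"
        set dstaddr "all"               # protected resources; narrow to the servers behind port1
        set service "ALL"
        config anomaly
            # SYN packets from one source above the rate are dropped
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000      # packets per second, assumed
            next
            # ICMP echo requests from one source to many hosts
            edit "icmp_sweep"
                set status enable
                set log enable
                set action block
                set threshold 100       # assumed
            next
            # One source probing many TCP ports on a host
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 1000      # assumed
            next
        end
    next
end
```

Blocked anomalies appear in the anomaly log with the anomaly name, so the thresholds can be tuned against real traffic before leaving the action at block.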

Application Control in FortiGate

  • Application control detects applications that transfer data over the network using any port. Application control takes appropriate action on the application traffic to stop any malicious attack.
  • Application control detects application traffic such as Google Talk, Facebook chat, Gmail hangouts, etc.
  • These applications work on port 443, the web-browsing port, so a firewall acting as an L4 device is not able to check whether the traffic is legitimate or carries malicious content.
  • As we all know, port 443 carries normal browsing traffic but also application traffic such as BitTorrent. Application control can differentiate the traffic based on the application that generates it and block it as per the policy configured in the firewall.
  • Application control can be configured flow-based or policy-based in the firewall. It performs a traffic scan which compares traffic to known application patterns.
  • It detects peer-to-peer applications. P2P traffic uses a distributed architecture to forward traffic in the network.
  • Traditional client-to-server architecture uses client-to-server communication over a simple port number, which can easily be blocked by a firewall policy.
  • Peer-to-peer downloads divide each file among multiple peers and use dynamic ports to transfer the data. Hence it is very difficult to identify the traffic and block it at the firewall level based on port alone.

Application Control Signatures

FortiGuard subscription is required to download and enable application control signatures in the firewall. These signatures parse the traffic and scan dynamic application ports in the content.

Configure Application Control Policy

  1. Go to Application Control
  2. Create new Application control profile
  3. Select the category or application which you want to block; for example, Proxy and P2P applications are blocked in the image below.
  4. Select OK

You can add application signatures by selecting the Add Signatures tab in Application Overrides.

Apply Application Control Profile in the Policy

  1. Go to IPV4 Policy
  2. Enable Application Control and select the above created profile.
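How the profiles created in this article (ANTIVIRUS, Web-Filter-Profile-1 and IPS Profile-1) are attached to a single firewall policy, with the IPS sensor defined by a severity filter as in step 5 of the IPS section, written in the FortiOS CLI. This is an added example, not the article's configuration: port2/port1, the address object Inside-LAN and the application profile name App-Control-Profile are assumptions.

```fortios
# Filter-based IPS sensor (IPS Profile-1): one entry selects every signature whose
# severity is high or critical and blocks it. Individual signatures can be added as
# further entries with "set rule <signature-id>".
config ips sensor
    edit "IPS Profile-1"
        set comment "Block high and critical severity signatures"
        config entries
            edit 1
                set severity high critical
                set status enable
                set action block
                set log enable
            next
        end
    next
end

config firewall address
    edit "Inside-LAN"
        set subnet 192.168.2.0 255.255.255.0   # constructed sample subnet
    next
end

# Outbound Internet policy carrying all four UTM profiles. Flow inspection mode
# fits flow-based profiles; profiles created in proxy mode need inspection-mode proxy.
config firewall policy
    edit 0
        set name "Internet-Policy-With-UTM"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Inside-LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode flow
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"   # built-in profile; deep inspection is optional
        set av-profile "ANTIVIRUS"
        set webfilter-profile "Web-Filter-Profile-1"
        set ips-sensor "IPS Profile-1"
        set application-list "App-Control-Profile"     # assumed name of the profile created above
        set logtraffic all
        set nat enable
    next
end
```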

Continue Reading:

Fundamentals of FortiGate Firewall: Essential Guide

NGFW vs UTM

Fundamentals of FortiGate Firewall: Essential Guide https://networkinterview.com/fundamentals-of-fortigate-firewall/ Sat, 10 Aug 2024 14:59:52 +0000

FortiGate fundamentals and principles involve a high-security infrastructure and provide a secure set-up to the client. The FortiGate firewall is the most respected and widely used security product in the market. It uses artificial intelligence and machine learning to achieve the latest security targets.

Fortinet covers many technologies within a single umbrella such as VPN, UTM, Security Profiles, FortiManager, FortiAnalyzer and many more.

Here, we will discuss all important features and technologies covered by Fortinet. Let’s start then…

Fundamentals of FortiGate Firewall

Below is the list of components supported by FortiGate. However, we have covered important components in this document.

FortiGate Firewall Dashboard

The FortiOS Dashboard consists of a graphical view and statistics of alerts. Widgets are static views of the FortiGate's properties. It consists of:

  • System Information: hostname, IP address, serial number, firmware
  • Licenses: list of licences installed on the system and their respective expiry dates
  • FortiCloud: statistics of FortiCloud data
  • Security Fabric: summary of the devices using the Security Fabric feature
  • Administrators: all connected admins and their login time along with IP address
  • CPU: utilisation of the device
  • Memory: live utilisation of the device
  • Sessions: number of sessions the firewall is processing per second or minute

Other Widgets present in Dashboard

  • HA status 
  • Log rate
  • Interface Bandwidth
  • Botnet Activity
  • Advanced threat Protection 

FortiGate Security Fabric

Fortinet Security Fabric involves different components that work together to secure the network.

A combination of the devices below is required to create the Security Fabric.

FortiGate Firewall

The firewall acts as the security component between the ISP and downstream LAN devices. It secures the network from unknown outside attackers.

FortiAnalyzer

As its name suggests, FortiAnalyzer can scan, monitor and collect logs of live traffic and create reports accordingly. It shows historical logs and events of any network traffic that passes through the firewall.

FortiAnalyzer has below tabs available in the device to check logs:

  • FortiView
  • Threats
  • Traffic
  • Applications and Websites
  • VPN
  • System
  • Security, Application Control, Web Filter, DNS
  • Custom View
  • Log Browse
  • Log Group

Log View from the FortiAnalyzer device:

FortiManager

FortiManager provides remote management for FortiGate firewalls. It uses TCP port 541 to communicate with the firewall.

FortiManager pushes antivirus, IPS and the latest UTM updates to all connected devices.

FortiManager contains below tabs:

  • Add Device
  • Device Group
  • Firmware
  • License

FortiSandbox

It is a cloud-based technology which generates the latest signatures based on malicious attacks. A FortiSandbox is a device that runs a sample in an isolated VM or cloud environment.

A copy of the threat logs is forwarded to FortiSandbox, where it checks whether the traffic has malicious content in it.

FortiSandbox performs 3 types of scanning when it receives a file from FortiGate:

  • Pre-Scan Group – the initial scan performed by FortiSandbox. Several filters are applied to the new file, such as pattern matching, checksum code sequence and TCP/IP attributes, along with behavioural analysis of the file/traffic pattern.
  • Static Scan – mainly deals with antivirus and static AI scan. Antivirus is a traditional pattern-matching feature, whereas static AI scan uses machine learning to detect malware based on attributes collected from millions of malware samples.
  • Dynamic Scan – uses a VM scan where the submitted file is processed in an isolated environment. Dynamic scan also uses PEXBOX (a code emulator) in which Windows files are parsed.

FortiSandbox Dashboard

FortiADC

An Application Delivery Controller is used to improve the scalability of firewalls. It uses an advanced server load balancer which routes traffic to an available destination server based on the availability of the backend servers.

It helps to make applications reliable, responsive and easy to manage.

FortiADC performs the tasks below:

  • Security
  • Server Load Balancing 
  • Link Load Balancing 
  • Global Load Balancing 

FortiADC benefits:

  • Scale applications with the server load balancing feature
  • Apply persistence with servers to maintain connections
  • Reduce bandwidth needs and improve user QoE
  • Provide redundancy and WAN optimization for applications
  • Apply traffic prioritization using QoS (Quality of Service)
  • Improve SSL offloading with the firewall for faster processing

Dashboard of FortiADC

FortiAP

FortiAP units are thin wireless access points supporting the latest Wi-Fi technologies and easy deployment. For larger deployments, FortiAP controllers can run a dedicated wireless network, and FortiAP models support a dedicated monitor to check radio signals.

FortiAP, FortiAP-C, FortiAP-S, FortiAP-W2, and FortiAP-U units are offered in a variety of models to address particular use cases and management modes.

Wireless access points can be added in any network to provide wireless connection to users. 

FortiClient 

FortiClient is a VPN (IPsec and SSL) client, just like Cisco AnyConnect. It can also be used as an antivirus client and a host vulnerability scanner, and it supports web filtering as well. With FortiGate you get at least 10 free licenses if you want to use these clients.

FortiClient helps to protect all the endpoints of your network, including laptops, desktops and other devices.

These devices are either directly connected to your FortiGate devices or remotely connected through VPN.

  • After the admin sets up endpoint security on FortiGate, a first-time user with an unregistered endpoint attempts to access the Internet
  • A captive portal is displayed to download and install FortiClient on the system.
  • Once installed, FortiClient registers the system to the FortiGate
  • Endpoint security profiles are applied through FortiClient to the local user's system
  • After successful registration the Windows PC becomes a compliant endpoint.

FortiMail

FortiMail is a secure email solution which provides protection against inbound attacks, outbound attacks and data loss in the network, as it captures email-related threats like phishing, spam, malware and zero-day attacks.

It protects emails from: 

  • Known and unknown threats
  • Whaling Attack
  • Spams
  • Malicious link in email

4 types of modes are used in FortiMail to protect emails from attack.

  1. Gateway Mode – FortiMail acts as an email gateway, i.e. a Mail Transfer Agent device. It fetches emails, scans the content and transfers it to the email server. A change in network topology is required to implement FortiMail in the existing network.
  2. Transparent Mode – As the name specifies, FortiMail acts as a transparent proxy/device. It fetches the emails, scans them and directly transfers them to the email server. No topology changes are required.
  3. Server Mode – It acts as the local email server. It receives emails, scans them, and directly forwards them to users. Yes, a topology change is required to implement this mode.

FortiGate VPN

FortiGate supports IPSec VPN and SSL VPN.

  • SSL VPN – It is used by remote users to access applications from remote sites.
    1. Tunnel Mode – the FortiClient VPN must be installed on the user's system.
    2. Web Mode – services are accessible via the web browser, but some applications and services are not supported.
  • IPSec VPN – A site-to-site tunnel is created in the network to transfer data in encrypted form.
    1. A site-to-site VPN is initiated between two endpoints or physical devices
    2. IPsec remote VPN is also used in organizations to provide remote access to the network.

Security Profiles

Profiles which contain security features are known as Fortinet Security Profiles.

It includes below information about configuration.

  • Anti-Virus: It identifies and blocks viruses after scanning network traffic. FortiGate offers two types of anti-virus inspection:
    1. Proxy-based: useful to mitigate suspicious malicious code.
    2. Flow-based: optimized for high performance.
  • Web Filter: This feature takes action on Internet URLs based on allow/block categories in the firewall. You can customize URL categories in the firewall as well.
  • Intrusion Prevention: It detects threats in the network and mitigates malicious traffic by applying signatures. Custom signatures can be created as well.

Log and Report

Logging and reporting are useful to check and understand network logs. They cover event logs, system logs, VPN logs, threat logs, UTM logs and customized reports.

FortiGate also supports several external log devices, such as FortiAnalyzer, Cloud, and a syslog server.

Moreover, the log severity level is defined in every traffic log.

We can filter logs by using the options below:

Conclusion

Fortinet brings high-performance network infrastructure security that protects any network, its users and its traffic. FortiGate provides top-rated solutions and centralized management systems to handle end-to-end security of an organisation.

Continue Reading:

FortiGate Firewall Policy: Rules, Types & Configuration

Palo Alto vs Fortinet Firewall: Detailed Comparison

NAT Reflection: FortiGate Firewall https://networkinterview.com/nat-reflection-fortigate-firewall/ Thu, 08 Aug 2024 16:32:45 +0000

What is NAT Reflection?

We use hairpin NAT or NAT reflection when we want an internal client workstation to access an internal server by using the public IP address that is bound to an external interface on the firewall.

NAT reflection separates external and internal access so that external users are redirected to the server's public IP address while internal users can reach the server directly via its internal IP address. In other words, when a client on the internal network uses the server's external/public IP address to reach the application, NAT reflection rewrites the traffic so that it reaches the internal server via the internal route instead of taking the external interface path, which improves access speed and reduces load on the firewall.

Let's discuss the above image to understand NAT reflection.

  • A user is trying to access server 192.100.1.10 from the inside network.
  • 192.100.1.10 is the public IP address of server 100.0.0.10, which resides in the same network the user PC is connected to.
  • The user's traffic for 192.100.1.10 reaches the firewall.
  • The firewall finds that the server's public IP address is bound to internal IP address 100.0.0.10.
  • So, instead of sending the traffic via the external route, the firewall redirects it to the internal route.
  • The traffic takes a U-turn to reach the private IP address of the server.
  • That's why it is called Hairpin or Loopback NAT.

In short, the source and destination addresses are modified by the firewall's NAT feature so that devices accept traffic to and from the correct locations.

Return traffic must reach the correct private IP address through the firewall interface, and a security policy must be in place for the correct source and destination to allow intra-zone communication between client and server.

Let's take different scenarios where NAT reflection can be implemented on a FortiGate firewall.

CASE STUDY 1: When the user and web server are behind DIFFERENT firewall interfaces

As in the diagram, we have 3 ports configured on the FortiGate firewall:

  • Port 1: Internal
  • Port 2: External
  • Port 3: Server Segment

Configure Virtual IPs for the hairpin network:

  1. Go to the Virtual IPs option.
  2. Name the Virtual IP.
  3. Enter the external public NAT IP address.
  4. Map it to the server's private IP address.
  5. Enable port forwarding.
  6. Select protocol TCP.
  7. Set the external port to any port range of your choice and map it to IPv4 port 22. Click OK.

Now first create external access to the server on its public IP address:

  1. Go to Firewall Policy.
  2. Name the firewall policy.
  3. Select the inside and outside ports for the connection.
  4. Select source Any/All and, as destination, the VIP created above.
  5. Select the services you want to allow.
  6. Enable NAT using the outgoing interface address and click OK.

Now our aim is to move the internal user's traffic from Port 1 -> Port 2 and then further from Port 2 -> Port 3.

First create a policy to enable access from Port 1 to Port 2 for the internal client:

  1. Create a firewall policy.
  2. Allow access from port 1 to port 2.
  3. Select source Any and destination Any.
  4. Service: SSH.
  5. Action: Accept.
  6. Click OK.

Now we have policies for Port 1 -> Port 2 and Port 2 -> Port 3.

When the user tries to access the server using its public IP address from the internal segment, the output below is received in the firewall logs.
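The same case 1 setup expressed in FortiOS CLI, added here as an example and not part of the original article. It uses the addresses and ports from the text (VIP 192.100.1.10 mapped to 100.0.0.10, port1 LAN, port2 Internet, port3 server segment, TCP to port 22); the object names and external port 2222 are assumptions. Because FortiGate applies the VIP destination translation before policy lookup, the VIP interface is set to "any" so it also matches traffic arriving on port1, and the hairpin policy is written from port1 to port3 (the interface behind which the mapped IP sits) with the VIP as destination.

```fortios
# Added example, not from the original article. Object names and extport 2222 are assumed.
# Step 1: Virtual IP (DNAT) mapping the public address to the server, with port forwarding.
# extintf "any" is what lets the VIP match traffic from the LAN side as well as the Internet.
config firewall vip
    edit "VIP-SSH-SERVER"
        set extip 192.100.1.10
        set extintf "any"
        set portforward enable
        set protocol tcp
        set mappedip "100.0.0.10"
        set extport 2222
        set mappedport 22
    next
end

config firewall policy
    # Step 2: external access, port2 (Internet) -> port3 (server segment).
    # Service matches the mapped port (22), since policy lookup runs after DNAT.
    edit 0
        set name "Internet-to-SSH-Server"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "VIP-SSH-SERVER"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
    # Step 3: hairpin access, port1 (LAN) -> port3, same VIP as destination.
    # nat enable replaces the client's source address with the FortiGate's port3
    # address, so the server's replies always return through the FortiGate.
    edit 0
        set name "Hairpin-LAN-to-SSH-Server"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "VIP-SSH-SERVER"
        set action accept
        set schedule "always"
        set service "SSH"
        set nat enable
        set logtraffic all
    next
end
```

With logtraffic enabled on both policies, a hairpin session shows up in Log & Report > Forward Traffic with port1 as source interface, port3 as destination interface and the VIP as the original destination.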

CASE STUDY 2: When the user and web server are behind the SAME firewall interface

Here the web server IP address is 192.168.0.100 and the client subnet range is 192.168.0.0/24.

The client initiates the connection on Port 1, the traffic is redirected to Port 2, and from there it is forwarded to the web server, again on Port 1.

  • Internal: Port 1 (connected to LAN) -> Port 2
  • External: Port 2 (connected to Internet) -> Port 1

Let’s configure the Hairpin NAT for this case.

  1. Create VIPs on the FortiGate firewall.
  2. Assign a name to the VIP.
  3. Select the interface.
  4. Add the external IP (public IP) and the mapped IP address in the tab.
  5. Enable port forwarding if required in your network and click OK.

Then create a firewall policy and add the parameters below to enable access.

Enable NAT so that external users can also access the internal web server.

Now we will create another firewall policy which allows traffic from the internal network to Port 2 and from external Port 2 to the internal NAT server IP.

Here we disable NAT in the policy as the communication doesn't require translation from the internal client to the internal web server.

Click OK

The external NAT and hairpin NAT policies will look as below.

NAT reflection is now available in many other firewalls as well, including the Juniper SRX series, Cisco ASA and Check Point firewalls. It's the simplest way for an internal client to access an internal server via its public IP address.

Continue Reading:

FortiGate NAT Policy: Types & Configuration

NAT Configuration & NAT Types – Palo Alto
