Thursday, March 20, 2025

Fortigate renew GoDaddy Cert

 Have a GoDaddy cert that has expired and need to update your Fortinet device? Here are the steps I use to update it.

  1. Renew the cert at GoDaddy
  2. Download the certificate with server type = Other
  3. Extract the zip file
  4. With a text editor, open the .crt file that does not start with "gd" (the gd_bundle file is the intermediate chain, not your server certificate)
  5. Copy the contents of the file to your clipboard
  6. Log into the FortiGate
  7. Open the command line / terminal
  8. Type: config vpn certificate local
  9. Type: show (verify the name of the cert you are updating)
  10. Type: edit sslvpn (or your cert name)
  11. See the example at the end of this post; the sequence is:
    1. Type: set certificate "
    2. Paste the contents of the .crt file
    3. Type: "
    4. Press Enter
    5. Type: end
  12. The cert should now show as valid under System > Certificates. The SSL-VPN settings keep referencing the same certificate name, so nothing else needs to change.

Note: replacing only the certificate assumes the renewal was issued against the CSR / private key already on the FortiGate. If you generated a new key at renewal, create a new CSR on the FortiGate and import the certificate against that instead.


 set certificate "-----BEGIN CERTIFICATE----- YBBAGCNxUHBm7xorRWhO7dYIcmuTrsCeCCA0gwPQYJKwDAwLgYmKwYBBAGCNxUIKtkziB9KY0PjDQDYkYHKcTrGa6aLYfd+BwIDAQABo4IDTDH7e1w1uM7kdaBAjyAgM>-----END CERTIFICATE-----"
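Before pasting, it is worth confirming that the file you picked is the leaf certificate, is not already expired, and that the PEM you hand to FortiOS is intact. The PowerShell below is an added example, not part of the original post or a Fortinet tool: it finds the non-gd .crt in the extracted folder, reads it with .NET's X509Certificate2, and builds the FortiOS command sequence from the steps above onto the clipboard. The folder C:\temp\godaddy and the object name "sslvpn" are assumptions; change them to match your setup.

```powershell
# Added example: sanity-check the GoDaddy leaf cert before pasting it into FortiOS.
# Assumptions: the zip was extracted to C:\temp\godaddy and the FortiOS local certificate
# object is named "sslvpn" (the name seen with 'show' under config vpn certificate local).
param(
    [string]$CertDir = "C:\temp\godaddy",
    [string]$FgtName = "sslvpn"
)

function Get-LeafCertFile {
    param([string]$Dir)
    # GoDaddy ships the leaf as <random>.crt and the chain as gd_bundle-*.crt; we want the former
    $leaf = @(Get-ChildItem -Path $Dir -Filter *.crt -File | Where-Object { $_.Name -notlike 'gd*' })
    if ($leaf.Count -ne 1) { throw "Expected exactly one non-gd .crt in $Dir, found $($leaf.Count)" }
    return $leaf[0]
}

function Test-LeafCert {
    param([string]$Path)
    # X509Certificate2 reads a single PEM-encoded .crt directly on Windows
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate in $Path is already expired ($($cert.NotAfter))" }
    if ($cert.Subject -eq $cert.Issuer) { throw "$Path is self-signed (a root), not the server certificate" }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Thumbprint = $cert.Thumbprint
    }
}

function New-FortiOSCertCommands {
    param([string]$Path, [string]$Name)
    # FortiOS takes the PEM verbatim inside double quotes; normalize CRLF to LF so the paste is clean
    $pem = (Get-Content -Path $Path -Raw).Trim() -replace "`r`n", "`n"
    @"
config vpn certificate local
    edit "$Name"
        set certificate "$pem"
    next
end
"@
}

$leafFile = Get-LeafCertFile -Dir $CertDir
Test-LeafCert -Path $leafFile.FullName | Format-List
New-FortiOSCertCommands -Path $leafFile.FullName -Name $FgtName | Set-Clipboard
Write-Host "FortiOS commands for '$FgtName' copied to the clipboard; paste them into the FortiGate CLI."
```

Run it from the folder with the extracted zip (or pass -CertDir), check the Subject and DaysLeft it prints, then paste the clipboard into the FortiGate terminal. Set-Clipboard is available in Windows PowerShell 5.1 and later.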

Thursday, August 29, 2024

Navigating through many different regulatory compliance regimes is rough. When they layer on top of each other, each with its own differences, it becomes almost impossible.

I really like what the folks over at Secure Controls Framework have done by combining all the controls into a blended model. This is available for download in Excel Here, or via their GitHub Here.

Sunday, December 31, 2023

Windows Firewall rules for Fortinet SSO Collector

The Fortinet SSO Collector service collects logon information from all domain controllers and forwards user / machine / IP information to the FortiGate.

I recently installed new Windows Server 2022 domain controllers as Server Core (no GUI). For the SSO collector and DC agent communication, Windows Firewall rules needed to be added to allow the incoming connections.

References:
Fortinet Guru #1


<#
https://community.fortinet.com/t5/FortiGate/Technical-Tip-List-of-TCP-and-UDP-ports-used-by-the-FSSO/ta-p/194130
UDP/8002 – DC Agent keepalive and push logon info to Collector Agent
TCP/8001 – FortiGate to FSSO Collector Agent connection (SSL)
TCP/8000 – FortiGate to FSSO Collector Agent connection
TCP/8000 – NTLM
#>
# Scope the rules to the FortiGate and the DCs only; do not open these ports to Any
$fgtIP = '192.168.0.1'
$DCs   = @('192.168.0.51', '192.168.0.52', '192.168.0.61', '192.168.0.62')

# Inbound from the FortiGate to the Collector Agent (8000 plain, 8001 SSL)
New-NetFirewallRule -Action Allow `
    -Description "Allow FortiGate to FSSO Collector Agent connection" `
    -Direction Inbound `
    -Enabled True `
    -Group Fortinet_SSO `
    -LocalPort 8000,8001 `
    -DisplayName Fortinet-Allow-FGT_to_SSO_Collector `
    -Protocol TCP `
    -RemoteAddress $fgtIP

# Inbound from the DC Agents on each domain controller to the Collector Agent
New-NetFirewallRule -Action Allow `
    -Description "DC Agent keepalive and push logon info to Collector Agent" `
    -Direction Inbound `
    -Enabled True `
    -Group Fortinet_SSO `
    -LocalPort 8002 `
    -DisplayName Fortinet-Allow-DCAgent_to_SSO_Collector `
    -Protocol UDP `
    -RemoteAddress $DCs
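On a Server Core box you cannot eyeball the rules in the MMC, so it helps to make the script safe to re-run and to read the rules back with their port and address filters. The following is an added example, not the post's own script: it creates the same two rules only if they are missing, then lists every rule in the Fortinet_SSO group with its protocol, ports and remote addresses so a rule that has drifted to RemoteAddress = Any stands out. The IP addresses are placeholders.

```powershell
# Added example: idempotent creation of the FSSO collector rules plus a read-back check.
# $fgtIP and $DCs are placeholders; replace with your FortiGate and domain controller addresses.
$fgtIP = '192.168.0.1'
$DCs   = @('192.168.0.51', '192.168.0.52')

$rules = @(
    @{ Name = 'Fortinet-Allow-FGT_to_SSO_Collector';     Proto = 'TCP'; Port = @(8000, 8001); Remote = $fgtIP
       Desc = 'FortiGate to FSSO Collector Agent (8000 plain, 8001 SSL)' },
    @{ Name = 'Fortinet-Allow-DCAgent_to_SSO_Collector'; Proto = 'UDP'; Port = 8002;          Remote = $DCs
       Desc = 'DC Agent keepalive / logon push to Collector Agent' }
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run without creating duplicates
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$($r.Name)' already exists, skipping"
        continue
    }
    New-NetFirewallRule -DisplayName $r.Name -Description $r.Desc -Group 'Fortinet_SSO' `
        -Direction Inbound -Action Allow -Enabled True `
        -Protocol $r.Proto -LocalPort $r.Port -RemoteAddress $r.Remote | Out-Null
    Write-Host "Created rule '$($r.Name)'"
}

# Read back: one line per rule with its port filter and address filter, so a rule whose
# RemoteAddress has been widened to 'Any' is visible at a glance
Get-NetFirewallRule -Group 'Fortinet_SSO' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name     = $_.DisplayName
        Enabled  = $_.Enabled
        Protocol = $port.Protocol
        Port     = ($port.LocalPort -join ',')
        Remote   = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

The read-back table is also handy evidence for a change ticket, since it shows the scope of each rule rather than just its name.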

Thursday, December 28, 2023

Tail Windows Defender Firewall Log

 

# -Tail reads only the last 20 lines instead of the whole file; add -Wait to keep following new entries
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 20
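Note that Windows Firewall does not write this log until logging is enabled on the profile (for example Set-NetFirewallProfile -All -LogBlocked True). Once it is, the raw lines are more useful as objects than as text. The PowerShell below is an added example, not from the original post: it parses the W3C-style #Fields header of pfirewall.log into objects and summarizes dropped connections by source IP, destination port and protocol. The sample log lines are constructed for the example; point $lines at the real file to run it against your own log.

```powershell
# Added example: parse pfirewall.log into objects and summarize DROP entries.
function ConvertFrom-PfirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header names the columns: date time action protocol src-ip dst-ip src-port dst-port ...
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'No #Fields header seen before the first data line' }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            # Pad short lines with '-' so every object has the same properties
            $obj[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { '-' }
        }
        [pscustomobject]$obj
    }
}

# Constructed sample in the pfirewall.log v1.5 layout (not a real capture)
$lines = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-12-28 10:15:01 DROP TCP 10.0.0.5 10.0.0.20 51234 445 52 S 1234567 0 8192 - - - RECEIVE
2023-12-28 10:15:02 DROP TCP 10.0.0.5 10.0.0.20 51235 3389 52 S 1234568 0 8192 - - - RECEIVE
2023-12-28 10:15:03 ALLOW TCP 10.0.0.20 10.0.0.1 50000 8000 0 - 0 0 0 - - - SEND
2023-12-28 10:15:04 DROP UDP 10.0.0.7 10.0.0.20 60000 8002 40 - - - - - - - RECEIVE
2023-12-28 10:15:05 DROP TCP 10.0.0.5 10.0.0.20 51236 445 52 S 1234569 0 8192 - - - RECEIVE
'@ -split "`r?`n"

# For the live log use:
# $lines = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

$events = ConvertFrom-PfirewallLog -Lines $lines
$events | Where-Object action -eq 'DROP' |
    Group-Object 'src-ip', 'dst-port', 'protocol' |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

With the sample input the top line is 10.0.0.5 hitting port 445 twice; on a real host the same grouping quickly shows which neighbour is probing which ports, or which rule scope you forgot to add (the UDP 8002 drop above is what a missing DC-agent rule looks like).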

Wednesday, September 15, 2021

Grab a NIC IP information and dynamically create a reset script

 I had a request to figure out how to record a NIC's IP configuration and make it easy to put the config back if required. The result is a runnable $outfile PowerShell script that resets the settings.


### Set Common Parameters ###
$now           = Get-Date -UFormat "%Y-%m-%d_%H-%M-%S"
$extNIC        = "Ethernet"
$outpath       = "C:\temp\"
$outscriptname = "setIP_postwork.ps1"
$outfile       = Join-Path $outpath $outscriptname

## Get the current IPv4 info for the external NIC ##
# Get-NetIPAddress can return more than one address; take the first one
$NetIPextnic       = @(Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $extNIC)[0]
$NetIPextnicIndex  = $NetIPextnic.InterfaceIndex
$ipv4_extnic       = $NetIPextnic.IPAddress
## Get the subnet mask, as a prefix length (24 = 255.255.255.0) ##
$NetIPextnicPrefix = $NetIPextnic.PrefixLength
## Get the current default gateway of the external NIC ##
$gw_extnic = (Get-NetRoute -DestinationPrefix "0.0.0.0/0" -InterfaceIndex $NetIPextnicIndex).NextHop
## Get the DNS server addresses of the external NIC ##
$DnsServers = (Get-DnsClientServerAddress -InterfaceIndex $NetIPextnicIndex -AddressFamily IPv4).ServerAddresses
# Quote each address so the generated script gets a real string array, not one "a,b" string
$DnsList = ($DnsServers | ForEach-Object { '"' + $_ + '"' }) -join ','

## If setIP_postwork.ps1 already exists, keep the old copy under a timestamped name ##
If (Test-Path $outfile) {
    Rename-Item -Path $outfile -NewName ($now + "_" + $outscriptname)
}

## Create / write the post-work reset script ##
# Double-quoted here-string: $values are filled in now, `$names stay literal for the generated script
$script = @"
### Set Common Parameters ###
`$ExtNicAlias = "$extNIC"
`$ExtNicIndex = $NetIPextnicIndex
`$ExtNic_IPv4 = "$ipv4_extnic"
`$ExtNic_mask = $NetIPextnicPrefix
`$ExtNic_gw   = "$gw_extnic"
`$ExtNic_dns  = @($DnsList)
### Set IP address on External NIC ###
New-NetIPAddress -InterfaceIndex `$ExtNicIndex -IPAddress `$ExtNic_IPv4 -AddressFamily IPv4 -DefaultGateway `$ExtNic_gw -PrefixLength `$ExtNic_mask
### Set DNS Server Address on External NIC ###
Set-DnsClientServerAddress -InterfaceIndex `$ExtNicIndex -ServerAddresses `$ExtNic_dns
### Disable IPv6 on External NIC ###
Disable-NetAdapterBinding -InterfaceAlias `$ExtNicAlias -ComponentID ms_tcpip6
"@
Set-Content -Path $outfile -Value $script

Friday, April 16, 2021

Native Windows 10 packet Sniffer PKTMON

I had to troubleshoot connectivity issues from a Windows 10 machine and really did not want to install Wireshark. Then I remembered reading this document on the built-in sniffer: pktmon | Microsoft Docs

 Basically, here are the steps:

  • Change directory to where you want the results saved (e.g. c:\temp); pktmon writes PktMon.etl to the current directory
  • Add filters for the IPs you want to capture
    • pktmon filter add -i 8.8.8.8
    • pktmon filter add -i 9.9.9.9

  • Start pktmon
    • pktmon start --etw  (writes to the PktMon.etl file only)
    • pktmon start --etw -l real-time  (writes to the PktMon.etl file and to the screen)
  • Generate the traffic

  • Stop pktmon
    • pktmon stop

The native PktMon.etl file is an ETW trace that Wireshark will not open directly; Microsoft's NetMon can read it, or you can convert it to pcapng for Wireshark with:

  • pktmon pcapng pktmon.etl -o log.pcapng
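Run by hand, it is easy to forget the filter from the last session or leave a capture running. The function below is an added example, not from the original post or Microsoft's docs: it strings the steps above together (clear filters, add filters, start, run the traffic, stop, convert) with the stop in a finally block so the capture ends even if the traffic command fails. It assumes an elevated prompt on a Windows 10 2004 or later build where pktmon.exe is on the path; C:\temp is a placeholder.

```powershell
# Added example: run the pktmon filter/start/stop/convert sequence as one guarded function.
# Assumes an elevated PowerShell on Windows 10 2004+ with pktmon.exe available.
function Invoke-PktmonCapture {
    param(
        [string[]]$Hosts,                 # IPs to filter on, e.g. 8.8.8.8
        [scriptblock]$Traffic,            # the traffic to generate while capturing
        [string]$OutDir = 'C:\temp'       # placeholder; pktmon writes PktMon.etl to the current directory
    )
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
    Push-Location $OutDir
    try {
        pktmon filter remove | Out-Null                     # start from an empty filter list
        foreach ($h in $Hosts) { pktmon filter add -i $h | Out-Null }
        pktmon start --etw | Out-Null                       # file only; add -l real-time to also print
        & $Traffic
    }
    finally {
        pktmon stop | Out-Null                              # always stop, even if $Traffic threw
        Pop-Location
    }
    $etl  = Join-Path $OutDir 'PktMon.etl'
    $pcap = Join-Path $OutDir 'PktMon.pcapng'
    # Convert for Wireshark; on newer builds the equivalent subcommand is 'pktmon etl2pcap'
    pktmon pcapng $etl -o $pcap | Out-Null
    return $pcap
}

# Usage: capture DNS traffic to 8.8.8.8 and 9.9.9.9 while running a lookup against the first
Invoke-PktmonCapture -Hosts '8.8.8.8', '9.9.9.9' -Traffic { nslookup example.com 8.8.8.8 }
```

The return value is the pcapng path, so the call can be chained into whatever you use to open or ship the capture.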

 

Also for reference, here is what the on-screen verbose output (-l real-time) looks like when opening nslookup and connecting to 8.8.8.8 (screenshot not reproduced in this copy).
There are other options in the linked doc, but to get a quick view of traffic, not bad. Enjoy!

Friday, April 09, 2021

Get all active directory users properties

Need to grab all the properties for all your AD users? Here you go!
# Requires the ActiveDirectory module (RSAT). -Properties * pulls every attribute, so this is slow
# and produces a very large CSV in big domains; adjust the SearchBase to your domain
Import-Module ActiveDirectory
$now      = Get-Date -UFormat "%Y-%m-%d_%H-%M-%S"
$filepath = 'C:\temp\Service_Accounts_' + $now + '.csv'
Get-ADUser -Filter * -SearchBase "DC=domain,DC=com" -Properties * |
    Export-Csv -Path $filepath -NoTypeInformation


Wednesday, August 26, 2020

Rename Files to a random name

 I had a bunch of photos that I wanted to randomize on a photo frame. The frame displays photos alphabetically by file name, and since the original file names contained the date and time the picture was taken, there was no randomness to what was displayed.


I wrote this to change the filenames to a random number.



$files = Get-ChildItem -File -Path "C:\temp\"
ForEach ($file in $files) {
    # Get-Random returns a 32-bit integer; re-draw on the (unlikely) name collision
    do {
        $newName = [String](Get-Random) + $file.Extension
    } while (Test-Path (Join-Path $file.DirectoryName $newName))
    Rename-Item -Path $file.FullName -NewName $newName
}

Thursday, June 18, 2020

Remove WSUS GPO settings

Most companies deploy Windows Server Update Services (WSUS) via Group Policy to keep all corporate systems updated. However, sometimes the nerd in me wants the latest and greatest before corporate approves it. So run these commands in an administrative PowerShell session. This removes the local WSUS policy settings until the next Group Policy refresh (every 90 minutes by default, or a gpupdate) puts them back.


# Delete the policy key that carries the WSUS settings (WUServer, WUStatusServer, UseWUServer, ...)
Remove-Item `
    -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
    -Force `
    -Recurse `
    -ErrorAction SilentlyContinue
# Restart the Windows Update service so it re-reads the (now absent) policy
Stop-Service -Name wuauserv
Start-Service -Name wuauserv
# Kick off a detection cycle right away, which now goes to Microsoft Update instead of WSUS
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

Tuesday, June 16, 2020

PCI Antivirus logs

The QSA requested proof of antivirus logging and its retention. Using KQL let statements, I grab the oldest and newest entries from the Log Analytics ProtectionStatus table as evidence.
// oldest: the 10 earliest records still in the workspace (shows how far back retention reaches)
let oldest = ProtectionStatus
| where TimeGenerated < ago(1h)
| top 10 by TimeGenerated asc;
// newest: the 10 most recent records (older than 1h so ingestion has settled)
let newest = ProtectionStatus
| where TimeGenerated < ago(1h)
| top 10 by TimeGenerated desc;
union oldest, newest