Posts

Showing posts from May, 2022

Palo Alto VM License

New VM
1. Get Auth-code
2. Login CSP > Asset > VM Series Auth-Codes > Add VM series Auth-code
3. VM > Device > Licenses > Activate feature using authorization code

Existing VM using a new Auth-code
1. Get API key
   1.1 CSP > Products > API management
   1.2 VM CLI:
       request license api-key set key <key>
       request license api-key show
   1.3 VM > Device > Licenses > Deactivate VM
   1.4 VM > Device > Licenses > Activate feature using authorization code
2. If the VM was deactivated without an API key, activating with the new Auth-code will give the error
   "cannot apply a provisioning license feature to an already provisioned device"
   2.1 VM CLI:
       show license-token-file
       dact_lic.01282015.100502.tok
       scp export license-token-file to admin@10.1.10.55:/ from dact_lic.01282015.100502.tok
   2.2 CSP > Asset > VM Series Auth-Codes > Deactivate License, upload the license token file abov

Fortigate IPS and DoS

1. Exploit
   Known, confirmed attack, detected by signature
     IPS signature
     WAF signature
     Antivirus signature
   Example: exploit of known application vulnerabilities
2. Anomaly
   Zero-day or DoS attack
   Detected by behavioral analysis
     Rate-based IPS signature
     DoS policies
     Protocol constraints inspection
   Example: high-rate traffic (DoS/flood)
3. IPS components
   IPS signature databases
   Protocol decoders
   IPS engine - app control, antivirus, web filter, email filter, DLP
4. IPS license.
5. Regular and Extended signature database.
6. IPS profile: add individual signature or use filter
7. IPS signature -- hold time
   config system ips
       set signature-hold-time 0h
   end
8. Add signature with CVE number via CLI
9. DoS
   Policy & Object > IPv4 DoS Policy
     TCP SYN flood -- incomplete connection requests
     ICMP sweep
     TCP port scan
10. Web Application Fi

Fortigate Application Control

1. Uses the IPS engine; requires an SSL Inspection profile.
2. https://www.fortiguard.com/services/appcontrol
3. Application control profile:
   Categories
   Application overrides
   Filter overrides
4. Network Protocol Enforcement
   Blocking or monitoring of known services on unknown ports.
5. Application control occurs before Web Filter.

Fortigate Web Filter

1. Inspection Modes:
   Flow-based - for performance
   Proxy-based - two TCP connections, adds latency, more thorough, all security profiles
2. NGFW Mode
   Profile-based: applicable for flow-based and proxy-based inspection mode
   Policy-based: app and web filtering applied directly to the policy, only to flow-based inspection.
     Needs SSL inspection & Authentication policy first
3. Web Filter
   based on HTTP GET request
4. Web Filter Profiles - Flow-based
   FortiGuard categories
   Static URL
   Rating option
5. Web Filter Profiles - Proxy-based
   Local categories
   Remote categories
   Search engines
   Proxy options
6. Can use FortiManager instead of FortiGate for web rating.
7. Determine web rating
   www.fortiguard.com/webfilter/categories
8. Categories Action
9. External Threat Feeds
   Security Fabric > External Connectors > Threat Feeds:
     FortiGuard Category
       Used in: Web Filter > Remote Categories
     IP address
       Use

Netstat

Windows: The Netstat.exe utility has a switch that can display the process identifier (PID) associated with each connection, to identify port conflicts. This information can be used to determine which process (program) listens on a given port.

Using the netstat command:
1. Open a CMD prompt.
2. Type in the command: netstat -ano -p tcp
3. You'll get an output similar to this one.
4. Look for the TCP port in the Local Address list and note the corresponding PID number.

If you use Task Manager, you can match the process ID that is listed to a process name (program). This feature enables you to find the specific port that a program currently uses. Because this specific port is already in use by a program, another program is prevented from using that same port.

To match the process ID to a program using Task Manager:
1. Press CTRL+ALT+DELETE, and then click Task Manager.
2. Click the Processes tab.
3. If you do not have a PID column, click View, click Select Columns, and then click to selec

Fortigate Logging and Monitoring

1. Log to local disk or an external device such as FortiAnalyzer, syslog, FortiCloud, FortiSIEM and FortiManager.
2. Log Types
3. Log Severity Levels
   Where is it set?
4. Log Message Layout
5. Log Filtering
6. View log in CLI
   # exe log filter
   # exe log display
7. Config Alert email
8. Threat Weight

Fortigate Firewall Policy

Feature Visibility: Multiple Interface Policies. Alternatively, a Zone can be used. With multiple source or destination interfaces, or "any", only the By Sequence view is available.

Internet Service Database (ISDB): can be used in Source or Destination.

Flow-based and proxy-based inspection mode in FW policy. Flow-based inspection takes a snapshot of content packets and uses pattern matching to identify security threats in the content. Proxy-based inspection reconstructs content that passes through the FortiGate and inspects the content for security threats. Proxy-based provides more feature configuration options, while flow-based is designed to optimize performance. They have different profiles.

Logging
Log Allowed Traffic: Security Events or All Sessions. All-sessions logging is generated at the end of the session; enabling "Generate Logs when Session Starts" will generate two logs:
1. Result or Action shows: Accept: session start
2. Result shows sent/received bytes, action shows:

openssl

Check a certificate
Check a certificate and return information about it (signing authority, expiration date, etc.):
openssl x509 -in server.crt -text -noout

Check a key
Check the SSL key and verify its consistency:
openssl rsa -in server.key -check

Check a CSR
Verify the CSR and print the CSR data filled in when generating the CSR:
openssl req -text -noout -verify -in server.csr

Verify that a certificate and key match
These two commands print out MD5 checksums of the certificate and key moduli; the checksums can be compared to verify that the certificate and key match.
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5