Tyler Vilo tvilo

## fortigate sniff packet cheat sheet
#=====================================================================
diagnose sniffer packet vs diag debug flow filter

# diagnose sniffer packet checks if the packet reaches fortigate
# diag debug flow filter checks packet's traffic within fortigate internally

diagnose debug flow #trace per-packet operations for flow tracing
diagnose sniffer packet #trace per-Ethernet frame
#=====================================================================
#WEB GUI v7.2.3

## nmap cheat sheet
----------------------------------------------------------------------------------------------------
#detect rogue dhcp server

nmap -sU -p67,68 --script dhcp-discover <network_range>
sudo nmap --script broadcast-dhcp-discover
sudo nmap --script broadcast-dhcp-discover -e eth0
----------------------------------------------------------------------------------------------------
Wireshark Output for nmap IP Fragment Scan (Sample):
Filter: ip.flags.mf == 1
No. Time Source Destination Protocol Length Info

## Powershell_Fortinet_FSSO_Collector_inboutd_firewall_rules.ps1
<#
https://community.fortinet.com/t5/FortiGate/Technical-Tip-List-of-TCP-and-UDP-ports-used-by-the-FSSO/ta-p/194130
UDP/8002 – DC Agent keepalive and push logon info to Collector Agent
TCP/8001 – FortiGate to FSSO Collector Agent connection (SSL)
TCP/8000 – FortiGate to FSSO Collector Agent connection
TCP/8000 – NTLM
#>

$fgtIP = '192.168.0.1'
$DCs = @('192.168.0.51', '192.168.0.52', '192.168.0.61', '192.168.0.62')

## fortigate - HA mode cheat sheet
#=====================================================================
#how to power off fortigate cluster
#unplug the power cables as there is no power buttons

shut down first the secondary(backup unit)
Unit-1 # execute ha manage 1                 {To switch to the backup unit}
Unit-2 $                                     {Now on the backup unit}
Unit-2 $ execute shutdown                    {To shut down the backup unit}
This operation will shutdown the system !
Do you want to continue? (y/n)y

## fortigate - IPS
#=================================================================================================================================
#ChatGPT

how to debug IPSengine in 6.4 or later:

# diagnose ips debug enable
init              init
packet            packet
packet_detail     packet_detail
error             error

## fortigate - webfilter - url filter cheat sheet
#=====================================================================
# Log&Report - Security Events - Web Filter, filter a specific URL. v7.2.3

#launch CLI from fortigate GUI
config webfilter profile #Configure Web filter profiles
get #list all profiles
edit profile-name
show # see current setting
set log-all-url enable
set extended-log enable

## fortigate - deep inspection cheat sheet
---------------------------------------------------------------------------------------------------------------------------
#exempting websites from deep inspection like github.com etc

method

#create group
Security Profiles > SSL/SSH Inspection > Profile1 > Addresses > + > Wildcard FQDN Group
#create members
Security Profiles > SSL/SSH Inspection > Profile1 > Addresses > + > Wildcard  "*.github.com

## powershell script cheat sheet
==========================================================================================================
#Gemini
==========================================================================================================
#ChatGPT
==========================================================================================================
#Gemini

Ensuring PowerShell DSC and Chocolatey are Installed

PowerShell DSC is a feature of PowerShell. If you have PowerShell installed on your Windows 10 system, DSC is likely already available.

## fortigate - Firewall Hardening cheat sheet
#=====================================================================
#Bard

#configure an email alert on each successful VPN SSL connection on FortiGate 7.2:

Go to Security Fabric > Automation.
Click Create New.
In the Name field, enter a name for the automation stitch.
In the Trigger field, select FortiOS Event Log.
In the Event field, select SSL VPN Tunnel Up.

## fortigate - ssl-vpn cheat sheet
#====================================================================================================================================
# microsoft built-in vpn client on windows 11 , not working
only for "local" user account, no fortinet support on ms store

#====================================================================================================================================
# microsoft built-in vpn client on windows 11 , not working
# ChatGPT

let's explore examples to illustrate the differences between L2TP/IPsec and SSL VPN in practical scenarios:
	#=====================================================================
	diagnose sniffer packet vs diag debug flow filter

	# diagnose sniffer packet checks if the packet reaches fortigate
	# diag debug flow filter checks packet's traffic within fortigate internally

	diagnose debug flow #trace per-packet operations for flow tracing
	diagnose sniffer packet #trace per-Ethernet frame
	#=====================================================================
	#WEB GUI v7.2.3
	----------------------------------------------------------------------------------------------------
	#detect rogue dhcp server

	nmap -sU -p67,68 --script dhcp-discover <network_range>
	sudo nmap --script broadcast-dhcp-discover
	sudo nmap --script broadcast-dhcp-discover -e eth0
	----------------------------------------------------------------------------------------------------
	Wireshark Output for nmap IP Fragment Scan (Sample):
	Filter: ip.flags.mf == 1
	No. Time Source Destination Protocol Length Info
	<#
	https://community.fortinet.com/t5/FortiGate/Technical-Tip-List-of-TCP-and-UDP-ports-used-by-the-FSSO/ta-p/194130
	UDP/8002 – DC Agent keepalive and push logon info to Collector Agent
	TCP/8001 – FortiGate to FSSO Collector Agent connection (SSL)
	TCP/8000 – FortiGate to FSSO Collector Agent connection
	TCP/8000 – NTLM
	#>

	$fgtIP = '192.168.0.1'
	$DCs = @('192.168.0.51', '192.168.0.52', '192.168.0.61', '192.168.0.62')
	#=====================================================================
	#how to power off fortigate cluster
	#unplug the power cables as there is no power buttons

	shut down first the secondary(backup unit)
	Unit-1 # execute ha manage 1 {To switch to the backup unit}
	Unit-2 $ {Now on the backup unit}
	Unit-2 $ execute shutdown {To shut down the backup unit}
	This operation will shutdown the system !
	Do you want to continue? (y/n)y
	#=================================================================================================================================
	#ChatGPT

	how to debug IPSengine in 6.4 or later:

	# diagnose ips debug enable
	init init
	packet packet
	packet_detail packet_detail
	error error
	#=====================================================================
	# Log&Report - Security Events - Web Filter, filter a specific URL. v7.2.3

	#launch CLI from fortigate GUI
	config webfilter profile #Configure Web filter profiles
	get #list all profiles
	edit profile-name
	show # see current setting
	set log-all-url enable
	set extended-log enable
	---------------------------------------------------------------------------------------------------------------------------
	#exempting websites from deep inspection like github.com etc

	method

	#create group
	Security Profiles > SSL/SSH Inspection > Profile1 > Addresses > + > Wildcard FQDN Group
	#create members
	Security Profiles > SSL/SSH Inspection > Profile1 > Addresses > + > Wildcard "*.github.com
	==========================================================================================================
	#Gemini
	==========================================================================================================
	#ChatGPT
	==========================================================================================================
	#Gemini

	Ensuring PowerShell DSC and Chocolatey are Installed

	PowerShell DSC is a feature of PowerShell. If you have PowerShell installed on your Windows 10 system, DSC is likely already available.
	#=====================================================================
	#Bard

	#configure an email alert on each successful VPN SSL connection on FortiGate 7.2:

	Go to Security Fabric > Automation.
	Click Create New.
	In the Name field, enter a name for the automation stitch.
	In the Trigger field, select FortiOS Event Log.
	In the Event field, select SSL VPN Tunnel Up.
	#====================================================================================================================================
	# microsoft built-in vpn client on windows 11 , not working
	only for "local" user account, no fortinet support on ms store

	#====================================================================================================================================
	# microsoft built-in vpn client on windows 11 , not working
	# ChatGPT

	let's explore examples to illustrate the differences between L2TP/IPsec and SSL VPN in practical scenarios: