labunix's blog

labunix's Lab Unix

Installing the FortiGate-VM64 image on VMware Player.

■Installing the FortiGate-VM64 image on VMware Player.
 Unfortunately the image is not publicly downloadable, so whether you want the
 evaluation or the licensed product you first need a channel to obtain it.

$ vmplayer -v
VMware Player 7.1.0 build-2496824

$ zipinfo FortiOS5.2.3/FGT_VM64-v5-build0670-FORTINET.out.ovf.zip 
Archive:  FortiOS5.2.3/FGT_VM64-v5-build0670-FORTINET.out.ovf.zip
Zip file size: 33024916 bytes, number of entries: 6
-rw-r--r--  3.0 unx    71680 bx defN 10-Aug-24 02:32 datadrive.vmdk
-rw-r--r--  2.3 unx    26956 tx defN 15-Mar-18 12:44 FortiGate-VM64.ovf
-rw-r--r--  2.3 unx    21879 tx defN 15-Mar-18 12:44 FortiGate-VM64.hw04.ovf
-rw-r--r--  2.3 unx    26996 tx defN 15-Mar-18 12:44 FortiGate-VM64.hw07_vmxnet2.ovf
-rw-r--r--  2.3 unx    32800 tx defN 15-Mar-18 12:44 FortiGate-VM64.hw07_vmxnet3.ovf
-rw-------  2.3 unx 33266176 bx defN 15-Mar-18 12:44 fortios.vmdk
6 files, 33446487 bytes uncompressed, 33023958 bytes compressed:  1.3%

■Inspect the OVF to be converted.
 The VM is declared as "Other 64-bit Linux (2.4 kernel)" (other24xlinux64guest) on vmx-07
 hardware: one vCPU, 1 GB RAM, a 2 GB system disk plus a 30 GB log disk, and ten E1000 NICs.

$ mkdir FGT-VM64 && cd FGT-VM64; \
  unzip ../FortiOS5.2.3/FGT_VM64-v5-build0670-FORTINET.out.ovf.zip; \
  cd ..

$ ovftool FGT-VM64/FortiGate-VM64.ovf | tail -90 | grep -v "^\$"
Download Size:  31.79 MB
Deployment Sizes:
  Flat disks:   32.00 GB
  Sparse disks: Unknown
Networks:
  Name:        Network 1
  Description: The VM Network network
  Name:        Network 2
  Description: The Network 2 network
  Name:        Network 3
  Description: The Network 3 network
  Name:        Network 4
  Description: The Network 4 network
  Name:        Network 5
  Description: The Network 5 network
  Name:        Network 6
  Description: The Network 6 network
  Name:        Network 7
  Description: The Network 7 network
  Name:        Network 8
  Description: The Network 8 network
  Name:        Network 9
  Description: The Network 9 network
  Name:        Network 10
  Description: The Network 10 network
Virtual Machines:
  Name:               Fortigate-VM
  Operating System:   other24xlinux64guest
  Virtual Hardware:
    Families:         vmx-07 
    Number of CPUs:   1
    Cores per socket: 1
    Memory:           1024.00 MB
    Disks:
      Index:          0
      Instance ID:    6
      Capacity:       2.00 GB
      Disk Types:     SCSI-lsilogic 
      Index:          1
      Instance ID:    7
      Capacity:       30.00 GB
      Disk Types:     SCSI-lsilogic 
    NICs:
      Adapter Type:   E1000
      Connection:     Network 3
      Adapter Type:   E1000
      Connection:     Network 4
      Adapter Type:   E1000
      Connection:     Network 5
      Adapter Type:   E1000
      Connection:     Network 6
      Adapter Type:   E1000
      Connection:     Network 7
      Adapter Type:   E1000
      Connection:     Network 8
      Adapter Type:   E1000
      Connection:     Network 9
      Adapter Type:   E1000
      Connection:     Network 10
      Adapter Type:   E1000
      Connection:     Network 1
      Adapter Type:   E1000
      Connection:     Network 2

■Convert the OVF to VMX

$ ovftool "FGT-VM64/FortiGate-VM64.ovf" "FGT-VM64/FortiGate-VM64.vmx"
...

Accept end-user license agreement?
Write 'yes' or 'no' (write 'read' to reread the EULA): 
yes         
Writing VMX file: FGT-VM64/FortiGate-VM64.vmx
Transfer Completed                    
Warning:
 - No manifest file found.
 - No manifest entry found for: 'fortios.vmdk'.
 - No manifest entry found for: 'datadrive.vmdk'.
Completed successfully
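■Added example: checking the package against an OVF manifest

The two "No manifest entry found" warnings mean ovftool converted the disks without verifying them: the package ships no .mf file. An OVF manifest is just a text file of "SHA1(<file>)= <hex>" lines beside the .ovf, so it is cheap to verify one from a supplier, or to pin the files you received so later tampering is detected. The script below is an added example, not code from the post or from Fortinet; make_sample_package() builds a constructed stand-in (same file names as the zip listing, dummy contents) so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post. An OVF manifest (.mf) holds one
# "SHA1(<file>)= <hex>" line per package file; write_manifest() creates one and
# verify_manifest() recomputes every digest, so a truncated or modified
# fortios.vmdk is caught before the image is booted. make_sample_package() is a
# constructed stand-in for FGT-VM64/ (file names assumed from the zip listing).

set -eu

# SHA-1 hex digest of a file, using whichever tool the host has.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha1 "$1" | sed 's/.*= //'
    fi
}

# write_manifest <dir> <name>: create <dir>/<name>.mf covering every .ovf
# and .vmdk in <dir>, in the "SHA1(file)= digest" form ovftool understands.
write_manifest() {
    dir="$1"; mf="$dir/$2.mf"
    : > "$mf"
    for f in "$dir"/*.ovf "$dir"/*.vmdk; do
        [ -f "$f" ] || continue
        printf 'SHA1(%s)= %s\n' "$(basename "$f")" "$(sha1_of "$f")" >> "$mf"
    done
}

# verify_manifest <dir> <mf>: recompute every digest listed in <mf>; print one
# OK/FAIL/MISSING line per entry and return 1 if anything does not match.
verify_manifest() {
    dir="$1"; mf="$2"; rc=0
    while IFS= read -r line; do
        name=$(printf '%s' "$line" | sed -n 's/^SHA1(\(.*\))= *\([0-9A-Fa-f]*\)$/\1/p')
        want=$(printf '%s' "$line" | sed -n 's/^SHA1(\(.*\))= *\([0-9A-Fa-f]*\)$/\2/p')
        [ -n "$name" ] || continue           # blank or unrecognised line
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; rc=1; continue
        fi
        got=$(sha1_of "$dir/$name")
        if [ "$got" = "$want" ]; then
            echo "OK      $name"
        else
            echo "FAIL    $name (manifest $want, actual $got)"; rc=1
        fi
    done < "$mf"
    return $rc
}

# Constructed stand-in for FGT-VM64/: same file names, dummy contents.
make_sample_package() {
    d=$(mktemp -d)
    printf '<Envelope/>\n' > "$d/FortiGate-VM64.ovf"
    head -c 4096 /dev/zero > "$d/fortios.vmdk"
    head -c 1024 /dev/zero > "$d/datadrive.vmdk"
    echo "$d"
}
```

Against the real directory this is `verify_manifest FGT-VM64 FGT-VM64/FortiGate-VM64.mf` once a manifest exists. Generating the .mf yourself with `write_manifest FGT-VM64 FortiGate-VM64` only pins the files you already have; a digest that proves the download is genuine has to come from the supplier out of band.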

■Networking: first NIC to NAT (wan), the rest to host-only (internal).
 In VMware Player vmnet8 is the NAT network and vmnet1 the host-only one. The first sed
 turns every "nat" into "hostonly", the second turns ethernet0 back into "nat". The first
 substitution is unanchored, so check afterwards that only the ethernetN.connectionType
 lines changed.

$ ip a list | grep vmnet1\$
    inet 172.16.76.1/24 brd 172.16.76.255 scope global vmnet1

$ ip a list | grep vmnet8\$
    inet 192.168.152.1/24 brd 192.168.152.255 scope global vmnet8

$ sed -i -e 's/nat/hostonly/' FGT-VM64/FortiGate-VM64.vmx
$ sed -i -e 's/\(ethernet0.*\)hostonly/\1nat/' FGT-VM64/FortiGate-VM64.vmx
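■Added example: the same NIC rewrite, anchored and read back

The script below is an added example, not code from the post: it does what the two sed lines above do, but anchors on the full ethernetN.connectionType key so nothing else in the file can be touched, and prints the result so it can be checked. make_sample_vmx() writes a constructed three-NIC fragment; the real target is assumed to be FGT-VM64/FortiGate-VM64.vmx.

```shell
#!/bin/sh
# Added example, not part of the original post: ethernet0 -> nat (wan), every
# other NIC -> hostonly (internal), with substitutions anchored on the
# connectionType key. make_sample_vmx() is a constructed stand-in for the
# ovftool output (the real file is assumed to be FGT-VM64/FortiGate-VM64.vmx).

set -eu

# Constructed VMX fragment standing in for the ovftool output.
make_sample_vmx() {
    cat > "$1" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "7"
guestOS = "other24xlinux-64"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet1.present = "TRUE"
ethernet1.connectionType = "nat"
ethernet2.present = "TRUE"
ethernet2.connectionType = "nat"
EOF
}

# set_vmx_networks <vmx>: ethernet0 -> nat, ethernet1.. -> hostonly. Only
# connectionType lines are rewritten, via a temp copy so a failed sed leaves
# the original untouched.
set_vmx_networks() {
    vmx="$1"
    sed -e 's/^\(ethernet0\.connectionType\) = ".*"/\1 = "nat"/' \
        -e 's/^\(ethernet[1-9][0-9]*\.connectionType\) = ".*"/\1 = "hostonly"/' \
        "$vmx" > "$vmx.tmp" && mv "$vmx.tmp" "$vmx"
}

# vmx_connection_types <vmx>: print "ethernetN=<type>" per NIC for review.
vmx_connection_types() {
    sed -n 's/^\(ethernet[0-9][0-9]*\)\.connectionType = "\(.*\)"$/\1=\2/p' "$1"
}

# count_type <vmx> <type>: number of NICs using <type> (prints 0 when none).
count_type() {
    vmx_connection_types "$1" | grep -c "=$2\$" || true
}
```

On the real file: `set_vmx_networks FGT-VM64/FortiGate-VM64.vmx && vmx_connection_types FGT-VM64/FortiGate-VM64.vmx` should list ethernet0=nat followed by nine hostonly entries.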

■First boot

$ vmrun -T player start FGT-VM64/FortiGate-VM64.vmx 

■Log in as "admin" with an empty password.
 Assign IPs to port1 and port2 and allow ping/http/telnet on port2.
 "edit 0" is the trick for letting FortiOS pick the next free index itself.
 (This is a throwaway lab: http and telnet carry the admin credentials in the clear,
 and the admin account has no password yet. On anything reachable from other hosts,
 set a password and allow https/ssh instead.)

 Reference: FortiGate完全攻略 (Gihyo, 2015)
    https://gihyo.jp/book/2015/978-4-7741-7266-8

FortiGate-VM64 login: admin
Password:

FortiGate-VM64 # config system interface
FortiGate-VM64 (interface) # edit port1
FortiGate-VM64 (port1) # set description wan
FortiGate-VM64 (port1) # set ip 192.168.152.155 255.255.255.0
FortiGate-VM64 (port1) # show 
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.152.155 255.255.255.0
        set type physical
        set description "wan"
        set snmp-index 1
    next
end
FortiGate-VM64 (port1) # next
FortiGate-VM64 (interface) # edit port2
FortiGate-VM64 (port2) # set ip 172.16.76.155 255.255.255.0
FortiGate-VM64 (port2) # set description internal
FortiGate-VM64 (port2) # set allowaccess ping http telnet
FortiGate-VM64 (port2) # show 
config system interface
    edit "port2"
        set vdom "root"
        set ip 172.16.76.155 255.255.255.0
        set allowaccess ping http telnet
        set type physical
        set description "internal"
        set snmp-index 2
    next
end
FortiGate-VM64 (port2) # end

■Static routes

FortiGate-VM64 # config router static 
FortiGate-VM64 (static) # edit 0
FortiGate-VM64 (0) # set dst 172.16.76.0 255.255.255.0
FortiGate-VM64 (0) # set gateway 172.16.76.2
FortiGate-VM64 (0) # set device port2
FortiGate-VM64 (0) # next
FortiGate-VM64 (static) # edit 0
FortiGate-VM64 (0) # set gateway 192.168.152.2
FortiGate-VM64 (0) # set device port1
FortiGate-VM64 (0) # end

■ping/http check and telnet login

$ ping -c 2 172.16.76.155
PING 172.16.76.155 (172.16.76.155) 56(84) bytes of data.
64 bytes from 172.16.76.155: icmp_req=1 ttl=255 time=0.418 ms
64 bytes from 172.16.76.155: icmp_req=2 ttl=255 time=0.471 ms

--- 172.16.76.155 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.418/0.444/0.471/0.033 ms

$ w3m -no-proxy -dump_head http://172.16.76.155 | grep ^HTTP
HTTP/1.1 200 OK

$ telnet 172.16.76.155
Trying 172.16.76.155...
Connected to 172.16.76.155.
Escape character is '^]'.

FortiGate-VM64 login: admin
Password: 
Welcome !

■Until a license is applied the VM runs on a 15-day evaluation license.

 While the serial number is still the placeholder "FGVMEV0000000000", however,
 neither pattern (AV/IPS) updates nor an HA configuration are possible.

 Also, for HA between VM instances on an ESXi host, the port group carrying the
 heartbeat vNIC must permit forged MAC addresses (the vSwitch "Forged transmits" setting).

FortiGate-VM64 # get system fortiguard | grep license
antispam-license    : Unknown
avquery-license     : Unknown
webfilter-license   : Unknown

FortiGate-VM64 # get system status | grep Serial
Serial-Number: FGVMEV0000000000

■Switching the GUI to Japanese (timezone 60 is GMT+9 Tokyo in the FortiOS timezone table)

FortiGate-VM64 # config system global 
FortiGate-VM64 (global) # set language japanese
FortiGate-VM64 (global) # set timezone 60
FortiGate-VM64 (global) # end
FortiGate-VM64 # show system global | grep "language\|timezone"
    set language japanese
    set timezone 60

■Format the log disk
 ※ this forces a reboot

FortiGate-VM64 # get system status | grep Log
Log hard disk: Need format
FortiGate-VM64 # execute formatlogdisk 
Log disk is /dev/sdb1.
Formatting this storage will erase all data on it, including
  logs, quarantine files;
and require the unit to reboot.
Do you want to continue? (y/n)

■Use that reboot to stop launching the GUI and start the VM headless in the background instead

$ vmrun -T player start FGT-VM64/FortiGate-VM64.vmx nogui
$ vmrun -T player list
Total running VMs: 1
/home/labunix/dlsv/FGT-VM64/FortiGate-VM64.vmx

■Log settings
 Rotation and the rest are up to you; this time the defaults are kept.

FortiGate-VM64 # get system status | grep Log
Log hard disk: Available
FortiGate-VM64 # get log disk setting 
status              : enable 
ips-archive         : enable 
max-policy-packet-capture-size: 10
log-quota           : 0
dlp-archive-quota   : 0
report-quota        : 0
maximum-log-age     : 7
upload              : disable 
full-first-warning-threshold: 75
full-second-warning-threshold: 90
full-final-warning-threshold: 95
max-log-file-size   : 100
storage             : 
roll-schedule       : daily 
roll-time           : 00:00
diskfull            : overwrite 

■Forward logs to a syslog server

 Forwarding FortiGate-80C logs to rsyslog on Debian Wheezy is covered here:
 http://labunix.hateblo.jp/entry/20150226/1424960541

■Proxy settings (web proxy tunnelling for FortiGuard updates)

FortiGate-VM64 # config system autoupdate tunneling
FortiGate-VM64 (tunneling) # set address 10.10.10.88
FortiGate-VM64 (tunneling) # set port 3128
FortiGate-VM64 (tunneling) # set status enable
FortiGate-VM64 (tunneling) # get
status              : enable 
address             : 10.10.10.88 
port                : 3128
username            : 
password            : *
FortiGate-VM64 (tunneling) # end

■Route to the proxy server

FortiGate-VM64 # config router static 
FortiGate-VM64 (static) # edit 0
FortiGate-VM64 (0) # set dst 10.10.10.0 255.255.255.0
FortiGate-VM64 (0) # set gateway 192.168.152.2
FortiGate-VM64 (0) # set device port1
FortiGate-VM64 (0) # end

FortiGate-VM64 # execute ping 10.10.10.88 
PING 10.10.10.88 (10.10.10.88): 56 data bytes
64 bytes from 10.10.10.88: icmp_seq=0 ttl=128 time=0.7 ms

--- 10.10.10.88 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.7/0.7/0.7 ms

■Time sync from the proxy server
 The clock offset reported below, -32400 s, is exactly 9 hours (the JST/UTC difference),
 i.e. the VM's clock was one timezone off before the first sync; confirm the corrected
 time with "execute time".

FortiGate-VM64 # config system ntp 
FortiGate-VM64 (ntp) # set type custom 
FortiGate-VM64 (ntp) # set source-ip 192.168.152.155
FortiGate-VM64 (ntp) # config ntpserver 
FortiGate-VM64 (ntpserver) # edit 0
FortiGate-VM64 (0) # set server 10.10.10.88
FortiGate-VM64 (0) # end
FortiGate-VM64 (ntp) # end
FortiGate-VM64 # get system ntp
ntpsync             : enable 
type                : custom 
syncinterval        : 60
ntpserver:
    == [ 1 ]
    id: 1           
source-ip           : 192.168.152.155
server-mode         : disable 

FortiGate-VM64 # diagnose sys ntp status 
synchronized: yes, ntpsync: enabled, server-mode: disabled

ipv4 server(10.10.10.88) 10.10.10.88 -- reachable(0xff) S:1 T:705 selected 
server-version=4, stratum=2
reference time is d905ba0e.126f0e87 -- UTC Tue May 19 13:33:02 2015
clock offset is -32400.107223 sec, root delay is 661 msec
root dispersion is 2330 msec, peer dispersion is 56 msec

FortiGate-VM64 # execute time
current time is: 23:09:07
last ntp sync:Tue May 19 22:49:07 2015

■DNS client settings
 Allow ping out to the Internet; once connectivity is confirmed, stop it with Ctrl+C.

FortiGate-VM64 # config system dns
FortiGate-VM64 (dns) # set source-ip 192.168.152.155
FortiGate-VM64 (dns) # set primary 192.168.152.2
FortiGate-VM64 (dns) # set secondary 10.10.10.254
FortiGate-VM64 (dns) # end
FortiGate-VM64 # get system dns
primary             : 192.168.152.2
secondary           : 10.10.10.254
domain              : 
ip6-primary         : ::
ip6-secondary       : ::
dns-cache-limit     : 5000
dns-cache-ttl       : 1800
cache-notfound-responses: disable 
source-ip           : 192.168.152.155
FortiGate-VM64 # execute ping update.fortiguard.net 
PING fds1.fortinet.com (96.45.33.88): 56 data bytes
64 bytes from 96.45.33.88: icmp_seq=0 ttl=128 time=116.8 ms
64 bytes from 96.45.33.88: icmp_seq=1 ttl=128 time=116.3 ms
64 bytes from 96.45.33.88: icmp_seq=2 ttl=128 time=117.3 ms

--- fds1.fortinet.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 116.3/116.8/117.3 ms

FortiGate-VM64 # execute ping service.fortiguard.net
PING guard.fortinet.net (208.91.112.198): 56 data bytes
64 bytes from 208.91.112.198: icmp_seq=0 ttl=128 time=95.1 ms
64 bytes from 208.91.112.198: icmp_seq=1 ttl=128 time=94.3 ms
64 bytes from 208.91.112.198: icmp_seq=2 ttl=128 time=94.8 ms

--- guard.fortinet.net ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 94.3/94.7/95.1 ms

■Check the DNS proxy cache

FortiGate-VM64 # get test dnsproxy 12
DST HOSTNAME CACHE: 9
vdom=0 num=9 ttl=86400 limit=5000
...
208.91.112.196 (domain=service.fortiguard.net, ttl=84970)
...
208.91.114.28 (domain=fortiguard.com, ttl=84709)
...
96.45.34.47 (domain=flow.fortinet.net, ttl=84741)
208.91.112.68 (domain=update.fortiguard.net, ttl=84734)
...
96.45.33.88 (domain=update.fortiguard.net, ttl=84734)
96.45.33.89 (domain=update.fortiguard.net, ttl=84734)

■Create the policy (address objects)

FortiGate-VM64 # config firewall address
FortiGate-VM64 (address) # edit 10.10.10.0/24
FortiGate-VM64 (10.10.10.0/24) # set subnet 10.10.10.0 255.255.255.0
FortiGate-VM64 (10.10.10.0/24) # next
FortiGate-VM64 (address) # edit 192.168.152.0/24
FortiGate-VM64 (192.168.152.0/24) # set subnet 192.168.152.0 255.255.255.0
FortiGate-VM64 (192.168.152.0/24) # next
FortiGate-VM64 (address) # edit 172.16.76.0/24
FortiGate-VM64 (172.16.76.0/24) # set subnet 172.16.76.0 255.255.255.0
FortiGate-VM64 (172.16.76.0/24) # end

■Create the policy (rules)
 Two mirrored accept rules with NAT between port1 (wan) and port2 (internal).
 Keep in mind that ALL_TCP/ALL_UDP does not include ICMP, so ping through the unit
 will not match these rules, and that the port1 -> port2 rule accepts any source on
 the wan side into the internal networks, which is acceptable only in this lab.

FortiGate-VM64 # config firewall policy
FortiGate-VM64 (policy) # edit 0
FortiGate-VM64 (0) # set srcintf port1
FortiGate-VM64 (0) # set srcaddr all
FortiGate-VM64 (0) # set dstintf port2
FortiGate-VM64 (0) # set dstaddr 172.16.76.0/24 192.168.152.0/24
FortiGate-VM64 (0) # set action accept 
FortiGate-VM64 (0) # set service ALL_TCP ALL_UDP
FortiGate-VM64 (0) # set logtraffic-start enable
FortiGate-VM64 (0) # set nat enable 
FortiGate-VM64 (0) # set status enable
FortiGate-VM64 (0) # next
FortiGate-VM64 (policy) # edit 0
FortiGate-VM64 (0) # set srcintf port2
FortiGate-VM64 (0) # set srcaddr 172.16.76.0/24 192.168.152.0/24
FortiGate-VM64 (0) # set dstintf port1
FortiGate-VM64 (0) # set dstaddr all
FortiGate-VM64 (0) # set action accept
FortiGate-VM64 (0) # set service ALL_TCP ALL_UDP
FortiGate-VM64 (0) # set logtraffic-start enable
FortiGate-VM64 (0) # set nat enable
FortiGate-VM64 (0) # set status enable
FortiGate-VM64 (0) # next
FortiGate-VM64 (policy) # show
config firewall policy
    edit 1
        set uuid 421c184e-fe3d-51e4-8f9c-cf1d0a244192
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "172.16.76.0/24" "192.168.152.0/24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_TCP" "ALL_UDP"
        set logtraffic-start enable
        set nat enable
    next
    edit 2
        set uuid aa769f90-fe3d-51e4-efdb-f0f48eaa7843
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "172.16.76.0/24" "192.168.152.0/24"
        set action accept
        set schedule "always"
        set service "ALL_UDP" "ALL_TCP"
        set logtraffic-start enable
        set nat enable
    next
end

FortiGate-VM64 (policy) # end

■Pattern update (before the license is applied)

FortiGate-VM64 # execute update-now 

FortiGate-VM64 # diagnose autoupdate status
FDN availability:  unknown at Thu Jan  1 09:00:00 1970

Push update: disable
Scheduled update: enable
	Update daily:	at 1 after 81 minutes
Virus definitions update: enable
IPS definitions update: enable
Push address override: disable
Web proxy tunneling: enable
	Proxy address: 10.10.10.88
	Proxy port:    3128
	Username:      
	Password:      

■Installing the evaluation license from the GUI

 Upload the license file from the web admin UI at
 System > Dashboard > Status
   > License Information > Virtual Machine (License) > Update

■Confirm the pattern updates

# execute update-now
# execute update-av
# execute update-ips

# diagnose autoupdate status
FDN availability:  available at Wed May 20 21:37:30 2015

Push update: disable
Scheduled update: enable
	Update daily:	at 1 after 230 minutes
Virus definitions update: enable
IPS definitions update: enable
Push address override: disable
Web proxy tunneling: enable
	Proxy address: 10.10.10.88
	Proxy port:    3128
	Username:      
	Password:      

# get system fortiguard-service status
NAME               VERSION LAST UPDATE          METHOD    EXPIRE              
AV Engine           5.164  2015-01-27 14:28:00  manual    201X-XX-XX 09:00:00 
Virus Definitions   25.764  2015-05-20 21:28:09  manual    201X-XX-XX 09:00:00 
Extended set        1.000  2012-10-17 15:46:00  manual    201X-XX-XX 09:00:00 
Attack Definitions  6.645  2015-05-20 21:28:09  manual    201X-XX-XX 09:00:00 
Attack Extended Definitions  0.000  2001-01-01 00:00:00  manual    201X-XX-XX 09:00:00 
Botnet Definitions  2.254  2015-05-20 21:28:09  manual    n/a                 
IPS/FlowAV Engine   3.073  2015-05-20 21:28:09  manual    201X-XX-XX 09:00:00 

FGVM010000037084 # get system status | grep DB
Virus-DB: 25.00764(2015-05-20 01:10)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 6.00645(2015-05-16 01:40)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Botnet DB: 2.00254(2015-05-19 20:30)

■Web filter and email filter: FortiGuard DNS connectivity
 The FortiGuard DNS lookups used by web and email filtering only happen when a
 query is made, so test them from the GUI:

 System > Config > FortiGuard
   > Web Filtering and Email Filtering Options
 "Test Availability"

 Note that these 53/UDP queries bypass the proxy and go out directly. In an
 environment where only the upstream DNS server is allowed outbound 53/UDP,
 the filters cannot work. (NAT is fine as long as there is a return path.)
 The rsyslog file confirms it: the sessions below are self-originated
 (subtype=local, srcintf="root", policyid=0) and leave port1 for FortiGuard on 53/UDP.

$ sudo awk '/dstip=208.*dstport=53/{print}' /var/log/Fortigate-VM.log | \
    sed -e 's/ devname=/\n&/'  -e 's/ vd=/\n&/'      -e 's/ sessionid=/\n&/' \
        -e 's/ policyid=/\n&/' -e 's/ service=/\n&/' -e 's/ sentbyte=/\n&/' 
May 20 22:29:10 vmhost date=2015-05-20 time=22:29:11
 devname=FGVMXXXXXXXXXXXX devid=FGVMXXXXXXXXXXXX logid=0001000014 type=traffic subtype=local level=notice
 vd=root srcip=192.168.152.155 srcport=1025 srcintf="root" dstip=208.91.112.198 dstport=53 dstintf="port1"
 sessionid=313 proto=17 action=accept
 policyid=0 dstcountry="United States" srccountry="Reserved" trandisp=noop
 service="DNS" app="DNS" duration=182
 sentbyte=184 rcvdbyte=504 sentpkt=2 rcvdpkt=2
May 20 22:29:10 vmhost date=2015-05-20 time=22:29:11
 devname=FGVMXXXXXXXXXXXX devid=FGVMXXXXXXXXXXXX logid=0001000014 type=traffic subtype=local level=notice
 vd=root srcip=192.168.152.155 srcport=1025 srcintf="root" dstip=208.91.112.196 dstport=53 dstintf="port1"
 sessionid=314 proto=17 action=accept
 policyid=0 dstcountry="United States" srccountry="Reserved" trandisp=noop
 service="DNS" app="DNS" duration=182
 sentbyte=184 rcvdbyte=504 sentpkt=2 rcvdpkt=2
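■Added example: scripting the direct-DNS check

The awk/sed pipeline above relies on the field order staying fixed. The script below is an added example, not code from the post: it parses each FortiOS traffic line into key=value pairs (quoted values such as dstcountry="United States" contain spaces, so a small awk matcher is used instead of splitting on blanks) and lists only the self-originated UDP/53 sessions, i.e. the FortiGuard queries that leave directly and never see the proxy; forwarded client DNS matched by a firewall policy is excluded. SAMPLE_LOG is constructed: the first two lines follow the ones shown above, the third is an invented forwarded DNS session added to show what gets filtered out.

```shell
#!/bin/sh
# Added example, not part of the original post: list the self-originated UDP/53
# sessions (subtype=local, policyid=0, proto=17, dstport=53) from FortiOS
# key=value traffic logs. SAMPLE_LOG is constructed; lines 1-2 follow the post,
# line 3 is an invented forwarded (policy 1, SNAT) client lookup.

set -eu

SAMPLE_LOG='May 20 22:29:10 vmhost date=2015-05-20 time=22:29:11 devname=FGVMXXXXXXXXXXXX devid=FGVMXXXXXXXXXXXX logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=192.168.152.155 srcport=1025 srcintf="root" dstip=208.91.112.198 dstport=53 dstintf="port1" sessionid=313 proto=17 action=accept policyid=0 dstcountry="United States" srccountry="Reserved" trandisp=noop service="DNS" app="DNS" duration=182 sentbyte=184 rcvdbyte=504 sentpkt=2 rcvdpkt=2
May 20 22:29:10 vmhost date=2015-05-20 time=22:29:11 devname=FGVMXXXXXXXXXXXX devid=FGVMXXXXXXXXXXXX logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=192.168.152.155 srcport=1025 srcintf="root" dstip=208.91.112.196 dstport=53 dstintf="port1" sessionid=314 proto=17 action=accept policyid=0 dstcountry="United States" srccountry="Reserved" trandisp=noop service="DNS" app="DNS" duration=182 sentbyte=184 rcvdbyte=504 sentpkt=2 rcvdpkt=2
May 20 22:30:01 vmhost date=2015-05-20 time=22:30:02 devname=FGVMXXXXXXXXXXXX devid=FGVMXXXXXXXXXXXX logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=172.16.76.10 srcport=40000 srcintf="port2" dstip=208.91.112.198 dstport=53 dstintf="port1" sessionid=320 proto=17 action=accept policyid=1 dstcountry="United States" srccountry="Reserved" trandisp=snat transip=192.168.152.155 transport=40000 service="DNS" app="DNS" duration=10 sentbyte=90 rcvdbyte=200 sentpkt=1 rcvdpkt=1'

# local_dns_sessions: read log lines on stdin and print one
# "srcip -> dstip policyid=N session=N" line per self-originated UDP/53 session.
local_dns_sessions() {
    awk '
    {
        split("", kv)                      # reset the key/value table per line
        s = $0
        # consume key=value pairs left to right; a quoted value is taken whole
        while (match(s, /[A-Za-z_-]+=("[^"]*"|[^ "]+)/)) {
            pair = substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
            eq = index(pair, "=")
            k = substr(pair, 1, eq - 1)
            v = substr(pair, eq + 1)
            gsub(/^"|"$/, "", v)           # strip the quotes of quoted values
            kv[k] = v
        }
        if (kv["subtype"] == "local" && kv["proto"] == "17" && kv["dstport"] == "53")
            printf "%s -> %s policyid=%s session=%s\n",
                   kv["srcip"], kv["dstip"], kv["policyid"], kv["sessionid"]
    }'
}

# direct_dns_targets: unique destinations of those sessions, i.e. the hosts the
# unit itself (not only the upstream resolver) needs 53/UDP open towards.
direct_dns_targets() {
    local_dns_sessions | awk '{ print $3 }' | sort -u
}
```

Against the real file this is `local_dns_sessions < /var/log/Fortigate-VM.log`; `direct_dns_targets < /var/log/Fortigate-VM.log` gives the address list to put in the upstream firewall rule if only the resolver is currently allowed out on 53/UDP.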