[rancid] Fortigate additional tweaks and device filters

Nick Nauwelaerts nick.nauwelaerts at aquafin.be
Wed Aug 1 19:22:42 UTC 2018


they're a combination of version & download time as i understand it.

they can be either manually updated or via a scheduled run, but for most if not all a valid support contract is required.
the reason why i prefer this info to be available is because some also change parts of the running config, though as far as i can tell this is only for autoupdating ips rules.

(example of an autoupdate 2 weeks ago)

 #Version: FortiGate-800C XXX
 #Extreme DB: 1.00000(2012-10-17 15:47)
-#IPS-ETDB: 13.00413(2018-07-17 00:10)
+#IPS-ETDB: 13.00414(2018-07-18 00:13)
 #Serial-Number: FG800XXX
 #Botnet DB: 4.00261(2018-06-22 10:09)
 #BIOS version: XXX
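Review bot: the only lines that change in this hunk are the IPS-ETDB version and its timestamp (13.00413 at 2018-07-17 to 13.00414 at 2018-07-18); #Version, #Serial-Number, #Botnet DB and #BIOS are untouched context, so this is precisely the line the `next if (/^\s*IPS-ETDB: .*/);` filter proposed further down the thread would drop, and with that filter this hunk would not appear at all. Note also that this hunk has no `@@` header, so its position in the file cannot be checked from what is quoted.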
@@ -39065,10 +39065,14 @@
 end
 config ips rule "Adobe.Acrobat.PDF.XSL.Engine.Javascript.Handling.Use.After.Free"
 end
+config ips rule "Adobe.Acrobat.PDF.U3D.Data.Stream.PICT.Memory.Corruption"
+end
 config ips rule "Adobe.Acrobat.EMF.EmfPlusObject.Memory.Corruption"
 end
 config ips rule "Adobe.Acrobat.XPS2PDF.Cmap.Encoding.Information.Disclosure"
 end
+config ips rule "Adobe.Acrobat.PDF.LZW.Decoding.Memory.Corruption"
+end
 config ips rule "Adobe.Acrobat.PDF.Javascript.Annotation.Out.of.Bounds.Read"
 end
 config ips rule "Adobe.Acrobat.EMF.EmfPlusDrawLines.PointData.Heap.Overflow"
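Review bot: the two added `config ips rule` stanzas are empty blocks (`config ... end` with no attributes inside), and they sit in the configuration body rather than in the header, so none of the proposed header filters (IPS-ETDB, APP-DB, IPS Malicious URL Database, Botnet DB) would suppress them. Filtering the version stamp alone therefore still yields a diff on every IPS definition update that introduces rules; anyone wanting these quiet would have to skip the `config ips rule` blocks as well, and would then lose the record of which signatures arrived, which is the information the author says he wants kept.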



i guess you could argue that the information that's being filtered is somewhat incomplete to begin with, since for example for antivirus you get the av definitions version but lack the av engine version. as i understand it this was due to the way firewalls with or without vdoms parse their commands?



FG800C # config global
FG800C (global) # diagnose autoupdate versions
AV Engine
---------
Version: 5.00178
Contract Expiry Date: Sun Oct 28 2018
Last Updated using manual update on Thu Jun 30 14:26:00 2016
Last Update Attempt: Wed Aug  1 01:58:39 2018
Result: No Updates

Virus Definitions
---------
Version: 61.00126
Contract Expiry Date: Sun Oct 28 2018
Last Updated using scheduled update on Wed Aug  1 01:58:39 2018
Last Update Attempt: Wed Aug  1 01:58:39 2018
Result: Updates Installed

<snip>

Vulnerability Compliance and Management
---------
Version: 1.00384
Contract Expiry Date: Sun Oct 28 2018
Last Updated using manual update on Fri Oct  2 23:54:00 2015
Last Update Attempt: n/a
Result: Updates Installed




// nick




-----Original Message-----
From: heasley [mailto:heas at shrubbery.net] 
Sent: Wednesday, August 1, 2018 17:35
To: Nick Nauwelaerts <nick.nauwelaerts at aquafin.be>
Cc: Doug Hughes <doug.hughes at keystonenap.com>; rancid-discuss at shrubbery.net
Subject: Re: [rancid] Fortigate additional tweaks and device filters

Wed, Aug 01, 2018 at 08:37:03AM +0000, Nick Nauwelaerts:
> hm,
> i actually like to have those versions in the output. if something breaks my first reaction tends to be: "what changed?", and rancid is usually the first place i check.
> 
> would it be an option to control this with FILTER_OSC , even though it's not quite its intended application?

Could be; what are they?  version stamp of what exactly?

> thx
> 
> // nick
> 
> 
> From: Rancid-discuss [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Doug Hughes
> Sent: Tuesday, July 31, 2018 23:18
> To: rancid-discuss at shrubbery.net
> Subject: Re: [rancid] Fortigate additional tweaks and device filters
> 
> On 7/31/2018 5:14 PM, heasley wrote:
> 
> Fri, Jul 27, 2018 at 08:02:28AM -0500, Chris Wopat:
> 
> Hi Heasley and folks,
> 
> Sept 2017 i sent a note in with some proposed tweaks to a Fortigate to
> filter out some additional chattiness, see:
> 
> http://www.shrubbery.net/pipermail/rancid-discuss/2017-September/009871.html
> http://www.shrubbery.net/pipermail/rancid-discuss/2017-June/009643.html
> 
> A few people chimed in seeming to be OK with the proposed changes, which are
> to filter these things:
> 
> next if (/^\s*IPS-ETDB: .*/);
> next if (/^\s*APP-DB: .*/);
> next if (/^\s*IPS Malicious URL Database: .*/);
> next if (/^\s*Botnet DB: .*/);
> 
> Mentioning this as 3.8 came out and i didn't notice any of these included.
> 
> We have an additional fortigate tweak we make every time we update too,
> which is to change from 'show full-configuration' to just 'show' in
> @commandtable. 'full-configuration' shows default config, just like the
> cisco 'full' command. It's really not necessary IMO.
> 
> This is from:
> r2258 | heas | 2010-10-11 20:49:05 +0000 (Mon, 11 Oct 2010) | 3 lines
> 
> fnrancid: update recent fortinet software - Diego Ercolani
> Cleaned-up a little by me.
> 
> afaict, the justification for full-configuration was so that VDOMs would
> be included in the output.  perhaps this behavior has changed since this
> change??  I have none of these devices.
> 
> I think you are right.. I have a vague recollection of this as well.
> --
> Doug Hughes
> Keystone NAP
> Fairless Hills, PA
> 1.844.KEYBLOCK (439.2562)
> 

> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss
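The filter Chris proposes and the FILTER_OSC knob Nick asks about, as an added Perl example that is not fnrancid's code: it applies the four quoted regexes to constructed status lines modelled on the first hunk above, prefixes survivors with "#" the way the diff shows them, and reports whether two snapshots a day apart would still differ. The mapping "FILTER_OSC=NO keeps the stamps" is an assumption for illustration, not rancid's documented semantics.

```perl
#!/usr/bin/perl
# Added example, not code from fnrancid. Mimics the proposed filtering of
# autoupdate version stamps and shows its effect on rancid's diffs.
use strict;
use warnings;

# The four filters quoted in the thread, as compiled regexes.
my @stamp_re = (
    qr/^\s*IPS-ETDB: .*/,
    qr/^\s*APP-DB: .*/,
    qr/^\s*IPS Malicious URL Database: .*/,
    qr/^\s*Botnet DB: .*/,
);

# Return the header lines rancid would record. The FILTER_OSC handling
# is assumed: NO keeps the stamps, anything else drops them.
sub filter_status {
    my ($filter_osc, @lines) = @_;
    my $keep = ($filter_osc =~ /^no$/i);
    my @out;
    LINE: for my $line (@lines) {
        unless ($keep) {
            for my $re (@stamp_re) {
                next LINE if $line =~ $re;   # drop the version stamp
            }
        }
        push @out, "#$line";                 # rancid comments header lines
    }
    return @out;
}

# Constructed snapshots: only the IPS signature version moved overnight.
my @before = (
    "Version: FortiGate-800C XXX",
    "IPS-ETDB: 13.00413(2018-07-17 00:10)",
    "Serial-Number: FG800XXX",
    "Botnet DB: 4.00261(2018-06-22 10:09)",
);
my @after = @before;
$after[1] = "IPS-ETDB: 13.00414(2018-07-18 00:13)";

for my $setting (qw(YES NO)) {
    my $same = join("\n", filter_status($setting, @before))
            eq join("\n", filter_status($setting, @after));
    printf "FILTER_OSC=%s: header %s\n", $setting,
        $same ? "identical, nothing for rancid to diff"
              : "differs, rancid records the IPS update";
}
```

The empty `config ips rule` stanzas in the second hunk live in the configuration body, not the header, so this filter never sees them and rancid still produces a diff whenever an IPS update adds rules.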
