Play with Fortigate on your own ground!

Posted on June 30, 2012

It is the 3rd firewall I have tried at home on my laptop, which I need for my work. Cisco ASA works in GNS3:
http://blog.gns3.net/2009/12/how-to-emulate-cisco-asa/
Checkpoint Firewall works in VirtualBox too, which is a great advantage for me as it is free and really easy to use.
And now FortiGate can also work in a test environment at home, so now I can prepare for the exams…
Cool stuff! :-)

1. Install vmware workstation 8.0.2

I have tried on my Ubuntu 12.04 LTS the vmware player 4.0.3 and 4.0.2 and vmware workstation 8.0.3.
None of the above versions worked without interaction.
vmware player 4.0.2 worked after patching it according to the link below:
http://communities.vmware.com/message/1900761
patch required:
http://weltall.heliohost.org/wordpress/wp-content/uploads/2012/01/vmware802fixlinux320.tar.gz

the command issued after saving and extracting the patch file (vmware802fixlinux320.tar.gz):

# sudo ./patch-modules_3.2.0.sh

and after every kernel update on Ubuntu I have to issue the same:

# sudo mv /usr/lib/vmware/modules/source/.patched .
# sudo ./patch-modules_3.2.0.sh
# sudo vmware

but I was not able to import the FortiGate virtual machine in it. There was an error message that I did not notice.
So I deleted vmware player:

# sudo vmware-installer -u vmware-player

After that I tried vmware workstation 8.0.2, and it worked with the patch; I easily managed to import the FortiGate virtual machine.
Finding an older version of Workstation was not easy; I could only find it with Google:
https://my.vmware.com/web/vmware/details/wkst_802_lx/dCVkYnRAQGVidHQldw==

# sudo sh ./VMware-Workstation-Full-8.0.2-591240.x86_64.bundle

As the patch was already installed, but the patched modules were deleted together with vmware-player, we have to patch it again. The patch script won't run as it says "already installed", so we have to delete the marker file (.patched) first:

sudo mv /usr/lib/vmware/modules/source/.patched .

and patch again:

# sudo ./patch-modules_3.2.0.sh

VMware requires a license key, which can be a trial one if you register, or you can buy one :-)
Or search in hexenküche and find such pages:

The tested FortiGate software from http://www.fortinet.com (login required):
FGT_VM32-v400-build0521-FORTINET.out.ovf.zip

So far so good. I have changed the interfaces, as the default setting does not suit my network settings:
vmnet0 will be bridged to port1, which will be the FortiGate's external interface to the Internet.
vmnet1 will be bridged to port2, which will be the FortiGate's internal interface.

Links for the Virtual FortiGate Install Guide:
docs.fortinet.com/vm/fortigate-vm-install-guide-40-mr2.pdf
docs.fortinet.com/vm/fortigate-vm-install-guide-40-mr3.pdf

2. Settings in FortiGate similar to Checkpoint's GUI Clients:

After starting to dig into the FortiGate configuration I have found something similar to Checkpoint's GUI Clients. (Why only 10 trusted hosts can be used is not clear, but it is a fact!)

config system admin
{trusthost1 | trusthost2 | trusthost3 | trusthost4 | trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9 | trusthost10}

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit.
If you want the administrator to be able to access the FortiGate unit from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.

Default value:
0.0.0.0 0.0.0.0
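As an added example (my own audit script, not code from the post or from Fortinet), here is a small Python check that parses a "config system admin" block in the syntax shown above and flags administrators whose trusted hosts still allow logins from any address. The configuration text it parses is constructed for illustration; it assumes the text handed to it starts with the admin block.

```python
import ipaddress
import re

# Constructed sample "config system admin" block (not a real device dump):
# "admin" is left at the unrestricted default, "netops" is locked down.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.255.0
        set trusthost2 192.168.1.10 255.255.255.255
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
TRUSTHOST_RE = re.compile(r'^\s*set trusthost(\d+)\s+(\S+)\s+(\S+)\s*$')


def parse_trusthosts(config_text):
    """Map each admin name in a 'config system admin' block to the list of
    IPv4 networks it may log in from (trusthost1 .. trusthost10)."""
    admins, current = {}, None
    for line in config_text.splitlines():
        if line.strip() == "end":  # end of the admin block
            break
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            admins[current] = []
            continue
        m = TRUSTHOST_RE.match(line)
        if m and current is not None and 1 <= int(m.group(1)) <= 10:
            # FortiOS writes "address netmask"; strict=False tolerates host bits.
            net = ipaddress.IPv4Network((m.group(2), m.group(3)), strict=False)
            admins[current].append(net)
    return admins


def unrestricted_admins(config_text):
    """Admins reachable from any source: a 0.0.0.0/0 entry, or no trusthost
    lines at all (the documented default is 0.0.0.0 0.0.0.0)."""
    return sorted(name for name, nets in parse_trusthosts(config_text).items()
                  if not nets or any(n.prefixlen == 0 for n in nets))


if __name__ == "__main__":
    for name in unrestricted_admins(SAMPLE_CONFIG):
        print(f"admin '{name}' accepts logins from any address")
```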

3. Weak encryption method with small RSA key on VM

Somehow my virtual FortiGate has a really weak encryption method for SSH, and HTTPS does not work, as my browser and the FortiGate HTTPS server have no encryption method in common.

Another point, but maybe an important one: the maximum RSA key that can be used on the VM is 512. Is it calculated according to the CPU and memory of the host machine? Could a stronger host machine use a stronger key?