Wednesday, March 7, 2018

The History of a Firewall: How to buy a used Fortigate and not die in the process

While talking with a friend, he asked for my input regarding a firewall option for his small business. He needs something to replace a server which he could be using for whatever else he could think of; we are talking about a rack-type server with something akin to two Xeons and 16GB of RAM for an office with fewer than 20 workers, who are only in during some times of the day.

Overkill is the right word here.

Asking around, many solutions came by: Cisco ASA, FirePower, Palo Alto, SonicWall and Fortinet were some of the names that rang the most, but I was somewhat familiar with Fortinet and the price range was reasonable for what it does in general, so I decided to take a dive onto eBay and managed to squeeze some money out for a Fortigate 60C (it ended up being 50 dollars with tax and shipping).

This was a slippery slope to "what the fuck is going on and what am I doing?".

Getting it was fast and easy, and opening the box confirmed that I had received what the seller specified. Plugging it in gave me nothing but a power light and a blinking status light that went off; looking at the documentation it was not clear to me what was going on, but getting no IP address from the device on the LAN ports made it clear something was not right.

I tried following the other instructions, which indicated there was a Web UI, which I could never get to, even with a static IP address. No routing, and it would not get an IP address through the WAN port; the appliance was dead, apparently.

This is when I complained to the seller, who provided no feedback, about not specifying whether the appliance had been wiped clean or configurations were still in place. The only way to figure this out was to get an RJ45 to DB9 cable and work my way through the console.

If you are wondering how that even works in 2018, let me tell you that I keep an old laptop for this purpose, a Toshiba PIII laptop with Windows 98 (I love doing retrocomputing, guilty as charged; also I do not have a docking station for my T400, otherwise I would not have to use it).

Bringing the connection up with PuTTY showed me a screen asking whether I wanted to do a test with or without an express card. I was baffled by this, but I got it to go through the test without an express card and it indicated a failure with the USB and Ethernet ports (because I was missing the loopback wiring it requires, but I wasn't looking to make any tests, I wanted to get this working).

Turns out that I was running the troubleshooting firmware that came with the Fortigate, which was in the backup section; there was no main firmware loaded onto the device, so this took me to the next logical step, which was getting an account with Fortinet and registering the device.

This is where the "what the fuck is going on" part gets interesting.

It turns out I could not register the device with the SN; it would ask me to contact Support, and when I contacted Fortinet Support they told me nothing could be done as:

1) This appliance was registered under a different name and I could not be provided additional information on this.
2) The seller I bought it from was not an authorized reseller of Fortinet.
3) There was no support plan I could pay for to get assistance with this.
4) I was told to get a refund from the seller because this was pointless.
5) Also, I got told to read the Terms of Agreement (I should do that next time I try to do something this stupid. DUH, bad customer, you used to work customer support, how could you not know this!).

If at this point you are wondering why this is important: well, friend-o, the whole reason this is breaking my neck is that without this type of support I cannot get the firmware for the device. Even though I have it physically with me and I paid money for it, I could not get what I needed (I also read about doing the one-month free trial for FortiGuard or some such, but I could not find this; my google-fu was weakening because my brain was drying out at this point).

I did not despair though; I assumed a good Samaritan somewhere in the world would be kind enough to have put the firmware somewhere public, even if that meant getting shit-canned by Fortinet. My assumption was right: I found it in an open FTP folder on a website (which I will not name to avoid issues, but if you leave a comment or send me a message I can point you in the right direction).

Finally I had the Fortigate 60C 5.2.8 firmware (fuck the cookbook, I had this and only this; following the damn path was out of the picture at this point), so I had to get working on pushing it through TFTP, which in turn takes me to the "what am I doing?" section.

Picture this: I have a Windows 98 computer which is the only one that can connect through the console to the Fortigate, and I have no other Windows machine in the house (I run Debian; Windows has been out of the question for years, even if I have virtual machines and other nonsense around; I use it at work half the time, the other half is flying through *nix consoles). I did not want to do a whole ordeal of putting a TFTP server on Debian, so I ended up downloading tftpd32 version 3.0, which works fine in Windows 98, but I can't get the firmware onto the Windows 98 machine directly (because the browsers won't work on the site, lucky me, eh?), so I get it onto my Debian machine, push it to a Samba folder that Windows 98 can access (how vulnerable am I?) and then into the tftpd32 folder, set up the DHCP server, connect it to port 1 on the appliance (after reading through the messages on the screen) and push it through the console.

Was I successful? Of course! It took about a minute or two to move the image and another minute or two for the appliance to be ready, but as soon as it was done it came to life; the Fortigate was alive and I could move through the Web UI as promised (no, I just did not want to deal with the console at this point, thank you very much).
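If you would rather serve the image from the Debian box than stand up tftpd32 on the Windows 98 laptop, the following is an added example (mine, not the author's setup or Fortinet's tooling): a minimal read-only TFTP server following RFC 1350 that answers a single whitelisted filename, only from the appliance's address, moves the image in 512-byte DATA blocks waiting for each ACK, and prints the image's SHA-256 so it can be compared with the checksum Fortinet publishes for that release before an image picked up from an anonymous FTP folder is flashed onto the box. The bind address, the appliance's address and the filename are assumptions for the example; whatever the console boot menu asks you to type for server address and filename has to match what this serves, and binding UDP 69 needs root.

```python
"""Minimal read-only TFTP server (RFC 1350: RRQ -> DATA/ACK) for pushing one firmware image.

Added example; not the author's tooling. Addresses and filename below are assumptions.
"""
import hashlib
import socket
import struct
import sys

BLOCK_SIZE = 512
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5


def parse_rrq(packet: bytes):
    """Return (filename, mode) for a well-formed RRQ, else None."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_RRQ:
        return None
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, and the empty piece after the final NUL
        return None
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def make_data(block: int, payload: bytes) -> bytes:
    # Block numbers are 16-bit and wrap; an image over 32 MiB needs more than 65535 blocks.
    return struct.pack("!HH", OP_DATA, block & 0xFFFF) + payload


def make_error(code: int, msg: str) -> bytes:
    return struct.pack("!HH", OP_ERROR, code) + msg.encode("ascii") + b"\x00"


def parse_ack(packet: bytes):
    """Return the acknowledged block number, or None if the packet is not an ACK."""
    if len(packet) != 4 or struct.unpack("!H", packet[:2])[0] != OP_ACK:
        return None
    return struct.unpack("!H", packet[2:4])[0]


def split_blocks(data: bytes):
    """512-byte payloads; the final block is always shorter than 512 (possibly empty) to signal EOF."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    return blocks


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def serve_once(image_path, allowed_name, client_ip, expected_sha256=None,
               bind=("0.0.0.0", 69), timeout=5.0, retries=5):
    """Serve exactly one file to exactly one client, then return."""
    with open(image_path, "rb") as fh:
        image = fh.read()
    digest = sha256_hex(image)
    print(f"serving {allowed_name} ({len(image)} bytes) sha256={digest}")
    if expected_sha256 and digest.lower() != expected_sha256.lower():
        raise SystemExit("checksum mismatch: refusing to serve an image of unknown provenance")

    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(bind)
    while True:  # wait for an acceptable RRQ; ignore everything else
        pkt, peer = srv.recvfrom(1024)
        if peer[0] != client_ip:
            continue
        req = parse_rrq(pkt)
        if req is None:
            continue
        name, mode = req
        if name != allowed_name or mode != "octet":  # binary images need octet mode
            srv.sendto(make_error(1, "File not found"), peer)
            continue
        break

    # The transfer runs from a fresh ephemeral port (the server's new TID, per the RFC).
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer.settimeout(timeout)
    for idx, payload in enumerate(split_blocks(image), start=1):
        data = make_data(idx, payload)
        for _ in range(retries):
            xfer.sendto(data, peer)
            try:
                ack, src = xfer.recvfrom(1024)
            except socket.timeout:
                continue
            if src == peer and parse_ack(ack) == (idx & 0xFFFF):
                break
        else:
            raise RuntimeError(f"no ACK for block {idx}; transfer aborted")
    print("transfer complete")


if __name__ == "__main__":
    # Assumed values: image file, the name the appliance asks for, the appliance's address,
    # and the vendor-published hash (optional) to compare against.
    path, name, client = sys.argv[1], sys.argv[2], sys.argv[3]
    expected = sys.argv[4] if len(sys.argv) > 4 else None
    serve_once(path, name, client, expected, bind=("192.168.1.168", 69))
```

Run it as root with the image path, the filename the appliance requests, the appliance's address and, if you have it, the published SHA-256; anything else hitting port 69 is ignored, since TFTP has no authentication of its own.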

After changing some of the configurations and confirming that I could not register the appliance no matter what I tried, I got connected to the internet and began to toy around with the configurations, which were easier than I thought.

Was I done? Oh no, I also had to try one last step before I was happy with what I had done.

I had to forward the logs to Splunk, Splunk Light that is, because I have no hardware that can run the Enterprise version. After opening UDP 514 to receive logs I could see them slowly moving in (I'm just one person testing it out), and while I could get the FortiGate App for Splunk installed, I see little purpose in it at the moment.
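To see what actually arrives on UDP 514 before (or instead of) handing it to Splunk, here is an added example (mine, not the author's setup and not the Splunk app): a small listener that parses the key=value body FortiOS writes into each syslog message and flags inside hosts that keep hitting deny rules. The sample lines are constructed in FortiOS style for the example, not logs from the author's appliance; the devid is a placeholder and the listener's bind address is an assumption.

```python
"""Receive FortiGate syslog on UDP 514, parse the key=value body, and flag noisy denied sources.

Added example; not the author's setup. Sample lines are constructed, not real logs.
"""
import re
import socket
from collections import Counter

# Constructed sample lines in FortiOS key=value style. devid is a placeholder; the
# destination addresses are from the documentation range 203.0.113.0/24.
SAMPLE_LINES = [
    '<189>date=2018-03-07 time=21:02:11 devname=FGT60C devid=FG60C-PLACEHOLDER type=traffic '
    'subtype=forward level=notice vd=root srcip=192.168.1.50 srcport=51234 srcintf="internal" '
    'dstip=203.0.113.10 dstport=23 dstintf="wan1" proto=6 action=deny policyid=0 '
    'msg="Denied by forward policy check"',
    '<189>date=2018-03-07 time=21:02:12 devname=FGT60C devid=FG60C-PLACEHOLDER type=traffic '
    'subtype=forward level=notice vd=root srcip=192.168.1.51 srcport=40022 srcintf="internal" '
    'dstip=203.0.113.20 dstport=443 dstintf="wan1" proto=6 action=accept policyid=1',
    '<189>date=2018-03-07 time=21:02:15 devname=FGT60C devid=FG60C-PLACEHOLDER type=traffic '
    'subtype=forward level=notice vd=root srcip=192.168.1.50 srcport=51235 srcintf="internal" '
    'dstip=203.0.113.11 dstport=23 dstintf="wan1" proto=6 action=deny policyid=0 '
    'msg="Denied by forward policy check"',
]

PRI_RE = re.compile(r"^<(\d{1,3})>")           # syslog priority prefix, e.g. <189>
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')  # key=value or key="value with spaces"


def parse_fortigate_line(line: str) -> dict:
    """Return the fields of one message as a dict; quoted values keep their spaces.

    'pri' carries the syslog priority when the line has one. Unparseable input yields {}.
    """
    line = line.strip()
    record = {}
    m = PRI_RE.match(line)
    if m:
        record["pri"] = int(m.group(1))
        line = line[m.end():]
    for key, raw, quoted, bare in KV_RE.findall(line):
        record[key] = quoted if raw.startswith('"') else bare
    return record


def denied_sources(records, threshold: int = 2) -> dict:
    """Count action=deny per srcip; return sources at or above threshold, most frequent first."""
    counts = Counter(r["srcip"] for r in records
                     if r.get("action") == "deny" and "srcip" in r)
    return {ip: n for ip, n in counts.most_common() if n >= threshold}


def listen(bind_ip: str = "192.168.1.2", port: int = 514, on_record=print):
    """Blocking UDP syslog listener. bind_ip is an assumed inside-interface address.

    UDP syslog is unauthenticated and unencrypted, so bind to the inside interface only
    and record the datagram's real source address next to whatever the message claims.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, (src_ip, _) = sock.recvfrom(65535)
        rec = parse_fortigate_line(data.decode("utf-8", "replace"))
        rec["syslog_src"] = src_ip
        on_record(rec)


if __name__ == "__main__":
    parsed = [parse_fortigate_line(l) for l in SAMPLE_LINES]
    for r in parsed:
        print(r.get("srcip"), "->", r.get("dstip"), r.get("dstport"), r.get("action"))
    print("repeat offenders:", denied_sources(parsed))
```

Port 514 needs root (or a capability) to bind, and because the datagrams are plaintext and trivially spoofable, anything reached over UDP 514 should only be trusted from the firewall's own address on the inside network; the same parser works unchanged if the appliance is later pointed at a TCP or TLS syslog receiver.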

Hope this helps someone in the future (maybe even myself) and saves some precious hours of their life. Feel free to leave a comment or message me with any questions regarding this!
