Friday, September 8, 2017

Fortinet HQIP Test

I've been busy lately, obviously.  Learning a bunch of new stuff related to my job, and some unrelated.  In order to be good at information security, one should also be good at the other areas of IT, such as sysadmin work.  So I'm learning about FortiGate firewalls.

Sometimes hardware issues come up, and diagnostic tests need to be performed before you can get a return authorization (RMA) for the device.  Since I have an older model, I had to perform something called an HQIP test.  The directions are here:


The directions show the diagram for the 60C model.  The model that I have is a 60D, which differs in a few ways.  Mine has 7 switch ports, a DMZ port, a WAN1 port, and a WAN2 port.

So, I will describe how to perform the test to make others' lives easier.

Make sure you have everything that you need:

Hardware
  • Laptop/desktop computer to act as terminal and TFTP server
  • Ethernet cables (5 in this case)
  • A USB-to-console adapter
  • The console cable that came with the device
  • The power cable that came with the device
  • A paper clip
  • A USB drive

Software
  • FortiExplorer can be used.  However, I didn't use it because I didn't know how to save the output with it, and in order to do an RMA the output must be included with the request.
  • I used PuTTY and SolarWinds TFTP Server.
  • The correct HQIP test image
  • A firmware image on a USB drive in case something goes wrong

Acquire The Test Image

The image can be downloaded from the Fortinet Support site.
  • Log in with your account username and password
  • Click on your account.
  • Select the Download Tab
  • Select the HQIP Images Option
  • Click on the text-box
  • Type in your serial number
  • Download the specified test image by clicking on the link.
  • Once the TFTP server is set up, move this image from Downloads to C:/TFTP-Root, which is the default folder for SolarWinds TFTP Server, or to whatever folder you configured the server to use.

Device Set-UP
  • Connect the USB-Console adapter into the firewall via the Console Port
  • Make sure that the other end is connected to the laptop via the USB port.
  • Connect the Ethernet Cable from the laptop to the WAN1 port on the firewall (this can be any of the ports so long as it’s configured properly in the test script.)
  • Connect the loopback wiring according to the diagram below.  If the diagram is wrong, the test will tell you how to wire it properly.
  • You will not be able to wire the device completely according to the instructions at first.  Wire as much of it as you can now to make your life easier later, and don't worry that you can't finish it yet.  One port has to be connected to the laptop serving as the TFTP server/terminal, which leaves one loopback port open.  This is normal.  Before the test is performed, you will be asked to wire the rest of it properly.
  • Connect the Power Cable

FortiWifi 60D Loopback Wiring Diagram
Port 1 to Port 2
Port 3 to Port 4
Port 5 to Port 6
Port 7 to DMZ Port
WAN1 Port to WAN2 Port

Set Ethernet Adapter to Static IP Address

For Windows 10:
  • Right-Click on the Connection Icon in the task bar on the right hand side
  • Select “Open Network and Sharing Center”
  • Click on the “Change Adapter Settings Link” on the left-hand side
  • Right-Click on the Adapter you want to use
  • Select “Properties”
  • Click on “Internet Protocol Version 4 (TCP/IPv4)” to highlight it
  • Click the “Properties” button
  • Select the “Use the following IP Address” radio button
  • Type in the desired IP Address, Subnet, and default Gateway

Make Sure that the Windows Firewall on the Laptop Allows TFTP
For Windows 10:
  • Click the Windows icon at the bottom left of the screen
  • Type “Windows Firewall”
  • Select the “Windows Firewall Control Panel” Option
  • A popup will appear
  • Click on the “Advanced Settings” link on the left-hand side
  • Click on “Inbound” Rules
  • Click on the “New Rule” link on the right-hand side
  • A pop-up will appear to configure the new rule.
  • Click on the "Port" radio button
  • Click "Next"
  • Click on the "UDP" radio Button
  • Click on the "Specific Local Ports" radio button
  • Type "69" into the text box
  • Click "Next"
  • Choose the “Allow the connection” radio button
  • Choose which profiles the rule applies to.  Be careful with this one, because you don't want just anyone to be able to connect.  Most people choose Domain or Private (Home).  As I recall, Public actually has stricter rules, but you don't want the TFTP server to be reachable on a public network, so it's best not to include Public.
  • Type in a Name for the rule: TFTP, and a Description if desired.
  • Click "Finish"
  • To ensure that not just anyone can connect, you can limit the IPs that can connect to it.
    • Find the TFTP rule in the rules list
    • Right-Click on it
    • Click "Properties"
    • Click "Scope"
    • Change the scope to the IP or range of IPs that you are comfortable connecting with your TFTP server.  (In this case, the IP that you plan to set the firewall to in the HQIP test.)
    • Remember that people can spoof IP Addresses, so this isn't foolproof.
  • If you’re paranoid, remove/disable this rule when you are done.  Disabling is as simple as right-clicking the rule in the rules list and selecting the “Disable” option.
  • Repeat the above steps with the exception of choosing “Outbound” instead of “Inbound” rules in the second step.

Setting up the TFTP Server:
If you are using SolarWinds TFTP Server:
  • Click on “File>Configure”
  • Select the “Server Bindings Tab”
  • You can bind it to all IP Addresses on the machine by selecting the "bind to all IP Addresses" radio button.  This is not recommended for security reasons.
  • Select the “use custom server binding” radio button
  • Click in the text box
  • Type the IP address or range that the laptop will serve the file from, in CIDR notation.  (If you don't specify a prefix length, the program will choose one for you, such as /32.)
  • Click the + sign on the right side.  The IP Address should now be added to the custom server binding box.
  • Click OK
  • There should be a popup showing that TFTP was started on Port 69.
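The three Windows-side steps above (static IP on the adapter, the scoped TFTP firewall rule, and the TFTP server binding) can also be done and checked from an elevated PowerShell prompt. This is an added example, not part of the original post and not SolarWinds or Fortinet code. It assumes the wired adapter is named "Ethernet" (check with Get-NetAdapter) and uses the addresses the post uses later: laptop/TFTP server 192.168.0.1/24, firewall 192.168.0.2. The rule names TFTP-HQIP-In and TFTP-HQIP-Out are my own choice. The binding check at the end expects the TFTP server to already be running.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell on the laptop.
# Assumptions: adapter alias "Ethernet"; laptop 192.168.0.1/24; firewall 192.168.0.2.
$Adapter    = 'Ethernet'
$LaptopIP   = '192.168.0.1'
$FirewallIP = '192.168.0.2'   # the only host allowed to reach the TFTP server

# 1. Static address on the NIC cabled to the firewall (replaces the IPv4 Properties dialog).
#    No default gateway is set: the firewall is on the same subnet, so none is needed.
Set-NetIPInterface -InterfaceAlias $Adapter -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $LaptopIP -PrefixLength 24 | Out-Null

# 2. Windows Firewall rules for TFTP (UDP/69), scoped to the firewall's address only and to the
#    Domain/Private profiles, never Public. The inbound rule admits the device's read request;
#    the outbound rule mirrors the post's "repeat for Outbound" step (only matters if outbound
#    filtering is enabled on the laptop).
$ruleCommon = @{
    Protocol      = 'UDP'
    Action        = 'Allow'
    Profile       = 'Domain,Private'
    LocalAddress  = $LaptopIP
    RemoteAddress = $FirewallIP
}
New-NetFirewallRule -DisplayName 'TFTP-HQIP-In'  -Direction Inbound  -LocalPort 69 @ruleCommon | Out-Null
New-NetFirewallRule -DisplayName 'TFTP-HQIP-Out' -Direction Outbound @ruleCommon | Out-Null

# 3. With the TFTP server started, confirm it listens only on the laptop's address.
#    A 0.0.0.0 binding means "bind to all IP addresses", which the post advises against.
$listener = Get-NetUDPEndpoint -LocalPort 69 -ErrorAction SilentlyContinue
if (-not $listener) {
    Write-Warning 'Nothing is listening on UDP/69; start the TFTP server first.'
} elseif ($listener.LocalAddress -contains '0.0.0.0') {
    Write-Warning 'TFTP server is bound to all addresses; switch it to a custom server binding.'
} else {
    Write-Host "TFTP listening on $($listener.LocalAddress -join ', ') port 69"
}

# 4. When the test is finished, turn the rules off rather than leaving UDP/69 open.
function Disable-TftpRules {
    Get-NetFirewallRule -DisplayName 'TFTP-HQIP-*' | Disable-NetFirewallRule
}
```

Call Disable-TftpRules (or delete the rules with Remove-NetFirewallRule) once the image has transferred; the scope on RemoteAddress limits exposure while the rules are active, but as the post notes, source addresses can be spoofed, so the rules should not stay enabled longer than needed.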

Setting up PuTTY for the Console Connection:

  • On the left-hand side, there will be a section called “Connection”
  • Choose “Serial”
  • On the right-hand side, change the “Serial line to connect to” to the COM interface of the laptop.
  • This can be checked in "Device Manager" under "Ports (COM & LPT)"
  • On the right-hand side,
  • Speed(baud) should be 9600
  • Data bits should be 8
  • Stop bits should be 1
  • Parity should be None
  • Flow Control should be XON/XOFF
  • Click "Open".  Assuming that the cables are properly set up and device is functioning properly, you should get a console connection to the device.  Sometimes you have to press Enter to see the prompt.


Configure the Settings on the Firewall for the TFTP Transfer

  • Log in using your credentials.  The default username for this model is admin, and the default password is blank (no password).
  • Type “execute reboot”.
  • Watch the screen carefully.  When it says, “Please wait for the OS to boot, or press any key to display configuration menu”, at this point, press any key.
  • A configuration menu will be displayed.


The first menu looks like this on this model:

[C]:  Configure TFTP parameters.
[R]:  Review TFTP parameters
[T]:  Initiate TFTP firmware transfer
[F]:  Format boot device.
[I]:  System information.
[B]:  Boot with backup firmware and set as default
[Q]:  Quit menu and continue to boot.
[H]:  Display this list of options.

Configure the following settings, noting that anything in brackets is the default setting.

First, we want to configure it to grab the test image from the TFTP server (that is, our laptop/desktop computer running SolarWinds TFTP Server).

So the first option we should select is C.

The next menu looks like this:

[P]:  Set firmware download port
[D]:  Set DHCP mode
[I]:  Set local IP address.
[S]:  Set local subnet mask.
[G]:  Set local gateway
[V]:  Set local VLAN ID
[T]:  Set remote TFTP server IP address
[F]:  Set firmware file name
[E]:  Reset TFTP parameters to factory defaults
[R]:  Review TFTP parameters
[N]:  Diagnose networking(ping).
[Q]:  Quit this menu
[H]:  Display this list of options.

Select P to set the firmware download port.  You can choose the default option, which on this model I think is WAN1, but keep in mind that if that port is bad, the transfer won't work, and you'll have to choose a different port in that case.  Finding the correct one is trial and error, because the default port may be different for each model and, like I said, the port could be bad.  If one port fails to work, start this portion over again and try another.  The options are:

[0]:  Any of port 1-7
[1]:  WAN1
[2]:  WAN2

Choose 1 for the WAN1 port.

The next option that should be selected is I, to set the local IP address.  This is the IP address of the firewall.  Again, you can select the default, just make sure that the ethernet adapter on your laptop is configured to be on this same subnet.  I make it easy and use 192.168.0.2.

Select S to set the local subnet mask.  I use 255.255.255.0, which is the default.  Press enter to choose the default.  Just make sure that your laptop ethernet adapter is configured with the same subnet mask.

Select G to set the local Gateway.  I make this the same as the laptop/TFTP Server/Terminal.  Usually 192.168.0.1.

I’m not concerned with the local VLAN ID, but this may apply to you if you use VLANs, so use it if you need to.

Select T to set the remote TFTP server IP Address.  This should be the same as your laptop Ethernet Adapter IP Address.  Again, I use 192.168.0.1.

Select F to set the firmware file name.  This must be the same name as the test image you downloaded from the Fortinet support site, or whatever you renamed it to.

Select R to review the settings.

Make any necessary changes.

Select Q to exit this menu and return to the first menu.

Select T to grab the test image from the laptop/TFTP Server.

If the file is transferring properly, you will see a row of pound signs in the PuTTY display.  While the image is transferring, you will also see a notification in the SolarWinds TFTP window.
If it isn’t transferring, do normal troubleshooting to find out what the error is.

Common issues:

  • Cables aren't properly connected.
  • The wrong download port was chosen in the firewall's TFTP settings.
  • TFTP server not configured properly.
  • Windows Firewall not configured to allow TFTP connections.

If it transferred properly, the PuTTY/terminal display will ask you what you want to do with the test image.
Type R to reset without saving the image.
In this case, the test doesn't start on its own.  (Some models start it automatically.)  You have to log in with the default credentials.  For this model: user admin, password blank (no password).
Type "diagnose hqip start" into the PuTTY/terminal session.

There will be a message asking for a USB key.  Don’t worry about it.  That is for a firmware image on a USB drive.  Just press enter twice.  Since you selected “R”, it should just keep the old firmware.  You may want to reset the firmware anyway, but for RMA purposes, it may be best to keep the firmware as is.

It will run tests on its own.

You will be asked to check the LEDs.  Follow the directions in the PuTTY/terminal session.  Press the spacebar if a check passes, Enter if it fails.

You will be asked to check whether the reset button functions properly.  Follow the directions in the PuTTY/terminal session and simply use a paper clip to press the reset button.  If it functions properly, you will see output and the word "PASSED".  If you don't see that, then it may have "FAILED".  Wait a few minutes; if it still doesn't do anything, press Enter.  On the 60D model, the reset button is located near the power connector.
Do not unplug anything yet.

Save the Test Results

In PuTTY:
Method 1:
Right-click on the title bar of the terminal window
Select "Copy Contents to Clipboard"

Open Notepad
Paste the contents into the file
Save the results as your desired file name (I use serial number_HQIP_Test_Results)

Method 2:
Enable logging in PuTTY
On the left-hand side, under "Session", select "Logging".
Choose the “Printable Output” radio button.  (“All session output” will show you everything.  For RMA, the All session output option may be the best.)
Select the log file name.  The default is “putty.log”
Choose what to do if the file exists.  Choose either the radio button that says, “always append to the end of it” or the “ask the user” radio button.
Confirm that all the output was captured.
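As an alternative to the PuTTY logging options above, the console session can be driven from a PowerShell console window using the same serial settings given earlier (9600 baud, 8 data bits, no parity, 1 stop bit, XON/XOFF), with everything the device prints appended to a log file as it arrives, so nothing is lost if the scrollback is cleared. This is an added example, not part of the original post and not Fortinet or PuTTY code. It assumes the USB-to-console adapter appears as COM3 in Device Manager (adjust the parameter if yours differs); the log file name is my own choice, following the serial-number naming idea from Method 1.

```powershell
# Added example (not from the original post). Run in a regular PowerShell console, not the ISE.
# Assumptions: console adapter on COM3; log written to the current directory.
param(
    [string]$PortName = 'COM3',
    [string]$LogFile  = "SERIALNUMBER_HQIP_Test_Results_$(Get-Date -Format 'yyyyMMdd_HHmmss').log"
)

# Same settings the post gives for PuTTY: 9600 8N1 with XON/XOFF flow control.
$port = New-Object System.IO.Ports.SerialPort -ArgumentList $PortName, 9600,
            ([System.IO.Ports.Parity]::None), 8, ([System.IO.Ports.StopBits]::One)
$port.Handshake = [System.IO.Ports.Handshake]::XOnXOff

$LogPath = Join-Path (Get-Location).Path $LogFile
$port.Open()
Write-Host "Connected to $PortName. Logging to $LogPath. Press Ctrl+] to quit."
$port.Write("`r")   # the post notes you sometimes have to press Enter to see the prompt

try {
    while ($true) {
        # Device -> screen and log file (ReadExisting does not block)
        $chunk = $port.ReadExisting()
        if ($chunk.Length -gt 0) {
            Write-Host -NoNewline $chunk
            [System.IO.File]::AppendAllText($LogPath, $chunk)
        }
        # Keyboard -> device; Enter sends CR, spacebar/Enter answer the LED prompts as the post describes
        if ([Console]::KeyAvailable) {
            $key = [Console]::ReadKey($true)
            if ([int]$key.KeyChar -eq 29) { break }                 # Ctrl+] (0x1D) ends the session
            if ($key.KeyChar -ne [char]0) { $port.Write([string]$key.KeyChar) }   # skip arrow/function keys
        }
        Start-Sleep -Milliseconds 20
    }
}
finally {
    $port.Close()
    Write-Host "`nSession closed. Log saved to $LogPath"
}
```

Because each chunk is appended the moment it is read, the log file contains the whole HQIP run, including the "PASSED"/"FAILED" lines from the LED and reset-button checks, which is what the RMA request needs; review the file before submitting it, just as the post says to confirm that all output was captured.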

Gracefully Shut Down the Firewall

In the PuTTY session, before unplugging anything, type "execute shutdown" and press Enter.
Do not unplug anything until it says, “The system is halted.”
