Having device management exposed on internet-facing interfaces is something we all want to avoid, but if such an exposure did occur, wouldn't you want to know?
This query inspects all interfaces and specifically checks whether http, https, fgfm (FortiManager), snmp or SSH are enabled via the set allowaccess command.
To run this check you'll need to configure a custom command.
Custom Command Required:
show system interface
The Query:
/**
 * @intent Do not present fgfm, SSH, HTTPS on internet-facing ports
 * @description Check all interfaces that face the internet to ensure
 * "SSH", "HTTPS" and "fgfm" (and the other management services listed below) are not present.
 *
 * Example interface:
 *   edit "mgmt1"
 *     set vdom "root"
 *     set ip 169.254.255.2 255.255.255.255
 *     set allowaccess ping https ssh snmp
 *     set status down
 *     set type physical
 *     set dedicated-to management
 *     set role lan
 *     set snmp-index 1
 *   next
 */
ifacePattern =
```
config system interface
  edit {ifaceName:string}
    set ip {strAddress:string} {strSubnet:string}
    set allowaccess {accessPermitted:(string*)}
```;

// List of permissions we want to ensure are not present on an internet-facing interface
permissionsList = ["fgfm", "ssh", "snmp", "http", "https"];
// RFC1918 ranges plus link-local; anything outside these is treated as internet facing
strRfcRanges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"];

foreach device in network.devices
where device.platform.vendor == Vendor.FORTINET // Only select Fortinet devices; as we only have firewalls, this is sufficient.
foreach command in device.outputs.commands
where command.commandText == "show system interface" // Retrieve only the output of the custom command
let response = command.response
let parsedOutput = parseConfigBlocks(OS.FORTINET, response)
let matches = blockMatches(parsedOutput, ifacePattern) // Match the data against the ifacePattern variable
foreach match in matches
let ipAddr = ipAddress(match.data.strAddress) // Convert the IP address string into an IP address
let ifacePerms = match.data.accessPermitted // Permitted access list (probably not needed, but it reads a bit neater in my view)
// rfcAddress is non-empty when ipAddr falls inside one of the private ranges
let rfcAddress = (foreach rfcSubnet in strRfcRanges
                  where ipAddr in ipSubnet(rfcSubnet)
                  select ipAddr)
where length(rfcAddress) == 0 // If this is 0 then this is an internet-facing address and we should be checking.
// Check each banned permission in turn to see whether the interface has it present.
let bannedPerms = (foreach bannedPerm in permissionsList
                   where bannedPerm in ifacePerms
                   select bannedPerm)
// Display data; violation is true when management access is presented to the internet.
select {
  violation: length(bannedPerms) > 0,
  name: device.name,
  ifaceName: match.data.ifaceName,
  ip: ipAddr,
  ifaceParams: ifacePerms,
  exposedPerms: bannedPerms
}
While 169.254.0.0/16 is not part of RFC1918, it appears on non-internet-facing interfaces, so it needed to be excluded.
Any suggestions gratefully received, and I hope it is useful.
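As an added example (not part of this post, and not NQE), here is the same check re-implemented in Python over raw `show system interface` output, so it can be run offline against a saved config; the sample output and the interface names in it are constructed.

```python
import ipaddress
# Management services that must not be reachable on an internet-facing interface.
BANNED_PERMS = {"fgfm", "ssh", "snmp", "http", "https"}
# RFC1918 plus link-local, the same exclusion list the query uses.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
# Constructed sample of 'show system interface' output; not captured from a real device.
SAMPLE_OUTPUT = """\
config system interface
    edit "mgmt1"
        set ip 169.254.255.2 255.255.255.255
        set allowaccess ping https ssh snmp
    next
    edit "wan1"
        set ip 203.0.113.10 255.255.255.248
        set allowaccess ping https ssh
    next
end
"""

def parse_interfaces(text):
    """Map interface name -> {'ip': address or None, 'allowaccess': set of services}."""
    ifaces, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("edit "):
            name = line.split(None, 1)[1].strip('"')
            ifaces[name] = {"ip": None, "allowaccess": set()}
        elif name and line.startswith("set ip "):
            ifaces[name]["ip"] = line.split()[2]  # address only; the mask is not needed
        elif name and line.startswith("set allowaccess "):
            ifaces[name]["allowaccess"] = set(line.split()[2:])
        elif line == "next":
            name = None
    return ifaces

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)

def find_exposed(text):
    """Return (iface, ip, exposed services) for non-private interfaces exposing management."""
    findings = []
    for name, data in parse_interfaces(text).items():
        if data["ip"] is None or is_private(data["ip"]):  # unnumbered, RFC1918 or link-local
            continue
        exposed = sorted(data["allowaccess"] & BANNED_PERMS)
        if exposed:
            findings.append((name, data["ip"], exposed))
    return findings
```

Like the query, this treats every address outside the listed ranges as internet facing and ignores interface status, so a shut-down interface with a public address is still reported.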