Restricting access using Geolocation via Fortigate

There will be instances where you need to make a server publicly reachable so that remote offices can access applications within your network.

FortiOS versions 7 and above offer Geo-IP restriction features, enabling administrators to control access to internal services based on geographical location. This feature is particularly useful for organizations with remote offices or users who need to access applications within the network from specific countries or regions.

By configuring Geo-IP restrictions, you can:

Allow access to internal services only from specific countries or regions.
Restrict access from countries or regions with high security risks.
Comply with data sovereignty regulations by controlling where data is accessed.
Enhance security by limiting exposure to unauthorized access.

To configure Geo-IP restrictions:

1. Log in to your FortiGate admin portal, expand Policy and Objects and select Addresses.

2. Select Create New and select Address.

3. Type a name for the location and select Geography from the Type dropdown list.

4. Select the country you want to allow.

5. Select the interface that this address restriction should apply to.

6. Click OK to save.

7. Regions added will appear in the Geography address group.

8. Apply the policy by selecting the newly added address as the Source of the policy to which you want to add the restriction.

9. Click OK to complete the setup.
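The steps above build a geography address and bind it to the source of a policy; what the firewall then does per packet is a country lookup on the source IP followed by a top-down policy match, with anything unmatched hitting the implicit deny. The following Python script is an added illustration of that evaluation logic, not FortiGate code: the prefix-to-country table is constructed for the demo (a real FortiGate uses Fortinet's own Geo-IP database), and the policy list mirrors the objects created in the steps above. It also shows two points worth checking in a real deployment: a more specific prefix overrides a broader one, and an address with no country mapping falls through to deny rather than being allowed.

```python
import ipaddress

# Constructed sample Geo-IP table (prefix -> ISO country code). These prefixes
# are documentation ranges invented for the demo, not real geolocation data.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "SG",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("198.51.100.128/25"): "CA",  # more specific prefix wins
    ipaddress.ip_network("192.0.2.0/24"): "DE",
}


def lookup_country(ip):
    """Longest-prefix match of an IP against the Geo-IP table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, country in GEO_TABLE.items():
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, country)
    return best[1] if best else None


# Policies evaluated top-down, as on the firewall. The geography address
# created in the steps above becomes the set of allowed source countries.
POLICIES = [
    {
        "name": "allow-remote-offices",   # hypothetical policy name
        "src_countries": {"SG", "US"},   # geography address members
        "dst_ports": {443},              # the published application service
        "action": "accept",
    },
]


def evaluate(src_ip, dst_port):
    """Return (action, policy_name); unmatched traffic hits the implicit deny."""
    country = lookup_country(src_ip)
    for pol in POLICIES:
        # A None country never matches, so unmapped sources are denied.
        if country in pol["src_countries"] and dst_port in pol["dst_ports"]:
            return pol["action"], pol["name"]
    return "deny", "implicit-deny"


if __name__ == "__main__":
    for ip, port in [("203.0.113.10", 443), ("198.51.100.200", 443),
                     ("10.0.0.1", 443), ("203.0.113.10", 22)]:
        print(ip, port, "->", lookup_country(ip), evaluate(ip, port))
```

Because the decision is only as good as the country mapping, keep the Geo-IP database current and log denied traffic on the policy so that legitimate remote-office ranges that move between countries can be spotted quickly.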

By limiting access to internal services from specific countries or regions, you can reduce unnecessary traffic and prevent bandwidth waste.

Geo-IP restrictions can help block malicious traffic from known botnet sources or countries with high cybercrime activity, reducing the risk of automated attacks.

FortiOS – buffer overflow – CVE-2023-27997

A critical vulnerability discovered in FortiGate SSL VPN enables hackers to infiltrate vulnerable systems and inject malicious code, even when Multi-Factor Authentication (MFA) is activated.

The following Fortinet product versions are affected and their firmware should be updated.

Affected Products
FortiOS version 7.2.0 through 7.2.2
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.10
FortiOS version 6.2.0 through 6.2.11
FortiOS version 6.0.0 through 6.0.15
FortiOS version 5.6.0 through 5.6.14
FortiOS version 5.4.0 through 5.4.13
FortiOS version 5.2.0 through 5.2.15
FortiOS version 5.0.0 through 5.0.14
FortiOS-6K7K version 7.0.0 through 7.0.7
FortiOS-6K7K version 6.4.0 through 6.4.9
FortiOS-6K7K version 6.2.0 through 6.2.11
FortiOS-6K7K version 6.0.0 through 6.0.14
FortiProxy version 7.2.0 through 7.2.1
FortiProxy version 7.0.0 through 7.0.7
FortiProxy version 2.0.0 through 2.0.11
FortiProxy version 1.2.0 through 1.2.13
FortiProxy version 1.1.0 through 1.1.6
FortiProxy version 1.0.0 through 1.0.7
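Checking a fleet against ranges like these by eye is error-prone, since each product line has its own inclusive ranges and the same version number can be affected on one line and not another. The following Python script is an added example, not Fortinet tooling: it encodes the ranges listed above and compares a version tuple against them. The `parse_status_line` helper assumes the `Version: FortiGate-100F v7.0.8,build0523,221128 (GA.F)` shape of a FortiOS `get system status` line; the sample line itself is constructed.

```python
import re

# Affected ranges exactly as listed above, inclusive at both ends.
AFFECTED = {
    "FortiOS": [
        ("7.2.0", "7.2.2"), ("7.0.0", "7.0.8"), ("6.4.0", "6.4.10"),
        ("6.2.0", "6.2.11"), ("6.0.0", "6.0.15"), ("5.6.0", "5.6.14"),
        ("5.4.0", "5.4.13"), ("5.2.0", "5.2.15"), ("5.0.0", "5.0.14"),
    ],
    "FortiOS-6K7K": [
        ("7.0.0", "7.0.7"), ("6.4.0", "6.4.9"),
        ("6.2.0", "6.2.11"), ("6.0.0", "6.0.14"),
    ],
    "FortiProxy": [
        ("7.2.0", "7.2.1"), ("7.0.0", "7.0.7"), ("2.0.0", "2.0.11"),
        ("1.2.0", "1.2.13"), ("1.1.0", "1.1.6"), ("1.0.0", "1.0.7"),
    ],
}


def parse_version(text):
    """Turn '7.0.8' or 'v7.0.8' into a tuple of ints so it compares numerically."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def is_affected(product, version):
    """True if the version falls inside any affected range for that product line."""
    v = parse_version(version)
    for low, high in AFFECTED.get(product, []):
        if parse_version(low) <= v <= parse_version(high):
            return True
    return False


def parse_status_line(line):
    """Extract the vX.Y.Z version from a 'get system status' Version line.

    Assumes the format 'Version: <model> vX.Y.Z,buildNNNN,...'; returns None
    if no version is found so the caller can flag the device for manual review.
    """
    match = re.search(r"\bv(\d+\.\d+\.\d+)\b", line)
    return match.group(1) if match else None


if __name__ == "__main__":
    # Constructed sample line, not output captured from a real device.
    sample = "Version: FortiGate-100F v7.0.8,build0523,221128 (GA.F)"
    version = parse_status_line(sample)
    print(version, "affected:", is_affected("FortiOS", version))
```

Note that the 6K7K line is tracked separately on purpose: FortiOS 7.0.8 is affected, while FortiOS-6K7K 7.0.8 sits above that line's 7.0.7 upper bound.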

CVE-2023-27997 denotes a critical heap buffer overflow vulnerability in Fortinet’s FortiOS SSL-VPN pre-authentication module.

Its exploitation permits data to overflow from a designated memory block into adjacent blocks in the heap, enabling the execution of arbitrary code and facilitating malicious program activity.

SSL VPNs are typically relied upon for establishing secure connections to private organizational networks and the vulnerability could grant cybercriminals access to any networks and products assumed to be safeguarded.

This vulnerability is exploitable pre-authentication, without privileged credentials, allowing attackers to evade interception and increasing the likelihood of a successful data breach.

The suggested response action to mitigate the impact of CVE-2023-27997 is to upgrade to the latest FortiOS firmware release and/or disable SSL-VPN on all impacted devices if it is not actively in use.

To shut off SSL-VPN access, follow this link.

Follow Fortinet’s best practice on hardening your network devices.

Extending your wireless coverage

When trying to extend your wireless coverage to an area where it is hard to reach and it is close to ethernet cable length limit, a range extender may not be a good idea. Rather, a wireless point-to-point network will bridge the gap and provide a wireless backhaul from your perimeter back to your main site.

With the correct access point deployed and proper planning, it can even be an outdoor area that is extended from indoor or an area with limited line of sight.

Check with us for a solution to extend your existing network's Wi-Fi coverage to your perimeter or a nearby site office. Such a deployment can often be an alternative to running fibre cables and/or provide additional redundancy for existing infrastructure.

What is Zero Trust?

Zero Trust is a network security concept and architectural approach that challenges the traditional perimeter-based security model. In a Zero Trust model, trust is never assumed, regardless of whether a user or device is inside or outside the corporate network. Instead, every request for access to resources is carefully verified and authenticated before being granted, regardless of the user’s location.

The core principles of Zero Trust include:

  1. Verify and Authenticate: All users, devices, and applications attempting to access resources must be verified and authenticated before access is granted. This involves using strong identity verification methods like multi-factor authentication (MFA) to ensure the user’s identity.
  2. Least Privilege: Users and devices are granted the least amount of privileges necessary to perform their tasks. This principle ensures that even if a user’s credentials are compromised, an attacker’s access to sensitive resources is limited.
  3. Micro-Segmentation: The network is divided into smaller, isolated segments or zones to reduce the potential impact of a security breach. Each segment has its own security policies and controls, and communication between segments is strictly regulated.
  4. Continuous Monitoring: Continuous monitoring and analysis of user behavior, device health, and network traffic help detect anomalies and potential security threats in real-time.
  5. Access Controls: Granular access controls are applied based on user identity, device health, and other contextual information. Access decisions are dynamically made based on this context.
  6. Encryption: Data in transit and at rest is encrypted to protect sensitive information from unauthorized access.
  7. Assume Breach: Zero Trust operates on the principle of “assume breach.” Instead of relying solely on prevention, the architecture assumes that threats are already inside the network and focuses on detection, containment, and response.

Zero Trust architecture is particularly relevant in today’s distributed and cloud-based environments, where the traditional perimeter-based security model is no longer sufficient to protect against sophisticated cyber threats. By adopting a Zero Trust approach, organizations can strengthen their security posture, reduce the attack surface, and improve the overall resilience of their network against modern cyber threats.

HTTPS Cipher Mismatch Error

The “cipher mismatch error” typically occurs in the context of secure internet connections when there is a mismatch between the encryption algorithms supported by the client (usually a web browser) and the server it is trying to connect to. This issue prevents the establishment of a secure and encrypted connection, leading to an error message being displayed to the user.

Besides network errors, common causes include an outdated web browser, an outdated server SSL/TLS configuration, server misconfiguration, expired SSL/TLS certificates and incompatible cipher suites.

Much has changed since 2021, when support for TLS 1.1 was disabled. Many modern browsers no longer support any SSL/TLS version prior to 1.2.
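The error a browser shows depends on which stage of the handshake fails: if the client and server share no protocol version the handshake stops at version selection, and if they share a version but no cipher suite the server answers with a handshake failure. The following Python script is an added illustration of that negotiation, not browser or FortiOS code: the version and cipher lists for the "modern browser", "old browser" and "old router" profiles are constructed for the demo (TLS 1.3 negotiates suites differently in reality, which the model ignores), and `hardened_client_context` shows the equivalent floor in Python's real `ssl` module.

```python
import ssl

# Protocol versions in ascending order; negotiation picks the highest common one.
TLS_VERSIONS = ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]


def negotiate(client, server):
    """Simplified handshake outcome: ('ok', version, cipher) or ('error', reason).

    The server chooses the highest version both sides accept, then the first
    cipher in its own preference order that the client also offered.
    """
    c_lo, c_hi = TLS_VERSIONS.index(client["min"]), TLS_VERSIONS.index(client["max"])
    s_lo, s_hi = TLS_VERSIONS.index(server["min"]), TLS_VERSIONS.index(server["max"])
    lo, hi = max(c_lo, s_lo), min(c_hi, s_hi)
    if lo > hi:
        return ("error", "protocol_version")      # no TLS version in common
    version = TLS_VERSIONS[hi]
    common = [c for c in server["ciphers"] if c in client["ciphers"]]
    if not common:
        return ("error", "handshake_failure")     # the cipher mismatch case
    return ("ok", version, common[0])


# Constructed profiles; cipher names are illustrative suites, not a full list.
MODERN_BROWSER = {"min": "TLS1.2", "max": "TLS1.3",
                  "ciphers": ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]}
OLD_BROWSER = {"min": "TLS1.0", "max": "TLS1.2",
               "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]}
OLD_ROUTER = {"min": "TLS1.0", "max": "TLS1.0",
              "ciphers": ["AES128-SHA", "RC4-SHA"]}
LEGACY_CIPHER_SERVER = {"min": "TLS1.2", "max": "TLS1.2",
                        "ciphers": ["RC4-SHA"]}


def hardened_client_context():
    """A real ssl client context that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("modern browser -> old router:", negotiate(MODERN_BROWSER, OLD_ROUTER))
    print("old browser    -> old router:", negotiate(OLD_BROWSER, OLD_ROUTER))
    print("modern browser -> RC4-only  :", negotiate(MODERN_BROWSER, LEGACY_CIPHER_SERVER))
    print("hardened floor:", hardened_client_context().minimum_version)
```

The first case is the one the rest of this post deals with: a current browser and a TLS 1.0-only router never agree on a version, so lowering the browser's floor temporarily is the only way in, and the same model explains why raising the floor again afterwards matters.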

(Screenshot: connection not secure)

There may be reasons you would want to access an old router or firewall: to retrieve some old configuration, back up the config or check network information.

(Screenshot: enabling TLS 1.0)

You may need to enable TLS 1.0, TLS 1.1 and, for even older routers, SSL protocols in order to access the router’s web admin portal. Just remember to reverse the process once you’re done.


You may also need to use Internet Explorer (no longer available in Windows 11) as all newer versions of Chrome/Firefox/Opera do not support the older protocols.

If you’re insistent on not using IE, you may need to look for versions prior to Chrome 84, Edge 84, Firefox 78, & Safari 14 in order for TLS 1.0 to work.

Wifi6 with wireless controller

The Ubiquiti UniFi Network Controller is a powerful software platform that allows you to manage your entire network from a single, easy-to-use interface. When paired with the Ubiquiti LR6 Series access points, it provides a high-performance and scalable wireless network solution that can meet the needs of even the most demanding environments.

The Ubiquiti UniFi Network Controller is designed to simplify network management, allowing you to easily configure and monitor your entire network from a central location. With features such as real-time network monitoring, traffic analysis, and customizable alerts, you can ensure that your network is running smoothly and efficiently at all times.

The Ubiquiti LR6 Series access points provide exceptional wireless performance, with support for high-speed 802.11ac Wi-Fi and the latest MIMO technology. They also feature a sleek, minimalist design that blends seamlessly into any environment, making them ideal for both commercial and residential installations.

When used together, the Ubiquiti UniFi Network Controller and Ubiquiti LR6 Series access points provide a complete and powerful wireless networking solution that can meet the needs of businesses of all sizes. With advanced features such as guest access, VLAN support, and seamless roaming, you can ensure that your users have the connectivity and security they need to be productive.

Overall, the Ubiquiti UniFi Network Controller with Ubiquiti LR6 Series access points is a powerful and reliable wireless networking solution that can provide exceptional performance and ease-of-use. Whether you are looking to upgrade your existing wireless network or deploy a new one from scratch, this solution can help you achieve your goals and meet the needs of your users.

On-prem management option

Run a dockerized UniFi Network Controller on-premises on a Synology NAS. Manage your site network without the need for a Cloud Key. Set configuration and install updates with a single click.