Lab 1.02 Securing the Infra - Solution
Lab 1.02 – Securing the Infra
Resolution
RT-DC01
config router ospf
    config ospf-interface
        edit port2
            set interface port2
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
        edit port3
            set interface port3
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
    end
    set passive-interface "port5"
end
RT-DC02
config router ospf
    config ospf-interface
        edit port2
            set interface port2
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
        edit port3
            set interface port3
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
    end
    set passive-interface "port5"
end
FGT-DC01
config router ospf
    config ospf-interface
        edit "ipsec1"
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
        edit "ipsec2"
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
        edit "ipsecS2S"
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
        edit port5
            set interface port5
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
    end
end
FGT-DC02
config router ospf
    config ospf-interface
        edit "ipsec1"
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
        edit "ipsec2"
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
        edit "ipsecS2S"
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
        edit port5
            set interface port5
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
    end
end
FGT-S01
config router ospf
    config ospf-interface
        edit "DC1_A"
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
        edit "DC1_B"
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
        edit "DC2_A"
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
        edit "DC2_B"
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
    end
    set passive-interface "port5"
end
FGT-S02
config router ospf
    config ospf-interface
        edit "DC1_A"
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
        edit "DC1_B"
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
        edit "DC2_A"
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
        edit "DC2_B"
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
    end
    set passive-interface "port5"
end
RT-DC01 and RT-DC02
RT-DC02 # get router info ospf interface port5
port5 is up, line protocol is up
Internet Address 10.201.0.254/24, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 10.200.0.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DROther, Priority 1
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
No Hellos (Passive interface)
Neighbor Count is 0, Adjacent neighbor count is 0
Crypt Sequence Number is 222640
Hello received 0 sent 523, DD received 0 sent 0
LS-Req received 0 sent 0, LS-Upd received 0 sent 0
LS-Ack received 0 sent 0, Discarded 0

RT-DC01 # get router info ospf interface port5
port5 is up, line protocol is up
Internet Address 10.101.0.254/24, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 10.100.0.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DROther, Priority 1
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
No Hellos (Passive interface)
Neighbor Count is 0, Adjacent neighbor count is 0
Crypt Sequence Number is 222716
Hello received 0 sent 525, DD received 0 sent 0
LS-Req received 0 sent 0, LS-Upd received 0 sent 0
LS-Ack received 0 sent 0, Discarded 0
FGT-S01 and FGT-S02
FGT-S02 # get router info ospf interface port5
port5 is up, line protocol is up
Internet Address 10.2.0.254/24, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 10.2.0.254, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DROther, Priority 1
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
No Hellos (Passive interface)
Neighbor Count is 0, Adjacent neighbor count is 0
Crypt Sequence Number is 223752
Hello received 0 sent 0, DD received 0 sent 0
LS-Req received 0 sent 0, LS-Upd received 0 sent 0
LS-Ack received 0 sent 0, Discarded 0

FGT-S01 # get router info ospf interface port5
port5 is up, line protocol is up
Internet Address 10.1.0.254/24, Area 0.0.0.0, MTU 1500
Process ID 0, VRF 0, Router ID 10.1.0.254, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DROther, Priority 1
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
No Hellos (Passive interface)
Neighbor Count is 0, Adjacent neighbor count is 0
Crypt Sequence Number is 223786
Hello received 0 sent 8, DD received 0 sent 0
LS-Req received 0 sent 0, LS-Upd received 0 sent 0
LS-Ack received 0 sent 0, Discarded 0
Describing the Resolution
On all the FortiGates:
We configured MD5 authentication towards all the neighbors.
With this authentication enabled, every router that participates in the OSPF
network needs to know exactly the same password in order to form an adjacency
with the other routers; a router that does not hold the key cannot join the domain.
On RT-DC01, RT-DC02, FGT-S01 and FGT-S02:
We configured interface port5 (the LAN interface) as a passive interface.
With this, the interface does not participate in OSPF: it does not establish
adjacencies or send routing updates. However, its network is still announced
as part of the routing domain.
The hub FortiGates are not directly connected to the LAN networks, so this
command does not need to be configured on them.
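As an added check (example code, not part of the lab solution), the script below parses a FortiOS "config router ospf" block in the config/edit/set/next/end nesting used on these slides and reports any ospf-interface entry without MD5 authentication and a key-string, and any LAN interface that is not set passive; it works on any of the device configs above, not only the one sampled. The sample block is constructed from the RT-DC01 resolution with a deliberately unauthenticated port4 entry added, and the LAN interface list defaults to port5 as in the lab.

```python
# Constructed sample: RT-DC01's resolution cut to one interface, plus an unauthenticated port4 entry to flag.
SAMPLE = """
config router ospf
    config ospf-interface
        edit port2
            set interface port2
            set authentication md5
            config md5-keys
                edit 1
                    set key-string SDWANisFTNT
                next
            end
        next
        edit port4
        next
    end
    set passive-interface "port5"
end
"""

def parse_ospf(text):
    # Walk the config/edit/set/next/end nesting with an explicit block stack.
    interfaces, passive, stack = {}, set(), []
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        cmd, args = tok[0], [a.strip('"') for a in tok[1:]]
        if cmd == "config":
            stack.append(" ".join(args))
        elif cmd == "edit":
            stack.append(args[0])
            if stack[-2:-1] == ["ospf-interface"]:  # a new ospf-interface entry
                interfaces[args[0]] = {"auth": None, "keys": 0}
        elif cmd in ("next", "end"):
            stack.pop()
        elif cmd == "set" and args[0] == "authentication" and stack[-2:-1] == ["ospf-interface"]:
            interfaces[stack[-1]]["auth"] = args[1]          # stack[-1] is the entry name
        elif cmd == "set" and args[0] == "key-string" and stack[-2:-1] == ["md5-keys"]:
            interfaces[stack[-3]]["keys"] += 1               # stack: entry / md5-keys / key id
        elif cmd == "set" and args[0] == "passive-interface" and stack[-1:] == ["router ospf"]:
            passive.update(args[1:])
    return interfaces, passive

def audit(text, lan_ifaces=("port5",)):
    interfaces, passive = parse_ospf(text)   # an empty result means both lab controls are present
    findings = [f"{n}: authentication is {i['auth']}, expected md5"
                for n, i in interfaces.items() if i["auth"] != "md5"]
    findings += [f"{n}: md5 selected but no key-string configured"
                 for n, i in interfaces.items() if i["auth"] == "md5" and not i["keys"]]
    findings += [f"{lan}: LAN interface is not passive" for lan in lan_ifaces if lan not in passive]
    return findings
```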