There are 5 specific functions that can be tested to make sure that the ThreatSTOP solution is working properly:
- Does the management VM pull IPs from our database
- Are the IPs applied to firewall rules
- Do the blocked IPs get logged
- Can the logs be uploaded to our database
- Can 1-4 be done automatically
-
Does the management VM pull IPs from our database?
At any time you can run the ts-fort.pl script, which loads your FortiGate device with the IPs from your policy. You can find the command by checking the crontab:
crontab -l
Which will show an output similar to:
The above example is from a fresh default install of the ThreatSTOP service on a clean ThreatSTOP appliance. In this example, the command is:
/home/threatstop/ts-fortinet/ts-fort.pl
Running this command will show the current number of IPs in both the block and allow lists in your policy. The output will start with:
and then print the IP addresses as they are added. If the script completes successfully, the end of the output will read:
You have now verified that the management VM can pull IPs from our database.
-
Are the IPs applied to firewall rules?
Log into your FortiGate via the web GUI. Go to "Policies & Objects" >> "Objects" >> "Addresses".
In the main window, you will see the list of IP addresses that are in your ThreatSTOP policy. Scroll to the bottom of the list and note that the final TSbXXX entry should be the total number of IPs in your block list. Further down you will see the TSAllow-1 and TSblock-1 address groups.
Then navigate to "Policies & Objects" >> "Policy" >> "IPv4".
This will show the firewall rules and where they are applied in the main screen. Below is an example with no other firewall rules. Note that the ThreatSTOP rules should be before your other rules.
You have now verified that the IPs are applied to your firewall rules.
-
Do the blocked IPs get logged?
Log into the ThreatSTOP management VM and issue the following command:
tail -f /var/log/remotes.log
Depending on how you have configured your logging, you should see log lines being written.
Break out of the tail command (Ctrl+C) and issue the same command, but grep for our known bad IP, 64.87.3.133:
tail -f /var/log/remotes.log | grep 64.87.3.133
From a device that is behind the FortiGate, open a web browser and go to http://block-test.threatstop.com/. In the PuTTY session you should see a line similar to the following:
The web page should either time out or show the Fortinet firewall notification splash screen.
You have now verified that the blocked IPs are getting logged.
-
Can the logs be uploaded to our database?
On the ThreatSTOP management VM, look at the root crontab by running the command:
sudo crontab -l
You should see a job similar to:
7 * * * * perl -e'exec q(/usr/sbin/logrotate -f /etc/logrotate.d/remotes.log) if (stat q(/var/log/remotes.log))[7]>100000;'
Take the command out of that job and run it manually. The command is:
/usr/sbin/logrotate -f /etc/logrotate.d/remotes.log
Running the command manually shows output similar to:
The lines to note are the following, which show that the upload was successful:
[INFO ] : Upload was successful [200 OK]
[DEBUG] : Cleaning [/tmp/tmplog_0.log] previous tmp file
[INFO ] : Finish ThreatSTOP logupload operation at 26/06/2015 10:00:25 after 00:00:03
Once you have successfully uploaded a log to our system, there should now be a /var/log/remotes.log.1 file. You have now verified that the logs can be uploaded to our database.
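The manual checks in sections 1, 3 and 4 each reduce to inspecting some command output for a known marker, so they can be scripted. The following POSIX shell script is an added example and not part of ThreatSTOP's own tooling; the script path, log path, test IP and success string are taken from the text above, and the sample files it builds at the end are constructed here so that the script runs offline. Each check reads from a file, so on the appliance you can feed it saved output (for example `crontab -l > cron.txt`) or the live log.

```shell
#!/bin/sh
# Added example: scripted versions of the manual ThreatSTOP/FortiGate checks.
# Not ThreatSTOP's tooling; the values below are taken from the article.

TS_SCRIPT="/home/threatstop/ts-fortinet/ts-fort.pl"   # policy-pull script seen in 'crontab -l'
LOG_FILE="/var/log/remotes.log"                         # FortiGate logs received on the management VM
BLOCK_TEST_IP="64.87.3.133"                             # known-bad IP behind block-test.threatstop.com

# Check 1: is the policy-pull script scheduled?
# Usage: has_ts_cron_job <file holding 'crontab -l' output>; exit 0 if present.
has_ts_cron_job() {
    grep -qF "$TS_SCRIPT" "$1"
}

# Check 3: how many log lines mention the block-test IP?
# Usage: count_block_hits <log file>; prints the count, always exits 0.
# -F treats the dots in the IP literally instead of as regex wildcards.
count_block_hits() {
    grep -cF "$BLOCK_TEST_IP" "$1" || true
}

# Check 4: did the logrotate-triggered upload report success?
# Usage: upload_succeeded <file holding logrotate output>; exit 0 on "200 OK".
upload_succeeded() {
    grep -qF 'Upload was successful [200 OK]' "$1"
}

# Demonstration on constructed samples (not real appliance output).
DEMO_DIR=$(mktemp -d)
printf '7 * * * * %s\n' "$TS_SCRIPT" > "$DEMO_DIR/cron.txt"
printf 'date=2015-06-26 srcip=10.0.0.5 dstip=%s action=deny\n' "$BLOCK_TEST_IP" > "$DEMO_DIR/remotes.log"
printf 'date=2015-06-26 srcip=10.0.0.5 dstip=93.184.216.34 action=accept\n' >> "$DEMO_DIR/remotes.log"
printf '[INFO ] : Upload was successful [200 OK]\n' > "$DEMO_DIR/upload.txt"

if has_ts_cron_job "$DEMO_DIR/cron.txt"; then echo "check 1: cron job present"; fi
echo "check 3: $(count_block_hits "$DEMO_DIR/remotes.log") hit(s) for $BLOCK_TEST_IP"
if upload_succeeded "$DEMO_DIR/upload.txt"; then echo "check 4: upload succeeded"; fi
rm -rf "$DEMO_DIR"
```

On a live appliance, replace the constructed files with `crontab -l` output, `$LOG_FILE`, and the captured output of the logrotate command; a zero count from check 3 after visiting block-test.threatstop.com means either the FortiGate is not sending logs to the management VM or the test client was not routed through the firewall.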
- Can 1-4 be done automatically?