How to Configure VPN in Pfsense Firewall


A VPN provides an encrypted connection and hides your IP address from corporations, government agencies, and would-be hackers. A VPN protects your identity even when you are using public or shared Wi-Fi, and your data is kept private from any prying eyes on the internet.

Before we configure our OpenVPN server, we need to choose an authentication method. Both OpenVPN and pfSense support password-based authentication, certificate-based authentication, or both. Here we use certificate-based authentication, so we need to generate a Certificate Authority as well as a server certificate.

1. Generating a CA Certificate:

The first thing we need to do is generate our Certificate Authority (CA), which will validate the OpenVPN server’s identity and authenticate user certificates (if enabled).

1.1 System > Cert. Manager > Add

Descriptive name: Test

Fill in the Details on the page as shown in the screenshot below:

Method: Create an internal Certificate Authority.

Key type: RSA

Key length: 4096

Digest Algorithm: sha512

Common Name: Choose a Common Name for your certificate or leave the default of internal-ca.

Click on ‘Save’.

You’ve created your Certificate Authority.

2. Generating a Server Certificate:

2.1 Go to System > Cert. Manager > Certificates (sub menu) > Add

2.2 Fill required details on the page:

Method: Create an internal Certificate.

Descriptive name: Test

Use the same values you set for the Certificate Authority for the Key type and length, as well as for the Digest Algorithm.

Lifetime: 365 days

Certificate Type: Server Certificate

3. Create your OpenVPN user and your user certificate

3.1 Go to System > User Manager

We now need to create a user to access the OpenVPN server. I will be creating a single user for this guide, but you can create as many users as you need. Simply repeat these steps.

If you chose to set up your server for certificate-based authentication or for certificate and password-based authentication, click the pencil icon to the right of your new user. You’ll be taken back to the Edit User window.

Click the Add button under User Certificates. You’ll be taken to the Certificate Manager, and prompted to input the parameters for your user certificate.

4. Creating OpenVPN Server:

4.1 VPN > OpenVPN

Enter the following information in the respective fields, as shown in the screenshot:

Description: Test

Server mode: Remote Access (SSL/TLS + User Auth)

Cryptographic Setting:

Enable both ‘Use a TLS Key’ and ‘Automatically generate a TLS Key’.

Peer Certificate Authority: Test (the CA we created earlier)

Server certificate: the server certificate we created earlier.

DH Parameter: 4096

Auth digest algorithm: SHA512 (512-bit).

Tunnel Setting:

In the IPv4 Tunnel Network field, enter a subnet that is not already present on your network; it will be used as the OpenVPN network’s internal subnet. I’m using 10.100.100.0/24.

Enable Redirect IPv4 Gateway to route all IPv4 traffic over the VPN tunnel.

Under Advanced Settings, enable UDP Fast I/O.

If you’re only using IPv4, select IPv4 only in the Gateway creation field.

Click on ‘Save’.

Verifying the OpenVPN server configuration

Status > System Logs > OpenVPN

5. Create Firewall Rules:

5.1 Firewall > Rules > OpenVPN

Enter the following information in the respective fields:

Action: Pass

Interface: OpenVPN

Address Family: IPv4.

Protocol: Any.

Source: Network (the OpenVPN subnet you specified earlier, for example 10.100.100.0/24)

5.2 WAN Rule
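The tunnel subnet chosen in the Tunnel Settings is reused here as the Source of the OpenVPN rule, so an overlap with an existing LAN or a typo in the CIDR (the page's own "10.100.100.0/24/24" slip is the kind of thing that happens) would make the rule match the wrong traffic. The following is an added example, not pfSense's own code, that validates a candidate IPv4 Tunnel Network against a constructed inventory of networks already in use; the inventory values and the function names are assumptions made for the example.

```python
import ipaddress

# Constructed sample inventory of networks already in use behind the firewall.
# These values are made up for this example; replace them with your own.
EXISTING_NETWORKS = {
    "LAN": "192.168.1.0/24",
    "DMZ": "192.168.50.0/24",
    "Branch office (via IPsec)": "10.100.0.0/16",
}


def parse_tunnel_network(candidate):
    """Parse a candidate IPv4 Tunnel Network value.

    strict=True rejects a value whose host bits are set (e.g. 10.100.100.5/24),
    and ipaddress rejects malformed strings such as "10.100.100.0/24/24",
    so a typo is caught before it reaches the firewall.
    """
    net = ipaddress.ip_network(candidate, strict=True)
    if net.version != 4:
        raise ValueError(f"{candidate} is not an IPv4 network")
    return net


def find_overlaps(net, existing=EXISTING_NETWORKS):
    """Return the names of inventoried networks that overlap the tunnel network."""
    return [name for name, cidr in existing.items()
            if net.overlaps(ipaddress.ip_network(cidr))]


def check_tunnel_network(candidate, existing=EXISTING_NETWORKS):
    """Validate a proposed tunnel network and return a summary dict.

    'ok' is True only when the subnet is well-formed, IPv4, private, and does
    not overlap anything already routed on the network. An overlap would make
    the OpenVPN firewall rule's Source network ambiguous with a real LAN.
    """
    net = parse_tunnel_network(candidate)
    overlaps = find_overlaps(net, existing)
    warnings = []
    if not net.is_private:
        warnings.append("not an RFC 1918 range; pick a private subnet")
    if net.prefixlen > 29:
        warnings.append("fewer than 6 usable client addresses")
    return {
        "network": str(net),
        "usable_hosts": net.num_addresses - 2,
        "overlaps": overlaps,
        "warnings": warnings,
        "ok": not overlaps and not warnings,
    }


if __name__ == "__main__":
    for cand in ("10.100.100.0/24", "10.200.200.0/24", "10.100.100.0/24/24"):
        try:
            print(cand, "->", check_tunnel_network(cand))
        except ValueError as exc:
            print(cand, "-> rejected:", exc)
```

With the constructed inventory above, 10.100.100.0/24 is reported as overlapping the branch-office range 10.100.0.0/16, which is exactly the case the page warns about when it says to pick a subnet that is not present on your network.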

To connect to your OpenVPN server from the outside world (i.e., the internet), you’re going to need to open the port your server runs on (1194, in this example) on your WAN interface. This rule will allow your client to connect to your OpenVPN server from the internet.

Firewall > Rules > WAN

Action: Pass

Interface: WAN

Address Family: IPv4.

Protocol: UDP.

Source: any

Destination: WAN Address

Destination Port Range: Other (1194)

6. Install the OpenVPN Client Export Utility:

We need to install the package from the pfSense Package Manager manually.

Go to System > Package Manager > Available Packages

Install openvpn-client-export

As it was already installed, it’s shown in Installed Packages.

7. Export the OpenVPN client Configuration:

VPN > OpenVPN > Client Export > scroll down > OpenVPN Clients

AD Authentication with Firewall

How does AD Authentication with a Firewall work?

One of our end customers wanted an AD Authentication to be done between its Head Office and Branch Office.

They had Sophos Firewall installed and wanted a secure connection in the entire network.

In this blog, we demonstrate how you can add an authentication server on Sophos Firewall and how to import AD groups. 

Here’s an overview of our process:

  • Refer to the IP addresses as per the diagram.
  • After configuring the basic parameters on the firewall, create an IPsec tunnel between the Head Office and the Branch Offices.
  • First, create the IPsec tunnels between the Head Office and BR_Office 1 and BR_Office 2.
  • Configure the authentication server on all firewalls.
  • Install STAS on the Head Office AD server.

IPsec Tunnel Configuration

Head Office Firewall Configuration

Step 1:

Host Creation

In your Sophos Panel, go to System >> Host and Services >> IP Host

In our case, as shown below, we have created hosts for the Head Office and for each of the two branch offices.

Step 2:

Add IPSEC connection:

Configuration >> Site-to-site VPN >> IPsec

Step 3: Configure AD Server in firewall:

Under Configure, go to “Authentication” > Servers > Add

Select Server Type as “Active Directory”.

In the Connection Security option, make sure you select either SSL/TLS or STARTTLS (both are secure).

Fill in the rest of the details and then click on the “Test Connection” button at the bottom to check the connectivity and then click on Save if everything is okay.

Before enabling STAS, you need to enable AD Authentication Service:

To do that, go to Administration > Device Access, check the necessary requirements and click on Apply.

Once done, Go to Authentication > Services and choose your AD server as the primary authentication method before integrating STAS.

What is STAS?

STAS stands for Sophos Transparent Authentication Suite. By keeping track of domain controller events, Sophos STAS authentication can match authenticated users with their corresponding IP addresses. Once the user’s identity is known, the Sophos UTM can provide access based on that user.

How does Authentication work?

STAS tracks events taking place on the Domain Controller (DC). Each DC records user log-ins and log-outs.

The STAS Agent on the DC collects these events and forwards them to the STAS Collector, which consolidates the information and forwards it to the Sophos UTM along with the IP address and username.

The UTM queries Active Directory to establish which group the user falls under and then allows or denies access based on the permissions granted.
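To make the event-to-identity mapping concrete, here is an added example (not Sophos's or STAS's own code) that replays constructed domain-controller logon and logoff events into a current IP-to-user table and then makes a group-based allow/deny decision. The session rules, the inactivity timeout, the event data and the group membership table are all assumptions made for the example; the event IDs 4624 and 4634 are the Windows Security log IDs for a successful logon and a logoff.

```python
from dataclasses import dataclass

# Windows Security log event IDs for an account logon and logoff.
LOGON = 4624
LOGOFF = 4634


@dataclass(frozen=True)
class DcEvent:
    ts: int        # event time, seconds since epoch (constructed values below)
    event_id: int  # LOGON or LOGOFF
    user: str
    ip: str        # workstation address recorded in the event


# Constructed sample events; not captured from a real domain controller.
SAMPLE_EVENTS = [
    DcEvent(100, LOGON,  "alice", "10.10.1.20"),
    DcEvent(120, LOGON,  "bob",   "10.10.1.21"),
    DcEvent(300, LOGOFF, "alice", "10.10.1.20"),   # alice logs off
    DcEvent(320, LOGON,  "carol", "10.10.1.20"),   # same workstation, new user
    DcEvent(400, LOGON,  "bob",   "10.10.1.21"),   # repeat logon refreshes bob's entry
    DcEvent(410, LOGOFF, "alice", "10.10.1.20"),   # stale logoff must not evict carol
]

# Constructed group membership; in a real deployment the firewall queries AD.
AD_GROUPS = {
    "alice": {"Finance"},
    "bob":   {"IT", "VPN-Users"},
    "carol": {"Sales"},
}


def build_ip_map(events, now, ttl):
    """Replay DC events in time order and return {ip: user} for live sessions.

    Rules (assumptions made for this example, not STAS's exact logic):
      * the most recent logon wins for an IP address;
      * a logoff clears the IP only if it still belongs to that user;
      * an entry older than `ttl` seconds at time `now` is dropped, so a
        workstation that went silent does not keep its user identity forever.
    """
    sessions = {}  # ip -> (user, last_seen)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == LOGON:
            sessions[ev.ip] = (ev.user, ev.ts)
        elif ev.event_id == LOGOFF and ev.ip in sessions and sessions[ev.ip][0] == ev.user:
            del sessions[ev.ip]
    return {ip: user for ip, (user, seen) in sessions.items() if now - seen <= ttl}


def decide(ip, required_group, ip_map, groups=AD_GROUPS):
    """Return ("allow" | "deny", reason) for traffic from `ip` that needs `required_group`."""
    user = ip_map.get(ip)
    if user is None:
        return "deny", "no authenticated user mapped to this IP"
    if required_group in groups.get(user, set()):
        return "allow", f"{user} is a member of {required_group}"
    return "deny", f"{user} is not a member of {required_group}"


if __name__ == "__main__":
    live = build_ip_map(SAMPLE_EVENTS, now=500, ttl=600)
    print(live)
    for ip, grp in (("10.10.1.21", "VPN-Users"), ("10.10.1.20", "Finance"), ("10.10.1.99", "IT")):
        print(ip, grp, decide(ip, grp, live))
```

The two edge cases worth noticing are the shared workstation (carol's logon replaces alice's entry for 10.10.1.20, and alice's late logoff does not evict carol) and the idle timeout, which is why a firewall that relies on this kind of mapping should also have a rule for unmapped addresses.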

Integrate STAS:

  1. On the firewall, go to Authentication > STAS.
  2. Toggle On the Enable Sophos Transparent Authentication Suite and click Apply
  3. Click on Add new collector, specify your settings and then click Save

Add Firewall Rule:

STAS Configuration on AD Server:

  1. Download STAS Client from Firewall.

Configuration>>Authentication>>Client Download

Download it on the server.

Install the client on the AD server.

STAS Agent Configuration:

STAS Collector Configuration:

How to check if the STAS Service is Running or not

In order to check that, you need to start the WMI Service on the AD server.

Start WMI Service in AD Server:

Install an AD Certificate to avoid SSL/TLS errors:

You may get an SSL/TLS error while following the procedure above. To avoid that, do the following:

Go to AD Console >> Manage >> Add Roles and Features

Check Server Roles and check the status.

Now follow the IPSec Configuration step for the Branch offices as well and you are good to go.


FortiAnalyzer: Generate Audit Report

This blog is about generating an audit report of day-to-day bandwidth and application usage from FortiAnalyzer, based on the logs it receives from the FortiGate firewall.

What is FortiAnalyzer?

FortiAnalyzer is a powerful log management, analytics, and reporting platform that provides organizations with a single console to manage, automate, orchestrate and respond, enabling simplified security operations, proactive identification and remediation of risks, and complete visibility of the entire attack landscape.

To generate a report from FortiAnalyzer, we need to perform the steps below.

  • First, log in to FortiAnalyzer.
  • After logging in, you will see a dashboard which includes the options below.
  • Once you can see the dashboard, click on Reports.
  • After clicking on Reports, you will see the Reports bars/options below.

Here, for now, I am only showing you how to generate the bandwidth and application Report.

Note: By default, this Template is available in Analyzer, you can create your own custom template as per the requirement.

  • Click on the bandwidth and application report > Report > Edit, as shown below.
  • After clicking on Edit, you will see Generated Reports, Settings and Editor.
  • Generated reports: you will see the reports which have already been generated.
  • Editor: you can edit the layout of your reports as per the customer’s requirements.
  • Settings: under Settings, you can see the options below.

  • Name: you can give custom names to the reports.
  • Time period: you can select the time range; here I am generating for the previous 30 days.
  • Device: we have two options here.
    1. All devices: this will generate a report for all firewalls/devices connected to this FortiAnalyzer or in your network.
    2. Specify: from here we can select individual devices, as I have selected below.
  • Subnets:
    1. All subnets: you can run reports for all subnets currently implemented in your FortiGate.
    2. Specify: for particular subnets only (not all the subnets).
  • Type:
    1. Single report: it will generate one report covering all selected devices.
    2. Multiple reports: it will generate a separate report for each device.

Now you have three options here,

  1. Enable Schedule: from here you can schedule your report like when it needs to be generated automatically.
  2. Enable Notification: Select this to enable report notification when generated.
  3. Enable Auto-cache: When enabled, this process uses system resources and is recommended only for reports that require days to assemble datasets. Disable this option for unused reports and for reports that require little time to assemble datasets.

You can also apply filters and go to advanced settings to customize fonts, language layout headers and other features.


Once all this is done, click on apply and return to the Reports section.

  • Under the Reports section, select your template and click on Run Report.
  • After clicking on Run Report, you will be able to see your generated report in the Generated Reports section below.

Here, you will see the report is generated, and you can download this in HTML, PDF, XML, or CSV format.


Upcoming

We upload blogs on our website on a weekly basis. Keep an eye out for it. If you want to go through all the other blogs that we’ve uploaded, you can visit our blog section.


Here’s how you can quickly update ESMC using the ESET Web console

What is ESMC?

ESMC stands for ESET Security Management Center. It enables you to centrally manage all ESET products on servers, workstations and mobile devices. Using the web console you can manage tasks, deploy ESET solutions, enforce security policies and respond to issues arising on the remote computers.

To manage remote devices and to update ESMC:

  1. Log in to the ERA (ESET Remote Administrator) portal using a web browser (Google Chrome preferred).
  2. To check if an update is available, or to update the product, go to the help button (question mark) > Update Product.
  3. Once you click on it, you will get an update popup. The popup will prompt you to take a backup of all ESET Certification Authorities (CA), peer certificates and the ESMC database.
  4. To take a backup of the above certificates, click on Open Certification Authorities (CA) or click on Peer Certificates. It will take you to the respective certificate location, where you can export them one by one.

Why take a backup of these certificates on ESMC?

As part of the installation/update process, ESMC needs a peer certificate for agents and a peer certificate authority and a certificate authority (CA). All these certificates are used to authenticate all the ESET Products that have been distributed under your license. For example, you can create a server certificate which will be required for distribution of ESET Server products.

  1. To export a certificate, click on one of the certificates and select “Export Public Key”. It will download the certificate automatically. Follow the same steps for all certificates.

For the database backup, click this link, which is suggested by ESET support, or click on the OPEN DOCUMENTATION option to be directed to this link.

Steps to take backup of the database



After taking the backup we can go for the update. For that, click the UPDATE button. An update of your ESMC Server is then scheduled: in Client Tasks you can find a new client task that upgrades the ESMC components on the computer where ESMC Server is installed. To update the other ESMC components on the devices connected to ESMC Server to the latest version, you can trigger the Security Management Center Components Upgrade task directly from the update popup window.

Note:

  1. After triggering the task you will lose connectivity to the ESMC Console for some time, until the ESMC upgrade process is done.
  2. Verify the updated version by going to appwiz.cpl, or by logging in to the ESMC portal again and going to Help > About.
  3. Verify connectivity after upgrading ESMC by logging in to its portal.
  4. Make sure that the ESET PROTECT Server and Web Console versions (8.0) are the same after the update (refer to the screenshot below); otherwise, it throws an error.

Some frequently asked questions:

What is ESMC console?

The traditional ERA Console has now been replaced by the ESMC (ESET Security Management Center) Web Console. It is the primary online interface that allows you to virtually administer and manage your clients and network from anywhere.

How do I access ESET management console?

If you are on a local ESMC Server: Open an ESMC-compatible web browser and type https://localhost/era in the address bar and you’ll be able to access the ESMC Web Console.

If your ESMC Server is accessible to outside connections: open your web browser and type https://%yourservername%/era. Here you need to replace %yourservername% with the actual IP address or name of your web server.

Which core components in ESMC 7 must be installed?

For a perfect deployment, we recommend the following core components to be installed:

ESMC Web Console

ESET Management Agent

ESMC Server

Is ESET Free?

ESET isn’t free but you can get a 30 day full-featured, free trial across all its 3 categories: Essential Protection, Advanced Protection and Ultimate Protection

Can you protect multiple devices using the free trial?

No. You can cover only 1 device during the trial but once you purchase the product, multiple devices can be secured via the ESET product of your choice.

Will ESET work if there is another pre-installed cybersecurity software?

It is best to uninstall any other software in the same category for this to work optimally.


Upcoming: 

We keep uploading new blogs quite frequently on our website- keep an eye out for those.

Lastly, if you need help with more such IT Solutions, feel free to reach out to us. We’ll be happy to resolve your queries. 


Sophos SSL VPN – Save Password

Sophos SSL VPN is a VPN software that establishes a highly encrypted and secure tunnel for remote workers to connect to. The end-to-end encrypted tunnel requires both an SSL Certificate and a username and password combination for authentication and to create a secure connection.

The Sophos SSL VPN Client does not allow you to save the username and password credentials by default. However, there is a workaround to save the username and password.

How to Save Password in a Sophos SSL VPN Client

  1. Create a text file with the username on one line and the password on the next line.
  2. Save the file with the name Password.txt.
  3. Save it to the path “C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config”.
  4. Run Notepad with administrative privileges.
  5. Open the configuration file in the above location. Scroll down to the line “auth-user-pass” and update it to:
    auth-user-pass password.txt

That’s it! You should now be able to just double click the Sophos SSL VPN Client icon and it will log in automatically without you having to enter the credentials.

Disclaimer:

However, we would like to bring to your notice that we do not endorse this, because if your system’s security gets compromised (for example, a hack), the stored credentials could fall into the wrong hands.

Upcoming:

We keep uploading new blogs every week on our website- keep an eye out for those.

Lastly, if you need help with more such IT Solutions, feel free to reach out to us. We’ll be happy to resolve your queries. 


Let’s Encrypt- Upgrade Win-Acme Version 1 to Version 2 

Win-Acme has reached end-of-life (EOL) for Version 1. Any renewals running on v1 will no longer work, so it has to be upgraded to win-acme v2 and the renewals imported from v1 into v2. This blog will walk you through how you can upgrade win-acme version 1 to version 2.

Let’s Encrypt is a non-profit Certificate Authority that provides TLS certificates. These are free certificates to protect the traffic between your website (domain) and visitors. TLS stands for Transport Layer Security and SSL (Secure Socket Layer) is its predecessor. 

TLS certificates are digital certificate files that are used to certify the ownership of a public key.

The Certificate Authority (CA) signs and certifies indicating that they have indeed verified it and that it indeed belongs to the owners of the said domain. 


What information is carried by a TLS or SSL certificate? 

TLS or SSL Certificates contain: 

  • Domain Name 
  • Sub-domain Name 
  • Organization Name 
  • Name of the CA
  • Date of Issuance and expiry 
  • Digital Signature 

Port 80 indicates HTTP: it connects users over an unencrypted connection.

Port 443 is the default port for the secure, encrypted protocol: it indicates HTTPS and connects users over a secure connection. The port carries the encrypted communication between the server and the browser.

What is Win-Acme?

Win-acme is an ACME (Automated Certificate Management Environment) client for Windows, hence the name. It is used with Let’s Encrypt and was formerly known as letsencrypt-win-simple (LEWS).

If you are considering using Let’s Encrypt, win-acme will provide you with an automated and reliable way to renew the certificate.

Ultimately, the most important aspect of any ACME client is the automatic renewal of the certificate. Win-acme creates a single scheduled task to renew all certificates on a server. This task does all the work to renew the certificates as soon as the first certificate is created.

This article will walk you through how you can perform the update: 

    1. Download win-acme v2.1.18.
    2. Extract the contents of the zip file to a folder on the C drive.
    3. Open the destination folder and run the file named “wacs.exe” (shown below) with administrative privileges.
    4. Select option “O” followed by option “I”. O manages renewals and I imports scheduled renewals from the previous version of win-acme. This will give you a list of options. You can go with the default options unless there are any settings that you need to modify.
    5. Now that you have imported the renewal tasks into the new client version, you can view and manage the renewals using option “A”, or you can directly select option “R”, which shows the number of renewals that are currently due.

Post-renewal and upgrade of Win-acme 

After the renewal is initiated, it will ask for the email address on which you would like to receive reminders and notifications.

As with the previous version, make sure that port forwarding for port 80 and port 443 has been set up to the server, and that the hostname used for the certificate SAN (Subject Alternative Name) resolves to that IP address. Otherwise, the verification by Let’s Encrypt will fail and the certificate renewal will end in an error.

Upcoming

We keep uploading new blogs quite frequently on our website- keep an eye out for those.

Lastly, if you need help with more such IT Solutions, feel free to reach out to us. We’ll be happy to resolve your queries. 

Firewall Audit Checklist: All that you need to know

Stringent standards such as SOX, PCI-DSS, and HIPAA are the reason why network security audits are getting good coverage these days. Your network’s safety and your business relationships with customers require you to ensure that the network is secure even if you don’t need to comply with any of these standards. Firewall audits are one good way to increase your chances of catching any threat or weakness present in your network security posture. They also help ensure that security controls and policy controls are being reviewed. Our Firewall Audit Checklist is meant to ease the process for you.

Infrassist recommends regular firewall audits, as firewalls require constant observation to provide optimum security for your enterprise. However, most companies assume that they are protected and do not perform a regular firewall audit. Here are some reasons why a firewall audit should be a regular practice:

  • Enterprises think that they did secure configuration, but it is not truly secure
  • Firewalls are not investigated on a day to day basis
  • Small things like a temporary rule or a disabled rule can cause security breaches
  • Firewalls are not logged into every day to check the dashboards
  • Backups are not configured well
  • Multi-factor authentication is missing

While a firewall audit may seem like a straightforward process, it requires as much effort as a security assessment does. Let’s look at the firewall audit checklist:

Gather all information (pre-audit):

  • Ensure to have copies of security policies
  • Safety Check for access to all firewall logs
  • Details on current network dynamics
  • Review documentation from previous audits
  • Find all relevant ISPs and VPNs
  • Get all firewall vendor information
  • Comprehend the setup of all key servers

Review the Change Management Process:

  • Check the procedures for rule-base maintenance
  • Analyze the process for firewall changes
  • Ensure whether all previous changes were authorized

Audit the Firewall’s Physical and OS Security:

  • Ensure that your management servers are physically secure
  • Check the access procedures to these restricted locations
  • Verify all vendor updates have been applied
  • Make sure the OS passes common hardening checks
  • Assess the procedures for device administration

Optimize Your Rule Base:

  • Delete redundant rules
  • Delete or disable unused objects
  • Evaluate the order of firewall rules for performance
  • Remove unused connections
  • Document the rules and changes for future reference
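Two of the rule-base items above, deleting redundant rules and evaluating rule order, can be checked mechanically rather than by eye. The following is an added example, not code from Infrassist or from any firewall vendor, that walks a simplified first-match-wins rule base and reports rules that are redundant (fully covered by an earlier rule with the same action), shadowed (fully covered by an earlier rule with the opposite action, so they can never fire) or left disabled. The rule model and the sample rule base are assumptions made for the example; real firewall rules also carry interface, direction and other attributes that this model leaves out.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "pass" or "block"
    proto: str               # "any", "tcp" or "udp"
    src: str                 # source network in CIDR notation
    dst: str                 # destination network in CIDR notation
    dports: tuple = ANY_PORT # inclusive destination port range
    enabled: bool = True


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    port_ok = outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1]
    return proto_ok and src_ok and dst_ok and port_ok


def audit_rules(rules):
    """Walk a first-match-wins rule base top to bottom and return findings.

    Each finding is (kind, rule_name, earlier_rule_name):
      redundant - fully covered by an earlier rule with the same action
      shadowed  - fully covered by an earlier rule with the opposite action,
                  so it can never fire (usually a sign of a broken intent)
      disabled  - a disabled rule left in the rule base (earlier_rule_name is None)
    """
    findings = []
    for i, rule in enumerate(rules):
        if not rule.enabled:
            findings.append(("disabled", rule.name, None))
            continue
        for earlier in rules[:i]:
            if earlier.enabled and covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((kind, rule.name, earlier.name))
                break
    return findings


# Constructed sample rule base, loosely modelled on pfSense-style rules.
SAMPLE_RULES = [
    Rule("allow-openvpn-clients",   "pass",  "any", "10.100.100.0/24", "0.0.0.0/0"),
    Rule("allow-vpn-to-fileserver", "pass",  "tcp", "10.100.100.0/24", "192.168.1.10/32", (445, 445)),
    Rule("block-guest-to-lan",      "block", "any", "192.168.20.0/24", "192.168.1.0/24"),
    Rule("allow-guest-printer",     "pass",  "tcp", "192.168.20.0/24", "192.168.1.50/32", (9100, 9100)),
    Rule("temp-allow-rdp",          "pass",  "tcp", "0.0.0.0/0",       "192.168.1.0/24", (3389, 3389), enabled=False),
    Rule("allow-lan-out",           "pass",  "any", "192.168.1.0/24",  "0.0.0.0/0"),
]


if __name__ == "__main__":
    for kind, name, earlier in audit_rules(SAMPLE_RULES):
        print(f"{kind:9} {name}" + (f"  (covered by {earlier})" if earlier else ""))
```

The shadowed printer rule is the instructive case: the administrator clearly intended guests to reach the printer, but the broader block rule above it wins, so the rule base does not do what its author thinks it does. Reordering, not deleting, is the fix there, whereas the redundant file-server rule can simply be removed, and the disabled temporary RDP rule is the kind of leftover the checklist says to clean up.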

Conduct a Risk Assessment:

  • Review industry best practices for methodology
  • Ask a series of thorough questions
  • Document your assessment and save it as a report

Improve Firewall Processes:

  • Replace error-prone manual tasks with automation
  • Make sure all auditing activities have been documented
  • Create an actionable firewall change workflow

If all the above steps are followed carefully, it is much easier to clear firewall audits. For a large set of firewalls, removing the margin for manual error makes the audit worth the cost and effort. While this checklist does not cover every scenario that engineers may encounter while evaluating firewalls, it does give a broader idea of the actions that engineers should take.

With decent experience in performing firewall audits, Infrassist has gained in-depth knowledge and expertise in performing firewall audits in diverse network scenarios. Look at a sample firewall report.