The dumpster fire that is Fortinet

I replaced four Palo 5060s with Fortinet FortiGate 1800Fs for cost savings at a prior employer. Not my idea. Saved a half million dollars over 3 years versus buying Palo 5200 series to replace the 5060s.
Yeah, that was the reason a local ISP I have a good relationship with switched from Cisco to Juniper, saved something like $15 million on just the contract cost, not to mention the much less expensive hardware.
Palo is, of course, extremely proud of their ish, and they have been for a while. But they are not without their own problems. We spent something insane (I think $3M) for a pair of 5450s to replace 5260s, because even though they weren't anywhere close to the bandwidth limits, we were hitting the session limits because we are defending a lot of IP space. Da fuq? I gotta replace a 1 million dollar firewall pair with a 3 million dollar pair of firewalls because we don't use very much NAT? I'd hate to see one of these things with an EMEA customer using real IPv6 space, they'd have a meltdown.

Also, you still can't negate sources and destinations in Palo, i.e. if this traffic is not from the US, then do XYZ with it. I mean Cisco had this feature 30 years ago. But anyway. I've fallen out of love with Palo, but, what else is there that's any good? I have not suffered a breach using Palo gear, I can at least say that much for it.
Yes, and Palo has had their own vulns recently in their SSL VPN, but they don't have the array of problems that Fortinet does, nobody does that I have seen. They are not the largest target, yet have an absolutely staggering number of security vulnerabilities discovered and exploited, seemingly quite regularly.
Ah yes we were talking about Fortinet. From a firewall admin perspective Fortigates aren't bad, the UI is pretty easy to work with both in the Web GUI and CLI. I'd take them over an old ASA any day from an ease of use perspective. But the software vulnerabilities make them unacceptable for use in any serious enterprise.

I got a call last year from the local Fortinet vendor rep, he had moved on to another job in a different company. Maybe saw the writing on the wall. Me and him were pretty tight for a while, we spent a lot of money with them a few years back at my prior employer. When I moved on in 2022 to a Palo shop he quit calling so much.

It's hard to believe FortiGate was in the Gartner Leaders Quadrant for Enterprise Firewalls in 2020. They have fallen hard since then.
Yeah, ASAs are/were clunky to work with, but were/are solid gear, if a bit antiquated (as were the PIX units they replaced). You'll laugh, but I've never had to deal with Palo, though I've seen a fair bit of it at various hospitals. Some medium sized hospitals use Meraki, though most of them are plain-Jane Cisco. Some also use Juniper. The odd one uses Aruba/HPE. I have some MSPs I deal with that use Fortinet, but I don't manage any of their equipment. I've also never used Barracuda, but have wanted to, have you used it?
 
And yet another (thanks @Rand ):
https://cyberpress.org/mass-exploitation-of-fortinet-0-day-vulnerability/?amp=1

In a joint cybersecurity effort, Mandiant and Fortinet have uncovered a significant vulnerability affecting FortiManager devices, tracked as CVE-2024-47575 (FG-IR-24-423), which could allow threat actors to wildly exploit FortiManager appliances and execute unauthorized commands or gain access to sensitive enterprise environments.

Details of the Exploitation

Mandiant’s investigation revealed a threat cluster, tagged UNC5820, actively exploiting the vulnerability as early as June 27, 2024.

The attackers used compromised FortiManager devices to access and exfiltrate configuration data from managed FortiGate appliances. This data included detailed system configurations, user metadata, and FortiOS256-hashed passwords.

The clown show continues! Stay tuned for the next chapter in "how the forti pwn3s"
 
Yet another update (@Rand is having way too much fun sending me these):
https://www.theregister.com/2025/01/14/miscreants_mass_exploited_fortinet_firewalls/

Miscreants running a "mass exploitation campaign" against Fortinet firewalls, which peaked in December, may be using an unpatched zero-day vulnerability to compromise the equipment, according to security researchers who say they've observed the intrusions.

The team report the networking gear maker has yet to link the malicious activity to a specific flaw, assign a CVE, or patch a related hole.

Arctic Wolf Labs' lead threat intelligence researcher Stefan Hostetler told The Register his colleagues noticed "a cluster of intrusions affecting Fortinet devices in the tens" beginning early last month and mostly occurring within three days of each other.

"The pattern of activity we observed was consistent with opportunistic widespread exploitation, given that each of the affected victim organizations had somewhere between hundreds to thousands of malicious login events on Fortinet firewall devices," Hostetler told us.

He added this number of break-ins only represents "a limited sample compared to the total actual number of devices that were likely affected."

In these attacks, the unknown criminals somehow gained access to Fortinet FortiGate firewalls with internet-exposed management interfaces. The lab reckons it's "highly probable" a zero-day – a flaw the vendor has been unaware of and has yet to patch – was used.

With this access, they altered the firewall configurations, used SSL VPN tunnels to maintain a connection to the compromised devices, and then began stealing credentials for lateral movement through the victims' networks.


🍿🍿🍿🍿🍿
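An added example, not part of the thread or of any vendor's tooling, showing how a defender might flag the pattern the quoted report describes: bursts of failed admin logins on a firewall management interface from outside the trusted management network, a successful login from that source, and a configuration change right after. The simplified key=value log format, the sample lines and the trusted management network are constructed assumptions, not captured FortiGate output.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a simplified key=value style (an assumption for this
# example, not captured FortiGate output): a burst of failed admin logins from an
# address outside the trusted management network, a success, then a config change.
SAMPLE_LOG = """\
time=2024-12-03T02:11:05 devname=fw-edge-1 user=admin srcip=198.51.100.23 action=login status=failed ui=https
time=2024-12-03T02:11:06 devname=fw-edge-1 user=admin srcip=198.51.100.23 action=login status=failed ui=https
time=2024-12-03T02:11:07 devname=fw-edge-1 user=admin srcip=198.51.100.23 action=login status=failed ui=https
time=2024-12-03T02:11:09 devname=fw-edge-1 user=admin srcip=198.51.100.23 action=login status=success ui=https
time=2024-12-03T02:11:30 devname=fw-edge-1 user=admin srcip=198.51.100.23 action=edit cfgpath=vpn.ssl.settings
time=2024-12-03T09:00:00 devname=fw-edge-1 user=netops srcip=10.20.0.5 action=login status=success ui=ssh
"""

# Networks from which management logins are expected (constructed for the example).
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/16")]
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    return dict(KV.findall(line))

def is_trusted(srcip):
    ip = ipaddress.ip_address(srcip)
    return any(ip in net for net in TRUSTED_MGMT)

def analyze(log_text, fail_threshold=3, window_seconds=60):
    """Return (finding, (device, srcip), detail) tuples for: failed-login bursts,
    successful management logins from untrusted sources, and config edits that
    follow a burst from the same source on the same device."""
    findings, fails, burst_sources = [], defaultdict(list), set()
    for line in log_text.strip().splitlines():
        e = parse(line)
        ts = datetime.fromisoformat(e["time"])
        key = (e["devname"], e["srcip"])
        if e.get("action") == "login" and e.get("status") == "failed":
            fails[key].append(ts)  # keep every failure, count only those inside the window
            recent = [t for t in fails[key] if (ts - t).total_seconds() <= window_seconds]
            if len(recent) >= fail_threshold and key not in burst_sources:
                burst_sources.add(key)
                findings.append(("failed_login_burst", key, len(recent)))
        elif e.get("action") == "login" and e.get("status") == "success" and not is_trusted(key[1]):
            findings.append(("untrusted_mgmt_login", key, e.get("ui")))
        elif e.get("action") == "edit" and key in burst_sources:
            findings.append(("config_edit_after_burst", key, e.get("cfgpath")))
    return findings
```

Run `analyze(SAMPLE_LOG)` to see the three findings; the trusted netops SSH login produces none.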
 
Supposedly that was patched today, but, there are so many holes I lost track. It might have been for something else.
There was at least one that wasn't even assigned a CVE yet: "no idea how it's happening" 🤯
That's what I want to hear from my security vendor... who is starting up a cybersecurity education center? 😂
 