Posted by keith.wirch at December 18, 2017

Category: Quick Notes

The default gnome panel in Ubuntu 17.10 does not include the date; it only shows the day of the week.  Strange default if you ask me.  See the image below.

I much prefer to have the date on it, like you see below.

To do that, run the command below in any terminal window of your choice.

gsettings set org.gnome.desktop.interface clock-show-date true

If you regret your decision, set the clock-show-date boolean to false and it will remove the date.

Posted by keith.wirch at September 13, 2017

Category: CCNP Notes

Protocol
  HSRP (Hot Standby Router Protocol)
  VRRP (Virtual Router Redundancy Protocol)
  GLBP (Gateway Load Balancing Protocol)

Terminology
  HSRP: Active/Standby
  VRRP: Master/Backup
  GLBP: Active Virtual Gateway (AVG) / Standby Virtual Gateway (SVG) / Active Virtual Forwarder (AVF)

Virtual MAC
  HSRP: All participants share the MAC address, which passes to whoever is the active gateway.
  VRRP: All participants share the MAC address, which passes to whoever is the master gateway.
  GLBP: The gateway MAC is different for each member within the group.

Communication Method
  HSRP: IP Multicast (v1, the popular one; v2)
  VRRP: IP Multicast (IPv4); FF02::12 (IPv6)
  GLBP: IP Multicast

Authentication Options
  HSRP: Default: None; Plain Text
  VRRP: Default: None; Plain Text
  GLBP: Default: None; Plain Text

Active Selection
  HSRP: Highest priority wins! Default: 100
  VRRP: Highest priority wins! Default: 100
  GLBP: Highest priority wins! An SVG is still chosen, but the rest are in a listen state. Default: 100

Timers
  HSRP: HELLO - messages exchanged between routers; default is 3 seconds. HOLD - how long the router waits without receiving a Hello before it assumes the Active is gone; default is 10 seconds.
  VRRP: Similar to HSRP. Hello default is 1 second and the Hold timer is 3 seconds.
  GLBP: Again, similar to HSRP. Hello default is 3 seconds and the Hold timer is 10 seconds.

Preemption Defaults
  HSRP: Off
  VRRP: On
  GLBP: Off

Some of these were taken from here, but I put a little of my own spin on it.
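As an added example (not part of the original notes), here is a small Python decoder for an HSRPv1 Hello that reads the timer, priority and plain-text authentication fields the table lists and reports anything that departs from the defaults above. The field layout follows RFC 2281; the packet bytes are constructed for the demo, not captured.

```python
import struct

# HSRPv1 header (RFC 2281): eight one-byte fields, 8 bytes of plain-text
# authentication data, then the 4-byte virtual IP. 20 bytes in total.
HSRP_V1_LEN = 20
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
# Defaults from the table above: hello 3 s, hold 10 s, priority 100.
DEFAULT_HELLO, DEFAULT_HOLD, DEFAULT_PRIORITY = 3, 10, 100


def parse_hsrp_v1(payload):
    """Decode the UDP payload of an HSRPv1 packet into a dict of named fields."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError("payload shorter than an HSRPv1 header")
    version, opcode, state, hello, hold, prio, group, _reserved = struct.unpack(
        "!8B", payload[:8])
    if version != 0:  # HSRPv1 carries 0 in its version byte; v2 uses a TLV format
        raise ValueError("not an HSRPv1 packet")
    auth = payload[8:16].rstrip(b"\x00").decode("ascii", errors="replace")
    vip = ".".join(str(b) for b in payload[16:20])
    return {"opcode": OPCODES.get(opcode, opcode), "state": STATES.get(state, state),
            "hello": hello, "hold": hold, "priority": prio, "group": group,
            "auth": auth, "virtual_ip": vip}


def review_hello(pkt):
    """Notes a reviewer would want about a decoded Hello (empty list = all defaults)."""
    notes = []
    # With no authentication configured, Cisco IOS fills the field with the
    # plain-text string "cisco", so seeing it on the wire is the expected default.
    if pkt["auth"] == "cisco":
        notes.append("authentication is the plain-text default 'cisco'")
    if pkt["hold"] <= pkt["hello"]:
        notes.append("hold timer must exceed hello timer")
    if (pkt["hello"], pkt["hold"]) != (DEFAULT_HELLO, DEFAULT_HOLD):
        notes.append("non-default timers %ds/%ds" % (pkt["hello"], pkt["hold"]))
    if pkt["priority"] != DEFAULT_PRIORITY:
        notes.append("non-default priority %d" % pkt["priority"])
    return notes


# Constructed sample: a Hello from the Active router of group 1 for virtual IP
# 192.0.2.1 with default timers, default priority and the default auth string.
SAMPLE_HELLO = bytes([0, 0, 16, 3, 10, 100, 1, 0]) + b"cisco\x00\x00\x00" + bytes([192, 0, 2, 1])

if __name__ == "__main__":
    decoded = parse_hsrp_v1(SAMPLE_HELLO)
    print(decoded)
    print(review_hello(decoded))
```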

Posted by keith.wirch at August 18, 2017

Category: Fortigate, Quick Notes

There isn’t really a way to create a GRE tunnel in the Fortigate GUI, but you can through the CLI.  I find this process to be FortiOS version agnostic.  Take the image below as reference.

Here is the CLI for Site 1:

config system gre-tunnel
    edit "GRE-to-Site2"
        set interface "wan"
        set remote-gw <Remote Firewall WAN IP>    # Remote Firewall WAN IP
        set local-gw <Local Firewall WAN IP>    # Local Firewall WAN IP
    next
end

Once the GRE tunnel is configured, you need to set up the actual interface as shown.

config system interface
    edit "GRE-to-Site2"
        set vdom "root"
        set ip <Local GRE Tunnel IP> <Netmask>    # Local GRE Tunnel IP
        set allowaccess ping    # Might just need ping for troubleshooting.
        set type tunnel
        set remote-ip <Remote GRE Tunnel IP>    # GRE Tunnel IP for the Remote side
        set interface "wan"
    next
end

I will not cover it in this guide, but you do need to create a route via the GRE tunnel.  Refer to the Fortigate documentation for creating a static route.  Do not forget to create a firewall policy to allow the traffic to traverse the tunnel.  Been there…  *shakes head*

Here is the CLI for Site 2:

The CLI here is very similar to Site 1, just flipped a little.

config system gre-tunnel
    edit "GRE-to-Site1"
        set interface "wan"
        set remote-gw <Remote Firewall WAN IP>    # Remote Firewall WAN IP
        set local-gw <Local Firewall WAN IP>    # Local Firewall WAN IP
    next
end

Now configure the actual interface, since the GRE tunnel config is made.

config system interface
    edit "GRE-to-Site1"
        set vdom "root"
        set ip <Local GRE Tunnel IP> <Netmask>    # Local GRE Tunnel IP
        set allowaccess ping    # Ping can be helpful for troubleshooting
        set type tunnel
        set remote-ip <Remote GRE Tunnel IP>    # Remote Firewall GRE Tunnel IP
        set interface "wan"
    next
end

Again, do not forget to create your routes and firewall policies to allow the traffic to flow.

NOTE:  I find GRE tunnels to be the PERFECT opportunity to use link-local addresses.  Use them on the actual tunnel IPs, since they are not routable and are link-local according to RFC 5735.

Posted by keith.wirch at August 17, 2017

Category: CCNP Notes

Access
This will put the interface in a permanent non-trunking mode.  With the exception of a Voice VLAN, only one VLAN will pass over this port.  The port will NEVER become a trunking port.

Trunk
This will put the interface in a permanent trunking mode.  All VLANs allowed on the trunk will pass.  VTP will also pass traffic over this port.  DTP packets will be sent to ask the other side to become a trunk.  If the other side does not respond, the port will become a trunk anyway.

Nonegotiate
This will cause the interface to not send DTP packets, meaning that it will not attempt to negotiate as a trunk.  But if the port does receive a DTP packet asking it to become a trunk, it will become a trunk.

Dynamic Desirable
When a port comes up with this configuration, it will ask the other side “Hey, wanna be a Trunk?”.  In other words, it will actively try to be a trunk, but it will fall back to functioning as an access port if needed.

Dynamic Auto (DEFAULT)
In this configuration, the port will become a trunk if asked to, but otherwise it just stays a regular access port.
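As an added example (not part of the original notes), the following Python models the four switchport modes above (access, trunk, dynamic desirable, dynamic auto) as "is the state hard-coded, does the port ask to trunk, does it agree when asked", derives what two connected ports settle on, and lists the ports in an inventory whose state still depends on the peer. The port inventory is constructed for the demo.

```python
from collections import namedtuple

# Per-mode behaviour as described above: a fixed operational state (None when
# the port negotiates), whether it asks the peer to trunk, and whether it agrees
# when asked.
Mode = namedtuple("Mode", "fixed asks agrees")
MODES = {
    "access": Mode(fixed="access", asks=False, agrees=False),
    "trunk": Mode(fixed="trunk", asks=True, agrees=True),
    "dynamic desirable": Mode(fixed=None, asks=True, agrees=True),
    "dynamic auto": Mode(fixed=None, asks=False, agrees=True),   # the IOS default
}


def negotiate(local, remote):
    """Operational state of the link when ports with these two modes connect."""
    a, b = MODES[local], MODES[remote]
    if a.fixed and b.fixed:
        # Both sides are hard-coded; a trunk facing an access port is a mismatch.
        return a.fixed if a.fixed == b.fixed else "mismatch"
    if "access" in (a.fixed, b.fixed):
        return "access"   # the access side never trunks, so the link stays access
    if "trunk" in (a.fixed, b.fixed):
        dynamic_side = b if a.fixed else a
        return "trunk" if dynamic_side.agrees else "access"   # dynamic side accepts the DTP request
    # Both sides are dynamic: a trunk forms only if at least one side asks.
    return "trunk" if (a.asks or b.asks) else "access"


def ports_that_can_trunk(port_modes):
    """Ports whose state is decided by whatever the attached device sends.
    Pin these with a fixed mode when a trunk is not intended on that port."""
    return sorted(name for name, mode in port_modes.items() if MODES[mode].fixed is None)


if __name__ == "__main__":
    # Constructed inventory of a few edge ports and their configured modes.
    inventory = {"Gi1/0/1": "access", "Gi1/0/2": "dynamic auto", "Gi1/0/24": "trunk"}
    print(negotiate("dynamic auto", "dynamic desirable"))   # trunk
    print(negotiate("dynamic auto", "dynamic auto"))        # access
    print(ports_that_can_trunk(inventory))                  # ['Gi1/0/2']
```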

Posted by keith.wirch at January 26, 2017

Category: Uncategorized

#Netflow Setup
config system sflow
    set collector-ip <Collector IP>
    set collector-port 2055
    set source-ip <LAN IP Address>
end
config system interface
    edit <LAN Interface>
        set sflow-sampler enable
        set sample-rate 10
        set polling-interval 1
    next
end

#SNMP Setup
config system interface
    edit <LAN Interface>
        set allowaccess ping https ssh snmp fgfm  #Be sure to include SNMP
    next
end
config system snmp sysinfo
    set description <Device Description>
    set location <Device Location>
    set status enable
end
config system snmp community
    edit 1
        set name <SNMPv2 Community String>
        set events cpu-high mem-low fm-if-change fm-conf-change
        config hosts
            edit 1
                set ip <SNMP Collector IP>
            next
        end
        set trap-v1-status disable
    next
end

Posted by keith.wirch at December 9, 2016

Category: Networking, Quick Notes

ip flow-cache timeout active 5  # Five minute timeout
ip flow-export source FastEthernet0/0  # Source address of the UDP flow datagrams
ip flow-export destination <IP Address> 9996

#interface config#
  ip route-cache flow  # Turns on Netflow for that interface

Posted by keith.wirch at November 22, 2016

Category: Email, Linux, Servers

I feel these are poorly documented, so I’ll post them here for easy reference for myself.

IMAP:  <box hostname>  ;  Port 993  ;  SSL/TLS  ;  Normal Password for Authentication
SMTP:  <box hostname>  ;  Port 587  ;  STARTTLS  ;  Normal Password for Authentication

Posted by keith.wirch at November 6, 2016

Category: Fortigate, Networking, Quick Notes

Here are some quick notes about working with DHCP on a Fortigate firewall.  It is pretty common to have to work with them when you have a small office firewall.  I would not recommend using the DHCP Server service on these firewalls in a large production environment.  Microsoft makes a pretty good one as a role in their server.

Showing/Clearing a DHCP Lease List

execute dhcp lease-list  #show the current DHCP lease list
execute dhcp lease-clear <ip address>  #clear the DHCP lease of a specific ip
execute dhcp lease-clear all  #clear all the DHCP leases

Setting DHCP reservation on FortiOS 5.x

config system dhcp server  #Brings you into config mode of DHCP
    edit 1  #This number depends on which scope you are adding the reservation to.  Use "show" to display them all.
        config reserved-address
            edit 1  #Increment this number for each reservation you need
                set ip <ip address>
                set mac <MAC Formatted 99:99:99:33:33:33>
            next
        end
    next
end

Setting DHCP reservation on Pre-FortiOS5.x

config system dhcp reserved-address
    edit "My_Reservation"
        set ip <ip address>
        set mac <MAC Formatted 99:99:99:33:33:33>
    next
end

Posted by keith.wirch at November 3, 2016

Category: Batch, Quick Notes, Windows

Quick notes on working with Windows services.  Windows Update will be our guinea pig.  The Windows Update service name is “wuauserv”.  You can get the service name of any service from the output of:

powershell get-service

Or, if you prefer the GUI, you can open the properties of a service via the Services console.

Windows Update Service

Stopping and Disabling a Service at Startup

REM Stop the service, then keep it from starting at boot (note the space after "start=")
sc stop wuauserv
sc config wuauserv start= disabled

Starting, Stopping, Checking Status of a Service

REM Start a service
sc start wuauserv
REM Stop a service
sc stop wuauserv
REM Check the status of a service
sc query wuauserv

Posted by keith.wirch at January 9, 2016

Category: Uncategorized

Being super pumped for the new Let's Encrypt project, I signed up for it shortly after the beta and started using it on some production web servers.  As of this posting, I haven’t done that on this web server… obviously.  But I should do that soon.  A couple of customers use Owncloud and DAVdroid to sync their files, which works great, but they kept getting this error message on their phones.

Well, that got really annoying quickly and many times caused syncing to fail.  People got mad… I got called… meh.  IT happens.

It seems there is an X1 chain of certificates that is not trusted, or a link in the chain is just unknown to Android.  To fix this, we just need to add a link in the chain to let it know.  Full disclosure though: I did not think of this on my own.  I found the answer on this page.

The error appears in Firefox, it seems, for the same reasons.  The last post in the thread shows what you need to do.  Those of you with Nginx should be able to do something similar, but this was the solution for me on all my Apache servers.  Here is the solution from the last post in the thread.

cd /etc/letsencrypt/archive/yourdomain/
# edit the Apache config file
nano /etc/apache2/mods-available/ssl.conf
# add SSLCertificateChainFile "/etc/letsencrypt/archive/yourdomain/lets-encrypt-x1-cross-signed.pem" to the config file before </IfModule>
# save, exit, and restart Apache
service apache2 restart

This will give whatever client, be it Firefox or DAVdroid, the links in the certificate chain it needs to trust the certificate.  I’m not an expert in certificates, but I am assuming this is a short-lived bug in the project.

Props to the Let's Encrypt project and its sponsors for this.  This is huge and will change the internet for the better.