Posted by keith.wirch at September 13, 2017

Category: CCNP Notes

HSRP (Hot Standby Router Protocol) - Cisco proprietary
  Terminology: Active / Standby
  Virtual MAC: All participants share the MAC address, which passes to whoever is the active gateway.
  Communication method: IP multicast to 224.0.0.2 (v1, popular) or 224.0.0.102 (v2)
  Authentication options: Default: None; Plain Text; MD5
  Active selection: Highest Priority wins!  Default: 100
  Timers: HELLO - messages exchanged between routers.  Default is 3 seconds.
          HOLD - how long a router waits without receiving a Hello before it assumes the Active is gone.  Default is 10 seconds.
  Preemption default: Off

VRRP (Virtual Router Redundancy Protocol) - multi-vendor
  Terminology: Master / Backup
  Virtual MAC: All participants share the MAC address, which passes to whoever is the master gateway.
  Communication method: IP multicast to 224.0.0.18 (IPv4) or FF02::12 (IPv6)
  Authentication options: Default: None; Plain Text; MD5
  Active selection: Highest Priority wins!  Default: 100
  Timers: Similar to HSRP.  Hello default is 1 second and the Hold timer is 3 seconds.
  Preemption default: On

GLBP (Gateway Load Balancing Protocol) - Cisco proprietary
  Terminology: Active Virtual Gateway (AVG) / Standby Virtual Gateway (SVG) / Active Virtual Forwarder (AVF)
  Virtual MAC: Gateway MAC is different for each member within the group.
  Communication method: IP multicast to 224.0.0.102
  Authentication options: Default: None; Plain Text
  Active selection: Highest Priority wins!  An SVG is still chosen, but the rest are in a listen state.  Default: 100
  Timers: Again, similar to HSRP.  Hello default is 3 seconds and the Hold timer is 10 seconds.
  Preemption default: Off

Some of these were taken from here.  But I put a little of my own spin on it.
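As an added example (not part of the original post), here is a small decoder for the HSRP v1 message format from RFC 2281 (UDP port 1985 to 224.0.0.2, the first column above), plus an audit that flags the Hello messages a defender would not expect: a source other than the known Active advertising an equal or higher priority (highest priority wins), or an empty/default authentication string. The sample packets and the baseline are constructed; the IOS default authentication string "cisco" is a known fact rather than something from the post.

```python
import struct
from ipaddress import IPv4Address

# HSRP v1 (RFC 2281) rides in UDP port 1985 to 224.0.0.2 as a fixed 20-byte payload.
HSRP_V1_FMT = "!BBBBBBBB8s4s"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}

def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode one HSRP v1 message into the fields the comparison above talks about."""
    if len(payload) < 20:
        raise ValueError("HSRP v1 payload is shorter than 20 bytes")
    (version, opcode, state, hello, hold, priority, group,
     _reserved, auth, vip) = struct.unpack(HSRP_V1_FMT, payload[:20])
    if version != 0:  # RFC 2281: the version byte is 0 for HSRP v1
        raise ValueError(f"not an HSRP v1 message (version byte {version})")
    return {"opcode": OPCODES.get(opcode, f"unknown({opcode})"), "state": state,
            "hello_time": hello, "hold_time": hold, "priority": priority, "group": group,
            "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_ip": str(IPv4Address(vip))}

def build_hsrp_v1(opcode, state, priority, group, auth, vip, hello=3, hold=10) -> bytes:
    """Pack a message with the same layout; used only to build the constructed samples."""
    return struct.pack(HSRP_V1_FMT, 0, opcode, state, hello, hold, priority, group, 0,
                       auth.encode("ascii").ljust(8, b"\x00"), IPv4Address(vip).packed)

def audit_hellos(packets, baseline):
    """Flag Hellos that could displace a group's expected Active router.
    packets: iterable of (source_ip, payload); baseline: {group: (active_ip, priority)}."""
    findings = []
    for src, payload in packets:
        msg = parse_hsrp_v1(payload)
        if msg["opcode"] != "Hello":
            continue
        if msg["group"] not in baseline:
            findings.append((src, msg["group"], "hello for a group not in the baseline"))
            continue
        exp_src, exp_prio = baseline[msg["group"]]
        # Highest priority wins, so a stranger at or above the Active's priority can take over.
        if src != exp_src and msg["priority"] >= exp_prio:
            findings.append((src, msg["group"],
                             f"unexpected source advertises priority {msg['priority']} >= {exp_prio}"))
        if msg["auth"] in ("", "cisco"):  # empty, or the IOS default string "cisco"
            findings.append((src, msg["group"], "no effective authentication"))
    return findings

# Constructed sample traffic: the real Active at priority 100 and a stranger claiming 255.
SAMPLE_PACKETS = [("10.0.0.2", build_hsrp_v1(0, 16, 100, 1, "cisco", "10.0.0.1")),
                  ("10.0.0.50", build_hsrp_v1(0, 4, 255, 1, "cisco", "10.0.0.1"))]
SAMPLE_BASELINE = {1: ("10.0.0.2", 100)}
```

Feed it the UDP payloads from a capture on the gateway VLAN and a baseline of the routers that are supposed to be there; anything it returns is worth a look.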

Posted by keith.wirch at August 18, 2017

Category: Fortigate, Quick Notes

There isn’t really a way to create a GRE tunnel in the Fortigate GUI, but you can through the CLI.  I find this process to be FortiOS version agnostic.  Take the image below as reference.

Here is the CLI for Site 1:

config system gre-tunnel
edit "GRE-to-Site2"
set interface "wan"
set remote-gw 2.2.2.2    # Remote Firewall WAN IP
set local-gw 1.1.1.1    # Local Firewall WAN IP
next
end

Once the GRE Tunnel is configured, you need to setup the actual interface as shown.

config system interface
edit "GRE-to-Site2"
set vdom "root"
set ip 192.168.6.1 255.255.255.255    # Local GRE Tunnel IP
set allowaccess ping    # Might just need ping for troubleshooting.
set type tunnel
set remote-ip 192.168.6.2    # GRE Tunnel IP for the Remote side
set interface "wan"
next
end

I will not cover it in this guide, but you do need to create a route for 10.30.2.0/24 via the GRE tunnel.  Refer to the Fortigate documentation for creating a static route.  Do not forget to create a firewall policy to allow the traffic to traverse the tunnel.  Been there…  *shakes head*

Here is the CLI for Site 2:

The CLI here is very similar to Site 1.  Just flipped a little.

config system gre-tunnel
edit "GRE-to-Site1"
set interface "wan"
set remote-gw 1.1.1.1    # Remote Firewall WAN IP
set local-gw 2.2.2.2    # Local Firewall WAN IP
next
end

Now configure the actual interface since the GRE tunnel config is made.

config system interface
edit "GRE-to-Site1"
set vdom "root"
set ip 192.168.6.2 255.255.255.255    # Local GRE Tunnel IP
set allowaccess ping    # Ping can be helpful for troubleshooting
set type tunnel
set remote-ip 192.168.6.1    # Remote Firewall GRE Tunnel IP
set interface "wan"
next
end

Again, do not forget to create your routes and firewall policies to allow the traffic to flow.

NOTE:  I find GRE tunnels to be the PERFECT opportunity to use 169.254.0.0/16 addresses.  Use them on the actual tunnel IPs since they are not routable and are link-local according to RFC 5735.

Posted by keith.wirch at August 17, 2017

Category: CCNP Notes

Access
This will put the interface in a permanent non-trunking mode.  With the exception of a Voice VLAN, only one VLAN will pass over this port.  The port will NEVER become a trunking port.

Trunk
This will put the interface in a permanent trunking mode.  Only the VLANs allowed on the trunk will pass.  VTP will also pass traffic over this port.  DTP packets will be sent to ask the other side to become a trunk.  If the other side does not respond, the port will become a trunk anyway.

Nonegotiate
This will cause the interface to not send DTP packets, meaning that it will not attempt to negotiate as a trunk.  But if the port does receive a DTP packet asking it to become a trunk, it will become a trunk.

Dynamic Desirable
When a port comes up with this configuration, it will ask the other side “Hey, wanna be a Trunk?”.  In other words, it will actively try to be a trunk.  But it will fall back to functioning as an access port if needed.

Dynamic Auto (DEFAULT)
In this configuration, the port will become a trunk if asked to, but otherwise it just stays a regular access port.

Posted by keith.wirch at January 26, 2017

Category: Uncategorized

#Netflow Setup (FortiOS exports this via sFlow)
config system sflow
set collector-ip <Collector IP>
set collector-port 2055
set source-ip <LAN IP Address>
end
config system interface
edit <LAN Interface>
set sflow-sampler enable
set sample-rate 10
set polling-interval 1
next
end

#SNMP Setup
config system interface
edit <Lan Interface>
set allowaccess ping https ssh snmp fgfm  #Be sure to include SNMP
next
end
config system snmp sysinfo
set description <Device Description>
set location <Device Location>
set status enable
end
config system snmp community
edit 1
set events cpu-high mem-low fm-if-change fm-conf-change
config hosts
edit 1
set ip <SNMP Collector IP>
next
end
set name <SNMPv2 Community String>
set trap-v1-status disable
next
end

Posted by keith.wirch at December 9, 2016

Category: Networking, Quick Notes

ip flow-cache timeout active 5  # Five Minute Timeout
ip flow-export source FastEthernet0/0  # Source Address of the UDP Flow Datagrams
ip flow-export destination <IP Address> 9996

#interface config#
  ip route-cache flow  # Turns on Netflow for that interface

Posted by keith.wirch at November 22, 2016

Category: Email, Linux, Servers

I feel these are poorly documented so I’ll post em here for easy reference for myself.

IMAP:  <box hostname>  ;  Port 993  ;  SSL/TLS  ;  Normal Password for Authentication
SMTP:  <box hostname>  ;  Port 587  ;  STARTTLS  ;  Normal Password for Authentication

 

Posted by keith.wirch at November 6, 2016

Category: Fortigate, Networking, Quick Notes

Here are some quick notes about working with DHCP on a Fortigate firewall.  It is pretty common to have to work with it when you have a small office firewall.  I would not recommend using the DHCP Server service on these firewalls in a large production environment.  Microsoft makes a pretty good one as a role in their server.

Showing/Clearing a DHCP Lease List

exec dhcp lease-list  #show current list on DHCP lease
execute dhcp lease-clear <ip address> #clear the DHCP lease of a specific ip
execute dhcp lease-clear all  #clear all the DHCP leases

Setting DHCP reservation on FortiOS 5.x

config system dhcp server  #Brings you into config mode of DHCP
edit 1  #This number depends on which scope you are adding the reservation to.  Use "show" to display them all.
config reserved-address
edit 1  #Increment this number for each reservation you need
set ip <ip address>
set mac <MAC Formatted 99:99:99:33:33:33>
next
end
next
end

Setting DHCP reservation on Pre-FortiOS5.x

config system dhcp reserved-address
edit "My_Reservation"
set ip <ip address>
set mac <MAC Formatted 99:99:99:33:33:33>
next
end

Posted by keith.wirch at November 3, 2016

Category: Batch, Quick Notes, Windows

Quick notes on working with Windows Services.  Windows Update will be our Guinea Pig.  The Windows Update service name is “wuauserv”.  You can get the service name of any service from the output of:

powershell get-service

Or, if you prefer the GUI, you can open the properties of a service via the Services console.

Windows Update Service

Stopping and Disabling a Service at Startup

sc config wuauserv start= disabled
[options]
boot
system
auto
demand
disabled
delayed-auto

Starting, Stopping, Checking Status of a Service

sc start wuauserv    #Start a Service
sc stop wuauserv     #Stop a Service
sc query wuauserv    #Check Status of a Service

 


 

Posted by keith.wirch at January 9, 2016

Category: Uncategorized

Being super pumped for the new Let's Encrypt project, I signed up for it shortly after the beta and started using it on some production web servers.  As of this posting, I haven’t done it on this web server… obviously.  But I should do that soon.  A couple of customers use Owncloud and DAVdroid to sync their files, which works great, but they kept getting this error message on their phones.

daV-Error

Well that got really annoying quick and many times caused syncing to fail. People got mad… I got called… meh.  IT Happens.

It seems there is an X1 chain of certificates that is not trusted, or a link in the chain is simply unknown to Android.  To fix this, we just need to add a link to the chain to let it know.  Full disclosure though, I did not think of this on my own.  I found the answer on this page.

https://community.letsencrypt.org/t/cert-not-work-in-firefox/5272/10

The error appears in Firefox too, it seems, for the same reasons.  The last post in the thread shows what you need to do.  Those of you with Nginx should be able to do something similar, but this was the solution for me with all my Apache servers.  Here is the solution from the last post in the thread.

cd /etc/letsencrypt/archive/yourdomain/
wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
nano /etc/apache2/mods-available/ssl.conf    # the Apache SSL config file
# add SSLCertificateChainFile "/etc/letsencrypt/archive/yourdomain/lets-encrypt-x1-cross-signed.pem" to the config file before </IfModule>
# save, exit and restart Apache

This will give whatever client, be it Firefox or DAVdroid, the links in the certificate chain it needs to trust the certificate.  I’m not an expert in certificates but I am assuming this is a short-lived bug in the project.

Props to the Let's Encrypt project and its sponsors for this.  This is huge and will change the internet for the better.

Posted by keith.wirch at July 23, 2014

Category: Cryptography, Linux

In this tutorial I will cover how to setup a LUKS encrypted drive to be mounted with a keyfile and then have it mounted at boot.  It is recommended that you keep the keyfile on an encrypted drive but that’s your business, not mine.  For the purposes of the tutorial I will be using /dev/sdb to be my example drive.

CREATE KEYFILE

You will need to pick a folder to keep your keyfile in.  Fill that file with whatever you want, or run this command to make one full of random data.  It does not need to be /etc/secretfolder/keyfile.

sudo dd if=/dev/urandom of=/etc/secretfolder/keyfile bs=1024 count=6
sudo chmod 0400 /etc/secretfolder/keyfile    # only root should be able to read the key

DRIVE FORMAT

First you will need to set up the encrypted drive.  For this part we will use fdisk because it is quite easy to use.  Type m if you need some help.  My example below shows the general flow you need.  Delete all the partitions on the drive and then create a partition.  WARNING!  THIS WILL DELETE ALL DATA ON THE DRIVE

sudo fdisk /dev/sdb

Command (m for help): d
 Selected partition 1

Command (m for help): d
 No partition is defined yet!

Command (m for help): p

Disk /dev/sdb: 250.1 GB, 250059348992 bytes
 255 heads, 63 sectors/track, 30401 cylinders, total 488397166 sectors
 Units = sectors of 1 * 512 = 512 bytes
 Sector size (logical/physical): 512 bytes / 512 bytes
 I/O size (minimum/optimal): 512 bytes / 512 bytes
 Disk identifier: 0x000be3dd

Device Boot      Start         End      Blocks   Id  System

Command (m for help): b
 There is no *BSD partition on /dev/sdb.

Command (m for help): n
 Partition type:
 p   primary (0 primary, 0 extended, 4 free)
 e   extended
 Select (default p): p
 Partition number (1-4, default 1):
 Using default value 1
 First sector (2048-488397165, default 2048):
 Using default value 2048
 Last sector, +sectors or +size{K,M,G} (2048-488397165, default 488397165):
 Using default value 488397165

Command (m for help): w
 The partition table has been altered!

Encryption Filesystem

You are going to need a few kernel modules in order to properly get some encryption out of cryptsetup.

sudo modprobe dm-crypt
sudo modprobe sha256
sudo modprobe aes

If you get an error with these modules, refer to this bug report.  You may need to use their workaround.

sudo cryptsetup luksFormat /dev/sdb1 -c aes -s 256 -h sha256    # initialise LUKS on the new partition (prompts for a passphrase)
sudo cryptsetup luksAddKey /dev/sdb1 /etc/secretfolder/keyfile    # add the keyfile as a second key; luksAddKey alone fails on a partition that is not LUKS yet

Now mount your new encrypted partition and create a filesystem.

sudo cryptsetup luksOpen /dev/sdb1 crypt
sudo mkfs -t ext3 /dev/mapper/crypt

This part could take a while if you have a slow computer.

CREATE STARTUP ITEMS

Open up /etc/crypttab and add a line like this.

crypt     /dev/sdb1     /etc/secretfolder/keyfile     luks

If you want to, you can use the UUID of your drive instead of /dev/sdb1 in the line above.

Now open up /etc/fstab and add a new entry at the bottom like so.  The mount point (/media/sdb1 here) has to exist before anything can be mounted on it.

# Mount Encrypted FileSystem (create the mount point first: sudo mkdir -p /media/sdb1)
/dev/mapper/crypt     /media/sdb1     ext3     defaults     0     2

BOOM!  You are done son!  Reboot and see that it mounts, or you can run sudo mount -a to mount everything listed in fstab.
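As an added check (not part of the original tutorial), this Python script parses crypttab and fstab text in the format used above and reports the mistakes that make the boot-time mount fail or expose the key: a mapper name with no matching fstab entry, fstab mounting the raw partition instead of /dev/mapper/<name>, a missing keyfile, or a keyfile readable by group/other. The crypttab/fstab contents it is fed and the keyfile it creates are constructed for the demo; hand parse_crypttab/parse_fstab the contents of the real files to check a live system.

```python
import os
import tempfile

def parse_crypttab(text):
    """Return one dict per crypttab entry: name, device, keyfile (or None), options list."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        keyfile = fields[2] if len(fields) > 2 and fields[2] != "none" else None
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append({"name": fields[0], "device": fields[1], "keyfile": keyfile, "options": options})
    return entries

def parse_fstab(text):
    """Return {device_or_mapper: mount_point} for each non-comment fstab line."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            mounts[fields[0]] = fields[1]
    return mounts

def audit_crypt_setup(crypttab_text, fstab_text):
    """Cross-check each crypttab entry against fstab and the keyfile it names."""
    findings, mounts = [], parse_fstab(fstab_text)
    for e in parse_crypttab(crypttab_text):
        mapper = f"/dev/mapper/{e['name']}"
        if mapper not in mounts:
            findings.append(f"{e['name']}: no fstab entry mounts {mapper}")
        if e["device"] in mounts:
            findings.append(f"{e['name']}: fstab mounts the raw device {e['device']} instead of {mapper}")
        # The keyfile unlocks the disk at boot: it must exist and be unreadable by group/other.
        if e["keyfile"] and not os.path.exists(e["keyfile"]):
            findings.append(f"{e['name']}: keyfile {e['keyfile']} does not exist")
        elif e["keyfile"] and os.stat(e["keyfile"]).st_mode & 0o077:
            findings.append(f"{e['name']}: keyfile {e['keyfile']} is readable by group/other")
    return findings

def make_demo_keyfile(mode=0o600):
    """Throwaway keyfile of random bytes (like the dd step above); for the demo only."""
    fd, path = tempfile.mkstemp(prefix="demo-keyfile-")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(64))
    os.chmod(path, mode)
    return path
```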