Archive for the ‘Quick Notes’ Category

Posted by keith.wirch at August 18, 2017

Category: Fortigate, Quick Notes

There isn’t really a way to create a GRE tunnel in the Fortigate GUI, but you can through the CLI.  I find this process to be FortiOS version agnostic.  Take the image below as reference.

Here is the CLI for Site 1:

config system gre-tunnel
edit "GRE-to-Site2"
set interface "wan"
set remote-gw 2.2.2.2    # Remote Firewall WAN IP
set local-gw 1.1.1.1    # Local Firewall WAN IP
next
end

Once the GRE tunnel object is configured, you need to set up the actual tunnel interface as shown.

config system interface
edit "GRE-to-Site2"
set vdom "root"
set ip 192.168.6.1 255.255.255.255    # Local GRE Tunnel IP
set allowaccess ping    # Might just need ping for troubleshooting.
set type tunnel
set remote-ip 192.168.6.2    # GRE Tunnel IP for the Remote side
set interface "wan"
next
end

I will not cover it in this guide, but you do need to create a route for 10.30.2.0/24 via the GRE tunnel.  Refer to the Fortigate documentation for creating a static route.  Do not forget to create a firewall policy to allow the traffic to traverse the tunnel.  Been there…  *shakes head*

Here is the CLI for Site 2:

The CLI here is very similar to Site 1, just flipped a little.

config system gre-tunnel
edit "GRE-to-Site1"
set interface "wan"
set remote-gw 1.1.1.1    # Remote Firewall WAN IP
set local-gw 2.2.2.2    # Local Firewall WAN IP
next
end

Now that the GRE tunnel object exists, configure the actual tunnel interface.

config system interface
edit "GRE-to-Site1"
set vdom "root"
set ip 192.168.6.2 255.255.255.255    # Local GRE Tunnel IP
set allowaccess ping    # Ping can be helpful for troubleshooting
set type tunnel
set remote-ip 192.168.6.1    # Remote Firewall GRE Tunnel IP
set interface "wan"
next
end

Again, do not forget to create your routes and firewall policies to allow the traffic to flow.

NOTE:  I find GRE tunnels to be the PERFECT opportunity to use 169.254.0.0/16 addresses.  Use them on the actual tunnel IPs, since they are not routable and are link-local according to RFC 5735.
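The two sites above have to mirror each other exactly (Site 1's local-gw is Site 2's remote-gw, and the tunnel IPs swap roles), and a typo in any of the four addresses leaves a tunnel that never comes up. The following is an added example, not code from the post or from Fortinet: a small Python helper that renders both CLI blocks for one side in the same shape as the post and cross-checks a pair of sites, flagging mirrored-value mismatches as errors and non-169.254.0.0/16 tunnel addresses as warnings per the note above. The dictionary keys (local_gw, remote_gw, tunnel_ip, remote_tunnel_ip) are this example's own naming. Keep in mind that GRE itself adds no encryption or authentication, so the firewall policy the post mentions is the only access control on what crosses the tunnel.

```python
import ipaddress

# RFC 5735 link-local block recommended in the post for tunnel addresses.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def fortios_gre_config(name, wan_if, local_gw, remote_gw, tunnel_ip,
                       remote_tunnel_ip, vdom="root"):
    """Render the two FortiOS CLI blocks (gre-tunnel object + tunnel interface)
    for one side of a GRE tunnel, in the same layout as the post's examples."""
    for addr in (local_gw, remote_gw, tunnel_ip, remote_tunnel_ip):
        ipaddress.IPv4Address(addr)   # ValueError on anything that is not IPv4
    if local_gw == remote_gw:
        raise ValueError("local-gw and remote-gw must differ")
    return "\n".join([
        "config system gre-tunnel",
        f'    edit "{name}"',
        f'        set interface "{wan_if}"',
        f"        set remote-gw {remote_gw}",
        f"        set local-gw {local_gw}",
        "    next",
        "end",
        "config system interface",
        f'    edit "{name}"',
        f'        set vdom "{vdom}"',
        f"        set ip {tunnel_ip} 255.255.255.255",
        "        set allowaccess ping",
        "        set type tunnel",
        f"        set remote-ip {remote_tunnel_ip}",
        f'        set interface "{wan_if}"',
        "    next",
        "end",
    ])


def check_gre_pair(site_a, site_b):
    """Cross-check the two sides. Returns (errors, warnings): errors are
    mirrored values that disagree (the tunnel will not come up), warnings
    are tunnel addresses outside the 169.254.0.0/16 block the post recommends."""
    errors, warnings = [], []
    mirrored = [("local_gw", "remote_gw"), ("remote_gw", "local_gw"),
                ("tunnel_ip", "remote_tunnel_ip"), ("remote_tunnel_ip", "tunnel_ip")]
    for key_a, key_b in mirrored:
        if site_a[key_a] != site_b[key_b]:
            errors.append(f"A {key_a}={site_a[key_a]} does not match "
                          f"B {key_b}={site_b[key_b]}")
    for label, site in (("A", site_a), ("B", site_b)):
        if ipaddress.IPv4Address(site["tunnel_ip"]) not in LINK_LOCAL:
            warnings.append(f"{label}: tunnel ip {site['tunnel_ip']} "
                            f"is not in {LINK_LOCAL}")
    return errors, warnings


# Constructed sample: the two sites exactly as the post configures them.
SITE1 = dict(name="GRE-to-Site2", wan_if="wan", local_gw="1.1.1.1",
             remote_gw="2.2.2.2", tunnel_ip="192.168.6.1",
             remote_tunnel_ip="192.168.6.2")
SITE2 = dict(name="GRE-to-Site1", wan_if="wan", local_gw="2.2.2.2",
             remote_gw="1.1.1.1", tunnel_ip="192.168.6.2",
             remote_tunnel_ip="192.168.6.1")

if __name__ == "__main__":
    errs, warns = check_gre_pair(SITE1, SITE2)
    print(fortios_gre_config(**SITE1))
    print(fortios_gre_config(**SITE2))
    print("errors:", errs)
    print("warnings:", warns)
```

Run against the post's addresses the checker reports no errors and two warnings (192.168.6.x is not link-local); swapping the tunnel IPs to 169.254.x.x silences the warnings.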

Posted by keith.wirch at December 9, 2016

Category: Networking, Quick Notes

ip flow-cache timeout active 5  # Five Minute Timeout
ip flow-export source FastEthernet0/0  # Source Address of the UDP Flow Datagrams
ip flow-export destination <IP Address> 9996

#interface config#
  ip route-cache flow  # Turns on Netflow for that interface
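The export lines above send UDP flow datagrams to a collector on port 9996; what arrives there is a fixed-layout binary record per flow. As an added example (not code from the post), here is a Python decoder for NetFlow v5 datagrams with a constructed two-flow sample, plus a per-destination-port byte total of the kind a collector computes first. The post does not state which export version is configured, so v5 is an assumption here; the sample datagram is built inline and is not a capture from a real router.

```python
import struct
from collections import namedtuple
from ipaddress import IPv4Address

# NetFlow v5 wire layout (big-endian): 24-byte header, then 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

Flow = namedtuple("Flow", "src dst nexthop in_if out_if pkts octets first last "
                          "sport dport tcp_flags proto tos")


def parse_netflow_v5(datagram):
    """Decode one exported UDP datagram into (header dict, list of Flow).
    Raises ValueError on a non-v5 version or a length/count mismatch."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, secs, nsecs, seq,
     eng_type, eng_id, sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine_type": eng_type,
              "engine_id": eng_id, "sampling": sampling}
    flows = []
    for i in range(count):
        (src, dst, nh, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, _src_as, _dst_as, _smask, _dmask,
         _pad2) = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append(Flow(str(IPv4Address(src)), str(IPv4Address(dst)),
                          str(IPv4Address(nh)), in_if, out_if, pkts, octets,
                          first, last, sport, dport, flags, proto, tos))
    return header, flows


def is_well_formed_v5(datagram):
    """True if the datagram parses cleanly; lets a collector drop truncated exports."""
    try:
        parse_netflow_v5(datagram)
        return True
    except ValueError:
        return False


def bytes_by_dst_port(flows):
    """Aggregate octets per destination port, a typical first cut on flow data."""
    totals = {}
    for f in flows:
        totals[f.dport] = totals.get(f.dport, 0) + f.octets
    return totals


def _record(src, dst, sport, dport, proto, pkts, octets, flags=0):
    # Builds one constructed record; AS numbers, masks and nexthop are filler.
    return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                       IPv4Address("0.0.0.0").packed, 1, 2, pkts, octets,
                       1000, 2000, sport, dport, 0, flags, proto, 0,
                       0, 0, 24, 24, 0)


# Constructed sample datagram: a DNS query and an SSH session, two flows total.
SAMPLE = (HEADER.pack(5, 2, 123456, 1480000000, 0, 0, 0, 0, 0)
          + _record("10.30.2.15", "8.8.8.8", 51000, 53, 17, 1, 72)
          + _record("10.30.2.15", "192.0.2.10", 51001, 22, 6, 40, 5120, 0x12))

if __name__ == "__main__":
    hdr, flows = parse_netflow_v5(SAMPLE)
    print(hdr)
    for f in flows:
        print(f)
    print(bytes_by_dst_port(flows))
```

The length check matters in practice: UDP export is fire-and-forget, and a collector that trusts the count field without checking it against the datagram size will read past the buffer on a truncated packet.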

Posted by keith.wirch at November 6, 2016

Category: Fortigate, Networking, Quick Notes

Here are some quick notes about working with DHCP on a Fortigate firewall.  It is pretty common to have to work with it when you have a small office firewall.  I would not recommend using the DHCP Server service on these firewalls in a large production environment.  Microsoft makes a pretty good one as a role in their server.

Showing/Clearing a DHCP Lease List

exec dhcp lease-list  #show current list on DHCP lease
execute dhcp lease-clear <ip address> #clear the DHCP lease of a specific ip
execute dhcp lease-clear all  #clear all the DHCP leases

Setting a DHCP reservation on FortiOS 5.x

config system dhcp server  #Brings you into config mode of DHCP
edit 1 #This number depends on which scope you are adding the reservation to.  Use "show" to display them all.
config reserved-address
edit 1  #Increment this number for each reservation you need
set ip <ip address>
set mac <MAC Formatted 99:99:99:33:33:33>
next
end
next
end

Setting a DHCP reservation on pre-FortiOS 5.x

config system dhcp reserved-address
edit "My_Reservation"
set ip <ip address>
set mac <MAC Formatted 99:99:99:33:33:33>
next
end
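Reservations tend to arrive as a spreadsheet of names, IPs and MACs copied from Windows (00-1A-2B-...), Cisco (001a.2b3c....) or a label, while `set mac` wants the colon form shown above, and a reservation outside the scope or a MAC reserved twice is silently wrong. As an added example (not code from the post or from Fortinet), the Python below normalizes MAC formats, checks an inventory against its scope, and renders either the 5.x `config system dhcp server` form or the pre-5.x `config system dhcp reserved-address` form. The `server_id` argument is the `edit N` index of the scope, and the inventory is constructed for the example.

```python
import ipaddress
import re


def normalize_mac(mac):
    """Accept 99:99:99:33:33:33, 99-99-99-33-33-33, 9999.9933.3333 or
    999999333333 and return the colon-separated form used by 'set mac'."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac.strip()):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def reservation_problems(scope, reservations):
    """Return the reasons an inventory of (name, ip, mac) should not be pushed:
    an address outside the scope, or an IP or MAC reserved more than once."""
    net = ipaddress.ip_network(scope)
    problems, seen_ip, seen_mac = [], set(), set()
    for name, ip, mac in reservations:
        addr = ipaddress.IPv4Address(ip)
        m = normalize_mac(mac)
        if addr not in net:
            problems.append(f"{name}: {ip} is outside scope {scope}")
        if addr in seen_ip:
            problems.append(f"{name}: {ip} reserved more than once")
        if m in seen_mac:
            problems.append(f"{name}: {m} reserved more than once")
        seen_ip.add(addr)
        seen_mac.add(m)
    return problems


def dhcp_reservations(server_id, scope, reservations, legacy=False):
    """Render FortiOS CLI for the inventory. server_id is the 'edit N' index of
    the DHCP scope on a 5.x box; legacy=True emits the pre-5.x form instead."""
    problems = reservation_problems(scope, reservations)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    if legacy:
        lines.append("config system dhcp reserved-address")
        for name, ip, mac in reservations:
            lines += [f'    edit "{name}"',
                      f"        set ip {ip}",
                      f"        set mac {normalize_mac(mac)}",
                      "    next"]
        lines.append("end")
    else:
        lines += ["config system dhcp server", f"    edit {server_id}",
                  "        config reserved-address"]
        for n, (_name, ip, mac) in enumerate(reservations, 1):
            lines += [f"            edit {n}",
                      f"                set ip {ip}",
                      f"                set mac {normalize_mac(mac)}",
                      "            next"]
        lines += ["        end", "    next", "end"]
    return "\n".join(lines)


# Constructed sample inventory in two different MAC notations; not a real site.
RESERVATIONS = [("printer", "10.30.2.50", "00-1A-2B-3C-4D-5E"),
                ("nas", "10.30.2.51", "001a.2b3c.4d5f")]

if __name__ == "__main__":
    print(dhcp_reservations(1, "10.30.2.0/24", RESERVATIONS))
    print(dhcp_reservations(1, "10.30.2.0/24", RESERVATIONS, legacy=True))
```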

Posted by keith.wirch at November 3, 2016

Category: Batch, Quick Notes, Windows

Quick notes on working with Windows services.  Windows Update will be our guinea pig.  The Windows Update service name is “wuauserv”.  You can get the service name of any service from the output of:

powershell get-service

Or, if you prefer the GUI, you can open the properties of a service via the Services console.

Windows Update Service

Stopping and Disabling a Service at Startup

sc config wuauserv start= disabled
[options]
boot
system
auto
demand
disabled
delayed-auto

Starting, Stopping, Checking Status of a Service

sc start wuauserv    #Start a Service
sc stop wuauserv     #Stop a Service
sc query wuauserv    #Check Status of a Service
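After changing a start type with `sc config`, `sc qc <name>` and `sc query <name>` are how you confirm the result, and across a fleet you want that check automated so a service that has been disabled (or re-enabled) without a change record stands out. As an added example, not code from the post, the Python below parses the KEY : value layout those two commands print, decodes the numeric START_TYPE and STATE codes, and reports drift between an expected baseline and what `sc qc` actually shows. The sample outputs are constructed in sc.exe's layout rather than captured from a host, and the `start_type_drift` helper and its baseline dictionary are this example's own.

```python
import re

# Codes sc.exe prints before the label in START_TYPE and STATE fields.
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}
STATES = {1: "STOPPED", 2: "START_PENDING", 3: "STOP_PENDING", 4: "RUNNING",
          5: "CONTINUE_PENDING", 6: "PAUSE_PENDING", 7: "PAUSED"}


def parse_sc_output(text):
    """Turn the 'KEY : value' lines printed by 'sc query' / 'sc qc' into a dict.
    Lines without a KEY (the [SC] banner, flag lists in parentheses) are skipped."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    return info


def _code(value):
    # 'STATE : 4  RUNNING' and 'START_TYPE : 3   DEMAND_START' carry the
    # numeric code first; the number is what we key on, not the label.
    return int(value.split()[0])


def service_start_type(qc_text):
    """Decode START_TYPE from 'sc qc <name>' output."""
    code = _code(parse_sc_output(qc_text)["START_TYPE"])
    return START_TYPES.get(code, f"UNKNOWN({code})")


def service_state(query_text):
    """Decode STATE from 'sc query <name>' output."""
    code = _code(parse_sc_output(query_text)["STATE"])
    return STATES.get(code, f"UNKNOWN({code})")


def start_type_drift(baseline, observed_qc):
    """Compare expected start types with captured 'sc qc' output per service.
    Returns {service: (expected, actual)} for every mismatch."""
    drift = {}
    for name, expected in baseline.items():
        actual = service_start_type(observed_qc[name])
        if actual != expected:
            drift[name] = (expected, actual)
    return drift


# Constructed sample output in sc.exe's layout, as it would look after
# 'sc config wuauserv start= disabled' and 'sc stop wuauserv'.
SAMPLE_QC = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Update
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
"""

SAMPLE_QUERY = """
SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

if __name__ == "__main__":
    print(service_start_type(SAMPLE_QC), service_state(SAMPLE_QUERY))
    print(start_type_drift({"wuauserv": "DEMAND_START"}, {"wuauserv": SAMPLE_QC}))
```

Keying on the numeric code rather than the label keeps the parser working when `sc qc` prints `AUTO_START  (DELAYED)` for a delayed-auto service, since the code is still 2.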