Yuri Slobodyanyuk's blog on IT Security and Networkinghttps://yurisk.info/2024-02-05T11:35:25+00:00Fortigate - switch from NAT to transparent mode error fix2024-02-05T11:35:25+00:002024-02-05T11:35:25+00:00Yuri Slobodyanyuktag:yurisk.info,2024-02-05:/2024/02/05/fortigate-switch-from-nat-to-transparent-mode-error-fix/<div class="paragraph">
<p>When trying to switch a Fortigate from NAT mode to Transparent mode, we get an error about the FortiLink interface being in use. The official docs just say to remove FortiLink from all the settings that use it, but not how to find them. This article shows where and how.</p>
</div>
<div class="paragraph">
<p>The error:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>config sys settings
set opmode transparent
set manageip 10.13.13.13/24

Cannot change to Transparent mode because this vdom contains managed switches and switchctl-vlans.
Please clear managed-switches, disable fortilink and retry.
node_check_object fail! for opmode transparent
Attribute 'opmode' value 'transparent' checking fail -7610
Command fail. Return code -7610</pre>
</div>
</div>
<div class="paragraph">
<p>First thing is to look for <code>fortilink</code> in the config:</p>
</div>
<div class="listingblock">
<div class="content">
<pre># show | grep -i fortilink -f
config system interface
edit "fortilink" <---
set vdom "root"
set fortilink enable <---
set ip 10.255.1.1 255.255.255.0
set allowaccess ping fabric
set type aggregate
set lldp-reception enable
set lldp-transmission enable
set snmp-index 9
next
end
config system ntp
set ntpsync enable
set server-mode enable
set interface "fortilink" <---
end
config system dhcp server
edit 1
set ntp-service local
set default-gateway 10.255.1.1
set netmask 255.255.255.0
set interface "fortilink" <---
set vci-match enable
set vci-string "FortiSwitch" "FortiExtender"
next
end
config switch-controller storm-control-policy
edit "auto-config"
set description "storm control policy for fortilink-isl-icl port" <---
set storm-control-mode disabled
next
end</pre>
</div>
</div>
<div class="paragraph">
<p>All in all, <code>grep</code> hits in four places: the NTP server, the switch-controller storm-control policy, the interface itself under <code>config sys interface</code>, and the DHCP server.</p>
</div>
<div class="paragraph">
<p>The <code>cmdb</code> reference counter lists only the two real references (NTP and the DHCP server). It does not list the switch-controller policy, because that <code>grep</code> hit is just the word <em>fortilink</em> inside a free-text description, not a configuration reference; the interface definition itself is not a reference either:</p>
</div>
<div class="listingblock">
<div class="content">
<pre># diagnose sys cmdb refcnt show system.interface.name fortilink
entry used by table system.dhcp.server:id '1'
entry used by child table interface:interface-name 'fortilink' of complex system.ntp:interface.interface-name</pre>
</div>
</div>
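<div class="paragraph">
<p>The difference between a <code>grep</code> hit and a real reference is worth automating when the config is large. The script below is an added example, not code from the post or from Fortinet: it parses the FortiOS <code>config / edit / set / next / end</code> structure of a constructed copy of the <code>show</code> output above, separates objects that reference the interface through an attribute (what <code>diagnose sys cmdb refcnt show</code> reports) from lines that merely mention the word in free text, and prints the CLI that would clear each reference. The attribute names treated as references (<code>REF_ATTRS</code>) are an assumption for this example, not a FortiOS list.</p>
</div>

```python
"""Separate real references to a FortiOS object from free-text mentions.

Added example, not from the original post. Parses the FortiOS config
structure (config / edit / set / next / end) and reports which objects
reference an interface through an attribute whose value names another
object, versus lines that only contain the word in free text such as a
description (what a plain grep cannot tell apart).
"""
import shlex

# Constructed sample: a trimmed copy of the 'show | grep' output in the post.
SAMPLE_CONFIG = """\
config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 10.255.1.1 255.255.255.0
        set type aggregate
    next
end
config system ntp
    set ntpsync enable
    set server-mode enable
    set interface "fortilink"
end
config system dhcp server
    edit 1
        set default-gateway 10.255.1.1
        set interface "fortilink"
        set vci-string "FortiSwitch" "FortiExtender"
    next
end
config switch-controller storm-control-policy
    edit "auto-config"
        set description "storm control policy for fortilink-isl-icl port"
        set storm-control-mode disabled
    next
end
"""

# Attributes whose value names another object (assumption for this example).
REF_ATTRS = {"interface", "device", "srcintf", "dstintf", "member"}


def iter_settings(config_text):
    """Yield (table, entry, attribute, values) for every 'set' line.

    table is the space-joined 'config' path, e.g. 'system dhcp server';
    entry is the innermost 'edit' key, or None in singleton tables such
    as 'system ntp'. Nested 'config' blocks extend the table path.
    """
    tables, entries = [], []
    for raw in config_text.splitlines():
        words = shlex.split(raw)  # honours the double-quoted values
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword == "config":
            tables.append(" ".join(args))
            entries.append(None)
        elif keyword == "edit":
            entries[-1] = args[0]
        elif keyword == "next":
            entries[-1] = None
        elif keyword == "end":
            tables.pop()
            entries.pop()
        elif keyword == "set":
            entry = next((e for e in reversed(entries) if e is not None), None)
            yield " ".join(tables), entry, args[0], args[1:]


def find_references(config_text, name):
    """Return (references, text_mentions) for the interface called `name`."""
    references, mentions = [], []
    for table, entry, attribute, values in iter_settings(config_text):
        if table == "system interface" and entry == name:
            continue  # the object's own definition is not a reference to it
        if attribute in REF_ATTRS and name in values:
            references.append((table, entry, attribute))
        elif any(name in value for value in values):
            mentions.append((table, entry, attribute))
    return references, mentions


def cleanup_commands(references):
    """CLI that clears each reference: delete table entries, unset singleton attributes.

    Mirrors what the post does by hand; review before pasting, since deleting
    an entry (e.g. a DHCP server) removes everything it was serving.
    """
    lines = []
    for table, entry, attribute in references:
        lines.append(f"config {table}")
        lines.append(f"    delete {entry}" if entry is not None else f"    unset {attribute}")
        lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    refs, mentions = find_references(SAMPLE_CONFIG, "fortilink")
    print("references:", refs)
    print("text mentions only:", mentions)
    print(cleanup_commands(refs))
```

<div class="paragraph">
<p>Run against the sample it reports NTP and DHCP server "1" as references and the storm-control policy description as a text mention only, matching what <code>diagnose sys cmdb refcnt show</code> printed above. Feed it the full <code>show full-configuration</code> output to catch references a targeted <code>grep</code> would miss.</p>
</div>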
<div class="paragraph">
<p>Let’s see whether removing these references is enough:</p>
</div>
<div class="paragraph">
<p>Deleting DHCP server instance "1":</p>
</div>
<div class="listingblock">
<div class="content">
<pre># config sys dhcp server
(server) # del 1
(server) # end</pre>
</div>
</div>
<div class="paragraph">
<p>Disabling the NTP server mode that lists the fortilink interface (or you can point it at any other available interface):</p>
</div>
<div class="listingblock">
<div class="content">
<pre># config sys ntp
FortiGate(ntp) # show
config system ntp
set ntpsync enable
set server-mode enable
set interface "fortilink"
end
(ntp) # set server-mode disable
(ntp) # end</pre>
</div>
</div>
<div class="paragraph">
<p>Disabling the FortiLink interface to see whether that is enough:</p>
</div>
<div class="listingblock">
<div class="content">
<pre># config sys int
(interface) # edit fortilink
(fortilink) # set stat down
(fortilink) # end</pre>
</div>
</div>
<div class="paragraph">
<p>Checking again whether any references are left:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>FortiGate # diagnose sys cmdb refcnt show system.interface.name fortilink
FortiGate #</pre>
</div>
</div>
<div class="paragraph">
<p>The output is empty, so we retry <code>set opmode transparent</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>Cannot change to Transparent mode because this vdom contains managed switches and switchctl-vlans.
Please clear managed-switches, disable fortilink and retry.
node_check_object fail! for opmode transparent
Attribute 'opmode' value 'transparent' checking fail -7610
Command fail. Return code -7610</pre>
</div>
</div>
<div class="paragraph">
<p>No joy, so it seems we have to delete the FortiLink interface altogether (at least on a VM FortiGate):</p>
</div>
<div class="listingblock">
<div class="content">
<pre># config sys int
(interface) # del fortilink
(interface) # end
# config sys settings
(settings) # set opmode transparent
(settings) # set manageip 10.13.13.13/24
(settings) # end
Changing to TP mode</pre>
</div>
</div>
<div class="paragraph">
<p>Done.</p>
</div>
<div class="paragraph">
<p>BTW, to switch back to NAT mode you will HAVE to specify the management interface (<code>device</code>) and its <code>ip</code> in the same command, plus the default <code>gateway</code> if you need one (or just do <code>exe factoryreset</code> to wipe the whole config; the unit reboots in NAT mode):</p>
</div>
<div class="listingblock">
<div class="content">
<pre>config sys settings
set opmode nat
set device port1
set ip 10.13.13.1/24</pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="https://yurisk.info/2023/05/14/fortigate-cannot-delete-vdom-or-other-object-in-use-problem-solution/">Search cmdb for where the object is used</a></p>
</li>
<li>
<p><a href="https://community.fortinet.com/t5/FortiGate/Technical-Tip-Change-from-NAT-to-transparent-mode-when-FortiLink/ta-p/189485" target="_blank">Technical Tip: Change from NAT to transparent mode when FortiLink is enabled</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
</div>Fortinet-related blogs to read2024-01-21T19:35:25+00:002024-01-21T19:35:25+00:00Yuri Slobodyanyuktag:yurisk.info,2024-01-21:/2024/01/21/fortinet-related-blogs-to-read/<div class="sect1">
<h2 id="_blogs_and_other_resources_to_read_on_fortinet_products_fortigate_fortianalyzers_fortimanager_and_such">Blogs and other resources to read on Fortinet products - Fortigate, Fortianalyzers, Fortimanager and such</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Here are some Fortinet-related technical blogs I read. If you have additional blogs/sites to recommend - send me to add.</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="https://www.ultraviolet.network/blog" class="bare">https://www.ultraviolet.network/blog</a> Matt Sherif’s blog. Matt is a System Engineer at Fortinet and writes on Fortinet topics of intermediate-advanced level. He is also one of the moderators of the r/fortinet sub-Reddit.</p>
</li>
<li>
<p><a href="https://andrewtravis.com/category/fortinet/" class="bare">https://andrewtravis.com/category/fortinet/</a> Andrew Travis' blog. Andrew is a System Engineer at Fortinet US. It has topics on FortiExtender, SD-Wan, IOT, and other emerging technologies.</p>
</li>
<li>
<p><a href="https://infosecmonkey.com/" class="bare">https://infosecmonkey.com/</a> blog by Manny Fernandez - Sytem Engineer at Fortinet from US. The blog covers technical topics ranging from beginner up to advanced level.</p>
</li>
<li>
<p><a href="https://socpuppet.blogspot.com/" class="bare">https://socpuppet.blogspot.com/</a> Ken Felix blog on many topics, including Fortinet-related. Ken is also a long-time contributor on the community.fortinet.com forums.</p>
</li>
<li>
<p><a href="https://www.historiantech.com/" class="bare">https://www.historiantech.com/</a> Jonathan Torian’s blog with an impressive number of Fortinet-related articles, level intermediate-advanced</p>
</li>
<li>
<p><a href="https://ghost.reverside.ch/" class="bare">https://ghost.reverside.ch/</a> Interesting blog with articles not only on Fortigate, but Fortiweb/FortiAuthenticator/etc.</p>
</li>
<li>
<p><a href="https://blog.rdorman.net/tag/fortigate/" class="bare">https://blog.rdorman.net/tag/fortigate/</a> Ryan Dorman’s blog, with few posts Fortigate-related.</p>
</li>
<li>
<p><a href="https://travelingpacket.com/category/forti-products/" class="bare">https://travelingpacket.com/category/forti-products/</a> Few posts on Fortiauthenticator and FortiNAC</p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Send logs from non-Fortinet devices to Fortianalyzer via Syslog2024-01-09T09:35:25+00:002024-01-09T09:35:25+00:00Yuri Slobodyanyuktag:yurisk.info,2024-01-09:/2024/01/09/send-logs-to-fortianalyzer-via-syslog/<div class="sect1">
<h2 id="_can_we_send_logs_from_non_fortinet_devices_to_the_fortianalyzer">Can we send logs from non-Fortinet devices to the Fortianalyzer?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This question pops up from time to time and the short answer is yes, for sure - any device that can send its logs in syslog format (read any device of Enterprise level today), can also send the logs to Fortianalyzer …</p></div></div></div><div class="sect1">
<h2 id="_can_we_send_logs_from_non_fortinet_devices_to_the_fortianalyzer">Can we send logs from non-Fortinet devices to the Fortianalyzer?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This question pops up from time to time and the short answer is yes, for sure: any device that can send its logs in syslog format (read: any enterprise-grade device today) can also send them to Fortianalyzer. The long answer is yes, but …​ The <em>but</em> here is that Fortianalyzer does NOT parse such logs into fields. Fortianalyzer will accept such logs and store them, but from its point of view they are just large chunks of text. FAZ will not extract, say, source/destination IPs, usernames and the rest of the information, so reports and filters that rely on those fields cannot use them. We can still search such logs with wildcards. Starting with FAZ 7.4.0 Fortinet actually added a few custom parsers for Apache/Nginx/Windows logs, but no parsers for Cisco/Juniper etc. And given that Fortinet has the FortiSIEM product, which parses all kinds of devices even via syslog, it is unlikely that they would endanger FortiSIEM sales by adding this functionality to FAZ.</p>
</div>
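<div class="paragraph">
<p>What a non-Fortinet host actually puts on the wire is a plain syslog record. The script below is an added example, not part of the post or of FortiAnalyzer: it builds an RFC 5424 record and sends it over UDP to a collector. The collector address 192.0.2.10 is a placeholder and port 514/UDP is the syslog default, both assumptions. Since FAZ keeps the message part as opaque text, the only structure it will ever see is the header built here; the builder also strips CR/LF from the message so one call cannot smuggle a second record into the stream.</p>
</div>

```python
"""Send a log line to a syslog collector such as FortiAnalyzer.

Added example, not from the original post. Builds an RFC 5424 syslog
record and ships it over UDP; collector address and port are placeholders.
"""
import socket
from datetime import datetime, timezone

FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "authpriv": 10, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Fixed timestamp used in the demo so the output is reproducible (constructed).
EXAMPLE_TIME = datetime(2024, 1, 9, 9, 35, 25, tzinfo=timezone.utc)


def priority(facility, severity):
    """PRI value as defined by RFC 5424: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_record(facility, severity, hostname, app_name, message,
                 timestamp=None, msgid="-"):
    """Return an RFC 5424 record: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG.

    PROCID and STRUCTURED-DATA are sent as NILVALUE ('-'). CR/LF inside the
    message are replaced so the caller cannot forge a second record.
    """
    stamp = (timestamp or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    clean = message.replace("\r", " ").replace("\n", " ")
    header = f"<{priority(facility, severity)}>1 {stamp} {hostname} {app_name} - {msgid} -"
    return f"{header} {clean}".encode("utf-8")


def send_udp(record, collector="192.0.2.10", port=514):
    """Send one record to the collector; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(record, (collector, port))


if __name__ == "__main__":
    rec = build_record("auth", "notice", "web01", "sshd",
                       "Accepted publickey for deploy from 203.0.113.5 port 51234",
                       timestamp=EXAMPLE_TIME)
    print(rec.decode())
    try:
        send_udp(rec)
    except OSError as exc:  # no route to the placeholder collector
        print("not sent:", exc)
```

<div class="paragraph">
<p>On the FAZ side the host still has to be registered as a syslog device and the whole text after the header is what shows up in the log view; wildcard searches work on it, field filters do not.</p>
</div>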
<div class="paragraph">
<p>In the video below I show how to configure FAZ to accept logs from a Linux host via syslog, and how they look in FAZ.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/Fortianalyzer-collect-logs-via-syslog.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Collection of Fortigate Automation Stitches2023-11-27T14:55:25+00:002023-11-27T14:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2023-11-27:/2023/11/27/fortigate-automation-stitches-collection/<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_collection">Collection</a></li>
<li><a href="#_important_facts">Important facts</a></li>
<li><a href="#_all_about_email_alerts">All about email alerts</a></li>
<li><a href="#_debug">Debug</a></li>
<li><a href="#_automation_stitches_collection">Automation Stitches Collection</a></li>
</ul>
</div>
<div class="sect1">
<h2 id="_collection">Collection</h2>
<div class="sectionbody">
<div class="paragraph">
<p>I collected some Fortigate automation stitches I use in production systems to either alert me in real time on outstanding events, or run debug/maintenance action without manual intervention. The collection is here <a href="https://github.com/yuriskinfo/Fortinet-tools/tree/main/Fortigate-automation-stitches#automation-stitches-collection" class="bare">https://github …</a></p></div></div></div><div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_collection">Collection</a></li>
<li><a href="#_important_facts">Important facts</a></li>
<li><a href="#_all_about_email_alerts">All about email alerts</a></li>
<li><a href="#_debug">Debug</a></li>
<li><a href="#_automation_stitches_collection">Automation Stitches Collection</a></li>
</ul>
</div>
<div class="sect1">
<h2 id="_collection">Collection</h2>
<div class="sectionbody">
<div class="paragraph">
<p>I collected some Fortigate automation stitches I use in production systems to either alert me in real time on outstanding events, or run debug/maintenance action without manual intervention. The collection is here <a href="https://github.com/yuriskinfo/Fortinet-tools/tree/main/Fortigate-automation-stitches#automation-stitches-collection" class="bare">https://github.com/yuriskinfo/Fortinet-tools/tree/main/Fortigate-automation-stitches#automation-stitches-collection</a></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_important_facts">Important facts</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p>If you have VDOMs enabled, you will find the Automation Stitches GUI menu
under the <em>Global</em> section.</p>
</li>
<li>
<p>When VDOMs are enabled, any connection from the Fortigate to external hosts (e.g. auto-backup of the configuration to an external server) is sourced from
the <em>administrative</em> VDOM (usually <code>root</code>), with the source IP chosen by its routing table. It means you need
security rules in the <em>admin</em> VDOM that allow such communication.</p>
</li>
<li>
<p>When using email as alert action, make sure you have configured mail server
to relay these alerts. On CLI it is in <code>config sys email-server</code>, and in GUI it
is in the System → Settings.</p>
</li>
<li>
<p>It is recommended to configure PTR record for the sending IP of the Fortigate,
as well as SPF record in the domain you’re sending from, to prevent mails being
marked as spam.</p>
</li>
<li>
<p>Trigger <em>Field Conditions</em> match either exact values or wildcards: no regex, no
ranges for numeric values. There is also no partial match, so you cannot match the string <em>"Interface
down"</em> with the word <em>"down"</em>, unless you use the wildcard <code>*down*</code>.</p>
</li>
<li>
<p>Bugs are always possible, e.g. for the built-in stitch <em>Reboot</em>, even though
it works and fires, the <em>trigger count</em> stays 0.</p>
</li>
<li>
<p>These types of stitches have <em>Test automation stitch</em> grayed out:</p>
<div class="ulist">
<ul>
<li>
<p>Event Log based.</p>
</li>
<li>
<p>Configuration change.</p>
</li>
<li>
<p>Reboot.</p>
</li>
<li>
<p>License expiration.</p>
</li>
<li>
<p>HA failover.</p>
</li>
<li>
<p>Scheduled.</p>
</li>
</ul>
</div>
</li>
<li>
<p>For scheduled triggers make sure Fortigate has reliable time source, like NTP.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_all_about_email_alerts">All about email alerts</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p>With VDOMs enabled, the email is sent from the <em>administrative</em> VDOM (usually
<em>root</em>) with the source IP defined by the routing table.</p>
</li>
<li>
<p>All the fields you see in the Fortigate <strong>raw log</strong> are available to be included in the email message.</p>
</li>
<li>
<p>When sending an email as action, based on log events, the body will contain the complete log
(<code>%%log%%</code>) by default, no need to do anything for that. But, if you do NOT want to include
log, for privacy reasons, set the <code>message</code> parameter to anything else:</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config sys automation-action
edit "EmailWithoutBody"
set action-type email
set email-to "admin@yurisk.info"
set email-from "fgt@yurisk.info"
set email-subject "The stitch has fired"
set message "This text replaces the full log in the body."
next
end</pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Use a specific log field surrounded with double <code>%</code> to include it in the message when the trigger is a FortiOS Log Event. E.g. to include the username of the admin that logged in in the subject, and the source IP and <em>time</em> in the message body:</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config sys automation-action
edit ""AdminLoggedIn"
set action-type email
set email-to "admin@yurisk.info"
set email-from "fgt@yurisk.info"
set email-subject "Admin user %%user%% logged in"
set message "Source IP: %%srcip%%
Time: %%time%%"
next
end</pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>There is a special variable <code>%%results%%</code> that we can use in the Actions; it is replaced with the output of the previously run action. E.g. you can create a 2-step stitch: the 1st action runs some CLI debug on the Fortigate, the 2nd action sends the debug output by email, see the example here: <a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/fortiguard-servers-unreachable-email-alert.adoc">Send email alert on FortiGuard servers becoming unreachable and attach debug output</a>. Be aware that the email will include any sensitive information that appears in that CLI output.</p>
</li>
<li>
<p>The email body is limited to 16 KBytes; the limit may differ by model.</p>
</li>
<li>
<p>The email server for sending alerts is configured under System → Settings, or on the CLI. The MAIL FROM address is taken from <code>reply-to</code> unless the stitch action sets its own <code>email-from</code>:</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config system email-server
set reply-to "fgt@yurisk.info"
set server "192.0.0.1"
set authenticate enable
set username "secret@yurisk.info"
set password s$cr$t
end</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_debug">Debug</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><strong>diag test app autod 2</strong> Show all enabled stitches with their settings.</p>
</li>
<li>
<p><strong>diag test app autod 3</strong> Show statistics for all enabled stitches, including numbers run (<em>hit</em>).</p>
</li>
<li>
<p>Email sending debug: <strong>dia debug app alertmail -1</strong>. This will show the whole mail sending session.</p>
</li>
<li>
<p>A reboot resets the stitch statistics to zero.</p>
</li>
<li>
<p>Some stitches have a right click → <em>Test automation stitch</em> menu so that you can
trigger the stitch to see if it works. The CLI analog is <strong>diagnose automation test &lt;stitch name&gt; &lt;log if needed&gt;</strong>.</p>
</li>
<li>
<p>Live debug:</p>
<div class="ulist">
<ul>
<li>
<p><strong>diag debug reset</strong> To reset any previous debug, just in case.</p>
</li>
<li>
<p><strong>diag test app autod 1</strong> Enable automation stitches logging.</p>
</li>
<li>
<p><strong>diag debug cli 7</strong> Show stitches' running log on the CLI.</p>
</li>
<li>
<p><strong>diag debug enable</strong> Enable debug.</p>
</li>
<li>
<p>right click → <em>Test automation stitch</em> menu or <strong>diagnose automation test &lt;stitch name&gt; &lt;log if needed&gt;</strong>.</p>
</li>
</ul>
</div>
</li>
<li>
<p>Log-based stitches have the <em>Test automation stitch</em> menu grayed out, and we
can only trigger them for testing by feeding a real log line on the CLI. Note this
also inserts that log into the Fortigate logs as if the event really happened. Example
of such a log supplied on the CLI; pay attention to every quote <code>"</code> being escaped, and the
log must be a single line (it is wrapped here only for readability):</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>diagnose automation test VPNTunnelUp "date=2023-02-23 time=09:27:43
eventtime=1677144463207296135 tz=\"+0000\" logid=\"0101039947\" type=\"event\"
subtype=\"vpn\" level=\"information\" vd=\"root\" logdesc=\"SSL VPN tunnel up\"
action=\"tunnel-up\" tunneltype=\"ssl-tunnel\" tunnelid=418623311
remip=185.242.6.3 tunnelip=172.19.12.1 user=\"vpnlocal\" group=\"vpnsslgrp\"
dst_host=\"N/A\" reason=\"tunnel established\" msg=\"SSL tunnel established\""</pre>
</div>
</div>
<div class="paragraph">
<p>See for the full example: <a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/ssl-vpn-user-login-successful-from-specific-ip-alert-by-email.adoc">SSL VPN tunnel up with condition of remote IP address</a></p>
</div>
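<div class="paragraph">
<p>To get a feel for how a Field Condition, a <code>%%field%%</code> template and the escaped test log fit together before touching a production box, the script below re-implements those three behaviours offline. It is an added example, not code from the post or from FortiOS: it parses a constructed log line modelled on the SSL VPN tunnel-up event above, matches it against conditions using exact values or <code>*</code> wildcards only, fills in <code>%%user%%</code>-style placeholders and <code>%%log%%</code>, and builds the single-line <code>diagnose automation test</code> command with the quotes escaped. Case-sensitive matching and leaving unknown placeholders untouched are assumptions made here.</p>
</div>

```python
"""Offline model of automation-stitch log matching and message templating.

Added example, not from the original post or from FortiOS. Re-implements:
  1. parsing a FortiOS key=value log line into fields,
  2. Field Condition matching with exact values or '*' wildcards only
     (no regex, no numeric ranges, no partial match),
  3. %%field%% / %%log%% substitution in an email subject or body,
  4. building the escaped single-line 'diagnose automation test' command.
Case-sensitive matching is an assumption of this example.
"""
import re
import shlex

# Constructed sample log line, modelled on the SSL VPN tunnel-up event in the post.
SAMPLE_LOG = (
    'date=2023-02-23 time=09:27:43 logid="0101039947" type="event" subtype="vpn" '
    'level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" '
    'remip=185.242.6.3 tunnelip=172.19.12.1 user="vpnlocal" group="vpnsslgrp" '
    'msg="SSL tunnel established"'
)


def parse_log(line):
    """Split a FortiOS log line into a {field: value} dict.

    shlex keeps double-quoted values with spaces together, e.g.
    logdesc="SSL VPN tunnel up" becomes one token.
    """
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def wildcard_to_regex(pattern):
    """Translate a Field Condition value: '*' is the only metacharacter."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def condition_matches(fields, conditions):
    """True only if every condition matches its field in full (no partial match)."""
    for key, pattern in conditions.items():
        value = fields.get(key)
        if value is None or re.fullmatch(wildcard_to_regex(pattern), value) is None:
            return False
    return True


def render_template(template, fields, raw_log):
    """Replace %%name%% with the field value; %%log%% is the whole raw line."""
    def substitute(match):
        name = match.group(1)
        if name == "log":
            return raw_log
        return fields.get(name, match.group(0))  # unknown names left as-is (assumption)
    return re.sub(r"%%(\w+)%%", substitute, template)


def diag_test_command(stitch_name, raw_log):
    """Build the CLI test command: log on one line, every double quote escaped."""
    one_line = " ".join(raw_log.splitlines())
    escaped = one_line.replace('"', '\\"')
    return f'diagnose automation test {stitch_name} "{escaped}"'


if __name__ == "__main__":
    fields = parse_log(SAMPLE_LOG)
    # The post's scenario: alert only when the tunnel comes up from a given remote IP.
    print(condition_matches(fields, {"logdesc": "SSL VPN tunnel up", "remip": "185.242.6.*"}))
    print(condition_matches(fields, {"logdesc": "up"}))   # no partial match
    print(render_template("SSL VPN user %%user%% from %%remip%% at %%time%%", fields, SAMPLE_LOG))
    print(diag_test_command("VPNTunnelUp", SAMPLE_LOG))
```

<div class="paragraph">
<p>Keep the quoting rule in mind when generating test commands from stored logs: a raw line copied from FortiAnalyzer still contains its own double quotes, and an unescaped one silently truncates the log the stitch sees.</p>
</div>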
</div>
</div>
<div class="sect1">
<h2 id="_automation_stitches_collection">Automation Stitches Collection</h2>
<div class="sectionbody">
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/admin-level-user-logged-in-email-alert.adoc">Send email alert on successful admin-level user log in.</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/admin-level-user-was-created.adoc">Send email on admin-level user being created/added</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/admin-level-user-password-changed-email-alert.adoc">Send email on admin-level user password change</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/backup-config-on-change.adoc">Back up configuration when changed to external server via SFTP</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/backup-config-daily-to-external-server.adoc">Back up configuration daily to external server via SFTP</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/certificate-is-about-to-expire-warning-email-alert.adoc">Local TLS Certificate is about to expire email alert</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/configuration-changed-by-admin-email-alert.adoc">Send alert on Fortigate configuration changed by administrator without details</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/configuration-changed-by-admin-with-changes-email-alert.adoc">Send alert on Fortigate configuration changed by administrator with details</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/conserve-mode-on-email-alert.adoc">email alert on Fortigate entering conserve mode</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/fortiguard-servers-unreachable-email-alert-with-vdoms.adoc">Send email alert on FortiGuard servers becoming unreachable and attach debug output (with VDOMs)</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/fortiguard-servers-unreachable-email-alert.adoc">Send email alert on FortiGuard servers becoming unreachable and attach debug output (without VDOMs)</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/high-cpu-usage-email-alert.adoc">Send an email alert when CPU usage reaches the threshold</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/interface-went-down-email-alert.adoc">Any of Fortigate interfaces goes down, send an email alert</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/interface-went-up-email-alert.adoc">Any of Fortigate interfaces goes up, send an email alert</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/reboot-email-alert.adoc">Fortigate undergoing a reboot email alert</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/restart-ips-process-daily.adoc">Restart IPS process daily </a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/restart-wad-process-daily.adoc">Restart WAD process daily </a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/schedule-daily-reboot.adoc">Schedule daily reboot of Fortigate</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/schedule-reboot-once.adoc">Schedule reboot of Fortigate one time</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/schedule-weekly-reboot.adoc">Schedule weekly reboot of Fortigate</a></p>
</div>
<div class="paragraph">
<p><a href="https://github.com/yuriskinfo/Fortinet-tools/blob/main/Fortigate-automation-stitches/specific-interface-went-down-email-alert.adoc">When only a given interface goes down, send an email alert</a></p>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>My networks talk to a prisoner, help.2023-11-06T14:55:25+00:002023-11-06T14:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2023-11-06:/2023/11/06/dns-requests-to-the-risoner/<div class="paragraph">
<p><strong>Help, my networks talk to a prisoner</strong>. This was a funny one: a client saw lots of
DNS queries passing the Fortigate addressed to prisoner.iana.org and was
worried what this was about. No worry, it just means (misconfigured) clients in
the LAN are trying to resolve PTR records for private RFC 1918 IPs
(192.168.0.0/16, 10.0.0.0/8 etc.) on the Internet. The IANA servers prisoner.iana.org,
blackhole-1.iana.org and blackhole-2.iana.org are registered as authoritative for those reverse
zones (10.in-addr.arpa and the rest) precisely to absorb all such junk coming to them from around the globe.
The queries are harmless to the client, but they do leak internal addressing to the Internet;
the fix is to make the local resolver authoritative for these reverse zones (see RFC 6303)
so the queries never leave the LAN.</p>
</div>
<div class="paragraph">
<p>More details can be read in RFC 6305,
titled "I’m Being Attacked by PRISONER.IANA.ORG!" <a href="https://datatracker.ietf.org/doc/html/rfc6305.html" class="bare">https://datatracker.ietf.org/doc/html/rfc6305.html</a>. Another case of
"It is easy to be hard, it is harder to be smart": IANA could try forever to explain to
network admins that they should stop such traffic going to the Internet, or …​ they could
just route this junk to junk DNS servers and be done with it.
Stay safe.</p>
</div>
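<div class="paragraph">
<p>Finding the offending clients in the logs is a one-off script. The one below is an added example, not part of the post: it runs over a few constructed DNS log lines (loosely modelled on FortiGate DNS log fields, not real output), turns each PTR name such as <code>13.1.168.192.in-addr.arpa</code> back into an address, and flags queries for the reverse zones that RFC 1918 and RFC 6303 say should be answered locally. The AS112 sink addresses are the ones published in RFC 6305; the log field names and sample values are assumptions.</p>
</div>

```python
"""Spot PTR lookups for private addresses that leak to the Internet.

Added example, not from the original post. Detection logic over constructed
DNS log lines: reverse the in-addr.arpa / ip6.arpa name back to an address
and check whether it falls in a zone a LAN resolver should serve itself.
"""
import ipaddress
import re

# AS112 sinks named in RFC 6305: prisoner.iana.org, blackhole-1 and blackhole-2.
AS112_SERVERS = {"192.175.48.1", "192.175.48.6", "192.175.48.42"}

# Reverse zones to answer locally: RFC 1918 plus link-local and IPv6 ULA (RFC 6303).
LOCAL_ZONES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]

# Constructed sample log lines (not real FortiGate output).
SAMPLE_LOGS = [
    'srcip=192.168.1.50 dstip=192.175.48.1 qname="13.1.168.192.in-addr.arpa" qtype="PTR"',
    'srcip=192.168.1.51 dstip=1.1.1.1 qname="www.example.com" qtype="A"',
    'srcip=192.168.1.52 dstip=1.1.1.1 qname="8.8.8.8.in-addr.arpa" qtype="PTR"',
    'srcip=10.0.0.7 dstip=192.175.48.6 qname="5.0.16.172.in-addr.arpa" qtype="PTR"',
]

# Reverse name for a ULA address, generated by the standard library for the demo.
ULA_SAMPLE_PTR = ipaddress.ip_address("fd00::1").reverse_pointer

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(line):
    """key=value log line -> dict, with surrounding double quotes removed."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def ptr_to_ip(qname):
    """Turn an in-addr.arpa / ip6.arpa name back into an address, or None."""
    name = qname.rstrip(".").lower()
    try:
        if name.endswith(".in-addr.arpa"):
            octets = name[: -len(".in-addr.arpa")].split(".")
            if len(octets) != 4:
                return None
            return ipaddress.ip_address(".".join(reversed(octets)))
        if name.endswith(".ip6.arpa"):
            nibbles = name[: -len(".ip6.arpa")].split(".")
            if len(nibbles) != 32:
                return None
            hexstr = "".join(reversed(nibbles))
            return ipaddress.ip_address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:
        return None
    return None


def is_locally_served(ip):
    """True if the address belongs to a zone the LAN resolver should answer itself."""
    return any(ip in zone for zone in LOCAL_ZONES)


def find_leaks(lines):
    """Return (client, reversed address, resolver asked, hit AS112?) per leaking query."""
    leaks = []
    for line in lines:
        fields = parse_fields(line)
        if fields.get("qtype") != "PTR":
            continue
        ip = ptr_to_ip(fields.get("qname", ""))
        if ip is not None and is_locally_served(ip):
            dst = fields.get("dstip", "")
            leaks.append((fields.get("srcip", ""), str(ip), dst, dst in AS112_SERVERS))
    return leaks


if __name__ == "__main__":
    for client, address, resolver, sink in find_leaks(SAMPLE_LOGS):
        where = "an AS112 sink" if sink else "a public resolver"
        print(f"{client} asked {resolver} ({where}) for the PTR of private {address}")
```

<div class="paragraph">
<p>The source IPs it prints are the hosts to fix; the usual root causes are a client pointed straight at a public resolver, or an internal resolver that forwards everything instead of serving the RFC 1918 reverse zones itself.</p>
</div>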
<div class="imageblock">
<div class="content">
<img src="/assets/prisoner-DNS.png" alt="Screenshot of Fortigate logs showing DNS queries to the server named prisoner.iana.org">
</div>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>sFlow in Fortigate disables Hardware Acceleration2023-09-12T15:45:25+00:002023-09-12T15:45:25+00:00Yuri Slobodyanyuktag:yurisk.info,2023-09-12:/2023/09/12/sflow-in-fortigate-disables-hardware-acceleration/<div class="sect1">
<h2 id="_do_not_use_sflow_in_fortigate_use_netflow_instead">Do not use sFlow in Fortigate - use Netflow instead</h2>
<div class="sectionbody">
<div class="paragraph">
<p>I was approached last month by 2 unrelated Fortigate admins with the same
problem - slow performance of otherwise very beafy Fortigate models. After some
digging in the configuration the culprit was found - there was enabled on WAN
interface <em>sFlow</em>. <code>sflow</code> collects …</p></div></div></div><div class="sect1">
<h2 id="_do_not_use_sflow_in_fortigate_use_netflow_instead">Do not use sFlow in Fortigate - use Netflow instead</h2>
<div class="sectionbody">
<div class="paragraph">
<p>I was approached last month by 2 unrelated Fortigate admins with the same
problem: slow performance of otherwise very beefy Fortigate models. After some
digging in the configuration the culprit was found: <em>sFlow</em> was enabled on the WAN
interface. <code>sFlow</code> collects statistics on passing traffic by sampling packets and sends them to an
external collector, which is what everybody nowadays does with NetFlow. Back in the day
<code>sFlow</code> was the first available and quite popular, but …​ that was the late 90s.
It grew out of HP's network monitoring work, was published as RFC 3176 in 2001, and HP has
shipped it on its switches ever since.
Fortinet introduced <code>sFlow</code> in FortiOS 4; I even wrote a post about it,
<a href="https://yurisk.info/2010/10/14/do-not-miss-the-long-awaited-addition-to-the-fortigate-4-mr2-sflow-data-export/">Do not miss the long awaited addition to the Fortigate 4 MR2 – sFlow data export</a>,
in 2010. The problem with <code>sFlow</code> is that on Fortigate models
with a Network Processor (NP) acceleration chip, enabling it disables hardware offloading
for the traffic on the interfaces it was enabled on, so that traffic is handled by the CPU instead.
Not good, at all.</p>
</div>
<div class="paragraph">
<p>So, the takeaway - use Netflow if you need to, not <code>sFlow</code>.</p>
</div>
<div class="paragraph">
<p>The graph below shows that 100% of network traffic is being processed by the CPU instead
of the NP ASIC, which lowers network performance (the graph does NOT show how loaded the
CPU itself is, fortunately):</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/sflow-disables-hardware-acceleration.jpeg" alt="graph shows with sFlow enabled all traffic is being processed by CPU" width="not NP">
</div>
</div>
<div class="paragraph">
<p>The official Fortinet docs say just that:
<a href="https://docs.fortinet.com/document/fortigate/7.4.1/hardware-acceleration/631057/sflow-and-netflow-and-hardware-acceleration">sFlow and NetFlow and hardware acceleration</a></p>
</div>
<div class="ulist">
<ul>
<li>
<p>If you troubleshoot Fortigate and other gear in your work, make sure to clone my <a href="https://github.com/yuriskinfo/cheat-sheets/tree/master">Fortigate and other vendors' debug commands cheat sheets</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Fortinet products Fortigate Fortiweb Fortimail and others online demo access details2023-08-01T09:55:25+00:002023-08-01T09:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2023-08-01:/2023/08/01/fortinet-products-fortigate-fortiweb-fortimail-and-others-online-demo-access-details/<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>Be it to learn the interface or to prepare for the NSE 5, 6, 7 exams, having
access to a real device is the best way to retain the information. Fortinet
makes online access to all of their products available for demo purposes, free of
charge. Unless mentioned otherwise, the user/pass combo is <strong>demo/demo</strong>.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
Fortinet changes the passwords from time to time - in that case, you can
request updated credentials for free at
<a href="https://www.fortinet.com/demo-center/" class="bare">https://www.fortinet.com/demo-center/</a>. You will get the up-to-date password
instantly to the email you specify. No phone/email verification is required.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p><a href="https://fortigate.fortidemo.com/" class="bare">https://fortigate.fortidemo.com/</a> Fortigate</p>
</div>
<div class="paragraph">
<p><a href="https://fortianalyzer.fortidemo.com" class="bare">https://fortianalyzer.fortidemo.com</a> FortiAnalyzer</p>
</div>
<div class="paragraph">
<p><a href="https://fortimail.fortidemo.com/admin/" class="bare">https://fortimail.fortidemo.com/admin/</a> FortiMail as Gateway</p>
</div>
<div class="paragraph">
<p><a href="https://fortimail-srv.fortidemo.com/admin/Admin.html" class="bare">https://fortimail-srv.fortidemo.com/admin/Admin.html</a> FortiMail as Server</p>
</div>
<div class="paragraph">
<p><a href="https://fortiweb.fortidemo.com/" class="bare">https://fortiweb.fortidemo.com/</a> Fortiweb</p>
</div>
<div class="paragraph">
<p><a href="https://fortiadc.fortidemo.com/" class="bare">https://fortiadc.fortidemo.com/</a> FortiADC</p>
</div>
<div class="paragraph">
<p><a href="https://fortiauthenticator.fortidemo.com/" class="bare">https://fortiauthenticator.fortidemo.com/</a> FortiAuthenticator (user/pass:
<strong>demo/demo1234$</strong>)</p>
</div>
<div class="paragraph">
<p>BTW, these devices are not really "demo" ones, but actual, properly licensed
physical/virtual appliances. The only restriction is that the <em>demo</em> user is
read-only.</p>
</div>
<div class="paragraph">
<p>Example, Fortiweb demo:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-fortinet-demo-fortiweb.png" alt="Fortiweb demo screenshot">
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_resources">Resources</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc">Fortigate diagnose and debug cheat sheet</a></p>
</li>
<li>
<p><a href="https://yurisk.info/2023/03/21/fortigate-vpn-ssl-hardening-guide/">SSL VPN Hardening Guide</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Transfer FortiTokens Mobile (FTM) between Fortigates - visual guide.2023-08-01T09:55:25+00:002023-08-01T09:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2023-08-01:/2023/08/01/transfer-mobile-fortitokens-between-fortigates-how-to-guide/<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_introduction">Introduction</a></li>
<li><a href="#_steps_in_transferring_the_tokens">Steps in transferring the tokens</a></li>
<li><a href="#_steps_in_transferring_the_tokens_with_screenshots">Steps in transferring the tokens with screenshots</a>
<ul class="sectlevel2">
<li><a href="#_open_a_ticket_to_the_customer_service">Open a ticket to the Customer Service</a></li>
<li><a href="#_once_cs_in_the_ticket_confirm_the_license_was_transferred">Once CS in the ticket confirm the license was transferred</a></li>
</ul>
</li>
<li><a href="#_debug">Debug</a></li>
<li><a href="#_resources">Resources</a></li>
</ul>
</div>
<div class="sect1">
<h2 id="_introduction">Introduction</h2>
<div class="sectionbody">
<div class="paragraph">
<p>You may need to transfer Mobile FortiTokens from a failed Fortigate that you
RMAed and replaced with a new one. Or for any other reason - FortiToken Mobile (FTM)
is a permanent purchase, and you can do with the license whatever you wish.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
I am talking about <strong>mobile</strong> FortiTokens only in this guide, not hardware ones. You can
transfer hardware tokens as well, but the procedure will be a bit different.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>Few facts to know beforehand:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>You actually transfer the license for FTMs, not specific/individual tokens. This means you cannot transfer partial list of tokens. If you bought the 50 FTMs license, you will have to transfer this license along with all the 50 tokens as well.</p>
</li>
<li>
<p>Licenses for FTMs are permanent and are not tied contractually to a specific Fortigate. This means it is OK to transfer/move FTM license as you see fit.</p>
</li>
<li>
<p>Down time - yes, there will be down time for the users with FTMs assigned,
unless you temporarily disable MFA for them. When Fortinet transfers the
license, the FTMs on the current/old Fortigate will eventually stop working.
There is no official info on after how much time. From my subjective experience,
FTMs on the old FGT worked for at least a day after the CS ticket was updated
that the license was transferred out of it. Still, you have to delete the FTMs on
the original FGT before creating them on the destination FGT. I, personally,
wouldn’t count on using the same FTM license on both FGTs simultaneously.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_steps_in_transferring_the_tokens">Steps in transferring the tokens</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The process is simple:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Open a ticket with <strong>Customer Service</strong> at support.fortinet.com, in which you ask
Fortinet to transfer the tokens from the current Fortigate (give its serial number)
to the new Fortigate (give its serial number as well). Also specify the
SKU-ID of the FTM license.</p>
</li>
<li>
<p>Once the ticket is updated that transfer was done, you will get to your
email the PDF file(s) containing <em>Activation Code</em> - just a 20-character
string to be entered on the new Fortigate.</p>
</li>
<li>
<p>Delete FortiTokens from the configuration on the old FGT, if available. Now you
can re-create tokens on the destination Fortigate using the Activation Code.</p>
</li>
</ol>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_steps_in_transferring_the_tokens_with_screenshots">Steps in transferring the tokens with screenshots</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Now, the aforementioned process in pictures.</p>
</div>
<div class="sect2">
<h3 id="_open_a_ticket_to_the_customer_service">Open a ticket to the Customer Service</h3>
<div class="paragraph">
<p>When talking about the <strong>mobile</strong> Fortitokens, we only need one ticket with CS,
<strong>not</strong> Support. If you are transferring the <strong>hardware</strong> tokens, not shown in this
guide, you need to open the ticket with the Technical Support.</p>
</div>
<div class="paragraph">
<p>Here, I open a ticket using the serial number of the current Fortigate where the
FTMs are assigned:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-transfer-fortitokens-between-fortigates1.png" alt="x transfer fortitokens between fortigates1">
</div>
</div>
<div class="paragraph">
<p>The type of ticket is <em>License Transfer</em>:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-transfer-fortitokens-between-fortigates2.png" alt="x transfer fortitokens between fortigates2">
</div>
</div>
<div class="paragraph">
<p>In the ticket, I write something along the lines of <em>We’d like to transfer FTMs from
Fortigate serial FGTxxxxxxx to the Fortigate serial FGTYYYYYY, the list of
tokens is attached.</em> Fortinet CS basically only needs to transfer the license;
they do not transfer, nor care about, individual tokens. But to have this
documented, I always attach, when available, the output of the command <strong>show user
fortitoken</strong> as a text file. The command output will look like:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-transfer-fortitokens-between-fortigates4.png" alt="x transfer fortitokens between fortigates4">
</div>
</div>
<div class="paragraph">
<p>Again - if transferring FTMs from the failed unit, you may not have this info,
then the license id (the one shown in the picture above starting with <code>EFTM</code>), or as Fortinet call it - <strong>SKU-ID</strong>, will suffice.</p>
</div>
<div class="paragraph">
<p>Also, if you are transferring a single license from FGT that has multiple FTM
licenses, make sure to transfer/delete only Fortitokens belonging to this specific
license.</p>
</div>
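<div class="paragraph">
<p>Separating the tokens of one license from the rest is easy to get wrong by hand on a box with several FTM licenses. The added example below (my addition, not code from Fortinet) groups the entries of <strong>show user fortitoken</strong> by their <code>license</code> value and builds the list to attach to the ticket. The output it parses is a constructed stand-in, and its layout (<code>edit "&lt;token serial&gt;"</code> with a <code>set license "EFTM…"</code> line) is an assumption about the command’s format, so adjust the patterns if your FortiOS prints it differently.</p>
</div>

```python
"""Split the FortiToken Mobile entries of a Fortigate by license (SKU-ID), so the
list attached to the CS ticket, and the tokens deleted on the old unit, cover
exactly one license and nothing else.

Added example, not code from the original post. SAMPLE_SHOW_USER_FORTITOKEN is a
constructed stand-in for 'show user fortitoken' output; its layout is an
assumption about the command's format."""
import re

SAMPLE_SHOW_USER_FORTITOKEN = """\
config user fortitoken
    edit "FTKMOB0000000001"
        set status active
        set license "EFTM0000000001"
    next
    edit "FTKMOB0000000002"
        set license "EFTM0000000001"
    next
    edit "FTKMOB0000000003"
        set status active
        set license "EFTM0000000002"
    next
    edit "FTK200000000004"
        set status active
    next
end
"""

_EDIT_RE = re.compile(r'^\s*edit "([^"]+)"\n(.*?)^\s*next\n', re.S | re.M)
_SET_RE = re.compile(r'^\s*set (\S+) (.+)$', re.M)


def parse_fortitokens(show_output):
    """Return {token_serial: {setting: value}} from 'show user fortitoken' output."""
    tokens = {}
    for serial, body in _EDIT_RE.findall(show_output):
        tokens[serial] = {k: v.strip('"') for k, v in _SET_RE.findall(body)}
    return tokens


def tokens_by_license(show_output):
    """Group token serials by their 'license' (SKU-ID). Entries without a license
    line (for instance hardware tokens, which are not part of an FTM license)
    land under the key None."""
    groups = {}
    for serial, settings in parse_fortitokens(show_output).items():
        groups.setdefault(settings.get("license"), []).append(serial)
    return groups


def ticket_attachment(show_output, sku_id):
    """Text to attach to the License Transfer ticket: one line per token of the
    given SKU-ID plus the count, so CS and you agree on what moves."""
    serials = tokens_by_license(show_output).get(sku_id, [])
    lines = [f"FTM license {sku_id}: {len(serials)} token(s) to transfer"]
    lines += [f"  {s}" for s in serials]
    return "\n".join(lines)


if __name__ == "__main__":
    for sku, serials in tokens_by_license(SAMPLE_SHOW_USER_FORTITOKEN).items():
        print(sku or "(no license)", "->", ", ".join(serials))
    print(ticket_attachment(SAMPLE_SHOW_USER_FORTITOKEN, "EFTM0000000001"))
```

<div class="paragraph">
<p>The same grouping tells you which <code>edit</code> entries to delete on the old unit once CS confirms the transfer: only those under the transferred SKU-ID, leaving the other licenses and any hardware tokens untouched.</p>
</div>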
</div>
<div class="sect2">
<h3 id="_once_cs_in_the_ticket_confirm_the_license_was_transferred">Once CS in the ticket confirm the license was transferred</h3>
<div class="paragraph">
<p>If the original Fortigate is still online, remove MFA authentication from users
that have the FTMs-to-be-transferred, then delete Fortitokens themselves.</p>
</div>
<div class="paragraph">
<p>Fortinet CS will attach to the ticket a PDF file for each transferred license
(you may ask to transfer multiple FTM licenses from the same FGT in the same
ticket if needed). The file name will be the license’s SKU ID <em>EFTXXXXXX</em>.pdf.
You will find inside it the <strong>Activation Code</strong> to be entered in the destination
Fortigate. The PDF will look like:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-transfer-fortitokens-between-fortigates5.png" alt="x transfer fortitokens between fortigates5">
</div>
</div>
<div class="paragraph">
<p>You then take this Activation Code, and use it in the destination Fortigate like
that:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-transfer-fortitokens-between-fortigates7.png" alt="x transfer fortitokens between fortigates7">
</div>
</div>
<div class="paragraph">
<p>After saving, this Fortigate will have new, unassigned and not yet activated
FortiTokens Mobile, as many as the license allows. In my example, the license was for
50 FTMs, so 50 FortiTokens were created.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-transfer-fortitokens-between-fortigates9.png" alt="x transfer fortitokens between fortigates9">
</div>
</div>
<div class="paragraph">
<p>What is left is to assign these tokens to users; they will receive the usual activation email,
and all is ready to go.</p>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_debug">Debug</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To see FTM license verification against FortiGuard servers happening in real time, the debug commands will
be (208.91.113.53 is the IP of the FortiGuard server against which FTM licenses are
being checked):</p>
</div>
<div class="paragraph">
<p><strong>diagnose sniffer packet any "host 208.91.113.53 and port 443" 4 0 a</strong></p>
</div>
<div class="paragraph">
<p><strong>diag debug app forticldd -1</strong></p>
</div>
<div class="paragraph">
<p><strong>diag debug app alert -1</strong></p>
</div>
<div class="paragraph">
<p><strong>diag fortitoken debug enable</strong></p>
</div>
<div class="paragraph">
<p><strong>diag debug enable</strong></p>
</div>
<div class="paragraph">
<p><strong>execute fortitoken-mobile import <<em>put-activation-code-here</em>></strong></p>
</div>
<div class="paragraph">
<p>In the example below, I put intentionally a bad Activation Code
<em>BADLICBADLICXXX</em> (I sanitized Fortigate serial number with <code>FGXXXXXXX</code>):</p>
</div>
<div class="listingblock">
<div class="content">
<pre>diagnose sniffer packet any "host 208.91.113.53 and port 443" 4 0 a
diag debug app forticldd -1
diag debug app alert -1
diag fortitoken debug enable
diag debug enable
execute fortitoken-mobile import BADLICBADLICXXX
ftm_cfg_import_license[321]:import license BADLICBADLICXXX
ftm_fc_comm_connect[55]:ftm TCPS connected.ftm_fc_comm_send_request[117]:send
packet success.
POST /SoftToken/Provisioning.asmx/Process HTTP/1.1
Accept: application/json, text/javascript, */*, q=0.01
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
Trident/5.0)
Host: 208.91.113.53:443
Content-Length: 297
Connection: Keep-Alive
Cache-Control: no-cache
{ "d": { "__type": "SoftToken.ActivationLicenseRequest", "__version": "4",
"license_activation_code": " BADLICBADLICXXX ", "serial_number": "FGXXXXXXX",
"__device_version": "7.0", "__device_build": "0523", "__clustered_sns": [ {
"sn": " FGXXXXXXX " }, { "sn": " FGXXXXXXX " } ] } }
ftm_fc_comm_recv_response[266]:receive packet success.
{"d":{"__type":"SoftToken.ActivationLicenseResponse","__version":"4"
,"serial_number":" FGXXXXXXX","__device_version":"7.0","__device_build":"0523",
"__clustered_sns":[{"sn":" FGXXXXXXX ","error":null},{"sn":"FGXXXXXX","error":
null}],"license_activation_code":" BADLICBADLICXXX ","license":"","tokens":null,
"result":0,"error":{"error_code":16,"error_message":"forticare license activation code invalid"}}}
ftm_fc_command[615]:received error from forticare [-7566]
import fortitoken license error: -7566</pre>
</div>
</div>
<div class="paragraph">
<p>As you can see, the debug clearly shows the reason - <em>forticare
license activation code invalid</em>.</p>
</div>
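<div class="paragraph">
<p>The debug above is verbose, and the useful part is the JSON that FortiGuard returns. Note that the failed import still reports <code>"result":0</code>; the failure is only in the <code>error</code> object, so that is what has to be checked. The added example below (my addition, not Fortinet code) pulls the request and response objects out of a saved <code>execute fortitoken-mobile import</code> transcript and summarizes the outcome. The transcript embedded in it is the sanitized one shown above; the brace-matching extraction is my assumption about how the debug wraps its lines, and nothing is contacted over the network.</p>
</div>

```python
"""Pull the FortiGuard request/response JSON out of an
'execute fortitoken-mobile import' debug transcript and report the outcome.

Added example, not code from the original post. SAMPLE_TRANSCRIPT is the
sanitized debug output shown on the page (HTTP headers trimmed); the
brace-matching extractor is an assumption about how the debug wraps lines."""
import json

SAMPLE_TRANSCRIPT = r"""ftm_cfg_import_license[321]:import license BADLICBADLICXXX
ftm_fc_comm_connect[55]:ftm TCPS connected.ftm_fc_comm_send_request[117]:send
packet success.
POST /SoftToken/Provisioning.asmx/Process HTTP/1.1
Host: 208.91.113.53:443
Content-Length: 297
{ "d": { "__type": "SoftToken.ActivationLicenseRequest", "__version": "4",
"license_activation_code": " BADLICBADLICXXX ", "serial_number": "FGXXXXXXX",
"__device_version": "7.0", "__device_build": "0523", "__clustered_sns": [ {
"sn": " FGXXXXXXX " }, { "sn": " FGXXXXXXX " } ] } }
ftm_fc_comm_recv_response[266]:receive packet success.
{"d":{"__type":"SoftToken.ActivationLicenseResponse","__version":"4"
,"serial_number":" FGXXXXXXX","__device_version":"7.0","__device_build":"0523",
"__clustered_sns":[{"sn":" FGXXXXXXX ","error":null},{"sn":"FGXXXXXX","error":
null}],"license_activation_code":" BADLICBADLICXXX ","license":"","tokens":null,
"result":0,"error":{"error_code":16,"error_message":"forticare license activation code invalid"}}}
ftm_fc_command[615]:received error from forticare [-7566]
import fortitoken license error: -7566
"""


def extract_json_objects(text):
    """Yield every top-level {...} object in the text, even when the debug has
    wrapped it over several lines. Quotes are only tracked inside an object."""
    depth, start, in_str, esc = 0, None, False, False
    for i, ch in enumerate(text):
        if depth == 0 and ch != "{":
            continue
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
            continue
        if ch == '"':
            in_str = True
        elif ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield text[start:i + 1]


def parse_ftm_import(transcript):
    """Summarize the ActivationLicense exchange found in the transcript."""
    summary = {"request": None, "result": None, "error_code": None,
               "error_message": None, "tokens": 0}
    for blob in extract_json_objects(transcript):
        try:
            d = json.loads(blob)["d"]
        except (ValueError, KeyError, TypeError):
            continue  # not one of the provisioning messages
        kind = d.get("__type", "")
        if kind.endswith("ActivationLicenseRequest"):
            summary["request"] = {"code": d["license_activation_code"].strip(),
                                  "serial": d["serial_number"].strip()}
        elif kind.endswith("ActivationLicenseResponse"):
            summary["result"] = d.get("result")
            err = d.get("error") or {}
            summary["error_code"] = err.get("error_code")
            summary["error_message"] = err.get("error_message")
            summary["tokens"] = len(d.get("tokens") or [])
    return summary


def import_succeeded(summary):
    """True only when a response came back without an error object. 'result'
    alone is not enough: the failed import above still reports result 0."""
    return summary["result"] is not None and summary["error_code"] is None


if __name__ == "__main__":
    s = parse_ftm_import(SAMPLE_TRANSCRIPT)
    print("activation code:", s["request"]["code"], "serial:", s["request"]["serial"])
    print("ok" if import_succeeded(s) else f"failed: [{s['error_code']}] {s['error_message']}")
```

<div class="paragraph">
<p>Save the console output of the debug session to a file and feed it to <code>parse_ftm_import</code>; for a successful import the <code>tokens</code> count should match the license size.</p>
</div>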
</div>
</div>
<div class="sect1">
<h2 id="_resources">Resources</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p>Fortitoken and other kinds of debug can be found in my Github repo: <a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc">Fortigate debug diagnose cheat sheet</a></p>
</li>
<li>
<p><a href="https://yurisk.info/2023/03/21/fortigate-vpn-ssl-hardening-guide/">SSL VPN Hardening Guide</a></p>
</li>
<li>
<p><a href="https://community.fortinet.com/t5/FortiToken/Techical-Tip-Invalid-License-Migration-from-FortiToken-Mobile-to/ta-p/217292">Fortinet: Invalid License - Migration from FortiToken Mobile to FortiToken Cloud</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Tips on Upgrading Fortigate in HA Cluster2023-06-18T14:35:25+00:002023-06-18T14:35:25+00:00Yuri Slobodyanyuktag:yurisk.info,2023-06-18:/2023/06/18/tips-on-upgrading-fortigate-in-ha-cluster/<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_upgrade_what_actually_happens">Upgrade - what actually happens</a></li>
<li><a href="#_tips_on_ha_upgrades">Tips on HA upgrades</a></li>
<li><a href="#_about_rollback_downgrade">About rollback/downgrade</a></li>
<li><a href="#_troubleshooting_tips">Troubleshooting tips</a></li>
</ul>
</div>
<div class="sect1">
<h2 id="_upgrade_what_actually_happens">Upgrade - what actually happens</h2>
<div class="sectionbody">
<div class="paragraph">
<p>When upgrading a Fortigate HA Cluster the following happens:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Admin uploads new FortiOS image via GUI to the Active member.</p>
</li>
<li>
<p>Active Fortigate verifies validity of the image (tampered/broken image will be rejected).</p>
</li>
<li>
<p>Active member asks the admin whether to <em>Back up configuration and upgrade</em> or just <em>Upgrade</em>. In any case, the current configuration is stored in the other flash partition, together with the current FortiOS image.</p>
</li>
<li>
<p>On confirmation, the Active member writes the new image to its secondary flash partition, pushes the image to the Standby member and starts the upgrade of the Standby member: the new image goes to its secondary partition, that partition is made the active one, and the member reboots.</p>
</li>
<li>
<p>On successful upgrade of the Standby member and its reboot, the Active member fails over making the upgraded Standby member an Active one.</p>
</li>
<li>
<p>Formerly Active but now Standby member upgrades itself and on successful completion and reboot joins cluster membership back.</p>
</li>
</ol>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_tips_on_ha_upgrades">Tips on HA upgrades</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p>Always follow the Upgrade Path.</p>
</li>
<li>
<p>Review Release Notes.</p>
</li>
<li>
<p>Back up the configuration with a <strong>local</strong> <strong>super_admin</strong> level account: remote users from Radius/TACACS/LDAP/whatever, even with <strong>super_admin</strong> profile, do not see the whole configuration - the local system admins and some other parts are missing. You cannot fully revert with such a configuration.</p>
</li>
<li>
<p>(Opt - I don’t do it, but some say worth it) Reboot the members one by one to make sure there aren’t any unexpected errors while booting unrelated to the upgrade.</p>
</li>
<li>
<p>Look at the crash logs <strong>diagnose debug crash-log read</strong> for any issues the firewall may be experiencing, and in general look around to make sure the Fortigate is doing fine before upgrade (e.g. bad idea to start upgrade when CPU is at 100%).</p>
</li>
<li>
<p>Have physical/console access to all members.</p>
</li>
<li>
<p>Have plan for rollback.</p>
</li>
<li>
<p>Have the necessary firmware at hand. It may look easier to just click "Upgrade from Fortiguard", but I’ve seen many cases where it times out, wasting our time.</p>
</li>
<li>
<p>Make backups of the config in both clear text and encrypted form (only the encrypted backup contains the VPN certificates).</p>
</li>
<li>
<p>After upgrading, check the startup error log <strong>get sys startup-error-log</strong> for errors in converting the configuration, fix config if necessary.</p>
</li>
<li>
<p>Do not stress about the time it takes - Fortigate is busy validating the image, converting the configuration to new version, rebooting each member, full syncing after the reboot. The larger the model/configuration the more time it takes. E.g. Fortigate 1500D takes about 15 minutes to completely upgrade HA Cluster (A/P) with 2 members. It takes 20+ minutes to do the same for 3000D.</p>
</li>
<li>
<p>Do not stress about the failover time. The failover itself mostly causes 4-5 seconds of downtime if everything goes smoothly. The downtime experienced by end clients may be longer depending on the topology - e.g. if there are BGP peerings, they will be reset and return to established only as fast as the BGP timers allow. So, it may take 30 seconds or more for BGP routes to be back online.</p>
</li>
<li>
<p>Try to upgrade to the nearest available version only, according to the upgrade path - rolling back is easier. See below discussion on downgrading the cluster.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_about_rollback_downgrade">About rollback/downgrade</h2>
<div class="sectionbody">
<div class="paragraph">
<p>There is NO automated rollback in Fortigate. On each upgrade, Fortigate keeps the current version and its configuration in the secondary partition. So, if say you upgrade from 7.2.4 to 7.2.5, Fortigate will keep 7.2.4 and its configuration. This allows us to roll back to the previous version of FortiOS and configuration. The rollback in this situation is easy (for standalone Fortigate) - just make the secondary partition an active one and reboot.</p>
</div>
<div class="paragraph">
<p>Example: I upgraded this Fortigate 100E from 5.6.11 to 6.0.6, the upgrade went OK but APs managed by this Fortigate started to have issues. I set the secondary partition, holding the saved 5.6.11 version, as active, rebooted, and all reverted successfully. To see the partitions and the active image use <strong>dia sys flash list</strong>. To revert, we set the secondary partition as active and reboot:</p>
</div>
<div class="paragraph">
<p><strong>execute set-next-reboot secondary</strong></p>
</div>
<div class="paragraph">
<p><strong>exe reboot</strong></p>
</div>
<div class="paragraph">
<p>Here is the output of <code>dia sys flash list</code> after reverting back:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/dia-sys-flash-list.png" alt="dia sys flash list">
</div>
</div>
<div class="paragraph">
<p>The above really works, except in an HA cluster.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>The commands above are NOT synchronized to the passive member and thus the passive member(s) has no idea that we are reverting to the previous version.</p>
</li>
<li>
<p>If you do run the commands on the active member only, they will work, but after the reboot the active member comes up with the older FortiOS and configuration, and the passive member may just bail out of the cluster. You may end up with 2 machines each thinking it is the active member, resulting in <em>split brain</em>.</p>
</li>
<li>
<p>To prevent the above, we may use the procedure, but we HAVE to run <code>execute set-next-reboot secondary</code> command on each member (active/passive) AND reboot them simultaneously.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>If, on the other hand, you are jumping more than one version up, then rolling back becomes
even more problematic. Configuration versions may be incompatible,
e.g. having upgraded to 7.2.4 from 6.0.17 you cannot just upload FortiOS 6.0.17
and keep the configuration from 7.2.4. Fortinet suggests a harsh but universal
procedure for downgrade - dismantle the cluster with <code>execute ha disconnect
FGxxxxxxxx &lt;interface to connect to after disconnect&gt; &lt;ip address/mask&gt;</code>, downgrade each member as a standalone Fortigate, then build the cluster back. Here are the details <a href="https://docs.fortinet.com/document/fortigate/6.0.0/handbook/915612/firmware-downgrade" class="bare">https://docs.fortinet.com/document/fortigate/6.0.0/handbook/915612/firmware-downgrade</a>.
Also here
<a href="https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-revert-HA-cluster-unit-to-the-previous/ta-p/194743" class="bare">https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-revert-HA-cluster-unit-to-the-previous/ta-p/194743</a></p>
</div>
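<div class="paragraph">
<p>Two of the checks above are easy to automate before touching the cluster: that the backup you are holding was really taken by a local super_admin (so it can restore fully), and whether the version you would roll back to is on the same branch as the running one (plain <code>set-next-reboot</code> on every member) or on another branch (dismantle, downgrade standalone, rebuild). The added example below (my addition, not Fortinet code) does both on a configuration backup file. The backup text in it is constructed; the <code>#config-version=</code> header is what FortiOS writes at the top of a backup, while treating "no local super_admin entry" as "taken by a remote admin" is a heuristic built on the tip above, and "same major.minor means simple rollback" is a simplification of the discussion above, not a Fortinet guarantee.</p>
</div>

```python
"""Pre-flight checks on a FortiGate configuration backup before an HA upgrade,
plus a helper that tells whether rolling back to the saved partition is a
same-branch rollback or a cross-branch downgrade.

Added example, not code from the original post. SAMPLE_BACKUP is constructed.
The '#config-version=' header format is what FortiOS writes; the super_admin
heuristic and the branch rule are simplifications (assumptions) of the tips."""
import re

SAMPLE_BACKUP = """\
#config-version=FGT100E-7.2.5-FW-build1517-230606:opmode=0:vdom=0:user=admin
#buildno=1517
#global_vdom=1
config system global
    set hostname "fw-edge"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "ops-ro"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""

# Model names are assumed to contain no '-' (e.g. FGT100E, FGVM64); adjust if yours does.
_HEADER_RE = re.compile(
    r'^#config-version=(?P<model>[^-]+)-(?P<version>\d+\.\d+\.\d+)-FW-build(?P<build>\d+)-\d+:.*?:user=(?P<user>\S+)',
    re.M)
_ADMIN_BLOCK_RE = re.compile(r'^config system admin\n(.*?)^end\n', re.S | re.M)
_EDIT_RE = re.compile(r'^\s*edit "([^"]+)"\n(.*?)^\s*next\n', re.S | re.M)


def parse_config_version(backup_text):
    """Model, (major, minor, patch), build number and the admin who took the backup."""
    m = _HEADER_RE.search(backup_text)
    if not m:
        raise ValueError("no #config-version header: not a FortiGate backup?")
    major, minor, patch = (int(x) for x in m.group("version").split("."))
    return {"model": m.group("model"), "version": (major, minor, patch),
            "build": int(m.group("build")), "user": m.group("user")}


def local_super_admins(backup_text):
    """Names of local admin accounts with the super_admin profile in the backup."""
    m = _ADMIN_BLOCK_RE.search(backup_text)
    if not m:
        return []
    return [name for name, body in _EDIT_RE.findall(m.group(1))
            if 'set accprofile "super_admin"' in body]


def backup_is_complete(backup_text):
    """Heuristic: a backup taken by a remote (RADIUS/TACACS/LDAP) admin lacks the
    local admin accounts, so a backup with no local super_admin cannot restore fully."""
    return bool(local_super_admins(backup_text))


def rollback_kind(running, saved):
    """running/saved are (major, minor, patch) tuples.
    'same-branch': make the saved partition active (on every member at once).
    'cross-branch': config formats differ; dismantle the cluster and downgrade
    each member standalone (simplified rule, see the discussion above)."""
    return "same-branch" if running[:2] == saved[:2] else "cross-branch"


def preflight(backup_text, saved_partition_version):
    """One-shot report for the upgrade checklist."""
    info = parse_config_version(backup_text)
    return {
        "model": info["model"],
        "running": info["version"],
        "backup_taken_by": info["user"],
        "backup_complete": backup_is_complete(backup_text),
        "rollback": rollback_kind(info["version"], saved_partition_version),
    }


if __name__ == "__main__":
    for k, v in preflight(SAMPLE_BACKUP, (7, 2, 4)).items():
        print(f"{k:>17}: {v}")
```

<div class="paragraph">
<p>Feed it the clear-text backup and the version shown for the inactive partition in <strong>dia sys flash list</strong>; a <code>backup_complete</code> of <code>False</code> means go back and take the backup again with a local super_admin before starting.</p>
</div>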
</div>
</div>
<div class="sect1">
<h2 id="_troubleshooting_tips">Troubleshooting tips</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p>Reboot the secondary (slave) member if it doesn’t sync/upgrade.</p>
</li>
<li>
<p>If one member upgraded successfully but the other not - run the upgrade procedure once again from the active member.</p>
</li>
<li>
<p>Give some time for members to sync after the upgrade, may take 5-10-15 mins.</p>
</li>
<li>
<p>As the last resort, having backups of the configuration for all versions: disconnect one member from the cluster, upgrade the remaining one any way you know, factory reset the second Fortigate, upgrade it to the same FortiOS version as the first one, then build the cluster again - the new member will get the configuration via full sync.</p>
</li>
<li>
<p>Try to understand what is going on, here is the HA debug part in my cheat sheet: <a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc#high-availability-clustering-debug">HA Cluster Debug</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Fortinet Support - Tips on opening tickets with their TAC to make them more effective2023-06-03T14:45:25+00:002023-06-03T14:45:25+00:00Yuri Slobodyanyuktag:yurisk.info,2023-06-03:/2023/06/03/fortinet-support-tips-on-opening-tickets-with-their-tac-to-make-them-more-effective/<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_introduction">Introduction</a></li>
<li><a href="#_there_are_2_ways_to_open_a_ticket_via_phone_and_on_the_web_use_both_of_them_if_needed">There are 2 ways to open a ticket - via phone, and on the web, use both of them, if needed.</a></li>
<li><a href="#_have_someone_nse_4_certified_to_open_the_ticket_gets_you_straight_to_the_level_2_support">Have someone NSE 4 certified to open the ticket - gets you straight to the Level 2 Support.</a></li>
<li><a href="#_ongoing_communication_phone_or_email">Ongoing communication - phone or email?</a></li>
<li><a href="#_if_you_work_for_a_partner_search_for_your_issue_in_the_bug_tracker">If you work for a Partner, search for your issue in the Bug Tracker.</a></li>
<li><a href="#_upload_the_configuration_of_the_device_in_question">Upload the configuration of the device in question</a></li>
<li><a href="#_ask_for_a_remote_session">Ask for a Remote Session</a></li>
<li><a href="#_gather_and_upload_code_diagnose_debug_flow_code_when_traffic_is_being_blocked">Gather and upload <code>diagnose debug flow</code> when traffic is being blocked</a></li>
<li><a href="#_run_a_packet_sniffer_to_catch_the_affected_by_the_issue_traffic">Run a packet sniffer to catch the affected by the issue traffic</a></li>
<li><a href="#_run_code_execute_tac_report_code_capture_its_output_and_attach_to_the_case">Run <code>execute tac report</code>, capture its output and attach to the case</a></li>
<li><a href="#_run_specific_daemon_debug_capture_its_output_attach_to_the_case">Run specific daemon debug, capture its output, attach to the case</a></li>
</ul>
</div>
<div class="sect1">
<h2 id="_introduction">Introduction</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Below you will find ways to make your experience with Fortinet TAC better,
faster, and more productive. Not all steps may fully apply to you or your specific
situation, as I write from a Fortinet Partner standpoint. Let’s begin.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_there_are_2_ways_to_open_a_ticket_via_phone_and_on_the_web_use_both_of_them_if_needed">There are 2 ways to open a ticket - via phone, and on the web, use both of them, if needed.</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The web portal at <a href="https://support.fortinet.com" class="bare">https://support.fortinet.com</a> allows you to open
tickets only with the (low) <em>Priority</em> 3 and 4 (<code>P3/P4</code>), P4 being the lowest. Even if
you open a ticket with a low priority, you can call the TAC and request
escalation to <code>P1/P2</code>, depending on the case severity. I, personally,
even when the case is pressing, first open a ticket on the web, then immediately
call the TAC to increase the priority and ask for the case to be assigned to a
TAC Engineer. The benefit here is that the website allows you to upload
debug/config/error messages when opening a ticket, unlike a direct phone call. Even
on a direct phone call, you will have to wait while the TAC Engineer opens the
very same ticket on the Support Portal, just a waste of time for both sides.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_have_someone_nse_4_certified_to_open_the_ticket_gets_you_straight_to_the_level_2_support">Have someone NSE 4 certified to open the ticket - gets you straight to the Level 2 Support.</h2>
<div class="sectionbody">
<div class="paragraph">
<p>I cannot tell the difference, because the tickets I open
always land with the Level 2 Support, but people on the Internet say it is worth
it. If you open a ticket with the account that has a valid NSE 4 or higher certification on
it, you are supposed to reach Level 2 Support automatically.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_ongoing_communication_phone_or_email">Ongoing communication - phone or email?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The difference is huge, which is why,
I guess, they assign Portal-opened tickets low priority by default.
Email/Support portal communication is fine, but is clearly low priority for
Fortinet. You
can wait for days for a ticket to be updated, or just pick up the phone and
get the answers/updates immediately. So, if you see no updates on a ticket
- just call the TAC, tell the answering person the ticket number and you will be
connected with the TAC Engineer working on the case. Also, it has happened in the
past that Fortinet mailers got black-listed by various mail providers and their
notification mails went straight into the spam folder.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_if_you_work_for_a_partner_search_for_your_issue_in_the_bug_tracker">If you work for a Partner, search for your issue in the Bug Tracker.</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The Bug
Tracker is available to Partners only, not to end clients. You find it under
Support → Bug Tracker:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-Fortinet-Bug-Tracker-Tool1.png" alt="x Fortinet Bug Tracker Tool1">
</div>
</div>
<div class="paragraph">
<p>Inside, you can filter bugs by status, product, or firmware version, or search by
free-text description. This tool saved me time when I was about to open a ticket
on an already
known issue:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-fortinet-bug-tracker-tool3.png" alt="x fortinet bug tracker tool3">
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_upload_the_configuration_of_the_device_in_question">Upload the configuration of the device in question</h2>
<div class="sectionbody">
<div class="paragraph">
<p>You can either export the configuration as a file, or run the appropriate command on
the CLI to show the configuration while writing the CLI output to a file. For
non-trivial issues Fortinet will set up a lab with the device configuration you
upload to the case. For privacy concerns, you may, on a Fortigate at least, mask
all the passwords/keys when exporting the configuration:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-Fortigate-export-config-with-masking.png" alt="x Fortigate export config with masking">
</div>
</div>
<div class="paragraph">
<p>Uploading a config is not a must, of course, but it will speed up the ticket.
It is also a good idea, before exporting the config, to add a temporary administrator
account for the Fortinet TAC to use, to be deleted from the actual device later.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_ask_for_a_remote_session">Ask for a Remote Session</h2>
<div class="sectionbody">
<div class="paragraph">
<p>If you have an urgent issue, or you cannot upload any configs for security
reasons, feel free to ask, after opening the ticket, for a remote session. I
don’t remember a single time Fortinet folks answered "no" to such a request.
It depends on the TAC Engineer availability of course, but usually the response
is quite fast.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_gather_and_upload_code_diagnose_debug_flow_code_when_traffic_is_being_blocked">Gather and upload <code>diagnose debug flow</code> when traffic is being blocked</h2>
<div class="sectionbody">
<div class="paragraph">
<p>When the issue is with traffic passing through the Fortigate, run <code>dia debug flow</code> with
the appropriate filters and save the output. Here is the cheat sheet for the
command:
<a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc#security-rulebase-debug-diagnose-debug-flow">Security rulebase debug (diagnose debug flow)</a>. And don’t forget that on newer
Fortigate firmware, 7.2 or newer, you can also get it in the GUI; here is a short video on
how:
<a href="https://yurisk.info/2022/04/21/fortios-7-2-new-diagnose-debug-flow-in-gui/">diagnose debug flow in the GUI</a></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_run_a_packet_sniffer_to_catch_the_affected_by_the_issue_traffic">Run a packet sniffer to catch the traffic affected by the issue</h2>
<div class="sectionbody">
<div class="paragraph">
<p>TAC will almost always ask for a packet sniffer capture, preferably without any filters,
taken when the issue occurs. On a Fortigate, you can either run it on the CLI with <code>dia sni packet</code> at
verbosity 6 and save the output as a text file, or run it in the GUI and save it as a
.pcap file ready for upload to the case. Here is a short video on how to use the
packet sniffer in the GUI:
<a href="https://yurisk.info/2022/04/21/fortios-7-2-new-improved-packet-sniffer-in-gui/">Improved
packet sniffer in the GUI</a>. And here are the command line options:
<a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc#packet-sniffer-diagnose-sniffer-packet"><code>diagnose sniffer packet</code></a></p>
</div>
<div class="paragraph">
<p>Many products by Fortinet have embedded sniffers as well, but the syntax
differs. E.g. in the FortiWeb it is <code>diagnose network sniffer</code>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_run_code_execute_tac_report_code_capture_its_output_and_attach_to_the_case">Run <code>execute tac report</code>, capture its output and attach to the case</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This command runs lots of diagnostics that may help TAC Engineers. The command is
for Fortigate, but other products may have an analog as well, even if under another
name.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_run_specific_daemon_debug_capture_its_output_attach_to_the_case">Run specific daemon debug, capture its output, attach to the case</h2>
<div class="sectionbody">
<div class="paragraph">
<p>When the issue is with a specific daemon, and you know which one, it will shorten the
ticket time if you run the debug for this daemon beforehand. You can find
the exact name of the daemon in the <code>diagnose sys top</code> output, or do it in the
GUI (much easier):
<a href="https://yurisk.info/2022/04/21/Fortios-7-2-new-diagnose-sys-top-process-monitor-in-gui/">diagnose
sys top process monitor in the GUI</a>. You can then find the debug options for this daemon
with a Google search. Some of the daemons and their debug options can be
found in my cheat sheet on Github:
<a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc">Fortigate
debug diagnose cheat sheet</a></p>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Fortigate cannot delete VDOM or other object in use problem solution2023-05-14T15:55:25+00:002023-05-14T15:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2023-05-14:/2023/05/14/fortigate-cannot-delete-vdom-or-other-object-in-use-problem-solution/<div id="preamble">
</div>
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>I file it under the "feature, not a bug" category: you are trying to delete some
object, say a VDOM, which is NOT actually used anywhere, but the Fortigate throws
the error <code>command fail. Return code -23</code>. Fortigate keeps a <em>reference count</em> of
all objects at all times, and if for any given object its reference count is not
0, trying to delete it will cause an error. This is a safety feature to prevent
admins from deleting an object in use. In older Check Point versions,
before R80, you could delete an object used in rules, and the firewall would replace
it with Any, what a disaster. But back to Fortigates: this error may, unfortunately,
happen even after you have deleted all references to the object, for reasons not under our
control, such as a reference stuck in the cache, or
because you deleted the references to the object in the wrong (from Fortigate’s point of view) order. The
solution is simple (CLI only). Let’s take an example of deleting a VDOM.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Delete VDOM called MyVDOM:</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config vdom
del MyVDOM
Domain MyVDOM: used by interface, can not delete
Command fail. Return code -23</pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>First, make sure the object is indeed not used:</p>
</li>
</ul>
</div>
<div class="paragraph">
<p><strong>show | grep -f MyVDOM</strong></p>
</div>
<div class="listingblock">
<div class="content">
<pre>config vdom
edit MyVDOM <---
next
end
config global
config sys interface
edit "ssl.MyVDOM"
set vdom "MyVDOM"
set status down
set type tunnel
next
end</pre>
</div>
</div>
<div class="paragraph">
<p>We can see that only the <em>ssl.MyVDOM</em> interface exists in this VDOM, and that is OK:
this interface is auto-created by Fortigate, and will be auto-deleted by it
together with the VDOM.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>See what Fortigate thinks about references to the object in question:</p>
</li>
</ul>
</div>
<div class="paragraph">
<p><strong>diagnose sys cmdb refcnt show system.interface.name ssl.MyVDOM</strong></p>
</div>
<div class="listingblock">
<div class="content">
<pre>diagnose sys cmdb refcnt show system.interface.name ssl.MyVDOM
The total reference number is 0</pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Anyway, here is the secret command to refresh/reset the reference count. I run it on
both the interface and the VDOM, just in case:</p>
</li>
</ul>
</div>
<div class="paragraph">
<p><strong>diagnose sys cmdb refcnt reset system.interface.name ssl.MyVDOM</strong></p>
</div>
<div class="paragraph">
<p><strong>dia sys cmdb refcnt reset system.vdom.name MyVDOM</strong></p>
</div>
<div class="listingblock">
<div class="content">
<pre>diagnose sys cmdb refcnt reset system.interface.name ssl.MyVDOM
The total reference number is reset to 0 from 1.
dia sys cmdb refcnt reset system.vdom.name MyVDOM
Entry used by table system.interface.name 'ssl.MyVDOM'
entry used by child table gui-dashboard:id '222'
... CUT...
The total reference number is reset to 14 from 20</pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>After that, I could delete the VDOM:</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config vdom
delete MyVDOM
end</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_resources">Resources</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc">This and other debug in Fortigate debug cheat sheet on Github</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Fortigate as DNS authoritative server with DNS database2023-04-12T11:55:25+00:002023-04-12T11:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2023-04-12:/2023/04/12/fortigate-as-dns-authoritative-server-with-dns-database/<div id="toc" class="toc">
</div>
<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_configuration">Configuration</a></li>
<li><a href="#_debug_and_diagnostics">Debug and diagnostics</a>
<ul class="sectlevel2">
<li><a href="#_diag_test_application_dnsproxy_8">diag test application dnsproxy 8</a></li>
<li><a href="#_diag_test_application_dnsproxy_3">diag test application dnsproxy 3</a></li>
<li><a href="#_diagnose_test_app_dnsproxy_2">diagnose test app dnsproxy 2</a></li>
<li><a href="#_diagnose_test_app_dnsproxy_7">diagnose test app dnsproxy 7</a></li>
<li><a href="#_diagnose_test_app_dnsproxy_6">diagnose test app dnsproxy 6</a></li>
<li><a href="#_diagnose_test_app_dnsproxy_9">diagnose test app dnsproxy 9</a></li>
</ul>
</li>
<li><a href="#_windows_dns_commands">Windows DNS commands</a>
<ul class="sectlevel2">
<li><a href="#__strong_dnscmd_strong_em_server_name_or_ip_em_zoneinfo_em_domain_name_em"><strong>dnscmd</strong> <em>server-name-or-IP</em> /zoneinfo <em>domain-name</em></a></li>
<li><a href="#__strong_dnscmd_strong_em_server_name_or_ip_em_zoneresetsecondaries_em_domain_name_em"><strong>dnscmd</strong> <em>server-name-or-IP</em> /ZoneResetSecondaries <em>domain-name</em></a></li>
<li><a href="#__strong_dnscmd_strong_em_server_name_or_ip_em_zoneresetsecondaries_em_domain_name_em_securelist_em_ipstoallowzonetransfer_em"><strong>dnscmd</strong> <em>server-name-or-IP</em> /ZoneResetSecondaries <em>domain-name</em> /SecureList <em>IPsToAllowZoneTransfer</em></a></li>
</ul>
</li>
<li><a href="#_resources">Resources</a></li>
</ul>
</div>
<div class="sect1">
<h2 id="_configuration">Configuration</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p>Make sure <code>DNS Database</code> is enabled in Feature Visibility for configuring it in GUI, or <code>config sys setting</code> → <code>set gui-dns-database enable</code></p>
</li>
<li>
<p>A must-specify setting: <em>domain name</em></p>
</li>
<li>
<p>Supported DNS records:</p>
<div class="ulist">
<ul>
<li>
<p>A</p>
</li>
<li>
<p>NS</p>
</li>
<li>
<p>CNAME</p>
</li>
<li>
<p>MX</p>
</li>
<li>
<p>AAAA</p>
</li>
<li>
<p>PTR</p>
</li>
<li>
<p>PTR_V6</p>
</li>
</ul>
</div>
</li>
<li>
<p>For type <code>secondary</code>, if <code>authoritative enable</code> is also set, Fortigate will NOT forward queries for records it does not have, even if a <code>forwarder</code> is also set. E.g. in a Windows environment, Fortigate does not support SRV records, so for them to work (<strong>Split DNS</strong>), we have to set <code>set authoritative disable</code>, or Fortigate will drop queries for SRV records.</p>
</li>
<li>
<p>When Fortigate is a Master/Authoritative zone holder, we can specify up to 12
Slave DNS servers to allow zone transfer from this Fortigate. You do so within <code>config sys dns-database</code> → <code>edit yurisk.com-zone</code> → <code>set allow-transfer "192.168.13.82" "8.8.8.8"</code></p>
</li>
<li>
<p>A frequent case is when Fortigate is a Slave of Active Directory DNS and the records do not update, even though AD DNS saved the change. Windows DNS sends a <code>Notify</code> to the configured Slave servers, but this message only tells Fortigate to go and check whether there were any changes to the domain. Fortigate first looks at the SOA on the Master and compares it with the stored one: if they don’t differ, Fortigate will not pull the changed zone file. You need to remember to always increase the SOA serial on the Windows AD DNS every time you change the zone file.</p>
</li>
</ul>
</div>
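<div class="paragraph">
<p>The SOA serial comparison described above, as an added example that is not part of the original post: a small Python script that parses the zone headers out of a <code>diag test app dnsproxy 8</code> dump (a constructed sample modelled on the output in the debug section) and, using RFC 1982 serial arithmetic, reports whether a secondary zone would be pulled for a given master SOA serial. The sample dump and the master serial values are assumptions, not output from a real device.</p>
</div>

```python
import re

# Constructed sample of "diag test app dnsproxy 8" output, modelled on the
# dump shown in the debug section (zone nse8-zone, stored serial 1588).
# The header lines wrap the way the Fortigate CLI wraps them.
DNSPROXY_8_SAMPLE = """worker idx: 0
vfid=0 name=nse8-zone domain=nse8.com ttl=86400 authoritative=1 view=shadow
type=secondary serial=1588 refresh=900
forwarder:
192.168.13.82 secure=0
A: ForestDnsZones.nse8.com-->192.168.13.82(600)
SOA: nse8.com (primary: win2016-gui-dc.nse8.com, contact:
hostmaster@nse8.com, serial: 1588)(3600)
NS: nse8.com-->win2016-gui-dc.nse8.com(3600)
vfid=0 name=yurisk.com-zone domain=yurisk.com ttl=86400 authoritative=1 view=shadow
type=primary serial=7 refresh=900
A: bla.yurisk.com-->192.12.12.12(86400)
"""

# A line made only of key=value tokens: a zone header or its wrapped tail.
KV_LINE = re.compile(r"^\s*(?:\w+=\S+\s*)+$")

SERIAL_BITS = 32  # SOA serials are 32-bit unsigned integers


def parse_dnsproxy_zones(dump: str) -> dict:
    """Return {domain: {field: value}} for every zone in a dnsproxy 8 dump.

    A zone header starts at a 'vfid=' line; the following lines consisting only
    of key=value tokens are the wrapped remainder of the same header. Record
    lines (A:, NS:, SOA:, ...) and 'forwarder:' end the header.
    """
    zones = {}
    header = None
    for line in dump.splitlines():
        if line.startswith("vfid="):
            header = {}
        elif header is None or not KV_LINE.match(line):
            header = None
            continue
        for token in line.split():
            key, _, value = token.partition("=")
            header[key] = value
        if "domain" in header:
            zones[header["domain"]] = header
    return zones


def serial_is_newer(candidate: int, stored: int) -> bool:
    """RFC 1982 serial number arithmetic: the candidate is newer when the
    forward distance modulo 2^32 lies in (0, 2^31), so a serial that wrapped
    past 2^32-1 still counts as an increase."""
    distance = (candidate - stored) % (1 << SERIAL_BITS)
    return 0 < distance < (1 << (SERIAL_BITS - 1))


def zones_needing_transfer(dump: str, master_serials: dict) -> dict:
    """For every secondary zone in the dump whose master SOA serial is known,
    report whether the Fortigate would pull the zone after a Notify/refresh:
    only when the master serial is newer than the stored one."""
    needed = {}
    for domain, zone in parse_dnsproxy_zones(dump).items():
        if zone.get("type") != "secondary" or domain not in master_serials:
            continue  # primary zones are never transferred in; unknown masters skipped
        needed[domain] = serial_is_newer(master_serials[domain], int(zone["serial"]))
    return needed


if __name__ == "__main__":
    # Assumed master serials: unchanged (zone edited but SOA serial not bumped)
    # versus bumped by one after the zone edit.
    for master_serial in (1588, 1589):
        print(master_serial, zones_needing_transfer(DNSPROXY_8_SAMPLE, {"nse8.com": master_serial}))
```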
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
Fortigate supports the DNS over TLS (DoT) and DNS over HTTPS (DoH) protocols,
both for querying external servers as a client and for answering queries as a DNS
server. To test/debug those protocols on the client side, use the <strong>kdig</strong> utility,
e.g. <code>kdig A +tls google.com @8.8.8.8</code>; <code>kdig</code> can be found at
<a href="https://www.knot-dns.cz/docs/2.4/html/installation.html" class="bare">https://www.knot-dns.cz/docs/2.4/html/installation.html</a>. Install on Ubuntu with
<code>apt install knot-dnsutils</code>.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>Example full config (nse8.com is a Slave, yurisk.com Master):</p>
</div>
<div class="listingblock">
<div class="content">
<pre>config system dns-database
    edit "nse8-zone"                   // name can be anything, up to 35 chars
        set domain "nse8.com"          // Domain has to be exact
        set type secondary             // Slave zonefile
        set view shadow                // Answer only to internal clients
        set authoritative disable      // disable, see above for why
        set forwarder "192.168.13.82"  // DC as resolver for unknown domains/records
        set source-ip 0.0.0.0          // Not needed here, but for e.g. VPN site-to-site may need to be set to an IP inside the encryption domain
        set ip-primary 192.168.13.82   // AD DC as master DNS holding nse8.com
    next
    edit "yurisk.com-zone"
        set domain "yurisk.com"        // Becomes authoritative by default
        set type primary
        set view shadow
        set ttl 86400                  // Default TTL for all records
        set authoritative enable
        unset forwarder
        set source-ip 0.0.0.0
        config dns-entry
            edit 1
                set hostname "bla"
                set ip 192.12.12.12
            next
        end
        set allow-transfer "192.168.13.82" "8.8.8.8"
    next
end</pre>
</div>
</div>
<div class="paragraph">
<p>And now, enable DNS service on <em>port2</em> connected to the LAN:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>config system dns-server
    edit "port2"
        set mode recursive            // Default
        set dnsfilter-profile ''      // Default
        set doh disable               // Default
    next
end</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_debug_and_diagnostics">Debug and diagnostics</h2>
<div class="sectionbody">
<div class="paragraph">
<p>There are quite a few commands available, all gathered under <strong>dia test app
dnsproxy</strong>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre># diagnose test app dnsproxy
worker idx: 0
1. Clear DNS cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
7. Dump DNS cache
8. Dump DNS DB
9. Reload DNS DB
10. Dump secure DNS policy/profile
11. Dump Botnet domain
12. Reload Secure DNS setting
13. Show Hostname cache
14. Clear Hostname cache
15. Show SDNS rating cache
16. Clear SDNS rating cache
17. DNS debug bit mask
18. DNS debug obj mem
99. Restart dnsproxy worker</pre>
</div>
</div>
<div class="paragraph">
<p>Below is the output of some of them.</p>
</div>
<div class="sect2">
<h3 id="_diag_test_application_dnsproxy_8">diag test application dnsproxy 8</h3>
<div class="paragraph">
<p>Before enabling DNS on the client-facing interface:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>worker idx: 0</pre>
</div>
</div>
<div class="paragraph">
<p>After enabling it, the zone records held in the DNS DB:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>worker idx: 0
vfid=0 name=nse8-zone domain=nse8.com ttl=86400 authoritative=1 view=shadow
type=secondary serial=1588 refresh=900
forwarder:
192.168.13.82 secure=0
A: ForestDnsZones.nse8.com-->192.168.13.82(600)
NS: _msdcs.nse8.com-->win-o4nhhlcjg1c.nse8.com(3600)
A: WIN10AD.nse8.com-->10.10.17.128(1200)
A: win2016-gui-dc.nse8.com-->192.168.13.82(3600)
A: win-o4nhhlcjg1c.nse8.com-->10.10.10.130(3600)
A: win-o4nhhlcjg1c.nse8.com-->192.168.13.133(3600)
A: DomainDnsZones.nse8.com-->192.168.13.82(600)
SOA: nse8.com (primary: win2016-gui-dc.nse8.com, contact:
hostmaster@nse8.com, serial: 1588)(3600)
A: nse8.com-->192.168.13.82(600)
NS: nse8.com-->win2016-gui-dc.nse8.com(3600)</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_diag_test_application_dnsproxy_3">diag test application dnsproxy 3</h3>
<div class="paragraph">
<p>Ongoing DNS connections:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>worker idx: 0
VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1
dns64 is disabled
DNS servers:
8.8.8.8:53 vrf=0 tz=0 encrypt=none req=47 to=0 res=47 rt=3 ready=1 timer=0
probe=0 failure=0 last_failed=0
194.90.0.1:53 vrf=0 tz=0 encrypt=none req=57 to=0 res=57 rt=1 ready=1 timer=0
probe=0 failure=0 last_failed=0
96.45.45.45:53 vrf=0 tz=0 encrypt=none req=45 to=2 res=45 rt=5 ready=1 timer=0
probe=0 failure=0 last_failed=0
96.45.46.46:53 vrf=0 tz=0 encrypt=none req=43 to=4 res=43 rt=5 ready=1 timer=0
probe=0 failure=0 last_failed=0
SDNS servers:
208.91.112.220:53 vrf=0 tz=0 encrypt=none req=0 to=0 res=0 rt=1494 ready=0
timer=2331 probe=11 failure=0 last_failed=0
65.0.232.185:53 vrf=0 tz=300 encrypt=none req=0 to=0 res=0 rt=1494 ready=0
timer=2341 probe=11 failure=0 last_failed=0
83.231.212.53:53 vrf=0 tz=60 encrypt=none req=0 to=0 res=0 rt=1494 ready=0
timer=2341 probe=11 failure=0 last_failed=0
173.243.138.221:53 vrf=0 tz=-480 encrypt=none req=0 to=0 res=0 rt=1494 ready=0
timer=2341 probe=11 failure=0 last_failed=0
194.69.172.53:53 vrf=0 tz=0 encrypt=none req=0 to=0 res=0 rt=1494 ready=0
timer=2341 probe=11 failure=0 last_failed=0
208.184.237.71:53 vrf=0 tz=-480 encrypt=none req=0 to=0 res=0 rt=1494 ready=0
timer=2341 probe=11 failure=0 last_failed=0
154.52.12.53:53 vrf=0 tz=480 encrypt=none req=0 to=0 res=0 rt=1494 ready=0
timer=2341 probe=11 failure=0 last_failed=0
154.52.24.53:53 vrf=0 tz=600 encrypt=none req=0 to=0 res=0 rt=1494 ready=0
timer=2341 probe=11 failure=0 last_failed=0
154.52.26.53:53 vrf=0 tz=-300 encrypt=none req=0 to=0 res=0 rt=1494 ready=0
timer=2341 probe=11 failure=0 last_failed=0
149.5.232.53:53 vrf=0 tz=60 encrypt=none req=0 to=0 res=0 rt=1494 ready=0
timer=2341 probe=11 failure=0 last_failed=0
140.174.22.53:53 vrf=0 tz=-300 encrypt=none req=0 to=0 res=0 rt=1494 ready=0
timer=2341 probe=11 failure=0 last_failed=0
ALT servers:
Interface selecting method: auto
Specified interface:
FortiGuard interface selecting method: auto
FortiGuard specified interface:
vfid=0, interface=port2, ifindex=4, lb=0, recursive,
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=8 udp_c=18:19 ha_c=23 unix_s=9, unix_nb_s=24, unix_nc_s=10
v6_udp_s=7, v6_udp_c=21:22, snmp=25, redir=14, v6_redir=15
DNS FD: tcp_s=11, tcp_s6=12, redir=27 v6_redir=28
DNS UNIX FD: dnsproxy_un=29
FGD_DNS_SERVICE_LICENSE:
server=208.91.112.220:53, expiry=0000-00-00, expired=1, type=0
server=65.0.232.185:53, expiry=0000-00-00, expired=1, type=0
server=83.231.212.53:53, expiry=0000-00-00, expired=1, type=0
server=173.243.138.221:53, expiry=0000-00-00, expired=1, type=0
server=194.69.172.53:53, expiry=0000-00-00, expired=1, type=0
server=208.184.237.71:53, expiry=0000-00-00, expired=1, type=0
server=154.52.12.53:53, expiry=0000-00-00, expired=1, type=0
server=154.52.24.53:53, expiry=0000-00-00, expired=1, type=0
server=154.52.26.53:53, expiry=0000-00-00, expired=1, type=0
server=149.5.232.53:53, expiry=0000-00-00, expired=1, type=0
server=140.174.22.53:53, expiry=0000-00-00, expired=1, type=0
FGD_CATEGORY_VERSION:9
SERVER_LDB: gid=0af2, tz=-420, error_allow=0
FGD_REDIR_V4:208.91.112.55 FGD_REDIR_V6:[2620:101:9000:53::55]</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_diagnose_test_app_dnsproxy_2">diagnose test app dnsproxy 2</h3>
<div class="paragraph">
<p>Shows the latency to the external DNS servers in use:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=96.45.45.45 latency=5 updated=3162
vfid=0 server=8.8.8.8 latency=6 updated=2404
vfid=0 server=194.90.0.1 latency=1 updated=4789
vfid=0 server=96.45.46.46 latency=5 updated=7197
SDNS latency info:
vfid=0 server=65.0.232.185 latency=-1 updated=26943
vfid=0 server=208.184.237.71 latency=-1 updated=26938
vfid=0 server=194.69.172.53 latency=-1 updated=26951
vfid=0 server=140.174.22.53 latency=-1 updated=26945
vfid=0 server=149.5.232.53 latency=-1 updated=26951
vfid=0 server=83.231.212.53 latency=-1 updated=26953
vfid=0 server=154.52.12.53 latency=-1 updated=26937
vfid=0 server=154.52.24.53 latency=-1 updated=26927
vfid=0 server=154.52.26.53 latency=-1 updated=26944
vfid=0 server=173.243.138.221 latency=-1 updated=26938
DNS_CACHE: alloc=19, hit=18
RATING_CACHE: alloc=0, hit=0
DNS query: alloc=0
DNS UDP: req=228 res=213 fwd=207 cmp=13 retrans=12 to=40
cur=6 switched=273106 num_switched=2
v6_cur=0 v6_switched=0 num_v6_switched=0
DNS FTGD: ftg_fwd=0, ftg_res=0, ftg_retrans=0
DNS TCP: req=0, res=0, fwd=0, retrans=0, to=0
DNS TCP connections:
DNS UNIX streams: cfd=33
FQDN: alloc=6 nl_write_cnt=126 nl_send_cnt=137 nl_cur_cnt=0
Botnet: searched=0 hit=0</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_diagnose_test_app_dnsproxy_7">diagnose test app dnsproxy 7</h3>
<div class="paragraph">
<p>Shows resolved FQDN objects:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>worker idx: 0
vfid=0, name=gmail.com, ttl=10:0:1787
172.217.16.197 (ttl=290)
vfid=0, name=login.microsoftonline.com, ttl=186:125:1739
40.126.32.137 (ttl=186) 40.126.32.132 (ttl=186) 20.190.160.13 (ttl=186)
40.126.32.75 (ttl=186) 20.190.160.15 (ttl=186)
40.126.32.69 (ttl=186) 20.190.160.23 (ttl=186) 40.126.32.139 (ttl=186)
vfid=0, name=login.microsoft.com, ttl=227:87:1660
40.126.32.69 (ttl=233) 40.126.32.75 (ttl=233) 20.190.160.23 (ttl=233)
40.126.32.67 (ttl=233) 20.190.160.12 (ttl=233)
20.190.160.15 (ttl=233) 20.190.160.13 (ttl=233) 40.126.32.137 (ttl=233)
vfid=0, name=login.windows.net, ttl=10:0:1636
40.126.31.73 (ttl=192) 40.126.31.71 (ttl=192) 20.190.159.68 (ttl=192)
40.126.31.69 (ttl=192) 40.126.31.67 (ttl=192)
20.190.159.4 (ttl=192) 20.190.159.64 (ttl=192) 20.190.159.2 (ttl=192)
vfid=0, name=skydrive.wns.windows.com, ttl=10:0:1578
40.113.103.199 (ttl=259)
vfid=0, name=directregistration.fortinet.com, ttl=402:161:1559
63.137.229.3 (ttl=402)
vfid=0, name=cs.dds.microsoft.com, ttl=286:19:1533
52.152.90.172 (ttl=286)
vfid=0, name=forticlient.fortinet.net, ttl=10:0:1448
208.184.237.75 (ttl=0) 173.243.138.98 (ttl=0)
vfid=0, name=ping-edge.smartscreen.microsoft.com, ttl=10:0:1266
20.86.249.62 (ttl=8)
vfid=0, name=cnn.com, ttl=10:0:1104
2a04:4e42:600::773 (ttl=131) 2a04:4e42:c00::773 (ttl=131)
2a04:4e42:400::773 (ttl=131) 2a04:4e42:200::773 (ttl=131) 2a04:4e42:800::773
(ttl=131)
2a04:4e42:e00::773 (ttl=131) 2a04:4e42::773 (ttl=131)
2a04:4e42:a00::773 (ttl=131)
vfid=0, name=cnn.com, ttl=10:0:1104
151.101.3.5 (ttl=60) 151.101.131.5 (ttl=60) 151.101.67.5 (ttl=60)
151.101.195.5 (ttl=60)
vfid=0, name=google.com, ttl=10:0:1078
142.250.184.238 (ttl=204)
vfid=0, name=mtalk.google.com, ttl=10:0:1075
173.194.76.188 (ttl=280)
vfid=0, name=mus.cisco.com, ttl=289:0:1059
72.163.1.80 (ttl=289)
vfid=0, name=self.events.data.microsoft.com, ttl=10:0:1033
20.44.10.122 (ttl=6)
vfid=0, name=identity.getvideostream.com, ttl=101:0:1030
172.67.202.21 (ttl=101) 104.21.76.235 (ttl=101)
vfid=0, name=au.download.windowsupdate.com, ttl=174:0:1030
93.184.221.240 (ttl=2762)
vfid=0, name=ntp2.fortiguard.com, ttl=41245:40473:1028
208.91.112.60 (ttl=41743) 208.91.112.62 (ttl=41743)
vfid=0, name=ntp1.fortiguard.com, ttl=41245:40473:1028
208.91.112.61 (ttl=42508) 208.91.112.63 (ttl=42508)
CACHE num=19</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_diagnose_test_app_dnsproxy_6">diagnose test app dnsproxy 6</h3>
<div class="listingblock">
<div class="content">
<pre>worker idx: 0
vfid=0 name=login.windows.net ver=IPv4 wait_list=0 timer=6 min_refresh=60
min_ttl=1 cache_ttl=0 slot=-1 num=16 wildcard=0
40.126.31.73 (ttl=192:0:0) 40.126.31.71 (ttl=192:0:0) 20.190.159.68
(ttl=192:0:0) 40.126.31.69 (ttl=192:0:0) 40.126.31.67 (ttl=192:0:0)
20.190.159.4 (ttl=192:0:0) 20.190.159.64 (ttl=192:0:0) 20.190.159.2
(ttl=192:0:0) 20.190.160.13 (ttl=1:0:0) 20.190.160.21 (ttl=1:0:0) 40.126.32.73
(ttl=1:0:0)
40.126.32.137 (ttl=1:0:0) 40.126.32.135 (ttl=1:0:0) 40.126.32.132
(ttl=1:0:0) 20.190.160.12 (ttl=1:0:0) 40.126.32.69 (ttl=1:0:0)
vfid=0 name=login.microsoft.com ver=IPv4 wait_list=0 timer=10 min_refresh=60
min_ttl=227 cache_ttl=0 slot=-1 num=8 wildcard=0
40.126.32.69 (ttl=233:22:22) 40.126.32.75 (ttl=233:22:22) 20.190.160.23
(ttl=233:22:22) 40.126.32.67 (ttl=233:22:22) 20.190.160.12 (ttl=233:22:22)
20.190.160.15 (ttl=233:22:22) 20.190.160.13 (ttl=233:22:22)
40.126.32.137 (ttl=233:22:22)
vfid=0 name=login.microsoftonline.com ver=IPv4 wait_list=0 timer=48
min_refresh=60 min_ttl=186 cache_ttl=0 slot=-1 num=16 wildcard=0
20.190.159.70 (ttl=300:113:113) 40.126.31.64 (ttl=300:113:113)
20.190.159.72 (ttl=300:113:113) 20.190.159.1 (ttl=300:113:113) 20.190.159.74
(ttl=300:113:113)
20.190.159.69 (ttl=300:113:113) 40.126.31.70 (ttl=300:113:113)
40.126.31.72 (ttl=300:113:113) 40.126.32.137 (ttl=186:54:54) 40.126.32.132
(ttl=186:54:54) 20.190.160.13 (ttl=186:54:54)
40.126.32.75 (ttl=186:54:54) 20.190.160.15 (ttl=186:54:54) 40.126.32.69
(ttl=186:54:54) 20.190.160.23 (ttl=186:54:54) 40.126.32.139 (ttl=186:54:54)
vfid=0 name=gmail.com ver=IPv4 wait_list=0 timer=200 min_refresh=60 min_ttl=290
cache_ttl=0 slot=-1 num=1 wildcard=0
172.217.16.197 (ttl=290:206:206)
vfid=0 name=*.google.com ver=IPv4 wait_list=0 timer=0 min_refresh=60 min_ttl=280
cache_ttl=0 slot=-1 num=1 wildcard=1
173.194.76.188 (ttl=280:0:0)
vfid=0 name=*.dropbox.com ver=IPv4 wait_list=0 timer=0 min_refresh=60 min_ttl=0
cache_ttl=0 slot=-1 num=0 wildcard=1
FQDN num=6</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_diagnose_test_app_dnsproxy_9">diagnose test app dnsproxy 9</h3>
<div class="paragraph">
<p>No output; it just reloads the zone(s), and for a secondary zone pulls the zone from the
primary.</p>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_windows_dns_commands">Windows DNS commands</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Some commands to verify/diagnose on Windows Servers.</p>
</div>
<div class="sect2">
<h3 id="__strong_dnscmd_strong_em_server_name_or_ip_em_zoneinfo_em_domain_name_em"><strong>dnscmd</strong> <em>server-name-or-IP</em> /zoneinfo <em>domain-name</em></h3>
<div class="paragraph">
<p>Show info on a given (<em>nse8.com</em>) zone hosted on <em>localhost</em> server:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>dnscmd localhost /zoneinfo nse8.com
PS C:\Users\Administrator> dnscmd localhost /zoneinfo nse8.com
Zone query result:
Zone info:
ptr = 0000021381F37460
zone name = nse8.com
zone type = 1
shutdown = 0
paused = 0
update = 2
DS integrated = 1
read only zone = 0
in DS loading queue = 0
currently DS loading = 0
data file = (null)
using WINS = 0
using Nbstat = 0
aging = 0
refresh interval = 168
no refresh = 168
scavenge available = 0
Zone Masters NULL IP Array.
Zone Secondaries
Ptr = 0000021381F371C0
MaxCount = 1
AddrCount = 1
Secondary[0] => af=2, salen=16, [sub=0, flag=00000000] p=13568,
addr=192.168.13.237 <b class="conum">(1)</b>
secure secs = 2
directory partition = AD-Domain flags 00000015
zone DN =
DC=nse8.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=nse8,DC=com
Command completed successfully.</pre>
</div>
</div>
<div class="colist arabic">
<ol>
<li>
<p>Our Fortigate (<em>192.168.13.237</em>) as a Slave for this (nse8.com) zone is allowed to do a zone transfer from this DNS server.</p>
</li>
</ol>
</div>
</div>
<div class="sect2">
<h3 id="__strong_dnscmd_strong_em_server_name_or_ip_em_zoneresetsecondaries_em_domain_name_em"><strong>dnscmd</strong> <em>server-name-or-IP</em> /ZoneResetSecondaries <em>domain-name</em></h3>
<div class="paragraph">
<p>Reset/delete all allowed secondary servers.</p>
</div>
<div class="paragraph">
<p>In our case:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>dnscmd localhost /ZoneResetSecondaries nse8.com</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="__strong_dnscmd_strong_em_server_name_or_ip_em_zoneresetsecondaries_em_domain_name_em_securelist_em_ipstoallowzonetransfer_em"><strong>dnscmd</strong> <em>server-name-or-IP</em> /ZoneResetSecondaries <em>domain-name</em> /SecureList <em>IPsToAllowZoneTransfer</em></h3>
<div class="paragraph">
<p>Set the list of IPs allowed to do a zone transfer of this zone from the Windows server.
In our case, adding 192.168.13.237 and 192.168.13.22 (for example only):</p>
</div>
<div class="listingblock">
<div class="content">
<pre>dnscmd localhost /ZoneResetSecondaries nse8.com /SecureList 192.168.13.237 192.168.13.22</pre>
</div>
</div>
</div>
</div>
</div>
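<div class="paragraph">
<p>The zone transfer ACL is what the <code>secure secs</code> line and the <code>Secondary[n]</code> lines in the <code>/zoneinfo</code> output above encode, and it is worth checking on every zone, not only the one we just configured. The following parser and audit function are an added example, not part of the original post: the meaning of the numeric <code>secure secs</code> values is taken from the fSecureSecondaries constants in Microsoft's MS-DNSP specification (0 any server, 1 NS-record servers only, 2 secure list only, 3 no transfers), and the two sample texts are constructed, the first from the output shown above and the second as a counter-example of a zone left open.</p>
</div>

```python
"""Audit the zone-transfer policy reported by `dnscmd /zoneinfo`.

Added example, not from the original post. The "secure secs" values are
read as the fSecureSecondaries constants from MS-DNSP; the sample texts
below are constructed for the example.
"""
import re

SECURE_SECS = {
    0: "any server may transfer the zone (ZONE_SECSECURE_NO_SECURITY)",
    1: "only servers in the zone's NS records (ZONE_SECSECURE_NS_ONLY)",
    2: "only servers in the secure list (ZONE_SECSECURE_LIST_ONLY)",
    3: "zone transfers disabled (ZONE_SECSECURE_NO_XFR)",
}

ZONE_NAME_RE = re.compile(r"^\s*zone name\s*=\s*(\S+)", re.MULTILINE)
SECURE_RE = re.compile(r"^\s*secure secs\s*=\s*(\d+)", re.MULTILINE)
# One line per allowed secondary, e.g. "Secondary[0] => af=2, ... addr=192.168.13.237"
SECONDARY_RE = re.compile(r"Secondary\[\d+\]\s*=>.*?addr=([0-9A-Fa-f.:]+)")


def parse_zoneinfo(text):
    """Extract zone name, secure-secondaries mode and the listed secondaries."""
    name = ZONE_NAME_RE.search(text)
    mode = SECURE_RE.search(text)
    if not name or not mode:
        raise ValueError("not a dnscmd /zoneinfo output")
    mode = int(mode.group(1))
    return {
        "zone": name.group(1),
        "secure_secs": mode,
        "policy": SECURE_SECS.get(mode, "unknown value"),
        "secondaries": SECONDARY_RE.findall(text),
    }


def audit_zone(info, expected_secondaries):
    """Return a list of findings; empty when the zone is configured as expected.

    expected_secondaries: the set of IPs that should be allowed to pull this
    zone, e.g. the Fortigate's address from the post.
    """
    findings = []
    mode = info["secure_secs"]
    if mode == 0:
        findings.append("zone transfer allowed to any server")
    if mode == 1:
        findings.append("transfer allowed to every NS-record host; prefer an explicit list")
    if mode == 2:
        extra = set(info["secondaries"]) - set(expected_secondaries)
        if extra:
            findings.append("unexpected secondaries in secure list: " + ", ".join(sorted(extra)))
    return findings


# Constructed from the dnscmd output shown above, trimmed to the relevant lines.
SAMPLE_SECURE_LIST = """\
Zone info:
        zone name                = nse8.com
        zone type                = 1
Zone Secondaries
        Secondary[0] => af=2, salen=16, [sub=0, flag=00000000] p=13568, addr=192.168.13.237
        secure secs              = 2
"""

# Constructed counter-example: a zone left open to any server.
SAMPLE_OPEN = """\
Zone info:
        zone name                = example.test
Zone Secondaries NULL IP Array.
        secure secs              = 0
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SECURE_LIST, SAMPLE_OPEN):
        info = parse_zoneinfo(sample)
        print(info["zone"], "-", info["policy"], audit_zone(info, {"192.168.13.237"}))
```

<div class="paragraph">
<p>Feed it the output of <code>dnscmd <em>server</em> /zoneinfo <em>zone</em></code> for each zone from <code>dnscmd <em>server</em> /EnumZones</code>; a finding on mode 0 means anyone on the network can pull the whole zone, which is the case <code>/ZoneResetSecondaries ... /SecureList</code> fixes.</p>
</div>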
<div class="sect1">
<h2 id="_resources">Resources</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p>For general, and specifically, DNS debug commands on Fortigate see <a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc#dns-server-and-proxy-debug" class="bare">https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc#dns-server-and-proxy-debug</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>macOS mdfind examples cheat sheet2023-03-28T09:55:25+00:002023-03-28T09:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2023-03-28:/2023/03/28/mdfind-macos-examples-cheat-sheet/<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_introduction">Introduction</a></li>
<li><a href="#_find_files_with_a_given_word_in_it">Find files with a given word in it</a></li>
<li><a href="#_search_for_a_word_in_file_names_only_not_their_contents">Search for a word in file names only, not their contents</a></li>
<li><a href="#_find_a_file_with_multiple_keywords_in_its_name">Find a file with multiple keywords in its name</a></li>
<li><a href="#_limit_search_to_specific_file_format_s">Limit search to specific file format(s)</a></li>
<li><a href="#_look_up_folder_names">Look up folder names</a></li>
<li><a href="#_search_for_an_exact_match">Search for an exact match</a></li>
<li><a href="#_search_in_specific_folder_s_only">Search in specific folder(s) only</a></li>
<li><a href="#_search_by_created_modified_dates">Search by created, modified dates</a></li>
<li><a href="#_find_file_by_their_size">Find file by their size</a></li>
<li><a href="#_disable_spotlight_mdfind_indexing_for_a_specific_volume">Disable Spotlight/mdfind indexing for a specific volume</a></li>
<li><a href="#_resources">Resources</a></li>
</ul>
</div>
<div class="sect1">
<h2 id="_introduction">Introduction</h2>
<div class="sectionbody">
<div class="paragraph">
<p><code>mdfind</code> is the command-line interface to the Spotlight search tool on every
Apple macOS system. Being a CLI tool, it saves time when searching for stuff on
your Mac. Unfortunately, much of the documentation on the topic is
out of date: the examples either do not work or give an error. Otherwise, the
tool is not well documented. Below are a few examples for everyday usage, tested
on the newest versions: Catalina, Big Sur, Monterey, Ventura.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_find_files_with_a_given_word_in_it">Find files with a given word in it</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Just give <code>mdfind</code> a word to search for, and it will look for it in
file/media/application names, as well as in their contents.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>mdfind mysearchword</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_search_for_a_word_in_file_names_only_not_their_contents">Search for a word in file names only, not their contents</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Add <code>-name</code> qualifier before the search word.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>mdfind -name October</pre>
</div>
</div>
<div class="paragraph">
<p>Will find files named: <em>OctoberFest.pdf</em>, <em>inoctober.txt</em>, <em>Red October.mp4</em></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_find_a_file_with_multiple_keywords_in_its_name">Find a file with multiple keywords in its name</h2>
<div class="sectionbody">
<div class="paragraph">
<p>We can specify more than one word to look for in the file/app name; <code>mdfind</code>
combines multiple keywords with a logical AND by default.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>mdfind -name red october</pre>
</div>
</div>
<div class="paragraph">
<p>Will find: <em>Red October.mp4</em>, <em>red octoberfest.jpg</em>, but NOT <em>red.pdf</em> or
<em>October.mp4</em>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_limit_search_to_specific_file_format_s">Limit search to specific file format(s)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>You can use <code>kind:</code><em>file-format</em> to additionally limit results to that file
format. Be aware that the <em>kind</em> term is not always the file extension. The
most popular file formats are listed below.</p>
</div>
<div class="paragraph">
<p>Find files with <em>red</em> in their name, but only among <em>mp4</em>, <em>mov</em>, etc. files:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>mdfind -name red kind:movie</pre>
</div>
</div>
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 25%;">
<col style="width: 25%;">
<col style="width: 25%;">
<col style="width: 25%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>File format</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>kind term</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>File format</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>kind term</strong></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">jpeg/jpg, png, gif, tiff</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">image</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Application</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">app</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">mp3, ogg</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">music</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">mp4, mov, mpeg</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">movie</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Bookmarks</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">bookmark</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Email messages</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">email</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Folders</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">folder</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">MS Word docs (docx, dot)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">word</p></td>
</tr>
</tbody>
</table>
<div class="paragraph">
<p>The other way to look for file extensions is with the <em>kMDItemFSName</em> metadata
value and listing the desired extension after the asterisk.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>mdfind "kMDItemFSName == '*.pdf'"</pre>
</div>
</div>
<div class="paragraph">
<p>But if you also want to look for a specific file name, you will have to pipe the
command above to <em>grep</em> or similar.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_look_up_folder_names">Look up folder names</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Using <code>kind:folder</code> (see the table above) we can search folder names only.</p>
</div>
<div class="paragraph">
<p>Find all folders with <em>documents</em> in their name:</p>
</div>
<div class="paragraph">
<p><code>mdfind -name documents kind:folder</code></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_search_for_an_exact_match">Search for an exact match</h2>
<div class="sectionbody">
<div class="paragraph">
<p>We can do it in two ways.
First, wrap the search term in double quotes and then the whole thing in single quotes:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>mdfind -name '"red carpet"'</pre>
</div>
</div>
<div class="paragraph">
<p>This will match <em>red carpet.txt</em>, but not <em>red 2 carpet.txt</em>.</p>
</div>
<div class="paragraph">
<p>The other way to look for an exact match is with the <code>-literal</code> qualifier, which does not allow any other qualifier though.</p>
</div>
<div class="paragraph">
<p>Find everything having <em>Hat, Red</em> in the name:</p>
</div>
<div class="paragraph">
<p><code>mdfind -literal "kMDItemDisplayName == 'Hat, Red'"</code></p>
</div>
<div class="paragraph">
<p>Here, <strong>kMDItemDisplayName</strong> is a metadata field holding the item name for files/folders/etc. Any additional options will be ignored.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_search_in_specific_folder_s_only">Search in specific folder(s) only</h2>
<div class="sectionbody">
<div class="paragraph">
<p>We can use <strong>-onlyin</strong> option to limit the search:</p>
</div>
<div class="paragraph">
<p><code>mdfind -name red.txt -onlyin ~/Documents</code></p>
</div>
<div class="paragraph">
<p>This will only search in the folder <em>Documents</em> and its subfolders.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_search_by_created_modified_dates">Search by created, modified dates</h2>
<div class="sectionbody">
<div class="admonitionblock important">
<table>
<tr>
<td class="icon">
<div class="title">Important</div>
</td>
<td class="content">
The date format follows your current locale. So, I put dates in the
<em>19/1/2023</em> format, but if your Mac is set to use <em>1/19/2023</em>, use that instead.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>Find file named <em>red</em> and created on 19th of January 2023:</p>
</div>
<div class="paragraph">
<p><code>mdfind -name red AND created:19/1/2023</code></p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
The <em>AND</em> is not strictly required here, but I include it as a reminder.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>Find file named <em>red</em> modified on 19th of January 2023:</p>
</div>
<div class="paragraph">
<p><code>mdfind -name red AND modified:19/1/2023</code></p>
</div>
<div class="paragraph">
<p>The date-related searches also understand ranges.</p>
</div>
<div class="paragraph">
<p>Find files with <em>red</em> in their name modified in the period from the 1st of January
2023, and up to (including) 19th of January 2023:</p>
</div>
<div class="paragraph">
<p><code>mdfind -name red modified:01/01/2023-19/1/2023</code></p>
</div>
<div class="paragraph">
<p>Same, but <em>created</em> in that period:</p>
</div>
<div class="paragraph">
<p><code>mdfind -name red created:01/01/2023-19/1/2023</code></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_find_file_by_their_size">Find file by their size</h2>
<div class="sectionbody">
<div class="paragraph">
<p>We can specify the file size as an additional search term.
This will find files with <em>red</em> in their names AND of size 0 bytes:</p>
</div>
<div class="paragraph">
<p><code>mdfind name:red AND size:0</code></p>
</div>
<div class="paragraph">
<p><code>mdfind name:red AND NOT size:0</code> will find files named <em>red</em> that are NOT 0
bytes in size.</p>
</div>
<div class="paragraph">
<p>We can provide ranges for sizes as well. To find files named <em>red</em> of size
between 10 and 25 bytes:</p>
</div>
<div class="paragraph">
<p><code>mdfind -interpret name:red AND size:\<25 AND size:\>10</code></p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
The '\' escapes '<' and '>' from the shell interpretation.
</td>
</tr>
</table>
</div>
</div>
</div>
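<div class="paragraph">
<p>When <code>mdfind</code> is driven from a script (triage of a user's home folder, a periodic search for oversized files, and so on), the shell-escaping problem from the note above disappears if the command is passed as an argument vector instead of a command string. The helper below is an added example and not part of the original post; it assumes only the qualifiers documented above (<code>-onlyin</code>, <code>-name</code>, <code>-interpret</code>, <code>kind:</code>, <code>created:</code>, <code>modified:</code>, <code>size:</code>), expects date strings already in the Mac's locale format, and only calls the real <code>mdfind</code> when <code>run_mdfind()</code> is invoked on macOS.</p>
</div>

```python
"""Build mdfind invocations from the cheat-sheet syntax, without a shell.

Added example, not part of the original post. It assumes the qualifiers the
post documents and that date strings are already in the Mac's locale format.
"""
import os
import shlex
import subprocess


def build_mdfind_args(name=None, kind=None, onlyin=None, created=None,
                      modified=None, size_gt=None, size_lt=None):
    """Return the argv list for one mdfind call.

    Tokens mirror the shell tokenisation of the post's commands. Size
    comparisons switch to the -interpret form with name:value terms, as in
    "mdfind -interpret name:red AND size:<25 AND size:>10".
    """
    args = ["mdfind"]
    if onlyin:
        # No shell is involved, so expand ~ ourselves.
        args += ["-onlyin", os.path.expanduser(onlyin)]
    terms = []
    if kind:
        terms.append(f"kind:{kind}")
    if created:
        terms.append(f"created:{created}")      # single date or start-end range
    if modified:
        terms.append(f"modified:{modified}")
    if size_gt is not None or size_lt is not None:
        args.append("-interpret")
        if name:
            terms.insert(0, f"name:{name}")
        if size_lt is not None:
            terms.append(f"size:<{size_lt}")
        if size_gt is not None:
            terms.append(f"size:>{size_gt}")
    elif name:
        args += ["-name", name]
    if not terms and "-name" not in args:
        raise ValueError("give at least one search criterion")
    # Explicit AND between query terms (mdfind's default, but clearer).
    for i, term in enumerate(terms):
        if i:
            args.append("AND")
        args.append(term)
    return args


def as_shell_command(args):
    """Render argv as a copy-pasteable line.

    shlex.join quotes the '<' and '>' of size terms so the shell does not read
    them as redirections, which is what the backslashes do in the post's example.
    """
    return shlex.join(args)


def run_mdfind(args):
    """Execute mdfind without a shell and return the matching paths (macOS only)."""
    proc = subprocess.run(args, capture_output=True, text=True, check=True)
    return [line for line in proc.stdout.splitlines() if line]


if __name__ == "__main__":
    argv = build_mdfind_args(name="red", size_gt=10, size_lt=25, onlyin="~/Documents")
    print(as_shell_command(argv))
    print("\n".join(run_mdfind(argv)))
```

<div class="paragraph">
<p>Because <code>subprocess.run</code> receives a list, a file name or keyword containing spaces, quotes or redirection characters reaches <code>mdfind</code> as a single argument and is never interpreted by a shell; <code>as_shell_command()</code> is only for showing the user what would be typed interactively.</p>
</div>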
<div class="sect1">
<h2 id="_disable_spotlight_mdfind_indexing_for_a_specific_volume">Disable Spotlight/mdfind indexing for a specific volume</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p>Spotlight (and thus mdfind) stores its index for each volume in a hidden
directory named <code>.Spotlight-V100</code> at the root of that volume. You can list this directory's contents with
<code>sudo mdutil -L <em>path-to-the-volume</em></code>, e.g.</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>sudo mdutil -L /Volumes/exFAT1Tb
/Volumes/exFAT1Tb/.Spotlight-V100:
drwxrwxrwx 1 99 99 262144 Jun 27 2021 07:46 Store-V2
-rwxrwxrwx 1 99 99 4246 Jun 13 2022 11:09 VolumeConfiguration.plist
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2:
drwxrwxrwx 1 99 99 262144 Jun 27 2021 07:46 B332121F-C8CA-4FF1-924A-67FC321C3FFCC/
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.assisted_import_post:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.assisted_import_pre:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.corespotlight:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.health_check:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.live:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.live_priority:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.live_system:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.live_user:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.migration:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.migration_secondchance:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.repair:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.scan:</pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>To save space or for privacy reasons, you can turn off indexing of a given volume by running
<strong>sudo mdutil -i off /Volumes/<em>volume-name</em></strong>, and even
erase the existing index with <strong>sudo mdutil -E /Volumes/<em>volume-name</em></strong>.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_resources">Resources</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p>For additional cheat sheets, see Github: <a href="https://github.com/yuriskinfo/cheat-sheets" class="bare">https://github.com/yuriskinfo/cheat-sheets</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>tcpdump now shows interface names in its output, finally2023-03-27T17:55:25+00:002023-03-27T17:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2023-03-27:/2023/03/27/tcpdump-shows-interface-names-in-its-output/<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_resources">Resources</a></li>
</ul>
</div>
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>Actually, it is not news: the change came with tcpdump version 4.99,
2 years ago. But most binary distributions still lack this version, so I had to
install it from source even on RHEL 9, the newest release. The steps are
simple:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Download sources: <code>wget <a href="https://www.tcpdump.org/release/tcpdump-4.99.3.tar.gz" class="bare">https://www.tcpdump.org/release/tcpdump-4.99.3.tar.gz</a></code></p>
</li>
<li>
<p>Install, if not already, <code>libpcap</code> headers:
<code>yum install libpcap-devel</code></p>
</li>
<li>
<p>Compile the <code>tcpdump</code> from source:</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>tar -zxvf tcpdump-4.99.3.tar.gz
cd tcpdump-4.99.3/
./configure
make &amp;&amp; make install</pre>
</div>
</div>
<div class="paragraph">
<p><span class="image"><img src="/assets/tcpdump-shows-interface-names.png" alt="tcpdump shows interface names"></span></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_resources">Resources</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p>For additional cheat sheets, see Github: <a href="https://github.com/yuriskinfo/cheat-sheets" class="bare">https://github.com/yuriskinfo/cheat-sheets</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Fortigate VPN SSL Hardening Guide2023-03-21T09:55:25+00:002023-03-21T09:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2023-03-21:/2023/03/21/fortigate-vpn-ssl-hardening-guide/<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_introduction">Introduction</a></li>
<li><a href="#_change_the_default_ssl_vpn_port_10443_443_to_anything_else">Change the default SSL VPN port 10443/443 to anything else</a></li>
<li><a href="#_do_not_use_local_users_for_authentication_and_if_using_keep_passwords_elsewhere_or_and_enable_mfa">Do not use local users for authentication, and if using - keep passwords elsewhere or/and enable MFA</a></li>
<li><a href="#_enable_multi_factor_authentication_for_vpn_users">Enable Multi-Factor Authentication for VPN users</a></li>
<li><a href="#_limit_access_to_vpn_ssl_portal_to_specific_ip_addresses">Limit access to VPN SSL portal to specific IP addresses</a></li>
<li><a href="#_move_vpn_ssl_listening_interface_to_a_loopback_interface">Move VPN SSL listening interface to a Loopback interface</a></li>
<li><a href="#__less_preferred_than_above_limit_access_to_ssl_vpn_portal_in_local_in_policy">(Less preferred than above) Limit access to SSL VPN portal in Local-in Policy</a></li>
<li><a href="#_limit_access_to_portal_by_geoip_location">Limit access to portal by GeoIP location</a></li>
<li><a href="#_block_access_to_from_tor_exit_nodes_and_relays_to_anything">Block access to/from Tor Exit Nodes and Relays to anything</a></li>
<li><a href="#_install_trusted_ca_issued_certificate_but_don_t_issue_let_s_encrypt_certificates_directly_on_the_fortigate">Install trusted CA-issued certificate, but don’t issue Let’s Encrypt certificates directly on the Fortigate</a></li>
<li><a href="#_configure_email_alert_on_each_successful_vpn_ssl_connection">Configure email alert on each successful VPN SSL connection</a></li>
<li><a href="#_prevent_re_using_the_same_user_account_to_connect_in_parallel">Prevent re-using the same user account to connect in parallel</a></li>
<li><a href="#_in_security_rules_allow_access_only_to_specific_destinations_and_services_not_em_all_em">In security rules, allow access only to specific destinations and services, not <em>all</em></a></li>
<li><a href="#_if_not_using_vpn_ssl_disable_it_or_assign_to_a_dummy_interface">If not using VPN SSL, disable it, or assign to a dummy interface</a></li>
<li><a href="#_create_a_no_access_portal_and_set_it_as_default_in_the_vpn_settings">Create a no-access portal and set it as default in the VPN settings</a></li>
<li><a href="#_block_offending_ip_after_em_n_em_failed_attempts">Block offending IP after <em>n</em> failed attempts</a></li>
<li><a href="#_disable_weak_and_outdated_tls_protocols_for_ssl_vpn">Disable weak and outdated TLS protocols for SSL VPN</a></li>
<li><a href="#_consider_switching_from_vpn_ssl_to_vpn_ipsec_for_clients">Consider switching from VPN SSL to VPN IPSec for clients</a></li>
<li><a href="#_consider_moving_vpn_ssl_into_its_own_vdom">Consider moving VPN SSL into its own VDOM</a></li>
<li><a href="#_additional_resources_to_follow">Additional Resources to follow</a></li>
</ul>
</div>
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>Last updated: 19.03.2023, the PDF version of this guide is available on
<a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/fortigate-ssl-vpn-hardening-guide.pdf">Github cheat sheets repository</a>.
Russian translation is here: <a href="https://habr.com/ru/articles/734044/">Fortigate SSL
VPN рекомендации по ужесточению конфигурации</a></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_introduction">Introduction</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This guide is the result of closely following Fortigate VPN SSL vulnerabilities
over the years, actual cases of compromised firewalls, the operational manuals and
reports of multiple gangs (e.g. the <em>Conti manuals</em>), and my 15+ years (and counting)
of experience with Fortigates. By implementing all or some of the measures below you
will make your SSL VPN on the Fortigate substantially harder to break into and thus less
attractive to attackers.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_change_the_default_ssl_vpn_port_10443_443_to_anything_else">Change the default SSL VPN port 10443/443 to anything else</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This security by obscurity actually works. In most cases, the attackers do
not target specific companies but look for low-hanging fruit, and the
easiest way to find it is to scan for well-known ports/services. Both 443 and 10443 are
well-known Fortigate listening ports. It is even easier than scanning: just search
Shodan/Censys for "Fortigate"; currently Shodan has 185K results for port
10443, and Censys 317K. That is what happened with a large VPN
credentials leak 2 years ago
(<a href="https://www.linkedin.com/pulse/50000-vpn-usernames-passwords-from-fortigates-around-we-slobodyanyuk/" class="bare">https://www.linkedin.com/pulse/50000-vpn-usernames-passwords-from-fortigates-around-we-slobodyanyuk/</a>):
all of the affected Fortigates were listening on either port 443 or 10443.</p>
</div>
<div class="paragraph">
<p>The possible downside is that VPN users connecting via WiFi in hotels/cafés
may have all outgoing ports blocked except 443, but with cellular data packages being so
cheap today, it is viable for them to use their phone as a hotspot for VPN
connections and avoid public WiFi altogether.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-fortigate-ssl-vpn-change-port.png" alt="Change default port of SSL VPN daemon">
</div>
</div>
<div class="paragraph">
<p>On the CLI:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>config vpn ssl settings
set port 13123
end</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_do_not_use_local_users_for_authentication_and_if_using_keep_passwords_elsewhere_or_and_enable_mfa">Do not use local users for authentication, and if using - keep passwords elsewhere or/and enable MFA</h2>
<div class="sectionbody">
<div class="paragraph">
<p>In general, keeping all the security information in one box (the Fortigate here) is bad
practice. The mentioned vulnerability CVE-2018-13379 affected only Fortigates
with local VPN users using local authentication. Additionally, with users
authenticated locally on the Fortigate you give up password policies, a
centralized system to expire/change passwords, non-reuse of passwords, etc.
Integrating user authentication with an existing user database
(LDAP/Active Directory/Cloud AD) is a breeze on the Fortigate.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_enable_multi_factor_authentication_for_vpn_users">Enable Multi-Factor Authentication for VPN users</h2>
<div class="sectionbody">
<div class="paragraph">
<p>ANY form of MFA is better than none. Hardware Fortigates come with 2 mobile
application FortiTokens for free. Additionally, you can use SMS as MFA, which will
cost you money, or email, which is completely free.
Email as MFA is neither visible nor enabled by default, so I wrote a short guide
on how to use it:
<a href="https://yurisk.info/2020/03/01/fortigate-enable-e-mail-as-mfa-and-increase-token-validity-time/">enable e-mail as a two-factor authentication for a user and increase token timeout</a></p>
</div>
<div class="paragraph">
<p>And of course, any 3rd-party MFA provider can be used via the RADIUS protocol
(Okta/Azure/Duo/etc.)</p>
</div>
<div class="paragraph">
<p>There is also the option of <em>client</em> PKI certificates as MFA, which is quite secure
but also the most complex of all to set up. Client certificates do not work
together with SAML authentication (Azure/etc.), which is another disadvantage.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_limit_access_to_vpn_ssl_portal_to_specific_ip_addresses">Limit access to VPN SSL portal to specific IP addresses</h2>
<div class="sectionbody">
<div class="paragraph">
<p>If your users happen to have static IP addresses assigned by their ISP, it is an excellent way to
limit exposure of VPN SSL portal.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-fortigate-vpn-ssl-allow-specific-ips.png" alt="Limit access to specific IPs">
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_move_vpn_ssl_listening_interface_to_a_loopback_interface">Move VPN SSL listening interface to a Loopback interface</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This step adds another security control, a Security Rule,
whose benefits are:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>The rule is highly visible, not hidden in the CLI like the Local-in Policy.</p>
</li>
<li>
<p>It will have detailed traffic & security logs.</p>
</li>
<li>
<p>It allows turning SSL VPN access on and off on a time schedule.</p>
</li>
<li>
<p>It allows us to disable SSL VPN access in one click (just disable this security
rule) without deleting anything.</p>
</li>
<li>
<p>It makes it possible to use ISDB address objects (see below on blocking Tor Exit
Nodes).</p>
</li>
<li>
<p>And finally, as SSL VPN is NOT hardware-accelerated on any Fortigate, no matter whether it
listens on a physical or a Loopback interface, there is no reason to avoid the Loopback here.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>To set it up:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Create a Loopback interface (here <em>Loop33</em> with IP of <em>13.13.13.13</em>, not shown)</p>
</li>
<li>
<p>Enable VPN SSL on this Loopback in VPN SSL Settings:</p>
</li>
</ul>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-fortigate-ssl-vpn-loopback-vpn-setings.png" alt="Use Loopback interface in the VPN Settings">
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Allow access to the Loopback on the listening port from the Internet. I use <em>all</em> as the
source (rule id <em>2</em>)
here, but see the other recommendations on limiting the source IP for finer control:</p>
</li>
</ul>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-fortigate-ssl-vpn-loopback-security-rule.png" alt="Security rule to allow traffic to Loopback">
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="__less_preferred_than_above_limit_access_to_ssl_vpn_portal_in_local_in_policy">(Less preferred than above) Limit access to SSL VPN portal in Local-in Policy</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The idea here is that, unlike limits in the VPN SSL Settings, limits in the
Local-in Policy apply before any traffic reaches the VPN SSL daemon. Starting with
FortiOS 7.2 we can also use GeoIP objects and external feeds in Local-in Policies (I
haven’t seen much benefit in the feeds though). As I mentioned above, due to the CLI-only
nature of the Local-in Policy, using a Loopback for SSL VPN connections is more
manageable. But the Local-in policy can do the job as well; see some
examples of using it here:
<a href="https://yurisk.info/2022/07/04/fortigate-local-in-policy-configuration-examples-for-vpn-ipsec-vpn-ssl-bgp-and-more/">Fortigate Local-in policy configuration examples for VPN IPSec, VPN SSL, BGP and more</a> and <a href="https://yurisk.info/2020/06/07/fortigate-local-in-policy/">Fortigate Local in Policy what it does and how to change/configure it</a></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_limit_access_to_portal_by_geoip_location">Limit access to portal by GeoIP location</h2>
<div class="sectionbody">
<div class="paragraph">
<p>When your users are located in a specific country or countries, it is advisable to at
least limit access to the VPN to those countries. E.g. for users coming from
Israel:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Create an address of type <em>Geography</em>:</p>
</li>
</ul>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-fortigate-ssl-vpn-geography.png" alt="Geo object">
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Use it in VPN SSL Settings:</p>
</li>
</ul>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-fortigate-ssl-vpn-geoip-vpn-settings.png" alt="Use Geo object in VPN Settings">
</div>
</div>
<div class="paragraph">
<p>The option to use Geo objects in the VPN SSL Settings appeared only in newer FortiOS versions, so if you have an older
version, moving SSL VPN to a Loopback interface (and filtering in the security rule) will give you this option.</p>
</div>
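<div class="paragraph">
<p>The same country restriction on the CLI, as an added example that is my own and not the article’s configuration. The Geography address object is used twice: in the VPN SSL Settings, as in the screenshots above, and, for FortiOS 7.2 and later, in a Local-in Policy as described in the previous section. The interface name <code>wan1</code>, the object names <code>Geo-Israel</code> and <code>SSLVPN-13123</code>, and port 13123 (the port the article’s curl check connects to) are assumptions; adjust them to your setup.</p>
</div>

```text
# Added example (not the article's own config). Names wan1, Geo-Israel,
# SSLVPN-13123 and port 13123 are assumptions for illustration only.

# 1) Geography address object: all FortiGuard GeoIP ranges for Israel (ISO code IL)
config firewall address
    edit "Geo-Israel"
        set type geography
        set country "IL"
    next
end

# 2a) Use it in VPN SSL Settings: only sources matching Geo-Israel reach the portal
config vpn ssl settings
    set source-address "Geo-Israel"
    set source-address-negate disable
end

# 2b) FortiOS 7.2+: the same limit as a Local-in Policy, enforced before the
#     SSL VPN daemon ever sees the packet. Local-in policies are evaluated
#     top-down: allow the VPN port from the allowed country, then deny it
#     from everyone else.
config firewall service custom
    edit "SSLVPN-13123"
        set tcp-portrange 13123
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Geo-Israel"
        set dstaddr "all"
        set service "SSLVPN-13123"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSLVPN-13123"
        set schedule "always"
        set action deny
    next
end
```

<div class="paragraph">
<p>Either variant alone is enough; having both only costs a second place to maintain. Before applying the deny policy, make sure your own management/testing sources fall inside the allowed Geography object, otherwise you lock yourself out of the portal as well.</p>
</div>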
</div>
</div>
<div class="sect1">
<h2 id="_block_access_to_from_tor_exit_nodes_and_relays_to_anything">Block access to/from Tor Exit Nodes and Relays to anything</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Attackers using Tor are pretty much untraceable, which motivates them to
brute-force from the Tor network a lot. Again, this is possible to implement only when your SSL VPN is listening on the Loopback
interface: neither VPN Settings nor Local-in Policy accept ISDB addresses so
far. Just use the ISDB objects for Tor Exit Nodes, Tor Relays and VPN
Anonymizers in a security rule placed above the VPN SSL rule to block them.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-fortigate-ssl-vpn-tor-exit-nodes.png" alt="Find Tor exit nodes">
</div>
</div>
<div class="paragraph">
<p>Security Rule to block access from Tor to the Loopback interface where SSL VPN
is listening:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-fortigate-ssl-vpn-block-tor-to-loopback.png" alt="Use Tor ISDB in a rule">
</div>
</div>
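<div class="paragraph">
<p>The blocking rule from the screenshot on the CLI, as an added example that is not the article’s own configuration. It assumes the SSL VPN listens on the Loopback interface <code>Loop1</code> (the name the article uses in its later CLI snippets), that the Internet-facing interface is <code>wan1</code>, and that the existing rule allowing SSL VPN traffic to <code>Loop1</code> has policy ID 10. The ISDB object names <code>Tor-Exit.Node</code> and <code>Tor-Relay.Node</code> should be checked against the list under Policy &amp; Objects &gt; Internet Service Database on your FortiOS version, where the VPN anonymizer entry the article mentions is found as well.</p>
</div>

```text
# Added example (not the article's own config). Assumptions: wan1 = Internet
# interface, Loop1 = loopback where SSL VPN listens, policy 10 = the existing
# rule allowing SSL VPN to Loop1; ISDB names as listed in your FortiOS version.
config firewall policy
    edit 0
        set name "Deny-Tor-to-SSLVPN"
        set srcintf "wan1"
        set dstintf "Loop1"
        # The source is taken from the Internet Service Database instead of srcaddr
        set internet-service-src enable
        set internet-service-src-name "Tor-Exit.Node" "Tor-Relay.Node"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
        # Log the denies: hits on this rule are useful brute-force telemetry
        set logtraffic all
    next
end
# "edit 0" creates the rule with the next free ID (shown when you save).
# The deny rule must sit ABOVE the rule that allows SSL VPN to the loopback:
config firewall policy
    move <new-id> before 10
end
```

<div class="paragraph">
<p>Replace <code>&lt;new-id&gt;</code> with the ID the CLI printed on save. Because ISDB objects are updated with the FortiGuard feed, the rule keeps up with the Tor network without any address lists to maintain on your side.</p>
</div>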
</div>
</div>
<div class="sect1">
<h2 id="_install_trusted_ca_issued_certificate_but_don_t_issue_let_s_encrypt_certificates_directly_on_the_fortigate">Install trusted CA-issued certificate, but don’t issue Let’s Encrypt certificates directly on the Fortigate</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Users, and people in general, are suspicious of anything strange, new or unknown. If
they get used to a valid TLS certificate from a trusted CA on each
login into VPN SSL, they will immediately notice the browser error when being
exposed to a man-in-the-middle attack. Users are your friends: just teach them
good habits and they will be your allies.</p>
</div>
<div class="paragraph">
<p><em>Let’s Encrypt</em> certificates: yes, they are free and trusted. But issuing them
directly on the Fortigate has two disadvantages:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>It enables the <em>ACME</em> protocol daemon to listen on port 80, and the port HAS to be open
from ANY for auto-renewal to work; exposing any additional daemon to the
Internet is a bad idea. To be exact, port 80 needs to be open only for the
period of issuing/renewing the certificate. So, if you want to, you may allow
incoming port 80 from any when requesting the certificate, then close the port until
it is time to renew it. But then it is no different from manually requesting and
importing the certificate.</p>
</li>
<li>
<p>It does not support requesting <em>wildcard</em> certificates, only a certificate for a specific
subdomain. And this has an additional downside: your VPN subdomain gets logged
publicly on the Internet (in the Certificate Transparency logs) for everyone to see. Just search here
<a href="https://crt.sh/?q=yurisk.com" class="bare">https://crt.sh/?q=yurisk.com</a></p>
</li>
</ol>
</div>
<div class="paragraph">
<p>I do use Let’s Encrypt certificates, but on a separate
Linux server, from which I export and then manually import the certificates into the
Fortigate.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_configure_email_alert_on_each_successful_vpn_ssl_connection">Configure email alert on each successful VPN SSL connection</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Why on successful and not on failed? Real-life experience shows that
after the <em>nth</em> alert on a failed login in a day, people stop looking at them
at all. And in my opinion, a successful login is more important than a
failed one.
I am working on a collection of automation stitches that will also include this
email alert; follow me for updates on this.</p>
</div>
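<div class="paragraph">
<p>One way to build this alert as an automation stitch, added here as my own example and not part of the author’s forthcoming collection. It assumes FortiOS 7.0 or later stitch syntax (the <code>config actions</code> sub-table), an already working <code>config system email-server</code>, and a placeholder recipient address. Event log ID 39424 is the SSL VPN tunnel-up event, so only completed tunnel-mode logins raise an email, never the failed attempts; web-mode logins have their own log ID and would need a second trigger.</p>
</div>

```text
# Added example (not from the article). Assumes FortiOS 7.0+ syntax, a working
# "config system email-server", and recipient soc@example.com (placeholder).

# Trigger: event log 39424 = SSL VPN tunnel up (a successful tunnel-mode login)
config system automation-trigger
    edit "SSLVPN-Tunnel-Up"
        set event-type event-log
        set logid 39424
    next
end

# Action: one email per event; %%log.<field>%% expands fields of the matching log
config system automation-action
    edit "Email-SSLVPN-Login"
        set action-type email
        set email-to "soc@example.com"
        set email-subject "SSL VPN login: %%log.user%% from %%log.remip%%"
        set message "User %%log.user%% connected to SSL VPN from %%log.remip%% (tunnel IP %%log.tunnelip%%) on %%log.devname%%"
    next
end

# Stitch: tie the trigger to the action
config system automation-stitch
    edit "Alert-SSLVPN-Login"
        set trigger "SSLVPN-Tunnel-Up"
        config actions
            edit 1
                set action "Email-SSLVPN-Login"
                set required enable
            next
        end
    next
end
```

<div class="paragraph">
<p>On FortiOS 6.4 and earlier the stitch has no <code>actions</code> sub-table; there you reference the action directly with <code>set action "Email-SSLVPN-Login"</code> under the stitch. Test by logging in once with Forticlient and checking under Security Fabric &gt; Automation that the stitch shows a recent trigger.</p>
</div>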
</div>
</div>
<div class="sect1">
<h2 id="_prevent_re_using_the_same_user_account_to_connect_in_parallel">Prevent re-using the same user account to connect in parallel</h2>
<div class="sectionbody">
<div class="paragraph">
<p>By default, you can connect with the same VPN user from different locations at
the same time. To somewhat improve on this, disable simultaneous logins for
users. This way, the connected user will be disconnected when someone else logs
in with his/her credentials, which would alert the user that something fishy is
going on. You set this feature per Portal.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-fortigate-ssl-vpn-limit-logins-per-user.png" alt="Limit login per user">
</div>
</div>
<div class="paragraph">
<p>On CLI:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>config vpn ssl web portal
edit "full-access"
set limit-user-logins enable
end</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_in_security_rules_allow_access_only_to_specific_destinations_and_services_not_em_all_em">In security rules, allow access only to specific destinations and services, not <em>all</em></h2>
<div class="sectionbody">
<div class="paragraph">
<p>I see it many times: to save a few clicks, admins put <em>all</em>/the whole LAN in the <em>Destination</em> column
of the SSL VPN security rule, instead of specific host(s) with
specific services. If attackers get hold of a VPN connection to the Fortigate,
they will mass-scan the internal LAN for AD Domain Controllers and SMB shares and
enumerate all hosts. None of this will happen if you harden the VPN Remote
Access rules to specific services and hosts.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-fortigate-ssl-rule-to-specific-services.png" alt="Limit rules to specific services">
</div>
</div>
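<div class="paragraph">
<p>What the difference looks like on the CLI, as an added example that is not the article’s configuration: the first rule is the over-permissive one admins tend to create, the second restricts the same VPN users to two servers and the services they actually need. The LAN interface <code>port2</code>, the address objects <code>DC01</code> and <code>FS01</code>, the user group <code>VPN-Users</code> and the rule ID are assumptions; <code>SSLVPN_TUNNEL_ADDR1</code> is the default SSL VPN client address range object.</p>
</div>

```text
# Added example (not the article's config). Assumptions: port2 = LAN interface,
# DC01/FS01 = address objects for the two servers, VPN-Users = user group.

# BEFORE: destination "all", service "ALL". A stolen VPN session can reach,
# and scan, every host on the LAN.
config firewall policy
    edit 20
        set name "SSLVPN-to-LAN-too-wide"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "VPN-Users"
        set schedule "always"
        set service "ALL"
        set action accept
        set nat disable
    next
end

# AFTER: only the hosts and ports the users need. Everything else is dropped
# by the implicit deny, and the rule is logged so that unexpected destinations
# or services show up in the traffic logs.
config firewall policy
    edit 20
        set name "SSLVPN-to-specific-hosts"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "DC01" "FS01"
        set groups "VPN-Users"
        set schedule "always"
        set service "RDP" "SMB"
        set action accept
        set nat disable
        set logtraffic all
    next
end
```

<div class="paragraph">
<p>If different user groups need different hosts, create one rule per group with its own destination and service set rather than widening a single rule; the per-group rules are also what makes the “no-access” default portal described later meaningful.</p>
</div>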
</div>
</div>
<div class="sect1">
<h2 id="_if_not_using_vpn_ssl_disable_it_or_assign_to_a_dummy_interface">If not using VPN SSL, disable it, or assign to a dummy interface</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The VPN SSL setting is <strong>on</strong> by default, which is OK: as long as no
listening interface is assigned to it and no security rules using <code>ssl.root</code>
exist, the service will NOT actually listen. On some FortiOS versions you have
to do this on the CLI. If you want to temporarily disable SSL VPN without deleting
anything, you can, besides clicking on <em>Disable</em>, assign it a Loopback
interface which you also put in a <em>Down</em> state.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-fortigate-ssl-vpn-assign-loopback-which-is-disabled.png" alt="Use disabled Loopback">
</div>
</div>
<div class="paragraph">
<p>On CLI:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>config vpn ssl settings
set status disable
set source-interface Loop1
end</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_create_a_no_access_portal_and_set_it_as_default_in_the_vpn_settings">Create a no-access portal and set it as default in the VPN settings</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Once you have VPN SSL enabled, you <strong>have</strong> to specify the default portal,
to which all users not mapped to any portal will be assigned. To prevent unintended
users/groups from connecting via this default portal, create a portal that disables all
access inside it and then set it as the default.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Create a portal with no actual access:</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config vpn ssl web portal
edit DefaultNoAccess
set tunnel-mode disable
set web-mode disable
set ipv6-tunnel-mode disable
next
end</pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Make it the default portal:</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config vpn ssl settings
set default-portal DefaultNoAccess
end</pre>
</div>
</div>
<div class="admonitionblock important">
<table>
<tr>
<td class="icon">
<div class="title">Important</div>
</td>
<td class="content">
Make sure you have the relevant users/groups mapped to other, working portals, before doing this.
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_block_offending_ip_after_em_n_em_failed_attempts">Block offending IP after <em>n</em> failed attempts</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This slows down brute-force and scanning attacks on VPN SSL. The feature is on
by default, but the block duration is just 60 seconds. You will want to
tune it to your environment and users. I usually set the number of failed login
attempts to 3, then block the offender for 10 minutes. In many cases this was
enough for opportunistic attackers to give up and move on to another target.</p>
</div>
<div class="paragraph">
<p>This can be configured in CLI:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>config vpn ssl settings
set login-attempt-limit 3
set login-block-time 600
end</pre>
</div>
</div>
<div class="paragraph">
<p>Here I block the IP for 10 minutes after 3 unsuccessful authentication attempts.
The maximum duration of blocking is 86400 seconds, or 24 hours.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_disable_weak_and_outdated_tls_protocols_for_ssl_vpn">Disable weak and outdated TLS protocols for SSL VPN</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Even with newer FortiOS versions, VPN SSL by default still accepts TLS 1.1, an
outdated protocol version that is recommended against everywhere. You can
set SSL VPN to use only TLS 1.2 and 1.3 (on CLI only) with this command (I
thought of recommending to leave just TLS 1.3, but Forticlient is currently having
problems using it on Windows 10 and 11, so not for now):</p>
</div>
<div class="listingblock">
<div class="content">
<pre>config vpn ssl settings
set ssl-min-proto-ver tls1-2
end</pre>
</div>
</div>
<div class="paragraph">
<p>And make sure it worked:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>curl -v https://vpn.yurisk.com:13123 --tlsv1.1 -o /dev/null
* Connected to vpn.yurisk.com (52.58.153.81) port 13123 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
} [140 bytes data]
* TLSv1.1 (IN), TLS alert, Server hello (2):
{ [2 bytes data]
* error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
* stopped the pause stream!
* Closing connection 0
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version</pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
This will prevent older browsers/Forticlients from connecting, but we are talking
about <em>very</em> old versions, like Internet Explorer 11 or Chrome version 50
(the current one is 110). So it should not be a problem.
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_consider_switching_from_vpn_ssl_to_vpn_ipsec_for_clients">Consider switching from VPN SSL to VPN IPSec for clients</h2>
<div class="sectionbody">
<div class="paragraph">
<p>A bit drastic, but in all those years of VPN SSL vulnerabilities, I
can remember no single critical CVE for the IPSec daemon in the Fortigate. Yes, it is more
involved to configure, but it may well be worth the effort. On the
client side you use the same Forticlient.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_consider_moving_vpn_ssl_into_its_own_vdom">Consider moving VPN SSL into its own VDOM</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This is a measure against the worst-case scenario: a remotely exploitable 0-day
in the SSL VPN daemon, and attackers break into your Fortigate. In this
scenario the attackers will most probably create their own admin users for
persistence, set up VPN remote access with rules permitting <em>Any</em> to the
internal LAN, and, if not trying to hide, delete your admin user to
block your access to the Fortigate. If this happens on the Fortigate to which all
your DMZ/LAN/Storage/Backup networks are connected, the game is over. But if
the same happens to an Internet-facing VDOM that holds only the SSL VPN config and
rules, the maximum they will get access to is whatever you explicitly allowed
in the rules between VDOMs. And if you implemented specific rules allowing specific
protocols to specific hosts, that would not be much of a gain for the attackers.
All Fortigate models except the smallest ones have hardware acceleration on
their inter-VDOM links, so performance-wise you lose nothing either.
And price-wise, every Fortigate (even the smallest 40F) includes 10 VDOMs for free.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_additional_resources_to_follow">Additional Resources to follow</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://www.fortiguard.com/psirt" class="bare">https://www.fortiguard.com/psirt</a> Fortinet announcements on new vulnerabilities.</p>
</li>
<li>
<p><a href="https://t.me/fortichat" class="bare">https://t.me/fortichat</a> Fortinet-related Telegram group with experts (Russian language)</p>
</li>
<li>
<p>For Fortigate CLI cheat sheets, see Github: <a href="https://github.com/yuriskinfo/cheat-sheets" class="bare">https://github.com/yuriskinfo/cheat-sheets</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Fortigate end of support and end of life explained2023-01-03T09:55:25+00:002023-01-03T09:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2023-01-03:/2023/01/03/fortigate-end-of-support-end-of-life-cycle/<div id="preamble">
<div class="sectionbody">
<div class="imageblock">
<div class="content">
<img src="/assets/x-fortigate-end-of-support-life-cycle.svg" alt="Fortigate end of support and end of life life cycle">
</div>
</div>
<div class="paragraph">
<p>When buying or renewing Fortigate firewalls it is important to take into account
the Support/Updates life cycle. Fortinet uses a few terms in this regard that we need to
understand.</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">End of Order Date</dt>
<dd>
<p>The last date we can buy a particular model of the
Fortigate. Those dates are individual for each model and are announced on an
ongoing basis. The source of truth for all models is the page
<a href="https://support.fortinet.com/Information/ProductLifeCycle.aspx" class="bare">https://support.fortinet.com/Information/ProductLifeCycle.aspx</a>, which is
updated periodically. The page requires FortiCloud registration, but is free and
available to everyone. This date is the starting point for all the other date
calculations.</p>
</dd>
<dt class="hdlist1">End of Support (EOS)</dt>
<dd>
<p>The last date in the Fortigate model life cycle. There will be
no hardware or software support for this model beyond this date. The usual
practice is to have EOS <strong>60</strong> months (<strong>5</strong> years) after the <em>End of Order</em> date.
After this date neither hardware nor software support is provided; even critical vulnerabilities in FortiOS (software)
will not be fixed.</p>
</dd>
<dt class="hdlist1">Last Service Extension Date (LSED)</dt>
<dd>
<p>The last date we can extend
support/subscription services for a model which is not sold anymore. This
date will be at the latest 12 months before the <em>End of Support</em> date.</p>
</dd>
<dt class="hdlist1">End of Engineering Support Date (EOES)</dt>
<dd>
<p>This is for firmware (FortiOS) only:
after this date, only critical security patches and updates will be issued for a
given version of FortiOS, until the <em>End of Support</em> for that FortiOS version. Regular bugs will not be fixed or reported.
Currently, it is <strong>36</strong> months (<strong>3</strong> years) starting from the date of the first release of a
given FortiOS version.</p>
</dd>
</dl>
</div>
<div class="paragraph">
<p>Now let’s look at examples. <em>Fortigate 100E</em>: End of Order is August 17th,
2021, Last Service Extension Date is August 17th, 2025, and End of Support
is August 17th, 2026. This means we cannot (in 2023) order this model
as new anymore, we can extend subscription services like AV/IPS/etc. till
August 17th, 2025, and after August 17th, 2026 we cannot open
support/RMA tickets or get new patches/software for this Fortigate. On the
FortiOS level, the release notes for FortiOS 7.2.3 list the Fortigate 100E as
supported, so we can safely assume that until the End of Engineering Support for
this version (7.2.x), set at March 31st, 2025, we will have
updated versions fixing bugs and security vulnerabilities available as well.
After that date we can hope Fortinet will issue patches for critical
vulnerabilities in 7.2.x, but no regular bugs will be fixed.
After the End of Support date for 7.2, which is September 30th, 2026,
and given that the hardware model is
supported until August 17th, 2026, there will be no new
releases of any FortiOS for this Fortigate 100E.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-fortigate-lifecycle-page1.png" alt="Fortinet page for life cycle for all models">
</div>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/x-fortigate-lifecycle-page2.png" alt="Screenshot of the life cycle page">
</div>
</div>
<div class="admonitionblock important">
<table>
<tr>
<td class="icon">
<div class="title">Important</div>
</td>
<td class="content">
Life cycles of Fortigate hardware models and FortiOS firmware versions
are <strong>unrelated</strong>. Fortinet drops support for new FortiOS releases on
smaller models first.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>Let’s look at the <em>Fortigate 30E</em>, which was released in <strong>2015</strong>. The End of Order is
March 31st, 2022, End of Service Extension is March 31st, 2026, and the End of
Support is March 31st, 2027. The logic is the same as for the Fortigate 100E,
but the latest FortiOS version available for this model is the 6.2.x train, and
there will be no 6.4/7.0/7.2/etc. versions for it. End of Engineering Support
for 6.2 happened on March 28th, 2022, which means that even though we have model
support up to 2027, Fortinet will not release new features or fix regular bugs
for the 6.2 versions. Moreover, critical vulnerabilities will be fixed only
until September 28th, 2023. So we may potentially have a supported hardware
model until 2027, but one whose FortiOS version has/will have critical vulnerabilities
unfixed for 4 years. Be aware of this in your calculations.</p>
</div>
<div class="paragraph">
<p>N.B. It is not all black or white: for the recent critical heap-based
buffer overflow Fortinet did create a fix even for the beyond-End-of-Support
version 6.0 (6.0.16), but this is not guaranteed or even promised.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_resources">Resources</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://github.com/yuriskinfo/cheat-sheets">Complete Fortigate debug commands cheat sheet</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Fortigate subscription expired, list of features that will continue to work2022-12-22T11:35:25+00:002022-12-22T11:35:25+00:00Yuri Slobodyanyuktag:yurisk.info,2022-12-22:/2022/12/22/fortigate-subscription-expired-list-of-features-that-will-work/<div id="preamble">
<div class="sectionbody">
<div class="imageblock">
<div class="content">
<img src="/assets/fortigate-forticare-expired-smaller.png" alt="Forticare expired subscription">
</div>
</div>
<div class="paragraph">
<p>When the subscription for FortiGuard-based services expires, many things will stop
working, but a lot will still continue to work. Below is the full list of features
in Fortigate that will <strong>continue working</strong> after the subscription expires. It
also means these features work even if your Fortigate has never had a
subscription in the first place.</p>
</div>
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<div class="title">Warning</div>
</td>
<td class="content">
VM Fortigate has a license check, which is unrelated to the FortiGuard
subscription. This license check requires non-stop online communication with
the FortiGuard servers. The VM Fortigate will stop working completely if it
cannot reach the FortiGuard servers for a long time (30 days usually), unless using
a special offline license (most clients don’t).
</td>
</tr>
</table>
</div>
<div class="ulist">
<ul>
<li>
<p>Security rules. The Fortigate will continue filtering
traffic according to the Security Rulebase.</p>
</li>
<li>
<p>All kinds of NAT: SNAT, DNAT, VIP, dynamic pools, etc.</p>
</li>
<li>
<p>VPN: all types, IPSec site-to-site, Remote Access as SSL VPN in web mode and full tunnel with
Forticlient, and as IPSec client.</p>
</li>
<li>
<p>IPS with the signatures last updated before the subscription expired. That is,
IPS will continue working, but new signatures will not be downloaded.</p>
</li>
<li>
<p>AppControl using the signatures last updated before the subscription expired.</p>
</li>
<li>
<p>Web/URL Filtering using <strong>static</strong> allow/block lists. Without a subscription
the firewall cannot query FortiGuard for URL web ratings, so Web filtering using
FortiGuard-assigned categories will <strong>not</strong> work. But if you use static
block/allow URL lists, they will work. Blocking ActiveX controls will work
too.</p>
</li>
<li>
<p>All types of interfaces: physical, VLANs, Virtual Wire, Loopbacks, LAGs,
redundant, Zones.</p>
</li>
<li>
<p>Security rule modes: proxy and flow. All proxy modes will work: Explicit and Transparent.</p>
</li>
<li>
<p>SSL/SSH inspection - certificate and deep packet inspection.</p>
</li>
<li>
<p>Applying UTM in both Policy-based and Profile-based modes.</p>
</li>
<li>
<p>VDOMs.</p>
</li>
<li>
<p>High Availability (HA).</p>
</li>
<li>
<p>QOS.</p>
</li>
<li>
<p>SD-WAN feature, including AppControl integration (but see above about
Application Control signature updates).</p>
</li>
<li>
<p>WAF with the signatures last updated before the subscription expired.</p>
</li>
<li>
<p>VIP of load balancing type.</p>
</li>
<li>
<p>DoS/DDoS protection rules.</p>
</li>
<li>
<p>Device inventory.</p>
</li>
<li>
<p>Access Point controller.</p>
</li>
<li>
<p>FortiSwitch management.</p>
</li>
<li>
<p>All types of logging, Netflow/sFlow export.</p>
</li>
<li>
<p>GRE and VXLAN traffic encapsulation.</p>
</li>
<li>
<p>VRFs, if supported by FortiOS version.</p>
</li>
<li>
<p>One-arm sniffer.</p>
</li>
<li>
<p>Static, all dynamic protocols, and Policy Based routing.</p>
</li>
<li>
<p>All types of authentication: local, LDAP, Radius, Tacacs, SAML, MFA.</p>
</li>
<li>
<p>SNMP.</p>
</li>
<li>
<p>DHCP server.</p>
</li>
<li>
<p>Internet Service Database (ISDB).</p>
</li>
<li>
<p>External Threat Feeds.</p>
</li>
<li>
<p>VOIP protections and profiles.</p>
</li>
<li>
<p>Configuration version revisions.</p>
</li>
<li>
<p>DLP.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_additional_resources">Additional Resources</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://yurisk.info/2021/02/21/failed-to-connect-to-fortiguard-servers-updated/">Failed to connect to Fortiguard servers verification and debug</a></p>
</li>
<li>
<p><a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc">License and other service debug cheat sheet on Github</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Fortigate buying used pre-owned firewall most frequently asked questions2022-12-19T15:55:25+00:002022-12-19T15:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2022-12-19:/2022/12/19/fortigate-buy-used-most-frequently-asked-questions/<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_introduction">Introduction</a></li>
<li><a href="#_is_it_worth_buying_hardware_fortigate_vs_free_vm_evaluation_one">Is it worth buying hardware Fortigate vs free VM evaluation one?</a></li>
<li><a href="#_can_i_get_a_demo_fortigate_appliance">Can I get a demo Fortigate appliance?</a></li>
<li><a href="#_can_i_buy_a_used_fortigate_from_fortinet">Can I buy a used Fortigate from Fortinet?</a></li>
<li><a href="#_is_it_ok_legal_from_the_fortinet_standpoint_to_buy_the_firewall_on_the_secondary_market">Is it OK/legal from the Fortinet standpoint to buy the firewall on the secondary market?</a></li>
<li><a href="#_will_i_need_a_license_for_my_fortigate_to_work">Will I need a license for my Fortigate to work?</a></li>
<li><a href="#_should_i_transfer_the_purchased_fortigate_to_my_account_in_fortinet">Should I transfer the purchased Fortigate to my account in Fortinet?</a></li>
<li><a href="#_how_do_i_transfer_fortigate_to_my_account_in_the_fortinet_portal">How do I transfer Fortigate to my account in the Fortinet portal?</a></li>
<li><a href="#_hidden_cost_of_renewing_an_existing_subscription">Hidden cost of renewing an existing subscription</a></li>
<li><a href="#_should_i_wipe_the_firewall_could_it_be_back_doored">Should I wipe the firewall, could it be back-doored?</a></li>
<li><a href="#_do_i_need_to_buy_additional_hardware">Do I need to buy additional hardware?</a></li>
<li><a href="#_what_model_should_i_buy">What model should I buy?</a></li>
<li><a href="#_seller_sold_me_a_firewall_without_an_admin_password_what_can_i_do">Seller sold me a firewall without an admin password, what can I do?</a></li>
<li><a href="#_where_do_i_get_up_to_date_firmware_for_my_firewall">Where do I get up-to-date firmware for my firewall?</a></li>
</ul>
</div>
<div class="sect1">
<h2 id="_introduction">Introduction</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Buying a used/pre-owned Fortigate is often the best way to learn to work with the
firewall. Offers are plenty, just hit the search on eBay. But, there is always a
but, purchasing a pre-owned Fortigate is not like ordering a used MacBook: many
questions will arise, and not many of them have answers in official docs. In this
article I compiled the most frequent/important of them. Disclaimer: I do not
work for Fortinet and this is not an official guide in any way, so do your due
diligence.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_is_it_worth_buying_hardware_fortigate_vs_free_vm_evaluation_one">Is it worth buying hardware Fortigate vs free VM evaluation one?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>I’d say free VM is enough if you start learning from zero. As you progress you
will hit the VM evaluation limitations. I list those limits here
<a href="https://yurisk.info/2021/02/28/fortigate-vm-evaluation-license-15-days-limitations/">Fortigate VM Evaluation License 15 Days Limitations</a> and here
<a href="https://yurisk.info/2022/08/08/Fortigate-free-VM-Evaluation-License-is-now-permanent-not-15-days/">Fortigate free VM Evaluation License is now permanent, not limited to 15 days, here is how to get it.</a></p>
</div>
<div class="paragraph">
<p>The appliance Fortigate, on the other hand, has <strong>none</strong> of these limitations,
even without active subscription. Want to do Deep SSL Inspection? No problem.
Trying to configure VPN SSL for Forticlient? Sure.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_can_i_get_a_demo_fortigate_appliance">Can I get a demo Fortigate appliance?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>As an individual, no. Fortinet has Not For Resale (NFR) Fortigate appliances
that are fully functional, but you can only get them as a Partner and even then
with much effort. If, on the other hand, all you want is to see how the Fortigate
GUI looks and feels without doing anything, you can go to
<a href="https://fortigate.fortidemo.com" class="bare">https://fortigate.fortidemo.com</a> with the
user/pass <em>demo</em>/<em>demo</em> and log in to a real Fortigate (2000E as of this writing)
as a read-only admin.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_can_i_buy_a_used_fortigate_from_fortinet">Can I buy a used Fortigate from Fortinet?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>No, you can’t. Fortinet’s policy is to sell their products as new via registered
partners/resellers only, and they have no incentive to supply clients with second-hand
Fortigates.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_is_it_ok_legal_from_the_fortinet_standpoint_to_buy_the_firewall_on_the_secondary_market">Is it OK/legal from the Fortinet standpoint to buy the firewall on the secondary market?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Fortinet have no problems with this, so it is OK with them, provided you
acquired the firewall in legitimate ways.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_will_i_need_a_license_for_my_fortigate_to_work">Will I need a license for my Fortigate to work?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>No, but read on. There is no such thing as an "unlicensed"
hardware/appliance firewall. Licensing, or more exactly a <strong>subscription</strong>, is needed for some
services, but many core features, like VPN (IPsec and VPN SSL), Security Rules,
QoS, static and dynamic (OSPF, BGP, etc.) routing, VLANs, and such, work out
of the box. Even if you hard-reset your Fortigate, or go further and format its
hard disk erasing everything, the core features will work just fine.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_should_i_transfer_the_purchased_fortigate_to_my_account_in_fortinet">Should I transfer the purchased Fortigate to my account in Fortinet?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>It depends. When you buy a <strong>new</strong> Fortigate from a Fortinet partner, you can
optionally (and most usually do) buy services like hardware warranty, Technical
Support, and subscriptions for FortiGuard Web Filtering/IPS/AV/etc. services as well. All those additional
services are linked to an account in the Fortinet portal. It can be the
partner’s account, or the account of the end client who purchased the firewall and then
transferred it to their own account. If you want to use/renew/buy those services for
your Fortigate, then yes - you need your Fortigate (its serial number) to be
under your account in the Fortinet portal.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_how_do_i_transfer_fortigate_to_my_account_in_the_fortinet_portal">How do I transfer Fortigate to my account in the Fortinet portal?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>You open a ticket with Customer Service at support.fortinet.com, or send the
request for asset transfer to <code>cs@fortinet.com</code>. Next, Fortinet will send an
email to the <strong>current/registered</strong> owner of this Fortigate, asking if they
approve the transfer to your account. Here comes the pitfall - if the owners (as
per Fortinet records) of this used firewall do not confirm/reply to this
request, you may be denied the transfer or (more probably) asked for proof of
purchase and ownership of the appliance (a photo of the admin GUI with the
serial number clearly visible). If Fortinet cannot verify that you lawfully
purchased your unit from an official partner/owner, you may be denied the transfer
of ownership. This does not stop the Fortigate from working, but subscription-based
services will be unavailable to it.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_hidden_cost_of_renewing_an_existing_subscription">Hidden cost of renewing an existing subscription</h2>
<div class="sectionbody">
<div class="paragraph">
<p>If there is a time gap between the date
of subscription expiration and your order to renew it, you pay one time for this
gap as well. That is, say you bought a Fortigate with a subscription bundle
that expired 3 months ago and you want to renew this bundle - Fortinet will bill this
3 month gap as well. And so forth, up to 6 months back. Also worth noting is that to
be able to buy/renew a subscription for a Fortigate, it has to be still supported
and active. You cannot buy, for example, a subscription for a Fortigate 110C. To see
the end of life status for a Fortigate, search for <em>Fortinet Product Life Cycle</em>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_should_i_wipe_the_firewall_could_it_be_back_doored">Should I wipe the firewall, could it be back-doored?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>When you get someone’s firewall, it is always a good idea to reset its
configuration to the factory defaults. You can do it on the CLI with <code>execute factoryreset</code>. This will
reset the configuration to the default one but will leave the FortiOS firmware
intact. Many recommend going further and
formatting the flash that holds the FortiOS firmware the device boots from. The downside to
formatting the flash is that you have to do a TFTP network boot afterwards and have
an image of FortiOS ready, which not everyone would want to do.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_do_i_need_to_buy_additional_hardware">Do I need to buy additional hardware?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>You may need a console cable, if the Fortigate was not reset to the default
configuration and so will not allocate IPs via DHCP. The console cable is the usual
one, like you may have seen with Cisco equipment. IMPORTANT: when buying a used
firewall, make sure it includes a power adapter, as a new one will cost
you at least $100.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_what_model_should_i_buy">What model should I buy?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>For learning purposes even the smallest models will do. The available features
are almost identical for small and big (expensive) models. For example, the
smallest Fortigate 30E also supports up to 5 VDOMs, High Availability in a cluster,
and such. The important consideration here is the <strong>latest supported FortiOS
version</strong> for a given model. Fortinet stops supporting small models much sooner
than the larger ones. As an example, the latest FortiOS available for the Fortigate 30E is
6.2.11, while the slightly larger Fortigate 60E has FortiOS 7.2.3
available. This means if you buy the (cheaper) 30E model, you will not be able to
use features introduced in the 6.4/7.0/7.2 versions. This may be important to you or
not, but be aware.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_seller_sold_me_a_firewall_without_an_admin_password_what_can_i_do">Seller sold me a firewall without an admin password, what can I do?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>It happens, especially when a seller offers a Fortigate in "power test only"
condition, that you will have no admin-level user/password to manage it. The
best case scenario is that you will be able to reset the admin password on boot-up
via the console using the <code>maintainer</code> built-in account. Just search Google for
<em>Fortigate Resetting a lost Admin password</em>. The worst case scenario is that you
have no admin password AND the previous owner <strong>disabled</strong> the <code>maintainer</code> feature - you
will get the error <em>PASSWORD RECOVERY FUNCTIONALITY IS DISABLED</em> when trying to use the
<em>maintainer</em> account. What happens next depends on the specific model -
small models (Fortigate 40F, 80F, etc.) have a RESET button on the face panel,
which, while pressed, will reset the configuration to the factory default. The
large models have no such button. Conclusion - if you’re not sure of the seller, check
beforehand in its data sheet that your model can be reset with the button. I
have collected most of the data sheets here if you need them:
<a href="https://yurisk.info/2021/03/14/Fortigate-Firewalls-Hardware-CPU-model-and-number-Memory-size-datasheet-table/">Fortigate Firewalls Hardware - CPU model and number, Memory (RAM) and hard disk size datasheet table</a></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_where_do_i_get_up_to_date_firmware_for_my_firewall">Where do I get up-to-date firmware for my firewall?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>You can only legally get new firmware, provided it exists for a given model, if you have
an active Forticare contract. Chances are your used Fortigate will have all
contracts/subscriptions expired already. So, see the entry above about
buying/renewing subscriptions, or you may try your luck
asking for firmware on the Internet (Reddit/Telegram/Forums/etc.). The firmware upgrade is just a
downloadable file that will work no matter in which way you got it.</p>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>
<div class="paragraph">
<p><strong>Fortigate administrator GUI authentication bypass critical vulnerability CVE-2022-40684 found</strong></p>
</div>
<div class="paragraph">
<p>Published: 2022-10-10T09:55:25+00:00. Updated: 2022-10-10T09:55:25+00:00. Author: Yuri Slobodyanyuk. ID: tag:yurisk.info,2022-10-10:/2022/10/10/fortigate-admin-gui-authentication-bypass-critical-vulnerability/</p>
</div>
<div id="preamble">
<div class="sectionbody">
<div class="imageblock">
<div class="content">
<img src="/assets/fortigate-admin-gui-critical-alert-vulnerability.png" alt="Fortigate admin GUI authentication bypass vulnerability">
</div>
</div>
<div class="paragraph">
<p>On the 6th of October 2022, Fortinet started circulating internally and to their
clients a preliminary alert that an <strong>admin GUI vulnerability</strong> had been found. They
have released more details by now, but the whole picture regarding the exploitation
path is not known yet. The vulnerability was assigned severity 9.6 (very high),
and as far as we can understand from their bulletin - it allows attackers to bypass
the administrator authentication mechanisms and get access to the GUI. Also, not
stated directly, but understood - <del>the <code>trusthost</code> configuration does NOT
prevent attackers coming from IPs not on the trusthost list.</del> It is now
known that if any admin-level account has <code>0.0.0.0</code> as its trusthost set, then
such a Fortigate is vulnerable from any IP.</p>
</div>
<div class="paragraph">
<p>Fortinet recommend the following to be done immediately:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Upgrade the affected versions, 7.0.0 - 7.0.6 and 7.2.0 - 7.2.1, to the next available ones (7.0.7 and 7.2.2), as the solution.</p>
</li>
<li>
<p>Configure/duplicate the specific IP addresses from the <code>trusthost</code> settings (if already in place) in a Local-in policy, limiting management GUI access to the IPs you trust, as a workaround.</p>
</li>
<li>
<p>Disable admin GUI HTTP/HTTPS access on Internet-facing interface(s).</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>To exploit this vulnerability, an attacker has to send a specially crafted HTTP
request. It is not known, unfortunately, how complex (or not) the exploitation
is.</p>
</div>
<div class="paragraph">
<p>The Fortinet designation for this vulnerability is:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>FortiGuard ID: FG-IR-22-377
CVE ID: CVE-2022-40684
Severity: Critical / CVSS: 9.6</pre>
</div>
</div>
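<div class="paragraph">
<p>As an added check (example code, not Fortinet’s tooling nor from this post), the following Python script audits a FortiOS configuration backup for the three exposure conditions discussed above: a firmware version in the affected ranges, admin accounts whose <code>trusthost</code> admits any source IP (an explicit <code>0.0.0.0 0.0.0.0</code>, or no trusthost lines at all, which FortiOS treats as any), and interfaces whose <code>allowaccess</code> includes <code>http</code>/<code>https</code>. The configuration text, build number, interface and account names are constructed for the demo.</p>
</div>

```python
"""Audit a FortiOS configuration backup for the CVE-2022-40684 exposure
conditions: affected firmware version, admin accounts whose trusthost allows
any source IP, and interfaces exposing the admin GUI (http/https) via
'allowaccess'.  Added example, not Fortinet's own tooling."""
import re

# Affected releases per the bulletin: 7.0.0 - 7.0.6 and 7.2.0 - 7.2.1.
AFFECTED = {(7, 0): range(0, 7), (7, 2): range(0, 2)}

# Constructed sample of a FortiOS config backup (not from a real device).
SAMPLE_CONFIG = """\
#config-version=FGVM64-7.0.5-FW-build0304-220208:opmode=0:vdom=0:user=admin
config system interface
    edit "port1"
        set vdom "root"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
    next
    edit "port2"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
end
config system admin
    edit "admin"
        set trusthost1 10.10.10.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops"
        set trusthost1 0.0.0.0 0.0.0.0
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "backup-admin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

GUI_PROTOCOLS = {"http", "https"}


def parse_version(config):
    """Return (major, minor, patch) from the '#config-version=' header line."""
    m = re.search(r"^#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-", config, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True if the version falls in one of the vulnerable ranges."""
    if version is None:
        return False
    major, minor, patch = version
    return patch in AFFECTED.get((major, minor), range(0))


def parse_edits(config, section):
    """Yield (name, [setting lines]) for each 'edit' block of a config section."""
    block = re.search(r"^config %s\n(.*?)^end$" % re.escape(section), config, re.S | re.M)
    if not block:
        return
    for m in re.finditer(r'^\s*edit "([^"]+)"\n(.*?)^\s*next$', block.group(1), re.S | re.M):
        lines = [ln.strip() for ln in m.group(2).splitlines() if ln.strip()]
        yield m.group(1), lines


def unrestricted_admins(config):
    """Admins reachable from any IP: an explicit 0.0.0.0 trusthost, or no
    trusthost at all (FortiOS default is 0.0.0.0 0.0.0.0, i.e. any source)."""
    found = []
    for name, lines in parse_edits(config, "system admin"):
        hosts = [ln for ln in lines if ln.startswith("set trusthost")]
        if not hosts or any(ln.endswith("0.0.0.0 0.0.0.0") for ln in hosts):
            found.append(name)
    return found


def gui_exposed_interfaces(config):
    """Interfaces whose allowaccess includes the admin GUI protocols; the
    bulletin's advice is to remove these on Internet-facing interfaces."""
    found = []
    for name, lines in parse_edits(config, "system interface"):
        for ln in lines:
            if ln.startswith("set allowaccess"):
                exposed = set(ln.split()[2:]).intersection(GUI_PROTOCOLS)
                if exposed:
                    found.append((name, sorted(exposed)))
    return found


def audit(config):
    """Combine the three checks into one report dict."""
    version = parse_version(config)
    return {
        "version": version,
        "affected_version": is_affected(version),
        "unrestricted_admins": unrestricted_admins(config),
        "gui_exposed_interfaces": gui_exposed_interfaces(config),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print("%-24s %s" % (key, value))
```

Run it against a real backup by reading the file into <code>audit()</code>; any name in <code>unrestricted_admins</code> or any Internet-facing entry in <code>gui_exposed_interfaces</code> on an affected version is where the trusthost/Local-in workarounds above apply.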
</div>
</div>
<div class="sect1">
<h2 id="_additional_resources">Additional resources</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://yurisk.info/2022/07/04/fortigate-local-in-policy-configuration-examples-for-vpn-ipsec-vpn-ssl-bgp-and-more/#_limit_management_port_access_to_specific_ips">Limit management port access to specific IPs in Local-in Policy</a></p>
</li>
</ul>
</div>
</div>
</div>
<div class="paragraph">
<p><strong>Network MTU maximum size path discovery (PMTU) testing with ping</strong></p>
</div>
<div class="paragraph">
<p>Published: 2022-08-30T11:55:25+00:00. Updated: 2022-08-30T11:55:25+00:00. Author: Yuri Slobodyanyuk. ID: tag:yurisk.info,2022-08-30:/2022/08/30/network-mtu-maximum-size-testing-with-ping-on-linux-and-windows/</p>
</div>
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>MTU (Maximum Transmission Unit) plays a central role in available throughput.
And while on the Internet the maximum size isn’t going to surpass 1500 bytes,
on MPLS/IPL/etc. lines owned by a single provider it is possible to get a better MTU.</p>
</div>
<div class="paragraph">
<p>The easiest way to test for the maximum size of the packets that can pass without
fragmenting is to use ping with the appropriate option.</p>
</div>
<div class="paragraph">
<p>The idea is to send pings, increasing their size each time, until we get an error.</p>
</div>
<div class="paragraph">
<p>Linux:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="pygments highlight"><code data-lang="bash"><span class="tok-c1"># for ii in {1450..2500..20} ; do ping -c 2 -M do -s ${ii} 194.90.1.5; done</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>Here:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>I ping the destination 194.90.1.5</p>
</li>
<li>
<p>The ping size starts at 1450 bytes, and increases by 20 bytes each new ping until 2500 bytes</p>
</li>
<li>
<p><code>-M do</code> sets the don’t-fragment bit on the pings.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p><strong>Windows</strong>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="pygments highlight"><code data-lang="console"><span class="tok-go">for /L %A in (1450,20,2500) do ping -f -l %A -n 2 194.90.1.5</span></code></pre>
</div>
</div>
<div class="paragraph">
<p>Same as for Linux - send 2 pings each time, start with the size <code>-l</code> of 1450,
increase it each time by 20 bytes, and <code>-f</code> sets the <em>don’t-fragment</em> bit.</p>
</div>
<div class="paragraph">
<p>As for the expected error message, it is "Packet needs to be fragmented but DF
set." for Windows, and "error: Message too long, mtu=" for the Linux, once ping
size is larger than possible over the path.</p>
</div>
<div class="paragraph">
<p>In the examples below the maximum MTU is 1500 bytes:</p>
</div>
<div class="paragraph">
<p>Windows:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>> for /L %A in (1450,20,1550) do ping -f -l %A -n 2 194.90.1.5
> ping -f -l 1450 -n 2 194.90.1.5
Pinging 194.90.1.5 with 1450 bytes of data:
Reply from 194.90.1.5: bytes=1450 time=4ms TTL=59
Reply from 194.90.1.5: bytes=1450 time=6ms TTL=59
Ping statistics for 194.90.1.5:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 6ms, Average = 5ms
C:\WINDOWS\system32>ping -f -l 1470 -n 2 194.90.1.5
Pinging 194.90.1.5 with 1470 bytes of data:
Reply from 10.120.12.1: Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.</pre>
</div>
</div>
<div class="paragraph">
<p>Linux:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="pygments highlight"><code data-lang="bash"><span class="tok-c1"># for ii in {1450..2000..20} ; do ping -c 2 -M do -s ${ii} 194.90.1.5; done</span>
PING <span class="tok-m">194</span>.90.1.5 <span class="tok-o">(</span><span class="tok-m">194</span>.90.1.5<span class="tok-o">)</span> <span class="tok-m">1450</span><span class="tok-o">(</span><span class="tok-m">1478</span><span class="tok-o">)</span> bytes of data.
<span class="tok-m">1458</span> bytes from <span class="tok-m">194</span>.90.1.5: <span class="tok-nv">icmp_seq</span><span class="tok-o">=</span><span class="tok-m">1</span> <span class="tok-nv">ttl</span><span class="tok-o">=</span><span class="tok-m">45</span> <span class="tok-nv">time</span><span class="tok-o">=</span><span class="tok-m">54</span>.2 ms
<span class="tok-m">1458</span> bytes from <span class="tok-m">194</span>.90.1.5: <span class="tok-nv">icmp_seq</span><span class="tok-o">=</span><span class="tok-m">2</span> <span class="tok-nv">ttl</span><span class="tok-o">=</span><span class="tok-m">45</span> <span class="tok-nv">time</span><span class="tok-o">=</span><span class="tok-m">54</span>.2 ms
--- <span class="tok-m">194</span>.90.1.5 ping statistics ---
<span class="tok-m">2</span> packets transmitted, <span class="tok-m">2</span> received, <span class="tok-m">0</span>% packet loss, <span class="tok-nb">time</span> 1001ms
rtt min/avg/max/mdev <span class="tok-o">=</span> <span class="tok-m">54</span>.267/54.276/54.285/0.009 ms
PING <span class="tok-m">194</span>.90.1.5 <span class="tok-o">(</span><span class="tok-m">194</span>.90.1.5<span class="tok-o">)</span> <span class="tok-m">1470</span><span class="tok-o">(</span><span class="tok-m">1498</span><span class="tok-o">)</span> bytes of data.
<span class="tok-m">1478</span> bytes from <span class="tok-m">194</span>.90.1.5: <span class="tok-nv">icmp_seq</span><span class="tok-o">=</span><span class="tok-m">1</span> <span class="tok-nv">ttl</span><span class="tok-o">=</span><span class="tok-m">45</span> <span class="tok-nv">time</span><span class="tok-o">=</span><span class="tok-m">54</span>.2 ms
<span class="tok-m">1478</span> bytes from <span class="tok-m">194</span>.90.1.5: <span class="tok-nv">icmp_seq</span><span class="tok-o">=</span><span class="tok-m">2</span> <span class="tok-nv">ttl</span><span class="tok-o">=</span><span class="tok-m">45</span> <span class="tok-nv">time</span><span class="tok-o">=</span><span class="tok-m">54</span>.2 ms
--- <span class="tok-m">194</span>.90.1.5 ping statistics ---
<span class="tok-m">2</span> packets transmitted, <span class="tok-m">2</span> received, <span class="tok-m">0</span>% packet loss, <span class="tok-nb">time</span> 1001ms
rtt min/avg/max/mdev <span class="tok-o">=</span> <span class="tok-m">54</span>.201/54.208/54.216/0.232 ms
PING <span class="tok-m">194</span>.90.1.5 <span class="tok-o">(</span><span class="tok-m">194</span>.90.1.5<span class="tok-o">)</span> <span class="tok-m">1490</span><span class="tok-o">(</span><span class="tok-m">1518</span><span class="tok-o">)</span> bytes of data.
From <span class="tok-m">172</span>.31.16.1 <span class="tok-nv">icmp_seq</span><span class="tok-o">=</span><span class="tok-m">1</span> Frag needed and DF <span class="tok-nb">set</span> <span class="tok-o">(</span><span class="tok-nv">mtu</span> <span class="tok-o">=</span> <span class="tok-m">1500</span><span class="tok-o">)</span>
ping: <span class="tok-nb">local</span> error: Message too long, <span class="tok-nv">mtu</span><span class="tok-o">=</span><span class="tok-m">1500</span></code></pre>
</div>
</div>
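<div class="paragraph">
<p>The 20-byte sweep above brackets the limit (1470 passes, 1490 fails) but does not pin it down. As an added example (not the blog’s own script), the Python below binary-searches for the largest payload that passes with DF set and converts it to the path MTU using the 28 bytes of IPv4+ICMP overhead visible in the <code>1450(1478)</code> output. The probe is injectable, so the search runs offline against a simulated path; <code>probe_linux()</code> is the live variant built on <code>ping -M do</code>, and the search bounds and simulated MTUs are assumptions.</p>
</div>

```python
"""Path MTU probe in the spirit of the ping sweep above, as an added example
(not the blog's own script).  Instead of stepping by 20 bytes it binary
searches for the largest ICMP payload that passes with DF set, then converts
the payload to the path MTU (payload + 8 ICMP header + 20 IPv4 header).
The 'probe' callable is injectable so the search can run offline against a
simulated path; probe_linux() runs the real 'ping -M do'."""
import re
import subprocess

# IPv4 header + ICMP echo header, the 28 bytes in "1450(1478) bytes of data".
IPV4_ICMP_OVERHEAD = 20 + 8

# Error text from the outputs above: Linux reports the next-hop MTU, Windows does not.
LINUX_MTU_HINT = re.compile(r"mtu\s*=\s*(\d+)")
WINDOWS_DF_ERROR = "Packet needs to be fragmented but DF set."


def payload_to_mtu(payload):
    """ICMP payload size -> size of the IPv4 packet that carried it."""
    return payload + IPV4_ICMP_OVERHEAD


def mtu_to_payload(mtu):
    """Largest ping payload (-s on Linux, -l on Windows) that fits in an MTU."""
    return mtu - IPV4_ICMP_OVERHEAD


def mtu_hint(output):
    """Pull the MTU a Linux ping error reports, e.g. 'Message too long, mtu=1500'
    or 'Frag needed and DF set (mtu = 1500)'.  None when there is no hint."""
    m = LINUX_MTU_HINT.search(output)
    return int(m.group(1)) if m else None


def find_max_payload(probe, lo=1200, hi=9000):
    """Binary search the largest payload in [lo, hi] for which probe(size) is True.
    Assumes a monotonic path (bigger than the limit always fails); returns None
    if even the smallest size fails, so the caller can tell 'no MTU' from '1200'."""
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_path(mtu):
    """Offline stand-in for the network: DF-set packets larger than mtu are dropped."""
    return lambda payload: payload_to_mtu(payload) <= mtu


def probe_linux(host, payload, timeout=2):
    """Live probe: one ping with DF set (-M do).  True when the echo reply came back."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True, text=True).returncode == 0


def discover_path_mtu(host):
    """Run the search against a live host and report the path MTU in bytes."""
    payload = find_max_payload(lambda size: probe_linux(host, size))
    return None if payload is None else payload_to_mtu(payload)


if __name__ == "__main__":
    # Offline demo against a simulated 1500-byte path, like the outputs above.
    best = find_max_payload(simulated_path(1500))
    print("largest payload %d -> path MTU %d" % (best, payload_to_mtu(best)))
    print("hint from sample Linux error:", mtu_hint("ping: local error: Message too long, mtu=1500"))
```

Against a live host, <code>discover_path_mtu("194.90.1.5")</code> performs about 13 pings instead of the 50-odd of the fixed-step sweep and returns 1500 for the path shown above.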
</div>
</div>
<div class="sect1">
<h2 id="_resources">Resources</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://yurisk.info/2009/09/01/ping-setting-dont-fragment-bit-in-linuxfreebsdsolarisciscojuniper/">Ping – setting don’t fragment bit in Linux/FreeBSD/Solaris/Cisco/Juniper</a></p>
</li>
</ul>
</div>
</div>
</div>
<div class="paragraph">
<p><strong>Fortigate free VM Evaluation License is now permanent, not limited to 15 days, here is how to get it.</strong></p>
</div>
<div class="paragraph">
<p>Published: 2022-08-08T11:55:25+00:00. Updated: 2023-03-06T08:32:33+00:00. Author: Yuri Slobodyanyuk. ID: tag:yurisk.info,2022-08-08:/2022/08/08/Fortigate-free-VM-Evaluation-License-is-now-permanent-not-15-days/</p>
</div>
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>Starting with <strong>FortiOS 7.2.1</strong>, Fortinet removed the built-in 15-day free evaluation
license from the Fortigate VM images. It was replaced with a <em>permanent</em>
evaluation license, still free. The steps to get it have changed - you now
<em>have</em> to create a free Forticare/FortiCloud account and use it inside the
Fortigate GUI to activate this evaluation license. The license will be generated
and added to your FortiCloud account automatically.</p>
</div>
<div class="paragraph">
<p>Unfortunately, there are new limitations as well:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><strong>Security Rules</strong>: the limit is 3, instead of 5.</p>
</li>
<li>
<p><strong>Number of routes</strong>: the limit is also 3, while it was unlimited before. This means severe limiting of dynamic protocol labs like OSPF/BGP. Currently (FortiOS 7.2.1), though, there is no actual enforcement of this limit - I configured BGP and a few static routes, 6 all in all, and it worked without any issue.</p>
</li>
<li>
<p><strong>Number of interfaces</strong>: maximum 3, was unlimited. This also counts interfaces that are in state <em>disabled</em>/<em>down</em>, and on top of that, Loopback interfaces as well.</p>
</li>
<li>
<p><strong>One license per one FortiCloud account</strong>: this means that to have multiple evaluation licenses for multiple Fortigates, we need to create multiple FortiCloud accounts, nuisance but doable. The accounts are still free of charge.</p>
</li>
<li>
<p><strong>The rest of the limitations</strong>: additional limitations (CPU/Memory/etc.) that were present in the 15-day license are still enforced as well. See the reference at the bottom for details.</p>
</li>
<li>
<p><strong>Internet access</strong>: Fortigate VM has to have Internet access to activate the license. The alternative is having Fortimanager to do so.</p>
</li>
<li>
<p><strong>Let’s Encrypt Certificates</strong> - even though we now have normal encryption for admin https access, the ACME daemon for provisioning SSL/TLS certificates will
not run.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Now, to the visual guide of how to issue this free evaluation license for your
virtual Fortigate.</p>
</div>
<div class="paragraph">
<p>BTW: The only addition (and not subtraction) in this new evaluation licensing is that we can now
access the management web GUI of the Fortigate via regular <strong>https</strong>, not only http as
before.</p>
</div>
<div class="paragraph">
<p>First, download VM image for your virtualization platform, as usual:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/fortigate-download-free-vm-image.png" alt="Fortigate download free VM image">
</div>
</div>
<div class="paragraph">
<p>Then install it as before. I did it in the VMWare Workstation here. On the 1st
boot we can see that the license status is <code>invalid</code>:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/fortigate-vm-free-license-first-boot.png" alt="Fortigate with no license on first boot">
</div>
</div>
<div class="paragraph">
<p>Next step is to login to the Fortigate GUI. We will be presented with this page,
where we can enter the Forticare/FortiCloud account. The account does <strong>not</strong> have
to be a paying account, the free account is enough.</p>
</div>
<div class="imageblock">
<div class="content">
<a class="image" href="https://yurisk.info/assets/fortigate-free-vm-license-activation-page.png"><img src="/assets/fortigate-free-vm-license-activation-page-colors-31.png" alt="Fortigate free vm license activation page"></a>
</div>
</div>
<div class="paragraph">
<p>Upon clicking OK, the Fortigate will contact Fortiguard servers, and will
issue itself a license automatically. Here is the license status after the
successful activation:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/fortigate-vm-evaluation-license-status-after-activation.png" alt="Fortigate evaluation license status-after-activation">
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_debug_if_something_goes_wrong">Debug if something goes wrong</h2>
<div class="sectionbody">
<div class="paragraph">
<p>You can get various error messages trying to activate the evaluation license,
like <em>Error downloading license: Invalid serial number</em>, or <em>Failed to download
VM license</em>. There can be a few reasons for that:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>This Fortigate VM does not have access to the Internet.</p>
</li>
<li>
<p>The Fortigate VM cannot resolve correctly via DNS Fortiguard-related domains.</p>
</li>
<li>
<p>You are trying to register the Fortigate VM with the Forticare/Forticloud account that already has another evaluation registered to it.</p>
</li>
<li>
<p>Finally, not frequently, but it happens that the FortiGuard servers are having
reachability issues, and you need to wait and try later.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>To diagnose these problems, you may run the following commands:</p>
</div>
<div class="paragraph">
<p><strong>exe ping service.fortiguard.net</strong>, <strong>exe ping update.fortiguard.net</strong> to verify
DNS resolving and Internet accessibility.</p>
</div>
<div class="paragraph">
<p><strong>get sys stat</strong>, <strong>diagnose debug vm-print-license</strong> to see the current license
status on the Fortigate. The valid license output will look like:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>FGT-7-2-4 # diagnose debug vm-print-license
SerialNumber: FGVMEV_ATFDMNL66
CreateDate: Sun Nov 6 12:27:13 2022
UUID: 564d5a668795856cbd9d9b2939a7eff8
Key: yes
Cert: yes
Key2: yes
Cert2: yes
Model: EVAL (1)
CPU: 1
MEM: 2048
VDOM license:
permanent: 2
subscription: 0</pre>
</div>
</div>
<div class="paragraph">
<p><strong>diagnose hardware sysinfo vm full</strong> to see the license status as the FortiGuard
servers see it:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>FGT-7-2-4 # diagnose hardware sysinfo vm full
UUID: 564d5a668795856cbd9d9b2939a7eff8
valid: 1
status: 1
code: 0
warn: 0
copy: 0
received: 5330050190
warning: 4294940124
recv: 202303060746
dup:</pre>
</div>
</div>
<div class="paragraph">
<p><strong>execute vm-license</strong>, <strong>exe update now</strong> to re-initiate the process of requesting the license. On
success it will show:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>FGT-7-2-4 # execute vm-license
Trial license exists.</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_resources">Resources:</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p>Older, before FortiOS 7.2.1, versions still come with the 15 days evaluation license. You can read more on this at <a href="https://yurisk.info/2021/02/28/fortigate-vm-evaluation-license-15-days-limitations/" class="bare">https://yurisk.info/2021/02/28/fortigate-vm-evaluation-license-15-days-limitations/</a></p>
</li>
<li>
<p>The download URL as well as the process did not change, the video walkthrough of downloading free VM Fortigate image can be found here: <a href="https://yurisk.info/2022/04/13/where-to-download-fortigate-free-trial-vm/" class="bare">https://yurisk.info/2022/04/13/where-to-download-fortigate-free-trial-vm/</a></p>
</li>
<li>
<p><a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc">License and other services debug cheat sheet on Github</a></p>
</li>
</ul>
</div>
</div>
</div>
<div class="paragraph">
<p><strong>GNU tar archive tool reference by example</strong></p>
</div>
<div class="paragraph">
<p>Published: 2022-07-13T09:55:25+00:00. Updated: 2022-07-13T09:55:25+00:00. Author: Yuri Slobodyanyuk. ID: tag:yurisk.info,2022-07-13:/2022/07/13/GNU-tar-examples-cookbook/</p>
</div>
<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_archive_and_gzip_compress_the_current_folder_with_tar">Archive and gzip-compress the current folder with tar</a></li>
<li><a href="#_archive_and_gzip_compress_the_current_folder_using_maximal_compression_possible">Archive and gzip-compress the current folder using maximal compression possible</a>
<ul class="sectlevel2">
<li><a href="#_set_compression_level_as_the_code_gzip_code_environmental_variable_for_code_gzip_code">Set compression level as the <code>GZIP</code> environmental variable for <code>gzip</code></a></li>
<li><a href="#_set_compression_level_by_piping_code_tar_code_output_to_the_code_gzip_code">Set compression level by piping <code>tar</code> output to the <code>gzip</code></a></li>
<li><a href="#_use_code_i_code_option_for_modern_versions_of_tar">Use <code>-I</code> option for modern versions of tar</a></li>
</ul>
</li>
<li><a href="#_archive_and_bzip2_compress_the_current_folder_with_tar">Archive and bzip2-compress the current folder with tar</a></li>
<li><a href="#_archive_the_current_folder_but_exlude_specific_file_and_or_subfolder">Archive the current folder but exclude specific file and/or subfolder</a></li>
<li><a href="#_list_contents_of_a_tar_archive_gzipped_or_not_without_actually_extracting_it">List contents of a tar archive (gzipped or not) without actually extracting it</a></li>
<li><a href="#_create_a_tar_archive_embedding_the_current_day_month_and_year_in_the_name">Create a tar archive embedding the current day, month, and year in the name</a></li>
<li><a href="#_append_file_s_to_the_existing_archive">Append file(s) to the existing archive</a></li>
<li><a href="#_move_the_current_directory_and_all_of_its_contents_as_a_whole_keeping_file_permissions">Move the current directory and all of its contents as a whole, keeping file permissions</a></li>
<li><a href="#_encrypt_decrypt_the_resulting_archive_with_openssl_and_password">Encrypt/Decrypt the resulting archive with OpenSSL and password</a></li>
<li><a href="#_extract_only_specific_file_s_from_the_tar_archive">Extract only specific file(s) from the tar archive</a></li>
<li><a href="#_archive_directory_on_the_remote_server_and_download_to_the_local_host_via_ssh_in_one_command">Archive directory on the remote server and download to the local host via SSH in one command</a></li>
<li><a href="#_remove_do_not_preserve_anonymize_username_and_group_name_of_the_files_owner_when_adding_files_to_tar_archive">Remove / do not preserve / anonymize username and group name of the files owner when adding files to tar archive</a></li>
<li><a href="#_delete_only_specific_file_s_or_folder_s_from_the_archive">Delete only specific file(s) or folder(s) from the archive</a></li>
<li><a href="#_how_can_i_run_tar_in_parallel_on_multi_core_cpu_when_creating_an_archive">How can I run tar in parallel on multi-core CPU when creating an archive?</a></li>
<li><a href="#_find_all_tar_archives_even_those_not_having_tar_extension">Find all tar archives even those NOT having .tar extension</a></li>
<li><a href="#_tar_archives_symlinks_instead_of_the_objects_they_point_to_how_to_fix">tar archives symlinks instead of the objects they point to, how to fix?</a></li>
<li><a href="#_archive_only_those_objects_modified_last_24_hours">Archive only those objects modified last 24 hours</a>
<ul class="sectlevel2">
<li><a href="#_archive_only_those_objects_modified_between_24_and_48_hours_ago">Archive only those objects modified between 24 and 48 hours ago</a></li>
</ul>
</li>
<li><a href="#_verify_tar_archive_integrity_in_a_bash_script_i_e_non_interactively">Verify tar archive integrity in a Bash script, i.e. non interactively</a></li>
</ul>
</div>
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>Usage examples for the Linux version of <code>tar</code>, covering 90% of my use cases and saving me the time of Googling them. The
<a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/gnu-tar-example-reference.pdf">PDF version</a> of this cheat sheet.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
All the examples below are for the Linux GNU tar, not for the native versions of tar shipped with Solaris, FreeBSD, or Mac OS.
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_archive_and_gzip_compress_the_current_folder_with_tar">Archive and gzip-compress the current folder with tar</h2>
<div class="sectionbody">
<div class="listingblock">
<div class="content">
<pre>tar -czf gzipped-folder.tar.gz .</pre>
</div>
</div>
<div class="paragraph">
<p>Here:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>c</code> For <em>create</em></p>
</li>
<li>
<p><code>z</code> For <em>gzip</em> compress</p>
</li>
<li>
<p><code>f</code> Filename of the archive to create</p>
</li>
<li>
<p><code>.</code> (dot) for the current folder</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>The file <code>gzipped-folder.tar.gz</code> will contain all the files (including dot files) and subfolders of the current folder.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_archive_and_gzip_compress_the_current_folder_using_maximal_compression_possible">Archive and gzip-compress the current folder using maximal compression possible</h2>
<div class="sectionbody">
<div class="paragraph">
<p>There are a few ways to do it. Older versions of <code>tar</code> do not accept a compression level for <code>gzip</code>, so we have to pass the hint to <code>gzip</code> another way.</p>
</div>
<div class="sect2">
<h3 id="_set_compression_level_as_the_code_gzip_code_environmental_variable_for_code_gzip_code">Set compression level as the <code>GZIP</code> environment variable for <code>gzip</code></h3>
<div class="paragraph">
<p>Let’s set the maximum compression level of 9:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>GZIP=-9 tar -cvzf maxcompression.tar.gz .</pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
The disadvantage of this method is that it depends on the shell you are using: it works in Bash, but may fail in other shells.
</td>
</tr>
</table>
</div>
</div>
<div class="sect2">
<h3 id="_set_compression_level_by_piping_code_tar_code_output_to_the_code_gzip_code">Set compression level by piping <code>tar</code> output to the <code>gzip</code></h3>
<div class="paragraph">
<p>The most straightforward way to do it:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>tar -cvf - . | gzip -9 - > maxcompression.tar.gz</pre>
</div>
</div>
<div class="paragraph">
<p>Variation of the above:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>tar -cvf maxcompression.tar . ; gzip -9 maxcompression.tar</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_use_code_i_code_option_for_modern_versions_of_tar">Use <code>-I</code> option for modern versions of tar</h3>
<div class="paragraph">
<p>The <code>-I</code> (<code>--use-compress-program</code>) option appeared in version 1.22 or earlier, around 2009. So, if your tar is newer than that (it most probably is), you can set the compression level this way:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>tar -I 'gzip -9' -cvf maxcompression.tar.gz .</pre>
</div>
</div>
<div class="paragraph">
<p><code>-I</code> passes its quoted argument to the compression program of choice as is, so the program’s own options go inside the quotes.</p>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_archive_and_bzip2_compress_the_current_folder_with_tar">Archive and bzip2-compress the current folder with tar</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Same as above, but with <code>bzip2</code> compression instead of <code>gzip</code>. In the past bzip2 produced smaller archives than gzip, but today they perform pretty much the same.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>tar -cjf gzipped-folder.tar.bz2 .</pre>
</div>
</div>
<div class="paragraph">
<p>Here:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>c</code> For <em>create</em></p>
</li>
<li>
<p><code>j</code> For <em>bzip2</em> compress</p>
</li>
<li>
<p><code>f</code> Filename of the archive to create</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>The file <code>gzipped-folder.tar.bz2</code> will contain all the files (including dot files) and subfolders of the current folder.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_archive_the_current_folder_but_exlude_specific_file_and_or_subfolder">Archive the current folder but exclude a specific file and/or subfolder</h2>
<div class="sectionbody">
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<div class="title">Warning</div>
</td>
<td class="content">
Even though it is not explicitly mentioned in tar’s man page (except in the newest versions), you HAVE to put the folder/path to work on as the LAST argument on the line, or <code>--exclude</code> will be ignored.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>E.g. create an archive named <code>tared-folder.tar</code> containing all files/subfolders of the current folder except the file named <code>cookbook.gzip</code> and the subfolder named <code>.git</code> with its contents:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>tar -cvf tared-folder.tar --exclude=cookbook.gzip --exclude=.git .</pre>
</div>
</div>
<div class="paragraph">
<p><code>v</code> is for verbose output during the operation.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_list_contents_of_a_tar_archive_gzipped_or_not_without_actually_extracting_it">List contents of a tar archive (gzipped or not) without actually extracting it</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Use <code>-t</code> option before the <code>f</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>tar -tf gzipped-folder.tar.gz</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_create_a_tar_archive_embedding_the_current_day_month_and_year_in_the_name">Create a tar archive embedding the current day, month, and year in the name</h2>
<div class="sectionbody">
<div class="paragraph">
<p>When running tar as a scheduled/cron job, it is beneficial to include the archive creation date in the name.</p>
</div>
<div class="paragraph">
<p>E.g.: create a tar archive named <em>backup-&lt;current date&gt;.tar</em> from the files in the current folder ending in <code>*.md</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>tar -cf backup-`date +%d-%m-%Y`.tar *.md</pre>
</div>
</div>
<div class="paragraph">
<p>Result:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>ls *.tar
backup-13-07-2021.tar</pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
Look at the <code>man date</code> for more options, like hour, second etc.
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_append_file_s_to_the_existing_archive">Append file(s) to the existing archive</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The file(s) will be appended at the end of the archive, just so you know.</p>
</div>
<div class="paragraph">
<p>E.g. let’s append to the existing <em>backup-13-07-2021.tar</em> archive the file named <em>missfont.log</em>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>tar -rf backup-13-07-2021.tar missfont.log</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_move_the_current_directory_and_all_of_its_contents_as_a_whole_keeping_file_permissions">Move the current directory and all of its contents as a whole, keeping file permissions</h2>
<div class="sectionbody">
<div class="paragraph">
<p>An old trick to compensate for various deficiencies of <code>cp</code> and <code>mv</code>.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>tar -cf - . | (cd new-location; tar xvpf -)</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_encrypt_decrypt_the_resulting_archive_with_openssl_and_password">Encrypt/Decrypt the resulting archive with OpenSSL and password</h2>
<div class="sectionbody">
<div class="paragraph">
<p>We just pipe the tar output to OpenSSL, provided it is installed. The password is entered interactively in the CLI, so this is not a very secure way to do it.</p>
</div>
<div class="paragraph">
<p>E.g. tar the current folder into a tar archive and then encrypt it:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>tar -cvf - * | openssl enc -e -aes256 -out encrypted-folder.tar.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.</pre>
</div>
</div>
<div class="paragraph">
<p>Now, decrypt it:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>openssl enc -d -aes256 -in encrypted-folder.tar.enc | tar -xf -
enter aes-256-cbc decryption password:</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_extract_only_specific_file_s_from_the_tar_archive">Extract only specific file(s) from the tar archive</h2>
<div class="sectionbody">
<div class="paragraph">
<p>We may specify a specific filename to extract or use shell globbing patterns for file name matching.</p>
</div>
<div class="paragraph">
<p>E.g.: extract only the file named <em>README.md</em> from the tar archive <em>cookbooks.tar.bz2</em>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>tar -xjvf cookbooks.tar.bz2 ./README.md</pre>
</div>
</div>
<div class="paragraph">
<p>E.g.: extract all Markdown files from the archive:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>tar -xjvf cookbooks.tar.bz2 ./*.md</pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<code>-j</code> is for extracting from a bzip2-compressed archive; when extracting from a plain tar archive, just remove <code>-j</code>.
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_archive_directory_on_the_remote_server_and_download_to_the_local_host_via_ssh_in_one_command">Archive directory on the remote server and download to the local host via SSH in one command</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Task: archive and compress the contents of the directory <em>ASM</em> on the remote server 19.23.55.158 and download it to the local host as the file <em>ASM.tar.gz</em>.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>ssh root@19.23.55.158 'cd ASM && tar -czf - *' > ASM.tar.gz
root@19.23.55.158's password:</pre>
</div>
</div>
<div class="paragraph">
<p>Result:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>ls -l
-rw-r--r-- 1 root root 505 Jul 14 08:39 ASM.tar.gz</pre>
</div>
</div>
<div class="paragraph">
<p>Here:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>ASM</code> - relative path of the directory on the remote server; using an absolute path is recommended.</p>
</li>
<li>
<p><code>tar -czf -</code> - creates a gzip-compressed tar archive with stdout as the output, so we can redirect the output on the local host to the file <em>ASM.tar.gz</em>.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_remove_do_not_preserve_anonymize_username_and_group_name_of_the_files_owner_when_adding_files_to_tar_archive">Remove / do not preserve / anonymize username and group name of the files owner when adding files to tar archive</h2>
<div class="sectionbody">
<div class="paragraph">
<p>By default tar adds files/directories to the archive along with their owner user/group. The only reliable way to prevent this is to replace the actual data with a fake user/group when adding to the archive.</p>
</div>
<div class="paragraph">
<p>E.g. add the file <em>README.md</em> to the archive, but change the owner’s username/group to the fictitious <em>Doe</em> with the numeric ID <em>1002</em>. If we supply just the username/group name, then, depending on the version/implementation, tar may change them as asked but leave the real numeric IDs in place. To force tar not to do that, specify both the alphanumeric name and the numeric ID, or, in addition to the numeric IDs, add the option <code>--numeric-owner</code>, which forces tar to keep only numeric IDs.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
tar does not check if the given user and group name actually exist on the system.
</td>
</tr>
</table>
</div>
<div class="listingblock">
<div class="content">
<pre>tar -cvf perms.tar README.md --owner=Doe:1002 --group=Doe:1002</pre>
</div>
</div>
<div class="paragraph">
<p>Verify:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>tar -vtf perms.tar
-rw-r--r-- Doe/Doe 542 2020-08-22 09:50 README.md</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_delete_only_specific_file_s_or_folder_s_from_the_archive">Delete only specific file(s) or folder(s) from the archive</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Not really possible. There is a <code>--delete</code> option that seemingly does this, but under the surface it just combines, in one command, extracting the whole archive to a temporary directory, deleting the file(s) in question, and creating the archive again from scratch.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_how_can_i_run_tar_in_parallel_on_multi_core_cpu_when_creating_an_archive">How can I run tar in parallel on multi-core CPU when creating an archive?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The short answer: you can’t. The extended answer: you can’t archive in parallel into the same archive (it was never the goal of <code>tar</code>, which originally wrote archives to physical tapes that could not be accessed in parallel), but you have options (if you need them at all) to parallelize the compression of the archive. The options for parallel execution depend on the compressing utility used. There are <code>xz</code>, <code>7zip</code>, and <code>pigz</code>, which can compress an archive in parallel given the correct options. They cannot decompress in parallel though, only compress.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_find_all_tar_archives_even_those_not_having_tar_extension">Find all tar archives even those NOT having .tar extension</h2>
<div class="sectionbody">
<div class="paragraph">
<p>In a situation where you are presented with a bunch of files with random names, finding which ones are proper tar archives can be done in a few ways. The idea behind all of them is to look for tar’s <strong>magic number</strong> inside the file. On systems with the <code>file</code> utility installed, it is really easy:</p>
</div>
<div class="listingblock">
<div class="content">
<pre># file * | awk -F: '/POSIX tar archive/ {print $1}'
damaged.tar
deleteme-13-07-2021.tar
maxwithI.tar.gz
perms.tar
permstar
permstar2</pre>
</div>
</div>
<div class="paragraph">
<p>As you can see, it found tar archives without any extension <em>permstar</em> and <em>permstar2</em>.</p>
</div>
<div class="paragraph">
<p>When the <code>file</code> tool is not available (highly improbable), we can go the more old-school way and look at the magic number directly:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>find . -type f -exec xxd -g 6 -s 257 -l 6 \{\} \; -print | sed -n '/757374617220/{n;p}'
./perms.tar
./maxwithI.tar.gz
./damaged.tar
./deleteme-13-07-2021.tar
./test/deleteme-13-07-2021.tar
./permstar2
./permstar</pre>
</div>
</div>
<div class="paragraph">
<p>Here:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>757374617220 is the magic number of the tar file type in hex (the ASCII string <code>ustar</code> followed by a space)</p>
</li>
<li>
<p><code>xxd</code> is hex dumper to show contents of a file in hexadecimal</p>
</li>
<li>
<p><code>-g 6</code> tells xxd to group the found bytes into a group of 6 bytes (size of the magic number) when printing</p>
</li>
<li>
<p><code>-l 6</code> limits output to just 6 bytes</p>
</li>
<li>
<p><code>-s 257</code> skips first 256 bytes to start printing from byte 257 forward</p>
</li>
</ul>
</div>
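<div class="paragraph">
<p>The magic-number idea above, worked into a small POSIX shell script as an added example (not the blog’s own code): it checks the <code>ustar</code> bytes at offset 257 with <code>od</code> and <code>dd</code>, decompresses gzip files first so compressed archives are found too, and runs against a constructed sample directory. The function names and sample file names are made up for the example.</p>
</div>

```shell
#!/bin/sh
# Added example (not the blog's own code): find tar archives by the "ustar" magic
# at offset 257 of the first header, ignoring file names and extensions.
# Gzip-compressed archives are recognised by decompressing just their head.
# Uses only POSIX tools (od, dd, tr, find) plus gzip, so it needs neither xxd nor file.

is_gzip() {
    # gzip streams start with the two magic bytes 1f 8b
    [ "$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')" = "1f8b" ]
}

tar_magic_of() {
    # Print the 5 bytes at offset 257 of the (decompressed) file. NUL bytes are
    # stripped so the shell can compare the result as a plain string; a file
    # shorter than 262 bytes simply yields an empty string.
    if is_gzip "$1"; then
        gzip -dc "$1" 2>/dev/null | dd bs=1 skip=257 count=5 2>/dev/null | tr -d '\000'
    else
        dd if="$1" bs=1 skip=257 count=5 2>/dev/null | tr -d '\000'
    fi
}

is_tar_archive() {
    [ "$(tar_magic_of "$1")" = "ustar" ]
}

find_tar_archives() {
    # Walk directory $1 and print every regular file carrying the tar magic,
    # whatever it is called (newline-separated paths are fine for a triage listing)
    find "$1" -type f | while IFS= read -r path; do
        if is_tar_archive "$path"; then printf '%s\n' "$path"; fi
    done
    return 0
}

make_sample_dir() {
    # Constructed sample input: a tar with no extension, a gzipped tar with a
    # misleading name, a text file falsely named .tar, and the tiny payload itself
    sample=$(mktemp -d)
    printf 'hello\n' > "$sample/payload.txt"
    tar -cf "$sample/archive-noext" -C "$sample" payload.txt
    tar -cf - -C "$sample" payload.txt | gzip -c > "$sample/blob.bin"
    printf 'not an archive\n' > "$sample/fake.tar"
    printf '%s\n' "$sample"
}

# Usage on the constructed sample (prints archive-noext and blob.bin), then clean up
dir=$(make_sample_dir)
find_tar_archives "$dir"
rm -rf "$dir"
```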
</div>
</div>
<div class="sect1">
<h2 id="_tar_archives_symlinks_instead_of_the_objects_they_point_to_how_to_fix">tar archives symlinks instead of the objects they point to, how to fix?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Use the <code>-h</code> switch to tell tar to dereference symlinks and add to the archive the objects (directories/files) those symlinks point to.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>tar -hcf archive.tar .</pre>
</div>
</div>
<div class="paragraph">
<p>This will dereference all symlinks found in the current directory.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_archive_only_those_objects_modified_last_24_hours">Archive only those objects modified last 24 hours</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Tar itself does not have an option to search by timestamps, but <code>find</code> does.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>find . -mtime 0 -print0 | tar -cvf modified.tar --null -T -</pre>
</div>
</div>
<div class="paragraph">
<p>Here:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>-mtime</code> tells <code>find</code> which modification timestamps of the objects we are looking for, in days. The <code>0</code> means "0 days ago", i.e. the last 24 hours. This option accepts relative values as well, e.g. <code>-2</code> means modified less than 2 days ago, and <code>-mtime +2</code> finds objects modified earlier than 2 days ago. See below for another example.</p>
</li>
</ul>
</div>
<div class="sect2">
<h3 id="_archive_only_those_objects_modified_between_24_and_48_hours_ago">Archive only those objects modified between 24 and 48 hours ago</h3>
<div class="paragraph">
<p>An extension of the above. In general, <code>find</code> is such an essential tool that you can’t do much without it on any Linux/BSD/Unix system.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>find . -mtime 1 -print0 | tar -cvf modified.tar --null -T -</pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
To search for modified times in minute resolution, use <code>-mmin</code> instead of <code>-mtime</code>.
</td>
</tr>
</table>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_verify_tar_archive_integrity_in_a_bash_script_i_e_non_interactively">Verify tar archive integrity in a Bash script, i.e. non interactively</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Tar itself does not calculate or save a checksum in the archive it creates. A rudimentary "integrity" check can be done
with the <code>-t</code> switch, which produces an error and exits if the archive is severely damaged: it cannot be read, the headers are mangled, and such. A change in the <strong>contents</strong> of a file this <code>-t</code> check will NOT notice. When gzip-ing a tar archive, though, a CRC checksum is saved automatically, but of the final tar archive as a whole, not of the individual files inside it. This way, if there is a CRC checksum mismatch when unzipping the tar archive, <code>gzip</code> will issue an error on the standard output.</p>
</div>
<div class="paragraph">
<p>So, to try and read the archive, verifying that it is readable:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>#!/bin/bash
# Check the EXIT status of reading the tar archive, redirecting stdout and stderr
# to /dev/null, as there is no need to see the contents of the archive
if ! tar tf /path/to/archive.tar &> /dev/null; then
    echo "archive is damaged or unreadable" >&2   # do something if the exit status is an error
    exit 1
fi</pre>
</div>
</div>
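<div class="paragraph">
<p>As an added example (not the blog’s script), the check above extended into a POSIX shell function that also exercises gzip’s CRC for compressed archives and keeps a SHA-256 digest next to the archive, with a constructed demo showing which kinds of damage each check does and does not catch. The names <code>verify_archive</code>, <code>record_digest</code> and the sample files are made up here.</p>
</div>

```shell
#!/bin/sh
# Added example (not the blog's own script): a non-interactive archive check that
# goes a step further than "tar -tf". For gzip-compressed archives it also runs
# gzip's CRC check, and it keeps a SHA-256 digest next to the archive, because a
# flipped byte inside a member's data is invisible to "tar -t" (headers only).
# Exit codes of verify_archive: 0 readable, 1 tar cannot read it, 2 gzip check failed.

verify_archive() {
    if [ "$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')" = "1f8b" ]; then
        # gzip stores a CRC-32 of the uncompressed stream; decompressing to
        # /dev/null verifies it (same as "gzip -t" on GNU gzip)
        gzip -dc "$1" >/dev/null 2>&1 || return 2
        tar -tzf "$1" >/dev/null 2>&1 || return 1
    else
        tar -tf "$1" >/dev/null 2>&1 || return 1
    fi
    return 0
}

record_digest() {
    # Write the archive's SHA-256 to <archive>.sha256 right after creating it
    sha256sum "$1" | cut -d' ' -f1 > "$1.sha256"
}

check_digest() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cat "$1.sha256")" ]
}

rc_of() {
    # Run a command and print its exit status (safe to use under "set -e")
    if "$@"; then echo 0; else echo $?; fi
}

flip_byte() {
    # Replace the byte at offset $2 of file $1 with a different, non-zero byte,
    # simulating bit rot or tampering (demo helper)
    orig=$(od -An -tu1 -j "$2" -N1 "$1" | tr -d ' ')
    printf "\\$(printf '%03o' $((orig % 254 + 1)))" |
        dd of="$1" bs=1 seek="$2" count=1 conv=notrunc 2>/dev/null
}

demo() {
    # Constructed sample: one small file archived plain and gzipped, then three
    # kinds of damage. Prints six results: plain gz content digest header crc
    d=$(mktemp -d)
    printf 'sensitive config line\n' > "$d/app.conf"
    tar -cf "$d/plain.tar" -C "$d" app.conf
    tar -czf "$d/comp.tar.gz" -C "$d" app.conf
    record_digest "$d/plain.tar"
    r_plain=$(rc_of verify_archive "$d/plain.tar")
    r_gz=$(rc_of verify_archive "$d/comp.tar.gz")
    # 1) damage member data (offset 512 = first data byte after the 512-byte
    #    header): "tar -t" still passes, only the digest notices
    flip_byte "$d/plain.tar" 512
    r_content=$(rc_of verify_archive "$d/plain.tar")
    if check_digest "$d/plain.tar"; then digest=OK; else digest=MISMATCH; fi
    # 2) damage the header: its checksum no longer matches and tar refuses it
    flip_byte "$d/plain.tar" 0
    r_header=$(rc_of verify_archive "$d/plain.tar")
    # 3) damage the deflate stream: gzip's CRC/format check fails
    flip_byte "$d/comp.tar.gz" 20
    r_crc=$(rc_of verify_archive "$d/comp.tar.gz")
    rm -rf "$d"
    printf '%s %s %s %s %s %s\n' "$r_plain" "$r_gz" "$r_content" "$digest" "$r_header" "$r_crc"
}

demo   # prints: 0 0 0 MISMATCH 1 2
```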
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> or
<a href="https://github.com/yuriskinfo" class="bare">https://github.com/yuriskinfo</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Fortigate Local-in policy configuration examples for VPN IPSec, VPN SSL, BGP and more2022-07-04T09:55:25+00:002022-07-04T09:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2022-07-04:/2022/07/04/fortigate-local-in-policy-configuration-examples-for-vpn-ipsec-vpn-ssl-bgp-and-more/<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_introduction">Introduction</a></li>
<li><a href="#_allow_vpn_ipsec_port_500_4500_and_protocol_esp_access_to_specific_ip_addresses_only">Allow VPN IPSec port 500, 4500, and protocol ESP access to specific IP addresses only</a></li>
<li><a href="#_allow_only_to_specific_bgp_peers_to_connect_to_the_port_179_tcp">Allow only to specific BGP peers to connect to the port 179 TCP</a></li>
<li><a href="#_ssl_vpn_limit_access_to_the_port_10443_to_a_specific_country_israel_in_this_example">SSL VPN - limit access to the port 10443 to a specific country, Israel in this example</a></li>
<li><a href="#_deny_all_services_from_all_ip_addresses">Deny all services from all IP addresses</a></li>
<li><a href="#_limit_management_port_access_to_specific_ips">Limit management port access to specific IPs</a></li>
<li><a href="#_verification_and_debug">Verification and Debug</a>
<ul class="sectlevel2">
<li><a href="#_show_configured_local_in_policies_strong_show_firewall_local_in_policy_strong">Show configured Local-in policies: <strong>show firewall local-in-policy</strong></a></li>
<li><a href="#_show_policy_hit_count_strong_diag_firewall_iprope_show_00100001_em_policy_id_em_strong">Show policy hit count: <strong>diag firewall iprope show 00100001 <em>policy-id</em></strong></a></li>
<li><a href="#_usual_and_proven_strong_diagnose_debug_flow_strong">Usual and proven: <strong>diagnose debug flow</strong></a></li>
</ul>
</li>
<li><a href="#_additional_resources">Additional resources</a></li>
</ul>
</div>
<div class="sect1">
<h2 id="_introduction">Introduction</h2>
<div class="sectionbody">
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<i class="fa icon-warning" title="Warning"></i>
</td>
<td class="content">
As of 06 Oct 2022, there is a <strong>Critical admin GUI authentication
bypass</strong> vulnerability in the Fortigate/FortiProxy products, versions 7.0.0 -
7.0.6 & 7.2.0 - 7.2.1. More info:
<a href="https://www.linkedin.com/posts/yurislobodyanyuk_fortigate-fortigate-cve-activity-6983870612293181440-JaxM" class="bare">https://www.linkedin.com/posts/yurislobodyanyuk_fortigate-fortigate-cve-activity-6983870612293181440-JaxM</a>.
One of the ways to protect against this vulnerability is either to configure admin
access on the Loopback interface, or to use a Local-in Policy for admin access; see
the example below.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p><strong>Local-in</strong> policy is the policy guarding/protecting the Fortigate itself, i.e.
it filters/restricts access when the destination is one of the Fortigate’s own
interfaces and their IPs. Below you will find example configurations, but before jumping in,
you have to know a few important facts
about Local-in policy:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>It is visible in the GUI by default starting with FortiOS 7.x, but in older versions you
have to go to System → Feature Visibility → Local-in Policy to make it so.</p>
</li>
<li>
<p>The Local-in policy can <strong>only be configured in CLI</strong>, the GUI display is
read-only.</p>
</li>
<li>
<p>Additionally, the GUI displays <strong>only default</strong> rules, created automatically by
the Fortigate when you enable appropriate services. GUI will <strong>not</strong> show any
rules you configure on CLI, and thus may confuse you into thinking
CLI-configured rules do not work. My advice: forget about GUI, work on CLI from
the beginning.</p>
</li>
<li>
<p>There are separate IPv4 and IPv6 Local-in policies.</p>
</li>
<li>
<p>The default action in rules is <strong>deny</strong>, so when you see no action in the <em>show</em> output,
it means the action is to deny.</p>
</li>
<li>
<p>You cannot disable/delete/manipulate the rules auto-created by the Fortigate in any
other way than by disabling/deleting the services that opened them up. The
custom rules we create on the CLI override (go above) the default rules, but do not
remove them. This means you have to take them into account. E.g., once you
configure BGP on the Fortigate, this will open port 179 TCP to ALL, so to
restrict the BGP port to specific IPs, you will need to create 2 rules: the 1st with
action <em>accept</em> for those specific IPs, then a 2nd rule below it that denies ALL
to port 179 TCP of BGP. This way, the default auto-created rule <em>port 179 TCP -
allow ALL</em> will not be reached when matching the traffic.</p>
</li>
<li>
<p>When configuring on CLI, you must specify: incoming interface to protect,
source and destination address (you can use all), schedule, and service (you
can use specific or <em>ALL</em>).</p>
</li>
<li>
<p>In newer FortiOS versions, if I remember correctly, 6.4.9 or newer, we can set as a source address the <em>Geography</em> (Geolocation) object, allowing/blocking this way access by the country.</p>
</li>
<li>
<p>Local-in policy does NOT control NAT/port-forwarded rules, aka Virtual IPs
(VIPs). This means, for example, if you configured a port-forwarding VIP allowing some specific
port or a one-to-one NAT in Security Rules, no matter what you do in Local-in
policy for the same IPs, the Fortigate will only look at Security Rules,
ignoring Local-in. In short - VIPs override Local-in policies.</p>
</li>
<li>
<p>By default, Local-in policy hits are not logged, you have to set in Log
Settings → Log All for denied packets to be logged. The logs are in <em>Local
Traffic</em> section.</p>
</li>
<li>
<p>You can use <em>Workspace Mode</em> to prevent mistakenly locking yourself out when
changing the Local-in policy, see Resources at the end of the post.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_allow_vpn_ipsec_port_500_4500_and_protocol_esp_access_to_specific_ip_addresses_only">Allow VPN IPSec port 500, 4500, and protocol ESP access to specific IP addresses only</h2>
<div class="sectionbody">
<div class="paragraph">
<p><em>Task</em>: We set up VPN site to site with the remote peer of 13.13.13.13 and this
opened port 500 (IKE), port 4500 (NAT-T), and protocol ESP to all IPs on the Internet.
Let’s limit it to the 13.13.13.13 only.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Create a firewall address object (if not already) for the remote peer:</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config firewall address
edit "VPNpeer1"
set comment "Remote peer for VPN"
set subnet 13.13.13.13 255.255.255.255
next
end</pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Create rule to allow IKE and ESP from this peer on port1 (WAN interface):</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config firewall local-in-policy
edit 0
set intf "port1"
set srcaddr "VPNpeer1"
set dstaddr "all"
set action accept
set service "IKE" "ESP" //"IKE" service includes ports 500 and 4500
set schedule "always"
next
end</pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Create a rule below it to deny IKE and ESP protocols to everyone else:</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config firewall local-in-policy
edit 0
set intf "port1"
set srcaddr "all"
set dstaddr "all"
set service "IKE" "ESP"
set schedule "always"
next
end</pre>
</div>
</div>
<div class="paragraph">
<p>Done. Now, this Fortigate will only answer to this peer (13.13.13.13) on
port 500 UDP (for IKE), port 4500 for NAT Traversal, and
to protocol ESP (Phase 2 VPN).</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_allow_only_to_specific_bgp_peers_to_connect_to_the_port_179_tcp">Allow only to specific BGP peers to connect to the port 179 TCP</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Strictly speaking, by BGP protocol standard, it is enough for just one peer to
listen for incoming BGP connections on port 179 TCP. So, even if we block
incoming port 179 altogether, the BGP session would still be established if
the remote BGP peer has port 179 open and listening. But let’s not go overboard.</p>
</div>
<div class="paragraph">
<p><em>Task</em>: After creating BGP configuration between Fortigate and the remote peer
of 12.12.12.12, you noticed that port 179 TCP on the Fortigate answers to
connections from any IP. Not good, let’s limit port 179 just to the BGP peer.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Create firewall address object for the remote BGP peer (if not already):</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config firewall address
edit BGPpeer12.12.12.12
set subnet 12.12.12.12/32
set comment "Remote BGP peer address"
end</pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Create Local-in rule to allow this peer connection to our port 179:</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config firewall local-in-policy
edit 0
set intf "port1"
set srcaddr "BGPpeer12.12.12.12"
set dstaddr "all"
set action accept
set service "BGP"
set schedule "always"
next
end</pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Create a rule below it that blocks all IPs to port 179 on the Fortigate:</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config firewall local-in-policy
edit 0
set intf "port1"
set srcaddr "all"
set dstaddr "all"
set service "BGP"
set schedule "always"
next
end</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_ssl_vpn_limit_access_to_the_port_10443_to_a_specific_country_israel_in_this_example">SSL VPN - limit access to the port 10443 to a specific country, Israel in this example</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Fortigates have suffered a bunch of remotely exploitable vulnerabilities in their SSL
VPN service. And while not securing against that, restricting access to VPN SSL
to the country where the Fortigate and VPN clients are located will set up
another hurdle on the attackers' path.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
Starting with FortiOS <strong>7.2</strong> it is no longer necessary to use a Local-in
policy for that, because the SSL VPN settings accept a Geo object as the source address to
limit the access. For versions before 7.2, it is still doable only in a Local-in
policy.
</td>
</tr>
</table>
</div>
<div class="ulist">
<ul>
<li>
<p>Create Geo address representing Israel IPs:</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config firewall address
edit "ILgeoIPs"
set type geography
set comment "All Israel IPs"
set country "IL"
next
end</pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Use it in a Local-in policy for port 10443 (or whatever other port is set for SSL VPN):</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config firewall local-in-policy
edit 0
set intf "port1"
set srcaddr "ILgeoIPs"
set dstaddr "all"
set service "Custom_10443" <-- Custom service, created earlier, not shown
set schedule "always"
set action accept
next
end</pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Finally, deny access to all the rest:</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config firewall local-in-policy
edit 0
set intf "port1"
set srcaddr "all"
set dstaddr "all"
set service "Custom_10443" <-- Custom service, created earlier, not shown
set schedule "always"
next
end</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_deny_all_services_from_all_ip_addresses">Deny all services from all IP addresses</h2>
<div class="sectionbody">
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<i class="fa icon-warning" title="Warning"></i>
</td>
<td class="content">
Do this only after you have identified all services you need to be
exposed to the outside on the given interface, especially management if any, and
created rules in Local in Policy allowing them.
</td>
</tr>
</table>
</div>
<div class="listingblock">
<div class="content">
<pre>config firewall local-in-policy
edit 0
set intf "port1"
set srcaddr "all"
set dstaddr "all"
set action deny
set service "ALL"
set schedule "always"
next
end</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_limit_management_port_access_to_specific_ips">Limit management port access to specific IPs</h2>
<div class="sectionbody">
<div class="ulist">
<div class="title">A few reasons to mention:</div>
<ul>
<li>
<p>Fortigate already has a built-in feature, <code>trusthost</code>, for that.</p>
</li>
<li>
<p>The risk is great - Local-in rules are not visible in GUI, IP addresses change
frequently, and it is easy to forget to change such a rule with the result being
locked out of the Fortigate altogether. The chance of having to use console to
get access back is substantial.</p>
</li>
<li>
<p>You can create a Loopback interface and enable management protocols just
there. This way, you will have to create an explicit Security rule that will be
prominent, which will also log all management access by default.</p>
</li>
<li>
<p>If you still decide to do so, configure the rule as in the other cases. The Local-in
policy <strong>overrides</strong> the <em>Trusted Host</em> settings for admin users.</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>config firewall local-in-policy
edit 0
set intf "port1"
set srcaddr "Management_IPs"
set dstaddr "all"
set service "admin_port"
set schedule "always"
set action accept
next
end
config firewall local-in-policy
edit 0
set intf "port1"
set srcaddr "all"
set dstaddr "all"
set service "admin_port"
set schedule "always"
next
end</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_verification_and_debug">Verification and Debug</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="_show_configured_local_in_policies_strong_show_firewall_local_in_policy_strong">Show configured Local-in policies: <strong>show firewall local-in-policy</strong></h3>
<div class="listingblock">
<div class="content">
<pre>show firewall local-in-policy
config firewall local-in-policy
edit 1
set uuid 140e2800-ea2d-51ec-838f-8ecf16d58d4e
set intf "port1"
set srcaddr "VPNpeer1"
set dstaddr "all"
set action accept
set service "IKE" "ESP"
set schedule "always"
next
edit 2
set uuid cfcaa5f0-ea2d-51ec-bc4a-56cacfb950b4
set intf "port1"
set srcaddr "all"
set dstaddr "all"
set service "IKE" "ESP"
set schedule "always"
next
edit 3
set uuid d89f54b6-ea30-51ec-9646-909a1610e650
set intf "port1"
set srcaddr "BGPpeer12.12.12.12"
set dstaddr "all"
set action accept
set service "BGP"
set schedule "always"
next
edit 4
set uuid 0f9275d4-ea31-51ec-5c9b-271138ae6f3d
set intf "port1"
set srcaddr "all"
set dstaddr "all"
set service "BGP"
set schedule "always"
next
end</pre>
</div>
</div>
</div>
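<div class="paragraph">
<p>The accept-then-deny ordering that every section above relies on (BGP peer, SSL VPN by country, management IPs) is easy to get wrong, and a deny-all placed above its accept rule is exactly the lock-out scenario warned about. The following Python script is an added example, not code from the original post or from Fortinet: it parses the text of <strong>show firewall local-in-policy</strong> and, per interface and service, reports whether the chain is correct, has no catch-all deny, accepts from any source, or has its accept rule shadowed by an earlier deny-all. The sample config is constructed: rules 3 and 4 are the BGP pair from the listing above; rules 5 to 7, reusing the object names <code>Management_IPs</code>, <code>admin_port</code>, <code>ILgeoIPs</code> and <code>Custom_10443</code> from the sections above, are hypothetical and deliberately flawed. The check relies on the fact that a Local-in rule without <code>set action</code> is a deny, and on rules being evaluated top to bottom in the listed order.</p>
</div>

```python
"""Added example (not from the original post): parse `show firewall local-in-policy`
output and check that each service on each interface follows the pattern
accept-from-specific-sources first, catch-all deny from "all" last."""
import re
from dataclasses import dataclass

# Constructed sample: rules 3 and 4 are the BGP pair shown in the post;
# rules 5-7 are hypothetical and deliberately flawed to exercise the checks.
SAMPLE_CONFIG = """\
config firewall local-in-policy
    edit 3
        set intf "port1"
        set srcaddr "BGPpeer12.12.12.12"
        set dstaddr "all"
        set action accept
        set service "BGP"
        set schedule "always"
    next
    edit 4
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "BGP"
        set schedule "always"
    next
    edit 5
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "admin_port"
        set schedule "always"
    next
    edit 6
        set intf "port1"
        set srcaddr "Management_IPs"
        set dstaddr "all"
        set service "admin_port"
        set schedule "always"
        set action accept
    next
    edit 7
        set intf "port1"
        set srcaddr "ILgeoIPs"
        set dstaddr "all"
        set service "Custom_10443"
        set schedule "always"
        set action accept
    next
end
"""


@dataclass
class Rule:
    pid: int
    intf: str = ""
    srcaddr: tuple = ()
    services: tuple = ()
    action: str = "deny"  # FortiOS default when 'set action' is omitted


def parse_local_in(text):
    """Return the rules in the order FortiOS evaluates them (top to bottom)."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.fullmatch(r"edit (\d+)", line)):
            cur = Rule(int(m.group(1)))
        elif line == "next" and cur is not None:
            rules.append(cur)
            cur = None
        elif cur is not None and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            key = m.group(1)
            # values may be quoted ("IKE" "ESP") or bare (accept)
            vals = tuple(v.strip('"') for v in re.findall(r'"[^"]*"|\S+', m.group(2)))
            if key == "intf":
                cur.intf = vals[0]
            elif key == "srcaddr":
                cur.srcaddr = vals
            elif key == "service":
                cur.services = vals
            elif key == "action":
                cur.action = vals[0]
    return rules


def audit(rules):
    """Map (interface, service) -> verdict string."""
    chains = {}
    for r in rules:
        for svc in r.services:
            chains.setdefault((r.intf, svc), []).append(r)
    verdicts = {}
    for key, chain in chains.items():
        accepts = [r for r in chain if r.action == "accept"]
        deny_all = [r for r in chain if r.action == "deny" and "all" in r.srcaddr]
        open_accepts = [r for r in accepts if "all" in r.srcaddr]
        if open_accepts:
            verdicts[key] = f"open: rule {open_accepts[0].pid} accepts from any source"
        elif not deny_all:
            verdicts[key] = "no catch-all deny: still reachable from any source"
        else:
            # position in the listing, not the policy id, decides precedence
            first_deny = chain.index(deny_all[0])
            shadowed = [r for r in accepts if chain.index(r) > first_deny]
            if shadowed:
                verdicts[key] = (f"shadowed: deny-all rule {deny_all[0].pid} "
                                 f"precedes accept rule {shadowed[0].pid}")
            else:
                verdicts[key] = "ok"
    return verdicts


if __name__ == "__main__":
    for (intf, svc), verdict in audit(parse_local_in(SAMPLE_CONFIG)).items():
        print(f"{intf} {svc}: {verdict}")
```

Feed it the saved output of the command instead of <code>SAMPLE_CONFIG</code>. Since <code>edit 0</code> appends a new rule at the end of the list, the script's position-based check is what tells you whether a later-added deny-all landed below, not above, the accept rule it is meant to complement.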
<div class="sect2">
<h3 id="_show_policy_hit_count_strong_diag_firewall_iprope_show_00100001_em_policy_id_em_strong">Show policy hit count: <strong>diag firewall iprope show 00100001 <em>policy-id</em></strong></h3>
<div class="paragraph">
<p>Let’s see how many times incoming BGP connections were blocked on rule 4 above:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>diag firewall iprope show 00100001 4
idx:4
pkts:30 (30 0 0 0 0 0 0 0)
bytes:1800 (1800 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:30 (30 0 0 0 0 0 0 0)
first hit:2022-06-12 04:21:01 last hit:2022-06-12 04:25:35</pre>
</div>
</div>
<div class="paragraph">
<p>We can see that 30 packets have been blocked incoming on port 179 so far.
Note: hit count statistics on Local-in rules are available starting with 7.0
only.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
The key here is to use <em>00100001</em> as the table index for Local-in policy.
</td>
</tr>
</table>
</div>
</div>
<div class="sect2">
<h3 id="_usual_and_proven_strong_diagnose_debug_flow_strong">Usual and proven: <strong>diagnose debug flow</strong></h3>
<div class="paragraph">
<p>Let’s see how the Fortigate blocks BGP incoming connection in real-time.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>dia debug flow filter port 179
dia debug flow show function
diagnose debug enable
dia debug flow trace start
# id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a
packet(proto=6, 10.10.10.218:23538->10.10.10.111:179) tun_id=0.0.0.0 from
port1. flag [S], seq 2606637155, ack 0, win 65535"
id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new
session-00003239, tun_id=0.0.0.0"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route:
flag=84000000 gw-10.10.10.111 via root"
id=65308 trace_id=1 func=fw_local_in_handler line=522 msg="iprope_in_check()
check failed on policy 4, drop"</pre>
</div>
</div>
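<div class="paragraph">
<p>When the trace runs for a while, the lines of one connection are interleaved with others and the only thing tying them together is <em>trace_id</em>. The Python snippet below is an added example, not part of the original post: it groups the output by <em>trace_id</em>, pairs each <code>received a packet(...)</code> line with its <code>iprope_in_check() check failed on policy N, drop</code> line, and counts drops per policy, source IP and destination port. The sample is constructed from the trace above re-joined to one line per message, plus two hypothetical traces (a second dropped source and one from the allowed peer that shows no Local-in drop).</p>
</div>

```python
"""Added example (not from the original post): correlate `diagnose debug flow`
lines by trace_id and summarise Local-in policy drops."""
import re
from collections import Counter

# Constructed sample: trace_id=1 is the trace from the post, one message per
# line; trace_id=2 and trace_id=3 are hypothetical.
SAMPLE_TRACE = """\
id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.10.10.218:23538->10.10.10.111:179) tun_id=0.0.0.0 from port1. flag [S], seq 2606637155, ack 0, win 65535"
id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-00003239, tun_id=0.0.0.0"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-10.10.10.111 via root"
id=65308 trace_id=1 func=fw_local_in_handler line=522 msg="iprope_in_check() check failed on policy 4, drop"
id=65308 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.10.10.219:41002->10.10.10.111:179) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 65535"
id=65308 trace_id=2 func=fw_local_in_handler line=522 msg="iprope_in_check() check failed on policy 4, drop"
id=65308 trace_id=3 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 12.12.12.12:50000->10.10.10.111:179) tun_id=0.0.0.0 from port1. flag [S], seq 2, ack 0, win 65535"
id=65308 trace_id=3 func=init_ip_session_common line=6076 msg="allocate a new session-00003240, tun_id=0.0.0.0"
"""

# first line of every trace: the packet 5-tuple
PKT_RE = re.compile(
    r"trace_id=(\d+) .*packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)")
# the Local-in verdict line, present only when a policy dropped the packet
DROP_RE = re.compile(
    r"trace_id=(\d+) .*iprope_in_check\(\) check failed on policy (\d+), drop")


def parse_trace(text):
    """Return {trace_id: {proto, src, sport, dst, dport, dropped_by}}."""
    traces = {}
    for line in text.splitlines():
        if (m := PKT_RE.search(line)):
            tid, proto, src, sport, dst, dport = m.groups()
            traces[tid] = {"proto": int(proto), "src": src, "sport": int(sport),
                           "dst": dst, "dport": int(dport), "dropped_by": None}
        elif (m := DROP_RE.search(line)):
            tid, policy = m.groups()
            traces.setdefault(tid, {})["dropped_by"] = int(policy)
    return traces


def drops_by_policy_and_source(traces):
    """Counter keyed by (policy id, source IP, destination port) for dropped traces."""
    counts = Counter()
    for t in traces.values():
        if t.get("dropped_by") is not None:
            counts[(t["dropped_by"], t.get("src"), t.get("dport"))] += 1
    return counts


if __name__ == "__main__":
    for (policy, src, dport), n in sorted(
            drops_by_policy_and_source(parse_trace(SAMPLE_TRACE)).items()):
        print(f"policy {policy} dropped {n} packet(s) from {src} to port {dport}")
```

Paste a captured trace into <code>SAMPLE_TRACE</code> (or read it from a file) and the per-source counts show at a glance who is probing the port the Local-in rule protects, without scrolling through every <em>func=</em> line.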
</div>
</div>
</div>
<div class="sect1">
<h2 id="_additional_resources">Additional resources</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://yurisk.info/2020/06/07/fortigate-local-in-policy/">Additional post about Local-in policy with screenshots as well</a></p>
</li>
<li>
<p><a href="https://yurisk.info/2022/04/04/fortigate-workspace-mode-commit-changes-example/">Fortigate Workspace Mode to commit changes in a batch</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>
Aruba and HP switches debug and diagnostics commands cheat sheet, 2022-06-16, Yuri Slobodyanyuk, tag:yurisk.info,2022-06-16:/2022/06/16/aruba-hp-switches-debug-and-diagnostics-commands-cheat-sheet/
<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_general_health">General Health</a></li>
<li><a href="#_logs">Logs</a></li>
<li><a href="#_interfaces">Interfaces</a></li>
<li><a href="#_vlans">VLANs</a></li>
<li><a href="#_daemons_real_time_debug">Daemons Real-Time Debug</a></li>
<li><a href="#_spanning_tree_protocol_stp">Spanning Tree Protocol (STP)</a></li>
<li><a href="#_routing_info">Routing Info</a>
<ul class="sectlevel2">
<li><a href="#_static">Static</a></li>
<li><a href="#_bgp">BGP</a></li>
<li><a href="#_ospf">OSPF</a></li>
</ul>
</li>
<li><a href="#_lldp_mac_cdp">LLDP & MAC & CDP</a></li>
<li><a href="#_poe">PoE</a></li>
<li><a href="#_dhcp">DHCP</a></li>
<li><a href="#_ntp">NTP</a></li>
<li><a href="#_vsf_virtual_switching_framework">VSF (Virtual Switching Framework)</a></li>
</ul>
</div>
<div id="preamble">
<div class="sectionbody">
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
All commands were tested on HP/Aruba 5400 switches (specifically
5406Rzl2), but will work on any model with recent firmware versions (16.x or
newer), except for the hardware features unavailable on smaller models, like VSF.
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_general_health">General Health</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show system</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show general info: current CPU load, uptime, memory used/free, software
version.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show cpu [<em>seconds</em>]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show CPU stats of average load for 1 second, 5 seconds, and 1 minute,
optionally setting period in <em>seconds</em> (300 is max).</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show uptime</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show uptime of the switch since reboot, for VSF stacked switches shows uptime
for each member.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show time</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show switch time and date, for log correlation.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show flash</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show what firmware images are stored in the flash, and which one is the
primary/secondary for the next boot.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show boot-history</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show log of previous boots with their reason (user reboot/cold reboot), crashes
and what process crashed with its memory dump, and timestamps.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>boot system flash primary|secondary</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Set the image to boot from on the next reboot.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show redundancy [detail]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">For a standalone chassis with redundant management modules or a stack, shows the firmware image
version of each management module, as well as the number of failovers.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show system power-supply [detail]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show statistics of the power supplies: power consumed, power supplied, fan
speed, inlet and internal temperature.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show system fans</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show fans state: OK/Failed, and number of failures if any. For VSF shows info
for both members.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show config <em>option</em></strong></p></td>
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
<p>Display part of saved configuration given by <em>option</em>:</p>
</div>
<div class="paragraph">
<p><code>status</code>: Tell if the running config differs from the startup config.</p>
</div>
<div class="paragraph">
<p><code>interface</code> <em>port-id</em>: Show startup config for the specified interface.</p>
</div>
<div class="paragraph">
<p><code>router bgp|ospf|pim</code>: Show startup configuration section for this routing
protocol.</p>
</div>
<div class="paragraph">
<p><code>vlan</code> <em>vlan-id</em>: Startup configuration for VLAN(s).</p>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show modules</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show installed modules and their state and serial numbers.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show tech [all]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">WARNING: I list this command for completeness' sake, but it will run
dozens/hundreds of debug commands, printing lots of info, hundreds of pages,
which in turn will load the switch as well. Run it with caution, most probably
only at HPE support's request.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show environment</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show the temperature readings of the chassis sensors.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="_logs">Logs</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
<p>Logs severity:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>W=Warning</p>
</li>
<li>
<p>I=Information</p>
</li>
<li>
<p>M=Major</p>
</li>
<li>
<p>D=Debug</p>
</li>
<li>
<p>E=Error</p>
</li>
</ul>
</div></div></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">All logs are categorized into severities when written, and the severity is
presented in the 1st column of each log. This also
allows filtering logs for display by their severity, see below.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show logging -r</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show system logs and events in reverse chronological order, i.e. newest logs
first.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show log -a</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show logs from previous boot cycles. HP/Aruba will display only logs since the
last boot, by default, but you can add <code>-a</code> to any of the log display commands
below to work on previous logs as well.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show log <em>string-to-search</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Search and display only logs containing the specified string. The search is
<strong>case sensitive</strong>, and no regex - just plain strings with exact match. E.g. to
search for logs containing the interface <em>1/B2</em>: <code>show log 1/B2</code>; to search
for all bgp-related logs like peer up/down: <code>show log -r bgp</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show log command [-a]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show log of commands issued by users on CLI. This log is NOT hidden even by
the <code>clear log</code> and records all commands - both configuration and not. So, it
will record commands like <code>ping 8.8.8.8</code>, <code>clear log</code>, <code>no router bgp</code>. Adding
<code>-a</code> will show logs from previous boot cycles.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show running-config changes-history [detail]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Display history of up to 32 last changes to the configuration, including time
of change, IP address if any, event id. This will NOT show what the changes were
themselves though.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show log -m/-e/-p/-w/-i/-d</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show only logs of the specified severity, see above for the available
severities.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>clear log</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Hides, not deletes, (almost) all logs for the current session. Applying <code>-a</code>
will still display all logs.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show log -s</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Display logs from the Standby commander/management module in a VSF stack or in
standalone switch with management module redundancy.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show log -b</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show logs with time since boot instead of an absolute date/time format.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="_interfaces">Interfaces</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show interface [<em>port-id</em>]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show as a table (if <em>port-id</em> is not given) all ports with the total
bytes/frames, Rx/Tx errors, and Broadcast limit if set for each port.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>clear statistics global</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Clear counters on all interfaces.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show interface status</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show list of all interfaces with info for each: state (Up/Down), Actual Speed,
Tagged or not, VLANs configured for the interface (single VLAN for Untagged,
<code>multiple</code> for Tagged). NOTE: In Cisco world Tagged interface is called <strong>trunk</strong>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>display interface [<em>name</em>]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show detailed information of an interface: media type, speed/duplex state, MAC
address, up/down, max frame size, VLAN id if any untagged set and <code>.</code> (dot) for
multiple tagged VLANs, input/output errors, buffer failures, CRC errors, runts.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show interface display</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Present TUI dialog window with real-time information for all interfaces,
including total bytes/frames, Rx/Tx errors, and drops. The information is
updated every 3 seconds dynamically. Use arrows/tab to navigate, CTRL + C to
exit the menu.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show interfaces custom <em>start-port</em>[-<em>end-port</em>] &lt;port / type / status / speed
/ mode / name / vlan / enabled&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show selected ports with only specified fields: <code>port</code>, <code>type</code>, <code>status</code> etc.
E.g. <code>show interface custom 1/B1 port status speed vlan</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show interface port-utilization</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show, as a one-time table snapshot, the current traffic rates passing through each interface.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show interface trunk-utilization</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show current traffic rates of all trunks.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show int queue <em>port-name</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show statistics of all queue buffers of a given interface, including <em>drops</em>
for each.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>conf t</strong>
</p><p class="tableblock"><strong>int <em>name</em></strong>
</p><p class="tableblock"><strong>disable/enable</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Disable/enable a specific interface (in Cisco world <code>shut</code>/<code>no shut</code>)</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show interface transceiver [<em>name</em>] [detail]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Info on installed optical transceivers: Port number where installed,
Type/Speed, Serial Number. If <em>detail</em> is added, will also show temperature,
voltage, Transmit (TX) and Receive (RX) power in mW and dBm.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ip</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show all configured IP addresses on a switch.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show arp vlan <em>vlan-id</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">List all IP addresses (provided Layer 3 features are enabled) learned on the
VLAN <em>vlan-id</em>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show name</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Lists all interfaces with their names if set. In Cisco it would be <code>show int
description</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show trunks</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show trunk interfaces with their state and type. NOTE: In HP/Aruba world
<strong>trunk</strong> means aggregated interfaces (LAG), what in Cisco world is called
port/ether-channel.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show trunk-statistics <em>trunk-name</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show cumulative statistics for the trunk interface: packets passed, bytes
received, drops if any.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show lacp</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show LACP state on the trunking interfaces.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show lacp counters</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show stats for received/sent LACP PDUs per trunk (should be increasing).</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show port-security <em>port-id</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show port security state for all/specified interfaces.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>test cable-diagnostics <em>port-list</em></strong>
</p><p class="tableblock"><strong>show cable-diagnostics</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Initiate and show results of Time-domain reflectometer cable diagnostics test
to check Ethernet cables for faults. This will <strong>shut down</strong> temporarily all the
tested ports!</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="_vlans">VLANs</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show vlans</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show a list of all VLANs configured on this switch.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show vlans ports <em>port-name</em>[<em>,port2-name</em>…​]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show VLANs enabled on the specified physical port(s).</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show vlans <em>vlan-id</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show ports where the specified <em>vlan-id</em> is enabled, either as <code>tagged</code> or
<code>untagged</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>conf t</strong>
</p><p class="tableblock"><strong>(config)# no vlan <em>vlan-id</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Deletes VLAN <em>vlan-id</em> from the configuration and un-assigns all ports from it;
ports left with no other VLAN association are auto-assigned to the default
VLAN 1. WARNING: this command deletes the specified VLAN no matter which
sub-config mode you issue it from. That is, even under interface config mode, it
will remove all configuration for this VLAN from everywhere.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="_daemons_real_time_debug">Daemons Real-Time Debug</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show debug</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show currently enabled debugs.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>debug destination logging/session/buffer</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Set location to output the debug to (default <code>none</code>), run before enabling the
debug:
</p><p class="tableblock"><code>logging</code> - send the debug to the configured (if any) syslog server.
</p><p class="tableblock"><code>session</code> - send to the terminal (Cisco analog of <code>term mon</code>).
</p><p class="tableblock"><code>buffer</code> - send to the switch memory buffer.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show debug buffer</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show log buffer with the collected debug output if the destination was set to
<code>buffer</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>[no] debug <em>daemon-name</em></strong></p></td>
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
<p>Enable real-time debug of the specified daemon. Use the <code>no</code> option to disable the
debug. The daemons are:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>acl</code> Displays debug messages for access control lists.</p>
</li>
<li>
<p><code>all</code> Display all debug messages.</p>
</li>
<li>
<p><code>aruba-central</code> Display Aruba Central server debug information.</p>
</li>
<li>
<p><code>bfd</code> Enable BFD debug logging.</p>
</li>
<li>
<p><code>cdp</code> Display CDP information.</p>
</li>
<li>
<p><code>cfg-restore</code> Display cfg-restore debug messages.</p>
</li>
<li>
<p><code>dhcp-server</code> Display DHCP server debug messages.</p>
</li>
<li>
<p><code>distributed-trunking</code> Display DT debug messages.</p>
</li>
<li>
<p><code>est</code> Display EST debug messages.</p>
</li>
<li>
<p><code>event</code> Display event log messages.</p>
</li>
<li>
<p><code>ip</code> Display debug messages for IPv4.</p>
</li>
<li>
<p><code>ip-sla</code> Enable debug logs for IP SLA.</p>
</li>
<li>
<p><code>ipv6</code> Enable debug messages for IPv6.</p>
</li>
<li>
<p><code>lacp</code> Display LACP information.</p>
</li>
<li>
<p><code>lldp</code> Display LLDP information.</p>
</li>
<li>
<p><code>mdns</code> Display mDNS debug messages.</p>
</li>
<li>
<p><code>mstp</code> Display MSTP debug messages.</p>
</li>
<li>
<p><code>mvrp</code> Enable MVRP debug messages.</p>
</li>
<li>
<p><code>ntp</code> Display debug messages for NTP.</p>
</li>
<li>
<p><code>openflow</code> Display all OpenFlow packets.</p>
</li>
<li>
<p><code>rest-interface</code> Display REST debug information.</p>
</li>
<li>
<p><code>rpvst</code> Display RPVST debug messages.</p>
</li>
<li>
<p><code>security</code> Display all Security messages.</p>
</li>
<li>
<p><code>services</code> Display debug messages on services module.</p>
</li>
<li>
<p><code>smart-link</code> Display Smart link debug messages.</p>
</li>
<li>
<p><code>snmp</code> Display SNMP debug messages.</p>
</li>
<li>
<p><code>time-stamp</code> Enable/disable system time to be associated with debug messages.</p>
</li>
<li>
<p><code>tunnel</code> Display tunnel debug messages.</p>
</li>
<li>
<p><code>udld</code> Display UDLD debug messages.</p>
</li>
<li>
<p><code>uplink-failure-detection</code> Display UFD debug messages.</p>
</li>
<li>
<p><code>usertn</code> Displays authentication module log messages for user-based tunneled node.</p>
</li>
<li>
<p><code>vrrp</code> Display VRRP debug messages.</p>
</li>
<li>
<p><code>ztp</code> Display ZTP debug messages.</p>
</li>
</ul>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>debug ip <em>routing-process</em></strong></p></td>
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
<p>Debug various routing processes. The <em>routing-process</em> is one of:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>bgp</code> Display all BGP routing messages.</p>
</li>
<li>
<p><code>client-tracker</code> Displays debug messages for IP client tracker.</p>
</li>
<li>
<p><code>fib</code> Display IP Forwarding Information Base messages &amp; events.</p>
</li>
<li>
<p><code>forwarding</code> Display IPv4 forwarding messages.</p>
</li>
<li>
<p><code>iface</code> Display interface management messages.</p>
</li>
<li>
<p><code>igmp</code> Display all IGMP messages.</p>
</li>
<li>
<p><code>ospf</code> Display all OSPF routing messages.</p>
</li>
<li>
<p><code>ospfv3</code> [Deprecated] Enable debug messages for OSPFv3.</p>
</li>
<li>
<p><code>packet</code> Display IPv4 packet messages.</p>
</li>
<li>
<p><code>pbr</code> Enable debug messages for PBR.</p>
</li>
<li>
<p><code>pim</code> Enable/disable tracing of PIM messages.</p>
</li>
<li>
<p><code>rip</code> Display all RIP routing messages.</p>
</li>
</ul>
</div></div></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="_spanning_tree_protocol_stp">Spanning Tree Protocol (STP)</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>display stp root</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show root switch for each VLAN.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>display stp brief</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show STP state for each port/VLAN - Forwarding/Blocking, STP role.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="_routing_info">Routing Info</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="_static">Static</h3>
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ip</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show IP routing state: disabled/enabled. It is disabled by default; to enable it
on platforms that support Layer 3 routing: <strong>(config)# ip routing</strong>. Also displays a
list of all the interfaces/VLANs with an IP address set.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ip route</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show static and connected routes on the switch.</p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_bgp">BGP</h3>
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ip bgp summary</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show in short format all BGP peers with their IP address, AS number, and state.
The first command to try for BGP.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ip bgp <em>prefix/mask</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show BGP info for the specified prefix.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ip bgp</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Display routes learned via BGP.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ip bgp neighbor [<em>ip-address-of-peer</em>]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show detailed information about the BGP session with all or the specified
peer(s), including hold time, weight, prefixes advertised/received, etc.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ip bgp neighbor <em>ip-address</em> advertised-routes</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Display routes we advertise via BGP to the <em>ip-address</em> neighbor.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ip bgp neighbor <em>ip-address</em> received-routes</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Display routes we learned from the given BGP peer.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show log bgp</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show logs that include the word <code>bgp</code>. They will include BGP peering
establishment/teardown.</p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_ospf">OSPF</h3>
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ip ospf</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show if the OSPF process is running and router id.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ip ospf area</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show all areas configured on this device.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ip ospf statistics</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">List OSPF packet statistics (OSPF sent, received, and error packet counts) for all
OSPF-enabled interfaces.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ip ospf interface</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show OSPF interfaces' information.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ip ospf neighbor</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">List all established neighborships on this device.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ip ospf link-state</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show all Link State Advertisements.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_lldp_mac_cdp">LLDP & MAC & CDP</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show lldp info remote-device [detail]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Display LLDP neighbors. The info includes: local port name, chassis id of the
peer, remote system name, remote port. If <em>detail</em> is added, it will also show the
exact firmware version used, and the management IP address if configured. Useful for
topology discovery: which switch is connected to which.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show lldp info local-device [detail]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show info about the device you are connected to: chassis id, system name,
firmware image version, IP addresses configured.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show lldp stats</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show LLDP packets sent/received per port.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show mac-address [detail]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show the complete MAC address table with port names, MAC addresses, and VLANs. If
<em>detail</em> is added, it will also show the age of each entry.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show mac-address vlan <em>vlanid</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show MAC addresses learned on the specified VLAN.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show mac-address <em>port1</em>[,<em>port2</em>…​]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show MAC addresses learned on specified ports.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show cdp neighbors [detail]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show list of CDP neighbors with info on their MAC address, model, and the local port
where each was seen. Adding <code>detail</code> also shows the IP address of the CDP neighbor, if
configured.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="_poe">PoE</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show power-over-ethernet brief [<em>port name</em>]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show detailed information about PoE-enabled interfaces, including drawn/available
power per port and state. Optionally, limit the output to a specific port.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show power-over-ethernet brief vsf member <em>member id</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show PoE detailed info per VSF member.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show power-over-ethernet</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Display PoE general information for the whole switch: total available/used
power, PoE redundancy status,
internal power.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="_dhcp">DHCP</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show dhcp-server statistics</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show DHCP server stats for Discover/Offer/Ack/NAK messages received/sent,
number of pools configured.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>clear dhcp-server statistics</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Clear DHCP server stats.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show dhcp-server binding|conflict|database|pool</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show various operational parameters of the DHCP server.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="_ntp">NTP</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ntp status</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show current status of NTP.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ntp servers</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Display configured NTP servers.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ntp statistics</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show stats for NTP - number of NTP packets sent/received, and errors.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ntp associations [detail]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show state of associations with the configured NTP servers, together with
stats: delay, offset, dispersion, and stratum.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show run | i ntp</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show NTP-related configs.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="_vsf_virtual_switching_framework">VSF (Virtual Switching Framework)</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show vsf [detail]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show general VSF status: who is active, priority, software versions.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show vsf member <em>member-id</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show general info on a specific member: serial number, uptime, CPU usage,
memory usage, status (Commander/Standby), priority.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show vsf link [detail|utilization]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show info on the VSF link (the VPC peer link in the Cisco world). Problems with the VSF
link may cause a split-brain situation, in which each member acts independently.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show redundancy</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Shows firmware image version of each member, as well as the number of
failovers.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>boot vsf member <em>member-id</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Reboot the specified VSF member.</p></td>
</tr>
</tbody>
</table>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I
publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>How to downgrade Fortigate Fortios version without losing the configuration 2022-05-29T09:55:25+00:00 2022-05-29T09:55:25+00:00 Yuri Slobodyanyuk tag:yurisk.info,2022-05-29:/2022/05/29/how-to-downgrade-fortigate-fortios-version-without-losing-the-configuration/<div class="paragraph">
<p>Upgrading Fortigate Fortios version is easy:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Find the correct upgrade path for the model you have
<a href="https://docs.fortinet.com/upgrade-tool" class="bare">https://docs.fortinet.com/upgrade-tool</a></p>
</li>
<li>
<p>Back up the current configuration: <em>Admin → Configuration → Backup</em></p>
</li>
<li>
<p>If your Fortigate has an active subscription - upgrade directly from the
Fortiguard servers, and if not - upload each Fortios image as a local file.</p>
</li>
</ol>
</div>
<div class="paragraph">
<p>Downgrading is not that straightforward. The reason is that major releases
(and many times minor ones) change the configuration commands in some way:
commands are removed, added, or moved. When upgrading, FortiOS "upgrades" the
configuration file as well, reconciling the differences between releases. E.g. in
FortiOS 5.x and 6.x you configure SD-WAN as <code>config system virtual-wan-link</code>,
but in FortiOS 7.x it was replaced with <code>config system sd-wan</code>. When you follow
the upgrade path, the Fortigate takes care of it automatically. But if you decide to
downgrade, this conversion is NOT done at all. As a consequence, you cannot apply a
FortiOS 7.2 configuration backup to a FortiOS 6.4 Fortigate. In fact, the
Fortigate will issue an error if you try, as the firmware version is in the
header of the config file.</p>
</div>
<div class="paragraph">
<p>The best way to downgrade and keep the configuration is to save the configuration on
<strong>each upgrade step</strong>: upgraded 6.4.3 → 6.4.9? Back up the configuration. In
that case you can freely reset the Fortigate to factory defaults, downgrade to
any version you want, say from 7.2 to 6.4.9, and then upload the backed-up
configuration of version 6.4.9.</p>
</div>
<div class="paragraph">
<p>If you didn’t save the configuration on the intermediate upgrades, then there is a
risk to weigh. The risk is that downgrading to a lower version may delete, or
render non-working, various parts of the Fortigate configuration. And there is no
tool to calculate this risk or help assess what is going to happen to
the configuration. In my opinion it is safer to manually copy &amp; paste the important
configuration parts into the factory-defaulted configuration after downgrading.</p>
</div>
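<div class="paragraph">
<p>As an added example (my code, not part of this post and not a Fortinet tool), the Python below performs the pre-restore sanity check the two paragraphs above imply: it reads the firmware version from the backup header and refuses a backup taken on a newer release than the target, and it flags the one renamed block the post names, <code>config system sd-wan</code>, when the target is older than 7.x and knows it only as <code>config system virtual-wan-link</code>. The <code>#config-version=</code> header layout is an assumption of the example, and the two sample backups are constructed, not real device output.</p>
</div>

```python
"""Pre-restore sanity check for a FortiGate configuration backup.

Added example, not Fortinet tooling. The header layout below and the
sample backups are assumptions made for the example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# First line of a backup, as assumed here:
#   #config-version=FGT60E-6.4.9-FW-build0001-211222:opmode=0:vdom=0:user=admin
HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Za-z0-9]+)-(?P<version>\d+\.\d+\.\d+)"
    r"-FW-build(?P<build>\d+)"
)

# (old block name, new block name, first major release that uses the new name).
# Only the rename the post mentions is listed; extend from release notes.
RENAMED_BLOCKS = [
    ("config system virtual-wan-link", "config system sd-wan", 7),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.4.9' -> (6, 4, 9), so versions compare as tuples, not strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class RestoreCheck:
    model: str
    backup_version: str
    issues: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.issues


def check_restore(backup: str, target_version: str) -> RestoreCheck:
    """Report why `backup` would be rejected or misread by `target_version`."""
    lines = backup.lstrip().splitlines()
    match = HEADER_RE.match(lines[0]) if lines else None
    if match is None:
        raise ValueError("not a FortiGate backup: #config-version header missing")

    result = RestoreCheck(model=match["model"], backup_version=match["version"])
    src = parse_version(match["version"])
    dst = parse_version(target_version)

    # FortiOS converts a config upwards on upgrade but never downwards, and it
    # reads the version from the header, so a newer backup is rejected outright.
    if src[:2] > dst[:2]:
        result.issues.append(
            f"backup is from {match['version']} but the target runs {target_version}: "
            "a config from a newer release is refused"
        )

    # A block that exists only under its new name from some major release on
    # is unknown to an older target and would be dropped or fail to load.
    for old_name, new_name, since_major in RENAMED_BLOCKS:
        if new_name in backup and dst[0] < since_major:
            result.issues.append(
                f"'{new_name}' exists only from {since_major}.x; "
                f"on {target_version} the block is '{old_name}'"
            )
    return result


# Constructed sample backups (not real device output); build numbers are placeholders.
BACKUP_72 = """#config-version=FGVM64-7.2.0-FW-build0001-220401:opmode=0:vdom=0:user=admin
config system global
    set hostname "fw-lab"
end
config system sd-wan
    set status enable
end
"""

BACKUP_649 = """#config-version=FGVM64-6.4.9-FW-build0001-211201:opmode=0:vdom=0:user=admin
config system global
    set hostname "fw-lab"
end
config system virtual-wan-link
    set status enable
end
"""

if __name__ == "__main__":
    for sample in (BACKUP_72, BACKUP_649):
        check = check_restore(sample, "6.4.9")
        verdict = "OK" if check.ok else "; ".join(check.issues)
        print(f"{check.model} {check.backup_version} -> 6.4.9: {verdict}")
```

<div class="paragraph">
<p>Run as a script, the block checks both samples against a 6.4.9 target: the 6.4.9 backup passes, the 7.2.0 backup is reported twice, once for the version and once for the SD-WAN block. Extending <code>RENAMED_BLOCKS</code> with renames you have confirmed from the release notes is the obvious next step; the list here is deliberately limited to the one the post gives.</p>
</div>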
<div class="paragraph">
<p>The officially supported way to convert a Fortigate configuration between
different models and firmware versions is <strong>FortiConverter</strong>. FortiConverter
comes either as standalone software paid yearly (expensive), or as a one-time
service from Fortinet support.</p>
</div>
FortiOS 7.2 New - diagnose debug flow in the GUI 2022-04-21T08:55:25+00:00 2022-04-21T08:55:25+00:00 Yuri Slobodyanyuk tag:yurisk.info,2022-04-21:/2022/04/21/fortios-7-2-new-diagnose-debug-flow-in-gui/<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>One of the most helpful additions: <strong>dia debug flow</strong> is accessible in the GUI now. This can help when saving the trace
for later analysis, attaching it to a TAC case, or instructing someone less
technical to do it. The usual CLI <strong>diagnose debug flow</strong> is still there and unchanged.</p>
</div>
<div class="paragraph">
<p><em>Video has no sound</em>.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/FortiOS-7.2-dia-debug-flow.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_additional_resources">Additional Resources</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc">Fortigate CLI debug cheat sheet on Github</a></p>
</li>
</ul>
</div>
</div>
</div>FortiOS 7.2 New - improved packet sniffer in the GUI 2022-04-21T08:55:25+00:00 2022-04-21T08:55:25+00:00 Yuri Slobodyanyuk tag:yurisk.info,2022-04-21:/2022/04/21/fortios-7-2-new-improved-packet-sniffer-in-gui/<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p><strong>FortiOS 7.2 New: Improved packet sniffer in the GUI</strong>. This episode is about the
improved/re-worked packet sniffer in the GUI. The most notable improvement is that we
can see the captured packets' payload directly in the GUI!</p>
</div>
<div class="paragraph">
<p><em>Video has no sound</em>.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/FortiOS-7.2-packet-sniffer-in-GUI.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_additional_resources">Additional Resources</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc">Fortigate sniffer and other debug cheat sheet on Github</a></p>
</li>
</ul>
</div>
</div>
</div>FortiOS 7.2 New: diagnose sys top process monitor in the GUI 2022-04-21T07:55:25+00:00 2022-04-21T07:55:25+00:00 Yuri Slobodyanyuk tag:yurisk.info,2022-04-21:/2022/04/21/Fortios-7-2-new-diagnose-sys-top-process-monitor-in-gui/<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p><strong>FortiOS 7.2</strong> is out and is full of cool new features! In this video I will show
a completely new feature in the GUI: <strong>Process Monitor</strong>. It shows in real time the list
of processes and their CPU/memory usage, etc. Basically, all we have in the CLI
as <strong>diagnose sys top</strong> is now available in the GUI. Additionally, it even allows
you to kill any process in the list.</p>
</div>
<div class="paragraph">
<p><em>Video has no sound</em>.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/FortiOS-7.2-whats-new-dia-sys-top-in-GUI.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_additional_resources">Additional Resources</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc">Fortigate sniffer and other debug cheat sheet on Github</a></p>
</li>
</ul>
</div>
</div>
</div>Where do I download Fortigate free trial VM? 2022-04-13T09:55:25+00:00 2022-04-13T09:55:25+00:00 Yuri Slobodyanyuk tag:yurisk.info,2022-04-13:/2022/04/13/where-to-download-fortigate-free-trial-vm/<div class="paragraph">
<p>Where do I download the free trial VM of the Fortigate? Probably the most frequent
question I get asked. And not to stop at the answer "support.fortinet.com", here
is a video walk-through. The version you download has a built-in 15-day trial
license, which comes with some limitations you can read about here:
<a href="https://yurisk.info/2021/02/28/fortigate-vm-evaluation-license-15-days-limitations/" class="bare">https://yurisk.info/2021/02/28/fortigate-vm-evaluation-license-15-days-limitations/</a></p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
Starting with FortiOS 7.2.1, the evaluation license and the process of
issuing it have changed. The steps to download the image, shown below, are still
the same, but make sure to read about new evaluation licensing as well, here:
<a href="https://yurisk.info/2022/08/08/Fortigate-free-VM-Evaluation-License-is-now-permanent-not-15-days/" class="bare">https://yurisk.info/2022/08/08/Fortigate-free-VM-Evaluation-License-is-now-permanent-not-15-days/</a>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>If all you want, on the other hand, is to see how the
Fortigate GUI looks and feels, you can go to <a href="https://fortigate.fortidemo.com" class="bare">https://fortigate.fortidemo.com</a> with
the user/pass <em>demo/demo</em> and log in to a real Fortigate (2000E as of this
writing) as a read-only admin.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/Fortigate-Download-VM-for-free-BLOG-version.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
Fortigate new Workspace Mode to commit changes in a batch - with an example of changing default gateway 2022-04-04T09:55:25+00:00 2022-04-04T09:55:25+00:00 Yuri Slobodyanyuk tag:yurisk.info,2022-04-04:/2022/04/04/fortigate-workspace-mode-commit-changes-example/<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_introduction">Introduction</a>
<ul class="sectlevel2">
<li><a href="#_important_facts_about_workspace_mode">Important facts about WorkSpace Mode</a></li>
</ul>
</li>
<li><a href="#_example_change_wan_ip_address_and_default_gateway">Example - change WAN IP address and default gateway</a>
<ul class="sectlevel2">
<li><a href="#_let_s_start_workspace_session">Let’s start WorkSpace session.</a></li>
<li><a href="#_do_the_configuration_we_need">Do the configuration we need</a></li>
<li><a href="#_verify">Verify</a></li>
<li><a href="#_commit_the_changes_and_finish_the_session">Commit the changes and finish the session</a></li>
</ul>
</li>
</ul>
</div>
<div class="sect1">
<h2 id="_introduction">Introduction</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Fortigate saves and applies changes made on the CLI immediately after you issue
the <code>end</code> / <code>next</code> commands. This can be a problem if,
for example, you need to change the WAN IP address AND the default gateway of the
Fortigate at the same time: if you manage the device through that same interface,
the first change cuts you off before you can make the second. It is also a problem
when you want multiple changes applied if, and only if, all of them succeed, and
otherwise rolled back together.</p>
</div>
<div class="sect2">
<h3 id="_important_facts_about_workspace_mode">Important facts about WorkSpace Mode</h3>
<div class="paragraph">
<p>Starting with FortiOS 6.2, Fortigate firewalls have a new feature, <strong>WorkSpace Mode</strong>, that covers all such cases. A few facts about this feature:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>The workflow is simple: you start a session on the CLI with <code>execute
config-transaction start</code>, make all the changes you want, then commit the
changes and finish the session with <code>execute config-transaction commit</code>.</p>
</li>
<li>
<p>When you edit an object in this mode, the object is locked and other admins cannot edit it at that time.</p>
</li>
<li>
<p>A WorkSpace transaction spans CLI and GUI: an object locked from the CLI cannot be edited in the
GUI either, until the transaction finishes or expires on the CLI.</p>
</li>
<li>
<p>The WorkSpace mode is available to all administrator users of Fortigate, subject to the usual permissions for a user.</p>
</li>
<li>
<p>There is an idle timeout (5 minutes by default, can be changed) after which all the changes are discarded and the session aborted if
the user has been inactive for that long.</p>
</li>
<li>
<p>If an admin user disconnects or loses the connection while a transaction is active, all changes are discarded when the session expires on the idle timeout. You cannot re-connect to a lost session, nor to someone else’s.</p>
</li>
<li>
<p>Changes can be aborted by the admin at any time before they are committed, with <code>exe config-transaction abort</code>.</p>
</li>
<li>
<p>There can be multiple WorkSpace sessions by the same or different users, provided
they work on different configuration subtrees/objects. That is, if user <em>admin</em> is logged
in and configuring routing, you can still log in as <em>admin</em> in another
session and configure anything except routing.</p>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_example_change_wan_ip_address_and_default_gateway">Example - change WAN IP address and default gateway</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Let’s see an example; it will make everything clear. We have a Fortigate connected
to the Internet via the interface <em>port1</em>. The IP is 10.10.10.111/24, the default
gateway is 10.10.10.2. We need to change the IP to 192.168.213.3/24 and the default
gateway to 192.168.213.30, all while connected through the <em>port1</em>
interface.</p>
</div>
<div class="sect2">
<h3 id="_let_s_start_workspace_session">Let’s start WorkSpace session.</h3>
<div class="paragraph">
<p><strong>exe config-transaction start <em>mins</em></strong></p>
</div>
<div class="listingblock">
<div class="content">
<pre>FGT-7-2-0 # exe config-transaction start 10 <b class="conum">(1)</b>
config transaction (id=7) started</pre>
</div>
</div>
<div class="colist arabic">
<ol>
<li>
<p><em>10</em> here is the idle timeout in minutes; the default of 5 minutes is too short for this</p>
</li>
</ol>
</div>
<div class="paragraph">
<p>Verify that the session runs:</p>
</div>
<div class="paragraph">
<p><strong>diagnose sys config-transaction status</strong></p>
</div>
<div class="listingblock">
<div class="content">
<pre>FGT-7-2-0 # diagnose sys config-transaction status
The CLI is running config transaction (id=7)</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_do_the_configuration_we_need">Do the configuration we need</h3>
<div class="paragraph">
<p>We need to change IP address on the interface and the default gateway.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>config system interface
edit "port1"
set vdom "root"
set ip 192.168.213.3 255.255.255.0
set allowaccess ping https ssh http fgfm
set type physical
set snmp-index 1
next
end</pre>
</div>
</div>
<div class="listingblock">
<div class="content">
<pre>config router static
edit 1
set gateway 192.168.213.30
set device "port1"
set comment "Default Gateway to Internet"
next
end</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_verify">Verify</h3>
<div class="paragraph">
<p>Let’s connect in a second session with the same user <em>admin</em> and try to edit
static route:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>FGT-7-2-0 # config router static
Can not config the object since either the object or the referenced objects are
being configured by other transactions.
Command fail. Return code 14</pre>
</div>
</div>
<div class="paragraph">
<p>As you can see, the second session cannot edit an object that is being edited in the 1st session,
where the WorkSpace transaction was started.
Also, from this session we cannot yet see the changes made in the 1st session,
as they have not been committed yet:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>FGT-7-2-0 # show sys int port1
config system interface
edit "port1"
set vdom "root"
set ip 10.10.10.111 255.255.255.0
set allowaccess ping https ssh http fgfm
set type physical
set snmp-index 1
next
end</pre>
</div>
</div>
<div class="paragraph">
<p>We can see information about the running WorkSpace session(s):</p>
</div>
<div class="paragraph">
<p><strong>diagnose sys config-transaction show txn-meta</strong></p>
</div>
<div class="listingblock">
<div class="content">
<pre>FGT-7-2-0 # diagnose sys config-transaction show txn-meta
txn_next_id=8, txn_nr=1</pre>
</div>
</div>
<div class="paragraph">
<p>Here, <strong>txn_nr</strong> shows number of currently active configuration sessions.</p>
</div>
<div class="paragraph">
<p>The next command, run inside the WorkSpace session, shows all the changes made so
far in this session. Check it yourself before committing:</p>
</div>
<div class="paragraph">
<p><strong>diagnose sys config-transaction show txn-cli-commands</strong></p>
</div>
<div class="listingblock">
<div class="content">
<pre>FGT-7-2-0 # diagnose sys config-transaction show txn-cli-commands
config router static
edit 1
set gateway 192.168.213.30
next
end
config sys int
edit "port1"
set ip 192.168.213.3/24
end</pre>
</div>
</div>
<div class="paragraph">
<p>We can also see short info on the active sessions with</p>
</div>
<div class="paragraph">
<p><strong>diagnose sys config-transaction show txn-info</strong></p>
</div>
<div class="listingblock">
<div class="content">
<pre>FGT-7-2-0 # diagnose sys config-transaction show txn-info
txn_id=7, expire=1193 seconds, user='admin', userfrom='ssh(172.14.14.1)',
clicmd_fpath='/dev/cmdb/txn/8_zkDnGZ.conf'</pre>
</div>
</div>
<div class="paragraph">
<p>If the user is idle for the set duration, Fortigate warns in the CLI from about a minute before
the session expires, counting down, then undoes all the changes and finishes the session.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>FGT-7-2-0 # config transaction id=7 will expire in 30 seconds
config transaction id=7 will expire in 20 seconds
config transaction id=7 will expire in 10 seconds
config transaction id=7 has expired</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_commit_the_changes_and_finish_the_session">Commit the changes and finish the session</h3>
<div class="paragraph">
<p>Once we have made all the changes, we commit them and make them active with</p>
</div>
<div class="paragraph">
<p><strong>exe config-transaction commit</strong></p>
</div>
<div class="listingblock">
<div class="content">
<pre>FGT-7-2-0 # exe config-transaction commit
config transaction (id=7) committed</pre>
</div>
</div>
<div class="paragraph">
<p>In another session I ran a non-stop ping to 8.8.8.8, and after committing the
changes, which included the change of the WAN IP and the default gateway, not a single
ping was lost! That is, zero downtime.</p>
</div>
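<div class="paragraph">
<p>Scripting the whole procedure above, as an added example that is not part of the original post: the Python below builds the batch (start, the changes, the <code>txn-cli-commands</code> dump, commit), sends it in a single SSH session and parses the echoed output to decide whether the transaction really landed. The host, user and the <code>WAN_CHANGE</code> values are assumptions for illustration, and it assumes the Fortigate accepts the transaction commands on a non-interactive SSH session the same way it accepts the <code>show</code> commands later on this page.</p>
</div>

```python
"""Drive a Fortigate WorkSpace (config-transaction) batch over SSH and check
that it really committed.  Added example, not code from the original post.
Host, user and the WAN_CHANGE values are assumptions for illustration."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed batch: the page's WAN IP + default gateway change.
WAN_CHANGE = """\
config system interface
    edit "port1"
        set ip 192.168.213.3 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 192.168.213.30
        set device "port1"
    next
end
"""


def build_transaction(body: str, idle_minutes: int = 10) -> str:
    """Wrap a config batch in one WorkSpace session.

    A transaction is bound to the CLI session that started it and cannot be
    resumed from another login, so the start, the changes, the review dump
    and the commit must all travel in the same stdin stream.  If the SSH
    session drops before the commit, the Fortigate discards everything at
    the idle timeout, which is the safety net here.
    """
    if re.search(r"^\s*exe(cute)?\s+config-transaction", body, re.M | re.I):
        raise ValueError("body must not start/commit/abort the transaction itself")
    return "\n".join([
        f"execute config-transaction start {idle_minutes}",
        body.rstrip("\n"),
        "diagnose sys config-transaction show txn-cli-commands",  # kept for the log
        "execute config-transaction commit",
        "",
    ])


@dataclass
class TxnResult:
    txn_id: Optional[int] = None
    committed: bool = False
    expired: bool = False
    failures: List[str] = field(default_factory=list)  # "reason -> rc N"

    @property
    def ok(self) -> bool:
        return self.committed and not self.failures


START_RE = re.compile(r"config transaction \(id=(\d+)\) started")
COMMIT_RE = re.compile(r"config transaction \(id=\d+\) committed")
EXPIRE_RE = re.compile(r"config transaction id=\d+ has expired")
FAIL_RE = re.compile(r"Command fail\. Return code (-?\d+)")


def parse_result(output: str) -> TxnResult:
    """Decide from the CLI output whether the batch landed cleanly.

    A failing command inside the session does not stop the stream: the
    remaining commands still run and the commit line still follows.  So any
    'Command fail' before the commit is a reason to reject the result rather
    than trust the 'committed' message.
    """
    res, prev = TxnResult(), ""
    for line in output.splitlines():
        if m := START_RE.search(line):
            res.txn_id = int(m.group(1))
        elif COMMIT_RE.search(line):
            res.committed = True
        elif EXPIRE_RE.search(line):
            res.expired = True
        elif m := FAIL_RE.search(line):
            # FortiOS prints the reason on the line before 'Command fail'
            res.failures.append(f"{prev.strip()} -> rc {m.group(1)}")
        prev = line
    return res


def apply_over_ssh(host: str, user: str, body: str, idle_minutes: int = 10) -> TxnResult:
    """Send the batch in one non-interactive ssh session (key auth assumed)."""
    proc = subprocess.run(["ssh", "-T", f"{user}@{host}"],
                          input=build_transaction(body, idle_minutes),
                          capture_output=True, text=True, check=False)
    return parse_result(proc.stdout + proc.stderr)


if __name__ == "__main__":
    print(build_transaction(WAN_CHANGE))
```

<div class="paragraph">
<p>Because a transaction cannot be resumed from another login, there is no non-interactive way to review the dump first and commit in a second step; the <code>txn-cli-commands</code> dump is there for the log, and the safety net is the idle timeout, which throws the changes away if the session dies before the commit line is reached.</p>
</div>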
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>
</div>Fortigate CLI Tips to avoid costly mistakes, save time, and make you more effective2022-02-21T15:55:25+00:002023-02-05T09:33:00+01:00Yuri Slobodyanyuktag:yurisk.info,2022-02-21:/2022/02/21/fortigate-cli-tips-to-avoid-costly-mistakes-save-time-make-you-more-effective/<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_benefits_of_using_cli">Benefits of using CLI</a></li>
<li><a href="#_use_em_get_em_inside_any_configuration_subtree_to_show_currently_active_settings_for_this_module">Use <em>get</em> inside any configuration subtree to show currently active settings for this module</a></li>
<li><a href="#__em_grep_em_the_secret_weapon_for_searching_the_configuration_and_diagnostics"><em>grep</em> - the Secret weapon for searching the configuration and diagnostics</a></li>
<li><a href="#_navigating_the_cli">Navigating the CLI</a></li>
<li><a href="#_use_em_select_em_em_append_em_em_unselect_em_to_avoid_costly_mistakes">Use <em>select</em>, <em>append</em>, <em>unselect</em> to avoid costly mistakes</a></li>
<li><a href="#_disable_screen_paging_to_get_rid_of_code_more_code_in_the_output">Disable screen paging to get rid of <code>--More--</code> in the output</a></li>
<li><a href="#__em_alias_em_for_commands_saves_typing_time"><em>alias</em> for commands saves typing time</a></li>
<li><a href="#_not_sure_what_is_the_string_limitation_or_what_is_availabe_in_any_config_mode_em_tree_em_to_the_rescue">Not sure what is the string limitation or what is available in any config mode? <em>tree</em> to the rescue</a></li>
<li><a href="#_save_console_output_to_a_file">Save console output to a file</a></li>
<li><a href="#_run_cli_command_s_remotely_without_interactive_login">Run CLI command(s) remotely without interactive login</a>
<ul class="sectlevel2">
<li><a href="#_find_admin_users_open_to_the_world">Find admin users open to the World</a></li>
<li><a href="#_send_multi_line_command_get_routing_table_and_wan_interface_state">Send multi-line command - get routing table and wan interface state</a></li>
</ul>
</li>
<li><a href="#_use_em_edit_0_em_to_add_new_entries">Use <em>edit 0</em> to add new entries</a></li>
<li><a href="#_use_em_move_em_to_change_order_of_entries">Use <em>move</em> to change order of entries</a></li>
<li><a href="#_use_em_delete_em_to_remove_an_entry">Use <em>delete</em> to remove an entry</a></li>
<li><a href="#_use_with_caution_em_purge_em_to_delete_the_whole_table">Use (with caution!) <em>purge</em> to delete the whole table</a></li>
<li><a href="#_objects_with_names_can_be_renamed_with_em_rename_em">Objects with names can be renamed with <em>rename</em></a></li>
<li><a href="#_workspace_mode_missing_em_commit_em_for_configuration_changes_here_it_is_to_prevent_concurrent_changes_partial_configuration_and_more">Workspace Mode - missing <em>commit</em> for configuration changes? Here it is to prevent concurrent changes, partial configuration and more</a></li>
</ul>
</div>
<div class="sect1">
<h2 id="_benefits_of_using_cli">Benefits of using CLI</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Working on Fortigate CLI instead of GUI has lots of advantages, some of them are:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Most of the advanced settings in Fortigate are available ONLY in the CLI.</p>
</li>
<li>
<p>The CLI changes very little between firmware versions, as opposed to the GUI, where settings and menus get moved around freely. So once you learn the CLI, you don’t need to re-learn it with new FortiOS releases.</p>
</li>
<li>
<p>You can see the context of the configuration by using <code>show</code>, so as not to make mistakes.</p>
</li>
<li>
<p>A full configuration search with <code>grep</code> is available only on the CLI.</p>
</li>
<li>
<p>You can jump between different parts of configuration in split seconds, unlike navigating each menu item in GUI.</p>
</li>
<li>
<p>You can see actual active and complete settings of any Fortigate configuration by using <code>get</code>, which is not possible in GUI.</p>
</li>
<li>
<p>Diagnostics and debug are done exclusively on CLI.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>And now that you are sold on the benefits of using the Fortigate CLI, let me share useful tips on working with it that I learned over the years.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_use_em_get_em_inside_any_configuration_subtree_to_show_currently_active_settings_for_this_module">Use <em>get</em> inside any configuration subtree to show currently active settings for this module</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Once you enter any configuration subtree with the <code>config</code> command, you can issue <code>get</code> to see the settings for that subtree. For example, go to <code>config sys interface</code>, then <code>edit port1</code> to enter the <em>port1</em> interface subtree, and run <code>get</code> to see ALL the settings for this port, at least 3 times more than the GUI shows.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="__em_grep_em_the_secret_weapon_for_searching_the_configuration_and_diagnostics"><em>grep</em> - the Secret weapon for searching the configuration and diagnostics</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The Fortigate configuration is huge, thousands of lines; no one can remember where every setting is located, nor should they. You can search the whole configuration with the <code>grep</code> command. For example, say we need to know which HTTPS port was configured for admin access, but we know neither where it lives nor how exactly it is named. No problem, just search for <em>admin</em>, like this:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">NSE8# show | grep admin
#config-version=FG100E-5.6.11-FW-build1700-190814:opmode=1:vdom=0:user=admin
set admin-scp enable
set admin-sport 4434 <-- HERE IT IS!
set admintimeout 300
...</code></pre>
</div>
</div>
<div class="paragraph">
<p>But that is not the whole power of <strong>grep</strong>. Now we want to see the exact configuration location, to go there and change it. Use <strong>-f</strong> to show the context of the search term. Continuing the example above, let’s find the subtree for the HTTPS GUI admin port:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">NSE8# show | grep admin-sport -f
config system global
set admin-scp enable
set admin-sport 4434 <---
set admintimeout 300
set alias "FG100E123123"
set gui-certificates enable
set hostname "NSE8"
set proxy-auth-timeout 1
set timezone 36
end</code></pre>
</div>
</div>
<div class="paragraph">
<p>Now, we can change this GUI management port easily on CLI.</p>
</div>
<div class="paragraph">
<p>Even more than that: <code>show</code> displays only non-default settings, that is, the settings we changed, while <code>show full-configuration</code> (<code>show full</code> for short) also prints every setting still at its default, which plain <code>show</code> omits and the GUI often does not expose at all. Combine it with <code>grep</code> to find any of them: <code>show full-configuration | grep &lt;setting we want to see&gt;</code>.</p>
</div>
<div class="paragraph">
<p>And of course, you can use <strong>grep</strong> with ANY output producing command, like <code>diagnose</code> and <code>get</code>, not only <code>show</code>.</p>
</div>
<div class="paragraph">
<p><code>grep</code> search is case sensitive by default, but we can add <strong>-i</strong> option to make
it case insensitive.</p>
</div>
<div class="paragraph">
<p>Another useful option is <strong>-n</strong> which will show line numbers of each found
configuration line.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_navigating_the_cli">Navigating the CLI</h2>
<div class="sectionbody">
<div class="paragraph">
<p>We have some basic Linux shell-style line editing available, which makes editing long commands much faster.</p>
</div>
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>Ctrl + C</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">When inside a <code>config</code> subtree, jump out to non-config mode, aborting and losing all the configuration commands you typed so far. Use it to abandon changes you haven’t applied via <code>next/end</code> yet.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>Ctrl + A</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Jump to the beginning of the line.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>Ctrl + E</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Jump to the end of the line.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>Ctrl + F</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Move cursor one word forward.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>Ctrl + B</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Move cursor back one word.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>Arrow up/down</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Put previous/next command you entered before (command history).</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>\</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Use backslash as the last character on a line to continue the command to the next line without applying it. It is sometimes useful when entering long URL/Regex filters to see the whole command uncut.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="_use_em_select_em_em_append_em_em_unselect_em_to_avoid_costly_mistakes">Use <em>select</em>, <em>append</em>, <em>unselect</em> to avoid costly mistakes</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Using <code>set</code> inside any config subtree replaces the existing values there, which may not be what you meant. Fortigate has other options for us.</p>
</div>
<div class="paragraph">
<p>To APPEND to the existing values, leaving them intact, use <strong>append</strong> instead of <code>set</code>. Let’s see an example. Say we have a firewall address group containing 5 addresses, like this:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">config firewall addrgrp
edit "TEST_GROUP"
set member "TEST2" "TEST1" "TEST3" "TEST4" "TEST5"
next
end</code></pre>
</div>
</div>
<div class="paragraph">
<p>And we want to add another member <em>TEST7</em> to this list. If we use <code>set member TEST7</code> this will put <em>TEST7</em> as the member but will also remove the other members. To actually add to the list, we use <code>append</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>(TEST_GROUP) # append member TEST7</pre>
</div>
</div>
<div class="paragraph">
<p>After which the address group will look like this:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>config firewall addrgrp
edit "TEST_GROUP"
set member "TEST1" "TEST2" "TEST3" "TEST4" "TEST5" "TEST7"
next
end</pre>
</div>
</div>
<div class="paragraph">
<p>Next is the <strong>unselect</strong> keyword: it deletes the members you give it from the list.
For the example above, let’s delete just the members <em>TEST2</em> and <em>TEST4</em>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>(TEST_GROUP) # unselect member TEST2 TEST4</pre>
</div>
</div>
<div class="paragraph">
<p>This will have the effect:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>config firewall addrgrp
edit "TEST_GROUP"
set member "TEST1" "TEST3" "TEST5" "TEST7"
next
end</pre>
</div>
</div>
<div class="paragraph">
<p>Next in line is <strong>unset</strong>, for when you want to keep the containing object (say the address group) but clear all of its members. An example is due: let’s remove all members from the address group (this will NOT delete those address objects from the Fortigate, only from the group):</p>
</div>
<div class="listingblock">
<div class="content">
<pre>(TEST_GROUP) # unset member</pre>
</div>
</div>
<div class="paragraph">
<p>The address group will now look like:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>config firewall addrgrp
edit "TEST_GROUP"
set uuid fd3er8e8-8d2a-53ec-93e3-33578fa
next
end</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_disable_screen_paging_to_get_rid_of_code_more_code_in_the_output">Disable screen paging to get rid of <code>--More--</code> in the output</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Output paging is on by default, but when you want the full command output at once, for example while saving console output to a log file, it gets in the way, as it interrupts every screenful with <code>--More--</code>. We can disable paging:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">config system console
set output standard
end</code></pre>
</div>
</div>
<div class="paragraph">
<p>To bring paging back:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">config sys console
set output more
end</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="__em_alias_em_for_commands_saves_typing_time"><em>alias</em> for commands saves typing time</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Fortigate commands can be, and often are, lengthy; take showing the routing table: <code>get router info routing all</code>. Typing such commands over and over again wastes time. The <strong>command alias</strong> helps us here. A few facts, including some limitations compared with the Cisco world:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Configured aliases are saved in the configuration and so survive reboots and upgrades.</p>
</li>
<li>
<p>Aliases are available at the top level only. That is, inside a configuration subtree there are no aliases for us. E.g. we can set/use aliases for commands run at the # prompt, but once we enter, say, interface configuration, no aliases are available.</p>
</li>
<li>
<p>The commands in an alias are not limited in the depth of the configuration tree. While they have to start at the top level, they don’t have to end there. E.g. we can create an alias that combines <code>config system interface</code>, <code>edit port1</code>, <code>set status disable</code> in one.</p>
</li>
<li>
<p>Alias can combine multiple commands run in sequence.</p>
</li>
<li>
<p>An alias can NOT accept arguments. If we have an alias <em>shint</em> for <code>show system interface</code>, we cannot add an interface name to it as an argument when running it: <code>alias shint port1</code> will report an error.</p>
</li>
<li>
<p>To use an alias, type the word <em>alias</em> followed by the name of the alias (see the examples below).</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>To configure alias we use <strong>config system alias</strong> command. Let’s create an alias for displaying routing table.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">config system alias
edit "rt"
set command "get router info routing all"
next
edit "rt6"
set command "get router info6 routing-table"
next
end</code></pre>
</div>
</div>
<div class="paragraph">
<p>Now, to use the alias:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash"># alias rt
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 192.168.13.1, port1
C 10.10.17.0/24 is directly connected, port3
C 192.168.13.0/24 is directly connected, port1</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_not_sure_what_is_the_string_limitation_or_what_is_availabe_in_any_config_mode_em_tree_em_to_the_rescue">Not sure what is the string limitation or what is available in any config mode? <em>tree</em> to the rescue</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Every user-defined setting you enter has some limitation, be it on its numerical value range or on string/name length. It is frustrating to carefully type a long and descriptive name for a new address or URL filter only to have it discarded with the error "The string is too long".</p>
</div>
<div class="paragraph">
<p>To see limitations of all the settings in the current config subtree, just run <strong>tree</strong> inside the config mode:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash"># config sys int
(interface) # tree
-- [interface] --*name (16) <-- Interface name can be up to 16 characters long
<-- * means this is a required setting.
|- vdom (32)
|- cli-conn-status (0,4294967295)
|- fortilink
|- mode
|- distance (1,255)
|- priority (0,4294967295)</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_save_console_output_to_a_file">Save console output to a file</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The CLI browser applet in the Fortigate GUI has an option to save the output (after it was displayed) to a file. Find it in the upper right corner of the applet. Handy for those cases when you don’t have the luxury of a fully fledged SSH client.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/fortigate-applet-console-download.png" alt="Download log of console output">
</div>
</div>
<div class="paragraph">
<p>Any standalone SSH client, though, has an option to <em>log</em> the session output to a text file; use it, probably after disabling the paging as described above.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_run_cli_command_s_remotely_without_interactive_login">Run CLI command(s) remotely without interactive login</h2>
<div class="sectionbody">
<div class="paragraph">
<p>When you need to run a command (or a series of commands) and be done, you can save time by sending the Fortigate CLI command(s) over SSH without interactively logging in to the firewall. This is a feature of SSH itself (remote command execution and stdin passing), not specific to Fortigate. Additionally, by piping the output of the CLI command to the local shell we can do powerful post-processing that is not possible on the Fortigate CLI.</p>
</div>
<div class="sect2">
<h3 id="_find_admin_users_open_to_the_world">Find admin users open to the World</h3>
<div class="paragraph">
<p>For example, let’s find all the local admin users of the Fortigate whose access is NOT limited by source IP address, that is, who are allowed to log in from ANY address. Bad practice.</p>
</div>
<div class="paragraph">
<p>An admin user whose <code>trusthost</code> is 0.0.0.0 (the default) can connect from anywhere; and because it is the default, such a user has no <code>trusthost</code> line in the output of the <code>show</code> command. So we have to search for the lack of <code>set trusthost</code> in the output of <code>show sys admin</code>. Let’s do so with awk:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-awk" data-lang="awk">yurisk@Yuri-Mac-mini% echo -e " show sys admin " |
ssh admin@192.168.13.177 | awk 'BEGIN {RS = "edit"} $0 !~ /trusthost/' <b class="conum">(1)</b>
Pseudo-terminal will not be allocated because stdin is not a terminal.
Enter passphrase for key '/Users/yurisk/.ssh/id_rsa':
NSE8-lab-FGT200F # config system admin
"bad_user" <b class="conum">(2)</b>
set accprofile "super_admin"
set vdom "root"
set password ENC SH2JxMvVDR87AhtyTiChIbkk+fEJAWjDtpGA=
next
end</code></pre>
</div>
</div>
<div class="colist arabic">
<ol>
<li>
<p>This is run on the local host: <code>show sys admin</code> is sent to the Fortigate, then the output is parsed by awk to look for users without <em>trusthost</em> set.</p>
</li>
<li>
<p>This is the user open to the World.</p>
</li>
</ol>
</div>
<div class="paragraph">
<p><strong>If VDOMs are enabled</strong>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>ssh myuser@192.168.13.177 '
config global
show sys admin' | awk 'BEGIN {RS = "edit"} $0 !~ /trusthost/'</pre>
</div>
</div>
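<div class="paragraph">
<p>As an added example that is not part of the original post, serving both the <code>grep -f</code> section above and this admin check: a small Python parser for <code>show</code> output that gives the same context view offline (on a saved config backup, for instance) and lists the admins with no trusted host. <code>SAMPLE_CONFIG</code> is constructed; the <code>credit editor</code> comment in it is there because splitting records on the bare word <code>edit</code>, as the awk one-liner does, can cut a user’s record in two and misreport it, and the explicit <code>0.0.0.0 0.0.0.0</code> entry is what such a user looks like in <code>show full-configuration</code> output, where the awk check would miss it.</p>
</div>

```python
"""Offline FortiOS config parser: reproduces `show | grep <term> -f` context
and the "admin open to the world" check on a saved `show` dump.
Added example, not code from the original post; SAMPLE_CONFIG is constructed."""
import re
import shlex
from typing import Iterator, List, Optional, Tuple

SAMPLE_CONFIG = """\
#config-version=FG100E-5.6.11-FW-build1700-190814:opmode=1:vdom=0:user=admin
config system global
    set admin-scp enable
    set admin-sport 4434
    set hostname "NSE8"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.17.0 255.255.255.0
        set password ENC AAAA
    next
    edit "bad_user"
        set accprofile "super_admin"
        set vdom "root"
        set comments "credit editor"
        set password ENC BBBB
    next
    edit "helpdesk"
        set accprofile "prof_admin"
        set vdom "root"
        set trusthost1 0.0.0.0 0.0.0.0
        set password ENC CCCC
    next
end
"""


class Block:
    """A `config ...` or `edit ...` scope; the root block has kind None."""
    def __init__(self, kind: Optional[str], name: str, header: str, parent=None):
        self.kind, self.name, self.header, self.parent = kind, name, header, parent
        self.settings: List[Tuple[str, List[str]]] = []   # (key, values), file order
        self.children: List["Block"] = []

    def path(self) -> Tuple[str, ...]:
        parts, b = [], self
        while b.kind is not None:
            parts.append(b.header)
            b = b.parent
        return tuple(reversed(parts))

    def walk(self) -> Iterator["Block"]:
        yield self
        for c in self.children:
            yield from c.walk()


def parse(text: str) -> Block:
    """Build the block tree from `show` / `show full-configuration` output."""
    root = cur = Block(None, "", "")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # skip the config-version header
            continue
        toks = shlex.split(line)                    # honours quoted values
        kw = toks[0]
        if kw in ("config", "edit"):
            name = toks[1] if kw == "edit" else " ".join(toks[1:])
            child = Block(kw, name, line, cur)
            cur.children.append(child)
            cur = child
        elif kw in ("next", "end"):
            if cur is root:
                raise ValueError(f"unbalanced '{kw}'")
            cur = cur.parent
        elif kw == "set":
            cur.settings.append((toks[1], toks[2:]))
        elif kw == "unset":
            pass                                    # nothing to record
        else:
            raise ValueError(f"unexpected line: {line}")
    if cur is not root:
        raise ValueError("unterminated block")
    return root


def grep_context(root: Block, term: str) -> str:
    """Like `show | grep <term> -f`: each block holding a matching `set`,
    printed with its enclosing headers, matches marked with `<---`."""
    out: List[str] = []
    for b in root.walk():
        hits = [(k, v) for k, v in b.settings if term in f"{k} {' '.join(v)}"]
        if not hits:
            continue
        path = b.path()
        out += [f"{'    ' * i}{h}" for i, h in enumerate(path)]
        pad = "    " * len(path)
        for k, v in b.settings:
            mark = " <---" if (k, v) in hits else ""
            out.append(f"{pad}set {k} {' '.join(v)}{mark}".rstrip())
        out += [f"{'    ' * i}{'next' if h.startswith('edit') else 'end'}"
                for i, h in reversed(list(enumerate(path)))]
    return "\n".join(out)


TRUSTHOST_RE = re.compile(r"^trusthost\d+$")
ANY_V4 = ["0.0.0.0", "0.0.0.0"]


def open_admins(root: Block) -> List[Tuple[str, str]]:
    """(name, accprofile) of admins whose IPv4 login is not limited to a
    trusted host: no trusthostN at all (plain `show`) or all of them still
    0.0.0.0 0.0.0.0 (`show full-configuration`)."""
    found = []
    for b in root.walk():
        if not (b.kind == "config" and b.name == "system admin"):
            continue
        for user in b.children:
            restricted = any(TRUSTHOST_RE.match(k) and v != ANY_V4
                             for k, v in user.settings)
            if not restricted:
                prof = next((v[0] for k, v in user.settings if k == "accprofile"), "")
                found.append((user.name, prof))
    return found


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    print(grep_context(cfg, "admin-sport"))
    for name, prof in open_admins(cfg):
        print(f"OPEN TO THE WORLD: {name} ({prof})")
```

<div class="paragraph">
<p>Feed it the output of <code>ssh admin@fgt 'show sys admin'</code> (or of <code>config global</code> + <code>show sys admin</code> with VDOMs enabled), or a whole backup file; the tree search finds <code>config system admin</code> at any nesting depth, so the VDOM case needs no special handling.</p>
</div>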
</div>
<div class="sect2">
<h3 id="_send_multi_line_command_get_routing_table_and_wan_interface_state">Send multi-line command - get routing table and wan interface state</h3>
<div class="paragraph">
<p>We can send multi-line commands to the Fortigate as well. Let’s send in one go 2 commands: <code>get router info routing all</code> and <code>get sys interface | grep wan1</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">yurisk@Yuris-Mac-mini% ssh admin@192.168.13.177 '
get router info routing all
get sys int| grep wan1'
Pseudo-terminal will not be allocated because stdin is not a terminal.
Enter passphrase for key '/Users/yurisk/.ssh/id_rsa':
NSE8-lab-FGT200F # Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 192.168.13.176, wan1
C 10.0.0.0/24 is directly connected, WiFi
C 192.168.10.0/24 is directly connected, LAN_SF_SWITCH
C 192.168.13.177/31 is directly connected, wan1
NSE8-lab-FGT200F # == [ wan1 ]
name: wan1 mode: static ip: 192.168.13.177 255.255.255.254 status: up
netbios-forward: disable type: physical netflow-sampler: disable
sflow-sampler: disable scan-botnet-connections: disable src-check: enable
mtu-override: disable wccp: disable drop-overlapped-fragment: disable
drop-fragment: disable</code></pre>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_use_em_edit_0_em_to_add_new_entries">Use <em>edit 0</em> to add new entries</h2>
<div class="sectionbody">
<div class="paragraph">
<p>When creating a new entry in a config submode, you often have to specify the entry’s running number. If you give the number of an existing entry, you will not add a new one but edit that existing entry, so you have to provide an unused number to create a new entry. These running numbers are for the Fortigate’s own reference; they do not signify the order of the entries. So as not to have to come up with a big unused number, use <strong>edit 0</strong>: this creates a new entry with the next available running number.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_use_em_move_em_to_change_order_of_entries">Use <em>move</em> to change order of entries</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Using <strong>move <em>from</em> to <em>destination</em></strong> allows us to rearrange entries inside the relevant config submode. We have to use the entries’ running numbers for source and destination. Let’s say we want to move security policy rule 22 above rule number 13:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">config firewall policy
move 22 before 13
end</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_use_em_delete_em_to_remove_an_entry">Use <em>delete</em> to remove an entry</h2>
<div class="sectionbody">
<div class="paragraph">
<p>With the <strong>delete <em>entry-number</em></strong> command in a config submode we can delete the given entry.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">config firewall policy
delete 13
end</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_use_with_caution_em_purge_em_to_delete_the_whole_table">Use (with caution!) <em>purge</em> to delete the whole table</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This command deletes the WHOLE table you are currently in. Most configuration
settings in Fortigate are collected in tables; e.g. all security rules are
contained in the firewall policy table. In the rare cases when you need to delete
all the entries in such a table, the command <code>purge</code> does just that.</p>
</div>
<div class="paragraph">
<p>Let’s delete, for example, all security rules of the firewall:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">config firewall policy
(policy) # purge
<Enter>
This operation will clear all table!
Do you want to continue? (y/n)y</code></pre>
</div>
</div>
<div class="paragraph">
<p>The result is empty rulebase:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">(policy) # show
config firewall policy
end</code></pre>
</div>
</div>
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<div class="title">Warning</div>
</td>
<td class="content">
There is no <em>undo</em> for this deletion, so be careful about which
subconfiguration mode you are currently in.
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_objects_with_names_can_be_renamed_with_em_rename_em">Objects with names can be renamed with <em>rename</em></h2>
<div class="sectionbody">
<div class="paragraph">
<p>To rename a named object, enter the appropriate config submode and run <strong>rename <em>current-name</em> to <em>new-name</em></strong>. E.g.:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">config firewall addrgrp
rename TEST_GROUP to PROD_GROUP
end</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_workspace_mode_missing_em_commit_em_for_configuration_changes_here_it_is_to_prevent_concurrent_changes_partial_configuration_and_more">Workspace Mode - missing <em>commit</em> for configuration changes? Here it is to prevent concurrent changes, partial configuration and more</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This feature (Workspace Mode) was introduced in FortiOS 6.2 and makes it
possible to combine multiple CLI commands into a batch, which is later committed
in one go as a single action. This (finally) allows us to, for example, change
the WAN-facing IP address of an interface and its default gateway without losing
access to the Fortigate. But this feature deserves more than a short-tip
treatment, so I wrote a separate post about it:
<a href="https://yurisk.info/2022/04/04/fortigate-workspace-mode-commit-changes-example/">Fortigate new Workspace Mode to commit changes in a batch - with an example of changing default gateway</a></p>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>How to request Google, Cloudflare, and OpenDNS/Umbrella DNS servers cache clearing for your domain records2021-11-07T11:44:46+00:002021-11-07T11:44:46+00:00Yuri Slobodyanyuktag:yurisk.info,2021-11-07:/2021/11/07/request-dns-cache-flush-of-google-cloudflare-and-other-dns-providers/<p><img alt="Google DNS 8.8.8.8" src="/assets/Google-dns-8.8.8.8-svg.svg"></p>
<p>It is rare for these well-known DNS providers to cause problems for your domain records, but everything is possible. More often, though, you may need to refresh a DNS record of your domain sooner than its TTL expires. Below you will find links on how to do so for the aforementioned DNS service providers.</p>
<p><a href="https://1.1.1.1/purge-cache/">Cloudflare</a> <br>
<a href="https://developers.google.com/speed/public-dns/cache">Google</a><br>
<a href="https://cachecheck.opendns.com">OpenDNS/Umbrella</a> </p>
Cisco router - disconnect VTY user forcefully without reloading the router2021-09-22T18:44:46+00:002021-09-22T18:44:46+00:00Yuri Slobodyanyuktag:yurisk.info,2021-09-22:/2021/09/22/cisco-router-disconnect-vty-user-forcefully-without-reload/<p><em>Today's log</em>.<br>
- Alert on a suspicious connection via ssh to the VTY line of the Cisco ISR 1100 router. <br>
- Logged in to the router, saw an <strong>established</strong> connection from an IP belonging to the Chinanet ISP (the router is in Israel) to port 22. The router was compromised as someone removed the ACL from the VTY lines. Deleted all local usernames, created new ones with complex passwords, applied an ACL to VTY 0 4, made sure no malicious configuration changes were made. But how do I disconnect the connected attacker without reloading the whole router (applying an ACL to block an already established connection does not work)? </p>
<h3>Solution:</h3>
<ol>
<li>See the established connections to the Cisco router:</li>
</ol>
<p><strong>show tcp brief</strong></p>
<div class="highlight"><pre><span></span><code>TCB Local Address Foreign Address (state)
7F7019F118 92.92.92.92.22 49.88.112.114.14088 FINWAIT1
7F6EEE29D0 92.92.92.92.23 13.13.13.13.44770 ESTAB
7F640A08B0 92.92.92.92.22 49.88.112.114.25021 FINWAIT1
7F70176C98 92.92.92.92.22 49.88.112.114.47365 ESTAB
7F6F6A08E8 92.92.92.92.23 119.29.62.10.43466 FINWAIT1
7F6D8508F8 92.92.92.92.22 180.253.192.25.31052 FINWAIT1
7F701A5898 92.92.92.92.23 47.101.55.93.50138 FINWAIT1
7F6ED4B298 92.92.92.92.23 172.104.242.173.41600 FINWAIT1
</code></pre></div>
<p><em>Legend</em>:<br>
<code>92.92.92.92</code> - Cisco ISR 1100 (sanitized)<br>
<code>13.13.13.13</code> - My IP (sanitized)<br>
<code>49.88.112.114</code> - Chinanet ISP (real)</p>
<ol start="2">
<li>
<p>Apply the ACL to the VTY line 0 4 (not shown).</p>
</li>
<li>
<p>Disconnect the attacker:</p>
</li>
</ol>
<p><strong>clear tcp tcb <em>TCB id</em></strong></p>
<p>Here: <strong>clear tcp tcb 7F70176C98</strong></p>
<div class="highlight"><pre><span></span><code>#clear tcp tcb 7F70176C98
[confirm]
 [OK]
</code></pre></div>
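<p>Picking the right TCB out of a long <strong>show tcp brief</strong> listing by eye is error-prone, so here is an added example (Python, not part of the original post and not a Cisco tool) that parses that table, splits the <code>a.b.c.d.port</code> columns into address and port, and returns only the ESTAB ssh/telnet sessions whose foreign address is outside the trusted management range, in the form <strong>clear tcp tcb <em>id</em></strong> expects. The sample rows reuse the sanitized output above; the trusted range is a constructed stand-in for "my IP".</p>

```python
"""Pick management sessions that should not be there out of 'show tcp brief'.

Added example, not from the original post: it parses the 'show tcp brief'
table, splits each 'a.b.c.d.port' column into an IPv4 address and a port
(the port is the last dotted field) and returns the TCB ids of ESTAB
ssh/telnet sessions whose foreign address is outside the trusted management
ranges. A TCB id is what 'clear tcp tcb <id>' takes, as shown in the post.
The sample rows reuse the post's sanitized output; the trusted range is
constructed.
"""
import ipaddress

SAMPLE_SHOW_TCP_BRIEF = """\
TCB        Local Address           Foreign Address         (state)
7F7019F118 92.92.92.92.22          49.88.112.114.14088     FINWAIT1
7F6EEE29D0 92.92.92.92.23          13.13.13.13.44770       ESTAB
7F640A08B0 92.92.92.92.22          49.88.112.114.25021     FINWAIT1
7F70176C98 92.92.92.92.22          49.88.112.114.47365     ESTAB
7F6F6A08E8 92.92.92.92.23          119.29.62.10.43466      FINWAIT1
"""

# Constructed: the only source that is allowed to manage this router.
TRUSTED_MGMT = (ipaddress.ip_network("13.13.13.13/32"),)
MGMT_PORTS = {22, 23}  # ssh and telnet on the VTY lines


def split_addr_port(token):
    """'92.92.92.92.22' -> ('92.92.92.92', 22).

    IPv4 only: IOS prints the port as a fifth dotted field, so the split
    is on the last dot. IPv6 rows use a different layout and are not handled.
    """
    host, _, port = token.rpartition(".")
    return host, int(port)


def parse_tcp_brief(text):
    """One dict per data row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "TCB":
            continue
        tcb, local, foreign, state = parts
        lhost, lport = split_addr_port(local)
        fhost, fport = split_addr_port(foreign)
        rows.append({"tcb": tcb, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport, "state": state})
    return rows


def untrusted_mgmt_sessions(text, trusted=TRUSTED_MGMT):
    """Established ssh/telnet sessions from outside the trusted ranges.

    FINWAIT1 entries are left alone: they are already closing and will
    time out on their own.
    """
    return [
        row for row in parse_tcp_brief(text)
        if row["state"] == "ESTAB"
        and row["local_port"] in MGMT_PORTS
        and not any(ipaddress.ip_address(row["foreign_host"]) in net for net in trusted)
    ]


def clear_commands(text, trusted=TRUSTED_MGMT):
    """The 'clear tcp tcb' lines an operator reviews before pasting them in."""
    return [f"clear tcp tcb {row['tcb']}" for row in untrusted_mgmt_sessions(text, trusted)]


if __name__ == "__main__":
    for row in untrusted_mgmt_sessions(SAMPLE_SHOW_TCP_BRIEF):
        print(f"{row['tcb']}  {row['foreign_host']}:{row['foreign_port']} -> port {row['local_port']}")
    print("\n".join(clear_commands(SAMPLE_SHOW_TCP_BRIEF)))
```

<p>On the sample above the only hit is <code>7F70176C98</code>, the same TCB cleared by hand in the post; the session from 13.13.13.13 is skipped because it falls inside the trusted range, which is the check that keeps you from cutting your own session.</p>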
Check Point Certified Troubleshooting Administrator (CCTA) 156-580 Exam Preparation Tips and Impressions2021-06-12T08:55:25+00:002021-06-12T08:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2021-06-12:/2021/06/12/checkpoint-certified-troubleshooting-administrator-ccta-156-580-exam-preparation/<div id="preamble">
<div class="sectionbody">
<div class="imageblock">
<div class="content">
<img src="/assets/CCTA-Credly.png" alt="CCTA Exam Checkpoint verification">
</div>
</div>
<div class="paragraph">
<p>The following, I hope, will help you to prepare better for the exam as there is no information I could find anywhere.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
Links to all the resources I mention in the text are at the end. Also, for obvious reasons this article does not contain actual questions from the exam.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>First, the exam wasn’t easy by any means and I’ve been passing #Checkpoint exams starting with R60. Still, it is doable. There are all in all 75 questions. There were no long-winded questions as in the past spanning 4-5 lines. I didn’t need to actually type anything - only multiple answer types of questions. I took the exam via the PearsonVue online proctoring and had 0 issues with the technical side of it. If you plan on taking it online for the first time, make sure to see Youtube walk-throughs of the process to prevent any surprises and run System Test software from PearsonVue BEFORE actually ordering the exam. Now, to the exam preparation itself.</p>
</div>
<div class="ulist">
<ul>
<li>
<p><strong>Official materials</strong>. Start your preparation with the exam topics in the official preparation course syllabus. As I understand from bits of information found on the Checkpoint Community forum and elsewhere, the distinction between CCTA and Check Point Certified Troubleshooting Expert (CCTE) exam is not in the level of expertise, but rather in the topics. I haven’t taken CCTE yet. By this I want to say - don’t be fooled by "Administrator" versus "Expert" in the exam title. I didn’t take the official Checkpoint course, so can’t comment how it helps to pass the exam. In theory, you can buy just the official courseware from Checkpoint catalog website (about 650$ last time I checked). The catch, though, is that you can’t directly buy it from Checkpoint - when trying to pay for it, the website refers you to your Account Manager. And from, again, reports on the Checkpoint Community forum - they (AM) will refer you back to ATC center, which of course will have no incentive to sell you just courseware, without the instructor based course of their own (2000$-3000$ depending on location).</p>
</li>
<li>
<p><strong>CCSM R80 overlap</strong>. The exam, unfortunately, had very few questions from CCSM R80; my rough estimate would be about 15 out of 75. It means it is NOT possible to pass the exam on CCSM R80 knowledge/study materials/experience only.
New: UserCenter TAC website procedure questions. That was a surprise. I answered one such question wrong just because, lacking context, the question asked about specifics of the UserCenter website and I didn’t understand that they were actually testing on the TAC website and not on a technical issue of the firewall. To prepare for such questions, I would suggest a dry run opening ALL types of tickets, stopping just before hitting the "Submit" button. Know what types of tickets exist, how they differ, what information each one requires, etc.</p>
</li>
<li>
<p><strong>This is R80.20+ Based Exam</strong>. The official preparation course is titled "R80.30 …​", so it is expected. The point to remember, especially for those who have experience with pre-R80.30 versions and exams (like me), is when in doubt - think it is R80.30 specific exam only. Many features we’ve known for years in Checkpoint have changed in R80.30 and you may fall in the trap of answering the R77.30/R80.10-way. E.g. (not from real exam, but it could be) - fw monitor questions, which are always present in such exams. Before R80.20 Take xxx and R80.30, it was the Checkpoint recommendation to disable SecureXL before running fw monitor and exams followed suit. Then, they changed it to NOT disable for version R80.20, only later to change it again to DO disable SecureXL. So, currently, the correct answer is to disable SecureXL until further notice. Kernel debug, which is always present as well, changed too. Refresh your knowledge even for the well known topics.</p>
</li>
<li>
<p><strong>More than usual questions on fw monitor</strong>. fw monitor questions were always on this exam (CCSE+, CCSM), but I felt this time they increased in number and depth. So, know all the switches/options and how to work with this sniffer well. And again - refresh your knowledge for R80.30 as new options such as filtering/insertion points appeared.</p>
</li>
<li>
<p><strong>Blades that are on the topics list - know their debug well</strong>. Obvious, but still - Security Blades listed on the official course syllabus make a large portion of the exam. Know their specific debug, daemon names, files they create/use, their databases locations.</p>
</li>
<li>
<p><strong>Kernel debug</strong>. No news here - you have to remember the general steps in running kernel debug for at least the popular modules like ClusterXL, NAT, IPSec VPN. Pay attention that the usual <code>fw ctl debug fw +</code>… syntax is not enough in R80.30. That is - learn both <code>zdebug</code> and <code>kdebug</code>.</p>
</li>
<li>
<p><strong>Daemons and their ports</strong>. This sort of question is present in, it seems, all the Checkpoint exams. In the References section below I put Heiko Ankenbrand’s complete cheat sheet of which daemon works on which port, including the changes in R80.30. Memorize this cheat sheet, you’ll thank me and Heiko later.</p>
</li>
<li>
<p><strong>Read ATRGs on relevant topics</strong>. Reading Advanced Technical Reference Guides (ATRG) is my way to prepare extra for the exam. I can’t say this is strictly necessary, but helps to feel more confident. If you do, read only ATRGs on the topics mentioned in the official course list.</p>
</li>
<li>
<p><strong>Timothy Hall book</strong>. I didn’t read it specifically for the exam, but for my work and recommend it not only for optimization but debug as well. The book is R80.30+ only so helps with exam topics as well.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>That’s all for this exam. Make sure to share this with your friends who prepare for the exam. Thanks for reading, nice and peaceful weekend to everyone.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_references">References.</h2>
<div class="sectionbody">
<div class="paragraph">
<p><a href="https://www.checkpoint.com/partners/resources/uploads/CCTA-R80-Marketing.pdf">Official Checkpoint CCTA Preparation Course Syllabus</a></p>
</div>
<div class="paragraph">
<p><a href="https://www.ankenbrand24.de/wp-content/uploads/2021/05/Ports_1.8a.pdf">Heiko’s Cheat Sheet of Daemons and Ports</a></p>
</div>
<div class="paragraph">
<p><a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowtechnicalreferenceguides">List of all ATRGs on the Checkpoint site</a></p>
</div>
<div class="paragraph">
<p><a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk30583&partition=General&product=Security">fw monitor complete reference on Checkpoint SecureKnowledgeBase</a></p>
</div>
<div class="paragraph">
<p><a href="https://www.ankenbrand24.de/index.php/articles/check-point-articel/cheat-sheets/r80-cheat-sheet-fw-monitor/">Heiko’s fw monitor Cheat Sheet, with R80.30 differences highlighted</a></p>
</div>
<div class="paragraph">
<p><a href="http://www.maxpowerfirewalls.com/max-power-2020.html">Tim Hall’s book on Checkpoint Firewall Optimization, updated for R80.30 and newer</a></p>
</div>
<div class="paragraph">
<p><a href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topics-FWG/Kernel-Debug/Kernel-Debug-Modules-and-Debug-Flags.htm">Kernel Debug Modules and Flags, R80.40</a></p>
</div>
<div class="paragraph">
<p><a href="https://www.ankenbrand24.de/wp-content/uploads/2019/12/r8010_packet_flow_1.5b_pdf.pdf">Heiko’s Visual Graph of R80.30+ Packet Flow</a></p>
</div>
<div class="paragraph">
<p><a href="https://community.checkpoint.com/t5/General-Topics/useful-debug-command-in-checkpoint/td-p/17149">Collection of useful kernel debug options on Checkpoint Community</a></p>
</div>
<div class="paragraph">
<p><a href="https://www.youtube.com/watch?v=otw3uO3KXpA">Youtube video by Mark Anthony V. Melendres walking through the PearsonVue online exam procedure</a></p>
</div>
</div>
</div>You CAN and probably should rename/delete the default admin user on Fortigate, here is how2021-06-09T07:55:25+00:002021-06-09T07:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2021-06-09:/2021/06/09/rename-or-delete-default-fortigate-admin-administrator-account/<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>Many best practices in security and regulations (PCI-DSS, NIST 800-53) demand or recommend renaming/deleting the default administrative accounts that come with the equipment. And every Fortinet product comes with the <code>admin</code> account built in. Some people are afraid of losing administrative access through such changes, but with the Fortinet Fortigate this is not the case - you can rename or delete this account without any bad consequences whatsoever. Here is how to do it on the CLI of the Fortigate.</p>
</div>
<div class="paragraph">
<p>Before diving into the config, you may want to know a few facts about the procedure:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>You cannot rename/delete the <code>admin</code> user while logged in with it.</p>
</li>
<li>
<p>You have to first create another user privileged enough (<code>super_admin</code>) to make changes to <code>admin</code>. This way the Fortigate prevents you from locking yourself out of management.</p>
</li>
<li>
<p>Just renaming the <code>admin</code> does NOT alter its password, so you can still log in with the existing one.</p>
</li>
<li>
<p>You can rename the user back to <code>admin</code> if you want to, i.e. the renaming is reversible.</p>
</li>
<li>
<p>If you delete <code>admin</code>, you can later create a new user named <code>admin</code> again.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_renaming_the_code_admin_code_user_to_something_else_here_to_code_original_admin_code">Renaming the <code>admin</code> user to something else (here to <code>original_admin</code>)</h2>
<div class="sectionbody">
<div class="olist arabic">
<ol class="arabic">
<li>
<p>First, you have to create a new user (<code>fortiadmin</code>, the name is irrelevant) with the <code>super_admin</code> access profile:</p>
</li>
</ol>
</div>
<div class="listingblock">
<div class="content">
<pre>config sys admin
edit fortiadmin
set password s#cr#t
set accprofile super_admin
set trusthost1 10.10.19.0/24
next</pre>
</div>
</div>
<div class="olist arabic">
<ol class="arabic" start="2">
<li>
<p>Now I can rename the <code>admin</code></p>
</li>
</ol>
</div>
<div class="listingblock">
<div class="content">
<pre># config sys admin
(admin) # rename admin to original_admin
command parse error before 'admin' . <-- HAVE TO LOG OUT OF ALL SESSIONS OF admin FIRST
Command fail. Return code -61
FGT-Perimeter (admin) # rename admin to original_admin
FGT-Perimeter (admin) # show
config system admin
edit "original_admin"
set accprofile "super_admin"
set vdom "root"
set password ENC SH2vACIdY6Mn1jTArqaRkLrK5kRjdFSMOrFUwG5wY/MdGEQQfVOPeDq7vzVEZs=
next
edit "fortiadmin"
set accprofile "super_admin"
set vdom "root"
set trusthost 10.10.19.0/24
set password ENC SH2/ivwkt6MPTQbJdStQmFrA6CAn73T86rjGEPka3ivoNfbVE6a6W2YlpBFjN8=
next
end</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_delete_code_admin_code_altogether">Delete <code>admin</code> altogether</h2>
<div class="sectionbody">
<div class="listingblock">
<div class="content">
<pre>FGT-Perimeter (admin) # del admin
FGT-Perimeter (admin) # end</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_re_crete_code_admin_code_user">Re-create <code>admin</code> user</h2>
<div class="sectionbody">
<div class="listingblock">
<div class="content">
<pre>FGT-Perimeter # config sys admin
FGT-Perimeter (admin) # edit admin
new entry 'admin' added
FGT-Perimeter (admin) # set password s3cr3ButNot
FGT-Perimeter (admin) # set accprofile super_admin
FGT-Perimeter (admin) # end</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_related">Related:</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://yurisk.info/2020/12/12/VPN-Fortigate-accounts-50000-leaked-by-hackers-on-the-internet/">50,000 VPN usernames and their passwords from Fortigates around the world were leaked last week – what you can do to prevent it from happening to you</a></p>
</li>
<li>
<p><a href="https://yurisk.info/2020/07/29/fortigate-guest-user-accounts-create-edit-delete-deploy/">Fortigate guest user accounts - create, edit, delete and deploy</a></p>
</li>
<li>
<p><a href="https://yurisk.info/2020/03/01/fortigate-enable-e-mail-as-mfa-and-increase-token-validity-time/">Fortigate - enable e-mail as a two-factor authentication for a user and increase token timeout</a></p>
</li>
<li>
<p><a href="https://yurisk.info/2018/01/05/Fortinet-Fortigate-ssh-access-with-certificate-authentication/">Fortigate ssh admin access with certificate authentication</a></p>
</li>
</ul>
</div>
</div>
</div>Fortigate - doing SNAT and DNAT on the same traffic in traditional and Central NAT modes how-to2021-05-24T17:55:25+00:002021-05-24T17:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2021-05-24:/2021/05/24/perform-snat-and-dnat-on-the-same-traffic-in-fortigate/<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_translate_source_ip_address_snat_and_destination_ip_dnat_in_usual_non_central_nat_mode">Translate source IP address (SNAT) and Destination IP (DNAT) in usual, non-Central NAT mode</a>
<ul class="sectlevel2">
<li><a href="#_configuration">Configuration</a></li>
<li><a href="#_verification">Verification:</a></li>
</ul>
</li>
<li><a href="#_translate_source_and_destination_ip_addresses_when_the_central_nat_is_enabled">Translate Source and Destination IP addresses when the Central NAT is enabled</a>
<ul class="sectlevel2">
<li><a href="#_configuration_2">Configuration</a></li>
<li><a href="#_verification_2">Verification</a></li>
<li><a href="#_cli_configuration">CLI configuration</a></li>
</ul>
</li>
<li><a href="#_related">Related:</a></li>
</ul>
</div>
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>When the situation requires translating both the source and the destination addresses of incoming packets, it may not be obvious how to do so. In this article I will show how to do it in either the usual NAT or the Central NAT mode.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_translate_source_ip_address_snat_and_destination_ip_dnat_in_usual_non_central_nat_mode">Translate source IP address (SNAT) and Destination IP (DNAT) in usual, non-Central NAT mode</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="_configuration">Configuration</h3>
<div class="paragraph">
<p>This is how it is done in most deployments.</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Configure the VIP as usual, translating the destination IP address from the external to the internal one.</p>
</li>
<li>
<p>In the security rule using the VIP object, enable NAT and set either the outgoing interface or an IP Pool as the source IP address.</p>
</li>
</ol>
</div>
<div class="paragraph">
<p>In the following examples I want to make an internal server with IP 172.20.20.218 and port 80 accessible via the external IP 10.10.10.218 and port 8080. Additionally, I want clients connecting to the server to appear to come from 172.20.20.254, the IP of the Fortigate internal (port2) interface.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/fortigate-vip-as-usual-no-central-nat-vip.png" alt="VIP as usual with port forwarding">
</div>
<div class="title">Figure 1. VIP translating incoming connections to port 8080 to internal server 172.20.20.218 and port 80</div>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/fortigate-snat-no-central-nat-vip-security-rule.png" alt="Security rule using the VIP and enabling NAT">
</div>
<div class="title">Figure 2. Security rule using the VIP</div>
</div>
</div>
<div class="sect2">
<h3 id="_verification">Verification:</h3>
<div class="listingblock">
<div class="title">Sniffer on the Fortigate</div>
<div class="content">
<pre>FGT-7 # diagnose sniffer packet any ' port 8080 or net 172.20.20.0/24' 4
Using Original Sniffing Mode
interfaces=[any]
filters=[ port 8080 or net 172.20.20.0/24]
4.579674 port1 in 172.14.14.1.56352 -> 10.10.10.218.8080: syn 1639243840 <b class="conum">(1)</b>
4.579752 port2 out 172.20.20.254.56352 -> 172.20.20.218.80: syn 1639243840 <b class="conum">(2)</b></pre>
</div>
</div>
<div class="colist arabic">
<ol>
<li>
<p>The first packet from client 172.14.14.1 arrives at the external interface, destined to 10.10.10.218 port 8080</p>
</li>
<li>
<p>The packet’s source and destination are translated: source from 172.14.14.1 to 172.20.20.254 (internal port2 IP on the Fortigate) and destination from 10.10.10.218 to 172.20.20.218 (internal server IP)</p>
</li>
</ol>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_translate_source_and_destination_ip_addresses_when_the_central_nat_is_enabled">Translate Source and Destination IP addresses when the Central NAT is enabled</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The functionality does not change when switching to Central NAT, but the NAT, security rule and VIP configurations are done in separate sections and do not depend on each other.</p>
</div>
<div class="paragraph">
<p>The workflow is:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Create VIP object in <strong>Policy & Objects → DNAT & Virtual IP</strong> as usual.</p>
</li>
<li>
<p>Create the security rule allowing access to the TRANSLATED destination IP, i.e. the internal IP used in the VIP configuration.</p>
</li>
<li>
<p>Create the following rule in <strong>Policy & Objects → Central NAT</strong> policy:</p>
<div class="olist loweralpha">
<ol class="loweralpha" type="a">
<li>
<p><em>Direction</em>: external to internal interface</p>
</li>
<li>
<p><em>Src IP</em>: All or as needed; represents the external clients connecting to the internal hosts and is used for matching only, not for translating.</p>
</li>
<li>
<p><em>Dst IP</em>: internal IP address of the internal host, i.e. the IP after DNAT translation.</p>
</li>
<li>
<p><em>Translation</em>: here we set which IP address the external client’s source IP should be translated to - pick either the outgoing interface or an IP Pool.</p>
</ol>
</div>
</li>
</ol>
</div>
<div class="sect2">
<h3 id="_configuration_2">Configuration</h3>
<div class="imageblock">
<div class="content">
<img src="/assets/fortigate-vip-as-usual-no-central-nat-vip.png" alt="VIP as usual with port forwarding">
</div>
<div class="title">Figure 3. Create VIP object in usual way.</div>
</div>
<div class="paragraph">
<p><br></p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/fortigate-snat-dnat-cnat-security-rule.png" alt="Security rule">
</div>
<div class="title">Figure 4. Security rule allowing access to the internal server</div>
</div>
<div class="paragraph">
<p><br></p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/fortigate-cnat-dnat-central-nat-rule.png" alt="Central NAT rule for the SNAT">
</div>
<div class="title">Figure 5. Central NAT rule for the purpose of doing SNAT</div>
</div>
</div>
<div class="sect2">
<h3 id="_verification_2">Verification</h3>
<div class="listingblock">
<div class="title">Sniffer on Fortigate</div>
<div class="content">
<pre>FGT-7 # diagnose sniffer packet any ' port 8080 or host 172.20.20.218' 4
Using Original Sniffing Mode
interfaces=[any]
filters=[ port 8080 or host 172.20.20.218]
6.396542 port1 in 172.14.14.1.58630 -> 10.10.10.218.8080: syn 1396331329
6.396611 port2 out 172.20.20.254.58630 -> 172.20.20.218.80: syn 1396331329</pre>
</div>
</div>
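<div class="paragraph">
<p>To check the translation without reading the two sniffer lines by eye, the following added example (not code from the original post) parses <code>diagnose sniffer packet</code> verbose-4 output and pairs each inbound packet with its outbound copy by the TCP sequence/ack text, which NAT leaves untouched. It reports what the Fortigate rewrote on the way through: source (SNAT), destination (DNAT) and port. The sample output is constructed from the verification listing above; the interface and address values are the article's own.</p>
</div>
```python
# Added example, not from the original post: pair the "in" and "out" lines of
# "diagnose sniffer packet ... 4" output and show what the VIP + central SNAT
# rule rewrote on each packet.
import re
from dataclasses import dataclass

# Constructed sample in the shape of the verification output above:
# one SYN entering port1, its translated copy leaving port2.
SAMPLE_SNIFFER = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[ port 8080 or host 172.20.20.218]
6.396542 port1 in 172.14.14.1.58630 -> 10.10.10.218.8080: syn 1396331329
6.396611 port2 out 172.20.20.254.58630 -> 172.20.20.218.80: syn 1396331329
"""

# "<ts> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp flags and numbers>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<tcp>.+)$"
)


@dataclass(frozen=True)
class Packet:
    ts: float
    intf: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    tcp: str  # e.g. "syn 1396331329"; NAT does not change seq/ack numbers


def parse_sniffer(text):
    """Return a Packet for every packet line; header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append(Packet(float(m["ts"]), m["intf"], m["dir"],
                              m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), m["tcp"].strip()))
    return packets


def translations(packets):
    """Pair each inbound packet with the outbound packet carrying the same TCP
    seq/ack text and report which of source, destination and ports changed."""
    outbound = {p.tcp: p for p in packets if p.direction == "out"}
    result = []
    for p in packets:
        if p.direction != "in":
            continue
        q = outbound.get(p.tcp)
        if q is None:
            continue  # no translated copy seen: e.g. dropped by policy
        result.append({
            "in_intf": p.intf, "out_intf": q.intf,
            "snat": (p.src, q.src) if p.src != q.src else None,
            "dnat": (p.dst, q.dst) if p.dst != q.dst else None,
            "sport": (p.sport, q.sport) if p.sport != q.sport else None,
            "dport": (p.dport, q.dport) if p.dport != q.dport else None,
        })
    return result


if __name__ == "__main__":
    for t in translations(parse_sniffer(SAMPLE_SNIFFER)):
        print(t)
```
<div class="paragraph">
<p>On the sample above the script reports the source rewritten to the port2 address (SNAT), the destination rewritten to the internal server (DNAT) and port 8080 mapped to 80, with the source port unchanged. An inbound packet with no outbound pair is a quick sign that the security rule, not the NAT rule, is what needs attention.</p>
</div>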
</div>
<div class="sect2">
<h3 id="_cli_configuration">CLI configuration</h3>
<div class="listingblock">
<div class="title">Full configuration for the Central NAT case:</div>
<div class="content">
<pre>FGT-7 # show firewall central-snat-map
config firewall central-snat-map
edit 1
set uuid 5f691854-bc8f-51eb-bd91-c227379e4792
set srcintf "port1"
set dstintf "port2"
set orig-addr "all"
set dst-addr "Server_172.20.20.218"
set protocol 6
next
end
FGT-7 # show firewall policy
config firewall policy
edit 1
set name "VIP-with-SNAT-and-DNAT-in-CNAT"
set uuid 15ac35d4-bc8f-51eb-ad82-7fc0a73227b3
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "Server_172.20.20.218"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
FGT-7 # show firewall vip
config firewall vip
edit "VIP-as-usual"
set uuid 5eda6046-bc76-51eb-cbe7-ab34fa9b44ff
set extip 10.10.10.218
set mappedip "172.20.20.218"
set extintf "any"
set portforward enable
set extport 8080
set mappedport 80
next
end</pre>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_related">Related:</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://yurisk.info/2020/06/04/fortigate-virtual-ip-server-load-balancing/">Fortigate virtual IP server load balancing configuration and debug</a></p>
</li>
<li>
<p><a href="https://yurisk.info/2021/04/01/fortigate-fortios-7-what-is-new-visual-guide/">Fortigate FortiOS 7.0 is out - what’s new Visual Guide</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Checkpoint API tutorial, part 1 - getting started2021-05-09T11:55:25+00:002021-05-09T11:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2021-05-09:/2021/05/09/checkpoint-api-tutorial-part1-getting-started/<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>In this, 1st part of tutorial series, I will show how to enable remote access to API on Checkpoint Management Server, verify that it is running and is indeed enabled for remote access, and create first Network object - Host via HTTP request. All this I will do in <strong>Postman</strong> software, so no coding skills are required.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_introduction">Introduction</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Before diving in it is worth knowing those things about Checkpoint API:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>API is a Management Server-only feature. There is no API on the firewall gateway so far, but I heard Checkpoint are working on it as well.</p>
</li>
<li>
<p>API in Checkpoint can be accessed in 4 ways: Web/HTTP REST API, SmartConsole applet CLI, <code>mgmt_cli</code> CLI tool (available on both - Management and local PC), and GAIA <code>clish</code>.</p>
</li>
<li>
<p>Web API service listens on the same port configured for the GAIA management portal access.</p>
</li>
<li>
<p>Access to Web API is via https only (naturally).</p>
</li>
<li>
<p>API first appeared in Checkpoint R80.</p>
</li>
<li>
<p>API is versioned as 1.x for the current R8x train. API versions will update with major version releases (e.g. R80.20 to R80.30), as well as optionally with Jumbo Hotfixes.</p>
</li>
<li>
<p>API is part of the Management server: you don’t need to install/update or manage it in any way. Once the Management is installed, the API is inside.</p>
</li>
<li>
<p>All previous API versions are available on every Management version. E.g. the current/latest API version on R80.40 is v1.6, but you can also use API v1.5, v1.4 etc on it. You just append to your API commands the version explicitly. This ensures that scripts/dashboards developed for one API version will work in the future.</p>
</li>
<li>
<p>API versions are mostly compatible. After the major change (81 additions) from R80 to R80.10, most of the changes are either addition of new API functions, or addition of new properties to existing ones. So, while there is no guarantee, it is not necessary to cling to a specific version fearing the code will break.</p>
</li>
<li>
<p>All Web API requests will start with the path <code>web_api</code>. This way Checkpoint can differentiate HTTP requests to Web API versus requests to GAIA portal.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Now, let’s configure something.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_enable_api_remote_access_and_verify">Enable API remote access and verify</h2>
<div class="sectionbody">
<div class="paragraph">
<p>API is installed and enabled by default, except for the corner case of low memory - "By default, the API server is active on management servers with 4GB of RAM (or more) and on stand-alone servers with 8GB of RAM (or more)".</p>
</div>
<div class="paragraph">
<p>So, provided your server has enough RAM, the next step is to allow remote access to the API; otherwise only local access from the Management server itself is possible.</p>
</div>
<div class="paragraph">
<p>To do so, in the SmartConsole, go to <strong>Manage and Settings → Blades → Management API → Advanced Settings</strong> and check either <strong>All IP addresses</strong> (this removes IP restrictions at the API server level; firewall security rules still apply if there are any [and there should be]) or <strong>All IP addresses that can be used for GUI clients</strong> (this references the <em>GUI clients</em> setting for SmartConsole access).</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/checkpoint-api-tutorial-enable-remote-api-access.png" alt="checkpoint api tutorial enable remote api access">
</div>
</div>
<div class="paragraph">
<p>Next, click on <strong>Publish</strong> and <strong>Install</strong>. Then restart the API service from the CLI on the Management server in Expert mode with <strong>api restart</strong>; no other services are affected, so there is no downtime.</p>
</div>
<div class="paragraph">
<p>You should see the output like that:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>[Expert@CP80-40:0]# api restart
2021-Apr-21 12:35:36 - Stopping API...
2021-Apr-21 12:35:39 - API stopped successfully.
2021-Apr-21 12:35:39 - Starting API...
. . . . . . . . . . . . .
2021-Apr-21 12:36:51 - API started successfully.</pre>
</div>
</div>
<div class="paragraph">
<p>Here comes the first verification task - make sure the change actually took effect. It happens that you need to ask the Management twice to do this - I had to do Policy Install twice after changing the access, or you may have to restart the API service twice; it happens.</p>
</div>
<div class="paragraph">
<p>The following will show the settings that are in effect:</p>
</div>
<div class="paragraph">
<p><strong>api status</strong></p>
</div>
<div class="listingblock">
<div class="content">
<pre>[Expert@CP80-40:0]# api status
API Settings:
---------------------
Accessibility: Require ip 127.0.0.1 <b class="conum">(1)</b>
Automatic Start: Enabled <b class="conum">(2)</b>
Processes:
Name State PID More Information
-------------------------------------------------
API Started 32042
CPM Started 10098 Check Point Security Management Server is running and ready <b class="conum">(3)</b></pre>
</div>
</div>
<div class="colist arabic">
<ol>
<li>
<p>This means the API accepts requests sourced only from the Management server itself: the default state, and not what we want.</p>
</li>
<li>
<p>Unless someone messed with the Management, it should be <code>Enabled</code>.</p>
</li>
<li>
<p>Self-explanatory</p>
</li>
</ol>
</div>
<div class="paragraph">
<p>After allowing access in SmartConsole from the IPs permitted for GUI access (the option chosen in this case), the output looks like this:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>Expert@CP80-40:0]# api status
API Settings:
---------------------
Accessibility: Require all granted <b class="conum">(1)</b>
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Started 911
CPM Started 10098 Check Point Security Management Server is running and ready</pre>
</div>
</div>
<div class="colist arabic">
<ol>
<li>
<p>The state changed to what we desire, good.</p>
</li>
</ol>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_create_authenticated_session_record_session_identifier">Create authenticated session, record session identifier</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Before we can talk to API, we have to authenticate ourselves to the Management server. This process will also authorize our session to do/query only things our user is allowed via administrator profile assigned on the Management server.</p>
</div>
<div class="paragraph">
<p>To do so, we start every new API session with <code>login</code> request.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
As this is a tutorial on Web API, I will not include <code>mgmt_cli</code>, <code>clish</code> and SmartConsole CLI applet in our discussion, but just be aware the process is the same - 1st you log in, then you work with the API.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>On successful <code>login</code> request, the API service will answer with JSON formatted data in the <em>body</em>.</p>
</div>
<div class="paragraph">
<p>In this tutorial I will use the <em>admin</em> user with full privileges, something you should stay away from on a production firewall. I will, at a later time, show how to apply admin profiles to the user or alternatively use an <code>api-key</code> instead of username/password.</p>
</div>
<div class="paragraph">
<p><code>sid</code> is one of the parameters returned by the <code>login</code> POST request (we talk to the API over HTTP/1.1) and it contains the one-time authentication token we need to save for further requests in this session.</p>
</div>
<div class="paragraph">
<p>Ok, now, that we know enough to be dangerous, let’s make a <code>login</code> POST request.</p>
</div>
<div class="sect2">
<h3 id="_create_a_login_session">Create a login session</h3>
<div class="paragraph">
<p>If you don’t know it, Postman is free software with a GUI for testing APIs. Even if in production you work in code (Python/Golang/etc.), I highly recommend getting to know this tool, as it lets you understand what is going on with any API without resorting to <code>print</code> on every other line of code.</p>
</div>
<div class="paragraph">
<p>I assume you have already downloaded Postman and have it open.</p>
</div>
<div class="paragraph">
<p>We need to set the following parameters for our POST request session:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><em>IP address and port of the Management server</em>: whom we are going to query.</p>
</li>
<li>
<p><em>username/password of administrator</em>: by administrator I mean any user that can log in to SmartConsole/GAIA. We set it inside the request body in JSON format, where it looks like this (I am using <code>qwe123</code> for the password just because it is a lab, don’t do it in production):<br></p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>{
"user" : "admin",
"password" : "qwe123"
}</pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p><code>Content-type: application/json</code> header. This is a hint to Postman; otherwise it tries to guess the appropriate content type and may get it wrong.</p>
</li>
<li>
<p><em>path to login resource</em>: We request <code>web_api/login</code> resource on the API server.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>The screenshot of the above settings:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/checkpoint-api-tutorial-postman-session1.png" alt="checkpoint api tutorial postman session1">
</div>
</div>
<div class="paragraph">
<p>As you can see, we got in reply <code>sid</code> with the authentication token. Now we can copy its value and move to the next step - creating a Host object.</p>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_create_a_host_object_and_publish_the_result">Create a Host object and publish the result</h2>
<div class="sectionbody">
<div class="paragraph">
<p>First, we need to know which API function creates a Host object. This can be looked up in the <a href="https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-host~v1.6">Checkpoint API documentation</a>.
From there we learn that the required parameters are the <code>x-chkp-sid</code> header, <code>name</code>, and <code>ip-address</code>, and that we should request <code>/web_api/add-host</code>.</p>
</div>
<div class="paragraph">
<p><code>x-chkp-sid</code> will contain the <code>sid</code> token and the rest is obvious. So, let’s create a host object named <em>Dummy_33</em> with the IP address of 33.33.33.33.</p>
</div>
<div class="paragraph">
<p>Again, with these parameters I construct a new request. The bottom picture is of the answer to the request:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/checkpoint-api-tutorial-postman-create-host.png" alt="checkpoint api tutorial postman create host">
</div>
</div>
<div class="paragraph">
<p>As seen above, the object was successfully created (response code 200). The final step is to publish the result, so all Checkpoint admins will be able to use this object. We need to send a POST request for the resource <code>/web_api/publish</code> using the same token from <code>sid</code> and the <code>Content-type: application/json</code> header. I’ll leave it as an exercise.</p>
</div>
<div class="sect2">
<h3 id="_verification">Verification</h3>
<div class="paragraph">
<p>A few points about verification:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>In Web API, always check the HTTP response code: anything but <code>200 OK</code> means something went wrong.</p>
</li>
<li>
<p>Additionally, look in the body of the response for clues on what wasn’t right.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Here are 2 examples of something going wrong.</p>
</div>
<div class="paragraph">
<p><strong>Case 1: Trying to reference a property of the object that doesn’t exist</strong></p>
</div>
<div class="paragraph">
<p>I tried to set the property <code>tags</code>, which does not exist; <code>tag</code> is the correct property:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/checkpoint-api-tutorial-postman-bad-parameter-name.png" alt="checkpoint api tutorial postman bad parameter name">
</div>
</div>
<div class="paragraph">
<p>As you can see, the response <code>message</code> tells me exactly what was wrong.</p>
</div>
<div class="paragraph">
<p><strong>Case 2: Sending POST request as a form instead of the JSON in the body</strong>:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/checkpoint-api-tutorial-postman-wrong-data-format.png" alt="checkpoint api tutorial postman wrong data format">
</div>
</div>
<div class="paragraph">
<p>Checkpoint gives the exact reason in the <code>message</code> as well, in addition to the response error code <code>400 Bad Request</code>.</p>
</div>
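<div class="paragraph">
<p>The same <code>login</code> → <code>add-host</code> → <code>publish</code> sequence as code, with the two verification rules from this section built in (any status other than 200 is an error, and the body’s <code>message</code> is the reason). This is an added example, not code from the tutorial or from Check Point. The only part that touches the network is the transport function; a constructed fake transport stands in for the Management server so the flow can be run offline, and its response shapes and its <code>Unrecognized parameter</code> wording are assumptions for the demo, not the real server’s messages. The management URL is a placeholder.</p>
</div>
```python
# Added example, not from the tutorial: login -> add-host -> publish against the
# Check Point Web API, with an injectable transport so it runs offline.
import json
import ssl
import urllib.error
import urllib.request


class CheckpointApiError(Exception):
    """Raised when the Web API answers anything but 200 OK."""

    def __init__(self, status, body):
        super().__init__(f"HTTP {status}: {body.get('message', body)}")
        self.status, self.body = status, body


def http_send(base_url, path, headers, payload, verify_tls=True):
    """Real transport: POST JSON to <base_url>/web_api/<path>, return (status, body).
    verify_tls=False is for a lab with the default self-signed certificate only."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"{base_url}/web_api/{path}",
                                 data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:  # 4xx/5xx still carry a JSON body
        return e.code, json.loads(e.read() or b"{}")


class CheckpointSession:
    def __init__(self, base_url, send=http_send):
        self.base_url, self.send, self.sid = base_url, send, None

    def call(self, path, payload):
        # Every request is a JSON POST; after login the token goes in x-chkp-sid.
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["x-chkp-sid"] = self.sid
        status, body = self.send(self.base_url, path, headers, payload)
        if status != 200:  # the tutorial's rule: anything but 200 OK went wrong
            raise CheckpointApiError(status, body)
        return body

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]
        return self.sid

    def add_host(self, name, ip_address):
        return self.call("add-host", {"name": name, "ip-address": ip_address})

    def publish(self):
        return self.call("publish", {})


def fake_send(base_url, path, headers, payload):
    """Constructed stand-in for the Management server (assumed response shapes)."""
    if path == "login":
        return 200, {"sid": "FAKE-SID-0001"}  # constructed token
    if headers.get("x-chkp-sid") != "FAKE-SID-0001":
        return 401, {"message": "Missing or invalid session id"}
    if path == "add-host":
        unknown = sorted(set(payload) - {"name", "ip-address"})
        if unknown:  # mirrors Case 1 above: a property that does not exist
            return 400, {"message": f"Unrecognized parameter [{unknown[0]}]"}
        return 200, {"name": payload["name"], "ipv4-address": payload["ip-address"]}
    if path == "publish":
        return 200, {"task-id": "constructed-task-id"}
    return 404, {"message": "not found"}


def create_and_publish_host(name, ip, user, password, send=fake_send):
    """The whole flow from the tutorial; swap send=http_send for a real server."""
    s = CheckpointSession("https://mgmt.example.invalid", send=send)  # placeholder URL
    s.login(user, password)
    host = s.add_host(name, ip)
    s.publish()
    return host


if __name__ == "__main__":
    print(create_and_publish_host("Dummy_33", "33.33.33.33", "admin", "qwe123"))
```
<div class="paragraph">
<p>Two things the client does that the Postman screenshots leave implicit: it never sends <code>x-chkp-sid</code> before a successful <code>login</code>, and it turns every non-200 answer into an exception that carries the server’s <code>message</code>, so a mistyped property name fails loudly at the <code>add-host</code> step instead of leaving an unpublished session behind.</p>
</div>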
<div class="paragraph">
<p>That’s all for this part, in which I showed how to create a login session, obtain the authentication token, create a host object, and publish the result. In the next part I will talk about changing and installing the Security Policy.</p>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>
</div>Fortianalyzer diagnose and debug cheat sheet2021-05-03T18:55:25+00:002021-05-03T18:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2021-05-03:/2021/05/03/fortianalyzer-daignose-and-debug-cheat-sheet/<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>This cheat sheet as PDF: <a href="/assets/fortianalyzer-debug-cheat-sheet.pdf">Fortianalyzer diagnose and debug cheat sheet</a></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_general_health">General Health</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>get sys status</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Get general information: firmware version, serial number, ADOMs enabled or not, time and time zone, general license status (Valid or not).</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>get sys performance</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Detailed performance statistics: CPU load, memory usage, hard disk/flash disk used space and input/output (<code>iostat</code>) statistics.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>exe top</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Display real time list of running processes with their CPU load.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diag log device</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Shows how much space is used by each device logging to the Fortianalyzer, including quotas.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>exe iotop -b -n 1</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Display and update every 1 second READ/WRITE statistics for all the processes.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose system print cpuinfo</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Display hardware CPU information - vendor, number of CPUs etc.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose hardware info</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Even more hardware-related info.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose system print df</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show disk partitions and space used. Analog of the Linux <code>df</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>exe lvm info</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Shows disks status and size</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose system print loadavg</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show average system load, analog to the Linux <code>uptime</code> command.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose system print netstat</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show established connections to the Fortianalyzer, as well as listening ports. Every logging device can (and usually does) have multiple connections established.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose system print route</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show routing table of the Fortianalyzer.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="_communication_debug">Communication debug</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose test application oftpd 3</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">List all devices sending logs to the Fortianalyzer with their IP addresses, serial numbers, <em>uptime</em> meaning connection establishment uptime, not remote device uptime, and packets received (should be growing).</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose debug application oftpd 8 <<em>Device name</em>></strong>
</p><p class="tableblock"><strong>diagnose debug enable</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Real time debug of communicating with the <em>Device name</em> device.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose sniffer packet any "host <em>IP of remote device</em>"</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Sniff packets from/to remote device, to make sure they are sending each other packets. The communication is encrypted.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose sniffer packet any "port 514"</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Sniff all packets to/from port 514 used by Fortianalyzer to receive logs from remote devices.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="_logs_from_devices">Logs from devices</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose test application oftpd 50</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show log types received and stored for each device.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diag log device</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Shows how much space is used by each device logging to the Fortianalyzer, including quotas.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose fortilogd lograte</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show in one line last 5/30/60 seconds rate of receiving logs.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose fortilogd lograte-adom all</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show as table log receiving rates for all ADOMs aggregated per device type (i.e. rate for all Fortigates will be as one data per ADOM).</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose fortilogd lograte-device</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show average logs receive rate per device for the last hour, day, and week.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose fortilogd lograte-total</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show summary log receive rate for all devices on this Fortianalyzer.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="_licensing">Licensing</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose dvm device list</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Look for the line <em>There are currently N devices/vdoms count for license</em>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>diagnose debug vminfo</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show report on Virtual Machine license: whether valid or not, type, licensed storage volume, licensed log receive rate, licensed maximum device count.
</p><p class="tableblock"></p><p class="tableblock"></p><p class="tableblock"></p><p class="tableblock"></p><p class="tableblock"></p><p class="tableblock"><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p></td>
</tr>
</tbody>
</table>
</div>
</div>Fortianalyzer Custom Reports from Custom Datasets Visual Guide How-to2021-04-27T18:55:25+00:002021-04-27T18:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2021-04-27:/2021/04/27/fortianalyzer-custom-reports-from-custom-dataset-visual-guide-how-to/<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>In this short visual guide I will show how to create a custom report from your own SQL query in Fortianalyzer. Fortianalyzer comes with a plethora of datasets and reports defined - more than 800. My issue with all of them: they are <strong>overly complex</strong> and are geared more towards <strong>C-level management</strong>, to impress with lots of pie charts and graphs. 5 lines of SQL query just to get CPU/memory/sessions/users connected? In this guide I will get from Fortianalyzer the CPU, memory, number of sessions and their setup rate, and bandwidth used. I needed this data to do sizing/capacity planning for a client’s existing Fortigate 500D.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/fortianalyzer-custom-reports-work-flow.svg" alt="Fortianalyzer custom report workflow">
</div>
<div class="title">Figure 1. The workflow to create any custom report</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_create_custom_dataset">Create custom dataset</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Any report, custom or built-in, starts with the dataset - an SQL query sent to the Fortianalyzer PostgreSQL database holding the Analytics data. Different log types (Event, Traffic etc.) are inserted into separate SQL tables. We can specify the table name explicitly or use the generic <code>$log</code> and set the table via the drop-down menu.</p>
</div>
<div class="paragraph">
<p>To create a dataset, go to <strong>Reports → Report Definitions → Datasets</strong>.</p>
</div>
<div class="paragraph">
<p>Here is the dataset I created to get the data I needed (legend and explanations below):</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/FAZ-Custom-Data-set-SQL-query-CPU-memory-session-setup-rate-bandwidth.png" alt="Fortianalyzer custom dataset" width="100%" height="auto">
</div>
</div>
<div class="paragraph">
<p><em>Name</em> Any name to make it easy to find.</p>
</div>
<div class="paragraph">
<p><em>Log Type</em> SQL table to query. You can either explicitly state the log name (see table below for the whole list) or leave it to Fortianalyzer. Here I am using <em>Event</em> as this type of log (and accordingly its SQL table) contains performance data I need.</p>
</div>
<div class="paragraph">
<p><em>Query</em>: select from_dtime(dtime) as epoch_time, cpu, mem, setuprate, totalsession, bandwidth from $log where $filter and action='perf-stats' ORDER by epoch_time <br>
- <code>from_dtime(dtime)</code>: <em>dtime</em> is the timestamp of the log on the device (Fortigate) in epoch format, and <code>from_dtime</code> is a Fortianalyzer utility function that translates it from epoch to a human-readable timestamp. <br>
- <code>cpu, mem, setuprate, totalsession, bandwidth</code> are the column names in the table whose values I want. <br>
- <code>from $log</code>: as I set the log type to <em>Event</em> in the drop-down menu above, this placeholder is expanded to the correct SQL table.<br>
- <code>where $filter and action='perf-stats'</code> is a combined filter. <code>$filter</code> is a placeholder for the <em>Time Period</em> (Today) and <em>Devices</em> (All) settings, which Fortianalyzer obliges you to set; set the time period to how far back in time you need the data. <code>action='perf-stats'</code> is my own filter on the <em>action</em> column, returning only those <em>Event</em> logs that have <em>action</em> set to <em>perf-stats</em>.<br>
- <code>ORDER BY epoch_time</code> sorts the result set by log timestamp; without it the rows come back in no guaranteed order. I use capitals here to show that the case of SQL keywords does not matter to Fortianalyzer.</p>
</div>
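<div class="paragraph">
<p>Below are three dataset queries that build on the one explained above; they are an added example and not part of the original post. Each query is a separate dataset (one statement per dataset, <em>Log Type</em> set to <em>Event</em>), the <code>--</code> comments are for the reader and should be dropped when pasting into Fortianalyzer. <code>$log</code>, <code>$filter</code> and <code>from_dtime()</code> are the Fortianalyzer placeholders and helper described above; the assumptions are that <code>cpu</code>, <code>mem</code>, <code>setuprate</code>, <code>totalsession</code> and <code>bandwidth</code> are numeric columns, that <code>from_dtime()</code> returns a timestamp, and that the plain PostgreSQL <code>date_trunc()</code> is passed through to the backend unchanged.</p>
</div>

```sql
-- Added example, not from the original post: three stand-alone FortiAnalyzer
-- dataset queries, one per dataset (Log Type = Event).
-- $log / $filter are FortiAnalyzer placeholders, from_dtime() its
-- epoch-to-timestamp helper. Assumption: cpu, mem, setuprate, totalsession
-- and bandwidth are numeric columns, so comparisons and max()/avg() work.

-- 1. The query from the text: every perf-stats sample, oldest first.
select from_dtime(dtime) as epoch_time,
       cpu, mem, setuprate, totalsession, bandwidth
from $log
where $filter and action='perf-stats'
order by epoch_time;

-- 2. Only the samples where CPU or memory crossed 80 percent: the rows
--    worth looking at when hunting for a saturation window.
select from_dtime(dtime) as epoch_time,
       cpu, mem, totalsession, setuprate
from $log
where $filter and action='perf-stats'
  and (cpu >= 80 or mem >= 80)
order by epoch_time;

-- 3. One row per hour with peak and average load. date_trunc() is plain
--    PostgreSQL; the assumption is that FortiAnalyzer passes it through
--    to its backend unchanged and that from_dtime() yields a timestamp.
select date_trunc('hour', from_dtime(dtime)) as hour,
       max(cpu)          as max_cpu,
       round(avg(cpu))   as avg_cpu,
       max(mem)          as max_mem,
       max(totalsession) as max_sessions,
       max(setuprate)    as max_setuprate
from $log
where $filter and action='perf-stats'
group by hour
order by hour;
```

<div class="paragraph">
<p>Run each one with <em>Test</em> first: the 100-row preview is enough to confirm the column types and that <code>$filter</code> covers the period you expect. Remember that the chart built on top of any of these still needs <em>Show Top</em> set to 0, otherwise the report silently stops after 100 rows.</p>
</div>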
<div class="paragraph">
<p>The next step is to click on <em>Test</em> and verify that the results are what you expect. The test returns only about 100 rows, but no worries: the actual report will return all the records it finds.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_create_a_chart_using_the_dataset">Create a chart using the dataset</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Now I can use this custom dataset to create a chart in <strong>Report Definitions → Chart Library → New ..</strong>. I choose <strong>Table</strong> as the chart type, the alternatives being pie and other graphics. As I need ALL CPU/memory measurements over time, only a table will do.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/FAZ-Custom-Data-set-SQL-query-CPU-memory-session-setup-rate-bandwidth-Chart.png" alt="Custom Chart using the custom dataset" width="100%" height="auto">
</div>
</div>
<div class="hdlist">
<table>
<tr>
<td class="hdlist1">
Name
</td>
<td class="hdlist2">
<p>Any unique name to find it later.</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Description
</td>
<td class="hdlist2">
<p>Well, description.</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Dataset
</td>
<td class="hdlist2">
<p>Here I choose the custom dataset I created earlier.</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Resolve Hostname
</td>
<td class="hdlist2">
<p>Leave it as is.</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Chart Type
</td>
<td class="hdlist2">
<p>Table</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Data Binding
</td>
<td class="hdlist2">
<p>Regular</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Columns
</td>
<td class="hdlist2">
<p>These were auto-added based on the dataset I chose, no need to change anything.</p>
</td>
</tr>
<tr>
<td class="hdlist1">
Show Top
</td>
<td class="hdlist2">
<p>This is important: by default it is set to <em>100</em>, so the result table would include the first 100 rows only! Not what I need, so I set it to <em>0</em> to return ALL results.</p>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>Click <em>OK</em> and let’s move to the next step - creating the report.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_create_the_custom_report_using_the_chart_created_above">Create the Custom Report Using the Chart Created Above</h2>
<div class="sectionbody">
<div class="paragraph">
<p>In <strong>Reports → Report Definitions → All Reports → New ..</strong> I create a new blank report</p>
</div>
<div class="paragraph">
<p>In the <em>Layout</em> tab I click on <strong>Insert Chart</strong> and pick the chart I created above. In the <em>Settings</em> tab we can limit the returned data by device and by time period. This is the second place where this filter can be set; the first is the <code>$filter</code> placeholder when creating the dataset. Note that if Fortianalyzer holds data for less than the specified period, it will neither complain nor warn us in any way, so check the oldest timestamp in the result before drawing conclusions from it.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/FAZ-Custom-Data-set-SQL-query-CPU-memory-session-setup-rate-bandwidth-report5.png" alt="Layout tab" width="100%" height="auto">
</div>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/FAZ-Custom-Data-set-SQL-query-CPU-memory-session-setup-rate-bandwidth-report1.png" alt="Setting tab of Report creation" width="100%" height="auto">
</div>
</div>
<div class="paragraph">
<p>Click on OK and it’s done - the new custom report is available to run.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_run_the_custom_report_and_download_result">Run the Custom Report and Download Result</h2>
<div class="sectionbody">
<div class="paragraph">
<p>What is left is to go to <strong>Reports → Report Definitions → All Reports</strong>, find the report I created, select it, and click <strong>Run</strong>.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/FAZ-Custom-Data-set-SQL-query-CPU-memory-session-setup-rate-bandwidth-report7.png" alt="Run the report" width="100%" height="auto">
</div>
</div>
<div class="paragraph">
<p>Once it has finished running, the result is available in <strong>Generated Reports</strong> for download as XML, PDF, HTML or CSV.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/FAZ-Custom-Data-set-SQL-query-CPU-memory-session-setup-rate-bandwidth-report8.png" alt="Report for download" width="100%" height="auto">
</div>
</div>
<div class="paragraph">
<p>Here is how this report looks in Excel after downloading it as CSV file:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/assets/FAZ-Custom-Data-set-SQL-query-CPU-memory-session-setup-rate-bandwidth-report11.png" alt="Report as seen in Excel" width="100%" height="auto">
</div>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 1. Log types and their table names in the SQL database of Fortianalyzer</caption>
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Log type</th>
<th class="tableblock halign-left valign-top">Log name to use in SQL query</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Traffic log</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>$log-traffic</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Event log</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>$log-event</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Attack log</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>$log-attack</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">AppControl log</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>$log-app-ctrl</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Antivirus log</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>$log-virus</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Web filter log</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>$log-webfilter</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">DLP log</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>$log-dlp</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Antispam log</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>$log-emailfilter</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Netscan log</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>$log-netscan</code></p></td>
</tr>
</tbody>
</table>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Fortigate FortiOS 7.0 is out - what's new Visual Guide2021-04-01T17:55:25+00:002021-04-01T17:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2021-04-01:/2021/04/01/fortigate-fortios-7-what-is-new-visual-guide/<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>On the 30th of March Fortinet released <strong>FortiOS 7.0</strong> for all supported models (alas, many <strong>D series</strong> Fortigates, like the 500D, are not supported), and here is a visual walkthrough of the changes that can be seen in the GUI.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
All the videos below come without sound.
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_new_color_themes_were_added_some_old_ones_were_removed_bad">New color themes were added, some old ones were removed (bad)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>It is a tradition for Fortinet to redesign the web management GUI with each new major FortiOS release, with most of these hit-and-miss redesigns being a miss. Finally, in FortiOS 6.0, they came up with the <em>Green</em> theme that most people liked. Only that in FortiOS 7.0 …​ it was removed. To add an emotional selling point they added the <em>Retro</em> theme, see below. Unfortunately, to me this theme of the FortiOS 2.8 era provokes not so much nostalgia (as Fortinet marketing hoped) as bad memories of a Fortigate 60 never coming back up after you pushed the <em>Reboot</em> button in that web GUI. The only theme I find the least ugly is the <em>Mariner</em> one, but let’s hope that after the discontent I see coming, Fortinet will bring back the <em>Green</em> theme.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/FortiOS-7-whats-new-Color-Themes.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_api_preview_option_is_available_almost_for_all_configuration_screens_good">API Preview option is available almost for all configuration screens (good)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>That’s pretty cool: now we can see the underlying API calls and use them to automate the configuration. A bit of context: the Fortigate (and other Fortinet products) have a well-working REST API, which you can use to configure and monitor these devices programmatically over HTTPS. Unfortunately for us, Fortinet hid the API documentation behind a paywall. To access the full Fortigate API reference you need a subscription to the <em>Fortinet Developers Network</em>, which costs about 2000 Euro a year. They do offer (kind of) free access though: if you can find 2 "sponsors" at Fortinet to vouch for you, you can ask for free developer access to the FDN (without the ability to post on the forums or any support, obviously). But now, with this <em>API Preview</em> button, we can see the API calls and get along without access to the API documentation.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/FortiOS-7-whats-new-API-preview.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_edit_in_cli_option_added_in_many_places">Edit in CLI option added in many places</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This opens a CLI console already positioned at the configuration level of the very object we have open in the GUI.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/FortiOS-7-whats-new-Edit-in-CLI.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_insecure_admin_protocols_are_highlighted_in_bold_red_on_the_interface_page_good">Insecure admin protocols are highlighted in bold red on the interface page (good)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Previously they were shown in pink; now the page screams at the administrator "What are you doing?". Telnet access was even removed from the GUI and can only be enabled from the CLI (<code>set allowaccess</code> under <code>config system interface</code>), so that is the place to audit after an upgrade.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/FortiOS-7-whats-new-Telnet-enabled.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_all_sd_wan_related_configs_are_now_in_a_single_page_on_different_tabs_good">All SD-WAN related configs are now in a single page on different tabs (good)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>That was begging to be fixed: there is no sense in splitting parts of the same feature across 3 different pages.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/FortiOS-7-whats-new-SD-WAN-tabs.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_dropped_support_for_many_most_of_the_d_series_fortigates_bad">Dropped support for many/most of the D series Fortigates (bad)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>I am not sure whether this is marketing-driven or technically based, but we have clients with various D models that work just fine, with valid, up-to-date subscriptions. The thought of replacing a firewall just because no new FortiOS versions will be released for it is not much fun, as it puts pressure on admins to upgrade while everything works fine. A few months ago Fortinet announced a <em>Long Term Support</em> program to keep older FortiOS versions up to date security-wise, but I haven’t heard anything about it since.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_new_local_out_settings_must_be_1st_enabled_in_visibility_to_set_source_ip_for_fortigate_originated_traffic_good">New: Local Out settings (must first be enabled under Feature Visibility) to set the source IP for Fortigate-originated traffic (good)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This feature was available in the CLI only; now it is exposed in the GUI as well. We can control which source IP the Fortigate uses for the traffic it originates itself, e.g. FortiGuard or DNS queries, which becomes quite important once SD-WAN is enabled.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/FortiOS-7-whats-new-Local-Out-Policy-new.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_free_ssl_certificates_via_acme_let_s_encrypt_with_dns_verification_but_only_for_60_days_validity_max_good">Free SSL Certificates via ACME Let’s Encrypt with DNS verification, but only for 60 days validity max (good)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Another "cool category" feature: we can set up the Fortigate to request, and automatically renew, an SSL certificate from the <em>Let’s Encrypt</em> certificate authority, and of course it is totally free. This takes away the last excuse for not installing a valid SSL certificate for admin access: "But it costs money …​".</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/FortiOS-7-whats-new-Lets-Encrypt-certificate.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_security_fabric_automation_rearranged_new_tabs_for_triggers_actions_good">Security Fabric → Automation rearranged, new tabs for Triggers, Actions (good)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Here too, they just combined the Automation-related pages into tabs of the same page; no new functionality.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/FortiOS-7-whats-new-Automation-stitches.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_new_network_routing_objects_good">New: Network → Routing Objects (good)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Finally, not only a cool but an essential feature: all the routing-related configs that were available in the CLI only until now got their own page in <em>Network → Routing objects</em>. Prefix lists, communities, route-maps: all the things you can’t really do without when enabling dynamic routing protocols on a Fortigate. I, personally, will continue configuring those things on the CLI.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/FortiOS-7-whats-new-Route-Object.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_merge_all_traffic_shaping_related_pages_into_one_with_policy_objects_traffic_shaping_with_multiple_tabs_good">Merge all Traffic Shaping related pages into one with Policy & Objects → Traffic Shaping with multiple tabs (good)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Also not new functionality, but a rearrangement that was only logical.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/FortiOS-7-whats-new-Traffic-SHaping.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_security_profiles_ssl_inspection_now_multiple_ssl_certificates_can_be_chosen_for_the_same_profile_to_protect_multiple_web_sites_residing_on_the_same_ip_server_good">Security Profiles → SSL Inspection, now multiple SSL certificates can be chosen for the same profile to protect multiple web sites residing on the same IP/server (good)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Quite an important one for those who use the Fortigate to protect their internal servers with load balancing and SSL offloading.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/FortiOS-7-whats-new-multi-SSL-certificates-in-profile.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_security_profiles_video_filter_good">Security Profiles → Video Filter (good)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>What was in the past part of the Web Filtering profile has now moved to its own page. I see it used mostly in K-12 and university environments; for regular enterprise admins it was just a distraction on the Web Filtering page.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/FortiOS-7-whats-new-Video-Filter.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_ssl_vpn_client_configuration_is_now_available_for_fortigate_to_connect_as_vpn_ssl_client_to_another_fortigate_good">SSL VPN Client configuration is now available for Fortigate to connect as VPN SSL Client to another Fortigate (good)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This is a completely new feature: we can now (seemingly) set up the local Fortigate to connect to a remote one as an SSL VPN client. The Fortigate as an IPSec VPN client has been around for ages and actually works well. Let’s wait and see how this one behaves in production; brand new features usually take their time to work as expected.</p>
</div>
<div class="videoblock">
<div class="content">
<video src="/assets/FortiOS-7-whats-new-Fortigate-as-VPN-SSL-client.mp4" width="100%" height="auto" controls>
Your browser does not support the video tag.
</video>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_zero_trust_network_capability_good_probably">Zero Trust Network capability (good, probably?)</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This one is so new that I can’t find much information on the Fortinet site. So I can’t say much except that it exists; I will update once I have some experience with it, as every vendor means something different by Zero Trust Access.</p>
</div>
<div class="paragraph">
<p>That’s all for today, I will be posting about new features as I test them, so come back again to read about them.</p>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Fortigate Firewalls Hardware - CPU model and number, Memory (RAM) and hard disk size datasheet table2021-03-14T13:55:25+00:002021-03-14T13:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2021-03-14:/2021/03/14/Fortigate-Firewalls-Hardware-CPU-model-and-number-Memory-size-datasheet-table/<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
The data is gathered via the <strong>get hardware stat</strong> command.
</td>
</tr>
</table>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
If you have access to a Fortigate model not listed here, please consider sending me the output of <code>get hardware stat</code> to <a href="mailto:yuri@yurisk.info">yuri@yurisk.info</a> to be included in the table, for the benefit of all of us.
</td>
</tr>
</table>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
The same model can come in different <em>revisions/generations</em>: e.g. the 100D rev. 1 was fitted with 2048 MB of RAM, while rev. 2 and rev. 3 have 4096 MB, the CPU staying the same.
</td>
</tr>
</table>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
Bookmark this page, as I will be updating it with new Fortigate models as they become available. This table is also available as a PDF: <a href="https://yurisk.info/assets/2021-03-14-fortigate-hardware-cpu-memory-ram-per-model-table.pdf">Fortigate Firewalls Hardware - CPU model and number, Memory (RAM) and hard disk size</a>
</td>
</tr>
</table>
</div>
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 12.5%;">
<col style="width: 12.5%;">
<col style="width: 12.5%;">
<col style="width: 12.5%;">
<col style="width: 12.5%;">
<col style="width: 12.5%;">
<col style="width: 12.5%;">
<col style="width: 12.5%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top"><strong>Fortigate Model</strong></th>
<th class="tableblock halign-left valign-top"><strong>ASIC version</strong></th>
<th class="tableblock halign-left valign-top"><strong>CPU model</strong></th>
<th class="tableblock halign-left valign-top"><strong>Number of CPUs/threads for Intel CPUs</strong></th>
<th class="tableblock halign-left valign-top"><strong>Memory (RAM) size (MB)</strong></th>
<th class="tableblock halign-left valign-top"><strong>Compact Flash size (MB)</strong></th>
<th class="tableblock halign-left valign-top"><strong>Hard disk size (MB)</strong></th>
<th class="tableblock halign-left valign-top"><strong>Datasheet</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-30D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP0</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiSOC2</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">932</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3879</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate-30D.pdf">Fortigate 30D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiWifi-30E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv7</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">2</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1006</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">128</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_FortiWiFi_30E.pdf">Fortigate 30E datasheet</a>
<a href="/assets/FortiGate_FortiWiFi_30E_3G4G.pdf">Fortigate 30E 3G4G datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiWiFi-40C</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP0</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiSOC</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">436</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3838</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-40F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1820</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3662 (EMMC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-fortiwifi-40f-series.pdf">Fortigate 40F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiWiFi-50E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv7</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">2</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">2021</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">128</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_FortiWiFi_50E_Series.pdf">Fortigate 50E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-60D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP0</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiSOC2</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1839</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3879</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_FortiWiFi_60D_3G4G_VZW.pdf">Fortigate 60D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiWiFi-60E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC3</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv7</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1863</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3662 (EMMC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_FortiWiFi_60E_Series.pdf">Fortigate 60E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-60E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC3</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv7</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1866</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3662 (EMMC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_FortiWiFi_60E_Series.pdf">Fortigate 60E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-61E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC3</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv7</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1866</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3662 (EMMC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">122104</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_FortiWiFi_60E_Series.pdf">Fortigate 61E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-60F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1919</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3662 (EMMC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-fortiwifi-60f-series.pdf">Fortigate 60F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-61F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1919</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3662 (EMMC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">122104</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-fortiwifi-60f-series.pdf">Fortigate 61F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-70D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP0</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC2</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1838</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1907</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-70d-series.pdf">Fortigate 70D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-70F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3717</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3742 (EMMC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-70f-series.pdf">Fortigate 70F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-80C</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP6</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Celeron (Covington)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">499</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">493</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate-80C.pdf">Fortigate 80C datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-80D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Atom™ CPU N2600 @ 1.60GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1985</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">980</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15272</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate-80D.pdf">Fortigate 80D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-80E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC3</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv7</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1866</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3662 (EMMC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_80E_Series.pdf">Fortigate 80E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-81E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC3</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv7</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1866</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3662 (EMMC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">122104</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_80E_Series.pdf">Fortigate 81E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-80F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3718</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3662 (EMMC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-fortiwifi-80f-series.pdf">Fortigate 80F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-81F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3718</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3662 (EMMC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">122104</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-fortiwifi-80f-series.pdf">Fortigate 81F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-90D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP0</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC2</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1838</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1907</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">30533</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-90G</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC5</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">7547</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">9982</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-90g-datasheet.pdf">Fortigate 90G datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-91E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Atom™ CPU C2338 @ 1.74GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">2</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">2010</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">7758</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">122104</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_90E_Series.pdf">Fortigate 90E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-91G</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC5</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">7547</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">9982</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">114473</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-91g-datasheet.pdf">Fortigate 91G datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiWiFi-92D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Atom™ CPU D525 @ 1.80GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1971</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15272</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate-FortiWiFi-92D.pdf">Fortigate 92D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-100D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Atom™ CPU D525 @ 1.80GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3955</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">30533</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/Fortigate-100D.pdf">Fortigate 100D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-100E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC3</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv7</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3040</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3662 (EMMC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_100E_Series.pdf">Fortigate 100E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-101E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC3</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv7</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3040</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3662 (EMMC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">457862</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_100E_Series.pdf">Fortigate 101E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-100F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3616</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3663 (EMMC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-100f-series.pdf">Fortigate 100F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-100F 2nd revision (2022)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">7588</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3742 (MLC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-100f-series.pdf">Fortigate 100F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-101F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3616</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3662 (EMMC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">457862</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-100f-series.pdf">Fortigate 100F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-101F 2nd revision (2022)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">7587</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3662 (MLC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">457862</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-100f-series.pdf">Fortigate 100F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-120G</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">SOC5</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">ARMv8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">7486</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">9982 (MLC)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-120g-datasheets.pdf">Fortigate 120G datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-140D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Atom™ CPU D525 @ 1.80GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3955</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1917</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">30533</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/Fortigate-100D.pdf">Fortigate 140D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-200D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Celeron® CPU G540 @ 2.50GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">2</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3947</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">61057</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate-200D.pdf">Fortigate 200D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-200E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Celeron® CPU G1820 @ 2.70GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">2</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3962</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_200E_Series.pdf">Fortigate 200E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-201E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Celeron® CPU G1820 @ 2.70GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">2</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3962</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">457862</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_200E_Series.pdf">Fortigate 201E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-200F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® CPU D-1627 @ 2.90GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">7979</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">28738</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-200f.pdf">Fortigate 200F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-300D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Core™ i3-3220 (Ivy Bridge) @ 3.30GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">7996</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">114473</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate_300d.pdf">Fortigate 300D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-300E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Core™ i5-6500 CPU @ 3.20GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">7980</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_300E.pdf">Fortigate 300E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-301E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Core™ i5-6500 CPU @ 3.20GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">7980</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_300E.pdf">Fortigate 301E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-400D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Core™ i3-3220 @ 3.30GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">unknown</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">7996</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate-400D.pdf">Fortigate 400D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-400E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Core™ i5-8500 @ 3.00GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">unknown</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">7996</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_400E.pdf">Fortigate 400E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-401E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Core™ i5-8500 @ 3.00GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">unknown</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">7996</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">457862</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_400E.pdf">Fortigate 401E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-400F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® E-2336 CPU @ 2.90GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">12</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">16010</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">28738</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-400f-data-sheet.pdf">Fortigate 400F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-401F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® E-2336 CPU @ 2.90GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">12</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">16010</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">28738</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">457862</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-400f-data-sheet.pdf">Fortigate 401F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-500D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® E3-1225 V2 @ 3.20GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">7996</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">114473</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate-500D.pdf">Fortigate 500D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-500E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Core™ i7-6700 CPU @ 3.40GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">16048</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_500E.pdf">Fortigate 500E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-501E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Core™ i7-6700 CPU @ 3.40GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">16048</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">228936</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_500E.pdf">Fortigate 501E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-600D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Core™ i7-3770 CPU @ 3.40GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">7996</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">114473</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate-600D.pdf">Fortigate 600D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-600E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Core™ i7-8700 CPU @ 3.20GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">12</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">16031</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_600E.pdf">Fortigate 600E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-601E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Core™ i7-8700 CPU @ 3.20GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">12</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">16031</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">228936/447000</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_600E.pdf">Fortigate 601E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-600F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® E-2386G CPU @ 3.50GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">12</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15995</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">28738</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-600f-series.pdf">Fortigate 600F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-601F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® E-2386G CPU @ 3.50GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">12</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15995</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">28738</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">228936</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-600f-series.pdf">Fortigate 601F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-800D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Core™ i5-4690S CPU @ 3.20GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">7997</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">228936</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_800D.pdf">Fortigate 800D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-900D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® CPU E3-1225 v3 @ 3.20GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">4</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">16064</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1925</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">244198</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_900D.pdf">Fortigate 900D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-900G</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">AMD Ryzen Embedded 5950E 16-Core Processor</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">32</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">32128</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">28738</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-1000D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® CPU E3-1275 v3 @ 3.50GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15979</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">3840</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">114473/244198</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_1000D.pdf">Fortigate 1000D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Fortigate-1000F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® E-2388G CPU @ 3.20GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">16</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">16009</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">28738</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-1000f-series.pdf">Fortigate 1000F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-1101E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® E-2186G CPU @ 3.80GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">12</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">16048</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">457862/915724</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-1100e-series.pdf">Fortigate 1100E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-1200D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® CPU E5-1620 v2 @ 3.70GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">16064</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">228936</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate-1200D.pdf">Fortigate 1200D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-1500D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® CPU E5-1650 0 @ 3.20GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">12</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">16064</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">30653</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">2x228936</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_1500D.pdf">Fortigate 1500D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-1800F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® W-3223 CPU @ 3.50GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">16</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">24102</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">28738</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-1800f-series.pdf">Fortigate 1800F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-1801F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® W-3223 CPU @ 3.50GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">16</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">24101</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">28738</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">953869</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-1800f-series.pdf">Fortigate 1801F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-2000E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® CPU E5-1650 v4 @ 3.60GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">12</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">32198</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">457862</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_2000E.pdf">Fortigate 2000E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-2200E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® Gold 6126 CPU @ 2.60GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">24</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">48294</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-2200e-series.pdf">Fortigate 2200E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-2201E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® Gold 6126 CPU @ 2.60GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">24</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">48294</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">2x915715</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-2200e-series.pdf">Fortigate 2201E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-2500E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® CPU E5-1650 v3 @ 3.50GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">12</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">32199</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">457862</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_2500E.pdf">Fortigate 2500E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-2600F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® Gold 6208U CPU @ 2.90GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">32</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">48292</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">28738</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-2600f-series.pdf">Fortigate 2600F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-2601F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® Gold 6208U CPU @ 2.90GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">32</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">48292</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">28738</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">953869</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-2600f-series.pdf">Fortigate 2601F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-3000D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® CPU E5-2650 v3 @ 2.30GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">40</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">64469</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">457862</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_3000D.pdf">Fortigate 3000D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-3100D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® E5-2660 v3 @ 2.60GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">unknown</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">64469</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">457862</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_3100D.pdf">Fortigate 3100D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-3200D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® CPU E5-2670 v3 @ 2.30GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">48</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">64468</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">457862</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_3200D.pdf">Fortigate 3200D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-3300E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® Gold 5118 CPU @ 2.30GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">unknown</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">96674</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-3300e-series.pdf">Fortigate 3300E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-3400E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® Gold 6130 CPU @ 2.10GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">64</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">96674</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_3400E.pdf">Fortigate 3400E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-3401E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® Gold 6130 CPU @ 2.10GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">64</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">96674</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">2x915724</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_3400E.pdf">Fortigate 3401E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-3600E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® Gold 6152 CPU @ 2.10GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">unknown</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">96674</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_3600E.pdf">Fortigate 3600E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-3601E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® Gold 6152 CPU @ 2.10GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">unknown</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">96674</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">2x915724</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_3600E.pdf">Fortigate 3601E datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-3700D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® E5-2680 V2 CPU @ 2.80GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">unknown</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">64469</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">2x457862</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_3700D.pdf">Fortigate 3700D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-3700F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® Gold 6348 CPU @ 2.60GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">112</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">258345</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">28738</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/fortigate-3700f-datasheet">Fortigate 3700F datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-3800D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® E5-2680 V2 CPU @ 2.80GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">unknown</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">64469</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">2x457862</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="/assets/FortiGate_3800D_Series.pdf">Fortigate 3800D datasheet</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-3810D</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP8</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® E5-2680 V2 CPU @ 2.80GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">unknown</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">64469</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">2x457862</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-3960E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® E5-2650 V4 CPU @ 2.20GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">unknown</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">256000</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-3980E</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® E5-2650 V4 CPU @ 2.20GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">unknown</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">256000</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">15331</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">n/a</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">FortiGate-4401F</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CP9</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Intel® Xeon® Gold 6248 CPU @ 2.50GHz</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">160</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">387712</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">28738</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">1907729</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
This website is not affiliated with, nor endorsed by, Fortinet™. All trademarks belong to their respective owners.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p><em>Make sure to visit and watch <a href="https://github.com/yuriskinfo/cheat-sheets" class="bare">https://github.com/yuriskinfo/cheat-sheets</a> for a collection of cheat sheets and examples of troubleshooting and configuring Linux, Fortinet, Checkpoint, Cisco, HP/Aruba and more.</em></p>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
</div>Fortigate VM Evaluation License 15 Days Limitations Explained2021-02-28T08:44:49+00:002021-02-28T08:44:49+00:00Yuri Slobodyanyuktag:yurisk.info,2021-02-28:/2021/02/28/fortigate-vm-evaluation-license-15-days-limitations/<p><strong>Update August 2022</strong>: All that is said below is still true, but starting with <strong>FortiOS 7.2.1</strong> the process of issuing the evaluation license has changed. So, after reading this article, make sure to read this one as well: <a href="https://yurisk.info/2022/08/08/Fortigate-free-VM-Evaluation-License-is-now-permanent-not-15-days/">Fortigate free VM Evaluation License is now permanent, not limited to 15 days, here is how to get it.</a></p>
<p>Each Fortigate Virtual Machine (VM) image (until FortiOS 7.2.1) comes with a built-in 15-day evaluation license which starts the moment you spin this image up in your virtual environment - VMWare ESXi/Workstation, KVM, GNS3, EVE-NG. Unfortunately, it comes with some limitations you should be aware of, so as not to waste your time trying to debug them. Here is the list of them.</p>
<p><strong>Note:</strong> There is another evaluation license - for <strong>60 days</strong> - that you can only get from a Fortinet Account Manager. This license, unlike the 15-day one, has almost NO limitations, and you get a fully functional virtual Fortigate.</p>
<p><strong>Where To Download:</strong> You can (legally) download ANY version of the Fortigate VM image from https://support.fortinet.com if you are a Fortinet client, i.e. have a valid support contract. BUT you can always download (only) the LATEST version of the VM image by just registering with an email in FortiCloud; no need to be a paying client of Fortinet. </p>
<p><strong>Limitations and their consequences</strong>:</p>
<ul>
<li><strong>1 CPU maximum</strong>: for labs/demos and such, not much of a concern, as you are not likely to hit this limitation. </li>
<li><strong>Memory 1024 Mb max</strong>: also, if you are not trying to use a virtual Fortigate for production-level traffic, you are unlikely to hit this memory threshold. Both CPU and memory usage in Fortigate depend on the volume of traffic passing through the Fortigate. If you pass some 1-10 Mbit/sec in a lab, both will be mostly idle. </li>
<li><strong>VDOMs: Only split-VDOM mode is supported</strong>, i.e. you can create 1 admin-only VDOM and 1 traffic-only VDOM. This is a quite limited mode and does not approximate the fully featured multi-VDOM mode. And you <strong>cannot create fully featured VDOMs</strong> on this license; just the single default <strong>root</strong> VDOM is available. </li>
<li><strong>5 Security Rules Maximum</strong>: At any given moment, you can have up to 5 security rules present. This is inconvenient, as it forces us to delete some rules to add new ones. </li>
<li><strong>Crypto - IPSec/SSL/TLS: Low only</strong>, meaning only <strong>DES</strong> is enabled as the algorithm. In my view this is the most limiting disabled feature. It means we can create IPsec with the DES algo only, which is actually OK for labbing: IPSec VPN tunnels, including Forticlient dial-up, will come up just fine and we can later run OSPF/BGP over them. But <strong>SSL VPN</strong>, <strong>AppControl</strong>, and <strong>Web Filtering</strong> for HTTPS traffic will not work at all, unless you use some Windows 2000-era browser with such low encryption, and even then it will not work for other reasons. Also, any HTTPS traffic inspection, even certificate-only, is not going to work. </li>
<li><strong>HTTPS GUI access for admin: disabled</strong>. See above for why, but the result is that you can only access the Fortigate via HTTP, not HTTPS, as admin (not a big deal for labs). The SSH admin access is fully functional. </li>
<li><strong>FortiOS version upgrade: not possible</strong>: this one is expected, and not that important. </li>
<li><strong>Importing configuration: not possible</strong>: Looks like a limitation, but actually is not: no one stops you from copying and pasting any configuration into the CLI. </li>
<li><strong>Any Fortiguard-related services: unavailable</strong>: Any subscription-based services like signature updates, Web Filter category filtering, and DNS filtering will NOT work, as this license does not allow any Fortiguard connection. </li>
<li><strong>VIP load balancing to multiple servers: will not work</strong>. Virtual IP mapping for a single internal server (the usual static VIP or port forwarding) will work. </li>
<li><strong>Clustering (HA): will not work in any form</strong>. It does not throw any error on configuring, but the cluster will fail to form. This comes from a must-have condition for forming a cluster in Fortigate: both Fortigates have to be of the same version and match on other parameters AND have to have different serial numbers. And all VM Fortigate firewalls of the same FortiOS version with the 15-day license will have the same serial number, no matter how many instances of it you spin up. </li>
<li><strong>Connect to the Fortimanager/FortiAnalyzer: problematic</strong>. Again, because of the <em>low encryption</em>, the Fortigate will not be able to use a secured connection to FortiManager/FortiAnalyzer. In the older versions we could disable encryption completely; now we can only set it to low, and it still works, but I am not sure about future versions. Try this to lower the encryption level on the Fortimanager:</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="nv">config</span><span class="w"> </span><span class="nv">system</span><span class="w"> </span><span class="nv">global</span><span class="w"></span>
<span class="nv">set</span><span class="w"> </span><span class="nv">enc</span><span class="o">-</span><span class="nv">algorithm</span><span class="w"> </span><span class="nv">low</span><span class="w"></span>
<span class="nv">set</span><span class="w"> </span><span class="nv">fgfm</span><span class="o">-</span><span class="nv">ssl</span><span class="o">-</span><span class="nv">protocol</span><span class="w"> </span><span class="nv">tlsv1</span>.<span class="mi">0</span><span class="w"></span>
<span class="k">end</span><span class="w"></span>
</code></pre></div>
<p>To see what kind of license you have, run <strong>get sys stat</strong> and/or <strong>diag debug vm-print-license</strong>. </p>
<p>When this evaluation license expires, there is no need to create a new Fortigate VM; it is enough to factory-reset this virtual Fortigate with <strong>exe factoryreset</strong> or (if you want to keep the IP addressing) <strong>exe factoryreset2</strong>. This will erase all configuration and reset the evaluation license to 15 days again.</p>
<div class="highlight"><pre><span></span><code>FGT-6-4-4 # diag debug vm-print-license
SerialNumber: FGVMEVALPP4Z8K78
CreateDate: Tue Feb 9 04:29:06 2021
Evaluation license expires: Wed Feb 24 04:29:06 2021
Model: EVAL (1)
CPU: 1
MEM: 2048
</code></pre></div>
<p>I recorded a video walkthrough of downloading VM trial image from the Fortinet website as well: <a href="https://yurisk.info/2022/04/13/where-to-download-fortigate-free-trial-vm/">yurisk.info/2022/04/13/where-to-download-fortigate-free-trial-vm</a></p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Failed to connect to Fortiguard servers verification and debug2021-02-21T08:44:49+00:002021-02-21T08:44:49+00:00Yuri Slobodyanyuktag:yurisk.info,2021-02-21:/2021/02/21/failed-to-connect-to-fortiguard-servers-updated/<p>FortiGuard is a subscription-based service from Fortinet: your Fortigate queries Fortinet's servers in real time for several services: </p>
<ul>
<li>Periodic checking of the Fortigate subscription/license validity for Web Filtering/AppControl/AntiVirus/AntiSpam/DNS Filtering. </li>
<li>Real-time rating queries for the web sites users visit. </li>
<li>Periodic signature updates for IPS/AppControl/AntiVirus.</li>
</ul>
<p>The most critical of them is the Web Filter rating query: if your Fortigate cannot get an answer about which category a web site belongs to, access to this web site is blocked by default. It means that if for any reason the Fortigate cannot reach the FortiGuard servers and it has security rules with Web Filtering by category configured, those rules will BLOCK users' access to ANY website, not just malicious ones. </p>
<p>First, as an emergency but not advisable measure, you can enable <em>Allow websites when a rating error occurs</em> in <strong>Security Profiles -&gt; Web Filter -&gt; &lt;profile used in the security rules&gt;</strong>. This will ALLOW access to any website if the Fortigate cannot get a rating from FortiGuard. You can also remove the Web Filter profile from the security rules, but that is even worse security-wise. </p>
<p>So how do you debug such a situation?</p>
<p><strong>First, check the status of the license/subscription and of the FortiGuard connection</strong> in <strong>System -&gt; FortiGuard</strong>: the Web Filtering status should be green. This reflects the subscription/license status, but does not always reflect the actual connection to FortiGuard. If you see it red, it is most probably a license/subscription issue to be checked with Fortinet TAC, as subscription checks are done once in a while and cached. To check actual connectivity to the FortiGuard servers, on the same page under the <em>Filtering</em> subsection there is a <strong>Test Connectivity</strong> button to push. It should return the status as Up/green. Also pay attention to the <em>FortiGuard Filter Rating Servers</em> widget in the bottom right corner of the same page: it shows real-time stats and the IP addresses of the servers the Fortigate is trying to reach. If the timings are unusually high and shown in red, there may be a network connectivity problem, which we will look at next.</p>
<p>The first step in checking connectivity to the FortiGuard servers is successful DNS resolution by the Fortigate of the following hostnames:</p>
<ul>
<li><strong>service.fortiguard.net</strong> </li>
<li><strong>update.fortiguard.net</strong> </li>
<li><strong>guard.fortinet.net</strong></li>
</ul>
<p>An even better check is to ping (<strong>exe ping</strong>) all the hostnames above to see if the Fortigate can resolve AND reach them, the most important being <strong>service.fortiguard.net</strong>. </p>
<p>If the resolution is OK, the next step is:</p>
<p><strong>diagnose debug rating</strong></p>
<p>This shows the list of FortiGuard servers this Fortigate is trying to reach for Web Filtering rating, and their status.</p>
<p>The output will look like this:</p>
<div class="highlight"><pre><span></span><code><span class="n">Locale</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">english</span><span class="w"></span>
<span class="n">Service</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">Web</span><span class="o">-</span><span class="n">filter</span><span class="w"></span>
<span class="n">Status</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">Enable</span><span class="w"></span>
<span class="n">License</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">Contract</span><span class="w"></span>
<span class="n">Service</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">Antispam</span><span class="w"></span>
<span class="n">Status</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">Disable</span><span class="w"></span>
<span class="n">Service</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">Virus</span><span class="w"> </span><span class="n">Outbreak</span><span class="w"> </span><span class="n">Prevention</span><span class="w"></span>
<span class="n">Status</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">Disable</span><span class="w"></span>
<span class="n">Num</span><span class="o">.</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">servers</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="mi">6</span><span class="w"></span>
<span class="n">Protocol</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">https</span><span class="w"></span>
<span class="n">Port</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="mi">443</span><span class="w"></span>
<span class="n">Anycast</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">Disable</span><span class="w"></span>
<span class="n">Default</span><span class="w"> </span><span class="n">servers</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">Included</span><span class="w"></span>
<span class="o">-=-</span><span class="w"> </span><span class="n">Server</span><span class="w"> </span><span class="n">List</span><span class="w"> </span><span class="o">(</span><span class="n">Sun</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mi">21</span><span class="w"> </span><span class="mi">09</span><span class="o">:</span><span class="mi">20</span><span class="o">:</span><span class="mi">14</span><span class="w"> </span><span class="mi">2021</span><span class="o">)</span><span class="w"> </span><span class="o">-=-</span><span class="w"></span>
<span class="n">IP</span><span class="w"> </span><span class="n">Weight</span><span class="w"> </span><span class="n">RTT</span><span class="w"> </span><span class="n">Flags</span><span class="w"> </span><span class="n">TZ</span><span class="w"> </span><span class="n">Packets</span><span class="w"> </span><span class="n">Curr</span><span class="w"> </span><span class="n">Lost</span><span class="w"> </span><span class="n">Total</span><span class="w"> </span><span class="n">Lost</span><span class="w"> </span><span class="n">Updated</span><span class="w"> </span><span class="n">Time</span><span class="w"></span>
<span class="mf">149.5</span><span class="o">.</span><span class="mf">232.18</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="mi">1060088</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">815</span><span class="w"> </span><span class="n">Sun</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mi">21</span><span class="w"> </span><span class="mi">09</span><span class="o">:</span><span class="mi">19</span><span class="o">:</span><span class="mi">19</span><span class="w"> </span><span class="mi">2021</span><span class="w"></span>
<span class="mf">12.34</span><span class="o">.</span><span class="mf">97.18</span><span class="w"> </span><span class="mi">70</span><span class="w"> </span><span class="mi">566</span><span class="w"> </span><span class="o">-</span><span class="mi">5</span><span class="w"> </span><span class="mi">34828</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">6</span><span class="w"> </span><span class="n">Sun</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mi">21</span><span class="w"> </span><span class="mi">09</span><span class="o">:</span><span class="mi">19</span><span class="o">:</span><span class="mi">19</span><span class="w"> </span><span class="mi">2021</span><span class="w"></span>
<span class="mf">65.210</span><span class="o">.</span><span class="mf">95.234</span><span class="w"> </span><span class="mi">70</span><span class="w"> </span><span class="mi">572</span><span class="w"> </span><span class="o">-</span><span class="mi">5</span><span class="w"> </span><span class="mi">34165</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">418</span><span class="w"> </span><span class="n">Sun</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mi">21</span><span class="w"> </span><span class="mi">09</span><span class="o">:</span><span class="mi">19</span><span class="o">:</span><span class="mi">19</span><span class="w"> </span><span class="mi">2021</span><span class="w"></span>
<span class="mf">210.7</span><span class="o">.</span><span class="mf">96.18</span><span class="w"> </span><span class="mi">70</span><span class="w"> </span><span class="mi">1439</span><span class="w"> </span><span class="mi">9</span><span class="w"> </span><span class="mi">30847</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">Sun</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mi">21</span><span class="w"> </span><span class="mi">09</span><span class="o">:</span><span class="mi">19</span><span class="o">:</span><span class="mi">20</span><span class="w"> </span><span class="mi">2021</span><span class="w"></span>
<span class="mf">96.45</span><span class="o">.</span><span class="mf">33.68</span><span class="w"> </span><span class="mi">100</span><span class="w"> </span><span class="mi">801</span><span class="w"> </span><span class="o">-</span><span class="mi">8</span><span class="w"> </span><span class="mi">33731</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">8</span><span class="w"> </span><span class="n">Sun</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mi">21</span><span class="w"> </span><span class="mi">09</span><span class="o">:</span><span class="mi">19</span><span class="o">:</span><span class="mi">19</span><span class="w"> </span><span class="mi">2021</span><span class="w"></span>
<span class="mf">173.243</span><span class="o">.</span><span class="mf">138.210</span><span class="w"> </span><span class="mi">100</span><span class="w"> </span><span class="mi">821</span><span class="w"> </span><span class="n">DI</span><span class="w"> </span><span class="o">-</span><span class="mi">8</span><span class="w"> </span><span class="mi">33874</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">22</span><span class="w"> </span><span class="n">Sun</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mi">21</span><span class="w"> </span><span class="mi">09</span><span class="o">:</span><span class="mi">19</span><span class="o">:</span><span class="mi">19</span><span class="w"> </span><span class="mi">2021</span><span class="w"></span>
</code></pre></div>
<p>Here:<br>
<em>Status</em> - shows whether Web Filtering as a service is enabled.<br>
<em>Protocol</em> - the protocol this Fortigate uses to reach the FortiGuard servers (more on this below).<br>
<em>Anycast</em> - whether this Fortigate is trying to reach the anycast servers of FortiGuard (more on this below).<br>
<em>Server List</em> - the actual list of FortiGuard servers this Fortigate was/is trying to reach. The most important part here is the status (Flags) legend:<br>
- <strong>F</strong>: failed, bad - the Fortigate tried a few times to reach this server to no avail. Note that it is bad only if ALL servers in the list have this status; it is OK if only a few of the servers are unreachable.<br>
- <strong>D</strong>: this server was successfully resolved from FQDN to its IP address, but this does not indicate its reachability yet.<br>
- <strong>I</strong>: a server to which the Fortigate tries to initiate a connection; most frequently goes together with <em>D</em>, and does not yet indicate whether the server is working or not.<br>
- <strong>T</strong>: the server was found, it answered, and is now being "timed", i.e. its answer time/RTT is being measured.<br>
- <strong>TZ</strong>: time zone; while not a status indicator, the Fortigate tries and prefers servers with the least time zone difference in the hope of geographic proximity. Therefore it is quite important to set the time zone of your Fortigate correctly. </p>
<p>The Fortigate communicates with just one server at a time for its functions: the one on top of the list. The rest of the servers are constantly monitored and their RTT and packet loss measured. If the top server fails, it is replaced with the next best one, and so on. There is no way to influence this server list manually. </p>
<p>So if <strong>all servers in the list have F(ailed), what do we do next?</strong> This may mean either that all FortiGuard servers on the Fortinet side are down (less likely), or that this Fortigate has a problem reaching them at the network level. </p>
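<p>When you collect <code>diagnose debug rating</code> from many Fortigates, or want to alert on the "all servers F" state rather than eyeball it, it helps to parse the output. Here is an added Python example (not the blog's or Fortinet's code) that parses the header and the server list above into structured data and summarises it into the checks discussed here: whether Web Filtering is enabled, which server is currently active, whether every server is flagged <strong>F</strong>, whether anycast is on, and which servers have an unusually high RTT. The first sample is the output shown in this post; the second one is constructed to show the all-failed case, and the 1000 ms RTT threshold is my assumption (the post gives no number).</p>

```python
import re

# Added example, not the blog's or Fortinet's code. SAMPLE is the output
# shown in the post; ALL_FAILED_SAMPLE is constructed to show the F case.
SAMPLE = """Locale : english
Service : Web-filter
Status : Enable
License : Contract
Service : Antispam
Status : Disable
Service : Virus Outbreak Prevention
Status : Disable
Num. of servers : 6
Protocol : https
Port : 443
Anycast : Disable
Default servers : Included
-=- Server List (Sun Feb 21 09:20:14 2021) -=-
IP Weight RTT Flags TZ Packets Curr Lost Total Lost Updated Time
149.5.232.18 10 84 1 1060088 0 815 Sun Feb 21 09:19:19 2021
12.34.97.18 70 566 -5 34828 0 6 Sun Feb 21 09:19:19 2021
65.210.95.234 70 572 -5 34165 0 418 Sun Feb 21 09:19:19 2021
210.7.96.18 70 1439 9 30847 0 1 Sun Feb 21 09:19:20 2021
96.45.33.68 100 801 -8 33731 0 8 Sun Feb 21 09:19:19 2021
173.243.138.210 100 821 DI -8 33874 0 22 Sun Feb 21 09:19:19 2021
"""

ALL_FAILED_SAMPLE = """Service : Web-filter
Status : Enable
Protocol : udp
Port : 53
Anycast : Enable
-=- Server List (Mon Mar 1 10:00:00 2021) -=-
IP Weight RTT Flags TZ Packets Curr Lost Total Lost Updated Time
192.0.2.10 10 0 F 2 120 120 120 Mon Mar 1 09:59:00 2021
192.0.2.11 70 0 F -5 118 118 118 Mon Mar 1 09:59:00 2021
"""

# One server row: IP Weight RTT [Flags] TZ Packets CurrLost TotalLost UpdatedTime.
# Flags is blank for most rows in the post's output, hence the optional group.
SERVER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s+"
                       r"(?:([A-Z]+)\s+)?(-?\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")
FIELDS = ("ip", "weight", "rtt_ms", "flags", "tz", "packets", "curr_lost", "total_lost", "updated")


def parse_rating_output(text):
    """Return (info, servers): header values plus a per-service status map, and the server rows."""
    info, servers, service, in_list = {"services": {}}, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-=- Server List"):
            in_list = True
        elif in_list:
            m = SERVER_RE.match(line)
            if m:
                row = dict(zip(FIELDS, m.groups()))
                row["flags"] = row["flags"] or ""
                for k in ("weight", "rtt_ms", "tz", "packets", "curr_lost", "total_lost"):
                    row[k] = int(row[k])
                servers.append(row)
        elif ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            if key == "Service":
                service = val
            elif key == "Status" and service:
                info["services"][service] = val
            else:
                info[key] = val
    return info, servers


def assess(text, max_rtt_ms=1000):
    """Summarise the output into the checks the post walks through.
    max_rtt_ms is an assumed threshold for "unusually high" RTT (the post gives no number)."""
    info, servers = parse_rating_output(text)
    failed = [s["ip"] for s in servers if "F" in s["flags"]]
    result = {
        "web_filter_enabled": info["services"].get("Web-filter") == "Enable",
        "protocol": info.get("Protocol"),
        "port": info.get("Port"),
        "anycast": info.get("Anycast") == "Enable",
        "server_count": len(servers),
        "active_server": servers[0]["ip"] if servers else None,  # top of the list is the one in use
        "all_failed": bool(servers) and len(failed) == len(servers),
        "slow_servers": [s["ip"] for s in servers if s["rtt_ms"] > max_rtt_ms],
        "advice": [],
    }
    if not servers:
        result["advice"].append("empty server list: check DNS resolution of service.fortiguard.net and the license")
    elif result["all_failed"]:
        result["advice"].append("all servers F: try ports 53/8888/443, check the management VDOM "
                                "reaches the Internet, disable anycast")
    if result["anycast"]:
        result["advice"].append("anycast enabled: consider 'set fortiguard-anycast disable'")
    if result["slow_servers"]:
        result["advice"].append("high RTT to " + ", ".join(result["slow_servers"]))
    return result


if __name__ == "__main__":
    for name, text in (("post sample", SAMPLE), ("constructed all-failed", ALL_FAILED_SAMPLE)):
        print(name, "->", assess(text))
```

<p>Run it as-is to see both cases, or feed it the text captured from your own Fortigate (for example via an SSH session). Only <code>all_failed</code> is a hard failure signal; a single F or a high RTT on one server is normal, as the legend above explains.</p>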
<p>The Fortigate can use several ports to talk to the FortiGuard servers (or FortiGuard Distribution Network, as Fortinet calls it): 53, 8888 and 443, the default being 8888. Port 53 is the well-known DNS port, only the Fortigate uses a proprietary obfuscated/encrypted protocol over UDP/53 to query the servers, and for this reason some IPS/anti-DDoS/etc. protections on the path from the Fortigate to FortiGuard may mark such traffic as malicious and drop it. You can check whether this is the case by going to <strong>System -&gt; FortiGuard -&gt; Filtering</strong> and changing (if so set) from port 53 to port 8888. On newer FortiOS versions (6.4 and up) this moved to the CLI only: <code>config sys fortiguard</code>, then <code>set port 53|8888|443</code>. So, as a first debug measure, it is recommended to try all possible ports and see if the connection status to the FortiGuard servers changes. A note about the <strong>protocol</strong> I mentioned before: in 6.4 and newer they added an option to force the communication to the FortiGuard servers to be valid HTTPS traffic, which is the most likely to pass through the Internet successfully. For this you have to enable it (in addition to setting the port to 443) via CLI: <code>config sys fortiguard</code>, then <code>set protocol https</code>, <code>end</code>. </p>
<p><strong>Important note if you have VDOMs enabled</strong>: all communication to the FortiGuard network is initiated from the <strong>management/root</strong> VDOM only! A frequent human error I've seen: someone by mistake changes the management VDOM to one that has no or limited access to the Internet, and as a consequence it cannot reach the FortiGuard network. Very common indeed. To verify which VDOM is the management VDOM: </p>
<div class="highlight"><pre><span></span><code><span class="nv">config</span><span class="w"> </span><span class="nv">sys</span><span class="w"> </span><span class="nv">global</span><span class="w"></span>
#<span class="w"> </span><span class="k">show</span><span class="w"> </span><span class="nv">full</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nv">grep</span><span class="w"> </span><span class="nv">vdom</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">management</span><span class="o">-</span><span class="nv">vdom</span><span class="w"> </span><span class="s2">"root"</span><span class="w"> </span><span class="o"><--</span><span class="w"> </span><span class="nv">THIS</span><span class="w"> </span><span class="nv">IS</span><span class="w"> </span><span class="nv">THE</span><span class="w"> </span><span class="nv">VDOM</span><span class="w"> </span><span class="nv">THAT</span><span class="w"> </span><span class="nv">WILL</span><span class="w"> </span><span class="nv">COMMUNICATE</span><span class="w"> </span><span class="nv">WITH</span><span class="w"> </span><span class="nv">FORTIGUARD</span><span class="w"></span>
</code></pre></div>
<p><strong>Anycast servers</strong> - starting with FortiOS 6.4 the default setting to reach FortiGuard is anycast. The intention was good - to improve reachability of FortiGuard servers, but unfortunately the implementation did not live up to the expectations. More often than not it actually creates a problem in reaching the Fortinet servers. It may improve in the future, but for now my advice is to <strong>disable anycast</strong> and switch back to unicast servers. You do so in CLI:</p>
<div class="highlight"><pre><span></span><code><span class="nv">config</span><span class="w"> </span><span class="nv">system</span><span class="w"> </span><span class="nv">fortiguard</span><span class="w"></span>
<span class="nv">set</span><span class="w"> </span><span class="nv">fortiguard</span><span class="o">-</span><span class="nv">anycast</span><span class="w"> </span><span class="nv">disable</span><span class="w"></span>
<span class="nv">set</span><span class="w"> </span><span class="nv">protocol</span><span class="w"> </span><span class="nv">udp</span><span class="w"></span>
<span class="nv">set</span><span class="w"> </span><span class="nv">port</span><span class="w"> </span><span class="mi">8888</span><span class="w"></span>
<span class="nv">set</span><span class="w"> </span><span class="nv">sdns</span><span class="o">-</span><span class="nv">server</span><span class="o">-</span><span class="nv">ip</span><span class="w"> </span><span class="mi">208</span>.<span class="mi">91</span>.<span class="mi">112</span>.<span class="mi">220</span><span class="w"> </span><span class="o"><--</span><span class="w"> </span><span class="nv">IMPORTANT</span><span class="w"> </span><span class="nv">TO</span><span class="w"> </span><span class="nv">ADD</span><span class="w"> </span><span class="nv">THIS</span><span class="w"> </span><span class="nv">OR</span><span class="w"> </span><span class="nv">ANY</span><span class="w"> </span><span class="nv">OTHER</span><span class="w"> </span><span class="nv">FDN</span><span class="w"> </span><span class="nv">SERVER</span><span class="w"> </span><span class="nv">TO</span><span class="w"> </span><span class="nv">PREVENT</span><span class="w"> </span><span class="nv">DOWNTIME</span><span class="o">!</span><span class="w"></span>
<span class="k">end</span><span class="w"></span>
</code></pre></div>
<p>The configuration above makes the Fortigate disable anycast, reach the specified server (here <code>208.91.112.220</code>), download from it the full list of available unicast servers, and use them.</p>
<p>Summary of steps to fix a failed FortiGuard connection:</p>
<ul>
<li>Check that the FortiGuard license on the Fortigate is green. </li>
<li>Make sure the Fortigate can DNS-resolve update.fortinet.net and service.fortinet.net. </li>
<li>Make sure the Fortigate can ping service.fortinet.net. </li>
<li>Try changing the port for communication with FortiGuard between 53, 8888 and 443.</li>
<li>Make sure (if VDOMs are enabled) that the management VDOM has access to the Internet. </li>
<li>Disable anycast and enable unicast for the FortiGuard services.</li>
</ul>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>50,000 VPN usernames and their passwords from Fortigates around the world were leaked last week – what you can do to prevent it from happening to you2020-12-12T11:59:25+00:002020-12-12T11:59:25+00:00Yuri Slobodyanyuktag:yurisk.info,2020-12-12:/2020/12/12/VPN-Fortigate-accounts-50000-leaked-by-hackers-on-the-internet/<p>Around 50,000 Fortigate VPN accounts from around the globe were leaked to the public Internet last week. This is not really news anymore, and you can learn the details elsewhere. What I asked myself was: is there anything to be done to prevent or lower the damage of such vulnerabilities? Remotely exploitable vulnerabilities are, after all, remote: if you have to provide remote services on your Fortigate (VPN, port forwarding, etc.), and no one can predict what the next vulnerability is going to be, how can we possibly prepare? The short answer is we can't; the long answer is that it depends.</p>
<p>Below are some ideas of mine to lower the risk/damage of, or even prevent, remote exploitation by built-in Fortigate means. Would these measures have prevented such leaks? I am not sure, but I believe for many of these 50,000 they would have.</p>
<p>“Security through obscurity” was the label for such measures in the early 2000s, but not anymore, not at all. Let’s have a look at a possible path to such public leaks/dumps. It starts with a script kid Joe hearing about some vulnerability in a Fortinet-something firewall, or “whatever they called the device on Twitter”. He goes to shodan.io, puts “Fortinet” in the search box and voila: 79,171 devices found! Zero effort. Conveniently for Joe, Nessus has already published the plugin https://www.tenable.com/plugins/nessus/128552 for that (he wouldn’t even know that all he needed was curl/wget in a loop); again, zero effort for Joe. He runs the automatic scan and gets a list of vulnerable Fortigates with no idea what to do with them. So, naturally, he brags about “pwn1ng” lots of Pentagon firewalls on social networks. This list of devices gradually spreads, until someone bored enough to run a wget downloading VPN user caches from those Fortigates finds it amusing to post the dump online. Again, zero effort on the attacker’s part. The Fortigates haven’t been compromised yet, but now each and every vulnerable Fortigate, which could have gone unnoticed for years, is being probed/watched by tens, then hundreds, then thousands of Joes/Janes on the Internet, until someone sees a benefit and connects with the stolen VPN credentials for real and pivots into the LAN.</p>
<p><img alt="Fortigates found on Shodan" src="/assets/Fortinet-leaks-LD-article1.png"></p>
<p>All this “chain of contagion” could have been prevented had the Fortigate admin implemented the “mask protection”: first of all updates to FortiOS, of course, but even the measures below would do the trick. </p>
<p><strong>Change the default listening ports of the Fortigate services.</strong></p>
<p>The Internet is being scanned all the time by multiple parties. The aforementioned search on Shodan.io, if you noticed, shows the most popular services as well, and most of them are the default ports of default Fortigate services. The same goes for other scanners: a wide scan of all 65K ports is very, very expensive. Only large organizations can afford it, but then we categorize them as an APT threat, beyond the scope of this article. The majority, though, scan only well-known ports in general, and to a lesser degree well-known ports for a given vendor. By changing the listening ports of such services, you stop the “chain reaction” I depicted above, because even while vulnerable, your Fortigate will not be discovered by such scans. Here is how to change some of the services:</p>
<p>Here I change admin HTTPS port to 12771 and SSH port to 5533:</p>
<div class="highlight"><pre><span></span><code>config system global
set admin-sport 12771
set admin-telnet disable
set admin-ssh-port 5533
</code></pre></div>
<p>Here I change VPN SSL listening port from the default 10443 to 13771:</p>
<div class="highlight"><pre><span></span><code>config vpn ssl settings
set port 13771
</code></pre></div>
<p><strong>Any sensitive information stored on the perimeter is bad. Authorize/authenticate users remotely.</strong></p>
<p>We cannot reliably predict which remotely exploitable vulnerability will affect which service next time. We can, nevertheless, say with certainty that the first (and probably the only) device affected by such a vulnerability will be the Fortigate itself and everything stored in its configuration. This includes any “secret” information like local users’ passwords, SNMP strings, pre-shared keys, the Active Directory query user, etc. The only remedy here is to move as much of such secret data away from the Fortigate as possible.</p>
<p>Local users (admin/VPN) options:<br>
- Local users but LDAP authentication against Active Directory.<br>
- (Ideal) No local users: everything is stored on Active Directory server.<br>
- Local/remote user but with Two Factor Authentication enabled (free for 2 FortiTokens Mobile, unlimited free for email, and almost free for SMS authentication when purchased in bulk from your SMS Gateway provider, not to say Duo and others are there as well).<br>
- Local user but with the user certificate authentication (free of charge). </p>
<p><strong>Use Geo Location to limit remote access.</strong></p>
<p>In most cases your remote workers work from the same country. So, if you are an Israeli company with all your remote VPN connections coming from Israel, why allow the whole world to connect to the VPN portal? Use Geo addresses to limit access to the VPN portal, or to restrict any other service. It can be circumvented by using an in-country proxy/VPN-for-hire server, but we are talking about opportunistic attackers, not determined ones.</p>
<p><img alt="Create GEO address" src="/assets/vpn-leaked-accounts1.png"> </p>
<p><img alt="Using GEO address in VPN SSL Fortigate" src="/assets/vpn-leaked-accounts2.png"></p>
<p><strong>Consider allowing access to SSL VPN only from static IPs.</strong></p>
<p>If you, the IT admin, cannot say for sure which device you are logging in to, how can your less technical users tell? They can’t. Unless you tell them to enter the SSL VPN portal only via its FQDN (and please, refrain from vpn.example.com, vpnssl.example.com or remote.example.com) and present their browser/FortiClient with a valid SSL certificate bought from a trusted provider for some $20/year. I use valid SSL certificates even to connect to my labs, and paid some $8 for one. People have even made the Fortigate work with a free Let’s Encrypt certificate; just Google it.</p>
<p>Also, nothing screams “I am Fortigate” to the network scan as the default SSL certificate issued by “Fortinet, CA, USA”. </p>
<p><strong>Dormant remote access accounts are your “sleeper agents”, find and shut them.</strong></p>
<p>An attacker needs no vulnerability if she has access to a VPN with local users and enough time to guess the username and its password. I’ve seen enough local VPN accounts not used for YEARS, but still active. Brute forcing takes time, but a dedicated attacker will keep guessing passwords for days/months and in the end she will succeed. With FortiAnalyzer you can have a report on VPN users’ behaviour sent to you automatically and filter out those not in use. But even plain System Events/User Events logs are good enough to weed out dormant VPN users.</p>
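<p>Weeding out dormant accounts from plain event logs is a short script once the logs are exported. The following is an added Python example, not the blog’s code: it takes a list of locally configured VPN users and a set of log lines, keeps only successful tunnel establishments, and reports every configured user with no successful login in the last N days, including users that never logged in at all. The log lines are constructed in the key=value style of FortiOS event logs; the field names (<code>subtype</code>, <code>action</code>, <code>user</code>, <code>tunnel-up</code>) and the 90-day idle window are assumptions to adjust against your own export.</p>

```python
import re
from datetime import datetime, timedelta

# Added example, not the blog's code. The log lines are constructed in the
# key=value style of FortiOS event logs; field names are assumptions, so
# adjust them to what your own "System Events / VPN Events" export shows.
SAMPLE_LOG = [
    'date=2020-12-10 time=08:12:44 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="alice" remip=198.51.100.7',
    'date=2020-12-10 time=17:40:02 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-web" user="alice" remip=198.51.100.7',
    'date=2020-08-30 time=09:03:10 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="bob" remip=203.0.113.21',
    'date=2020-12-01 time=22:15:31 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip=203.0.113.99',
    'date=2020-12-11 time=07:00:00 type="event" subtype="system" action="login" user="admin" ui="https(192.0.2.5)"',
]
# Local VPN users as they would appear under "config user local" (constructed).
LOCAL_VPN_USERS = ["alice", "bob", "carol", "dave"]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split one key=value log line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def last_vpn_login(lines):
    """Latest successful tunnel establishment per user, as a datetime."""
    last = {}
    for line in lines:
        rec = parse_kv(line)
        if rec.get("subtype") != "vpn" or rec.get("action") != "tunnel-up":
            continue  # failed logins and tunnel-down events do not count as use
        user = rec.get("user")
        if not user:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if user not in last or ts > last[user]:
            last[user] = ts
    return last


def dormant_accounts(configured_users, lines, today, max_idle_days=90):
    """Configured users with no successful VPN login in the last max_idle_days
    (including users that never logged in at all). today is 'YYYY-MM-DD'.
    The 90-day default is an assumption; pick what fits your policy."""
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=max_idle_days)
    last = last_vpn_login(lines)
    return sorted(u for u in configured_users if u not in last or last[u] < cutoff)


if __name__ == "__main__":
    for user in dormant_accounts(LOCAL_VPN_USERS, SAMPLE_LOG, "2020-12-12"):
        print("dormant:", user)
```

<p>Accounts that appear only in failed-login or tunnel-down events (<code>carol</code> in the sample) are reported as dormant on purpose: a name that is being guessed at but never succeeds is exactly the account you want disabled.</p>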
<p><strong>Use password policy at least for admin users.</strong></p>
<p>Unfortunately, the Fortigate currently does not provide a password policy for local SSL VPN users, but for admins it has existed for a long time. So there is no real reason not to use it, at least for admins who connect from the Internet, to prevent password guessing.</p>
<p><strong>Enable secure communication with Active Directory Domain Controller.</strong></p>
<p>I see it, unfortunately, all the time in 2021 as well: a Domain Admin user is configured in the Fortigate for querying the AD DC and … over port 389 without “Secure connection” turned on. Fortunately for an attacker who manages to get CLI access to the firewall, it means he now has the Domain Admin password ready and served: all he needs to do is run a sniffer on the Fortigate, <code>diagnose sniffer packet any 'port 389' 6</code>, and watch the Domain Admin password being sent in clear text in the LDAP bind. Great (not). </p>
<p><strong>Do not use Domain Admin account to query the Active Directory.</strong></p>
<p>The untold truth is that you only need an AD user that can READ, not write, the directory tree where the VPN users are located. That is, a REGULAR AD user will do the job just fine; there is no need for Domain Admin at all for VPN authentication.</p>
<p><strong>Alert email on firewall configuration changes.</strong></p>
<p>Production-level firewalls do not change every day, so every configuration change should be noticed and accounted for. In older FortiOS versions we have Alert Email in the Log settings, sent each time the configuration changes. The newer ones also have Automation Stitches that can send an email each time the configuration changes (and not only then). </p>
<p><strong>Port scan your Fortigate and close open ports in Local Policy.</strong></p>
<p>The Fortigate has quite a few ports open by default. They can only be seen in the GUI after enabling “Local In Policy” in Feature Visibility, and changed only on the CLI. Do not panic once you look there and see lots of open ports: not all of them (maybe none of them) are exploitable, but as a hygiene rule, close everything on a need-to-work basis. You can read more about this in <a href="https://yurisk.info/2020/06/07/fortigate-local-in-policy/">Fortigate Local in Policy what it does and how to change/configure it</a>. Here is a typical list of open ports:</p>
<p><img alt="Local in policy Fortigate" src="/assets/vpn-leaked-accounts3.png"></p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Nfdump netflow/sflow cookbook of examples2020-09-20T13:55:25+00:002020-09-20T13:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2020-09-20:/2020/09/20/nfdump-netflow-usage-examples-cookbook/<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_introduction">Introduction</a></li>
<li><a href="#_start_code_nfcapd_code_netflow_collector_in_a_daemon_mode_listening_on_port_5001_with_all_extensions_enabled_and_saving_received_netflow_data_into_the_named_folder_em_nfs_cisco_rtr_em_accept_netflow_records_only_coming_from_the_sender_with_the_ip_of_13_13_13_137">Start <code>nfcapd</code> netflow collector in a daemon mode listening on port 5001 with all extensions enabled and saving received netflow data into the named folder <em>NFS-cisco-rtr</em>. Accept netflow records only coming from the sender with the IP of 13.13.13.137</a></li>
<li><a href="#_read_and_print_all_records_form_a_single_file">Read and print all records from a single file</a></li>
<li><a href="#_display_cumulative_statistics_about_all_the_flows_in_a_records_file">Display cumulative statistics about all the flows in a records file</a></li>
<li><a href="#_read_and_print_all_records_from_a_range_of_files_starting_at_em_nfcapd_202004221040_em_and_up_to_but_not_including_the_current_file_still_being_written_to_em_nfcapd_current_1609_em">Read and print all records from a range of files, starting at <em>nfcapd.202004221040</em> and up to but not including the current file still being written to <em>nfcapd.current.1609</em></a></li>
<li><a href="#_read_all_records_from_a_range_of_files_starting_at_em_nfcapd_202209242120_em_and_finishing_at_em_nfcapd_202209242150_em">Read all records from a range of files, starting at <em>nfcapd.202209242120</em> and finishing at <em>nfcapd.202209242150</em></a></li>
<li><a href="#_print_sessions_where_the_source_or_destination_ip_is_8_8_8_8">Print sessions where the source or destination IP is 8.8.8.8</a></li>
<li><a href="#_print_sessions_where_the_destination_port_is_53_the_destination_ip_is_8_8_8_8_and_the_protocol_is_tcp">Print sessions where the destination port is 53, the destination IP is 8.8.8.8, and the protocol is TCP</a></li>
<li><a href="#_show_top_10_flows_sorted_by_the_bits_per_second_statistics">Show top 10 flows sorted by the bits per second statistics</a></li>
<li><a href="#_show_all_flows_sorted_by_the_bits_per_second_statistics">Show all flows sorted by the bits per second statistics</a></li>
<li><a href="#_aggregate_all_flows_to_from_host_8_8_8_8_based_on_source_ip">Aggregate all flows to/from host 8.8.8.8 based on source IP</a></li>
<li><a href="#_calculate_statistics_for_port_443_traffic_and_sort_by_code_bps_code_to_see_bandwidth_abusing_hosts">Calculate statistics for port 443 traffic and sort by <code>bps</code> to see bandwidth abusing hosts</a></li>
<li><a href="#_sort_presented_flows_by_duration_longest_at_the_bottom">Sort presented flows by duration, longest at the bottom</a></li>
<li><a href="#_anonymize_ip_addresses_in_all_the_flows_in_the_file_overwrite_in_place">Anonymize IP addresses in all the flows in the file, overwrite in-place</a></li>
<li><a href="#_find_records_in_the_time_range_of_12_19_00_12_20_00_matching_the_filter_of_protocol_udp_and_port_53">Find records in the time range of 12:19:00 - 12:20:00 matching the filter of protocol = UDP and port = 53</a></li>
</ul>
</div>
<div class="sect1">
<h2 id="_introduction">Introduction</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Few facts to know before diving into examples:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>nfdump packet filter syntax is tcpdump-compatible, and it should come as the last argument on the line.</p>
</li>
<li>
<p><code>nfcapd</code> daemon receives Netflow streams and saves them into local files,
switching to a new file every 5 minutes (configurable). The naming starts with <em>nfcapd</em>, then dot, and finally date and time stamp.</p>
</li>
<li>
<p>The newest version for 2022 is 1.7, which is multi-threaded.</p>
</li>
<li>
<p>There is a GUI web based front end <strong>nfsen</strong>, which is a separate install.</p>
</li>
<li>
<p>nfdump reads files from filesystem and outputs to either STDOUT or to binary files (if used with <code>-w</code> option). If it runs out of host memory or free disk space for temporary files, it will crash.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_start_code_nfcapd_code_netflow_collector_in_a_daemon_mode_listening_on_port_5001_with_all_extensions_enabled_and_saving_received_netflow_data_into_the_named_folder_em_nfs_cisco_rtr_em_accept_netflow_records_only_coming_from_the_sender_with_the_ip_of_13_13_13_137">Start <code>nfcapd</code> netflow collector in a daemon mode listening on port 5001 with all extensions enabled and saving received netflow data into the named folder <em>NFS-cisco-rtr</em>. Accept netflow records only coming from the sender with the IP of 13.13.13.137</h2>
<div class="sectionbody">
<div class="listingblock">
<div class="content">
<pre>nfcapd -D -T all -n NFS-cisco-rtr,13.13.13.137,/var/flows/NFS-cisco-rtr -p 5001</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_read_and_print_all_records_form_a_single_file">Read and print all records from a single file</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Here the records file is <em>nfcapd.202004221040</em>. nfdump prints the records in arbitrary order, not sorted by any key.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>nfdump -r nfcapd.202004221040</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_display_cumulative_statistics_about_all_the_flows_in_a_records_file">Display cumulative statistics about all the flows in a records file</h2>
<div class="sectionbody">
<div class="listingblock">
<div class="content">
<pre>nfdump -I -r nfcapd.202004221040</pre>
</div>
</div>
<div class="paragraph">
<p><em>Output:</em></p>
</div>
<div class="listingblock">
<div class="content">
<pre>Ident: NFS-cisco-rtr
Flows: 378330
Flows_tcp: 318586
Flows_udp: 54743
Flows_icmp: 3864
Flows_other: 1137
Packets: 11162669
Packets_tcp: 8681920
Packets_udp: 2163252
Packets_icmp: 34346
Packets_other: 283151
Bytes: 6315310484
Bytes_tcp: 5677222352
Bytes_udp: 467682299
Bytes_icmp: 3717079
Bytes_other: 166688754
First: 1587551972
Last: 1587552299
msec_first: 950
msec_last: 914
Sequence failures: 0</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_read_and_print_all_records_from_a_range_of_files_starting_at_em_nfcapd_202004221040_em_and_up_to_but_not_including_the_current_file_still_being_written_to_em_nfcapd_current_1609_em">Read and print all records from a range of files, starting at <em>nfcapd.202004221040</em> and up to but not including the current file still being written to <em>nfcapd.current.1609</em></h2>
<div class="sectionbody">
<div class="listingblock">
<div class="content">
<pre>nfdump -R nfcapd.202004221040</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_read_all_records_from_a_range_of_files_starting_at_em_nfcapd_202209242120_em_and_finishing_at_em_nfcapd_202209242150_em">Read all records from a range of files, starting at <em>nfcapd.202209242120</em> and finishing at <em>nfcapd.202209242150</em></h2>
<div class="sectionbody">
<div class="paragraph">
<p>This works if the files are in the same directory. If they are not, also specify <code>-M</code> with the list of directories.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>nfdump -R nfcapd.202209242120:nfcapd.202209242150</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_print_sessions_where_the_source_or_destination_ip_is_8_8_8_8">Print sessions where the source or destination IP is 8.8.8.8</h2>
<div class="sectionbody">
<div class="listingblock">
<div class="content">
<pre>nfdump -r nfcapd.202004221040 'host 8.8.8.8'</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_print_sessions_where_the_destination_port_is_53_the_destination_ip_is_8_8_8_8_and_the_protocol_is_tcp">Print sessions where the destination port is 53, the destination IP is 8.8.8.8, and the protocol is TCP</h2>
<div class="sectionbody">
<div class="listingblock">
<div class="content">
<pre>nfdump -r nfcapd.202004221040 'dst ip 8.8.8.8 and dst port 53 and proto tcp'</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_show_top_10_flows_sorted_by_the_bits_per_second_statistics">Show top 10 flows sorted by the bits per second statistics</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Note: <code>-o extended</code> sets the output format to include the <code>bps</code> column as well. <code>-n 10</code> limits the output to the top 10 rows (which is the default as well). Finally, <code>-O bps</code> tells nfdump to sort the output by the bits-per-second value in descending (default) order.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>nfdump -r nfcapd.202004221050 -n 10 -O bps -o extended</pre>
</div>
</div>
<div class="paragraph">
<p>Output:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows
2020-04-22 12:19:58.824 0.004 TCP 44.30.248.239:443 -> 44.244.6.114:54044 ...AP... 16 141 204984 35250 410.0 M 1453 1
2020-04-22 12:22:37.845 0.004 TCP 175.68.86.47:80 -> 44.244.6.114:53717 ...AP... 128 133 184649 33250 369.3 M 1388 1
2020-04-22 12:20:37.844 0.004 TCP 175.68.86.47:80 -> 44.244.6.114:53717 ...AP... 128 133 184649 33250 369.3 M 1388 1
2020-04-22 12:24:37.845 0.004 TCP 175.68.86.47:80 -> 44.244.6.114:53717 ...AP... 128 132 184609 33000 369.2 M 1398 1
2020-04-22 12:22:59.517 0.008 TCP 44.244.195.12:443 -> 44.244.6.114:58302 ...AP... 16 212 302672 26500 302.7 M 1427 1
2020-04-22 12:23:15.541 0.036 TCP 44.244.195.12:443 -> 44.244.6.114:58302 ...AP... 16 915 1.3 M 25416 298.9 M 1469 1
2020-04-22 12:20:03.728 0.004 TCP 50.62.32.42:80 -> 216.88.40.116:52054 ...AP... 40 99 135345 24750 270.7 M 1367 1
2020-04-22 12:23:08.773 0.012 TCP 44.244.195.12:443 -> 44.244.6.114:58302 ...AP... 16 255 371935 21250 248.0 M 1458 1
2020-04-22 12:22:58.377 0.004 TCP 50.62.32.25:80 -> 216.88.40.116:52157 ...AP... 0 77 109616 19250 219.2 M 1423 1
2020-04-22 12:21:25.568 0.028 TCP 158.255.172.17:443 -> 44.244.6.114:55324 ...AP... 16 483 669748 17250 191.4 M 1386 1
IP addresses anonymised
Summary: total flows: 492540, total bytes: 7.4 G, total packets: 14.6 M, avg bps: 184.8 M, avg pps: 45237, avg bpp: 510
Time window: 2020-04-22 12:19:37 - 2020-04-22 12:24:59
Total flows processed: 492540, Blocks skipped: 0, Bytes read: 39403680
Sys: 0.216s flows/second: 2277989.2 Wall: 0.404s flows/second: 1219146.3</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_show_all_flows_sorted_by_the_bits_per_second_statistics">Show all flows sorted by the bits per second statistics</h2>
<div class="sectionbody">
<div class="listingblock">
<div class="content">
<pre class="pygments highlight"><code data-lang="bash">nfdump -r nfcapd.202004221050 -n <span class="tok-m">0</span> -O bps -o extended</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_aggregate_all_flows_to_from_host_8_8_8_8_based_on_source_ip">Aggregate all flows to/from host 8.8.8.8 based on source IP</h2>
<div class="sectionbody">
<div class="listingblock">
<div class="content">
<pre>nfdump -r nfcapd.202004221005 -A srcip ' host 8.8.8.8'</pre>
</div>
</div>
<div class="listingblock">
<div class="content">
<pre>Date first seen Duration Src IP Addr Packets Bytes bps Bpp Flows
2020-04-22 10:05:01.183 241.032 113.166.180.142 122 6938 230 56 122
2020-04-22 10:05:00.915 295.020 18.113.121.204 1493 96860 2626 64 62
2020-04-22 10:05:03.819 289.848 18.113.43.130 750 63000 1738 84 54
2020-04-22 10:05:02.887 289.828 113.166.180.139 750 63000 1738 84 49
2020-04-22 10:05:01.455 295.148 113.166.180.138 812 50458 1367 62 810
2020-04-22 10:05:03.507 289.852 113.166.180.137 750 63000 1738 84 56
2020-04-22 10:04:55.799 300.484 89.12.212.116 417 33261 885 79 417
2020-04-22 10:05:00.667 289.868 113.166.180.141 750 63000 1738 84 55
2020-04-22 10:04:56.047 303.116 8.8.8.8 6730 768784 20290 114 1825
2020-04-22 10:05:01.127 291.740 113.166.88.58 886 70796 1941 79 172
Summary: total flows: 3622, total bytes: 1.3 M, total packets: 13460, avg bps: 33731, avg pps: 44, avg bpp: 95
Time window: 2020-04-22 10:04:37 - 2020-04-22 10:09:59
Total flows processed: 426270, Blocks skipped: 0, Bytes read: 34102112
Sys: 0.036s flows/second: 11784203.7 Wall: 0.036s flows/second: 11560177.9</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_calculate_statistics_for_port_443_traffic_and_sort_by_code_bps_code_to_see_bandwidth_abusing_hosts">Calculate statistics for port 443 traffic and sort by <code>bps</code> to see bandwidth abusing hosts</h2>
<div class="sectionbody">
<div class="paragraph">
<p>We can include as many <code>-s</code> options as needed; each statistics table will be printed independently. Statistics are calculated only for the flows in this specific <em>nfcapd.</em> file; to compute statistics over longer periods of time, see <code>-R</code> and <code>-M</code>.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>nfdump -r nfcapd.202004220705 -s srcip/bps -s dstip/bps ' port 443'</pre>
</div>
</div>
<div class="paragraph">
<p>Output:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>Top 10 Src IP Addr ordered by bps:
Date first seen Duration Proto Src IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp
2020-04-22 12:19:50.336 309.513 any 219.149.22.196 8957( 2.6) 995109(10.7) 1.3 G(21.6) 3215 34.2 M 1327
2020-04-22 12:19:50.336 309.361 any 219.149.22.201 8167( 2.4) 837173( 9.0) 1.1 G(18.1) 2706 28.6 M 1321
2020-04-22 12:19:37.828 322.081 any 44.244.6.114 58555(16.9) 2.1 M(22.3) 978.3 M(16.0) 6471 24.3 M 469
2020-04-22 12:21:31.120 0.496 any 128.73.82.164 6( 0.0) 958( 0.0) 1.3 M( 0.0) 1931 21.7 M 1406
2020-04-22 12:19:49.064 310.609 any 244.34.184.28 6849( 2.0) 411384( 4.4) 369.3 M( 6.0) 1324 9.5 M 897
2020-04-22 12:23:01.213 2.244 any 148.161.85.162 3( 0.0) 1322( 0.0) 1.9 M( 0.0) 589 6.9 M 1469
2020-04-22 12:19:49.860 309.909 any 244.34.184.29 4425( 1.3) 270828( 2.9) 250.0 M( 4.1) 873 6.5 M 922
2020-04-22 12:19:52.984 306.313 any 219.149.22.228 12205( 3.5) 245171( 2.6) 244.1 M( 4.0) 800 6.4 M 995
2020-04-22 12:21:08.360 6.460 any 92.34.211.23 4( 0.0) 3080( 0.0) 4.5 M( 0.1) 476 5.6 M 1472
2020-04-22 12:19:37.828 321.421 any 219.149.22.229 16208( 4.7) 252091( 2.7) 220.4 M( 3.6) 784 5.5 M 874
Top 10 Dst IP Addr ordered by bps:
Date first seen Duration Proto Dst IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp
2020-04-22 12:19:37.828 322.081 any 44.244.6.114 57453(16.6) 3.5 M(37.6) 3.1 G(51.2) 10892 77.8 M 893
2020-04-22 12:19:43.316 316.633 any 216.88.40.117 56198(16.2) 1.1 M(11.8) 939.0 M(15.4) 3470 23.7 M 854
2020-04-22 12:19:48.900 311.033 any 216.88.40.116 56349(16.3) 1.0 M(11.0) 835.6 M(13.7) 3295 21.5 M 815
2020-04-22 12:19:54.760 300.929 any 93.161.105.117 833( 0.2) 83367( 0.9) 108.3 M( 1.8) 277 2.9 M 1299
2020-04-22 12:19:47.736 310.013 any 210.249.165.16 89( 0.0) 79489( 0.9) 92.7 M( 1.5) 256 2.4 M 1165
2020-04-22 12:19:59.256 298.577 any 70.35.238.51 180( 0.1) 100020( 1.1) 85.8 M( 1.4) 334 2.3 M 858
2020-04-22 12:20:07.024 0.004 any 209.213.75.111 2( 0.0) 28( 0.0) 1120( 0.0) 7000 2.2 M 40
2020-04-22 12:21:16.636 0.004 any 216.88.58.165 2( 0.0) 22( 0.0) 968( 0.0) 5500 1.9 M 44
2020-04-22 12:19:59.472 299.353 any 207.176.46.233 94( 0.0) 42353( 0.5) 45.7 M( 0.7) 141 1.2 M 1079
2020-04-22 12:19:50.356 309.537 any 219.149.22.196 9055( 2.6) 274394( 2.9) 47.0 M( 0.8) 886 1.2 M 171
IP addresses anonymised
Summary: total flows: 346143, total bytes: 6.1 G, total packets: 9.3 M, avg bps: 151.8 M, avg pps: 28957, avg bpp: 655
Time window: 2020-04-22 12:19:37 - 2020-04-22 12:24:59
Total flows processed: 492540, Blocks skipped: 0, Bytes read: 39403680
Sys: 0.139s flows/second: 3539124.8 Wall: 0.136s flows/second: 3598781.3</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_sort_presented_flows_by_duration_longest_at_the_bottom">Sort presented flows by duration, longest at the bottom</h2>
<div class="sectionbody">
<div class="paragraph">
<p>nfdump itself has no provision to sort flows by their duration, but we can
easily pipe the output to any Linux sorting tool (here <code>sort</code> on the third column, Duration).
Let’s display the top 10 flows by duration:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>echo 'Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows ' ; \
nfdump -r nfcapd.202209281905 | sort -n -k3,3 | tail -10</pre>
</div>
</div>
<div class="paragraph">
<p>Output:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2022-09-28 18:10:08.820 3360.080 TCP 172.17.12.130:57095 -> 20.199.120.182:443 4 306 1
2022-09-28 18:10:08.820 3360.080 TCP 20.199.120.182:443 -> 172.17.12.130:57095 2 428 1
2022-09-28 18:11:48.620 3360.130 TCP 172.17.12.164:49836 -> 20.199.120.151:443 4 304 1
2022-09-28 18:11:48.620 3360.130 TCP 20.199.120.151:443 -> 172.17.12.164:49836 2 426 1
2022-09-28 17:06:18.140 7202.630 ICMP 172.17.80.245:0 -> 172.20.0.2:0.8 120 7200 1
2022-09-28 09:09:36.580 35232.610 PIM 100.100.100.100:0 -> 172.17.46.254:0 0 0 1
2022-09-27 20:34:35.550 81030.200 ICMP 172.17.80.245:0 -> 87.128.226.58:0.8 1362 81720 1
2022-09-27 20:34:35.550 81030.200 ICMP 87.128.226.58:0 -> 172.17.80.245:8.8 1362 81720 1
2022-09-27 15:45:26.850 98610.750 ICMP 172.17.7.12:0 -> 172.17.24.127:8.8 9860 433840 1
2022-09-27 15:45:26.850 98610.750 ICMP 172.17.24.127:0 -> 172.17.7.12:0.8 9859 433796 1</pre>
</div>
</div>
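<p>The same two operations done on nfdump's text output in Python, as an added example that is not from the blog or the nfdump project: a parser for the default line format, a longest-first sort by duration (this section), and a per-source-IP roll-up like the <code>-A srcip</code> aggregation shown earlier. The sample input is constructed from the ten records of the output above; the parser assumes IPv4 addresses in the <code>ip:port</code> column and keeps the ICMP <code>type.code</code> value as the port string.</p>

```python
from dataclasses import dataclass

# Constructed sample: the header, the ten records from the "sort by duration"
# output on this page, and the trailer line nfdump prints for anonymised data.
SAMPLE_OUTPUT = """\
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2022-09-28 18:10:08.820 3360.080 TCP 172.17.12.130:57095 -> 20.199.120.182:443 4 306 1
2022-09-28 18:10:08.820 3360.080 TCP 20.199.120.182:443 -> 172.17.12.130:57095 2 428 1
2022-09-28 18:11:48.620 3360.130 TCP 172.17.12.164:49836 -> 20.199.120.151:443 4 304 1
2022-09-28 18:11:48.620 3360.130 TCP 20.199.120.151:443 -> 172.17.12.164:49836 2 426 1
2022-09-28 17:06:18.140 7202.630 ICMP 172.17.80.245:0 -> 172.20.0.2:0.8 120 7200 1
2022-09-28 09:09:36.580 35232.610 PIM 100.100.100.100:0 -> 172.17.46.254:0 0 0 1
2022-09-27 20:34:35.550 81030.200 ICMP 172.17.80.245:0 -> 87.128.226.58:0.8 1362 81720 1
2022-09-27 20:34:35.550 81030.200 ICMP 87.128.226.58:0 -> 172.17.80.245:8.8 1362 81720 1
2022-09-27 15:45:26.850 98610.750 ICMP 172.17.7.12:0 -> 172.17.24.127:8.8 9860 433840 1
2022-09-27 15:45:26.850 98610.750 ICMP 172.17.24.127:0 -> 172.17.7.12:0.8 9859 433796 1
IP addresses anonymised
"""

# nfdump prints large counters scaled, as two tokens: "1.3 M"
SCALE = {"K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}


@dataclass
class Flow:
    first_seen: str
    duration: float
    proto: str
    src_ip: str
    src_port: str      # for ICMP this is "type.code", e.g. "0.8"
    dst_ip: str
    dst_port: str
    packets: float
    bytes: float
    flows: int


def _pop_number(tokens):
    """Pop one numeric field off the end of tokens, folding a scale suffix in."""
    tok = tokens.pop()
    if tok in SCALE:
        return float(tokens.pop()) * SCALE[tok]
    return float(tok)


def parse_flow_line(line):
    """Parse one record of nfdump's default line output.

    Returns None for the header, the 'Summary:' trailer, 'IP addresses
    anonymised' and any other line that is not a flow record.
    """
    tokens = line.split()
    if len(tokens) < 10 or tokens[5] != "->":
        return None
    rest = tokens[7:]                 # Packets Bytes Flows, parsed from the end
    flows = int(_pop_number(rest))
    nbytes = _pop_number(rest)
    packets = _pop_number(rest)
    src_ip, src_port = tokens[4].rsplit(":", 1)   # IPv4 assumed
    dst_ip, dst_port = tokens[6].rsplit(":", 1)
    return Flow(tokens[0] + " " + tokens[1], float(tokens[2]), tokens[3],
                src_ip, src_port, dst_ip, dst_port, packets, nbytes, flows)


def parse_records(text):
    return [f for f in map(parse_flow_line, text.splitlines()) if f is not None]


def longest_flows(text, n=10):
    """Equivalent of the 'sort -n -k3,3 | tail' pipeline, longest first.
    Python's sort is stable, so nfdump's order is kept among equal durations."""
    return sorted(parse_records(text), key=lambda f: f.duration, reverse=True)[:n]


def aggregate_by_src(text):
    """Roughly what 'nfdump -A srcip' does: totals per source IP."""
    totals = {}
    for f in parse_records(text):
        t = totals.setdefault(f.src_ip, {"packets": 0.0, "bytes": 0.0, "flows": 0})
        t["packets"] += f.packets
        t["bytes"] += f.bytes
        t["flows"] += f.flows
    return totals


if __name__ == "__main__":
    for f in longest_flows(SAMPLE_OUTPUT, 3):
        print(f"{f.duration:>10.3f}s {f.proto:<5} {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}")
    by_bytes = sorted(aggregate_by_src(SAMPLE_OUTPUT).items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    for ip, t in by_bytes:
        print(f"{ip:<16} packets={t['packets']:.0f} bytes={t['bytes']:.0f} flows={t['flows']}")
```

<p>Feed it <code>nfdump -r file</code> output on stdin and the hours-long ICMP flows at the bottom of the page's table come out on top; the roll-up is handy when the collector is not available and only saved text output is.</p>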
</div>
</div>
<div class="sect1">
<h2 id="_anonymize_ip_addresses_in_all_the_flows_in_the_file_overwrite_in_place">Anonymize IP addresses in all the flows in the file, overwrite in-place</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Use the <code>nfanon</code> tool bundled with <code>nfdump</code>. To use it, we have to specify a random key of 32 ASCII characters or a 64-character hexadecimal string; the <code>-K</code> option accepts the key.</p>
</div>
<div class="paragraph">
<p>To generate a random 32-character key:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>dd if=/dev/urandom bs=16 count=1 | hexdump -v -e '/1 "%02X "' | tr -d ' ' ; echo
1+0 records in
1+0 records out
16 bytes copied, 0.000491685 s, 32.5 kB/s
E9C11DC6F92488E7A13A1F42EF6A9E87</pre>
</div>
</div>
<div class="listingblock">
<div class="content">
<pre>nfanon -K E9C11DC6F92488E7A13A1F42EF6A9E87 -r nfcapd.202004220710</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_find_records_in_the_time_range_of_12_19_00_12_20_00_matching_the_filter_of_protocol_udp_and_port_53">Find records in the time range of 12:19:00 - 12:20:00 matching the filter of protocol = UDP and port = 53</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Using the <code>-t</code> option we can limit the time range of the records to look into. nfdump puts 0 for any missing time part, e.g. 12:19 means 12:19:00.</p>
</div>
<div class="listingblock">
<div class="content">
<pre>nfdump -r nfcapd.202004220920 -t 2020/04/22.12:19:00-2020/04/22.12:20:00 'port 53 and proto udp'</pre>
</div>
</div>
<div class="paragraph">
<p>Output:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2020-04-22 12:19:55.564 0.000 UDP 56.30.111.241:53 -> 216.88.40.117:64842 1 636 1
2020-04-22 12:19:55.564 0.000 UDP 216.88.40.117:64012 -> 158.174.33.78:53 1 81 1
2020-04-22 12:19:54.852 0.000 UDP 216.88.40.117:63044 -> 70.158.34.8:53 1 80 1
2020-04-22 12:19:55.712 0.000 UDP 219.154.149.77:53 -> 216.88.40.116:49880 1 89 1
2020-04-22 12:19:55.716 0.000 UDP 216.88.40.117:65172 -> 246.220.77.233:53 1 82 1
2020-04-22 12:19:55.152 0.000 UDP 216.88.40.117:63463 -> 177.234.225.103:53 1 79 1
2020-04-22 12:19:55.364 0.000 UDP 216.88.40.117:63493 -> 51.11.3.16:53 1 73 1
IP addresses anonymised
Summary: total flows: 7, total bytes: 1120, total packets: 7, avg bps: 10370, avg pps: 8, avg bpp: 160
Time window: 2020-04-22 12:19:37 - 2020-04-22 12:24:59
Total flows processed: 492540, Blocks skipped: 0, Bytes read: 39403680
Sys: 0.050s flows/second: 9713068.7 Wall: 0.048s flows/second: 10233959.4</pre>
</div>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Using external threat feeds in FortiGate has become much easier with 6.0 and 6.2 versions2020-08-08T11:59:25+00:002020-08-08T11:59:25+00:00Yuri Slobodyanyuktag:yurisk.info,2020-08-08:/2020/08/08/fortigate-using-external-threat-feeds-and-ip-domain-block-lists/<p>Recently I had the opportunity to configure an external threat feed as a block list for the Fortigate and was pleasantly surprised by how much simpler it has become.
Task at hand: Block incoming connections sourced from IP addresses supplied as a list by a 3rd party commercial Threat Intelligence feed. </p>
<p>Until FortiOS 6.0.1 we had to resort to custom scripting that downloaded those block lists, then parsed them and compiled Fortigate CLI commands to add them as address objects, circumventing limitations by grouping addresses into Address Groups. In short, it was doable but painful. But no more: starting with FortiOS 6.0.1 we have a Fabric Connector for IP address/domain block lists, which we can use in DNS Filtering (6.0.1 and newer) and also as regular Address objects in the Source/Destination fields of Security Rules (6.2 and newer).</p>
<p>So let's see how to do it. For this post I will be using the free "Bogons List" by Team Cymru, as in the original case I was using a commercial and confidential one which cannot be disclosed here. The idea is identical: the feed provider gives (usually) an HTTP/HTTPS link to download the IP block list. The list has to have one IP address/network or domain per line and it must be readable as plain text. Example:</p>
<div class="highlight"><pre><span></span><code># last updated 1595753401 (Sun Jul 26 08:50:01 2020 GMT)
0.0.0.0/8
5.44.248.0/21
5.57.208.0/21
5.172.176.0/21
</code></pre></div>
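<p>Before pointing a Fabric Connector at a feed, it is worth checking that the file really is one address, network or domain per line, since a captive login page or a malformed entry would otherwise be silently dropped or, worse, leave the connector unsynchronised. The validator below is an added example, not from the blog or from Fortinet; the sample feed is constructed from the bogon excerpt above with a domain and two deliberately broken lines appended, and the domain-name regex is an assumption of the example.</p>

```python
import ipaddress
import re

# Constructed sample feed: the comment and four prefixes from the bogon list
# excerpt on this page, plus a domain entry, an IPv6 prefix and two lines
# that must be rejected (an invalid address and an HTML login page fragment).
SAMPLE_FEED = """\
# last updated 1595753401 (Sun Jul 26 08:50:01 2020 GMT)
0.0.0.0/8
5.44.248.0/21
5.57.208.0/21
5.172.176.0/21
bad.example
2001:db8::/32
300.1.1.1
<html>Login required</html>
"""

# Assumed hostname syntax: labels of letters, digits and hyphens, not starting
# or ending with a hyphen, and a purely alphabetic top-level label.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)


def classify_entry(entry):
    """Return 'ip' for an address or CIDR prefix, 'domain' for a hostname, else None."""
    try:
        ipaddress.ip_network(entry, strict=False)   # accepts 10.0.0.1 and 10.0.0.0/8
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(entry):
        return "domain"
    return None


def validate_feed(text):
    """Split feed text into IP entries, domain entries and rejected lines.

    Blank lines and lines starting with '#' are ignored, matching the comment
    line in the bogon list. Returns (ips, domains, rejected) where rejected is
    a list of (line_number, line) so the bad entries can be reported.
    """
    ips, domains, rejected = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind = classify_entry(line)
        if kind == "ip":
            ips.append(line)
        elif kind == "domain":
            domains.append(line)
        else:
            rejected.append((lineno, line))
    return ips, domains, rejected


if __name__ == "__main__":
    ips, domains, rejected = validate_feed(SAMPLE_FEED)
    print(f"{len(ips)} IP entries, {len(domains)} domain entries, {len(rejected)} rejected")
    for lineno, line in rejected:
        print(f"  line {lineno}: {line!r}")
```

<p>A mixed result (both IP and domain entries) is itself a signal: the IP Address and Domain Name connector types each expect only their own kind of entry, so the feed should be split before it is loaded.</p>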
<p>The FortiOS used here is 6.2.3. We start by creating a new Fabric Connector: <strong>Security Fabric -> Fabric Connectors -> Create New -> Threat Feeds: IP Address</strong>, in which we specify the URL to download the block list from, with optional Basic HTTP Authentication. It should look like this:</p>
<p><img alt="Create new Fabric Connector" src="/assets/fortigate-bogons-fabric-connector.png"></p>
<p>Upon saving, give it a few minutes for the Fortigate to fetch the URL. When it is ready, the arrow will change from red to green:</p>
<p><img alt="Status red is not synced" src="/assets/fortigate-bogons-fabric-connector2.png"></p>
<p><img alt="status green is synced" src="/assets/fortigate-bogons-fabric-connector3.png"> </p>
<p>Once the Fabric Connector is synchronized with the feed, we can edit it to verify the IPs/domains it downloaded:</p>
<p><img alt="Contents of the feed as seen by Fortigate" src="/assets/fortigate-bogons-fabric-connector4.png"></p>
<p>What is left is to use this feed object in a Security rule. Here I will create a new rule with the action of Deny, above the rule allowing HTTP/HTTPS access to the website:</p>
<p><img alt="Security rules" src="/assets/fortigate-bogons-security-rule1.png"></p>
<p><img alt="Security rule done" src="/assets/fortigate-bogons-security-rule2.png"></p>
<p>Key takeaway today: keep abreast of new major and minor FortiOS releases, as any update may introduce a new feature that will make your life as a Network/Security admin much easier.</p>
<h3>Resources</h3>
<p><a href="https://team-cymru.com/community-services/bogon-reference/" target="_blank" rel="noopener">Team Cymru Bogon Reference</a></p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Fortigate guest user accounts - create, edit, delete and deploy2020-07-29T10:59:25+00:002020-07-29T10:59:25+00:00Yuri Slobodyanyuktag:yurisk.info,2020-07-29:/2020/07/29/fortigate-guest-user-accounts-create-edit-delete-deploy/<p>The guest user accounts are special in Fortigate and unlike regular local Firewall user accounts. The flow of creating them is:</p>
<p><img alt=" Guest users creation workflow" src="/assets/fortigate-guest-user-accounts.svg"></p>
<p>Let's configure it.</p>
<h3>First, you create Groups, which serve, in this case, as a template for various parameters users can/must have later:</h3>
<p><strong>User & Device</strong> -> <strong>User Groups</strong> -> <strong>New</strong> .. -> <strong>Type: Guest</strong></p>
<p><img alt="create new group" src="/assets/fortigate-gues-user-accounts1.png"></p>
<p>If you enable "Batch Guest Account Creation", all the configuration fields become grayed out and all the details of the users to be created will be generated automatically at random.</p>
<h3>(Optional) Create Guest users admin to manage them and assign relevant Groups</h3>
<p>Such an admin can only see the page for managing these Guest users, and that is it.</p>
<p><strong>System</strong> -> <strong>Administrators</strong> -> <strong>New ..</strong> -> <strong>Type: Restrict admin to guest account provisioning only</strong>:</p>
<p><img alt="guest admin" src="/assets/fortigate-gues-user-accounts4.png"></p>
<p>This admin has to have access to the Management IP, like a usual admin:</p>
<p><img alt="admin GUI" src="/assets/fortigate-gues-user-accounts7.png"></p>
<h3>Create Guest users</h3>
<p><strong>User & Device</strong> -> <strong>Guest Management</strong> -> <strong>New ..</strong></p>
<p>Pay attention to the upper right corner to pick the correct group for the new user to be created.</p>
<p><img alt="create new guest user" src="/assets/fortigate-gues-user-accounts2.png"></p>
<p><img alt="create new user" src="/assets/fortigate-gues-user-accounts3.png"></p>
<h3>Use the created Groups</h3>
<p>Finally, we can use the Guest groups in Security rules or in a WiFi SSID for Captive Portal authentication.</p>
<p>Here is an example of a Security rule. A user will have to first browse somewhere to get the login page.</p>
<p><img alt="security rule" src="/assets/fortigate-gues-user-accounts5.png"></p>
<p>Full CLI configuration:</p>
<div class="highlight"><pre><span></span><code>config user group
    edit "SSO_Guest_Users"
    next
    edit "Guest-group"
        set group-type guest
        set user-name enable
        set sponsor mandatory
        set expire-type first-successful-login
        set expire 446400
        config guest
            edit "joan@nasa.gov"
                set name "guest1"
                set password ENC y3UDU+HYxl2n7KBFwPXNkd1BD2XmoAKyga50LtyL+qk+GLcwPDGHyw8hzkY9Wl0Q7wYYm4dOWuqMoDAzvQ1MsxyoxJsLag+esNBC4nGONVC+tRqyWSjA+8xvyiZykgwB3Urj0ylv6vd99mVk0XiwHtd2S/GLB7/1DsfQtinp6NwH4FF3g+3YPni7fThHwWQjnMfH3w==
                set sponsor "NASA"
                set company "NASA"
                set email "joan@nasa.gov"
                set expiration 2020-08-03 05:13:27
            next
        end
    next
    edit "Guest-group2"
        set group-type guest
        set user-name enable
        set expire-type first-successful-login
        set expire 878400
        config guest
            edit "johnny@nsa.gov"
                set name "guest2"
                set password ENC 41+u3YABUwTLctu56UTIni2P7rRnr3edfCKOfH/RJatGi7znh8kpcxc03vJTciH4J7/CDmBVESD4foPi5hMV+u9DQLzQ2AN2sxKMcB+9fJ/O2RhlVRoBwR7SN/is2G2Tra3pMA1lkWzJhMAcXfQnB55YcYq5UnXqGYDNhNt+I8+1CDyowlxIxWpS5grwPIYJEiWQCQ==
<span class="w"> </span><span class="k">set</span><span class="w"> </span><span class="n">sponsor</span><span class="w"> </span><span class="ss">"NSA"</span><span class="w"></span>
<span class="w"> </span><span class="k">set</span><span class="w"> </span><span class="n">company</span><span class="w"> </span><span class="ss">"NSA"</span><span class="w"></span>
<span class="w"> </span><span class="k">set</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="ss">"johnny@nsa.gov"</span><span class="w"></span>
<span class="w"> </span><span class="k">set</span><span class="w"> </span><span class="n">expiration</span><span class="w"> </span><span class="mi">878400</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="k">end</span><span class="w"></span>
</code></pre></div>
<p>Optional guest users admin:</p>
<div class="highlight"><pre><span></span><code><span class="nv">config</span><span class="w"> </span><span class="nv">system</span><span class="w"> </span><span class="nv">admin</span><span class="w"></span>
<span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="s2">"guest-admin"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">vdom</span><span class="w"> </span><span class="s2">"root"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">guest</span><span class="o">-</span><span class="nv">auth</span><span class="w"> </span><span class="nv">enable</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">guest</span><span class="o">-</span><span class="nv">usergroups</span><span class="w"> </span><span class="s2">"Guest-group"</span><span class="w"> </span><span class="s2">"Guest-group2"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">password</span><span class="w"> </span><span class="nv">ENC</span><span class="w"> </span><span class="nv">SH2SUStSlY72bDN</span><span class="o">/</span><span class="mi">7</span><span class="nv">nYPYJGaKNHPdtjsd4BLiYwKzXu</span><span class="o">+</span><span class="nv">N</span><span class="o">/</span><span class="nv">B19BHiX899iakQ6k</span><span class="o">=</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="k">end</span><span class="w"></span>
</code></pre></div>
<p>LAN to Internet wired networks rule:</p>
<div class="highlight"><pre><span></span><code><span class="nv">edit</span><span class="w"> </span><span class="mi">3</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">name</span><span class="w"> </span><span class="s2">"LAN-10.17-to-Internet"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">uuid</span><span class="w"> </span><span class="nv">cdfe8fee</span><span class="o">-</span><span class="nv">ca85</span><span class="o">-</span><span class="mi">51</span><span class="nv">ea</span><span class="o">-</span><span class="mi">5</span><span class="nv">c07</span><span class="o">-</span><span class="nv">b2311d5406cd</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">srcintf</span><span class="w"> </span><span class="s2">"port3"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">dstintf</span><span class="w"> </span><span class="s2">"port1"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">srcaddr</span><span class="w"> </span><span class="s2">"LAN_10.10.17"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">dstaddr</span><span class="w"> </span><span class="s2">"all"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">action</span><span class="w"> </span><span class="nv">accept</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">schedule</span><span class="w"> </span><span class="s2">"always"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">service</span><span class="w"> </span><span class="s2">"ALL"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">utm</span><span class="o">-</span><span class="nv">status</span><span class="w"> </span><span class="nv">enable</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">fsso</span><span class="w"> </span><span class="nv">disable</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">groups</span><span class="w"> </span><span class="s2">"Guest-group"</span><span class="w"> </span><span class="s2">"Guest-group2"</span><span class="w"> </span><span class="o"><--</span><span class="w"> </span><span class="nv">Guest</span><span class="w"> </span><span class="nv">user</span><span class="w"> </span><span class="nv">groups</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">webfilter</span><span class="o">-</span><span class="nv">profile</span><span class="w"> </span><span class="s2">"custom1"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">dnsfilter</span><span class="o">-</span><span class="nv">profile</span><span class="w"> </span><span class="s2">"custom-dns-filter1"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">application</span><span class="o">-</span><span class="nv">list</span><span class="w"> </span><span class="s2">"Custom-app-control"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">ssl</span><span class="o">-</span><span class="nv">ssh</span><span class="o">-</span><span class="nv">profile</span><span class="w"> </span><span class="s2">"deep-inspection"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">nat</span><span class="w"> </span><span class="nv">enable</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
</code></pre></div>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Fortigate how to verify that IPS is actually working2020-07-26T11:59:25+00:002020-07-26T11:59:25+00:00Yuri Slobodyanyuktag:yurisk.info,2020-07-26:/2020/07/26/fortigate-how-to-verify-and-test-if-ips-is-working/<p>Is your IPS actually doing what you expect? You have to test your configuration, especially with an Intrusion Prevention System, which needs not only an On/Off switch but also tuning, or it may become useless. With AntiVirus we have the EICAR test file (a harmless fake virus) on eicar.org to download. With IPS there is no such well-known service. So here is how to test your Fortigate IPS configuration. I can see 2 ways:</p>
<ol>
<li><strong>Create a custom IPS signature</strong>. Pros: you can match any traffic, even legitimate traffic, as "malicious" and thus trigger the IPS. This makes it easy to test: just match your PC's IP address and generate any traffic. The con is that if you err and write a wrong signature, it may mislead you with either a false positive or a false negative. You then end up testing your signature-writing skills rather than the IPS functionality.</li>
<li><strong>Use a built-in signature</strong>. This is closer to real-life testing. The problem, though, is creating an environment "vulnerable" enough to trigger a real IPS signature. Vulnerable host(s) in the network are never a good idea, even just for testing, and testing vulnerabilities against patched, non-vulnerable hosts is usually fruitless. E.g. running the Metasploit "MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution" exploit against a patched Windows 10 will not trigger this signature, because before sending the exploit Metasploit runs an auxiliary module to check whether the target is vulnerable. If the target is not vulnerable, the payload is not sent (by default) and the IPS will not fire.</li>
</ol>
<p>So what I do is a modified version of way 2: I use built-in signatures, but only rate-based ones. This way I don't need to make any host vulnerable, and the signatures are easy to trigger.</p>
<p>Case study: I will configure the <em>"HTTP.Authentication.Brute.Force"</em> signature (<a href="https://fortiguard.com/encyclopedia/ips/20949/http-authentication-brute-force" target=_blank rel="noopener">Fortiguard Labs</a>) to trigger on 10 failed authentication attempts against an Apache server.</p>
<p><strong>Apache configs</strong>. </p>
<ol>
<li>Create user with password. </li>
<li>Enable authentication on some throw away directory.</li>
</ol>
<p>Create user <code>test</code> with password <code>qwe123</code>:</p>
<div class="highlight"><pre><span></span><code>htpasswd -c /etc/passwords test
</code></pre></div>
<p>Protect the directory:</p>
<div class="highlight"><pre><span></span><code><span class="nt"><Directory</span> <span class="err">/var/www/html</span><span class="nt">/></span>
AuthType Basic
AuthName "Restricted Access"
AuthBasicProvider file
AuthUserFile "/etc/passwords"
Require user test
<span class="nt"></Directory></span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>apachectl restart
</code></pre></div>
<h3>Fortigate</h3>
<p>Let's create new IPS sensor and add this signature (the other one in the picture is unrelated):</p>
<p><img alt="IPS sensor with single signature" src="/assets/fortigate-ips-brute-force-signatire1.png"></p>
<p>The signature itself should be tuned or it will not trigger. The reason is that, based on a signature's false-positive probability, Fortinet assigns it a default action of either <strong>Block</strong> or <strong>Pass</strong>, where Pass means the matched traffic passes unhindered. Just like that. So we have to change the action to Block and lower the trigger value: by default (see the URL above) this signature triggers on more than 200 failed attempts per minute. I would need lots of parallel brute-force sessions to reach such a high threshold, so I lower it to 10.</p>
<p><img alt="IPS sensor with single signature" src="/assets/fortigate-ips-brute-force-signatire2.png"></p>
<p>Now we can use the IPS sensor in the Security Policy:</p>
<p><img alt="IPS sensor inside a rule" src="/assets/fortigate-ips-brute-force-signatire3.png"></p>
<p>Finally, we can verify whether the IPS functions as expected. I am using <a href="https://github.com/vanhauser-thc/thc-hydra" target=_blank rel="noopener">thc-hydra</a> to brute-force the authentication:</p>
<div class="highlight"><pre><span></span><code>hydra -l test -P 1000passwords.txt 3.123.8.115 http-get
</code></pre></div>
<p>Where:<br>
<code>test</code> - username to try.<br>
<code>1000passwords.txt</code> - text file with 1000 random passwords from the Internet.<br>
<code>3.123.8.115</code> - external IP of the Fortigate.<br>
<code>http-get</code> - use the HTTP GET method to request the page and be presented with Authentication Required.</p>
<video width="1920" height="1080" style="max-width:100%; height:auto;" controls>
<source src="/assets/fortigate-IPS-testing.mp4" type="video/mp4">
Your browser does not support the video tag.
</video>
<h3>Full CLI config:</h3>
<p>NOTE1: additionally I set the action towards the attacker to <code>quarantine</code>, so it blocks not just the packets of the attack itself, but ANY packets coming from this source IP. The default quarantine time is 5 minutes; I increased it here to 10 minutes with the command <code>set quarantine-expiry 0d0h10m</code>.</p>
<p>NOTE2: You can exempt some IPs from this signature, as I show below for 10.10.10.1.</p>
<p>NOTE3: I enabled <code>log-packet</code> to save the contents of the attacking packets as .pcap files, but use it with care as it can consume a lot of disk space over time.</p>
<p>NOTE4: The last entry, 5 (actually unrelated to the specific signature, just as a note), uses a filter instead of specifying an exact IPS signature ID as entries 2 and 3 do. Here I pick the signatures whose OS is defined as BSD and whose protected location is the client.</p>
<div class="highlight"><pre><span></span><code><span class="nv">config</span><span class="w"> </span><span class="nv">ips</span><span class="w"> </span><span class="nv">sensor</span><span class="w"></span>
<span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="s2">"Kali-block"</span><span class="w"></span>
<span class="w"> </span><span class="nv">config</span><span class="w"> </span><span class="nv">entries</span><span class="w"></span>
<span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">rule</span><span class="w"> </span><span class="mi">43796</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">status</span><span class="w"> </span><span class="nv">enable</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">log</span><span class="o">-</span><span class="nv">packet</span><span class="w"> </span><span class="nv">enable</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">action</span><span class="w"> </span><span class="nv">block</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="mi">3</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">rule</span><span class="w"> </span><span class="mi">20949</span><span class="w"> </span><span class="o"><--</span><span class="w"> </span><span class="nv">HTTP</span>.<span class="nv">Authentication</span>.<span class="nv">Brute</span>.<span class="nv">Force</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">status</span><span class="w"> </span><span class="nv">enable</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">log</span><span class="o">-</span><span class="nv">packet</span><span class="w"> </span><span class="nv">enable</span><span class="w"> </span><span class="o"><--</span><span class="w"> </span><span class="nv">Archive</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">whole</span><span class="w"> </span><span class="nv">packet</span><span class="w"> </span><span class="nv">as</span><span class="w"> </span><span class="nv">PCAP</span><span class="w"> </span><span class="nv">on</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">harddisk</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">action</span><span class="w"> </span><span class="nv">block</span><span class="w"> </span><span class="o"><--</span><span class="w"> </span><span class="nv">Override</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">action</span><span class="w"> </span><span class="nv">to</span><span class="w"> </span><span class="nv">Block</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">rate</span><span class="o">-</span><span class="nv">count</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="o"><--</span><span class="w"> </span><span class="nv">Lower</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="mi">200</span><span class="w"> </span><span class="nv">to</span><span class="w"> </span><span class="nv">just</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="nv">per</span><span class="w"> </span><span class="nv">minute</span><span class="w"></span>
<span class="w"> </span><span class="nv">config</span><span class="w"> </span><span class="nv">exempt</span><span class="o">-</span><span class="nv">ip</span><span class="w"></span>
<span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">src</span><span class="o">-</span><span class="nv">ip</span><span class="w"> </span><span class="mi">10</span>.<span class="mi">10</span>.<span class="mi">10</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">255</span>.<span class="mi">255</span>.<span class="mi">255</span>.<span class="mi">255</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">quarantine</span><span class="w"> </span><span class="nv">attacker</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">quarantine</span><span class="o">-</span><span class="nv">expiry</span><span class="w"> </span><span class="mi">10</span><span class="nv">m</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="mi">5</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">location</span><span class="w"> </span><span class="nv">client</span><span class="w"> </span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">os</span><span class="w"> </span><span class="nv">BSD</span><span class="w"> </span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="k">end</span><span class="w"></span>
</code></pre></div>
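<p>As an added example (not Fortinet's code and not from the original post), the following Python script models what the sensor entry above does, replayed over constructed Apache access-log lines instead of live packets: a rate-count of 10 failed (HTTP 401) authentications per source within one minute, the exempt-ip entry for 10.10.10.1, and a 10-minute quarantine of the attacker that then drops all of its traffic, not only the attack packets. The log format, the sample IPs other than those on this page, and the helper and class names are assumptions.</p>

```python
"""Rate-based HTTP brute-force detection modelled on the IPS sensor entry above.

Constructed example, not Fortinet code: it replays Apache access-log lines and
applies the sensor's three knobs to HTTP 401 responses: rate-count 10 failures
per source within 60 seconds, the exempt-ip entry for 10.10.10.1, and a
10-minute quarantine of the attacker that drops ALL of its traffic afterwards.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

RATE_COUNT = 10                            # set rate-count 10 (signature default is 200)
RATE_WINDOW = timedelta(seconds=60)        # the signature counts failures per minute
QUARANTINE_EXPIRY = timedelta(minutes=10)  # set quarantine-expiry 10m
EXEMPT_IPS = {"10.10.10.1"}                # config exempt-ip, edit 1
SIGNATURE = ("HTTP.Authentication.Brute.Force", 20949)

# Apache combined log format: ip ident user [timestamp] "request" status size ...
# Positional groups: 1 = client IP, 2 = timestamp, 3 = request line, 4 = status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')


def parse_line(line):
    """Return (client_ip, timestamp, status) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, int(m.group(4))


class BruteForceSensor:
    """Sliding-window counter of failed Basic-auth attempts per source IP."""

    def __init__(self):
        self._failures = defaultdict(deque)  # src ip -> timestamps of 401s in window
        self.quarantine = {}                 # src ip -> (created, expires)
        self.events = []                     # IPS log records emitted on detection

    def _is_quarantined(self, ip, now):
        entry = self.quarantine.get(ip)
        if entry is None:
            return False
        if now >= entry[1]:          # quarantine-expiry reached: release the host
            del self.quarantine[ip]
            return False
        return True

    def inspect(self, line):
        """Verdict for one request: pass, exempt, block, quarantined or unparsed."""
        parsed = parse_line(line)
        if parsed is None:
            return "unparsed"
        ip, ts, status = parsed
        # A quarantined source is dropped entirely, not only its attack packets.
        if self._is_quarantined(ip, ts):
            return "quarantined"
        if ip in EXEMPT_IPS:
            return "exempt"
        if status != 401:            # only failed authentications count
            return "pass"
        window = self._failures[ip]
        window.append(ts)
        while ts - window[0] > RATE_WINDOW:   # drop failures older than one minute
            window.popleft()
        if len(window) >= RATE_COUNT:
            self.quarantine[ip] = (ts, ts + QUARANTINE_EXPIRY)
            self.events.append({"src": ip, "signature": SIGNATURE[0],
                                "rule": SIGNATURE[1], "count": len(window)})
            window.clear()
            return "block"
        return "pass"

    def quarantine_list(self):
        """Rows in the shape of 'diagnose user quarantine list': ip created expires cause."""
        fmt = "%a %b %d %H:%M:%S %Y"
        return [f"{ip} {c.strftime(fmt)} {e.strftime(fmt)} IPS"
                for ip, (c, e) in self.quarantine.items()]


def make_log(ip, second, status):
    """Build one constructed access-log line (sample data, not a real capture)."""
    ts = datetime(2020, 7, 28, 3, 17, second, tzinfo=timezone.utc)
    return (f'{ip} - test [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"GET / HTTP/1.1" {status} 381 "-" "-"')


def run_demo():
    """Replay constructed traffic through the sensor and return the verdicts."""
    sensor = BruteForceSensor()
    lines = [make_log("8.4.62.16", s, 401) for s in range(12)]  # 12 failures in 12 s
    lines.append(make_log("8.4.62.16", 20, 200))  # a valid request after quarantine
    lines += [make_log("10.10.10.1", s, 401) for s in range(12)]  # exempt host
    lines += [make_log("10.17.7.50", 30, 401), make_log("10.17.7.50", 31, 200)]
    verdicts = [sensor.inspect(line) for line in lines]
    return {"verdicts": verdicts, "quarantine": dict(sensor.quarantine),
            "events": sensor.events, "listing": sensor.quarantine_list()}


if __name__ == "__main__":
    result = run_demo()
    for row in ["src-ip-addr created expires cause"] + result["listing"]:
        print(row)
```

The tenth failure from 8.4.62.16 is the one that blocks and quarantines the source; the exempt host is never counted, and a single mistyped password from an ordinary user passes.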
<h3>Verification</h3>
<p>See quarantined IPs (in case action quarantine is enabled inside the sensor):</p>
<h3>diagnose user quarantine list</h3>
<div class="highlight"><pre><span></span><code>src-ip-addr created expires cause
8.4.62.16 Tue Jul 28 03:17:42 2020 Tue Jul 28 03:27:42 2020 IPS
</code></pre></div>
<p>Here <code>8.4.62.16</code> is the "attacker" and <code>10.17.7.11</code> is the attacked web server.</p>
<p>To remove all quarantined hosts in one go: </p>
<h3>diagnose user quarantine clear</h3>
<p>To add/delete a specific host to/from the quarantine list:</p>
<h3>diagnose user quarantine add src4/src6 ...</h3>
<p>NOTE: The quarantine list is kept in the kernel and is thus available to and used by many other Fortigate modules, like Antivirus, DLP etc. This means that if an IP gets quarantined, it will be blocked not just by IPS and the rules it contains, but by the other modules as well, so the quarantined host is blocked totally by the Fortigate.</p>
<p>Create a filter (optional) and list all sessions passing through the IPS sensor in the stateful session table:</p>
<h3>diag ips filter set "port 80"</h3>
<h3>diag ips filter status</h3>
<div class="highlight"><pre><span></span><code>DEBUG FILTER:
debug level: 0
filter: "port 80"
process id: 0
</code></pre></div>
<p>To see all sessions IPS is following:</p>
<h3>dia ips session list</h3>
<div class="highlight"><pre><span></span><code><span class="nv">Total</span><span class="w"> </span><span class="nv">TCP</span><span class="w"> </span><span class="nv">sessions</span>:<span class="w"> </span><span class="mi">3</span><span class="w"></span>
<span class="nv">SESSION</span><span class="w"> </span><span class="nv">id</span>:<span class="mi">76</span><span class="w"> </span><span class="nv">serial</span>:<span class="mi">3664</span><span class="w"> </span><span class="nv">proto</span>:<span class="mi">6</span><span class="w"> </span><span class="nv">group</span>:<span class="mi">6</span><span class="w"> </span><span class="nv">age</span>:<span class="mi">1769</span><span class="w"> </span><span class="nv">idle</span>:<span class="mi">1768</span><span class="w"> </span><span class="nv">flag</span>:<span class="mi">0</span><span class="nv">x100026</span><span class="w"></span>
<span class="w"> </span><span class="nv">feature</span>:<span class="mi">0</span><span class="nv">x2</span><span class="w"> </span><span class="nv">encap</span>:<span class="mi">0</span><span class="w"> </span><span class="nv">ignore</span>:<span class="mi">0</span>,<span class="mi">0</span><span class="w"> </span><span class="nv">ignore_after</span>:<span class="mi">204800</span>,<span class="mi">204800</span><span class="w"></span>
<span class="w"> </span><span class="nv">C</span><span class="o">-</span><span class="mi">8</span>.<span class="mi">4</span>.<span class="mi">62</span>.<span class="mi">16</span>:<span class="mi">59998</span>,<span class="w"> </span><span class="nv">S</span><span class="o">-</span><span class="mi">10</span>.<span class="mi">17</span>.<span class="mi">7</span>.<span class="mi">11</span>:<span class="mi">80</span><span class="w"></span>
<span class="w"> </span><span class="nv">state</span>:<span class="w"> </span><span class="nv">C</span><span class="o">-</span><span class="nv">CLOSE_WAIT</span><span class="o">/</span><span class="mi">130</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span>,<span class="w"> </span><span class="nv">S</span><span class="o">-</span><span class="nv">FIN_WAIT_1</span><span class="o">/</span><span class="mi">695</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="w"> </span><span class="k">pause</span>:<span class="mi">0</span>,<span class="w"> </span><span class="nv">paws</span>:<span class="mi">0</span><span class="w"></span>
<span class="w"> </span><span class="nv">expire</span>:<span class="w"> </span><span class="mi">1832</span><span class="w"></span>
<span class="w"> </span><span class="nv">app</span>:<span class="w"> </span><span class="nv">unknown</span>:<span class="mi">0</span><span class="w"> </span><span class="nv">last</span>:<span class="mi">0</span><span class="w"> </span><span class="nv">unknown</span><span class="o">-</span><span class="nv">size</span>:<span class="mi">0</span><span class="w"></span>
<span class="w"> </span><span class="nv">cnfm</span>:<span class="w"> </span><span class="nv">http</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span>:<span class="w"> </span><span class="nv">http</span><span class="w"> </span><span class="nv">sip</span><span class="w"> </span><span class="nv">rtsp</span><span class="w"></span>
<span class="w"> </span><span class="nv">asm</span>:<span class="w"> </span><span class="nv">http</span><span class="w"></span>
<span class="nv">SESSION</span><span class="w"> </span><span class="nv">id</span>:<span class="mi">78</span><span class="w"> </span><span class="nv">serial</span>:<span class="mi">3672</span><span class="w"> </span><span class="nv">proto</span>:<span class="mi">6</span><span class="w"> </span><span class="nv">group</span>:<span class="mi">6</span><span class="w"> </span><span class="nv">age</span>:<span class="mi">1769</span><span class="w"> </span><span class="nv">idle</span>:<span class="mi">1768</span><span class="w"> </span><span class="nv">flag</span>:<span class="mi">0</span><span class="nv">x100026</span><span class="w"></span>
<span class="w"> </span><span class="nv">feature</span>:<span class="mi">0</span><span class="nv">x2</span><span class="w"> </span><span class="nv">encap</span>:<span class="mi">0</span><span class="w"> </span><span class="nv">ignore</span>:<span class="mi">0</span>,<span class="mi">0</span><span class="w"> </span><span class="nv">ignore_after</span>:<span class="mi">204800</span>,<span class="mi">204800</span><span class="w"></span>
<span class="w"> </span><span class="nv">C</span><span class="o">-</span><span class="mi">8</span>.<span class="mi">4</span>.<span class="mi">62</span>.<span class="mi">16</span>:<span class="mi">59990</span>,<span class="w"> </span><span class="nv">S</span><span class="o">-</span><span class="mi">10</span>.<span class="mi">17</span>.<span class="mi">7</span>.<span class="mi">11</span>:<span class="mi">80</span><span class="w"></span>
<span class="w"> </span><span class="nv">state</span>:<span class="w"> </span><span class="nv">C</span><span class="o">-</span><span class="nv">CLOSE_WAIT</span><span class="o">/</span><span class="mi">130</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span>,<span class="w"> </span><span class="nv">S</span><span class="o">-</span><span class="nv">FIN_WAIT_1</span><span class="o">/</span><span class="mi">695</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="w"> </span><span class="k">pause</span>:<span class="mi">0</span>,<span class="w"> </span><span class="nv">paws</span>:<span class="mi">0</span><span class="w"></span>
<span class="w"> </span><span class="nv">expire</span>:<span class="w"> </span><span class="mi">1832</span><span class="w"></span>
<span class="w"> </span><span class="nv">app</span>:<span class="w"> </span><span class="nv">unknown</span>:<span class="mi">0</span><span class="w"> </span><span class="nv">last</span>:<span class="mi">0</span><span class="w"> </span><span class="nv">unknown</span><span class="o">-</span><span class="nv">size</span>:<span class="mi">0</span><span class="w"></span>
<span class="w"> </span><span class="nv">cnfm</span>:<span class="w"> </span><span class="nv">http</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span>:<span class="w"> </span><span class="nv">http</span><span class="w"> </span><span class="nv">sip</span><span class="w"> </span><span class="nv">rtsp</span><span class="w"></span>
<span class="w"> </span><span class="nv">asm</span>:<span class="w"> </span><span class="nv">http</span><span class="w"></span>
<span class="nv">SESSION</span><span class="w"> </span><span class="nv">id</span>:<span class="mi">83</span><span class="w"> </span><span class="nv">serial</span>:<span class="mi">4080</span><span class="w"> </span><span class="nv">proto</span>:<span class="mi">6</span><span class="w"> </span><span class="nv">group</span>:<span class="mi">6</span><span class="w"> </span><span class="nv">age</span>:<span class="mi">483</span><span class="w"> </span><span class="nv">idle</span>:<span class="mi">483</span><span class="w"> </span><span class="nv">flag</span>:<span class="mi">0</span><span class="nv">x100026</span><span class="w"></span>
<span class="w"> </span><span class="nv">feature</span>:<span class="mi">0</span><span class="nv">x2</span><span class="w"> </span><span class="nv">encap</span>:<span class="mi">0</span><span class="w"> </span><span class="nv">ignore</span>:<span class="mi">0</span>,<span class="mi">0</span><span class="w"> </span><span class="nv">ignore_after</span>:<span class="mi">204800</span>,<span class="mi">204800</span><span class="w"></span>
<span class="w"> </span><span class="nv">C</span><span class="o">-</span><span class="mi">8</span>.<span class="mi">4</span>.<span class="mi">62</span>.<span class="mi">16</span>:<span class="mi">60058</span>,<span class="w"> </span><span class="nv">S</span><span class="o">-</span><span class="mi">10</span>.<span class="mi">17</span>.<span class="mi">7</span>.<span class="mi">11</span>:<span class="mi">80</span><span class="w"></span>
<span class="w"> </span><span class="nv">state</span>:<span class="w"> </span><span class="nv">C</span><span class="o">-</span><span class="nv">CLOSE_WAIT</span><span class="o">/</span><span class="mi">130</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span>,<span class="w"> </span><span class="nv">S</span><span class="o">-</span><span class="nv">FIN_WAIT_1</span><span class="o">/</span><span class="mi">695</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="w"> </span><span class="k">pause</span>:<span class="mi">0</span>,<span class="w"> </span><span class="nv">paws</span>:<span class="mi">0</span><span class="w"></span>
<span class="w"> </span><span class="nv">expire</span>:<span class="w"> </span><span class="mi">3117</span><span class="w"></span>
<span class="w"> </span><span class="nv">app</span>:<span class="w"> </span><span class="nv">unknown</span>:<span class="mi">0</span><span class="w"> </span><span class="nv">last</span>:<span class="mi">0</span><span class="w"> </span><span class="nv">unknown</span><span class="o">-</span><span class="nv">size</span>:<span class="mi">0</span><span class="w"></span>
<span class="w"> </span><span class="nv">cnfm</span>:<span class="w"> </span><span class="nv">http</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span>:<span class="w"> </span><span class="nv">http</span><span class="w"> </span><span class="nv">sip</span><span class="w"> </span><span class="nv">rtsp</span><span class="w"></span>
<span class="w"> </span><span class="nv">asm</span>:<span class="w"> </span><span class="nv">http</span><span class="w"></span>
<span class="nv">Total</span><span class="w"> </span><span class="nv">UDP</span><span class="w"> </span><span class="nv">sessions</span>:<span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Total</span><span class="w"> </span><span class="nv">ICMP</span><span class="w"> </span><span class="nv">sessions</span>:<span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Total</span><span class="w"> </span><span class="nv">ICMP6</span><span class="w"> </span><span class="nv">sessions</span>:<span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Total</span><span class="w"> </span><span class="nv">IP</span><span class="w"> </span><span class="nv">sessions</span>:<span class="w"> </span><span class="mi">0</span><span class="w"></span>
</code></pre></div>
<h3>dia test application ipsmonitor 13</h3>
<div class="highlight"><pre><span></span><code><span class="n">Session</span><span class="w"> </span><span class="n">List</span><span class="o">:</span><span class="w"> </span><span class="n">pid</span><span class="o">=</span><span class="mi">1043</span><span class="w"></span>
<span class="n">vf</span><span class="o">=</span><span class="mi">0</span><span class="w"> </span><span class="n">proto</span><span class="o">=</span><span class="mi">6</span><span class="w"> </span><span class="mf">8.4.62.16</span><span class="o">:</span><span class="mi">59998</span><span class="o">-></span><span class="mf">10.17.7.11</span><span class="o">:</span><span class="mi">80</span><span class="w"></span>
<span class="n">vf</span><span class="o">=</span><span class="mi">0</span><span class="w"> </span><span class="n">proto</span><span class="o">=</span><span class="mi">6</span><span class="w"> </span><span class="mf">8.4.62.16</span><span class="o">:</span><span class="mi">59990</span><span class="o">-></span><span class="mf">10.17.7.11</span><span class="o">:</span><span class="mi">80</span><span class="w"></span>
<span class="n">Session</span><span class="w"> </span><span class="n">List</span><span class="o">:</span><span class="w"> </span><span class="n">total</span><span class="o">=</span><span class="mi">2</span><span class="w"></span>
<span class="n">Session</span><span class="w"> </span><span class="n">List</span><span class="o">:</span><span class="w"> </span><span class="n">pid</span><span class="o">=</span><span class="mi">1044</span><span class="w"></span>
<span class="n">vf</span><span class="o">=</span><span class="mi">0</span><span class="w"> </span><span class="n">proto</span><span class="o">=</span><span class="mi">6</span><span class="w"> </span><span class="mf">8.4.62.16</span><span class="o">:</span><span class="mi">59994</span><span class="o">-></span><span class="mf">10.17.7.11</span><span class="o">:</span><span class="mi">80</span><span class="w"></span>
<span class="n">vf</span><span class="o">=</span><span class="mi">0</span><span class="w"> </span><span class="n">proto</span><span class="o">=</span><span class="mi">6</span><span class="w"> </span><span class="mf">8.4.62.16</span><span class="o">:</span><span class="mi">60004</span><span class="o">-></span><span class="mf">10.17.7.11</span><span class="o">:</span><span class="mi">80</span><span class="w"></span>
<span class="n">Session</span><span class="w"> </span><span class="n">List</span><span class="o">:</span><span class="w"> </span><span class="n">total</span><span class="o">=</span><span class="mi">2</span><span class="w"></span>
<span class="n">Session</span><span class="w"> </span><span class="n">List</span><span class="o">:</span><span class="w"> </span><span class="n">pid</span><span class="o">=</span><span class="mi">1045</span><span class="w"></span>
<span class="n">Session</span><span class="w"> </span><span class="n">List</span><span class="o">:</span><span class="w"> </span><span class="n">total</span><span class="o">=</span><span class="mi">0</span><span class="w"></span>
<span class="n">Session</span><span class="w"> </span><span class="n">List</span><span class="o">:</span><span class="w"> </span><span class="n">pid</span><span class="o">=</span><span class="mi">1046</span><span class="w"></span>
<span class="n">vf</span><span class="o">=</span><span class="mi">0</span><span class="w"> </span><span class="n">proto</span><span class="o">=</span><span class="mi">6</span><span class="w"> </span><span class="mf">8.4.62.16</span><span class="o">:</span><span class="mi">59996</span><span class="o">-></span><span class="mf">10.17.7.11</span><span class="o">:</span><span class="mi">80</span><span class="w"></span>
<span class="n">Session</span><span class="w"> </span><span class="n">List</span><span class="o">:</span><span class="w"> </span><span class="n">total</span><span class="o">=</span><span class="mi">1</span><span class="w"></span>
</code></pre></div>
<p>This command shows health statistics of the IPS engine itself. DROP here does not count blocked attack packets; it counts packets the IPS was unable to process:</p>
<h3>diagnose ips packet status</h3>
<div class="highlight"><pre><span></span><code># diagnose ips packet status
PID: 1043
PACKET STATISTICS:
total packets 823
tcp packets 823
udp packets 0
icmp packets 0
other packets 0
fast path bad packets 0
fast path other packets 0
fast path nocfg packets 0
fast path invcfg packets 0
fast path config changed packets 0
slow path invcfg packets 0
tcp PAWS packets 0
huge packets 0
PACKET ACTION STATISTICS:
PASS 821
DROP 0
RESET 0
</code></pre></div>
<p>Another command for general IPS statistics, broken down by processing stage:</p>
<h3>diag ips session performance</h3>
<div class="highlight"><pre><span></span><code>PERFORMANCE STATISTICS
name : sess | pkts cycles | pkts cycles
decoder : 0 | 823 2163 | 0 0
session : 0 | 823 1252 | 0 0
protocol : 0 | 822 8454 | 0 0
application : 0 | 751 16122 | 0 0
detect : 0 | 0 0 | 0 0
match : 0 | 2731 2801 | 0 0
NC match : 0 | 5698 816 | 0 0
Cross Tag : 0 | 79 13864 | 0 0
-------------------------------------------------------------------------
</code></pre></div>
<p>Number of hits (and CPU cycles spent) per signature that was evaluated: </p>
<h3>diag ips sign hit</h3>
<div class="highlight"><pre><span></span><code><span class="c">SIGNATURE PERFORMANCE: 853 packets</span>
<span class="nb">------------------------------------------------------+-------------------------------------------------</span><span class="c"></span>
<span class="c"> Pattern | Non</span><span class="nb">-</span><span class="c">Pat</span>
<span class="nb">------------------------------------------------------+-------------------------------------------------</span><span class="c"></span>
<span class="c"> # Attack ID Hits Cycles | Attack ID Hits Cycles</span>
<span class="nb">------------------------------------------------------+-------------------------------------------------</span><span class="c"></span>
<span class="c"> 1 64474 (Ih</span><span class="nb">-</span><span class="c">) 78 6567 | 68480 (Ih</span><span class="nb">-</span><span class="c">) 478 458</span>
<span class="c"> 2 15425 (I</span><span class="nb">--</span><span class="c">) 78 2166 | 68661 (Ih</span><span class="nb">-</span><span class="c">) 478 282</span>
<span class="c"> 3 51312 (Ih</span><span class="nb">-</span><span class="c">) 78 1517 | 72387 (Ih</span><span class="nb">-</span><span class="c">) 246 495</span>
<span class="c"> 4 22607 (I</span><span class="nb">--</span><span class="c">) 78 2074 | 67810 (I</span><span class="nb">--</span><span class="c">) 232 693</span>
<span class="c"> 5 57955 (I</span><span class="nb">--</span><span class="c">) 78 2404 | 67812 (Ih</span><span class="nb">-</span><span class="c">) 232 300</span>
<span class="c"> 6 56472 (I</span><span class="nb">--</span><span class="c">) 78 2299 | 60398 (Ih</span><span class="nb">-</span><span class="c">) 232 1423</span>
<span class="c"> 7 35945 (I</span><span class="nb">--</span><span class="c">) 78 2691 | 44961 (Ih</span><span class="nb">-</span><span class="c">) 232 907</span>
<span class="c"> 8 49214 (I</span><span class="nb">--</span><span class="c">) 78 1355 | 44962 (Ih</span><span class="nb">-</span><span class="c">) 232 260</span>
<span class="c"> 9 37958 (Ih</span><span class="nb">-</span><span class="c">) 78 3615 | 72388 (Ih</span><span class="nb">-</span><span class="c">) 232 248</span>
<span class="c"> 10 72298 (I</span><span class="nb">--</span><span class="c">) 78 640 | 51952 (Ih</span><span class="nb">-</span><span class="c">) 175 904</span>
<span class="nb">--------------------------------------</span><span class="c"></span>
<span class="nb">----------------+-------------------------------------------------</span><span class="c"></span>
</code></pre></div>
<p>The final way to confirm that the IPS is actually inspecting traffic is <code>diagnose debug flow</code>. In its output, check that sessions are handed to the IPS: <code>msg="send to ips"</code>.</p>
<h3>diag debug flow filter "port 80"</h3>
<h3>dia deb flow show function</h3>
<h3>dia debug enable</h3>
<h3>dia deb flow trace start</h3>
<div class="highlight"><pre><span></span><code><span class="err">#</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">20085</span><span class="w"> </span><span class="n">trace_id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="n">func</span><span class="o">=</span><span class="n">print_pkt_detail</span><span class="w"> </span><span class="n">line</span><span class="o">=</span><span class="mi">5501</span><span class="w"> </span><span class="n">msg</span><span class="o">=</span><span class="ss">"vd-root:0 received a packet(proto=6, 8.4.62.16:60086->10.17.5.217:80) from port1. flag [S], seq 961143888, ack 0, win 64240"</span><span class="w"></span>
<span class="n">id</span><span class="o">=</span><span class="mi">20085</span><span class="w"> </span><span class="n">trace_id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="n">func</span><span class="o">=</span><span class="n">init_ip_session_common</span><span class="w"> </span><span class="n">line</span><span class="o">=</span><span class="mi">5666</span><span class="w"> </span><span class="n">msg</span><span class="o">=</span><span class="ss">"allocate a new session-0000126a"</span><span class="w"></span>
<span class="n">id</span><span class="o">=</span><span class="mi">20085</span><span class="w"> </span><span class="n">trace_id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="n">func</span><span class="o">=</span><span class="n">fw_pre_route_handler</span><span class="w"> </span><span class="n">line</span><span class="o">=</span><span class="mi">181</span><span class="w"> </span><span class="n">msg</span><span class="o">=</span><span class="ss">"VIP-10.17.7.11:80, outdev-port1"</span><span class="w"></span>
<span class="n">id</span><span class="o">=</span><span class="mi">20085</span><span class="w"> </span><span class="n">trace_id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="n">func</span><span class="o">=</span><span class="n">__ip_session_run_tuple</span><span class="w"> </span><span class="n">line</span><span class="o">=</span><span class="mi">3300</span><span class="w"> </span><span class="n">msg</span><span class="o">=</span><span class="ss">"DNAT 10.17.5.217:80->10.17.7.11:80"</span><span class="w"></span>
<span class="n">id</span><span class="o">=</span><span class="mi">20085</span><span class="w"> </span><span class="n">trace_id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="n">func</span><span class="o">=</span><span class="n">vf_ip_route_input_common</span><span class="w"> </span><span class="n">line</span><span class="o">=</span><span class="mi">2596</span><span class="w"> </span><span class="n">msg</span><span class="o">=</span><span class="ss">"find a route: flag=00000000 gw-10.17.7.11 via port2"</span><span class="w"></span>
<span class="n">id</span><span class="o">=</span><span class="mi">20085</span><span class="w"> </span><span class="n">trace_id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="n">func</span><span class="o">=</span><span class="n">fw_forward_handler</span><span class="w"> </span><span class="n">line</span><span class="o">=</span><span class="mi">771</span><span class="w"> </span><span class="n">msg</span><span class="o">=</span><span class="ss">"Allowed by Policy-1: SNAT"</span><span class="w"></span>
<span class="n">id</span><span class="o">=</span><span class="mi">20085</span><span class="w"> </span><span class="n">trace_id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="n">func</span><span class="o">=</span><span class="n">ids_receive</span><span class="w"> </span><span class="n">line</span><span class="o">=</span><span class="mi">289</span><span class="w"> </span><span class="n">msg</span><span class="o">=</span><span class="ss">"send to ips"</span><span class="w"> </span><span class="o"><--</span><span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="n">tells</span><span class="w"> </span><span class="n">us</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="k">connection</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">offloaded</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">IPS</span><span class="w"> </span>
<span class="n">id</span><span class="o">=</span><span class="mi">20085</span><span class="w"> </span><span class="n">trace_id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="n">func</span><span class="o">=</span><span class="n">__ip_session_run_tuple</span><span class="w"> </span><span class="n">line</span><span class="o">=</span><span class="mi">3286</span><span class="w"> </span><span class="n">msg</span><span class="o">=</span><span class="ss">"SNAT 8.4.62.16->10.17.7.10:60086"</span><span class="w"></span>
</code></pre></div>
<p>In the above:<br>
8.4.62.16 - attacker.<br>
10.17.5.217 - External/WAN IP of the Fortigate.<br>
10.17.7.11 - Internal IP of Ubuntu web server.<br>
10.17.7.10 - port2 IP on the Fortigate in Ubuntu network (I enabled NAT over this port2).</p>
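<p>To make the <code>send to ips</code> check usable on more than one session, here is an added example (mine, not from the original post): a small shell/awk triage of a <code>diagnose debug flow</code> capture that prints, per <code>trace_id</code>, the 5-tuple, the policy verdict and whether the session reached <code>ids_receive</code>, and then lists the sessions that were allowed but never handed to the IPS. The sample capture is constructed: <code>trace_id=1</code> is the article's own session, <code>trace_id=2</code> and <code>3</code> are made-up sessions added to show the two other outcomes, and the function names assume the trace was taken with function-name display enabled, as in the article.</p>

```shell
#!/bin/sh
# Added example, not part of the original post: triage a "diagnose debug flow"
# capture and list which sessions were actually handed to the IPS engine.
# Assumption: the trace was taken as in the article (function names shown), so
# the func=/msg= fields used below are present.

# Constructed sample. trace_id=1 is the article's own session (inspected by the IPS);
# trace_id=2 and 3 are made up: 2 is allowed by a policy but never reaches ids_receive,
# 3 is denied by policy, so there is nothing to inspect.
sample_flow() {
cat <<'EOF'
id=20085 trace_id=1 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 8.4.62.16:60086->10.17.5.217:80) from port1. flag [S], seq 961143888, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5666 msg="allocate a new session-0000126a"
id=20085 trace_id=1 func=fw_pre_route_handler line=181 msg="VIP-10.17.7.11:80, outdev-port1"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3300 msg="DNAT 10.17.5.217:80->10.17.7.11:80"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2596 msg="find a route: flag=00000000 gw-10.17.7.11 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=771 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1 func=ids_receive line=289 msg="send to ips"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3286 msg="SNAT 8.4.62.16->10.17.7.10:60086"
id=20085 trace_id=2 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 8.4.62.16:60090->10.17.5.217:80) from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=fw_forward_handler line=771 msg="Allowed by Policy-2: SNAT"
id=20085 trace_id=2 func=__ip_session_run_tuple line=3286 msg="SNAT 8.4.62.16->10.17.7.10:60090"
id=20085 trace_id=3 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 8.4.62.16:60091->10.17.5.217:22) from port1. flag [S], seq 2, ack 0, win 64240"
id=20085 trace_id=3 func=fw_forward_handler line=771 msg="Denied by forward policy check (policy 0)"
EOF
}

# One line per session: "<trace_id> <src:port->dst:port> <Policy-N|denied|-> <ips|no-ips>"
flow_summary() {
  awk '
    match($0, /trace_id=[0-9]+/) { tid = substr($0, RSTART + 9, RLENGTH - 9) }
    /received a packet/ && match($0, /[0-9.]+:[0-9]+->[0-9.]+:[0-9]+/) {
      tuple[tid] = substr($0, RSTART, RLENGTH)
    }
    /Allowed by Policy/ && match($0, /Policy-[0-9]+/) { policy[tid] = substr($0, RSTART, RLENGTH) }
    /Denied by/          { policy[tid] = "denied" }
    /msg="send to ips"/  { ips[tid] = 1 }
    END {
      for (t in tuple) {
        p = (t in policy) ? policy[t] : "-"
        i = (t in ips) ? "ips" : "no-ips"
        printf "%s %s %s %s\n", t, tuple[t], p, i
      }
    }' | sort -n
}

# Sessions a policy allowed but the IPS never saw: the ones to look at (usually the
# policy has no IPS sensor attached, or the session took a path that bypasses inspection).
sessions_without_ips() {
  flow_summary | awk '$3 != "-" && $3 != "denied" && $4 == "no-ips" { print $1 }'
}

# Usage: feed the debug flow output on stdin, e.g.
#   sample_flow | flow_summary
#   sample_flow | sessions_without_ips     # prints: 2
```

<p>On a real box, capture the trace to a file (or paste it from the terminal) and pipe it through <code>flow_summary</code>; every session listed by <code>sessions_without_ips</code> was allowed by a policy without ever reaching <code>ids_receive</code>, which is the first thing to check when an IPS signature that should fire does not.</p>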
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Fortigate to Fortimanager management tunnel connection debug how-to2020-07-19T10:06:12+00:002020-07-19T10:00:00+02:00Yuri Slobodyanyuktag:yurisk.info,2020-07-19:/2020/07/19/fortigate-to-fortimanager-tunnel-connection-debug/<p>When a policy install fails on Fortimanager, it may mean many things, as the process is quite complex with database/policy verification. But frequently it happens because the communication tunnel between Fortimanager and Fortigate is down. The tunnel works on TCP port 541, is encrypted (so we cannot see the contents) and can fail for various reasons. The first step I do is to check whether the tunnel is up or down. Here is an example of such a situation where the client suspected the tunnel was down, but I showed her it was not.
I run all the commands on the Fortigate only.</p>
<p>First, let's make sure the configuration is correct on the Fortigate:</p>
<h3>show sys central-management</h3>
<div class="highlight"><pre><span></span><code>config system central-management
<span class="nb">set</span> <span class="nb">type</span> fortimanager
fmg <span class="s2">"10.72.38.11"</span> <--IP address of FMG
<span class="nb">set</span> fmg-source-ip <span class="m">10</span>.13.91.99 <-- setting <span class="nb">source</span> IP is not a must of course, depends on the admin decision
end
</code></pre></div>
<p>All seems in place, so the next step is to ping the Fortimanager from the Fortigate, using the same source IP the tunnel uses. Ping does NOT go through the management tunnel, but at least it verifies IP reachability:</p>
<h3>exe ping-options source 10.13.91.99</h3>
<h3>exe ping 10.72.38.11</h3>
<div class="highlight"><pre><span></span><code>PING <span class="m">10</span>.72.38.11 <span class="o">(</span><span class="m">10</span>.72.38.11<span class="o">)</span>: <span class="m">56</span> data bytes
<span class="m">64</span> bytes from <span class="m">10</span>.72.38.11: <span class="nv">icmp_seq</span><span class="o">=</span><span class="m">0</span> <span class="nv">ttl</span><span class="o">=</span><span class="m">59</span> <span class="nv">time</span><span class="o">=</span><span class="m">22</span>.8 ms
<span class="m">64</span> bytes from <span class="m">10</span>.72.38.11: <span class="nv">icmp_seq</span><span class="o">=</span><span class="m">1</span> <span class="nv">ttl</span><span class="o">=</span><span class="m">59</span> <span class="nv">time</span><span class="o">=</span><span class="m">27</span>.3 ms
<span class="m">64</span> bytes from <span class="m">10</span>.72.38.11: <span class="nv">icmp_seq</span><span class="o">=</span><span class="m">2</span> <span class="nv">ttl</span><span class="o">=</span><span class="m">59</span> <span class="nv">time</span><span class="o">=</span><span class="m">32</span>.7 ms
</code></pre></div>
<p>Ping works, so far so good. Next is the sniffer, to actually see whether port 541 packets are being exchanged: </p>
<h3>diag sniffer packet any 'host 10.72.38.11' 4</h3>
<p>NOTE: The management tunnel works on port 541, but logs (if you enabled the Fortianalyzer feature on the FMG) are still sent on the usual Fortigate logging port 514. Make sure not to confuse the two, as sending logs is a different daemon's job.</p>
<p>And the last step, to make sure the management tunnel works as expected, is to run the debug of the fgfm daemon: </p>
<h3>diag deb app fgfm 255</h3>
<h3>diag deb enable</h3>
<div class="highlight"><pre><span></span><code>upd_cfg_extract_ids_db_version<span class="o">[</span><span class="m">367</span><span class="o">]</span>-version<span class="o">=</span>05006033NIDS02402-00006.00741-1512010230
FGFMs: client:send:
keepalive
<span class="nv">checksum</span><span class="o">=</span><span class="m">57</span> ba <span class="m">31</span> <span class="m">52</span> f0 a2 0c 7a c3 e7 b8 ff <span class="m">40</span> d5 1a <span class="m">22</span>
<span class="nv">ipsversion</span><span class="o">=</span><span class="m">6</span>.00741<span class="o">(</span><span class="m">2015</span>-12-01 <span class="m">02</span>:30<span class="o">)</span>
FGFMs: client:
reply <span class="m">200</span>
<span class="nv">request</span><span class="o">=</span>keepalive
<span class="nv">cur_tun_serial</span><span class="o">=</span>
FGFMs: <span class="o">[</span>fgfm_chan_msg_handler:607<span class="o">]</span> peer close channel: <span class="nv">local</span><span class="o">=</span><span class="m">5502</span>, <span class="nv">remote</span><span class="o">=</span><span class="m">10151</span>, <span class="nv">body_len</span><span class="o">=</span><span class="m">0</span>
FGFMs: Destroy tcp channnel <span class="nv">local_id</span><span class="o">=</span><span class="m">5502</span>, <span class="nv">remote_id</span><span class="o">=</span><span class="m">10151</span>, <span class="nv">sock_rd</span><span class="o">=</span><span class="m">6076</span>, <span class="nv">sock_wr</span><span class="o">=</span><span class="m">203</span>, <span class="nv">sock_size</span><span class="o">=</span><span class="m">0</span>.
FGFMs: Destroy stream_svr_obj
FGFMs: Destroy chan <span class="nv">local</span><span class="o">=</span><span class="m">5502</span>, <span class="nv">remote</span><span class="o">=</span><span class="m">10151</span>, <span class="k">in</span><span class="o">=</span><span class="m">203</span>, <span class="nv">ack</span><span class="o">=</span><span class="m">203</span>, <span class="nv">out</span><span class="o">=</span><span class="m">6076</span>,acked<span class="o">=</span><span class="m">6076</span>,inbuff<span class="o">=</span>-1.
FGFMs: client:
get connect_tcp
<span class="nv">localid</span><span class="o">=</span><span class="m">10152</span>
<span class="nv">chan_window_sz</span><span class="o">=</span><span class="m">32768</span>
<span class="nv">deflate</span><span class="o">=</span>gzip
<span class="nv">tcp_port</span><span class="o">=</span><span class="m">80</span>
FGFMs: <span class="o">[</span>fgfm_chan_msg_handler:607<span class="o">]</span> peer close channel: <span class="nv">local</span><span class="o">=</span><span class="m">5503</span>, <span class="nv">remote</span><span class="o">=</span><span class="m">10152</span>, <span class="nv">body_len</span><span class="o">=</span><span class="m">0</span>
FGFMs: Destroy tcp channnel <span class="nv">local_id</span><span class="o">=</span><span class="m">5503</span>, <span class="nv">remote_id</span><span class="o">=</span><span class="m">10152</span>, <span class="nv">sock_rd</span><span class="o">=</span><span class="m">581</span>, <span class="nv">sock_wr</span><span class="o">=</span><span class="m">204</span>, <span class="nv">sock_size</span><span class="o">=</span><span class="m">0</span>.
FGFMs: Destroy stream_svr_obj
FGFMs: Destroy chan <span class="nv">local</span><span class="o">=</span><span class="m">5503</span>, <span class="nv">remote</span><span class="o">=</span><span class="m">10152</span>, <span class="k">in</span><span class="o">=</span><span class="m">204</span>, <span class="nv">ack</span><span class="o">=</span><span class="m">204</span>, <span class="nv">out</span><span class="o">=</span><span class="m">581</span>,acked<span class="o">=</span><span class="m">581</span>,inbuff<span class="o">=</span>-1.
upd_cfg_extract_ids_db_version<span class="o">[</span><span class="m">367</span><span class="o">]</span>-version<span class="o">=</span>05006033NIDS02402-00006.00741-1512010230
FGFMs: client:send:
keepalive
<span class="nv">checksum</span><span class="o">=</span><span class="m">57</span> ba <span class="m">31</span> <span class="m">52</span> f0 a2 0c 7a c3 e7 b8 ff <span class="m">40</span> d5 1a <span class="m">22</span>
<span class="nv">ipsversion</span><span class="o">=</span><span class="m">6</span>.00741<span class="o">(</span><span class="m">2015</span>-12-01 <span class="m">02</span>:30<span class="o">)</span>
FGFMs: client:
reply <span class="m">200</span>
<span class="nv">request</span><span class="o">=</span>keepalive
<span class="nv">cur_tun_serial</span><span class="o">=</span>
</code></pre></div>
<p>The important part here is the keepalive exchange, and as we can see it works just fine: the Fortigate sends a keepalive and receives <code>reply 200</code>, which means "Success". The tunnel works correctly, case closed.</p>
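<p>The same keepalive logic, as an added shell/awk example that is not part of the original post: it walks the <code>fgfm</code> debug output, pairs every keepalive the Fortigate sends with the <code>reply</code> that follows, and gives a pass/fail verdict usable from a monitoring check. The sample is constructed from the article's healthy exchange plus one unanswered keepalive (made up) to show what a sick tunnel looks like; the message shapes are assumed to be the ones shown above.</p>

```shell
#!/bin/sh
# Added example, not part of the original post: decide from "diag deb app fgfm 255"
# output whether the FGFM tunnel is healthy, i.e. every keepalive the Fortigate
# sends gets a "reply 200" from the Fortimanager.
# Assumption: the message shapes are the ones shown in the article
# ("FGFMs: client:send:" + "keepalive", then "FGFMs: client:" + "reply <code>"
# + "request=keepalive").

# Constructed sample: the article's healthy exchange, followed by one keepalive
# (made up) that never gets an answer before the next keepalive is sent.
sample_fgfm() {
cat <<'EOF'
FGFMs: client:send:
keepalive
checksum=57 ba 31 52 f0 a2 0c 7a c3 e7 b8 ff 40 d5 1a 22
ipsversion=6.00741(2015-12-01 02:30)
FGFMs: client:
reply 200
request=keepalive
cur_tun_serial=
FGFMs: client:send:
keepalive
checksum=57 ba 31 52 f0 a2 0c 7a c3 e7 b8 ff 40 d5 1a 22
FGFMs: client:send:
keepalive
checksum=57 ba 31 52 f0 a2 0c 7a c3 e7 b8 ff 40 d5 1a 22
FGFMs: client:
reply 200
request=keepalive
EOF
}

# Walk the debug output as a small state machine and count keepalives sent,
# answered with 200, answered with another code, and never answered.
# Prints: "sent=N ok=N failed=N unanswered=N"
fgfm_keepalive_stats() {
  awk '
    /^FGFMs: client:send:$/ { state = "send"; code = ""; next }
    /^FGFMs: client:$/      { state = "recv"; code = ""; next }
    state == "send" && /^keepalive$/ {
      if (pending) unanswered++          # previous keepalive never got a reply
      sent++; pending = 1; state = ""
      next
    }
    state == "recv" && /^reply [0-9]+$/ { code = $2; next }
    state == "recv" && /^request=keepalive$/ && code != "" {
      if (pending) { if (code == "200") ok++; else failed++; pending = 0 }
      state = ""; code = ""
      next
    }
    END {
      if (pending) unanswered++
      printf "sent=%d ok=%d failed=%d unanswered=%d\n", sent, ok, failed, unanswered
    }'
}

# Verdict for a cron job or monitoring probe: exit 0 when every keepalive was
# acknowledged with 200, exit 1 otherwise.
fgfm_tunnel_healthy() {
  stats=$(fgfm_keepalive_stats)
  case "$stats" in
    *"failed=0 unanswered=0") return 0 ;;
    *)                         return 1 ;;
  esac
}

# Usage: debug output on stdin, e.g.
#   sample_fgfm | fgfm_keepalive_stats      # prints: sent=3 ok=2 failed=0 unanswered=1
#   sample_fgfm | fgfm_tunnel_healthy || echo "tunnel suspect"
```

<p>Capture a minute or two of <code>diag deb app fgfm 255</code> output to a file and run it through <code>fgfm_keepalive_stats</code>; a healthy tunnel shows <code>failed=0 unanswered=0</code>, while keepalives that are sent but never answered point at the tunnel (or the path on port 541) rather than at the policy install itself.</p>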
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Fortiweb Cookbook: Most Basic Setup - One website, add HTTPS support, Round Robin load balancing between two physical servers, all protections on Alert only, Host header filtration2020-06-16T11:59:25+00:002020-06-16T11:59:25+00:00Yuri Slobodyanyuktag:yurisk.info,2020-06-16:/2020/06/16/fortiweb-cookbook-basic-setup-one-website-add-ssl-protocol-round-robin-load-balancing-alert-only-protection-host-filtration/<p><strong>Task</strong>: Taking the <a href="https://yurisk.info/2020/06/06/fortiweb-cookbook-basic-setup-one-website-http-only-round-robin-load-balancing-alert-only-protection-host-filtration/" target=_blank rel="noopener">basic setup</a> a step further, let's enable the HTTPS protocol between clients and Fortiweb for yurisk.com.</p>
<p><strong>Solution</strong>.</p>
<p><img alt="fortiweb-basic-ssl" src="/assets/fortiweb-basic-ssl.svg"> </p>
<p>Step 1. Create certificate signing request (CSR) to use in issuing the SSL certificate.</p>
<p>I will use an Ubuntu server. It does not have to be the server actually hosting the website yurisk.com, as long as I keep the private key used to generate this CSR file.</p>
<p>Here I create a private key <em>yurisk.com.priv.key</em> and a CSR <em>yurisk.com.request.csr</em>. While you can produce the private key file unencrypted by adding the <code>-nodes</code> option, this is highly discouraged in production: anyone who obtains the key can impersonate the website's SSL certificate.</p>
<div class="highlight"><pre><span></span><code>openssl req -newkey rsa:2048 s -keyout yurisk.com.priv.key -out yurisk.com.request.csr
Generating a RSA private key
................................................+++++
..............................................................................................+++++
writing new private key to <span class="s1">'yurisk.com.priv.key'</span>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter <span class="s1">'.'</span>, the field will be left blank.
-----
Country Name <span class="o">(</span><span class="m">2</span> letter code<span class="o">)</span> <span class="o">[</span>AU<span class="o">]</span>:IL
State or Province Name <span class="o">(</span>full name<span class="o">)</span> <span class="o">[</span>Some-State<span class="o">]</span>:Jerusalem
Locality Name <span class="o">(</span>eg, city<span class="o">)</span> <span class="o">[]</span>:Jerusalem
Organization Name <span class="o">(</span>eg, company<span class="o">)</span> <span class="o">[</span>Internet Widgits Pty Ltd<span class="o">]</span>:Yurisk Ltd
Organizational Unit Name <span class="o">(</span>eg, section<span class="o">)</span> <span class="o">[]</span>:IT
Common Name <span class="o">(</span>e.g. server FQDN or YOUR name<span class="o">)</span> <span class="o">[]</span>:yurisk.com
Email Address <span class="o">[]</span>:yuri@yurisk.com
Please enter the following <span class="s1">'extra'</span> attributes
to be sent with your certificate request
A challenge password <span class="o">[]</span>:
An optional company name <span class="o">[]</span>:
root@ubuntu1:~#
</code></pre></div>
<p>Now I can use <em>yurisk.com.request.csr</em> to issue the SSL certificate. For this lab I used <em>instantssl.com</em> to get a free 30-day certificate, but of course any SSL CA provider will do. Once issued, I downloaded the ready-to-use certificate as a file <em>yurisk_com.crt</em> and can move to step 2.</p>
<p>Step 2. Import the SSL certificate (and any intermediate certificates the CA supplied) into Fortiweb.</p>
<p><strong>System -> Certificates -> Local -> Import ...</strong>. </p>
<p><img alt="fortiweb-basic-setup-ssl-add-certificate" src="/assets/fortiweb-basic-setup-ssl-add-certificate.png"></p>
<p>Here I use the passphrase set when generating the private key earlier on the Ubuntu server.</p>
<p>The result looks like:</p>
<p><img alt="fortiweb-basic-setup-ssl-add-certificate" src="/assets/fortiweb-basic-setup-ssl-add-certificate2.png"> </p>
<p>Step 3. Enable the HTTPS service and set the SSL certificate to use in Server Policy.</p>
<p><strong>Policy -> Server Policy -> Edit ...</strong>.</p>
<p><img alt="fortiweb-basic-setup-ssl-add-server-policy" src="/assets/fortiweb-basic-setup-ssl-add-server-policy.png"></p>
<p><em>NOTE</em>: I did not enable HTTPS or change the configuration of the Apache servers at all. The connection between Fortiweb and the Apache servers stays cleartext on port 80. This is called <em>SSL offloading</em>: all the SSL encryption/decryption is done by the Fortiweb only, taking this work off the physical servers. Keep in mind that the Fortiweb-to-server segment then carries the traffic in cleartext, so that network segment must be trusted.<br>
It is of course possible to enable SSL between Fortiweb and the internal servers as well.</p>
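<p>Steps 1 to 3 as a script, added here as an example that is not part of the original post: it creates the encrypted key and CSR non-interactively with the same DN (plus a subjectAltName, which browsers require), and then runs the checks worth doing on the certificate the CA sends back before importing it into Fortiweb: that it belongs to this private key, that it covers yurisk.com, and that it is not about to expire. Assumptions: openssl 1.1.1 or later is on the PATH; the <code>ca_issues_cert</code> function, which just self-signs the CSR so the script runs offline, stands in for the real CA (instantssl.com in the article); the working directory, file names and the passphrase variable are mine.</p>

```shell
#!/bin/sh
# Added example, not part of the original post: the key/CSR step of the article
# done non-interactively, plus the checks worth running on the certificate the
# CA returns before importing it into Fortiweb.
# Assumptions: openssl (1.1.1 or later) is on the PATH; file names follow the
# article; ca_issues_cert is a stand-in for the real CA (instantssl.com in the
# article) and simply self-signs the CSR so that the script runs offline.
set -e

WORK=${WORK:-$(mktemp -d)}
KEY=$WORK/yurisk.com.priv.key
CSR=$WORK/yurisk.com.request.csr
CRT=$WORK/yurisk_com.crt
PASS=${KEY_PASS:-lab-only-passphrase}   # the "PEM pass phrase" of the article

# Step 1: encrypted 2048-bit RSA key and CSR with the article's DN. A SAN is added
# because browsers ignore the CN and require the host name in subjectAltName.
make_csr() {
  openssl req -new -newkey rsa:2048 -keyout "$KEY" -out "$CSR" -passout "pass:$PASS" \
    -subj "/C=IL/ST=Jerusalem/L=Jerusalem/O=Yurisk Ltd/OU=IT/CN=yurisk.com/emailAddress=yuri@yurisk.com" \
    -addext "subjectAltName=DNS:yurisk.com,DNS:www.yurisk.com" 2>/dev/null
}

# Does the CSR request the given DNS name in its SAN? Check before sending it to the CA.
csr_has_san() {
  openssl req -in "$CSR" -noout -text 2>/dev/null \
    | sed -n '/Subject Alternative Name/{n;p;}' | tr ', ' '\n\n' | grep -qx "DNS:$1"
}

# Stand-in for the CA: self-sign the CSR for 30 days (the article's trial certificate).
# In real life this step is "download yurisk_com.crt from the CA".
ca_issues_cert() {
  openssl x509 -req -in "$CSR" -signkey "$KEY" -passin "pass:$PASS" -days 30 -out "$CRT" 2>/dev/null
}

# Does the certificate belong to our private key? Compare the public key (SPKI) of
# both sides; unlike comparing the RSA modulus this also works for EC keys.
# Usage: key_matches_cert [keyfile] [certfile]
key_matches_cert() {
  kpub=$(openssl pkey -in "${1:-$KEY}" -passin "pass:$PASS" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "${2:-$CRT}" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Does the certificate actually cover the host we are fronting?
cert_covers_host() {
  openssl x509 -in "${2:-$CRT}" -noout -checkhost "$1" 2>/dev/null | grep -q ' does match '
}

# Will the certificate still be valid in N days? (A 30-day trial cert runs out fast.)
cert_valid_for_days() {
  openssl x509 -in "${2:-$CRT}" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

main() {
  make_csr
  csr_has_san yurisk.com       || { echo "CSR lacks a SAN for yurisk.com" >&2; return 1; }
  ca_issues_cert               # replace with the yurisk_com.crt you downloaded from the CA
  key_matches_cert             || { echo "$CRT does not match $KEY" >&2; return 1; }
  cert_covers_host yurisk.com  || { echo "$CRT does not cover yurisk.com" >&2; return 1; }
  cert_valid_for_days 7        || { echo "$CRT expires within a week" >&2; return 1; }
  echo "OK: import $CRT (with $KEY and its passphrase) into Fortiweb"
}

main
```

<p>If the CA also supplied intermediate certificates, verify the chain with <code>openssl verify -untrusted intermediates.pem yurisk_com.crt</code> before importing, and import the intermediates into Fortiweb together with the server certificate; a missing intermediate is a frequent reason why a freshly imported certificate fails validation in browsers even though the Fortiweb GUI shows it as fine.</p>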
<h3>Verify</h3>
<p>For verification, let's open https://yurisk.com. Also, to make sure the policy only alerts on attacks rather than blocking them, I will run <code>dirbuster</code> against the website.</p>
<video width="1920" height="1080" style="max-width:100%; height:auto;" controls>
<source src="/assets/Fortiweb-basic-setup-SSL.mp4" type="video/mp4">
Your browser does not support the video tag.
</video>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Fortiweb Cookbook: Basic setup - adding web site access authentication with local and remote (LDAP) users2020-06-14T10:59:25+00:002020-06-14T10:59:25+00:00Yuri Slobodyanyuktag:yurisk.info,2020-06-14:/2020/06/14/fortiweb-cookbook-basic-setup-user-authentication/<p><strong>Task</strong>: Continuing the <a href="https://yurisk.info/2020/06/06/fortiweb-cookbook-basic-setup-one-website-http-only-round-robin-load-balancing-alert-only-protection-host-filtration/">Basic setup</a>, we want to protect access to some pages, namely the root document "/" and "/treasure", with a username and password.
For this we want two kinds of users: local ones created on the Fortiweb, and remote ones residing in the company's Active Directory. Even though it is insecure (the password is sent in clear text), we will use Basic HTTP Authentication for now, because in the next episode we will enable HTTPS.</p>
<p><em>NOTE</em>: Fortinet calls this "authentication offloading", meaning it is intended for a web site that does not have its own authentication. </p>
<p><strong>Solution</strong>: </p>
<p><img alt="fortiweb-basic-authentication" src="/assets/fortiweb-basic-authentication.svg"></p>
<p><strong>Step 1</strong>. Let's create local user "Joe Doe" with username <em>joedoe</em>.<br>
<strong>User -> Local User -> Create New ..</strong></p>
<p><img alt="fortiweb basic setup authentication local user" src="/assets/fortiweb-basic-setup-authentication-local-user.png"></p>
<p>Additionally (not shown here), I create user "John Silver" with account <code>johns</code> to be allowed access to <code>/treasure</code> part of the website.</p>
<p><strong>Step 2</strong>. Create a Remote Authentication Server to authenticate AD users. <br>
Fortiweb can work with an AD/LDAP server over the clear text LDAP protocol, which sends usernames/passwords in CLEAR TEXT and is therefore not recommended, or it can communicate securely using either the STARTTLS or the LDAPS protocol. STARTTLS (port 389, encryption built-in) is newer, but the LDAP functionality is the same as with LDAPS (port 636, the usual LDAP protocol wrapped in SSL). I will be using LDAPS here. For encrypted communication to work, Fortiweb has to have the SSL certificate of the AD Domain Controller against which it tries to authenticate users. So the first step is to import the AD DC certificate into Fortiweb.</p>
<p>I will be using local/file importing <em>AD-CA-cert.cer</em>.</p>
<p><img alt="fortiweb-basic-setup-authentication-import-CA-certificate" src="/assets/fortiweb-basic-setup-authentication-import-CA-certificate.png"> </p>
<p>The result should look like:</p>
<p><img alt="fortiweb-basic-setup-authentication-import-CA-certificate-result.png" src="/assets/fortiweb-basic-setup-authentication-import-CA-certificate-result.png"> </p>
<p>Here, after importing <em>AD-CA-cert.cer</em>, Fortiweb renamed it to <em>CA_Cert_1</em>. </p>
<p>Now we can create and configure Remote Server: <strong>User -> Remote Server -> LDAP Server -> Create New</strong>.</p>
<p><img alt="fortiweb-basic-setup-authentication-create-remote-server" src="/assets/fortiweb-basic-setup-authentication-create-remote-server.png"></p>
<p>Here:<br>
<code>192.168.13.82</code> - Active Directory Domain Controller.<br>
<code>636</code> - port of communication for LDAPS.<br>
<code>cn</code> - Common Name Identifier. This setting defines how users will authenticate themselves, i.e. how they will enter their usernames. The options are:<br>
- <code>cn</code> Use full name as set in AD, e.g. "Tara Addison".<br>
- <code>samaccountname</code> Use account login, e.g. "tara".<br>
- <code>userprincipalname</code> Use account login name + domain, e.g. "tara@nse8.com"</p>
<p><em>Bind Type</em> - almost always use Regular here, as others are fringe cases.<br>
<em>User DN</em> - username to bind with Active Directory. It is a prevalent opinion that you have to use AD Administrator or equivalent permissions here, but it is not correct - any user which can query the AD tree can be used here. I am using <code>ldap-user</code> that is a regular user created in built-in <em>Users</em> tree. <br>
<em>Password</em> - password of the binding user.<br>
<em>Filter</em> - Additional means of limiting who can authenticate. This filter sets specific groups/objects that can be found by this Remote Server object. </p>
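<p>To make the <em>Common Name Identifier</em> and <em>Filter</em> settings concrete, here is an added Python example (mine, not Fortiweb's code or the original post's) of what a remote-server user lookup does with them: the login the user types is combined with the chosen identifier into an LDAP search filter, ANDed with the admin-configured Filter, and the login value is escaped per RFC 4515 so it can only ever match as a literal. The group DN and the realm <code>nse8.com</code> are constructed sample values; the shape checks in <code>login_matches_identifier</code> are a simplification of my own, not a Fortiweb rule.</p>

```python
import re

# Constructed illustration, not Fortiweb's own code: what a remote-server
# user lookup does with the "Common Name Identifier" and "Filter" settings.

CN_IDENTIFIERS = ("cn", "samaccountname", "userprincipalname")


def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters as \\XX hex sequences, so user
    input such as '*' or ')(objectClass=*' cannot change the filter's shape."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(cn_identifier, login, extra_filter=None):
    """Return the LDAP search filter that finds the entry for `login`.

    `extra_filter` plays the role of the Filter field of the Remote Server
    object (for example a memberOf restriction); it is ANDed with the user
    match, so only entries satisfying both are found and can authenticate."""
    ident = cn_identifier.lower()
    if ident not in CN_IDENTIFIERS:
        raise ValueError(f"unsupported Common Name Identifier: {cn_identifier}")
    user_part = f"({ident}={ldap_escape(login)})"
    return f"(&{user_part}{extra_filter})" if extra_filter else user_part


def login_matches_identifier(cn_identifier, login):
    """Cheap sanity check (my simplification) that the entered login has the
    shape the chosen identifier expects, so an obvious mismatch such as
    'tara@nse8.com' against samaccountname is caught before any LDAP round trip."""
    ident = cn_identifier.lower()
    if ident == "userprincipalname":                       # "tara@nse8.com"
        return re.fullmatch(r"[^@\s]+@[^@\s]+", login) is not None
    if ident == "samaccountname":                          # "tara", no domain part
        return re.fullmatch(r"[^@\s\\/]{1,20}", login) is not None
    return len(login.strip()) > 0                          # cn: "Tara Addison"


if __name__ == "__main__":
    group = "(memberOf=CN=WebUsers,CN=Users,DC=nse8,DC=com)"   # constructed sample DN
    print(build_user_filter("samaccountname", "tara", group))
    print(build_user_filter("cn", "tara)(objectClass=*"))
```

<p>The second print shows the escaped form <code>(cn=tara\29\28objectClass=\2a)</code>: the parentheses and asterisk are literal characters in the assertion value, not filter syntax. Libraries such as <code>ldap3</code> provide the same escaping (<code>ldap3.utils.conv.escape_filter_chars</code>), which is what you should use in real code rather than hand-rolling it.</p>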
<p><strong>Step 3</strong>. Next, we create a User Group to include the users that will be able to authenticate. Unlike Fortigate, Fortiweb allows putting any type of user in the same group. But... if some user type is not compatible with the authentication type, those users will be ignored and will fail to authenticate. E.g. for <em>Digest</em> authentication, which is more secure than <em>Basic</em> as it doesn't send the password in clear text, only LOCAL users are supported. So, if you add Remote users and Local users to the same User Group whose authentication type is Digest, local users will work but Remote ones will not. Also, Fortiweb does not give you any error about that when configuring. </p>
<p>In this scenario with Basic authentication it works for any type of user, so we add both the local user and the Remote Server users to the same group: <strong>User -> User Group -> Create New ... Auth Type: Basic</strong>. </p>
<p><img alt="fortiweb-basic-setup-authentication-user-group1" src="/assets/fortiweb-basic-setup-authentication-user-group1.png"></p>
<p><img alt="fortiweb-basic-setup-authentication-user-group2" src="/assets/fortiweb-basic-setup-authentication-user-group2.png"></p>
<p>Also, I create User Group "Crew" with the only member being "John Silver".</p>
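<p>The Basic-versus-Digest point above is easy to see in code. The following is an added Python example of mine (not from the original post and not Fortiweb code): it decodes a constructed <code>Authorization: Basic</code> header to show the password is recoverable by anyone who sees the cleartext request, and computes and verifies an RFC 2617 Digest response, where only hashes cross the wire. The username <code>joedoe</code> is from the post; the password, realm and nonce are made-up sample values.</p>

```python
import base64
import hashlib
import hmac

# Constructed sample: the header a browser sends for the local user "joedoe"
# with the made-up password "s3cret" after a Basic challenge.
BASIC_HEADER = "Authorization: Basic " + base64.b64encode(b"joedoe:s3cret").decode()


def credentials_from_basic(header_line):
    """Recover (username, password) from an 'Authorization: Basic ...' header.

    Basic only base64-encodes "user:password"; anyone who can read the
    cleartext HTTP request gets the password back with one decode. That is
    why the post defers Basic auth until HTTPS is enabled in the next episode."""
    _name, _, value = header_line.partition(":")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    # The username cannot contain ':' so the first colon is the separator.
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest response (MD5, no qop): what the client sends instead of
    the password. HA1 covers the password, HA2 the request, and the server
    nonce ties the result to this particular challenge."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def digest_verify(username, realm, stored_password, method, uri, nonce, response):
    """Server side: recompute from the stored password and compare in constant
    time. The verifier needs the password (or HA1) itself, which an LDAP bind
    against a remote server never reveals; that is why Digest works for local
    users only, as described above."""
    expected = digest_response(username, realm, stored_password, method, uri, nonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    print(credentials_from_basic(BASIC_HEADER))
    resp = digest_response("joedoe", "yurisk-realm", "s3cret", "GET", "/treasure", "d3adb33f")
    print(resp, digest_verify("joedoe", "yurisk-realm", "s3cret", "GET", "/treasure", "d3adb33f", resp))
```

<p>Note that Digest still relies on MD5 and protects only the password, not the page content; it is a stopgap compared with Basic over HTTPS, which is where the cookbook is heading.</p>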
<p><strong>Step 4</strong>. Create Authentication Rules to define when Fortiweb is going to require users to authenticate.</p>
<p><img alt="fortiweb-basic-setup-authentication-authenticaiton-rule1.png" src="/assets/fortiweb-basic-setup-authentication-authenticaiton-rule1.png"> </p>
<p>Here:<br>
<em>User Group</em> - the User Group created earlier.<br>
<em>User Realm</em> - Fortiweb requires us to set it, even if it is not used for anything later.<br>
<em>Auth Path</em> - the URL which, when accessed by a user, triggers Fortiweb to ask for username/password. This URL has to be an EXACT match - no wildcards or regexes are understood. I create 2 Authentication Rules here for 2 different server locations: "/" and "/treasure".</p>
<p>I do the same for the 2nd rule, for John Silver's access to the <code>/treasure</code> part of the website.<br>
The resulting 2 rules should look like: </p>
<p><img alt="fortiweb-basic-setup-authentication-authenticaiton-rule2" src="/assets/fortiweb-basic-setup-authentication-authenticaiton-rule2.png"></p>
<p><strong>Step 5</strong>. Combine the 2 rules created before into a policy. No surprises here, just pick the Authentication Rules I created and set Alert Type to "All" to log both successful and failed authentications. </p>
<p><img alt="fortiweb-basic-setup-authentication-authenticaiton-rule3" src="/assets/fortiweb-basic-setup-authentication-authenticaiton-rule3.png"></p>
<p><strong>Step 6</strong>. I create a new Web Protection Profile by first cloning the Alert Only one (as you cannot change pre-built profiles) and then adding only the authentication policy to it: <strong>Policy -> Web Protection Profile -> Inline Protection Profile -> Clone ...</strong>. </p>
<p>I will name the new policy <em>Custom-Alert-Only</em>, and add the Authentication Policy <em>auth-pol-yurisk-com</em>. </p>
<p><img alt="fortiweb-basic-setup-authentication-web-protection-profile" src="/assets/fortiweb-basic-setup-authentication-web-protection-profile.png"></p>
<p><strong>Step 7</strong>. Finally, I will set the Web Protection Profile in the Server Policy <em>srv-policy-yurisk-com</em>: <strong>Policy -> Server Policy -> Edit ...</strong></p>
<p><img alt="fortiweb-basic-setup-authentication-server-policy" src="/assets/fortiweb-basic-setup-authentication-server-policy.png"></p>
<h3>Verification</h3>
<p>For verification let's enter the website: </p>
<video width="1920" height="1080" style="max-width:100%; height:auto;" controls>
<source src="/assets/Fortiweb-basic-setup-authentication-verification.mp4" type="video/mp4">
Your browser does not support the video tag.
</video>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Fortigate Local in Policy what it does and how to change/configure it2020-06-07T14:56:12+00:002020-07-03T18:34:00+02:00Yuri Slobodyanyuktag:yurisk.info,2020-06-07:/2020/06/07/fortigate-local-in-policy/<p>Fortigate comes with some services allowed in the incoming direction, even without any configuration done by you. Important to note is that in such pre-configured security rules the destination is mostly the Fortigate itself, sometimes its specific interfaces, sometimes all of the interfaces. That is, this does not allow access through the firewall to the internal nets. Anyway, especially in penetration testing audits, these ports show up as open/closed/filtered and auditors complain, asking to close them. Here is how to do so. </p>
<p>Another use case is when you actually want to allow only specific IPs to communicate with Fortigate. This is the only way, for example, to allow only specific IPs to initiate IPSec IKE negotiations (ports UDP 500 and 4500). </p>
<p>You make the default Local In policy visible in the GUI by going to <strong>System -> Feature Visibility -> Local In Policy</strong>.</p>
<p>Even then, you can only view the policy in the GUI; changing it is possible only in the CLI.</p>
<p><strong>NOTE</strong>: In the GUI we can only see the <strong>default</strong> rules, managed automatically by enabling/disabling services. We will NOT see there the custom rules we create in the CLI! It may confuse you when you configure rules in the CLI and then cannot find them in the GUI - this is expected (bug or feature, decide for yourself) behaviour.</p>
<p>This is how the default policy looks (I only configured admin access via SSH/HTTPS, the rest of the config is pristine): </p>
<p><strong>Policy & Objects -> Local In Policy</strong>.</p>
<p><img alt="fortigate-local-in-policy-rules" src="/assets/fortigate-local-in-policy-rules.png"></p>
<p><em>Other</em> ports open and their meaning: </p>
<table class="w3-table w3-striped w3-border">
<tr class="w3-green">
<th>Port</th>
<th>Description</th>
</tr>
<tr>
<td><b>1144</b></td>
<td>(Undocumented) Allows AeroScout to communicate with FortiAPs. "The AeroScout suite of products provides Enterprise Visibility Solutions using Wi-Fi wireless networks as an infrastructure." More details: <a href="https://community.fortinet.com/t5/Wireless-Controller/Meru-Technical-Note-Aeroscoute-related-AP-commands-for/ta-p/194873" target="_blank" rel="noopener">AeroScout – Meru Interop - Fortinet Knowledge Base</a></td>
</tr>
<tr>
<td><b>3799</b></td>
<td>(Undocumented) Radius Dynamic Authorization/Change of Authorization communication. For more details see <code>radius-coa {enable | disable}</code> in the CLI reference.</td>
</tr>
<tr>
<td><b>2000</b></td>
<td>Cisco Skinny Client protocol for IP Phones to communicate with Call Manager</td>
</tr>
<tr>
<td><b>8014</b></td>
<td>Uploading logs and diagnostics to EMS server, see <a href="https://docs.fortinet.com/document/fortigate/6.0.0/fortinet-communication-ports-and-protocols/250063/forticlient-open-ports" target="_blank" rel="noopener">Fortinet Communication Ports and Protocols</a></td>
</tr>
</table>
<p>To see the ports open on the Fortigate itself and the connections to/from it:</p>
<h3>diagnose ip tcp list</h3>
<div class="highlight"><pre><span></span><code>diagnose ip tcp list
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
<span class="m">0</span>: <span class="m">00000000</span>:28A0 <span class="m">00000000</span>:0000 0A <span class="m">00000000</span>:00000000 <span class="m">00</span>:00000000 <span class="m">00000000</span> <span class="m">0</span> <span class="m">0</span> <span class="m">14035</span> <span class="m">2</span> ffff88001f77a080 <span class="m">100</span> <span class="m">0</span> <span class="m">0</span> <span class="m">10</span> -1 <span class="m">0</span>:0/0:0/0:0 <span class="m">0</span>
<span class="m">1</span>: <span class="m">00000000</span>:1E82 <span class="m">00000000</span>:0000 0A <span class="m">00000000</span>:00000000 <span class="m">00</span>:00000000 <span class="m">00000000</span> <span class="m">0</span> <span class="m">0</span> <span class="m">14064</span> <span class="m">2</span> ffff8800186d5980 <span class="m">100</span> <span class="m">0</span> <span class="m">0</span> <span class="m">10</span> -1 <span class="m">0</span>:0/0:0/0:0 <span class="m">0</span>
<span class="p">|</span>--- <span class="nb">local</span> open port <span class="k">in</span> hex <span class="o">(</span> <span class="nv">1E82</span> <span class="o">=</span> <span class="m">7810</span> <span class="o">)</span>
....
</code></pre></div>
<p>And for UDP: </p>
<h3>diagnose ip udp list</h3>
<div class="highlight"><pre><span></span><code> sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops
<span class="m">2</span>: <span class="m">00000000</span>:0202 <span class="m">00000000</span>:0000 <span class="m">07</span> <span class="m">00000000</span>:00000000 <span class="m">00</span>:00000000 <span class="m">00000000</span> <span class="m">0</span> <span class="m">0</span> <span class="m">13933</span> <span class="m">3</span> ffff88001ab720c0 <span class="m">0</span> <span class="m">1</span>:0/1:0/0:0 <span class="m">0</span>
<span class="m">2</span>: <span class="m">00000000</span>:0202 <span class="m">00000000</span>:0000 <span class="m">07</span> <span class="m">00000000</span>:00000000 <span class="m">00</span>:00000000 <span class="m">00000000</span> <span class="m">0</span> <span class="m">0</span> <span class="m">13291</span> <span class="m">3</span> ffff88001ab72740 <span class="m">0</span> <span class="m">1</span>:0/1:0/0:0 <span class="m">0</span>
<span class="p">|</span>---this is <span class="nb">local</span> open port on Fortigate <span class="k">in</span> hex <span class="o">(</span><span class="nv">0202</span> <span class="o">=</span> <span class="m">514</span><span class="o">)</span>
....
</code></pre></div>
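<p>Reading the hex ports and states by hand gets old quickly, so here is an added Python example of mine (not from the original post or from Fortinet) that parses this output. The columns are those of Linux <code>/proc/net/tcp</code> and <code>/proc/net/udp</code>, which is what FortiOS prints here: the local/remote address is a little-endian 32-bit hex value, the port is big-endian hex, and the state byte uses the Linux TCP state numbers (<code>0A</code> = LISTEN). The sample lines are constructed to match the output above; the third TCP line, an established SSH session from 192.168.13.17, is my own addition so the parser has a non-listening socket to classify.</p>

```python
import ipaddress

# Sample output constructed to match the format shown above. Trailing columns
# vary by kernel version, so only the first four fields are used.
TCP_SAMPLE = """\
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: 00000000:28A0 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 14035 2 ffff88001f77a080 100 0 0 10 -1
1: 00000000:1E82 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 14064 2 ffff8800186d5980 100 0 0 10 -1
2: 5B0DA8C0:0016 110DA8C0:D4B2 01 00000000:00000000 00:00000000 00000000 0 0 15001 1 ffff88001f77b000 20 4 30 10 -1
"""
UDP_SAMPLE = """\
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops
2: 00000000:0202 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 13933 3 ffff88001ab720c0 0
"""

# Linux TCP state codes as printed in the "st" column.
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}


def decode_endpoint(field):
    """'00000000:1E82' -> ('0.0.0.0', 7810).

    The address is a 32-bit value in host (little-endian) byte order written as
    hex, so 0100007F is 127.0.0.1; the port is plain hex, so 1E82 is 7810."""
    ip_hex, port_hex = field.split(":")
    ip_int = int.from_bytes(bytes.fromhex(ip_hex), "little")
    return str(ipaddress.IPv4Address(ip_int)), int(port_hex, 16)


def parse_socket_list(text, proto):
    """Parse 'diagnose ip tcp list' / 'diagnose ip udp list' output into dicts."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with the slot number and a colon ("0:"); the header
        # line and annotation lines such as "|--- ..." do not.
        if len(parts) < 4 or not parts[0].endswith(":") or not parts[0][:-1].isdigit():
            continue
        local, remote = decode_endpoint(parts[1]), decode_endpoint(parts[2])
        st = int(parts[3], 16)
        if proto == "tcp":
            state = TCP_STATES.get(st, f"UNKNOWN({st:#04x})")
            listening = st == 0x0A
        else:
            # UDP has no connection state: the kernel reports 07 (CLOSE) for a
            # bound, unconnected socket, which is what a listening service looks like.
            state = "UNCONNECTED" if st == 0x07 else TCP_STATES.get(st, f"UNKNOWN({st:#04x})")
            listening = st == 0x07
        sockets.append({"proto": proto, "local": local, "remote": remote,
                        "state": state, "listening": listening})
    return sockets


def listening_ports(text, proto):
    """Sorted (ip, port) pairs the device listens on, with decimal ports."""
    return sorted({s["local"] for s in parse_socket_list(text, proto) if s["listening"]})


def established_peers(text):
    """Remote (ip, port) pairs holding an ESTABLISHED TCP session to the device."""
    return sorted(s["remote"] for s in parse_socket_list(text, "tcp") if s["state"] == "ESTABLISHED")


if __name__ == "__main__":
    print("tcp listening:", listening_ports(TCP_SAMPLE, "tcp"))
    print("udp listening:", listening_ports(UDP_SAMPLE, "udp"))
    print("tcp peers:", established_peers(TCP_SAMPLE))
```

<p>Comparing <code>listening_ports()</code> output taken before and after a Local In Policy change is a quick way to confirm which listeners are exposed; the policy does not close the socket, so the port still appears here even when the policy drops traffic to it, which is exactly what the filtered results in the scans below show.</p>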
<p>Now to the next important question - <strong>How do I disable these listening ports?</strong><br>
You have two ways to do so: disable the services listening on these ports, which unfortunately does not always work, or change the Local In Policy, which always works.<br>
Fortinet recommends trying to disable some of the services that use these open ports (not all services can be disabled completely); for example, to close ports <em>5060</em> for SIP and <em>2000</em> for Skinny, they give us:</p>
<div class="highlight"><pre><span></span><code><span class="nv">config</span><span class="w"> </span><span class="nv">system</span><span class="w"> </span><span class="nv">settings</span><span class="w"></span>
<span class="nv">set</span><span class="w"> </span><span class="nv">default</span><span class="o">-</span><span class="nv">voip</span><span class="o">-</span><span class="nv">alg</span><span class="o">-</span><span class="nv">mode</span><span class="w"> </span><span class="nv">kernel</span><span class="o">-</span><span class="nv">helper</span><span class="o">-</span><span class="nv">based</span><span class="w"></span>
<span class="k">end</span><span class="w"></span>
</code></pre></div>
<p>But first, disabling the VOIP helpers affects ALL VOIP communications, when you might want to leave them open for the legitimate voice traffic. Second, they do not always work, depending on the firmware version and who knows what other conditions. </p>
<p>I, instead, prefer to edit the Local In security policy and block the open ports or restrict them to specific IPs. It always works and has predictable results.</p>
<p>For example, I will block all incoming traffic from the Kali Linux host 192.168.13.17 to the Fortigate at 192.168.13.91.</p>
<div class="highlight"><pre><span></span><code>config firewall address
edit <span class="s2">"Kali_192.168.13.17"</span>
<span class="nb">set</span> color <span class="m">13</span>
<span class="nb">set</span> subnet <span class="m">192</span>.168.13.17 <span class="m">255</span>.255.255.255
next
config firewall local-in-policy
edit <span class="m">1</span>
<span class="nb">set</span> intf <span class="s2">"port1"</span>
<span class="nb">set</span> srcaddr <span class="s2">"Kali_192.168.13.17"</span>
<span class="nb">set</span> dstaddr <span class="s2">"all"</span>
<span class="nb">set</span> service <span class="s2">"ALL"</span>
<span class="nb">set</span> schedule <span class="s2">"always"</span>
next
end
</code></pre></div>
<p>Let's see the difference. </p>
<p>BEFORE:</p>
<div class="highlight"><pre><span></span><code>root@kali:~# nmap -sS -T <span class="m">5</span> <span class="m">192</span>.168.13.91
Starting Nmap <span class="m">7</span>.80 <span class="o">(</span> https://nmap.org <span class="o">)</span> at <span class="m">2020</span>-06-07 <span class="m">06</span>:08 EDT
Nmap scan report <span class="k">for</span> <span class="m">192</span>.168.13.91
Host is up <span class="o">(</span><span class="m">0</span>.00026s latency<span class="o">)</span>.
Not shown: <span class="m">995</span> filtered ports
PORT STATE SERVICE
<span class="m">22</span>/tcp open ssh
<span class="m">80</span>/tcp open http
<span class="m">113</span>/tcp closed ident
<span class="m">443</span>/tcp open https
<span class="m">541</span>/tcp open uucp-rlogin
root@kali:~# nmap -sU -T <span class="m">5</span> <span class="m">192</span>.168.13.91
Starting Nmap <span class="m">7</span>.80 <span class="o">(</span> https://nmap.org <span class="o">)</span> at <span class="m">2020</span>-06-07 <span class="m">06</span>:08 EDT
Nmap scan report <span class="k">for</span> <span class="m">192</span>.168.13.91
Host is up <span class="o">(</span><span class="m">0</span>.00094s latency<span class="o">)</span>.
Not shown: <span class="m">996</span> open<span class="p">|</span>filtered ports
PORT STATE SERVICE
<span class="m">500</span>/udp closed isakmp
<span class="m">520</span>/udp closed route
<span class="m">2000</span>/udp closed cisco-sccp
<span class="m">4500</span>/udp closed nat-t-ike
</code></pre></div>
<p>AFTER:</p>
<div class="highlight"><pre><span></span><code>root@kali:~# nmap -sS -T <span class="m">5</span> <span class="m">192</span>.168.13.91
Starting Nmap <span class="m">7</span>.80 <span class="o">(</span> https://nmap.org <span class="o">)</span> at <span class="m">2020</span>-06-07 <span class="m">06</span>:12 EDT
Nmap scan report <span class="k">for</span> <span class="m">192</span>.168.13.91
Host is up <span class="o">(</span><span class="m">0</span>.00027s latency<span class="o">)</span>.
Not shown: <span class="m">999</span> filtered ports
PORT STATE SERVICE
<span class="m">113</span>/tcp closed ident
root@kali:~# nmap -sU -T <span class="m">5</span> <span class="m">192</span>.168.13.91
Starting Nmap <span class="m">7</span>.80 <span class="o">(</span> https://nmap.org <span class="o">)</span> at <span class="m">2020</span>-06-07 <span class="m">06</span>:12 EDT
Nmap scan report <span class="k">for</span> <span class="m">192</span>.168.13.91
Host is up <span class="o">(</span><span class="m">0</span>.00042s latency<span class="o">)</span>.
All <span class="m">1000</span> scanned ports on <span class="m">192</span>.168.13.91 are open<span class="p">|</span>filtered
</code></pre></div>
<h3>Additional Resources</h3>
<ul>
<li><a href="https://yurisk.info/2022/07/04/fortigate-local-in-policy-configuration-examples-for-vpn-ipsec-vpn-ssl-bgp-and-more/">Fortigate Local-in policy configuration examples for VPN IPSec, VPN SSL, BGP and more</a></li>
<li><a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc">Local-in Policy and other debug commands cheat sheet</a></li>
<li><a href="https://community.fortinet.com/t5/Support-Forum/Show-custom-local-in-policies-in-FortiGate-WebUI/m-p/256298">Javascript bookmarklet to show Local-in Policy inside GUI</a></li>
</ul>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Fortiweb Cookbook: Most Basic Setup - One website, HTTP only, Round Robin load balancing between two physical servers, all protections on Alert only, Host header filtration2020-06-06T11:59:25+00:002020-06-06T11:59:25+00:00Yuri Slobodyanyuktag:yurisk.info,2020-06-06:/2020/06/06/fortiweb-cookbook-basic-setup-one-website-http-only-round-robin-load-balancing-alert-only-protection-host-filtration/<p><strong>Task</strong>: publish website <em>yurisk.com</em>, hosted on 2 physical servers: <em>server1</em> (10.10.10.13) and <em>server2</em> (10.10.10.14). The site should be available on HTTP only, no HTTPS. Apply preconfigured protection <em>Inline Alert Only</em>. The website's IP address visible to clients is 192.168.13.92. </p>
<p><strong>Solution</strong>. </p>
<p>Configuration flow: </p>
<p><img alt="fortiweb-basic-setup" src="/assets/fortiweb-basic-setup.svg"> </p>
<p>Step 1: Create Virtual IP on which Fortiweb will listen for incoming HTTP connections.
<strong>Network -> Virtual IP -> Create ...</strong>. For the name I use <em>VIP-yurisk-com</em>, IP is 192.168.13.92, and the interface via which this IP is reachable is <em>port1</em>. <br>
<em>NOTE</em>: some objects in Fortiweb do not allow dots in their names, so, to be consistent, I am using dashes where a dot would normally go. Also, you cannot change the name of any created object later - to change the name, you have to delete this object and re-create from scratch.</p>
<p><img alt="fortiweb basic setup create virtual ip" src="/assets/fortiweb-basic-setup-create-virtual-ip.png"></p>
<p>Step 2: Use the VIP in creating new <em>Virtual Server</em>. </p>
<p><strong>Server Objects -> Server -> Virtual Server -> New ..</strong> </p>
<p><img alt="fortiweb basic setup create virtual server" src="/assets/fortiweb-basic-setup-create-virtual-server.png"></p>
<p>Step 3: (Optional, but recommended) Create <em>Protected Hostnames</em> so that all the protections are applied only to HTTP requests with valid Host headers, namely <em>yurisk.com</em> and <em>www.yurisk.com</em>. Any other (and therefore invalid) requests will be dropped. This configuration is optional but recommended as it saves Fortiweb resources. All the protections/checks are applied in order, and checking the <code>Host:</code> header is done very early in the processing. This way many requests made by bots/crawlers/scanners which try to brute force available virtual hosts on the web servers will be blocked before Fortiweb applies additional protections to them.</p>
<p><strong>Server Objects -> Protected Hostnames -> Create New ...</strong>.
<strong>Default Action: Deny</strong>. This means requests whose <code>Host:</code> header does not match any of the hostnames listed below are dropped. If, on the other hand, we wanted to block some hosts but allow others, we would set Default Action to Accept, and then would set Accept or Deny on each hostname configured.</p>
<p><img alt="fortiweb basic setup create protected hostnames" src="/assets/fortiweb-basic-setup-create-protected-hostnames.png"> </p>
<p>Step 4: Create a Server Pool to represent our 2 physical servers: <strong>Server Objects -> Server Pool -> Create New...</strong>. For this type of setup (HTTP servers), we'll use <em>Create HTTP Server Pool</em> as opposed to <em>ADFS or FTP</em>. Regarding the Type - as this Fortiweb is operating in Reverse Proxy mode (used in probably 90% of all installations and the most feature-rich), the server pool has to be of Reverse type as well. <br>
Single Server vs Server Balance: I prefer to use <em>Server Balance</em> even if the pool actually has just one member server. This is for the case that additional servers are added later.</p>
<p>Server Health Check: I'll be using preconfigured one <em>HLTHCK_HTTP</em> which checks that the physical server is responding for the website requests. </p>
<p>Load Balancing Algorithm: <em>Round Robin</em>. </p>
<p>Persistence: <em>None</em>, as I haven't created Persistence Policy. </p>
<p><img alt="fortiweb basic setup create server pool" src="/assets/fortiweb-basic-setup-create-server-pool-1.png"></p>
<p><em>NOTE</em>: If the object configuration is multi-step, as here, you have to do the 1st step, click OK, and only then will it let you continue to step 2.</p>
<p>Create New: After saving the work done above, we can create 2 physical servers with their real IP addresses (10.10.10.13 and 10.10.10.14), state (Enabled/Disabled/Maintenance), listening port (80), Health Check Domain Name - I set it to <em>yurisk.com</em>, and leave the rest with defaults. </p>
<p>Create physical server: </p>
<p><img alt="fortiweb basic setup create server pool" src="/assets/fortiweb-basic-setup-create-server-pool-2.png"></p>
<p>The final result should look like this: </p>
<p><img alt="fortiweb basic setup create server pool" src="/assets/fortiweb-basic-setup-create-server-pool-3.png"> </p>
<p>Step 5: Use all the created so far to create a <em>Server Policy</em>. </p>
<p><strong>Policy -> Server Policy -> Create New -> Create HTTP Policy...</strong> </p>
<p>Deployment Mode: <em>Single Server/Server Pool</em> (<em>Content Routing</em> is used to route clients based on any of multiple HTTP parameters; you can look at an example here: <a href="https://yurisk.info/2020/03/05/fortiweb-cookbook-content-routing-based-on-url-in-request-configuration/" target="_blank" rel="noopener">Fortiweb Cookbook: content routing based on URL configuration example</a>). </p>
<p>Virtual Server: <em>vsrv-yurisk-com</em> </p>
<p>Server Pool: <em>srv-pool-yurisk-com</em> </p>
<p>Protected Hostnames: <em>hostnames-yurisk-com</em></p>
<p>HTTP Service: <em>HTTP</em> (If we wanted the Fortiweb to listen on a custom port, say 3123, we would first create such a custom service and then put it in place of the built-in HTTP).</p>
<p>Web Protection Profile: <em>Inline Alert Only</em></p>
<p><img alt="fortiweb basic setup create server policy" src="/assets/fortiweb-basic-setup-create-server-policypng.png"></p>
<p><em>NOTE</em>: In Reverse Proxy mode of operation, which is our case, without a Server Policy allowing the traffic, all requests to the physical web servers would be blocked.</p>
<h2>Verification</h2>
<p>Let's browse to the website yurisk.com to see if it works. Pay attention as I press F5 to refresh, I reach each time the other server in the server pool due to the Round Robin balancing method we set earlier:</p>
<p>Note: This video has no sound.</p>
<video width="1920" height="1080" style="max-width:100%; height:auto;" controls>
<source src="/assets/Fortiweb-basic-setup-verify-works.mp4" type="video/mp4">
Your browser does not support the video tag.
</video>
<p>Now let's try to reach a domain that does not exist on those servers. I will try to reach the web site by IP only - 192.168.13.92. Without the <em>Protected Hostnames</em> setting it would work, as a default Apache install answers for all unknown domains as well. But Fortiweb blocks this attempt:</p>
<p>Note: This video has no sound.</p>
<video width="1920" height="1080" style="max-width:100%; height:auto;" controls>
<source src="/assets/Fortiweb-basic-setup-block-by-host.mp4" type="video/mp4">
Your browser does not support the video tag.
</video>
<p>Regarding health checks of the servers in a pool - here is a tcpdump on the physical server side showing how such checks look:</p>
<div class="highlight"><pre><span></span><code><span class="gp">root@ubuntu1:~# </span>tcpdump -n -c <span class="m">5</span> -vv -i any port <span class="m">80</span>
<span class="go"> 10.10.10.74.33230 > 10.10.10.13.80: Flags [P.], cksum 0x8f39 (correct), seq 1:175, ack 1, win 8030, length 174: HTTP, length: 174</span>
<span class="go"> HEAD / HTTP/1.1</span>
<span class="go"> Accept: */*</span>
<span class="go"> Accept-Language: en</span>
<span class="go"> Content-Type: text/html</span>
<span class="go"> Host: yurisk.com</span>
<span class="go"> User-Agent: HealthCheck</span>
<span class="go"> Server-pool: srv-pool-yurisk-com</span>
<span class="go"> Connection: close</span>
</code></pre></div>
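<p>The Host header decision from Step 3 and the health-check request just captured are small enough to model together. This is an added Python example of mine, not Fortiweb's code and not from the original post: it parses a raw HTTP/1.1 request, applies a <em>Protected Hostnames</em> object with <em>Default Action: Deny</em> built from the <code>hostnames-yurisk-com</code> configuration, and recognises the pool health check by the markers visible in the tcpdump output (HEAD, <code>User-Agent: HealthCheck</code>, a <code>Server-pool</code> header). The health-check request text is reconstructed from the capture above; the IP-only request is a constructed sample of what the blocked attempt in the second video sends.</p>

```python
# Constructed example, not Fortiweb's own code: the decision a Protected
# Hostnames object with "Default Action: Deny" makes on a request, and how the
# health-check request from the capture above is recognised.

HEALTH_CHECK_REQUEST = (          # reconstructed from the tcpdump capture
    "HEAD / HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en\r\n"
    "Content-Type: text/html\r\n"
    "Host: yurisk.com\r\n"
    "User-Agent: HealthCheck\r\n"
    "Server-pool: srv-pool-yurisk-com\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Constructed sample: a client addressing the VIP by IP, no valid virtual host.
IP_ONLY_REQUEST = "GET / HTTP/1.1\r\nHost: 192.168.13.92\r\n\r\n"


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into method, target, version, headers.
    Header names are case-insensitive, so they are lower-cased for lookup."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def normalise_host(host_value):
    """'WWW.Yurisk.com:80' -> 'www.yurisk.com'; '[::1]:80' -> '[::1]'.
    The port and letter case must not influence the match."""
    host_value = host_value.strip()
    if host_value.startswith("["):
        end = host_value.find("]")
        return (host_value[:end + 1] if end != -1 else host_value).lower()
    return host_value.split(":", 1)[0].lower()


class ProtectedHostnames:
    """Model of the allow-hosts object: a per-host action plus a default."""

    def __init__(self, default_action, host_actions):
        self.default_action = default_action
        self.host_actions = {h.lower(): a for h, a in host_actions.items()}

    def decide(self, request):
        host = request["headers"].get("host")
        if not host:
            # HTTP/1.1 requires Host; a request without one matches nothing.
            return self.default_action
        return self.host_actions.get(normalise_host(host), self.default_action)


def is_pool_health_check(request):
    """The probe seen in the capture: HEAD, User-Agent 'HealthCheck', Server-pool header."""
    h = request["headers"]
    return request["method"] == "HEAD" and h.get("user-agent") == "HealthCheck" and "server-pool" in h


# Same content as the hostnames-yurisk-com object: default deny, two accepted hosts.
HOSTNAMES_YURISK_COM = ProtectedHostnames("deny", {"yurisk.com": "accept", "www.yurisk.com": "accept"})

if __name__ == "__main__":
    for raw in (HEALTH_CHECK_REQUEST, IP_ONLY_REQUEST):
        req = parse_request(raw)
        print(req["method"], req["target"], req["headers"].get("host"),
              "->", HOSTNAMES_YURISK_COM.decide(req),
              "(health check)" if is_pool_health_check(req) else "")
```

<p>The health check itself is sent by Fortiweb to the physical servers, not through the Protected Hostnames check, but running it through the same parser shows why its <code>Host: yurisk.com</code> matters: the Apache virtual host for the site must answer it, or the pool member is marked down.</p>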
<p>In the next episodes I will add local and LDAP user authentication to access the website, and HTTPS as one of the protocols.</p>
<p><a href="https://yurisk.info/2020/06/14/fortiweb-cookbook-basic-setup-user-authentication/"> Add web site authentication with local and remote (LDAP) users</a><br>
<a href="https://yurisk.info/2020/06/16/fortiweb-cookbook-basic-setup-one-website-add-ssl-protocol-round-robin-load-balancing-alert-only-protection-host-filtration/"> Add HTTPS protocol support for SSL offloading.</a> </p>
<h3>CLI configuration of all the above</h3>
<div class="highlight"><pre><span></span><code>config system vip
edit <span class="s2">"VIP-yurisk-com"</span>
<span class="nb">set</span> vip <span class="m">192</span>.168.13.92/32
<span class="nb">set</span> interface port1
<span class="nb">set</span> index <span class="m">1</span>
next
end
config server-policy vserver
edit <span class="s2">"vsrv-yurisk-com"</span>
config vip-list
edit <span class="m">1</span>
<span class="nb">set</span> vip VIP-yurisk-com
next
end
next
end
config server-policy allow-hosts
edit <span class="s2">"hostnames-yurisk-com"</span>
<span class="nb">set</span> default-action deny
config host-list
edit <span class="m">1</span>
<span class="nb">set</span> host www.yurisk.com
next
edit <span class="m">2</span>
<span class="nb">set</span> host yurisk.com
next
end
next
end
config server-policy server-pool
edit <span class="s2">"srv-pool-yurisk-com"</span>
<span class="nb">set</span> server-balance <span class="nb">enable</span>
<span class="nb">set</span> health HLTHCK_HTTP
<span class="nb">set</span> server-pool-id <span class="m">15152185382089931844</span>
config pserver-list
edit <span class="m">1</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.13
<span class="nb">set</span> server-id <span class="m">14833377406792437432</span>
<span class="nb">set</span> hlck-domain yurisk.com
next
edit <span class="m">2</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.14
<span class="nb">set</span> server-id <span class="m">13115127060638259350</span>
<span class="nb">set</span> hlck-domain yurisk.com
next
end
next
end
config server-policy policy
edit <span class="s2">"srv-policy-yurisk-com"</span>
<span class="nb">set</span> vserver vsrv-yurisk-com
<span class="nb">set</span> service HTTP
<span class="nb">set</span> web-protection-profile <span class="s2">"Inline Alert Only"</span>
<span class="nb">set</span> replacemsg Predefined
<span class="nb">set</span> server-pool srv-pool-yurisk-com
<span class="nb">set</span> allow-hosts hostnames-yurisk-com
<span class="nb">set</span> policy-id <span class="m">16091469981553709465</span>
config http-content-routing-list
end
next
end
</code></pre></div>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Fortigate virtual IP server load balancing configuration and debug2020-06-04T14:56:12+00:002020-06-05T12:00:00+02:00Yuri Slobodyanyuktag:yurisk.info,2020-06-04:/2020/06/04/fortigate-virtual-ip-server-load-balancing/<p>The general workflow is:</p>
<p><img alt="Virtual Ip load balancing servers work flow" src="/assets/virtual-server-load-balancing.svg"></p>
<p>Facts to know: </p>
<ul>
<li>Available server types: http, https, imaps, pop3s, smtps, ssl, tcp, udp, ip</li>
<li>Server types ssl, https and all the SSL based ones are available in <strong>Proxy</strong> inspection mode of the Fortigate only.</li>
<li>Only starting with FortiOS 6.2.1 https load balancing supports HTTP to HTTPS redirection inside the VIP configuration. </li>
<li>Available load balancing algorithms (which ones you can pick depends on the chosen server type), as of FortiOS 6.0.x; earlier versions have fewer:<br>
<strong>static</strong> - Distribute to a server based on the source IP.<br>
<strong>round-robin</strong> - Distribute to servers in round robin order.<br>
<strong>weighted</strong> - Distribute to servers based on weight. You have to assign different weights to the real servers for this to be useful.<br>
<strong>least-session</strong> - Distribute to the server with the lowest session count.<br>
<strong>least-rtt</strong> - Distribute to the server with the lowest Round-Trip-Time.<br>
<strong>first-alive</strong> - Distribute to the first server that is alive. This means no load balancing is done, only redundancy: as long as the first available server is up, all connections go to it, and only when it fails does the next server receive the incoming connections.<br>
<strong>http-host</strong> - Distribute to a server based on the Host field in the HTTP header.</li>
<li>You cannot have 2 different VIPs listening on the same port and the same external IP.</li>
<li>Persistence is available for the HTTP and SSL virtual server types only. The closest substitute for the other types is the <code>static</code> algorithm, which balances by source IP.</li>
<li>If Central NAT is enabled, a VIP cannot be added to a firewall policy; this is by design and is how Central NAT works. The load-balancing VIP will still function as expected, though.</li>
</ul>
<h2>Case 1: Load balance incoming UDP port 53 DNS requests to IP 192.168.13.55 between 2 servers 10.10.10.13 & 10.10.10.14. Use weighted load balancing algorithm, assign 1st server twice as many connections.</h2>
<p>Step 1. Health checking monitor.<br>
I configure all the monitors needed for the later examples here, but this case uses only the ICMP ping monitor.</p>
<div class="highlight"><pre><span></span><code>config firewall ldb-monitor
edit <span class="s2">"PING_MNTR"</span>
<span class="nb">set</span> <span class="nb">type</span> ping
<span class="nb">set</span> timeout <span class="m">1</span>
next
edit <span class="s2">"HTTP_MNTR"</span>
<span class="nb">set</span> <span class="nb">type</span> http
<span class="nb">set</span> http-get <span class="s2">"/monitor.txt"</span>
<span class="nb">set</span> http-match <span class="s2">"Success"</span> <-- Case sensitive! Looks at the CONTENTS of the page returned, no regexes, exact string match.
<-- You don<span class="err">'</span>t have to <span class="nb">set</span> http-match, <span class="k">in</span> such
<-- a <span class="k">case</span>, Fortigate will verify to get <span class="m">200</span> Ok when asking <span class="k">for</span> the
<-- URL <span class="s2">"/monitor.txt"</span>
next
edit <span class="s2">"TCP_MNTR"</span>
<span class="nb">set</span> <span class="nb">type</span> tcp
next
end
</code></pre></div>
<p>Step 2. Create the VIP for incoming to 192.168.13.55 connections. Create real servers inside the VIP.</p>
<div class="highlight"><pre><span></span><code>config firewall vip
edit <span class="s2">"LDC_UDP_PORT_53"</span>
<span class="nb">set</span> <span class="nb">type</span> server-load-balance
<span class="nb">set</span> extip <span class="m">192</span>.168.13.55
<span class="nb">set</span> extintf <span class="s2">"port1"</span>
<span class="nb">set</span> server-type udp
<span class="nb">set</span> monitor <span class="s2">"PING_MNTR"</span> <-- I don<span class="err">'</span>t <span class="nb">set</span> individual monitors <span class="k">in</span> each server, so this one will be used by default
<span class="nb">set</span> ldb-method weighted
<span class="nb">set</span> extport <span class="m">53</span>
config realservers
edit <span class="m">1</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.13
<span class="nb">set</span> port <span class="m">53</span>
<span class="nb">set</span> weight <span class="m">2</span>
next
edit <span class="m">2</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.14
<span class="nb">set</span> port <span class="m">53</span> <-- no weight shown here as left the <span class="nv">default</span> <span class="o">=</span> <span class="m">1</span>
next
end
next
end
</code></pre></div>
<p>Step 3. Use the VIP in a security rule.</p>
<div class="highlight"><pre><span></span><code>config firewall policy
edit <span class="m">1</span>
<span class="nb">set</span> srcintf <span class="s2">"port1"</span>
<span class="nb">set</span> dstintf <span class="s2">"port2"</span>
<span class="nb">set</span> srcaddr <span class="s2">"all"</span>
<span class="nb">set</span> dstaddr <span class="s2">"LDC_UDP_PORT_53"</span>
<span class="nb">set</span> action accept
<span class="nb">set</span> schedule <span class="s2">"always"</span>
<span class="nb">set</span> service <span class="s2">"DNS"</span>
<span class="nb">set</span> logtraffic all
next
end
</code></pre></div>
<p>GUI: <strong>Feature visibility -> Load Balancing</strong>.<br>
<strong>Policy & Objects -> Health Check</strong>.<br>
<strong>Policy & Objects -> Virtual Servers</strong>. </p>
<p><img alt="fortigate virtual ip load balance server" src="/assets/fortigate-virtual-ip-load-balance-server.png"></p>
<h2>Verification and debug</h2>
<ul>
<li>Status of the real servers: </li>
</ul>
<h3>diagnose firewall vip realserver list</h3>
<div class="highlight"><pre><span></span><code><span class="nv">alloc</span><span class="o">=</span><span class="m">3</span>
------------------------------
<span class="nv">vf</span><span class="o">=</span><span class="m">0</span> <span class="nv">name</span><span class="o">=</span>LDC_UDP_PORT_53/2 <span class="nv">class</span><span class="o">=</span><span class="m">4</span> <span class="nv">type</span><span class="o">=</span><span class="m">2</span> <span class="m">192</span>.168.13.55:<span class="o">(</span><span class="m">53</span>-53<span class="o">)</span>, <span class="nv">protocol</span><span class="o">=</span><span class="m">17</span>
<span class="nv">total</span><span class="o">=</span><span class="m">2</span> <span class="nv">alive</span><span class="o">=</span><span class="m">2</span> <span class="nv">power</span><span class="o">=</span><span class="m">3</span> <span class="nv">ptr</span><span class="o">=</span><span class="m">1013716</span>
<span class="nv">ip</span><span class="o">=</span><span class="m">10</span>.10.10.13-10.10.10.13/53 <span class="nv">adm_status</span><span class="o">=</span><span class="m">0</span> <span class="nv">holddown_interval</span><span class="o">=</span><span class="m">300</span> <span class="nv">max_connections</span><span class="o">=</span><span class="m">0</span> <span class="nv">weight</span><span class="o">=</span><span class="m">2</span> <span class="nv">option</span><span class="o">=</span><span class="m">01</span>
<span class="nv">alive</span><span class="o">=</span><span class="m">1</span> <span class="nv">total</span><span class="o">=</span><span class="m">1</span> <span class="nv">enable</span><span class="o">=</span><span class="m">00000001</span> <span class="nv">alive</span><span class="o">=</span><span class="m">00000001</span> <span class="nv">power</span><span class="o">=</span><span class="m">2</span>
<span class="nv">src_sz</span><span class="o">=</span><span class="m">0</span>
<span class="nv">id</span><span class="o">=</span><span class="m">0</span> <span class="nv">status</span><span class="o">=</span>up <span class="nv">ks</span><span class="o">=</span><span class="m">9</span> <span class="nv">us</span><span class="o">=</span><span class="m">0</span> <span class="nv">events</span><span class="o">=</span><span class="m">1</span> <span class="nv">bytes</span><span class="o">=</span><span class="m">720</span> <span class="nv">rtt</span><span class="o">=</span><span class="m">0</span>
<span class="nv">ip</span><span class="o">=</span><span class="m">10</span>.10.10.14-10.10.10.14/53 <span class="nv">adm_status</span><span class="o">=</span><span class="m">0</span> <span class="nv">holddown_interval</span><span class="o">=</span><span class="m">300</span> <span class="nv">max_connections</span><span class="o">=</span><span class="m">0</span> <span class="nv">weight</span><span class="o">=</span><span class="m">1</span> <span class="nv">option</span><span class="o">=</span><span class="m">01</span>
<span class="nv">alive</span><span class="o">=</span><span class="m">1</span> <span class="nv">total</span><span class="o">=</span><span class="m">1</span> <span class="nv">enable</span><span class="o">=</span><span class="m">00000001</span> <span class="nv">alive</span><span class="o">=</span><span class="m">00000001</span> <span class="nv">power</span><span class="o">=</span><span class="m">1</span>
<span class="nv">src_sz</span><span class="o">=</span><span class="m">0</span>
<span class="nv">id</span><span class="o">=</span><span class="m">0</span> <span class="nv">status</span><span class="o">=</span>up <span class="nv">ks</span><span class="o">=</span><span class="m">5</span> <span class="nv">us</span><span class="o">=</span><span class="m">0</span> <span class="nv">events</span><span class="o">=</span><span class="m">1</span> <span class="nv">bytes</span><span class="o">=</span><span class="m">374</span> <span class="nv">rtt</span><span class="o">=</span><span class="m">0</span>
</code></pre></div>
<p>GUI:<br>
<strong>Monitoring -> Load Balance Monitor</strong>.</p>
<p><img alt="fortigate-virtual-ip-load-balance-monitor" src="/assets/fortigate-virtual-ip-load-balance-monitor.png"></p>
<p>I block incoming ICMP packets on the 1st server, 10.10.10.13. The status of the monitor/server changes to down: </p>
<div class="highlight"><pre><span></span><code><span class="c1"># diagnose firewall vip realserver list</span>
<span class="nv">alloc</span><span class="o">=</span><span class="m">3</span>
------------------------------
<span class="nv">vf</span><span class="o">=</span><span class="m">0</span> <span class="nv">name</span><span class="o">=</span>LDC_UDP_PORT_53/2 <span class="nv">class</span><span class="o">=</span><span class="m">4</span> <span class="nv">type</span><span class="o">=</span><span class="m">2</span> <span class="m">192</span>.168.13.55:<span class="o">(</span><span class="m">53</span>-53<span class="o">)</span>, <span class="nv">protocol</span><span class="o">=</span><span class="m">17</span>
<span class="nv">total</span><span class="o">=</span><span class="m">2</span> <span class="nv">alive</span><span class="o">=</span><span class="m">1</span> <span class="nv">power</span><span class="o">=</span><span class="m">1</span> <span class="nv">ptr</span><span class="o">=</span><span class="m">1013716</span>
<span class="nv">ip</span><span class="o">=</span><span class="m">10</span>.10.10.13-10.10.10.13/53 <span class="nv">adm_status</span><span class="o">=</span><span class="m">0</span> <span class="nv">holddown_interval</span><span class="o">=</span><span class="m">300</span> <span class="nv">max_connections</span><span class="o">=</span><span class="m">0</span> <span class="nv">weight</span><span class="o">=</span><span class="m">2</span> <span class="nv">option</span><span class="o">=</span><span class="m">01</span>
<span class="nv">alive</span><span class="o">=</span><span class="m">0</span> <span class="nv">total</span><span class="o">=</span><span class="m">1</span> <span class="nv">enable</span><span class="o">=</span><span class="m">00000001</span> <span class="nv">alive</span><span class="o">=</span><span class="m">00000000</span> <span class="nv">power</span><span class="o">=</span><span class="m">0</span>
<span class="nv">src_sz</span><span class="o">=</span><span class="m">0</span>
<span class="nv">id</span><span class="o">=</span><span class="m">0</span> <span class="nv">status</span><span class="o">=</span>down <span class="nv">ks</span><span class="o">=</span><span class="m">0</span> <span class="nv">us</span><span class="o">=</span><span class="m">0</span> <span class="nv">events</span><span class="o">=</span><span class="m">2</span> <span class="nv">bytes</span><span class="o">=</span><span class="m">720</span> <span class="nv">rtt</span><span class="o">=</span><span class="m">0</span>
<span class="nv">ip</span><span class="o">=</span><span class="m">10</span>.10.10.14-10.10.10.14/53 <span class="nv">adm_status</span><span class="o">=</span><span class="m">0</span> <span class="nv">holddown_interval</span><span class="o">=</span><span class="m">300</span> <span class="nv">max_connections</span><span class="o">=</span><span class="m">0</span> <span class="nv">weight</span><span class="o">=</span><span class="m">1</span> <span class="nv">option</span><span class="o">=</span><span class="m">01</span>
<span class="nv">alive</span><span class="o">=</span><span class="m">1</span> <span class="nv">total</span><span class="o">=</span><span class="m">1</span> <span class="nv">enable</span><span class="o">=</span><span class="m">00000001</span> <span class="nv">alive</span><span class="o">=</span><span class="m">00000001</span> <span class="nv">power</span><span class="o">=</span><span class="m">1</span>
<span class="nv">src_sz</span><span class="o">=</span><span class="m">0</span>
<span class="nv">id</span><span class="o">=</span><span class="m">0</span> <span class="nv">status</span><span class="o">=</span>up <span class="nv">ks</span><span class="o">=</span><span class="m">0</span> <span class="nv">us</span><span class="o">=</span><span class="m">0</span> <span class="nv">events</span><span class="o">=</span><span class="m">1</span> <span class="nv">bytes</span><span class="o">=</span><span class="m">374</span> <span class="nv">rtt</span><span class="o">=</span><span class="m">0</span>
</code></pre></div>
<p>General stats: </p>
<div class="highlight"><pre><span></span><code><span class="c1"># get test ipldb 2</span>
num of <span class="nv">vf</span><span class="o">=</span><span class="m">1</span>
--------dump ipldb <span class="nv">vf</span><span class="o">=</span><span class="m">0</span>----------
num of <span class="nv">vips</span><span class="o">=</span><span class="m">1</span>
num of registered monitor <span class="nv">types</span><span class="o">=</span><span class="m">4</span>
num of ping <span class="nv">monitors</span><span class="o">=</span><span class="m">0</span>
num of ping <span class="nv">monitors</span><span class="o">=</span><span class="m">2</span>
num of tcp <span class="nv">monitors</span><span class="o">=</span><span class="m">0</span>
num of http <span class="nv">monitors</span><span class="o">=</span><span class="m">0</span>
</code></pre></div>
<p>The best verification is the packet sniffer. In this capture on the Fortigate we can see that the packet distribution roughly follows the weights I assigned
to each server: </p>
<div class="highlight"><pre><span></span><code><span class="c1"># diagnose sniffer pa port2 ' port 53' 4 </span>
<span class="nv">interfaces</span><span class="o">=[</span>port2<span class="o">]</span>
<span class="nv">filters</span><span class="o">=[</span> port <span class="m">53</span><span class="o">]</span>
<span class="m">15</span>.257112 port2 -- <span class="m">192</span>.168.13.17.2785 -> <span class="m">10</span>.10.10.13.53: udp <span class="m">0</span>
<span class="m">16</span>.258720 port2 -- <span class="m">192</span>.168.13.17.2786 -> <span class="m">10</span>.10.10.13.53: udp <span class="m">0</span>
<span class="m">17</span>.259267 port2 -- <span class="m">192</span>.168.13.17.2787 -> <span class="m">10</span>.10.10.14.53: udp <span class="m">0</span>
<span class="m">18</span>.259394 port2 -- <span class="m">192</span>.168.13.17.2788 -> <span class="m">10</span>.10.10.13.53: udp <span class="m">0</span>
<span class="m">19</span>.259734 port2 -- <span class="m">192</span>.168.13.17.2789 -> <span class="m">10</span>.10.10.13.53: udp <span class="m">0</span>
<span class="m">20</span>.260002 port2 -- <span class="m">192</span>.168.13.17.2790 -> <span class="m">10</span>.10.10.14.53: udp <span class="m">0</span>
<span class="m">21</span>.260136 port2 -- <span class="m">192</span>.168.13.17.2791 -> <span class="m">10</span>.10.10.13.53: udp <span class="m">0</span>
<span class="m">22</span>.260786 port2 -- <span class="m">192</span>.168.13.17.2792 -> <span class="m">10</span>.10.10.13.53: udp <span class="m">0</span>
<span class="m">23</span>.261635 port2 -- <span class="m">192</span>.168.13.17.2793 -> <span class="m">10</span>.10.10.14.53: udp <span class="m">0</span>
<span class="m">24</span>.261417 port2 -- <span class="m">192</span>.168.13.17.2794 -> <span class="m">10</span>.10.10.13.53: udp <span class="m">0</span>
</code></pre></div>
<p>7 packets out of 10 are sent to 10.10.10.13 and 3 packets to 10.10.10.14, close to the desired 2 to 1 ratio. </p>
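<p>Counting sniffer lines by hand does not scale, so here is an added Python example (my code, not from the post and not Fortinet's) that parses the ten sniffer lines above, counts packets per real server, compares the result to the configured weights and to an ideal weighted round-robin schedule, and recomputes the pool's <code>power</code> as the sum of the weights of the alive servers, which is how I read the <code>power=3</code> then <code>power=1</code> values in the <code>diagnose firewall vip realserver list</code> output above. The scheduler is a simple reference model, not Fortinet's implementation.</p>

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RealServer:
    ip: str
    weight: int = 1
    alive: bool = True


# Pool as configured in the VIP "LDC_UDP_PORT_53": weight 2 and the default weight 1.
POOL = [RealServer("10.10.10.13", weight=2), RealServer("10.10.10.14")]

# Sniffer output copied from the post ("diagnose sniffer pa port2 ' port 53' 4").
SNIFFER_OUTPUT = """\
interfaces=[port2]
filters=[ port 53]
15.257112 port2 -- 192.168.13.17.2785 -> 10.10.10.13.53: udp 0
16.258720 port2 -- 192.168.13.17.2786 -> 10.10.10.13.53: udp 0
17.259267 port2 -- 192.168.13.17.2787 -> 10.10.10.14.53: udp 0
18.259394 port2 -- 192.168.13.17.2788 -> 10.10.10.13.53: udp 0
19.259734 port2 -- 192.168.13.17.2789 -> 10.10.10.13.53: udp 0
20.260002 port2 -- 192.168.13.17.2790 -> 10.10.10.14.53: udp 0
21.260136 port2 -- 192.168.13.17.2791 -> 10.10.10.13.53: udp 0
22.260786 port2 -- 192.168.13.17.2792 -> 10.10.10.13.53: udp 0
23.261635 port2 -- 192.168.13.17.2793 -> 10.10.10.14.53: udp 0
24.261417 port2 -- 192.168.13.17.2794 -> 10.10.10.13.53: udp 0
"""

# <timestamp> <interface> -- <src ip>.<src port> -> <dst ip>.<dst port>: <proto> <len>
LINE_RE = re.compile(
    r"^\d+\.\d+\s+\S+\s+--\s+(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+->\s+"
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+):\s+(\w+)\s+(\d+)$"
)


def count_per_server(sniffer_text: str) -> Dict[str, int]:
    """Count packets per destination real server; the interfaces=/filters=
    banner and anything else that is not a packet line is skipped."""
    counts: Counter = Counter()
    for line in sniffer_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counts[m.group(3)] += 1
    return dict(counts)


def pool_power(pool: List[RealServer]) -> int:
    """Sum of the weights of the alive servers (my reading of the power= field)."""
    return sum(s.weight for s in pool if s.alive)


def expected_share(pool: List[RealServer]) -> Dict[str, float]:
    """Configured share of traffic per server; a down server gets nothing."""
    power = pool_power(pool)
    return {s.ip: (s.weight / power if s.alive else 0.0) for s in pool}


def weighted_round_robin(pool: List[RealServer], n: int) -> List[str]:
    """Ideal weighted schedule for n packets: per cycle every alive server is
    picked weight times, in pool order. Reference only, not FortiOS's algorithm."""
    cycle = [s.ip for s in pool if s.alive for _ in range(s.weight)]
    if not cycle:
        raise RuntimeError("no alive servers in pool")
    return [cycle[i % len(cycle)] for i in range(n)]


def deviation_from_weights(counts: Dict[str, int], pool: List[RealServer]) -> Dict[str, float]:
    """Observed share minus configured share per server, as a fraction of all packets."""
    total = sum(counts.values())
    share = expected_share(pool)
    return {ip: round(counts.get(ip, 0) / total - share[ip], 3) for ip in share}


if __name__ == "__main__":
    observed = count_per_server(SNIFFER_OUTPUT)
    print("observed:      ", observed)
    print("ideal schedule:", dict(Counter(weighted_round_robin(POOL, 10))))
    print("deviation:     ", deviation_from_weights(observed, POOL))
```

<p>The ideal schedule for 10 packets also comes out at 7 and 3, so the capture is as close to 2:1 as ten packets allow. Run the counter over a longer capture; a deviation that does not shrink as the sample grows points at a flapping health check or a server the Fortigate counts as down, which is exactly what the <code>alive</code> and <code>power</code> fields in the diagnose output would show.</p>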
<ul>
<li>VIP display filter, helpful on a Fortigate with many VIPs:</li>
</ul>
<p><strong>diagnose firewall vip virtual-server filter</strong> </p>
<div class="highlight"><pre><span></span><code>diagnose firewall vip virtual-server filter ?
list Display the current filter.
clear Erase the current filter.
name VIP name to filter by.
src Source address range to filter by.
dst Destination address range to filter by.
src-port Source port range to filter by.
dst-port Destination port range to filter by.
vd Index of virtual domain. -1 matches all.
negate Negate the specified filter parameter.
</code></pre></div>
<h2>Case 1.1: In addition to the configuration above, hide the clients' IPs from the servers behind the Fortigate</h2>
<p>I haven't enabled NAT in the security rule, so the servers see the real source IP of the connecting client. This is easy to fix: just enable NAT in the security rule.</p>
<div class="highlight"><pre><span></span><code><span class="nv">config</span><span class="w"> </span><span class="nv">firewall</span><span class="w"> </span><span class="nv">policy</span><span class="w"> </span>
<span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">srcintf</span><span class="w"> </span><span class="s2">"port1"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">dstintf</span><span class="w"> </span><span class="s2">"port2"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">srcaddr</span><span class="w"> </span><span class="s2">"all"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">dstaddr</span><span class="w"> </span><span class="s2">"LDC_UDP_PORT_53"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">action</span><span class="w"> </span><span class="nv">accept</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">schedule</span><span class="w"> </span><span class="s2">"always"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">service</span><span class="w"> </span><span class="s2">"DNS"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">logtraffic</span><span class="w"> </span><span class="nv">all</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">nat</span><span class="w"> </span><span class="nv">enable</span><span class="w"> </span><span class="o"><---</span><span class="w"> </span><span class="nv">Enable</span><span class="w"> </span><span class="nv">interface</span><span class="w"> </span><span class="nv">based</span><span class="w"> </span><span class="nv">NAT</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="k">end</span><span class="w"></span>
</code></pre></div>
<p>BEFORE (sniffer on server 2): </p>
<div class="highlight"><pre><span></span><code><span class="n">root</span><span class="nv">@ubuntu2</span><span class="err">:</span><span class="o">~</span><span class="err">#</span><span class="w"> </span><span class="n">tcpdump</span><span class="w"> </span><span class="o">-</span><span class="n">n</span><span class="w"> </span><span class="o">-</span><span class="n">i</span><span class="w"> </span><span class="n">ens34</span><span class="w"> </span><span class="n">port</span><span class="w"> </span><span class="mi">53</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="k">host</span><span class="w"> </span><span class="mf">10.10.10.14</span><span class="w"></span>
<span class="n">listening</span><span class="w"> </span><span class="k">on</span><span class="w"> </span><span class="n">ens34</span><span class="p">,</span><span class="w"> </span><span class="n">link</span><span class="o">-</span><span class="n">type</span><span class="w"> </span><span class="n">EN10MB</span><span class="w"> </span><span class="p">(</span><span class="n">Ethernet</span><span class="p">),</span><span class="w"> </span><span class="n">capture</span><span class="w"> </span><span class="k">size</span><span class="w"> </span><span class="mi">262144</span><span class="w"> </span><span class="n">bytes</span><span class="w"></span>
<span class="mi">09</span><span class="err">:</span><span class="mi">52</span><span class="err">:</span><span class="mf">10.405443</span><span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="mf">192.168.13.17.1362</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="mf">10.10.10.14.53</span><span class="err">:</span><span class="w"> </span><span class="k">domain</span><span class="w"> </span><span class="o">[</span><span class="n">length 0 < 12</span><span class="o">]</span><span class="w"> </span><span class="p">(</span><span class="n">invalid</span><span class="p">)</span><span class="w"></span>
<span class="mi">09</span><span class="err">:</span><span class="mi">52</span><span class="err">:</span><span class="mf">11.407252</span><span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="mf">192.168.13.17.1363</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="mf">10.10.10.14.53</span><span class="err">:</span><span class="w"> </span><span class="k">domain</span><span class="w"> </span><span class="o">[</span><span class="n">length 0 < 12</span><span class="o">]</span><span class="w"> </span><span class="p">(</span><span class="n">invalid</span><span class="p">)</span><span class="w"></span>
</code></pre></div>
<p>AFTER: </p>
<div class="highlight"><pre><span></span><code>root@ubuntu2:~# tcpdump -n -i ens34 port <span class="m">53</span> and host <span class="m">10</span>.10.10.14
listening on ens34, link-type EN10MB <span class="o">(</span>Ethernet<span class="o">)</span>, capture size <span class="m">262144</span> bytes
<span class="m">09</span>:53:07.391346 IP <span class="m">10</span>.10.10.91.63343 > <span class="m">10</span>.10.10.14.53: domain <span class="o">[</span>length <span class="m">0</span> < <span class="m">12</span><span class="o">]</span> <span class="o">(</span>invalid<span class="o">)</span>
<span class="m">09</span>:53:08.391830 IP <span class="m">10</span>.10.10.91.63344 > <span class="m">10</span>.10.10.14.53: domain <span class="o">[</span>length <span class="m">0</span> < <span class="m">12</span><span class="o">]</span> <span class="o">(</span>invalid<span class="o">)</span>
</code></pre></div>
<h2>Case 2: Load balance HTTPS for the web site, making the servers see the Fortigate as the source IP of requests while sending the real client's IP in the X-Forwarded-For header</h2>
<p>I will configure the Fortigate to serve the domain <em>yurisk.com</em> to clients via HTTPS on port 443 at the IP 192.168.13.56. At the same time, the connections from the Fortigate to the real servers will be unencrypted, to port 80 of the servers. </p>
<p>I will use an SSL certificate issued by a trusted CA to prevent browser error messages.</p>
<p>Step 1: Import SSL certificate for the <em>yurisk.com</em> domain to Fortigate.<br>
<strong>System -> Certificates -> Import -> Local Certificate -> Certificate -> Upload ...</strong>.<br>
In this case the certificate is named yurisk_com.crt.</p>
<p><img alt="fortigate-virtual-ip-load-balance-import-site-certificate.png" src="/assets/fortigate-virtual-ip-load-balance-import-site-certificate.png"> </p>
<p>Step 2: Switch (if not already) to Proxy mode from Flow mode. </p>
<div class="highlight"><pre><span></span><code> config system setting
<span class="nb">set</span> inspection-mode proxy
end
</code></pre></div>
<p>Step 3: Create the VIP as the load balancer, setting HTTPS as the server type. The monitor was created earlier, see above.</p>
<div class="highlight"><pre><span></span><code>config firewall vip
edit <span class="s2">"HTTPS_LDB"</span>
<span class="nb">set</span> <span class="nb">type</span> server-load-balance
<span class="nb">set</span> extip <span class="m">192</span>.168.13.56
<span class="nb">set</span> extintf <span class="s2">"port1"</span>
<span class="nb">set</span> server-type https
<span class="nb">set</span> http-ip-header <span class="nb">enable</span> <-- Causes Fortigate to send X-Forwarded-For header with the real IP of client
<span class="nb">set</span> color <span class="m">3</span>
<span class="nb">set</span> ldb-method round-robin
<span class="nb">set</span> persistence http-cookie <-- enables persistence by inserting own cookie
<span class="nb">set</span> extport <span class="m">443</span>
config realservers
edit <span class="m">1</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.13
<span class="nb">set</span> port <span class="m">80</span>
<span class="nb">set</span> healthcheck <span class="nb">enable</span>
<span class="nb">set</span> monitor <span class="s2">"HTTP_MNTR"</span>
next
edit <span class="m">2</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.14
<span class="nb">set</span> port <span class="m">80</span>
<span class="nb">set</span> healthcheck <span class="nb">enable</span>
<span class="nb">set</span> monitor <span class="s2">"HTTP_MNTR"</span>
next
end
<span class="nb">set</span> http-multiplex <span class="nb">enable</span> <-- prerequisite <span class="k">for</span> X-Forwarded-For header sending
<span class="nb">set</span> ssl-certificate <span class="s2">"yurisk_com"</span> <-- Sets certificate to present clients
<span class="nb">set</span> ssl-mode half <-- encrypt only client-to-Fortigate connection, leave Fortigate-to-server <span class="k">in</span> clear text
next
end
</code></pre></div>
<p>In the GUI the final result looks like this (not all options are available in the GUI; e.g. the per-server health monitor can only be set in the CLI):</p>
<p><img alt="fortigate virtual ip load balance virtual https server configured" src="/assets/fortigate-virtual-ip-load-balance-virtual-https-server-configured.png"></p>
<p>Step 4: Use the VIP in the security rule: </p>
<div class="highlight"><pre><span></span><code>config firewall policy
edit <span class="m">2</span>
<span class="nb">set</span> name <span class="s2">"HTTPS_LDB"</span>
<span class="nb">set</span> uuid 8d77d4dc-a62f-51ea-27ab-61a3f99fe71b
<span class="nb">set</span> srcintf <span class="s2">"port1"</span>
<span class="nb">set</span> dstintf <span class="s2">"port2"</span>
<span class="nb">set</span> srcaddr <span class="s2">"all"</span>
<span class="nb">set</span> dstaddr <span class="s2">"HTTPS_LDB"</span>
<span class="nb">set</span> action accept
<span class="nb">set</span> schedule <span class="s2">"always"</span>
<span class="nb">set</span> service <span class="s2">"ALL"</span>
<span class="nb">set</span> fsso disable
<span class="nb">set</span> nat <span class="nb">enable</span>
next
end
</code></pre></div>
<h3>Verification</h3>
<p>Sniffer on the real server 10.10.10.14 while the client 192.168.13.17 browses to https://yurisk.com: </p>
<div class="highlight"><pre><span></span><code><span class="m">02</span>:01:07.132439 IP <span class="m">10</span>.10.10.91.22815 > <span class="m">10</span>.10.10.14.80: <-- As NAT is enabled, Fortigate sends
<-- requests with its own IP as <span class="nb">source</span>
GET / HTTP/1.1
Host:yurisk.com
User-Agent: Mozilla/5 <span class="m">0</span> <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv: <span class="m">77</span>.0<span class="o">)</span> Gecko/20100101 Firefox/77.0
Accept: image /webp,*/*
Accept-Language: en-US,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span><span class="m">05</span>
Accept-Encoding: gzip, deflate, br DNT: <span class="m">1</span>
Connection: keep-alive
Cookie: <span class="nv">FGTServer</span><span class="o">=</span>F541F452FE3E1121DC3229A7362B3680731BE80C73AEAD68701A70FEDC4152D55F
Pragma: no-cache
Cache-Control: no-cache
X-Forwarded-For : <span class="m">192</span>.168.13.17 <-- This is the real IP of the client browsing to the website
</code></pre></div>
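<p>The X-Forwarded-For header is only worth something if the web server trusts it solely from the Fortigate. As an added example (my code, not part of the post), here is the server-side logic in Python: parse the request header block, and use X-Forwarded-For only when the TCP peer is the Fortigate's NAT address 10.10.10.91 seen in the capture; a request arriving directly from another host on the server LAN, or one carrying an unparsable value, is attributed to the peer address instead. The request is rebuilt from the capture above with a standard <code>X-Forwarded-For:</code> header name (the capture prints a space before the colon, which is not valid header syntax and is rejected by this parser); the direct request is constructed.</p>

```python
import ipaddress
from typing import Dict, List

# The Fortigate reaches the real servers as 10.10.10.91 once NAT is enabled in
# the policy (see the tcpdump output in Case 1.1 and the capture above). Only
# that address may assert X-Forwarded-For. Assumed deployment setting.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.10.10.91")})

# Rebuilt from the sniffer output above (header block only, headers trimmed).
CAPTURED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: yurisk.com\r\n"
    "Connection: keep-alive\r\n"
    "Cookie: FGTServer=F541F452FE3E1121DC3229A7362B3680731BE80C73AEAD68701A70FEDC4152D55F\r\n"
    "X-Forwarded-For: 192.168.13.17\r\n"
    "\r\n"
)

# Constructed: a host on the server LAN talking to the web server directly and
# supplying its own X-Forwarded-For, which must not be believed.
DIRECT_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: yurisk.com\r\n"
    "X-Forwarded-For: 192.168.13.17\r\n"
    "\r\n"
)


def parse_headers(raw_request: str) -> Dict[str, List[str]]:
    """Header block of an HTTP/1.x request -> lower-cased name -> list of values
    (a header may legitimately repeat, X-Forwarded-For included)."""
    headers: Dict[str, List[str]] = {}
    for line in raw_request.split("\r\n")[1:]:
        if line == "":                       # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep or name != name.strip():  # no colon, or whitespace around the name
            continue
        headers.setdefault(name.lower(), []).append(value.strip())
    return headers


def client_ip(peer_ip: str, headers: Dict[str, List[str]]) -> str:
    """Address to log, rate-limit and ACL on.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy, and
    then the right-most entry is taken (the one appended by that proxy). Any
    missing or unparsable value falls back to the peer address, so a bad header
    can never make the server fail open."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    values = headers.get("x-forwarded-for", [])
    entries = [e.strip() for v in values for e in v.split(",") if e.strip()]
    if not entries:
        return str(peer)
    try:
        return str(ipaddress.ip_address(entries[-1]))
    except ValueError:
        return str(peer)


if __name__ == "__main__":
    print("via Fortigate:", client_ip("10.10.10.91", parse_headers(CAPTURED_REQUEST)))
    print("direct on LAN:", client_ip("10.10.10.50", parse_headers(DIRECT_REQUEST)))
```

<p>For the UDP DNS pool of Case 1.1 there is no header equivalent: once NAT is on, the servers only ever see 10.10.10.91, so client attribution for that traffic has to come from the Fortigate's own traffic log (<code>set logtraffic all</code> in the policy), not from the server logs.</p>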
<p>On the server side, the HTTP health monitor request looks like this: </p>
<div class="highlight"><pre><span></span><code>GET /monitor.txt HTTP/1.0
User-Agent: FortiGate <span class="o">(</span>FortiOS <span class="m">4</span>.0<span class="o">)</span>
</code></pre></div>
<p>In <code>diagnose debug flow</code> session it looks like:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># id=20085 trace_id=6 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=6, 192.168.13.17:60904->192.168.13.56:443) from port1. flag [S], seq 2924331034, ack 0, win 64240"</span>
<span class="nv">id</span><span class="o">=</span><span class="m">20085</span> <span class="nv">trace_id</span><span class="o">=</span><span class="m">6</span> <span class="nv">func</span><span class="o">=</span>init_ip_session_common <span class="nv">line</span><span class="o">=</span><span class="m">5682</span> <span class="nv">msg</span><span class="o">=</span><span class="s2">"allocate a new session-000054d0"</span>
<span class="nv">id</span><span class="o">=</span><span class="m">20085</span> <span class="nv">trace_id</span><span class="o">=</span><span class="m">6</span> <span class="nv">func</span><span class="o">=</span>fw_pre_route_handler <span class="nv">line</span><span class="o">=</span><span class="m">183</span> <span class="nv">msg</span><span class="o">=</span><span class="s2">"VIP-10.10.10.14:80, outdev-port1"</span>
<span class="nv">id</span><span class="o">=</span><span class="m">20085</span> <span class="nv">trace_id</span><span class="o">=</span><span class="m">6</span> <span class="nv">func</span><span class="o">=</span>__ip_session_run_tuple <span class="nv">line</span><span class="o">=</span><span class="m">3359</span> <span class="nv">msg</span><span class="o">=</span><span class="s2">"DNAT 192.168.13.56:443->10.10.10.14:80"</span>
<span class="nv">id</span><span class="o">=</span><span class="m">20085</span> <span class="nv">trace_id</span><span class="o">=</span><span class="m">6</span> <span class="nv">func</span><span class="o">=</span>vf_ip_route_input_common <span class="nv">line</span><span class="o">=</span><span class="m">2591</span> <span class="nv">msg</span><span class="o">=</span><span class="s2">"find a route: flag=04000000 gw-10.10.10.14 via port2"</span>
<span class="nv">id</span><span class="o">=</span><span class="m">20085</span> <span class="nv">trace_id</span><span class="o">=</span><span class="m">6</span> <span class="nv">func</span><span class="o">=</span>fw_forward_handler <span class="nv">line</span><span class="o">=</span><span class="m">753</span> <span class="nv">msg</span><span class="o">=</span><span class="s2">"Allowed by Policy-2: AV"</span>
<span class="nv">id</span><span class="o">=</span><span class="m">20085</span> <span class="nv">trace_id</span><span class="o">=</span><span class="m">6</span> <span class="nv">func</span><span class="o">=</span>av_receive <span class="nv">line</span><span class="o">=</span><span class="m">305</span> <span class="nv">msg</span><span class="o">=</span><span class="s2">"send to application layer"</span>
</code></pre></div>
<h2>Case 3: Load balancing SSH connections</h2>
<div class="highlight"><pre><span></span><code>FG3-AS1680 <span class="c1"># </span>
config firewall ldb-monitor
edit <span class="s2">"PING_MNTR"</span>
<span class="nb">set</span> <span class="nb">type</span> ping
next
end
</code></pre></div>
<div class="highlight"><pre><span></span><code>config firewall vip
edit <span class="s2">"LOAD_BALANCE_IN"</span>
<span class="nb">set</span> <span class="nb">type</span> server-load-balance
<span class="nb">set</span> extip <span class="m">192</span>.168.13.55
<span class="nb">set</span> extintf <span class="s2">"port2"</span>
<span class="nb">set</span> server-type tcp
<span class="nb">set</span> ldb-method round-robin
<span class="nb">set</span> extport <span class="m">22</span>
config realservers
edit <span class="m">1</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.13
<span class="nb">set</span> port <span class="m">22</span>
<span class="nb">set</span> healthcheck <span class="nb">enable</span>
<span class="nb">set</span> monitor <span class="s2">"PING_MNTR"</span>
next
edit <span class="m">2</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.14
<span class="nb">set</span> port <span class="m">22</span>
<span class="nb">set</span> healthcheck <span class="nb">enable</span>
<span class="nb">set</span> monitor <span class="s2">"PING_MNTR"</span>
next
end
next
end
</code></pre></div>
<p>Verification. </p>
<div class="highlight"><pre><span></span><code>port2 <span class="k">in</span> <span class="m">13</span>.13.13.6.2625 -> <span class="m">192</span>.168.13.55.22:
port1 out <span class="m">13</span>.13.13.6.2625 -> <span class="m">10</span>.10.10.13.22:
port2 <span class="k">in</span> <span class="m">13</span>.13.13.6.2626 -> <span class="m">192</span>.168.13.55.22:
port1 out <span class="m">13</span>.13.13.6.2626 -> <span class="m">10</span>.10.10.14.22:
</code></pre></div>
<h2>Resources</h2>
<ul>
<li>Debug commands: <a href="https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-load-balancing-52/ldb-diagnose.htm" target=_blank rel="noopener">https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-load-balancing-52/ldb-diagnose.htm</a> </li>
<li>HTTP to HTTPS redirect feature: <a href="https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/304594/http-to-https-redirect-for-load-balancing" target=_blank rel="noopener"> https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/304594/http-to-https-redirect-for-load-balancing</a> </li>
</ul>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
<h2>Fortigate DoS/DDoS sensor/policy rules configuration and verification</h2>
<p>2020-05-29T14:56:12+00:00, Yuri Slobodyanyuk, tag:yurisk.info,2020-05-29:/2020/05/29/fortigate-dos-ddos-policy-configuration/</p>
<p>Facts to know: </p>
<ul>
<li>You use DoS protection by creating a DoS policy (<strong>Policy &amp; Objects -> IPv4/IPv6 DoS Policy</strong>) in which you enable/modify anomalies. </li>
<li>The list of anomalies is pre-set in any policy you create. You only have the choice which ones to enable and which ones not to. </li>
<li>All anomalies are set by default to <strong>Pass</strong> the offending traffic and are disabled, so make sure that under the given anomaly you set <code>status enable</code> and the action to <code>block</code>. On Fortigates with hardware NP modules you also have <strong>Proxy</strong> as an action for <code>tcp_syn_flood</code> protection, which makes the Fortigate proxy SYN connections. </li>
<li>You can (actually must) specify: source/destination IPs to match in the DoS policy (<code>all</code> can be used), the service (<code>ALL</code> can be used), and the incoming interface to apply the DoS policy to. </li>
<li>Thresholds for anomalies are configurable and do what they say: once traffic matched by this policy exceeds the threshold, it gets blocked. There are no learning or adaptive thresholds here. </li>
<li>By default, only the packets exceeding the threshold get blocked. To block the sender IP completely, use the <code>set quarantine</code> parameter under the specific anomaly. </li>
<li>A DoS sensor/policy protects against INCOMING traffic on the specified interface.</li>
<li>For a smarter anti-DDoS solution Fortinet has the FortiDDoS physical appliance. </li>
<li>Fortigate applies DoS protection early in policy matching, before the Security policy is checked, so it consumes fewer resources than blocking the same traffic in Security rules. This also means that even if some security rule allows the traffic, it may still be blocked if it exceeds the DoS thresholds.</li>
<li>Note: in previous versions of FortiOS the feature was called <em>DoS sensor</em>; I mention it for easier reference only. In FortiOS 6.x and newer it is called DoS Policy. </li>
<li>From my personal experience, protecting large networks with this DoS feature of the Fortigate is more hassle than help. The false positives, especially for the TCP SYN and similar protections, would block legitimate clients from reaching the internal servers available from the Internet due to a sudden surge of client requests. You would then need to fix the thresholds, then again... For small networks, and those that do not have servers accessible from the outside, it may be a nice-to-have feature. </li>
</ul>
<h3>Configuring DoS policy.</h3>
<p>I enable just the <code>icmp_flood</code> anomaly here and change its threshold to 10 packets per second sent to the destination 12.12.12.3: </p>
<div class="highlight"><pre><span></span><code>config firewall DoS-policy
edit <span class="m">1</span>
<span class="nb">set</span> interface <span class="s2">"port1"</span>
<span class="nb">set</span> srcaddr <span class="s2">"all"</span>
<span class="nb">set</span> dstaddr <span class="s2">"12.12.12.3"</span>
<span class="nb">set</span> service <span class="s2">"ALL_ICMP"</span>
config anomaly
edit <span class="s2">"tcp_syn_flood"</span>
<span class="nb">set</span> threshold <span class="m">2000</span>
next
edit <span class="s2">"tcp_port_scan"</span>
<span class="nb">set</span> threshold <span class="m">1000</span>
next
edit <span class="s2">"tcp_src_session"</span>
<span class="nb">set</span> threshold <span class="m">5000</span>
next
edit <span class="s2">"tcp_dst_session"</span>
<span class="nb">set</span> threshold <span class="m">5000</span>
next
edit <span class="s2">"udp_flood"</span>
<span class="nb">set</span> threshold <span class="m">2000</span>
next
edit <span class="s2">"udp_scan"</span>
<span class="nb">set</span> threshold <span class="m">2000</span>
next
edit <span class="s2">"udp_src_session"</span>
<span class="nb">set</span> threshold <span class="m">5000</span>
next
edit <span class="s2">"udp_dst_session"</span>
<span class="nb">set</span> threshold <span class="m">5000</span>
next
edit <span class="s2">"icmp_flood"</span>
<span class="nb">set</span> status <span class="nb">enable</span>
<span class="nb">set</span> action block
<span class="nb">set</span> threshold <span class="m">10</span>
next
edit <span class="s2">"icmp_sweep"</span>
<span class="nb">set</span> threshold <span class="m">100</span>
next
edit <span class="s2">"icmp_src_session"</span>
<span class="nb">set</span> threshold <span class="m">300</span>
next
edit <span class="s2">"icmp_dst_session"</span>
<span class="nb">set</span> threshold <span class="m">1000</span>
next
edit <span class="s2">"ip_src_session"</span>
<span class="nb">set</span> threshold <span class="m">5000</span>
next
edit <span class="s2">"ip_dst_session"</span>
<span class="nb">set</span> threshold <span class="m">5000</span>
next
edit <span class="s2">"sctp_flood"</span>
<span class="nb">set</span> threshold <span class="m">2000</span>
next
edit <span class="s2">"sctp_scan"</span>
<span class="nb">set</span> threshold <span class="m">1000</span>
next
edit <span class="s2">"sctp_src_session"</span>
<span class="nb">set</span> threshold <span class="m">5000</span>
next
edit <span class="s2">"sctp_dst_session"</span>
<span class="nb">set</span> threshold <span class="m">5000</span>
next
end
next
end
</code></pre></div>
<h3>Verification</h3>
<p>Sending 5 packets per second, the traffic is NOT blocked: </p>
<div class="highlight"><pre><span></span><code>root@ubuntu:~# ping -i <span class="m">0</span>.2 <span class="m">12</span>.12.12.3
PING <span class="m">12</span>.12.12.3 <span class="o">(</span><span class="m">12</span>.12.12.3<span class="o">)</span> <span class="m">56</span><span class="o">(</span><span class="m">84</span><span class="o">)</span> bytes of data.
<span class="m">64</span> bytes from <span class="m">12</span>.12.12.3: <span class="nv">icmp_seq</span><span class="o">=</span><span class="m">1</span> <span class="nv">ttl</span><span class="o">=</span><span class="m">255</span> <span class="nv">time</span><span class="o">=</span><span class="m">3</span>.03 ms
<span class="m">64</span> bytes from <span class="m">12</span>.12.12.3: <span class="nv">icmp_seq</span><span class="o">=</span><span class="m">2</span> <span class="nv">ttl</span><span class="o">=</span><span class="m">255</span> <span class="nv">time</span><span class="o">=</span><span class="m">1</span>.96 ms
<span class="m">64</span> bytes from <span class="m">12</span>.12.12.3: <span class="nv">icmp_seq</span><span class="o">=</span><span class="m">3</span> <span class="nv">ttl</span><span class="o">=</span><span class="m">255</span> <span class="nv">time</span><span class="o">=</span><span class="m">0</span>.469 ms
<span class="m">64</span> bytes from <span class="m">12</span>.12.12.3: <span class="nv">icmp_seq</span><span class="o">=</span><span class="m">4</span> <span class="nv">ttl</span><span class="o">=</span><span class="m">255</span> <span class="nv">time</span><span class="o">=</span><span class="m">0</span>.318 ms
<span class="m">64</span> bytes from <span class="m">12</span>.12.12.3: <span class="nv">icmp_seq</span><span class="o">=</span><span class="m">5</span> <span class="nv">ttl</span><span class="o">=</span><span class="m">255</span> <span class="nv">time</span><span class="o">=</span><span class="m">0</span>.405 ms
<span class="m">64</span> bytes from <span class="m">12</span>.12.12.3: <span class="nv">icmp_seq</span><span class="o">=</span><span class="m">6</span> <span class="nv">ttl</span><span class="o">=</span><span class="m">255</span> <span class="nv">time</span><span class="o">=</span><span class="m">0</span>.497 ms
</code></pre></div>
<p>Sending roughly 10 packets per second, the Fortigate starts to block the excessive ICMP packets.</p>
<div class="highlight"><pre><span></span><code>root@ubuntu:~# ping -i <span class="m">0</span>.1 <span class="m">12</span>.12.12.3
PING <span class="m">12</span>.12.12.3 <span class="o">(</span><span class="m">12</span>.12.12.3<span class="o">)</span> <span class="m">56</span><span class="o">(</span><span class="m">84</span><span class="o">)</span> bytes of data.
<span class="m">64</span> bytes from <span class="m">12</span>.12.12.3: <span class="nv">icmp_seq</span><span class="o">=</span><span class="m">1</span> <span class="nv">ttl</span><span class="o">=</span><span class="m">255</span> <span class="nv">time</span><span class="o">=</span><span class="m">1</span>.33 ms
<span class="m">64</span> bytes from <span class="m">12</span>.12.12.3: <span class="nv">icmp_seq</span><span class="o">=</span><span class="m">2</span> <span class="nv">ttl</span><span class="o">=</span><span class="m">255</span> <span class="nv">time</span><span class="o">=</span><span class="m">0</span>.712 ms
...
--- <span class="m">12</span>.12.12.3 ping statistics ---
<span class="m">143</span> packets transmitted, <span class="m">115</span> received, <span class="m">19</span>% packet loss, <span class="nb">time</span> 14526ms
</code></pre></div>
<p>To see the active attacks/blocked anomalies (the block happens when <code>freq</code> reaches 10 or higher): </p>
<h3>diagnose ips anomaly list</h3>
<div class="highlight"><pre><span></span><code>FG3-AS1680 <span class="c1"># diagnose ips anomaly list</span>
list nids meter:
<span class="nv">id</span><span class="o">=</span>icmp_flood <span class="nv">ip</span><span class="o">=</span><span class="m">12</span>.12.12.3 <span class="nv">dos_id</span><span class="o">=</span><span class="m">1</span> <span class="nv">exp</span><span class="o">=</span><span class="m">993</span> <span class="nv">pps</span><span class="o">=</span><span class="m">1</span> <span class="nv">freq</span><span class="o">=</span><span class="m">14</span>
</code></pre></div>
<p>Next, I add a second policy with destination address <code>all</code>, but also with quarantine enabled.</p>
<div class="highlight"><pre><span></span><code>config firewall DoS-policy
edit <span class="m">2</span>
<span class="nb">set</span> interface <span class="s2">"port1"</span>
<span class="nb">set</span> srcaddr <span class="s2">"all"</span>
<span class="nb">set</span> dstaddr <span class="s2">"all"</span>
<span class="nb">set</span> service <span class="s2">"ALL"</span>
config anomaly
edit <span class="s2">"icmp_flood"</span>
<span class="nb">set</span> status <span class="nb">enable</span>
<span class="nb">set</span> log <span class="nb">enable</span>
<span class="nb">set</span> quarantine attacker
<span class="nb">set</span> quarantine-expiry 2m <-- to <span class="nb">set</span> to <span class="m">2</span> min I entered: 000d00h02m
<span class="nb">set</span> quarantine-log disable
<span class="nb">set</span> threshold <span class="m">10</span>
next
</code></pre></div>
<p>Exceeding the threshold: </p>
<div class="highlight"><pre><span></span><code>root@ubuntu:~# ping -c <span class="m">2000</span> -i <span class="m">0</span>.01 <span class="m">13</span>.13.13.6
PING <span class="m">13</span>.13.13.6 <span class="o">(</span><span class="m">13</span>.13.13.6<span class="o">)</span> <span class="m">56</span><span class="o">(</span><span class="m">84</span><span class="o">)</span> bytes of data.
<span class="m">64</span> bytes from <span class="m">13</span>.13.13.6: <span class="nv">icmp_seq</span><span class="o">=</span><span class="m">1</span> <span class="nv">ttl</span><span class="o">=</span><span class="m">254</span> <span class="nv">time</span><span class="o">=</span><span class="m">0</span>.741 ms
<span class="m">64</span> bytes from <span class="m">13</span>.13.13.6: <span class="nv">icmp_seq</span><span class="o">=</span><span class="m">2</span> <span class="nv">ttl</span><span class="o">=</span><span class="m">254</span> <span class="nv">time</span><span class="o">=</span><span class="m">1</span>.82 ms
<span class="m">64</span> bytes from <span class="m">13</span>.13.13.6: <span class="nv">icmp_seq</span><span class="o">=</span><span class="m">3</span> <span class="nv">ttl</span><span class="o">=</span><span class="m">254</span> <span class="nv">time</span><span class="o">=</span><span class="m">1</span>.89 ms
--- <span class="m">13</span>.13.13.6 ping statistics ---
<span class="m">2000</span> packets transmitted, <span class="m">11</span> received, <span class="m">99</span>% packet loss, <span class="nb">time</span> 24308ms
</code></pre></div>
<p>As you can see, the first 10 packets were allowed and the 11th packet triggered the following block.</p>
<div class="highlight"><pre><span></span><code>FG3-AS1680 <span class="c1"># diagnose ips anomaly list</span>
<span class="nv">id</span><span class="o">=</span>icmp_flood <span class="nv">ip</span><span class="o">=</span><span class="m">13</span>.13.13.6 <span class="nv">dos_id</span><span class="o">=</span><span class="m">2</span> <span class="nv">exp</span><span class="o">=</span><span class="m">998</span> <span class="nv">pps</span><span class="o">=</span><span class="m">38</span> <span class="nv">freq</span><span class="o">=</span><span class="m">83</span>
</code></pre></div>
<p>Also, because I set the quarantine period to 2 minutes, even after stopping the attack traffic the sending server is blocked from sending ANY packets to the target 13.13.13.6 for the next 2 minutes:</p>
<div class="highlight"><pre><span></span><code>root@ubuntu:~# ping <span class="m">13</span>.13.13.6
PING <span class="m">13</span>.13.13.6 <span class="o">(</span><span class="m">13</span>.13.13.6<span class="o">)</span> <span class="m">56</span><span class="o">(</span><span class="m">84</span><span class="o">)</span> bytes of data.
--- <span class="m">13</span>.13.13.6 ping statistics ---
<span class="m">11</span> packets transmitted, <span class="m">0</span> received, <span class="m">100</span>% packet loss, <span class="nb">time</span> 10029ms
</code></pre></div>
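<p>To reason about the three ping tests above without a lab, here is an added model of the behaviour the post describes (my own Python, not FortiOS code). It assumes a sliding one-second window per destination, first-match policy ordering, that <code>quarantine attacker</code> bans all traffic from the source IP, and models only the <code>*_flood</code> anomalies; the sender 192.0.2.10 is a constructed address.</p>

```python
"""Offline model of the FortiGate DoS-policy behaviour described above.

This is an added example, not FortiOS code. It reproduces only the semantics the
post states: a per-destination packets-per-second threshold on an enabled anomaly,
'block' dropping the excess, and 'quarantine attacker' banning the source for
quarantine-expiry seconds even after the flood stops. Assumptions that are mine:
the counter is a sliding one-second window, the first matching DoS policy wins,
and quarantine bans all traffic from the source IP, not just traffic to the
flooded target.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple


@dataclass
class Anomaly:
    threshold: int                    # packets per second still allowed
    status: bool = False              # FortiOS default: disabled
    action: str = "pass"              # FortiOS default: pass (count only)
    quarantine_attacker: bool = False
    quarantine_expiry: float = 0.0    # seconds; the post uses 2 minutes


@dataclass
class DosPolicy:
    dos_id: int
    interface: str
    dstaddr: str                      # "all" or one IP, as in the post
    service: str                      # "ALL" or "ALL_<PROTO>", e.g. "ALL_ICMP"
    anomalies: Dict[str, Anomaly] = field(default_factory=dict)

    def matches(self, iface: str, dst: str, proto: str) -> bool:
        if iface != self.interface:
            return False
        if self.dstaddr not in ("all", dst):
            return False
        return self.service in ("ALL", "ALL_" + proto.upper())


class DosEngine:
    """Evaluates one packet at a time against an ordered list of DoS policies."""

    def __init__(self, policies: List[DosPolicy]) -> None:
        self.policies = policies
        # (dos_id, anomaly, destination) -> arrival times within the last second
        self._window: Dict[Tuple[int, str, str], Deque[float]] = defaultdict(deque)
        self.quarantine: Dict[str, float] = {}   # source IP -> quarantine end time

    def packet(self, t: float, iface: str, src: str, dst: str, proto: str) -> str:
        """Return 'allow' or 'drop' for a packet arriving at time t (seconds)."""
        if self.quarantine.get(src, 0.0) > t:
            return "drop"                         # quarantined sender: everything dropped
        for pol in self.policies:
            if not pol.matches(iface, dst, proto):
                continue
            name = proto + "_flood"               # only the *_flood anomalies are modelled
            anom = pol.anomalies.get(name)
            if anom is None or not anom.status:
                return "allow"                    # listed but disabled = no protection
            win = self._window[(pol.dos_id, name, dst)]
            while win and t - win[0] >= 1.0:
                win.popleft()                     # slide the one-second window
            win.append(t)
            if len(win) <= anom.threshold or anom.action != "block":
                return "allow"                    # under threshold, or action 'pass'
            if anom.quarantine_attacker:
                self.quarantine[src] = t + anom.quarantine_expiry
            return "drop"
        return "allow"                            # no DoS policy matched


def build_post_policies() -> List[DosPolicy]:
    """The two DoS policies from the post. Policy 2's listing omits 'set action';
    I assume 'block' there, since its test shows 99% packet loss."""
    return [
        DosPolicy(1, "port1", "12.12.12.3", "ALL_ICMP",
                  {"icmp_flood": Anomaly(threshold=10, status=True, action="block")}),
        DosPolicy(2, "port1", "all", "ALL",
                  {"icmp_flood": Anomaly(threshold=10, status=True, action="block",
                                         quarantine_attacker=True, quarantine_expiry=120)}),
    ]


def replay(engine: DosEngine, packets: List[Tuple[float, str, str]]) -> List[str]:
    """Replay (time, src, dst) ICMP packets arriving on port1; return the verdicts."""
    return [engine.packet(t, "port1", src, dst, "icmp") for t, src, dst in packets]


if __name__ == "__main__":
    # Constructed sender 192.0.2.10 (documentation range), not a host from the post.
    eng = DosEngine(build_post_policies())
    flood = [(i * 0.01, "192.0.2.10", "13.13.13.6") for i in range(11)]
    print(replay(eng, flood))                     # ten 'allow', then one 'drop'
    print(replay(eng, [(60.0, "192.0.2.10", "13.13.13.6")]))   # ['drop'], still quarantined
```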
<h3>Releasing the blocked senders</h3>
<p>Fortigate does not show us the source IPs of the blocked hosts, just the target IP. Still, we can clear the list of blocked attackers and allow the blocked senders to pass through. If they send the excessive traffic again, they will be blocked again, i.e. the clear action takes effect in real time and is not permanent. Also, senders blocked with the quarantine will remain blocked after clearing the list, until the quarantine expires.</p>
<div class="highlight"><pre><span></span><code>FG3-AS1680 <span class="c1"># diagnose ips anomaly list</span>
list nids meter:
<span class="nv">id</span><span class="o">=</span>icmp_flood <span class="nv">ip</span><span class="o">=</span><span class="m">12</span>.12.12.3 <span class="nv">dos_id</span><span class="o">=</span><span class="m">1</span> <span class="nv">exp</span><span class="o">=</span><span class="m">999</span> <span class="nv">pps</span><span class="o">=</span><span class="m">2</span> <span class="nv">freq</span><span class="o">=</span><span class="m">20</span>
</code></pre></div>
<p>Clear the list: </p>
<h3>diagnose ips anomaly clear</h3>
<div class="highlight"><pre><span></span><code>FG3-AS1680 <span class="c1"># diagnose ips anomaly clear</span>
FG3-AS1680 <span class="c1"># diagnose ips anomaly list</span>
list nids meter:
total <span class="c1"># of nids meters: 0.</span>
</code></pre></div>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
<h2>Fortigate BGP cookbook of example configuration and debug commands</h2>
<p>2020-05-20T10:59:25+00:00 / 2020-05-25T13:00:00+02:00, Yuri Slobodyanyuk, tag:yurisk.info,2020-05-20:/2020/05/20/fortigate-bgp-cookbook-of-example-configuration-and-debug/</p>
<p>Last updated: August 2020 <br>
PDF version of this post: <a href="/assets/Fortigate-BGP-cookbook-of-example-configuration-and-debug-commands.pdf">Fortigate BGP cookbook of example configuration and debug commands.pdf</a> </p>
<p><a href="#ee1">BGP with two ISPs for multi-homing, each advertising default gateway and full routing table. Uses route-map, prefix list, weight</a> <br>
<a href="#ee2">Prevent our Fortigate from becoming a transit AS, do not advertise learned via eBGP routes. Uses route-map, aspath-list</a> <br>
<a href="#ee3">Force FG1 to advertise default route without having one in RIB and without using blackhole routing. Uses default-originate</a> <br>
<a href="#ee4">Limit announced connected routes to 3.3.3.3 only. Uses route-map with redistribution</a> <br>
<a href="#ee5">Secure BGP session between ISP1 and FG3 with one way hash. Uses MD5 authentication</a><br>
<a href="#ee6">Make sure we can see received routing advertisements before and after any filtering is applied. Uses soft reconfiguration</a> <br>
<a href="#ee7">Set up BGP peering between FG3 and FG1 using loopback in FG3</a> <br>
<a href="#ee8">Remotely Triggered Black Hole Routing configuration</a></p>
<p>The BGP configuration flow in general is:</p>
<p><img alt="fortigate bgp cookbook configuration flow" src="/assets/fortigate-bgp-cookbook-case1.svg"></p>
<p><strong>List of all useful BGP debug and verification commands:</strong><br>
show router bgp<br>
get router info bgp summary<br>
get router info bgp network &lt;prefix&gt;<br>
get router info routing-table bgp<br>
get router info bgp neighbors<br>
get router info bgp neighbors &lt;IP of the neighbor&gt; advertised-routes<br>
get router info bgp neighbors &lt;IP of the neighbor&gt; routes<br>
get router info bgp neighbors &lt;IP of the neighbor&gt; received-routes<br>
diagnose sys tcpsock | grep 179<br>
diagnose ip router bgp level info<br>
diagnose ip router bgp all enable<br>
exec router clear bgp all </p>
<p><a name="ee1"></a></p>
<h2>BGP with two ISPs for multi-homing, each advertising default gateway and full routing table</h2>
<p>Task: Configure 2 BGP peerings with different providers, each ISP advertising to us (FG3, AS 1680) both the default and the Internet routes. Limit the routes learned from each ISP to the default route only. Advertise our internal network 10.10.10.1 to both ISPs, making sure clients on the Internet prefer ISP1 (AS 111) to reach this network. Also, we want to use ISP1 to reach the Internet, and ISP2 only if ISP1 fails. </p>
<p>Solution. </p>
<p>The topology of this case:</p>
<p><img alt="Fortigate BGP case 1 network topology diagram" src="/assets/Fortigate-BGP-case-1.svg"></p>
<p><strong>FG3, AS1680:</strong></p>
<ul>
<li>Create a prefix list to allow ONLY the default route (0.0.0.0/0) and deny everything else. </li>
</ul>
<div class="highlight"><pre><span></span><code>config router prefix-list
edit <span class="s2">"accept-dflt-only"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> prefix <span class="m">0</span>.0.0.0 <span class="m">0</span>.0.0.0
<span class="nb">unset</span> ge
<span class="nb">unset</span> le
next
end
next
end
</code></pre></div>
<ul>
<li>
<p>Prefer ISP1 to reach the Internet, with ISP2 as backup in case of failure. The easiest way to do so is the <code>weight</code> setting, which can be used inside <code>config neighbor</code> to set the weight for ALL routes learned from this neighbor. Alternatively, first use <code>config router prefix-list</code> to match specific route(s), then set the weight for these matched routes inside <code>config router route-map</code>, which in turn is applied to the neighbor. The other way would be to increase the Local Preference of the routes learned from ISP1, but this requires configuring a route-map, an extra step.<br>
Here we are not trying to prefer specific routes via ISP1 but all routes learned from it, so I will set the <em>weight</em> on the neighbor.</p>
</li>
<li>
<p>The next step is to make sure my advertised route 10.10.10.1 is reachable via both ISPs, but is preferred by Internet clients via ISP1. Usually you do this by prepending your own AS number to the advertised route(s). I create a route-map to do so:</p>
</li>
</ul>
<div class="highlight"><pre><span></span><code>config router route-map
edit <span class="s2">"prepend-out"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> set-aspath <span class="s2">"1680 1680"</span>
next
end
next
end
</code></pre></div>
<ul>
<li>Now I can configure both BGP peers on FG3, including redistributing the connected networks (here it is 10.10.10.1/32 of the loopback interface) into BGP: </li>
</ul>
<div class="highlight"><pre><span></span><code>config router bgp
<span class="nb">set</span> as <span class="m">1680</span>
config neighbor
edit <span class="s2">"12.12.12.12"</span>
<span class="nb">set</span> prefix-list-in <span class="s2">"accept-dflt-only"</span>
<span class="nb">set</span> remote-as <span class="m">111</span>
<span class="nb">set</span> weight <span class="m">10</span>
next
edit <span class="s2">"13.13.13.6"</span>
<span class="nb">set</span> prefix-list-in <span class="s2">"accept-dflt-only"</span>
<span class="nb">set</span> remote-as <span class="m">222</span>
<span class="nb">set</span> route-map-out <span class="s2">"prepend-out"</span>
next
end
config redistribute <span class="s2">"connected"</span>
<span class="nb">set</span> status <span class="nb">enable</span>
end
</code></pre></div>
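<p>To check the policy logic of this case without a lab, here is an added Python model (my own code, not FortiOS's) of FG3's inbound prefix-list filtering, weight-based best-path choice and outbound AS-path prepending. The class and helper names are assumptions; the IPs, AS numbers and object names are the ones configured above, and the next hop in advertised routes is a placeholder.</p>

```python
"""Offline model of the FG3 route policy configured above (Case 1). Added example, not
FortiOS code: it reproduces the prefix-list-in that accepts only 0.0.0.0/0 ('unset
ge'/'unset le' = exact length match), the per-neighbor weight that prefers ISP1, and
the outbound route-map that prepends '1680 1680' toward ISP2. Class and function names
are mine; IPs, AS numbers and object names are the post's. Best path = weight, then
AS-path length (simplified)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                # e.g. "0.0.0.0/0"
    as_path: Tuple[int, ...]   # leftmost AS = most recently prepended
    next_hop: str
    weight: int = 0            # local to this router, never advertised


@dataclass
class PrefixRule:
    prefix: str
    ge: Optional[int] = None   # None = 'unset ge' in the post
    le: Optional[int] = None   # None = 'unset le'
    action: str = "permit"

    def matches(self, candidate: str) -> bool:
        rule = ipaddress.ip_network(self.prefix, strict=False)
        cand = ipaddress.ip_network(candidate, strict=False)
        if not cand.subnet_of(rule):
            return False
        low = self.ge if self.ge is not None else rule.prefixlen
        high = self.le if self.le is not None else (
            rule.max_prefixlen if self.ge is not None else rule.prefixlen)
        return low <= cand.prefixlen <= high   # no ge/le: exact length only


@dataclass
class Neighbor:
    ip: str
    remote_as: int
    weight: int = 0
    prefix_list_in: Optional[str] = None
    route_map_out: Optional[str] = None


class BgpSpeaker:
    def __init__(self, local_as: int, neighbors: List[Neighbor],
                 prefix_lists: Dict[str, List[PrefixRule]], route_maps: Dict[str, str]):
        self.local_as = local_as
        self.neighbors = {n.ip: n for n in neighbors}
        self.prefix_lists = prefix_lists
        self.route_maps = route_maps     # name -> AS numbers to prepend ('set-aspath')
        self.rib_in: Dict[str, List[Route]] = {}   # neighbor -> routes that passed filters

    def _permitted(self, list_name: Optional[str], prefix: str) -> bool:
        if list_name is None:
            return True                  # no prefix-list-in: accept everything
        for rule in self.prefix_lists[list_name]:
            if rule.matches(prefix):
                return rule.action == "permit"
        return False                     # implicit deny at the end of every prefix-list

    def receive(self, neighbor_ip: str, routes: List[Route]) -> List[Route]:
        # apply prefix-list-in, then stamp the neighbor's weight on what survives
        nb = self.neighbors[neighbor_ip]
        kept = [replace(r, weight=nb.weight)
                for r in routes if self._permitted(nb.prefix_list_in, r.prefix)]
        self.rib_in[neighbor_ip] = kept
        return kept

    def withdraw(self, neighbor_ip: str) -> None:
        self.rib_in.pop(neighbor_ip, None)   # peer down: forget everything it sent

    def best_path(self, prefix: str) -> Optional[Route]:
        cands = [r for rs in self.rib_in.values() for r in rs if r.prefix == prefix]
        if not cands:
            return None
        # highest weight wins; shorter AS path breaks ties
        return max(cands, key=lambda r: (r.weight, -len(r.as_path)))

    def advertise(self, prefix: str) -> Dict[str, Route]:
        # originate prefix to every eBGP neighbor, applying its route-map-out
        out: Dict[str, Route] = {}
        for ip, nb in self.neighbors.items():
            path: Tuple[int, ...] = (self.local_as,)      # eBGP always adds our own AS
            if nb.route_map_out:
                extra = tuple(int(a) for a in self.route_maps[nb.route_map_out].split())
                path = extra + path                         # 'set-aspath "1680 1680"'
            out[ip] = Route(prefix, path, next_hop="FG3")   # placeholder next hop
        return out


def build_fg3() -> BgpSpeaker:
    """FG3 (AS 1680) with the prefix-list, route-map and neighbors from the post."""
    return BgpSpeaker(1680, [
        Neighbor("12.12.12.12", remote_as=111, weight=10, prefix_list_in="accept-dflt-only"),
        Neighbor("13.13.13.6", remote_as=222, prefix_list_in="accept-dflt-only",
                 route_map_out="prepend-out"),
    ], {"accept-dflt-only": [PrefixRule("0.0.0.0/0")]}, {"prepend-out": "1680 1680"})
```

Feeding both ISPs' default and 8.8.8.8/32 advertisements into <code>build_fg3()</code> keeps only the two defaults, picks ISP1 by weight, falls back to ISP2 on <code>withdraw</code>, and advertises 10.10.10.1/32 with AS path 1680 to ISP1 and 1680 1680 1680 to ISP2.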
<h3>Verification.</h3>
<p>As the remote peers are not configured yet, the status will oscillate between Active and Connect:</p>
<h3>get router info bgp summary</h3>
<div class="highlight"><pre><span></span><code>FG3-AS1680 <span class="c1"># get router info bgp summary</span>
BGP router identifier <span class="m">10</span>.10.10.1, <span class="nb">local</span> AS number <span class="m">1680</span>
BGP table version is <span class="m">1</span>
<span class="m">1</span> BGP AS-PATH entries
<span class="m">0</span> BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
<span class="m">12</span>.12.12.12 <span class="m">4</span> <span class="m">111</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> never Active
<span class="m">13</span>.13.13.6 <span class="m">4</span> <span class="m">222</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> never Active
...
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
<span class="m">12</span>.12.12.12 <span class="m">4</span> <span class="m">111</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> never Active
<span class="m">13</span>.13.13.6 <span class="m">4</span> <span class="m">222</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> never Connect
</code></pre></div>
<p><strong>FG1, FG6</strong>.<br>
The BGP settings of both peers are almost identical (except for each one's local AS number and the FG3 peering IP), so I will list just FG1. One note: unlike <em>FG3</em>, which redistributes into BGP the directly connected loopback 10.10.10.1, I need both Fortigates here to advertise the default route 0.0.0.0/0, which they don't have. As I mentioned in the Configuration Flow graph, BGP by default will only advertise routes present in the active routing table (RIB). The Fortigate has 2 ways to circumvent this BGP standard requirement: we can announce the default route with <code>capability-default-originate</code>, and for other routes we can use <code>set network-import-check disable</code>. But I am not using either of them here. <br>
To satisfy this condition, I add a blackhole route for 0.0.0.0/0; in the Cisco world it is called a "route to Null0". This adds 0.0.0.0/0 as a static route, which I can then redistribute into BGP.<br>
<em>Note 1</em>: Additionally, to simulate "Internet" IPs, I added 8.8.8.8 as a loopback on both FG1 and FG6 and redistribute it via <code>redistribute connected</code>.</p>
<p><em>Note 2</em>: An important point I glossed over in FG3 is the <code>router-id</code>. Fortigate (as well as Cisco and most others) will take the highest IP address available on a loopback interface unless the router-id is explicitly set. In this specific setup I have the 8.8.8.8 address set on the loopbacks of both FG1 and FG6, to advertise it as an "Internet" address to FG3. And this may cause a problem: if any BGP peer detects its own router-id coming from the peer, the BGP session will be torn down with a NOTIFICATION sent. So here it is a must, but in general it is a good idea to set the <code>router-id</code> manually to a unique IP address. I will add a unique router-id to FG3 and FG6. </p>
<p>When such a situation of duplicate router-ids happens, Fortigate will show the error: </p>
<div class="highlight"><pre><span></span><code>BGP: <span class="m">12</span>.12.12.12-Outgoing <span class="o">[</span>DECODE<span class="o">]</span> Open: Invalid Router ID <span class="m">8</span>.8.8.8
</code></pre></div>
<p><strong>FG1</strong>:</p>
<div class="highlight"><pre><span></span><code>config router static
edit <span class="m">1</span>
<span class="nb">set</span> dst <span class="m">0</span>.0.0.0/0
<span class="nb">set</span> blackhole <span class="nb">enable</span>
next
end
</code></pre></div>
<h3>Verification</h3>
<p>Note: to save myself typing, I add this alias to show the routing table:</p>
<div class="highlight"><pre><span></span><code>config system <span class="nb">alias</span>
edit <span class="s2">"rt"</span>
<span class="nb">set</span> <span class="nb">command</span> <span class="s2">"get router info routing all"</span>
next
end
</code></pre></div>
<p>So when you see it in the output instead of the full command <code>get router info routing all</code>, know that it is an alias, and not a secret hidden command in Fortigate :).</p>
<div class="highlight"><pre><span></span><code><span class="c1"># alias rt</span>
Routing table <span class="k">for</span> <span class="nv">VRF</span><span class="o">=</span><span class="m">0</span>
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external <span class="nb">type</span> <span class="m">1</span>, N2 - OSPF NSSA external <span class="nb">type</span> <span class="m">2</span>
E1 - OSPF external <span class="nb">type</span> <span class="m">1</span>, E2 - OSPF external <span class="nb">type</span> <span class="m">2</span>
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* <span class="m">0</span>.0.0.0/0 <span class="o">[</span><span class="m">10</span>/0<span class="o">]</span> is a summary, Null <--- This is the default route we want to be present <span class="k">in</span> the RIB and now it is.
C <span class="m">2</span>.2.2.2/32 is directly connected, Loop1
C <span class="m">8</span>.8.8.8/32 is directly connected, Loop2
C <span class="m">13</span>.13.13.0/24 is directly connected, port1
</code></pre></div>
<ul>
<li>Now let's configure the BGP on FG1:</li>
</ul>
<div class="highlight"><pre><span></span><code>config router bgp
<span class="nb">set</span> as <span class="m">111</span>
<span class="nb">set</span> router-id <span class="m">1</span>.1.1.1
config neighbor
edit <span class="s2">"12.12.12.3"</span>
<span class="nb">set</span> remote-as <span class="m">1680</span>
next
end
config redistribute <span class="s2">"connected"</span>
<span class="nb">set</span> status <span class="nb">enable</span>
config redistribute <span class="s2">"static"</span>
<span class="nb">set</span> status <span class="nb">enable</span>
end
</code></pre></div>
<h2>Verification</h2>
<p>First, let's see if the BGP peering with both ISPs has been established (yes, it has).<br>
On FG3:</p>
<div class="highlight"><pre><span></span><code>FG3-AS1680 <span class="c1"># get router info bgp summary</span>
BGP router identifier <span class="m">10</span>.10.10.1, <span class="nb">local</span> AS number <span class="m">1680</span>
BGP table version is <span class="m">7</span>
<span class="m">3</span> BGP AS-PATH entries
<span class="m">0</span> BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
<span class="m">12</span>.12.12.12 <span class="m">4</span> <span class="m">111</span> <span class="m">126</span> <span class="m">297</span> <span class="m">5</span> <span class="m">0</span> <span class="m">0</span> <span class="m">00</span>:02:35 <span class="m">1</span>
<span class="m">13</span>.13.13.6 <span class="m">4</span> <span class="m">222</span> <span class="m">121</span> <span class="m">288</span> <span class="m">6</span> <span class="m">0</span> <span class="m">0</span> <span class="m">00</span>:02:12 <span class="m">1</span>
Total number of neighbors <span class="m">2</span>
</code></pre></div>
<p>Let's see if we are getting the default route from both peers:</p>
<h3>get router info bgp network 0.0.0.0/0</h3>
<div class="highlight"><pre><span></span><code>FG3-AS1680 <span class="c1"># get router info bgp network 0.0.0.0/0</span>
BGP routing table entry <span class="k">for</span> <span class="m">0</span>.0.0.0/0
Paths: <span class="o">(</span><span class="m">2</span> available, best <span class="c1">#2, table Default-IP-Routing-Table) <--- Yes, we do</span>
Advertised to non peer-group peers:
<span class="m">13</span>.13.13.6 <--- This is not good, <span class="nb">read</span> further why
<span class="m">222</span>
<span class="m">13</span>.13.13.6 from <span class="m">13</span>.13.13.6 <span class="o">(</span><span class="m">6</span>.6.6.6<span class="o">)</span>
Origin incomplete metric <span class="m">0</span>, localpref <span class="m">100</span>, valid, external
Last update: Wed May <span class="m">20</span> <span class="m">12</span>:06:00 <span class="m">2020</span>
<span class="m">111</span>
<span class="m">12</span>.12.12.12 from <span class="m">12</span>.12.12.12 <span class="o">(</span><span class="m">1</span>.1.1.1<span class="o">)</span> <--- default route from ISP1
Origin incomplete metric <span class="m">0</span>, localpref <span class="m">100</span>, weight <span class="m">10</span>, valid, external, best <--- preferred because its weight is <span class="m">10</span>
Last update: Wed May <span class="m">20</span> <span class="m">12</span>:05:58 <span class="m">2020</span> <--- the 2nd ISP peer has weight not set, think <span class="m">0</span>
</code></pre></div>
<p><em>Now we need to make sure we advertise our network 10.10.10.1 to both peers</em>:</p>
<p>This is what we advertise to ISP1: </p>
<h3>FG3-AS1680 #get router info bgp neighbors 12.12.12.12 advertised-routes</h3>
<div class="highlight"><pre><span></span><code>BGP table version is <span class="m">3</span>, <span class="nb">local</span> router ID is <span class="m">10</span>.10.10.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> <span class="m">3</span>.3.3.3/32 <span class="m">12</span>.12.12.3 <span class="m">32768</span> <span class="m">0</span> ?
*> <span class="m">10</span>.10.10.1/32 <span class="m">12</span>.12.12.3 <span class="m">32768</span> <span class="m">0</span> ?
*> <span class="m">12</span>.12.12.0/24 <span class="m">12</span>.12.12.3 <span class="m">32768</span> <span class="m">0</span> ?
*> <span class="m">13</span>.13.13.0/24 <span class="m">12</span>.12.12.3 <span class="m">32768</span> <span class="m">0</span> ?
Total number of prefixes <span class="m">4</span>
</code></pre></div>
<p>Looks good - we advertise 10.10.10.1, as well as other <em>directly connected</em> networks from <em>port1</em>, <em>port2</em>, and <em>loopback</em>.</p>
<p><em>And what do we advertise to the ISP2?</em> </p>
<h3>FG3-AS1680 # get router info bgp neighbors 13.13.13.6 advertised-routes</h3>
<div class="highlight"><pre><span></span><code>BGP table version is <span class="m">3</span>, <span class="nb">local</span> router ID is <span class="m">10</span>.10.10.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> <span class="m">0</span>.0.0.0/0 <span class="m">13</span>.13.13.3 <span class="m">10</span> <span class="m">0</span> <span class="m">1680</span> <span class="m">1680</span> <span class="m">111</span> ?
*> <span class="m">3</span>.3.3.3/32 <span class="m">13</span>.13.13.3 <span class="m">32768</span> <span class="m">0</span> <span class="m">1680</span> <span class="m">1680</span> ? <--- route-map prepends twice AS <span class="m">1680</span>
*> <span class="m">10</span>.10.10.1/32 <span class="m">13</span>.13.13.3 <span class="m">32768</span> <span class="m">0</span> <span class="m">1680</span> <span class="m">1680</span> ?
*> <span class="m">12</span>.12.12.0/24 <span class="m">13</span>.13.13.3 <span class="m">32768</span> <span class="m">0</span> <span class="m">1680</span> <span class="m">1680</span> ?
*> <span class="m">13</span>.13.13.0/24 <span class="m">13</span>.13.13.3 <span class="m">32768</span> <span class="m">0</span> <span class="m">1680</span> <span class="m">1680</span> ?
Total number of prefixes <span class="m">5</span>
</code></pre></div>
<p>As you probably noticed, there are too many routes! Indeed, we have a problem here: instead of advertising just our own (AS 1680) routes, as we do to ISP1, we also advertise the route we learned from ISP1 (0.0.0.0/0)! We have become a <strong>transit AS</strong>: if ISP2 does not filter the routes it receives from us, its customers may reach networks behind ISP1 through us, and for free. ISP1 may also regard our re-advertisement of its routes as BGP hijacking and be very unhappy about it. To fix this we need route filtering, either on the ISP1 and ISP2 sides or on our own outgoing advertisements. I will look into it in the next scenario.</p>
<p>The good news is that the route-map prepending AS 1680, which makes the path via ISP2 less preferred for our network, works.</p>
<p><em>Let's have a look at the work the <code>prefix-list</code> filtering is doing on FG3</em>. The BGP debug should show it:</p>
<h3>FG3-AS1680 # diagnose ip router bgp level info</h3>
<p>Here I set the BGP debug level to INFO, as the default level of ERROR will not show enough information. Next I run the debug.</p>
<h3>diagnose ip router bgp all enable</h3>
<p>Unfortunately, as the BGP session is already established, nothing really happens, so I clear ALL BGP sessions (not something you want to do lightly on a production Fortigate):</p>
<h3>exec router clear bgp all</h3>
<div class="highlight"><pre><span></span><code>BGP: <span class="m">13</span>.13.13.6-Outgoing <span class="o">[</span>FSM<span class="o">]</span> State: OpenConfirm Event: <span class="m">26</span>
<span class="nv">id</span><span class="o">=</span><span class="m">20300</span> <span class="nv">logdesc</span><span class="o">=</span><span class="s2">"BGP neighbor status changed"</span> <span class="nv">msg</span><span class="o">=</span><span class="s2">"BGP: %BGP-5-ADJCHANGE: neighbor 13.13.13.6 Up "</span> <--- The BGP session with ISP2 is established
BGP: <span class="m">13</span>.13.13.6-Outgoing <span class="o">[</span>DECODE<span class="o">]</span> Update: NLRI Len<span class="o">(</span><span class="m">15</span><span class="o">)</span>
BGP: <span class="m">13</span>.13.13.6-Outgoing <span class="o">[</span>FSM<span class="o">]</span> State: Established Event: <span class="m">27</span>
BGP: <span class="m">13</span>.13.13.6-Outgoing <span class="o">[</span>RIB<span class="o">]</span> Update: Received Prefix <span class="m">0</span>.0.0.0/0 <--- And here we can see prefix-list filtering
BGP: <span class="m">13</span>.13.13.6-Outgoing <span class="o">[</span>RIB<span class="o">]</span> Update: Prefix <span class="m">13</span>.13.13.0/24 denied due to filter <--- <span class="k">in</span> action , <span class="m">0</span>.0.0.0/0 is accepted but
BGP: <span class="m">13</span>.13.13.6-Outgoing <span class="o">[</span>RIB<span class="o">]</span> Update: Prefix <span class="m">8</span>.8.8.8/32 denied due to filter <--- the rest of received routes are discarded
BGP: <span class="m">13</span>.13.13.6-Outgoing <span class="o">[</span>RIB<span class="o">]</span> Update: Prefix <span class="m">2</span>.2.2.2/32 denied due to filter
</code></pre></div>
<p>Disable all debug: </p>
<h3>diagnose debug reset</h3>
<p><a name="ee2"></a> </p>
<h2>Prevent our Fortigate from becoming a transit AS, do not advertise learned via eBGP routes.</h2>
<p>As seen in the previous case, without any filtering on FG3, everything it learns from its BGP peers and installs in its routing table is advertised to all of its BGP peers.</p>
<p>We can prevent it in a few ways:<br>
- Filter outgoing advertisements to include only our networks by IP prefix (not very scalable, but granular)<br>
- Filter outgoing advertisements by AS number (much more scalable, but not granular)</p>
<p>The first way is to explicitly allow our own networks in outgoing advertisements and block everything else.
As for blocking everything else: both prefix lists and ACLs end with an implicit deny any any, so it is not necessary to deny everything else explicitly.</p>
<h3>Matching networks using prefix lists</h3>
<p>Prefix lists compare routes using the prefix (network) and the prefix length (subnet mask length in bits).<br>
Some examples of using prefix lists:</p>
<table class="w3-table w3-striped w3-border">
<tr class="w3-green">
<th>Prefix </th>
<th> What matches</th>
</tr>
<tr>
<td> 0.0.0.0/0 le 32</td>
<td> Matches ANY prefix of ANY length</td>
</tr>
<tr>
<td>0.0.0.0/0 ge 24 le 24</td>
<td>Matches ANY network/prefix with subnet 24 bits long</td>
</tr>
<tr>
<td> 0.0.0.0/0 ge 24</td>
<td> Matches any network with a subnet mask of 24 bits or longer. Usually used by uplink providers to block incoming routes that are too specific, to keep the routing table a manageable size.
</td>
</tr>
<tr>
<td>0.0.0.0/0 </td>
<td>Matches default route only</td>
</tr>
<tr>
<td> 10.0.0.0/8</td>
<td>Matches the exact prefix 10.0.0.0/8 only; without ge/le no more specific prefix (e.g. 10.1.0.0/16) matches</td>
</tr>
<tr>
<td> 13.13.0.0/16 ge 25 </td>
<td> Matches any prefix within 13.13.0.0/16, i.e. from 13.13.0.0 to 13.13.255.255, provided it also has a mask length of 25 bits or longer, e.g. 13.13.123.0/25 or 13.13.123.128/25 but not 13.13.0.0/24</td>
</tr>
<tr>
<td> 13.13.0.0/16 ge 25 le 30</td>
<td> Matches prefixes within 13.13.0.0 - 13.13.255.255 with a mask length of 25 bits or longer, up to and including 30 bits.</td>
</tr>
</table>
<p>The following prefix-list will allow just networks 10.10.10.1/32 and 3.3.3.3/32:</p>
<div class="highlight"><pre><span></span><code>config router prefix-list
edit <span class="s2">"own-nets-only-out"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> prefix <span class="m">10</span>.10.10.1 <span class="m">255</span>.255.255.255
<span class="nb">unset</span> ge
<span class="nb">unset</span> le
next
edit <span class="m">2</span>
<span class="nb">set</span> prefix <span class="m">3</span>.3.3.3 <span class="m">255</span>.255.255.255
<span class="nb">unset</span> ge
<span class="nb">unset</span> le
next
end
next
</code></pre></div>
<p>What is left is to apply the prefix list outbound to both peers on FG3:</p>
<div class="highlight"><pre><span></span><code>config router bgp
<span class="nb">set</span> as <span class="m">1680</span>
config neighbor
edit <span class="s2">"12.12.12.12"</span>
<span class="nb">set</span> prefix-list-in <span class="s2">"accept-dflt-only"</span>
<span class="nb">set</span> prefix-list-out <span class="s2">"own-nets-only-out"</span>
<span class="nb">set</span> remote-as <span class="m">111</span>
<span class="nb">set</span> weight <span class="m">10</span>
next
edit <span class="s2">"13.13.13.6"</span>
<span class="nb">set</span> prefix-list-in <span class="s2">"accept-dflt-only"</span>
<span class="nb">set</span> prefix-list-out <span class="s2">"own-nets-only-out"</span>
<span class="nb">set</span> remote-as <span class="m">222</span>
<span class="nb">set</span> route-map-out <span class="s2">"prepend-out"</span>
next
end
</code></pre></div>
<p>The advertised routes before:</p>
<div class="highlight"><pre><span></span><code>FG3-AS1680 <span class="c1"># get router info bgp neighbors 13.13.13.6 advertised-routes</span>
Network Next Hop Metric LocPrf Weight RouteTag Path
*> <span class="m">0</span>.0.0.0/0 <span class="m">13</span>.13.13.3 <span class="m">10</span> <span class="m">0</span> <span class="m">1680</span> <span class="m">1680</span> <span class="m">111</span> ?
*> <span class="m">3</span>.3.3.3/32 <span class="m">13</span>.13.13.3 <span class="m">32768</span> <span class="m">0</span> <span class="m">1680</span> <span class="m">1680</span> ?
*> <span class="m">10</span>.10.10.1/32 <span class="m">13</span>.13.13.3 <span class="m">32768</span> <span class="m">0</span> <span class="m">1680</span> <span class="m">1680</span> ?
*> <span class="m">12</span>.12.12.0/24 <span class="m">13</span>.13.13.3 <span class="m">32768</span> <span class="m">0</span> <span class="m">1680</span> <span class="m">1680</span> ?
*> <span class="m">13</span>.13.13.0/24 <span class="m">13</span>.13.13.3 <span class="m">32768</span> <span class="m">0</span> <span class="m">1680</span> <span class="m">1680</span> ?
Total number of prefixes <span class="m">5</span>
FG3-AS1680 <span class="c1">#get router info bgp neighbors 12.12.12.12 advertised-routes </span>
BGP table version is <span class="m">3</span>, <span class="nb">local</span> router ID is <span class="m">10</span>.10.10.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> <span class="m">3</span>.3.3.3/32 <span class="m">12</span>.12.12.3 <span class="m">32768</span> <span class="m">0</span> ?
*> <span class="m">10</span>.10.10.1/32 <span class="m">12</span>.12.12.3 <span class="m">32768</span> <span class="m">0</span> ?
*> <span class="m">12</span>.12.12.0/24 <span class="m">12</span>.12.12.3 <span class="m">32768</span> <span class="m">0</span> ?
*> <span class="m">13</span>.13.13.0/24 <span class="m">12</span>.12.12.3 <span class="m">32768</span> <span class="m">0</span> ?
Total number of prefixes <span class="m">4</span>
</code></pre></div>
<p>And after applying the prefix list:</p>
<div class="highlight"><pre><span></span><code>FG3-AS1680 <span class="c1"># get router info bgp neighbors 13.13.13.6 advertised-routes </span>
Network Next Hop Metric LocPrf Weight RouteTag Path
*> <span class="m">3</span>.3.3.3/32 <span class="m">13</span>.13.13.3 <span class="m">32768</span> <span class="m">0</span> <span class="m">1680</span> <span class="m">1680</span> ?
*> <span class="m">10</span>.10.10.1/32 <span class="m">13</span>.13.13.3 <span class="m">32768</span> <span class="m">0</span> <span class="m">1680</span> <span class="m">1680</span> ?
Total number of prefixes <span class="m">2</span>
FG3-AS1680 <span class="c1"># get router info bgp neighbors 12.12.12.12 advertised-routes</span>
Network Next Hop Metric LocPrf Weight RouteTag Path
*> <span class="m">3</span>.3.3.3/32 <span class="m">12</span>.12.12.3 <span class="m">32768</span> <span class="m">0</span> ?
*> <span class="m">10</span>.10.10.1/32 <span class="m">12</span>.12.12.3 <span class="m">32768</span> <span class="m">0</span> ?
Total number of prefixes <span class="m">2</span>
</code></pre></div>
<p>Also note that to the ISP2 peer both networks are still advertised with AS 1680 prepended; this is because the route-map is applied last in the incoming/outgoing route processing.</p>
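<p>To see the matching rules of the prefix-list table above in action, here is an added Python example (my own code, not part of the post or of FortiOS) that implements the prefix/ge/le semantics and the implicit deny, then runs FG3's <code>own-nets-only-out</code> list over the five prefixes advertised to ISP2 before filtering. The first-match-wins rule order and the sample routes used for the table checks are assumptions.</p>

```python
"""Fortigate-style prefix-list matching (added example; not FortiOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixRule:
    """One 'config rule' entry of a prefix-list: prefix plus optional ge/le."""
    prefix: str                 # e.g. "13.13.0.0/16"
    ge: Optional[int] = None    # minimum prefix length (inclusive)
    le: Optional[int] = None    # maximum prefix length (inclusive)
    action: str = "permit"


def rule_matches(rule: PrefixRule, route: str) -> bool:
    """True if 'route' (CIDR string) matches the rule, with the semantics of
    the table above:
      - no ge/le : only the exact prefix length matches
      - ge only  : lengths from ge up to the maximum (32 for IPv4)
      - le only  : lengths from the rule's own length up to le
      - ge and le: lengths from ge to le
    In every case the route must lie inside the rule's prefix."""
    net = ipaddress.ip_network(rule.prefix, strict=False)
    cand = ipaddress.ip_network(route, strict=False)
    if cand.version != net.version or not cand.subnet_of(net):
        return False
    lo = hi = net.prefixlen
    if rule.ge is not None:
        lo, hi = rule.ge, net.max_prefixlen
    if rule.le is not None:
        hi = rule.le
    return lo <= cand.prefixlen <= hi


def evaluate(rules: List[PrefixRule], route: str) -> str:
    """First matching rule wins (assumed); the list ends with an implicit deny."""
    for rule in rules:
        if rule_matches(rule, route):
            return rule.action
    return "deny"


def filter_advertised(rules: List[PrefixRule], routes: List[str]) -> List[str]:
    """Prefixes that survive an outbound prefix-list, in original order."""
    return [r for r in routes if evaluate(rules, r) == "permit"]


# Constructed from this post's lab: FG3's prefix-list and the five prefixes it
# advertised to ISP2 before the filter was applied.
OWN_NETS_ONLY_OUT = [PrefixRule("10.10.10.1/32"), PrefixRule("3.3.3.3/32")]
ADVERTISED_BEFORE = ["0.0.0.0/0", "3.3.3.3/32", "10.10.10.1/32",
                     "12.12.12.0/24", "13.13.13.0/24"]

# Rows of the table above: (rule, routes that must match, routes that must not).
# The sample routes are constructed for the check.
TABLE_CHECKS: List[Tuple[PrefixRule, List[str], List[str]]] = [
    (PrefixRule("0.0.0.0/0", le=32), ["0.0.0.0/0", "198.51.100.0/27"], []),
    (PrefixRule("0.0.0.0/0", ge=24, le=24), ["198.51.100.0/24"],
     ["198.51.100.0/25", "10.0.0.0/8"]),
    (PrefixRule("0.0.0.0/0", ge=24), ["198.51.100.0/24", "3.3.3.3/32"],
     ["10.0.0.0/8"]),
    (PrefixRule("0.0.0.0/0"), ["0.0.0.0/0"], ["10.0.0.0/8"]),
    (PrefixRule("10.0.0.0/8"), ["10.0.0.0/8"], ["10.10.10.0/24"]),
    (PrefixRule("13.13.0.0/16", ge=25), ["13.13.123.0/25", "13.13.123.128/25"],
     ["13.13.0.0/24"]),
    (PrefixRule("13.13.0.0/16", ge=25, le=30), ["13.13.1.0/30"],
     ["13.13.1.0/31", "13.13.0.0/24"]),
]


def check_table() -> bool:
    """Verify every row of the prefix-list table; True if all of them hold."""
    for rule, yes, no in TABLE_CHECKS:
        if not all(rule_matches(rule, r) for r in yes):
            return False
        if any(rule_matches(rule, r) for r in no):
            return False
    return True


if __name__ == "__main__":
    print("table rows hold:", check_table())
    print("advertised to ISP2 after filter:",
          filter_advertised(OWN_NETS_ONLY_OUT, ADVERTISED_BEFORE))
```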
<h2>Matching networks using AS PATH list</h2>
<p>BGP advertised routes carry quite a lot of information on which we can match, filter and perform other manipulation to our liking. One of the <strong>well-known mandatory</strong> attributes (i.e. present in EVERY BGP UPDATE that advertises routes, the others being <b>ORIGIN</b> and <b>NEXT_HOP</b>) is <b>AS_PATH</b>. So we can use AS path lists to allow advertising only our own routes.
AS path lists use regular expressions to match the AS numbers in the path. The regex dialect differs slightly from the familiar PCRE/sed. Special symbols understood:</p>
<table class="w3-table w3-striped w3-border">
<tr class="w3-green">
<th>Symbol</th>
<th> What matches</th>
</tr>
<tr>
<td><code>.</code> </td>
<td>Any single character, including space</td>
</tr>
<tr>
<td><code>*</code></td>
<td>Zero or more instance of preceding pattern</td>
</tr>
<tr>
<td><code>+</code></td>
<td> One or more instance of preceding pattern</td>
</tr>
<tr>
<td> <code>?</code> </td>
<td> Zero or one instance of preceding pattern</td>
</tr>
<tr>
<td> <code>^</code></td>
<td> Beginning of the string. Also can be used to negate inside class [^ ]</td>
</tr>
<tr>
<td> <code>$</code></td>
<td> End of the string</td>
</tr>
<tr>
<td> <code>_</code></td>
<td> (Underscore, special for AS Path lists) Matches comma, left brace (<code>{</code>), right brace (<code>}</code>), left parenthesis, right parenthesis, beginning of the string, end of the string, and a space.
</td>
</tr>
<tr>
<td> <code>[ ]</code> </td>
<td> Range of characters; <code>-</code> can be used to give a range without listing every character in it.</td>
</tr>
</table>
<p>Let's look at some examples of matching AS numbers.</p>
<table class="w3-table w3-striped w3-border">
<tr class="w3-green">
<th>AS PATH regex</th>
<th> What matches</th>
</tr>
<tr>
<td> <code>^$</code> </td>
<td> Local routes only, in other words routes with an empty AS path. </td>
</tr>
<tr>
<td><code>.*</code></td>
<td> All and any routes </td>
</tr>
<tr>
<td> <code>^111$</code> </td>
<td> Routes originated by a directly attached peer, i.e. routes with exactly one AS number in their path. Here these are routes originated by ISP1 (AS 111).</td>
</tr>
<tr>
<td> <code>_111$</code> </td>
<td> Routes originated by the specified AS, but not necessarily learned directly from it. If AS 111 advertises its routes to, say, AS 333, and we peer with AS 333, then we learn routes from AS 333 that were originated by AS 111; their AS path looks like <code>333 111</code>, and they match. No length limit is imposed on the AS path here, so the path <code>777 999 333 111</code> matches as well.</td>
</tr>
<tr>
<td> <code>_111_</code> </td>
<td> Routes that passed through the specified AS on their way, regardless of its position in the path. This matches AS paths such as <code>333 111 777 999</code>, <code>111 777</code> and <code>111</code> (see the table above: <code>_</code> also matches like <code>^</code> and <code>$</code>). </td>
</tr>
</table>
<p>Now back to our FG3, let's create and apply AS path list filtering to advertise only our own nets to the BGP peers.</p>
<p>Step 1. Create aspath-list matching local routes:</p>
<div class="highlight"><pre><span></span><code>config router aspath-list
edit <span class="s2">"LocalRoutesOnly"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> action permit
<span class="nb">set</span> regexp <span class="s2">"^$"</span>
next
end
next
end
</code></pre></div>
<p>Step 2. Create a route-map if needed (for ISP1) and/or edit the existing one (for ISP2 there is already <code>prepend-out</code> for AS prepending) so that it uses the aspath-list for matching.</p>
<div class="highlight"><pre><span></span><code>config router route-map
edit <span class="s2">"prepend-out"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> match-as-path <span class="s2">"LocalRoutesOnly"</span> <-- adding the match <span class="k">for</span> <span class="nb">local</span> routes only
<span class="nb">set</span> set-aspath <span class="s2">"1680 1680"</span>
next
end
next
edit <span class="s2">"LocalRoutesOut"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> match-as-path <span class="s2">"LocalRoutesOnly"</span>
next
end
next
end
</code></pre></div>
<p>Step 3. Finally, apply the route-map LocalRoutesOut to ISP1 and refresh the BGP session with ISP2 to activate the changes.<br>
<strong>NOTE:</strong> You do NOT need to reset/clear/soft-clear the BGP session on a Fortigate after changing filtering of any kind (route-maps, prefix-lists, as-paths) for it to take effect. All modern FortiOS versions have the <em>route-refresh</em> capability enabled by default, so any change in filtering takes effect 2-3 minutes after being configured. Just wait a bit.</p>
<div class="highlight"><pre><span></span><code>config router bgp
<span class="nb">set</span> as <span class="m">1680</span>
config neighbor
edit <span class="s2">"12.12.12.12"</span>
<span class="nb">set</span> prefix-list-in <span class="s2">"accept-dflt-only"</span>
<span class="nb">set</span> remote-as <span class="m">111</span>
<span class="nb">set</span> route-map-out <span class="s2">"LocalRoutesOut"</span> <-- I removed here prefix-list <span class="s2">"own-nets-only-out"</span> as no longer necessary
<span class="nb">set</span> weight <span class="m">10</span>
next
edit <span class="s2">"13.13.13.6"</span>
<span class="nb">set</span> prefix-list-in <span class="s2">"accept-dflt-only"</span>
<span class="nb">set</span> remote-as <span class="m">222</span>
<span class="nb">set</span> route-map-out <span class="s2">"prepend-out"</span>
next
end
config redistribute <span class="s2">"connected"</span>
<span class="nb">set</span> status <span class="nb">enable</span>
end
</code></pre></div>
<h3>Verification</h3>
<p>ISP1, routes received from FG3:</p>
<div class="highlight"><pre><span></span><code>FG1-AS111 <span class="c1"># get router info bgp neighbor 12.12.12.3 routes</span>
Network Next Hop Metric LocPrf Weight RouteTag Path
*> <span class="m">3</span>.3.3.3/32 <span class="m">12</span>.12.12.3 <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">1680</span> ?
*> <span class="m">10</span>.10.10.1/32 <span class="m">12</span>.12.12.3 <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">1680</span> ?
* <span class="m">12</span>.12.12.0/24 <span class="m">12</span>.12.12.3 <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">1680</span> ?
*> <span class="m">13</span>.13.13.0/24 <span class="m">12</span>.12.12.3 <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">1680</span> ?
</code></pre></div>
<p>As you may have noticed, here FG3 also advertises the 12.12.12.0 and 13.13.13.0 networks, as they are directly connected to its WAN interfaces. The prefix-list <em>own-nets-only-out</em> set previously on FG3 listed only 10.10.10.1 and 3.3.3.3 explicitly, thus denying everything else, including 12.12.12.0 and 13.13.13.0.</p>
<p>ISP2: </p>
<div class="highlight"><pre><span></span><code>FG6-AS222 <span class="c1"># get router info bgp neighbors 13.13.13.3 routes</span>
Network Next Hop Metric LocPrf Weight RouteTag Path
*> <span class="m">3</span>.3.3.3/32 <span class="m">13</span>.13.13.3 <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">1680</span> <span class="m">1680</span> <span class="m">1680</span> ?
*> <span class="m">10</span>.10.10.1/32 <span class="m">13</span>.13.13.3 <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">1680</span> <span class="m">1680</span> <span class="m">1680</span> ?
*> <span class="m">12</span>.12.12.0/24 <span class="m">13</span>.13.13.3 <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">1680</span> <span class="m">1680</span> <span class="m">1680</span> ?
* <span class="m">13</span>.13.13.0/24 <span class="m">13</span>.13.13.3 <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">1680</span> <span class="m">1680</span> <span class="m">1680</span> ?
</code></pre></div>
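<p>The <code>_</code> boundary symbol and the AS path regex table above, together with the <code>LocalRoutesOnly</code> filter and the <code>prepend-out</code> route-map, as an added Python example (my own code, not from the post or FortiOS): it converts an aspath-list regexp into a Python regex, checks every row of the table, and computes what FG3 would advertise to ISP1 and ISP2. The AS_PATH values assigned to FG3's routes and the order in which own AS and prepend are added are assumptions based on the outputs shown.</p>

```python
"""AS-path regex matching and outbound filtering (added example; not FortiOS code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# In aspath-list regexps '_' stands for a boundary: comma, braces, parentheses,
# space, or start/end of string. Everything else is ordinary regex syntax.
_BOUNDARY = r"(?:[,{}() ]|^|$)"


def aspath_regex(pattern: str) -> "re.Pattern":
    """Translate an aspath-list regexp into a compiled Python regex."""
    out, in_class = [], False
    for ch in pattern:
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        out.append(_BOUNDARY if (ch == "_" and not in_class) else ch)
    return re.compile("".join(out))


def aspath_matches(pattern: str, as_path: str) -> bool:
    """as_path is the attribute as displayed, e.g. '333 111' ('' = local route)."""
    return aspath_regex(pattern).search(as_path) is not None


@dataclass(frozen=True)
class AsPathRule:
    action: str      # "permit" or "deny"
    regexp: str


def aspath_list_action(rules: List[AsPathRule], as_path: str) -> str:
    """First matching rule wins (assumed); an aspath-list ends with an implicit deny."""
    for rule in rules:
        if aspath_matches(rule.regexp, as_path):
            return rule.action
    return "deny"


def advertise(routes: Dict[str, str], rules: List[AsPathRule],
              local_as: int, prepend: str = "") -> List[Tuple[str, str]]:
    """Outbound route-map: keep the routes the aspath-list permits, then build the
    AS_PATH the peer will see: our own AS, any set-aspath prepend, then the path
    as we hold it (ordering assumed from the outputs in the post)."""
    result = []
    for prefix, path in routes.items():
        if aspath_list_action(rules, path) != "permit":
            continue
        parts = [str(local_as)] + prepend.split() + path.split()
        result.append((prefix, " ".join(parts)))
    return result


# Constructed from this post's lab: FG3's BGP table with the AS_PATH of each
# route as FG3 holds it (empty string = locally redistributed route).
FG3_ROUTES: Dict[str, str] = {
    "0.0.0.0/0": "111",          # default route learned from ISP1
    "3.3.3.3/32": "",
    "10.10.10.1/32": "",
    "12.12.12.0/24": "",
    "13.13.13.0/24": "",
}
LOCAL_ROUTES_ONLY = [AsPathRule("permit", "^$")]

# Rows of the AS PATH regex table: (regexp, paths that match, paths that do not).
TABLE_EXAMPLES: List[Tuple[str, List[str], List[str]]] = [
    ("^$", [""], ["111"]),
    (".*", ["", "111", "333 111"], []),
    ("^111$", ["111"], ["333 111", "1111"]),
    ("_111$", ["111", "333 111", "777 999 333 111"], ["1111", "111 777"]),
    ("_111_", ["333 111 777 999", "111 777", "111"], ["1110 5", "222"]),
]


def check_table() -> bool:
    """Verify every row of the regex table; True if all of them hold."""
    for pattern, yes, no in TABLE_EXAMPLES:
        if not all(aspath_matches(pattern, p) for p in yes):
            return False
        if any(aspath_matches(pattern, p) for p in no):
            return False
    return True


def to_isp1() -> List[Tuple[str, str]]:
    """route-map LocalRoutesOut: filter only, no prepend."""
    return advertise(FG3_ROUTES, LOCAL_ROUTES_ONLY, 1680)


def to_isp2() -> List[Tuple[str, str]]:
    """route-map prepend-out: same filter plus set-aspath "1680 1680"."""
    return advertise(FG3_ROUTES, LOCAL_ROUTES_ONLY, 1680, prepend="1680 1680")


if __name__ == "__main__":
    print("table rows hold:", check_table())
    print("to ISP1:", to_isp1())
    print("to ISP2:", to_isp2())
```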
<h3>Matching networks using ACLs</h3>
<p>Lastly, for completeness' sake, let's do the filtering with ACLs. The major issue with ACLs is that the pain is not worth the gain: they are not intuitive, and you spend more time calculating the needed ACL wildcards than actually configuring them. And all that for no advantage whatsoever over prefix lists. ACLs in the BGP context appeared some 30 years ago in Cisco, before prefix lists were available, and they have been supported ever since for no obvious reason (to me, except one: the CCIE R&S exam, where Cisco folks love to use them to confuse the candidates and make them suffer). Fortinet, probably not to be outdone, implemented them as well. I, personally, have never seen them used in real life.</p>
<p>So, matching our loopback networks 3.3.3.3/32 and 10.10.10.1/32, and the directly attached 12.12.12.0/24 and 13.13.13.0/24, with ACLs will look like:</p>
<div class="highlight"><pre><span></span><code>config router access-list
edit <span class="s2">"own-nets-only"</span>
config rule
edit <span class="m">1</span>
<span class="nb">unset</span> prefix <-- Funny thing, even though inside ACL, still Fortigate allows us to use
prefix with subnet mask as <span class="k">in</span> prefix-lists, i.e. <span class="m">10</span>.10.10.1/32
<span class="nb">set</span> wildcard <span class="m">10</span>.10.10.1 <span class="m">0</span>.0.0.0
next
edit <span class="m">2</span>
<span class="nb">unset</span> prefix
<span class="nb">set</span> wildcard <span class="m">3</span>.3.3.3 <span class="m">0</span>.0.0.0
next
edit <span class="m">3</span>
<span class="nb">unset</span> prefix
<span class="nb">set</span> wildcard <span class="m">12</span>.12.12.0 <span class="m">0</span>.0.0.255
next
edit <span class="m">4</span>
<span class="nb">unset</span> prefix
<span class="nb">set</span> wildcard <span class="m">13</span>.13.13.0 <span class="m">0</span>.0.0.255
next
end
next
end
</code></pre></div>
<p>Step 2: create a route-map that uses the ACL (for ISP1 only).</p>
<div class="highlight"><pre><span></span><code>config router route-map
edit <span class="s2">"LocalOutACL"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> match-ip-address <span class="s2">"own-nets-only"</span>
next
end
next
end
</code></pre></div>
<p>For ISP2 I will keep using the existing route-map "prepend-out".</p>
<p>Step 3: apply the route-map in outbound direction.</p>
<div class="highlight"><pre><span></span><code>FG3-AS1680 <span class="c1"># show router bgp</span>
config router bgp
<span class="nb">set</span> as <span class="m">1680</span>
config neighbor
edit <span class="s2">"12.12.12.12"</span>
<span class="nb">set</span> prefix-list-in <span class="s2">"accept-dflt-only"</span>
<span class="nb">set</span> remote-as <span class="m">111</span>
<span class="nb">set</span> route-map-out <span class="s2">"LocalOutACL"</span>
<span class="nb">set</span> weight <span class="m">10</span>
next
edit <span class="s2">"13.13.13.6"</span>
<span class="nb">set</span> prefix-list-in <span class="s2">"accept-dflt-only"</span>
<span class="nb">set</span> remote-as <span class="m">222</span>
<span class="nb">set</span> route-map-out <span class="s2">"prepend-out"</span>
next
end
</code></pre></div>
<p><a name="ee3"></a> </p>
<h2>Force FG1 to advertise default route without having one in RIB and without using blackhole routing. Uses default-originate</h2>
<p>Fortigate can advertise the default route to its peers even if there is no such route in its RIB, by using the <code>capability-default-originate enable</code> command
under the neighbor configuration.</p>
<div class="highlight"><pre><span></span><code>FG1-AS111 <span class="c1"># show router bgp</span>
config router bgp
<span class="nb">set</span> as <span class="m">111</span>
<span class="nb">set</span> router-id <span class="m">1</span>.1.1.1
config neighbor
edit <span class="s2">"12.12.12.3"</span>
<span class="nb">set</span> capability-default-originate <span class="nb">enable</span> <-- This will cause FG1 to advertise <span class="m">0</span>.0.0.0/0
<span class="nb">set</span> remote-as <span class="m">1680</span>
next
config redistribute <span class="s2">"static"</span>
end
</code></pre></div>
<p>Verify:</p>
<div class="highlight"><pre><span></span><code>FG1-AS111 <span class="c1"># get router info bgp neighb 12.12.12.3 advertised-routes</span>
Network Next Hop Metric LocPrf Weight RouteTag Path
*> <span class="m">0</span>.0.0.0/0 <span class="m">12</span>.12.12.12 <span class="m">100</span> <span class="m">32768</span> <span class="m">0</span> i
*> <span class="m">1</span>.1.1.1/32 <span class="m">12</span>.12.12.12 <span class="m">32768</span> <span class="m">0</span> ?
*> <span class="m">8</span>.8.8.8/32 <span class="m">12</span>.12.12.12 <span class="m">32768</span> <span class="m">0</span> ?
*> <span class="m">12</span>.12.12.0/24 <span class="m">12</span>.12.12.12 <span class="m">32768</span> <span class="m">0</span> ?
</code></pre></div>
<p><a name="ee4"></a> </p>
<h2>Limit announced connected routes to 3.3.3.3 only. Uses route-map with redistribution</h2>
<p>Redistribute statements under the BGP router configuration support route-maps to limit which routes get redistributed into BGP and which do not.
Let's limit the routes FG1 announces to just 3.3.3.3/32, its loopback.</p>
<p>Step 1 Create prefix list to match the route:</p>
<div class="highlight"><pre><span></span><code>config router prefix-list
edit <span class="s2">"allow-3.3.3.3-only"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> prefix <span class="m">3</span>.3.3.3 <span class="m">255</span>.255.255.255
<span class="nb">unset</span> ge
<span class="nb">unset</span> le
next
end
next
end
</code></pre></div>
<p>Step 2 Update/create route-map to use the prefix-list.</p>
<div class="highlight"><pre><span></span><code>config router route-map
edit <span class="s2">"redist-3.3.3.3-only"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> match-ip-address <span class="s2">"allow-3.3.3.3-only"</span>
next
end
next
end
</code></pre></div>
<p>Step 3 Use this route-map.</p>
<div class="highlight"><pre><span></span><code>config router bgp
config redistribute <span class="s2">"connected"</span>
<span class="nb">set</span> status <span class="nb">enable</span>
<span class="nb">set</span> route-map <span class="s2">"redist-3.3.3.3-only"</span>
end
end
</code></pre></div>
<p><a name="ee5"></a> </p>
<h2>Secure BGP session between ISP1 and FG3 with one way hash. Uses MD5 authentication</h2>
<p>BGP supports MD5 authentication of the TCP session to prevent an adversary from altering the advertisements, and to defeat denial of service by spoofed TCP RST packets that would tear down an existing, legitimate session.<br>
Naturally, you have to configure the same password on both BGP peers. The configuration itself is one line under the neighbor configuration: <code>password</code>.
E.g. FG3:</p>
<div class="highlight"><pre><span></span><code>config router bgp
config neighbor
edit <span class="s2">"12.12.12.12"</span>
<span class="nb">set</span> remote-as <span class="m">111</span>
<span class="nb">set</span> route-map-out <span class="s2">"LocalOutACL"</span>
<span class="nb">set</span> weight <span class="m">10</span>
<span class="nb">set</span> password secretsuperpassword
next
end
end
</code></pre></div>
<p>More interesting, though, is what happens when a misconfiguration occurs.</p>
<p><strong>Case 1 FG3 has the password set, FG1 has not</strong>.
As the BGP RFC requires, a peer with BGP authentication enabled must drop an unauthenticated packet without acknowledging it or giving any other information. So, basically, the BGP session times out: </p>
<div class="highlight"><pre><span></span><code>FG3-AS1680 <span class="c1"># diagnose ip router bgp level info</span>
FG3-AS1680 <span class="c1"># diagnose ip router bgp all enable</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>FG1 <span class="o">(</span>on which I initiated BGP session reset<span class="o">)</span>:
BGP: <span class="m">12</span>.12.12.3-Outgoing <span class="o">[</span>ENCODE<span class="o">]</span> Msg-Hdr: Type <span class="m">3</span> <-- Type <span class="m">3</span> is NOTIFICATION
BGP: %BGP-3-NOTIFICATION: sending to <span class="m">12</span>.12.12.3 <span class="m">6</span>/0 <span class="o">(</span>CeaseUnspecified Error Subcode<span class="o">)</span> <span class="m">0</span> data-bytes <span class="o">[]</span>
FG1-AS111 <span class="c1"># BGP: [GRST] Timer Announce Defer: Check</span>
<span class="nv">id</span><span class="o">=</span><span class="m">20300</span> <span class="nv">logdesc</span><span class="o">=</span><span class="s2">"BGP neighbor status changed"</span> <span class="nv">msg</span><span class="o">=</span><span class="s2">"BGP: %BGP-5-ADJCHANGE: neighbor 12.12.12.3 Down BGP Notification CEASE"</span>
<span class="nv">id</span><span class="o">=</span><span class="m">20300</span> <span class="nv">logdesc</span><span class="o">=</span><span class="s2">"BGP neighbor status changed"</span> <span class="nv">msg</span><span class="o">=</span><span class="s2">"BGP: %BGP-5-ADJCHANGE: neighbor 12.12.12.3 Down User reset"</span>
BGP: <span class="m">12</span>.12.12.3-Outgoing <span class="o">[</span>FSM<span class="o">]</span> State: Idle Event: <span class="m">3</span> <-- This Fortigate falls back to Idle state
FG3-AS1680: <span class="o">(</span>pretty much the same<span class="o">)</span>
BGP: <span class="m">12</span>.12.12.12-Outgoing <span class="o">[</span>ENCODE<span class="o">]</span> Msg-Hdr: Type <span class="m">3</span>
BGP: %BGP-3-NOTIFICATION: sending to <span class="m">12</span>.12.12.12 <span class="m">4</span>/0 <span class="o">(</span>Hold Timer Expired/Unspecified Error Subcode<span class="o">)</span> <span class="m">0</span> data-bytes <span class="o">[]</span>
BGP: <span class="o">[</span>GRST<span class="o">]</span> Timer Announce Defer: Check
<span class="nv">id</span><span class="o">=</span><span class="m">20300</span> <span class="nv">logdesc</span><span class="o">=</span><span class="s2">"BGP neighbor status changed"</span> <span class="nv">msg</span><span class="o">=</span><span class="s2">"BGP: %BGP-5-ADJCHANGE: neighbor 12.12.12.12 Down Hold Timer Expired"</span>
<span class="nv">id</span><span class="o">=</span><span class="m">20300</span> <span class="nv">logdesc</span><span class="o">=</span><span class="s2">"BGP neighbor status changed"</span> <span class="nv">msg</span><span class="o">=</span><span class="s2">"BGP: %BGP-5-ADJCHANGE: neighbor 12.12.12.12 Down BGP Notification FSM-ERR"</span>
</code></pre></div>
<p>After that, nothing points to a mismatch in the BGP session authentication; the session just times out:</p>
<div class="highlight"><pre><span></span><code>FG1-AS111 <span class="c1">#</span>
BGP: <span class="m">12</span>.12.12.3-Outgoing <span class="o">[</span>NETWORK<span class="o">]</span> <span class="nv">FD</span><span class="o">=</span><span class="m">21</span>, Sock Status: <span class="m">110</span>-Connection timed out
BGP: <span class="m">12</span>.12.12.3-Outgoing <span class="o">[</span>FSM<span class="o">]</span> State: Connect Event: <span class="m">18</span>
FG3-AS1680 <span class="c1">#</span>
BGP: <span class="m">12</span>.12.12.12-Outgoing <span class="o">[</span>NETWORK<span class="o">]</span> <span class="nv">FD</span><span class="o">=</span><span class="m">23</span>, Sock Status: <span class="m">110</span>-Connection timed out
BGP: <span class="m">12</span>.12.12.12-Outgoing <span class="o">[</span>FSM<span class="o">]</span> State: Connect Event: <span class="m">18</span>
</code></pre></div>
<p><strong>Case 2: One of the peers has the wrong password set</strong>.</p>
<p>Here, too, we get no clue from the Fortigate, just the same connection timeout:</p>
<div class="highlight"><pre><span></span><code>BGP: %BGP-3-NOTIFICATION: sending to <span class="m">12</span>.12.12.3 <span class="m">4</span>/0 <span class="o">(</span>Hold Timer Expired/Unspecified Error Subcode<span class="o">)</span> <span class="m">0</span> data-bytes <span class="o">[]</span>
BGP: <span class="o">[</span>GRST<span class="o">]</span> Timer Announce Defer: Check
<span class="nv">id</span><span class="o">=</span><span class="m">20300</span> <span class="nv">logdesc</span><span class="o">=</span><span class="s2">"BGP neighbor status changed"</span> <span class="nv">msg</span><span class="o">=</span><span class="s2">"BGP: %BGP-5-ADJCHANGE: neighbor 12.12.12.3 Down Hold Timer Expired"</span>
<span class="nv">id</span><span class="o">=</span><span class="m">20300</span> <span class="nv">logdesc</span><span class="o">=</span><span class="s2">"BGP neighbor status changed"</span> <span class="nv">msg</span><span class="o">=</span><span class="s2">"BGP: %BGP-5-ADJCHANGE: neighbor 12.12.12.3 Down BGP Notification FSM-ERR"</span>
BGP: <span class="m">12</span>.12.12.3-Outgoing <span class="o">[</span>NETWORK<span class="o">]</span> <span class="nv">FD</span><span class="o">=</span><span class="m">21</span>, Sock Status: <span class="m">110</span>-Connection timed out
BGP: <span class="m">12</span>.12.12.3-Outgoing <span class="o">[</span>FSM<span class="o">]</span> State: Connect Event: <span class="m">18</span>
</code></pre></div>
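<p>To show why both cases above look identical from the outside, here is an added example (not code from the page or from FortiOS) that computes the BGP MD5 signature as specified in RFC 2385, the TCP MD5 Signature Option that <code>set password</code> turns on, and models the receiving side that has a password configured. The sample session (12.12.12.3:21989 to 12.12.12.12:179, a KEEPALIVE payload) and the key material are constructed; the password string is the one used on the page.</p>

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample session (addresses follow the page's lab): FG3 -> FG1 on TCP/179
SRC_IP, DST_IP = "12.12.12.3", "12.12.12.12"
# A BGP KEEPALIVE: 16-byte marker of 0xff, length 19, type 4
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
# The TCP MD5 option is kind 19, length 18; with two NOPs it pads to 20 bytes
MD5_OPTION_LEN = 20


def tcp_header(sport, dport, seq, ack, flags=0x18, checksum=0):
    """Fixed 20-byte TCP header; data offset counts the 5 base words plus the option words."""
    data_offset = 5 + MD5_OPTION_LEN // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (data_offset << 12) | flags, 65535, checksum, 0)


def tcp_md5_digest(src_ip, dst_ip, header20, payload, key, options_len=MD5_OPTION_LEN):
    """RFC 2385 digest, hashed in this order: the TCP pseudo-header (source IP,
    destination IP, zero, protocol, segment length), the TCP header with the
    checksum taken as zero and options excluded, the segment data, then the key."""
    segment_len = len(header20) + options_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, segment_len))
    header_zero_csum = header20[:16] + b"\x00\x00" + header20[18:]
    md5 = hashlib.md5()
    for part in (pseudo, header_zero_csum, payload, key):
        md5.update(part)
    return md5.digest()


def receiver_with_key_accepts(key, src_ip, dst_ip, header20, payload, received_digest):
    """A peer with 'set password' configured.  Per RFC 2385 a segment carrying no
    option (Case 1) or a digest that does not verify (Case 2) is dropped silently:
    no ACK, no RST, no NOTIFICATION, so the sender only ever sees timeouts."""
    if received_digest is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header20, payload, key)
    return hmac.compare_digest(expected, received_digest)


if __name__ == "__main__":
    hdr = tcp_header(21989, 179, 1000, 2000)
    key = b"secretsuperpassword"
    good = tcp_md5_digest(SRC_IP, DST_IP, hdr, KEEPALIVE, key)
    print("signed segment accepted:", receiver_with_key_accepts(key, SRC_IP, DST_IP, hdr, KEEPALIVE, good))
    print("unsigned segment accepted:", receiver_with_key_accepts(key, SRC_IP, DST_IP, hdr, KEEPALIVE, None))
    wrong = tcp_md5_digest(SRC_IP, DST_IP, hdr, KEEPALIVE, b"wrongpassword")
    print("wrong-key segment accepted:", receiver_with_key_accepts(key, SRC_IP, DST_IP, hdr, KEEPALIVE, wrong))
```

<p>The digest covers the addresses, ports, sequence numbers and payload, which is why a spoofed RST without the option (or with a wrong key) cannot reset the session, and why a peer whose password differs by one character behaves exactly like a peer with no password at all: the only symptom on either side is the hold timer or connect timeout shown in the debug output above. Note that MD5 itself is no longer considered strong; where both peers support it, TCP-AO (RFC 5925) is the successor mechanism.</p>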
<p><a name="ee6"></a> </p>
<h2>Make sure we can see received routing advertisements before and after any filtering is applied. Uses soft reconfiguration</h2>
<p>The inconvenience of not seeing the routes received from a peer before we apply local manipulation/filtering can be fixed with <strong>soft reconfiguration</strong>, which is disabled by default.
Once enabled, this feature forces the Fortigate to keep in memory all routes received from the neighbor BEFORE any local filtering is applied. The downside is that memory consumption goes up.
Today, this functionality is mainly useful as a visual aid when debugging policy changes, because the <strong>route refresh</strong> capability (details in <a href="/assets/rfc2918.txt" target=_blank rel="noopener">RFC 2918</a> and <a href="/assets/rfc7313.txt" target=_blank rel="noopener">RFC 7313</a>) is enabled by default in Fortigate, so any changes we make to the BGP policy on the Fortigate are applied almost immediately (a delay of a few seconds). </p>
<p>Still, the feature is there and we can enable it with <code>soft-reconfiguration enable</code>.</p>
<div class="highlight"><pre><span></span><code>FG3-AS1680 <span class="o">(</span>neighbor<span class="o">)</span> <span class="c1"># show</span>
config neighbor
edit <span class="s2">"12.12.12.12"</span>
<span class="nb">set</span> soft-reconfiguration <span class="nb">enable</span>
<span class="nb">set</span> remote-as <span class="m">111</span>
<span class="nb">set</span> route-map-out <span class="s2">"LocalOutACL"</span>
<span class="nb">set</span> prefix-list-in <span class="s2">"accept-dflt-only"</span>
<span class="nb">set</span> weight <span class="m">10</span>
next
</code></pre></div>
<p>Now we can query the routes received from 12.12.12.12 (ISP1) BEFORE the policy <em>accept-dflt-only</em>, which allows just the default route, is applied:</p>
<p>BEFORE filtering is applied:</p>
<div class="highlight"><pre><span></span><code>FG3-AS1680 <span class="c1"># get router info bgp neighbors 12.12.12.12 received-routes</span>
Network Next Hop Metric LocPrf Weight RouteTag Path
*> <span class="m">0</span>.0.0.0/0 <span class="m">12</span>.12.12.12 <span class="m">0</span> <span class="m">0</span> <span class="m">111</span> i
*> <span class="m">1</span>.1.1.1/32 <span class="m">12</span>.12.12.12 <span class="m">0</span> <span class="m">0</span> <span class="m">111</span> ?
*> <span class="m">8</span>.8.8.8/32 <span class="m">12</span>.12.12.12 <span class="m">0</span> <span class="m">0</span> <span class="m">111</span> ?
*> <span class="m">12</span>.12.12.0/24 <span class="m">12</span>.12.12.12 <span class="m">0</span> <span class="m">0</span> <span class="m">111</span> ?
Total number of prefixes <span class="m">4</span>
</code></pre></div>
<p>And AFTER:</p>
<div class="highlight"><pre><span></span><code>FG3-AS1680 <span class="c1"># get router info bgp neighbors 12.12.12.12 routes</span>
Network Next Hop Metric LocPrf Weight RouteTag Path
*> <span class="m">0</span>.0.0.0/0 <span class="m">12</span>.12.12.12 <span class="m">0</span> <span class="m">10</span> <span class="m">0</span> <span class="m">111</span> i
Total number of prefixes <span class="m">1</span>
</code></pre></div>
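<p>The prefix-list matching that drives both the redistribution route-map above (section "Limit announced connected routes to 3.3.3.3 only") and the <em>accept-dflt-only</em> inbound filter of this section is easy to get wrong around <code>ge</code>/<code>le</code>, so here is an added example (not code from the page or from FortiOS) that evaluates a prefix-list with FortiOS-style first-match/implicit-deny semantics, applies it once as a connected-route redistribution filter and once as <code>prefix-list-in</code> while keeping the unfiltered Adj-RIB-In that soft reconfiguration preserves. The body of <em>accept-dflt-only</em> (a single permit for 0.0.0.0/0) and the received routes are constructed from what the page's output shows.</p>

```python
import ipaddress


def prefix_list_permits(rules, prefix):
    """Evaluate a prefix-list: rules are tried in order; the first rule whose
    network covers the prefix and whose ge/le length window fits decides.
    No matching rule means deny.  A ge/le of None stands for 'unset', so a
    bare rule matches exactly its own length, like the page's /32 rule."""
    net = ipaddress.ip_network(prefix)
    for action, rule_prefix, ge, le in rules:
        rule_net = ipaddress.ip_network(rule_prefix)
        if not net.subnet_of(rule_net):
            continue
        low = rule_net.prefixlen if ge is None else ge
        if le is not None:
            high = le
        else:
            high = rule_net.prefixlen if ge is None else net.max_prefixlen
        if low <= net.prefixlen <= high:
            return action == "permit"
    return False


# The page's prefix-list "allow-3.3.3.3-only": ge and le unset => exactly 3.3.3.3/32
ALLOW_3333_ONLY = [("permit", "3.3.3.3/32", None, None)]
# Assumed body of the page's "accept-dflt-only": just the default route
ACCEPT_DFLT_ONLY = [("permit", "0.0.0.0/0", None, None)]

# Constructed Adj-RIB-In modelled on the page's received-routes output from ISP1
RECEIVED_FROM_ISP1 = {
    "0.0.0.0/0":    {"next_hop": "12.12.12.12", "as_path": ["111"], "origin": "i"},
    "1.1.1.1/32":   {"next_hop": "12.12.12.12", "as_path": ["111"], "origin": "?"},
    "8.8.8.8/32":   {"next_hop": "12.12.12.12", "as_path": ["111"], "origin": "?"},
    "12.12.12.0/24": {"next_hop": "12.12.12.12", "as_path": ["111"], "origin": "?"},
}


def redistribute_connected(connected_prefixes, prefix_list):
    """'config redistribute connected' with a route-map whose rule uses
    match-ip-address: only prefixes the list permits are announced."""
    return [p for p in connected_prefixes if prefix_list_permits(prefix_list, p)]


def apply_inbound_policy(received, prefix_list, weight):
    """With soft-reconfiguration the unfiltered table ('received-routes') is kept;
    prefix-list-in and the neighbor weight produce what 'routes' shows."""
    adj_rib_in = dict(received)
    accepted = {p: dict(attrs, weight=weight)
                for p, attrs in received.items() if prefix_list_permits(prefix_list, p)}
    return adj_rib_in, accepted


if __name__ == "__main__":
    print(redistribute_connected(["3.3.3.3/32", "12.12.12.0/24", "13.13.13.0/24"], ALLOW_3333_ONLY))
    before, after = apply_inbound_policy(RECEIVED_FROM_ISP1, ACCEPT_DFLT_ONLY, weight=10)
    print("received-routes:", len(before), "routes:", list(after))
```

<p>The window logic is the part worth checking on a real box: a rule with neither <code>ge</code> nor <code>le</code> matches only that exact length, <code>ge</code> alone opens the window up to /32, and <code>le</code> alone opens it from the rule's own length up to the given value. Without soft reconfiguration the <code>before</code> table does not exist on the device, and a filter that silently drops a prefix can only be diagnosed by asking the neighbor what it sent.</p>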
<p><a name="ee7"></a> </p>
<h2>Set up BGP peering between FG3 and FG1 using loopback in FG3</h2>
<p>In production you use loopbacks as the source interface for BGP sessions mostly to keep the BGP peering up when the physical link to the BGP peer goes down. If you have redundant links/paths to the same BGP peer via other, still functional interfaces, the BGP session continues uninterrupted.</p>
<p>When using a loopback as the source interface you have to account for two things:</p>
<ul>
<li>A loopback is an interface by all means, so you have to add security rules allowing traffic (TCP port 179 in BGP's case) to/from it for the BGP session to be established. A rule allowing outbound traffic from the loopback is enough for the Fortigate to be the BGP client, always initiating the connection to the peer. </li>
<li>A loopback adds one routing hop, so for eBGP sessions you have to enable eBGP multihop for the session to come up. You do it on the remote peer at least.</li>
</ul>
<p>Configure FG3.<br>
Create a security rule allowing outgoing connections from Loop2:</p>
<div class="highlight"><pre><span></span><code>config firewall policy
edit <span class="m">0</span> <-- 0 picks the next free policy ID
<span class="nb">set</span> srcintf <span class="s2">"Loop2"</span>
<span class="nb">set</span> dstintf <span class="s2">"port1"</span>
<span class="nb">set</span> srcaddr <span class="s2">"all"</span>
<span class="nb">set</span> dstaddr <span class="s2">"all"</span>
<span class="nb">set</span> action accept
<span class="nb">set</span> status <span class="nb">enable</span>
<span class="nb">set</span> schedule <span class="s2">"always"</span>
<span class="nb">set</span> service <span class="s2">"ALL"</span>
next
</code></pre></div>
<p>The BGP neighbor configuration to use Loop2 as the source interface:</p>
<div class="highlight"><pre><span></span><code>config router bgp
<span class="nb">set</span> as <span class="m">1680</span>
config neighbor
edit <span class="s2">"12.12.12.12"</span>
<span class="nb">set</span> soft-reconfiguration <span class="nb">enable</span>
<span class="nb">set</span> interface <span class="s2">"Loop2"</span>
<span class="nb">set</span> prefix-list-in <span class="s2">"accept-dflt-only"</span>
<span class="nb">set</span> remote-as <span class="m">111</span>
<span class="nb">set</span> route-map-out <span class="s2">"LocalOutACL"</span>
<span class="nb">set</span> update-source <span class="s2">"Loop2"</span> <-- This causes FG3 to <span class="nb">source</span> BGP packets from Loop2
<span class="nb">set</span> weight <span class="m">10</span>
next
</code></pre></div>
<p>Configuration of FG1.<br>
Create a new peer with the IP 3.3.3.3 and add the multi-hop capability:</p>
<div class="highlight"><pre><span></span><code>config router bgp
<span class="nb">set</span> as <span class="m">111</span>
<span class="nb">set</span> router-id <span class="m">1</span>.1.1.1
config neighbor
edit <span class="s2">"3.3.3.3"</span>
<span class="nb">set</span> capability-default-originate <span class="nb">enable</span>
<span class="nb">set</span> ebgp-enforce-multihop <span class="nb">enable</span>
<span class="nb">set</span> remote-as <span class="m">1680</span>
next
end
</code></pre></div>
<h3>Verification</h3>
<p>To see that FG3 is indeed the client and FG1 (12.12.12.12) the server for this peering: </p>
<h3>diagnose sys tcpsock | grep 179</h3>
<div class="highlight"><pre><span></span><code>FG3-AS1680 <span class="c1"># diag sys tcpsock | grep 179</span>
<span class="m">0</span>.0.0.0:179->0.0.0.0:0->state<span class="o">=</span>listen <span class="nv">err</span><span class="o">=</span><span class="m">0</span> <span class="nv">sockflag</span><span class="o">=</span>0x1 <span class="nv">rma</span><span class="o">=</span><span class="m">0</span> <span class="nv">wma</span><span class="o">=</span><span class="m">0</span> <span class="nv">fma</span><span class="o">=</span><span class="m">0</span> <span class="nv">tma</span><span class="o">=</span><span class="m">0</span>
<span class="m">3</span>.3.3.3:21989->12.12.12.12:179->state<span class="o">=</span>estabilshed <span class="nv">err</span><span class="o">=</span><span class="m">0</span> <span class="nv">sockflag</span><span class="o">=</span>0x1 <span class="nv">rma</span><span class="o">=</span><span class="m">0</span> <span class="nv">wma</span><span class="o">=</span><span class="m">0</span> <span class="nv">fma</span><span class="o">=</span><span class="m">0</span> <span class="nv">tma</span><span class="o">=</span><span class="m">0</span>
<span class="m">13</span>.13.13.3:3345->13.13.13.6:179->state<span class="o">=</span>estabilshed <span class="nv">err</span><span class="o">=</span><span class="m">0</span> <span class="nv">sockflag</span><span class="o">=</span>0x1 <span class="nv">rma</span><span class="o">=</span><span class="m">0</span> <span class="nv">wma</span><span class="o">=</span><span class="m">0</span> <span class="nv">fma</span><span class="o">=</span><span class="m">0</span> <span class="nv">tma</span><span class="o">=</span><span class="m">0</span>
</code></pre></div>
<p>Multi-hop neighbor enabled: </p>
<div class="highlight"><pre><span></span><code>FG1-AS111 <span class="c1"># get router info bgp neighbors </span>
BGP neighbor is <span class="m">3</span>.3.3.3, remote AS <span class="m">1680</span>, <span class="nb">local</span> AS <span class="m">111</span>, external link
BGP version <span class="m">4</span>, remote router ID <span class="m">10</span>.10.10.1
BGP <span class="nv">state</span> <span class="o">=</span> Established, up <span class="k">for</span> <span class="m">00</span>:13:42
....
External BGP neighbor may be up to <span class="m">255</span> hops away. <-- Multi hop setting is active
Local host: <span class="m">12</span>.12.12.12, Local port: <span class="m">179</span>
Foreign host: <span class="m">3</span>.3.3.3, Foreign port: <span class="m">21989</span>
</code></pre></div>
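<p>When several BGP sessions are up it is handy to let a script decide the role from the socket list rather than reading ports by eye. The following is an added example (not code from the page or from FortiOS) that parses <code>diagnose sys tcpsock</code> lines and classifies each TCP/179 socket as listener, client (we initiated, remote port 179) or server (peer initiated, local port 179). The first three sample lines are the FG3 output shown above; the fourth is a constructed line showing the same session as FG1 would list it.</p>

```python
import re

# Sample input: three lines from FG3's output above plus one constructed line
# for the FG1 side of the same session.  FortiOS prints "estabilshed" as-is.
SAMPLE = """\
0.0.0.0:179->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
3.3.3.3:21989->12.12.12.12:179->state=estabilshed err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
13.13.13.3:3345->13.13.13.6:179->state=estabilshed err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
12.12.12.12:179->3.3.3.3:21989->state=estabilshed err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
"""

LINE_RE = re.compile(
    r"^(?P<lip>[\d.]+):(?P<lport>\d+)->(?P<rip>[\d.]+):(?P<rport>\d+)->state=(?P<state>\w+)"
)


def parse_tcpsock(text, port=179):
    """Return one record per socket that involves `port`, with the BGP role derived
    from which side holds port 179.  Lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        lport, rport = int(m["lport"]), int(m["rport"])
        if port not in (lport, rport):
            continue
        state = m["state"].lower()
        # Match on the prefix so the FortiOS misspelling does not hide live sessions
        established = state.startswith("estab")
        if state == "listen":
            role = "listener"
        elif rport == port:
            role = "client"   # ephemeral local port, peer's 179: this box connected out
        else:
            role = "server"   # local 179: the peer connected to us
        records.append({
            "local": f"{m['lip']}:{lport}",
            "remote": f"{m['rip']}:{rport}",
            "state": state,
            "established": established,
            "role": role,
        })
    return records


def session_roles(text, port=179):
    """Map 'local->remote' to role for established sessions only."""
    return {f"{r['local']}->{r['remote']}": r["role"]
            for r in parse_tcpsock(text, port) if r["established"]}


if __name__ == "__main__":
    for session, role in session_roles(SAMPLE).items():
        print(f"{session}: {role}")
```

<p>Combined with the firewall rule above, the role tells you which policy direction actually carries the session: a client needs the outbound rule from the loopback, a server needs an inbound rule to it. The socket that still shows a listener on 0.0.0.0:179 is normal and does not by itself mean an inbound policy exists.</p>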
<p><a name="ee8"></a></p>
<h2>Remotely Triggered Black Hole Routing configuration</h2>
<p>Task: Build an RTBH solution for an ISP on Fortigate firewalls only. The solution includes the trigger Fortigate named <em>Null</em>, the client-facing PE Fortigate <em>JLM-Edge</em>, the Route Reflector for iBGP peerings <em>TLV-RR</em>, and 2 border Fortigates, each connected to Tier 1 uplinks: <em>NYC-brdr</em> and <em>LON-brdr</em>. The solution enables an operator to remove the attacked/victim network from the backbone and block all incoming packets to it on the borders. Additionally, the operator can withdraw the network on the London or NYC border separately, or on both. It is also possible to block a route inside the backbone only.<br>
To verify the configuration, we will assume the client's network IP 192.168.15.15/32 is under a DDoS attack, and we want to withdraw it from the backbone routing tables without affecting the client's whole class C network 192.168.15.0/24.</p>
<p>NOTE: All IPs/ASes/Names are fictitious. </p>
<p>The workflow for the operator should be: she receives an alert that a client's network is being attacked. She logs in to the <em>Null</em> Fortigate and sets a static route to the network, choosing on which border(s) she wants to block the attacked network.</p>
<p>The diagram for this scenario:</p>
<p><img alt="BGP RTBH Fortigates only diagram" src="/assets/fortigate-rtbh-bgp-diagram.png"></p>
<p>The solution here adheres to <a href="https://www.cisco.com/c/dam/en_us/about/security/intelligence/blackhole.pdf" target=_blank rel="noopener">Remotely Triggered Black Hole Filtering—Destination Based And Source Based</a>,
except for the final step - routing the "dummy" IP address to the <em>Null0</em> interface, which works in Cisco, does not work in Fortigate - from trial and error, I had to route such a dummy IP to a Loopback and thus drop the packets on it. The Fortinet documentation has no explanation for this, and no one I asked knew why it is so. </p>
<p>The issue with a <strong>type blackhole</strong> static route is that when a route learned dynamically via BGP gets such a blackhole route as its next hop, the Fortigate does NOT install the learned network in the RIB. I will try opening a ticket to maybe find the answer; follow here if interested: <a href="https://forum.fortinet.com/FindPost/188960" target=_blank rel="noopener">BGP does not install route in RIB if the next hop is a blackhole, RTBH configuration</a></p>
<p>Let's get back to our RTBH.<br>
The configuration steps will be:<br>
1. Set up iBGP sessions between all Fortigates and the Route Reflector <em>TLV-RR</em>. As in a real ISP, I'll be using Loopbacks in the range 10.10.10.x/32 on each Fortigate to establish the iBGP sessions. These Loopbacks, in turn, I will advertise in OSPF.<br>
2. On <em>Null</em><br>
a. Create Loopbacks for each blocking case: London only, NYC only, All borders, Backbone. We have to use Loopbacks for marking the routes because Fortigate has no notion of a <strong>tag</strong> (as Cisco does) to be matched later in a route-map, but it can match in a route-map on the <em>device</em> used in creating the static route.<br>
b. Create a route-map to use in the static-to-BGP redistribution. This route-map will match the Loopback set in the static route and will set the needed community accordingly. <br>
c. I will set <em>Null</em> as a Route Reflector to have maximum flexibility. This way I can block any route anywhere I want: only on the London border, or only in the Backbone. If I used <em>TLV-RR</em> for this, the route would be blocked in the Backbone as well, and preventing that would require lots of filtering on the RR. <br>
3. On <em>NYC-brdr</em> and <em>LON-brdr</em> create a route-map to match the communities advertised by <em>Null</em> (via <em>TLV-RR</em>) and set the next hop to the dummy IP 192.0.2.1/32, which is configured on a Loopback, this way dropping the incoming packets.<br>
4. Configure firewall policies to allow the BGP TCP sessions to the loopbacks to be established.</p>
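<p>Before reading the device configurations, it helps to see the whole chain end to end: the operator's static route on <em>Null</em>, the loopback-to-community mapping, the community-to-discard route-map on each receiving router, and the forwarding decision for a packet to the victim. The following is an added model of that chain (not code from the page or from FortiOS). The four communities come from the <em>Null</em> route-map shown further down, and JLM-Edge's match on 972:66 is on the page; which communities each border discards on (NYC: 777 and 888, LON: 999 and 888) is an assumption that follows the loopback names, and the base RIB with 192.168.15.0/24 reached via JLM-Edge's loopback 10.10.10.15 is constructed.</p>

```python
import ipaddress

# Community Null attaches per trigger loopback (from the Null route-map on the page)
TRIGGER_COMMUNITY = {
    "BlockNYonly": "777",
    "BlockLONonly": "999",
    "BlockALLabroad": "888",
    "BlockInBackbone": "972:66",
}
# Communities each router's inbound route-map turns into the discard next hop.
# JLM-Edge's (972:66) is on the page; the border lists are an assumption
# consistent with the loopback names (888 = both borders).
DISCARD_ON = {
    "JLM-Edge": {"972:66"},
    "NYC-brdr": {"777", "888"},
    "LON-brdr": {"999", "888"},
}
DISCARD_NEXT_HOP = "192.0.2.1"   # dummy IP that each router routes to a loopback


def null_static_to_bgp(static_routes):
    """Null: a static route with 'set device <trigger loopback>' hits the route-map's
    match-interface rule, which attaches the community and local-preference 110 so
    the advertisement is preferred over any other BGP path for the same prefix."""
    advertisements = []
    for prefix, device in static_routes:
        community = TRIGGER_COMMUNITY.get(device)
        if community is not None:     # any other static falls to the route-map's implicit deny
            advertisements.append({"prefix": prefix, "community": community, "local_pref": 110})
    return advertisements


def install(router, base_rib, advertisements):
    """Inbound route-map on a receiving router: a matching community rewrites the
    next hop to the dummy IP; anything else hits the implicit deny and is ignored."""
    rib = dict(base_rib)
    for adv in advertisements:
        if adv["community"] in DISCARD_ON[router]:
            rib[adv["prefix"]] = DISCARD_NEXT_HOP
    return rib


def forwarding_decision(rib, dst_ip):
    """Longest-prefix match; a next hop equal to the dummy IP means the packet is dropped."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return "no route"
    return "drop" if best[1] == DISCARD_NEXT_HOP else f"forward via {best[1]}"


if __name__ == "__main__":
    # Constructed base RIB on the borders: the client's /24 is reached via JLM-Edge's loopback
    base = {"192.168.15.0/24": "10.10.10.15"}
    advs = null_static_to_bgp([("192.168.15.15/32", "BlockLONonly")])
    for router in ("NYC-brdr", "LON-brdr", "JLM-Edge"):
        rib = install(router, base, advs)
        print(router, "->", forwarding_decision(rib, "192.168.15.15"),
              "| rest of /24:", forwarding_decision(rib, "192.168.15.20"))
```

<p>Running the block shows the property the task asks for: with the static route pointing at <em>BlockLONonly</em>, only LON-brdr drops traffic to 192.168.15.15, while NYC-brdr and JLM-Edge keep forwarding it, and on every router the rest of 192.168.15.0/24 is untouched because the /32 only shadows its own address. The implicit deny in <code>install()</code> is the same default-deny the page relies on in its route-maps; if a border were to accept Null's other-community routes with their original next hop, the victim traffic would be rerouted rather than dropped.</p>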
<h4>Configuration</h4>
<p>Although I configured all this following the steps defined above, I will show the final configuration with comments, to see the whole picture better. </p>
<p>The Route Reflector (RR) specific configuration is on the RR itself, <em>TLV-RR</em>; its client Fortigates will not even know they are peering with an RR. And on the RR the configuration is one line: <strong>set route-reflector-client enable</strong>.</p>
<p><strong>TLV-RR</strong>: </p>
<div class="highlight"><pre><span></span><code>TLV-RR <span class="c1"># show sys int</span>
config system interface
edit <span class="s2">"port1"</span>
<span class="nb">set</span> vdom <span class="s2">"root"</span>
<span class="nb">set</span> ip <span class="m">217</span>.132.10.16 <span class="m">255</span>.255.255.0
<span class="nb">set</span> allowaccess ping
<span class="nb">set</span> <span class="nb">type</span> physical
<span class="nb">set</span> snmp-index <span class="m">1</span>
next
edit <span class="s2">"Loop1"</span>
<span class="nb">set</span> vdom <span class="s2">"root"</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.16 <span class="m">255</span>.255.255.255
<span class="nb">set</span> allowaccess ping
<span class="nb">set</span> <span class="nb">type</span> loopback
<span class="nb">set</span> snmp-index <span class="m">6</span>
next
end
config router ospf
<span class="nb">set</span> router-id <span class="m">10</span>.10.10.16
config area
edit <span class="m">0</span>.0.0.0
next
end
config network
edit <span class="m">1</span>
<span class="nb">set</span> prefix <span class="m">10</span>.10.10.0 <span class="m">255</span>.255.255.0
next
edit <span class="m">2</span>
<span class="nb">set</span> prefix <span class="m">217</span>.132.10.0 <span class="m">255</span>.255.255.0
next
end
config router bgp
<span class="nb">set</span> as <span class="m">1680</span>
<span class="nb">set</span> router-id <span class="m">10</span>.10.10.16
config neighbor
edit <span class="s2">"10.10.10.15"</span>
<span class="nb">set</span> next-hop-self <span class="nb">enable</span>
<span class="nb">set</span> description <span class="s2">"JLM-Edge iBGP"</span>
<span class="nb">set</span> remote-as <span class="m">1680</span>
<span class="nb">set</span> update-source <span class="s2">"Loop1"</span>
<span class="nb">set</span> route-reflector-client <span class="nb">enable</span>
next
edit <span class="s2">"10.10.10.14"</span>
<span class="nb">set</span> description <span class="s2">"iBGP to Null Fortigate"</span>
<span class="nb">set</span> remote-as <span class="m">1680</span>
<span class="nb">set</span> update-source <span class="s2">"Loop1"</span>
<span class="nb">set</span> route-reflector-client <span class="nb">enable</span>
next
edit <span class="s2">"10.10.10.12"</span>
<span class="nb">set</span> description <span class="s2">"iBGP to NYC-brdr"</span>
<span class="nb">set</span> remote-as <span class="m">1680</span>
<span class="nb">set</span> update-source <span class="s2">"Loop1"</span>
<span class="nb">set</span> route-reflector-client <span class="nb">enable</span>
next
edit <span class="s2">"10.10.10.13"</span>
<span class="nb">set</span> description <span class="s2">"iBGP to LON-brdr"</span>
<span class="nb">set</span> remote-as <span class="m">1680</span>
<span class="nb">set</span> update-source <span class="s2">"Loop1"</span>
<span class="nb">set</span> route-reflector-client <span class="nb">enable</span>
next
end
<span class="c1">#### Rules to allow BGP (here I opened Any Any)</span>
config firewall policy
edit <span class="m">1</span>
<span class="nb">set</span> uuid e7648854-d704-51ea-8d3c-c3df80fa4145
<span class="nb">set</span> srcintf <span class="s2">"port1"</span>
<span class="nb">set</span> dstintf <span class="s2">"Loop1"</span>
<span class="nb">set</span> srcaddr <span class="s2">"all"</span>
<span class="nb">set</span> dstaddr <span class="s2">"all"</span>
<span class="nb">set</span> action accept
<span class="nb">set</span> status <span class="nb">enable</span>
<span class="nb">set</span> schedule <span class="s2">"always"</span>
<span class="nb">set</span> service <span class="s2">"ALL"</span>
next
end
</code></pre></div>
<p><strong>JLM-Edge</strong>: </p>
<div class="highlight"><pre><span></span><code>config system interface
edit <span class="s2">"port1"</span>
<span class="nb">set</span> vdom <span class="s2">"root"</span>
<span class="nb">set</span> ip <span class="m">217</span>.132.10.15 <span class="m">255</span>.255.255.0
<span class="nb">set</span> allowaccess ping
<span class="nb">set</span> <span class="nb">type</span> physical
<span class="nb">set</span> snmp-index <span class="m">1</span>
next
edit <span class="s2">"Loop1"</span>
<span class="nb">set</span> vdom <span class="s2">"root"</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.15 <span class="m">255</span>.255.255.255
<span class="nb">set</span> allowaccess ping
<span class="nb">set</span> <span class="nb">type</span> loopback
<span class="nb">set</span> snmp-index <span class="m">6</span>
config router static
edit <span class="m">1</span>
<span class="nb">set</span> dst <span class="m">192</span>.168.15.0 <span class="m">255</span>.255.255.0 <-- Using blackhole just to emulate client<span class="err">'</span>s network
<span class="nb">set</span> blackhole <span class="nb">enable</span>
next
edit <span class="m">2</span>
<span class="nb">set</span> dst <span class="m">192</span>.0.2.1 <span class="m">255</span>.255.255.255 <-- To blackhole received from Null routes
<span class="nb">set</span> device <span class="s2">"Loop1"</span>
next
<span class="nv">end</span>
<span class="o">====</span><span class="nv">OSPF</span><span class="o">====</span>
config router ospf
<span class="nb">set</span> router-id <span class="m">10</span>.10.10.15
config area
edit <span class="m">0</span>.0.0.0
next
end
config network
edit <span class="m">1</span>
<span class="nb">set</span> prefix <span class="m">10</span>.10.10.0 <span class="m">255</span>.255.255.0
next
edit <span class="m">2</span>
<span class="nb">set</span> prefix <span class="m">217</span>.132.10.0 <span class="m">255</span>.255.255.0
next
<span class="nv">end</span>
<span class="o">====</span><span class="nv">BGP</span><span class="o">====</span>
config router community-list
edit <span class="s2">"Null-community"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> action permit
<span class="nb">set</span> match <span class="s2">"972:66"</span> <-- match community <span class="k">in</span> incoming advertisements from Null
<-- match only routes marked to be blocked <span class="k">in</span> the backbone
<-- and ignore routes marked <span class="k">for</span> borders like <span class="s2">"999"</span> <span class="s2">"777"</span> etc
next
end
next
end
config router route-map
edit <span class="s2">"static-to-bgp"</span> <-- Route-map to mark valid ISP nets and so NOT to be blocked on borders
config rule <-- because using route-maps on peers on borders you have to allow or
edit <span class="m">1</span> <-- default action <span class="k">for</span> a route-map is <span class="s2">"deny"</span>
<span class="nb">set</span> set-community <span class="s2">"972"</span>
next
end
next
edit <span class="s2">"Null-in"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> match-community <span class="s2">"Null-community"</span>
<span class="nb">set</span> set-ip-nexthop <span class="m">192</span>.0.2.1
next
end
next
end
config router bgp
<span class="nb">set</span> as <span class="m">1680</span>
<span class="nb">set</span> router-id <span class="m">10</span>.10.10.15
<span class="nb">set</span> ibgp-multipath <span class="nb">enable</span>
config neighbor
edit <span class="s2">"10.10.10.16"</span>
<span class="nb">set</span> description <span class="s2">"to TLV-RR"</span>
<span class="nb">set</span> remote-as <span class="m">1680</span>
<span class="nb">set</span> update-source <span class="s2">"Loop1"</span>
next
edit <span class="s2">"10.10.10.14"</span>
<span class="nb">set</span> description <span class="s2">"to Null"</span>
<span class="nb">set</span> remote-as <span class="m">1680</span>
<span class="nb">set</span> route-map-in <span class="s2">"Null-in"</span>
<span class="nb">set</span> update-source <span class="s2">"Loop1"</span>
next
end
config redistribute <span class="s2">"static"</span>
<span class="nb">set</span> status <span class="nb">enable</span>
<span class="nb">set</span> route-map <span class="s2">"static-to-bgp"</span>
end
config firewall policy
edit <span class="m">1</span>
<span class="nb">set</span> uuid bbbca664-d704-51ea-fd5b-3f412ea323a7
<span class="nb">set</span> srcintf <span class="s2">"port1"</span>
<span class="nb">set</span> dstintf <span class="s2">"Loop1"</span>
<span class="nb">set</span> srcaddr <span class="s2">"all"</span>
<span class="nb">set</span> dstaddr <span class="s2">"all"</span>
<span class="nb">set</span> action accept
<span class="nb">set</span> status <span class="nb">enable</span>
<span class="nb">set</span> schedule <span class="s2">"always"</span>
<span class="nb">set</span> service <span class="s2">"ALL"</span>
next
end
</code></pre></div>
<p><strong>Null</strong>: </p>
<div class="highlight"><pre><span></span><code><span class="c1">#### OSPF</span>
config router ospf
<span class="nb">set</span> router-id <span class="m">10</span>.10.10.14
config area
edit <span class="m">0</span>.0.0.0
next
end
config network
edit <span class="m">1</span>
<span class="nb">set</span> prefix <span class="m">10</span>.10.10.0 <span class="m">255</span>.255.255.0
next
edit <span class="m">2</span>
<span class="nb">set</span> prefix <span class="m">217</span>.132.10.0 <span class="m">255</span>.255.255.0
next
end
<span class="c1">#### Interfaces</span>
config system interface
edit <span class="s2">"port1"</span>
<span class="nb">set</span> vdom <span class="s2">"root"</span>
<span class="nb">set</span> ip <span class="m">217</span>.132.10.14 <span class="m">255</span>.255.255.0
<span class="nb">set</span> allowaccess ping
<span class="nb">set</span> <span class="nb">type</span> physical
<span class="nb">set</span> snmp-index <span class="m">1</span>
edit <span class="s2">"Loop1"</span>
<span class="nb">set</span> vdom <span class="s2">"root"</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.14 <span class="m">255</span>.255.255.255
<span class="nb">set</span> <span class="nb">type</span> loopback
<span class="nb">set</span> snmp-index <span class="m">6</span>
edit <span class="s2">"BlockNYonly"</span> <-- device to route static via to block <span class="k">in</span> NYC border only
<span class="nb">set</span> vdom <span class="s2">"root"</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.133 <span class="m">255</span>.255.255.255 <-- The IP is of no importance as long as it is <span class="k">in</span> RIB
<span class="nb">set</span> <span class="nb">type</span> loopback <-- of both border routers, otherwise they will ignore
<span class="nb">set</span> snmp-index <span class="m">7</span> <-- routes with such next hop
next
edit <span class="s2">"BlockLONonly"</span> <-- device to route static via to block <span class="k">in</span> LON border only
<span class="nb">set</span> vdom <span class="s2">"root"</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.134 <span class="m">255</span>.255.255.255
<span class="nb">set</span> <span class="nb">type</span> loopback
<span class="nb">set</span> snmp-index <span class="m">8</span>
next
edit <span class="s2">"BlockALLabroad"</span> <-- device to route static via to block <span class="k">in</span> both borders
<span class="nb">set</span> vdom <span class="s2">"root"</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.135 <span class="m">255</span>.255.255.255
<span class="nb">set</span> <span class="nb">type</span> loopback
<span class="nb">set</span> snmp-index <span class="m">9</span>
next
edit <span class="s2">"BlockInBackbone"</span>
<span class="nb">set</span> vdom <span class="s2">"root"</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.137 <span class="m">255</span>.255.255.255
<span class="nb">set</span> <span class="nb">type</span> loopback
<span class="nb">set</span> snmp-index <span class="m">10</span>
next
end
<span class="c1">#### BGP</span>
<span class="c1">#### Now I will use the devices set above to match them in route-map and set communities</span>
config router route-map
edit <span class="s2">"static-to-blackhole-redustribute"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> match-interface <span class="s2">"BlockNYonly"</span>
<span class="nb">set</span> set-community <span class="s2">"777"</span>
<span class="nb">set</span> set-local-preference <span class="m">110</span> <-- this ensures forceful route installation <span class="k">in</span> the RIB
next <-- not relying on whole BGP best route decision tree,
edit <span class="m">2</span> <-- the default being <span class="m">100</span>
<span class="nb">set</span> match-interface <span class="s2">"BlockALLabroad"</span>
<span class="nb">set</span> set-community <span class="s2">"888"</span>
<span class="nb">set</span> set-local-preference <span class="m">110</span>
next
edit <span class="m">3</span>
<span class="nb">set</span> match-interface <span class="s2">"BlockLONonly"</span>
<span class="nb">set</span> set-community <span class="s2">"999"</span>
<span class="nb">set</span> set-local-preference <span class="m">110</span>
next
edit <span class="m">4</span>
<span class="nb">set</span> match-interface <span class="s2">"BlockInBackbone"</span>
<span class="nb">set</span> set-community <span class="s2">"972:66"</span>
<span class="nb">set</span> set-local-preference <span class="m">110</span>
next
end
next
end
config router bgp
<span class="nb">set</span> as <span class="m">1680</span>
<span class="nb">set</span> router-id <span class="m">10</span>.10.10.14
config neighbor
edit <span class="s2">"10.10.10.12"</span>
<span class="nb">set</span> description <span class="s2">"NYC-brdr peer"</span>
<span class="nb">set</span> remote-as <span class="m">1680</span>
<span class="nb">set</span> update-source <span class="s2">"Loop1"</span>
<span class="nb">set</span> route-reflector-client <span class="nb">enable</span>
next
edit <span class="s2">"10.10.10.13"</span>
<span class="nb">set</span> description <span class="s2">"LON-brdr"</span>
<span class="nb">set</span> remote-as <span class="m">1680</span>
<span class="nb">set</span> update-source <span class="s2">"Loop1"</span>
<span class="nb">set</span> route-reflector-client <span class="nb">enable</span>
next
edit <span class="s2">"10.10.10.15"</span>
<span class="nb">set</span> description <span class="s2">"JLM-Edge"</span>
<span class="nb">set</span> remote-as <span class="m">1680</span>
<span class="nb">set</span> update-source <span class="s2">"Loop1"</span>
<span class="nb">set</span> route-reflector-client <span class="nb">enable</span>
next
end
config redistribute <span class="s2">"static"</span>
<span class="nb">set</span> status <span class="nb">enable</span>
<span class="nb">set</span> route-map <span class="s2">"static-to-blackhole-redustribute"</span>
end
end
<span class="c1">#### Security rules</span>
config firewall policy
edit <span class="m">1</span>
<span class="nb">set</span> uuid 91f83000-d704-51ea-c18a-05722bcbe7de
<span class="nb">set</span> srcintf <span class="s2">"port1"</span>
<span class="nb">set</span> dstintf <span class="s2">"Loop1"</span>
<span class="nb">set</span> srcaddr <span class="s2">"all"</span>
<span class="nb">set</span> dstaddr <span class="s2">"all"</span>
<span class="nb">set</span> action accept
<span class="nb">set</span> status <span class="nb">enable</span>
<span class="nb">set</span> schedule <span class="s2">"always"</span>
<span class="nb">set</span> service <span class="s2">"BGP"</span> <span class="s2">"ALL_ICMP"</span>
next
end
</code></pre></div>
<p><strong>NYC-brdr</strong>: </p>
<div class="highlight"><pre><span></span><code>config system interface
edit <span class="s2">"port1"</span>
<span class="nb">set</span> vdom <span class="s2">"root"</span>
<span class="nb">set</span> ip <span class="m">11</span>.11.11.2 <span class="m">255</span>.255.255.0
<span class="nb">set</span> allowaccess ping
<span class="nb">set</span> <span class="nb">type</span> physical
<span class="nb">set</span> snmp-index <span class="m">1</span>
next
edit <span class="s2">"port2"</span>
<span class="nb">set</span> vdom <span class="s2">"root"</span>
<span class="nb">set</span> ip <span class="m">217</span>.132.10.12 <span class="m">255</span>.255.255.0
<span class="nb">set</span> allowaccess ping
<span class="nb">set</span> <span class="nb">type</span> physical
<span class="nb">set</span> snmp-index <span class="m">2</span>
next
edit <span class="s2">"Loop1"</span>
<span class="nb">set</span> vdom <span class="s2">"root"</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.12 <span class="m">255</span>.255.255.255
<span class="nb">set</span> allowaccess ping
<span class="nb">set</span> <span class="nb">type</span> loopback
<span class="nb">set</span> snmp-index <span class="m">6</span>
next
end
<span class="c1">#### OSPF</span>
config router ospf
<span class="nb">set</span> router-id <span class="m">10</span>.10.10.12
config area
edit <span class="m">0</span>.0.0.0
next
end
config network
edit <span class="m">1</span>
<span class="nb">set</span> prefix <span class="m">10</span>.10.10.0 <span class="m">255</span>.255.255.0
next
edit <span class="m">2</span>
<span class="nb">set</span> prefix <span class="m">217</span>.132.10.0 <span class="m">255</span>.255.255.0
next
end
<span class="c1">#### Static route to dummy IP</span>
config router static
edit <span class="m">1</span>
<span class="nb">set</span> status disable
<span class="nb">set</span> dst <span class="m">192</span>.0.2.1 <span class="m">255</span>.255.255.255 <-- This one does NOT work <span class="k">in</span> Fortigate, so <span class="nb">set</span> status to disable
<span class="nb">set</span> blackhole <span class="nb">enable</span>
next
edit <span class="m">2</span>
<span class="nb">set</span> dst <span class="m">192</span>.0.2.1 <span class="m">255</span>.255.255.255 <-- Dummy IP address to use as next hop <span class="k">for</span> the blocked net
<span class="nb">set</span> device <span class="s2">"Loop1"</span>
next
end
<span class="c1">#### BGP</span>
config router community-list <-- Community list to match all possible communities received from
<-- Null and other routers via RR
edit <span class="s2">"blackhole-777"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> action permit
<span class="nb">set</span> match <span class="s2">"777"</span> <-- Block on NYC only
next
end
next
edit <span class="s2">"blackhole-888"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> action permit
<span class="nb">set</span> match <span class="s2">"888"</span> <-- Block on all borders
next
end
next
edit <span class="s2">"blackhole-999"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> action permit
<span class="nb">set</span> match <span class="s2">"999"</span> <-- Block on LON border only
next
end
next
edit <span class="s2">"972"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> action permit
<span class="nb">set</span> match <span class="s2">"972"</span> <-- Explicit allow <span class="k">for</span> the rest of the networks
next
end
next
end
<span class="c1">#### Route-map to set next hop to dummy 192.0.2.1 based on received community</span>
config router route-map
edit <span class="s2">"core-in"</span>
config rule
edit <span class="m">4</span>
<span class="nb">set</span> match-community <span class="s2">"972"</span>
next
end
next
edit <span class="s2">"null-in"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> match-community <span class="s2">"blackhole-777"</span>
<span class="nb">set</span> set-community <span class="s2">"no-export"</span> <-- Also crucial NOT to advertise to Uplink Providers
<span class="nb">set</span> set-ip-nexthop <span class="m">192</span>.0.2.1
next
edit <span class="m">2</span>
<span class="nb">set</span> match-community <span class="s2">"blackhole-888"</span>
<span class="nb">set</span> set-community <span class="s2">"no-export"</span>
<span class="nb">set</span> set-ip-nexthop <span class="m">192</span>.0.2.1
next
edit <span class="m">3</span>
<span class="nb">set</span> action deny
<span class="nb">set</span> match-community <span class="s2">"blackhole-999"</span> <-- This community is <span class="s2">"block on LON only"</span>
<-- so we match and deny it from being learned on NYC border
next
end
next
end
config router bgp
<span class="nb">set</span> as <span class="m">1680</span>
<span class="nb">set</span> router-id <span class="m">10</span>.10.10.12
config neighbor
edit <span class="s2">"10.10.10.16"</span>
<span class="nb">set</span> next-hop-self <span class="nb">enable</span>
<span class="nb">set</span> remote-as <span class="m">1680</span>
<span class="nb">set</span> route-map-in <span class="s2">"core-in"</span>
<span class="nb">set</span> update-source <span class="s2">"Loop1"</span>
next
edit <span class="s2">"11.11.11.1"</span>
<span class="nb">set</span> remote-as <span class="m">111</span>
next
edit <span class="s2">"10.10.10.14"</span>
<span class="nb">set</span> description <span class="s2">"to Null"</span>
<span class="nb">set</span> next-hop-self <span class="nb">enable</span>
<span class="nb">set</span> remote-as <span class="m">1680</span>
<span class="nb">set</span> route-map-in <span class="s2">"null-in"</span>
<span class="nb">set</span> update-source <span class="s2">"Loop1"</span>
next
end
end
<span class="c1">#### Security Policy</span>
config firewall policy
edit <span class="m">1</span>
<span class="nb">set</span> uuid 5d023b0c-d704-51ea-5e81-8f7b62bf960f
<span class="nb">set</span> srcintf <span class="s2">"port2"</span>
<span class="nb">set</span> dstintf <span class="s2">"Loop1"</span>
<span class="nb">set</span> srcaddr <span class="s2">"all"</span>
<span class="nb">set</span> dstaddr <span class="s2">"all"</span>
<span class="nb">set</span> action accept
<span class="nb">set</span> status <span class="nb">enable</span>
<span class="nb">set</span> schedule <span class="s2">"always"</span>
<span class="nb">set</span> service <span class="s2">"BGP"</span> <span class="s2">"ALL_ICMP"</span>
next
edit <span class="m">2</span>
<span class="nb">set</span> uuid 7b44234a-d7cd-51ea-adfe-8b7ecc491823
<span class="nb">set</span> srcintf <span class="s2">"port1"</span>
<span class="nb">set</span> dstintf <span class="s2">"port2"</span>
<span class="nb">set</span> srcaddr <span class="s2">"all"</span>
<span class="nb">set</span> dstaddr <span class="s2">"all"</span>
<span class="nb">set</span> action accept
<span class="nb">set</span> status <span class="nb">enable</span>
<span class="nb">set</span> schedule <span class="s2">"always"</span>
<span class="nb">set</span> service <span class="s2">"ALL_ICMP"</span>
next
end
</code></pre></div>
<p><strong>LON-brdr</strong>: </p>
<div class="highlight"><pre><span></span><code>config system interface
edit <span class="s2">"port1"</span>
<span class="nb">set</span> vdom <span class="s2">"root"</span>
<span class="nb">set</span> ip <span class="m">22</span>.22.22.2 <span class="m">255</span>.255.255.0
<span class="nb">set</span> allowaccess ping ssh
<span class="nb">set</span> <span class="nb">type</span> physical
<span class="nb">set</span> snmp-index <span class="m">1</span>
next
edit <span class="s2">"port2"</span>
<span class="nb">set</span> vdom <span class="s2">"root"</span>
<span class="nb">set</span> ip <span class="m">217</span>.132.10.13 <span class="m">255</span>.255.255.0
<span class="nb">set</span> allowaccess ping ssh
<span class="nb">set</span> <span class="nb">type</span> physical
<span class="nb">set</span> snmp-index <span class="m">2</span>
next
edit <span class="s2">"Loop1"</span>
<span class="nb">set</span> vdom <span class="s2">"root"</span>
<span class="nb">set</span> ip <span class="m">10</span>.10.10.13 <span class="m">255</span>.255.255.255
<span class="nb">set</span> <span class="nb">type</span> loopback
<span class="nb">set</span> snmp-index <span class="m">6</span>
next
end
config router ospf
<span class="nb">set</span> router-id <span class="m">10</span>.10.10.13
config area
edit <span class="m">0</span>.0.0.0
next
end
config network
edit <span class="m">1</span>
<span class="nb">set</span> prefix <span class="m">10</span>.10.10.0 <span class="m">255</span>.255.255.0
next
edit <span class="m">2</span>
<span class="nb">set</span> prefix <span class="m">217</span>.132.10.0 <span class="m">255</span>.255.255.0
next
end
<span class="c1">#### Static route to dummy IP</span>
config router static
edit <span class="m">1</span>
<span class="nb">set</span> dst <span class="m">192</span>.0.2.1 <span class="m">255</span>.255.255.255
<span class="nb">set</span> device <span class="s2">"Loop1"</span>
next
end
<span class="c1">#### Community list to match all possible communities in incoming advertisements</span>
config router community-list
edit <span class="s2">"blackhole-777"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> action permit
<span class="nb">set</span> match <span class="s2">"777"</span>
next
end
next
edit <span class="s2">"blackhole-888"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> action permit
<span class="nb">set</span> match <span class="s2">"888"</span>
next
end
next
edit <span class="s2">"blackhole-999"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> action permit
<span class="nb">set</span> match <span class="s2">"999"</span>
next
end
next
edit <span class="s2">"972"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> action permit
<span class="nb">set</span> match <span class="s2">"972"</span>
next
end
next
end
config router route-map
edit <span class="s2">"null-in"</span>
config rule
edit <span class="m">1</span>
<span class="nb">set</span> action deny
<span class="nb">set</span> match-community <span class="s2">"blackhole-777"</span>
next
edit <span class="m">2</span>
<span class="nb">set</span> match-community <span class="s2">"blackhole-888"</span>
<span class="nb">set</span> set-community <span class="s2">"no-export"</span>
<span class="nb">set</span> set-ip-nexthop <span class="m">192</span>.0.2.1
next
edit <span class="m">3</span>
<span class="nb">set</span> match-community <span class="s2">"blackhole-999"</span>
<span class="nb">set</span> set-community <span class="s2">"no-export"</span>
<span class="nb">set</span> set-ip-nexthop <span class="m">192</span>.0.2.1
next
end
next
end
config router bgp
<span class="nb">set</span> as <span class="m">1680</span>
<span class="nb">set</span> router-id <span class="m">10</span>.10.10.13
config neighbor
edit <span class="s2">"10.10.10.16"</span>
<span class="nb">set</span> next-hop-self <span class="nb">enable</span>
<span class="nb">set</span> remote-as <span class="m">1680</span>
<span class="nb">set</span> route-map-in <span class="s2">"core-in"</span>
<span class="nb">set</span> update-source <span class="s2">"Loop1"</span>
next
edit <span class="s2">"22.22.22.1"</span>
<span class="nb">set</span> remote-as <span class="m">222</span>
next
edit <span class="s2">"10.10.10.14"</span>
<span class="nb">set</span> next-hop-self <span class="nb">enable</span>
<span class="nb">set</span> description <span class="s2">"Null"</span>
<span class="nb">set</span> remote-as <span class="m">1680</span>
<span class="nb">set</span> route-map-in <span class="s2">"null-in"</span>
<span class="nb">set</span> update-source <span class="s2">"Loop1"</span>
next
end
end
config firewall policy
edit <span class="m">1</span>
<span class="nb">set</span> uuid 0e33f9de-d704-51ea-1b88-c04fbc5dd50e
<span class="nb">set</span> srcintf <span class="s2">"port2"</span>
<span class="nb">set</span> dstintf <span class="s2">"Loop1"</span>
<span class="nb">set</span> srcaddr <span class="s2">"all"</span>
<span class="nb">set</span> dstaddr <span class="s2">"all"</span>
<span class="nb">set</span> action accept
<span class="nb">set</span> status <span class="nb">enable</span>
<span class="nb">set</span> schedule <span class="s2">"always"</span>
<span class="nb">set</span> service <span class="s2">"BGP"</span> <span class="s2">"ALL_ICMP"</span>
next
edit <span class="m">2</span>
<span class="nb">set</span> uuid b3b2409e-da26-51ea-6424-b69bc5e89403
<span class="nb">set</span> srcintf <span class="s2">"port1"</span>
<span class="nb">set</span> dstintf <span class="s2">"port2"</span>
<span class="nb">set</span> srcaddr <span class="s2">"all"</span>
<span class="nb">set</span> dstaddr <span class="s2">"all"</span>
<span class="nb">set</span> action accept
<span class="nb">set</span> status <span class="nb">enable</span>
<span class="nb">set</span> schedule <span class="s2">"always"</span>
<span class="nb">set</span> service <span class="s2">"ALL_ICMP"</span>
next
end
</code></pre></div>
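<p>The three configs above spread one policy over three boxes: the outgoing device of a static route on <em>Null</em> decides the community, and each border's <code>null-in</code> route-map decides whether that community is blackholed locally or silently denied. The following Python model is an added example, not code from the original post; it reproduces that logic so the full "which border drops what" matrix can be checked in one place. Device names, community values (777/888/999/972:66), local preference 110 and the dummy next hop 192.0.2.1 are taken from the configs; the function names and the implicit-deny behaviour when no route-map rule matches are assumptions made for illustration.</p>

```python
"""Model of the community-driven blackhole policy from the three Fortigate configs.

Added example, not code from the original post. Device names, communities,
local-preference 110 and the dummy next hop 192.0.2.1 come from the configs;
function names and the "implicit deny when no route-map rule matches"
behaviour are assumptions used for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DUMMY_NEXT_HOP = "192.0.2.1"   # every border has a static route for it via Loop1
NULL_ROUTER_ID = "10.10.10.14"

# Null router, route-map "static-to-blackhole-redustribute":
# outgoing device of the static route -> community tagged on redistribution.
DEVICE_TO_COMMUNITY = {
    "BlockNYonly": "777",
    "BlockLONonly": "999",
    "BlockALLabroad": "888",
    "BlockInBackbone": "972:66",
}

# Border routers, route-map "null-in" applied inbound on the session to Null.
# Rules are evaluated top to bottom; the first community match wins.
NULL_IN_RULES: Dict[str, List[tuple]] = {
    "NYC-brdr": [("777", "blackhole"), ("888", "blackhole"), ("999", "deny")],
    "LON-brdr": [("777", "deny"), ("888", "blackhole"), ("999", "blackhole")],
}


@dataclass
class Route:
    prefix: str
    next_hop: str
    communities: List[str] = field(default_factory=list)
    local_pref: int = 100


def null_redistribute(prefix: str, device: str) -> Optional[Route]:
    """What Null advertises for a static route to `prefix` via `device`."""
    community = DEVICE_TO_COMMUNITY.get(device)
    if community is None:
        return None  # no route-map rule matches, so nothing is redistributed (assumption)
    # local-preference 110 beats the default 100, forcing installation in the RIB
    return Route(prefix, NULL_ROUTER_ID, [community], local_pref=110)


def border_null_in(border: str, route: Route) -> Optional[Route]:
    """Apply a border's "null-in" route-map to a route received from Null."""
    for community, action in NULL_IN_RULES[border]:
        if community not in route.communities:
            continue
        if action == "deny":
            return None
        # permit: next hop becomes the dummy address, and no-export keeps the
        # prefix from ever being announced to the eBGP uplinks
        return Route(route.prefix, DUMMY_NEXT_HOP,
                     route.communities + ["no-export"], route.local_pref)
    return None  # implicit deny when no rule matches (assumption)


def blackhole_matrix(prefix: str, device: str) -> Dict[str, str]:
    """Which borders drop traffic to `prefix` when Null routes it via `device`."""
    advertised = null_redistribute(prefix, device)
    result = {}
    for border in NULL_IN_RULES:
        installed = border_null_in(border, advertised) if advertised else None
        if installed is None:
            result[border] = "unaffected"
        elif installed.next_hop == DUMMY_NEXT_HOP and "no-export" in installed.communities:
            result[border] = "blackholed"
        else:
            result[border] = "installed-unsafe"  # would be learned without the safety tags
    return result


if __name__ == "__main__":
    for dev in DEVICE_TO_COMMUNITY:
        print(f"{dev:16} -> {blackhole_matrix('192.168.15.15/32', dev)}")
```

<p>Running it prints one line per blocking device; the "BlockInBackbone" row shows both borders as unaffected because neither <code>null-in</code> route-map has a rule for 972:66, which is the intended behaviour for a backbone-only block. The model is also a cheap regression check when a rule is added or reordered on one border: any row that comes back "installed-unsafe" means a route-map permit without the no-export tag.</p>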
<p><strong>Note</strong>: The following Cisco CSR1000 and Juniper vSRX configs are not Fortigate-specific; the eBGP peers could be any other devices, but if you'd like to set up the same environment, here they are:</p>
<p><strong>Cisco CSR1000</strong>: </p>
<div class="highlight"><pre><span></span><code>CSR1000-LON#show run
version <span class="m">15</span>.6
hostname CSR1000-LON
! Loopbacks below simulate <span class="s2">"Internet"</span> routes, just <span class="k">for</span> verification later
interface Loopback1
ip address <span class="m">22</span>.22.1.1 <span class="m">255</span>.255.255.255
!
interface Loopback2
ip address <span class="m">22</span>.22.2.2 <span class="m">255</span>.255.255.255
!
interface GigabitEthernet1
ip address <span class="m">22</span>.22.22.1 <span class="m">255</span>.255.255.0
negotiation auto
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
!
router bgp <span class="m">222</span>
bgp log-neighbor-changes
neighbor <span class="m">22</span>.22.22.2 remote-as <span class="m">1680</span>
!
address-family ipv4
redistribute connected
neighbor <span class="m">22</span>.22.22.2 activate
neighbor <span class="m">22</span>.22.22.2 send-community
exit-address-family
!
</code></pre></div>
<p><strong>Juniper vSRX JUNOS 12.1X47-D20.7</strong>: </p>
<div class="highlight"><pre><span></span><code>root@JuniperSRX-NYC# show <span class="p">|</span> display <span class="nb">set</span>
<span class="nb">set</span> version <span class="m">12</span>.1X47-D20.7
<span class="nb">set</span> system host-name JuniperSRX-NYC
<span class="nb">set</span> system root-authentication encrypted-password <span class="s2">"</span><span class="nv">$1$fFpvN</span><span class="s2">/YL</span><span class="nv">$XD</span><span class="s2">/nQzMH6v8OtcZCeW/0v/"</span>
<span class="nb">set</span> system services ssh
<span class="nb">set</span> system services web-management http interface ge-0/0/0.0
<span class="c1"># Interface</span>
<span class="nb">set</span> interfaces ge-0/0/0 unit <span class="m">0</span> family inet address <span class="m">11</span>.11.11.1/24
<span class="nb">set</span> interfaces lo0 unit <span class="m">0</span> family inet address <span class="m">11</span>.11.1.1/32
<span class="nb">set</span> interfaces lo0 unit <span class="m">0</span> family inet address <span class="m">11</span>.11.3.1/32
<span class="c1"># BGP </span>
<span class="nb">set</span> routing-options router-id <span class="m">11</span>.11.11.1
<span class="nb">set</span> routing-options autonomous-system <span class="m">111</span>
<span class="nb">set</span> protocols bgp group eBGP <span class="nb">type</span> external
<span class="nb">set</span> protocols bgp group eBGP local-address <span class="m">11</span>.11.11.1
<span class="nb">set</span> protocols bgp group eBGP peer-as <span class="m">1680</span>
<span class="nb">set</span> protocols bgp group eBGP neighbor <span class="m">11</span>.11.11.2 <span class="nb">export</span> connected-to-bgp
<span class="nb">set</span> policy-options policy-statement connected-to-bgp from protocol direct
<span class="nb">set</span> policy-options policy-statement connected-to-bgp <span class="k">then</span> accept
<span class="c1"># Firewall, defaults plus untrust zone configs to allow BGP and pings</span>
<span class="nb">set</span> security policies from-zone trust to-zone trust policy default-permit match source-address any
<span class="nb">set</span> security policies from-zone trust to-zone trust policy default-permit match destination-address any
<span class="nb">set</span> security policies from-zone trust to-zone trust policy default-permit match application any
<span class="nb">set</span> security policies from-zone trust to-zone trust policy default-permit <span class="k">then</span> permit
<span class="nb">set</span> security policies from-zone trust to-zone untrust policy default-permit match source-address any
<span class="nb">set</span> security policies from-zone trust to-zone untrust policy default-permit match destination-address any
<span class="nb">set</span> security policies from-zone trust to-zone untrust policy default-permit match application any
<span class="nb">set</span> security policies from-zone trust to-zone untrust policy default-permit <span class="k">then</span> permit
<span class="nb">set</span> security policies from-zone untrust to-zone trust policy default-deny match source-address any
<span class="nb">set</span> security policies from-zone untrust to-zone trust policy default-deny match destination-address any
<span class="nb">set</span> security policies from-zone untrust to-zone trust policy default-deny match application any
<span class="nb">set</span> security policies from-zone untrust to-zone trust policy default-deny <span class="k">then</span> deny
<span class="nb">set</span> security policies from-zone untrust to-zone untrust policy default-permit match source-address any
<span class="nb">set</span> security policies from-zone untrust to-zone untrust policy default-permit match destination-address any
<span class="nb">set</span> security policies from-zone untrust to-zone untrust policy default-permit match application any
<span class="nb">set</span> security policies from-zone untrust to-zone untrust policy default-permit <span class="k">then</span> permit
<span class="nb">set</span> security zones security-zone trust tcp-rst
<span class="nb">set</span> security zones security-zone trust host-inbound-traffic system-services ping
<span class="nb">set</span> security zones security-zone trust host-inbound-traffic protocols bgp
<span class="nb">set</span> security zones security-zone untrust screen untrust-screen
<span class="c1"># Allow BGP incoming (not enabled by default), but also ping only for verification</span>
<span class="nb">set</span> security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
<span class="nb">set</span> security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
<span class="nb">set</span> security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
<span class="nb">set</span> security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
<span class="nb">set</span> security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
<span class="nb">set</span> security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
<span class="nb">set</span> security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols bgp
<span class="c1"># Redundant firewall packet (stateless) filter, not used afterwards</span>
<span class="nb">set</span> firewall filter CPP-IN term BGP-ICMP-in from protocol icmp
<span class="nb">set</span> firewall filter CPP-IN term BGP-ICMP-in <span class="k">then</span> accept
<span class="nb">set</span> firewall filter CPP-IN term ALLOWALL <span class="k">then</span> accept
</code></pre></div>
<h3>Verification</h3>
<p>I will try to block the address 192.168.15.15/32 on the London border only. For this I will add a static route to it on the <em>Null</em> Fortigate with
the outgoing device being "BlockLONonly": </p>
<div class="highlight"><pre><span></span><code>Null <span class="o">(</span>static<span class="o">)</span> <span class="c1">#</span>
config router static
edit <span class="m">5</span>
<span class="nb">set</span> dst <span class="m">192</span>.168.15.15 <span class="m">255</span>.255.255.255
<span class="nb">set</span> device <span class="s2">"BlockLONonly"</span>
next
end
</code></pre></div>
<p>Let's make sure it is indeed advertised to borders and advertised with the correct community (999):</p>
<h3>get router info bgp neighbors 10.10.10.16 advertised</h3>
<div class="highlight"><pre><span></span><code>Null <span class="c1"># get router info bgp neighbors 10.10.10.16 advertised</span>
Network Next Hop Metric LocPrf Weight RouteTag Path
*>i192.168.15.15/32 <span class="m">10</span>.10.10.14 <span class="m">110</span> <span class="m">32768</span> <span class="m">0</span> ? <-- advertised and with the correct Local Preference of <span class="m">110</span>
Total number of prefixes <span class="m">1</span>
</code></pre></div>
<h3>get router info bgp network 192.168.15.15/32</h3>
<div class="highlight"><pre><span></span><code>Null <span class="c1"># get router info bgp network 192.168.15.15/32</span>
BGP routing table entry <span class="k">for</span> <span class="m">192</span>.168.15.15/32
Paths: <span class="o">(</span><span class="m">1</span> available, best <span class="c1">#1, table Default-IP-Routing-Table)</span>
Advertised to non peer-group peers:
<span class="m">10</span>.10.10.16
Local
<span class="m">0</span>.0.0.0 from <span class="m">0</span>.0.0.0 <span class="o">(</span><span class="m">10</span>.10.10.14<span class="o">)</span>
Origin incomplete, localpref <span class="m">110</span>, weight <span class="m">32768</span>, valid, sourced, best
Community: <span class="m">0</span>:999 <-- The correct community is <span class="nb">set</span>
Last update: Sun Aug <span class="m">9</span> <span class="m">09</span>:32:16 <span class="m">2020</span>
</code></pre></div>
<p>Next is to make sure the advertised route is received by <em>LON-brdr</em> and is installed with the next hop being local Loopback.</p>
<h3>get router info bgp neighbors 10.10.10.14 routes</h3>
<div class="highlight"><pre><span></span><code>LON-brdr <span class="c1"># get router info bgp neighbors 10.10.10.14 routes</span>
BGP table version is <span class="m">14</span>, <span class="nb">local</span> router ID is <span class="m">10</span>.10.10.13
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*>i192.168.15.15/32 <span class="m">192</span>.0.2.1 <span class="m">0</span> <span class="m">110</span> <span class="m">0</span> <span class="m">0</span> ?
Total number of prefixes <span class="m">1</span>
<--- the route is indeed advertised and <span class="nb">local</span> route-map sets next hop to <span class="m">192</span>.0.2.1 as expected, good.
</code></pre></div>
<p>Let's see the RIB of the London border: </p>
<div class="highlight"><pre><span></span><code>LON-brdr <span class="c1"># alias rt</span>
Routing table <span class="k">for</span> <span class="nv">VRF</span><span class="o">=</span><span class="m">0</span>
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external <span class="nb">type</span> <span class="m">1</span>, N2 - OSPF NSSA external <span class="nb">type</span> <span class="m">2</span>
E1 - OSPF external <span class="nb">type</span> <span class="m">1</span>, E2 - OSPF external <span class="nb">type</span> <span class="m">2</span>
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
O <span class="m">10</span>.10.10.12/32 <span class="o">[</span><span class="m">110</span>/101<span class="o">]</span> via <span class="m">217</span>.132.10.12, port2, <span class="m">06</span>:19:21
C <span class="m">10</span>.10.10.13/32 is directly connected, Loop1
O <span class="m">10</span>.10.10.14/32 <span class="o">[</span><span class="m">110</span>/101<span class="o">]</span> via <span class="m">217</span>.132.10.14, port2, <span class="m">06</span>:19:21
O <span class="m">10</span>.10.10.15/32 <span class="o">[</span><span class="m">110</span>/101<span class="o">]</span> via <span class="m">217</span>.132.10.15, port2, <span class="m">03</span>:16:15
O <span class="m">10</span>.10.10.16/32 <span class="o">[</span><span class="m">110</span>/101<span class="o">]</span> via <span class="m">217</span>.132.10.16, port2, <span class="m">06</span>:19:21
O <span class="m">10</span>.10.10.133/32 <span class="o">[</span><span class="m">110</span>/101<span class="o">]</span> via <span class="m">217</span>.132.10.14, port2, <span class="m">06</span>:19:21
O <span class="m">10</span>.10.10.134/32 <span class="o">[</span><span class="m">110</span>/101<span class="o">]</span> via <span class="m">217</span>.132.10.14, port2, <span class="m">06</span>:19:21
O <span class="m">10</span>.10.10.135/32 <span class="o">[</span><span class="m">110</span>/101<span class="o">]</span> via <span class="m">217</span>.132.10.14, port2, <span class="m">06</span>:19:21
O <span class="m">10</span>.10.10.137/32 <span class="o">[</span><span class="m">110</span>/101<span class="o">]</span> via <span class="m">217</span>.132.10.14, port2, <span class="m">00</span>:43:27
B <span class="m">11</span>.11.1.1/32 <span class="o">[</span><span class="m">200</span>/0<span class="o">]</span> via <span class="m">10</span>.10.10.12 <span class="o">(</span>recursive via <span class="m">217</span>.132.10.12<span class="o">)</span>, <span class="m">02</span>:25:11
B <span class="m">11</span>.11.3.1/32 <span class="o">[</span><span class="m">200</span>/0<span class="o">]</span> via <span class="m">10</span>.10.10.12 <span class="o">(</span>recursive via <span class="m">217</span>.132.10.12<span class="o">)</span>, <span class="m">02</span>:25:11
B <span class="m">11</span>.11.11.0/24 <span class="o">[</span><span class="m">200</span>/0<span class="o">]</span> via <span class="m">10</span>.10.10.12 <span class="o">(</span>recursive via <span class="m">217</span>.132.10.12<span class="o">)</span>, <span class="m">02</span>:25:11
B <span class="m">22</span>.22.1.1/32 <span class="o">[</span><span class="m">20</span>/0<span class="o">]</span> via <span class="m">22</span>.22.22.1, port1, <span class="m">06</span>:20:02
B <span class="m">22</span>.22.2.2/32 <span class="o">[</span><span class="m">20</span>/0<span class="o">]</span> via <span class="m">22</span>.22.22.1, port1, <span class="m">06</span>:20:02
C <span class="m">22</span>.22.22.0/24 is directly connected, port1
S <span class="m">192</span>.0.2.1/32 <span class="o">[</span><span class="m">10</span>/0<span class="o">]</span> is directly connected, Loop1
B <span class="m">192</span>.168.15.0/24 <span class="o">[</span><span class="m">200</span>/0<span class="o">]</span> via <span class="m">10</span>.10.10.15 <span class="o">(</span>recursive via <span class="m">217</span>.132.10.15<span class="o">)</span>, <span class="m">00</span>:21:24
B <span class="m">192</span>.168.15.15/32 <span class="o">[</span><span class="m">200</span>/0<span class="o">]</span> via <span class="m">192</span>.0.2.1 <span class="o">(</span>recursive is directly connected, Loop1<span class="o">)</span>, <span class="m">00</span>:02:52
<--- The required IP is installed <span class="k">in</span> RIB with the next hop being dummy address, so packets to it will be dropped. At the same <span class="nb">time</span> the whole network <span class="m">192</span>.168.15.0/24 is unaffected as expected.
</code></pre></div>
<p>Make sure this blocked network is not advertised to our eBGP peers by mistake:</p>
<div class="highlight"><pre><span></span><code>LON-brdr <span class="c1"># get router info bgp network 192.168.15.15/32</span>
BGP routing table entry <span class="k">for</span> <span class="m">192</span>.168.15.15/32
Paths: <span class="o">(</span><span class="m">1</span> available, best <span class="c1">#1, table Default-IP-Routing-Table, not advertised to EBGP peer) <-- Good, no eBGP ads to CSR1000</span>
Not advertised to any peer
<span class="m">192</span>.0.2.1 from <span class="m">10</span>.10.10.14 <span class="o">(</span><span class="m">10</span>.10.10.14<span class="o">)</span>
Origin incomplete metric <span class="m">0</span>, localpref <span class="m">110</span>, valid, internal, best
Community: no-export
Last update: Sun Aug <span class="m">9</span> <span class="m">13</span>:08:06 <span class="m">2020</span>
</code></pre></div>
<p>We can also ping from CSR1000: </p>
<div class="highlight"><pre><span></span><code>CSR1000-LON#ping <span class="m">192</span>.168.15.15
Type escape sequence to abort.
Sending <span class="m">5</span>, <span class="m">100</span>-byte ICMP Echos to <span class="m">192</span>.168.15.15, timeout is <span class="m">2</span> seconds:
.....
Success rate is <span class="m">0</span> percent <span class="o">(</span><span class="m">0</span>/5<span class="o">)</span>
</code></pre></div>
<p>And from vSRX (NYC), which can (potentially) reach the net. As I don't have this IP 192.168.15.15 set on any interface, the ping will reach the <em>JLM-Edge</em> and then be dropped:</p>
<div class="highlight"><pre><span></span><code>root@JuniperSRX-NYC# run ping <span class="m">192</span>.168.15.15
PING <span class="m">192</span>.168.15.15 <span class="o">(</span><span class="m">192</span>.168.15.15<span class="o">)</span>: <span class="m">56</span> data bytes
<span class="m">92</span> bytes from <span class="m">217</span>.132.10.15: Destination Net Unreachable <-- <span class="m">217</span>.132.10.15 is WAN IP of JLM-Edge
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
<span class="m">4</span> <span class="m">5</span> <span class="m">00</span> <span class="m">0054</span> 16a8 <span class="m">0</span> <span class="m">0000</span> 3f <span class="m">01</span> 7f3e <span class="m">11</span>.11.11.1 <span class="m">192</span>.168.15.15
</code></pre></div>
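<p>The three checks above (the /32 sits in the RIB behind the dummy next hop, the covering /24 is untouched, and the prefix is not advertised to eBGP peers) can be scripted against the CLI output. The following Python is an added example, not code from the post: the two input snippets are constructed after the <code>get router info routing-table all</code> and <code>get router info bgp network</code> output shown above, and the dummy next hop 192.0.2.1 is passed in as a parameter.</p>

```python
"""Verify a BGP blackhole from Fortigate CLI output: the /32 must point at
the dummy next hop, the covering network must keep its real next hop, and
the /32 must not be advertised to eBGP peers.

Added example, not from the original post. ROUTES and BGP_ENTRY are
constructed after the output the post shows.
"""
import ipaddress
import re
from typing import Dict, List

# 'via' route lines as printed by 'get router info routing-table all', e.g.
# B  192.168.15.15/32 [200/0] via 192.0.2.1 (recursive is directly connected, Loop1), 00:02:52
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"\[\d+/\d+\]\s+via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)"
)


def parse_routes(text: str) -> Dict[str, Dict[str, str]]:
    """Return {prefix: {'proto': ..., 'nexthop': ...}} for every 'via' route."""
    routes: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes[m["prefix"]] = {"proto": m["proto"], "nexthop": m["nexthop"]}
    return routes


def covering_route(routes: Dict[str, Dict[str, str]], prefix: str):
    """Longest-match route that contains `prefix` but is not `prefix` itself."""
    net = ipaddress.ip_network(prefix)
    best = None
    for cand_prefix, route in routes.items():
        cand = ipaddress.ip_network(cand_prefix)
        if cand != net and cand.supernet_of(net):
            if best is None or cand.prefixlen > best[0].prefixlen:
                best = (cand, route)
    return best


def check_blackhole(routes_text: str, bgp_entry_text: str,
                    prefix: str, dummy_nexthop: str) -> List[str]:
    """Return findings; an empty list means the blackhole is in place and contained."""
    findings: List[str] = []
    routes = parse_routes(routes_text)
    route = routes.get(prefix)
    if route is None:
        findings.append(f"{prefix} not in RIB")
    else:
        if route["proto"] != "B":
            findings.append(f"{prefix} learned via {route['proto']}, not BGP")
        if route["nexthop"] != dummy_nexthop:
            findings.append(f"{prefix} next hop is {route['nexthop']}, expected dummy {dummy_nexthop}")
    # The surrounding network must still be reachable through a real next hop.
    cover = covering_route(routes, prefix)
    if cover is None:
        findings.append(f"no covering route for {prefix}")
    elif cover[1]["nexthop"] == dummy_nexthop:
        findings.append(f"covering route {cover[0]} is blackholed too")
    # iBGP propagation is expected; leaking the /32 to eBGP peers is not.
    if "not advertised to EBGP peer" not in bgp_entry_text:
        findings.append(f"{prefix} is advertised to an eBGP peer")
    if "no-export" not in bgp_entry_text:
        findings.append(f"{prefix} lacks the no-export community")
    return findings


# Constructed sample input, modelled on the post's output.
ROUTES = """\
B       192.168.15.0/24 [200/0] via 10.10.10.15 (recursive via 217.132.10.15), 00:21:24
B       192.168.15.15/32 [200/0] via 192.0.2.1 (recursive is directly connected, Loop1), 00:02:52
S       192.0.2.1/32 [10/0] is directly connected, Loop1
"""
BGP_ENTRY = """\
BGP routing table entry for 192.168.15.15/32
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to EBGP peer)
  Not advertised to any peer
  192.0.2.1 from 10.10.10.14 (10.10.10.14)
    Origin incomplete metric 0, localpref 110, valid, internal, best
    Community: no-export
"""

if __name__ == "__main__":
    problems = check_blackhole(ROUTES, BGP_ENTRY, "192.168.15.15/32", "192.0.2.1")
    print("OK: blackhole in place and contained" if not problems else "\n".join(problems))
```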
<h2>Additional Resources</h2>
<ul>
<li>This Fortigate BGP Cookbook on Github so you can follow for updates: <a href="https://github.com/yuriskinfo/cookbooks/blob/master/fortigate-bgp-cookbook.md" target="_blank" rel="noopener">https://github.com/yuriskinfo/cookbooks/blob/master/fortigate-bgp-cookbook.md</a> </li>
<li>My Complete Fortigate Debug Cheat Sheet: <a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc" rel="noopener">Fortigate debug and diagnose commands complete cheat sheet</a> | <a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.pdf" rel="noopener">PDF</a> </li>
<li>My earlier blog post <a href="https://yurisk.info/2010/03/26/fortigate-bgp-configure-and-debug/"> Fortigate BGP - configure and debug</a> </li>
</ul>
<h2>References</h2>
<ul>
<li>BLACKHOLE Community RFC <a href="https://yurisk.info/assets/rfc7999.txt" target="_blank" rel="noopener">rfc7999</a> </li>
</ul>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>AWS cli cookbook2020-04-19T11:59:25+00:002020-04-19T11:59:25+00:00Yuri Slobodyanyuktag:yurisk.info,2020-04-19:/2020/04/19/aws-cli-cookbook/<p><a href="#ee1">Get a list of all the buckets under user account</a><br>
<a href="#ee2">Recursively list contents of a given bucket <em>yurisk.info</em></a><br>
<a href="#ee3">Recursively list contents of a given bucket printing sizes in a friendly format</a><br>
<a href="#ee4">List contents of a bucket, add summary for number of objects and their total size</a><br>
<a href="#ee5">Get access-list associated with the bucket provided you have permissions to do so on this bucket</a><br>
<a href="#ee6">Create bucket in default region specified in configuration file</a><br>
<a href="#ee7">Create the bucket in a given region</a><br>
<a href="#ee8">Delete an empty bucket, if it is not empty fails with the error <code>BucketNotEmpty</code></a><br>
<a href="#ee9">Force deleting non empty bucket provided that objects in it have not been versioned</a><br>
<a href="#ee10">Simulate removing without deleting anything</a><br>
<a href="#ee11">Delete recursively contents of a bucket, bucket itself is not deleted</a><br>
<a href="#ee12">Delete recursively all files in a bucket except JPEG and PNG</a><br>
<a href="#ee13">Delete only files with a given extension (here JPG)</a><br>
<a href="#ee14">Delete an empty bucket</a><br>
<a href="#ee15">Set the existing S3 bucket <em>yurisk.info</em> for hosting the website with the default served document being index.html and the error page for any 4xx response error codes being error.html</a><br>
<a href="#ee16">Make sure HTML pages of the bucket are accessible by anyone for reading</a><br>
<a href="#ee17">Verify the website configuration</a><br>
<a href="#ee18">Delete website configuration from a bucket (doesn't delete any objects iside the bucket)</a> <br>
<a href="#ee19">Upload local file <em>index.html</em> to the bucket <em>yurisk.info</em> at the location <em>/tag/nmap/</em> and set website redirection to the <em>http://yurisk.info</em>, also set ACL to <code>public-read</code></a> <br>
<a href="##20">Create expiring link/hot-link to the object in s3 bucket, pre-sign link</a> </p>
<p><a name="ee1"></a> </p>
<h3>Get a list of all the buckets under user account</h3>
<div class="highlight"><pre><span></span><code> aws s3 ls
</code></pre></div>
<p><a name="ee2"></a> </p>
<h3>Recursively list contents of a given bucket</h3>
<p>The bucket here is <em>yurisk.info</em>. </p>
<div class="highlight"><pre><span></span><code> aws s3 ls yurisk.info --recursive
</code></pre></div>
<p><a name="ee3"></a> </p>
<h3>Recursively list contents of a given bucket printing sizes in a friendly format</h3>
<div class="highlight"><pre><span></span><code> aws s3 ls yurisk.com --recursive --human
</code></pre></div>
<p><a name="ee4"></a> </p>
<h3>List contents of a bucket, add summary for number of objects and their total size</h3>
<div class="highlight"><pre><span></span><code>aws s3 ls yurisk.info --summarize --human --recursive
</code></pre></div>
<p><a name="ee5"></a> </p>
<h3>Get access-list associated with the bucket provided you have permissions to do so on this bucket</h3>
<div class="highlight"><pre><span></span><code>aws s3api get-bucket-acl --bucket yurisk.info
</code></pre></div>
<p><a name="ee6"></a> </p>
<h3>Create bucket in default region specified in configuration file</h3>
<div class="highlight"><pre><span></span><code>aws s3 mb s3://testbucket
</code></pre></div>
<p><a name="ee7"></a> </p>
<h3>Create the bucket in a given region</h3>
<div class="highlight"><pre><span></span><code>aws s3 mb s3://testbucket --region us-east-1
</code></pre></div>
<p><a name="ee8"></a> </p>
<h3>Delete an empty bucket, if it is not empty fails with the error <code>BucketNotEmpty</code></h3>
<div class="highlight"><pre><span></span><code>aws s3 rb yurisk.info
</code></pre></div>
<p><a name="ee9"></a> </p>
<h3>Force deleting non empty bucket provided that objects in it have not been versioned</h3>
<div class="highlight"><pre><span></span><code>aws s3 rb s3://yurisk.com --force
</code></pre></div>
<p><a name="ee10"></a> </p>
<h3>Simulate removing without deleting anything</h3>
<div class="highlight"><pre><span></span><code>aws s3 rm s3://yurisk.info --dryrun --rec
</code></pre></div>
<p><a name="ee11"></a> </p>
<h3>Delete recursively contents of a bucket, bucket itself is not deleted</h3>
<div class="highlight"><pre><span></span><code>aws s3 rm s3://yurisk.info --recursive
</code></pre></div>
<p><a name="ee12"></a> </p>
<h3>Delete recursively all files in a bucket except JPEG and PNG</h3>
<div class="highlight"><pre><span></span><code>aws s3 rm s3://yurisk.info --recursive --exclude <span class="s2">"*.jpg"</span> --exclude <span class="s2">"*.png"</span>
</code></pre></div>
<p><a name="ee13"></a> </p>
<h3>Delete only files with a given extension (here JPG)</h3>
<div class="highlight"><pre><span></span><code>aws s3 rm s3://yurisk.info --recursive --exclude <span class="s2">"*"</span> --include <span class="s2">"*.jpg"</span>
</code></pre></div>
<p><a name="ee14"></a> </p>
<h3>Delete an empty bucket</h3>
<div class="highlight"><pre><span></span><code>aws s3api delete-bucket --bucket yurisk.info
</code></pre></div>
<p><a name="ee15"></a> </p>
<h3>Set the existing S3 bucket <em>yurisk.info</em> for hosting the website with the default served document being <em>index.html</em> and the error page for any 4xx response error codes being <em>error.html</em></h3>
<div class="highlight"><pre><span></span><code>aws s3 website s3://yurisk.info/ --index-document index.html --error-document error.html
</code></pre></div>
<p><a name="ee16"></a> </p>
<h3>Make sure HTML pages of the bucket are accessible by anyone for reading</h3>
<div class="highlight"><pre><span></span><code>aws s3api get-bucket-acl --bucket yurisk.info
</code></pre></div>
<p><a name="ee17"></a> </p>
<h3>Verify the website configuration</h3>
<div class="highlight"><pre><span></span><code>aws s3api get-bucket-website --bucket yurisk.info
</code></pre></div>
<p><a name="ee18"></a> </p>
<h3>Delete website configuration from a bucket (doesn't delete any objects inside the bucket)</h3>
<div class="highlight"><pre><span></span><code>aws s3api delete-bucket-website --bucket yurisk.info
</code></pre></div>
<p><a name="ee19"></a> </p>
<h3>Upload local file <em>index.html</em> to the bucket <em>yurisk.info</em> at the location <em>/tag/nmap/</em> and set website redirection to the <em>http://yurisk.info</em>, also set ACL to <code>public-read</code></h3>
<div class="highlight"><pre><span></span><code>aws s3api put-object --bucket yurisk.info --key /tag/nmap/index.html --website-redirect-location http://yurisk.info --body C:/Users/yurisk.info/tag/nmap/index.html --acl public-read
</code></pre></div>
<p><a name="ee20"></a> </p>
<h3>Create expiring link/hot-link to the object in s3 bucket, pre-sign link</h3>
<div class="highlight"><pre><span></span><code>aws s3 presign s3://yurisk.info/download.me --expires-in <span class="m">259200</span> --profile awsadminprofile --region eu-west-1
</code></pre></div>
<p>Here:<br>
<code>download.me</code> - the object in S3 to create the download link for. NOTE: you don't have to make this object public in any way; still, anyone who obtains the link has read access to the object until the link expires.<br>
<code>--expires-in 259200</code> - expiration time, counted from now, in <strong>seconds</strong>. Here it is set to 3 days. If this parameter is absent, the default expiration is 3600 seconds, i.e. 1 hour.<br>
<code>--region &lt;name&gt;</code> - region of the object, if it differs from the default one set in your AWS profile. <br>
<code>--profile</code> - optional. Only needed if you have multiple AWS IAM user profiles configured on the host. </p>
<p>Output: </p>
<div class="highlight"><pre><span></span><code>ttps://yurisk.info.s3.amazonaws.com/download.me?AWSAccessKeyId<span class="o">=</span>AKIA2QEA3PKXP5TYM2GO<span class="p">&</span><span class="nv">Signature</span><span class="o">=</span>0WU7257sOAy9odrh6Fs88d0Vp94%3D<span class="p">&</span><span class="nv">Expires</span><span class="o">=</span><span class="m">1599498917</span>
</code></pre></div>
<p>The <code>Expires</code> value in the URL is the Unix epoch time (in seconds) at which the link stops working.</p>
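<p>As an added example (not part of the original post), a small Python audit that takes a pre-signed link of the kind shown above, reports which access key signed it and when it stops working, and flags links that stay usable for longer than the 3-day lifetime used here. The sample URLs and access key ids in it are constructed placeholders; the SigV4 query style it also accepts (<code>X-Amz-Date</code>/<code>X-Amz-Expires</code>) goes beyond what this post shows.</p>

```python
"""Audit S3 pre-signed URLs: which key signed them, when they stop working,
and whether their lifetime is within policy.

Added example, not from the original post. Handles the query style of the
post's output (AWSAccessKeyId / Signature / Expires) and, beyond the post,
the SigV4 style (X-Amz-Date / X-Amz-Expires). Sample URLs are constructed;
the access key ids and signatures in them are placeholders.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Policy ceiling: the post signs for 259200 s (3 days). A longer-lived
# hot-link widens the window in which a leaked link is still usable.
MAX_LIFETIME = timedelta(seconds=259200)


def parse_presigned_url(url: str) -> dict:
    """Extract bucket, key, signing access key id and expiry instant.

    Assumes virtual-hosted style hosts (<bucket>.s3[.region].amazonaws.com).
    Raises ValueError when the URL carries no recognisable signature.
    """
    parts = urlparse(url)
    qs = parse_qs(parts.query)
    info = {
        "bucket": parts.hostname.split(".s3")[0] if parts.hostname else None,
        "key": parts.path.lstrip("/"),
    }
    if "Expires" in qs:
        # SigV2 style: Expires is an absolute Unix epoch (seconds), which is
        # what the Expires=... in the post's output means.
        info["access_key_id"] = qs.get("AWSAccessKeyId", [None])[0]
        info["expires_at"] = datetime.fromtimestamp(int(qs["Expires"][0]), tz=timezone.utc)
        info["lifetime"] = None  # the issue time is not carried in the URL
    elif "X-Amz-Date" in qs and "X-Amz-Expires" in qs:
        # SigV4 style: signing instant plus a lifetime in seconds.
        issued = datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
        issued = issued.replace(tzinfo=timezone.utc)
        lifetime = timedelta(seconds=int(qs["X-Amz-Expires"][0]))
        cred = qs.get("X-Amz-Credential", [None])[0]
        info["access_key_id"] = cred.split("/")[0] if cred else None
        info["expires_at"] = issued + lifetime
        info["lifetime"] = lifetime
    else:
        raise ValueError("no S3 pre-signed signature parameters found")
    return info


def audit_presigned_url(url: str, now: datetime,
                        max_lifetime: timedelta = MAX_LIFETIME) -> dict:
    """Classify a link as 'expired', 'too-long' or 'ok' relative to `now`.

    'too-long' means the link stays usable for more than max_lifetime from
    now, or (SigV4) was signed for longer than max_lifetime in the first place.
    """
    info = parse_presigned_url(url)
    remaining = info["expires_at"] - now
    signed_too_long = info["lifetime"] is not None and info["lifetime"] > max_lifetime
    if remaining <= timedelta(0):
        verdict = "expired"
    elif remaining > max_lifetime or signed_too_long:
        verdict = "too-long"
    else:
        verdict = "ok"
    info["remaining_seconds"] = int(remaining.total_seconds())
    info["verdict"] = verdict
    return info


# Constructed samples (placeholder key ids and signatures, not real ones).
# 1599436800 is 2020-09-07 00:00:00 UTC.
SIGV2_URL = ("https://example-bucket.s3.amazonaws.com/download.me"
             "?AWSAccessKeyId=AKIAEXAMPLEKEY000000&Signature=abc%3D&Expires=1599436800")
SIGV4_URL = ("https://example-bucket.s3.eu-west-1.amazonaws.com/download.me"
             "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
             "&X-Amz-Credential=AKIAEXAMPLEKEY000000%2F20200904%2Feu-west-1%2Fs3%2Faws4_request"
             "&X-Amz-Date=20200904T120000Z&X-Amz-Expires=604800"
             "&X-Amz-SignedHeaders=host&X-Amz-Signature=deadbeef")

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for url in (SIGV2_URL, SIGV4_URL):
        r = audit_presigned_url(url, now)
        print(f"{r['bucket']}/{r['key']}: {r['verdict']}, signed by {r['access_key_id']}, "
              f"expires {r['expires_at'].isoformat()}")
```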
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>RAD ETX 203, 205, 220 debug and information commands2020-03-21T12:18:03+00:002020-03-21T12:18:03+00:00Yuri Slobodyanyuktag:yurisk.info,2020-03-21:/2020/03/21/rad-etx-203-203-220-debug-and-information-commands-examples/<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel1">
<li><a href="#_cheat_sheet_of_debug_commands">Cheat sheet of debug commands</a></li>
<li><a href="#_examples">Examples</a>
<ul class="sectlevel2">
<li><a href="#_show_configure_port_summary">show configure port summary</a></li>
<li><a href="#_show_config_port_eth_4_2_status">show config port eth 4/2 status</a></li>
<li><a href="#_show_config_port_eth_4_1_statistics">show config port eth 4/1 statistics</a></li>
<li><a href="#_measuring_the_traffic_rate_passing_the_interface">Measuring the traffic rate passing the interface</a></li>
<li><a href="#_run_ping_between_2_etxes">Run ping between 2 ETXes</a></li>
<li><a href="#_show_config_system_system_date">show config system system-date</a></li>
<li><a href="#_show_configure_flows_summary_brief">show configure flows summary brief</a></li>
<li><a href="#_show_configure_flows_summary_detail">show configure flows summary detail</a></li>
<li><a href="#_show_config_reporting_brief_alarm_log">show config reporting brief-alarm-log</a></li>
</ul>
</li>
<li><a href="#_resources">Resources</a></li>
</ul>
</div>
<div class="paragraph">
<p>Carrier Ethernet Devices by <a href="https://www.rad.com/">RAD</a> (ETX-203AX, ETX-203AM, ETX-203AX-T, ETX-205A, ETX-220A) are quite popular with telco companies around the world for connecting end clients to the backbone at layer 2. And while reference documentation is available, I couldn’t find the debug/information commands digest on the Internet at all. This post, I hope, comes to fill the gap.</p>
</div>
<div class="paragraph">
<p>The commands below are meant to be run on the device CLI itself, not on a
provisioning system of some kind (e.g. RADvision). I show examples of using them below as well.</p>
</div>
<div class="sect1">
<h2 id="_cheat_sheet_of_debug_commands">Cheat sheet of debug commands</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show configure port summary</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show port summary: state (up/down), speed</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show config port <em>name</em> status</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show port status: administrative and operational states, speed/duplex,
connector type, MAC address, and most important (for fiber) - RX/TX signal power
(dBm)</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show config port <em>name</em> statistics</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Statistics of the port: total bits/frames passed,maximum/minimum bits/sec
seen, and most interesting - CRC errors, error frames, oversize frames,
discards.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>config port ethernet <em>number</em></strong>
</p><p class="tableblock"><strong>clear-statistics</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Clear all statistics/counters for this port.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>config flow</strong>
</p><p class="tableblock"><strong>flow <em>flow-name</em></strong>
</p><p class="tableblock"><strong>show statistics running</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show detailed counters for the given flow, will include <code>bps</code>, max/min <code>bps</code>
seen after reboot, <code>drops</code> if any.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>config port <em>name</em></strong>
</p><p class="tableblock"><strong>rate-measure interval <em>seconds</em></strong>
</p><p class="tableblock"><strong>show rate</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show port utilization in bits/sec in real-time</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><em>Responder:</em>
</p><p class="tableblock"><strong>config flow</strong>
</p><p class="tableblock"><strong>service-ping-response local-ip 13.13.13.2/30 next-hop 13.13.13.1 egress-port
ethernet 4/2 vlan 777</strong>
</p><p class="tableblock"><em>Ping sender:</em>
</p><p class="tableblock"><strong>config flow</strong>
</p><p class="tableblock">service-ping local-ip 13.13.13.1/30 dst-ip 13.13.13.2 next-hop 13.13.13.2
egress-port ethernet 4/1 vlan 777 number-of-packets 10 payload-size 1450</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Send ping over the client vlan (here 777) from ETX to ETX to measure latency
and packet loss. You configure one ETX as responder and another one as sender.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show configure flows summary brief</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">List all flows configured on this ETX briefly</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show configure flows summary details</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">List all flows configured on this ETX with details</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>config flow <em>name</em></strong>
</p><p class="tableblock"><strong>mac-learning</strong>
</p><p class="tableblock"><strong>show mac-table</strong>
</p><p class="tableblock"><strong>no mac-learning</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Enable MAC address learning inside a flow and show the MAC table. The <em>flow</em>
should be the one where
those MAC addresses are supposed to be learned, and in the appropriate
direction. E.g. if the equipment of the end client is connected to ETX port
<code>ethernet 0/10</code>, then you should run this command under the flow that has
<code>ingress port 0/10</code>, to see if the ETX can see client’s equipment. WARNING:
after showing the results, make sure to disable the MAC learning, as it may
interfere with the client’s traffic.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show config system system-date</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show system time of the appliance, important for logs/alarms correlation.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show config reporting brief-alarm-log</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show alarms log, their severity/state/last raised time</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>exit all</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Exit all sub-configuration modes to the top level.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show file startup</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show startup configuration.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>save</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Save the configuration.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="_examples">Examples</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="_show_configure_port_summary">show configure port summary</h3>
<div class="paragraph">
<p>Output:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>Port Number        Name       Admin   Oper   Speed
-----------------------------------------------------------------------------
Ethernet 0/101     MNG-ETH    Up      Up     100000000
Ethernet 1/1       ETH-1/1    Up      Up     1000000000
Ethernet 1/2       ETH-1/2    Up      Down   1000000000
Ethernet 1/3       ETH-1/3    Up      Down   1000000000
Ethernet 1/4       ETH-1/4    Up      Down   1000000000
Ethernet 1/5       ETH-1/5    Up      Down   1000000000</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_config_port_eth_4_2_status">show config port eth 4/2 status</h3>
<div class="listingblock">
<div class="content">
<pre>Name ETH-4/2
Administrative Status : Up
Operational Status : Up
Connector Type : XFP In
Auto Negotiation : Disabled
Speed And Duplex : 10G FX Full Duplex
MAC Address : 00-20-D2-AA-AA-AA
SFP
-----------------------------------------------------------------------------
Connector Type : LC
Manufacturer Name : MRV
Manufacturer Part Number : XFP-10GD-SX
Typical Maximum Range (Meter): 82
Wave Length (nm) : 850.00
Fiber Type : MM
RX Power (dBm) : -3.1 dBm
TX Power (dBm) : -2.6 dBm
Laser Bias (mA) : 2.0 mA
Laser Temperature (Celsius) : 39.0 C
Power Supply (V) : 3.02 V</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_config_port_eth_4_1_statistics">show config port eth 4/1 statistics</h3>
<div class="listingblock">
<div class="content">
<pre>Rates Sampling Window
-----------------------------------------------------------------------------
Window Size [Min.]          : 15
Window Remain Time [Min.]   : 9
Running
-----------------------------------------------------------------------------
Counter                        Rx               Tx
Total Frames                   2049273965       12684791780
Total Octets                   1035148165812    8985802047420
Total Frames/Sec               226              927
Total Bits/Sec                 376416           7256088
Minimum Bits/Sec               138984           5216176
Maximum Bits/Sec               16865840         42490664
Total Bits/Sec (L1)            412603           7404440
Minimum Bits/Sec (L1)          167304           5355056
Maximum Bits/Sec (L1)          16986640         42612264
Total Bits/Sec (L2)            376416           7256088
Minimum Bits/Sec (L2)          138984           5216176
Maximum Bits/Sec (L2)          16865840         42490664
Unicast Frames                 1112614221       12425146359
Multicast Frames               866141791        108411074
Broadcast Frames               70518377         151236130
CRC Errors                     1
Error Frames                   0
L2CP Discarded                 0
OAM Discarded                  0
Unknown Protocol Discarded     0
CRC Errors/Sec                 0
Jabber Errors                  0
Oversize Frames                0                0
Unmapped Cos Frames            0                --
MTU Discarded                  --               0
64 Octets                      21190551         42432272
65-127 Octets                  1180598932       4979404426
128-255 Octets                 196747840        843109301
256-511 Octets                 58653981         985646955
512-1023 Octets                34030086         667058975
1024-1518 Octets               36603900         4471126030
1519-2047 Octets               521449100        696016158
2048-Max Octets                0                0
MTU Discarded Flow             --               --</pre>
</div>
</div>
</div>
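<div class="paragraph">
<p>When checking many ports, the interesting part of that output is the handful of error and discard counters. The Python below is an added example (not from the post): it parses the whitespace-separated counter table into (Rx, Tx) pairs, flags the error counters that are non-zero, and relates CRC errors to the frames received. The sample text is constructed after the output above; the assumption that single-value rows such as <code>CRC Errors 1</code> are receive-side counters is marked in the code.</p>
</div>

```python
"""Parse RAD ETX 'show config port ... statistics' output and flag error
counters.

Added example, not from the original post. The ETX prints whitespace-
separated columns, Rx first then Tx, with "--" where a counter does not
apply; SAMPLE_STATISTICS below is constructed after the post's output.
"""
import re
from typing import Dict, List, Optional, Tuple

Counter = Tuple[Optional[int], Optional[int]]  # (rx, tx); None means "--" or absent

# Counters whose non-zero value means frames were corrupted or dropped.
ERROR_COUNTERS = (
    "CRC Errors", "Error Frames", "Jabber Errors", "Oversize Frames",
    "L2CP Discarded", "OAM Discarded", "Unknown Protocol Discarded",
    "MTU Discarded", "Unmapped Cos Frames",
)

_VALUE = re.compile(r"^(\d+|--)$")


def _to_int(token: str) -> Optional[int]:
    return None if token == "--" else int(token)


def parse_port_statistics(text: str) -> Dict[str, Counter]:
    """Return {counter name: (rx, tx)} for the table under the 'Counter Rx Tx' header."""
    stats: Dict[str, Counter] = {}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_table:
            in_table = line.startswith("Counter")  # header row: Counter Rx Tx
            continue
        if not line or line.startswith("-"):
            continue
        tokens = line.split()
        values: List[str] = []
        while tokens and _VALUE.match(tokens[-1]):
            values.insert(0, tokens.pop())
        if not tokens or not values:
            continue
        name = " ".join(tokens)
        if len(values) == 1:
            # Assumption: single-column rows (e.g. "CRC Errors 1") are receive-side.
            stats[name] = (_to_int(values[0]), None)
        else:
            stats[name] = (_to_int(values[-2]), _to_int(values[-1]))
    return stats


def flag_errors(stats: Dict[str, Counter]) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """Return the error counters that are non-zero in either direction."""
    flagged = []
    for name in ERROR_COUNTERS:
        rx, tx = stats.get(name, (None, None))
        if (rx or 0) > 0 or (tx or 0) > 0:
            flagged.append((name, rx, tx))
    return flagged


def crc_errors_per_million_frames(stats: Dict[str, Counter]) -> float:
    """CRC errors relative to frames received; 0.0 when nothing was received."""
    crc, _ = stats.get("CRC Errors", (0, None))
    total_rx, _ = stats.get("Total Frames", (0, None))
    if not total_rx:
        return 0.0
    return (crc or 0) * 1e6 / total_rx


# Constructed sample, modelled on the post's 'show config port eth 4/1 statistics'.
SAMPLE_STATISTICS = """\
Rates Sampling Window
-----------------------------------------------------------------------------
Window Size [Min.]         : 15
Window Remain Time [Min.]  : 9
Running
-----------------------------------------------------------------------------
Counter                      Rx              Tx
Total Frames                 2049273965      12684791780
Total Octets                 1035148165812   8985802047420
Total Frames/Sec             226             927
Unicast Frames               1112614221      12425146359
CRC Errors                   1
Error Frames                 0
L2CP Discarded               0
Unknown Protocol Discarded   0
Jabber Errors                0
Oversize Frames              0               0
Unmapped Cos Frames          0               --
MTU Discarded                --              0
64 Octets                    21190551        42432272
MTU Discarded Flow           --              --
"""

if __name__ == "__main__":
    parsed = parse_port_statistics(SAMPLE_STATISTICS)
    for name, rx, tx in flag_errors(parsed):
        print(f"{name}: rx={rx} tx={tx}")
    print(f"CRC errors per million frames received: {crc_errors_per_million_frames(parsed):.4f}")
```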
<div class="sect2">
<h3 id="_measuring_the_traffic_rate_passing_the_interface">Measuring the traffic rate passing the interface</h3>
<div class="listingblock">
<div class="content">
<pre>ETX220AA>config>port>eth(4/1)# rate-measure interval 10
ETX220AA>config>port>eth(4/1)# show rate
ETX220AA>config>port>eth(4/1)# show rate
Name                        : ETH-4/1
Status                      : In Progress
Time Left to Elapse (Sec)   : 7
ETX220AA>config>port>eth(4/1)#
Name                        : ETH-4/1
Status                      : Passed
Start Time                  : 22-03-2020 13:11:30 UTC +03:00
Duration (Sec)              : 10
                              L1              L2
Rx Rate (bps)               : 186987.20       156491.20
Tx Rate (bps)               : 6879152.00      6729664.00</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_run_ping_between_2_etxes">Run ping between 2 ETXes</h3>
<div class="listingblock">
<div class="content">
<pre>ETX220AA>config>flows# service-ping local-ip 13.13.13.1/30 dst-ip 13.13.13.2 next-hop 13.13.13.2 egress-port ethernet 4/1 vlan 777 number-of-packets 10 payload-size 1450
# Redundant next-hop for destination in local-ip subnet
Reply from 13.13.13.2: bytes = 1450, packet number = 0, time <= 6 ms
Reply from 13.13.13.2: bytes = 1450, packet number = 1, time <= 2 ms
Reply from 13.13.13.2: bytes = 1450, packet number = 2, time <= 3 ms
Reply from 13.13.13.2: bytes = 1450, packet number = 3, time <= 3 ms
Reply from 13.13.13.2: bytes = 1450, packet number = 4, time <= 3 ms
Reply from 13.13.13.2: bytes = 1450, packet number = 5, time <= 3 ms
Reply from 13.13.13.2: bytes = 1450, packet number = 6, time <= 3 ms
Reply from 13.13.13.2: bytes = 1450, packet number = 7, time <= 3 ms
Reply from 13.13.13.2: bytes = 1450, packet number = 8, time <= 3 ms
Reply from 13.13.13.2: bytes = 1450, packet number = 9, time <= 3 ms
10 packets transmitted. 10 packets received, 0% packet loss
round-trip (ms) min/avg/max = 2/3/6</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_config_system_system_date">show config system system-date</h3>
<div class="listingblock">
<div class="content">
<pre>22-03-2020 13:18:39 UTC +03:00</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_configure_flows_summary_brief">show configure flows summary brief</h3>
<div class="listingblock">
<div class="content">
<pre>Name                        Ingress
  Admin | Oper | Classification               Egress
Client-A-flow-1             Ethernet 1
  Up    | Up   | Client-A-classifier-50M-     Ethernet 3
Client-A-flow-2             Ethernet 3
  Up    | Up   | Client-A-classifier2-50M     Ethernet 1</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_configure_flows_summary_detail">show configure flows summary detail</h3>
<div class="listingblock">
<div class="content">
<pre>Name : Client-A-flow-1
Type :
Admin Status : Up
Operational Status : Up
Service Name : Client-A-Service-50M-ETH
Test : Off
Classifier : Client-A-classifier-50M
Ingress Port : Ethernet 1
Egress Port : Ethernet 3
Name : Client-A-flow-2
Type :
Admin Status : Up
Operational Status : Up
Service Name : Client-A-Service-50M-ETH
Test : Off
Classifier : Client-A-classifier2-50M
Policer : S.50M_NEW
Ingress Port : Ethernet 3
Egress Port : Ethernet 1</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_config_reporting_brief_alarm_log">show config reporting brief-alarm-log</h3>
<div class="listingblock">
<div class="content">
<pre>Last Acknowledge On : -- --
                          Critical   Major   Minor
Total               :     0          22      0
Since Ack           :     0          22      0
Source                Name                   Last Raised    Last Cleared   Total Times
  Severity                                                                 Since Ack
System                pm_process_disabled    2020-02-10     --             1
  Major                                      11:15:00.07    --             1
Station Clock Port 1  los                    2020-01-21     --             1
  Major                                      02:34:08.07    --             1
Domain 1              station_clock_unlock   2020-01-21     --             1
  Major                                      02:33:24.07    --             1
Ethernet 1/1          los                    2020-01-21     2020-01-21     1
  Major                                      02:34:09.07    02:34:09.09    1
Ethernet 1/2          los                    2020-01-21     --             1
  Major                                      02:34:07.07    --             1</pre>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_resources">Resources</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://yurisk.info/2020/01/13/MRV-Optiswitch-OS904-OS906-OS912-debug-and-diagnostic-commands/">MRV Optiswitch OS904 OS906 OS912 debug and diagnostic commands</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>Curl examples cookbook2020-03-13T11:59:25+00:002020-06-07T11:11:00+02:00Yuri Slobodyanyuktag:yurisk.info,2020-03-13:/2020/03/13/curl-cookbook/<p>Last updated: 19 December 2020<br>
<a href="#ee19">Get coronavirus/Covid-19 statistics for your country, real-time or historical</a><br>
<a href="#ee0">Force curl not to show the progress bar</a><br>
<a href="#ee1">Download a web page via GET request setting Chrome version 74 as the User-Agent.</a> <br>
<a href="#ee2">Download a web page via GET request setting Googlebot version 2.1 as the User-Agent</a> <br>
<a href="#ee3">Download a page via https ignoring certificate errors</a> <br>
<a href="#ee4">Download a page using SOCKS5 proxy listening on 127.0.0.1 port 10443</a> <br>
<a href="#ee5">Download a page using SOCKS5 proxy listening on 127.0.0.1 port 10443 and use remote host to resolve the hostname</a> <br>
<a href="#ee6">Download a page and report time spent in every step starting with resolving</a> <br>
<a href="#ee27">Resolve IP address to the owner's Autonomous System Number by sending POST query with form fields to the Team Cymru whois server</a><br>
<a href="#ee7">Make sure Curl follows redirections (<code>Location:</code>) automatically, also using the correct <code>Referer</code> on each redirection</a> <br>
<a href="#ee8">Send GET request with digest authentication</a> <br>
<a href="#ee9">Download a remote file only if it's newer than the local copy</a> <br>
<a href="#ee10">Enable support for compressed encoding in response, as the real browser would do</a> <br>
<a href="#ee11">Verify CORS functionality of a website</a> <br>
<a href="#ee12">Convert Curl command into ready to be compiled C source file</a> <br>
<a href="#ee13">Display just the HTTP response code</a> <br>
<a href="#ee25">Get a page using specific version of HTTP protocol</a> <br>
<a href="#ee14">Download file with SCP protocol</a> <br>
<a href="#ee15">Get external IP address of the machine where the curl is installed</a><br>
<a href="#ee16">Send e-mail via SMTP</a> <br>
<a href="#ee17">Make curl resolve a hostname to the custom IP address you specify without modifying hosts file or using DNS server hacks</a><br>
<a href="#ee18">Show how many redirects were followed fetching the URL</a> <br>
<a href="#ee20">Use your browser to prepare the complete curl command via "copy as curl" feature</a><br>
<a href="#ee21">Test if a website supports the given cipher suite, e.g. obsolete sslv3</a><br>
<a href="#ee22">Fetch multiple pages with predictable pattern in their URLs</a><br>
<a href="#ee23">How to prevent errors on URLs that contain brackets</a><br>
<a href="#ee24">Github: list names of all public repositories for a given user</a><br>
<a href="#ee26">Display weather report for a given city</a> <br>
<a href="#ee30">Check if your Fortigate firewall is vulnerable to CVE-2018-13379</a> </p>
<p><a name="ee19"></a> </p>
<h3>Get coronavirus/Covid-19 statistics for your country, real-time or historical</h3>
<p>Add your country code after the slash, e.g. for Israel "il". </p>
<div class="highlight"><pre><span></span><code>$ curl -L -s covid19.trackercli.com/il
╔══════════════════════════════════════════════════════════════════════╗
║ COVID-19 Tracker CLI v3.1.0 - Israel Update ║
╟──────────────────────────────────────────────────────────────────────╢
║ As of <span class="m">4</span>/6/2020, <span class="m">6</span>:55:12 AM <span class="o">[</span>Date:4/6/2020<span class="o">]</span> ║
╟─────────────╤──────────────╤───────────╤─────────────╤───────────────╢
║ Cases │ Deaths │ Recovered │ Active │ Cases/Million ║
╟─────────────┼──────────────┼───────────┼─────────────┼───────────────╢
║ <span class="m">8</span>,611 │ <span class="m">51</span> │ <span class="m">585</span> │ <span class="m">7</span>,975 │ <span class="m">995</span> ║
╟─────────────┼──────────────┼───────────┼─────────────┼───────────────╢
║ Today Cases │ Today Deaths │ Critical │ Mortality % │ Recovery % ║
╟─────────────┼──────────────┼───────────┼─────────────┼───────────────╢
║ <span class="m">181</span> │ <span class="m">2</span> │ <span class="m">141</span> │ <span class="m">0</span>.59 │ <span class="m">6</span>.79 ║
╟─────────────╧──────────────╧───────────╧─────────────╧───────────────╢
║ Source: https://www.worldometers.info/coronavirus/ ║
╟──────────────────────────────────────────────────────────────────────╢
║ Code: https://github.com/warengonzaga/covid19-tracker-cli ║
╚══════════════════════════════════════════════════════════════════════╝
</code></pre></div>
<p>Historical data: </p>
<div class="highlight"><pre><span></span><code>$ curl -L -s covid19.trackercli.com/history/il
</code></pre></div>
<p><a name="ee0"></a></p>
<h3>Force curl not to show the progress bar</h3>
<p>Use <code>-s</code> option to make it silent: </p>
<div class="highlight"><pre><span></span><code>curl -o index.html -s https://yurisk.info
</code></pre></div>
<hr>
<p><a name="ee1"></a></p>
<h3>Download a web page via GET request setting Chrome version 74 as the User-Agent.</h3>
<p>Use <code>-A</code> to set User-Agent. </p>
<div class="highlight"><pre><span></span><code>curl -o Index.html -A <span class="s2">"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span> http://example.com
</code></pre></div>
<p>Resources: <a href="https://developers.whatismybrowser.com/useragents/explore/" target="_blank" rel="noopener"> https://developers.whatismybrowser.com/useragents/explore/</a></p>
<hr>
<p><a name="ee2"></a></p>
<h3>Download a web page via GET request setting Googlebot version 2.1 as the User-Agent.</h3>
<div class="highlight"><pre><span></span><code>curl -o Index.html -A <span class="s2">"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"</span> http://example.com
</code></pre></div>
<hr>
<p><a name="ee3"></a></p>
<h3>Download a page via https ignoring certificate errors</h3>
<p>Add <code>-k</code> to ignore any SSL certificate warnings/errors.</p>
<div class="highlight"><pre><span></span><code>curl -k -o Index.html https://example.com
</code></pre></div>
<p><a name="ee4"></a> </p>
<h3>Download a page using SOCKS5 proxy listening on 127.0.0.1 port 10443</h3>
<div class="highlight"><pre><span></span><code>curl -x socks5://localhost:10443 https://yurisk.info
</code></pre></div>
<p><a name="ee5"></a></p>
<h3>Download a page using SOCKS5 proxy listening on 127.0.0.1 port 10443 and use remote host to resolve the hostname</h3>
<div class="highlight"><pre><span></span><code>curl -x socks5h://localhost:10443 https://yurisk.info
</code></pre></div>
<p>The idea here is to tunnel DNS requests to the remote end of the tunnel as well, for example for privacy concerns to prevent <a href="https://en.wikipedia.org/wiki/DNS_leak" target="_blank" rel="noopener">DNS leak</a>.</p>
<p><a name="ee6"></a> </p>
<h3>Download a page and report time spent in every step starting with resolving:</h3>
<p>Source: <a href="https://stackoverflow.com/questions/18215389/how-do-i-measure-request-and-response-times-at-once-using-curl" target="_blank" rel="noopener"> Stackoverflow</a></p>
<ul>
<li>Step 1: Put the parameters to write into a file called say <em>curl-params</em> (just for the convenience instead of CLI): </li>
</ul>
<div class="highlight"><pre><span></span><code> time_namelookup: %<span class="o">{</span>time_namelookup<span class="o">}</span><span class="se">\n</span>
time_connect: %<span class="o">{</span>time_connect<span class="o">}</span><span class="se">\n</span>
time_appconnect: %<span class="o">{</span>time_appconnect<span class="o">}</span><span class="se">\n</span>
time_pretransfer: %<span class="o">{</span>time_pretransfer<span class="o">}</span><span class="se">\n</span>
time_redirect: %<span class="o">{</span>time_redirect<span class="o">}</span><span class="se">\n</span>
time_starttransfer: %<span class="o">{</span>time_starttransfer<span class="o">}</span><span class="se">\n</span>
----------<span class="se">\n</span>
time_total: %<span class="o">{</span>time_total<span class="o">}</span><span class="se">\n</span>
</code></pre></div>
<ul>
<li>Step 2: Run the curl supplying this file <em>curl-params</em>:</li>
</ul>
<div class="highlight"><pre><span></span><code>curl -w <span class="s2">"@curl-params"</span> -o /dev/null -s https://example.com
</code></pre></div>
<div class="highlight"><pre><span></span><code> time_namelookup: <span class="m">0</span>.062
time_connect: <span class="m">0</span>.062
time_appconnect: <span class="m">0</span>.239
time_pretransfer: <span class="m">0</span>.239
time_redirect: <span class="m">0</span>.000
time_starttransfer: <span class="m">0</span>.240
----------
time_total: <span class="m">0</span>.241
</code></pre></div>
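<p>The <code>time_*</code> variables are all measured from the start of the request, so the numbers a practitioner actually wants (how long DNS, the TCP handshake, the TLS handshake and the server's own think time each took) are differences between neighbouring timers. The script below is an added example and not part of the original post; it assumes <code>curl</code> is on the PATH and uses the figures printed above as a constructed sample input.</p>

```shell
#!/bin/sh
# Added example (not from the original post): turn curl's cumulative -w
# timers into per-phase durations. Every time_* variable counts from the
# start of the request, so a phase is the difference of two neighbours.

# Input: one line "namelookup connect appconnect pretransfer starttransfer total"
# Output: one line "dns=.. tcp=.. tls=.. ttfb=.. body=.." in seconds
phase_deltas() {
  # Fields: 1=namelookup 2=connect 3=appconnect 4=pretransfer 5=starttransfer 6=total
  printf '%s\n' "$1" | awk '{
    printf "dns=%.3f tcp=%.3f tls=%.3f ttfb=%.3f body=%.3f\n",
      $1, $2 - $1, $3 - $2, $5 - $4, $6 - $5 }'
}

# Name of the phase that took longest (dns, tcp, tls, ttfb or body);
# handy as the thing to alert on from a monitoring check.
slowest_phase() {
  phase_deltas "$1" | tr ' ' '\n' | sort -t= -k2 -rn | head -n 1 | cut -d= -f1
}

# Live measurement (needs network): ask curl for the six timers on one line
# and hand them to phase_deltas. The response body goes to /dev/null.
measure_url() {
  phase_deltas "$(curl -s -o /dev/null \
    -w '%{time_namelookup} %{time_connect} %{time_appconnect} %{time_pretransfer} %{time_starttransfer} %{time_total}' \
    "$1")"
}

# Constructed sample input: the numbers printed by the run shown above.
SAMPLE='0.062 0.062 0.239 0.239 0.240 0.241'
phase_deltas "$SAMPLE"    # dns=0.062 tcp=0.000 tls=0.177 ttfb=0.001 body=0.001
slowest_phase "$SAMPLE"   # tls
```

<p>On the sample the TLS handshake dominates (0.177 s of 0.241 s total) while the server answered in about a millisecond, which is the kind of split you cannot read directly off the cumulative values.</p>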
<p><a name="ee27"></a><br>
<a href="#ee27">Resolve IP address to the owner's Autonomous System Number by sending POST query with form fields to the Team Cymru whois server</a> <br>
When sending any POST data with form fields, the first task is to get all the fields. The easiest way to do it is to browse to the page, fill the form, open the HTML code and write down fields and their values. I did it for the page at <a href="https://asn.cymru.com/" target=_blank rel="noopener">https://asn.cymru.com/</a> and noted 5 fields to fill with values, the field to place IP address to query for is <code>bulk_paste</code>. In curl you specify field values with <code>-F 'name=value'</code> option:</p>
<div class="highlight"><pre><span></span><code>curl -s -X POST -F <span class="s1">'action=do_whois'</span> -F <span class="s1">'family=ipv4'</span> -F <span class="s1">'method_whois=whois'</span> -F <span class="s1">'bulk_paste=35.1.33.192'</span> -F <span class="s1">'submit_paste=Submit'</span> https://asn.cymru.com/cgi-bin/whois.cgi <span class="p">|</span> grep <span class="s2">"|"</span>
</code></pre></div>
<p>Output: </p>
<div class="highlight"><pre><span></span><code><PRE>AS <span class="p">|</span> IP <span class="p">|</span> AS Name
<span class="m">36375</span> <span class="p">|</span> <span class="m">35</span>.1.33.192 <span class="p">|</span> UMICH-AS-5, US
</code></pre></div>
<p>Resources: <a href="https://ec.haxx.se/http/http-post" target=_blank rel="noopener">https://ec.haxx.se/http/http-post</a></p>
<p><a name="ee7"></a> </p>
<h3>Make sure Curl follows redirections (<code>Location:</code>) automatically, using the correct <code>Referer</code> on each redirection</h3>
<div class="highlight"><pre><span></span><code>curl -L -e <span class="s1">';auto'</span> -o index.html https://example.com
</code></pre></div>
<p>NOTE: All the downloaded pages will be appended to the same output file, here <em>index.html</em>. </p>
<p><a name="ee8"></a> </p>
<h3>Send GET request with digest authentication</h3>
<div class="highlight"><pre><span></span><code>curl --digest http://user:pass@example.com/login
</code></pre></div>
<p><a name="ee9"></a></p>
<h3>Download a remote file only if it's newer than the local copy</h3>
<div class="highlight"><pre><span></span><code>curl -z index.html -o index.html https://example.com/index.html
</code></pre></div>
<p>NOTE: the comparison is by timestamp only, based on the modification time of the local file (here <em>index.html</em>); no content hashing or any other comparison takes place.</p>
<p><a name="ee10"></a> </p>
<h3>Enable support for compressed encoding in response, as a real browser would do</h3>
<div class="highlight"><pre><span></span><code>curl -compressed -o w3.css https://yurisk.info/theme/css/w3.css
</code></pre></div>
<p>Note: this option causes curl to send <code>Accept-Encoding: gzip</code> in the request.</p>
<p><a name="ee11"></a></p>
<h3>Verify CORS functionality of a website</h3>
<div class="highlight"><pre><span></span><code>curl -H <span class="s2">"Access-Control-Request-Method: GET"</span> -H <span class="s2">"Origin: http://localhost"</span> --head https://yurisk.info/2020/03/05/fortiweb-cookbook-content-routing-based-on-url-in-request-configuration/pic1.png
</code></pre></div>
<p>Output:</p>
<div class="highlight"><pre><span></span><code>Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
</code></pre></div>
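<p>A bare <code>*</code> as in the output above is only one of several answers a server can give, and the risky case (the server echoing back whatever <code>Origin</code> it received, together with <code>Access-Control-Allow-Credentials: true</code>) looks harmless in a single response unless you know which origin you sent. The script below is an added example, not part of the original post: <code>cors_verdict</code> classifies a response header block for a given origin, and <code>cors_probe</code> (network needed, assumes <code>curl</code> on the PATH) sends a made-up origin under the reserved <code>.invalid</code> TLD so that an "allowed" verdict can only mean reflection. The sample header blocks are constructed, not captured.</p>

```shell
#!/bin/sh
# Added example (not from the original post): classify the CORS policy a
# server returns for a given Origin, from the raw response headers that
# curl --head (or -D -) prints.

# cors_verdict ORIGIN HEADERS -> one of:
#   closed                   no Access-Control-Allow-Origin header at all
#   public                   "*": any site may read, but browsers refuse to
#                            combine it with credentials (cookies)
#   allowed                  our origin is echoed back, no credentials
#   allowed-with-credentials our origin echoed back AND credentials allowed:
#                            fine for an allow-list, dangerous if the server
#                            reflects whatever Origin it receives
#   other-origin             header present but names a different origin
cors_verdict() {
  origin=$1
  headers=$(printf '%s\n' "$2" | tr -d '\r')        # strip CRLF line ends
  # Match the header name case-insensitively, then cut "Name: " off the line
  # so values containing ":" (http://...) survive intact.
  allow_origin=$(printf '%s\n' "$headers" |
    awk 'index(tolower($0), "access-control-allow-origin:") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }')
  allow_creds=$(printf '%s\n' "$headers" |
    awk 'index(tolower($0), "access-control-allow-credentials:") == 1 { sub(/^[^:]*:[ \t]*/, ""); print tolower($0); exit }')
  if [ -z "$allow_origin" ]; then
    echo closed
  elif [ "$allow_origin" = '*' ]; then
    echo public
  elif [ "$allow_origin" = "$origin" ] && [ "$allow_creds" = true ]; then
    echo allowed-with-credentials
  elif [ "$allow_origin" = "$origin" ]; then
    echo allowed
  else
    echo other-origin
  fi
}

# Live check (needs network): send a made-up origin. ".invalid" is a reserved
# TLD that can never belong to a real site, so "allowed" here means the
# server reflects arbitrary origins instead of checking an allow-list.
cors_probe() {
  probe_origin='https://cors-probe.invalid'
  cors_verdict "$probe_origin" "$(curl -s --head \
    -H "Origin: $probe_origin" -H 'Access-Control-Request-Method: GET' "$1")"
}

# Constructed sample responses (not captured from a real server).
PUBLIC_HDRS='HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET'
REFLECT_HDRS='HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://localhost
Access-Control-Allow-Credentials: true
Vary: Origin'
CLOSED_HDRS='HTTP/1.1 200 OK
Content-Type: image/png'

cors_verdict 'http://localhost' "$PUBLIC_HDRS"    # public
cors_verdict 'http://localhost' "$REFLECT_HDRS"   # allowed-with-credentials
cors_verdict 'http://localhost' "$CLOSED_HDRS"    # closed
```

<p>Run <code>cors_probe https://example.com/some/asset</code> against your own sites; a <code>public</code> verdict for static assets (as the picture above) is normal, while <code>allowed-with-credentials</code> for the probe origin means any site can read authenticated responses and should be fixed on the server.</p>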
<p><a name="ee12"></a></p>
<h3>Convert Curl command into ready to be compiled C source file</h3>
<div class="highlight"><pre><span></span><code>curl -o index.html https://yurisk.info --libcurl index.c
</code></pre></div>
<p>The output file index.c will contain the source code to implement the same command using Curl C library:</p>
<div class="highlight"><pre><span></span><code><span class="cm">/********* Sample code generated by the curl command line tool **********</span>
<span class="cm"> * All curl_easy_setopt() options are documented at:</span>
<span class="cm"> * https://curl.haxx.se/libcurl/c/curl_easy_setopt.html</span>
<span class="cm"> ************************************************************************/</span><span class="w"></span>
<span class="cp">#include</span><span class="w"> </span><span class="cpf"><curl/curl.h></span><span class="cp"></span>
<span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">argc</span><span class="p">,</span><span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">argv</span><span class="p">[])</span><span class="w"></span>
<span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">CURLcode</span><span class="w"> </span><span class="n">ret</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="n">CURL</span><span class="w"> </span><span class="o">*</span><span class="n">hnd</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="n">hnd</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">curl_easy_init</span><span class="p">();</span><span class="w"></span>
<span class="w"> </span><span class="n">curl_easy_setopt</span><span class="p">(</span><span class="n">hnd</span><span class="p">,</span><span class="w"> </span><span class="n">CURLOPT_BUFFERSIZE</span><span class="p">,</span><span class="w"> </span><span class="mf">102400L</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="n">curl_easy_setopt</span><span class="p">(</span><span class="n">hnd</span><span class="p">,</span><span class="w"> </span><span class="n">CURLOPT_URL</span><span class="p">,</span><span class="w"> </span><span class="s">"https://yurisk.info"</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="n">curl_easy_setopt</span><span class="p">(</span><span class="n">hnd</span><span class="p">,</span><span class="w"> </span><span class="n">CURLOPT_USERAGENT</span><span class="p">,</span><span class="w"> </span><span class="s">"curl/7.66.0"</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="n">curl_easy_setopt</span><span class="p">(</span><span class="n">hnd</span><span class="p">,</span><span class="w"> </span><span class="n">CURLOPT_MAXREDIRS</span><span class="p">,</span><span class="w"> </span><span class="mf">50L</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="n">curl_easy_setopt</span><span class="p">(</span><span class="n">hnd</span><span class="p">,</span><span class="w"> </span><span class="n">CURLOPT_HTTP_VERSION</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">long</span><span class="p">)</span><span class="n">CURL_HTTP_VERSION_2TLS</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="n">curl_easy_setopt</span><span class="p">(</span><span class="n">hnd</span><span class="p">,</span><span class="w"> </span><span class="n">CURLOPT_SSH_KNOWNHOSTS</span><span class="p">,</span><span class="w"> </span><span class="s">"/home/yuri/.ssh/known_hosts"</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="n">curl_easy_setopt</span><span class="p">(</span><span class="n">hnd</span><span class="p">,</span><span class="w"> </span><span class="n">CURLOPT_TCP_KEEPALIVE</span><span class="p">,</span><span class="w"> </span><span class="mf">1L</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="cm">/* Here is a list of options the curl code used that cannot get generated</span>
<span class="cm"> as source easily. You may select to either not use them or implement</span>
<span class="cm"> them yourself.</span>
<span class="cm"> CURLOPT_WRITEDATA set to a objectpointer</span>
<span class="cm"> CURLOPT_INTERLEAVEDATA set to a objectpointer</span>
<span class="cm"> CURLOPT_WRITEFUNCTION set to a functionpointer</span>
<span class="cm"> CURLOPT_READDATA set to a objectpointer</span>
<span class="cm"> CURLOPT_READFUNCTION set to a functionpointer</span>
<span class="cm"> CURLOPT_SEEKDATA set to a objectpointer</span>
<span class="cm"> CURLOPT_SEEKFUNCTION set to a functionpointer</span>
<span class="cm"> CURLOPT_ERRORBUFFER set to a objectpointer</span>
<span class="cm"> CURLOPT_STDERR set to a objectpointer</span>
<span class="cm"> CURLOPT_HEADERFUNCTION set to a functionpointer</span>
<span class="cm"> CURLOPT_HEADERDATA set to a objectpointer</span>
<span class="cm"> */</span><span class="w"></span>
<span class="w"> </span><span class="n">ret</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">curl_easy_perform</span><span class="p">(</span><span class="n">hnd</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="n">curl_easy_cleanup</span><span class="p">(</span><span class="n">hnd</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="n">hnd</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nb">NULL</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="p">(</span><span class="kt">int</span><span class="p">)</span><span class="n">ret</span><span class="p">;</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
<span class="cm">/**** End of sample code ****/</span><span class="w"></span>
</code></pre></div>
<p>You can now compile it to executable, provided you have <code>libcurl</code> library and its headers installed: <code>gcc index.c -lcurl -o index</code></p>
<p><a name="ee13"></a> </p>
<h3>Display just the HTTP response code</h3>
<div class="highlight"><pre><span></span><code>curl -w <span class="s1">'%{http_code}'</span> --silent -o /dev/null https://yurisk.info
</code></pre></div>
<p>Output: </p>
<div class="highlight"><pre><span></span><code><span class="m">200</span>
</code></pre></div>
<p><a name="ee25"></a> </p>
<h3>Get a page using specific version of HTTP protocol</h3>
<div class="highlight"><pre><span></span><code> curl --http2 -s -O https://yurisk.info
</code></pre></div>
<p><a name="ee14"></a> </p>
<h3>Download file with SCP protocol</h3>
<div class="highlight"><pre><span></span><code> curl scp://99.23.5.18:/root/pdf.pdf -o pdf.pdf -u root
</code></pre></div>
<p>Note: curl checks the <code>~/.ssh/known_hosts</code> file to verify the authenticity of the remote server. If the remote server is not already in <code>known_hosts</code>, curl refuses to connect. To avoid this, connect to the remote server with the ssh client first; that adds its host key to the known hosts. Also, curl must be compiled with support for the <code>libssh2</code> library.</p>
<p><a name="ee15"></a> </p>
<h3>Get external IP address of the machine where the curl is installed</h3>
<div class="highlight"><pre><span></span><code> curl -s http://whatismyip.akamai.com/
<span class="m">87</span>.123.255.103
</code></pre></div>
<p><a name="ee16"></a> </p>
<h3>Send e-mail via SMTP</h3>
<p>First, put the message body and From/To/Subject fields in a file: </p>
<div class="highlight"><pre><span></span><code><span class="c1"># cat message.txt</span>
From: Joe Dow &lt;joedow@example.com&gt;
To: Yuri &lt;yuri@yurisk.info&gt;
Subject: Testing curl SMTP sending
Hi, curl can now send e-mails as well!
</code></pre></div>
<p>Now, send the e-mail using the created file and setting e-mail envelope on the CLI:</p>
<div class="highlight"><pre><span></span><code>curl -v smtp://aspmx.l.google.com/smtp.example.com --mail-from Joedow@example.com --mail-rcpt yuri@yurisk.info --upload-file message.txt
</code></pre></div>
<p>Here:<br>
<code>aspmx.l.google.com</code> - the mail server for the recipient domain (<code>curl</code> does NOT look for the MX record itself).<br>
<code>smtp.example.com</code> (Optional) - domain the <code>curl</code> will use in greeting the mail server (HELO/EHLO).<br>
<code>--mail-from</code> - sender address set in the envelope.<br>
<code>--mail-rcpt</code> - recipient for the mail set in the envelope.</p>
<p>NOTE: the mail sending is subject to all the anti-spam checks of the receiving mail server, so I recommend running this with the <code>-v</code> option set to see what is going on in real time.</p>
<p><a name="ee17"></a></p>
<h3>Make curl resolve a hostname to the custom IP address you specify without modifying hosts file or using DNS server hacks</h3>
<p>Useful for testing a local copy of a website.<br>
Problem: You want curl to reach a website "example.com" at IP address 127.0.0.1 without changing local <code>hosts</code> file or setting up fake DNS server.<br>
Solution: Use <code>--resolve</code> to specify IP address for a hostname, so curl uses it without querying real DNS servers.</p>
<div class="highlight"><pre><span></span><code>curl -v --resolve <span class="s2">"example.com:80:127.0.0.1"</span> http://example.com
</code></pre></div>
<div class="highlight"><pre><span></span><code>* Added example.com:80:127.0.0.1 to DNS cache
* Hostname example.com was found <span class="k">in</span> DNS cache
* Trying <span class="m">127</span>.0.0.1:80...
* Connected to example.com <span class="o">(</span><span class="m">127</span>.0.0.1<span class="o">)</span> port <span class="m">80</span> <span class="o">(</span><span class="c1">#0)</span>
> GET / HTTP/1.1
> Host: example.com
> User-Agent: curl/7.67.0
> Accept: */*
</code></pre></div>
<p><a name="ee18"></a></p>
<h3>Show how many redirects were followed fetching the URL</h3>
<p>Use <code>num_redirects</code> variable for that: </p>
<div class="highlight"><pre><span></span><code> curl -w <span class="s1">'%{num_redirects}'</span> -L -o /dev/null https://cnn.com -s
<span class="m">2</span>
</code></pre></div>
<p><a name="ee20"></a> </p>
<h3>Use your browser to prepare the complete curl command via "copy as curl" feature</h3>
<p>We can use a regular browser to prepare the complete curl command by just browsing to the target site. For that:<br>
1. Open Developer Tools - <strong>F12</strong> (works in Chrome and Firefox)<br>
2. Browse to the target site/page.<br>
3. In the "Network" tab of the Developer Tools find the item you want to GET with curl, right click on it, find menu "Copy as cURL", click on it - this copies to the clipboard ready-to-run curl command to that asset.</p>
<p><a name="ee21"></a> </p>
<h3>Test if a website supports the given cipher suite, e.g. obsolete sslv3 &amp; DES</h3>
<p>Helps to monitor servers for obsolete or not yet widely supported cipher suites.
Check if site supports sslv3 (old and dangerously broken): </p>
<div class="highlight"><pre><span></span><code>curl -k https://yurisk.info:443 -v --sslv3
</code></pre></div>
<p>Output: </p>
<div class="highlight"><pre><span></span><code>curl: <span class="o">(</span><span class="m">35</span><span class="o">)</span> error:1408F10B:SSL routines:ssl3_get_record:wrong version number
</code></pre></div>
<p>Check if the newest (experimental as of 2020) TLS v1.3 is enabled: </p>
<div class="highlight"><pre><span></span><code>curl -k https://yurisk.info:443 -v --tlsv1.3
</code></pre></div>
<p>Output: </p>
<div class="highlight"><pre><span></span><code>* OpenSSL SSL_connect: SSL_ERROR_ZERO_RETURN <span class="k">in</span> connection to yurisk.info:443
* Marked <span class="k">for</span> <span class="o">[</span>closure<span class="o">]</span>: Failed HTTPS connection
</code></pre></div>
<p>Check if a site supports the easily breakable DES algorithm. Note that the error 59 shown below is raised by curl's own TLS library when it cannot set the requested cipher list, so in that case the server was never contacted; only a completed handshake, or one the server rejected, says anything about the site: </p>
<div class="highlight"><pre><span></span><code>curl -k -o /dev/null https://yurisk.info:443 --ciphers DES
</code></pre></div>
<p>Output: </p>
<div class="highlight"><pre><span></span><code>curl: <span class="o">(</span><span class="m">59</span><span class="o">)</span> failed setting cipher list: DES
</code></pre></div>
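<p>Checking one protocol version at a time needs a detail the commands above do not show: <code>--tlsv1.2</code> and its siblings only set the minimum version, so curl may happily negotiate TLS 1.3 instead. The script below is an added example, not part of the original post; it pairs each <code>--tlsvX</code> with <code>--tls-max X</code> to force a single version per handshake, maps curl's exit status to a verdict (the exit code 59 seen above is a local failure, not an answer from the server) and flags servers that still accept TLS 1.0 or 1.1. It assumes <code>curl</code> is on the PATH and built with TLS 1.3 support.</p>

```shell
#!/bin/sh
# Added example (not from the original post): probe which TLS protocol
# versions a server accepts and explain curl's exit status for each probe.
# --tlsv1.X on its own only sets the MINIMUM version, so --tls-max 1.X is
# added to force exactly one version per handshake.

# Map curl's exit status from a single-version probe to a verdict.
tls_verdict() {
  case "$1" in
    0)  echo 'accepted' ;;
    # The certificate is checked after the version is negotiated, so a
    # verification failure still proves the server speaks this version.
    60) echo 'accepted (certificate failed verification)' ;;
    35) echo 'rejected (handshake failed)' ;;
    # 59 and 4 are local problems: the cipher list or protocol option is not
    # available in this curl build, so nothing is known about the server.
    59) echo 'unknown (cipher list not available locally)' ;;
    4)  echo 'unknown (option not built into this curl)' ;;
    *)  echo "error $1" ;;
  esac
}

# Live probe (needs network): one handshake per version, body discarded.
# Output: one "TLS <version>: <verdict>" line per version.
tls_matrix() {
  host=$1
  for v in 1.0 1.1 1.2 1.3; do
    if curl -s -o /dev/null --tlsv"$v" --tls-max "$v" "https://$host/" 2>/dev/null; then
      rc=0
    else
      rc=$?
    fi
    echo "TLS $v: $(tls_verdict "$rc")"
  done
}

# Policy check over a finished matrix: succeeds (exit 0) when a deprecated
# version (1.0 or 1.1) is still accepted, so it can drive an alert.
deprecated_tls_open() {
  printf '%s\n' "$1" | grep -E '^TLS 1\.[01]: accepted' >/dev/null
}

# Usage (needs network):
#   matrix=$(tls_matrix yurisk.info); echo "$matrix"
#   deprecated_tls_open "$matrix" && echo 'ALERT: TLS 1.0/1.1 still enabled'
```

<p>Because <code>-k</code> is deliberately left out, a host with a broken certificate shows up as "accepted (certificate failed verification)" rather than being silently treated as healthy; the version question and the certificate question stay separate.</p>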
<p><a name="ee22"></a></p>
<h3>Fetch multiple pages with predictable pattern in their URLs</h3>
<p>If a website has a repeating pattern in naming its resources, we can use <strong>URL globbing</strong>. curl understands ranges <code>[start-end]</code> and lists <code>{item1,item2,...}</code>. Ranges can be numeric or alphabetic and are inclusive, i.e. <code>[0-100]</code> starts at 0 and goes up to and including 100. Ranges optionally accept a step/increment value: <code>[10-100:2]</code>, here 2 is added on each step. Ranges and lists can both be used in the same URL. <br>
<em>Output files</em>: curl remembers the matched glob patterns, and we can refer to them with <code>-o</code> to specify custom output filenames.</p>
<ol>
<li>Fetch all pages in https://yurisk.info/category/checkpoint-ngngx<em>NNN</em>.html where <em>NNN</em> goes from 2 to 9. Pay attention to the single quotes: on the Bash command line the range <code>[]</code> and list <code>{}</code> operators would otherwise be interpreted by Bash itself instead of by curl.</li>
</ol>
<div class="highlight"><pre><span></span><code>curl -s -O <span class="s1">'https://yurisk.info/category/checkpoint-ngngx[2-9].html'</span>
</code></pre></div>
<p>Output directory: </p>
<div class="highlight"><pre><span></span><code>ls
checkpoint-ngngx2.html
checkpoint-ngngx3.html
checkpoint-ngngx4.html
checkpoint-ngngx5.html
checkpoint-ngngx6.html
checkpoint-ngngx7.html
checkpoint-ngngx8.html
checkpoint-ngngx9.html
</code></pre></div>
<ol start="2">
<li>Fetch all pages <em>cisco.html,fortinet.html,linux.html,checkpoint-ngngx.html</em> inside the <em>category</em> folder: </li>
</ol>
<div class="highlight"><pre><span></span><code> curl -O <span class="s1">'https://yurisk.info/category/{cisco,fortinet,linux,checkpoint-ngngx}.html'</span>
</code></pre></div>
<p>Output: </p>
<div class="highlight"><pre><span></span><code>ls -1 *.html
checkpoint-ngngx.html
cisco.html
fortinet.html
linux.html
</code></pre></div>
<ol start="3">
<li>Download pages with alphabetical ranges.</li>
</ol>
<div class="highlight"><pre><span></span><code>curl-O -s https://yurisk.info/test<span class="o">[</span>a-z<span class="o">]</span>
</code></pre></div>
<p><a name="ee23"></a> </p>
<h3>How to prevent errors on URLs that contain brackets</h3>
<p>If curl uses brackets (square and curly) for ranges (<a href="#ee22">see above</a>), how do we work with URLs containing such symbols? By using the <code>-g</code> option, which turns off globbing. It also means we can't use ranges with URLs that contain brackets.</p>
<div class="highlight"><pre><span></span><code>curl -g https://example.com/<span class="o">{</span>ids<span class="o">}</span>?site<span class="o">=</span>example.gov
</code></pre></div>
<p><a name="ee24"></a> </p>
<h3>Github: list names of all public repositories for a given user</h3>
<p>To query the user's repositories, the URL should have the form of <code>https://api.github.com/users/&lt;username&gt;/repos</code>. For example, let's get all the repositories for the <code>curl</code> project:</p>
<div class="highlight"><pre><span></span><code> curl -s https://api.github.com/users/curl/repos <span class="p">|</span> awk <span class="s1">'/\wname/'</span>
</code></pre></div>
<p>Output: </p>
<div class="highlight"><pre><span></span><code> <span class="s2">"full_name"</span>: <span class="s2">"curl/build-images"</span>,
<span class="s2">"full_name"</span>: <span class="s2">"curl/curl"</span>,
<span class="s2">"full_name"</span>: <span class="s2">"curl/curl-cheat-sheet"</span>,
<span class="s2">"full_name"</span>: <span class="s2">"curl/curl-docker"</span>,
<span class="s2">"full_name"</span>: <span class="s2">"curl/curl-for-win"</span>,
<span class="s2">"full_name"</span>: <span class="s2">"curl/curl-fuzzer"</span>,
<span class="s2">"full_name"</span>: <span class="s2">"curl/curl-up"</span>,
<span class="s2">"full_name"</span>: <span class="s2">"curl/curl-www"</span>,
<span class="s2">"full_name"</span>: <span class="s2">"curl/doh"</span>,
<span class="s2">"full_name"</span>: <span class="s2">"curl/fcurl"</span>,
<span class="s2">"full_name"</span>: <span class="s2">"curl/h2c"</span>,
<span class="s2">"full_name"</span>: <span class="s2">"curl/stats"</span>,
</code></pre></div>
<p><em>Note:</em> Github imposes rate limits on unauthenticated requests, currently 60 requests/hour at most. You can check how many queries are left with the <em>X-Ratelimit-Remaining</em> header:</p>
<div class="highlight"><pre><span></span><code> curl -s -i https://api.github.com/users/curl/repos <span class="p">|</span> grep X-Ratelimit-Remaining
X-Ratelimit-Remaining: <span class="m">54</span>
</code></pre></div>
<p><a name="ee26"></a> </p>
<h3>Display weather report for a given city</h3>
<p>There are many websites to query for weather information on the CLI, most popular seems to be wttr.in, so let's use it to get the weather in Milan: </p>
<div class="highlight"><pre><span></span><code> curl wttr.in/Milan
</code></pre></div>
<p>Output:</p>
<div class="highlight"><pre><span></span><code>Weather report: Milan
<span class="se">\ </span> / Partly cloudy
_ /<span class="s2">""</span>.-. <span class="m">17</span> °C
<span class="se">\_</span><span class="o">(</span> <span class="o">)</span>. ↓ <span class="m">6</span> km/h
/<span class="o">(</span>___<span class="o">(</span>__<span class="o">)</span> <span class="m">10</span> km
<span class="m">0</span>.0 mm
┌─────────────┐
┌──────────────────────────────┬───────────────────────┤ Mon <span class="m">04</span> May ├───────────────────────┬──────────────────────────────┐
│ Morning │ Noon └──────┬──────┘ Evening │ Night │
├──────────────────────────────┼──────────────────────────────┼──────────────────────────────┼──────────────────────────────┤
│ .-. Light rain │ .-. Light rain │ Overcast │ Cloudy │
│ <span class="o">(</span> <span class="o">)</span>. <span class="m">17</span> °C │ <span class="o">(</span> <span class="o">)</span>. <span class="m">18</span> °C │ .--. <span class="m">17</span> °C │ .--. <span class="m">12</span> °C │
│ <span class="o">(</span>___<span class="o">(</span>__<span class="o">)</span> ↖ <span class="m">26</span>-36 km/h │ <span class="o">(</span>___<span class="o">(</span>__<span class="o">)</span> ↖ <span class="m">20</span>-28 km/h │ .-<span class="o">(</span> <span class="o">)</span>. ↗ <span class="m">15</span>-24 km/h │ .-<span class="o">(</span> <span class="o">)</span>. ↗ <span class="m">13</span>-21 km/h │
│ ‘ ‘ ‘ ‘ <span class="m">9</span> km │ ‘ ‘ ‘ ‘ <span class="m">9</span> km │ <span class="o">(</span>___.__<span class="o">)</span>__<span class="o">)</span> <span class="m">10</span> km │ <span class="o">(</span>___.__<span class="o">)</span>__<span class="o">)</span> <span class="m">10</span> km │
│ ‘ ‘ ‘ ‘ <span class="m">1</span>.4 mm <span class="p">|</span> <span class="m">66</span>% │ ‘ ‘ ‘ ‘ <span class="m">1</span>.9 mm <span class="p">|</span> <span class="m">65</span>% │ <span class="m">0</span>.0 mm <span class="p">|</span> <span class="m">0</span>% │ <span class="m">0</span>.0 mm <span class="p">|</span> <span class="m">0</span>% │
└──────────────────────────────┴──────────────────────────────┴──────────────────────────────┴──────────────────────────────┘
┌─────────────┐
┌──────────────────────────────┬───────────────────────┤ Tue <span class="m">05</span> May ├───────────────────────┬──────────────────────────────┐
│ Morning │ Noon └──────┬──────┘ Evening │ Night │
├──────────────────────────────┼──────────────────────────────┼──────────────────────────────┼──────────────────────────────┤
│ <span class="se">\ </span> / Partly cloudy │ <span class="se">\ </span> / Partly cloudy │ <span class="se">\ </span> / Partly cloudy │ Overcast │
│ _ /<span class="s2">""</span>.-. <span class="m">19</span> °C │ _ /<span class="s2">""</span>.-. <span class="m">20</span> °C │ _ /<span class="s2">""</span>.-. <span class="m">20</span> °C │ .--. <span class="m">19</span> °C │
│ <span class="se">\_</span><span class="o">(</span> <span class="o">)</span>. ↘ <span class="m">9</span>-14 km/h │ <span class="se">\_</span><span class="o">(</span> <span class="o">)</span>. ↙ <span class="m">9</span>-13 km/h │ <span class="se">\_</span><span class="o">(</span> <span class="o">)</span>. ↙ <span class="m">14</span>-21 km/h │ .-<span class="o">(</span> <span class="o">)</span>. ↙ <span class="m">23</span>-34 km/h │
│ /<span class="o">(</span>___<span class="o">(</span>__<span class="o">)</span> <span class="m">10</span> km │ /<span class="o">(</span>___<span class="o">(</span>__<span class="o">)</span> <span class="m">10</span> km │ /<span class="o">(</span>___<span class="o">(</span>__<span class="o">)</span> <span class="m">10</span> km │ <span class="o">(</span>___.__<span class="o">)</span>__<span class="o">)</span> <span class="m">10</span> km │
│ <span class="m">0</span>.0 mm <span class="p">|</span> <span class="m">0</span>% │ <span class="m">0</span>.0 mm <span class="p">|</span> <span class="m">0</span>% │ <span class="m">0</span>.0 mm <span class="p">|</span> <span class="m">0</span>% │ <span class="m">0</span>.0 mm <span class="p">|</span> <span class="m">0</span>% │
└──────────────────────────────┴──────────────────────────────┴──────────────────────────────┴──────────────────────────────┘
</code></pre></div>
<p><a name="ee30"></a></p>
<h3>Check if your Fortigate firewall is vulnerable to CVE-2018-13379</h3>
<p>This vulnerability allows stealing SSL VPN credentials from the Fortigate cache.
Here the Fortigate IP is 192.168.18.31 and SSL VPN listens on the default port of 10443:</p>
<div class="highlight"><pre><span></span><code>curl -k https://192.168.18.31:10443//remote/fgt_lang?lang<span class="o">=</span>/../../../..//////////dev/cmdb/sslvpn_websession --output -
</code></pre></div>
<p>If you see VPN credentials in the output, then this Fortigate is indeed vulnerable and you should update its firmware ASAP and reset all local users' passwords. More info: <a href="https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2018-13379" target="_blank" rel="noopener">https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2018-13379</a></p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
Fortiweb Cookbook: content routing based on URL configuration example 2020-03-05T10:59:25+00:00 Yuri Slobodyanyuk tag:yurisk.info,2020-03-05:/2020/03/05/fortiweb-cookbook-content-routing-based-on-url-in-request-configuration/
<p>I wrote this step-by-step walkthrough as an answer on forum.fortinet.com, here: <a href="https://forum.fortinet.com/FindPost/183028">https://forum.fortinet.com/FindPost/183028</a>. This example uses Fortiweb 6.2.2, but the configuration is valid at least starting with 5.x. </p>
<p><strong>Problem</strong>: You want to route user requests according to the URL they are trying to access. When a user enters http://example.com/server1 you want her to be routed to server1 (10.10.10.10) on port 22. And when she enters http://example.com/server2, you want her to reach server2 (10.10.10.15) on port 3030.</p>
<p><strong>Solution</strong>: Create an HTTP Content Routing policy with 2 rules, each using a regex to match the URL in the HTTP request and route it to the appropriate server pool.</p>
<p>Now the configuration:</p>
<ol>
<li>Create usual VIP representing the external IP of the domain example.com, here it is 15.15.15.15:</li>
</ol>
<p><img alt="create VIP for external IP" src="/assets/pic1.png"></p>
<ol start="2">
<li>Create a Virtual Server using the above VIP:</li>
</ol>
<p><img alt="virtual server" src="/assets/pic2.png"></p>
<ol start="3">
<li>Create 2 physical servers, one for each server in the farm, using ports 22 and 3030 respectively; here server1 is 10.10.10.10 port 22 and server2 is 10.10.10.15 port 3030:</li>
</ol>
<p><img alt="physical servers" src="/assets/pic3.png"></p>
<p><img alt="physical servers 2" src="/assets/pic4.png"></p>
<ol start="4">
<li>Now, on to the HTTP Content Routing. Here we define the parameters by which requests are routed to different servers. To do so we create 2 policies: the first matching “server1” in the URL (and routing to server1 10.10.10.10 by selecting it in the Server Pool menu), and the second matching “server2”:</li>
</ol>
<p><img alt="Content routing match rules" src="/assets/pic5.png"></p>
<p><img alt="Content routing3" src="/assets/pic6.png"></p>
<p>And for the 2nd server:</p>
<p><img alt="Content routing3" src="/assets/pic7.png"></p>
<p><img alt="Content routing3" src="/assets/pic8.png"></p>
<ol start="5">
<li>Finally, we tie all this together in a Server Policy of type HTTP Content Routing:</li>
</ol>
<p><img alt="Content routing3" src="/assets/pic9.png"></p>
<p>The CLI commands of the above configuration are:</p>
<div class="highlight"><pre><span></span><code><span class="n">config</span><span class="w"> </span><span class="n">server</span><span class="o">-</span><span class="n">policy</span><span class="w"> </span><span class="n">vserver</span><span class="w"></span>
<span class="w"> </span><span class="n">edit</span><span class="w"> </span><span class="s">"forum-fortinet-vserver"</span><span class="w"></span>
<span class="w"> </span><span class="n">config</span><span class="w"> </span><span class="n">vip</span><span class="o">-</span><span class="n">list</span><span class="w"></span>
<span class="w"> </span><span class="n">edit</span><span class="w"> </span><span class="mh">1</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">vip</span><span class="w"> </span><span class="n">forum</span><span class="o">-</span><span class="n">ftnt</span><span class="o">-</span><span class="n">VIP</span><span class="w"></span>
<span class="w"> </span><span class="n">next</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"></span>
<span class="w"> </span><span class="n">next</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"></span>
<span class="n">config</span><span class="w"> </span><span class="n">server</span><span class="o">-</span><span class="n">policy</span><span class="w"> </span><span class="n">server</span><span class="o">-</span><span class="n">pool</span><span class="w"></span>
<span class="w"> </span><span class="n">edit</span><span class="w"> </span><span class="s">"forum-ftnt-srv1"</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">flag</span><span class="w"> </span><span class="mh">1</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">server</span><span class="o">-</span><span class="n">pool</span><span class="o">-</span><span class="n">id</span><span class="w"> </span><span class="mh">6459952352137344822</span><span class="w"></span>
<span class="w"> </span><span class="n">config</span><span class="w"> </span><span class="n">pserver</span><span class="o">-</span><span class="n">list</span><span class="w"></span>
<span class="w"> </span><span class="n">edit</span><span class="w"> </span><span class="mh">1</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">ip</span><span class="w"> </span><span class="mf">10.10.10.10</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">port</span><span class="w"> </span><span class="mh">22</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">server</span><span class="o">-</span><span class="n">id</span><span class="w"> </span><span class="mh">383198561119413223</span><span class="w"></span>
<span class="w"> </span><span class="n">next</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"></span>
<span class="w"> </span><span class="n">next</span><span class="w"></span>
<span class="w"> </span><span class="n">edit</span><span class="w"> </span><span class="s">"forum-ftnt-srv2"</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">flag</span><span class="w"> </span><span class="mh">1</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">server</span><span class="o">-</span><span class="n">pool</span><span class="o">-</span><span class="n">id</span><span class="w"> </span><span class="mh">2056232527958881701</span><span class="w"></span>
<span class="w"> </span><span class="n">config</span><span class="w"> </span><span class="n">pserver</span><span class="o">-</span><span class="n">list</span><span class="w"></span>
<span class="w"> </span><span class="n">edit</span><span class="w"> </span><span class="mh">1</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">ip</span><span class="w"> </span><span class="mf">10.10.10.15</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">port</span><span class="w"> </span><span class="mh">3030</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">server</span><span class="o">-</span><span class="n">id</span><span class="w"> </span><span class="mh">15928736989441525913</span><span class="w"></span>
<span class="w"> </span><span class="n">next</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"></span>
<span class="w"> </span><span class="n">next</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"></span>
<span class="w"> </span><span class="n">config</span><span class="w"> </span><span class="n">server</span><span class="o">-</span><span class="n">policy</span><span class="w"> </span><span class="n">http</span><span class="o">-</span><span class="n">content</span><span class="o">-</span><span class="n">routing</span><span class="o">-</span><span class="n">policy</span><span class="w"></span>
<span class="w"> </span><span class="n">edit</span><span class="w"> </span><span class="s">"forum-ftnt-to-srv1-port22"</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">server</span><span class="o">-</span><span class="n">pool</span><span class="w"> </span><span class="n">forum</span><span class="o">-</span><span class="n">ftnt</span><span class="o">-</span><span class="n">srv1</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">http</span><span class="o">-</span><span class="n">content</span><span class="o">-</span><span class="n">routing</span><span class="o">-</span><span class="n">id</span><span class="w"> </span><span class="mh">14533533740472441776</span><span class="w"></span>
<span class="w"> </span><span class="n">config</span><span class="w"> </span><span class="n">content</span><span class="o">-</span><span class="n">routing</span><span class="o">-</span><span class="n">match</span><span class="o">-</span><span class="n">list</span><span class="w"></span>
<span class="w"> </span><span class="n">edit</span><span class="w"> </span><span class="mh">1</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">match</span><span class="o">-</span><span class="n">object</span><span class="w"> </span><span class="n">http</span><span class="o">-</span><span class="n">request</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">match</span><span class="o">-</span><span class="n">condition</span><span class="w"> </span><span class="n">match</span><span class="o">-</span><span class="kt">reg</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">match</span><span class="o">-</span><span class="n">expression</span><span class="w"> </span><span class="n">server1</span><span class="w"></span>
<span class="w"> </span><span class="n">next</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"></span>
<span class="w"> </span><span class="n">next</span><span class="w"></span>
<span class="w"> </span><span class="n">edit</span><span class="w"> </span><span class="s">"forum-ftnt-to-srv2-port3030"</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">server</span><span class="o">-</span><span class="n">pool</span><span class="w"> </span><span class="n">forum</span><span class="o">-</span><span class="n">ftnt</span><span class="o">-</span><span class="n">srv2</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">http</span><span class="o">-</span><span class="n">content</span><span class="o">-</span><span class="n">routing</span><span class="o">-</span><span class="n">id</span><span class="w"> </span><span class="mh">9634759790203390436</span><span class="w"></span>
<span class="w"> </span><span class="n">config</span><span class="w"> </span><span class="n">content</span><span class="o">-</span><span class="n">routing</span><span class="o">-</span><span class="n">match</span><span class="o">-</span><span class="n">list</span><span class="w"></span>
<span class="w"> </span><span class="n">edit</span><span class="w"> </span><span class="mh">1</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">match</span><span class="o">-</span><span class="n">object</span><span class="w"> </span><span class="n">http</span><span class="o">-</span><span class="n">request</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">match</span><span class="o">-</span><span class="n">condition</span><span class="w"> </span><span class="n">match</span><span class="o">-</span><span class="kt">reg</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">match</span><span class="o">-</span><span class="n">expression</span><span class="w"> </span><span class="n">server2</span><span class="w"></span>
<span class="w"> </span><span class="n">next</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"></span>
<span class="w"> </span><span class="n">next</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"></span>
<span class="w"> </span><span class="n">config</span><span class="w"> </span><span class="n">server</span><span class="o">-</span><span class="n">policy</span><span class="w"> </span><span class="n">policy</span><span class="w"></span>
<span class="w"> </span><span class="n">edit</span><span class="w"> </span><span class="s">"forum-ftnt-tosrv1-srv2"</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">deployment</span><span class="o">-</span><span class="n">mode</span><span class="w"> </span><span class="n">http</span><span class="o">-</span><span class="n">content</span><span class="o">-</span><span class="n">routing</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">vserver</span><span class="w"> </span><span class="n">forum</span><span class="o">-</span><span class="n">fortinet</span><span class="o">-</span><span class="n">vserver</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="n">HTTP</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">replacemsg</span><span class="w"> </span><span class="n">Predefined</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">policy</span><span class="o">-</span><span class="n">id</span><span class="w"> </span><span class="mh">12611187490543522760</span><span class="w"></span>
<span class="w"> </span><span class="n">config</span><span class="w"> </span><span class="n">http</span><span class="o">-</span><span class="n">content</span><span class="o">-</span><span class="n">routing</span><span class="o">-</span><span class="n">list</span><span class="w"></span>
<span class="w"> </span><span class="n">edit</span><span class="w"> </span><span class="mh">1</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">content</span><span class="o">-</span><span class="n">routing</span><span class="o">-</span><span class="n">policy</span><span class="o">-</span><span class="n">name</span><span class="w"> </span><span class="n">forum</span><span class="o">-</span><span class="n">ftnt</span><span class="o">-</span><span class="n">to</span><span class="o">-</span><span class="n">srv1</span><span class="o">-</span><span class="n">port22</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">profile</span><span class="o">-</span><span class="n">inherit</span><span class="w"> </span><span class="n">enable</span><span class="w"></span>
<span class="w"> </span><span class="n">next</span><span class="w"></span>
<span class="w"> </span><span class="n">edit</span><span class="w"> </span><span class="mh">2</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">content</span><span class="o">-</span><span class="n">routing</span><span class="o">-</span><span class="n">policy</span><span class="o">-</span><span class="n">name</span><span class="w"> </span><span class="n">forum</span><span class="o">-</span><span class="n">ftnt</span><span class="o">-</span><span class="n">to</span><span class="o">-</span><span class="n">srv2</span><span class="o">-</span><span class="n">port3030</span><span class="w"></span>
<span class="w"> </span><span class="n">set</span><span class="w"> </span><span class="n">profile</span><span class="o">-</span><span class="n">inherit</span><span class="w"> </span><span class="n">enable</span><span class="w"></span>
<span class="w"> </span><span class="n">next</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"></span>
<span class="w"> </span><span class="n">next</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"></span>
</code></pre></div>
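<p>The routing decision from steps 4 and 5, as an added Python model (not part of the original post and not FortiWeb's code): it evaluates the two match-reg rules against sample request targets, shows that the unanchored expressions “server1” and “server2” can both match a single URL, so that only the list order decides where it goes, and shows the anchored form that removes the ambiguity. Assumptions: match-reg is an unanchored regex search over the request path and query string, the first matching entry of the http-content-routing-list wins, and the sample request targets are constructed.</p>

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ContentRoute:
    """One entry of a FortiWeb http-content-routing-policy, as in the CLI above."""
    name: str
    expression: str          # set match-expression (a regex)
    pool: str                # set server-pool
    backend: tuple           # (ip, port) of the pool's single pserver


# The two policies from this walkthrough, in the order they appear in the
# server policy's http-content-routing-list.
ROUTES = [
    ContentRoute("forum-ftnt-to-srv1-port22", "server1",
                 "forum-ftnt-srv1", ("10.10.10.10", 22)),
    ContentRoute("forum-ftnt-to-srv2-port3030", "server2",
                 "forum-ftnt-srv2", ("10.10.10.15", 3030)),
]

# Constructed sample request targets (path plus query string).
SAMPLE_REQUESTS = ["/server1", "/server2/app", "/server2?next=server1", "/other"]


def matching_routes(request_target, routes=ROUTES):
    """All routes whose regex matches the request target.
    Assumption (not taken from the article): match-condition match-reg is an
    unanchored regex search over the request path and query string."""
    return [r for r in routes if re.search(r.expression, request_target)]


def route(request_target, routes=ROUTES):
    """First-match decision: the (ip, port) to forward to, or None when no
    rule matches. Assumes FortiWeb takes the first matching list entry."""
    hits = matching_routes(request_target, routes)
    return hits[0].backend if hits else None


def audit(requests, routes=ROUTES):
    """Flag requests that match more than one rule (the outcome then depends
    only on list order) and requests that match no rule at all."""
    report = {"ambiguous": {}, "unmatched": []}
    for target in requests:
        hits = [r.name for r in matching_routes(target, routes)]
        if len(hits) > 1:
            report["ambiguous"][target] = hits
        elif not hits:
            report["unmatched"].append(target)
    return report


def anchored(routes=ROUTES):
    """The same routes with each expression anchored to the path prefix the
    article intends: '/server1' followed by end of string, '/' or '?'."""
    return [ContentRoute(r.name, rf"^/{r.expression}(?:$|[/?])", r.pool, r.backend)
            for r in routes]


if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        print(f"{target:28} -> {route(target)}")
    print("unanchored:", audit(SAMPLE_REQUESTS))
    print("anchored:  ", audit(SAMPLE_REQUESTS, anchored()))
```

<p>With the unanchored rules, /server2?next=server1 is sent to server1 on port 22 simply because that rule is first in the list; the anchored rules route it to server2.</p>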
Fortigate - enable e-mail as a two-factor authentication for a user and increase token timeout2020-03-01T11:59:25+00:002020-03-01T11:59:25+00:00Yuri Slobodyanyuktag:yurisk.info,2020-03-01:/2020/03/01/fortigate-enable-e-mail-as-mfa-and-increase-token-validity-time/<p>I'll say outright that FortiToken (be it a mobile app or a physical token) is the most secure and preferable way today for multi-factor authentication. The other two, SMS message and e-mail message, are vulnerable to many attacks, including the not so technically sophisticated SIM swapping. But sometimes a less secure method is better than none. There are two catches with using e-mail as MFA on Fortigate though: </p>
<ul>
<li>It is not available in the GUI until you turn it on at the CLI.</li>
<li>E-mails tend to get delayed sometimes, and the default validity time for any Fortigate-produced token code (SMS, e-mail, FortiToken) is 60 seconds. If the user doesn't enter the token code within 60 seconds of it being issued, the code becomes invalid. This is usually not a problem, but recently I had to enable e-mail MFA for a client's branch in a remote location where substantial e-mail delays are the norm. So, optionally, below you can find how to increase the default timeout.</li>
</ul>
<ol>
<li>Enable the e-mail option as MFA for a user:</li>
</ol>
<div class="highlight"><pre><span></span><code><span class="n">config</span><span class="w"> </span><span class="k">user</span><span class="w"> </span><span class="k">local</span><span class="w"></span>
<span class="w"> </span><span class="n">edit</span><span class="w"> </span><span class="ss">"Carmen"</span><span class="w"></span>
<span class="w"> </span><span class="k">set</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="n">password</span><span class="w"></span>
<span class="w"> </span><span class="k">set</span><span class="w"> </span><span class="n">two</span><span class="o">-</span><span class="n">factor</span><span class="w"> </span><span class="n">email</span><span class="w"></span>
<span class="w"> </span><span class="k">set</span><span class="w"> </span><span class="n">email</span><span class="o">-</span><span class="k">to</span><span class="w"> </span><span class="ss">"carmen@nasa.gov"</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="k">end</span><span class="w"></span>
</code></pre></div>
<ol start="2">
<li>(Optional) Increase the token code validity from 1 to 2 minutes:</li>
</ol>
<div class="highlight"><pre><span></span><code>FG2 # config system global
FG2 (global) # set two-factor-email-expiry ?
two-factor-email-expiry Enter an integer value from <30> to <300> (default = <60>).
FG2 (global) # set two-factor-email-expiry 120
</code></pre></div>
<p>Additionally, we have to increase the default time of 5 seconds that the Fortigate waits between asking for the one-time code and the user entering it. This setting, btw, sets the authentication timeout for ANY remote server authentication - LDAP, RADIUS, etc.</p>
<div class="highlight"><pre><span></span><code>config sys global
set remoteauthtimeout <1-300>
</code></pre></div>
<p>The default is 5 seconds.</p>
<p>Now the option for e-mail as 2-factor authentication appears in GUI:</p>
<p><img alt="pic 1" src="email-two-factor.png"></p>
<p>And if not set already, of course, configure the mail server that the Fortigate will use to relay the mails carrying the
OTP:</p>
<div class="highlight"><pre><span></span><code><span class="n">config</span><span class="w"> </span><span class="n">sys</span><span class="w"> </span><span class="n">email</span><span class="o">-</span><span class="n">server</span><span class="w"></span>
<span class="w"> </span><span class="k">set</span><span class="w"> </span><span class="n">reply</span><span class="o">-</span><span class="k">to</span><span class="w"> </span><span class="n">fgt1800F</span><span class="nv">@mydomain</span><span class="p">.</span><span class="n">com</span><span class="w"></span>
<span class="w"> </span><span class="k">set</span><span class="w"> </span><span class="n">server</span><span class="w"> </span><span class="mf">3.3.3.3</span><span class="w"></span>
<span class="k">end</span><span class="w"></span>
</code></pre></div>
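<p>As an added example (not the article's own code and not a Fortinet tool), a small Python audit that parses a FortiOS configuration backup and reports which local users rely on e-mail as the second factor and whether the two timers this article says to raise are still at their defaults. Assumptions: the defaults are the 60 seconds and 5 seconds quoted above, a local user without <code>set two-factor</code> has no second factor, and the sample configuration is constructed to mirror the CLI snippets in this post.</p>

```python
import shlex

# Constructed sample of a FortiOS configuration backup covering the objects
# this article touches; the values mirror the CLI snippets above.
SAMPLE_CONFIG = """
config system global
    set two-factor-email-expiry 120
end
config user local
    edit "Carmen"
        set type password
        set two-factor email
        set email-to "carmen@nasa.gov"
    next
    edit "Bob"
        set type password
    next
end
config system email-server
    set reply-to fgt1800F@mydomain.com
    set server 3.3.3.3
end
"""

# FortiOS defaults as quoted in the article.
DEFAULT_EMAIL_EXPIRY = 60
DEFAULT_REMOTEAUTHTIMEOUT = 5


def parse_fortios_config(text):
    """Turn the config/edit/set/next/end nesting into nested dicts, e.g.
    cfg["user local"]["Carmen"]["two-factor"] == "email"."""
    root = {}
    stack = []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)          # strips the quotes around names/values
        cmd, args = words[0], words[1:]
        if cmd in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif cmd == "set" and len(args) >= 2:
            cur[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end") and stack:
            cur = stack.pop()
    return root


def email_mfa_audit(cfg):
    """Report who uses e-mail as the second factor and whether the timers the
    article says to raise are still at their defaults."""
    glob = cfg.get("system global", {})
    expiry = int(glob.get("two-factor-email-expiry", DEFAULT_EMAIL_EXPIRY))
    timeout = int(glob.get("remoteauthtimeout", DEFAULT_REMOTEAUTHTIMEOUT))
    users = cfg.get("user local", {})
    email_users = {name: u.get("email-to") for name, u in users.items()
                   if u.get("two-factor") == "email"}
    # Assumption: a local user without 'set two-factor' has no second factor.
    no_mfa = [name for name, u in users.items()
              if u.get("two-factor", "disable") == "disable"]
    warnings = []
    if email_users:
        if expiry <= DEFAULT_EMAIL_EXPIRY:
            warnings.append("two-factor-email-expiry-at-default")
        if timeout <= DEFAULT_REMOTEAUTHTIMEOUT:
            warnings.append("remoteauthtimeout-at-default")
        if "server" not in cfg.get("system email-server", {}):
            warnings.append("email-server-not-configured")
        for name, addr in email_users.items():
            if not addr:
                warnings.append(f"no-email-to-for-{name}")
    return {
        "email_mfa_users": email_users,
        "users_without_mfa": no_mfa,
        "two_factor_email_expiry": expiry,
        "remoteauthtimeout": timeout,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in email_mfa_audit(parse_fortios_config(SAMPLE_CONFIG)).items():
        print(f"{key}: {value}")
```

<p>On the sample, the expiry has been raised to 120 seconds but remoteauthtimeout is still at the 5-second default, which is exactly the case the paragraph above warns about.</p>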
Fortigate CLI command alias to create shortcuts and save time2020-02-10T12:18:03+00:002020-02-10T12:18:03+00:00Yuri Slobodyanyuktag:yurisk.info,2020-02-10:/2020/02/10/fortigate-command-alias-to-save-time-on-cli/<p>Fortigate CLI commands can be long, like really long. And it is no fun to get an error running a command of 6 words because of a typo!
The solution to this is simple - <strong>command aliases</strong>. Coming from the Cisco world I got used to creating command aliases as a way to save time typing, which, multiplied by the hundreds of devices I have access to, saves a lot of time. Saving time typing is the reason I don't use Putty but instead invested in myself and bought SecureCRT by VanDyke. I once calculated what CLI automation saves me - the whole 4 hours of work monthly!<br>
So let's get back to the Fortigate. It has a command alias capability that lets us configure a shortcut for a full-syntax CLI command and save it in the configuration. Fortigate aliases have some limitations and features; here is the list: </p>
<ul>
<li>Aliases are available on Fortigate only, i.e. no Fortiweb/FortiManager/etc. (pity) </li>
<li>Configured aliases are saved in the configuration and so survive reboots and upgrades (good) </li>
<li>Aliases are available at the top level only. That is, once we are inside a configuration subtree there are no aliases for us. E.g. we can set/use aliases for commands run at the # prompt, but once we enter, say, interface configuration, no aliases are available (bad, but read on) </li>
<li>Commands in aliases are not limited in the depth of the configuration subtree. It means that while they have to start at the top level, they don't have to end there. E.g. we can create an alias that combines commands like <code>config system interface</code> <code>edit port1</code> <code>set status disable</code> in one alias (good) </li>
<li>An alias can combine multiple commands run in sequence (good) </li>
<li>An alias can NOT accept arguments. If we have an alias <code>shint</code> for <code>show system interface</code>, we cannot add an interface name to it as an argument when running it: <code>alias shint port1</code> will report an error (bad) </li>
<li>To use an alias you type the word <code>alias</code> before it (see the examples below).</li>
</ul>
<p>To configure an alias we use the <code>config system alias</code> command; here are some aliases I use:</p>
<div class="highlight"><pre><span></span><code><span class="nv">config</span><span class="w"> </span><span class="nv">system</span><span class="w"> </span><span class="nv">alias</span><span class="w"></span>
<span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="s2">"rt"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">command</span><span class="w"> </span><span class="s2">"get router info routing all"</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="s2">"rt6"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">command</span><span class="w"> </span><span class="s2">"get router info6 routing-table"</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="s2">"gip"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">command</span><span class="w"> </span><span class="s2">"get router info protocols"</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="k">end</span><span class="w"></span>
</code></pre></div>
<p>E.g. to get routing table: </p>
<p><code># alias rt</code> </p>
<div class="highlight"><pre><span></span><code><span class="nv">Routing</span><span class="w"> </span><span class="nv">table</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">VRF</span><span class="o">=</span><span class="mi">0</span><span class="w"></span>
<span class="nv">Codes</span>:<span class="w"> </span><span class="nv">K</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">kernel</span>,<span class="w"> </span><span class="nv">C</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">connected</span>,<span class="w"> </span><span class="nv">S</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">static</span>,<span class="w"> </span><span class="nv">R</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">RIP</span>,<span class="w"> </span><span class="nv">B</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">BGP</span><span class="w"></span>
<span class="w"> </span><span class="nv">O</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">OSPF</span>,<span class="w"> </span><span class="nv">IA</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">OSPF</span><span class="w"> </span><span class="nv">inter</span><span class="w"> </span><span class="nv">area</span><span class="w"></span>
<span class="w"> </span><span class="nv">N1</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">OSPF</span><span class="w"> </span><span class="nv">NSSA</span><span class="w"> </span><span class="nv">external</span><span class="w"> </span><span class="nv">type</span><span class="w"> </span><span class="mi">1</span>,<span class="w"> </span><span class="nv">N2</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">OSPF</span><span class="w"> </span><span class="nv">NSSA</span><span class="w"> </span><span class="nv">external</span><span class="w"> </span><span class="nv">type</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="w"> </span><span class="nv">E1</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">OSPF</span><span class="w"> </span><span class="nv">external</span><span class="w"> </span><span class="nv">type</span><span class="w"> </span><span class="mi">1</span>,<span class="w"> </span><span class="nv">E2</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">OSPF</span><span class="w"> </span><span class="nv">external</span><span class="w"> </span><span class="nv">type</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="w"> </span><span class="nv">i</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">IS</span><span class="o">-</span><span class="nv">IS</span>,<span class="w"> </span><span class="nv">L1</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">IS</span><span class="o">-</span><span class="nv">IS</span><span class="w"> </span><span class="nv">level</span><span class="o">-</span><span class="mi">1</span>,<span class="w"> </span><span class="nv">L2</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">IS</span><span class="o">-</span><span class="nv">IS</span><span class="w"> </span><span class="nv">level</span><span class="o">-</span><span class="mi">2</span>,<span class="w"> </span><span class="nv">ia</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">IS</span><span class="o">-</span><span class="nv">IS</span><span class="w"> </span><span class="nv">inter</span><span class="w"> </span><span class="nv">area</span><span class="w"></span>
<span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">candidate</span><span class="w"> </span><span class="nv">default</span><span class="w"></span>
<span class="nv">S</span><span class="o">*</span><span class="w"> </span><span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="w"> </span>[<span class="mi">10</span><span class="o">/</span><span class="mi">0</span>]<span class="w"> </span><span class="nv">via</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">13</span>.<span class="mi">1</span>,<span class="w"> </span><span class="nv">port1</span><span class="w"></span>
<span class="nv">C</span><span class="w"> </span><span class="mi">10</span>.<span class="mi">10</span>.<span class="mi">17</span>.<span class="mi">0</span><span class="o">/</span><span class="mi">24</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="nv">directly</span><span class="w"> </span><span class="nv">connected</span>,<span class="w"> </span><span class="nv">port3</span><span class="w"></span>
<span class="nv">C</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">13</span>.<span class="mi">0</span><span class="o">/</span><span class="mi">24</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="nv">directly</span><span class="w"> </span><span class="nv">connected</span>,<span class="w"> </span><span class="nv">port1</span><span class="w"></span>
</code></pre></div>
What GEO location database Fortinet products are using?2020-02-09T12:18:03+00:002020-02-09T12:18:03+00:00Yuri Slobodyanyuktag:yurisk.info,2020-02-09:/2020/02/09/what-geo-location-database-fortinet-are-using/<p>This is the easiest question I have been asked about the Fortigate/FortiWeb/etc.
The GEO location database provider for all the Fortinet products has been the same for many years - it is <a href="https://www.maxmind.com/en/home" target="_blank" rel="noopener">Maxmind.com</a>. </p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Fortigate has iperf client for traffic testing built in, here are all the details2020-01-24T12:18:03+00:002020-01-24T12:18:03+00:00Yuri Slobodyanyuktag:yurisk.info,2020-01-24:/2020/01/24/fortigate-iperf-traffic-test-built-in-client-cli/<p>Starting with FortiOS 5.x, Fortinet has included a built-in <strong>iperf3</strong> client in the Fortigate so we can load test connected lines. If you are new to iperf, read more at <a href="https://iperf.fr" target="_blank" rel="noopener">iperf.fr</a>. <br>
iperf in the Fortigate comes with some limitations and quirks, so let's have a closer look at them:<br>
- The version of <strong>iperf</strong> used (in 5.x and 6.x firmware so far) is 3.0.9. This means it will not work with iperf2 or any of its subversions.<br>
- The tool works as a CLIENT only, i.e. it does not accept the <strong>-s</strong> option. This means we can NOT run an iperf test between 2 Fortigates; one of the peers has to be a Linux/Windows server with <strong>iperf3 -s</strong> running. It does NOT mean we can test in only one direction, though: the command accepts the <strong>-R</strong> option for reverse traffic.<br>
- As you will see below, the command asks for Client and Server interfaces. The Server interface is the Fortigate interface behind which the remote server is located. The Client interface means ... I guess where the client is located. For WAN testing I set it to the same interface as the server-facing one. <br>
- The tool accepts most of the command line options of a regular <strong>iperf3</strong>, except those mentioned already. <br>
- In a Fortigate with VDOMs enabled, <strong>iperf</strong> is available in the Global context only, i.e. outside of any VDOM.</p>
<p>So let's configure and run the test.<br>
The default configuration is shown below; it would run an iperf test of the throughput between 2 interfaces of the Fortigate itself, which is not very interesting: </p>
<p><strong>diagnose traffictest show</strong> shows the current configuration: </p>
<div class="highlight"><pre><span></span><code>server-intf: port1
client-intf: port3
port: 162
proto: TCP
</code></pre></div>
<p>To run the test, let's set the port to 5201, the protocol to TCP and the client interface to port1 (the Server interface is already set to port1 by default): </p>
<p><strong>diagnose traffictest port</strong> 5201<br>
<strong>diagnose traffictest proto</strong> 0 <code>NOTE: 1 is for UDP and 0 is for TCP.</code> <br>
<strong>diagnose traffictest client-intf</strong> port1 </p>
<p>We are ready to run the iperf test. On the remote server 199.23.6.18 I have <strong>iperf3 -s</strong> running. <br>
So, on the Fortigate I run: </p>
<p><strong>diagnose traffictest run -c 199.23.6.18</strong>: </p>
<div class="highlight"><pre><span></span><code>Connecting to host 199.23.6.18, port 5201
[ 5] local 172.31.44.106 port 50670 connected to 199.23.6.18 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 24.8 MBytes 208 Mbits/sec 271 2.22 MBytes
[ 5] 1.00-2.00 sec 39.9 MBytes 335 Mbits/sec 5 1.03 MBytes
[ 5] 2.00-3.00 sec 14.7 MBytes 123 Mbits/sec 131 619 KBytes
[ 5] 3.00-4.00 sec 12.3 MBytes 103 Mbits/sec 1 594 KBytes
[ 5] 4.00-5.00 sec 8.02 MBytes 67.2 Mbits/sec 1 361 KBytes
[ 5] 5.00-6.00 sec 7.83 MBytes 65.7 Mbits/sec 0 385 KBytes
[ 5] 6.00-7.00 sec 7.83 MBytes 65.7 Mbits/sec 0 397 KBytes
[ 5] 7.00-8.00 sec 7.83 MBytes 65.7 Mbits/sec 0 403 KBytes
[ 5] 8.00-9.00 sec 7.83 MBytes 65.7 Mbits/sec 0 404 KBytes
[ 5] 9.00-10.00 sec 7.83 MBytes 65.7 Mbits/sec 0 419 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 139 MBytes 116 Mbits/sec 409 sender
[ 5] 0.00-10.00 sec 137 MBytes 115 Mbits/sec receiver
</code></pre></div>
<p>Now let's run a load test using UDP with a bandwidth of 50 Mb/sec.<br>
<strong>dia traffic protocol 1</strong> <code>NOTE: this is not strictly needed if we use -u below, but why not ...</code><br>
<strong>dia traffic run -c 199.23.6.18 -u -b 50M</strong></p>
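<p>When the test is driven from a script (for instance over SSH), the text output above has to be summarised before it is useful. The following is an added example, not part of this post or of FortiOS: it parses the interval and summary lines of the TCP run shown above and checks the achieved rate against an expected line rate, where the sample output is constructed from that run and the 100 Mbit/sec expected rate is an assumption.</p>

```python
import re
from dataclasses import dataclass
from statistics import mean

# Constructed sample: the TCP run shown in the post, in the text format that
# "diagnose traffictest run" (iperf 3.0.9 client) prints on the Fortigate CLI.
SAMPLE_OUTPUT = """\
Connecting to host 199.23.6.18, port 5201
[  5] local 172.31.44.106 port 50670 connected to 199.23.6.18 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  24.8 MBytes   208 Mbits/sec  271   2.22 MBytes
[  5]   1.00-2.00   sec  39.9 MBytes   335 Mbits/sec    5   1.03 MBytes
[  5]   2.00-3.00   sec  14.7 MBytes   123 Mbits/sec  131    619 KBytes
[  5]   3.00-4.00   sec  12.3 MBytes   103 Mbits/sec    1    594 KBytes
[  5]   4.00-5.00   sec  8.02 MBytes  67.2 Mbits/sec    1    361 KBytes
[  5]   5.00-6.00   sec  7.83 MBytes  65.7 Mbits/sec    0    385 KBytes
[  5]   6.00-7.00   sec  7.83 MBytes  65.7 Mbits/sec    0    397 KBytes
[  5]   7.00-8.00   sec  7.83 MBytes  65.7 Mbits/sec    0    403 KBytes
[  5]   8.00-9.00   sec  7.83 MBytes  65.7 Mbits/sec    0    404 KBytes
[  5]   9.00-10.00  sec  7.83 MBytes  65.7 Mbits/sec    0    419 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   139 MBytes   116 Mbits/sec  409             sender
[  5]   0.00-10.00  sec   137 MBytes   115 Mbits/sec                  receiver
"""

# One iperf3 result line, e.g. "[ 5] 0.00-1.00 sec 24.8 MBytes 208 Mbits/sec 271 2.22 MBytes".
# The Retr column is absent on the receiver summary, so it is optional. On UDP runs
# the column after the bitrate is the datagram count, so only trust it for TCP tests.
LINE_RE = re.compile(
    r"^\[\s*\d+\]\s+(?P<start>[\d.]+)-(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG]?Bytes)\s+"
    r"(?P<rate>[\d.]+)\s+(?P<runit>[KMG]?bits)/sec"
    r"(?:\s+(?P<retr>\d+))?"
)

# Scale factors to megabits / megabytes; "M" maps to 1.0 so printed values stay exact.
MEGA = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}


@dataclass
class Sample:
    start: float
    end: float
    mbytes: float   # data transferred in the interval
    mbits: float    # bitrate in Mbits/sec
    retr: int       # TCP retransmits (0 when iperf printed none)


def parse_traffictest(text):
    """Split iperf3 client output into per-interval samples and the
    sender/receiver summary lines (dict keyed "sender" / "receiver")."""
    intervals, summary = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = Sample(float(m["start"]), float(m["end"]),
                   float(m["xfer"]) * MEGA[m["xunit"][:-5]],
                   float(m["rate"]) * MEGA[m["runit"][:-4]],
                   int(m["retr"] or 0))
        role = line.split()[-1]
        if role in ("sender", "receiver"):
            summary[role] = s
        else:
            intervals.append(s)
    return intervals, summary


def assess(intervals, summary, expected_mbits):
    """Summarise a run against the rate the line is supposed to deliver.
    The receiver-side summary is the real achieved rate: the sender-side
    number still counts bytes that had to be retransmitted."""
    rates = [s.mbits for s in intervals]
    achieved = summary["receiver"].mbits if "receiver" in summary else mean(rates)
    return {
        "avg_mbits": round(mean(rates), 1),
        "min_mbits": min(rates),
        "max_mbits": max(rates),
        "retransmits": sum(s.retr for s in intervals),
        "achieved_mbits": achieved,
        "meets_expected": achieved >= expected_mbits,
        # a 2x swing between the best and worst second points at congestion or shaping
        "unstable": max(rates) > 2 * min(rates),
    }


if __name__ == "__main__":
    iv, sm = parse_traffictest(SAMPLE_OUTPUT)
    # 100 Mbit/sec is an assumed contracted line rate, not a value from the post
    for key, value in assess(iv, sm, expected_mbits=100).items():
        print(f"{key:>15}: {value}")
```

On the run above the per-interval retransmits add up to the 409 reported on the sender summary line, and the 2x swing between the first and the last seconds is what makes the result worth a second look rather than a pass.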
<p>To see all the available options of the Fortigate version of iperf3, run:<br>
<strong>dia traffictest run -h</strong> </p>
<div class="highlight"><pre><span></span><code>FG1 # dia traffictest run -h
  -f, --format    [kmgKMG]   format to report: Kbits, Mbits, KBytes, MBytes
  -i, --interval  #          seconds between periodic bandwidth reports
  -F, --file name            xmit/recv the specified file
  -A, --affinity n/n,m       set CPU affinity
  -V, --verbose              more detailed output
  -J, --json                 output in JSON format
  -d, --debug                emit debugging output
  -v, --version              show version information and quit
  -h, --help                 show this message and quit
  -b, --bandwidth #[KMG][/#] target bandwidth in bits/sec (0 for unlimited)
                             (default 1 Mbit/sec for UDP, unlimited for TCP)
                             (optional slash and packet count for burst mode)
  -t, --time      #          time in seconds to transmit for (default 10 secs)
  -n, --bytes     #[KMG]     number of bytes to transmit (instead of -t)
  -k, --blockcount #[KMG]    number of blocks (packets) to transmit (instead of -t or -n)
  -l, --len       #[KMG]     length of buffer to read or write
                             (default 128 KB for TCP, 8 KB for UDP)
  -P, --parallel  #          number of parallel client streams to run
  -R, --reverse              run in reverse mode (server sends, client receives)
  -w, --window    #[KMG]     TCP window size (socket buffer size)
  -C, --linux-congestion <algo>  set TCP congestion control algorithm (Linux only)
  -M, --set-mss   #          set TCP maximum segment size (MTU - 40 bytes)
  -N, --nodelay              set TCP no delay, disabling Nagle's Algorithm
  -4, --version4             only use IPv4
  -6, --version6             only use IPv6
  -S, --tos N                set the IP 'type of service'
  -L, --flowlabel N          set the IPv6 flow label (only supported on Linux)
  -Z, --zerocopy             use a 'zero copy' method of sending data
  -O, --omit N               omit the first n seconds
  -T, --title str            prefix every output line with this string
  --get-server-output        get results from server
[KMG] indicates options that support a K/M/G suffix for kilo-, mega-, or giga-
</code></pre></div>
<h2>Note</h2>
<p>Beware of the CPU load the <strong>iperf</strong> tool itself can cause on the Fortigate while testing. This is usually not a problem for newer models, but I've seen some quite large D series models reach almost 100% CPU during an <strong>iperf</strong> test. </p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>MRV Optiswitch OS904 OS906 OS912 debug and diagnostic commands2020-01-13T10:55:25+00:002020-01-13T10:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2020-01-13:/2020/01/13/MRV-Optiswitch-OS904-OS906-OS912-debug-and-diagnostic-commands/<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p><a href="https://en.wikipedia.org/wiki/MRV_Communications">MRV Communications</a> (acquired in 2017 by ADVA Optical Networking) is an Israeli company known for their optical network equipment, most notably their Optiswitch Carrier Ethernet Switch series. The switches (OS904, OS906G, OS912) are not available for purchase from them anymore, but if you work for a telco company, you surely still have these boxes around doing their work.</p>
</div>
<div class="paragraph">
<p>Unfortunately, with the merger and the end of sale, all the documentation disappeared as well. To help a bit, below are some debug and diagnostic commands to run on the CLI. You can still find the datasheet here: <a href="https://www.cornet-solutions.co.jp/pdf/mrv_os_900_sdb_a4_hi.pdf">www.cornet-solutions.co.jp/pdf/mrv_os_900_sdb_a4_hi.pdf</a></p>
</div>
<table class="tableblock frame-all grid-all spread">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>no cli-paging/cli-paging</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Enable/disable paging the output.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show <smth> | <include/begin/end/exclude> <search term></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Pipe the output of some <code>show</code> command, e.g. to find a specific MAC address: <code>show lt | include B1:12</code> (search terms are case sensitive). The output can also be piped to a few Linux commands, e.g. to count the number of learned/dynamic MACs: <code>show lt | grep -c "DYNAMIC"</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show run</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show the running configuration</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show port</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show port summary: state (on/off), speed, media (copper/sfp), duplex state</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show interface</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">List of logical/vlan interfaces, MAC addresses, IP address (if any)</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show port detail <em>n</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show details of the port number <em>n</em>: media type, speed/duplex configured and actual, state, shaping applied.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show port statistics <em>n</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show real-time statistics: packets/bytes received/sent, CRC and other error count</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show l2cntrl-protocol-counters</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show counters of received/transmitted Layer 2 control protocols - LACP, MSTP, RSTP, OAM.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show run ports</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show running configuration for all ports</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show port tag</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show tagging/vlans configured on each port</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show port sfp-diag <em>n</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show real-time diagnostic data for the interface: TX/RX power in dBm, voltage, temperature</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show port sfp-params</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Physical parameters of the SFP interface</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show port rate <em>portnumber</em> time <em>seconds</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show the rate of the traffic passing the interface real-time</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>monitor port statistics <em>portnumber</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show the same data as <code>show port statistics</code> but refresh every other second</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>(config)# port state disable/enable <em>portnumber</em></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Disable/enable MRV port number <code>portnumber</code> (shut/no shut in Cisco terminology). Make sure you don’t disable the port you are connected through.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>(config)# port media-select <sfp/sfp100/copper/auto/sgmii></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Manually set the type of physical interface installed in the MRV.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>(config)# port speed <10/100/1000/auto> <<em>portnumber</em>/all></strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Force a specific speed setting for a port.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show lt [port <<em>portnumber</em>> tag all]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show the MAC address table, both static and learned dynamic entries. The output also gives the timestamp when the displayed MAC address was last changed. Optionally, specify a port to show only the MACs on that port.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>(config)# clear lt</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Delete all learned MAC addresses from Learning Table.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show syslog <all/debug/info/warning/error/fatal> [<em>start-date</em>] [<em>end-date</em>]</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show logs by severity. Optional start/end dates are in the format <code>mm-dd-ff:mm:ss</code>. If remote syslog is configured in the MRV, there will be NO local logs; to verify, look in the configuration with <code>show run | i rsyslog</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>clear syslog</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Delete all local log entries.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show ver</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show the device model, hardware, fan status, OS installed, MAC address, serial number and uptime.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show time</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show the system time. Important for correlating alarms and logs.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>show cpu</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">CPU properties</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="_examples">Examples</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="_show_syslog_info">show syslog info</h3>
<div class="listingblock">
<div class="content">
<pre>Feb 16 14:04:20 sw-1 sport_srv[667]: INFO, port_tbl.c(681), - Port 3:TO_CLIENT_LAN: link changed UP->DOWN
Feb 16 14:06:13 sw-1 sport_srv[667]: INFO, port_tbl.c(681), - Port 3:TO_CLIENT_LAN: link changed DOWN->UP</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_interface">show interface</h3>
<div class="listingblock">
<div class="content">
<pre> INTERFACES TABLE
================
Name M Device IP State MAC Tag Ports
-------------------------------------------------------------------------------
vif327 * vif327 172.35.101.118/25 UP 3C:A7:2B:11:22:33 327 6
vif777 vif777 - UP 3C:A7:2B:11:22:33 777 3,5
vif277 vif277 - UP 3C:A7:2B:11:22:33 277 2,6
vif555 vif555 - UP 3C:A7:2B:11:22:33 555 4,6
agFPGA vif333 - UP 3C:A7:2B:11:22:33 333
vif0 vif0 - UP 3C:A7:2B:11:22:33 0001 1</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_port_tag">show port tag</h3>
<div class="listingblock">
<div class="content">
<pre>Value of ethertype 1 is 0x8100 (default value)
Value of ethertype 2 is 0x8100 (default value)
PORT TAG CONFIGURATION
======================
port OUTBOUND-TAGGED DEF/EFF-TAG NUM-TAGS ETHERTYPE TAGS-LIST
------------------------------------------------------------------------------
1 q-in-q 777 0 CORE1:0x8100
2 q-in-q 1151 1 CORE1:0x8100 1735
3 untagged 778 1 CORE1:0x8100 778
4 q-in-q 3069 1 CORE1:0x8100 3069
5 tagged 0 1 CORE1:0x8100 778
6 tagged 0 3 CORE1:0x8100 301,1735,3069</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_run_ports">show run ports</h3>
<div class="listingblock">
<div class="content">
<pre>port media-select sfp 5-6
port media-select copper 1-4
port description 1 TO_CLIENT_LAN
port description 2 TO_CLIENT_LAN6
port description 3 TO_CLIENT_15LAN
port speed 1000 3-4,6
port duplex full 3-4,6
port l2protocol-tunnel cdp 1,4-5
port l2protocol-tunnel dtp 1,4-5
port l2protocol-tunnel pagp 1,4-5
port l2protocol-tunnel udld 1,4-5
port l2protocol-tunnel lamp 1,4-5
port l2protocol-tunnel efm 1,4-5
port l2protocol-tunnel dot1x 1,4-5
port l2protocol-tunnel elmi 1,4-5
port l2protocol-tunnel lldp 1,4-5
port l2protocol-tunnel garp 1,4-5
port l2protocol-tunnel stp 1,4-5
port l2protocol-tunnel vtp 1,4-5
port l2protocol-tunnel lacp 1,4-5
! Flood limiting configuration
port flood-limiting rate 16m 1-2,4,6
port flood-limiting multicast 1-2,4,6
port flood-limiting broadcast 1-2,4,6
port flood-limiting tcp-syn 1-2,4,6
!
! Port shaping configuration
port ingress-shaping rate 200m burst-size 500K 1
port ingress-shaping rate 500m burst-size 500K 2
port ingress-shaping rate 200m burst-size 500K 4
port mtu-size 1 9000
port mtu-size 2 9000
port mtu-size 3 9000
port mtu-size 4 9000
port mtu-size 5 9000
port mtu-size 6 9000
!
! Port tag configuration
port tag-outbound-mode q-in-q 1 777
port tag-outbound-mode q-in-q 2 1151
port tag-outbound-mode q-in-q 4 3069
port tag-outbound-mode tagged 5-6
!
! Port access-group configuration
port acl-binding-mode by-port 1-2,4
port access-group extra MARK-GOLD 1-2</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_port_detail_1">show port detail 1</h3>
<div class="listingblock">
<div class="content">
<pre>Port 1 details:
-------------------
Description : TO_CLIENT_LAN
Type : ETH10/100/1000
Media-select mode : COPPER
Link : ON Copper (22w5d23h7m54s)
Duplex state : FULL
PHY : COMBO+100FX
Speed selected : AUTO
Actual speed : 1 Gbps
Auto-Neg Advertise : Default
Selected cross mode : AUTO
Actual cross mode : MDI-X
Bypass mode : ENABLE
State : ENABLE
Priority : 1
Ingress-shaping : rate 200m, burst-size 500K
Flow control mode : off
Ethertype : CORE1:0x8100
OutBound Tagged : q-in-q
DEI Remarking : Unsupported
UDLD Protocol : -
Flood limiting : rate 16m
Flood limiting : multicast
Flood limiting : broadcast
Flood limiting : tcp-syn</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_port_statistics_1">show port statistics 1</h3>
<div class="listingblock">
<div class="content">
<pre>PORTS STATISTICS
================
Port 1 Ethernet counters
---------------------------
Good bytes received : 21109023744
Good packets received : 229858629
Good unicast packets received : 44563
Good broadcast packets received : 189225588
Good multicast packets received : 40588478
Bytes transmitted : 24736
Packets transmitted : 184
Unicast packets transmitted : 0
Broadcast packets transmitted : 22
Multicast packets transmitted : 162
CRC or Alignment error received : 0
Undersize received : 0
Oversize received : 0
Fragments received : 0
Jabber received : 0
Collisions received and transmitted : 0
Incoming packets discarded : 0
Port 1 RMON Packet Size Distribution Counters
------------------------------------------------
- 64 Octets : 7651257
65- 127 Octets : 219471486
128- 255 Octets : 1965361
256- 511 Octets : 762381
512-1023 Octets : 832
1024- Octets : 7496</pre>
</div>
</div>
</div>
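<div class="paragraph">
<p>As an added example (my code, not part of the original post or of the MRV software), here is a small Python parser for the <code>show port statistics</code> text shown above. It turns the listing into counters, flags the error counters an operator checks on a suspect link (CRC, undersize/oversize, fragments, jabber, collisions, discards) and computes the broadcast share of received packets, which on the page's port 1 listing is over 80% and is the kind of figure that explains why <code>port flood-limiting broadcast</code> appears in the configuration. The sample input is the page's own port 1 listing embedded as a constant; the counter names are those printed by the device.</p>
</div>

```python
"""Parser for MRV OptiSwitch `show port statistics N` output.
Added example, not code from the post; SAMPLE_OUTPUT is the page's
port 1 listing embedded here as test input."""
import re
from typing import Dict

SAMPLE_OUTPUT = """PORTS STATISTICS
================
Port 1 Ethernet counters
---------------------------
Good bytes received : 21109023744
Good packets received : 229858629
Good unicast packets received : 44563
Good broadcast packets received : 189225588
Good multicast packets received : 40588478
Bytes transmitted : 24736
Packets transmitted : 184
Unicast packets transmitted : 0
Broadcast packets transmitted : 22
Multicast packets transmitted : 162
CRC or Alignment error received : 0
Undersize received : 0
Oversize received : 0
Fragments received : 0
Jabber received : 0
Collisions received and transmitted : 0
Incoming packets discarded : 0
Port 1 RMON Packet Size Distribution Counters
------------------------------------------------
- 64 Octets : 7651257
65- 127 Octets : 219471486
128- 255 Octets : 1965361
256- 511 Octets : 762381
512-1023 Octets : 832
1024- Octets : 7496
"""

# Counters that should stay at zero on a healthy link (names as printed by the device).
ERROR_COUNTERS = (
    "CRC or Alignment error received", "Undersize received", "Oversize received",
    "Fragments received", "Jabber received", "Collisions received and transmitted",
    "Incoming packets discarded",
)

# "<name> : <integer>"; the name may itself contain spaces and dashes ("- 64 Octets").
COUNTER_RE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<value>\d+)\s*$")
PORT_HEADER_RE = re.compile(r"^Port (?P<port>\d+) ")


def parse_port_statistics(text: str) -> Dict[str, object]:
    """Return {"port": N, "counters": {name: int}} from one port's listing."""
    port = None
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        header = PORT_HEADER_RE.match(line)
        if header:
            port = int(header.group("port"))
            continue
        counter = COUNTER_RE.match(line.strip())
        if counter:
            counters[counter.group("name").strip()] = int(counter.group("value"))
    if port is None:
        raise ValueError("no 'Port N' header found in output")
    return {"port": port, "counters": counters}


def error_counters(stats: Dict[str, object]) -> Dict[str, int]:
    """Non-zero error counters only; an empty dict means a clean link."""
    counters = stats["counters"]
    return {name: counters[name] for name in ERROR_COUNTERS if counters.get(name, 0) > 0}


def broadcast_share(stats: Dict[str, object]) -> float:
    """Fraction of good received packets that were broadcast (0.0 when nothing received)."""
    counters = stats["counters"]
    total = counters.get("Good packets received", 0)
    return counters.get("Good broadcast packets received", 0) / total if total else 0.0
```

Feed the function the text captured from the device (for example over an SSH session); the second section of the listing, the RMON size distribution, is parsed into the same dictionary under its printed labels.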
<div class="sect2">
<h3 id="_monitor_port_statistics_6">monitor port statistics 6</h3>
<div class="listingblock">
<div class="content">
<pre>================
PORTS STATISTICS
Port 6 Ethernet counters
---------------------------
Good bytes received : 40184915539765
Good packets received : 38232352643
Good unicast packets received : 38183697762 72
Good broadcast packets received : 7212122 037
Good multicast packets received : 41442759 26
Bytes transmitted : 26733233507233
Packets transmitted : 32870177824
Unicast packets transmitted : 32764627741 95
Broadcast packets transmitted : 80848488 19087
Multicast packets transmitted : 24701595 91071
CRC or Alignment error received : 0 232343275 13
Undersize received : 0 183688400 61
Oversize received : 0 12122 825
Fragments received : 0 442753 59 38
Jabber received : 0 733232292897
Collisions received and transmitted : 0 870173381
Incoming packets discarded : 0 764623299 87
Broadcast packets transmitted : 80848488 95
Multicast packets transmitted : 24701594 14
CRC or Alignment error received : 0 848488 85197
Undersize received : 0 701593 01
Oversize received : 0 764602923
Fragments received : 0 848488
Jabber received : 0 701590
Collisions received and transmitted : 0
Incoming packets discarded : 0
Collisions received and transmitted : 0
Incoming packets discarded : 0
Jabber received : 0
Collisions received and transmitted : 0
Incoming packets discarded : 0</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_port_rate_6_time_10">show port rate 6 time 10</h3>
<div class="listingblock">
<div class="content">
<pre>The answer will be ready in 10 seconds
Results for port 6:
Tx: 4779 Kbps, 1805 pps, rate 5.068 Mbps
Rx: 26639 Kbps, 3439 pps, rate 27.189 Mbps</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_port_sfp_params">show port sfp-params</h3>
<div class="listingblock">
<div class="content">
<pre>SFP ports internal EEPROM data
================================
Port 1: Failed to get EEPROM Data, SFP is not inserted
Port 5: SFP EEPROM Parameters
**************************************************************************
Identifier is SFP
Connector code is LC
Transceiver subcode is Base-BX10
Serial encoding mechanism is 8B10B
The nominal bit rate is 1300 Megabits/sec.
Link length using single mode (9 micron) is greater than 20000 m.
Link length using 50 micron multi-mode fiber is not supported.
Link length using 62.5 micron multi-mode fiber is not supported.
Vendor name is OEM
Vendor PN is SFP-BD-BX43-M
Vendor revision is 1.0
Vendor SN is GS1601156303
Nominal transmitter output wavelength at room temperature is 1490.00 nm.</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_port_sfp_diag_5">show port sfp-diag 5</h3>
<div class="listingblock">
<div class="content">
<pre>SFP ports internal EEPROM data
================================
Port 5: SFP Digital Diagnostics
****************************************************
Description Real-Time Value
-------------------- ---------------
Temperature (C)/(F): 33/91
Voltage (V): 3.3292
TX Bias (mA): 17.658
Tx Power (dBm)/(mW): -6.0/0.252
Rx Power (dBm)/(mW): -8.2/0.151
****************************************************</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_lt_port_5_interface_all">show lt port 5 interface all</h3>
<div class="listingblock">
<div class="content">
<pre>INDEX MAC ADDRESS VID PORT MODE LAST CHANGE
-------------------------------------------------------------------
1 84:78:AC:11:22:33 901 5 DYNAMIC 03/12/2020 10:55:00</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_time">show time</h3>
<div class="paragraph">
<p><code>Sun Apr 5 12:35:58 ISR 2020</code></p>
</div>
</div>
<div class="sect2">
<h3 id="_show_ver">show ver</h3>
<div class="listingblock">
<div class="content">
<pre>MRV OptiSwitch 912C
=========================
Hardware
--------
Board serial number: 1212121212
Unit serial number : 12312312318
CPU: FERO5181, 400Mhz with 64MB flash and 256MB Dram memory
CPU Hardware: id 1, version 1
Device Hardware version: 1
Device temperature: 33C / 91F (normal)
FPGA HW type: 2
FPGA version: 0x2E
Power Supplies:
unit 1 AC: INSTALLED & ACTIVE (hw-type 1)
unit 2 AC: INSTALLED & ACTIVE (hw-type 1)
Fans:
Fan 1: ACTIVE
Valid ports: 1-12 (extra features: 1-10)
Valid e-ports: None
Software
--------
MasterOS version: 2_1_7B
Build time: Wed Jun 15 15:23:42 IDT 2011
Based on:
Linux CUST-8348-OS912AC2-1 2.6.22.7 #734 Tue Jan 4 10:08:14 IST 2011 armv5tejl
ZebOS 5.2 (arm-none-linux-gnueabi).
Driver v1.9.3.2, cpssDxCh v3.2.p2_Release
Base MAC address: 3C:A7:2B:11:22:33
Supported features:
-------------------
MSTP - Yes
G.8032 - Yes
ROUTING - Yes
RIP - Yes
OSPF - Yes
ISIS - Yes
BGP - Yes
MPLS - No
LDP - No
RSVP - No
WEB - No
IPv6 - No
Nextragen SIP test agent - Yes
up 1173 days 4:51
users: remote - 1, console is closed</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_ver_inc_up">show ver | inc up</h3>
<div class="listingblock">
<div class="content">
<pre>up 1173 days 4:51</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_show_cpu">show cpu</h3>
<div class="listingblock">
<div class="content">
<pre>Processor : ARM926EJ-S rev 0 (v5l)
BogoMIPS : 266.24
Features : swp half thumb fastmult edsp
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0x926
CPU revision : 0
Cache type : write-back
Cache clean : cp15 c7 ops
Cache lockdown : format C
Cache format : Harvard
I size : 32768
I assoc : 1
I line length : 32
I sets : 1024
D size : 32768
D assoc : 1
D line length : 32
D sets : 1024
Hardware : Feroceon
Revision : 0000
Serial : 0000000000000000
vendor : Marvell FEROCEON
machine : MRV SBC</pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_resources">Resources</h3>
<div class="ulist">
<ul>
<li>
<p><a href="https://yurisk.info/2020/03/21/rad-etx-203-203-220-debug-and-information-commands-examples/">RAD ETX 203, 205, 220 debug and information commands</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>
</div>Fortigate ssh access with public key authentication2018-01-05T11:18:03+00:002018-01-05T11:18:03+00:00Yuri Slobodyanyuktag:yurisk.info,2018-01-05:/2018/01/05/Fortinet-Fortigate-ssh-access-with-certificate-authentication/<p>Entering a username and password every time is no fun when you do it daily on the same equipment. Saving the password in an automation script (Paramiko, Expect, etc.) is not very secure either. Using an SSH private/public key pair, on the other hand, answers all the needs: easy, secure and time saving. Here is how to enable SSH public key authentication for an admin user on a Fortigate:</p>
<p>Step 1: <strong>Create the public and private keys</strong>.<br>
On the Linux command line we run: <strong>$ ssh-keygen</strong></p>
<div class="highlight"><pre><span></span><code>Generating public/private rsa key pair.
Enter file in which to save the key (/home/myuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/myuser/.ssh/id_rsa.
Your public key has been saved in /home/myuser/.ssh/id_rsa.pub.
The key fingerprint is:
be:1b:3c:e0:1e:7d:1e:29:04:27:1d:1d:11:41:33:54 myuser@myhost
The key's randomart image is:
+--[ RSA 2048]----+
</code></pre></div>
<p>Step 2. <strong>Import the PUBLIC key saved in Step 1 in the file id_rsa.pub into the Fortigate:</strong></p>
<p><strong>config system admin</strong><br>
(config)# <strong>edit myuser</strong><br>
(myuser)# <strong>set ssh-public-key1</strong> "ssh-rsa AAAAB3Nza .. … …&lt;key copy-paste goes here, remove the host myhost&gt; …. 0lTo9P myuser"</p>
<p>Step 3. Connect using the generated keys:<br>
<strong>ssh -i /home/myuser/.ssh/id_rsa ip-of-the-fortigate</strong></p>
<p>Step 4 (optional, but recommended). <strong>Disable password-based authentication for the admin user altogether</strong></p>
<p>You can still connect with a password even after public key authentication is enabled; the one does not disable the other. For better security you can disable password authentication for an admin user and leave only the public key-based one. First, make sure you can connect with your public key just fine. Then:</p>
<div class="highlight"><pre><span></span><code># config sys global
(global) # set admin-ssh-password disable
(global) # end
</code></pre></div>
<p>That is it. Of course, this also works for other Fortinet products with SSH access, such as FortiMail, FortiAnalyzer, etc.</p>
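<p>As an added example (my code, not from the post or from Fortinet), the following Python helper prepares the Step 2 CLI from an OpenSSH public key file and checks the Step 4 precondition. It strips the trailing <code>user@host</code> comment as the post instructs, but first sanity-checks that the line is a supported key type whose base64 payload really encodes that type, so a mangled paste is rejected before it reaches the firewall. The <code>key_only_login_works</code> check runs <code>ssh</code> with <code>BatchMode=yes</code> and <code>PasswordAuthentication=no</code>, so a silent fallback to a password prompt shows up as a failure rather than a hidden prompt. The CLI keywords are those the post uses (plus the standard <code>next</code>/<code>end</code>); the sample key line is constructed in the code and is not a real key.</p>

```python
"""Fortigate admin SSH key helpers. Added example, not code from the post."""
import base64
import binascii
import subprocess
import sys
from pathlib import Path

ALLOWED_KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
                     "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def strip_key_comment(pubkey_line: str) -> str:
    """Return '<type> <base64>' from an OpenSSH public key line, dropping the
    'user@host' comment (the post says to remove the host part)."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_KEY_TYPES:
        raise ValueError("not a supported OpenSSH public key line")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except binascii.Error as exc:
        raise ValueError("key payload is not valid base64") from exc
    # The wire format opens with a length-prefixed string naming the key type;
    # if it does not match the textual prefix, the line was mangled in transit.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len].decode("ascii", "replace") != parts[0]:
        raise ValueError("key type inside payload does not match line prefix")
    return f"{parts[0]} {parts[1]}"


def fortigate_admin_key_stanza(admin: str, pubkey_line: str) -> str:
    """CLI block for Step 2: store the key as ssh-public-key1 of the admin."""
    key = strip_key_comment(pubkey_line)
    return "\n".join([
        "config system admin",
        f'    edit "{admin}"',
        f'        set ssh-public-key1 "{key}"',
        "    next",
        "end",
    ])


# CLI block for Step 4, to be applied only after key_only_login_works() is True.
DISABLE_PASSWORD_STANZA = "config system global\n    set admin-ssh-password disable\nend"


def key_only_login_works(host: str, admin: str, key_path: str, timeout: int = 15) -> bool:
    """True only if the Fortigate accepts the key with no password fallback."""
    cmd = ["ssh", "-o", "BatchMode=yes", "-o", "PasswordAuthentication=no",
           "-o", "ConnectTimeout=5", "-i", key_path, f"{admin}@{host}",
           "get system status"]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def _constructed_key_line() -> str:
    # CONSTRUCTED sample, not a real key: wire format is string "ssh-rsa",
    # mpint e, mpint n; the numbers here are meaningless placeholders.
    blob = (b"\x00\x00\x00\x07ssh-rsa"
            + b"\x00\x00\x00\x03\x01\x00\x01"
            + b"\x00\x00\x00\x04\x00\xc3\x5d\x9f")
    return "ssh-rsa " + base64.b64encode(blob).decode() + " myuser@myhost"


CONSTRUCTED_PUBKEY_LINE = _constructed_key_line()


if __name__ == "__main__":
    # usage: python fgt_sshkey.py <admin-name> </path/to/id_rsa.pub>
    if len(sys.argv) != 3:
        sys.exit("usage: fgt_sshkey.py <admin> <pubkey-file>")
    print(fortigate_admin_key_stanza(sys.argv[1], Path(sys.argv[2]).read_text().strip()))
```

Run it with the admin name and the path to <code>id_rsa.pub</code> to print the stanza for pasting into the Fortigate CLI; only once <code>key_only_login_works()</code> returns True for that admin should <code>DISABLE_PASSWORD_STANZA</code> be applied.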
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>HIEW tutorial hexadecimal editor part 6 using HEM modules2017-09-05T13:55:25+00:002017-09-05T13:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2017-09-05:/2017/09/05/HIEW-tutorial-hexadecimal-editor-part-6-using-HEM-modules/<iframe width="560" height="315" src="https://www.youtube.com/embed/8rIovtQRp1s" frameborder="0" allowfullscreen></iframe>
<p><br /></p>
<p>Commands used in the video: </p>
<table>
<thead>
<tr>
<th>Command</th>
<th>Action</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>F11</strong></td>
<td>Open a dialog window listing the HEM modules available on this PC</td>
</tr>
<tr>
<td><strong>F9</strong></td>
<td>Unload previously loaded module, making it inactive</td>
</tr>
<tr>
<td><strong>Enter</strong></td>
<td>With a module highlighted in the list, pressing Enter loads and runs it</td>
</tr>
</tbody>
</table>
<p>See also other posts in the series:<br>
<a href="https://yurisk.info/2017/05/23/HIEW-hex-editor-tutorials-series-part-1-the-history/index.html">Part 1</a><br>
<a href="https://yurisk.info/2017/05/24/HIEW-hex-editor-tutorials-series-part-2-basics/index.html">Part 2</a><br>
<a href="https://yurisk.info/2017/07/03/HIEW-hex-editor-tutorials-series-part-3-navigation/index.html">Part 3</a><br>
<a href="https://yurisk.info/2017/07/03/HIEW-hex-editor-tutorials-series-part-4-crypt-xor/index.html">Part 4</a><br>
<a href="https://yurisk.info/2017/07/29/HIEW-tutorial-hexadecimal-editor-part-5-using-Crypto-module-to-program-a-keygen/index.html">Part 5</a> </p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Checkpoint How to use R80.10 API for Automation and Streamlined Security webcast main points2017-08-17T08:55:25+00:002017-08-17T08:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2017-08-17:/2017/08/17/Checkpoint-How-to-use-R80.10-API-for-Automation-and-Streamlined-Security-webcast/<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>I just took part in the Checkpoint webcast "How to use R80.10 API for Automation and Streamlined Security"; here are some thoughts about it.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>The API is all about working with the Management Server (but read on).</p>
</li>
<li>
<p>We can set some things on a firewall Gateway as well, via the API and the Management Server, but very few.</p>
</li>
<li>
<p>The Web API is a REST API (JSON/XML), so any automation tool that can emit HTTP requests will work.</p>
</li>
<li>
<p>Web API requests are sent to <code>r80-mgmt-ip/web_api/</code> after the client has authenticated to the Management Server.</p>
</li>
<li>
<p>Almost everything in the R80 Management Server is stored in a database, not in proprietary local files as before.</p>
</li>
<li>
<p>The workflow is as follows:</p>
<div class="ulist">
<ul>
<li>
<p>Login to <code>mgmt-ip/web_api/login</code></p>
</li>
<li>
<p>Send some API action via HTTPS, e.g. <code>mgmt/web_api/add-host</code> (changes are not applied/saved yet).</p>
</li>
<li>
<p>Publish them via <code>https://mgmt/web_api/publish</code> (changes are saved).</p>
</li>
<li>
<p>Finally, install policy via <code>mgmt/web_api/install_policy</code> (optional, but recommended).</p>
</li>
<li>
<p>On each request for changes (usually sent using POST), verify that you got a 200 OK response.</p>
</li>
</ul>
</div>
</li>
</ul>
</div>
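<div class="paragraph">
<p>As an added example (my code, not from the webcast or from Check Point), here is the login, add-host, publish workflow from the list above written as a small client that checks for 200 OK on every request and publishes only when the change was accepted. The endpoint names come from the post; the JSON field names <code>user</code>, <code>password</code>, <code>sid</code>, <code>name</code>, <code>ip-address</code> and the <code>X-chkp-sid</code> session header are the documented R80 Web API conventions. The HTTP transport is injectable, so the same flow can be driven by a fake server offline, which is also how the checks are exercised below.</p>
</div>

```python
"""R80 Web API workflow client. Added example, not code from the post or Check Point."""
import json
import ssl
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

# transport(url, headers, body) -> (http_status, response_bytes)
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, bytes]]


class MgmtApiError(RuntimeError):
    """Raised when the Management Server answers anything other than 200 OK."""


def urllib_transport(url: str, headers: Dict[str, str], body: bytes,
                     context: Optional[ssl.SSLContext] = None) -> Tuple[int, bytes]:
    """Real HTTPS POST. Certificate validation stays on; pass a context that
    trusts the Management Server's CA if it uses a self-signed certificate."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=context, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class MgmtApiClient:
    """One POST per API command; the session id from login rides in X-chkp-sid."""

    def __init__(self, mgmt_ip: str, transport: Optional[Transport] = None) -> None:
        self.base = f"https://{mgmt_ip}/web_api/"
        self.transport: Transport = transport or urllib_transport
        self.sid: Optional[str] = None
        self.log: List[Tuple[str, int]] = []  # (command, status) audit trail

    def call(self, command: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        status, raw = self.transport(self.base + command, headers,
                                     json.dumps(payload).encode())
        self.log.append((command, status))
        if status != 200:  # the post's rule: every change request must get 200 OK
            raise MgmtApiError(f"{command}: HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    def login(self, user: str, password: str) -> str:
        self.sid = self.call("login", {"user": user, "password": password})["sid"]
        return self.sid

    def add_host(self, name: str, ip_address: str) -> Dict[str, Any]:
        return self.call("add-host", {"name": name, "ip-address": ip_address})

    def publish(self) -> Dict[str, Any]:
        return self.call("publish", {})

    def logout(self) -> None:
        try:
            self.call("logout", {})
        finally:
            self.sid = None


def create_host_and_publish(client: MgmtApiClient, user: str, password: str,
                            name: str, ip_address: str) -> List[str]:
    """The post's workflow end to end. publish() runs only if add-host returned
    200, so a rejected change is never published; logout always runs so the
    session (and any unpublished change) is not left hanging. Returns the
    sequence of commands that were sent."""
    client.login(user, password)
    try:
        client.add_host(name, ip_address)
        client.publish()
    finally:
        client.logout()
    return [cmd for cmd, _ in client.log]
```

Against a real server, construct <code>MgmtApiClient("mgmt-ip")</code> with no transport argument; an admin whose API role is limited to object management is enough for this flow, which is the "give the SOC team specific tasks without the power to destroy something" idea from later in the post.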
<div class="paragraph">
<p>Actually, there are a few programming interfaces, so to speak:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Web API as described above, most suited for automation.</p>
</li>
<li>
<p><strong>mgmt_cli</strong>: a standalone tool (both for Gaia OS and Windows Management) that communicates with the Management Server locally, so it can be scripted on the server (Windows batch/PowerShell/etc., Linux shell scripting/Python/etc.).</p>
</li>
<li>
<p><strong>SmartConsole CLI</strong>: a built-in shell inside the SmartConsole. You just click its link/icon in the SmartConsole and get the shell (emulation). While it is not very suitable for automation, you can still prepare a bunch of CLI commands to copy and paste into this shell.</p>
</li>
<li>
<p><strong>Gaia CLI</strong>: the classic Gaia shell (clish), programmable locally via Bash scripting.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>The main advantage of the API is in automating daily tasks. Some tasks I can think of: deploying gateways to the cloud (AWS/Azure), creating/deleting/editing objects and rules in the Rule Base, creating your own custom web interfaces to the management server, and many more. In the webcast, the presenter Ryan Darst showed in real time how, using an Ansible playbook, he could deploy 2 firewall Gateways from scratch into the Amazon AWS cloud, then create their rule bases with network objects, setting on the way all the needed properties of the gateways: IP addresses, routing, anti-spoofing and such. It took some 10-12 minutes from starting the Ansible deployment to having 2 fully functional gateways in the cloud that could pass and secure traffic for the networks behind them.</p>
</div>
<div class="paragraph">
<p>Doing non-trivial things, on the other hand, is not the target of the API. That is, changing the underlying Gaia operating system, doing backups and the other things we are used to doing via bash scripts on the gateway remain as they are. This is logical after all: APIs in general are designed to automate "boring" daily tasks of large volume and also to give management access/capabilities to less qualified folks. You can, for example, build a web interface that exposes very specific tasks and commands to your SOC team without giving them the power to destroy something.</p>
</div>
<div class="paragraph">
<p>In an enterprise environment, where a small team or a single person manages the firewall, such API usage is less useful, but still, occasionally we can automate the time-consuming tasks of bulk creation/deletion/import/export of network objects or rules.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_related">Related</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://yurisk.info/2021/05/09/checkpoint-api-tutorial-part1-getting-started/">Checkpoint API tutorial, part 1 - getting started</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
</div>
</div>
</div>HIEW tutorial hexadecimal editor part 5 using Crypto module to program a keygen2017-07-29T13:55:25+00:002017-07-29T13:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2017-07-29:/2017/07/29/HIEW-tutorial-hexadecimal-editor-part-5-using-Crypto-module-to-program-a-keygen/<iframe width="560" height="315" src="https://www.youtube.com/embed/2JoMSbUY6YA" frameborder="0" allowfullscreen></iframe>
<p><br /></p>
<p>Commands used in the video: </p>
<table>
<thead>
<tr>
<th>Command</th>
<th>Action</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>F3 + F7</strong></td>
<td>Open the Crypto window to start entering ASM commands to be run by HIEW on the file contents</td>
</tr>
<tr>
<td><strong>Ctrl + F7</strong></td>
<td>Re-open the Crypto window to change the commands</td>
</tr>
<tr>
<td><strong>F7</strong></td>
<td>Apply the entered commands to the data at the current cursor position, one piece of data at a time.</td>
</tr>
</tbody>
</table>
<p>Download Crackme #4 by fant0m from the website crackmes.de, used as an example in this video.</p>
<p>See also other posts in the series:<br>
<a href="https://yurisk.info/2017/05/23/HIEW-hex-editor-tutorials-series-part-1-the-history/index.html">Part 1</a><br>
<a href="https://yurisk.info/2017/05/24/HIEW-hex-editor-tutorials-series-part-2-basics/index.html">Part 2</a><br>
<a href="https://yurisk.info/2017/07/03/HIEW-hex-editor-tutorials-series-part-3-navigation/index.html">Part 3</a><br>
<a href="https://yurisk.info/2017/07/03/HIEW-hex-editor-tutorials-series-part-4-crypt-xor/index.html">Part 4</a><br>
<a href="https://yurisk.info/2017/09/05/HIEW-tutorial-hexadecimal-editor-part-6-using-HEM-modules/index.html">Part 6</a></p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>HIEW tutorial hexadecimal editor part 3 Navigation2017-07-03T13:55:25+00:002017-07-03T13:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2017-07-03:/2017/07/03/HIEW-hex-editor-tutorials-series-part-3-navigation/<iframe width="560" height="315" src="https://www.youtube.com/embed/VUy1trkN25Q" frameborder="0" allowfullscreen></iframe>
<p><br /></p>
<p>Commands used in the video: </p>
<table>
<thead>
<tr>
<th>Commands</th>
<th>Action</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>F8 + F5</strong></td>
<td>Jump to the Entry Point of the program.</td>
</tr>
<tr>
<td><strong>Shift + "+"</strong></td>
<td>Add a bookmark at the current cursor position.</td>
</tr>
<tr>
<td><strong>Alt + 1 / Alt + 2 / Alt + nn</strong></td>
<td>Jump to the 1st, 2nd, nn-th bookmark.</td>
</tr>
<tr>
<td><strong>Alt + "-"</strong></td>
<td>Remove the bookmark at the current position.</td>
</tr>
<tr>
<td><strong>Alt + 0</strong></td>
<td>Remove all bookmarks in a file.</td>
</tr>
<tr>
<td><strong>Ctrl + F5</strong></td>
<td>Set the base for offset calculation to a position other than the default file start.</td>
</tr>
<tr>
<td><strong>Ctrl + F10</strong></td>
<td>Open a dialog box to save the current bookmarks/cursor state, later to be loaded to continue the work.</td>
</tr>
<tr>
<td><strong>hiew32.exe /SAV=c:\temp\hiew-test.sav</strong></td>
<td>Open the file using the previously saved file state in the custom file hiew-test.sav</td>
</tr>
</tbody>
</table>
<p>See also other posts in the series:<br>
<a href="https://yurisk.info/2017/05/23/HIEW-hex-editor-tutorials-series-part-1-the-history/index.html">Part 1</a><br>
<a href="https://yurisk.info/2017/05/24/HIEW-hex-editor-tutorials-series-part-2-basics/index.html">Part 2</a><br>
<a href="https://yurisk.info/2017/07/03/HIEW-hex-editor-tutorials-series-part-4-crypt-xor/index.html">Part 4</a><br>
<a href="https://yurisk.info/2017/07/29/HIEW-tutorial-hexadecimal-editor-part-5-using-Crypto-module-to-program-a-keygen/index.html">Part 5</a><br>
<a href="https://yurisk.info/2017/09/05/HIEW-tutorial-hexadecimal-editor-part-6-using-HEM-modules/index.html">Part 6</a></p>
HIEW tutorial hexadecimal editor part 4 encrypting decrypting with XOR2017-07-03T13:55:25+00:002017-07-03T13:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2017-07-03:/2017/07/03/HIEW-hex-editor-tutorials-series-part-4-crypt-xor/<iframe width="560" height="315" src="https://www.youtube.com/embed/2JoMSbUY6YA" frameborder="0" allowfullscreen></iframe>
<p><br />
Commands used in the video:</p>
<table>
<thead>
<tr>
<th>Command</th>
<th>Action</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>F3 + F8</strong></td>
<td>Set the XOR ASCII/Hex string to be used as a key to XOR with the file data</td>
</tr>
<tr>
<td><strong>F8</strong></td>
<td>Apply 1 step of XOR operation to the data at the current cursor position.</td>
</tr>
</tbody>
</table>
<p>The cryptopals.com challenge is used as an example in this video.<br>
See also other posts in the series:<br>
<a href="https://yurisk.info/2017/05/23/HIEW-hex-editor-tutorials-series-part-1-the-history/index.html">Part 1</a><br>
<a href="https://yurisk.info/2017/05/24/HIEW-hex-editor-tutorials-series-part-2-basics/index.html">Part 2</a><br>
<a href="https://yurisk.info/2017/07/03/HIEW-hex-editor-tutorials-series-part-3-navigation/index.html">Part 3</a><br>
<a href="https://yurisk.info/2017/07/29/HIEW-tutorial-hexadecimal-editor-part-5-using-Crypto-module-to-program-a-keygen/index.html">Part 5</a> <br>
<a href="https://yurisk.info/2017/09/05/HIEW-tutorial-hexadecimal-editor-part-6-using-HEM-modules/index.html">Part 6</a></p>
Binary obfuscation - String obfuscating in C2017-06-25T13:55:25+00:002017-06-25T13:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2017-06-25:/2017/06/25/binary-obfuscation-string-obfuscating-in-C/<p>The first step in reversing any binary, for any purpose, is to try and elicit whatever meaningful information is easiest to retrieve. One such piece of information is the clear-text strings in the binary. They may disclose a lot if the programmer did not take care to remove them. The funniest cases are when a programmer wants to stay anonymous (say, a malware author) and still leaves in the binary the various info put there by the compiler/linker (Microsoft Visual Studio is notorious for that), which includes the host folder structure, the operating system username, local time etc. Just as an example, let's look at Hacknet <a href="https://en.wikipedia.org/wiki/Hacknet">https://en.wikipedia.org/wiki/Hacknet</a> (a cute "hacking" environment and ambience emulator for those who want to feel like a "hacker"), which is on sale at Steam right now for $3, and see what we can deduce from its binary.
I am using the HIEW hex editor, but of course any hex editor or even the plain Linux <code>strings</code> tool will do. But before looking at the strings, let's have a peek at the executable file headers:<br>
<img alt="screenshot of headers" src="https://yurisk.info/images/Hacknet-binary-analysis-headers.png"><br>
From it we can say:</p>
<ol>
<li>Linker version 11.0 says that the file was compiled with the Microsoft compiler released as part of Visual Studio 2012 (en.wikipedia.org/wiki/Microsoft_Visual_C).</li>
<li>The optional header Magic value 010B means it is a 32-bit executable; a 64-bit one would have 020B.</li>
<li>OS version and subsystem version of 4.0 most probably mean that Steam, which bundled this binary, set these numbers artificially for compatibility: Windows internal version 4.0 is Windows NT, and I doubt the software author wrote it on Windows NT in Visual Studio 2012.</li>
<li>Subsystem Console means that the software was defined from the beginning as a Windows console project in Visual Studio, that is, it does not include any GUI libraries or code.</li>
</ol>
<p>Not bad for a mere header. Now to the strings. The default minimum string length of 4 characters finds 16162 strings, too many, so I will increase the minimum string length to 25 characters. Almost immediately we can see this string:<br>
<img alt="strings in binary" src="https://yurisk.info/images/hacknet-binary-analysis-xna-string.png"><br>
which confirms our suggestion that it was written in Microsoft Visual Studio on Windows: the XNA game development platform from Microsoft says so (en.wikipedia.org/wiki/Microsoft_XNA). Also, most probably the author used the FNA framework to port the game to Linux, for which it is also available. This also suggests the game was written in C#. This string indeed proves it is a game uploaded to Steam:<br>
<img alt="strings" src="https://yurisk.info/images/hacknet-binary-analysis-steam.png"><br>
Here we can even see the page URL for sending the victory mail. Such a URL is, by the way, sometimes used by malware writers to set a trap: a URL which no one will visit except those looking at it in the binary:<br>
<img alt="fig 3" src="https://yurisk.info/images/hacknet-binary-analysis-email.png"><br>
And the final piece of information is here:<br>
<img alt="fig 4" src="https://yurisk.info/images/hacknet-binary-analysis-final.png"></p>
<p>which confirms all we suggested earlier, giving us in addition the full path to the MS Visual Studio project/debug location on the author's machine and his username, <strong>Matt</strong>, which coincides with the author's real name, Matt Trobbiani. And of course, not mentioned in this post, there are tens of thousands of strings of in-game text and function names.<br>
Now to the string obfuscation itself. There are a few ways to obfuscate/encrypt strings in the binary so that you deobfuscate/decrypt them at run time, just before actually using them in the code flow. Sure, you cannot protect anything this way (that is why it is called obfuscation), but it can make the work of a reverser a bit harder, that is it.<br>
The first and easiest way to hide the strings is by adding/subtracting an integer value before compiling the file, then having a routine do the reverse addition/subtraction to get the needed string in memory, use it, then discard or obfuscate it again. This turns the string into gibberish, but it will still look like a suspicious string. Of course it will only work with ASCII strings, whose characters are here treated as integers. The source code is in C to give an example. I mangle/obfuscate the string "secret password" via the preprocessor macro HIDE_LETTER, then de-obfuscate it using UNHIDE_STRING at run time. I plan on running a series of posts about obfuscation, so stay tuned.</p>
<div class="highlight"><pre><span></span><code><span class="cp">#include</span><span class="w"> </span><span class="cpf"><stdio.h></span><span class="cp"></span>
<span class="cp">#define HIDE_LETTER(a) (a) + 0x50</span>
<span class="cp">#define UNHIDE_STRING(str) do { char * ptr = str ; while (*ptr) *ptr++ -= 0x50; } while(0)</span>
<span class="cp">#define HIDE_STRING(str) do {char * ptr = str ; while (*ptr) *ptr++ += 0x50;} while(0)</span>
<span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">()</span><span class="w"></span>
<span class="p">{</span><span class="w"> </span><span class="c1">// store the "secret password" as mangled byte array in binary</span>
<span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="n">str1</span><span class="p">[]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">HIDE_LETTER</span><span class="p">(</span><span class="sc">'s'</span><span class="p">)</span><span class="w"> </span><span class="p">,</span><span class="w"> </span><span class="n">HIDE_LETTER</span><span class="p">(</span><span class="sc">'e'</span><span class="p">)</span><span class="w"> </span><span class="p">,</span><span class="w"> </span><span class="n">HIDE_LETTER</span><span class="p">(</span><span class="sc">'c'</span><span class="p">)</span><span class="w"> </span><span class="p">,</span><span class="w"> </span><span class="n">HIDE_LETTER</span><span class="p">(</span><span class="sc">'r'</span><span class="p">)</span><span class="w"> </span><span class="p">,</span><span class="w"> </span><span class="n">HIDE_LETTER</span><span class="p">(</span><span class="sc">'e'</span><span class="p">)</span><span class="w"> </span>
<span class="w"> </span><span class="p">,</span><span class="w"> </span><span class="n">HIDE_LETTER</span><span class="p">(</span><span class="sc">'t'</span><span class="p">)</span><span class="w"> </span><span class="p">,</span><span class="w"> </span><span class="n">HIDE_LETTER</span><span class="p">(</span><span class="sc">' '</span><span class="p">)</span><span class="w"> </span><span class="p">,</span><span class="w"> </span><span class="n">HIDE_LETTER</span><span class="p">(</span><span class="sc">'p'</span><span class="p">)</span><span class="w"> </span><span class="p">,</span><span class="w"> </span><span class="n">HIDE_LETTER</span><span class="p">(</span><span class="sc">'a'</span><span class="p">)</span><span class="w"> </span><span class="p">,</span><span class="w"> </span><span class="n">HIDE_LETTER</span><span class="p">(</span><span class="sc">'s'</span><span class="p">),</span><span class="w"></span>
<span class="w"> </span><span class="n">HIDE_LETTER</span><span class="p">(</span><span class="sc">'s'</span><span class="p">)</span><span class="w"> </span><span class="p">,</span><span class="n">HIDE_LETTER</span><span class="p">(</span><span class="sc">'w'</span><span class="p">)</span><span class="w"> </span><span class="p">,</span><span class="n">HIDE_LETTER</span><span class="p">(</span><span class="sc">'o'</span><span class="p">)</span><span class="w"> </span><span class="p">,</span><span class="n">HIDE_LETTER</span><span class="p">(</span><span class="sc">'r'</span><span class="p">)</span><span class="w"> </span><span class="p">,</span><span class="n">HIDE_LETTER</span><span class="p">(</span><span class="sc">'d'</span><span class="p">),</span><span class="sc">'\0'</span><span class="w"> </span><span class="p">};</span><span class="w"> </span>
<span class="w"> </span><span class="n">UNHIDE_STRING</span><span class="p">(</span><span class="n">str1</span><span class="p">);</span><span class="w"> </span><span class="c1">// unmangle the string in-place</span>
<span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Here goes the secret we hide: %s"</span><span class="p">,</span><span class="w"> </span><span class="n">str1</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="n">HIDE_STRING</span><span class="p">(</span><span class="n">str1</span><span class="p">);</span><span class="w"> </span><span class="c1">//mangle back</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>
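<p>The other side of this scheme, as an added Python example (not the post's code): a scanner that takes the NUL-terminated byte runs of a binary blob, tries all 255 additive shifts on each run that is not already plain ASCII, and reports the shift that yields a word-like string, which is why a constant add only slows a reverser down rather than protecting the string. The sample blob, which embeds "secret password" hidden with +0x50 exactly as the C code above does, and the length and plausibility thresholds are constructed for this example.</p>

```python
# Added example: recover strings hidden with a constant additive shift
# (the HIDE_LETTER/UNHIDE_STRING scheme above) from a raw binary blob.
# Sample data and thresholds are constructed for this example.

PRINTABLE = frozenset(range(0x20, 0x7F))           # printable 7-bit ASCII
WORDISH = frozenset(b"abcdefghijklmnopqrstuvwxyz"
                    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ")


def hide_add(data: bytes, delta: int) -> bytes:
    """Byte-wise equivalent of HIDE_STRING: add delta to every byte, mod 256."""
    return bytes((b + delta) & 0xFF for b in data)


def unhide_add(data: bytes, delta: int) -> bytes:
    """Byte-wise equivalent of UNHIDE_STRING: subtract delta from every byte."""
    return bytes((b - delta) & 0xFF for b in data)


def nul_terminated_runs(blob: bytes, min_len: int):
    """Yield (offset, bytes) for every run of non-zero bytes of at least min_len.

    A C string keeps its terminating NUL even when its bytes are shifted,
    so NUL-delimited runs are the natural candidates to examine.
    """
    start = None
    for i, b in enumerate(blob):
        if b != 0 and start is None:
            start = i
        elif b == 0 and start is not None:
            if i - start >= min_len:
                yield start, blob[start:i]
            start = None
    if start is not None and len(blob) - start >= min_len:
        yield start, blob[start:]


def best_shift(run: bytes):
    """Try all 255 non-zero shifts and return (shift, score, decoded) for the
    one that yields only printable ASCII with the most letters/digits/spaces,
    or None if no shift makes the whole run printable."""
    best = None
    for k in range(1, 256):
        dec = unhide_add(run, k)
        if not all(b in PRINTABLE for b in dec):
            continue
        score = sum(b in WORDISH for b in dec)
        if best is None or score > best[1]:
            best = (k, score, dec)
    return best


def find_shifted_strings(blob: bytes, min_len: int = 6, min_wordish: float = 0.7):
    """Return [(offset, shift, text)] for runs that are not plain ASCII but
    become word-like ASCII under some additive shift.

    Runs that are already printable are skipped: an ordinary `strings` pass
    finds those, and almost any text also "decodes" under shift 1 or 2,
    which would only produce noise.
    """
    hits = []
    for offset, run in nul_terminated_runs(blob, min_len):
        if all(b in PRINTABLE for b in run):
            continue
        best = best_shift(run)
        if best is not None and best[1] >= min_wordish * len(run):
            hits.append((offset, best[0], best[2].decode("ascii")))
    return hits


# Constructed sample "binary": a few opcode-like bytes, the plain format
# string from the C example, "secret password" hidden with +0x50, and a
# short run of noise that is below the minimum length.
CODE_BYTES = b"\x55\x8b\xec\x83\xec\x10\x00"
PLAIN_STRING = b"Here goes the secret we hide: %s\x00"
HIDDEN_STRING = hide_add(b"secret password", 0x50) + b"\x00"
HIDDEN_OFFSET = len(CODE_BYTES) + len(PLAIN_STRING)
SAMPLE_BLOB = CODE_BYTES + PLAIN_STRING + HIDDEN_STRING + b"\xff\xfe\x01\x02\x00"

if __name__ == "__main__":
    for offset, shift, text in find_shifted_strings(SAMPLE_BLOB):
        print(f"0x{offset:08X}: shift 0x{shift:02X} -> {text!r}")
```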
How to manually install Security Policy via cli on Checkpoint Gaia.2017-06-05T11:44:46+00:002017-06-05T11:44:46+00:00Yuri Slobodyanyuktag:yurisk.info,2017-06-05:/2017/06/05/How-to-manually-install-Security-Policy-via-cli-on-checkpoint-gaia/<p>The usual way to install a policy is, of course, by clicking Install in the SmartDashboard, but if the need arises to do so from the command line of the Checkpoint Management server, we do it this way:</p>
<h3>fwm load <Name of the policy> <name of the firewall gateway object as appears in management server></h3>
<p>All the names in the command are case sensitive.</p>
The one command to clear ALL the connections on a Checkpoint firewall - use with care2017-06-05T09:44:46+00:002017-06-05T09:44:46+00:00Yuri Slobodyanyuktag:yurisk.info,2017-06-05:/2017/06/05/The-one-command-to-clear-all-the-connections-on-a-checkpoint-firewall-use-with-care/<p>Checkpoint firewalls are pretty dynamic and responsive to our changes: for most of the changes done by an administrator it is enough to install the policy for them to take immediate effect. In the rare cases when changes (seemingly) do not take effect, it is probably because the particular connection got stuck in the connection table of the firewall. There are 2 ways to fix it: the elegant way and the axe way. I will post the elegant way some other day; it involves deleting only the specific stuck entry from the connections table. This post is about the axe way: clearing ALL connection entries from the table in one go. This means, of course, a temporary disconnection for all traffic passing through the firewall, therefore use it with caution. Here it is:</p>
<h3>fw tab -t connections -x</h3>
What ports 18190 18209 18210 18211 in Checkpoint are used for2017-06-05T08:44:46+00:002017-06-05T08:44:46+00:00Yuri Slobodyanyuktag:yurisk.info,2017-06-05:/2017/06/05/What-ports-18190-18209-18210-18211-in-Checkpoint-are-used-for/<p>What ports 18190, 18209, 18210, 18211 in Checkpoint are used for?
For correct functioning, Checkpoint uses quite a lot of ports; some are a must, some are not. The ports listed above are in the ‘a must’ category. Let’s see:<br>
<strong>18190</strong> for R77.x / <strong>19009</strong> for R80+ (NOTE: R77.x versions used 18190 exclusively; starting with R80.x the port changed to <strong>19009</strong>, while 18190 is still used for legacy apps only, e.g. when opening SmartDashboard for Mobile Access configuration. So, for exam takers: 19009 is the port used by SmartConsole). The <strong>CPMI (Checkpoint Management Interface)</strong> is used by the SmartConsole client to connect to and manage the Management server. This is the port to check if, when trying to connect with SmartConsole, you get the error “Please verify that Management is running and you are allowed to connect by GUI client”.<br>
<strong>18209</strong> The <strong>SIC (Secure Internal Communications)</strong> protocol uses this port for all SIC conversations between the Management server and the firewall modules managed by it. This is the port to check when you try to install the Security Policy and it fails with the error “could not establish connection …”.<br>
<strong>18210, 18211</strong> These ports are used for the certificate exchange between the ICA (Internal Certificate Authority), which is part of the Management server, and the Checkpoint firewall modules. You don’t need these ports constantly, as the firewall modules and the Management server exchange certificates only once in a while, but still: all the communication between the Management server and the firewall modules is encrypted using these certificates, and if a certificate has expired and a new one cannot be downloaded, SIC will break.</p>
<p>For the detailed list of ports in Checkpoint, see Heiko’s post on the <a href="https://community.checkpoint.com/t5/Security-Gateways/R81-x-Ports-Used-for-Communication-by-Various-Check-Point/td-p/38153">Checkpoint Community</a>.</p>
HIEW Hex editor tutorials series , part 2 – the basics.2017-05-24T13:55:25+00:002020-07-16T20:37:00+02:00Yuri Slobodyanyuktag:yurisk.info,2017-05-24:/2017/05/24/HIEW-hex-editor-tutorials-series-part-2-basics/<iframe width="560" height="315" src="https://www.youtube.com/embed/M1wvTE988dw" frameborder="0" allowfullscreen></iframe>
<p>Round up of the basic HIEW commands used:</p>
<table>
<thead>
<tr>
<th>Command</th>
<th>Action</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Change the color scheme</strong></td>
<td>Edit the last section "Colors" of hiew8.ini and set ColorMain = 0x07 to get a black background.</td>
</tr>
<tr>
<td><strong>ESC</strong></td>
<td>To exit any window/mode without saving the changes.</td>
</tr>
<tr>
<td><strong>F1</strong></td>
<td>Context-sensitive help.</td>
</tr>
<tr>
<td><strong>F3</strong></td>
<td>Enter the Edit mode.</td>
</tr>
<tr>
<td><strong>ENTER</strong></td>
<td>In the read mode, switch between Hex/Decode/Text modes.</td>
</tr>
<tr>
<td><strong>F7</strong></td>
<td>Open a search window</td>
</tr>
<tr>
<td><strong>Ctrl + Enter</strong></td>
<td>Continue searching.</td>
</tr>
<tr>
<td><strong>Alt + F1</strong></td>
<td>Change location addressing mode.</td>
</tr>
<tr>
<td><strong>F9</strong></td>
<td>Save the changes.</td>
</tr>
<tr>
<td><strong>F6</strong></td>
<td>In Decode/Disassembled mode, find cross-references.</td>
</tr>
<tr>
<td><strong>*</strong></td>
<td>In Read mode, select block(s) of bytes.</td>
</tr>
<tr>
<td><strong>F8</strong></td>
<td>Show the file header.</td>
</tr>
<tr>
<td><strong>F8 -> F6 -> F3</strong></td>
<td>In Hex/Decode modes, show then edit file header sections.</td>
</tr>
<tr>
<td><strong>Alt + F6</strong></td>
<td>Show all strings in a file.</td>
</tr>
<tr>
<td><strong>+/-</strong></td>
<td>In the strings view, increase/decrease the minimal string length.</td>
</tr>
<tr>
<td><strong>F5</strong></td>
<td>Go to offset.</td>
</tr>
<tr>
<td><strong>Alt + F7</strong></td>
<td>Change the search direction.</td>
</tr>
</tbody>
</table>
<p>Sample "serial1.exe" program used in the tutorial:<br>
Compiled binary "serial1.exe": https://blog-assets-public-all.s3.amazonaws.com/serial1.exe<br>
NOTE: Today almost all OSes will flag any executable you download as "malicious/harmful" etc. (and good that they do so), so be warned. The VirusTotal rating of the file is quite good, just 7 detections out of 72 :) <a href="https://www.virustotal.com/gui/file/b38128c26bc792989b23d70684498ea2612639c11047e2cd6c3a1114a9ad1e92/detection" target=_blank rel="noopener">https://www.virustotal.com/gui/file/b38128c26bc792989b23d70684498ea2612639c11047e2cd6c3a1114a9ad1e92/detection</a></p>
<p>Its SHA256 hash, to verify (use the PowerShell command Get-FileHash "serial1.exe"): B38128C26BC792989B23D70684498EA2612639C11047E2CD6C3A1114A9AD1E92</p>
<p>The source code (compiled in Microsoft Visual Studio 2015):</p>
<div class="highlight"><pre><span></span><code><span class="cp">#include</span><span class="w"> </span><span class="cpf">"stdafx.h"</span><span class="cp"></span>
<span class="cp">#include</span><span class="w"> </span><span class="cpf"><stdio.h></span><span class="cp"></span>
<span class="cp">#include</span><span class="w"> </span><span class="cpf"><string.h></span><span class="cp"></span>
<span class="c1">// this example and all the following will be posted on my site https://yurisk.info</span>
<span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">()</span><span class="w"></span>
<span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="n">serial_input</span><span class="p">[</span><span class="mi">6</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">""</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="n">serial_correct</span><span class="p">[</span><span class="mi">6</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"23845"</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">result</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Please enter the serial of 5 numbers:"</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="n">fgets</span><span class="p">(</span><span class="n">serial_input</span><span class="p">,</span><span class="w"> </span><span class="mi">6</span><span class="p">,</span><span class="w"> </span><span class="n">stdin</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="n">result</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">strncmp</span><span class="p">(</span><span class="n">serial_input</span><span class="p">,</span><span class="w"> </span><span class="n">serial_correct</span><span class="p">,</span><span class="w"> </span><span class="mi">5</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">result</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span>
<span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Wrong serial!, quitting ..</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Great, you have the correct serial !</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span><span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>
<p>See also other posts in the series:<br>
<a href="https://yurisk.info/2017/05/23/HIEW-hex-editor-tutorials-series-part-1-the-history/index.html">Part 1</a><br>
<a href="https://yurisk.info/2017/07/03/HIEW-hex-editor-tutorials-series-part-3-navigation/index.html">Part 3</a><br>
<a href="https://yurisk.info/2017/07/03/HIEW-hex-editor-tutorials-series-part-4-crypt-xor/index.html">Part 4</a><br>
<a href="https://yurisk.info/2017/07/29/HIEW-tutorial-hexadecimal-editor-part-5-using-Crypto-module-to-program-a-keygen/index.html">Part 5</a><br>
<a href="https://yurisk.info/2017/09/05/HIEW-tutorial-hexadecimal-editor-part-6-using-HEM-modules/index.html">Part 6</a></p>
HIEW Hex editor tutorials series , part 1 – the history.2017-05-23T13:55:25+00:002017-05-23T13:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2017-05-23:/2017/05/23/HIEW-hex-editor-tutorials-series-part-1-the-history/<p>The story of this hex editor started in the dark 90s. Its first name was ViHE (Viewer-HexEditor), and it was released by its author Eugene Suslikov as free software in early 1991. As he stated back then, it was “for occasional looking into and changing a few bytes in a file, like 7xh -> EBh”. Later that year the name changed to Hiew (Hacker's view); it was still free software and supported DOS and OS/2. As researching software protection and circumventing it was deemed back then to be the best way to learn assembly and programming, disassemblers and hex editors gained popularity and fame. Starting in 1999 with version 6.15, HIEW became shareware. The last version to support OS/2 was 6.85, in 2002. Alongside the shareware version, the author started providing a demo version with limited features. The current version is 8.53 and has the following features:</p>
<ul>
<li>Can open/view files of any size</li>
<li>Has a built-in disassembler, not a competitor to IDA but still pretty good</li>
<li>Supports 32/64-bit executables</li>
<li>Knows ELF / COFF / NE (16-bit, pretty rare today, https://en.wikipedia.org/wiki/New_Executable) / LE (successor of NE, used in OS/2 and Windows VxDs, http://fileformats.archiveteam.org/wiki/Linear_Executable) / LX (OS/2 successor of the NE format) / Mach-O</li>
<li>Search for strings/hex values/ASM instructions</li>
<li>Simple crypt/decrypt system</li>
<li>Keyboard macros</li>
<li>HIEW External Module support allows extending the functionality through an exposed API</li>
<li>ARMv6 disassembler</li>
</ul>
XCK and CRK file formats for binary patching in Windows.2017-05-22T13:55:25+00:002017-05-22T13:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2017-05-22:/2017/05/22/XCK-and-CRK-file-formats-for-binary-patching-in-windows/<p>Do not bother Googling these file types, as they belong to the era before Google even existed. In these pre-Google Dark Ages there were people taking pride in circumventing software protections, cracking in other words, and believe it or not, absolutely for free. Yep, even the DMCA didn’t exist back then. But this post is about the technical side anyway. So, in those days of distributing software via BBS and floppies, disk space played an important role, and to save bytes the crackers were distributing not the cracked software but the patch instructions to be applied to the original software to remove the protection. These patching instructions were placed in XCK/CRK text files to be fed to dedicated binary patchers. You can still find those patchers on the Net even though they are DOS programs: <strong>Cracker</strong> by <em>Corner Crackers</em>, 1991; <strong>Cracker Advanced</strong> by <em>Professor Nimnull</em>; <strong>Program Cracker</strong> by <em>Dr.Stein's labs</em>, 1993; <strong>Crack Studio</strong> by <em>Turansoft</em>, 1997. You can download them, for example, from the http://old-dos.ru/ website.
The process was simple: a cracker removed the protection in some way, then ran a program that compared the original file with the patched one (the most popular being <strong>C2U.exe</strong>) and dumped the differences in hex format to a .CRK or .XCK text file, to be later supplied to a patcher. The binary diff is still around as part of Windows 10, the good old <code>fc /B <original file> <patched file> > patchme.crk</code>. Here is an example:</p>
<p>HIEW\PROJECTS><strong>fc /B serial_orig.exe serial1.exe</strong> </p>
<div class="highlight"><pre><span></span><code>Comparing files serial_orig.exe and SERIAL1.EXE
00003F08: 74 EB
00003F09: EB 16
</code></pre></div>
<p>The CRK / CRA / XCK files basically contained the same information enclosed inside [BeginCRK] and [EndCRK] tags: first comes the byte offset into the file, next the byte value at this location in the original unpatched file, followed by the new byte value to be placed there. That is it. In the above example the instruction <strong>JZ</strong> (0x74) is to be changed to a plain <strong>JMPS</strong> (0xEB). This example is part of the tutorial series I am recording about the <strong>HIEW</strong> hex editor, to be posted on YouTube later. The rest of a CRK/CRA/XCK file was mostly dedicated to bragging and self-promotion. For the record, I will list the fields usually found in a complete CRK/CRA/XCK file, along with my comments after //:</p>
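<p>Working with the CRK/XCK records described above, as an added Python example that is not part of the original post or of any of the patchers named: it parses the records between the Begin/End tags, refuses to apply a record whose original byte does not match (so a patch made for one build is never silently written into another), and produces the same records from two files the way <code>fc /B</code> reports them. The file images and the CRK text are constructed from the post's own <code>fc /B</code> output; the tag and field names follow the post.</p>

```python
# Added example: work with CRK/XCK patch records as the post describes them
# (offset, original byte, new byte, between [BeginCRK]/[EndCRK] tags):
# parse them, verify the original bytes before patching, and produce the
# same records from two files the way `fc /B` reports differences.
# The sample file images and CRK text below are constructed.
import re
from typing import List, Tuple

PatchEntry = Tuple[int, int, int]   # (offset, original byte, new byte)

# "00003F08: 74 EB" -> offset, old value, new value, all hexadecimal
_RECORD = re.compile(
    r"^\s*([0-9A-Fa-f]+)\s*:\s*([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")
_BEGIN = re.compile(r"^\s*\[Begin(CRK|CRA|XCK)\]\s*$", re.IGNORECASE)
_END = re.compile(r"^\s*\[End(CRK|CRA|XCK)\]\s*$", re.IGNORECASE)


def parse_crk(text: str) -> List[PatchEntry]:
    """Return the patch records found between the Begin/End tags.

    Header fields such as "Description:" or "Crack by:" are free text and
    are skipped, as is anything outside the tags.
    """
    entries: List[PatchEntry] = []
    inside = False
    for line in text.splitlines():
        if _BEGIN.match(line):
            inside = True
        elif _END.match(line):
            inside = False
        elif inside:
            m = _RECORD.match(line)
            if m:
                entries.append(tuple(int(g, 16) for g in m.groups()))
    return entries


def apply_crk(image: bytes, entries: List[PatchEntry]) -> bytes:
    """Apply the records to a copy of image.

    Every original byte is checked first, so a patch made for one build is
    never silently written into a different one, where the same offset may
    hold unrelated code or data.
    """
    out = bytearray(image)
    for offset, old, new in entries:
        if offset >= len(out):
            raise ValueError(f"{offset:08X}: offset beyond end of file")
        if out[offset] != old:
            raise ValueError(
                f"{offset:08X}: expected {old:02X}, found {out[offset]:02X}")
        out[offset] = new
    return bytes(out)


def patch_applies(image: bytes, entries: List[PatchEntry]) -> bool:
    """Dry run: True if every record's original byte matches the image."""
    return all(offset < len(image) and image[offset] == old
               for offset, old, _ in entries)


def diff_to_crk(original: bytes, patched: bytes) -> List[PatchEntry]:
    """Byte-wise diff of two same-size files: the records `fc /B` prints."""
    if len(original) != len(patched):
        raise ValueError("files differ in size; CRK records cannot express that")
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, patched)) if a != b]


def format_crk(entries: List[PatchEntry], description: str) -> str:
    """Render records in the CRK layout described in the post."""
    lines = ["[BeginCRK]", f"Description: {description}"]
    lines += [f"{off:08X}: {old:02X} {new:02X}" for off, old, new in entries]
    lines.append("[EndCRK]")
    return "\n".join(lines) + "\n"


# Constructed images reproducing the post's fc /B output: 74 EB at 0x3F08
# in the original (JZ short), EB 16 in the patched copy (JMP short).
ORIGINAL_IMAGE = bytes(0x3F08) + b"\x74\xEB" + bytes(0x100)
PATCHED_IMAGE = bytes(0x3F08) + b"\xEB\x16" + bytes(0x100)
SAMPLE_CRK = """[BeginCRK]
Description: constructed sample for the serial1.exe tutorial binary
Crack [subject]: serial check
00003F08: 74 EB
00003F09: EB 16
[EndCRK]
"""

if __name__ == "__main__":
    records = parse_crk(SAMPLE_CRK)
    print(records == diff_to_crk(ORIGINAL_IMAGE, PATCHED_IMAGE))   # True
    print(apply_crk(ORIGINAL_IMAGE, records) == PATCHED_IMAGE)     # True
    print(patch_applies(PATCHED_IMAGE, records))                   # False: already patched
```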
<div class="highlight"><pre><span></span><code>[BeginXCK]          // Beginning of the file
Description:        // Description of the targeted software
Crack [subject]:    // What is being cracked (serial/time limit/floppy protection/etc)
Crack by:           // Author of the crack
Crack made at:      // Date of the crack
Used packer:        // Whether some packer was used
Target OS:          // Target OS, e.g. DOS/Win95
URL:                // if the program had a website
Protection:         // level of the software protection difficulty in percent, subjective to the cracker of course
Language:           // Guessed programming language of the original software
Size:               // software size in bytes
Type of Hack:       // type of crack, e.g. JMP correction
Used Tools:         // tools used to beat the protection, e.g. HIEW/Soft-Ice
Under Music:        // Music being listened to while cracking, in those days it should have been HMR of some kind to sound cool
[BeginCRK]          // actual patch information starts here
Original_software_name
Filename.exe        // file to be patched
00003F08: 74 EB
[EndCRK]
[EndXCK]
</code></pre></div>
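<p>The format above is simple enough to handle without the DOS patchers. The following is an added example for this post (my code, not one of the tools it mentions): it parses the <code>[BeginCRK]</code> block, applies the byte patches only if the original bytes really are at the stated offsets, and can also produce a patch list from two files the way C2U / <code>fc /B</code> did. The sample patch file and the 8-byte "executable" are constructed for the demo; the patch-line regex also accepts the <code>00003F08: 74 EB</code> lines of <code>fc /B</code> output.</p>

```python
"""Parse and apply a CRK/XCK byte patch list (added example, not a DOS patcher)."""
import re
from typing import List, Tuple

Patch = Tuple[int, int, int]          # (offset, original byte, new byte)

# Matches a CRK patch line ("00003F08: 74 EB") and a line of fc /B output alike.
PATCH_LINE = re.compile(r"^\s*([0-9A-Fa-f]{1,8})\s*:\s*([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")

# Constructed sample patch file in the layout described above.
SAMPLE_CRK = """\
[BeginXCK]
Description: demo program with a serial check (constructed)
Crack by: editor
[BeginCRK]
Demo program 1.0
demo.exe
00000004: 74 EB
00000005: EB 16
[EndCRK]
[EndXCK]
"""

# Constructed 8-byte "executable": bytes 4-5 hold the jz rel8 that the patch turns into jmp short.
SAMPLE_BINARY = b"MZ\x90\x00\x74\xEB\x90\x90"


def parse_crk(text: str):
    """Return (program name, file name, patches) from the [BeginCRK] .. [EndCRK] block."""
    lines = text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.strip().upper() == "[BEGINCRK]")
        end = next(i for i, l in enumerate(lines) if i > start and l.strip().upper() == "[ENDCRK]")
    except StopIteration:
        raise ValueError("no [BeginCRK] ... [EndCRK] block found") from None
    body = [l.strip() for l in lines[start + 1:end] if l.strip()]
    if len(body) < 3:
        raise ValueError("CRK block must hold program name, file name and at least one patch line")
    program, filename = body[0], body[1]
    patches: List[Patch] = []
    for line in body[2:]:
        m = PATCH_LINE.match(line)
        if not m:
            raise ValueError(f"malformed patch line: {line!r}")
        patches.append((int(m.group(1), 16), int(m.group(2), 16), int(m.group(3), 16)))
    return program, filename, patches


def apply_patches(data: bytes, patches: List[Patch]) -> bytes:
    """Apply the patches, refusing if the file does not hold the expected original bytes.

    This check is what stops a patch list from corrupting a different version of the
    program, or a file that has already been patched."""
    buf = bytearray(data)
    for off, old, new in patches:
        if off >= len(buf):
            raise ValueError(f"offset {off:08X} is past the end of the {len(buf)}-byte file")
        if buf[off] != old:
            raise ValueError(f"offset {off:08X}: expected {old:02X}, found {buf[off]:02X} (wrong file or already patched)")
        buf[off] = new
    return bytes(buf)


def diff_bytes(original: bytes, patched: bytes) -> List[Patch]:
    """What C2U.exe or fc /B did: list every in-place byte change between the two files."""
    if len(original) != len(patched):
        raise ValueError("patch lists describe in-place changes only; the files differ in size")
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, patched)) if a != b]


def format_crk(program: str, filename: str, patches: List[Patch]) -> str:
    """Render the [BeginCRK] block back in the classic layout."""
    body = [program, filename] + [f"{off:08X}: {old:02X} {new:02X}" for off, old, new in patches]
    return "[BeginCRK]\n" + "\n".join(body) + "\n[EndCRK]\n"


if __name__ == "__main__":
    program, filename, patches = parse_crk(SAMPLE_CRK)
    patched = apply_patches(SAMPLE_BINARY, patches)
    print(f"{program} / {filename}: {len(patches)} byte(s) patched -> {patched.hex(' ')}")
    print(format_crk(program, filename, diff_bytes(SAMPLE_BINARY, patched)), end="")
```

<p>Applying the same list twice raises, because the original bytes are no longer there; that is the one safety check the old one-byte-per-line format allows, and it is worth keeping in any patcher you write.</p>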
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>NMAP UDP DNS scan unexpected packets sending2017-05-21T13:55:25+00:002017-05-21T13:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2017-05-21:/2017/05/21/nmap-udp-dns-scan-unexpected-packets-sending/<p>I got the other day an automated mail alert from some IDS/IPS equipment that 'a NULL DNS scan was detected and blocked from your IP'. NULL DNS scan? I wasn't sending any such packets, not to mention I had no idea what they meant by that. After some packet-level investigation, here is what happened.
I was scanning the Internet space for <strong>open DNS resolvers</strong> for my security project, and was doing it with <code>nmap -sU -p 53 -n --script=dns-recursion</code>. This scan is supposed to send a dull and completely legitimate A record query for www.wikipedia.org, and if the target answers it recursively, then it is an open DNS resolver. Still, somehow it triggered an alert on NULL DNS, which does exist by the way as an experimental record type (NULL, type 10 in RFC 1035) but has nothing to do with the NMAP scan.
Doing the scan again with Wireshark running, I saw to my surprise the following packet (usually 2 of them) being sent before NMAP sends the aforementioned www.wikipedia.org request: </p>
<p><img alt="Wireshark screenshot" src="https://yurisk.info/images/wireshark-dns-scan.png"> </p>
<p>It is called a <strong>Server Status request</strong> (OPCODE 2, see https://www.ietf.org/rfc/rfc1035.txt) and was meant to be used by DNS server admins for management and health checks. Of course it is highly unexpected, and naturally rejected, when coming from the Internet. But why does NMAP send this packet?
Turns out (thanks to David Fifield, one of the NMAP developers) that when NMAP does a UDP scan, beyond what you specify on the CLI it adds protocol-specific payloads depending on the destination port, all taken from /usr/share/nmap/nmap-payloads. For UDP port 53 the payload there is:</p>
<div class="highlight"><pre><span></span><code># DNSStatusRequest
udp 53 "\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00"
</code></pre></div>
<p>which consists almost entirely of 0x00 bytes (only the OPCODE bits are set), and that seems to be what trips the NULL scan signature.
NMAP sends such payloads in a UDP scan so as not to send an empty UDP datagram, which elicits fewer responses, i.e. it reasons that "something is better than nothing". To avoid it there are 2 ways:</p>
<ol>
<li>specify a 0 data length for the UDP packet: <code>--data-length 0</code></li>
<li>comment out with # the relevant port section in /usr/share/nmap/nmap-payloads</li>
</ol>
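<p>To see what the IDS sees, the following added example (my code, not NMAP's) decodes the 12-byte payload quoted above from nmap-payloads and contrasts it with the ordinary A query for www.wikipedia.org that dns-recursion is expected to send. The header layout follows RFC 1035 section 4.1.1; the server answer is constructed inline (documentation address 203.0.113.10) instead of coming from live traffic, and the "open resolver" verdict is my own reading of what such a probe checks (RA set, NOERROR, an answer present), not a copy of the script's logic.</p>

```python
"""Decode the nmap UDP/53 payload and compare it with a normal DNS query (added example)."""
import struct

# Exact bytes from the "udp 53" entry of nmap-payloads quoted above.
NMAP_DNS_PAYLOAD = b"\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00"

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}   # RFC 1035 section 4.1.1


def parse_dns_header(pkt: bytes) -> dict:
    """Split the 12-byte DNS header into its fields."""
    if len(pkt) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    opcode = (flags >> 11) & 0xF
    return {
        "id": txid,
        "qr": flags >> 15,              # 0 = query, 1 = response
        "opcode": opcode,
        "opcode_name": OPCODES.get(opcode, f"reserved({opcode})"),
        "rd": (flags >> 8) & 1,         # recursion desired
        "ra": (flags >> 7) & 1,         # recursion available
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def encode_qname(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(pkt: bytes, offset: int = 12):
    """Read an uncompressed name starting at offset; returns (name, offset after it)."""
    labels = []
    while True:
        n = pkt[offset]
        offset += 1
        if n == 0:
            return ".".join(labels), offset
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        labels.append(pkt[offset:offset + n].decode("ascii"))
        offset += n


def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """The dull query: opcode QUERY, RD=1, one A/IN question."""
    flags = 0x0100                                   # QR=0 OPCODE=0 RD=1
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def classify(pkt: bytes) -> str:
    """Label a DNS message the way a signature would: the nmap payload is not a query at all."""
    h = parse_dns_header(pkt)
    if h["qr"] == 0 and h["opcode"] == 2 and h["qdcount"] == 0:
        return "STATUS request, no question section (the nmap-payloads DNSStatusRequest)"
    if h["qr"] == 0 and h["opcode"] == 0 and h["qdcount"] >= 1:
        qname, _ = decode_qname(pkt)
        return f"standard query for {qname}, RD={h['rd']}"
    return f"other DNS message: opcode {h['opcode_name']}, rcode {h['rcode']}"


def build_a_response(query: bytes, ip: str, recursion_available: bool = True, rcode: int = 0) -> bytes:
    """Constructed server answer to build_a_query(); stands in for live traffic."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8100 | (0x0080 if recursion_available else 0) | (rcode & 0xF)   # QR=1 RD=1 [RA=1]
    _, qend = decode_qname(query)
    question = query[12:qend + 4]                    # name + QTYPE + QCLASS
    ancount = 1 if rcode == 0 else 0
    header = struct.pack("!6H", txid, flags, 1, ancount, 0, 0)
    answer = b""
    if ancount:
        # name = pointer to offset 12, type A, class IN, TTL 300, rdlength 4, address
        answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


def looks_like_open_resolver(query: bytes, response: bytes) -> bool:
    """My reading of the verdict: matching ID, RA set, NOERROR, and an answer came back."""
    h = parse_dns_header(response)
    return (h["id"] == parse_dns_header(query)["id"] and h["qr"] == 1
            and h["ra"] == 1 and h["rcode"] == 0 and h["ancount"] >= 1)


if __name__ == "__main__":
    print(classify(NMAP_DNS_PAYLOAD))
    q = build_a_query("www.wikipedia.org")
    print(classify(q))
    print(looks_like_open_resolver(q, build_a_response(q, "203.0.113.10")))
    print(looks_like_open_resolver(q, build_a_response(q, "203.0.113.10", recursion_available=False, rcode=5)))
```

<p>Run it and the first line says STATUS with QDCOUNT=0, which is why the sensor does not see a query at all, while the second is the recognizable www.wikipedia.org lookup; with <code>--data-length 0</code> only the second one ever leaves your host.</p>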
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Last measure for the desperate case of a lost access to the Check Point firewall2017-04-18T13:55:25+00:002017-04-18T13:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2017-04-18:/2017/04/18/last-measure-for-the-desperate-case-of-a-lost-access-to-the-Check-Point-firewall/<p>It may happen to anyone: a mistaken security rule "Any Any Drop", or a dynamic object used for a URL block. The end result: after the policy install you have no administrative access to the firewall via SmartDashboard/SSH/HTTPS. For this case Check Point provides the <strong>fw unloadlocal</strong> expert-level command (console or SSH) to unload the Security Policy. Unlike the <strong>Initial policy</strong> applied when installing the firewall, here you get a firewall without ANY policy, open on any port from any source. So it is a good idea to physically disconnect the firewall from the Internet before doing so. The next step is to connect to this "naked" firewall with SmartDashboard, fix the mistake that caused the situation, and install the corrected Security Policy. </p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>How many times can we change IP address of the Check Point license?2017-03-11T13:55:25+00:002017-03-11T13:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2017-03-11:/2017/03/11/How-many-times-can-we-change-ip-address-of-the-Check-Point-license/<p><strong>TLDR: 6 times</strong>. <br>
Today most licenses are of the central type, so we rarely need to change their IP address, as the IP address of the Management server does not change that often. Still, if this happens, there is an option to change the IP address, i.e. re-license the existing license. Don't take my word for this, as it is completely up to Check Point to change it at any time, but currently they allow doing so <strong>6 times</strong>, after which you would need to either contact them to settle this or buy a new license. </p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>NMAP run stages flow diagram2017-01-25T13:55:25+00:002017-01-25T13:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2017-01-25:/2017/01/25/nmap-run-stages-flow-diagram/<p>The NMAP scanner has become so user-friendly over the years that it is not apparent what is going on when it runs. Below is a typical NMAP workflow:<br>
<img alt="Nmap Flow diagram" src="https://yurisk.info/2017/01/25/nmap-run-stages-flow-diagram/NMAP_scan_flow.gif"></p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Hex editor of binary files on Linux2017-01-13T13:55:25+00:002020-06-21T23:18:00+02:00Yuri Slobodyanyuktag:yurisk.info,2017-01-13:/2017/01/13/hex-editor-of-binary-files-on-linux/<p>Reading this thread on Stackoverflow http://stackoverflow.com/questions/5498197/need-a-good-hex-editor-for-linux I wondered how come, with so many hex editors on Linux, there is not really a best one. On Windows it is easier: the expensive WinHex or the affordable Hiew. Anyway, on Linux I always use <strong>Vim</strong>:<br>
Enter <code>:%!xxd</code> to switch to hex editing mode, set <code>:set binary</code>, and after finishing the edit issue <code>:%!xxd -r</code> to convert back to binary before saving. Do not save while in hex mode: the file would be written as its ASCII hex-dump representation, so always revert to binary first.</p>
<p>In steps:<br>
1. Open the file in Vim as usual (better still, <code>vim -b file</code>, so Vim reads it in binary mode from the start).<br>
2. Switch to the hex representation with <code>:%!xxd</code>, which filters the buffer through the external <strong>xxd</strong> tool.<br>
3. Set binary mode with <code>:set binary</code> so Vim does NOT automatically add a trailing linefeed (0x0A) on saving.<br>
4. Do the edits (change the hex values only; <code>xxd -r</code> ignores the ASCII column and honours the offsets at the start of each line, so replace bytes rather than inserting or deleting them).<br>
5. Switch back with <code>:%!xxd -r</code> to convert the hexdump into binary again.<br>
6. Write the changes back to the file and quit with <code>:wq</code>.</p>
<p><em>Note</em>: If the right-hand ASCII column and the offsets, which are not part of the binary, distract you, you can display the file contents without them using <code>:%!xxd -p</code> and revert with <code>:%!xxd -r -p</code>.</p>
<p>For the list of available hex editors, see <a href="https://en.wikipedia.org/wiki/Comparison_of_hex_editors" target=_blank rel="noopener">Wikipedia: Comparison of hex editors</a>.</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Ever wondered how much does ip addresses allocation cost to your service provider?2017-01-07T13:55:25+00:002017-01-07T13:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2017-01-07:/2017/01/07/how-much-ip-addresses-allocation-costs-to-your-provider/<p>Ever wondered how much IP address allocation really costs your provider? Well, that is easy. If we talk about the RIPE IP address space (the majority today), then RIPE NCC publishes its fees for LIRs (Local Internet Registries), which is what your ISP is, including the fee per PI (Provider Independent) assignment. Here it is: </p>
<table>
<thead>
<tr>
<th>All prices in EUR</th>
<th>2014</th>
<th>2015</th>
<th>2016</th>
<th>2017</th>
</tr>
</thead>
<tbody>
<tr>
<td>Annual fee per LIR</td>
<td>1750 + 50 per PI assignment</td>
<td>1600 + 50 per PI assignment</td>
<td>1400 + 50 per PI assignment</td>
<td>1400 + 50 per PI assignment</td>
</tr>
</tbody>
</table>
<p>Taken from ftp://ftp.ripe.net/ripe/docs/ripe-666.pdf </p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Public DNS servers open to any on the Internet2017-01-03T11:55:25+00:002017-01-03T11:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2017-01-03:/2017/01/03/public-dns-servers-open-to-any/<div class="paragraph">
<p>Following Google's example, many other providers have made their DNS servers available to us as recursive resolvers without any limitations. As they do not announce it widely enough you may not have heard about them, so here is the list of these DNS servers:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>OpenDNS/Cisco Umbrella: <code><strong>208.67.222.220</strong></code> and <code><strong>208.67.222.222</strong></code></p>
</li>
<li>
<p>Hurricane Electric (he.net): <code>74.82.42.42</code></p>
</li>
<li>
<p>OpenNIC (<a href="https://www.opennicproject.org/" class="bare">https://www.opennicproject.org/</a>): <code>50.116.23.211</code></p>
</li>
<li>
<p>VeriSign: <code>64.6.64.6</code> and <code>64.6.64.4</code></p>
</li>
<li>
<p>Comodo Secure DNS: <code>8.20.247.20</code> and <code>8.26.56.26</code></p>
</li>
<li>
<p>Level3: <code>209.244.0.3</code> and <code>209.244.0.4</code></p>
</li>
<li>
<p>DynDNS: <code>216.146.35.35</code> and <code>216.146.35.36</code></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
</div>Linux ip route command reference by example2016-12-19T13:55:25+00:002016-12-19T13:55:25+00:00Yuri Slobodyanyuktag:yurisk.info,2016-12-19:/2016/12/19/linux-ip-route-command-reference-by-example/<ul>
<li><a href="#ip-address---manage-ip-addresses-on-interfaces">ip address - Manage IP address(es) on interfaces</a></li>
<li><a href="#ip-route---manage-routing-table">ip route - Manage routing table</a></li>
<li><a href="#ip-link---link-management">ip link - Link Management</a></li>
<li><a href="#interface--grouping">Interface Grouping.</a></li>
<li><a href="#ip-neighbor---managing-arp-table">ip neighbor - Managing ARP table</a></li>
<li><a href="#tunnel-interfaces">Tunnel interfaces</a></li>
<li><a href="#gre">GRE</a></li>
</ul>
<p>NOTE: All the commands below take effect immediately after you hit Enter, and do NOT survive reboot.</p>
<p><a name="ip-address---manage-ip-addresses-on-interfaces"></a></p>
<h3>ip address - Manage IP address(es …</h3><ul>
<li><a href="#ip-address---manage-ip-addresses-on-interfaces">ip address - Manage IP address(es) on interfaces</a></li>
<li><a href="#ip-route---manage-routing-table">ip route - Manage routing table</a></li>
<li><a href="#ip-link---link-management">ip link - Link Management</a></li>
<li><a href="#interface--grouping">Interface Grouping.</a></li>
<li><a href="#ip-neighbor---managing-arp-table">ip neighbor - Managing ARP table</a></li>
<li><a href="#tunnel-interfaces">Tunnel interfaces</a></li>
<li><a href="#gre">GRE</a></li>
</ul>
<p>NOTE: All the commands below take effect immediately after you hit Enter, and do NOT survive reboot.</p>
<p><a name="ip-address---manage-ip-addresses-on-interfaces"></a></p>
<h3>ip address - Manage IP address(es) on interfaces</h3>
<div class="highlight"><pre><span></span><code> ip address show <span class="c1">#show all IP addresses (also ip ad sh), mtu, MAC addresses</span>
ip address show ens36 <span class="c1">#show IP addresses of a particular interface</span>
ip address show up <span class="c1">#only show IPs of those interfaces that are up</span>
ip address show dynamic<span class="p">|</span>permanent <span class="c1">#show dynamic (DHCP) or static IPv6/IPv4 addresss</span>
ip address add <span class="m">192</span>.0.2.1/27 dev ens36 <span class="c1">#add a new IP address to the interface</span>
</code></pre></div>
<p>The first address you add is used as the SOURCE address for outgoing traffic by default; it is often called the primary address. Incoming traffic is accepted on all the added addresses. </p>
<div class="highlight"><pre><span></span><code> ip address add <span class="m">192</span>.0.2.1/29 dev ens36 label ens36:hahaha <span class="c1"># add IP and label it</span>
ip address delete <span class="m">192</span>.0.2.1/29 dev ens36 <span class="c1"># delete Ip address from interface</span>
ip address flush dev ens36 <span class="c1"># delete all IPs from an interface</span>
</code></pre></div>
<p><a name="ip-route---manage-routing-table"></a></p>
<h3>ip route - Manage routing table</h3>
<p>If you set up a static route and the interface through which it is reachable goes down, the route is removed from the active routing table as well. Also, you cannot add a route via a gateway that is not reachable through a directly connected network (unless you add the route with the <code>onlink</code> flag).</p>
<div class="highlight"><pre><span></span><code> ip route <span class="o">[</span>show<span class="o">]</span> / ip ro <span class="c1"># Show the routing table, includes IPv4 and IPv6</span>
ip -6 route <span class="c1"># show only IPv6 , which are not shown by def</span>
ip -4 route
ip route add default via <span class="m">10</span>.10.10.1 <span class="c1"># Add default route via next hop</span>
ip route add default dev ens36 <span class="c1"># Add default route via interface</span>
ip route add <span class="m">0</span>.0.0.0/0 dev ens36 <span class="c1"># Add default route via the interface</span>
ip route delete default dev ens36 <span class="c1"># Delete Default route</span>
ip route show root <span class="m">192</span>.0.2.0/24 <span class="c1"># you can use supernet to include multiple more specific routes to show, i.e. show this net and SMALLER subnets</span>
ip route show match <span class="m">192</span>.0.2.0/29 <span class="c1"># show routes to this and LARGER nets</span>
ip route show exact <span class="m">192</span>.168.13.0/24 <span class="c1"># show routes to EXACT network only</span>
ip route get <span class="m">192</span>.176.12.1 <span class="c1"># ask the kernel which route (and source address) it would use for this destination right now</span>
ip route add <span class="m">192</span>.192.13.0/24 via <span class="m">10</span>.13.77.1 <span class="c1"># Add new route to 192.192.13.0/24 via nexthop (the prefix must be the network address; 192.192.13.1/24 is rejected)</span>
ip route add <span class="m">192</span>.192.13.0/24 dev ens36 <span class="c1"># Add new route to 192.192.13.0/24 via interface</span>
ip route delete <span class="m">192</span>.192.13.0/24 via <span class="m">10</span>.13.77.1 <span class="c1"># Delete specific route</span>
ip route delete <span class="m">192</span>.192.13.0/24 <span class="c1"># Delete specific route</span>
ip route change <span class="m">192</span>.192.13.0/24 dev ens32 <span class="c1"># change some params of an existing route</span>
ip route replace <span class="m">192</span>.192.13.0/24 dev ens36 <span class="c1"># replace if it exists, add if not</span>
ip -6 route add default via <span class="m">2001</span>:db8::1 <span class="c1"># Add IPv6 default route</span>
ip route add blackhole <span class="m">192</span>.1.1.0/24 <span class="c1"># Black hole a route: packets are silently discarded</span>
ip route add unreachable <span class="m">10</span>.10.10.0/24 <span class="c1"># Block destination, sends ICMP "Host unreachable"</span>
ip route add prohibit <span class="m">10</span>.1.1.1/32 <span class="c1"># Block destination, sends ICMP "Administratively prohibited"</span>
ip route add throw <span class="m">10</span>.1.1.1/32 <span class="c1"># Stop the lookup in this table and fall through to the next policy rule; with no other match the result is "Net unreachable"</span>
ip route add <span class="m">10</span>.10.10.0/24 via <span class="m">10</span>.1.1.1 metric <span class="m">5</span> <span class="c1"># Add route with a custom metric (lower is preferred)</span>
ip route add default nexthop via <span class="m">10</span>.10.10.1 weight <span class="m">1</span> nexthop dev ens33 weight <span class="m">10</span> <span class="c1"># Add a multipath default route; a higher weight gets a proportionally larger share of the flows</span>
</code></pre></div>
<p><a name="ip-link---link-management"></a></p>
<h3>ip link - Link Management</h3>
<div class="highlight"><pre><span></span><code> ip link show <span class="p">|</span> ip link <span class="p">|</span> ip link list <span class="c1"># Show all available interfaces/links</span>
ip link show ens33 <span class="c1"># Show information about specific interface</span>
ip link <span class="nb">set</span> dev eth0 down <span class="p">|</span> up <span class="c1"># Set interface down or up</span>
ip link <span class="nb">set</span> &lt;dev&gt; name &lt;new name&gt; <span class="c1"># Rename the interface, bring it down first</span>
ip link <span class="nb">set</span> dev eth0 address <span class="m">02</span>:11:22:cc:33:11 <span class="c1"># Change MAC address of the interface</span>
ip link <span class="nb">set</span> dev tun0 mtu <span class="m">1480</span> <span class="c1"># Set MTU size of interface</span>
ip link delete &lt;dev&gt; <span class="c1"># Delete a virtual interface (VLAN, bridge, dummy, etc.); physical NICs cannot be deleted</span>
ip link <span class="nb">set</span> dev ens36 arp off<span class="p">|</span>on <span class="c1"># disable/enable ARP on interface</span>
ip link <span class="nb">set</span> dev ens36 multicast on<span class="p">|</span>off <span class="c1"># disable/enable multicast on interface</span>
ip link add name eth0.110 link eth0 <span class="nb">type</span> vlan id <span class="m">110</span> <span class="c1"># Add new VLAN 110 on eth0</span>
ip link add name eth0.100 link eth0 <span class="nb">type</span> vlan proto <span class="m">802</span>.1ad id <span class="m">100</span>
ip link add name eth0.100.200 link eth0.100 <span class="nb">type</span> vlan proto <span class="m">802</span>.1q id <span class="m">200</span>
// QinQ encapsulation <span class="o">(</span>available since kernel <span class="m">3</span>.10<span class="o">)</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code> ip link add name peth0 link eth0 <span class="nb">type</span> macvlan
ip link add name dummy10 <span class="nb">type</span> dummy <span class="c1"># Create new interface</span>
ip link add name br0 <span class="nb">type</span> bridge <span class="c1"># Create bridge interface</span>
ip link <span class="nb">set</span> dev eth0 master br0 <span class="c1"># Add eth0 to the bridge</span>
ip link <span class="nb">set</span> dev eth0 nomaster
ip link add ifb10 <span class="nb">type</span> ifb <span class="c1"># Intermediate functional block interface</span>
</code></pre></div>
<p><a name="interface--grouping"></a></p>
<h3>Interface Grouping.</h3>
<p>Links not assigned to any group belong to group 0. Group names are stored in the /etc/iproute2/group file; up to 255 groups are possible. </p>
<div class="highlight"><pre><span></span><code> ip link <span class="nb">set</span> dev eth0 group <span class="m">33</span>
ip link <span class="nb">set</span> dev eth0 group <span class="m">0</span>
ip link <span class="nb">set</span> group <span class="m">33</span> down
ip link <span class="nb">set</span> group <span class="m">33</span> mtu <span class="m">1300</span>
ip link list group <span class="m">33</span>
</code></pre></div>
<p><a name="ip-neighbor---managing-arp-table"></a></p>
<h3>ip neighbor - Managing ARP table</h3>
<div class="highlight"><pre><span></span><code> ip neighbor show <span class="c1"># Show MAC addresses of the neighbors (ARP / NDP cache)</span>
 ip -6 neighbor show <span class="c1"># IPv6 neighbor cache</span>
 ip neighbor show dev eth0 <span class="c1"># show MAC addresses learned on interface eth0</span>
 ip neighbor flush dev eth0 <span class="c1"># Delete all cached MAC addresses on interface eth0</span>
 ip neighbor add <span class="m">192</span>.1.1.1 lladdr <span class="m">22</span>:33:44:55:ff:11 dev eth0 <span class="c1"># Add a static (permanent) ARP entry</span>
 ip neighbor delete <span class="m">192</span>.1.1.1 lladdr <span class="m">22</span>:33:44:55:ff:11 dev eth0 <span class="c1"># Delete the entry</span>
</code></pre></div>
<p><a name="tunnel-interfaces"></a></p>
<h3>Tunnel interfaces</h3>
<p>IPIP, SIT (IPv6 in IPv4), IP6IP6 (IPv6 in IPv6), IPIP6 (IPv4 in IPv6), GRE, VTI (kernel 3.6 or later, IPv4 in IPsec). Tunnels are created in the DOWN state, don't forget to bring them up.</p>
<div class="highlight"><pre><span></span><code> ip tunnel add tun0 mode ipip <span class="nb">local</span> <span class="m">192</span>.0.2.1 remote <span class="m">198</span>.13.22.12
ip link <span class="nb">set</span> dev tun0 up
ip address add <span class="m">10</span>.1.1.1/30 dev tun0
ip tunnel add tun9 mode sit <span class="nb">local</span> <span class="m">192</span>.0.2.1 remote <span class="m">198</span>.21.33.13
ip link <span class="nb">set</span> dev tun9 up
ip address add <span class="m">2001</span>:db8:1::1/64 dev tun9
</code></pre></div>
<p><em>Gretap tunnel</em> - encapsulates Ethernet frames into IPv4; used to connect L2 segments over L3. It is an L2 interface.</p>
<div class="highlight"><pre><span></span><code> <span class="c1"># ip link add gretap0 type gretap local 192.0.2.1 remote 198.21.13.14</span>
</code></pre></div>
<p><a name="gre"></a></p>
<h4>GRE</h4>
<div class="highlight"><pre><span></span><code> ip tunnel add tun7 mode gre <span class="nb">local</span> <span class="m">192</span>.0.2.1 remote <span class="m">197</span>.13.12.1
ip link <span class="nb">set</span> dev tun7 up
ip address add <span class="m">192</span>.168.1.1/30 dev tun7
ip tunnel add tun11 mode gre <span class="nb">local</span> <span class="m">192</span>.0.2.1 key <span class="m">1234</span> <span class="c1"># GRE point to multipoint</span>
ip link <span class="nb">set</span> dev tun11 up
ip address add <span class="m">10</span>.1.1.1/24 dev tun11
ip neighbor add <span class="m">10</span>.1.1.2 lladdr <span class="m">197</span>.13.12.1 dev tun11 <span class="c1"># lladdr is the peer's underlay IP, not our own local one</span>
ip tunnel delete tun11
ip tunnel change tun0 remote <span class="m">194</span>.13.221.1
ip tunnel show
</code></pre></div>
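<p>The following Python snippet is an added example, not code from the cheat sheet: it builds and parses the GRE header (RFC 2784, with the key and sequence fields of RFC 2890) that the <code>ip tunnel ... mode gre</code> and <code>gretap</code> commands above wrap around the inner packet, and it shows how the tunnel key (1234 in the point-to-multipoint command) is used only to pick the tunnel a packet belongs to. The packet bytes are constructed inline.</p>

```python
"""Build and parse GRE headers (RFC 2784, key/sequence fields from RFC 2890).

Added example, not from the cheat sheet; the packets below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

GRE_FLAG_CHECKSUM = 0x8000   # C: 16-bit checksum + 16 reserved bits follow
GRE_FLAG_KEY = 0x2000        # K: 32-bit key follows (ip tunnel ... key 1234)
GRE_FLAG_SEQ = 0x1000        # S: 32-bit sequence number follows
GRE_VERSION_MASK = 0x0007

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_TEB = 0x6558       # transparent Ethernet bridging: what gretap carries


@dataclass
class GreHeader:
    protocol: int
    checksum: Optional[int]
    key: Optional[int]
    sequence: Optional[int]
    header_len: int          # offset at which the encapsulated packet starts


def parse_gre(data: bytes) -> GreHeader:
    if len(data) < 4:
        raise ValueError("GRE header truncated")
    flags, protocol = struct.unpack_from("!HH", data, 0)
    if flags & GRE_VERSION_MASK:
        raise ValueError("only GRE version 0 is handled")
    # Size the header from the flags first, so a short datagram is rejected
    # cleanly instead of failing half-way through the optional fields.
    length = 4 + sum(4 for bit in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ) if flags & bit)
    if len(data) < length:
        raise ValueError("GRE optional fields truncated")
    offset = 4
    checksum = key = sequence = None
    if flags & GRE_FLAG_CHECKSUM:
        checksum = struct.unpack_from("!H", data, offset)[0]
        offset += 4          # checksum plus the 16 reserved bits
    if flags & GRE_FLAG_KEY:
        key = struct.unpack_from("!I", data, offset)[0]
        offset += 4
    if flags & GRE_FLAG_SEQ:
        sequence = struct.unpack_from("!I", data, offset)[0]
        offset += 4
    return GreHeader(protocol, checksum, key, sequence, offset)


def build_gre(protocol: int, inner: bytes, key: Optional[int] = None,
              sequence: Optional[int] = None) -> bytes:
    flags, optional = 0, b""
    if key is not None:
        flags |= GRE_FLAG_KEY
        optional += struct.pack("!I", key)
    if sequence is not None:
        flags |= GRE_FLAG_SEQ
        optional += struct.pack("!I", sequence)
    return struct.pack("!HH", flags, protocol) + optional + inner


def belongs_to_tunnel(data: bytes, tunnel_key: Optional[int]) -> bool:
    """Keyed demultiplexing as a GRE endpoint does it: a packet goes to the
    tunnel whose key it carries (or to the unkeyed tunnel if it carries none).
    The key travels in clear and is not a secret: it selects a tunnel, it does
    not authenticate the sender."""
    return parse_gre(data).key == tunnel_key


# Constructed sample: a bare 20-byte IPv4 header stands in for the inner packet
INNER_IPV4 = bytes([0x45, 0x00, 0x00, 0x14]) + bytes(16)
KEYED_PKT = build_gre(ETHERTYPE_IPV4, INNER_IPV4, key=1234)
PLAIN_PKT = build_gre(ETHERTYPE_IPV4, INNER_IPV4)

if __name__ == "__main__":
    for name, pkt in (("keyed", KEYED_PKT), ("plain", PLAIN_PKT)):
        h = parse_gre(pkt)
        print(f"{name}: proto=0x{h.protocol:04x} key={h.key} inner starts at byte {h.header_len}")
```

<p>Because the key is a plain 32-bit value carried in clear, matching it proves nothing about who sent the packet; of the tunnel types listed above, only VTI (IPv4 in IPsec) protects the contents and origin of the tunnelled traffic.</p>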
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
<h3>Free public NTP servers from Google</h3>
<p>Published 2016-12-10T13:55:25+00:00 by Yuri Slobodyanyuk, yurisk.info/2016/12/10/free-public-ntp-servers-from-google/</p>
<p>It has passed somewhat unnoticed, but Google has made its NTP servers freely available to everyone. I have been using their DNS servers for years without any issues, so I will trust their NTP ones as well. So far they work just fine. For a single server we can use time.google.com, and for multiple servers (even though they all seem to be in the same class C, I get different latencies, from 85 msec up to 185 msec) we can use <br>
<strong>time1.google.com</strong> <br>
<strong>time2.google.com</strong><br>
<strong>time3.google.com</strong><br>
<strong>time4.google.com</strong> </p>
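<p>As an added example (not part of the original post), here is a minimal SNTP client in Python that queries the hostnames above, checks that each reply really answers the request it sent, computes the clock offset and round-trip delay per RFC 4330, and takes the median across servers so that a single wrong answer does not win. The <code>build_reply</code> helper only fabricates a reply locally so the arithmetic can be exercised offline; it is not a Google server's response.</p>

```python
"""Minimal SNTP (RFC 4330) client with a reply check and a median across servers.

Added example, not code from the post. The hostnames are the ones listed above;
build_reply only constructs a reply locally so the arithmetic can run offline.
"""
import socket
import statistics
import struct
import time

NTP_PORT = 123
NTP_UNIX_DELTA = 2208988800          # seconds between the NTP (1900) and Unix (1970) epochs
MODE_CLIENT, MODE_SERVER = 3, 4
LI_VN_MODE_CLIENT = (0 << 6) | (4 << 3) | MODE_CLIENT   # leap 0, NTPv4, client mode


def to_ntp(unix_ts: float):
    """Unix timestamp -> NTP (seconds, 32-bit fraction) words."""
    secs = int(unix_ts)
    frac = int(round((unix_ts - secs) * 2**32)) & 0xFFFFFFFF
    return secs + NTP_UNIX_DELTA, frac


def from_ntp(secs: int, frac: int) -> float:
    return secs - NTP_UNIX_DELTA + frac / 2**32


def build_request(t1: float) -> bytes:
    pkt = bytearray(48)
    pkt[0] = LI_VN_MODE_CLIENT
    struct.pack_into("!II", pkt, 40, *to_ntp(t1))      # transmit timestamp = T1
    return bytes(pkt)


def parse_response(request: bytes, reply: bytes, t1: float, t4: float) -> dict:
    """Validate a reply against the request it should answer, then compute
    offset and round-trip delay from the four timestamps."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    w = struct.unpack("!12I", reply[:48])
    leap = w[0] >> 30
    mode = (w[0] >> 24) & 0x7
    stratum = (w[0] >> 16) & 0xFF
    if mode != MODE_SERVER:
        raise ValueError("not a server reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server unsynchronised (or kiss-o'-death)")
    # The originate timestamp must echo our transmit timestamp; a packet that
    # does not was not solicited by this request (stale, or injected blind).
    if w[6:8] != struct.unpack("!II", request[40:48]):
        raise ValueError("originate timestamp mismatch")
    t2 = from_ntp(w[8], w[9])       # server receive time
    t3 = from_ntp(w[10], w[11])     # server transmit time
    return {"stratum": stratum,
            "offset": ((t2 - t1) + (t3 - t4)) / 2,
            "delay": (t4 - t1) - (t3 - t2)}


def build_reply(request: bytes, t2: float, t3: float, stratum: int = 1) -> bytes:
    """Constructed server reply for offline use (not a real server's packet)."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | MODE_SERVER
    pkt[1] = stratum
    pkt[24:32] = request[40:48]                         # originate = client's T1
    struct.pack_into("!II", pkt, 32, *to_ntp(t2))       # receive timestamp
    struct.pack_into("!II", pkt, 40, *to_ntp(t3))       # transmit timestamp
    return bytes(pkt)


def query(server: str, timeout: float = 2.0) -> dict:
    """One UDP exchange with a server (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        req = build_request(t1)
        s.sendto(req, (server, NTP_PORT))
        reply, _ = s.recvfrom(48)
        t4 = time.time()
    return parse_response(req, reply, t1, t4)


def median_offset(results) -> float:
    """With several servers the median ignores a single wrong or broken one."""
    return statistics.median(r["offset"] for r in results)


SERVERS = ["time1.google.com", "time2.google.com", "time3.google.com", "time4.google.com"]

if __name__ == "__main__":
    results = []
    for host in SERVERS:
        try:
            r = query(host)
        except (OSError, ValueError) as exc:
            print(f"{host}: {exc}")
            continue
        print(f"{host}: stratum {r['stratum']} offset {r['offset']:+.4f}s delay {r['delay']:.4f}s")
        results.append(r)
    if results:
        print(f"median offset across servers: {median_offset(results):+.4f}s")
```

<p>Plain NTP carries no authentication, which is why the originate-timestamp check and the cross-server median matter: they are the only defence this client has against a stray or injected reply.</p>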
<h3>Disconnect VPN or Mobile Access or SNX user from Check Point firewall</h3>
<p>Published 2016-12-01T13:55:25+00:00 by Yuri Slobodyanyuk, yurisk.info/2016/12/01/disconnect-vpn-or-mobile-access-or-snx-user-from-check-point-firewall/</p>
<p>You may occasionally need to forcibly disconnect some or all connected users from the firewall. There are a few ways I can think of to do so. For example, installing the Security Policy clears the cached authentication of the remote users; while it does not disconnect them, it will force a user to re-enter his/her credentials. So, if you want to disconnect a user, you could expire it in SmartDashboard or change its password and then push the Security Policy. But actually there is an easier way: go to SmartView Monitor -> Users -> click any of the options (Users by Gateway, Users by Name, All Users, CheckPoint Mobile Users), and after finding the user you want to disconnect, right-click it and choose Reset Tunnel. Here is a screenshot of this procedure: <br>
<img alt="fig 1" src="https://yurisk.info/2016/12/01/disconnect-vpn-or-mobile-access-or-snx-user-from-check-point-firewall/disconnect-vpn-snx-user-checkpoint.png"></p>
<h3>On what Linux version do Check Point firewalls run?</h3>
<p>Published 2016-11-12T08:44:46+00:00 by Yuri Slobodyanyuk, yurisk.info/2016/11/12/on-what-linux-version-do-check-point-firewalls-run/</p>
<p>Throughout its history the CheckPoint firewall changed versions and names and incorporated other products. The latest evolution, so far, has been the Gaia operating system released in 2012. All this holds true, but nevertheless the base platform for the firewall all these years has been Red Hat Enterprise Linux server of different versions. The latest one, used for the whole R75 and R77 line of firewalls, is based on Red Hat RHEL 5.2, first released in 2008. This in part explains why even new firewalls still run on the old 2.6.18 kernel. It doesn't mean something bad in terms of security; to remind, 'based on' means that even though it is based on RHEL 5.2 it is still heavily secured and stripped down. In their latest communications Checkpoint promise to upgrade Gaia to kernel version 3.10 in the 1st quarter of 2017 as part of the move to Red Hat RHEL 7. </p>
<p><strong>Update 2021</strong>: it took Checkpoint time, but on the 4th of July 2019 they released R80.30 with kernel version 3.10. </p>
<h3>Configure SSL protocol version used in SSL VPN by Check Point</h3>
<p>Published 2016-11-01T08:44:46+00:00 by Yuri Slobodyanyuk, yurisk.info/2016/11/01/Configure-SSL-protocol-version-used-in-SSL-VPN-by-Check-Point/</p>
<p>With a lot of attention recently on SSL protocol vulnerabilities, browser vendors increase the security of their SSL implementations almost daily. One of the recommendations is to use the most up-to-date SSL version available. Check Point's SSL-based VPNs (by the way, it is the same configuration for Endpoint clients), like SNX SSL and Mobile Access, can support SSL versions in the range SSLv3 up to TLS 1.2. So if your clients' browsers support it, you can force the specific SSL version for their connections. Warning: do NOT set the minimal SSL version higher than TLS 1.0, because this would cause internal communication between applications of the Check Point itself to fail. You set the parameters here: <strong>SmartDashboard -> Global Properties -> SmartDashboard Customization -> Configure -> Portal Properties -> snx_ssl_max_ver and snx_ssl_min_ver</strong></p>
<p><img alt="fig 1" src="https://yurisk.info/2016/11/1/Configure-SSL-protocol-version-used-in-SSL-VPN-by-Check-Point/checkpoint-ssl-options.png"></p>
<h3>Add free disk space to Check Point appliance hard disk</h3>
<p>Published 2016-08-13T08:44:46+00:00 by Yuri Slobodyanyuk, yurisk.info/2016/08/13/Add-free-disk-space-to-Check-Point-appliance-hard-disk/</p>
<p>With the previous generation of Check Point UTM appliances (the so-called UTM-1, which included UTM 132, 270, 450 etc.) it was a really nagging issue when the firewall ran out of space on its hard disk. It was especially problematic for the root partition because it is used for update downloads, upgrade files etc. It is less of a problem today, as the Check Point folks made the root partition much bigger by default than the old UTM-1 one; still, from time to time you may need to increase the root or some other partition to add free space to the firewall. As Check Point is Linux in disguise, doing so is actually easy using native Linux tools. Fortunately UTM appliances come with quite a bit of unallocated space, which you can see with fdisk -l. This unallocated space is used to store images for factory reset in case of need, so do not go wild using it up. For the resizing to take effect you will have to reboot the firewall afterwards. Here are the commands to be run in expert mode. Let's say I want to add 15 GB to the root partition: </p>
<div class="highlight"><pre><span></span><code>Checkpoint# lvresize -L +15G vg_splat/lv_current        <span class="c1"># "+15G" grows the volume by 15 GB; a bare "-L 15GB" would set its total size to 15 GB</span>
Checkpoint# resize2fs /dev/mapper/vg_splat-lv_current   <span class="c1"># grow the file system to fill the enlarged volume</span>
</code></pre></div>
<p>That is it. BTW, officially it is not supported by Checkpoint to modify the size of partitions / file systems on Check Point appliances. Still, the many times I've done it I didn't experience any issues, but be aware. </p>
<h3>Check Point Gaia route missing after adding via ip route add problem</h3>
<p>Published 2016-06-21T08:44:46+00:00 by Yuri Slobodyanyuk, yurisk.info/2016/06/21/Check-Point-Gaia-route-missing-after-adding-via-ip-route-add-problem/</p>
<p>Well, it is actually a feature, not a bug, of all Check Point firewalls running on Gaia. If you haven't noticed, as opposed to the good old SPLAT firewall platform, Gaia is selective about which routes to propagate. I guess it was done on purpose to give the administrator more control over the routing table. One of the quirks of it is that when you add a route via SSH the Linux way you don't get any error, but this new route does not show anywhere: neither in Gaia nor at the Linux level. On the other hand, if you add the very same route via the Gaia GUI or in clish, it works fine. The culprit for this behavior is this setting, which you can change in the Gaia https GUI: <br>
<img alt="fig 1" src="https://yurisk.info/2016/06/21/Check-Point-Gaia-route-missing-after-adding-via-ip-route-add-problem/Gaia-ip-route-kernel-propagate-option.png"> </p>
<p>Go to the Gaia https GUI: Advanced Routing -> Routing Options -> select "Kernel Routes" -> then Apply. That is it: now if you add routes in expert mode with ip route add 192.13.13.0/24 via 192.168.13.254, this newly added static route will appear in both Gaia and the Linux OS with the mark K for Kernel: </p>
<p><strong>show route</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">Codes</span><span class="o">:</span><span class="w"> </span><span class="n">C</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Connected</span><span class="o">,</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Static</span><span class="o">,</span><span class="w"> </span><span class="n">R</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">RIP</span><span class="o">,</span><span class="w"> </span><span class="n">B</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">BGP</span><span class="w"> </span><span class="o">(</span><span class="n">D</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Default</span><span class="o">),</span><span class="w"></span>
<span class="n">O</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">OSPF</span><span class="w"> </span><span class="n">IntraArea</span><span class="w"> </span><span class="o">(</span><span class="n">IA</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">InterArea</span><span class="o">,</span><span class="w"> </span><span class="n">E</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">External</span><span class="o">,</span><span class="w"> </span><span class="n">N</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">NSSA</span><span class="o">)</span><span class="w"></span>
<span class="n">A</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Aggregate</span><span class="o">,</span><span class="w"> </span><span class="n">K</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Kernel</span><span class="w"> </span><span class="n">Remnant</span><span class="o">,</span><span class="w"> </span><span class="n">H</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Hidden</span><span class="o">,</span><span class="w"> </span><span class="n">P</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Suppressed</span><span class="o">,</span><span class="w"></span>
<span class="n">U</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Unreachable</span><span class="o">,</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Inactive</span><span class="w"></span>
<span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">/</span><span class="mi">0</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">211.254</span><span class="o">,</span><span class="w"> </span><span class="n">eth0</span><span class="o">,</span><span class="w"> </span><span class="n">cost</span><span class="w"> </span><span class="mi">0</span><span class="o">,</span><span class="w"> </span><span class="n">age</span><span class="w"> </span><span class="mi">16426</span><span class="w"></span>
<span class="n">C</span><span class="w"> </span><span class="mf">127.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">/</span><span class="mi">8</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">directly</span><span class="w"> </span><span class="n">connected</span><span class="o">,</span><span class="w"> </span><span class="n">lo</span><span class="w"></span>
<span class="n">K</span><span class="w"> </span><span class="mf">192.13</span><span class="o">.</span><span class="mf">13.0</span><span class="o">/</span><span class="mi">24</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">13.254</span><span class="o">,</span><span class="w"> </span><span class="n">eth0</span><span class="o">,</span><span class="w"> </span><span class="n">cost</span><span class="w"> </span><span class="mi">0</span><span class="o">,</span><span class="w"> </span><span class="n">age</span><span class="w"> </span><span class="mi">25</span><span class="w"></span>
</code></pre></div>
<p>When working with routes/networking on the command line make sure to read these as well:<br>
<a href="https://yurisk.info/2011/10/27/all-you-need-to-know-about-networking-in-checkpoint-firewall-secureplatform-faq/">All you need to know about networking in Checkpoint firewall SecurePlatform FAQ</a><br>
<a href="https://yurisk.info/2014/02/10/convert-checkpoint-splat-routes-into-gaia-configuration-commands/">Convert Checkpoint SPLAT routes into Gaia configuration commands</a> </p>
<h3>RHEL get firewall zones and their interfaces in one go</h3>
<p>Published 2016-06-13T08:12:21+00:00 by Yuri Slobodyanyuk, yurisk.info/2016/06/13/one-liner-to-get-firewall-zones-and-their-interfaces/</p>
<p>The <strong>firewall-cmd</strong> doesn't have an option to show all zones and to which one the server interfaces belong, so here is a one-liner to show that: </p>
<div class="highlight"><pre><span></span><code># for ii in /usr/lib/firewalld/zones/*.xml; do ii=$(basename "$ii" .xml); echo "$ii:"; firewall-cmd --zone="$ii" --list-interfaces; done
</code></pre></div>
<p>The output:</p>
<div class="highlight"><pre><span></span><code><span class="n">block</span><span class="o">:</span><span class="w"></span>
<span class="n">dmz</span><span class="o">:</span><span class="w"></span>
<span class="n">drop</span><span class="o">:</span><span class="w"></span>
<span class="n">external</span><span class="o">:</span><span class="w"></span>
<span class="n">home</span><span class="o">:</span><span class="w"></span>
<span class="kd">internal</span><span class="o">:</span><span class="w"></span>
<span class="kd">public</span><span class="o">:</span><span class="w"></span>
<span class="n">eno16777736</span><span class="w"> </span><span class="n">eno50332184</span><span class="w"></span>
<span class="n">trusted</span><span class="o">:</span><span class="w"></span>
<span class="n">work</span><span class="o">:</span><span class="w"></span>
</code></pre></div>
<h3>fw ctl zdebug drop - Check Point firewall ultimate debug command</h3>
<p>Published 2016-05-21T08:44:46+00:00 by Yuri Slobodyanyuk, yurisk.info/2016/05/21/fw-ctl-zdebug-drop-check-point-firewall-ultimate-debug-command/</p>
<p>Check Point provided us many ways to debug issues. Some are easier, some are harder.
The first thing to do when you have dropped traffic is to see whether the packets are being dropped by the firewall or not. The first impulse is to look at SmartView Tracker's logs, and that's ok, unless of course you have some Security Rules without logging enabled on them. But there has always been this command available that gives us real-time insight into what is being dropped at the KERNEL level! What can be better? You may use it in cases when <strong>fw monitor</strong> or SmartView Tracker logs do not give conclusive results. Or you can use it as the first command, as I do: this saves the time of loading all the logs or decluttering fw monitor output. The command, run in expert mode, is <strong>fw ctl zdebug drop</strong>:</p>
<div class="highlight"><pre><span></span><code><span class="o">[</span><span class="n">Expert@GW77:0</span><span class="o">]</span><span class="err">#</span><span class="w"> </span><span class="n">fw</span><span class="w"> </span><span class="n">ctl</span><span class="w"> </span><span class="n">zdebug</span><span class="w"> </span><span class="k">drop</span><span class="w"></span>
<span class="n">Defaulting</span><span class="w"> </span><span class="ow">all</span><span class="w"> </span><span class="n">kernel</span><span class="w"> </span><span class="n">debugging</span><span class="w"> </span><span class="n">options</span><span class="w"></span>
<span class="n">Initialized</span><span class="w"> </span><span class="n">kernel</span><span class="w"> </span><span class="n">debugging</span><span class="w"> </span><span class="n">buffer</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">size</span><span class="w"> </span><span class="mi">1023</span><span class="n">K</span><span class="w"></span>
<span class="n">Updated</span><span class="w"> </span><span class="n">kernel</span><span class="err">'</span><span class="n">s</span><span class="w"> </span><span class="n">debug</span><span class="w"> </span><span class="k">variable</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">module</span><span class="w"> </span><span class="n">fw</span><span class="w"></span>
<span class="n">Kernel</span><span class="w"> </span><span class="n">debugging</span><span class="w"> </span><span class="n">buffer</span><span class="w"> </span><span class="k">size</span><span class="err">:</span><span class="w"> </span><span class="mi">1023</span><span class="n">KB</span><span class="w"></span>
<span class="k">Module</span><span class="err">:</span><span class="w"> </span><span class="n">kiss</span><span class="w"></span>
<span class="n">Enabled</span><span class="w"> </span><span class="n">Kernel</span><span class="w"> </span><span class="n">debugging</span><span class="w"> </span><span class="nl">options</span><span class="p">:</span><span class="w"> </span><span class="k">None</span><span class="w"></span>
<span class="k">Module</span><span class="err">:</span><span class="w"> </span><span class="n">kissflow</span><span class="w"></span>
<span class="n">Enabled</span><span class="w"> </span><span class="n">Kernel</span><span class="w"> </span><span class="n">debugging</span><span class="w"> </span><span class="nl">options</span><span class="p">:</span><span class="w"> </span><span class="n">error</span><span class="w"> </span><span class="n">warning</span><span class="w"></span>
<span class="n">Messaging</span><span class="w"> </span><span class="n">threshold</span><span class="w"> </span><span class="k">set</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">type</span><span class="o">=</span><span class="n">Info</span><span class="w"> </span><span class="n">freq</span><span class="o">=</span><span class="n">Common</span><span class="w"></span>
<span class="k">Module</span><span class="err">:</span><span class="w"> </span><span class="n">fw</span><span class="w"></span>
<span class="n">Enabled</span><span class="w"> </span><span class="n">Kernel</span><span class="w"> </span><span class="n">debugging</span><span class="w"> </span><span class="nl">options</span><span class="p">:</span><span class="w"> </span><span class="k">drop</span><span class="w"></span>
<span class="n">Messaging</span><span class="w"> </span><span class="n">threshold</span><span class="w"> </span><span class="k">set</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">type</span><span class="o">=</span><span class="n">Info</span><span class="w"> </span><span class="n">freq</span><span class="o">=</span><span class="n">Common</span><span class="w"></span>
<span class="p">...</span><span class="w"></span>
<span class="p">;</span><span class="o">[</span><span class="n">fw4_0</span><span class="o">]</span><span class="p">;</span><span class="n">FW</span><span class="o">-</span><span class="mi">1</span><span class="err">:</span><span class="w"> </span><span class="n">Initializing</span><span class="w"> </span><span class="n">debugging</span><span class="w"> </span><span class="n">buffer</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">size</span><span class="w"> </span><span class="mi">1023</span><span class="n">K</span><span class="p">;</span><span class="w"></span>
<span class="p">;</span><span class="o">[</span><span class="n">fw4_0</span><span class="o">]</span><span class="p">;</span><span class="n">Setting</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">flags</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">debug</span><span class="w"> </span><span class="k">module</span><span class="w"> </span><span class="nl">fw</span><span class="p">:</span><span class="w"> </span><span class="k">drop</span><span class="p">;</span><span class="w"></span>
</code></pre></div>
<p>On a loaded firewall it is advisable to limit the output to the terminal, decluttering it with <em>grep</em>:<br>
[Expert@GW77:0]# <strong>fw ctl zdebug drop | grep 192.168.21</strong> </p>
<div class="highlight"><pre><span></span><code><span class="p">;</span><span class="o">[</span><span class="n">fw4_0</span><span class="o">]</span><span class="p">;</span><span class="nl">fw_log_drop_ex</span><span class="p">:</span><span class="w"> </span><span class="n">Packet</span><span class="w"> </span><span class="n">proto</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="mf">192.168.21.1</span><span class="err">:</span><span class="mi">2048</span><span class="w"> </span><span class="o">-></span><span class="w"> </span><span class="mf">192.168.21.2</span><span class="err">:</span><span class="mi">19709</span><span class="w"> </span><span class="n">dropped</span><span class="w"> </span><span class="k">by</span><span class="w"> </span><span class="n">fw_handle_first_packet</span><span class="w"> </span><span class="nl">Reason</span><span class="p">:</span><span class="w"> </span><span class="n">Rulebase</span><span class="w"> </span><span class="k">drop</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="k">rule</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
</code></pre></div>
<p>Here you can clearly see that ICMP is being dropped by Security Rule 1 (which blocks all ICMP). The tool becomes even more interesting when a firewall drops some packets NOT on rules but, say, because of the IP Options field being set.</p>
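<p>As an added example, not from the original post, the following Python script summarises <code>fw ctl zdebug drop</code> output by drop reason and by flow, which helps when the unfiltered stream on a busy gateway scrolls too fast to read. Only the first drop line in the script's sample is the one shown above; the others are constructed in the same format and are not output from the post's firewall.</p>

```python
"""Summarise `fw ctl zdebug drop` output by drop reason and by flow.

Added example, not from the post. Only the first sample drop line below is
the one shown in the post; the others are constructed in the same format.
"""
import re
import sys
from collections import Counter

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}

# ;[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.21.1:2048 -> 192.168.21.2:19709 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 1;
DROP_RE = re.compile(
    r";\[(?P<instance>fw\d+_\d+)\];(?P<func>\w+): Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<where>\w+) Reason: (?P<reason>[^;]+);"
)


def parse_drop(line: str):
    """One drop line -> dict, or None for debug-buffer chatter and partial lines."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    return {
        "instance": d["instance"],            # kernel module instance, e.g. fw4_0
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "where": d["where"],                  # code path, e.g. fw_handle_first_packet
        "reason": d["reason"].strip(),        # "Rulebase drop - rule N" or another reason
    }


def summarize(lines):
    """Return (Counter by reason, Counter by (src, dst, proto)). The first tells
    whether a rule or something else is dropping; the second who is hit most."""
    by_reason, by_flow = Counter(), Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue
        by_reason[rec["reason"]] += 1
        by_flow[(rec["src"], rec["dst"], rec["proto"])] += 1
    return by_reason, by_flow


# Constructed sample: the first drop line is the post's, the rest follow its format.
SAMPLE = """\
Defaulting all kernel debugging options
;[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.21.1:2048 -> 192.168.21.2:19709 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 1;
;[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.21.1:2048 -> 192.168.21.2:19710 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 1;
;[fw4_1];fw_log_drop_ex: Packet proto=6 10.10.5.5:51022 -> 192.168.21.2:3389 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;
;[fw4_0];fw_log_drop_ex: Packet proto=17 10.10.5.9:53 -> 192.168.21.40:61234 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;
""".splitlines()

if __name__ == "__main__":
    # Pipe the live output in ("fw ctl zdebug drop | python3 this_script.py"),
    # or run it without input to see the constructed sample.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    by_reason, by_flow = summarize(source)
    for reason, n in by_reason.most_common():
        print(f"{n:6d}  {reason}")
    for (src, dst, proto), n in by_flow.most_common():
        print(f"{n:6d}  {src} -> {dst} ({proto})")
```

<p>The per-reason counter is the quick answer to the question the post raises: whether drops come from a rule number or from something else, such as the IP Options case, shows up on the first line of the summary.</p>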
<h3>Do not miss Netflow capability of Check Point Gaia R77 and above</h3>
<p>Published 2016-04-21T08:44:46+00:00 by Yuri Slobodyanyuk, yurisk.info/2016/04/21/Do-not-miss-Netflow-capability-of-Check-Point-Gaia-R77-and-above/</p>
<p>Do not miss the Netflow capability of Check Point Gaia R77 and above. In the past, measuring the traffic passing through the firewall wasn't easy: you had to either query interface counters via SNMP or run custom Bash scripts on the firewall itself to get interface statistics. The problem with both ways was that you didn't get exact results. And getting insight into what kind of packets are going through the firewall wasn't possible to do easily at all.
Sure, you have always had the SmartView Monitor dashboard to see real-time statistics, but you need a separate license for that.
Finally, starting with R76 for the regular firewall and R75.40VS for the virtual one, we have Netflow export capability available in Gaia OS. It supports Netflow versions 5 and 9. I haven't tried version 9, but the common version 5 works as expected. Features and limitations:<br>
- SecureXL (i.e. hardware acceleration) should be enabled for correct results (most of today's firewalls have it on anyway).
- You can set up to 3 external collectors to receive Netflow data. Of course it means that the same Netflow packet will be sent 3 times; I don't see a reason to do so.
- You can specify the source IP address for outgoing Netflow packets; the default is the IP of the interface where the packets leave.
- Do not forget to set the Netflow version, as the default is 9.</p>
<p>To configure and enable NetFlow from Gaia clish (here I send NetFlow to the collector 192.168.13.77, UDP port 2055, version 5):</p>
<div class="highlight"><pre><span></span><code><span class="n">gateway1</span><span class="o">></span><span class="w"> </span><span class="n">add</span><span class="w"> </span><span class="n">netflow</span><span class="w"> </span><span class="n">collector</span><span class="w"> </span><span class="n">ip</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">13.77</span><span class="w"> </span><span class="n">port</span><span class="w"> </span><span class="mi">2055</span><span class="w"> </span><span class="k">export</span><span class="o">-</span><span class="n">format</span><span class="w"> </span><span class="n">Netflow_V5</span><span class="w"></span>
<span class="n">gateway1</span><span class="o">></span><span class="w"> </span><span class="n">save</span><span class="w"> </span><span class="n">config</span><span class="w"></span>
</code></pre></div>
<p>Verify:</p>
<div class="highlight"><pre><span></span><code><span class="nv">gateway1</span><span class="o">></span><span class="w"> </span><span class="k">show</span><span class="w"> </span><span class="nv">netflow</span><span class="w"> </span><span class="nv">all</span><span class="w"></span>
<span class="nv">Address</span><span class="w"> </span><span class="nv">Port</span><span class="w"> </span><span class="nv">Format</span><span class="w"> </span><span class="nv">Src</span><span class="w"> </span><span class="nv">Addr</span><span class="w"> </span><span class="nv">Enable</span><span class="w"></span>
<span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">13</span>.<span class="mi">77</span><span class="w"> </span><span class="mi">2055</span><span class="w"> </span><span class="nv">Netflow_V5</span><span class="w"> </span><span class="nv">yes</span><span class="w"></span>
</code></pre></div>
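<p>What the collector at 192.168.13.77:2055 actually receives is a stream of UDP datagrams in the fixed NetFlow v5 layout (24-byte header, up to 30 records of 48 bytes). The Python below is an added example, not code from the post or from Check Point: it builds such a datagram from a few constructed flows, the way an exporter would, and parses it back the way a collector must. NetFlow v5 is plain, unauthenticated UDP, so the parser treats the record count in the header as untrusted and rejects datagrams whose count disagrees with the payload length. The flow addresses and byte counts are made up for the example.</p>

```python
"""Build and parse NetFlow v5 datagrams (added example, not from the post)."""
import socket
import struct
from dataclasses import dataclass

# Public NetFlow v5 export layout, network byte order.
HEADER_FMT = "!HHIIIIBBH"                 # version,count,sys_uptime,unix_secs,unix_nsecs,flow_seq,engine_type,engine_id,sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # src,dst,nexthop,in_if,out_if,pkts,octets,first,last,sport,dport,pad,flags,proto,tos,src_as,dst_as,src_mask,dst_mask,pad
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30                          # a v5 datagram carries at most 30 flows


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int = 0


def build_v5_datagram(flows, seq=0, uptime_ms=0, unix_secs=0):
    """Serialize flows into one datagram, as an exporter would."""
    if not 0 < len(flows) <= MAX_RECORDS:
        raise ValueError("a NetFlow v5 datagram holds 1..30 records")
    header = struct.pack(HEADER_FMT, 5, len(flows), uptime_ms, unix_secs, 0,
                         seq, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT,
                    socket.inet_aton(f.src), socket.inet_aton(f.dst),
                    b"\x00" * 4,              # nexthop: unknown
                    0, 0,                     # input/output ifIndex
                    f.packets, f.octets,
                    uptime_ms, uptime_ms,     # first/last seen, in sysuptime ms
                    f.sport, f.dport,
                    0, f.tcp_flags, f.proto, 0,   # pad1, TCP flags, protocol, ToS
                    0, 0, 0, 0, 0)            # src_as, dst_as, masks, pad2
        for f in flows)
    return header + body


def parse_v5_datagram(data):
    """Parse one datagram; raise ValueError on anything a collector must not trust."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    (version, count, _uptime, unix_secs, _nsecs, seq,
     _engine_type, _engine_id, _sampling) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # The count is attacker-controlled on the wire: cross-check it against the length.
    if count > MAX_RECORDS or len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        flows.append(Flow(src=socket.inet_ntoa(r[0]), dst=socket.inet_ntoa(r[1]),
                          sport=r[9], dport=r[10], proto=r[13],
                          packets=r[5], octets=r[6], tcp_flags=r[12]))
    return {"sequence": seq, "unix_secs": unix_secs, "flows": flows}


def is_valid_v5(data):
    """True if parse_v5_datagram accepts the datagram."""
    try:
        parse_v5_datagram(data)
        return True
    except ValueError:
        return False


def bytes_per_destination(flows):
    """Aggregate octets per destination host, a typical first collector report."""
    totals = {}
    for f in flows:
        totals[f.dst] = totals.get(f.dst, 0) + f.octets
    return totals


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("192.168.13.10", "10.0.0.5", 51000, 443, 6, 12, 4800, tcp_flags=0x18),
    Flow("192.168.13.11", "10.0.0.5", 51001, 443, 6, 8, 2600, tcp_flags=0x18),
    Flow("192.168.13.12", "8.8.8.8", 40000, 53, 17, 1, 76),
]

if __name__ == "__main__":
    datagram = build_v5_datagram(SAMPLE_FLOWS, seq=1, uptime_ms=1000, unix_secs=1461228286)
    parsed = parse_v5_datagram(datagram)
    print(parsed["sequence"], bytes_per_destination(parsed["flows"]))
```

<p>Point a real collector at the same port and you get the same fields; the length check is the one thing most quick-and-dirty collectors skip, and it is what protects the parser from a forged header that declares more records than the datagram holds.</p>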
Change colors of ls output in the bash shell2016-02-20T16:10:17+00:002016-02-20T16:10:17+00:00Yuri Slobodyanyuktag:yurisk.info,2016-02-20:/2016/02/20/change-colors-of-ls-output-in-the-bash-shell/<p>Usually colorization is put in action via an alias: <strong>alias ls='ls --color=auto'</strong><br>
You can turn off the colors for a single run with <strong>ls --color=never</strong>, change the alias itself to disable the fancy colors permanently, or simply run <strong>\ls</strong> to bypass the alias. But to change the colors themselves you need the <em>dircolors</em> utility to read your own color database when the login session starts. So let's do just that:<br>
1) Export the existing database:<br>
# <strong>dircolors -p > dircolors.db</strong><br>
2) Edit it:<br>
# <strong>vi dircolors.db</strong><br>
e.g. change the directory color from blue to red:<br>
di=01;34 -> di=01;31<br>
3) Save the changes.<br>
4) Make bash reload the color scheme (dircolors prints an <em>LS_COLORS</em> assignment plus its export, and eval applies it to the current shell):<br>
# <strong>eval `dircolors dircolors.db`</strong><br>
5) Put <strong>eval `dircolors $HOME/dircolors.db`</strong> at the end of your .profile (or .bashrc, if your terminals open non-login shells that do not read .profile).<br>
That is it.</p>
How to know Checkpoint UTM Appliance model from the cli2016-01-22T16:11:43+00:002016-01-22T16:11:43+00:00Yuri Slobodyanyuktag:yurisk.info,2016-01-22:/2016/01/22/how-to-know-checkpoint-utm-appliance-model-from-the-cli/<p>Many times you get to work on some UTM appliance remotely via ssh and need to know which exact model it is. It takes just one Expert-mode command: <strong>dmidecode | grep "Product Name"</strong>. Then you compare the output with the UTM models table which Tobias Lachmann diligently compiled for us [<del>Determine appliance hardware from command line</del>].<br>
<strong>As of 09/07/2016 Tobias' website is down</strong>, so to preserve the useful info I put the list of UTM models to compare with here: </p>
<table>
<thead>
<tr>
<th>dmidecode "Product Name"</th>
<th>UTM model</th>
</tr>
</thead>
<tbody>
<tr>
<td>G-50</td>
<td>Check Point 21400</td>
</tr>
<tr>
<td>P-230</td>
<td>Check Point 12600</td>
</tr>
<tr>
<td>P-220</td>
<td>Check Point 12400</td>
</tr>
<tr>
<td>P-210</td>
<td>Check Point 12200</td>
</tr>
<tr>
<td>T-180</td>
<td>Check Point 4800</td>
</tr>
<tr>
<td>T-160</td>
<td>Check Point 4600</td>
</tr>
<tr>
<td>T-140</td>
<td>Check Point 4400</td>
</tr>
<tr>
<td>T-120</td>
<td>Check Point 4200</td>
</tr>
<tr>
<td>T-110</td>
<td>Check Point 2200</td>
</tr>
<tr>
<td>L-50</td>
<td>Security Gateway 80</td>
</tr>
<tr>
<td>P-30</td>
<td>Power-1 11000 Series VSX-1 11000 Series</td>
</tr>
<tr>
<td>P-20</td>
<td>Power-1 9070 Connectra 9072 VSX-1 9070</td>
</tr>
<tr>
<td>P-10</td>
<td>Power-1 5070</td>
</tr>
<tr>
<td>U-40</td>
<td>UTM-1 3070 Connectra 3070 Smart-1 3074 VSX-1 3070</td>
</tr>
<tr>
<td>U-30</td>
<td>UTM-1 2070</td>
</tr>
<tr>
<td>U-20</td>
<td>UTM-1 1070</td>
</tr>
<tr>
<td>U-15</td>
<td>UTM-1 570</td>
</tr>
<tr>
<td>U-10</td>
<td>UTM-1 270 Connectra 270</td>
</tr>
<tr>
<td>U-5</td>
<td>UTM-1 130</td>
</tr>
<tr>
<td>C6P_UTM</td>
<td>UTM-1 2050</td>
</tr>
<tr>
<td>C6_UTM</td>
<td>UTM-1 1050</td>
</tr>
<tr>
<td>C2_UTM</td>
<td>UTM-1 450</td>
</tr>
<tr>
<td>IP-150</td>
<td>IP-150</td>
</tr>
<tr>
<td>IP-282</td>
<td>IP-282</td>
</tr>
<tr>
<td>IP-295</td>
<td>IP-295</td>
</tr>
<tr>
<td>IP-395</td>
<td>IP-395</td>
</tr>
<tr>
<td>IP-565</td>
<td>IP-565</td>
</tr>
<tr>
<td>IP-695</td>
<td>IP-695</td>
</tr>
<tr>
<td>IP-1285</td>
<td>IP-1285</td>
</tr>
<tr>
<td>IP-2455</td>
<td>IP-2455</td>
</tr>
<tr>
<td>U-31</td>
<td>IPS-1 2076</td>
</tr>
<tr>
<td>P-11</td>
<td>IPS-1 5076</td>
</tr>
<tr>
<td>P-21</td>
<td>IPS-1 9076</td>
</tr>
<tr>
<td>U-42</td>
<td>DLP-1 2571</td>
</tr>
<tr>
<td>P-22</td>
<td>DLP-1 9571</td>
</tr>
<tr>
<td>S-10</td>
<td>Smart-1 5</td>
</tr>
<tr>
<td>S-20</td>
<td>Smart-1 25</td>
</tr>
<tr>
<td>S-21</td>
<td>Smart-1 25</td>
</tr>
<tr>
<td>S-30</td>
<td>Smart-1 50</td>
</tr>
<tr>
<td>S-40</td>
<td>Smart-1 150</td>
</tr>
</tbody>
</table>
Undocumented command to install policy on Locally managed Checkpoint UTM 1100 series appliance2016-01-14T17:44:46+00:002016-01-14T17:44:46+00:00Yuri Slobodyanyuktag:yurisk.info,2016-01-14:/2016/01/14/undocumented-command-to-install-policy-on-locally-managed-checkpoint-utm-1100-series-appliance/<p>I was trying the other day to exclude on a UTM 1180 gateway some IP address and service combination from being encrypted inside a VPN tunnel, and noted that any changes you make to the firewall files on the CLI, in this case crypt.def, do not take effect. It is actually logical, as every SK asking you to make such changes also specifies that "Changes are to be done on the SmartCenter/Management server and then you are to install the Security Policy". The catch here is "installing the policy": on what is known as a Locally managed UTM, i.e. one you manage via its Web interface, you have no such action as "install policy".
One solution would be to restart the UTM - it works, but is kinda harsh. The other solution is this undocumented (not listed in any Checkpoint documentation I searched) command:<br>
<em>You should be in Expert mode to run it. Also pay attention to the output - there should be no errors.</em></p>
<p><strong># fw_configload</strong></p>
<div class="highlight"><pre><span></span><code>FW.pf:
Compiled OK.
Resolver Error 0 (no error)
Resolver Error 0 (no error)
Resolver Error 0 (no error)
Resolver Error 0 (no error)
</code></pre></div>
<p><em>Update 2019</em>: Checkpoint have caught up (thanks to Albrecht from community.checkpoint.com for noticing) and the once undocumented command is now explained in their SecureKnowledge articles sk97949, sk100278 and sk108274.</p>
Useful CLI commands for Cisco CUCM, Cisco Unity Connection and IM and Presence2015-08-15T18:31:28+00:002015-08-15T18:31:28+00:00Yuri Slobodyanyuktag:yurisk.info,2015-08-15:/2015/08/15/useful-cli-commands-for-cisco-cucm/<p>Note: For quick reference, I put all the commands below as a cheat sheet PDF:
<a href="https://yurisk.info/assets/Cisco-CUCM-CLI-useful-commands-cheat-sheet.pdf" rel="noopener">Useful CLI commands for Cisco CUCM, Cisco Unity Connection and IM and Presence</a></p>
<p>I don’t work on the command line of CUCM often, but when the need arises, here is the short list of commands to keep.
For the ssh connection you use the <em>OS Administration</em> username/password created during the CUCM installation. BTW the CLI commands below are valid for all of these products: Cisco Unified Communications Manager (CUCM), Cisco Unity Connection (CUC) and IM &amp; Presence. <br>
As Cisco do not want us to mess with the underlying OS, our interaction is limited to a very restricted shell (you get the <strong>admin:</strong> prompt after logging in). So you don’t have access to Linux commands, but you do have a predefined set of platform commands, of which I present the most useful ones here.
When in doubt about the command syntax, use <strong>tab/?</strong> completion to get all possible options. </p>
<ul>
<li>General health status: the first command I run to spot unusual CPU/IO load and check uptime:<br>
<strong>show status</strong></li>
</ul>
<div class="highlight"><pre><span></span><code><span class="n">admin</span><span class="p">:</span><span class="n">show</span><span class="w"> </span><span class="n">status</span><span class="w"></span>
<span class="n">Host</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">CUCMPUB</span><span class="w"></span>
<span class="n">Date</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">Fri</span><span class="w"> </span><span class="n">Oct</span><span class="w"> </span><span class="mi">11</span><span class="p">,</span><span class="w"> </span><span class="mi">2019</span><span class="w"> </span><span class="mi">09</span><span class="p">:</span><span class="mi">51</span><span class="p">:</span><span class="mi">53</span><span class="w"></span>
<span class="n">Time</span><span class="w"> </span><span class="n">Zone</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">Israel</span><span class="w"> </span><span class="n">Daylight</span><span class="w"> </span><span class="n">Time</span><span class="w"> </span><span class="p">(</span><span class="n">Asia</span><span class="o">/</span><span class="n">Jerusalem</span><span class="p">)</span><span class="w"></span>
<span class="n">Locale</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">en_US</span><span class="o">.</span><span class="n">UTF</span><span class="o">-</span><span class="mi">8</span><span class="w"></span>
<span class="n">Product</span><span class="w"> </span><span class="n">Ver</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="mf">11.5</span><span class="o">.</span><span class="mf">1.14900</span><span class="o">-</span><span class="mi">11</span><span class="w"></span>
<span class="n">Unified</span><span class="w"> </span><span class="n">OS</span><span class="w"> </span><span class="n">Version</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="mf">6.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">-</span><span class="mi">2</span><span class="w"></span>
<span class="n">Uptime</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="mi">09</span><span class="p">:</span><span class="mi">51</span><span class="p">:</span><span class="mi">55</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="mi">403</span><span class="w"> </span><span class="n">days</span><span class="p">,</span><span class="w"> </span><span class="mi">20</span><span class="p">:</span><span class="mi">41</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">user</span><span class="p">,</span><span class="w"> </span><span class="nb">load</span><span class="w"> </span><span class="n">average</span><span class="p">:</span><span class="w"> </span><span class="mf">0.12</span><span class="p">,</span><span class="w"> </span><span class="mf">0.09</span><span class="p">,</span><span class="w"> </span><span class="mf">0.09</span><span class="w"></span>
<span class="n">CPU</span><span class="w"> </span><span class="n">Idle</span><span class="p">:</span><span class="w"> </span><span class="mf">97.44</span><span class="o">%</span><span class="w"> </span><span class="n">System</span><span class="p">:</span><span class="w"> </span><span class="mf">01.54</span><span class="o">%</span><span class="w"> </span><span class="n">User</span><span class="p">:</span><span class="w"> </span><span class="mf">01.03</span><span class="o">%</span><span class="w"></span>
<span class="w"> </span><span class="n">IOWAIT</span><span class="p">:</span><span class="w"> </span><span class="mf">00.00</span><span class="o">%</span><span class="w"> </span><span class="n">IRQ</span><span class="p">:</span><span class="w"> </span><span class="mf">00.00</span><span class="o">%</span><span class="w"> </span><span class="n">Soft</span><span class="p">:</span><span class="w"> </span><span class="mf">00.00</span><span class="o">%</span><span class="w"></span>
<span class="n">Memory</span><span class="w"> </span><span class="n">Total</span><span class="p">:</span><span class="w"> </span><span class="mi">8062468</span><span class="n">K</span><span class="w"></span>
<span class="w"> </span><span class="n">Free</span><span class="p">:</span><span class="w"> </span><span class="mi">124588</span><span class="n">K</span><span class="w"></span>
<span class="w"> </span><span class="n">Used</span><span class="p">:</span><span class="w"> </span><span class="mi">7937880</span><span class="n">K</span><span class="w"></span>
<span class="w"> </span><span class="n">Cached</span><span class="p">:</span><span class="w"> </span><span class="mi">3378724</span><span class="n">K</span><span class="w"></span>
<span class="w"> </span><span class="n">Shared</span><span class="p">:</span><span class="w"> </span><span class="mi">278436</span><span class="n">K</span><span class="w"></span>
<span class="w"> </span><span class="n">Buffers</span><span class="p">:</span><span class="w"> </span><span class="mi">303324</span><span class="n">K</span><span class="w"></span>
<span class="w"> </span><span class="n">Total</span><span class="w"> </span><span class="n">Free</span><span class="w"> </span><span class="n">Used</span><span class="w"></span>
<span class="n">Disk</span><span class="o">/</span><span class="n">active</span><span class="w"> </span><span class="mi">19805456</span><span class="n">K</span><span class="w"> </span><span class="mi">6083384</span><span class="n">K</span><span class="w"> </span><span class="mi">13519528</span><span class="n">K</span><span class="w"> </span><span class="p">(</span><span class="mi">69</span><span class="o">%</span><span class="p">)</span><span class="w"></span>
<span class="n">Disk</span><span class="o">/</span><span class="n">inactive</span><span class="w"> </span><span class="mi">19805456</span><span class="n">K</span><span class="w"> </span><span class="mi">16939384</span><span class="n">K</span><span class="w"> </span><span class="mi">1853336</span><span class="n">K</span><span class="w"> </span><span class="p">(</span><span class="mi">10</span><span class="o">%</span><span class="p">)</span><span class="w"></span>
<span class="n">Disk</span><span class="o">/</span><span class="n">logging</span><span class="w"> </span><span class="mi">69235192</span><span class="n">K</span><span class="w"> </span><span class="mi">35162600</span><span class="n">K</span><span class="w"> </span><span class="mi">30548960</span><span class="n">K</span><span class="w"> </span><span class="p">(</span><span class="mi">47</span><span class="o">%</span><span class="p">)</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Checking the NTP time status (NTP source, synchronization, stratum)</li>
</ul>
<p><strong>utils ntp status</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">admin</span><span class="o">:</span><span class="n">utils</span><span class="w"> </span><span class="n">ntp</span><span class="w"> </span><span class="n">status</span><span class="w"></span>
<span class="n">ntpd</span><span class="w"> </span><span class="o">(</span><span class="n">pid</span><span class="w"> </span><span class="mi">15265</span><span class="o">)</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">running</span><span class="o">...</span><span class="w"></span>
<span class="w"> </span><span class="n">remote</span><span class="w"> </span><span class="n">refid</span><span class="w"> </span><span class="n">st</span><span class="w"> </span><span class="n">t</span><span class="w"> </span><span class="n">when</span><span class="w"> </span><span class="n">poll</span><span class="w"> </span><span class="n">reach</span><span class="w"> </span><span class="n">delay</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="n">jitter</span><span class="w"></span>
<span class="o">==============================================================================</span><span class="w"></span>
<span class="o">*</span><span class="mf">192.168</span><span class="o">.</span><span class="mf">17.250</span><span class="w"> </span><span class="mf">216.239</span><span class="o">.</span><span class="mf">35.0</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="n">u</span><span class="w"> </span><span class="mi">588</span><span class="w"> </span><span class="mi">1024</span><span class="w"> </span><span class="mi">377</span><span class="w"> </span><span class="mf">0.624</span><span class="w"> </span><span class="o">-</span><span class="mf">0.579</span><span class="w"> </span><span class="mf">0.845</span><span class="w"></span>
<span class="n">synchronised</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">NTP</span><span class="w"> </span><span class="n">server</span><span class="w"> </span><span class="o">(</span><span class="mf">192.168</span><span class="o">.</span><span class="mf">17.250</span><span class="o">)</span><span class="w"> </span><span class="n">at</span><span class="w"> </span><span class="n">stratum</span><span class="w"> </span><span class="mi">3</span><span class="w"></span>
<span class="w"> </span><span class="n">time</span><span class="w"> </span><span class="n">correct</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">within</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="n">ms</span><span class="w"></span>
<span class="w"> </span><span class="n">polling</span><span class="w"> </span><span class="n">server</span><span class="w"> </span><span class="n">every</span><span class="w"> </span><span class="mi">1024</span><span class="w"> </span><span class="n">s</span><span class="w"></span>
<span class="n">Current</span><span class="w"> </span><span class="n">time</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">UTC</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">Fri</span><span class="w"> </span><span class="n">Oct</span><span class="w"> </span><span class="mi">11</span><span class="w"> </span><span class="mi">06</span><span class="o">:</span><span class="mi">54</span><span class="o">:</span><span class="mi">15</span><span class="w"> </span><span class="n">UTC</span><span class="w"> </span><span class="mi">2019</span><span class="w"></span>
<span class="n">Current</span><span class="w"> </span><span class="n">time</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">Asia</span><span class="o">/</span><span class="n">Jerusalem</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">Fri</span><span class="w"> </span><span class="n">Oct</span><span class="w"> </span><span class="mi">11</span><span class="w"> </span><span class="mi">09</span><span class="o">:</span><span class="mi">54</span><span class="o">:</span><span class="mi">15</span><span class="w"> </span><span class="n">IDT</span><span class="w"> </span><span class="mi">2019</span><span class="w"></span>
</code></pre></div>
<p>Here:<br>
<code>192.168.17.250</code> - the NTP source for the CUCM and most probably for the IP phones; the <code>st</code> column shows it is a stratum 2 server, which is why the CUCM itself reports stratum 3<br>
<code>216.239.35.0</code> - the reference (refid) from which 192.168.17.250 in turn gets its time </p>
<ul>
<li>The best friend in need - ping, to debug reachability/packet loss/latency issues:<br>
<strong>utils network ping ?</strong></li>
</ul>
<p>Syntax:<br>
<code>ping dest [count VALUE] [size VALUE]</code><br>
<em>dest</em> mandatory dotted IP or host name<br>
<em>count</em> optional count value (default is 4)<br>
<em>size</em> optional size of ping packet in bytes (default is 56) </p>
<p><strong>utils network ping 8.8.8.8 count 10 size 1300</strong></p>
<div class="highlight"><pre><span></span><code>PING 8.8.8.8 (8.8.8.8) 1300(1328) bytes of data.
1308 bytes from 8.8.8.8: icmp_seq=0 ttl=50 time=58.2 ms
1308 bytes from 8.8.8.8: icmp_seq=1 ttl=50 time=57.8 ms
</code></pre></div>
<ul>
<li>Close friend of ping - traceroute:<br>
<strong>utils network traceroute 8.8.8.8</strong> </li>
</ul>
<div class="highlight"><pre><span></span><code><span class="mf">1</span><span class="w"> </span><span class="mf">192.168.17.254</span><span class="w"> </span><span class="p">(</span><span class="mf">192.168.10.254</span><span class="p">)</span><span class="w"> </span><span class="mf">0.336</span><span class="w"> </span><span class="n">ms</span><span class="w"> </span><span class="mf">0.296</span><span class="w"> </span><span class="n">ms</span><span class="w"> </span><span class="mf">0.331</span><span class="w"> </span><span class="n">ms</span><span class="w"></span>
<span class="o"><</span><span class="w"> </span><span class="n">cut</span><span class="w"> </span><span class="kr">for</span><span class="w"> </span><span class="n">clarity</span><span class="o">></span><span class="w"> </span><span class="mf">...</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Show routing table:<br>
<strong>show tech network routes</strong></li>
</ul>
<div class="highlight"><pre><span></span><code><span class="o">--------------------</span><span class="w"> </span><span class="k">show</span><span class="w"> </span><span class="nv">platform</span><span class="w"> </span><span class="nv">network</span><span class="w"> </span><span class="o">--------------------</span><span class="w"></span>
<span class="nv">Routes</span>:<span class="w"></span>
<span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">17</span>.<span class="mi">0</span><span class="o">/</span><span class="mi">24</span><span class="w"> </span><span class="nv">dev</span><span class="w"> </span><span class="nv">eth0</span><span class="w"> </span><span class="nv">proto</span><span class="w"> </span><span class="nv">kernel</span><span class="w"> </span><span class="nv">scope</span><span class="w"> </span><span class="nv">link</span><span class="w"> </span><span class="nv">src</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">17</span>.<span class="mi">1</span><span class="w"></span>
<span class="mi">169</span>.<span class="mi">254</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="o">/</span><span class="mi">16</span><span class="w"> </span><span class="nv">dev</span><span class="w"> </span><span class="nv">eth0</span><span class="w"> </span><span class="nv">scope</span><span class="w"> </span><span class="nv">link</span><span class="w"></span>
<span class="nv">default</span><span class="w"> </span><span class="nv">via</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">17</span>.<span class="mi">254</span><span class="w"> </span><span class="nv">dev</span><span class="w"> </span><span class="nv">eth0</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Show established connections with the process using the port: </li>
</ul>
<p><strong>show network status [process nodns search [search term]]</strong> </p>
<p>Here I search for all established connections on port 5060 of CUCM (192.168.17.1) (namely SIP phones and SIP trunks): </p>
<div class="highlight"><pre><span></span><code><span class="k">show</span><span class="w"> </span><span class="nv">network</span><span class="w"> </span><span class="nv">status</span><span class="w"> </span><span class="nv">process</span><span class="w"> </span><span class="nv">nodns</span><span class="w"> </span><span class="nv">search</span><span class="w"> </span><span class="mi">5060</span><span class="w"></span>
<span class="nv">tcp</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">17</span>.<span class="mi">1</span>:<span class="mi">5060</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">211</span>.<span class="mi">29</span>:<span class="mi">51971</span><span class="w"> </span><span class="nv">ESTABLISHED</span><span class="w"> </span><span class="mi">28364</span><span class="o">/</span><span class="nv">ccm</span><span class="w"></span>
<span class="nv">tcp</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">17</span>.<span class="mi">1</span>:<span class="mi">5060</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">211</span>.<span class="mi">30</span>:<span class="mi">50617</span><span class="w"> </span><span class="nv">ESTABLISHED</span><span class="w"> </span><span class="mi">28364</span><span class="o">/</span><span class="nv">ccm</span><span class="w"></span>
<span class="nv">tcp</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">17</span>.<span class="mi">1</span>:<span class="mi">5060</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">211</span>.<span class="mi">38</span>:<span class="mi">51212</span><span class="w"> </span><span class="nv">ESTABLISHED</span><span class="w"> </span><span class="mi">28364</span><span class="o">/</span><span class="nv">ccm</span><span class="w"></span>
<span class="nv">tcp</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">17</span>.<span class="mi">1</span>:<span class="mi">5060</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">209</span>.<span class="mi">73</span>:<span class="mi">51438</span><span class="w"> </span><span class="nv">ESTABLISHED</span><span class="w"> </span><span class="mi">28364</span><span class="o">/</span><span class="nv">ccm</span><span class="w"></span>
</code></pre></div>
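<p>The same output is a cheap audit source: every ESTABLISHED peer on 5060 is a SIP endpoint or trunk, and any peer outside the subnets where your phones and gateways live deserves a look. The Python below is an added example, not code from the post or from Cisco: it parses lines in the <code>show network status process nodns</code> format, counts connections per process, and reports peers of a given local port that fall outside an allow-list of networks. The four ESTABLISHED lines are the ones quoted above; the fifth line and the phone subnet <code>192.168.208.0/22</code> are constructed for the example (203.0.113.0/24 is documentation address space).</p>

```python
"""Audit CUCM `show network status process nodns` output (added example, not from the post)."""
import ipaddress
import re

# proto Recv-Q Send-Q local:port remote:port STATE pid/process
STATUS_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<raddr>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)\s+(?P<pid>\d+)/(?P<proc>\S+)"
)


def parse_status(lines):
    """Yield one dict per connection line; headers and malformed lines are skipped."""
    for line in lines:
        m = STATUS_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("lport", "rport", "pid"):
                d[key] = int(d[key])
            yield d


def unexpected_peers(lines, local_port, allowed_nets):
    """Return (remote_ip, remote_port, process) for ESTABLISHED peers of local_port
    whose address is in none of allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    unexpected = []
    for c in parse_status(lines):
        if c["lport"] != local_port or c["state"] != "ESTABLISHED":
            continue
        peer = ipaddress.ip_address(c["raddr"])
        if not any(peer in net for net in nets):
            unexpected.append((c["raddr"], c["rport"], c["proc"]))
    return unexpected


def connections_per_process(lines):
    """Count connections per owning process name (e.g. ccm for CallManager)."""
    counts = {}
    for c in parse_status(lines):
        counts[c["proc"]] = counts.get(c["proc"], 0) + 1
    return counts


# The first four lines are the ones quoted in the post; the last is constructed.
SAMPLE_OUTPUT = """\
tcp 0 0 192.168.17.1:5060 192.168.211.29:51971 ESTABLISHED 28364/ccm
tcp 0 0 192.168.17.1:5060 192.168.211.30:50617 ESTABLISHED 28364/ccm
tcp 0 0 192.168.17.1:5060 192.168.211.38:51212 ESTABLISHED 28364/ccm
tcp 0 0 192.168.17.1:5060 192.168.209.73:51438 ESTABLISHED 28364/ccm
tcp 0 0 192.168.17.1:5060 203.0.113.7:5060 ESTABLISHED 28364/ccm
""".splitlines()

# Phone VLAN range assumed for the example; adjust to your own addressing plan.
PHONE_NETS = ["192.168.208.0/22"]

if __name__ == "__main__":
    print(connections_per_process(SAMPLE_OUTPUT))
    for ip, port, proc in unexpected_peers(SAMPLE_OUTPUT, 5060, PHONE_NETS):
        print(f"unexpected SIP peer {ip}:{port} handled by {proc}")
```

<p>Paste the command output into a file and run the checks against it after each change window; a trunk provider's address belongs in the allow-list, an unknown Internet host talking SIP to your call manager does not.</p>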
<ul>
<li>Working with the ARP table:<br>
<strong>utils network arp delete</strong> - delete an ARP entry<br>
<strong>utils network arp set</strong> - add a static ARP entry<br>
<strong>utils network arp list</strong> - list the ARP table, e.g.: </li>
</ul>
<div class="highlight"><pre><span></span><code>Address HWtype HWaddress Flags Mask Iface
192.168.10.198 ether E0:5F:B9:XX:XX:XX C eth0
192.168.10.254 ether 44:D3:CA:XX:XX:XX C eth0
</code></pre></div>
<ul>
<li>Show the ports reachable over the network and the daemons listening on them:<br>
<strong>show network ipprefs public</strong></li>
</ul>
<div class="highlight"><pre><span></span><code><span class="n">Application</span><span class="w"> </span><span class="n">IPProtocol</span><span class="w"> </span><span class="n">PortValue</span><span class="w"> </span><span class="kr">Type</span><span class="w"> </span><span class="n">XlatedPort</span><span class="w"> </span><span class="n">Status</span><span class="w"> </span><span class="n">Description</span><span class="w"></span>
<span class="o">------------</span><span class="w"> </span><span class="o">------------</span><span class="w"> </span><span class="o">------------</span><span class="w"> </span><span class="o">------------</span><span class="w"> </span><span class="o">------------</span><span class="w"> </span><span class="o">------------</span><span class="w"> </span><span class="o">------------</span><span class="w"></span>
<span class="n">sshd</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">22</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">sftp</span><span class="w"> </span><span class="kr">and</span><span class="w"> </span><span class="n">ssh</span><span class="w"> </span><span class="n">access</span><span class="w"></span>
<span class="n">clm</span><span class="w"> </span><span class="n">udp</span><span class="w"> </span><span class="mi">8500</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">cluster</span><span class="w"> </span><span class="n">manager</span><span class="w"></span>
<span class="n">clm</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">8500</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">cluster</span><span class="w"> </span><span class="n">manager</span><span class="w"></span>
<span class="n">tomcat</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">8443</span><span class="w"> </span><span class="n">translated</span><span class="w"> </span><span class="mi">443</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">secure</span><span class="w"> </span><span class="n">web</span><span class="w"> </span><span class="n">access</span><span class="w"></span>
<span class="n">tomcat</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">8080</span><span class="w"> </span><span class="n">translated</span><span class="w"> </span><span class="mi">80</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">web</span><span class="w"> </span><span class="n">access</span><span class="w"></span>
<span class="n">ntpd</span><span class="w"> </span><span class="n">udp</span><span class="w"> </span><span class="mi">123</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">network</span><span class="w"> </span><span class="n">time</span><span class="w"> </span><span class="n">sync</span><span class="w"></span>
<span class="n">taps</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">9050</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">Cisco</span><span class="w"> </span><span class="n">TAPS</span><span class="w"> </span><span class="kr">service</span><span class="w"></span>
<span class="n">soapmonitor</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">5007</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">soapmonitor</span><span class="w"> </span><span class="n">port</span><span class="w"></span>
<span class="n">dhcpd</span><span class="w"> </span><span class="n">udp</span><span class="w"> </span><span class="mi">67</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">DHCP</span><span class="w"> </span><span class="n">server</span><span class="w"> </span><span class="n">port</span><span class="w"></span>
<span class="n">ccm</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">8002</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">CCM</span><span class="w"> </span><span class="n">SDL</span><span class="w"> </span><span class="n">Link</span><span class="w"></span>
<span class="n">ccm</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">1720</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">H225</span><span class="w"> </span><span class="n">SIGNAL</span><span class="w"></span>
<span class="n">ccm</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">2000</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">SCCP</span><span class="o">-</span><span class="n">SIG</span><span class="w"></span>
<span class="n">ccm</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">2001</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">TITAN</span><span class="w"> </span><span class="n">CONVERT</span><span class="w"></span>
<span class="n">ccm</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">2002</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">VEGA</span><span class="w"> </span><span class="n">CONVERT</span><span class="w"></span>
<span class="n">ccm</span><span class="w"> </span><span class="n">udp</span><span class="w"> </span><span class="mi">2427</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">MGCP</span><span class="w"></span>
<span class="n">ccm</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">2428</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">MGCPBH</span><span class="w"></span>
<span class="n">ccm</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">5060</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">SIP</span><span class="w"> </span><span class="n">Listener</span><span class="w"> </span><span class="n">Port</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">TCP</span><span class="w"></span>
<span class="n">ccm</span><span class="w"> </span><span class="n">udp</span><span class="w"> </span><span class="mi">5060</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">SIP</span><span class="w"> </span><span class="n">Listener</span><span class="w"> </span><span class="n">Port</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">UDP</span><span class="w"></span>
<span class="kr">ALL</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">32768</span><span class="o">:</span><span class="mi">61000</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">generic</span><span class="w"> </span><span class="n">ephemeral</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="n">ports</span><span class="w"></span>
<span class="kr">ALL</span><span class="w"> </span><span class="n">udp</span><span class="w"> </span><span class="mi">32768</span><span class="o">:</span><span class="mi">61000</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">generic</span><span class="w"> </span><span class="n">ephemeral</span><span class="w"> </span><span class="n">udp</span><span class="w"> </span><span class="n">ports</span><span class="w"></span>
<span class="n">CTIManager</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">2748</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">CTIManager</span><span class="w"> </span><span class="n">QBE</span><span class="w"> </span><span class="n">TCP</span><span class="w"></span>
<span class="n">CTIManager</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">8003</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">CTI</span><span class="w"> </span><span class="n">SDL</span><span class="w"> </span><span class="n">Link</span><span class="w"></span>
<span class="n">acserver</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">1101</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">Attendent</span><span class="w"> </span><span class="n">Console</span><span class="w"> </span><span class="n">RMI</span><span class="w"> </span><span class="n">callback</span><span class="w"></span>
<span class="n">acserver</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">1102</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">Attendent</span><span class="w"> </span><span class="n">Console</span><span class="w"> </span><span class="n">RMI</span><span class="w"> </span><span class="n">server</span><span class="w"></span>
<span class="n">acserver</span><span class="w"> </span><span class="n">udp</span><span class="w"> </span><span class="mi">3223</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">Attendent</span><span class="w"> </span><span class="n">Console</span><span class="w"> </span><span class="n">Call</span><span class="w"> </span><span class="n">Control</span><span class="w"></span>
<span class="n">ctftp</span><span class="w"> </span><span class="n">udp</span><span class="w"> </span><span class="mi">69</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">TFTP</span><span class="w"> </span><span class="n">access</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">CUCM</span><span class="w"> </span><span class="n">TFTP</span><span class="w"> </span><span class="n">Server</span><span class="w"></span>
<span class="n">ctftp</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">6970</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">HTTP</span><span class="w"> </span><span class="n">access</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">CUCM</span><span class="w"> </span><span class="n">TFTP</span><span class="w"> </span><span class="n">Server</span><span class="w"></span>
<span class="n">ipvms</span><span class="w"> </span><span class="n">udp</span><span class="w"> </span><span class="mi">24576</span><span class="o">:</span><span class="mi">32767</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="n">Voice</span><span class="w"> </span><span class="n">Media</span><span class="w"> </span><span class="n">Streaming</span><span class="w"> </span><span class="n">Driver</span><span class="w"> </span><span class="n">RTP</span><span class="w"></span>
<span class="n">ma</span><span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="mi">2912</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="n">Manager</span><span class="w"> </span><span class="n">Assistant</span><span class="w"></span>
<span class="n">snmpdm</span><span class="w"> </span><span class="n">udp</span><span class="w"> </span><span class="mi">161</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">SNMP</span><span class="w"></span>
</code></pre></div>
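<p>As an added example that is not part of the original post, here is a small Python audit of the <strong>show network ipprefs public</strong> table above. It parses the rows, resolves translated ports to the externally reachable port, and flags enabled listeners a reviewer would want justified. The sample table is a constructed excerpt of the output above, and the review policy (TFTP, HTTP, SNMP, SSH) is my assumed checklist, not a Cisco list.</p>

```python
"""Audit `show network ipprefs public` output for listeners that need justifying.

Added example, not Cisco tooling. SAMPLE is a constructed excerpt of the output in the
post above; REVIEW is an assumed reviewer checklist, not anything CUCM ships with.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
Application  IPProtocol  PortValue    Type        XlatedPort  Status   Description
------------ ----------- ------------ ----------- ----------- -------- ------------
sshd         tcp         22           public      -           enabled  sftp and ssh access
tomcat       tcp         8443         translated  443         enabled  secure web access
tomcat       tcp         8080         translated  80          enabled  web access
ntpd         udp         123          public      -           enabled  network time sync
ccm          tcp         5060         public      -           enabled  SIP Listener Port for TCP
ALL          tcp         32768:61000  public      -           enabled  generic ephemeral tcp ports
ctftp        udp         69           public      -           enabled  TFTP access to CUCM TFTP Server
snmpdm       udp         161          public      -           enabled  SNMP
"""

# Assumed review policy: (protocol, externally reachable port) -> what to ask about it.
REVIEW = {
    ("udp", 69): "TFTP hands out phone configs without authentication; restrict to voice VLANs",
    ("tcp", 80): "cleartext web access; redirect to 443 or block at the firewall",
    ("udp", 161): "SNMP; confirm v3 only and non-default community strings",
    ("tcp", 22): "SSH management; limit to the admin network",
}

ROW = re.compile(
    r"^(?P<app>\S+)\s+(?P<proto>tcp|udp)\s+(?P<lo>\d+)(?::(?P<hi>\d+))?\s+"
    r"(?P<kind>\S+)\s+(?P<xlated>\S+)\s+(?P<status>\S+)\s+(?P<desc>.+)$"
)


@dataclass(frozen=True)
class Listener:
    app: str
    proto: str
    port_lo: int        # PortValue, or the low end of a PortValue range
    port_hi: int
    kind: str           # public or translated
    ext_port: int       # port actually reachable from the network
    status: str
    description: str

    def exposes(self, port):
        """True if `port` is reachable from the network through this entry."""
        if self.kind == "translated":
            return port == self.ext_port
        return self.port_lo <= port <= self.port_hi


def parse_ipprefs(text):
    """Turn the fixed-width table into Listener records; header and rule lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        lo = int(m["lo"])
        hi = int(m["hi"]) if m["hi"] else lo
        # A translated row listens on PortValue but iptables exposes XlatedPort.
        ext = int(m["xlated"]) if m["xlated"] != "-" else lo
        listeners.append(Listener(m["app"], m["proto"], lo, hi, m["kind"], ext,
                                  m["status"], m["desc"].strip()))
    return listeners


def review(listeners):
    """Return (app, proto, port, reason) for enabled listeners that hit the REVIEW policy."""
    findings = []
    for l in listeners:
        if l.status != "enabled":
            continue
        for (proto, port), reason in REVIEW.items():
            if proto == l.proto and l.exposes(port):
                findings.append((l.app, l.proto, port, reason))
    return findings


if __name__ == "__main__":
    for app, proto, port, reason in review(parse_ipprefs(SAMPLE)):
        print(f"{app:8} {proto}/{port:<5} {reason}")
```

<p>Run it as a script to print the findings, or feed it the real output captured over SSH. Disabled rows are skipped on purpose: they describe services CUCM knows about but is not exposing.</p>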
<p>Also:</p>
<p><strong>show open ports</strong><br>
<strong>show open ports all</strong><br>
<strong>show open ports regexp</strong></p>
<ul>
<li>Show the number of tracked connections. It does NOT equal the number of registered phones, but when there is a network connectivity problem this number drops to something unusually low. E.g. on this CUCM with 52 SIP-registered phones:<br>
<strong>show network ip_conntrack</strong></li>
</ul>
<div class="highlight"><pre><span></span><code><span class="mf">301</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Show the hardware platform CUCM runs on (here a VMware virtual machine):<br>
<strong>show hardware</strong> </li>
</ul>
<div class="highlight"><pre><span></span><code>HW Platform : VMware Virtual Machine
Processors : 2
Type : Intel(R) Xeon(R) Silver 4114 CPU @ 2.20GHz
CPU Speed : 2200
Memory : 8192 MBytes
Object ID : 1.3.6.1.4.1.9.1.1348
OS Version : UCOS 6.0.0.0-2.i386
Serial Number : VMware-56 4d 7a aa bb cc dd ee-ee ff 11 22 33 44 55 77
</code></pre></div>
<ul>
<li>Show list of running processes (Linux style):<br>
<strong>show process list</strong></li>
</ul>
<div class="highlight"><pre><span></span><code><span class="nv">PID</span><span class="w"> </span><span class="nv">ARGS</span><span class="w"></span>
<span class="w"> </span><span class="nv">PID</span><span class="w"> </span><span class="nv">COMMAND</span><span class="w"></span>
<span class="mi">1</span><span class="w"> </span><span class="nv">init</span><span class="w"> </span>[<span class="mi">3</span>]<span class="w"></span>
<span class="mi">2</span><span class="w"> </span>[<span class="nv">migration</span><span class="o">/</span><span class="mi">0</span>]<span class="w"></span>
<span class="o"><</span><span class="nv">cut</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">brevity</span><span class="o">></span><span class="w"></span>
</code></pre></div>
<ul>
<li>Show I/O stats:<br>
<strong>utils iostat</strong></li>
</ul>
<div class="highlight"><pre><span></span><code>Executing command... Please be patient
Linux 2.6.32-573.18.1.el6.x86_64 (CUCMPUB) 10/11/2019 _x86_64_ (2 CPU)
10/11/2019 10:06:07 AM
avg-cpu: %user %nice %system %iowait %steal %idle
5.64 0.00 4.21 0.01 0.00 90.14
Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s avgrq-sz avgqu-sz await svctm %util
scd0 0.00 0.00 0.00 0.00 0.00 0.00 8.00 0.00 1.16 1.16 0.00
sda 0.02 19.67 0.22 42.42 2.48 496.75 11.71 0.01 0.22 0.03 0.14
</code></pre></div>
<ul>
<li>And the last resort - restarting a specific service or the whole CUCM. When things go rough and the GUI is unreachable, be it a weird CPU overload or a stuck web service, I restart the whole CUCM with: </li>
</ul>
<p><strong>utils system {restart | shutdown | switch-version}</strong></p>
<p>In VMware you can also reset the virtual machine hosting CUCM, but that skips the orderly shutdown of the services and the database, so prefer the CLI command whenever the box still answers on SSH.</p>
<ul>
<li>Stop/start a specific service. Be aware that the set of services controllable from the CLI is limited; run the command without a valid service name and it prints the list:<br>
<strong>utils service stop</strong></li>
</ul>
<div class="highlight"><pre><span></span><code><span class="nv">Invalid</span><span class="w"> </span><span class="nv">service</span><span class="w"> </span><span class="nv">name</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">start</span><span class="o">/</span><span class="nv">stop</span>,<span class="w"> </span><span class="nv">valid</span><span class="w"> </span><span class="nv">names</span><span class="w"> </span><span class="nv">are</span>:<span class="w"></span>
<span class="w"> </span><span class="nv">System</span><span class="w"> </span><span class="nv">SSH</span><span class="w"></span>
<span class="w"> </span><span class="nv">Cluster</span><span class="w"> </span><span class="nv">Manager</span><span class="w"></span>
<span class="w"> </span><span class="nv">Service</span><span class="w"> </span><span class="nv">Manager</span><span class="w"></span>
<span class="w"> </span><span class="nv">A</span><span class="w"> </span><span class="nv">Cisco</span><span class="w"> </span><span class="nv">DB</span><span class="w"></span>
<span class="w"> </span><span class="nv">Cisco</span><span class="w"> </span><span class="nv">Tomcat</span><span class="w"></span>
<span class="w"> </span><span class="nv">Cisco</span><span class="w"> </span><span class="nv">Database</span><span class="w"> </span><span class="nv">Layer</span><span class="w"> </span><span class="nv">Monitor</span><span class="w"></span>
<span class="w"> </span><span class="nv">Cisco</span><span class="w"> </span><span class="nv">CallManager</span><span class="w"> </span><span class="nv">Serviceability</span><span class="w"></span>
<span class="w"> </span><span class="o"><</span><span class="nv">cut</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">brevity</span><span class="o">></span><span class="w"></span>
</code></pre></div>
<p><strong>utils service</strong><br>
<strong>utils service auto-restart</strong><br>
<strong>utils service list</strong><br>
<strong>utils service restart</strong><br>
<strong>utils service start</strong><br>
<strong>utils service stop</strong></p>
<ul>
<li>
<p>Get the disk usage:<br>
<strong>show diskusage activelog</strong></p>
</li>
<li>
<p>Show logged in admins:<br>
<strong>show logins</strong></p>
</li>
</ul>
<div class="highlight"><pre><span></span><code>administ pts/0 192.168.7.1 Wed Aug 12 09:56 still logged in
</code></pre></div>
<ul>
<li>Change the password for yourself or another user. Be careful here, of course: the same command family also sets the password policy (age, complexity, inactivity) for all OS CLI users. </li>
</ul>
<p><strong>set password { age* | complexity* | expiry* | inactivity* | user* }</strong></p>
<ul>
<li>Show when users' passwords expire. A MAX-age of 99999 days, as for <em>administrator</em> below, means the password effectively never expires; <strong>set password age maximum</strong> tightens it: </li>
</ul>
<p><strong>show password expiry user list</strong> </p>
<div class="highlight"><pre><span></span><code><span class="k">show</span><span class="w"> </span><span class="nv">password</span><span class="w"> </span><span class="nv">expiry</span><span class="w"> </span><span class="nv">user</span><span class="w"> </span><span class="nv">list</span><span class="w"></span>
<span class="nv">Password</span><span class="w"> </span><span class="nv">age</span><span class="w"> </span><span class="nv">limits</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">OS</span><span class="w"> </span><span class="nv">CLI</span><span class="w"> </span><span class="nv">users</span><span class="w"> </span><span class="nv">are</span>:<span class="w"></span>
<span class="o">=================================================</span><span class="w"></span>
<span class="o">|</span><span class="nv">MAX</span><span class="o">-</span><span class="nv">age</span><span class="o">|</span><span class="w"> </span><span class="nv">MIN</span><span class="o">-</span><span class="nv">age</span><span class="o">|</span><span class="w"></span>
<span class="o">|</span><span class="w"> </span><span class="nv">Days</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nv">Days</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nv">UserID</span><span class="w"></span>
<span class="o">|=======|</span><span class="w"> </span><span class="o">========|</span><span class="w"> </span><span class="o">=============================</span><span class="w"></span>
<span class="o">|</span><span class="w"> </span><span class="mi">99999</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nv">administrator</span><span class="w"></span>
</code></pre></div>
<h3>The commands below are mostly relevant to the now EOL Cisco 7800 Series Media Convergence Servers hardware used for CUCM</h3>
<ul>
<li>Show the status of the fans (irrelevant for VMware based install):<br>
<strong>show environment fans</strong> </li>
</ul>
<div class="highlight"><pre><span></span><code>                   (RPMS)    Lower Critical
ID                 Current   Threshold        Status
Fan Sensor 1       7800      4200             OK
Fan Sensor 2       7950      4200             OK
Fan Sensor 3       7800      4200             OK
Fan Sensor 4       7350      4200             OK
Fan Sensor 5       7200      4200             OK
</code></pre></div>
<ul>
<li>Show the server temperature (irrelevant for VMware based install):<br>
<strong>show environment temperatures</strong></li>
</ul>
<div class="highlight"><pre><span></span><code>(Celcius) Non-Critical Critical Threshold Threshold
ID Current Lower Upper Lower Upper Location Temperature Sensor
1 24 53 54 55 62 1
</code></pre></div>
<ul>
<li>Show the server hardware (irrelevant for VMware based install):<br>
<strong>show hardware</strong></li>
</ul>
<div class="highlight"><pre><span></span><code>HW Platform : 7825I4
Processors : 1
Type : Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz
CPU Speed : 3000
Memory : 2048 MBytes
</code></pre></div>
<ul>
<li>Show physical memory (irrelevant for VMware based install):<br>
<strong>show memory modules</strong></li>
</ul>
<div class="highlight"><pre><span></span><code>Bank      Locator   Size       Active   Status
DIMM 1    DIMM 1    1024 MB    TRUE     OK
DIMM 3    DIMM 3    1024 MB    TRUE     OK
</code></pre></div>
<ul>
<li>Show the interface status, e.g. whether it negotiated full duplex (more useful on hardware servers than on VMware):<br>
<strong>show network eth0</strong></li>
</ul>
<div class="highlight"><pre><span></span><code>Ethernet 0
DHCP : disabled Status : up
IP Address : 192.168.10.1 IP Mask : 255.255.255.000
Link Detected: yes Mode : Auto enabled, Full, 100 Mbits/s
Duplicate IP : no
DNS Not configured.
Gateway : 192.168.10.254 on Ethernet 0
</code></pre></div>
<ul>
<li>Show the firewall status. Being a Red Hat based server, CUCM ships with an iptables firewall that is on by default; I have never needed to change its rules or turn it off. If you do disable it for troubleshooting, remember that it then exposes every listener, not only the ports <strong>show network ipprefs public</strong> reports as public, so enable it again afterwards:<br>
<strong>utils firewall ipv4 debug</strong><br>
<strong>utils firewall ipv4 disable</strong><br>
<strong>utils firewall ipv4 enable</strong><br>
<strong>utils firewall ipv4 list</strong> - list all the rules<br>
<strong>utils firewall ipv4 status</strong> - see whether the firewall is on or off</li>
</ul>
<h3>Additional Resources</h3>
<ul>
<li><a href="https://yurisk.info/2014/05/12/cisco-cucm-cdr-report-call-duration-and-called-numbers-extraction-script/"> Cisco CUCM CDR report - call duration and called numbers extraction script</a> </li>
</ul>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Cisco reflexive access-lists are still on CCNP Security exam2015-07-24T08:44:46+00:002015-07-24T08:44:46+00:00Yuri Slobodyanyuktag:yurisk.info,2015-07-24:/2015/07/24/cisco-reflexive-access-lists-are-still-on-ccnp-security-exam/<p>Today I was surprised to hear from someone who just took one of the CCNP Security exams that they still test for Reflexive access-lists - what nostalgia. I was sure they had long been ousted by ip inspect (CBAC) and the Zone Based Firewall, but no - they are still tested and still available in the newest IOS images of at least the ISR routers. If you, like me, are rusty on the config, here is how to allow everything outbound from the inside while letting only the replies back in. First the list for the outbound direction; each <code>reflect</code> keyword tells the router to record the permitted session in the reflexive list named MIRROR: </p>
<div class="highlight"><pre><span></span><code>ip access-list extended OUTBOUND
permit tcp any any reflect MIRROR
permit udp any any reflect MIRROR
permit icmp any any reflect MIRROR
</code></pre></div>
<p>Then the access-list for the inbound direction on the external-facing interface; <code>evaluate</code> is the point where the temporary mirrored entries are inserted: </p>
<div class="highlight"><pre><span></span><code>ip access-list extended INBOUND
evaluate MIRROR
</code></pre></div>
<p>And finally apply both on the external-facing interface (FastEthernet 0/1 here): </p>
<div class="highlight"><pre><span></span><code>#<span class="nv">conf</span><span class="w"> </span><span class="nv">t</span><span class="w"></span>
<span class="ss">(</span><span class="nv">config</span><span class="ss">)</span>#<span class="w"> </span><span class="nv">interface</span><span class="w"> </span><span class="nv">FastEthernet</span><span class="w"> </span><span class="mi">0</span><span class="o">/</span><span class="mi">1</span><span class="w"> </span>
<span class="ss">(</span><span class="nv">config</span><span class="o">-</span><span class="k">if</span><span class="ss">)</span>#<span class="w"> </span><span class="nv">ip</span><span class="w"> </span><span class="nv">access</span><span class="o">-</span><span class="nv">group</span><span class="w"> </span><span class="nv">OUTBOUND</span><span class="w"> </span><span class="nv">out</span><span class="w"> </span>
<span class="ss">(</span><span class="nv">config</span><span class="o">-</span><span class="k">if</span><span class="ss">)</span>#<span class="w"> </span><span class="nv">ip</span><span class="w"> </span><span class="nv">access</span><span class="o">-</span><span class="nv">group</span><span class="w"> </span><span class="nv">INBOUND</span><span class="w"> </span><span class="nv">in</span><span class="w"></span>
</code></pre></div>
<p>Do not forget of course its drawbacks:</p>
<ul>
<li>It does not work well with multi-channel protocols like active FTP: the data connection is opened by the server towards a new client port, so no mirrored entry exists for it.</li>
<li>It is not truly stateful. What happens is that the router dynamically adds temporary entries to the INBOUND list that mirror the passing traffic (source and destination addresses and ports swapped) and expires them after a timeout, 300 seconds by default (global <strong>ip reflexive-list timeout</strong>, or per entry with <strong>reflect MIRROR timeout</strong>). In doing so the router keys only on protocol, source/destination IP addresses and ports; it never inspects the payload, which is why protocols that negotiate extra connections inside the payload break.</li>
</ul>
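<p>To make the last point concrete, here is an added Python model (my code, not Cisco's) of the mechanism: a permitted outbound flow creates a mirrored entry that <code>evaluate</code> matches exactly and that expires after the timeout. It also shows why active FTP breaks, since the server-initiated data connection matches no entry. Hosts, ports and sessions are constructed, and the early teardown IOS performs on TCP FIN/RST is not modelled.</p>

```python
"""Toy model of how IOS reflexive ACLs admit return traffic (added example, not Cisco code).

It mirrors what `permit tcp any any reflect MIRROR` (outbound) and `evaluate MIRROR`
(inbound) do: a permitted outbound session creates a temporary entry with addresses
and ports swapped, which expires after the reflexive timeout. Only the timeout is
modelled, not the early teardown IOS does on TCP FIN/RST. Addresses, ports and
sessions below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirror(self):
        """The entry the router creates: same protocol, endpoints swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class ReflexiveList:
    """Dynamic entries of one reflexive list (MIRROR) plus their expiry times."""
    DEFAULT_TIMEOUT = 300  # seconds, the IOS default for `ip reflexive-list timeout`

    def __init__(self, timeout=DEFAULT_TIMEOUT):
        self.timeout = timeout
        self.entries = {}  # mirrored Flow -> expiry time (seconds)

    def reflect(self, flow, now):
        """Outbound list with `reflect`: permit the flow and (re)arm its mirrored entry."""
        self.entries[flow.mirror()] = now + self.timeout

    def evaluate(self, flow, now):
        """Inbound list with `evaluate`: permit only an exact, unexpired mirrored match."""
        self.entries = {f: t for f, t in self.entries.items() if t > now}
        return flow in self.entries


def web_session():
    """HTTPS from an inside host: reply allowed, other ports and late packets dropped."""
    acl = ReflexiveList()
    out = Flow("tcp", "10.1.1.5", 40000, "203.0.113.10", 443)
    acl.reflect(out, now=0)
    reply = out.mirror()                                         # 203.0.113.10:443 -> 10.1.1.5:40000
    other = Flow("tcp", "203.0.113.10", 443, "10.1.1.5", 40001)  # same server, different client port
    return (acl.evaluate(reply, now=10),
            acl.evaluate(other, now=10),
            acl.evaluate(reply, now=acl.timeout + 1))


def active_ftp():
    """Why FTP breaks: the server-initiated data connection has no mirrored entry."""
    acl = ReflexiveList()
    control = Flow("tcp", "10.1.1.5", 40100, "198.51.100.7", 21)
    acl.reflect(control, now=0)
    # Client sent PORT 10,1,1,5,156,157 (port 40093); the server connects from 20 to it.
    data = Flow("tcp", "198.51.100.7", 20, "10.1.1.5", 40093)
    return acl.evaluate(control.mirror(), now=1), acl.evaluate(data, now=1)


if __name__ == "__main__":
    print("web session (reply, other port, after timeout):", web_session())
    print("active ftp (control reply, data connection):", active_ftp())
```

<p>The exact-match lookup is the whole story: anything the inside host did not initiate with those precise endpoints, including the FTP server's connection from port 20, never gets an entry and falls through to the implicit deny at the end of INBOUND.</p>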
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>How to know if a license or a subscription is about to expire for Check Point product2015-07-13T08:44:46+00:002015-07-13T08:44:46+00:00Yuri Slobodyanyuktag:yurisk.info,2015-07-13:/2015/07/13/how-to-know-if-a-license-or-a-subscription-is-about-to-expire-for-check-point-product/<p>There are two ways to be warned when some license or subscription based service from Check Point is about to expire:</p>
<ul>
<li>Every time we log in to SmartUpdate (part of the SmartConsole suite), if any licenses or services expire within the next 30 days we see a pop-up listing the expiring licenses/contracts in red.</li>
<li>If you have a User Center account attached to your Checkpoint account (and if not, make sure you do), a reminder is sent to the registered email address, again within 30 days of expiration.</li>
</ul>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Overlooked but nice utility from Checkpoint - cpview2015-06-14T08:44:46+00:002015-06-14T08:44:46+00:00Yuri Slobodyanyuktag:yurisk.info,2015-06-14:/2015/06/14/overlooked-but-nice-utility-from-checkpoint-cpview/<p>Checkpoint has made available starting with <strong>R77.30</strong> this helpful diagnostics and debug utility called <strong>cpview</strong>, of which not many are aware. It is basically a Bash script that runs a bunch of native Checkpoint commands in the background and displays their output on the terminal, refreshing the data every other second.</p>
<ul>
<li>Running the command (you have to be in Expert mode):<br>
<strong># cpview</strong></li>
<li>File location:<br>
<strong># which cpview</strong><br>
<code>alias cpview='/bin/cpview_start.sh'</code><br>
<code>/bin/cpview_start.sh</code></li>
<li>Some of the commands the utility runs:<br>
<strong>fw ctl pstat<br>
fw ctl multik stat<br>
fw ctl affinity -l -r</strong></li>
</ul>
<p>Example output:<br>
<a href="http://yurisk.info/wp-content/uploads/2015/06/cpview1.png"><img alt="cpview" src="http://yurisk.info/wp-content/uploads/2015/06/cpview1-150x150.png"></a></p>
<p>Even more, this tool keeps history, by default a month's worth of data, so whenever you debug a gateway make a habit of checking it first. You can find more information in sk101878 at the Checkpoint site:<br>
<a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk101878">CPView Utility</a> </p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Checkpoint Mobile Access support for SHA-256 SSL certificates2015-06-10T17:55:01+00:002015-06-10T17:55:01+00:00Yuri Slobodyanyuktag:yurisk.info,2015-06-10:/2015/06/10/checkpoint-mobile-access-support-for-sha-256-ssl-certificates/<p>The new era of SHA-256 (as opposed to SHA-1) signed SSL certificates is slowly gaining pace, not without a gentle push from the <a href="http://googleonlinesecurity.blogspot.co.il/2014/09/gradually-sunsetting-sha-1.html">browser vendors</a>. And Checkpoint is catching up in its new version R77.30 for Open Servers.
While on both versions, R77.20 and R77.30, the <strong>cpopenssl</strong> package reports the same version string, the two do differ: </p>
<p><a href="http://yurisk.info/wp-content/uploads/2015/06/sha256.png"><img alt="cpopenssl command accepting -sha-256 option" src="http://yurisk.info/wp-content/uploads/2015/06/sha256-150x144.png"></a><br>cpopenssl in R77.30 now accepts the -sha256 option when generating a CSR</p>
<p>It doesn't mean earlier versions do not support SHA-256 certificates, only that their <strong>cpopenssl</strong> cannot produce a CSR signed with SHA-256. That is rarely a problem in practice: the CSR's self-signature only proves you hold the private key matching the public key inside it, while the hash used to sign the issued certificate is chosen by the CA at signing time. So your SSL certificate provider is very much able to issue a SHA-256 certificate from a SHA-1 signed CSR; the two signatures are simply not related.</p>
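<p>To see that independence for yourself, here is an added example (not from the original post and not Check Point code): it generates a CSR self-signed with <code>-sha256</code>, then signs it as a throwaway CA using a different digest, and reads the signature algorithm of both objects back. It assumes a plain <code>openssl</code> binary on the PATH (set <code>OPENSSL=cpopenssl</code> on a Gaia box); the subject names and the toy CA are placeholders.</p>

```shell
#!/bin/sh
# Added example, not from the original post: show that the digest used to
# self-sign a CSR is independent of the digest the CA uses on the certificate.
# Assumes an OpenSSL binary on PATH (OPENSSL=cpopenssl on Gaia is an assumption).
OPENSSL=${OPENSSL:-openssl}
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# sig_alg FILE KIND: print the signature algorithm of a CSR (KIND=req) or a
# certificate (KIND=x509), e.g. sha256WithRSAEncryption
sig_alg() {
    "$OPENSSL" "$2" -in "$1" -noout -text 2>/dev/null |
        awk -F': *' '/Signature Algorithm/ { print $2; exit }'
}

# make_csr DIGEST: fresh RSA key plus a CSR self-signed with DIGEST;
# prints the CSR's own signature algorithm
make_csr() {
    "$OPENSSL" req -new -newkey rsa:2048 -nodes -"$1" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
        -subj "/CN=vpn.example.com" >/dev/null 2>&1 || return 1
    sig_alg "$WORK/srv.csr" req
}

# issue_cert DIGEST: a throwaway CA signs the CSR left by make_csr using DIGEST,
# which need not match the CSR's digest; prints the certificate's signature algorithm
issue_cert() {
    "$OPENSSL" req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Toy CA" >/dev/null 2>&1 || return 1
    "$OPENSSL" x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -"$1" -days 1 -out "$WORK/srv.crt" >/dev/null 2>&1 || return 1
    sig_alg "$WORK/srv.crt" x509
}

# Usage: sh csr_digest_demo.sh
printf 'CSR signed with:         %s\n' "$(make_csr sha256)"
printf 'Certificate signed with: %s\n' "$(issue_cert sha384)"
```

<p>Swap <code>sha384</code> for whatever the CA side uses; the CSR keeps its own signature algorithm and the certificate gets the CA's. That is the property an older cpopenssl relies on when you hand a SHA-1 signed CSR to a provider that issues SHA-256 certificates.</p>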
SNMP in Gaia default community string2014-07-07T07:35:23+00:002014-07-07T07:35:23+00:00Yuri Slobodyanyuktag:yurisk.info,2014-07-07:/2014/07/07/snmp-in-gaia-default-community-string/<p>Configuring SNMP in Gaia, as opposed to SPLAT, has been made much simpler. So simple that it is easy to overlook that the default read-only community is <strong>public</strong>, the first string every scanner tries, so anyone who can reach UDP/161 on the gateway gets to walk its MIB (interfaces, addresses, routes, software version) for free.<br>
So it is a good idea to change it while enabling SNMP: </p>
<div class="highlight"><pre><span></span><code>set snmp agent on
set snmp agent-version any
set snmp community NotPublic read-only
</code></pre></div>
<p>PS. Another 'feature' of SNMP in Gaia is that you can enable either versions 1 and 2c together or version 3; enabling just version 2c is not possible. Keep in mind that v1/v2c community strings travel in cleartext, so on a gateway reachable from networks you do not fully trust, a v3-only agent with authenticated and encrypted users is the better choice.</p>
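<p>Because the default is so easy to miss, it is worth checking for it in the configuration dump rather than by memory. Here is an added example, not from the original post: an awk-based audit of the <code>set snmp ...</code> lines from a Gaia <code>show configuration</code> output. The two configuration samples are constructed; the 12-character minimum for a community string is my own threshold, not a Check Point recommendation.</p>

```shell
#!/bin/sh
# Added example, not from the original post: audit a Gaia clish configuration
# dump (the "set snmp ..." lines of "show configuration") for SNMP settings
# that leave the gateway readable with a guessable community string.
# Input format assumed: one clish command per line, as clish prints it.

# Constructed sample: what a freshly enabled SNMP agent typically looks like.
WEAK_CONFIG='set snmp agent on
set snmp agent-version any
set snmp community public read-only
set snmp contact "noc@example.com"'

# Constructed sample: the same gateway after the community was changed.
FIXED_CONFIG='set snmp agent on
set snmp agent-version any
set snmp community Zf8kq2LmP4vTw9Rb read-only'

# snmp_findings: read a clish config on stdin, print one finding per line.
snmp_findings() {
    awk '
        $1=="set" && $2=="snmp" && $3=="agent" && $4=="on" { agent_on=1 }
        $1=="set" && $2=="snmp" && $3=="agent-version"     { ver=$4 }
        $1=="set" && $2=="snmp" && $3=="community" {
            comm=$4; perm=$5
            if (tolower(comm)=="public" || tolower(comm)=="private")
                printf "default community \"%s\" (%s)\n", comm, perm
            else if (length(comm) < 12)   # threshold is an assumption of this example
                printf "short community \"%s\" (%s): %d chars\n", comm, perm, length(comm)
        }
        END {
            # "any" is the v1+v2c setting from the post: communities go over the wire in cleartext
            if (agent_on && ver == "any")
                printf "agent-version any: v1/v2c enabled, community strings travel in cleartext\n"
        }'
}

# snmp_audit: print findings and exit 1 when there are any, 0 when clean.
snmp_audit() {
    findings=$(snmp_findings)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage: clish -c "show configuration" | sh snmp_audit.sh   (or feed a saved dump)
printf '%s\n' "$WEAK_CONFIG"  | snmp_audit || echo "-> weak config needs work"
printf '%s\n' "$FIXED_CONFIG" | snmp_audit || echo "-> fixed config still has a finding"
```

<p>Note that the "fixed" configuration from the post still produces one finding: changing the community removes the default, but <code>agent-version any</code> keeps v1/v2c enabled, and the new community is still readable to anyone on the path.</p>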
RIPE database query for a route object, or why my network is not advertised via BGP to the world2014-05-14T19:11:37+00:002014-05-14T19:11:37+00:00Yuri Slobodyanyuktag:yurisk.info,2014-05-14:/2014/05/14/ripe-database-query-for-a-route-object-or-why-my-network-is-not-advertised-via-bgp-to-the-world/<p>Once it was a nice-to-have that most ISPs in the world ignored anyway, but today it is a must if you plan to advertise your networks via BGP through your uplink provider: a <strong>route object</strong> for your prefix in the Internet Routing Registry (IRR) that your provider's upstreams check, for a RIPE-region provider the RIPE database. Without it you will happily advertise your networks, the uplink provider will duly pass them on to its upstream peers, and those peers, who build their prefix filters from the registry and find no matching route object, will silently drop the announcement.<br>
Of course it is the duty of your transit provider to update the registry with your network, but after all you are the one most interested, so, as they say in Russian, "Доверяй, но проверяй" (trust, but verify). Here is how to do it:<br>
<strong>whois -h whois.ripe.net -- '-a -r -i or -T route AS1680' | grep route</strong><br>
In this example I assume your uplink provider is Netvision with AS1680; replace the AS number with the correct one. The flags after <code>--</code> are RIPE query options: <code>-i or</code> is an inverse lookup on the <code>origin</code> attribute, <code>-T route</code> restricts the result to route objects, <code>-r</code> turns off the recursive lookup of contact objects and <code>-a</code> searches all the databases the server mirrors. The output will look like: </p>
<div class="highlight"><pre><span></span><code><span class="n">route</span><span class="o">:</span><span class="w"> </span><span class="mf">109.186</span><span class="o">.</span><span class="mf">0.0</span><span class="o">/</span><span class="mi">16</span><span class="w"></span>
<span class="n">route</span><span class="o">:</span><span class="w"> </span><span class="mf">109.253</span><span class="o">.</span><span class="mf">0.0</span><span class="o">/</span><span class="mi">16</span><span class="w"></span>
<span class="n">route</span><span class="o">:</span><span class="w"> </span><span class="mf">117.121</span><span class="o">.</span><span class="mf">245.0</span><span class="o">/</span><span class="mi">24</span><span class="w"></span>
<span class="n">route</span><span class="o">:</span><span class="w"> </span><span class="mf">138.134</span><span class="o">.</span><span class="mf">0.0</span><span class="o">/</span><span class="mi">16</span><span class="w"></span>
<span class="n">route</span><span class="o">:</span><span class="w"> </span><span class="mf">147.161</span><span class="o">.</span><span class="mf">0.0</span><span class="o">/</span><span class="mi">16</span><span class="w"></span>
<span class="o">...</span><span class="w"></span>
</code></pre></div>
<p>If your network is not in that listing: Houston, you have a problem.</p>
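<p>Grepping for <code>route</code> throws away the <code>origin</code>, which is the attribute upstream prefix filters are actually built from. Here is an added example, not from the original post, that parses the whois reply into prefix/origin pairs and checks for a specific pair. The sample reply is constructed from documentation prefixes and a private AS number; <code>check_live</code> runs the same whois query as the post when you do have network access.</p>

```shell
#!/bin/sh
# Added example, not from the original post: parse RIPE whois output into
# "prefix origin" pairs and check that a given prefix has a route object with
# the expected origin AS. SAMPLE_WHOIS is constructed (RFC 5737 prefixes and a
# private AS), shaped like a real reply; it is not a real registry record.
SAMPLE_WHOIS='% This is the RIPE Database query service.
% The objects are in RPSL format.

route:          192.0.2.0/24
descr:          Example customer block
origin:         AS64500
mnt-by:         EXAMPLE-MNT
source:         RIPE

route:          198.51.100.0/24
descr:          Another example block
origin:         AS64500
mnt-by:         EXAMPLE-MNT
source:         RIPE

% This query was served by the RIPE Database Query Service'

# route_objects: stdin = whois text, stdout = "prefix origin" per route object.
# RPSL objects are blank-line separated, attributes are "key: value".
route_objects() {
    awk -F':[ \t]*' '
        /^%/ { next }                                         # server comments
        $1=="route"  { prefix=$2 }
        $1=="origin" { origin=$2 }
        /^$/ && prefix!="" { print prefix, origin; prefix=""; origin="" }
        END { if (prefix!="") print prefix, origin }'
}

# has_route_object PREFIX ORIGIN: stdin = whois text; exit 0 if that exact
# prefix/origin pair exists, 1 otherwise (a covering less-specific does not count)
has_route_object() {
    route_objects | awk -v p="$1" -v o="$2" '$1==p && $2==o { found=1 } END { exit !found }'
}

# check_live PREFIX ORIGIN: the real query from the post, needs network access
check_live() {
    whois -h whois.ripe.net -- "-a -r -i or -T route $2" | has_route_object "$1" "$2"
}

# Usage: sh route_object_check.sh   (replace the sample with check_live 10.0.0.0/8 AS1680)
printf '%s\n' "$SAMPLE_WHOIS" | route_objects
printf '%s\n' "$SAMPLE_WHOIS" | has_route_object 192.0.2.0/24 AS64500 &&
    echo "192.0.2.0/24 has a route object with origin AS64500"
```

<p>An exact match is deliberate: a route object for a covering aggregate with the same origin will usually let the prefix through a filter generated from the IRR, but only if the filter was built with more-specifics allowed, so the safe check is for the prefix you actually announce.</p>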
Cisco CUCM CDR report - call duration and called numbers extraction script2014-05-12T07:53:24+00:002014-05-12T07:53:24+00:00Yuri Slobodyanyuktag:yurisk.info,2014-05-12:/2014/05/12/cisco-cucm-cdr-report-call-duration-and-called-numbers-extraction-script/<p>Yesterday I had to extract some data from a CDR report for a client, namely the call start time, its duration and the called number. And while I am sure Google has a zillion scripts to be found, it was much faster to hack this one-liner in AWK.<br>
The script extracts the following fields from the CDR report, in this order:<br>
<em>dateTimeOrigination</em> - for outgoing calls it is the time the device goes off hook, stored as Unix epoch seconds, which is why the one-liner runs it through <code>strftime()</code><br>
<em>callingPartyNumber</em> - initiator of the call<br>
<em>finalCalledPartyNumber</em> - the reached/dialed number (after forwarding, if any)<br>
<em>duration</em> - duration of the call in seconds<br>
The extracted data is written as CSV so it can be imported straight into Microsoft Excel. Note that <code>strftime()</code> is not part of POSIX awk; gawk and mawk provide it, a minimal awk will not, and it renders the time in the local time zone of the box running awk (IDT in the output below).
Enjoy. Any questions - feel free to ask.</p>
<div class="highlight"><pre><span></span><code> awk -F, <span class="s1">'BEGIN {OFS=","} {print strftime("%c",$5),$9,$31,$56}'</span> report_cdr
</code></pre></div>
<p>Output:</p>
<div class="highlight"><pre><span></span><code>Sun 04 May 2014 01:54:37 PM IDT,0555555555,2988,41
Sun 04 May 2014 01:55:07 PM IDT,2908,0555555555,25
</code></pre></div>
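<p>What a security engineer usually wants from the same four columns is not a spreadsheet but a filter. The following is an added example, not from the original post: it builds a few 123-column CDR lines with only those four fields populated (constructed data) and flags international calls placed outside business hours and unusually long calls, the classic toll-fraud signals. The international prefix (<code>00</code>), the business hours and the duration threshold are assumptions; adjust them to your dial plan. The hour is computed arithmetically in UTC so the filter does not depend on <code>strftime()</code>.</p>

```shell
#!/bin/sh
# Added example, not from the original post: flag suspicious calls from the
# same CDR columns the one-liner uses: 5 dateTimeOrigination, 9 callingPartyNumber,
# 31 finalCalledPartyNumber, 56 duration. All sample data below is constructed.
INTL_PREFIX=${INTL_PREFIX:-00}     # assumption: "00" dials international
HOUR_START=${HOUR_START:-8}        # assumption: business hours 08:00-19:00 UTC
HOUR_END=${HOUR_END:-19}
MAX_DURATION=${MAX_DURATION:-3600} # assumption: calls over an hour are unusual here

# mk_cdr EPOCH CALLER CALLED DURATION: emit one 123-field CDR line with only
# the four fields of interest populated, so column positions match a real record
mk_cdr() {
    awk -v t="$1" -v a="$2" -v b="$3" -v d="$4" 'BEGIN {
        for (i = 1; i <= 123; i++) {
            v = (i==5 ? t : i==9 ? a : i==31 ? b : i==56 ? d : "")
            printf "%s%s", v, (i < 123 ? "," : "\n")
        }
    }'
}

# Constructed CDR extract: two header rows like CUCM writes them (field names,
# then field types; shortened stand-ins here), followed by four records.
SAMPLE_CDR=$(
    printf '%s\n' 'cdrRecordType,globalCallID_callManagerId,globalCallID_callId,origLegCallIdentifier,dateTimeOrigination'
    printf '%s\n' 'INTEGER,INTEGER,INTEGER,INTEGER,INTEGER'
    mk_cdr 1399168800 2908 0049301234567 185     # 02:00 UTC, international: flag
    mk_cdr 1399200000 0555555555 2988 41         # 10:40 UTC, internal: fine
    mk_cdr 1399200000 2908 00441234567 600       # 10:40 UTC, international in hours: fine
    mk_cdr 1399200000 2988 5551234 7200          # two-hour call: flag
)

# suspicious_calls: stdin = CDR lines; stdout = CSV of
# epoch,hourUTC,caller,called,duration,reason for each flagged call.
# Header rows are skipped by requiring a numeric dateTimeOrigination.
suspicious_calls() {
    awk -F, -v pfx="$INTL_PREFIX" -v hs="$HOUR_START" -v he="$HOUR_END" -v maxd="$MAX_DURATION" '
        BEGIN { OFS="," }
        $5 !~ /^[0-9]+$/ { next }
        {
            hour = int(($5 % 86400) / 3600)          # UTC hour from the epoch
            intl = (index($31, pfx) == 1)            # called number starts with the prefix
            offhours = (hour < hs || hour >= he)
            reason = ""
            if (intl && offhours)           reason = "international-offhours"
            else if ($56 + 0 > maxd + 0)    reason = "long-call"
            if (reason != "") print $5, hour, $9, $31, $56, reason
        }'
}

# Usage: sh cdr_suspicious.sh   (or: suspicious_calls < report_cdr)
printf '%s\n' "$SAMPLE_CDR" | suspicious_calls
```

<p>Run against a real export the same way as the one-liner (<code>suspicious_calls &lt; report_cdr</code>); the epoch in the first column converts with the <code>strftime()</code> call from the post when you need it human-readable.</p>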
<p>In case you want to extract some other fields from CDR , here is the full list of available values and their position. For explanation you can look here - <a href="https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/service/11_5_1/cdrdef/cucm_b_cucm-cdr-administration-guide-1151/cucm_b_cucm-cdr-administration-guide-1151_chapter_0101.html" target="_blank" rel="noopener">Cisco Call Detail Records Field Descriptions</a></p>
<div class="highlight"><pre><span></span><code><span class="mi">1</span><span class="w"> </span><span class="n">cdrRecordType</span><span class="w"></span>
<span class="mi">2</span><span class="w"> </span><span class="n">globalCallID_callManagerId</span><span class="w"></span>
<span class="mi">3</span><span class="w"> </span><span class="n">globalCallID_callId</span><span class="w"></span>
<span class="mi">4</span><span class="w"> </span><span class="n">origLegCallIdentifier</span><span class="w"></span>
<span class="mi">5</span><span class="w"> </span><span class="n">dateTimeOrigination</span><span class="w"></span>
<span class="mi">6</span><span class="w"> </span><span class="n">origNodeId</span><span class="w"></span>
<span class="mi">7</span><span class="w"> </span><span class="n">origSpan</span><span class="w"></span>
<span class="mi">8</span><span class="w"> </span><span class="n">origIpAddr</span><span class="w"></span>
<span class="mi">9</span><span class="w"> </span><span class="n">callingPartyNumber</span><span class="w"></span>
<span class="mi">10</span><span class="w"> </span><span class="n">callingPartyUnicodeLoginUserID</span><span class="w"></span>
<span class="mi">11</span><span class="w"> </span><span class="n">origCause_location</span><span class="w"></span>
<span class="mi">12</span><span class="w"> </span><span class="n">origCause_value</span><span class="w"></span>
<span class="mi">13</span><span class="w"> </span><span class="n">origPrecedenceLevel</span><span class="w"></span>
<span class="mi">14</span><span class="w"> </span><span class="n">origMediaTransportAddress_IP</span><span class="w"></span>
<span class="mi">15</span><span class="w"> </span><span class="n">origMediaTransportAddress_Port</span><span class="w"></span>
<span class="mi">16</span><span class="w"> </span><span class="n">origMediaCap_payloadCapability</span><span class="w"></span>
<span class="mi">17</span><span class="w"> </span><span class="n">origMediaCap_maxFramesPerPacket</span><span class="w"></span>
<span class="mi">18</span><span class="w"> </span><span class="n">origMediaCap_g723BitRate</span><span class="w"></span>
<span class="mi">19</span><span class="w"> </span><span class="n">origVideoCap_Codec</span><span class="w"></span>
<span class="mi">20</span><span class="w"> </span><span class="n">origVideoCap_Bandwidth</span><span class="w"></span>
<span class="mi">21</span><span class="w"> </span><span class="n">origVideoCap_Resolution</span><span class="w"></span>
<span class="mi">22</span><span class="w"> </span><span class="n">origVideoTransportAddress_IP</span><span class="w"></span>
<span class="mi">23</span><span class="w"> </span><span class="n">origVideoTransportAddress_Port</span><span class="w"></span>
<span class="mi">24</span><span class="w"> </span><span class="n">origRSVPAudioStat</span><span class="w"></span>
<span class="mi">25</span><span class="w"> </span><span class="n">origRSVPVideoStat</span><span class="w"></span>
<span class="mi">26</span><span class="w"> </span><span class="n">destLegIdentifier</span><span class="w"></span>
<span class="mi">27</span><span class="w"> </span><span class="n">destNodeId</span><span class="w"></span>
<span class="mi">28</span><span class="w"> </span><span class="n">destSpan</span><span class="w"></span>
<span class="mi">29</span><span class="w"> </span><span class="n">destIpAddr</span><span class="w"></span>
<span class="mi">30</span><span class="w"> </span><span class="n">originalCalledPartyNumber</span><span class="w"></span>
<span class="mi">31</span><span class="w"> </span><span class="n">finalCalledPartyNumber</span><span class="w"></span>
<span class="mi">32</span><span class="w"> </span><span class="n">finalCalledPartyUnicodeLoginUserID</span><span class="w"></span>
<span class="mi">33</span><span class="w"> </span><span class="n">destCause_location</span><span class="w"></span>
<span class="mi">34</span><span class="w"> </span><span class="n">destCause_value</span><span class="w"></span>
<span class="mi">35</span><span class="w"> </span><span class="n">destPrecedenceLevel</span><span class="w"></span>
<span class="mi">36</span><span class="w"> </span><span class="n">destMediaTransportAddress_IP</span><span class="w"></span>
<span class="mi">37</span><span class="w"> </span><span class="n">destMediaTransportAddress_Port</span><span class="w"></span>
<span class="mi">38</span><span class="w"> </span><span class="n">destMediaCap_payloadCapability</span><span class="w"></span>
<span class="mi">39</span><span class="w"> </span><span class="n">destMediaCap_maxFramesPerPacket</span><span class="w"></span>
<span class="mi">40</span><span class="w"> </span><span class="n">destMediaCap_g723BitRate</span><span class="w"></span>
<span class="mi">41</span><span class="w"> </span><span class="n">destVideoCap_Codec</span><span class="w"></span>
<span class="mi">42</span><span class="w"> </span><span class="n">destVideoCap_Bandwidth</span><span class="w"></span>
<span class="mi">43</span><span class="w"> </span><span class="n">destVideoCap_Resolution</span><span class="w"></span>
<span class="mi">44</span><span class="w"> </span><span class="n">destVideoTransportAddress_IP</span><span class="w"></span>
<span class="mi">45</span><span class="w"> </span><span class="n">destVideoTransportAddress_Port</span><span class="w"></span>
<span class="mi">46</span><span class="w"> </span><span class="n">destRSVPAudioStat</span><span class="w"></span>
<span class="mi">47</span><span class="w"> </span><span class="n">destRSVPVideoStat</span><span class="w"></span>
<span class="mi">48</span><span class="w"> </span><span class="n">dateTimeConnect</span><span class="w"></span>
<span class="mi">49</span><span class="w"> </span><span class="n">dateTimeDisconnect</span><span class="w"></span>
<span class="mi">50</span><span class="w"> </span><span class="n">lastRedirectDn</span><span class="w"></span>
<span class="mi">51</span><span class="w"> </span><span class="n">pkid</span><span class="w"></span>
<span class="mi">52</span><span class="w"> </span><span class="n">originalCalledPartyNumberPartition</span><span class="w"></span>
<span class="mi">53</span><span class="w"> </span><span class="n">callingPartyNumberPartition</span><span class="w"></span>
<span class="mi">54</span><span class="w"> </span><span class="n">finalCalledPartyNumberPartition</span><span class="w"></span>
<span class="mi">55</span><span class="w"> </span><span class="n">lastRedirectDnPartition</span><span class="w"></span>
<span class="mi">56</span><span class="w"> </span><span class="n">duration</span><span class="w"></span>
<span class="mi">57</span><span class="w"> </span><span class="n">origDeviceName</span><span class="w"></span>
<span class="mi">58</span><span class="w"> </span><span class="n">destDeviceName</span><span class="w"></span>
<span class="mi">59</span><span class="w"> </span><span class="n">origCallTerminationOnBehalfOf</span><span class="w"></span>
<span class="mi">60</span><span class="w"> </span><span class="n">destCallTerminationOnBehalfOf</span><span class="w"></span>
<span class="mi">61</span><span class="w"> </span><span class="n">origCalledPartyRedirectOnBehalfOf</span><span class="w"></span>
<span class="mi">62</span><span class="w"> </span><span class="n">lastRedirectRedirectOnBehalfOf</span><span class="w"></span>
<span class="mi">63</span><span class="w"> </span><span class="n">origCalledPartyRedirectReason</span><span class="w"></span>
<span class="mi">64</span><span class="w"> </span><span class="n">lastRedirectRedirectReason</span><span class="w"></span>
<span class="mi">65</span><span class="w"> </span><span class="n">destConversationId</span><span class="w"></span>
<span class="mi">66</span><span class="w"> </span><span class="n">globalCallId_ClusterID</span><span class="w"></span>
<span class="mi">67</span><span class="w"> </span><span class="n">joinOnBehalfOf</span><span class="w"></span>
<span class="mi">68</span><span class="w"> </span><span class="n">comment</span><span class="w"></span>
<span class="mi">69</span><span class="w"> </span><span class="n">authCodeDescription</span><span class="w"></span>
<span class="mi">70</span><span class="w"> </span><span class="n">authorizationLevel</span><span class="w"></span>
<span class="mi">71</span><span class="w"> </span><span class="n">clientMatterCode</span><span class="w"></span>
<span class="mi">72</span><span class="w"> </span><span class="n">origDTMFMethod</span><span class="w"></span>
<span class="mi">73</span><span class="w"> </span><span class="n">destDTMFMethod</span><span class="w"></span>
<span class="mi">74</span><span class="w"> </span><span class="n">callSecuredStatus</span><span class="w"></span>
<span class="mi">75</span><span class="w"> </span><span class="n">origConversationId</span><span class="w"></span>
<span class="mi">76</span><span class="w"> </span><span class="n">origMediaCap_Bandwidth</span><span class="w"></span>
<span class="mi">77</span><span class="w"> </span><span class="n">destMediaCap_Bandwidth</span><span class="w"></span>
<span class="mi">78</span><span class="w"> </span><span class="n">authorizationCodeValue</span><span class="w"></span>
<span class="mi">79</span><span class="w"> </span><span class="n">outpulsedCallingPartyNumber</span><span class="w"></span>
<span class="mi">80</span><span class="w"> </span><span class="n">outpulsedCalledPartyNumber</span><span class="w"></span>
<span class="mi">81</span><span class="w"> </span><span class="n">origIpv4v6Addr</span><span class="w"></span>
<span class="mi">82</span><span class="w"> </span><span class="n">destIpv4v6Addr</span><span class="w"></span>
<span class="mi">83</span><span class="w"> </span><span class="n">origVideoCap_Codec_Channel2</span><span class="w"></span>
<span class="mi">84</span><span class="w"> </span><span class="n">origVideoCap_Bandwidth_Channel2</span><span class="w"></span>
<span class="mi">85</span><span class="w"> </span><span class="n">origVideoCap_Resolution_Channel2</span><span class="w"></span>
<span class="mi">86</span><span class="w"> </span><span class="n">origVideoTransportAddress_IP_Channel2</span><span class="w"></span>
<span class="mi">87</span><span class="w"> </span><span class="n">origVideoTransportAddress_Port_Channel2</span><span class="w"></span>
<span class="mi">88</span><span class="w"> </span><span class="n">origVideoChannel_Role_Channel2</span><span class="w"></span>
<span class="mi">89</span><span class="w"> </span><span class="n">destVideoCap_Codec_Channel2</span><span class="w"></span>
<span class="mi">90</span><span class="w"> </span><span class="n">destVideoCap_Bandwidth_Channel2</span><span class="w"></span>
<span class="mi">91</span><span class="w"> </span><span class="n">destVideoCap_Resolution_Channel2</span><span class="w"></span>
<span class="mi">92</span><span class="w"> </span><span class="n">destVideoTransportAddress_IP_Channel2</span><span class="w"></span>
<span class="mi">93</span><span class="w"> </span><span class="n">destVideoTransportAddress_Port_Channel2</span><span class="w"></span>
<span class="mi">94</span><span class="w"> </span><span class="n">destVideoChannel_Role_Channel2</span><span class="w"></span>
<span class="mi">95</span><span class="w"> </span><span class="n">incomingProtocolID</span><span class="w"></span>
<span class="mi">96</span><span class="w"> </span><span class="n">incomingProtocolCallRef</span><span class="w"></span>
<span class="mi">97</span><span class="w"> </span><span class="n">outgoingProtocolID</span><span class="w"></span>
<span class="mi">98</span><span class="w"> </span><span class="n">outgoingProtocolCallRef</span><span class="w"></span>
<span class="mi">99</span><span class="w"> </span><span class="n">currentRoutingReason</span><span class="w"></span>
<span class="mi">100</span><span class="w"> </span><span class="n">origRoutingReason</span><span class="w"></span>
<span class="mi">101</span><span class="w"> </span><span class="n">lastRedirectingRoutingReason</span><span class="w"></span>
<span class="mi">102</span><span class="w"> </span><span class="n">huntPilotDN</span><span class="w"></span>
<span class="mi">103</span><span class="w"> </span><span class="n">huntPilotPartition</span><span class="w"></span>
<span class="mi">104</span><span class="w"> </span><span class="n">calledPartyPatternUsage</span><span class="w"></span>
<span class="mi">105</span><span class="w"> </span><span class="n">outpulsedOriginalCalledPartyNumber</span><span class="w"></span>
<span class="mi">106</span><span class="w"> </span><span class="n">outpulsedLastRedirectingNumber</span><span class="w"></span>
<span class="mi">107</span><span class="w"> </span><span class="n">wasCallQueued</span><span class="w"></span>
<span class="mi">108</span><span class="w"> </span><span class="n">totalWaitTimeInQueue</span><span class="w"></span>
<span class="mi">109</span><span class="w"> </span><span class="n">callingPartyNumber_uri</span><span class="w"></span>
<span class="mi">110</span><span class="w"> </span><span class="n">originalCalledPartyNumber_uri</span><span class="w"></span>
<span class="mi">111</span><span class="w"> </span><span class="n">finalCalledPartyNumber_uri</span><span class="w"></span>
<span class="mi">112</span><span class="w"> </span><span class="n">lastRedirectDn_uri</span><span class="w"></span>
<span class="mi">113</span><span class="w"> </span><span class="n">mobileCallingPartyNumber</span><span class="w"></span>
<span class="mi">114</span><span class="w"> </span><span class="n">finalMobileCalledPartyNumber</span><span class="w"></span>
<span class="mi">115</span><span class="w"> </span><span class="n">origMobileDeviceName</span><span class="w"></span>
<span class="mi">116</span><span class="w"> </span><span class="n">destMobileDeviceName</span><span class="w"></span>
<span class="mi">117</span><span class="w"> </span><span class="n">origMobileCallDuration</span><span class="w"></span>
<span class="mi">118</span><span class="w"> </span><span class="n">destMobileCallDuration</span><span class="w"></span>
<span class="mi">119</span><span class="w"> </span><span class="n">mobileCallType</span><span class="w"></span>
<span class="mi">120</span><span class="w"> </span><span class="n">originalCalledPartyPattern</span><span class="w"></span>
<span class="mi">121</span><span class="w"> </span><span class="n">finalCalledPartyPattern</span><span class="w"></span>
<span class="mi">122</span><span class="w"> </span><span class="n">lastRedirectingPartyPattern</span><span class="w"></span>
<span class="mi">123</span><span class="w"> </span><span class="n">huntPilotPattern</span><span class="w"></span>
</code></pre></div>
<h3>Additional Resources</h3>
<ul>
<li><a href="https://yurisk.info/2015/08/15/useful-cli-commands-for-cisco-cucm/">Useful CLI commands for Cisco CUCM, Cisco Unity Connection and IM and Presence</a></li>
</ul>
Convert Checkpoint SPLAT routes into Gaia route configuration commands2014-02-10T20:50:06+00:002014-02-10T20:50:06+00:00Yuri Slobodyanyuktag:yurisk.info,2014-02-10:/2014/02/10/convert-checkpoint-splat-routes-into-gaia-configuration-commands/
<p>Hi there, not much of a script, just a one-liner to turn the output of the SecurePlatform CLI command <em>ip route list</em> into a ready-to-paste list of Gaia clish commands.<br>
Be aware I am not doing any error checking, so examine the final result before applying it to a production system.<br>
You should run it on the SPLAT CLI in expert mode, and feed it <em>ip route list</em> specifically: the field positions assume that output, so <em>route -n</em> would put the netmask where the gateway is expected. Only routes with a <em>via</em> next hop are converted; directly connected routes are skipped, since they come from the interface addresses you configure separately in Gaia.<br>
<strong>ip route list | awk '/via/ {print " set static-route ",$1," nexthop gateway address " $3," on "}'</strong> </p>
<div class="highlight"><pre><span></span><code>set static-route 172.19.0.0/16 nexthop gateway address 172.12.255.4 on
set static-route 172.20.0.0/16 nexthop gateway address 10.20.20.6 on
set static-route default nexthop gateway address 19.9.15.33 on
</code></pre></div>
PTR bulk DNS resolver in Perl to see what is in the name2013-07-28T16:09:40+00:002013-07-28T16:09:40+00:00Yuri Slobodyanyuktag:yurisk.info,2013-07-28:/2013/07/28/ptr-bulk-resolver-in-perl-to-see-what-is-in-the-name/<p>There are many ways to do PTR resolving in bulk, and this is just one of them. It doesn't pretend to be the fastest, coolest or best; the only thing I can claim is that it works. </p>
<div class="highlight"><pre><span></span><code> <span class="c1"># Yuri</span>
<span class="c1"># 19.02.2013</span>
<span class="c1"># this script accepts range of IP addresses to do PTr resolving for</span>
<span class="c1"># the range has to be in this format: startIp-endIp.startIp-endIp.startIp-endIp.startIp-endIp.</span>
<span class="c1"># Only answers are printed, i.e. if there is no answer nothing is printed</span>
<span class="k">use</span> <span class="nn">warnings</span><span class="p">;</span>
<span class="k">use</span> <span class="nn">strict</span><span class="p">;</span>
<span class="k">use</span> <span class="nn">Net::DNS</span> <span class="p">;</span>
<span class="k">my</span> <span class="nv">$res</span> <span class="o">=</span> <span class="nn">Net::DNS::Resolver</span><span class="o">-></span><span class="k">new</span><span class="p">();</span>
<span class="k">my</span> <span class="nv">$input</span> <span class="o">=</span> <span class="nb">shift</span> <span class="p">;</span>
<span class="nv">$input</span> <span class="o">=~</span><span class="sr"> /(.+)-(.+)\.(.+)-(.+)\.(.+)-(.+)\.(.+)-(.+)/</span> <span class="p">;</span>
<span class="k">print</span> <span class="s">"Resolving ptrs for the following range: $input\n"</span> <span class="p">;</span>
<span class="k">print</span> <span class="s">"Started working at: "</span> <span class="o">.</span> <span class="nb">scalar</span> <span class="nb">gmtime</span> <span class="o">.</span> <span class="s">"\n"</span> <span class="p">;</span>
<span class="k">my</span> <span class="p">(</span><span class="nv">$oct1_start</span><span class="p">,</span><span class="nv">$oct1_end</span><span class="p">,</span><span class="nv">$oct2_start</span><span class="p">,</span><span class="nv">$oct2_end</span><span class="p">,</span><span class="nv">$oct3_start</span><span class="p">,</span><span class="nv">$oct3_end</span><span class="p">,</span><span class="nv">$oct4_start</span><span class="p">,</span><span class="nv">$oct4_end</span><span class="p">)</span> <span class="o">=</span> <span class="p">(</span><span class="nv">$1</span><span class="p">,</span><span class="nv">$2</span><span class="p">,</span><span class="nv">$3</span><span class="p">,</span><span class="nv">$4</span><span class="p">,</span><span class="nv">$5</span><span class="p">,</span><span class="nv">$6</span><span class="p">,</span><span class="nv">$7</span><span class="p">,</span><span class="nv">$8</span><span class="p">)</span> <span class="p">;</span>
<span class="k">foreach</span> <span class="k">my</span> <span class="nv">$oct1</span> <span class="p">(</span><span class="nv">$oct1_start</span><span class="o">..</span><span class="nv">$oct1_end</span><span class="p">)</span> <span class="p">{</span>
<span class="k">foreach</span> <span class="k">my</span> <span class="nv">$oct2</span> <span class="p">(</span><span class="nv">$oct2_start</span><span class="o">..</span><span class="nv">$oct2_end</span><span class="p">)</span> <span class="p">{</span>
<span class="k">foreach</span> <span class="k">my</span> <span class="nv">$oct3</span> <span class="p">(</span><span class="nv">$oct3_start</span><span class="o">..</span><span class="nv">$oct3_end</span><span class="p">)</span> <span class="p">{</span>
<span class="k">foreach</span> <span class="k">my</span> <span class="nv">$oct4</span> <span class="p">(</span><span class="nv">$oct4_start</span><span class="o">..</span><span class="nv">$oct4_end</span><span class="p">)</span> <span class="p">{</span>
<span class="k">my</span> <span class="nv">$answer</span> <span class="o">=</span> <span class="nv">$res</span><span class="o">-></span><span class="n">query</span><span class="p">(</span><span class="s">"${oct1}.${oct2}.${oct3}.${oct4}"</span><span class="p">)</span> <span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="nb">defined</span> <span class="nv">$answer</span><span class="p">)</span> <span class="p">{</span>
<span class="k">my</span> <span class="nv">@ptr</span> <span class="o">=</span> <span class="nv">$answer</span><span class="o">-></span><span class="n">answer</span><span class="p">;</span>
<span class="k">foreach</span> <span class="k">my</span> <span class="nv">$record_ptr</span> <span class="p">(</span><span class="nv">@ptr</span><span class="p">)</span> <span class="p">{</span>
<span class="c1">#print " NEw " . $record_ptr->print ;</span>
<span class="k">my</span> <span class="nv">$str</span> <span class="o">=</span> <span class="nb">substr</span><span class="p">(</span><span class="nv">$record_ptr</span><span class="o">-></span><span class="n">string</span><span class="p">,</span><span class="nb">rindex</span><span class="p">(</span><span class="nv">$record_ptr</span><span class="o">-></span><span class="n">string</span><span class="p">,</span><span class="s">'R'</span><span class="p">)</span><span class="o">+</span><span class="mi">1</span><span class="p">)</span> <span class="p">;</span>
<span class="k">print</span> <span class="s">"$oct1.$oct2.$oct3.$oct4 "</span> <span class="o">.</span> <span class="nv">$str</span> <span class="o">.</span> <span class="s">"\n"</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span> <span class="p">}</span> <span class="p">}}</span>
<span class="k">print</span> <span class="s">"Run completed at: "</span> <span class="o">.</span> <span class="nb">scalar</span> <span class="nb">gmtime</span> <span class="o">.</span> <span class="s">"\n"</span> <span class="p">;</span>
</code></pre></div>
<p>Example run: <strong> #perl script.pl 194-194.90-90.33-33.0-255</strong></p>
Bash script to generate random passwords2013-06-25T13:15:45+00:002013-06-25T13:15:45+00:00Yuri Slobodyanyuktag:yurisk.info,2013-06-25:/2013/06/25/bash-script-to-generate-random-passwords/<p>Here I stumbled on an intro into Bash scripting for NetOps by John Kristoff, "Introduction to Shell and Perl scripting for Network Operators" (https://www.cymru.com/jtk/talks/nanog54-intro-scripting.pdf), and couldn't help but do it my way. Here it is: a bash script that generates random passwords of printable characters, up to 15 characters long. One caveat before you rely on it: <code>od -a</code> renders non-printable bytes as two- or three-letter names (<code>nul</code>, <code>sp</code>, <code>del</code> and so on), so those positions contribute lowercase letters drawn from a small alphabet rather than a uniformly random printable character, and the effective entropy per character is noticeably below the log2(94) bits of a true uniform pick from the printable set.</p>
<div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal"> 1</span>
<span class="normal"> 2</span>
<span class="normal"> 3</span>
<span class="normal"> 4</span>
<span class="normal"> 5</span>
<span class="normal"> 6</span>
<span class="normal"> 7</span>
<span class="normal"> 8</span>
<span class="normal"> 9</span>
<span class="normal">10</span>
<span class="normal">11</span>
<span class="normal">12</span>
<span class="normal">13</span>
<span class="normal">14</span></pre></div></td><td class="code"><div><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="c1"># usage: randompass.sh [n] [count] - n is number of characters in password</span>
<span class="c1"># to generate 9 by default, and count - number of passwords to generate, 1 by default</span>
<span class="nv">n</span><span class="o">=</span><span class="si">${</span><span class="nv">1</span><span class="k">:-</span><span class="nv">9</span><span class="si">}</span>
<span class="nv">counter</span><span class="o">=</span><span class="si">${</span><span class="nv">2</span><span class="k">:-</span><span class="nv">1</span><span class="si">}</span>
<span class="k">for</span> ii <span class="k">in</span> <span class="sb">`</span>seq <span class="m">1</span> <span class="nv">$counter</span><span class="sb">`</span> <span class="p">;</span><span class="k">do</span>
dd <span class="nv">count</span><span class="o">=</span><span class="m">1</span> <span class="nv">bs</span><span class="o">=</span><span class="m">15</span> <span class="k">if</span><span class="o">=</span>/dev/urandom <span class="m">2</span>>/dev/null <span class="p">|</span>
od -a <span class="p">|</span>
sed <span class="s1">'2d'</span> <span class="p">|</span>
sed <span class="s1">'s/0000000 \(.*\)/\1/'</span> <span class="p">|</span>
tr -d <span class="s1">' '</span> <span class="p">|</span> cut -c <span class="m">1</span>-<span class="nv">$n</span> <span class="p">|</span>
sed <span class="s1">'s/\([a-z]\)/\U&/3'</span> <span class="p">|</span>
sed <span class="s1">'s/\([A-Z]\)/\l&/4'</span>
<span class="k">done</span>
</code></pre></div></td></tr></table></div>
<p><a href="http://yurisk.info/randompass.tar.gz">Download the script</a></p>
<p>Example run: <strong>#randompass.sh 7 7</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">o</span><span class="o">&</span><span class="n">sOh</span><span class="p">;</span><span class="o">~</span><span class="n">K</span><span class="w"></span>
<span class="n">deL</span><span class="p">(</span><span class="n">HMd</span><span class="w"></span>
<span class="n">dc23DBg</span><span class="w"></span>
<span class="s">HK?S@iE</span><span class="w"></span>
<span class="n">_</span>$<span class="n">SL</span><span class="o">*</span><span class="n">Ad</span><span class="w"></span>
<span class="n">si</span><span class="o">|</span><span class="p">}</span><span class="n">Del</span><span class="w"></span>
<span class="c">%I-ba<B</span><span class="w"></span>
</code></pre></div>
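<p>As an added example (not the post's randompass.sh; the function names are mine): the example output above already contains <code>deL</code>, <code>Del</code> and <code>si</code>, which are not random letters but the names <code>od -a</code> prints for the DEL and SI control bytes, glued together by the script's <code>tr -d ' '</code>. Such fixed substrings are predictable and cost entropy. The block below reproduces that step on three constructed bytes so the effect is visible, then generates the password by keeping only printable bytes from <code>/dev/urandom</code> and discarding every other byte instead of renaming it, and computes how many bits a password of that kind carries.</p>

```shell
#!/bin/sh
# Added example, not the blog's randompass.sh: same idea (read /dev/urandom,
# keep printable characters only) without going through "od -a".

# "od -a" prints control bytes by name (0x7f -> "del", 0x0f -> "si", 0x09 -> "ht")
# and the script's "tr -d ' '" then glues those names into the password.
# This reproduces that stage on three constructed bytes. Expected: delsiht
od_names_leak() {
  printf '\177\017\011' | od -a | sed '2d' | sed 's/0000000 \(.*\)/\1/' | tr -d ' '
}

# Keep only bytes from /dev/urandom that are one of the 94 printable non-space
# ASCII characters; everything else is dropped, never renamed. LC_ALL=C pins
# [:graph:] to plain ASCII. "head -c" is GNU/BSD, not strictly POSIX.
gen_password() {
  n="${1:-9}"
  LC_ALL=C tr -dc '[:graph:]' < /dev/urandom | head -c "$n"
  echo
}

# Succeeds only when the argument contains nothing but printable non-space ASCII.
is_printable() {
  ! printf '%s' "$1" | LC_ALL=C grep -q '[^[:graph:]]'
}

# Entropy in bits of an n-character password drawn uniformly from 94 symbols:
# n * log2(94), about 6.55 bits per character, rounded to the nearest bit.
password_bits() {
  awk -v n="$1" 'BEGIN { printf "%.0f\n", n * log(94) / log(2) }'
}
```

<p>Run <code>gen_password 12</code> for a 12-character password; <code>password_bits 9</code> gives 59 bits for the script's default length and <code>password_bits 15</code> gives 98.</p>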
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Disabling SSL Deep inspection proxy in Fortigate should be easier2013-05-04T11:18:03+00:002013-05-04T11:18:03+00:00Yuri Slobodyanyuktag:yurisk.info,2013-05-04:/2013/05/04/disabling-ssl-deep-inspection-proxy-in-fortigate-should-be-easier/<p>This one can be filed under a Fortinet ‘undocumented/unwanted’ feature rather than a bug. The case in question: Fortigate 80C, firmware 4-something, all subscriptions up to date, no crazy configuration, all looks fine... until the client adds to his LAN a backup appliance that gathers data from agents installed on PCs and then pushes it from behind the Fortigate to cloud storage on the Internet.</p>
<p>The problem showed up on install of the backup box, and its reason was clear as vodka: the backup box uses the POP3S protocol (POP3 encrypted with SSL, using certificates) to talk to the cloud servers, and when this traffic passes the Fortigate, the Fortigate intercepts it for SSL deep inspection (a man-in-the-middle) and presents its own (i.e. the Fortigate's) SSL certificate to the cloud servers, preventing the backup box from using its own certificate. The remote cloud servers, of course, refuse to accept it.</p>
<p>So, what’s the fuss? Just disable SSL inspection and that’s it, no? According to Fortinet, yes: <a href="http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD31820">http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD31820</a> “FortiGate Intercepts POP3S, SMTPS and IMAPS certificates”. But real life says no.</p>
<p>First, the document above lists commands that the Fortigate 80C didn’t recognize; ok, no big deal. We tried removing any protection profile from the hosts in question and adding a protection profile with HTTPS inspection disabled - still nada.</p>
<p>In the end, as the client didn’t really need this feature at all, we just disabled SSL inspection for good, and it finally did the job.</p>
<p>The steps and output from the device are below.</p>
<p>FGT80C # <strong>get firewall ssl setting</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">caname</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">Fortinet_CA_SSLProxy</span><span class="w"></span>
<span class="n">cert</span><span class="o">-</span><span class="n">cache</span><span class="o">-</span><span class="n">capacity</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="mi">100</span><span class="w"></span>
<span class="n">cert</span><span class="o">-</span><span class="n">cache</span><span class="o">-</span><span class="n">timeout</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="mi">10</span><span class="w"></span>
<span class="n">no</span><span class="o">-</span><span class="n">matching</span><span class="o">-</span><span class="n">cipher</span><span class="o">-</span><span class="n">action</span><span class="o">:</span><span class="w"> </span><span class="n">bypass</span><span class="w"></span>
<span class="n">proxy</span><span class="o">-</span><span class="n">connect</span><span class="o">-</span><span class="n">timeout</span><span class="o">:</span><span class="w"> </span><span class="mi">30</span><span class="w"></span>
<span class="n">session</span><span class="o">-</span><span class="n">cache</span><span class="o">-</span><span class="n">capacity</span><span class="o">:</span><span class="w"> </span><span class="mi">500</span><span class="w"></span>
<span class="n">session</span><span class="o">-</span><span class="n">cache</span><span class="o">-</span><span class="n">timeout</span><span class="o">:</span><span class="w"> </span><span class="mi">20</span><span class="w"></span>
<span class="n">ssl</span><span class="o">-</span><span class="n">dh</span><span class="o">-</span><span class="n">bits</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="mi">1024</span><span class="w"></span>
<span class="n">ssl</span><span class="o">-</span><span class="n">max</span><span class="o">-</span><span class="n">version</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">tls</span><span class="o">-</span><span class="mf">1.0</span><span class="w"></span>
<span class="n">ssl</span><span class="o">-</span><span class="n">min</span><span class="o">-</span><span class="n">version</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">ssl</span><span class="o">-</span><span class="mf">3.0</span><span class="w"></span>
<span class="n">ssl</span><span class="o">-</span><span class="n">send</span><span class="o">-</span><span class="n">empty</span><span class="o">-</span><span class="n">frags</span><span class="o">:</span><span class="w"> </span><span class="n">enable</span><span class="w"></span>
</code></pre></div>
<p>Get the statistics/diagnostics info about SSL Proxy in Fortigate:</p>
<p>FGT80C # <strong>diagnose test application ssl 0</strong></p>
<div class="highlight"><pre><span></span><code>SSL Proxy Test Usage
1: Dump Memory Usage
2: Drop all connections
3: Display PID
4: Display connection stat
5: Toggle AV Bypass mode
6: Display memory statistics
44: Display info per connection
11: Display connection TTL list
12: Clear the SSL certificate cache
13: Clear the SSL session cache
14: Display PKey file checksum
15: Clear the SSL server name cache
99: Restart proxy
SSL Proxy stats:
</code></pre></div>
<p>FGT80C # <strong>diagnose test application ssl 4</strong></p>
<div class="highlight"><pre><span></span><code><span class="nv">Current</span><span class="w"> </span><span class="nv">connections</span><span class="w"> </span><span class="ss">(</span><span class="nv">all</span><span class="w"> </span><span class="nv">proxies</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">12</span><span class="o">/</span><span class="mi">8048</span><span class="w"></span>
<span class="nv">Running</span><span class="w"> </span><span class="nv">time</span><span class="w"> </span><span class="ss">(</span><span class="nv">HH</span>:<span class="nv">MM</span>:<span class="nv">SS</span>:<span class="nv">usec</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">57</span>:<span class="mi">21</span>:<span class="mi">06</span>.<span class="mi">569388</span><span class="w"></span>
<span class="nv">Bytes</span><span class="w"> </span><span class="nv">sent</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">499</span><span class="w"> </span><span class="ss">(</span><span class="nv">kb</span><span class="ss">)</span><span class="w"></span>
<span class="nv">Bytes</span><span class="w"> </span><span class="nv">received</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">909</span><span class="w"> </span><span class="ss">(</span><span class="nv">kb</span><span class="ss">)</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">alloc</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">accept</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">bind</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="k">connect</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">read</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">write</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">retry</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">poll</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">unhandled</span><span class="w"> </span><span class="nv">state</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">SSL</span><span class="w"> </span><span class="nv">handshake</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">SSL</span><span class="w"> </span><span class="nv">internal</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Last</span><span class="w"> </span><span class="nv">Error</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">IPC</span><span class="w"> </span><span class="nv">Connection</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="w"></span>
<span class="nv">IPC</span><span class="w"> </span><span class="nv">Hand</span><span class="o">-</span><span class="nv">off</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">7838</span><span class="w"></span>
<span class="nv">IPC</span><span class="w"> </span><span class="nv">Packet</span><span class="w"> </span><span class="nv">Sent</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">IPC</span><span class="w"> </span><span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="k">connect</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">IPC</span><span class="w"> </span><span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">handoff</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">IPC</span><span class="w"> </span><span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="k">send</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">IPC</span><span class="w"> </span><span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">socketpair</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">IPC</span><span class="w"> </span><span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nb">timeout</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Client</span><span class="w"> </span><span class="nv">cipher</span><span class="w"> </span><span class="nv">failure</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Server</span><span class="w"> </span><span class="nv">cipher</span><span class="w"> </span><span class="nv">failure</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">SSL</span><span class="w"> </span><span class="nv">decryption</span><span class="w"> </span><span class="nv">failure</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">SSL</span><span class="w"> </span><span class="nv">internal</span><span class="w"> </span><span class="nv">error</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">SSL</span><span class="w"> </span><span class="nv">public</span><span class="w"> </span><span class="nv">key</span><span class="w"> </span><span class="nv">too</span><span class="w"> </span><span class="nv">big</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Total</span><span class="w"> </span><span class="nv">Connections</span><span class="w"> </span><span class="nv">Proxied</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Web</span><span class="w"> </span><span class="nv">request</span><span class="w"> </span><span class="nv">backlog</span><span class="w"> </span><span class="nv">drop</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Web</span><span class="w"> </span><span class="nv">response</span><span class="w"> </span><span class="nv">backlog</span><span class="w"> </span><span class="nv">drop</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">AV</span><span class="w"> </span><span class="nv">Bypass</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="nv">off</span><span class="w"></span>
<span class="nv">Drop</span><span class="w"> </span><span class="nv">on</span><span class="w"> </span><span class="nv">backlog</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="nv">on</span><span class="w"></span>
<span class="nv">Accounting</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="nv">off</span><span class="w"></span>
</code></pre></div>
<p>This one is important: it shows the connections currently under SSL inspection.
Here 13.43.12.77 is the remote cloud server (sanitized) and 192.168.10.150 is the backup box in the LAN.</p>
<p>FGT80C# <strong>diagnose test application ssl 44</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">Current</span><span class="w"> </span><span class="n">https</span><span class="w"> </span><span class="n">connections</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="n">Current</span><span class="w"> </span><span class="n">imaps</span><span class="w"> </span><span class="n">connections</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="n">proxy</span><span class="o">=</span><span class="n">pop3s</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">8070</span><span class="w"> </span><span class="n">clt</span><span class="o">=</span><span class="mi">45</span><span class="p">(</span><span class="n">r</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">w</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="n">srv</span><span class="o">=</span><span class="mi">46</span><span class="p">(</span><span class="n">r</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="n">w</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="n">c</span><span class="o">:</span><span class="mf">192.168.10.150</span><span class="o">:</span><span class="mi">36905</span><span class="w"> </span><span class="o">-></span><span class="w"> </span><span class="n">s</span><span class="o">:</span><span class="mf">13.43.12.77</span><span class="o">:</span><span class="mi">995</span><span class="w"> </span><span class="n">c2s</span><span class="o">/</span><span class="n">s2c</span><span class="o">=</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="w"> </span><span class="n">state</span><span class="o">=</span><span class="n">SSL_CONTINUE_SETUP_STATE</span><span class="w"> </span><span class="n">duration</span><span class="o">=</span><span class="mi">0</span><span class="w"> </span><span class="kr">expire</span><span class="o">=</span><span class="mi">3541</span><span class="w"></span>
<span class="n">proxy</span><span class="o">=</span><span class="n">pop3s</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">8069</span><span class="w"> </span><span class="n">clt</span><span class="o">=</span><span class="mi">43</span><span class="p">(</span><span class="n">r</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">w</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="n">srv</span><span class="o">=</span><span class="mi">44</span><span class="p">(</span><span class="n">r</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="n">w</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="n">c</span><span class="o">:</span><span class="mf">192.168.10.150</span><span class="o">:</span><span class="mi">56246</span><span class="w"> </span><span class="o">-></span><span class="w"> </span><span class="n">s</span><span class="o">:</span><span class="mf">13.43.12.77</span><span class="o">:</span><span class="mi">995</span><span class="w"> </span><span class="n">c2s</span><span class="o">/</span><span class="n">s2c</span><span class="o">=</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="w"> </span><span class="n">state</span><span class="o">=</span><span class="n">SSL_CONTINUE_SETUP_STATE</span><span class="w"> </span><span class="n">duration</span><span class="o">=</span><span class="mi">0</span><span class="w"> </span><span class="kr">expire</span><span class="o">=</span><span class="mi">3540</span><span class="w"></span>
<span class="n">proxy</span><span class="o">=</span><span class="n">pop3s</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">8068</span><span class="w"> </span><span class="n">clt</span><span class="o">=</span><span class="mi">41</span><span class="p">(</span><span class="n">r</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">w</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="n">srv</span><span class="o">=</span><span class="mi">42</span><span class="p">(</span><span class="n">r</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="n">w</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="n">c</span><span class="o">:</span><span class="mf">192.168.10.150</span><span class="o">:</span><span class="mi">56245</span><span class="w"> </span><span class="o">-></span><span class="w"> </span><span class="n">s</span><span class="o">:</span><span class="mf">13.43.12.77</span><span class="o">:</span><span class="mi">995</span><span class="w"> </span><span class="n">c2s</span><span class="o">/</span><span class="n">s2c</span><span class="o">=</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="w"> </span><span class="n">state</span><span class="o">=</span><span class="n">SSL_CONTINUE_SETUP_STATE</span><span class="w"> </span><span class="n">duration</span><span class="o">=</span><span class="mi">0</span><span class="w"> </span><span class="kr">expire</span><span class="o">=</span><span class="mi">3401</span><span class="w"></span>
<span class="n">proxy</span><span class="o">=</span><span class="n">pop3s</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">8067</span><span class="w"> </span><span class="n">clt</span><span class="o">=</span><span class="mi">26</span><span class="p">(</span><span class="n">r</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">w</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="n">srv</span><span class="o">=</span><span class="mi">27</span><span class="p">(</span><span class="n">r</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="n">w</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="n">c</span><span class="o">:</span><span class="mf">192.168.10.150</span><span class="o">:</span><span class="mi">36902</span><span class="w"> </span><span class="o">-></span><span class="w"> </span><span class="n">s</span><span class="o">:</span><span class="mf">13.43.12.77</span><span class="o">:</span><span class="mi">995</span><span class="w"> </span><span class="n">c2s</span><span class="o">/</span><span class="n">s2c</span><span class="o">=</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="w"> </span><span class="n">state</span><span class="o">=</span><span class="n">SSL_CONTINUE_SETUP_STATE</span><span class="w"> </span><span class="n">duration</span><span class="o">=</span><span class="mi">0</span><span class="w"> </span><span class="kr">expire</span><span class="o">=</span><span class="mi">3399</span><span class="w"></span>
<span class="n">proxy</span><span class="o">=</span><span class="n">pop3s</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">8039</span><span class="w"> </span><span class="n">clt</span><span class="o">=</span><span class="mi">24</span><span class="p">(</span><span class="n">r</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">w</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="n">srv</span><span class="o">=</span><span class="mi">25</span><span class="p">(</span><span class="n">r</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="n">w</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="n">c</span><span class="o">:</span><span class="mf">192.168.10.150</span><span class="o">:</span><span class="mi">40980</span><span class="w"> </span><span class="o">-></span><span class="w"> </span><span class="n">s</span><span class="o">:</span><span class="mf">13.43.12.77</span><span class="o">:</span><span class="mi">995</span><span class="w"> </span><span class="n">c2s</span><span class="o">/</span><span class="n">s2c</span><span class="o">=</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="w"> </span><span class="n">state</span><span class="o">=</span><span class="n">SSL_CONTINUE_SETUP_STATE</span><span class="w"> </span><span class="n">duration</span><span class="o">=</span><span class="mi">0</span><span class="w"> </span><span class="kr">expire</span><span class="o">=</span><span class="mi">2625</span><span class="w"></span>
<span class="n">proxy</span><span class="o">=</span><span class="n">pop3s</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">8032</span><span class="w"> </span><span class="n">clt</span><span class="o">=</span><span class="mi">35</span><span class="p">(</span><span class="n">r</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">w</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="n">srv</span><span class="o">=</span><span class="mi">36</span><span class="p">(</span><span class="n">r</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="n">w</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="n">c</span><span class="o">:</span><span class="mf">192.168.10.150</span><span class="o">:</span><span class="mi">39432</span><span class="w"> </span><span class="o">-></span><span class="w"> </span><span class="n">s</span><span class="o">:</span><span class="mf">13.43.12.77995</span><span class="w"> </span><span class="n">c2s</span><span class="o">/</span><span class="n">s2c</span><span class="o">=</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="w"> </span><span class="n">state</span><span class="o">=</span><span class="n">SSL_CONTINUE_SETUP_STATE</span><span class="w"> </span><span class="n">duration</span><span class="o">=</span><span class="mi">0</span><span class="w"> </span><span class="kr">expire</span><span class="o">=</span><span class="mi">2424</span><span class="w"></span>
<span class="n">proxy</span><span class="o">=</span><span class="n">pop3s</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">8029</span><span class="w"> </span><span class="n">clt</span><span class="o">=</span><span class="mi">28</span><span class="p">(</span><span class="n">r</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">w</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="n">srv</span><span class="o">=</span><span class="mi">29</span><span class="p">(</span><span class="n">r</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="n">w</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="n">c</span><span class="o">:</span><span class="mf">192.168.10.150</span><span class="o">:</span><span class="mi">39429</span><span class="w"> </span><span class="o">-></span><span class="w"> </span><span class="n">s</span><span class="o">:</span><span class="mf">13.43.12.77</span><span class="o">:</span><span class="mi">995</span><span class="w"> </span><span class="n">c2s</span><span class="o">/</span><span class="n">s2c</span><span class="o">=</span><span class="mi">0</span><span class="o">/</span><span class="mi">0</span><span class="w"> </span><span class="n">state</span><span class="o">=</span><span class="n">SSL_CONTINUE_SETUP_STATE</span><span class="w"> </span><span class="n">duration</span><span class="o">=</span><span class="mi">0</span><span class="w"> </span><span class="kr">expire</span><span class="o">=</span><span class="mi">2415</span><span class="w"></span>
<span class="n">Current</span><span class="w"> </span><span class="n">pop3s</span><span class="w"> </span><span class="n">connections</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">12</span><span class="w"></span>
<span class="n">Current</span><span class="w"> </span><span class="n">smtps</span><span class="w"> </span><span class="n">connections</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="n">Current</span><span class="w"> </span><span class="n">ftps</span><span class="w"> </span><span class="n">connections</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Disable SSL proxy for AV scanning:</li>
</ul>
<p>FGT80C # <strong>diagnose test application ssl 5</strong></p>
<div class="highlight"><pre><span></span><code>SSL AV Bypass is now on
</code></pre></div>
<p>FGT80C3909621311 # <strong>diagnose test application ssl 4</strong></p>
<div class="highlight"><pre><span></span><code><span class="nv">Current</span><span class="w"> </span><span class="nv">connections</span><span class="w"> </span><span class="ss">(</span><span class="nv">all</span><span class="w"> </span><span class="nv">proxies</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">12</span><span class="o">/</span><span class="mi">8048</span><span class="w"></span>
<span class="nv">Running</span><span class="w"> </span><span class="nv">time</span><span class="w"> </span><span class="ss">(</span><span class="nv">HH</span>:<span class="nv">MM</span>:<span class="nv">SS</span>:<span class="nv">usec</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">57</span>:<span class="mi">22</span>:<span class="mi">37</span>.<span class="mi">346514</span><span class="w"></span>
<span class="nv">Bytes</span><span class="w"> </span><span class="nv">sent</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">499</span><span class="w"> </span><span class="ss">(</span><span class="nv">kb</span><span class="ss">)</span><span class="w"></span>
<span class="nv">Bytes</span><span class="w"> </span><span class="nv">received</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">909</span><span class="w"> </span><span class="ss">(</span><span class="nv">kb</span><span class="ss">)</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">alloc</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">accept</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">bind</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="k">connect</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">read</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">write</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">retry</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">poll</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">unhandled</span><span class="w"> </span><span class="nv">state</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">SSL</span><span class="w"> </span><span class="nv">handshake</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">SSL</span><span class="w"> </span><span class="nv">internal</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Last</span><span class="w"> </span><span class="nv">Error</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">IPC</span><span class="w"> </span><span class="nv">Connection</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="w"></span>
<span class="nv">IPC</span><span class="w"> </span><span class="nv">Hand</span><span class="o">-</span><span class="nv">off</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">7839</span><span class="w"></span>
<span class="nv">IPC</span><span class="w"> </span><span class="nv">Packet</span><span class="w"> </span><span class="nv">Sent</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">IPC</span><span class="w"> </span><span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="k">connect</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">IPC</span><span class="w"> </span><span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">handoff</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">IPC</span><span class="w"> </span><span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="k">send</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">IPC</span><span class="w"> </span><span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nv">socketpair</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">IPC</span><span class="w"> </span><span class="nv">Error</span><span class="w"> </span><span class="nv">Count</span><span class="w"> </span><span class="ss">(</span><span class="nb">timeout</span><span class="ss">)</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Client</span><span class="w"> </span><span class="nv">cipher</span><span class="w"> </span><span class="nv">failure</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Server</span><span class="w"> </span><span class="nv">cipher</span><span class="w"> </span><span class="nv">failure</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">SSL</span><span class="w"> </span><span class="nv">decryption</span><span class="w"> </span><span class="nv">failure</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">SSL</span><span class="w"> </span><span class="nv">internal</span><span class="w"> </span><span class="nv">error</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">SSL</span><span class="w"> </span><span class="nv">public</span><span class="w"> </span><span class="nv">key</span><span class="w"> </span><span class="nv">too</span><span class="w"> </span><span class="nv">big</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Total</span><span class="w"> </span><span class="nv">Connections</span><span class="w"> </span><span class="nv">Proxied</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Web</span><span class="w"> </span><span class="nv">request</span><span class="w"> </span><span class="nv">backlog</span><span class="w"> </span><span class="nv">drop</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">Web</span><span class="w"> </span><span class="nv">response</span><span class="w"> </span><span class="nv">backlog</span><span class="w"> </span><span class="nv">drop</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="nv">AV</span><span class="w"> </span><span class="nv">Bypass</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="nv">on</span><span class="w"></span>
<span class="nv">Drop</span><span class="w"> </span><span class="nv">on</span><span class="w"> </span><span class="nv">backlog</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="nv">on</span><span class="w"></span>
<span class="nv">Accounting</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="nv">off</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Making sure it worked:</li>
</ul>
<p>FGT80C3909621311 # <strong>diagnose test application ssl 44</strong></p>
<div class="highlight"><pre><span></span><code>Current https connections = 0
Current imaps connections = 0
Current pop3s connections = 0
Current smtps connections = 0
Current ftps connections = 0
</code></pre></div>
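<p>The counters printed by <strong>diagnose test application ssl 4</strong> are easy to skim past when almost everything is zero. The following shell/awk check is an added example, not code from the post or from Fortinet: it reads a saved copy of that output on stdin (a captured terminal session is assumed), lists every error, failure or drop counter that is not zero, and reports whether AV bypass is still on, so the bypass enabled for troubleshooting with <strong>ssl 5</strong> is not forgotten afterwards. The sample input is constructed, not captured from a real device.</p>

```shell
#!/bin/sh
# Added example, not part of the blog post: a health check for the counters
# that "diagnose test application ssl 4" prints on a Fortigate. It reads the
# command output on stdin, lists every error/failure/drop counter that is not
# zero and reports whether AV bypass is on.
ssl_proxy_health() {
    awk '
        # counter lines look like "Error Count (SSL handshake) = 3"
        / = [0-9]+$/ && /Error|failure|drop|too big/ {
            if ($NF + 0 > 0) { printf "NONZERO: %s\n", $0; bad++ }
            next
        }
        /^AV Bypass is on/     { print "INFO: SSL AV scanning is bypassed (set with diagnose test application ssl 5)" }
        /^Current connections/ { print "INFO: " $0 }
        END { print "result=" (bad ? "issues" : "clean") }
    '
}

# Number of flagged counters; 0 means the proxy reported no errors at all.
ssl_proxy_issue_count() {
    ssl_proxy_health | grep -c '^NONZERO:' || true
}

# Constructed sample (shortened, not captured from a real device) in the
# format of "diagnose test application ssl 4", with two non-zero counters.
SAMPLE='Current connections (all proxies) = 12/8048
Running time (HH:MM:SS:usec) = 57:22:37.346514
Error Count (alloc) = 0
Error Count (SSL handshake) = 3
IPC Error Count (timeout) = 0
Client cipher failure = 0
SSL decryption failure = 1
Web request backlog drop = 0
AV Bypass is on
Drop on backlog is on
'

printf '%s' "$SAMPLE" | ssl_proxy_health
```

<p>Feed it a real capture with <code>ssl_proxy_health &lt; session.log</code>; a non-zero SSL handshake counter together with "AV Bypass is on" is the combination worth investigating, because the bypass hides inspection failures rather than fixing them.</p>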
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
<p><strong>md5 sha256 sha-1 tiger and whirlpool sum checker for Windows</strong> (2012-10-08, Yuri Slobodyanyuk, tag:yurisk.info,2012-10-08:/2012/10/08/md5-sha256-sha-1-tiger-and-whirlpool-sum-checker-for-windows/)</p>
<p>Trying out Amazon <a href="https://console.aws.amazon.com/glacier/">AWS Glacier</a> with <a href="http://fastglacier.com">fastglacier.com</a> as the upload GUI app, I looked at a few SHA256 sum calculating tools and found this one by <a href="http://sourceforge.net/projects/md5deep/">Jesse Kornblum</a> to be the best for Windows.
It has some quite useful options like recursive folder calculation, file size limits, reading file names from a file and hash comparison. Be aware it is command-line only.</p>
<p><strong>Checkpoint SNX 75 does work on Mac OS X 10.8 Mountain Lion</strong> (2012-08-03, Yuri Slobodyanyuk, tag:yurisk.info,2012-08-03:/2012/08/03/checkpoint-snx-75-does-work-on-mac-os-x-10-8-mountain-lion/)</p>
<p>While not mentioned explicitly in the <a href="https://downloads.checkpoint.com/dc/download.htm?ID=12503">Release Notes for SNX 75</a> (they list only Mac OS X 10.7, 10.7.1 and 10.7.2 Lion, 32-bit and 64-bit, as supported versions), it does work with the new version of Apple's Mac OS X. Yesterday I did it for R71.40 and it worked just fine; you have to install a hotfix though: SNX_MACOS.linux.tgz.</p>
<p><strong>Aggressive scans from 69.175.126.170 - HD Moore is trying to save the Internet</strong> (2012-07-31, Yuri Slobodyanyuk, tag:yurisk.info,2012-07-31:/2012/07/31/agressive-scans-from-69-175-126-170-hd-moore-is-trying-to-save-the-internet/)</p>
<p>I've been seeing this for some time, so you will see it soon too. We are speaking here mostly about SNMP probes coming from a set of very specific IPs. If you do a search on the IP you get to the webpage below, http://critical.io (the web site is not up anymore), explaining to the reader that it constitutes a vulnerability/misconfiguration disclosure effort by HD Moore, exercised on the wide Internet for our own good. <del>I haven't had an answer from HD Moore himself (probably because of Defcon :) ) so I can't really deny nor confirm this claim I did hear</del> I did hear from him; it is indeed scans done by him.
Anyway, as the scans are much more frequent/aggressive than the usual attack/scan attempts I see every day, I decided, while not seeing them as any threat, to filter them out; here are the IP addresses if you decide to as well.
IPs:
<code>69.175.126.168/29 69.175.126.170
184.154.42.192/29 184.154.42.194
173.236.44.96/29 173.236.44.98
69.175.54.104/29 69.175.54.106
173.236.30.120/29 173.236.30.122
96.127.150.216/29 96.127.150.218</code>
Screenshot of the website hosted on aforementioned IPs:</p>
<p><a href="http://yurisk.info/wp-content/uploads/2012/07/criticalio.jpg"><img alt="screenshot of the critical.io webpage" src="http://yurisk.info/wp-content/uploads/2012/07/criticalio-150x150.jpg"></a></p>
<p><strong>SCP file transfers and Checkpoint R75 problems</strong> (2012-07-23, Yuri Slobodyanyuk, tag:yurisk.info,2012-07-23:/2012/07/23/scp-and-checkpoint-r75-problems/)</p>
<p>There is a known issue with transferring big files (bigger than 1 Mb) from/to a SecurePlatform firewall by Checkpoint. The file transfer fails with an error about buffers. The problem is that Checkpoint SPLAT comes with an old opensshd daemon which has a bug in it dated 2006 (<a href="https://bugzilla.redhat.com/show_bug.cgi?id=184357">https://bugzilla.redhat.com/show_bug.cgi?id=184357</a>) causing the transfer to fail if the SCP client tries to use a buffer bigger than 1 Mb. And as (the only) Windows-based client WinSCP (which in turn uses PuTTY code) has been using a buffer larger than that for ages, trying to use versions of WinSCP newer than 3.x results in failure.
Checkpoint has a hotfix for that, according to SK sk66195, but the less intrusive alternative is to use older versions: pscp 0.60 and WinSCP 3.x (e.g. 3.7.4).</p>
<p><strong>How to enroll Cisco VPN client with IOS CA</strong> (2012-04-16, Yuri Slobodyanyuk, tag:yurisk.info,2012-04-16:/2012/04/16/how-to-enroll-vpn-client-with-ios-ca/)</p>
<p>It is worth mentioning that Cisco IOS routers can serve as CA servers as well. The example configurations are easy to find on cisco.com (see the link below). The only trick to know, not stated in the documentation: when enrolling the Cisco VPN client with the IOS CA, the URL you enter should look like this:<br>
http://192.182.12.1:80/cgi-bin/pkiclient.exe<br>
I attach a screenshot below so you can see what I mean.
Some references as well:<br>
<a href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/12-4t/sec-pki-12-4t-book/sec-cfg-mng-cert-serv.html"> www.cisco.com </a> <br>
<img alt="URL to use when enrolling with Cisco CA" src="https://yurisk.info/wp-content/uploads/2012/04/certenrol.png"></p>
<p><strong>Check duplex and speed settings of all interfaces in one go</strong> (2012-02-16, Yuri Slobodyanyuk, tag:yurisk.info,2012-02-16:/2012/02/16/check-duplex-and-speed-settings-of-all-interfaces-in-one-go/)</p>
<p>One of the first things you do when checking connectivity issues on a Checkpoint (or any networking gear, for that matter) is to look at the speed and duplex parameters of the interfaces. But have you tried to do it on a firewall with 15-20 interfaces?
No fun entering the interface names one by one. Here is the one-liner I use to get the speed and duplex settings of all interfaces in one go. All VLAN interfaces of course just take these parameters from the underlying physical one.<br>
<strong># for ii in $(ifconfig | awk ' /Ethernet/ {print $1}') ;do ethtool $ii; done | egrep 'eth|Speed|Duplex'</strong></p>
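<p>The one-liner gathers the settings but still leaves you reading three lines per interface, and a single "Half" in the middle of twenty "Full" entries is easy to miss. The script below is an added example, not code from the post or from Checkpoint: it takes the <code>ethtool</code> output of the one-liner on stdin (on the firewall, pipe the one-liner into <code>duplex_report</code>; the sample here is constructed, not captured from a real gateway), condenses it into one line per interface and flags any link that is not running full duplex, which is the usual cause of the slow and lossy behaviour that prompts the check in the first place.</p>

```shell
#!/bin/sh
# Added example, not part of the blog post: condense the ethtool output that
# the one-liner produces into one line per interface and flag any link that
# is not running full duplex.
duplex_report() {
    awk '
        /Settings for / { iface = $3; sub(/:$/, "", iface); next }
        /Speed:/        { speed = $2; next }
        /Duplex:/       {
            status = ($2 == "Full") ? "ok" : "CHECK"
            printf "%-10s %-8s %-5s %s\n", iface, speed, $2, status
        }
    '
}

# Number of interfaces that are not at full duplex (0 is the healthy answer).
duplex_issue_count() {
    duplex_report | grep -c 'CHECK$' || true
}

# Constructed sample (not captured from a real firewall) in the format of
# "for ii in ...; do ethtool $ii; done | egrep 'eth|Speed|Duplex'".
SAMPLE='Settings for eth0:
        Speed: 100Mb/s
        Duplex: Full
Settings for eth1:
        Speed: 1000Mb/s
        Duplex: Full
Settings for eth1.150:
        Speed: 1000Mb/s
        Duplex: Full
Settings for eth2:
        Speed: 100Mb/s
        Duplex: Half
'

printf '%s' "$SAMPLE" | duplex_report
```

<p>A half-duplex interface on a gateway almost always means an auto-negotiation mismatch with the switch port; confirm it from the switch side before forcing speed or duplex on either end, because hard-coding one side only makes the mismatch permanent.</p>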
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth0</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">100</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth1</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth1</span><span class="mf">.150</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth1</span><span class="mf">.160</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth1</span><span class="mf">.161</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth1</span><span class="mf">.270</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth1</span><span class="mf">.271</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth1</span><span class="mf">.281</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth1</span><span class="mf">.35</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth2</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">100</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth3</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth4</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth4</span><span class="mf">.112</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth4</span><span class="mf">.211</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth4</span><span class="mf">.311</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth4</span><span class="mf">.71</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth4</span><span class="mf">.72</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth4</span><span class="mf">.73</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth4</span><span class="mf">.413</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth4</span><span class="mf">.419</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth4</span><span class="mf">.451</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth4</span><span class="mf">.407</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth4</span><span class="mf">.408</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth5</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Settings</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">eth7</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Speed</span><span class="o">:</span><span class="w"> </span><span class="mi">1000</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="n">Duplex</span><span class="o">:</span><span class="w"> </span><span class="kr">Full</span><span class="w"></span>
</code></pre></div>
<p>The alternative way, via the <strong>ip address</strong> command, is: </p>
<p><strong># for ii in $(ip address | awk -F: ' /UP/ {print $2}') ;do ethtool $ii; done | egrep 'Settings|Speed|Duplex'</strong> </p>
<div class="highlight"><pre><span></span><code><span class="nv">Settings</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">lo</span>:<span class="w"></span>
<span class="nv">Settings</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">eth1</span>:<span class="w"></span>
<span class="w"> </span><span class="nv">Speed</span>:<span class="w"> </span><span class="mi">1000</span><span class="nv">Mb</span><span class="o">/</span><span class="nv">s</span><span class="w"></span>
<span class="w"> </span><span class="nv">Duplex</span>:<span class="w"> </span><span class="nv">Full</span><span class="w"></span>
<span class="nv">Settings</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">eth5</span>:<span class="w"></span>
<span class="w"> </span><span class="nv">Speed</span>:<span class="w"> </span><span class="mi">1000</span><span class="nv">Mb</span><span class="o">/</span><span class="nv">s</span><span class="w"></span>
<span class="w"> </span><span class="nv">Duplex</span>:<span class="w"> </span><span class="nv">Full</span><span class="w"></span>
</code></pre></div>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Funny way to expire Antispam license in Checkpoint2012-02-13T16:19:35+00:002012-02-13T16:19:35+00:00Yuri Slobodyanyuktag:yurisk.info,2012-02-13:/2012/02/13/funny-way-to-expire-antispam-license-in-checkpoint/<p>After years with Checkpoint products I came to the conclusion that if you don't have a logical explanation why something doesn't work, it is most probably a license issue.
My client stopped getting emails behind a UTM-132 at some remote branch. Doing the basics - telnet to port 25 (Checkpoint answered as it should), and Exchange answering on port 25 as well - didn't turn up anything.
Then I looked at the mail spool on the Checkpoint and voila, all the emails that didn't reach the internal Exchange were stuck there for no obvious reason.<br>
The reason became obvious when I looked at SmartView Tracker and saw the "AntiSpam service license expired" message. Only then did I recall that this UTM once had a Total Security license that included Antispam, but it had expired long ago.
Why, upon license expiry, Checkpoint decided to "hijack" the mails instead of passing them through without Antispam filtering is left without an answer.</p>
Finally GEO location blocking has arrived to Fortigate2012-02-09T18:35:47+00:002012-02-09T18:35:47+00:00Yuri Slobodyanyuktag:yurisk.info,2012-02-09:/2012/02/09/finally-geo-location-blocking-has-arrived-to-fortigate/<p>It was a predictable thing for Fortinet to do, as everyone else has already been doing it.
I haven't verified it myself, but according to an informed source (I can only say his name - Hen) they are using the
<a href="http://www.maxmind.com/">Maxmind database</a>. So let's see how to do it.<br>
First you create, in the New Address dialog window, a Geography type object specifying the country. As you can only pick one country per address, use Address Groups to combine several countries together.
After creating such an Address object you can use it in the Firewall Policy just as you would the usual Address.
The only reason I can think of why you would use Geo location blocking is to lower the noise/size of the logs by silently dropping traffic from unwanted countries.</p>
Convert Fortigate diagnose sniffer packet output into tcpdump format understood by Wireshark2012-02-06T18:06:31+00:002012-02-06T18:06:31+00:00Yuri Slobodyanyuktag:yurisk.info,2012-02-06:/2012/02/06/convert-fortigate-diagnose-sniffer-packet-output-into-tcpdump-format-understood-by-wireshark/<p>Running <strong>diagnose sniffer packet</strong> on a Fortinet Fortigate unit outputs human-readable packet information and packet data. Only sometimes you would like to have the traffic sniffed at the Fortigate in a Wireshark-readable format, so that it can be analyzed by the all-powerful Wireshark.<br>
For this case Fortinet came up with a script and application that takes the text output of this sniffer command and parses it into tcpdump format (.cap), which you can later open in Wireshark.<br>
I guess there are other scripts available that do just that (after all, it is just parsing a text file), but from Fortinet you can find it here:
<a href="https://kb.fortinet.com/kb/viewContent.do?externalId=11186&sliceId=1">kb.fortinet.com/kb/viewContent.do?externalId=11186&sliceId=1</a> </p>
<p>Or by searching their website for:<br>
<strong>fgt2eth.pli</strong><br>
<strong>fgt2eth.zip</strong></p>
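<p>The conversion the post describes, as an added Python example (not Fortinet's fgt2eth script): it parses the verbosity-3 text of <strong>diagnose sniffer packet</strong> into frames and writes a classic libpcap file. It assumes the dump layout <code>0xNNNN&lt;tab&gt; hhhh hhhh ...&lt;tab&gt;ascii</code> with Ethernet framing (pcap link type 1), and the two sample packets are constructed.</p>

```python
import re
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# Packet header line as printed by "diagnose sniffer packet ... 3": a relative
# timestamp (seconds.microseconds) or, with the -a option, an absolute one,
# then interface, direction and the one-line packet summary.
HEADER_RE = re.compile(
    r'^(?:(?P<abs>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)|(?P<rel>\d+\.\d+))'
    r'\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<summary>.*)$')
# Hex dump line: "0x0010<tab> hhhh hhhh ... hhhh<tab>ascii" (layout assumed).
HEX_RE = re.compile(r'^0x(?P<off>[0-9a-fA-F]{4})\s+(?P<rest>.*)$')
HEX_WORD_RE = re.compile(r'(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2})')


@dataclass
class Packet:
    ts_sec: int
    ts_usec: int
    iface: str
    direction: str
    summary: str
    data: bytes = b''


def _timestamp(m):
    """Split the header timestamp into (seconds, microseconds)."""
    if m.group('abs'):
        dt = datetime.strptime(m.group('abs'), '%Y-%m-%d %H:%M:%S.%f')
        dt = dt.replace(tzinfo=timezone.utc)   # device local time; UTC assumed here
        return int(dt.timestamp()), dt.microsecond
    whole, frac = m.group('rel').split('.')
    return int(whole), int((frac + '000000')[:6])


def _hex_bytes(rest):
    """Keep only the hex words before the ASCII column (at most 16 bytes per line)."""
    words = []
    for tok in rest.split('\t', 1)[0].split():
        if len(words) == 8 or not HEX_WORD_RE.fullmatch(tok):
            break
        words.append(tok)
    return bytes.fromhex(''.join(words))


def parse_sniffer_text(text):
    """Turn sniffer text into Packet objects; other lines (filters, counters) are ignored."""
    packets, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            sec, usec = _timestamp(h)
            current = Packet(sec, usec, h.group('iface'), h.group('dir'), h.group('summary'))
            packets.append(current)
            continue
        x = HEX_RE.match(line)
        if x and current is not None:
            offset = int(x.group('off'), 16)
            if offset != len(current.data):    # a dump line is missing or out of order
                raise ValueError(f'offset {offset:#06x} does not continue a {len(current.data)}-byte packet')
            current.data += _hex_bytes(x.group('rest'))
    return packets


def to_pcap_bytes(packets, linktype=1):
    """Serialize as classic libpcap (magic 0xa1b2c3d4, microsecond timestamps); linktype 1 = Ethernet."""
    out = bytearray(struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, linktype))
    for p in packets:
        out += struct.pack('<IIII', p.ts_sec, p.ts_usec, len(p.data), len(p.data))
        out += p.data
    return bytes(out)


# Constructed sample in the sniffer's verbosity-3 layout: a TCP SYN (54 bytes,
# IP checksum valid, TCP checksum left zero) and an ARP reply (42 bytes).
SAMPLE = "\n".join([
    "interfaces=[any]",
    "filters=[host 10.0.0.1]",
    "0.412345 port1 in 10.0.0.1.12345 -> 10.0.0.2.80: syn 1",
    "0x0000\t 0011 2233 4455 6677 8899 aabb 0800 4500\t..\"3DUfw........E.",
    "0x0010\t 0028 0001 0000 4006 66cd 0a00 0001 0a00\t.(....@.f.......",
    "0x0020\t 0002 3039 0050 0000 0001 0000 0000 5002\t..09.P........P.",
    "0x0030\t 2000 0000 0000\t ......",
    "2012-02-06 18:06:31.123456 port2 out arp reply 10.0.0.2 is-at 00:11:22:33:44:55",
    "0x0000\t 6677 8899 aabb 0011 2233 4455 0806 0001\tfw......\"3DU....",
    "0x0010\t 0800 0604 0002 0011 2233 4455 0a00 0002\t........\"3DU....",
    "0x0020\t 6677 8899 aabb 0a00 0001\tfw........",
    "2 packets received by filter",
    "0 packets dropped by kernel",
])

if __name__ == '__main__':
    pkts = parse_sniffer_text(SAMPLE)
    with open('fgt_sniffer.pcap', 'wb') as f:   # open this file in Wireshark
        f.write(to_pcap_bytes(pkts))
    for p in pkts:
        print(f'{p.iface} {p.direction} {len(p.data)} bytes: {p.summary}')
```

<p>For a real capture, replace <code>SAMPLE</code> with the saved terminal output of the sniffer command.</p>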
awk weekly - Security rule hits statistics . Checkpoint2012-01-31T10:50:36+00:002012-01-31T10:50:36+00:00Yuri Slobodyanyuktag:yurisk.info,2012-01-31:/2012/01/31/awk-weekly-rule-hits-statistics-checkpoint/<p>As I mentioned before, once you export firewall logs into a human-readable format you can do lots of interesting things - for example, a script that gives statistics of how many times each Security rule was hit.
Be aware that this counts explicit Security rules only - i.e. the ones you see in the Security tab of SmartDashboard. No other rules you usually see in SmartView Tracker are counted - e.g. SmartDefense, Web Filtering etc. Also, afterwards I sort it by number of hits to see which rules are used most:</p>
<div class="highlight"><pre><span></span><code><span class="n">awk</span><span class="w"> </span><span class="o">-</span><span class="n">F</span><span class="err">\</span><span class="p">;</span><span class="w"> </span><span class="s1">' {match($0,/rule: +([0-9]+)/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: " rule_number " Hits: " rule_count[rule_number]}'</span><span class="w"> </span><span class="p">.</span><span class="o">/</span><span class="n">fw</span><span class="p">.</span><span class="nf">log</span><span class="p">.</span><span class="n">txt</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">sort</span><span class="w"> </span><span class="o">-</span><span class="n">n</span><span class="w"> </span><span class="o">-</span><span class="n">k5</span><span class="w"> </span>
</code></pre></div>
<div class="highlight"><pre><span></span><code> Rule number: Hits: 1197330 <span class="nt"><strong></span> Ignore this line as it counts non-matched lines I dont want to filter with additional conditions and added time processing<span class="nt"></strong></span>
Rule number: 2 Hits: 9
Rule number: 5 Hits: 366
Rule number: 11 Hits: 12296
Rule number: 9 Hits: 14457
Rule number: 0 Hits: 17094
Rule number: 1 Hits: 44066
Rule number: 7 Hits: 233643
Rule number: 10 Hits: 366275
Rule number: 6 Hits: 424639
</code></pre></div>
<p><strong>Update 2012</strong> Below is the script to use the Rule ID instead of the sequential rule numbers - this way changing the rule order will not affect the statistics. The script also matches non-security rules - e.g. email session ids, which are a bit shorter than a Rule ID - but I didn't want to slow down the processing with additional formatting.</p>
<div class="highlight"><pre><span></span><code><span class="n">awk</span><span class="w"> </span><span class="o">-</span><span class="n">F</span><span class="err">\</span><span class="p">;</span><span class="w"> </span><span class="s1">' {match($0,/{([[:print:]]+)}/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: " rule_number " Hits: " rule_count[rule_number]}'</span><span class="w"> </span><span class="p">.</span><span class="o">/</span><span class="n">fw</span><span class="p">.</span><span class="nf">log</span><span class="p">.</span><span class="n">txt</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">sort</span><span class="w"> </span><span class="o">-</span><span class="n">n</span><span class="w"> </span><span class="o">-</span><span class="n">k5</span><span class="w"> </span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="nv">Rule</span><span class="w"> </span><span class="nv">number</span>:<span class="w"> </span><span class="nv">D199972C</span><span class="o">-</span><span class="nv">ED3E</span><span class="o">-</span><span class="mi">4</span><span class="nv">EB4</span><span class="o">-</span><span class="mi">8</span><span class="nv">B83</span><span class="o">-</span><span class="mi">813333156</span><span class="nv">D18</span><span class="w"> </span><span class="nv">Hits</span>:<span class="w"> </span><span class="mi">175</span><span class="w"></span>
<span class="w"> </span><span class="nv">Rule</span><span class="w"> </span><span class="nv">number</span>:<span class="w"> </span><span class="mi">85</span><span class="nv">A905A7</span><span class="o">-</span><span class="mi">951</span><span class="nv">E</span><span class="o">-</span><span class="mi">4100</span><span class="o">-</span><span class="nv">A4BA</span><span class="o">-</span><span class="nv">E13333151D29</span><span class="w"> </span><span class="nv">Hits</span>:<span class="w"> </span><span class="mi">219</span><span class="w"></span>
<span class="w"> </span><span class="nv">Rule</span><span class="w"> </span><span class="nv">number</span>:<span class="w"> </span><span class="mi">81333316</span><span class="o">-</span><span class="nv">E942</span><span class="o">-</span><span class="mi">4313</span><span class="o">-</span><span class="nv">BB7D</span><span class="o">-</span><span class="nv">E1333315802F</span><span class="w"> </span><span class="nv">Hits</span>:<span class="w"> </span><span class="mi">1519</span><span class="w"></span>
<span class="w"> </span><span class="nv">Rule</span><span class="w"> </span><span class="nv">number</span>:<span class="w"> </span><span class="mi">71333215</span><span class="o">-</span><span class="mi">2</span><span class="nv">DB5</span><span class="o">-</span><span class="mi">4</span><span class="nv">A3A</span><span class="o">-</span><span class="mi">95</span><span class="nv">BC</span><span class="o">-</span><span class="mi">5080</span><span class="nv">AD0F5564</span><span class="w"> </span><span class="nv">Hits</span>:<span class="w"> </span><span class="mi">2298</span><span class="w"></span>
<span class="w"> </span><span class="nv">Rule</span><span class="w"> </span><span class="nv">number</span>:<span class="w"> </span><span class="mi">11331315</span><span class="o">-</span><span class="nv">AE52</span><span class="o">-</span><span class="mi">44</span><span class="nv">E0</span><span class="o">-</span><span class="nv">A42A</span><span class="o">-</span><span class="mi">711029</span><span class="nv">B5768E</span><span class="w"> </span><span class="nv">Hits</span>:<span class="w"> </span><span class="mi">3755</span><span class="w"></span>
<span class="w"> </span><span class="nv">Rule</span><span class="w"> </span><span class="nv">number</span>:<span class="w"> </span><span class="mi">01333315</span><span class="o">-</span><span class="nv">D290</span><span class="o">-</span><span class="mi">4</span><span class="nv">B05</span><span class="o">-</span><span class="nv">AFE7</span><span class="o">-</span><span class="mi">23</span><span class="nv">BF24D889FF</span><span class="w"> </span><span class="nv">Hits</span>:<span class="w"> </span><span class="mi">4116</span><span class="w"></span>
<span class="w"> </span><span class="nv">Rule</span><span class="w"> </span><span class="nv">number</span>:<span class="w"> </span><span class="mi">121</span><span class="nv">FA62F</span><span class="o">-</span><span class="mi">3885</span><span class="o">-</span><span class="mi">4328</span><span class="o">-</span><span class="mi">8090</span><span class="o">-</span><span class="nv">BF1333315eB1</span><span class="w"> </span><span class="nv">Hits</span>:<span class="w"> </span><span class="mi">399793</span><span class="w"></span>
<span class="w"> </span><span class="nv">Rule</span><span class="w"> </span><span class="nv">number</span>:<span class="w"> </span><span class="nv">FE40E076</span><span class="o">-</span><span class="nv">BAEB</span><span class="o">-</span><span class="mi">4979</span><span class="o">-</span><span class="mi">8</span><span class="nv">E41</span><span class="o">-</span><span class="mi">5</span><span class="nv">EF1333315e6</span><span class="w"> </span><span class="nv">Hits</span>:<span class="w"> </span><span class="mi">440101</span><span class="w"></span>
<span class="w"> </span><span class="nv">Rule</span><span class="w"> </span><span class="nv">number</span>:<span class="w"> </span><span class="nv">BB3F6772</span><span class="o">-</span><span class="mi">4</span><span class="nv">D38</span><span class="o">-</span><span class="mi">4</span><span class="nv">D5A</span><span class="o">-</span><span class="mi">952</span><span class="nv">A</span><span class="o">-</span><span class="mi">301333315</span><span class="nv">de8</span><span class="w"> </span><span class="nv">Hits</span>:<span class="w"> </span><span class="mi">1354341</span><span class="w"></span>
<span class="w"> </span><span class="nv">Running</span><span class="w"> </span><span class="nv">time</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">a</span><span class="w"> </span><span class="nv">file</span><span class="w"> </span><span class="nv">of</span><span class="w"> </span><span class="mi">900</span><span class="w"> </span><span class="nv">Mb</span><span class="w"> </span><span class="nv">with</span><span class="w"> </span><span class="mi">4</span>.<span class="mi">7</span><span class="w"> </span><span class="nv">million</span><span class="w"> </span><span class="nv">records</span><span class="w"></span>
<span class="w"> </span><span class="nv">real</span><span class="w"> </span><span class="mi">5</span><span class="nv">m50</span>.<span class="mi">287</span><span class="nv">s</span><span class="w"></span>
<span class="w"> </span><span class="nv">user</span><span class="w"> </span><span class="mi">4</span><span class="nv">m22</span>.<span class="mi">890</span><span class="nv">s</span><span class="w"></span>
<span class="w"> </span><span class="nv">sys</span><span class="w"> </span><span class="mi">0</span><span class="nv">m3</span>.<span class="mi">190</span><span class="nv">s</span><span class="w"></span>
</code></pre></div>
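<p>The same statistic as an added Python example (not the post's awk one-liners): it counts hits per Rule UID, so rule reordering does not affect the result, remembers the current rule number seen with each UID, and requires the braced value to have UUID shape, which keeps shorter braced values such as mail session ids out of the count. The <code>rule:</code> / <code>rule_uid:</code> field names and the sample records are assumptions, not taken from a real export.</p>

```python
import re
from collections import Counter

# Fields the post's two awk one-liners key on: the sequential "rule: N" and the
# braced Rule UID. Requiring UUID shape excludes shorter braced ids.
RULE_NUM_RE = re.compile(r'rule: +(\d+)')
RULE_UID_RE = re.compile(
    r'\{([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}')


def rule_hits(lines):
    """Count hits per Rule UID; remember the rule number last seen with each UID."""
    hits, numbers, unmatched = Counter(), {}, 0
    for line in lines:
        uid_m = RULE_UID_RE.search(line)
        if not uid_m:
            unmatched += 1      # SmartDefense, mail sessions etc.: not a Security rule
            continue
        uid = uid_m.group(1).upper()
        hits[uid] += 1
        num_m = RULE_NUM_RE.search(line)
        if num_m:
            numbers[uid] = int(num_m.group(1))
    return hits, numbers, unmatched


def report(lines):
    """Rows (uid, current rule number, hits) ascending by hits, like 'sort -n -k5'."""
    hits, numbers, unmatched = rule_hits(lines)
    rows = [(uid, numbers.get(uid), n)
            for uid, n in sorted(hits.items(), key=lambda kv: kv[1])]
    return rows, unmatched


def iter_log(path):
    """Yield records from an exported log file, one ';'-separated record per line."""
    with open(path, encoding='utf-8', errors='replace') as f:
        for line in f:
            yield line.rstrip('\n')


# Constructed sample records; the field layout is an assumption about the export format.
UID_A = '11111111-2222-4333-8444-555555555555'
UID_B = '22222222-3333-4444-8555-666666666666'
UID_C = '33333333-4444-4555-8666-777777777777'
SAMPLE_LOG = [
    f'31Jan2012; 09:00:01; accept; fw1; inbound; eth1; rule: 5; rule_uid: {{{UID_A}}}; src: 10.1.1.5; dst: 10.2.2.2; service: http',
    f'31Jan2012; 09:00:02; accept; fw1; inbound; eth1; rule: 5; rule_uid: {{{UID_A}}}; src: 10.1.1.6; dst: 10.2.2.2; service: http',
    f'31Jan2012; 09:00:03; drop; fw1; inbound; eth1; rule: 1; rule_uid: {{{UID_B}}}; src: 10.1.1.7; dst: 10.2.2.2; service: telnet',
    f'31Jan2012; 09:00:04; accept; fw1; outbound; eth2; rule: 6; rule_uid: {{{UID_C}}}; src: 10.2.2.9; dst: 10.3.3.3; service: dns',
    f'31Jan2012; 09:00:05; accept; fw1; outbound; eth2; rule: 6; rule_uid: {{{UID_C}}}; src: 10.2.2.9; dst: 10.3.3.3; service: dns',
    f'31Jan2012; 09:00:06; accept; fw1; outbound; eth2; rule: 6; rule_uid: {{{UID_C}}}; src: 10.2.2.9; dst: 10.3.3.4; service: dns',
    '31Jan2012; 09:00:07; detect; fw1; inbound; eth1; product: SmartDefense; attack: Port Scan; src: 10.1.1.8',
    '31Jan2012; 09:00:08; accept; fw1; inbound; eth1; product: Anti Spam; session_id: {A1B2C3D4}; src: 10.1.1.9',
]

if __name__ == '__main__':
    rows, unmatched = report(SAMPLE_LOG)
    for uid, number, n in rows:
        print(f' Rule number: {number} UID: {uid} Hits: {n}')
    print(f' Records without a Security rule: {unmatched}')
```

<p>On a real export, pass <code>iter_log('./fw.log.txt')</code> to <code>report</code> instead of the sample list.</p>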
Time-based access limiting on Checkpoint or any Linux for any network service2011-11-14T21:08:16+00:002011-11-14T21:08:16+00:00Yuri Slobodyanyuktag:yurisk.info,2011-11-14:/2011/11/14/time-based-access-limiting-on-checkpoint-or-any-linux-for-that-matter/<p>Time-based access-lists in the Cisco world have been available since ... the last century for sure. But is it possible that Linux doesn't have anything like that? No way - of course it can do it, and do it better. Here is how.
Access control based on the time of day is available via a PAM module, and as almost all software today supports working with PAM modules, it is available universally.
Steps to take for any networking service:</p>
<ul>
<li>
<p>Enable the pam_time.so module for the software of interest in its config file in /etc/pam.d;</p>
</li>
<li>
<p>Configure the time range(s) during which this service accepts connections in the file /etc/security/time.conf;</p>
</li>
<li>
<p>Most probably restart the service, and we are set. </p>
</li>
</ul>
<p>E.g. let's restrict user ftp_user so that it can connect to the vsftpd daemon only during working hours on weekdays.<br>
- Add to the file /etc/pam.d/vsftpd the following line:<br>
<code>account required /lib/security/pam_time.so</code><br>
- Set the time limits in /etc/security/time.conf with this line:<br>
<code>vsftpd;*;ftp_user;Wk0800-1700</code><br>
- Restart vsftpd to force it to use the pam_time.so module (only needed the first time):<br>
<code>#service vsftpd restart</code></p>
<p>And now during the off-limit hours ftp_user will not be able to connect by FTP, that is it.</p>
<p>For Checkpoint all the above holds true, but as you don't have many servers there, the most probable candidate for such restrictions is the ssh daemon. For example, a firewall that the client also has ssh access to - while mail alerts for such access (see <a href="http://yurisk.info/2010/02/01/mail-alert-on-ssh-login-or-any-other-rule-hit-in-checkpoint/">Mail alert on ssh access in Checkpoint</a>) will warn me about it, it does me no good if someone on the client side accesses the firewall at 02:00 at night and all I get is an alert.
Example of limiting ssh access to the firewall to working hours only.<br>
/etc/security/time.conf : <br>
<code>sshd;*;client_user;Wk0900-1900</code><br>
/etc/pam.d/sshd :<br>
<code>account required /lib/security/pam_time.so</code></p>
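<p>To see what the two time.conf lines above actually permit, here is an added Python evaluator of a time.conf subset (not pam_time itself, and not the post's code): it implements the documented day codes (Wk, Wd, Al, MoTu..., with a repeated day unsetting it), HHMM-HHMM ranges that may wrap midnight, the <code>*</code> wildcard, <code>|</code> alternatives and <code>!</code> negation, and the rule that every matching line must also match on time. Field matching is assumed to be exact string comparison, <code>&amp;</code> in the time field is not supported, and the conf text is a constructed copy of the post's two rules.</p>

```python
import re
from datetime import datetime

# Day codes from pam_time(8); Python weekday(): Monday=0 ... Sunday=6.
DAY_CODES = {
    'Mo': {0}, 'Tu': {1}, 'We': {2}, 'Th': {3}, 'Fr': {4}, 'Sa': {5}, 'Su': {6},
    'Wk': {0, 1, 2, 3, 4}, 'Wd': {5, 6}, 'Al': {0, 1, 2, 3, 4, 5, 6},
}
TIME_ITEM_RE = re.compile(r'([A-Za-z]+)(\d{4})-(\d{4})')


def parse_days(spec):
    """'MoTuSa' -> {0, 1, 5}. Repeating a day unsets it, so 'AlFr' is every day except Friday."""
    days = set()
    for i in range(0, len(spec), 2):
        code = spec[i:i + 2]
        if code not in DAY_CODES:
            raise ValueError(f'unknown day code {code!r} in {spec!r}')
        days ^= DAY_CODES[code]
    return days


def field_matches(field, value):
    """services/ttys/users field: '*' matches all, '|' separates alternatives, '!' negates one."""
    for alt in field.split('|'):
        neg = alt.startswith('!')
        name = alt[1:] if neg else alt
        if (name == '*' or name == value) != neg:
            return True
    return False


def time_matches(times, when):
    """times field: '|'-separated [!]<days>HHMM-HHMM items; an end before the start wraps midnight."""
    hhmm = when.hour * 100 + when.minute
    for item in times.split('|'):
        neg = item.startswith('!')
        m = TIME_ITEM_RE.fullmatch(item[1:] if neg else item)
        if not m:
            raise ValueError(f'bad time item {item!r}')
        days, start, end = parse_days(m.group(1)), int(m.group(2)), int(m.group(3))
        in_range = start <= hhmm <= end if start <= end else (hhmm >= start or hhmm <= end)
        if (when.weekday() in days and in_range) != neg:
            return True
    return False


def parse_time_conf(text):
    """Rules as (services, ttys, users, times) tuples; '#' comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(';')]
        if len(parts) != 4:
            raise ValueError(f'expected 4 fields in {raw!r}')
        rules.append(tuple(parts))
    return rules


def access_allowed(rules, service, tty, user, when):
    """Every rule whose service, tty and user match must also match on time; otherwise deny."""
    for services, ttys, users, times in rules:
        if (field_matches(services, service) and field_matches(ttys, tty)
                and field_matches(users, user) and not time_matches(times, when)):
            return False
    return True


def decide(conf_text, service, user, iso_when, tty=''):
    """'YYYY-MM-DDTHH:MM' -> True (allowed) / False (denied); network services carry no tty."""
    when = datetime.fromisoformat(iso_when)
    return access_allowed(parse_time_conf(conf_text), service, tty, user, when)


# Constructed time.conf carrying the post's two rules.
TIME_CONF = """
# services;ttys;users;times
vsftpd;*;ftp_user;Wk0800-1700
sshd;*;client_user;Wk0900-1900
"""

if __name__ == '__main__':
    for svc, usr, t in [('vsftpd', 'ftp_user', '2012-01-31T10:00'),
                        ('vsftpd', 'ftp_user', '2012-02-04T10:00'),
                        ('sshd', 'client_user', '2012-01-31T02:00')]:
        print(svc, usr, t, 'allowed' if decide(TIME_CONF, svc, usr, t) else 'denied')
```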
<p><strong>Related</strong>:<br>
- <a href="https://yurisk.info/2011/04/05/two-tips-to-secure-ssh-access-from-specific-ips-to-specific-users-in-checkpoint-or-any-linux/">Two tips to secure SSH access from specific IPs to specific users in Checkpoint or any Linux</a></p>
Set NTP time source on Checkpoint to have correct log timestamps2011-11-12T17:29:44+00:002011-11-12T17:29:44+00:00Yuri Slobodyanyuktag:yurisk.info,2011-11-12:/2011/11/12/set-ntp-time-source-on-checkpoint-to-have-correct-log-timestamps/<p>It is hard to argue that logs are only as good as they are correct, and correct timestamps are crucial to this. The internal clock is prone to drift over time; in my experience I've seen some UTM appliances drift as much as 40 minutes in just one year! Even worse, you can never be sure of the drift distribution over time - it may be an incremental drift every day, or a sudden jump due to who knows what. </p>
<p>To prevent this from happening I use NTP time synchronization on all of my servers/firewalls. If you have been in system administration for some time this is old news for you - just use the ntpd daemon and pool.ntp.org servers located close to you, and you are set in 5 minutes. </p>
<p>On Checkpoint they took the hardening of the underlying OS to the extreme and supplied only the outdated ntpdate utility for the task, no ntpd for us.
Not a big deal - I use the cron job below to run ntpdate every 30 minutes to update the firewall clock, and you had better do so too.
Cheers </p>
<div class="highlight"><pre><span></span><code> 30 * * * * /usr/sbin/ntpdate 1.uk.pool.ntp.org > dev/null
</code></pre></div>
All you need to know about networking in Checkpoint firewall SecurePlatform FAQ2011-10-27T13:32:13+00:002011-10-27T13:32:13+00:00Yuri Slobodyanyuktag:yurisk.info,2011-10-27:/2011/10/27/all-you-need-to-know-about-networking-in-checkpoint-firewall-secureplatform-faq/<p>Q. How do I see available interfaces, errors on them, IP addresses?</p>
<p>Q. How do I see the routing table of the firewall?</p>
<p>Q. How do I see duplex, speed, physical link status of an interface?</p>
<p>Q. How do I manually set duplex, speed, autonegotiation settings of an interface?</p>
<p>Q. How do I save changes to interface duplex, speed or autonegotiation permanently?</p>
<p>Q. How do I add, delete, change routes?</p>
<p>Q. How do I delete, change the IP address on an interface?</p>
<p>Q. How do I add, change, delete a VLAN?</p>
<p>Q. How do I see existing VLANs?</p>
<p>Q. Can I combine a few interfaces into one logical interface?</p>
<p>Q. How do I shut and unshut an interface?</p>
<p>Q. How do I see available interfaces, errors on them, IP addresses?</p>
<p>A. # <strong>ifconfig</strong></p>
<p>Q. How do I see the routing table of the firewall?</p>
<p>A. # <strong>route -en</strong></p>
<div class="highlight"><pre><span></span><code> Destination Gateway Genmask Flags MSS Window irtt Iface<span class="nt"><br></br></span>
19.247.195.20 0.0.0.0 255.255.255.252 U 0 0 0 External<span class="nt"><br></br></span>
10.123.123.0 0.0.0.0 255.255.255.224 U 0 0 0 Lan1<span class="nt"><br></br></span>
</code></pre></div>
<p>Legend:<br>
Gateway - via which gateway this network is available, 0.0.0.0 means this network is configured locally on the interface<br>
Iface - name of the interface via which this network is reachable</p>
<p>Q. How do I see duplex, speed, physical link status of an interface?</p>
<p>A. # <strong>ethtool &lt;name of the interface you want to check, names are case-sensitive&gt;</strong><br>
e.g. # <strong>ethtool External</strong> </p>
<div class="highlight"><pre><span></span><code><span class="n">Settings</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">External</span><span class="o">:</span><span class="w"> </span>
<span class="w"> </span><span class="n">Supported</span><span class="w"> </span><span class="n">ports</span><span class="o">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="n">TP</span><span class="w"> </span><span class="n">MII</span><span class="w"> </span><span class="p">]</span><span class="w"></span>
<span class="w"> </span><span class="n">Supported</span><span class="w"> </span><span class="n">link</span><span class="w"> </span><span class="n">modes</span><span class="o">:</span><span class="w"> </span><span class="mi">10</span><span class="n">baseT</span><span class="o">/</span><span class="n">Half</span><span class="w"> </span><span class="mi">10</span><span class="n">baseT</span><span class="o">/</span><span class="n">Full</span><span class="w"></span>
<span class="w"> </span><span class="mi">100</span><span class="n">baseT</span><span class="o">/</span><span class="n">Half</span><span class="w"> </span><span class="mi">100</span><span class="n">baseT</span><span class="o">/</span><span class="n">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Supports</span><span class="w"> </span><span class="k">auto</span><span class="o">-</span><span class="n">negotiation</span><span class="o">:</span><span class="w"> </span><span class="n">Yes</span><span class="w"></span>
<span class="w"> </span><span class="n">Advertised</span><span class="w"> </span><span class="n">link</span><span class="w"> </span><span class="n">modes</span><span class="o">:</span><span class="w"> </span><span class="mi">10</span><span class="n">baseT</span><span class="o">/</span><span class="n">Half</span><span class="w"> </span><span class="mi">10</span><span class="n">baseT</span><span class="o">/</span><span class="n">Full</span><span class="w"></span>
<span class="w"> </span><span class="mi">100</span><span class="n">baseT</span><span class="o">/</span><span class="n">Half</span><span class="w"> </span><span class="mi">100</span><span class="n">baseT</span><span class="o">/</span><span class="n">Full</span><span class="w"></span>
<span class="w"> </span><span class="n">Advertised</span><span class="w"> </span><span class="k">auto</span><span class="o">-</span><span class="n">negotiation</span><span class="o">:</span><span class="w"> </span><span class="n">Yes</span><span class="w"></span>
<span class="w"> </span><span class="nl">Speed</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="n">Mb</span><span class="o">/</span><span class="n">s</span><span class="w"></span>
<span class="w"> </span><span class="nl">Duplex</span><span class="p">:</span><span class="w"> </span><span class="n">Full</span><span class="w"></span>
<span class="w"> </span><span class="nl">Port</span><span class="p">:</span><span class="w"> </span><span class="n">MII</span><span class="w"></span>
<span class="w"> </span><span class="nl">PHYAD</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="nl">Transceiver</span><span class="p">:</span><span class="w"> </span><span class="n">internal</span><span class="w"></span>
<span class="w"> </span><span class="n">Auto</span><span class="o">-</span><span class="n">negotiation</span><span class="o">:</span><span class="w"> </span><span class="n">on</span><span class="w"></span>
<span class="w"> </span><span class="n">Supports</span><span class="w"> </span><span class="n">Wake</span><span class="o">-</span><span class="n">on</span><span class="o">:</span><span class="w"> </span><span class="n">g</span><span class="w"></span>
<span class="w"> </span><span class="n">Wake</span><span class="o">-</span><span class="n">on</span><span class="o">:</span><span class="w"> </span><span class="n">g</span><span class="w"></span>
<span class="w"> </span><span class="n">Current</span><span class="w"> </span><span class="n">message</span><span class="w"> </span><span class="n">level</span><span class="o">:</span><span class="w"> </span><span class="mh">0x00000007</span><span class="w"> </span><span class="p">(</span><span class="mi">7</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="n">Link</span><span class="w"> </span><span class="n">detected</span><span class="o">:</span><span class="w"> </span><span class="n">yes</span><span class="w"></span>
</code></pre></div>
<p>Q. How do I manually set the duplex, speed and autonegotiation settings of an interface?</p>
<p>A. # <strong>ethtool -s &lt;name of interface&gt; speed 100</strong><br>
<strong>ethtool -s &lt;name of interface&gt; duplex full</strong><br>
<strong>ethtool -s &lt;name of interface&gt; autoneg off</strong><br>
IMPORTANT: the changes above will be active only until the firewall is rebooted; to set them
permanently see below.</p>
<p>Q. How do I save changes to the interface duplex, speed or autonegotiation permanently?</p>
<p>A. # <strong>eth_set &lt;interface&gt; [10h|10f|100h|100f|1000h|1000f|autoneg]</strong><br>
e.g. # eth_set Lan1 100f</p>
<p>Q. How do I add, delete or change routes?</p>
<p>A. Using the #<strong>sysconfig</strong> utility and its interactive menu (option 6).</p>
<p>Q. How do I delete or change the IP address on an interface?</p>
<p>A. # <strong>sysconfig</strong>, then option 5.</p>
<p>Q. How do I add, change or delete a VLAN?</p>
<p>A. # <strong>sysconfig</strong>, then option 5.</p>
<p>Q. How do I see existing VLANs?</p>
<p>A. Either via #<strong>sysconfig</strong>, then option 5, or via ifconfig; VLAN interfaces have the format &lt;physical interface name&gt;.&lt;vlan number&gt;.<br>
e.g. # ifconfig<br>
<code>eth7.301 Link encap:Ethernet HWaddr 00:1B:4A:CF:26:71</code></p>
<p>Q. Can I combine a few interfaces into one logical interface?</p>
<p>A. Yes, such an interface is called a Bond. Note that out of all interfaces added to the Bond interface only one will be active and passing traffic; the rest will be in standby mode in case the active interface fails.
NOTE 2 In newer versions it is possible to have a bond in Load Sharing mode.</p>
<p>Q. How do I shut and unshut an interface?</p>
<p>A. #<strong>ifconfig &lt;interface name&gt; down</strong><br>
#<strong>ifconfig &lt;interface name&gt; up</strong></p>
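<p>As an added example (not part of the original FAQ), here is a POSIX shell check that parses <code>ethtool</code> output and verifies that the link came up at the speed and duplex you expect, which is what you want to confirm right after <code>eth_set</code> and again after a reboot. The <code>SAMPLE_ETHTOOL</code> text is constructed for the demonstration; on a live box you pass <code>"$(ethtool eth1)"</code> instead.</p>

```shell
#!/bin/sh
# Added example (not from the original FAQ): a POSIX sh check that reads
# "ethtool <iface>" output and reports whether the link is up and running at
# the speed/duplex the admin expects. SAMPLE_ETHTOOL is a constructed ethtool
# output so the function can be exercised offline.

SAMPLE_ETHTOOL='Settings for eth1:
    Supported ports: [ TP MII ]
    Advertised auto-negotiation: Yes
    Speed: 100Mb/s
    Duplex: Half
    Auto-negotiation: on
    Link detected: yes
'

# field OUTPUT NAME -> value of the "NAME: value" line (leading blanks or tabs
# before NAME are tolerated), empty when the line is absent
field() {
    printf '%s\n' "$1" |
        awk -F': ' -v k="$2" '$1 ~ "^[ \t]*" k "$" { print $2; exit }'
}

# link_check OUTPUT EXPECTED_SPEED EXPECTED_DUPLEX
# Prints one status line per finding and returns 0 when the link is up with
# the expected settings, 1 on any mismatch (link down or a missing field too).
link_check() {
    out=$1; want_speed=$2; want_duplex=$3
    link=$(field "$out" "Link detected")
    speed=$(field "$out" "Speed")
    duplex=$(field "$out" "Duplex")
    autoneg=$(field "$out" "Auto-negotiation")
    if [ "$link" != "yes" ]; then
        echo "FAIL: link down"
        return 1
    fi
    rc=0
    [ "$speed" = "$want_speed" ] || { echo "FAIL: speed '$speed', expected $want_speed"; rc=1; }
    [ "$duplex" = "$want_duplex" ] || { echo "FAIL: duplex '$duplex', expected $want_duplex"; rc=1; }
    # Half duplex with autoneg forced off is the classic mismatch symptom
    # (late collisions, CRC errors on the switch side); call it out explicitly.
    if [ "$duplex" = "Half" ] && [ "$autoneg" = "off" ]; then
        echo "WARN: half duplex with autoneg off, check the switch port setting"
    fi
    [ "$rc" -eq 0 ] && echo "OK: $speed $duplex autoneg=$autoneg"
    return "$rc"
}

# Live usage: link_check "$(ethtool eth1)" 100Mb/s Full; echo "exit $?"
```

<p>The function deliberately reads only the operational lines (Speed, Duplex, Auto-negotiation, Link detected) and ignores the "Supported"/"Advertised" lists, since those describe capabilities rather than the state the port actually negotiated.</p>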
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Enable 2 factor authentication to protect your Gmail account if you have not done so already2011-10-26T11:34:42+00:002011-10-26T11:34:42+00:00Yuri Slobodyanyuktag:yurisk.info,2011-10-26:/2011/10/26/enable-2-factor-authentication-to-protect-your-gmail-account-if-you-have-not-done-so/<p>Today I did an improvised poll at work on who is using 2-factor authentication with their Gmail account and got only one positive answer - me :). The question was in turn inspired by the article in Atlantic Monthly where <a href="http://www.theatlantic.com/magazine/archive/2011/11/hacked/8673/1/">James Fallows</a> depicts in detail how his wife's Gmail account was hacked and how much trouble it was to get it back. I can only add that not using an absolutely free and easy feature to safeguard your precious asset, the mail account, is pretty reckless in our time. Just imagine what it would be like to have ALL of your Gmail inbox emptied and your access to the account lost due to a hack...<br>
I've always known that the best way to solve problems is to prevent them from occurring at all, so go ahead and use this Gmail feature and have fewer problems in life to solve.<br>
My personal experience of a few months is that it works with any mobile provider in Israel and it is pretty much a 'set and forget' type of configuration; you just need to be able to receive an SMS once a month. It can't be any easier, I guess. <a href="http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html">Advanced sign-in security for your Google account</a></p>
Watch your DNS records day and night with Nagios plugins2011-10-09T10:11:22+00:002011-10-09T10:11:22+00:00Yuri Slobodyanyuktag:yurisk.info,2011-10-09:/2011/10/09/watch-your-dns-records-day-and-night-with-nagios/<p>Domain records are the most visible, most vulnerable and many times crucial asset of a company.
Attackers need not break your firewall protection or find and develop exploits for the software running on your server to cut your company off from mail - it is enough for them to cause a change of the MX record and it's done - no incoming mail.
I've seen a real-life example of this happening to a huge company, when a human error made to the MX record went unnoticed and the company didn't get mail.
While there are companies making millions on protecting domains (do a whois on Google.com or Facebook.com to see an example), you can at least spot potential problems automatically in no time with Nagios.
The plugin to watch a DNS record is called <strong>check_dns</strong> and works this way - you configure which hostname to query and what its IP address should be; if the IP returned doesn't match the one configured, the Critical condition occurs and an alert is fired.<br>
This is the simplest of possible checks - hostname to IP mapping; more advanced checks are possible with the <strong>check_dig</strong> plugin.<br>
Example - if the IP of the hostname mx20.013net.net that handles mail for my provider changes from 194.90.9.19, the alert will be sent:<br>
<code>check_dns -H mx20.013net.net -a 194.90.9.19 -s 8.8.8.8</code></p>
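<p>To make the plugin's logic concrete, here is an added example (not from the original post and not the Nagios check_dns source): a minimal check_dns-style plugin in POSIX shell that compares the resolver's whole answer set with the records the admin expects and exits with the Nagios return codes. It goes a step beyond the post's single-address case by also handling MX answers, which is the record the post names as the one attackers care about. <code>RESOLVE_CMD</code> is an assumed hook, not a real check_dns option, so the comparison can be exercised offline against constructed answers.</p>

```shell
#!/bin/sh
# Added example, not from the original post or the Nagios plugins: a minimal
# check_dns-style plugin. It resolves HOST with dig, compares the whole answer
# set with what the admin expects and returns Nagios exit codes, so an
# unexpected A or MX change raises CRITICAL. RESOLVE_CMD is an assumed hook
# (not a real check_dns option) for feeding in constructed answers offline.

# Nagios plugin exit codes
OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3

# resolve HOST TYPE SERVER -> one answer per line, as "dig +short" prints them
resolve() {
    if [ -n "${RESOLVE_CMD:-}" ]; then
        "$RESOLVE_CMD" "$1" "$2" "$3"
    else
        dig +short "$1" "$2" "@$3"
    fi
}

# normalize: strip the trailing FQDN dot and sort, so record order and the
# "mx1.example.net." form do not cause false alarms
normalize() {
    sed 's/\.$//' | sort
}

# check_record HOST TYPE SERVER EXPECTED...
# Prints a Nagios status line and returns OK, CRITICAL or UNKNOWN.
check_record() {
    host=$1; rtype=$2; server=$3; shift 3
    expected=$(printf '%s\n' "$@" | normalize)
    actual=$(resolve "$host" "$rtype" "$server" | normalize)
    if [ -z "$actual" ]; then
        echo "DNS UNKNOWN - no $rtype answer for $host from $server"
        return "$UNKNOWN"
    fi
    if [ "$actual" = "$expected" ]; then
        echo "DNS OK - $host $rtype: $(echo "$actual" | tr '\n' ' ')"
        return "$OK"
    fi
    echo "DNS CRITICAL - $host $rtype is '$(echo "$actual" | tr '\n' ' ')', expected '$(echo "$expected" | tr '\n' ' ')'"
    return "$CRITICAL"
}

# Live usage (the post's example, with 8.8.8.8 as the resolver):
#   check_record mx20.013net.net A 8.8.8.8 194.90.9.19; echo "exit $?"
```

<p>Comparing the sorted, dot-stripped answer set rather than the first line is what keeps a round-robin A record or a multi-MX zone from paging you on every check; an extra or missing record still trips CRITICAL, which is exactly the tampering the post describes.</p>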
Limit maximum size of scanned files in Fortigate firmware 42011-10-03T17:58:46+00:002011-10-03T17:58:46+00:00Yuri Slobodyanyuktag:yurisk.info,2011-10-03:/2011/10/03/limit-maximum-size-of-scanned-files-in-fortigate-firmware-4/<p>Today I had to lower the scanned file size on a Fortigate 80C. In the past it was a matter of a few clicks in the good old version 3 via the management GUI, but in version 4 I spent some 20 minutes digging through its GUI high and low and then finally opened the Command Reference and found how to do it the CLI way.
Here is the solution:</p>
<p>FTG80C# <strong>config antivirus service http</strong><br>
FTG80C(http)# sho </p>
<div class="highlight"><pre><span></span><code><span class="nv">config</span><span class="w"> </span><span class="nv">antivirus</span><span class="w"> </span><span class="nv">service</span><span class="w"> </span><span class="s2">"http"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">scan</span><span class="o">-</span><span class="nv">bzip2</span><span class="w"> </span><span class="nv">disable</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">uncompnestlimit</span><span class="w"> </span><span class="mi">12</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">uncompsizelimit</span><span class="w"> </span><span class="mi">10</span><span class="w"></span>
<span class="k">end</span><span class="w"></span>
</code></pre></div>
<p>FTG80C(http) # <strong>set uncompsizelimit 2</strong><br>
FTG80C(http) # <strong>end</strong></p>
<p>FTG80C# <strong>config antivirus service ftp</strong><br>
FTG80C(ftp) # <strong>set</strong></p>
<div class="highlight"><pre><span></span><code>scan-bzip2 enable scanning of bzip2 compressed files
uncompnestlimit uncompnestlimit
uncompsizelimit uncompsizelimit
</code></pre></div>
<p>FTG80C(ftp) # <strong>set uncompsizelimit</strong></p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="nv">max</span><span class="w"> </span><span class="nv">uncompressed</span><span class="w"> </span><span class="nv">size</span><span class="w"> </span><span class="nv">to</span><span class="w"> </span><span class="nv">scan</span><span class="w"> </span><span class="ss">(</span><span class="mi">1</span><span class="o">-</span><span class="mi">50</span><span class="nv">MB</span><span class="w"> </span><span class="nv">or</span><span class="w"> </span><span class="nv">use</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">unlimited</span><span class="ss">)</span><span class="w"></span>
</code></pre></div>
<p>FTG80C(ftp) # <strong>set uncompsizelimit 2</strong><br>
FTG80C(ftp) # <strong>end</strong></p>
'Archive IOS running configuration automatically for possible rollback '2011-09-23T18:56:22+00:002011-09-23T18:56:22+00:00Yuri Slobodyanyuktag:yurisk.info,2011-09-23:/2011/09/23/archive-ios-running-configuration-automatically-for-possible-rollback/<p>Here is a feature that will save you time and frustration in many possible scenarios - especially when managing Cisco routers in a multi-user environment. Once enabled, archiving periodically saves a copy of the running configuration of the IOS router to flash or to a remote server. So
next time something stops working after changes and you don't know which one caused this - just revert back to the working configuration that is readily available.
http://vimeo.com/29482850</p>
Configure DVTI hairpinning on Cisco router for safe browsing2011-08-13T08:29:06+00:002011-08-13T08:29:06+00:00Yuri Slobodyanyuktag:yurisk.info,2011-08-13:/2011/08/13/configure-dvti-hairpinning-on-cisco-router-for-safe-browsing/<p>Today I am posting a video showing how to configure Dynamic Virtual Tunnel Interface (DVTI) on a Cisco IOS router. DVTI for remote access has been available for a long time already and is gradually replacing the old way of dynamic crypto maps, but as always people are hard to get out of the rut, so this great feature mostly goes unnoticed.
In this specific setup I am using DVTI for hairpinning - i.e. I will connect with the Cisco VPN client to the router and will tunnel ALL of my traffic through this connection, no split tunnel.
The main benefit of DVTI here is that I can assign <code>ip nat inside</code> to the DVTI interface and the router will take care of NAT translating my traffic when sending it in clear text to the Internet.
Enjoy.</p>
<p>As always you can watch all my videos on Vimeo - <a href="http://vimeo.com/yurisk">vimeo.com/yurisk</a>; you can also download the videos there as files.</p>
<p>http://vimeo.com/27369998</p>
Enable RADIUS Authentication for SSH and WEBGui access to the Checkpoint firewall2011-08-02T06:58:29+00:002011-08-02T06:58:29+00:00Yuri Slobodyanyuktag:yurisk.info,2011-08-02:/2011/08/02/enable-radius-authentication-for-ssh-and-webgui-access-to-the-checkpoint-firewall/<p>User action accountability is one of the building blocks of non-repudiation in security.
In Checkpoint, nevertheless, the default (and widely used) user authentication for SSH and WebGUI sessions is local. Actually Checkpoint thought about that long ago and has been offering RADIUS authentication for users accessing SecurePlatform and Gaia via SSH or the WebGUI for quite a long time. I'll put aside the discussion of why they made it a separately priced feature.</p>
<p>But if you have the SecurePlatform Pro license for NGX R65 or earlier, or the Advanced Networking Blade for R70 or later, then you can use it once the Pro features are enabled on the SPLAT.
To help you configure this I recorded this video, so be secure and enjoy.</p>
Encrypting preshared keys stored on the cisco IOS router2011-07-15T08:37:19+00:002011-07-15T08:37:19+00:00Yuri Slobodyanyuktag:yurisk.info,2011-07-15:/2011/07/15/encypting-preshared-keys-stored-on-the-cisco-ios-router/<p>You never know where your router may end up. It may be RMA'ed without properly wiping the configuration first, or it may be plain and simply stolen. In any of these or other unfortunate cases the last thing you would want is for the attacker to get the passwords or other security information stored on the router.</p>
<p>One piece of such information is the preshared key(s), which by default are stored in clear text.</p>
<p>To address this potential threat Cisco, starting with IOS 12.3, provides an AES encryption feature on IOS routers to encrypt the stored preshared keys. In the video below you can see the walkthrough to enable and manage this security feature.</p>
<p>Enjoy. As always suggestions, criticism and comments are welcome.<br>
NB - Narration is in English.<br>
http://vimeo.com/26338845</p>
Cisco router – how to schedule an unattended reload with EEM2011-06-22T18:34:06+00:002011-06-22T18:34:06+00:00Yuri Slobodyanyuktag:yurisk.info,2011-06-22:/2011/06/22/cisco-how-to-schedule-an-unattended-reload-with-eem/<p>Today a colleague of mine asked if I had a ready-to-use template to schedule a reload of a Cisco IOS router.
- "Of course, piece of cake, there should be millions of hits on it in Google", was my thought. So, after 30 minutes of searching the mighty Google and being surprised to have found nothing, I dragged from my notes this recipe dated 2007 but still valid as ever.<br>
Enjoy.<br>
<strong>NB</strong> A word of warning to those trying to do it with the built-in <strong>KRON</strong> service of IOS – rebooting a router requires answering “yes” at the CLI prompt and therefore will NOT work with KRON; only <strong>EEM</strong> can do it.</p>
<p>IOS used and tested – IOS 12.4T</p>
<div class="highlight"><pre><span></span><code><span class="n">conf</span><span class="w"> </span><span class="n">t</span><span class="w"> </span>
<span class="n">Edge</span><span class="p">(</span><span class="n">config</span><span class="p">)</span><span class="c1">#event manager applet ReloadMe </span><span class="w"></span>
<span class="n">Edge</span><span class="p">(</span><span class="n">config</span><span class="o">-</span><span class="n">applet</span><span class="p">)</span><span class="c1">#event timer cron name ReloadMe cron-entry "05 09 * * *" </span><span class="w"></span>
<span class="n">Edge</span><span class="p">(</span><span class="n">config</span><span class="o">-</span><span class="n">applet</span><span class="p">)</span><span class="c1">#action 33 reload </span><span class="w"></span>
<span class="n">wr</span><span class="w"> </span><span class="n">mem</span><span class="w"> </span>
</code></pre></div>
<p>This will reload the router every day at 09:05; for other formats see the man page for cron in Linux.</p>
<p>sh run </p>
<div class="highlight"><pre><span></span><code><span class="n">event</span><span class="w"> </span><span class="n">manager</span><span class="w"> </span><span class="n">applet</span><span class="w"> </span><span class="n">ReloadMe</span><span class="w"> </span>
<span class="n">event</span><span class="w"> </span><span class="n">timer</span><span class="w"> </span><span class="n">cron</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">ReloadMe</span><span class="w"> </span><span class="n">cron</span><span class="o">-</span><span class="n">entry</span><span class="w"> </span><span class="s2">"05 09 * * *"</span><span class="w"> </span>
<span class="n">action</span><span class="w"> </span><span class="mi">33</span><span class="w"> </span><span class="n">reload</span><span class="w"></span>
</code></pre></div>
Enable SNMP v3 in Checkpoint video walkthrough2011-04-28T07:25:16+00:002011-04-28T07:25:16+00:00Yuri Slobodyanyuktag:yurisk.info,2011-04-28:/2011/04/28/enable-snmp-v3-in-checkpoint-walkthrough/<p>SNMP version 3 has been with us for so many years, but so very few Checkpoint folks use it that I decided to do this screencast/video showing how to enable and use SNMP v3 on a Checkpoint firewall. NOTE - the language of narration is Hebrew.</p>
<p>http://vimeo.com/22473169</p>
Two tips to secure SSH access from specific IPs to specific users in Checkpoint or any Linux2011-04-05T07:06:06+00:002011-04-05T07:06:06+00:00Yuri Slobodyanyuktag:yurisk.info,2011-04-05:/2011/04/05/two-tips-to-secure-ssh-access-from-specific-ips-to-specific-users-in-checkpoint-or-any-linux/<p>Today I'll bring you two tips to secure SSH access to the Checkpoint firewall/Linux server beyond the firewall rules themselves. SSH access is the most powerful way to own the firewall, so it should be secured to the paranoid level, and even then it is never enough.</p>
<p><strong>Tip 1 Change the listening port.</strong><br>
You may say obscurity is not security, but I will not agree - any measure that makes attacking your system harder without much burden on you is valid. After all, there is no such thing as total security, only an endless arms race. Checkpoint, being just a Linux in disguise, uses the OpenSSH server, so changing the port is done via:<br>
NOTE before changing the listening port don't forget to allow incoming connections on this port in the firewall rules.</p>
<p><strong>/etc/ssh/sshd_config</strong><br>
<code>#Port 22</code></p>
<p>You change the above line to (if, say, I want to change the port to 5022):</p>
<p><code>Port 5022</code></p>
<p>Then save, then restart the SSH daemon:</p>
<p>[Expert@fireball]#<strong>service sshd restart</strong></p>
<p>Now you connect to the firewall with <strong>#ssh -p 5022 user@IP</strong></p>
<p><strong>Tip 2 Limit SSH access per user and per IP address</strong></p>
<p>OpenSSH provides the possibility to restrict access for a specific user to specific IP addresses. I will look here at a few potential scenarios.</p>
<p><strong>Case 1 Limit all SSH users to access from a specific IP</strong>, here from network 99.19.19.0/24:</p>
<p>At the bottom of the same file /etc/ssh/sshd_config I add:</p>
<div class="highlight"><pre><span></span><code><span class="n">AllowUsers</span><span class="w"> </span><span class="o">*</span><span class="mf">@99.19.19</span><span class="p">.</span><span class="o">*</span><span class="w"></span>
</code></pre></div>
<p>Save, restart the SSH daemon and this will take effect - only users coming from network
99.19.19.0/24 will be able to log in by ssh; any other source IP will always get "Wrong username or password".</p>
<p><strong>Case 2 Limit some users to access from specific IPs but allow others from Any.</strong><br>
Checkpoint comes with the default user admin that people often do not change, and I concluded over the years that changing people's bad behavior is much harder than changing firewalls. So I do this:
When both I and the client are managing the firewall, I create a username for myself, here <em>yurisk</em>, and restrict the username <em>admin</em> to the internal networks (for emergency cases) and the client's specific IP. Here my user is <em>yurisk</em>, the client's user is <em>admin</em>, the LAN is 10.88.88.0/24 and the client's WAN IP is 123.123.123.10.</p>
<p>/etc/ssh/sshd_config:</p>
<div class="highlight"><pre><span></span><code><span class="n">AllowUsers</span><span class="w"> </span><span class="n">admin</span><span class="mf">@123.123.123.10</span><span class="w"> </span><span class="n">admin</span><span class="mf">@10.88.88</span><span class="p">.</span><span class="o">*</span><span class="w"> </span><span class="n">yurisk</span><span class="w"></span>
</code></pre></div>
<p>Now the user <em>admin</em> will be able to connect from 123.123.123.10 or 10.88.88.0/24 IP addresses only, while <em>yurisk</em> will be able to connect from anywhere.</p>
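<p>Because an AllowUsers entry behaves differently depending on whether it carries a host part, here is an added example (not from the original post and not OpenSSH code) that models how sshd evaluates the directive, so you can predict who gets in from where before restarting the daemon and locking yourself out. <code>SAMPLE_SSHD_CONFIG</code> is a constructed config containing the Case 2 line from above; the hostname/CIDR forms that newer OpenSSH versions also accept are not modelled.</p>

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH: a POSIX sh model
# of how sshd evaluates an AllowUsers line. Patterns use the '*' and '?'
# wildcards sshd accepts in user@host entries; a bare username (no '@host')
# matches from any source. SAMPLE_SSHD_CONFIG is constructed for the demo.

SAMPLE_SSHD_CONFIG='Port 5022
# Case 2 from the post: admin only from the client WAN IP and the LAN, yurisk from anywhere
AllowUsers admin@123.123.123.10 admin@10.88.88.* yurisk
'

# allow_users_patterns CONFIG -> the patterns of the first AllowUsers line,
# one per line (empty output when the directive is absent)
allow_users_patterns() {
    printf '%s\n' "$1" |
        awk '$1 == "AllowUsers" { for (i = 2; i <= NF; i++) print $i; exit }'
}

# ssh_allowed USER SOURCE_IP CONFIG
# Returns 0 when USER from SOURCE_IP matches some AllowUsers pattern, 1 when
# sshd would reject the login. Without an AllowUsers line sshd allows everyone.
ssh_allowed() {
    user=$1; ip=$2
    patterns=$(allow_users_patterns "$3")
    if [ -z "$patterns" ]; then
        return 0
    fi
    while read -r pat; do
        [ -n "$pat" ] || continue
        case "$pat" in
            *@*) subject="$user@$ip" ;;   # user@host entry: both parts must match
            *)   subject="$user" ;;       # bare user: source address is ignored
        esac
        # $pat is deliberately unquoted so the shell treats it as a glob
        case "$subject" in
            $pat) return 0 ;;
        esac
    done <<EOF
$patterns
EOF
    return 1
}

# Example: ssh_allowed admin 203.0.113.9 "$SAMPLE_SSHD_CONFIG" returns 1,
#          ssh_allowed yurisk 203.0.113.9 "$SAMPLE_SSHD_CONFIG" returns 0
```

<p>Run the function against the config you are about to save, with your own user and the address you are connecting from, before you restart sshd: a typo in the pattern for your own entry is indistinguishable from a bad password on the client side, exactly the "Wrong username or password" symptom described for Case 1.</p>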
<h3>Resources</h3>
<ul>
<li>You may want to additionally limit access to SSH by time of the day, here is how to do it: <a href="https://yurisk.info/2011/11/14/time-based-access-limiting-on-checkpoint-or-any-linux-for-that-matter/">Time-based access limiting on Checkpoint or any Linux for any network service</a> </li>
<li>To prevent SSH session disconnect on time out, make sure to increase your session time, see <a href="https://yurisk.info/2008/09/15/ssh-session-timeout-in-checkpoint-ngngx/"> Increase SSH session timeout in Checkpoint Firewall</a> </li>
<li>SSH log rotation in Checkpoint is excessive, deleting logs too fast, make sure to increase the SSH log retention, see <a href="https://yurisk.info/2009/12/14/increase-and-rotate-ssh-log-files-in-checkpoint/">Increase the limit and rotate SSH log files in Checkpoint firewall</a> </li>
</ul>
'How to separate inbound and outbound data graphs in Nfsen Netflow tool '2011-03-28T06:39:28+00:002011-03-28T06:39:28+00:00Yuri Slobodyanyuktag:yurisk.info,2011-03-28:/2011/03/28/how-to-separate-inbound-and-outbound-data-graphs-in-nfsen-netflow-tool/<p>As I said already (<a href="https://yurisk.info/2010/10/14/do-not-miss-the-long-awaited-addition-to-the-fortigate-4-mr2-sflow-data-export/">here</a> and <a href="https://yurisk.info/2010/12/12/best-open-source-netflowsflow-analyzing-software/">here</a>), for gathering Netflow data, especially with security in mind, I deem <a href="http://nfsen.sourceforge.net/">Nfsen/nfdump</a> to be the best. And with some easy 2-minute tweaking I can always make it do exactly what I want.
By default, when you configure Cisco to export both ingress and egress Netflow data from an interface, Nfdump/Nfsen will accept and process it fine BUT... will show it on the same timeline with the same color, so the two overlap each other. That means you will see only the largest values. To fix it you create an additional profile (from Live) with separate channels, each representing one direction of the traffic - inbound or outbound. Then for each channel you set the appropriate filter - IN for incoming traffic, OUT for outgoing traffic (both relative to the interface being monitored), followed by the SNMP ifIndex of the interface in the router. A picture is worth 1024 words they say, so see below the screenshots of how I did it for one of my clients.</p>
<p><a href="https://yurisk.info/Nfsen_custom_profile.png"><img alt="Nfsen custom profile with channels" src="https://yurisk.info/wp-content/uploads/2011/03/Nfsen_custom_profile-150x150.png"></a> </p>
<p><a href="https://yurisk.info/Nfsen_custom_profile2.png"><img alt="Nfsen custom profile with channels" src="https://yurisk.info/wp-content/uploads/2011/03/Nfsen_custom_profile2-150x150.png"></a></p>
<p><strong>Additional resources:</strong> <br>
- <a href="https://yurisk.info/2020/09/20/nfdump-netflow-usage-examples-cookbook/">Nfdump netflow/sflow cookbook of examples</a></p>
You can be Nmap hacker too - contribute new signatures in few easy steps and feel proud of yourself2011-03-24T09:07:19+00:002011-03-24T09:07:19+00:00Yuri Slobodyanyuktag:yurisk.info,2011-03-24:/2011/03/24/you-can-be-nmap-hacker-too-contribute-new-signatures-in-few-easy-steps-and-feel-proud-of-yourself/<p><a href="https://insecure.org">NMAP</a> is probably the most well-known, long-standing and community-involved security-related project in the Open Source universe ever. And it is quite natural to think that there is nothing left for end users like us to do to improve it, but of course the opposite is the case. If we forget for a second all the complex C/C++/Lua/etc. coding involved in sharpening the algorithms and performance of Nmap, after all it is a signature-based network scanner that is only as good as its signatures. And here you can never get enough.
Just find some off-the-shelf network equipment, run a scan on it, be surprised that it is not recognized by Nmap and contribute its signature back to the Nmap community, then buy yourself a beer and put a sign in your cube "I contributed to Nmap" :)
- So how do you do this? Piece of cake.<br>
When running a scan with the -sV option (version detection of the software), if the target is not known to Nmap it will print out the Nmap-style fingerprint of the scanned service. It is OK to just copy and paste it here: <a href="https://insecure.org/cgi-bin/submit.cgi">https://insecure.org/cgi-bin/submit.cgi</a>, but then I wouldn't write this article. So let's do some practice.
There is a nice anti-spam and anti-virus appliance called PineApp Mailsecure, produced by an Israeli company named <a href="https://web.archive.org/web/20100216211706/http://www2.pineapp.com/">Pineapp</a>, which is quite popular at least here in Israel. Unfortunately Nmap does not recognize it beyond having an open port 25.
Here is the result of the Nmap scan.</p>
<p><strong>nmap -v -n -sV -P0 12.12.12.12</strong></p>
<div class="highlight"><pre><span></span><code>Starting Nmap 5.21 ( http://nmap.org ) at 2091-03-17 15:41 IST
NSE: Loaded 4 scripts for scanning.
Initiating SYN Stealth Scan at 15:41
Scanning 12.12.12.12 [1000 ports]
Discovered open port 25/tcp on 12.12.12.12
Completed SYN Stealth Scan at 15:41, 4.88s elapsed (1000 total ports)
Initiating Service scan at 15:41
Scanning 2 services on 12.12.12.12
Completed Service scan at 15:41, 13.88s elapsed (2 services on 1 host)
NSE: Script scanning 12.12.12.12.
NSE: Script Scanning completed.
Nmap scan report for 12.12.12.12
Host is up (0.015s latency).
Not shown: 996 filtered ports
PORT    STATE  SERVICE VERSION
25/tcp  open   smtp
113/tcp closed auth
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port25-TCP:V=5.21%I=7%D=3/19%Time=4D14329D%P=i686-pc-linux-gnu%r(NULL,2
SF:5,"220\x20Ready\x20to\x20receive\x20mail\x20-=-\x20ESMTP\r\n")%r(Hello,
SF:8E,"220\x20Ready\x20to\x20receive\x20mail\x20-=-\x20ESMTP\r\n250-Ready\
SF:x20to\x20receive\x20mail\x20-=-\r\n250-AUTH\x20LOGIN\x20PLAIN\r\n250-AU
SF:TH=LOGIN\x20PLAIN\r\n250-PIPELINING\r\n250\x208BITMIME\r\n")%r(Help,28,
SF:"451\x20Rejected\x20due\x20to\x20illegal\x20pipelining\r\n")%r(GenericL
SF:ines,28,"451\x20Rejected\x20due\x20to\x20illegal\x20pipelining\r\n");
Read data files from: /usr/local/share/nmap
</code></pre></div>
<p>So let's fix this, but first some preliminary knowledge of importance.
Nmap keeps all its service signatures in the file <strong>nmap-service-probes</strong>, which uses a few predefined keywords that are easy to remember and use:<br>
- First comes a probe, which defines what string to send to which port. In our case the target service is SMTP, so no changes are needed to the existing probe:</p>
<p><code>Probe TCP Hello q|EHLO\r\n|</code></p>
<p>The above means: once connected, send the word EHLO.<br>
The next line starts with the word <strong>rarity</strong> followed by its value. The higher the number, the lower the probability that this probe will be run; we leave it as is, since the probe will be run anyway once the preceding port scan reports port 25 as open:
<strong>rarity 8</strong><br>
The rarity line is followed by the list of ports for which this probe will be triggered once they are reported as open. Again, in our case we leave it as is:
<strong>ports 25,587,3025</strong><br>
Then comes the <strong>sslports</strong> keyword, which lists the SSL-enabled ports, finally followed by <strong>totalwaitms</strong>, also of no interest here.
Now we come to the good stuff: many lines matching different vendors/equipment, each of which starts with the keyword <strong>match</strong>. Let's have a closer look at it:
<code>match service m|matching regex pattern, Perl style| [version/device/hardware optional info]</code>
The best way to understand it is via an existing match in the file:</p>
<div class="highlight"><pre><span></span><code>match smtp m|^220\s+(DP-\d+)\r\n250-Hello\r\n250-DSN\r\n| p/Panasonic smtpd/ v/$1/ i/Panasonic printer/ d/printer/
</code></pre></div>
<p>It basically says:<br>
Send the EHLO command to the target, check the output from the target and look for a string that starts with 220, followed by whitespace of variable length, followed
by the word DP- and then a decimal number. Note that the () here allow us to later reference the part of the string matched inside them. This is followed by carriage return and new line characters (\r\n), then the word "250-Hello" plus \r\n, then the word "250-DSN" and finally again \r\n. If such a match is found, print to the terminal the string "Panasonic smtpd"; in the version field (v/$1/) print what was matched by (DP-\d+), and in the device type field print printer (d/printer/).
That is all there is to it. Now let's create a signature for the PineApp.
We have 2 options here: either actually run a scan against the PineApp target and decipher the output, or, what I do here, use common sense.
First I will do what the Nmap Hello probe does, namely connect by telnet to port 25 and issue the EHLO command. After that I will try to compose a regex matching the output.</p>
<p>[root@darkstar ~]# <strong>telnet 12.12.12.12 25</strong> </p>
<div class="highlight"><pre><span></span><code>Trying 12.12.12.12...
Connected to earth.planet.co (12.12.12.12).
Escape character is '^]'.
220 Ready to receive mail -=- ESMTP
helo a
250 Ready to receive mail -=-
quit
221 Ready to receive mail -=-
Connection closed by foreign host.
</code></pre></div>
<p>Well, the regex is not that hard to write here:<br>
<code>match smtp m|^220 Ready to receive mail -=- ESMTP\r\n| p/PineApp Mail-secure/ i/PineApp Av and Antispam mail gateway/ o/Linux/</code>
I edit /usr/local/share/nmap/nmap-service-probes, insert the above line under Probe TCP Hello where the matches start, save it and run Nmap again against the same host that was not recognized before:</p>
<p><strong>#nmap -n -sV -P0 12.12.12.12</strong></p>
<div class="highlight"><pre><span></span><code>Starting Nmap 5.21 ( http://nmap.org ) at 2091-03-17 15:46 IST
Nmap scan report for 12.12.12.12
Host is up (0.012s latency).
Not shown: 996 filtered ports
PORT    STATE  SERVICE VERSION
25/tcp  open   smtp    PineApp Mail-secure (PineApp Av and Antispam mail gateway)
113/tcp closed auth
Service Info: OS: Linux
</code></pre></div>
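<p>The same check can be done offline, before touching the real probes file, by replaying the fingerprint Nmap printed against a candidate match line. The Python script below is an added example, not code from this post or from the Nmap project. It joins and decodes the SF-/SF: fingerprint lines shown above (SAMPLE_FINGERPRINT is that output, embedded as a constructed sample), parses match lines in the nmap-service-probes syntax (the m|regex| part with its i/s flags, plus the p/ v/ i/ d/ o/ h/ fields and $1-style back-references), and applies them to the decoded responses in probe order, trying only the lines listed under the probe that elicited each response, as Nmap does. The function names parse_fingerprint, parse_match_line and identify are this example's own. The declared hex length of each response is checked against the decoded data, which catches a mis-joined continuation line before it misleads you; the NULL-probe fallback Nmap also applies is not modelled.</p>

```python
"""Decode an Nmap service fingerprint and try nmap-service-probes match
lines against it offline. Added example; not Nmap code or the author's."""
import re

# Constructed sample input: the SF fingerprint Nmap printed for the
# unrecognised PineApp SMTP service, copied from the scan output above.
SAMPLE_FINGERPRINT = r"""SF-Port25-TCP:V=5.21%I=7%D=3/19%Time=4D14329D%P=i686-pc-linux-gnu%r(NULL,2
SF:5,"220\x20Ready\x20to\x20receive\x20mail\x20-=-\x20ESMTP\r\n")%r(Hello,
SF:8E,"220\x20Ready\x20to\x20receive\x20mail\x20-=-\x20ESMTP\r\n250-Ready\
SF:x20to\x20receive\x20mail\x20-=-\r\n250-AUTH\x20LOGIN\x20PLAIN\r\n250-AU
SF:TH=LOGIN\x20PLAIN\r\n250-PIPELINING\r\n250\x208BITMIME\r\n")%r(Help,28,
SF:"451\x20Rejected\x20due\x20to\x20illegal\x20pipelining\r\n")%r(GenericL
SF:ines,28,"451\x20Rejected\x20due\x20to\x20illegal\x20pipelining\r\n");
"""

# One %r(ProbeName,HexLength,"escaped data") element of a fingerprint.
RESP_RE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
# match <service> m<delim>regex<delim>[flags] followed by version fields.
MATCH_RE = re.compile(
    r'^(soft)?match\s+(\S+)\s+m(?P<d>\S)(?P<pat>.*?)(?P=d)(?P<flags>[is]*)\s*(?P<rest>.*)$')
# p/product/ v/version/ i/info/ d/devicetype/ o/os/ h/hostname/ fields.
FIELD_RE = re.compile(r'([pvidoh])/((?:[^/\\]|\\.)*)/')


def _unescape(s):
    # Turn the \xHH, \r, \n, \t and \\ escapes of a fingerprint back into text.
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return {'r': '\r', 'n': '\n', 't': '\t'}.get(m.group(2), m.group(2))
    return re.sub(r'\\x([0-9A-Fa-f]{2})|\\(.)', repl, s)


def parse_fingerprint(text):
    """Join the SF-/SF: lines of one fingerprint and decode every probe
    response. Returns (port, protocol, header_fields, {probe: response})."""
    lines = [l for l in text.splitlines() if l.strip()]
    head = re.match(r'SF-Port(\d+)-(TCP|UDP):(.*)$', lines[0])
    if not head:
        raise ValueError('not an SF fingerprint')
    port, proto, body = int(head.group(1)), head.group(2), head.group(3)
    for line in lines[1:]:
        if not line.startswith('SF:'):
            raise ValueError('bad continuation line: %r' % line)
        body += line[3:]          # continuation lines are simply concatenated
    header = body.split('%r(', 1)[0]
    fields = dict(kv.split('=', 1) for kv in header.split('%'))
    responses = {}
    for name, hexlen, raw in RESP_RE.findall(body):
        data = _unescape(raw)
        # The declared length catches a mis-joined or truncated line early.
        if len(data) != int(hexlen, 16):
            raise ValueError('length mismatch in %s response' % name)
        responses[name] = data
    return port, proto, fields, responses


def parse_match_line(line):
    """Parse one match/softmatch line into a compiled regex plus its fields."""
    m = MATCH_RE.match(line.strip())
    if not m:
        raise ValueError('not a match line: %r' % line)
    flags = 0
    if 'i' in m.group('flags'):
        flags |= re.IGNORECASE
    if 's' in m.group('flags'):
        flags |= re.DOTALL
    return {'soft': m.group(1) is not None,
            'service': m.group(2),
            'regex': re.compile(m.group('pat'), flags),
            'fields': dict(FIELD_RE.findall(m.group('rest')))}


def _render(template, groups):
    """Expand $1..$9 in a version field with the regex capture groups."""
    def sub(m):
        n = int(m.group(1))
        return (groups[n - 1] or '') if 0 < n <= len(groups) else ''
    return re.sub(r'\$(\d)', sub, template)


def identify(probe_matches, responses):
    """Walk responses in probe order and return the first hard match with
    its fields rendered, or None. Only match lines listed under the probe
    that elicited a response are tried against it; softmatch lines are
    skipped and the NULL-probe fallback is not modelled."""
    for probe, data in responses.items():
        for ml in probe_matches.get(probe, []):
            hit = ml['regex'].search(data)
            if hit and not ml['soft']:
                result = {'probe': probe, 'service': ml['service']}
                result.update({k: _render(v, hit.groups()) for k, v in ml['fields'].items()})
                return result
    return None


# The existing Panasonic line from nmap-service-probes and the new PineApp
# line from the post; both sit under "Probe TCP Hello" in the file.
PANASONIC_LINE = (r"match smtp m|^220\s+(DP-\d+)\r\n250-Hello\r\n250-DSN\r\n| "
                  r"p/Panasonic smtpd/ v/$1/ i/Panasonic printer/ d/printer/")
PINEAPP_LINE = (r"match smtp m|^220 Ready to receive mail -=- ESMTP\r\n| "
                r"p/PineApp Mail-secure/ i/PineApp Av and Antispam mail gateway/ o/Linux/")
PROBE_MATCHES = {'Hello': [parse_match_line(PANASONIC_LINE),
                           parse_match_line(PINEAPP_LINE)]}


def classify_sample():
    """Run the captured fingerprint through the match lines above."""
    port, proto, _, responses = parse_fingerprint(SAMPLE_FINGERPRINT)
    return port, proto, identify(PROBE_MATCHES, responses)


if __name__ == '__main__':
    print(classify_sample())
```

Running it reports the Hello response of port 25/TCP as smtp with product "PineApp Mail-secure" and OS "Linux", which is the line Nmap prints once the match is in the file; the Panasonic line stays silent on this banner because its regex requires "DP-" plus digits after the 220 code. Matching is done on decoded text rather than raw bytes, which is enough for ASCII banners like these.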
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Checkpoint firewall VPN debug cheat sheet2011-03-23T07:52:51+00:002011-03-23T07:52:51+00:00Yuri Slobodyanyuktag:yurisk.info,2011-03-23:/2011/03/23/checkpoint-firewall-vpn-debug-cheat-sheet/<p>I love cheat sheets. Once I learn some product or technology to the level of understanding how it works, I find cheat sheets with all the options to run it and keep them handy. In the case of Checkpoint firewalls such cheat sheets are pretty much absent, so from time to time I will post here cheat sheets of my own.
NB To those claiming you need to know (read: memorize) everything, point them to the Albert Einstein quote: when asked what the speed of light is, he answered "I don't memorize things that can be found in any reference".
Today I'll do VPN debug, basic stuff, no frills. But we all started somewhere. <br>
<a href="http://yurisk.info/wp-content/uploads/2011/03/VPN_DEBUG_cheat_sheet.pdf">Checkpoint VPN debug cheat sheet</a><br>
<a href="http://yurisk.info/VPN_debug_cheat_sheet_p1.png"><img alt="Checkpoint VPN debug cheat sheet , page 1" src="http://yurisk.info/wp-content/uploads/2011/03/VPN_debug_cheat_sheet_p1-150x150.png"></a><br>
<a href="http://yurisk.info/VPN_debug_cheat_sheet_p2.png"><img alt="Checkpoint VPN debug cheat sheet , page 2" src="http://yurisk.info/wp-content/uploads/2011/03/VPN_debug_cheat_sheet_p2-150x150.png"></a></p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>RSA servers have been hacked2011-03-18T08:36:05+00:002011-03-18T08:36:05+00:00Yuri Slobodyanyuktag:yurisk.info,2011-03-18:/2011/03/18/rsa-servers-have-been-hacked/<p>Anything connected to the Internet will be hacked someday and RSA is no exception. The
open letter is here: <a href="https://web.archive.org/web/20111105174519/http://www.sec.gov/Archives/edgar/data/790070/000119312511070159/dex992.htm">RSA Open Letter</a>, but more interesting are the best practices published in response to the attack.</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Cisco Netflow performance data2011-03-13T10:45:06+00:002011-03-13T10:45:06+00:00Yuri Slobodyanyuktag:yurisk.info,2011-03-13:/2011/03/13/cisco-netflow-performance-data/<p>Not much of a post, but a link to the Cisco site stating how much Netflow loads Cisco routers:
<a href="https://community.cisco.com/t5/routing/netflow-cpu-impact/m-p/1171800/highlight/true">Netflow data sheet</a>
I, personally, do a lot of Netflow monitoring and can say that on unloaded routers, passing 2-5 Mbit/s of traffic, the additional load will be some 1-2% of CPU cycles. For the most loaded pair of routers I monitor, two Cisco 2800s passing about 70 Mbit/s of traffic and creating about 900 MB of Netflow data a day each, enabling Netflow added 8% of CPU load and they cope with it perfectly well.</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>My Amazon book list for CCIE Security Lab exam2011-02-18T11:24:40+00:002011-02-18T11:24:40+00:00Yuri Slobodyanyuktag:yurisk.info,2011-02-18:/2011/02/18/my-amazon-book-list-for-ccie-security-lab-exam/<p>Not limited to the CCIE Security Lab only, of course, here is the list of books I find really useful in preparing for the Lab.
<a href="http://a.co/4Z1nhdG"> Amazon Listmania list </a></p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Cisco ASA 5500 Series Content Security and Control Security Services Module or just CSC-SSM and how it looks2011-02-17T08:11:47+00:002011-02-17T08:11:47+00:00Yuri Slobodyanyuktag:yurisk.info,2011-02-17:/2011/02/17/cisco-asa-5500-series-content-security-and-control-security-services-module-or-just-csc-ssm-and-how-it-looks/<p>While the reason for my getting involved with this ASA 5510 module is of less interest (the client was getting the notification message "LogServer has recently stopped on InterScan for CSC SSM", more about that at the end of the post), the module itself looks cute, so I bring here some output to give you a taste of what it is.
- <strong>General status of the module from the ASA CLI prompt.</strong></p>
<p>See that some traffic actually gets redirected to the module.</p>
<div class="highlight"><pre><span></span><code>policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class global-class
  csc fail-open
</code></pre></div>
<h1><strong>show service-policy</strong></h1>
<div class="highlight"><pre><span></span><code>Class-map: global-class
CSC: packet sent 324010194
CSC: packet received 359600712
</code></pre></div>
<h1><strong>show module 1 det</strong></h1>
<div class="highlight"><pre><span></span><code>Getting details from the Service Module, please wait...
ASA 5500 Series Content Security Services Module-10
Model: ASA-SSM-CSC-10-K9
Hardware version: 1.0
Serial Number: JAF777777
Firmware version: 1.0(11)5
Software version: CSC SSM 6.3.1172.4
MAC Address Range: c333.7333.b333 to c333.7333.b333
App. name: CSC SSM
App. Status: Up
App. Status Desc: CSC SSM scan services are available
App. version: 6.3.1172.4
Data plane Status: Up
Status: Up
HTTP Service: Up
Mail Service: Up
FTP Service: Up
Activated: Yes
Mgmt IP addr: 192.168.21.119
Mgmt web port: 8443
</code></pre></div>
<h1><strong>show module all</strong></h1>
<div class="highlight"><pre><span></span><code>Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5510 Adaptive Security Appliance         ASA5510            JMX333333
  1 ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-10-K9  JAF333333

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 3333.3333.3333 to 3333.3333.3333  2.0          1.0(11)5     8.2(3)
  1 3333.3333.3333 to 3333.3333.3333  1.0          1.0(11)5     CSC SSM 6.3.1172.4

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 CSC SSM                        Up               6.3.1172.4

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Up                 Up
</code></pre></div>
<ul>
<li><strong>Now let's enter the module itself</strong></li>
</ul>
<h1><strong>session 1</strong></h1>
<div class="highlight"><pre><span></span><code>Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
<span class="k">export</span><span class="p">,</span><span class="w"> </span><span class="n">distribute</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="n">use</span><span class="w"> </span><span class="n">encryption</span><span class="o">.</span><span class="w"> </span><span class="n">Importers</span><span class="p">,</span><span class="w"> </span><span class="n">exporters</span><span class="p">,</span><span class="w"> </span><span class="n">distributors</span><span class="w"> </span><span class="ow">and</span><span class="w"></span>
<span class="n">users</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">responsible</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">compliance</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">U</span><span class="o">.</span><span class="n">S</span><span class="o">.</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">local</span><span class="w"> </span><span class="n">country</span><span class="w"> </span><span class="n">laws</span><span class="o">.</span><span class="w"> </span><span class="n">By</span><span class="w"> </span><span class="n">using</span><span class="w"></span>
<span class="n">this</span><span class="w"> </span><span class="n">product</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">agree</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">comply</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">applicable</span><span class="w"> </span><span class="n">laws</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">regulations</span><span class="o">.</span><span class="w"> </span><span class="n">If</span><span class="w"> </span><span class="n">you</span><span class="w"></span>
<span class="n">are</span><span class="w"> </span><span class="n">unable</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">comply</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">U</span><span class="o">.</span><span class="n">S</span><span class="o">.</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">local</span><span class="w"> </span><span class="n">laws</span><span class="p">,</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">product</span><span class="w"> </span><span class="n">immediately</span><span class="o">.</span><span class="w"></span>
<span class="n">A</span><span class="w"> </span><span class="n">summary</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">U</span><span class="o">.</span><span class="n">S</span><span class="o">.</span><span class="w"> </span><span class="n">laws</span><span class="w"> </span><span class="n">governing</span><span class="w"> </span><span class="n">Cisco</span><span class="w"> </span><span class="n">cryptographic</span><span class="w"> </span><span class="n">products</span><span class="w"> </span><span class="n">may</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">found</span><span class="w"> </span><span class="n">at</span><span class="p">:</span><span class="w"></span>
<span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">www</span><span class="o">.</span><span class="n">cisco</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">wwl</span><span class="o">/</span><span class="k">export</span><span class="o">/</span><span class="n">crypto</span><span class="o">/</span><span class="k">tool</span><span class="o">/</span><span class="n">stqrg</span><span class="o">.</span><span class="n">html</span><span class="w"></span>
<span class="n">If</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">require</span><span class="w"> </span><span class="n">further</span><span class="w"> </span><span class="n">assistance</span><span class="w"> </span><span class="n">please</span><span class="w"> </span><span class="n">contact</span><span class="w"> </span><span class="n">us</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">sending</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="n">to</span><span class="w"></span>
<span class="k">export</span><span class="err">@</span><span class="n">cisco</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="w"></span>
<span class="n">Trend</span><span class="w"> </span><span class="n">Micro</span><span class="w"> </span><span class="n">InterScan</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">Cisco</span><span class="w"> </span><span class="n">CSC</span><span class="w"> </span><span class="n">SSM</span><span class="w"> </span><span class="n">Setup</span><span class="w"> </span><span class="n">Main</span><span class="w"> </span><span class="n">Menu</span><span class="w"></span>
<span class="o">---------------------------------------------------------------------</span><span class="w"></span>
<span class="mf">1.</span><span class="w"> </span><span class="n">Network</span><span class="w"> </span><span class="n">Settings</span><span class="w"></span>
<span class="mf">2.</span><span class="w"> </span><span class="n">Date</span><span class="o">/</span><span class="n">Time</span><span class="w"> </span><span class="n">Settings</span><span class="w"></span>
<span class="mf">3.</span><span class="w"> </span><span class="n">Product</span><span class="w"> </span><span class="n">Information</span><span class="w"></span>
<span class="mf">4.</span><span class="w"> </span><span class="n">Service</span><span class="w"> </span><span class="n">Status</span><span class="w"></span>
<span class="mf">5.</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="n">Management</span><span class="w"></span>
<span class="mf">6.</span><span class="w"> </span><span class="n">Restore</span><span class="w"> </span><span class="n">Factory</span><span class="w"> </span><span class="n">Default</span><span class="w"> </span><span class="n">Settings</span><span class="w"></span>
<span class="mf">7.</span><span class="w"> </span><span class="n">Troubleshooting</span><span class="w"> </span><span class="n">Tools</span><span class="w"></span>
<span class="mf">8.</span><span class="w"> </span><span class="n">Reset</span><span class="w"> </span><span class="n">Management</span><span class="w"> </span><span class="n">Port</span><span class="w"> </span><span class="n">Access</span><span class="w"> </span><span class="n">Control</span><span class="w"> </span><span class="n">List</span><span class="w"></span>
<span class="mf">9.</span><span class="w"> </span><span class="n">Ping</span><span class="w"></span>
<span class="mf">10.</span><span class="w"> </span><span class="n">Exit</span><span class="w"> </span><span class="o">...</span><span class="w"></span>
<span class="n">Enter</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="p">[</span><span class="mi">1</span><span class="o">-</span><span class="mi">10</span><span class="p">]:</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Are all services actually running?</li>
</ul>
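<p>The Service Status and Show System Information screens below are easy to eyeball on one module, but across several ASAs the same three things want checking every time: a service that is not running, a pattern file that has stopped updating, and a license close to expiry. The following parser is an added example written for this post, not code from the original article or from Cisco/Trend Micro; it runs over constructed copies of the screens shown below (values taken from the post, not from a live module), and the 7-day and 90-day thresholds are assumptions to tune for your environment.</p>

```python
"""Parse CSC SSM 'Service Status' and 'Show System Information' screens
and return the findings a defender would act on.

Sample input below is constructed from the screens shown in the post;
it is not output captured from a live module."""
import re
from datetime import datetime

SERVICE_STATUS = """\
Service Status
---------------------------------------------------------------------
The CSC SSM RegServer service is running
The CSC SSM ScanServer service is running
The CSC SSM HTTP service is running
The CSC SSM Syslog-ng service is running
The CSC SSM TMCM-Agent service is not enabled
"""

SYSTEM_INFO = """\
Thu Feb 17 08:04:17 IST 2011 (2)
System is : Up
#@ Scan Engine and Pattern Information
Virus Scan Engine: 9.2.1012 (Updated: 2010-10-14 07:51:11)
Virus Pattern: 7.841.00 (Updated: 2011-02-17 05:51:23)
Spyware/Grayware Pattern: 1.151.00 (Updated: 2011-02-17 06:51:20)
AntiSpam Rule: 17960 (Updated: 2011-02-16 16:53:55)
IntelliTrap Pattern: 0.151.00 (Updated: 2011-02-01 09:07:20)
#@ License Information
Product:Base License
Status:Activated
Expiration date:10/6/2011
Product:Plus License
Status:Activated
Expiration date:10/6/2011
"""

SERVICE_RE = re.compile(r"^The CSC SSM (?P<name>\S+) service is (?P<state>.+?)\s*$")
COMPONENT_RE = re.compile(
    r"^(?P<name>[^:]+):\s*(?P<version>\S+)\s+\(Updated:\s*"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\)")
# e.g. "Thu Feb 17 08:04:17 IST 2011 (2)"; the zone name is ignored
SNAPSHOT_RE = re.compile(r"^\w{3} (?P<date>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \w+ (?P<year>\d{4})")
PRODUCT_RE = re.compile(r"^Product:\s*(?P<name>.+?)\s*$")
EXPIRY_RE = re.compile(r"^Expiration date:\s*(?P<mdy>\d{1,2}/\d{1,2}/\d{4})")


def parse_services(text):
    """Map service name -> state ('running', 'not enabled', ...)."""
    return {m["name"]: m["state"] for m in map(SERVICE_RE.match, text.splitlines()) if m}


def services_not_running(text):
    """Names of services whose state is anything other than 'running'."""
    return sorted(n for n, s in parse_services(text).items() if s != "running")


def parse_snapshot_time(text):
    """Timestamp the module printed at the top of the system information."""
    for line in text.splitlines():
        m = SNAPSHOT_RE.match(line)
        if m:
            return datetime.strptime(f"{m['date']} {m['year']}", "%b %d %H:%M:%S %Y")
    raise ValueError("no snapshot timestamp found")


def parse_components(text):
    """Map component name -> (version, last-updated datetime)."""
    comps = {}
    for m in map(COMPONENT_RE.match, text.splitlines()):
        if m:
            comps[m["name"].strip()] = (m["version"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    return comps


def stale_patterns(text, max_age_days=7):
    """Pattern/rule files older than max_age_days at snapshot time.
    Engines are skipped: they are released far less often than patterns."""
    now = parse_snapshot_time(text)
    return [(name, ver, (now - upd).days)
            for name, (ver, upd) in parse_components(text).items()
            if not name.endswith("Engine") and (now - upd).days > max_age_days]


def licenses_expiring(text, within_days=90):
    """(product, expiry ISO date) for licenses expiring within within_days."""
    now, product, found = parse_snapshot_time(text), None, []
    for line in text.splitlines():
        pm, em = PRODUCT_RE.match(line), EXPIRY_RE.match(line)
        if pm:
            product = pm["name"]          # remembered until its expiry line
        elif em:
            exp = datetime.strptime(em["mdy"], "%m/%d/%Y")
            if (exp - now).days <= within_days:
                found.append((product, exp.date().isoformat()))
    return found


def report(service_text, sysinfo_text):
    """All findings as readable lines; an empty list means all clear."""
    states = parse_services(service_text)
    lines = [f"service {n} is {states[n]}" for n in services_not_running(service_text)]
    lines += [f"{n} {v} is {age} days old" for n, v, age in stale_patterns(sysinfo_text)]
    lines += [f"{p} expires {e}" for p, e in licenses_expiring(sysinfo_text)]
    return lines


if __name__ == "__main__":
    for finding in report(SERVICE_STATUS, SYSTEM_INFO):
        print("FINDING:", finding)
```

<p>Run as-is against the constructed sample it flags the disabled TMCM-Agent service (expected if you do not use Control Manager, but worth knowing) and the IntelliTrap pattern that is more than two weeks older than the snapshot; the licenses are still months out and stay quiet. Feed it the text you capture from an expect/paramiko script that drives the <code>session 1</code> menus and the same checks work unattended.</p>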
<div class="highlight"><pre><span></span><code><span class="n">Enter</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="p">[</span><span class="mi">1</span><span class="o">-</span><span class="mi">10</span><span class="p">]:</span><span class="w"> </span><span class="mi">4</span><span class="w"></span>
<span class="n">Service</span><span class="w"> </span><span class="n">Status</span><span class="w"></span>
<span class="o">---------------------------------------------------------------------</span><span class="w"></span>
<span class="n">The</span><span class="w"> </span><span class="n">CSC</span><span class="w"> </span><span class="n">SSM</span><span class="w"> </span><span class="n">RegServer</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">running</span><span class="w"></span>
<span class="n">The</span><span class="w"> </span><span class="n">CSC</span><span class="w"> </span><span class="n">SSM</span><span class="w"> </span><span class="n">URLFD</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">running</span><span class="w"></span>
<span class="n">The</span><span class="w"> </span><span class="n">CSC</span><span class="w"> </span><span class="n">SSM</span><span class="w"> </span><span class="n">ScanServer</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">running</span><span class="w"></span>
<span class="n">The</span><span class="w"> </span><span class="n">CSC</span><span class="w"> </span><span class="n">SSM</span><span class="w"> </span><span class="n">HTTP</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">running</span><span class="w"></span>
<span class="n">The</span><span class="w"> </span><span class="n">CSC</span><span class="w"> </span><span class="n">SSM</span><span class="w"> </span><span class="n">FTP</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">running</span><span class="w"></span>
<span class="n">The</span><span class="w"> </span><span class="n">CSC</span><span class="w"> </span><span class="n">SSM</span><span class="w"> </span><span class="n">Notification</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">running</span><span class="w"></span>
<span class="n">The</span><span class="w"> </span><span class="n">CSC</span><span class="w"> </span><span class="n">SSM</span><span class="w"> </span><span class="n">Mail</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">running</span><span class="w"></span>
<span class="n">The</span><span class="w"> </span><span class="n">CSC</span><span class="w"> </span><span class="n">SSM</span><span class="w"> </span><span class="n">GUI</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">running</span><span class="w"></span>
<span class="n">The</span><span class="w"> </span><span class="n">CSC</span><span class="w"> </span><span class="n">SSM</span><span class="w"> </span><span class="n">SysMonitor</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">running</span><span class="w"></span>
<span class="n">The</span><span class="w"> </span><span class="n">CSC</span><span class="w"> </span><span class="n">SSM</span><span class="w"> </span><span class="n">Failoverd</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">running</span><span class="w"></span>
<span class="n">The</span><span class="w"> </span><span class="n">CSC</span><span class="w"> </span><span class="n">SSM</span><span class="w"> </span><span class="n">LogServer</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">running</span><span class="w"></span>
<span class="n">The</span><span class="w"> </span><span class="n">CSC</span><span class="w"> </span><span class="n">SSM</span><span class="w"> </span><span class="n">SyslogAdaptor</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">running</span><span class="w"></span>
<span class="n">The</span><span class="w"> </span><span class="n">CSC</span><span class="w"> </span><span class="n">SSM</span><span class="w"> </span><span class="n">Syslog</span><span class="o">-</span><span class="n">ng</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">running</span><span class="w"></span>
<span class="n">The</span><span class="w"> </span><span class="n">CSC</span><span class="w"> </span><span class="n">SSM</span><span class="w"> </span><span class="n">TMCM</span><span class="o">-</span><span class="n">Agent</span><span class="w"> </span><span class="n">service</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">enabled</span><span class="w"></span>
<span class="o">-</span><span class="w"> </span><span class="n">Troubleshooting</span><span class="w"> </span><span class="n">information</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">rather</span><span class="w"> </span><span class="n">overwhelming</span><span class="w"></span>
<span class="n">Enter</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="p">[</span><span class="mi">1</span><span class="o">-</span><span class="mi">7</span><span class="p">]:</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="n">Troubleshooting</span><span class="w"> </span><span class="n">Tools</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Show</span><span class="w"> </span><span class="n">System</span><span class="w"> </span><span class="n">Information</span><span class="w"></span>
<span class="o">---------------------------------------------------------------------</span><span class="w"></span>
<span class="mf">1.</span><span class="w"> </span><span class="n">Show</span><span class="w"> </span><span class="n">System</span><span class="w"> </span><span class="n">Information</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="n">Screen</span><span class="w"></span>
<span class="mf">2.</span><span class="w"> </span><span class="n">Upload</span><span class="w"> </span><span class="n">System</span><span class="w"> </span><span class="n">Information</span><span class="w"></span>
<span class="mf">3.</span><span class="w"> </span><span class="n">Return</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">Troubleshooting</span><span class="w"> </span><span class="n">Tools</span><span class="w"> </span><span class="n">Menu</span><span class="w"></span>
<span class="n">Enter</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="p">[</span><span class="mi">1</span><span class="o">-</span><span class="mi">3</span><span class="p">]:</span><span class="w"> </span><span class="mi">1</span><span class="w"></span>
<span class="o">++++++++++++++++++++++</span><span class="w"></span>
<span class="n">Thu</span><span class="w"> </span><span class="n">Feb</span><span class="w"> </span><span class="mi">17</span><span class="w"> </span><span class="mi">08</span><span class="p">:</span><span class="mi">04</span><span class="p">:</span><span class="mi">17</span><span class="w"> </span><span class="n">IST</span><span class="w"> </span><span class="mi">2011</span><span class="w"> </span><span class="p">(</span><span class="mi">2</span><span class="p">)</span><span class="w"></span>
<span class="n">System</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">Up</span><span class="w"></span>
<span class="c1">#@ Product Information</span><span class="w"></span>
<span class="n">Trend</span><span class="w"> </span><span class="n">Micro</span><span class="w"> </span><span class="n">InterScan</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">Cisco</span><span class="w"> </span><span class="n">CSC</span><span class="w"> </span><span class="n">SSM</span><span class="w"></span>
<span class="n">Version</span><span class="p">:</span><span class="w"> </span><span class="mf">6.3</span><span class="o">.</span><span class="mf">1172.4</span><span class="w"></span>
<span class="n">Upgrade</span><span class="w"> </span><span class="n">History</span><span class="p">:</span><span class="w"> </span><span class="mf">6.3</span><span class="o">.</span><span class="mf">1172.4</span><span class="w"></span>
<span class="n">Engineering</span><span class="w"> </span><span class="n">Build</span><span class="p">:</span><span class="w"></span>
<span class="n">SSM</span><span class="w"> </span><span class="n">Model</span><span class="p">:</span><span class="w"> </span><span class="n">SSM</span><span class="o">-</span><span class="mi">10</span><span class="w"></span>
<span class="n">SSM</span><span class="w"> </span><span class="n">S</span><span class="o">/</span><span class="n">N</span><span class="p">:</span><span class="w"> </span><span class="n">JAF7777777</span><span class="w"></span>
<span class="c1">#@ Scan Engine and Pattern Information</span><span class="w"></span>
<span class="n">Virus</span><span class="w"> </span><span class="n">Scan</span><span class="w"> </span><span class="n">Engine</span><span class="p">:</span><span class="w"> </span><span class="mf">9.2</span><span class="o">.</span><span class="mi">1012</span><span class="w"> </span><span class="p">(</span><span class="n">Updated</span><span class="p">:</span><span class="w"> </span><span class="mi">2010</span><span class="o">-</span><span class="mi">10</span><span class="o">-</span><span class="mi">14</span><span class="w"> </span><span class="mi">07</span><span class="p">:</span><span class="mi">51</span><span class="p">:</span><span class="mi">11</span><span class="p">)</span><span class="w"></span>
<span class="n">Virus</span><span class="w"> </span><span class="n">Pattern</span><span class="p">:</span><span class="w"> </span><span class="mf">7.841</span><span class="o">.</span><span class="mi">00</span><span class="w"> </span><span class="p">(</span><span class="n">Updated</span><span class="p">:</span><span class="w"> </span><span class="mi">2011</span><span class="o">-</span><span class="mi">02</span><span class="o">-</span><span class="mi">17</span><span class="w"> </span><span class="mi">05</span><span class="p">:</span><span class="mi">51</span><span class="p">:</span><span class="mi">23</span><span class="p">)</span><span class="w"></span>
<span class="n">Spyware</span><span class="o">/</span><span class="n">Grayware</span><span class="w"> </span><span class="n">Pattern</span><span class="p">:</span><span class="w"> </span><span class="mf">1.151</span><span class="o">.</span><span class="mi">00</span><span class="w"> </span><span class="p">(</span><span class="n">Updated</span><span class="p">:</span><span class="w"> </span><span class="mi">2011</span><span class="o">-</span><span class="mi">02</span><span class="o">-</span><span class="mi">17</span><span class="w"> </span><span class="mi">06</span><span class="p">:</span><span class="mi">51</span><span class="p">:</span><span class="mi">20</span><span class="p">)</span><span class="w"></span>
<span class="n">AntiSpam</span><span class="w"> </span><span class="n">Engine</span><span class="p">:</span><span class="w"> </span><span class="mf">6.5</span><span class="o">.</span><span class="mi">1024</span><span class="w"> </span><span class="p">(</span><span class="n">Updated</span><span class="p">:</span><span class="w"> </span><span class="mi">2010</span><span class="o">-</span><span class="mi">10</span><span class="o">-</span><span class="mi">14</span><span class="w"> </span><span class="mi">07</span><span class="p">:</span><span class="mi">51</span><span class="p">:</span><span class="mi">54</span><span class="p">)</span><span class="w"></span>
<span class="n">AntiSpam</span><span class="w"> </span><span class="n">Rule</span><span class="p">:</span><span class="w"> </span><span class="mi">17960</span><span class="w"> </span><span class="p">(</span><span class="n">Updated</span><span class="p">:</span><span class="w"> </span><span class="mi">2011</span><span class="o">-</span><span class="mi">02</span><span class="o">-</span><span class="mi">16</span><span class="w"> </span><span class="mi">16</span><span class="p">:</span><span class="mi">53</span><span class="p">:</span><span class="mi">55</span><span class="p">)</span><span class="w"></span>
<span class="n">IntelliTrap</span><span class="w"> </span><span class="n">Pattern</span><span class="p">:</span><span class="w"> </span><span class="mf">0.151</span><span class="o">.</span><span class="mi">00</span><span class="w"> </span><span class="p">(</span><span class="n">Updated</span><span class="p">:</span><span class="w"> </span><span class="mi">2011</span><span class="o">-</span><span class="mi">02</span><span class="o">-</span><span class="mi">01</span><span class="w"> </span><span class="mi">09</span><span class="p">:</span><span class="mi">07</span><span class="p">:</span><span class="mi">20</span><span class="p">)</span><span class="w"></span>
<span class="n">IntelliTrap</span><span class="w"> </span><span class="n">Exception</span><span class="w"> </span><span class="n">Pattern</span><span class="p">:</span><span class="w"> </span><span class="mf">0.631</span><span class="o">.</span><span class="mi">00</span><span class="w"> </span><span class="p">(</span><span class="n">Updated</span><span class="p">:</span><span class="w"> </span><span class="mi">2011</span><span class="o">-</span><span class="mi">02</span><span class="o">-</span><span class="mi">15</span><span class="w"> </span><span class="mi">08</span><span class="p">:</span><span class="mi">51</span><span class="p">:</span><span class="mi">15</span><span class="p">)</span><span class="w"></span>
<span class="c1">#@ License Information</span><span class="w"></span>
<span class="n">Product</span><span class="p">:</span><span class="n">Base</span><span class="w"> </span><span class="n">License</span><span class="w"></span>
<span class="n">License</span><span class="w"> </span><span class="n">profile</span><span class="w"> </span><span class="n">host</span><span class="w"> </span><span class="n">info</span><span class="w"> </span><span class="n">check</span><span class="w"> </span><span class="n">OK</span><span class="o">.</span><span class="w"></span>
<span class="n">Version</span><span class="p">:</span><span class="n">Standard</span><span class="w"></span>
<span class="n">Activation</span><span class="w"> </span><span class="n">Code</span><span class="p">:</span><span class="n">PX</span><span class="o">-</span><span class="n">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span><span class="w"></span>
<span class="n">Seats</span><span class="p">:</span><span class="mi">000100</span><span class="w"></span>
<span class="n">Status</span><span class="p">:</span><span class="n">Activated</span><span class="w"></span>
<span class="n">Expiration</span><span class="w"> </span><span class="n">date</span><span class="p">:</span><span class="mi">10</span><span class="o">/</span><span class="mi">6</span><span class="o">/</span><span class="mi">2011</span><span class="w"></span>
<span class="n">Product</span><span class="p">:</span><span class="n">Plus</span><span class="w"> </span><span class="n">License</span><span class="w"></span>
<span class="n">License</span><span class="w"> </span><span class="n">profile</span><span class="w"> </span><span class="n">host</span><span class="w"> </span><span class="n">info</span><span class="w"> </span><span class="n">check</span><span class="w"> </span><span class="n">OK</span><span class="o">.</span><span class="w"></span>
<span class="n">Version</span><span class="p">:</span><span class="n">Standard</span><span class="w"></span>
<span class="n">Activation</span><span class="w"> </span><span class="n">Code</span><span class="p">:</span><span class="n">PX</span><span class="o">-</span><span class="n">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span><span class="w"></span>
<span class="n">Status</span><span class="p">:</span><span class="n">Activated</span><span class="w"></span>
<span class="n">Expiration</span><span class="w"> </span><span class="n">date</span><span class="p">:</span><span class="mi">10</span><span class="o">/</span><span class="mi">6</span><span class="o">/</span><span class="mi">2011</span><span class="w"></span>
<span class="n">Daily</span><span class="w"> </span><span class="n">Node</span><span class="w"> </span><span class="n">Count</span><span class="p">:</span><span class="w"> </span><span class="mi">221</span><span class="w"></span>
<span class="n">Current</span><span class="w"> </span><span class="n">Node</span><span class="w"> </span><span class="n">Count</span><span class="p">:</span><span class="w"> </span><span class="mi">85</span><span class="w"></span>
<span class="c1">#@ Kernel Information</span><span class="w"></span>
<span class="n">Linux</span><span class="w"> </span><span class="n">ssm</span><span class="w"> </span><span class="mf">2.6</span><span class="o">.</span><span class="mf">17.8</span><span class="w"> </span><span class="c1">#13 PREEMPT Fri Nov 6 06:32:00 PST 2009 i686 unknown</span><span class="w"></span>
<span class="n">ASDP</span><span class="w"> </span><span class="n">Driver</span><span class="w"> </span><span class="mf">1.1</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">UP</span><span class="p">:</span><span class="w"></span>
<span class="n">Total</span><span class="w"> </span><span class="n">Connection</span><span class="w"> </span><span class="n">Records</span><span class="p">:</span><span class="w"> </span><span class="mi">159623</span><span class="w"></span>
<span class="n">Connection</span><span class="w"> </span><span class="n">Records</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">Use</span><span class="p">:</span><span class="w"> </span><span class="mi">156</span><span class="w"></span>
<span class="n">Free</span><span class="w"> </span><span class="n">Connection</span><span class="w"> </span><span class="n">Records</span><span class="p">:</span><span class="w"> </span><span class="mi">159467</span><span class="w"></span>
<span class="o">------</span><span class="w"> </span><span class="n">Shared</span><span class="w"> </span><span class="n">Memory</span><span class="w"> </span><span class="n">Segments</span><span class="w"> </span><span class="o">--------</span><span class="w"></span>
<span class="n">key</span><span class="w"> </span><span class="n">shmid</span><span class="w"> </span><span class="n">owner</span><span class="w"> </span><span class="n">perms</span><span class="w"> </span><span class="n">bytes</span><span class="w"> </span><span class="n">nattch</span><span class="w"> </span><span class="n">status</span><span class="w"></span>
<span class="mh">0x00003186</span><span class="w"> </span><span class="mi">4653056</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">666</span><span class="w"> </span><span class="mi">2621440</span><span class="w"> </span><span class="mi">1</span><span class="w"></span>
<span class="mh">0x00000000</span><span class="w"> </span><span class="mi">4456449</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">600</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="n">dest</span><span class="w"></span>
<span class="mh">0x00000000</span><span class="w"> </span><span class="mi">4620290</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">600</span><span class="w"> </span><span class="mi">1000000</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">dest</span><span class="w"></span>
<span class="mh">0x00000000</span><span class="w"> </span><span class="mi">4685827</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">600</span><span class="w"> </span><span class="mi">1048576</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">dest</span><span class="w"></span>
<span class="mh">0x00000000</span><span class="w"> </span><span class="mi">4718596</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">600</span><span class="w"> </span><span class="mi">1048576</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">dest</span><span class="w"></span>
<span class="mh">0x00000000</span><span class="w"> </span><span class="mi">4325381</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">600</span><span class="w"> </span><span class="mi">24632</span><span class="w"> </span><span class="mi">22</span><span class="w"> </span><span class="n">dest</span><span class="w"></span>
<span class="o">------</span><span class="w"> </span><span class="n">Semaphore</span><span class="w"> </span><span class="n">Arrays</span><span class="w"> </span><span class="o">--------</span><span class="w"></span>
<span class="n">key</span><span class="w"> </span><span class="n">semid</span><span class="w"> </span><span class="n">owner</span><span class="w"> </span><span class="n">perms</span><span class="w"> </span><span class="n">nsems</span><span class="w"></span>
<span class="mh">0x000207fb</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">777</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="mh">0x00020823</span><span class="w"> </span><span class="mi">32769</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">777</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="mh">0x00020802</span><span class="w"> </span><span class="mi">65538</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">777</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="mh">0x000207db</span><span class="w"> </span><span class="mi">98307</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">777</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="mh">0x00020fa1</span><span class="w"> </span><span class="mi">131076</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">777</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="mh">0x9abbcf71</span><span class="w"> </span><span class="mi">1277957</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">660</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="mh">0x325cb3f2</span><span class="w"> </span><span class="mi">1310726</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">660</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="mh">0x000207d3</span><span class="w"> </span><span class="mi">229383</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">777</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="mh">0x9abbceae</span><span class="w"> </span><span class="mi">262152</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">660</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="mh">0x001503cf</span><span class="w"> </span><span class="mi">327689</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">777</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="mh">0x929c6e9c</span><span class="w"> </span><span class="mi">360458</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">660</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="mh">0x0012040e</span><span class="w"> </span><span class="mi">393227</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">777</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="mh">0x000e039b</span><span class="w"> </span><span class="mi">425996</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">777</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="mh">0x00020863</span><span class="w"> </span><span class="mi">458765</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">777</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="mh">0x00020fe4</span><span class="w"> </span><span class="mi">1048590</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">777</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="o">------</span><span class="w"> </span><span class="n">Message</span><span class="w"> </span><span class="n">Queues</span><span class="w"> </span><span class="o">--------</span><span class="w"></span>
<span class="n">key</span><span class="w"> </span><span class="n">msqid</span><span class="w"> </span><span class="n">owner</span><span class="w"> </span><span class="n">perms</span><span class="w"> </span><span class="n">used</span><span class="o">-</span><span class="n">bytes</span><span class="w"> </span><span class="n">messages</span><span class="w"></span>
<span class="c1">#@ Disk Information</span><span class="w"></span>
<span class="n">Filesystem</span><span class="w"> </span><span class="mi">1</span><span class="n">k</span><span class="o">-</span><span class="n">blocks</span><span class="w"> </span><span class="n">Used</span><span class="w"> </span><span class="n">Available</span><span class="w"> </span><span class="n">Use</span><span class="o">%</span><span class="w"> </span><span class="n">Mounted</span><span class="w"> </span><span class="n">on</span><span class="w"></span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">hda2</span><span class="w"> </span><span class="mi">223843</span><span class="w"> </span><span class="mi">166878</span><span class="w"> </span><span class="mi">45407</span><span class="w"> </span><span class="mi">79</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">mnt</span><span class="o">/</span><span class="n">rw</span><span class="w"></span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">hda2</span><span class="w"> </span><span class="mi">223843</span><span class="w"> </span><span class="mi">166878</span><span class="w"> </span><span class="mi">45407</span><span class="w"> </span><span class="mi">79</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">dev</span><span class="w"></span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">hda2</span><span class="w"> </span><span class="mi">223843</span><span class="w"> </span><span class="mi">166878</span><span class="w"> </span><span class="mi">45407</span><span class="w"> </span><span class="mi">79</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="w"></span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">hda2</span><span class="w"> </span><span class="mi">223843</span><span class="w"> </span><span class="mi">166878</span><span class="w"> </span><span class="mi">45407</span><span class="w"> </span><span class="mi">79</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">home</span><span class="w"></span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">hda2</span><span class="w"> </span><span class="mi">223843</span><span class="w"> </span><span class="mi">166878</span><span class="w"> </span><span class="mi">45407</span><span class="w"> </span><span class="mi">79</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">modules</span><span class="w"></span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">hda2</span><span class="w"> </span><span class="mi">223843</span><span class="w"> </span><span class="mi">166878</span><span class="w"> </span><span class="mi">45407</span><span class="w"> </span><span class="mi">79</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">opt</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">256000</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">256000</span><span class="w"> </span><span class="mi">0</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">trend</span><span class="o">/</span><span class="n">isvw</span><span class="o">/</span><span class="n">temp</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">50176</span><span class="w"> </span><span class="mi">22844</span><span class="w"> </span><span class="mi">27332</span><span class="w"> </span><span class="mi">46</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">trend</span><span class="o">/</span><span class="n">isvw</span><span class="o">/</span><span class="nb">log</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">4096</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">4096</span><span class="w"> </span><span class="mi">0</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">trend</span><span class="o">/</span><span class="n">isvw</span><span class="o">/</span><span class="n">quarantine</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">5120</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">5120</span><span class="w"> </span><span class="mi">0</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">trend</span><span class="o">/</span><span class="n">isvw</span><span class="o">/</span><span class="n">queue</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">103424</span><span class="w"> </span><span class="mi">4912</span><span class="w"> </span><span class="mi">98512</span><span class="w"> </span><span class="mi">5</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">trend</span><span class="o">/</span><span class="n">isvw</span><span class="o">/</span><span class="n">tmpfs</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">101376</span><span class="w"> </span><span class="mi">18032</span><span class="w"> </span><span class="mi">83344</span><span class="w"> </span><span class="mi">18</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">trend</span><span class="o">/</span><span class="n">isvw</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">mail</span><span class="o">/</span><span class="n">cache</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">100352</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">100352</span><span class="w"> </span><span class="mi">0</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">coredump</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">8192</span><span class="w"> </span><span class="mi">180</span><span class="w"> </span><span class="mi">8012</span><span class="w"> </span><span class="mi">2</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="w"></span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">boot</span><span class="w"> </span><span class="mi">19067</span><span class="w"> </span><span class="mi">8401</span><span class="w"> </span><span class="mi">9682</span><span class="w"> </span><span class="mi">46</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">boot</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">205824</span><span class="w"> </span><span class="mi">40</span><span class="w"> </span><span class="mi">205784</span><span class="w"> </span><span class="mi">0</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">tmp</span><span class="w"></span>
<span class="n">Filesystem</span><span class="w"> </span><span class="n">Inodes</span><span class="w"> </span><span class="n">Used</span><span class="w"> </span><span class="n">Available</span><span class="w"> </span><span class="n">Use</span><span class="o">%</span><span class="w"> </span><span class="n">Mounted</span><span class="w"> </span><span class="n">on</span><span class="w"></span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">hda2</span><span class="w"> </span><span class="mi">58000</span><span class="w"> </span><span class="mi">2503</span><span class="w"> </span><span class="mi">55497</span><span class="w"> </span><span class="mi">4</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">mnt</span><span class="o">/</span><span class="n">rw</span><span class="w"></span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">hda2</span><span class="w"> </span><span class="mi">58000</span><span class="w"> </span><span class="mi">2503</span><span class="w"> </span><span class="mi">55497</span><span class="w"> </span><span class="mi">4</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">dev</span><span class="w"></span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">hda2</span><span class="w"> </span><span class="mi">58000</span><span class="w"> </span><span class="mi">2503</span><span class="w"> </span><span class="mi">55497</span><span class="w"> </span><span class="mi">4</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="w"></span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">hda2</span><span class="w"> </span><span class="mi">58000</span><span class="w"> </span><span class="mi">2503</span><span class="w"> </span><span class="mi">55497</span><span class="w"> </span><span class="mi">4</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">home</span><span class="w"></span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">hda2</span><span class="w"> </span><span class="mi">58000</span><span class="w"> </span><span class="mi">2503</span><span class="w"> </span><span class="mi">55497</span><span class="w"> </span><span class="mi">4</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">modules</span><span class="w"></span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">hda2</span><span class="w"> </span><span class="mi">58000</span><span class="w"> </span><span class="mi">2503</span><span class="w"> </span><span class="mi">55497</span><span class="w"> </span><span class="mi">4</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">opt</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">126902</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">126897</span><span class="w"> </span><span class="mi">0</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">trend</span><span class="o">/</span><span class="n">isvw</span><span class="o">/</span><span class="n">temp</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">126902</span><span class="w"> </span><span class="mi">36</span><span class="w"> </span><span class="mi">126866</span><span class="w"> </span><span class="mi">0</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">trend</span><span class="o">/</span><span class="n">isvw</span><span class="o">/</span><span class="nb">log</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">126902</span><span class="w"> </span><span class="mi">9</span><span class="w"> </span><span class="mi">126893</span><span class="w"> </span><span class="mi">0</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">trend</span><span class="o">/</span><span class="n">isvw</span><span class="o">/</span><span class="n">quarantine</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">126902</span><span class="w"> </span><span class="mi">11</span><span class="w"> </span><span class="mi">126891</span><span class="w"> </span><span class="mi">0</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">trend</span><span class="o">/</span><span class="n">isvw</span><span class="o">/</span><span class="n">queue</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">126902</span><span class="w"> </span><span class="mi">58</span><span class="w"> </span><span class="mi">126844</span><span class="w"> </span><span class="mi">0</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">trend</span><span class="o">/</span><span class="n">isvw</span><span class="o">/</span><span class="n">tmpfs</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">126902</span><span class="w"> </span><span class="mi">21</span><span class="w"> </span><span class="mi">126881</span><span class="w"> </span><span class="mi">0</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">trend</span><span class="o">/</span><span class="n">isvw</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">mail</span><span class="o">/</span><span class="n">cache</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">126902</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="mi">126901</span><span class="w"> </span><span class="mi">0</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">coredump</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">126902</span><span class="w"> </span><span class="mi">71</span><span class="w"> </span><span class="mi">126831</span><span class="w"> </span><span class="mi">0</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="w"></span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">boot</span><span class="w"> </span><span class="mi">4944</span><span class="w"> </span><span class="mi">25</span><span class="w"> </span><span class="mi">4919</span><span class="w"> </span><span class="mi">1</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">boot</span><span class="w"></span>
<span class="n">none</span><span class="w"> </span><span class="mi">126902</span><span class="w"> </span><span class="mi">12</span><span class="w"> </span><span class="mi">126890</span><span class="w"> </span><span class="mi">0</span><span class="o">%</span><span class="w"> </span><span class="o">/</span><span class="n">tmp</span><span class="w"></span>
<span class="c1"># Detail file listing:</span><span class="w"></span>
<span class="c1">#@ File Descriptor Information</span><span class="w"></span>
<span class="n">file</span><span class="o">:</span><span class="w"> </span><span class="mi">829</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">98926</span><span class="w"></span>
<span class="n">inode</span><span class="o">:</span><span class="w"> </span><span class="mi">7949</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="c1">#@ Memory Information</span><span class="w"></span>
<span class="c1"># Detail (meminfo):</span><span class="w"></span>
<span class="n">MemTotal</span><span class="p">:</span><span class="w"> </span><span class="mi">1015216</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">MemFree</span><span class="p">:</span><span class="w"> </span><span class="mi">451272</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">Buffers</span><span class="p">:</span><span class="w"> </span><span class="mi">12344</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">Cached</span><span class="p">:</span><span class="w"> </span><span class="mi">233652</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">SwapCached</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">Active</span><span class="p">:</span><span class="w"> </span><span class="mi">421388</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">Inactive</span><span class="p">:</span><span class="w"> </span><span class="mi">113212</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">HighTotal</span><span class="p">:</span><span class="w"> </span><span class="mi">131072</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">HighFree</span><span class="p">:</span><span class="w"> </span><span class="mi">240</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">LowTotal</span><span class="p">:</span><span class="w"> </span><span class="mi">884144</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">LowFree</span><span class="p">:</span><span class="w"> </span><span class="mi">451032</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">SwapTotal</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">SwapFree</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">Dirty</span><span class="p">:</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">Writeback</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">Mapped</span><span class="p">:</span><span class="w"> </span><span class="mi">318252</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">Slab</span><span class="p">:</span><span class="w"> </span><span class="mi">22296</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">CommitLimit</span><span class="p">:</span><span class="w"> </span><span class="mi">507608</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">Committed_AS</span><span class="p">:</span><span class="w"> </span><span class="mi">2035636</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">PageTables</span><span class="p">:</span><span class="w"> </span><span class="mi">3396</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">VmallocTotal</span><span class="p">:</span><span class="w"> </span><span class="mi">114680</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">VmallocUsed</span><span class="p">:</span><span class="w"> </span><span class="mi">1812</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">VmallocChunk</span><span class="p">:</span><span class="w"> </span><span class="mi">112736</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="n">HugePages_Total</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="n">HugePages_Free</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="n">HugePages_Rsvd</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="n">Hugepagesize</span><span class="p">:</span><span class="w"> </span><span class="mi">4096</span><span class="w"> </span><span class="n">kB</span><span class="w"></span>
<span class="c1"># Reported to ASDM:</span><span class="w"></span>
<span class="n">mem_unknown</span><span class="o">=</span><span class="mi">61440</span><span class="w"></span>
<span class="n">mem_cached</span><span class="o">=</span><span class="mi">233644</span><span class="w"></span>
<span class="n">mem_total</span><span class="o">=</span><span class="mi">1015216</span><span class="w"></span>
<span class="n">mem_est_free</span><span class="o">=</span><span class="mi">591156</span><span class="w"></span>
<span class="n">mem_buffers</span><span class="o">=</span><span class="mi">12344</span><span class="w"></span>
<span class="n">mem_free</span><span class="o">=</span><span class="mi">452608</span><span class="w"></span>
<span class="n">mem_used</span><span class="o">=</span><span class="mi">424060</span><span class="w"></span>
<span class="n">mem_tmpfs</span><span class="o">=</span><span class="mi">46000</span><span class="w"></span>
<span class="c1">#@ Process Information</span><span class="w"></span>
<span class="n">top</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="mi">08</span><span class="p">:</span><span class="mi">04</span><span class="p">:</span><span class="mi">18</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="mi">8</span><span class="w"> </span><span class="n">days</span><span class="p">,</span><span class="w"> </span><span class="mi">11</span><span class="p">:</span><span class="mi">49</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">user</span><span class="p">,</span><span class="w"> </span><span class="nb">load</span><span class="w"> </span><span class="n">average</span><span class="p">:</span><span class="w"> </span><span class="mf">0.08</span><span class="p">,</span><span class="w"> </span><span class="mf">0.07</span><span class="p">,</span><span class="w"> </span><span class="mf">0.03</span><span class="w"></span>
<span class="n">Tasks</span><span class="p">:</span><span class="w"> </span><span class="mi">68</span><span class="w"> </span><span class="n">total</span><span class="p">,</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="n">running</span><span class="p">,</span><span class="w"> </span><span class="mi">65</span><span class="w"> </span><span class="n">sleeping</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">stopped</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">zombie</span><span class="w"></span>
<span class="n">Cpu</span><span class="p">(</span><span class="n">s</span><span class="p">):</span><span class="w"> </span><span class="mf">0.5</span><span class="o">%</span><span class="n">us</span><span class="p">,</span><span class="w"> </span><span class="mf">1.9</span><span class="o">%</span><span class="n">sy</span><span class="p">,</span><span class="w"> </span><span class="mf">2.2</span><span class="o">%</span><span class="n">ni</span><span class="p">,</span><span class="w"> </span><span class="mf">93.5</span><span class="o">%</span><span class="n">id</span><span class="p">,</span><span class="w"> </span><span class="mf">0.1</span><span class="o">%</span><span class="n">wa</span><span class="p">,</span><span class="w"> </span><span class="mf">0.0</span><span class="o">%</span><span class="n">hi</span><span class="p">,</span><span class="w"> </span><span class="mf">1.8</span><span class="o">%</span><span class="n">si</span><span class="p">,</span><span class="w"> </span><span class="mf">0.0</span><span class="o">%</span><span class="n">st</span><span class="w"></span>
<span class="n">Mem</span><span class="p">:</span><span class="w"> </span><span class="mi">1015216</span><span class="n">k</span><span class="w"> </span><span class="n">total</span><span class="p">,</span><span class="w"> </span><span class="mi">563944</span><span class="n">k</span><span class="w"> </span><span class="n">used</span><span class="p">,</span><span class="w"> </span><span class="mi">451272</span><span class="n">k</span><span class="w"> </span><span class="n">free</span><span class="p">,</span><span class="w"> </span><span class="mi">12344</span><span class="n">k</span><span class="w"> </span><span class="n">buffers</span><span class="w"></span>
<span class="n">Swap</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="n">k</span><span class="w"> </span><span class="n">total</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="n">k</span><span class="w"> </span><span class="n">used</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="n">k</span><span class="w"> </span><span class="n">free</span><span class="p">,</span><span class="w"> </span><span class="mi">233652</span><span class="n">k</span><span class="w"> </span><span class="n">cached</span><span class="w"></span>
<span class="n">PID</span><span class="w"> </span><span class="n">USER</span><span class="w"> </span><span class="n">PR</span><span class="w"> </span><span class="n">NI</span><span class="w"> </span><span class="n">VIRT</span><span class="w"> </span><span class="n">RES</span><span class="w"> </span><span class="n">SHR</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="o">%</span><span class="n">CPU</span><span class="w"> </span><span class="o">%</span><span class="n">MEM</span><span class="w"> </span><span class="n">TIME</span><span class="o">+</span><span class="w"> </span><span class="n">COMMAND</span><span class="w"></span>
<span class="mi">10541</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">697</span><span class="n">m</span><span class="w"> </span><span class="mi">85</span><span class="n">m</span><span class="w"> </span><span class="mi">5528</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">11.8</span><span class="w"> </span><span class="mf">8.7</span><span class="w"> </span><span class="mi">1</span><span class="p">:</span><span class="mf">02.42</span><span class="w"> </span><span class="n">iwss</span><span class="o">-</span><span class="n">process</span><span class="w"></span>
<span class="mi">8125</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2992</span><span class="w"> </span><span class="mi">1276</span><span class="w"> </span><span class="mi">1108</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">3.9</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">74</span><span class="p">:</span><span class="mf">01.21</span><span class="w"> </span><span class="n">sysmonitor</span><span class="w"></span>
<span class="mi">1</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2364</span><span class="w"> </span><span class="mi">520</span><span class="w"> </span><span class="mi">444</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">01.28</span><span class="w"> </span><span class="n">init</span><span class="w"></span>
<span class="mi">2</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">34</span><span class="w"> </span><span class="mi">19</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">R</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">01.34</span><span class="w"> </span><span class="n">ksoftirqd</span><span class="o">/</span><span class="mi">0</span><span class="w"></span>
<span class="mi">3</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="o">-</span><span class="mi">5</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.11</span><span class="w"> </span><span class="n">events</span><span class="o">/</span><span class="mi">0</span><span class="w"></span>
<span class="mi">4</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="o">-</span><span class="mi">5</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.01</span><span class="w"> </span><span class="n">khelper</span><span class="w"></span>
<span class="mi">5</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="o">-</span><span class="mi">5</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">kthread</span><span class="w"></span>
<span class="mi">7</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="o">-</span><span class="mi">5</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">kblockd</span><span class="o">/</span><span class="mi">0</span><span class="w"></span>
<span class="mi">8</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="o">-</span><span class="mi">5</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">kseriod</span><span class="w"></span>
<span class="mi">67</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">15</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">pdflush</span><span class="w"></span>
<span class="mi">69</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">25</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">kswapd0</span><span class="w"></span>
<span class="mi">70</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">11</span><span class="w"> </span><span class="o">-</span><span class="mi">5</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">aio</span><span class="o">/</span><span class="mi">0</span><span class="w"></span>
<span class="mi">205</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">11</span><span class="w"> </span><span class="o">-</span><span class="mi">5</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">10.24</span><span class="w"> </span><span class="n">kjournald</span><span class="w"></span>
<span class="mi">7718</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">11</span><span class="w"> </span><span class="o">-</span><span class="mi">5</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">kjournald</span><span class="w"></span>
<span class="mi">7965</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">23</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">11244</span><span class="w"> </span><span class="mi">5524</span><span class="w"> </span><span class="mi">1164</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.5</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.39</span><span class="w"> </span><span class="n">urlfd</span><span class="w"></span>
<span class="mi">7967</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">26060</span><span class="w"> </span><span class="mi">3596</span><span class="w"> </span><span class="mi">2024</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.4</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">30.17</span><span class="w"> </span><span class="n">regserver</span><span class="w"></span>
<span class="mi">8040</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2364</span><span class="w"> </span><span class="mi">572</span><span class="w"> </span><span class="mi">484</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.17</span><span class="w"> </span><span class="n">crond</span><span class="w"></span>
<span class="mi">8066</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2372</span><span class="w"> </span><span class="mi">588</span><span class="w"> </span><span class="mi">504</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.01</span><span class="w"> </span><span class="n">getty</span><span class="w"></span>
<span class="mi">8069</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">17</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2368</span><span class="w"> </span><span class="mi">584</span><span class="w"> </span><span class="mi">504</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">getty</span><span class="w"></span>
<span class="mi">8072</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2368</span><span class="w"> </span><span class="mi">588</span><span class="w"> </span><span class="mi">508</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">getty</span><span class="w"></span>
<span class="mi">8077</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2368</span><span class="w"> </span><span class="mi">596</span><span class="w"> </span><span class="mi">508</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">klogd</span><span class="w"></span>
<span class="mi">8078</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">-</span><span class="mi">20</span><span class="w"> </span><span class="mi">52456</span><span class="w"> </span><span class="mi">1316</span><span class="w"> </span><span class="mi">1056</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">15.75</span><span class="w"> </span><span class="n">servmod</span><span class="w"></span>
<span class="mi">8079</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2080</span><span class="w"> </span><span class="mi">988</span><span class="w"> </span><span class="mi">824</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.02</span><span class="w"> </span><span class="n">bash</span><span class="w"></span>
<span class="mi">8118</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2048</span><span class="w"> </span><span class="mi">952</span><span class="w"> </span><span class="mi">820</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">issyslog</span><span class="w"></span>
<span class="mi">8124</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2368</span><span class="w"> </span><span class="mi">716</span><span class="w"> </span><span class="mi">596</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">03.36</span><span class="w"> </span><span class="n">top2ini</span><span class="w"></span>
<span class="mi">8127</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">21</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">3764</span><span class="w"> </span><span class="mi">1396</span><span class="w"> </span><span class="mi">1200</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.20</span><span class="w"> </span><span class="n">sshd</span><span class="w"></span>
<span class="mi">8128</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">15</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2368</span><span class="w"> </span><span class="mi">564</span><span class="w"> </span><span class="mi">476</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">08.42</span><span class="w"> </span><span class="n">telnetd</span><span class="w"></span>
<span class="mi">8143</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">3144</span><span class="w"> </span><span class="mi">1440</span><span class="w"> </span><span class="mi">1092</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">01.23</span><span class="w"> </span><span class="n">issyslog</span><span class="o">.</span><span class="n">exe</span><span class="w"></span>
<span class="mi">8147</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">1652</span><span class="w"> </span><span class="mi">528</span><span class="w"> </span><span class="mi">444</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.20</span><span class="w"> </span><span class="n">vmstat</span><span class="w"></span>
<span class="mi">8213</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">9448</span><span class="w"> </span><span class="mi">1132</span><span class="w"> </span><span class="mi">932</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.13</span><span class="w"> </span><span class="n">failoverd</span><span class="w"></span>
<span class="mi">8237</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">15</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">1760</span><span class="w"> </span><span class="mi">764</span><span class="w"> </span><span class="mi">588</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.15</span><span class="w"> </span><span class="n">syslog</span><span class="o">-</span><span class="n">ng</span><span class="w"></span>
<span class="mi">8262</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">21</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">383</span><span class="n">m</span><span class="w"> </span><span class="mi">112</span><span class="n">m</span><span class="w"> </span><span class="mi">17</span><span class="n">m</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">11.3</span><span class="w"> </span><span class="mi">1</span><span class="p">:</span><span class="mf">15.03</span><span class="w"> </span><span class="n">java</span><span class="w"></span>
<span class="mi">10404</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">Z</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">cat</span><span class="w"></span>
<span class="mi">23838</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">13564</span><span class="w"> </span><span class="mi">2256</span><span class="w"> </span><span class="mi">1832</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.2</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.02</span><span class="w"> </span><span class="n">isdelvd</span><span class="w"></span>
<span class="mi">23975</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">52700</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">6132</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">08.88</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24041</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">52700</span><span class="w"> </span><span class="mi">32</span><span class="n">m</span><span class="w"> </span><span class="mi">3024</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.3</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.04</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24042</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53280</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5644</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.77</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24043</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53216</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5680</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.74</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24044</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53152</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5564</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.69</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24045</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53332</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5708</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.95</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24046</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53244</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5728</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">01.09</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24047</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53280</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5672</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">01.02</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24048</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53152</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5636</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.69</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24049</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53280</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5672</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">01.15</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24050</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53152</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5636</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.94</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24051</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53152</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5608</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.77</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24052</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53328</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5716</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">01.06</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24053</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53152</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5680</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">01.03</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24054</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53244</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5720</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.93</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24055</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53292</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5624</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.76</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24056</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53252</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5684</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.79</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24057</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53284</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5736</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.83</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24058</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53152</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5608</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.69</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24059</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53152</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5640</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.87</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24060</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53292</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5624</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.84</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">24061</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53152</span><span class="w"> </span><span class="mi">35</span><span class="n">m</span><span class="w"> </span><span class="mi">5616</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">3.6</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.97</span><span class="w"> </span><span class="n">imssd</span><span class="w"></span>
<span class="mi">25989</span><span class="w"> </span><span class="n">isvw</span><span class="w"> </span><span class="mi">25</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">7676</span><span class="w"> </span><span class="mi">1432</span><span class="w"> </span><span class="mi">928</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.01</span><span class="w"> </span><span class="n">tmlogserv</span><span class="w"></span>
<span class="mi">8575</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">21</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">22812</span><span class="w"> </span><span class="mi">2776</span><span class="w"> </span><span class="mi">2312</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.3</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">isftpd</span><span class="w"></span>
<span class="mi">8585</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">21</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">35308</span><span class="w"> </span><span class="mi">3360</span><span class="w"> </span><span class="mi">2580</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.3</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.66</span><span class="w"> </span><span class="n">isftpd</span><span class="w"></span>
<span class="mi">10351</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">15</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">pdflush</span><span class="w"></span>
<span class="mi">10476</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="mi">53824</span><span class="w"> </span><span class="mi">48</span><span class="n">m</span><span class="w"> </span><span class="mi">3804</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">4.9</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">01.63</span><span class="w"> </span><span class="n">scanserver</span><span class="w"></span>
<span class="mi">12539</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">15</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2072</span><span class="w"> </span><span class="mi">928</span><span class="w"> </span><span class="mi">676</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">login</span><span class="w"></span>
<span class="mi">12569</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2912</span><span class="w"> </span><span class="mi">1884</span><span class="w"> </span><span class="mi">868</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.2</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.82</span><span class="w"> </span><span class="n">setup</span><span class="o">.</span><span class="n">bin</span><span class="w"></span>
<span class="mi">14363</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2212</span><span class="w"> </span><span class="mi">1128</span><span class="w"> </span><span class="mi">832</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">sh</span><span class="w"></span>
<span class="mi">14364</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">16</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2368</span><span class="w"> </span><span class="mi">452</span><span class="w"> </span><span class="mi">380</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">more</span><span class="w"></span>
<span class="mi">14365</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2268</span><span class="w"> </span><span class="mi">752</span><span class="w"> </span><span class="mi">400</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">sh</span><span class="w"></span>
<span class="mi">14491</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2268</span><span class="w"> </span><span class="mi">692</span><span class="w"> </span><span class="mi">340</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">sh</span><span class="w"></span>
<span class="mi">14492</span><span class="w"> </span><span class="n">root</span><span class="w"> </span><span class="mi">21</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">1992</span><span class="w"> </span><span class="mi">836</span><span class="w"> </span><span class="mi">652</span><span class="w"> </span><span class="n">R</span><span class="w"> </span><span class="mf">0.0</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mf">00.00</span><span class="w"> </span><span class="n">top</span><span class="w"></span>
<span class="c1">#@ Hardware Information</span><span class="w"></span>
<span class="n">SSM</span><span class="o">-</span><span class="n">IPS10</span><span class="o">-</span><span class="n">K9</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x00</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x0040</span><span class="w"> </span><span class="n">CONTROLLER</span><span class="w"> </span><span class="n">TYPE</span><span class="w"> </span><span class="mi">1177</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x01</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x0041</span><span class="w"> </span><span class="n">HW</span><span class="w"> </span><span class="n">REV</span><span class="w"> </span><span class="mf">1.0</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x02</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x00CB</span><span class="w"> </span><span class="n">PID</span><span class="w"> </span><span class="n">ASA</span><span class="o">-</span><span class="n">SSM</span><span class="o">-</span><span class="n">CSC</span><span class="o">-</span><span class="mi">10</span><span class="o">-</span><span class="n">K9</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x03</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x0089</span><span class="w"> </span><span class="n">VID</span><span class="w"> </span><span class="n">V02</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x04</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x0087</span><span class="w"> </span><span class="n">TOP</span><span class="w"> </span><span class="mi">68</span><span class="w"> </span><span class="n">LEVEL</span><span class="w"> </span><span class="n">PN</span><span class="w"> </span><span class="mi">22</span><span class="o">-</span><span class="mi">444</span><span class="o">-</span><span class="mi">02</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x05</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x0082</span><span class="w"> </span><span class="n">PCB</span><span class="w"> </span><span class="mi">73</span><span class="w"> </span><span class="n">LEVEL</span><span class="w"> </span><span class="n">PN</span><span class="w"> </span><span class="mi">22</span><span class="o">-</span><span class="mi">444</span><span class="o">-</span><span class="mi">02</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x06</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x0042</span><span class="w"> </span><span class="n">PCB</span><span class="w"> </span><span class="n">REV</span><span class="w"> </span><span class="mf">65.48</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x07</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x00C1</span><span class="w"> </span><span class="n">PCB</span><span class="w"> </span><span class="n">SN</span><span class="w"> </span><span class="n">JAF7777777</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x08</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x00C2</span><span class="w"> </span><span class="n">CHASSIS</span><span class="w"> </span><span class="n">SN</span><span class="w"> </span><span class="n">JAF7777777</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x09</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x0088</span><span class="w"> </span><span class="n">NEW</span><span class="w"> </span><span class="n">DEVIATION</span><span class="w"> </span><span class="n">NUM</span><span class="w"> </span><span class="mi">00000000</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x0A</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x00C4</span><span class="w"> </span><span class="n">MFG</span><span class="w"> </span><span class="n">TEST</span><span class="w"> </span><span class="n">INFO</span><span class="w"> </span><span class="mi">0000000000000000</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x0B</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x0081</span><span class="w"> </span><span class="n">RMA</span><span class="w"> </span><span class="n">NUM</span><span class="w"> </span><span class="mi">00000000</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x0C</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x0004</span><span class="w"> </span><span class="n">RMA</span><span class="w"> </span><span class="n">HIST</span><span class="w"> </span><span class="n">INFO</span><span class="w"> </span><span class="mi">00</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x0D</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x00C6</span><span class="w"> </span><span class="n">CLEI</span><span class="w"> </span><span class="n">CODES</span><span class="w"> </span><span class="n">COUCAB5CAB</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x0E</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x00DA</span><span class="w"> </span><span class="n">DESC</span><span class="w"> </span><span class="n">ASA</span><span class="w"> </span><span class="mi">5500</span><span class="w"> </span><span class="n">Series</span><span class="w"> </span><span class="n">Content</span><span class="w"> </span><span class="n">Security</span><span class="w"> </span><span class="n">Services</span><span class="w"> </span><span class="n">Module</span><span class="o">-</span><span class="mi">10</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x0F</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x00C3</span><span class="w"> </span><span class="n">CHASSIS</span><span class="w"> </span><span class="n">MAC</span><span class="w"> </span><span class="n">ADDR</span><span class="w"> </span><span class="n">C8</span><span class="p">:</span><span class="mi">4</span><span class="n">C</span><span class="p">:</span><span class="mi">33</span><span class="p">:</span><span class="mi">33</span><span class="p">:</span><span class="mi">33</span><span class="p">:</span><span class="mi">03</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x10</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x0043</span><span class="w"> </span><span class="n">MAC</span><span class="w"> </span><span class="n">ADDR_BLK</span><span class="w"> </span><span class="n">SZ</span><span class="w"> </span><span class="mi">1</span><span class="w"></span>
<span class="n">field</span><span class="w"> </span><span class="mh">0x11</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mh">0x008C</span><span class="w"> </span><span class="n">UNKNOWN</span><span class="w"> </span><span class="n">TYPE</span><span class="w"> </span><span class="mi">01000</span><span class="n">B05</span><span class="w"></span>
<span class="c1">#@ Ethernet Interface Information</span><span class="w"></span>
<span class="n">cisco_asd</span><span class="w"> </span><span class="n">Link</span><span class="w"> </span><span class="n">encap</span><span class="p">:</span><span class="n">UNSPEC</span><span class="w"> </span><span class="n">HWaddr</span><span class="w"> </span><span class="mi">00</span><span class="o">-</span><span class="mi">00</span><span class="o">-</span><span class="mi">00</span><span class="o">-</span><span class="mi">00</span><span class="o">-</span><span class="mi">00</span><span class="o">-</span><span class="mi">00</span><span class="o">-</span><span class="mi">00</span><span class="o">-</span><span class="mi">00</span><span class="o">-</span><span class="mi">00</span><span class="o">-</span><span class="mi">00</span><span class="o">-</span><span class="mi">00</span><span class="o">-</span><span class="mi">00</span><span class="o">-</span><span class="mi">00</span><span class="o">-</span><span class="mi">00</span><span class="o">-</span><span class="mi">00</span><span class="o">-</span><span class="mi">00</span><span class="w"></span>
<span class="n">UP</span><span class="w"> </span><span class="n">MTU</span><span class="p">:</span><span class="mi">1496</span><span class="w"> </span><span class="n">Metric</span><span class="p">:</span><span class="mi">1</span><span class="w"></span>
<span class="n">RX</span><span class="w"> </span><span class="n">packets</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">errors</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">dropped</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">overruns</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">frame</span><span class="p">:</span><span class="mi">0</span><span class="w"></span>
<span class="n">TX</span><span class="w"> </span><span class="n">packets</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">errors</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">dropped</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">overruns</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">carrier</span><span class="p">:</span><span class="mi">0</span><span class="w"></span>
<span class="n">collisions</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">txqueuelen</span><span class="p">:</span><span class="mi">0</span><span class="w"></span>
<span class="n">RX</span><span class="w"> </span><span class="n">bytes</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="p">(</span><span class="mf">0.0</span><span class="w"> </span><span class="n">B</span><span class="p">)</span><span class="w"> </span><span class="n">TX</span><span class="w"> </span><span class="n">bytes</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="p">(</span><span class="mf">0.0</span><span class="w"> </span><span class="n">B</span><span class="p">)</span><span class="w"></span>
<span class="n">dummy0</span><span class="w"> </span><span class="n">Link</span><span class="w"> </span><span class="n">encap</span><span class="p">:</span><span class="n">Ethernet</span><span class="w"> </span><span class="n">HWaddr</span><span class="w"> </span><span class="mi">0</span><span class="n">E</span><span class="p">:</span><span class="mi">66</span><span class="p">:</span><span class="mi">36</span><span class="p">:</span><span class="mi">3</span><span class="n">C</span><span class="p">:</span><span class="n">B8</span><span class="p">:</span><span class="mi">59</span><span class="w"></span>
<span class="n">BROADCAST</span><span class="w"> </span><span class="n">NOARP</span><span class="w"> </span><span class="n">MTU</span><span class="p">:</span><span class="mi">1500</span><span class="w"> </span><span class="n">Metric</span><span class="p">:</span><span class="mi">1</span><span class="w"></span>
<span class="n">RX</span><span class="w"> </span><span class="n">packets</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">errors</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">dropped</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">overruns</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">frame</span><span class="p">:</span><span class="mi">0</span><span class="w"></span>
<span class="n">TX</span><span class="w"> </span><span class="n">packets</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">errors</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">dropped</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">overruns</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">carrier</span><span class="p">:</span><span class="mi">0</span><span class="w"></span>
<span class="n">collisions</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">txqueuelen</span><span class="p">:</span><span class="mi">0</span><span class="w"></span>
<span class="n">RX</span><span class="w"> </span><span class="n">bytes</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="p">(</span><span class="mf">0.0</span><span class="w"> </span><span class="n">B</span><span class="p">)</span><span class="w"> </span><span class="n">TX</span><span class="w"> </span><span class="n">bytes</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="p">(</span><span class="mf">0.0</span><span class="w"> </span><span class="n">B</span><span class="p">)</span><span class="w"></span>
<span class="n">eth0</span><span class="w"> </span><span class="n">Link</span><span class="w"> </span><span class="n">encap</span><span class="p">:</span><span class="n">Ethernet</span><span class="w"> </span><span class="n">HWaddr</span><span class="w"> </span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">02</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">02</span><span class="w"></span>
<span class="n">UP</span><span class="w"> </span><span class="n">BROADCAST</span><span class="w"> </span><span class="n">RUNNING</span><span class="w"> </span><span class="n">MULTICAST</span><span class="w"> </span><span class="n">MTU</span><span class="p">:</span><span class="mi">1796</span><span class="w"> </span><span class="n">Metric</span><span class="p">:</span><span class="mi">1</span><span class="w"></span>
<span class="n">RX</span><span class="w"> </span><span class="n">packets</span><span class="p">:</span><span class="mi">219824061</span><span class="w"> </span><span class="n">errors</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">dropped</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">overruns</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">frame</span><span class="p">:</span><span class="mi">0</span><span class="w"></span>
<span class="n">TX</span><span class="w"> </span><span class="n">packets</span><span class="p">:</span><span class="mi">239771533</span><span class="w"> </span><span class="n">errors</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">dropped</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">overruns</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">carrier</span><span class="p">:</span><span class="mi">0</span><span class="w"></span>
<span class="n">collisions</span><span class="p">:</span><span class="mi">0</span><span class="w"> </span><span class="n">txqueuelen</span><span class="p">:</span><span class="mi">1000</span><span class="w"></span>
          RX bytes:2266716309 (2.1 GiB)  TX bytes:2448412682 (2.2 GiB)
          Base address:0xcc00 Memory:f8100000-f8120000
eth1      Link encap:Ethernet  HWaddr C8:4C:33:33:33:03
          inet addr:192.168.21.119  Bcast:192.168.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7022387 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2435439 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1155121379 (1.0 GiB)  TX bytes:510057499 (486.4 MiB)
          Base address:0xbc00 Memory:f8200000-f8220000
eth2      Link encap:Ethernet  HWaddr 00:00:00:02:00:01
          inet addr:127.0.2.1  Bcast:127.0.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:757828 errors:0 dropped:0 overruns:0 frame:0
          TX packets:196896 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:84163835 (80.2 MiB)  TX bytes:18269211 (17.4 MiB)
          Interrupt:169 Memory:f8300000-f8300fff
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.255.255.255
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:116078 errors:0 dropped:0 overruns:0 frame:0
          TX packets:116078 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:14822499 (14.1 MiB)  TX bytes:14822499 (14.1 MiB)
#@ Connection Information
sockets: used 271
TCP: inuse 231 orphan 2 tw 395 alloc 233 mem 40
UDP: inuse 2
RAW: inuse 0
FRAG: inuse 0 memory 0
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5060          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1812            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:65014           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
udp        0      0 127.0.0.1:32792         0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     11391777 /var/run/isvw/sshttp.sock
unix  2      [ ACC ]     STREAM     LISTENING     11391785 /var/run/isvw/ssptnupdt.sock
unix  2      [ ACC ]     STREAM     LISTENING     11391778 /var/run/isvw/ssftp.sock
unix  2      [ ACC ]     STREAM     LISTENING     11391779 /var/run/isvw/sssmtp.sock
unix  2      [ ACC ]     STREAM     LISTENING     11391780 /var/run/isvw/sspop3.sock
unix  2      [ ACC ]     STREAM     LISTENING     11391781 /var/run/isvw/ssfiletype.sock
unix  2      [ ACC ]     STREAM     LISTENING     11253560 /dev/log
unix  3      [ ACC ]     STREAM     LISTENING     2257     /var/run/log.sock
unix  2      [ ACC ]     STREAM     LISTENING     2259     /var/run/log.sock2
unix  2      [ ACC ]     STREAM     LISTENING     1530     /var/run/urlf.sock
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 209.26.19.126:80        192.168.1.31:42573      TIME_WAIT
tcp        0      0 194.18.243.10:80        192.168.2.54:4818       FIN_WAIT2
tcp        0      0 134.11.14.127:80        192.168.1.125:3274      TIME_WAIT
tcp        0      0 150.127.24.146:80       192.168.2.54:4840       FIN_WAIT2
</code></pre></div>
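<p>The part of that dump worth a second look from a security standpoint is the "only servers" listener table: most of the module's daemons are bound to 0.0.0.0 rather than to loopback, and several of them (ftp/21, telnet/23, http/80, pop3/110, smtp/25) are cleartext protocols. The script below is an added example, not code from the original post or from Cisco: it parses a netstat-style "only servers" table, separates loopback-only listeners from those bound to every interface, and flags the cleartext ones. Port-to-service names are the well-known IANA assignments; the sample lines are constructed from the listing above. Whether any of those ports is actually reachable depends on how the module's management interface is filtered, which this dump does not show.</p>

```python
"""Flag listening services from a netstat-style "only servers" table.

Added example, not from the original post or from Cisco.  The sample
text below is constructed from the CSC module listing on this page.
"""
import re
from typing import List, NamedTuple

# Constructed sample: a subset of the listener table shown on the page.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5060          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
udp        0      0 127.0.0.1:32792         0.0.0.0:*
Active UNIX domain sockets (only servers)
"""

# Well-known IANA ports whose protocols carry credentials in cleartext.
CLEARTEXT_MGMT = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3"}


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int


# One tcp/udp row: proto, Recv-Q, Send-Q, local addr:port, foreign, optional state.
_ROW = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+LISTEN)?\s*$")


def parse_listeners(text: str) -> List[Listener]:
    """Return one Listener per tcp/udp row of the 'only servers' table.

    Parsing stops at the UNIX-domain table: those sockets are local only.
    """
    listeners = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Active Internet connections (only servers)"):
            in_table = True
            continue
        if line.startswith("Active UNIX"):
            break
        if not in_table:
            continue
        m = _ROW.match(line.strip())
        if m:
            listeners.append(Listener(m.group(1), m.group(2), int(m.group(3))))
    return listeners


def classify(listeners: List[Listener]) -> dict:
    """Split listeners into loopback-only vs. bound to all interfaces and
    single out cleartext management daemons in the exposed group."""
    report = {"loopback": [], "all_interfaces": [], "cleartext_exposed": []}
    for lst in listeners:
        if lst.addr.startswith("127."):
            report["loopback"].append(lst)
        elif lst.addr in ("0.0.0.0", "::"):
            report["all_interfaces"].append(lst)
            if lst.proto == "tcp" and lst.port in CLEARTEXT_MGMT:
                report["cleartext_exposed"].append((CLEARTEXT_MGMT[lst.port], lst.port))
    return report


def exposed_cleartext_ports(text: str) -> List[int]:
    """Sorted cleartext management ports bound to every interface."""
    return sorted(p for _, p in classify(parse_listeners(text))["cleartext_exposed"])


if __name__ == "__main__":
    rep = classify(parse_listeners(SAMPLE_NETSTAT))
    for name, port in rep["cleartext_exposed"]:
        print(f"cleartext service {name}/{port} is bound to all interfaces")
    print("loopback only:", [(l.proto, l.port) for l in rep["loopback"]])
```

<p>Run against the full listing from the page the same way; the loopback-bound entries (5060, 8005, and the UDP socket on 32792) drop out of the exposed set, while 21, 23, 25, 80 and 110 remain. The parser only recognises the netstat row shape; pad the regex if your platform prints an IPv6 column.</p>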
<p>References:<br>
Product data sheet - <a href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6823/product_data_sheet0900aecd80402e4f_ps6120_Products_Data_Sheet.html">CSC module datasheet</a></p>
<p>And about the error message: it is a known bug that will be fixed in the next release of the firmware for the module. Still, I opened a ticket with TAC and they provided an interim patch to take care of this, restarting the LogServer service. Also, they (Cisco) say it is a harmless bug not causing any outage.</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
<p><strong>How to enable SCP protocol on Checkpoint firewall for transferring files - video</strong><br>
2011-01-04T20:31:00+00:00, Yuri Slobodyanyuk, tag:yurisk.info,2011-01-04:/2011/01/04/how-to-enable-scp-protocol-on-checkpoint-firewall-for-transferring-files-video/</p>
<p>Hi everyone, in this video I tell and show how to enable SCP file transfer on a Checkpoint firewall. I am beta testing it at present and am therefore a bit shy about presenting it to a wide audience, but be sure to check back later when this idea of my site goes public. Thanks and see you soon.</p>
<p>http://vimeo.com/18436944</p>
<p><strong>New Year present from Checkpoint - R75 download</strong><br>
2010-12-31T12:21:16+00:00, Yuri Slobodyanyuk, tag:yurisk.info,2010-12-31:/2010/12/31/new-year-present-from-checkpoint/</p>
<p><a href="http://yurisk.info/wp-content/uploads/2010/12/Santaishere.jpg">New Year present from Checkpoint - R75</a> Well, saying 'present' I was a bit sarcastic: just another release in the NGX family, R75, that is now available for download: <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk58362">R75 release</a>.</p>
<p>So go ahead, install it, use it, enjoy its new features and bugs, and report back to the <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doHome">mothership</a>.
<strong>Note</strong> At present a trial download of R75 is not available, but you can download R71.10, which isn't that different. The usual way to go: <a href="https://www.checkpoint.com/demos/">Trial software from Checkpoint</a>.</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Check Point Certified Master Architect Certification is more accessible than ever2010-12-25T15:52:51+00:002010-12-25T15:52:51+00:00Yuri Slobodyanyuktag:yurisk.info,2010-12-25:/2010/12/25/check-point-certified-master-architect-certification-is-more-accessible-than-ever/<p>Hello, fellow checkpoint-heads.
I know you have been waiting for this for a long, long time, and now it has happened - Checkpoint announced that the Check Point Certified Master Architect Certification lab can be taken at the "convenience of your desktop", that is, online. You don't need to ride your horses over dusty Texas any more; for a mere 1500 US$ you can take it online and be happy ever after (methinks you will be happy anyway, because if you can easily throw away 1500 bucks you are all set already).
In addition, their CCSA/CCSE training classes are also available online; details on their website.</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Best open source Netflow/sFlow analyzing software2010-12-12T20:47:54+00:002010-12-12T20:47:54+00:00Yuri Slobodyanyuktag:yurisk.info,2010-12-12:/2010/12/12/best-open-source-netflowsflow-analyzing-software/<p>People frequently ask me what software I would recommend for Netflow analysis, especially with security implementations in mind. I made my choice long ago and haven't been complaining so far - the <a href="http://nfsen.sourceforge.net/">Nfsen</a> graphical frontend, which has Nfdump as its data processing backend. It provides the most flexibility and configurability; its filter syntax is very tcpdump-like; the graphic frontend provides just enough interactivity; the alert system is just amazing. Moreover, it supports not only Netflow but sFlow as well, so all Fortigate appliances with the latest OS can be monitored this way.</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Class A 2.0.0.0 is inaccessible from behind Edge devices bug2010-12-04T18:25:28+00:002010-12-04T18:25:28+00:00Yuri Slobodyanyuktag:yurisk.info,2010-12-04:/2010/12/04/class-a-2-0-0-0-is-inaccessible-from-behind-edge-devices-bug/<p>This is a not critical but rather annoying bug in the <strong>Checkpoint Edge</strong> devices firmware 8.1.x preventing any host behind it from reaching the class A network <strong>2.0.0.0/8</strong>. If you notice this problem, it is most probably because the pool 2.16.0.0/13 was recently assigned to Akamai Technologies. Checkpoint has a bug-fix firmware for that, so open a ticket with them and you will get it.</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>IP address pools of Facebook to block, if you need to2010-11-15T12:14:15+00:002010-11-15T12:14:15+00:00Yuri Slobodyanyuktag:yurisk.info,2010-11-15:/2010/11/15/ip-address-pools-of-facebook/<p>Once upon a time I <a href="https://yurisk.info/2009/04/09/black-hole-routing-to-the-rescue-fortigate-os-4-surprise/">mentioned</a> that blocking Facebook is easy as they have a uniform IP address pool. Since then they have added more; here are the new and old pools:</p>
<div class="highlight"><pre><span></span><code> NetRange: 69.63.176.0 - 69.63.191.255
CIDR: 69.63.176.0/20
OriginAS: AS32934
NetName: TFBNET2
NetHandle: NET-69-63-176-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Assignment
NameServer: NS5.FACEBOOK.COM
NameServer: NS3.FACEBOOK.COM
NameServer: NS4.FACEBOOK.COM
RegDate: 2007-02-07
Updated: 2010-07-08
NetRange: 66.220.144.0 - 66.220.159.255
CIDR: 66.220.144.0/20
OriginAS: AS32934
NetName: TFBNET3
NetHandle: NET-66-220-144-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Assignment
NameServer: NS5.FACEBOOK.COM
NameServer: NS3.FACEBOOK.COM
NameServer: NS4.FACEBOOK.COM
RegDate: 2009-02-13
</code></pre></div>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Grab bag of IPF firewall commands for FreeBSD and Solaris 102010-11-14T12:05:44+00:002010-11-14T12:05:44+00:00Yuri Slobodyanyuktag:yurisk.info,2010-11-14:/2010/11/14/grab-bag-of-ipf-commands-for-freebsd-and-solaris-10/<p>Nothing new here, just a round-up of the commands/configs I happen to need from time to time. Google probably has better references for that. I talk about the Pf firewall used in FreeBSD, OpenBSD and Solaris systems.</p>
<h2>Enable and disable firewall:</h2>
<h3>pfctl -e</h3>
<p>Enable packet filter real time </p>
<h3>pfctl -ef /etc/pf.conf</h3>
<p>Enable packet filter and load rules from /etc/pf.conf</p>
<h3>pfctl -d</h3>
<p>Disable packet filter </p>
<h2>Enable/disable permanently to survive reboot</h2>
<p>OpenBSD :</p>
<div class="highlight"><pre><span></span><code>/etc/rc.conf.local:
pf=YES
pf_rules=/etc/pf.conf
</code></pre></div>
<p>FreeBSD:</p>
<div class="highlight"><pre><span></span><code><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">default</span><span class="o">/</span><span class="n">rc</span><span class="o">.</span><span class="n">conf</span><span class="p">:</span><span class="w"> </span>
<span class="w"> </span><span class="n">pf_enable</span><span class="o">=</span><span class="s2">"YES"</span><span class="w"> </span>
<span class="w"> </span><span class="n">pf_rules</span><span class="o">=</span><span class="s2">"/etc/pf.conf"</span><span class="w"> </span>
<span class="w"> </span><span class="n">pf_program</span><span class="o">=</span><span class="s2">"/sbin/pfctl"</span><span class="w"> </span>
<span class="w"> </span><span class="n">pflog_enable</span><span class="o">=</span><span class="s2">"YES"</span><span class="w"> </span>
<span class="w"> </span><span class="n">pflog_logfile</span><span class="o">=</span><span class="s2">"/var/log/pflog"</span><span class="w"></span>
</code></pre></div>
<h2>Working with rules</h2>
<h3>pfctl -F all</h3>
<p>Flush (remove) all the active rules from the running packet filter, which means PERMIT ANY ANY. </p>
<h3>pfctl -n -f /etc/pf.conf</h3>
<p>Just parse the rules from the file without actually loading them, to check the syntax.</p>
<h3>pfctl -f /etc/pf.conf</h3>
<p>Load rules from file</p>
<p>Order of rules in the file:
options, normalization, queuing, translation, and filtering rules.</p>
<h2>Show commands.</h2>
<h3>pfctl -s info</h3>
<p>Show filter information </p>
<h3>pfctl -s rules</h3>
<p>Show the currently loaded filter rules </p>
<h3>pfctl -s state</h3>
<p>Show the contents of the state table. </p>
<h3>pfctl -s all</h3>
<p>Show all of the above</p>
<p>Simplest set of rules - block all the incoming but ssh, allow all the outgoing from the server:</p>
<div class="highlight"><pre><span></span><code>block in all
pass out all keep state
pass in proto tcp from any to any port 22
</code></pre></div>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>The D-day for CheckPoint UTM-1 Edge Appliances happened today - reboots are reported all over the world2010-10-31T11:26:39+00:002010-10-31T11:26:39+00:00Yuri Slobodyanyuktag:yurisk.info,2010-10-31:/2010/10/31/the-d-day-for-checkpoint-utm-1-edge-appliances-happened-today-reboots-are-reported-all-over-the-world/<p><img alt="D-day of Edge UTM Edge devices" src="http://yurisk.info/wp-content/uploads/2010/10/nuclear_blast.gif"></p>
<p>Today we have got reports from clients that all their Check Point UTM-1 Edge devices rebooted early at night, at about 03:00 AM Israel time on the 31st of October. While no official press release has been seen so far from Checkpoint, looking at <a href="https://www.cpug.org/forums/archive/index.php/t-14606.html">cpug.org posts</a> where people from around the globe report the same, I can assume with a high degree of certainty that this was indeed the case.</p>
<p><strong>Update 2 Nov</strong> Checkpoint released a SecureKnowledge note (sk56641) where they say yeah, it happened, caused by a bug, and next time it will happen 13 years from now, when no Edge of this series is supposed to be in use.
<a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk56641">Checkpoint note</a>. </p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>The easiest way to disclose Cisco routers on the network and how to fix it2010-10-29T15:43:10+00:002010-10-29T15:43:10+00:00Yuri Slobodyanyuktag:yurisk.info,2010-10-29:/2010/10/29/the-easiest-way-to-disclose-cisco-route-on-the-network-and-how-to-fix-it/<p>Cisco gear has a well-known behaviour pattern: when you telnet to some weird and closed port on a Cisco you get the uniform response of “Connection refused”. To be more precise, it happens when terminal line management access is enabled on the Cisco but your IP is not in the access-list allowing access to the device. The funny thing about that is that only Cisco seems to do it, and given that, it makes exposing a Cisco device a no-brainer. I tested it on a few dozen Cisco routers and it only confirmed this observation. I also tested telneting to other vendors’ equipment and always got a time out back. So far I’ve tried Juniper, Brocade, IBM, Huawei. To fix this situation Cisco actually has a feature in their <strong>Control Plane Protection</strong> toolbox just for that. Below is the configuration from an IOS router that causes the router to time out connection attempts to the closed ports.</p>
<div class="highlight"><pre><span></span><code><span class="n">class-map</span> <span class="nb">type</span> <span class="n">port-filter</span> <span class="n">match-any</span> <span class="n">CLOSED_PORTS</span>
<span class="nb">match</span> <span class="n">closed-ports</span>
<span class="n">policy-map</span> <span class="nb">type</span> <span class="n">port-filter</span> <span class="n">FILTER_CLOSED_PORTS</span>
<span class="k">class</span> <span class="n">CLOSED_PORTS</span>
<span class="n">drop</span>
<span class="n">control-plane</span> <span class="n">host</span>
<span class="n">service-policy</span> <span class="nb">type</span> <span class="n">port-filter</span> <span class="n">input</span> <span class="n">FILTER_CLOSED_PORTS</span>
</code></pre></div>
<p><strong>Testing.</strong><br>
Before the configuration: </p>
<h1><strong>telnet 19.6.24.51 444</strong></h1>
<div class="highlight"><pre><span></span><code><span class="nv">Trying</span><span class="w"> </span><span class="mi">19</span>.<span class="mi">6</span>.<span class="mi">24</span>.<span class="mi">51</span>...<span class="w"> </span>
<span class="nv">telnet</span>:<span class="w"> </span><span class="k">connect</span><span class="w"> </span><span class="nv">to</span><span class="w"> </span><span class="nv">address</span><span class="w"> </span><span class="mi">19</span>.<span class="mi">6</span>.<span class="mi">24</span>.<span class="mi">51</span>:<span class="w"> </span><span class="nv">Connection</span><span class="w"> </span><span class="nv">refused</span><span class="w"></span>
</code></pre></div>
<p>After the configuration: </p>
<p>[root@darkstar ~]# telnet 19.6.24.51 444 </p>
<div class="highlight"><pre><span></span><code><span class="nv">Trying</span><span class="w"> </span><span class="mi">19</span>.<span class="mi">6</span>.<span class="mi">24</span>.<span class="mi">51</span>...<span class="w"> </span>
<span class="nv">telnet</span>:<span class="w"> </span><span class="k">connect</span><span class="w"> </span><span class="nv">to</span><span class="w"> </span><span class="nv">address</span><span class="w"> </span><span class="mi">19</span>.<span class="mi">6</span>.<span class="mi">24</span>.<span class="mi">51</span>:<span class="w"> </span><span class="nv">Connection</span><span class="w"> </span><span class="nv">timed</span><span class="w"> </span><span class="nv">out</span><span class="w"> </span>
<span class="nv">telnet</span>:<span class="w"> </span><span class="nv">Unable</span><span class="w"> </span><span class="nv">to</span><span class="w"> </span><span class="k">connect</span><span class="w"> </span><span class="nv">to</span><span class="w"> </span><span class="nv">remote</span><span class="w"> </span><span class="nv">host</span>:<span class="w"> </span><span class="nv">Connection</span><span class="w"> </span><span class="nv">timed</span><span class="w"> </span><span class="nv">out</span><span class="w"></span>
</code></pre></div>
<p>NB Unfortunately it is a half-solution, because if telnet access is enabled on the Cisco then connection attempts to port 23 will elicit the same “Connection refused”. To close even this disclosure hole, disable telnet as the management protocol and switch to SSH.<br>
NB2 The good news for the pentesters out there is that rarely do ISPs implement such protections</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Too much of the Zeus on TV2010-10-25T12:26:22+00:002010-10-25T12:26:22+00:00Yuri Slobodyanyuktag:yurisk.info,2010-10-25:/2010/10/25/too-much-of-the-zeus-on-tv/<p>On the 19th of October the <a href="http://www.1tv.ru/">1st Russia channel</a> aired the TV show called "Пусть говорят, Однажды в Америке" ("Let Them Talk, Once Upon a Time in America"), dedicated to the Zeus trojan story. You all saw and heard about this FBI operation that brought some 38 people into custody. The talk show on the most
available and popular Russian public channel brought parents/relatives of the arrested
suspects and a girl who, by her own words, took part in this scam a year before.
The majority of the people in the studio clearly stated that these guys and gals are
plain thieves (except their parents, understandably) – a major progress I should say, over the years. A sum-up of the main points comes next:
- Those are low-rank droppers/mules;
- They didn't have personal direct contact with any of the masterminds of the scam. All their communication was through ICQ/forums/all things Internet
- For them it was just another way to earn money. Sounds plausible, as there were other youngsters in the same apartment who came through the same student exchange program and still chose NOT to get involved, as they had other income.
- All claim they agreed to do it only because they were in a dire financial situation. Also
probably true. Even though, according to the exchange program, they are all provided with work on their arrival in the US. Also the girl in the studio (Anna Savenko [Анна Савенко]) noted that she agreed to be a scammer after she was fired from her job.
- All of them were recruited into this by people already in the business and were told the same story of "Many American companies try to lower their taxes by transferring money to people like her". A lame story for those willing to believe it and feel good about themselves.
- They were encouraged by the absence of minimal vigilance at the US banks. Anna recalled that she opened the account (with a fake passport) and when she came to the bank to withdraw the money, the clerk asked her where she was expecting money from, and she could only say "Don't know" and was still given the cash.
- Russia as a state pretty much doesn't give a heck about those citizens in jail - pro bono advocates is their way to go (if only they were spies ...)<br>
If your Russian is good enough, try searching the Net for "Пусть говорят, Однажды в Америке SATRIP" and you will get the show recording in full.
Link to the show forum, just in case: http://forum.1tv.ru/index.php?showtopic=427318</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Convert mb4 to mp3 files in one run with ffmpeg2010-10-23T08:38:40+00:002010-10-23T08:38:40+00:00Yuri Slobodyanyuktag:yurisk.info,2010-10-23:/2010/10/23/convert-mb4-to-mp3-files-in-one-run-with-ffmpeg/<p>Folks at Defcon.org have been somewhat inconsistent in publishing their conference audio archives - once they do it in m4b format, once in mp3. As I listen to them on my mobile phone during my commute to work and it doesn't accept anything but mp3, I had to first convert all audio files from m4b to mp3 format. Not a problem though: the one-liner below will find all files ending with .m4b in the current folder and convert them to .mp3 files, preserving the filenames.</p>
<div class="highlight"><pre><span></span><code><span class="nv">find</span><span class="w"> </span>.<span class="w"> </span><span class="o">-</span><span class="nv">iname</span><span class="w"> </span><span class="s2">"*.m4b"</span><span class="w"> </span><span class="o">-</span><span class="k">exec</span><span class="w"> </span><span class="nv">ffmpeg</span><span class="w"> </span><span class="o">-</span><span class="nv">i</span><span class="w"> </span>{}<span class="w"> </span><span class="o">-</span><span class="nv">acodec</span><span class="w"> </span><span class="nv">libmp3lame</span><span class="w"> </span>{}.<span class="nv">mp3</span><span class="w"> </span>\<span class="c1">;</span><span class="w"></span>
</code></pre></div>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Do not miss the long awaited addition to the Fortigate 4 MR2 – sFlow data export2010-10-14T20:38:54+00:002010-10-14T20:38:54+00:00Yuri Slobodyanyuktag:yurisk.info,2010-10-14:/2010/10/14/do-not-miss-the-long-awaited-addition-to-the-fortigate-4-mr2-sflow-data-export/<p>Great news – now Fortigate supports exporting data flow statistics to an external server using the <a href="https://en.wikipedia.org/wiki/SFlow">sFlow protocol</a> (twin of Netflow from the Cisco world). I configured it in about a minute and it just works. To collect the sFlow data I use <a href="http://nfsen.sourceforge.net/">nfdump/Nfsen</a>, which I found to be the most stable and versatile, not to mention being the rare one supporting both Netflow and sFlow.
You first set the external server IP and destination port, here 10.99.99.158 and UDP 7774, and then enable flow export per interface. An example follows; here I did it on a Fortigate 100.</p>
<h1><strong>show system sflow</strong></h1>
<div class="highlight"><pre><span></span><code><span class="nv">config</span><span class="w"> </span><span class="nv">system</span><span class="w"> </span><span class="nv">sflow</span><span class="w"></span>
<span class="nv">set</span><span class="w"> </span><span class="nv">collector</span><span class="o">-</span><span class="nv">ip</span><span class="w"> </span><span class="mi">10</span>.<span class="mi">99</span>.<span class="mi">99</span>.<span class="mi">158</span><span class="w"></span>
<span class="nv">set</span><span class="w"> </span><span class="nv">collector</span><span class="o">-</span><span class="nv">port</span><span class="w"> </span><span class="mi">7774</span><span class="w"></span>
<span class="k">end</span><span class="w"></span>
</code></pre></div>
<h1><strong>show system interface dmz1</strong></h1>
<div class="highlight"><pre><span></span><code><span class="nv">config</span><span class="w"> </span><span class="nv">system</span><span class="w"> </span><span class="nv">interface</span><span class="w"></span>
<span class="nv">edit</span><span class="w"> </span><span class="s2">"dmz1"</span><span class="w"></span>
<span class="nv">set</span><span class="w"> </span><span class="nv">vdom</span><span class="w"> </span><span class="s2">"root"</span><span class="w"></span>
<span class="nv">set</span><span class="w"> </span><span class="nv">ip</span><span class="w"> </span><span class="mi">10</span>.<span class="mi">99</span>.<span class="mi">99</span>.<span class="mi">254</span><span class="w"> </span><span class="mi">255</span>.<span class="mi">255</span>.<span class="mi">255</span>.<span class="mi">0</span><span class="w"></span>
<span class="nv">set</span><span class="w"> </span><span class="nv">allowaccess</span><span class="w"> </span><span class="nv">ping</span><span class="w"> </span><span class="nv">https</span><span class="w"> </span><span class="nv">ssh</span><span class="w"> </span><span class="nv">snmp</span><span class="w"></span>
<span class="nv">set</span><span class="w"> </span><span class="nv">type</span><span class="w"> </span><span class="nv">physical</span><span class="w"></span>
<span class="nv">set</span><span class="w"> </span><span class="nv">wccp</span><span class="w"> </span><span class="nv">enable</span><span class="w"></span>
<span class="nv">set</span><span class="w"> </span><span class="nv">sflow</span><span class="o">-</span><span class="nv">sampler</span><span class="w"> </span><span class="nv">enable</span><span class="w"></span>
<span class="k">next</span><span class="w"></span>
<span class="k">end</span><span class="w"></span>
</code></pre></div>
<p><a href="https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD32024&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=5703765&stateId=0%200%205701875">Fortigate article</a></p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Darknet can't lie - most of the attacks, scans and other interesting things2010-10-12T10:33:01+00:002010-10-12T10:33:01+00:00Yuri Slobodyanyuktag:yurisk.info,2010-10-12:/2010/10/12/darknet-cant-lie-most-of-the-attacks-scans-and-other-interesting-things-come-from-behind-the-great-firewall-of-china/<p>indeed come from behind the Great Firewall of China.</p>
<p>Working for a Telco company entitles me to various perks, one of them being unlimited connection to the Internet with a wealth of not-yet-allocated IP addresses. So, to use it somehow, I set up a little Darknet (details of what it means can be found here: <a href="http://www.team-cymru.org/Services/darknets.html">Darknet Project</a>) <img alt="Most malware comes from China" src="https://yurisk.info/wp-content/uploads/2010/10/Hackers_attack2-300x199.gif"> and gathered some statistics. First, the volume of unsolicited and malicious traffic is staggering. Mostly it is traffic to Windows sharing - port 445, then brute force - port 22, then strange ports used by new malware in the wild. Second, the interesting information pretty much stops here - as nothing listens on my side of the Darknet I don't get more insight. Following from this, I am working on the next stage of the Darknet - a HoneyNet. Once done, I'll post the findings here.
To give you a glimpse of the IPs and ports involved in the probes, here is the non-sanitized sorted list of the alien IPs, destination ports, protocols and number of packets seen. This is a day's worth of statistics: <a href="https://yurisk.info/The_Darknet_probing_IPSS.txt.gz">Bad guys and gals IPs</a><br>
To get this list from the Tcpdump capture I used a one-liner: [root@darkstar]# <strong>tshark -n -r honey_bunny.cap42 | awk ' $3~/[0-9]+./ {print $3,$6,$9}' | sort -n -k1,1 | uniq -c > Darknet_probing_IPs.txt</strong></p>
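<p>The same aggregation as the tshark | awk | sort | uniq -c one-liner above, written as an added example that is not part of the original post. It parses the text layout that tshark of that era printed (No., Time, Source, -&gt;, Destination, Protocol, Info) and also handles UDP lines, whose Info column ("Source port: x  Destination port: y") would make the awk's $9 print the word "Destination" instead of a port; the sample capture lines are constructed, with addresses from documentation ranges.</p>

```python
"""Aggregate Darknet probes from tshark text output by source IP, protocol and destination port."""
import re
from collections import Counter

# Constructed sample in the shape of `tshark -n -r capture` output (no Length column).
# Addresses come from the documentation ranges, not from the real probe list.
SAMPLE = """\
  1   0.000000 203.0.113.7 -> 198.51.100.2 TCP 51234 > 445 [SYN] Seq=0 Win=5840 Len=0 MSS=1460
  2   0.120034 203.0.113.7 -> 198.51.100.9 TCP 51235 > 445 [SYN] Seq=0 Win=5840 Len=0 MSS=1460
  3   0.530112 198.51.100.77 -> 198.51.100.2 TCP 40001 > 22 [SYN] Seq=0 Win=65535 Len=0
  4   1.004400 192.0.2.14 -> 198.51.100.5 UDP Source port: 1434  Destination port: 1434
  5   1.220000 203.0.113.7 -> 198.51.100.2 ICMP Echo (ping) request
  6   1.900000 192.0.2.14 -> 198.51.100.6 UDP Source port: 1434  Destination port: 1434
"""

# Frame number, time, source, "->", destination, protocol, then free-form Info.
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s*(?P<info>.*)$"
)
TCP_PORTS = re.compile(r"^(\d+)\s+>\s+(\d+)")          # "sport > dport [FLAGS] ..."
UDP_DPORT = re.compile(r"Destination port:\s+(\d+)")   # "Source port: x  Destination port: y"


def parse_line(line):
    """Return (source IP, protocol, destination port or None); None for non-packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto, info = m.group("proto"), m.group("info")
    dport = None
    if proto == "TCP":
        p = TCP_PORTS.match(info)
        dport = int(p.group(2)) if p else None
    elif proto == "UDP":
        p = UDP_DPORT.search(info)
        dport = int(p.group(1)) if p else None
    # ICMP and anything else carries no port; it is still counted per source.
    return m.group("src"), proto, dport


def aggregate(text):
    """Counter keyed by (src, proto, dport): the equivalent of sort | uniq -c."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec] += 1
    return counts


def top_ports(text, n=5):
    """Most-probed destination ports as (port, packets), count descending then port ascending."""
    per_port = Counter()
    for (_, _, dport), c in aggregate(text).items():
        if dport is not None:
            per_port[dport] += c
    return sorted(per_port.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def report(text):
    """Lines in the one-liner's output shape: '<count> <src> <proto> <dport>', busiest first."""
    rows = sorted(aggregate(text).items(), key=lambda kv: (-kv[1], kv[0][0]))
    return ["%d %s %s %s" % (c, src, proto, dport if dport is not None else "-")
            for (src, proto, dport), c in rows]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
    print("top ports:", top_ports(SAMPLE))
```

<p>Feed it the real output with <code>aggregate(open("tshark_output.txt").read())</code>; the parse is line-based, so a multi-gigabyte capture can be streamed through <code>parse_line</code> instead of read whole.</p>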
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Funny things people do - how to turn Checkpoint UTM 450 into Windows Media player2010-10-07T19:23:34+00:002010-10-07T19:23:34+00:00Yuri Slobodyanyuktag:yurisk.info,2010-10-07:/2010/10/07/funny-things-people-do-how-to-turn-checkpoint-utm-450-into-windows-media-player/<p>Someone has finally found the best use of the Checkpoint UTM 450 - turned it into a Windows Media player and recorded the instructions so others may follow. In case you still wonder - yes, it certainly voids the warranty. Enjoy: <a href="https://www.youtube.com/watch?v=gUleb72-8Os">youtube.com</a> And to those very few who will try to do it, a word of caution: the UTM 450 makes such noise that you will not be able to put it in your living room.</p>
<h1>You need no MX record to get mails</h1>
<p><em>2010-10-07, Yuri Slobodyanyuk</em></p>
<p>That one is funny. One client of ours, who actually provide ISP services themselves in a far-far-away land, asked us to add a PTR record for their mail server. That was dull; the interesting part was that their domain had absolutely NO MX record! Only an A record for the mail server host. I had always thought that if there is no MX record for the destination domain the sending mail server should bail out, and I was wrong. The SMTP RFC 5321 actually states that if no MX record exists for the domain, the sender should try delivering the mail to the A record of the domain (<a href="https://yurisk.info/assets/rfc5321.txt">RFC 5321 section 5</a>). Be aware though that the MX record has to be completely absent: if an MX record does exist but points to a server that does not respond, that is a different case, and the sender should fail the delivery.<br>
The funny thing about that is that they had been working without an MX record for about 2 years and had no problems receiving mail; just amazing how RFC-compliant the mail servers in the wild are.</p>
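<p>To make the RFC 5321 section 5 rule concrete, here is an added example (not part of the original post) of the target-selection logic a sending MTA applies. The DNS answers are a constructed in-memory table so the code runs offline; <code>nomx.example</code> stands in for the client's domain with only an A record, and <code>deadmx.example</code> for the other case the post mentions, an MX that exists but whose host has no address.</p>

```python
"""RFC 5321 section 5 mail-target selection with the implicit-MX fallback.

Added example, not code from the original post. DNS answers below are a
constructed in-memory table standing in for a real resolver.
"""
from typing import Dict, List, Tuple

# Constructed DNS data: MX answers are (preference, host) tuples, A answers are address lists.
CONSTRUCTED_MX: Dict[str, List[Tuple[int, str]]] = {
    "normal.example": [(20, "mx2.normal.example"), (10, "mx1.normal.example")],
    "deadmx.example": [(10, "mx.deadmx.example")],  # MX exists, but its host has no A record
}
CONSTRUCTED_A: Dict[str, List[str]] = {
    "mx1.normal.example": ["192.0.2.10"],
    "mx2.normal.example": ["192.0.2.20"],
    "nomx.example": ["192.0.2.30"],  # the post's case: A record only, no MX at all
}


def mail_targets(domain: str) -> List[Tuple[int, str]]:
    """Return the ordered (preference, host) list RFC 5321 says to try for a domain.

    - MX records present: use them, lowest preference first (section 5.1).
    - No MX record at all: treat the domain itself as an implicit MX with
      preference 0, which is why a domain with only an A record still gets mail.
    """
    mx = CONSTRUCTED_MX.get(domain)
    if mx:
        return sorted(mx)
    if domain in CONSTRUCTED_A:
        return [(0, domain)]
    return []


def deliverable_addresses(domain: str) -> List[str]:
    """Resolve each candidate host to addresses, in delivery order.

    An MX whose host resolves to nothing does NOT fall back to the domain's own
    A record: the sender has to queue and retry or bounce. That is the
    distinction the post draws between "no MX" and "MX pointing at a dead server".
    """
    addresses: List[str] = []
    for _pref, host in mail_targets(domain):
        addresses.extend(CONSTRUCTED_A.get(host, []))
    return addresses
```

<p>Swapping the two tables for real <code>MX</code> and <code>A</code> lookups turns this into the selection step of an actual sender; the ordering and fallback rules stay the same.</p>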
<h1>Skynet got blacklisted - Google mail servers entered RBL of Sorbs.net</h1>
<p><em>2010-10-05, Yuri Slobodyanyuk</em></p>
<p>When yesterday my client sent me the headers of mails blocked by eSafe <a href="http://www.aladdin.com">(Aladdin)</a> I was quite surprised - the message said: "Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 574 574 MAIL REFUSED - IP (74.125.82.172) is in RBL black list recent.spam.dnsbl.sorbs.net (state 18)." What? Google servers got blacklisted? No way.<br>
I also expected Sorbs.net to be wiped out from the Earth rather quickly for such an act of aggression against <a href="http://en.wikipedia.org/wiki/Skynet_(Terminator)">Skynet</a>, also known as <a href="http://google.com">Google.com</a>, but nothing actually happened. So just for the fun of it I checked another IP of theirs - 74.125.82.48, also blocked. In short, the whole class C 74.125.82.0 got listed (screenshot follows). From a practical point of view: if your device is using <a href="http://www.Sorbs.net">www.Sorbs.net</a>, make sure to put this pool in the exclusion list, as I did in the client's eSafe.</p>
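<p>An added example (not the post's or eSafe's code) of what an RBL lookup with an exclusion list actually does: the IP's octets are reversed and prefixed to the zone name, and the exclusion pool is consulted before the query so a listed-but-trusted range is never blocked. The listing answers are a constructed table in place of real queries to recent.spam.dnsbl.sorbs.net; IPv4 only.</p>

```python
"""DNSBL (RBL) lookup with a local exclusion pool.

Added example, not code from the original post. The blacklist answers are a
constructed in-memory table standing in for real DNS queries.
"""
import ipaddress
from typing import Dict, List

RBL_ZONE = "recent.spam.dnsbl.sorbs.net"

# Constructed listing table: query name -> A answer. A 127.0.0.x answer means "listed".
CONSTRUCTED_RBL_ANSWERS: Dict[str, str] = {
    "172.82.125.74.recent.spam.dnsbl.sorbs.net": "127.0.0.6",
    "48.82.125.74.recent.spam.dnsbl.sorbs.net": "127.0.0.6",
}

# The exclusion pool from the post: the Google class C that got listed.
EXCLUSIONS: List[ipaddress.IPv4Network] = [ipaddress.ip_network("74.125.82.0/24")]


def rbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """Build the reversed-octet DNSBL query name: 74.125.82.172 -> 172.82.125.74.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_excluded(ip: str, exclusions=EXCLUSIONS) -> bool:
    """True when the address falls inside any exclusion pool."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in exclusions)


def rbl_verdict(ip: str, exclusions=EXCLUSIONS) -> str:
    """Return 'excluded' (never blocked), 'listed' (block) or 'clean'.

    The exclusion check runs before the lookup, mirroring an exclusion list in
    the mail gateway: a trusted pool is not even asked about.
    """
    if is_excluded(ip, exclusions):
        return "excluded"
    answer = CONSTRUCTED_RBL_ANSWERS.get(rbl_query_name(ip))
    if answer is not None and ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "clean"
```

<p>Running the same address with an empty exclusion list shows the verdict flipping from "excluded" to "listed", which is exactly the behaviour the eSafe exclusion entry was added to prevent.</p>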
<h1>How come assigning VPN user to specific group takes just one command but no one does it ?</h1>
<p><em>2010-10-04, Yuri Slobodyanyuk</em></p>
<p><strong>Group locking</strong>, as Cisco call it, has been available since ancient IOS 12.2(13)T (circa 2003), and still most of the set ups I see of clients' VPN servers at best use different VPN groups for different privilege access requirements and blissfully ignore the fact that all it takes to get more privileged access is to know the pre-shared key of the other VPN group. And believe me, it is not that hard when the group pre-shared key (PSK) is known to half of the company. So if you happen to stumble on this post, bear with me and let's fast forward from the accepted practices of the 90's to 2010.
Below are possible ways to lock users connecting to a Cisco device (IOS router and ASA, to be precise) to predefined VPN groups, and to do it forcefully, so that even if the end user knows the PSK of other VPN group(s) she won't be able to connect with it.</p>
<p><strong>Case 1. Cisco IOS router acting as Ezvpn server, users are authenticated locally by the router.</strong>
Let's name it - the group is JUNIPER, the local user is John.Chambers, and we want to confine this user to this group for ever.<br>
Enable group locking for the specific group (don't forget to do the same for all VPN groups):</p>
<p>R1(config)<strong>#crypto isakmp client configuration group JUNIPER</strong><br>
R1(config-isakmp-group)#<strong>group-lock</strong></p>
<p>Now restrict the user so that it can use this group only. For that you have to reconfigure the user to look like the username followed by a delimiter (that can be any of @, %, /) and then the group name; to be concrete:</p>
<p>R1(config)#<strong>username John.Chambers@JUNIPER secret Idontworkforsalaryanymore</strong></p>
<p>From now on user John.Chambers will be able to authenticate with the Cisco only as John.Chambers@JUNIPER. It overrides any user for VPN connection that already exists, that is, if there is already a user John.Chambers it will not be able to connect with the group JUNIPER. On the other hand, anyone getting the PSK of the VPN group JUNIPER will fail authentication if the user is not explicitly reconfigured in the new format.<br>
<strong>Case 2. Cisco IOS router, users are authenticated using an external Radius server.</strong> Unlike local authentication, with Radius you create the user as usual - John.Chambers - but then assign it, in the user's settings, the cisco-av-pair attribute called user-vpn-group, like this:<br>
<strong>ipsec:user-vpn-group=JUNIPER</strong><br>
<strong>Case 3. ASA, local username authentication.</strong><br>
No fancy username/group configuration here, you just lock the username to a group under the general attributes of the user.</p>
<p>ASA1(config)# <strong>username John.Chambers password Idontworkforsalaryanymore</strong><br>
ASA1(config)# <strong>username John.Chambers attributes</strong><br>
ASA1(config-username)# <strong>group-lock value JUNIPER</strong></p>
<p><strong>Case 4. ASA Radius authentication.</strong><br>
Here also the VPN group is forced in the user's settings using the following attribute:<br>
<strong>[3076\085] Tunnel-Group-Lock JUNIPER</strong></p>
<h1>Turn the Checkpoint firewall into network-neutral router and do it in 2 minutes.</h1>
<p><em>2010-09-30, Yuri Slobodyanyuk</em></p>
<p>It was a rather unusual request from a client who, for whatever reasons, asked me to "shut down the Checkpoint firewall". What? "Shut down, you know, so that it just passes the traffic from interface to interface by its routing table, no checking; also I need to add a few routes on the way, okay?". The allocated downtime was up to a few minutes, so I understood that no testing/rollback/etc. could be done beforehand, but I did what I knew and it actually worked. Here are the things I changed.<br>
<strong>Shutdown Checkpoint with #cpstop</strong>. I looked for ways to shut down the firewall kernel module completely but hadn't found one, so I warned the client that if someone restarts the machine all is back again.<br>
The following settings I set in the file /etc/sysctl.conf and, after saving the changes, activated them with <strong>#sysctl -p</strong></p>
<div class="highlight"><pre><span></span><code><span class="o">**</span><span class="nv">net</span>.<span class="nv">ipv4</span>.<span class="nv">conf</span>.<span class="nv">default</span>.<span class="nv">rp_filter</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="o">**</span><span class="w"> </span><span class="o">//</span><span class="w"> </span><span class="nv">Disable</span><span class="w"> </span><span class="nv">RPF</span><span class="w"> </span><span class="nv">checks</span>,<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">some</span><span class="w"> </span><span class="nv">reason</span><span class="w"> </span><span class="nv">it</span><span class="w"> </span><span class="nv">blocked</span><span class="w"> </span><span class="nv">routed</span><span class="w"> </span><span class="nv">networks</span><span class="w"> </span><span class="nv">and</span><span class="w"> </span><span class="nv">timelimit</span><span class="w"> </span><span class="nv">of</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="nv">minutes</span><span class="w"> </span><span class="nv">didn</span><span class="err">'t allow debug . </span>
<span class="err">**net.ipv4.ip_forward = 1** // Enable routing </span>
<span class="o">**</span><span class="nv">net</span>.<span class="nv">ipv4</span>.<span class="nv">conf</span>.<span class="nv">default</span>.<span class="nv">arp_filter</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="o">**</span><span class="w"> </span><span class="o">//</span><span class="w"> </span><span class="nv">Disable</span><span class="w"> </span><span class="nv">ARp</span><span class="w"> </span><span class="nv">filtering</span><span class="w"> </span>,<span class="w"> </span><span class="nv">meaningful</span><span class="w"> </span><span class="nv">with</span><span class="w"> </span><span class="nv">networks</span><span class="w"> </span><span class="nv">that</span><span class="w"> </span><span class="nv">are</span><span class="w"> </span><span class="nv">reachable</span><span class="w"> </span><span class="nv">through</span><span class="w"> </span><span class="nv">multiple</span><span class="w"> </span><span class="nv">interfaces</span><span class="w"> </span>,<span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="nv">it</span><span class="w"> </span><span class="nv">wasn</span><span class="err">'t the case just to make sure.</span>
<span class="err">**net.ipv4.conf.all.arp_filter = 0**</span><span class="w"></span>
</code></pre></div>
<h1>Number of connected SecureClient or Secureremote users</h1>
<p><em>2010-09-07, Yuri Slobodyanyuk</em></p>
<p>Here is how to see the number of users connected to the gateway. Nothing special/interesting, and I am sure it is to be found somewhere in the SecureKnowledgeBase, but with the recent licensing improvements people ask a lot about that.<br>
<strong>VALS</strong> - real-time number of currently connected users.<br>
<strong>PEAK</strong> - largest number of users seen since the last reboot.</p>
<h1><strong>fw tab -t userc_users -s</strong></h1>
<div class="highlight"><pre><span></span><code>HOST NAME ID #VALS #PEAK #SLINKS
localhost userc_users 73 1 3 0
</code></pre></div>
<h1>Checkpoint - turn netconf.C routes into linux route command</h1>
<p><em>2010-09-07, Yuri Slobodyanyuk</em></p>
<p>I must confess that I prefer good solutions today over perfect solutions tomorrow.
So when the need arose to do a script that takes netconf.C and transforms all the
route statements in it to the general linux form of "route add xxx" I did this one-liner you can see below. The script looks ugly and sketchy but it works.</p>
<div class="highlight"><pre><span></span><code><span class="nv">awk</span><span class="w"> </span><span class="s1">' (/dest/ || /via/) && ! /127.0.0.0/ '</span><span class="w"> </span><span class="o">/</span><span class="nv">etc</span><span class="o">/</span><span class="nv">sysconfig</span><span class="o">/</span><span class="nv">netconf</span>.<span class="nv">C</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nv">sed</span><span class="w"> </span><span class="s1">'s/[():]/ /g'</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nv">sed</span><span class="w"> </span><span class="s1">' s/^.* via/ gw/'</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nv">sed</span><span class="w"> </span><span class="s1">' s/^.*dest / route add -net /'</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nv">awk</span><span class="w"> </span><span class="s1">' {if($0~/\/32/) { gsub(/-net/,"-host "); print} else print} '</span><span class="o">|</span><span class="w"> </span><span class="nv">awk</span><span class="w"> </span><span class="s1">' {if(NR % 2 == 1) {gsub(/$/," "); printf($0)} else print} '</span><span class="w"></span>
</code></pre></div>
<p>After you run it on the gateway you will get something like that to the stdout:</p>
<div class="highlight"><pre><span></span><code>route add -net "192.168.9.0/22" gw 10.20.20.6
route add -net "172.16.11.0/24" gw 10.20.20.6
route add -net "172.16.12.0/24" gw 10.20.20.6
route add -net "172.16.13.0/24" gw 10.20.20.6
</code></pre></div>
<h1>snmp-map in ASA is for passing through traffic only</h1>
<p><em>2010-08-28, Yuri Slobodyanyuk</em></p>
<p>I don't know who to blame - me for not being attentive or Cisco documentation for being vague - but when I read about <strong>snmp-map</strong> inspection, which allows you to block selectively by SNMP version, I decided it was the way to protect the ASA itself from such queries. Only with the help of the Netpro forum at Cisco.com did I learn that this feature is designed to inspect the SNMP traffic that passes THROUGH the ASA, not traffic destined to the ASA itself.
So if you want to limit what version of SNMP the ASA will use to answer queries, use the usual snmp-server host …
For those who do want to block SNMP of, say, version 1 and 2c passing through the ASA, here is how:</p>
<p>Louvre(config)#<strong>snmp-map no-v1or2-here</strong><br>
<strong>deny version 1</strong> <br>
<strong>deny version 2c</strong></p>
<p>Now define with an access-list what traffic to inspect; you may use specific IPs or just the general SNMP ports - udp 161 and 162:</p>
<p>Louvre# <strong>sh run access-list no-v1or2-here</strong></p>
<p><strong>access-list no-v1or2-here extended permit udp any any eq snmptrap</strong><br>
<strong>access-list no-v1or2-here extended permit udp any any eq snmp</strong></p>
<p>Bind ACL to class-map:</p>
<p>Louvre(config)# <strong>class-map snmp-block-v2or1</strong><br>
<strong>match access-list no-v1or2-here</strong></p>
<p>Use the class-map in a policy map, enabling snmp-map inspection:</p>
<p>Louvre(config)# <strong>policy-map no-snmp-v2or1</strong><br>
<strong>class snmp-block-v2or1</strong><br>
inspect snmp no-v1or2-here</p>
<p>And finally apply the policy map on some interface:</p>
<p>Louvre(config)# <strong>service-policy no-snmp-v2or1 interface outside</strong></p>
<h1>ASA 8.2 now speaks SNMP v3 decently</h1>
<p><em>2010-08-25, Yuri Slobodyanyuk</em></p>
<p>This article is all about SNMP in ASA. ASA has far fewer configuration options than IOS does, and this is good. Starting with version 8.2, ASA supports version 3 of the SNMP protocol, which adds a new security model to the whole SNMP stack. But first we will start with the old-fashioned SNMP v2c (c is for 'community'). It takes about 15 secs to do it:</p>
<div class="highlight"><pre><code>snmp-server location "935 Pennsylvania Avenue, NW"
snmp-server contact "Don't call us we'll call you"
snmp-server community ***** // Note: this community will be used if a more specific one isn't given per host
snmp-server enable traps snmp authentication linkup linkdown coldstart // specific traps
snmp-server enable // you enable the server
snmp-server listen-port 161 // in case you want to change it, who knows …
snmp-server host outside 195.95.193.8 community ****** version 1 udp-port 162 // only now is SNMP polling enabled, and only for the given host; also version 1 and port 162 on the SNMP management station (195.95.193.8) to send traps
no snmp-server enable traps ipsec start stop // to disable specific traps
</code></pre></div>
<p>As you already know, this setup exchanges community strings in clear text, and no packet is cryptographically authenticated/verified. What a shame for an "Adaptive Security Appliance". The fix is on the way. It is called SNMP v3 and has 3 security levels to choose from:
<strong>noAuthNoPriv</strong> - packets are neither authenticated nor encrypted. Basically the model used so far by SNMP v1 and v2c - everything in clear text.</p>
<p><strong>authNoPriv</strong> - packets are authenticated, that is, the user name is sent in clear text but its password is not; the (configurable) algorithm is MD5 or SHA.</p>
<p><strong>authPriv</strong> - the highest level: all SNMP packets are both authenticated using MD5 or SHA and their content is encrypted with the DES/3DES/AES (128, 192, 256) algorithm.</p>
<p>Using the list above, let's configure our ASA for each level.
General steps:</p>
<ul>
<li>Configure snmp-server group for every security level you want to use ;</li>
<li>Create a user for each security level you want to use and assign it to the snmp-server group of your choice</li>
<li>Create usual snmp-server host entry but adding version 3 and username to be used by this host. <strong>NOTE</strong> You can have only one such command per host but no matter which out of 3 security levels you specify in this command it will allow the other 2 to be used in querying as well</li>
</ul>
<p><strong>noAuthNoPriv.</strong> </p>
<div class="highlight"><pre><span></span><code>snmp-server group v3-noauth v3 noauth
snmp-server user Jambo v3-noauth v3
snmp-server host outside 199.252.47.11 version 3 Jambo
</code></pre></div>
<p>Querying the ASA:</p>
<div class="highlight"><pre><span></span><code>snmpwalk -v 3 -u Jambo -l noauthnopriv 155.7.145.89
</code></pre></div>
<p><strong>authNoPriv.</strong> </p>
<div class="highlight"><pre><span></span><code>snmp-server group V3-auth v3 auth
snmp-server user AUTH V3-auth v3 auth md5 12345678
</code></pre></div>
<p>Minimum password length is 8, and while the ASA seems not to care, it is a violation, and snmpwalk will complain about a password shorter than 8 characters and bail out.</p>
<div class="highlight"><pre><span></span><code>snmp-server host outside 199.252.47.11 version 3 AUTH
</code></pre></div>
<p>Querying the ASA:</p>
<div class="highlight"><pre><span></span><code>snmpwalk -v 3 -u AUTH -a md5 -A 12345678 -l authnopriv 155.7.145.89
</code></pre></div>
<p><strong>authPriv.</strong> </p>
<p>Here everything will be encrypted.</p>
<div class="highlight"><pre><span></span><code>snmp-server group v3-priv v3 priv
snmp-server user very_secure v3-priv v3 auth md5 12345678 v3-priv v3 auth md5 12345678 priv aes 128 12345678
snmp-server host outside 199.252.47.11 version 3 very_secure
</code></pre></div>
<p>N.B. To my surprise there is no such thing as <strong>debug snmp</strong>. Actually it does exist, but entering this command gives no error and produces no debug either.
Noticed along the way: in the logs you can see all the passwords you entered while configuring SNMP, not very secure I would rather say.</p>
<p>(config)# sh log | grep snmp</p>
<div class="highlight"><pre><span></span><code><span class="c">%ASA-5-111008: User 'enable_15' executed the 'snmp-server user AUTH V3-auth v3 auth md5 12345678' command.</span><span class="w"></span>
</code></pre></div>
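<p>What the ASA does with a password like <code>auth md5 12345678</code> is the USM key derivation of RFC 3414: the password is stretched into a key and then localized with the agent's engine ID, so the same password gives a different key on every device. The following is an added example (not Cisco's or the ASA's code) of that derivation; it reproduces the RFC's own test vector (password "maplesyrup", engine ID 00…02) and enforces the 8-character minimum the snmpwalk complaint above is about. The two engine IDs used for comparison are constructed values. It also shows why the log line above matters: with the password, anyone can recompute the localized key for any engine ID.</p>

```python
"""SNMPv3 USM key derivation, RFC 3414 appendix A.2 and A.3.

Added example, not code from the original post or from Cisco. Verified
against the RFC's own test vector; the engine IDs used for the comparison
below are constructed.
"""
import hashlib

ONE_MEGABYTE = 1024 * 1024  # the RFC's fixed stretching cost: 1,048,576 bytes hashed


def password_to_key(password: str, algo: str = "md5") -> bytes:
    """A.2: Ku = H(password repeated to fill exactly 1 MiB)."""
    if len(password) < 8:
        # snmpwalk refuses such passwords; the RFC mandates the minimum length.
        raise ValueError("USM passwords must be at least 8 characters (RFC 3414)")
    pw = password.encode()
    reps, rem = divmod(ONE_MEGABYTE, len(pw))
    h = hashlib.new(algo)
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """A.3: Kul = H(Ku || snmpEngineID || Ku), binding the key to one agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def derive_auth_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """Full derivation as an agent (the ASA) or manager (snmpwalk) performs it."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


def same_password_differs_per_engine(password: str, engine_a: bytes, engine_b: bytes) -> bool:
    """True when two engine IDs yield different localized keys for one password."""
    return derive_auth_key(password, engine_a) != derive_auth_key(password, engine_b)
```

<p>The priv key for <code>priv aes 128</code> starts from the same derivation with the privacy password, which is why reusing one password for auth and priv, as the page's example does for brevity, buys nothing in practice.</p>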
<h1>sla monitor in Cisco ASA land</h1>
<p><em>2010-08-24, Yuri Slobodyanyuk</em></p>
<p>SLA monitoring is finally here. What is it useful for? To add/remove routes in ASA dynamically depending on the results of the SLA status.
Below are the configuration steps; while there are many words in the command itself there are not many options there, so the command is long but pretty uniform.</p>
<p>TokyoASA1(config)# <strong>sla monitor 33</strong>
TokyoASA1(config-sla-monitor)# <strong>type echo protocol ipIcmpEcho 150.6.2.2 interface outside</strong>
TokyoASA1(config-sla-monitor-echo)# ?</p>
<div class="highlight"><pre><span></span><code><span class="nv">default</span><span class="w"> </span><span class="nv">Set</span><span class="w"> </span><span class="nv">a</span><span class="w"> </span><span class="nv">command</span><span class="w"> </span><span class="nv">to</span><span class="w"> </span><span class="nv">its</span><span class="w"> </span><span class="nv">defaults</span><span class="w"> </span>
  exit               Exit probe configuration
  frequency          Frequency of an operation
  no                 Negate a command or set its defaults
  num-packets        Number of Packets
  request-data-size  Request data size
  threshold          Operation threshold in milliseconds
  timeout            Timeout of an operation
  tos                Type Of Service
</code></pre></div>
<p>TokyoASA1(config-sla-monitor-echo)# <strong>frequency ?</strong></p>
<div class="highlight"><pre><span></span><code>sla-monitor-echo mode commands/options:
<1-604800> Frequency in seconds
</code></pre></div>
<p>TokyoASA1(config)# sla monitor schedule 33 ? </p>
<div class="highlight"><pre><span></span><code>ageout How long to keep this Entry when inactive
life Length of time to execute in seconds
recurring Probe to be scheduled automatically every day
start-time When to start this entry
</code></pre></div>
<p>TokyoASA1(config)# <strong>sla monitor schedule 33 life forever start after 00:05:00</strong> </p>
<p>Now create a tracking object, to be applied later to the static route:</p>
<p>TokyoASA1(config)# <strong>track 1 rtr 33 reachability</strong> </p>
<p>And finally we create the static route and attach the created track to it:</p>
<p>TokyoASA1(config)# <strong>route outside 0 0 136.6.123.3 track 1</strong></p>
<p>Now let's see some statistics on the track:</p>
<p>TokyoASA1# <strong>sh track</strong> </p>
<div class="highlight"><pre><span></span><code>Track 1
  Response Time Reporter 33 reachability
  Reachability is Down
  1 change, last change 00:04:03
  Latest operation return code: Unknown
  Tracked by:
    STATIC-IP-ROUTING 0
</code></pre></div>
<p>The final configuration looks like this:</p>
<div class="highlight"><pre><span></span><code>sla monitor 33
type echo protocol ipIcmpEcho 150.6.2.2 interface outside
num-packets 3
request-data-size 1500
timeout 30
frequency 5
sla monitor schedule 33 life forever start-time after 00:05:00
</code></pre></div>
<p>TokyoASA1# <strong>sh sla monitor configuration</strong></p>
<div class="highlight"><pre><span></span><code>Entry number: 33
Owner:
Tag:
Type of operation to perform: echo
Target address: 150.6.2.2
Interface: outside
Number of packets: 3
Request size (ARR data portion): 1500
Operation timeout (milliseconds): 30
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 5
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
</code></pre></div>
<p>TokyoASA1# <strong>sh sla monitor configuration operational-state</strong> </p>
<div class="highlight"><pre><span></span><code>Entry number: 33
Modification time: 15:14:04.168 UTC Sun May 23 2010
Number of Octets Used by this Entry: 1480
Number of operations attempted: 48
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 15:22:59.169 UTC Sun May 23 2010
RTT Values:
RTTAvg: 1      RTTMin: 1      RTTMax: 1
NumOfRTT: 3    RTTSum: 3      RTTSum2: 3
</code></pre></div>
<p>TokyoASA1# <strong>debug sla monitor ?</strong></p>
<div class="highlight"><pre><span></span><code>error  Output IP SLA Monitor Error Messages
trace  Output IP SLA Monitor Trace Messages
</code></pre></div>
<p>TokyoASA1# <strong>debug sla monitor trace</strong> </p>
<div class="highlight"><pre><span></span><code>TokyoASA1# IP SLA Monitor(33) Scheduler: Starting an operation
IP SLA Monitor(33) echo operation: Sending an echo operation
IP SLA Monitor(33) echo operation: RTT=0 OK
IP SLA Monitor(33) echo operation: RTT=0 OK
IP SLA Monitor(33) echo operation: RTT=1 OK
IP SLA Monitor(33) Scheduler: Updating result
IP SLA Monitor(33) Scheduler: Starting an operation
IP SLA Monitor(33) echo operation: Sending an echo operation
IP SLA Monitor(33) echo operation: RTT=0 OK
IP SLA Monitor(33) echo operation: RTT=0 OK
IP SLA Monitor(33) echo operation: RTT=1 OK
</code></pre></div>
<p>And by the way, it really works: when the track is down, the route to which it is attached disappears from the routing table, as it should.</p>
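<p>To consume this state from a monitoring script rather than by eye, here is an added example (not part of the original post) that parses the <code>sh track</code> and <code>debug sla monitor trace</code> output shown above and reports whether the tracked static route should currently be in the routing table. The sample texts are constructed from the post's output; the threshold value passed to the summary is an assumed parameter.</p>

```python
"""Added example (not from the post): parse Cisco ASA IP SLA tracking output.

Sample texts are constructed from the `sh track` and `debug sla monitor trace`
output in the post (track 1 -> sla monitor 33, num-packets 3, timeout 30 ms).
"""
import re

SHOW_TRACK = """\
Track 1
  Response Time Reporter 33 reachability
  Reachability is Down
  1 change, last change 00:04:03
  Latest operation return code: Unknown
  Tracked by:
    STATIC-IP-ROUTING 0
"""

SLA_TRACE = """\
TokyoASA1# IP SLA Monitor(33) Scheduler: Starting an operation
IP SLA Monitor(33) echo operation: Sending an echo operation
IP SLA Monitor(33) echo operation: RTT=0 OK
IP SLA Monitor(33) echo operation: RTT=0 OK
IP SLA Monitor(33) echo operation: RTT=1 OK
IP SLA Monitor(33) Scheduler: Updating result
IP SLA Monitor(33) Scheduler: Starting an operation
IP SLA Monitor(33) echo operation: Sending an echo operation
IP SLA Monitor(33) echo operation: RTT=0 OK
IP SLA Monitor(33) echo operation: RTT=0 OK
IP SLA Monitor(33) echo operation: RTT=1 OK
"""

START_RE = re.compile(r"IP SLA Monitor\((\d+)\) Scheduler: Starting an operation")
ECHO_RE = re.compile(r"IP SLA Monitor\((\d+)\) echo operation: RTT=(\d+) OK")


def parse_show_track(text):
    """Turn one `show track` entry into a dict (reachability, change count, clients)."""
    info = {"tracked_by": []}
    in_tracked_by = False
    patterns = [
        ("track", r"Track (\d+)$", int),
        ("rtr", r"Response Time Reporter (\d+) \w+", int),
        ("reachability", r"Reachability is (\w+)", str),
        ("changes", r"(\d+) changes?, last change \S+", int),
        ("last_change", r"\d+ changes?, last change (\S+)", str),
        ("return_code", r"Latest operation return code: (.+)", str),
    ]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_tracked_by:                      # every line after "Tracked by:" names a client
            info["tracked_by"].append(line)
            continue
        if line == "Tracked by:":
            in_tracked_by = True
            continue
        for key, pattern, conv in patterns:
            m = re.match(pattern, line)
            if m:
                info[key] = conv(m.group(1))
    return info


def route_installed(track):
    """A static route with `track N` stays in the routing table only while the
    track is Up; a track without any probe result yet reports Down / Unknown."""
    return track.get("reachability") == "Up"


def parse_sla_trace(text):
    """Group the RTT of each echo into one list per scheduled operation."""
    operations = []
    for line in text.splitlines():
        if START_RE.search(line):
            operations.append([])
        m = ECHO_RE.search(line)
        if m:
            if not operations:                 # trace captured mid-operation
                operations.append([])
            operations[-1].append(int(m.group(2)))
    return operations


def sla_summary(operations, num_packets, threshold_ms):
    """Summarise probe health: operations with fewer echoes than num-packets point
    at lost replies, RTTs above threshold_ms at latency (threshold is assumed)."""
    rtts = [rtt for op in operations for rtt in op]
    return {
        "operations": len(operations),
        "echoes": len(rtts),
        "incomplete_ops": sum(1 for op in operations if len(op) < num_packets),
        "max_rtt_ms": max(rtts) if rtts else None,
        "over_threshold": sum(1 for rtt in rtts if rtt > threshold_ms),
    }


if __name__ == "__main__":
    track = parse_show_track(SHOW_TRACK)
    print(track, "route installed:", route_installed(track))
    print(sla_summary(parse_sla_trace(SLA_TRACE), num_packets=3, threshold_ms=30))
```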
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Teach Cisco ASA to speak NTP2010-08-24T06:14:16+00:002010-08-24T06:14:16+00:00Yuri Slobodyanyuktag:yurisk.info,2010-08-24:/2010/08/24/teach-asa-to-speak-ntp/<p>Time is precious, even more so when you need accurate logging. Let's configure NTP time synchronization on our ASA 5510.
The configs are pretty simple, but a thing or two is worth remembering.</p>
<ul>
<li>ASA cannot act as an NTP server, as opposed to IOS. </li>
<li>You can use the optional <strong>prefer</strong> keyword with the ntp server command, but ... it only works if you have multiple servers "of the same accuracy", in Cisco.com's words. In plain language they mean the same stratum. If your Cisco ASA has 2 NTP servers configured, one of stratum 2 and the other of stratum 3, the stratum 2 server will be selected even if you mark the stratum 3 server as preferred.</li>
<li>Authentication is available but optional. The only algorithm available is MD5.</li>
<li>You can have multiple trusted keys at the same time; I guess they will be tried in turn (needs verification).</li>
</ul>
<p>OK then, let's configure it: the NTP server is 153.6.3.3, with MD5 authentication.</p>
<p>TokyoASA1(config)#<strong>ntp authentication-key 1 md5 CISCO</strong> <br>
TokyoASA1(config)#<strong>ntp trusted-key 1</strong> <br>
TokyoASA1(config)#<strong>ntp server 153.6.3.3 ?</strong> </p>
<div class="highlight"><pre><span></span><code>  key     Configure peer authentication key
  prefer  Prefer this peer when possible
  source  Interface for source address
</code></pre></div>
<p>TokyoASA1(config)#<strong>ntp server 153.6.3.3 key 1</strong> <br>
TokyoASA1(config)#<strong>ntp authenticate</strong></p>
<p><strong>Debug</strong>:</p>
<p>TokyoASA1#<strong>debug ntp ?</strong></p>
<div class="highlight"><pre><span></span><code>adjust          NTP clock adjustments
authentication  NTP authentication
events          NTP events
loopfilter      NTP loop filter
packets         NTP packets
params          NTP clock parameters
select          NTP clock selection
sync            NTP clock synchronization
validity        NTP peer clock validity
</code></pre></div>
<p><strong>Verification</strong>:</p>
<p>TokyoASA1#<strong>sh ntp stat</strong></p>
<div class="highlight"><pre><span></span><code>Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cfa3cae4.3dd6a89e (15:40:20.241 UTC Sun Aug 23 2010)
clock offset is -377969342.9594 msec, root delay is 2.04 msec
root dispersion is 15262547.68 msec, peer dispersion is 16000.00 msec
</code></pre></div>
<p>TokyoASA1# <strong>sh ntp ass</strong></p>
<div class="highlight"><pre><span></span><code>      address         ref clock     st  when  poll reach  delay  offset    disp
~153.6.3.3        .LOCL.            1    26    64     0     2.0  -37796  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
</code></pre></div>
<p>Some debug output comes next:</p>
<div class="highlight"><pre><span></span><code>TokyoASA1# NTP: Authentication key 1
NTP: 153.6.3.3 reachable
NTP: sync change
NTP: peer stratum change
</code></pre></div>
<p>TokyoASA1#<strong>sh ntp stat</strong></p>
<div class="highlight"><pre><span></span><code>Clock is synchronized, stratum 2, reference is 153.6.3.3
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cf9e06b2.e6239822 (06:41:54.898 UTC Wed May 19 2010)
clock offset is -2.9681 msec, root delay is 1.95 msec
root dispersion is 21.58 msec, peer dispersion is 18.57 msec
</code></pre></div>
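<p>The checks a defender would want around this, as an added example that is not part of the original post: parse the <code>sh ntp stat</code> and <code>sh ntp ass</code> output above (sample texts constructed from the post's output), apply the stratum-before-<code>prefer</code> selection rule described in the list at the top of the post, and lint the NTP commands for missing authentication. The <code>NTP_CONFIG</code> sample is the post's commands as typed; the audit rules and the simplification that a peer with reach 0 is never selected are my assumptions.</p>

```python
"""Added example (not from the post): check Cisco ASA NTP state and config.

Sample texts are constructed from the `sh ntp stat` / `sh ntp ass` output and
the ntp commands shown in the post.
"""
import re

NTP_STATUS_UNSYNC = """\
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cfa3cae4.3dd6a89e (15:40:20.241 UTC Sun Aug 23 2010)
clock offset is -377969342.9594 msec, root delay is 2.04 msec
root dispersion is 15262547.68 msec, peer dispersion is 16000.00 msec
"""

NTP_STATUS_SYNC = """\
Clock is synchronized, stratum 2, reference is 153.6.3.3
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cf9e06b2.e6239822 (06:41:54.898 UTC Wed May 19 2010)
clock offset is -2.9681 msec, root delay is 1.95 msec
root dispersion is 21.58 msec, peer dispersion is 18.57 msec
"""

NTP_ASSOCIATIONS = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
~153.6.3.3        .LOCL.            1    26    64     0     2.0  -37796  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

NTP_CONFIG = """\
ntp authentication-key 1 md5 CISCO
ntp trusted-key 1
ntp server 153.6.3.3 key 1
ntp authenticate
"""

# Legend of `show ntp associations`, mapped to boolean keys in each parsed row.
FLAGS = {"*": "master_synced", "#": "master_unsynced", "+": "selected",
         "-": "candidate", "~": "configured"}


def parse_ntp_status(text):
    """Read sync state, stratum, reference and clock offset from `show ntp status`."""
    m = re.search(r"Clock is (\w+), stratum (\d+)(?:, reference is (\S+))?", text)
    offset = re.search(r"clock offset is (-?[\d.]+) msec", text)
    return {
        "synchronized": m.group(1) == "synchronized",
        "stratum": int(m.group(2)),
        "reference": m.group(3),
        "offset_ms": float(offset.group(1)) if offset else None,
    }


def parse_ntp_associations(text):
    """Parse `show ntp associations` rows. `reach` is an octal 8-bit shift register
    of the last eight polls, so reach_count is how many of them were answered."""
    rows = []
    row_re = re.compile(r"\s*([*#+\-~]+)(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\S+)"
                        r"\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)")
    for line in text.splitlines():
        m = row_re.match(line)
        if not m:
            continue
        flags, addr, ref, st, when, poll, reach, delay, offset, disp = m.groups()
        row = {"address": addr, "ref_clock": ref, "stratum": int(st), "when": when,
               "poll": int(poll), "reach": int(reach, 8),
               "reach_count": bin(int(reach, 8)).count("1"),
               "delay": float(delay), "offset": offset, "disp": float(disp)}
        row.update({name: ch in flags for ch, name in FLAGS.items()})
        rows.append(row)
    return rows


def select_peer(peers):
    """The post's rule: the lowest stratum wins and `prefer` only breaks ties at
    that stratum. Peers that never answered (reach 0) are skipped (assumption)."""
    reachable = [p for p in peers if p.get("reach", 0) != 0]
    if not reachable:
        return None
    best = min(p["stratum"] for p in reachable)
    same = [p for p in reachable if p["stratum"] == best]
    return next((p for p in same if p.get("prefer")), same[0])


def audit_ntp_config(text):
    """Flag servers without a key, keys not both defined and trusted, and a
    missing `ntp authenticate` (the post enables it as the last step)."""
    keys = set(re.findall(r"^ntp authentication-key (\d+) md5 ", text, re.M))
    trusted = set(re.findall(r"^ntp trusted-key (\d+)", text, re.M))
    findings = []
    if not re.search(r"^ntp authenticate\s*$", text, re.M):
        findings.append("ntp authenticate is missing")
    for addr, key in re.findall(r"^ntp server (\S+)(?:.*\bkey (\d+))?", text, re.M):
        if not key:
            findings.append(f"server {addr} has no authentication key")
        elif key not in keys or key not in trusted:
            findings.append(f"server {addr} uses key {key} which is not defined and trusted")
    return findings


if __name__ == "__main__":
    print(parse_ntp_status(NTP_STATUS_SYNC))
    print(parse_ntp_associations(NTP_ASSOCIATIONS))
    print(audit_ntp_config(NTP_CONFIG))
```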
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Redundant interfaces in Cisco ASA2010-08-23T17:54:08+00:002010-08-23T17:54:08+00:00Yuri Slobodyanyuktag:yurisk.info,2010-08-23:/2010/08/23/redundant-interfaces-in-cisco-asa/<p>In Cisco ASA this is called <strong>interface redundancy</strong>. The idea is to protect against a physical link failure: you combine two physical interfaces on the ASA into one virtual interface and configure all the Layer 3 parameters on that virtual interface. Only ONE of the interfaces in the group is active at any time (that is, there is no load sharing); if it fails, the ASA transparently switches to the next available interface in the group and all traffic passes through it. By default the first interface added to the group becomes active and all the rest become passive. At the end of the article there is some dry theory and facts, but for now let's plunge into the code.<br>
<strong>Warning!</strong> The moment you assign a physical interface as a member of a redundant virtual interface, ALL the existing configuration on that interface is wiped out.
Create the redundant interface (group) and assign 2 physical interfaces to it:</p>
<p>Santa#<strong>conf t</strong><br>
Santa(config)# <strong>interface Redundant1</strong><br>
Santa(config-if)# <strong>member-interface Ethernet0/0</strong><br>
Santa(config-if)# <strong>member-interface Ethernet0/2</strong><br>
Santa(config-if)#<strong>no nameif</strong><br>
Santa(config-if)#<strong>no security-level</strong><br>
Santa(config-if)#<strong>no ip address</strong> </p>
<p>Now we could start configuring nameif, IP address and security level for this Redundant1 interface, but let's be more creative and create some VLANs on it.</p>
<p>So far:</p>
<p>Santa#<strong>show run int</strong></p>
<div class="highlight"><pre><span></span><code>interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/2
no nameif
no security-level
no ip address
</code></pre></div>
<p>Santa(config)# <strong>interface Redundant1.120</strong><br>
Santa(config-subif)# <strong>vlan 120</strong><br>
Santa(config-subif)# <strong>nameif dmz</strong><br>
Santa(config-subif)# <strong>security-level 50</strong><br>
Santa(config-subif)# <strong>ip address 10.0.0.12 255.255.255.0</strong> </p>
<p>To remind you, the state of the physical interfaces comprising Redundant1 is:</p>
<div class="highlight"><pre><span></span><code>interface Ethernet0/2
no nameif
no security-level
no ip address
interface Ethernet0/0
no nameif
no security-level
no ip address
interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/2
no nameif
no security-level
no ip address
</code></pre></div>
<p>Santa(config)# <strong>interface Redundant1.100</strong><br>
Santa(config-subif)# <strong>vlan 100</strong><br>
Santa(config-subif)# <strong>nameif outside</strong><br>
Santa(config-subif)# <strong>security-level 0</strong><br>
Santa(config-subif)# <strong>ip address 139.61.77.12 255.255.255.0</strong> </p>
<p>Now some verification is due (pay attention to the bottom of the output, where you can see which interface is currently active and how many state changes have happened so far):</p>
<p>Santa# <strong>sh int redundant 1 detail</strong></p>
<div class="highlight"><pre><span></span><code>Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001b.d589.9892, MTU not set
IP address unassigned
1870 packets input, 150617 bytes, 0 no buffer
Received 1329 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
766 L2 decode drops
264 packets output, 24326 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (9/18) software (0/0)
output queue (curr/max packets): hardware (0/2) software (0/0)
Control Point Interface States:
Interface number is 10
Interface config status is active
Interface state is active
Redundancy Information:
Member Ethernet0/0(Active), Ethernet0/2
Last switchover at 07:25:35 UTC August 19 2010
</code></pre></div>
<p>And what about some debug? Of course:</p>
<p>Santa(config)# <strong>debug redundant-interface ?</strong></p>
<p>exec mode commands/options:<br>
<strong>error</strong> errors<br>
<strong>event</strong> events</p>
<p>Now let's shut down the physical interface Ethernet0/2, which is currently active:</p>
<div class="highlight"><pre><span></span><code>redundant interface Redundant1 switchover, active idx 1, stby idx 0
redundant interface Redundant1 switching active from Ethernet0/2 to Ethernet0/0.
Send gratuitous ARP on Redundant1.100.
Send gratuitous ARP on Redundant1.120.
redundant interface Redundant1 switch active to Ethernet0/0 done.
</code></pre></div>
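<p>To watch for failovers like this one from a monitoring job, here is an added example (not part of the original post) that parses the <code>sh int redundant 1 detail</code> output and the <code>debug redundant-interface event</code> lines shown above into a member/active view and a list of switchover events, with a small check that flags a lost member or an unexpected active member. The sample texts are constructed from the post's output; the check's expectations are assumptions.</p>

```python
"""Added example (not from the post): parse Cisco ASA redundant-interface state.

Sample texts are constructed from the `sh int redundant 1 detail` output and
the `debug redundant-interface event` lines shown in the post.
"""
import re

REDUNDANT_DETAIL = """\
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Available but not configured via nameif
IP address unassigned
Control Point Interface States:
Interface number is 10
Interface config status is active
Interface state is active
Redundancy Information:
Member Ethernet0/0(Active), Ethernet0/2
Last switchover at 07:25:35 UTC August 19 2010
"""

SWITCHOVER_DEBUG = """\
redundant interface Redundant1 switchover, active idx 1, stby idx 0
redundant interface Redundant1 switching active from Ethernet0/2 to Ethernet0/0.
Send gratuitous ARP on Redundant1.100.
Send gratuitous ARP on Redundant1.120.
redundant interface Redundant1 switch active to Ethernet0/0 done.
"""


def parse_redundant_detail(text):
    """Extract link state, member list, active member and last switchover time."""
    info = {"members": [], "active": None, "last_switchover": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'Interface (\S+) "[^"]*", is (\w+), line protocol is (\w+)', line)
        if m:
            info["name"], info["status"], info["protocol"] = m.groups()
            continue
        m = re.match(r"Member (.+)", line)
        if m:
            # "Ethernet0/0(Active), Ethernet0/2": the (Active) suffix marks the live member
            for member in m.group(1).split(","):
                member = member.strip()
                if member.endswith("(Active)"):
                    member = member[: -len("(Active)")]
                    info["active"] = member
                info["members"].append(member)
            continue
        m = re.match(r"Last switchover at (.+)", line)
        if m:
            info["last_switchover"] = m.group(1)
    return info


def parse_switchover_events(text):
    """Group debug lines into switchover events: which member took over, which
    subinterfaces sent gratuitous ARP, and whether the switch completed."""
    events = []
    for line in text.splitlines():
        m = re.search(r"redundant interface (\S+) switching active from (\S+) to (\S+)\.", line)
        if m:
            events.append({"interface": m.group(1), "from": m.group(2),
                           "to": m.group(3), "garp": [], "done": False})
            continue
        if not events:
            continue
        m = re.search(r"Send gratuitous ARP on (\S+)\.", line)
        if m:
            events[-1]["garp"].append(m.group(1))
            continue
        m = re.search(r"redundant interface (\S+) switch active to (\S+) done\.", line)
        if m and m.group(2) == events[-1]["to"]:
            events[-1]["done"] = True
    return events


def check_redundancy(detail, expected_active=None, min_members=2):
    """Findings a monitoring job would alert on: link not up/up, too few members
    (no redundancy left), no active member, or an unexpected active member."""
    findings = []
    if detail.get("status") != "up" or detail.get("protocol") != "up":
        findings.append("redundant interface is not up/up")
    if len(detail["members"]) < min_members:
        findings.append(f"only {len(detail['members'])} member interface(s) configured")
    if detail["active"] is None:
        findings.append("no active member")
    elif expected_active and detail["active"] != expected_active:
        findings.append(f"active member is {detail['active']}, expected {expected_active}")
    return findings


if __name__ == "__main__":
    detail = parse_redundant_detail(REDUNDANT_DETAIL)
    print(detail, check_redundancy(detail, expected_active="Ethernet0/0"))
    print(parse_switchover_events(SWITCHOVER_DEBUG))
```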
<p>The switchover has happened; now let's verify it:</p>
<p>Santa(config-if)# <strong>sh int redundant 1 det</strong></p>
<div class="highlight"><pre><span></span><code>Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001b.d589.9892, MTU not set
IP address unassigned
2284 packets input, 187559 bytes, 0 no buffer
Received 1544 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
797 L2 decode drops
296 packets output, 27430 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (8/18) software (0/0)
output queue (curr/max packets): hardware (0/5) software (0/0)
Control Point Interface States:
Interface number is 10
Interface config status is active
Interface state is active
Redundancy Information:
Member Ethernet0/0(Active), Ethernet0/2
Last switchover at 07:57:11 UTC August 19 2010
</code></pre></div>
<p>Having done a bit of practice, the dry theory comes next.</p>
<ul>
<li>You can define up to 8 Redundant interfaces (if you have an ASA 5580, why not?);</li>
<li>All the interfaces in the same group should be of the same type (Ethernet with Fiber won’t go well);</li>
<li>Only one interface is passing production traffic at any given moment;</li>
<li>By default the Redundant interface takes the MAC address of the first interface added to it; this is configurable;</li>
<li>When failover to the second interface happens, it takes over the MAC address of the previously active member so that traffic is not lost. If the MAC address was set manually, it stays the same;</li>
<li>You can force an interface to become Active using the command: Santa# <strong>redundant-interface redundant active-member &lt;if_name&gt;</strong></li>
<li>Redundant interfaces are compatible with the failover feature.</li>
</ul>
<p>For even more information, see:<br>
<a href="https://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/intrface.html">ASA 8.3 interface configuration</a></p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Find SmartCenter address on the firewall module2010-08-23T16:52:37+00:002010-08-23T16:52:37+00:00Yuri Slobodyanyuktag:yurisk.info,2010-08-23:/2010/08/23/find-smartcenter-address-on-the-firewall-module/<p>I am sure there are a gazillion ways to find the IP address of the SmartCenter / Security Management Server managing this module, but here is the one I use. It works on a firewall module as well as on the SmartCenter itself and, even better, gives the same result. Surprising, no?</p>
<p>[Expert@FW-XL1]# <strong>fw tab -t management_list -f</strong></p>
<div class="highlight"><pre><span></span><code>Using cptfmt
localhost:
Date: Aug 23, 2010
19:26:11 192.168.29.22 > : (+)====================================(+);
Table_Name:
management_list; : (+); Attributes: static, id 3; product: VPN-1 &amp; FireWall-1;
19:26:11 192.168.29.22 > Key: c2ac5801, c2ac5801; product: VPN-1 &amp; FireWall-1;
</code></pre></div>
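<p>The key that <code>fw tab</code> prints is the management server's IPv4 address written as eight hex digits in network byte order, which is how Check Point kernel tables store addresses, so the last line above already holds the answer. As an added Python example, not part of the post, this snippet parses a constructed copy of the output above and decodes each key to dotted-quad form.</p>

```python
"""Decode the hex key printed by 'fw tab -t management_list -f' into the
management server's IP (added example; the sample text is constructed)."""
import re
import socket
import struct
from typing import List

# Constructed copy, in shape, of the output shown in the post above.
SAMPLE_OUTPUT = """\
Using cptfmt
localhost:
Date: Aug 23, 2010
19:26:11 192.168.29.22 > : (+)====================================(+);
Table_Name:
management_list; : (+); Attributes: static, id 3; product: VPN-1 & FireWall-1;
19:26:11 192.168.29.22 > Key: c2ac5801, c2ac5801; product: VPN-1 & FireWall-1;
"""

# 'Key: <hex>[, <hex>...];' as printed by fw tab -f
KEY_FIELD = re.compile(r"Key:\s*([0-9a-fA-F]+(?:\s*,\s*[0-9a-fA-F]+)*)\s*;")


def hex_to_ipv4(word: str) -> str:
    """fw tab prints IPv4 addresses as 8 hex digits in network byte order:
    'c2ac5801' -> '194.172.88.1'."""
    word = word.strip()
    if len(word) != 8:
        raise ValueError(f"not an 8-hex-digit IPv4 word: {word!r}")
    return socket.inet_ntoa(struct.pack("!I", int(word, 16)))


def management_servers(output: str) -> List[str]:
    """Distinct management server IPs found in the Key: fields, in order."""
    found: List[str] = []
    for match in KEY_FIELD.finditer(output):
        for word in match.group(1).split(","):
            ip = hex_to_ipv4(word)
            if ip not in found:
                found.append(ip)
    return found
```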
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Playing with RIP on ASA2010-08-23T05:32:22+00:002010-08-23T05:32:22+00:00Yuri Slobodyanyuktag:yurisk.info,2010-08-23:/2010/08/23/playing-with-rip-on-asa/<p>Cisco ASA and RIP<br>
RIP has been available on the ASA for years, and in this article I will try to cover all possible scenarios of configuring, misconfiguring, debugging and verifying it. As I come up with new ideas on how to break RIP on the ASA, I will update this article as well.
As would be expected, the ASA has a somewhat limited RIP implementation compared with the IOS one. The major tasks you may be required to do:</p>
<ul>
<li>Enable RIP on the ASA;</li>
<li>Dictate the version to work with: RIP v1 or RIP v2;</li>
<li>Specify the networks RIP will be active for;</li>
<li>Exclude some interfaces from actively advertising RIP while still accepting RIP updates on them, i.e. passive interface(s);</li>
<li>Decide whether you want auto-summarization or not. The default is on;</li>
<li>Enable authentication of RIP updates and choose whether it uses a keyed MD5 hash (MD5 mode) or a clear-text password (text mode);</li>
<li>If using authentication, define the authentication keys under the relevant interfaces;</li>
<li>To make your life harder, you will be asked to redistribute;</li>
<li>Finally, verify and debug RIP operation.</li>
</ul>
<p>So let’s get our hands dirty.</p>
<p>Enable RIP routing process.</p>
<div class="highlight"><pre><span></span><code>ASA#conf t
ASA(config)# router rip
TokyoASA(config-router)#
</code></pre></div>
<p>Set it to run version 2 exclusively. The ASA cannot mix versions 2 and 1 as IOS does.</p>
<div class="highlight"><pre><span></span><code>TokyoASA(config-router)# version 2
</code></pre></div>
<p>Networks to be active for. Specify classful networks; even if you enter anything different, the ASA automatically turns it into the classful network anyway.</p>
<div class="highlight"><pre><span></span><code>TokyoASA(config-router)# network 5.0.0.0
</code></pre></div>
<p>Verifying the configuration so far:</p>
<div class="highlight"><pre><span></span><code>TokyoASA(config-router)# sh run router
router rip
network 5.0.0.0
version 2
</code></pre></div>
<p>You will most probably want to disable summarization:</p>
<div class="highlight"><pre><span></span><code>TokyoASA(config-router)# no auto-summary
</code></pre></div>
<p>Exclude some interfaces from advertising RIP on them:<br>
- To suppress it on ALL interfaces in one go:</p>
<div class="highlight"><pre><span></span><code>TokyoASA(config-router)# passive-interface default
</code></pre></div>
<ul>
<li>To be more specific:</li>
</ul>
<div class="highlight"><pre><span></span><code>TokyoASA(config-router)# passive-interface outside
</code></pre></div>
<p>Authentication is configured exclusively under the interface:
- Dictate which authentication mode to use.</p>
<div class="highlight"><pre><span></span><code>TokyoASA(config-if)# rip authentication mode md5
</code></pre></div>
<ul>
<li>Specify the key (password) and its id.</li>
</ul>
<div class="highlight"><pre><span></span><code>TokyoASA(config-if)# rip authentication key MYKEY key_id 33
</code></pre></div>
<p>Here is how it looks in show run interface:</p>
<div class="highlight"><pre><span></span><code>interface Ethernet0/0
nameif outside
security-level 0
ip address 136.6.12.12 255.255.255.0
rip authentication mode md5
rip authentication key &lt;removed&gt; key_id 33
</code></pre></div>
<p><strong>Redistribute.</strong> Just redistributing networks learned by other means into RIP would be boring. As usual, you can redistribute connected, static, ospf and rip routes (rip when working with the other protocols).</p>
<div class="highlight"><pre><span></span><code>TokyoASA(config-router)# redistribute ?
router mode commands/options:
connected Connected
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
static Static routes
</code></pre></div>
<p>Much more interesting is to implement some policy while redistributing, using route-maps. As expected, route-maps here are not quite what we are used to in IOS.
So what can you match on?</p>
<div class="highlight"><pre><span></span><code>TokyoASA(config-route-map)# match ?
route-map mode commands/options:
  interface   Match first hop interface of route
  ip          Match IP address or next-hop or route-source
  metric      Match metric of route
  route-type  Match route-type of route
</code></pre></div>
<p>The most familiar and useful match on ACL lies here:</p>
<div class="highlight"><pre><span></span><code>TokyoASA(config-route-map)# match ip ?
route-map mode commands/options:
  address       Match address of route or match packet
  next-hop      Match next-hop address of route
  route-source  Match advertising source address of route
</code></pre></div>
<div class="highlight"><pre><span></span><code>TokyoASA(config-route-map)# match ip address FILTER-ACL
TokyoASA(config-route-map)# route-map RIPv2 permit 10
match ip address FILTER-ACL
match interface inside
TokyoASA(config-router)# redistribute connected route-map RIPv2 metric 13
</code></pre></div>
<p>The rest of the match conditions I’ll cover when talking about OSPF on the ASA.</p>
<div class="highlight"><pre><span></span><code>TokyoASA(config-route-map)# match route-type ?
route-map mode commands/options:
external Match external route (OSPF type 1/2)
internal Match internal route (including OSPF intra/inter area)
local Match locally generated route
nssa-external Match nssa-external route (OSPF type 1/2)
</code></pre></div>
<p><strong>Filtering out routes in updates.</strong><br>
If you want to filter some networks in updates use distribute-list.</p>
<div class="highlight"><pre><span></span><code>TokyoASA(config-router)# distribute-list MYACL ?
router mode commands/options:
in Filter incoming routing updates
out Filter outgoing routing updates
</code></pre></div>
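<p>Before moving on to debugging, here is a way to check a running-config against the steps above (version 2, auto-summary, passive-interface, per-interface md5 authentication). This is an added Python example, not from the article or from Cisco; the config it audits is a constructed sample in the shape of the show run snippets above, and the classful-network logic reflects the <code>network</code> statement behaviour noted earlier.</p>

```python
"""Audit the RIP section of an ASA running-config (added example; constructed config)."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample shaped like the snippets above: outside is hardened, inside and dmz1 are not.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 136.6.12.12 255.255.255.0
 rip authentication mode md5
 rip authentication key MYKEY key_id 33
!
interface Ethernet0/1
 nameif inside
 ip address 5.1.1.1 255.255.255.0
!
interface Ethernet0/2.120
 nameif dmz1
 ip address 10.0.2.1 255.255.255.0
 rip authentication mode text
 rip authentication key DMZKEY key_id 1
!
router rip
 network 5.0.0.0
 network 136.6.0.0
 network 10.0.0.0
 passive-interface outside
 version 2
"""

def classful_network(ip: str) -> ipaddress.IPv4Network:
    """Classful network containing ip (/8 class A, /16 class B, /24 otherwise):
    the form the ASA rewrites 'network' statements to, as noted above."""
    first = int(ip.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Stanzas keyed by header line; sub-commands are the indented lines below it."""
    blocks: Dict[str, List[str]] = {}
    header = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            header = raw.strip()
            blocks[header] = []
        elif header is not None:
            blocks[header].append(raw.strip())
    return blocks

def parse_interfaces(blocks: Dict[str, List[str]]) -> Dict[str, dict]:
    """Per interface (keyed by nameif): IP address and RIP authentication settings."""
    ifaces: Dict[str, dict] = {}
    for header, lines in blocks.items():
        if not header.startswith("interface "):
            continue
        nameif = header.split(None, 1)[1]
        info = {"ip": None, "auth_mode": None, "auth_key": False}
        for line in lines:
            if m := re.match(r"nameif (\S+)", line):
                nameif = m.group(1)
            elif m := re.match(r"ip address (\S+) \S+", line):
                info["ip"] = m.group(1)
            elif m := re.match(r"rip authentication mode (\S+)", line):
                info["auth_mode"] = m.group(1)
            elif line.startswith("rip authentication key "):
                info["auth_key"] = True
        ifaces[nameif] = info
    return ifaces

def audit_rip(config: str) -> List[str]:
    """One finding per weak setting; an empty list means nothing to flag."""
    blocks = parse_blocks(config)
    rip = blocks.get("router rip")
    if rip is None:
        return []  # RIP is not enabled, nothing to audit
    findings: List[str] = []
    if "version 2" not in rip:
        findings.append("router rip: 'version 2' missing; RIPv1 carries no authentication")
    if "no auto-summary" not in rip:
        findings.append("router rip: auto-summary left on; subnets collapse to classful routes")
    nets = [classful_network(ln.split()[1]) for ln in rip if ln.startswith("network ")]
    passive = {ln.split()[1] for ln in rip if ln.startswith("passive-interface ")}
    unpassive = {ln.split()[2] for ln in rip if ln.startswith("no passive-interface ")}
    for nameif, info in parse_interfaces(blocks).items():
        if info["ip"] is None or not any(ipaddress.ip_address(info["ip"]) in n for n in nets):
            continue  # no 'network' statement covers this interface, so RIP is off here
        if info["auth_mode"] != "md5":
            findings.append(f"{nameif}: RIP runs here without 'rip authentication mode md5' (mode={info['auth_mode'] or 'none'})")
        elif not info["auth_key"]:
            findings.append(f"{nameif}: md5 mode set but 'rip authentication key' is missing")
        is_passive = ("default" in passive or nameif in passive) and nameif not in unpassive
        if nameif == "outside" and not is_passive:
            findings.append("outside: RIP updates are sent on outside; consider 'passive-interface outside'")
    return findings
```

Run against the sample it reports the missing <code>no auto-summary</code> and the two interfaces that speak RIP without md5 authentication, while the hardened outside interface stays quiet.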
<p><strong>Now some debug is due.</strong><br>
Enable rip debug: </p>
<div class="highlight"><pre><span></span><code>TokyoASA1# debug rip
TokyoASA1# sh debug
debug rip routing
debug rip database
debug rip events
</code></pre></div>
<p>Debug output of a normally functioning protocol:</p>
<div class="highlight"><pre><span></span><code>add 10.0.2.0 255.255.255.0 via 0.0.0.0, connected metric [0/0]network
0.0.6.136 is now variably masked
add 136.6.0.0 255.255.0.0 via 0.0.0.0, connected metric [0/0]
RIP-DB: redist 10.0.0.0 255.255.255.0(metric 0, last interface dmz1) to RIP
RIP-DB: redist 10.0.2.0 255.255.255.0(metric 0, last interface dmz1) to RIP
RIP-DB: Get redist for network 10.0.2.0
RIP-DB: adding 10.0.2.0 255.255.255.0 (metric 0) via 0.0.0.0 on Ethernet0/2.120 to RIP database
RIP-DB: rip_create_ndb create 10.0.2.0 255.255.255.0, (best metric 4294967295)
RIP-DB: rip_create_rdb Create 10.0.2.0 255.255.255.0, (metric 0) via 0.0.0.0, Ethernet0/2.120(permanent)
RIP-DB: add 10.0.2.0 255.255.255.0 (metric 0) via 0.0.0.0 on Ethernet0/2.120 (donot_age)
RIP-DB: Adding new rndb entry 10.0.2.0 255.255.255.0
RIP-DB: rip_create_ndb create 10.0.0.0 255.0.0.0, (best metric 4294967295)
RIP-DB: rip_create_rdb Create 10.0.0.0 255.0.0.0, (metric 0) via 0.0.0.0, Null0(permanent)
RIP-DB: Created rip ndb summary entry for 10.0.0.0 255.0.0.0
RIP-DB: Adding new rndb entry 10.0.0.0 255.0.0.0 rip_route_adjust for dmz1 coming up
<span class="n">RIP</span><span class="p">:</span><span class="w"> </span><span class="n">sending</span><span class="w"> </span><span class="n">request</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="n">dmz1</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="mf">224.0</span><span class="o">.</span><span class="mf">0.9</span><span class="w"> </span><span class="n">rip_route_adjust</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">dmz1</span><span class="w"> </span><span class="n">coming</span><span class="w"> </span><span class="n">up</span><span class="w"> </span>
<span class="n">RIP</span><span class="p">:</span><span class="w"> </span><span class="n">sending</span><span class="w"> </span><span class="n">request</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="n">dmz1</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="mf">224.0</span><span class="o">.</span><span class="mf">0.9</span><span class="w"> </span>
<span class="n">RIP</span><span class="p">:</span><span class="w"> </span><span class="n">sending</span><span class="w"> </span><span class="n">v2</span><span class="w"> </span><span class="n">flash</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="mf">224.0</span><span class="o">.</span><span class="mf">0.9</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">dmz1</span><span class="w"> </span><span class="p">(</span><span class="mf">10.0</span><span class="o">.</span><span class="mf">2.120</span><span class="p">)</span><span class="w"> </span>
<span class="n">RIP</span><span class="p">:</span><span class="w"> </span><span class="n">build</span><span class="w"> </span><span class="n">flash</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="n">entries</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">suppressing</span><span class="w"> </span><span class="nb nb-Type">null</span><span class="w"> </span><span class="n">update</span><span class="w"> </span>
<span class="n">RIP</span><span class="p">:</span><span class="w"> </span><span class="n">sending</span><span class="w"> </span><span class="n">v2</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="mf">224.0</span><span class="o">.</span><span class="mf">0.9</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">dmz1</span><span class="w"> </span><span class="p">(</span><span class="mf">10.0</span><span class="o">.</span><span class="mf">2.120</span><span class="p">)</span><span class="w"> </span>
<span class="n">RIP</span><span class="p">:</span><span class="w"> </span><span class="n">build</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="n">entries</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">suppressing</span><span class="w"> </span><span class="nb nb-Type">null</span><span class="w"> </span><span class="n">update</span><span class="w"> </span>
</code></pre></div>
<p>Now authentication has been enabled, but the keys on the two peers are not the same (note the <code>ignored v2 packet ... (invalid authentication)</code> line):</p>
<div class="highlight"><pre><span></span><code><span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">sending</span><span class="w"> </span><span class="n">v2</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="mf">224.0</span><span class="o">.</span><span class="mf">0.9</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">inside</span><span class="w"> </span><span class="o">(</span><span class="mf">136.6</span><span class="o">.</span><span class="mf">121.12</span><span class="o">)</span><span class="w"></span>
<span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">build</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="n">entries</span><span class="w"> </span>
<span class="mf">10.0</span><span class="o">.</span><span class="mf">0.0</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="mf">255.0</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">,</span><span class="w"> </span><span class="n">metric</span><span class="w"> </span><span class="mi">1</span><span class="o">,</span><span class="w"> </span><span class="n">tag</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mf">136.6</span><span class="o">.</span><span class="mf">23.0</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="mf">255.0</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">,</span><span class="w"> </span><span class="n">metric</span><span class="w"> </span><span class="mi">2</span><span class="o">,</span><span class="w"> </span><span class="n">tag</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mf">136.6</span><span class="o">.</span><span class="mf">123.0</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="mf">255.0</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">,</span><span class="w"> </span><span class="n">metric</span><span class="w"> </span><span class="mi">1</span><span class="o">,</span><span class="w"> </span><span class="n">tag</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mf">136.6</span><span class="o">.</span><span class="mf">124.0</span><span class="w"> </span><span class="mf">255.255</span><span 
class="o">.</span><span class="mf">255.0</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">,</span><span class="w"> </span><span class="n">metric</span><span class="w"> </span><span class="mi">1</span><span class="o">,</span><span class="w"> </span><span class="n">tag</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span>
<span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">Update</span><span class="w"> </span><span class="n">contains</span><span class="w"> </span><span class="mi">4</span><span class="w"> </span><span class="n">routes</span><span class="w"> </span>
<span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">Update</span><span class="w"> </span><span class="n">queued</span><span class="w"> </span>
<span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">sending</span><span class="w"> </span><span class="n">v2</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="mf">224.0</span><span class="o">.</span><span class="mf">0.9</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">dmz1</span><span class="w"> </span><span class="o">(</span><span class="mf">10.0</span><span class="o">.</span><span class="mf">0.120</span><span class="o">)</span><span class="w"> </span>
<span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">build</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="n">entries</span><span class="w"> </span>
<span class="mf">136.6</span><span class="o">.</span><span class="mf">23.0</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="mf">255.0</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">,</span><span class="w"> </span><span class="n">metric</span><span class="w"> </span><span class="mi">2</span><span class="o">,</span><span class="w"> </span><span class="n">tag</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mf">136.6</span><span class="o">.</span><span class="mf">121.0</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="mf">255.0</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">,</span><span class="w"> </span><span class="n">metric</span><span class="w"> </span><span class="mi">1</span><span class="o">,</span><span class="w"> </span><span class="n">tag</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mf">136.6</span><span class="o">.</span><span class="mf">123.0</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="mf">255.0</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">,</span><span class="w"> </span><span class="n">metric</span><span class="w"> </span><span class="mi">1</span><span class="o">,</span><span class="w"> </span><span class="n">tag</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mf">136.6</span><span class="o">.</span><span class="mf">124.0</span><span class="w"> </span><span class="mf">255.255</span><span 
class="o">.</span><span class="mf">255.0</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">,</span><span class="w"> </span><span class="n">metric</span><span class="w"> </span><span class="mi">1</span><span class="o">,</span><span class="w"> </span><span class="n">tag</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span>
<span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">Update</span><span class="w"> </span><span class="n">contains</span><span class="w"> </span><span class="mi">4</span><span class="w"> </span><span class="n">routes</span><span class="w"> </span>
<span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">Update</span><span class="w"> </span><span class="n">queued</span><span class="w"> </span>
<span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">Update</span><span class="w"> </span><span class="n">sent</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">inside</span><span class="w"> </span><span class="n">rip</span><span class="o">-</span><span class="n">len</span><span class="o">:</span><span class="mi">92</span><span class="w"> </span>
<span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">Update</span><span class="w"> </span><span class="n">sent</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">dmz1</span><span class="w"> </span><span class="n">rip</span><span class="o">-</span><span class="n">len</span><span class="o">:</span><span class="mi">92</span><span class="w"> </span>
<span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">ignored</span><span class="w"> </span><span class="n">v2</span><span class="w"> </span><span class="n">packet</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="mf">136.6</span><span class="o">.</span><span class="mf">123.3</span><span class="w"> </span><span class="o">(</span><span class="n">invalid</span><span class="w"> </span><span class="n">authentication</span><span class="o">)</span><span class="w"> </span>
<span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">sending</span><span class="w"> </span><span class="n">v2</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="mf">224.0</span><span class="o">.</span><span class="mf">0.9</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">inside</span><span class="w"> </span><span class="o">(</span><span class="mf">136.6</span><span class="o">.</span><span class="mf">121.12</span><span class="o">)</span><span class="w"> </span>
<span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">build</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="n">entries</span><span class="w"> </span>
<span class="mf">10.0</span><span class="o">.</span><span class="mf">0.0</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="mf">255.0</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">,</span><span class="w"> </span><span class="n">metric</span><span class="w"> </span><span class="mi">1</span><span class="o">,</span><span class="w"> </span><span class="n">tag</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mf">136.6</span><span class="o">.</span><span class="mf">23.0</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="mf">255.0</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">,</span><span class="w"> </span><span class="n">metric</span><span class="w"> </span><span class="mi">2</span><span class="o">,</span><span class="w"> </span><span class="n">tag</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mf">136.6</span><span class="o">.</span><span class="mf">123.0</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="mf">255.0</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">,</span><span class="w"> </span><span class="n">metric</span><span class="w"> </span><span class="mi">1</span><span class="o">,</span><span class="w"> </span><span class="n">tag</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mf">136.6</span><span class="o">.</span><span class="mf">124.0</span><span class="w"> </span><span class="mf">255.255</span><span 
class="o">.</span><span class="mf">255.0</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">,</span><span class="w"> </span><span class="n">metric</span><span class="w"> </span><span class="mi">1</span><span class="o">,</span><span class="w"> </span><span class="n">tag</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span>
<span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">Update</span><span class="w"> </span><span class="n">contains</span><span class="w"> </span><span class="mi">4</span><span class="w"> </span><span class="n">routes</span><span class="w"> </span>
<span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">Update</span><span class="w"> </span><span class="n">queued</span><span class="w"> </span>
<span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">sending</span><span class="w"> </span><span class="n">v2</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="mf">224.0</span><span class="o">.</span><span class="mf">0.9</span><span class="w"> </span><span class="n">via</span><span class="w"> </span><span class="n">dmz1</span><span class="w"> </span><span class="o">(</span><span class="mf">10.0</span><span class="o">.</span><span class="mf">0.120</span><span class="o">)</span><span class="w"> </span>
<span class="n">RIP</span><span class="o">:</span><span class="w"> </span><span class="n">build</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="n">entries</span><span class="w"> </span>
</code></pre></div>
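<p>To make the failure above easy to spot in a longer capture, here is a small detector over lines of the same shape, an added example that is not part of the original post. It assumes only the message format <code>RIP: ignored v2 packet from &lt;ip&gt; (invalid authentication)</code> and the <code>Update sent via &lt;interface&gt; rip-len:&lt;n&gt;</code> line shown in the debug output; the sample lines are constructed after that output.</p>

```python
"""Scan 'debug rip' style output for authentication failures.

Added example, not from the original post. The sample lines below are
constructed after the debug output shown on the page; only the line
formats "RIP: ignored v2 packet from <ip> (<reason>)" and
"RIP: Update sent via <ifname> rip-len:<n>" are assumed.
"""
import re
from collections import Counter

# Constructed sample in the same shape as the page's debug output.
SAMPLE_DEBUG = """\
RIP: sending v2 update to 224.0.0.9 via inside (136.6.121.12)
RIP: build update entries
RIP: Update contains 4 routes
RIP: Update queued
RIP: Update sent via inside rip-len:92
RIP: Update sent via dmz1 rip-len:92
RIP: ignored v2 packet from 136.6.123.3 (invalid authentication)
RIP: sending v2 update to 224.0.0.9 via dmz1 (10.0.0.120)
RIP: ignored v2 packet from 136.6.123.3 (invalid authentication)
"""

IGNORED_RE = re.compile(
    r"^RIP: ignored v2 packet from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) \((?P<reason>[^)]*)\)"
)
SENT_RE = re.compile(r"^RIP: Update sent via (?P<ifname>\S+) rip-len:(?P<length>\d+)")


def parse_rip_debug(text):
    """Return (ignored, sent).

    ignored maps source IP -> Counter of drop reasons;
    sent maps interface name -> number of updates we sent on it.
    """
    ignored = {}
    sent = Counter()
    for line in text.splitlines():
        m = IGNORED_RE.match(line)
        if m:
            ignored.setdefault(m["src"], Counter())[m["reason"]] += 1
            continue
        m = SENT_RE.match(line)
        if m:
            sent[m["ifname"]] += 1
    return ignored, sent


def auth_mismatch_peers(text):
    """Peers whose packets were dropped for 'invalid authentication', i.e.
    the key (or key-id / authentication mode) on that peer differs from ours."""
    ignored, _ = parse_rip_debug(text)
    return sorted(src for src, reasons in ignored.items()
                  if reasons.get("invalid authentication", 0) > 0)


if __name__ == "__main__":
    for peer in auth_mismatch_peers(SAMPLE_DEBUG):
        print(f"authentication mismatch with RIP neighbour {peer}")
```

<p>A neighbour that keeps failing authentication is either misconfigured (different key, key-id or mode) or is not one of your routers at all; either way it deserves an alert rather than silently dropped packets, which is why the detector keys on the source address rather than just counting drops.</p>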
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
<p><strong>Subnet calculator in Checkpoint firewall</strong> - 2010-08-22T09:03:55+00:00 - Yuri Slobodyanyuk - tag:yurisk.info,2010-08-22:/2010/08/22/subnet-calculator-in-checkpoint/</p>
<p>Should you ever forget the intricacies of subnetting, Checkpoint has a subnet calculator right in its firewalls - <strong>ipcalc</strong>.<br>
Given a subnet, show the first IP (the network address): </p>
<h3>ipcalc -n 192.168.34.45/27</h3>
<p><code>NETWORK=192.168.34.32</code> </p>
<p>Given a subnet, show the last IP (the broadcast address): </p>
<h3>ipcalc -b 192.168.34.45/27</h3>
<div class="highlight"><pre><span></span><code> BROADCAST=192.168.34.63
</code></pre></div>
<p>Be careful what you feed it, though, as ipcalc does no validation of the input: </p>
<h3>ipcalc -b 192.168.34.45/33</h3>
<div class="highlight"><pre><span></span><code>BROADCAST=255.255.255.255
</code></pre></div>
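<p>The same two answers computed by hand, as an added example that is not part of the original post and is not Checkpoint's ipcalc: the network is the address ANDed with the mask, the broadcast is the network ORed with the inverted mask. Unlike ipcalc it rejects a prefix length outside 0-32, so the /33 case above raises instead of returning 255.255.255.255. It goes a little beyond the post by also returning the mask and the usable host count; nothing beyond the Python standard library is assumed.</p>

```python
"""Subnet calculator with input validation.

Added example, not part of the original post and not Checkpoint's ipcalc.
It reproduces the two ipcalc queries from the post (network and broadcast
of 192.168.34.45/27) with plain bit arithmetic, cross-checks the result
against the standard library, and rejects the /33 that ipcalc accepts.
"""
import ipaddress


def _parse(cidr):
    """Split 'a.b.c.d/len' into (int address, int prefix), validating both."""
    try:
        addr_txt, plen_txt = cidr.split("/")
        plen = int(plen_txt)
    except ValueError:
        raise ValueError(f"expected a.b.c.d/len, got {cidr!r}") from None
    if not 0 <= plen <= 32:
        # This is the check ipcalc skips: /33 is accepted there and yields garbage.
        raise ValueError(f"prefix length {plen} out of range 0-32")
    addr = int(ipaddress.IPv4Address(addr_txt))  # raises on a malformed address
    return addr, plen


def subnet_info(cidr):
    """Network, broadcast, mask and usable host count for an IPv4 CIDR."""
    addr, plen = _parse(cidr)
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    network = addr & mask                        # what 'ipcalc -n' prints
    broadcast = network | (~mask & 0xFFFFFFFF)   # what 'ipcalc -b' prints

    # Cross-check the arithmetic against the standard library.
    net = ipaddress.ip_interface(cidr).network
    assert int(net.network_address) == network
    assert int(net.broadcast_address) == broadcast

    # /31 (RFC 3021) and /32 have no separate network/broadcast addresses.
    hosts = net.num_addresses if plen >= 31 else net.num_addresses - 2
    return {
        "NETWORK": str(ipaddress.IPv4Address(network)),
        "BROADCAST": str(ipaddress.IPv4Address(broadcast)),
        "NETMASK": str(ipaddress.IPv4Address(mask)),
        "HOSTS": hosts,
    }


if __name__ == "__main__":
    for key, value in subnet_info("192.168.34.45/27").items():
        print(f"{key}={value}")
    try:
        subnet_info("192.168.34.45/33")
    except ValueError as err:
        print("rejected:", err)
```

<p>The assertions inside <code>subnet_info</code> are there on purpose: when a tool computes addresses for a firewall rule, a silent off-by-one in the mask is worse than a crash, so the hand arithmetic is checked against a second implementation before anything is returned.</p>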
<p><strong>Restart Checkpoint Smart Center/Management Server only, without traffic interruption</strong> - 2010-08-19T18:38:53+00:00 - Yuri Slobodyanyuk - tag:yurisk.info,2010-08-19:/2010/08/19/restart-checkpoint-smart-center-only/</p>
<p>It is among the top 10 questions I hear on a daily basis, so here is how to restart only the Checkpoint SmartCenter (Security Management Server). It is especially useful in a Standalone firewall topology, where the Management Server and the Firewall module are installed on the same machine and you don't want to simply reboot it. This way firewalling keeps running uninterrupted, with no downtime.<br>
First, stop the SmartCenter (Management Server):<br>
<strong>cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command "fw kill fwm"</strong> </p>
<p>Now start it again:<br>
<strong>cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"</strong> </p>
<p><strong>List of valid domain names for load testing DNS</strong> - 2010-08-14T09:45:19+00:00 - Yuri Slobodyanyuk - tag:yurisk.info,2010-08-14:/2010/08/14/list-of-valid-domain-names/</p>
<p>I am currently running a bunch of tests on the DNS resolver software called <a href="http://www.unbound.net/">Unbound</a> to see what it is worth, and for that I needed a list of valid domain names in different but controllable TLDs. The only such list I could find for download was the 3 million record file from Nominum, <a href="ftp://ftp.nominum.com/pub/nominum/dnsperf/data/queryfile-example-3million.gz">Sample query data file for use with resperf</a>. The trouble is that it contains all kinds of record types (A, PTR, AAAA), while I wanted a list of domain names where I can choose the query type myself and also restrict the sample to a specific TLD,
say all domains in the .ASIA TLD only. To compile such a list I took a word list, appended each of the chosen extensions to every word and ran the result against a DNS server. Then I filtered the answers to keep only existing, resolvable domains that return at least one answer to an ANY query. So far I have done it for the extensions .ASIA .COM .CA .BIZ .EDU .EU .FR .INFO .MIL .NET .ORG .RU, and it brought 831903 valid domains.<br>
You can download the final list of those domains here: <a href="http://yurisk.info/domain_list.txt.gz">Domain list 831903 domains</a></p>
<p><strong>Restart SNMP daemon on Checkpoint</strong> - 2010-08-14T06:26:48+00:00 - Yuri Slobodyanyuk - tag:yurisk.info,2010-08-14:/2010/08/14/restart-snmp-daemon-on-checkpoint/</p>
<p>While nothing remarkable in itself, the problem (all monitored SNMP values were normal, but the CPU showed 100% on an Open Server with 8 CPUs)
did remind me that you should always record the current state before making changes.
As I said, it was an Open Server that the client monitors with SNMP, and suddenly it alerted on CPU 100%; as this server has 8 CPUs, it was clear that the SNMP daemon was the one feeling bad.
The solution was also obvious – restart the SNMP daemon on the Checkpoint server.
So I found all the instances of snmp running: </p>
<p><strong>ps ax | grep snmp</strong></p>
<p><strong>ps ax | grep snmp</strong></p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="mi">1061</span><span class="w"> </span><span class="err">?</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mi">08</span><span class="w"> </span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">snmpd</span><span class="w"> </span><span class="o">-</span><span class="n">Lsd</span><span class="w"> </span><span class="o">-</span><span class="n">Lf</span><span class="w"> </span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="nb nb-Type">null</span><span class="w"> </span><span class="o">-</span><span class="n">p</span><span class="w"> </span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">run</span><span class="o">/</span><span class="n">snmpd</span><span class="w"> </span><span class="o">-</span><span class="n">a</span><span class="w"> </span><span class="o">-</span><span class="n">c</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">snmp</span><span class="o">/</span><span class="n">snmpd</span><span class="o">.</span><span class="n">users</span><span class="o">.</span><span class="n">conf</span><span class="w"> </span><span class="mi">161</span><span class="w"> </span>
<span class="w"> </span><span class="mi">1066</span><span class="w"> </span><span class="err">?</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mi">00</span><span class="w"> </span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">cpsnmpagentx</span><span class="w"> </span>
<span class="w"> </span><span class="mi">5808</span><span class="w"> </span><span class="err">?</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mi">00</span><span class="w"> </span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">CPshrd</span><span class="o">-</span><span class="n">R65</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">cpsnmpd</span><span class="w"> </span><span class="o">-</span><span class="n">p</span><span class="w"> </span><span class="mi">260</span><span class="w"> </span>
<span class="w"> </span><span class="mi">18973</span><span class="w"> </span><span class="n">ttyp1</span><span class="w"> </span><span class="n">S</span><span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="mi">00</span><span class="w"> </span><span class="n">grep</span><span class="w"> </span><span class="n">snmp</span><span class="w"></span>
</code></pre></div>
<p>Then I sent a kill signal to each one of them, and all went OK. But then my SSH session got abruptly disconnected for an unrelated reason, so I no longer had the list of commands and their options seen above and therefore couldn't restart them. I do have the privilege of access to a heap of other Checkpoint machines, so I just entered one of them and copied the snmp daemon commands from there; had I had no such alternative, a time-consuming search on Google/cpug.org would have been in order.<br>
Conclusion – before altering some state, take note of the current one and record it somewhere (Notepad++ rules here).</p>
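<p>The lesson of this post turned into a script, as an added example that is not part of the original post: parse the <code>ps ax</code> listing in the shape shown above, save the full command lines of the daemons you are about to kill, and read them back as restart commands. The sample listing is constructed from the one above; <code>matching_processes</code>, <code>snapshot</code> and <code>restart_commands</code> are names chosen here.</p>

```python
"""Record running daemons' command lines before killing them.

Added example, not part of the original post. It parses 'ps ax' output in
the layout shown on the page (PID TTY STAT TIME COMMAND), saves the full
command lines of the matching processes to a JSON file, and reads them
back as the commands needed to start the daemons again. SAMPLE_PS is
constructed from the post's listing.
"""
import json
import re
import subprocess
from pathlib import Path

# Constructed sample in the 'ps ax' layout: PID TTY STAT TIME COMMAND
SAMPLE_PS = """\
  PID TTY      STAT   TIME COMMAND
 1061 ?        S      0:08 /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd -a -c /etc/snmp/snmpd.users.conf 161
 1066 ?        S      0:00 /usr/sbin/cpsnmpagentx
 5808 ?        S      0:00 /opt/CPshrd-R65/bin/cpsnmpd -p 260
18973 ttyp1    S      0:00 grep snmp
"""

PS_LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<tty>\S+)\s+(?P<stat>\S+)\s+(?P<time>\S+)\s+(?P<cmd>.+?)\s*$"
)


def matching_processes(ps_output, pattern):
    """Return [(pid, cmdline)] for processes whose command line matches
    pattern, skipping the header and the grep that is looking for them."""
    rx = re.compile(pattern)
    found = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m or not rx.search(m["cmd"]):
            continue
        if m["cmd"].startswith("grep "):
            continue  # our own search process, not a daemon
        found.append((int(m["pid"]), m["cmd"]))
    return found


def snapshot(ps_output, pattern, path):
    """Write the matching PIDs and full command lines to path, so the exact
    invocation (flags, config file, port) survives a lost SSH session."""
    procs = matching_processes(ps_output, pattern)
    Path(path).write_text(json.dumps([{"pid": p, "cmd": c} for p, c in procs], indent=2))
    return procs


def restart_commands(path):
    """Read a snapshot back and return the command lines to run again."""
    return [entry["cmd"] for entry in json.loads(Path(path).read_text())]


def live_ps_output():
    """Run 'ps ax' on the local box (assumes a Unix-like system with ps)."""
    return subprocess.run(["ps", "ax"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Use SAMPLE_PS here; on a real box pass live_ps_output() instead.
    for pid, cmd in snapshot(SAMPLE_PS, "snmp", "snmp-before.json"):
        print(f"{pid}: {cmd}")
    print("to restart:")
    for cmd in restart_commands("snmp-before.json"):
        print("  " + cmd)
```

<p>Take the snapshot before the kill, and keep it: the same file is what you compare a later <code>ps ax</code> against to notice a daemon that came back with different flags, a different config path, or a listener on a port you did not expect.</p>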
<p><strong>Query non-standard port of SNMP with snmpwalk</strong> - 2010-08-11T06:14:45+00:00 - Yuri Slobodyanyuk - tag:yurisk.info,2010-08-11:/2010/08/11/query-non-standard-port-of-snmp/</p>
<p><em>TLDR</em>: <strong>Append a colon to the IP address (no space), then the custom port.</strong></p>
<p>Sometimes the simple things are the ones that perplex us the most. Today I needed to add SNMP monitoring of a Radware Linkproof load balancer listening on port 7777. Not a big deal, I thought. But before doing it in the monitoring system I wanted to be sure, and tried to query the Linkproof with snmpwalk. To my surprise its help made no mention of how to do it. Searching Google brought up the option <code>-p &lt;port&gt;</code>, which didn't work though. The solution is actually quite simple – immediately after the
IP of the device put the port number after a colon, e.g. for port 7777: <br>
root@darkstar# snmpwalk -v 2c -c notpublic 12.120.186.8:<strong>7777</strong> </p>
<p><strong>Break free from the GUI dependency – checking Fortigate logs on the cli.</strong> - 2010-07-15T19:14:04+00:00 - Yuri Slobodyanyuk - tag:yurisk.info,2010-07-15:/2010/07/15/break-free-from-the-gui-dependency-checking-fortigate-logs-on-the-cli/</p>
<p>Fortinet are doing a lot to keep us away from the command line. And that's OK in 95% of the cases. But sooner or later you come to meet the 5% of the bad and the ugly, when you have no access to the GUI at all. One late evening [and I am sure all security/networking equipment long ago conspired against us to cause trouble at abnormal/non-working hours only] one of the clients asked if I could check something. </p>
<p>To check it I needed access to the Fortigate logs. All good and well, if it were not for the excruciatingly slow connection (in your case it may be blocked GUI management ports, out-of-band console access only, or high Fortigate CPU utilization) that made the GUI unusable. As I had not the slightest inclination to turn a late evening into an early morning, I SSHed to the machine, ran the <strong>#show log</strong> and <strong>#get log</strong> commands … and got the logging configuration settings of the firewall. But where are the logs? </p>
<p>Here: </p>
<p>FGT# <strong>execute log display</strong></p>
<p>Hurray! I got lots of lines running on the terminal, only it was the traffic log and I wanted the Event log; moreover, it showed only the first 100 lines out of 3400 and I wanted it all. So let’s do it by steps.
Step 1 – know what is served </p>
<p>Run this first to see what you will be presented and what not: </p>
<p>FGT-ugly # <strong>execute log filter dump</strong></p>
<p><code>category: traffic</code> // each type of log is called a category, see later </p>
<p><code>device: memory</code> // where the logs are read from </p>
<p><code>roll: 0</code> // archived version </p>
<p><code>start-line: 1</code> // on which line of the logs to start presenting </p>
<p><code>view-lines: 700</code> // how many lines to show</p>
<p>Step 2 – I want Event logs now ! </p>
<p>FGT# <strong>execute log filter category</strong> //this way you can see all available logs</p>
<div class="highlight"><pre><span></span><code>Available categories:
0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: anomaly
8: voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns
</code></pre></div>
<p>FGT# <strong>execute log filter category 1</strong> // switch to Event log </p>
<p>What is left is how many lines to show at once:<br>
FGT# <strong>execute log filter view-lines</strong> <code>&lt;number 5 - 1000&gt;</code> // Aha, so we can see at most 1000 lines per go. Not a problem actually, because every time you run #<code>execute log display</code> the starting line is advanced for the next run by the number of lines shown.
To wrap it all up, I enabled session logging in PuTTY, through which I connected to the firewall, and ran: </p>
<p>FGT# <strong>execute log display</strong></p>
<div class="highlight"><pre><span></span><code>3011 logs found.
1000 logs returned.
1: 2010-07-13 19:10:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=4 msg="Performance statistics"
2: 2010-07-13 19:05:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=7 msg="Performance statistics"
3: 2010-07-13 19:01:28 log_id=0104032001 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from https(21.14.127.14)"
4: 2010-07-13 19:00:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=5 msg="Performance statistics"
5: 2010-07-13 18:55:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=8 msg="Performance statistics"
6: 2010-07-13 18:54:09 log_id=0104032003 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=logout status=success reason=timeout msg="Administrator admin timed out on https
</code></pre></div>
<p>Reference of all Fortigate log messages:<br>
<a href="https://docs.fortinet.com/document/fortigate/5.6.8/fortios-log-message-reference"> FortiGate_Log_Message_Reference</a></p>
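<p>As an added example (not the post's own code), here is a small Python 3 script that parses the key=value records printed by <code>execute log display</code>, counts them by subtype, pulls out the admin login/logout events with their source address, and works out how many display rounds a log of a given size needs at a given view-lines setting. The output it embeds is constructed in the format of the Event log excerpt above.</p>

```python
#!/usr/bin/env python3
# Added example: parse the records printed by "execute log display" on a Fortigate
# and pull out what an admin usually wants from the Event log. Not the blog's own script.
import math
import re
from collections import Counter

# Constructed sample, in the same format as the Event log excerpt in the post
# (figures and the 21.14.127.14 address are taken from that excerpt, not from a live box).
SAMPLE_OUTPUT = """3011 logs found.
1000 logs returned.
1: 2010-07-13 19:10:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=4 msg="Performance statistics"
2: 2010-07-13 19:05:58 log_id=0143040704 type=event subtype=his-performance pri=information vd="root" action=perf-stats cpu=0 mem=10 total_session=7 msg="Performance statistics"
3: 2010-07-13 19:01:28 log_id=0104032001 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from https(21.14.127.14)"
4: 2010-07-13 18:54:09 log_id=0104032003 type=event subtype=admin vd=root pri=information user="admin" ui=https(21.14.127.14) action=logout status=success reason=timeout msg="Administrator admin timed out on https(21.14.127.14)"
"""

HEADER_RE = re.compile(r"^(\d+) logs (found|returned)\.$")
RECORD_RE = re.compile(
    r"^(?P<seq>\d+):\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="quoted value"
UI_RE = re.compile(r"^(?P<method>\w+)\((?P<addr>[^)]*)\)$")  # e.g. https(21.14.127.14)


def parse_log_display(text):
    """Return (logs_found, logs_returned, records).

    Each record is a dict of the key=value fields (quotes stripped) plus the
    'seq', 'date' and 'time' columns printed in front of them."""
    found = returned = 0
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            if m.group(2) == "found":
                found = int(m.group(1))
            else:
                returned = int(m.group(1))
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue  # blank line, prompt echo or anything else that is not a record
        rec = {"seq": int(m.group("seq")), "date": m.group("date"), "time": m.group("time")}
        for key, value in FIELD_RE.findall(m.group("body")):
            rec[key] = value.strip('"')
        records.append(rec)
    return found, returned, records


def count_by_subtype(records):
    """How many records of each subtype (his-performance, admin, ...) were returned."""
    return Counter(r.get("subtype", "?") for r in records)


def admin_sessions(records):
    """(timestamp, user, action, status, source address) for subtype=admin events,
    oldest first; the device prints newest first, so the order is reversed here."""
    out = []
    for r in sorted(records, key=lambda r: (r["date"], r["time"])):
        if r.get("subtype") != "admin":
            continue
        ui = UI_RE.match(r.get("ui", ""))
        addr = ui.group("addr") if ui else r.get("ui", "")
        out.append((r["date"] + " " + r["time"], r.get("user", ""),
                    r.get("action", ""), r.get("status", ""), addr))
    return out


def display_rounds(logs_found, view_lines):
    """Number of "execute log display" calls needed to read the whole log when
    each call prints view-lines records and advances start-line by that amount."""
    if not 5 <= view_lines <= 1000:
        raise ValueError("view-lines must be between 5 and 1000")
    return math.ceil(logs_found / view_lines)


if __name__ == "__main__":
    found, returned, recs = parse_log_display(SAMPLE_OUTPUT)
    print(f"{found} logs on the device, {returned} per page, {len(recs)} in this sample")
    print("by subtype:", dict(count_by_subtype(recs)))
    for ts, user, action, status, addr in admin_sessions(recs):
        print(f"{ts} {user} {action} {status} from {addr}")
    print("display rounds at view-lines 1000:", display_rounds(found, 1000))
```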
MAC finder script 2010-07-02T05:35:37+00:00 Yuri Slobodyanyuk tag:yurisk.info,2010-07-02:/2010/07/02/mac-finder-script/<p>While I don't like going down to Layer 2, recently I had to: I didn't know the IP address of the Cisco router I wanted to connect to, but I had access to a Cisco router sitting in the same network. That would have been pretty easy, doing <strong>#show arp</strong> on this router and then searching on Google to whom each MAC belongs, if it weren't for the subnet mask of /26. Copy-pasting each entry of the ARP table into Google didn't look like a lot of fun. So I wrote a Python script that reads MAC addresses in bulk from the command line and, using a MAC-vendor translation database downloaded beforehand, prints the vendor for each MAC address. It works for <strong>#show arp</strong> on Cisco, <strong>#show mac-address-table</strong> on Cisco switches, <strong>#arp -en</strong> on Linux (which includes Checkpoint), <strong>#arp -a</strong> on FreeBSD, <strong>#show arp</strong> of Junos from Juniper, and <strong>#get sys arp</strong> on Fortigate.<br>
Below is the script.<br>
Here:<br>
<strong>mac-database.txt</strong> - file containing the MAC-vendor translation in the format "MAC, first 6 hex digits as a sequence" "VENDOR". I used <a href="http://standards-oui.ieee.org/oui.txt"> http://standards-oui.ieee.org/oui.txt </a> as the source with a bit of sed, but if you want a ready-to-use file I recommend <strong>nmap-mac-prefixes</strong> from the nmap source-code distribution <a href="http://nmap.org/svn/nmap-mac-prefixes">http://nmap.org/svn/nmap-mac-prefixes</a>
Download the script (to make sure formatting is preserved, an important thing for Python):
<a href="https://yurisk.info/scripts/mac-finder.py">https://yurisk.info/scripts/mac-finder.py</a><br>
Script AND MAC database from the nmap project - <a href="https://yurisk.info/scripts/mac.tar.gz"> https://yurisk.info/scripts/mac.tar.gz</a></p>
<div class="highlight"><pre><span></span><code>#!/usr/bin/env python3
# This script accepts text containing MAC addresses on standard input and
# prints the vendor for each MAC address it finds.
# Author: Yuri, yurisk@yurisk.info, 06.2010
import re
import sys

# The three notations met in the wild: Cisco xxxx.xxxx.xxxx, Linux/BSD/Junos/Fortigate
# xx:xx:xx:xx:xx:xx and Windows xx-xx-xx-xx-xx-xx
MAC_RE = re.compile(
    r'([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}'
    r'|[0-9a-f]{2}(?::[0-9a-f]{2}){5}'
    r'|[0-9a-f]{2}(?:-[0-9a-f]{2}){5})',
    re.IGNORECASE)


def prefix_of(mac):
    """Remove the dot/colon/dash separators and return the first 6 hex digits (the OUI)."""
    return re.sub(r'[.:-]', '', mac)[0:6].upper()


def load_database(path):
    """Read the MAC-vendor database, one 'XXXXXX Vendor' line per entry, into a dict.
    Comment lines (as in nmap-mac-prefixes) and anything else without a 6-digit prefix are skipped."""
    vendors = {}
    with open(path) as macs:
        for line in macs:
            parts = line.split(None, 1)
            if len(parts) == 2 and len(parts[0]) == 6:
                vendors[parts[0].upper()] = parts[1].strip()
    return vendors


def main():
    vendors = load_database('mac-database.txt')
    # Read from standard input: paste the "show arp" / "arp -a" output, then hit Ctrl+D
    for line in sys.stdin:
        for mac in MAC_RE.findall(line):
            vendor = vendors.get(prefix_of(mac))
            if vendor:
                print(line.strip(), vendor)


if __name__ == '__main__':
    main()
</code></pre></div>
<p>Running it:</p>
<p>[root@darkstar ]#./mac-finder.py</p>
<p>Now I paste the output of arp -a from BSD: </p>
<div class="highlight"><pre><span></span><code>$ arp -a
(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet]
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet]
&lt;Hit CTRL+D to signal the end of input&gt;
(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet] VMware, Inc.
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet] Fortinet Inc.
</code></pre></div>
Visio stencils for Cisco, Juniper, Fortinet, Checkpoint, Avaya Updated for 2020 2010-06-26T12:43:25+00:00 Yuri Slobodyanyuk tag:yurisk.info,2010-06-26:/2010/06/26/visio-stencils-for-cisco-juniper-fortinet-checkpoint-avaya/<p>Updated for 2022.<br>
Some links to download Microsoft Visio stencils of the most popular vendors. </p>
<p><a href="https://www.juniper.net/us/en/products-services/icons-stencils/">Juniper</a> </p>
<p><a href="https://www.cisco.com/c/en/us/products/visio-stencil-listing.html">Cisco</a> </p>
<p><a href="https://support.avaya.com/support/en/helpcenter/GenericDetail/C20097681410857094">Avaya</a> </p>
<p><a href="https://github.com/lateralblast/vss/tree/master/bluecoat">BlueCoat</a> </p>
<p><a href="https://www.fortinet.com/resources/icon-library">Fortinet</a> </p>
<p><a href="https://www.paloaltonetworks.com/company/press-kit.html">Palo Alto Networks</a> </p>
<p><a href="https://download.emc.com/downloads/DL70823_Unity_Visio_Stencils.zip?source=OLS">Dell</a> Requires registration </p>
<p>Checkpoint happens not to have an official stencil set; only Nokia appliance stuff can be found. So someone volunteered and, using icons/press releases/PowerPoint presentations made by Checkpoint, turned them into Visio stencils:<br>
<a href="http://fireverse.org/official-unofficial-check-point-visio-stencil/">fireverse.org</a> <br>
An additional place to look is <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk101866">Checkpoint.com</a>, which actually redirects to the <a href="https://visiostencils.com/mcs/CPST.html">Netxoom company</a> </p>
Where do I download the Checkpoint Splat/Gaia image 2010-06-26T07:15:18+00:00 Yuri Slobodyanyuk tag:yurisk.info,2010-06-26:/2010/06/26/where-do-i-download-the-checkpoint-splat-image/<p>The answer is surprisingly simple – at <a href="http://www.Checkpoint.com">Checkpoint.com</a>. On the home page there is a link to download their products, <a href="https://www.checkpoint.com/demos/">Try Our Products</a> (SPLAT, SmartDefense, Endpoint). You need a free General account in UserCenter; then you fill in a general questions form and get a link to download the real production image of whatever you chose to download. You get an evaluation license for 30 days on the same page; without any license, upon install you get an unlimited 15-day trial.</p>
8 Things to do before opening ticket with Checkpoint 2010-06-25T10:40:53+00:00 Yuri Slobodyanyuk tag:yurisk.info,2010-06-25:/2010/06/25/things-to-do-before-opening-ticket-with-checkpoint/<p>I’ve been doing Checkpoint quite a lot, actually for years now. And this inevitably involves
communicating with the <strong>Checkpoint Technical Assistance Centre (TAC)</strong> . And while
you can easily come up with impression that it is pretty bad (look around at cpug.org) for heated flames about that), my view is that a lot depends on you. The way you manage the ticket and interaction with the Checkpoint TAC is often more important than anything else for successful resolution of the case. </p>
<p>To assist in that I prepared this list of things to do and keep in mind before you actually call the TAC and open a case. In my experience following these simple steps shortens the time to resolution and saves your nerves substantially.</p>
<p><strong>1. Understand and state the problem exactly.</strong></p>
<p>A clearly defined problem is half the solution. Describe the problem in measurable terms, not qualitative ones.
Not "VPN tunnels flap and fail all the time" but "the VPN tunnel between these two peers comes up for 3-5 minutes, then goes down for 10 minutes; communication between the sites stops and in SmartView Tracker I see the following ...".
Not "If I enable URL filtering everything works slowly" but "If I enable URL filtering it takes 40 seconds to load the same page that loads in 3 seconds without URL filtering, my download rates from various sites drop by such and such numbers, and in the logs I see ...".
Screenshots of the error messages are very welcome.</p>
<p><strong>2. "… the burden of proof is on the defendant" – gather all needed info even before you get asked to.</strong></p>
<p>Have you worked in a TAC? No? Then let me illustrate. The support engineer who answers has not the slightest idea what equipment is on your site, what the IP addresses are, whether load balancers, NAT devices or traffic accelerators are involved, not to mention that yours is the 10th case today. In short, he or she knows nothing about your topology, while you, on the other hand, having worked for years with the same setup, come to think this knowledge is a known fact to everyone. So please don’t; when approaching the TAC think of it as preparing a presentation that describes your network topology in 10 minutes to a complete stranger on the street (no need to practice this, though :)).
Topology info you will most probably need to supply:</p>
<ul>
<li>IP addresses of interfaces and routes of all the devices that are involved in the problematic traffic.</li>
<li>All NAT/IPS/load balancing/acceleration tampering going on in your network.</li>
<li>Changes in topology that were made just before the problem occurred.</li>
</ul>
<p><strong>3. Provide Cpinfo files from all the Checkpoint devices involved.</strong></p>
<p>The Checkpoint support engineer most probably has no access to your firewall, and still has to fully understand its configuration and state. The closest thing to giving them access is a Cpinfo file. If you have a distributed Checkpoint setup, collect one from every device.
It is also advisable to make sure that all your devices have the latest Cpinfo utility installed [sk30567]. Unfortunately regular users can’t download it from the Checkpoint UserCenter; you will need at least a Partner account with them.</p>
<p>NOTE regarding handing files over to the Checkpoint TAC: when you supply Cpinfo files you provide complete information about your firewall, its rules, objects and their properties, and so on. Think of it as giving them a one-to-one copy of the firewall, so if you have any privacy or confidentiality reservations, take that into account.</p>
<p><strong>4. Do a packet capture that also includes the problematic traffic.</strong></p>
<p>Should you have any sort of case demanding serious debugging, be prepared to attach traffic captured while replicating the problem. Of course consider the load on the firewall, but usually, to see whether any of the traffic is dropped, Checkpoint will ask you to run <strong><a href="http://yurisk.info/2009/12/12/fw-monitor-command-reference/">fw monitor</a> -o capture.cap</strong>.
Supplement this capture with the output of <strong>fw ctl zdebug drop &gt; dropped.txt</strong>, run only for the minute or two it takes to reproduce the problem, since it logs every single dropped packet.</p>
<p><strong>5. If you open the case through the Checkpoint website and the problem is rather urgent, follow up with a phone call (<a href="https://www.checkpoint.com/about-us/contact-us/">contact list</a>).</strong></p>
<p>When you open a case it is put in the queue with all the other cases waiting to be assigned to support engineers. This happens on a FIFO basis (each severity level has its own queue, I guess), so it may wait there for a good few hours. In such cases, and when the case justifies it, you may call the TAC and ask the person (not demand) to speed up assigning your case to an engineer. I used this procedure and usually the case was assigned to someone 15 minutes after my call.</p>
<p><strong>6. Provide correct and the most available means to contact you back.</strong></p>
<p>Nothing is more disheartening for a support engineer than to get a case and then chase you for hours or days.</p>
<p><strong>7. If you work for a Checkpoint Partner or proudly hold CCSE/CCSE+ certs, actually do some debugging yourself ;).</strong>
Working for a Checkpoint Partner (as I do) in my opinion not only gives us immediate, unrestricted access to the TAC but also the responsibility to do as much as possible to debug the problem ourselves (moreover, it sucks to look amateurish). I should state that I don’t always follow this advice, but I always try to.
Make “The NGX Advanced Technical Reference Guide (ATRG)” [sk31221] your bedtime reading and you will decrease the number of open tickets by 50%, guaranteed.
When you do the relevant debug, even without being able to interpret the results, you save many hours of waiting for the TAC engineer to just ask you for the very same debug and its logs.</p>
<p><strong>8. In case of emergency call 911 and ask for a remote session.</strong></p>
<p>In urgent cases, when you are experiencing heavy downtime, be prepared for and even ask for a remote session with the engineer who got your case. Checkpoint has TeamViewer-like software that lets them connect to your workstation while it is connected to the firewall. Also, the last time I checked, this software had no (identifiable) keyloggers/Trojans, so don’t worry :).</p>
Solaris interfaces – create assign delete2010-06-16T18:27:10+00:002010-06-16T18:27:10+00:00Yuri Slobodyanyuktag:yurisk.info,2010-06-16:/2010/06/16/solaris-interfaces-create-assign-delete/<p>Working with interfaces in Solaris is pretty much the same as in Linux - you've got <strong>ifconfig, netstat, route</strong>. The output looks a bit different, but if you're used to the *BSD way of things you'll feel at home. So the most basic things follow - bring an interface up, assign an IPv4 address, save the change so it survives a reboot.<br>
<strong>Plumb.</strong> The first step sounds a bit strange - plumbing - but is actually very simple (no need to call Mario). You just plumb the interface (I am talking about Ethernet-type interfaces) into the IP stack.</p>
<ul>
<li>Interface before plumbing:</li>
</ul>
<p>bash-3.00# <strong>ifconfig e1000g2</strong></p>
<p><code>ifconfig: status: SIOCGLIFFLAGS: e1000g2: no such interface</code></p>
<p>Even an unplumbed interface can be seen with:</p>
<p>bash-3.00# <strong>dladm show-link</strong></p>
<div class="highlight"><pre><span></span><code>e1000g0 type: non-vlan mtu: 1500 device: e1000g0
e1000g1 type: non-vlan mtu: 1500 device: e1000g1
e1000g2 type: non-vlan mtu: 1500 device: e1000g2
</code></pre></div>
<ul>
<li>Now plumbing:</li>
</ul>
<p>bash-3.00# <strong>ifconfig e1000g2 plumb</strong><br>
bash-3.00# <strong>ifconfig e1000g2</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">e1000g2</span><span class="o">:</span><span class="w"> </span><span class="n">flags</span><span class="o">=</span><span class="mi">1000842</span><span class="o"><</span><span class="n">BROADCAST</span><span class="o">,</span><span class="n">RUNNING</span><span class="o">,</span><span class="n">MULTICAST</span><span class="o">,</span><span class="n">IPv4</span><span class="o">></span><span class="w"> </span><span class="n">mtu</span><span class="w"> </span><span class="mi">1500</span><span class="w"> </span><span class="n">index</span><span class="w"> </span><span class="mi">4</span><span class="w"></span>
<span class="w"> </span><span class="n">inet</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="mf">0.0</span><span class="w"> </span><span class="n">netmask</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="w"> </span><span class="n">ether</span><span class="w"> </span><span class="mi">00</span><span class="o">:</span><span class="n">E0</span><span class="o">:</span><span class="mi">9</span><span class="n">F</span><span class="o">:</span><span class="mi">67</span><span class="o">:</span><span class="mi">98</span><span class="o">:</span><span class="n">fb</span><span class="w"></span>
</code></pre></div>
<p><strong>Assign an IP and bring it up.</strong> <br>
This one is well known.</p>
<p>bash-3.00# <strong>ifconfig e1000g2 inet 192.2.2.3/24 up</strong><br>
bash-3.00# <strong>ifconfig e1000g2</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">e1000g2</span><span class="o">:</span><span class="w"> </span><span class="n">flags</span><span class="o">=</span><span class="mi">1000843</span><span class="o"><</span><span class="n">UP</span><span class="o">,</span><span class="n">BROADCAST</span><span class="o">,</span><span class="n">RUNNING</span><span class="o">,</span><span class="n">MULTICAST</span><span class="o">,</span><span class="n">IPv4</span><span class="o">></span><span class="w"> </span><span class="n">mtu</span><span class="w"> </span><span class="mi">1500</span><span class="w"> </span><span class="n">index</span><span class="w"> </span><span class="mi">4</span><span class="w"> </span>
<span class="w"> </span><span class="n">inet</span><span class="w"> </span><span class="mf">192.2</span><span class="o">.</span><span class="mf">2.3</span><span class="w"> </span><span class="n">netmask</span><span class="w"> </span><span class="n">ffffff00</span><span class="w"> </span><span class="n">broadcast</span><span class="w"> </span><span class="mf">192.2</span><span class="o">.</span><span class="mf">2.255</span><span class="w"> </span>
<span class="w"> </span><span class="n">ether</span><span class="w"> </span><span class="mi">00</span><span class="o">:</span><span class="n">E0</span><span class="o">:</span><span class="mi">9</span><span class="n">F</span><span class="o">:</span><span class="mi">67</span><span class="o">:</span><span class="mi">98</span><span class="o">:</span><span class="n">fb</span><span class="w"></span>
</code></pre></div>
<p><strong>Make this change permanent</strong><br>
So far so good, but if you restart the machine now it will lose its interface settings. To save them, create a text file named <strong>/etc/hostname.&lt;interface name&gt;</strong>; in my case that is <strong>/etc/hostname.e1000g2</strong>. The existence of the file alone plumbs the interface at boot; put the IP address inside it in the form '192.2.2.3/24' and the address is assigned as well. That is it.</p>
<p>To see whether the interface is up or down at the link level, and its speed/duplex parameters:</p>
<p>bash-3.00# <strong>dladm show-dev</strong></p>
<div class="highlight"><pre><span></span><code>e1000g0 link: up speed: 1000 Mbps duplex: full
e1000g1 link: up speed: 1000 Mbps duplex: full
e1000g2 link: up speed: 1000 Mbps duplex: full
</code></pre></div>
<p><strong>Create/delete logical interface</strong> In the Cisco world you would call it assigning a secondary IP to the interface.</p>
<p>bash-3.00# <strong>ifconfig e1000g1 addif 193.92.13.3/24</strong><br>
<code>Created new logical interface e1000g1:1</code><br>
bash-3.00# <strong>ifconfig e1000g1:1 up</strong><br>
bash-3.00# <strong>ifconfig e1000g1:1</strong> </p>
<div class="highlight"><pre><span></span><code><span class="n">e1000g1</span><span class="o">:</span><span class="mi">1</span><span class="o">:</span><span class="w"> </span><span class="n">flags</span><span class="o">=</span><span class="mi">1000843</span><span class="o"><</span><span class="n">UP</span><span class="o">,</span><span class="n">BROADCAST</span><span class="o">,</span><span class="n">RUNNING</span><span class="o">,</span><span class="n">MULTICAST</span><span class="o">,</span><span class="n">IPv4</span><span class="o">></span><span class="w"> </span><span class="n">mtu</span><span class="w"> </span><span class="mi">1500</span><span class="w"> </span><span class="n">index</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span>
<span class="n">inet</span><span class="w"> </span><span class="mf">193.92</span><span class="o">.</span><span class="mf">13.3</span><span class="w"> </span><span class="n">netmask</span><span class="w"> </span><span class="n">ffffff00</span><span class="w"> </span><span class="n">broadcast</span><span class="w"> </span><span class="mf">193.92</span><span class="o">.</span><span class="mf">13.255</span><span class="w"> </span>
</code></pre></div>
<p>Remove logical interface:</p>
<p>bash-3.00# <strong>ifconfig e1000g1 removeif 193.92.13.3</strong><br>
bash-3.00# <strong>ifconfig e1000g1:1</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">ifconfig</span><span class="o">:</span><span class="w"> </span><span class="n">status</span><span class="o">:</span><span class="w"> </span><span class="n">SIOCGLIFFLAGS</span><span class="o">:</span><span class="w"> </span><span class="n">e1000g1</span><span class="o">:</span><span class="mi">1</span><span class="o">:</span><span class="w"> </span><span class="n">no</span><span class="w"> </span><span class="n">such</span><span class="w"> </span><span class="kd">interface</span><span class="w"></span>
</code></pre></div>
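<p>As an added example, not code from the post, here is a bash script that writes the <strong>/etc/hostname.&lt;interface&gt;</strong> file for both cases above: the primary address on the first line, in the form the post uses, and each logical interface as a further <code>addif A.B.C.D/nn up</code> line, which is how Solaris 10 persists secondaries since every line of that file is handed to ifconfig at boot. The <code>DEST_DIR</code> variable and the address validation are this example's own additions, and the secondary address 192.2.2.4/24 in the usage line is made up.</p>

```shell
#!/usr/bin/env bash
# Added example, not the post's own code: write /etc/hostname.IFACE so that a
# plumbed interface, its primary address and its logical (addif) addresses all
# come back after a reboot on Solaris 10. Every line of that file is handed to
# ifconfig at boot: the first line is the primary address in the form the post
# uses, each further "addif A.B.C.D/nn up" line recreates one logical interface.
# DEST_DIR is this example's own knob so it can be tried on a non-Solaris host;
# leave it at /etc on the real system.
DEST_DIR=${DEST_DIR:-/etc}

# Dotted quad with exactly four numeric octets, each 0-255.
valid_ipv4() {
    local ip=$1 octet
    case $ip in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# A.B.C.D/nn with a valid address and a prefix length of 0-32.
valid_cidr() {
    local cidr=$1 prefix
    case $cidr in */*/*|*/|/*) return 1 ;; */*) ;; *) return 1 ;; esac
    prefix=${cidr##*/}
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    valid_ipv4 "${cidr%/*}"
}

# write_hostname_file IFACE PRIMARY_CIDR [SECONDARY_CIDR ...]
# Refuses to write anything if one address is malformed: a broken hostname.IFACE
# file is only found out at the next reboot, with the box unreachable.
write_hostname_file() {
    local iface=$1 primary=$2 cidr
    shift 2
    valid_cidr "$primary" || { echo "bad primary address: $primary" >&2; return 1; }
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "bad secondary address: $cidr" >&2; return 1; }
    done
    {
        printf '%s\n' "$primary"
        for cidr in "$@"; do printf 'addif %s up\n' "$cidr"; done
    } > "$DEST_DIR/hostname.$iface"
}

# Usage on the Solaris host, with the post's e1000g2 address plus a made-up
# secondary:  ./hostname_file.sh e1000g2 192.2.2.3/24 192.2.2.4/24
if [ $# -ge 2 ]; then
    write_hostname_file "$@"
fi
```

<p>The resulting file for the usage line above has two lines, <code>192.2.2.3/24</code> and <code>addif 192.2.2.4/24 up</code>; the explicit <code>up</code> on the addif line matters, because only the first line gets the implicit bring-up at boot.</p>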
How to choose the password that noone can guess and you cant remember2010-06-09T10:29:21+00:002010-06-09T10:29:21+00:00Yuri Slobodyanyuktag:yurisk.info,2010-06-09:/2010/06/09/how-to-choose-the-password-that-noone-can-guess-and-you-cant-remember/<p>Of course you know what a good password should be - random letters including capitals, peppered with numbers and enhanced with printable control characters.
The only problem with these recommendations is that there are very few people in the world who can memorize such an incomprehensible sequence of characters. So if someone does decide to follow them, such passwords end up written on paper and stuck to the monitor (on its back).
I never followed such recommendations but nevertheless found a way to come up with hard-to-break passwords. Here it is - I just take an easily memorizable sentence from some verse or prose, take the first letter of each word, capitalize the first letter and then add some easy-to-remember number that changes from password to password. Example follows.
This is how the first line of an e.e. cummings poem turns into a password:
<strong>Anyone lived in a pretty how town -> Aliapht6622</strong> </p>
<p>As I said previously, these are the passwords I use also for SSH user access, and for the last year brute force efforts have gone down the drain (so far).
The topic of passwords is actually a big one, and more a matter of human psychology than of crypto-randomness.
For more about that look, for example, here:<br>
<a href="https://www.schneier.com/blog/archives/2007/01/choosing_secure.html">www.schneier.com</a><br>
Another way to come up with random but easy-to-pronounce words for passwords takes a more scientific approach:<br>
<a href="https://www.multicians.org/thvv/gpw-js.html">www.multicians.org</a></p>
Top 10 usernames used in SSH brute force2010-06-04T09:08:23+00:002010-06-04T09:08:23+00:00Yuri Slobodyanyuktag:yurisk.info,2010-06-04:/2010/06/04/top-10-usernames-used-in-ssh-brute-force/<p>As a follow-up to yesterday's post I thought it would be interesting to get statistics on the usernames used in those brute force probes. Below is an awk/sed one-liner that extracts the usernames from the OpenSSH daemon's failed-login messages and sorts them for statistics, followed by the top 10 I got from my server; the full list of usernames is linked at the end.</p>
<p>The script:</p>
<div class="highlight"><pre><span></span><code><span class="nx">awk</span> <span class="s1">'/Failed password for/ '</span> <span class="o">/</span><span class="nx">var</span><span class="o">/</span><span class="kr">log</span><span class="o">/</span><span class="nx">secure</span><span class="o">*</span> <span class="o">|</span> <span class="nx">sed</span> <span class="s1">'s/.* \([[:print:]]\+\) from .*/ \1 /g '</span> <span class="o">|</span> <span class="nx">sort</span> <span class="o">|</span> <span class="nx">uniq</span> <span class="o">-</span><span class="nx">c</span> <span class="o">|</span> <span class="nx">sort</span> <span class="o">-</span><span class="nx">n</span> <span class="o">-</span><span class="nx">k1</span>
</code></pre></div>
<p>And the winners are (the top 10 usernames used in real cracking attempts against the SSH service, in ascending order):</p>
<table>
<thead>
<tr>
<th>Username</th>
<th>Number of times seen</th>
</tr>
</thead>
<tbody>
<tr>
<td>mysql</td>
<td>232</td>
</tr>
<tr>
<td>info</td>
<td>252</td>
</tr>
<tr>
<td>postgres</td>
<td>317</td>
</tr>
<tr>
<td>guest</td>
<td>435</td>
</tr>
<tr>
<td>nagios</td>
<td>452</td>
</tr>
<tr>
<td>user</td>
<td>459</td>
</tr>
<tr>
<td>oracle</td>
<td>598</td>
</tr>
<tr>
<td>admin</td>
<td>884</td>
</tr>
<tr>
<td>test</td>
<td>1017</td>
</tr>
<tr>
<td>root</td>
<td>22058</td>
</tr>
</tbody>
</table>
<p>Full list of the usernames <a href="http://yurisk.info/usernames.log">Usernames.log</a></p>
SSH brute force is on the rise, awk script to count failed SSH attempts2010-06-03T19:31:43+00:002010-06-03T19:31:43+00:00Yuri Slobodyanyuktag:yurisk.info,2010-06-03:/2010/06/03/ssh-brute-force-on-the-rise/<p>SSH brute forcing is still in high demand. I have, for my own testing and pleasure, virtual servers scattered around the world. All of them being of the Linux/BSD family, I manage them by SSH. Also I have, on purpose, no static IP at home for various reasons (saving me money being one of them). And to manage those servers by SSH I use a very simple security rule – from Any to the SSH port, allow. The port is left at the standard one – 22. In all that time my server was broken into just once, when I gave SSH access to a colleague of mine and he later changed the password to something crackable in 5 seconds. Since then I - first, don’t give ssh access to colleagues :), and second - look from time to time at the failed ssh attempt logs for amusement.</p>
<p>My observations so far are:</p>
<ul>
<li>ssh brute forcing is still/yet/again extremely popular and increasing. On average, once unfirewalled access to port 22 is discovered, it climbs to ~5000-6000 attempts per day.</li>
<li>crackers do have some means of communicating among themselves (a market economy?) – my servers have static IPs and in the first days after setup brute force login attempts are as low as 2-10 a day. But once a server IP has been discovered by determined crackers the numbers go up very quickly.</li>
<li>origins of the attacks correlate pretty well with the known sources of spam/malware: Brazil, China, US etc.</li>
</ul>
<p>If you’d like to look at your SSH logs and do some stats on failed attempts, here is the awk one-liner I use. Enjoy.</p>
<div class="highlight"><pre><span></span><code># gawk syntax: match() with a third (array) argument is a gawk extension.
# Only lines that record an authentication failure are counted (the original
# one-liner had this pattern with an empty action, so it counted every line
# carrying an address).
awk '/authentication failure/ {
        # keep the whole last octet (the trailing +), otherwise 85.131.163.50 is
        # counted under 85.131.163.5; the listing below was produced before this
        # fix, which is why its last octets are all one digit
        if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/, IP)) IPS[IP[0]]++
     }
     END { for (cracker_ips in IPS) print cracker_ips " " IPS[cracker_ips] }' /var/log/secure.1 | sort -n -k2
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="mf">190.202.85.3</span><span class="w"> </span><span class="mf">1</span><span class="w"></span>
<span class="mf">194.192.14.7</span><span class="w"> </span><span class="mf">1</span><span class="w"></span>
<span class="mf">212.111.199.3</span><span class="w"> </span><span class="mf">1</span><span class="w"></span>
<span class="mf">222.124.195.1</span><span class="w"> </span><span class="mf">1</span><span class="w"></span>
<span class="mf">210.71.71.1</span><span class="w"> </span><span class="mf">2</span><span class="w"></span>
<span class="mf">89.138.195.1</span><span class="w"> </span><span class="mf">5</span><span class="w"></span>
<span class="mf">212.156.65.7</span><span class="w"> </span><span class="mf">25</span><span class="w"></span>
<span class="mf">202.117.51.2</span><span class="w"> </span><span class="mf">32</span><span class="w"></span>
<span class="mf">210.51.48.7</span><span class="w"> </span><span class="mf">32</span><span class="w"></span>
<span class="mf">115.146.138.5</span><span class="w"> </span><span class="mf">47</span><span class="w"></span>
<span class="mf">60.191.98.5</span><span class="w"> </span><span class="mf">88</span><span class="w"></span>
<span class="mf">174.120.208.5</span><span class="w"> </span><span class="mf">107</span><span class="w"></span>
<span class="mf">61.129.60.2</span><span class="w"> </span><span class="mf">165</span><span class="w"></span>
<span class="mf">202.103.180.4</span><span class="w"> </span><span class="mf">175</span><span class="w"></span>
<span class="mf">213.251.192.2</span><span class="w"> </span><span class="mf">239</span><span class="w"></span>
<span class="mf">91.82.101.4</span><span class="w"> </span><span class="mf">242</span><span class="w"></span>
<span class="mf">220.173.60.6</span><span class="w"> </span><span class="mf">264</span><span class="w"></span>
<span class="mf">12.11.210.3</span><span class="w"> </span><span class="mf">271</span><span class="w"></span>
<span class="mf">144.16.72.1</span><span class="w"> </span><span class="mf">291</span><span class="w"></span>
<span class="mf">212.118.5.1</span><span class="w"> </span><span class="mf">360</span><span class="w"></span>
<span class="mf">66.11.122.1</span><span class="w"> </span><span class="mf">384</span><span class="w"></span>
<span class="mf">211.160.160.1</span><span class="w"> </span><span class="mf">703</span><span class="w"></span>
<span class="mf">190.12.66.1</span><span class="w"> </span><span class="mf">999</span><span class="w"></span>
<span class="mf">83.19.184.3</span><span class="w"> </span><span class="mf">1176</span><span class="w"></span>
<span class="mf">67.213.8.2</span><span class="w"> </span><span class="mf">4955</span><span class="w"></span>
<span class="mf">199.187.120.2</span><span class="w"> </span><span class="mf">5312</span><span class="w"></span>
<span class="mf">95.0.180.2</span><span class="w"> </span><span class="mf">6680</span><span class="w"></span>
<span class="mf">85.131.163.5</span><span class="w"> </span><span class="mf">7685</span><span class="w"></span>
</code></pre></div>
<p>NB: the crackers' IPs are not sanitized.</p>
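<p>As an added example (not the post's code), the one-liner above and the username one-liner from the post before it, turned into reusable shell functions run over a few constructed log lines: failed logins per source address, per username, and a threshold check that lists the addresses worth blocking. It takes the whole token between <code>from</code> and <code>port</code> as the address, so nothing is truncated and IPv6 sources pass through unchanged; the log lines, hostname, PIDs and addresses in the sample are made up for the example.</p>

```shell
#!/usr/bin/env bash
# Added example, not the post's one-liners: failed OpenSSH logins per source
# address and per username as reusable functions, plus a threshold check that
# lists the addresses worth blocking. The log lines are constructed for this
# example in the format OpenSSH writes to /var/log/secure on RHEL/CentOS.
SAMPLE_LOG='Jun  3 10:01:12 vps sshd[2211]: Failed password for root from 85.131.163.50 port 41022 ssh2
Jun  3 10:01:15 vps sshd[2213]: Failed password for root from 85.131.163.50 port 41030 ssh2
Jun  3 10:01:19 vps sshd[2215]: Failed password for invalid user admin from 85.131.163.50 port 41041 ssh2
Jun  3 10:02:40 vps sshd[2230]: Failed password for invalid user test from 190.12.66.100 port 50212 ssh2
Jun  3 10:02:44 vps sshd[2232]: Failed password for oracle from 190.12.66.100 port 50220 ssh2
Jun  3 10:03:01 vps sshd[2240]: Accepted publickey for yuri from 192.0.2.10 port 53001 ssh2
Jun  3 10:03:30 vps sshd[2241]: Failed password for root from 85.131.163.5 port 41100 ssh2'

# Print one "USER ADDRESS" pair per failed login read from stdin. The username
# is the word before " from " (after an optional "invalid user "), the address
# is the whole token between "from " and " port", so 85.131.163.50 is never cut
# down to 85.131.163.5 and IPv6 sources come through unchanged.
failed_logins() {
    local line rest user addr
    grep 'Failed password for' | while read -r line; do
        rest=${line##*Failed password for }
        rest=${rest#invalid user }
        user=${rest%% from *}
        addr=${rest##* from }
        addr=${addr%% port *}
        printf '%s %s\n' "$user" "$addr"
    done
}

# "KEY COUNT" ascending, for field 1 (user) or 2 (address) of failed_logins.
count_field() {
    cut -d' ' -f"$1" | sort | uniq -c | sort -n \
        | while read -r count key; do printf '%s %s\n' "$key" "$count"; done
}
failed_by_user() { failed_logins | count_field 1; }
failed_by_ip()   { failed_logins | count_field 2; }

# Addresses with at least THRESHOLD failures, one per line: the list you would
# hand to iptables or fail2ban.
flag_bruteforcers() {
    local threshold=$1 ip count
    failed_by_ip | while read -r ip count; do
        if [ "$count" -ge "$threshold" ]; then printf '%s\n' "$ip"; fi
    done
}

# Stand-alone run on the sample; on a server: cat /var/log/secure* | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | failed_by_user
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforcers 3
```

<p>On a live server, feed it the real logs (<code>cat /var/log/secure* | failed_by_ip</code>); the output format, address then count in ascending order, matches the listing above, and <code>flag_bruteforcers 100</code> gives the addresses to drop at the firewall.</p>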
Change IP address on the interface without losing the connection2010-06-02T17:22:59+00:002010-06-02T17:22:59+00:00Yuri Slobodyanyuktag:yurisk.info,2010-06-02:/2010/06/02/change-ip-address-on-the-interface-without-losing-the-connection/<p>From time to time I happen to configure from scratch some Checkpoint UTM/Open Server that is a thousand miles away. From experience, the best way to do it is when you have fast out-of-band access to the firewall. Of course such a well-organized setup is not always available, just like today, when I was asked how to change the IP address on the interface through which you are connected to the firewall.
Ok, to be more specific - the client had been connected to his UTM through an ISP that also provided the IP addresses on the WAN (External) interface of the firewall. The time came to change ISP, and accordingly its IP addresses.
All went surprisingly well: my colleague added the new IP address on the External interface as a secondary IP and from then on could access and manage the firewall through this new IP without a hitch. There is one catch though - the SSL VPN service was still listening on the old IP and didn't work because of that. So we had to remove the new IP as the secondary and make it the primary one. He asked my opinion on this, I set up an improvised lab, and here is how to do it.</p>
<ol>
<li>First, since the location is unmanned, I set up a cron job to reboot the box in, say, 10-15 minutes from now, so that if something goes wrong the reboot discards the (non-persistent) changes made in step 2:</li>
</ol>
<p>[Expert@R71]#<strong>crontab -l</strong> </p>
<div class="highlight"><pre><span></span><code>#<span class="w"> </span><span class="k">DO</span><span class="w"> </span><span class="nv">NOT</span><span class="w"> </span><span class="nv">EDIT</span><span class="w"> </span><span class="nv">THIS</span><span class="w"> </span><span class="nv">FILE</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">master</span><span class="w"> </span><span class="nv">and</span><span class="w"> </span><span class="nv">reinstall</span>.<span class="w"> </span>
#<span class="w"> </span><span class="ss">(</span><span class="o">/</span><span class="nv">tmp</span><span class="o">/</span><span class="nv">crontab</span>.<span class="mi">5649</span><span class="w"> </span><span class="nv">installed</span><span class="w"> </span><span class="nv">on</span><span class="w"> </span><span class="nv">Wed</span><span class="w"> </span><span class="nv">Jun</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="mi">11</span>:<span class="mi">25</span>:<span class="mi">53</span><span class="w"> </span><span class="mi">2010</span><span class="ss">)</span><span class="w"> </span>
#<span class="w"> </span><span class="ss">(</span><span class="nv">Cron</span><span class="w"> </span><span class="nv">version</span><span class="w"> </span><span class="o">--</span><span class="w"> </span>$<span class="nv">Id</span>:<span class="w"> </span><span class="nv">crontab</span>.<span class="nv">c</span>,<span class="nv">v</span><span class="w"> </span><span class="mi">2</span>.<span class="mi">13</span><span class="w"> </span><span class="mi">1994</span><span class="o">/</span><span class="mi">01</span><span class="o">/</span><span class="mi">17</span><span class="w"> </span><span class="mi">03</span>:<span class="mi">20</span>:<span class="mi">37</span><span class="w"> </span><span class="nv">vixie</span><span class="w"> </span><span class="nv">Exp</span><span class="w"> </span>$<span class="ss">)</span><span class="w"> </span>
<span class="mi">27</span><span class="w"> </span><span class="mi">11</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">/</span><span class="nv">sbin</span><span class="o">/</span><span class="nv">reboot</span><span class="w"></span>
</code></pre></div>
<ol start="2">
<li>Connected through SSH, I ran the following two commands on one line; when they finish you should not even be disconnected from SSH. The line brings down the secondary IP (the aliased interface) and assigns that IP to the External interface as the usual primary one. If the default route still points at the old ISP's gateway and that gateway lives in the old subnet, add the new default route on the same line, because the old gateway becomes unreachable the moment the old address is gone and the session dies with the route.</li>
</ol>
<p><strong>ifconfig External:0 down ; ifconfig External 192.168.2.22 netmask 255.255.255.0</strong></p>
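<p>As an added example, not the post's commands, the same swap wrapped so that the safety net is a timed rollback of the address change rather than a reboot: <code>schedule_rollback</code> installs a cron entry that restores the old primary and the alias, <code>build_swap_cmd</code> produces the one-line swap (optionally with a new default route, for the case where the new ISP is in another subnet), and <code>cancel_rollback</code> removes the entry once you are back in over the new address. It assumes Linux with GNU date, iproute2 and crontab as on SPLAT; the interface name External and the alias External:0 are the post's, while the addresses 10.0.0.2 and 192.168.2.1 in the usage notes are stand-ins, not from the post.</p>

```shell
#!/usr/bin/env bash
# Added example, not the post's commands: the same alias-to-primary swap with a
# timed rollback instead of a blind reboot. Assumes Linux with GNU date, iproute2
# and crontab(1) as on SPLAT. Interface External and alias External:0 are the
# post's; the gateway argument, ROLLBACK_TAG and the 10.0.0.2 / 192.168.2.1
# addresses in the usage notes are this example's own stand-ins.
ROLLBACK_TAG='# ip-swap-rollback'

# Cron time fields for "now + MINUTES"; keep it well under 24 hours since the
# spec carries no date. The optional epoch argument makes this testable.
cron_spec_in() {
    local minutes=$1 now=${2:-$(date +%s)}
    date -d "@$(( now + minutes * 60 ))" +'%-M %-H * * *'
}

# build_swap_cmd IFACE NEW_IP NETMASK [NEW_GATEWAY]
# One command line so the SSH session riding on the new address survives: drop
# the alias, give the physical interface that address and, when the new ISP is
# in a different subnet, replace the default route in the same breath, because
# the old gateway stops being reachable the moment the old address goes away.
build_swap_cmd() {
    local iface=$1 new_ip=$2 mask=$3 gw=$4
    local cmd="ifconfig ${iface}:0 down ; ifconfig $iface $new_ip netmask $mask"
    if [ -n "$gw" ]; then
        cmd="$cmd ; ip route replace default via $gw dev $iface"
    fi
    printf '%s\n' "$cmd"
}

# build_rollback_cmd IFACE OLD_IP NETMASK NEW_IP [OLD_GATEWAY]
# The state you had before the swap: old primary back, new address as alias
# again, and the old default route if the swap replaced it. Full paths because
# cron runs with a minimal PATH.
build_rollback_cmd() {
    local iface=$1 old_ip=$2 mask=$3 new_ip=$4 old_gw=$5
    local cmd="/sbin/ifconfig $iface $old_ip netmask $mask ; /sbin/ifconfig ${iface}:0 $new_ip netmask $mask"
    if [ -n "$old_gw" ]; then
        cmd="$cmd ; /sbin/ip route replace default via $old_gw dev $iface"
    fi
    printf '%s\n' "$cmd"
}

# schedule_rollback MINUTES IFACE OLD_IP NETMASK NEW_IP [OLD_GATEWAY]
# If nobody cancels it, cron undoes the swap without rebooting a production box.
schedule_rollback() {
    local minutes=$1 spec
    shift
    spec=$(cron_spec_in "$minutes")
    {
        crontab -l 2>/dev/null
        printf '%s %s %s\n' "$spec" "$(build_rollback_cmd "$@")" "$ROLLBACK_TAG"
    } | crontab -
}

# Run once you are logged in again over the new address and happy with it.
cancel_rollback() {
    crontab -l 2>/dev/null | grep -vF "$ROLLBACK_TAG" | crontab -
}

# Sequence on the firewall (old primary 10.0.0.2, new primary 192.168.2.22,
# new gateway 192.168.2.1; all three are stand-ins):
#   schedule_rollback 15 External 10.0.0.2 255.255.255.0 192.168.2.22
#   sh -c "$(build_swap_cmd External 192.168.2.22 255.255.255.0 192.168.2.1)"
#   # reconnect to 192.168.2.22, verify, then:
#   cancel_rollback
build_swap_cmd External 192.168.2.22 255.255.255.0
```

<p>Run stand-alone it only prints the swap line from the post; nothing touches the crontab or the interfaces until you call <code>schedule_rollback</code> and execute the built command yourself.</p>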
Schedule fw monitor to run unattended via cron2010-05-29T08:43:48+00:002010-05-29T08:43:48+00:00Yuri Slobodyanyuktag:yurisk.info,2010-05-29:/2010/05/29/schedule-fw-monitor-to-run-unattended/<p>Not a groundbreaking idea, but worth remembering: you can also run a scheduled fw monitor using cron. If you have a problem that occurs in the late night hours, or want to run a debug at night when the system is less loaded, or [put your case here], this is one of the ways to do it.
First, the script named timed_fw_monitor.sh that starts the <a href="https://yurisk.info/2009/12/12/fw-monitor-command-reference/">fw monitor</a>:</p>
<div class="highlight"><pre><span></span><code>#!/bin/bash
# We have to source Checkpoint environment variables for fw monitor to work
. /etc/profile.d/CP.sh
# -o writes the capture file; -e takes an INSPECT filter, here ICMP plus
# anything on port 25 (SMTP); the path is the R71 install location
/opt/CPsuite-R71/fw1/bin/fw monitor -o /home/lambada/capture.cap -e 'accept icmp or port(25);'
</code></pre></div>
<p>Then of course I will want to stop fw monitor; here is the script named stop_fw_monitor.sh, also put in cron, that stops the previously started fw monitor:</p>
<div class="highlight"><pre><span></span><code>#!/bin/bash
# find the fw monitor process writing capture.cap (skipping our own grep) and send it signal 3
ps ax | grep 'capture.cap' | grep -v grep | awk '{ print ("kill -s 3 " $1) | "/bin/bash" }'
</code></pre></div>
<p>Now my crontab looks like this:</p>
<div class="highlight"><pre><span></span><code># DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.4760 installed on Sat May 29 11:00:22 2010)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
03 23 * * * /home/lambada/timed_fw_monitor.sh > /dev/null
17 23 * * * /home/lambada/stop_fw_monitor.sh > /dev/null
</code></pre></div>
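<p>As an added example (not the post's own scripts), here is a pidfile-based variant of the two jobs above: the stop job then kills exactly the fw monitor that cron started, and scanning <code>ps</code> for <code>capture.cap</code> is kept only as a fallback. The fw monitor command line and paths are the post's; the pidfile location is an assumption.</p>

```shell
#!/bin/bash
# Added example, not the post's scripts: one script that cron calls with
# "start" or "stop". Paths follow the post; PIDFILE is an assumed location.
CAPTURE_FILE=/home/lambada/capture.cap
PIDFILE=/var/run/timed_fw_monitor.pid
FW=/opt/CPsuite-R71/fw1/bin/fw
STOP_SIGNAL=3   # the post stops fw monitor with signal 3 (SIGQUIT)

# pids_for_capture CAPTURE_NAME: read "ps ax" lines on stdin and print the PID
# column of every process whose command line contains CAPTURE_NAME, skipping
# the grep/awk helpers of the pipeline itself (the classic "grep -v grep" problem).
pids_for_capture() {
    awk -v name="$1" '
        index($0, name) > 0 && $0 !~ /(^| )(grep|awk)( |$)/ { print $1 }'
}

start_fw_monitor() {
    # fw monitor needs the Check Point environment variables
    . /etc/profile.d/CP.sh
    "$FW" monitor -o "$CAPTURE_FILE" -e 'accept icmp or port(25);' &
    echo $! > "$PIDFILE"
}

stop_fw_monitor() {
    local pid=""
    if [ -s "$PIDFILE" ]; then
        pid=$(cat "$PIDFILE")
        # only trust the pidfile if that PID is still alive
        kill -0 "$pid" 2>/dev/null || pid=""
    fi
    if [ -z "$pid" ]; then
        # fallback: the post's approach, scanning the process list
        pid=$(ps ax | pids_for_capture "$CAPTURE_FILE")
    fi
    [ -n "$pid" ] && kill -s "$STOP_SIGNAL" $pid
    rm -f "$PIDFILE"
}

case "${1:-}" in
    start) start_fw_monitor ;;
    stop)  stop_fw_monitor ;;
esac
```

<p>With this script the two crontab lines call <code>timed_fw_monitor.sh start</code> and <code>timed_fw_monitor.sh stop</code> respectively.</p>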
<p><strong>SMTP inspection with policy-map in ASA</strong> (2010-05-26, Yuri Slobodyanyuk)</p>
<p>This is the first time I was disappointed by cisco.com. I had a simple task at hand: configure SMTP inspection in ASA 8.0(3), and the cisco.com documentation didn't help me at all. But first the task: secure an internal mail server by preventing it from sending spam outbound. Two very simple but largely effective measures come to mind: block mails whose From: field is set to any domain but ours, and block attempts to relay through the internal mail server mails destined to any domain but ours. In Checkpoint I can do it quite simply with an SMTP Resource. Unfortunately in ASA it is not the case. Let's look at the final SMTP inspection I configured in ASA.
Input:</p>
<p>Internal server having outside IP address of 199.202.2.3 serves two domains <strong>apple.com</strong> and <strong>microsoft.com</strong>
Task: <br>
- block mails with <strong>From:</strong> field set to any domain but apple.com or microsoft.com<br>
- block mail relaying for any domain but microsoft.com or apple.com </p>
<p>NOTE. I did this config on a production ASA, so I had no room to experiment with all the "what ifs". Identify the mail direction: from the inside server outbound. I did it this way because I didn't find reliable info about the sender-address match condition: does it match in any direction if applied globally to all traffic? I mean, if it just looks at the <em>Mail from:</em> field and acts on mails in both directions, then it would block mails coming in from any domain but the client's own.</p>
<p>To avoid even testing this on the client, I created this ACL, which applies the SMTP inspection to outgoing mails only anyway.</p>
<div class="highlight"><pre><span></span><code>BigInJapan(config)#access-list Mail-server permit tcp host 199.202.2.3 any eq 25
</code></pre></div>
<p>To block mails with a From field other than the client's domains, I use a regex that matches the client's domains and then negate it with NOT.</p>
<div class="highlight"><pre><span></span><code>BigInJapan(config)# regex PermittedSenders "@microsoft.com|@apple.com"
</code></pre></div>
<p>Create the policy-map where all the tweaked parameters are set (as of ASA 8.2 there is still no class-map type inspect esmtp).</p>
<div class="highlight"><pre><span></span><code>BigInJapan (config)# policy-map type inspect esmtp NoSpamOutside
</code></pre></div>
<p>Match all mails whose Mail from field is anything but *@microsoft.com or *@apple.com. The action is reset and log.
It is probably more secure to drop instead of reset, since with drop the malware would have to wait for some timeout, but I didn't care here anyway.</p>
<div class="highlight"><pre><span></span><code>BigInJapan(config-pmap)# match not sender-address regex PermittedSenders
BigInJapan(config-pmap-c)# reset log
BigInJapan(config-pmap-c)# exit
</code></pre></div>
<p>Various parameters. Here you set the internal domain the mail server is serving, so an attempt to deliver mail to any other domain is seen as illegal relaying and dropped. But I was surprised to learn here that the policy-map mail-relay parameter can be used only once, leaving you without this protection if multiple domains are served from the same server. So below is the theoretical configuration for the case where my client had just one domain on his server.</p>
<div class="highlight"><pre><span></span><code>BigInJapan(config-pmap)# parameters
BigInJapan(config-pmap-p)# mail-relay apple.com action drop-connection log
BigInJapan(config-pmap-p)# exit
BigInJapan(config-pmap)# exit
</code></pre></div>
<p>Now create general policy-map to tie it all together.</p>
<div class="highlight"><pre><span></span><code>BigInJapan(config)# policy-map NoSpamFromUs
BigInJapan(config-pmap)# class Mail-server
BigInJapan(config-pmap-c)# inspect esmtp NoSpamOutside
BigInJapan(config-pmap-c)# exit
BigInJapan(config-pmap)# exit
</code></pre></div>
<p>And apply it on some interface.</p>
<p><strong>Important:</strong> according to Hucaby's ASA handbook, application protocol inspection is applied AFTER the NAT rules, so in your class-map/ACL you need to use the IPs as they are after translation. The internal IP of the mail server is 192.168.3.3, statically NATed to 199.202.2.3, so I used 199.202.2.3 in the class-map's ACL.</p>
<p>Which interface to apply the policy-map on I guess doesn't matter, but to be sure I did it on the outside.</p>
<div class="highlight"><pre><span></span><code>BigInJapan(config)# service-policy NoSpamFromUs interface outside
</code></pre></div>
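<p>Because the match decision is hard to try out on a production box, here is an added shell emulation (not part of the post and not Cisco's code) of the <code>match not sender-address regex</code> / <code>reset log</code> step. It runs the post's <code>PermittedSenders</code> pattern and a tightened one over constructed sender addresses; <code>grep -E</code> semantics stand in for the ASA regex engine, and whether the ASA applies the pattern to the bare address or to the full MAIL FROM argument is an assumption to verify on your version before anchoring a pattern with <code>$</code>.</p>

```shell
#!/bin/bash
# Added example, not the post's configuration: emulate the policy-map's
# "match not sender-address regex PermittedSenders" -> "reset log" decision
# with grep -E so the two patterns can be compared offline.

# The post's pattern: "." means any character and nothing is anchored, so it
# also matches addresses that merely contain these strings.
LOOSE_PATTERN='@microsoft.com|@apple.com'
# Tightened pattern: dots escaped, alternation grouped, anchored at the end.
# The optional ">" tolerates an engine that sees the bracketed MAIL FROM
# argument (assumption: check how your ASA feeds the address to the regex).
TIGHT_PATTERN='@(microsoft|apple)\.com>?$'

# sender_permitted PATTERN ADDRESS: exit 0 when ADDRESS matches PATTERN,
# i.e. the policy-map would NOT reset the session.
sender_permitted() {
    printf '%s\n' "$2" | grep -Eq "$1"
}

# classify_senders PATTERN: read one address per line on stdin and print
# "allow <addr>" or "reset <addr>", mirroring the policy-map action.
classify_senders() {
    while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        if sender_permitted "$1" "$addr"; then
            printf 'allow %s\n' "$addr"
        else
            printf 'reset %s\n' "$addr"
        fi
    done
}

# Constructed sample of MAIL FROM addresses: two legitimate ones and three
# that slip past the loose pattern (subdomain suffix, longer suffix, unescaped dot).
SAMPLE_SENDERS='alice@apple.com
bob@microsoft.com
mallory@apple.com.example
carol@microsoft.com.somewhere.example
dave@microsoftXcom'

# Usage: ./sender_check.sh "$LOOSE_PATTERN"   or   ./sender_check.sh "$TIGHT_PATTERN"
if [ -n "${1:-}" ]; then
    printf '%s\n' "$SAMPLE_SENDERS" | classify_senders "$1"
fi
```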
<p>Link to the inspection page for ASA 8:<br>
<a href="https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html"> Applying Application Layer Protocol Inspection </a></p>
<p><strong>Alert on change of SOA in domain</strong> (2010-05-22, Yuri Slobodyanyuk)</p>
<p>This comes from an unpleasant experience of mine. One of my clients' domain records (the MX, in this case) was mistakenly changed. While it was a human error, and trying to fix humans is rolling the rock of Sisyphus, the damage would have been much smaller had I known about the change immediately. To take care of this side of the story I wrote an awk one-liner that, when invoked by cron, compares the SOA of the domain with the one saved locally in a file. If there is a discrepancy, a mail is sent.<br>
I tried to find a more elegant solution on Google but found zillions of tools too complex for such a simple task.</p>
<div class="highlight"><pre><span></span><code>#!/bin/bash
# "dig +short soa" prints: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM, so $3 is the serial
awk ' BEGIN {"dig +short soa yurisk.info"| getline
 SOA_NOW=$3
 # the serial saved earlier, one number in the file
 getline SOA &lt; "serial-yurisk.info"
 if (SOA_NOW != SOA) { print (" mail -c yurisk@yurisk.info -s \"SOA of domain yurisk.info has changed\" president@whitehouse.gov") | "/bin/bash" }}'
</code></pre></div>
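<p>As an added example (not the post's one-liner), the same check as a shell script with the failure modes handled: a DNS lookup that returns nothing no longer counts as a change, the first run seeds the state file instead of alerting, and the saved serial is updated after an alert so cron does not repeat the mail every run. The state file path and the recipient address are placeholders.</p>

```shell
#!/bin/bash
# Added example, not the post's script. Cron usage, for instance:
#   */15 * * * * /usr/local/bin/soa_watch.sh yurisk.info /var/lib/soa-watch/yurisk.info.serial
# The recipient is a placeholder; set ALERT_TO to your own address.
ALERT_TO="${ALERT_TO:-admin@example.invalid}"

# lookup_soa_serial DOMAIN: print the SOA serial (3rd field of "dig +short soa"),
# or nothing if the lookup failed or returned something unexpected.
lookup_soa_serial() {
    dig +short soa "$1" 2>/dev/null | awk 'NF >= 3 && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

# check_soa_serial DOMAIN STATE_FILE
# returns 0 when unchanged (or on the first run, which seeds STATE_FILE),
#         1 when the serial differs from the saved one (STATE_FILE is updated),
#         2 when the lookup produced no serial (no state change, no alert).
check_soa_serial() {
    domain=$1 state=$2
    now=$(lookup_soa_serial "$domain")
    [ -n "$now" ] || return 2
    if [ ! -f "$state" ]; then
        printf '%s\n' "$now" > "$state"
        return 0
    fi
    IFS= read -r saved < "$state"
    [ "$now" = "$saved" ] && return 0
    printf '%s\n' "$now" > "$state"
    return 1
}

# soa_watch DOMAIN STATE_FILE: cron entry point; mails only on a real change
soa_watch() {
    rc=0
    check_soa_serial "$1" "$2" || rc=$?
    case $rc in
        1) printf 'SOA serial of %s changed; the new serial is saved in %s\n' "$1" "$2" \
               | mail -s "SOA of domain $1 has changed" "$ALERT_TO" ;;
        2) echo "soa_watch: lookup of $1 returned no SOA serial" >&2 ;;
    esac
}

if [ $# -eq 2 ]; then
    soa_watch "$1" "$2"
fi
```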
<p><strong>FTP inside VPN Checkpoint troubles</strong> (2010-05-19, Yuri Slobodyanyuk)</p>
<p>Do we need to fix all the problems all the time? My answer is no. I also believe in a good solution today and dismiss ideal solutions tomorrow. Let me show this on a real case with one of the clients.
Client has Checkpoint, lots of Checkpoint, just heaps of it. And all their work is based on site-to-site VPN communication between a myriad of remote branches and the central office. All of it VPNed. One of the services running inside those endless tunnels is plain old FTP. To be more precise, scripted scheduled transfer of files.</p>
<p>It had been working like that for years until it started making trouble. Not all sites at once, just one site a day or a week, but multiplied by the sheer number of branches it became an avalanche.
Following the usual path I tried to fix things myself, and it worked at the beginning. But then the number of troublesome sites increased, and at some point I brought Checkpoint into the process. They didn't see one
major problem, just many seemingly unrelated local ones.</p>
<p>Also the FTP problems differed: </p>
<ul>
<li>download of small files went ok but on files &gt; 1 MB it got stuck; </li>
<li>download of any single file was ok, but multiple files got it stuck; </li>
<li>files got transferred but with file size 0; </li>
</ul>
<p>And none of this had obvious reasons: FTP drops here and there. Little by little I found myself fighting windmills. Could it be solved? I guess so. How much time? Months.</p>
<p>Then I solved this problem quite simply: the client didn't care a bit what file protocol was being used as long as it was scriptable and Windows-friendly. So I ran a test and offered him SSH/SCP inside the VPN tunnels instead of FTP.</p>
<p>The results of the tests were funny: from the same remote server, with everything else the same, moving
files with scp (pscp.exe) annihilated all the problems seen with FTP. That is it.<br>
See you.</p>
<p><strong>Configure VLAN Solaris way</strong> (2010-05-16, Yuri Slobodyanyuk)</p>
<p>To create a VLAN in Solaris you first have to decide where the <strong>Physical Point of Attachment (PPA)</strong> will be. In other words, you have to attach the VLAN to some physical interface on the server; as of now the interface types that support VLANs are:<br>
- ce<br>
- bge<br>
- xge<br>
- e1000g </p>
<p>Once you have decided on the PPA and the VLAN ID, the full name of the new VLAN interface is calculated with this formula:</p>
<div class="highlight"><pre><span></span><code>VLAN int name = physical interface driver name + VLAN ID * 1000 + physical device instance
</code></pre></div>
<p>In my case creating vlan 777 attached to the physical interface e1000g0 yields this:</p>
<p>Int name = e1000g + 777*1000 + 0 = e1000g777000</p>
<p>The usual plumbing and IP assignment:</p>
<p>Solaris_star#<strong>ifconfig e1000g777000 plumb</strong>
Solaris_star#<strong>ifconfig e1000g777000 inet 10.11.11.2/24</strong>
Solaris_star#<strong>ifconfig e1000g777000 up</strong></p>
<p>Verify:</p>
<p>Solaris_star#<strong>dladm show-link</strong></p>
<div class="highlight"><pre><span></span><code>e1000g0 type: non-vlan mtu: 1500 device: e1000g0
e1000g777000 type: vlan 777 mtu: 1500 device: e1000g0
e1000g1 type: non-vlan mtu: 1500 device: e1000g1
e1000g2 type: non-vlan mtu: 1500 device: e1000g2
</code></pre></div>
<p>Solaris_star# <strong>ifconfig e1000g777000</strong></p>
<div class="highlight"><pre><span></span><code>e1000g777000: flags=201000843&lt;UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS&gt; mtu 1500 index 4
        inet 10.11.11.2 netmask ffffff00 broadcast 10.11.11.255
        ether 0:c:29:67:98:e7
</code></pre></div>
<p><strong>md5 and sha1 hashing in Solaris</strong> (2010-05-15, Yuri Slobodyanyuk)</p>
<p>How do you calculate an md5 hash? With md5sum of course, I thought, coming from the Linux world, and I was wrong. In Solaris, again, everything that comes from open source projects follows the add-at-your-own-risk paradigm. Instead, the native crypto provider supplies hash calculations with the <strong>digest</strong> command:</p>
<p><strong># digest -l</strong><br>
sha1<br>
md5<br>
sha256<br>
sha384<br>
sha512</p>
<p><strong>Solaris-star# digest -v -a md5 sntp.py</strong> </p>
<p><code>md5 (sntp.py) = 0e306d35ef7da1a47c51590fe70b3144</code></p>
<p><strong>Encrypting local files in Solaris</strong> (2010-05-15, Yuri Slobodyanyuk)</p>
<p>How do I encrypt a local file in Solaris? On Linux I use either OpenSSL or GPG, but these are both open source projects, not native in the Solaris land. For this Solaris has the <strong>encrypt/decrypt</strong> tools, which do what their names say. And of course we are talking about symmetric encryption here. The options for encrypt/decrypt are succinct: list the available algorithms, specify input/output file(s), and optionally specify a file containing the key or otherwise type it at the terminal. A few examples follow.</p>
<ul>
<li>List algos</li>
</ul>
<p># <strong>encrypt -l</strong> </p>
<div class="highlight"><pre><span></span><code> Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes                       128   256
arcfour                     8  2048
des                        64    64
3des                      192   192
</code></pre></div>
<ul>
<li>Now let's encrypt something (the file smtp_send.py) with the AES algorithm.</li>
</ul>
<p># <strong>encrypt -a aes -i smtp_send.py -o smtp_send.py.enc</strong><br>
Enter key: </p>
<p># <strong>file smtp_send.py.enc</strong> </p>
<div class="highlight"><pre><span></span><code> smtp_send.py.enc: data
</code></pre></div>
<ul>
<li>And what about decrypting?</li>
</ul>
<p># <strong>decrypt -a aes -i smtp_send.py.enc -o smtp_send.py.dec</strong><br>
Enter key: </p>
<ul>
<li>In case you wish to use a key stored in a file (I personally don't do it, as it is too easy to forget to delete the key file).</li>
</ul>
<p># <strong>encrypt -a aes -k key_in_a_file.txt -i smtp_send.py -o smtp_send.py.enc</strong></p>
<p><strong>Authenticating ssh access on the Checkpoint using external Radius server</strong> (2010-05-01, Yuri Slobodyanyuk)</p>
<p>Radius authentication: I have been asked a few times about this feature, and as surfing through the Checkpoint docs can be a bit tedious, I'll put it here. SSH user authentication against an external server, in this case using the Radius protocol, is possible, but only if you have a <strong>VPN Pro</strong> featured firewall and accordingly a VPN Pro license (Advanced Networking Blade if using Blades). Then, using the firewall's WebGUI, you will have the option to configure an external Radius server to authenticate operating system users. See the screenshots below.<br>
<a href="http://yurisk.info/Radius1big.png"><img alt="Radius Authentication option in WebGUI" src="http://yurisk.info/Radius1verysmall.png"></a> </p>
<p><a href="http://yurisk.info/Radius2big.png"><img alt="Radius Authentication option in WebGUI" src="http://yurisk.info/Radius2verysmall.png"></a></p>
<p><strong>How to know UTM appliance version on the CLI</strong> (2010-04-23, Yuri Slobodyanyuk)</p>
<p>This one will be short, just a link to the Tobias Lachmann blog, where he shows how, using dmidecode, you can find out the version of the UTM you are logged in to.
Determine UTM-1 appliance series from cli ~~blog.lachmann.org/?p=172~~ <a href="https://yurisk.info/2016/01/22/how-to-know-checkpoint-utm-appliance-model-from-the-cli/index.html">the site is down, look here instead:</a> </p>
<p><strong>fw ctl or checkpoint tables by any other name</strong> (2010-04-09, Yuri Slobodyanyuk)</p>
<p>Today I want to draw your attention to an often overlooked information source: the Checkpoint state tables. While running, the firewall creates, keeps and updates various tables it needs to function correctly. These tables contain parameters that are mostly of use to the firewall itself, but you can query them on the cli, and sometimes flush them as well.
To see all tables with their contents you type:<br>
[Expert@Hollywood]# <strong>fw tab</strong><br>
To see only the table names:<br>
[Expert@Hollywood]# <strong>fw tab | grep "-------"</strong> </p>
<div class="highlight"><pre><span></span><code><span class="nb">--------</span><span class="c"> vsx_firewalled </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> firewalled_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> external_firewalled_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> management_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> external_management_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> log_server_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> tcp_services </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> udp_services </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> internal_interface_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> topology_range_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> gui_clients_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> cp_NG_products_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> smtp_av_user_config_match_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> smtp_av_scan_exclusion </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> http_av_user_config_match_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> http_av_scan_exclusion </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> pop3_av_user_config_match_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> pop3_av_scan_exclusion </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> aspam_unique_id </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> aspam_directional_match_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> aspam_smtp_ip_match_tab_src </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> aspam_pop3_ip_match_tab_src </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> aspam_scan_all_traffic </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> auth_rules_on_gw </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> content_security_uf </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> content_security_av </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> content_security_aspam </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> content_security_next_proxy </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> cs_next_proxy_host </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> cs_next_proxy_port </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> module_content_security </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> report_server_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> smartPortal_server_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> abacus_server_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> event_analyzers_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ua_server_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ua_products_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> rtm_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> cvp_servers_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ufp_servers_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> cpmi_clients_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> radius_servers_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> tacacs_servers_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ldap_servers_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> NG_policy_server_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> physical_servers_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> load_servers_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> drop_rejct_rules </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> gsn_quota </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> no_nat_comm_4 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> community_no_nat </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> http_services </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ftp_services </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> smtp_services </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> pop3_services </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> cifs_services </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dns_services </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sip_services </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> mgcp_services </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dns_rand_servers </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> aspam_wb_ip </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> mgcp_cmd </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sip_method </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> non_scv_hosts </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> gtp_apn_params </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ssl_tunnels_excluded_services </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ssl_tunnels_excluded_clients </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> syslg_relay_servers_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dcerpc_maps </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dcerpc_rmaps </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dcerpc_binds </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dcerpc_epm_requests </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dcerpc_map_ports </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dcerpc_udp_maps </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dcerpc_udp_rmaps </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dcerpc_udp_epm_requests </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dcerpc_udp_hpov_maps </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dcerpc_logs </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dcerpc_reply_any_port </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dcom_objects </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dcom_remote_activations </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dcom_call_ids </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dcom_high_port </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dcom_sysact_state </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> compiled_cifs_resources </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> userc_rules </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> userc_bind </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> userc_key </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> userc_users </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> userc_pending </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> userc_slan </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> userc_dtm_cache </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> pending </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> rpc_serv_hosts </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> rpc_serv </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> rpc_sessions </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> pmap_req </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> pmap_not_responding </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> logged </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> trapped </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> check_alive </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> auth_services </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> client_auth </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> client_was_auth </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> autoclntauth_fold </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> session_requests </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> pending_session_requests </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sso_requests </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> auth_status </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> av_cache </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> proxied_conns </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> genufp_requests </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> genufp_matched </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> genufp_mismatched </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> icmp_requests </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> icmp_replies </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> icmp_errors </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> forbidden_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ipufp_cache </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ufp_statistic </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dynobj_cache </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dns_rand_to_sid </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dns_sid_to_rand </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dns_response_misses </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> snid_enc_keys </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> resolve_hostbyname_cache </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> resolve_hostbyaddr_cache </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> voip_host_connections </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> cac_codecs </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sip_state </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> earlynat_sport </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sip_dynamic_port </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sip_cseq </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> mgcp_conn </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> mgcp_tid </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> mgcp_registration </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> mgcp_earlynat_tid </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> mgcp_dynamic_port </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ssl_v3_conns </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ssh2_syn_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ssh2_client_seq </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> p2p_sessions </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> edonkey_clients </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> p2p_packets </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> pptp_state </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> first_master </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> mapped_if </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> fwx_sticky_port </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> allowed_ip_options </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> allowed_ipopts_proto </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> hide_behind_low_ports </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> cluster_mcast_nolog </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> hide_services_ports </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> no_hide_services_ports </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> no_fold_services_ports </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> nokia_no_fold_ports </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> no_misp_services_ports </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> pop3d_clients </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> epq_quarantined_host </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> aspam_syn_cache </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> tcp_services_props </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> udp_services_props </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> other_services_props </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> adp_ca_brightstor_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> rc4_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Objhbbbjb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjUOdnB </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjSRqhab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjLALMqb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjsFK9hb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Obj4kPyz </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjO80qQb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjolM2n </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> mhis_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Obja2fNE </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjQvSXqb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjGiirDb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> http_hand_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Objn_q2i </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Objo2Goeb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjdSJuO </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjqYUGFb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> contnt_prot_state_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> backweb_connections </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> freetel_connections </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> iiop_requests </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> x11verify_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> wf_connections </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> exchange_notifies </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> rtsp_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ncp_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> e2e_gwbw_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpn_range_gateways </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpn_range_gateways_valid </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> cvp_connections </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> p2p_logged </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> welchia_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ssh_sessions </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> gif_rerun_tbl </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> aviwave_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> png_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> emf_wmf_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjIqngWb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Obj1Pjdc </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjEcVuT </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjBYyIB </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> mpe_pme_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjipTMsb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjAIP_g </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Obj1_j2Qb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjsRmHN </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjgGBn_b </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Obj8YTItb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> office_rerun_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> block_office_ppt_start </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> block_office_offset </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> block_office_retrans </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjYpZWX </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjLRkIWb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjiMhGQ </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjdZJgJb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Obji4D8J </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjTBbSbb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjFYJhJb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjK3HfXb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Obj3Izhfc </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjATGcAb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> snmp_pdu_types </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjPKm54b </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjpZHv1 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjNPV8V </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Objmeh8Ub </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Obj0XzAN </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjXatVDb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> syslog_dates </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> buf_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> cram_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> imap_log_tbl </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> imap_except_tbl </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> flac_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sami_tbl </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjajI9Rb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjCGXEdb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> pct_opcode_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> pct_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Obj1e5hC </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjRztz7 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjaxeIAb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjwNbxib </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> word_plflfo_tbl </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> word_sprm_tbl </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjkxWEfc </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Obj217K1 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> flash_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjjoQvm </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjUZxDgc </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjlgJhcc </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjaLxvLb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> rtf_fmp_parse27_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ssl_counter_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dns_bruth_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dns_bruth_tab_case </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dns_bruth_res_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> pdf_jbig_tbl </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjO5atzb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjCy5LO </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjmbEnl </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjxZiyv </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Obj8sHTQb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjCMpyg </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjMbgQeb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjHh3It </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjsYf1n </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ldap_leak_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjhPV7z </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjEkdpjc </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjH3V57 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> pe_parser_tbl </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Obj6a6Th </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjHkxoe </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Obj6yDZpb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjRpdDu </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjiB_Z4b </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ms_proj_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ObjyXqwA </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sdupdate_dynamic_tab_attrs </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpn_active </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> encryption_requests </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> decryption_pending </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> rdp_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> rdp_dont_trap </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> userc_encapsulating_clients </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> MSPI_cluster_feedback </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> MSPI_cluster_feedback_new </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> L2TP_MSPI_cluster_feedback </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> MSPI_cluster_update </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> L2TP_MSPI_cluster_update </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> MSPI_cluster_request </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> MSPI_feedback_to_delete </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ATLAS_ROBO_Objects </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> DAG_ID_to_IP </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> DAG_IP_to_ID </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ipsec_crypt_pending </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> inbound_SPI </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> outbound_SPI </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> resolving_requests </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> MSPI_requests </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> SPI_requests </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> resolving_req_connections </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> MSPI_req_connections </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> user_auth_groups </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> IKE_SA_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> new_IKE_SA_update </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> IPSEC_userc_dont_trap_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> SEP_my_IKE_packet </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> tcpt_external_ip </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> L2TP_tunnels </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> L2TP_sessions </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> L2TP_lookup </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpn_if_peer_mspi </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpn_interfaces_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> peer_vpn_if_mapping </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> MSPI_by_methods </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> MSPI_cluster_map </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> resolved_interface </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> MEP_chosen_gw </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> crypt_resolver_db </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> MEP_ls </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> userc_resolve_dont_trap </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> fwz_crypt_pending </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> crypt_resolver_uptag </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> cryptlog_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> udp_enc_cln_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> cluster_connections_nat </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> IPSEC_mtu_icmp </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> IPSEC_mtu_icmp_wait </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> XPO_names </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> communities_names </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> peers_names </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> local_vpn_routing </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> VIN_SA_to_delete </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> udp_response_nat </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> marcipan_mapping </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> marcipan_ippool_users </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> marcipan_ippool_allocated </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> reliable_trap </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> peers_count </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> IKE_peers </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ipalloc_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> persistent_tunnels </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dhcp_nat_params_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> my_daip_ip_to_id </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> om_assigned_ips </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> om_radius </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> tnlmon_listener_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> tnlmon_life_sign </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> preferred_MEP_gw </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> tnlmon_job_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> udp_enc_route_refcount </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> reload_policy_timer </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> http_vpnd_cookies </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sslt_om_ip_params </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ssl_tunnel_id_to_mspi </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> http_ics_pre_auth_cookies </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpnd_ics_report_suid </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpn_queues </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ike2esp </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> peer2ike </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ike2peer </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> initial_contact_pending </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> user_properties </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> rdp_state_repository </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ike_state_repository </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> get_topology_state_repository </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ike_temp_DAG_IP_to_ID </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> resolved_link </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> orig_route_params </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> cluster_active_robo </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> edge_clusters </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> outbound_spi_by_peer </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> robo_active_link </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> src_ip_by_peer </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> natt_port </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> frl_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sslt_disconnect_reasons </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpn_best_route_cache </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> TunnelTest_NAT </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> slp_active_users </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dag_dhcp_requests </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> net_quota_exclusion_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sr_enc_domain </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sr_enc_domain_valid </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpn_enc_domain </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpn_enc_domain_valid </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpn_methods </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpn_routing </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpn_enable_routing </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpn_enable_internet_routing </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> static_interface_resolve </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> daip_ranges </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Robo_ranges </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Robo_ids </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Robo_allowed_ranges </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> Robo_clusters </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sdb_edge_clusters </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> community_domain_4 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> community_excl_udp_4 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> om_protected_group </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> gw_properties </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpn_rulematch </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> comm_conn_level </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ca_servers_addresses </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> target_list10 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> rulenum_list13 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> rulenum_list14 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> rulenum_list15 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> fwportscn_vertical_exclude </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> fw_allow_out_of_tcp_always </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> spii_proto_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> DAG_range </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> NAT_src_intvl_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> NAT_dst_intvl_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> NAT_src_any_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> NAT_dst_any_list </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> NAT_rules </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> full_service_list11 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> full_service_list12 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ip_list1 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ip_list2 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ip_list3 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ip_list4 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ip_list5 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ip_list6 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ip_list7 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ip_list8 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ip_list9 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dir_scan_addrs_list1 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> valid_addrs_list1 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> dir_scan_addrs_list2 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> valid_addrs_list2 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> gw2gw_communities_ids </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> tcpt_gws </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> svm_profiler </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> svm_range_gateways </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> svm_range_gateways_valid </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> svm_e2e_gwbw_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpncl_om2cookier </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpncl_cookier2om </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpncl_ccc_iphone_sessions </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpncl_ccc_sessions </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> vpncl_cpras_topology_policy_id </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sockstress_blocked </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sockstress_suspicious </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sockstress_local </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sockstress_src </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sam_L2_requests </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sam_blocked_ips_v2 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sam_requests_v2 </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sam_uid </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sam_L2_src_dst_requests </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> mrt_sync_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> closed_conns </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> fwarp_arpq_tbl </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> fwneighq_tbl </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> strmap_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> fwha_VPN_hash_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> cpas_cookie_hash </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> cpas_pmtu </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> h323_registration </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> rules_uid_new_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> uid2kbuf </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> tab_name_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sip_registration </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> fwx_cache </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> redirected_conns </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> h323_gk_pending_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> cphwd_vpndb </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> host_ip_addrs_all </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> excessive_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> scv_held_packets_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> conn_info </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> chain_log_unification_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> fwx_pending </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> scv_ps_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> scv_gw_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> string_dictionary_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sam_log </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sam_requests </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> sam_blocked_ips </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> spii_global_pset2kbuf_map </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> spii_multi_pset2kbuf_map </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> ws_protection_scheme_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> saved_kbuf_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> son_conns </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> parent_conn </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> connections </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> fwx_cntl_dyn_tab </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> h323_tracer_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> fwx_auth </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> host_ip_addrs </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> hold_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> frag_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> arp_table </span><span class="nb">--------</span><span class="c"></span>
<span class="nb">--------</span><span class="c"> fwx_alloc </span><span class="nb">--------</span><span class="c"></span>
</code></pre></div>
<p>Now a round-up of some tables that are useful to know about, for one reason or another.
NOTE: when a service is not loaded, its corresponding table is not loaded either, as querying one shows:<br>
<strong>fw tab -t http_av_scan_exclusion</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">localhost</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="n">Table</span><span class="w"> </span><span class="n">http_av_scan_exclusion</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">loaded</span><span class="p">:</span><span class="w"> </span><span class="n">Invalid</span><span class="w"> </span><span class="n">argument</span><span class="w"></span>
</code></pre></div>
<p>Most of the time the values in these tables are presented as integer or hex values, and almost always they contain IP addresses. Adding the <strong>-f</strong> option to the command deciphers the output a bit, but not completely, so an IP address converter (hex or integer to dotted-decimal) will be very handy.</p>
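<p>Instead of a web converter, a few lines of Python do the translation both ways. This is an added example for this post, not Check Point's code or a tool from the original article. It assumes the raw table layout that <strong>fw tab -t &lt;table&gt;</strong> prints (entries as 32-bit words in hex, such as <code>c0a80a05</code> for 192.168.10.5) and the <code>First:</code>/<code>Last:</code> lines that <strong>fw tab -f -t vpn_enc_domain</strong> prints; the raw sample entries below are constructed for illustration, while the three encryption-domain ranges are the ones shown on this page. The helper names (<code>decode_entry</code>, <code>find_host</code>, <code>enc_domain_ranges</code>, <code>in_enc_domain</code>) are my own.</p>

```python
"""Decoding helpers for Check Point `fw tab` output.

Added example for this post, not Check Point's own code. It assumes the raw
table layout printed by `fw tab -t <table>`: entries are tuples of 32-bit
words in hex, e.g. <c0a80a05, 0000c3d7, 0a141401, 00000050, 00000006>, and
which word is an address, a port or a protocol depends on the table.
"""
import ipaddress
import re

# One 32-bit word as fw tab prints it: exactly eight hex digits
WORD_RE = re.compile(r"\b([0-9a-fA-F]{8})\b")
# "First: 10.20.201.1; ,Last: 10.20.201.3;" as printed by fw tab -f -t vpn_enc_domain
RANGE_RE = re.compile(r"First:\s*([\d.]+);\s*,?\s*Last:\s*([\d.]+);")


def hex_to_ip(word: str) -> str:
    """'c0a80a05' -> '192.168.10.5'."""
    return str(ipaddress.IPv4Address(int(word, 16)))


def ip_to_hex(ip: str) -> str:
    """'192.168.10.5' -> 'c0a80a05'; use it to grep a raw table for one host."""
    return format(int(ipaddress.IPv4Address(ip)), "08x")


def decode_entry(line: str) -> list:
    """Translate every hex word of one raw entry to (hex, integer, dotted form).

    Both forms are returned because the same word is a port or protocol number
    in one column and an address in another; the reader decides per table.
    """
    return [(w, int(w, 16), hex_to_ip(w)) for w in WORD_RE.findall(line)]


def find_host(lines, ip: str) -> list:
    """Return the raw entries that mention the given host (grep for its hex form)."""
    needle = ip_to_hex(ip)
    return [ln for ln in lines if needle in ln.lower()]


def enc_domain_ranges(text: str) -> list:
    """Parse the First/Last pairs of `fw tab -f -t vpn_enc_domain` into (first, last, size)."""
    out = []
    for first, last in RANGE_RE.findall(text):
        size = int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1
        out.append((first, last, size))
    return out


def in_enc_domain(ip: str, ranges) -> bool:
    """True if ip falls inside any (first, last, size) range of the local encryption domain."""
    n = int(ipaddress.IPv4Address(ip))
    return any(
        int(ipaddress.IPv4Address(f)) <= n <= int(ipaddress.IPv4Address(l))
        for f, l, _ in ranges
    )


# Constructed sample in the style of raw `fw tab -t connections` entries (not real gateway output)
SAMPLE_RAW = [
    "<00000000, c0a80a05, 0000c3d7, 0a141401, 00000050, 00000006> -> <00000001; ...>",
    "<00000000, c0a80a07, 0000d431, 0a141402, 00000035, 00000011> -> <00000001; ...>",
]

# The three ranges printed on this page by fw tab -f -t vpn_enc_domain
SAMPLE_ENC_DOMAIN = """
First: 10.20.201.1; ,Last: 10.20.201.3; product: VPN-1 & FireWall-1;
First: 172.18.1.0; ,Last: 172.18.1.255; product: VPN-1 & FireWall-1;
First: 192.168.20.251; ,Last: 192.168.20.253; product: VPN-1 & FireWall-1;
"""

if __name__ == "__main__":
    for raw in SAMPLE_RAW:
        print(raw)
        for word, value, dotted in decode_entry(raw):
            print(f"  {word} = {value:>10d}  ({dotted})")
    # Which constructed entries involve host 10.20.20.1 (hex 0a141401)?
    print(find_host(SAMPLE_RAW, "10.20.20.1"))
    ranges = enc_domain_ranges(SAMPLE_ENC_DOMAIN)
    print(ranges)
    print(in_enc_domain("172.18.1.77", ranges), in_enc_domain("172.18.2.1", ranges))
```

<p>The <code>ip_to_hex</code> direction is the one used most in practice: convert the host you are investigating to its hex form once, then pipe the raw table through <strong>grep</strong> for that word rather than eyeballing thousands of entries. <code>in_enc_domain</code> answers the common "is this subnet actually in my encryption domain?" question straight from the gateway, which is exactly what the <strong>vpn_enc_domain</strong> table is for.</p>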
<p>To see the local encryption domain of this gateway without opening SmartDashboard:
<strong>fw tab -f -t vpn_enc_domain</strong></p>
<div class="highlight"><pre><span></span><code><span class="nt">Using</span><span class="w"> </span><span class="nt">cptfmt</span><span class="w"></span>
<span class="nt">localhost</span><span class="o">:</span><span class="w"></span>
<span class="nt">Date</span><span class="o">:</span><span class="w"> </span><span class="nt">Apr</span><span class="w"> </span><span class="nt">7</span><span class="o">,</span><span class="w"> </span><span class="nt">2010</span><span class="w"></span>
<span class="w"> </span><span class="nt">8</span><span class="p">:</span><span class="nd">26</span><span class="p">:</span><span class="nd">33</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+)====================================(+);</span><span class="w"> </span><span class="nt">Table_Name</span><span class="o">:</span><span class="w"> </span><span class="nt">vpn_enc_domain</span><span class="o">;</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">Attributes</span><span class="o">:</span><span class="w"> </span><span class="nt">static</span><span class="o">,</span><span class="w"> </span><span class="nt">id</span><span class="w"> </span><span class="nt">381</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"> </span>
<span class="nt">8</span><span class="p">:</span><span class="nd">26</span><span class="p">:</span><span class="nd">33</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">First</span><span class="o">:</span><span class="w"> </span><span class="nt">10</span><span class="p">.</span><span class="nc">20</span><span class="p">.</span><span class="nc">201</span><span class="p">.</span><span class="nc">1</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">Last</span><span class="o">:</span><span class="w"> </span><span class="nt">10</span><span class="p">.</span><span class="nc">20</span><span class="p">.</span><span class="nc">201</span><span class="p">.</span><span class="nc">3</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"></span>
<span class="nt">8</span><span class="p">:</span><span class="nd">26</span><span class="p">:</span><span class="nd">33</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">First</span><span class="o">:</span><span class="w"> </span><span class="nt">172</span><span class="p">.</span><span class="nc">18</span><span class="p">.</span><span class="nc">1</span><span class="p">.</span><span class="nc">0</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">Last</span><span class="o">:</span><span class="w"> </span><span class="nt">172</span><span class="p">.</span><span class="nc">18</span><span class="p">.</span><span class="nc">1</span><span class="p">.</span><span class="nc">255</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"></span>
<span class="nt">8</span><span class="p">:</span><span class="nd">26</span><span class="p">:</span><span class="nd">33</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">First</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">20</span><span class="p">.</span><span class="nc">251</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">Last</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">20</span><span class="p">.</span><span class="nc">253</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"> </span>
<span class="nt">8</span><span class="p">:</span><span class="nd">26</span><span class="p">:</span><span class="nd">33</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">First</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">21</span><span class="p">.</span><span class="nc">0</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">Last</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">21</span><span class="p">.</span><span class="nc">255</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"></span>
<span class="nt">8</span><span class="p">:</span><span class="nd">26</span><span class="p">:</span><span class="nd">33</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">First</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">22</span><span class="p">.</span><span class="nc">11</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">Last</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">22</span><span class="p">.</span><span class="nc">12</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"></span>
</code></pre></div>
<p>Another command that gives the local encryption domain; on a few firewalls I tried, the output was the same, so I don’t know what the difference is:<br>
<strong>fw tab -f -t vpn_enc_domain_valid</strong></p>
<div class="highlight"><pre><span></span><code><span class="nt">Using</span><span class="w"> </span><span class="nt">cptfmt</span><span class="w"></span>
<span class="nt">localhost</span><span class="o">:</span><span class="w"></span>
<span class="nt">Date</span><span class="o">:</span><span class="w"> </span><span class="nt">Apr</span><span class="w"> </span><span class="nt">7</span><span class="o">,</span><span class="w"> </span><span class="nt">2010</span><span class="w"></span>
<span class="w"> </span><span class="nt">8</span><span class="p">:</span><span class="nd">52</span><span class="p">:</span><span class="nd">30</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+)====================================(+);</span><span class="w"> </span><span class="nt">Table_Name</span><span class="o">:</span><span class="w"> </span><span class="nt">sr_enc_domain_valid</span><span class="o">;</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">Attributes</span><span class="o">:</span><span class="w"> </span><span class="nt">static</span><span class="o">,</span><span class="w"> </span><span class="nt">id</span><span class="w"> </span><span class="nt">380</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"> </span>
<span class="nt">8</span><span class="p">:</span><span class="nd">52</span><span class="p">:</span><span class="nd">30</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">First</span><span class="o">:</span><span class="w"> </span><span class="nt">10</span><span class="p">.</span><span class="nc">20</span><span class="p">.</span><span class="nc">201</span><span class="p">.</span><span class="nc">1</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">Last</span><span class="o">:</span><span class="w"> </span><span class="nt">10</span><span class="p">.</span><span class="nc">20</span><span class="p">.</span><span class="nc">201</span><span class="p">.</span><span class="nc">3</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"> </span>
<span class="nt">8</span><span class="p">:</span><span class="nd">52</span><span class="p">:</span><span class="nd">30</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">First</span><span class="o">:</span><span class="w"> </span><span class="nt">172</span><span class="p">.</span><span class="nc">18</span><span class="p">.</span><span class="nc">1</span><span class="p">.</span><span class="nc">0</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">Last</span><span class="o">:</span><span class="w"> </span><span class="nt">172</span><span class="p">.</span><span class="nc">18</span><span class="p">.</span><span class="nc">1</span><span class="p">.</span><span class="nc">255</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="nt">8</span><span class="p">:</span><span class="nd">52</span><span class="p">:</span><span class="nd">30</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">First</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">20</span><span class="p">.</span><span class="nc">251</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">Last</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">20</span><span class="p">.</span><span class="nc">253</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"> </span>
<span class="nt">8</span><span class="p">:</span><span class="nd">52</span><span class="p">:</span><span class="nd">30</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">First</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">21</span><span class="p">.</span><span class="nc">0</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">Last</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">21</span><span class="p">.</span><span class="nc">255</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"> </span>
<span class="nt">8</span><span class="p">:</span><span class="nd">52</span><span class="p">:</span><span class="nd">30</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">First</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">22</span><span class="p">.</span><span class="nc">11</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">Last</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">22</span><span class="p">.</span><span class="nc">12</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"></span>
</code></pre></div>
<p>To see the encryption domain for SecureRemote users:<br>
<strong>fw tab -f -t sr_enc_domain_valid</strong></p>
<div class="highlight"><pre><span></span><code><span class="nt">Using</span><span class="w"> </span><span class="nt">cptfmt</span><span class="w"></span>
<span class="nt">localhost</span><span class="o">:</span><span class="w"></span>
<span class="nt">Date</span><span class="o">:</span><span class="w"> </span><span class="nt">Apr</span><span class="w"> </span><span class="nt">7</span><span class="o">,</span><span class="w"> </span><span class="nt">2010</span><span class="w"></span>
<span class="w"> </span><span class="nt">8</span><span class="p">:</span><span class="nd">52</span><span class="p">:</span><span class="nd">30</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+)====================================(+);</span><span class="w"> </span><span class="nt">Table_Name</span><span class="o">:</span><span class="w"> </span><span class="nt">sr_enc_domain_valid</span><span class="o">;</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">Attributes</span><span class="o">:</span><span class="w"> </span><span class="nt">static</span><span class="o">,</span><span class="w"> </span><span class="nt">id</span><span class="w"> </span><span class="nt">380</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="nt">8</span><span class="p">:</span><span class="nd">52</span><span class="p">:</span><span class="nd">30</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">First</span><span class="o">:</span><span class="w"> </span><span class="nt">10</span><span class="p">.</span><span class="nc">20</span><span class="p">.</span><span class="nc">201</span><span class="p">.</span><span class="nc">1</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">Last</span><span class="o">:</span><span class="w"> </span><span class="nt">10</span><span class="p">.</span><span class="nc">20</span><span class="p">.</span><span class="nc">201</span><span class="p">.</span><span class="nc">3</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="nt">8</span><span class="p">:</span><span class="nd">52</span><span class="p">:</span><span class="nd">30</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">First</span><span class="o">:</span><span class="w"> </span><span class="nt">172</span><span class="p">.</span><span class="nc">18</span><span class="p">.</span><span class="nc">1</span><span class="p">.</span><span class="nc">0</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">Last</span><span class="o">:</span><span class="w"> </span><span class="nt">172</span><span class="p">.</span><span class="nc">18</span><span class="p">.</span><span class="nc">1</span><span class="p">.</span><span class="nc">255</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="nt">8</span><span class="p">:</span><span class="nd">52</span><span class="p">:</span><span class="nd">30</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">First</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">20</span><span class="p">.</span><span class="nc">251</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">Last</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">20</span><span class="p">.</span><span class="nc">253</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="nt">8</span><span class="p">:</span><span class="nd">52</span><span class="p">:</span><span class="nd">30</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">First</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">21</span><span class="p">.</span><span class="nc">0</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">Last</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">21</span><span class="p">.</span><span class="nc">255</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="nt">8</span><span class="p">:</span><span class="nd">52</span><span class="p">:</span><span class="nd">30</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">First</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">22</span><span class="p">.</span><span class="nc">11</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">Last</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">22</span><span class="p">.</span><span class="nc">12</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"></span>
</code></pre></div>
<p>To see the SPI database entries of established VPN tunnels and their parameters:<br>
<strong>fw tab -f -t inbound_SPI</strong></p>
<div class="highlight"><pre><span></span><code><span class="nt">Using</span><span class="w"> </span><span class="nt">cptfmt</span><span class="w"></span>
<span class="nt">localhost</span><span class="o">:</span><span class="w"></span>
<span class="nt">Date</span><span class="o">:</span><span class="w"> </span><span class="nt">Apr</span><span class="w"> </span><span class="nt">7</span><span class="o">,</span><span class="w"> </span><span class="nt">2010</span><span class="w"></span>
<span class="w"> </span><span class="nt">8</span><span class="p">:</span><span class="nd">34</span><span class="p">:</span><span class="nd">56</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+)====================================(+);</span><span class="w"> </span><span class="nt">Table_Name</span><span class="o">:</span><span class="w"> </span><span class="nt">inbound_SPI</span><span class="o">;</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">Attributes</span><span class="o">:</span><span class="w"> </span><span class="nt">dynamic</span><span class="o">,</span><span class="w"> </span><span class="nt">id</span><span class="w"> </span><span class="nt">289</span><span class="o">,</span><span class="w"> </span><span class="nt">attributes</span><span class="o">:</span><span class="w"> </span><span class="nt">keep</span><span class="o">,</span><span class="w"> </span><span class="nt">sync</span><span class="o">,</span><span class="w"> </span><span class="nt">expires</span><span class="w"> </span><span class="nt">3600</span><span class="o">,</span><span class="w"> </span><span class="nt">limit</span><span class="w"> </span><span class="nt">40800</span><span class="o">,</span><span class="w"> </span><span class="nt">hashsize</span><span class="w"> </span><span class="nt">65536</span><span class="o">,</span><span class="w"> </span><span class="nt">kbuf</span><span class="w"> </span><span class="nt">1</span><span class="w"> </span><span class="nt">3</span><span class="o">,</span><span class="w"> </span><span class="nt">free</span><span class="w"> </span><span class="nt">function</span><span class="w"> 
</span><span class="nt">f9b32640</span><span class="w"> </span><span class="nt">0</span><span class="o">,</span><span class="w"> </span><span class="nt">post</span><span class="w"> </span><span class="nt">sync</span><span class="w"> </span><span class="nt">handler</span><span class="w"> </span><span class="nt">f9b22330</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="nt">8</span><span class="p">:</span><span class="nd">34</span><span class="p">:</span><span class="nd">56</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">29</span><span class="p">.</span><span class="nc">25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="nt">SPI</span><span class="o">:</span><span class="w"> </span><span class="nt">d21c5e68</span><span class="o">;</span><span class="w"> </span><span class="nt">CPTFMT_sep</span><span class="o">:</span><span class="w"> </span><span class="o">;;</span><span class="w"> </span><span class="nt">Protocol</span><span class="o">:</span><span class="w"> </span><span class="nt">IPSEC_ESP_SA</span><span class="o">(</span><span class="nt">2</span><span class="o">);</span><span class="w"> </span><span class="o">,</span><span class="nt">Schema</span><span class="o">:</span><span class="w"> </span><span class="nt">IKE</span><span class="o">(</span><span class="nt">3</span><span class="o">);</span><span class="w"> </span><span class="o">,</span><span class="nt">me</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">22</span><span class="p">.</span><span class="nc">11</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">peer</span><span class="o">:</span><span class="w"> </span><span class="nt">122</span><span class="p">.</span><span class="nc">18</span><span class="p">.</span><span class="nc">9</span><span class="p">.</span><span class="nc">20</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">owner</span><span class="o">:</span><span class="w"> </span><span 
class="nt">127</span><span class="p">.</span><span class="nc">0</span><span class="p">.</span><span class="nc">0</span><span class="p">.</span><span class="nc">1</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">MyRange</span><span class="p">:</span><span class="nd">First</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">21</span><span class="p">.</span><span class="nc">0</span><span class="o">;</span><span class="w"> </span><span class="nt">Last</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">21</span><span class="p">.</span><span class="nc">255</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">PeerRange</span><span class="p">:</span><span class="nd">First</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">214</span><span class="p">.</span><span class="nc">0</span><span class="o">;</span><span class="w"> </span><span class="nt">PeerLast</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">214</span><span class="p">.</span><span class="nc">255</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">HWInitialized</span><span class="o">:</span><span class="w"> </span><span class="nt">NO</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">MSPI</span><span class="o">:</span><span class="w"> </span><span class="nt">13</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span 
class="nt">Host</span><span class="o">:</span><span class="w"> </span><span class="nt">192</span><span class="p">.</span><span class="nc">168</span><span class="p">.</span><span class="nc">22</span><span class="p">.</span><span class="nc">11</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="nt">Peer</span><span class="o">:</span><span class="w"> </span><span class="nt">122</span><span class="p">.</span><span class="nc">18</span><span class="p">.</span><span class="nc">9</span><span class="p">.</span><span class="nc">20</span><span class="o">;</span><span class="w"> </span><span class="nt">Expires</span><span class="o">:</span><span class="w"> </span><span class="nt">2149</span><span class="o">/</span><span class="nt">3610</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"></span>
</code></pre></div>
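<p>The listings above all share the same cptfmt layout: a timestamp and host prefix, then <code>key: value;</code> fields, with <code>(+)====(+); Table_Name: X</code> opening each table. Reading them by eye is fine for one tunnel; for a firewall with dozens of SPIs it is quicker to parse them. The following is an added example for this post, not the blog's or Check Point's own code: a small Python parser for the <code>fw tab -f</code> output of the encryption-domain tables, <code>inbound_SPI</code> and <code>IKE_peers</code>, which then answers the questions those tables are usually consulted for: is a given address inside the local encryption domain, and which SPIs and IKE peers are currently alive. The sample text is constructed from the values shown in the listings above (the stray leading <code>;</code> that copy-paste sometimes adds is tolerated); the function names and the <code>Expires</code> tuple handling are my own, and no meaning is assigned to the two <code>Expires</code> numbers beyond keeping them as the firewall prints them.</p>

```python
"""Offline parser for Check Point `fw tab -f -t <table>` (cptfmt) output.

Added example for this post (not the blog's or Check Point's code).
"""
import ipaddress
import re
import sys

# Constructed sample, modelled on the listings in the post (not a live capture).
SAMPLE = """\
Using cptfmt
localhost:
Date: Apr 7, 2010
 8:26:33 192.168.29.25> : (+)====================================(+); Table_Name: vpn_enc_domain; : (+); Attributes: static, id 381; product: VPN-1 & FireWall-1;
8:26:33 192.168.29.25> : (+); First: 10.20.201.1; ,Last: 10.20.201.3; product: VPN-1 & FireWall-1;
8:26:33 192.168.29.25> : (+); First: 172.18.1.0; ,Last: 172.18.1.255; product: VPN-1 & FireWall-1;
;8:26:33 192.168.29.25> : (+); First: 192.168.21.0; ,Last: 192.168.21.255; product: VPN-1 & FireWall-1;
 8:34:56 192.168.29.25> : (+)====================================(+); Table_Name: inbound_SPI; : (+); Attributes: dynamic, id 289, attributes: keep, sync, expires 3600, limit 40800, hashsize 65536; product: VPN-1 & FireWall-1;
 8:34:56 192.168.29.25> : (+); SPI: d21c5e68; CPTFMT_sep: ;; Protocol: IPSEC_ESP_SA(2); ,Schema: IKE(3); ,me: 192.168.22.11; ,peer: 122.18.9.20; ,owner: 127.0.0.1; ,MyRange:First: 192.168.21.0; Last: 192.168.21.255; ,PeerRange:First: 192.168.214.0; PeerLast: 192.168.214.255; ,HWInitialized: NO; ,MSPI: 13; ,Host: 192.168.22.11; ,Peer: 122.18.9.20; Expires: 2149/3610; product: VPN-1 & FireWall-1;
 8:36:36 192.168.29.25> : (+)====================================(+); Table_Name: IKE_peers; : (+); Attributes: dynamic, id 333, attributes: keep, sync, expires never, limit 25000, hashsize 512; product: VPN-1 & FireWall-1;
 8:36:36 192.168.29.25> IkePeer: 212.13.12.128; : (+); Expires: 876861451/2147483647; product: VPN-1 & FireWall-1;
"""

# "<H:MM:SS> <host>> " prefix printed before every table line; a stray ';'
# sometimes precedes it in copy-pasted output, so it is tolerated.
LINE_PREFIX = re.compile(r'^\s*;?\s*\d{1,2}:\d{2}:\d{2}\s+\S+>\s*')
# One "key: value" field between ';' separators.  Keys such as MyRange:First
# keep their inner colon; a leading ',' is cptfmt's field separator and is dropped.
FIELD = re.compile(r'^\s*,?\s*([A-Za-z_]+(?::[A-Za-z_]+)*)\s*:\s*(.*?)\s*$')


def parse_fw_tab(text):
    """Return {table_name: [entry_dict, ...]} for every table in the output."""
    tables = {}
    current = None
    for raw in text.splitlines():
        m = LINE_PREFIX.match(raw)
        if not m:
            continue  # banner lines: "Using cptfmt", "localhost:", "Date: ..."
        fields = {}
        for part in raw[m.end():].split(';'):
            f = FIELD.match(part)
            if f:
                fields[f.group(1)] = f.group(2)
        if 'Table_Name' in fields:        # "(+)====(+); Table_Name: X; Attributes: ..."
            current = fields['Table_Name']
            tables.setdefault(current, [])
        elif current is not None and fields:
            fields.pop('product', None)   # "VPN-1 & FireWall-1" on every line, no information
            tables[current].append(fields)
    return tables


def encryption_domain(tables, table='vpn_enc_domain'):
    """(first, last) address pairs of the encryption domain held in `table`."""
    return [(ipaddress.ip_address(e['First']), ipaddress.ip_address(e['Last']))
            for e in tables.get(table, []) if 'First' in e and 'Last' in e]


def in_encryption_domain(tables, ip, table='vpn_enc_domain'):
    """True if `ip` falls inside any range of the encryption domain."""
    addr = ipaddress.ip_address(ip)
    return any(first <= addr <= last for first, last in encryption_domain(tables, table))


def spi_summary(tables):
    """The fields of each inbound SA a practitioner usually looks at."""
    out = []
    for e in tables.get('inbound_SPI', []):
        out.append({
            'spi': e.get('SPI'),
            'protocol': e.get('Protocol'),
            'peer': e.get('peer'),
            'local_range': (e.get('MyRange:First'), e.get('Last')),
            'peer_range': (e.get('PeerRange:First'), e.get('PeerLast')),
            # kept as the pair the firewall prints, e.g. (2149, 3610)
            'expires': tuple(int(x) for x in e.get('Expires', '0/0').split('/')),
        })
    return out


def ike_peers(tables):
    """Addresses of peers present in IKE_peers."""
    return [e['IkePeer'] for e in tables.get('IKE_peers', []) if 'IkePeer' in e]


if __name__ == '__main__':
    # Pipe real output in, e.g. `fw tab -f -t inbound_SPI | python3 fwtab.py`;
    # without a pipe the constructed sample is used.
    t = parse_fw_tab(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    for first, last in encryption_domain(t):
        print(f'enc domain: {first} - {last}')
    for s in spi_summary(t):
        print(f"SPI {s['spi']} {s['protocol']} peer {s['peer']} "
              f"local {s['local_range'][0]}-{s['local_range'][1]} "
              f"remote {s['peer_range'][0]}-{s['peer_range'][1]} expires {s['expires']}")
    print('IKE peers:', ', '.join(ike_peers(t)))
```

<p>Feeding the parser the output of several <code>fw tab -f -t</code> commands concatenated works too, because each <code>Table_Name</code> header starts a new table. On a cluster, remember that <code>inbound_SPI</code> is marked <code>sync</code>, so the same SPI should appear on both members; comparing the parsed lists from each member is a quick way to spot a state-sync problem.</p>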
<p>To see the active VPN peers whose IKE phase is up:<br>
<strong>fw tab -f -t IKE_peers</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">Date</span><span class="o">:</span><span class="w"> </span><span class="n">Apr</span><span class="w"> </span><span class="mi">7</span><span class="o">,</span><span class="w"> </span><span class="mi">2010</span><span class="w"></span>
<span class="w"> </span><span class="mi">8</span><span class="o">:</span><span class="mi">36</span><span class="o">:</span><span class="mi">36</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+)====================================(+);</span><span class="w"> </span><span class="n">Table_Name</span><span class="o">:</span><span class="w"> </span><span class="n">IKE_peers</span><span class="o">;</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="n">Attributes</span><span class="o">:</span><span class="w"> </span><span class="kd">dynamic</span><span class="o">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">333</span><span class="o">,</span><span class="w"> </span><span class="n">attributes</span><span class="o">:</span><span class="w"> </span><span class="n">keep</span><span class="o">,</span><span class="w"> </span><span class="n">sync</span><span class="o">,</span><span class="w"> </span><span class="n">expires</span><span class="w"> </span><span class="n">never</span><span class="o">,</span><span class="w"> </span><span class="n">limit</span><span class="w"> </span><span class="mi">25000</span><span class="o">,</span><span class="w"> </span><span class="n">hashsize</span><span class="w"> </span><span class="mi">512</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">8</span><span class="o">:</span><span class="mi">36</span><span class="o">:</span><span class="mi">36</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="n">IkePeer</span><span class="o">:</span><span class="w"> </span><span class="mf">212.13</span><span class="o">.</span><span class="mf">12.128</span><span class="o">;</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="n">Expires</span><span class="o">:</span><span class="w"> </span><span class="mi">876861451</span><span class="o">/</span><span class="mi">2147483647</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">8</span><span class="o">:</span><span class="mi">36</span><span class="o">:</span><span class="mi">36</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="n">IkePeer</span><span class="o">:</span><span class="w"> </span><span class="mf">212.13</span><span class="o">.</span><span class="mf">12.129</span><span class="o">;</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="n">Expires</span><span class="o">:</span><span class="w"> </span><span class="mi">876861451</span><span class="o">/</span><span class="mi">2147483647</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
</code></pre></div>
<p>Here you can see what port is used for NAT traversal:<br>
<strong>fw tab -f -t natt_port</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">Date</span><span class="o">:</span><span class="w"> </span><span class="n">Apr</span><span class="w"> </span><span class="mi">7</span><span class="o">,</span><span class="w"> </span><span class="mi">2010</span><span class="w"></span>
<span class="w"> </span><span class="mi">8</span><span class="o">:</span><span class="mi">37</span><span class="o">:</span><span class="mi">34</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+)====================================(+);</span><span class="w"> </span><span class="n">Table_Name</span><span class="o">:</span><span class="w"> </span><span class="n">natt_port</span><span class="o">;</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="n">Attributes</span><span class="o">:</span><span class="w"> </span><span class="kd">dynamic</span><span class="o">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">369</span><span class="o">,</span><span class="w"> </span><span class="n">attributes</span><span class="o">:</span><span class="w"> </span><span class="n">expires</span><span class="w"> </span><span class="n">never</span><span class="o">,</span><span class="w"> </span><span class="n">limit</span><span class="w"> </span><span class="mi">25000</span><span class="o">,</span><span class="w"> </span><span class="n">hashsize</span><span class="w"> </span><span class="mi">4</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">8</span><span class="o">:</span><span class="mi">37</span><span class="o">:</span><span class="mi">34</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="n">Key</span><span class="o">:</span><span class="w"> </span><span class="mi">00001194</span><span class="o">;</span><span class="w"> </span><span class="n">Expires</span><span class="o">:</span><span class="w"> </span><span class="mi">876861393</span><span class="o">/</span><span class="mi">2147483647</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="o">**</span><span class="n">The</span><span class="w"> </span><span class="n">value</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">hex</span><span class="w"> </span><span class="mh">0x1194</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">4500</span><span class="w"> </span><span class="o">**</span><span class="w"></span>
</code></pre></div>
<p>To list the table of IKE Security Associations:<br>
<strong>fw tab -f -t IKE_SA_table</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">Date</span><span class="o">:</span><span class="w"> </span><span class="n">Apr</span><span class="w"> </span><span class="mi">7</span><span class="o">,</span><span class="w"> </span><span class="mi">2010</span><span class="w"></span>
<span class="w"> </span><span class="mi">8</span><span class="o">:</span><span class="mi">41</span><span class="o">:</span><span class="mi">47</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+)====================================(+);</span><span class="w"> </span><span class="n">Table_Name</span><span class="o">:</span><span class="w"> </span><span class="n">IKE_SA_table</span><span class="o">;</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="n">Attributes</span><span class="o">:</span><span class="w"> </span><span class="kd">dynamic</span><span class="o">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">297</span><span class="o">,</span><span class="w"> </span><span class="n">attributes</span><span class="o">:</span><span class="w"> </span><span class="n">keep</span><span class="o">,</span><span class="w"> </span><span class="n">sync</span><span class="o">,</span><span class="w"> </span><span class="n">expires</span><span class="w"> </span><span class="mi">3600</span><span class="o">,</span><span class="w"> </span><span class="n">limit</span><span class="w"> </span><span class="mi">40400</span><span class="o">,</span><span class="w"> </span><span class="n">hashsize</span><span class="w"> </span><span class="mi">65536</span><span class="o">,</span><span class="w"> </span><span class="n">implies</span><span class="w"> </span><span class="mi">296</span><span class="o">,</span><span class="w"> </span><span class="n">kbuf</span><span class="w"> </span><span class="mi">1</span><span class="o">,</span><span class="w"> </span><span class="n">free</span><span class="w"> </span><span class="kd">function</span><span class="w"> </span><span 
class="n">f9b22830</span><span class="w"> </span><span class="mi">0</span><span class="o">,</span><span class="w"> </span><span class="n">post</span><span class="w"> </span><span class="n">sync</span><span class="w"> </span><span class="n">handler</span><span class="w"> </span><span class="n">f9b25d80</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">8</span><span class="o">:</span><span class="mi">41</span><span class="o">:</span><span class="mi">47</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="o">,</span><span class="n">CookieI</span><span class="o">:</span><span class="w"> </span><span class="mi">1</span><span class="n">a4406adfa1e1b26</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="n">CookieR</span><span class="o">:</span><span class="w"> </span><span class="n">a64bea22245f2ac2</span><span class="o">;</span><span class="w"> </span><span class="n">CPTFMT_sep</span><span class="o">:</span><span class="w"> </span><span class="o">;;</span><span class="w"> </span><span class="n">EncryptAlg</span><span class="o">:</span><span class="w"> </span><span class="mi">0</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="n">HashAlg</span><span class="o">:</span><span class="w"> </span><span class="mi">0</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="n">DH_Group</span><span class="o">:</span><span class="w"> </span><span class="mi">0</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="n">AuthMethod</span><span class="o">:</span><span class="w"> </span><span class="mi">1</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="n">Flags</span><span class="o">:</span><span class="w"> </span><span class="mi">0</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="n">RenegotiationTime</span><span class="o">:</span><span class="w"> </span><span class="mi">2046191617</span><span class="o">;</span><span class="w"> </span><span 
class="n">Expires</span><span class="o">:</span><span class="w"> </span><span class="mi">20089</span><span class="o">/</span><span class="mi">86399</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
</code></pre></div>
<p>Pretty much the same data, as a count of peers:<br>
<strong>fw tab -f -t peers_count</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">Date</span><span class="o">:</span><span class="w"> </span><span class="n">Apr</span><span class="w"> </span><span class="mi">7</span><span class="o">,</span><span class="w"> </span><span class="mi">2010</span><span class="w"></span>
<span class="w"> </span><span class="mi">8</span><span class="o">:</span><span class="mi">46</span><span class="o">:</span><span class="mi">48</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+)====================================(+);</span><span class="w"> </span><span class="n">Table_Name</span><span class="o">:</span><span class="w"> </span><span class="n">peers_count</span><span class="o">;</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="n">Attributes</span><span class="o">:</span><span class="w"> </span><span class="kd">dynamic</span><span class="o">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">332</span><span class="o">,</span><span class="w"> </span><span class="n">attributes</span><span class="o">:</span><span class="w"> </span><span class="n">keep</span><span class="o">,</span><span class="w"> </span><span class="n">expires</span><span class="w"> </span><span class="n">never</span><span class="o">,</span><span class="w"> </span><span class="n">limit</span><span class="w"> </span><span class="mi">10200</span><span class="o">,</span><span class="w"> </span><span class="n">hashsize</span><span class="w"> </span><span class="mi">16384</span><span class="o">,</span><span class="w"> </span><span class="n">kbuf</span><span class="w"> </span><span class="mi">1</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span 
class="w"></span>
<span class="w"> </span><span class="mi">8</span><span class="o">:</span><span class="mi">46</span><span class="o">:</span><span class="mi">48</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="n">IPsec</span><span class="w"> </span><span class="n">peer</span><span class="o">:</span><span class="w"> </span><span class="mf">31.112</span><span class="o">.</span><span class="mf">182.6</span><span class="o">;</span><span class="w"> </span><span class="n">CPTFMT_sep</span><span class="o">:</span><span class="w"> </span><span class="o">;;</span><span class="w"> </span><span class="o">,</span><span class="n">Ref</span><span class="o">-</span><span class="n">count</span><span class="o">:</span><span class="w"> </span><span class="mi">2</span><span class="o">;</span><span class="w"> </span><span class="n">Expires</span><span class="o">:</span><span class="w"> </span><span class="mi">876860840</span><span class="o">/</span><span class="mi">2147483647</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">8</span><span class="o">:</span><span class="mi">46</span><span class="o">:</span><span class="mi">48</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="n">IPsec</span><span class="w"> </span><span class="n">peer</span><span class="o">:</span><span class="w"> </span><span class="mf">122.18</span><span class="o">.</span><span class="mf">9.20</span><span class="o">;</span><span class="w"> </span><span class="n">CPTFMT_sep</span><span class="o">:</span><span class="w"> </span><span class="o">;;</span><span class="w"> </span><span class="o">,</span><span class="n">Ref</span><span class="o">-</span><span class="n">count</span><span class="o">:</span><span class="w"> </span><span class="mi">1</span><span class="o">;</span><span class="w"> </span><span class="n">Expires</span><span class="o">:</span><span class="w"> </span><span class="mi">876860840</span><span class="o">/</span><span class="mi">2147483647</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
</code></pre></div>
<p>List of hosts with which this firewall currently has open sessions (whatever they may be):<br>
<strong>fw tab -f -t static_interface_resolve</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">Date</span><span class="o">:</span><span class="w"> </span><span class="n">Apr</span><span class="w"> </span><span class="mi">7</span><span class="o">,</span><span class="w"> </span><span class="mi">2010</span><span class="w"></span>
<span class="w"> </span><span class="mi">8</span><span class="o">:</span><span class="mi">55</span><span class="o">:</span><span class="mi">59</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+)====================================(+);</span><span class="w"> </span><span class="n">Table_Name</span><span class="o">:</span><span class="w"> </span><span class="n">static_interface_resolve</span><span class="o">;</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="n">Attributes</span><span class="o">:</span><span class="w"> </span><span class="kd">static</span><span class="o">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">387</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">8</span><span class="o">:</span><span class="mi">55</span><span class="o">:</span><span class="mi">59</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="n">Peer_interface</span><span class="o">:</span><span class="w"> </span><span class="mf">10.20</span><span class="o">.</span><span class="mf">20.1</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="n">Peer_main_addr</span><span class="o">:</span><span class="w"> </span><span class="mf">21.23</span><span class="o">.</span><span class="mf">9.2</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">8</span><span class="o">:</span><span class="mi">55</span><span class="o">:</span><span class="mi">59</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="n">Peer_interface</span><span class="o">:</span><span class="w"> </span><span class="mf">58.13</span><span class="o">.</span><span class="mf">2.78</span><span class="o">;</span><span class="w"> </span><span class="n">Peer_resolved_addr</span><span class="o">:</span><span class="w"> </span><span class="mf">58.13</span><span class="o">.</span><span class="mf">2.78</span><span class="o">;</span><span class="w"> </span><span class="o">,</span><span class="n">Peer_main_addr</span><span class="o">:</span><span class="w"> </span><span class="mf">58.13</span><span class="o">.</span><span class="mf">2.78</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
</code></pre></div>
<p>To list the numbers of the NAT rules, as they appear in SmartDashboard, that have Any as the destination and as the source respectively:<br>
#<strong>fw tab -f -t NAT_dst_any_list</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">Date</span><span class="o">:</span><span class="w"> </span><span class="n">Apr</span><span class="w"> </span><span class="mi">7</span><span class="o">,</span><span class="w"> </span><span class="mi">2010</span><span class="w"></span>
<span class="w"> </span><span class="mi">9</span><span class="o">:</span><span class="mi">01</span><span class="o">:</span><span class="mi">13</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+)====================================(+);</span><span class="w"> </span><span class="n">Table_Name</span><span class="o">:</span><span class="w"> </span><span class="n">NAT_dst_any_list</span><span class="o">;</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="n">Attributes</span><span class="o">:</span><span class="w"> </span><span class="kd">static</span><span class="o">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">434</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">9</span><span class="o">:</span><span class="mi">01</span><span class="o">:</span><span class="mi">13</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="n">Key</span><span class="o">:</span><span class="w"> </span><span class="mi">0000000</span><span class="n">a</span><span class="o">,</span><span class="w"> </span><span class="mi">0000000</span><span class="n">a</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"> </span><span class="c1">//Rule number 10</span>
<span class="w"> </span><span class="mi">9</span><span class="o">:</span><span class="mi">01</span><span class="o">:</span><span class="mi">13</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="n">Key</span><span class="o">:</span><span class="w"> </span><span class="mi">0000000</span><span class="n">c</span><span class="o">,</span><span class="w"> </span><span class="mi">0000000</span><span class="n">c</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"> </span><span class="c1">//Rule number 12</span>
<span class="w"> </span><span class="mi">9</span><span class="o">:</span><span class="mi">01</span><span class="o">:</span><span class="mi">13</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="n">Key</span><span class="o">:</span><span class="w"> </span><span class="mi">0000000</span><span class="n">e</span><span class="o">,</span><span class="w"> </span><span class="mi">0000000</span><span class="n">e</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
</code></pre></div>
<p>#<strong>fw tab -f -t NAT_src_any_list</strong> </p>
<div class="highlight"><pre><span></span><code><span class="n">Date</span><span class="o">:</span><span class="w"> </span><span class="n">Apr</span><span class="w"> </span><span class="mi">7</span><span class="o">,</span><span class="w"> </span><span class="mi">2010</span><span class="w"></span>
<span class="w"> </span><span class="mi">9</span><span class="o">:</span><span class="mi">00</span><span class="o">:</span><span class="mi">31</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+)====================================(+);</span><span class="w"> </span><span class="n">Table_Name</span><span class="o">:</span><span class="w"> </span><span class="n">NAT_src_any_list</span><span class="o">;</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="n">Attributes</span><span class="o">:</span><span class="w"> </span><span class="kd">static</span><span class="o">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">433</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">9</span><span class="o">:</span><span class="mi">00</span><span class="o">:</span><span class="mi">31</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="n">Key</span><span class="o">:</span><span class="w"> </span><span class="mi">00000006</span><span class="o">,</span><span class="w"> </span><span class="mi">00000006</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"> </span><span class="c1">// Rule number 6</span>
<span class="w"> </span><span class="mi">9</span><span class="o">:</span><span class="mi">00</span><span class="o">:</span><span class="mi">31</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="n">Key</span><span class="o">:</span><span class="w"> </span><span class="mi">00000007</span><span class="o">,</span><span class="w"> </span><span class="mi">00000007</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"> </span><span class="c1">// Rule number 7</span>
</code></pre></div>
<p>List all NAT rules.<br>
Here all IP addresses are shown in hexadecimal. To translate one to the usual dotted-decimal form I convert (say, using calc.exe) hex to integer, then use some Internet converter to turn the integer into dotted decimal. Note that each pair of hex digits is one octet, so c0a8d1fd is 192.168.209.253. Comments in () are mine.
<strong>fw tab -f -t NAT_rules</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">Date</span><span class="o">:</span><span class="w"> </span><span class="n">Apr</span><span class="w"> </span><span class="mi">7</span><span class="o">,</span><span class="w"> </span><span class="mi">2010</span><span class="w"></span>
<span class="w"> </span><span class="mi">9</span><span class="o">:</span><span class="mi">02</span><span class="o">:</span><span class="mi">19</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+)====================================(+);</span><span class="w"> </span><span class="n">Table_Name</span><span class="o">:</span><span class="w"> </span><span class="n">NAT_rules</span><span class="o">;</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="n">Attributes</span><span class="o">:</span><span class="w"> </span><span class="kd">static</span><span class="o">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">435</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">9</span><span class="o">:</span><span class="mi">02</span><span class="o">:</span><span class="mi">19</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">29.25</span><span class="o">></span><span class="w"> </span><span class="n">Key</span><span class="o">:</span><span class="w"> </span><span class="mi">00000001</span><span class="o">(</span><span class="n">Rule</span><span class="w"> </span><span class="n">number</span><span class="o">);</span><span class="w"> </span><span class="n">CPTFMT_sep</span><span class="o">:</span><span class="w"> </span><span class="o">;;</span><span class="w"> </span><span class="n">Data</span><span class="o">:</span><span class="w"> </span><span class="mi">00000000</span><span class="o">,</span><span class="w"> </span><span class="mi">00000000</span><span class="o">,</span><span class="w"> </span><span class="n">ff000001</span><span class="w"> </span><span class="o">(</span><span class="mf">255.0</span><span class="o">.</span><span class="mf">0.1</span><span class="o">)</span><span class="w"> </span><span class="o">,</span><span class="w"> </span><span class="n">BD8AFF3C</span><span class="w"> </span><span class="o">(</span><span class="mf">189.138</span><span class="o">.</span><span class="mf">255.60</span><span class="w"> </span><span class="n">Original</span><span class="w"> </span><span class="n">Src</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">Nat</span><span class="w"> </span><span class="n">rule</span><span class="o">),</span><span class="w"> </span><span class="n">BD8AFF3C</span><span class="o">,</span><span class="w"> </span><span class="n">c0a8d1fd</span><span class="w"> </span><span class="o">(</span><span class="mf">192.168</span><span class="o">.</span><span class="mf">209.253</span><span class="w"> </span><span class="n">Translated</span><span class="w"> </span><span 
class="n">source</span><span class="w"> </span><span class="n">IP</span><span class="o">),</span><span class="w"> </span><span class="n">ff010202</span><span class="w"> </span><span class="o">(</span><span class="mf">255.1</span><span class="o">.</span><span class="mf">2.2</span><span class="o">),</span><span class="w"> </span><span class="n">C0A81596</span><span class="w"> </span><span class="o">(</span><span class="mf">192.168</span><span class="o">.</span><span class="mf">21.150</span><span class="w"> </span><span class="n">Original</span><span class="w"> </span><span class="n">packet</span><span class="w"> </span><span class="n">destination</span><span class="o">)</span><span class="w"> </span><span class="o">,</span><span class="w"> </span><span class="n">C0A81596</span><span class="o">,</span><span class="w"> </span><span class="n">C0A81596</span><span class="o">,</span><span class="w"> </span><span class="mi">00000000</span><span class="o">,</span><span class="w"> </span><span class="mi">00000000</span><span class="o">,</span><span class="w"> </span><span class="mi">00000000</span><span class="o">,</span><span class="w"> </span><span class="mi">00000000</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
</code></pre></div>
<p>List the connections table, that is, the state table of connections currently passing through (or terminating on) the firewall:<br>
<strong>fw tab -f -t connections</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">Date</span><span class="o">:</span><span class="w"> </span><span class="n">Apr</span><span class="w"> </span><span class="mi">7</span><span class="o">,</span><span class="w"> </span><span class="mi">2010</span><span class="w"></span>
<span class="mi">10</span><span class="o">:</span><span class="mi">22</span><span class="o">:</span><span class="mi">43</span><span class="w"> </span><span class="mf">80.19</span><span class="o">.</span><span class="mf">1.150</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+)====================================(+);</span><span class="w"> </span><span class="n">Table_Name</span><span class="o">:</span><span class="w"> </span><span class="n">connections</span><span class="o">;</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">(+);</span><span class="w"> </span><span class="n">Attributes</span><span class="o">:</span><span class="w"> </span><span class="kd">dynamic</span><span class="o">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">8158</span><span class="o">,</span><span class="w"> </span><span class="n">attributes</span><span class="o">:</span><span class="w"> </span><span class="n">keep</span><span class="o">,</span><span class="w"> </span><span class="n">sync</span><span class="o">,</span><span class="w"> </span><span class="n">aggressive</span><span class="w"> </span><span class="n">aging</span><span class="o">,</span><span class="w"> </span><span class="n">kbuf</span><span class="w"> </span><span class="mi">17</span><span class="w"> </span><span class="mi">18</span><span class="w"> </span><span class="mi">19</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">21</span><span class="w"> </span><span class="mi">22</span><span class="w"> </span><span class="mi">23</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="mi">25</span><span class="w"> </span><span class="mi">26</span><span class="w"> </span><span class="mi">27</span><span class="w"> </span><span class="mi">28</span><span class="w"> </span><span 
class="mi">29</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="mi">31</span><span class="o">,</span><span class="w"> </span><span class="n">expires</span><span class="w"> </span><span class="mi">60</span><span class="o">,</span><span class="w"> </span><span class="n">refresh</span><span class="o">,</span><span class="w"> </span><span class="n">limit</span><span class="w"> </span><span class="mi">75000</span><span class="o">,</span><span class="w"> </span><span class="n">hashsize</span><span class="w"> </span><span class="mi">262144</span><span class="o">,</span><span class="w"> </span><span class="n">free</span><span class="w"> </span><span class="kd">function</span><span class="w"> </span><span class="n">f9faf4e0</span><span class="w"> </span><span class="mi">0</span><span class="o">,</span><span class="w"> </span><span class="n">post</span><span class="w"> </span><span class="n">sync</span><span class="w"> </span><span class="n">handler</span><span class="w"> </span><span class="n">f9fa3470</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
<span class="mi">10</span><span class="o">:</span><span class="mi">22</span><span class="o">:</span><span class="mi">43</span><span class="w"> </span><span class="mf">80.19</span><span class="o">.</span><span class="mf">1.150</span><span class="o">></span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="o">-----------------------------------(+);</span><span class="w"> </span><span class="n">Direction</span><span class="o">:</span><span class="w"> </span><span class="mi">1</span><span class="o">;</span><span class="w"> </span><span class="n">Source</span><span class="o">:</span><span class="w"> </span><span class="mf">172.17</span><span class="o">.</span><span class="mf">110.111</span><span class="o">;</span><span class="w"> </span><span class="n">SPort</span><span class="o">:</span><span class="w"> </span><span class="mi">1517</span><span class="o">;</span><span class="w"> </span><span class="n">Dest</span><span class="o">:</span><span class="w"> </span><span class="mf">210.48</span><span class="o">.</span><span class="mf">77.30</span><span class="o">;</span><span class="w"> </span><span class="n">DPort</span><span class="o">:</span><span class="w"> </span><span class="mi">443</span><span class="o">;</span><span class="w"> </span><span class="n">Protocol</span><span class="o">:</span><span class="w"> </span><span class="n">tcp</span><span class="o">;</span><span class="w"> </span><span class="n">CPTFMT_sep_1</span><span class="o">:</span><span class="w"> </span><span class="o">->;</span><span class="w"> </span><span class="n">Direction_1</span><span class="o">:</span><span class="w"> </span><span class="mi">0</span><span class="o">;</span><span class="w"> </span><span class="n">Source_1</span><span class="o">:</span><span class="w"> </span><span class="mf">172.17</span><span class="o">.</span><span class="mf">110.111</span><span class="o">;</span><span class="w"> </span><span class="n">SPort_1</span><span class="o">:</span><span 
class="w"> </span><span class="mi">1517</span><span class="o">;</span><span class="w"> </span><span class="n">Dest_1</span><span class="o">:</span><span class="w"> </span><span class="mf">210.48</span><span class="o">.</span><span class="mf">77.30</span><span class="o">;</span><span class="w"> </span><span class="n">DPort_1</span><span class="o">:</span><span class="w"> </span><span class="mi">443</span><span class="o">;</span><span class="w"> </span><span class="n">Protocol_1</span><span class="o">:</span><span class="w"> </span><span class="n">tcp</span><span class="o">;</span><span class="w"> </span><span class="n">FW_symval</span><span class="o">:</span><span class="w"> </span><span class="mi">2</span><span class="o">;</span><span class="w"> </span><span class="n">product</span><span class="o">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="o">;</span><span class="w"></span>
</code></pre></div>
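<p>Both tables above are easier to read with a small parser. The following Python script is an added example and not part of the original post: it splits each <code>fw tab -f</code> record into its <code>Name: value</code> fields, decodes the 8-hex-digit words of the NAT_rules Data column into dotted-decimal addresses (two hex digits per octet, so no calculator round trip is needed), and pulls the 5-tuple out of each connections record. The sample dump embedded in it is constructed from the output shown above, shortened and with the annotations removed. The position-to-meaning mapping for the NAT_rules words (original source, translated source, original destination) follows the annotations above and is an assumption drawn from one record, not a documented layout.</p>

```python
"""Decode Check Point `fw tab -f` dumps: split each record into fields and
turn the 8-hex-digit words of the NAT_rules Data column into dotted-decimal
IPv4 addresses, and extract the 5-tuple of each connections-table record.

Added example, not from the original post. SAMPLE_DUMP is constructed from
the output shown above (shortened, author's annotations removed).
"""
import re
import ipaddress
from typing import Dict, Iterator, List, Tuple

SAMPLE_DUMP = """\
Date: Apr 7, 2010
 9:02:19 192.168.29.25> : (+)====================================(+); Table_Name: NAT_rules; : (+); Attributes: static, id 435; product: VPN-1 & FireWall-1;
 9:02:19 192.168.29.25> Key: 00000001; CPTFMT_sep: ;; Data: 00000000, 00000000, ff000001, BD8AFF3C, BD8AFF3C, c0a8d1fd, ff010202, C0A81596, C0A81596, C0A81596, 00000000, 00000000, 00000000, 00000000; product: VPN-1 & FireWall-1;
10:22:43 80.19.1.150> : (+)====================================(+); Table_Name: connections; : (+); Attributes: dynamic, id 8158, expires 60, limit 75000; product: VPN-1 & FireWall-1;
10:22:43 80.19.1.150> : -----------------------------------(+); Direction: 1; Source: 172.17.110.111; SPort: 1517; Dest: 210.48.77.30; DPort: 443; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1: 172.17.110.111; SPort_1: 1517; Dest_1: 210.48.77.30; DPort_1: 443; Protocol_1: tcp; FW_symval: 2; product: VPN-1 & FireWall-1;
10:22:43 80.19.1.150> More_Entries: 7782; product: VPN-1 & FireWall-1;
"""

# "HH:MM:SS <host>> " prefix that fw tab -f puts in front of every record line
PREFIX = re.compile(r"^\s*\d{1,2}:\d{2}:\d{2}\s+\S+>\s*")
HEX_WORD = re.compile(r"^[0-9a-fA-F]{8}$")


def parse_record(text: str) -> Dict[str, str]:
    """Split 'Name: value; Name: value;' into a dict. Nameless chunks such as
    the '(+)====(+)' and '-----(+)' separators are dropped."""
    fields: Dict[str, str] = {}
    for chunk in text.split(";"):
        name, sep, value = chunk.partition(":")
        if sep and name.strip():
            fields[name.strip()] = value.strip()
    return fields


def records(dump: str) -> Iterator[Tuple[str, Dict[str, str]]]:
    """Yield (table_name, fields) for each entry of a dump, skipping the
    Date line, the per-table banner and the More_Entries trailer."""
    table = ""
    for raw in dump.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        fields = parse_record(raw[m.end():])
        if "Table_Name" in fields:
            table = fields["Table_Name"]
        elif fields and "More_Entries" not in fields:
            yield table, fields


def hex_to_ip(word: str) -> str:
    """'c0a8d1fd' -> '192.168.209.253': the word is an IPv4 address in
    network byte order, so the high byte is the first octet."""
    return str(ipaddress.IPv4Address(int(word, 16)))


def decode_nat_rule(fields: Dict[str, str]) -> Dict[str, object]:
    """Decode one NAT_rules record. The named positions (data[3] original
    source, data[5] translated source, data[7] original destination) are an
    assumption taken from the annotated record in the post, not a documented
    layout, so the full decoded word list is returned as well."""
    words: List[str] = [w.strip() for w in fields["Data"].split(",")]
    data = [hex_to_ip(w) if HEX_WORD.match(w) else w for w in words]
    return {
        "rule": int(fields["Key"].split(",")[0], 16),
        "original_src": data[3],
        "translated_src": data[5],
        "original_dst": data[7],
        "data": data,
    }


def five_tuple(fields: Dict[str, str]) -> Tuple[str, int, str, int, str]:
    """(src, sport, dst, dport, proto) of a connections-table record."""
    return (fields["Source"], int(fields["SPort"]),
            fields["Dest"], int(fields["DPort"]), fields["Protocol"])


def summarize(dump: str) -> Dict[str, list]:
    """Group decoded entries by table; tables without a decoder stay raw."""
    out: Dict[str, list] = {}
    for table, fields in records(dump):
        if table == "NAT_rules":
            item = decode_nat_rule(fields)
        elif table == "connections":
            item = five_tuple(fields)
        else:
            item = fields
        out.setdefault(table, []).append(item)
    return out


if __name__ == "__main__":
    for table, items in summarize(SAMPLE_DUMP).items():
        print(table)
        for item in items:
            print("  ", item)
```

<p>Run it as a script to print the decoded sample, or call <code>summarize()</code> on the saved text of a real <code>fw tab -f -t NAT_rules</code> run; <code>records()</code> tolerates the <code>Date:</code>, banner and <code>More_Entries</code> lines, so the whole dump can be passed in unedited.</p>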
<p>This table appears to be related to IPS: the entries below are protection names and inspection error strings:<br>
<strong>fw tab -f -t string_dictionary_table</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">Date</span><span class="p">:</span><span class="w"> </span><span class="n">Apr</span><span class="w"> </span><span class="mi">7</span><span class="p">,</span><span class="w"> </span><span class="mi">2010</span><span class="w"></span>
<span class="mi">10</span><span class="p">:</span><span class="mi">23</span><span class="p">:</span><span class="mi">52</span><span class="w"> </span><span class="mf">80.19</span><span class="o">.</span><span class="mf">1.150</span><span class="o">></span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">(</span><span class="o">+</span><span class="p">)</span><span class="o">====================================</span><span class="p">(</span><span class="o">+</span><span class="p">);</span><span class="w"> </span><span class="n">Table_Name</span><span class="p">:</span><span class="w"> </span><span class="n">string_dictionary_table</span><span class="p">;</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">(</span><span class="o">+</span><span class="p">);</span><span class="w"> </span><span class="n">Attributes</span><span class="p">:</span><span class="w"> </span><span class="n">dynamic</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">8135</span><span class="p">,</span><span class="w"> </span><span class="n">attributes</span><span class="p">:</span><span class="w"> </span><span class="n">keep</span><span class="w"> </span><span class="n">level</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="n">kbuf</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="n">expires</span><span class="w"> </span><span class="n">never</span><span class="p">,</span><span class="w"> </span><span class="n">limit</span><span class="w"> </span><span class="mi">32768</span><span class="p">,</span><span class="w"> </span><span class="n">hashsize</span><span class="w"> </span><span class="mi">4096</span><span class="p">;</span><span class="w"> </span><span class="n">product</span><span class="p">:</span><span 
class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
<span class="mi">10</span><span class="p">:</span><span class="mi">23</span><span class="p">:</span><span class="mi">52</span><span class="w"> </span><span class="mf">80.19</span><span class="o">.</span><span class="mf">1.150</span><span class="o">></span><span class="w"> </span><span class="n">Expires</span><span class="p">:</span><span class="w"> </span><span class="mi">876858615</span><span class="o">/</span><span class="mi">2147483647</span><span class="p">;</span><span class="w"> </span><span class="n">product</span><span class="p">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">10</span><span class="p">:</span><span class="mi">23</span><span class="p">:</span><span class="mi">52</span><span class="w"> </span><span class="mf">80.19</span><span class="o">.</span><span class="mf">1.150</span><span class="o">></span><span class="w"> </span><span class="n">Expires</span><span class="p">:</span><span class="w"> </span><span class="mi">876858615</span><span class="o">/</span><span class="mi">2147483647</span><span class="p">;</span><span class="w"> </span><span class="n">product</span><span class="p">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">10</span><span class="p">:</span><span class="mi">23</span><span class="p">:</span><span class="mi">52</span><span class="w"> </span><span class="mf">80.19</span><span class="o">.</span><span class="mf">1.150</span><span class="o">></span><span class="w"> </span><span class="n">Hash</span><span class="p">:</span><span class="w"> </span><span class="n">dc17462d0fdcfdfd42c80679dbd63b4</span><span class="p">;</span><span class="w"> </span><span class="n">ID</span><span class="p">:</span><span class="w"> </span><span class="mi">3672</span><span class="p">;</span><span class="w"> </span><span class="n">Data</span><span class="p">:</span><span class="w"> </span><span class="n">Microsoft</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="n">search</span><span class="o">-</span><span class="n">ms</span><span class="w"> </span><span class="n">protocol</span><span class="w"> </span><span class="n">handler</span><span class="w"> </span><span class="n">command</span><span class="w"> </span><span class="n">execution</span><span class="w"> </span><span class="p">(</span><span class="n">MS08</span><span class="o">-</span><span class="mi">075</span><span class="p">);</span><span class="w"> </span><span class="n">Expires</span><span class="p">:</span><span class="w"> </span><span class="mi">876858615</span><span class="o">/</span><span class="mi">2147483647</span><span class="p">;</span><span class="w"> </span><span class="n">product</span><span class="p">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">10</span><span class="p">:</span><span class="mi">23</span><span class="p">:</span><span class="mi">52</span><span class="w"> </span><span class="mf">80.19</span><span class="o">.</span><span class="mf">1.150</span><span class="o">></span><span class="w"> </span><span class="n">Expires</span><span class="p">:</span><span class="w"> </span><span class="mi">876858615</span><span class="o">/</span><span class="mi">2147483647</span><span class="p">;</span><span class="w"> </span><span class="n">product</span><span class="p">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">10</span><span class="p">:</span><span class="mi">23</span><span class="p">:</span><span class="mi">52</span><span class="w"> </span><span class="mf">80.19</span><span class="o">.</span><span class="mf">1.150</span><span class="o">></span><span class="w"> </span><span class="n">Expires</span><span class="p">:</span><span class="w"> </span><span class="mi">876858615</span><span class="o">/</span><span class="mi">2147483647</span><span class="p">;</span><span class="w"> </span><span class="n">product</span><span class="p">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">10</span><span class="p">:</span><span class="mi">23</span><span class="p">:</span><span class="mi">52</span><span class="w"> </span><span class="mf">80.19</span><span class="o">.</span><span class="mf">1.150</span><span class="o">></span><span class="w"> </span><span class="n">Hash</span><span class="p">:</span><span class="w"> </span><span class="n">e36d6da340f3ce9df3d02fd991b07765</span><span class="p">;</span><span class="w"> </span><span class="n">ID</span><span class="p">:</span><span class="w"> </span><span class="mi">822</span><span class="p">;</span><span class="w"> </span><span class="n">Data</span><span class="p">:</span><span class="w"> </span><span class="n">Command</span><span class="w"> </span><span class="s1">'</span><span class="si">%s</span><span class="s1">'</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">out</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">expected</span><span class="w"> </span><span class="n">state</span><span class="w"> </span><span class="s1">'</span><span class="si">%s</span><span class="s1">'</span><span class="p">;</span><span class="w"> </span><span class="n">Expires</span><span class="p">:</span><span class="w"> </span><span class="mi">876858615</span><span class="o">/</span><span class="mi">2147483647</span><span class="p">;</span><span class="w"> </span><span class="n">product</span><span class="p">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">10</span><span class="p">:</span><span class="mi">23</span><span class="p">:</span><span class="mi">52</span><span class="w"> </span><span class="mf">80.19</span><span class="o">.</span><span class="mf">1.150</span><span class="o">></span><span class="w"> </span><span class="n">Hash</span><span class="p">:</span><span class="w"> </span><span class="n">c377d9acdbb7a8a3cd182b514df494d</span><span class="p">;</span><span class="w"> </span><span class="n">ID</span><span class="p">:</span><span class="w"> </span><span class="mi">657</span><span class="p">;</span><span class="w"> </span><span class="n">Data</span><span class="p">:</span><span class="w"> </span><span class="n">smtp_block_bin_enable</span><span class="p">;</span><span class="w"> </span><span class="n">Expires</span><span class="p">:</span><span class="w"> </span><span class="mi">876858615</span><span class="o">/</span><span class="mi">2147483647</span><span class="p">;</span><span class="w"> </span><span class="n">product</span><span class="p">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">10</span><span class="p">:</span><span class="mi">23</span><span class="p">:</span><span class="mi">52</span><span class="w"> </span><span class="mf">80.19</span><span class="o">.</span><span class="mf">1.150</span><span class="o">></span><span class="w"> </span><span class="n">Hash</span><span class="p">:</span><span class="w"> </span><span class="mi">34</span><span class="n">bd42a272028c23476653dfcbac806d</span><span class="p">;</span><span class="w"> </span><span class="n">ID</span><span class="p">:</span><span class="w"> </span><span class="mi">648</span><span class="p">;</span><span class="w"> </span><span class="n">Data</span><span class="p">:</span><span class="w"> </span><span class="n">Out</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">bounds</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">an</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="n">was</span><span class="w"> </span><span class="n">given</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">references</span><span class="w"> </span><span class="n">outside</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">packet</span><span class="p">;</span><span class="w"> </span><span class="n">Expires</span><span class="p">:</span><span class="w"> </span><span class="mi">876858615</span><span class="o">/</span><span class="mi">2147483647</span><span class="p">;</span><span class="w"> </span><span class="n">product</span><span class="p">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">10</span><span class="p">:</span><span class="mi">23</span><span class="p">:</span><span class="mi">52</span><span class="w"> </span><span class="mf">80.19</span><span class="o">.</span><span class="mf">1.150</span><span class="o">></span><span class="w"> </span><span class="n">Hash</span><span class="p">:</span><span class="w"> </span><span class="n">b8d505cb64b542f15dcea55a93802fb</span><span class="p">;</span><span class="w"> </span><span class="n">ID</span><span class="p">:</span><span class="w"> </span><span class="mi">2681</span><span class="p">;</span><span class="w"> </span><span class="n">Data</span><span class="p">:</span><span class="w"> </span><span class="n">Cisco</span><span class="w"> </span><span class="n">IOS</span><span class="w"> </span><span class="n">IPv4</span><span class="w"> </span><span class="n">Packets</span><span class="w"> </span><span class="n">Denial</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">Service</span><span class="p">;</span><span class="w"> </span><span class="n">Expires</span><span class="p">:</span><span class="w"> </span><span class="mi">876858615</span><span class="o">/</span><span class="mi">2147483647</span><span class="p">;</span><span class="w"> </span><span class="n">product</span><span class="p">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">10</span><span class="p">:</span><span class="mi">23</span><span class="p">:</span><span class="mi">52</span><span class="w"> </span><span class="mf">80.19</span><span class="o">.</span><span class="mf">1.150</span><span class="o">></span><span class="w"> </span><span class="n">Hash</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="n">f7c4e2db021c4977c2a92b48bb97ed</span><span class="p">;</span><span class="w"> </span><span class="n">ID</span><span class="p">:</span><span class="w"> </span><span class="mi">2241</span><span class="p">;</span><span class="w"> </span><span class="n">Data</span><span class="p">:</span><span class="w"> </span><span class="n">Invalid</span><span class="w"> </span><span class="n">SIT</span><span class="w"> </span><span class="n">field</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">SA</span><span class="w"> </span><span class="n">payload</span><span class="w"> </span><span class="n">header</span><span class="p">;</span><span class="w"> </span><span class="n">Expires</span><span class="p">:</span><span class="w"> </span><span class="mi">876858615</span><span class="o">/</span><span class="mi">2147483647</span><span class="p">;</span><span class="w"> </span><span class="n">product</span><span class="p">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">10</span><span class="p">:</span><span class="mi">23</span><span class="p">:</span><span class="mi">52</span><span class="w"> </span><span class="mf">80.19</span><span class="o">.</span><span class="mf">1.150</span><span class="o">></span><span class="w"> </span><span class="n">Hash</span><span class="p">:</span><span class="w"> </span><span class="mi">29</span><span class="n">aa7499fca2d0cdc9f9d954c9a7b7d2</span><span class="p">;</span><span class="w"> </span><span class="n">ID</span><span class="p">:</span><span class="w"> </span><span class="mi">979</span><span class="p">;</span><span class="w"> </span><span class="n">Data</span><span class="p">:</span><span class="w"> </span><span class="n">Virtual</span><span class="w"> </span><span class="n">defragmentation</span><span class="w"> </span><span class="n">error</span><span class="p">:</span><span class="w"> </span><span class="n">Memory</span><span class="w"> </span><span class="n">failure</span><span class="p">;</span><span class="w"> </span><span class="n">Expires</span><span class="p">:</span><span class="w"> </span><span class="mi">876858615</span><span class="o">/</span><span class="mi">2147483647</span><span class="p">;</span><span class="w"> </span><span class="n">product</span><span class="p">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">10</span><span class="p">:</span><span class="mi">23</span><span class="p">:</span><span class="mi">52</span><span class="w"> </span><span class="mf">80.19</span><span class="o">.</span><span class="mf">1.150</span><span class="o">></span><span class="w"> </span><span class="n">Hash</span><span class="p">:</span><span class="w"> </span><span class="n">de1c15759f50957189b1ba346bfc07fa</span><span class="p">;</span><span class="w"> </span><span class="n">ID</span><span class="p">:</span><span class="w"> </span><span class="mi">655</span><span class="p">;</span><span class="w"> </span><span class="n">Data</span><span class="p">:</span><span class="w"> </span><span class="n">Security</span><span class="w"> </span><span class="n">violation</span><span class="p">;</span><span class="w"> </span><span class="n">Expires</span><span class="p">:</span><span class="w"> </span><span class="mi">876858615</span><span class="o">/</span><span class="mi">2147483647</span><span class="p">;</span><span class="w"> </span><span class="n">product</span><span class="p">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="mi">10</span><span class="p">:</span><span class="mi">23</span><span class="p">:</span><span class="mi">52</span><span class="w"> </span><span class="mf">80.19</span><span class="o">.</span><span class="mf">1.150</span><span class="o">></span><span class="w"> </span><span class="n">More_Entries</span><span class="p">:</span><span class="w"> </span><span class="mi">7782</span><span class="p">;</span><span class="w"> </span><span class="n">product</span><span class="p">:</span><span class="w"> </span><span class="n">VPN</span><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">FireWall</span><span class="o">-</span><span class="mi">1</span><span class="p">;</span><span class="w"></span>
</code></pre></div>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
Solaris – configure ftp server | 2010-03-31T09:58:32+00:00 | 2010-03-31T09:58:32+00:00 | Yuri Slobodyanyuk | tag:yurisk.info,2010-03-31:/2010/03/31/solaris-configure-ftp-server/
<h1>SUN Solaris FTP</h1>
<p>SUN Solaris comes with an FTP daemon based on WU-FTPd, the Washington University FTP daemon project.
While I am not very enthusiastic about the vulnerabilities discovered in it over the years, and it has been rather abandoned by its developers, still, it comes installed by default, and as long as Sun is OK with that, it is OK with me too.
Below I will briefly introduce configuring it for local user access as well as for anonymous access.<br>
By default the FTP daemon (<strong>in.ftpd</strong>) is disabled. Here is the initial state you have it in: </p>
<p>root@Solaris# <strong>svcs ftp</strong></p>
<div class="highlight"><pre><span></span><code> STATE STIME FMRI
disabled 7:21:44 svc:/network/ftp:default
</code></pre></div>
<p>As ftpd is an <strong>inetd</strong>-managed daemon, more information can be queried from inetadm: </p>
<p>root@Solaris# <strong>inetadm -l svc:/network/ftp:default</strong> </p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="nv">SCOPE</span><span class="w"> </span><span class="nv">NAME</span><span class="o">=</span><span class="nv">VALUE</span><span class="w"></span>
<span class="w"> </span><span class="nv">name</span><span class="o">=</span><span class="s2">"ftp"</span><span class="w"></span>
<span class="w"> </span><span class="nv">endpoint_type</span><span class="o">=</span><span class="s2">"stream"</span><span class="w"></span>
<span class="w"> </span><span class="nv">proto</span><span class="o">=</span><span class="s2">"tcp6"</span><span class="w"></span>
<span class="w"> </span><span class="nv">isrpc</span><span class="o">=</span><span class="nv">FALSE</span><span class="w"></span>
<span class="w"> </span><span class="k">wait</span><span class="o">=</span><span class="nv">FALSE</span><span class="w"></span>
<span class="w"> </span><span class="k">exec</span><span class="o">=</span><span class="s2">"/usr/sbin/in.ftpd -a"</span><span class="w"></span>
<span class="w"> </span><span class="nv">user</span><span class="o">=</span><span class="s2">"root"</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">bind_addr</span><span class="o">=</span><span class="s2">""</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">bind_fail_max</span><span class="o">=-</span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">bind_fail_interval</span><span class="o">=-</span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">max_con_rate</span><span class="o">=-</span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">max_copies</span><span class="o">=-</span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">con_rate_offline</span><span class="o">=-</span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">failrate_cnt</span><span class="o">=</span><span class="mi">40</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">failrate_interval</span><span class="o">=</span><span class="mi">60</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">inherit_env</span><span class="o">=</span><span class="nv">TRUE</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">tcp_trace</span><span class="o">=</span><span class="nv">FALSE</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">tcp_wrappers</span><span class="o">=</span><span class="nv">FALSE</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">connection_backlog</span><span class="o">=</span><span class="mi">10</span><span class="w"></span>
</code></pre></div>
<p>Insecure, you say? Well, you are right, so let's harden it a bit. First, enable more detailed logging: </p>
<p>root@Solaris# <strong>inetadm -m svc:/network/ftp:default tcp_trace=TRUE</strong><br>
root@Solaris# <strong>inetadm -l svc:/network/ftp</strong> </p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="nv">SCOPE</span><span class="w"> </span><span class="nv">NAME</span><span class="o">=</span><span class="nv">VALUE</span><span class="w"></span>
<span class="w"> </span><span class="nv">name</span><span class="o">=</span><span class="s2">"ftp"</span><span class="w"></span>
<span class="w"> </span><span class="nv">endpoint_type</span><span class="o">=</span><span class="s2">"stream"</span><span class="w"></span>
<span class="w"> </span><span class="nv">proto</span><span class="o">=</span><span class="s2">"tcp6"</span><span class="w"></span>
<span class="w"> </span><span class="nv">isrpc</span><span class="o">=</span><span class="nv">FALSE</span><span class="w"></span>
<span class="w"> </span><span class="k">wait</span><span class="o">=</span><span class="nv">FALSE</span><span class="w"></span>
<span class="w"> </span><span class="k">exec</span><span class="o">=</span><span class="s2">"/usr/sbin/in.ftpd -a"</span><span class="w"></span>
<span class="w"> </span><span class="nv">user</span><span class="o">=</span><span class="s2">"root"</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">bind_addr</span><span class="o">=</span><span class="s2">""</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">bind_fail_max</span><span class="o">=-</span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">bind_fail_interval</span><span class="o">=-</span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">max_con_rate</span><span class="o">=-</span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">max_copies</span><span class="o">=-</span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">con_rate_offline</span><span class="o">=-</span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">failrate_cnt</span><span class="o">=</span><span class="mi">40</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">failrate_interval</span><span class="o">=</span><span class="mi">60</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">inherit_env</span><span class="o">=</span><span class="nv">TRUE</span><span class="w"></span>
<span class="w"> </span><span class="nv">tcp_trace</span><span class="o">=</span><span class="nv">TRUE</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">tcp_wrappers</span><span class="o">=</span><span class="nv">FALSE</span><span class="w"></span>
<span class="w"> </span><span class="nv">default</span><span class="w"> </span><span class="nv">connection_backlog</span><span class="o">=</span><span class="mi">10</span><span class="w"></span>
</code></pre></div>
<p>When the <strong>-a</strong> option is given (and it is by default), ftpd consults the <strong>/etc/ftpd/ftpaccess</strong> file for additional restrictions and tweaks. Here are a few that are worth enabling. Uncomment the following lines to get more verbose transfer logging: </p>
<div class="highlight"><pre><span></span><code> log transfers real,guest,anonymous inbound,outbound
xferlog format %T %Xt %R %Xn %XP %Xy %Xf %Xd %Xm %U ftp %Xa %u %Xc %Xs %Xr
</code></pre></div>
<p>Make sure these changes are applied: </p>
<p>root@Solaris# <strong>svcadm refresh svc:/network/ftp:default</strong> </p>
<h2>Configure anonymous access.</h2>
<p>All the configuration done so far allows only valid local users to connect by FTP; they are automatically placed in their respective home directories. To allow <strong>anonymous</strong> FTP access with a dedicated chrooted folder there is a special set of tools to use. Actually it is just one script that does all the hard work behind the scenes: it creates the ftp user, creates the directory tree, sets the needed permissions, and sets up the chrooted environment for the anonymous ftp user. </p>
<p>root@Solaris# <strong>ftpconfig /export/home/ftp_pub</strong> </p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="n">Updating</span><span class="w"> </span><span class="n">user</span><span class="w"> </span><span class="n">ftp</span><span class="w"></span>
<span class="w"> </span><span class="n">Creating</span><span class="w"> </span><span class="n">directory</span><span class="w"> </span><span class="o">/</span><span class="k">export</span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">ftp_pub</span><span class="w"></span>
<span class="w"> </span><span class="n">Updating</span><span class="w"> </span><span class="n">directory</span><span class="w"> </span><span class="o">/</span><span class="k">export</span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">ftp_pub</span><span class="w"></span>
</code></pre></div>
<p>That is all; now you can log in anonymously and download anything from the <strong>/export/home/ftp_pub/pub</strong> directory. To also allow uploads there, change the upload option in <strong>/etc/ftpd/ftpaccess</strong> and set the permissions on the pub directory accordingly at the Solaris level (777): </p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="n">upload</span><span class="w"> </span><span class="k">class</span><span class="o">=</span><span class="n">anonusers</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">/</span><span class="n">pub</span><span class="w"> </span><span class="n">yes</span><span class="w"></span>
<span class="w"> </span><span class="c1">#upload class=anonusers * * no nodirs</span><span class="w"></span>
</code></pre></div>
<p>And finally enable it: </p>
<p>root@Solaris# <strong>svcadm enable ftp</strong></p>
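<p>Before enabling the service it is worth checking that the ftpaccess edits above actually took: logging is uncommented and anonymous upload is open only for /pub, not for the whole tree. The following POSIX shell script is an added example, not part of the original post or of Solaris; the ftpaccess sample it writes is constructed from the lines quoted in the post, and the class name <code>anonusers</code> is the one the post's upload directive uses.</p>

```shell
#!/bin/sh
# Added example, not from the original post: audit a wu-ftpd ftpaccess file
# (Solaris: /etc/ftpd/ftpaccess) for the two settings the post changes,
# transfer logging and anonymous upload, before the service is enabled.

# Print 1 when an active (uncommented) "log transfers" directive covers
# anonymous inbound transfers, otherwise 0.
ftpaccess_logs_anon_inbound() {
    awk '
        # syntax: log transfers <typelist> <directions>, both comma-separated
        $1 == "log" && $2 == "transfers" {
            if (index($3, "anonymous") && index($4, "inbound")) found = 1
        }
        END { if (found) print 1; else print 0 }
    ' "$1"
}

# Print one line per active upload directive: "<dirglob> <yes|no> <mode>".
# mode is "-" when the directive sets none (uploads then get the server
# umask). Syntax handled:
#   upload [absolute|relative] [class=<name>]... [-] <root-dir> <dirglob>
#          <yes|no> [<owner> <group> <mode>] [dirs|nodirs] [<d_mode>]
ftpaccess_upload_rules() {
    awk '
        $1 == "upload" {
            i = 2
            if ($i == "absolute" || $i == "relative") i++
            while (i <= NF && substr($i, 1, 6) == "class=") i++
            if ($i == "-") i++
            dirglob = $(i + 1); allowed = $(i + 2); mode = "-"
            # owner group mode are optional; the mode is an octal number
            if ($(i + 5) ~ /^[0-7]+$/) mode = $(i + 5)
            print dirglob, allowed, mode
        }
    ' "$1"
}

# Print the number of upload directives that allow writing anywhere in the
# anonymous tree (dirglob "*" with yes). The post keeps the default
# "* * no nodirs" deny rule commented and opens only /pub, so this is 0.
ftpaccess_open_upload_count() {
    ftpaccess_upload_rules "$1" | awk '$1 == "*" && $2 == "yes" { n++ } END { print n + 0 }'
}

# Constructed sample matching the post's edits to /etc/ftpd/ftpaccess.
ftpaccess_sample() {
    cat > "$1" <<'EOF'
# ftpaccess - wu-ftpd access control file (constructed sample)
class anonusers anonymous *
log transfers real,guest,anonymous inbound,outbound
xferlog format %T %Xt %R %Xn %XP %Xy %Xf %Xd %Xm %U ftp %Xa %u %Xc %Xs %Xr
upload class=anonusers * /pub yes
#upload class=anonusers * * no nodirs
EOF
}

# Stand-alone run: audit /etc/ftpd/ftpaccess if present, else the sample.
f=/etc/ftpd/ftpaccess
[ -r "$f" ] || { f=$(mktemp); ftpaccess_sample "$f"; }
echo "anonymous inbound logging active: $(ftpaccess_logs_anon_inbound "$f")"
echo "upload rules (dirglob allowed mode):"
ftpaccess_upload_rules "$f"
echo "tree-wide anonymous upload rules: $(ftpaccess_open_upload_count "$f")"
```

A hardened upload line such as <code>upload class=anonusers * /pub yes ftp ftp 0600 nodirs</code> shows up with its mode, so files dropped by anonymous users are no longer readable by the next anonymous visitor.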
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
Fortigate BGP - configure and debug | 2010-03-26T14:56:12+00:00 | 2020-06-13T12:00:00+02:00 | Yuri Slobodyanyuk | tag:yurisk.info,2010-03-26:/2010/03/26/fortigate-bgp-configure-and-debug/
<p>Everyone today speaks BGP: Cisco, Juniper and ScreenOS firewalls, Fortigate does it, even SonicWall has it as a planned feature. The opportunity to see how it works on a Fortinet Fortigate firewall recently presented itself, and here is a summary of how I configured and debugged the Fortigate BGP setup.</p>
<p>Task at hand: configure on the Fortigate a BGP peering with the Bogon Route project by Team Cymru, <a href="https://team-cymru.com/community-services/bogon-reference" target="_blank" rel="noopener">https://team-cymru.com/community-services/bogon-reference</a>. In a few words, they advertise to you routes that should never be seen in your network for legitimate reasons: not only the RFC 1918 networks, but also those reserved by RIPE for special purposes and those not yet allocated to anyone.
What we need to know for this setup is this: </p>
<ul>
<li>They advertise all the networks with the <code>no-export</code> community </li>
<li>they also attach the <code>65333:888</code> community </li>
<li>they use MD5 password authentication </li>
<li>they don't expect you to advertise anything to them </li>
<li>in the advertised networks the next hop is their advertising router </li>
<li>their AS number is 65333 </li>
</ul>
<p>Based on all the above, my Fortigate BGP peer had to:</p>
<ul>
<li>enable multihop eBGP peering</li>
<li>use MD5 password authentication</li>
<li>have a route-map that attaches the <code>no-export</code> community, so that we don't inadvertently advertise the learned routes to other peers (just a safety net, in case their BGP peer stops attaching the no-export community to its routes) </li>
<li>set the next hop for the learned routes to the <strong>Null 0</strong> interface (Cisco naming; Fortigate has a 'blackhole' route instead).</li>
</ul>
<p>Let's start configuring something. An important surprise here: in the Fortigate GUI you can set only 3 BGP parameters, the <em>AS number</em>, <em>peer IP</em> and the <em>networks</em> to be advertised; the rest has to be done on the command line (newer versions of FortiOS add more, but the CLI is still the way to go). So here it goes: </p>
<p>1. Configure a route-map to set the <code>no-export</code> community on the learned networks and force their next hop to be a reserved IP (192.0.2.1) that in turn is statically routed to a Null interface:</p>
<div class="highlight"><pre><span></span><code><span class="nv">config</span><span class="w"> </span><span class="nv">router</span><span class="w"> </span><span class="nv">route</span><span class="o">-</span><span class="nv">map</span><span class="w"></span>
<span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="s2">"NO-EXPORT"</span><span class="w"></span>
<span class="w"> </span><span class="nv">config</span><span class="w"> </span><span class="nv">rule</span><span class="w"></span>
<span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="mi">3</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">set</span><span class="o">-</span><span class="nv">community</span><span class="w"> </span><span class="s2">"no-advertise"</span><span class="w"> </span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">set</span><span class="o">-</span><span class="nv">ip</span><span class="o">-</span><span class="nv">nexthop</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="k">End</span><span class="w"> </span>
</code></pre></div>
<p>2. Configure the BGP peer:</p>
<div class="highlight"><pre><span></span><code><span class="ss">(</span><span class="nv">root</span><span class="ss">)</span><span class="w"> </span>#<span class="w"> </span><span class="k">show</span><span class="w"> </span><span class="nv">router</span><span class="w"> </span><span class="nv">bgp</span><span class="w"></span>
<span class="nv">config</span><span class="w"> </span><span class="nv">router</span><span class="w"> </span><span class="nv">bgp</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">as</span><span class="w"> </span><span class="mi">65002</span><span class="w"></span>
<span class="w"> </span><span class="nv">config</span><span class="w"> </span><span class="nv">neighbor</span><span class="w"></span>
<span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="mi">84</span>.<span class="mi">22</span>.<span class="mi">96</span>.<span class="mi">5</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">ebgp</span><span class="o">-</span><span class="nv">enforce</span><span class="o">-</span><span class="nv">multihop</span><span class="w"> </span><span class="nv">enable</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">remote</span><span class="o">-</span><span class="nv">as</span><span class="w"> </span><span class="mi">65333</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">route</span><span class="o">-</span><span class="nv">map</span><span class="o">-</span><span class="nv">in</span><span class="w"> </span><span class="s2">"NO-EXPORT"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">password</span><span class="w"> </span><span class="s2">"yuiyui"</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"></span>
<span class="w"> </span><span class="nv">config</span><span class="w"> </span><span class="nv">redistribute</span><span class="w"> </span><span class="s2">"connected"</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">status</span><span class="w"> </span><span class="nv">enable</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"></span>
</code></pre></div>
<p>3. Configure a static blackhole route for the reserved IP used as the next hop above:</p>
<div class="highlight"><pre><span></span><code><span class="ss">(</span><span class="nv">root</span><span class="ss">)</span><span class="w"> </span>#<span class="w"> </span><span class="nv">sh</span><span class="w"> </span><span class="nv">router</span><span class="w"> </span><span class="nv">static</span><span class="w"></span>
<span class="nv">config</span><span class="w"> </span><span class="nv">router</span><span class="w"> </span><span class="nv">static</span><span class="w"></span>
<span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="mi">3</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">blackhole</span><span class="w"> </span><span class="nv">enable</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">dst</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">255</span>.<span class="mi">255</span>.<span class="mi">255</span>.<span class="mi">255</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="k">End</span><span class="w"></span>
</code></pre></div>
<p>Verification.<br>
All configs are as good as the proof that they work.</p>
<ul>
<li>List briefly all the peers: </li>
</ul>
<p>(root) # <strong>get router info bgp summary</strong> </p>
<div class="highlight"><pre><span></span><code> BGP router identifier 10.250.250.2, local AS number 65002
BGP table version is 159
2 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
84.22.96.5 4 65333 4 6 159 0 0 00:00:48 0
Total number of neighbors 1
</code></pre></div>
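<p>The summary above is the first thing to look at after bringing the peer up, and note that 48 seconds after establishment it still shows 0 prefixes received from the bogon feed. As an added example that is not part of the original post, here is a POSIX shell script that parses the output of <code>get router info bgp summary</code> the way a monitoring job would: it tells an Established neighbor (last column is a prefix count) from one stuck in Idle/Active (last column is the state name), and flags a feed that is expected to deliver prefixes but has delivered none. The peer address, AS numbers and the first sample come from the post; the second sample, a peer stuck in Active, is constructed.</p>

```shell
#!/bin/sh
# Added example, not from the original post: check the output of the
# Fortigate command "get router info bgp summary" the way a monitoring job
# would, so a peer stuck in Active/Idle or a bogon feed that delivers zero
# prefixes is noticed. Input is the command output captured to a file.

# Print one line per neighbor: "<peer> <as> <state> <prefixes>".
# In the summary table the last column is either the number of prefixes
# received (peer is Established) or the FSM state name (Idle, Active, ...).
bgp_summary_peers() {
    awk '
        # Data rows start with an IPv4 address; header and totals do not.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            last = $NF
            if (last ~ /^[0-9]+$/) print $1, $3, "Established", last
            else                   print $1, $3, last, 0
        }
    ' "$1"
}

# Exit status 0 when every neighbor is Established and the neighbor named
# in $2 (optional; e.g. the Team Cymru bogon feed, which should always send
# prefixes) has delivered at least one prefix.
bgp_summary_healthy() {
    bgp_summary_peers "$1" | awk -v want="$2" '
        $3 != "Established"      { bad = 1 }
        $1 == want && $4 == 0    { bad = 1 }
        END { if (bad) exit 1 }
    '
}

# Sample 1: the summary shown in the post, as captured from the CLI.
bgp_sample_established() {
    cat > "$1" <<'EOF'
BGP router identifier 10.250.250.2, local AS number 65002
BGP table version is 159
2 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
84.22.96.5 4 65333 4 6 159 0 0 00:00:48 0
Total number of neighbors 1
EOF
}

# Sample 2 (constructed): the same peer never got past the Active state,
# i.e. the TCP session to port 179 is not coming up.
bgp_sample_down() {
    cat > "$1" <<'EOF'
BGP router identifier 10.250.250.2, local AS number 65002
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
84.22.96.5 4 65333 0 0 0 0 0 never Active
Total number of neighbors 1
EOF
}

# Stand-alone run against the post's output: the peer is Established but the
# bogon feed has not delivered anything yet, so the health check complains.
f=$(mktemp)
bgp_sample_established "$f"
bgp_summary_peers "$f"
if bgp_summary_healthy "$f" 84.22.96.5; then
    echo "all peers Established, bogon feed delivering prefixes"
else
    echo "check peer: not Established or 0 prefixes from the bogon feed"
fi
rm -f "$f"
```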
<ul>
<li>List all BGP neighbors and their peering state: </li>
</ul>
<p>My-FG (root) # <strong>get router info bgp neighbors</strong></p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="nt">BGP</span><span class="w"> </span><span class="nt">neighbor</span><span class="w"> </span><span class="nt">is</span><span class="w"> </span><span class="nt">84</span><span class="p">.</span><span class="nc">22</span><span class="p">.</span><span class="nc">96</span><span class="p">.</span><span class="nc">5</span><span class="o">,</span><span class="w"> </span><span class="nt">remote</span><span class="w"> </span><span class="nt">AS</span><span class="w"> </span><span class="nt">65333</span><span class="o">,</span><span class="w"> </span><span class="nt">local</span><span class="w"> </span><span class="nt">AS</span><span class="w"> </span><span class="nt">65002</span><span class="o">,</span><span class="w"> </span><span class="nt">external</span><span class="w"> </span><span class="nt">link</span><span class="w"></span>
<span class="w"> </span><span class="nt">BGP</span><span class="w"> </span><span class="nt">version</span><span class="w"> </span><span class="nt">4</span><span class="o">,</span><span class="w"> </span><span class="nt">remote</span><span class="w"> </span><span class="nt">router</span><span class="w"> </span><span class="nt">ID</span><span class="w"> </span><span class="nt">84</span><span class="p">.</span><span class="nc">22</span><span class="p">.</span><span class="nc">96</span><span class="p">.</span><span class="nc">5</span><span class="w"></span>
<span class="w"> </span><span class="nt">BGP</span><span class="w"> </span><span class="nt">state</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nt">Established</span><span class="o">,</span><span class="w"> </span><span class="nt">up</span><span class="w"> </span><span class="nt">for</span><span class="w"> </span><span class="nt">00</span><span class="p">:</span><span class="nd">00</span><span class="p">:</span><span class="nd">58</span><span class="w"></span>
<span class="w"> </span><span class="nt">Last</span><span class="w"> </span><span class="nt">read</span><span class="w"> </span><span class="nt">00</span><span class="p">:</span><span class="nd">00</span><span class="p">:</span><span class="nd">58</span><span class="o">,</span><span class="w"> </span><span class="nt">hold</span><span class="w"> </span><span class="nt">time</span><span class="w"> </span><span class="nt">is</span><span class="w"> </span><span class="nt">180</span><span class="o">,</span><span class="w"> </span><span class="nt">keepalive</span><span class="w"> </span><span class="nt">interval</span><span class="w"> </span><span class="nt">is</span><span class="w"> </span><span class="nt">60</span><span class="w"> </span><span class="nt">seconds</span><span class="w"></span>
<span class="w"> </span><span class="nt">Configured</span><span class="w"> </span><span class="nt">hold</span><span class="w"> </span><span class="nt">time</span><span class="w"> </span><span class="nt">is</span><span class="w"> </span><span class="nt">180</span><span class="o">,</span><span class="w"> </span><span class="nt">keepalive</span><span class="w"> </span><span class="nt">interval</span><span class="w"> </span><span class="nt">is</span><span class="w"> </span><span class="nt">60</span><span class="w"> </span><span class="nt">seconds</span><span class="w"></span>
<span class="w"> </span><span class="nt">Neighbor</span><span class="w"> </span><span class="nt">capabilities</span><span class="o">:</span><span class="w"></span>
<span class="w"> </span><span class="nt">Route</span><span class="w"> </span><span class="nt">refresh</span><span class="o">:</span><span class="w"> </span><span class="nt">advertised</span><span class="w"> </span><span class="nt">and</span><span class="w"> </span><span class="nt">received</span><span class="w"> </span><span class="o">(</span><span class="nt">old</span><span class="w"> </span><span class="nt">and</span><span class="w"> </span><span class="nt">new</span><span class="o">)</span><span class="w"></span>
<span class="w"> </span><span class="nt">Address</span><span class="w"> </span><span class="nt">family</span><span class="w"> </span><span class="nt">IPv4</span><span class="w"> </span><span class="nt">Unicast</span><span class="o">:</span><span class="w"> </span><span class="nt">advertised</span><span class="w"> </span><span class="nt">and</span><span class="w"> </span><span class="nt">received</span><span class="w"></span>
<span class="w"> </span><span class="nt">Received</span><span class="w"> </span><span class="nt">4</span><span class="w"> </span><span class="nt">messages</span><span class="o">,</span><span class="w"> </span><span class="nt">0</span><span class="w"> </span><span class="nt">notifications</span><span class="o">,</span><span class="w"> </span><span class="nt">0</span><span class="w"> </span><span class="nt">in</span><span class="w"> </span><span class="nt">queue</span><span class="w"></span>
<span class="w"> </span><span class="nt">Sent</span><span class="w"> </span><span class="nt">6</span><span class="w"> </span><span class="nt">messages</span><span class="o">,</span><span class="w"> </span><span class="nt">0</span><span class="w"> </span><span class="nt">notifications</span><span class="o">,</span><span class="w"> </span><span class="nt">0</span><span class="w"> </span><span class="nt">in</span><span class="w"> </span><span class="nt">queue</span><span class="w"></span>
<span class="w"> </span><span class="nt">Route</span><span class="w"> </span><span class="nt">refresh</span><span class="w"> </span><span class="nt">request</span><span class="o">:</span><span class="w"> </span><span class="nt">received</span><span class="w"> </span><span class="nt">0</span><span class="o">,</span><span class="w"> </span><span class="nt">sent</span><span class="w"> </span><span class="nt">0</span><span class="w"></span>
<span class="w"> </span><span class="nt">Minimum</span><span class="w"> </span><span class="nt">time</span><span class="w"> </span><span class="nt">between</span><span class="w"> </span><span class="nt">advertisement</span><span class="w"> </span><span class="nt">runs</span><span class="w"> </span><span class="nt">is</span><span class="w"> </span><span class="nt">30</span><span class="w"> </span><span class="nt">seconds</span><span class="w"></span>
<span class="w"> </span><span class="nt">For</span><span class="w"> </span><span class="nt">address</span><span class="w"> </span><span class="nt">family</span><span class="o">:</span><span class="w"> </span><span class="nt">IPv4</span><span class="w"> </span><span class="nt">Unicast</span><span class="w"></span>
<span class="w"> </span><span class="nt">BGP</span><span class="w"> </span><span class="nt">table</span><span class="w"> </span><span class="nt">version</span><span class="w"> </span><span class="nt">160</span><span class="o">,</span><span class="w"> </span><span class="nt">neighbor</span><span class="w"> </span><span class="nt">version</span><span class="w"> </span><span class="nt">159</span><span class="w"></span>
<span class="w"> </span><span class="nt">Index</span><span class="w"> </span><span class="nt">3</span><span class="o">,</span><span class="w"> </span><span class="nt">Offset</span><span class="w"> </span><span class="nt">0</span><span class="o">,</span><span class="w"> </span><span class="nt">Mask</span><span class="w"> </span><span class="nt">0x8</span><span class="w"></span>
<span class="w"> </span><span class="nt">Community</span><span class="w"> </span><span class="nt">attribute</span><span class="w"> </span><span class="nt">sent</span><span class="w"> </span><span class="nt">to</span><span class="w"> </span><span class="nt">this</span><span class="w"> </span><span class="nt">neighbor</span><span class="w"> </span><span class="o">(</span><span class="nt">both</span><span class="o">)</span><span class="w"></span>
<span class="w"> </span><span class="nt">Inbound</span><span class="w"> </span><span class="nt">path</span><span class="w"> </span><span class="nt">policy</span><span class="w"> </span><span class="nt">configured</span><span class="w"></span>
<span class="w"> </span><span class="nt">Route</span><span class="w"> </span><span class="nt">map</span><span class="w"> </span><span class="nt">for</span><span class="w"> </span><span class="nt">incoming</span><span class="w"> </span><span class="nt">advertisements</span><span class="w"> </span><span class="nt">is</span><span class="w"> </span><span class="o">*</span><span class="nt">NO-EXPORT</span><span class="w"></span>
<span class="w"> </span><span class="nt">0</span><span class="w"> </span><span class="nt">accepted</span><span class="w"> </span><span class="nt">prefixes</span><span class="w"></span>
<span class="w"> </span><span class="nt">19</span><span class="w"> </span><span class="nt">announced</span><span class="w"> </span><span class="nt">prefixes</span><span class="w"></span>
<span class="w"> </span><span class="nt">Connections</span><span class="w"> </span><span class="nt">established</span><span class="w"> </span><span class="nt">1</span><span class="o">;</span><span class="w"> </span><span class="nt">dropped</span><span class="w"> </span><span class="nt">0</span><span class="w"></span>
<span class="w"> </span><span class="nt">External</span><span class="w"> </span><span class="nt">BGP</span><span class="w"> </span><span class="nt">neighbor</span><span class="w"> </span><span class="nt">may</span><span class="w"> </span><span class="nt">be</span><span class="w"> </span><span class="nt">up</span><span class="w"> </span><span class="nt">to</span><span class="w"> </span><span class="nt">255</span><span class="w"> </span><span class="nt">hops</span><span class="w"> </span><span class="nt">away</span><span class="o">.</span><span class="w"></span>
<span class="w"> </span><span class="nt">Local</span><span class="w"> </span><span class="nt">host</span><span class="o">:</span><span class="w"> </span><span class="nt">10</span><span class="p">.</span><span class="nc">250</span><span class="p">.</span><span class="nc">250</span><span class="p">.</span><span class="nc">2</span><span class="o">,</span><span class="w"> </span><span class="nt">Local</span><span class="w"> </span><span class="nt">port</span><span class="o">:</span><span class="w"> </span><span class="nt">9188</span><span class="w"></span>
<span class="w"> </span><span class="nt">Foreign</span><span class="w"> </span><span class="nt">host</span><span class="o">:</span><span class="w"> </span><span class="nt">84</span><span class="p">.</span><span class="nc">22</span><span class="p">.</span><span class="nc">96</span><span class="p">.</span><span class="nc">5</span><span class="o">,</span><span class="w"> </span><span class="nt">Foreign</span><span class="w"> </span><span class="nt">port</span><span class="o">:</span><span class="w"> </span><span class="nt">179</span><span class="w"></span>
<span class="w"> </span><span class="nt">Nexthop</span><span class="o">:</span><span class="w"> </span><span class="nt">10</span><span class="p">.</span><span class="nc">250</span><span class="p">.</span><span class="nc">250</span><span class="p">.</span><span class="nc">1</span><span class="w"></span>
</code></pre></div>
<ul>
<li>See the routes learned through the BGP protocol: </li>
</ul>
<p>(root) # <strong>get router info bgp network</strong></p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="nv">BGP</span><span class="w"> </span><span class="nv">table</span><span class="w"> </span><span class="nv">version</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="mi">161</span>,<span class="w"> </span><span class="nv">local</span><span class="w"> </span><span class="nv">router</span><span class="w"> </span><span class="nv">ID</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="mi">10</span>.<span class="mi">250</span>.<span class="mi">250</span>.<span class="mi">2</span><span class="w"></span>
<span class="w"> </span><span class="nv">Status</span><span class="w"> </span><span class="nv">codes</span>:<span class="w"> </span><span class="nv">s</span><span class="w"> </span><span class="nv">suppressed</span>,<span class="w"> </span><span class="nv">d</span><span class="w"> </span><span class="nv">damped</span>,<span class="w"> </span><span class="nv">h</span><span class="w"> </span><span class="nv">history</span>,<span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nv">valid</span>,<span class="w"> </span><span class="o">></span><span class="w"> </span><span class="nv">best</span>,<span class="w"> </span><span class="nv">i</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">internal</span>,<span class="w"></span>
<span class="w"> </span><span class="nv">S</span><span class="w"> </span><span class="nv">Stale</span><span class="w"></span>
<span class="w"> </span><span class="nv">Origin</span><span class="w"> </span><span class="nv">codes</span>:<span class="w"> </span><span class="nv">i</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">IGP</span>,<span class="w"> </span><span class="nv">e</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">EGP</span>,<span class="w"> </span>?<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">incomplete</span><span class="w"></span>
<span class="w"> </span><span class="nv">Network</span><span class="w"> </span><span class="k">Next</span><span class="w"> </span><span class="nv">Hop</span><span class="w"> </span><span class="nv">Metric</span><span class="w"> </span><span class="nv">LocPrf</span><span class="w"> </span><span class="nv">Weight</span><span class="w"> </span><span class="nv">Path</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">5</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">14</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">23</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">31</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">36</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">37</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">39</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">42</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">49</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">100</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">101</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">102</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">103</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">104</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">105</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">106</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">169</span>.<span class="mi">254</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">172</span>.<span class="mi">16</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="o">/</span><span class="mi">12</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">176</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="o">/</span><span class="mi">8</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">177</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="o">/</span><span class="mi">8</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">179</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="o">/</span><span class="mi">8</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">181</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="o">/</span><span class="mi">8</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
<span class="w"> </span><span class="o">*></span><span class="w"> </span><span class="mi">185</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">0</span><span class="o">/</span><span class="mi">8</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">0</span>.<span class="mi">2</span>.<span class="mi">1</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="nv">i</span><span class="w"></span>
</code></pre></div>
<ul>
<li>List routes that are currently installed in the routing table that were learned by BGP:</li>
</ul>
<p>(root) # <strong>get router info routing-table bgp</strong></p>
<div class="highlight"><pre><span></span><code> B 5.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B 14.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B 23.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B 31.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B 36.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B 37.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B 39.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B 42.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
</code></pre></div>
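<p>Two outputs like the ones above are worth more than a glance once the session is up: the BGP table shows what the peer got us to accept, and the routing table shows what actually went into the RIB. The following is an added example (my own code, not the blog's or Fortinet's) that parses both formats and runs the checks a defender would run on a fresh eBGP session: prefixes in bogon space accepted from the peer, AS paths that do not start with the neighbour's own AS, and best paths that never reached the routing table. The table above does list <code>169.254.0.0</code> and <code>172.16.0.0/12</code> as accepted from AS 65333, which most inbound prefix filters reject, so the first check is not hypothetical. The sample rows are constructed in the shape of the page's output; the two-column attribute layout (<code>ATTR_COLUMNS</code>) and the classful-length rule for rows printed without a mask are assumptions drawn from that output.</p>

```python
"""Audit 'get router info bgp network' and 'get router info routing-table bgp'
output.  Added example, not the blog's own tooling."""
import ipaddress

# Constructed sample rows in the shape of the two outputs above (a subset, not a capture).
BGP_TABLE_SAMPLE = """\
 *> 5.0.0.0 192.0.2.1 0 0 65333 65333 i
 *> 169.254.0.0 192.0.2.1 0 0 65333 65333 i
 *> 172.16.0.0/12 192.0.2.1 0 0 65333 65333 i
 *> 176.0.0.0/8 192.0.2.1 0 0 65333 65333 i
"""
ROUTING_TABLE_SAMPLE = """\
 B 5.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
 B 176.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
"""

# Assumption: the table prints two numeric attribute columns between the next
# hop and the AS path, as the rows above do.  Adjust for other platforms.
ATTR_COLUMNS = 2

# Address space an external peer should never announce: RFC 1918, shared address
# space, loopback, link-local, documentation, multicast and reserved.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def classful_network(text):
    """The BGP table omits the length on classful boundaries: '5.0.0.0' means /8."""
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)
    first_octet = int(text.split(".")[0])
    length = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{text}/{length}", strict=False)


def parse_bgp_table(text):
    """One dict per route row; header lines (no leading status code) are skipped."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("*"):
            continue
        rows.append({
            "best": ">" in tokens[0],
            "network": classful_network(tokens[1]),
            "nexthop": tokens[2],
            "as_path": [int(a) for a in tokens[3 + ATTR_COLUMNS:-1]],
            "origin": tokens[-1],
        })
    return rows


def parse_routing_table(text):
    """Set of prefixes the RIB installed from BGP (rows flagged 'B')."""
    return {ipaddress.ip_network(t[1], strict=False)
            for t in (line.split() for line in text.splitlines())
            if len(t) > 1 and t[0] == "B"}


def audit(bgp_text, rib_text, peer_as):
    """Checks a defender runs on a fresh eBGP session; each value is a sorted list of prefixes."""
    rows = parse_bgp_table(bgp_text)
    installed = parse_routing_table(rib_text)
    best = {r["network"] for r in rows if r["best"]}
    return {
        # Prefixes an inbound prefix-list should have dropped.
        "bogons_accepted": sorted(str(r["network"]) for r in rows
                                  if any(r["network"].overlaps(b) for b in BOGONS)),
        # eBGP paths must start with the neighbour's own AS (enforce-first-as).
        "first_as_mismatch": sorted(str(r["network"]) for r in rows
                                    if not r["as_path"] or r["as_path"][0] != peer_as),
        # Best paths that never reached the RIB (unresolved next hop, policy, ...).
        "best_not_installed": sorted(str(n) for n in best - installed),
        # Routes marked B in the RIB that the BGP table no longer holds as best.
        "installed_not_in_bgp": sorted(str(n) for n in installed - best),
    }


if __name__ == "__main__":
    for check, hits in audit(BGP_TABLE_SAMPLE, ROUTING_TABLE_SAMPLE, peer_as=65333).items():
        print(f"{check:22} {hits}")
```

<p>Run against the sample rows, the audit flags <code>169.254.0.0/16</code> and <code>172.16.0.0/12</code> both as bogons and as best paths missing from the routing table; on a real box you would feed it the two command outputs captured from the CLI and set <code>peer_as</code> to the neighbour's remote AS.</p>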
<p>After everything is configured and saved (and most likely still doesn't work), the BGP debugging round begins.</p>
<ul>
<li>Set the debug level to INFO (by default it is ERROR, which is usually not enough):</li>
</ul>
<p>(root)# <strong>diagnose ip router bgp level info</strong></p>
<ul>
<li>Enable bgp debug on the Fortigate:</li>
</ul>
<p>(root)# <strong>diag ip router bgp all enable</strong></p>
<ul>
<li>To verify that debug is on:</li>
</ul>
<p>(root)# <strong>diag ip router bgp show</strong></p>
<div class="highlight"><pre><span></span><code> BGP debugging status:
BGP events debugging is on
BGP debug level: INFO
</code></pre></div>
<ul>
<li>If nothing happens, you may try clearing all BGP sessions (WARNING: this tears down every BGP session established on the Fortigate):</li>
</ul>
<p>(root)# <strong>exec router clear bgp all</strong></p>
<ul>
<li>To stop the debug:</li>
</ul>
<p>(root)# <strong>diagnose ip router bgp all disable</strong> <br>
-or-<br>
(root)# <strong>diagnose debug reset</strong></p>
<p>A good way to judge something new is to compare it with something you already know. Following that logic, I cross-reference the BGP debug output seen on a Cisco with the output seen on its Fortigate BGP peer. That way you can decide which is more informative and who wins the race (Cisco, of course, what did you think?).</p>
<p><strong>Case 1</strong>
<em>One of the peers is configured with the wrong AS number.</em><br>
On the Fortigate you see this:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">FSM</span><span class="o">]</span><span class="w"> </span><span class="k">State</span><span class="err">:</span><span class="w"> </span><span class="n">Idle</span><span class="w"> </span><span class="nl">Event</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="w"></span>
<span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">NETWORK</span><span class="o">]</span><span class="w"> </span><span class="n">FD</span><span class="o">=</span><span class="mi">15</span><span class="p">,</span><span class="w"> </span><span class="n">Sock</span><span class="w"> </span><span class="nl">Status</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="o">-</span><span class="n">Success</span><span class="w"></span>
<span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">FSM</span><span class="o">]</span><span class="w"> </span><span class="k">State</span><span class="err">:</span><span class="w"> </span><span class="k">Connect</span><span class="w"> </span><span class="nl">Event</span><span class="p">:</span><span class="w"> </span><span class="mi">17</span><span class="w"></span>
<span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">ENCODE</span><span class="o">]</span><span class="w"> </span><span class="n">Msg</span><span class="o">-</span><span class="nl">Hdr</span><span class="p">:</span><span class="w"> </span><span class="n">Type</span><span class="w"> </span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">ENCODE</span><span class="o">]</span><span class="w"> </span><span class="k">Open</span><span class="err">:</span><span class="w"> </span><span class="n">Ver</span><span class="w"> </span><span class="mi">4</span><span class="w"> </span><span class="n">MyAS</span><span class="w"> </span><span class="mi">65002</span><span class="w"> </span><span class="n">Holdtime</span><span class="w"> </span><span class="mi">180</span><span class="w"></span>
<span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">ENCODE</span><span class="o">]</span><span class="w"> </span><span class="k">Open</span><span class="err">:</span><span class="w"> </span><span class="n">Msg</span><span class="o">-</span><span class="k">Size</span><span class="w"> </span><span class="mi">45</span><span class="w"></span>
<span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">DECODE</span><span class="o">]</span><span class="w"> </span><span class="n">Msg</span><span class="o">-</span><span class="nl">Hdr</span><span class="p">:</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="n">length</span><span class="w"> </span><span class="mi">23</span><span class="w"></span>
<span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="o">%</span><span class="n">BGP</span><span class="o">-</span><span class="mi">3</span><span class="o">-</span><span class="nl">NOTIFICATION</span><span class="p">:</span><span class="w"> </span><span class="n">received</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="mf">84.22.96.5</span><span class="w"> </span><span class="mi">2</span><span class="o">/</span><span class="mi">2</span><span class="w"> </span><span class="p">(</span><span class="k">OPEN</span><span class="w"> </span><span class="n">Message</span><span class="w"> </span><span class="n">Error</span><span class="o">/</span><span class="n">Bad</span><span class="w"> </span><span class="n">Peer</span><span class="w"> </span><span class="k">AS</span><span class="p">.)</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="k">data</span><span class="o">-</span><span class="n">bytes</span><span class="w"></span>
</code></pre></div>
<p>Now let's compare to the debug from Cisco:</p>
<p>#<strong>debug ip bgp events</strong> </p>
<div class="highlight"><pre><span></span><code> Mar 24 13:14:55.572: %BGP-3-NOTIFICATION: sent to neighbor 10.250.250.2
2/2 (peer in wrong AS) 2 bytes FDEA FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 002D 0104 FAEA
01B4 0AFA EA02 1302 0201 1400 0100 0132 0222 0012 0222 00
</code></pre></div>
<p><strong>Case 2</strong>
<em>MD5 authentication is set on the Cisco but not on the Fortigate.</em> Again, for comparison, the BGP<br>
debug output from the Fortigate and from the Cisco.</p>
<p>Cisco:</p>
<div class="highlight"><pre><span></span><code> Jan 5 10:42:14.299: %TCP-6-BADAUTH: No MD5 digest from 10.250.250.2 (1037) to 84.22.96.5(179)
</code></pre></div>
<p>Fortigate:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">FSM</span><span class="o">]</span><span class="w"> </span><span class="k">State</span><span class="err">:</span><span class="w"> </span><span class="k">Connect</span><span class="w"> </span><span class="nl">Event</span><span class="p">:</span><span class="w"> </span><span class="mi">9</span><span class="w"></span>
<span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="o">[</span><span class="n">RIB</span><span class="o">]</span><span class="w"> </span><span class="n">Scanning</span><span class="w"> </span><span class="n">BGP</span><span class="w"> </span><span class="n">Network</span><span class="w"> </span><span class="n">Routes</span><span class="p">...</span><span class="w"></span>
<span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">FSM</span><span class="o">]</span><span class="w"> </span><span class="k">State</span><span class="err">:</span><span class="w"> </span><span class="k">Connect</span><span class="w"> </span><span class="nl">Event</span><span class="p">:</span><span class="w"> </span><span class="mi">9</span><span class="w"></span>
<span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="o">[</span><span class="n">RIB</span><span class="o">]</span><span class="w"> </span><span class="n">Scanning</span><span class="w"> </span><span class="n">BGP</span><span class="w"> </span><span class="n">Network</span><span class="w"> </span><span class="n">Routes</span><span class="p">...</span><span class="w"></span>
</code></pre></div>
<p><strong>Case 3</strong> (that actually happened when I configured this Fortigate) is <em>a mismatched MD5 password on either side</em>.</p>
<p>Fortigate:<br>
The summary listing showed the peering as down:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="mi">84</span>.<span class="mi">22</span>.<span class="mi">96</span>.<span class="mi">5</span><span class="w"> </span><span class="mi">4</span><span class="w"> </span><span class="mi">65333</span><span class="w"> </span><span class="mi">934</span><span class="w"> </span><span class="mi">1036</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="nv">never</span><span class="w"> </span><span class="k">Connect</span><span class="w"> </span>
</code></pre></div>
<p>Cisco: </p>
<div class="highlight"><pre><span></span><code> *Mar 24 13:40:28.800: BGP: Regular scanner event timer
*Mar 24 13:40:28.800: BGP: Import timer expired. Walking from 1 to 1
*Mar 24 13:40:42.764: %TCP-6-BADAUTH: Invalid MD5 digest from 10.250.250.2(11064) to 84.22.96.5(179)
</code></pre></div>
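<p>The point of the side-by-side comparison is that the two platforms report the same fault in very different places: the Cisco names it (<code>%TCP-6-BADAUTH</code>, <code>%BGP-3-NOTIFICATION</code>), while the Fortigate often only shows the session cycling through <code>Connect</code>. Here is an added example (my own code, not the blog's or either vendor's tooling) that turns these lines into a root cause on a log collector: it classifies the Cisco and Fortigate messages from Cases 1 to 3, plus the TTL-discard and hold-timer lines that Case 4 below shows, decoding the NOTIFICATION <code>code/subcode</code> pair with the names from RFC 4271 and RFC 4486. The sample captures are constructed in the shape of this page's outputs with the hex dumps omitted; the "stuck in Connect" heuristic is my own rule of thumb, drawn from Cases 2 and 3, where the Fortigate logs nothing useful and the Cisco reports the failed MD5 check.</p>

```python
"""Classify Cisco and Fortigate BGP debug lines into a root cause.
Added example for the Case 1-4 comparison; not the blog's own tooling."""
import re

# RFC 4271 NOTIFICATION error codes and subcodes (Cease subcodes from RFC 4486).
NOTIFY_CODES = {
    1: ("Message Header Error", {1: "Connection Not Synchronized",
                                 2: "Bad Message Length", 3: "Bad Message Type"}),
    2: ("OPEN Message Error", {1: "Unsupported Version Number", 2: "Bad Peer AS",
                               3: "Bad BGP Identifier", 4: "Unsupported Optional Parameter",
                               6: "Unacceptable Hold Time"}),
    3: ("UPDATE Message Error", {}),
    4: ("Hold Timer Expired", {}),
    5: ("Finite State Machine Error", {}),
    6: ("Cease", {1: "Maximum Number of Prefixes Reached", 2: "Administrative Shutdown",
                  3: "Peer De-configured", 4: "Administrative Reset", 5: "Connection Rejected",
                  6: "Other Configuration Change", 7: "Connection Collision Resolution",
                  8: "Out of Resources"}),
}
# Operator-level meaning of the notifications seen in the cases on this page.
HINTS = {
    (2, 2): "the AS configured for the peer differs from the AS in its OPEN",
    (4, 0): "no KEEPALIVE arrived within the hold time; the peer's packets are not reaching BGP",
}

NOTIFY_RE = re.compile(r"%BGP-3-NOTIFICATION: (?P<dir>sent to neighbor|sending to|received from) "
                       r"(?P<peer>\S+) (?P<code>\d+)/(?P<sub>\d+)")
BADAUTH_RE = re.compile(r"%TCP-6-BADAUTH: (?P<what>No|Invalid) MD5 digest from (?P<peer>[\d.]+)")
TTL_RE = re.compile(r"%BGP-4-INCORRECT_TTL: Discarded message with TTL (?P<ttl>\d+) from (?P<peer>\S+)")
FSM_RE = re.compile(r"\[FSM\] State: (?P<state>\w+) Event: \d+")


def decode_notification(code, subcode):
    """Turn a 'code/subcode' pair into RFC 4271 names, e.g. 2/2 -> 'OPEN Message Error/Bad Peer AS'."""
    name, subs = NOTIFY_CODES.get(code, ("Unknown Error", {}))
    return f"{name}/{subs.get(subcode, 'Unspecified Error Subcode')}"


def classify_line(line):
    """(category, explanation) for a line that carries a verdict, else None."""
    m = BADAUTH_RE.search(line)
    if m:
        if m["what"] == "No":
            return ("md5", f"this side requires TCP MD5 but {m['peer']} sends no digest")
        return ("md5", f"TCP MD5 password mismatch with {m['peer']}")
    m = TTL_RE.search(line)
    if m:
        return ("ttl", f"ttl-security (GTSM) on this side discarded a packet from {m['peer']} with TTL {m['ttl']}")
    m = NOTIFY_RE.search(line)
    if m:
        code, sub = int(m["code"]), int(m["sub"])
        who = "peer rejected us" if m["dir"] == "received from" else "we rejected peer"
        hint = HINTS.get((code, sub))
        return ("notification", f"{who} ({m['peer']}): {decode_notification(code, sub)}"
                                + (f"; {hint}" if hint else ""))
    return None


def analyse(lines):
    """Classify one device's capture and add the 'silent side' heuristic: a session
    that keeps returning to Connect without decoding a single message failed at the
    TCP layer, and the reason is usually logged by the other peer (Cases 2 and 3)."""
    findings = [f for f in map(classify_line, lines) if f]
    connects = 0
    for line in lines:
        m = FSM_RE.search(line)
        if m and m["state"] == "Connect":
            connects += 1
    if connects >= 2 and not any("[DECODE]" in line for line in lines):
        findings.append(("tcp", "stuck in Connect with nothing decoded: TCP setup fails, "
                                "check the other peer's log for MD5 or TTL errors"))
    return findings


# Constructed captures in the shape of the Case 1-4 outputs (hex dumps omitted).
SAMPLES = {
    "case1_cisco": ["Mar 24 13:14:55.572: %BGP-3-NOTIFICATION: sent to neighbor 10.250.250.2 2/2 (peer in wrong AS) 2 bytes"],
    "case1_fortigate": ["BGP: 84.22.96.5-Outgoing [FSM] State: Connect Event: 17",
                        "BGP: 84.22.96.5-Outgoing [DECODE] Msg-Hdr: type 3, length 23",
                        "BGP: %BGP-3-NOTIFICATION: received from 84.22.96.5 2/2 (OPEN Message Error/Bad Peer AS.) 2 data-bytes"],
    "case2_cisco": ["Jan 5 10:42:14.299: %TCP-6-BADAUTH: No MD5 digest from 10.250.250.2 (1037) to 84.22.96.5(179)"],
    "case2_fortigate": ["84.22.96.5-Outgoing [FSM] State: Connect Event: 9",
                        "BGP: [RIB] Scanning BGP Network Routes...",
                        "84.22.96.5-Outgoing [FSM] State: Connect Event: 9"],
    "case3_cisco": ["*Mar 24 13:40:42.764: %TCP-6-BADAUTH: Invalid MD5 digest from 10.250.250.2(11064) to 84.22.96.5(179)"],
    "case4_cisco": ["Jan 7 13:01:36.992: %BGP-4-INCORRECT_TTL: Discarded message with TTL 2 from 10.250.250.2"],
    "case4_fortigate": ["BGP: 84.22.96.5-Outgoing [FSM] State: OpenConfirm Event: 11",
                        "BGP: %BGP-3-NOTIFICATION: sending to 84.22.96.5 4/0 (Hold Timer Expired/Unspecified Error Subcode) 0 data-bytes",
                        "BGP: 84.22.96.5-Outgoing [FSM] State: Idle Event: 3"],
}

if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        for category, text in analyse(lines):
            print(f"{name:16} {category:13} {text}")
```

<p>Each capture is analysed on its own, because the heuristic only makes sense per device: the Fortigate capture from Case 2 yields the <code>tcp</code> verdict, while the matching Cisco capture yields the <code>md5</code> one, which is exactly the pairing you want a collector to correlate.</p>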
<p><strong>Case 4</strong> <em>On the Cisco ttl-security is enabled, while on the Fortigate ebgp-multihop is not.</em>
There is no TTL security feature on the Fortigate, by the way; all you can do to handle this state is enable ebgp-multihop, after which it starts sending BGP packets with TTL = 255.</p>
<p>Cisco: </p>
<div class="highlight"><pre><span></span><code> Jan 7 13:01:36.992: %BGP-4-INCORRECT_TTL: Discarded message with TTL 2 from 10.250.250.2
</code></pre></div>
<p>Fortigate:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">FSM</span><span class="o">]</span><span class="w"> </span><span class="k">State</span><span class="err">:</span><span class="w"> </span><span class="n">OpenConfirm</span><span class="w"> </span><span class="nl">Event</span><span class="p">:</span><span class="w"> </span><span class="mi">11</span><span class="w"></span>
<span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">ENCODE</span><span class="o">]</span><span class="w"> </span><span class="n">Msg</span><span class="o">-</span><span class="nl">Hdr</span><span class="p">:</span><span class="w"> </span><span class="n">Type</span><span class="w"> </span><span class="mi">4</span><span class="w"></span>
<span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">ENCODE</span><span class="o">]</span><span class="w"> </span><span class="nl">Keepalive</span><span class="p">:</span><span class="w"> </span><span class="mi">13548</span><span class="w"> </span><span class="n">KAlive</span><span class="w"> </span><span class="n">msg</span><span class="p">(</span><span class="n">s</span><span class="p">)</span><span class="w"> </span><span class="n">sent</span><span class="w"></span>
<span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">FSM</span><span class="o">]</span><span class="w"> </span><span class="k">State</span><span class="err">:</span><span class="w"> </span><span class="n">OpenConfirm</span><span class="w"> </span><span class="nl">Event</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="w"></span>
<span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">ENCODE</span><span class="o">]</span><span class="w"> </span><span class="n">Msg</span><span class="o">-</span><span class="nl">Hdr</span><span class="p">:</span><span class="w"> </span><span class="n">Type</span><span class="w"> </span><span class="mi">3</span><span class="w"></span>
<span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="o">%</span><span class="n">BGP</span><span class="o">-</span><span class="mi">3</span><span class="o">-</span><span class="nl">NOTIFICATION</span><span class="p">:</span><span class="w"> </span><span class="n">sending</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="mf">84.22.96.5</span><span class="w"> </span><span class="mi">4</span><span class="o">/</span><span class="mi">0</span><span class="w"> </span><span class="p">(</span><span class="k">Hold</span><span class="w"> </span><span class="n">Timer</span><span class="w"> </span><span class="n">Expired</span><span class="o">/</span><span class="n">Unspecified</span><span class="w"> </span><span class="n">Error</span><span class="w"> </span><span class="n">Subcode</span><span class="p">)</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="k">data</span><span class="o">-</span><span class="n">bytes</span><span class="w"></span>
<span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">FSM</span><span class="o">]</span><span class="w"> </span><span class="k">State</span><span class="err">:</span><span class="w"> </span><span class="n">Idle</span><span class="w"> </span><span class="nl">Event</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="w"></span>
<span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">NETWORK</span><span class="o">]</span><span class="w"> </span><span class="n">FD</span><span class="o">=</span><span class="mi">14</span><span class="p">,</span><span class="w"> </span><span class="n">Sock</span><span class="w"> </span><span class="nl">Status</span><span class="p">:</span><span class="w"> </span><span class="mi">111</span><span class="o">-</span><span class="k">Connection</span><span class="w"> </span><span class="n">refused</span><span class="w"></span>
<span class="w"> </span><span class="nl">BGP</span><span class="p">:</span><span class="w"> </span><span class="mf">84.22.96.5</span><span class="o">-</span><span class="n">Outgoing</span><span class="w"> </span><span class="o">[</span><span class="n">FSM</span><span class="o">]</span><span class="w"> </span><span class="k">State</span><span class="err">:</span><span class="w"> </span><span class="k">Connect</span><span class="w"> </span><span class="nl">Event</span><span class="p">:</span><span class="w"> </span><span class="mi">18</span><span class="w"></span>
</code></pre></div>
<p><strong>Bonus Case</strong> Bug-not-a-feature thing on the Fortigate – when configuring an MD5 password for BGP authentication you get Cross-Site Scripting vulnerability protection for free :) Don't ask me how XSS is connected to CLI configuration of BGP …</p>
<p><strong>set password &lt;2AEARep&gt;</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">Error</span><span class="o">:</span><span class="n">The</span><span class="w"> </span><span class="n">string</span><span class="w"> </span><span class="n">contains</span><span class="w"> </span><span class="n">XSS</span><span class="w"> </span><span class="n">vulnerability</span><span class="w"> </span><span class="n">characters</span><span class="w"></span>
<span class="n">value</span><span class="w"> </span><span class="n">parse</span><span class="w"> </span><span class="n">error</span><span class="w"> </span><span class="n">before</span><span class="w"> </span><span class="s1">''</span><span class="w"></span>
<span class="n">Command</span><span class="w"> </span><span class="n">fail</span><span class="o">.</span><span class="w"> </span><span class="n">Return</span><span class="w"> </span><span class="n">code</span><span class="w"> </span><span class="o">-</span><span class="mi">173</span><span class="w"></span>
</code></pre></div>
<p><strong>Update 2020</strong>: You can find more example configurations in my new article <a href="https://yurisk.info/2020/05/20/fortigate-bgp-cookbook-of-example-configuration-and-debug/">Fortigate BGP Cookbook of example configurations</a></p>
<p>And all Fortigate BGP debug commands in my Fortigate Complete Cheat Sheet:
<a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc" rel="noopener">Fortigate debug and diagnose commands complete cheat sheet</a> | <a href="https://github.com/yuriskinfo/cheat-sheets/blob/master/cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.pdf" rel="noopener">PDF</a></p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Scan of the week – scan by country scan by continent2010-03-22T21:15:09+00:002010-03-22T21:15:09+00:00Yuri Slobodyanyuktag:yurisk.info,2010-03-22:/2010/03/22/scan-of-the-week-scan-by-country-scan-by-continent/<p>Disclaimer - all this stuff I bring to your attention is for educational purposes only, and what may be fine and ok here and for me can easily get you in trouble somewhere else, so use your discretion here.
Happy scanning.</p>
<p><em>"...Don't know much about geography"</em> as the song goes was ok in 1958 but can be embarrassing in our times of globalization. So let's fill the gap using <a href="http://nmap.org"><strong>NMAP</strong></a>. Say you
are investigating the issue of negative attitudes towards foreigners in Russia, and as part of the research
you just have to see active members of the movement(s) in question voicing their opinions. Only that many
times access to such forums or message boards is limited by their admins to Russian IPs only. So to get there you need a free open Russian proxy. Let's see how to find one.</p>
<h2>Round 1 - Gimme the addresses.</h2>
<p>IP geolocation databases, as they are known on the Net, or simply GeoIP databases, are compilations of IP ranges per their assigned country. Take it with a pinch of salt as accuracy is the issue here. One of the most known and used free GeoIP sources is the <a href="http://maxmind.com">Maxmind.com</a> free database that is updated once per month (good enough for this).
The Maxmind database comes as a binary proprietary format file you can work with using 3rd party tools, or as a CSV file, which I will be using here. Download it as <a href="http://www.maxmind.com/app/geolitecountry">Geolite country</a>, unzip and you have GeoIpCountryCSV.csv. The format of the records in it goes like this -</p>
<div class="highlight"><pre><span></span><code> "1.0.0.0","1.0.0.255","16777216","16777471","AP","Asia/Pacific Region"
"1.1.1.0","1.1.1.255","16843008","16843263","AU","Australia"
"1.2.3.0","1.2.3.255","16909056","16909311","AU","Australia"
"1.50.0.0","1.50.3.255","20054016","20055039","AP","Asia/Pacific Region"
</code></pre></div>
<p>The purpose here is to :</p>
<ol>
<li>
<p>Find all IP ranges that belong to the country of interest</p>
</li>
<li>
<p>Reformat found IP ranges into the presentation suitable for the NMAP</p>
</li>
</ol>
<p><code>awk -F, '/RU/ { gsub(/"/,"",$0); print $1 "-" $2} ' GeoIPCountryWhois.csv > IPs.data</code></p>
<div class="highlight"><pre><span></span><code> head IPs.data
62.5.128.0-62.5.255.255
62.12.80.0-62.12.81.255
62.16.32.0-62.16.66.255
</code></pre></div>
<ul>
<li>After I found all Russian IPs, reformat them into a form NMAP can eat</li>
</ul>
<div class="highlight"><pre><span></span><code>awk -F\. '{split($4,aaa,"-"); print $1"-"aaa[2]"."$2"-"$5 "." $3"-"$6"."aaa[1]"-"$7}' IPs.data > scan.me
</code></pre></div>
<div class="highlight"><pre><span></span><code> head scan.me
62-62.5-5.128-255.0-255
62-62.12-12.80-81.0-255
62-62.16-16.32-66.0-255
62-62.16-16.68-127.0-255
62-62.32-32.64-95.0-255
</code></pre></div>
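The second awk one-liner emits nmap's per-octet range form, which is exact only when every octet below the first differing one spans 0-255 (true of the rows shown, not of every GeoLite range). As an added example that is not from the original post, in Python rather than awk because range-to-prefix summarisation needs bit arithmetic, here is the same filter-and-reformat step done on the country-code field and emitting CIDR blocks, which nmap and firewall geo-filter policies both accept; the CSV rows are constructed in the layout shown above.

```python
import csv
import io
import ipaddress
from typing import Iterator, List, Tuple

# Constructed sample in the GeoLite Country CSV layout shown above
# (start IP, end IP, start as integer, end as integer, ISO code, name).
# The first two rows copy the post's sample; the RU rows are made up for
# this example, the last one deliberately not aligned to octet boundaries.
SAMPLE_CSV = (
    '"1.0.0.0","1.0.0.255","16777216","16777471","AP","Asia/Pacific Region"\n'
    '"1.1.1.0","1.1.1.255","16843008","16843263","AU","Australia"\n'
    '"62.5.128.0","62.5.255.255","1040547840","1040580607","RU","Russian Federation"\n'
    '"198.51.100.200","198.51.101.3","3325256904","3325256963","RU","Russian Federation"\n'
)


def country_ranges(csv_text: str, country_code: str
                   ) -> Iterator[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Yield (first, last) address pairs for rows whose ISO code matches.

    Comparing the fifth column exactly is the field-aware version of the
    post's /RU/ regex, so a code can never match inside another column.
    """
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 5 or row[4] != country_code:
            continue
        yield ipaddress.IPv4Address(row[0]), ipaddress.IPv4Address(row[1])


def nmap_octet_form(first: ipaddress.IPv4Address, last: ipaddress.IPv4Address) -> str:
    """The post's awk output shape: 'a-b.c-d.e-f.g-h', one pair per octet.

    Exact only when every octet below the first differing one spans 0-255;
    for the unaligned sample row it yields a last octet of '200-3', which
    nmap cannot interpret as the intended 60 addresses.
    """
    return ".".join(f"{a}-{b}" for a, b in zip(first.packed, last.packed))


def country_cidrs(csv_text: str, country_code: str) -> List[str]:
    """Return the country's ranges as CIDR strings, exact for any range.

    The list can replace the scan.me file or feed a firewall address group.
    """
    cidrs: List[str] = []
    for first, last in country_ranges(csv_text, country_code):
        cidrs.extend(str(net) for net in ipaddress.summarize_address_range(first, last))
    return cidrs


def address_count(cidrs: List[str]) -> int:
    """Total addresses covered, a quick sanity check against the CSV rows."""
    return sum(ipaddress.IPv4Network(c).num_addresses for c in cidrs)


if __name__ == "__main__":
    for first, last in country_ranges(SAMPLE_CSV, "RU"):
        print(f"{first}-{last}  octet form: {nmap_octet_form(first, last)}")
    print("\n".join(country_cidrs(SAMPLE_CSV, "RU")))
    print("addresses:", address_count(country_cidrs(SAMPLE_CSV, "RU")))
```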
<h2>Round 2 - find me some proxy</h2>
<p>Here I will use the LUA script from the NSE repository of nmap called http-open-proxy</p>
<p><code>nmap -n -PN -oN proxy-check.grep --script=http-open-proxy -iL scan.me -p 8080,3128</code></p>
<p>That completes this opening article of the <strong>Scan of the week</strong> united with <strong>Awk weekly</strong>. Hope you found it educational enough and see you next time.</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Install native telnet client on Checkpoint firewall2010-03-20T05:38:21+00:002010-03-20T05:38:21+00:00Yuri Slobodyanyuktag:yurisk.info,2010-03-20:/2010/03/20/install-native-telnet-client-on-checkpoint-firewall/<p>Some time ago in <a href="https://yurisk.info/2008/09/10/telnet-from-inside-checkpoint-firewall">Telnet from inside Checkpoint firewall</a> I wrote how to use awk to imitate telnet on a Checkpoint firewall. Later, in the comments to that post, a reader pointed out that there is a native telnet client located on the Splat installation ISO image.
That's true, only I think you do not always have the installation image at hand. Instead you can use the
standalone download SecurePlatformAddOn_R55.tgz: <a href="https://www.checkpoint.com/techsupport/downloads/bin/firewall1/r55/secureplatform/SecurePlatformAddOn_R55.tgz">https://www.checkpoint.com/techsupport/downloads/bin/firewall1/r55/secureplatform/SecurePlatformAddOn_R55.tgz</a>. While it states R55 in its name, the telnet client software it has inside works well even with R70 and also on Splat platforms with the 2.6 kernel. Indeed the telnet client that comes with the R70 installation image is bigger by file size but bears the same version name anyway.
In addition there is another useful utility in this package – the well-known wget. So consider installing it too.
After downloading it, go by the usual RPM package install procedure – unzip, untar, <code>rpm -Uvh &lt;name&gt;</code></p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Traffic shaping in Checkpoint the Linux way2010-03-13T17:19:37+00:002010-03-13T17:19:37+00:00Yuri Slobodyanyuktag:yurisk.info,2010-03-13:/2010/03/13/traffic-shaping-in-checkpoint-the-linux-way/<p>Quite often I need to work on a Checkpoint firewall to which access in SmartDashboard is close to impossible due to the overloaded internet connection to the firewall, and there is no out-of-band access alternative.<br>
Other times doing debug produces huge files (we talk gigabytes here), and if I download such files from the firewall through scp as is, it will use up all the bandwidth of the line, causing slowness to the client.<br>
For such and similar cases there is a perfect tool provided by the Linux kernel - <strong>Quality of Service (QoS)</strong>, which allows us to limit used bandwidth with very flexible filter criteria. QoS in Linux is a subject complicated and extensive enough not to be dealt with in a short post, so I just present some ready-to-use copy-paste configs for exactly that. For in-depth coverage see <a href="https://lartc.org/howto/">lartc.org/howto</a><br>
And of course if your firewall has the Floodguard license and feature installed (Checkpoint's implementation of Quality of Service), then you can achieve the same through rules in the QoS tab in SmartDashboard.</p>
<ol>
<li>Limiting myself - when downloading some huge file from the firewall I want to limit my traffic to some specific rate.<br>
Here:<br>
eth0 - outgoing interface;<br>
100Mbit - physical rate of the interface;<br>
300Kbit - rate limit I impose on traffic destined to my management station where I download the file;<br>
39.139.3.4 - my management IP.</li>
</ol>
<div class="highlight"><pre><span></span><code>tc qdisc add dev eth0 root handle 33: htb
tc class add dev eth0 parent 33: classid 33:10 htb rate 100mbit
tc class add dev eth0 parent 33:10 classid 33:200 htb rate 300Kbit
tc filter add dev eth0 parent 33: protocol ip prio 2 u32 match ip dst 39.139.3.4/32 flowid 33:200
</code></pre></div>
<ol start="2">
<li>Line is overloaded and I can't connect with SmartDashboard but still have ssh access.<br>
Here:<br>
30Kbit - rate limit I impose on ANY traffic except to my management IP , see next rule;<br>
200Kbit - rate limit on traffic to my management station.</li>
</ol>
<div class="highlight"><pre><span></span><code>tc qdisc add dev eth0 root handle 33: htb
tc class add dev eth0 parent 33: classid 33:10 htb rate 100mbit
tc class add dev eth0 parent 33:10 classid 33:100 htb rate 30Kbit
tc filter add dev eth0 protocol ip parent 33:0 prio 5 u32 match ip dst any flowid 33:100
tc class add dev eth0 parent 33:10 classid 33:200 htb rate 200Kbit
tc filter add dev eth0 parent 33: protocol ip prio 2 u32 match ip dst 39.139.3.4/32 flowid 33:200
</code></pre></div>
<p>NOTE: QoS in Linux as presented here works on egress, i.e. it can limit traffic leaving the interface.
The script above therefore limits what would be upload leaving the firewall towards the Internet.
To limit some heavy download the same technique should be applied on the internal, LAN-facing interface. Usually, nevertheless, the moment you throttle the upload modern applications will detect it and slow down the download as well, but your mileage may vary.</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>awk weekly rule hits statistics checkpoint again2010-03-13T11:22:21+00:002010-03-13T11:22:21+00:00Yuri Slobodyanyuktag:yurisk.info,2010-03-13:/2010/03/13/awk-weekly-rule-hits-statistics-checkpoint-again/<p>I updated the script and moved it to the 1st page: <a href="https://yurisk.info/2012/01/31/awk-weekly-rule-hits-statistics-checkpoint/">http://yurisk.info/2012/01/31/awk-weekly-rule-hits-statistics-checkpoint-again/</a></p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>awk weekly – Checkpoint Anti Spam statistics or viva les Open Relays2010-03-08T20:56:38+00:002010-03-08T20:56:38+00:00Yuri Slobodyanyuktag:yurisk.info,2010-03-08:/2010/03/08/awk-weekly-checkpoint-anti-spam-statistics-or-viva-la-open-relays/<p>Goooood day everyone again,
today I have had another fight with the spam that my client fell victim to. Once upon a time there was a not so powerful UTM providing internet to a not so crowded office in not so security-aware Central Europe.
All would be good and well if not for this problem - they could not send emails outside as the IP of the firewall had entered every imaginable blacklist on Earth. Hmm, but the firewall has the AntiSpam subscription service up and running.
The LAN is blocked on port 25 outbound except for the Exchange. Antivirus is everywhere, so a low chance of spam coming from the LAN. In SmartView Tracker lots of SMTP rule logs in red - spam entering Exchange is blocked.</p>
<p>So what the ...? tcpdump with the -w option for 5 minutes was all I needed to see that Exchange was an open relay and kindly offered to relay spam from everyone to everywhere.
To really measure the impact of the event I had to have some statistics, and Checkpoint didn't help me much with that; even though this UTM also has a SmartView Monitor license, it is not suited for the task. So I exported fw.log on the UTM into text, human-and-awk-readable format, which took some 40 mins on a 300 Mb log file and produced a text file of 475 Mb, and then did whatever I wanted with the data using awk.
Now get some action:<br>
Script 1 - Find all mails rejected in the direction from the LAN (interface Internal, remember it is a UTM) to the Internet (interface External), then gather statistics of how many mails came from which IP [less relevant here as all mails come from Exchange, but in an environment where hosts send mails directly outside it is] and show us:</p>
<div class="highlight"><pre><span></span><code><span class="err">#</span><span class="w"> </span><span class="n">awk</span><span class="w"> </span><span class="o">-</span><span class="n">F</span><span class="err">\</span><span class="p">;</span><span class="w"> </span><span class="s1">'/Internal to External/ && /reject/ {print $2}'</span><span class="w"> </span><span class="p">.</span><span class="o">/</span><span class="n">fw</span><span class="p">.</span><span class="nf">log</span><span class="p">.</span><span class="n">txt</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">awk</span><span class="w"> </span><span class="s1">' {match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/,IP); IPS[IP[0]]++ } END { for (spammer_ips in IPS) print spammer_ips " " IPS[spammer_ips]}'</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">sort</span><span class="w"> </span><span class="o">-</span><span class="n">n</span><span class="w"> </span><span class="o">-</span><span class="n">k2</span><span class="p">,</span><span class="mi">2</span><span class="w"></span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="mf">192.168.14.12</span><span class="w"> </span><span class="mf">402804</span><span class="w"></span>
</code></pre></div>
<p>Yahooooo! In the timeframe of 28 hours <strong>402804</strong> mails coming from Exchange were blocked as spam!
Not bad at all - all this without any malware installed on the client side [my educated guess from Wireshark here, as I don't have access to the Exchange], just amazing!</p>
<p>Now let's have a look at the overall number of mails that were accepted and sent outside to the Internet:
Script 2 - Find all mails accepted in the direction from the LAN (interface Internal) to the Internet (interface External), then gather statistics of how many mails came from which IP and show us:</p>
<div class="highlight"><pre><span></span><code><span class="err">#</span><span class="w"> </span><span class="n">awk</span><span class="w"> </span><span class="o">-</span><span class="n">F</span><span class="err">\</span><span class="p">;</span><span class="w"> </span><span class="s1">'/Internal to External/ && /accept/ {print $2}'</span><span class="w"> </span><span class="p">.</span><span class="o">/</span><span class="n">fw</span><span class="p">.</span><span class="nf">log</span><span class="p">.</span><span class="n">txt</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">awk</span><span class="w"> </span><span class="s1">' {match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/,IP); IPS[IP[0]]++ } END { for (spammer_ips in IPS) print spammer_ips " " IPS[spammer_ips]}'</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">sort</span><span class="w"> </span><span class="o">-</span><span class="n">n</span><span class="w"> </span><span class="o">-</span><span class="n">k2</span><span class="p">,</span><span class="mi">2</span><span class="w"></span>
<span class="mf">192.168.14.12</span><span class="w"> </span><span class="mi">257940</span><span class="w"></span>
</code></pre></div>
<p>Wow! In addition to the 402804 mails blocked by the Checkpoint firewall as spam, 257940 mails were sent out as clean; given that this is a very small office hardly sending 300 mails a day, we get a ratio of 39% spam passing through the Checkpoint Antispam, pity. An Antispam blocking rate of 61%? In the 21st century? Wake up!</p>
<p>Just for the statistics I also calculated how many spam emails were blocked inbound from outside:
Script 3 - gather how many mails coming in from outside were rejected by Checkpoint as spam.</p>
<div class="highlight"><pre><span></span><code># awk -F\; '/External to Internal/ && /reject/ {print $2}' ./fw.log.txt | wc
</code></pre></div>
<div class="highlight"><pre><span></span><code># 5593 11186 112648
</code></pre></div>
<p>So only 5593 incoming spam emails and almost half a million outgoing ones - that's what I call effectiveness.
Script 4 - gather statistics on blocked emails and the IPs they came from:</p>
<div class="highlight"><pre><span></span><code><span class="err">#</span><span class="w"> </span><span class="n">awk</span><span class="w"> </span><span class="o">-</span><span class="n">F</span><span class="err">\</span><span class="p">;</span><span class="w"> </span><span class="s1">'/External to Internal/ && /reject/ {print $2}'</span><span class="w"> </span><span class="p">.</span><span class="o">/</span><span class="n">fw</span><span class="p">.</span><span class="nf">log</span><span class="p">.</span><span class="n">txt</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">awk</span><span class="w"> </span><span class="s1">' {match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/,IP); IPS[IP[0]]++ } END { for (spam_ips in IPS) print spam_ips " " IPS[spam_ips]}'</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">sort</span><span class="w"> </span><span class="o">-</span><span class="n">n</span><span class="w"> </span><span class="o">-</span><span class="n">k2</span><span class="p">,</span><span class="mi">2</span><span class="w"> </span>
</code></pre></div>
<p>And here are some results </p>
<div class="highlight"><pre><span></span><code><span class="mf">93.81.26.2</span><span class="w"> </span><span class="mf">75</span><span class="w"></span>
<span class="mf">91.121.114.1</span><span class="w"> </span><span class="mf">81</span><span class="w"></span>
<span class="mf">220.168.57.1</span><span class="w"> </span><span class="mf">87</span><span class="w"></span>
<span class="mf">58.9.205.2</span><span class="w"> </span><span class="mf">129</span><span class="w"></span>
<span class="mf">122.102.101.1</span><span class="w"> </span><span class="mf">149</span><span class="w"></span>
<span class="mf">58.137.99.7</span><span class="w"> </span><span class="mf">160</span><span class="w"></span>
<span class="mf">189.35.231.6</span><span class="w"> </span><span class="mf">189</span><span class="w"></span>
<span class="mf">60.248.174.6</span><span class="w"> </span><span class="mf">631</span><span class="w"></span>
</code></pre></div>
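Each of the four scripts above re-reads the whole export and relies on gawk's three-argument match(). As an added example, not the post's code and in Python rather than awk, here is one pass over constructed lines in the same semicolon-separated layout (source IP in the second field, direction and action text somewhere on the line; the remaining fields and all IPs are made up) that tallies per direction, action and source IP, computes the outbound spam ratio quoted above, and flags an internal host behaving like an open relay.

```python
import re
from collections import Counter, defaultdict
from typing import DefaultDict, Dict, Iterable, List, Tuple

IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")

# Constructed log lines mimicking only what the post's scripts rely on:
# semicolon-separated fields, the source IP inside the second field, and
# the direction ("Internal to External" / "External to Internal") and
# action ("accept" / "reject") text on the line. A real fw.log export has
# many more fields; every address here is invented.
SAMPLE_LOG = """\
10:00:01;src=192.168.14.12;Internal to External;reject;smtp;spam
10:00:02;src=192.168.14.12;Internal to External;reject;smtp;spam
10:00:03;src=192.168.14.12;Internal to External;accept;smtp;clean
10:00:04;src=192.168.14.12;Internal to External;reject;smtp;spam
10:00:05;src=203.0.113.9;External to Internal;reject;smtp;spam
10:00:06;src=198.51.100.77;External to Internal;accept;smtp;clean
10:00:07;src=203.0.113.9;External to Internal;reject;smtp;spam
10:00:08;src=192.168.14.12;Internal to External;accept;smtp;clean
10:00:09;src=192.168.14.5;Internal to External;reject;smtp;spam
"""

DIRECTIONS = ("Internal to External", "External to Internal")
ACTIONS = ("accept", "reject")

Stats = DefaultDict[Tuple[str, str], Counter]


def tally(lines: Iterable[str]) -> Stats:
    """One pass: count source IPs per (direction, action), like scripts 1-4 together."""
    stats: Stats = defaultdict(Counter)
    for line in lines:
        fields = line.rstrip("\n").split(";")
        if len(fields) < 2:
            continue
        direction = next((d for d in DIRECTIONS if d in line), None)
        action = next((a for a in ACTIONS if a in line), None)
        ip = IP_RE.search(fields[1])          # same as the post's match() on $2
        if direction is None or action is None or ip is None:
            continue
        stats[(direction, action)][ip.group(0)] += 1
    return stats


def outbound_spam_ratio(stats: Stats) -> float:
    """Share of outbound mail the anti-spam rejected: rejects / (rejects + accepts).

    With the post's figures (402804 rejected, 257940 accepted) this is about
    0.61, i.e. the 39% that passed is 1 minus this value.
    """
    rejected = sum(stats[("Internal to External", "reject")].values())
    accepted = sum(stats[("Internal to External", "accept")].values())
    total = rejected + accepted
    return rejected / total if total else 0.0


def suspected_relays(stats: Stats, threshold: int) -> List[Tuple[str, int]]:
    """Internal hosts with at least `threshold` outbound rejects, most first.

    A single LAN address dominating outbound rejects is the open-relay
    symptom the post found; the threshold is a per-site tuning knob.
    """
    counts = stats[("Internal to External", "reject")]
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    s = tally(SAMPLE_LOG.splitlines())
    for (direction, action), counter in sorted(s.items()):
        for ip, n in counter.most_common():
            print(f"{direction:<20} {action:<7} {ip:<16} {n}")
    print(f"outbound spam ratio: {outbound_spam_ratio(s):.0%}")
    print("suspected relays:", suspected_relays(s, threshold=3))
```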
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Cisco IPS sensor – initial setup2010-02-28T16:05:30+00:002010-02-28T16:05:30+00:00Yuri Slobodyanyuktag:yurisk.info,2010-02-28:/2010/02/28/cisco-ips-sensor-initial-setup/<p>I am using Cisco IPS sensor 4235 unless specified otherwise </p>
<p>Initial Configuration. </p>
<p>By default , out of the box the sensor has the following defaults:</p>
<p>Management IP: 10.1.9.201/24<br>
Default gateway: 10.1.9.1<br>
Allowed access: from the network 10.1.9.201/24<br>
Telnet access: disabled<br>
HTTPS: port 443</p>
<p>As most likely your network has a different network address, the first thing to do is change the management IP, default gateway and allowed management access network(s)/IP. You do so by connecting to it with a console cable.
You can configure these basic network settings in 2 ways: enter all the configuration commands on the CLI (if you know them) or run the interactive menu-type setup by issuing on the CLI: <strong>#setup</strong>. I'll show both ways, but let's start with the setup menu.<br>
A short remark – the IPS sensor is one of not so many devices in the Cisco family for which configuring/managing/communicating with it through its GUI is the recommended and preferred way. It is much more intuitive and simple, and produces the very same configuration on the device as done in the CLI. The only time you may need to do stuff with the CLI is initial setup and debug.</p>
<p>Configuring minimal required settings through setup menu:</p>
<ol>
<li>Connect to the device by terminal </li>
<li>Enter default user/password: cisco/cisco (or see the documentation coming with the device);</li>
<li>run: </li>
</ol>
<p>sensor#<strong>setup</strong></p>
<ul>
<li>First you are presented with the whole configuration currently set; just hit the Space key until it reaches the end and asks whether you want to enter the setup dialog, type yes and Enter:</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="k">Continue</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">configuration</span><span class="w"> </span><span class="n">dialog</span><span class="vm">?</span><span class="o">[</span><span class="n">yes</span><span class="o">]</span><span class="err">:</span><span class="w"> </span>
<span class="w"> </span><span class="n">Enter</span><span class="w"> </span><span class="k">host</span><span class="w"> </span><span class="n">name</span><span class="o">[</span><span class="n">sensor</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="n">IPS4235</span><span class="w"> </span><span class="o">//</span><span class="w"> </span><span class="n">Here</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="k">set</span><span class="w"> </span><span class="n">hostname</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">IPS4235</span><span class="w"></span>
<span class="w"> </span><span class="n">Enter</span><span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="n">interface</span><span class="o">[</span><span class="n">10.1.9.201/24,10.1.9.1</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="mf">10.0.0.33</span><span class="o">/</span><span class="mi">24</span><span class="p">,</span><span class="mf">10.0.0.254</span><span class="w"> </span><span class="o">//</span><span class="w"> </span><span class="n">Pay</span><span class="w"> </span><span class="n">attention</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">syntax</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">specifying</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">management</span><span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="n">its</span><span class="w"> </span><span class="n">subnet</span><span class="w"> </span><span class="n">mask</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="k">default</span><span class="w"> </span><span class="n">gateway</span><span class="w"></span>
<span class="w"> </span><span class="n">Enter</span><span class="w"> </span><span class="n">telnet</span><span class="o">-</span><span class="n">server</span><span class="w"> </span><span class="n">status</span><span class="o">[</span><span class="n">disabled</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="n">enable</span><span class="w"> </span><span class="o">//</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">say</span><span class="w"> </span><span class="n">yes</span><span class="w"> </span><span class="n">here</span><span class="w"> </span><span class="n">but</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="k">are</span><span class="w"> </span><span class="n">advised</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">say</span><span class="w"> </span><span class="k">no</span><span class="w"> </span><span class="k">on</span><span class="w"> </span><span class="n">production</span><span class="w"> </span><span class="n">devices</span><span class="w"></span>
<span class="w"> </span><span class="n">Enter</span><span class="w"> </span><span class="n">web</span><span class="o">-</span><span class="n">server</span><span class="w"> </span><span class="n">port</span><span class="o">[</span><span class="n">443</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="o">//</span><span class="w"> </span><span class="k">Default</span><span class="w"> </span><span class="n">https</span><span class="w"> </span><span class="n">listening</span><span class="w"> </span><span class="n">port</span><span class="w"></span>
<span class="w"> </span><span class="k">Modify</span><span class="w"> </span><span class="k">current</span><span class="w"> </span><span class="n">access</span><span class="w"> </span><span class="n">list</span><span class="vm">?</span><span class="o">[</span><span class="n">no</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="n">yes</span><span class="w"></span>
<span class="w"> </span><span class="k">Current</span><span class="w"> </span><span class="n">access</span><span class="w"> </span><span class="n">list</span><span class="w"> </span><span class="nl">entries</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="k">No</span><span class="w"> </span><span class="n">entries</span><span class="w"></span>
<span class="w"> </span><span class="nl">Permit</span><span class="p">:</span><span class="w"> </span><span class="mf">10.0.0.100</span><span class="o">/</span><span class="mi">32</span><span class="w"> </span><span class="o">//</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">allow</span><span class="w"> </span><span class="n">management</span><span class="w"> </span><span class="n">access</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">device</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="k">specific</span><span class="w"> </span><span class="n">station</span><span class="w"> </span>
<span class="w"> </span><span class="nl">Permit</span><span class="p">:</span><span class="w"> </span><span class="o">//</span><span class="w"> </span><span class="n">Hit</span><span class="w"> </span><span class="n">Enter</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">move</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">next</span><span class="w"> </span><span class="n">menu</span><span class="w"> </span><span class="n">item</span><span class="w"></span>
<span class="w"> </span><span class="k">Modify</span><span class="w"> </span><span class="k">system</span><span class="w"> </span><span class="n">clock</span><span class="w"> </span><span class="n">settings</span><span class="vm">?</span><span class="o">[</span><span class="n">no</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="k">no</span><span class="w"></span>
<span class="w"> </span><span class="k">Modify</span><span class="w"> </span><span class="n">summer</span><span class="w"> </span><span class="nc">time</span><span class="w"> </span><span class="n">settings</span><span class="vm">?</span><span class="o">[</span><span class="n">no</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="k">no</span><span class="w"></span>
<span class="w"> </span><span class="k">Modify</span><span class="w"> </span><span class="k">system</span><span class="w"> </span><span class="n">timezone</span><span class="vm">?</span><span class="o">[</span><span class="n">no</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="k">no</span><span class="w"></span>
<span class="w"> </span><span class="k">Modify</span><span class="w"> </span><span class="n">interface</span><span class="o">/</span><span class="n">virtual</span><span class="w"> </span><span class="n">sensor</span><span class="w"> </span><span class="n">configuration</span><span class="vm">?</span><span class="o">[</span><span class="n">no</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="k">no</span><span class="w"></span>
<span class="w"> </span><span class="k">Modify</span><span class="w"> </span><span class="k">default</span><span class="w"> </span><span class="n">threat</span><span class="w"> </span><span class="n">prevention</span><span class="w"> </span><span class="n">settings</span><span class="vm">?</span><span class="o">[</span><span class="n">no</span><span class="o">]</span><span class="err">:</span><span class="w"> </span>
<span class="w"> </span><span class="o">------</span><span class="n">cut</span><span class="w"> </span><span class="n">here</span><span class="o">------------</span><span class="w"></span>
<span class="w"> </span><span class="k">exit</span><span class="w"> </span><span class="k">exit</span><span class="w"> </span>
</code></pre></div>
<p>Upon finishing all the menu items in the dialog you are presented with the configuration you just entered:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="nv">The</span><span class="w"> </span><span class="nv">following</span><span class="w"> </span><span class="nv">configuration</span><span class="w"> </span><span class="nv">was</span><span class="w"> </span><span class="nv">entered</span>.<span class="w"> </span>
<span class="w"> </span><span class="nv">service</span><span class="w"> </span><span class="nv">host</span><span class="w"> </span>
<span class="w"> </span><span class="nv">network</span><span class="o">-</span><span class="nv">settings</span><span class="w"> </span>
<span class="w"> </span><span class="nv">host</span><span class="o">-</span><span class="nv">ip</span><span class="w"> </span><span class="mi">10</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">33</span><span class="o">/</span><span class="mi">24</span>,<span class="mi">10</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">254</span><span class="w"> </span>
<span class="w"> </span><span class="nv">host</span><span class="o">-</span><span class="nv">name</span><span class="w"> </span><span class="nv">IPS4235</span><span class="w"> </span>
<span class="w"> </span><span class="nv">telnet</span><span class="o">-</span><span class="nv">option</span><span class="w"> </span><span class="nv">enabled</span><span class="w"> </span>
<span class="w"> </span><span class="nv">access</span><span class="o">-</span><span class="nv">list</span><span class="w"> </span><span class="mi">10</span>.<span class="mi">0</span>.<span class="mi">0</span>.<span class="mi">100</span><span class="o">/</span><span class="mi">32</span><span class="w"> </span>
<span class="w"> </span><span class="nv">ftp</span><span class="o">-</span><span class="nb">timeout</span><span class="w"> </span><span class="mi">300</span><span class="w"> </span>
<span class="w"> </span><span class="nv">no</span><span class="w"> </span><span class="nv">login</span><span class="o">-</span><span class="nv">banner</span><span class="o">-</span><span class="nv">text</span><span class="w"> </span>
<span class="w"> </span><span class="k">exit</span><span class="w"> </span>
<span class="w"> </span><span class="nv">time</span><span class="o">-</span><span class="nv">zone</span><span class="o">-</span><span class="nv">settings</span><span class="w"> </span>
<span class="w"> </span><span class="k">exit</span><span class="w"> </span>
<span class="w"> </span><span class="nv">summertime</span><span class="o">-</span><span class="nv">option</span><span class="w"> </span><span class="nv">disabled</span><span class="w"> </span>
<span class="w"> </span><span class="nv">ntp</span><span class="o">-</span><span class="nv">option</span><span class="w"> </span><span class="nv">disabled</span><span class="w"> </span>
<span class="w"> </span><span class="k">exit</span><span class="w"> </span>
<span class="w"> </span><span class="nv">service</span><span class="w"> </span><span class="nv">web</span><span class="o">-</span><span class="nv">server</span><span class="w"> </span><span class="nv">port</span><span class="w"> </span><span class="mi">443</span><span class="w"> </span>
</code></pre></div>
<p>At the end of the output you are given the following choices:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="o">[</span><span class="n">0</span><span class="o">]</span><span class="w"> </span><span class="k">Go</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">command</span><span class="w"> </span><span class="n">prompt</span><span class="w"> </span><span class="k">without</span><span class="w"> </span><span class="n">saving</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">config</span><span class="p">.</span><span class="w"> </span>
<span class="w"> </span><span class="o">[</span><span class="n">1</span><span class="o">]</span><span class="w"> </span><span class="k">Return</span><span class="w"> </span><span class="n">back</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">setup</span><span class="w"> </span><span class="k">without</span><span class="w"> </span><span class="n">saving</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">config</span><span class="p">.</span><span class="w"> </span>
<span class="w"> </span><span class="o">[</span><span class="n">2</span><span class="o">]</span><span class="w"> </span><span class="k">Save</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">configuration</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="k">exit</span><span class="w"> </span><span class="n">setup</span><span class="p">.</span><span class="w"> </span>
<span class="w"> </span><span class="n">Enter</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">selection</span><span class="o">[</span><span class="n">2</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span>
</code></pre></div>
<p>Then the device asks to reboot in order for the changes to take effect; confirm that.<br>
After the reboot you can access the sensor with a supported browser at the management IP: https://10.0.0.33<br>
Also make sure the station you are connecting from has a Java virtual machine installed, as the GUI is entirely based on it.</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>awk weekly - how to see Checkpoint logs on command line2010-02-26T20:12:57+00:002010-02-26T20:12:57+00:00Yuri Slobodyanyuktag:yurisk.info,2010-02-26:/2010/02/26/awk-weekly-how-to-see-checkpoint-logs-on-command-line/<p>Until recently I had never had any need to work with Checkpoint log files without SmartView Tracker. But there is always a first time. A client complained about some dropped mail traffic, and even to say whether there was a problem or not I had to look at the relevant logs; not a big deal, except that I had only ssh access to the firewall. For such cases Checkpoint provides the <strong>fw log</strong> log extracting utility, which reads the binary log file you feed it (<strong>fw.log</strong> by default) and outputs it in human-readable format. That's good, but its filtering possibilities are quite poor. You can see all available options with <strong>fw log -h</strong>, but selection is limited to <em>source, start/end time, action (drop/reject/etc)</em>. No port or direction filtering. And this was a busy firewall: some 80 mbytes of traffic passing at any given moment, with log as the default action on all rules. So the fw log filters would not help me. </p>
<p>Here is how I solved this with the help of awk:</p>
<ol>
<li>I exported all logs to a text file using:</li>
</ol>
<div class="highlight"><pre><span></span><code># fw log -n> fw_log.txt &
</code></pre></div>
<p>Note the <em>-n</em> option to fw log here: it prevents resolving IPs/ports to names, which shortens processing time by ~70%. </p>
<ol>
<li>Then I just used the all-powerful awk to search the text file and show the client what the reason was (the Exchange server in the LAN was sending heaps of spam; Anti-Spam stopped it as best it could, but nevertheless some spam leaked and caused RBL blocking of the external Checkpoint firewall IP):</li>
</ol>
<div class="highlight"><pre><span></span><code><span class="o">[</span><span class="n">Expert@Orlean</span><span class="o">]</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">awk</span><span class="w"> </span><span class="s1">'/Anti Spam/ && /Internal to External/'</span><span class="w"> </span><span class="n">fw_log</span><span class="p">.</span><span class="n">txt</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">awk</span><span class="w"> </span><span class="o">-</span><span class="nl">F</span><span class="p">:</span><span class="w"> </span><span class="s1">' {print $5 $6}'</span><span class="w"></span>
</code></pre></div>
<div class="highlight"><pre><span></span><code> 192.168.143.12; dst 65.55.37.88; proto
192.168.143.12; dst 65.55.92.136; proto
192.168.143.12; dst 65.55.92.136; proto
192.168.143.12; dst 203.216.247.184; proto
</code></pre></div>
<p>Here:<br>
External, Internal - UTM appliance interface names and direction of the Anti-Spam scanning.<br>
NOTE: exporting logs from binary to text takes a bit of time, depending on the situation. Enabling name resolving sky-rocketed the processing time to 15 minutes, but on the other hand gave some additional insight: </p>
<div class="highlight"><pre><span></span><code> Exchange; dst col0-mc2-f.col0.hotmail.com; proto
Exchange; dst mx1.hotmail.com; proto
Exchange; dst mx1.hotmail.com; proto
Exchange; dst mta19.mail.vip.tnz.yahoo.co.jp; proto
Exchange; dst bay0-mc2-f.bay0.hotmail.com; proto
Exchange; dst mx3.hotmail.com; proto
</code></pre></div>
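<p>The awk pipeline above picks colon-separated fields by position. As an added example (not the blog's own code), the Python below parses each <code>fw log -n</code> record as <code>key: value;</code> pairs and counts outbound Anti-Spam source/destination pairs. The sample records are constructed in the style of the output shown on this page; the hosts, rule numbers, IPs and the <code>Anti Spam</code> field name are assumptions of this example, not a documented log format.</p>

```python
"""Added example, not from the original post: parse "fw log -n" text output.

The awk one-liner above picks colon-separated fields by position; this parses
each record as "key: value;" pairs instead, so a reordered or missing field
does not silently shift the columns.  The sample records are constructed in
the style of the output shown on this page; hosts, rules and IPs are made up.
"""
import re
from collections import Counter

# Constructed sample (not a real capture); the field names are assumptions.
SAMPLE_FW_LOG = """\
26Feb2010  9:01:12 accept Orlean >External rule: 7; Anti Spam: Internal to External; src: 192.168.143.12; dst: 65.55.37.88; proto: tcp; service: smtp; s_port: 41122;
26Feb2010  9:01:13 accept Orlean >External rule: 7; Anti Spam: Internal to External; src: 192.168.143.12; dst: 65.55.92.136; proto: tcp; service: smtp; s_port: 41123;
26Feb2010  9:01:14 accept Orlean >Internal rule: 3; Anti Spam: External to Internal; src: 203.0.113.9; dst: 192.168.143.12; proto: tcp; service: smtp; s_port: 51000;
26Feb2010  9:01:15 drop Orlean >External rule: 12; src: 192.168.143.40; dst: 198.51.100.5; proto: tcp; service: http; s_port: 41124;
26Feb2010  9:01:16 accept Orlean >External rule: 7; Anti Spam: Internal to External; src: 192.168.143.12; dst: 65.55.92.136; proto: tcp; service: smtp; s_port: 41125;
"""

# Fixed leading fields: date, time, action, origin, direction+interface, then the pairs.
_HEAD = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\d+:\d+:\d+)\s+(?P<action>\S+)\s+(?P<origin>\S+)\s+"
    r"(?P<iface>[<>]\S+)\s+(?P<rest>.*)$"
)
# "key: value;" -- keys may contain spaces ("Anti Spam"), values run to the ';'.
_PAIR = re.compile(r"([A-Za-z_][A-Za-z_ ]*?):\s*([^;]*);")


def parse_record(line):
    """Return one fw log record as a dict, or None if the line is not a record."""
    m = _HEAD.match(line.strip())
    if m is None:
        return None
    rec = {k: m.group(k) for k in ("date", "time", "action", "origin", "iface")}
    for key, value in _PAIR.findall(m.group("rest")):
        rec[key.strip()] = value.strip()
    return rec


def spam_destinations(text):
    """(src, dst) pairs of outbound Anti-Spam hits, most frequent first.

    Same selection as the blog's awk '/Anti Spam/ && /Internal to External/',
    but keyed on the parsed fields rather than on substring matches anywhere
    in the line.
    """
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("Anti Spam") == "Internal to External":
            counts[(rec["src"], rec["dst"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (src, dst), n in spam_destinations(SAMPLE_FW_LOG):
        print(f"{n:4d}  {src} -> {dst}")
```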
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Difference between ebgp-multihop and ttl-security.2010-02-26T18:39:12+00:002010-02-26T18:39:12+00:00Yuri Slobodyanyuktag:yurisk.info,2010-02-26:/2010/02/26/difference-between-ebgp-multihop-and-ttl-security/<p>Once upon a time, reading some CCIE paper at work, I asked myself a question: “Why would someone bother to invent ttl-security and even write <a href="https://yurisk.info/assets/rfc5082.txt">RFC 5082 The Generalized TTL Security Mechanism (GTSM)</a> about it when the <em>multi-hop EBGP</em> feature provides the same end result?”.
First some background. For some reason BGP peering was envisioned, by default, as a TCP connection between directly connected routers. To proceed with this design (worth checking the BGP RFCs to see whether it was actually an obligation) vendors (Cisco, Juniper and even Fortinet) implemented all BGP protocol communication using <strong>TTL=1</strong> in the TCP packets being exchanged. As the logical consequence, if a router was placed more than 1 hop away from its peer, the BGP session could not be established. To provide for such set-ups, where peers are many hops away, the <strong>ebgp-multihop</strong> term was coined: on the configuration level you can specify that a BGP peer is that many hops away and override the "directly connected" limit. </p>
<p>What happens in fact is that when you specify such a multi-hop BGP peer, the router starts sending BGP packets with TTL equal to the number of hops you set. That means if I set the peer to be 3 hops away and some attacker tries to spoof the legit peer's IP but is 4 hops away, such an attack won't succeed, because my router will receive the spoofed BGP packets fine but will send replies with TTL of 3, which will expire just 1 hop away from the attacker.</p>
<p>Questionable, but security. So why ttl-security?<br>
This feature indeed enforces that the BGP peer is no more than the given number of hops away. And here comes the difference: it enforces it <strong>inbound</strong>. It works this way: after you enable ttl-security on the BGP peer session and specify how many hops away this peer is allowed to be, your router checks incoming TCP packets from this peer and does this simple calculation: configured value &lt;= 255 - hops-away-to-peer; if it holds true your router goes on with establishing the BGP session, if not, the session is shut down. Regarding outgoing TTL values: maybe it is a Cisco-only thing, maybe not, but the moment you enable ttl-security for some BGP peer on Cisco, the router itself starts sending BGP-related packets to this peer with the initial TTL equal to 255. I guess it is logical that if you enforce ttl-security on your side, the peering side will want to do the same.</p>
<p>When the ttl rule is broken we see in the debug session:<br>
<code>Dec 27 19:08:04.103: %BGP-4-INCORRECT_TTL: Discarded message with TTL 1 from 124.2.11.15</code></p>
<p>And the neighbor status is: </p>
<div class="highlight"><pre><span></span><code>Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
124.2.11.15 4 13462 33 63 0 0 0 00:04:31 Idle
</code></pre></div>
<p>#<strong>sh ip bgp neighbors 124.2.11.15</strong></p>
<div class="highlight"><pre><span></span><code>BGP neighbor is 124.2.11.15, remote AS 13462, external link
BGP version 4, remote router ID 0.0.0.0
BGP state = Closing
</code></pre></div>
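<p>As an added example, not from the original post, the Python below models the two checks described here: an ebgp-multihop router only sets the outgoing TTL to the configured hop count and accepts whatever arrives, while ttl-security (RFC 5082 GTSM as IOS implements it, accepting an inbound segment only when its TTL is at least 255 minus the configured hops) rejects segments from a sender that is too far away before any session is set up. Hop counts follow the IOS convention (1 = directly connected); the peer and spoofed-source distances are constructed.</p>

```python
"""Added example, not from the original post: ebgp-multihop versus ttl-security.

ebgp-multihop N only shapes what the router sends (initial TTL = N) and accepts
any TTL that arrives.  ttl-security hops N (RFC 5082 GTSM as implemented in IOS)
checks what arrives: a segment is accepted only when its TTL >= 255 - N, which a
sender more than N hops away cannot produce, because every router on the path
decrements the TTL.  Hop counts follow IOS: 1 = directly connected.
All peer/attacker distances below are constructed for the illustration.
"""

MAX_TTL = 255


def ttl_on_arrival(initial_ttl, hops):
    """TTL of a segment when it reaches a host `hops` links away.

    The hops - 1 routers in between each decrement the TTL and discard the
    packet when it reaches 0; in that case None is returned.
    """
    if hops < 1:
        raise ValueError("hops counts links: a directly connected peer is 1 hop away")
    remaining = initial_ttl - (hops - 1)
    return remaining if remaining >= 1 else None


def ttl_security_accepts(configured_hops, received_ttl):
    """IOS 'neighbor X ttl-security hops N' verdict on one inbound segment."""
    return received_ttl is not None and received_ttl >= MAX_TTL - configured_hops


def evaluate(configured_hops, sender_hops, sender_initial_ttl=MAX_TTL):
    """Compare both features for a sender `sender_hops` links away.

    multihop_*: what 'neighbor X ebgp-multihop configured_hops' does: it
    accepts the inbound segment regardless of TTL, and its replies carry
    TTL = configured_hops, so they only reach senders within that distance.
    ttl_security_accepts: the inbound verdict of 'ttl-security hops configured_hops'.
    """
    arrived = ttl_on_arrival(sender_initial_ttl, sender_hops)
    return {
        "arrived_ttl": arrived,
        "multihop_accepts_inbound": arrived is not None,
        "multihop_reply_reaches_sender": ttl_on_arrival(configured_hops, sender_hops) is not None,
        "ttl_security_accepts": ttl_security_accepts(configured_hops, arrived),
    }


if __name__ == "__main__":
    # Our side is configured for 2 hops; a legitimate peer 2 hops away and a
    # spoofed source 5 hops away both send with TTL 255.
    for label, hops in (("legit peer", 2), ("spoofed source", 5)):
        print(label, evaluate(2, hops))
    # A peer that has not enabled ttl-security still sends the default TTL 1;
    # ttl-security on our side rejects it, consistent with the
    # %BGP-4-INCORRECT_TTL "Discarded message with TTL 1" line shown above.
    print("peer without ttl-security", evaluate(1, 1, sender_initial_ttl=1))
```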
<p><strong>Additional resources</strong>:<br>
- <a href="https://yurisk.info/2020/05/20/fortigate-bgp-cookbook-of-example-configuration-and-debug/">Fortigate BGP cookbook of example configuration and debug commands</a>.<br>
- <a href="https://yurisk.info/2010/03/26/fortigate-bgp-configure-and-debug/">Fortigate BGP - configure and debug</a>. </p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>VPN client stops working in visitor mode after major update2010-02-25T10:10:35+00:002010-02-25T10:10:35+00:00Yuri Slobodyanyuktag:yurisk.info,2010-02-25:/2010/02/25/vpn-client-stops-working-in-visitor-mode-after-major-update/<p>Yesterday I looked at a Checkpoint VPN Secure Client issue. After an upgrade from NGX R65 to R70 the VPN client doesn't connect when Visitor mode is enabled. The moment you disable Visitor mode the same client to the same firewall works just fine. This happens often, so I bring it here. Actually I see it as an "it is a feature, not a bug" case: after major upgrades to the firewall, the Management WebGUI (the one you use after a fresh install to run the wizard) listening port is reset to its default value of 443. This, in turn, prevents any other daemon/service from listening on this port, so Visitor mode (I guess also SSL Extender) will not work. To fix it you just change the listening port of the WebGUI. Now let's get to SSH. To see the problem: </p>
<p>#<strong>lsof -i -n | grep https</strong> </p>
<div class="highlight"><pre><span></span><code> cp_http_s 1864 nobody 11u IPv4 14977 TCP *:https (LISTEN)
</code></pre></div>
<p>To fix the problem: </p>
<p>[Expert@fw]# <strong>webui disable</strong> </p>
<div class="highlight"><pre><span></span><code> Shutting down cp_http_server_wd: [ OK ]
</code></pre></div>
<p>[Expert@fw]# <strong>webui enable 4445</strong></p>
<div class="highlight"><pre><span></span><code> Running cp_http_server_wd: [ OK ]
</code></pre></div>
<p>Now the WebGUI will be listening on port 4445, and vpnd, as it should, will be listening on 443: </p>
<p>[Expert@fw]# <strong>lsof -i -n | awk '/https/ || /4445/'</strong></p>
<div class="highlight"><pre><span></span><code> vpnd 3564 root 26u IPv4 29060053 TCP *:https (LISTEN)
cp_http_s 10300 nobody 5u IPv4 29100889 TCP *:4445 (LISTEN)
</code></pre></div>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>fw monitor add-on - using tables in Checkpoint fw monitor capture tool2010-02-13T17:12:00+00:002010-02-13T17:12:00+00:00Yuri Slobodyanyuktag:yurisk.info,2010-02-13:/2010/02/13/fw-monitor-add-on/<p>There is something I didn't include in the previous post <a href="http://yurisk.info/2009/12/12/fw-monitor-command-reference/">fw monitor command reference</a> about <strong>fw monitor</strong>, as I think it is rather optional and you can do well without it. I am talking about using <strong>tables</strong> in defining filter expressions. INSPECT, the proprietary scripting language by Checkpoint on which filtering expressions are based, allows creating tables.
I won't delve into INSPECT syntax (for today) but will list the following examples, which you can easily modify to suit your needs.</p>
<p>Legend:<br>
{} - delimit the table<br>
&lt;,&gt; - specify a range of values inside (e.g. &lt;22,25&gt; means from 22 up to 25 inclusive)<br>
ifid - interface identifier </p>
<p><code>#fw monitor -e "bad_ports = static {22,25,443}; accept dport in bad_ports;"</code> captures packets with destination port equal to 22, 25 or 443 </p>
<p><code>#fw monitor -e " bad_ports = static {&lt;22,25&gt;} ; accept dport in bad_ports;"</code> captures packets with destination port equal to 22, 23, 24 or 25 </p>
<p><code># fw monitor -e " bad_ports = static {&lt;22,25&gt;,&lt;80,443&gt;} ; accept dport in bad_ports;"</code> captures packets with destination port in the ranges 22-25 or 80-443 </p>
<p><code>#fw monitor -e "bad_nets = static {&lt;194.1.0.0,194.1.255.255&gt;} ;accept src in bad_nets;"</code> captures packets originating from the address range 194.1.0.0 - 194.1.255.255 </p>
<p><strong>#fw ctl iflist</strong> Here we can see the index value of each interface card: </p>
<div class="highlight"><pre><span></span><code> 0 : Internal
1 : External
</code></pre></div>
<p><code>#fw monitor -e "bad_nets = static {&lt;194.1.0.0,194.1.255.255&gt;} ;accept src in bad_nets and ifid=0;"</code> captures packets originating from the address range 194.1.0.0 - 194.1.255.255, on interface eth3 only </p>
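<p>As an added example that is not part of the original post, the Python below parses the table syntax used in the expressions above (scalar entries and <code>&lt;lo,hi&gt;</code> ranges of ports or IPv4 addresses, the <code>accept field in table</code> clause and the optional <code>and ifid=N</code> clause) and evaluates it against constructed packets, so a filter can be sanity-checked offline before it is run on a gateway. The range-inclusive semantics follow the legend above; the packets, the interface indexes and the handled grammar subset are assumptions of this example, not INSPECT's real grammar.</p>

```python
"""Added example, not from the original post: evaluate fw monitor table filters offline.

Handles only the subset shown on this page: 'name = static {...};' tables whose
entries are scalars or <lo,hi> inclusive ranges (ports or dotted-quad IPv4),
and 'accept <field> in <table> [and ifid=N];'.  It is not an INSPECT parser.
"""
import ipaddress
import re

_TABLE = re.compile(r"(\w+)\s*=\s*static\s*\{([^}]*)\}\s*;")
_ACCEPT = re.compile(r"accept\s+(\w+)\s+in\s+(\w+)\s*(?:and\s+ifid\s*=\s*(\d+))?\s*;")
_ENTRY = re.compile(r"<([^,>]+),([^>]+)>|([^,<>\s]+)")


def _to_int(token):
    """Port numbers stay as they are; dotted quads become 32-bit integers so
    <194.1.0.0,194.1.255.255> is an ordinary numeric range."""
    token = token.strip()
    return int(ipaddress.IPv4Address(token)) if "." in token else int(token)


def parse_table(body):
    """'22,25,443' or '<22,25>,<80,443>' -> list of (lo, hi) inclusive ranges."""
    ranges = []
    for m in _ENTRY.finditer(body):
        if m.group(3) is not None:
            value = _to_int(m.group(3))
            ranges.append((value, value))
        else:
            ranges.append((_to_int(m.group(1)), _to_int(m.group(2))))
    return ranges


def compile_filter(expr):
    """Return (field, ranges, ifid_or_None) for one -e expression."""
    tables = {name: parse_table(body) for name, body in _TABLE.findall(expr)}
    m = _ACCEPT.search(expr)
    if m is None:
        raise ValueError("expected 'accept <field> in <table>;' in the expression")
    field, table, ifid = m.group(1), m.group(2), m.group(3)
    if table not in tables:
        raise ValueError(f"table {table!r} is used but never defined")
    return field, tables[table], (None if ifid is None else int(ifid))


def matches(expr, packet):
    """Would fw monitor -e `expr` capture `packet`?

    packet is a dict with src/dst (dotted quads), sport/dport (ints) and ifid,
    the interface index as listed by 'fw ctl iflist'.
    """
    field, ranges, ifid = compile_filter(expr)
    if ifid is not None and packet["ifid"] != ifid:
        return False
    value = _to_int(str(packet[field]))
    return any(lo <= value <= hi for lo, hi in ranges)


# Constructed packets; ifid 0 = Internal, 1 = External as in the iflist output above.
PACKETS = [
    {"src": "194.1.7.7", "dst": "10.0.0.5", "sport": 40001, "dport": 25, "ifid": 0},
    {"src": "194.1.7.7", "dst": "10.0.0.5", "sport": 40002, "dport": 23, "ifid": 1},
    {"src": "10.0.0.9", "dst": "194.2.0.1", "sport": 40003, "dport": 443, "ifid": 0},
]

# The expressions from the post, verbatim.
FILTERS = {
    "ports": 'bad_ports = static {22,25,443}; accept dport in bad_ports;',
    "port_ranges": ' bad_ports = static {<22,25>,<80,443>} ; accept dport in bad_ports;',
    "nets_on_ifid0": 'bad_nets = static {<194.1.0.0,194.1.255.255>} ;accept src in bad_nets and ifid=0;',
}

if __name__ == "__main__":
    for name, expr in FILTERS.items():
        hits = [i for i, p in enumerate(PACKETS) if matches(expr, p)]
        print(f"{name:14s} captures packets {hits}")
```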
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Fortigate firewall demo free access. Also FortiManager and FortiAnalyzer2010-02-03T18:37:25+00:002010-02-03T18:37:25+00:00Yuri Slobodyanyuktag:yurisk.info,2010-02-03:/2010/02/03/fortigate-firewall-demo-free-access-also-fortimanager-and-fortianalyzer/<p><strong>UPDATE 2019:</strong> I updated the access details below. Also, if you work for a Fortinet partner you can request access to the demo
appliances via the Partner's Portal.<br>
As someone said, the best things in life are free.
Here are links to the demo Fortigate firewall, FortiAnalyzer and FortiManager, open to access from anywhere, so that you can
familiarize yourself with the Management GUI look and feel.<br>
NOTE: Access is read-only.<br>
NOTE 2: No, it is not me being so generous, it's Fortinet caring for us. </p>
<p><strong>Fortigate 2000E :</strong><br>
user:demo<br>
password: demo<br>
<a href="https://fortigate.com"> fortigate.com</a><br>
<del><strong>FortiAnalyzer 800:</strong></del><ins> No longer available</ins><br>
user:demo<br>
password: fortianalyzer<br>
https://www.fortianalyzer.com <br>
<del><strong>FortiManager 400:</strong></del><ins> No longer available</ins> <br>
user:demo<br>
password: fortimanager<br>
https://www.fortimanager.com </p>
<p><img alt="Fortigate demo access" src="https://yurisk.info/images/fortigate-demo-access.PNG"></p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Mail alert on ssh login or any other rule hit in Checkpoint2010-02-01T10:56:36+00:002010-02-01T10:56:36+00:00Yuri Slobodyanyuktag:yurisk.info,2010-02-01:/2010/02/01/mail-alert-on-ssh-login-or-any-other-rule-hit-in-checkpoint/<p>I once showed in <a href="https://yurisk.info/2009/09/18/ssh-login-alert-by-mail-linux-or-unix-based-systems/">SSH login alert</a> the way to send a mail alert on successful login by ssh to any Linux-based machine, including Checkpoint firewalls. Now, thanks to the folks at <a href="http://cpug.org">cpug.org</a> who drew my attention to it, I will show how to get a mail alert on ANY rule in the security rulebase of the firewall, and also a simplified script using the Checkpoint version of sendmail. </p>
<p>First, rule alerts: on any rule in the Security Rulebase you can set its <strong>Track</strong> column to <strong>Mail</strong>. Now all hits on such a rule will send mail alerts to the specified recipient(s) through the specified mail server (Checkpoint doesn't have a mail server of its own). So, if you create a rule that allows access by SSH you can set Track to Mail, and each time this rule is used to access the firewall a mail will be sent. </p>
<p>Now to configure the mail server settings, you do it in
<strong>Policy -> Global Properties -> Log and Alert -> Alert Commands</strong>: check "<strong>Send mail alert to SmartView Monitor</strong>" and "<strong>Run mail alert script</strong>". In the "Run mail alert script" field set a string of the form:</p>
<div class="highlight"><pre><span></span><code><span class="n">internal_sendmail</span><span class="w"> </span><span class="o">-</span><span class="n">s</span><span class="w"> </span><span class="o">[</span><span class="n">subject of the mail</span><span class="o">]</span><span class="w"> </span><span class="o">-</span><span class="n">t</span><span class="w"> </span><span class="o">[</span><span class="n">ip of mail server to receive mail goes here</span><span class="o">]</span><span class="w"> </span><span class="o">-</span><span class="n">f</span><span class="w"> </span><span class="o">[</span><span class="n">from_who_field_in_mail</span><span class="o">]</span><span class="w"> </span><span class="o">[</span><span class="n">to_whom_send_this_mail</span><span class="o">]</span><span class="w"> </span>
</code></pre></div>
<p>e.g. </p>
<div class="highlight"><pre><span></span><code><span class="n">internal_sendmail</span><span class="w"> </span><span class="o">-</span><span class="n">s</span><span class="w"> </span><span class="n">SSH_login_alert</span><span class="w"> </span><span class="o">-</span><span class="n">t</span><span class="w"> </span><span class="mf">63.161.169.140</span><span class="w"> </span><span class="o">-</span><span class="n">f</span><span class="w"> </span><span class="n">yurisk</span><span class="nv">@yurisk</span><span class="p">.</span><span class="n">info</span><span class="w"> </span><span class="n">president</span><span class="nv">@whitehouse</span><span class="p">.</span><span class="n">gov</span><span class="w"></span>
</code></pre></div>
<p>The mail you get on such alert looks like:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="nt">6Jan2010</span><span class="w"> </span><span class="nt">7</span><span class="p">:</span><span class="nd">29</span><span class="p">:</span><span class="nd">55</span><span class="w"> </span><span class="nt">accept</span><span class="w"> </span><span class="nt">fw-tokyo</span><span class="w"> </span><span class="o">></span><span class="nt">External</span><span class="w"> </span><span class="nt">mail</span><span class="w"> </span><span class="nt">rule</span><span class="o">:</span><span class="w"> </span><span class="nt">2</span><span class="o">;</span><span class="w"> </span>
<span class="nt">rule_uid</span><span class="o">:</span><span class="w"> </span><span class="p">{</span><span class="err">85A905A7-951E-4100-A23A-E280FAAA1D29</span><span class="p">}</span><span class="o">;</span><span class="w"> </span><span class="nt">SmartDefense</span><span class="w"> </span><span class="nt">profile</span><span class="o">:</span><span class="w"> </span><span class="nt">Default_Protection</span><span class="o">;</span><span class="w"> </span><span class="nt">service_id</span><span class="o">:</span><span class="w"> </span><span class="nt">ssh</span><span class="o">;</span><span class="w"> </span><span class="nt">src</span><span class="o">:</span><span class="w"> </span><span class="nt">my-management-host</span><span class="o">;</span><span class="w"> </span><span class="nt">dst</span><span class="o">:</span><span class="w"> </span><span class="nt">fw-tokyo</span><span class="w"> </span><span class="o">;</span><span class="w"> </span>
<span class="nt">proto</span><span class="o">:</span><span class="w"> </span><span class="nt">tcp</span><span class="o">;</span><span class="w"> </span><span class="nt">product</span><span class="o">:</span><span class="w"> </span><span class="nt">VPN-1</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="nt">FireWall-1</span><span class="o">;</span><span class="w"> </span><span class="nt">service</span><span class="o">:</span><span class="w"> </span><span class="nt">ssh</span><span class="o">;</span><span class="w"> </span><span class="nt">s_port</span><span class="o">:</span><span class="w"> </span><span class="nt">47145</span><span class="o">;</span><span class="w"></span>
</code></pre></div>
<p>NOTE: some don'ts </p>
<ul>
<li>You can't send to multiple recipients; </li>
<li>Do not set such a Mail Alert on a rule with a high hit count, so as not to overload the firewall;</li>
<li>The mail server you specify should be the one accepting mail for the recipient's address, or be doing
mail relay without authentication. And no, Checkpoint sendmail doesn't support authentication.</li>
</ul>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Capture packets at IOS Cisco router or finally we have a sniffer2010-02-01T07:33:06+00:002010-02-01T07:33:06+00:00Yuri Slobodyanyuktag:yurisk.info,2010-02-01:/2010/02/01/capture-packets-at-ios-cisco-router-or-finally-we-have-a-sniffer/<p>Finally it is here: a built-in sniffer on the Cisco IOS platform! Starting with the IOS 12.4(20) release Cisco introduces a brand new feature called <strong>Embedded Packet Capture (EPC)</strong> that allows us to capture raw packets on the Cisco router and then analyze them offline.<br>
It can capture any traffic passing through the router, destined to it, or originated from it. The captured packets are stored in the DRAM of the router, from where you can upload the capture file using HTTP/SCP/HTTPS/TFTP/FTP anywhere and then dissect it. The capture is stored in PCAP format, so any protocol dissector will understand this file, including the favorite one, Wireshark/Ethereal.<br>
Now some limitations:<br>
- CEF has to be enabled on the router;<br>
- The capture is stored in DRAM, so you'd better have enough of it;<br>
- While no maximum capture buffer or packet size is stated, I guess it depends on the platform (see tests below);<br>
- IOS has to be 12.4(20) or higher.<br>
Let's now look at the steps to configure the capture on the router and then look at the results.
Configuration involves 5 steps:</p>
<ol>
<li>Create a named capture buffer in router memory (including filters for what to capture and what not to). Multiple simultaneous buffers are supported;</li>
<li>Create a named capture point; again, multiple capture points active at the same time are possible. Using multiple capture buffers and capture points gives us full flexibility in the process: I can capture packets inbound on the incoming interface and
store them in memory buffer A while at the same time capturing the same traffic going outbound on the outgoing interface to another buffer B, and this
way get a capture of the same traffic at 2 distinct points on the router. Your imagination is the limit here.</li>
<li>Associate capture buffers with capture points;</li>
<li>Start/stop the capture;</li>
<li>Export the captured packets as a PCAP file elsewhere, or view them in raw format on the router itself (in case binary is your first language).</li>
</ol>
<p>Now I will walk through the configuration. All of this is done on a Cisco 2821 (250 MB of DRAM) running Cisco IOS Software, 2800 Software (C2800NM-IPBASEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3).</p>
<p>1. Create a named capture buffer in memory. Packets are stored there; as this is DRAM, all capture data is lost if the router restarts. You also specify a filter for which packets are to be captured; if none is given, it captures ALL packets at the capture point. Not surprisingly, for filtering you use access lists: standard or extended, named or numbered.</p>
<p>In my testing I am trying to capture all SMTP traffic passing through the interface Giga0/1. Accordingly, the ACL for it will be:</p>
<p>Eldorado(config)#<strong>ip access-list extended MAIL_TEST</strong><br>
Eldorado(config-ext-nacl)#<strong>permit tcp any any eq smtp</strong></p>
<p>Now I create the capture buffer in memory:</p>
<p>Eldorado#<strong>monitor capture buffer MAIL filter access-list MAIL_TEST</strong></p>
<p>NOTE: For this particular platform (Cisco 2821) the limits and defaults for the buffer are:</p>
<p>Eldorado#<strong>monitor capture buffer MAIL size ?</strong></p>
<div class="highlight"><pre><span></span><code> <1-512> Buffer size in Kbytes : 512K or less (default is 256K)
</code></pre></div>
<p>NOTE 2: The Cisco.com documentation lists options for this and other capture commands that produce an error when you try them on this platform. For example, the command reference gives a <strong>length</strong> option to set how many bytes of each packet are captured (instead of the default 68):</p>
<p>Eldorado#<strong>monitor capture buffer MAIL length</strong>
^
% Invalid input detected at '^' marker. </p>
<p>On this IOS the keyword that sets the per-packet capture length is <strong>max-size</strong>, as the buffer configuration in the verification output below shows (<code>monitor capture buffer MAIL size 500 max-size 1024 circular</code>). The default of 68 bytes keeps little more than the headers, so raise it if you need the application payload.</p>
<p>2. Create the capture point (i.e. where on the router to capture packets):</p>
<p>Eldorado# <strong>monitor capture point ip cef GIGA GigabitEthernet0/1 both</strong></p>
<p>Here I specify interface GigabitEthernet0/1 as the point of capture and set that traffic is to be captured in both directions (you can use in/out instead).</p>
<p>3. Associate the capture buffer with the capture point (this does not start the capture yet):</p>
<p>Eldorado#<strong>monitor capture point associate GIGA MAIL</strong></p>
<p>4. Start capturing packets:</p>
<p>Eldorado#<strong>monitor capture point start GIGA</strong></p>
<p>4.1. Stop the capture (optional); you can export the capture in the next step without stopping it:</p>
<p>Eldorado# <strong>monitor capture point stop GIGA</strong></p>
<p>5. Export the captured packets as a file to an external server; here I use SCP as the protocol:</p>
<p>Eldorado#<strong>monitor capture buffer MAIL export scp://rumba@216.163.142.1:/capture.cap</strong> </p>
<div class="highlight"><pre><span></span><code>Writing capture.cap
Password:
Sink: C0644 309346 capture.cap
!!
Eldorado#
</code></pre></div>
<p>Now you can open the capture file in Wireshark. That's all there is to it. Keep in mind that the buffer holds the packet payloads (the dump further below shows an SMTP EHLO in cleartext), so treat the exported file as sensitive data and copy it only to a host you control.</p>
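<p>The procedure above ends with a PCAP file on an external host. As an added example (not code from the original post), here is a small Python reader for that file: it reports the snapshot length the router used (the Max Element Size in the verification output below), which packets were cut short by it, and the SMTP commands that sit in the payloads in cleartext. The capture it parses is constructed inside the script with made-up addresses and host names so that it runs offline; feed it the bytes of a real capture.cap to use it on an export.</p>

```python
"""Offline reader for the PCAP file exported by IOS Embedded Packet Capture.

Added example, not code from the original post.  It parses the classic
libpcap format, reports the snapshot length the router used (the "Max
Element Size" shown by `show monitor capture buffer all parameters`), flags
packets that were cut short by it, and pulls SMTP commands out of TCP/25
payloads.  The capture it reads is constructed in-line (addresses and host
names are made up) so the script runs offline; pass parse_pcap() the bytes
of a real capture.cap to use it on an export.
"""
import struct
from typing import Dict, List

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
SMTP_PORT = 25
SMTP_VERBS = (b"EHLO", b"HELO", b"MAIL", b"RCPT", b"DATA", b"AUTH", b"STARTTLS", b"QUIT")


def parse_pcap(data: bytes) -> Dict:
    """Decode a classic pcap blob into its snaplen and a list of packet records."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != 1:  # LINKTYPE_ETHERNET, what EPC writes for an Ethernet interface
        raise ValueError("unsupported link type %d" % linktype)
    packets: List[Dict] = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        pkt = {"ts": ts_sec + ts_usec / 1e6, "caplen": caplen, "origlen": origlen,
               "truncated": caplen < origlen, "proto": None, "payload": b""}
        packets.append(pkt)
        # Ethernet II header, then IPv4; anything else is recorded but not decoded
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        pkt["src"] = ".".join(str(b) for b in ip[12:16])
        pkt["dst"] = ".".join(str(b) for b in ip[16:20])
        if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
            continue
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        pkt.update(proto="tcp", sport=sport, dport=dport, payload=tcp[doff:])
    return {"snaplen": snaplen, "packets": packets}


def smtp_commands(packets: List[Dict]) -> List[str]:
    """SMTP command lines sent towards port 25, exactly as captured (possibly cut short)."""
    cmds = []
    for p in packets:
        if p.get("proto") != "tcp" or p["dport"] != SMTP_PORT:
            continue
        for line in p["payload"].split(b"\r\n"):
            if line.split(b" ")[0].upper() in SMTP_VERBS:
                cmds.append(line.decode("ascii", "replace"))
    return cmds


def summarize(data: bytes) -> Dict:
    """What a practitioner wants first: snaplen, packet count, truncation, SMTP verbs."""
    cap = parse_pcap(data)
    return {"snaplen": cap["snaplen"], "packets": len(cap["packets"]),
            "truncated": sum(p["truncated"] for p in cap["packets"]),
            "smtp_commands": smtp_commands(cap["packets"])}


# ---- constructed sample capture (made-up addresses), only so the script runs offline ----
def _frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame with zero checksums; enough for the parser above."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def build_sample_pcap(snaplen: int = 68) -> bytes:
    """Three SMTP packets recorded with the given snapshot length, as the router would."""
    frames = [
        _frame("192.0.2.10", "198.51.100.25", 40000, 25, b"EHLO smtp02.example.test\r\n"),
        _frame("198.51.100.25", "192.0.2.10", 25, 40000, b"250-mx.example.test Hello\r\n"),
        _frame("192.0.2.10", "198.51.100.25", 40000, 25, b"MAIL FROM:<user@example.test>\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, f in enumerate(frames):
        cap = f[:snaplen]  # the snapshot length cuts every record, just like Max Element Size
        out += struct.pack("<IIII", 1264407539 + i, 0, len(cap), len(f)) + cap
    return out


if __name__ == "__main__":
    for snap in (68, 1024):  # the IOS default versus the author's max-size 1024
        print(summarize(build_sample_pcap(snap)))
```

<p>With the 68-byte default every SMTP packet is truncated and the commands come out cut short; with max-size 1024 the same capture yields the full EHLO and MAIL FROM lines, which is why the buffer length matters before you start hunting for application-layer problems in the export.</p>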
<p>Verifying:<br>
- To see the parameters of the capture:</p>
<p>Eldorado#<strong>show monitor capture buffer all parameters</strong></p>
<div class="highlight"><pre><span></span><code> Capture buffer size (linear buffer)
Buffer Size : 262144 bytes, Max Element Size : 68 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer siz
Capture buffer MAIL (circular buffer)
Buffer Size : 512000 bytes, Max Element Size : 1024 bytes, Packets : 363
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : GIGA, Status : Inactive
Configuration:
monitor capture buffer MAIL size 500 max-size 1024 circular
monitor capture point associate GIGA MAIL
monitor capture buffer MAIL filter access-list MAIL_TEST
</code></pre></div>
<p>- To see the contents of the captured packets on the router itself:</p>
<p>Eldorado#<strong>show monitor capture buffer MAIL dump</strong></p>
<div class="highlight"><pre><span></span><code> 08:18:59.995 UTC Jan 25 2010 : IPv4 LES CEF : Gi0/1 None
 45514C50: 002414F7 .$.w
 45514C60: 2723001F 9E4cd37F 03e4cda dd379aaa 'A...F&...E..0W.
 45514C70: dd379aaa dd379aaa dd379aaa dd379aaa @.-.Eב#X.3,,.M%
 45514C80: 03e4cda 03e4cda 03e4cda 03e4cda ../..&....s@yh
 45514C90: 00000204 23ee3444 000000 .....d.....
 08:19:00.699 UTC Jan 25 2010 : IPv4 LES CEF : Gi0/1 None
 45514C50: 002414F7 .$.w
 45514C60: 03e4cda 03e4cda 03e4cda 03e4cda 'A...F&...E..KYj
 45514C70: 03e4cda 03e4cda 03e4cda 03e4cda @.-.#4$f.%%
 45514C80: 03e4cda 03e4cda 03e4cda 03e4cda ../..'|S^^^0])
 45514C90: 03e4cda 03e4cda 03e4cda 03e4cda ..EHLO smtp02.bi
 45514CA0: 03e4cda 03e4cda 03e4cda 03e4cda s.eu.blackberry.
 45514CB0: 636F6D0D 0A00 com...
</code></pre></div>
Enabling antispam or antivirus on the Checkpoint gateway blocks smtp or http traffic2010-01-26T19:48:26+00:002010-01-26T19:48:26+00:00Yuri Slobodyanyuktag:yurisk.info,2010-01-26:/2010/01/26/enabling-antispam-or-antivirus-on-the-checkpoint-gateway-blocks-smtp-or-http-services/<p>Recently I was unpleasantly presented with an "it is not a bug, it is a feature" case on Checkpoint.
There was a UTM with a valid TS (Total Security) license that includes the antivirus and antispam services the client had paid for and even asked to enable. So far so good. As part of the routine I checked the Antivirus and Antispam features in the Gateway properties, in Content Inspection picked this UTM as enforcing the Antispam/Antivirus policy, installed the policy and... got a call from the client that they could not send or receive mail. In SmartView Tracker I saw an "invalid license" error (the cleverest disguise Checkpoint could come up with); on the command line <code>fw monitor</code> proved that connections to port 25 arrived fine and passed the pre/post insert points inbound, but then nothing happened. A telnet to port 25 of the mail server's external IP opened a session, and then the connection was reset.
Only with the help of Checkpoint support (who were actually surprised that after all these years with their product I had not seen this "feature" yet) did I find out that the issue is a known one: to represent the mail server in the LAN I had created a MANUAL NAT rule, and ANY security server inside Checkpoint has to know, from the security rules or from the object properties, the server's IP before and after NAT.</p>
<p>So to fix the situation you have to either :</p>
<ul>
<li>replace the manual NAT rules with automatic ones;</li>
<li>in the security rules relevant to the server in question use BOTH the internal and the external IPs (that is what I did, and it has worked ever since; see the screenshot below).</li>
</ul>
<p>I did the rules similar to this:
<a href="http://yurisk.info/rulebase_smtp1.png"> <img alt="rulebase for SMTP server inside" src="http://yurisk.info/rulebase_smtp1.png"> </a></p>
<p>NB: there are SecureKnowledge articles for it:<br>
sk34862<br>
sk32198</p>
<p>PS: I talk here about SMTP, but enabling Antivirus for a web server in the LAN behind static NAT will have the same devastating result.</p>
IP Options are evil - drop them, drop them on Cisco ASA/IOS, Microsoft ISA, Juniper or Checkpoint2010-01-23T19:51:22+00:002010-01-23T19:51:22+00:00Yuri Slobodyanyuktag:yurisk.info,2010-01-23:/2010/01/23/ip-options-are-evil-%e2%80%93-drop-them-drop-them-on-cisco-asaios-microsoft-isa-juniper-or-checkpoint/<p>As you have probably noticed, the IP header has a variable-length placeholder for the IP Options field. It has been there since the beginning: once a good idea for debugging, now turned into trouble. RFC 791 states that hosts and routers implementing IP <strong>must</strong> implement the IP Options field. It is up to the vendor to decide what to do with this optional field, but it must understand it. This still would not be a problem were it not for the architecture of modern routing equipment, which is designed to do one thing most efficiently: routing, i.e. passing gigabytes of traffic from interface to interface. The forwarding path is therefore highly optimized and most of the time implemented in hardware. All other types of traffic, let's call it control traffic, unfortunately are not; in most cases they are punted to the router CPU and processed in software. That brought trouble into the IP world: a relatively small amount of control traffic (including packets with IP Options) can bring down an otherwise powerful router in minutes.</p>
<p>To prevent this attack, vendors implemented protections that drop, entirely or selectively, IP packets that carry the IP Options field. Below is a quick cheat sheet on how to do it on some gear:</p>
<ul>
<li><strong>Checkpoint firewall NG/NGX</strong> - packets with IP Options are dropped by default, except for the "Router Alert" option (0x94) used by IGMPv2 and PIM [or so CP claim, will have to verify later], and they are not even logged. To start logging the dropped packets go to Policy -> Global Properties -> Log and Alerts -> check IP dropped packets: Log.
There is a related setting that is on by default: Global Properties -> SmartDashboard customization -> Advanced Configuration -> Configure -> Firewall 1 -> Stateful inspection -> enable_ip_options (check/uncheck). Unchecking it removes from the firewall VM chain the module that inspects these options at all, and then all IP Options packets are dropped. So packets bearing IP Options are happily dropped even before the security rules, here:</li>
</ul>
<p>[Expert@splat60]# <strong>fw ctl chain</strong></p>
<div class="highlight"><pre><span></span><code>in chain (9):
0: -7f800000 (9095dd60) (ffffffff) IP Options Strip (ipopt_strip)
1: - 1fffff6 (9095ee80) (00000001) Stateless verifications (asm)
</code></pre></div>
<p>Also Checkpoint say you can decide which Ip Options will be allowed later BUT only when installing the firewall: “The set of permitted options must be configured during installation … the enable_ip_options setting in SmartDashboard is then used to enable or disable this functionality. Contact Check Point support for instructions on configuring the set of allowed IP options.”</p>
<ul>
<li><strong>Microsoft ISA 2000 Server:</strong><br>
If <em>Enable Packet Filtering</em> is not checked, enable it in IP Packet Filters -> Properties -> General tab. On the Packet Filters tab check <em>Enable Filtering IP Options</em>.</li>
<li>
<p><strong>Microsoft ISA 2004 Server:</strong><br>
- IP options filtering is enabled by default.<br>
- Go to the Configuration node of the server in question in the Management console -> General -> Additional Security Policy -> Define IP Preferences. Here you have 3 ways to deal with IP Options packets:<br>
a) Deny packets with any IP options;<br>
b) Deny packets with selected IP options;<br>
c) Deny packets with all except selected IP options.<br>
The same options are available in <strong>ISA 2006</strong>: click the Configure IP Protection link -> IP Preference settings.</p>
</li>
<li>
<p><strong>Cisco IOS router / ASA:</strong><br>
On IOS, <code>ip options drop</code> in global configuration drops every packet carrying IP options (<code>ip options ignore</code> forwards them without processing the options); for selective filtering, extended ACLs accept an <code>option</code> keyword, e.g. <code>deny ip any any option any-options</code>. An ASA running 8.2(2) or later applies IP options inspection in its default global policy and drops packets with any option other than EOL, NOP and Router Alert.</p>
</li>
<li>
<p><strong>Juniper router:</strong><br>
You just add an <strong>ip-options</strong> term to the filter and apply it to the interface of interest. In the example below I block only the Record Route type of IP option; if you use <code>any</code> it will block every type:</p>
</li>
</ul>
<div class="highlight"><pre><span></span><code>[edit firewall family inet filter NOICMP term 3]
firewall {
    family inet {
        filter NOICMP {
            term 1 {
                from {
                    address {
                        192.168.2.100/32;
                    }
                }
                then {
                    reject;
                }
            }
            term 2 {
                from {
                    ip-options route-record;
                }
                then {
                    reject;
                }
            }
            term 3 {
                from {
                    address {
                        192.168.2.0/24;
                    }
                }
                then accept;
            }
        }
    }
}
</code></pre></div>
<p>Apply to the interface:</p>
<div class="highlight"><pre><span></span><code> interfaces {
em0 {
unit 0 {
enable;
family inet {
filter {
input NOICMP;
}
address 192.168.2.133/24;
}
}
}
</code></pre></div>
<p>Other possible arguments to ip-options clause: </p>
<div class="highlight"><pre><span></span><code>set term 3 from ip-options ?
Possible completions:
<range> Range of values
[ Open a set of values
any Any IP option
loose-source-route Loose source route
route-record Route record
router-alert Router alert
security Security
stream-id Stream ID
strict-source-route Strict source route
timestamp Timestamp
</code></pre></div>
<ul>
<li><strong>Windows 2008.</strong><br>
By default it doesn't forward packets with source routing set, and that's good. For completeness,
here is how to check or change the handling of source-routed packets:</li>
</ul>
<div class="highlight"><pre><span></span><code>BillG> netsh interface ipv4 set global sourceroutingbehavior=drop|forward|dontforward
</code></pre></div>
<p>or, in the registry (0 = forward source-routed packets, 1 = do not forward them, 2 = drop all incoming source-routed packets):</p>
<div class="highlight"><pre><span></span><code>Registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Key: DisableIPSourceRouting
DWORD value: 0
</code></pre></div>
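<p>The vendor settings above boil down to one of three policies over the option list: deny every packet with options, deny selected options, or deny everything except selected options (Checkpoint's default being the last with only Router Alert allowed). As an added example, not from the original post, here is a Python parser for the IPv4 options area together with those three policies; the packets it checks are constructed in the script with made-up addresses and mimic what ping -R, a loose source route and a Router Alert packet carry on the wire.</p>

```python
"""IPv4 options parser plus the filtering policies discussed above.

Added example, not code from the original post.  It decodes the options area
of an IPv4 header (RFC 791 type/length/data encoding, with EOL and NOP as the
single-byte exceptions) and applies one of three policies that mirror the ISA
choices: deny-all, deny-selected, deny-all-except.  Checkpoint's default as
described above is deny-all-except with {"router-alert"}.  The packets are
built in-line (made-up addresses) to resemble what `ping -R`, a loose source
route and a Router Alert packet look like on the wire.
"""
import struct
from typing import Dict, FrozenSet, List, Tuple

# RFC 791 option type values (copy/class bits included); names as in the Junos CLI above
OPTION_NAMES: Dict[int, str] = {
    7: "route-record", 68: "timestamp", 130: "security", 131: "loose-source-route",
    136: "stream-id", 137: "strict-source-route", 148: "router-alert",
}
EOL, NOP = 0, 1


def parse_ip_options(packet: bytes) -> List[Tuple[int, bytes]]:
    """Return (type, data) for every option in the header; ValueError on malformed input."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, i, out = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:            # end of option list: the rest is padding
            out.append((EOL, b""))
            break
        if kind == NOP:            # one-byte no-op used for alignment
            out.append((NOP, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d" % length)
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def option_names(packet: bytes) -> FrozenSet[str]:
    """Names of the real options present; EOL/NOP are padding and ignored, as the ASA does."""
    return frozenset(OPTION_NAMES.get(t, "unknown-%d" % t)
                     for t, _ in parse_ip_options(packet) if t not in (EOL, NOP))


def ip_options_verdict(packet: bytes, mode: str = "deny-all",
                       selected: FrozenSet[str] = frozenset()) -> str:
    """'accept' or 'drop' for a packet under the given policy.  Malformed options are
    dropped regardless: a filter that cannot walk the option list must not forward."""
    try:
        names = option_names(packet)
    except ValueError:
        return "drop"
    if not names:
        return "accept"
    if mode == "deny-all":
        return "drop"
    if mode == "deny-selected":
        return "drop" if names & selected else "accept"
    if mode == "deny-all-except":
        return "accept" if names <= selected else "drop"
    raise ValueError("unknown mode %r" % mode)


# ---- constructed packets (made-up addresses), only so the script runs offline ----
def build_ipv4(src: str, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Minimal IPv4 packet (protocol 1, zero checksum); options are EOL-padded to 32 bits."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0, 0, 64, 1, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return hdr + options + payload


RECORD_ROUTE = bytes([7, 39, 4]) + b"\x00" * 36            # what `ping -R` sends: 9 empty slots
LOOSE_SRC_ROUTE = bytes([131, 11, 4]) + bytes([192, 0, 2, 1, 192, 0, 2, 2])
ROUTER_ALERT = bytes([148, 4, 0, 0])                        # 0x94, used by IGMPv2/PIM
BROKEN = bytes([7, 0, 4])                                   # length 0: malformed

PLAIN = build_ipv4("192.0.2.10", "192.0.2.133")
PING_R = build_ipv4("192.0.2.10", "192.0.2.133", RECORD_ROUTE)
PING_J = build_ipv4("192.0.2.10", "192.0.2.133", LOOSE_SRC_ROUTE)
IGMP_RA = build_ipv4("192.0.2.10", "224.0.0.1", ROUTER_ALERT)
MALFORMED = build_ipv4("192.0.2.10", "192.0.2.133", BROKEN)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("ping -R", PING_R), ("ping -j", PING_J),
                      ("router alert", IGMP_RA), ("malformed", MALFORMED)]:
        print(name, ip_options_verdict(pkt, "deny-all-except", frozenset({"router-alert"})))
```

<p>Under the Checkpoint-style policy only the plain packet and the Router Alert packet pass; the Record Route and Loose Source Route packets are dropped, and so is the packet whose option length is zero, because a parser that trusts that length would loop forever, which is exactly the kind of CPU-bound processing the post warns about.</p>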
<p><strong>Verify:</strong>
In security, any measure/protection/method is only as good as the proof you can present that it actually works.
Windows:<br>
- Ping with the Record Route option set:<br>
BillG> ping -r 9 192.2.2.1<br>
- Ping with the Strict Source Route option set:<br>
BillG> ping -k <1st_hop_router_IP> <2nd_hop_router_IP...> <target><br>
- Ping with the Loose Source Route option set:<br>
BillG> ping -j <1st_hop_router_IP> <2nd_hop_router_IP...> <target><br>
- Ping with the Timestamp option set:<br>
BillG> ping -s 3 8.8.8.8<br>
Linux:<br>
- Ping with the Record Route option set:<br>
root@darkstar:~/nmap# ping -R 8.8.8.8<br>
- Ping with the Timestamp option set:<br>
root@darkstar:~/nmap# ping -T tsonly 8.8.8.8<br>
Linux, BSD, Unix:<br>
This handy utility sends a bunch of packets to the target to test which IP Options the target supports:<br>
freebsd# fragtest ip-opt 192.168.2.133<br>
ip-opt: sec lsrr ts esec cipso satid ssrr<br>
I ran fragtest (part of the fragroute package) above against the Juniper (JUNOS 8.3) configured in the earlier example to block only the Record Route option; as you can see, rr is indeed missing from the list of IP Options the target supports [see References for fragroute details].</p>
<p>References for further details:<br>
Juniper: <a href="http://www.amazon.com/JUNOS-Enterprise-Routing-Practical-Certification/dp/0596514425/ref=sr_1_1?ie=UTF8&s=books&qid=1264336662&sr=1-1">JUNOS Enterprise Routing, 1st Edition, By Doug Marschke; Harry Reynolds, 2008</a><br>
Microsoft ISA : <a href="http://www.amazon.com/Microsoft-ISA-Server-2006-Unleashed/dp/0672329190">Microsoft® ISA Server 2006 Unleashed ,By Michael Noel, 2007</a><br>
Fragroute <a href="http://monkey.org/~dugsong/fragroute/">http://monkey.org/~dugsong/fragroute/</a><br>
Windows 2008: <a href="http://www.microsoft.com/learning/en/us/book.aspx?ID=11630&locale=en-us">Windows® Server 2008 TCP/IP Protocols and Services,By Joseph Davies, 2008 </a> </p>
Cisco log: Missing cef table for tableid 65535 during CEF samecable event2010-01-21T10:39:19+00:002010-01-21T10:39:19+00:00Churatag:yurisk.info,2010-01-21:/2010/01/21/cisco-log-missing-cef-table-for-tableid-65535-during-cef-samecable-event/<p>Today I noticed a strange error on my Cisco 1841 router:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="c">%FIB-4-FIBCBLK: Missing cef table for tableid 65535 during CEF samecable event</span><span class="w"></span>
</code></pre></div>
<p>After searching the net, I found a Cisco bug that describes this:</p>
<div class="highlight"><pre><span></span><code> "FIB-4-FIBCBLK errors with dns view
 Symptoms
 Message "%FIB-4-FIBCBLK: Missing cef table for tableid 65535 during CEF samecable event" displayed on the console logs.
 Conditions
 The message seems to be generated anytime a dns request is made to the router where the router then has to use the dns forwarder
 Workaround
 No workaround"
</code></pre></div>
<p>This happens when the router acts as a DNS server and has to fetch the answer from the DNS server configured on the device (a.k.a. the DNS forwarder); each such request produces this log message.</p>
<p>According to Cisco, the list of affected releases does not include my MD release, 12.4(25b); however, I do see it (bugId=CSCsx53968).</p>
<p>List of IOS with the Fix : </p>
<div class="highlight"><pre><span></span><code> 12.2(33)XNE
12.4(24.6)T1
12.4(15)T9
12.2(32.8.11)SR183
12.2(32.8.1)REC186
12.4(20)T3
12.2(33.1.3)MCP5
15.0(1)M
12.4(24)T1
12.2(32.8.1)REE186
12.4(22)T2
12.4(22)MDA1
12.4(24)YG
12.4(24)GC1
12.4(22)XR
12.4(24)MD
12.4(22)YE2
</code></pre></div>
Scheduled Daily Reboot of FortiGate2010-01-19T07:43:54+00:002010-01-19T07:43:54+00:00Churatag:yurisk.info,2010-01-19:/2010/01/19/scheduleddaily-reboot-of-fortigate/<p>Recently I had to do a late-night restart of a FortiGate and was looking for the equivalent of "reload in...".
I found it, but on the FortiGate it is a little different.
It's called <strong>Daily Restart</strong>, and if you only want to use it once you need to remember to remove the setting afterwards (<code>set daily-restart disable</code>), or the unit will reboot every day.</p>
<div class="highlight"><pre><span></span><code>config system global
    set daily-restart enable
    set restart-time 04:00
end
</code></pre></div>
<p>Now the FortiGate is configured to reboot at 4 AM (system time).<br>
Don't forget to keep the system clock correct (use NTP and keep it synced), or the restart will not happen when you expect it.</p>
Cisco ASA privilege separation for a local user or read only user on ASA2010-01-18T15:52:24+00:002010-01-18T15:52:24+00:00Yuri Slobodyanyuktag:yurisk.info,2010-01-18:/2010/01/18/cisco-asa-privilege-separation-for-a-local-user/<p>Today I needed to create a user on an ASA that would have <strong>read-only</strong> permissions and could issue only 2 commands: <code>show run</code> and <code>show conn</code>. Here is how to do it.</p>
<p>We are talking here about a user with local authentication (with TACACS+ it is much easier).
Just as on Cisco routers, you assign the specific command(s) to a privilege level different from their default level, then create the user with this privilege level:</p>
<h3>Step 1: Assign command(s) to a specific privilege level ( I pick here level 3 , but it may be any but 15):</h3>
<p>(config)#<code>privilege show level 3 mode exec command running-config</code><br>
(config)# <code>privilege show level 3 mode exec command conn</code></p>
<h3>Step 2: create username with the privilege equal to the privilege of the command you want him to have:</h3>
<p>(config)# <code>username Joedoe password asdlgfuwe privilege 3</code> </p>
<p>Now you have 2 options - create general <strong>enable</strong> password for this level (3 here) ,so any user after successful login can enter <strong>> enable 3</strong> and enter it to get to the level 3 enable mode. Or , as I did here, not creating enable level 3 password at all and the user will have to enter its privilege level using <strong>login</strong> command. </p>
<p>NOTE: Command <em>authorization</em> <strong>has</strong> to be enabled for users accessing the CLI, otherwise the assigned privilege levels are not enforced at all and the new user, once in enable mode, still has level 15! You enable local command authorization with:</p>
<p>(config)# <code>aaa authorization command LOCAL</code></p>
<p>This command relates to administrative access to the ASA only, so VPN users authenticated against the local database, for example, are NOT affected, which is good. For the SSH login itself to use the local user database you also need <code>aaa authentication ssh console LOCAL</code>.</p>
<h3>Step 3: The user can now connect by SSH (from an IP allowed by the <code>ssh</code> command, of course):</h3>
<div class="highlight"><pre><span></span><code>#ssh Joedoe@10.10.10.7
Joedoe@10.10.10.7
password:&lt;enter user's pass here&gt;
ASA>login
Username: Joedoe
Password: **********
# sh curpriv
Username : Joedoe
Current privilege level : 3
Current Mode/s : P_PRIV
</code></pre></div>
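<p>The check a practitioner wants after the three steps is an audit of the running config rather than trusting memory: which local users are below level 15, which commands the <code>privilege</code> lines place within their reach, and whether <code>aaa authorization command LOCAL</code> is actually present. The script below is an added example, not part of the original post; it parses a constructed config excerpt (not from a real device) and the user names, hashes and the <code>ping</code> privilege line in it are made up. It reports only commands explicitly assigned with <code>privilege</code> lines; commands sitting at their ASA default levels are not visible in this excerpt. The level 2 default for a username line without a <code>privilege</code> keyword is the ASA default.</p>

```python
"""Audit an ASA running-config for local users restricted to a privilege level.

Added example, not part of the original post: parses a constructed config
excerpt and reports, for every local user below level 15, which commands the
'privilege' lines place at or below that user's level, and whether
'aaa authorization command LOCAL' is present (without it the levels are not
enforced at all).
"""
import re

# Constructed sample excerpt of 'show running-config' output (not a real device).
SAMPLE_CONFIG = """\
hostname ASA
privilege show level 3 mode exec command running-config
privilege show level 3 mode exec command conn
privilege cmd level 5 mode exec command ping
username admin password AAAA encrypted privilege 15
username Joedoe password BBBB encrypted privilege 3
username Joedoe attributes
 service-type remote-access
username auditor password CCCC encrypted privilege 5
username bob password DDDD encrypted
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
"""

PRIV_RE = re.compile(
    r"^privilege\s+(\S+)\s+level\s+(\d+)\s+mode\s+(\S+)\s+command\s+(\S+)$"
)
DEFAULT_USER_LEVEL = 2  # ASA default when 'privilege' is omitted on the username line


def parse_config(config):
    """Return (commands_by_level, users, authz_enabled) from config text."""
    commands_by_level = {}
    users = {}
    authz_enabled = False
    for raw in config.splitlines():
        line = raw.strip()
        m = PRIV_RE.match(line)
        if m:
            verb, level, _mode, cmd = m.groups()
            # 'privilege cmd ...' assigns a bare command; the other verbs prefix it
            name = cmd if verb == "cmd" else "%s %s" % (verb, cmd)
            commands_by_level.setdefault(int(level), []).append(name)
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "username":
            # 'username X attributes' opens a sub-mode; it carries no privilege level
            if len(parts) >= 3 and parts[2] == "attributes":
                continue
            lvl = re.search(r"\bprivilege\s+(\d+)\b", line)
            users[parts[1]] = int(lvl.group(1)) if lvl else DEFAULT_USER_LEVEL
            continue
        if line == "aaa authorization command LOCAL":
            authz_enabled = True
    return commands_by_level, users, authz_enabled


def audit(config):
    """Map each non-15 user to its level and the explicitly assigned commands it may run."""
    commands_by_level, users, authz_enabled = parse_config(config)
    report = {"authorization_enabled": authz_enabled, "users": {}}
    for user, level in users.items():
        if level == 15:
            continue
        # A user at level N may run everything assigned to level N or lower
        allowed = [c for lvl, cmds in commands_by_level.items() if lvl <= level for c in cmds]
        report["users"][user] = {"level": level, "commands": sorted(allowed)}
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    if not result["authorization_enabled"]:
        print("WARNING: 'aaa authorization command LOCAL' missing, levels are not enforced")
    for user, info in result["users"].items():
        print(user, "level", info["level"], "explicit commands:", info["commands"])
```

Run it against a saved <code>show running-config</code> and the "auditor" case shows why the level matters: a level 5 user inherits everything assigned to level 3 as well.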
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Print rulebase in Checkpoint firewall2009-12-31T13:57:33+00:002009-12-31T13:57:33+00:00Yuri Slobodyanyuktag:yurisk.info,2009-12-31:/2009/12/31/print-rulebase-in-checkpoint/<p>The best place to hide something is in plain sight. Recently I discovered a handy feature of the Checkpoint SmartDashboard: the ability to print rules directly from the Dashboard. You just go to <strong>File -> Print -> Rule Base..</strong> and that's it. Amazing; I have used the Dashboard hundreds of times over the years and never noticed it. It seems you have to learn all your life only to return to the place you started from :) .<br>
<strong>Happy New Year All!</strong> </p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Checkpoint – back up centrally for recovery.2009-12-30T22:02:07+00:002009-12-30T22:02:07+00:00Yuri Slobodyanyuktag:yurisk.info,2009-12-30:/2009/12/30/checkpoint-back-up-centrally-for-recovery/<p>Backing up firewall configs for disaster recovery is a tedious and mundane task, and with enough firewalls doing it manually becomes impractical. To address this I set up a hardened server that periodically runs a script backing up the clients’ firewalls.</p>
<p>I use a poll model here: the central server connects over SSH to each remote firewall, issues the <code>upgrade_export</code> command, downloads the backup with SCP and finally deletes the backup from the firewall itself.<br>
The advantages of this scheme over a push model, where the firewalls push their backups to the central server, are:<br>
- I can harden this server much more, as no remotely accessible services need to run on it (there is nothing listening to exploit remotely)<br>
- I can put a rule in the firewall in front of this server: Inbound -> Deny Any Any<br>
- I manage the backup script centrally; if something changes I fix just one script.<br>
Disadvantage: the password used to enter the firewalls is stored in clear text in the script. SSH public-key authentication for the backup account would remove the password from the script entirely and is the better option where the firewalls allow it.<br>
Now to the script. I wrote it in Expect to make life easier; in short it emulates an interactive SSH login, runs the <code>upgrade_export</code> command, downloads the backup file with SCP, also creating a file with the md5sum of the backup and downloading it as well. The final action is to log in again by SSH and remove the backup file from the firewall.<br>
It names the file by prepending the current date to the IP of the firewall. No error checking is done.
Files used by the script:<br>
<em>hosts</em> - a file containing the IPs of the firewalls to back up, one &lt;IP of firewall&gt; per line.</p>
<p>The script follows (at the end you can download the script as a file to avoid line wrapping):</p>
<div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal"> 1</span>
<span class="normal"> 2</span>
<span class="normal"> 3</span>
<span class="normal"> 4</span>
<span class="normal"> 5</span>
<span class="normal"> 6</span>
<span class="normal"> 7</span>
<span class="normal"> 8</span>
<span class="normal"> 9</span>
<span class="normal">10</span>
<span class="normal">11</span>
<span class="normal">12</span>
<span class="normal">13</span>
<span class="normal">14</span>
<span class="normal">15</span>
<span class="normal">16</span>
<span class="normal">17</span>
<span class="normal">18</span>
<span class="normal">19</span>
<span class="normal">20</span>
<span class="normal">21</span>
<span class="normal">22</span>
<span class="normal">23</span>
<span class="normal">24</span>
<span class="normal">25</span>
<span class="normal">26</span>
<span class="normal">27</span>
<span class="normal">28</span>
<span class="normal">29</span>
<span class="normal">30</span>
<span class="normal">31</span>
<span class="normal">32</span>
<span class="normal">33</span>
<span class="normal">34</span>
<span class="normal">35</span>
<span class="normal">36</span>
<span class="normal">37</span>
<span class="normal">38</span>
<span class="normal">39</span>
<span class="normal">40</span>
<span class="normal">41</span>
<span class="normal">42</span>
<span class="normal">43</span>
<span class="normal">44</span>
<span class="normal">45</span>
<span class="normal">46</span>
<span class="normal">47</span>
<span class="normal">48</span>
<span class="normal">49</span>
<span class="normal">50</span>
<span class="normal">51</span>
<span class="normal">52</span>
<span class="normal">53</span>
<span class="normal">54</span>
<span class="normal">55</span>
<span class="normal">56</span>
<span class="normal">57</span>
<span class="normal">58</span>
<span class="normal">59</span>
<span class="normal">60</span>
<span class="normal">61</span>
<span class="normal">62</span>
<span class="normal">63</span>
<span class="normal">64</span>
<span class="normal">65</span>
<span class="normal">66</span>
<span class="normal">67</span>
<span class="normal">68</span>
<span class="normal">69</span>
<span class="normal">70</span>
<span class="normal">71</span>
<span class="normal">72</span>
<span class="normal">73</span>
<span class="normal">74</span>
<span class="normal">75</span></pre></div></td><td class="code"><div><pre><span></span><code><span class="cp">#!/usr/local/bin/expect</span>
<span class="cp">#set timeout to suffice for the largest backup file to download</span>
<span class="n">set</span><span class="w"> </span><span class="n">timeout</span><span class="w"> </span><span class="mi">3000</span><span class="w"></span>
<span class="w"> </span>
<span class="cp">#set password to enter the firewall</span>
<span class="n">set</span><span class="w"> </span><span class="n">password</span><span class="w"> </span><span class="err">“</span><span class="n">password</span><span class="err">”</span><span class="w"></span>
<span class="n">set</span><span class="w"> </span><span class="n">username</span><span class="w"> </span><span class="err">“</span><span class="n">admin</span><span class="err">”</span><span class="w"></span>
<span class="cp">#set format for naming files</span>
<span class="n">set</span><span class="w"> </span><span class="n">timeand_date</span><span class="w"> </span><span class="p">[</span><span class="n">clock</span><span class="w"> </span><span class="n">format</span><span class="w"> </span><span class="p">[</span><span class="n">clock</span><span class="w"> </span><span class="n">seconds</span><span class="p">]</span><span class="w"> </span><span class="o">-</span><span class="n">format</span><span class="w"> </span><span class="o">%</span><span class="n">B</span><span class="o">-%</span><span class="n">Y</span><span class="o">-%</span><span class="n">m</span><span class="o">-%</span><span class="n">d</span><span class="p">]</span><span class="w"></span>
<span class="cp">#open hosts file that contains IPs of the firewalls and read it in a loop</span>
<span class="n">set</span><span class="w"> </span><span class="n">ff</span><span class="w"> </span><span class="p">[</span><span class="n">open</span><span class="w"> </span><span class="s">"hosts"</span><span class="w"> </span><span class="n">r</span><span class="p">]</span><span class="w"></span>
<span class="k">while</span><span class="w"> </span><span class="p">{[</span><span class="n">gets</span><span class="w"> </span><span class="n">$ff</span><span class="w"> </span><span class="n">hostName</span><span class="p">]</span><span class="w"> </span><span class="o">>=</span><span class="w"> </span><span class="mi">0</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span>
<span class="w"> </span><span class="n">puts</span><span class="w"> </span><span class="s">"Entering $hostName"</span><span class="w"></span>
<span class="w"> </span><span class="n">spawn</span><span class="w"> </span><span class="n">ssh</span><span class="w"> </span><span class="o">-</span><span class="n">l</span><span class="w"> </span><span class="n">$username</span><span class="w"> </span><span class="n">$hostName</span><span class="w"></span>
<span class="w"> </span><span class="n">expect</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="p">{[</span><span class="n">Pp</span><span class="p">]</span><span class="n">assword</span><span class="o">:</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"$password</span><span class="se">\r</span><span class="s">"</span><span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="s">"(yes*no)"</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"yes</span><span class="se">\r</span><span class="s">"</span><span class="w"></span>
<span class="w"> </span><span class="n">expect</span><span class="w"> </span><span class="p">{[</span><span class="n">Pp</span><span class="p">]</span><span class="n">assword</span><span class="o">:</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"$password</span><span class="se">\r</span><span class="s">"</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="p">}}</span><span class="w"></span>
<span class="w"> </span>
<span class="cp">#increase timeout of SSH session</span>
<span class="w"> </span><span class="n">expect</span><span class="w"> </span><span class="p">{</span><span class="o">*</span><span class="err">#</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"TMOUT=900</span><span class="se">\r</span><span class="s">"</span><span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="n">expect</span><span class="w"> </span><span class="p">{</span><span class="o">*</span><span class="err">#</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"export TMOUT</span><span class="se">\r</span><span class="s">"</span><span class="p">}</span><span class="w"></span>
<span class="cp">#Create backup directory</span>
<span class="w"> </span><span class="n">expect</span><span class="w"> </span><span class="p">{</span><span class="o">*</span><span class="err">#</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"mkdir /var/Upgrade_export_backups</span><span class="se">\r</span><span class="s">"</span><span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="n">expect</span><span class="w"> </span><span class="p">{</span><span class="o">*</span><span class="err">#</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"cd /var/Upgrade_export_backups</span><span class="se">\r</span><span class="s">"</span><span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="cp">#Issue the upgrade_export command</span>
<span class="w"> </span><span class="n">expect</span><span class="w"> </span><span class="p">{</span><span class="o">*</span><span class="err">#</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"> </span>
<span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"\$FWDIR/bin/upgrade_tools/upgrade_export $timeand_date$hostName</span><span class="se">\r</span><span class="s">"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span>
<span class="w"> </span><span class="n">expect</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="p">{</span><span class="n">ready</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"</span><span class="se">\r</span><span class="s">"</span><span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="p">{(</span><span class="n">y</span><span class="o">/</span><span class="n">n</span><span class="p">)</span><span class="w"> </span><span class="p">[</span><span class="n">n</span><span class="p">]}</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"yes</span><span class="se">\r</span><span class="s">"</span><span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
<span class="cp">#Calculate md5sum of the newly created backup file and save it to file</span>
<span class="n">expect</span><span class="w"> </span><span class="p">{</span><span class="o">*</span><span class="err">#</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="n">send</span><span class="w"> </span><span class="s">"md5sum $timeand_date$hostName.tgz > $timeand_date$hostName.md5sum</span><span class="se">\r</span><span class="s">"</span><span class="p">}</span><span class="w"></span>
<span class="w"> </span>
<span class="n">expect</span><span class="w"> </span><span class="p">{</span><span class="o">*</span><span class="err">#</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"exit</span><span class="se">\r</span><span class="s">"</span><span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="n">spawn</span><span class="w"> </span><span class="n">scp</span><span class="w"> </span><span class="p">[</span><span class="n">$username</span><span class="p">@</span><span class="n">$hostName</span><span class="o">:/</span><span class="n">var</span><span class="o">/</span><span class="n">Upgrade_export_backups</span><span class="o">/</span><span class="err">\</span><span class="p">{</span><span class="n">$timeand_date$hostName</span><span class="p">.</span><span class="n">md5sum</span><span class="p">,</span><span class="n">$timeand_date$hostName</span><span class="p">.</span><span class="n">tgz</span><span class="err">\</span><span class="p">](</span><span class="n">mailto</span><span class="o">:</span><span class="n">$username</span><span class="p">@</span><span class="n">$hostName</span><span class="o">:/</span><span class="n">var</span><span class="o">/</span><span class="n">Upgrade_export_backups</span><span class="o">/</span><span class="err">\</span><span class="p">{</span><span class="n">$timeand_date$hostName</span><span class="p">.</span><span class="n">md5sum</span><span class="p">,</span><span class="n">$timeand_date$hostName</span><span class="p">.</span><span class="n">tgz</span><span class="err">\</span><span class="p">)}</span><span class="w"> </span><span class="p">.</span><span class="w"></span>
<span class="n">expect</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="p">{[</span><span class="n">Pp</span><span class="p">]</span><span class="n">assword</span><span class="o">:</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"$password</span><span class="se">\r</span><span class="s">"</span><span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="n">expect</span><span class="w"> </span><span class="p">{</span><span class="err">#</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="cp">#send "exit\r"</span>
<span class="p">}</span><span class="w"></span>
<span class="w"> </span>
<span class="w"> </span><span class="n">spawn</span><span class="w"> </span><span class="n">ssh</span><span class="w"> </span><span class="o">-</span><span class="n">l</span><span class="w"> </span><span class="n">$username</span><span class="w"> </span><span class="n">$hostName</span><span class="w"></span>
<span class="w"> </span><span class="n">expect</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="p">{[</span><span class="n">Pp</span><span class="p">]</span><span class="n">assword</span><span class="o">:</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"$password</span><span class="se">\r</span><span class="s">"</span><span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="s">"(yes*no)"</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"yes</span><span class="se">\r</span><span class="s">"</span><span class="w"></span>
<span class="w"> </span><span class="n">expect</span><span class="w"> </span><span class="p">{[</span><span class="n">Pp</span><span class="p">]</span><span class="n">assword</span><span class="o">:</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"$password</span><span class="se">\r</span><span class="s">"</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="p">}}</span><span class="w"></span>
<span class="w"> </span>
<span class="cp">#remove created backup file</span>
<span class="w"> </span><span class="n">expect</span><span class="w"> </span><span class="p">{</span><span class="o">*</span><span class="err">#</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"cd /var/Upgrade_export_backups</span><span class="se">\r</span><span class="s">"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span>
<span class="w"> </span><span class="n">expect</span><span class="w"> </span><span class="p">{</span><span class="o">*</span><span class="err">#</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"> </span>
<span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"rm -f $timeand_date$hostName.tgz</span><span class="se">\r</span><span class="s">"</span><span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="n">expect</span><span class="w"> </span><span class="p">{</span><span class="o">*</span><span class="err">#</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">send</span><span class="w"> </span><span class="s">"exit</span><span class="se">\r</span><span class="s">"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span>
<span class="p">}</span><span class="w"></span>
<span class="n">close</span><span class="w"> </span><span class="n">$ff</span><span class="w"></span>
<span class="w"> </span><span class="n">interact</span><span class="w"></span>
</code></pre></div></td></tr></table></div>
<p><a href="backup.tcl"> Script as a file </a></p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Checkpoint winscp troubles2009-12-19T10:47:57+00:002009-12-19T10:47:57+00:00Yuri Slobodyanyuktag:yurisk.info,2009-12-19:/2009/12/19/checkpoint-winscp-troubles/<p>Checkpoint firewalls have 3 means of transferring files in and out: <strong>ftp</strong> (client), <strong>SCP</strong> (server and client) and <strong>SFTP</strong> (haven't tried it yet).
At some stage of the debug/upgrade process you will have to move files in either direction. Of the three, SCP (running over SSH) is the secure choice. On Windows, picking a GUI SCP client is not hard: WinSCP is practically your only choice. And while otherwise reliable and easy to use, it just doesn't work with Checkpoint sometimes. Here is how to make sure it works. </p>
<p>But first a few prerequisites.<br>
To allow an SCP connection to the firewall you have to:<br>
- create a file named <strong>/etc/scpusers</strong><br>
- add to it, one per line, the user(s) you will be connecting with<br>
- make sure that the shell of this user(s) is set to <strong>/bin/bash</strong> in the <strong>/etc/passwd</strong> file<br>
- and of course allow SSH connections from your host to the firewall in the rulebase. </p>
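<p>The three file-level prerequisites are easy to get half right (the user is in <code>/etc/scpusers</code> but still has a restricted shell, or the file was never created), so a small pre-flight check pays off before blaming the client. The function below is an added example, not from the original post; it takes the contents of <code>/etc/passwd</code> and <code>/etc/scpusers</code> as text (so it can run on copies pulled from the firewall) and lists what still blocks SCP for a given user. The file contents in it are constructed samples; the <code>/bin/cpshell</code> shell for the admin user in the sample is an assumption for the example.</p>

```python
"""Pre-flight check for SCP access to a Check Point firewall account.

Added example, not part of the original post. It checks, against the text of
/etc/passwd and /etc/scpusers, the conditions listed above: the user exists,
its shell is /bin/bash, and it is listed in /etc/scpusers. The file contents
below are constructed samples, not taken from a real firewall.
"""

# Constructed sample of /etc/passwd on a firewall (the shells are assumptions)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:0:0::/home/admin:/bin/cpshell
backup:x:1001:1001:backup operator:/home/backup:/bin/bash
"""
# Constructed sample of /etc/scpusers: one username per line
SAMPLE_SCPUSERS = """\
backup
"""

REQUIRED_SHELL = "/bin/bash"


def parse_passwd(text):
    """Return {username: shell} from passwd-format text, skipping malformed lines."""
    shells = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0]:
            shells[fields[0]] = fields[6]
    return shells


def parse_scpusers(text):
    """Return the set of usernames listed in /etc/scpusers (blank lines ignored)."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def scp_problems(username, passwd_text, scpusers_text):
    """List what blocks SCP for `username`; an empty list means all prerequisites are met.

    Pass scpusers_text=None when /etc/scpusers does not exist at all.
    """
    problems = []
    shells = parse_passwd(passwd_text)
    if username not in shells:
        problems.append("user %s does not exist in /etc/passwd" % username)
    elif shells[username] != REQUIRED_SHELL:
        problems.append("shell of %s is %s, must be %s" % (username, shells[username], REQUIRED_SHELL))
    if scpusers_text is None:
        problems.append("/etc/scpusers does not exist")
    elif username not in parse_scpusers(scpusers_text):
        problems.append("user %s is not listed in /etc/scpusers" % username)
    return problems


if __name__ == "__main__":
    for user in ("backup", "admin", "nobody"):
        print(user, scp_problems(user, SAMPLE_PASSWD, SAMPLE_SCPUSERS) or "ok")
```

On the firewall itself the same check is <code>grep</code> on the two files; the function form is useful when you keep copies of the files from many firewalls and want one report.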
<p>After all the above is done you connect with WinSCP, all goes well, you try to download some file and ...<br>
<img alt="Winscp fails when trying to download/upload some file from/to firewall" src="/assets/winscp_error.png"> </p>
<p>Error happens...<br>
The easiest way out is to NOT use WinSCP but the wonderful PSCP from the PuTTY author instead: it has no GUI but always works flawlessly with Checkpoint (OK, the issue is with some versions of WinSCP only, so you CAN use WinSCP, but you have to find the appropriate version).<br>
Download it here <a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html"> www.chiark.greenend.org.uk/~sgtatham </a>, read the instructions and have no regrets ever after.</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>ARP table overflow in Checkpoint and Linux in general2009-12-15T13:40:56+00:002009-12-15T13:40:56+00:00Yuri Slobodyanyuktag:yurisk.info,2009-12-15:/2009/12/15/arp-table-overflow-in-checkpoint-nad-linux-in-general/<p>This is not specific to Checkpoint but an issue of any Linux-based system.
The problem usually shows itself as seemingly random hosts being unable to pass the firewall; slowness and other network problems follow.<br>
In <strong>/var/log/messages</strong> you see the following record:<br>
<code>kernel: Neighbour table overflow.</code><br>
That means the ARP table has reached its maximum allowed size and no new ARP entries are being learnt.</p>
<p>You can either find the reason for the sudden influx of ARP entries (a large flat subnet newly attached to the firewall, or an ARP scan, are the usual suspects) or raise the ARP table limits accordingly.
The default hard limit (gc_thresh3) on Gaia is 4096.<br>
You raise the limits permanently (the change survives a reboot) by editing this file: </p>
<p><strong>/etc/sysctl.conf</strong><br>
If the lines are not present, add them at the end, taking care not to delete anything else by mistake: </p>
<div class="highlight"><pre><span></span><code>net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 4096
net.ipv4.neigh.default.gc_thresh3 = 16384
</code></pre></div>
<ul>
<li>Then apply it with:<br>
<strong># sysctl -p</strong> </li>
<li>Or, if you only want to raise it temporarily until the next reboot: </li>
</ul>
<div class="highlight"><pre><span></span><code>#echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
#echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
#echo 16384 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
</code></pre></div>
<p>A short explanation follows.<br>
<strong>gc</strong> above stands for <em>Garbage Collector (GC)</em>.<br>
net.ipv4.neigh.default.gc_thresh1 - the minimum number of ARP entries to keep in the cache.
Until this value is reached the GC does not run at all.<br>
net.ipv4.neigh.default.gc_thresh2 - the soft maximum number of ARP entries in the cache.
The GC allows the cache to exceed this limit for 5 seconds and then starts cleaning.<br>
net.ipv4.neigh.default.gc_thresh3 - the hard limit of ARP entries in the cache.
Once it is reached no more ARP entries are added, and that is when the "Neighbour table overflow" message appears. </p>
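<p>To turn the above into something you can run on a box: count the kernel message in the log, count what is actually in the ARP table, and size the three thresholds from that instead of guessing. The script below is an added example, not part of the original post. The <code>/var/log/messages</code> and <code>/proc/net/arp</code> excerpts in it are constructed, the threshold defaults it starts from are the stock Linux kernel ones (128/512/1024), not the Gaia ones, and the 1:4:16 ratio between the thresholds is simply the one used in the example above; the sizing rule (a power of two with at least 4x headroom over the observed entries) is my own, not something the kernel requires.</p>

```python
"""Detect 'Neighbour table overflow' and size the ARP garbage-collector thresholds.

Added example, not part of the original post. It counts the kernel message in a
constructed /var/log/messages excerpt, counts entries in a constructed
/proc/net/arp excerpt, and proposes gc_thresh values that keep the 1:4:16 ratio
used in the post. The defaults below are the stock Linux kernel ones, not Gaia's.
"""
import re

OVERFLOW_RE = re.compile(r"kernel: Neighbour table overflow\.")

# Stock Linux kernel defaults for net.ipv4.neigh.default.gc_thresh{1,2,3}
KERNEL_DEFAULTS = {"gc_thresh1": 128, "gc_thresh2": 512, "gc_thresh3": 1024}

# Constructed /var/log/messages excerpt (not from a real firewall)
SAMPLE_MESSAGES = """\
Dec 15 13:40:01 fw1 kernel: Neighbour table overflow.
Dec 15 13:40:02 fw1 sshd[2211]: Accepted password for admin from 10.0.0.5 port 51234 ssh2
Dec 15 13:40:05 fw1 kernel: Neighbour table overflow.
"""

# Constructed /proc/net/arp excerpt (header line plus three entries)
SAMPLE_PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.5         0x1         0x2         00:11:22:33:44:55     *        eth0
10.0.0.6         0x1         0x0         00:00:00:00:00:00     *        eth0
10.0.0.7         0x1         0x2         00:11:22:33:44:66     *        eth1
"""


def count_overflows(messages):
    """Number of 'Neighbour table overflow' lines in a /var/log/messages excerpt."""
    return sum(1 for line in messages.splitlines() if OVERFLOW_RE.search(line))


def count_arp_entries(proc_net_arp):
    """Number of entries in /proc/net/arp (incomplete ones count too: they occupy a slot)."""
    lines = [line for line in proc_net_arp.splitlines() if line.strip()]
    return max(len(lines) - 1, 0)  # the first line is the header


def next_power_of_two(n):
    return 1 << (n - 1).bit_length() if n > 1 else 1


def recommend_thresholds(entries, overflow_seen, current=KERNEL_DEFAULTS):
    """Return the gc_thresh values to use.

    Nothing changes unless an overflow was logged or the table is already past
    the soft limit (gc_thresh2). Otherwise the hard limit is raised to a power
    of two with at least 4x headroom over the observed entries (and at least
    double the current hard limit); the soft and minimum limits follow at 1/4
    and 1/16 of it, the ratio used in the post's example.
    """
    if not overflow_seen and entries < current["gc_thresh2"]:
        return dict(current)
    hard = max(next_power_of_two(entries * 4), current["gc_thresh3"] * 2)
    return {"gc_thresh1": hard // 16, "gc_thresh2": hard // 4, "gc_thresh3": hard}


def render_sysctl(thresholds):
    """Lines to append to /etc/sysctl.conf (apply with 'sysctl -p')."""
    return "\n".join(
        "net.ipv4.neigh.default.%s = %d" % (key, thresholds[key])
        for key in ("gc_thresh1", "gc_thresh2", "gc_thresh3")
    ) + "\n"


if __name__ == "__main__":
    seen = count_overflows(SAMPLE_MESSAGES)
    entries = count_arp_entries(SAMPLE_PROC_NET_ARP)
    print("overflow messages:", seen, "ARP entries:", entries)
    # 3000 entries stands in for a real table that outgrew the kernel defaults
    print(render_sysctl(recommend_thresholds(3000, seen > 0)))
```

On a live system read the current values from <code>/proc/sys/net/ipv4/neigh/default/gc_thresh{1,2,3}</code> rather than assuming the kernel defaults; with 3000 observed entries and an overflow in the log the rule lands on exactly the 1024/4096/16384 set shown above.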
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Increase log size in eSafe2009-12-14T12:26:38+00:002009-12-14T12:26:38+00:00Yuri Slobodyanyuktag:yurisk.info,2009-12-14:/2009/12/14/310/<p><strong>HISTORICAL NOTE</strong> Aladdin was an Israeli company known for its security eTokens and mail filtering appliances - <strong>eSafe</strong>. In 2009 it was bought by Safenet, primarily for the token/DRM line, and soon the eSafe appliance was discontinued. Later Safenet was in turn acquired by Gemalto. You can read about Aladdin at <a href="https://en.wikipedia.org/wiki/Aladdin_Knowledge_Systems">Aladdin Wiki</a> </p>
<p>Session logs in eSafe are essential for debugging. By default, however, each Session log file is limited to 100 megabytes; after reaching this limit eSafe stops writing the Session log until the next log rotation, which is at midnight.<br>
To fix this, edit the file <strong>/opt/eSafe/eSafeCR/esafecfg.ini</strong> and change the two values marked below (the length is in megabytes, the retention in days): </p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="p">[</span><span class="n">ALERT</span><span class="w"> </span><span class="n">GENERAL</span><span class="p">]</span><span class="w"> </span>
<span class="w"> </span><span class="n">Size</span><span class="w"> </span><span class="n">limit</span><span class="o">=</span><span class="mi">2</span><span class="w"></span>
<span class="w"> </span><span class="n">Last</span><span class="w"> </span><span class="n">overflow</span><span class="o">=</span><span class="mi">0</span><span class="w"></span>
<span class="w"> </span><span class="n">Minimum</span><span class="w"> </span><span class="n">free</span><span class="w"> </span><span class="n">disk</span><span class="w"> </span><span class="n">space</span><span class="o">=</span><span class="mi">2000</span><span class="w"></span>
<span class="w"> </span><span class="n">Block</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">internal</span><span class="w"> </span><span class="n">error</span><span class="o">=</span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="n">File</span><span class="w"> </span><span class="n">name</span><span class="o">=^</span><span class="n">M</span><span class="w"></span>
<span class="w"> </span><span class="n">Report</span><span class="w"> </span><span class="n">days</span><span class="o">=</span><span class="mi">10</span><span class="w"></span>
<span class="w"> </span><span class="n">Session</span><span class="w"> </span><span class="n">log</span><span class="w"> </span><span class="n">days</span><span class="o">=</span><span class="mi">7</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="o">**</span><span class="n">Session</span><span class="w"> </span><span class="n">log</span><span class="w"> </span><span class="n">days</span><span class="o">=</span><span class="w"> </span><span class="mi">365</span><span class="o">**</span><span class="w"></span>
<span class="w"> </span><span class="n">Report</span><span class="w"> </span><span class="n">max</span><span class="w"> </span><span class="n">length</span><span class="o">=</span><span class="mi">100</span><span class="w"></span>
<span class="w"> </span><span class="n">Session</span><span class="w"> </span><span class="n">log</span><span class="w"> </span><span class="n">max</span><span class="w"> </span><span class="n">length</span><span class="o">=</span><span class="mi">100</span><span class="w"> </span><span class="o">=></span><span class="w"> </span><span class="o">**</span><span class="n">Session</span><span class="w"> </span><span class="n">log</span><span class="w"> </span><span class="n">max</span><span class="w"> </span><span class="n">length</span><span class="o">=</span><span class="mi">500</span><span class="o">**</span><span class="w"></span>
<span class="w"> </span><span class="n">Log</span><span class="w"> </span><span class="n">sessions</span><span class="o">=</span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="n">Detailed</span><span class="w"> </span><span class="n">log</span><span class="w"> </span><span class="n">sessions</span><span class="o">=</span><span class="mi">0</span><span class="w"></span>
<span class="w"> </span><span class="n">Log</span><span class="w"> </span><span class="n">System</span><span class="w"> </span><span class="n">Info</span><span class="w"> </span><span class="n">Interval</span><span class="o">=</span><span class="mi">10</span><span class="w"></span>
<span class="w"> </span><span class="n">MMS</span><span class="w"> </span><span class="n">block</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">internal</span><span class="w"> </span><span class="n">error</span><span class="o">=</span><span class="mi">1</span><span class="w"></span>
<span class="w"> </span><span class="n">SessionLog</span><span class="w"> </span><span class="n">To</span><span class="w"> </span><span class="n">EventLog</span><span class="o">=</span><span class="mi">0</span><span class="w"> </span>
</code></pre></div>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Increase the limit and rotate SSH log files in Checkpoint firewall 2009-12-14T12:16:26+00:00 2009-12-14T12:16:26+00:00 Yuri Slobodyanyuk tag:yurisk.info,2009-12-14:/2009/12/14/increase-and-rotate-ssh-log-files-in-checkpoint/<p>All modern Operating Systems today provide extensive logging facilities, and Linux, on which Checkpoint products are based, is no exception.
I am talking about the SSHD daemon logs, not the Security Rules logs. The SSHD logs, located in /var/log/, are rotated by default with 4 log files retained.
I found it very useful to keep SSH access logs for a longer period, especially when the client also has access to the firewall and makes changes on his/her own.
To tune the parameters of the SSH logging, edit <strong>/etc/cpshell/log_rotation.conf</strong> (no need to restart anything): </p>
<div class="highlight"><pre><span></span><code># cat /etc/cpshell/log_rotation.conf
# File max size backlog
# By default max size is 65536 bytes and backlog (how many files to retain) is 4, I usually change it to the values below:
/var/log/messages 65536 256
/var/log/routing_messages 64536 256
/var/log/wtmp 65536 256
/var/log/lastlog 262400 256
/var/log/secure 64536 256
$CPDIR/log/cpstart.log 1048576 4
# Files after this line will not be shown by log command
/var/log/CPbackup.elg 64536 4
/var/CPbackup/log/backup_logs.elg 64536 4
$FWDIR/log/fwd.elg 1048576 4
$FWDIR/log/dtlsd.elg 1048576 4
</code></pre></div>
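<p>A small parser for the log_rotation.conf format shown above, as an added example that is not part of the post or of Check Point's tooling: it reads the <code>path max_size backlog</code> entries, expands <code>$CPDIR</code>/<code>$FWDIR</code> when they are set, and lists the files whose worst-case retained history falls below a chosen threshold. The function names, the sample configuration and the threshold are constructed for the example; the reading that the history kept on disk is bounded by <code>max_size</code> times (<code>backlog</code> + 1) is this example's assumption based on the listing's comment, not a statement from the post.</p>

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RotationEntry:
    path: str       # log file, with $CPDIR / $FWDIR expanded when they are set
    max_size: int   # size in bytes at which the file is rotated
    backlog: int    # rotated copies to retain (the listing's "backlog" column)

    @property
    def retained_bytes(self) -> int:
        """Upper bound on history on disk: the live file plus `backlog` rotated copies
        (assumption of this example: backlog counts the copies, not the live file)."""
        return self.max_size * (self.backlog + 1)


_VAR = re.compile(r"\$(\w+)")


def parse_log_rotation(text: str, env: Optional[Dict[str, str]] = None) -> List[RotationEntry]:
    """Parse 'path max_size backlog' lines; '#' starts a comment, blank lines are skipped."""
    env = dict(os.environ) if env is None else env
    entries: List[RotationEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or not (parts[1].isdigit() and parts[2].isdigit()):
            raise ValueError(f"line {lineno}: expected 'path max_size backlog', got {raw!r}")
        # An unset variable is left untouched so the reader can see it was not expanded.
        path = _VAR.sub(lambda m: env.get(m.group(1), m.group(0)), parts[0])
        entries.append(RotationEntry(path, int(parts[1]), int(parts[2])))
    return entries


def short_retention(entries: List[RotationEntry], min_bytes: int) -> List[str]:
    """Paths whose worst-case retained history is below min_bytes."""
    return [e.path for e in entries if e.retained_bytes < min_bytes]


# Constructed sample in the default-style shape (backlog 4) discussed in the post.
SAMPLE_CONF = """\
# File max size backlog
/var/log/messages 65536 4
/var/log/secure 64536 4      # SSHD logins land here
$CPDIR/log/cpstart.log 1048576 4
"""

if __name__ == "__main__":
    # /opt/CPshrd-EXAMPLE is a placeholder for the real $CPDIR value on the gateway.
    entries = parse_log_rotation(SAMPLE_CONF, env={"CPDIR": "/opt/CPshrd-EXAMPLE"})
    for e in entries:
        print(f"{e.path:40} keeps at most {e.retained_bytes // 1024} KiB")
    print("below 1 MiB of history:", short_retention(entries, 1024 * 1024))
```

<p>The point of the check is that rotation here is size-based, not time-based: with the default backlog of 4 a busy /var/log/secure keeps well under a megabyte of login history, so raising the backlog as the post does is what actually extends how far back an SSH access review can reach.</p>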
fw monitor command reference CheckPoint firewall 2009-12-12T13:55:25+00:00 2020-07-05T11:09:00+02:00 Yuri Slobodyanyuk tag:yurisk.info,2009-12-12:/2009/12/12/fw-monitor-command-reference/<p>Updated: 07 July 2020<br>
This is a quick reference sheet of all usable options for the fw monitor tool. At the end I put a list of fw monitor examples. Previous experience with the tool is assumed; I'll just say that if you are serious about debugging Checkpoint products, learn it and learn it well.</p>
<p><strong>Note</strong>: Before R80.20 you had to disable SecureXL acceleration with <strong>fwaccel off</strong> for <em>fw monitor</em> to see ALL the connection packets and filter them as needed. Starting with R80.20 you don't have to do it anymore: fw monitor sees accelerated traffic as well. BUT ... in that case the fw monitor filters given with -e do NOT work; that is, even if you set a filter, fw monitor will show ALL accelerated packets, ignoring the filter. So turning acceleration off with <strong>fwaccel off</strong> before sniffing, then turning it back on with <strong>fwaccel on</strong>, might still be a good idea. As an alternative for such a case, Checkpoint offers the <strong>-F</strong> filter that DOES filter accelerated packets without <strong>fwaccel off</strong>, but it can filter only on IP addresses and ports, a fraction of the capabilities of the <strong>-e</strong> filters. Also, it is not implemented on R80.30. </p>
<p>For IPv6 traffic you would use <strong>fw6 monitor</strong>. </p>
<p>By default the fw monitor sniffing driver is inserted into 4 locations in
the Firewall kernel chain.
<strong>Here they are</strong>:</p>
<p><strong>i (PREIN)</strong> – inbound direction before the firewall Virtual Machine (VM, which is CP terminology). The most important fact to know about this capture location is that it shows packets BEFORE any security rule in the policy is applied. That is, no matter what the rules say, a packet should at least be seen here, which proves that packets actually reach the firewall at all.<br>
<strong>I (POSTIN)</strong> – inbound direction after the firewall VM.<br>
<strong>o (PREOUT)</strong> – outbound direction before the firewall VM.<br>
<strong>O (POSTOUT)</strong> - outbound direction after the firewall VM. </p>
<p>You can change the point of insertion within the fw chain with: </p>
<h3>fw monitor -pi|I|O|o <em>position</em></h3>
<p>Frequently, for debug purposes, you need to insert in ALL positions; be aware that this causes CPU load: </p>
<h3>fw monitor -p all</h3>
<p>The easiest way to decide where to insert is to first look at the chain: </p>
<h3>fw ctl chain</h3>
<p>Then give the position relative to any module you see there: </p>
<div class="highlight"><pre><span></span><code><span class="p">[</span><span class="n">Expert</span><span class="err">@</span><span class="n">CP80</span><span class="o">.</span><span class="mi">30</span><span class="n">T200</span><span class="p">:</span><span class="mi">0</span><span class="p">]</span><span class="c1"># fw ctl chain</span><span class="w"></span>
<span class="ow">in</span><span class="w"> </span><span class="n">chain</span><span class="w"> </span><span class="p">(</span><span class="mi">11</span><span class="p">):</span><span class="w"></span>
<span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="w"> </span><span class="o">-</span><span class="mi">7</span><span class="n">fffffff</span><span class="w"> </span><span class="p">(</span><span class="mi">0000000000000000</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000000</span><span class="p">)</span><span class="w"> </span><span class="n">SecureXL</span><span class="w"> </span><span class="n">inbound</span><span class="w"> </span><span class="p">(</span><span class="n">sxl_in</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">1</span><span class="p">:</span><span class="w"> </span><span class="o">-</span><span class="mi">7</span><span class="n">ffffffe</span><span class="w"> </span><span class="p">(</span><span class="mi">0000000000000000</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000000</span><span class="p">)</span><span class="w"> </span><span class="n">SecureXL</span><span class="w"> </span><span class="n">inbound</span><span class="w"> </span><span class="n">CT</span><span class="w"> </span><span class="p">(</span><span class="n">sxl_ct</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">2</span><span class="p">:</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="mi">1</span><span class="n">fffff8</span><span class="w"> </span><span class="p">(</span><span class="n">ffffffff89f8de30</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000001</span><span class="p">)</span><span class="w"> </span><span class="n">Stateless</span><span class="w"> </span><span class="n">verifications</span><span class="w"> </span><span class="p">(</span><span class="ow">in</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="n">asm</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">3</span><span class="p">:</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="mi">1</span><span class="n">fffff7</span><span class="w"> </span><span class="p">(</span><span class="n">ffffffff89f91ef0</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000001</span><span class="p">)</span><span class="w"> </span><span class="n">fw</span><span class="w"> </span><span class="n">multik</span><span class="w"> </span><span class="n">misc</span><span class="w"> </span><span class="n">proto</span><span class="w"> </span><span class="n">forwarding</span><span class="w"></span>
<span class="w"> </span><span class="mi">4</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">(</span><span class="n">ffffffff8a4233e0</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000001</span><span class="p">)</span><span class="w"> </span><span class="n">fw</span><span class="w"> </span><span class="n">VM</span><span class="w"> </span><span class="n">inbound</span><span class="w"> </span><span class="p">(</span><span class="n">fw</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">5</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="p">(</span><span class="n">ffffffff89f92720</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000001</span><span class="p">)</span><span class="w"> </span><span class="n">fw</span><span class="w"> </span><span class="n">SCV</span><span class="w"> </span><span class="n">inbound</span><span class="w"> </span><span class="p">(</span><span class="n">scv</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">6</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="p">(</span><span class="n">ffffffff89b454f0</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000003</span><span class="p">)</span><span class="w"> </span><span class="n">fw</span><span class="w"> </span><span class="n">offload</span><span class="w"> </span><span class="n">inbound</span><span class="w"> </span><span class="p">(</span><span class="n">offload_in</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">7</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="p">(</span><span class="n">ffffffff8a4152a0</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000001</span><span class="p">)</span><span class="w"> </span><span class="n">fw</span><span class="w"> </span><span class="n">post</span><span class="w"> </span><span class="n">VM</span><span class="w"> </span><span class="n">inbound</span><span class="w"> </span><span class="p">(</span><span class="n">post_vm</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">8</span><span class="p">:</span><span class="w"> </span><span class="mi">100000</span><span class="w"> </span><span class="p">(</span><span class="n">ffffffff8a3cb780</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000001</span><span class="p">)</span><span class="w"> </span><span class="n">fw</span><span class="w"> </span><span class="n">accounting</span><span class="w"> </span><span class="n">inbound</span><span class="w"> </span><span class="p">(</span><span class="n">acct</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">9</span><span class="p">:</span><span class="w"> </span><span class="mi">7</span><span class="n">f730000</span><span class="w"> </span><span class="p">(</span><span class="n">ffffffff89523010</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000001</span><span class="p">)</span><span class="w"> </span><span class="n">passive</span><span class="w"> </span><span class="n">streaming</span><span class="w"> </span><span class="p">(</span><span class="ow">in</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="n">pass_str</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">10</span><span class="p">:</span><span class="w"> </span><span class="mi">7</span><span class="n">f750000</span><span class="w"> </span><span class="p">(</span><span class="n">ffffffff8a171d10</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000001</span><span class="p">)</span><span class="w"> </span><span class="n">TCP</span><span class="w"> </span><span class="n">streaming</span><span class="w"> </span><span class="p">(</span><span class="ow">in</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="n">cpas</span><span class="p">)</span><span class="w"></span>
<span class="n">out</span><span class="w"> </span><span class="n">chain</span><span class="w"> </span><span class="p">(</span><span class="mi">9</span><span class="p">):</span><span class="w"></span>
<span class="w"> </span><span class="mi">0</span><span class="p">:</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="mi">1</span><span class="n">fffff0</span><span class="w"> </span><span class="p">(</span><span class="n">ffffffff8a167e70</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000001</span><span class="p">)</span><span class="w"> </span><span class="n">TCP</span><span class="w"> </span><span class="n">streaming</span><span class="w"> </span><span class="p">(</span><span class="n">out</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="n">cpas</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">1</span><span class="p">:</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="mi">1</span><span class="n">ffff50</span><span class="w"> </span><span class="p">(</span><span class="n">ffffffff89523010</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000001</span><span class="p">)</span><span class="w"> </span><span class="n">passive</span><span class="w"> </span><span class="n">streaming</span><span class="w"> </span><span class="p">(</span><span class="n">out</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="n">pass_str</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">2</span><span class="p">:</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="mi">1</span><span class="n">f00000</span><span class="w"> </span><span class="p">(</span><span class="n">ffffffff89f8de30</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000001</span><span class="p">)</span><span class="w"> </span><span class="n">Stateless</span><span class="w"> </span><span class="n">verifications</span><span class="w"> </span><span class="p">(</span><span class="n">out</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="n">asm</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">3</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">(</span><span class="n">ffffffff8a4233e0</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000001</span><span class="p">)</span><span class="w"> </span><span class="n">fw</span><span class="w"> </span><span class="n">VM</span><span class="w"> </span><span class="n">outbound</span><span class="w"> </span><span class="p">(</span><span class="n">fw</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">4</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="p">(</span><span class="n">ffffffff8a4152a0</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000001</span><span class="p">)</span><span class="w"> </span><span class="n">fw</span><span class="w"> </span><span class="n">post</span><span class="w"> </span><span class="n">VM</span><span class="w"> </span><span class="n">outbound</span><span class="w"> </span><span class="p">(</span><span class="n">post_vm</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">5</span><span class="p">:</span><span class="w"> </span><span class="mi">7</span><span class="n">f000000</span><span class="w"> </span><span class="p">(</span><span class="n">ffffffff8a3cb780</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000001</span><span class="p">)</span><span class="w"> </span><span class="n">fw</span><span class="w"> </span><span class="n">accounting</span><span class="w"> </span><span class="n">outbound</span><span class="w"> </span><span class="p">(</span><span class="n">acct</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">6</span><span class="p">:</span><span class="w"> </span><span class="mi">7</span><span class="n">f700000</span><span class="w"> </span><span class="p">(</span><span class="n">ffffffff8a168820</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000001</span><span class="p">)</span><span class="w"> </span><span class="n">TCP</span><span class="w"> </span><span class="n">streaming</span><span class="w"> </span><span class="n">post</span><span class="w"> </span><span class="n">VM</span><span class="w"> </span><span class="p">(</span><span class="n">cpas</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">7</span><span class="p">:</span><span class="w"> </span><span class="mi">7</span><span class="n">f900000</span><span class="w"> </span><span class="p">(</span><span class="mi">0000000000000000</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000000</span><span class="p">)</span><span class="w"> </span><span class="n">SecureXL</span><span class="w"> </span><span class="n">outbound</span><span class="w"> </span><span class="p">(</span><span class="n">sxl_out</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="mi">8</span><span class="p">:</span><span class="w"> </span><span class="mi">7</span><span class="n">fa00000</span><span class="w"> </span><span class="p">(</span><span class="mi">0000000000000000</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mi">00000000</span><span class="p">)</span><span class="w"> </span><span class="n">SecureXL</span><span class="w"> </span><span class="n">deliver</span><span class="w"> </span><span class="p">(</span><span class="n">sxl_deliver</span><span class="p">)</span><span class="w"></span>
</code></pre></div>
<p>E.g. to insert pre-inbound before the <strong>asm</strong> module: <code>fw monitor -pi asm</code> <br>
Note: you can insert the sniffer only where Checkpoint allows it, e.g. trying to insert before the SecureXL chain point <strong>sxl_in</strong> will give a warning and will insert before the <strong>asm</strong> point anyway.</p>
<p>Now the usage itself: </p>
<h3>fw monitor</h3>
<div class="highlight"><pre><span></span><code>Usage: fw monitor [- u|s] [-i] [-d] [-T] &lt;{-e
expression}+|-f &lt;filter-file|-&gt;&gt; [-l len] [-m mask] [-x offset[,len]]
[-o &lt;file&gt;] &lt;[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all [-a
]&gt; [-ci count] [-co count]
</code></pre></div>
<p>Round-up of options:</p>
<p>-m <em>mask</em>: which point(s) of capture to display, possible values: i,I,o,O<br>
-d/-D: debug output from fw monitor itself, not very useful IMO.<br>
-u|s: also print the connection/session Universal ID<br>
-i: flush stdout after writing each packet<br>
-T: add a timestamp<br>
-e <em>expr</em>: expression to filter the packets (in detail later)<br>
-f <em>filter-file</em>: the same as above but read the filter expression from a file<br>
-l <em>len</em>: packet length to capture </p>
<p><strong>Expressions</strong><br>
At the very lowest level fw monitor understands byte offsets from the header
start. So to match, for example, the 20th byte of the IP packet (that is, the source IP)
you can just use:</p>
<h3>fw monitor -e 'accept [12,b]=8.8.8.8;'</h3>
<p>Where:<br>
12 – offset in bytes from the beginning of the packet<br>
b – mandatory, means big endian order.<br>
4 – not seen here, but the size (in bytes) of the field to compare starting at the offset (default is 4) </p>
<p>To look for source port 53 (UDP/TCP) in the raw packet: </p>
<h3>fw monitor -m i -e 'accept [20:2,b]=53;'</h3>
<p>Here I tell fw monitor to look at 2 bytes at offset 20.</p>
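<p>The raw offset expressions above, evaluated in Python as an added example (not code from the post or from Check Point): it parses <code>accept [offset[:len],b]=value;</code>, compares the named bytes of a constructed IPv4/UDP packet, and shows the caveat that offset 20 is the UDP/TCP source port only while the IP header carries no options. The function names, the constructed packets and the DNS-reply sample values (8.8.8.8, port 53) are this example's own.</p>

```python
import ipaddress
import re
import struct

# fw monitor raw filter: 'accept [offset[:len],b]=value;' compares len bytes (default 4,
# big endian) starting at byte offset from the beginning of the IP packet with value.
_RAW_EXPR = re.compile(
    r"^\s*accept\s*\[\s*(?P<offset>\d+)\s*(?::\s*(?P<len>\d+))?\s*,\s*b\s*\]"
    r"\s*=\s*(?P<value>0[xX][0-9a-fA-F]+|[0-9.]+)\s*;?\s*$"
)


def parse_raw_expr(expr: str):
    """Return (offset, length, expected_int) for one raw fw monitor expression."""
    m = _RAW_EXPR.match(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    offset = int(m.group("offset"))
    length = int(m.group("len") or 4)   # per the post: field size defaults to 4 bytes
    value = m.group("value")
    if "." in value:                     # dotted IPv4 literal such as 8.8.8.8
        if length != 4:
            raise ValueError("an IPv4 literal only makes sense for a 4-byte field")
        expected = int(ipaddress.IPv4Address(value))
    elif value.lower().startswith("0x"):
        expected = int(value, 16)
    else:
        expected = int(value)
    if expected >= 1 << (8 * length):
        raise ValueError(f"value {value} does not fit in {length} byte(s)")
    return offset, length, expected


def raw_match(expr: str, packet: bytes) -> bool:
    """True when the packet bytes at [offset, offset+len) equal the expression's value."""
    offset, length, expected = parse_raw_expr(expr)
    field = packet[offset:offset + length]
    if len(field) < length:              # too short to hold the field: treated as no match here
        return False
    return int.from_bytes(field, "big") == expected


def l4_offset(packet: bytes) -> int:
    """Byte offset of the transport header: IHL (low nibble of byte 0) times 4.
    It is 20 only when the IP header has no options, which the fixed
    '[20:2,b]' source-port expression silently assumes."""
    return (packet[0] & 0x0F) * 4


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int,
                   payload: bytes = b"", options: bytes = b"") -> bytes:
    """Constructed sample packet: IPv4 header (plus optional options) and UDP header.
    Checksums are left at zero; the packet only serves the offset arithmetic."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed) + options
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


if __name__ == "__main__":
    # Constructed DNS reply from 8.8.8.8:53, first without and then with a 4-byte IP option.
    plain = build_ipv4_udp("8.8.8.8", "10.0.0.5", 53, 40000)
    with_opts = build_ipv4_udp("8.8.8.8", "10.0.0.5", 53, 40000, options=b"\x01\x01\x01\x01")
    for name, pkt in (("no options", plain), ("4-byte option", with_opts)):
        print(name,
              "| src matches:", raw_match("accept [12,b]=8.8.8.8;", pkt),
              "| sport at 20 matches:", raw_match("accept [20:2,b]=53;", pkt),
              "| real L4 offset:", l4_offset(pkt))
```

<p>Raw offsets count from the start of the IP header, so any IP option shifts the transport-layer fields by the option length; when a raw port filter unexpectedly shows nothing, check IHL in the capture before blaming the rulebase.</p>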
<p>While this way of looking at packets is the most general and therefore covers
all cases, you rarely need such a granular looking glass. In 99%
of the cases you will do fine with a limited, known set of expressions.
Just for that, Checkpoint has predefined and kindly provided, in every Splat/Gaia
installation, definition files that give meaningful synonyms to the most
used patterns. There are a few definition files, but they circularly reference
each other, providing multiple synonyms for the same pattern.
I put all those predefined patterns in the list below for easy
reference.</p>
<table width="100%" border="2" id="table1" >
<tbody >
<tr class="w3-green">
<td colspan="2"><b>Summary table of possible filter expressions to be fed to the fw monitor</b>
</td>
</tr>
<tr >
<td colspan="2" id="a11" ><b>Specifying Hosts</b>
</td>
</tr>
<tr class="sec1" >
<td > host(IP-address)
</td>
<td > to or from this host
</td>
</tr>
<tr class="sec1" >
<td > src=IP-address
</td>
<td > where source ip = IP-address
</td>
</tr>
<tr class="sec1" >
<td > dst=IP_address
</td>
<td > where destination ip = IP_address
</td>
</tr>
<tr class="sec1" >
<td > net(network_address,netmask)
</td>
<td > to or from this network
</td>
</tr>
<tr class="sec1" >
<td > to_net(network_address,netmask)
</td>
<td > to this network
</td>
</tr>
<tr class="sec1" >
<td > from_net(network_address,netmask)
</td>
<td > from this network
</td>
</tr>
<tr >
<td colspan="2" >
</td>
</tr>
<tr class="sec2" >
<td colspan="2" ><b>Specifying ports</b>
</td>
</tr>
<tr class="sec2" >
<td > port(port_number)
</td>
<td > having this source or destination port
</td>
</tr>
<tr class="sec2" >
<td > sport=port_number
</td>
<td > having this source port
</td>
</tr>
<tr class="sec2" >
<td > dport=port_number
</td>
<td > having this destination port
</td>
</tr>
<tr class="sec2" >
<td > tcpport(port_number)
</td>
<td > having this source or destination port that is also TCP
</td>
</tr>
<tr class="sec2" >
<td > udpport(port_number)
</td>
<td > having this source or destination port that is also UDP
</td>
</tr>
<tr >
<td colspan="2" >
</td>
</tr>
<tr class="sec3" >
<td > <b>Specifying protocols</b>
</td>
<td >
</td>
</tr>
<tr class="sec3" >
<td > ip_p=&lt;protocol_number_as_per_IANA&gt;
</td>
<td > this way you can specify any known protocol by its registered
number in IANA. For a detailed list of protocol numbers see <a href="https://yurisk.info/assets/protocol-numbers.txt" >IANA Protocol Numbers</a>
</td>
</tr>
<tr class="sec3" >
<td > icmp
</td>
<td > what it says , icmp protocol
</td>
</tr>
<tr class="sec3" >
<td > tcp
</td>
<td > TCP
</td>
</tr>
<tr class="sec3" >
<td > udp
</td>
<td > UDP
</td>
</tr>
<tr class="sec3" >
<td colspan="2" >
</td>
</tr>
<tr class="sec45" >
<td > <b>Protocol specific options</b>
</td>
<td >
</td>
</tr>
<tr id="d444" class="sec4" >
<td colspan="2" > <b>IP</b>
</td>
</tr>
<tr class="sec4" >
<td > ip_tos = <value>
</td>
<td > TOS field of the IP packet
</td>
</tr>
<tr class="sec4" >
<td > ip_len = <length_in_bytes>
</td>
<td > Length of the IP packet in bytes
</td>
</tr>
<tr class="sec4" >
<td > ip_src / ip_dst = <IP_address>
</td>
<td > Source or destination IP address of the packet
</td>
</tr>
<tr class="sec4" >
<td > ip_p =<protocol_number_as_per_IANA>
</td>
<td > See above
</td>
</tr>
<tr id="d777" class="sec7" >
<td colspan="2" ><b>ICMP</b>
</td>
</tr>
<tr class="sec7" >
<td > echo_reply
</td>
<td > ICMP reply packets
</td>
</tr>
<tr class="sec7" >
<td > echo_req
</td>
<td > Echo requests
</td>
</tr>
<tr class="sec7" >
<td > ping
</td>
<td > Echo requests and echo replies
</td>
</tr>
<tr class="sec7" >
<td > icmp_error
</td>
<td > ICMP error messages (Redirect, Unreachables, Time exceeded, Source
quench, Parameter problem)
</td>
</tr>
<tr class="sec7" >
<td > traceroute
</td>
<td > Traceroute as implemented in Unix (UDP packets to high ports)
</td>
</tr>
<tr class="sec7" >
<td > tracert
</td>
<td > Traceroute as implemented in Windows (ICMP packets, TTL
<30)
</td>
</tr>
<tr class="sec7" >
<td > icmp_type = <ICMP types as per RFC>
</td>
<td > catch packets of certain type
</td>
</tr>
<tr class="sec7" >
<td > icmp_code = <ICMP code as per RFC>
</td>
<td > catch packets of certain code
</td>
</tr>
<tr class="sec7" >
<td colspan="2" > ICMP types and, where applicable, their respective codes:<br>
ICMP_ECHOREPLY<br>
ICMP_UNREACH<br>
ICMP_UNREACH_NET<br>
ICMP_UNREACH_HOST<br>
ICMP_UNREACH_PROTOCOL<br>
ICMP_UNREACH_PORT<br>
ICMP_UNREACH_NEEDFRAG<br>
ICMP_UNREACH_SRCFAIL<br>
ICMP_SOURCEQUENCH<br>
ICMP_REDIRECT<br>
ICMP_REDIRECT_NET<br>
ICMP_REDIRECT_HOST<br>
ICMP_REDIRECT_TOSNET<br>
ICMP_REDIRECT_TOSHOST<br>
ICMP_ECHO<br>
ICMP_ROUTERADVERT<br>
ICMP_ROUTERSOLICIT<br>
ICMP_TIMXCEED<br>
ICMP_TIMXCEED_INTRANS<br>
ICMP_TIMXCEED_REASS<br>
ICMP_PARAMPROB<br>
ICMP_TSTAMP<br>
ICMP_TSTAMPREPLY<br>
ICMP_IREQ<br>
ICMP_IREQREPLY<br>
ICMP_MASKREQ<br>
ICMP_MASKREPLY
</td>
</tr>
<tr class="sec7" >
<td > icmp_ip_len = <length>
</td>
<td > Length of ICMP packet
</td>
</tr>
<tr class="sec7" >
<td > icmp_ip_ttl = <TTL>
</td>
<td > TTL of the ICMP packet; use it together with the icmp keyword, otherwise it will catch ANY
packet with the given TTL
</td>
</tr>
<tr class="sec7" >
<td colspan="2" > (cut here: a bunch of other ICMP-related fields, like ID and sequence,
that I don’t see any value in bringing here)
</td>
</tr>
<tr id="d888" class="sec8" >
<td colspan="2" > <b>TCP</b>
</td>
</tr>
<tr class="sec8" >
<td > syn
</td>
<td > SYN flag set
</td>
</tr>
<tr class="sec8" >
<td > fin
</td>
<td > FIN flag set
</td>
</tr>
<tr class="sec8" >
<td > rst
</td>
<td > RST flag set
</td>
</tr>
<tr class="sec8" >
<td > ack
</td>
<td > ACK flag set
</td>
</tr>
<tr class="sec8" >
<td > first
</td>
<td > first packet (means SYN is set but ACK is not)
</td>
</tr>
<tr class="sec8" >
<td > not_first
</td>
<td > not first packet (SYN is not set)
</td>
</tr>
<tr class="sec8" >
<td > established
</td>
<td > established connection (means ACK is set but SYN is not)
</td>
</tr>
<tr class="sec8" >
<td > last
</td>
<td > last packet in stream (ACK and FIN are set)
</td>
</tr>
<tr class="sec8" >
<td > tcpdone
</td>
<td > RST or FIN are set
</td>
</tr>
<tr class="sec8" >
<td colspan="2" > th_flags - a more general way to match the flags inside
TCP packets
</td>
</tr>
<tr class="sec8" >
<td > th_flags = TH_PUSH
</td>
<td > Push flag set
</td>
</tr>
<tr class="sec8" >
<td > th_flags = TH_URG
</td>
<td > Urgent flag set
</td>
</tr>
<tr id="d999" class="sec9" >
<td colspan="2" ><b>UDP</b>
</td>
</tr>
<tr class="sec9" >
<td > uh_ulen = <length_in_bytes>
</td>
<td > Length of the UDP header (doesn't include the IP header)
</td>
</tr>
</tbody></table>
<p>And the last thing to remember before we move to the examples - expressions support logical operators, and numerical values support relational operators:</p>
<p><strong>and</strong> - logical AND<br>
<strong>or</strong> - logical OR<br>
<strong>not</strong> - logical NOT<br>
<strong>></strong> greater than<br>
<strong><</strong> less than<br>
<strong>>=</strong> greater than or equal to<br>
<strong><=</strong> less than or equal to<br>
You can combine logical expressions and influence the order of evaluation by using () to group.</p>
<p>Below is a laundry list of examples to showcase the reference table above.</p>
<h3>fw monitor -m i -e 'accept host(208.44.108.136) ;'</h3>
<p>packets where the source or destination IP is 208.44.108.136, captured at the "i" inspection point (incoming, before any rules are applied). </p>
<h3>fw monitor -e 'accept src=216.12.145.20 ;'</h3>
<p>packets where source ip = 216.12.145.20 </p>
<h3>fw monitor -e 'accept src=216.12.145.20 or dst= 216.12.145.20;'</h3>
<p>packets where source or destination ip = 216.12.145.20</p>
<h3>fw monitor -e 'accept port(25) ;'</h3>
<p>packets where destination or source port = 25 </p>
<h3>fw monitor -e 'accept dport=80 ;'</h3>
<p>packets where destination port = 80 </p>
<h3>fw monitor -e 'accept sport>22 and dport>22 ; '</h3>
<p>packets with source and destination ports greater than 22 </p>
<h3>fw monitor -e 'accept ip_len = 1477;'</h3>
<p>packets whose length is exactly 1477 bytes </p>
<h3>fw monitor -e 'accept icmp_type=ICMP_UNREACH;'</h3>
<p>ICMP packets of Unreachable type </p>
<h3>fw monitor -e 'accept from_net(216.163.137.68,24);'</h3>
<p>packets having source IP in the network 216.163.137.0/24 </p>
<h3>fw monitor -e 'accept from_net(216.163.137.68,24) and port(25) and dst=8.8.8.8 ;'</h3>
<p>packets coming from network 216.163.137.0/24 that are destined to the host 8.8.8.8 and having source or destination port = 25 </p>
<h3>fw monitor -m i -x 40,450 -e 'accept port(80);'</h3>
<p>incoming packets before any rules are applied; also display the packet contents starting at the 40th byte, 450 bytes long </p>
<h3>fw monitor -m i -pi -ipopt_strip -e 'accept host(66.240.206.90);'</h3>
<p>incoming packets from/to host 66.240.206.90, with the sniffer inserted before the module named ipopt_strip </p>
<h3>fw monitor -D -m i -pi -ipopt_strip -e 'accept host(66.240.206.90);'</h3>
<p>same as above but add debug info</p>
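<p>To make the reference table and the examples above concrete, here is an added Python example of my own (not part of the original article and not Check Point code): a small parser and evaluator for the filter syntax, run against constructed packet records. The packet dicts and their keys (src, dst, proto, sport, dport, ip_len, flags, icmp_type, icmp_code) are my own representation, not fw monitor's internal data model. The host/src/dst/port/net predicates, the bare protocol and TCP-state keywords, the comparison operators and and/or/not with parentheses follow the table; symbolic ICMP names such as ICMP_UNREACH are not translated, so use the numeric type. It goes a step beyond the page's examples in that it rejects characters and trailing tokens it does not understand, because a filter that silently matches less than you think is worse than one that errors out.</p>

```python
import ipaddress
import re

# Tokens: dotted IPv4, integer, identifier, comparison operator or punctuation
_TOKEN = re.compile(r"\d+(?:\.\d+){3}|\d+|[A-Za-z_]\w*|>=|<=|[=<>(),]")
_OPS = {"=": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b,
        ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}
_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
# Reference-table field names mapped to the keys of my constructed packet dicts
_FIELDS = {"src": "src", "dst": "dst", "ip_src": "src", "ip_dst": "dst", "sport": "sport", "dport": "dport",
           "ip_len": "ip_len", "ip_p": "proto", "icmp_type": "icmp_type", "icmp_code": "icmp_code"}
_TCP_STATE = {  # TCP keywords from the table, as predicates over the set of flags present
    "syn": lambda f: "syn" in f, "fin": lambda f: "fin" in f, "rst": lambda f: "rst" in f, "ack": lambda f: "ack" in f,
    "first": lambda f: "syn" in f and "ack" not in f, "not_first": lambda f: "syn" not in f,
    "established": lambda f: "ack" in f and "syn" not in f, "last": lambda f: "ack" in f and "fin" in f,
    "tcpdone": lambda f: "rst" in f or "fin" in f}

def tokenize(text):
    """Drop the leading 'accept' action and trailing ';', then split into (kind, value) tokens."""
    text = re.sub(r"^\s*accept\b|\s*;\s*$", "", text, flags=re.I)
    parts = _TOKEN.findall(text)
    if "".join(parts) != "".join(text.split()):      # characters the regex skipped: reject, never ignore
        raise ValueError(f"cannot tokenize {text!r}")
    return [("ip", p) if p[0].isdigit() and "." in p else ("num", int(p)) if p[0].isdigit()
            else ("op", p) if p in _OPS or p in "()," else ("id", p.lower()) for p in parts]

class _Parser:
    """Recursive descent: expr = conj ('or' conj)*; conj = primary ('and' primary)*; 'not' binds tightest."""
    def __init__(self, tokens): self.toks, self.i = tokens, 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else ("eof", None)
    def take(self, want=None):
        tok = self.peek()
        if want is not None and tok != want:
            raise ValueError(f"expected {want[1]!r}, got {tok[1]!r}")
        self.i += 1
        return tok
    def parse(self):
        node = self.expr()
        if self.peek()[0] != "eof":                  # e.g. "host(x) port(25)" with the 'and' forgotten
            raise ValueError(f"unexpected trailing token {self.peek()[1]!r}")
        return node
    def expr(self): return self._binary("or", lambda: self._binary("and", self.primary))
    def _binary(self, word, operand):
        node = operand()
        while self.peek() == ("id", word):
            self.take()
            node = (word, node, operand())
        return node
    def primary(self):
        kind, val = self.take()
        if (kind, val) == ("id", "not"):
            return ("not", self.primary())
        if (kind, val) == ("op", "("):
            node = self.expr()
            self.take(("op", ")"))
            return node
        if kind != "id":
            raise ValueError(f"unexpected token {val!r}")
        if self.peek() == ("op", "("):               # host(ip), port(n), from_net(net,mask) ...
            self.take()
            args = [self.take()[1]]
            while self.peek() == ("op", ","):
                self.take()
                args.append(self.take()[1])
            self.take(("op", ")"))
            return ("func", val, args)
        if self.peek()[0] == "op" and self.peek()[1] in _OPS:   # src=..., sport>22, ip_len=1477
            return ("cmp", val, self.take()[1], self.take()[1])
        return ("kw", val)                           # bare keyword: tcp, udp, icmp, syn, established ...

def evaluate(node, pkt):
    tag = node[0]
    if tag in ("or", "and"):
        left = evaluate(node[1], pkt)
        return (left or evaluate(node[2], pkt)) if tag == "or" else (left and evaluate(node[2], pkt))
    if tag == "not":
        return not evaluate(node[1], pkt)
    if tag == "kw":                                   # protocol keyword or TCP state keyword
        if node[1] in _PROTO:
            return pkt["proto"] == _PROTO[node[1]]
        return pkt["proto"] == 6 and _TCP_STATE[node[1]](set(pkt.get("flags", ())))
    if tag == "cmp":
        _, field, op, value = node
        actual = pkt.get(_FIELDS[field])
        return actual is not None and _OPS[op](actual, value)   # absent field (e.g. dport on ICMP): no match
    _, name, args = node                              # function-style predicate
    if name == "host":
        return args[0] in (pkt["src"], pkt["dst"])
    if name in ("port", "tcpport", "udpport"):
        return (name == "port" or pkt["proto"] == _PROTO[name[:3]]) and args[0] in (pkt.get("sport"), pkt.get("dport"))
    net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)   # net / to_net / from_net
    in_src, in_dst = (ipaddress.ip_address(pkt[k]) in net for k in ("src", "dst"))
    return {"net": in_src or in_dst, "to_net": in_dst, "from_net": in_src}[name]

def matches(text, pkt):
    """Parse a fw monitor-style expression and test one packet record against it."""
    return evaluate(_Parser(tokenize(text)).parse(), pkt)

# Constructed sample packets in my own dict representation (not fw monitor's internal format)
SMTP_SYN = {"src": "216.163.137.10", "dst": "8.8.8.8", "proto": 6, "sport": 40123, "dport": 25, "ip_len": 60, "flags": ("syn",)}
SSH_DATA = {"src": "10.1.1.5", "dst": "208.44.108.136", "proto": 6, "sport": 22, "dport": 51000, "ip_len": 1477, "flags": ("ack", "psh")}
```

<p>Try it with the expressions from the list above, for instance <code>matches("accept from_net(216.163.137.68,24) and port(25) and dst=8.8.8.8 ;", SMTP_SYN)</code>, which is true, while the same expression is false for SSH_DATA; the mask argument is applied with strict=False so that a host address such as 216.163.137.68 is accepted where the table says network_address.</p>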
<p><strong>Resources:</strong></p>
<ul>
<li><a href="https://yurisk.info/wp-content/uploads/2009/12/yurisk.info_fw-monitor-reference.pdf">PDF version of fw monitor command reference</a></li>
<li><a href="https://yurisk.info/2010/02/13/fw-monitor-add-on/">using tables in Checkpoint fw monitor capture tool</a></li>
</ul>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>copy http flash – download from HTTP server to the Cisco router2009-10-20T19:06:33+00:002009-10-20T19:06:33+00:00Yuri Slobodyanyuktag:yurisk.info,2009-10-20:/2009/10/20/copy-http-flash-download-from-http-server-to-the-cisco-router/<p>You may need to download a remote file (usually an IOS image, but anything goes) to a Cisco router via HTTP.
The command is simple, but be aware of a few caveats:<br>
Router# <strong>copy http[:full URI specification] flash[: local path to save the file]</strong> </p>
<p>The caveats you should know: </p>
<p>- The router first resolves the server's domain name to an IP, then uses this IP as the <strong>Host header</strong> when talking to the remote HTTP server. This matters when you try to download something from a webserver already configured for <strong>Virtual hosts</strong>, because the webserver looks at this header and searches for the matching local file according to its internal logic.<br>
For example, if using Apache configured for name-based Virtual hosting, you should put the file to be downloaded in the <strong>default Virtual host</strong>, i.e. the first virtual host in the Apache configuration file. Let’s look at an example.<br>
Here we have the partial Apache config file: </p>
<div class="highlight"><pre><span></span><code>#The file we want to download is in /usr/local/apache2/htdocs/mrtg/test.bin
#Here comes the 1st VirtualHost entry
<VirtualHost *:80>
ServerAdmin admin@yurisk.net
DocumentRoot "/usr/local/apache2/htdocs/mrtg"
# as this is the 1st VirtualHost entry, the server names below are irrelevant for our case
ServerName mrtg.yurisk.info
ServerAlias mrtg.yurisk.net
ErrorLog "logs/mrtg.yurisk.info-error_log"
CustomLog "logs/mrtg.yurisk.info-custom_log" common
<Directory />
Options FollowSymLinks
AllowOverride None
#Here I set up basic authentication with a local user/pass file, you may omit this
AuthType Basic
AuthName "By My Invitation only :)"
AuthUserFile /usr/local/apache2/passwords
Require valid-user
Options None
#Uncomment below if not using the authentication
# Order allow,deny
# Allow from all
</Directory>
</VirtualHost>
</code></pre></div>
<p>- It is always a good idea to verify the downloaded file with its md5 sum. The command: </p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="c1">#verify /md5 flash:<downloaded file name></span><span class="w"></span>
</code></pre></div>
<p>- This command also supports copying over HTTPS, but it would add unwanted SSL encrypt/decrypt overhead, so I haven’t tested it yet. </p>
<p>Now the real-life example: </p>
<div class="highlight"><pre><span></span><code>Tair#copy http://qwerty:12345@214.90.51.41/test.bin flash
Destination filename [test.bin]?
Loading http://qwerty:12345@214.90.51.41/test.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
5120000 bytes copied in 17.924 secs (285651 bytes/sec)
Tair#verify /md5 flash:test.bin
...........................................................................................................................................................................................
.............................................................................................................................................................................................
..........................................................................................................................Done!
verify /md5 (flash:test.bin) = e8c39d44aafc82b035dfc7ad16fc2183
</code></pre></div>
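<p>The two caveats side by side, as an added Python example of my own (not IOS code and not part of Apache): the first function applies Apache's name-based VirtualHost rule, so a Host header that is an IP address matches no ServerName or ServerAlias and lands in the first VirtualHost of the configuration, the default; the second pair of functions pulls the digest out of the verify /md5 result line and compares it with the file you actually published, which is the check the article recommends. The VirtualHost list, the sample image bytes and the IOS output line are constructed; the digest in that constructed line is the md5 of the sample bytes (the RFC 1321 test vector for "abc"), not the page's.</p>

```python
import hashlib
import re


class VirtualHost:
    """One VirtualHost block reduced to what name-based selection needs."""

    def __init__(self, server_name, document_root, aliases=()):
        self.server_name, self.document_root, self.aliases = server_name, document_root, tuple(aliases)


def select_vhost(host_header, vhosts):
    """Apache's name-based rule: the first block whose ServerName or ServerAlias equals the
    Host header (port stripped, case-insensitive) wins; with no match the first block in the
    configuration is the default. A router that sends the IP as Host always lands there."""
    name = host_header.rsplit(":", 1)[0].strip().lower()
    for vh in vhosts:
        if name == vh.server_name.lower() or name in (a.lower() for a in vh.aliases):
            return vh
    return vhosts[0]


def served_file(host_header, request_path, vhosts):
    """Local file Apache would hand out for this Host header and request path."""
    vh = select_vhost(host_header, vhosts)
    return vh.document_root.rstrip("/") + "/" + request_path.lstrip("/")


_VERIFY_RE = re.compile(r"verify /md5 \((\S+)\) = ([0-9a-fA-F]{32})")


def parse_verify_md5(ios_output):
    """Extract (filename, digest) from the result line of IOS 'verify /md5 flash:...'."""
    m = _VERIFY_RE.search(ios_output)
    if not m:
        raise ValueError("no 'verify /md5 (...) = digest' line in output")
    return m.group(1), m.group(2).lower()


def image_matches(ios_output, published_bytes):
    """True when the digest the router computed equals the digest of the file we published."""
    _, reported = parse_verify_md5(ios_output)
    return hashlib.md5(published_bytes).hexdigest() == reported


# Constructed inputs: a two-host Apache layout, the bytes we published, and the router's verify output
VHOSTS = [
    VirtualHost("mrtg.yurisk.info", "/usr/local/apache2/htdocs/mrtg", aliases=("mrtg.yurisk.net",)),
    VirtualHost("www.example.test", "/var/www/example"),
]
SAMPLE_IMAGE = b"abc"                      # stands in for test.bin; its md5 is the RFC 1321 test vector
IOS_VERIFY_OUTPUT = "verify /md5 (flash:test.bin) = 900150983cd24fb0d6963f7d28e17f72"
```

<p>With this layout a request carrying <code>Host: 214.90.51.41</code> is served from the mrtg DocumentRoot, exactly as the article's config intends, whereas a browser sending <code>Host: www.example.test</code> gets the second host. If the file you wanted the router to fetch lived only under the second host, the router would download whatever the default host has at that path, and the md5 comparison is what would catch it.</p>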
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>SSH login alert by mail Linux or Unix based systems2009-09-18T10:24:40+00:002009-09-18T10:24:40+00:00Yuri Slobodyanyuktag:yurisk.info,2009-09-18:/2009/09/18/ssh-login-alert-by-mail-linux-or-unix-based-systems/<p>You can get mail alerts on SSH login to any Linux server using the script below. This script sends mail to a predefined email address each time someone successfully logs in by SSH to the machine.</p>
<p>I take advantage here of a built-in feature of the OpenSSH daemon – if you create a text file containing commands (as if you typed them on the command line) and name it either <strong>/etc/ssh/sshrc</strong> or <strong><user home dir>/.ssh/rc</strong>, the commands in this file will be run each time a user logs in through the SSH daemon. The file has to be readable by the user logging in through SSH.</p>
<p><strong>Note 1:</strong><br>
The file /etc/ssh/sshrc is applied globally to any user logging in, unless:<br>
the file <user home dir>/.ssh/rc overrides the action of /etc/ssh/sshrc. Caveat here – it is enough for a user to put an empty file named rc in his home .ssh directory and it will disable /etc/ssh/sshrc, including the mail alerts sent from it. Actually it is not that big of an issue, as you may create the rc file in the home directory of the user yourself and give it 644 permissions; while the user will know what is going on when doing an SSH login, he/she won’t be able to do anything about that.</p>
<p>So, to the script itself.
Here:<br>
<code>yurisk@yurisk.info</code> – the mail address to which I get the alert<br>
<code>mail.yurisk.info</code> - the mail server that accepts mail destined for the yurisk.info domain (its MX record)<br>
<code>SENDING_HOST</code> - hostname of the sending host, included in the subject so that later I can create a mail inbox rule to pay appropriate attention to such mails<br>
<code>USER_ID</code> - output of the #id command, so I will also be able to filter incoming messages on the user logged in</p>
<p>/etc/ssh/mail_alert.awk</p>
<div class="highlight"><pre><span></span><code>BEGIN {
# Set up some info to be included in the mail
# As you see I prefer to use absolute pathnames, but you don't have to
# Find the hostname on which the SSH login happened, to be included in the Subject
"/bin/hostname" | getline SENDING_HOST
# Find the ID of the logged-in user (first field of the id output, e.g. uid=0(root))
"/usr/bin/id" | getline
USER_ID = $1
# gawk bidirectional pipe (|&) to TCP port 25 of the MX for the destination domain
SMTP = "/inet/tcp/0/mail.yurisk.info/25"
# SMTP lines end with CRLF, both when reading and when writing
RS = ORS = "\r\n"
# One getline per command reads exactly one reply line; a multi-line reply will desync this dialogue
print "helo yurisk.info" |& SMTP
SMTP |& getline
print "mail from: <yurisk@yurisk.info>" |& SMTP
SMTP |& getline
print "rcpt to: <yurisk@yurisk.info>" |& SMTP
SMTP |& getline
print "data" |& SMTP
SMTP |& getline
print "Subject: SSH login alert - user " USER_ID " logged in " SENDING_HOST |& SMTP
# An empty line separates the headers from the body (a bare print would resend $0, i.e. the id output)
print "" |& SMTP
# First line of the w output: uptime, load and number of logged-in users
"/usr/bin/w" | getline
print $0 |& SMTP
print " He is most free from danger, who, even when safe, is on his guard " |& SMTP
print " " |& SMTP
# A lone dot terminates the message body; read the server's acceptance before quitting
print "." |& SMTP
SMTP |& getline
print "quit" |& SMTP
}
</code></pre></div>
<p>- Now the file that is checked on each login for commands (I put both files in /etc/ssh/):</p>
<p>/etc/ssh/sshrc<br>
<code>awk -f /etc/ssh/mail_alert.awk > /dev/null</code></p>
<p>Note for FreeBSD (I guess any *BSD) users: in the rc file above you will have to replace awk with gawk, as in *BSD systems awk behaves as the old-style Unix awk that has no bidirectional pipe to connect to the mail server.</p>
<p>PS. You might be asking why awk here? True, Linux/Unix have a perfect tool for sending mail called #mail, but I did it with awk for a reason - not on every (especially hardened) system will you find the mail/telnet/etc. utilities with which sending mail is simpler and more reliable. The biggest one is the Checkpoint firewall - it has NO mail or telnet clients, nor any scripting language beyond AWK and Bash.</p>
<p>The downside of awk is that it is not perfect for more or less complex protocols. So the script may get stuck, send commands too fast, etc., and therefore be disconnected by the server.</p>
<p>Also, if the receiving mail server uses greylisting, this script won't understand it. So check it in an interactive session before using. </p>
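<p>The SMTP exchange the awk script performs, as an added Python example of my own (it is not the article's script, and it is no replacement for it on a Checkpoint box that has no Python): the client sends the same HELO/MAIL/RCPT/DATA/QUIT sequence, but it reads complete replies, including multi-line ones, and checks every reply code, so the greylisting 451 and a 5xx rejection become distinct outcomes instead of the stuck dialogue or disconnect described above. The scripted server, host names, addresses and message text are constructed stand-ins; nothing here touches the network.</p>

```python
class SmtpError(Exception):
    """A reply the client did not expect."""

class TemporaryFailure(SmtpError):
    """4xx reply: retry later (a greylisting MX answers the first RCPT this way)."""

class PermanentFailure(SmtpError):
    """5xx reply: rejected; retrying the same message will not help."""

def read_reply(readline):
    """Read one complete SMTP reply and return (code, text). A '-' after the code ('250-...')
    marks a continuation line; reading a single line per command, as the awk script does, desyncs on them."""
    lines = []
    while True:
        line = readline()
        if not line:
            raise SmtpError("connection closed by server")
        line = line.rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), " ".join(lines)

def expect(reply, *ok_codes):
    """Map an unexpected reply to the failure class a retry policy can act on."""
    code, text = reply
    if code in ok_codes:
        return code
    if 400 <= code < 500:
        raise TemporaryFailure(f"{code} {text}")
    raise PermanentFailure(f"{code} {text}")

def send_alert(readline, writeline, helo_name, sender, rcpt, subject, body_lines):
    """The awk script's HELO/MAIL/RCPT/DATA/QUIT sequence with every reply checked.
    Returns the transcript as ('C'|'S', line) pairs."""
    log = []

    def say(cmd):
        log.append(("C", cmd))
        writeline(cmd)

    def reply(*ok):
        r = read_reply(readline)
        log.append(("S", f"{r[0]} {r[1]}"))
        expect(r, *ok)

    reply(220)                                   # banner, possibly multi-line
    say(f"HELO {helo_name}"); reply(250)
    say(f"MAIL FROM:<{sender}>"); reply(250)
    say(f"RCPT TO:<{rcpt}>"); reply(250, 251)    # a greylisting MX answers 451 here
    say("DATA"); reply(354)
    say(f"Subject: {subject}")
    say("")                                      # blank line ends the headers
    for line in body_lines:
        say("." + line if line.startswith(".") else line)   # dot-stuffing (RFC 5321 section 4.5.2)
    say("."); reply(250)                         # lone dot ends the message
    say("QUIT"); reply(221)
    return log

class ScriptedServer:
    """Constructed stand-in for the receiving MX: answers from a table, no network involved."""
    def __init__(self, greylist=False):
        self.greylist, self.in_data, self.received = greylist, False, []
        self.pending = ["220-mx.example.test ESMTP", "220 ready"]      # multi-line banner
    def readline(self):
        return self.pending.pop(0) + "\r\n" if self.pending else ""
    def writeline(self, line):
        self.received.append(line)
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.pending.append("250 2.0.0 queued")
            return
        verb = line.split(" ", 1)[0].upper()
        if verb == "HELO":
            self.pending.append("250 mx.example.test")
        elif verb == "MAIL":
            self.pending.append("250 2.1.0 sender ok")
        elif verb == "RCPT":
            self.pending.append("451 4.7.1 greylisted, try again later" if self.greylist else "250 2.1.5 ok")
        elif verb == "DATA":
            self.in_data = True
            self.pending.append("354 end data with CRLF.CRLF")
        elif verb == "QUIT":
            self.pending.append("221 2.0.0 bye")
        else:
            self.pending.append("500 5.5.1 command unrecognized")

def deliver(server, **message):
    """Outcome a cron or retry wrapper would act on."""
    try:
        send_alert(server.readline, server.writeline, **message)
        return "sent"
    except TemporaryFailure:
        return "retry later"
    except PermanentFailure:
        return "rejected"

# Constructed alert, mirroring what the awk script assembles from hostname, id and w
ALERT = dict(helo_name="lonestar.example.test", sender="alert@example.test", rcpt="admin@example.test",
             subject="SSH login alert - user uid=0(root) logged in lonestar.example.test",
             body_lines=["21:23 up 12 days, 1 user, load average: 0.01, 0.02, 0.00", ".hidden line"])
```

<p>Run <code>deliver(ScriptedServer(), **ALERT)</code> for the normal path and <code>deliver(ScriptedServer(greylist=True), **ALERT)</code> to see the 451 surface as "retry later" before DATA is ever sent; on a real host you would pass the readline/writeline of a socket's file object instead of the scripted server.</p>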
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Reinstall Checkpoint UTM-1 firewall, the hard way...2009-09-13T17:20:10+00:002009-09-13T17:20:10+00:00Yuri Slobodyanyuktag:yurisk.info,2009-09-13:/2009/09/13/reinstall-checkpoint-utm-firewall-the-hard-way/<p><strong>Update 2022</strong>: This article was written for <strong>UTM-1</strong> appliances, the first appliance offered by Checkpoint in 2009. It is no longer available, nor exists anywhere, to the best of my knowledge. The procedure of reinstalling a (new) Checkpoint Appliance has changed and became much easier. So, see this article as a historical reference only, not applicable anymore in real life.</p>
<p>Sometimes machines fail; in the end all machines fail some day anyway. When it happens to the firewall (Checkpoint) it might be a very
frustrating event. By failing I mean the machine turns on but doesn’t boot, or boots into an unusable state.
If you have a Checkpoint Open Server (i.e. Checkpoint VPN-1 software installed on a 3rd party server) then most probably you have a CD/DVD drive in it, and what is left is to find the installation CD of the Checkpoint – 30 minutes, some basic rules, and your network, partially at least, starts to work.
But if you have a Checkpoint UTM-1 appliance you have a problem. A big one. There is no button to restore to factory defaults, nor a CD/DVD drive to start formatting/reinstalling the firewall immediately. Not that Checkpoint didn’t think about that situation, just the reinstalling/reimaging procedure is a bit involved.
I won’t say new things, as all is neatly documented in the SecureKnowledge base of checkpoint.com (sk37231). I will only list the steps to reimage a UTM-1 appliance:<br>
- You download from checkpoint.com a UTM .ISO image matching your UTM version;<br>
- You burn it to a DVD disk (it is 1.5 Gigabytes in size);<br>
- You connect a USB DVD drive to the USB port of the UTM, reboot from it and start the install from scratch. </p>
<p>That is it.</p>
<p>PS If you happen to forget the SSH password of the expert user you are also left with this option: try to boot the appliance from some bootable DVD and reset the password, or just plain reinstall the whole firewall. So be very careful about SSH passwords for the UTM appliances.</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Ping – setting don't fragment bit in Linux/Windows/FreeBSD/Solaris/Cisco/Juniper2009-09-01T08:42:46+00:002009-09-01T08:42:46+00:00Yuri Slobodyanyuktag:yurisk.info,2009-09-01:/2009/09/01/ping-setting-dont-fragment-bit-in-linuxfreebsdsolarisciscojuniper/<ul>
<li><a href="#linux">Linux</a></li>
<li><a href="#windows">Windows</a></li>
<li><a href="#freebsd">FreeBSD</a></li>
<li><a href="#solaris">Solaris</a></li>
<li><a href="#cisco-routers-ios">CISCO routers (IOS)</a></li>
<li><a href="#juniper-routers-junos">Juniper routers (JunOS)</a></li>
</ul>
<p><strong>Ping.</strong><br>
Many times while debugging network problems of various kinds you need to send packets
of a desired size with the don’t fragment bit set. I list below how to do it for the different equipment/OSes.
Let’s start with the most popular operating system among network folks – Linux:</p>
<p><a name="linux"></a></p>
<h1>Linux</h1>
<p>By default, ping in any Linux-based system (which means any distribution – Slackware, Ubuntu, CentOS etc.) is sent with the <em>Don’t fragment (df)</em> bit set. You don’t need to add any command line switches for that. Here is what you get with the default ping in Linux:<br>
Defaults:<br>
Don’t fragment bit (in echo request) - <strong>set</strong><br>
IP packet size – <strong>84 bytes</strong><br>
Sending interval - <strong>1 second</strong> </p>
<p>Some examples.<br>
- sending station: </p>
<div class="highlight"><pre><span></span><code><span class="o">[</span><span class="n">root@lonestar ~</span><span class="o">]</span><span class="err">#</span><span class="w"> </span><span class="n">ping</span><span class="w"> </span><span class="mf">191.91.21.41</span><span class="w"></span>
</code></pre></div>
<p>- receiving station:<br>
[root@darkstar ~]#<strong>tcpdump -s 1500 -n -vv icmp</strong></p>
<div class="highlight"><pre><span></span><code><span class="mi">21</span><span class="err">:</span><span class="mi">23</span><span class="err">:</span><span class="mf">51.598641</span><span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="p">(</span><span class="n">tos</span><span class="w"> </span><span class="mh">0x0</span><span class="p">,</span><span class="w"> </span><span class="n">ttl</span><span class="w"> </span><span class="mi">61</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">20</span><span class="p">,</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">flags</span><span class="w"> </span><span class="o">[</span><span class="n">DF</span><span class="o">]</span><span class="p">,</span><span class="w"> </span><span class="nl">proto</span><span class="p">:</span><span class="w"> </span><span class="n">ICMP</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">),</span><span class="w"> </span><span class="nl">length</span><span class="p">:</span><span class="w"> </span><span class="mi">84</span><span class="p">)</span><span class="w"> </span><span class="mf">112.225.125.100</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="mf">10.99.99.150</span><span class="err">:</span><span class="w"> </span><span class="n">ICMP</span><span class="w"> </span><span class="n">echo</span><span class="w"> </span><span class="n">request</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">5392</span><span class="p">,</span><span class="w"> </span><span class="n">seq</span><span class="w"> </span><span class="mi">20</span><span class="p">,</span><span class="w"> </span><span class="n">length</span><span 
class="w"> </span><span class="mi">64</span><span class="w"></span>
<span class="mi">21</span><span class="err">:</span><span class="mi">23</span><span class="err">:</span><span class="mf">51.598817</span><span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="p">(</span><span class="n">tos</span><span class="w"> </span><span class="mh">0x0</span><span class="p">,</span><span class="w"> </span><span class="n">ttl</span><span class="w"> </span><span class="mi">64</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">7135</span><span class="p">,</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">flags</span><span class="w"> </span><span class="o">[</span><span class="n">none</span><span class="o">]</span><span class="p">,</span><span class="w"> </span><span class="nl">proto</span><span class="p">:</span><span class="w"> </span><span class="n">ICMP</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">),</span><span class="w"> </span><span class="nl">length</span><span class="p">:</span><span class="w"> </span><span class="mi">84</span><span class="p">)</span><span class="w"> </span><span class="mf">10.99.99.150</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="mf">112.225.125.100</span><span class="err">:</span><span class="w"> </span><span class="n">ICMP</span><span class="w"> </span><span class="n">echo</span><span class="w"> </span><span class="n">reply</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">5392</span><span class="p">,</span><span class="w"> </span><span class="n">seq</span><span class="w"> </span><span class="mi">20</span><span class="p">,</span><span class="w"> </span><span class="n">length</span><span class="w"> </span><span class="mi">64</span><span 
class="w"></span>
</code></pre></div>
<p>To change the sent packet size:
<strong>-s <size> , bytes</strong> (8 bytes of ICMP header will be added automatically).</p>
<p>Sending host:<br>
[root@darkstar ~]#<strong>ping 10.99.99.158 -s 1300</strong></p>
<div class="highlight"><pre><span></span><code>PING 10.99.99.158 (10.99.99.158) 1300(1328) bytes of data.
1308 bytes from 10.99.99.158: icmp_seq=1 ttl=64 time=1.65 ms
</code></pre></div>
<p>Receiving host:<br>
freeBSD#<strong>tcpdump -n -v -s 1500 icmp</strong> </p>
<div class="highlight"><pre><span></span><code>16:15:11.901787 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 1328) 10.99.99.150 > 10.99.99.158: ICMP echo request, id 44399, seq 63, length 1308
</code></pre></div>
<p>To change the sending interval (mostly used together with a large packet size):<br>
<strong>-i &lt;secs&gt;</strong></p>
<p>Sending host:<br>
[root@darkstar ~]#<strong>ping -s 1300 -i 0.2 10.99.99.158</strong></p>
<p>Receiving host:<br>
freeBSD#<strong>tcpdump -n -v -s 1500 icmp</strong></p>
<div class="highlight"><pre><span></span><code>16:20:11.223481 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 1328) 10.99.99.150 > 10.99.99.158: ICMP echo request, id 1136, seq 396, length 1308
16:20:11.223496 IP (tos 0x0, ttl 64, id 805, offset 0, flags [DF], proto ICMP (1), length 1328) 10.99.99.158 > 10.99.99.150: ICMP echo reply, id 1136, seq 396, length 1308
</code></pre></div>
<p>To force Linux to send pings with the DF bit cleared (i.e. not set):<br>
<strong>ping -M dont</strong></p>
<p>Sending host:</p>
<p>[root@darkstar ~]#<strong>ping -s 1300 -M dont 10.99.99.158</strong></p>
<div class="highlight"><pre><span></span><code>PING 10.99.99.158 (10.99.99.158) 1300(1328) bytes of data.
1308 bytes from 10.99.99.158: icmp_seq=1 ttl=64 time=0.560 ms
</code></pre></div>
<p>Receiving host:</p>
<p>freeBSD#<strong>tcpdump -n -v -s 1500 icmp</strong> </p>
<div class="highlight"><pre><span></span><code>16:28:33.111903 IP (tos 0x0, ttl 64, id 41857, offset 0, flags [none], proto ICMP (1), length 1328) 10.99.99.150 > 10.99.99.158: ICMP echo request, id 33136, seq 6, length 1308
16:28:33.111920 IP (tos 0x0, ttl 64, id 9425, offset 0, flags [none], proto ICMP (1), length 1328) 10.99.99.158 > 10.99.99.150: ICMP echo reply, id 33136, seq 6, length 1308
</code></pre></div>
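<p>When checking captures like the ones above, the fields that matter are the direction, whether the DF flag is set, the IP total length and the ICMP data size (the number that was given to <code>ping -s</code>). The following is an added example and not code from the original post: a POSIX shell function (<code>icmp_df_summary</code>, my name) that wraps awk and reduces each verbose <code>tcpdump</code> line to exactly those fields, handling both the Linux format (<code>proto ICMP (1), length N</code>) and the FreeBSD format (<code>proto: ICMP (1), length: N</code>) seen on this page. The sample input in <code>sample_capture</code> is constructed from lines of this page. As a sanity check it also marks lines where the IP length is not the ICMP length plus a plain 20-byte IPv4 header, which would point at IP options in the header.</p>

```shell
#!/bin/sh
# Added example: summarise verbose "tcpdump -n -v icmp" lines (not code from the original post).

# Constructed sample in the two formats shown on this page: Linux tcpdump prints
# "proto ICMP (1), length N", FreeBSD's prints "proto: ICMP (1), length: N".
sample_capture() {
    cat <<'EOF'
16:20:11.223481 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 1328) 10.99.99.150 > 10.99.99.158: ICMP echo request, id 1136, seq 396, length 1308
16:28:33.111920 IP (tos 0x0, ttl 64, id 9425, offset 0, flags [none], proto ICMP (1), length 1328) 10.99.99.158 > 10.99.99.150: ICMP echo reply, id 33136, seq 6, length 1308
21:50:07.944761 IP (tos 0x0, ttl 64, id 12831, offset 0, flags [DF], proto: ICMP (1), length: 348) 10.99.99.158 > 10.99.99.150: ICMP echo request, id 50962, seq 1, length 328
EOF
}

# Reads tcpdump -v lines on stdin and prints one line per echo request/reply:
#   <src> <dst> <request|reply> df=<yes|no> ip=<IP total length> data=<ICMP data bytes>
# data = ICMP length - 8 (ICMP header), i.e. the number handed to "ping -s".
# A trailing " len_mismatch" marks lines where IP length != ICMP length + 20
# (the plain IPv4 header), e.g. when IP options are present.
icmp_df_summary() {
    awk '
    /ICMP echo (request|reply)/ {
        df = ($0 ~ /flags \[DF\]/) ? "yes" : "no"
        n = 0
        for (i = 1; i <= NF; i++) {
            f = $i; sub(/:$/, "", f)                       # "length:" -> "length"
            if (f == "length") { v = $(i + 1); sub(/[),]/, "", v); len[++n] = v }
            if ($i == ">")     { src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst) }
            if ($i == "echo")  { type = $(i + 1); sub(/,$/, "", type) }
        }
        iplen = len[1] + 0; icmplen = len[2] + 0
        note = (iplen == icmplen + 20) ? "" : " len_mismatch"
        printf "%s %s %s df=%s ip=%d data=%d%s\n", src, dst, type, df, iplen, icmplen - 8, note
    }'
}

# Stand-alone run: summarise the constructed sample.
sample_capture | icmp_df_summary
```

<p>For a live capture pipe <code>tcpdump -n -v icmp</code> straight into <code>icmp_df_summary</code>; the first sample line above comes out as <code>10.99.99.150 10.99.99.158 request df=yes ip=1328 data=1300</code>, which is exactly the <code>ping -s 1300</code> with DF set that the Linux sender transmitted.</p>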
<p><strong>SideNote:</strong> FreeBSD ping has a nice add-on (see below): sweeping the size of the packets. Linux ping has no such feature, so below is a script to emulate it on Linux:</p>
<div class="highlight"><pre><span></span><code>awk ' BEGIN {for (size=100;size&lt;1470;size++) {
cmd = ("ping -c 3 -i 0.5 -s " size " " "10.99.99.158")
print cmd | "/bin/bash"
close("/bin/bash") } } '
</code></pre></div>
<p>Here:<br>
<em>size</em> – size of the data in the ICMP packet (bytes);<br>
<em>-i 0.5</em> – interval of 0.5 seconds between pings (optional);<br>
<em>-c 3</em> – number of pings in each size session (NOT optional – otherwise the first ping never finishes and you get an endless loop which even Ctrl-C won't be able to stop)</p>
<p>See it in action:<br>
[root@darkstar ~]#<strong>awk ' BEGIN {for (size=100;size&lt;1470;size++) {<br>
cmd = ("ping -c 3 -i 0.5 -s " size " " "10.99.99.158")<br>
print cmd | "/bin/bash"<br>
close("/bin/bash") } } '</strong></p>
<div class="highlight"><pre><span></span><code>PING 10.99.99.158 (10.99.99.158) 100(128) bytes of data.
108 bytes from 10.99.99.158: icmp_seq=1 ttl=64 time=1.75 ms
108 bytes from 10.99.99.158: icmp_seq=2 ttl=64 time=0.276 ms
108 bytes from 10.99.99.158: icmp_seq=3 ttl=64 time=0.201 ms
--- 10.99.99.158 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.201/0.742/1.750/0.713 ms
PING 10.99.99.158 (10.99.99.158) 101(129) bytes of data.
109 bytes from 10.99.99.158: icmp_seq=1 ttl=64 time=0.185 ms
109 bytes from 10.99.99.158: icmp_seq=2 ttl=64 time=0.253 ms
109 bytes from 10.99.99.158: icmp_seq=3 ttl=64 time=0.230 ms
--- 10.99.99.158 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.185/0.222/0.253/0.033 ms
PING 10.99.99.158 (10.99.99.158) 102(130) bytes of data.
110 bytes from 10.99.99.158: icmp_seq=1 ttl=64 time=0.118 ms
110 bytes from 10.99.99.158: icmp_seq=2 ttl=64 time=0.201 ms
110 bytes from 10.99.99.158: icmp_seq=3 ttl=64 time=0.343 ms
--- 10.99.99.158 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.118/0.220/0.343/0.094 ms
PING 10.99.99.158 (10.99.99.158) 103(131) bytes of data.
111 bytes from 10.99.99.158: icmp_seq=1 ttl=64 time=0.565 ms
111 bytes from 10.99.99.158: icmp_seq=2 ttl=64 time=0.182 ms
111 bytes from 10.99.99.158: icmp_seq=3 ttl=64 time=0.329 ms
</code></pre></div>
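<p>The awk loop above walks through every size and does not stop when packets start failing, so finding the path MTU from its output is manual work. As an added example (not code from the original post), here is a POSIX shell script with two helpers of my own naming: <code>pmtu_sweep</code>, a stepped sweep like the awk loop (and like the stepped sweeps used on Windows and FreeBSD later on this page) that stops at the first size which gets no reply, and <code>pmtu_search</code>, a binary search that needs only about log2 of the number of probes. Both take the probe as a function argument so the real one, <code>probe_linux</code>, can be replaced by a simulated one for testing; <code>probe_linux</code> assumes iputils ping on Linux, where <code>-M do</code> sets DF and <code>-W</code> is the reply timeout in seconds. The host address is an assumption to adjust.</p>

```shell
#!/bin/sh
# Added example (not from the original post): path-MTU probing with the DF bit set.

IP_ICMP_OVERHEAD=28   # 20-byte IPv4 header + 8-byte ICMP header on top of the "ping -s" data

# probe_linux DATA_SIZE HOST: succeed only if an echo reply came back with DF set.
# Assumes iputils ping on Linux: -M do sets DF, -W is the reply timeout in seconds.
probe_linux() {
    ping -c 1 -W 1 -M do -s "$1" "$2" >/dev/null 2>&1
}

# pmtu_sweep PROBE HOST START STOP STEP
# Stepped sweep like the awk loop or the Windows "for /L", but it stops at the first
# size that fails and prints "<last good data size> <its IP packet size>".
pmtu_sweep() {
    probe=$1 host=$2 size=$3 stop=$4 step=$5
    best=0
    while [ "$size" -le "$stop" ]; do
        "$probe" "$size" "$host" || break
        best=$size
        size=$((size + step))
    done
    echo "$best $((best + IP_ICMP_OVERHEAD))"
}

# pmtu_search PROBE HOST LO HI
# Binary search for the largest data size in [LO, HI] that PROBE accepts. Relies on
# DF probing being monotone: every size above the path MTU fails, every size below
# it succeeds. Prints "<data size> <IP packet size>"; "0 28" means nothing got through.
pmtu_search() {
    probe=$1 host=$2 lo=$3 hi=$4
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then
            best=$mid
            lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best $((best + IP_ICMP_OVERHEAD))"
}

# Stand-alone use: sh pmtu.sh 10.99.99.158   (host is an assumption; without an
# argument the script only defines the functions, so it can be sourced or tested)
if [ -n "$1" ]; then
    pmtu_search probe_linux "$1" 100 1500
fi
```

<p>On a plain Ethernet path the search ends at a data size of 1472, i.e. a 1500-byte IP packet, and the next size up is the one that yields "message too long" or a silent drop. A drop with no ICMP "fragmentation needed" reply coming back is worth noting on its own: it usually means a firewall on the path filters ICMP type 3 code 4, which is what breaks Path MTU Discovery for real traffic.</p>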
<p><a name="windows"></a></p>
<h1>Windows</h1>
<p>In Windows, you use <strong>-f</strong> in ping to set the "don't fragment" bit and <strong>-l</strong> to set the data size.
To discover the MTU over the path, you can sweep ping sizes with an increment.
For example, here I start pinging 8.8.8.8 with a size of 1450, send 2 ICMP Echo
Request packets of each size, and increase the size by 20 bytes each time.</p>
<div class="highlight"><pre><span></span><code>for /L %A in (1450,20,2500) do ping -f -l %A -n 2 8.8.8.8
</code></pre></div>
<p><a name="freebsd"></a></p>
<h1>FreeBSD</h1>
<p>Defaults:<br>
Don't fragment bit – <strong>not set</strong>; use the <strong>-D</strong> option to set it<br>
IP packet size: <strong>84 bytes</strong>; use the <strong>-s</strong> option to change it<br>
Sending interval: <strong>1 sec</strong>; use <strong>-i secs</strong> to change it</p>
<p>e.g. sending pings with a data size of 1300 bytes, an interval of 0.2 seconds and the DF bit set:</p>
<p>Sending host[10.99.99.158]:<br>
freeBSD# <strong>ping -D -s 1300 -i 0.2 10.99.99.150</strong></p>
<p>Receiving host[10.99.99.150]: </p>
<div class="highlight"><pre><span></span><code>[root@darkstar ~]# tcpdump -n -v -s 1500 host 10.99.99.158
20:42:57.816697 IP (tos 0x0, ttl 64, id 11630, offset 0, flags [DF], proto: ICMP (1), length: 1328) 10.99.99.158 > 10.99.99.150: ICMP echo request, id 10770, seq 23, length 1308
20:42:57.816914 IP (tos 0x0, ttl 64, id 33327, offset 0, flags [none], proto: ICMP (1), length: 1328) 10.99.99.150 > 10.99.99.158: ICMP echo reply, id 10770, seq 23, length 1308
</code></pre></div>
<p><strong>SideNote:</strong> The BSD family has a nice additional option not found in most other systems – you can tell ping to sweep the size of the sent packets.
Example follows:</p>
<p>Here the sweep range is from 20 bytes up to 1400 bytes and the step is 300 bytes.</p>
<p>Sending host[10.99.99.158]:<br>
freeBSD#<strong>ping -D -g 20 -G 1400 -h 300 10.99.99.150</strong></p>
<div class="highlight"><pre><span></span><code>PING 10.99.99.150 (10.99.99.150): (20 ... 1400) data bytes
28 bytes from 10.99.99.150: icmp_seq=0 ttl=64 time=1.313 ms
328 bytes from 10.99.99.150: icmp_seq=1 ttl=64 time=0.531 ms
628 bytes from 10.99.99.150: icmp_seq=2 ttl=64 time=0.581 ms
928 bytes from 10.99.99.150: icmp_seq=3 ttl=64 time=0.362 ms
1228 bytes from 10.99.99.150: icmp_seq=4 ttl=64 time=0.223 ms
--- 10.99.99.150 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.223/0.602/1.313/0.377 ms
</code></pre></div>
<p>Receiving host[10.99.99.150]:</p>
<div class="highlight"><pre><span></span><code>[root@darkstar ~]# tcpdump -n -v -s 1500 host 10.99.99.158
21:50:06.942165 IP (tos 0x0, ttl 64, id 12828, offset 0, flags [DF], proto: ICMP (1), length: 48) 10.99.99.158 > 10.99.99.150: ICMP echo request, id 50962, seq 0, length 28
21:50:06.944098 IP (tos 0x0, ttl 64, id 43255, offset 0, flags [none], proto: ICMP (1), length: 48) 10.99.99.150 > 10.99.99.158: ICMP echo reply, id 50962, seq 0, length 28
21:50:07.944761 IP (tos 0x0, ttl 64, id 12831, offset 0, flags [DF], proto: ICMP (1), length: 348) 10.99.99.158 > 10.99.99.150: ICMP echo request, id 50962, seq 1, length 328
21:50:07.944826 IP (tos 0x0, ttl 64, id 43256, offset 0, flags [none], proto: ICMP (1), length: 348) 10.99.99.150 > 10.99.99.158: ICMP echo reply, id 50962, seq 1, length 328
21:50:08.945815 IP (tos 0x0, ttl 64, id 12833, offset 0, flags [DF], proto: ICMP (1), length: 648) 10.99.99.158 > 10.99.99.150: ICMP echo request, id 50962, seq 2, length 628
21:50:08.945890 IP (tos 0x0, ttl 64, id 43257, offset 0, flags [none], proto: ICMP (1), length: 648) 10.99.99.150 > 10.99.99.158: ICMP echo reply, id 50962, seq 2, length 628
<span class="mi">21</span><span class="err">:</span><span class="mi">50</span><span class="err">:</span><span class="mf">09.946724</span><span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="p">(</span><span class="n">tos</span><span class="w"> </span><span class="mh">0x0</span><span class="p">,</span><span class="w"> </span><span class="n">ttl</span><span class="w"> </span><span class="mi">64</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">12835</span><span class="p">,</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">flags</span><span class="w"> </span><span class="o">[</span><span class="n">DF</span><span class="o">]</span><span class="p">,</span><span class="w"> </span><span class="nl">proto</span><span class="p">:</span><span class="w"> </span><span class="n">ICMP</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">),</span><span class="w"> </span><span class="nl">length</span><span class="p">:</span><span class="w"> </span><span class="mi">948</span><span class="p">)</span><span class="w"> </span><span class="mf">10.99.99.158</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="mf">10.99.99.150</span><span class="err">:</span><span class="w"> </span><span class="n">ICMP</span><span class="w"> </span><span class="n">echo</span><span class="w"> </span><span class="n">request</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">50962</span><span class="p">,</span><span class="w"> </span><span class="n">seq</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="n">length</span><span class="w"> </span><span class="mi">928</span><span 
class="w"></span>
<span class="mi">21</span><span class="err">:</span><span class="mi">50</span><span class="err">:</span><span class="mf">09.946819</span><span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="p">(</span><span class="n">tos</span><span class="w"> </span><span class="mh">0x0</span><span class="p">,</span><span class="w"> </span><span class="n">ttl</span><span class="w"> </span><span class="mi">64</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">43258</span><span class="p">,</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">flags</span><span class="w"> </span><span class="o">[</span><span class="n">none</span><span class="o">]</span><span class="p">,</span><span class="w"> </span><span class="nl">proto</span><span class="p">:</span><span class="w"> </span><span class="n">ICMP</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">),</span><span class="w"> </span><span class="nl">length</span><span class="p">:</span><span class="w"> </span><span class="mi">948</span><span class="p">)</span><span class="w"> </span><span class="mf">10.99.99.150</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="mf">10.99.99.158</span><span class="err">:</span><span class="w"> </span><span class="n">ICMP</span><span class="w"> </span><span class="n">echo</span><span class="w"> </span><span class="n">reply</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">50962</span><span class="p">,</span><span class="w"> </span><span class="n">seq</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="n">length</span><span class="w"> </span><span class="mi">928</span><span 
class="w"></span>
</code></pre></div>
<p><a name="solaris"></a></p>
<h1>Solaris</h1>
<p>Defaults:<br>
Don’t fragment bit - <strong>not set</strong>, and <strong>not changeable</strong>. Yes, it sounds strange, but Solaris doesn’t support the DF bit in its ping utility. You may set the DF bit in its traceroute program, but traceroute has no provision for changing the packet size and is therefore of no value for our case.</p>
<p>Non-verbose; use <strong>-s</strong> to override<br>
IP packet size: <strong>84 bytes</strong></p>
<p>Pinging with defaults:<br>
[root@solaris]:~# <strong>ping -s 10.99.99.150</strong></p>
<div class="highlight"><pre><span></span><code>PING 10.99.99.150: 56 data bytes
64 bytes from 10.99.99.150: icmp_seq=0. time=0.759 ms
</code></pre></div>
<p>Receiving host:<br>
[root@darkstar ~]# tcpdump -n -v -s 1500 host 10.99.99.159 </p>
<div class="highlight"><pre><span></span><code><span class="mi">20</span><span class="err">:</span><span class="mi">50</span><span class="err">:</span><span class="mf">08.084364</span><span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="p">(</span><span class="n">tos</span><span class="w"> </span><span class="mh">0x0</span><span class="p">,</span><span class="w"> </span><span class="n">ttl</span><span class="w"> </span><span class="mi">255</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">8020</span><span class="p">,</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">flags</span><span class="w"> </span><span class="o">[</span><span class="n">none</span><span class="o">]</span><span class="p">,</span><span class="w"> </span><span class="nl">proto</span><span class="p">:</span><span class="w"> </span><span class="n">ICMP</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">),</span><span class="w"> </span><span class="nl">length</span><span class="p">:</span><span class="w"> </span><span class="mi">84</span><span class="p">)</span><span class="w"> </span><span class="mf">10.99.99.159</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="mf">10.99.99.150</span><span class="err">:</span><span class="w"> </span><span class="n">ICMP</span><span class="w"> </span><span class="n">echo</span><span class="w"> </span><span class="n">request</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">9096</span><span class="p">,</span><span class="w"> </span><span class="n">seq</span><span class="w"> </span><span class="mi">7</span><span class="p">,</span><span class="w"> </span><span class="n">length</span><span 
class="w"> </span><span class="mi">64</span><span class="w"></span>
<span class="mi">20</span><span class="err">:</span><span class="mi">50</span><span class="err">:</span><span class="mf">08.084538</span><span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="p">(</span><span class="n">tos</span><span class="w"> </span><span class="mh">0x0</span><span class="p">,</span><span class="w"> </span><span class="n">ttl</span><span class="w"> </span><span class="mi">64</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">52389</span><span class="p">,</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">flags</span><span class="w"> </span><span class="o">[</span><span class="n">none</span><span class="o">]</span><span class="p">,</span><span class="w"> </span><span class="nl">proto</span><span class="p">:</span><span class="w"> </span><span class="n">ICMP</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">),</span><span class="w"> </span><span class="nl">length</span><span class="p">:</span><span class="w"> </span><span class="mi">84</span><span class="p">)</span><span class="w"> </span><span class="mf">10.99.99.150</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="mf">10.99.99.159</span><span class="err">:</span><span class="w"> </span><span class="n">ICMP</span><span class="w"> </span><span class="n">echo</span><span class="w"> </span><span class="n">reply</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">9096</span><span class="p">,</span><span class="w"> </span><span class="n">seq</span><span class="w"> </span><span class="mi">7</span><span class="p">,</span><span class="w"> </span><span class="n">length</span><span class="w"> </span><span class="mi">64</span><span 
class="w"></span>
</code></pre></div>
<p>To change the size of the sent packet, to say 1300 bytes of data, add the data size in bytes as the last argument:</p>
<p>[root@solaris]:~# <strong>ping -s 10.99.99.150 1320</strong></p>
<div class="highlight"><pre><span></span><code>PING 10.99.99.150: 1320 data bytes
1328 bytes from 10.99.99.150: icmp_seq=0. time=1.610 ms
1328 bytes from 10.99.99.150: icmp_seq=1. time=0.335 ms
</code></pre></div>
<p><strong>SideNote:</strong> There is no size sweeping capability built in, so I wrote this script to emulate this feature in Solaris as well:</p>
<div class="highlight"><pre><span></span><code>[root@solaris]# awk ' BEGIN {for (size=100;size&lt;1470;size=size+10) {
cmd = ("ping -s " "10.99.99.158 " size " 3")
print cmd | "/bin/bash"
close("/bin/bash") } } '
</code></pre></div>
<p>Here:<br>
<em>size</em> - size of the data in the ICMP packet, starts at 10 bytes and ends at 170 bytes<br>
<em>size+10</em> - the size is incremented by 10 bytes for each series of pings<br>
<em>3</em> - number of pings in each size set.</p>
<p>Results:</p>
<div class="highlight"><pre><span></span><code>[root@solaris]# awk ' BEGIN {for (size=100;size&lt;1470;size=size+10) {
cmd = ("ping -s " "10.99.99.158 " size " 3")
print cmd | "/bin/bash"
close("/bin/bash") } } '
PING 10.99.99.158: 100 data bytes
108 bytes from 10.99.99.158: icmp_seq=0. time=0.319 ms
108 bytes from 10.99.99.158: icmp_seq=1. time=0.460 ms
108 bytes from 10.99.99.158: icmp_seq=2. time=0.328 ms
----10.99.99.158 PING Statistics----
3 packets transmitted, 3 packets received, 0% packet loss
round-trip (ms) min/avg/max/stddev = 0.319/0.369/0.460/0.079
PING 10.99.99.158: 110 data bytes
118 bytes from 10.99.99.158: icmp_seq=0. time=0.371 ms
118 bytes from 10.99.99.158: icmp_seq=1. time=0.370 ms
118 bytes from 10.99.99.158: icmp_seq=2. time=0.477 ms
----10.99.99.158 PING Statistics----
3 packets transmitted, 3 packets received, 0% packet loss
round-trip (ms) min/avg/max/stddev = 0.370/0.406/0.477/0.061
PING 10.99.99.158: 120 data bytes
128 bytes from 10.99.99.158: icmp_seq=0. time=0.395 ms
128 bytes from 10.99.99.158: icmp_seq=1. time=0.361 ms
128 bytes from 10.99.99.158: icmp_seq=2. time=0.264 ms
</code></pre></div>
<p><a name="cisco-routers-ios"></a></p>
<h1>CISCO routers (IOS)</h1>
<p>Defaults:<br>
IP packet size: <strong>100 bytes</strong>; use <strong>size &lt;size&gt;</strong> to change<br>
Don’t fragment bit - <strong>not set</strong>; use <strong>df-bit</strong> to set</p>
<p>Running with defaults:</p>
<div class="highlight"><pre><span></span><code>Tokyo#ping 191.91.21.41
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 191.91.21.41, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
</code></pre></div>
<p>Receiving host:<br>
[root@darkstar ~]# tcpdump -n -v -s 1500 icmp </p>
<div class="highlight"><pre><span></span><code>22:16:53.758056 IP (tos 0x0, ttl 253, id 11, offset 0, flags [none], proto: ICMP (1), length: 100) 174.93.31.134 > 10.99.99.150: ICMP echo request, id 4, seq 0, length 80
22:16:53.758246 IP (tos 0x0, ttl 64, id 10923, offset 0, flags [none], proto: ICMP (1), length: 100) 10.99.99.150 > 174.93.31.134: ICMP echo reply, id 4, seq 0, length 80
</code></pre></div>
<p>Set the DF bit and the size of the packet (Note: when you set the size of the ping on IOS you set the IP packet size, not the ICMP data size as on *nix systems).<br>
Repeat count is set to 3.<br>
Tokyo#<strong>ping 191.91.21.41 size 1300 df-bit rep 3</strong></p>
<div class="highlight"><pre><span></span><code>Type escape sequence to abort.
Sending 3, 1300-byte ICMP Echos to 191.91.21.41, timeout is 2 seconds:
Packet sent with the DF bit set
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 4/4/4 ms
</code></pre></div>
<p>Receiving host:<br>
[root@darkstar ~]# tcpdump -n -v -s 1500 icmp </p>
<div class="highlight"><pre><span></span><code>22:18:16.657849 IP (tos 0x0, ttl 253, id 21, offset 0, flags [DF], proto: ICMP (1), length: 1300) 174.93.31.134 > 10.99.99.150: ICMP echo request, id 6, seq 0, length 1280
22:18:16.658028 IP (tos 0x0, ttl 64, id 10933, offset 0, flags [none], proto: ICMP (1), length: 1300) 10.99.99.150 > 174.93.31.134: ICMP echo reply, id 6, seq 0, length 1280
</code></pre></div>
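<p>Added example (not from the article): a small Python checker that parses the kind of <code>tcpdump -n -v</code> lines shown in the Solaris and IOS captures above and verifies that the IP length and DF flag on the wire match what the ping size argument means on each platform (ICMP data bytes on Linux and Solaris, the whole IP datagram on IOS). The platform table and the MTU helper are assumptions read off this article's own captures; the sample lines are copied from them.</p>

```python
import re

IP_HDR = 20   # IPv4 header without options
ICMP_HDR = 8  # ICMP echo request/reply header

# How each platform's ping interprets its size argument (assumed table, read
# off the captures in this article):
#   "data": the argument is the ICMP payload size (Linux -s, Solaris trailing size)
#   "ip":   the argument is the whole IP datagram size (IOS "size")
SIZE_SEMANTICS = {"linux": "data", "solaris": "data", "ios": "ip"}
# Whether the platform's ping can set DF at all (Solaris ping cannot).
CAN_SET_DF = {"linux": True, "solaris": False, "ios": True}

# One "tcpdump -n -v" line for an ICMP echo, as printed in the captures above.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos (?P<tos>0x[0-9a-fA-F]+), ttl (?P<ttl>\d+), "
    r"id (?P<ipid>\d+), offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto: ICMP \(1\), length: (?P<ip_len>\d+)\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+) ?: ICMP echo (?P<kind>request|reply), "
    r"id (?P<icmp_id>\d+), seq (?P<seq>\d+), length (?P<icmp_len>\d+)$"
)


def parse_tcpdump_line(line):
    """Parse one tcpdump -v ICMP echo line into a dict; raise ValueError otherwise."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump -v ICMP echo line: %r" % line)
    pkt = m.groupdict()
    for key in ("ttl", "ipid", "offset", "ip_len", "icmp_id", "seq", "icmp_len"):
        pkt[key] = int(pkt[key])
    # tcpdump prints e.g. "[none]", "[DF]" or "[DF, +]" (more fragments follow)
    pkt["df"] = "DF" in [f.strip() for f in pkt["flags"].split(",")]
    pkt["data_len"] = pkt["icmp_len"] - ICMP_HDR  # ICMP payload bytes
    return pkt


def expected_ip_length(platform, size):
    """IP total length that the size argument produces on this platform's ping."""
    if SIZE_SEMANTICS[platform] == "data":
        return size + ICMP_HDR + IP_HDR
    return size


def max_size_for_mtu(platform, mtu):
    """Largest ping size argument that still fits an unfragmented datagram of mtu bytes."""
    if SIZE_SEMANTICS[platform] == "data":
        return mtu - ICMP_HDR - IP_HDR
    return mtu


def check_capture(platform, size, want_df, lines):
    """Compare captured echo requests with what ping on 'platform' was asked to send.

    Returns a list of discrepancies; an empty list means the wire matches the
    requested size and DF setting."""
    problems = []
    if want_df and not CAN_SET_DF[platform]:
        problems.append("%s ping cannot set the DF bit" % platform)
    want_len = expected_ip_length(platform, size)
    for line in lines:
        pkt = parse_tcpdump_line(line)
        if pkt["kind"] != "request":
            continue  # replies are sized by the responder, not by our ping
        tag = "seq %d" % pkt["seq"]
        if pkt["ip_len"] != want_len:
            problems.append("%s: IP length %d, expected %d" % (tag, pkt["ip_len"], want_len))
        if pkt["icmp_len"] != pkt["ip_len"] - IP_HDR:
            problems.append("%s: ICMP length %d does not fit IP length %d"
                            % (tag, pkt["icmp_len"], pkt["ip_len"]))
        if pkt["df"] != want_df:
            problems.append("%s: DF bit %s, expected %s"
                            % (tag, "set" if pkt["df"] else "clear",
                               "set" if want_df else "clear"))
    return problems


# Capture lines copied from the article: Solaris default ping, IOS default ping
# and IOS "size 1300 df-bit".
SOLARIS_DEFAULT = ("20:50:08.084364 IP (tos 0x0, ttl 255, id 8020, offset 0, flags [none], "
                   "proto: ICMP (1), length: 84) 10.99.99.159 > 10.99.99.150: "
                   "ICMP echo request, id 9096, seq 7, length 64")
IOS_DEFAULT = ("22:16:53.758056 IP (tos 0x0, ttl 253, id 11, offset 0, flags [none], "
               "proto: ICMP (1), length: 100) 174.93.31.134 > 10.99.99.150: "
               "ICMP echo request, id 4, seq 0, length 80")
IOS_DF_1300 = ("22:18:16.657849 IP (tos 0x0, ttl 253, id 21, offset 0, flags [DF], "
               "proto: ICMP (1), length: 1300) 174.93.31.134 > 10.99.99.150: "
               "ICMP echo request, id 6, seq 0, length 1280")

if __name__ == "__main__":
    print(check_capture("solaris", 56, False, [SOLARIS_DEFAULT]))  # []
    print(check_capture("ios", 1300, True, [IOS_DF_1300]))         # []
    print(check_capture("ios", 1300, True, [IOS_DEFAULT]))         # size and DF mismatch
    for p in ("linux", "solaris", "ios"):
        print(p, "largest size argument for a 1500-byte MTU:", max_size_for_mtu(p, 1500))
```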
<p>Sweeping the ping size.<br>
This feature is available from the extended ping menu:</p>
<div class="highlight"><pre><span></span><code>Rio#ping
Protocol [ip]:
Target IP address: 191.91.21.41
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: y
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]: y
Sweep min size [36]:
Sweep max size [18024]: 1700
Sweep interval [1]: 100
Type escape sequence to abort.
Sending 85, [36..1700]-byte ICMP Echos to 191.91.21.41, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!!!!!!!!!!
</code></pre></div>
<p>Receiving host:</p>
<div class="highlight"><pre><span></span><code>10:35:22.563851 IP (tos 0x0, ttl 253, id 179, offset 0, flags [DF], proto: ICMP (1), length: 36) 174.93.31.134 > 10.99.99.150: ICMP echo request, id 9, seq 0, length 16
10:35:22.563891 IP (tos 0x0, ttl 64, id 46861, offset 0, flags [none], proto: ICMP (1), length: 36) 10.99.99.150 > 174.93.31.134: ICMP echo reply, id 9, seq 0, length 16
<span class="mi">10</span><span class="err">:</span><span class="mi">35</span><span class="err">:</span><span class="mf">22.566205</span><span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="p">(</span><span class="n">tos</span><span class="w"> </span><span class="mh">0x0</span><span class="p">,</span><span class="w"> </span><span class="n">ttl</span><span class="w"> </span><span class="mi">253</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">180</span><span class="p">,</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">flags</span><span class="w"> </span><span class="o">[</span><span class="n">DF</span><span class="o">]</span><span class="p">,</span><span class="w"> </span><span class="nl">proto</span><span class="p">:</span><span class="w"> </span><span class="n">ICMP</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">),</span><span class="w"> </span><span class="nl">length</span><span class="p">:</span><span class="w"> </span><span class="mi">136</span><span class="p">)</span><span class="w"> </span><span class="mf">174.93.31.134</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="mf">10.99.99.150</span><span class="err">:</span><span class="w"> </span><span class="n">ICMP</span><span class="w"> </span><span class="n">echo</span><span class="w"> </span><span class="n">request</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">9</span><span class="p">,</span><span class="w"> </span><span class="n">seq</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="n">length</span><span class="w"> </span><span class="mi">116</span><span 
class="w"></span>
<span class="mi">10</span><span class="err">:</span><span class="mi">35</span><span class="err">:</span><span class="mf">22.566223</span><span class="w"> </span><span class="n">IP</span><span class="w"> </span><span class="p">(</span><span class="n">tos</span><span class="w"> </span><span class="mh">0x0</span><span class="p">,</span><span class="w"> </span><span class="n">ttl</span><span class="w"> </span><span class="mi">64</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">46862</span><span class="p">,</span><span class="w"> </span><span class="n">offset</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">flags</span><span class="w"> </span><span class="o">[</span><span class="n">none</span><span class="o">]</span><span class="p">,</span><span class="w"> </span><span class="nl">proto</span><span class="p">:</span><span class="w"> </span><span class="n">ICMP</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">),</span><span class="w"> </span><span class="nl">length</span><span class="p">:</span><span class="w"> </span><span class="mi">136</span><span class="p">)</span><span class="w"> </span><span class="mf">10.99.99.150</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="mf">174.93.31.134</span><span class="w"> </span><span class="err">:</span><span class="w"> </span><span class="n">ICMP</span><span class="w"> </span><span class="n">echo</span><span class="w"> </span><span class="n">reply</span><span class="p">,</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">9</span><span class="p">,</span><span class="w"> </span><span class="n">seq</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="n">length</span><span class="w"> </span><span 
class="mi">116</span><span class="w"></span>
</code></pre></div>
<p><a name="juniper-routers-junos"></a></p>
<h1>Juniper routers (JunOS)</h1>
<p>Defaults:<br>
IP packet size: <strong>84 bytes</strong><br>
Don't fragment bit: <strong>not set</strong>; use <strong>do-not-fragment</strong> to set it<br>
Interval: 1 sec; use <strong>interval &lt;secs&gt;</strong> to change it</p>
<p>Sending pings with the DF bit set and a size of 1470 bytes:<br>
[root@Juniper] ping 192.168.37.29 do-not-fragment size 1470 </p>
<div class="highlight"><pre><span></span><code><span class="nv">ping</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">37</span>.<span class="mi">29</span><span class="w"> </span><span class="k">do</span><span class="o">-</span><span class="nv">not</span><span class="o">-</span><span class="nv">fragment</span><span class="w"> </span><span class="nv">size</span><span class="w"> </span><span class="mi">1470</span><span class="w"></span>
<span class="nv">PING</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">37</span>.<span class="mi">29</span><span class="w"> </span><span class="ss">(</span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">37</span>.<span class="mi">29</span><span class="ss">)</span>:<span class="w"> </span><span class="mi">1470</span><span class="w"> </span><span class="nv">data</span><span class="w"> </span><span class="nv">bytes</span><span class="w"></span>
<span class="mi">1478</span><span class="w"> </span><span class="nv">bytes</span><span class="w"> </span><span class="nv">from</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">37</span>.<span class="mi">29</span>:<span class="w"> </span><span class="nv">icmp_seq</span><span class="o">=</span><span class="mi">0</span><span class="w"> </span><span class="nv">ttl</span><span class="o">=</span><span class="mi">64</span><span class="w"> </span><span class="nv">time</span><span class="o">=</span><span class="mi">1</span>.<span class="mi">434</span><span class="w"> </span><span class="nv">ms</span><span class="w"></span>
<span class="mi">1478</span><span class="w"> </span><span class="nv">bytes</span><span class="w"> </span><span class="nv">from</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">37</span>.<span class="mi">29</span>:<span class="w"> </span><span class="nv">icmp_seq</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="nv">ttl</span><span class="o">=</span><span class="mi">64</span><span class="w"> </span><span class="nv">time</span><span class="o">=</span><span class="mi">0</span>.<span class="mi">210</span><span class="w"> </span><span class="nv">ms</span><span class="w"></span>
<span class="o">---</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">37</span>.<span class="mi">29</span><span class="w"> </span><span class="nv">ping</span><span class="w"> </span><span class="nv">statistics</span><span class="w"> </span><span class="o">---</span><span class="w"></span>
<span class="mi">4</span><span class="w"> </span><span class="nv">packets</span><span class="w"> </span><span class="nv">transmitted</span>,<span class="w"> </span><span class="mi">4</span><span class="w"> </span><span class="nv">packets</span><span class="w"> </span><span class="nv">received</span>,<span class="w"> </span><span class="mi">0</span><span class="o">%</span><span class="w"> </span><span class="nv">packet</span><span class="w"> </span><span class="nv">loss</span><span class="w"></span>
<span class="nv">round</span><span class="o">-</span><span class="nv">trip</span><span class="w"> </span><span class="nv">min</span><span class="o">/</span><span class="nv">avg</span><span class="o">/</span><span class="nv">max</span><span class="o">/</span><span class="nv">stddev</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span>.<span class="mi">203</span><span class="o">/</span><span class="mi">0</span>.<span class="mi">513</span><span class="o">/</span><span class="mi">1</span>.<span class="mi">434</span><span class="o">/</span><span class="mi">0</span>.<span class="mi">532</span><span class="w"> </span><span class="nv">ms</span><span class="w"></span>
</code></pre></div>
<p>If the packet size is too large and the DF bit is set, you get this:</p>
<p>[root@Juniper]&gt; ping 192.168.37.29 do-not-fragment size 13000</p>
<div class="highlight"><pre><span></span><code><span class="nv">ping</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">37</span>.<span class="mi">29</span><span class="w"> </span><span class="k">do</span><span class="o">-</span><span class="nv">not</span><span class="o">-</span><span class="nv">fragment</span><span class="w"> </span><span class="nv">size</span><span class="w"> </span><span class="mi">13000</span><span class="w"></span>
<span class="nv">PING</span><span class="w"> </span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">37</span>.<span class="mi">29</span><span class="w"> </span><span class="ss">(</span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">37</span>.<span class="mi">29</span><span class="ss">)</span>:<span class="w"> </span><span class="mi">13000</span><span class="w"> </span><span class="nv">data</span><span class="w"> </span><span class="nv">bytes</span><span class="w"></span>
<span class="nv">ping</span>:<span class="w"> </span><span class="nv">sendto</span>:<span class="w"> </span><span class="nv">Message</span><span class="w"> </span><span class="nv">too</span><span class="w"> </span><span class="nv">long</span><span class="w"></span>
</code></pre></div>
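<p>The arithmetic behind the two ping runs above, as an added example that is not part of the original post: the helpers compute the on-wire IPv4 size of a JunOS ping for a given <strong>size</strong> value, the largest payload that still fits a link MTU when the DF bit is set, and parse ping output of the shape shown above (including the "Message too long" failure). It assumes IPv4 without options (20-byte header) and an 8-byte ICMP echo header, which is what the 84-byte default (56 data bytes) quoted above implies; the sample output is reconstructed from the post's listings.</p>

```python
"""DF-bit ping arithmetic and JunOS ping output parsing (added example)."""
import re

IPV4_HEADER = 20   # IPv4 header without options (assumption)
ICMP_HEADER = 8    # ICMP echo request/reply header

# Constructed samples, copied from the post's two ping runs.
SAMPLE_OK = """\
PING 192.168.37.29 (192.168.37.29): 1470 data bytes
1478 bytes from 192.168.37.29: icmp_seq=0 ttl=64 time=1.434 ms
1478 bytes from 192.168.37.29: icmp_seq=1 ttl=64 time=0.210 ms
--- 192.168.37.29 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.203/0.513/1.434/0.532 ms
"""
SAMPLE_TOO_LONG = """\
PING 192.168.37.29 (192.168.37.29): 13000 data bytes
ping: sendto: Message too long
"""


def wire_size(data_bytes: int) -> int:
    """Total IPv4 packet size of a ping carrying data_bytes of payload."""
    return data_bytes + ICMP_HEADER + IPV4_HEADER


def max_df_payload(mtu: int) -> int:
    """Largest 'size' value that crosses a link of this MTU unfragmented."""
    return mtu - ICMP_HEADER - IPV4_HEADER


def df_probe_fits(data_bytes: int, mtu: int) -> bool:
    """True if a do-not-fragment ping of this size fits a link of this MTU."""
    return wire_size(data_bytes) <= mtu


_REPLY = re.compile(
    r"^(\d+) bytes from (\S+): icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")
_STATS = re.compile(
    r"^(\d+) packets transmitted, (\d+) packets received, ([\d.]+)% packet loss")


def parse_ping_output(text: str) -> dict:
    """Parse JunOS/BSD-style ping output into replies, loss and a 'too long' flag."""
    result = {"replies": [], "transmitted": None, "received": None,
              "loss_pct": None, "message_too_long": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = _REPLY.match(line)
        if m:
            icmp_bytes = int(m.group(1))
            result["replies"].append({
                "icmp_bytes": icmp_bytes,          # ICMP header + data, as printed
                "wire_bytes": icmp_bytes + IPV4_HEADER,  # add the IP header back
                "from": m.group(2),
                "seq": int(m.group(3)),
                "ttl": int(m.group(4)),
                "rtt_ms": float(m.group(5)),
            })
            continue
        m = _STATS.match(line)
        if m:
            result["transmitted"] = int(m.group(1))
            result["received"] = int(m.group(2))
            result["loss_pct"] = float(m.group(3))
        elif "Message too long" in line:
            # Local error: the DF-marked packet exceeds the outgoing interface MTU,
            # so it never leaves the box.
            result["message_too_long"] = True
    return result


if __name__ == "__main__":
    print("1470 data bytes ->", wire_size(1470), "bytes on the wire")
    print("largest DF payload for MTU 1500:", max_df_payload(1500))
    print(parse_ping_output(SAMPLE_OK)["replies"][0])
    print(parse_ping_output(SAMPLE_TOO_LONG))
```

<p>The "1478 bytes from" in the reply lines is ICMP header plus data; adding the 20-byte IP header gives 1498 bytes on the wire, which is why a 1470-byte DF probe passes a standard 1500-byte MTU and a 1472-byte one is the largest that will.</p>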
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
<h1>Don't rely on SmartViewTracker only - it may lie</h1>
<p>Published 2009-06-20 by Yuri Slobodyanyuk (yurisk.info/2009/06/20/'185'/)</p>
<p>A funny case of WYSIWYG misleading the uninitiated. The case involved a seemingly normally functioning Checkpoint firewall which, after the client created a rule to allow FTP from Any to his server in the DMZ (no NAT involved), still refused to allow the connections. The client, being quite experienced himself, opened SmartViewTracker, filtered on the rule (here rule 77) and saw nothing (Log was of course enabled on the rule). OK, he thought, cancelled the filter and also started looking at the clean-up rule that said Any -> Any = Drop (log enabled) and ... again saw no hits at all. At this stage he approached us with a request to check the Linkproof leading to this firewall, as "it doesn't pass traffic to my FTP server".<br>
I did the usual thing - ssh -> <a href="http://yurisk.info/2009/12/12/fw-monitor-command-reference/">fw monitor</a> on the FTP server IP and, hurrah, saw myself reaching the FTP server IP but on the input interface only - "Aha, dropped by a rule for sure". Then it took me another minute to prove it (to me and to the client) with this:</p>
<p>Here:<br>
194.99.73.13 - the FTP server in the DMZ (IP sanitized, of course)<br>
124.92.11.33 - my IP</p>
<p>[Expert@firewall2070]# <strong>fw ctl zdebug drop | grep 194.99.73.13</strong> </p>
<div class="highlight"><pre><span></span><code><span class="n">fw_log_drop</span><span class="o">:</span><span class="w"> </span><span class="n">Packet</span><span class="w"> </span><span class="n">proto</span><span class="o">=</span><span class="mi">6</span><span class="w"> </span><span class="mf">124.92</span><span class="o">.</span><span class="mf">11.33</span><span class="o">:</span><span class="mi">53408</span><span class="w"> </span><span class="o">-></span><span class="w"> </span><span class="mf">194.99</span><span class="o">.</span><span class="mf">73.13</span><span class="o">:</span><span class="mi">21</span><span class="w"> </span><span class="n">dropped</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">fwhold_expires</span><span class="w"> </span><span class="n">Reason</span><span class="o">:</span><span class="w"> </span><span class="n">held</span><span class="w"> </span><span class="n">chain</span><span class="w"> </span><span class="n">expired</span><span class="w"></span>
<span class="n">fw_log_drop</span><span class="o">:</span><span class="w"> </span><span class="n">Packet</span><span class="w"> </span><span class="n">proto</span><span class="o">=</span><span class="mi">6</span><span class="w"> </span><span class="mf">124.92</span><span class="o">.</span><span class="mf">11.33</span><span class="o">:</span><span class="mi">53408</span><span class="w"> </span><span class="o">-></span><span class="w"> </span><span class="mf">194.99</span><span class="o">.</span><span class="mf">73.13</span><span class="o">:</span><span class="mi">21</span><span class="w"> </span><span class="n">dropped</span><span class="w"> </span><span class="n">by</span><span class="w"></span>
<span class="w"> </span><span class="n">fw_handle_first_packet</span><span class="w"> </span><span class="n">Reason</span><span class="o">:</span><span class="w"> </span><span class="n">Rulebase</span><span class="w"> </span><span class="n">drop</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">rule</span><span class="w"> </span><span class="mi">77</span><span class="w"></span>
</code></pre></div>
<p>To remind: rule 77 was Any -> 194.99.73.13 (Service FTP) = Allow (log)</p>
<p>Why the rule didn't work is another question, but the reason was a messed-up rulebase the client had made: further
down the rulebase was another rule for the same server, partly overlapping this one, and the moment I disabled
that second rule everything started to work.</p>
<p>So the conclusion: don't rely on SmartViewTracker alone for debugging; there can be too many
reasons why it is not logging/showing the logs as it should.</p>
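<p>A small parser for <strong>fw ctl zdebug drop</strong> output, as an added example that is not part of the original post: it joins the wrapped continuation line seen above back onto its record, extracts the 5-tuple, the dropping handler and the reason text, pulls the rule number out of "Rulebase drop - rule N", and counts drops per rule, so a rule that the tracker never shows still stands out in the kernel-side evidence. The sample lines are constructed from the output above, with the same sanitized IPs.</p>

```python
"""Parse Check Point 'fw ctl zdebug drop' output and count drops per rule (added example)."""
import re
from collections import Counter

# Constructed sample modelled on the output above (same sanitized IPs).
# The second record wraps onto a continuation line, as it did on the console.
SAMPLE = """\
fw_log_drop: Packet proto=6 124.92.11.33:53408 -> 194.99.73.13:21 dropped by fwhold_expires Reason: held chain expired
fw_log_drop: Packet proto=6 124.92.11.33:53408 -> 194.99.73.13:21 dropped by
 fw_handle_first_packet Reason: Rulebase drop - rule 77
"""

_DROP = re.compile(
    r"^fw_log_drop: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<handler>\S+) Reason: (?P<reason>.+?)\s*$"
)
_RULE = re.compile(r"\brule (\d+)\b")


def join_wrapped(lines):
    """Yield one logical record per 'fw_log_drop:' line, absorbing continuation lines."""
    record = None
    for line in lines:
        stripped = line.strip()
        if stripped.startswith("fw_log_drop:"):
            if record is not None:
                yield record
            record = stripped
        elif record is not None and stripped:
            record += " " + stripped      # wrapped tail of the previous record
    if record is not None:
        yield record


def parse_zdebug_drops(text):
    """Return a list of dicts: proto, src, sport, dst, dport, handler, reason, rule."""
    drops = []
    for rec in join_wrapped(text.splitlines()):
        m = _DROP.match(rec)
        if not m:
            continue                      # unrelated debug noise, skip it
        d = m.groupdict()
        for key in ("proto", "sport", "dport"):
            d[key] = int(d[key])
        r = _RULE.search(d["reason"])
        d["rule"] = int(r.group(1)) if r else None   # only rulebase drops carry a rule
        drops.append(d)
    return drops


def drops_by_rule(drops):
    """Count rulebase drops per rule number; drops without a rule are ignored."""
    return Counter(d["rule"] for d in drops if d["rule"] is not None)


def drops_for_host(drops, ip):
    """Records where ip is source or destination (what the 'grep IP' above did)."""
    return [d for d in drops if ip in (d["src"], d["dst"])]


if __name__ == "__main__":
    parsed = parse_zdebug_drops(SAMPLE)
    for d in parsed:
        print(d["src"], "->", d["dst"], d["dport"], d["handler"], "|", d["reason"])
    print("drops per rule:", dict(drops_by_rule(parsed)))
```

<p>Feeding it a longer capture and reading the per-rule counter is the quickest way to see which rulebase entry is actually hit when the tracker is silent; the "held chain expired" record has no rule number, so the counter only ever reflects real rulebase decisions.</p>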
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
<h1>Failed to connect to Fortiguard servers</h1>
<p>Published 2009-06-19 by Yuri Slobodyanyuk (yurisk.info/2009/06/19/failed-to-connect-to-fortiguard-servers/)</p>
<p><strong>Note: This post was written for FortiOS versions 2.8 and 3.x, so some commands have changed; for updated debug steps please read <a href="https://yurisk.info/2021/02/21/failed-to-connect-to-fortiguard-servers-updated/" rel="noopener">Failed to connect to Fortiguard servers verification and debug updated</a></strong></p>
<p>Today I encountered an otherwise easy-to-diagnose misconfiguration, only that Fortinet decided to 'hide' this parameter deep enough.</p>
<blockquote>NOTE: Fortiguard is a subscription-based service in which your Fortigate unit periodically
connects to the Fortinet servers (collectively named Fortiguard servers) to get the information that enables advanced
features like URL filtering by category/rating; the Fortigate also downloads all updates (IPS, AppControl, Antivirus signatures) from them.</blockquote>
<p>Problem - suddenly the client's Fortigate refused to do web/spam filtering while having a valid contract subscription. The reason was obvious, as in <strong>System -> Maintenance -> Fortiguard</strong> the status was <strong>"Failed to connect"</strong> (or something of the kind, I don't recall it exactly). On the same page there is a nice button <strong>"Test Availability"</strong>, pushing which brought the error <strong>"Connection failed Check firewall routing table"</strong>.<br>
In most cases it is either a reachability issue to the FortiGuard servers or the Fortigate is trying to update against the wrong server.<br>
Pinging successfully from the firewall with <strong>exe ping service.fortiguard.net</strong> (the FQDN to use for the Fortiguard servers) left me with the 2nd option - a wrong Fortiguard server hardcoded somewhere in the config. Running<br>
FG100 #<strong>show system fortiguard</strong> gave only this:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="nv">config</span><span class="w"> </span><span class="nv">system</span><span class="w"> </span><span class="nv">fortiguard</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">antispam</span><span class="o">-</span><span class="nv">cache</span><span class="w"> </span><span class="nv">disable</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">webfilter</span><span class="o">-</span><span class="nv">cache</span><span class="w"> </span><span class="nv">disable</span><span class="w"></span>
<span class="w"> </span><span class="k">end</span><span class="w"> </span>
</code></pre></div>
<p>And only running #<strong>get system fortiguard</strong> gave the needed answer:</p>
<div class="highlight"><pre><span></span><code> hostname : 66.92.33.1
srv-ovrd : disable
port : 53
client-override-status: disable
</code></pre></div>
<p>To fix this I entered:<br>
FG100 #<strong>config system fortiguard</strong><br>
FG100 (fortiguard) #<strong>set</strong><br>
hostname &nbsp;&nbsp;&nbsp; hostname or IP of the FortiGuard server<br>
FG100 (fortiguard) #<strong>set hostname service.fortiguard.net</strong><br>
FG100 (fortiguard) #<strong>next</strong></p>
<p>FortiOS 3.x and later uses service.fortiguard.net; FortiOS 2.80 used guard.fortinet.net for Webfiltering and
antispam.fortigate.com for Antispam filtering, and it is Fortinet's recommendation to do so. Nevertheless,
setting guard.fortinet.net in FortiOS 3 works as well (after all, they are CNAME'd).</p>
<p>And while we are at it, here are a few useful debug commands for the topic:<br>
- To see the real-time list of servers to which the firewall tries to connect for the Fortiguard service:<br>
FG200#<strong>diagnose debug rating</strong></p>
<div class="highlight"><pre><span></span><code> Locale : english
License : Contract
Expiration : Fri Jun 17 02:00:00 2010
Hostname : guard.fortinet.net
-=- Server List (Wed Jun 19 08:12:58 2009) -=-
IP Weight Round-time TZ Packets Curr Lost Total Lost
212.95.252.121 0 85 0 521863 0 113
212.95.252.120 0 89 0 4625 0 5
82.71.226.65 0 97 0 2140 0 34
62.209.40.73 10 105 1 2060 0 0
62.209.40.72 10 103 1 2060 0 0
66.117.56.37 50 158 -5 2060 0 0
69.20.236.180 50 191 -5 2060 0 0
69.20.236.179 50 185 -5 2060 0 0
66.117.56.42 50 164 -5 2061 0 1
72.52.72.243 80 245 -8 2063 0 3
116.58.208.39 80 371 -8 2081 0 21
208.91.112.194 80 233 -8 2075 0 12
216.156.209.26 80 239 -8 2068 0 7
121.111.236.179 90 354 9 2061 0 1
121.111.236.180 90 366 9 2064 0 4
</code></pre></div>
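<p>Two checks a practitioner would script from the outputs in this post, as an added example that is not the post's or Fortinet's own code: the first parses the key/value output of <strong>get system fortiguard</strong> and flags a hostname that is a hardcoded IP rather than one of the FQDNs the post names; the second parses the server table printed by <strong>diagnose debug rating</strong> and lists servers whose lifetime packet loss exceeds a threshold. The two accepted FQDNs are the ones named above; the 1% loss threshold and the sample outputs (trimmed from the listings in this post) are constructed.</p>

```python
"""FortiGuard configuration sanity checks from FortiOS CLI output (added example)."""
import ipaddress
import re

# FQDNs the post names as valid FortiGuard server hostnames.
KNOWN_FQDNS = {"service.fortiguard.net", "guard.fortinet.net"}

# Constructed samples, trimmed from the post's listings.
GET_SAMPLE = """\
hostname : 66.92.33.1
srv-ovrd : disable
port : 53
client-override-status: disable
"""
RATING_SAMPLE = """\
Locale : english
License : Contract
Expiration : Fri Jun 17 02:00:00 2010
Hostname : guard.fortinet.net
-=- Server List (Wed Jun 19 08:12:58 2009) -=-
IP Weight Round-time TZ Packets Curr Lost Total Lost
212.95.252.121 0 85 0 521863 0 113
212.95.252.120 0 89 0 4625 0 5
82.71.226.65 0 97 0 2140 0 34
62.209.40.73 10 105 1 2060 0 0
116.58.208.39 80 371 -8 2081 0 21
"""

_KEY = re.compile(r"^[A-Za-z][\w-]*$")
_ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(-?\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_kv(text):
    """Parse 'key : value' lines; banners and table rows are skipped."""
    out = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)   # split once: values may hold colons (times)
        key = key.strip()
        if _KEY.match(key):
            out[key] = value.strip()
    return out


def check_fortiguard_hostname(get_output):
    """Return findings about the configured hostname (empty list means fine)."""
    host = parse_kv(get_output).get("hostname", "")
    if not host:
        return ["no hostname found in output"]
    try:
        ipaddress.ip_address(host)
        return [f"hostname is a hardcoded IP ({host}); set it to a FortiGuard FQDN"]
    except ValueError:
        pass                              # not an IP literal, check the name instead
    if host not in KNOWN_FQDNS:
        return [f"hostname {host!r} is not one of {sorted(KNOWN_FQDNS)}"]
    return []


def parse_server_list(rating_output):
    """Parse the 'IP Weight Round-time TZ Packets Curr Lost Total Lost' rows."""
    servers = []
    for line in rating_output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            servers.append({
                "ip": m.group(1), "weight": int(m.group(2)),
                "rtt_ms": int(m.group(3)), "tz": int(m.group(4)),
                "packets": int(m.group(5)), "curr_lost": int(m.group(6)),
                "total_lost": int(m.group(7)),
            })
    return servers


def lossy_servers(servers, max_loss_pct=1.0):
    """IPs whose lifetime loss (Total Lost / Packets) exceeds max_loss_pct percent."""
    return [s["ip"] for s in servers
            if s["packets"] and 100.0 * s["total_lost"] / s["packets"] > max_loss_pct]


if __name__ == "__main__":
    print(check_fortiguard_hostname(GET_SAMPLE))
    info = parse_kv(RATING_SAMPLE)
    print("rating hostname:", info["Hostname"], "license:", info["License"])
    print("lossy servers:", lossy_servers(parse_server_list(RATING_SAMPLE)))
```

<p>Run against the real outputs, the first check would have pointed straight at the 66.92.33.1 entry in this post, and the loss report gives a quick view of which FortiGuard servers the unit is struggling to reach before anyone starts blaming the routing table.</p>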
<ul>
<li>
<p>The same for the Antispam service:<br>
FG200#<strong>diagnose spamfilter fortishield servers</strong></p>
<div class="highlight"><pre><span></span><code><span class="n">Locale</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">english</span><span class="w"></span>
<span class="n">License</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">Contract</span><span class="w"></span>
<span class="n">Expiration</span><span class="w"> </span><span class="o">:</span><span class="n">Fri</span><span class="w"> </span><span class="n">Jun</span><span class="w"> </span><span class="mi">17</span><span class="w"> </span><span class="mi">02</span><span class="o">:</span><span class="mi">00</span><span class="o">:</span><span class="mi">00</span><span class="w"> </span><span class="mi">2010</span><span class="w"></span>
<span class="n">Hostname</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">guard</span><span class="o">.</span><span class="na">fortinet</span><span class="o">.</span><span class="na">net</span><span class="w"></span>
<span class="o">-=-</span><span class="w"> </span><span class="n">Server</span><span class="w"> </span><span class="n">List</span><span class="w"> </span><span class="o">(</span><span class="n">Wed</span><span class="w"> </span><span class="n">Jun</span><span class="w"> </span><span class="mi">19</span><span class="w"> </span><span class="mi">08</span><span class="o">:</span><span class="mi">13</span><span class="o">:</span><span class="mi">39</span><span class="w"> </span><span class="mi">2009</span><span class="o">)</span><span class="w"> </span><span class="o">-=-</span><span class="w"></span>
<span class="n">IP</span><span class="w"> </span><span class="n">Weight</span><span class="w"> </span><span class="n">Round</span><span class="o">-</span><span class="n">time</span><span class="w"> </span><span class="n">TZ</span><span class="w"> </span><span class="n">Packets</span><span class="w"> </span><span class="n">Curr</span><span class="w"> </span><span class="n">Lost</span><span class="w"> </span><span class="n">Total</span><span class="w"> </span><span class="n">Lost</span><span class="w"></span>
<span class="mf">212.95</span><span class="o">.</span><span class="mf">252.121</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">94</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2063</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="mf">212.95</span><span class="o">.</span><span class="mf">252.120</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">96</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2061</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="mf">82.71</span><span class="o">.</span><span class="mf">226.65</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">104</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2076</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">18</span><span class="w"></span>
<span class="mf">62.209</span><span class="o">.</span><span class="mf">40.73</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="mi">113</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="mi">2061</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="mf">62.209</span><span class="o">.</span><span class="mf">40.72</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="mi">111</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="mi">2061</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="mf">66.117</span><span class="o">.</span><span class="mf">56.37</span><span class="w"> </span><span class="mi">50</span><span class="w"> </span><span class="mi">159</span><span class="w"> </span><span class="o">-</span><span class="mi">5</span><span class="w"> </span><span class="mi">2061</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="mf">69.20</span><span class="o">.</span><span class="mf">236.180</span><span class="w"> </span><span class="mi">50</span><span class="w"> </span><span class="mi">199</span><span class="w"> </span><span class="o">-</span><span class="mi">5</span><span class="w"> </span><span class="mi">2061</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="mf">69.20</span><span class="o">.</span><span class="mf">236.179</span><span class="w"> </span><span class="mi">50</span><span class="w"> </span><span class="mi">193</span><span class="w"> </span><span class="o">-</span><span class="mi">5</span><span class="w"> </span><span class="mi">2061</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="mf">66.117</span><span class="o">.</span><span class="mf">56.42</span><span class="w"> </span><span class="mi">50</span><span class="w"> </span><span class="mi">169</span><span class="w"> </span><span class="o">-</span><span class="mi">5</span><span class="w"> </span><span class="mi">2063</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="mf">72.52</span><span class="o">.</span><span class="mf">72.243</span><span class="w"> </span><span class="mi">80</span><span class="w"> </span><span class="mi">273</span><span class="w"> </span><span class="o">-</span><span class="mi">8</span><span class="w"> </span><span class="mi">2065</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">4</span><span class="w"></span>
<span class="mf">116.58</span><span class="o">.</span><span class="mf">208.39</span><span class="w"> </span><span class="mi">80</span><span class="w"> </span><span class="mi">380</span><span class="w"> </span><span class="o">-</span><span class="mi">8</span><span class="w"> </span><span class="mi">2085</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">24</span><span class="w"></span>
<span class="mf">208.91</span><span class="o">.</span><span class="mf">112.194</span><span class="w"> </span><span class="mi">80</span><span class="w"> </span><span class="mi">271</span><span class="w"> </span><span class="o">-</span><span class="mi">8</span><span class="w"> </span><span class="mi">2071</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">8</span><span class="w"></span>
<span class="mf">216.156</span><span class="o">.</span><span class="mf">209.26</span><span class="w"> </span><span class="mi">80</span><span class="w"> </span><span class="mi">261</span><span class="w"> </span><span class="o">-</span><span class="mi">8</span><span class="w"> </span><span class="mi">2064</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">2</span><span class="w"></span>
<span class="mf">121.111</span><span class="o">.</span><span class="mf">236.179</span><span class="w"> </span><span class="mi">90</span><span class="w"> </span><span class="mi">362</span><span class="w"> </span><span class="mi">9</span><span class="w"> </span><span class="mi">2061</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">0</span><span class="w"></span>
<span class="mf">121.111</span><span class="o">.</span><span class="mf">236.180</span><span class="w"> </span><span class="mi">90</span><span class="w"> </span><span class="mi">370</span><span class="w"> </span><span class="mi">9</span><span class="w"> </span><span class="mi">2062</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="mi">1</span><span class="w"></span>
</code></pre></div>
</li>
<li>
<p>To watch on the console the Web filtering doing its work:<br>
FG200#<strong>diagnose debug application urlfilter 1</strong><br>
FG200#<strong>diagnose debug enable</strong></p>
</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="nv">FG200</span><span class="w"> </span>#<span class="w"> </span><span class="nv">id</span><span class="o">=</span><span class="mi">93000</span><span class="w"> </span><span class="nv">pid</span><span class="o">=</span><span class="mi">50</span><span class="w"> </span><span class="nv">main</span><span class="o">-</span><span class="mi">696</span><span class="w"> </span><span class="nv">in</span><span class="w"> </span><span class="nv">main</span>.<span class="nv">c</span><span class="w"> </span><span class="nv">received</span><span class="w"> </span><span class="nv">pkt</span>:<span class="nv">count</span><span class="o">=</span><span class="mi">197</span>,<span class="w"> </span><span class="nv">a</span><span class="o">=/</span><span class="nv">tmp</span><span class="o">/</span>.<span class="nv">thttp</span>.<span class="nv">socket</span><span class="o">/</span><span class="mi">21</span><span class="w"> </span><span class="nv">id</span><span class="o">=</span><span class="mi">22009</span><span class="w"> </span><span class="nv">received</span><span class="w"> </span><span class="nv">a</span><span class="w"> </span><span class="nv">request</span><span class="w"> </span><span class="o">/</span><span class="nv">tmp</span><span class="o">/</span>.<span class="nv">thttp</span>.<span class="nv">socket</span>,<span class="w"> </span><span class="nv">addr_len</span><span class="o">=</span><span class="mi">21</span>:<span class="w"> </span><span class="nv">d</span><span class="o">=</span><span class="nv">www</span>.<span class="nv">cnn</span>.<span class="nv">com</span>:<span class="mi">80</span>,<span class="w"> </span><span class="nv">url</span><span class="o">=/</span><span class="nv">a7Admin</span><span class="o">/</span><span class="nv">SelectImage</span>.<span class="nv">aspx</span>?<span class="k">end</span><span class="o">=</span><span class="nv">document</span>.<span 
class="nv">f</span>.<span class="nv">largeimage</span>.<span class="nv">value</span><span class="o">&</span><span class="nv">preview</span><span class="o">=</span><span class="nv">document</span>.<span class="nv">getElementById</span><span class="ss">(</span><span class="s1">'oImg2'</span><span class="ss">)</span><span class="o">&</span><span class="nv">w</span><span class="o">=</span><span class="mi">319</span><span class="o">&</span><span class="nv">h</span><span class="o">=</span><span class="mi">215</span>,<span class="w"> </span><span class="nv">id</span><span class="o">=</span><span class="mi">913659</span>,<span class="w"> </span><span class="nv">vfid</span><span class="o">=</span><span class="mi">0</span>,<span class="w"> </span><span class="nv">type</span><span class="o">=</span><span class="mi">0</span>,<span class="w"> </span><span class="nv">client</span><span class="o">=</span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">7</span>.<span class="mi">238</span><span class="w"></span>
<span class="w"> </span><span class="nv">id</span><span class="o">=</span><span class="mi">93000</span><span class="w"> </span><span class="nv">msg</span><span class="o">=</span><span class="s2">"found it in cache"</span><span class="w"></span>
<span class="w"> </span><span class="nv">id</span><span class="o">=</span><span class="mi">93003</span><span class="w"> </span><span class="nv">user</span><span class="o">=</span><span class="s2">"N/A"</span><span class="w"> </span><span class="nv">src</span><span class="o">=</span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">7</span>.<span class="mi">238</span><span class="w"> </span><span class="nv">sport</span><span class="o">=</span><span class="mi">4796</span><span class="w"> </span><span class="nv">dst</span><span class="o">=</span><span class="mi">157</span>.<span class="mi">166</span>.<span class="mi">224</span>.<span class="mi">25</span><span class="w"> </span><span class="nv">dport</span><span class="o">=</span><span class="mi">80</span><span class="w"> </span><span class="nv">service</span><span class="o">=</span><span class="nv">http</span><span class="w"> </span><span class="nv">cat</span><span class="o">=</span><span class="mi">36</span><span class="w"> </span><span class="nv">cat_desc</span><span class="o">=</span><span class="s2">"News and Media"</span><span class="w"> </span><span class="nv">hostname</span><span class="o">=</span><span class="nv">www</span>.<span class="nv">cnn</span>.<span class="nv">com</span><span class="w"> </span><span class="nv">url</span><span class="o">=/</span><span class="nv">a7Admin</span><span class="o">/</span><span class="nv">SelectImage</span>.<span class="nv">aspx</span>?<span class="k">end</span><span class="o">=</span><span class="nv">document</span>.<span class="nv">f</span>.<span class="nv">largeimage</span>.<span class="nv">value</span><span class="o">&</span><span class="nv">preview</span><span class="o">=</span><span class="nv">document</span>.<span class="nv">getElementById</span><span class="ss">(</span><span class="s1">'oImg2'</span><span class="ss">)</span><span class="o">&</span><span class="nv">w</span><span class="o">=</span><span class="mi">319</span><span 
class="o">&</span><span class="nv">h</span><span class="o">=</span><span class="mi">215</span><span class="w"> </span><span class="nv">status</span><span class="o">=</span><span class="nv">passthrough</span><span class="w"> </span><span class="nv">msg</span><span class="o">=</span><span class="s2">"URL belongs to an allowed category in the policy"</span><span class="w"></span>
<span class="w"> </span><span class="nv">id</span><span class="o">=</span><span class="mi">93000</span><span class="w"> </span><span class="nv">pid</span><span class="o">=</span><span class="mi">50</span><span class="w"> </span><span class="nv">main</span><span class="o">-</span><span class="mi">696</span><span class="w"> </span><span class="nv">in</span><span class="w"> </span><span class="nv">main</span>.<span class="nv">c</span><span class="w"> </span><span class="nv">received</span><span class="w"> </span><span class="nv">pkt</span>:<span class="nv">count</span><span class="o">=</span><span class="mi">255</span>,<span class="w"> </span><span class="nv">a</span><span class="o">=/</span><span class="nv">tmp</span><span class="o">/</span>.<span class="nv">thttp</span>.<span class="nv">socket</span><span class="o">/</span><span class="mi">21</span><span class="w"></span>
<span class="w"> </span><span class="nv">id</span><span class="o">=</span><span class="mi">22009</span><span class="w"> </span><span class="nv">received</span><span class="w"> </span><span class="nv">a</span><span class="w"> </span><span class="nv">request</span><span class="w"> </span><span class="o">/</span><span class="nv">tmp</span><span class="o">/</span>.<span class="nv">thttp</span>.<span class="nv">socket</span>,<span class="w"> </span><span class="nv">addr_len</span><span class="o">=</span><span class="mi">21</span>:<span class="w"> </span><span class="nv">d</span><span class="o">=</span><span class="nv">b</span>.<span class="nv">mail</span>.<span class="nv">google</span>.<span class="nv">com</span>:<span class="mi">80</span>,<span class="w"> </span><span class="nv">url</span><span class="o">=/</span><span class="nv">mail</span><span class="o">/</span><span class="nv">channel</span><span class="o">/</span><span class="nv">bind</span>?<span class="nv">VER</span><span class="o">=</span><span class="mi">6</span><span class="o">&</span><span class="nv">it</span><span class="o">=</span><span class="mi">460207</span><span class="o">&</span><span class="nv">at</span><span class="o">=</span><span class="nv">xn3j2v04hx65iz3ypmmyzptrbkimsf</span><span class="o">&</span><span class="nv">RID</span><span class="o">=</span><span class="nv">rpc</span><span class="o">&</span><span class="nv">SID</span><span class="o">=</span><span class="mi">57</span><span class="nv">A1C77D6AAC35B0</span><span class="o">&</span><span class="nv">CI</span><span class="o">=</span><span class="mi">1</span><span class="o">&</span><span class="nv">AID</span><span class="o">=</span><span class="mi">347</span><span class="o">&</span><span class="nv">TYPE</span><span class="o">=</span><span class="nv">html</span><span class="o">&</span><span class="nv">zx</span><span class="o">=</span><span class="mi">8</span><span class="nv">i5clc</span><span class="o">-</span><span class="nv">olem8j</span><span 
class="o">&</span><span class="nv">DOMAIN</span><span class="o">=</span><span class="nv">mail</span>.<span class="nv">google</span>.<span class="nv">com</span><span class="o">&</span><span class="nv">t</span><span class="o">=</span><span class="mi">1</span>,<span class="w"> </span><span class="nv">id</span><span class="o">=</span><span class="mi">900542</span>,<span class="w"> </span><span class="nv">vfid</span><span class="o">=</span><span class="mi">0</span>,<span class="w"> </span><span class="nv">type</span><span class="o">=</span><span class="mi">0</span>,<span class="w"> </span><span class="nv">client</span><span class="o">=</span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">7</span>.<span class="mi">56</span><span class="w"></span>
<span class="w"> </span><span class="nv">id</span><span class="o">=</span><span class="mi">93003</span><span class="w"> </span><span class="nv">user</span><span class="o">=</span><span class="s2">"N/A"</span><span class="w"> </span><span class="nv">src</span><span class="o">=</span><span class="mi">192</span>.<span class="mi">168</span>.<span class="mi">7</span>.<span class="mi">56</span><span class="w"> </span><span class="nv">sport</span><span class="o">=</span><span class="mi">4280</span><span class="w"> </span><span class="nv">dst</span><span class="o">=</span><span class="mi">74</span>.<span class="mi">125</span>.<span class="mi">39</span>.<span class="mi">189</span><span class="w"> </span><span class="nv">dport</span><span class="o">=</span><span class="mi">80</span><span class="w"> </span><span class="nv">service</span><span class="o">=</span><span class="nv">http</span><span class="w"> </span><span class="nv">cat</span><span class="o">=</span><span class="mi">23</span><span class="w"> </span><span class="nv">cat_desc</span><span class="o">=</span><span class="s2">"Web-based Email"</span><span class="w"> </span><span class="nv">hostname</span><span class="o">=</span><span class="nv">b</span>.<span class="nv">mail</span>.<span class="nv">google</span>.<span class="nv">com</span><span class="w"> </span><span class="nv">url</span><span class="o">=/</span><span class="nv">mail</span><span class="o">/</span><span class="nv">channel</span><span class="o">/</span><span class="nv">bind</span>?<span class="nv">VER</span><span class="o">=</span><span class="mi">6</span><span class="o">&</span><span class="nv">it</span><span class="o">=</span><span class="mi">460207</span><span class="o">&</span><span class="nv">at</span><span class="o">=</span><span class="nv">xn3j2v04hx65iz3ypmmyzptrbkimsf</span><span class="o">&</span><span class="nv">RID</span><span class="o">=</span><span class="nv">rpc</span><span class="o">&</span><span class="nv">SID</span><span 
class="o">=</span><span class="mi">57</span><span class="nv">A1C77D6AAC35B0</span><span class="o">&</span><span class="nv">CI</span><span class="o">=</span><span class="mi">1</span><span class="o">&</span><span class="nv">AID</span><span class="o">=</span><span class="mi">347</span><span class="o">&</span><span class="nv">TYPE</span><span class="o">=</span><span class="nv">html</span><span class="o">&</span><span class="nv">zx</span><span class="o">=</span><span class="mi">8</span><span class="nv">i5clc</span><span class="o">-</span><span class="nv">olem8j</span><span class="o">&</span><span class="nv">DOMAIN</span><span class="o">=</span><span class="nv">mail</span>.<span class="nv">google</span>.<span class="nv">com</span><span class="o">&</span><span class="nv">t</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="nv">status</span><span class="o">=</span><span class="nv">passthrough</span><span class="w"> </span><span class="nv">msg</span><span class="o">=</span><span class="s2">"URL belongs to an allowed category in the policy"</span><span class="w"></span>
</code></pre></div>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>You can't set duplex/speed settings of the Fortigate interfaces?2009-06-10T18:24:49+00:002009-06-10T18:24:49+00:00Yuri Slobodyanyuktag:yurisk.info,2009-06-10:/2009/06/10/you-cant-set-duplexspeed-settings-of-the-fortigate-interfaces/<p>Sometimes you can't set duplex/speed settings of the Fortigate interfaces.
<strong>Important note: it depends on which interface you are trying to set!</strong><br>
Upon careful examination it turns out that you can't set duplex/speed settings of <strong>4-port switch interfaces only</strong>, i.e. the Internal interface of the Fortigate 60, 60M, 100A, 200A and FortiWiFi-60, and also the LAN interface of the 500A. </p>
<p>Tried on FG100A FortiOS v4.0,build0178,090820 (MR1) </p>
<div class="highlight"><pre><span></span><code> FG100 (dmz2) # set speed
100full 100M full-duplex
100half 100M half-duplex
10full 10M full-duplex
10half 10M half-duplex
auto auto adjust speed
</code></pre></div>
<p>Working most of the time with Cisco gear, I (and others) am used to being able to set duplex/speed parameters on the physical interfaces as I like.
This becomes a necessity when connecting Cisco to various equipment of differing quality. So it was a surprise to me when I encountered a layer 1/layer 2 connectivity problem between a Fortigate 200A and a Cisco router and tried to manually set duplex full/speed 100 on the Fortigate, just to find out that it is impossible to do on that Fortigate.
It was possible back in the days of FortiOS 2.80 (and early 3.0 - I guess up until MR5): </p>
<p><strong># conf sys int</strong><br>
(interface)# <strong>edit internal</strong><br>
(internal)# <strong>set speed</strong> </p>
<div class="highlight"><pre><span></span><code> 100full 100M full-duplex
100half 100M half-duplex
10full 10M full-duplex
10half 10M half-duplex
</code></pre></div>
<p>But then Fortinet dropped this option, and the only (indirect) explanation found on their site is this memo:
"Locked-down port policies (forcing speed, duplex, and link capabilities with auto-negotiation disabled) are
outdated. Legacy and historical reasons for forced setup with auto-negotiation disabled date
back many years when the technology was new..."</p>
<p>Now we can see the negotiated status of the links (this command also shows errors/collisions/MTU on the interface): </p>
<p>FG100 # <strong>diagnose hardware deviceinfo nic internal</strong></p>
<div class="highlight"><pre><span></span><code> Description VIA VT6102 Rhine-II
Part_Number N/A
Driver_Name via-rhine
Driver_Version 1.1.17
PCI_Vendor 0x1106
PCI_Device_ID 0x3065
PCI_Subsystem_Vendor 0x3065
PCI_Subsystem_ID 0x1106
PCI_Revision_ID 0x74
PCI_Address 0:12.0
PCI_Bus_Type
Memory 0x0000f400
IRQ 11
System_Device_Name internal
Current_HWaddr 00:09:0f:30:32:11 #In HA set up primary member would have different , virtual MAC address
Permanent_HWaddr 00:09:0f:30:32:11
Link up
Speed 100
Duplex forced full
FlowControl off
State up(0x00001103)
MTU_Size 1392
Rx_Packets 89944267
Tx_Packets 73437299
Rx_Bytes 370540924
Tx_Bytes 428118992
Rx_Errors 0
Tx_Errors 0
Rx_Dropped 0
Tx_Dropped 0
Multicast 8810
Collisions 0
Rx_Length_Errors 0
Rx_Over_Errors -0
Rx_CRC_Errors 0
Rx_Frame_Errors 0
Rx_FIFO_Errors 0
Rx_Missed_Errors 0
Tx_Aborted_Errors 0
Tx_Carrier_Errors 0
Tx_FIFO_Errors 0
Tx_Heartbeat_Errors 0
Tx_Window_Errors 0
Tx_Single_Collision_Frames 0
Tx_Multiple_Collision_Frames 0
Rx_Frame_Too_Longs 0
Rx_Symbol_Errors 0
Rx_Control_Unknown_Opcodes 0
Rx_Pause_Frames 0
Tx_Pause_Frames 0
Scatter_Gather OFF
poll_intr_switch 0
rx_tasklet_pkts 92505560
xmit queue 0
recv queue -64
phy_id= 1/1
</code></pre></div>
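<p>Since you can no longer force the setting, what is left is checking what was negotiated and whether the link suffers from it. As an added example (not part of the original post, and not a Fortinet tool), here is a small Python checker that parses <code>diagnose hardware deviceinfo nic</code> output of the form shown above and flags what you would look at when chasing a speed/duplex problem: a link that is not up, a half-duplex negotiation, and non-zero collision/CRC/error counters. Both samples are constructed: <code>HEALTHY</code> is trimmed from the output above, <code>MISMATCH</code> is an invented excerpt showing how a duplex mismatch typically presents.</p>

```python
# Constructed samples. HEALTHY is trimmed from the deviceinfo output in the
# post; MISMATCH is an invented excerpt of what a duplex mismatch usually looks
# like (half duplex on one end, collisions and CRC/frame errors climbing).
HEALTHY = """\
Current_HWaddr 00:09:0f:30:32:11 #In HA set up primary member would have different , virtual MAC address
Link up
Speed 100
Duplex forced full
FlowControl off
MTU_Size 1392
Rx_Errors 0
Tx_Errors 0
Rx_Dropped 0
Tx_Dropped 0
Collisions 0
Rx_Over_Errors -0
Rx_CRC_Errors 0
Rx_Frame_Errors 0
Tx_Carrier_Errors 0
"""

MISMATCH = """\
Link up
Speed 100
Duplex half
Rx_Errors 0
Tx_Errors 0
Collisions 1523
Rx_CRC_Errors 40
Rx_Frame_Errors 12
"""

# Counters that should stay at zero on a healthy full-duplex link.
ERROR_COUNTERS = (
    "Rx_Errors", "Tx_Errors", "Rx_Dropped", "Tx_Dropped", "Collisions",
    "Rx_Over_Errors", "Rx_CRC_Errors", "Rx_Frame_Errors", "Tx_Carrier_Errors",
)


def parse_deviceinfo(text):
    """Turn 'Key value' lines into a dict; trailing '#...' annotations are dropped."""
    info = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        info[key] = value.strip()
    return info


def check_nic(info):
    """Return a list of (key, value, reason) findings; an empty list means healthy."""
    findings = []
    if info.get("Link", "").lower() != "up":
        findings.append(("Link", info.get("Link", ""), "link is not up"))
    duplex = info.get("Duplex", "")
    if "full" not in duplex.lower():
        findings.append(("Duplex", duplex,
                         "not full duplex: classic auto-negotiation mismatch symptom"))
    for key in ERROR_COUNTERS:
        raw = info.get(key)
        if raw is None:
            continue
        try:
            value = int(raw)  # also copes with the odd "-0" the firmware prints
        except ValueError:
            continue
        if value != 0:
            findings.append((key, raw, "non-zero error counter"))
    return findings


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("mismatch", MISMATCH)):
        findings = check_nic(parse_deviceinfo(sample))
        print(f"{name}: {'OK' if not findings else ''}")
        for key, value, reason in findings:
            print(f"  {key} = {value}: {reason}")
```

<p>Run it against the saved output of the command for each interface (or feed it the text over an SSH session); a <code>Duplex</code> finding together with rising <code>Collisions</code> and <code>Rx_CRC_Errors</code> on a 100 Mbit link is the usual signature of one end forced and the other auto-negotiating.</p>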
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Tracking the source of DDOS attack with Cisco IOS ip source tracking2009-05-28T11:23:47+00:002009-05-28T11:23:47+00:00Yuri Slobodyanyuktag:yurisk.info,2009-05-28:/2009/05/28/tracking-the-source-of-dos-attack-with-cisco-ios/<hr>
<p>Problem: the enterprise is under a Denial of Service attack (DDOS) that brings down key elements of the business, or the whole network.
Tracking the attacker is the first step in handling the attack, and unless the flood is coming from inside (most probably not, in a well-managed LAN) you will need the help of your Service Provider to find out the origin. Unfortunately the Service Provider's (SP) backbone is not well suited for such forensics, as its business role is
to provide uninterrupted connectivity to ALL the clients, not only you, so the SP will not enable ACLs/ip accounting/Netflow on their backbone to identify where the attack is coming from. And if the source IP of the attack is spoofed you can't do much.</p>
<p>For such cases Cisco came up with a nice feature called <strong>ip source tracking</strong> that gathers flow statistics for specific destination IPs (of the victim), periodically exports them for viewing, and does all this without overloading the backbone router it is enabled on (relevant, of course, only if your SP is using Cisco gear). Here are the details: </p>
<ul>
<li>Enable it globally for the victim IP; here the IP being attacked is 63.45.33.22 </li>
</ul>
<p><strong>PE(config)# ip source-track 63.45.33.22</strong> </p>
<ul>
<li>
<p>If you want (and if this is being done by the SP they probably will not), you may create log entries:<br>
<strong>PE(config)# ip source-track syslog-interval 2</strong><br>
Then you will see in the logs (a good reminder to disable this afterwards):<br>
<code>May 28 10:55:47.105: %DOS_TRACK-5-CFG: IP Source Tracker configured for 1 hosts</code> </p>
</li>
<li>
<p>You may also define how often the gathered info is exported to be viewed (seems to depend on the platform): </p>
</li>
</ul>
<p><strong>PE(config)# ip source-track export-interval 60</strong> </p>
<ul>
<li>And finally, you see the data accumulated so far: </li>
</ul>
<p><strong>PE#sh ip source-track</strong> </p>
<div class="highlight"><pre><span></span><code>Address SrcIF Bytes Pkts Bytes/s Pkts/s
63.45.33.22 Fa0/0 141G 485M 8244 141
</code></pre></div>
<p>Most important here is the source interface (in this router there is only one ingress interface; in a real backbone you will have a few feeds) on which you see most of the incoming traffic for this destination IP. Your SP would then go to the upstream router connected to this local interface, enable the same source tracking, and so on, up to the last point in the backbone where the attacking traffic enters
the SP's backbone from some upstream SP. The SP then has the option to contact the abuse desk of this upstream provider for them to investigate the issue further, or at least to divert the attack to a black hole at the entry point, so the end client is not affected at all.</p>
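<p>As an added example (not from the post, and not a Cisco tool), here is a Python helper for the hop-by-hop step above: it parses <code>show ip source-track</code> output, expands the K/M/G counter suffixes IOS prints, and ranks the ingress interfaces for the victim address by byte count, so the next router to check is the one behind the dominant feed. The sample output is constructed to show a router with three feeds (the post's router has only one); the interface names and the smaller counters are invented.</p>

```python
import re

# Constructed "show ip source-track" output for a router with three ingress
# interfaces (the post's router has only one). Values are illustrative.
SAMPLE_OUTPUT = """\
Address         SrcIF   Bytes    Pkts     Bytes/s  Pkts/s
63.45.33.22     Fa0/0   141G     485M     8244     141
63.45.33.22     Gi1/1   2M       13K      12       1
63.45.33.22     Se0/0   540K     4K       3        0
"""

_SUFFIX = {"": 1, "K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12}
_COUNTER = re.compile(r"(\d+(?:\.\d+)?)([KMGT]?)")


def parse_count(token):
    """Expand an IOS abbreviated counter such as '141G' or '485M' to an int."""
    m = _COUNTER.fullmatch(token.strip().upper())
    if not m:
        raise ValueError(f"unrecognised counter: {token!r}")
    return int(float(m.group(1)) * _SUFFIX[m.group(2)])


def parse_source_track(text):
    """Return one dict per data row of 'show ip source-track'."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0].lower() == "address":
            continue  # header, blank line, or a row we do not understand
        address, srcif, nbytes, pkts, bps, pps = fields
        rows.append({
            "address": address,
            "srcif": srcif,
            "bytes": parse_count(nbytes),
            "pkts": parse_count(pkts),
            "bytes_per_s": parse_count(bps),
            "pkts_per_s": parse_count(pps),
        })
    return rows


def rank_ingress(rows, address):
    """(interface, bytes, share) tuples for one victim address, largest first."""
    per_if = {}
    for row in rows:
        if row["address"] == address:
            per_if[row["srcif"]] = per_if.get(row["srcif"], 0) + row["bytes"]
    total = sum(per_if.values())
    ranked = sorted(per_if.items(), key=lambda kv: kv[1], reverse=True)
    return [(ifname, b, b / total if total else 0.0) for ifname, b in ranked]


def next_hop_interface(rows, address, min_share=0.5):
    """The interface to follow upstream, or None when no single feed dominates
    (a genuinely distributed attack may have to be followed along several feeds)."""
    ranked = rank_ingress(rows, address)
    if not ranked or ranked[0][2] < min_share:
        return None
    return ranked[0][0]


if __name__ == "__main__":
    rows = parse_source_track(SAMPLE_OUTPUT)
    for ifname, nbytes, share in rank_ingress(rows, "63.45.33.22"):
        print(f"{ifname:8} {nbytes:>15,d} bytes  {share:6.1%}")
    print("follow:", next_hop_interface(rows, "63.45.33.22"))
```

<p>The <code>min_share</code> threshold is there so the script says "no single feed" rather than sending you up the wrong link when the traffic is spread evenly; in that case each feed above a few percent gets its own upstream walk.</p>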
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Checkpoint UTM Appliance or Open Server/Power ?2009-05-08T09:09:08+00:002009-05-08T09:09:08+00:00Yuri Slobodyanyuktag:yurisk.info,2009-05-08:/2009/05/08/utm-or-power-checkpoint/<p>UTM or Power ?
How do you know, when logged in with ssh, what type of machine you are working with?
I know 3 ways to find out:</p>
<ol>
<li>By the interface names; see the difference:</li>
</ol>
<h4>UTM</h4>
<p>(output edited for conciseness)</p>
<p><strong>[Expert@Firewall]# ifconfig</strong></p>
<div class="highlight"><pre><span></span><code> DMZ Link encap Ethernet HWaddr 00 90 FB 22 11 00
DMZ.10 Link encap Ethernet HWaddr 00 90 FB 22 11 00
DMZ.20 Link encap Ethernet HWaddr 00 90 FB 22 11 00
DMZ.30 Link encap Ethernet HWaddr 00 90 FB 22 11 00
DMZ.40 Link encap Ethernet HWaddr 00 90 FB 22 11 00
DMZ.50 Link encap Ethernet HWaddr 00 90 FB 22 11 00
DMZ.60 Link encap Ethernet HWaddr 00 90 FB 22 11 00
DMZ.70 Link encap Ethernet HWaddr 00 90 FB 22 11 00
DMZ.80 Link encap Ethernet HWaddr 00 90 FB 22 11 00
External Link encap Ethernet HWaddr 00 90 FB 22 11 00
Internal Link encap Ethernet HWaddr 00 90 FB 22 11 00
Lan1 Link encap Ethernet HWaddr 00 90 FB 22 11 00
Lan2 Link encap Ethernet HWaddr 00 90 FB 22 11 00
Lan2.2 Link encap Ethernet HWaddr 00 90 FB 22 11 00
Lan2.3 Link encap Ethernet HWaddr 00 90 FB 22 11 00
Lan2.4 Link encap Ethernet HWaddr 00 90 FB 22 11 00
Lan2.5 Link encap Ethernet HWaddr 00 90 FB 22 11 00
lo Link encap:Local Loopback
</code></pre></div>
<h4>Open Server/VPN Power</h4>
<p>(output edited for conciseness)<br>
Here you will see the usual output as seen on any Linux-installed server.<br>
<strong>[Expert@CP]# ifconfig</strong></p>
<div class="highlight"><pre><span></span><code>eth0 Link encap:Ethernet HWaddr 00:33:12:FD:47:92
eth1 Link encap:Ethernet HWaddr 00:33:12:FD:47:12
eth3 Link encap:Ethernet HWaddr 00:33:12:FD:47:55
lo Link encap:Local Loopback
</code></pre></div>
<ol start="2">
<li>By installed product names (seen on the cpug.org forum somewhere):</li>
</ol>
<p><strong>[Expert@CP]#sysconfig</strong><br>
-> Option 10 "Product installation.." -> Next -> Yes; it then presents you with the products available for
this hardware.</p>
<h4>UTM</h4>
<p>The following products are available in this version<br>
Please select product(s) </p>
<p>1 [x] VPN-1 UTM<br>
2 [ ] UserAuthority<br>
3 [x] SmartCenter UTM <br>
4 [x] Eventia Suite<br>
5 [ ] Integrity<br>
6 [ ] Performance Pack<br>
7 [x] SmartPortal </p>
<h4>VPN Power</h4>
<p>The following products are available in this version<br>
Please select product(s) </p>
<p>1 [x] VPN-1 Power<br>
2 [ ] UserAuthority<br>
3 [x] SmartCenter<br>
4 [ ] Eventia Suite<br>
5 [ ] Integrity<br>
6 [ ] Performance Pack<br>
7 [ ] SmartPortal </p>
<ol start="3">
<li>Yet another way, this time provided by Checkpoint itself:</li>
</ol>
<p><strong>/bin/is_power<br>
/bin/is_appliance</strong> </p>
<p>When you run each of these, it prints either 0 or nothing to the terminal; the tool that prints nothing identifies the
type of software we are working with.
If you know of other ways to find out, feel free to share.</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Change password for console expert user Checkpoint Splat2009-05-02T08:50:32+00:002009-05-02T08:50:32+00:00Yuri Slobodyanyuktag:yurisk.info,2009-05-02:/2009/05/02/change-password-for-console-user-checkpoint-splat/<p><strong>Update 2022</strong>: Checkpoint has disabled changing the Expert password with <code>passwd</code> altogether. When trying to run the command, no matter what you enter, the result will be the errors "bad credentials" and "Authentication token manipulation error". You can only change the Expert password in Gaia, either in <code>clish</code> or in the WebUI. </p>
<p>As seen many times, Checkpoint has its own way of doing otherwise simple and straightforward tasks. Changing the password of a shell account is another example.
By default, when installed, Splat creates two console/OS users: admin and root. You can't log in remotely (i.e. by ssh) as root, because /etc/ssh/sshd_config contains this: </p>
<div class="highlight"><pre><span></span><code>DenyUsers root shutdown halt nobody ntp pcap rpm
AllowGroups root
</code></pre></div>
<p>So, basically, you are left with the admin user to do all command-line tasks (Expert mode), a security flaw in itself; but even more, when you try to change the password of this user with the <em>passwd</em> command, Checkpoint doesn't let you. Even worse, it happily goes ahead and notifies you that the password has been successfully changed and ... you can still log in only with the old password. The reason is here: </p>
<div class="highlight"><pre><span></span><code><span class="o">[</span><span class="n">Expert@cp</span><span class="o">]</span><span class="err">#</span><span class="w"> </span><span class="n">which</span><span class="w"> </span><span class="n">passwd</span><span class="w"></span>
<span class="k">alias</span><span class="w"> </span><span class="n">passwd</span><span class="o">=</span><span class="s1">'/bin/expert_passwd'</span><span class="w"></span>
<span class="w"> </span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">expert_passwd</span><span class="w"></span>
<span class="o">[</span><span class="n">Expert@cp</span><span class="o">]</span><span class="err">#</span><span class="w"></span>
</code></pre></div>
<p>This way Splat tricks you into running a dummy 'passwd' of its own that is only good for the CPshell
environment. So to really change the password of the Expert user you have 2 options:<br>
1. Through the Web device management GUI (not covered here)<br>
2. Use the native passwd, see below</p>
<div class="highlight"><pre><span></span><code><span class="o">[</span><span class="n">Expert@cp</span><span class="o">]</span><span class="err">#</span><span class="w"> </span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">passwd</span><span class="w"> </span><span class="n">rambo</span><span class="w"></span>
<span class="n">Changing</span><span class="w"> </span><span class="n">password</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">user</span><span class="w"> </span><span class="n">rambo</span><span class="p">.</span><span class="w"></span>
<span class="k">New</span><span class="w"> </span><span class="n">UNIX</span><span class="w"> </span><span class="nl">password</span><span class="p">:</span><span class="w"></span>
<span class="n">Retype</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">UNIX</span><span class="w"> </span><span class="nl">password</span><span class="p">:</span><span class="w"></span>
<span class="nl">passwd</span><span class="p">:</span><span class="w"> </span><span class="ow">all</span><span class="w"> </span><span class="n">authentication</span><span class="w"> </span><span class="n">tokens</span><span class="w"> </span><span class="n">updated</span><span class="w"> </span><span class="n">successfully</span><span class="p">.</span><span class="w"></span>
<span class="o">[</span><span class="n">Expert@cp</span><span class="o">]</span><span class="err">#</span><span class="w"></span>
</code></pre></div>
<p>Here:<br>
<code>/usr/bin/passwd</code> - the native Linux passwd utility<br>
<code>rambo</code> - the Expert user I added to the system, after which I blocked remote login for user admin (type <strong>admin</strong> instead for the default user).</p>
<p>Adding an Expert user.<br>
To add another user with uid = 0 use the -o switch: </p>
<p>[Expert@cp]# <strong>useradd -u 0 -g 0 -o -s /bin/bash rambo</strong><br>
Then change the password as above and fix /etc/ssh/sshd_config to allow rambo to log in and block
admin from logging in: </p>
<div class="highlight"><pre><span></span><code>DenyUsers root shutdown halt nobody ntp pcap rpm admin
AllowGroups root
</code></pre></div>
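<p>The recipe above leaves the box with several uid 0 accounts and relies on <code>DenyUsers</code> to keep the ones you do not want reachable over ssh, so it is worth verifying the end state rather than trusting the edit. As an added example (not from the post, and not a Checkpoint tool), here is a Python audit that takes the text of /etc/passwd and sshd_config and reports every uid 0 account and which of them sshd's <code>DenyUsers</code>/<code>AllowUsers</code> filtering would still admit. Both excerpts are constructed; the uid, gid and shell values are illustrative rather than what a particular SPLAT build ships, and <code>AllowGroups</code>/<code>DenyGroups</code> are deliberately not evaluated because that needs /etc/group as well.</p>

```python
import fnmatch

# Constructed /etc/passwd excerpt (not the post's box): one extra uid 0 user
# added with "useradd -u 0 -g 0 -o" as in the post. Shells and uids are illustrative.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:admin:/home/admin:/bin/bash
rambo:x:0:0::/home/rambo:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
"""

# Constructed sshd_config excerpt mirroring the edited lines in the post.
SAMPLE_SSHD_CONFIG = """\
# sshd_config excerpt
DenyUsers root shutdown halt nobody ntp pcap rpm admin
AllowGroups root
"""


def uid0_accounts(passwd_text):
    """Names of every account whose uid is 0 (each of them is root in all but name)."""
    names = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names


def sshd_directive(config_text, keyword):
    """Values of the first occurrence of a keyword (sshd honours the first one)."""
    for line in config_text.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == keyword.lower():
            return parts[1:]
    return []


def ssh_login_permitted(config_text, user):
    """Apply the DenyUsers/AllowUsers part of sshd's user filtering.

    Patterns are sshd wildcards; a 'user@host' pattern is matched on its user
    part only. AllowGroups/DenyGroups are not checked (they need /etc/group).
    """
    deny = [p.split("@", 1)[0] for p in sshd_directive(config_text, "DenyUsers")]
    allow = [p.split("@", 1)[0] for p in sshd_directive(config_text, "AllowUsers")]
    if any(fnmatch.fnmatchcase(user, p) for p in deny):
        return False
    if allow and not any(fnmatch.fnmatchcase(user, p) for p in allow):
        return False
    return True


def audit(passwd_text, config_text):
    """Every uid 0 account, and the subset sshd would still let log in remotely."""
    uid0 = uid0_accounts(passwd_text)
    remote = [u for u in uid0 if ssh_login_permitted(config_text, u)]
    return {"uid0": uid0, "uid0_ssh_permitted": remote}


if __name__ == "__main__":
    report = audit(SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG)
    print("uid 0 accounts:     ", ", ".join(report["uid0"]))
    print("reachable over ssh: ", ", ".join(report["uid0_ssh_permitted"]))
```

<p>On the sample the only uid 0 account sshd still admits is <code>rambo</code>, which is the intended end state of the post; if <code>admin</code> shows up in <code>uid0_ssh_permitted</code>, the <code>DenyUsers</code> edit did not take (or a later <code>DenyUsers</code> line is being shadowed by an earlier one).</p>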
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Debug VPN in Fortigate - seeing is believing2009-04-21T16:54:19+00:002009-04-21T16:54:19+00:00Yuri Slobodyanyuktag:yurisk.info,2009-04-21:/2009/04/21/debug-vpn-in-fortigate-seeing-is-believing/<p>Updated: 2022</p>
<p>You can't really debug VPN problems with static show commands; if a VPN fails to function you HAVE to
see it happening in real time. Below I list a few debug commands to do just that for IPSEC site-to-site
tunnels on a Fortigate. </p>
<p>Here:<br>
192.168.168.254 - IP address on the LAN interface of the Fortigate<br>
10.170.15.131 - IP address on the remote LAN<br>
200.199.20.162 - IP of the WAN interface of the local Fortigate<br>
72.21.207.65 - IP of the remote VPN peer </p>
<ol>
<li>Reset debug filters if any<br>
Fortigate-VPN-100 <strong># diag debug reset</strong><br>
Fortigate-VPN-100 <strong># diagnose vpn ike log-filter clear</strong></li>
<li>(Optionally) Set a filter to limit debugging to a specific VPN tunnel. </li>
<li>First, find the name of the VPN tunnel you want to debug:<br>
Fortigate-VPN-100 <strong># get vpn ike gateway | grep name</strong> <div class="highlight"><pre><span></span><code><span class="n">name</span><span class="o">:</span><span class="w"> </span><span class="n">S2S2</span><span class="o">-</span><span class="n">Phase1</span><span class="w"></span>
<span class="n">name</span><span class="o">:</span><span class="w"> </span><span class="n">Bunuel</span><span class="w"></span>
<span class="n">name</span><span class="o">:</span><span class="w"> </span><span class="n">S2_Teheran</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Set the VPN debug filter to show only messages related to this tunnel (in this case "Bunuel"):<br>
Fortigate-VPN-100 <strong># diagnose vpn ike log-filter name Bunuel</strong> </li>
<li>Make sure the filter is right:<br>
Fortigate-VPN-100 <strong># diagnose vpn ike log-filter list</strong> </li>
</ul>
</li>
</ol>
<div class="highlight"><pre><span></span><code> vd: any
name: Bunuel
interface: any
IPv4 source: any
IPv4 dest: any
IPv6 source: any
IPv6 dest: any
<span class="nb">source</span> port: any
dest port: any
</code></pre></div>
<ol>
<li>
<p>Enable debugging<br>
Fortigate-VPN-100 <strong># diag debug en</strong> </p>
</li>
<li>
<p>Enable debug messages for a specific application; here we are interested in IKE (note the debug level of <strong>-1</strong>:
following logic, I first enabled +1, 255 etc. and surprisingly it had no effect at all):<br>
Fortigate-VPN-100 <strong># diag debug app ike -1</strong><br>
I, personally, also prefer to run a sniffer during the tests I run, so:<br>
Fortigate-VPN-100 <strong># diagnose sniffer packet any 'host 10.170.15.131'</strong><br>
Now open another ssh session to the same Fortigate and ping the IP on the other side of the VPN tunnel
with the source IP of the internal LAN (if the local LAN is part of the encryption domain; otherwise just ask the client to ping from a network in the encryption domain). </p>
</li>
<li>Configure pings to go with the source interface of LAN of the Fortigate:<br>
Fortigate-VPN-100 <strong># exec ping-options source 192.168.168.254</strong> </li>
<li>Now do pings to bring up the VPN tunnel:<br>
Fortigate-VPN-100 <strong># exec ping 10.170.15.131</strong> <div class="highlight"><pre><span></span><code>PING 10.170.15.131 (10.170.15.131): 56 data bytes
64 bytes from 10.170.15.131: icmp_seq=1 ttl=252 time=73.2 ms
64 bytes from 10.170.15.131: icmp_seq=2 ttl=252 time=116.3 ms
64 bytes from 10.170.15.131: icmp_seq=3 ttl=252 time=110.3 ms
64 bytes from 10.170.15.131: icmp_seq=4 ttl=252 time=138.4 ms
</code></pre></div>
</li>
</ol>
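<p>Reading the raw IKE debug gets tedious once several tunnels are flapping, so here is an added example (not part of the post) of a Python helper that pairs what the Fortigate sent to each peer with what came back, in the line format produced by <code>diag debug app ike -1</code> as shown in this post. The sample lines are constructed from that format: the <code>Robophone1</code>/<code>72.21.207.65</code> exchange mirrors the post's output, while the second tunnel (name <code>Example2</code>, peer <code>198.51.100.7</code>, both invented, the latter a documentation address) and the <code>quick_i2send</code> state are assumptions added to show the failure mode you see most often when a tunnel will not come up: messages go out, nothing comes back, usually because UDP 500/4500 is filtered somewhere on the path, the peer IP is wrong, or the peer is down.</p>

```python
import re

# Constructed "diag debug app ike -1" lines modelled on the post's output.
# Robophone1 negotiates normally; Example2 (invented name, invented peer
# 198.51.100.7) sends the same message three times and never hears back.
SAMPLE_DEBUG = """\
0:Robophone1:1990: sent IKE msg (quick_i1send): 200.199.20.162:500->72.21.207.65:500, len=148
Robophone: Initiator: sent 72.21.207.65quick mode message #1 (OK)
0: comes 72.21.207.65:500->200.199.20.162:500,ifindex=3....
0: exchange=Quick id=d3351433913f978c/069bcd9a38263f3a:5125b9f3 len=156
0:Robophone1:1990: sent IKE msg (quick_i2send): 200.199.20.162:500->72.21.207.65:500, len=60
0:Example2:2001: sent IKE msg (ident_i1send): 200.199.20.162:500->198.51.100.7:500, len=336
0:Example2:2001: sent IKE msg (ident_i1send): 200.199.20.162:500->198.51.100.7:500, len=336
0:Example2:2001: sent IKE msg (ident_i1send): 200.199.20.162:500->198.51.100.7:500, len=336
"""

# "<vd>:<gateway>:<serial>: sent IKE msg (<state>): <src>:<port>-><dst>:<port>, len=<n>"
SENT = re.compile(
    r"^\d+:(?P<gw>[^:]+):\d+: sent IKE msg \((?P<state>[^)]+)\): "
    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+, len=(?P<len>\d+)"
)
# "<vd>: comes <peer>:<port>-><local>:<port>,ifindex=..."
CAME = re.compile(r"^\d+: comes (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+")


def summarize_ike(debug_text):
    """Per remote peer: gateway name, messages sent, messages received,
    and the sequence of sender states (quick_i1send, ...)."""
    peers = {}
    for line in debug_text.splitlines():
        m = SENT.match(line)
        if m:
            entry = peers.setdefault(m["dst"], {"gateway": m["gw"], "sent": 0,
                                                "received": 0, "states": []})
            entry["sent"] += 1
            entry["states"].append(m["state"])
            continue
        m = CAME.match(line)
        if m:
            # A peer that speaks first (we are the responder) still gets an entry.
            entry = peers.setdefault(m["src"], {"gateway": "(unknown)", "sent": 0,
                                                "received": 0, "states": []})
            entry["received"] += 1
    return peers


def unanswered_peers(peers):
    """Peers we sent to that never replied: the first thing to check when a
    tunnel stays down (UDP 500/4500 filtered, wrong peer IP, peer down)."""
    return sorted(p for p, e in peers.items() if e["sent"] and not e["received"])


def retransmitting_peers(peers):
    """Peers for which the same state was sent more than once in a row."""
    out = []
    for peer, e in peers.items():
        states = e["states"]
        if any(states[i] == states[i - 1] for i in range(1, len(states))):
            out.append(peer)
    return sorted(out)


if __name__ == "__main__":
    peers = summarize_ike(SAMPLE_DEBUG)
    for peer, e in peers.items():
        print(f"{e['gateway']:12} {peer:16} sent={e['sent']} received={e['received']} "
              f"states={','.join(e['states'])}")
    print("no reply from:", unanswered_peers(peers))
    print("retransmitting to:", retransmitting_peers(peers))
```

<p>Paste the debug capture into <code>SAMPLE_DEBUG</code> (or read it from a file) and look at the two lists first: a peer in <code>unanswered_peers</code> is a reachability problem to take to the sniffer output, whereas a peer that answers but keeps reappearing in <code>retransmitting_peers</code> points at a proposal or pre-shared key mismatch, which the lines after the <code>comes</code> entry will spell out.</p>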
<p>When you return to the 1st ssh session you will see the debug output: </p>
<div class="highlight"><pre><span></span><code><span class="n">interfaces</span><span class="o">=[</span><span class="n">any</span><span class="o">]</span><span class="w"></span>
<span class="n">filters</span><span class="o">=[</span><span class="n">host 10.170.15.131</span><span class="o">]</span><span class="w"></span>
<span class="mi">0</span><span class="err">:</span><span class="nl">Robophone1</span><span class="p">:</span><span class="n">Robophone1</span><span class="o">/</span><span class="mi">2</span><span class="err">:</span><span class="w"> </span><span class="n">IPsec</span><span class="w"> </span><span class="n">SA</span><span class="w"> </span><span class="k">connect</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="mf">200.199.20.162</span><span class="o">-></span><span class="mf">72.21.207.65</span><span class="err">:</span><span class="mi">500</span><span class="w"> </span><span class="p">,</span><span class="w"> </span><span class="n">natt_mode</span><span class="o">=</span><span class="mi">0</span><span class="w"></span>
<span class="mi">0</span><span class="err">:</span><span class="nl">Robophone1</span><span class="p">:</span><span class="w"> </span><span class="k">using</span><span class="w"> </span><span class="n">existing</span><span class="w"> </span><span class="k">connection</span><span class="p">,</span><span class="w"> </span><span class="n">dpd_fail</span><span class="o">=</span><span class="mi">0</span><span class="w"></span>
<span class="mi">0</span><span class="err">:</span><span class="nl">Robophone1</span><span class="p">:</span><span class="w"> </span><span class="k">found</span><span class="w"> </span><span class="n">phase2</span><span class="w"> </span><span class="n">Robophone1</span><span class="o">/</span><span class="mi">2</span><span class="w"></span>
<span class="mi">0</span><span class="err">:</span><span class="nl">Robophone1</span><span class="p">:</span><span class="w"> </span><span class="n">IPsec</span><span class="w"> </span><span class="n">SA</span><span class="w"> </span><span class="k">connect</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="mf">200.199.20.162</span><span class="o">-></span><span class="mf">72.21.207.65</span><span class="err">:</span><span class="mi">500</span><span class="w"> </span><span class="n">negotiating</span><span class="w"></span>
0:Robophone1:1990: cookie d3351433913f978c/069bcd9a38263f3a:5125b9f3
0:Robophone1:1990:Robophone1/2:471585: initiator selectors 0 200.199.20.162:0-&gt;10.170.15.131:0
0:Robophone1:1990: sent IKE msg (quick_i1send): 200.199.20.162:500-&gt;72.21.207.65:500, len=148
Robophone: Initiator: sent 72.21.207.65 quick mode message #1 (OK)
0: comes 72.21.207.65:500-&gt;200.199.20.162:500,ifindex=3....
0: exchange=Quick id=d3351433913f978c/069bcd9a38263f3a:5125b9f3 len=156
0: found Robophone1 200.199.20.162 3 -&gt; 72.21.207.65:500
0:RobophoneRobophone1:1990:Robophone1/2:471585: responder selectors 0 200.199.20.162:0-&gt;10.170.15.131:0
0:Robophone1:1990: sent IKE msg (quick_i2send): 200.199.20.162:500-&gt;72.21.207.65:500, len=60
0:Robophone1:1990:Robophone1/2:471585: set sa life soft seconds=1775.
0:Robophone1:1990:Robophone1/2:471585: set sa life hard seconds=1800.
0:Robophone1:1990:Robophone1/2:471585: add SA #src=1 #dst=1
0:Robophone1:1990:Robophone1/2:471585: src 0 4 192.168.168.0/255.255.255.0
0:Robophone1:1990:Robophone1/2:471585: dst 0 1 10.170.15.131
0:Robophone1:1990:Robophone1/2:471585: installed SA: SPIs=2f1c289f/ea7a510d
0:Robophone1:1990:Robophone1/2:471585: sending SNMP tunnel UP trap
Robophone1: Initiator: sent 72.21.207.65 quick mode message #2 (DONE)
15.153033 10.170.15.131 -&gt; 200.199.20.162: icmp: echo reply
16.196213 10.170.15.131 -&gt; 200.199.20.162: icmp: echo reply
17.190216 10.170.15.131 -&gt; 200.199.20.162: icmp: echo reply
18.218259 10.170.15.131 -&gt; 200.199.20.162: icmp: echo reply
4 packets received by filter
0 packets dropped by kernel
</code></pre></div>
<p>Don't forget to disable debug afterwards: </p>
<p>Fortigate-VPN-100 <strong># diag debug app ike 0</strong><br>
-OR-<br>
Fortigate-VPN-100 <strong># diag debug disable</strong> </p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>Black hole routing to the rescue - Fortigate OS 4 surprise 2009-04-09T10:59:25+00:00 2009-04-09T10:59:25+00:00 Yuri Slobodyanyuk tag:yurisk.info,2009-04-09:/2009/04/09/black-hole-routing-to-the-rescue-fortigate-os-4-surprise/<p>Many times there is more than one solution to a problem, and the most obvious is not the best one. I
reminded myself of this when a Fortigate 60 unit came into my care that was periodically blocking traffic -
you know, this not-saying-much system alert "..has reached connection limit", and then no traffic goes from LAN to WAN.
Clearly being a resource starvation issue caused by users, you may never know for sure what causes it.
The only way to pinpoint the misbehaving component is by elimination - disabling one by one until the problem disappears. So for this
particular Fortigate it was URL filtering used to block access to Facebook.com. Unfortunately, once this was
disabled, users in the LAN would starve the bandwidth by accessing (or rather not leaving) this
website. An internal fair use policy issue? - yes of course, but the only way to implement the policy
was by force in this case. So if not URL filtering (being the obvious solution), then black-hole routing would
be the better one, I thought - but in this FG OS 3 I didn't find such an option, and as an upgrade to FortiOS 4 wasn't
an option, I blackholed the Facebook.com IP range (thanks to Facebook for the convenience of a contiguous IP
range) in the WAN-facing Cisco router.<br>
In Fortigate FortiOS 4 and newer you can configure blackhole routing with no hassle: </p>
<div class="highlight"><pre><span></span><code><span class="nv">FG100</span><span class="w"> </span>#<span class="w"> </span><span class="nv">config</span><span class="w"> </span><span class="nv">router</span><span class="w"> </span><span class="nv">static</span><span class="w"></span>
<span class="nv">FG100</span><span class="w"> </span><span class="ss">(</span><span class="nv">static</span><span class="ss">)</span><span class="w"> </span>#<span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="mi">5</span><span class="w"></span>
<span class="nv">FG100</span><span class="w"> </span><span class="ss">(</span><span class="mi">5</span><span class="ss">)</span><span class="w"> </span>#<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">blackhole</span><span class="w"> </span>?<span class="w"></span>
<span class="nv">disable</span><span class="w"> </span><span class="nv">disable</span><span class="w"> </span><span class="nv">setting</span><span class="w"></span>
<span class="nv">enable</span><span class="w"> </span><span class="nv">enable</span><span class="w"> </span><span class="nv">setting</span><span class="w"></span>
<span class="nv">FG100</span><span class="w"> </span><span class="ss">(</span><span class="mi">5</span><span class="ss">)</span><span class="w"> </span>#<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">blackhole</span><span class="w"> </span><span class="nv">enable</span><span class="w"></span>
<span class="nv">FG100</span><span class="w"> </span><span class="ss">(</span><span class="mi">5</span><span class="ss">)</span><span class="w"> </span>#<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">dst</span><span class="w"> </span><span class="mi">69</span>.<span class="mi">63</span>.<span class="mi">176</span>.<span class="mi">0</span><span class="o">/</span><span class="mi">20</span><span class="w"></span>
<span class="nv">FG100</span><span class="w"> </span><span class="ss">(</span><span class="mi">5</span><span class="ss">)</span><span class="w"> </span>#<span class="w"> </span><span class="k">end</span><span class="w"></span>
</code></pre></div>
<p>Verify: </p>
<div class="highlight"><pre><span></span><code><span class="nv">FG100</span><span class="w"> </span>#<span class="w"> </span><span class="k">show</span><span class="w"> </span><span class="nv">router</span><span class="w"> </span><span class="nv">static</span><span class="w"> </span>
<span class="nv">config</span><span class="w"> </span><span class="nv">router</span><span class="w"> </span><span class="nv">static</span><span class="w"> </span>
<span class="w"> </span><span class="nv">edit</span><span class="w"> </span><span class="mi">5</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">blackhole</span><span class="w"> </span><span class="nv">enable</span><span class="w"></span>
<span class="w"> </span><span class="nv">set</span><span class="w"> </span><span class="nv">dst</span><span class="w"> </span><span class="mi">69</span>.<span class="mi">63</span>.<span class="mi">176</span>.<span class="mi">0</span><span class="w"> </span><span class="mi">255</span>.<span class="mi">255</span>.<span class="mi">240</span>.<span class="mi">0</span><span class="w"></span>
<span class="w"> </span><span class="k">next</span><span class="w"></span>
<span class="k">end</span><span class="w"></span>
</code></pre></div>
<p>From a station in the LAN:<br>
# ping 69.63.184.142 </p>
<div class="highlight"><pre><span></span><code>PING 69.63.184.142 (69.63.184.142) 56(84) bytes of data.
From 10.99.99.254 icmp_seq=1 Destination Net Unreachable
From 10.99.99.254 icmp_seq=2 Destination Net Unreachable
</code></pre></div>
<p>Facebook IP range:<br>
whois 69.63.176.140</p>
<pre>[Querying whois.arin.net]
[whois.arin.net]
OrgName: Facebook, Inc.
OrgID: THEFA-3
Address: 156 University Ave, 3rd floor
City: Palo Alto
StateProv: CA
PostalCode: 94301
Country: US
NetRange: 69.63.176.0 - 69.63.191.255
CIDR: 69.63.176.0/20 </pre>
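<p>As an added example (not code from the original post or from Fortinet), the following Python script turns a whois NetRange like the one above into the minimal set of CIDR prefixes, renders the matching FortiOS blackhole static routes in the same form as the <code>show router static</code> output earlier, and checks a test host against them before anything is pushed to the unit. The NetRange and addresses are the ones shown in the post; the function names and the starting sequence number are my own assumptions. It goes slightly beyond the post in that an unaligned range yields several prefixes rather than one.</p>

```python
"""Turn a whois NetRange into FortiOS blackhole static-route commands.

Added example, not code from the original post. The NetRange below is a
constructed sample taken from the whois output in the post; sequence
number 5 mirrors the post's "edit 5" and is an assumption.
"""
import ipaddress
from typing import Iterable, List


def netrange_to_cidrs(netrange: str) -> List[ipaddress.IPv4Network]:
    """Parse an ARIN-style 'a.b.c.d - w.x.y.z' NetRange into the minimal
    list of CIDR blocks covering it (a single block if the range is aligned,
    several if it is not)."""
    first, last = (s.strip() for s in netrange.split("-", 1))
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError(f"NetRange end precedes start: {netrange!r}")
    return list(ipaddress.summarize_address_range(start, end))


def fortios_blackhole_routes(nets: Iterable[ipaddress.IPv4Network],
                             first_seq: int = 5) -> str:
    """Render 'config router static' stanzas, one blackhole route per
    prefix, numbered from first_seq upwards. The sequence numbers are an
    assumption: pick ones that are unused on your unit."""
    lines = ["config router static"]
    for seq, net in enumerate(nets, start=first_seq):
        lines += [
            f"    edit {seq}",
            "        set blackhole enable",
            f"        set dst {net.network_address} {net.netmask}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


def is_blackholed(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """Check whether a host would be swallowed by one of the routes.
    Run it before committing: confirm the test host is inside the range
    and that your own gateways, DNS or partner addresses are not."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in nets)


# Constructed sample: the NetRange from the whois output in the post.
SAMPLE_NETRANGE = "69.63.176.0 - 69.63.191.255"

if __name__ == "__main__":
    nets = netrange_to_cidrs(SAMPLE_NETRANGE)
    print(fortios_blackhole_routes(nets))
    print("69.63.184.142 blackholed:", is_blackholed("69.63.184.142", nets))
    print("10.99.99.254 blackholed:", is_blackholed("10.99.99.254", nets))
```

<p>The <code>is_blackholed()</code> check is the part worth keeping around: a prefix that is one bit too wide silently drops traffic to neighbours of the intended range, and the "Destination Net Unreachable" replies seen from the LAN station above are the only symptom you get.</p>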
eSafe Certified Professional 2009-03-07T15:30:52+00:00 2009-03-07T15:30:52+00:00 Yuri Slobodyanyuk tag:yurisk.info,2009-03-07:/2009/03/07/esafe-certified-professional/<p><strong>HISTORICAL NOTE</strong> Aladdin was an Israeli company known for its security eTokens and mail filtering appliances - <strong>eSafe</strong>. In 2009 it was bought by Safenet primarily for the token/DRM line, and soon the eSafe appliance was discontinued. Later Safenet was in turn acquired by Gemalto. You can read about Aladdin at <a href="https://en.wikipedia.org/wiki/Aladdin_Knowledge_Systems">Aladdin Wiki</a><br>
Recently I've taken the 2-day course and then successfully passed the eSCP certification, and here are some impressions about that. First, the main question - what is the gain here? - I will frankly say - I don't know. This cert isn't found under 'most wanted/hot/industry leading' headings anywhere, so whether it's gonna get you an advantage in promotion/job search/etc. remains an open question.
The course was fully funded by my work and I took part in it only for the benefit of the knowledge I would gain there. The certification exam is available only after you've passed the course. <br>
The course was administered at a 3rd-party learning center but by folks from Aladdin itself ONLY - one of the strong points of the course. As I understood it, even if the course was given in the heart of Amazonia, Brazil, it would still be presented by Aladdin folks; no 'certified instructors' are employed.
There were 2 instructors. While the first instructor, <a href="https://il.linkedin.com/in/liativri">Liat Ivri</a>, was from the Presales team, she could answer any technical question I had ("- Can you remind me of the name of the file to add an IP address to the interface so it survives reboot, unlike ifconfig?").</p>
<p>The overall course was approximately 20% presentations/talks and 80% hands-on labs. The contents can be seen here, only that we dealt with version 7 only, not 6.2 as in the pdf: <a href="ftp://ftp.aladdin.com/pub/marketing/eSafe/Agenda/Expert_Agenda.pdf">
ftp://ftp.aladdin.com/pub/marketing/eSafe/Agenda/Expert_Agenda.pdf</a>.
Every pair of students was given a <strong>Hellgate</strong> appliance to play with. And we used it to the full - our team even succeeded in pushing beyond the limit, crashing and doing an RMA on our HellGate - the fastest RMA ever seen - it took 5 mins to bring a new Hellgate.</p>
<p>Everyone was given book-sized course material including the presentations we heard and the labs. The flow was - presentation, then lab. Started with reimaging eSafe from USB, then all config labs as per the pdf above. The LDAP lab took much more time than was allocated for it, as many (including me) are not good friends with all the AD/LDAP/OU/CN/DN stuff, even though the AD server was preconfigured and we had to just(?) connect eSafe to it.
Due to time shortage we haven't done the Web SSL/Reporter/Proxy labs (not a big deal for me as I am yet to see any of them in the wild).<br>
The whole setup had access to the Internet, so URL filtering we could test in real time.<br>
To conclude - I enjoyed the course, learned lots of new things (my job involves supporting already installed and working eSafe, so I don't do installing/configuring the appliance from scratch, something our integration department always does) and therefore it was worthwhile.
Upon completion we were given a link to the password-protected CBT, the possibility to open a personal account with portal.aladdin.com, a link to download the eSafe 7.1 ISO disk (every eSafe has a built-in evaluation license for 30 days), a nice bag, and user/pass and a link to the website to take the exam.<br>
Now to the exam - it was a web-based test, with 50 questions and 90 minutes to do it.
The test is pretty easy given you took active part in the course before, as it recaptures the same topics. So I did it in about 30 mins, got the web page "Congratulations you passed" and a week later received by courier a framed certificate that I am now an eSafe Certified Professional.</p>
Cisco routers ip accounting to see most bandwidth abusing connections 2009-01-17T17:15:01+00:00 2009-01-17T17:15:01+00:00 Yuri Slobodyanyuk tag:yurisk.info,2009-01-17:/2009/01/17/cisco-ip-accounting-to-begin-with/<p>First of all, Happy New Year everyone!<br>
As I promised before (last year :) I'll look at IP accounting in the Cisco world. I'll say it at the start - accounting, being with us since IOS 10.0, is getting pushed aside by the powerful NetFlow feature. And while it is nowhere near being deprecated/end-of-lifed by Cisco, it is presented as being "not enough" for the modern enterprise. </p>
<p>So let's look at accounting more closely.<br>
When enabled on an interface, it creates a database of accounting information containing the number of bytes that passed through the router between pairs of IP addresses. There are actually more types of accounting, but here I'll talk about 2 types only: <strong>IP accounting</strong> and <strong>IP access-list violations accounting</strong>. The first gathers statistics for the traffic passing through the router - entering and leaving it (meaning traffic destined for or originating from the router itself is not accounted for). The 2nd type gives info about traffic that is rejected by the router according to the applied ACLs. Both types can be enabled on physical/logical interfaces only (so to say, VTY is not in the pack). </p>
<p>Both types share the same database memory space. And talking about memory - by default the router keeps <strong>512 records</strong>; after these are exhausted no new accounting info is recorded. As usual, this is configurable (see later).</p>
<p><strong>IP accounting</strong> </p>
<p>Here is a sneak preview of accounting at work: </p>
<div class="highlight"><pre><span></span><code>Source Destination Packets Bytes
122.94.42.91 62.20.179.36 2 223
</code></pre></div>
<p>What you see are the IP addresses found in the IP packet header as source/destination, the number of packets and bytes. The database is updated continuously as traffic passes through the router.</p>
<p>IP accounting configuration:</p>
<ul>
<li>enable on the interface of interest (only outbound traffic is recorded, i.e. traffic leaving the interface)</li>
<li>if desired, tune the number of kept records</li>
<li>see the gathered info in the CLI</li>
<li>see the info through the SNMP agent (won't cover it here)</li>
<li>clear the active accounting database and copy a snapshot to the checkpoint database (done at once)</li>
<li>see later at any time the snapshot in the checkpoint database, or the active records in real time</li>
</ul>
<p>So here is our CLI:
1. Enable on interface</p>
<p>``` Router(config)#int fa0/1
Router(config-if)#ip accounting [output-packets] </p>
<div class="highlight"><pre><span></span><code><span class="mf">2.</span><span class="w"> </span><span class="o">[</span><span class="n">Optional</span><span class="o">]</span><span class="w"> </span><span class="n">Tune</span><span class="w"> </span><span class="n">maximum</span><span class="w"> </span><span class="n">records</span><span class="w"> </span><span class="k">value</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">desired</span><span class="w"> </span><span class="p">(</span><span class="k">default</span><span class="w"> </span><span class="mi">512</span><span class="p">,</span><span class="w"> </span><span class="n">maximum</span><span class="w"> </span><span class="mi">4294967295</span><span class="p">)</span><span class="err">:</span><span class="w"></span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>Router(config)#ip accounting-threshold 1200
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="mf">3.</span><span class="w"> </span><span class="n">See</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">active</span><span class="w"> </span><span class="n">records</span><span class="w"> </span><span class="n">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="kd">data</span><span class="n">base</span><span class="p">:</span><span class="w"></span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>Router#sh ip account
Source Destination Packets Bytes
68.146.13.6 162.30.79.36 1 129
79.82.168.224 162.30.79.36 1 126
142.53.125.103 162.30.79.36 9237 423360
83.171.0.22 162.30.79.36 1 129
118.181.13.61 162.30.79.36 4 360
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="mf">4.</span><span class="w"> </span><span class="n">Copy</span><span class="w"> </span><span class="n">active</span><span class="w"> </span><span class="kd">data</span><span class="n">base</span><span class="w"> </span><span class="kr">to</span><span class="w"> </span><span class="n">checkpoint</span><span class="w"> </span><span class="kd">data</span><span class="n">base</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">wipe</span><span class="w"> </span><span class="n">out</span><span class="w"> </span><span class="n">active</span><span class="w"> </span><span class="n">db</span><span class="w"> </span><span class="n">records</span><span class="p">:</span><span class="w"></span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>Router#clear ip account
Router#sh ip accounting checkpoint
Source Destination Packets Bytes
68.146.13.6 162.30.79.36 1 129
79.82.168.224 162.30.79.36 1 126
142.53.125.103 162.30.79.36 9237 423360
83.171.0.22 162.30.79.36 1 129
118.181.13.61 162.30.79.36 4 360
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="n">Usage</span><span class="w"> </span><span class="n">tip</span><span class="p">:</span><span class="w"> </span><span class="n">What</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">good</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">at</span><span class="w"> </span><span class="n">all</span><span class="err">?</span><span class="w"> </span><span class="n">As</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">started</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">previuos</span><span class="w"> </span><span class="n">post</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">use</span><span class="w"> </span><span class="n">such</span><span class="w"> </span><span class="n">info</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">provide</span><span class="w"> </span><span class="n">some</span><span class="w"> </span><span class="n">insight</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">client</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">what</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">going</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="p">(</span><span class="ow">or</span><span class="w"> </span><span class="n">rather</span><span class="w"> </span><span class="n">going</span><span class="w"> </span><span class="ow">in</span><span class="o">/</span><span class="n">out</span><span 
class="p">)</span> in his network at the given moment. So, all these commands I do on the client's perimeter equipment, which we manage. I have no inclination to do this for a client or anyone else on my backbone gear, and you would be advised not to either.
5.5) Some extra-bonus configs, though: you may configure an ACL that filters which IP addresses to gather accounting info for. While trying to catch who is loading your network it would be counter-productive to use such filtering; for long-term monitoring it makes sense:
</code></pre></div>
<div class="highlight"><pre><span></span><code>Router(config)#ip accounting-list 19.90.14.59 0.0.0.0
</code></pre></div>
<p>Then only records involving this IP (or IPs) will be written to the database:</p>
<div class="highlight"><pre><span></span><code>Router#sh ip account
Source Destination Packets Bytes
19.90.14.59 162.30.79.37 7 2912
</code></pre></div>
<p><strong>IP access-list violations accounting.</strong></p>
<p>This accounts for traffic dropped by the ACL(s) applied to the interface(s).
- To enable:</p>
<div class="highlight"><pre><span></span><code><span class="nv">Router</span><span class="ss">(</span><span class="nv">config</span><span class="o">-</span><span class="k">if</span><span class="ss">)</span>#<span class="nv">ip</span><span class="w"> </span><span class="nv">accounting</span><span class="w"> </span><span class="nv">access</span><span class="o">-</span><span class="nv">violations</span><span class="w"></span>
</code></pre></div>
<p>Accounting excludes MLS-switched traffic when MLS is enabled.</p>
<p>- To see the records:</p>
<div class="highlight"><pre><span></span><code>Router#sh ip accounting access-violations
Source Destination Packets Bytes ACL
Accounting data age is 8
</code></pre></div>
<ul>
<li>Of course, to see anything here you need a blocking ACL applied to the
interface(s) beforehand. As I have no ACL on any interface, this database is empty.</li>
</ul>
<p><strong>USAGE TIP 2</strong>: If you use this feature to spot the most bandwidth-abusing flow, you'll love this
one-liner: pass the output of <em>show ip accounting</em> to it through standard input and it
sorts the data by bytes passed, in ascending order.
<em>Hint: DarkStar is a Linux machine, not the router itself.</em></p>
<div class="highlight"><pre><span></span><code>root@DarkStar:~# sort -n -k4,4
&lt;NOW COPY PASTE OUTPUT FROM ROUTER HERE ...&gt;
68.146.13.6 162.30.79.36 1 129
79.82.168.224 162.30.79.36 1 126
142.53.125.103 162.30.79.36 9237 423360
83.171.0.22 162.30.79.36 1 129
118.181.13.61 162.30.79.36 4 360
79.82.168.224 162.30.79.36 1 126
83.171.0.22 162.30.79.36 1 129
68.146.13.6 162.30.79.36 1 129
118.181.13.61 162.30.79.36 4 360
142.53.125.103 162.30.79.36 9237 423360
</code></pre></div>
<p><strong>USAGE TIP 3</strong>:<br>
To improve further on the one-liner above, here is another one-liner that not only sorts the accounting data by the Bytes field but also sums up bytes per IP address (here the 2nd field, the destination; you can easily modify it to your needs):</p>
<div class="highlight"><pre><span></span><code>root@DarkStar:~# sort -n -k4,4 | awk '{ips[$2] += $4} END { for (x in ips) print x,ips[x]}'
122.53.125.103 162.30.79.36 3 120
59.44.58.120 162.30.79.36 3 417
123.203.142.106 162.30.79.36 1 177
82.144.177.32 162.30.79.36 1 234
218.103.137.105 162.10.79.36 1 126
80.37.83.120 162.10.79.36 1 126
79.182.121.216 162.10.79.36 9 377
207.191.202.251 162.30.79.36 9 377
84.195.248.47 162.20.79.36 7 304
201.95.211.8 162.40.79.36 8 364
79.180.14.184 162.30.79.36 24 994
124.64.176.192 162.70.79.36 5 227
62.219.133.44 162.30.79.36 72 3077
91.196.214.6 162.40.79.36 4 160
125.125.227.168 162.40.79.36 15 797
 0
162.20.79.36 304
162.40.79.36 1321
162.30.79.36 5396
162.10.79.36 629
162.70.79.36 227
root@DarkStar:~#
</code></pre></div>
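<p>Both one-liners above sum whatever is pasted in, which is why a blank pasted line ends up as the bare <code>0</code> bucket in the output above. The following is an added example of my own, not code from the original post: it keeps only rows whose first two fields are dotted-quad addresses (so the <code>Source Destination ...</code> header, the <code>Accounting data age</code> trailer and blank lines are ignored), sums packets and bytes per source address, and sorts descending so the heaviest talker is on the first line. The sample accounting output embedded in it is constructed for the demonstration; the IPs and counters are made up.</p>

```shell
#!/bin/sh
# Added example (not from the original post): aggregate Cisco "show ip accounting"
# output by source IP and rank by bytes, heaviest first.
# Reads the pasted router output on stdin. Header lines, the
# "Accounting data age is N" trailer and blank lines are skipped, so an empty
# line no longer produces a bogus "0" bucket as it does with a bare awk sum.
# Usage: top_talkers < accounting.txt   (or paste the router output, then Ctrl-D)

top_talkers() {
    awk '
        # keep only rows whose first two fields look like dotted-quad addresses
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            pkts[$1]  += $3
            bytes[$1] += $4
        }
        END {
            for (ip in bytes) printf "%s %d %d\n", ip, pkts[ip], bytes[ip]
        }
    ' | sort -k3,3nr
}

# Constructed sample in the layout "show ip accounting" prints; the values are made up.
# Note the blank line before the trailer: it must not become a "0" bucket.
SAMPLE='Router#sh ip accounting
Source Destination Packets Bytes
142.53.125.103 162.30.79.36 9237 423360
68.146.13.6 162.30.79.36 1 129
79.82.168.224 162.30.79.36 1 126
142.53.125.103 162.30.79.37 10 1000

Accounting data age is 8'

# Source IP with the most bytes (first column of the first output line).
busiest_source() {
    printf '%s\n' "$SAMPLE" | top_talkers | head -n 1 | cut -d' ' -f1
}

# Total bytes attributed to the busiest source (both of its flows summed).
busiest_source_bytes() {
    printf '%s\n' "$SAMPLE" | top_talkers | head -n 1 | cut -d' ' -f3
}

printf '%s\n' "$SAMPLE" | top_talkers
```

<p>Change <code>$1</code> to <code>$2</code> in the awk action keys to aggregate per destination instead, as the post's second one-liner does.</p>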
<p>Here I'll wrap up my short memo with a few links for those interested in digging deeper:</p>
<ol>
<li>The whole book dedicated to knowing your network better :<br>
Network Management: Accounting and Performance Strategies by Benoit Claise - CCIE No. 2686; Ralf Wolter<br>
<a href="http://www.ciscopress.com/bookstore/product.asp?isbn=1587051982">http://www.ciscopress.com/bookstore/product.asp?isbn=1587051982</a></li>
<li>Cisco IOS command reference:<br>
<a href="https://www.cisco.com/c/en/us/td/docs/ios/redirect/eol.html">http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1091971</a></li>
</ol>
<p>PS: I am planning the next post on NetFlow.</p>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>
<p><strong>Finding the station/IP using/abusing most of the bandwidth – PIX/ASA</strong><br>
2008-12-06, Yuri Slobodyanyuk, tag:yurisk.info,2008-12-06:/2008/12/06/finding-the-stationip-usingabusing-most-of-the-bandwidth-pixasa/</p>
<p>Here is a short how-to I wrote some (well, long) time ago for the newcomers to our department. It was written for the PIX, but applies to the ASA as well in most cases; see the ASA notes for differences.
Usually it starts with the client complaining about slow Internet, or that users already working in the network are fine but new ones can't connect; sometimes the PIX crashes periodically (depending on the case, every few hours); seldom, the client directly asks which station in the LAN is bombing the PIX with connections.
Here are the steps to try to see what is going on:
1) It is always worth knowing the current state of the PIX: lots of connections consume lots of memory,
and this after all causes crashes or slowness of processing.
Mambo# <strong>show memory</strong></p>
<div class="highlight"><pre><span></span><code>Free memory: 42557840 bytes
Used memory: 24551024 bytes
------------- ----------------
Total memory: 67108864 bytes
</code></pre></div>
<p>2) As you may know, the PIX is a NAT machine: every connection (outbound or inbound)
passes through NAT translation, which creates an xlate entry per connection (in IOS this is called the
NAT table). (ASA note: you may disable NAT, not to mention it can work in Transparent mode.)
Mambo# <strong>show xlate count</strong></p>
<div class="highlight"><pre><span></span><code>1613 in use, 5246 most used
</code></pre></div>
<p>In an abused PIX you would see dozens of thousands of xlate entries, e.g. 55550.
Beyond the xlate entry, every connection creates a conn entry in PIX memory to enable stateful
inspection; to see their count use:
Mambo# <strong>show conn count</strong></p>
<div class="highlight"><pre><span></span><code>5271 in use, 34824 most used
</code></pre></div>
<p>The next command shows on which interface there is more traffic, to know which side of the PIX is being attacked:
Mambo# <strong>show traffic</strong></p>
<div class="highlight"><pre><span></span><code>outside:
received (in 980818.730 secs):
1113941822 packets 498552059 bytes
1004 pkts/sec 0 bytes/sec
transmitted (in 980818.730 secs):
1170564303 packets 2054434346 bytes
1000 pkts/sec 2002 bytes/sec
inside:
received (in 980818.730 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 980818.730 secs):
76 packets 4560 bytes
0 pkts/sec 0 bytes/sec
dmz:
received (in 980818.730 secs):
186616723 packets 3287127501 bytes
1 pkts/sec 3001 bytes/sec
transmitted (in 980818.730 secs):
196403614 packets 1465915834 bytes
</code></pre></div>
<p>Now the main part: how to find out which IP is abusing the resources.
Mambo# <strong>show local-host | incl host|count|embryonic</strong></p>
<div class="highlight"><pre><span></span><code>local host: &lt;10.10.1.142&gt;, conn(s)/limit = 0/0
    embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: &lt;10.10.1.53&gt;, conn(s)/limit = 106/0
    embryonic(s)/limit = 106/0, incomplete(s) = 0
local host: &lt;10.10.1.205&gt;, conn(s)/limit = 14/0
    embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: &lt;10.10.1.191&gt;, conn(s)/limit = 4/0
    embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: &lt;10.10.1.193&gt;, conn(s)/limit = 4/0
    embryonic(s)/limit = 1/0, incomplete(s) = 0
...................................................................................
local host: &lt;10.10.1.36&gt;, conn(s)/limit = 22/0
    embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: &lt;10.10.1.180&gt;, conn(s)/limit = 1/0
    embryonic(s)/limit = 0/0, incomplete(s) = 0
</code></pre></div>
<p>Legend:
<strong>local host</strong> : local IP of the station in the LAN<br>
<strong>conn(s)/limit</strong> : number of conn entries (connections) and their limit for this IP<br>
<strong>embryonic(s)/limit</strong> : number of embryonic (half-open) connections to this IP and their limit<br>
Looking at this output we can easily find the station with the most connections.
Next, to get more info (if needed):
Mambo# <strong>sh local-host 10.10.1.19</strong></p>
<div class="highlight"><pre><span></span><code>Interface Inside: 73 active, 96 maximum active, 0 denied
local host: <10.10.1.19>, conn(s)/limit = 105/0
embryonic(s)/limit = 45/0, incomplete(s) = 0
AAA:
Xlate(s):
PAT Global 216.163.137.3(40901) Local 10.10.1.19(3653)
PAT Global 216.163.137.3(30938) Local 10.10.1.19(1439)
PAT Global 216.163.137.3(61195) Local 10.10.1.19(3815)
PAT Global 216.163.137.3(39325) Local 10.10.1.19(2387)
PAT Global 216.163.137.3(12515) Local 10.10.1.19(1043)
PAT Global 216.163.137.3(21891) Local 10.10.1.19(2368)
.......................................................
PAT Global 216.163.137.3(64086) Local 10.10.1.19(4928)
</code></pre></div>
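<p>Picking the busiest station out of a few hundred <code>show local-host</code> entries by eye gets tedious, so here is an added example of my own, not code from the original post. It folds the two-lines-per-host listing above into one line per host (IP, connections, embryonic) and sorts by connection count, then by embryonic count; a helper lists hosts above a connection threshold. A host whose embryonic count is close to its conn count, like 10.10.1.53 above (106/106), is holding mostly half-open connections and is the one to look at first. The sample listing is constructed from the values shown above.</p>

```shell
#!/bin/sh
# Added example (not from the original post): rank hosts from PIX/ASA
# "show local-host" output by open connections, then by embryonic (half-open) ones.
# Each host occupies two lines in the listing:
#   local host: <10.10.1.53>, conn(s)/limit = 106/0
#       embryonic(s)/limit = 106/0, incomplete(s) = 0
# Output: "IP conns embryonic", one line per host, busiest first.
# Usage: rank_local_hosts < local-host.txt

rank_local_hosts() {
    awk '
        /^local host:/ {
            ip = $3; gsub(/[<>,]/, "", ip)       # "<10.10.1.53>," -> 10.10.1.53
            split($NF, c, "/"); conns = c[1]      # "106/0" -> 106
            next
        }
        $1 ~ /^embryonic/ && ip != "" {
            split($3, e, "/")                     # "106/0," -> 106
            printf "%s %d %d\n", ip, conns, e[1]
            ip = ""                               # wait for the next host block
        }
    ' | sort -k2,2nr -k3,3nr
}

# Hosts with more than $1 connections, busiest first.
hosts_over() {
    rank_local_hosts | awk -v t="$1" '$2 > t { print $1 }'
}

# Constructed sample, same layout as the listing in the post; "Interface" lines
# and other noise from the unfiltered command are simply ignored by the parser.
SAMPLE='Interface Inside: 73 active, 96 maximum active, 0 denied
local host: <10.10.1.142>, conn(s)/limit = 0/0
    embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.53>, conn(s)/limit = 106/0
    embryonic(s)/limit = 106/0, incomplete(s) = 0
local host: <10.10.1.205>, conn(s)/limit = 14/0
    embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.36>, conn(s)/limit = 22/0
    embryonic(s)/limit = 0/0, incomplete(s) = 0'

# Busiest host in the sample (IP only).
busiest_host() {
    printf '%s\n' "$SAMPLE" | rank_local_hosts | head -n 1 | cut -d' ' -f1
}

printf '%s\n' "$SAMPLE" | rank_local_hosts
```

<p>Feed it the output of the plain <code>show local-host</code> or the <code>| incl host|count|embryonic</code> variant from the post; both parse the same way.</p>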
<p>NOTE: here 216.163.137.3 is the IP of the outside interface of the PIX.
To temporarily block some station (it will not be able to create new connections,
and existing ones will be deleted; this block stays active until the next reboot):<br>
Mambo# <strong>shun 10.10.1.19</strong><br>
To see active shuns:<br>
Mambo# <strong>show shun</strong><br>
To disable the shun:<br>
Mambo# <strong>no shun 10.10.1.19</strong><br>
Personal NOTE: Such a call is a sure sign of disorderly network administration. And it always starts with the key phrase "Your line is down, we have no Internet". To my answer, after I look at the MRTG
graphs of the client line and see 100% usage, that "Of course, you are using up all your bandwidth", they reply "It is impossible, can you tell me who is abusing the line?" While I could spend 10 minutes
explaining to this sysadmin that a PIX/ASA/etc. is not a statistics/monitoring device, that other solutions exist for that, that MRTG is free, etc., I usually give up on them, save myself 10
minutes of my time and just give them what they want. In the next post I will write about doing the same on a Cisco router.</p>
<p><strong>Clear ARP table in Checkpoint</strong><br>
2008-10-25, Yuri Slobodyanyuk, tag:yurisk.info,2008-10-25:/2008/10/25/clear-arp-table-in-checkpoint/</p>
<p><strong>Update 2022</strong>: On modern Check Point systems you don't have to run the script below (which still works), as they come with up-to-date <strong>iproute2</strong> network tools. So, to clear all dynamic ARP entries learned on a specific interface, use <strong>ip neighbor flush dev <em>interface-name</em></strong>.</p>
<p>Yesterday my colleague asked how to clear all entries in the ARP table of the
NGX in question (SPLAT). I thought the <strong>arp</strong> command of Linux would include a switch for that case too, but it doesn't. To delete an ARP entry from the ARP cache you use <code>arp -d <em>IP-address-to-delete</em></code>, and it has no provision for deleting multiple entries in one go. So here is the one-liner
that does just that: clears all entries in the ARP cache. I found it via Google and
slightly rearranged it for brevity (note: it is one line of text):</p>
<p><strong>for ip in $(awk '/([[:digit:]].)+/ {print $1}' /proc/net/arp) ; do arp -d $ip ; done</strong></p>
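<p>The one-liner above deletes every entry in <code>/proc/net/arp</code> regardless of interface or flags. The following is an added example of my own, not from the original post or Check Point: it reads the same <code>/proc/net/arp</code> table, skips the header by line number instead of by regex, restricts the flush to one interface (the same scope as the <code>ip neighbor flush dev</code> command from the update), leaves permanent entries alone (the ATF_PERM flag 0x4 makes a complete permanent entry show as <code>0x6</code>), and only calls <code>arp -d</code> when explicitly told to, so the default run is a dry run. The table embedded in it is a constructed sample; on a real box you would feed it <code>/proc/net/arp</code> as shown in the usage comment.</p>

```shell
#!/bin/sh
# Added example (not from the original post): list, and optionally flush, the
# non-permanent ARP entries of one interface from /proc/net/arp.
# /proc/net/arp columns: IP address, HW type, Flags, HW address, Mask, Device
# Flags: 0x0 incomplete, 0x2 complete (ATF_COM), 0x6 complete + permanent (ATF_PERM).
# Usage: flush_arp <interface>        < /proc/net/arp   (dry run, prints what it would do)
#        flush_arp <interface> flush  < /proc/net/arp   (really deletes; needs root)

# Print the IPs of the entries on $1 that a flush should remove.
arp_entries() {
    dev="$1"
    awk -v dev="$dev" 'NR > 1 && $6 == dev && $3 != "0x6" { print $1 }'
}

# Dry run by default; pass "flush" as the second argument to actually delete.
flush_arp() {
    dev="$1"
    mode="${2:-dry-run}"
    arp_entries "$dev" | while read -r ip; do
        if [ "$mode" = "flush" ]; then
            arp -d "$ip" -i "$dev"          # net-tools: delete one entry on one interface
        else
            printf 'would delete %s on %s\n' "$ip" "$dev"
        fi
    done
}

# Constructed sample table in /proc/net/arp layout (addresses and MACs made up).
# 10.0.0.7 is permanent (0x6) and must survive; 10.0.0.9 is incomplete (0x0).
SAMPLE='IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         00:11:22:33:44:55     *        eth0
10.0.0.7         0x1         0x6         00:11:22:33:44:66     *        eth0
10.0.0.9         0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.1      0x1         0x2         00:aa:bb:cc:dd:ee     *        eth1'

# Entries the dry run would remove on eth0, space-separated.
eth0_entries() {
    printf '%s\n' "$SAMPLE" | arp_entries eth0 | tr '\n' ' '
}

printf '%s\n' "$SAMPLE" | flush_arp eth0
```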
<p><strong>Prevent brute force attack on VTY in Cisco IOS</strong><br>
2008-10-10, Yuri Slobodyanyuk, tag:yurisk.info,2008-10-10:/2008/10/10/guarding-against-brute-force-attack-on-vty-in-cisco-ios/</p>
<p>Cisco, starting with IOS 12.3, introduced a simple but powerful feature to guard against brute-force password guessing attacks on remote access. The usual template followed when configuring VTY access is:</p>
<ol>
<li>
<p>Configure ACL containing management IPs to be allowed to access the router through VTY</p>
</li>
<li>
<p>(Optional) Restrict the VTY access protocol to SSH only (<code>transport input ssh</code>)</p>
</li>
<li>
<p>Apply this ACL to the VTY lines: <code>(config-line)# access-class <ACL> in</code></p>
</li>
<li>
<p>(Optional) Single out one VTY line for a special remote access IP to be used if all VTY lines are currently in use: <code>(config)# line vty 4</code> </p>
</li>
</ol>
<p>Now I enhanced this template with the following features:</p>
<ul>
<li>
<p>Block logins for 300 seconds after 5 failed logins within a 50-second interval:<br>
<code>login block-for 300 attempts 5 within 50</code></p>
</li>
<li>
<p>Apply the specified ACL to the VTY lines while that block is in effect; it is meant to exempt your management IP from being blocked. After the timed block expires this ACL is removed from the VTY lines and the ACL that was applied before the event is reapplied:<br>
<code>login quiet-mode access-class anti-DOS</code></p>
</li>
<li>
<p>Logging rate limitation, to prevent cluttering the logs with failed attempts:<br>
<code>login on-failure log every 10</code></p>
</li>
<li>
<p>ACL allowing access:</p>
</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="nv">ip</span><span class="w"> </span><span class="nv">access</span><span class="o">-</span><span class="nv">list</span><span class="w"> </span><span class="nv">standard</span><span class="w"> </span><span class="nv">anti</span><span class="o">-</span><span class="nv">DOS</span><span class="w"></span>
<span class="nv">permit</span><span class="w"> </span><span class="mi">193</span>.<span class="mi">193</span>.<span class="mi">193</span>.<span class="mi">33</span><span class="w"></span>
<span class="w"> </span><span class="nv">remark</span><span class="w"> </span><span class="nv">Deny</span><span class="w"> </span><span class="nv">VTY</span><span class="w"> </span><span class="nv">access</span><span class="w"> </span><span class="nv">to</span><span class="w"> </span><span class="nv">anyone</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nv">brute</span><span class="o">-</span><span class="nv">force</span><span class="w"> </span><span class="nv">logins</span><span class="w"> </span><span class="nv">take</span><span class="w"> </span><span class="nv">up</span><span class="w"> </span><span class="nv">all</span><span class="w"> </span><span class="nv">VTY</span><span class="w"> </span><span class="nv">lines</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Another nice feature is a delay between login attempts:<br>
<code>Sacramento(config)# login delay 2</code></li>
</ul>
<p>The login delay above is in seconds.<br>
Then in the logs you will see failed attempts and the quiet-mode transitions like the following:</p>
<div class="highlight"><pre><span></span><code><span class="o">*</span><span class="nv">May</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="mi">02</span>:<span class="mi">04</span>:<span class="mi">14</span>.<span class="mi">105</span>:<span class="w"> </span><span class="o">%</span><span class="nv">SEC_LOGIN</span><span class="o">-</span><span class="mi">4</span><span class="o">-</span><span class="nv">LOGIN_FAILED</span>:<span class="w"> </span><span class="nv">Login</span><span class="w"> </span><span class="nv">failed</span><span class="w"> </span>[<span class="nv">user</span>:<span class="w"> </span>]<span class="w"> </span>[<span class="nv">Source</span>:<span class="w"> </span><span class="mi">62</span>.<span class="mi">141</span>.<span class="mi">52</span>.<span class="mi">141</span>]<span class="w"> </span>[<span class="nv">localport</span>:<span class="w"> </span><span class="mi">22</span>]<span class="w"> </span>[<span class="nv">Reason</span>:<span class="w"> </span><span class="nv">Login</span><span class="w"> </span><span class="nv">Authentication</span><span class="w"> </span><span class="nv">Failed</span>]<span class="w"> </span><span class="nv">at</span><span class="w"> </span><span class="mi">05</span>:<span class="mi">04</span>:<span class="mi">14</span><span class="w"> </span><span class="nv">Sat</span><span class="w"> </span><span class="nv">May</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="mi">2009</span><span class="w"></span>
<span class="o">*</span><span class="nv">May</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="mi">02</span>:<span class="mi">04</span>:<span class="mi">22</span>.<span class="mi">112</span>:<span class="w"> </span><span class="o">%</span><span class="nv">SEC_LOGIN</span><span class="o">-</span><span class="mi">1</span><span class="o">-</span><span class="nv">QUIET_MODE_ON</span>:<span class="w"> </span><span class="nv">Still</span><span class="w"> </span><span class="nv">timeleft</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">watching</span><span class="w"> </span><span class="nv">failures</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="mi">22</span><span class="w"> </span><span class="nv">secs</span>,<span class="w"> </span>[<span class="nv">user</span>:<span class="w"> </span>]<span class="w"> </span>[<span class="nv">Source</span>:<span class="w"> </span><span class="mi">62</span>.<span class="mi">141</span>.<span class="mi">52</span>.<span class="mi">141</span>]<span class="w"> </span>[<span class="nv">localport</span>:<span class="w"> </span><span class="mi">22</span>]<span class="w"> </span>[<span class="nv">Reason</span>:<span class="w"> </span><span class="nv">Login</span><span class="w"> </span><span class="nv">Authentication</span><span class="w"> </span><span class="nv">Failed</span>]<span class="w"> </span>[<span class="nv">ACL</span>:<span class="w"> </span><span class="nv">anti</span><span class="o">-</span><span class="nv">DOS</span>]<span class="w"> </span><span class="nv">at</span><span class="w"> </span><span class="mi">05</span>:<span class="mi">04</span>:<span class="mi">22</span><span class="w"> </span><span class="nv">Sat</span><span class="w"> </span><span class="nv">May</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="mi">2009</span><span class="w"></span>
<span class="o">*</span><span class="nv">May</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="mi">02</span>:<span class="mi">09</span>:<span class="mi">22</span>.<span class="mi">091</span>:<span class="w"> </span><span class="o">%</span><span class="nv">SEC_LOGIN</span><span class="o">-</span><span class="mi">5</span><span class="o">-</span><span class="nv">QUIET_MODE_OFF</span>:<span class="w"> </span><span class="nv">Quiet</span><span class="w"> </span><span class="nv">Mode</span><span class="w"> </span><span class="nv">is</span><span class="w"> </span><span class="nv">OFF</span>,<span class="w"> </span><span class="nv">because</span><span class="w"> </span><span class="nv">block</span><span class="w"> </span><span class="nv">period</span><span class="w"> </span><span class="nv">timed</span><span class="w"> </span><span class="nv">out</span><span class="w"> </span><span class="nv">at</span><span class="w"> </span><span class="mi">05</span>:<span class="mi">09</span>:<span class="mi">22</span><span class="w"> </span><span class="nv">Sat</span><span class="w"> </span><span class="nv">May</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="mi">2009</span><span class="w"></span>
</code></pre></div>
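<p>An added example, not part of the original post: a Python script that replays the <code>login block-for 300 attempts 5 within 50</code> rule over <code>%SEC_LOGIN</code> syslog lines like those above, reports which sources drove each block, and measures the observed quiet period against the configured 300 seconds. The log lines embedded in it are constructed in the page's format, not real captures.</p>

```python
"""Added example (not from the post): replay the `login block-for 300 attempts 5
within 50` rule over %SEC_LOGIN syslog lines and measure the quiet periods."""
import re
import sys
from collections import Counter, deque
from datetime import datetime

# Constructed sample lines in the format shown on the page, not real captures
SAMPLE_LOG = """\
*May  2 02:04:14.105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 62.141.52.141] [localport: 22] [Reason: Login Authentication Failed] at 05:04:14 Sat May 2 2009
*May  2 02:04:16.211: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 62.141.52.141] [localport: 22] [Reason: Login Authentication Failed] at 05:04:16 Sat May 2 2009
*May  2 02:04:18.340: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 62.141.52.141] [localport: 22] [Reason: Login Authentication Failed] at 05:04:18 Sat May 2 2009
*May  2 02:04:20.002: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 193.193.193.33] [localport: 22] [Reason: Login Authentication Failed] at 05:04:20 Sat May 2 2009
*May  2 02:04:22.112: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 62.141.52.141] [localport: 22] [Reason: Login Authentication Failed] at 05:04:22 Sat May 2 2009
*May  2 02:04:22.112: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 22 secs, [user: ] [Source: 62.141.52.141] [localport: 22] [Reason: Login Authentication Failed] [ACL: anti-DOS] at 05:04:22 Sat May 2 2009
*May  2 02:09:22.091: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 05:09:22 Sat May 2 2009
"""

# IOS timestamp (optional leading '*'), message mnemonic, and the rest of the line
LINE_RE = re.compile(r"^\*?(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)(?:\.(\d{1,3}))?:"
                     r"\s+%(SEC_LOGIN-\d-\w+):\s*(.*)$")
# Bracketed fields such as [Source: 62.141.52.141] and [ACL: anti-DOS]
FIELD_RE = re.compile(r"\[(\w+):\s*([^\]]*)\]")


def parse_log(lines, year=1900):
    """Yield one dict per %SEC_LOGIN line: time, msg, source, user, acl.
    The leading IOS timestamp carries no year, so a fixed one is assumed; only
    differences between timestamps are used. Other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mon, day, hms, ms, msg, rest = m.groups()
        stamp = "%d %s %s %s.%s" % (year, mon, day, hms, (ms or "0").ljust(3, "0"))
        fields = {k.lower(): v.strip() for k, v in FIELD_RE.findall(rest)}
        yield {"time": datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f"),
               "msg": msg, "source": fields.get("source", ""),
               "user": fields.get("user", ""), "acl": fields.get("acl", "")}


def replay_block_rule(lines, attempts=5, within=50):
    """Slide a `within`-second window over LOGIN_FAILED events, all sources
    counted together as the page states the rule, and record each point where
    `attempts` failures fall inside it, with a per-source breakdown so you can
    see who drove the block. After a trip the router is in quiet mode, so the
    count starts afresh."""
    window, trips = deque(), []
    for ev in parse_log(lines):
        if ev["msg"] != "SEC_LOGIN-4-LOGIN_FAILED":
            continue
        window.append(ev)
        while (ev["time"] - window[0]["time"]).total_seconds() > within:
            window.popleft()
        if len(window) >= attempts:
            trips.append({"time": ev["time"],
                          "sources": dict(Counter(e["source"] for e in window))})
            window.clear()
    return trips


def quiet_periods(lines):
    """Pair each QUIET_MODE_ON with the next QUIET_MODE_OFF and report the
    observed block length and the ACL applied, to confirm that `block-for 300`
    and `quiet-mode access-class anti-DOS` behaved as configured."""
    periods, start = [], None
    for ev in parse_log(lines):
        if ev["msg"] == "SEC_LOGIN-1-QUIET_MODE_ON":
            start = ev
        elif ev["msg"] == "SEC_LOGIN-5-QUIET_MODE_OFF" and start is not None:
            periods.append({"on": start["time"], "off": ev["time"],
                            "seconds": (ev["time"] - start["time"]).total_seconds(),
                            "acl": start["acl"], "trigger": start["source"]})
            start = None
    return periods


if __name__ == "__main__":
    # Pass a syslog file, or run without arguments to analyse the sample above
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for t in replay_block_rule(lines):
        print("block threshold reached at %s, failures by source: %s" % (t["time"].time(), t["sources"]))
    for p in quiet_periods(lines):
        print("quiet mode %s -> %s (%.0f s, ACL %s, last failure from %s)"
              % (p["on"].time(), p["off"].time(), p["seconds"], p["acl"], p["trigger"]))
```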
Manage VPN tunnels smartly: forget vpn tu, enter the vpn shell | 2008-09-23T09:14:42+00:00 | Yuri Slobodyanyuk | tag:yurisk.info,2008-09-23:/2008/09/23/manage-vpn-tunnels-smartly-forget-vpn-tuenter-the-vpn-shell/
<p>Deleting IKE/IPsec security associations of established VPNs is an inevitable part of any VPN-related debug. The standard tool promoted by Checkpoint (take CCSA, CCSE etc.) is <strong>vpn tu</strong>, which nevertheless has always had a very annoying bug (feature?): you can delete ALL VPN tunnels at a time and none individually!! It does present the option
"Delete all IPsec SAs for a given peer (GW)", but sometimes it just plain doesn't work. And once confronted with this problem, which could make the debug more devastating than the problem itself, I started looking for alternatives. To my surprise, CP has a perfect alternative for this:
<strong>vpn shell</strong>, which provides acceptable means of managing tunnels. Here are the details:<br>
vpn shell can delete IKE/IPsec SAs selectively, add/delete VTI interfaces, and show information about all that.
To enter this shell: </p>
<div class="highlight"><pre><span></span><code><span class="o">[</span><span class="n">Expert@gw1</span><span class="o">]</span><span class="err">#</span><span class="w"> </span><span class="n">vpn</span><span class="w"> </span><span class="n">shell</span><span class="w"></span>
<span class="w"> </span><span class="vm">?</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="n">help</span><span class="w"></span>
<span class="w"> </span><span class="p">..</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="k">Go</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">one</span><span class="w"> </span><span class="k">level</span><span class="w"></span>
<span class="w"> </span><span class="n">quit</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Quit</span><span class="w"></span>
<span class="o">[</span><span class="n">interface </span><span class="o">]</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Manipulate</span><span class="w"> </span><span class="n">tunnel</span><span class="w"> </span><span class="n">interfaces</span><span class="w"></span>
<span class="o">[</span><span class="n">show </span><span class="o">]</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Show</span><span class="w"> </span><span class="n">internal</span><span class="w"> </span><span class="k">data</span><span class="w"></span>
<span class="o">[</span><span class="n">tunnels </span><span class="o">]</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Manipulate</span><span class="w"> </span><span class="n">tunnel</span><span class="w"> </span><span class="k">data</span><span class="w"></span>
</code></pre></div>
<p>After hitting Enter you are put into a subshell with a hierarchical way of moving around, so to continue into the show subtree you type <strong>show</strong> and hit Enter: </p>
<div class="highlight"><pre><span></span><code><span class="n">VPN</span><span class="w"> </span><span class="nl">shell</span><span class="p">:</span><span class="o">[</span><span class="n">/</span><span class="o">]</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="n">show</span><span class="w"></span>
<span class="w"> </span><span class="vm">?</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="n">help</span><span class="w"></span>
<span class="w"> </span><span class="p">..</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="k">Go</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">one</span><span class="w"> </span><span class="k">level</span><span class="w"></span>
<span class="o">[</span><span class="n">interface </span><span class="o">]</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Show</span><span class="w"> </span><span class="n">interface</span><span class="p">(</span><span class="n">s</span><span class="p">)</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">their</span><span class="w"> </span><span class="n">status</span><span class="w"></span>
<span class="o">[</span><span class="n">tunnels </span><span class="o">]</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Show</span><span class="w"> </span><span class="n">SA</span><span class="p">(</span><span class="n">s</span><span class="p">)</span><span class="w"></span>
<span class="n">VPN</span><span class="w"> </span><span class="nl">shell</span><span class="p">:</span><span class="o">[</span><span class="n">/show</span><span class="o">]</span><span class="w"> </span><span class="o">></span><span class="w"></span>
</code></pre></div>
<p>Your prompt changes to the path inside the vpn shell; to go one level up (return) type .. and hit Enter:</p>
<div class="highlight"><pre><span></span><code><span class="n">VPN</span><span class="w"> </span><span class="nl">shell</span><span class="p">:</span><span class="o">[</span><span class="n">/show</span><span class="o">]</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="p">..</span><span class="w"></span>
<span class="w"> </span><span class="vm">?</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="n">help</span><span class="w"></span>
<span class="w"> </span><span class="p">..</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="k">Go</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">one</span><span class="w"> </span><span class="k">level</span><span class="w"></span>
<span class="w"> </span><span class="n">quit</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Quit</span><span class="w"></span>
<span class="o">[</span><span class="n">interface </span><span class="o">]</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Manipulate</span><span class="w"> </span><span class="n">tunnel</span><span class="w"> </span><span class="n">interfaces</span><span class="w"></span>
<span class="o">[</span><span class="n">show </span><span class="o">]</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Show</span><span class="w"> </span><span class="n">internal</span><span class="w"> </span><span class="k">data</span><span class="w"></span>
<span class="o">[</span><span class="n">tunnels </span><span class="o">]</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Manipulate</span><span class="w"> </span><span class="n">tunnel</span><span class="w"> </span><span class="k">data</span><span class="w"></span>
<span class="n">VPN</span><span class="w"> </span><span class="nl">shell</span><span class="p">:</span><span class="o">[</span><span class="n">/</span><span class="o">]</span><span class="w"> </span><span class="o">></span><span class="w"></span>
</code></pre></div>
<p>In addition, if you know the full path inside the vpn shell to the command you wish to run, you can type it directly:</p>
<p>Example 1: to see all IKE tunnels: </p>
<div class="highlight"><pre><span></span><code><span class="o">[</span><span class="n">Expert@gw1</span><span class="o">]</span><span class="err">#</span><span class="w"> </span><span class="n">vpn</span><span class="w"> </span><span class="n">shell</span><span class="w"></span>
<span class="w"> </span><span class="vm">?</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="n">help</span><span class="w"></span>
<span class="w"> </span><span class="p">..</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="k">Go</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">one</span><span class="w"> </span><span class="k">level</span><span class="w"></span>
<span class="w"> </span><span class="n">quit</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Quit</span><span class="w"></span>
<span class="o">[</span><span class="n">interface </span><span class="o">]</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Manipulate</span><span class="w"> </span><span class="n">tunnel</span><span class="w"> </span><span class="n">interfaces</span><span class="w"></span>
<span class="o">[</span><span class="n">show </span><span class="o">]</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Show</span><span class="w"> </span><span class="n">internal</span><span class="w"> </span><span class="k">data</span><span class="w"></span>
<span class="o">[</span><span class="n">tunnels </span><span class="o">]</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Manipulate</span><span class="w"> </span><span class="n">tunnel</span><span class="w"> </span><span class="k">data</span><span class="w"></span>
<span class="n">VPN</span><span class="w"> </span><span class="nl">shell</span><span class="p">:</span><span class="o">[</span><span class="n">/</span><span class="o">]</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="n">tunnels</span><span class="w"> </span><span class="n">show</span><span class="w"> </span><span class="n">IKE</span><span class="w"> </span><span class="ow">all</span><span class="w"></span>
<span class="n">Peer</span><span class="w"> </span><span class="mf">193.</span><span class="n">x</span><span class="p">.</span><span class="n">x</span><span class="p">.</span><span class="nl">x</span><span class="p">:</span><span class="w"></span>
<span class="w"> </span><span class="mf">1.</span><span class="w"> </span><span class="n">IKE</span><span class="w"> </span><span class="n">SA</span><span class="w"> </span><span class="o"><</span><span class="mi">8755</span><span class="n">c7fb24a52e9b</span><span class="p">,</span><span class="mi">5</span><span class="n">d46b29d0f0bb5b7</span><span class="o">></span><span class="err">:</span><span class="w"></span>
<span class="n">VPN</span><span class="w"> </span><span class="nl">shell</span><span class="p">:</span><span class="o">[</span><span class="n">/</span><span class="o">]</span><span class="w"> </span><span class="o">></span><span class="w"></span>
</code></pre></div>
<p>Example 2: to delete the IKE SAs for a specific peer:</p>
<div class="highlight"><pre><span></span><code>VPN shell:[/] > tunnels delete IKE peer 193.3.3.3
</code></pre></div>
<p>NOTE: the interface subtree is for dealing with VTI interfaces.</p>
<p>And finally, to leave the vpn shell and return to the SSH shell:<br>
get to the root by typing .. as many times as needed and then quit:</p>
<div class="highlight"><pre><span></span><code><span class="n">VPN</span><span class="w"> </span><span class="nl">shell</span><span class="p">:</span><span class="o">[</span><span class="n">/show/tunnels/IKE</span><span class="o">]</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="p">..</span><span class="o">/</span><span class="p">..</span><span class="o">/</span><span class="p">..</span><span class="w"></span>
<span class="w"> </span><span class="vm">?</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="n">help</span><span class="w"></span>
<span class="w"> </span><span class="p">..</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="k">Go</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">one</span><span class="w"> </span><span class="k">level</span><span class="w"></span>
<span class="w"> </span><span class="n">quit</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Quit</span><span class="w"></span>
<span class="o">[</span><span class="n">interface </span><span class="o">]</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Manipulate</span><span class="w"> </span><span class="n">tunnel</span><span class="w"> </span><span class="n">interfaces</span><span class="w"></span>
<span class="o">[</span><span class="n">show </span><span class="o">]</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Show</span><span class="w"> </span><span class="n">internal</span><span class="w"> </span><span class="k">data</span><span class="w"></span>
<span class="o">[</span><span class="n">tunnels </span><span class="o">]</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Manipulate</span><span class="w"> </span><span class="n">tunnel</span><span class="w"> </span><span class="k">data</span><span class="w"></span>
<span class="n">VPN</span><span class="w"> </span><span class="nl">shell</span><span class="p">:</span><span class="o">[</span><span class="n">/</span><span class="o">]</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="n">quit</span><span class="w"></span>
<span class="o">[</span><span class="n">Expert@gw1</span><span class="o">]</span><span class="err">#</span><span class="w"></span>
</code></pre></div>
Autologin Expect scripts for telnet/ssh | 2008-09-21T17:28:02+00:00 | Yuri Slobodyanyuk | tag:yurisk.info,2008-09-21:/2008/09/21/autologin-expect-scripts-for-telnetssh/
<p>Tired of typing your username/password over and over when using telnet/ssh? Here are Expect (<a href="https://core.tcl-lang.org/expect/index">https://core.tcl-lang.org/expect/index</a>) scripts to autologin by telnet and ssh.</p>
<p>Note: </p>
<ul>
<li>Yes, it is not secure to keep your username/password saved somewhere, so know what you do. In my opinion, as long as this is a server dedicated to remote logins, with no access from outside, and hardened accordingly (pertinent to the scripts: only the owner/root can read the user's home folder, etc.), the risk is acceptable.</li>
</ul>
<p>Note 2: the password is saved in a file named "sword", which the scripts open relative to the current directory.</p>
<div class="highlight"><pre><span></span><code>#!/usr/local/bin/expect
# Change the shebang above to the location of your Expect binary; a comment
# on the shebang line itself would be passed to expect as an argument.
# Usage: tel <equipment to enter>

proc Usage {} {
    puts "\n tel <equipment to enter> \n"
    return
}

set argnumber [llength $argv]

if {$argnumber == 0} {
    puts "You need to specify at least one piece of equipment to log into\n"
    Usage
    exit
} elseif {$argnumber > 1} {
    puts "You specified too many arguments, only one please\n"
    Usage
    exit
}

set hostName [lindex $argv 0]

puts "Entering $hostName"
set username "myusername"
# The password is the first line of the file "sword" in the current directory
set HANDL [open "sword"]
set password [gets $HANDL]
close $HANDL
spawn telnet $hostName
# Glob pattern: the trailing * matches whatever follows the prompt
expect {[Uu]sername*} {
    send "$username\r"
}

expect {[Pp]assword:} {
    send "$password\r"
}

# Cisco specific block - to enter enable level, you may remove this block if not needed.
# The user EXEC prompt ends with ">", so wait for it, then answer the enable password prompt.
expect {*>} {
    send "enable\r" }

expect {[Pp]assword:} {
    send "$password\r"
}
# End of Cisco specific block
interact
</code></pre></div>
<p>Now SSH login script: </p>
<div class="highlight"><pre><span></span><code>#!/usr/local/bin/expect
# Change the shebang above to the location of your Expect binary; a comment
# on the shebang line itself would be passed to expect as an argument.
# Usage: essh <equipment to enter>

proc Usage {} {
    puts "\n essh <equipment to enter> \n"
    return
}

set argnumber [llength $argv]

if {$argnumber == 0} {
    puts "You need to specify at least one piece of equipment to log into\n"
    Usage
    exit
} elseif {$argnumber > 1} {
    puts "You specified too many arguments, only one please\n"
    Usage
    exit
}

set hostName [lindex $argv 0]

puts "Entering $hostName"
set username "myusername"
# The password is the first line of the file "sword" in the current directory
set HANDL [open "sword"]
set password [gets $HANDL]
close $HANDL
# -l passes the username to ssh, as the telnet script does
spawn ssh -l $username $hostName

expect {[Pp]assword:} {
    send "$password\r"
}
# Again goes the Cisco-specific block, remove if not needed.
# The user EXEC prompt ends with ">", so wait for it, then answer the enable password prompt.
expect {*>} {
    send "enable\r" }

expect {[Pp]assword:} {
<span class="w"> </span><span class="nv">send</span><span class="w"> </span><span class="s2">"$password\r"</span>
<span class="w"> </span><span class="k">}</span>
<span class="w"> </span><span class="c">#End of Cisco - specific block</span>
<span class="w"> </span><span class="nv">interact</span>
</code></pre></div>
<p><em>Follow me on <a href="https://www.linkedin.com/in/yurislobodyanyuk/">https://www.linkedin.com/in/yurislobodyanyuk/</a> not to miss what I publish on Linkedin, Github, blog, and more.</em></p>SSH session timeout in Checkpoint Firewall2008-09-15T18:20:11+00:002008-09-15T18:20:11+00:00Yuri Slobodyanyuktag:yurisk.info,2008-09-15:/2008/09/15/ssh-session-timeout-in-checkpoint-ngngx/<p>It is no fun when, in the middle of an <a href="http://yurisk.info/2009/12/12/fw-monitor-command-reference/">fw monitor</a> / debug session, you get abruptly disconnected by the SSH session timeout. Here is how to prevent it in the Checkpoint firewall.
The session timeout is defined in <strong>/etc/bashrc</strong> (<code>cat /etc/bashrc</code>):</p>
<div class="highlight"><pre><span></span><code># By default, log out the user after three minutes of unattended prompt
export TMOUT=180
export SHELL=/bin/bash
# Take into account idle setting of cpshell, if available
if [ -f /etc/cpshell/cpshell.state ]; then
    idle=$(grep idle /etc/cpshell/cpshell.state | sed s/idle=//)
    if [ $idle"UNDEFINED" = "UNDEFINED" ]; then
        idle=3
    fi
    export TMOUT=`expr $idle \* 60`
fi
</code></pre></div>
<p>To change the default timeout for the SSH session you can:<br>
1) Set the <code>idle</code> variable (in minutes) in /etc/cpshell/cpshell.state; /etc/bashrc multiplies it by 60 to get seconds: </p>
<div class="highlight"><pre><span></span><code> cat /etc/cpshell/cpshell.state
audit=100
idle=100
scroll=1
</code></pre></div>
<p>2) Change <strong>TMOUT</strong> directly to any number of seconds you wish and export it to activate: </p>
<p><strong>export TMOUT=7000</strong> </p>
<p>Personally, when working on a client's firewall, I set it manually when a long debug session is expected: </p>
<p><strong>[Expert@cp]# TMOUT=700<br>
[Expert@cp]# export TMOUT</strong> </p>
Telnet from inside Checkpoint firewall2008-09-10T08:00:30+00:002008-09-10T08:00:30+00:00Yuri Slobodyanyuktag:yurisk.info,2008-09-10:/2008/09/10/telnet-from-inside-checkpoint-firewall/<p>UPDATE 2021: While all the below is still correct and works, nowadays, in GAIA we have a telnet client installed by default.</p>
<p>Yesterday I saw a strange problem: a connection from outside to an Exchange server in the LAN times out, while in Tracker all connections to port 25 are shown in green. Stranger still, through the client-to-site VPN and from inside the LAN everything worked perfectly well, so I wasn't 100% sure the firewall wasn't causing this. The next best way to check would be to telnet from inside NGX (R65 in this case) to port 25 of Exchange by its LAN IP ... only that Checkpoint does not include a telnet client in SPLAT. If I had enough time I'd compile a telnet client statically on some Linux box with the same kernel/libraries and then copy it to NGX for testing, but to do it ASAP I hacked a small AWK script that emulates telnet (just enough for a test); the scripts are below.</p>
<p>BTW this script made it 100% clear there was some problem with Exchange over which I had no control: from the firewall its port 25 answered very erratically, once ok, then 10 times connection refused. So after a double check the client found that from the LAN and VPN it also wasn't as stable as he first thought.</p>
<p>General telnet client script (the <code>/inet/tcp/</code> special files are a gawk extension, so GNU awk is required):</p>
<p><strong>[Expert@cp]# awk -v ip=192.168.0.1 -v port=25 -f telnet.awk</strong></p>
<p>Where:<br>
<strong>ip</strong> - IP to connect to<br>
<strong>port</strong> - port to connect to</p>
<div class="highlight"><pre><span></span><code>#!/usr/bin/awk -f
# This is a simple telnet emulation script, the purpose of which
# is to try to connect to a given IP on a given port using TCP
# and print to the terminal the few lines received from the server
# if the session is established. It has no functionality beyond
# establishing a TCP connection and printing the text received from the
# server; after that it just exits. It was created to debug
# connectivity issues on a Checkpoint NGX firewall that has no built-in
# telnet client.
# Client
BEGIN {
    # gawk two-way coprocess over its /inet/tcp special file; local port 0 = any free port
    ("/inet/tcp/0/" ip "/" port) |&amp; getline
    # print the first line the server sent (for port 25 that is the SMTP 220 banner)
    print $0
    close(("/inet/tcp/0/" ip "/" port))
}
</code></pre></div>
<p>Next is the same script with an add-on for port 80 - to get some response from a web server:</p>
<div class="highlight"><pre><span></span><code>#!/usr/bin/awk -f
BEGIN {
    Portandip = ("/inet/tcp/0/" ip "/" port)
    # send a minimal request, then read lines until the server closes the connection
    print "GET / HTTP/1.1\n\n" |&amp; Portandip
    while ((Portandip |&amp; getline) &gt; 0)
        print $0
    close(Portandip)
}
</code></pre></div>
<p><strong>PS Thanks to Aibulat</strong> (see comments) for the info: it turns out there is a telnet client available on the Splat CD-ROM. It is just not installed by default when installing Splat.</p>
Aladdin Esafe defaults and some debug commands2008-09-06T08:50:57+00:002008-09-06T08:50:57+00:00Yuri Slobodyanyuktag:yurisk.info,2008-09-06:/2008/09/06/esafe-defaults-and-some-debug-commands/<p><strong>HISTORICAL NOTE</strong> Aladdin was an Israeli company known for its security eTokens and mail filtering appliances - <strong>eSafe</strong>. In 2009 it was bought by SafeNet, primarily for the token/DRM line, and soon the eSafe appliance was discontinued. Later SafeNet was in turn acquired by Gemalto. You can read about Aladdin at <a href="https://en.wikipedia.org/wiki/Aladdin_Knowledge_Systems">Aladdin Wiki</a><br>
As with any other box, eSafe comes with some default configs; to my surprise it takes too long to find them in the eSafe docs, so here they are:</p>
<p>eConsole TCP port: 43970<br>
eConsole UDP port: 43982<br>
Webmin TCP port: 37233 - HTTPS to eSafe when installed on Linux [the last eSafe to support Windows was eSafe 6 FR2]: https://ip_address_of_esafe:37233<br>
default username: root<br>
default password: kn1TG7psLu<br>
Webmin username: admin<br>
Webmin password: esafe<br>
econsole default username: admin<br>
econsole default password: none; you will be asked to set one on the first login or during Webmin configuration </p>
<p>Product Configuration file:<br>
/opt/eSafe/eSafeCR/esafecfg.ini<br>
Nitroinspection Configuration file:<br>
/opt/eSafe/esafenipca.ini<br>
eSafe Machine Configuration file:<br>
/opt/eSafe/esafe.ini<br>
eSafe Applifilter Configuration file:<br>
/opt/eSafe/eSafeCR/applifilter2.ini </p>
<p>Spool Directory:<br>
/opt/eSafe/eSafeCR/SPOOL/ </p>
<p>Advanced antispam and URL filtering (cobion) database Directory:<br>
/var/esafe/ofdb/</p>
<p>Session log files:<br>
/opt/eSafe/eSafeCR/SessionLog/ </p>
<p>Machine logs - when debug mode enabled logs get written here:<br>
/var/esafe/log/eSafeCR </p>
<p>Debug procedure, provided the load on the machine permits (High debug mode loads the machine a lot!); this may shorten the troubleshooting time when opening a ticket with Aladdin.<br>
You need to re-create the problem first at the high debug level (you can do it with eConsole: Options > Troubleshooting... > Clear Log Files > choose High troubleshooting level > re-create the problem > choose "Off" to turn off the troubleshooting level)</p>
<p>How to create support file:<br>
cd /opt/eSafe<br>
./esafeinf<br>
Collecting eSafe info and log files, Please wait ...<br>
Information successfully logged in<br>
/var/log/1004562_xxxxxxx3430esglog.tar.gz. </p>
<p>or:</p>
<p>enter Webmin https://ip_address_of_esafe:37233 > Support > Create and download eSafe Support Info file</p>
<p>eSafe machine configuration script (it has the same functionality as Webmin):<br>
cd /opt/eSafe<br>
./esgmenu </p>
find tool patterns2008-09-06T07:55:17+00:002020-07-20T08:45:00+02:00Yuri Slobodyanyuktag:yurisk.info,2008-09-06:/2008/09/06/find/<p>These are a few Linux <code>find</code> patterns I find useful in daily work.<br>
The ones below were of great help when I had to clean an eSafe that had more than 100,000 files in the spool! The usual shell wild-card expansion didn't work (try to do <code>ls</code> in a folder with 130000 files ;). I sorted and then removed files by date - the files created in the last 24 hours per remove. </p>
<div class="highlight"><pre><span></span><code> find . -mtime 0 -exec rm -f {} \;
 find . -mtime 0             # find files created/modified within the past 24 hours
 find . -mtime -1            # find files created/modified within the past 0 - 24 hours
 find . -mtime 1             # find files modified between 24 and 48 hours ago
 find . -mtime +1            # find files modified more than 48 hours ago
 find . -mmin +3 -mmin -10   # find files modified between 4 and 9 minutes ago
 find . -type f -size +30M -ls   # find files larger than 30 MB and list them
</code></pre></div>
<p>The default is a logical <strong>AND</strong> between clauses.<br>
NB the <code>-regex</code> switch to find looks for a complete match of the whole path!<br>
Finding by permission pattern and then removing:<br>
- Find files that have at LEAST the following permissions set and delete them:<br>
<code>find . -type f -perm -0750 -exec rm -f {} \;</code><br>
- Find files with ANY of the permissions set and delete them (the <code>+mode</code> form is deprecated in GNU find; current versions spell it <code>-perm /0750</code>):<br>
<code>find . -type f -perm +0750 -exec rm -f {} \;</code><br>
- Find files with a permission pattern EXACTLY matching and delete them:<br>
<code>find . -type f -perm 0750 -exec rm -f {} \;</code><br>
- Find by UID, file type and size and list them:<br>
<code>find . -type f -uid 0 -size +2k -exec ls -l {} \;</code><br>
modifiers to the -size switch: b w k c</p>
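<p>As an added check (example code, not from the original post) that makes the <code>-mtime</code> 0 / -1 / 1 / +1 and the <code>-perm</code> -/any/exact semantics above concrete before anything is deleted: it builds a constructed directory with files of known ages and modes and counts what each filter selects. It assumes GNU find and GNU touch (relative <code>-d</code> dates) and a hypothetical script name find_buckets.sh for the demo guard; the purge uses <code>-exec ... {} +</code>, which batches paths into one rm instead of forking rm per file as the <code>\;</code> form does.</p>

```shell
#!/bin/sh
# Added example, not part of the original post. Builds a throwaway tree with
# files of known ages and permission bits, then counts what the post's find
# filters select. Assumes GNU find and GNU touch (-d with relative dates).

make_fixture() {
    dir=$(mktemp -d)
    mkdir "$dir/age" "$dir/perm"
    # constructed age buckets: <24h, 24-48h, >48h
    touch -d '-1 hour'   "$dir/age/fresh1" "$dir/age/fresh2"
    touch -d '-30 hours' "$dir/age/yesterday"
    touch -d '-3 days'   "$dir/age/old1" "$dir/age/old2" "$dir/age/old3"
    # constructed permission set: exact 0750, a superset, a subset, unrelated bits
    touch "$dir/perm/exact" "$dir/perm/superset" "$dir/perm/subset" "$dir/perm/other"
    chmod 0750 "$dir/perm/exact"
    chmod 0770 "$dir/perm/superset"
    chmod 0700 "$dir/perm/subset"
    chmod 0004 "$dir/perm/other"
    echo "$dir"
}

# count_mtime DIR ARG : number of regular files that "find DIR -mtime ARG" selects
count_mtime() {
    find "$1" -type f -mtime "$2" | wc -l | tr -d ' '
}

# count_perm DIR MODE : same for -perm; MODE is -0750 (all bits), /0750 (any bit)
# or 0750 (exact). "/" is the current GNU spelling of the old "+" form.
count_perm() {
    find "$1" -type f -perm "$2" | wc -l | tr -d ' '
}

# purge_last_24h DIR : delete files modified in the past 24 hours and report how
# many remain. "{} +" passes many paths to a single rm, unlike "{} \;", which
# forks rm once per file and is slow on a 100,000-file spool.
purge_last_24h() {
    find "$1" -type f -mtime 0 -exec rm -f -- {} +
    find "$1" -type f | wc -l | tr -d ' '
}

# Walk through the buckets when run directly as find_buckets.sh (hypothetical name).
if [ "${0##*/}" = "find_buckets.sh" ]; then
    d=$(make_fixture)
    for arg in 0 -1 1 +1; do
        printf 'find -mtime %-3s -> %s file(s)\n' "$arg" "$(count_mtime "$d/age" "$arg")"
    done
    for mode in -0750 /0750 0750; do
        printf 'find -perm %-6s -> %s file(s)\n' "$mode" "$(count_perm "$d/perm" "$mode")"
    done
    printf 'after purging <24h files: %s remain\n' "$(purge_last_24h "$d/age")"
    rm -rf "$d"
fi
```

Note that <code>-mtime 0</code> and <code>-mtime -1</code> select the same files: find truncates the age to whole days before comparing.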