How to install OpenVPN Server

Below you will find how to install an OpenVPN server. At the end of the article:

1- We will have a VPN server running under Linux.
2- We will be using Linux PAM accounts to authenticate clients.
3- All connected clients can access the local network and each other.
4- All clients will use the VPN server to access the internet.
5- The VPN server will act as remote-to-site.
6- We will have a sample Windows client configuration to connect with.

Setup
Ubuntu Server 12.04
WAN 192.168.1.33/30
LAN 172.16.70.0/24
VPN 10.8.0.0/24

Excluding Network from BGP on Fortigate

Assume you are redistributing your Fortigate networks into BGP and you want to exclude one or more of those networks from being advertised.

Here is an example config.

PS: replace the "XXX" placeholders (AS number, neighbour IP, router ID, prefix and subnet mask) with your own values..

config router prefix-list
edit "youraclname"
config rule
edit 1
set prefix IPaddress SubnetMask
unset ge
unset le
next
end
next
end

config router route-map
edit "rmap-bgp"
config rule
edit 1
set action deny
set match-ip-address "youraclname"
next
edit 2
next
end
next
end

config router bgp
set as XXXX
set log-neighbour-changes enable
config neighbor
edit "neighbourIP"
set remote-as XXXX
set route-map-out "rmap-bgp"
set send-community6 disable
next
end
config redistribute "connected"
set status enable
end
config redistribute "rip"
end
config redistribute "ospf"
end
config redistribute "static"
end
config redistribute "isis"
end
config redistribute6 "connected"
end
config redistribute6 "rip"
end
config redistribute6 "ospf"
end
config redistribute6 "static"
end
config redistribute6 "isis"
end
set router-id XXX.XXX.XXX.XXX
end
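The prefix-list above is tried first by route-map rule 1 (deny) and everything else falls through to rule 2 (permit). As an added check, written for this post and not Fortinet's code, the following Python models that evaluation so you can see which connected networks the neighbour would still receive before you apply the config. It assumes the usual FortiOS semantics (an entry with ge/le unset matches the exact prefix only, a prefix-list that matches nothing denies, route-map rules are tried in order, a rule without match criteria matches everything, and a route matching no rule is dropped); the sample networks are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed FortiOS semantics (example code, not Fortinet's): a prefix-list
# entry with ge/le unset matches the exact prefix only; ge/le widen the
# accepted prefix-length range; entries are matched in order and a
# prefix-list matching nothing denies. Route-map rules are tried in order,
# the first rule whose match criteria hold decides, a rule without match
# criteria (rule 2 above) matches everything, and a route matching no rule
# is dropped.

@dataclass
class PrefixEntry:
    prefix: str                  # e.g. "172.16.70.0/24" (set prefix <ip> <mask>)
    action: str = "permit"
    ge: Optional[int] = None     # minimum prefix length; unset -> exact match
    le: Optional[int] = None     # maximum prefix length

    def matches(self, route: str) -> bool:
        net = ipaddress.ip_network(self.prefix, strict=False)
        rt = ipaddress.ip_network(route, strict=False)
        if rt.version != net.version or not rt.subnet_of(net):
            return False
        low = self.ge if self.ge is not None else net.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = net.max_prefixlen
        else:
            high = net.prefixlen
        return low <= rt.prefixlen <= high


def prefix_list_permits(entries: List[PrefixEntry], route: str) -> bool:
    """First matching entry decides; no match means implicit deny."""
    for entry in entries:
        if entry.matches(route):
            return entry.action == "permit"
    return False


@dataclass
class RouteMapRule:
    action: str = "permit"
    match_ip_address: Optional[List[PrefixEntry]] = None  # None -> no match criteria


def route_map_permits(rules: List[RouteMapRule], route: str) -> bool:
    """Outbound route-map: first rule whose match holds decides; unmatched routes are dropped."""
    for rule in rules:
        if rule.match_ip_address is None or prefix_list_permits(rule.match_ip_address, route):
            return rule.action == "permit"
    return False


def advertised(rules: List[RouteMapRule], routes: List[str]) -> List[str]:
    """Return the subset of routes the neighbour would actually receive."""
    return [r for r in routes if route_map_permits(rules, r)]


# Constructed sample: the LAN 172.16.70.0/24 must not be announced to the neighbour.
EXCLUDE_EXACT = [PrefixEntry("172.16.70.0/24")]                # ge/le unset, as in the post
EXCLUDE_WITH_SUBNETS = [PrefixEntry("172.16.70.0/24", le=32)]  # also catch more-specifics
RMAP_EXACT = [RouteMapRule("deny", EXCLUDE_EXACT), RouteMapRule("permit")]
RMAP_SUBNETS = [RouteMapRule("deny", EXCLUDE_WITH_SUBNETS), RouteMapRule("permit")]
SAMPLE_ROUTES = ["172.16.70.0/24", "10.8.0.0/24", "192.168.1.32/30", "172.16.70.128/25"]

if __name__ == "__main__":
    print("exact entry ->", advertised(RMAP_EXACT, SAMPLE_ROUTES))
    print("with le 32  ->", advertised(RMAP_SUBNETS, SAMPLE_ROUTES))
```

Note the caveat the model makes visible: with ge/le unset, the entry only suppresses 172.16.70.0/24 itself, so a more specific 172.16.70.128/25 (a host route or a smaller connected subnet) still reaches the neighbour. Setting `le 32` on the prefix-list rule covers the whole range.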

Fortigate 3810A TFTP Error – Open boot device failed

You may meet “Open boot device failed” if you upload a firmware image via TFTP. I think the Fortigate 3810A doesn't support a fresh firmware install via TFTP for FortiOS 5.0.

The workaround is to upload the latest 4.x release via TFTP, then upgrade to 5.0 via the GUI.
At the time I write this post, the latest release for 5.x is GA patch 6 and for 4.x is MR3 Patch 15.

Netscaler VIP Realtime traffic usage

I googled everywhere, checked the documents and couldn't find any information on how to measure how much traffic is passing through the load balancer's individual VIPs.

So my solution is to measure RX/TX bytes/s via SNMP. To accomplish this, follow the steps below.

Requirements
An SNMP browser (I used the iReasoning MIB Browser)
NetScaler SNMPv2 MIBs (you may download them from your NetScaler appliance)

I assume that your appliance has SNMP enabled and functioning normally.

Load the MIB you downloaded from the NetScaler and enter the SNMP settings. Navigate to nsVserverGroup in the MIB browser and send an SNMP walk.

[screenshot: mib]

You will get the names starting with vsvrName on the left side. Select your favorite VIP :)

Now let's take the first line in our example. The full OID will look like this:

.1.3.6.1.4.1.5951.4.1.3.1.1.1.5.67.101.98.105.116

So crop the vsvrName part and you will have the unique OID suffix for your VIP:

.1.3.6.1.4.1.5951.4.1.3.1.1.1.    5.67.101.98.105.116 < this is our VIP

Now we have to put the RX or TX rate OID in front of 5.67.101.98.105.116. Let's find the RX one.

Check the list below and find the lines starting with vsvrRxBytesRate. You may check any value you want, because what we want to learn is which OID represents vsvrRxBytesRate.

[screenshot: mib2]

So as you can see, .1.3.6.1.4.1.5951.4.1.3.1.1.44.16.79.68.67.95.65.112.112.95.83.77.84.80.95.49.48.49 is the whole OID and .1.3.6.1.4.1.5951.4.1.3.1.1.44. represents vsvrRxBytesRate.

Now if you combine both OIDs you will get the RX bytes/s of that VIP. But this is not a gauge, it is a point-in-time value.. It may not be as good as a traffic counter, but it is the best you can do :)

.1.3.6.1.4.1.5951.4.1.3.1.1.44.5.67.101.98.105.116

After you have the value, multiply it by 8 to get bits and divide by 1024 to get kbit/s..

There are also lots of other OIDs you can pick using this method.
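The OID juggling above follows from how SNMP indexes a table by a string: the index is the string's length followed by one sub-identifier per ASCII byte. The following Python, an added example and not part of the original post or Citrix's tooling, builds the rate OID for a VIP from its name and decodes a walked OID back into column and VIP name, so the cropping can be done without a MIB browser once the column numbers are known. The table OID and the column numbers 1 (vsvrName) and 44 (vsvrRxBytesRate) are the ones from the post; the two OIDs it decodes are the ones shown above, and the bytes-to-kbit conversion uses the post's own factors.

```python
# Added example (not from the original post): build and decode NetScaler
# vserver OIDs whose table index is the length-prefixed ASCII vsvrName.

NSVSERVER_TABLE = "1.3.6.1.4.1.5951.4.1.3.1.1"   # vserverTable entry, as shown in the post
VSVR_NAME_COLUMN = 1                            # vsvrName (from the post)
VSVR_RXBYTESRATE_COLUMN = 44                    # vsvrRxBytesRate (from the post)


def name_to_index(vip_name: str) -> str:
    """SNMP string index: length sub-identifier, then one sub-identifier per byte."""
    data = vip_name.encode("ascii")
    return ".".join(str(b) for b in (len(data), *data))


def build_oid(column: int, vip_name: str) -> str:
    """Full OID of <column> for the vserver named vip_name."""
    return f".{NSVSERVER_TABLE}.{column}.{name_to_index(vip_name)}"


def decode_oid(oid: str):
    """Split a walked vserverTable OID into (column, vip_name)."""
    parts = oid.strip(".").split(".")
    table = NSVSERVER_TABLE.split(".")
    if parts[: len(table)] != table:
        raise ValueError("not a vserverTable OID")
    column = int(parts[len(table)])
    index = [int(p) for p in parts[len(table) + 1 :]]
    length, chars = index[0], index[1:]
    if length != len(chars):
        raise ValueError("index length does not match the number of characters")
    return column, bytes(chars).decode("ascii")


def bytes_rate_to_kbits(bytes_per_second: float) -> float:
    """Apply the post's arithmetic: x8 for bits, /1024 for kbit/s."""
    return bytes_per_second * 8 / 1024


if __name__ == "__main__":
    # The two OIDs from the post, decoded back into column and VIP name.
    for oid in (".1.3.6.1.4.1.5951.4.1.3.1.1.1.5.67.101.98.105.116",
                ".1.3.6.1.4.1.5951.4.1.3.1.1.44.16.79.68.67.95.65.112.112.95.83.77.84.80.95.49.48.49"):
        print(oid, "->", decode_oid(oid))
    # And the combined RX-rate OID for the first VIP.
    print(build_oid(VSVR_RXBYTESRATE_COLUMN, "Cebit"))
```

Once `build_oid` gives you the RX or TX OID for a VIP, any SNMP GET of that single OID (from a monitoring system or a cron job) returns the rate the MIB browser showed.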


Automating Fortigate Backups

As you know, we can't schedule Fortigate backups. So you may schedule a cron job to back up your Fortigate box and send the backup via FTP.

Requirements:
Any Linux server
FTP server (may be the same Linux machine)

First we need an expect script to send commands to the Fortigate box, then we will execute it via a sh script. I wish someone could port it to PowerShell :)

How to clear Fortigate webcache via CLI

diag wacs clear

Fortigate HA reverts back to standalone

When you configure an HA cluster on a Fortigate, it reverts back to standalone mode but accepts the other changes like heartbeats, group name etc...
Then I realised that all network interfaces must be configured with manual addressing. If you have any DHCP or PPPoE configuration on your interfaces, the Fortigate doesn't accept HA modes and reverts back to standalone mode. There is no error message or warning..

Fortigate ASIC-offloading and SNMP Traffic Counters

A strange problem... If you have created a VLAN-based interface, the SNMP traffic counters return wrong values. You have to disable session offloading to the NP or SP processors. Tested on a 1240B.. so you may disable ASIC offloading per firewall policy for test purposes. Then you will see that the SNMP traffic counters get higher.

You may also disable fastpath, SP load balancing, network accelerators, or NP ASIC offloading globally, but it is not recommended on production systems. Be sure what you are doing.

To disable NP ASIC offloading globally (this is a temporary command; it returns to the defaults after a reboot):

diag npu "npu version" fastpath disable "NP ID"

The npu version is np4 on the 1240B.. for the 3810A it is np1.
The NPU ID can be taken from get hardware npu np4 list, which also shows which ports it is enabled on.

Here is an example of the policy-based way (the more reliable way :) ),

Fortigate1240b # config vdom

Fortigate1240b (vdom) # edit MytestVdom
current vf=MytestVdom:7

Fortigate1240b (MytestVdom) # config firewall policy

Fortigate1240b (policy) # edit 44

Fortigate1240b (44) # sh
config firewall policy
edit 44
set srcintf "VLAN78"
set dstintf "VLAN66_OUT"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
next
end

Fortigate1240b (44) # set auto-asic-offload disable

Fortigate1240b (44) # sh
config firewall policy
edit 44
set srcintf "VLAN78"
set dstintf "VLAN66_OUT"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set auto-asic-offload disable
next
end

Fortigate1240b (44) #

Look at the difference below after disabling offloading..

[image: traffic-chart]

PS: This is fixed in FortiOS 5.x

How to send realtime logs to FortiAnalyzer

When you configure your Fortigate box to send logs to a FortiAnalyzer box, it sends the logs on a scheduled basis, and when you test connectivity you may notice a warning saying “Logs not received” in the connection status.

You should configure your Fortigate box to send logs in realtime.

Go to the CLI. The output should look like this.

Forti # config log fortianalyzer setting

Forti (setting) # sh
config log fortianalyzer setting
set status enable
set server 10.10.10.11
end

Forti (setting) # set upload-option realtime

Forti (setting) # end

Forti # get log fortianalyzer setting
status : enable
ips-archive : enable
max-buffer-size : 1
buffer-max-send : 1000
address-mode : static
server : 10.10.10.11
enc-algorithm : default
localid : (null)
conn-timeout : 10
monitor-keepalive-period: 5
monitor-failure-retry-period: 5
source-ip : 0.0.0.0
upload-option : realtime

Now we can test via the GUI and see that it is working fine.

FortiOS v5.0 at a glance..

Today I spent a few minutes reviewing the new FortiOS major release, version 5.

There are some reasonable changes in the GUI.. At first sight, VDOMs are separated from the GLOBAL menu.. A new feature: we can now assign device-based rules. The Policy screen also has some modifications.. Now we have to select one of two types of policy before creating a new one.

Firewall and VPN.. Actually we had these already, but now they are more user-friendly in the GUI.
Firewall policy got three sub-types.. We have to select one of them (Address, Identity Based or the new one, “Device Identity”).. VPN policy also has 2 types, as you can guess.. SSL and IPSEC..

Device-based rules have a simple idea behind them: you simply group devices by their MAC addresses. Indeed, we will be able to add MAC-based policies from now on..

In short.. FortiOS v5.0 will not bring incredible features.. It just has some GUI modifications and some minor features for a major release.. But there should be lots of improvement in the background.. I will review it later, but at first sight v5 is a disappointment for me.