First plug in your usb to serial adapter and find the devicename using the Terminal program, mine is listed here:
Then start the screen command with the devicename and baudrate
screen /dev/tty.usbserial-AH06ORK9 9600
If you want to keep a log you can do so with
When your finished exit with :
Thanks Jeff Huckaby at Rackaid for this nice post.
OK, so you’ve created your ipsec vpn tunnels and added the corresponding static routes, but which path does the VPN traffic take if your tunnel is down ?
Right, it uses the next best route in the routing table and chances are this is your default route pointing to your internet router…
But luckily you did add a blackhole route for this traffic, preventing this:
So next time your VPN tunnel is down, traffic will be dropped by the Fortigate and not use your default route again.
Or you can use the CLI for this:
config router static
set blackhole enable
set dst 172.16.0.0/12
First check if and how traffic enters the device. Use the filter option.
Make sure traffic offloading to the NP is disabled for the policy in question, (remove this command when done):
config firewall policy
set auto-asic-offload disable
Using the FortiOS packet sniffer
Assgined Internet Protocol numbers
Then check the flow through the firewall and find out the policy id
Using debug flow
Find the system session and PolicyID
session info: proto=1 proto_state=00 duration=96 <snip>
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
total session 2
Then use show firewall policy <id> to list the policy used for the traffic:
FGT60ELexThuis # show firewall policy 3
config firewall policy
set name "Lex"
set uuid d42a3556-cb66-51e7-e20b-6be8577def0b
set srcintf "internal"
set dstintf "wan1"
set srcaddr "Lex zolder" "Laptop Lex" "PC Huiskamer"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set av-profile "Quick block"
set ips-sensor "protect_client"
set application-list "block-botnet-monitor"
set profile-protocol-options "custom-default"
set ssl-ssh-profile "certificate-inspection"
set nat enable
via console access 9600,n,8,1:
logon immediately after login prompt with:
Change old password with:
In a unit where vdoms are not enabled:
config system admin
set password <psswrd>
In a unit where vdoms are enabled:
config system admin
set password <psswrd>
reset to factory default with:
Switch to VDOMs:
config system global
set vdom-admin enable
Select Global from GUI and create VDOMS from there,
Set dedicated mgmt port in ROOT vdom via Network>Interfaces
Create VDOMS as needed, add interfaces, configure administrators
Check Cookbook for more info
FOR /L %i in (1,1,255) do @ping -n 1 172.17.1.%i | find “TTL”
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\llu> FOR /L %i in (1,1,255) do @ping -n 1 172.17.1.%i | find “TTL”
Reply from 172.17.1.1: bytes=32 time=1ms TTL=255
Reply from 172.17.1.4: bytes=32 time=1ms TTL=255
Reply from 172.17.1.34: bytes=32 time<1ms TTL=128
Reply from 172.17.1.41: bytes=32 time<1ms TTL=128
Reply from 172.17.1.46: bytes=32 time<1ms TTL=128
Reply from 172.17.1.49: bytes=32 time<1ms TTL=128
Reply from 172.17.1.51: bytes=32 time<1ms TTL=128
Reply from 172.17.1.56: bytes=32 time=6ms TTL=128
Reply from 172.17.1.58: bytes=32 time=10ms TTL=128
Reply from 172.17.1.60: bytes=32 time<1ms TTL=128
Reply from 172.17.1.67: bytes=32 time<1ms TTL=128
Reply from 172.17.1.68: bytes=32 time<1ms TTL=128
Reply from 172.17.1.76: bytes=32 time<1ms TTL=128
Reply from 172.17.1.79: bytes=32 time<1ms TTL=128
Reply from 172.17.1.84: bytes=32 time<1ms TTL=128
Reply from 172.17.1.86: bytes=32 time<1ms TTL=128
Reply from 172.17.1.88: bytes=32 time<1ms TTL=128
Reply from 172.17.1.93: bytes=32 time<1ms TTL=128
Reply from 172.17.1.94: bytes=32 time<1ms TTL=128
Reply from 172.17.1.95: bytes=32 time=1ms TTL=128
Reply from 172.17.1.96: bytes=32 time=2ms TTL=128
PEM is the most common format in which Certificate Authorities (CA) issue certificates. These are more widely used by Unix/Linux users.
If you see “Proc-type” present in a PEM format certificate it means that it is encrypted and these are called as base-64 encoded DER certificates.
The public part of the certificate will be represented in “—–BEGIN PUBLIC KEY—–” and “—–END PUBLIC KEY—–“
Whereas the private part of the certificate will be represented in “—–BEGIN RSA PRIVATE KEY—–” and “—–END RSA PRIVATE KEY—–“.
PEM format can contain any or all of the client/server certificate, intermediate certificate, root CA and the private key.
- They are Base64 encoded ASCII files
- They have extensions such as .pem, .crt, .cer, .key
- Apache and similar servers uses PEM format certificates
DER is a Binary form of ASCII PEM format certificate. All types of Certificates & Private Keys can be encoded in DER format.
This format supports storage of single certificate and does not include private key for the intermediate/root CA.
- They are Binary format files
- They have extensions .cer and .der
DER is typically used in Java platform
This format contains only certificate or certificate chain but does not store the private key.
This format is usually used by CA’s to provide certificate chains to users.
PFX Format (PKCS#12)
PFX is a format for storing a server certificate or any intermediate certificate along with private key in one encrypted file. PFX follows Public Key Cryptography Standard(PKCS). The term PFX is used interchangeably with PKCS#12.
snmp oid 126.96.36.199.4.1.3097.6.3.80.0:
Edit Tunnel Route Settings in Branche Office IPSec Tunnel:
Specify REAL ip addresses in Local and Remote
Specify NAT range in Settings 1:1 NAT
Today I looked into a Netscaler VPX Gateway with network issues.
Response was slow and users reported this error when connecting to Citrix backend servers:
“Failed with status 1110″ When Launching Desktops or Apps Through NetScaler Gateway”
I checked the eventlog on the vpx with: shell nsconmsg -K /var/nslog/newnslog -d event and found a log full of these errors:
2546 245 PPE-0 MonServiceBinding_srv-xdc01.office.local:80_(sta)(vpndbssvc_-1250801384): UP; Last response: Success – Probe to STA server succeeded. Tue Oct 25 06:53:13 2016
2547 484 PPE-0 MonServiceBinding_srv-xdc01.office.local:80_(sta)(vpndbssvc_-1250801384): DOWN; Last response: Failure – TCP connection successful, but application timed out Tue Oct 25 07:01:19 2016
After looking around in the Systems menu I disabled Mac Based Forwarding and enabled TCP Window Scaling as per CTX121149.
The network issued were gone and no more application time-out failures in the eventlog…
More about Mac Based Forwarding here.