Serial console connection from your Mac using a USB-to-serial adapter

First plug in your USB-to-serial adapter and find the device name using the Terminal program; mine is listed here:

ls /dev/tty.*

/dev/tty.usbserial-AH06ORK9

Then start the screen command with the device name and baud rate:

screen /dev/tty.usbserial-AH06ORK9 9600

If you want to keep a log you can do so with:

Control-a H

When you're finished, exit with:

Control-a Control-\

Thanks Jeff Huckaby at Rackaid for this nice post.


Blackhole Routing

OK, so you've created your IPsec VPN tunnels and added the corresponding static routes, but which path does the VPN traffic take if your tunnel is down?

Right, it uses the next best route in the routing table and chances are this is your default route pointing to your internet router…

But luckily you added a blackhole route for this traffic, preventing this.

So the next time your VPN tunnel is down, the traffic is dropped by the Fortigate instead of following your default route.

Or you can use the CLI for this:

config router static
edit 0
set blackhole enable
set dst 172.16.0.0/12
next
end
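As an added illustration (not from the original post), here are both routes for the same remote prefix side by side: the tunnel route at the FortiOS default distance of 10 and the blackhole at a higher distance, so the blackhole is only installed once the tunnel interface goes down and its route is withdrawn. The tunnel interface name "vpn-to-branch" and the distance values are assumptions; if your tunnel route is more specific than the blackhole prefix, longest-prefix match already prefers it while the tunnel is up.

```text
config router static
    edit 0
        set dst 172.16.0.0/12
        set device "vpn-to-branch"
        set distance 10
    next
    edit 0
        set dst 172.16.0.0/12
        set blackhole enable
        set distance 254
    next
end
```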


Troubleshooting Fortigate using CLI

First check if and how traffic enters the device. Use the filter option.

Using the FortiOS packet sniffer

Assigned Internet Protocol numbers

Then check the flow through the firewall and find out the policy ID.

Using debug flow

Find the system session and policy ID:

session info: proto=1 proto_state=00 duration=96 <snip>
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
<snip>
total session 2
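Added example, not from the original post: a small parser for this session output that extracts the policy_id of every session and cross-checks the parsed count against the "total session" footer. The sample text is constructed in the same layout as the lines above and is not a real capture.

```python
import re
from collections import Counter

# Constructed sample in the layout of FortiOS "diagnose sys session list" output
# (the page shows the same lines trimmed with <snip>); not a real capture.
SESSION_LIST = """\
session info: proto=1 proto_state=00 duration=96 expire=0 timeout=0 flags=00000000 use=3
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=12 expire=3587 timeout=3600 flags=00000000 use=3
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=00 duration=3 expire=177 timeout=180 flags=00000000 use=3
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
total session 3
"""

KV = re.compile(r"(\w+)=(\S*)")

def parse_sessions(text):
    """Split session list output into one dict of key=value fields per session."""
    sessions, current = [], None
    for line in text.splitlines():
        if line.startswith("session info:"):
            current = {}
            sessions.append(current)
        elif line.startswith("total session"):
            current = None
        if current is not None:
            current.update(KV.findall(line))
    return sessions

def total_reported(text):
    """The count the device prints in its 'total session N' footer, or None."""
    m = re.search(r"^total session (\d+)", text, re.M)
    return int(m.group(1)) if m else None

def sessions_by_policy(text):
    """Sessions per policy_id: the id to look up with 'show firewall policy <id>'."""
    return dict(Counter(s.get("policy_id", "?") for s in parse_sessions(text)))

def consistent(text):
    """Cross-check the parsed session count against the device's own footer."""
    return total_reported(text) == len(parse_sessions(text))
```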

Then use show firewall policy <id> to list the policy used for the traffic:

FGT60ELexThuis # show firewall policy 3
config firewall policy
edit 3
set name "Lex"
set uuid d42a3556-cb66-51e7-e20b-6be8577def0b
set srcintf "internal"
set dstintf "wan1"
set srcaddr "Lex zolder" "Laptop Lex" "PC Huiskamer"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set av-profile "Quick block"
set ips-sensor "protect_client"
set application-list "block-botnet-monitor"
set profile-protocol-options "custom-default"
set ssl-ssh-profile "certificate-inspection"
set nat enable
next
end

Fortigate Password recovery

https://docs.fortinet.com/uploaded/files/1708/Resetting_a_lost_admin_password.pdf

Via console access (9600,n,8,1):

Log on immediately after the login prompt with:

username: maintainer

password: bcpbFGT60E4Q16092486

(bcpb + serial number)

Change the old password with:

In a unit where VDOMs are not enabled:

config system admin
edit admin
set password <psswrd>
end

In a unit where VDOMs are enabled:

config global
config system admin
edit admin
set password <psswrd>
end
end

Reset to factory default with:

exec factoryreset


Fortigate Tips & Tricks

Switch to VDOMs:

GUI:

Dashboard>System>VirtualDomain

CLI:

config system global
  set vdom-admin enable
end

Select Global in the GUI and create VDOMs from there.

Set a dedicated management port in the root VDOM via Network>Interfaces.

Create VDOMs as needed, add interfaces, configure administrators.

Check the Cookbook for more info.

Ping sweep using command line

FOR /L %i in (1,1,255) do @ping -n 1 172.17.1.%i | find "TTL"

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\llu> FOR /L %i in (1,1,255) do @ping -n 1 172.17.1.%i | find "TTL"
Reply from 172.17.1.1: bytes=32 time=1ms TTL=255
Reply from 172.17.1.4: bytes=32 time=1ms TTL=255
Reply from 172.17.1.34: bytes=32 time<1ms TTL=128
Reply from 172.17.1.41: bytes=32 time<1ms TTL=128
Reply from 172.17.1.46: bytes=32 time<1ms TTL=128
Reply from 172.17.1.49: bytes=32 time<1ms TTL=128
Reply from 172.17.1.51: bytes=32 time<1ms TTL=128
Reply from 172.17.1.56: bytes=32 time=6ms TTL=128
Reply from 172.17.1.58: bytes=32 time=10ms TTL=128
Reply from 172.17.1.60: bytes=32 time<1ms TTL=128
Reply from 172.17.1.67: bytes=32 time<1ms TTL=128
Reply from 172.17.1.68: bytes=32 time<1ms TTL=128
Reply from 172.17.1.76: bytes=32 time<1ms TTL=128
Reply from 172.17.1.79: bytes=32 time<1ms TTL=128
Reply from 172.17.1.84: bytes=32 time<1ms TTL=128
Reply from 172.17.1.86: bytes=32 time<1ms TTL=128
Reply from 172.17.1.88: bytes=32 time<1ms TTL=128
Reply from 172.17.1.93: bytes=32 time<1ms TTL=128
Reply from 172.17.1.94: bytes=32 time<1ms TTL=128
Reply from 172.17.1.95: bytes=32 time=1ms TTL=128
Reply from 172.17.1.96: bytes=32 time=2ms TTL=128

Certificate types PEM, DER, PKCS#7 and PFX (PKCS#12)

PEM Format
PEM is the most common format in which Certificate Authorities (CAs) issue certificates. It is the format most widely used by Unix/Linux users.
If you see a "Proc-Type" header in a PEM file, its contents are encrypted; PEM files are also referred to as base64-encoded DER certificates.
The public part of the certificate is enclosed in "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----", whereas the private part is enclosed in "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----".
A PEM file can contain any or all of the client/server certificate, the intermediate certificate, the root CA and the private key.

  • They are Base64-encoded ASCII files
  • They have extensions such as .pem, .crt, .cer, .key
  • Apache and similar servers use PEM format certificates

DER Format
DER is the binary form of the ASCII PEM format. All types of certificates and private keys can be encoded in DER format.
This format stores a single certificate and does not include the private key for the intermediate/root CA.

  • They are binary files
  • They have extensions .cer and .der

DER is typically used on the Java platform.

PKCS#7
This format contains only a certificate or certificate chain and does not store the private key.
It is usually used by CAs to provide certificate chains to users.

PFX Format (PKCS#12)
PFX is a format for storing a server certificate, or any intermediate certificate, along with the private key in one encrypted file. PFX follows the Public Key Cryptography Standards (PKCS). The term PFX is used interchangeably with PKCS#12.
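Added example, not from the original post: a format checker that tells PEM from DER the way the section describes it. It recognises the -----BEGIN/END----- labels, flags a block as encrypted when the Proc-Type header is present, and verifies that a PEM body really is base64-encoded DER by decoding it and checking the outer ASN.1 SEQUENCE length. The sample certificate, key body and DER bytes are constructed placeholders, not real key material.

```python
import base64
import re

# Constructed samples (not real keys or certificates): DER_SAMPLE is a minimal
# ASN.1 SEQUENCE { INTEGER 5 }; CIPHERTEXT stands in for an encrypted key body.
DER_SAMPLE = b"\x30\x03\x02\x01\x05"
CIPHERTEXT = b"\x9f\xa1\x00\x7c\x13\x88\x52\xee\x41\x02\xbd\x6a\x77\x30\x19\xe4"

def pem_wrap(label, body, headers=""):
    """Build one PEM block: -----BEGIN label-----, optional headers, base64 body."""
    b64 = base64.encodebytes(body).decode("ascii")
    return f"-----BEGIN {label}-----\n{headers}{b64}-----END {label}-----\n".encode()

PEM_CERT = pem_wrap("CERTIFICATE", DER_SAMPLE)
PEM_ENC_KEY = pem_wrap("RSA PRIVATE KEY", CIPHERTEXT,
                       "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n")
PEM_BUNDLE = PEM_CERT + PEM_ENC_KEY  # one PEM file may carry both cert and key

def der_sequence_ok(data):
    """True if data is a single ASN.1 SEQUENCE whose length field matches its size."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        length, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return hdr + length == len(data)

PEM_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----\r?\n(.*?)-----END \1-----", re.S)
def identify(blob):
    """Classify a blob as PEM (one or more BEGIN/END blocks) or DER, describing each block."""
    blocks = PEM_BLOCK.findall(blob.decode("ascii", errors="replace"))
    result = {"format": "unknown", "labels": [], "encrypted": [], "der_ok": []}
    if blocks:
        result["format"] = "PEM"
        for label, body in blocks:
            lines = body.splitlines()
            headers = [l for l in lines if ":" in l]       # Proc-Type, DEK-Info, ...
            payload = "".join(l.strip() for l in lines if ":" not in l)
            result["labels"].append(label)
            result["encrypted"].append(any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers))
            result["der_ok"].append(der_sequence_ok(base64.b64decode(payload)))
    elif der_sequence_ok(blob):
        result.update(format="DER", encrypted=[False], der_ok=[True])
    return result
```

The encrypted key block decodes to ciphertext rather than DER, which is why its der_ok entry is False even though the file is valid PEM.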


Netscaler Bad performance

Today I looked into a Netscaler VPX Gateway with network issues.

Response was slow and users reported this error when connecting to Citrix backend servers:

"Failed with status 1110" When Launching Desktops or Apps Through NetScaler Gateway

I checked the event log on the VPX with shell nsconmsg -K /var/nslog/newnslog -d event and found a log full of these errors:

2546 245 PPE-0 MonServiceBinding_srv-xdc01.office.local:80_(sta)(vpndbssvc_-1250801384): UP; Last response: Success – Probe to STA server succeeded. Tue Oct 25 06:53:13 2016
2547 484 PPE-0 MonServiceBinding_srv-xdc01.office.local:80_(sta)(vpndbssvc_-1250801384): DOWN; Last response: Failure – TCP connection successful, but application timed out Tue Oct 25 07:01:19 2016

After looking around in the System menu I disabled MAC Based Forwarding and enabled TCP Window Scaling, as per CTX121149.

The network issues were gone and there were no more application time-out failures in the event log.

More about MAC Based Forwarding here.