Dell N2248-ON firmware restore from ONIE Recovery

I have been working a lot with the Dell N-series over last few years, and now the N2248-ON which can run OS10 as well as the default OS6. We upgraded firmware to the latest 6.6.3.10 and all seemed to go well. Somehow it did not and hosed both primary/secondary firmware. The device was boot looping – the only option was to drop into ONIE Recovery and re-install the firmware. Here are the steps I used:

The ONIE recovery area runs a version of Linux. First check out your NIC to make sure it finds it:

ONIE:/ # ifconfig
eth0 Link encap:Ethernet HWaddr 8C:47:BE:97:B5:0F
inet6 addr: fe80::8e47:beff:fe97:b50f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:67 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6904 (6.7 KiB) TX bytes:1198 (1.1 KiB)
Memory:dfe00000-dfe7ffff

Great! Eth0 is found, but of course link status is down. Eth0 is the out of band management interface. We should be able to set an IP address on the interface and install firmware VIA TFTP or USB.

First I will setup and IP that can communicate with my laptop :

ifconfig eth0 192.168.1.100 netmask 255.255.255.0

ONIE:/ # ifconfig
eth0 Link encap:Ethernet HWaddr 8C:47:BE:97:B5:0F
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::8e47:beff:fe97:b50f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:108 errors:0 dropped:0 overruns:0 frame:0
TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10874 (10.6 KiB) TX bytes:7658 (7.4 KiB)
Memory:dfe00000-dfe7ffff

Perfect! My laptop is 192.168.1.99 – and connected directly to the out of band MGMT port.

Next we will TFTP the file up. This file is located in the software archive you download from Dell – Its located in the
“Otherfiles” folder. In this case the file name is onie-installer-x86_64-dellemc_n22xx_6.6.3.10. Next I put this on my TFTP server and we can start the install.

First lets turn off the ONIE-Discovery attempts with the onie-stop command.

Now lets upgrade – Run:

onie-nos-install tftp://192.168.1.99/onie-installer-x86_64-dellemc_n22x
x_6.6.3.10

The onie-nos-install will install the OS back to the device. The firmware took a few minutes to install, with about 4 reboots I think – it was all automatic.

Now lets see if the switch was updated with the “show version” command.

All is good!

Fortiauthenticator – SMS only remote sync rule

I had an issue, well more of a specific formatting issue with Fortiauthenticator that I thought I would share. I have a client who is only use SMS with forticlient via fortiauth. The idea is that the user connects and authenticates to the SSL VPN, and then hits Fortiauth for token code that was sent to the client VIA SMS.

When using SMS with tokens, you have to have the users mobile number entered so it can send to them. Hard coding the users mobile number worked great, but for some reason I could not get the remote sync rule to pull in the mobile phone number. Below are the steps I used to fix this.

First in the remote sync rule under “LDAP User Mapping Attributes” modify the mobile data field with “mobile” all lower case.

Then make sure that in Active Directory the mobile number is entered under the users profile. the Auth says it wants the mobile phone number in a very specific format – +[international_number] – this threw me for a while. In the end the number in AD wasn’t the problem it was the mapping attribute. Below is how to inset the number into AD. Notice the number has +[country code]number. Thats it, after putting that in the remote sync rule worked fine.

Getting Fortiswitch interface statistics

I am more impressed with Fortiswitches every time I work with them. The ability to implement light NAC features, INTRAvlan firewall policies and overall management really gives these switches a feature set to checkout when deciding on new switches.

Below are the steps to quickly get the interface stats such as errors/packets, etc. The commands are ran on the Fortigate, which in this case is controlling the Fortiswitch.

Drop into CLI on the FGT and check what switches are connected by running the command

get switch-controller managed-switch

This command will bring back the names of the manged switches. Locate the switch you want to check the port stats on. For example, we will use the name “FS1D24T419001174”

the command to get the stats are:

diag switch-controller switch-info port-stats FS1D24T419001174 port1

The output is in the image below:

using the top level command diag switch-controller switch-info you can also get LLDP, Power, and lots more info of the managed switch.

Updating Fortigate certificates

Certificates for VPN, SSL Offloading (if using Load balancing), or a signed device cert expire, we all know this. Up until last week I had never updated a signed certificate, I had just created a new CSR, and rekeyed the cert. Updating the certificate the Fortigate is using is very easy, but I had problems with the syntax so I am documenting it here.

The Fortinet KB article to do it is located here:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD35074

I had an issue following the doc so I though I would clear the water and see if I could help someone down the road. Lets say I have sslvpn.travelingpacket.com that will expire in 2 days – I log into my CA (godaddy in my case) and renew the cert. They send the new cert to me, but what do I do with it…

Open the cert with a text editor – maybe notepad – and copy the cert. you should see —BEGIN CERTIFICATE. Copy everything. Then log into the fortigate VIA cli – Putty or some kind of SSL client is way better for doing this then the web client. Then lets modify the certificate

config vpn certificate local

edit sslvpn (or your cert name)

set certificate “—–BEGIN CERTIFICATE—– mPjDQDYkYHKcTrGa6aH7e1w1uM7kdaBAjyAgM7xcmuTrsCeLYfd+BwIDAQABo4IDTDCCA0gwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIorRWhO7dYIKtkziB9KY0
>—–END CERTIFICATE—–“

and Press enter – The issues I had was with the quotes. I tried to first do double quotes, and past the cert in the middle – that does not work. Just simply type in the command set certificate and then a double quote and past the cert whole. After its pastes do the ending quote and press enter. Thats it for modifying the cert – but to enact it we have to remove it from whatever we are using it for, and then add it back. That refreshes the cert. So if your using it for SSL-VPN , go to VPN – SSL-VPN settings – and set the server cert to a different one, press apply, and change it back.

Ruckus ICX integration with Fortinac

This entry shows how I have been setting up ICX switches with Fortinac.

In this scenario my Fortinac is located at 192.168.226.248, the switch is 192.168.226.53, and my SNMP community is “snmp”. I know very secure. The switch I am working with is a Ruckus 7250 running SPR08092a.bin

These are the settings that I am putting into my switch:

logging host 192.168.226.248
snmp-server host 192.168.226.248 version v2c snmp

snmp-server enable traps mac-notification
snmp-server enable traps link-up
snmp-server enable traps link-down

On the NAC we have to add the switch, and make sure we have a CLI user account, and SNMP creds that work. We can test this within NAC to make sure things are up and going.

1

After we add the device, we can validate the settings

validate

After the device has been added you should see your interfaces/devices/status all show up.

 

 

FortiNAC – Finding the UUID and MAC to license device

When you setup Fortinac you have to license it, and Fortinet asks you what the MAC and UUID of the device are when registering the license. You can get this information by SSH’ing into the NAC and running the following commands:

 sysinfo -v | grep -i UU   — This will bring back the UUID

and to get the mac – run  ifconfig eth0

Copy those two settings into the registration of the license, and you can then get the license key.

Fortiauthenticator: Troubleshooting with tcpdump

Had a strange issue the other day with a FAC, where it would not send emails to users with their assigned tokens, but would send emails just fine any other time. I wanted to capture all outgoing traffic to see if SMTP messages were really being sent.

Fortiauth has Tcpdump built in, and is very easy to run.

First SSH into the FAC, from there you have some execute options. Below shows the tcpdump options:

exe tcpdump?
tcpdump Examine local network traffic.
tcpdumpfile Same as tcpdump, but write output to a file downloadable via GUI.
exe tcpdump

If you run ‘exe tcpdump’ it will spit all the traffic to the screen, but if you run ‘exe tcpdumpfile’ it will log the output to a .pcap that is downloadable from the GUI. This gives you the option to open it in Wireshark and analyze.

nac-1

To download the .pcap open your Fortiauth append /debug to the web address for example: https://10.110.2.60/debug. From here you will be prompted with what you want to debug, and at the bottom is the option to open the “CLI Packet Capture” this gives you the option to download the pcap.

nac-2

Thats it! Thank you Fortinet.

 

 

 

How to find NPS client Radius Shared Secret Key

Overtime we forget things, especially Shared secret radius keys. This is pretty common, and I run into it a lot. For example – lets say a you setup NPS (Network Policy Server) and a Wireless controller for 802.1x auth, or a ASA doing radius authentication years ago. Some how or another that key was lost – no worries, you can get that back from the NPS server itself.

In just a few simple steps you can get that key back. So lets start by opening up NPS and then selecting “Radius Clients and Servers” and dropping down “Radius Clients”

NPS-1

In this example I am using a Ruckus Smartzone – lets say I forget the password. I can just right click on the client and select “Save and apply as Template.

NPS-2

Next we can create a new radius client by right clicking on “Radius Clients” and once the client info pops up to fill in, we will select to create it from the template, and select the template we made.

NPS-3

NPS-4

To see the *** Password, uncheck the box “Select and existing template” and then select the “Generate” Radio button – and bam! there is the PSK.

NPS-5

Fortigate: Creating a static route in FortiOS 6.2

This entry details how to create a static route in both the GUI and CLI of the Fortigate firewall. Specifically I am using FortiOS 6.2.4 but its pretty much been the same for years.

Lets start by talking through the things that will be needed to create the static route.

Subnet – this is what we want to route to, for a default route its 0.0.0.0/0 but if we wanted a more specific route, lets say to 192.168.100.0/24.

Destination Interface – Next hop interface we want to send traffic out of.

Gateway address – Directly connected interface neighbor that we want the next hop for 192.168.100.0/24 to be.

Administrative Distance– is a feature used by routers to select the best path to a destination when multiple paths to the same destination are present. Lowest AD wins and will be placed in the routing table.

Advanced optionPriority – To build on AD definition – What if two routes exist in the routing table to the same destination with the same AD? This is where Priority comes in. Lowest priority wins. By selecting a priority you can have multiple routes to the same destination in the routing table, but one would be preferred over the other. This comes in very hand for Reverse Path forwarding issues.

So after all that’s said, we need to route 192.168.100.0/24 to our LAN interface with a next hop of 192.168.1.2.

First lets create this in the GUI. Navigate to network – static routes – and create a new one.

Create-new.

Now we will just insert the needed info. I am leaving the AD at 10 – which is default.

Route-Create

Press OK – and Bam! route created. We can check that the route has been created and is the routing table by going to monitor – routing monitor.

filter

Next lets do the same thing in CLI.

First route creation. When you create the route edit the next available sequence number. In this case its 46.

CLI-creation

You can see if your route is in the routing table in CLI by running the command “get router info routing-table all” but in this case I am using the static option, and grepping just what I need to see.

grep

Finding vlan settings on HP Procurve switch

Finding what vlans are set on a switch port is a very needed thing for almost any config changes in Procurve software. This entry shows a quick way to check the vlans both tagged/untagged on a procurve. This works for all procurve I believe, but I am testing on a J9773A 2530 switch. This is a simple entry but might help someone out.

To show vlans associated with the ports the command “show vlan ports X” can be used, and to find out more info like tagged/untagged you can add the “detail” to the command to get more info. For example to get info for port 1

Show vlan ports 1

show-vlan

And more info:

show vlan ports 1 detail

show-vlan-detail