Monthly Archives: May 2014

Fortigate and VRRP

Fortigate supports many HA options. They have a great active/passive HA option, as well as active/active. VRRP is another option that is supported. VRRP (Virtual Router Redundancy Protocol) is an open-standards protocol that helps eliminate the single point of failure in a network by allowing another device to take over routing automatically.

Basically one router is the master (active) and the other is a backup (passive). Which device is active or passive is based on the priority of each device; the highest priority (1-255) is the most preferred. The default priority is 100, and 255 is the best. There is a heartbeat, which is just a multicast packet, that goes across a link both devices share (a normal LAN link is fine). If for some reason that heartbeat is lost, the backup router will take over as the master.

VRRP is a great way to make sure that if one router fails the passive router becomes active and takes over routing for the network. VRRP creates a virtual MAC address that is shared between the two devices; the active device answers for the virtual MAC and takes control of the virtual IP that is also shared between the two.

You can use VRRP to load balance traffic as well. Load balancing is achieved by using two different VRRP groups and balancing which router is primary for which group. The image below should help clarify what I mean.


Image

You can use those two VRRP groups as primary and secondary for the default gateway in different VLANs. So in this case, you could have VLAN 10's default gateway on Fortigate A and VLAN 20's on Fortigate B, giving fail-over for both while splitting up the load. This might be a great thing to do if you have an HA cluster of 60C's that just can't handle the full traffic load in an HA scenario. Remember: each config is different on these firewalls; there is no config sync. There is an option to sync sessions between the firewalls, so that if one firewall were to fail, things would pick right back up without having to establish the sessions again.

Things to note in this config: there is already an IP address assigned to the VLAN interface for management, for when the VRRP address might not be active on that unit. I am also using the preempt option to make sure the configured active unit is always active if it is online. The physical interface the VLANs are configured on is a trunk on both links going to Fort-A and Fort-B.

Config time:

The config for VRRP is interface based, and CLI only.

Fortigate A:

config system interface
    edit vlan-10
        config vrrp
            edit 10
                set vrip 10.10.10.1
                set priority 255
                set status enable
                set preempt enable
            next
        end
        set vrrp-virtual-mac enable
    next
    edit Vlan-20
        config vrrp
            edit 20
                set vrip 10.10.20.1
                set priority 100
                set status enable
            next
        end
        set vrrp-virtual-mac enable
    next
end

Fortigate B:

config system interface
    edit vlan-10
        config vrrp
            edit 10
                set vrip 10.10.10.1
                set priority 100
                set status enable
            next
        end
        set vrrp-virtual-mac enable
    next
    edit Vlan-20
        config vrrp
            edit 20
                set vrip 10.10.20.1
                set priority 255
                set status enable
                set preempt enable
            next
        end
        set vrrp-virtual-mac enable
    next
end

This config does exactly what we want: it creates a shared virtual IP and makes sure the configured active (highest priority) unit takes back over the active role if it goes offline and comes back online (preempt).
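As an added example (not part of the post and not FortiOS code), a small Python model of the election for the two groups above, using the same priorities, vrips and preempt settings, shows who answers for each virtual IP as the heartbeat comes and goes; the router names Fort-A and Fort-B follow the post.

```python
# Added example: model of VRRP master election for the two groups configured above.
VRIPS = {10: "10.10.10.1", 20: "10.10.20.1"}       # group id -> virtual IP
ROUTERS = {                                       # router -> {group: priority}
    "Fort-A": {10: 255, 20: 100},
    "Fort-B": {10: 100, 20: 255},
}
PREEMPT = {("Fort-A", 10), ("Fort-B", 20)}        # where 'set preempt enable' was given


def elect_master(group, alive, current=None, routers=ROUTERS, preempt=PREEMPT):
    """Return which router should answer for one group's virtual IP and MAC.

    alive   - routers whose advertisements (the multicast heartbeat) are still heard
    current - the router currently acting as master, or None at startup
    A router only takes the role from a master that is still alive if its priority
    is higher AND it has preempt enabled; otherwise the current master keeps it.
    """
    candidates = [r for r in alive if group in routers[r]]
    if not candidates:
        return None                                # nobody answers for the vrip
    best = max(candidates, key=lambda r: routers[r][group])
    if current in candidates and current != best:
        return best if (best, group) in preempt else current
    return best


def simulate(alive_steps, routers=ROUTERS, preempt=PREEMPT):
    """Walk through successive heartbeat states; return who owns each vrip at each step."""
    groups = sorted({g for prio in routers.values() for g in prio})
    current = {g: None for g in groups}
    history = []
    for alive in alive_steps:
        for g in groups:
            current[g] = elect_master(g, alive, current[g], routers, preempt)
        history.append({VRIPS[g]: current[g] for g in groups})
    return history


if __name__ == "__main__":
    # both up -> Fort-A's heartbeat is lost -> Fort-A returns and preempts group 10
    for step in simulate([{"Fort-A", "Fort-B"}, {"Fort-B"}, {"Fort-A", "Fort-B"}]):
        print(step)
```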

Using Logrotate in Vyatta to manage logs

Logrotate is a tool built into Debian, which is what Vyatta is built on. Logrotate allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large. Recently I had an issue where all the space on my Vyatta was filled up; after some investigation it was the auth.log that had reached a couple hundred MB. After clearing it I was fine. After more investigation I found that auth.log was never in the logrotate config.

Below is an example. In this example, if the log file grows above 50M, logrotate rotates it (moving the current file aside), compresses that copy, and starts logging to a new auth.log. After another 50M it rotates again. So at most I would have 100M of auth.log.

/var/log/auth.log {
size 50M
rotate 2
create
compress
}

I would just edit the /etc/logrotate.conf file and add this in.


Fortigate HTTPS inspection Certificate error fixes

*Note: most of these issues have been fixed in 5.2. By default now, if you select HTTPS inspection - Certificate inspection, you will just get a blank page when you go to an HTTPS site that is not allowed.

The Fortigate Web filter is amazing! I think it stands up to the best web filters out there.

But, like all web filters, SSL can be a bit tricky. Fortigate presents its own SSL certificate, "Fortigate-CA-Proxy", to the client when it does a few things:

1. Deep packet inspection (think of a man-in-the-middle). This way the Fortigate sees all traffic in the session even if it was encrypted.

2. When it sends its replacement message (Blocked) to the client.

Some problems come up with this. The cert has to be trusted by clients; this is easily done if you have an internal CA, or you can create a Windows group policy to push the certificate into their trusted store. I know you might ask, what if I get a signed cert for this? The certificate is a CA certificate (its basicConstraints extension is CA:TRUE). That basically means you would need a certificate from a trusted publisher that says you are a public CA, and I would say most CAs would not give us one. But what if you want SSL inspection for guest clients but don't want them to see the cert error? The answer lies below, friends. Something to remember: you have to have SSL inspection enabled on the firewall policy to get HTTPS inspection to work.

To have the Fortigate block the website without giving an error there are a few things that need to be done:

1. Set the web filter to use https-url-scan, which only looks at the URL and does not do deep scanning.

2. Set the Fortigate not to respond with a replacement message. Remember, it responds with an HTTPS blocked page, and that is why you see the HTTPS cert error.

As of Patch 7 this is a CLI command.

To enable https-url-scan, which looks at the URL rather than the traffic going through:

config webfilter profile
    edit default (or your profile name)
        set options https-url-scan
end

To disable the HTTPS replacement message:

config webfilter profile
    edit default (or your profile name)
        set https-replacemsg disable
end

To give an example:

Let's say I block the category "social networking" and go to http://facebook.com; it will be blocked. If I go to https://facebook.com it will show a blank screen with no error message, but it will not work. Before enabling these commands I would see the error message, then after accepting the cert I would see the block page.

Note: there might be a way to have the replacement message be HTTP instead of HTTPS. I am looking into this.


Time based Policy-map for traffic policing

Recently I was tasked to resolve a problem where a video stream on Saturday and Sunday would get very choppy. This video stream is for a church and, as you would expect, needs to be perfect. There are multiple remote sites, each connected over MPLS back to the core site, which is where the video stream originates. Each site has a 100Mb MPLS link back to the core site.

We wanted to make sure that on Saturday and Sunday normal traffic (web, file shares) would be capped at around half the usable bandwidth, with the other half left for the stream. This is much more bandwidth than the stream needs, but we want to make sure there is plenty.

So, what we did was implement time-based ACLs: one for the traffic we want to prioritize and another for all default traffic that we want to police. We used an 'any-any' ACL instead of class-default because the match has to be time-based.

Some things to note: the burst size really mattered here. I followed the formula from Cisco, burst (bytes) = RATE-SPEED (bps) / 8 * 1.5. Using this formula solved my issues and things flowed exactly the way I wanted them to.

To test, I changed the time on the router to look like Saturday and then used iperf to push traffic.

The system clock on the router has to be correct, or else everything can be very screwed up. You might be asking why I used a policer instead of a shaper. Good question. I would have used a shaper if my 3750's supported it. A shaper would have been a better solution here.

Steps

– Create the time-range

– Create ACLs using the time-range

– Create class-maps

– Create the policy-map

– Apply the policy-map to the interface


First, to create the time-range matching the times we wanted, we used the following commands:

config t
time-range Weekend-Service
 periodic Saturday 13:00 to Sunday 15:00
exit

Next I created the ACLs to match the priority traffic and the default traffic (ACL names are case-sensitive, so they must match the class-maps below exactly):

ip access-list extended Priority-Traffic
 10 permit ip host 10.0.0.1 any time-range Weekend-Service
exit

ip access-list extended Default-Traffic
 10 permit ip any any time-range Weekend-Service
exit

Then I created the class-maps and the policy-map, and attached it to the interface (named ACLs are referenced with "match access-group name", and the policy is attached with "service-policy"):

class-map match-any Priority-Traffic
 match access-group name Priority-Traffic
exit

class-map match-any Default-Traffic
 match access-group name Default-Traffic
exit

policy-map Stream
 class Priority-Traffic
  set ip dscp ef
 exit
 class Default-Traffic
  police 50000000 937500
  set ip dscp default
 exit
exit

int gig 1/0
 service-policy input Stream
exit

There are many commands to check the status; one is "show policy-map interface". On the 3750, QoS is off by default, so the policy only takes effect once "mls qos" has been enabled globally.

Linux network interface preference

Sometimes you have multiple NICs on a Linux host and need one of them to be a backup for anything other than its own subnet. Let's say both NICs have default routes and we need to go out eth0 by default. There are multiple ways to do this.

One way is to modify the interface config and add a metric. A lower metric is preferred.

On Debian (and Vyatta) the file is:

vi /etc/network/interfaces

then, inside the iface stanza for eth0, add

metric 1

(0 is the most preferred; 1 makes eth0 strongly preferred over a NIC with a higher metric)

On Red Hat-style systems the equivalent is METRIC=1 in /etc/sysconfig/network-scripts/ifcfg-eth0.

Save the file, then restart networking:

/etc/init.d/networking restart

(On Red Hat-style systems the service is called network rather than networking.)

Another way is to use the ifmetric command to set the metric of the route:

ifmetric INTERFACE [METRIC]

Using ifmetric, I do believe, does not set it permanently.

HP vs Cisco Vlan trunking

Whenever I talk to networking people about integrating or replacing Cisco switches with HP, they always talk about how difficult it was to get them to pass VLAN info. This is because the terminology is totally different between the two.

In the Cisco world a "trunk" port will pass all VLAN tags by default. What does this mean? It means the port can accept/pass frames carrying different VLAN tags. Basically the trunk port is a member of every VLAN, and therefore will pass traffic from every VLAN it is a member of. In HP, the word "trunk" means link aggregation (LACP, for example): taking two or more links and combining them. For carrying multiple VLANs, HP uses the word "tagged".

So what is a VLAN tag?

Image

The "VLAN ID" is a 12-bit value in the 802.1Q tag of the Ethernet frame header that specifies which VLAN the frame belongs to, and thus virtually separates traffic.

So to configure a port as a trunk in Cisco the command is "switchport mode trunk". This allows the port to carry every VLAN and to understand/pass frames with any tag.

In the HP world you would "tag" multiple VLANs on a single port. The "tagged" command means the port can pass/understand frames in those tagged VLANs. So let's say we have 2 VLANs and we want a switch to pass frames on both VLANs out of one port; then we would configure the port as tagged in both VLANs. The commands would be:

int 24
 tagged vlan 120,140

Now that port will accept tags from both vlans and pass them along.


Access ports or Untagged

An access port in Cisco is a port whose traffic will be tagged by the switch for the VLAN the port is set to access. For example, if the command on the port is "switchport access vlan 120" then all untagged (default) traffic will be tagged for VLAN 120 by the switch. This is done because the host itself is not tagging frames, but sending everything untagged.

In HP this access port would be "untagged". This means traffic entering the port arrives untagged but is tagged with VLAN X by the switch (and the tag is removed again on the way out to the host). So the command "untagged vlan 120" means all traffic on that port will be in VLAN 120.
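As an added example (not from the post), the following Python builds, tags, strips and parses 802.1Q frames to show what the 12-bit VLAN ID looks like on the wire and what a tagged (trunk) port versus an untagged (access) port actually does with a frame; the sample frame and MAC address are constructed.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame):
    """Return dst, src, VLAN fields (vid is None if untagged), EtherType and payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"dst": frame[:6], "src": frame[6:12], "pcp": None, "vid": None}
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        out["pcp"] = tci >> 13            # 3-bit priority code point
        out["vid"] = tci & 0x0FFF         # the 12-bit VLAN ID this post is about
        payload = frame[18:]
    else:
        payload = frame[14:]
    out.update(ethertype=ethertype, payload=payload)
    return out


def tag_frame(frame, vid, pcp=0):
    """Ingress on a Cisco access / HP 'untagged vlan X' port: the switch inserts the tag."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | vid
    # The 4-byte tag sits between the source MAC and the original EtherType.
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Egress on the same access port: the tag is removed before the host sees the frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def trunk_forwards(frame, tagged_vids):
    """Would a Cisco trunk / HP 'tagged vlan ...' port forward this tagged frame?"""
    return parse_frame(frame)["vid"] in tagged_vids


# Constructed untagged frame as a host would send it: broadcast dst, made-up src, IPv4.
HOST_FRAME = (b"\xff" * 6 + bytes.fromhex("020000000001")
              + struct.pack("!H", ETHERTYPE_IPV4) + b"ip-payload")
```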

Commands:

Trunk ports

Trunk (Cisco)

int gig 1/0/24
 switchport mode trunk
exit

Trunk (HP)

int 24
 tagged vlan 120,140
exit

Access ports (this port is in this VLAN)

Access (Cisco)

int gig 1/0/24
 switchport mode access
 switchport access vlan 120
exit

Access (HP)

int 24
 untagged vlan 120
exit


Fortigate interface Speed/duplex

Hard coding speed and duplex settings on a device can be very important. Sometimes it is essential to hard code your settings to work with an ISP or neighboring device. To change the speed/duplex settings manually you need a CLI command. The default is auto-negotiate, but as we all know, sometimes the ISP or local side negotiates to half duplex, or never negotiates correctly.

Check Speed/Duplex

How to check the speed and duplex of the interface:

Fortinet now has the ability to show speed/duplex by hovering over the interfaces in the GUI. This option became available in MR5 patch 4, I think.

Image

To check this through the CLI there are a few ways. Two commands that can do this are:

get system interface physical

Image

This command shows the IP, status, and speed/duplex.

The next command is:

get hardware nic X (where X is the interface name)

Image

This command gives you much more info, such as errors and drops.


Setting speed/duplex

To set the speed and duplex of the interface to 1 Gb full duplex use the CLI commands:

config system interface
    edit X
        set speed 1000full
end

Image

That's it! Notice that get hardware nic gives you all kinds of stats about that interface.

Cisco ACL Logging: log-input

Using ACL logging can be a very useful tool, not only to get info about what's going on but also for troubleshooting. One way to get much more robust logging is to use log-input at the end of the ACE.

The log-input keyword shows the normal things such as source IP/port and destination IP/port, but will also show the ingress interface and the MAC address of the source. Very cool! The following is an example of the output:

*May  1 22:33:38.799: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted
   tcp 192.168.1.3(1025) (Ethernet0/0 000e.9b5a.9839) -> 192.168.2.1(22), 1 packet 
*May  1 22:39:15.075: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted
   tcp 192.168.1.3(1025) (Ethernet0/0 000e.9b5a.9839) -> 192.168.2.1(22), 9 packets
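As an added example (not from the post), a small Python parser for these %SEC-6-IPACCESSLOGP messages that pulls out the "(interface mac)" field only log-input adds, and totals hits per source IP, ingress interface and MAC; the sample lines are constructed from the format above (the two lines from the post, joined back onto one line each as syslog emits them, plus a denied hit and a line from an ACE that used plain "log").

```python
import re
from collections import defaultdict

# Added example: parser for IPACCESSLOGP lines (not Cisco code).
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\))?"  # log-input only
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<packets>\d+) packets?"
)


def parse_acl_log(line):
    """Return the fields of one IPACCESSLOGP message as a dict, or None if it is not one."""
    m = ACL_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()                 # iface and mac stay None for ACEs without log-input
    for key in ("sport", "dport", "packets"):
        rec[key] = int(rec[key])
    return rec


def packets_by_source(lines):
    """Sum the packet counts per (source IP, ingress interface, source MAC)."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_acl_log(line)
        if rec:
            totals[(rec["src"], rec["iface"], rec["mac"])] += rec["packets"]
    return dict(totals)


# Constructed sample log lines in the format shown above.
LOG_LINES = [
    "*May  1 22:33:38.799: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp "
    "192.168.1.3(1025) (Ethernet0/0 000e.9b5a.9839) -> 192.168.2.1(22), 1 packet",
    "*May  1 22:39:15.075: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp "
    "192.168.1.3(1025) (Ethernet0/0 000e.9b5a.9839) -> 192.168.2.1(22), 9 packets",
    "*May  1 22:41:02.311: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN denied tcp "
    "192.168.1.7(40212) (Ethernet0/0 0200.0000.0007) -> 192.168.2.1(23), 3 packets",
    "*May  1 22:42:10.004: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/1-IN permitted udp "
    "10.1.1.5(53412) -> 192.168.2.53(53), 2 packets",
]

if __name__ == "__main__":
    for key, total in packets_by_source(LOG_LINES).items():
        print(key, total)
```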