Monthly Archives: July 2014

Password protect Forticlient registration

The other day I needed to lock down who can connect to our Fortigate to register a forticlient. This was very important due to that fact we were pushing VPN policies to our clients.

You can configure a Password for client registration by going to System – Config – Advanced and its right there.

Capture

To register the client open Forticlient and at the top right you will register – it will then prompt you for that password before you can register.

regi

Cisco Switch – Set interface back to defaults with one command

As easy as it is, I always forget this command.

The following command will set an interface to defaults. Lets say I have about 10 commands on the interface specifying Voice, Access, Trunk, Spanning tree – etc, and I want to quickly throw that port back to default. I can issue this command

config t
default interface gig 1/0/1

And its back to default, no configuration!

This command was introduced in IOS 11.1, so it should be in about every switch out there now.

Fortinet AS Path filtering with Regular Expressions

Recently I had a project where 1 Fortigate had two MPLS networks connected for redundant connections. These two MPLS networks were from different providers. I had a few problems where networks from other peers were transiting through my device to be advertised out to these links. I did not want this to happen. There are many ways to do this exact thing, but what I did was use an AS path filter with regular expressions to find anything passing through my remote peers and block them going out on the opposite peer. The image below will sum up what I just wrote a little better:

Path-filtering

So as with almost all BGP commands on Fortinet – they have to be done through CLI. The following are the commands needed to create the AS-Path list, Create the Route map, then apply the route map to our neighbor. We are using regular expressions to map grab our AS path, you might say what the heck is a regular expression? Here is a link that explains how to put an expression together http://blog.ine.com/2008/01/06/understanding-bgp-regular-expressions/ . If you notice what I am doing “_65000_” This basically says that if 65000 is in the AS Path block it. the _ is a space so my expression reads – Anything before 65000 or after 65000 gets blocked. For example, if you wanted to block routes that originate from 65000 you could do “_65000” or “_65000$” The dollar sign means that is the end of the string, so nothing else beyond that.

config router aspath-list
edit Match-L3
config rule
edit 10
set action deny
set regexp _65000_
end
next

edit Match-WS
config rule
edit 10
set action deny
set regexp _65400_
end
end

config router route-map
edit Block-WS
config rule
edit 10
set match-as-path Match-WS
next
edit 11 — Note- There is a deny all on the Routemap, this rule 11 basically says permit anything else
end
next

edit Block-L3
config rule
edit 10
set match-as-path Match-L3
next — Note- There is a deny all on the Routemap, this rule 11 basically says permit anything else
edit 11
end
end

config neighbor
edit “2.2.2.1”
set capability-default-originate enable
set remote-as 65400
set route-map-out “Block-L3”
set send-community6 disable
next

edit “1.1.1.1”
set remote-as 65000
set route-map-out “Block-WS”
set send-community6 disable
next
end

Now we have to flush those routes, we can do this with the command:

exe router clear bgp ip 1.1.1.1 soft out
exe router clear bgp ip 2.2.2.1 soft out

After you clear you should see a good drop in routes being advertised to those neighbors.

get router infor  bgp neigh 1.1.1.1 advertised-routes

 

Cisco IP-SLA to track interface state

Sometimes it is necessary to track an interface state to bring down a certain route.

In my case I have a Multihomed scenario, and two routers. In this case the upstream routers do not know about each other, the downstream routers make the routing decisions for the network.

I have a static route configured pointed to the ISP, I am redistributing that static route to my clients through OSPF. If the state goes down on the interface then the router will take it out of its routing table. You can do this by pining an IP address, UDP Jitter, State, etc.. many ways.

Commands:

config t
track 100 interface GigabitEthernet0/2 line-protocol
ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 100

exit

You can use commands like:
show track
show track int
show track bri