Monthly Archives: July 2020

Ruckus ICX integration with Fortinac

This entry shows how I have been setting up ICX switches with Fortinac.

In this scenario my FortiNAC is located at 192.168.226.248, the switch is 192.168.226.53, and my SNMP community is "snmp" (I know, very secure). The switch I am working with is a Ruckus ICX 7250 running SPR08092a.bin.

These are the settings that I am putting into my switch:

logging host 192.168.226.248
snmp-server host 192.168.226.248 version v2c snmp

snmp-server enable traps mac-notification
snmp-server enable traps link-up
snmp-server enable traps link-down

On the NAC we add the switch and make sure we have a CLI user account and SNMP credentials that work. Both can be tested from within FortiNAC to confirm things are up and going before relying on them.

[Screenshot: adding the switch in FortiNAC]

After we add the device, we can validate the settings.

[Screenshot: validate]

Once the device has been added, its interfaces, connected devices and status should all show up.


FortiNAC – Finding the UUID and MAC to license device

When you set up FortiNAC you have to license it, and Fortinet asks for the MAC address and UUID of the device when you register the license. You can get both by SSHing into the NAC and running the following commands:

sysinfo -v | grep -i UU (this returns the UUID)

and to get the MAC address, run: ifconfig eth0

Copy those two values into the license registration form, and you can then retrieve the license key.

FortiAuthenticator: Troubleshooting with tcpdump

I had a strange issue the other day with a FAC (FortiAuthenticator): it would not send users the emails containing their assigned tokens, but it sent every other email just fine. I wanted to capture all outgoing traffic to see whether the SMTP messages were really being sent.

FortiAuthenticator has tcpdump built in, and it is very easy to run.

First SSH into the FAC; from there you have several execute options. The tcpdump-related ones are shown below:

exe tcpdump?
tcpdump Examine local network traffic.
tcpdumpfile Same as tcpdump, but write output to a file downloadable via GUI.
exe tcpdump

If you run 'exe tcpdump' it prints all the traffic to the screen, but if you run 'exe tcpdumpfile' it writes the output to a .pcap file that is downloadable from the GUI. That gives you the option to open it in Wireshark and analyze it.

[Screenshot: nac-1]

To download the .pcap, open your FortiAuthenticator web UI and append /debug to the address, for example https://10.110.2.60/debug. From there you are prompted for what you want to debug, and at the bottom is the "CLI Packet Capture" option, which lets you download the pcap.

[Screenshot: nac-2]
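Once the .pcap is downloaded, the question from the start of this entry is simply "did the FAC ever open an SMTP session?". The following script is an added example (not FortiAuthenticator code and not from the original post) that answers it without Wireshark: it parses a classic libpcap file with only the Python standard library and lists every TCP segment carrying payload toward an SMTP port. The capture it runs on is constructed inline (the FAC at 10.110.2.60 from the post, a mail relay at 10.110.2.25 and an HTTPS host at 10.110.2.80 that are assumptions); it assumes the file uses the classic pcap format with an Ethernet link type, which is what tcpdump writes by default.

```python
import struct

# Ports the FortiAuthenticator would use for outbound mail (submission included).
SMTP_PORTS = {25, 465, 587}


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame; checksums stay zero because the parser ignores them."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"            # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 20 + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(packets):
    """Write a classic libpcap file (little-endian magic, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, frame in packets:
        out += struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield (timestamp, frame) from a classic pcap; both byte orders are handled."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len


def smtp_records(pcap):
    """One record per TCP segment that carries payload toward an SMTP port."""
    records = []
    for ts_sec, frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                    # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                                    # not TCP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if dport in SMTP_PORTS and payload:
            first_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            records.append({"ts": ts_sec, "src": src, "dst": dst,
                            "dport": dport, "line": first_line})
    return records


def mail_was_sent(pcap):
    """True if the capture holds any SMTP client traffic at all: the question this entry asks."""
    return bool(smtp_records(pcap))


# Constructed capture (not a real FAC capture): two SMTP segments to the relay plus one
# HTTPS segment that must be ignored by the filter.
FAC, RELAY = "10.110.2.60", "10.110.2.25"
SAMPLE_PCAP = build_pcap([
    (1595000000, build_tcp_frame(FAC, RELAY, 40001, 25, b"EHLO fac.example.com\r\n")),
    (1595000000, build_tcp_frame(FAC, "10.110.2.80", 40002, 443, b"\x16\x03\x01")),
    (1595000001, build_tcp_frame(FAC, RELAY, 40001, 25, b"MAIL FROM:<noreply@example.com>\r\n")),
])

if __name__ == "__main__":
    for rec in smtp_records(SAMPLE_PCAP):
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']} {rec['line']}")
```

Against a downloaded capture, call smtp_records(open("capture.pcap", "rb").read()): an empty list means the FAC never even started an SMTP session for those messages, which points at the FAC side rather than at the mail relay; a list of EHLO/MAIL FROM lines with no reply traffic in Wireshark points the other way.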

That's it! Thank you, Fortinet.


How to find an NPS client RADIUS shared secret key

Over time we forget things, especially RADIUS shared secrets. This is pretty common, and I run into it a lot. For example, let's say you set up NPS (Network Policy Server) and a wireless controller for 802.1X auth, or an ASA doing RADIUS authentication, years ago. Somehow or other that key was lost. No worries, you can get it back from the NPS server itself.

In just a few simple steps you can get that key back. Let's start by opening NPS, selecting "RADIUS Clients and Servers" and expanding "RADIUS Clients".

[Screenshot: NPS-1]

In this example I am using a Ruckus SmartZone; let's say I have forgotten its shared secret. I can just right-click the client and select "Save and apply as Template".

[Screenshot: NPS-2]

Next, create a new RADIUS client by right-clicking "RADIUS Clients". When the client form pops up, choose to create it from a template and select the template we just made.

[Screenshot: NPS-3]

[Screenshot: NPS-4]

To see the masked (***) password, uncheck the "Select an existing template" box and then select the "Generate" radio button. Bam! There is the PSK.

[Screenshot: NPS-5]

FortiGate: Creating a static route in FortiOS 6.2

This entry details how to create a static route in both the GUI and the CLI of the FortiGate firewall. Specifically I am using FortiOS 6.2.4, but it has been pretty much the same for years.

Let's start by going through what is needed to create the static route.

Subnet – the destination we want to route to. For a default route this is 0.0.0.0/0; in this example we want a more specific route, to 192.168.100.0/24.

Destination Interface – the interface we want to send the traffic out of toward the next hop.

Gateway address – the directly connected neighbor on that interface that we want to be the next hop for 192.168.100.0/24.

Administrative Distance – used by routers to select the best path when multiple paths to the same destination are present. The lowest AD wins and is the route placed in the routing table.

Priority (under Advanced Options) – building on the AD definition: what if two routes to the same destination exist in the routing table with the same AD? This is where Priority comes in. The lowest priority value wins. By setting a priority you can keep multiple routes to the same destination in the routing table, with one preferred over the other. This comes in very handy for Reverse Path Forwarding issues.

With all that said, we need to route 192.168.100.0/24 out our LAN interface with a next hop of 192.168.1.2.

First let's create this in the GUI. Navigate to Network – Static Routes and create a new one.

[Screenshot: Create-new]

Now we just fill in the needed info. I am leaving the AD at 10, which is the default for static routes.

[Screenshot: Route-Create]

Press OK, and bam! Route created. We can check that the route exists and is in the routing table by going to Monitor – Routing Monitor.

[Screenshot: filter]

Next, let's do the same thing in the CLI.

First, route creation. When you create the route, edit the next available sequence number; in this case it is 46.

[Screenshot: CLI-creation]

You can check whether your route is in the routing table from the CLI by running "get router info routing-table all", but in this case I am using the static option and grepping for just what I need to see.

[Screenshot: grep]
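To tie the CLI step and the AD/priority definitions together, here is an added example (my own code, not from the post and not FortiOS code) that models a few static routes, renders them as the "config router static" lines you would type on FortiOS 6.2, and then applies the two selection rules described above: only the lowest-AD routes for a destination are installed, and among installed routes the longest prefix and then the lowest priority value wins. Sequence 46 via 192.168.1.2 on the LAN interface is the post's route; the other sequence numbers, gateways, the interface names "lan" and "wan1", and the default-route gateway are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    seq: int            # sequence number used in "edit <seq>" (46 in the post)
    dst: str            # destination in CIDR form
    gateway: str        # next-hop address on the directly connected segment
    device: str         # outgoing interface name
    distance: int = 10  # administrative distance; 10 is the FortiOS default for static routes
    priority: int = 0   # lower value is preferred among routes with equal distance

    def to_cli(self):
        """Render this route as the lines typed under 'config router static' on FortiOS 6.2."""
        net = ipaddress.ip_network(self.dst)
        return [
            f"    edit {self.seq}",
            f"        set dst {net.network_address} {net.netmask}",
            f"        set gateway {self.gateway}",
            f'        set device "{self.device}"',
            f"        set distance {self.distance}",
            f"        set priority {self.priority}",
            "    next",
        ]


def render_static_routes(routes):
    """Full CLI block for a list of routes."""
    return "\n".join(["config router static", *sum((r.to_cli() for r in routes), []), "end"])


def routing_table(routes):
    """Keep, per destination, only the routes with the lowest AD; those are the ones installed."""
    by_dst = {}
    for r in routes:
        by_dst.setdefault(r.dst, []).append(r)
    table = []
    for cands in by_dst.values():
        best = min(r.distance for r in cands)
        table.extend(r for r in cands if r.distance == best)
    return table


def lookup(table, ip):
    """Forwarding decision: longest prefix first, then lowest priority among installed routes.
    Routes that also tie on priority are ECMP on FortiOS; min() just returns the first one here."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in table if addr in ipaddress.ip_network(r.dst)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.dst).prefixlen, r.priority))


# Constructed route set: seq 46 is the post's route; 47 is a same-AD backup that loses on
# priority, 48 is a higher-AD route that never reaches the table, and 1 is a default route.
ROUTES = [
    StaticRoute(46, "192.168.100.0/24", "192.168.1.2", "lan"),
    StaticRoute(47, "192.168.100.0/24", "192.168.1.3", "lan", priority=5),
    StaticRoute(48, "192.168.100.0/24", "10.0.0.2", "wan1", distance=20),
    StaticRoute(1, "0.0.0.0/0", "203.0.113.1", "wan1"),
]

if __name__ == "__main__":
    print(render_static_routes(ROUTES))
    for r in routing_table(ROUTES):
        print("installed:", r.seq, r.dst, "via", r.gateway, "AD", r.distance, "prio", r.priority)
    print("192.168.100.10 ->", lookup(routing_table(ROUTES), "192.168.100.10").seq)
```

Running it shows why the routing monitor lists both sequence 46 and 47 but forwards via 46, while sequence 48 does not appear at all until the AD-10 routes go away; that is exactly the distinction between AD (what gets installed) and priority (what gets used) made above.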

Finding VLAN settings on an HP ProCurve switch

Finding which VLANs are set on a switch port is needed for almost any config change on ProCurve software. This entry shows a quick way to check both the tagged and untagged VLANs on a ProCurve. I believe this works on all ProCurve models, but I am testing on a J9773A 2530 switch. It is a simple entry, but it might help someone out.

To show the VLANs associated with a port, use "show vlan ports X"; to see more, including whether each VLAN is tagged or untagged, append "detail" to the command. For example, to get the info for port 1:

show vlan ports 1

[Screenshot: show-vlan]

And more info:

show vlan ports 1 detail

[Screenshot: show-vlan-detail]
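When the same check has to be repeated across many ports before a change, it helps to parse the "show vlan ports X detail" table rather than read it by eye. The script below is an added example (my own code, not from the post and not HP/Aruba code) that parses that table into tagged and untagged VLAN lists and compares them against what a change plan expects. The sample output is constructed and modelled on the ProCurve table layout (VLAN ID and Name, then a "|" separator, then Status, Voice, Jumbo and Mode); it is not output captured from the J9773A in the post, so the parser keys on the "|" separator and a numeric VLAN ID rather than on fixed column positions.

```python
# Constructed sample of "show vlan ports 1 detail" output, modelled on the ProCurve
# table layout; not real output from the switch in the post.
SAMPLE_DETAIL = """
 Status and Counters - VLAN Information - for ports 1

  VLAN ID Name                             | Status     Voice Jumbo Mode
  ------- -------------------------------- + ---------- ----- ----- --------
  1       DEFAULT_VLAN                     | Port-based No    No    Untagged
  10      Servers                          | Port-based No    No    Tagged
  20      Voice                            | Port-based Yes   No    Tagged
"""


def parse_vlan_detail(text):
    """Parse the per-port table into {vlan_id: fields}. Data rows are recognised by the
    '|' separator plus a numeric VLAN ID, so the title, header and rule lines are skipped."""
    vlans = {}
    for line in text.splitlines():
        if "|" not in line:
            continue
        left, right = line.split("|", 1)
        parts = left.split(None, 1)
        if not parts or not parts[0].isdigit():
            continue
        fields = right.split()
        if len(fields) < 4:
            continue                      # malformed row; ignore rather than guess
        vlans[int(parts[0])] = {
            "name": parts[1].strip() if len(parts) > 1 else "",
            "status": fields[0],
            "voice": fields[1] == "Yes",
            "jumbo": fields[2] == "Yes",
            "mode": fields[3],
        }
    return vlans


def port_membership(text):
    """The two lists you usually need before a config change: untagged and tagged VLAN IDs."""
    vlans = parse_vlan_detail(text)
    return {
        "untagged": sorted(v for v, d in vlans.items() if d["mode"].lower() == "untagged"),
        "tagged": sorted(v for v, d in vlans.items() if d["mode"].lower() == "tagged"),
    }


def check_port(text, expect_untagged=None, expect_tagged=()):
    """Compare actual membership with the change plan; returns a list of human-readable findings
    (empty list means the port already matches)."""
    m = port_membership(text)
    findings = []
    if len(m["untagged"]) > 1:
        findings.append(f"more than one untagged VLAN reported: {m['untagged']}")
    if expect_untagged is not None and m["untagged"] != [expect_untagged]:
        findings.append(f"untagged VLAN is {m['untagged']}, expected [{expect_untagged}]")
    missing = sorted(set(expect_tagged) - set(m["tagged"]))
    extra = sorted(set(m["tagged"]) - set(expect_tagged))
    if missing:
        findings.append(f"tagged VLANs missing: {missing}")
    if extra:
        findings.append(f"tagged VLANs not in plan: {extra}")
    return findings


if __name__ == "__main__":
    print(port_membership(SAMPLE_DETAIL))
    print(check_port(SAMPLE_DETAIL, expect_untagged=1, expect_tagged=(10, 30)))
```

Feed it the text you copied from the terminal (or collected over SSH) for each port; any non-empty findings list is a port to look at before the change goes in, and the "more than one untagged VLAN" finding catches output that was pasted from two ports by mistake.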