Cisco ASA 8.2 and Below – Static Nat

The other day I had to configure a static NAT entry on an 8.2 ASA. It had been a while since I had done this, since almost everything I work with is 8.3 and above. I thought I would make an entry for myself, and maybe help someone along the way.

Example – I have public IP 1.1.1.10 and I need to forward port 443 in to my internal server, 192.168.1.10. I have an access-list Outside-IN applied to my outside interface. Note: if 1.1.1.10 is my outside interface IP (let's say I have only one public IP), then we would use the interface keyword instead.

ASA config –

config t

static (inside,outside) tcp 1.1.1.10 443 192.168.1.10 443

access-list Outside-IN permit tcp any host 1.1.1.10 eq 443

or

static (inside,outside) tcp interface 443 192.168.1.10 443

access-list Outside-IN permit tcp any host 1.1.1.10 eq 443

That’s it!

Compared to 8.3 and above –

object network 192.168.1.10

host 192.168.1.10

nat (inside,outside) static interface service tcp 443 443

access-list Outside-IN permit tcp any host 192.168.1.10 eq 443

Notice that in 8.3 and above the access-list references the internal (real) IP, not the public one.

Fortigate Explicit proxy PAC file

The PAC file can be used with the explicit proxy of the Fortigate. The PAC file uses JavaScript to control how the explicit proxy is used, for example to bypass the proxy for certain websites/networks, or to return different proxies. By returning different proxies you could theoretically load balance requests. I am using this PAC file at a school where we proxy all student iPad traffic back to the Fortigate for web filtering/logging.

The PAC entry point is the function FindProxyForURL(url, host). There are a number of helper functions available; a few are:

dnsDomainIs() – Returns the domain name of the requested server

isInNet() – This function will return true if the host is in the subnet you are specifying. For example:

if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";

This would not proxy traffic for anything on the 192.168.0.0/16 subnet.

shExpMatch() – This will evaluate the shell-style expression you enter and compare it with the request. So for example:

if (shExpMatch(host, "*.google.com")) {return "DIRECT";}

This would not proxy traffic going to google.com.

There are about 10 functions, including days of the week, time ranges, etc. A quick Google search will show them all, but here is a link from our friends at Websense: http://www.websense.com/content/support/library/web/v76/pac_file_best_practices/PAC_best_pract.aspx

Below is an example of a PAC file used with the Fortigate explicit proxy that bypasses the proxy (returns DIRECT) for a number of websites and local subnets, and otherwise returns the proxy.

—————

function FindProxyForURL(url, host) {

    // Bypass the proxy for these CDN and vendor domains
    if (shExpMatch(host, "*.akadns.net")) {return "DIRECT";}
    if (shExpMatch(host, "*.akamai.net")) {return "DIRECT";}
    if (shExpMatch(host, "*.akamaiedge.net")) {return "DIRECT";}
    if (shExpMatch(host, "*.akamaihd.net")) {return "DIRECT";}
    if (shExpMatch(host, "*.amazon.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.amazonaws.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.apple.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.dropbox.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.edim.co")) {return "DIRECT";}
    if (shExpMatch(host, "*.edmodo.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.icloud.com")) {return "DIRECT";}
    if (shExpMatch(host, "*.ket.org")) {return "DIRECT";}

    // Bypass the proxy if the server is in my local subnet
    if (isInNet(dnsResolve(host), "10.11.0.0", "255.255.0.0")) {
        return "DIRECT";
    }
    // ... or in this subnet
    if (isInNet(dnsResolve(host), "10.44.0.0", "255.255.0.0")) {
        return "DIRECT";
    }

    // Everything else goes to the proxy; example2 is tried if example is unreachable
    return "PROXY example:8888; PROXY example2:8888";
}
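To see how these helpers actually decide, below is an added example in JavaScript; it is not part of the original post or of Fortinet's code. It re-implements shExpMatch, isInNet and dnsDomainIs the way browsers define them, uses a constructed hostname table (FAKE_DNS) in place of the browser's dnsResolve, and runs a trimmed copy of the FindProxyForURL logic above against a few hosts under Node.js. The bypass patterns, subnets and proxy string come from the PAC file above; the host names and addresses are made up. Two things it makes visible: "*.apple.com" does not match the bare apple.com, and an unresolvable name makes dnsResolve return null, which this isInNet treats as "not in net" rather than throwing.

```javascript
// Added example, not code from the original post: a small re-implementation of the
// PAC helper functions so the FindProxyForURL logic can be exercised in Node.js.
// Browsers supply these helpers natively; FAKE_DNS is a constructed stand-in for
// the browser's dnsResolve().

// Constructed hostname -> IPv4 table (not real records).
const FAKE_DNS = {
  "fileserver.school.local": "10.11.5.20",
  "printer.branch.local": "10.44.0.9",
  "www.example.org": "203.0.113.10",
};

// Browsers return null when the name does not resolve.
function dnsResolve(host) {
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}

// shExpMatch: shell-style glob; '*' matches any run of characters, '?' one character.
// The pattern is anchored at both ends, so "*.google.com" cannot match "www.google.com.evil.test".
function shExpMatch(str, pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&"); // keep * and ? as wildcards
  const source = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(source).test(str);
}

// Dotted-quad to unsigned 32-bit integer; null for anything malformed.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// isInNet: true when ip falls inside network/mask. A null or malformed ip (for
// example the result of a failed dnsResolve) is treated as "not in net" instead of throwing.
function isInNet(ip, network, mask) {
  if (typeof ip !== "string") return false;
  const a = ipToInt(ip), n = ipToInt(network), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}

// dnsDomainIs: true when host ends with the given domain (case-insensitive suffix match).
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}

// Trimmed version of the PAC logic above: a few bypass patterns plus the two local /16s,
// everything else to the proxy pair.
const DIRECT_PATTERNS = ["*.akadns.net", "*.akamai.net", "*.apple.com", "*.icloud.com"];
const LOCAL_NETS = [["10.11.0.0", "255.255.0.0"], ["10.44.0.0", "255.255.0.0"]];
const PROXY = "PROXY example:8888; PROXY example2:8888";

function FindProxyForURL(url, host) {
  for (const pattern of DIRECT_PATTERNS) {
    if (shExpMatch(host, pattern)) return "DIRECT";
  }
  const ip = dnsResolve(host); // resolve once, not once per subnet check
  for (const [net, mask] of LOCAL_NETS) {
    if (isInNet(ip, net, mask)) return "DIRECT";
  }
  return PROXY;
}

// Evaluate a batch of hosts and return {host: decision} for inspection.
function evaluate(hosts) {
  const out = {};
  for (const h of hosts) out[h] = FindProxyForURL("http://" + h + "/", h);
  return out;
}

console.log(evaluate(["www.apple.com", "apple.com", "fileserver.school.local",
                      "www.example.org", "does-not-resolve.invalid"]));
```

Run it with node. In a real deployment the browser performs dnsResolve for you; resolving once and reusing the result, as done here, avoids the separate lookup that each isInNet(dnsResolve(host), ...) line in the PAC file above triggers.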

Password protect Forticlient registration

The other day I needed to lock down who can connect to our Fortigate to register a FortiClient. This was very important due to the fact that we were pushing VPN policies to our clients.

You can configure a password for client registration by going to System – Config – Advanced; it is right there.


To register the client, open FortiClient and at the top right you will find the option to register; it will then prompt you for that password before you can register.


Cisco Switch – Set interface back to defaults with one command

As easy as it is, I always forget this command.

The following command will set an interface back to its defaults. Let's say I have about 10 commands on the interface specifying voice, access, trunk, spanning tree, etc., and I want to quickly throw that port back to default. I can issue this command:

config t
default interface gig 1/0/1

And it's back to default, with no configuration!

This command was introduced in IOS 11.1, so it should be in about every switch out there now.

Fortinet AS Path filtering with Regular Expressions

Recently I had a project where one Fortigate had two MPLS networks connected for redundant connections. These two MPLS networks were from different providers. I had a problem where networks from other peers were transiting through my device to be advertised out to these links. I did not want this to happen. There are many ways to do this exact thing, but what I did was use an AS path filter with regular expressions to find anything passing through my remote peers and block it from going out on the opposite peer. The image below will sum up what I just wrote a little better:

[Image: Path-filtering]

So as with almost all BGP commands on Fortinet, they have to be done through the CLI. The following are the commands needed to create the AS-path list, create the route map, then apply the route map to our neighbor. We are using regular expressions to match our AS path. You might say, what the heck is a regular expression? Here is a link that explains how to put an expression together: http://blog.ine.com/2008/01/06/understanding-bgp-regular-expressions/ . If you notice what I am doing with "_65000_", this basically says that if 65000 is anywhere in the AS path, block it. The _ matches a space (or the start or end of the path), so my expression reads: anything before 65000 or after 65000 gets blocked. For example, if you wanted to block routes that originate from 65000 you could do "_65000" or "_65000$". The dollar sign means that is the end of the string, so nothing else comes beyond that.
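Before applying the filter, it helps to test the expressions against the AS paths you expect to see. Here is an added JavaScript example (not from the original post, and not how FortiOS evaluates them internally) that expands the vendor-style "_" into the delimiter alternation it stands for, checks "_65000_" and "_65000$" against a handful of constructed AS_PATH strings, and applies a deny list the way the aspath-list and route-map below do. The prefixes and AS paths are made up; only 65000 and 65400 come from the post.

```javascript
// Added example, not code from the original post: evaluates IOS/FortiOS-style
// AS-path regular expressions against constructed AS_PATH strings so the effect
// of "_65000_" versus "_65000$" can be seen before the filter is applied.

// In vendor AS-path regexes '_' matches any delimiter: a space, comma, brace,
// parenthesis, or the start or end of the path string. JavaScript has no such
// token, so it is expanded into this alternation.
const DELIM = "(?:^|$|[ ,{}()])";

function vendorAsPathRegex(expr) {
  // A replacer function is used so the '$' inside DELIM is inserted literally.
  return new RegExp(expr.replace(/_/g, () => DELIM));
}

function pathMatches(expr, asPath) {
  return vendorAsPathRegex(expr).test(asPath);
}

// Apply a list of deny expressions the way the aspath-list below does: a route
// whose AS_PATH matches any deny expression is dropped, everything else passes
// (the route-map's empty rule 11 in the post).
function filterRoutes(denyExprs, routes) {
  return routes.filter((r) => !denyExprs.some((e) => pathMatches(e, r.asPath)));
}

// Constructed routes as seen by a FortiGate peering with AS 65000 and AS 65400.
// AS_PATH reads left to right: first AS is the neighbour, last AS is the origin.
const SAMPLE_ROUTES = [
  { prefix: "10.1.0.0/16", asPath: "65000 64600" },  // learned via 65000, originated in 64600
  { prefix: "10.2.0.0/16", asPath: "65400 64700" },  // learned via 65400
  { prefix: "10.3.0.0/16", asPath: "65400 65000" },  // learned via 65400 but originated in 65000
  { prefix: "10.4.0.0/16", asPath: "650001" },       // a different AS whose number merely starts with 65000
  { prefix: "192.0.2.0/24", asPath: "" },            // locally originated: empty AS_PATH
];

// What route-map Block-L3 (deny _65000_) would still advertise to the 65400 peer.
function advertisedTo65400() {
  return filterRoutes(["_65000_"], SAMPLE_ROUTES).map((r) => r.prefix);
}

// Which sample routes each expression would block.
function blockedBy(expr) {
  return SAMPLE_ROUTES.filter((r) => pathMatches(expr, r.asPath)).map((r) => r.prefix);
}

console.log("_65000_ blocks:", blockedBy("_65000_"));   // transit through 65000 anywhere
console.log("_65000$ blocks:", blockedBy("_65000$"));   // only routes that originate in 65000
console.log("^65000_ blocks:", blockedBy("^65000_"));   // only routes learned directly from 65000
console.log("advertised to 65400:", advertisedTo65400());
```

The "650001" entry is the reason the delimiters matter: a bare "65000" would match it, while "_65000_" correctly leaves it alone.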

config router aspath-list
    edit Match-L3
        config rule
            edit 10
                set action deny
                set regexp _65000_
            next
        end
    next
    edit Match-WS
        config rule
            edit 10
                set action deny
                set regexp _65400_
            next
        end
    next
end

config router route-map
    edit Block-WS
        config rule
            edit 10
                set match-as-path Match-WS
            next
            edit 11
            next
        end
    next
    edit Block-L3
        config rule
            edit 10
                set match-as-path Match-L3
            next
            edit 11
            next
        end
    next
end

Note: there is an implicit deny at the end of a route map, so rule 11, with no match criteria, is there to permit anything else.

config router bgp
    config neighbor
        edit "2.2.2.1"
            set capability-default-originate enable
            set remote-as 65400
            set route-map-out "Block-L3"
            set send-community6 disable
        next
        edit "1.1.1.1"
            set remote-as 65000
            set route-map-out "Block-WS"
            set send-community6 disable
        next
    end
end

Now we have to flush those routes; we can do this with the commands:

exe router clear bgp ip 1.1.1.1 soft out
exe router clear bgp ip 2.2.2.1 soft out

After you clear you should see a good drop in routes being advertised to those neighbors.

get router info bgp neighbors 1.1.1.1 advertised-routes

Cisco IP-SLA to track interface state

Sometimes it is necessary to track an interface state to bring down a certain route.

In my case I have a Multihomed scenario, and two routers. In this case the upstream routers do not know about each other, the downstream routers make the routing decisions for the network.

I have a static route configured pointing to the ISP, and I am redistributing that static route to my clients through OSPF. If the line protocol goes down on the interface, the tracked object goes down and the router removes the static route from its routing table. You can also track by pinging an IP address, UDP jitter, interface state, etc. – many ways.

Commands:

config t
track 100 interface GigabitEthernet0/2 line-protocol
ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 100

exit

You can use commands like:
show track
show track int
show track bri

Cisco Preshared Key recovery options

The other day I had to copy the config of an ASA and a PIX to other devices. They both had VPNs to different sites and I had to have those keys, as no one had documented them.

A few different ways to get those keys are:

ASA

Option 1: Log in using ASDM and make a full backup including preshared keys

Option 2: Run the CLI command:

more system:running-config

Option 3: Copy running config to a TFTP/FTP server

PIX

The above options exist for the PIX as well. I have read that the more command will work, but it did not for me. Then I found this option to get the keys on the PIX:

Enable the HTTP server, create a username and go to https://pix-ip/config; the key is then shown in clear text.

Commands to do that:

config t

http server enable

http 0.0.0.0 0.0.0.0 inside

username admin password password

Then go to the web interface. Note that "http 0.0.0.0 0.0.0.0 inside" permits management access from every inside address; restrict it to your management host, and turn the HTTP server back off once the keys have been recorded.

Fortigate option to bypass hardware comparison for HA

Today I had an issue while configuring two 60Cs in an HA configuration. This usually takes about 2 minutes and is extremely easy, unless your hardware doesn't match. HA requires that the hardware matches on the two units. When these were purchased the hardware did match, but at some time in the past one was RMAed and we received one with a hard drive. This broke the HA capability.

The error I kept seeing was about the hardware not being the same: "slave and master have different hdisk status. Cannot work with HA master. Shutdown the box! The system is halted."

This command can get you past that:

exec ha ignore-hardware-revision enable

This will allow the HA cluster to ignore the hardware revision of the FortiGates and come up.

There are a lot more things that will cause problems, for example if your drives have been formatted with a previous version of FortiOS. You might need to run:

exe formatlogdisk

Fortigate and VRRP

Fortigate supports many HA options. They have a great active/passive HA option, as well as active/active. VRRP is another supported option. VRRP (Virtual Router Redundancy Protocol) is an open-standard protocol that helps eliminate a single point of failure in a network by allowing another device to take over routing automatically.

Basically one router is the master (active) and the other is a backup (passive). The selection of which device is active or passive is based on the priority of each device; the highest priority (1-255) is the most preferable. A priority of 100 is the default, and 255 the best. There is a heartbeat, which is just a multicast packet, that goes across a link both devices share (a normal LAN link is fine). If for some reason that heartbeat is lost, then the backup router will take over as the master.

VRRP is a great way to make sure that if one router fails the passive router will become active and take over routing for the network. VRRP creates a virtual MAC address that is shared between the two devices; the active device answers for the virtual MAC and takes control of the virtual IP that is also shared between the two.

You can use VRRP to load balance traffic as well. Load balancing is achieved by using two different VRRP groups and alternating which router is primary for which group. The image below should help clarify what I mean.

[Image: VRRP load balancing with two groups]

You can use those two VRRP groups as primary and secondary default gateways in different VLANs. So in this case you could have VLAN 10's default gateway on Fortigate A and VLAN 20's on Fortigate B, therefore having fail-over for both but splitting up the load. This might be a great thing to do if you have an HA cluster of 60Cs and they just can't handle the full traffic load in an HA scenario. Remember, each config is different on these firewalls; there is no config sync. There is an option to sync sessions between the firewalls, so that if one firewall were to fail, things would pick right back up without having to re-establish the sessions.

Things to note in this config: there is already an IP address assigned to each VLAN interface for management, for when the VRRP address is not active on that unit. I am also using the preempt option to make sure the configured active unit is always active if it is online. The physical interfaces the VLANs are configured on are trunks, on both links going to Fort-A and Fort-B.

Config time:

The config for VRRP is interface based, and CLI only.

Fortigate A:

config system interface
    edit vlan-10
        config vrrp
            edit 10
                set vrip 10.10.10.1
                set priority 255
                set status enable
                set preempt enable
            next
        end
        set vrrp-virtual-mac enable
    next
    edit Vlan-20
        config vrrp
            edit 20
                set vrip 10.10.20.1
                set priority 100
                set status enable
            next
        end
        set vrrp-virtual-mac enable
    next
end

Fortigate B:

config system interface
    edit vlan-10
        config vrrp
            edit 10
                set vrip 10.10.10.1
                set priority 100
                set status enable
            next
        end
        set vrrp-virtual-mac enable
    next
    edit Vlan-20
        config vrrp
            edit 20
                set vrip 10.10.20.1
                set priority 255
                set status enable
                set preempt enable
            next
        end
        set vrrp-virtual-mac enable
    next
end

This config will do exactly what we want: create a virtual IP that is shared, and make sure the configured active (higher priority) unit takes back over the active role if it goes offline and comes back online (preempt).

Using Logrotate in Vyatta to manage logs

Logrotate is a tool built into Debian, which is really what Vyatta is built on. Logrotate allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large. Recently I had an issue where all the space on my Vyatta was filled up; after some investigation it was the auth.log that had reached a couple hundred MB. After clearing it I was fine. After more investigation I found that auth.log was never in the logrotate config.

Below is an example. In this example, if the log file grows above 50M it is rotated (the current file is moved aside and a fresh auth.log created), the rotated copy is compressed, and logging continues in the new auth.log. After another 50M it rotates again. So at most I would have 100M of auth.log.

/var/log/auth.log {
    size 50M
    rotate 2
    create
    compress
}

I would just edit the /etc/logrotate.conf file and add this in.