When Brocade purchased Vyatta I was nervous, but they have done a really good job with it. They keep it updated, and now have added a lot of functionality and increased services with the 6400 version. Both the 5600 (pretty much old vyatta) and the newer 6400 Vyatta IOS are for free from Brocade fro 60 days.
This blog entry is just showing some very simple things such as adding a IP address to an interface and enabling the HTTPS and SSH service. In another entry i will show how to use other user authentication methods for user logins. Although all of these commands are very easy, this post could help someone who might be in a bind.
Configure an IP address.
The Vrouter CLI has always been intuitive for me. Each config option is really an objects configuration. You can delete the config altogether or just an individual config setting of the object. To set the IP address first you have to go into configure mode.
configure
set int ethernet eth0 address 192.168.252.1/24
commit — remember nothing is set, until this is entered.
The image below shows these commands in the actual CLI.
We can also save the config in config mode by issuing the command “save”.
That’s, it we have now set an IP address.So on to enabling SSH and HTTPS access.
HTTPS
To enable HTTPS we need to issue the command (from config mode)
set service https
commit
As you can see from the image below, after those commands are entered the Vyatta generates a certificate, and restarts its web server.
SSH
Enabling SSH is as easy as the other commands.
From config mode
set service ssh enable
commit
You also have options to allow root login, set the listen address, and change the port.
*Note – Most of these issues have been fixed in 5.2. By default now, if you select https inspection – Certificate inspection you will just get a blank page when you go to a https that is not allowed.
The Fortigate Web filter is amazing! I think it stands up to the best web filters out there.
But, like all webfilters SSL can be a bit tricky. Fortigate offers its own SSL Certifcate “Fortigate-CA-Proxy” to the client when it does a few things:
1. Deep packet inspection (imagine a man in the middle attack). This way the Fortigate sees all traffic that comes in the session even if it was encrypted.
2. When it sends its replacement message (Blocked) to the client.
Some problems come up with this. The cert has to be trusted by clients, this can be easily done if you have a internal CA, or you could create a Windows group policy to push the certificate into their trusted store. I know you might ask, what if I get a signed cert for this? The certificate is a CA-True certificate. That basically means you would have to get a certificate from a trusted publisher that says you are a public CA. I would say most CA’s would not give us one. But what if you want SSL inspection for Guest clients but don’t want them to see the cert error? The answer lies below friends. Something to remember is you have to have SSL inspection enabled on the firewall policy to get HTTPS inspection to work.
To have the Fortigate block the website without giving an error there are a few things that need to be done:
1. Select the webfilter to use https-url-scan to only look at the URL, not to use deep scanning
2. set the Fortigate to not respond with a replacement message. Remember it responds with a HTTPS blocked page – so therefore you see the HTTPS cert.
As of Patch 7 this is a CLI command.
To enable HTTPS-url-scan which looks that the URL not the traffic going through:
config webfilter profile
edit default (or your profile name)
set options https-url-scan
end
To disable the HTTPS replacement message:
config webfilter profile
edit default (or your profile name)
set https-replacemsg disable
end
To give an example:
Lets say I block the category “social networking” and go to http://facebook.com it will be blocked. If I go to https://facebook.com it will show a blank screen – no error message, but will not work. Before enabling these commands I would see the error message, then after accepting the cert I would see the block page.
Note* there might be a way to have the replacement message be http, instead of https. I am looking into this.
Recent Comments