Fortinet – Static routes with Firewall objects

I like the idea of configuring static routing over firewall objects. This avoids the static route limit on a FortiGate firewall.

    config firewall address
        edit "N.203.0.113.0--24"
            set allow-routing enable
            set subnet 203.0.113.0 255.255.255.0
        next
    end
    config firewall addrgrp
        edit "R.Networks"
            set allow-routing enable
            set member "N.203.0.113.0--24"
        next
    end
    config router static
        edit 0
            set gateway …
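The pattern above scales badly when typed by hand for dozens of networks, and a mistyped prefix (host bits set, an object without allow-routing) only shows up when the route refuses to install. The following is an added example, not code from the original post: a small Python generator that emits the three blocks in the excerpt's layout and naming convention (N.<network>--<prefixlen> for the address objects, a single addrgrp, one static route pointing at the group). It validates each prefix strictly and collapses adjacent or overlapping prefixes so the group stays small. The group name, gateway, device name and the `set dstaddr` keyword for the route destination are assumptions for illustration, not values from the post.

```python
"""Generate FortiGate CLI that routes via firewall address objects.

Added example, not code from the original post.  It reproduces the
layout shown in the excerpt: one "firewall address" object per network
(named N.<network>--<prefixlen>, since object names cannot contain "/"),
one "firewall addrgrp" collecting them, and one static route whose
destination is the group.  Group name, gateway, device and the
"set dstaddr" keyword are assumptions for illustration.
"""
import ipaddress


def address_name(net: ipaddress.IPv4Network) -> str:
    """Object name in the post's convention: 203.0.113.0/24 -> N.203.0.113.0--24."""
    return f"N.{net.network_address}--{net.prefixlen}"


def parse_networks(subnets):
    """Parse CIDR strings strictly (host bits set is an error, e.g. 203.0.113.5/24)
    and collapse adjacent/overlapping prefixes so the group stays small."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    for n in nets:
        if n.version != 4:
            raise ValueError(f"{n}: only IPv4 is handled here ('set subnet' takes a dotted mask)")
    return list(ipaddress.collapse_addresses(nets))


def render_addresses(nets):
    lines = ["config firewall address"]
    for net in nets:
        lines += [
            f'    edit "{address_name(net)}"',
            # Without allow-routing the object cannot be used as a route destination
            "        set allow-routing enable",
            f"        set subnet {net.network_address} {net.netmask}",
            "    next",
        ]
    lines.append("end")
    return lines


def render_group(group, nets):
    members = " ".join(f'"{address_name(n)}"' for n in nets)
    return [
        "config firewall addrgrp",
        f'    edit "{group}"',
        "        set allow-routing enable",  # the group itself must be routable too
        f"        set member {members}",
        "    next",
        "end",
    ]


def render_static_route(group, gateway, device, seq=0):
    gw = ipaddress.IPv4Address(gateway)  # fail early on a mistyped next hop
    return [
        "config router static",
        f"    edit {seq}",  # 0 = let FortiOS pick the next free sequence number
        f"        set gateway {gw}",
        f'        set device "{device}"',
        f'        set dstaddr "{group}"',  # assumption: named-address destination keyword
        "    next",
        "end",
    ]


def generate(subnets, group="R.Networks", gateway="192.0.2.1", device="port1"):
    """Return the complete CLI snippet as one string."""
    nets = parse_networks(subnets)
    if not nets:
        raise ValueError("no networks given")
    return "\n".join(
        render_addresses(nets) + render_group(group, nets)
        + render_static_route(group, gateway, device)
    ) + "\n"


if __name__ == "__main__":
    # Constructed sample input: the post's network plus two adjacent /24s
    # that collapse into a single 10.0.0.0/23 object.
    print(generate(["203.0.113.0/24", "10.0.0.0/24", "10.0.1.0/24"]))
```

Feed the output to the CLI (or paste it into a script) and check the route afterwards with `get router info routing-table static`; if an address object lacks allow-routing, FortiOS rejects the dstaddr reference, so the generator always sets it on both the objects and the group.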

FortiGate – High CPU and Memory load

Recently, we encountered significant CPU and memory utilization spikes on one of our Fortigate Firewalls. Despite consistently handling around 1.5 million sessions for several months without any problems, the situation took a turn for the worse. The firewall became unresponsive through the Command Line Interface (CLI), and at that time, we hadn't configured a dedicated …

Tcpdump examples

Basic Packet Capture

    tcpdump -i eth0

This captures and displays packets on interface eth0.

Capture Packets from a Specific Port

    tcpdump -i eth0 port 80

This captures packets on port 80 (HTTP traffic) on eth0.

Capture Packets with a Specific Host as Source or Destination

    tcpdump -i eth0 host 192.168.1.100

This captures packets either from …

HP Aruba – IRF

HP IRF (Intelligent Resilient Framework) is similar to Cisco VSS. Some basic information only.

Contents: Prepare the Switch; irf ports; irf port members; History; Links

Prepare the Switch

Renumber if needed:

    irf member 1 renumber 2

irf ports

Every switch has two IRF ports:

    irf-port <member>/1
    irf-port <member>/2

irf port members

    irf-port 2/1
        port group interface Ten-GigabitEthernet 2/0/21
        port group …

Linux – FirewallD and nftables

Just some notes about FirewallD and nftables.

    firewall-cmd --zone public --add-rich-rule 'rule service name="ssh" accept limit value="1/m"'
    firewall-cmd --zone=trusted --add-source=-your-own-IP-here-
    firewall-cmd --runtime-to-permanent

    vi /etc/firewalld/policies/dns.xml

    <?xml version="1.0" encoding="utf-8"?>
    <policy target="CONTINUE">
      <service name="dns"/>
      <rule>
        <service name="dns"/>
        <accept>
          <limit value="5000/m"/>
        </accept>
      </rule>
      <ingress-zone name="ANY"/>
      <egress-zone name="HOST"/>
    </policy>

    firewall-cmd --reload
    firewall-cmd --info-policy=dns
    dns (active)
      priority: -1
      target: CONTINUE
      ingress-zones: …

Fortigate DOS Protection

It is a good idea to do basic DoS protection, even internally.

Contents: Configuring DoS policy; Verification (diagnose ips anomaly list); Releasing the blocked senders (diagnose ips anomaly clear); Links

Configuring DoS policy

This will configure a basic DoS policy for all traffic with default values and block violations for 2 minutes.

    config firewall DoS-policy
        edit 1
            set name "ALL DoS-Policy"
            set …

Bind9 – Caching only DNS Server with Logging

Sometimes there is the need to have a forwarding-only name server.

Contents: named.conf; /etc/resolv.conf; Docker environments

named.conf

    controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
    };
    key "rndc-key" {
        algorithm "hmac-md5";
        secret "somesecret-for-rndc";
    };
    options {
        directory "/etc/named.d";
        listen-on { 127.0.0.1; };
        max-cache-ttl 600;
        max-ncache-ttl 300;
        forward only;
        forwarders { <IP of SERVER1>; …
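The key stanza in this excerpt uses the legacy hmac-md5 algorithm and a hand-typed secret; `rndc-confgen` in current BIND produces an hmac-sha256 key with a random 256-bit secret instead. The following is an added example, not code from the original post: a small Python script that generates a key stanza of that shape and audits the key stanzas in an existing named.conf for a legacy algorithm, a secret that is not valid base64 (the usual sign that it was typed rather than generated) and a secret that is too short. The 16-byte minimum and the finding texts are this example's own choices.

```python
"""Generate and audit rndc/TSIG key stanzas for named.conf.

Added example, not code from the original post.  generate_rndc_key()
emits the same shape of stanza that rndc-confgen produces (hmac-sha256,
random 256-bit secret, base64-encoded).  audit_keys() checks the stanzas
found in a named.conf; the rules (algorithm, base64 validity, minimum
secret length) are this example's own choices, not BIND's.
"""
import base64
import binascii
import re
import secrets

LEGACY_ALGORITHMS = {"hmac-md5"}
MIN_SECRET_BYTES = 16  # assumption: anything shorter is treated as too weak

# Matches: key "name" { algorithm hmac-sha256; secret "base64"; };
# The algorithm may be quoted or bare; whitespace and newlines are free.
KEY_RE = re.compile(
    r'key\s+"([^"]+)"\s*\{\s*algorithm\s+"?([\w-]+)"?\s*;\s*secret\s+"([^"]+)"\s*;',
    re.IGNORECASE,
)


def generate_rndc_key(name="rndc-key", algorithm="hmac-sha256", nbytes=32):
    """Return a named.conf key stanza with a fresh random secret."""
    secret = base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")
    return f'key "{name}" {{\n    algorithm "{algorithm}";\n    secret "{secret}";\n}};\n'


def audit_keys(conf):
    """Return a list of findings for every key stanza in conf (empty means OK)."""
    findings = []
    for name, algorithm, secret in KEY_RE.findall(conf):
        if algorithm.lower() in LEGACY_ALGORITHMS:
            findings.append(f"{name}: algorithm {algorithm} is legacy; use hmac-sha256")
        try:
            # validate=True rejects characters outside the base64 alphabet
            raw = base64.b64decode(secret, validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"{name}: secret is not valid base64 (was it typed by hand?)")
            continue
        if len(raw) < MIN_SECRET_BYTES:
            findings.append(
                f"{name}: secret is only {len(raw)} bytes; use at least {MIN_SECRET_BYTES}"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample: the key stanza from the excerpt above.
    legacy = 'key "rndc-key" { algorithm "hmac-md5"; secret "somesecret-for-rndc"; };'
    for finding in audit_keys(legacy):
        print("finding:", finding)
    fresh = generate_rndc_key()
    print(fresh)
    print("fresh key findings:", audit_keys(fresh))
```

Run it against the real named.conf with `audit_keys(open("/etc/named.conf").read())`; after replacing the stanza, `rndc reload` must be run with the same key on the rndc side (rndc.conf or rndc.key), otherwise the controls channel stops accepting commands.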