Avocent – MTU

We stumbled over a situation where the WAN environment did not advertise lower MTU values properly, or fragments were routed over a different path. To fix this we set the MTU / MSS values on the route.
    vi /etc/network/st_routes
    10.0.0.0/8 via 10.52.192.81 dev eth0 mtu 1150 advmss 1100
    default metric 0 via 10.52.192.81
This is …

FortiGate Cluster Deployment – Zero Touch / Low Touch Debugging Notes

After a long day of back-and-forth debugging, here are some takeaways from trying to deploy a FortiGate cluster with dedicated management interfaces: FortiGates without a current support contract need to have the same version already installed, and the FortiManager enforce firmware setting needs to be set to this version. Otherwise this fails. FortiManager 6.4.14 and configure dedicated …

Check Point – Interfaces

These are my personal notes towards the certification and do not reflect any training from Check Point. For official information please refer to sk163417.
Primary Interfaces, Gaia Operating System Shells, CLI, GUI, Smart Console
Primary Interfaces
Gaia Operating System Shells
CLI
Gaia Clish - Default Shell
Bash - Expert Mode Shell
GUI
Gaia Portal browser-based shell
Smart Console
Smart …

Check Point – CCSE – Day29 – Training Day 3

So approaching the last day of CCSE training. Many thanks to Yasushi Kono for the interesting days, a lot of fun and insights. Finished this day. These are my personal notes towards the certification and do not reflect any training from Check Point. For official information please refer to sk163417. Start 08:30, End 17:00. Chapter 7: Advanced Site-to-Site VPN …

Check Point – CCSE – Day30 – Training Day 2

These are my personal notes towards the certification and do not reflect any training from Check Point. For official information please refer to sk163417. Start 08:30, End 17:30.
Chapter 3: Advanced Gateway Deployment (Continued), Chapter 4: Advanced Policy Configuration, Policy Layers, Dynamic Objects, Chapter 5: Advanced User Access Management, Chapter 6: Custom Threat Prevention, Chapter 7: Advanced Site-to-Site VPN
Chapter 3: Advanced Gateway Deployment (Continued) …

BGP – Check Point Clish

Adding Check Point to the BGP setup.
clish config, show bgp summary, show bgp peer 10.255.2.5 detailed, show bgp peer 10.255.2.5 received, show route bgp, Restarting BGP Peers in Gaia Clish
clish config
    set as 65532
    set bgp external remote-as 65001 on
    set bgp external remote-as 65001 peer 10.255.2.5 on
    set bgp external remote-as 65001 peer 10.255.2.5 route-refresh on
    set inbound-route-filter …

Check Point – CCSE – Day31 – Training Day 1

These are my personal notes towards the certification and do not reflect any training from Check Point. For official information please refer to sk163417.
Chapter 1: Introduction to Advanced Deployments, Chapter 2: Management High Availability, Synchronization Deployment Sync Failures, Active and Standby Changeover Backup and Restore, Dedicated Log Server SmartEvent Server Chapter 3: Advanced Gateway Deployment
Chapter 1: Introduction to …

BGP – Asymmetric Routing Fortigate or when it is the policy

Change the setup to have two dedicated links from the FortiGate to the edge router: internal6 and 7 on the FortiGate and eth4 on the edge routers. Note to myself: the policy blocked the traffic. Needed to change the source interfaces to include i6 and i7.
    config firewall policy
        edit 1
            set srcintf internal1.997
        next
    end
Links: https://community.fortinet.com/t5/FortiGate/Technical-Note-Reverse-Path-Forwarding-RPF-implementation-and/ta-p/194382

BGP – Prevent becoming a Transit-AS

AS-Path Filtering, No-export Community, Prefix-list Filtering, Distribute List Filtering
AS-Path Filtering
    ip as-path access-list 1 permit ^$
    neighbor x.x.x.x filter-list 1 out
No-export Community
    ip bgp-community new-format
    route-map NO-EXPORT
    set community no-export
    neighbor x.x.x.x route-map NO-EXPORT in
    neighbor x.x.x.x send-community
Prefix-list Filtering
    ip prefix-list NO-TRANSIT permit x.x.x.x/x
    neighbor x.x.x.x prefix-list NO-TRANSIT out
Distribute List Filtering
    access-list x deny x.x.x.x y.y.y.y …