The Packets, Life and everything
As we all some times reflect on the ever-evolving landscape of networking, we can't help but acknowledge the inevitability of change. Brands merge, companies evolve, and documentation that once seemed abundant can become a rare treasure. It's a relic from a time when our network thrived under the banner of a once-proud name. As I …
"Reminder to self regarding routing information: This document is derived from Fortinet KB Articles and covers topics such as accessing FIB/RIB routing data via the CLI, understanding the routing process in FortiGate (route-lookup-process), handling multiple default routes when SD-WAN rules are not the preferred option, and more." Routing in FortiGate (route-lookup-process) How does FortiGate decide …
Continue reading "FortiGate – Viewing FIB/RIB routing information in CLI"
Short collection of what is my IP Servers. ifconfig.io ifconfig.me ifconfig.co icanhazip.com Usage curl ifconfig.co/port/22 SD-WAN As a personal note route ifconfig.* over the primary connection on the Fortigate firewall and icanhazip.com over the secondary config firewall address edit "ifconfig.co" set type fqdn set fqdn "ifconfig.co" next edit "ifconfig.me" set type fqdn set fqdn "ifconfig.me" …
Recently, I've been tasked with automating the provisioning of certain network equipment. To achieve this, we've created the initial configuration using an Ansible playbook in conjunction with a Jinja2 template. This setup allows the DHCP server to instruct the switch to retrieve the configuration file via TFTP, and we've also made provisions for firmware updates …
Continue reading "Zero Touch Provisioning for HPE / Aruba Network Equipment"
I like the the Idea to configure static routing over firewall objects. This avoids the static route limit on FortiGate Firewall. config firewall address edit "N.203.0.113.0--24" set allow-routing enable set subnet 203.0.113.0 255.255.255.0 next end config firewall addrgrp edit "R.Networks" set allow-routing enable set member "N.203.0.113.0--24" next end config router static edit 0 set gateway …
Continue reading "Fortinet – Static routes with Firewall objects"
Recently, we encountered significant CPU and memory utilization spikes on one of our Fortigate Firewalls. Despite consistently handling around 1.5 million sessions for several months without any problems, the situation took a turn for the worse. The firewall became unresponsive through the Command Line Interface (CLI), and at that time, we hadn't configured a dedicated …
Basic Packet Capture tcpdump -i eth0 This captures and displays packets on interface eth0. Capture Packets from a Specific Port tcpdump -i eth0 port 80 This captures packets on port 80 (HTTP traffic) on eth0. Capture Packets with a Specific Host as Source or Destination tcpdump -i eth0 host 192.168.1.100 This captures packets either from …
It is a good idea to do basic DoS Protection, even internaly. Configuring DoS policyVerificationdiagnose ips anomaly listReleasing the blocked sendersdiagnose ips anomaly clearLinks Configuring DoS policy This will configure a basic DoS Policy for Traffic with default values and block violations for 2 Minutes. config firewall DoS-policy edit 1 set name "ALL DoS-Policy" set …
I had again the need to calculate proxy performance. So a few notes on this topic. Time to First Byte Using Curl Jon Fox published an post how to find the time to first byte (TTFB) with curl. curl -w "Connect time: %{time_connect} Time to first byte: %{time_starttransfer} Total time: %{time_total} \n" -o /dev/null [url to …
My personal collection of CheckPoint Commands. Most of them work best in expert mode. [Expert@gateway:0]# CommandDescriptioncpconfigchange SIC, licenses and morecpview -tshow top style performance counterscphaprob statlist the state of the high availability cluster members. Should show active and standby devices.cphaprob -a ifdisplay status of monitored interfaces in a clustercphaprob -l listdisplay registered cluster devices and …
ip access-list standard dialer1-acl    permit 10.0.0.0 255.0.0.0   permit 192.168.2.0 255.255.255.0 ip access-list standard vlan4-nat-acl    permit 10.0.0.0 255.255.255.0 route-map dialer1-nat permit 10 match ip address dialer1-acl match interface dialer1  route-map vlan4-nat permit 10   match ip address vlan4-acl    match interface vlan4 ip nat inside source route-map vlan4-nat interface vlan4 route-map vlan4-route permit …
Patrick Marc's Networks 