
FortiGate Scripting

FortiGate Scripts

I’ve been doing quite a bit of scripting for FortiGates recently, much of it in TCL. FortiManager is capable of running TCL scripts, which allows a script to make decisions. For example, I have a script that checks the name of the FortiGate it is running on and then, based on the hostname, assigns different values to the device. I needed to write this script so I could roll out ADVPN to multiple sites for a client.

Optimization

Problems

My site was not available over HTTPS. My site was slow to load.

Investigation - HTTPS

This site is hosted on GitHub, so going through their documentation it looked like I should have been able to use a CDN and still have GitHub generate a cert for the site. However, it was not.

Solution - HTTPS

As an experiment I disabled the CDN to see if GitHub would be able to generate the certificate - this worked pretty quickly and in the end was pretty simple. I was trying to do something fancy and ended up in a situation where the CDN wasn’t really doing everything it could, and neither was GitHub.

Home Lab

Home Lab Build

This seems like a good time to dust off the home lab gear. So I’ve pulled the hardware out and made sure everything has downloaded all the updates. My lab is pretty simple. The network is a FortiGate, FortiSwitch and FortiAP. The compute and storage is a desktop that I’ve jammed as many SSDs into as I can. I’m running Hyper-V on Windows 10, because it is simple and provides the features I need.

Training Report - Day 1

How the new plan went

The training was executed as planned. Twenty seconds of work, followed by twenty seconds of rest, was not much of a stimulus. The two minutes of rest at the end was enough to nearly fully recover between rounds. Three rounds was sufficient to get my heart rate up, warm up joints and generally get my day started. Skipping easy didn’t go as poorly as I expected - in regards to stepping on the rope - but my calves need to get used to the jumping.

Training in Isolation

In the Before Time

Before everybody had to stay home all the time, I would be at the local gym 3 days a week working out with barbells. I would squat, either bench or overhead press, deadlift and then do chin ups. Simple, effective, full body and as heavy as I could make it. My goal for 2020 was to deadlift 555 pounds for a set of 5 reps. I was deadlifting 380 pounds for 5 reps before the gym closed, so I am not likely to hit my goal this year. This is fine - things happen. 555 pounds was a stretch to begin with. I had calculated in early January that I needed to add about 4 pounds to my deadlift a week for 40 weeks to hit this goal. But I re-aggravated a shoulder injury and that set me back a bit in February. So with the gym closed - and not having a home gym - I’ve got to come up with something else.

FortiGate SD-WAN Setup

Minimal Requirements

Here are the quick and dirty steps to get SD-WAN up and running on a FortiGate. I’m running FortiOS 6.2.3 on a 60E.

SD-WAN Interface

Under Network -> SD-WAN:
- Set the Status to Enabled
- Add at least one available port to the SD-WAN Interface Members
- Hit Apply

Performance Metrics

Under Network -> Performance SLA:
- Create a new SLA
- Give it a Name
- For Protocol pick Ping
- Add two IPs for servers to run ping tests against - I’d recommend 1.1.1.1 and 8.8.8.8, since they are Anycast and globally respond quickly, but you might want to add one of your ISP’s upstream routers. You need to put two addresses in here. (Can be FQDNs)
- Add the Interface(s) [WAN1 or WAN2, etc.] you want to use this test to the Participants box
- Make sure “Enable probe packets” is selected - should be by default
- Hit Ok

Route

Under Network -> Static Routes:

4 Segment Network

Purpose

How do you design a well-organized, well-managed network for a small/medium business? Let’s lay out some assumptions:
- There are servers in the office
- The servers are either in a well-organized closet or in a server room (they are not in a Colo - but access is restricted)
- There may be some amount of Cloud/SaaS applications
- This is not a VDI environment (we could sketch that out in a different post)
- Security is a concern - but not security at any cost

Let’s start with what I generally see

As a consultant, I’ve been engaged by dozens of small/medium size businesses and many large businesses. What I tend to see in the small/medium group is a flat network using a single subnet - a /24 or, less commonly, a /16. There is only one VLAN and all the Servers, Switches, Hypervisors and Desktops are in the same broadcast domain. If I was an attacker, this would be a “Target Rich Environment”…

Hashing

What is Hashing

Very simplified: Hashing is a mathematical operation used to take an Input and turn it into a different Output. More specifically: the hashing function will take an input of variable size and produce an output of a fixed size. The mathematical process should not be reversible, the same input should always yield a constant output, a small change to the input should have a large change on the output, and two different inputs should never generate the same output.

Crypto Cipher Suite Comparison

Components

As detailed in my post on Cryptographic Cipher Suites, each of the suites has a Protocol, a Key Exchange algorithm, a Signature Authentication algorithm, an Encryption algorithm, and a Message Authentication algorithm. Here we are going to compare these different components and highlight the cipher suites currently considered strong*.

* "currently" only means at the time of this writing - a flaw could be found in the algorithm or in the implementation of the algorithm at any time, so do additional research to confirm the current strength of the cipher suite. You’ve been warned…

Cryptographic Cipher Suites

What are Cryptographic Cipher Suites

Cipher suites are a combination of different algorithms the system will use to encrypt the communication. Each operating system/application will have a set of suites it is capable of supporting. Let’s take a few examples - using the IANA names:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_NULL_SHA

Each of these suites has a Protocol, a Key Exchange algorithm, a Signature Authentication algorithm, an Encryption algorithm, and a Message Authentication algorithm.