Most Recent Articles
CCIE notes – Security part 2
Layer 3 Security
Recommendation
1. Enable secure Telnet access to a router and use SSH
2. Enable SNMP security, adding SNMPv3 support
3. Turn off unnecessary services on the router platform
4. Turn on logging to provide an audit trail
5. Enable protocol authentication
6. Enable CEF
General Layer3 Security Considerations
1. Smurf Attacks
- a large number of ICMP Echo Requests with the same source IP address in the packet
- the destination address is a subnet broadcast address, also known as a direct broadcast address
Solutions
CCIE notes – Security part 1
Router & Switch Device Security
- to encrypt passwords, use the following command: #service password-encryption
- “#no service password-encryption” – does not automatically decrypt the password. It waits until a new password is added.
- #enable secret – encrypts the password as MD5
- #enable password – type 7 password
- #username <name> password <pass> – encrypts the password as MD5
AAA – Authentication, Authorization and Accounting
Radius vs Tacacs
| | RADIUS | TACACS |
| --- | --- | --- |
| Scope of Encryption: Packet Payload or just Password | Password Only | Entire Payload |
| Layer 4 Protocol | UDP | TCP |
| Well Known ports | 1812/1645 | 49/49 |
| Standard or Cisco Proprietary | Standard | Cisco |
CCIE notes – MPLS
Below are some notes from my CCIE written. Hope you enjoy them
MPLS IP Forwarding: Data Plane
- MPLS routers push (inject) labels, pop (remove) labels, or forward packets based on labels
- MPLS relies on CEF, extending its logic and data structures
LSR (Label Switch Router)
- any router that has awareness of MPLS Labels
FIB – used for incoming unlabeled packets
LFIB – used for incoming labeled packets
MPLS header and Label
- header of 4 bytes, located before the IP header
Fortigate CFG_CMDBAPI_ERR Error
Hello,
It seems there is a new error that I found on a few Fortigate firewalls: CFG_CMDBAPI_ERR
To fix the issue you can do 2 things:
1. Upgrade the Fortigate to the latest version
2. Restart the IPS of the Fortigate (this is what was causing the issue). Below is the command (through the CLI):
diagnose test application ipsmonitor 99
Hope it helps!
How to set up an SSL VPN on Fortigate
Hello,
I have not updated the blog for some time. I have been studying for my CCIE R&S Lab exam (just passed the written) and I didn’t have time to create some blog posts. With the help of a colleague of mine (Paul Z.) I managed to create this post. See below the way you create an SSL VPN on the Fortigate:
How to set up an SSL VPN on Fortigate (FortiOS 4.0MR3) – Step by step guide:
1. Go to System->Admin->Settings
Here you can setup the port on which the SSL VPN portal will be listening on:
2. Go to Firewall->Address->Address and create a new address object, with the IP range that your SSL VPN users will be assigned:
3. Go to VPN->SSL->Config and tick “Enable SSL-VPN”. If you only have one SSL VPN range coming into your firewall, at this screen you would also have to select it from the IP Pools menu; if you have more than one, then you will define each range in the portal. When you are done, click “Apply”.
Fortigate FortiOS 5 preview
Hello,
I have found the following video on YouTube that presents FortiOS 5 in 5 minutes.
The new features look really good.
Check it out:
What do you think?!