Setting up Duo 2FA for Fortigate admin authentication

I protect any account I have with two-factor auth, at least the ones that support it (this site, for example, has 2FA for admin logon). It’s not that inconvenient (especially not with Authy/Duo) and greatly increases the security of your critical accounts. Let’s start with the endgame: However, I haven’t protected my publicly accessible firewall with 2FA - mainly because there is no real built-in method for using industry standard apps with it....

August 31, 2016 · Myles Gray

Enabling Mini Jumbo Frames (RFC4638) on OpenReach FTTC

I swapped out my single Fortigate 100D at home a while back for a cluster of two in active/passive. As part of this migration, which I have written about before, I needed to terminate any DHCP or PPPoE interfaces on a different piece of kit than the clustered firewalls. I have had this in the lab for a while on a Cisco 2811 router set up pretty much exactly like I had in the previous article....

August 28, 2016 · Myles Gray

Raspberry Pi with Dynamic-DNS using Cloudflare

My lab is not what you’d call typical in any way (a kit list will, I’m sure, come up in a future post), but I have what is analogous to a “primary” DC and a “backup” DC with regard to physical premises. The problem is, I live in the secondary with other human beings, meaning power draw and noise are to be kept to a minimum. I also don’t have the luxury of having a /29 of public addresses at the second site, or even a static address at all....

April 8, 2016 · Myles Gray

VMware NIC Load Balancing and Teaming, the Math

While doing some research for NSX setups I found the urge to delve deeper into the calculations behind some of ESXi’s available load-balancing and teaming types. Below I have outlined the scenarios, calculations (where appropriate) and recommendations when it comes to choosing a NIC load balancing and teaming type. Virtual Port ID: your VMs all have single vNICs, you have multiple physical switches, the pNICs from the servers are striped across them, and the switches aren’t stacked/don’t have an awareness of each other/are from different vendors (the point here: completely different, no collaboration between equipment - any brownfield environment)....

August 11, 2015 · Myles Gray

vSphere HA Configuration fails: Operation Timed Out

I recently rebuilt my lab and added 2x new ESXi hosts. I re-used my old single host in the process, which I upgraded from ESXi 5.5 to 6.0 and patched to the same level as the new hosts. Everything was working as expected until the time came to enable HA. My old host claimed the master role and thus the other boxes had to connect to it as slaves; however, these failed with “HA Agent Unreachable” and “Operation Timed Out” errors....

July 22, 2015 · Myles Gray

Specifying outbound NAT address for policy on a Fortigate

Sometimes you need your devices (say an SMTP server) to have a specific outbound public IP for things like reverse-DNS look-ups to ensure mail delivery and reputation, or maybe you want traffic from particular devices or policies to go out an IP for means of tracking. It is not immediately obvious on Fortigates how to do this. Typically, when you create a policy and NAT traffic out through it, the Fortigate will use its own public IP assigned by the ISP to originate the traffic from. If you have a static IP and use an unnumbered address from your ISP then you might be lucky and your R-DNS might match this; however, in most cases you will have a separate Virtual IP for your SMTP server that is different to this, and thus you need the R-DNS lookup to match that of the A-Record....

June 19, 2015 · Myles Gray

Scanning for network vulnerabilities using nmap

This article is a bit of a divergence for me. I recently had the need to scan an entire network for a particularly nasty Microsoft security vulnerability, MS15-034. There are a few ways to check for this; the first is obvious: check what servers have IIS installed. However, this bug isn’t limited to IIS, rather anything using HTTP.sys and, of course, an HTTP server can be spun up on any port you want, so we need to check for servers that have HTTP exposed on any port from 1-65535....

June 17, 2015 · Myles Gray

Fortigate Unnumbered IP against PPPoE Interface

I ran into some very strange behaviour on a BT Business Fiber connection with PPPoE and static IPs assigned by the ISP on a Fortigate firewall. A site-to-site IPSec VPN was required; however, the tunnel kept terminating. BT assign a dynamic address with the PPPoE connection, and the static IPs are typically ingested through the use of Virtual-IPs on the Fortigate unit, but IPSec requires the use of the router WAN address and it needs to be static....

June 12, 2015 · Myles Gray

Enabling PXE boot options on Fortigate DHCP

I have recently been setting up The Foreman as a Puppet management front end to allow me to quickly provision Linux based VMs on my VMware cluster - more on that setup in another article. I had to create a PXE boot environment for The Foreman to fully automate the provisioning of the VMs. I run a Fortigate 100D in my lab from which DHCP is served and, as you may or may not know, the PXE boot options are served from DHCP....

December 7, 2014 · Myles Gray

Deploying Cisco VIRL on VMware Workstation – Caveats

I recently tried to deploy Cisco VIRL on VMware Workstation 10 - the install instructions are for v8 - and there are a few differences I noted. It doesn’t account for the host-only network installed by default, so increment all vmnets by 1. The labelling for VT-x/EPT has changed; it now lives under Settings -> Hardware -> Processors -> Virtualisation engine -> Preferred mode: you need to explicitly select Intel VT-x/EPT or AMD-V/RVI mode. After this, entering the sudo kvm-ok command in the VIRL CLI still output KVM acceleration can NOT be used....

December 3, 2014 · Myles Gray