Filtering (BGP) routes

Last time I set up some IPsec S2S connections between multiple FortiGate firewalls, of course running BGP between them.

In short:

The hub site must know all routes from the spokes, but only learned via BGP.

Spoke A (IP must know only the route to the hub
– The default route remains at the spoke location

Spoke B (IP must know only the route to the hub
– The default route remains at the spoke location

Since I'm running BGP, all sites learn each other's routes, and that is not what I want. Of course I manage and configure the equipment at Spoke A and B myself, but let's assume I don't have that control; then I want to filter on the hub with route-maps :). A route-map can reference a prefix-list, which allows more precise filtering (an exact prefix, or a range of prefix lengths via ge/le) than a basic ACL.

So let’s start:

Prefix-list configuration (with ge and le unset only the exact prefix length matches; anything the list does not permit is implicitly denied):

config router prefix-list
    edit "only-local"
        config rule
            edit 1
                set prefix
                unset ge
                unset le
            next
        end
    next
end

Route-map configuration (the rule's action defaults to permit, so it passes whatever the prefix-list permits; like the prefix-list, the route-map ends in an implicit deny):

config router route-map
    edit "only_local_subnets"
        config rule
            edit 1
                set match-ip-address "only-local"
            next
        end
    next
end

BGP configuration (the route-map is applied outbound per neighbor with set route-map-out; only connected routes are redistributed, so static routes, including the default route, stay local):

config router bgp
    set as 65401
    set router-id
    config neighbor
        edit ""
            set soft-reconfiguration enable
            set remote-as 65402
            set route-map-out "only_local_subnets"
            set send-community6 disable
            set keep-alive-timer 1
            set holdtime-timer 5
            set connect-timer 5
        next
        edit ""
            set soft-reconfiguration enable
            set remote-as 65403
            set route-map-out "only_local_subnets"
            set send-community6 disable
            set keep-alive-timer 1
            set holdtime-timer 5
            set connect-timer 5
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end

Two things to keep in mind. The 1 second keepalive and 5 second hold timers give fast failover but will also drop the session on any short tunnel hiccup, so tune them to your links. After changing the route-map, a soft clear (exec router clear bgp all soft) re-applies the policy without tearing down the sessions; get router info bgp summary shows the prefix counts per peer, and get router info bgp neighbors <peer-ip> advertised-routes shows exactly what the hub is sending to a spoke, which is the check that proves the filter works.
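To see what the filter actually does to a spoke, here is a small model of FortiGate-style prefix-list matching (exact match when ge/le are unset, length ranges when they are set) and an outbound route-map with its implicit deny. This is an added example, not code from the post or from Fortinet; the hub LAN 10.0.0.0/24 and the spoke prefixes 10.1.0.0/24 and 10.2.0.0/24 are assumptions, since the post elides its real addresses.

```python
"""Added example, not from the original post: a small model of FortiGate-style
prefix-list matching and outbound route-map filtering, to show what each spoke
would receive from the hub.  The hub LAN (10.0.0.0/24) and the spoke prefixes
are assumptions; the post elides its real addresses."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def net(s):
    return ipaddress.ip_network(s, strict=True)


@dataclass
class PrefixRule:
    """One `edit N` entry under `config rule` of a `config router prefix-list`."""
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None      # unset ge and le = exact prefix length only
    le: Optional[int] = None
    action: str = "permit"

    def matches(self, route) -> bool:
        route = net(route) if isinstance(route, str) else route
        if route.version != self.prefix.version or not route.subnet_of(self.prefix):
            return False
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        else:  # ge alone means "ge .. host length"; neither means exact length
            hi = self.prefix.max_prefixlen if self.ge is not None else self.prefix.prefixlen
        return lo <= route.prefixlen <= hi


def prefix_list_permits(rules: List[PrefixRule], route) -> bool:
    """First matching rule decides; a prefix-list ends with an implicit deny."""
    for rule in rules:
        if rule.matches(route):
            return rule.action == "permit"
    return False


# A route-map is an ordered list of (prefix-list, action).  A rule matches when
# its prefix-list permits the route; the route-map also ends in an implicit
# deny, so a route that matches no rule is not advertised.
RouteMap = List[Tuple[List[PrefixRule], str]]


def apply_route_map_out(route_map: RouteMap, routes) -> List[str]:
    advertised = []
    for route in (net(r) if isinstance(r, str) else r for r in routes):
        for rules, action in route_map:
            if prefix_list_permits(rules, route):
                if action == "permit":
                    advertised.append(str(route))
                break
    return advertised


# prefix-list "only-local": one rule, no ge/le, i.e. exactly the (assumed) hub LAN.
ONLY_LOCAL = [PrefixRule(net("10.0.0.0/24"))]
# route-map "only_local_subnets": one permit rule referencing that prefix-list.
ONLY_LOCAL_SUBNETS: RouteMap = [(ONLY_LOCAL, "permit")]


def hub_advertises(route_map: RouteMap = ONLY_LOCAL_SUBNETS) -> List[str]:
    """What the hub sends a spoke: its own connected LAN plus the routes it
    learned from the spokes (constructed BGP table), after route-map-out."""
    hub_bgp_table = ["10.0.0.0/24", "10.1.0.0/24", "10.2.0.0/24"]
    return apply_route_map_out(route_map, hub_bgp_table)


if __name__ == "__main__":
    permit_all: RouteMap = [([PrefixRule(net("0.0.0.0/0"), le=32)], "permit")]
    print("without filter:", hub_advertises(permit_all))
    print("with only_local_subnets:", hub_advertises())
    # ge/le: "10.0.0.0/16 le 24" covers 10.0.5.0/24 but not a /25 inside it
    wide = PrefixRule(net("10.0.0.0/16"), le=24)
    print(wide.matches("10.0.5.0/24"), wide.matches("10.0.5.0/25"))
```

Without the route-map, spoke A would receive spoke B's LAN (and vice versa), which is exactly the leak the post wants to stop; with it, only the hub LAN is advertised and the spokes keep their own default route.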


FortiNet CLI Cheat Sheet

The following table lists show / diag / update / config commands for FortiGate that can come in handy. I'll update this list once in a while.

Command – What does it do?
config system arp-table – Add static ARP entries
config system interface – Configure interfaces (type show inside it to list all NICs)
config router prefix-list – Add a prefix-list (type show to see the current prefix-lists)
config router route-map – Add a route-map (type show to see the current route-maps)
diag debug crashlog read – Show the crash log in a readable format
diag debug rating – Show the list of FortiGuard rating servers
diag ip arp delete <interface name> <IP address> – Remove a single ARP table entry
diag ip arp list – View the ARP cache
diagnose debug application fnbamd -1, then diagnose debug enable – Debug LDAP or RADIUS authentication (fnbamd)
diag debug reset; diag ip router bgp all enable; diag ip router bgp level info; diag debug enable – Debug BGP
diag debug disable – Disable debug output
diagnose firewall ipgeo country-list – Show Geo-IP countries
diagnose firewall ipgeo ip-list all – Show the Geo-IP IPv4 address list
diagnose hardware deviceinfo nic – Show hardware info for the NICs
diagnose hardware deviceinfo nic <nic> – Show device information for a specific NIC
diagnose hardware sysinfo shm – Show shared memory information (check whether conservemode is 1)
diagnose sys ha hadiff status – Show an HA diff
diagnose sys ha reset uptime – Execute a fail-over
diagnose sys kill <signal> <process_id> – Kill a process; use signal 9 for an unconditional kill (15 is a regular terminate)
diagnose sys session list – Show the session table
diagnose sys tcpsock – List open TCP sockets
diagnose sys top – Show top with processes
exec router clear bgp all – Clear all BGP sessions
exec router clear bgp all soft – Soft clear all BGP (refreshes the BGP routing table, the sessions stay up)
exec router clear bgp ip soft x.x.x.x – Soft clear BGP for a specific neighbor
exec ha manage 0/1 – Manage the other cluster member through the HA interface
exec log display – Display the log
exec ping <dst> – Execute a ping
exec ping-options – Set specific ping options
exec ping-options source – Set a specific source IP for ping
exec tac report – Generate a TAC report
exec telnet ip:port – Execute a telnet client
exec ssh ip:port – Execute an SSH client
exec traceroute – Execute a traceroute
exec clear system arp table – Clear the ARP cache
exec log filter – Set a log filter
exec update-geo-ip – Update the Geo-IP database
exec update-av – Update the antivirus database
exec update-ips – Update the IPS database
get router info routing-table all – Show the routing table
get router info routing-table database – Show the routing database
get router info routing-table bgp – Show BGP routes
get router info routing-table ospf – Show OSPF routes
get router info routing-table connected – Show directly connected routes
get router info routing-table details <host> – Get routing information for a specific <host>
get router info bgp summary – Show BGP peer status and received prefixes
get router route-map – Show available route-maps
get router prefix-list – Show available prefix-lists
get system arp – Show the ARP table
get system checksum status – Show the HA checksums
get system ha status – Show the HA status
get system performance status – Show performance usage
get system performance top – Show top (use SHIFT+M to sort on memory usage)
get system session list – Short list of the session table
get system status – Show the system status
get vpn ipsec tunnel details – Show details for the IPsec VPN tunnels
get vpn ipsec tunnel summary – Show a summary list of the IPsec VPN tunnels
diag vpn ipsec status – Verify IPsec offload to the network processors (NP)
diag vpn tunnel list – Show tunnel details, including the npu_flag:
npu_flag=00 means that neither ingress nor egress ESP packets are offloaded
npu_flag=01 means only egress ESP packets are offloaded; ingress ESP packets are handled by the kernel
npu_flag=02 means only ingress ESP packets are offloaded; egress ESP packets are handled by the kernel
npu_flag=03 means both ingress and egress ESP packets are offloaded

For a fast tunnel npu_flag=03 is essential.

Exchange Hybrid – Free/Busy information not working

When upgrading an SSL certificate last week I had to run the Exchange Hybrid Configuration Wizard again. Of course, when you update something like this or AD Connect, something breaks....

Before this, Free/Busy was working from Microsoft 365 Exchange Online to the on-prem environment.

After checking the organization relationship I saw that the target sharing endpoint was empty again.

Get-OrganizationRelationship | select TargetSharingEpr

resulted in an empty response. To fix Free/Busy this needs to be filled in, especially if there are subdomains. If you have it's fine, but if you have it goes wrong, because it tries to reach instead of . Even if you have some CNAME records, it takes too long.

Instead of letting Autodiscover find out what the URL is (as mentioned at the beginning, I had this issue in the past), simply put the EWS URL of the hybrid servers in TargetSharingEpr directly. So:

Set-OrganizationRelationship -TargetSharingEpr -Identity yourmicrosoftidentity

After this, Free/Busy works again.


Converting SSL certificates

Often when you buy or get a new certificate you need it in a different format, depending on the platform you have to install it on.

PEM Format

The PEM format is the most common format that CAs issue certificates in. PEM certificates usually have extensions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.

Apache and other similar servers like Citrix NetScaler use PEM format certificates. Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files.

DER Format

The DER format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der, but it often has a file extension of .cer, so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements. All types of certificates and private keys can be encoded in DER format. DER is typically used with Java related platforms.

PKCS#7/P7B Format

The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extension of .p7b or .p7c. P7B files contain "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements. A P7B file only contains certificates and chain certificates, never the private key. Several platforms support P7B files, including Microsoft Windows and Java Tomcat.

PKCS#12/PFX Format

The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

When converting a PFX file to PEM format, OpenSSL puts all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and the private key (including the BEGIN/END statements) to its own text file, saving them as certificate.cer, CACert.cer, and privateKey.key respectively.

OpenSSL Commands to Convert SSL Certificates

There are several online converters for SSL certificates, but I urge you to convert the certificate locally with OpenSSL. You don't want to upload your PRIVATE key to someone else's machine; done locally, the private key never leaves yours. A good point here: have some form of disk encryption on your laptop, so that if it is stolen the keys remain safe. Use the following OpenSSL commands to convert an SSL certificate to different formats:

OpenSSL Convert PEM

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

OpenSSL Convert DER

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

OpenSSL Convert P7B

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

The first step writes every certificate in the P7B (server certificate and chain) to certificate.cer, so -certfile is only needed for CA certificates that are not already in that file. Without it the second command is simply:

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx

OpenSSL Convert PFX

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

The -nodes flag writes the private key unencrypted (OpenSSL 3 also accepts -noenc for the same thing), so protect the resulting file like the key it contains and delete it once the pieces are split out.
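The two manual steps in this section, telling a DER .cer from a PEM .cer by looking at the bytes and cutting the combined PFX-to-PEM output into separate files, are easy to automate. The following is an added example (not from the post, and not OpenSSL code) using only the Python standard library: it classifies data by content, converts a certificate PEM <-> DER with the ssl module's helpers, and splits an openssl pkcs12 -nodes style dump into one block per certificate and key. SAMPLE_DER and SAMPLE_BUNDLE are constructed placeholders (valid ASN.1 but not real X.509), so the script runs offline.

```python
"""Added example, not part of the original post: a stdlib-only helper for the
formats described above.  It classifies data by content rather than by file
extension (a .cer may be PEM or DER), converts PEM <-> DER, and splits the
single file that `openssl pkcs12 -nodes` writes into one PEM block per
certificate/key (the copy-and-paste step from the text).  SAMPLE_DER and
SAMPLE_BUNDLE are constructed placeholders, not real certificates or keys."""
import re
import ssl
from pathlib import Path
from typing import List, Tuple

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(?:.*?)-----END \1-----\r?\n?", re.S)


def der_total_length(data: bytes) -> int:
    """Length the outermost DER SEQUENCE claims to occupy, or -1 if malformed."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data: bytes) -> str:
    """PEM / P7B / DER / UNKNOWN.  DER here means "one DER SEQUENCE fills the
    file": a DER certificate, but also a .pfx, since PKCS#12 is DER as well."""
    if b"-----BEGIN PKCS7-----" in data:
        return "P7B"
    if b"-----BEGIN " in data:
        return "PEM"
    if der_total_length(data) == len(data):
        return "DER"
    return "UNKNOWN"


def der_to_pem(der: bytes) -> bytes:
    return ssl.DER_cert_to_PEM_cert(der).encode()


def pem_to_der(pem: bytes) -> bytes:
    return ssl.PEM_cert_to_DER_cert(pem.decode())


def split_pem_bundle(bundle: bytes) -> List[Tuple[str, bytes]]:
    """(label, block) for every PEM block; the 'Bag Attributes' and 'subject='
    lines that openssl pkcs12 prints between blocks are dropped."""
    return [(m.group(1).decode(), m.group(0)) for m in PEM_BLOCK.finditer(bundle)]


def write_split_files(bundle: bytes, outdir: Path) -> List[Path]:
    """Write certificate.cer (first certificate, the server cert by the text's
    convention; check its subject= line if unsure), CACert.cer (the rest) and
    privateKey.key with owner-only permissions.  Returns the files written."""
    outdir.mkdir(parents=True, exist_ok=True)
    blocks = split_pem_bundle(bundle)
    certs = [b for label, b in blocks if label == "CERTIFICATE"]
    keys = [b for label, b in blocks if label.endswith("PRIVATE KEY")]
    written = []
    for name, parts in (("certificate.cer", certs[:1]),
                        ("CACert.cer", certs[1:]),
                        ("privateKey.key", keys)):
        if parts:
            path = outdir / name
            path.write_bytes(b"".join(parts))
            if name.endswith(".key"):
                path.chmod(0o600)         # the unencrypted key: owner only
            written.append(path)
    return written


# Constructed samples: SEQUENCE { INTEGER, INTEGER } standing in for certificates.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_CA_DER = bytes.fromhex("3006020103020104")
# Constructed `openssl pkcs12 -nodes` style dump: two certificates, then the key.
SAMPLE_BUNDLE = (
    b"Bag Attributes\n    localKeyID: 01\nsubject=CN = www.example.test\n"
    b"issuer=CN = Example Test CA\n"
    + der_to_pem(SAMPLE_DER)
    + b"Bag Attributes: <No Attributes>\nsubject=CN = Example Test CA\n"
    + der_to_pem(SAMPLE_CA_DER)
    + b"Bag Attributes\n    localKeyID: 01\nKey Attributes: <No Attributes>\n"
    b"-----BEGIN PRIVATE KEY-----\nMAA=\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    import tempfile
    print(detect_format(SAMPLE_DER), detect_format(SAMPLE_BUNDLE))
    print(pem_to_der(der_to_pem(SAMPLE_DER)) == SAMPLE_DER)
    with tempfile.TemporaryDirectory() as d:
        print([p.name for p in write_split_files(SAMPLE_BUNDLE, Path(d))])
```

Note that the content check cannot tell a DER certificate from a .pfx (both are a single DER SEQUENCE), which is why the PFX password and openssl pkcs12 are still needed for that case.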



Policy Based Routing HPE Aruba 3800 series

Today I was busy with some Policy Based Routing (PBR) on an HPE Aruba 3800 series switch.

The default gateway is set to which is ISP A, a line dedicated to business traffic.

So in the config of the switch:

ip route
ip routing

Let's assume that we have another ISP, named B, which needs to be used for Office 365, in particular Exchange Online. Of course the best option would be to change the default gateway, because Microsoft has a lot of IP addresses which change on a regular basis; so my advice would be to set the default gateway to ISP B and make a PBR policy for the things that should go to ISP A. Users of VLAN 5 need to have this in place.

We start by creating a class that contains the IPv4 addresses for Exchange Online listed on this Microsoft page. The class name is case sensitive. Also note that we can't use normal subnet masks (the switch accepts them, but it does not work); we have to use wildcard masks here.

class ipv4 "Office365-Subnets"
5 match ip
10 match ip
15 match ip
20 match ip
25 match ip
30 match ip
35 match ip
40 match ip
45 match ip
50 match ip
55 match ip
60 match ip
65 match ip
70 match ip
75 match ip
80 match ip
85 match ip
90 match ip
95 match ip
100 match ip
105 match ip
110 match ip
115 match ip
120 match ip
125 match ip
130 match ip
135 match ip
140 match ip
145 match ip
150 match ip
155 match ip
160 match ip
165 match ip
170 match ip
175 match ip
180 match ip
185 match ip
190 match ip
195 match ip
200 match ip
205 match ip
210 match ip
215 match ip
220 match ip

Now that we have a class, we can bind it in a policy and set the next-hop to

policy pbr "POL-Office365-Subnets"
     5 class ipv4 "Office365-Subnets"
      action ip next-hop

Since the HPE implementation requires the policy to be mapped to a VLAN, and we only created a policy without binding it anywhere, we have to do the following:

vlan 5
   name "test"
   untagged 1
   ip address
   service-policy "POL-Office365-Subnets" in

Keep in mind that you can only bind one PBR policy to a VLAN. If you enter service-policy "POL-test" in again and press enter, you won't get a warning; you simply overwrite the existing PBR binding. Also, a PBR policy can only be applied to incoming packets on a VLAN, so it goes on the VLAN where the users' traffic enters the switch, not on the uplink.
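Generating the class entries by hand for a long prefix list is where the wildcard-mask mistake creeps in. The following is an added example (not from the post, and not HPE code) that builds the class ipv4 match statements from CIDR prefixes, computing the wildcard mask for each, and checks which next-hop a destination would get. The match ip any <ip> <wildcard> line format, the sample prefixes and the next-hop addresses are assumptions; the post's own entries are elided, and the real ranges come from the Microsoft page the text refers to.

```python
"""Added example, not from the original post: build the `class ipv4` match
entries for an ArubaOS-Switch PBR class from CIDR prefixes, converting each to
the wildcard mask the switch needs, and check which next-hop a destination
would get.  The `match ip any <ip> <wildcard>` line format, SAMPLE_PREFIXES and
the next-hop addresses are assumptions (the post's own entries are elided)."""
import ipaddress
from typing import List


def wildcard_mask(cidr: str) -> str:
    """Inverted subnet mask: 0 bits must match, 1 bits are 'don't care'."""
    return str(ipaddress.ip_network(cidr, strict=True).hostmask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL-style comparison: addr equals base on every bit the wildcard clears."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def class_statements(name: str, prefixes: List[str],
                     start: int = 5, step: int = 5) -> List[str]:
    """The class as the post's config shows it: sequence numbers 5, 10, 15, ..."""
    lines = ['class ipv4 "%s"' % name]
    seqs = range(start, start + step * len(prefixes), step)
    for seq, cidr in zip(seqs, prefixes):
        net = ipaddress.ip_network(cidr, strict=True)
        lines.append("  %d match ip any %s %s"
                     % (seq, net.network_address, wildcard_mask(cidr)))
    return lines


def next_hop_for(prefixes: List[str], dst: str,
                 pbr_next_hop: str, default_gw: str) -> str:
    """A destination matching any class entry is steered to the PBR next-hop;
    everything else follows the normal routing table (here: the default GW)."""
    for cidr in prefixes:
        net = ipaddress.ip_network(cidr, strict=True)
        if wildcard_match(dst, str(net.network_address), wildcard_mask(cidr)):
            return pbr_next_hop
    return default_gw


# Constructed sample prefixes, not the real Microsoft list.
SAMPLE_PREFIXES = ["40.96.0.0/12", "13.107.6.152/31"]
ISP_B_NEXT_HOP = "192.0.2.1"      # assumed PBR next-hop (ISP B)
ISP_A_GATEWAY = "198.51.100.1"    # assumed default gateway (ISP A)

if __name__ == "__main__":
    print("\n".join(class_statements("Office365-Subnets", SAMPLE_PREFIXES)))
    print(next_hop_for(SAMPLE_PREFIXES, "40.96.5.1", ISP_B_NEXT_HOP, ISP_A_GATEWAY))
    print(next_hop_for(SAMPLE_PREFIXES, "8.8.8.8", ISP_B_NEXT_HOP, ISP_A_GATEWAY))
    # The post's caveat: a subnet mask typed where a wildcard belongs is accepted
    # by the switch but does not match the hosts you meant.
    print(wildcard_match("40.96.5.1", "40.96.0.0", "0.15.255.255"),
          wildcard_match("40.96.5.1", "40.96.0.0", "255.240.0.0"))
```

The last two prints are the whole point of the caveat in the text: 40.96.0.0 with wildcard 0.15.255.255 matches 40.96.5.1, while the same entry with the subnet mask 255.240.0.0 in that position does not, because the switch reads the 1 bits as "don't care" and the 0 bits as "must match".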

Some show commands:

show policy POL-Office365-Subnets

Statements for policy "POL-Office365-Subnets"
policy pbr "POL-Office365-Subnets"
     5 class ipv4 "Office365-Subnets"
      action ip next-hop

 show statistics policy POL-Office365-Subnets vlan 5 in

 Hit Counts for Policy POL-Office365-Subnets


 5 class ipv4 Office365-Subnets action ignore
(       0 )      5 match ip
(       0 )      10 match ip
(       0 )      15 match ip
(       0 )      20 match ip
(       0 )      25 match ip
(       0 )      30 match ip
(       0 )      35 match ip
(       0 )      40 match ip
(       0 )      45 match ip
(       0 )      50 match ip
(       0 )      55 match ip
(       0 )      60 match ip
(       0 )      65 match ip
(       0 )      70 match ip
(       0 )      75 match ip
(       0 )      80 match ip
(       0 )      85 match ip
(       0 )      90 match ip
(       0 )      95 match ip
(       0 )      100 match ip
(       0 )      105 match ip
(       0 )      110 match ip
(       0 )      115 match ip
(       0 )      120 match ip
(       0 )      125 match ip
(       0 )      130 match ip
(       0 )      135 match ip
(       0 )      140 match ip
(       0 )      145 match ip
(       0 )      150 match ip
(       0 )      155 match ip
(       0 )      160 match ip
(       0 )      165 match ip
(       0 )      170 match ip
(       0 )      175 match ip
(       0 )      180 match ip
(       0 )      185 match ip
(       0 )      190 match ip
(       0 )      195 match ip
(       0 )      200 match ip
(       0 )      205 match ip
(       0 )      210 match ip
(       0 )      215 match ip
(       0 )      220 match ip