Categories
Networking

Filtering (BGP) routes

Last time I set up some IPsec site-to-site (S2S) connections between multiple Fortigate firewalls and, of course, I am running BGP between them.

In short:

The hub site must know all routes from the spokes, but must only advertise 192.168.1.0/24 via BGP.

Spoke A (IP 192.168.254.2) must know only the route to the hub
– the default route remains on the spoke location

Spoke B (IP 192.168.254.4) must know only the route to the hub
– the default route remains on the spoke location

Since I'm running BGP, all sites know each other's routes, and this is not what I want. Of course I know and configure the equipment at Spokes A and B, but let's assume I don't have that control. Then I want to use route-maps to filter :). A route-map can reference a prefix-list, which makes more advanced filtering possible than a basic ACL does.

So let’s start:

Prefix-list configuration:

config router prefix-list
    edit "only-local"
        config rule
            edit 1
                set prefix 192.168.1.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

Route-map configuration:

config router route-map
    edit "only_local_subnets"
        config rule
            edit 1
                set match-ip-address "only-local"
            next
        end
    next
end

BGP configuration:

config router bgp
    set as 65401
    set router-id 1.1.1.1
    config neighbor
        edit "192.168.254.2"
            set soft-reconfiguration enable
            set remote-as 65402
            set route-map-out "only_local_subnets"
            set send-community6 disable
            set keep-alive-timer 1
            set holdtime-timer 5
            set connect-timer 5
        next
        edit "192.168.254.4"
            set soft-reconfiguration enable
            set remote-as 65403
            set route-map-out "only_local_subnets"
            set send-community6 disable
            set keep-alive-timer 1
            set holdtime-timer 5
            set connect-timer 5
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end  
    config redistribute6 "isis"
    end
end
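To make the filtering behaviour concrete, here is an added Python example (not from the page and not Fortinet code) that models the semantics of the prefix-list and route-map above: a route must lie inside the configured prefix, "unset ge" / "unset le" means only the exact prefix length matches, and both the prefix-list and the route-map end with an implicit deny, which is what stops the spoke-learned routes from being re-advertised to the other spoke. The class names, the sample hub RIB and the "only-local-le32" variant (a prefix-list with "set le 32") are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


# Constructed model of the FortiOS objects on this page. The field names are
# this example's own, not FortiOS CLI keywords.
@dataclass
class PrefixRule:
    prefix: str                # network in CIDR form, e.g. "192.168.1.0/24"
    action: str = "permit"     # default action of a prefix-list rule
    ge: Optional[int] = None   # None models "unset ge"
    le: Optional[int] = None   # None models "unset le"


@dataclass
class RouteMapRule:
    match_ip_address: str      # name of the prefix-list to match
    action: str = "permit"     # default action of a route-map rule


def prefix_rule_matches(rule: PrefixRule, route: str) -> bool:
    """A route matches when it lies inside the rule prefix and its length
    satisfies ge/le. With both unset only the exact prefix length matches;
    with only ge set the upper bound is the address width (32 for IPv4)."""
    net = ipaddress.ip_network(rule.prefix)
    r = ipaddress.ip_network(route)
    if r.version != net.version or not r.subnet_of(net):
        return False
    lo = rule.ge if rule.ge is not None else net.prefixlen
    if rule.le is not None:
        hi = rule.le
    elif rule.ge is not None:
        hi = net.max_prefixlen
    else:
        hi = net.prefixlen
    return lo <= r.prefixlen <= hi


def prefix_list_permits(rules: List[PrefixRule], route: str) -> bool:
    """The first matching rule decides; a prefix-list ends with an implicit deny."""
    for rule in rules:
        if prefix_rule_matches(rule, route):
            return rule.action == "permit"
    return False


def route_map_permits(route_map: List[RouteMapRule],
                      prefix_lists: Dict[str, List[PrefixRule]], route: str) -> bool:
    """The first route-map rule whose prefix-list permits the route decides;
    a route-map also ends with an implicit deny."""
    for rule in route_map:
        if prefix_list_permits(prefix_lists[rule.match_ip_address], route):
            return rule.action == "permit"
    return False


def advertised_routes(route_map: List[RouteMapRule],
                      prefix_lists: Dict[str, List[PrefixRule]], rib: List[str]) -> List[str]:
    """Apply the outbound route-map to every route the hub holds."""
    return [r for r in rib if route_map_permits(route_map, prefix_lists, r)]


# The objects from the page, plus one variant with "set le 32" for contrast.
PREFIX_LISTS = {
    "only-local": [PrefixRule("192.168.1.0/24")],
    "only-local-le32": [PrefixRule("192.168.1.0/24", le=32)],
}
ROUTE_MAP_ONLY_LOCAL = [RouteMapRule("only-local")]
ROUTE_MAP_ONLY_LOCAL_LE32 = [RouteMapRule("only-local-le32")]

# Constructed hub RIB: the local subnet, a more specific static inside it,
# the two spoke LANs learned via BGP and a default route.
HUB_RIB = ["192.168.1.0/24", "192.168.1.128/25", "192.168.10.0/24",
           "192.168.20.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    print("advertised to spokes:", advertised_routes(ROUTE_MAP_ONLY_LOCAL, PREFIX_LISTS, HUB_RIB))
    print("with 'set le 32':    ", advertised_routes(ROUTE_MAP_ONLY_LOCAL_LE32, PREFIX_LISTS, HUB_RIB))
```

Run it and only 192.168.1.0/24 survives the page's route-map; the "le 32" variant shows why leaving ge/le unset matters, because with it the more specific 192.168.1.128/25 would leak to the spokes as well. On the real box the equivalent check is get router info bgp summary on the spoke, or the soft clear from the cheat sheet below, after changing the prefix-list.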

Categories
Networking

FortiNet CLI Cheat Sheet

The following table lists show / diag / update / config commands for FortiGate, which can be handy. I will update this list once in a while.

Command | What does it do?
config system arp-table | Add static ARP entries
config system interface | Show all NICs
config router prefix-list | Add a prefix-list. Type show to see the current prefix-lists.
config router route-map | Add a route-map. Type show to see the current route-maps.
diag debug crashlog read | Get the crash log; shows the crashlog in a readable format.
diag debug rating | Show list of FortiGuard Services
diag ip arp delete <interface name> <IP address> | Remove a single ARP table entry
diag ip arp list | View ARP cache
diagnose debug enable; diagnose debug application fnbamd -1 | Debug LDAP or RADIUS
diag debug reset; diag ip router bgp all enable; diag ip router bgp level info; diag debug enable | Debug BGP
diag debug disable | Disable debug output
diagnose firewall ipgeo country-list | Show Geo IP countries
diagnose firewall ipgeo ip-list all | Show Geo IP IPv4 address list
diagnose hardware deviceinfo nic | Show hardware info for NICs
diagnose hardware deviceinfo nic <nic> | Show device information for a specific NIC
diagnose hardware sysinfo shm | Show shared memory information; check whether conservemode is 1
diagnose sys ha hadiff status | Show an HA diff
diagnose sys ha reset uptime | Execute a fail-over
diagnose sys kill process_id 15 | Kill processes; uses an unconditional kill
diagnose sys session list | Show session table
diagnose sys tcpsock | List open networking ports
diagnose sys top | Show top with processes
exec router clear bgp all | Clear all BGP sessions
exec router clear bgp all soft | Soft clear all BGP (refreshes the BGP routing table while the BGP sessions remain up)
exec router clear bgp ip soft x.x.x.x | Soft clear BGP for a specific neighbor
exec ha manage 0/1 | Manage the other cluster member through the HA interface
exec log display | Display log
exec ping <dst> | Execute a ping
exec ping-options | Set specific ping options
exec ping-options source | Set a specific source IP
exec tac report | Generate a TAC report
exec telnet ip:port | Execute a telnet
exec ssh ip:port | Execute an SSH client
exec traceroute | Execute a traceroute
exec clear system arp table | Clear ARP cache
exec log filter | Set a log filter
exec update-geo-ip | Update Geo IP addresses
exec update-av | Update antivirus database
exec update-ips | Update IPS database
get router info routing-table all | Show routing table
get router info routing-table database | Show routing database
get router info routing-table bgp | Show BGP routes
get router info routing-table ospf | Show OSPF routes
get router info routing-table connected | Show directly connected routes
get router info routing-table details <host> | Get routing information for a specific <host>
get router info bgp summary | Show BGP peer status and received prefixes
get router route-map | Show available route-maps
get router prefix-list | Show available prefix-lists
get system arp | Show ARP table
get system checksum status | Show HA checksum
get system ha status | Show HA status
get system performance status | Show performance usage
get system performance top | Show top; use SHIFT+M to sort on memory usage
get system session list | Short list for session table
get system status | Show system status
get vpn ipsec tunnel details | Show details for IPsec VPN tunnels
get vpn ipsec tunnel summary | Show summary list of IPsec VPN tunnels
Categories
Other

Exchange Hybrid – Free/Busy information not working

When upgrading an SSL certificate last week I had to run the Exchange Hybrid Configuration Wizard again. Of course, when you update something like this or the AD Connect, something breaks....

Before this, Free/Busy was working from Microsoft 365 Exchange Online to the on-prem environment.

After checking the organization relationship I saw that the sharing endpoint was empty again.

Get-OrganizationRelationship | select TargetSharingEpr

This resulted in an empty response. To fix Free/Busy this value needs to be filled in, especially when subdomains are involved. If you use @test.com it is fine, but if you use @nl.test.com it goes wrong, because it tries to reach autodiscover.nl.test.com instead of autodiscover.test.com. Even if you have CNAME records in place, it takes too long.

Instead of letting autodiscover find out what the URL is, I simply put the EWS URL of the Hybrid servers in the TargetSharingEpr directly, as I had this issue in the past as well. So: https://hybrid.test.com/ews/exchange.asmx

Set-OrganizationRelationship -TargetSharingEpr https://hybrid.test.com/ews/exchange.asmx -Identity yourmicrosoftidentity

After this, the Free/Busy will work again.

Categories
Exchange Microsoft NetScaler

Converting SSL certificates

Often when you buy or receive a new certificate, you need it in a different format depending on your needs.

PEM Format

The PEM format is the most common format that CAs issue certificates in. PEM certificates usually have extensions such as .pem, .crt, .cer, and .key. They are Base64-encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.

Apache and other similar servers like Citrix NetScaler use PEM format certificates. Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files.

DER Format

The DER format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der, but it often has a file extension of .cer, so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements. All types of certificates and private keys can be encoded in DER format. DER is typically used with Java-related platforms.

PKCS#7/P7B Format

The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extension of .p7b or .p7c. P7B certificates contain "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements. A P7B file only contains certificates and chain certificates, not the private key. Several platforms support P7B files, including Microsoft Windows and Java Tomcat.

PKCS#12/PFX Format

The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

When converting a PFX file to PEM format, OpenSSL will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END statements) to its own individual text file and save them as certificate.cer, CACert.cer, and privateKey.key respectively.

OpenSSL Commands to Convert SSL Certificates

There are several online converters for SSL certificates, but I urge you to convert the certificate locally with OpenSSL. You don't want to store your PRIVATE key on someone else's machine. If you do it locally, the private key stays on your machine. A good point here is that you should have some form of disk encryption on your laptop, so that if your PC/laptop is stolen the keys remain safe. Use the following OpenSSL commands to convert SSL certificates to different formats:

OpenSSL Convert PEM

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

OpenSSL Convert DER

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

OpenSSL Convert P7B

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx

OpenSSL Convert PFX

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
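The two manual steps in this section, telling a DER .cer from a PEM .cer by looking for the BEGIN/END markers and splitting the single file that "openssl pkcs12 -nodes" produces into certificate.cer, CACert.cer and privateKey.key, can be automated with nothing but the Python standard library. The example below is added here and is not from the page or from OpenSSL; ssl.PEM_cert_to_DER_cert and ssl.DER_cert_to_PEM_cert are real stdlib functions (they only re-encode the Base64 body, they do not validate the certificate). The "certificate" bytes are constructed minimal ASN.1 SEQUENCEs standing in for real certificate bodies, and the file names follow the article.

```python
import re
import ssl
from typing import Dict, List, Tuple

# One PEM object: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.DOTALL)


def sniff_format(data: bytes) -> str:
    """Classify a blob the way the article says to: look for BEGIN/END
    markers, otherwise treat it as binary ASN.1."""
    if b"-----BEGIN PKCS7-----" in data:
        return "P7B"
    if b"-----BEGIN " in data:
        return "PEM"
    if data[:1] == b"\x30":
        # 0x30 is the ASN.1 SEQUENCE tag. A DER certificate and a PFX/PKCS#12
        # container both start with it, so only a real ASN.1 parse (or the
        # openssl commands above) can tell those two apart.
        return "DER-or-PFX"
    return "unknown"


def split_pem_bundle(text: str) -> List[Tuple[str, str]]:
    """Return (label, block) pairs for every PEM object in a combined file."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def split_bundle_to_files(text: str) -> Dict[str, str]:
    """Mimic the manual copy/paste step: the first certificate becomes
    certificate.cer, further certificates go to CACert.cer, keys to privateKey.key.
    Returns file name -> contents; nothing is written to disk."""
    files: Dict[str, str] = {}
    for label, block in split_pem_bundle(text):
        if label == "CERTIFICATE":
            name = "certificate.cer" if "certificate.cer" not in files else "CACert.cer"
        elif label.endswith("PRIVATE KEY"):
            name = "privateKey.key"
        else:
            continue  # e.g. a CERTIFICATE REQUEST: not part of the article's workflow
        files[name] = files.get(name, "") + block + "\n"
    return files


def pem_to_der(pem_block: str) -> bytes:
    """Same re-encoding as 'openssl x509 -outform der' for one certificate block."""
    return ssl.PEM_cert_to_DER_cert(pem_block)


def der_to_pem(der: bytes) -> str:
    """Same re-encoding as 'openssl x509 -inform der'."""
    return ssl.DER_cert_to_PEM_cert(der)


# Constructed placeholders: minimal ASN.1 SEQUENCEs, NOT real certificates or
# keys, just bytes in the right container to exercise the format handling.
FAKE_SERVER_DER = bytes.fromhex("3003020101")
FAKE_CA_DER = bytes.fromhex("3003020102")
FAKE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMAMCAQM=\n-----END PRIVATE KEY-----\n"

# What 'openssl pkcs12 -nodes' leaves you with: everything in one file.
SAMPLE_BUNDLE = der_to_pem(FAKE_SERVER_DER) + der_to_pem(FAKE_CA_DER) + FAKE_KEY_PEM

if __name__ == "__main__":
    print("bundle format:", sniff_format(SAMPLE_BUNDLE.encode()))
    for name, contents in split_bundle_to_files(SAMPLE_BUNDLE).items():
        print(f"--- {name} ---\n{contents}", end="")
```

The split function keeps the private key in memory only, which is the point of the "convert locally" advice above; if you do write the pieces out, give privateKey.key restrictive permissions.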


Categories
Other

Policy Based Routing HPE Aruba 3800 series

Today I was busy with some Policy Based Routing (PBR) on an HPE Aruba 3800 series switch.

Situation:

(Diagram: pbr-3800)

The default gateway is set to 172.16.1.1, which is ISP A, a line dedicated to business traffic.

So in the config of the switch:

ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip routing

Let's assume that we have another ISP, named B, which needs to be used for Office 365, in particular Exchange Online. Of course the best option would be to change the default gateway, because Microsoft has a lot of IP addresses which change on a regular basis. So my advice would be to set the default gateway to ISP B and make a PBR for the things that should go to ISP A. Users of VLAN 5 need to have this in place.

We start by creating a class which contains the IPv4 addresses for Exchange Online listed on this Microsoft page. The class name is case sensitive. Also please note that we can't use normal subnet masks (the switch accepts them, but it's not working); we have to use wildcard masks here.

class ipv4 "Office365-Subnets"
5 match ip 0.0.0.0 255.255.255.255 13.107.6.152 0.0.0.1
10 match ip 0.0.0.0 255.255.255.255 13.107.9.152 0.0.0.1
15 match ip 0.0.0.0 255.255.255.255 13.107.18.10 0.0.0.1
20 match ip 0.0.0.0 255.255.255.255 13.107.19.10 0.0.0.1
25 match ip 0.0.0.0 255.255.255.255 23.103.160.0 0.0.15.255
30 match ip 0.0.0.0 255.255.255.255 23.103.224.0 0.0.31.255
35 match ip 0.0.0.0 255.255.255.255 40.96.0.0 0.7.255.255
40 match ip 0.0.0.0 255.255.255.255 40.104.0.0 0.3.255.255
45 match ip 0.0.0.0 255.255.255.255 70.37.151.128 0.0.0.127
50 match ip 0.0.0.0 255.255.255.255 111.221.112.0 0.0.7.255
55 match ip 0.0.0.0 255.255.255.255 131.253.33.215 0.0.0.0
60 match ip 0.0.0.0 255.255.255.255 132.245.1.128 0.0.0.127
65 match ip 0.0.0.0 255.255.255.255 132.245.2.0 0.0.1.255
70 match ip 0.0.0.0 255.255.255.255 132.245.4.0 0.0.3.255
75 match ip 0.0.0.0 255.255.255.255 132.245.8.0 0.0.7.255
80 match ip 0.0.0.0 255.255.255.255 132.245.16.0 0.0.15.255
85 match ip 0.0.0.0 255.255.255.255 132.245.32.0 0.0.31.255
90 match ip 0.0.0.0 255.255.255.255 132.245.64.0 0.0.31.255
95 match ip 0.0.0.0 255.255.255.255 132.245.96.0 0.0.15.255
100 match ip 0.0.0.0 255.255.255.255 132.245.113.128 0.0.0.127
105 match ip 0.0.0.0 255.255.255.255 132.245.114.0 0.0.1.255
110 match ip 0.0.0.0 255.255.255.255 132.245.116.0 0.0.3.255
115 match ip 0.0.0.0 255.255.255.255 132.245.120.0 0.0.7.255
120 match ip 0.0.0.0 255.255.255.255 132.245.129.128 0.0.0.127
125 match ip 0.0.0.0 255.255.255.255 132.245.130.0 0.0.1.255
130 match ip 0.0.0.0 255.255.255.255 132.245.132.0 0.0.3.255
135 match ip 0.0.0.0 255.255.255.255 132.245.136.0 0.0.7.255
140 match ip 0.0.0.0 255.255.255.255 132.245.144.0 0.0.15.255
145 match ip 0.0.0.0 255.255.255.255 132.245.160.0 0.0.31.255
150 match ip 0.0.0.0 255.255.255.255 132.245.192.0 0.0.63.255
155 match ip 0.0.0.0 255.255.255.255 134.170.68.0 0.0.1.255
160 match ip 0.0.0.0 255.255.255.255 157.56.96.16 0.0.0.15
165 match ip 0.0.0.0 255.255.255.255 157.56.96.224 0.0.0.15
170 match ip 0.0.0.0 255.255.255.255 157.56.106.128 0.0.0.15
175 match ip 0.0.0.0 255.255.255.255 157.56.232.0 0.0.7.255
180 match ip 0.0.0.0 255.255.255.255 157.56.240.0 0.0.15.255
185 match ip 0.0.0.0 255.255.255.255 191.232.96.0 0.0.31.255
190 match ip 0.0.0.0 255.255.255.255 191.234.6.152 0.0.0.0
195 match ip 0.0.0.0 255.255.255.255 191.234.140.0 0.0.3.255
200 match ip 0.0.0.0 255.255.255.255 191.234.224.0 0.0.3.255
205 match ip 0.0.0.0 255.255.255.255 204.79.197.215 0.0.0.0
210 match ip 0.0.0.0 255.255.255.255 206.191.224.0 0.0.31.255
215 match ip 0.0.0.0 255.255.255.255 207.46.150.128 0.0.0.127
220 match ip 0.0.0.0 255.255.255.255 207.46.203.128 0.0.0.63
exit

Now we have a class we can bind it in a policy and set the next-hop to 172.16.1.2.

policy pbr "POL-Office365-Subnets"
     5 class ipv4 "Office365-Subnets"
      action ip next-hop 172.16.1.2
      exit
   exit

Since the HPE implementation requires the policy to be mapped to a VLAN, and so far we only created a policy but didn't bind it anywhere, we have to do the following:

vlan 5
   name "test"
   untagged 1
   ip address 192.168.1.0 255.255.255.0
   service-policy "POL-Office365-Subnets" in
   exit

Keep in mind that you can only bind one PBR policy to a VLAN. If you enter the command service-policy "POL-test" in again and press enter, you won't get a warning, but you simply override the existing PBR. Also, you can only apply the PBR to incoming packets on a VLAN.
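Because the switch silently accepts a normal subnet mask but does not match on it, the conversion to wildcard masks is the step most worth automating and checking. The Python example below is added here and is not from the page or from HPE: it converts CIDR prefixes (the form Microsoft publishes) into the address/wildcard pairs the class needs, converts hand-typed entries back to CIDR so they can be checked, evaluates whether a destination address hits the class, and renders the class, policy and VLAN binding in the layout used above. The sample CIDR list is constructed from the first few entries of the page's class.

```python
import ipaddress
from typing import Iterable, List, Tuple


def cidr_to_wildcard(cidr: str) -> Tuple[str, str]:
    """'23.103.160.0/20' -> ('23.103.160.0', '0.0.15.255'). The wildcard mask is
    the inverted netmask, which ipaddress exposes as hostmask."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def wildcard_to_cidr(address: str, wildcard: str) -> str:
    """Reverse direction, used to check entries copied by hand. Only a
    contiguous wildcard (a run of 1 bits from the right) maps to a prefix."""
    w = int(ipaddress.ip_address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return str(ipaddress.ip_network(f"{address}/{32 - w.bit_length()}", strict=True))


def destination_matches(entries: Iterable[Tuple[str, str]], dst_ip: str) -> bool:
    """Switch-side semantics: a destination hits an entry when every bit that
    is 0 in the wildcard agrees with the entry address."""
    d = int(ipaddress.ip_address(dst_ip))
    for address, wildcard in entries:
        a = int(ipaddress.ip_address(address))
        w = int(ipaddress.ip_address(wildcard))
        if ((d ^ a) & ~w & 0xFFFFFFFF) == 0:
            return True
    return False


def build_pbr_config(class_name: str, cidrs: List[str], policy_name: str, next_hop: str,
                     vlan_id: int, vlan_name: str, vlan_ip: str, vlan_mask: str) -> str:
    """Render class, policy and VLAN binding; sequence numbers run 5, 10, 15 ...
    like the hand-written class on the page. Source is 'any' (0.0.0.0 255.255.255.255)."""
    lines = [f'class ipv4 "{class_name}"']
    for seq, cidr in enumerate(cidrs, start=1):
        address, wildcard = cidr_to_wildcard(cidr)
        lines.append(f"{seq * 5} match ip 0.0.0.0 255.255.255.255 {address} {wildcard}")
    lines += [
        "exit",
        f'policy pbr "{policy_name}"',
        f'     5 class ipv4 "{class_name}"',
        f"      action ip next-hop {next_hop}",
        "      exit",
        "   exit",
        f"vlan {vlan_id}",
        f'   name "{vlan_name}"',
        f"   ip address {vlan_ip} {vlan_mask}",
        f'   service-policy "{policy_name}" in',
        "   exit",
    ]
    return "\n".join(lines) + "\n"


# Constructed sample: the first few Exchange Online ranges from the page, in CIDR form.
SAMPLE_CIDRS = ["13.107.6.152/31", "13.107.9.152/31", "23.103.160.0/20",
                "40.96.0.0/13", "131.253.33.215/32"]

if __name__ == "__main__":
    print(build_pbr_config("Office365-Subnets", SAMPLE_CIDRS, "POL-Office365-Subnets",
                           "172.16.1.2", 5, "test", "192.168.1.0", "255.255.255.0"))
```

Feeding a freshly downloaded Microsoft list through build_pbr_config and comparing the output with show policy is a quick way to catch a stale or mistyped entry before traffic that should use ISP A ends up on ISP B.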

Some show commands:

show policy POL-Office365-Subnets

Output
Statements for policy "POL-Office365-Subnets"
policy pbr "POL-Office365-Subnets"
     5 class ipv4 "Office365-Subnets"
      action ip next-hop 172.16.1.2
      exit
   exit

 show statistics policy POL-Office365-Subnets vlan 5 in

Output:
 Hit Counts for Policy POL-Office365-Subnets

  Total

 5 class ipv4 Office365-Subnets action ignore
(       0 )      5 match ip 0.0.0.0 255.255.255.255 13.107.6.152 0.0.0.1
(       0 )      10 match ip 0.0.0.0 255.255.255.255 13.107.9.152 0.0.0.1
(       0 )      15 match ip 0.0.0.0 255.255.255.255 13.107.18.10 0.0.0.1
(       0 )      20 match ip 0.0.0.0 255.255.255.255 13.107.19.10 0.0.0.1
(       0 )      25 match ip 0.0.0.0 255.255.255.255 23.103.160.0 0.0.15.255
(       0 )      30 match ip 0.0.0.0 255.255.255.255 23.103.224.0 0.0.31.255
(       0 )      35 match ip 0.0.0.0 255.255.255.255 40.96.0.0 0.7.255.255
(       0 )      40 match ip 0.0.0.0 255.255.255.255 40.104.0.0 0.3.255.255
(       0 )      45 match ip 0.0.0.0 255.255.255.255 70.37.151.128 0.0.0.127
(       0 )      50 match ip 0.0.0.0 255.255.255.255 111.221.112.0 0.0.7.255
(       0 )      55 match ip 0.0.0.0 255.255.255.255 131.253.33.215 0.0.0.0
(       0 )      60 match ip 0.0.0.0 255.255.255.255 132.245.1.128 0.0.0.127
(       0 )      65 match ip 0.0.0.0 255.255.255.255 132.245.2.0 0.0.1.255
(       0 )      70 match ip 0.0.0.0 255.255.255.255 132.245.4.0 0.0.3.255
(       0 )      75 match ip 0.0.0.0 255.255.255.255 132.245.8.0 0.0.7.255
(       0 )      80 match ip 0.0.0.0 255.255.255.255 132.245.16.0 0.0.15.255
(       0 )      85 match ip 0.0.0.0 255.255.255.255 132.245.32.0 0.0.31.255
(       0 )      90 match ip 0.0.0.0 255.255.255.255 132.245.64.0 0.0.31.255
(       0 )      95 match ip 0.0.0.0 255.255.255.255 132.245.96.0 0.0.15.255
(       0 )      100 match ip 0.0.0.0 255.255.255.255 132.245.113.128 0.0.0.127
(       0 )      105 match ip 0.0.0.0 255.255.255.255 132.245.114.0 0.0.1.255
(       0 )      110 match ip 0.0.0.0 255.255.255.255 132.245.116.0 0.0.3.255
(       0 )      115 match ip 0.0.0.0 255.255.255.255 132.245.120.0 0.0.7.255
(       0 )      120 match ip 0.0.0.0 255.255.255.255 132.245.129.128 0.0.0.127
(       0 )      125 match ip 0.0.0.0 255.255.255.255 132.245.130.0 0.0.1.255
(       0 )      130 match ip 0.0.0.0 255.255.255.255 132.245.132.0 0.0.3.255
(       0 )      135 match ip 0.0.0.0 255.255.255.255 132.245.136.0 0.0.7.255
(       0 )      140 match ip 0.0.0.0 255.255.255.255 132.245.144.0 0.0.15.255
(       0 )      145 match ip 0.0.0.0 255.255.255.255 132.245.160.0 0.0.31.255
(       0 )      150 match ip 0.0.0.0 255.255.255.255 132.245.192.0 0.0.63.255
(       0 )      155 match ip 0.0.0.0 255.255.255.255 134.170.68.0 0.0.1.255
(       0 )      160 match ip 0.0.0.0 255.255.255.255 157.56.96.16 0.0.0.15
(       0 )      165 match ip 0.0.0.0 255.255.255.255 157.56.96.224 0.0.0.15
(       0 )      170 match ip 0.0.0.0 255.255.255.255 157.56.106.128 0.0.0.15
(       0 )      175 match ip 0.0.0.0 255.255.255.255 157.56.232.0 0.0.7.255
(       0 )      180 match ip 0.0.0.0 255.255.255.255 157.56.240.0 0.0.15.255
(       0 )      185 match ip 0.0.0.0 255.255.255.255 191.232.96.0 0.0.31.255
(       0 )      190 match ip 0.0.0.0 255.255.255.255 191.234.6.152 0.0.0.0
(       0 )      195 match ip 0.0.0.0 255.255.255.255 191.234.140.0 0.0.3.255
(       0 )      200 match ip 0.0.0.0 255.255.255.255 191.234.224.0 0.0.3.255
(       0 )      205 match ip 0.0.0.0 255.255.255.255 204.79.197.215 0.0.0.0
(       0 )      210 match ip 0.0.0.0 255.255.255.255 206.191.224.0 0.0.31.255
(       0 )      215 match ip 0.0.0.0 255.255.255.255 207.46.150.128 0.0.0.127
(       0 )      220 match ip 0.0.0.0 255.255.255.255 207.46.203.128 0.0.0.63