How to show and clear DHCP bindings on the LAN Huawei VRP (Versatile routing platform) CLI

This is a quick reference guide for showing and clearing DHCP bindings on the Huawei VRP CLI.

1. display ip pool

The following command displays all the DHCP bindings. Depending on how DHCP is configured you reference either the interface or the pool name, since DHCP can be configured on the interface or globally.

Cisco equivalent: “sh ip dhcp binding”

display ip pool interface vlanif21 used

display ip pool name testdhcp used

[Huawei]display ip pool ?
   interface     Information of interface pool
   name          Pool name
   vpn-instance  Show IP pool bind the VPN-instance
   |             Matching output

display ip pool interface vlanif21 used  
   Pool-name      : vlanif21
   Pool-No        : 0
   Lease          : 1 Days 0 Hours 0 Minutes
   Domain-name    : -
   DNS-server0    : 8.8.8.8         
   DNS-server1    : 8.8.8.4         
   NBNS-server0   : -               
   Netbios-type   : -               
   Position       : Interface       Status           : Unlocked
   Gateway-0      : 192.168.1.254   
   Mask           : 255.255.255.0
   VPN instance   : --
 
      Start           End     Total  Used  Idle(Expired)  Conflict  Disable
 
  192.168.1.1   192.168.1.254   253     1        252(0)         0        0
 
 Network section : 
 
 Index              IP               MAC      Lease   Status  
 
 252   192.168.1.253    5489-9877-235d      78724   Used
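As an added example (not part of the original post), here is a small Python parser for the display ip pool ... used output above. It pulls the pool summary row and the binding rows into structures, so that before you reset a pool you can see which MACs you do not recognise and which addresses the router reports as Conflict. The sample text is the output from above with one constructed Conflict row added, and the known-MAC list passed in is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "display ip pool interface vlanif21 used" output
# from the post, with one extra Conflict row added so the review step has
# something to flag. Embedded here so the parser runs offline.
SAMPLE_POOL_OUTPUT = """\
   Pool-name      : vlanif21
   Pool-No        : 0
   Lease          : 1 Days 0 Hours 0 Minutes
   Gateway-0      : 192.168.1.254
   Mask           : 255.255.255.0

      Start           End     Total  Used  Idle(Expired)  Conflict  Disable

  192.168.1.1   192.168.1.254   253     2        251(0)         1        0

 Network section :

 Index              IP               MAC      Lease   Status

 252   192.168.1.253    5489-9877-235d      78724   Used
 249   192.168.1.250    0011-2233-4455          0   Conflict
"""


@dataclass
class Binding:
    index: int
    ip: str
    mac: str      # Huawei form xxxx-xxxx-xxxx, lower case
    lease: int    # seconds remaining
    status: str   # Used / Conflict / Expired ...


# One row of the "Network section" table: index, IPv4, MAC, lease, status.
BINDING_RE = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+(\d+)\s+(\w+)\s*$"
)
# The pool summary row: Start End Total Used Idle(Expired) Conflict Disable.
SUMMARY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+"
    r"(\d+)\((\d+)\)\s+(\d+)\s+(\d+)\s*$"
)


def normalise_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb-ccdd-eeff and return
    the Huawei aabb-ccdd-eeff form, so MACs from another vendor's inventory
    compare cleanly against VRP output."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def parse_pool(text):
    """Return (summary dict, list of Binding) from 'display ip pool ... used' output."""
    summary = {}
    bindings = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            summary = {
                "start": m[1], "end": m[2], "total": int(m[3]), "used": int(m[4]),
                "idle": int(m[5]), "expired": int(m[6]),
                "conflict": int(m[7]), "disable": int(m[8]),
            }
            continue
        m = BINDING_RE.match(line)
        if m:
            bindings.append(Binding(int(m[1]), m[2], normalise_mac(m[3]), int(m[4]), m[5]))
    return summary, bindings


def review_bindings(bindings, known_macs):
    """Bindings worth a second look before you reset the pool: any MAC not in
    the known-device list, and any address the router reports as Conflict."""
    known = {normalise_mac(k) for k in known_macs}
    return [b for b in bindings if b.mac not in known or b.status.lower() == "conflict"]


if __name__ == "__main__":
    summary, bindings = parse_pool(SAMPLE_POOL_OUTPUT)
    print(f"pool {summary['start']}-{summary['end']}: "
          f"{summary['used']} used, {summary['conflict']} conflict")
    # The known-MAC list is an assumption standing in for your inventory.
    for b in review_bindings(bindings, ["54:89:98:77:23:5d"]):
        print(f"  check index {b.index}: {b.ip} {b.mac} {b.status}")
```

Pipe the real output in from a terminal log and the same two regexes apply; the row layout is what the `used` keyword prints, so `expired` or `conflict` output can be parsed the same way.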

2. Reset ip pool

Cisco equivalent would be “clear ip dhcp binding“.

reset ip pool interface vlanif21 ?
   X.X.X.X   Start IP address
   all       All IP address
   conflict  Conflict IP address
   expired   Expired IP address
   used      Used IP address

or

By pool name

reset ip pool ?
   interface  Interface pool
   name       Pool name




Thank you for reading – please feel free to leave a comment

How to configure an Automation Stitch (email alert) for CPU threshold on a Fortigate.

This is a quick reference on how to configure an Automation Stitch for CPU threshold on a Fortigate.

Please note that I configured this on Fortigate firmware 6.2.7. You will also need to ensure that SMTP is set up on the Fortigate.

1. Configure CPU Threshold

This is the value at which point the Fortigate will generate a log for CPU usage.

conf system global
set cpu-use-threshold 50

2. Configure Automation Stitch

2.1 GUI

2.1.1 Create New

This can be found under Security Fabric / Automation

2.1.2 Select Trigger for Email

In this case CPU Usage Statistics which is under FortiOS Event Log option.

2.1.3 Select Email

Add the email address that you want the alerts sending to.

2.2 CLI

Configure the SMTP server email configured in step 1 as the “email-from”

config system automation-action
    edit "Nameofstitch_email"
        set action-type email
        set email-to "youremail@gmail.com"
        set email-from "yourgmail@gmail.com"
        set email-subject "configuration change"
        set email-body "%%log%%"
        set minimum-interval 60
        set delay 0
        set required disable
    next
end

3. Test

In order to test this you will need to generate enough traffic to push the CPU past the 50% threshold. You could use a network stress tester to achieve this. Adding logging and UTM to the firewall policy and turning off CPU offloading on it will increase CPU usage.

Thank you for reading and please feel free to leave any feedback.

Checklist for Fortigate admin access over SSL-VPN

This is a Checklist for Fortigate admin access over SSL-VPN

1. Trusted hosts

Ensure that the SSL-VPN source address or SSL-VPN address pool is on the trusted host list for admin access to the Fortigate.

config system admin
    edit "admin" 
        set trusthost5 10.212.134.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set password yourpassword
    next
end
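The trusted-host check is easy to get subtly wrong (a /25 where the pool needs a /24, or a pool that was widened later). The following Python is an added example, not FortiGate code and not from the original post: it reads the trusthost lines out of a config system admin block and reports which part of the SSL-VPN pool range, if any, falls outside them. The pool range 10.212.134.200-210 used in the sample is an assumption; use the range of your own SSLVPN_TUNNEL_ADDR1 object.

```python
import ipaddress

# Constructed config fragment in the shape of the block above.
SAMPLE_ADMIN_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
        set trusthost5 10.212.134.0 255.255.255.0
        set accprofile "super_admin"
    next
end
"""


def parse_trusthosts(config_text):
    """Collect every 'set trusthostN <ip> <mask>' line as an IPv4 network."""
    nets = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "set" and parts[1].startswith("trusthost"):
            nets.append(ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False))
    return nets


def uncovered(first_ip, last_ip, trusthosts):
    """Return the parts of the pool range first_ip..last_ip that no trusthost
    entry covers. An empty list means every VPN client address may reach the
    admin interface; anything left over will be rejected as untrusted."""
    remaining = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first_ip), ipaddress.ip_address(last_ip)))
    for th in trusthosts:
        next_remaining = []
        for chunk in remaining:
            if chunk.version != th.version or not chunk.overlaps(th):
                next_remaining.append(chunk)        # untouched by this entry
            elif chunk.subnet_of(th):
                continue                            # fully covered, drop it
            else:
                # CIDR blocks that overlap nest, so th sits inside chunk here.
                next_remaining.extend(chunk.address_exclude(th))
        remaining = next_remaining
    return sorted(remaining)


if __name__ == "__main__":
    hosts = parse_trusthosts(SAMPLE_ADMIN_CONFIG)
    # Assumed pool range; replace with your SSLVPN_TUNNEL_ADDR1 start and end.
    gaps = uncovered("10.212.134.200", "10.212.134.210", hosts)
    print("pool fully trusted" if not gaps else
          "not trusted: " + ", ".join(str(g) for g in gaps))
```

Run it against `show system admin` output pasted into a file; a non-empty result is the exact block of client addresses that would get "untrusted host" on login.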

2. Allowaccess on Interface

Ensure you have allowed the service or port access on the interface using “set allowaccess ping https ssh” under the interface configuration.

config system interface
    edit "vlan100"
        set vdom "root"
        set ip 10.100.0.254 255.255.255.0
        set allowaccess ping https ssh
        set vlanforward enable
        set device-identification enable
        set role lan
        set snmp-index 12
        set interface "internal5"
        set vlanid 100
    next
end

3. Firewall policy

Ensure you have a firewall policy from the SSL-VPN interface to the LAN you intend to connect to.

config firewall policy
    edit 3
        set name "SSL_VPN_LAN"
        set srcintf "ssl.root"
        set dstintf "vlan100"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSL_VPN"
    next
end

4. Routing table

Ensure you have a route to the firewall interface. You may have split-tunnelling, which specifies the addresses routable over the SSL-VPN; any route not specified will route locally via the user's local internet breakout. 10.100.0.0/24 is the LAN network directly connected to the firewall. You can specify just the individual firewall interface address if you want to.

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling-routing-address "10.100.0.0/24"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
end

If using Windows you can check the routing table by running the command route print.

C:\WINDOWS\system32>route print

Please let me know what you thought of the guide and if it worked, what issues you ran into or if anything wasn’t clear. Thank you for reading.

How to configure a SSL-VPN with certificate authentication on a Fortigate.

This is a detailed guide on how to configure an SSL VPN with certificate authentication on a Fortigate. We will be using OpenSSL to generate the CA and certificates.

1. Generate the CA or root certificate (Certificate Authority)

You will need to generate a root certificate to sign the Server and Client certificate. You will need to install the CA and Server Certificate on the Fortigate and the Client PKCS#12 certificate on the end user computer where the Forticlient VPN application is installed. This will create a chain of trust called public key infrastructure (PKI).

1.1 Create the directories to hold the CA certificate.

sudo mkdir /etc/ssl/CA
sudo mkdir /etc/ssl/newcerts

1.2 Create additional CA files

The CA needs a few additional files to operate, one to keep track of the last serial number used by the CA, and another file to record which certificates have been issued:

sudo sh -c "echo '01' > /etc/ssl/CA/serial"
sudo touch /etc/ssl/CA/index.txt

1.3 Edit the config file (/etc/ssl/openssl.cnf)

This specifies the file locations for OPENSSL.

nano /etc/ssl/openssl.cnf
dir             = /etc/ssl               # Where everything is kept
database        = $dir/CA/index.txt      # database index file.
certificate     = $dir/certs/cacert.pem  # The CA certificate
serial          = $dir/CA/serial         # The current serial number
private_key     = $dir/private/cakey.pem # The private key

1.4 Generate Root Certificate

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Please note that your Organization Name (O) needs to match on all your certificates that will be forming the chain of trust.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You will need to ensure that your organization unit name (OU) is unique on each certificate in terms of the above. Steps 2 and 3 cover the Certificate Signing Request of both Server and Client where you will need to take into account these values.

1.5 Install the Root Certificate and Key

sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

2. Generate Server CSR (Certificate Signing Request) and Key

2.1 Generate Server Key

openssl genrsa -des3 -out server.key 2048

The next set of commands strips the passphrase from the key so that you don't have to enter it to generate the CSR (Certificate Signing Request):

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

2.2 Generate Server CSR

Please note the following needs to be accurate for it to work: the Organization Name (O) needs to match on all 3 certificates.

openssl req -new -key server.key -out server.csr

3. Generate Client CSR (Certificate Signing Request) and key

Repeat step 2 – replacing the word server with client. You should have the following files.

root@dhcp-server:/home/david# ls
client.csr  client.key server.csr  server.key

4. Sign both the Server and Client CSR’s

This will create the server and client certificate.

sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf
sudo openssl ca -in client.csr -config /etc/ssl/openssl.cnf

You will now have both the .crt files

root@dhcp-server:/home/david# ls
client.crt  client.key  server.crt  server.key

5. Generate the .pfx file or pkcs12 Client certificate

This will be installed on the host where the Forticlient application is installed.

openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile client.crt

You should now have the following files:

root@dhcp-server:/home/david# ls
client.crt  client.key  client.pfx  server.crt  server.key

6. Copy the CA certificate back to your home directory

cp /etc/ssl/certs/cacert.pem /home/david/

You will now have all the files you need for certificate authentication.

root@dhcp-server:/home/david# ls
cacert.pem  client.crt  client.key  client.pfx  server.crt  server.key

7. Install the Client certificate on the users computer

Copy the client.pfx to the user's computer and double-click the file. Using the Windows certificate wizard, install the certificate to the Personal certificate store.

8. Import CA Certificate to Fortigate

Import the cacert.pem file to your Fortigate. Under System/Certificates click Import and then CA Certificate. Then click File and then the Upload button.

You will now see the certificate installed under Remote CA Certificates.

9. Import Server Certificate to Fortigate

You will need both server.crt and server.key for this. Again click Import, and this time click Local Certificate. Upload the server certificate and key file to the Fortigate as per below. Alternatively you could generate the PKCS#12 or .pfx file (as was done with the client certificate).

You will now see the certificate on the Fortigate under local certificates. Please refer to the picture in step 8.

PLEASE NOTE: The following steps will assume that you have a working SSL VPN configuration and will not go through in detail the workings of a SSL-VPN setup.

10. Configure PKI user

10.1 You will need to specify a username, your CA certificate, and subject.

config user peer
    edit "yourusername"
        set ca "CA_Cert_1"
        set subject "C"
    next
end

10.2 Obtaining the subject from the certificate

root@dhcp-server:/home/david# openssl x509 -noout -in client.crt -subject
subject=C = UK, ST = Some-State, O = SecNetLinux, OU = Client, CN = Client

Once this has been completed you will see the PKI option on the GUI and can then put the PKI users that you have created into the corresponding SSLVPN groups.
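The set subject "C" value in step 10.1 matches very broadly: as I understand the FortiGate PKI peer behaviour, the subject check is a substring match against the certificate's subject DN, and every certificate this CA issues has C in its subject, so any of them would pass. The following Python is an added example, not from the post and not Fortinet code, that parses the openssl subject line above into its attributes, shows the substring rule, and builds a value that pins the OU and CN of the one client you actually want to admit. The second subject line is constructed, and the exact DN formatting FortiGate compares against (spaces around the =) is an assumption; the fnbamd debug in step 13 shows the string it actually sees.

```python
# Constructed: the subject line printed in step 10.2, plus a second certificate
# the same CA could issue, to show what a loose subject string lets through.
CLIENT_SUBJECT = "subject=C = UK, ST = Some-State, O = SecNetLinux, OU = Client, CN = Client"
OTHER_SUBJECT = "subject=C = UK, ST = Some-State, O = SecNetLinux, OU = Lab, CN = Contractor"


def parse_subject(line):
    """Turn 'subject=C = UK, ST = ..., CN = Client' into [(attr, value), ...],
    keeping the order openssl printed. Values containing commas are not
    handled (they would need RFC 4514 escaping)."""
    body = line[len("subject="):] if line.startswith("subject=") else line
    pairs = []
    for part in body.split(","):
        attr, sep, value = part.partition("=")
        if sep:
            pairs.append((attr.strip(), value.strip()))
    return pairs


def dn_string(pairs):
    """Re-join attributes in the 'A = v, B = w' form openssl prints (assumed to
    be the form the substring check runs against)."""
    return ", ".join(f"{a} = {v}" for a, v in pairs)


def subject_matches(cert_subject_line, configured):
    """Assumed FortiGate rule: the configured 'set subject' string only has to
    occur somewhere inside the certificate's subject DN."""
    return configured in dn_string(parse_subject(cert_subject_line))


def pinned_subject(cert_subject_line, attrs=("OU", "CN")):
    """Build a 'set subject' value that pins the chosen attributes of one
    certificate, e.g. 'OU = Client, CN = Client', instead of a one-letter match."""
    wanted = dict(parse_subject(cert_subject_line))
    missing = [a for a in attrs if a not in wanted]
    if missing:
        raise ValueError(f"certificate subject has no {missing}")
    return ", ".join(f"{a} = {wanted[a]}" for a in attrs)


if __name__ == "__main__":
    for label, configured in (("loose", "C"), ("pinned", pinned_subject(CLIENT_SUBJECT))):
        print(f'{label:7} set subject "{configured}"')
        for line in (CLIENT_SUBJECT, OTHER_SUBJECT):
            print(f"    {dn_string(parse_subject(line))!r}: {subject_matches(line, configured)}")
```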

10.3 Add two factor authentication

11. Configure the SSL-VPN settings

You will set the server certificate which you uploaded earlier ( set servercert “SSLSERVER” ) and also set the reqclientcert to enable. I have also set the default-portal to web-access although we will be using Forticlient.

config vpn ssl settings
    set reqclientcert enable
    set servercert "SSLSERVER"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN"
            set portal "full-access"
        next
    end
end

Again I have not gone through too much detail regarding the SSL-VPN setup. You will need to make sure you have your firewall policies, portal mappings etc. in place for this to work. This guide assumes you have a working SSL-VPN configuration in place and that you are adding additional authentication.

12. Configure Forticlient

Once you have successfully installed the client certificate as per step 7, it will populate the drop-down next to Client Certificate.

13. Troubleshooting Commands on the Fortigate

diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug enable

Please let me know what you thought of the guide and if it worked, what issues you ran into or if anything wasn’t clear. Thank you for reading.

How to run a packet capture on a Fortigate (CLI)

This is a quick reference guide showing how to run a packet capture on a Fortigate. It is important to remember that the packet capture will only show packets that are being handled by the kernel (not being offloaded to an ASIC); you can however disable offloading on the policy as follows:

1 – Disable ASIC offload for traffic (Optional)

I have marked this optional as you don't need to do it, but it ensures you get the packets to look at.

config firewall policy
    edit <policy id>
        set auto-asic-offload disable
    next
end

2 – Setup the capture

The syntax is a spin-off of tcpdump; essentially it is tcpdump under the hood, so most filters will work. The syntax is as follows; options and verbose level are optional. I usually use verbose 4 so I can see the interface names.

diagnose sniffer packet <interface> "<options>" <verbose level> <count> <timestamp format>

all flags / options apart from interface are optional

interface – The actual interface you want the sniffer to run on or capture packets on, you can use the word any for all interfaces or specify the name of the interface

options – The tcpdump filter options you want to use, these must be surrounded by double or single quotes

verbose level – This can be a number between 1 and 6 and is defined as follows:

1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name

count – limit of packets you want to count, when this number is reached sniffer will stop, use 0 for unlimited

timestamp format – The format for the timestamp. By default it is the number of seconds and milliseconds from when you started the capture to when the displayed packet is received on the listening interface. Other options are a or l: a for absolute time and l for local time.

3 – example 1 – all icmp

This example is to capture all icmp traffic and show the interface name

diagnose sniffer packet any "icmp" 4

I setup a test ping to the Fortigate whilst the sniffer was running

Brierley-FW01 # diagnose sniffer packet any "icmp" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[icmp]
2.216830 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
2.216853 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply
3.221063 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
3.221086 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply
4.233794 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
4.233816 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply
5.244740 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
5.244761 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply

So with the verbose 4 flag I can see the request is coming in on port2 (the ICMP echo request) and the reply is being sent out via port2. This makes sense as I am pinging the interface itself. I also get the timestamp right at the beginning, which is by default relative to the time you started sniffing, so in my case it was 2.216830 seconds after I entered the command that I received the echo request. You can change this so it shows an actual timestamp.

Brierley-FW01 # diagnose sniffer packet any "icmp" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[icmp]
2021-01-25 09:39:15.604359 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
2021-01-25 09:39:15.604412 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply
2021-01-25 09:39:16.608767 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
2021-01-25 09:39:16.608788 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply
2021-01-25 09:39:17.619909 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
2021-01-25 09:39:17.619931 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply
2021-01-25 09:39:18.630056 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
2021-01-25 09:39:18.630079 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply

Same example however I add an additional flag which again is optional. 0 for the number of packets (Which means unlimited) and l for local time, this uses the time local to the Firewall defined under system time.
You can now see I have some output with an actual timestamp.
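To make the capture output easier to reason about, for instance to spot a reply that leaves on a different interface from the one the request came in on (the reverse-path problem mentioned at the end of this post), here is an added Python parser for the verbose 4 line format. It is not from the post and not a Fortinet tool. The sample capture is constructed: the ICMP lines are the ones shown above, while the TCP and UDP lines, and the reply that leaves on port3, are made up. The protocol guess from the trailing text is a heuristic.

```python
import re
from collections import defaultdict

# Constructed sample in the verbose-4 layout: relative and local ('l')
# timestamps, ICMP lines from the capture above, plus a made-up TCP handshake
# whose reply leaves on a different port, and one UDP line.
SAMPLE_CAPTURE = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[icmp]
2.216830 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
2.216853 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply
2021-01-25 09:39:15.604359 port2 in 172.16.10.200 -> 172.16.10.2: icmp: echo request
2021-01-25 09:39:15.604412 port2 out 172.16.10.2 -> 172.16.10.200: icmp: echo reply
3.100210 port1 in 10.1.1.5.51234 -> 172.16.10.2.22: syn 1234567
3.100355 port3 out 172.16.10.2.22 -> 10.1.1.5.51234: syn 7654321 ack 1234568
3.200000 port1 in 10.1.1.5.40000 -> 8.8.8.8.53: udp 40
"""

# <timestamp> <interface> <in|out> <src> -> <dst>: <info>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+|\d+\.\d+)\s+"
    r"(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<info>.*)$"
)


def split_endpoint(endpoint):
    """'10.1.1.5.51234' -> ('10.1.1.5', 51234); a bare IPv4 address has no port."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def guess_proto(info, sport):
    """Heuristic on the trailing text: 'icmp: ...', 'udp <len>', otherwise TCP flags."""
    if info.startswith("icmp"):
        return "icmp"
    if info.startswith("udp"):
        return "udp"
    return "tcp" if sport is not None else "other"


def parse_capture(text):
    """Parse sniffer lines into dicts; banner lines such as interfaces=[any] are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        packets.append({
            "ts": m["ts"], "intf": m["intf"], "dir": m["dir"],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": guess_proto(m["info"], sport), "info": m["info"],
        })
    return packets


def asymmetric_flows(packets):
    """Flows whose ingress interface differs from the interface the return
    traffic leaves on. With 'any', a forwarded packet appears twice (in on one
    port, out on another), so compare A->B 'in' against B->A 'out' rather than
    counting interfaces per host pair."""
    ins, outs = defaultdict(set), defaultdict(set)
    for p in packets:
        (ins if p["dir"] == "in" else outs)[(p["src"], p["dst"])].add(p["intf"])
    flagged = []
    for (a, b), in_ifs in ins.items():
        out_ifs = outs.get((b, a))
        if out_ifs and in_ifs != out_ifs:
            flagged.append(((a, b), sorted(in_ifs), sorted(out_ifs)))
    return sorted(flagged)


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print(f"{len(pkts)} packets parsed")
    for (a, b), in_ifs, out_ifs in asymmetric_flows(pkts):
        print(f"{a} -> {b}: request in on {in_ifs}, reply out on {out_ifs}: check routing")
```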

Other examples

These are some examples for the filter (the bit between the quotes): common ones which are good and which I use most of the time. Obviously you can get extremely complex with it, but here are a few examples.

By ip address (Either source or destination)

diagnose sniffer packet any "host 10.1.1.1" 4

Replace 10.1.1.1 with the IP address.

By network

So if you want to sniff traffic to or from 10.1.1.0/24 you would use this:

diagnose sniffer packet any "net 10.1.1.0/24" 4

Replace the network with any you need

By port number

This is useful if you are looking for traffic on a certain port

diagnose sniffer packet any "port 2222" 4

Again replace the port number with whatever port you need. This is for both TCP & UDP.

source or destination

Use this if you want to see traffic with the address as the source or as the destination. Useful if you only want initiating traffic to be shown.

diagnose sniffer packet any "src 10.1.1.1" 4
diagnose sniffer packet any "dst 10.1.1.1" 4

Protocol

You can filter by protocol e.g. tcp, udp icmp and so on

diagnose sniffer packet any "tcp" 4

This for example would show only TCP traffic

Using AND

So if you need source = 10.1.1.1 and destination = 8.8.8.8 and it's ICMP, you could string them together.

AND logic says both must be true.

diagnose sniffer packet any "src 10.1.1.1 and dst 8.8.8.8 and icmp" 4

Using OR

The logic of OR is that one of the statements must be true, whereas with AND you need both to be true.

diagnose sniffer packet any "src 10.1.1.1 or src 10.1.1.2" 4

So the filter matches if the source is either 10.1.1.1 or 10.1.1.2. This also means that if there is traffic from both of these then both will show, as the filter is run against each packet.

Combining AND and OR

So let's say you need the source to be 10.1.1.1 or 10.1.1.2, the port to be 22 and the protocol to be TCP; you would have to use brackets as follows.

diagnose sniffer packet any "(src 10.1.1.1 or src 10.1.1.2) and (port 22 and tcp)" 4

Notice how I put them in brackets; this bit is done first, so I am saying source is 10.1.1.1 or 10.1.1.2 AND port is 22 and it's TCP.

If you don't use brackets it will still be taken as a valid filter, but it won't yield what you want it to.

Using ! to negate

You can negate most things, so "anything but this", "not this".
So all ports except port 22 would be:

diagnose sniffer packet any "!port 22" 4

Again you could add multiple to this list.
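The brackets point deserves a precise statement. In tcpdump's filter grammar (pcap-filter), which I assume the Fortigate sniffer follows since it is tcpdump under the hood, ! binds tightest while and and or have equal precedence and are applied left to right, so an unbracketed filter means whatever the left-to-right reading gives, which is not always the intent. The following Python is an added example, not from the post and not a Fortinet tool: a small evaluator for the filter syntax used above (host, net, src, dst, port, tcp/udp/icmp, and/or/!, brackets) that you can run against constructed packet records to check what a filter will really match before you type it on the firewall. The pkt helper and its packet records are constructed.

```python
import ipaddress
import re


def tokenize(text):
    """Split a filter into tokens; brackets and '!' become separate tokens even
    when written without spaces, e.g. '(src' or '!port'."""
    return re.findall(r"\(|\)|!|[^\s()!]+", text)


class FilterParser:
    """Recursive-descent parser for the tcpdump subset used in this post.
    pcap-filter rules: 'not'/'!' binds tightest; 'and' and 'or' have equal
    precedence and associate left to right."""

    def __init__(self, text):
        self.tokens = tokenize(text)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("filter ended early")
        self.pos += 1
        return tok

    def parse(self):
        fn = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return fn

    def expr(self):
        # Equal precedence, left to right: fold each and/or onto what came before.
        left = self.unary()
        while self.peek() in ("and", "&&", "or", "||"):
            op = self.take()
            left = self.combine(op, left, self.unary())
        return left

    @staticmethod
    def combine(op, left, right):
        if op in ("and", "&&"):
            return lambda p: left(p) and right(p)
        return lambda p: left(p) or right(p)

    def unary(self):
        tok = self.peek()
        if tok in ("!", "not"):
            self.take()
            inner = self.unary()
            return lambda p: not inner(p)
        if tok == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.primitive()

    def primitive(self):
        tok = self.take()
        if tok in ("tcp", "udp", "icmp"):
            return lambda p: p["proto"] == tok
        if tok == "host":
            h = self.take()
            return lambda p: h in (p["src"], p["dst"])
        if tok == "net":
            n = ipaddress.ip_network(self.take(), strict=False)
            return lambda p: any(ipaddress.ip_address(a) in n for a in (p["src"], p["dst"]))
        if tok == "port":
            n = int(self.take())
            return lambda p: n in (p["sport"], p["dport"])
        if tok in ("src", "dst"):
            side, nxt = tok, self.take()
            if nxt == "port":
                n = int(self.take())
                return lambda p: p["sport" if side == "src" else "dport"] == n
            if nxt == "net":
                n = ipaddress.ip_network(self.take(), strict=False)
                return lambda p: ipaddress.ip_address(p[side]) in n
            addr = self.take() if nxt == "host" else nxt
            return lambda p: p[side] == addr
        raise ValueError(f"unknown primitive {tok!r}")


def compile_filter(text):
    """Return a function packet -> bool for the given filter string."""
    return FilterParser(text).parse()


def pkt(src, dst, proto, sport=None, dport=None):
    """Constructed packet record in the shape the compiled filters expect."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


if __name__ == "__main__":
    dns_from_b = pkt("10.1.1.2", "8.8.8.8", "udp", 40000, 53)
    for text in ("port 22 and src 10.1.1.1 or src 10.1.1.2",
                 "port 22 and (src 10.1.1.1 or src 10.1.1.2)"):
        print(f"{text!r}: matches UDP/53 from 10.1.1.2 = {compile_filter(text)(dns_from_b)}")
```

The two filters in the usage block differ only by brackets: read left to right the first one becomes (port 22 and src 10.1.1.1) or src 10.1.1.2, so every packet from 10.1.1.2 matches whatever its port, while the bracketed one keeps the port condition on both sources.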

Thoughts?

So that's a brief look at what you could potentially use the Fortigate's built-in packet capture for.
It comes in handy when troubleshooting a firewall issue. Couple this with a packet flow trace (more on that another time) and you can debug most situations for firewall policies.
It is also useful for routing: you may sometimes receive the traffic on the incorrect interface, which will cause the reverse path lookup to fail, an anti-spoofing mechanism that most stateful firewalls incorporate.

Thanks for reading, if you have any questions about this or need some help on a specific filter please feel free to leave a comment or get in touch.
If you are interested in looking more into the filters then look at tcpdump most of these will work.

How to check the routing table on a Fortigate (CLI)

This is a quick reference guide detailing how to check the routing table on a Fortigate using the CLI.

1 – Log on using SSH

2 – View the full routing table

get router info routing-table all

This will output the full routing table

3 – Query a specific route

get router info routing-table details <route>

e.g.

Brierley-FW01 # get router info routing-table details 172.16.10.3

Routing table for VRF=0
Routing entry for 172.16.10.0/24
  Known via "connected", distance 0, metric 0, best
  * is directly connected, port2 distance 0


OR

Brierley-FW01 # get router info routing-table details 172.16.10.0/24

Routing table for VRF=0
Routing entry for 172.16.10.0/24
  Known via "connected", distance 0, metric 0, best
  * is directly connected, port2 distance 0

OR

Brierley-FW01 # get router info routing-table details 172.16.10.1/24

Routing table for VRF=0
Routing entry for 172.16.10.0/24
  Known via "connected", distance 0, metric 0, best
  * is directly connected, port2 distance 0


As you can see you can query the routing table using either the IP (if multiple routes are found then it will show them all), the network and mask, or the IP and mask in slash format.
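To show why the three queries above all land on the same entry, here is an added Python example (not from the post and not Fortinet code) that does a longest-prefix lookup over a constructed routing table. The connected port2 route is the one from the output above; the default route and the /25 are made up to show the longest match winning. ipaddress.ip_network(..., strict=False) is what turns 172.16.10.1/24 into 172.16.10.0/24.

```python
import ipaddress

# Constructed routing table in the spirit of the output above.
ROUTES = [
    # (prefix, protocol, distance, metric, next hop / interface)
    ("0.0.0.0/0", "static", 10, 0, "via 192.0.2.1, wan1"),
    ("172.16.10.0/24", "connected", 0, 0, "directly connected, port2"),
    ("172.16.10.128/25", "static", 10, 0, "via 172.16.10.254, port2"),
]


def normalise_query(query):
    """Accept a bare IP, a network, or an IP with a mask: 172.16.10.1/24 becomes
    172.16.10.0/24, which is why the three queries return one entry."""
    return ipaddress.ip_network(query, strict=False)


def lookup(routes, query):
    """Longest-prefix match: the most specific route that contains the whole
    queried address or network. Returns None when nothing, not even a default, fits."""
    target = normalise_query(query)
    best = None
    for prefix, *rest in routes:
        net = ipaddress.ip_network(prefix)
        if net.version != target.version or not target.subnet_of(net):
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, *rest)
    return best


if __name__ == "__main__":
    for q in ("172.16.10.3", "172.16.10.0/24", "172.16.10.1/24", "172.16.10.200", "8.8.8.8"):
        net, proto, distance, metric, via = lookup(ROUTES, q)
        print(f"{q:18} -> {net} known via {proto!r}, distance {distance}, metric {metric}, {via}")
```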

Thanks for reading

How to Format a HDD/Storage device in Linux and mount it

Intro

Whether you want to wipe everything off your disk or you need to change the filesystem type formatting a disk in Linux is not like Windows. My use case is: I have a disk already formatted to work with my Xbox console. I now don’t need it but I want to use it in my unRaid system as a backup location.

How to?

1 – Plug your device in
Using whatever connection you have, mine was a USB3.0 device so I plugged it in via USB, the same applies if this is SATA/e-SATA or SAS etc.

2 – SSH to your device
First ssh onto your server/device using putty or any other ssh client.
Log in.

You will be prompted as follows (screenshot: SSH to your device).

In my case the server’s name is BRIERLEYS and I have logged in using the root account.

3 – Find your device

You need to see if your device has been recognised. If it is a new device use the following command:

root@BRIERLEYS:~# fdisk -l | grep '^Disk'
Disk /dev/sdf: 1.84 TiB, 2000398933504 bytes, 3907029167 sectors
Disk model: Expansion

In this example I have removed my other disks from the output, but you will see something along these lines. If you have multiple devices you need some way of identifying it physically. A good way is the drive size, and only add one at a time. Logically the letter will increment, so the next disk or storage device I put in will be sdg.

The command above uses fdisk and we use | and grep to filter the output. There's a little bit of regex which is saying anything beginning with Disk: the caret (^) means "starts with".

Keep a note of the disk e.g. /dev/sdf in this example.

* If using a VM it will be something like vd or whatever the drive prefix you have setup.

4 – Format disk

Now we have identified our disk we can format it. You should pick your filesystem. I could use ext4 as this is a stable filesystem used by default for most Linux distros. It's the replacement for ext3, which is older.
However as this is an external drive and I want to use it for backing up files I will use exFAT. This is a Microsoft filesystem but will work on Linux also. It supports files over 4GB and it means if I need to pull data from it I can just move it to any laptop without having to mess around.

The command I will use is:

mkfs.ntfs -F /dev/sdf

Note the -F flag, this will force mkfs to make a filesystem even if the disk is an entire device, use this if you are sure and you don’t mind everything being wiped.

Your output will be something similar to:

/dev/sdf is entire device, not just one partition.
mkntfs forced anyway.
Cluster size has been automatically set to 4096 bytes.
Initializing device with zeroes:   0%

Let it complete and we can then use fdisk to set up a partition.

5 – Use fdisk

Next we will use fdisk; this utility allows us to set up the partitions. fdisk is always my preferred option as, for example, parted (another way) is not always included with your Linux system, so using fdisk saves having to install something else.
We have our disk so we use this now.

root@BRIERLEYS:~# fdisk /dev/sdf

Welcome to fdisk (util-linux 2.34).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0x690ab6b7.

Command (m for help):

Once you hit enter fdisk will launch. Hitting m followed by enter will show you the available options. But basic usage is:

  • m – print help
  • p – print the partition table
  • n – create a new partition
  • d – delete a partition
  • q – quit without saving changes
  • w – write the new partition table and exit

Hit the P key followed by enter to see the current partition table. We know it will be blank but just so we can see.

root@BRIERLEYS:~# fdisk /dev/sdf

Welcome to fdisk (util-linux 2.34).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0xf1173745.

Command (m for help): p
Disk /dev/sdf: 1.84 TiB, 2000398933504 bytes, 3907029167 sectors
Disk model: Expansion
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xf1173745

Command (m for help):

Now we can create a new partition. We basically enter n, then p, followed by enter until it's done.

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-3907029166, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-3907029166, default 3907029166):

Created a new partition 1 of type 'Linux' and of size 1.8 TiB.

Keep note of the sector sizes, if you don’t want to use all of your disk for this partition then amend the Last sector. If you have another partition and you re-run this the first sector will be the next available sector after the last sector of the other partition.

6 – Save

Now save: whilst still in fdisk enter w followed by hitting return. It should then drop you out of fdisk and provide some output as follows:

Command (m for help): w

The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

root@BRIERLEYS:~#

7 – Mount (If required)

This step is optional; for me I don't need to mount this as I do it all on unRAID itself. If you need to mount the disk to the current system the best way is adding it to fstab; this way it is permanent, as this will run at boot.

Add to FSTAB

edit fstab

nano /etc/fstab

Append this to the bottom

/dev/sdf               /mountpoint           filesystem    defaults        1 2

Amend to match your details. The mountpoint must exist; this is where you will access it. Please bear in mind that if you are logged on as a user, for example bob, and you don't have access to /root for example, then you cannot mount it there, it will fail.

8 – test fstab

To test your fstab without rebooting just enter

mount -a

This will mount all your mounts specified (Hence the a for all)
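A bad fstab line does more than make mount -a fail: a device that is absent at boot and has no nofail option can leave the next boot in emergency mode, and /dev/sdX letters are not stable across reboots (step 3 noted that the next disk plugged in becomes sdg). The following Python is an added example, not from the post, that checks fstab lines for those problems before you run mount -a. The sample fstab is constructed on the template line above, and mountpoint_exists is injectable so the check runs without real mountpoints.

```python
import os

# Constructed fstab content modelled on the template line above.
SAMPLE_FSTAB = """\
# <device>          <mountpoint>   <type>  <options>        <dump> <pass>
/dev/sdf            /mnt/backup    ntfs    defaults         1 2
UUID=1234-ABCD      /mnt/usb       exfat   defaults,nofail  0 0
/dev/sdg1           /root/archive  ext4    defaults         0 1
"""


def parse_fstab(text):
    """Yield (line_number, fields) for every non-comment, non-blank line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield lineno, line.split()


def check_fstab(text, mountpoint_exists=os.path.isdir):
    """Return a list of (line_number, problem) for things that commonly make
    'mount -a' fail or stop the next boot. mountpoint_exists is injectable so
    the checks can run against a sample without touching the real filesystem."""
    problems = []
    for lineno, fields in parse_fstab(text):
        if len(fields) != 6:
            problems.append((lineno, f"expected 6 fields, got {len(fields)}"))
            continue
        device, mountpoint, _fstype, options, _dump, passno = fields
        opts = set(options.split(","))
        kernel_named = device.startswith("/dev/sd")
        if kernel_named:
            problems.append((lineno, f"{device}: /dev/sdX letters can change between boots; prefer UUID= or LABEL="))
        if not mountpoint.startswith("/"):
            problems.append((lineno, f"{mountpoint}: mountpoint must be an absolute path"))
        elif not mountpoint_exists(mountpoint):
            problems.append((lineno, f"{mountpoint}: mountpoint directory does not exist"))
        if kernel_named and not opts & {"nofail", "noauto"}:
            problems.append((lineno, "no nofail: a missing disk can drop the next boot into emergency mode"))
        if passno == "1" and mountpoint != "/":
            problems.append((lineno, "fsck pass 1 is reserved for the root filesystem; use 2 or 0"))
    return problems


if __name__ == "__main__":
    # Against the live system, call check_fstab(open("/etc/fstab").read()).
    for lineno, problem in check_fstab(SAMPLE_FSTAB, mountpoint_exists=lambda p: p == "/mnt/usb"):
        print(f"line {lineno}: {problem}")
```

The UUID for the UUID= form comes from blkid; swapping the kernel name for it is the one change that makes the line survive a reshuffle of disk letters.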

Closing thoughts

As with anything Linux there are a number of different ways to do something. make sure you pay close attention to the output and if you are stuck or have any questions please let us know.

Thanks for reading

Huawei VRP(Versatile routing platform)

Intro
This is just a quick intro guide into Huawei Versatile routing platform. We tend to do a lot of work on these day to day but documentation is very sparse.

We are going to aim to put a few guides on here for common scenarios and command line options.

What is Huawei VRP?

Huawei essentially have their own* OS which allows configuration via the commandline. These routers are pretty popular as they do provide a lot of functionality. They do have downsides though (I’ll get to that) but overall they are very capable. One of the main advantages is price, they are cheaper in comparison to a Cisco equivalent mainly due to the fact that their chipsets for DSL / VDSL is their own. Whereas Cisco or Juniper use a 3rd Party and have to therefore buy the chips, Huawei have their own.

Downsides
So there are some downsides with this. When buying one or looking at the specs they are good on paper, all singing all dancing, can do this, can do that etc. However when you have a large estate of them and you work on them day to day you notice some of the issues they have. Here are a few I have personally come across:

  • Cisco but not – So as you probably know Cisco filed against Huawei stating intellectual property, basically Huawei had copied portions of Cisco IOS. It is so similar it is uncanny, but it's not similar enough. It becomes more of an annoyance; for example, to configure a Huawei you enter system-view, and to run a show command it's display. It's only a small thing but it's annoying when jumping between OSs. It's not different enough to think "ah yes, it's a Huawei"; because they serve the same purpose as a Cisco I find myself jumping on and forgetting it's a Huawei.
  • Save sometimes doesn't apply – Usually you expect a command to be saved when you enter it; although it might show in the current-config it sometimes doesn't apply / become active / work until you reboot. They are unreliable, and if something you apply doesn't work it's usually "It's a Huawei, give it a reboot".
  • Reboot takes forever – This is the biggest annoyance in my opinion. Coupled with the above, a reboot takes literally 10 minutes or so; it's the biggest downside of Huaweis.
  • Routing metrics are odd – The admin distance of the routing protocols is so odd; for example by default an OSPF route is preferred over a static route. It's not a major issue but it's more of a "why?".

Good Things?

So its not all bad, this isn’t a post about why Huawei’s are rubbish and you shouldn’t buy one, its more of an intro into what we have seen whilst working with them on a larger scale. Here are some of what I consider to be upsides

  • Vendor support is ace – They actually are really good. One example I have is we had WiFi issues across a whole estate for a customer where speeds were actually terrible for any device for a certain model and firmware; unfortunately we rolled this out to 500+ sites. The support worked with us labbing this up, and the long and short is they wrote a new patch which could be applied to the router and solved it. I have never gotten support like that from a vendor before.
  • They are capable – The devices themselves are actually very capable; it's just configuring them which is a pain. They support everything you would expect from an enterprise grade router.
  • Cost – They are obviously a little bit cheaper than a Cisco and pretty much do the same thing.

Thoughts?

Thanks for reading. Like I say, it's a brief intro into Huawei VRP; I aim to write a few guides for this, including a Cisco to Huawei command reference to help get you started.
If you have any specific queries or anything you might want a hand with, please give us a shout or leave a comment below.

Until next time …

How to configure route leaking between VRFs on the Fortigate CLI

This is a detailed guide on how to configure route leaking between VRFs on a Fortigate using the CLI.

In this scenario I will be leaking the default route into another VRF.

You will need to configure a BGP neighbor in order for this to work. This can be any BGP neighbor. In this example I have connected another router to the dmz interface and configured BGP so that a neighbor relationship will form over this link.

1. Configure Vdom-mode

You will need to set the Fortigate to multi-vdom mode so that you can create two Inter-vdom links and put them in the two separate VRFs. Multi-vdom means that you can create more than one Virtual Firewall on a single box. The Inter-vdom links that you create will remain in the root vdom.

config system global
    set vdom-mode multi-vdom
end

2. Allow overlapping of subnets

By default the Fortigate will not allow you to configure duplicate or overlapping networks on the same vdom. The two Inter-vdom links will be on the same subnet.

config vdom
    edit root
        config system settings
            set allow-subnet-overlap enable
        end
    end

3. Configure Inter-Vdom Links

Configure the two Inter-Vdom Links in the same subnet. You will see that the links are put in their respective VRFs with the command set vrf <0-31>.

config vdom
    edit root
        config system interface
            edit "npu0_vlink0"
                set vdom "root"
                set vrf 1
                set ip 10.200.0.1 255.255.255.0
                set allowaccess ping https ssh snmp http
                set type physical
                set snmp-index 13
            next
            edit "npu0_vlink1"
                set vdom "root"
                set vrf 2
                set ip 10.200.0.2 255.255.255.0
                set allowaccess ping https ssh snmp http telnet
                set type physical
                set snmp-index 14
            next
        end
    end
You will need to put your physical or virtual interfaces into their respective VRFs, for example:

config system interface
    edit "wan1"
        set vdom "root"
        set vrf 1
        set ip x.x.x.x 255.255.255.252
    next
    edit "vlan100"
        set vdom "root"
        set vrf 2
        set ip 10.100.0.254 255.255.255.0
    next
end

You will see that I have put my wan interface into one of the VRFs. This is because I am going to leak the default route from vrf 1 into vrf 2 so that vlan 100 will have internet access.

4. Configure prefix-list

Configure the prefix-list of the routes that you want to leak. In this case I will be leaking the source subnet 10.100.0.0/24 (so the return route) of VRF 2 and the default route in VRF 1.

config router prefix-list
    edit "1"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
    edit "2"
        config rule
            edit 1
                set prefix 10.100.0.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

5. Configure route-map

The route map identifies the subnets used in the VRF leaking and matches them against the prefix-list from the previous step.

config router route-map
    edit "VRF1Routes"
        config rule
            edit 1
                set match-ip-address "1"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
    edit "VRF2Routes"
        config rule
            edit 1
                set match-ip-address "2"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end

6. Configure VRF Leaking

I have included my full BGP configuration. As mentioned at the beginning, the BGP neighbour connects to the dmz interface, and you will need to specify this in your BGP configuration with the command set update-source "yourinterface". In order for the VRF leaking to work you need any neighbour that is up. Under config vrf-leak, the edit <no.> is the origin VRF ID ("vrf Origin VRF ID <0-31>"). Under config target, the edit is the target or destination VRF ("vrf Target VRF ID <0-31>"). Make sure that you assign the correct route map to each.

config router bgp
    set as 65536
    set router-id 1.1.1.1
    config neighbor
        edit "192.168.1.254"
            set remote-as 65535
            set update-source "dmz"
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
        set status enable
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
    config vrf-leak
        edit "2"
            config target
                edit "1"
                    set route-map "VRF2Routes"
                    set interface "npu0_vlink1"
                next
            end
        next
        edit "1"
            config target
                edit "2"
                    set route-map "VRF1Routes"
                    set interface "npu0_vlink0"
                next
            end
        next
    end
end

7. Check the routing table

get router info routing-table all

## lines omitted for brevity ##

Routing table for VRF=1
S*      0.0.0.0/0 [10/0] via 10.50.0.254, wan1
B       10.100.0.0/24 [20/0] via 10.200.0.2, npu0_vlink0, 05:18:07
C       10.200.0.0/24 is directly connected, npu0_vlink0

Routing table for VRF=2
B*      0.0.0.0/0 [20/0] via 10.200.0.1, npu0_vlink1, 05:15:02
C       10.100.0.0/24 is directly connected, vlan100
C       10.200.0.0/24 is directly connected, npu0_vlink1
C       192.168.1.0/24 is directly connected, dmz
B       192.168.2.0/24 [20/0] via 192.168.1.254, dmz, 03:00:13
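To confirm the leak from the CLI output rather than by eye, here is an added Python example (my own, not from this post or from Fortinet) that parses the per-VRF routing tables printed by get router info routing-table all and checks that each expected leaked prefix is present as a BGP route via the right vdom-link; the sample output is constructed from the table above.

```python
import re
from collections import defaultdict

# Constructed sample of "get router info routing-table all" output (not from a real device).
SAMPLE_TABLE = """\
Routing table for VRF=1
S*      0.0.0.0/0 [10/0] via 10.50.0.254, wan1
B       10.100.0.0/24 [20/0] via 10.200.0.2, npu0_vlink0, 05:18:07
C       10.200.0.0/24 is directly connected, npu0_vlink0

Routing table for VRF=2
B*      0.0.0.0/0 [20/0] via 10.200.0.1, npu0_vlink1, 05:15:02
C       10.100.0.0/24 is directly connected, vlan100
C       10.200.0.0/24 is directly connected, npu0_vlink1
"""

VRF_RE = re.compile(r"^Routing table for VRF=(\d+)")
# code ('*' marks the selected default), prefix, optional [AD/metric], next hop or
# "directly connected", then the egress interface (any trailing uptime is ignored)
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\S+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"\s+(?:via (?P<nexthop>\S+),|is directly connected,)\s+(?P<intf>[^,\s]+)"
)

def parse_routing_table(text):
    """Return {vrf_id: {prefix: route fields}} from FortiOS routing-table output."""
    tables, vrf = defaultdict(dict), None
    for line in text.splitlines():
        if m := VRF_RE.match(line):
            vrf = int(m.group(1))
        elif vrf is not None and (m := ROUTE_RE.match(line)):
            route = m.groupdict()
            route["code"] = route["code"].rstrip("*")
            tables[vrf][route["prefix"]] = route
    return dict(tables)

def verify_leaks(text, expected):
    """expected: (vrf, prefix, nexthop, interface) tuples; return those not present as BGP routes."""
    tables = parse_routing_table(text)
    missing = []
    for vrf, prefix, nexthop, intf in expected:
        r = tables.get(vrf, {}).get(prefix)
        if not (r and r["code"] == "B" and r["nexthop"] == nexthop and r["intf"] == intf):
            missing.append((vrf, prefix, nexthop, intf))
    return missing

# The two leaks this guide configures: default route VRF 1 -> VRF 2, return route VRF 2 -> VRF 1.
EXPECTED = [(2, "0.0.0.0/0", "10.200.0.1", "npu0_vlink1"),
            (1, "10.100.0.0/24", "10.200.0.2", "npu0_vlink0")]
```

Feed the real command output into verify_leaks(output, EXPECTED); an empty list means both leaked routes are installed where the guide expects them.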

8. Configure firewall policies

This is an example of a firewall policy setup. You will need to configure a policy from the physical or VLAN interface to the VDOM-Link in VRF 2, and then a policy from the VDOM-Link to the WAN interface in VRF 1. I have also configured policies for a VIP (Virtual IP) for connecting via a public IP to the server.

9. Test

david@WonderSH:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  _gateway (10.100.0.254)  0.587 ms  0.319 ms  0.326 ms
 2  10.200.0.1 (10.200.0.1)  0.354 ms  0.367 ms  0.351 ms
 3  vodafone.connect (10.50.0.254)  5.202 ms  4.974 ms  4.777 ms

If you feel that there is anything you can add or have a question please feel free to leave a comment below.

How to configure an Automation Stitch (email alert) on a Fortigate using Gmail SMTP.

This is a quick reference on how to configure an Automation Stitch on a Fortigate using Gmail SMTP.

Please note that I configured this on Fortigate Firmware 6.2.7

1. Configure SMTP server on Fortigate.

Probably easiest to just copy and paste the below into the CLI (with your details); otherwise you can find the settings under System / Settings on the GUI. You will need to add the Gmail account that will act as the sending account for the alert emails.

config system email-server
    set server "smtp.gmail.com"
    set port 465
    set authenticate enable
    set username "yourgmail@gmail.com"
    set password yourpassword
    set security smtps
end

2. Allow Fortigate access to GMAIL account.

You will need to go into your Gmail account and allow access as per the screenshot (turn on Less secure app access).

3. Configure Automation Stitch

3.1 GUI

3.1.1 Create New

This can be found under Security Fabric / Automation

3.1.2 Select trigger for email

3.1.3 Select Email

Add the email address that you want the alerts sent to.

3.2 CLI

Configure the SMTP account configured in step 1 as the "email-from".

config system automation-action
    edit "Nameofstitch_email"
        set action-type email
        set email-to "youremail@gmail.com"
        set email-from "yourgmail@gmail.com"
        set email-subject "configuration change"
        set email-body "%%log%%"
        set minimum-interval 60
        set delay 0
        set required disable
    next
end

4. Test

You will need to test this by performing the action the stitch is set up for. You can set it up to alert on a successful admin logout or a reboot, for example, and test that way.
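As an added pre-apply check (my own Python, not the post's or Fortinet's code): a small parser for the config/edit/set nesting used above, followed by a function that confirms the email action's email-from is the same account the email-server block authenticates as, and that the server uses smtps or starttls; the sample config is constructed from steps 1 and 3.2 with placeholder values.

```python
import re

# Constructed config (placeholder account, not from a real device): the email-server
# block from step 1 and the automation-action block from step 3.2.
SAMPLE_CONFIG = """\
config system email-server
    set server "smtp.gmail.com"
    set port 465
    set authenticate enable
    set username "yourgmail@gmail.com"
    set security smtps
end
config system automation-action
    edit "Nameofstitch_email"
        set action-type email
        set email-to "youremail@gmail.com"
        set email-from "yourgmail@gmail.com"
        set email-body "%%log%%"
    next
end
"""

SET_RE = re.compile(r'^set (\S+) "?(.*?)"?$')   # set <key> <value>, quotes optional

def parse_fortios(text):
    """Flatten config/edit nesting into {"system email-server": {...}, "system automation-action/NAME": {...}}."""
    blocks, path = {}, []
    for line in text.splitlines():
        tok = line.strip()
        if tok.startswith(("config ", "edit ")):
            path.append(tok.split(" ", 1)[1].strip('"'))    # descend one level
        elif tok in ("next", "end"):
            path.pop()                                       # climb back out
        elif m := SET_RE.match(tok):
            blocks.setdefault("/".join(path), {})[m.group(1)] = m.group(2)
    return blocks

def check_stitch_mail(text):
    """Return findings; empty means the email action is wired to an authenticated TLS server."""
    cfg = parse_fortios(text)
    srv, findings = cfg.get("system email-server", {}), []
    if srv.get("authenticate") != "enable":
        findings.append("email-server: authenticate is not enabled")
    if srv.get("security") not in ("smtps", "starttls"):
        findings.append("email-server: security is not smtps or starttls")
    for key, act in cfg.items():
        if key.startswith("system automation-action/") and act.get("action-type") == "email":
            if act.get("email-from") != srv.get("username"):
                findings.append(key + ": email-from does not match the email-server username")
    return findings
```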

Thank you for reading and please feel free to leave any feedback.