Author: admin@labtinker.net

Firewalls Networking
21 March 2024

FortiGate SDWAN – Out of the Lab

I was recently involved in a project to roll out FortiGate SDWAN on what sounded like an almost text book scenario: two Hubs and two Branches. Obviously, I won’t post the client’s configs in this post but I will attach some configs from a lab that I created to generate configurations and test generally. (Please review with caution. I did a lot of tweaking and […]

Firewalls Networking
18 July 2023

BFG, BGP and BFD

If you were a Big Friendly Giant and wanted fast BGP convergence,you might well investigate BFD. (OK, now I have justified my alliteration we can move on) In the previous post, we had a resilient BGP topology which I will remind us of here: When the FG1 Fortigate was shutdown it took BGP between two and three minutes to re-route traffic through FG2. Popular wisdom […]

Firewalls Networking
28 June 2023

Fortigate and BGP

Last week I attended an event at Fortinet’s offices in London which are on the 26th floor of a building in the City. With a view like this you’d be forgiven for spending a lot of time looking out of the window Today, I’d like to tinker with BGP on Fortigates. (I have to declare an interest I got a couple of pens, a nice […]

Encryption Firewalls
26 April 2023

IKEy no Likey NAT-T

I was recently drafted into help fix a VPN between a Fortigate in Azure and a good old fashioned on-prem ASA. The former had been deployed by some ARM templates and the latter had some config in place but ,it transpired, not enough. Fixing it brought to light two issues. The first is my offering to the Googlesphere: Issue One Do you know that happy […]

Personal
5 March 2023

The Top Right Corner

In football there are free-kicks so superbly taken that commentators will say the goalie had no chance. The ball was so perfectly arced into the top right corner that there was nothing the hapless keeper could have done to stop it. What brings me to this? A trouble-shooting scenario where the issue was so deviously constructed – albeit not on purpose – that it felt […]

Firewalls Networking
30 October 2022

Forti SD-WAN DIA (and GNS3 Cloud types!)

I’ve been looking at SD-WAN recently and labbed up a simple implementation to test this using GNS3. This is the setup: The southern cloud to the left allows management access to the Fortigate and the cloud next to it is a connection to a VMWare Workstation Linux box. The clouds north of the Fortigate are both GNS3 Nat clouds out to the Internet. It occurs […]

Networking
7 August 2022

MPLS and MP-BGP

To me MPLS has always been a cloud on a network diagram that was someone else’s problem. But I decided to lab it up and see how it worked. Happily, I found someone who had described how to set up the lab to do just this: https://packetlife.net/blog/2011/may/16/creating-mpls-vpn/ The rest of the post assumes you have read this link but I will repeat or emphasise relevant […]

Firewalls
2 July 2022

As Easy as Falling of a Log

I encountered one of those smallish problems where I needed to do something slightly out of the ordinary and felt the need to share it here to spare someone a precious few moments re-inventing… not so much the wheel… as the perhaps the furry dice. And so to the problem: I have/had an overly permissive rule on an ASA and after putting more granular rules […]

DNS Firewalls
11 June 2022

Call the DNS Doctor

I never really knew DNS doctoring was much of a thing until I encountered it: essentially getting your firewall to alter or doctor DNS responses. One use case for this might be that you can have your internal hosts receive an internal DNS address whilst keeping them pointing to an external ISP’s DNS. I could go on but somebody already has: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html So I thought […]

Firewalls
30 April 2022

Cisco Firepower and non-std SSH

At my new place of work I have encountered Cisco’s NGFW offering: Firepower. The firewall policies are administered on an FMC (Firewall Management Center) and pushed or deployed to enforcement modules called FTDs (Firepower Threat Defense) . Instead of FTD’s you can do this on ASAs with an SFR module but I digress . Posts passim will testify that I like to test NGFWs by […]