Category: Firewalls

13 November 2024

Palo Alto Admin authentication with Entra ID and Duo MFA

I wanted to try out Cisco Duo MFA using SAML, and loyal readers of this blog will know that in posts passim I set up authentication for a Palo Alto firewall administrator using SAML and ADFS, so it seemed a natural progression to try this using Microsoft’s Entra ID (formerly Azure AD) with Cisco Duo. Microsoft Entra ID, which will act as the SAML primary authentication […]

21 July 2024

An Image Problem II

Cyberratings.org, a non-profit technical testing organisation, recently released a report on eight NGFW firewalls. Seven of the vendors’ products tested received a recommended rating and one, Cisco, received a caution for their Firepower Threat Defense product (CyberRatings Announces Enterprise Firewall Test Results – CyberRatings). The full report is behind a paywall but more insight is provided here: https://www.sdxcentral.com/articles/analysis/ciscos-enterprise-firewall-receives-caution-rating-from-cyberratings/2024/06 I happened on this through an […]

4 May 2024

An Image Problem

They say write about what you know. Even if what you know about is reimaging Cisco firewalls? They probably didn’t mean write about that but never mind we’ll press on and not hold our breaths for the movie to come out. For reasons I won’t go into I recently had to re-image a Cisco FMC 1600 and two 3100 series FTDs. My main takeaway from […]

21 March 2024

FortiGate SDWAN – Out of the Lab

I was recently involved in a project to roll out FortiGate SDWAN on what sounded like an almost text book scenario: two Hubs and two Branches. Obviously, I won’t post the client’s configs in this post but I will attach some configs from a lab that I created to generate configurations and test generally. (Please review with caution. I did a lot of tweaking and […]

18 July 2023

BFG, BGP and BFD

If you were a Big Friendly Giant and wanted fast BGP convergence, you might well investigate BFD. (OK, now I have justified my alliteration we can move on.) In the previous post, we had a resilient BGP topology which I will remind us of here: When the FG1 Fortigate was shut down it took BGP between two and three minutes to re-route traffic through FG2. Popular wisdom […]

28 June 2023

Fortigate and BGP

Last week I attended an event at Fortinet’s offices in London, which are on the 26th floor of a building in the City. With a view like this you’d be forgiven for spending a lot of time looking out of the window. Today, I’d like to tinker with BGP on Fortigates. (I have to declare an interest: I got a couple of pens, a nice […]

26 April 2023

IKEy no Likey NAT-T

I was recently drafted in to help fix a VPN between a Fortigate in Azure and a good old fashioned on-prem ASA. The former had been deployed by some ARM templates and the latter had some config in place but, it transpired, not enough. Fixing it brought to light two issues. The first is my offering to the Googlesphere: Issue One: Do you know that happy […]

9 January 2023

Forti SD-WAN Hub and Spoke: Part Two

Picking up from the previous post, we are now going to test the resilience of our Hub and Spoke SD-WAN topology using the tests described in the Fortigate design reference guide below: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan-self-healing-with-bgp/559415/overview The following diagram is from the above post’s ‘Testing and Verification’ section, which I’m essentially following (though I’m using port1 and port2, not port2 and port3). Having cited my source and given […]

5 January 2023

Forti SD-WAN Hub and Spoke: Part One

UPDATE: I couldn’t get this working without the frig detailed below. However, there’s probably still some value in this post. (Translation: I’m too lazy to do a similar one.) But I did get hold of some evaluation licenses and set up the topology detailed in the link below using FortiOS 7.2.5 – and it worked fine. https://docs.fortinet.com/document/fortimanager/7.2.0/single-datacenter-for-enterprise/503190 If you’re deploying an SD-WAN topology of any […]

30 October 2022

Forti SD-WAN DIA (and GNS3 Cloud types!)

I’ve been looking at SD-WAN recently and labbed up a simple implementation to test this using GNS3. This is the setup: The southern cloud to the left allows management access to the Fortigate, and the cloud next to it is a connection to a VMware Workstation Linux box. The clouds north of the Fortigate are both GNS3 NAT clouds out to the Internet. It occurs […]