5 March 2023

The Top Right Corner

In football there are free-kicks so superbly taken that commentators will say the goalie had no chance. The ball was so perfectly arced into the top right corner that there was nothing the hapless keeper could have done to stop it. What brings me to this? A trouble-shooting scenario where the issue was so deviously constructed – albeit not on purpose – that it felt […]

9 January 2023

Forti SD-WAN Hub and Spoke: Part Two

Picking up from the previous post, we are now going to test the resilience of our Hub and Spoke SD-WAN topology using the tests described in the Fortigate design reference guide below: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan-self-healing-with-bgp/559415/overview The following diagram is from the above post’s ‘Testing and Verification’ section, which I’m essentially following (though I’m using port1 and port2, not port2 and port3). Having cited my source and given […]

5 January 2023

Forti SD-WAN Hub and Spoke: Part One

UPDATE: I couldn’t get this working without the frig detailed below. However, there’s probably still some value in this post. (Translation: I’m too lazy to do a similar one.) But I did get hold of some evaluation licenses and set up the topology detailed in the link below using FortiOS 7.2.5 – and it worked fine. https://docs.fortinet.com/document/fortimanager/7.2.0/single-datacenter-for-enterprise/503190I If you’re deploying an SD-WAN topology of any […]

30 October 2022

Forti SD-WAN DIA (and GNS3 Cloud types!)

I’ve been looking at SD-WAN recently and labbed up a simple implementation to test this using GNS3. This is the setup: the southern cloud to the left allows management access to the Fortigate, and the cloud next to it is a connection to a VMware Workstation Linux box. The clouds north of the Fortigate are both GNS3 NAT clouds out to the Internet. It occurs […]

7 August 2022

MPLS and MP-BGP

To me MPLS has always been a cloud on a network diagram that was someone else’s problem. But I decided to lab it up and see how it worked. Happily, I found someone who had described how to set up the lab to do just this: https://packetlife.net/blog/2011/may/16/creating-mpls-vpn/ The rest of the post assumes you have read this link but I will repeat or emphasise relevant […]

2 July 2022

As Easy as Falling off a Log

I encountered one of those smallish problems where I needed to do something slightly out of the ordinary and felt the need to share it here to spare someone a precious few moments re-inventing… not so much the wheel… as perhaps the furry dice. And so to the problem: I have/had an overly permissive rule on an ASA and, after putting more granular rules […]

11 June 2022

Call the DNS Doctor

I never really knew DNS doctoring was much of a thing until I encountered it: essentially getting your firewall to alter or doctor DNS responses. One use case for this might be that you can have your internal hosts receive an internal DNS address whilst keeping them pointing to an external ISP’s DNS. I could go on but somebody already has: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html So I thought […]

30 April 2022

Cisco Firepower and non-std SSH

At my new place of work I have encountered Cisco’s NGFW offering: Firepower. The firewall policies are administered on an FMC (Firewall Management Center) and pushed or deployed to enforcement modules called FTDs (Firepower Threat Defense). Instead of FTDs you can do this on ASAs with an SFR module, but I digress. Posts passim will testify that I like to test NGFWs by […]

20 March 2022

CNAME of shame

Before I left work on Friday some of our proxies were showing a DNS error getting to https://app.powerbi.com; our MSP was left pursuing this. I decided to do a bit of digging myself. A DNS query can provide an ‘A’ response, which tells the querier the IP address associated with the given name, but often a CNAME (Canonical Name) record can be returned, which effectively […]

16 February 2022

OpenSSL Cheatsheet

Ed Harmoush, whose SSL course I waxed lyrical on in an earlier post, has released a freely shareable OpenSSL cheatsheet to publicise a new course specifically on… OpenSSL. So here it is… I haven’t done the OpenSSL course but intend to and I repeat my recommendation for his SSL course… links to his site are on the cheat sheet…