PDF File: Remove Password Protection

KB ID 0001719

Problem

My daughter had a file that was protected by a password (it had sensitive personal information in it). She wanted to send this file to someone, but wanted to remove the password protection first.

I thought this would be easy: open it in Acrobat Reader, find the bit that says 'password protect' and untick it, right? Well, to enable that 'feature' (called the "protect feature"), you have to pay Adobe?

Tech Rant: I really don’t like Adobe, I don’t like their pay for things monthly, nothing works without you paying for it, we can do whatever we like and you chumps will pay for it attitude. I’ve stopped using Photoshop because now I can only ‘rent it’. Adobe Acrobat needs to update at least once every two days, (which it has since 1985 for some unfathomable reason!) 

Solution

Microsoft is our saviour! (There's a sentence I don't use that often!) Open the offending file in the Microsoft Edge browser. (I'm using a Mac, but the process is identical on a Windows machine; I know because I did it that way first!)

Enter the password.

Print > Change the Printer > Save as PDF > OK. This saves the current file as a new PDF, and the new file won't be password protected. Bear in mind that print-to-PDF produces a fresh, unencrypted copy: interactive form fields, bookmarks and the original's permission restrictions do not survive the print step, and the output holds the sensitive content in clear, so store and send it with the same care you gave the original.
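As an added example (not part of the original article), the following Python checks whether a PDF still carries an /Encrypt entry and, if it does, reports the standard security handler's revision and key length. That lets you confirm the printed copy really is unencrypted, and shows how strong the original's protection was. It uses only the standard library; the three sample PDFs are constructed inline for illustration and are not real files.

```python
import re
import sys

# Standard security handler revisions (/R) and the cipher each implies.
REVISIONS = {
    2: "RC4, 40-bit key",
    3: "RC4, 40-128-bit key",
    4: "RC4 or AES-128 via crypt filters",
    5: "AES-256 (Adobe extension, deprecated)",
    6: "AES-256 (PDF 2.0)",
}


def _dict_at(data, pos):
    """Body of the '<< ... >>' dictionary starting at or after pos, nesting-aware."""
    start = data.index(b"<<", pos)
    depth, i = 0, start
    while i < len(data) - 1:
        two = data[i:i + 2]
        if two == b"<<":
            depth += 1
            i += 2
        elif two == b">>":
            depth -= 1
            if depth == 0:
                return data[start + 2:i]
            i += 2
        else:
            i += 1
    raise ValueError("unterminated dictionary")


def _top_level(body):
    """Drop nested dictionaries (e.g. /CF << /StdCF << /Length 16 >> >>) so that
    key lookups only see the encryption dictionary's own entries."""
    out, depth, i = bytearray(), 0, 0
    while i < len(body):
        two = body[i:i + 2]
        if two == b"<<":
            depth += 1
            i += 2
        elif two == b">>":
            depth -= 1
            i += 2
        else:
            if depth == 0:
                out.append(body[i])
            i += 1
    return bytes(out)


def pdf_encryption_info(data):
    """Return None when the PDF carries no /Encrypt entry, otherwise a dict with the
    security handler's filter, /V, /R, key length and a 'weak' flag (pre-R4 handlers
    or keys shorter than 128 bits). The last /Encrypt reference wins, because a PDF
    with incremental updates may carry several trailers."""
    refs = list(re.finditer(rb"/Encrypt\s*(\d+)\s+(\d+)\s+R", data))
    if refs:
        num, gen = int(refs[-1].group(1)), int(refs[-1].group(2))
        header = re.search(rb"(?<![0-9])%d\s+%d\s+obj" % (num, gen), data)
        if header is None:
            raise ValueError("encryption dictionary %d %d obj not found" % (num, gen))
        body = _dict_at(data, header.end())
    else:
        direct = data.rfind(b"/Encrypt")  # /Encrypt may also be a direct dictionary
        if direct < 0:
            return None
        body = _dict_at(data, direct)
    own = _top_level(body)

    def int_key(name, default):
        m = re.search(rb"/" + name + rb"\s+(-?\d+)", own)
        return int(m.group(1)) if m else default

    filt = re.search(rb"/Filter\s*/([A-Za-z0-9.]+)", own)
    v, r = int_key(b"V", 0), int_key(b"R", 0)
    key_bits = 256 if v >= 5 else int_key(b"Length", 40)  # no /Length means 40-bit
    return {
        "filter": filt.group(1).decode() if filt else None,
        "version": v,
        "revision": r,
        "key_bits": key_bits,
        "algorithm": REVISIONS.get(r, "unknown revision"),
        "weak": r < 4 or key_bits < 128,
    }


def describe(data):
    info = pdf_encryption_info(data)
    if info is None:
        return "not encrypted"
    return "encrypted: %s, /V %d /R %d, %d-bit key (%s)%s" % (
        info["filter"], info["version"], info["revision"], info["key_bits"],
        info["algorithm"], ", WEAK" if info["weak"] else "")


# Constructed sample files (not real PDFs from the article): just enough structure
# for the check. The AES-128 one is what a current Acrobat/Edge password looks like.
UNENCRYPTED_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R /Size 3 >>\n%%EOF\n"
)
ENCRYPTED_PDF = (
    b"%PDF-1.6\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"5 0 obj << /Filter /Standard /V 4 /R 4 /Length 128 /P -3904\n"
    b"  /CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >>\n"
    b"  /StmF /StdCF /StrF /StdCF /O <00> /U <00> >> endobj\n"
    b"trailer << /Root 1 0 R /Size 6 /Encrypt 5 0 R /ID [<01><01>] >>\n%%EOF\n"
)
WEAK_PDF = (
    b"%PDF-1.2\n1 0 obj << /Type /Catalog >> endobj\n"
    b"4 0 obj << /Filter /Standard /V 1 /R 2 /P -64 /O <00> /U <00> >> endobj\n"
    b"trailer << /Root 1 0 R /Size 5 /Encrypt 4 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python pdfcheck.py output.pdf (hypothetical file name)
        with open(sys.argv[1], "rb") as fh:
            print(describe(fh.read()))
    else:
        for name, blob in (("unencrypted", UNENCRYPTED_PDF),
                           ("aes-128", ENCRYPTED_PDF), ("rc4-40", WEAK_PDF)):
            print(name, "->", describe(blob))
```

Run it against the file Edge wrote and expect "not encrypted"; run it against the original to see what you were relying on (an /R 2 or /R 3 handler is 40-128-bit RC4 and should be considered broken, which is another reason to treat the password as access control rather than real protection).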

WARNING: Don't message me below and ask 'what if I don't know the password?' I'm not here to teach you how to hack into password protected PDF files. Learn to use Google properly.

Related Articles, References, Credits, or External Links

NA

Fortigate: Cannot Ping an Interface?

KB ID 0001718

Problem

With other firewall vendors (e.g. Cisco) you can ping any interface you are 'directly connected to'. With Fortigate, however, you cannot (by default). That's not the end of the world: you can check connectivity using ARP (see below), which is what really cool network techs do instead! But if you want to be able to ping an interface (even for a short period of time), here's how to do it.

Solution

Fundamentally, the reason you can't ping a Fortigate interface is that 'ping' isn't listed in the 'allowaccess' setting for that interface. allowaccess is the list of management protocols (https, ssh, ping, snmp and so on) that the interface itself will answer to; anything not listed gets no reply, which is also why you should only add what you need on an outside-facing interface.

Let’s fix that;

[box]

config system interface
edit {port-name}
set allowaccess {existing settings, e.g. https ssh} ping
end

[/box]

Note: set replaces the whole list, so repeat the protocols that are already enabled (check with show system interface {port-name} first) or you will lock yourself out of management on that port. append allowaccess ping, run in the same edit context, adds ping without disturbing the existing entries.

Using ARP to check connectivity

A lot of people assume that if you can't ping something you are not connected to it; that's not the case at all. If you 'think' something is on the same layer 2 network segment as you and you can't ping it, send the ping anyway and then look in the ARP cache on your machine (for Windows and Linux the command is arp -a; on modern Linux ip neigh shows the same table). The ping may get no reply, but the ARP request that went out first will, if the host really is on your segment.

Below: you can see the MAC address for that IP address, even though you do not get a ping response!

However, once ping is enabled, your ICMP responses will work fine.
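Here is the ARP check above as a small script, added as an example and not part of the original article. It pings once purely to make the OS send an ARP request, then reads the cache and tells you whether the address resolved to a MAC (on the segment, just not answering ICMP), was tried but never answered (incomplete), or is not in the cache at all. The parser handles the Linux, Windows and macOS arp -a formats; the sample output is constructed for illustration, not captured from the lab in the article.

```python
import platform
import re
import subprocess

# Constructed sample of `arp -a` output in the three formats the parser understands
# (Linux, Windows, macOS). Real output comes from probe() below.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.1) at 00:09:0f:09:00:01 [ether] on eth0
? (192.168.1.50) at <incomplete> on eth0
  192.168.1.1           00-09-0f-09-00-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
? (10.0.0.5) at 0:9:f:9:0:1 on en0 ifscope [ethernet]
"""

# Six hex groups separated by ':' or '-'; macOS prints single-digit groups.
MAC_RE = re.compile(r"\b([0-9a-f]{1,2}(?:[:-][0-9a-f]{1,2}){5})\b", re.I)


def normalise_mac(mac):
    """'0:9:f:9:0:1' or '00-09-0F-09-00-01' -> '00:09:0f:09:00:01'."""
    return ":".join(part.lower().zfill(2) for part in re.split(r"[:-]", mac))


def arp_lookup(arp_output, ip):
    """Classify ip from `arp -a` text.
    ('resolved', mac)    a MAC is cached: the host answered ARP, so it is on the
                         segment even if it drops ICMP
    ('incomplete', None) the ARP request went out and nobody answered
    ('absent', None)     the cache has no entry for ip at all"""
    # Linux/macOS wrap the address in parentheses; Windows starts the line with it.
    line_re = re.compile(r"(?:\(|^\s*)" + re.escape(ip) + r"(?:\)|\s)")
    state = "absent"
    for line in arp_output.splitlines():
        if not line_re.search(line):
            continue
        m = MAC_RE.search(line)
        if m:
            return "resolved", normalise_mac(m.group(1))
        state = "incomplete"
    return state, None


def probe(ip):
    """Send one ping to populate the ARP cache (whether it is answered is irrelevant),
    then read the cache. Needs a real network; arp_lookup() is the part that is tested."""
    if platform.system() == "Windows":
        ping = ["ping", "-n", "1", ip]
    else:
        ping = ["ping", "-c", "1", ip]
    try:
        subprocess.run(ping, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=5)
    except subprocess.TimeoutExpired:
        pass
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    return arp_lookup(out, ip)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe(sys.argv[1]))
    else:
        for ip in ("192.168.1.1", "192.168.1.50", "192.168.1.77", "10.0.0.5"):
            print(ip, "->", arp_lookup(SAMPLE_ARP_OUTPUT, ip))
```

A 'resolved' result with no ping reply is exactly the Fortigate case above: layer 2 is fine and only ICMP is being refused. An 'incomplete' result means the frame went out on the right interface but nothing with that IP answered, which is a real connectivity (or wrong-subnet) problem.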

Related Articles, References, Credits, or External Links

NA

Fortigate to Cisco ASA Site to Site VPN

KB ID 0001717

Problem

Continuing with my 'Learn some Fortigate' theme. One of the basic requirements of any edge firewall is a site to site VPN. As the bulk of my knowledge is Cisco ASA, it seems sensible for me to work out how to VPN those two firewalls together, like so;

Well, that's the pretty picture; I'm building this in EVE-NG, so here's what my workbench topology looks like;

Disclaimer (Read First! Especially before posting any comments!)

Fortinet prides itself on you not needing to use the CLI (until you actually need to use the CLI, of course!). Both ends here are configured using the GUI and ASDM. This is designed for the 'let's just make it work, who cares what's going on under the hood' generation, which means it enables IKEv1, NOT IKEv2, on the Fortigate, and BOTH IKEv1 and IKEv2 get enabled on the Cisco ASA. Couple that with all the weak crypto sets that get enabled, because someone might have a hardware firewall from 1981 or something! So in production I'd consider doing things a little more manually. I will post another article on the same subject, but then I'll make the tunnel as secure as I can (watch this space). This is an exercise in getting the tunnel up and making it work.

Tech Note: If you just use both wizards it won't work; thankfully I could debug the tunnel on the Cisco ASA to work out why. Fortinet sets all the DH groups to 5, and Cisco sets them all to 2. And Fortinet enables PFS and Cisco doesn't (it does on older versions of the OS, but not on the newer ones).

Create IKE/IPSec VPN Tunnel On Fortigate

From the web management portal > VPN > IPsec Wizard > Give the tunnel a name > Change the remote device type to Cisco > Next.

Give it the 'public' IP of the Cisco ASA > Set the port to the 'outside' port on the Fortigate > Enter a pre-shared key (a text string; you will need to enter the same key on the Cisco ASA, so paste it into Notepad or something for later) > Next.

Local interface will be the 'inside' interface on the Fortigate > Enter the local subnet(s) > Enter the remote (behind the ASA) subnet(s) > Next.

Review the settings > Create.

Select IPsec Tunnels > Select the new tunnel > Edit.

Convert to Custom Tunnel.

Phase 1 Proposal > Edit.

Add in Diffie-Hellman Group 2. (Group 2 is 1024-bit MODP, which is part of why the disclaimer above applies; in production, agree a stronger group on both ends rather than weakening the Fortigate to match the ASA's wizard defaults.)

Phase 2 Selectors > Edit > Advanced > Untick 'Enable Perfect Forward Secrecy' > OK.
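To make the Tech Note's mismatch concrete, here is an added example (not code from the article, Fortinet or Cisco) that models the two peers' proposal lists and works out whether phase 1 and phase 2 can agree, then flags what the negotiated result gives away. The proposal sets are constructed to reproduce the situation described above (Fortigate offering DH group 5 with PFS, the ASA offering DH group 2 without PFS) and are not dumps of either wizard's real output; fortigate_fixed() applies the two edits from the steps above.

```python
# Proposals as simple dicts. Constructed to illustrate the Tech Note's mismatch
# (Fortigate: DH 5 + PFS; ASA: DH 2, no PFS); they are not the wizards' real output.
FGT_PHASE1 = [
    {"enc": "aes256", "hash": "sha256", "dh": 5},
    {"enc": "aes128", "hash": "sha1",   "dh": 5},
    {"enc": "3des",   "hash": "md5",    "dh": 5},
]
ASA_PHASE1 = [
    {"enc": "aes256", "hash": "sha256", "dh": 2},
    {"enc": "aes128", "hash": "sha1",   "dh": 2},
]
FGT_PHASE2 = [{"enc": "aes256", "hash": "sha256", "pfs": 5}]
ASA_PHASE2 = [{"enc": "aes256", "hash": "sha256", "pfs": None}]  # None = PFS off

WEAK_ENC = {"des", "3des"}
WEAK_HASH = {"md5", "sha1"}
WEAK_DH = {1: "768-bit MODP", 2: "1024-bit MODP", 5: "1536-bit MODP"}


def _common(local, remote, keys):
    """Proposals from `local` that `remote` also offers (same value for every key).
    IKE settles on the first of the initiator's proposals the responder accepts."""
    return [p for p in local if any(all(p[k] == q[k] for k in keys) for q in remote)]


def weak_points(proposal):
    """Human-readable list of what is weak about one proposal."""
    out = []
    if proposal["enc"] in WEAK_ENC:
        out.append("%s encryption" % proposal["enc"])
    if proposal["hash"] in WEAK_HASH:
        out.append("%s integrity" % proposal["hash"])
    group = proposal.get("dh", proposal.get("pfs"))
    if group in WEAK_DH:
        out.append("DH group %d (%s)" % (group, WEAK_DH[group]))
    if "pfs" in proposal and proposal["pfs"] is None:
        out.append("no PFS")  # a recovered phase 1 key then unlocks every phase 2 SA
    return out


def check_tunnel(local_p1, local_p2, remote_p1, remote_p2):
    """Return (will_negotiate, messages). messages names the phase that cannot agree
    and why, plus 'weak:' warnings for what the two peers would actually settle on."""
    messages = []
    p1 = _common(local_p1, remote_p1, ("enc", "hash", "dh"))
    if not p1:
        messages.append("phase 1: no common proposal (local DH %s, remote DH %s)" % (
            sorted({p["dh"] for p in local_p1}), sorted({p["dh"] for p in remote_p1})))
    p2 = _common(local_p2, remote_p2, ("enc", "hash", "pfs"))
    if not p2:
        lpfs = sorted(str(p["pfs"]) for p in local_p2)
        rpfs = sorted(str(p["pfs"]) for p in remote_p2)
        if lpfs != rpfs:
            messages.append("phase 2: PFS mismatch (local %s, remote %s)" % (lpfs, rpfs))
        else:
            messages.append("phase 2: no common proposal")
    if p1 and p2:
        for label, chosen in (("phase 1", p1[0]), ("phase 2", p2[0])):
            for w in weak_points(chosen):
                messages.append("weak: %s uses %s" % (label, w))
    return bool(p1 and p2), messages


def fortigate_fixed():
    """The article's fix: also offer DH group 2 in phase 1 and turn PFS off in phase 2."""
    p1 = FGT_PHASE1 + [dict(p, dh=2) for p in FGT_PHASE1]
    p2 = [dict(p, pfs=None) for p in FGT_PHASE2]
    return p1, p2


if __name__ == "__main__":
    print(check_tunnel(FGT_PHASE1, FGT_PHASE2, ASA_PHASE1, ASA_PHASE2))
    fixed_p1, fixed_p2 = fortigate_fixed()
    print(check_tunnel(fixed_p1, fixed_p2, ASA_PHASE1, ASA_PHASE2))
```

The first call fails on both phases for exactly the reasons the ASA debug showed; the second negotiates but still warns about group 2 and the missing PFS, which is the trade the wizard fix makes and what the promised 'as secure as I can' article will need to undo on both ends.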

Create IKE/IPSec VPN Tunnel On Cisco ASA (ASDM)

Connect to the ASDM > Wizards > VPN Wizards > Site-to-Site VPN Wizard > Next.

You should already have an object for your local network; add that in > Then add a new Network Object for the remote (behind the Fortigate) subnet. MAKE SURE that the new object is selected as the Remote Network > Next.

Enter the pre-shared key you used (above) > Next > Tick to DISABLE NAT > Next > Finish.

Tech Note: Look at all those ciphers, hashes and additional protocols that are about to be turned on! 🙁 That's why I work at the command line.

Finally, you will need to send some traffic over the tunnel to 'bring it up' (for example, ping a host on the remote subnet from a host on the local one).

If you have a problem, see the debugging/troubleshooting links below.

Related Articles, References, Credits, or External Links

Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels

Fortigate: One to One (Static NAT)

KB ID 0001716

Problem

If you have a host that you want to be able to access from outside the firewall (e.g. a web server) then this is the process you want to carry out. I didn't find this process particularly intuitive, and it highlighted why I don't like GUI management interfaces (in 6.4 the menu names have changed, thus rendering a million blog pages inaccurate!)

I’m setting this up in EVE-NG on the work bench and this is what I’m trying to achieve;

So to access my web server from 'outside' the firewall I need to give it a NATted 'public' address on 192.168.100.0/24. Here the server is on the LAN; if yours is in a DMZ, substitute the DMZ interface for the inside one I'm using.

Solution

First task is to create a ‘Virtual IP‘, this will be the ‘public IP‘ that the web server will use. From the management interface > Policy and Objects > Virtual IPs > Create  New > Virtual IP

Give it a sensible name, and add a comment if you wish > Set the interface to the public-facing port > Type, set to 'Static NAT' > External IP (although it says range, just type in the single public IP) > Internal IP = enter the LAN IP > OK.

Firewall Policy > Create New.

Note: If your firewall is older than 6.4 the tab is called 'IPv4 Policy'.

Give the entry a name > Incoming Interface = the public interface > Outgoing Interface = the inside/LAN interface > Source = all > Destination = SET TO YOUR VIRTUAL IP > Schedule = always > Service = ALL (though in production you should of course restrict this to HTTP and/or HTTPS) > DISABLE NAT > OK.

Note: disabling NAT on an inbound rule looks wrong, but the NAT option on a policy is source NAT (it rewrites the client's address to the Fortigate's internal interface IP, or an IP pool); the destination NAT from the public address to the server is done by the Virtual IP object itself. Leave policy NAT enabled and the web server sees every connection as coming from the firewall, which breaks its logs and any IP-based access control.

Just to prove this is not all 'smoke and mirrors', here's my topology running in EVE-NG, and my external host (named Public-Client) browsing to 192.168.100.110, which the Fortigate translates to 192.168.1.123.

Related Articles, References, Credits, or External Links

FortiGate Port Forwarding

EVE-NG Deploying Fortigate v6 Firewalls

TinyCore Linux: Build a ‘Persistent’ Web Server

VMware Fusion: Not Enough Physical Memory

KB ID 0001715

Problem

I upgraded to macOS Big Sur this week, and was surprised everything still worked! That was until I tried to start up my Windows 10 virtual machine.

“Not enough physical memory is available to power on this virtual machine with its configured settings.”

Solution

Though it took me a while to 'fix', the fix is quite straightforward. I was running version 11 (see below).

As soon as I upgraded to version 12;

Everything worked correctly. Only Fusion 12 is fully supported on macOS Big Sur.

Related Articles, References, Credits, or External Links

NA

Running Dropbox On Windows Server

KB ID 0001489

Problem

If you are here, you have probably already found out that Dropbox is not supported on Windows Server platforms. You can install it and set it up happily but it stops working and needs to be relaunched all the time (manually).

I love Dropbox! So much that I actually pay for it! I run it on my management server and it's handy for copying files up into my test network, so I can appreciate how annoying it is having to restart it all the time. So to fix the problem we have to use a piece of software that's over 15 years old!

Running Dropbox as a Service on Windows Server

First you have to stop dropbox running.

Then download srvany and extract the executable to the Dropbox install directory (C:\Program Files (x86)\Dropbox). Note: This file is from the old Windows Server 2003 Resource Kit.

From an elevated command prompt run the following command;

[box]sc create Dropbox binPath= "C:\Program Files (x86)\Dropbox\srvany.exe" DisplayName= "Dropbox Service"[/box]

Note: the space after each '=' is required by sc. If you run this from PowerShell rather than cmd, use sc.exe, because sc in PowerShell is an alias for Set-Content.

Run services.msc > locate the Dropbox service > and set its 'Log On' account to the account you were logged in with when you installed the Dropbox software. (The Service Control Manager stores that account's password on the machine, and Dropbox will run with all of that account's rights, so a dedicated non-admin account is a better choice than your own.)

Change the startup type to Automatic, (Don’t start the service yet!) > OK.

Execute the following three commands from an elevated PowerShell window;

[box]

# srvany reads the program it should launch from the service's Parameters key
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\Dropbox\Parameters

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Dropbox\Parameters -Name Application -PropertyType String -Value "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe"

Start-Service Dropbox

[/box]

Update:

You also need to execute the following from an 'Administrative command window' (or Dropbox will stop synchronising after a few hours). QT_OPENGL is a Qt setting (the Dropbox client is Qt-based) that forces software rendering; because SETX /M writes a system-wide environment variable, restart the Dropbox service afterwards so it picks the setting up.

[box]

SETX /M QT_OPENGL software

[/box]

Related Articles, References, Credits, or External Links

Special Thanks to Frédéric for the SETX command to fix the timeout.

EVE-NG Deploying Fortigate v6 Firewalls

KB ID 0001714

Problem

The firm I work for are looking at a replacement for Cisco ASA as their preferred firewall of choice. We are looking at Fortinet to fill this gap, but as a product/solution it’s something I know very little about.

So the best way to learn is to deploy it and play with it, and the test-bench weapon of choice for discerning technical types is EVE-NG. So can I deploy the newest (v6.4.2 at the time of writing) Fortigate firewall into EVE-NG? Indeed, read on.

Solution

Getting the VM is pretty easy: Fortinet allows you to create a free login account and download the trial version. REMEMBER you want the KVM version of the appliance!

If you didn't know, EVE-NG (and the QEMU software that runs inside it) needs its images in folders with specific names. So log into your EVE-NG appliance and create a new folder;

[box]

mkdir /opt/unetlab/addons/qemu/fortinet-FGT-v6.4.2

[/box]

Note: fortinet-xxxxxxxxxx is the correct naming convention 🙂

Now copy your downloaded image into this folder, I use WinSCP, but FileZilla is also free. Remember that your transfer method should be set to ‘binary’.

Back in the EVE-NG console, you need to unzip the appliance, then rename it (EVE-NG also needs the image files to have specific names). Then you can delete the original zip file and make sure the permissions are set correctly.

[box]

cd /opt/unetlab/addons/qemu/fortinet-FGT-v6.4.2
unzip FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
mv fortios.qcow2 virtioa.qcow2
rm FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

[/box]

That's the hard part done. Log into EVE-NG, create a new lab and drop a Fortigate device into the workspace. (Note: You can raise the RAM to 2048 to get it to perform a little better, but no higher, as only 2GB is permitted with the trial licence.)

Allow Web Management Of Fortigate VM

I've included this bit because most articles don't, and if I'm unfamiliar with Fortigate, then some of you will be also. Essentially you set up the interface that you will be using as the inside interface with a static IP and allow web management via HTTP. (Note: First you will be asked to change the admin password.) Plain HTTP is fine inside an isolated EVE-NG lab; anywhere else, allow https instead and leave http off, otherwise the admin credentials cross the wire in clear text.

[box]

config system interface
edit port1
set mode static
set ip 192.168.1.1 255.255.255.0
set allowaccess http
end

[/box]

Then from a management VM, (on the same network segment) connect to the appliance and log in.

If you just see a blank screen with no logon options see this article.

Related Articles, References, Credits, or External Links

NA

Fortigate Blank Web Page?

KB ID 0001713

Problem

I’ve been trying to deploy a Fortigate into EVE-NG (article to follow) this week. I could get the appliance running fine but when I tried to access the web management console all I got was the following.

Note: I have a couple of management VMs in EVE-NG (Windows 7 and Server 2012); they had a mixture of IE, Chrome and Firefox on them, but still I could not get in?

Solution

All forums yielded no more info other than 'Check you have allowed access for http'. But as you can see (above), the Fortinet logo is on the window, so I was hitting the firewall and http was allowed? (Also the http daemon was running inside the appliance.)

Just for fun I connected the outside interface to my test network, allowed http, and tried from there; it worked perfectly? So I deployed another Fortigate and connected the 'inside' interface to my test network; again it worked fine? At this point it was becoming obvious that my management machines' browsers were probably the problem. So I deployed a new Kali Linux VM, fired up Firefox and;

That took a LOT longer than it needed to!

Related Articles, References, Credits, or External Links

NA


Fortigate: Show IP (DHCP) From CLI

KB ID 0001712

Problem

I was having some problems setting up a Fortigate (VM64-KVM) firewall, and I needed to know, (at command line,) how to view the address that had been assigned to it via DHCP.

View Fortigate DHCP address (from CLI)

The syntax required is;

[box]

config system interface
edit ?

[/box]

Note: Don't forget the "?" at the end; it will not show on screen, as seen below. (The interface listing that follows shows each port's current address, whether static or from DHCP. The get system interface physical and diagnose ip address list commands list the assigned addresses too, without entering configuration mode.)

View Fortigate DHCP address (from GUI)

If the GUI/Web access is working, simply go to Network > Interfaces.

Related Articles, References, Credits, or External Links

NA

Your vSphere Client Session Is No Longer Authenticated

KB ID 0001711

Problem

I updated my vCenter to 6.7.0.45100 yesterday, and since then every time I tried to log in to the HTML5 web client, it authenticated, let me in, showed me the error (below), then kicked me out again?

Solution

I assumed (wrongly) that the upgrade had overwritten the webclient.properties file that controls timeouts. This may be your problem; see the following article if my 'fix' does not work for you.

vSphere HTML5 Web Client – Disable the Console Timeout

In the end my fix was quick and simple: go to Add/Remove Programs, locate the vSphere Enhanced Authentication Plugin (in my case version 6.5.0) and uninstall it.

Related Articles, References, Credits, or External Links

NA