EVE-NG Deploying Fortigate v6 Firewalls

KB ID 0001714

Problem

The firm I work for are looking at a replacement for Cisco ASA as their preferred firewall of choice. We are looking at Fortinet to fill this gap, but as a product/solution it’s something I know very little about.

So the best way to learn is to deploy and play with, and the test bench weapon of choice for discerning technical types is EVE-NG. So can I deploy the newest (v6.4.2 at time of writing) Fortigate firewall into EVE-NG? Indeed, read on.

Solution

Getting the VM is pretty easy: Fortinet allows you to create a free login account and download the trial version. REMEMBER you want the KVM version of the appliance!

If you didn’t know, EVE-NG (and the QEMU software that runs inside it) needs to have its images in certain named folders. So log into your EVE-NG appliance and create a new folder:

[box]

mkdir /opt/unetlab/addons/qemu/fortinet-FGT-v6.4.2

[/box]

Note: fortinet-xxxxxxxxxx is the correct naming convention 🙂

Now copy your downloaded image into this folder. I use WinSCP, but FileZilla is also free. Remember that your transfer method should be set to ‘binary’.

Back in the EVE-NG console, you need to unzip the appliance, then rename it (EVE-NG also needs the images to have certain names). Then you can delete the original Zip file, and make sure the permissions are set correctly.

[box]

cd /opt/unetlab/addons/qemu/fortinet-FGT-v6.4.2
unzip FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
mv fortios.qcow2 virtioa.qcow2
rm FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

[/box]

That’s the hard part done. Log into EVE-NG, create a new lab, and drop a Fortigate device into the workspace. (Note: You can raise the RAM to 2048 to get it to perform a little better, but no higher, as only 2GB is permitted with the trial licence).

Allow Web Management Of Fortigate VM

I’ve included this bit because most articles don’t, and if I’m unfamiliar with Fortigate, then some of you will be also. Essentially you set up the interface that you will be using as the inside interface with a static IP, and allow web management via HTTP. (Note: First you will be asked to change the Admin password).

[box]

config system interface
edit port1
set mode static
set ip 192.168.1.1 255.255.255.0
set allowaccess http 
end

[/box]

Then from a management VM (on the same network segment), connect to the appliance and log in.

If you just see a blank screen with no logon options see this article.

Related Articles, References, Credits, or External Links

NA

HP Intelligent Provisioning Can’t See USB Media?

KB ID 0001555

Problem

Life was simpler when we had DVD drives and a wallet full of CD/DVDs! I was building an HP DL360 this morning and needed to install Windows. I created a bootable USB with Unetbootin and selected a Windows Server ISO, but it wouldn’t boot. So I thought ‘Fine, I’ll play the game’ and pressed F10 for Intelligent Provisioning.

After selecting USB media – the system could not see my USB Drive? 

After a couple of seconds of head scratching the penny dropped: it wants the ISO, not a bootable drive (doofus!). So I used a FAT formatted USB and that didn’t work either?

Option 1: Use iLO

Before you all start emailing me, you can install an operating system from virtual media WITHOUT an advanced iLO licence! Annoyingly I was building the server on the bench, so I had to connect my laptop into the iLO with a crossover cable, but here’s me proving it works.

Option 2: Use ExFAT

Format your USB drive using ExFAT, luckily I use macOS and Disk Utility will format a drive using ExFAT for me.

Note: Windows will also format as ExFAT 🙂

Then simply put your install .iso file(s) on the media.

Now you can see your install media.

Option 3: Use the HP Media Creator

I didn’t try this option, but feel free to download it and give it a try, comment below to let me know how you get on.

HP USB Key Utility for Windows v3.0.0

Related Articles, References, Credits, or External Links

NA

Dell iDRAC: ‘Virtual Media is Detached’

KB ID 0001459

Problem

I’d needed to present an .iso image to my Dell server and got this;

Either Virtual Media is detached or
Virtual Media redirection for the selected virtual disk is already in use

Solution

System > Console Media > Configuration > Virtual Console > Enabled (tick) > Status (Auto Attach) > Save.

Related Articles, References, Credits, or External Links

NA

vSphere – Floppy Drive ‘Won’t Appear’

KB ID 0001020

Problem

“It’s 2015 why are you messing around with floppy drives?” I hear you ask! Well for importing certificate requests, and issued certificates from an offline root CA server, it’s still considered best practice to use a virtual floppy drive rather than connect the offline root server to the production network.

So today while deploying a PKI infrastructure, I needed to present a floppy drive to a Windows Server 2012 R2 Issuing (subordinate CA). Despite me adding the hardware, presenting a floppy image and ticking ‘connected’ the floppy drive refused to ‘appear’ in Windows.

Solution

The problem was the client had a ‘Pre-hardened’ Server 2012 R2 template, that I had used to deploy the server, and in the BIOS of the template the floppy drive was disabled.

1. Set the VM to boot into BIOS next time it starts (you can reboot and keep pressing F2).

2. Main > Legacy Diskette A: > Set to [1.44/1.25 MB 3 1/2].

3. At this point I hit F10 (Save and Exit), booted up the VM, and it was still missing!

4. Turns out (after some more BIOS digging) that the controller was also disabled! Advanced > I/O Device Configuration.

5. Set Floppy disk controller to ‘Enabled’ > F10 > Boot the VM. Problem solved!

Related Articles, References, Credits, or External Links

NA

Windows XP – Sysprep (for imaging)

KB ID 0000599 

Problem

A client who we recently did a WDS (Windows 7) install for, needed to image a couple of Windows XP machines, (They had some software that either would not run, or was not supported on Windows 7).

They asked me for some documentation on how to do this, it’s been such a long time since I imaged any XP machine, so I took the opportunity to document it properly.

Solution

Before you begin, be aware you need to be building your reference machine with a Volume Licenced copy of Windows XP, NOT an OEM or Retail copy (i.e. DON’T build the machine with manufacturers’ rescue disks like Dell or HP). If you don’t do this you will need to activate every Windows machine that you deploy with Microsoft.

Make sure the version of sysprep you are using is at the same service pack level as the reference machine or bad things will happen.

Windows XP SP3 version of Deploy.cab

1. Build your reference machine, and configure it as you require.

2. Create a folder on the root of the C: Drive called ‘Sysprep’. Insert the Windows XP CD and locate the Deploy cabinet file. (This is ‘like’ a zip file and it’s in the support\tools folder).

3. Double click the support cab, then copy over the sysprep.exe file, the setupcl.exe file and the setupmgr.exe file to your c:\sysprep folder.

4. You can now run sysprep.exe and skip to step 13. BUT if you require an answerfile (a script that will answer all the questions Windows will ask while it’s reinstalling post sysprep) then run the setupmgr.exe program, at the welcome screen click next.

5. Create New > Sysprep Setup > Windows XP Professional.

6. Fully Automate > Enter Name and Organisation > Set the Display Properties.

7. Set Time Zone > Enter the Volume Licence unlock code > If you are joining a domain, I suggest generating a random name then changing it later.

8. Set the Local Administrators password > Typical settings will enable DHCP > Supply any domain and domain credentials you need to join your domain.

9. Telephony (I just skip this) > Regional Settings > Languages.

10. Printers > Run Once commands > Additional Commands.

11. Enter a string that will go into the registry, and can be identified later > Finish > Accept the default save path > OK > At this point it looks like it’s crashed, you can manually close the setupmgr.

12. Now you can run sysprep.exe > OK > I select ‘mini-setup’ (If you don’t, it will run the welcome to windows session and play the annoying music you can’t turn down!) > If you have installed applications and are going to image the machine click Reseal > OK.

Note: Factory will literally set the machine back to a ‘day one’ install of Windows XP.

The machine will then shut down and can be imaged.

Final Note: If you power it back on, it will rebuild itself and delete the c:\sysprep directory. Which is fine unless you are doing some testing and realise you have to do the whole thing from scratch!

Related Articles, References, Credits, or External Links

Windows Deployment Services (Server 2003)
Deploying Windows XP

Windows Deployment Services (On Server 2008 R2)
Deploying Windows 7

Windows Server Where is Sysprep

KB ID 0000419 

Problem

You have a 2008 R2 Server to sysprep, but you’re not sure where sysprep is.

Solution

1. Thankfully in Server 2008 R2, there’s no messing about, it’s in c:\windows\system32\sysprep. (Note: to regenerate a SID don’t forget to tick “Generalize”).

Server 2008 – It’s in the same place.

Server 2003 – As with Windows XP, you need to get it from the Windows install CD, it’s in the support\tools\deploy.cab.

Once the files are extracted you can run sysprep (Note: setupmgr.exe is used to create the unattended / answer files for sysprep.)

 

Related Articles, References, Credits, or External Links

Server 2012 – Sysprep

Adding Drivers to Images on WDS

KB ID 0000314

Problem

Before Server 2008 R2 when we needed to inject drivers into our WDS images we had to do it like this.

Now however the process is a lot more elegant! Simply import the drivers into WDS, then inject them into the boot images (Yes the boot images NOT the Windows Images you are deploying!)

Solution

Add Driver Packages to Image is “Greyed out”

If, while attempting to add drivers, the option to “Add Driver Packages to Image” is greyed out, then you may need to update your boot images from Server 2008/Vista images to 2008 R2/Windows 7 images (or from version 6.0.6000 to 6.1.7600).

 

Related Articles, References, Credits, or External Links

NA

Windows Deployment Services – Asks for Locale and Keyboard

KB ID 0000734 

Problem

Seen when deploying images with WDS: even though you have specified language and keyboard settings in your answerfile, the system still asks you to set the language and keyboard options. For a couple of machines you might put up with this, but for a few thousand machines it can get quite annoying!

Solution

There is a reason it’s doing this, and it’s because the next thing it asks you to do is authenticate to the WDS server like so;

If there was a problem you might not be able to log in (because you are using complex passwords like all good sysadmins), and all those ‘special characters’ can be on lots of different keys, with lots of different languages and keyboard layouts.

So to stop it asking for language settings, set the answerfile to auto authenticate to WDS. You do this by adding the ‘Windows Deployment Services’ sub component, from the ‘Microsoft-Windows-Setup_neutral’ component. Add it to the ‘1 windowsPE’ pass and fill in the credentials accordingly.

Note: This is set in the WDS Unattended answerfile, NOT the one for the image you are deploying.

Adding via System Image Manager

Adding to the Answerfile (via XML)
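
The sub component described above, written out as it would sit in the WDS unattended answerfile. This is an added example, not the answerfile from the original article: the domain, account name and password are placeholders, and processorArchitecture is assumed to be amd64.

```xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <!-- Assumption: 64-bit boot image. Use x86 here for a 32-bit boot image. -->
    <component name="Microsoft-Windows-Setup"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <WindowsDeploymentServices>
        <Login>
          <!-- Placeholder credentials: the WDS client uses these to
               authenticate to the WDS server without prompting. -->
          <Credentials>
            <Domain>EXAMPLE</Domain>
            <Username>svc-wds-deploy</Username>
            <Password>REPLACE_WITH_PASSWORD</Password>
          </Credentials>
        </Login>
      </WindowsDeploymentServices>
    </component>
  </settings>
</unattend>
```

The password is held in this file as plain text, so a dedicated account with only the rights it needs to read images from the WDS server is the sensible choice here, rather than a domain admin.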

Related Articles, References, Credits, or External Links

NA

WDS Deploying Windows Part 1: Install and Configure WDS

KB ID 0000735 

Problem

You want to deploy the Windows 8 Client Operating System, to a number of clients using WDS. In this part we will configure the WDS Server, then we will move onto taking an image of your reference Windows 8 machine. Finally we will cover taking that image, and deploying it out to many target systems.

Solution

Add the WDS Role

1. From Server Manager (ServerManager.exe) > Local Server.

2. Manage > Add Roles and Features.

3. Next.

4. Next.

5. Next.

6. Select ‘Windows Deployment Services’ > Next > It will ask to install some other features, let it do so.

7. Next.

8. Next.

9. Accept the default (both roles) > Next.

10. Install.

Configure the WDS Server

11. From the Start menu > Launch the Windows Deployment Services management console.

12. Expand servers > Right click the server name > Configure Server.

13. Read the prerequisites > Next.

14. Next.

15. Select the location where you want to store your images and keep the WDS files.

16. Note: In this case it’s warning me NOT to use the C: drive. As this is just a test server I will accept the warning and leave it as it is. In production environments make sure you are using a different drive/volume.

17. This particular server IS a DHCP server, but we will address the DHCP requirements when we are finished > Next.

18. I’m going to choose ‘Respond to all (known and unknown)’ > Next.

19. WDS should configure and the service SHOULD start.

20. Here we can see the service has not started (the server will have a small stop symbol on it).

21. So I need to manually start the service.

Adding Image Groups and Images

22. Firstly I’m going to create a group that will hold all my Windows 8 Client machine images. Right click Install Images > Add Image Group.

23. Give it a name > OK.

Adding a boot image (To send an image to a remote machine)

24. Now I need to add a boot image, so I can boot my remote clients from the WDS server and use this image to load WindowsPE on them, so they can be imaged. Right click Boot Images > Add Boot Image.

25. You can use either a Windows 8 DVD or a Windows Server 2012 DVD, you will need to navigate to the sources directory, and locate Boot.wim > Open.

26. Next.

27. Rename the image ‘Install an Image’ > Enter a description > Next.

28. Next.

29. The Image will be imported.

30. Finish.

Adding a Capture Image (To take an image from a remote machine)

31. Right click the image we have just added > Create Capture Image.

32. Call this one ‘Capture an Image’ > Give it a description > Save the image (with a .wim extension). Note: It does not matter where you save the image, but I would suggest somewhere in the ‘Remote Install’ folder > Next.

33. The image will be created.

34. Finish

35. Now even though we have created the capture image, we still need to import it. Right click > Add Boot Image.

36. Select the capture image you created earlier > Next.

37. Make sure it’s called ‘Capture an Image’ > Next.

38. Next.

39. Now the capture image will be imported into WDS.

40. Finish.

Configure DHCP with WDS Options

41. Launch the DHCP management console.

42. Open the active scope > IPv4 > Server Options > Configure Options.

43. Tick Option 66 > Set its value to the IP address of the WDS server > Apply > OK.

44. Tick Option 67 > Set its value to;

[box] boot\x64\wdsnbp.com [/box]

Apply > OK.

45. Now you are ready to capture an image of your reference Windows 8 machine.

 

Related Articles, References, Credits, or External Links

2012 – WDS Deploying Windows 8 Part 2: Prepare Windows 8, and Capture to WDS

WDS 2003 Deploying Windows XP

WDS 2008 R2 Deploying Windows 7

Using Windows Deployment Services with Symantec Ghost

 

Exchange 2010 Adding Custom Disclaimers

KB ID 0000317

Problem

The ability to add mail disclaimers was brought in with Exchange 2007. With Exchange 2010 the “Transport Rule” can be modified further so that you can embed HTML, which means you can populate the disclaimer with Active Directory attributes.

Solution

Example Active Directory Attributes

Display Name %%DisplayName%%
Company %%Company%%
Department %%Department%%
Address %%StreetAddress%%
City %%City%%
State %%StateOrProvince%%
Post / Zip code %%PostalCode%%
Work Phone %%Phone%%
Fax %%Fax%%
Mobile Phone %%MobilePhone%%
Webpage %%webpage%%
UserLogonName %%UserLogonName%%
FirstName %%FirstName%%
Initials %%Initials%%
LastName %%LastName%%
PhoneNumber %%PhoneNumber%%
OtherPhoneNumber %%OtherPhoneNumber%%
HomePhoneNumber %%HomePhoneNumber%%
OtherHomePhoneNumber %%OtherHomePhoneNumber%%
PagerNumber %%PagerNumber%%
MobileNumber %%MobileNumber%%
OtherFaxNumber %%OtherFaxNumber%%
Email %%Email%%
Street %%Street%%
POBox %%POBox%%
Country %%Country%%
Title %%Title%%
Manager %%Manager%%
Office %%Office%%
Notes %%Notes%%
CustomAttribute1 to CustomAttribute15 %%CustomAttribute1%% to %%CustomAttribute15%%

Examples

1. This,


[box]

<hr /> <b>%%DisplayName%%</b><br />
<font size="small"> %%Department%% – %%Company%% <br /> %%StreetAddress%% – %%City%% – %%StateOrProvince%% – %%PostalCode%% <br /> Telephone: %%Phone%% </font><br /><br />
<h5> <font color="gray"> The content of this e-mail (including any attachments) is strictly confidential and may be commercially sensitive. If you are not, or believe you may not be, the intended recipient, please advise the sender immediately by return e-mail, delete this e-mail and destroy any copies. </font> </h5>

[/box]


Would give you this

2. This,


[box]

<br /> <hr />
<div style="font-size:9pt; font-family:Arial, Helvetica, sans-serif;"> <b>%%DisplayName%%</b><br /> %%title%% %%company%% </div>
<b>&nbsp;</b>
<div><img alt="PeteNetLive" src="http://www.petenetlive.com/Images/logosmall.jpg" /></div>
<div><p style="font-size:8pt; line-height:10pt; font-family:Arial, Helvetica, sans-serif"> The content of this e-mail (including any attachments) is strictly confidential and may be commercially sensitive. If you are not, or believe you may not be, the intended recipient, please advise the sender immediately by return e-mail, delete this e-mail and destroy any copies. </p> </div>

[/box]


Would give you this

 

Related Articles, References, Credits, or External Links

NA