EVE-NG Deploying Fortigate v6 Firewalls

KB ID 0001714

Problem

The firm I work for are looking at a replacement for Cisco ASA as their preferred firewall of choice. We are looking at Fortinet to fill this gap, but as a product/solution it’s something I know very little about.

So the best way to learn is to deploy it and play with it, and the test bench weapon of choice for discerning technical types is EVE-NG. So can I deploy the newest (v6.4.2 at time of writing) Fortigate firewall into EVE-NG? Indeed; read on.

Solution

Getting the VM is pretty easy, Fortinet allows you to create a free login account, and download the trial version. REMEMBER you want the KVM version of the appliance!

If you didn’t know, EVE-NG (and the QEMU software that runs inside it) needs its images to be in specifically named folders. So log into your EVE-NG appliance and create a new folder:

[box]

mkdir /opt/unetlab/addons/qemu/fortinet-FGT-v6.4.2

[/box]

Note: fortinet-xxxxxxxxxx is the correct naming convention 🙂

Now copy your downloaded image into this folder. I use WinSCP, but FileZilla is also free. Remember that your transfer method should be set to ‘binary’.

Back in the EVE-NG console, unzip the appliance, then rename the image (EVE-NG also needs the images to have certain names). Then delete the original zip file and make sure the permissions are set correctly:

[box]

cd /opt/unetlab/addons/qemu/fortinet-FGT-v6.4.2
unzip FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
mv fortios.qcow2 virtioa.qcow2
rm FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

[/box]

That’s the hard part done. Log into EVE-NG, create a new lab and drop a Fortigate device into the workspace. (Note: You can raise the RAM to 2048 to get it to perform a little better, but no higher, as only 2GB is permitted with the trial licence).
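An added check (my code, not from the article) for the folder layout EVE-NG expects from the steps above: the fortinet- folder prefix, the virtioa.qcow2 disk name, no leftover zip, and a readable disk file. demo() builds a constructed layout in a temporary directory (the fortinet-FGT-v6.4.0 folder name is made up) so it runs without an EVE-NG box; on the appliance itself, point check_all() at the real image root.

```python
import os
import tempfile

QEMU_ROOT = "/opt/unetlab/addons/qemu"  # EVE-NG image root, from the article
VENDOR_PREFIX = "fortinet-"              # folder naming convention, from the article
DISK_NAME = "virtioa.qcow2"              # name the article renames fortios.qcow2 to
FIX_PERMS = "/opt/unetlab/wrappers/unl_wrapper -a fixpermissions"


def check_image_folder(folder):
    """Return a list of findings for one image folder; an empty list means it looks right."""
    findings = []
    name = os.path.basename(os.path.normpath(folder))
    if not name.startswith(VENDOR_PREFIX):
        findings.append(f"{name}: folder name must start with {VENDOR_PREFIX!r} "
                        "or EVE-NG will not offer it as a Fortigate image")
    if not os.path.isdir(folder):
        findings.append(f"{name}: folder does not exist")
        return findings
    entries = os.listdir(folder)
    if DISK_NAME not in entries:
        findings.append(f"{name}: no {DISK_NAME}; rename the extracted fortios.qcow2 to {DISK_NAME}")
    leftovers = [e for e in entries if e.endswith(".zip")]
    if leftovers:
        findings.append(f"{name}: archive still present ({', '.join(leftovers)}); "
                        "unzip it, then delete it")
    disk = os.path.join(folder, DISK_NAME)
    if os.path.isfile(disk) and not os.access(disk, os.R_OK):
        findings.append(f"{name}: {DISK_NAME} is not readable; run '{FIX_PERMS}'")
    return findings


def check_all(root=QEMU_ROOT):
    """Check every fortinet-* folder under the EVE-NG image root."""
    return {name: check_image_folder(os.path.join(root, name))
            for name in sorted(os.listdir(root)) if name.startswith(VENDOR_PREFIX)}


def demo():
    """Constructed layout (not a real EVE-NG box): one folder done correctly, one half-done."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "fortinet-FGT-v6.4.2")
        bad = os.path.join(root, "fortinet-FGT-v6.4.0")   # made-up folder name
        os.makedirs(good)
        os.makedirs(bad)
        open(os.path.join(good, DISK_NAME), "w").close()
        open(os.path.join(bad, "fortios.qcow2"), "w").close()   # never renamed
        open(os.path.join(bad, "FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip"), "w").close()
        return check_all(root)


if __name__ == "__main__":
    for folder, findings in demo().items():
        print(folder, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```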

Allow Web Management Of Fortigate VM

I’ve included this bit because most articles don’t, and if I’m unfamiliar with Fortigate, then some of you will be also. Essentially you set up the interface that you will be using as the inside interface with a static IP and allow web management via HTTP. (Note: First you will be asked to change the admin password).

[box]

config system interface
edit port1
set mode static
set ip 192.168.1.1 255.255.255.0
set allowaccess http 
end

[/box]

Then, from a management VM on the same network segment, connect to the appliance and log in.

If you just see a blank screen with no logon options, see this article.

Related Articles, References, Credits, or External Links

NA

Deploy Cisco ASA 55xx in Active / Standby Failover

KB ID 0000048 

Problem

You want to deploy 2 Cisco ASA 55xx Series firewalls in an Active/Standby failover configuration.

Solution

Assumptions:

Hardware on both ASA firewalls is identical.
The correct licenses for failover are installed on both firewalls.
The same software versions are installed on both firewalls.
You have your PRIMARY firewall set up and running correctly (Everything works!).

In this example the firewalls were ASA5510s and all interfaces were being used, so the Management port was used as the “Failover Link” (That needs a Security Plus license!).
This link will use a crossover cable (Only available after version 7.0(2); before that you had to use a switch – I think!).

Also I’m using the same link for LAN Based failover (heartbeat) AND Stateful replication.

IP Addresses

Each interface will need its existing IP address, and an address to use whilst in “Standby”. In this example I will use the following:


Outside Interface (Ethernet0/0): 123.123.123.123 255.255.255.0
Outside Interface STANDBY: 123.123.123.124 255.255.255.0
DMZ1 Interface (Ethernet0/1): 192.168.1.1 255.255.255.0
DMZ1 Interface STANDBY: 192.168.1.254 255.255.255.0
DMZ2 Interface (Ethernet0/2): 192.168.2.1 255.255.255.0
DMZ2 Interface STANDBY: 192.168.2.254 255.255.255.0
Inside Interface (Ethernet0/3): 172.16.1.1 255.255.255.0
Inside Interface STANDBY: 172.16.1.254 255.255.255.0
Failover Interface (Management0/0): 172.16.254.254 255.255.255.0
Failover Interface STANDBY: 172.16.254.250 255.255.255.0

Step 1: Carry out this procedure on the PRIMARY (already configured and working) firewall.

1. Backup the running config on the primary firewall.

[box]

PetesASA# copy run flash:/before_failover.cfg

Source filename [running-config]?

Destination filename [before_failover.cfg]?
Cryptochecksum: babed83d 62a5fba7 e5ea368d 642157bd

8549 bytes copied in 3.670 secs (2849 bytes/sec)
PetesASA#

[/box]

2. Blow away the config on the interface you are going to use for failover.

[box]

PetesASA(config)# clear configure interface GigabitEthernet1/7
PetesASA(config)# int GigabitEthernet1/7
PetesASA(config-if)# no shut
PetesASA(config-if)# exit
PetesASA(config)#

[/box]

3. Change the interface IP addresses, to add the standby address for each interface.

[box]

PetesASA(config)#
PetesASA(config)# interface GigabitEthernet1/1
PetesASA(config-if)# speed 1000
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif outside
PetesASA(config-if)# security-level 0
PetesASA(config-if)# ip address 123.123.123.123 255.255.255.0 standby 123.123.123.124
PetesASA(config-if)# interface GigabitEthernet1/2
PetesASA(config-if)# speed 1000
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif DMZ1
PetesASA(config-if)# security-level 50
PetesASA(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.254
PetesASA(config-if)# interface GigabitEthernet1/3
PetesASA(config-if)# speed 1000
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif DMZ2
PetesASA(config-if)# security-level 55
PetesASA(config-if)# ip address 192.168.2.1 255.255.255.0 standby 192.168.2.254
PetesASA(config-if)# interface GigabitEthernet1/4
PetesASA(config-if)# speed 1000
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif inside
PetesASA(config-if)# security-level 100
PetesASA(config-if)# ip address 172.16.1.1 255.255.255.0 standby 172.16.1.254
PetesASA(config-if)# exit
PetesASA(config)#

[/box]

4. Set up the failover LAN interface (In config mode!).

[box]

PetesASA(config)#
PetesASA(config)# failover lan interface FAIL-OVER Gigabitethernet1/7
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
PetesASA(config)#

[/box]

5. Set up the failover link IP address.

[box]

PetesASA(config)#
PetesASA(config)# failover interface ip FAIL-OVER 192.168.254.1 255.255.255.0 standby 192.168.254.2
PetesASA(config)#

[/box]

6. Set up a shared key.

[box]

PetesASA(config)#
PetesASA(config)# failover key 666999
PetesASA(config)#

[/box]

7. Set it as the primary firewall.

[box]

PetesASA(config)#
PetesASA(config)# failover lan unit primary
PetesASA(config)#

[/box]

8. Turn on failover.

[box]

PetesASA(config)#
PetesASA(config)# failover
PetesASA(config)#

[/box]

9. Now we need to enable stateful failover.

[box]

PetesASA(config)#
PetesASA(config)# failover link FAIL-OVER
PetesASA(config)#

[/box]

10. Save the config.

[box]

PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

NOW CONFIGURATION IS FINISHED ON THE PRIMARY FIREWALL, ENSURE THE CABLING IS IN PLACE ON BOTH FIREWALLS THEN CONNECT TO THE STANDBY FIREWALL

Step 2 Carry Out this procedure on the Standby Firewall.

11. Enter enable mode.

[box]

ciscoasa>
ciscoasa> enable
Password:********
ciscoasa#

[/box]

12. Clear the configuration on the failover interface (Management 0/0 in this example), then open the failover link and issue a “no shut” command.

[box]

ciscoasa#
ciscoasa# conf terminal
ciscoasa(config)# clear configure interface GigabitEthernet1/7
ciscoasa(config)# interface GigabitEthernet1/7
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
ciscoasa(config)#

[/box]

13. Turn on the LAN interface for failover.

[box]

ciscoasa(config)#
ciscoasa(config)# failover lan interface FAIL-OVER Gigabitethernet1/7
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
ciscoasa(config)#

[/box]

14. Set up the failover link IP address (YES: that’s the same as on the primary firewall, there WON’T be a conflict).

[box]

ciscoasa(config)#
ciscoasa(config)# failover interface ip FAIL-OVER 192.168.254.1 255.255.255.0 standby 192.168.254.2
ciscoasa(config)#

[/box]

15. Give it the same key you used above (In step 6).

[box]

ciscoasa(config)#
ciscoasa(config)# failover lan key 666999
ciscoasa(config)#

[/box]

16. Set it as the secondary (standby firewall).

[box]

ciscoasa(config)#
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)#

[/box]

17. Turn on failover.

[box]

ciscoasa(config)#
ciscoasa(config)# failover
ciscoasa(config)#

[/box]

18. You should see:

[box]

Detected an Active mate
Beginning configuration replication from mate.

[/box]

19. When it says that it has ended replication on the secondary firewall, issue a “show failover” command (Note: the hostname will have changed to the one on the primary firewall).

[box]

PetesASA(config)#
PetesASA(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(2), Mate 7.0(5)
Last Failover at: 14:49:43 UTC May 4 2007
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)
Interface Outside (123.123.123.124): Link Down (Waiting)
Interface DMZ1 (192.168.1.254): Link Down (Waiting)
Interface DMZ2 (192.168.2.254): Link Down (Waiting)
Interface Inside (172.16.1.254): Link Down (Waiting)
slot 1: empty
Other host: Primary - Active
Active time: 514 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.0(5)) status (Up Sys)
Interface Outside (123.123.123.123): Link Down (Waiting)
Interface DMZ1 (192.168.1.1): Link Down (Waiting)
Interface DMZ2 (192.168.1.1): Link Down (Waiting)
Interface Inside (172.16.1.1): Link Down (Waiting)
slot 1: empty

[/box]

20. To double check go back to the PRIMARY firewall and issue the same command.

[box]

PetesASA(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.0(5), Mate 7.2(2)
Last Failover at: 13:21:42 UTC May 4 2007
This host: Primary - Active
Active time: 616 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.0(5)) status (Up Sys)
slot 1: empty
Interface Outside (123.123.123.123): Link Down (Waiting)
Interface DMZ1 (192.168.1.1): Link Down (Waiting)
Interface DMZ2 (192.168.2.1): Link Down (Waiting)
Interface Inside (172.16.1.1): Link Down (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)
slot 1: empty
Interface Outside (123.123.123.124): Link Down (Waiting)
Interface DMZ1 (192.168.1.254): Link Down (Waiting)
Interface DMZ2 (192.168.2.254): Link Down (Waiting)
Interface Inside (172.16.1.254): Link Down (Waiting)

[/box]
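To check the state of a pair from a script rather than by eye, here is an added example (my code, not from the article) that parses the “show failover” output shown above and lists anything worth looking at before trusting the pair. The sample input is the primary’s output from step 20, trimmed to the lines the parser reads; on it the check reports the version mismatch (7.0(5) against 7.2(2)), which the assumptions list says to avoid, and the eight data interfaces that are still “Link Down (Waiting)” rather than “Normal”.

```python
import re
from dataclasses import dataclass, field

# 'show failover' output from step 20 of the article, trimmed to the lines the parser uses.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Version: Ours 7.0(5), Mate 7.2(2)
This host: Primary - Active
Interface Outside (123.123.123.123): Link Down (Waiting)
Interface DMZ1 (192.168.1.1): Link Down (Waiting)
Interface DMZ2 (192.168.2.1): Link Down (Waiting)
Interface Inside (172.16.1.1): Link Down (Waiting)
Other host: Secondary - Standby Ready
Interface Outside (123.123.123.124): Link Down (Waiting)
Interface DMZ1 (192.168.1.254): Link Down (Waiting)
Interface DMZ2 (192.168.2.254): Link Down (Waiting)
Interface Inside (172.16.1.254): Link Down (Waiting)
"""

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+)$")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")


@dataclass
class FailoverState:
    enabled: bool = False
    unit: str = ""                      # role configured on the unit we are logged in to
    lan_link_up: bool = False
    versions: tuple = ("", "")          # (ours, mate)
    roles: dict = field(default_factory=dict)       # {"this": "Active", "other": "Standby Ready"}
    interfaces: dict = field(default_factory=dict)  # {"this": {name: (ip, state)}, "other": {...}}


def parse_show_failover(text):
    st = FailoverState()
    side = None                         # which host block ("this"/"other") we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            st.enabled = True
            continue
        if line.startswith("Failover unit "):
            st.unit = line.split()[-1]
            continue
        if line.startswith("Failover LAN Interface:"):
            st.lan_link_up = line.endswith("(up)")
            continue
        m = VERSION_RE.match(line)
        if m:
            st.versions = (m.group(1), m.group(2))
            continue
        m = HOST_RE.match(line)
        if m:
            side = "this" if m.group(1) == "This" else "other"
            st.roles[side] = m.group(3)
            st.interfaces[side] = {}
            continue
        m = IFACE_RE.match(line)
        if m and side:
            st.interfaces[side][m.group(1)] = (m.group(2), m.group(3))
    return st


def failover_findings(st):
    """Things to look at before trusting the pair; an empty list means all clear."""
    findings = []
    if not st.enabled:
        findings.append("failover is off")
    if not st.lan_link_up:
        findings.append("failover LAN interface is not up")
    if set(st.roles.values()) != {"Active", "Standby Ready"}:
        findings.append(f"unexpected unit roles: {st.roles}")
    if st.versions[0] != st.versions[1]:
        findings.append(f"software versions differ: ours {st.versions[0]}, mate {st.versions[1]}")
    for side, ifaces in st.interfaces.items():
        for name, (ip, state) in ifaces.items():
            if state != "Normal":
                findings.append(f"{side} host interface {name} ({ip}): {state}")
    return findings


if __name__ == "__main__":
    for finding in failover_findings(parse_show_failover(SAMPLE_SHOW_FAILOVER)):
        print("-", finding)
```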

21. The failover time out of the box is a bit pants; to nail it down a little, on the PRIMARY ASA:

[box]

PetesASA(config)#
PetesASA(config)# failover poll 1 hol 3
PetesASA(config)# failover poll interface 3
PetesASA(config)# int GigabitEthernet 1/7
PetesASA(config-if)# failover poll interface 3
PetesASA(config)#

[/box]

22. Save the config. (Note: config changes WILL be replicated to the standby firewall).

[box]

PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 6650f6c9 09bbb5f0 0dafa0d1 8fc08aba

8756 bytes copied in 3.680 secs (2918 bytes/sec)
[OK]
PetesASA(config)#

[/box]

23. When done, pull the power on ASA 1 to fail it over. With a constant ping running, you will usually only lose one ping packet.

Failover Commands to Copy and Paste

Note: This assumes you have already added ‘standby’ IP addresses to all your interfaces and are using GigabitEthernet0/4 as the failover interface. Change the values to match your requirements.

[box]

Primary Firewall Config

clear configure interface GigabitEthernet0/4
interface GigabitEthernet0/4
no shut
exit
!
failover lan interface failover GigabitEthernet0/4
failover interface ip failover 192.168.255.9 255.255.255.252 standby 192.168.255.10
failover lan key 666999
failover lan unit primary
failover
failover link failover GigabitEthernet0/4
!
failover poll 1 hol 3
failover poll interface 3
interface GigabitEthernet0/4
failover poll interface 3
exit
!

Standby Firewall Config

clear configure interface GigabitEthernet0/4
interface GigabitEthernet0/4
no shut
exit
!
failover lan interface failover GigabitEthernet0/4
failover interface ip failover 192.168.255.9 255.255.255.252 standby 192.168.255.10
failover lan key 666999
failover lan unit secondary
failover
failover link failover GigabitEthernet0/4
!

[/box]
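As an added example (mine, not the article’s or Cisco’s), here is a Python generator for the failover configuration above that checks each active/standby pair before emitting it: the standby address must be a different host in the same subnet, which is exactly what the copy-and-paste block leaves you to get right by hand. It assumes the addressing from the step-3 box, the /30 failover link and key from the copy-and-paste block, and emits the step-21 timers with the article’s ‘poll’/‘hol’ abbreviations expanded to ‘polltime’/‘holdtime’.

```python
import ipaddress

# Interface plan, constructed from the addressing in the article above
# (names and addresses from the step-3 box; the /30 failover link from the copy-and-paste box).
INTERFACES = [
    # (interface, nameif, security-level, active IP, standby IP, mask)
    ("GigabitEthernet1/1", "outside", 0,   "123.123.123.123", "123.123.123.124", "255.255.255.0"),
    ("GigabitEthernet1/2", "DMZ1",    50,  "192.168.1.1",     "192.168.1.254",   "255.255.255.0"),
    ("GigabitEthernet1/3", "DMZ2",    55,  "192.168.2.1",     "192.168.2.254",   "255.255.255.0"),
    ("GigabitEthernet1/4", "inside",  100, "172.16.1.1",      "172.16.1.254",    "255.255.255.0"),
]
# (interface, failover link name, active IP, standby IP, mask)
FAILOVER_LINK = ("GigabitEthernet0/4", "failover", "192.168.255.9", "192.168.255.10", "255.255.255.252")
FAILOVER_KEY = "666999"   # must be identical on both units (article step 15)


def pair_error(active, standby, mask):
    """Return why an active/standby pair is unusable, or None if it is fine.

    Both addresses must be distinct hosts in the same subnet, and neither may be
    the network or broadcast address."""
    net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
    a, s = ipaddress.ip_address(active), ipaddress.ip_address(standby)
    if a == s:
        return f"active and standby addresses are identical: {active}"
    if s not in net:
        return f"standby {standby} is not in the active subnet {net}"
    if net.prefixlen < 31:
        for addr in (a, s):
            if addr in (net.network_address, net.broadcast_address):
                return f"{addr} is the network or broadcast address of {net}"
    return None


def interface_config(interfaces):
    """Step 3 of the article: add a standby address to every data interface."""
    lines = []
    for ifname, nameif, seclevel, active, standby, mask in interfaces:
        err = pair_error(active, standby, mask)
        if err:
            raise ValueError(f"{nameif}: {err}")
        lines += [f"interface {ifname}", f" nameif {nameif}", f" security-level {seclevel}",
                  f" ip address {active} {mask} standby {standby}", "!"]
    return lines


def failover_config(unit, link=FAILOVER_LINK, key=FAILOVER_KEY):
    """Steps 4-9 (primary) / 12-17 (secondary): the failover link and the unit role.

    Only 'failover lan unit' differs between the two units; the link addresses and
    the key are deliberately identical on both (article steps 14 and 15)."""
    if unit not in ("primary", "secondary"):
        raise ValueError("unit must be 'primary' or 'secondary'")
    ifname, name, active, standby, mask = link
    err = pair_error(active, standby, mask)
    if err:
        raise ValueError(f"failover link: {err}")
    lines = [
        f"clear configure interface {ifname}",
        f"interface {ifname}", " no shutdown", " exit", "!",
        f"failover lan interface {name} {ifname}",
        f"failover interface ip {name} {active} {mask} standby {standby}",
        f"failover key {key}",
        f"failover lan unit {unit}",
        "failover",
        f"failover link {name} {ifname}",
        "!",
    ]
    if unit == "primary":
        # Step 21's timer tuning; it replicates to the standby unit, so only emit it here.
        lines += ["failover polltime 1 holdtime 3", "failover polltime interface 3", "!"]
    return lines


def build_configs(interfaces=INTERFACES, link=FAILOVER_LINK, key=FAILOVER_KEY):
    """Everything to paste: data interfaces plus the failover config for each unit."""
    return {
        "primary": interface_config(interfaces) + failover_config("primary", link, key),
        "secondary": failover_config("secondary", link, key),
    }


if __name__ == "__main__":
    for unit, lines in build_configs().items():
        print(f"! ---- {unit} ----")
        print("\n".join(lines))
```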

Related Articles, References, Credits, or External Links

Thanks to Barry van Dijk for correcting my syntax mistake 🙂

Cisco ASA 5500 Active/Standby – Zero Downtime Upgrade

PowerShell – Getting Server IP Address Information

KB ID 0001404

Problem

I’ve been rebuilding some Hyper-V hosts over the last few weeks, and one thing I learned rebuilding VMware ESX hosts is, ‘make sure you know what all the network cards are doing before you flatten it!’

The same is true of storage as well but here I’m just concentrating on networking.

List Network Cards and MAC Addresses

If you have these documented, you can rename the network cards correctly after the rebuild, and the MAC addresses ensure you assign the right names to the right NICs (without having to go and check all the cabling afterwards!).

[box]Get-NetAdapter | Select Name, MACAddress, vlanID[/box]

List Network Teams and Members

From the names of the network connections above we can see we are using network teaming, but even if yours don’t have sensible names, you can get the team names and the NICs that are a member of each team with the following command:

[box]Get-NetLbfoTeam[/box]

List NICs and IP addresses

To see what IP addresses are in use on which NICs (physical or virtual), use the following:

[box]Get-NetIPAddress -AddressState Preferred -AddressFamily IPv4 | Select InterfaceAlias, IPAddress, PrefixLength[/box]

Hyper-V: Get vSwitch and Virtual NIC info

As stated above, I’m rebuilding Hyper-V hosts; the following lists all the management vSwitch(es) and vNICs (and their names).

[box]Get-VMNetworkAdapter -ManagementOS[/box]

Hyper-V: Get vSwitch and Virtual NIC VLAN info

In addition to above, I also need to know the VLANs the vNICs are on.

[box]Get-VMNetworkAdapterVLAN -ManagementOS[/box]

Related Articles, References, Credits, or External Links

NA

ASA Setup FirePOWER Services (for ASDM)

KB ID 0001107 

Problem

Both the 5506-X (rugged and wireless versions) and the 5508-X now come with a FirePOWER services module inside them. This can be managed either from ASDM* (with the OS and ASDM upgraded to the latest version) or via the FireSIGHT management software/appliance.

*UPDATE: All ASA ‘Next-Gen’ firewalls can now have their Firepower Service Module managed from the ASDM.

Solution

1. The first thing to do is cable the management interface and the interface you are going to use as the ‘inside’ (LAN) into the same network (VLAN).

2. The next step might seem strange if you are used to working with Cisco firewalls, but you need to make sure there is no IP address configured on the management interface. Try to think of it as just the hole that the FirePOWER services module (which will get its own IP) speaks out through.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# interface Management1/1
Petes-ASA(config-if)# no nameif
WARNING: DHCPD bindings cleared on interface 'management', address pool removed
Petes-ASA(config-if)# no security-level
Petes-ASA(config-if)# no ip address 

[/box]

3. So it should look like this:

[box]

Petes-ASA(config-if)# show run
: Saved

ASA Version 9.3(2)2
!
----Output removed for the sake of brevity----
!
interface Management1/1
management-only
no nameif
no security-level
!
----Output removed for the sake of brevity---- 

[/box]

4. Let’s make sure the FirePOWER service module is ‘up’ and healthy.

[box]

Petes-ASA(config)# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD19090XXX
 sfr FirePOWER Services Software Module           ASA5506            JAD19090XXX

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 a46c.2a99.eec5 to a46c.2a99.eece  1.0          1.1.1        9.3(2)2
 sfr a46c.2a99.eec4 to a46c.2a99.eec4  N/A          N/A          5.4.1-211

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               5.4.1-211

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up

[/box]

5. The SFR module is actually a Linux box running within the firewall; to connect to it you issue a ‘session sfr’ command.

  • Default Username: admin
  • Default Password: Sourcefire (capital S)
  • Default Password (after version 6.0.0): Admin123 (capital A)

As this is the first time you have entered the SFR, you need to page down (press space) through the sizable EULA, then accept it.

[box]

Petes-ASA(config)# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5506 v5.4.1 (build 211)

Sourcefire3D login: admin

Password: Sourcefire

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Linux OS v5.4.1 (build 12)

Cisco ASA5506 v5.4.1 (build 211)

You must accept the EULA to continue.

Press <ENTER> to display the EULA:

END USER LICENSE AGREEMENTIMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. IT IS VERY

----Output removed for the sake of brevity---- 

Product warranty terms and other information applicable to Cisco products are

available at the following URL: http://www.cisco.com/go/warranty.
----Output removed for the sake of brevity---- 

Please enter 'YES' or press <ENTER> to AGREE to the EULA: YES

[/box]

6. Set a new password.

[box]

System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.

Enter new password: Password123

Confirm new password: Password123

[/box]

7. Set up all the IP and DNS settings, then exit from the module session.

[box]

You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.

Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: manual
Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.100.22
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface []: 192.168.100.1
Enter a fully qualified hostname for this system [Sourcefire3D]: SFire
Enter a comma-separated list of DNS servers or 'none' []: 192.168.100.10,192.168.100.11
Enter a comma-separated list of search domains or 'none' [example.net]: petenetlive.com,pnl.net

If your networking information has changed, you will need to reconnect.

For HTTP Proxy configuration, run 'configure network http-proxy'

Applying 'Default Allow All Traffic' access control policy.
You can register the sensor to a Defense Center and use the Defense Center

----Output removed for the sake of brevity---- 

sensor to the Defense Center.

> exit

Remote card closed command session. Press any key to continue.

[/box]

8. Now you need to ‘send’ traffic through the module. In this case I’m going to send all IP traffic through, and I’m also going to set it to ‘fail open’; if you set it to fail closed then traffic will cease to flow through the firewall if the FirePOWER services module goes off-line. I’m making the assumption you have a default policy-map applied.

[box]

Petes-ASA(config)# access-list SFR extended permit ip any any
Petes-ASA(config)# class-map SFR
Petes-ASA(config-cmap)# match access-list SFR
Petes-ASA(config-cmap)# exit

[/box]

9. Add that new class-map to the default policy-map.

WARNING: If you are going to set ‘fail-close’ then make sure your SFR module is operating normally, or you will cause downtime (best to do this in a maintenance window!).

[box]

Petes-ASA(config)# policy-map global_policy 
Petes-ASA(config-pmap)# class SFR
Petes-ASA(config-pmap-c)# sfr fail-open
Petes-ASA(config-pmap-c)# exit
Petes-ASA(config-pmap)# exit

[/box]

10. Save the changes.

[box]

Petes-ASA(config)# write mem
Building configuration...

Cryptochecksum: 72c138e3 1fa6ec32 31c35497 621cff02

35819 bytes copied in 0.210 secs

[OK]

[/box]

11. At this point the firewall should be able to ping the management IP of the SFR module.

[box]

Petes-ASA# ping 192.168.100.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Petes-ASA#

[/box]

12. Now when you connect to the ASDM you can manage the FirePOWER services module. Note: I have seen some firewalls that flatly refuse to connect to the Firepower Services Module, and give an error ‘unable to connect on port 443’ every time you launch ASDM. I just re-image the module and load in a fresh install (40 mins to an hour), and start again.

Code to Copy & Paste

If you are lazy like me!

[box]

access-list ACL-FirePOWER extended permit ip any any
 class-map CM-SFR
 match access-list ACL-FirePOWER
 exit
policy-map global_policy 
 class CM-SFR
 sfr fail-open
 exit
 exit
write mem

[/box]
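Steps 8-10 and the copy-and-paste block above, as an added example (my code, not the article’s or Cisco’s): it reads the ‘show module’ output from step 4 to confirm the SFR module is Up on both the application and data-plane rows before it will emit a fail-close policy, and otherwise emits the fail-open version. The ACL and class-map names are those of the copy-and-paste block.

```python
# 'show module' output as printed in step 4 of the article, used as sample input.
SAMPLE_SHOW_MODULE = """\
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD19090XXX
 sfr FirePOWER Services Software Module           ASA5506            JAD19090XXX

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 a46c.2a99.eec5 to a46c.2a99.eece  1.0          1.1.1        9.3(2)2
 sfr a46c.2a99.eec4 to a46c.2a99.eec4  N/A          N/A          5.4.1-211

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               5.4.1-211

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up
"""


def sfr_module_state(show_module_text):
    """Pick the 'sfr' rows out of the application and status tables of 'show module'."""
    state = {}
    section = None
    for raw in show_module_text.splitlines():
        line = raw.strip()
        if line.startswith("Mod "):          # a table header: remember which table follows
            if "SSM Application Name" in line:
                section = "app"
            elif "Data Plane Status" in line:
                section = "status"
            else:
                section = None
            continue
        if section is None or not line.startswith("sfr "):
            continue
        tokens = line.split()
        if section == "app":                 # 'sfr ASA FirePOWER   Up   5.4.1-211'
            state["app_status"], state["app_version"] = tokens[-2], tokens[-1]
        elif section == "status":            # 'sfr Up   Up'
            state["status"], state["data_plane"] = tokens[1], tokens[2]
    return state


def sfr_healthy(state):
    return all(state.get(k) == "Up" for k in ("status", "data_plane", "app_status"))


def sfr_redirect_config(module_state, fail_close=False, acl="ACL-FirePOWER", cmap="CM-SFR"):
    """Emit the MPF snippet from the article; refuse fail-close on an unhealthy module."""
    if fail_close and not sfr_healthy(module_state):
        raise RuntimeError(f"SFR module is not Up/Up ({module_state}); fail-close would stop traffic")
    action = "sfr fail-close" if fail_close else "sfr fail-open"
    return [
        f"access-list {acl} extended permit ip any any",
        f"class-map {cmap}",
        f" match access-list {acl}",
        " exit",
        "policy-map global_policy",
        f" class {cmap}",
        f" {action}",
        " exit",
        " exit",
    ]


if __name__ == "__main__":
    state = sfr_module_state(SAMPLE_SHOW_MODULE)
    print(state)
    print("\n".join(sfr_redirect_config(state, fail_close=sfr_healthy(state))))
```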

Note: If you get an ‘unable to connect’ error, see the following article:

Cisco – Cannot Connect to the ASA FirePOWER Module

13. I suggest you update everything first. The ASA will configure an access control policy set to allow and inspect all traffic by default, which we will edit; set everything to update on a schedule (rule updates and geolocation info).

Cisco FirePOWER Services Adding Licences (ASDM)

In the box with the firewall, you will have an envelope; you don’t need to open it (as below) because the PAK number you need is printed on the outside anyway. This is the firewall’s CONTROL LICENCE, which allows it to be managed; we will install it via the ASDM. If you have a SourceFIRE appliance managing the firewall you would install it there instead. You need two bits of information: the PAK and the LICENCE KEY of the FirePOWER module (see below).

The Licence Key is the MAC address of the module (not the ASA). You can find it at Configuration > ASA FirePOWER Configuration > Licence; this is also where you will add all the licences. Go to www.cisco.com/go/licence and register the licence (and any additional licences, i.e. AMP, web filtering, etc.).

The licence(s) will be emailed to you; open them in a text editor and copy the text of each licence. You can see I’ve indicated below what you should be copying.

Paste that into the ASDM > Submit Licence.

It should say success; if it fails you’ve pasted too much text, or there’s a problem with the licence.

Review your licences. Here I’ve added AMP and web filtering but I’ve yet to add the control licence. If you don’t add the control licence, then when you try and edit the access control policy it will say you need a PROTECTION LICENCE (confusingly!).

FirePOWER Services Setup IPS

Disclaimer: These settings (and all the others below) are to get you up and running. As with any security device, you need to tune the settings accordingly. Please don’t follow these instructions, then email me with complaints that you’ve been attacked by ISIS/Scammers/Bots etc.

You get an IPS/IDS licence with any of the subscription based licences; it’s less hassle to set this up before the access control policy. Configuration > ASA FirePOWER Configuration > Policies > Intrusion Policy > Create Policy > Give it a name > I tend to use ‘Balanced Security and Connectivity’; look at the other options and choose whichever you prefer > Create and Edit Policy.

Give the policy a name > Commit changes (I accept all the defaults).

FirePOWER Services Enable Malware Inspection and Protection

Note: Obviously this needs you to have added an AMP Licence!

Configuration > ASA FirePOWER Configuration > Policies > Intrusion Policy > Files > New File Policy > Give it a name > Store FirePOWER Changes.

Add new file rule > I add everything > and set it to ‘Block Malware’ > Store FirePOWER Changes.

“Store ASA FirePOWER Changes”.

Warning: Nothing will be inspected, until you add this file policy to an access control policy.

ASA FirePOWER Services Edit / Create Access Control Policy

I renamed the default policy. Note: Even though I’ve called it ‘Base-Access-Control-Policy’, you can only apply one policy; you just add different rules to the policy as required. Add Rule.

In Source Networks > Add in ‘Private Networks’ (See Warning Below).

Inspection Tab > Add in the IPS and file policy you created above (That’s why I’ve done it in this order).

I set it to log at the end of the connection > Add.

“Store ASA FirePOWER Changes”.

FirePOWER Private Networks Warning

Private Networks only covers RFC1918 addresses; if your LAN/DMZ etc. subnets are different you should create a new Network object, then add the subnets for your network. If you do this, then substitute your network object every time I mention the Private Networks object.

Blocking a Particular URL with FirePOWER Services

Even if you don’t have a Web Filtering licence you can block particular URLs. Here I’m going to block access to Facebook. Configuration > ASA FirePOWER Configuration > Object Management > URL > Individual Objects > Add URL. Note: I’m adding http and https.

Then add a rule to your existing access control policy ABOVE the permit all rule (they are processed like ACLs, from the top down). Set the source network to your private subnets.

On the URLs tab add in your URL objects and set the action to block with reset, or Interactive block with reset if you want to let the users proceed to Facebook after a warning.

Note: If you have a Web filtering Licence you can select ‘Social Networking’ from the Categories tab, and that would also block Facebook, and Twitter etc.

ASA FirePOWER Services Commit and Deploy The Changes

FirePOWER services behaves the same on-box as it does when you use the SourceFIRE appliance: you can make changes, but nothing gets deployed until you commit the changes. If you have made a change then there will be a ‘Store ASA FirePOWER Changes’ button active. Then you need to select File > Deploy FirePOWER Changes.

Note: You will only see the Deploy option on SFR modules running 6.0.0 or newer.

Deploy.

Even now it’s not deployed; it takes a while. To see progress, navigate to Monitoring > ASA FirePOWER Monitoring > Task Status; it will probably have a ‘running’ task.

Wait until the policy deployment says completed before testing.

Related Articles, References, Credits, or External Links

Originally Published 17/11/15

Thanks to Eli Davis for the feedback.

Cisco ASA 5506-X / 5508-X Restart the FirePOWER Service Module

VMware Error – Host {name} currently has no management network redundancy

KB ID 0000231 

Problem

Seen in VMware ESX / VMware vSphere environments with both ESX and ESXi hosts.

Solution

As far as errors go this one’s pretty straightforward (and very common). I’ve seen it in ESX3 and vSphere networks with high availability clusters.

It’s complaining because there is only one physical NIC presented to the Service Console (I know ESXi does not have a service console, but it has a management IP).

To fix the problem you can do any one of the following.

1. Ignore the error, HA will still work (though it’s simple to stop it giving an error).

2. Present another physical NIC to the virtual switch that has the Service Console/Management port. On a host with loads of NICs that’s easy, but if you’re pushed for NICs then that’s not an option.

3. The easiest, and my preferred option: you already have vMotion running for HA, so simply add a Service Console (or a VMkernel management port if you’re running ESXi) to the vMotion switch. You will never need to connect to it anyway, and it will stop the system presenting this error.

Select your vMotion switch and select “Add Networking”. If you’re on an ESXi host then select “VMkernel”, or on an ESX host select “Service Console”.

For ESXi

For ESX

If you are on an ESX host, skip to the next step. ESXi users only: select the ‘use this port for management’ option. Take note of the IP address of your existing vMotion kernel port.

Give it an IP address in the same range as your Vmotion ports.

Now you can either wait, or right click each host and select “Reconfigure for HA”.

Related Articles, References, Credits, or External Links

NA

Exchange 2007 – Install the x32 Bit Management Tools

KB ID 0000285 

Problem

As you may already be aware, Exchange 2007 on an x32 bit machine is NOT supported in a production environment; however there is one exception: x32 bit Exchange 2007 IS supported for management only.

Note: There is NO x32 bit support, (or media) for Exchange 2010 (and newer).

Solution

You can install these tools on XP, 2003, Vista or Windows 7. For this example I’ll use XP.

Pre-Requisites

1. Install IIS: Start > run > appwiz.cpl > add remove Windows Components > Internet Information Services(IIS) > Next.

2. Download and install .Net Version 2.0

3. Download and Install .Net SP1

4. Download and Install MMC 3.0

5. Download and Install Powershell

Install the Exchange 2007 x32 Management Tools

1. Download the Management Tools.

2. Run the .exe file and extract the files to a folder > From that folder run setup.exe

3. Select “Step 4 Install Microsoft Exchange Server 2007 SP1”

5. At the intro page > Next > Tick “I Accept…” > Next > Next >

6. Select “Custom Exchange Server Installation” > Next > Select Management Tools > Next.

7. Exchange will perform its readiness checks > Next > Finish.

8. Exchange Management Tools will launch automatically.

Related Articles, References, Credits, or External Links

NA

HP MSM765zl and 775zl – Initial Setup and Routing

KB ID 0000917 

Problem

The MSM 765zl and 775zl, unlike the rest of the HP MSM controller series, do not have any physical Ethernet ports on them.

So before you can get to its web management interface, you need to be able to give it an IP address, and then the controller needs to be able to find a route back to where you are, assuming you are not on a flat unrouted/single VLAN. Obviously if you are directly connected to the same network segment then you can set the device’s ‘default route’ from the web management console.

Solution

1. Connect to the chassis that the controller is in, either via telnet or console cable. As I outlined in an earlier article, you need to find the controller’s slot letter and index number with a services command. (If you are sat in front of the switch the slot letter should already be known!)

2. Now, connect to the MSM directly and give the controller its LAN and WAN IP addresses.

Note: HP call them LAN and WAN interfaces (I know it’s confusing); the WAN interface does not have to connect to the WAN, it only points in that direction. I’m assuming it’s a throwback from when these devices were developed by Colubris.

[box]

CORE-SW# services F 2
CORE-SW(msm765-aplication-F)> enable
CORE-SW(msm765-aplication-F)# config
CORE-SW(msm765-aplication-F)(config)# interface ip wan
CORE-SW(msm765-aplication-F)(config-if-ip)# ip address 192.168.1.1/24
CORE-SW(msm765-aplication-F)(config-if-ip)# ip address mode static
CORE-SW(msm765-aplication-F)(config-if-ip)# end
CORE-SW(msm765-aplication-F)(config)# interface ip lan
CORE-SW(msm765-aplication-F)(config-if-ip)# ip address 10.254.0.100/16
CORE-SW(msm765-aplication-F)(config-if-ip)# ip address mode static
CORE-SW(msm765-aplication-F)(config-if-ip)# end
[/box]

3. Now, if you are on the same network (or VLAN) as the controller, you should be able to connect to the web management console. If not, you will need to do two further steps:

a) Connect the TWO virtual ports of the MSM to the correct VLANs on the switch.

b) Add a route back to the network you are on, either by setting a default route (if there is only one) or a static route.

Connect The Two MSM Virtual Ports

At this point the MSM blade can be treated like any other blade with Ethernet ports on it. Above we found out the blade was in slot F, so the ports will show up on the chassis switch as F1 and F2.

Port number 1: is the WAN/Internet port
Port number 2: is the LAN port

At the very least the WAN port should be in a different VLAN like so;

[box]

CORE-SW> enable
Password xxxxxxxx
CORE-SW# configure terminal
CORE-SW(config)# vlan 210 name WifiLink
CORE-SW(config)# vlan 210
CORE-SW(vlan-210)# untagged F1
CORE-SW(vlan-210)# exit
CORE-SW(config)#

If all your LAN traffic is on VLAN 1 (which is the default), then the MSM LAN port will already be untagged in VLAN 1. If not, you will also need to present the MSM LAN port to the LAN VLAN.

CORE-SW# configure terminal
CORE-SW(config)# vlan 10 name LANTraffic
CORE-SW(config)# vlan 10
CORE-SW(vlan-10)# untagged F2
CORE-SW(vlan-10)# exit
CORE-SW(config)#

[/box]

Adding Default and Static Routes to the MSM controller.

The controller needs a default route, or it will not be able to send traffic out of the local LAN. In a simple flat network that should be all that you need. But if you have multiple network segments (or VLANs), then it will also need a static route added for each of these. This is important both for access to the web management console and because your wireless access points need to be able to speak to the controller! If your wireless access points are on a different network you may need to follow the article below to let them know where the controller is.

Register HP Wireless Access Points With an HP MSM Controller on a Different Subnet

[box]

CORE-SW# services F 2
CORE-SW(msm765-aplication-F)> enable
CORE-SW(msm765-aplication-F)# config
CORE-SW(msm765-aplication-F)(config)# ip route gateway 0.0.0.0/0 192.168.1.254 1

If you need to add additional routes the syntax is the same as above.

CORE-SW(msm765-aplication-F)(config)# ip route gateway 10.100.0.0/16 10.254.0.254 1
CORE-SW(msm765-aplication-F)(config)# ip route gateway 10.200.0.0/16 10.254.0.254 1

[/box]

Now you should be able to connect to the web management console and configure your wireless networks. This process is identical to configuring the physical controllers like the MSM 720; see the link below.

Manually Configuring HP Wireless (MSM 720 controller) for Public and Private Wireless Networks

Related Articles, References, Credits, or External Links

NA


Cisco Catalyst Switches – Set a Management IP and Allow Telnet and Web Management

KB ID 0000614 

Problem

If you want to manage your Cisco Catalyst switch, it’s not always practical to plug a console cable in to change its settings or monitor what it is doing. Putting an IP address on it and enabling remote management via Telnet or from your web browser is a better alternative, particularly if you have a lot of switches.

Solution

Enable Telnet Management on Cisco Catalyst Switch

1. Connect to the switch using a terminal emulation program like HyperTerminal or PuTTY.

2. Issue the following commands;

[box]

enable
{enter enable password if prompted}
conf t
line vty 0 15
password {password required}
login
exit 

[/box]

Add a Management IP to a Cisco Catalyst Switch

3. Whilst still in configure terminal mode issue the following commands;

[box]

int vlan1
ip address {IP address required} {Subnet required}
no shutdown
exit

[/box]

Cisco Catalyst Set an Enable Password

4. If you Telnet in, you can’t change any system settings unless an enable password has been set.

[box]enable password {Password required}[/box]

Optional : Set the Cisco Catalyst Switches Default Gateway

5. If you need to manage the switch from another subnet, you will also need to set a default gateway.

[box]ip default-gateway {IP address required}[/box]

Enable Web Management on Cisco Catalyst Switch

6. To connect to and manage the switch from a web browser execute the following command, and then exit configure terminal mode.

[box]

ip http server
exit 

[/box]

7. Finally save the changes with a “write mem” command.

[box]write mem[/box]

Testing the Configuration

8. From a machine on the same network segment make sure you can ping the switch on its new IP address.

9. Then make sure you can “telnet” into it.

10. Open a web browser and navigate to the switch’s IP address > Select ‘Web Console’.

Note: You will require Java for this to work.

11. After entering the enable password you should see the following.

Related Articles, References, Credits, or External Links

Cisco Catalyst Password Recovery / Reset

Manage your Cisco Firewall from your Windows Mobile Device

KB ID 0000158 

Problem

You have a new Windows Mobile device and you’re bored! Well, not really; I hope I never have to do this in anger, but it was an exercise in proving it can be done 🙂

Solution

Before you start you need to ensure the following has been done:

1. The firewall in question needs an RSA key generated on it (on the firewall, issue the following command: “crypto key generate rsa” {without the quotes}).

2. The IP address of the phone needs to be allowed: you can analyse the logs to see what’s trying to connect on port 22 and allow that, or issue the following command: “ssh 0 0 outside”. NOTE: that opens your firewall up to SSH access from ANY IP address, so only turn that on when you need it, or find the IP of the phone and allow that!

3. You need a copy of “PocketPuTTY” on your phone.

To put PocketPuTTY on your phone, either use Active Sync, Windows Mobile Device Center, or copy it on with an SD card.

Then on the phone simply navigate to PocketPuTTY, run it, and give it the IP address of the firewall. (Note: You may need to un-tick the “Use Compression” option).
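As an added example (not code from the original KB articles), the Python below audits the management settings the Catalyst steps above turn on (vty password login, “enable password”, “ip http server”) and the “ssh 0 0 outside” line from this article, reporting each setting that has a stronger equivalent on the same platform. The two sample configs are constructed for the example and are not real device dumps.

```python
import re

# Constructed IOS sample mirroring the Catalyst management steps above.
SAMPLE_IOS = """\
enable password s3cret
line vty 0 15
 password s3cret
 login
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
ip default-gateway 192.168.1.1
ip http server
"""

# Constructed ASA sample with the wide-open SSH line from this article.
SAMPLE_ASA = """\
hostname asa
ssh 0 0 outside
ssh timeout 5
"""

# ASA accepts the shorthand "ssh 0 0 <if>" as well as "ssh 0.0.0.0 0.0.0.0 <if>".
_ANY_SRC_SSH = re.compile(r"^ssh\s+(0|0\.0\.0\.0)\s+(0|0\.0\.0\.0)\s+\S+$")


def audit_management_config(config: str) -> list[str]:
    """Return one finding per weak remote-management setting found in config.
    Line based: one pass over the text, tracking 'line vty' blocks by indent."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    findings = []

    if any(l.startswith("enable password ") for l in lines) and \
       not any(l.startswith("enable secret ") for l in lines):
        findings.append("enable password set without enable secret (use 'enable secret', it is stored hashed)")

    block, ssh_only = None, {}          # each 'line vty a b' -> restricted to SSH?
    for l in lines:
        if l.startswith("line vty "):
            block = l
            ssh_only[block] = False
        elif l.startswith(" ") and block:
            if l.strip() == "transport input ssh":
                ssh_only[block] = True
        else:
            block = None                # left the vty block
    for name, restricted in ssh_only.items():
        if not restricted:
            findings.append(f"{name}: transport input not limited to SSH, Telnet sends the vty password in clear")

    if "ip http server" in lines and "ip http secure-server" not in lines:
        findings.append("ip http server without ip http secure-server: web management over plaintext HTTP")

    for l in lines:
        if _ANY_SRC_SSH.match(l):
            findings.append(f"'{l}': SSH permitted from any source address on interface {l.split()[-1]}")
    return findings
```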

Related Articles, References, Credits, or External Links

Connecting to and Managing Cisco Firewalls