PeteNetLive: Technology that 'Just Works'
https://www.petenetlive.com (feed snapshot: Fri, 09 Apr 2021 08:34:34 +0000)

Adsense Alternative?
https://www.petenetlive.com/kb/article/0001746 (published Thu, 08 Apr 2021 12:28:13 +0000)

KB ID 0001746

Way back in 2004 when PeteNetLive started, I didn't even consider monetising the site; it was simply a place to store my personal scribblings about problems I'd faced in support. But as it grew it had to move from a second-hand PC under my desk to a dedicated server, then to a rented VPS, and the cost began to rise.

Back then there were a few 'ad agencies', but unless you were getting a LOT of traffic they would not even let you through the door. ANYONE could use Adsense, though; it was (and still is) the advertising platform that Google provides.

Adsense

How does Adsense work? Simply put, you add some code to your web pages, decide what 'size' you want the ads to be, and place the provided code where you want the ads to appear. Once the ads have generated enough income (clicks), Google pays you your calculated share for them.

Have we ever used any other ad 'providers'? Yes. We've advertised directly for vendors (Veeam was a great partner for many years, and it was only because I felt we'd 'outgrown' the relationship that we discontinued it this year). We also use BuySellAds, who are another alternative but take a larger slice of the revenue for themselves, and getting your money out of them is a manual process that can take a few days. We have used MediaNet, who just seemed to resell Adsense and take a middleman cut, or put in video adverts that adversely affected my site's speed and performance.

Why Look at an Adsense Alternative?

Well, for me there were two reasons. My web traffic has gone up dramatically, but my income from the site hasn't gone up at the same rate, so I can only deduce that Google are taking larger and larger slices and doing not a great deal more to justify that commission. Secondly, they are effectively the world's biggest ad agency and they can't even sort out ad code compliance without expecting me to fix it for them. (If they've fixed that in the interim, great, but it was the straw that broke the camel's back for me.)

Newor Media (The best Adsense Alternative)

In the autumn of 2020 I got an email from Newor Media asking if I'd be interested in using them. I get a massive amount of email from ad networks, SEO experts, people wanting consultancy, etc. Ninety-nine percent of them just get 'speed read' and deleted, and so did the one from Newor Media, but they politely followed up and I replied.

Why Use Newor Media?

Well, they differ from other ad networks insofar as they exist to get the best revenue for your ad space. They do this by auctioning ad units to potential advertisers, including Adsense and other advertisers who are not using Adsense/Adwords. Plus, when I have a query or a problem I can email a 'person' who responds, is helpful (kudos to Katie!), can escalate things and get support directly. If you use Adsense your only helpline is usually 'other users of Adsense', which is frustratingly terrible! So I agreed to give them a trial run.

What's Involved / How Difficult Is It To Set Up?

To be accepted you need to meet certain traffic levels (30k unique users per month, with the large majority of those being English speaking, e.g. en-us, en-gb etc). Once accepted they send you an Insertion Order (if you've hosted ads with other companies this will be routine; for the uninitiated, it's the legal agreement between you, the site host, and the supplier (Newor), so READ IT, then sign, date, and return it).

From there on it's pretty much the same as for Adsense: you add some code to your site's HEAD section, and they (Newor Media) send you a small code 'snippet' to paste in wherever you want the ad to appear. (In my case that's a mixture of WordPress 'Widgets' and, for the main content, wherever I tell 'Ad Inserter' to put them.) You will also need to maintain an ads.txt file in the root of your website; this is simply a text file that you periodically have to update by copying and pasting some text into it.

How Much More Than Adsense Will You Make?

The 64 thousand dollar question 🙂 Well, Adsense rules dictate that you are not allowed to disclose what you are earning, so I can't give you a direct comparison, BUT what I can do is demonstrate how much more you would be making with Newor Media.

[Graph: Newor Media and Adsense revenue comparison]

The graph above compares Newor Media in BLUE (Oct 20 to Mar 21) with Adsense in GREY (Oct 19 to Mar 20). Bear in mind that my YouTube earnings are included in the Adsense figures as well!

Adsense Alternative: OK I'm Sold, Where Do I Sign Up?

Provided you meet the 30k unique visitors a month (primarily English speaking) threshold. Note: you can get this information from Google Analytics (Audience > Active Users > 28 Day Active Users, and Audience > Geo > Language). Then you can apply (click the link below and tell them PeteNetLive sent you!)

Newor Media

Related Articles, References, Credits, or External Links

NA

FortiClient: Unlicensed VPN access is available until..
https://www.petenetlive.com/kb/article/0001745 (published Tue, 06 Apr 2021 10:26:24 +0000)

KB ID 0001745

Problem

I got an email from a client I deployed SSL VPN for (a couple of weeks ago); one of his users was seeing this:

[Image: FortiClient 'Unlicensed VPN access' warning]

Unlicensed VPN access is available until {Date} {Time}

Solution: Unlicensed VPN access is available until…

At first I was confused: unlike some other vendors' products, the FortiGate SSL VPN doesn't need a licence. As it turns out, in my instructions I'd written 'Download the FortiClient' when I should have said 'scroll to the bottom and download the FortiClient VPN version'. The full FortiClient is the licensed endpoint product (hence the trial countdown); the free 'FortiClient VPN' download is the VPN-only client, and that is the one to point users at.

[Image: Fortinet download page, 'FortiClient VPN only' client]

That will teach me!

Related Articles, References, Credits, or External Links

NA

A Pub? In the Garden?
https://www.petenetlive.com/kb/article/0001744 (published Thu, 01 Apr 2021 09:39:09 +0000)

KB ID 0001744

Garden Pub

During lockdown in 2020 I decided that, seeing as I could not go to the pub, it would be a better idea to have one of my own. I'm not a builder, but being an ex Royal Engineer I've got enough know-how to turn my hand to most things. (Disclaimer: if you're going to do your own electrics, get it checked by an electrician!)

What to Buy?

Well, you are faced with two choices: fabricate your own, or buy a 'pre-built' flat-packed building (probably sold as a 'summer house' or 'garden room'). I had a budget for the building of about £2-2.5k, did a lot of looking online and eventually settled on a 16'x10' summer house from 'Nordic Timber Buildings'. The base building was about £1.6k, but by the time I'd added a 4' canopy and upgraded the roof felt it was just shy of £2k. The problem was that (in Jun/Jul of 2020) I could not get one delivered and built before NOVEMBER!

Prep Work (Footing)

I knew I needed something to stand it on: either a concrete pad (ideally), or I looked at plastic bases you fill with stones, or using slabs etc. I've done plenty of concreting in the past, so that was the route I was looking at, but getting ready-mixed concrete to my back garden would have been a pain. Luckily my neighbour was having a path put in his back garden, and after a quick discussion it was arranged that he would put down a 16'x10' concrete pad for me for £1k. Now, I could have done it cheaper, but 1) he's got all the gear, 2) he knows the contacts, 3) he'll do it much quicker than me, 4) it would probably take me about 3-4 weekends to sort out myself, and 5) another lump of concrete needed removing, and it saved me hiring a breaker. Finally, he agreed to do another 6'x4' pad on the other side of the garden to put my new garden shed on, for no extra charge (sold!)

So all I needed to do was clear all the trees and branches out of the way.

[Image: Garden pub base / summer house base]

The base sits on plate-compacted material that looks a lot like dolomite (but isn't) and compresses rock hard (I was told it's made from reclaimed stone and concrete).

The guy picked the concrete up as a 'semi-wet' mix on his flatbed, then he (and another) wheelbarrowed it to the formwork. They did it in two 'pours', as you can see in the photo above.

Wait

As I said above, I now had to wait until November 30th 2020. The firm (Nordic Timber Buildings) were great. On the day they turned up it was tipping down with rain and their route from truck to concrete pad (down the side of my house and round other outbuildings) was 'challenging', but credit to them, they were outside my house at about 08:00 and finished by lunchtime.

[Image: Summer house]

Verdict: As I'm writing this I'm a few months down the line, so I've got a few more 'opinions'. On the whole I'm satisfied: the company were great, communication was spot on, the assemblers were great, and it does exactly what it says on the tin.

Minor Gripes:

  1. Whatever they used to cut the exterior cladding at their factory was probably not as sharp as it should have been (the edging, particularly round the windows, is a bit 'ragged'). I can sort this out in time with a Stanley knife or a chisel, so I can let that go.
  2. The door hinges are terrible! One had practically no galvanisation on it at all and by January was brown with rust. I'm planning to replace the doors (long term), so that's not the end of the world.
  3. The two front doors are not terribly well fitted, to be honest; I've got them screwed shut presently (there's a door on the side). In the long term I'll replace them, but they are hard to secure (i.e. to fit a decent hasp and staple, or some bolts).
  4. There are a couple of 'knot holes' I'd have liked to have seen filled, but for what I paid I can go to B&Q and get some wood filler.

Summer House Pub

 

Sorting Out The Interior

Well, the building was soaking to start with; it was probably stored outdoors at the factory and had been transported in the rain. I ran a dehumidifier in there for a few days to try and get it dried out a little.

Forums / Facebook Groups and ‘Experts’

I've never had to insulate a wooden building before, so I joined a few groups, read a few posts and asked some questions. What I learned was that, unfortunately, the world is full of 'Experts', and if you don't do things exactly the same way they've done them you're a negligent idiot (or it's all going to go wrong).

I'm not an expert (not even close); I just sponged up as much information as I could, made a decision on what I was going to do, then got cracking.

Moisture Barrier

Briefly, a moisture barrier is a membrane (usually a tightly woven plastic fabric) that is used to 'wrap' buildings. You will also see it in modern buildings under the roof tiles. It's designed to let water vapour pass outwards through it while stopping water coming inwards. (If you've ever worn GoreTex clothing you get the idea.)

Q. Did you wrap the outside of your building?

A. No. I get asked this a lot. If you build a timber-framed building, you wrap the 'frame' in a membrane and then clad the outside of that. For me to do the same I'd have to disassemble the entire building, remove all the upright battens from the external cladding, cover the cladding in membrane and rebuild the building again. I'm not going to do that, because it's a monumental waste of time and effort.

So I covered the 'inside' of my building with membrane, completely, like so:

Summer House Vapour permeable Membrane

Q.What did you use?

A. Protect TF200 2.7m x 100m Roll (approx £165)

Q. How did you fix it to the walls?

A. It's stapled. If you can get galvanised or stainless staples, use those (I didn't, I used cheap steel ones; yes, they will probably rust, but they will be buried in the wall cavity and the PIR insulation will keep the membrane in place anyway).

Q. Why is it blue?

A. I've not got a clue. I wanted it in 2.7m widths so I didn't have to cut it so much, and the blue was the first one I saw.

Q: Did you leave any vents/gaps?

A: Yes, across the top of each section it's vented to the outside to allow airflow and, potentially, to get rid of any condensation from inside the walls after I've finished.

Garden Pub: Insulation

Depending on your budget you have probably three choices: Rockwool (like the stuff that's in your loft), PIR (polyisocyanurate) boards, or a combination of foil/bubblewrap. I like the idea of Rockwool because it also deadens sound, and I intend to have at least one electric guitar in here. But in the end I went for PIR.

It comes under many brand names (Celotex, Kingspan etc.) but they are all essentially the same: a layer of foil, then some foam, then another layer of foil. It comes in different thicknesses; I chose 50mm.

Q: Why did you choose 50mm PIR?

A: My wall battens are 62x38mm. If I put 50mm PIR in, that leaves me a 12mm cavity between the PIR and the inside of the interior walls.

Q: How much was it?

A: £280 for the PIR, then you need some foil tape (I recommend you get this from Screwfix and buy the 100mm stuff, it's miles better!)

It comes in 2.4x1.2m sheets (or 8x4 in old money). The best price I found was insulation4less, but BEWARE, they sting you with a delivery charge. So order it all at once, and make sure you get the quantity right. Note: later on I'll be doing the floor, so I made the mistake of ordering twice!

Installation

Put your Stanley knife away! The best way to cut this stuff is with a good old-fashioned hand saw; get a decent straight edge, and always cut it 2mm bigger than you actually need. If you can, cut it outside! The dust is terrible; it's not harmful, but it gets in your throat, so do as I didn't and wear a mask!

Q: How do I know how much I need?

A: I measured each piece I needed in the building, then sat and drew a page of rectangles (PIR boards) and worked out how to use the LEAST number of boards.

Garden pub insulation.

Q: How do you stop it falling out of the roof and walls?

A: The more you work with it, the better you will get at cutting it correctly; by the time you finish, everything will be a snug friction fit, so that won't be a problem, it will just stay there. But if you cut a piece a little too short, get some cheap plastic-headed push pins from the stationery shop; they will hold it there until you tape it later.

Summer House PIR

Vapour Barrier

Why? If you are in a warm outbuilding and it's cold outside, then water vapour in the air inside is going to condense, usually on the coldest surface (the inside face of your outside wall/cladding). To stop that happening you need a barrier (preferably with a well-ventilated air void behind it) to prevent a build-up of moisture in the walls.

You can either put up a stand-alone vapour membrane (basically a decent sheet of polythene, though there are specific building membranes you can use), or, if you've used PIR (like I did), you can 'tape' all the joints with moisture-proof tape, which is the same tape that you use to join pieces of PIR.

Q: What Tape?

A: Try not to get the tape that's got a backing you need to peel off; if you have nails like mine it's a pain in the backside. I used 100mm x 75m Diall insulation board tape from Screwfix, it's about £6 a roll. Get plenty! I used 4 rolls on the walls and roof, and I will need more when I do the floor.

[Image: Vapour/foil tape]

Here you can see the roof fully taped (excuse the wires).

Summer House Taped PIR

Walls & Lining

My original plan was to use plasterboard, because it's reasonably cheap and I know a good plasterer. In the end I decided to clad it with softwood tongue and groove. This is more expensive and takes a LOT longer, but I think it will look nicer. You can of course line yours with plywood or OSB (oriented strand board); old farts like me will call that chipboard, but it's a great deal stronger than chipboard and is designed for use in construction. If you choose to use OSB then use OSB3, as it's more moisture resistant.

Plasterboard warning: I've seen many posts by people who get upset when others advise using plasterboard, because it's porous and can get wet and degrade; there are moisture-resistant (and foil-backed) versions. I've not got the experience, so I can't comment.

I'm using 7.6mm cladding, so it's quite thin. The best advice I can give you is: every few layers make sure you are level, and if you have to clad around a door or window and then 'meet' above it, put in a vertical joint, because unless you laser-level each run they won't meet up at the same point! Unless you're a master carpenter, or at least a better chippy than I am (which is not difficult 🙂)

Below: I've finished cladding the walls. I will also clad the roof; I'm just waiting on the light fittings.

Q: How did you fix the cladding?

A: Headless nails. You can normally hide the nails in the tongue and groove, but as I was using 7.5mm cladding it was a bit too thin, so it's nailed directly onto the battens.

Garden Pub – Underfloor Insulation & Vapour Barrier

This time I'm using 25mm PIR, then I'll cover it with OSB and finally lay laminate.

Floor Battens Insulation

In fact, just covering the floor in vapour-permeable membrane has raised the temperature 2-3 degrees in there, and I can see how much the wind catches it!

Q: Why 25mm PIR?

A: Because the same timber I used for the battens (62x38mm) is also used in the floor, but sideways on, so I can use 25mm PIR and still have a 13mm void.

Q: Why so many sockets?

A: See below.

Here's the first section insulated and taped. BE AWARE that OSB boards are 2.44 x 1.22m (because they are still 8'x4'), so don't start screwing battens down until you've put them in the correct place. Your insulation boards will be 2.4 x 1.2m.

This time I cut them outside, to stop choking on dust!

Floor Insulation Summer House

 

The following shows each section of the floor construction, and one section of the OSB in place.

Floor Insulation Summer House complete

Now with the OSB down, floors ready for laminate to be laid.

[Image: OSB floor complete]

Q: What did it cost to insulate the floor?

A: OSB, 5 sheets of 12mm 8x4, was £150.00; the 25mm PIR, 5 sheets, was £138.30; the 62 x 38mm timber was (approx) £55.00.

 

Why So Many Sockets?

No, I'm not planning a ganja farm. Apart from being a bar in the garden, I also intend to be working out here (as I work from home), and I'll be out here with my electric guitars.

That's still a LARGE amount! Well, yes it is, but because I've never done this before I decided to find out other people's thoughts...

[Image: 'How many sockets?' discussion]

Now in my home there's a constant: every single plug socket in the house has a 5-way extension plugged into it, and some more than one. What I don't want out there is a sea of extension sockets.

As you can see from the construction, once it's clad, adding additional sockets (internally) will be a ball ache. BUT the next build phase is to deck outside, and if I want to put external power in it's as simple as drilling out the back of an existing socket.

So for every socket I 'think' I need, I've put a double socket in.

Under the consumer unit: there are two doubles, one for the EoP ethernet feed, the other in case I need a power injector for the Meraki AP26 wireless access point I'll be fitting in the roof. That leaves me capacity to fit a Gigabit switch and have a spare socket in the consumer unit cupboard.

Behind the bar: there are three doubles. Two sockets for beer fridges, two for PerfectDraft beer dispensers, one for an ice machine, one for an air fryer (shit, I've already run out).

That leaves me 21 double sockets; that's loads, right?

TV, Amazon FireTV box (a Firestick doesn't cut it for me), soundbar, PS4, jukebox, 1080p projector, Line 6 guitar amp, Vox ToneLab guitar pedal, my MacBook Pro docking station, my HP EliteBook docking station, external monitor, MFD, chargers for my work and personal phones.

That's more than half of them gone already! And that's before my daughters, visitors and visitors' kids want to plug all their devices in and jump on the wireless. Also, let's not forget this is in my garden; it's going to be easier to plug lawn mowers, strimmers and hedge trimmers in here as well (without unplugging stuff).

So no, I think I'm pretty much spot on. I've applied the Seven P's:

Prior Preparation and Planning Prevents Piss Poor Performance.

 

Garden Pub: What's Next?

The floor needs laminate; I'll start that next weekend.

Related Articles, References, Credits, or External Links

NA

 

FortiGate Certificates Missing?
https://www.petenetlive.com/kb/article/0001743 (published Thu, 01 Apr 2021 09:27:44 +0000)

KB ID 0001743

Problem

Nice quick easy one today. While setting up SSL VPNs for a client I needed to import their Root CA certificate, and found the FortiGate certificates missing. Usually they are under System > Certificates, but the tab simply was not there.

Solution: Fortigate Certificates Missing

Fortunately it was simple to fix: it's a 'feature' you simply need to 'enable'. Go to System > Feature Visibility > enable Certificates, et voila!

Fortigate Certificates Missing

If only all my problems were that simple!

Related Articles, References, Credits, or External Links

NA

FortiGate Port Forwarding
https://www.petenetlive.com/kb/article/0001742 (published Tue, 30 Mar 2021 08:40:36 +0000)

KB ID 0001742

Problem

I was back on the tools again today setting up FortiGate port forwarding! This was for one of our partners that I have to do some remote work for, so I temporarily needed to get onto their servers. Normally I'd just SSL VPN in (but that's what I'm setting up!), so to get onto their servers I had to set up a port forward for RDP.

WARNING: Port forwarding RDP from ALL/any is a BAD IDEA (Cryptolocker, anyone?). So if you must port forward RDP, lock it down to a particular source IP, like I'm about to do, and remove the rule again once the temporary need has gone.

Fortigate Port Forwarding

The process is:

  1. Set up a 'Virtual IP' (with port forwarding enabled)
  2. Create a 'Virtual IP Group'
  3. Allow traffic to the Virtual IP Group

FortiGate Port Forwarding: Create a Virtual IP

Policy and Objects > Virtual IPs > Create New > Virtual IP.

FortiGate Port Forward

Give it a sensible name > set the Interface to the outside/WAN interface > set the External IP to the public IP address of the firewall* > set the Mapped IP address to the internal IP address of the server you are forwarding to > enable 'Port forwarding' > select TCP or UDP > type in the port(s) you want to forward (forwarding a range of ports is much easier on a FortiGate than with 'some other' vendors!) > OK.

*Note: I'm assuming that if you are port forwarding you only have one public IP (or you've run out).

Fortinet Port Forward

FortiGate Port Forwarding: Create a Virtual IP Group

From the Virtual IP menu > Create New > Virtual IP Group.

Fortigate Port Forward Virtual IP

Give the group a name > select the outside/WAN interface > add in the Virtual IP you created above > OK.

Fortigate Port Forward Virtual IP

FortiGate Port Forwarding: Add an 'Address'

If you are port forwarding something like HTTP/HTTPS to a web server, or SMTP to a mail server, you can skip this step. As per my warning above, I'm restricting public access to one single public IP (mine). For most port forwarding scenarios you would set the source to 'ALL'.

Anyway, for completeness here's how to create an address object. Policy & Objects > Addresses > Create New > Address.

Fortigate add external Address

Give it a recognisable name > Type = Subnet > type the IP into the IP/Netmask box (a single host is x.x.x.x/32) > set the Interface to outside/WAN > OK.

Fortigate add external Address

FortiGate Port Forwarding: Allow Port Forwarded Traffic

Policy and Objects > IPv4 Policy (or Firewall Policy on newer firmware) > Create New.

Fortigate Allow Port Forwarded traffic

  • Name: something identifiable
  • Incoming Interface: outside/WAN
  • Outgoing Interface: the internal interface the server sits on
  • Source: for RDP, the single address object you created above; for all other port forwarding simply use ALL instead
  • Destination: your Virtual IP group
  • Schedule: always
  • Service: RDP (or the service/port you are forwarding, if different)
  • Action: ACCEPT
  • NAT: leave it disabled; with NAT on, the server sees every connection coming from the firewall's internal address rather than the real client IP, which ruins your RDP logs
  • Log Allowed Traffic: All Sessions, so you have a record of who connected

Click OK.

Fortigate Port Forwarding Rule
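The same three steps (plus the address object) from the FortiGate CLI, as an added example rather than configuration taken from the post. Interface and object names and all addresses are assumptions: wan1 is the outside interface, internal is the LAN interface the server sits on, 203.0.113.10 is the firewall's public IP, 192.168.1.10 is the RDP server and 198.51.100.7 is the one source IP allowed in.

```text
# Added example, not from the post: FortiOS CLI equivalent of the GUI steps above.
# Assumed: wan1 = outside, internal = LAN, 203.0.113.10 = firewall public IP,
#          192.168.1.10 = RDP server, 198.51.100.7 = the ONE permitted source.

# 1. Virtual IP with port forwarding (external TCP/3389 -> internal TCP/3389)
config firewall vip
    edit "VIP-RDP-SRV01"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.10"
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedport 3389
    next
end

# 2. Virtual IP group (add further VIPs to 'member' as you forward more services)
config firewall vipgrp
    edit "VIPGRP-INBOUND"
        set interface "wan1"
        set member "VIP-RDP-SRV01"
    next
end

# Address object for the single permitted source (/32 host)
config firewall address
    edit "ADDR-ADMIN-PUBLIC"
        set subnet 198.51.100.7 255.255.255.255
        set associated-interface "wan1"
    next
end

# 3. Policy: only that source, only RDP, no source NAT, every session logged
config firewall policy
    edit 0
        set name "IN-RDP-SRV01-ADMIN-ONLY"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "ADDR-ADMIN-PUBLIC"
        set dstaddr "VIPGRP-INBOUND"
        set action accept
        set schedule "always"
        set service "RDP"
        set nat disable
        set logtraffic all
    next
end
```

'RDP' is FortiOS's built-in service object for TCP/3389; 'edit 0' lets the firewall assign the next free policy ID. For a general-purpose forward (HTTP/HTTPS to a web server) you would set srcaddr to "all" instead of the /32 object, exactly as the GUI steps say.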

FortiGate Port Forwarding: Troubleshooting Port Forwarding

You can see what’s going on by using the packet sniffer in the firewall.

diagnose sniffer packet {interface} 'host {External IP} and port {Port Number}' 4

e.g.

diagnose sniffer packet wan 'host 234.234.234.234 and port 3389' 4

Fortigate Testing Port Forwarding with packet sniffer

Note: In the example above I'm getting no return (SYN-ACK) traffic, because the Windows firewall was on and dropping the traffic! I diagnosed that by attempting to ping the server from the firewall (execute ping {internal IP address}) and failing to see a response.
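Reading a long sniffer capture by eye gets tedious, so here is an added example (not from the post) that parses the verbosity-4 output format shown above and reports, per client connection, whether the forwarded server ever answered with a SYN-ACK. The capture it runs on is constructed for the example: one flow that completes the handshake and one whose SYNs go unanswered, which is the symptom in the post. Addresses, interface name and port numbers are assumptions.

```python
"""Classify TCP flows in FortiGate 'diagnose sniffer packet ... 4' output.

Added example, not part of the original post. Lines have the form
"<ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp flags ...>".
The sample capture below is constructed for this example.
"""
import re
from collections import defaultdict

# One verbosity-4 TCP line, e.g.
#   1.000123 wan1 in 198.51.100.7.52001 -> 203.0.113.10.3389: syn 1318406283
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+(?P<flags>.+)$"
)

# Constructed sample: client port 52001 completes the handshake, client port 52002
# sends three SYNs and never gets a SYN-ACK back (the situation in the post).
SAMPLE_CAPTURE = """\
interfaces=[wan1]
filters=[host 203.0.113.10 and port 3389]
1.000123 wan1 in 198.51.100.7.52001 -> 203.0.113.10.3389: syn 1318406283
1.000210 wan1 out 203.0.113.10.3389 -> 198.51.100.7.52001: syn 2560689621 ack 1318406284
1.020455 wan1 in 198.51.100.7.52001 -> 203.0.113.10.3389: ack 2560689622
4.500000 wan1 in 198.51.100.7.52002 -> 203.0.113.10.3389: syn 99001122
5.500000 wan1 in 198.51.100.7.52002 -> 203.0.113.10.3389: syn 99001122
7.500000 wan1 in 198.51.100.7.52002 -> 203.0.113.10.3389: syn 99001122
"""


def parse_sniffer(text):
    """Return a list of packet dicts; header lines (interfaces=, filters=) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["ts"] = float(p["ts"])
            p["flags"] = p["flags"].split()  # e.g. ["syn", "2560689621", "ack", "1318406284"]
            packets.append(p)
    return packets


def classify_flows(text):
    """Map (client ip, client port) -> status for every inbound connection attempt."""
    syns = defaultdict(int)  # client flow -> number of bare SYNs seen coming in
    synacks = set()          # client flows that received a SYN-ACK going out
    resets = set()           # client flows that received an RST going out
    for p in parse_sniffer(text):
        f = p["flags"]
        if p["dir"] == "in" and f[0] == "syn" and "ack" not in f:
            syns[(p["src"], p["sport"])] += 1
        elif p["dir"] == "out" and "syn" in f and "ack" in f:
            synacks.add((p["dst"], p["dport"]))
        elif p["dir"] == "out" and f[0] == "rst":
            resets.add((p["dst"], p["dport"]))

    status = {}
    for flow, count in syns.items():
        if flow in synacks:
            status[flow] = "handshake ok"
        elif flow in resets:
            status[flow] = "refused (RST): nothing listening on the mapped port"
        else:
            # The sniffer sees the SYN before policy lookup, so this also covers a
            # denying policy or a wrong VIP, not just the host firewall case in the post.
            status[flow] = (f"no SYN-ACK after {count} SYN(s): check policy/VIP, "
                            "then the server's own firewall")
    return status


def report(text):
    """One human-readable line per client flow, sorted by client address and port."""
    return [f"{ip}:{port} -> {state}"
            for (ip, port), state in sorted(classify_flows(text).items())]


if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE):
        print(line)
```

Paste the real sniffer output in place of SAMPLE_CAPTURE. When every flow reports "no SYN-ACK", work from the outside in as the post did: confirm the policy and VIP match (diagnose debug flow on the FortiGate shows the policy decision), then check the server itself.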

Related Articles, References, Credits, or External Links

Fortigate: One to One (Static NAT)

macOS – SSH Error ‘No Matching Exchange Method Found’
https://www.petenetlive.com/kb/article/0001245 (published Wed, 24 Mar 2021 12:43:21 +0000)

KB ID 0001245 

Problem

Note: certified working all the way up to macOS Big Sur version 11.2.3.

I thought my RoyalTSX had broken today; I upgraded it a couple of weeks ago, and I upgraded to macOS Catalina 10.15 the other day. After this, all my SSH sessions refused to connect with this error:

[Image: macOS SSH error, no matching key exchange method found]

Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Note: You may also see the following error:

[Image: macOS SSH error, no matching cipher found]

Unable to negotiate with x.x.x.x port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Update 10/04/20: With newer equipment you may see the following error:

Unable to negotiate with x.x.x.x port 22: no matching MAC found. Their offer: hmac-sha2-256

Mac SSH Error – Fix

This is not Apple's fault, it's OpenSSH. From version 7.0 the 1024-bit diffie-hellman-group1-sha1 key exchange and ssh-dss host keys are disabled by default because SHA1 and small DH groups are weak (the CBC ciphers were dropped from the defaults even earlier). Which is fine, but all my clients' Cisco firewalls/routers/switches still offer exactly those legacy algorithms. So until they're all updated I'm going to need to re-enable them on the client side. Bear in mind that what follows edits the system-wide /etc/ssh/ssh_config, so it weakens SSH to every host you connect to, not just the Cisco kit.

Open a terminal window and execute the following:

sudo nano /etc/ssh/ssh_config
ENTER YOUR PASSWORD

Locate the line '#   MACs hmac-md5,hmac-sha1,hmac-sha2-256,umac-64@openssh.com,hmac-ripemd160' and remove the hash/pound sign from the beginning. Uncommenting it replaces OpenSSH's default MAC list with exactly what is on that line, so make sure hmac-sha2-256 (the MAC offered in the 'no matching MAC found' error above) is in the list, otherwise newer equipment fails instead.

Locate the line '#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc' and remove the hash/pound sign from the beginning.

Then paste the following on the end. The '+' appends to OpenSSH's default list rather than replacing it; without it, a line like 'HostkeyAlgorithms ssh-dss,ssh-rsa' would stop you accepting the modern ed25519/ecdsa host keys that everything else uses.

HostKeyAlgorithms +ssh-dss,ssh-rsa

KexAlgorithms +diffie-hellman-group1-sha1

Like so:

Mac SSH Error – Quitting Nano

To quit nano, use the Ctrl-X key combination. Because the file you are working on has been modified since the last time you saved it, you will be prompted to save it first. Type y to save the file, then Enter to confirm the filename.

There's no reason to reboot; it should work straight away.

But Wait – Theres More!

This is going to happen every time you upgrade your Mac, because the upgrade puts a fresh /etc/ssh/ssh_config back. I've started taking a backup of the edited ssh_config file, so I can just restore it again, like so:

Backup macOS SSH Settings & Ciphers

sudo cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak

[Image: backing up the macOS SSH settings]

Restore macOS SSH Settings & Ciphers

sudo cp /etc/ssh/ssh_config.bak /etc/ssh/ssh_config

(A single copy does the same as the remove/move/copy dance and keeps the .bak in place for the next upgrade.)

[Image: restoring the macOS SSH settings]
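A per-host alternative that avoids both problems above, as an added example that is not part of the original post: put the legacy algorithms in your own ~/.ssh/config under a Host pattern that matches only the old Cisco devices. Your home directory survives a macOS upgrade, so nothing needs restoring, and every host that does not match the pattern keeps OpenSSH's hardened defaults. The host names and address pattern are assumptions; diffie-hellman-group-exchange-sha1 is not in the post's errors and is only worth adding if a device actually offers it.

```text
# ~/.ssh/config (added example; Host patterns and addresses are assumptions, not from the post)
# Only the legacy Cisco devices get the weak algorithms appended ('+' keeps the defaults too).
Host legacy-asa 10.10.10.* *.legacy.example.net
    KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
    Ciphers +aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
    MACs +hmac-sha1
    HostKeyAlgorithms +ssh-rsa,ssh-dss

# Everything else: no overrides, so curve25519/ed25519/ctr/sha2 defaults apply.
```

Host patterns are matched against the name you type on the command line, so the 10.10.10.* entry only applies when you ssh to the IP literal. Check the effective settings for one device with `ssh -G legacy-asa | grep -iE '^(kexalgorithms|ciphers|macs|hostkeyalgorithms)'`, and `ssh -Q kex` / `ssh -Q cipher` list what your OpenSSH build can still negotiate at all; an algorithm missing from that list cannot be brought back by any config line. On OpenSSH 8.8 and later the ssh-rsa (RSA/SHA-1) host key algorithm is also off by default, so the HostKeyAlgorithms line is what keeps older RSA host keys accepted.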

 

Related Articles, References, Credits, or External Links

NA

Replacing Cisco Firewalls with Fortinet Firewalls
https://www.petenetlive.com/kb/article/0001741 (published Mon, 22 Mar 2021 11:57:13 +0000)

KB ID 0001741

Replacing Cisco

If you've been following articles on the site you will know that the focus of the firewall-related output is shifting from Cisco ASA / Cisco FirePOWER to Fortinet (FortiGate) firewalls.

This article is so you can make an informed choice about what you want to replace your Cisco firewall with.

Note: I’m starting with SOHO and Business sized firewalls but I will extend this to ‘Enterprise sized’ firewalls as I have the time.

Replacing Cisco SOHO Small Business Firewalls with FortiGate

Replacing Cisco

If ever there was something that was incorrectly sold, it was likely a SOHO Cisco firewall. The problem was, back in the day of the ASA5505, the only alternative was an ASA5510, and that was four times the price; plus the 5505 had a built-in switch, which saved you having to buy one of those as well. Even now (in 2021) these things are ubiquitous: I see them balanced in wall-mounted comms cabinets, sat in data centres, and popped under people’s desks.

To make matters worse, its replacement, the ASA5506-X, was a decent firewall but it wasn’t also a switch! (Cisco half-heartedly tried to fix this and made it worse.) To add insult to injury, if you paid for the NGFW Firepower option, Cisco just disabled it without warning in version 9.10(1).

Then we got the FPR1010. This comes in two flavours: the ASA code version, which I deploy, and the FDM version, which is bobbins! (I get 10 questions a day on the site from people wanting help setting them up.) This (at time of writing) is a relatively new firewall, but I’ll include it for completeness (and article longevity).

High Availability: Seriously? I see this more often than I should! Don’t deploy home-sized firewalls and expect Enterprise solutions! Stop it now. On a serious note, all the little ASA/FPR models support it, but they all need additional licensing to do so.

Stats: Remember, when comparing the stats, that we are comparing (mostly) old hardware against brand new (purpose-built) hardware, so the FortiGates will always look better on paper.

Cisco ASA5505, 5506-X and FPR1010 Specifications

ASA5505, 5506-X and FPR1010 stats

Fortigate 40F, 60F, and 80F Specifications

Replacing Cisco SOHO Firewalls Conclusion

  • Unless you need 10Gb connectivity (on your WAN), go for the 60F if you need all those 1Gb ports and you want it to function as a switch.
  • If you don’t need so many LAN ports, go for the 40F. (Note: even with 1x WAN port you can deploy SDWAN by using another interface!)

Replacing Cisco Medium Business / Small enterprise Firewalls with FortiGate

Replace ASA medium with Fortigate.

This is a difficult one to call; you can’t really say FortiGate model X is a direct comparison for Cisco model Y. To size a FortiGate firewall you need to:

First: Decide what throughput you need (remember to factor in NGFW/IDS/ATP and possibly HTTPS inspection; that throughput will be LOWER than the max throughput!)

Second: Decide what connectivity you want.

FortiGate throughput for these classes of firewalls falls into roughly three different categories;

  1. 10Gbps Throughput (1Gbps HTTPS Inspection throughput) to 27Gbps Throughput (4Gbps HTTPS throughput) = 100 and 200 Series.
  2. 32Gbps Throughput (3.9Gbps HTTPS Inspection throughput) to 36Gbps Throughput (5.7Gbps HTTPS throughput) = 300, 400 and 500 Series.
  3. 36Gbps Throughput (8Gbps HTTPS Inspection throughput) to 52Gbps Throughput (3.9Gbps HTTPS throughput) = 600, 800 and 900 Series.

Note: If the figures don’t overlap neatly, that’s because these are a mixture of D, E and F releases.

Cisco ASA5500 and 5500-X Specifications

ASA 5500 and 5500-X Comparison.

Cisco Firepower 1100 to 2100 Series Specifications

FPR 1100 and 2100 Series comparison

Fortigate 100 to 900 Series Specifications

FortiGate Models Comparison

Replacing Cisco Bonuses

  • Remote VPN: You don’t need to buy additional remote VPN (AnyConnect) licences any more. With FortiGate, remote SSL VPN is built in, and the client numbers are impressive.
  • Failover: Supported for Active / Active, good old Active / Passive, and Clustering.
  • SDWAN: You now have this capability if you require it.
  • Redundant Power Supply: Is on all FortiGate models in this class.

If anyone wants to add any real world experiences or comments, please do so below.

Related Articles, References, Credits, or External Links

NA

The post Replacing Cisco Firewalls with Fortinet Firewalls first appeared on PeteNetLive.
VMware ESX – Sockets and Cores (Logical Processors) https://www.petenetlive.com/kb/article/0001124 Tue, 16 Mar 2021 13:29:46 +0000

KB ID 0001124 

Problem

While explaining to a client the difference between sockets, cores and logical processors, I had to revisit this post today, so I updated it for vSphere 7.

Calculating Sockets and Cores

sockets and cores

Logical Processors, Cores and Sockets

 Essentially;

A: Processor Sockets: The physical number of CPUs on the motherboard.

B: Cores Per Socket: For a dual core processor this would be 2, triple core = 3, quad core = 4, hex core = 6, octa core = 8, deca core = 12, etc.

C: Logical Processors: This is the number of sockets multiplied by the cores per socket; if Hyperthreading is enabled on the processors (see above), that figure is doubled.

Related Articles, References, Credits, or External Links

NA

The post VMware ESX – Sockets and Cores (Logical Processors) first appeared on PeteNetLive.
Azure Traffic Manager (DNS Failover) https://www.petenetlive.com/kb/article/0001740 Wed, 03 Mar 2021 09:23:37 +0000

KB ID 0001740

Problem

Why Azure Traffic Manager? I had to price up a hardware load balancer (ADC) a couple of weeks ago for a client. I won’t mention the vendor (though I’m sure you can guess). Over 3 years it was going to cost (for a pair) about £100k (so about 33k a year). That included the global DNS failover, which was so they (the client) could fail over their services between multiple data centres.

OK, there are other ADC vendors, and there are even some budget vendors; I could use ARR, or even deploy NGINX (though supporting those deployments is another matter!). Whilst discussing this with my colleagues, the consensus was “We would be better deploying Azure Traffic Manager”. So I thought I’d take a look to see just how difficult that was to deploy.

What is Azure Traffic Manager? Essentially a cloud-based ADC that can provide availability and DNS failover between Azure regions and (more importantly in my case) ‘External’ endpoints (so on premises, multiple data centres, other public clouds, etc.)

What Does Azure Traffic Manager Cost? Therein lies most people’s ‘bug-bear’ with public cloud: that’s hard to quantify. Per million DNS lookups it’s £0.403p a month (up to a billion DNS queries), THEN £0.28p per million DNS queries (over a billion) per month. I’m not sure how you would begin to calculate that. I can tell you how many people are on this website while you are reading this text, and how many hits we get a month, but DNS queries?

I no longer host my own DNS. I used to, but it was getting hammered by script kiddies 24/7 and my servers were just using processor cycles to do nothing productive, so I pay someone else to host my records now. I asked them..

DNS Queries

Additionally you pay: £0.403p a month per (basic) monitored external endpoint or £1.41 a month per (rapid) monitored external endpoint.

I’m being a little disingenuous to Microsoft; in their defence this is a traffic management solution, NOT a web load balancing/HA solution. If you look at it from that perspective then DNS queries are a better measurement than ‘web-hits’ or ‘page-impressions’. But you will be billed on multiples of something that you have no control over, and you have to just ‘trust’ that when Microsoft tells you you’ve had 36 million DNS lookups, that’s correct.

Deploy Azure Traffic Manager

From the Azure portal > Create a Resource.

Azure Create Resource

You will need to search for ‘Traffic Manager Profile’ > Create.

Azure Traffic Manager Profile

Give it a sensible name > Set the routing method to Priority > Pick a Resource group (or create a new one) > Select your resource group location > Create.

Azure DNS Load Balance

Locate your traffic manager profile (look under all resources if you can’t find it) > Configuration.

Traffic Manager Configuration

Drop the DNS TTL to 30 seconds > I’m monitoring HTTPS on Port 80> Leave the probing interval on 30 seconds > Save.

Note: this will take 3 lots of 30 seconds before it will fail over (90 seconds). If you drop the poll interval to 10 seconds then you get billed the additional ‘fast interval charges’ I mentioned above. You can set it to 0 lots of 10 seconds to make it fail over quicker, but that’s more expensive.

Traffic Manager Polling

Endpoints > Add.

Traffic Manager Add Endpoints

Add your primary site with a priority of ‘1’, then repeat for your standby site(s) with lower priorities (a higher priority number).

Traffic Manager External Endpoint

Before testing, make sure all the endpoints are ‘Online‘.

Traffic Manager Endpoint Online

Overview > Copy the DNS name.

Azure Failover DNS

In your own DNS config, simply create a CNAME DNS record to point to the Azure one you copied above.

Azure Failover DNS CNAME

Testing Azure Traffic Manager

First let’s test Azure > Ping the domain name you copied from the Azure portal; you will notice it resolves to my primary site IP (that won’t respond to pings, but that’s not important for testing). Power off the primary endpoint (or disconnect its NIC) and wait 90 seconds. Then ping it again; this time the IP address it resolves to has changed to my secondary endpoint. That proves the Azure Traffic Manager works.

Test Azure DNS Failover

To illustrate, I’ve got a slightly different web page on my primary and secondary external nodes, just to prove it’s working.

Prove Azure DNS Failover
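The ping test above relies on eyeballing the answer. The script below is an added example, not part of the original article, that does the same check with dig: it pulls the A record and its TTL out of the answer section, reports when the resolved address changes, and confirms the TTL is no larger than the 30 seconds configured above (a bigger TTL means clients keep the stale answer well past the 90-second failover). The CNAME www.example.com, the profile name tm-example.trafficmanager.net and the two addresses are constructed sample data; pass your own Traffic Manager name as the first argument to poll it live.

```shell
#!/bin/sh
# Added example (not from the article): detect a Traffic Manager failover from
# DNS answers instead of watching ping output.

# Pull the A-record address out of "dig +noall +answer" output. Traffic Manager
# answers with a CNAME chain that ends in an A record; take the last A record.
answer_ip() {
    printf '%s\n' "$1" | awk '$4 == "A" { ip = $5 } END { print ip }'
}

# Same, for the TTL of that A record (field 2 of a dig answer line).
answer_ttl() {
    printf '%s\n' "$1" | awk '$4 == "A" { ttl = $2 } END { print ttl }'
}

# True if the resolved address moved from $1 (the primary) to a different, non-empty $2.
failed_over() {
    [ -n "$2" ] && [ "$1" != "$2" ]
}

# True if TTL $1 is within the $2 seconds the profile was configured with.
ttl_within() {
    [ "$1" -le "$2" ]
}

# Poll a name and print the answer whenever it changes.
# $2 = seconds between polls (default 30), $3 = number of polls (default 10).
watch_failover() {
    name="$1"; interval="${2:-30}"; polls="${3:-10}"
    last=""; i=0
    while [ "$i" -lt "$polls" ]; do
        out=$(dig +noall +answer "$name")
        ip=$(answer_ip "$out")
        if [ "$ip" != "$last" ]; then
            printf '%s now resolves to %s (TTL %s)\n' "$name" "$ip" "$(answer_ttl "$out")"
            last="$ip"
        fi
        i=$((i + 1))
        sleep "$interval"
    done
}

# Constructed sample answers: what dig shows before and after the primary
# endpoint is taken offline (placeholder names and documentation-range IPs).
BEFORE='www.example.com.               30 IN CNAME tm-example.trafficmanager.net.
tm-example.trafficmanager.net. 30 IN A     203.0.113.10'
AFTER='www.example.com.               30 IN CNAME tm-example.trafficmanager.net.
tm-example.trafficmanager.net. 30 IN A     198.51.100.20'

if [ -n "$1" ]; then
    # Live mode: sh this-script.sh <traffic-manager-name> [interval] [polls]
    watch_failover "$1" "$2" "$3"
else
    # Offline demo on the constructed answers above.
    primary=$(answer_ip "$BEFORE")
    if failed_over "$primary" "$(answer_ip "$AFTER")"; then
        echo "failover detected: $primary -> $(answer_ip "$AFTER")"
    fi
    ttl_within "$(answer_ttl "$AFTER")" 30 && echo "TTL within the configured 30 s"
fi
```

Run it against the CNAME you created in your own DNS rather than the trafficmanager.net name directly; that way you are also checking that your own zone is pointing at the right profile.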

Related Articles, References, Credits, or External Links

NA

The post Azure Traffic Manager (DNS Failover) first appeared on PeteNetLive.
Free Exchange Certificate https://www.petenetlive.com/kb/article/0001739 Tue, 02 Mar 2021 08:38:23 +0000

KB ID 0001739

Problem

A couple of weeks ago I wrote an article about getting free certificates for IIS with ‘Let’s Encrypt’. Last week the renewal for my ‘test’ Exchange server’s certificate came through. So I thought “Why don’t I try and get a ‘Free Exchange Certificate’?”

Free Exchange Certificate

Before we start, let’s take a moment to look at our existing Exchange certificate. As you can see it’s a publicly signed and trusted certificate; the only thing wrong with it is that it’s going to expire in a couple of weeks. Yours may have already expired, or you may be running a self-signed SSL certificate (horror!)

Exchange Free Certificate

To do all the heavy lifting you need a piece of software; the easiest (I’ve seen) is win-acme (at time of writing the latest version is 2.1.14.996). You simply download it as a zip file.

Free Certificate Let's Encrypt

Extract the contents of that zip file to a folder on your hard drive.

win-acme free IIS certificate

Apply For & Install the Free Exchange Certificate

Open an administrative command prompt > Navigate to the folder you just created > run wacs.exe

Install Let's Encrypt Certificate in IIS

WARNING: Some other run-throughs I’ve read have different option numbers (wacs.exe has obviously been updated). So instead of just posting the number to select, I’ll post the option, then put the number (or letter) of that option in brackets (in case they change the option numbers again!)

Create a new certificate (full options) {m} > Manual Input {2}.

Free Exchange Certificate

Manual Input {2} > Enter the public fully qualified domain name(s) of your Exchange server (separated by commas) > Press Enter to accept the default friendly name (unless you want to specify your own).

Get a Free Exchange Certificate

[http-01] Serve certification files from memory {2} > RSA Key {2}. 

Note: You will need TCP Port 80 open to the Exchange server for this to work (in most cases you will only have HTTPS, TCP Port 443, open!)

Acquire a Free Exchange Certificate

Windows certificate store {4} > No (additional) store steps {5}.

How to Get a Free Exchange Certificate

Create or update https binding in IIS {1} > Default Web Site {1} > Start external script or program {3} > Paste in the following;

./Scripts/ImportExchange.ps1

Let's Encrypt Exchange

At the prompt paste in the following;

'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'

No (additional) installation steps {4}.

Free Let's Encrypt Exchange SAN Certificate

No (or it will open the terms and conditions in another window) > Yes (your soul now belongs to Let’s Encrypt!) > Type in an email address > Quit {q}

Free Let's Encrypt Exchange Autodiscover Certificate

Now reconnect to either OWA or the Exchange Admin Center, and you should see you have a new certificate.

Replace Exchange Certificate with Free one

It only lasts three months! That’s correct, but;

Let’s Encrypt Free Exchange Certificate Auto Renewal

As well as getting your certificate, win-acme also creates a scheduled task to check your certificate validity and renew it before it expires. Cool, eh?

Lets Encrypt auto renew
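Because the certificate is short-lived and the renewal runs unattended, it is worth checking what the server is actually presenting on each service port rather than trusting the scheduled task. The script below is an added example (not from the article and not part of win-acme): run from any admin box with openssl (a Mac or Linux machine is fine), it fetches the leaf certificate from OWA and SMTP, works out how many days are left, and flags anything under a threshold of your choosing as a renewal that probably did not happen. The host mail.example.com and the sample dates in the demo are constructed placeholders, and the 20-day threshold is an assumption; win-acme itself renews well before the 90-day expiry.

```shell
#!/bin/sh
# Added example (not from the article): verify the certificate Exchange presents
# on each port and how long it has left, so a failed auto-renewal is noticed.

# Fetch the leaf certificate's notAfter value from a live endpoint. SMTP and
# IMAP on their plain ports need STARTTLS; 443/993 are straight TLS.
fetch_not_after() {
    host="$1"; port="$2"
    case "$port" in
        25|587) tls_opt="-starttls smtp" ;;
        143)    tls_opt="-starttls imap" ;;
        *)      tls_opt="" ;;
    esac
    # </dev/null closes stdin so s_client exits once the handshake is done.
    openssl s_client -servername "$host" -connect "$host:$port" $tls_opt </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# Convert an openssl date ("May 30 12:00:00 2021 GMT") to epoch seconds.
# GNU date and BSD/macOS date take different flags, so try both.
not_after_epoch() {
    d=$(date -u -d "$1" +%s 2>/dev/null) \
        || d=$(date -ju -f '%b %e %H:%M:%S %Y %Z' "$1" +%s 2>/dev/null)
    printf '%s\n' "$d"
}

# Whole days from $2 (epoch seconds, default now) until the notAfter string $1.
days_remaining() {
    now="${2:-$(date +%s)}"
    exp=$(not_after_epoch "$1")
    [ -n "$exp" ] || return 1
    echo $(( (exp - now) / 86400 ))
}

# Threshold (assumed): Let's Encrypt certificates last 90 days and win-acme
# renews ahead of expiry, so fewer days than this means renewal did not run.
RENEW_WARN_DAYS=20
needs_attention() {
    [ "$1" -lt "$RENEW_WARN_DAYS" ]
}

# Check one host:port and print a one-line verdict; non-zero exit on trouble.
check_endpoint() {
    host="$1"; port="$2"
    na=$(fetch_not_after "$host" "$port")
    [ -n "$na" ] || { printf '%s:%s no certificate retrieved\n' "$host" "$port"; return 1; }
    left=$(days_remaining "$na") || { printf '%s:%s could not parse %s\n' "$host" "$port" "$na"; return 1; }
    if needs_attention "$left"; then
        printf '%s:%s expires in %s days (%s) - check the win-acme scheduled task\n' "$host" "$port" "$left" "$na"
        return 1
    fi
    printf '%s:%s OK, %s days left (%s)\n' "$host" "$port" "$left" "$na"
}

if [ -n "$1" ]; then
    # Live mode: sh this-script.sh mail.example.com  (checks OWA and SMTP)
    for p in 443 25; do check_endpoint "$1" "$p"; done
else
    # Offline demo on a constructed notAfter value and a constructed "now".
    sample='May 30 12:00:00 2021 GMT'
    left=$(days_remaining "$sample" 1619784000)    # 30 days before expiry
    printf 'sample certificate: %s days left\n' "$left"
    needs_attention "$left" || echo "sample certificate: renewal not yet due"
fi
```

If OWA shows the new certificate but SMTP still presents the old one, the services list passed to ImportExchange.ps1 (IIS,SMTP,IMAP in the step above) is the first thing to revisit.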

Where Does Win-ACME Store its information

Good question; it took me a little while to find that out. Essentially, once run, it creates a new folder in %programdata% (that’s a hidden folder on the C drive usually) called win-acme. All your settings are in there, so if you make a mistake like entering the wrong email address, you can delete this folder and start again.

How To Remove Let’s Encrypt Exchange Free Certificate & Settings

  1. Remove the certificate from Exchange Admin Center.
  2. Remove the win-acme folder from %Programdata%.
  3. Delete the scheduled update task from ‘Task Scheduler’.

Related Articles, References, Credits, or External Links

NA

The post Free Exchange Certificate first appeared on PeteNetLive.