PeteNetLive (https://www.petenetlive.com), Technology that 'Just Works'

FortiGate: SSL Inspection (HTTPS Inspection)
https://www.petenetlive.com/kb/article/0001729
Fri, 15 Jan 2021 14:57:51 +0000

KB ID 0001729

Problem

Do you inspect the traffic on your network? You have a firewall? Maybe an IDS appliance? That’s good news, but do you inspect HTTPS traffic? In most cases the answer is no, because either you do not have the capability, or enabling SSL inspection would degrade the firewall’s performance so much that you accept the risk instead.

At the time of writing (early 2021) it’s estimated that 85% of all web traffic is encrypted. Let that sink in: 85% of the web traffic traversing your firewalls and security appliances is potentially not even being looked at, because it’s encrypted.

Probably over ten years ago I was at a security convention, and the speaker asked the crowd “What’s TCP port 443?” This prompted the obvious answer of “It’s HTTPS!” No, it’s the universal hacking and exploitation port!

Anyone doing something ‘nefarious’ will do it over HTTPS (or otherwise protect it with SSL encryption). The last time I was asked to look at inspecting HTTPS traffic, it had such an adverse effect on the firewall’s performance that the client looked at extra hardware (SourceFire at the time) to do it instead of the firewalls, and the firewalls in question were a pair of ASA-5585 SSP40s (that’s a six-figure price tag!).

When I saw the comparison of degradation between firewall vendors I was somewhat skeptical, but Fortinet do make some bold claims. Their marketing and sales ‘Battlecards’ typically show about 15% degradation with SSL inspection enabled (that’s on a 500E), compared to 73% degradation on a Cisco Firepower (4000 series), 79% on a Palo Alto (5220), or 79% on a Check Point (15600). Note: I’ve not checked these figures.

So how easy is it to set up? To be honest it’s painfully simple, just bear in mind that on a FortiGate there are two ‘types’ of SSL inspection:

  • SSL Certificate Inspection: The FortiGate checks the certificate presented to ensure the common name is correct (resolvable) and checks it against a database of problem URLs and certificates.
  • SSL Full Inspection (Deep Packet Inspection): The FortiGate ‘brokers’ the SSL traffic and sits in the middle; it decrypts and re-encrypts the traffic before sending it on to the end user or the remote server. To do this it needs to be able to generate and sign certificates for any domain, and your clients need to trust it to do so.

SSL Deep Packet Inspection

If you are already running a FortiGate, you probably already have SSL certificate inspection enabled on your default internet access policy and didn’t even realise it! Below we will look at deep packet inspection.

FortiGate SSL Inspection (Simply)

WARNING: Read the whole article first. Simply turning this on (in production) without some forethought and planning will result in bad things happening! Remember your clients have to trust the firewall, and at the moment they probably do not!

The FortiGate has its own built-in Certification Authority; initially I’ll use that (further down I’ll demonstrate how I would do this with a ‘proper’ domain PKI deployment). From the firewall’s management page, System > Certificates > locate the Fortigate_CA_SSL certificate and download it.

FortiGate Export CA Certificate

Put that certificate on one of your client machines and then import/trust it. Below I’m making things as difficult as possible and using Kali Linux; on a Windows box, double click the cert, import it, and manually place it into the ‘Trusted Root Certification Authorities’ store.

Kali Linux How To Import CA Certificate

Note: If you use Firefox as a browser, you will need to take extra steps; see this article.

Now, on the ‘Policy’ that’s being applied to your web traffic, we need to alter the SSL inspection. Policy & Objects > Firewall Policy (or IPv4 Policy on older models) > locate your policy for normal web traffic and edit it.

Fortigate Edit Internet Policy

Change SSL Inspection to ‘deep-inspection’ > OK

Note: In the example shown below, I have AntiVirus inspection enabled, I mention this because that’s what I will use to test that SSL inspection is working.

Fortigate Deep SSL Inspection

So now when my clients go to any https:// website, the certificate the client sees is actually signed by the firewall, NOT by a public certificate vendor.

Fortigate Deep SSL Inspection Swaps Certificate

To test it, go to the EICAR website (if you didn’t know, EICAR produce files for testing anti-virus and anti-malware solutions) and attempt to download one of the files (Note: MAKE SURE you attempt to download from the HTTPS section!)

Fortigate Block Virus

 

What Next?

Well that was easy! Now for a real-world deployment. Your problem is getting your clients to trust the firewall’s CA signing certificate. You have THREE OPTIONS:

Option 1: Manually install the certificate on your clients. If you have a small organisation that might be a good option; the built-in cert lasts ten years, so you will probably have a new firewall before that certificate expires.

Option 2: Distribute the FortiGate’s CA signing certificate by Group Policy. For medium-sized deployments, or if you are one of those who are typically terrified of certificates, this might be your option.

Option 3: If you already have a properly deployed Certificate Services PKI, you can issue a SubCA certificate to the firewall to do the signing with, and your domain clients will trust it automatically.

I won’t insult your intelligence by explaining Option 1, but Options 2 and 3 I will outline below.

Deploying FortiGate CA Signing Certificate By Group Policy

On the FortiGate you need to download a copy of the CA certificate it uses; typically it is called Fortigate_CA_SSL. From the management GUI > System > Certificates > select Fortigate_CA_SSL > Download > save a copy somewhere you can get to it.

On a domain controller > Administrative Tools > Group Policy Management > create a new policy (or you can edit an existing one). Below I’m linking mine to the root of my domain; you may want to link yours to the OUs that your computer objects are in.

Group Policy FortiGate Certificate.

Edit the new policy and navigate to;

Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

Right click > Import.

GPO FortiGate Certificate.

Follow the wizard, navigate to and select the certificate from the FortiGate > Make sure that it gets put in the Trusted Root Certification Authority store!

GPO FortiGate CA Certificate.

Close the policy editor, then wait a couple of hours or Force a Domain Policy Refresh.

Replace FortiGate SSL Inspection CA Cert with a Microsoft Certificate Services SubCA Cert

This would be my preferred choice: if you have a proper PKI deployment in your domain your clients will already trust it, so all you have to do is issue a SubCA cert to the firewall. If you don’t have a PKI deployment yet but this is the route you want to take, run through the following first to get up and running:

Microsoft PKI Planning and Deploying Certificate Services

Even with your own Microsoft Certificate Services deployment, it’s worth a quick check that you have a template for ‘Subordinate Certification Authority’ (it’s typically deployed by default).

Subordinate CA Certificate Template

I’m going to apply for my certificate using the ‘Certificate Authority Web Enrollment’ role (this is an additional role you can add to Certificate Services to give you a nice web portal for requesting certificates). Browse to https://{FQDN-of-Certificate-Server}/Certsrv (Note: yours may be on http://) > Request a Certificate > Advanced Certificate Request > Create and Submit a Request to this CA.

Subordinate CA Certificate Template

  • Template: Subordinate Certification Authority
  • Name: The FQDN of the firewall (must be resolvable in DNS!)
  • Email to Country/Region: Fill out as applicable
  • Key Size: 2048
  • Mark keys as exportable: Ticked

Submit.

Fortigate Apply for SubCA Certificate

Install this certificate.

Use MMC to Inspect User Certificates

This will have dropped the certificate into YOUR user certificate store; we now need to locate and export it.

Windows Key + R > mmc.exe > File > Add/Remove Snap-in > Certificates > Add > Select User Account.

Fortigate Install SubCA Certificate

Expand Certificates – Current User > Personal > Certificates > Locate the certificate > All Tasks > Export.

Export Certificate

Next > Yes, export the private key > Next > Personal Information Exchange (PFX) > Next > Password (type and confirm a password you will remember) > change the encryption to AES256-SHA256 > Next > select a location to save the certificate > Next > Finish.

Export PFX Certificate

Back at the FortiGate > System > Certificates > Import Local Certificate.

FortiGate Import Sub CA Certificate

Type: PKCS #12 > Upload > locate and select the certificate you exported above > enter the password > Upload > OK.

Import Certificate FortiGate SSL Inspection

FortiGate: Create SSL Inspection Profile

Security Profiles > SSL/SSH Inspection > Create New.

FortiGate Create SSL Inspection Profile

Give the profile a sensible name > change the CA Certificate to the one you just uploaded > OK.

FortiGate Custom SSL Inspection Profile

To use that Profile in your web access policy, Policy & Objects > Firewall Policy > Locate the policy that defines web traffic and edit it.

Edit Firewall Policy

Change the SSL Inspection to use your new profile > OK.

Change Deep Inspection Policy Certificate

Now you can test the deployment by going to an HTTPS website (like this one!) and taking a look at the certificate; it should have been issued by your SubCA (the firewall).

Replace Websites Certificate

Related Articles, References, Credits, or External Links

NA

The Web Site for the CA Must be Configured to use HTTPS
https://www.petenetlive.com/kb/article/0000838
Wed, 13 Jan 2021 10:27:28 +0000

KB ID 0000838 

Problem

When attempting to contact a server running the Certification Authority Web Enrolment role, you may see the following error.

In order to complete certificate enrolment, the Web site for the CA must be configured to use HTTPS authentication

Solution

The correct fix is to set the web server (IIS) to serve the certificate website securely using HTTPS, though you can just make Internet Explorer ‘work’ from your client machine if you are in a hurry.

Make Internet Explorer Accept Your Certification Authority

Note: This would need to be done on every machine that you wanted to access the Certificate Services web portal from.

1. From within Internet Explorer > Internet Options > Security > Trusted Sites > Sites.

Internet Explorer Security Settings

 

2. Untick ‘Require server verification (https:) for all sites in this zone’ > Then add in the URL of the CA > Close.

Internet Explorer Trusted Sites

3. With Trusted sites still selected > Custom level > ‘Initialize and script ActiveX controls not marked as safe for scripting’ > Enable > OK > Yes.

Allow ActiveX

4. Restart the browser and try again.

Set IIS to serve Certificate Services Securely (via https).

This assumes you have your CA and the web portal installed correctly.

1. On the Certificate Services server > launch IIS Manager > expand {server-name} > Sites > Default Web Site > right click > Edit Bindings > https > Edit > select the self-signed server certificate [NOT the CA one] > OK.

Note: If https is missing simply add it!

IIS Certificate Bindings

2. Expand Default Web Site > Certsrv > SSL Settings.

IIS SSL Settings

 

3. Tick ‘Require SSL’ > Apply.

IIS Require SSL

4. That should be all you need; if it does not take effect straight away, drop to the command line and run iisreset /noforce.

Related Articles, References, Credits, or External Links

NA

EVE-NG: Create Windows Server 2019 VM
https://www.petenetlive.com/kb/article/0001728
Wed, 13 Jan 2021 08:41:49 +0000

KB ID Article 

Problem

I’ve had a Windows 2012 R2 server image that I’ve been using in EVE-NG forever. This week it bit the dust, so I thought: can I deploy a shiny new 2019 server?

EVE-NG Windows Virtual Machines

Yes! In fact the deployment procedure is the same for 2019 as it was for earlier versions of Windows Server. First log onto your EVE-NG host and create the folder:

mkdir /opt/unetlab/addons/qemu/winserver-2019/

Then ‘upload’ a copy of the Windows Server 2019 installation ISO into that folder with WinSCP or FileZilla.

EVE-NG Upload Server 2019

Now rename the ISO image file to cdrom.iso, then create a new (empty) hard drive file that we will install Windows onto. (Note: below I’m setting it to 60GB in size.)

mv en_windows_server_2019_updated_nov_2020_x64_dvd_860005f.iso cdrom.iso
/opt/qemu/bin/qemu-img create -f qcow2 virtioa.qcow2 60G

EVE-NG Create hard disk windows server

In EVE-NG create a new Lab and add in your Windows 2019 Server, then power it on.

EVE-NG Add 2019 windows server

It won’t find the hard drive because it does not have the controller driver; click ‘Load Driver’.

EVE-NG 2019 No Disk

Navigate to B:\Storage\2003R2\amd64 > OK > Next. It will detect and load the ‘Red Hat VirtIO’ driver and install Windows. Once done, shut the Windows server down.

EVE-NG 2019 Disk Driver

Now you need to ‘commit’ that image (so all new VMs will be created from that image). I’ve written about this before; see the following link:

EVE-NG: Committing / Saving Qemu Virtual Machine Settings

But essentially, get the ‘Pod Number’ from User Management, and the Lab ID from the Lab details.

EVE-NG Lab Number

Get the Node ID from the virtual machine, change into that node’s temporary directory and commit the disk image. The last line is the standard EVE-NG qemu-img commit command (it is the step the linked article describes; it merges the node’s changes back into the base image in /opt/unetlab/addons/qemu/winserver-2019/):

cd /opt/unetlab/tmp/POD-Number/Lab-ID/Node-Number/
e.g.
cd /opt/unetlab/tmp/1/b56699c-31b5-4399-af2e-697eab12981d/2/
/opt/qemu/bin/qemu-img commit virtioa.qcow2

EVE-NG Commit VM Image

Lastly, don’t forget to tidy up and delete the ISO image now you no longer need it.

cd /opt/unetlab/addons/qemu/winserver-2019
rm -f cdrom.iso

EVE-NG Delete CDROM image

Related Articles, References, Credits, or External Links

NA

Software is Preventing Firefox From Safely Connecting to this Site
https://www.petenetlive.com/kb/article/0001727
Tue, 12 Jan 2021 11:06:17 +0000

KB ID 0001727

Problem

I was setting up some HTTPS/SSL inspection this week and while testing it, I ran into this problem;

Software is Preventing Firefox from Safely Connecting to this site

Firefox Certificate Settings

So the machine I’m using DOES trust the CA that issued that certificate (it’s a FortiGate firewall), but the BROWSER does not. (Firefox maintains its own certificate store and, more importantly, its own list of which CA certificates it will trust.) Essentially the browser is trying to protect you from a MITM attack.

Browse to about:preferences#privacy > Certificates > View Certificates.

Firefox View Trusted CA Certificates

Import.

Firefox View Import CA Certificates

Navigate to the CA certificate for the authority that signed the certificate(s) you are having a problem with, and import it > select ‘Trust this CA to identify websites’ > OK.

Firefox Import CA Certificates

Related Articles, References, Credits, or External Links

NA

FortiGate: SSL-VPN With FortiClient (AD Authenticated)
https://www.petenetlive.com/kb/article/0001725
Wed, 06 Jan 2021 20:38:15 +0000

KB ID 0001725

Problem

FortiGate remote access (SSL-VPN) is a lot easier to set up than on competing firewalls. Here’s how to set up remote access to a FortiGate firewall using the FortiClient software and Active Directory authentication. This is what my topology looks like:

Remote SSL-VPN with FortiClient

Note: I’ve changed the FortiGate’s default management HTTPS port from 443 to 4433 (before I started). This was to let me use the proper HTTPS port of 443 for remote access SSL-VPN. I suggest you also do this, as running SSL-VPN over an ‘odd’ port may not work from some locations. See the following article:

FortiGate: Change the HTTPS Management Port

Certificate: I’m also using a self-signed certificate on the FortiGate; in a production environment you may want to purchase a publicly signed one!

Step 1: FortiGate LDAPS Prerequisites

Before we start, we need to make sure your firewall can resolve internal DNS, because the name on your domain controller(s)’ Kerberos certificate gets checked when doing LDAPS queries. (If you DON’T want this, disable the server identity check when you set up your LDAP server below.) Alternatively you can add the IP address to the server’s Kerberos certificate as a ‘Subject Alternative Name’, but that’s a bit bobbins IMHO.

Network > DNS > Specify > add in your ‘internal’ DNS servers > Apply.


Add Internal DNS Server Fortigate

Certificate Prerequisites

To perform LDAPS the FortiGate needs to trust the certificate(s) that our domain controller(s) use. To enable that you need a copy of the CA certificate for the CA that issued them. If you’re confused at this point, you might want to run through the following article:

Get Ready for LDAPS Channel Binding

So to get a copy of your CA cert on a Windows CA server use the following command;

certutil -ca.cert My-Root-CA-Cert.cer


Windows Export CA Certificate

To ‘Import‘ the certificate into the Fortigate > System > Certificates > Import > CA Certificate.

Fortigate upload CA Certificate

File > Upload > Browse to your CA Certificate > Open > OK.

Fortigate Import CA Certificate

Take note of the certificate name (CA_Cert_1 in the example below); you will need it later.

Fortigate Get Name CA Certificate

Step 2: Allow FortiGate LDAPS Authentication (Active Directory)

User & Authentication > LDAP Servers > Add.

Add LDAPS Server Fortigate

  • Name: Something Sensible!
  • Server IP/Name: Use the FQDN of the server (or you need to put the IP on the Kerberos certificate as a SAN!)
  • Server Port: 636 (we’re not using 389; plain LDAP is NOT secure!)
  • Common Name Identifier: sAMAccountName
  • Distinguished Name: Enter the DN for either the top level of your domain or an OU that’s got all your users/groups in.
  • Bind Type: Regular.
  • Username: in DOMAIN\username format. Note: a normal domain user account is sufficient; it DOES NOT need to be a domain administrator.
  • Password: For the above user.
  • Secure Connection: LDAPS.
  • Certificate: Select YOUR CA Certificate.
  • Server Identity Check: Enabled.

Click ‘Test Connectivity’; it should say successful. Then you can check some domain user credentials as a test > OK.

Create LDAPS Server Fortigate
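The server identity check described above (the ‘Server IP/Name’ and ‘Server Identity Check’ settings in the list) comes down to Subject Alternative Name matching. The Go program below is an added example for this page, not Fortinet code: it builds a constructed domain controller certificate (dc01.corp.example and 10.0.0.5 are assumptions) and applies the same hostname check a TLS client uses, so you can see why dialling the DC by IP fails unless the IP is present as an IP SAN, and what disabling the check gives up.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
)

// dcCertificate models the identity carried by a domain controller's
// Kerberos/LDAPS certificate. Names are constructed for this example.
func dcCertificate(withIPSAN bool) *x509.Certificate {
	c := &x509.Certificate{DNSNames: []string{"dc01.corp.example"}}
	if withIPSAN {
		c.IPAddresses = []net.IP{net.ParseIP("10.0.0.5")}
	}
	return c
}

// ldapsIdentityCheck is what 'Server Identity Check: Enabled' asks of the
// firewall: the value typed into Server IP/Name must appear in the certificate's
// Subject Alternative Names (an IP only matches an IP SAN, never a DNS SAN).
// With the check disabled, any certificate from the trusted CA is accepted,
// whichever host presents it, so the bind credentials could go to the wrong server.
func ldapsIdentityCheck(cert *x509.Certificate, serverIPOrName string, identityCheck bool) error {
	if !identityCheck {
		return nil
	}
	return cert.VerifyHostname(serverIPOrName)
}

// Outcomes runs the configurations the article discusses and reports which connect.
func Outcomes() map[string]bool {
	nameOnly := dcCertificate(false) // the usual DC certificate: DNS SAN only
	withIP := dcCertificate(true)    // the 'add the IP as a SAN' workaround
	return map[string]bool{
		"FQDN, identity check on":             ldapsIdentityCheck(nameOnly, "dc01.corp.example", true) == nil,
		"IP, identity check on, DNS SAN only": ldapsIdentityCheck(nameOnly, "10.0.0.5", true) == nil,
		"IP, identity check on, IP SAN added": ldapsIdentityCheck(withIP, "10.0.0.5", true) == nil,
		"IP, identity check off":              ldapsIdentityCheck(nameOnly, "10.0.0.5", false) == nil,
	}
}

func main() {
	for k, v := range Outcomes() {
		fmt.Printf("%-38s accepted=%v\n", k, v)
	}
}
```

Only the FQDN case and the IP-SAN case pass with the identity check on; the IP-with-DNS-SAN-only case is the failure the article says DNS resolution avoids, and the ‘identity check off’ case passes only because nothing about the server is being verified.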

Domain / Active Directory Setup

Over in my Active Directory I’ve created a security group called GS-VPN-Users, and put my user object into it.

Fortigate AD Group Authentication

Now I need to create a FIREWALL GROUP and add my ACTIVE DIRECTORY GROUP to that. User & Authentication > User Groups > Create New.

Fortigate AD LDAPS Groups

  • Name: Something sensible!
  • Type: Firewall

Remote Groups > Add.

Fortigate Firewall Group

Change the Remote Server drop-down list to your LDAPS server > browse to your ACTIVE DIRECTORY GROUP, right click and Add Selected (cheers, that took me three goes to find, Fortinet!) > OK.

Fortigate Add AD Group to Firewall Group

All being well you should see your LDAPS server AND the distinguished name of your AD group, (check that’s not missing!) > OK.

Fortigate Remote VPN with AD Groups

Step 3: Setup FortiGate SSL-VPN

First we need an SSL Portal > VPN  > SSL-VPN Portals > Create New.

  • Name: Something sensible!
  • Enable Split Tunnelling: Enabled. (If you don’t do this then remote clients need to come through the FortiGate for web access; I usually enable split tunnelling.)
  • Source IP Pools: Add Then Create.

Fortigate Source IP Pools

Address.

Fortigate Source IP Pools Address

  • Name: Something sensible!
  • Type: IP Range
  • IP Range: The subnet you want to use. (Note: If you are routing on your LAN, make sure there’s a route back to the FortiGate for this subnet or bad things will happen!)
  • Interface: SSL-VPN tunnel interface

OK.

Fortigate VPN IP Pools Address

Enter a portal message (the header on the page once a remote user connects) > Enable FortiClient download > OK.

Fortigate VPN IP Pools Address

FortiGate SSL-VPN Settings

VPN  > SSL-VPN Settings > Listen on Interfaces.

Fortigate SSL-VPN Settings

Set to the outside (WAN) interface > Address Range > Specify custom IP Ranges > IP Ranges > Add in the pool you created above.

Fortigate SSL-VPN Interface

DNS Server > Specify > Add in your internal DNS servers > Authentication Portal Mapping > Create New.

Fortigate SSL-VPN DNS and Portal Mapping

  • Users/Groups: Your FIREWALL GROUP.
  • Portal: Your Portal

OK.

Apply. (Note: If it complains ‘All Other User/Group’ is not configured, set that to web-access, as shown.)

Fortigate Remote Access VPN

FortiGate SSL-VPN Firewall Policy

Policy & Objects > Firewall Policy (or IPV4 Policy on older versions) > Create New.

Fortigate SSL-VPN Firewall Policy

  • Name: Something sensible.
  • Incoming Interface: SSL-VPN Tunnel Interface.
  • Outgoing Interface: Inside (LAN).
  • Source: Your remote IP Pool AND your FIREWALL GROUP.
  • Destination: Local LAN (remember if you want DMZ access, add that in also)
  • Schedule: Always
  • Action: Accept
  • NAT: Disabled

Fortigate SSL-VPN No NAT

  • Generate logs when session starts: Enabled 

OK.

Fortigate SSL-VPN Logging

Step 4: Test FortiGate SSL-VPN

From your remote client, browse to the public IP/FQDN of the firewall and log in; you should see the SSL-VPN portal you created, and have the option to download the FortiClient (VPN) software for your OS version.

Download FortiClient

Install the FortiClient (Note: This is only the VPN component not the full FortiClient).

Install FortiClient

Remote Access > Configure VPN.

  • VPN: SSL-VPN.
  • Connection Name: Something sensible.
  • Remote Gateway: IP or FQDN of the FortiGate.
  • Authentication: Prompt on Logon (unless you want it to remember).
  • Do not warn invalid Server Certificate: Enabled (Unless you are using a publicly signed certificate on your FortiGate).

Save.

Configure FortiClient

Then test the connection; make sure you can ping internal IP addresses and DNS names.

Connect FortiClient SSL-VPN

Related Articles, References, Credits, or External Links

NA

GIMP: Post Upgrade Tools Missing?
https://www.petenetlive.com/kb/article/0001726
Wed, 06 Jan 2021 11:47:31 +0000

KB ID 0001726

Problem

I’ve been running an older version of GIMP for a while; it’s been a bit ‘flaky’ since the Big Sur upgrade, so yesterday I took the plunge and updated it. As expected I had to recreate my custom arrow brushes and things. But the problem that hit me the most was ‘Where have all the tools gone?’

GIMP Tool Menu Not Showing Tools

Solution

I know it’s open source software and I’ve no right to complain, but come on! After some investigation it seems the tools are still there, they are just grouped together so they are more difficult to find. Why was this considered a good thing? The resolution on my Mac is staggering; I’m not exactly pushed for screen space.

Anyway, to put things back the way you are used to, navigate to Preferences.

GIMP Preferences

Disable GIMP Tool Groups

Interface > Toolbox > UNTICK Use tool groups > OK.

GIMP Disable Tool Groups

Relax

Related Articles, References, Credits, or External Links

NA

 

Download Veeam
https://www.petenetlive.com/kb/article/0001724
Mon, 04 Jan 2021 10:37:42 +0000

KB ID 0001724

Download Veeam

At PNL we have always championed Veeam; below are our links to download Veeam. There’s no surprise it’s the market leader in backup and recovery: it came onto the market when backups were a major IT headache. I can remember having to change nearly 30 different server tapes (a day), and from 09:00 to probably lunchtime every day I was fixing backup issues. (Simply download Veeam and give it a trial!)

Now we still have backup issues, (don’t get me wrong) but with the correct product and some planning, design and forethought Backups these days are less painful and that’s due in no small part to the Veeam product suite.

Disclaimer: This is an affiliate sponsored document. By downloading Veeam products from these links you will support the upkeep of this site.

Veeam Backup and Recovery Download

Download Veeam Backup and Recovery

B&R The one you are probably looking for!
This product is for all Virtualised and Physical environment based servers. It is the backup product that we use and stand behind.

Veeam Availability Suite Download

Download Veeam Availability Suite

VAS adds Veeam ONE advanced monitoring, reporting and capacity-planning functionality to your B&R environment.

Veeam Backup For Office 365 Download

Download Veeam Office 365 Backup

Want to quickly restore Office 365 emails, files, sites and Teams data? You need Veeam Backup for Office 365.

Veeam Backup For Azure Download

Backup and restore workloads within Microsoft Azure. Note: Part of ‘Veeam Platform for cloud’, for seamless Cloud Mobility and data portability.

Veeam Backup for AWS Download

Manage, protect, and recover workloads within AWS.

Why Buy Veeam?

A myriad of reasons:

  • Supports vSphere and Hyper-V
  • Instant VM recovery (from backup media into production)
  • Replication is included (often overlooked but this gives you a faster recovery method in the event of hardware failure and can also be used to recover files from). The product is called ‘Backup and Replication’ after all!
  • Instant file level recovery.
  • Application Aware backups (Exchange, SQL).
  • Simple offsite backup.
  • Built in compression and deduplication.
  • Simple to deploy and monitor.
  • Hardware agnostic.

Related Articles, References, Credits, or External Links

Veeam: Backup to Public Cloud?

Veeam: Restore / Migrate a VM to Azure

Veeam: Virtual Labs & SureBackup

Veeam: Restore/Migrate vSphere VM to Hyper-V

Creating a ‘Seeded’ Veeam Replication Job

Using Azure Site Recovery for Migrations

Migrate a VM from vCenter to Azure

FortiGate: Change the HTTPS Management Port
https://www.petenetlive.com/kb/article/0001723
Wed, 23 Dec 2020 15:08:32 +0000

KB ID 0001723

Problem

Like all firewalls that have ‘web management’, the default ports are 80 and 443 for insecure and secure management. IF you have secure (HTTPS) management on the outside interface of your firewall on the normal TCP port of 443, then you can’t use the same interface to terminate SSL-VPNs.

You can set SSL-VPN to use a different port of course, but for your remote workers who may be in hotels, or in locations where only web (port 80) and secure web/HTTPS (port 443) are allowed, that’s going to be a problem.

The lesser of the two evils is to change the secure web management port to something that is not 443!

Solution

Note: I’m talking about changing the TCP port, NOT the physical management port, if that’s what you are trying to do, then you simply enable that on the INTERFACE on the firewall like so;

FortiGate Change Management Port via CLI

Firstly, to find out/check the port that HTTPS management is currently configured on, use;

show full | grep admin-sport

Then to change the port number (in this case to 4433) use;

config system global
set admin-sport 4433
end

Fortigate CLI Change HTTPS management port
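As an added check (example code, not from this post), here is a small Python lint over a constructed ‘show full-configuration’ excerpt that flags the clash the post is about: admin-sport and the SSL-VPN port both sitting on TCP 443.

```python
import re

# Constructed 'show full-configuration' excerpt (added example, not from the page)
# showing the default clash: HTTPS admin and SSL-VPN both on TCP 443.
SAMPLE = """config system global
    set admin-port 80
    set admin-sport 443
    set admintimeout 5
end
config vpn ssl settings
    set port 443
    set source-interface "wan1"
end
"""

def setting(block, key, cfg):
    """Value of 'set <key>' inside 'config <block> ... end' (nested 'end' lines are indented)."""
    m = re.search(rf"^config {re.escape(block)}\n(.*?)^end", cfg, re.M | re.S)
    if not m:
        return None
    v = re.search(rf"^\s*set {re.escape(key)} (\S+)", m.group(1), re.M)
    return v.group(1).strip('"') if v else None

def check_ports(cfg):
    """Return (https_admin_port, sslvpn_port, warnings) for a FortiOS config dump."""
    mgmt = setting("system global", "admin-sport", cfg) or "443"   # FortiOS default
    sslvpn = setting("vpn ssl settings", "port", cfg) or "443"      # FortiOS default
    warnings = []
    if mgmt == sslvpn:
        warnings.append(f"admin-sport {mgmt} collides with SSL-VPN port {sslvpn}: "
                        "the same interface cannot serve both")
    if mgmt == "443":
        warnings.append("HTTPS admin still on 443: 'config system global / set admin-sport "
                        "<port> / end' moves it (the post uses 4433)")
    return mgmt, sslvpn, warnings
```

Feed it the output of ‘show full-configuration’ from the firewall; an empty warnings list means the management port has already been moved off the SSL-VPN port.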

FortiGate Change Management Port via GUI

System > Settings > Administration Settings > HTTPS Port.

Fortigate Change Management Port

Change the port number accordingly > Apply > After a while it will try to reconnect and probably fail, (that’s OK).

Fortigate Change HTTPS Management Port

Reconnect to the firewall using https://{IP-or-Hostname}:{Port-Number}

Fortigate Alternate HTTPS Management Port

Related Articles, References, Credits, or External Links

NA

Microsoft Teams: Suppress Annoying Message Pop-ups
https://www.petenetlive.com/kb/article/0001722
Thu, 17 Dec 2020 12:21:13 +0000
KB ID 0001722

Problem

Wow! Who at Microsoft Teams thought that enabling that by default was a good idea? I was on a large conference call this morning, (about 150 people). Every message to the message feed was spewing onto my screen and making a noise during the meeting!

Stop Microsoft Teams Popup Chat Notifications

Thought: Why do ALL developers think it’s a good idea to have pop-up banner messages appear top right of the screen, (where your windows control buttons and things live), why not bottom right?

Anyway, I want them off completely, (if I want to read the messages I’ll open the message feed window!)

Microsoft Teams Notifications

Click your picture/Initials > Settings.

suppress Teams Pop up Notifications

Chat > Edit.

Suppress Chat Toast Notifications MS Teams

Set as shown > Back to settings.

Disable Chat Notifications MS Teams

You may also want to alter the Notifications section > Custom.

Annoying Teams Pop ups

I’ve disabled ‘Banner’ for EVERYTHING and set them to only show in the feed.

Teams message Pop ups

Related Articles, References, Credits, or External Links

NA

Cisco ASA to Fortigate VPN (Properly!)
https://www.petenetlive.com/kb/article/0001721
Mon, 14 Dec 2020 11:29:29 +0000
KB ID 0001721

Problem

A while ago I did a run through on site to site VPNs from Cisco ASA to Fortigate firewalls. Back then I said that the default settings were a bit ‘shoddy’ and that I’d revisit it once I had more time.

What do you mean shoddy? Well, Cisco and Fortinet are both guilty of enabling ‘Everything’ to make the tunnel come up, so people can just use a wizard and not put too much thought into the process; for most people that’s absolutely fine. However I’ve found ‘Many Times’ when I’ve been trying to put a VPN into a third party it’s like a game of ‘Encryption Bingo’, e.g. ‘Can you change it from AES128 to AES256 and change the hash to SHA512’, or ‘Do you not support elliptic curve?’. Who are these people? Do they expect Tom Cruise to come rappelling out of a skylight to steal the details of their 2016 Christmas golf event!

I digress, so here’s how to set up a site to site VPN using IKEv2 with some weapons-grade encryption. Here’s a pretty picture of what it will look like;

Fortigate to Cisco ASA VPN

And here’s what my test bench topology looks like in EVE-NG.

Fortigate to Cisco ASA VPN EVE-NG

Configuring the Fortigate for Site to Site VPN

After saying don’t use the wizard, I’m going to use the wizard to do the Fortigate end, then I’ll edit the tunnel it creates and make it a bit more ‘fit for purpose’.

From the web management portal > VPN > IPSec Wizard > Give the tunnel a name > Change the remote device type to Cisco > Next.

Give it the ‘public’ IP of the Cisco ASA > Set the port to the ‘outside’ port on the Fortigate > Enter a pre-shared key, (text string, you will need to enter this on the Cisco ASA as well, so paste it into Notepad or something for later) > Next.

Fortigate Site to Site VPN

Local interface will be the ‘inside’ interface on the Fortigate > Enter the local subnet(s) > Enter the remote (behind the ASA) subnet(s) > Next.

Fortigate VPN Policy

Review the settings > Create.

Fortigate VPN Review

Select IPSec Tunnels > Select the new tunnel > Edit.

Fortigate VPN Not Established

In the Authentication Section > Edit > Change the IKE Version to 2 > Edit the Phase 1 Proposal.

Fortigate VPN Enable IKEv2

Delete all the factory ones and add one to match the Cisco ASA end (see the ASA IKEv2 policy below);

Then under Phase 2 Selectors click the pencil icon to edit.

Fortigate VPN Edit Phase 1

Advanced.

Fortigate VPN Edit Phase 2

Remove any existing Phase 2 proposals and add a new one;

Encryption: AES256GCM 

Fortigate VPN IPSEC Phase 2

Click OK to close.

Manually Configuring the Cisco ASA For Site to Site VPN

Manual VPN via CLI

We all know real men work at the command line, paste this in, boom, done!

WARNING: If your ASA already has a crypto map then use the name of that map rather than CRYPTO-MAP (as below) or all your existing VPNs will break!

!
crypto ikev2 policy 5
 encryption aes-gcm-256
 integrity null
 group 21
 prf sha512
 lifetime seconds 86400
crypto ikev2 enable outside
!
object network OBJ-SITE-B
subnet 172.16.1.0 255.255.255.0
object network OBJ-SITE-A
subnet 192.168.1.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-B object OBJ-SITE-A
!
nat (inside,outside) source static OBJ-SITE-B OBJ-SITE-B destination static OBJ-SITE-A OBJ-SITE-A no-proxy-arp route-lookup
!
tunnel-group 192.168.100.100 type ipsec-l2l
tunnel-group 192.168.100.100 ipsec-attributes
ikev2 remote-authentication pre-shared-key 123456
ikev2 local-authentication pre-shared-key 123456
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev2 ipsec-proposal VPN-FORTIGATE
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 192.168.100.100
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-FORTIGATE
crypto map CRYPTO-MAP interface outside
!
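As an added example (not the post's own code), here is a Python check that lines up the ASA IKEv2 policy and ESP proposal above against the FortiGate phase 1/phase 2 proposals, so the ‘Encryption Bingo’ is settled before the tunnel is brought up. The ASA lines copy the CLI above; the FortiGate CLI lines are an assumed rendering of the GUI steps and are constructed.

```python
import re
# Added example: ASA lines copy the page's CLI; FortiGate lines are an assumed CLI rendering of the GUI steps (constructed; 'edit'/'next' omitted).
ASA_CFG = """crypto ikev2 policy 5
 encryption aes-gcm-256
 integrity null
 group 21
 prf sha512
crypto ipsec ikev2 ipsec-proposal VPN-FORTIGATE
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
"""
FGT_CFG = """config vpn ipsec phase1-interface
    set proposal aes256gcm-prfsha512
    set dhgrp 21
end
config vpn ipsec phase2-interface
    set proposal aes256gcm
end
"""

def _grab(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1).lower() if m else ""
def canon(alg):  # 'aes-gcm-256' == 'aes256gcm', 'prfsha512' == 'sha512'
    return tuple(sorted(re.findall(r"[a-z]+|\d+", alg.lower().replace("prf", "", 1))))

def asa_proposals(cfg):
    """(enc, integrity, prf, dh) from the IKEv2 policy, (enc, integrity) from ESP."""
    p1 = tuple(_grab(rf"^\s*{k} (\S+)", cfg) for k in ("encryption", "integrity", "prf", "group"))
    p2 = tuple(_grab(rf"^\s*protocol esp {k} (\S+)", cfg) for k in ("encryption", "integrity"))
    return p1, p2

def fgt_proposals(cfg):
    """(enc, prf, dh) from phase1-interface, ESP encryption from phase2-interface."""
    p1, _, p2 = cfg.partition("config vpn ipsec phase2-interface")
    enc, _, prf = _grab(r"^\s*set proposal (\S+)", p1).partition("-")
    return (enc, prf, _grab(r"^\s*set dhgrp (\d+)", p1)), _grab(r"^\s*set proposal (\S+)", p2)

def compare(asa_cfg=ASA_CFG, fgt_cfg=FGT_CFG):
    """List proposal mismatches; an empty list means both ends agree."""
    (a_enc, a_int, a_prf, a_dh), (a_esp, a_esp_int) = asa_proposals(asa_cfg)
    (f_enc, f_prf, f_dh), f_esp = fgt_proposals(fgt_cfg)
    pairs = (("IKEv2 encryption", a_enc, f_enc), ("IKEv2 PRF", a_prf, f_prf),
             ("IKEv2 DH group", a_dh, f_dh), ("ESP encryption", a_esp, f_esp))
    issues = [f"{n}: ASA={a!r} FortiGate={f!r}" for n, a, f in pairs if canon(a) != canon(f)]
    # AEAD (GCM) ciphers authenticate themselves, so the ASA pairs them with 'integrity null'
    issues += [f"{n}: GCM cipher needs 'integrity null', got {i!r}"
               for n, e, i in (("IKEv2", a_enc, a_int), ("ESP", a_esp, a_esp_int))
               if "gcm" in e and i != "null"]
    return issues
```

Swap a different proposal into either side (say aes256-sha256 on the FortiGate) and compare() names the parameters that would stop the tunnel coming up.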

Manual VPN via ASDM

You can do the first couple of steps together, but I like to do the Phase1 and Phase 2 proposals first, then tie it all up at the end. Configuration > Site to Site VPN > Advanced > IKE Policies > IKEv2 Policies > Add.

  • Priority: 5
  • D-H Group: 21
  • Encryption: AES-GCM-256 
  • Integrity Hash: null (GCM protocols don’t need an integrity hash)
  • Pseudo Random Function (PRF) Hash: sha512

OK > Apply

Cisco ASA VPN ISAKMP Phase 1

Now for Phase 2 (on a Cisco ASA that’s defined with a ‘transform set’). IPsec Proposals (Transform Sets) > IKEv2 > Add.

OK > Apply

Cisco ASA VPN IPSEC Phase 2

Connection Profiles > Tick IKEv2 on the OUTSIDE interface to enable it.

Cisco ASA Enable IKEv2

Connection Profile > Add

  • Peer IP: (Public address of the Fortigate)
  • Local Network: Add in the network behind the ASA.
  • Remote Network: You may need to add an object-group for the remote network (behind the Fortigate).
  • Group Policy Name: FORTIGATE_VPN
  • Local Passphrase: An alphanumeric string of characters (it’s a pre-shared key, so it must match the one you set on the Fortigate).
  • Remote Passphrase: Set the same as the local passphrase.

Scroll down.

Cisco ASA VPN Config Manually

Make sure your IKE Phase 1 policy is in the list, (you may have many) > IPSec proposal > Select > locate yours and add it in > OK > OK > Apply.

Cisco ASA VPN Config Manually

The last thing to do is make sure that the traffic travelling over the VPN DOES NOT get NAT translated > Firewall > NAT Rules > Select the top one > Add > Add NAT Rule Before.

  • Source Interface: inside
  • Destination Interface: outside
  • Source Address: any
  • Destination Address: {The group you created above for the network address behind the Fortinet}
  • Source NAT Type: Static
  • Disable Proxy ARP :  Tick
  • Lookup Route Table: Tick

OK > Apply

Cisco ASA ASDM Static NAT

Don’t forget to save the changes > File > Save Running configuration to flash

Finally send some interesting traffic across the VPN to bring up the tunnel.

Test VPN Fortinet to Cisco

Related Articles, References, Credits, or External Links

NA
