PeteNetLive: Technology that 'Just Works' (https://www.petenetlive.com)

PDF File: Remove Password Protection
https://www.petenetlive.com/kb/article/0001719
Fri, 27 Nov 2020 10:00:34 +0000

KB ID 0001719

Problem

My daughter had a file that was protected by a password, (it had sensitive personal information in it). She wanted to send this file to someone, but wanted to remove the password protection first.

I thought this would be easy, open it in Acrobat Reader, find the bit that says ‘password protect’ and untick it right? Well to enable that ‘feature’ (called the “protect feature”), you have to pay Adobe?

Tech Rant: I really don’t like Adobe, I don’t like their pay for things monthly, nothing works without you paying for it, we can do whatever we like and you chumps will pay for it attitude. I’ve stopped using Photoshop because now I can only ‘rent it’. Adobe Acrobat needs to update at least once every two days, (which it has since 1985 for some unfathomable reason!) 

Solution

Microsoft is our saviour! (There’s a sentence I don’t use that often!) Open the offending file in the Microsoft Edge browser. (I’m using a Mac, but the process is identical on a Windows machine; I know because I did it that way first!)

Remove Password from PDF File

Enter the password.

Remove Password from Acrobat PDF

Print > Change the Printer > Save as PDF > OK. This will save the current file as a PDF file and it won’t be password protected!

Edge Print to PDF

WARNING: Don’t message me below and ask ‘what if I don’t know the password?’ I’m not here to teach you how to hack into password protected PDF files. Learn to use Google properly.

Fortigate: Cannot Ping an Interface?
https://www.petenetlive.com/kb/article/0001718
Wed, 25 Nov 2020 21:40:36 +0000

KB ID 0001718

Problem

With other firewall vendors (e.g. Cisco) you can ping any interface you are ‘directly connected to’. With Fortigate, however, you cannot (by default). That’s not the end of the world; you can check connectivity using ARP (see below), which is what really cool network techs do instead! But if you want to be able to ping an interface (even for a short period of time), here’s how to do it.

Solution

Fundamentally, the reason you can’t ping a Fortigate interface, is because ‘ping’ isn’t listed in the ‘allowaccess‘ section for that interface.

Fortigate allow ping

Let’s fix that;

config system interface
edit {port-name}
set allowaccess {Existing settings i.e. https http etc.} ping
end

Fortigate cannot ping an interface

Using ARP to check connectivity

A lot of people assume that if you can’t ping something, you are not connected to it; that’s not the case at all. If you ‘think’ something is on the same layer 2 network segment as you, and you can’t ping it, then look in the ARP cache on your machine, (for Windows and Linux the command is arp -a).

Below: You can see the MAC address of that IP address, even if you cannot receive a ping response!

Just Because you can’t ping

However, once ping is enabled, your ICMP responses will work fine.

Fortigate enable ping on an interface

Fortigate to Cisco ASA Site to Site VPN
https://www.petenetlive.com/kb/article/0001717
Tue, 24 Nov 2020 13:36:26 +0000

KB ID 0001717

Problem

Continuing with my ‘Learn some Fortigate’ theme. One of the basic requirements of any edge firewall is site to site VPN. As the bulk of my knowledge is Cisco ASA it seems sensible for me to work out how to VPN both those firewalls together, like so;

Fortigate to Cisco ASA VPN

Well that’s the pretty picture. I’m building this in EVE-NG, so here’s what my workbench topology looks like;

Fortigate to Cisco ASA VPN EVE-NG

Disclaimer (Read First! Especially before posting any comments!)

Fortinet prides itself on you not needing to use the CLI, (until you actually need to use the CLI of course!) But both ends are configured using the GUI and ASDM. This is designed for the ‘Let’s just make it work, who cares what’s going on under the hood’ generation. Which means it enables IKEv1, NOT IKEv2, on the Fortigate, and BOTH IKEv1 and IKEv2 get enabled on the Cisco ASA. Couple that with all the weak Crypto sets that get enabled, because someone might have a hardware firewall from 1981 or something! So in production I’d consider doing things a little more manually. I will post another article on the same subject, but then I’ll make the tunnel as secure as I can, (watch this space). This is an exercise in getting the tunnel up and making it work.

Tech Note: If you just use both wizards it won’t work; thankfully I could debug the tunnel on the Cisco ASA to work out why. Fortinet sets all the DH groups to 5, and Cisco sets them all to 2. And Fortinet enables PFS and Cisco don’t. (They do on older versions of the OS, but not on the newer ones).

Create IKE/IPSec VPN Tunnel On Fortigate

From the web management portal > VPN > IPSec Wizard > Give the tunnel a name > Change the remote device type to Cisco > Next.

Give it the ‘public’ IP of the Cisco ASA > Set the port to the ‘outside’ port on the Fortigate > Enter a pre-shared key, (text string, you will need to enter this on the Cisco ASA as well, so paste it into Notepad or something for later) > Next.

Fortigate Site to Site VPN

Local interface will be the ‘inside’ interface on the Fortigate > Enter the local subnet(s) > Enter the remote (behind the ASA) subnet(s) > Next.

Fortigate VPN Policy

Review the settings > Create.

Fortigate VPN Policy

Select IPSec Tunnels > Select the new tunnel > Edit.

Fortigate VPN Not Established

Convert to Custom Tunnel.

Fortigate Customise VPN Tunnel

Phase 1 Proposal > Edit.

Fortigate Edit IKE Phase 1 Policy

Add in Diffie Hellman Group 2.

Fortigate Add DH group 2

Phase 2 Selectors > Edit > Advanced > Untick Enable Perfect Forward Secrecy > OK.

Fortigate Disable PFS

Create IKE/IPSec VPN Tunnel On Cisco ASA (ASDM)

Connect to the ASDM > Wizards > VPN Wizards > Site-to-Site VPN Wizard > Next.

Cisco ASA to Fortigate VPN

You should already have an object for your Local Network, add that in > Then add in a new Network Object for the remote (behind the Fortigate) subnet. MAKE SURE that the new object is selected as the Remote Network > Next.

Cisco ASA to Fortigate Subnets

Enter the Pre-Shared key you used (above) > Next > Tick to DISABLE NAT > Next > Finish.

Tech Note: Look at all those Ciphers/Hashing/Additional Protocols that are about to be turned on! 🙁 That’s why I work at command line.

Cisco ASA to Fortigate VPN From ASDM

Finally you will need to send some traffic over the tunnel to ‘bring it up’.

Test VPN Fortinet to Cisco

If you have a problem, see the debugging/troubleshooting links below.

Related Articles, References, Credits, or External Links

Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels

Fortigate: One to One (Static NAT)
https://www.petenetlive.com/kb/article/0001716
Thu, 19 Nov 2020 10:56:14 +0000

KB ID 0001716

Problem

If you have a host that you want to be able to access from the outside of the firewall, e.g. a webserver, then this is the process you want to carry out. I didn’t find this process particularly intuitive and it highlighted why I don’t like GUI management interfaces, (in 6.4 the menu names have changed, thus rendering a million blog pages inaccurate!)

I’m setting this up in EVE-NG on the work bench and this is what I’m trying to achieve;

Fortigate Web Server NAT

So to access my web server from ‘outside’ the firewall I need to give it a NATTED ‘public’ address on 192.168.100.0/24. Here the server is on the LAN; if yours is in a DMZ then substitute the DMZ interface for the inside one I’m using.

Solution

First task is to create a ‘Virtual IP’, this will be the ‘public IP’ that the web server will use. From the management interface > Policy and Objects > Virtual IPs > Create New > Virtual IP.

Fortigate 1 to 1 NAT Create VIP

Give it a sensible name, and add a comment if you wish > Set the interface to the public facing port > Type, set to ‘Static NAT’ > External IP, (although it says range just type in the single public IP) > Internal IP = Enter the LAN IP > OK.

Fortigate Static NAT VIP

Firewall Policy > Create New.

Note: If your firewall is older than 6.4, the tab is called ‘IPv4 Policy’.

Fortigate Firewall Policy

Give the entry a name > Incoming interface = the public interface > Outgoing Interface = the inside/LAN interface > Source = ALL > Destination = SET TO YOUR VIRTUAL IP > Schedule = Always > Service = ALL (though you can of course select http and/or https in production) > DISABLE NAT. (Trust me I know that makes no sense) > OK.

Static One to One NAT Web Server

Just to prove this is not all ‘Smoke and Mirrors’, here’s my topology running in EVE-NG, and my external host (Named: Public-Client) browsing to 192.168.100.110, and the Fortigate translates that to 192.168.1.123.

Fortigate Testing static NAT

Related Articles, References, Credits, or External Links

EVE-NG Deploying Fortigate v6 Firewalls

TinyCore Linux: Build a ‘Persistent’ Web Server

VMware Fusion: Not Enough Physical Memory
https://www.petenetlive.com/kb/article/0001715
Wed, 18 Nov 2020 14:22:25 +0000

KB ID 0001715

Problem

I upgraded to macOS Big Sur this week, and was surprised everything still worked! That was until I tried to start up my Windows 10 virtual machine.

Fusion Not enough physical memory

“Not enough physical memory is available to power on this virtual machine with its configured settings.”

Solution

Though it took me a while to ‘fix’, the fix is quite straightforward. I was running version 11 (see below).

Fusion 11 not working on Big Sur

As soon as I upgraded to version 12.

Fusion 12 working on Big Sur

Everything worked correctly. Only version 12 is fully supported on macOS Big Sur.

Running Dropbox On Windows Server
https://www.petenetlive.com/kb/article/0001489
Fri, 13 Nov 2020 07:00:49 +0000

KB ID 0001489

Problem

If you are here, you have probably already found out that Dropbox is not supported on Windows Server platforms. You can install it and set it up happily but it stops working and needs to be relaunched all the time (manually).

I love Dropbox! So much I actually pay for it! I run it on my management server and it’s handy for copying files up into my test network, so I can appreciate how annoying it is having to restart it all the time. So to fix the problem we have to use a piece of software that’s over 15 years old!

Running Dropbox as a Service on Windows Server

First you have to stop Dropbox running.

Stop Dropbox On Server

Then download srvany and extract the executable to the Dropbox install directory (C:\Program Files (x86)\Dropbox). Note: This file is from the old Server 2003 resource kit.

Dropbox as a Service

From an elevated command prompt run the following command;

sc create Dropbox binPath= "C:\Program Files (x86)\Dropbox\srvany.exe" DisplayName= "Dropbox Service"

Run Dropbox on a Server

Run services.msc > locate the Dropbox service > And set its ‘LogOn’ to the account you were logged in with, when you installed the Dropbox software.

Dropbox on Server 2019

Change the startup type to Automatic, (Don’t start the service yet!) > OK.

Dropbox Always On

Execute the following three commands;

New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\Dropbox\Parameters

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Dropbox\Parameters -Name Application -PropertyType String -Value "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe"

Start-Service Dropbox

Keep Dropbox Running On a Server

Update:

You also need to execute the following from an ‘Administrative command window’, (or Dropbox will stop synchronising after a few hours).

SETX /M QT_OPENGL software

Dropbox Keeps Stopping On Server

Related Articles, References, Credits, or External Links

Special Thanks to Frédéric for the SETX command to fix the timeout.

EVE-NG Deploying Fortigate v6 Firewalls
https://www.petenetlive.com/kb/article/0001714
Thu, 12 Nov 2020 11:39:24 +0000

KB ID 0001714

Problem

The firm I work for are looking at a replacement for Cisco ASA as their preferred firewall of choice. We are looking at Fortinet to fill this gap, but as a product/solution it’s something I know very little about.

So the best way to learn is to deploy and play with, and the test bench weapon of choice for discerning technical types is EVE-NG. So can I deploy the newest (v6.4.2 at time of writing) Fortigate firewall into EVE-NG? Indeed, read on.

Solution

Getting the VM is pretty easy, Fortinet allows you to create a free login account, and download the trial version. REMEMBER you want the KVM version of the appliance!

If you didn’t know, EVE-NG (and the Qemu software that runs inside it) needs to have its images in certain named folders. So log into your EVE-NG appliance and create a new folder;

mkdir /opt/unetlab/addons/qemu/fortinet-FGT-v6.4.2

Note: fortinet-xxxxxxxxxx is the correct naming convention 🙂

EVE-NG Fortigate VM Folder Naming

Now copy your downloaded image into this folder, I use WinSCP, but FileZilla is also free. Remember that your transfer method should be set to ‘binary’.

EVE-NG Upload Fortigate v6

Back in the EVE-NG console, you need to unzip the appliance, then rename it (EVE-NG also needs the images to have certain names). Then you can delete the original Zip file, and make sure the permissions are set correctly.

cd /opt/unetlab/addons/qemu/fortinet-FGT-v6.4.2
unzip FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
mv fortios.qcow2 virtioa.qcow2
rm FGT_VM64_KVM-v6-build1778-FORTINET.out.kvm.zip
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions2

EVE-NG Configure Fortigate v6

That’s the hard part done. Log into EVE-NG, create a new lab and drop a Fortigate device into the workspace. (Note: You can raise the RAM to 2048 to get it to perform a little better, but no higher though, as only 2GB is permitted with the trial licence).

Deploy Fortigate on EVE-NG

Allow Web Management Of Fortigate VM

I’ve included this bit because most articles don’t, and if I’m unfamiliar with Fortigate, then some of you will be also. Essentially you set up the interface that you will be using as the inside interface with a static IP and allow web management via HTTP. (Note: First you will be asked to change the Admin password).

config system interface
edit port1
set mode static
set ip 192.168.1.1 255.255.255.0
set allowaccess http 
end
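
The allowaccess list set here (and extended with ping in the ping article above) decides which management protocols an interface answers, and http carries the admin login unencrypted. As an added example, not code from the original page or from Fortinet, this Python parses an exported interface config, flags cleartext management and ping, and builds the full replacement line; the function names and the sample config are assumptions made for the example.

```python
import shlex

# Management protocols that cross the wire unencrypted, and what to use instead.
SECURE_EQUIVALENT = {"http": "https", "telnet": "ssh"}

# Constructed sample in the shape of FortiOS interface config; names and
# addresses are made up for this example.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set mode static
        set ip 192.168.1.1 255.255.255.0
        set allowaccess http
    next
    edit "port2"
        set allowaccess ping https ssh http
        config ipv6
            set ip6-allowaccess ping
        end
    next
end
"""


def parse_interfaces(text):
    """Return {interface: {setting: [values]}} from 'config system interface'."""
    interfaces, current, nested, in_section = {}, None, 0, False
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw, comments=True)
        except ValueError:          # unbalanced quote: fall back to plain split
            tokens = raw.split()
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if not in_section:
            in_section = tokens == ["config", "system", "interface"]
        elif keyword == "config":   # sub-table inside an interface, e.g. ipv6
            nested += 1
        elif keyword == "end":
            if nested:
                nested -= 1
            else:                   # end of the interface section itself
                in_section, current = False, None
        elif nested:
            continue                # ignore settings inside sub-tables
        elif keyword == "edit" and args:
            current = interfaces.setdefault(args[0], {})
        elif keyword == "next":
            current = None
        elif keyword == "set" and args and current is not None:
            current[args[0]] = args[1:]
    return interfaces


def audit_allowaccess(text):
    """List (interface, finding, protocols) for risky allowaccess entries."""
    findings = []
    for name, settings in parse_interfaces(text).items():
        allowed = settings.get("allowaccess", [])
        cleartext = [p for p in allowed if p in SECURE_EQUIVALENT]
        if cleartext:
            findings.append((name, "cleartext-management", cleartext))
        if "ping" in allowed:
            findings.append((name, "ping-enabled", ["ping"]))
    return findings


def hardened_line(allowed):
    """Build a full replacement 'set allowaccess' line: 'set' overwrites the
    list, so every protocol that should stay enabled is repeated."""
    wanted = dict.fromkeys(SECURE_EQUIVALENT.get(p, p) for p in allowed)
    return "set allowaccess " + " ".join(wanted)
```
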

Configure Fortigate for Web Access

Then from a management VM, (on the same network segment) connect to the appliance and log in.

Fortigate Web Access

If you just see a blank screen with no logon options see this article.

Fortigate Blank Web Page?
https://www.petenetlive.com/kb/article/0001713
Thu, 12 Nov 2020 10:33:26 +0000

KB ID 0001713

Problem

I’ve been trying to deploy a Fortigate into EVE-NG (article to follow) this week. I could get the appliance running fine but when I tried to access the web management console all I got was the following.

Fortigate Blank Browser Window

Note: I have a couple of management VMs in EVE-NG (Windows 7 and Server 2012), they had a mixture of IE, Chrome and Firefox on them but still I could not get in?

Solution

All forums yielded no more info other than ‘Check you have allowed access for http’. But as you can see (above), the Fortinet logo is on the window, so I was hitting the firewall and http was allowed? (Also the http daemon was running inside the appliance.)

Just for fun I connected the outside interface to my test network, allowed http, and tried from there, it worked perfectly? So I deployed another Fortigate and connected the ‘inside’ interface to my test network, again it worked fine? At this point it was becoming obvious that my management machines’ browsers were probably the problem. So I deployed a new Kali Linux VM, fired up Firefox and;

Fortigate Web Access

That took a LOT longer than it needed to!

Fortigate: Show IP (DHCP) From CLI
https://www.petenetlive.com/kb/article/0001712
Wed, 11 Nov 2020 23:44:11 +0000

KB ID 0001712

Problem

I was having some problems setting up a Fortigate (VM64-KVM) firewall, and I needed to know, (at command line,) how to view the address that had been assigned to it via DHCP.

View Fortigate DHCP address (from CLI)

The syntax required is;

config system interface
edit ?

Note: Don’t forget the “?” at the end, it will not show onscreen as seen below.

Fortigate Show IP CLI

View Fortigate DHCP address (from GUI)

If the GUI/Web access is working, simply go to Network > Interfaces.

Fortigate Show IP GUI

Your vSphere Client Session Is No Longer Authenticated
https://www.petenetlive.com/kb/article/0001711
Fri, 06 Nov 2020 10:12:45 +0000

KB ID 0001711

Problem

I updated my vCenter to 6.7.0.45100 yesterday, and since then every time I tried to log in to the HTML5 web client, it authenticated, let me in, showed me the error (below), then kicked me out again?

vSphere HTML5 Timeout Error

Solution

I assumed, (wrongly) that the upgrade had overwritten the webclient.properties file that controls timeouts. This may be your problem; see the following article if my ‘fix’ does not work for you.

vSphere HTML5 Web Client – Disable the Console Timeout

In the end my fix was quick and simple, go to add/remove programs and locate the vSphere Enhanced Authentication Plugin (in my case version 6.5.0) and uninstall it.

vSphere Enhanced integration plugin
