Fortigate: Configure High Availability

So this may not be necessary for most home users out there but for those that need a quick rundown on how to configure High Availability between Fortigates, I hope this helps:

Prerequisites:

  • All Fortigates need to have the same hardware configuration i.e. hard disk configuration, optional components installed, same model version.
  • All Fortigates need to have the same firmware build e.g. v5.0,build0271 (GA Patch 6)
  • All Fortigates need to be using the same operating mode e.g. NAT or Transparent
  • All Fortigates need to be operating in the same VDOM mode
  • If all Fortigates are operating in multiple VDOM mode, they all need to have the same VDOM configuration
  • All interfaces need to have a static IP address. If any interface is using DHCP you can’t configure HA
  • Fortigates running their in-built switch in switch mode will not work. You will need to configure Interface Mode.

Boring stuff done, let’s get to work.

High level steps required to configure HA:

  1. Configure Fortigate units for HA operation individually and power off.
  2. Connect the Fortigates to the network
  3. Connect all interfaces (LAN, Heartbeat, Internet)
  4. Power on both Fortigate units
  5. Test!

Detailed Instructions

  1. Log onto the first Fortigate unit (FG1) and configure all your interface settings, policies, hostnames, VIPs, firewall addresses, routes etc.

    FG1# conf sys hostname
    FG1# conf sys interface
    FG1# conf firewall policy
    etc

  2. Configure High Availability via CLI. Here is my standard setup but ensure you read the Fortigate manual for further clarification

    FG1# conf sys ha
    FG1# set mode a-a
    FG1# set group-name SAMHA
    FG1# set password Th!sIs@s3CurePa$$w0rd
    FG1# set hbdev "port2" 50 "port3" 50
    FG1# set session-pickup enable
    FG1# set override disable
    FG1# set priority 50
    FG1# set monitor "port1" "wan1"
    FG1# set pingserver-monitor-interface "port1"
    FG1# set pingserver-failover-threshold 1
    FG1# end

    Notes:
    – Set "hbdev": these are the interfaces you will connect to your second unit; they carry the heartbeat between the units i.e. port2 on FG1 will be connected to port2 on FG2. The number after each interface is that interface’s heartbeat priority. It is recommended that you have at least 2 heartbeat interfaces configured.
    – Set "monitor": these are the interfaces that the Fortigate will monitor. If a monitored interface fails, the unit will fail over to the second unit.
    – Set "priority": this sets the device priority of the cluster unit. Whenever you change the device priority of a cluster unit, the next time a cluster negotiation occurs the unit with the highest priority becomes the primary unit.

  3. Power off FG1
  4. Perform steps 1 to 3 on FG2. Power off FG2
  5. Connect all interfaces correctly, ensure switching is correct, and heartbeat Interfaces are connected.
  6. Power on both Fortigates at the same time.
  7. Log on to one of the units and identify which of them is the master Fortigate by entering

    FG1# get sys stat

    You should get output that looks like the below. The "Current HA mode" line shows that this unit is the master unit.

    FG1 # get sys stat
    Version: FortiGate-60D v5.0,build0271,140124 (GA Patch 6)
    Virus-DB: 19.00098(2013-09-01 11:46)
    Extended DB: 1.00000(2012-10-17 15:46)
    IPS-DB: 4.00385(2013-08-28 22:38)
    IPS-ETDB: 0.00000(2001-01-01 00:00)
    Serial-Number: FG60D3911452369
    Botnet DB: 1.00229(2013-09-01 11:39)
    BIOS version: 04000007
    Log hard disk: Available
    Internal Switch mode: interface
    Hostname: FG1
    Operation Mode: NAT
    Current virtual domain: root
    Max number of virtual domains: 10
    Virtual domains status: 1 in NAT mode, 0 in TP mode
    Virtual domain configuration: disable
    FIPS-CC mode: disable
    Current HA mode: a-a, master
    Branch point: 271
    Release Version Information: GA Patch 6
    System time: Mon Mar 15 16:19:18 1996

  8. Test failover using these tests as a bare minimum:
    – Power off a Fortigate unit
    – Unplug port1 (production network)
    – Unplug internet connection (wan1)
    – Unplug one of the two heartbeat interfaces

Go forth and ensure you can keep that 99.999999999% uptime 🙂

Fortigate: Configure Interface Mode

Some of the SMB Fortigate units will have default settings that are good for the everyday user. But what if there’s more to life than an in-built switch? What if we want to configure, respect and treat all interfaces as their own?

For anyone that has a Fortigate unit and does not want to use the internal switch (factory default), here are quick steps to configure interface mode i.e. all ports are treated as individual interfaces and will need to be configured appropriately:

1. Delete DHCP server entries

FG123456# conf sys dhcp server
FG123456# delete 1
FG123456# end

2. Delete default firewall policy

FG123456# conf firewall policy
FG123456# delete 1
FG123456# end

3. Enable interface mode

FG123456# conf system global
FG123456# set internal-switch-mode interface
FG123456# end

Done and dusted. Now get that config up and ready!

First Home Buyer Tips!

If you’re young and dumb and always wanted to run to the streets ’cause you thought that was where it was at OR are a Gen Y’er, living in Sydney, and trying to buy your first home, then we’re in the same rowboat (paddling and getting nowhere). The Mrs and I have been pretty caught up in the buzz and excitement of property this last quarter of 2013. Wow oh wow has it been a rollercoaster. I just wanted to give a few tips to any other potential first home buyers out there so that they can avoid some of the traps and pitfalls we’ve experienced:

  • Don’t be fooled by the FHOG. Sure, $15,000 is quite a bit of money BUT when you’re buying brand new (say ~$550k) keep in mind that this “grant” makes up 2% of the value of your house.
  • Don’t skimp on Building and Pest Inspection Reports. These might cost you a few hundred dollars but could save you thousands of dollars, migraines, heartache, stress, health problems, diabetes etc etc.
  • Save, Save, Save. The biggest hurdle for any first purchaser is the initial deposit. You’ll most likely be paying LMI (lenders mortgage insurance) if you don’t have at least a 20% deposit (typically over $100k). I know that some people in our generation have the opportunity to save this much before they turn 25 but for the majority of us, this just isn’t possible.
  • If you’re young and not looking to buy for a few years, open a First Home Savers Account. BUT don’t put all your eggs in one basket. Put in at least $6,000 a year to reap the benefits of a $1,000 gov’t contribution and save the rest in your everyday savings account. This way you can use the liquid cash if you need and get the maximum return from the government. At the end of your account period (4 years) you would’ve received a free $4,000 from your friends in ACT.
  • The LMI you pay grows exponentially from borrowing 80% going up to 100%. So don’t borrow more than you can chew. Do your best to borrow less than 90% because anything higher is going to cost you some serious money.
  • If you’ve found a place you like, talk to your potential neighbors. Don’t be anti. Seriously. You may find out insightful information like who the previous owners were, whether the house is haunted etc.
  • Don’t feel pressured to buy just because interest rates are at an all time low. It’s a sellers market right now and yes our generation is being priced out BUT just keep saving.

If I think of anything else I’ll add a new post. Good luck to anyone and everyone in the same boat. Let’s paddle together.

Disclaimer: I’m not a financial expert, mortgage broker, money guru etc. I’m just your friendly, neighborhood spiderma…. IT guy 🙂

Force all VPN traffic out the remote gateway

Have you ever needed to connect to a remote site, tried a whatsmyip, and realised that “Hey, my IP is still the same. All the internetz sites will know where I’m browsing from”? A bit of an extreme scenario, but by default a Windows VPN connection does not force ALL your traffic out the remote gateway. Instead it passes traffic not destined for the remote network, for example web traffic, through your own gateway. So how do you force all traffic out the remote gateway? Here’s how you can do it on a Windows 7/8 machine (very similar to XP so don’t stress).

  1. Open up Network and Sharing Center.
  2. Click on Change adapter settings.
  3. Locate the VPN adapter that you’ve configured previously. Right click and select Properties.
  4. Here comes the good stuff… When the properties Window appears, go to the “Networking” tab.
    [Screenshot: VPN_Networking]
  5. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties
  6. Click on the Advanced button
    [Screenshot: VPN_Advanced]
  7. In the IP Settings Tab, select the check box next to Use default gateway on remote network.
    [Screenshot: VPN_Gateway]
  8. If you are using an IPv6 addressing scheme then repeat steps 5 to 7 for Internet Protocol Version 6 (TCP/IPv6).
  9. Click OK, OK and OK!
  10. Try a whatsmyip again and voila your IP will now be that of the remote network. Note: you may need to disconnect the VPN and reconnect for the changes to take effect
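The same setting applied from PowerShell, as an added example that is not part of the original post: on Windows 8 and later the VpnClient module exposes the “Use default gateway on remote network” checkbox as the SplitTunneling property, and Get-NetRoute gives you an offline check instead of whatsmyip. The connection name is an assumption; use the name of your own VPN adapter.

```powershell
# Added example (not from the original post). Run from PowerShell on Windows 8 or later.
# Assumption: the VPN adapter is called 'Office VPN'.
$VpnName = 'Office VPN'

# SplitTunneling = $true is the default behaviour the post describes: only routes for the
# remote network go through the tunnel and everything else uses your own gateway.
$conn = Get-VpnConnection -Name $VpnName
"Before: SplitTunneling = $($conn.SplitTunneling)"

# SplitTunneling = $false is the same as ticking "Use default gateway on remote network":
# all traffic, web browsing included, is routed through the VPN.
Set-VpnConnection -Name $VpnName -SplitTunneling $false
"After:  SplitTunneling = $((Get-VpnConnection -Name $VpnName).SplitTunneling)"

# The change only applies on the next connection. Once reconnected, the VPN interface
# should appear among the IPv4 default routes; that is the offline equivalent of the
# whatsmyip check in step 10.
if ((Get-VpnConnection -Name $VpnName).ConnectionStatus -eq 'Connected') {
    Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        Select-Object InterfaceAlias, NextHop, RouteMetric |
        Format-Table -AutoSize
} else {
    "Reconnect '$VpnName' and run the Get-NetRoute check again."
}
```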

Great work 🙂

CA ARCserve 2012 R2 Support

So Citrix XenApp 6.5 is now EOS and we’re forced to go to XenDesktop going forward? What’s the big deal, right? Well I guess that means that Server 2012 and Server 2012 R2 will not be supported to deliver XenApp, and future customers may need to pay for a full-fledged VDI/session-based remote solution (even if they don’t require it) and of course pay the premium price. So what may be an alternative? Well, with Server 2012’s improved RDP sessions (PDF scrolling, internet browsing etc), this may be a viable option for smaller businesses that do not require a full VDI environment.

But the questions you always need to ask when moving to a new OS are: what other applications will you need to run on this OS, and will they be supported? Third-party AV, monitoring tools, firewalls, backup, line of business applications …. and the list goes on! Which leads me to the above title (since we conveniently stumbled upon this today).

Here’s a quick run down:

  • CA ARCserve Backup r16.5 WITH update 3 now supports Server 2012 R2 as well as Windows 8.1
  • D2D is currently not supported (as per ARCserve’s compatibility matrix)

For the friendly IT guys out there who haven’t had the chance to test whether D2D works on 2012 R2, I have already done this for you. Here are my findings:

  • D2D installation completes without errors or issues
  • Full D2D backups work without errors or issues
  • Incremental D2D backups work without errors or issues
  • Granular file restores work without errors or issues
  • Bare metal restores work without errors or issues

So I guess in a nutshell, it works! Woohoo! Keep in mind though that this is still not “officially” supported.

A parent’s guide to web filtering

Following on from my previous post about parents/guardians who don’t know what their kids are up to online, I wanted to provide a simple solution that could be used by today’s Internet parents (The Enforcers :p).

Now I know that this may cause some outrage among the teens out there BUT as a recent teen and someone that has seen some of the abysmal content roaming on the internet for all the world to see, I want to help who I can, where I can, if they look for it.

So let’s get down to business shall we?

Forticlient

What’s so special about it you may ask? It’s a comprehensive AV and Web Filtering solution that can be customised (with some technical mumbo jumbo) to suit your requirements, oh and did I mention it’s completely FREE!

Here is a quick step by step guide on how to configure and implement Forticlient on your PCs and laptops.

  1. Download the software.
  2. Install the software using the default options (next, next, next, finish).
  3. Open the software by clicking on Start > All Programs > FortiClient > FortiClient
    [Screenshot: Awesome home screens]
  4. You’ll notice a handy little tab that’ll tickle your curiosity – yes, Parental Control.
  5. Click into the Parental Control tab.
  6. Click on the settings button and you can now configure category based web filtering.
    [Screenshot: Mmmm Parental Control]
  7. Here is where the parental wizardry (judgement) happens. Select all the categories that you would like blocked, allowed, warned, or monitored by right clicking the category and selecting the option. By default, all categories are allowed.
    [Screenshot: Forticlient_Categories]
  8. You’ll also notice that there is a Safe Search tickbox you can select. I would go ahead and tick that as well as the “Search Engine Safe Search (Google, Yahoo!, Bing, Yandex)” option. If you type into google “Where can I get…..”, you’ll be surprised at what pops up!
  9. Once your wizardry is complete and you’re satisfied at all the blocking you’ve done, click OK at the bottom. Your mission is almost complete…
    How do you lock settings so that the program cannot be easily uninstalled or settings altered?
  10. Lock it down: let’s do it. Click on File > Settings.
    Here you will see the settings page where you can configure other little wonderful things.
  11. Right on the bottom of the settings page, you will see a Lock. Here is where we will set our super awesome password.
    [Screenshot: Lock it down]
  12. Remember to put a password so awesome that only you will be able to remember it. Click OK on the password box, then click OK on the settings page to save the settings.
  13. Test, test, test! Try it out and see if all your hard work is actually working.
  14. Woohoo! Pat yourself on the back on a job well done 🙂

I’ll provide some more advanced management tips for this later but for now I believe you’re already one step ahead of the game!

Batch script to delete printer drivers

Friday the 13th…

HP Universal Print drivers… HP1606dn running off server 2008R2… If you’re already starting to get chills down your spine, don’t worry, you’re not alone! Have you had corrupt drivers downloaded from your print server onto your client workstations and BAM your print spooler service chugs and chugs? Here is a quick script that has saved our service desk from painstakingly removing drivers manually:

@echo off
::Delete All Printer Drivers
::Written by samontech

:: Stop the spooler and kill anything that may still hold a lock on the driver files
net stop spooler
taskkill /F /IM explorer.exe
taskkill /F /IM spoolsv.exe
taskkill /F /IM printisolationhost.exe
:: Wipe every entry under the spool driver directory: rmdir for folders, del for loose files
cd /d %windir%\system32\spool\drivers
for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)
:: Bring Explorer and the spooler back
start explorer.exe
net start spooler

Delete All Printer Drivers.zip

Note: Any Windows Explorer windows open will automatically close.

If you have a print server and your printers are deployed via group policy, then restart your workstations. If this is a standalone machine, restart and reinstall working print drivers.

It’s still a work in progress but for the most part it should do the trick. I’ll be adding more scripts to help you with any future printer problems.

Know what your kids are up to?

It’s funny (not really) how some parents have no idea what their kids are up to on the internet. Facebook, Youtube, Twitter, Instagram (selfies anyone?). Sure, no problem. Some parents might walk by to double check that everything on the monitor looks legit (alt+tab) and some might even check their kids’ browser history just to make sure. Wow, no bad sites are showing up, that must mean my child’s doing all their homework. All smiles, right?

NO.

Incognito, Tor, VPN, Proxies… Woah. Who knows what else these kids are up to these days. I know that parents want to trust their children and believe that their little angel is using the internet for its intended purpose – access to an abundant amount of knowledge and information. Unfortunately, the internet can be a dark and scary place full of so many unknowns and risks that being an ignorant guardian will not cut it.

What are the risks?

  • Identity theft
  • Personal information leaked
  • Infected computers
  • Desensitisation
  • Mental trauma
  • Distractions, distractions, distractions

My experience in the industry has led me to believe that there are too many people carelessly “sharing” information. Have you ever seen a friend set up a Facebook event requesting “new numbers because they lost their phone”? Sometimes they forget to put their event on private *shakes head* and woop-dee-doo, their mobile number is now exposed as well as other numbers your friends may have posted. How about them kids that unknowingly thrive on likes, hearts, retweets. I’ve seen too many instances where these same people are subjects of abuse and are prone to depression/anxiety because they seek to attain approval from anonymous “friends”. Hashtagging every #instagood possible word to reach all types of people around the world to accumulate the MOST LIKES POSSIBLE is what defines you in Generation “i”!

Some questions you should really consider before sharing anything online:

  • How many people can see your Facebook profile picture, twitter posts, youtube videos?
  • What type of people can see these posts? Employers, Corporations, Paedophiles, Family, Workmates?
  • What can these people do with this information? Right click, save picture as, photoshop, post…
  • You probably think, who the heck would care anyway? Believe me, there are people out there that do care.

The information is no longer yours once it’s on the internet. As soon as it’s online, it’s there for the taking.

Microsoft Exchange Administration Tips

Ever found yourself in a situation where all your staff have an unlimited quota for their Exchange mailboxes? Or you wanted to find out who your biggest culprits for large mailboxes were?

I ran into a situation yesterday where a manager requested that a quota be applied to all mailboxes but providing exclusions to the higher ups 🙂 now when you’re talking about a small site with 10 users it doesn’t sound too bad but as soon as your mailbox database starts dealing with hundreds or thousands of users, things don’t seem quite as easy. Fear not! Powershell is here to save us all!

Here are a few simple commands that may help you:

View all mailboxes with custom quotas (i.e. not using the database defaults)
Get-Mailbox -Filter { UseDatabaseQuotaDefaults -eq $false -AND RecipientTypeDetails -eq 'UserMailbox' }

Retrieve mailbox sizes
Get-MailboxStatistics -Database "Mailbox Database Name" | Select DisplayName, ItemCount, TotalItemSize | Sort-Object TotalItemSize -Descending | Export-CSV C:\MailboxSizes.csv

Set all mailboxes to use database defaults
Get-Mailbox -Filter { UseDatabaseQuotaDefaults -eq $false -AND RecipientTypeDetails -eq 'UserMailbox' } | Set-Mailbox -UseDatabaseQuotaDefaults $true

Excluding special users

  1. Open Exchange Management Console
  2. Go to Microsoft Exchange On-Premises > Recipient Configuration > Mailbox.
  3. Locate the mailbox you want to provide an exception for. Right click and select properties.
  4. Click on Mailbox Settings > Storage Quota > Properties
  5. Untick “Use mailbox database defaults”
  6. Tick the options required and set the values for warning, prohibit send etc.
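The whole quota job above, scripted instead of clicked through, as an added example (not the post’s own commands): every user mailbox goes back to the database defaults except an exclusion list of “higher ups”, which get explicit limits, and a final report confirms that only the excluded mailboxes still have custom quotas. The aliases and sizes are assumptions; run it in the Exchange Management Shell.

```powershell
# Added example (not from the original post). Runs in the Exchange Management Shell.
# Assumptions: the exclusion aliases and the quota sizes below are made up for the example.
$Exclusions = @('ceo', 'cfo', 'legal')   # mailboxes that keep a larger custom quota

# Explicit limits for the excluded mailboxes (strings are parsed as ByteQuantifiedSize)
$VipWarning  = '4.5GB'
$VipSend     = '5GB'
$VipSendRecv = '5.5GB'

# 1. Every user mailbox that is NOT excluded goes back to the database defaults
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Where-Object { $Exclusions -notcontains $_.Alias } |
    Set-Mailbox -UseDatabaseQuotaDefaults $true

# 2. The excluded mailboxes get their own, larger limits
foreach ($alias in $Exclusions) {
    Set-Mailbox -Identity $alias -UseDatabaseQuotaDefaults $false `
        -IssueWarningQuota $VipWarning `
        -ProhibitSendQuota $VipSend `
        -ProhibitSendReceiveQuota $VipSendRecv
}

# 3. Report: anything still on a custom quota should be exactly the exclusion list
Get-Mailbox -ResultSize Unlimited `
    -Filter "UseDatabaseQuotaDefaults -eq `$false -and RecipientTypeDetails -eq 'UserMailbox'" |
    Select-Object Alias, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota |
    Format-Table -AutoSize
```

The report in step 3 is the same filter the post uses under “View all mailbox quotas”, so any alias that shows up there and is not in $Exclusions was missed.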

Now that you’ve set an awesome default mailbox size limit, want some customised warning messages? You know it!

Customize Quota Messages

Warning
New-SystemMessage -QuotaMessageType WarningMailbox -Language EN -Text "Your mailbox is now within xMB of the allowable size limit. Please clean out emails to reduce your mailbox size. Move items to public folders or delete any items you don't need from your mailbox and empty your Deleted Items folder."

Prohibit Send
New-SystemMessage -QuotaMessageType ProhibitSendMailbox -Language EN -Text "Your mailbox can no longer send messages as the size limit has been reached. Please reduce your mailbox size. Move items to public folders or delete any items you don't need from your mailbox and empty your Deleted Items folder."

Prohibit Send and Receive (Ouch!)
New-SystemMessage -QuotaMessageType ProhibitSendReceiveMailbox -Language EN -Text "Your mailbox can no longer send or receive messages as the size limit has been reached. Please reduce your mailbox size. Move items to public folders or delete any items you don't need from your mailbox and empty your Deleted Items folder."


Enabling Active Directory Recycling Bin – Windows Server 2012

Ever have to do an authoritative restore? Tombstone Reanimation? Feeling chills down your spine?  Me too… Server 2012 says no to this! And I agree wholeheartedly. So how do we do it? Pre-requisites:

  • The forest functional level needs to be at least Windows Server 2008 R2

How to set it up:

Powershell

  • Type the following command (replace the placeholders with your domain name and a domain controller): Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <your.domain.name> -Server <domaincontroller>

GUI

  • Open Active Directory Administrative Center from the Tools menu in Server Manager
  • Right click your domain in the navigation tree and select “Enable Recycle Bin”


Notes:

  • Enabling the AD Recycle Bin is irreversible: once it is on, it cannot be turned off.
  • To confirm the Recycle Bin has been enabled, a Deleted Objects container will appear at the root of the domain in Active Directory Administrative Center.
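An added example (not part of the original post) of what the Recycle Bin buys you over an authoritative restore: check that the feature is actually enabled, find a deleted user in the Deleted Objects container, and restore it to its original OU with its SID and group memberships intact. The domain name and the user name are assumptions.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT).
# Assumptions: domain 'corp.example.local' and a deleted user whose name starts with 'j.smith'.
Import-Module ActiveDirectory
$Domain = 'corp.example.local'

# 1. Is the optional feature on? EnabledScopes stays empty until Enable-ADOptionalFeature has run.
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'" -Server $Domain
if ($feature.EnabledScopes.Count -eq 0) {
    Write-Warning 'Recycle Bin is NOT enabled: deleted objects are plain tombstones and cannot be restored this way.'
    return
}

# 2. Deleted objects are invisible to Get-ADObject unless -IncludeDeletedObjects is given.
#    Their name becomes "<name>\0ADEL:<guid>", so match on the original name prefix.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "j.smith*"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged -Server $Domain

$deleted | Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# 3. Restore. Without -TargetPath the object goes back to lastKnownParent; with the Recycle Bin
#    on, its attributes (SID, memberOf, etc.) were preserved so no authoritative restore is needed.
$deleted | Where-Object { $_.ObjectClass -eq 'user' } | Restore-ADObject -Server $Domain
```

Compare the lastKnownParent shown in step 2 with where the account actually lands; if the original OU was deleted as well, restore the OU first or pass -TargetPath to Restore-ADObject.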

Easy as pie 🙂