FortiGate – adding additional IPs for PPPoE connections

Here in Australia we receive IP blocks for PPPoE connections. Since the IP is dynamically assigned to us we can’t manually add a “secondary IP” like you would with a static connection.

So what do you need to do?

Configure an IP pool!

  1. Go to Policy & Objects > Objects > IP Pools
  2. Specify whether it’s IPv4 or IPv6 and give a name
  3. Leave the type as Overload (unless you have a requirement to use the other types)
  4. Enter the additional IPs given to you by your ISP
    Configuring IP Pools in GUI
  5. Now that you’ve configured your IP pool you can allocate inbound services to those additional IPs. Configure your VIPs, VIP groups, and policies to use these additional IPs and, of course, test!

Configure IE 10/11 startup settings (registry)

I had an issue configuring the way Internet Explorer started up at a client site. They use an intranet home page and every time someone closed their current browsing session and reopened Internet Explorer, the software would hang momentarily then reopen the tabs they recently closed down. The option in IE is under Tools > Internet Options > General, as below.

IE Startup Options

Easy enough right, definitely. Now for a single user this isn’t such a big deal, but as a sys admin running a Windows 7, Server 2008 R2 infrastructure environment for several hundred users, group policy would be the answer, right? I had a hard time looking around for the adm or admx files and tried leveraging the Internet Explorer Administration Kit to no avail. I didn’t have a Windows Server 2012 server onsite. So what’s the easy answer? Registry 🙂

The details of the entry are as follows:

Key Name: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ContinuousBrowsing
DWORD Name: Enabled
Value: 0 – Start with home page, 1 – Start with tabs from the last session

IE Startup Registry

So amend this via GPO (add a user policy registry entry or logon script) and voila!
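A logon script that applies the entry above, as an added example that is not part of the original post. It assumes the script runs in the user's own context (for instance as a GPO user logon script), since the key lives under HKEY_CURRENT_USER.

```powershell
# Added example: make IE open with the home page instead of last session's tabs.
# Must run as the user (HKCU), e.g. as a GPO user logon script.
$key  = 'HKCU:\Software\Microsoft\Internet Explorer\ContinuousBrowsing'
$name = 'Enabled'
$want = 0   # 0 = start with home page, 1 = start with tabs from the last session

# The key may not exist if the user has never touched the setting
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Current value; $null when the value has not been created yet
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

if ($current -ne $want) {
    # -Force creates or overwrites the value and guarantees the DWORD type
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $want -Force | Out-Null
    Write-Output "ContinuousBrowsing\Enabled changed from '$current' to $want"
} else {
    Write-Output "ContinuousBrowsing\Enabled already set to $want"
}
```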

 

WSUS – Throttle Bandwidth Utilisation

Just had an issue today where I approved WSUS updates for maintenance and came to the realisation that as soon as you approve new updates WSUS automatically begins to download them. Here I am trying to isolate why the browsing internet, reviewed the gateway, noted download traffic was massive from the WSUS server, logged on and noticed…. akamai.

WSUS - Akamai

 

Yep, I didn’t even realise (noob I know) but I’ve found a way to manage the downloads by WSUS (and other Microsoft services that are chucking a sneaky). BITS is a sneaky little service that most people may not even realise is affecting the performance of their internet use. Here’s an acrostic poem I prepared earlier:

Background
Intelligent
Transfer
Service

All we need to do is throttle the amount of bandwidth the service uses during a certain time frame.

  1. Open Group Policy Management
  2. Browse to Computer Configuration > Policies > Administrative Templates > Network > Background Intelligent Transfer Service
  3. Double click Limit the maximum network bandwidth for BITS background transfers
    WSUS - BITS GPO
  4. Enable the settings and configure as per your requirements
    WSUS - BITS GPO Details
  5. Hit OK, associate the GPO to your WSUS server.
  6. If you want it to take effect immediately, log on to the WSUS server and run gpupdate /force
  7. You’ll notice the bandwidth utilisation drop within seconds.
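To confirm the policy actually reached the server after step 6, the check below reads the values the GPO writes and lists the current BITS jobs. It is an added example, not part of the original post; the registry value names are the ones used by the BITS administrative template, and it assumes an elevated PowerShell session on the WSUS server.

```powershell
# Added example: verify the BITS bandwidth policy landed on this machine.
# Run elevated on the WSUS server after gpupdate /force.
Import-Module BitsTransfer

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

if (-not $policy -or $policy.EnableBITSMaxBandwidth -ne 1) {
    Write-Warning 'BITS bandwidth limit not applied; check the GPO link and filtering (gpresult /r).'
} else {
    # Rates are in Kbps; the schedule is expressed as hours of the day (0-23)
    New-Object PSObject -Property @{
        LimitKbps     = $policy.MaxTransferRateOnSchedule
        FromHour      = $policy.MaxBandwidthValidFrom
        ToHour        = $policy.MaxBandwidthValidTo
        OffHoursKbps  = $policy.MaxTransferRateOffSchedule
        OffHoursNoCap = [bool]$policy.UseSystemMaximum
    }
}

# What BITS is transferring right now, for every account on the box
Get-BitsTransfer -AllUsers |
    Select-Object DisplayName, JobState, OwnerAccount, BytesTransferred, BytesTotal
```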

 

TL;DR: Configure GPO to throttle BITS utilisation and force update on WSUS server.

A parent’s guide to web filtering

Following on from my previous post where parents/guardians don’t know what their kids are up to online, I wanted to provide a simple solution that could be used by today’s Internet parents (The Enforcers :p).

Now I know that this may cause some outrage among the teens out there BUT as a recent teen and someone that has seen some of the abysmal content roaming on the internet for all the world to see, I want to help who I can, where I can, if they look for it.

So let’s get down to business shall we?

FortiClient

What’s so special about it you may ask? It’s a comprehensive AV and Web Filtering solution that can be customised (with some technical mumbo jumbo) to suit your requirements, oh and did I mention it’s completely FREE!

Here is a quick step-by-step guide on how to configure and implement FortiClient on your PCs and laptops.

  1. Download the software.
  2. Install the software using the default options (next, next, next, finish).
  3. Open the software by clicking on Start > All Programs > FortiClient > FortiClient
    Awesome home screens
  4. You’ll notice a handy little tab that’ll tickle your curiosity – yes, Parental Control.
  5. Click into the Parental Control tab.
  6. Click on the settings button and you can now configure category based web filtering.
    Mmmm Parental Control
  7. Here is where the parental wizardry (judgement) happens. Select all the categories that you would like blocked, allowed, warned, or monitored by right clicking the category and selecting the option. By default, all categories are allowed.
    Forticlient_Categories
  8. You’ll also notice that there is a Safe Search tickbox you can select. I would go ahead and tick that as well as the “Search Engine Safe Search (Google, Yahoo!, Bing, Yandex)”. If you type into Google “Where can I get…..”, you’ll be surprised at what pops up!
  9. Once your wizardry is complete and you’re satisfied with all the blocking you’ve done, click OK at the bottom. Your mission is almost complete…
    How do you lock settings so that the program cannot be easily uninstalled or settings altered?
  10. Lock it down: let’s do it. Click on File > Settings.
    Here you will see the settings page where you can configure other little wonderful things.
  11. Right on the bottom of the settings page, you will see a Lock. Here is where we will set our super awesome password.
    Lock it down
  12. Remember to put a password so awesome that only you will be able to remember it. Click OK on the password box, then click OK on the settings page to save the settings.
  13. Test, test, test! Try it out and see if all your hard work is actually working.
  14. Woohoo! Pat yourself on the back on a job well done 🙂

I’ll provide some more advanced management tips for this later but for now I believe you’re already one step ahead of the game!

Know what your kids are up to?

It’s funny (not really) how some parents have no idea what their kids are up to on the internet. Facebook, YouTube, Twitter, Instagram (selfies anyone?). Sure no problem. Some parents might walk by to double check that everything on the monitor looks legit (alt+tab) and some might even check their kids’ browser history just to make sure. Wow, no bad sites are showing up, that must mean my child’s doing all their homework. All smiles, right?

NO.

Incognito, Tor, VPN, Proxies… Woah. Who knows what else these kids are up to these days. I know that parents want to trust their children and believe that their little angel is using the internet for its intended purpose – access to an abundant amount of knowledge and information. Unfortunately, the internet can be a dark and scary place full of so many unknowns and risks that being an ignorant guardian will not cut it.

What are the risks?

  • Identity theft
  • Personal information leaked
  • Infected computers
  • De-sensitivity
  • Mental trauma
  • Distractions, distractions, distractions

My experience in the industry has led me to believe that there are too many people carelessly “sharing” information. Have you ever seen a friend set up a Facebook event requesting “new numbers because they lost their phone”? Sometimes they forget to put their event on private *shakes head* and woop-dee-doo, their mobile number is now exposed as well as other numbers your friends may have posted. How about derm kids that unknowingly thrive on likes, hearts, retweets? I’ve seen too many instances where these same people are subjects of abuse and are prone to depression/anxiety because they seek to attain approval from anonymous “friends”. Hashtagging every #instagood possible word to reach all types of people around the world to accumulate the MOST LIKES POSSIBLE is what defines you in Generation “i”!

Some questions you should really consider before sharing anything online

  • How many people can see your Facebook profile picture, Twitter posts, YouTube videos?
  • What type of people can see these posts? Employers, Corporations, Paedophiles, Family, Workmates?
  • What can these people do with this information? Right click, save picture as, photoshop, post…
  • You probably think, who the heck would care anyway? Believe me, there are people out there that do care.

The information is no longer yours once it’s on the internet. As soon as it’s online, it’s there for the taking.