FortiGate not logging denied/violation traffic

I’ve checked the “log violation traffic” on the implicit deny policy in both the GUI and CLI and it is on (which I believe should be the default anyway).

As a test I also created a policy singling out some specific traffic and set the action to deny, with logging enabled. The traffic is blocked, but the deny is not logged.

You also need to change the logging severity filter, so that informational-level entries are kept:

config log memory filter
    set severity information
end

Fortigate Multiple DDNS

When Dynamic DNS (DDNS) is enabled on FortiGates, VPN Manager supports DDNS. First VPN Manager searches for the interface IP for IPsec Phase2. If no IP is found, then VPN Manager searches for DDNS.

You can use FortiManager and the CLI-only objects menu to enable DDNS on each FortiGate device. The CLI-only objects menu is available in the Device Manager pane. See CLI-Only Objects menu.

With the CLI-only objects menu, you can use the config system ddns command to enable DDNS on a per-device basis. The selected monitoring interface must be the interface that supports your tunnel, for example:

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "<HOST1>.fortiddns.com"
        set monitor-interface "port14"
    next
end

You can also use the CLI-only objects menu to configure DDNS on multiple FortiGate interfaces. Once configured, you can use FortiManager to view all the DDNS entries, but you cannot edit the entries.

Following is an example of how to configure DDNS on multiple FortiGates by using the CLI-only objects menu:

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "<HOST1>.fortiddns.com"
        set use-public-ip enable
        set monitor-interface "wan"
    next
    edit 2
        set ddns-server FortiGuardDDNS
        set ddns-domain "<HOST2>.fortiddns.com"
        set use-public-ip disable
        set monitor-interface "wwan"
    next
end

Multiple DDNS entries are useful when using SD-WAN with multiple broadband links.

TLS and NPS

It looks like NPS only supports TLS 1.0 by default, so if you restrict your ciphers too much you will find that none of your NPS clients are able to connect using EAP.

That is a real problem when you have an 802.1X secured network and every client is expected to authenticate: if no cipher is available on both client and server, the client will be unable to connect, or to reconnect when its session requires it.

So, to make use of the ciphers supported by newer systems, you should make sure NPS can deliver them over a wider set of protocols, including TLS 1.1 and 1.2.

Ensure you have the required update patch installed on your system.

To add these registry values, follow these steps:

  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following subkey in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type TlsVersion for the name of the DWORD, and then press Enter.
  5. Right-click TlsVersion, and then click Modify.
  6. In the Value data box, use the following values for the various versions of TLS, and then click OK:

     TLS version   DWORD value
     ============= ===========
     TLS 1.0       0xC0
     TLS 1.1       0x300
     TLS 1.2       0xC00

     Any OR'ed combination of these values will enable the corresponding protocols. By default, TLS 1.0 is enabled. If any invalid value is configured, TLS 1.0 will be used.
  7. Exit Registry Editor, and then either restart the computer or restart the EapHost service.

Support for TLS 1.0, 1.1 and 1.2 = 0xFC0. TLS 1.1 and 1.2 only = 0xF00.

What does Robocopy mean by tweaked, lonely, and extra?

“Tweaked”, “Lonely”, and “Extra” refer to RoboCopy “Classes” of files.

For each directory processed RoboCopy constructs a list of files matching the Include Filespecs, in both the source and destination directories. The program then cross-references these lists, seeing which files exist where, comparing file times and sizes where possible, and places each selected file in one of the following classes:

File        Exists In   Exists In        Source/Dest     Source/Dest   Source/Dest
Class       Source      Destination      File Times      File Sizes    Attributes
=========== =========== ================ =============== ============= ============
Lonely      Yes         No               n/a             n/a           n/a
Tweaked     Yes         Yes              Equal           Equal         Different
Same        Yes         Yes              Equal           Equal         Equal
Changed     Yes         Yes              Equal           Different     n/a
Newer       Yes         Yes              Source > Dest   n/a           n/a
Older       Yes         Yes              Source < Dest   n/a           n/a
Extra       No          Yes              n/a             n/a           n/a
Mismatched  Yes (file)  Yes (directory)  n/a             n/a           n/a

By default, Lonely files (and directories) are always copied, unless the /XL switch is used. Changed, Newer and Older files are considered candidates for copying (subject to the further filtering described below), Same files are skipped (not copied), and Extra and Mismatched files (and directories) are simply reported in the output log.

Normally, Tweaked files are neither identified nor copied – they are usually identified as Same files by default. Only when switch /IT is used will the distinction between Same and Tweaked files be made, and only then will Tweaked files be copied.

Use the following switches to override this default behaviour:

Switch   Function
======== =====================
/XL      eXclude Lonely files and directories.
/IT      Include Tweaked files.
/IS      Include Same files.
/XC      eXclude Changed files.
/XN      eXclude Newer files.
/XO      eXclude Older files.

Use the following switch to suppress the reporting and processing of Extra files:

Switch   Function
======== =====================
/XX      eXclude eXtra files.
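To make the class table and the switch semantics concrete, here is an added Python model (not Robocopy's own code, and not from the original post) that classifies each entry exactly as the table above does and then applies the /XL, /IT, /IS, /XC, /XN, /XO and /XX switches. The Entry type, the sample source and destination listings, and the copy/skip/report/excluded outcome names are constructed for the example; one generalisation is labelled in the code: any file-versus-directory disagreement is treated as Mismatched, whereas the table only lists the source-file/destination-directory row.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass
class Entry:
    """One directory entry as Robocopy sees it (constructed for this example)."""
    mtime: int            # last-write time, seconds since epoch
    size: int             # size in bytes (not compared for directories)
    attrs: str = ""       # attribute letters, e.g. "A", "AH", "R"
    is_dir: bool = False


def classify(src: Optional[Entry], dst: Optional[Entry]) -> str:
    """Return the Robocopy class of an entry, following the class table row by row."""
    if src is None and dst is None:
        raise ValueError("entry exists in neither source nor destination")
    if dst is None:
        return "Lonely"                       # exists in source only
    if src is None:
        return "Extra"                        # exists in destination only
    # Assumption (generalisation of the table): any type disagreement is Mismatched,
    # not only a source file paired with a destination directory.
    if src.is_dir != dst.is_dir:
        return "Mismatched"
    if src.mtime > dst.mtime:                 # file times compared first
        return "Newer"
    if src.mtime < dst.mtime:
        return "Older"
    if not src.is_dir and src.size != dst.size:   # times equal, sizes differ
        return "Changed"
    if src.attrs != dst.attrs:                # times and sizes equal, attributes differ
        return "Tweaked"
    return "Same"


def decide(cls: str, switches: Set[str]) -> str:
    """Map a class plus the switches from the post to copy / skip / report / excluded."""
    sw = {s.upper() for s in switches}
    if cls == "Lonely":
        return "excluded" if "/XL" in sw else "copy"
    if cls == "Tweaked" and "/IT" not in sw:
        cls = "Same"                          # without /IT, Tweaked is not distinguished from Same
    if cls == "Tweaked":
        return "copy"
    if cls == "Same":
        return "copy" if "/IS" in sw else "skip"
    exclude_flag = {"Changed": "/XC", "Newer": "/XN", "Older": "/XO"}
    if cls in exclude_flag:
        return "excluded" if exclude_flag[cls] in sw else "copy"
    if cls == "Extra":
        return "excluded" if "/XX" in sw else "report"
    if cls == "Mismatched":
        return "report"
    raise ValueError(f"unknown class {cls}")


def plan(source: Dict[str, Entry], dest: Dict[str, Entry],
         switches: Iterable[str] = ()) -> Dict[str, Tuple[str, str]]:
    """Cross-reference two listings and return {name: (class, outcome)}."""
    result = {}
    for name in sorted(set(source) | set(dest)):
        cls = classify(source.get(name), dest.get(name))
        result[name] = (cls, decide(cls, set(switches)))
    return result


# Constructed sample listings covering every class in the table.
SOURCE = {
    "report.docx": Entry(mtime=1000, size=2048, attrs="A"),
    "notes.txt":   Entry(mtime=1000, size=100,  attrs="A"),
    "hidden.cfg":  Entry(mtime=1000, size=300,  attrs="AH"),
    "build.log":   Entry(mtime=1200, size=900,  attrs="A"),
    "archive":     Entry(mtime=1000, size=50,   attrs="A"),
}
DEST = {
    "report.docx": Entry(mtime=1000, size=2048, attrs="A"),              # Same
    "hidden.cfg":  Entry(mtime=1000, size=300,  attrs="A"),              # Tweaked
    "build.log":   Entry(mtime=1100, size=850,  attrs="A"),              # Newer
    "archive":     Entry(mtime=1000, size=0,    attrs="D", is_dir=True), # Mismatched
    "old.bak":     Entry(mtime=900,  size=10,   attrs="A"),              # Extra
}

if __name__ == "__main__":
    for name, (cls, outcome) in plan(SOURCE, DEST, ["/IT"]).items():
        print(f"{name:12} {cls:11} {outcome}")
```

Running it with ["/IT"] shows hidden.cfg promoted from a skipped Same file to a copied Tweaked file, while the same listings with no switches leave it skipped; this is the check to run mentally before trusting a mirror job that relies on attribute changes being picked up.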

Windows cannot access the specified device, path or file.

On Windows Server 2019 you can get this error when trying to open some settings.

To resolve it, run gpedit.msc to open the Group Policy Editor, go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, and enable "User Account Control: Admin Approval Mode for the Built-in Administrator account".

Finally, restart Windows for the change to take effect.

Figure as below:

Server 2012/2016/2019 Deduplication Data – how check save data

If you have a file server and want to know how much data you would be able to save by migrating to Server 2012, copy the tool ddpeval.exe from the path c:\windows\system32\ on a Windows Server 2012 machine.

This tool only shows you how much data you would be able to save. It does not deduplicate anything! Examples:

ddpeval.exe \\dchv\d

or

ddpeval.exe d:

————————————————————————————————————

In the pictures below you can see how to turn on deduplication on the server and the result of a real deduplication run.

FIRST enable "Data Deduplication" (a feature of the File Server role), then run:

# replace D: with the volume you enabled deduplication on
Start-DedupJob -Volume D: -Type Optimization
Get-DedupStatus

The Deduplication feature works with local disks and volumes only; it does not work with remote network stores or remote network shares.

Fortigate SNMP monitoring

Technical Note: SNMP ifDescr missing in FortiOS 5.4

Description: With FortiOS 5.2 and lower, the "ifDescr" OID is systematically filled in with the interface name.

This behaviour was not compliant with RFC 1213, which states: "ifDescr should be filled in with a textual string containing information about the interface. This string should include the name of the manufacturer, the product name and the version of the hardware interface."

Since FortiOS 5.4, the "ifDescr" OID behaves as per RFC 1213, i.e. the "ifDescr" OID is filled in with the interface description, that is:
– The "description" variable value of each specific interface (CLI)
– The "comment" field value of each specific interface (GUI)

To summarize, in FortiOS 5.4 and above:
– ifDescr OID returns the interface description
– ifAlias OID returns the interface alias
– ifName OID returns the interface name

On FortiGates running FortiOS 5.2.x, all interfaces have the SNMP ifDescr MIB object populated by default:

$ snmpwalk -v3 -u blahblah -a MD5 -A blahblah1 -x DES -X blahblah1 -l authPriv -Oa 10.8.8.8 | grep -i desc
SNMPv2-MIB::sysDescr.0 = STRING: Fortigate v5.2.11
SNMPv2-MIB::sysORDescr.1 = STRING:
IF-MIB::ifDescr.1 = STRING: port1
IF-MIB::ifDescr.2 = STRING: port2
IF-MIB::ifDescr.3 = STRING: port3
IF-MIB::ifDescr.4 = STRING: port4
IF-MIB::ifDescr.5 = STRING: port5
IF-MIB::ifDescr.6 = STRING: port6
IF-MIB::ifDescr.7 = STRING: port7
IF-MIB::ifDescr.8 = STRING: port8
IF-MIB::ifDescr.9 = STRING: port9
IF-MIB::ifDescr.10 = STRING: port10
IF-MIB::ifDescr.13 = STRING: ssl.root

On a FortiGate running FortiOS 5.4.x the default SNMP ifDescr MIB values have changed:

$ snmpwalk -v3 -u blahblah -a MD5 -A blahblah1 -x DES -X blahblah1 -l authPriv -Oa 10.8.8.8 | grep -i desc
SNMPv2-MIB::sysDescr.0 = STRING: Fortigate v5.4.5
SNMPv2-MIB::sysORDescr.1 = STRING:
IF-MIB::ifDescr.1 = STRING:
IF-MIB::ifDescr.2 = STRING:
IF-MIB::ifDescr.3 = STRING:
IF-MIB::ifDescr.4 = STRING:
IF-MIB::ifDescr.5 = STRING:
IF-MIB::ifDescr.6 = STRING:
IF-MIB::ifDescr.7 = STRING:
IF-MIB::ifDescr.8 = STRING:
IF-MIB::ifDescr.9 = STRING:
IF-MIB::ifDescr.10 = STRING:
IF-MIB::ifDescr.11 = STRING:

Workaround

In FortiOS 5.4 you can still get the port descriptions from the following MIB table (ifXTable, which carries the ifName and ifAlias objects):

IF-MIB:ifMIB.ifMIBObjects.ifXTable.ifXEntry – 1.3.6.1.2.1.31.1.1.1
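A monitoring script that keys interfaces on ifDescr breaks silently after the upgrade, because the walk still answers but every value is empty. The following added Python example (not from the original post or from Fortinet) parses snmpwalk text of the shape shown above, collects ifDescr, ifName and ifAlias per ifIndex, and labels each interface from ifDescr when it is populated (5.2 behaviour) and from ifName otherwise (5.4 behaviour), falling back to the bare ifIndex. The two walks embedded below are constructed samples, not captures from a real device; the interface comment "uplink to core" and the alias "core" are invented for the example.

```python
import re
from collections import defaultdict
from typing import Dict

# One snmpwalk output line, e.g.
#   IF-MIB::ifDescr.1 = STRING: port1
#   IF-MIB::ifDescr.1 = STRING:          (empty value, as seen on FortiOS 5.4)
LINE_RE = re.compile(
    r'^(?P<mib>[\w-]+)::(?P<obj>[A-Za-z0-9]+)\.(?P<idx>\d+)\s*=\s*'
    r'(?P<type>[A-Za-z0-9-]+):\s*(?P<val>.*)$'
)
WANTED = ("ifDescr", "ifName", "ifAlias")


def parse_snmpwalk(text: str) -> Dict[int, Dict[str, str]]:
    """Collect ifDescr / ifName / ifAlias values per ifIndex from snmpwalk output."""
    table: Dict[int, Dict[str, str]] = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("obj") not in WANTED:
            continue                      # sysDescr, sysORDescr, etc. are ignored
        value = m.group("val").strip().strip('"')
        table[int(m.group("idx"))][m.group("obj")] = value
    return dict(table)


def interface_label(entry: Dict[str, str], idx: int) -> str:
    """Prefer ifDescr (FortiOS 5.2), fall back to ifName (FortiOS 5.4), then ifIndex."""
    for key in ("ifDescr", "ifName"):
        if entry.get(key):
            return entry[key]
    return f"ifIndex {idx}"


def label_interfaces(text: str) -> Dict[int, str]:
    """Return {ifIndex: label} for every interface seen in the walk."""
    table = parse_snmpwalk(text)
    return {idx: interface_label(entry, idx) for idx, entry in sorted(table.items())}


def empty_descr_count(table: Dict[int, Dict[str, str]]) -> int:
    """How many interfaces answered ifDescr with an empty string (the 5.4 symptom)."""
    return sum(1 for entry in table.values() if "ifDescr" in entry and not entry["ifDescr"])


# Constructed sample: FortiOS 5.2-style walk, ifDescr carries the interface name.
WALK_52 = """\
SNMPv2-MIB::sysDescr.0 = STRING: Fortigate v5.2.11
SNMPv2-MIB::sysORDescr.1 = STRING:
IF-MIB::ifDescr.1 = STRING: port1
IF-MIB::ifDescr.2 = STRING: port2
IF-MIB::ifDescr.13 = STRING: ssl.root
"""

# Constructed sample: FortiOS 5.4-style walk, ifDescr is empty unless a comment is set,
# the name lives in ifName and the alias in ifAlias (ifXTable).
WALK_54 = """\
SNMPv2-MIB::sysDescr.0 = STRING: Fortigate v5.4.5
SNMPv2-MIB::sysORDescr.1 = STRING:
IF-MIB::ifDescr.1 = STRING:
IF-MIB::ifDescr.2 = STRING: uplink to core
IF-MIB::ifDescr.3 = STRING:
IF-MIB::ifName.1 = STRING: port1
IF-MIB::ifName.2 = STRING: port2
IF-MIB::ifAlias.2 = STRING: core
"""

if __name__ == "__main__":
    for name, walk in (("5.2", WALK_52), ("5.4", WALK_54)):
        table = parse_snmpwalk(walk)
        print(f"FortiOS {name}: {empty_descr_count(table)} empty ifDescr value(s)")
        for idx, label in label_interfaces(walk).items():
            print(f"  ifIndex {idx}: {label}")
```

Feed it the real output of the snmpwalk above (walking IF-MIB rather than grepping for "desc", so that ifName and ifAlias are included) and a non-zero empty_descr_count is the quick tell that the device is on 5.4 semantics and the monitoring template needs to key on ifName.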

OpsView wrong ipmi result

Opsview caches the IPMI result in /var/log/nagios/.freeipmi/sdr-cache, in files named after the device's IP address.

Remove them to recreate the cache from the new device.