Dwain Hutten IT Pro

Web Name: Dwain Hutten IT Pro

WebSite: http://dwainhutten.nl


Description:

Last time I set up some IPsec S2S connections between multiple FortiGate firewalls, and of course I am running BGP between them.

- Hub site must know all routes from the spokes, but only transport 192.168.1.0/24 via BGP.
- Spoke A (IP 192.168.254.2) must know only the route to the Hub. Default route will remain on the spoke location.
- Spoke B (IP 192.168.254.4) must know only the route to the Hub. Default route will remain on the spoke location.

Since I'm running BGP, all sites know each other's routes, and this is not what I want. Of course I know and configure the equipment in Spoke A and B, but let's assume I don't have that control. Then I want to use route-maps to filter :). And a route-map can use a prefix-list to make advanced filtering possible instead of a basic ACL.

The following table lists show / diag / update / config commands for FortiGate, which can be handy. Will update this list once in a while.

| Command | What does it do? |
| --- | --- |
| config system arp-table | Add static ARP entries |
| config system interface | Show all NICs |
| config router prefix-list | Add a prefix-list. Type show to see current prefix-lists. |
| config router route-map | Add a route-map. Type show to see current route-maps. |
| diag debug crashlog read | Get crash log; shows the crash log in a readable format. |
| diag debug rating | Show list of FortiGuard services |
| diag ip arp delete <interface name> <IP address> | Remove a single ARP table entry |
| diag ip arp list | View ARP cache |
| diagnose debug enable, then diagnose debug application fnbamd -1 | Debug LDAP or RADIUS |
| diag debug reset, then diag ip router bgp all enable, then diag ip router bgp level info, then diag debug enable | Debug BGP |
| diag debug disable | Disable debug output |
| diagnose firewall ipgeo country-list | Show Geo IP countries |
| diagnose firewall ipgeo ip-list all | Show Geo IP IPv4 address list |
| diagnose hardware deviceinfo nic | Show hardware info for NIC |
| diagnose hardware deviceinfo nic <nic> | Show device information for a specific NIC |
| diagnose hardware sysinfo shm | Show shared memory information. Look if conservemode is 1. |
| diagnose sys ha hadiff status | Show an HA diff |
| diagnose sys ha reset-uptime | Execute a fail-over |
| diagnose sys kill process_id 15 | Kill a process; uses an unconditional kill. |
| diagnose sys session list | Show session table |
| diagnose sys tcpsock | List open networking ports |
| diagnose sys top | Show top with processes |
| exec router clear bgp all | Clear all BGP sessions |
| exec router clear bgp all soft | Soft clear all BGP (this will refresh the BGP routing table, but the BGP session remains) |
| exec router clear bgp ip soft x.x.x.x | Soft clear BGP for a specific neighbor |
| exec ha manage 0/1 | Manage other cluster member through HA interface |
| exec log display | Display log |
| exec ping <dst> | Execute a ping |
| exec ping-options | Set specific ping options |
| exec ping-options source | Set specific source IP |
| exec tac report | Generate a TAC report |
| exec telnet ip:port | Execute a telnet |
| exec ssh ip:port | Execute an SSH client |
| exec traceroute | Execute a traceroute |
| exec clear system arp table | Clear ARP cache |
| exec log filter | Set a log filter |
| exec update-geo-ip | Update Geo IP addresses |
| exec update-av | Update antivirus database |
| exec update-ips | Update IPS database |
| get router info routing-table all | Show routing table |
| get router info routing-table database | Show routing database |
| get router info routing-table bgp | Show BGP routes |
| get router info routing-table ospf | Show OSPF routes |
| get router info routing-table connected | Show directly connected routes |
| get router info routing-table details <host> | Get routing information for a specific host |
| get router info bgp summary | Show BGP peer status and received prefixes |
| get router route-map | Show available route-maps |
| get router prefix-list | Show available prefix-lists |
| get system arp | Show ARP table |
| get system checksum status | Show HA checksum |
| get system ha status | Show HA status |
| get system performance status | Show performance usage |
| get system performance top | Show top; use SHIFT+M to sort on memory usage. |
| get system session list | Short list for session table |
| get system status | Show system status |
| get vpn ipsec tunnel details | Show details for IPsec VPN tunnel |
| get vpn ipsec tunnel summary | Show summary list of IPsec VPN tunnels |

When upgrading an SSL cert last week I had to run the Exchange Hybrid Configuration Wizard again. Of course, when you update something like this or AD Connect, something is broken. Before, the Free/Busy was working from Microsoft 365 Exchange Online to the on-prem environment. It resulted in an empty response. To fix the Free/Busy time, this needs to be filled in if there are subdomains. If you have, let's say, @test.com it's fine, but if you have @nl.test.com it goes wrong, because it tries to reach autodiscover.nl.test.com instead of autodiscover.test.com. Even if you have some CNAME records, it takes too long.

Instead of letting autodiscover find out what the URL is (as told in the beginning, I had this issue in the past), simply put the Hybrid servers in the TargetSharingEpr directly. So https://hybrid.test.com/ews/exchange.asmx:

    Set-OrganizationRelationship -TargetSharingEpr https://hybrid.test.com/ews/exchange.asmx -Identity yourmicrosoftidentity

Often when you buy or get a new certificate, you need another certificate format depending on your needs.

PEM Format

The PEM format is the most common format that CAs issue certificates in. PEM certificates usually have extensions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain BEGIN CERTIFICATE and END CERTIFICATE statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.

Apache and other similar servers like Citrix NetScaler use PEM format certificates. Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files.

DER Format

The DER format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der, but it often has a file extension of .cer, so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements. All types of certificates and private keys can be encoded in DER format. DER is typically used with Java-related platforms.

PKCS#7/P7B Format

The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extension of .p7b or .p7c. P7B certificates contain BEGIN PKCS7 and END PKCS7 statements. A P7B file only contains certificates and chain certificates, not the private key. Several platforms support P7B files, including Microsoft Windows and Java Tomcat.

PKCS#12/PFX Format

The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

When converting a PFX file to PEM format, OpenSSL will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END statements) to its own individual text file and save them as certificate.cer, CACert.cer, and privateKey.key respectively.

OpenSSL Commands to Convert SSL Certificates

There are several online converters for SSL certificates, but I urge you to convert the certificate locally via OpenSSL. You don't want to store your PRIVATE key on someone else's machine. If you do it locally, you have the private key on your machine. A good point here is that you should have some form of disk encryption on your laptop, so that the keys remain safe in the event that your PC/laptop is stolen.
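The manual steps described above (telling a PEM .cer from a DER .cer, and splitting the single file OpenSSL writes from a PFX into certificate.cer, CACert.cer and privateKey.key) can be scripted locally so the private key never leaves the machine. This is an added example, not code from the original post; the function names are hypothetical, the sample bundle is constructed, and it assumes an unencrypted (-nodes) bundle in which the first certificate is the server certificate.

```python
import base64
import os
import re

# Matches one PEM armour block; \1 forces the BEGIN and END labels to agree.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def sniff_format(data: bytes) -> str:
    """Classify certificate data by content, since .cer can be PEM or DER."""
    if b"-----BEGIN PKCS7-----" in data:
        return "P7B"
    if b"-----BEGIN " in data:
        return "PEM"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: binary DER (a PFX starts the same way)
        return "DER"
    return "unknown"


def split_bundle(pem_text: str):
    """Return [(label, block)] in file order, skipping 'Bag Attributes' lines."""
    blocks = []
    for m in PEM_BLOCK.finditer(pem_text):
        # Raises if the Base64 body was damaged while copying.
        base64.b64decode("".join(m.group(2).split()), validate=True)
        blocks.append((m.group(1), m.group(0) + "\n"))
    return blocks


def write_split(blocks, outdir):
    """Write privateKey.key (mode 0600), certificate.cer and CACert.cer."""
    files = {}
    for label, block in blocks:
        if label.endswith("PRIVATE KEY"):
            name = "privateKey.key"
        elif label == "CERTIFICATE":
            # Assumption: the first certificate is the server certificate.
            name = "CACert.cer" if "certificate.cer" in files else "certificate.cer"
        else:
            continue
        files[name] = files.get(name, "") + block
    for name, text in files.items():
        mode = 0o600 if name.endswith(".key") else 0o644
        path = os.path.join(outdir, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
    return sorted(files)


def _fake(label, payload):  # constructed sample data, not real key material
    b64 = base64.b64encode(b"\x30\x82" + payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


SAMPLE = ("Bag Attributes\n    friendlyName: constructed\n" + _fake("PRIVATE KEY", b"key")
          + "subject=CN = www.example.test\n" + _fake("CERTIFICATE", b"leaf")
          + "subject=CN = Example Test CA\n" + _fake("CERTIFICATE", b"ca"))
```

The file mode is only applied when the file is created, so write into a fresh directory rather than over an existing, more widely readable key file.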
Use the following OpenSSL commands to convert an SSL certificate to different formats:

OpenSSL Convert PEM

Convert PEM to DER

    openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

    openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

OpenSSL Convert DER

Convert DER to PEM

    openssl x509 -inform der -in certificate.cer -out certificate.pem

OpenSSL Convert P7B

Convert P7B to PEM

    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
    openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
    openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx

OpenSSL Convert PFX

Convert PFX to PEM

    openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

Today I was busy with some Policy Based Routing (PBR) on an HPE Aruba 3800 series switch.

Situation:

The default gateway is set to 172.16.1.1, which is ISP A, a line dedicated for business traffic. So in the config of the switch:

    ip route 0.0.0.0 0.0.0.0 172.16.1.1
    ip routing

Let's assume that we have another ISP, named B, which needs to be used for Office 365, in particular Exchange Online. Of course the best option would be to change the default gateway, because Microsoft has a lot of IP addresses which are changing on a regular basis. So my advice would be to set the default gateway to ISP B and make a PBR for the things that should go to ISP A. Users of VLAN 5 need to have this in place.

We start by creating a class which contains the IPv4 addresses for Exchange Online listed on this Microsoft page.
The class name is case sensitive. Also, please note that we can't use normal subnet masks (the switch accepts them, but it's not working); we should use wildcard masking here.

    class ipv4 Office365-Subnets
       5 match ip 0.0.0.0 255.255.255.255 13.107.6.152 0.0.0.1
       10 match ip 0.0.0.0 255.255.255.255 13.107.9.152 0.0.0.1
       15 match ip 0.0.0.0 255.255.255.255 13.107.18.10 0.0.0.1
       20 match ip 0.0.0.0 255.255.255.255 13.107.19.10 0.0.0.1
       25 match ip 0.0.0.0 255.255.255.255 23.103.160.0 0.0.15.255
       30 match ip 0.0.0.0 255.255.255.255 23.103.224.0 0.0.31.255
       35 match ip 0.0.0.0 255.255.255.255 40.96.0.0 0.7.255.255
       40 match ip 0.0.0.0 255.255.255.255 40.104.0.0 0.3.255.255
       45 match ip 0.0.0.0 255.255.255.255 70.37.151.128 0.0.0.127
       50 match ip 0.0.0.0 255.255.255.255 111.221.112.0 0.0.7.255
       55 match ip 0.0.0.0 255.255.255.255 131.253.33.215 0.0.0.0
       60 match ip 0.0.0.0 255.255.255.255 132.245.1.128 0.0.0.127
       65 match ip 0.0.0.0 255.255.255.255 132.245.2.0 0.0.1.255
       70 match ip 0.0.0.0 255.255.255.255 132.245.4.0 0.0.3.255
       75 match ip 0.0.0.0 255.255.255.255 132.245.8.0 0.0.7.255
       80 match ip 0.0.0.0 255.255.255.255 132.245.16.0 0.0.15.255
       85 match ip 0.0.0.0 255.255.255.255 132.245.32.0 0.0.31.255
       90 match ip 0.0.0.0 255.255.255.255 132.245.64.0 0.0.31.255
       95 match ip 0.0.0.0 255.255.255.255 132.245.96.0 0.0.15.255
       100 match ip 0.0.0.0 255.255.255.255 132.245.113.128 0.0.0.127
       105 match ip 0.0.0.0 255.255.255.255 132.245.114.0 0.0.1.255
       110 match ip 0.0.0.0 255.255.255.255 132.245.116.0 0.0.3.255
       115 match ip 0.0.0.0 255.255.255.255 132.245.120.0 0.0.7.255
       120 match ip 0.0.0.0 255.255.255.255 132.245.129.128 0.0.0.127
       125 match ip 0.0.0.0 255.255.255.255 132.245.130.0 0.0.1.255
       130 match ip 0.0.0.0 255.255.255.255 132.245.132.0 0.0.3.255
       135 match ip 0.0.0.0 255.255.255.255 132.245.136.0 0.0.7.255
       140 match ip 0.0.0.0 255.255.255.255 132.245.144.0 0.0.15.255
       145 match ip 0.0.0.0 255.255.255.255 132.245.160.0 0.0.31.255
       150 match ip 0.0.0.0 255.255.255.255 132.245.192.0 0.0.63.255
       155 match ip 0.0.0.0 255.255.255.255 134.170.68.0 0.0.1.255
       160 match ip 0.0.0.0 255.255.255.255 157.56.96.16 0.0.0.15
       165 match ip 0.0.0.0 255.255.255.255 157.56.96.224 0.0.0.15
       170 match ip 0.0.0.0 255.255.255.255 157.56.106.128 0.0.0.15
       175 match ip 0.0.0.0 255.255.255.255 157.56.232.0 0.0.7.255
       180 match ip 0.0.0.0 255.255.255.255 157.56.240.0 0.0.15.255
       185 match ip 0.0.0.0 255.255.255.255 191.232.96.0 0.0.31.255
       190 match ip 0.0.0.0 255.255.255.255 191.234.6.152 0.0.0.0
       195 match ip 0.0.0.0 255.255.255.255 191.234.140.0 0.0.3.255
       200 match ip 0.0.0.0 255.255.255.255 191.234.224.0 0.0.3.255
       205 match ip 0.0.0.0 255.255.255.255 204.79.197.215 0.0.0.0
       210 match ip 0.0.0.0 255.255.255.255 206.191.224.0 0.0.31.255
       215 match ip 0.0.0.0 255.255.255.255 207.46.150.128 0.0.0.127
       220 match ip 0.0.0.0 255.255.255.255 207.46.203.128 0.0.0.63
       exit

Now that we have a class, we can bind it in a policy and set the next-hop to 172.16.1.2.

    policy pbr POL-Office365-Subnets
       5 class ipv4 Office365-Subnets
          action ip next-hop 172.16.1.2
          exit
       exit

Since the implementation of HPE states that we need to map to a VLAN, and we only created a policy but didn't bind it anywhere, we have to do the following:

    vlan 5
       name test
       untagged 1
       ip address 192.168.1.0 255.255.255.0
       service-policy POL-Office365-Subnets in
       exit

Keep in mind that you can only bind one PBR to a VLAN. You can enter the command service-policy POL-test in again and press Enter; you won't get a warning, but you simply override the PBR.
Also, you can only set the PBR to incoming packets on a VLAN.

Some show commands:

    show policy POL-Office365-Subnets

Output:

    Statements for policy POL-Office365-Subnets
    policy pbr POL-Office365-Subnets
       5 class ipv4 Office365-Subnets
          action ip next-hop 172.16.1.2
          exit
       exit

    show statistics policy POL-Office365-Subnets vlan 5 in

Output:

    Hit Counts for Policy POL-Office365-Subnets
      Total
         5 class ipv4 Office365-Subnets action ignore
    (       0 )      5 match ip 0.0.0.0 255.255.255.255 13.107.6.152 0.0.0.1
    (       0 )      10 match ip 0.0.0.0 255.255.255.255 13.107.9.152 0.0.0.1
    (       0 )      15 match ip 0.0.0.0 255.255.255.255 13.107.18.10 0.0.0.1
    (       0 )      20 match ip 0.0.0.0 255.255.255.255 13.107.19.10 0.0.0.1
    (       0 )      25 match ip 0.0.0.0 255.255.255.255 23.103.160.0 0.0.15.255
    (       0 )      30 match ip 0.0.0.0 255.255.255.255 23.103.224.0 0.0.31.255
    (       0 )      35 match ip 0.0.0.0 255.255.255.255 40.96.0.0 0.7.255.255
    (       0 )      40 match ip 0.0.0.0 255.255.255.255 40.104.0.0 0.3.255.255
    (       0 )      45 match ip 0.0.0.0 255.255.255.255 70.37.151.128 0.0.0.127
    (       0 )      50 match ip 0.0.0.0 255.255.255.255 111.221.112.0 0.0.7.255
    (       0 )      55 match ip 0.0.0.0 255.255.255.255 131.253.33.215 0.0.0.0
    (       0 )      60 match ip 0.0.0.0 255.255.255.255 132.245.1.128 0.0.0.127
    (       0 )      65 match ip 0.0.0.0 255.255.255.255 132.245.2.0 0.0.1.255
    (       0 )      70 match ip 0.0.0.0 255.255.255.255 132.245.4.0 0.0.3.255
    (       0 )      75 match ip 0.0.0.0 255.255.255.255 132.245.8.0 0.0.7.255
    (       0 )      80 match ip 0.0.0.0 255.255.255.255 132.245.16.0 0.0.15.255
    (       0 )      85 match ip 0.0.0.0 255.255.255.255 132.245.32.0 0.0.31.255
    (       0 )      90 match ip 0.0.0.0 255.255.255.255 132.245.64.0 0.0.31.255
    (       0 )      95 match ip 0.0.0.0 255.255.255.255 132.245.96.0 0.0.15.255
    (       0 )      100 match ip 0.0.0.0 255.255.255.255 132.245.113.128 0.0.0.127
    (       0 )      105 match ip 0.0.0.0 255.255.255.255 132.245.114.0 0.0.1.255
    (       0 )      110 match ip 0.0.0.0 255.255.255.255 132.245.116.0 0.0.3.255
    (       0 )      115 match ip 0.0.0.0 255.255.255.255 132.245.120.0 0.0.7.255
    (       0 )      120 match ip 0.0.0.0 255.255.255.255 132.245.129.128 0.0.0.127
    (       0 )      125 match ip 0.0.0.0 255.255.255.255 132.245.130.0 0.0.1.255
    (       0 )      130 match ip 0.0.0.0 255.255.255.255 132.245.132.0 0.0.3.255
    (       0 )      135 match ip 0.0.0.0 255.255.255.255 132.245.136.0 0.0.7.255
    (       0 )      140 match ip 0.0.0.0 255.255.255.255 132.245.144.0 0.0.15.255
    (       0 )      145 match ip 0.0.0.0 255.255.255.255 132.245.160.0 0.0.31.255
    (       0 )      150 match ip 0.0.0.0 255.255.255.255 132.245.192.0 0.0.63.255
    (       0 )      155 match ip 0.0.0.0 255.255.255.255 134.170.68.0 0.0.1.255
    (       0 )      160 match ip 0.0.0.0 255.255.255.255 157.56.96.16 0.0.0.15
    (       0 )      165 match ip 0.0.0.0 255.255.255.255 157.56.96.224 0.0.0.15
    (       0 )      170 match ip 0.0.0.0 255.255.255.255 157.56.106.128 0.0.0.15
    (       0 )      175 match ip 0.0.0.0 255.255.255.255 157.56.232.0 0.0.7.255
    (       0 )      180 match ip 0.0.0.0 255.255.255.255 157.56.240.0 0.0.15.255
    (       0 )      185 match ip 0.0.0.0 255.255.255.255 191.232.96.0 0.0.31.255
    (       0 )      190 match ip 0.0.0.0 255.255.255.255 191.234.6.152 0.0.0.0
    (       0 )      195 match ip 0.0.0.0 255.255.255.255 191.234.140.0 0.0.3.255
    (       0 )      200 match ip 0.0.0.0 255.255.255.255 191.234.224.0 0.0.3.255
    (       0 )      205 match ip 0.0.0.0 255.255.255.255 204.79.197.215 0.0.0.0
    (       0 )      210 match ip 0.0.0.0 255.255.255.255 206.191.224.0 0.0.31.255
    (       0 )      215 match ip 0.0.0.0 255.255.255.255 207.46.150.128 0.0.0.127
    (       0 )      220 match ip 0.0.0.0 255.255.255.255 207.46.203.128 0.0.0.63
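Because the Microsoft ranges change regularly and the switch silently accepts a subnet mask where it needs a wildcard mask, it helps to generate the class entries from CIDR notation and to lint existing entries. The following is an added example, not part of the original post; the function names are hypothetical, and it goes slightly beyond the text by also flagging addresses that have bits set inside the wildcard.

```python
import ipaddress


def class_lines(name, cidrs, step=5):
    """Render a 'class ipv4' block with wildcard masks from CIDR prefixes."""
    lines = [f"class ipv4 {name}"]
    for i, cidr in enumerate(cidrs, start=1):
        # strict=True raises ValueError when host bits are set (e.g. 10.0.0.1/24).
        net = ipaddress.ip_network(cidr, strict=True)
        lines.append(
            f"   {i * step} match ip 0.0.0.0 255.255.255.255 "
            f"{net.network_address} {net.hostmask}"
        )
    lines.append("   exit")
    return lines


def mask_kind(dotted):
    """Return 'wildcard', 'netmask' or 'non-contiguous' for a dotted quad."""
    m = int(ipaddress.IPv4Address(dotted))
    if m & (m + 1) == 0:          # 0..01..1, includes 0.0.0.0 and 255.255.255.255
        return "wildcard"
    inv = m ^ 0xFFFFFFFF
    if inv & (inv + 1) == 0:      # 1..10..0, an ordinary subnet mask
        return "netmask"
    return "non-contiguous"


def lint_match(line):
    """Check one 'N match ip SRC SRCMASK DST DSTMASK' entry; return problems."""
    tok = line.split()
    i = tok.index("match")
    src, smask, dst, dmask = tok[i + 2:i + 6]
    problems = []
    for what, addr, mask in (("source", src, smask), ("destination", dst, dmask)):
        kind = mask_kind(mask)
        if kind != "wildcard":
            problems.append(f"{what} mask {mask} is {kind}, expected wildcard")
        elif int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask)):
            problems.append(f"{what} {addr} has bits set inside wildcard {mask}")
    return problems


if __name__ == "__main__":
    # Three of the page's entries, written as CIDR prefixes.
    for row in class_lines("Office365-Subnets",
                           ["13.107.6.152/31", "23.103.160.0/20", "40.96.0.0/13"]):
        print(row)
    # Constructed bad entry: subnet mask used where a wildcard mask is required.
    print(lint_match("5 match ip 0.0.0.0 255.255.255.255 13.107.6.152 255.255.255.254"))
```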
