The Cisco Email Security Appliance (ESA) is well-known for its very good Anti-Spam features. But it completely lacks a usable implementation for mail encryption with S/MIME or OpenPGP. That is: We are using other appliances for that such as Zertificon, SEPPmail, or totemo.
However, the Cisco ESA still remains the main MTA for incoming and outgoing mails, hence mails must be routed to the encryption appliance of your choice for signing/encrypting (outgoing) or verifying/decrypting (incoming) mails. Such mail routings should be done with CLI-only message filters, rather than content filters. Here we go:
Continue reading Cisco ESA: Mail Flow for Encryption Appliances →
A security device such as a firewall should rely on NTP authentication to overcome NTP spoofing attacks. Therefore I am using NTP authentication on the FortiGate as well. As always, this so-called next-generation firewall has a very limited GUI while you need to configure all details through the CLI. I hate it, but that’s the way Fortinet is doing it. Furthermore the “set authentication” command is hidden unless you’re downgrading to NTPv3 (?!?) and it only supports MD5 rather than SHA-1. Not that “next-generation”!
Finally, you have no chance of knowing whether NTP authentication is working or not. I intentionally misconfigured some of my NTP keys which didn’t change anything in the NTP synchronization process while it should not work at all. Fail!
Continue reading Fortinet FortiGate (not) using NTP Authentication →
With Infoblox you’re almost doing everything through the WebUI on the Infoblox Grid Master. At least the daily business such as adding/changing/deleting/moving/whatever DNS, DHCP, and IPAM stuff. Even troubleshooting is almost done through this HTTPS-based GUI. However, some circumstances require the use of the CLI on an Infoblox appliance/VM, called “Remote Console Access” aka SSH. Here are the most common troubleshooting CLI commands for Infoblox DDI. Samples on how to use the IPMI/LOM features round things up:
Continue reading CLI Commands for Troubleshooting Infoblox →
I want to talk about a fun fact concerning my blog statistics: Since a few years I have some “CLI troubleshooting commands” posts on my blog – one for the Palo Alto Networks firewall and another for the FortiGate firewall from Fortinet. If you are searching on Google for something like “palo alto cli commands” or “fortigate troubleshooting cli” my blog is always listed amongst the first 2-4 results.
But for some reasons the article for Fortinet has much more hits. I don’t know why but I have two different ideas. What do you think?
Continue reading Palo vs. Forti: Blog Stats →
Following is a list of the most common Cisco device configuration commands that I am using when setting up a router or switch from scratch, such as hostname, username, logging, vty access, ntp, snmp, syslog. For a router I am also listing some basic layer 3 interface commands, while for a switch I am listing STP and VTP examples as well as the interface settings for access and trunk ports.
This is not a detailed best practice list which can be used completely without thinking about it, but a list with the most common configurations from which to pick out the once required for the current scenario. Kind of a template. Of course with IPv6 and legacy IP.
Continue reading Basic Cisco Configuration →
Yes I know, ScreenOS is “End of Everything” (EoE). However, for historical reasons I am still managing many Netscreen/ScreenOS firewalls for some customers. Similar to my troubleshooting CLI commands for Palo Alto and Fortinet I am listing the most common used commands for the ScreenOS devices as a quick reference / cheat sheet. These are only the commands that are needed for deep troubleshooting sessions that cannot be done solely on the GUI.
Continue reading CLI Commands for Troubleshooting Juniper ScreenOS Firewalls →
This blog post is a list of common troubleshooting commands I am using on the FortiGate CLI. It is not complete nor very detailled, but provides the basic commands for troubleshooting network related issues that are not resolvable via the GUI. I am not focused on too many memory, process, kernel, etc. details. These must only be used if there are really specific problems. I am more focused on the general troubleshooting stuff. I am using it personally as a cheat sheet / quick reference and will update it from time to time.
Continue reading CLI Commands for Troubleshooting FortiGate Firewalls →
It’s really great that the FortiGate firewalls have a DHCPv6 server implemented. With this mandatory service, IPv6-only networks can be deployed directly behind a FortiGate because the stateless DHCPv6 server provides the DNS server addresses. (This is unlike Palo Alto or Cisco which have no DHCPv6 server implemented.)
UPDATE: In the meantime Fortinet has implemented the RDNSS and DNSSL options as well. Great. Hence you don’t need DHCPv6 at all anymore to run an IPv6-only network. I updated my listings below as well.
However, the configuration on the FortiGate is really bad because nothing of the IPv6 features can be set via the GUI. (And this is called a Next-Generation Firewall? Not only the features count, but also the usability!) Everything must be done through the CLI which is sometimes hard to remember. Therefore I am publishing this memo of the appropriate CLI configuration commands.
Continue reading Basic IPv6 Configuration on a FortiGate Firewall →
When working with Cisco devices anyone knows that the output of a “show running-config” on one device can be used to completely configure a new device. On a Palo Alto Networks firewall, this is not that obvious. There are several commands that must be used to achieve the same.
However, I tested this procedure a few times and it did NOT work. :( So, the short version is: If you want to replace a Palo Alto firewall, move your configuration files (xml) through the GUI or tftp/scp. But do not use the mere CLI.
Continue reading Palo Alto: Save & Load Config through CLI →
I am using Nmap to do basic port scans for customers that requested them. The Nmap GUI “Zenmap” offers some profiles to choose the appropriate options for the scan. But when using a mere ssh session, these profiles are not given.
On the Internet, there are many good and detailed examples of how to use Nmap, such as here or here. However, I mostly need a simple and standard Nmap command for my basic scans. Here I list the command that I am using by default as a short memo for myself: :)
Continue reading My Nmap Command →
In a basic environment with a Cisco ASA firewall I am logging everything to a syslog-ng server. As there aren’t any reporting tools installed, I am using grep to filter the huge amount of syslog messages in order to get the information I want to know. In this blog post I list a few greps for getting the interesting data.
Continue reading Grep Commands for Cisco ASA Syslog Messages →
When troubleshooting network and security issues on many different devices/platforms I am always missing some command options to do exactly what I want to do on the device I am currently working with. Therefore I list a few commands for the Palo Alto Networks firewalls to have a short reference / cheat sheet for myself. Maybe some other network professionals will find it useful.
However, since I am almost always using the GUI this quick reference only lists commands that are useful for the console while not present in the GUI. Continue reading CLI Commands for Troubleshooting Palo Alto Firewalls →