Thursday, October 21, 2021

Fortigate 6.x ADVPN on secondary IP

ADVPN on Secondary IP 

Hub 
config vpn ipsec phase1-interface
    edit "ADVPN123"
        set type dynamic
        set interface "DMZ1"
        # local-gw on the hub tells the FGT that ADVPN123 accepts traffic on this (secondary) public IP
        set local-gw XXX.XXX.XXX.XXX
        set peertype any
        set net-device disable
        set proposal 
        set add-route disable
        set dpd on-idle
        set dhgrp 2
        set auto-discovery-sender enable
        set tunnel-search nexthop
        set psksecret ENC 
        set dpd-retryinterval 5
    next
end

config vpn ipsec phase2-interface
    edit "ADVPN123"
        set phase1name "ADVPN123"
        set proposal 
    next
end

config system interface
    edit "ADVPN123"
        set vdom "CORE"
        set ip 10.7.123.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.7.123.254 255.255.255.0
        set interface "vD1-DMZ1"
    next
end

config router bgp
    config neighbor-group
        edit "ADVPN123"
            set link-down-failover enable
            set remote-as 65501
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 123
            set prefix 10.7.123.0 255.255.255.0
            set neighbor-group "ADVPN123"
        next
    end
end

Then configure the firewall policy.

Spoke

config vpn ipsec phase1-interface
    edit "ADVPN"
        set interface "wan"
        set peertype any
        set net-device enable
        set proposal 
        set dpd on-idle
        set dhgrp 2
        set auto-discovery-receiver enable
        set remote-gw XXX.XXX.XXX.XXX
        set psksecret ENC 
        set dpd-retryinterval 5
    next
end

config vpn ipsec phase2-interface
    edit "ADVPN"
        set phase1name "ADVPN"
        set proposal 
        set auto-negotiate enable
    next
end

config system interface
    edit "ADVPN"
        set vdom "root"
        set ip 10.7.123.12 255.255.255.255
        set allowaccess ping https ssh snmp http
        set type tunnel
        set remote-ip 10.7.123.1 255.255.255.0
        set interface "wan"
    next
end

config router bgp
    set as 65501
    set ebgp-multipath enable
    config neighbor
        edit "10.7.123.1"
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65501
        next
    end
    config network
        edit 1
            set prefix 10.99.16.0 255.255.255.0
        next
    end
end

Then configure the firewall policy.
If you see "recursive via ..." in the routing table and cannot reach the networks behind the hub, add static routes for those networks via the ADVPN interface:

config router static
    edit 3
        set dst 10.64.128.0 255.255.224.0
        set device "ADVPN"
    next
    edit 2
        set dst 10.64.32.0 255.255.224.0
        set device "ADVPN"
    next
end

Wednesday, January 13, 2021

Elastiflow Install

Reference: https://edennington.wordpress.com/2020/02/28/installing-elastiflow/

Turn off firewalld & disable selinux
sudo yum -y install java-openjdk-devel java-openjdk tcpdump net-tools yum-utils epel-release iftop
sudo rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch
cat < Saved objects page and import downloaded json file.
Send NetFlow from the network device using UDP port 2055 and you should see flow data.

Tuesday, March 5, 2019

CENTOS7 LVM Resize

I had been receiving disk warnings for about two weeks and figured out how to resize LVM, including shrinking.
When I first set up this CentOS 7 VM I just used the system defaults, which set up /dev/mapper/centos-root with 50G and /dev/mapper/centos-home with 950G.

First, I allocated another 1T to the virtual HDD, which requires a physical volume resize:
pvresize /dev/sda2

Then I needed to resize the logical volume centos-root to fill all the free space:
lvresize -l +100%FREE /dev/mapper/centos-root

And I have an XFS volume, so run the following to grow the filesystem to fit the new size:
xfs_growfs /

Then I realized /dev/mapper/centos-home was too big, so I did:
lvreduce -L 100G /dev/mapper/centos-home

Then I had to resize /dev/mapper/centos-root with another 900G:
lvresize -l +100%FREE /dev/mapper/centos-root

and then I ran again:
xfs_growfs /

Now it looks like this:

[root@localhost librenms]# fdisk -l

Disk /dev/sda: 2148.6 GB, 2148557389824 bytes, 4196401152 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk label type: dos
Disk identifier: 0x00005fbb

Device Boot Start End Blocks Id System
/dev/sda1 * 2048 2099199 1048576 83 Linux
/dev/sda2 2099200 4196401151 2097150976 8e Linux LVM

Disk /dev/mapper/centos-root: 2031.6 GB, 2031649554432 bytes, 3968065536 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes


Disk /dev/mapper/centos-swap: 8455 MB, 8455716864 bytes, 16515072 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes


Disk /dev/mapper/centos-home: 107.4 GB, 107374182400 bytes, 209715200 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
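The order matters in both directions: growing is LV first, then the filesystem; shrinking is filesystem first, then the LV, and XFS cannot be shrunk at all, so lvreduce on an XFS volume destroys it. The following is an added example, not from the post: a planner that takes constructed `df` output and emits the command sequence in the safe order, refusing a shrink that would cut into live data or hit XFS. The sizes and the data-vol ext4 volume are constructed for illustration.

```python
import re

# Constructed sample of `df -B1 --output=source,fstype,used,target` (not real output from the post)
DF_SAMPLE = """Filesystem              Type         Used Mounted on
/dev/mapper/centos-root xfs   41000000000 /
/dev/mapper/centos-home xfs   12000000000 /home
/dev/mapper/data-vol    ext4  70000000000 /data"""

UNIT = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30, "T": 1 << 40}

def to_bytes(size):
    """'100G' -> 107374182400, the binary units LVM's -L and resize2fs use."""
    m = re.fullmatch(r"(\d+)([KMGT])", size.upper())
    if not m:
        raise ValueError(f"bad size {size}")
    return int(m.group(1)) * UNIT[m.group(2)]

def parse_df(text):
    """Map device -> {fstype, used bytes, mountpoint} from df output (header skipped)."""
    rows = {}
    for line in text.splitlines()[1:]:
        dev, fstype, used, mnt = line.split()
        rows[dev] = {"fstype": fstype, "used": int(used), "mnt": mnt}
    return rows

def plan_resize(dev, action, size, df_text=DF_SAMPLE):
    """Return the shell commands, in safe order, to grow or shrink LV `dev` and its
    filesystem; raise ValueError when the request would lose data."""
    fs = parse_df(df_text)[dev]
    if action == "grow":
        opt = "-l" if size.endswith("%FREE") else "-L"      # lvresize -l +100%FREE vs -L +900G
        grow_fs = f"xfs_growfs {fs['mnt']}" if fs["fstype"] == "xfs" else f"resize2fs {dev}"
        return [f"lvresize {opt} {size} {dev}", grow_fs]     # LV first, then the filesystem
    if action != "shrink":
        raise ValueError(f"unknown action {action}")
    if fs["fstype"] == "xfs":
        raise ValueError(f"{dev}: XFS cannot be shrunk; lvreduce would destroy it")
    if to_bytes(size) <= fs["used"]:
        raise ValueError(f"{dev}: {size} is below the {fs['used']} bytes in use")
    # shrink the filesystem first, then the LV, so the LV never cuts into live data
    return [f"umount {fs['mnt']}", f"e2fsck -f {dev}", f"resize2fs {dev} {size}",
            f"lvreduce -L {size} {dev}", f"mount {fs['mnt']}"]
```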




Resources:
https://serverfault.com/questions/806107/trying-to-increase-centos-root-partition-size-to-consume-full-ssd-capacity
https://www.rootusers.com/lvm-resize-how-to-decrease-an-lvm-partition/

Wednesday, December 26, 2018

Fortigate VXLAN with MPLS

I needed to test VXLAN with MPLS in between, so I did the following.



For MPLS I just used a simple BGP config with static redistribution, and the VXLAN config on the FortiGate VM is:

Fortinet (right side)
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.9.9.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set alias "WAN"
        set role wan
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set type physical
        set snmp-index 2
    next
    edit "VXLAN"
        set vdom "root"
        set l2forward enable
        set type tunnel
        set snmp-index 6
        set interface "port1"
    next
    edit "VXLAN-SW"
        set vdom "root"
        set type switch
        set snmp-index 7
    next
end

config router static
    edit 1
        set gateway 10.9.9.254
        set device "port1"
    next
end

config vpn ipsec phase1-interface
    edit "VXLAN"
        set interface "port1"
        set peertype any
        set proposal des-sha1
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 10.9.9.1
        set encap-remote-gw4 10.8.8.1
        set remote-gw 10.8.8.1
        set psksecret ENC 2dkyyFtjtIQBdTJ73VMqH6zAMkfcmiwWjvPL1dTK3EESBCYgHKa6g5mEmdhh8ii3Z7AaRxnjs4NSiC7IwJCtUCfEBybyffoTu/PQnIKxRBTVoselQI3U4HN/Aw8axaAvmQzz04vmuqU9ekbmVH7srAoNpaN2AoqDj7rOyvk+LktxfBKD1yZpNzJrY918Hccl7b86Zg==
    next
end

config vpn ipsec phase2-interface
    edit "VXLAN-PH2"
        set phase1name "VXLAN"
        set proposal des-sha1
    next
end

config system switch-interface
    edit "VXLAN-SW"
        set vdom "root"
        set member "port2" "port3" "VXLAN"
        set intra-switch-policy explicit
    next
end

config firewall policy
    edit 1
        set uuid f67278de-0991-51e9-ff02-6f463ab0772d
        set srcintf "port2"
        set dstintf "VXLAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set uuid 65857082-0992-51e9-e783-dec60d292f79
        set srcintf "VXLAN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

The other FortiGate config, on the left side, just changes the IP address of the peer.
Two very important things to note when configuring the FortiGate:

1. When configuring system switch-interface, make sure to "set vdom root"
2. When configuring system switch-interface, make sure to complete the configuration at once, since it won't accept adding additional config afterwards

Then simply ping between the VPCs and you can see ICMP is working.
Also, I can see the ARP information of the other side's VPC NIC.




Reference: https://travelingpacket.com/2017/09/28/fortigate-vxlan-encapsulation/

Monday, July 13, 2015

When a USB flash disk isn't ejected properly and your computer says "you need to format", the following article will help. I had a USB that came up as a RAW disk and kept asking me to format. I read through all of the article and it fixed my issue. If the USB HDD contains important information, proceed with caution and if possible make a backup. http://html5.litten.com/updated-how-to-fix-external-disk-drive-suddenly-became-raw

Thursday, November 20, 2014

Change .vmdk from Thick to Thin

1. Login to ESX/ESXi using SSH
2. cd into the datastore where the .vmdk is stored, such as cd /vmfs/volumes/prod.esxi2.datastore/
3. Check the vmkfstools help using vmkfstools (not required, but good to know :) )
4. Clone the .vmdk you want to convert using the '-d thin' option with a different name, like vmkfstools -i whatever.vmdk -d thin whatever1.vmdk
5. Then open the vSphere client, login to ESX/ESXi and browse to the datastore
6. Download the .vmx file and open it with a text editor
7. Search for whatever.vmdk and change it to whatever1.vmdk
8. Remove whatever.vmdk, and that's it

Tuesday, March 12, 2013

simple website health check script

Original post: http://serverfault.com/questions/176436/simple-web-server-monitoring-alive

wget --timeout=3 --tries=1 http://serverfault.com
if [ $? -ne 0 ]; then
    echo "Site Down" | mail -s "Site Down" admin@yourdomain.com
fi

To have the mail sent without content, just change the mail -s "Site Down" admin@yourdomain.com to mail -s "Site Down" admin@yourdomain.com