
Tuesday, April 26, 2016

Fortigate 80C Flash problem solution

While the FortiGate 80C is a pretty good UTM, some units arrived with faulty flash, which results in boot failures and lost configuration; you also could not use the log memory option, because it stresses the flash memory and leads to failure.

The solution is to use a USB disk drive instead of the built-in 8 GB flash.

First get a USB disk drive; I bought a SanDisk Cruzer Fit 16GB.

Then open the case and locate jumper J15 (or J3 on newer models):



Put a jumper on this connector to short it:



Now the appliance will use the external USB instead of the built-in flash.

1. Plug the USB disk drive into one of the USB ports on the appliance
2. Connect your PC to the console port with a serial cable
3. Connect a network cable from the PC to port internal 1
4. Configure your PC with IP address 192.168.1.168
5. Copy a firmware file (image.out) into your TFTP server folder
6. Launch a TFTP server (tftpd32 for example)
7. Boot the appliance and follow the instructions to recover an image:


FortiGate-80C (16:50-09.27.2011)
Ver:04000009
Serial number:FGT80C1483814587
RAM activation
Total RAM: 1024MB
Enabling cache...Done.
Scanning PCI bus...Done.
Allocating PCI resources...Done.
Enabling PCI resources...Done.
Zeroing IRQ settings...Done.
Verifying PIRQ tables...Done.
Disabling local APIC...Done.
Boot up, boot device capacity: 14907MB.
Press any key to display configuration menu...
..
[G]:  Get firmware image from TFTP server.
[F]:  Format boot device.
[B]:  Boot with backup firmware and set as default.
[I]:  Configuration and information.
[Q]:  Quit menu and continue to boot with default firmware.
[H]:  Display this list of options.

Enter Selection [G]:

Enter G,F,B,I,Q,or H:

Please connect TFTP server to Ethernet port "1".

Enter TFTP server address [192.168.1.168]:
Enter local address [192.168.1.188]:
Enter firmware image file name [image.out]:
MAC:02050E8ACA1A
##########################
Total 27567478 bytes data downloaded.
Verifying the integrity of the firmware image.

Total 40000kB unzipped.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?D
Programming the boot device now.
.......................................
Reading boot image 1437434 bytes.
Initializing firewall...
System is starting...
Resizing shared data partition...done
Starting system maintenance...
Scanning /dev/sda1... (100%) 
Formatting shared data partition ... done!
(Depending on your USB disk size this may take a little while...)

FGT80C1483814587 login:  admin
Password:
Welcome !

Sunday, February 14, 2016

Cisco bug for RPC/DCE traffic on ASR 1000 series

Device: Cisco ASR1001-X
Image: asr1001x-universalk9.03.17.00.S.156-1.S-std.SPA.bin

We found that there is a problem with RPC/DCE traffic traversing the ASR router; all domain controller sync traffic and Netlogon services are affected.
Downgrading to asr1001x-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin solved the problem.

Saturday, January 30, 2016

CCIE #51784



On 27 January 2016 the journey came to its end: after hundreds of learning and lab hours I finally got my CCIE number (CCIE R&S v5 #51784).

Now a new journey begins: the pursuit of CCIE Security.

Monday, December 7, 2015

Check Point MSVCR100.dll error



When installing Check Point SmartConsole on 64-bit systems you may encounter the following error:


This, as the error indicates, is related to MSVCR100.dll; the solution is to install the 32-bit Microsoft Visual C++ 2010 Redistributable Package instead of the 64-bit one.

You can download the package from the following URL:

Wednesday, December 2, 2015

Cisco AnyConnect LDAP configuration




Device: Cisco ASA 5506X-SFR
Software version: 9.5(1)
ASDM version: 7.5(1)
Client version: AnyConnect 3.1.12020-k9

First configure an LDAP server group under Remote Access VPN -> AAA/Local Users -> AAA Server Groups:


Then configure the LDAP server beneath it:


Next configure an address pool under Remote Access VPN -> Network (Client) Access -> Address Assignment -> Address Pools:


Now configure a group policy under Remote Access VPN -> Network (Client) Access -> Group Policies:


You can leave all parameters inherited; in that case all traffic will be tunneled through the ASA. To change this, go to Advanced -> Split Tunneling, uncheck Policy and choose Tunnel Network Below, uncheck Network List, click Manage, create a standard access-list containing the ASA internal networks, and select this ACL in the Network List:


Now go to Remote Access VPN -> AnyConnect Connection Profiles and click Add to configure a new connection profile: type in a name, choose AAA as the authentication method and select the LDAP server, then choose the client address pool and the default group policy we made:


Check SSL Enabled and IPsec Enabled for this profile and we are ready to connect.

Now let's add a DAP (Dynamic Access Policy) based on an LDAP attribute. Go to Remote Access VPN -> AAA/Local Users -> LDAP Attribute Map and click Add; in LDAP Attribute Name type memberOf (case sensitive) and under Cisco Attribute Name choose Group-Policy:


Click on Mapping of Attribute Value and click Add; under LDAP Attribute Value type the DN of the corresponding group (in my example a group called VPN-USERS):


The syntax is as follows: CN=VPN-USERS,OU=Groups,DC=lab,DC=local

In Cisco Attribute Value type in the name of the group policy we just made, in my example RA-ANYCONNECT-GroupPolicy.

With this attribute map we have linked the LDAP attributes received from the LDAP server to the Cisco parameters known by the ASA.

Now go to Remote Access VPN -> AAA/Local Users -> AAA Server Groups and click Edit on the server listed under Servers in the Selected Group for the LDAP group; under LDAP Attribute Map choose the map we've just created:


Now we can start configuring DAP based on user or group. Go to Remote Access VPN -> Network (Client) Access -> Dynamic Access Policies and click Add, type in the policy name, set the ACL priority (all policies are evaluated from high to low), choose whether the attribute must match ANY, ALL or NONE, and click Add to configure an LDAP attribute with ID memberOf and the value we want to match; here it is the group name VPN-USERS, but we could also use the username, for example:


Then we can configure different settings for that particular user/group; here I chose Network ACL Filters (client) and set an ACL for the group:


Because DfltAccessPolicy is the last DAP evaluated, configure it with a deny any ACL; remote users must then match one of the prior policies or they will be denied.
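For reference, here is the ASA CLI equivalent of the ASDM steps above, written as an added example for this post (it is not configuration from the original post or from Cisco). The group policy name RA-ANYCONNECT-GroupPolicy, the group DN CN=VPN-USERS,OU=Groups,DC=lab,DC=local and the base DN come from the post; the server group name LDAP-SRV, attribute map name LDAP-MAP, tunnel-group name RA-ANYCONNECT, the LDAP server address 192.0.2.10, the bind account, the interface names, the address pool, the internal prefix 10.0.0.0/16 and the AnyConnect package file name are assumptions. The DAP selection criteria (the memberOf match) can only be edited in ASDM, since they live in dap.xml, so only the ACL side of each DAP record is shown.

```cisco
! Added example, not from the original post. Names marked ASSUMED are placeholders.
!
! --- LDAP attribute map (must exist before the server references it) ---
ldap attribute-map LDAP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-USERS,OU=Groups,DC=lab,DC=local" RA-ANYCONNECT-GroupPolicy
!
! --- LDAP server group and server (ASSUMED: group LDAP-SRV, interface inside,
!     server 192.0.2.10, bind account svc-asa; use a read-only bind account) ---
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 192.0.2.10
 ldap-base-dn DC=lab,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=ServiceAccounts,DC=lab,DC=local
 ldap-login-password BIND-PASSWORD-PLACEHOLDER
 server-type microsoft
 ldap-attribute-map LDAP-MAP
!
! --- Client address pool (ASSUMED range) ---
ip local pool RA-POOL 10.10.10.10-10.10.10.100 mask 255.255.255.0
!
! --- Standard ACL listing the internal networks for split tunneling (ASSUMED prefix) ---
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.0.0
!
! --- Group policy from the post, SSL and IPsec (IKEv2) enabled ---
group-policy RA-ANYCONNECT-GroupPolicy internal
group-policy RA-ANYCONNECT-GroupPolicy attributes
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! --- Connection profile (ASSUMED name RA-ANYCONNECT) ---
tunnel-group RA-ANYCONNECT type remote-access
tunnel-group RA-ANYCONNECT general-attributes
 address-pool RA-POOL
 authentication-server-group LDAP-SRV
 default-group-policy RA-ANYCONNECT-GroupPolicy
tunnel-group RA-ANYCONNECT webvpn-attributes
 group-alias RA-ANYCONNECT enable
!
! --- AnyConnect on the outside interface (package file name ASSUMED) ---
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.12020-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! --- DAP records: the ACL applied to matched users, and a deny-all default ---
access-list DAP-VPN-USERS extended permit ip any 10.0.0.0 255.255.0.0
access-list DAP-DENY-ALL extended deny ip any any
dynamic-access-policy-record DAP-VPN-USERS
 priority 10
 network-acl DAP-VPN-USERS
dynamic-access-policy-record DfltAccessPolicy
 network-acl DAP-DENY-ALL
```

To confirm the mapping before handing this to users, run test aaa-server authentication LDAP-SRV host 192.0.2.10 username <user> password <pw> and, with debug ldap 255 enabled, check that the memberOf value is translated to RA-ANYCONNECT-GroupPolicy; a user who is not in VPN-USERS should fall through to DfltAccessPolicy and be blocked by DAP-DENY-ALL.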