Category Archives: Network

Networking topics, primarily about Cisco.

Automated Fortigate Config Backup on Config-Change

With FortiManager it is possible to automatically save a copy of the configuration on every config change. However, if you do not want to buy or operate a dedicated manager but still want the advantage of having a copy on every config change, the same can be accomplished with the FortiGate's built-in “automation stitches”.

The following config shows how this can be achieved:

FORTIGATE-SHELL # show system automation-stitch Automated_Config_Backup
config system automation-stitch
    edit "Automated_Config_Backup"
        set description "Creates Backup of the Config on a detected change"
        set trigger "Config_change_detected"
        config actions
            edit 1
                set action "Execute_Config_Backup"
                set required enable
            next
        end
    next
end

FORTIGATE-SHELL # show system automation-trigger Config_change_detected
config system automation-trigger
    edit "Config_change_detected"
        set event-type event-log
        set logid 44546 44547
    next
end

FORTIGATE-SHELL # show system automation-action Execute_Config_Backup
config system automation-action
    edit "Execute_Config_Backup"
        set description "Creates a Backup of the current Config"
        set action-type cli-script
        set script "execute backup config sftp /path/on/sftp-server/backup_%%log.eventtime%%.conf <SFTP-SERVER> <USERNAME> <PASSWORD>"
        set accprofile "super_admin"
    next
end

This stitch runs the backup action every time an attribute or object attribute is configured (event log IDs 44546 and 44547) and pushes the new config to the SFTP server.

On the server the file is named “backup_<eventtime>.conf”, where <eventtime> is the event time of the triggering log entry in nanoseconds (note the .conf suffix set in the script, not .config).

Two things to keep in mind: the SFTP password is stored in clear text in the action's script and shows up in every config dump, including the backups themselves, so use a dedicated account that can do nothing but write into the backup directory; and the action runs with the super_admin profile, which is what it needs to read the complete configuration.
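As an added example (not part of the original post and not FortiGate code), a small Python script a practitioner could run on the SFTP server to make use of the backups: it orders the files by the nanosecond eventtime in their names, converts that timestamp to a readable UTC date, and produces a unified diff between consecutive backups so every config change can be reviewed. The file names and config contents are constructed for the example; the header comment lines FortiOS writes at the top of a backup (#config-version=, #conf_file_ver=, ...) are ignored in the diff because they differ on every save. It assumes the backups are plain, unencrypted dumps written with the naming scheme shown above.

```python
import difflib
import re
from datetime import datetime, timezone

# Name produced by the automation action above: backup_<log.eventtime>.conf,
# where eventtime is Unix time in nanoseconds (19 digits for current dates).
BACKUP_NAME = re.compile(r"^backup_(\d{16,20})\.conf$")


def eventtime_to_datetime(ns):
    """Convert a FortiOS log.eventtime value (nanoseconds) to an aware UTC datetime."""
    return datetime.fromtimestamp(int(ns) // 1_000_000_000, tz=timezone.utc)


def sort_backups(names):
    """Return (timestamp, filename) pairs in chronological order; other files are ignored."""
    found = []
    for name in names:
        m = BACKUP_NAME.match(name)
        if m:
            found.append((eventtime_to_datetime(m.group(1)), name))
    return sorted(found)


def config_diff(old, new, old_name="old", new_name="new"):
    """Unified diff of two config dumps. Lines starting with '#' are the FortiOS
    header (#config-version=, #conf_file_ver=, ...) and change on every save,
    so they are dropped before comparing."""
    def body(text):
        return [line for line in text.splitlines(keepends=True) if not line.startswith("#")]
    return "".join(difflib.unified_diff(body(old), body(new), old_name, new_name))


def review_backups(files):
    """files: {filename: config text}. Returns one (old_name, new_name, diff) tuple per
    consecutive pair; an empty diff means the change did not alter the effective config."""
    ordered = sort_backups(files)
    return [
        (old, new, config_diff(files[old], files[new], old, new))
        for (_, old), (_, new) in zip(ordered, ordered[1:])
    ]


# Constructed sample backups (not real FortiGate output): the second one adds
# traffic logging to an existing policy.
SAMPLE_BACKUPS = {
    "backup_1700000000000000000.conf": (
        "#config-version=FGT-7.0:opmode=0:vdom=0:user=admin\n"
        "#conf_file_ver=100\n"
        "config firewall policy\n"
        "    edit 1\n"
        "        set name \"lan-to-wan\"\n"
        "        set action accept\n"
        "    next\n"
        "end\n"
    ),
    "backup_1700000100000000000.conf": (
        "#config-version=FGT-7.0:opmode=0:vdom=0:user=admin\n"
        "#conf_file_ver=101\n"
        "config firewall policy\n"
        "    edit 1\n"
        "        set name \"lan-to-wan\"\n"
        "        set action accept\n"
        "        set logtraffic all\n"
        "    next\n"
        "end\n"
    ),
}

if __name__ == "__main__":
    for old, new, diff in review_backups(SAMPLE_BACKUPS):
        print(f"{old} -> {new}")
        print(diff or "(no effective change)\n")
```

Run it against a directory listing instead of SAMPLE_BACKUPS (read each file into the dict) and pipe the output into a ticket or mail; an empty diff for a pair tells you a change event fired without altering the effective configuration.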

Cisco – perimeter security – EEM disable port

Sometimes it is necessary to connect a device at the edge of your security perimeter to your network. Doing so without any protection can be done, but might not be wise.

So how do you secure your PoE surveillance camera which covers the front of your office, or your IP-based intercom, both of which are physically reachable by the public?

802.1X would be a good solution. However, for that you need a CA/PKI plus machine certificates for the devices, and those would have to be rotated on a regular basis, which might not be possible and can be quite some effort.

Furthermore, not all devices support 802.1X. So how can we secure these devices?

Before we start, let's analyse the threat:

Devices such as a PoE surveillance camera, an IP intercom or similar are located outside of the “protected” perimeter, where anybody may have easy physical access to the device. An attacker could simply unplug the network cable, add a switch in between and get access to the network.
MAC-based ACLs could be used to ensure that only allowlisted devices (devices with the correct MAC address) are granted access.
However, running tcpdump, reading the allowed device's MAC address and “cloning” it via macchanger --mac=XX:XX:XX:XX:XX:XX is not really hard.
So that does not really work. Yes, the network should be segmented anyway to reduce the impact of such an incident. But still, there might be some interesting piece of hardware/software in that network which an attacker could exploit to gain a foothold, or at least use to gather additional information about other devices in use.

So the best approach is to not even let the attacker in.

With Cisco we can do so by utilizing the EEM (Embedded Event Manager).
It allows us to react to events registered by the switch.

So what we want to achieve is:

  • Given an (I)oT device on the edge of your network perimeter
  • when the device is unplugged
  • then disable the port the device is attached to

Unplugging the network cable generates a port-down syslog message on the switch, which can be used to trigger a command or command set.

If we want to “secure” a device located on port 20, the following configuration can be used to shut down (disable) the port as soon as a disconnect is detected:

event manager applet Interface_Down_PoE-CAM
 event syslog pattern "Line protocol on Interface GigabitEthernet1/0/20, changed state to down"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet1/0/20"
 action 2.5 cli command "shutdown"
 action 3.0 cli command "end"
 action 3.5 cli command "who"

The above example immediately shuts the port down once the line protocol goes down, i.e. once the device is unplugged from the network.

However, keep in mind that a restart of the device (especially for devices with an external power supply) may also cause a port-down event while rebooting, which will result in a disabled port.
Maintenance can also cause a port-down event if somebody shuts down or unplugs the device during the maintenance tasks.

So when using this method to secure the perimeter, it is very important to also have monitoring in place that notifies about disabled ports; otherwise a rebooted camera simply stays offline until somebody notices.

If ports should be enabled again automatically (e.g. when office hours start), EEM + kron can be used.
A kron policy list only accepts EXEC-level commands, not configuration commands, so I used the workaround of generating another syslog message via kron, which in turn triggers an EEM applet that does the “reset” (no shutdown) of the perimeter ports. (An EEM applet can also be scheduled directly with event timer cron, which avoids the detour through kron.)

! define the kron occurrence - when our job should run
kron occurrence Daily_8AM at 8:00 recurring
 ! list the policies which shall be executed
 policy-list Policy_A
 policy-list Policy_B
!
kron policy-list Policy_A
 ! send the following message to syslog:
 cli send log 0 "set_port_Gi1/0/35_UP"
!
kron policy-list Policy_B
 ! send the following message to syslog:
 cli send log 0 "set_port_Gi1/0/20_UP"
!
! DISABLE the port when a defined syslog message is detected
event manager applet EEM_01
 event syslog pattern "Line protocol on Interface GigabitEthernet1/0/20, changed state to down"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet1/0/20"
 action 2.5 cli command "shutdown"
 action 3.0 cli command "end"
 action 3.5 cli command "who"
!
! DISABLE the port when a defined syslog message is detected
event manager applet EEM_02
 event syslog pattern "Line protocol on Interface GigabitEthernet1/0/35, changed state to down"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet1/0/35"
 action 2.5 cli command "shutdown"
 action 3.0 cli command "end"
 action 3.5 cli command "who"
!
! enable the port when a defined syslog message is detected
event manager applet EEM_03
 event syslog pattern "set_port_Gi1/0/35_UP"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet1/0/35"
 action 2.5 cli command "no shutdown"
 action 3.0 cli command "end"
 action 3.5 cli command "who"
!
! enable the port when a defined syslog message is detected
event manager applet EEM_04
 event syslog pattern "set_port_Gi1/0/20_UP"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet1/0/20"
 action 2.5 cli command "no shutdown"
 action 3.0 cli command "end"
 action 3.5 cli command "who"
!
end
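As an added example (not from the original post), a Python script that does the monitoring the section above calls for, run over a constructed sample of syslog messages as a collector would receive them from the switch (hostname, sequence numbers and times are invented). It reuses the exact substring the applets key on to show which messages would fire EEM_01/EEM_02, reports every perimeter port the applets have shut down (the "administratively down" message that follows the applet's shutdown), and replays the log to show which ports are still disabled, i.e. waiting for the 8:00 kron job or for a manual no shutdown. The set of perimeter ports is taken from the configuration above; the message formats are the standard IOS %LINEPROTO-5-UPDOWN, %LINK-5-CHANGED and %LINK-3-UPDOWN messages.

```python
import re

# Ports protected by the EEM applets in the configuration above.
PERIMETER_PORTS = {"GigabitEthernet1/0/20", "GigabitEthernet1/0/35"}

# Same substring the applets match on, plus the messages IOS logs when an
# interface is shut down ("administratively down") and when it comes back up.
EEM_TRIGGER = re.compile(r"Line protocol on Interface (\S+), changed state to down$")
ADMIN_DOWN = re.compile(r"%LINK-5-CHANGED: Interface (\S+), changed state to administratively down$")
LINK_UP = re.compile(r"%LINK-3-UPDOWN: Interface (\S+), changed state to up$")
TIMESTAMP = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)")

# Constructed sample (not captured from a real switch): the camera on Gi1/0/20
# reboots at 07:41 and is re-enabled by the 08:00 kron job; the intercom on
# Gi1/0/35 is unplugged at 13:12 and stays disabled; Gi1/0/7 is not a
# perimeter port and must not raise an alert.
SAMPLE_SYSLOG = """\
Mar  3 07:41:02 sw-edge-01 1234: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/20, changed state to down
Mar  3 07:41:03 sw-edge-01 1235: %LINK-5-CHANGED: Interface GigabitEthernet1/0/20, changed state to administratively down
Mar  3 08:00:01 sw-edge-01 1240: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/20, changed state to up
Mar  3 08:00:02 sw-edge-01 1241: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/20, changed state to up
Mar  3 13:12:44 sw-edge-01 1302: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to down
Mar  3 13:12:45 sw-edge-01 1303: %LINK-5-CHANGED: Interface GigabitEthernet1/0/35, changed state to administratively down
Mar  3 13:20:10 sw-edge-01 1310: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/7, changed state to down
"""


def _stamp(line):
    """Syslog receive timestamp at the start of the line, or '?' if absent."""
    m = TIMESTAMP.match(line)
    return m.group(1) if m else "?"


def eem_triggers(lines):
    """Interfaces whose 'line protocol down' message would fire one of the applets."""
    hits = []
    for line in lines:
        m = EEM_TRIGGER.search(line)
        if m and m.group(1) in PERIMETER_PORTS:
            hits.append(m.group(1))
    return hits


def disabled_perimeter_ports(lines):
    """(timestamp, interface) for every perimeter port that was shut down. This is
    what to alert on: a camera reboot or a maintenance unplug produces exactly
    the same event as an attacker swapping the cable, so somebody has to look."""
    alerts = []
    for line in lines:
        m = ADMIN_DOWN.search(line)
        if m and m.group(1) in PERIMETER_PORTS:
            alerts.append((_stamp(line), m.group(1)))
    return alerts


def final_state(lines):
    """Last known state of each perimeter port after replaying the log; ports still
    'administratively down' are waiting for the kron job or a manual 'no shutdown'."""
    state = {port: "unknown" for port in PERIMETER_PORTS}
    for line in lines:
        m = ADMIN_DOWN.search(line)
        if m and m.group(1) in state:
            state[m.group(1)] = "administratively down"
            continue
        m = LINK_UP.search(line)
        if m and m.group(1) in state:
            state[m.group(1)] = "up"
    return state


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for stamp, port in disabled_perimeter_ports(lines):
        print(f"ALERT {stamp}: {port} was disabled by EEM")
    for port, st in sorted(final_state(lines).items()):
        print(f"{port}: {st}")
```

Feed it the switch's messages from your syslog collector (one line per message) and raise a ticket for every alert; run final_state() a few minutes after 08:00 to catch ports the kron job did not bring back.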


Kiwix – Make Wikipedia and other websites available offline

In some cases it might be handy to have a website available offline, for situations where no internet connection is available.

With Kiwix and the ZIM package format it is quite easy to do so. It can easily be run on a Raspberry Pi and made accessible on the local network.

To automate updates of ZIM packages I wrote some little scripts which are available in the following GitHub repo: https://github.com/fawcs-at/zim-downloader

Information on how to use the scripts can be found in the readme in the Git repo.

To automate the process of updating ZIM packages once a month, “updateZim.sh” should be added as a cronjob to your crontab:

e.g.:

#cat /etc/crontab
45 2    1 * *  <username> /<path_to_script>/updateZim.sh

This starts an update on the 1st day of every month at 02:45 (quarter to 3 in the morning). The sixth field (<username>) is the account the job runs as; it only exists in /etc/crontab, a per-user crontab (crontab -e) has no such field.

MikroTik packet loss (70-80% on Linux hosts)

Today I experienced an interesting story with my MikroTik router at home. While updating the Pi-hole instance the system had quite some problems obtaining system updates as well as the Pi-hole update packages. A ping to 9.9.9.9 showed that the Raspberry Pi, on which the Pi-hole is hosted, had somewhere between 70-80% packet loss. Pinging the same IP from a Windows machine resulted in 0% packet loss.

All this happened only on wired connections and did not cause any problems when connected via Wi-Fi.

As the Raspberry Pi is directly attached to the MikroTik router I also tried connecting it through a switch, as that is the setup of the Windows machine. Same behaviour.
Running pings from 3 Linux systems in the network and two Windows systems (even swapping network connections so that each was either directly connected to the MikroTik or connected through the switch) came up with an interesting result:
All Windows machines had hardly any packet loss in 10 minutes (<3%) and all the Linux systems had somewhere between 70% and 80% packet loss (tested with ping).
Any ping that had to be routed by the MikroTik seemed to result in packet loss on the Linux machines: pinging any other machine on the same subnet worked without problems, but as soon as there was one hop in between, the problem occurred.

Interestingly the problem vanished as soon as the Torch tool was activated, and no more packet loss occurred on any of the systems.

After some additional troubleshooting (and disabling nearly all MikroTik configuration: firewall rules, interfaces) the problem turned out to be the bridge interface in use. It seems that the deactivated IP firewall for the bridge interface (use-ip-firewall=no) caused the problem. After enabling it the behaviour vanished and none of the systems had any packet loss anymore.

[admin@MikroTik] > /interface bridge settings
[admin@MikroTik] /interface bridge settings> set use-ip-firewall=yes
[admin@MikroTik] /interface bridge settings> print

Keep in mind what this setting does: with use-ip-firewall=yes, traffic that is merely bridged between bridge ports is also pushed through the prerouting, forward and postrouting chains of /ip firewall. Your filter rules therefore have to allow that bridged traffic explicitly, and every bridged packet now costs CPU in the firewall.

Create your own 4to6 tunnel / Access an IPv6 service from an IPv4 address

With my recent ISP change for my internet at home there were quite a lot of changes. One of them is that UPC, my current provider, uses Dual-Stack Lite (DS-Lite).
It is the first ISP that really provides me with IPv6, which is pretty cool, and I finally had the chance (was forced) to dig deeper into IPv6.

In general everything works quite well, but as it is DS-Lite my router does not offer any port forwarding to hosts inside my local network, at least not for IPv4 connections: with DS-Lite the public IPv4 address is shared with other customers behind the provider's carrier-grade NAT. So I have no way to reach one of my devices via my public IPv4 address, which becomes a problem when I want to connect to my home network via VPN from an IPv4-only network.

I could not find a suitable 4to6 tunnel broker that lets me reach my IPv6 devices through an IPv4 address, but luckily I have a VPS that runs on real dual stack and therefore has both an IPv4 and an IPv6 address.

So to reach my IPv6 VPN server in my private network from an IPv4-only network I created an SSH tunnel from my VPN server (which runs on a Raspberry Pi) to my VPS and forwarded the OpenVPN port through it as a remote forward (ssh -R).

To do that the VPS' sshd configuration needs to be adapted so that forwarded ports are bound to its public IP address(es) instead of loopback only. For that the following setting needs to be added to / changed in sshd_config:

GatewayPorts yes

Note that GatewayPorts yes applies to every remote forward of every user on the VPS. GatewayPorts clientspecified is the stricter choice: a forward is only exposed publicly if the client asks for it explicitly (-R 0.0.0.0:1194:localhost:1194). Also, SSH only forwards TCP, so the OpenVPN instance behind the tunnel has to listen on TCP (proto tcp-server) rather than the default UDP.

After that I created the following script on my VPN Raspberry Pi:

#!/bin/bash
# Re-establishes the reverse tunnel VPS:1194 -> Raspberry:1194 if it is not running.
# Replace <username>, <servername> and <port> with the VPS account, host and sshd port.
remoteForward="1194:localhost:1194"
# ExitOnForwardFailure: quit instead of lingering if the VPS port is still bound,
# so the next cron run retries. ServerAliveInterval: notice a dead link and exit.
sshArgs=(-nNT -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -R "$remoteForward" -p "<port>" "<username>@<servername>")

# Look for an ssh process carrying exactly this forward (pgrep excludes itself).
if pgrep -f -- "ssh .*-R $remoteForward " > /dev/null; then
    echo "Found active connection"
else
    echo "No active connection found"
    ssh "${sshArgs[@]}" &
fi

The script is executed every half hour as a cronjob. So if the connection gets disconnected for whatever reason it will automatically reconnect to the VPS and forward the port again.

VMware Workstation Player – No Bridge Adapter available

Lately Microsoft convinced me to upgrade my Windows 7 at home to Windows 10. When I upgraded Windows I checked all the installed tools for upgrades and also upgraded my old VMware Player 6 to the new VMware Workstation Player 12.
Today I was playing with MDT at home and wanted to set up a test VM to check that everything is working, but I was not able to get the bridged interface working.
I was able to select it, but I did not get an IP address from my DHCP server, so I thought I would disable all adapters except the LOM which is connected to my router, but there were no adapters listed at all.

After a little bit of investigating I found out that my LOM did not have the VMware Bridge Protocol installed; it was missing from the adapter's properties.

After installing it I was able to set up the bridged adapter for the VM.

Cisco Deployment Guide

Today I received a useful link regarding Cisco L2 access switch deployments, with some interesting settings I was not aware of until now.
The document is available via the following link:

http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Oct2015/CVD-Campus_LAN_L2_Access_Simplified_Dist_Deployment-Oct2015.pdf