
I'm about to deploy a couple dozen fortiAP's to a site. I'd like to be alerted if one of these things ever physically goes down. I have a couple of servers with monitoring software that I could add them to if they had static IP's. But I'm looking to avoid assigning statics. What does everyone else do?

3
8 comments

Hey /u/hamlen4,

I think you have a couple options:

  1. You can leave the APs configured for DHCP but assign DHCP reservations on the FGT. That way, if the APs ever rebooted, they could be guaranteed to get the same IP you reserved from the FGT.

  2. Not sure if you have a FortiAnalyzer or a syslog server, but you could look for the "ap-leave" (or "ap-fail") action from those logs. I have not been able to confirm this but I'm pretty sure that log will tell you if the AP is no longer communicating with the FortiGate.

Edit: Confirmed the logs.

Original Poster1 point · 3 months ago

I do have a FortiAnalyzer and I'm probably vastly under-utilizing it! I will investigate, thank you for the quick response!

No problem. Look into creating an event monitor. What you are looking to do should be pretty straightforward to accomplish.

Ping back if you have questions.

Original Poster1 point · 2 months ago

I was finally able to set some time aside today to work on this. Works great, thanks again!
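Added example (not from the thread or from Fortinet): the second suggestion above, detecting an AP that has dropped off the FortiGate from the wireless event log rather than from an IP ping. The log lines below are constructed in FortiGate-style key=value form; only the action values ap-join, ap-leave and ap-fail come from the thread, and every other field name, the AP names and the serial numbers are assumptions or placeholders.

```python
import re

# Constructed sample log lines (key=value form), not real device output.
# The action values follow the thread; other field names are assumptions.
SAMPLE_LOGS = """\
date=2018-06-01 time=08:00:01 type=event subtype=wireless action=ap-join ap="fap-01" sn="FAP-SN-PLACEHOLDER-1"
date=2018-06-01 time=08:00:02 type=event subtype=wireless action=ap-join ap="fap-02" sn="FAP-SN-PLACEHOLDER-2"
date=2018-06-01 time=09:15:43 type=event subtype=wireless action=ap-leave ap="fap-02" sn="FAP-SN-PLACEHOLDER-2"
date=2018-06-01 time=09:16:10 type=event subtype=wireless action=ap-fail ap="fap-03" sn="FAP-SN-PLACEHOLDER-3"
date=2018-06-01 time=09:20:00 type=event subtype=wireless action=ap-join ap="fap-02" sn="FAP-SN-PLACEHOLDER-2"
date=2018-06-01 time=09:21:00 type=event subtype=system action=login user="admin"
"""

# key=value pairs; values may be quoted (keeping spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DOWN_ACTIONS = {"ap-leave", "ap-fail"}


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def ap_status(log_text):
    """Replay wireless events in order; return {ap: (state, timestamp, last_action)}.

    A later ap-join clears an earlier ap-leave, so the result reflects the
    most recent known state of each AP, not every transient event.
    """
    state = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "wireless" or "ap" not in rec:
            continue
        action = rec.get("action")
        stamp = f'{rec.get("date")} {rec.get("time")}'
        if action in DOWN_ACTIONS:
            state[rec["ap"]] = ("down", stamp, action)
        elif action == "ap-join":
            state[rec["ap"]] = ("up", stamp, action)
    return state


def aps_down(log_text):
    """Sorted names of APs whose most recent event was a leave or fail."""
    return sorted(ap for ap, rec in ap_status(log_text).items() if rec[0] == "down")


def down_events(log_text):
    """Every leave/fail event in order, for an alert pipeline that fires per event."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") in DOWN_ACTIONS:
            events.append((rec["ap"], rec["action"]))
    return events


if __name__ == "__main__":
    for ap, (state, stamp, action) in sorted(ap_status(SAMPLE_LOGS).items()):
        print(f"{ap}: {state} since {stamp} ({action})")
```

Run against the sample, fap-02 is reported up again because its ap-join follows its ap-leave, while fap-03 stays down; a monitor that alerts on the per-event list instead of the final state would page for both. This is the same tradeoff as the event monitor on the FortiAnalyzer: per-event alerts catch every flap, state-based alerts only the APs still missing.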


2

This is my company's first venture into the world of Cisco VoIP. In fact, it's our first time using a cloud system. We have a small site using a new Cisco BE4000.

In order to manage this system we need to log into the Cisco Business Edition Selfcare Portal at (https://myphone.cisco.com/). I had the tech set me up with an admin login that is tied to my email address. It uses two factor authentication which required me to download the google authenticator app to my cell.

All good. Until I asked to have another one of my admins set up with an account. I'm told this can't be done, there can only be one admin per system. The fact that it's two factor authentication really leaves me in a bind as I can't simply share (not that I necessarily want to) my password with my other admin.

This seems absurd to me. Anyone else doing something similar?

UPDATE (7/12/18): Cisco finally got their act together and they are now allowing multiple admins.

2
2 comments

Maybe check with TAC?

Original Poster1 point · 2 months ago

Currently waiting for this system to be added to our Cisco account so I can do just that. I cross posted this in the VoIP subreddit and looks like I've received a good workaround: "You can use "authy" which is on both iOS & Android. Authy is a secure 2fa that has all the capabilities and more to google auth. You can have the same Authy account on multiple devices all in sync." Initial tests look promising.

5

This is my company's first venture into the world of Cisco VoIP. In fact, it's our first time using a cloud system. We have a small site using a new Cisco BE4000.

In order to manage this system we need to log into the Cisco Business Edition Selfcare Portal at (https://myphone.cisco.com/). I had the tech set me up with an admin login that is tied to my email address. It uses two factor authentication which required me to download the google authenticator app to my cell.

All good. Until I asked to have another one of my admins set up with an account. I'm told this can't be done, there can only be one admin per system. The fact that it's two factor authentication really leaves me in a bind as I can't simply share (not that I necessarily want to) my password with my other admin.

This seems absurd to me. Anyone else doing something similar?

UPDATE (7/12/18) Cisco finally got their act together and is now allowing multiple admins.

5
12 comments

You can use "authy" which is on both iOS & Android. Authy is a secure 2fa that has all the capabilities and more to google auth. You can have the same Authy account on multiple devices all in sync.

Original Poster2 points · 2 months ago

Authy for the win! I just set this up on two of my own devices and it worked great! I don't see any reason why it won't work on my coworker's device as well. THANK YOU!

2 points · 2 months ago

Thanks for the info, that all makes sense. Looks like one of the limitations of the BE4K platform. I don't have any suggestions for how to get around it, based on the link below, Cisco acknowledges only one portal admin per site.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/be/be4000/customeradmin/guide/be4k_b_customeradmin-portal-guide/getting-started.html

Original Poster2 points · 2 months ago

Thanks! I may have come up with a workaround. I mentioned that this requires two factor authentication. I’m pulling this off with google authenticator on my phone. This is also new to me. Looks like there is a PC version. If I put this on a shared office PC then we would both be able to generate a code whenever needed.

Both of us will be in and out of this be4k quite often over the next couple of weeks as we get familiar with it. Sharing the code that can only be generated on my phone will get old fast.

This is all theory, need to test it out.


3

I'm trying to help my grandmother track down her 93 year old sister's birth certificate. Her sister isn't all that with it, but thinks she was born in NH. This is odd since they never lived in NH. I did a little digging on ancestry.com and according to an old census it does appear she was born in NH. I'm having trouble tracking down exactly where.

Any advice on tracking down the birth certificate based on what little info I have? Thanks in advance!

3
3 comments

93 years old means she was born around 1925. So she should appear on the 1930 and 1940 census. If you look at the census image you can see the county and district that they lived in. Sometimes you can see the street or city, or if it is rural, the nearest post office. At least you will be able to get the county that they were living in for the 1930 census. It is possible that they moved after her birth but it is also quite possible that they did not. If you can find the family in the 1920 census and determine that they are in the same place then most likely she was born wherever the 1930 census has them living. Then you need to google for the county and do the work to obtain a birth certificate from that county.

Original Poster1 point · 3 months ago

Thanks for the response. So here's the problem..... they always lived in MA. Never NH. It sounds like they were on a road trip to NH and she was born then. This is all new to my grandmother so she was taking it with a grain of salt. However, the 1930 census for the MA county in which they lived confirms that she was born in NH. It strictly says "New Hampshire" under the place of birth column. But that's about all the info I have.

2

Exchange 2007. Version 08.03.0417.001. Windows 2008 R2.

We use a fortimail as our gateway to the outside world. Recently on the fortimail we enabled disclaimers for incoming external mail warning users that the message came from the outside world. For the most part this went well. But we are having an issue with a small percentage of incoming emails. With these messages the disclaimer shows up appropriately, however the body of the message shows up as an attachment (AT00001.txt) when you view the message in outlook. Viewing it on your iphone looks fine.

Thoughts? Thanks in advance.

2
7 comments

Upgrading to what?

Original Poster1 point · 3 months ago

A new exchange 2013 server.

Why 2013? Curious...

Original Poster1 point · 3 months ago

I believe it was something to do with money. To be honest, I don't handle the exchange side of the house. I'm in charge of maintaining the Fortimail. I'm still pushing Fortinet for answers, but I thought I'd throw the question out here as well.

I know......by the time we are on Exchange 2013 it won't be long before it is end of life as well!


That takes about a minute. If you want to sell again, it won’t take much effort.


Same boat. I agree that it wouldn't take much effort to create a new email address in order to start selling again, but it's still a ridiculous request. I've had the same primary email address for 15 years. I use it for everything. My account was closed due to inactivity. Just re-enable it!!

1

Fortigate 1000C. 5.6.3. We utilize rsa ondemand tokens for our forticlient ssl vpn. Enter your username along with your pin and then you are emailed a token. It appears you only have 60 seconds to enter your token. Wait longer than that and you'll end up with the error "Unable to logon to the server. Your user name or password may not be configured properly for thsi connection. (-12)".

I'm looking to double this timer. On the RSA side the token is good for 60 minutes so I think it's a timer on the fortigate.

I've been going back and forth with support for a couple of days with no luck so far. They suggested I increase one of the timers below. I've done so with no change in behavior:

fortigate (global) # get system global | grep two-
    two-factor-email-expiry: 60
    two-factor-fac-expiry: 60
    two-factor-ftk-expiry: 60
    two-factor-ftm-expiry: 72
    two-factor-sms-expiry: 60
1
3 comments
Original Poster1 point · 4 months ago

After much trial and error by support, I finally got the right command:

#config vpn ssl settings 
#set login-timeout 180 
#end

The default is 30. Max is 180.

Pretty sure those timers are irrelevant if you're using your own 2FA system.
What about increasing remoteauthtimeout in config sys global?

Original Poster1 point · 4 months ago

I will investigate and let you know. Thanks!

4

I have a situation where I'm putting a couple of ipads onto another company's network. This company is using WPA2 Enterprise and has provided me with a username and password. I want to create a wifi configuration policy in mobileiron so that these ipads automatically join this network with the given credentials.

I have been successful in the past with WPA2 personal configurations, but I've never attempted an enterprise. I'm not sure how to format the username. The info button next to the username text box states "Include at least one of the following variables: $USERID$, $EMAIL$ and so on." If I don't include these variables it won't let me save. Do I go with $USERID$:actualusername ?

The password field is a little different. There's a dropdown where I select $PASSWORD$ and then there's another text box to the right where I assume I put the actual password.

I'm trying to pull this off remotely, I don't want to go on site if I don't have to. Otherwise I'd put a little trial and error into it.

Thanks in advance!

4
6 comments
5 points · 4 months ago · edited 4 months ago

So you have a static username that is not variable that you want all iPads with this configuration to use? I have not done this with a WiFi config, but I HAVE done it with other account types in MobileIron. If it lets you, try using $NULL$ in conjunction with the static username/password.

So it would be...

Username: actualusername$NULL$ Password: actualpassword$NULL$

Edit: Sorry didn't see your note on the password part.

Try something like this: https://imgur.com/nBvM5hV

Original Poster2 points · 4 months ago

Yes, static username and password. I was not anticipating any of these variable requirements. I was expecting a blank text field for both in which I could type whatever I wanted.

I never would have thought to try what you suggested. I will give it a shot as soon as they are done setting up the wifi on their end. Thanks for the quick response!

3 points · 4 months ago

See my edit, I added a screen shot that might help if you didn't see it already.

Original Poster2 points · 4 months ago

I finally got a chance to try this today, worked like a champ. Thanks again!


1

Fortigate 1000C. 5.6.3.

I've noticed recently that every time I go to my IPv4 policies they all open up expanded. I have a port3->port4 section, port4->port3 section, etc etc. I often collapse the ones I don't care about, but as soon as I leave and come back they are all expanded again. This results in a lot of scrolling and clicking to get what I want to review, which is always towards the bottom!

I'm not sure when this started. I did upgrade to 5.6.3 a couple of months ago, it could have been then. Or I toggled something by accident and just don't remember. I've been configuring this device for years and I don't think it's always been an issue.

Anyone know of a fix?

1
10 comments

You can collapse all by right clicking any of the section tabs. I found this out by accident. I agree that it is annoying having all the sections open.

Original Poster1 point · 5 months ago

Genius! Never tried that before, thank you!

I am running 5.6.3 on one set of Fortigates and 5.4 on another set. I spoke with Tac about this while reviewing a different problem and was told it would be fixed in 5.4.8 (which it was). I asked about the 5.6 branch and he said he thought 5.6.4 but that he wasn’t positive on that one.

Original Poster1 point · 5 months ago

I'll open a quick ticket with them as well. Thanks!


I've had similar problems and I resolved it by telling the fortigate to use a different source ip for its connection to the analyzer. Maybe your 80CM is using its WAN IP for this connection and the FAZ doesn't know how to route to that IP? To change this:
config log fortianalyzer setting
set source-ip "X.X.X.X" <---- I'd try putting the LAN IP for your fortigate here

2

I'm using a fortimail running 5.4.2 in gateway mode. An exchange server sits on the other side.

We have a few corporate employees who are being duped. They are receiving very simple emails that look like they are coming from our CEO. The from field will display the CEO's full name. The subject will say something like "Request" and then the body will simply say "Do you have a minute?" The employee responds and soon after they receive another email similar to the following: "I need you to complete a wire transfer for me today, I am presently busy in a meeting but I can send you the details once you are ready." The employee then forwards the email to us demanding to know how something like this would be let through.

If you take a deeper look you'll see that the email did not come from within the company, but instead from a comcast address or something similar. This is pretty easy to tell when running outlook as it will say the CEO's name followed by the sender's address. But when viewing it on an iPhone it doesn't show the email address, it strictly shows the CEO's name.

Anyone run into similar issues? These are very difficult to block as they aren't coming from blacklisted addresses or ip's. Do I need to get clever with the dictionary? Thanks in advance.

Update: One other note, I've only used the antispam dictionary once before. I have something in there like this: from:.*\b\@mycompany.com\b

This is blocking any incoming mail from someone that tries to make it look like their message came from within the company. Let's say the CEO's name is John Doe, I'm wondering if I could mimic this rule by doing something like this: from:.*\b\John Doe\b

But again, I am not too familiar with dictionary rules. Thanks.

2
9 comments

Confirmed on the additional false positives - lasted a day here :)

Original Poster1 point · 6 months ago

Thanks, I do believe I had this set a while back and did get a bunch of false positives. Never ending battle of either allowing too much or blocking too much. I think I’m in good shape for right now.

Original Poster3 points · 6 months ago

Update: I tested the dictionary entry above and it appears to be working. We're good until someone who legitimately has the same name as our CEO starts emailing us. If this happens his emails will be dropped. Oh well!
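Added example (not from the thread or from FortiMail): the two checks the post and its update describe, as plain code, so the logic of the dictionary rules can be tested against sample headers before committing them to the gateway. The first check is the existing rule (inbound mail whose From: address claims the company's own domain); the second is the new one (an external address carrying a protected person's display name, which is all an iPhone shows). The domain mycompany.com and the name John Doe are the post's own placeholders; the sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Placeholders taken from the post: the protected domain and the example
# executive name. Names are stored as sorted lowercase tokens so that
# "Doe, John" and "John Doe" compare equal.
INTERNAL_DOMAINS = {"mycompany.com"}
PROTECTED_NAMES = {("doe", "john")}


def name_tokens(display_name):
    """Lowercase, drop punctuation, sort tokens: 'Doe, John' -> ('doe', 'john')."""
    return tuple(sorted(re.sub(r"[^\w\s]", " ", display_name).lower().split()))


def classify_inbound_from(header_value):
    """Classify the From: header of a message arriving from the internet.

    Returns one of:
      'spoofed-internal-domain' - address claims our own domain (the post's
                                  existing from:.*\\b\\@mycompany.com\\b rule)
      'spoofed-display-name'    - external address with a protected person's
                                  display name (the rule the update tested)
      'allow'                   - nothing suspicious in the From: header
    """
    display_name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    if domain in INTERNAL_DOMAINS:
        return "spoofed-internal-domain"
    if name_tokens(display_name) in PROTECTED_NAMES:
        return "spoofed-display-name"
    return "allow"


def triage(from_headers):
    """Run the check over a batch of From: values; return the flagged ones."""
    flagged = []
    for hdr in from_headers:
        verdict = classify_inbound_from(hdr)
        if verdict != "allow":
            flagged.append((hdr, verdict))
    return flagged


# Constructed sample From: headers, not real messages.
SAMPLES = [
    'John Doe <jdoe.ceo123@comcast.example>',     # display-name spoof
    '"Doe, John" <reply-now@example.net>',        # same name, reordered
    'Someone <someone@mycompany.com>',            # claims our domain from outside
    'Jane Roe <jane@partner.example>',            # ordinary external sender
]

if __name__ == "__main__":
    for hdr, verdict in triage(SAMPLES):
        print(f"{verdict:25} {hdr}")
```

The check looks only at the From: header, exactly as the dictionary rule does, so it has the same blind spot the update mentions: an unrelated external sender who really is named John Doe is dropped as well. Matching on the display name rather than the address is deliberate, since these messages arrive from addresses that are not on any blacklist.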


1

I'm curious what everyone else out there does for vendors who require remote access to servers on your network for support purposes.

In the past I've set up a vendor or two with ssl vpn portal credentials. This portal is set up with an RDP link to their specific server. The vendor logs into the server with specific credentials that we assign them.

I don't love this approach as if an employee for that vendor ever left there is nothing preventing him from logging into our server from somewhere else if he takes the credentials with him.

What's everyone else doing?

1
7 comments
Original Poster1 point · 6 months ago

Thanks for the feedback everyone.

hamlen4 commented on

This sounds like something that I've done a few times recently. From my experience:
1) Create the VPN tunnel as interface based as opposed to policy based. This will create a new tunnel interface under your physical interface.
2) Create two addresses for your host. One under the VIP section and one under the standard section which will just be the real IP of your host. When you create the VIP assign it to the newly created tunnel interface.
3) Create a firewall policy from your inside network to the tunnel interface. Use the real address for your inside address. Enable NAT on this policy.
4) Create a firewall policy from your tunnel interface to your inside network. This policy will utilize the VIP. No need to enable NAT on this policy, the VIP takes care of it.

Hope this helps.

3

I've been successful in the past with establishing a VPN tunnel to my fortigate via an iOS device, but once connected I'm often asking myself the question "now what?" Is anyone out there using this? If so, for what purpose? Intranet browsing? Internal server browsing?

This is something that I always think may be useful to deploy, but then I struggle with a good use case.

3
8 comments
Original Poster1 point · 8 months ago

Thanks for the feedback everyone. It's been a while since I've tested, but I believe one problem I always had was DNS. I had to hit everything by IP as the VPN wasn't providing DNS. This test was done with the FortiClient, not the built-in iOS VPN.

I honestly didn't spend much time on this part of it, just curious what everyone else is doing.

8
Archived

Pretty simple setup here, I have a cisco ASA with a static IP sitting behind a comcast modem. A switch sits behind the ASA. I have a vpn tunnel set up from this ASA to another site. I want to be able to hit specific devices at the remote site, but I also want to allow web browsing through the asa. To accomplish this I would PAT traffic to the IP of the outside interface. I've been able to get strictly VPN working and I've been able to get strictly internet browsing working. But I can't get both working at the same time. The subnet at my main site is 10.1.1.0 /24. The subnet at the remote site is 172.1.0.0 /16. Here are some snippets of my config:

access-list outside_access_in_1 extended permit ip 172.1.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list inside_access_in_1 extended permit ip 10.1.1.0 255.255.255.0 any
access-list outside_cryptomap_1 extended permit ip 10.1.1.0 255.255.255.0 172.1.0.0 255.255.0.0
nat (inside,outside) source dynamic obj-10.1.1.0-01 interface
nat (inside,outside) source static obj-10.1.1.0-01 obj-10.1.1.0-01 destination static obj-172.1.0.0 obj-172.1.0.0
object network obj-10.1.1.0-01
subnet 10.1.1.0 255.255.255.0
object network obj-172.1.0.0
subnet 172.1.0.0 255.255.0.0

ASA 5505, running 9.2(4)14

Thanks in advance!

8
9 comments

Looks like your NAT exemption should be configured at a lower priority number so that it sits above the dynamic interface NAT.

nat (inside,outside) 1 source static .......

Original Poster2 points · 9 months ago

You are exactly correct. I accidentally discovered this when I was troubleshooting earlier. I just came on here to view responses and provide an update. As soon as I reversed the order of those two NAT statements everything worked. Thank you!
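Added example (not from the thread or from Cisco): a small model of why the order of the two manual NAT statements mattered. The ASA walks its manual NAT table top to bottom and applies the first match, and the crypto map ACL is then checked against the translated addresses, so with the dynamic PAT listed first the VPN-bound traffic is rewritten to the outside interface address and never matches outside_cryptomap_1. The networks are the post's; the outside interface address is a constructed placeholder because the post does not give it.

```python
import ipaddress

# Networks from the post. The outside interface IP is a constructed
# placeholder (TEST-NET-3); the real one is not in the post.
INSIDE = ipaddress.ip_network("10.1.1.0/24")     # obj-10.1.1.0-01
REMOTE = ipaddress.ip_network("172.1.0.0/16")    # obj-172.1.0.0
ANY = ipaddress.ip_network("0.0.0.0/0")
OUTSIDE_IF_IP = "203.0.113.10"

# A manual NAT rule: (description, source match, destination match, action).
# The action returns the translated source address.
NAT_EXEMPT = ("source static identity (VPN exemption)", INSIDE, REMOTE,
              lambda src: src)                # identity NAT: unchanged
DYNAMIC_PAT = ("source dynamic ... interface", INSIDE, ANY,
               lambda src: OUTSIDE_IF_IP)     # PAT to the outside interface


def translate(rules, src, dst):
    """First matching rule wins, as with the ASA's ordered manual NAT table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for desc, src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return desc, action(src)
    return "no NAT", src


def matches_crypto_acl(src, dst):
    """Does the flow match access-list outside_cryptomap_1 (10.1.1.0/24 -> 172.1.0.0/16)?"""
    return (ipaddress.ip_address(src) in INSIDE
            and ipaddress.ip_address(dst) in REMOTE)


def goes_over_vpn(rules, src, dst):
    """Crypto ACL is evaluated on the post-NAT addresses."""
    _, new_src = translate(rules, src, dst)
    return matches_crypto_acl(new_src, dst)


WRONG_ORDER = [DYNAMIC_PAT, NAT_EXEMPT]   # as in the original post
RIGHT_ORDER = [NAT_EXEMPT, DYNAMIC_PAT]   # exemption given the lower line number

if __name__ == "__main__":
    for label, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        desc, new_src = translate(rules, "10.1.1.5", "172.1.0.10")
        print(f"{label}: 10.1.1.5 -> 172.1.0.10 hit '{desc}', source becomes {new_src}, "
              f"VPN={goes_over_vpn(rules, '10.1.1.5', '172.1.0.10')}")
```

Internet-bound traffic (10.1.1.5 to an address outside 172.1.0.0/16) is PATed in either order, which is why browsing looked fine while only the tunnel broke; the fix is purely the line number on the identity rule, as the comment above says.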

You could just edit the OP

Original Poster2 points · 9 months ago

Done, thank you. reddit newb.


1

Pretty simple setup here, I have a cisco ASA with a static IP sitting behind a comcast modem. A switch sits behind the ASA. I have a vpn tunnel set up from this ASA to another site. I want to be able to hit specific devices at the remote site, but I also want to allow web browsing through the asa. To accomplish this I would PAT traffic to the IP of the outside interface.

I've been able to get strictly VPN working and I've been able to get strictly internet browsing working. But I can't get both working at the same time.

The subnet at my main site is 10.1.1.0 /24. The subnet at the remote site is 172.1.0.0 /16.

Here are some snippets of my config:

access-list outside_access_in_1 extended permit ip 172.1.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list inside_access_in_1 extended permit ip 10.1.1.0 255.255.255.0 any
access-list outside_cryptomap_1 extended permit ip 10.1.1.0 255.255.255.0 172.1.0.0 255.255.0.0

nat (inside,outside) source dynamic obj-10.1.1.0-01 interface
nat (inside,outside) source static obj-10.1.1.0-01 obj-10.1.1.0-01 destination static obj-172.1.0.0 obj-172.1.0.0

object network obj-10.1.1.0-01
 subnet 10.1.1.0 255.255.255.0
object network obj-172.1.0.0
 subnet 172.1.0.0 255.255.0.0

Thanks in advance!

1
1 comment
Original Poster1 point · 9 months ago

I should also mention that this is a cisco asa 5505 running 9.2(4)14

You can also check from GUI: Security Profiles > Web rating overrides > Create new > put in the URL and press "lookup rating".


This is the method I typically use and it is working for me today. I tried doing a lookup directly from the fortiguard website and can confirm that I am also seeing issues.

u/hamlen4
Karma
49
Cake day
September 18, 2015
