Palo Alto Firewall Appliance PA-VM - Useful Commands

Initial management IP configuration (configure mode; the change only takes effect after commit)

admin@PA-VM> configure
admin@PA-VM# set deviceconfig system ip-address 192.168.200.63 netmask 255.255.255.0 default-gateway 192.168.200.254 dns-setting servers primary 8.8.8.8
admin@PA-VM# commit
 
 
If you have ever worked on a Juniper box with the JUNOS CLI, you will feel at home on a Palo Alto firewall appliance.
 
Operational Mode and Configuration Modes
 
username@hostname> (Operational mode)
 
username@hostname> configure
 
Entering configuration mode
 
[edit]
 
username@hostname# (Configuration mode)
 
 
Moving between Modes
 
up—changes the context to one level up in the hierarchy.
 
Example:
 
[edit network interface] (interface level)

username@hostname# up

[edit network]

username@hostname# (now at the network level)
 
 
top—changes context to the top level of the hierarchy.
 
Example:
 
[edit network interface vlan] (vlan level)

username@hostname# top

[edit]

username@hostname# (now at the top level)
 
 
Leaving configuration mode (back to operational mode)

username@hostname# exit
 
 
Software version, management address, serial number, etc.

admin@PA-VM> show system info
 
 
Grep/Match
 
admin@PA-VM> show system info | match model
 
model: PA-VM
 
 
Find commands containing a keyword
 
username@hostname# find command keyword hsm
 
 
Restart Appliance
 
>request restart system
 
 
Show Configuration Hierarchy
 
username@hostname# show network interface ethernet

ethernet {
  ethernet1/1 {
    virtual-wire;
  }
  ethernet1/2 {
    virtual-wire;
  }
  ethernet1/3 {
    layer2 {
      units {
        ethernet1/3.1;
      }
    }
  }
  ethernet1/4;
}

[edit]

username@hostname#
 
 
Configure an IP address on a port

Assign IP address/netmask 10.1.1.12/24 to the Layer 3 interface of Ethernet port ethernet1/4 (like every configuration change, it only takes effect after commit):

[edit]

username@hostname# set network interface ethernet ethernet1/4 layer3 ip 10.1.1.12/24

username@hostname# commit
 
 
Check pending changes (uncommitted)
 
username@hostname# check pending-changes
 
 
Save a named snapshot of the candidate configuration (this does not commit it; savefile is the snapshot name)

username@hostname# save config to savefile
 
 
Get the hardware (MAC) addresses of the interfaces

admin@PA-VM> show system state | match hwaddr
 
 
Routing Table
 
> show routing route
 
 
Show the candidate configuration (configure mode) and the running configuration (operational mode)

admin@PA-VM# show

admin@PA-VM> show config running
 
Logs

admin@PA-VM> less mp-log ?    (lists all management-plane log files; dataplane logs are under less dp-log)
 
Packet Capture (dataplane)

Set the filter first, then turn filtering and capture on. "set log on" enables packet-diag logging for the features chosen with "set log feature ..."; the capture stages are receive, firewall, transmit and drop. The file name given here (test1_capture) is the one used with view-pcap below.

admin@PA-VM> debug dataplane packet-diag set filter match source <ip address>

admin@PA-VM> debug dataplane packet-diag set filter on

admin@PA-VM> debug dataplane packet-diag set log on

admin@PA-VM> debug dataplane packet-diag set capture stage receive file test1_capture

admin@PA-VM> debug dataplane packet-diag set capture on

(generate the traffic of interest, then stop the capture)

admin@PA-VM> debug dataplane packet-diag set capture off
 
Removing Filters

If "debug dataplane packet-diag show setting" shows two filters configured and you want to remove one of them:

admin@PA-VM> debug dataplane packet-diag clear filter <filter number>

To reset all packet-diag settings (filters, capture and log) at once:

admin@PA-VM> debug dataplane packet-diag clear all
 
 
Export the pcap file to an SCP server

admin@PA-VM> scp export filter-pcap from <file> to <user@SCP_server:path>
 
 
View packets hitting the filter live

admin@PA-VM> view-pcap follow yes filter-pcap test1_capture
 
 
Show Packet Capture Setting
 
admin@PA-VM> debug dataplane packet-diag show setting
 
 
Management Traffic Capture

The management interface is eth0. tcpdump on PAN-OS only sees management-plane traffic (use packet-diag above for dataplane traffic), and the default capture size of 96 bytes truncates payloads; tcpdump snaplen <bytes> filter "..." keeps more of each packet. The capture is written to mgmt.pcap.

admin@PA-VM> tcpdump filter "dst 49.0.0.254"

Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

^C

11 packets captured

22 packets received by filter

0 packets dropped by kernel

admin@PA-VM> view-pcap mgmt-pcap mgmt.pcap
 
 
Show all sessions

admin@PA-VM> show session all

 

 

 

 

FortiGate FGSP (standalone session synchronization) configuration example
The same steps are repeated on the peer with its own addresses (and peerip pointing back), since FGSP peers are standalone units. Once VDOMs are enabled, system interface, session-sync and HA settings live in the global context, so steps 4 to 6 are entered under config global.

1. Enable VDOMs
config system global
    set vdom-admin enable
end

2. Create the VDOM
config vdom
    edit test
    next
end

3. Set the VDOM to transparent (TP) mode
config vdom
    edit test
        config system settings
            set opmode transparent
            set manageip 10.10.10.1/32
        end
    next
end

4. Interface assignment (port4 carries session sync; telnet is cleartext, leave it out of allowaccess outside a lab)
config global
    config system interface
        edit mgmt
            set vdom root
            set ip 10.10.10.1/24
        next
        edit port1
            set vdom test
        next
        edit port2
            set vdom test
        next
        edit port4
            set ip 192.168.12.1/24
            set allowaccess ping https ssh snmp telnet
        next
    end
end

5. Session-sync peer
config global
    config system session-sync
        edit 1
            set peerip 192.168.12.2
            set syncvd test
        next
    end
end

6. HA settings (session pickup and standalone configuration sync)
config global
    config system ha
        set hbdev port3 100
        set session-sync-dev port4
        set hb-interval 4
        set hb-lost-threshold 12
        set ha-uptime-diff-margin 1
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
        set standalone-config-sync enable
        set override disable
    end
end

 

FortiAnalyzer CLI
get system status                    (firmware version, serial number)
get system performance               (CPU, memory and disk usage)
get system sql                       (SQL database settings)
diagnose sql status                  (SQL database status)
diagnose sql show db-size            (database size)
diagnose sql process list            (running SQL processes)
diagnose log device                  (log volume per device)
diagnose dvm device list             (registered devices)
diagnose fortilogd lograte           (incoming log rate)
diagnose fortilogd msgrate-device    (log message rate per device)
execute log device logstore list     (log storage per device)

 

 

FortiGate: "File reached uncompressed size limit"
The log message "File reached uncompressed size limit" refers to the per-protocol uncompressed-oversize-limit (in MB) in the protocol options profile: a compressed file whose decompressed size exceeds it is treated as oversize, and with "options : oversize" set, oversize files are blocked. The value is set per protocol (smtp here) and applies only after the two "end" commands:

fortigate # config firewall profile-protocol-options
fortigate (profile-protocol~ons) # edit default
fortigate (default) # config smtp
fortigate (smtp) # set uncompressed-oversize-limit 5
fortigate (smtp) # get
ports : 25
status : enable
inspect-all : disable
options : oversize
oversize-limit : 10
uncompressed-oversize-limit: 5
uncompressed-nest-limit: 12
scan-bzip2 : enable
server-busy : disable
fortigate (smtp) # end
fortigate (default) # end

 

 

FortiGate health-check CLI
1. get system performance status
   - current CPU and memory use, traffic, session count and uptime
2. get system status
   - OS version and serial number
3. diag debug crashlog read
   - process crash history and other major FortiGate issues
4. diag log alertconsole list
   - admin login failures, reboots, power-off and FortiGuard update history
5. diag hardware device nic port1
   - speed/duplex and error counters of the given port
6. diag netlink device list
   - error counters for all ports
7. get router info routing-table all
   - routing table
8. get sys arp
   - ARP table
9. get system interface
   - interface IP information

10. Others
# execute tac report
# fnsysctl ls -l /dev/shm
# fnsysctl ls -l /tmp
# diagnose hardware sysinfo shm
# diagnose hardware sysinfo slab
# diagnose hardware sysinfo interrupt
# diagnose ip arp list
# diagnose ip rtcache list
# diagnose ip router command show show int
# diagnose ips anomaly list
# diagnose ips anomaly status
# diagnose ips dissector status
# diagnose ips packet status
# diagnose ips raw status
# get ips session
# diagnose sys session stat
# get system auto-update status
# get system auto-update versions
# diagnose test update info
# diagnose sys flash list
# fnsysctl df -k
# diagnose sys logdisk smart
# diagnose sys logdisk status
# diagnose sys ha status
# diagnose sys ha showcsum
# diagnose sys ha hadiff status
# diagnose sys ha dump-by all-vcluster
# diagnose sys ha dump-by rcache
# diagnose sys ha dump-by all-group
# diagnose sys ha dump-by memory
# diagnose sys ha dump-by vdom
# diagnose sys ha dump-by debug-zone
# diagnose sys ha dump-by kernel
# diagnose sys ha dump-by device
# get sys session-info statistics
# get system session-info ttl
# get system session-helper-info list
# diagnose netlink aggregate list
# diagnose netlink brctl list
# diagnose netlink device list
# diagnose firewall fqdn list
# diagnose firewall iplist list
# diagnose firewall ipmac list
# diagnose firewall ipmac status
# diagnose firewall iprope list
# get firewall proute
# diagnose firewall schedule list
# get system performance firewall statistics
# get router info routing-table all
# get router info routing-table database
# get vpn ipsec stats crypto
# get vpn ipsec tunnel details
# get vpn status ssl list
# get webfilter ftgd-statistics
# get webfilter status
# diagnose spamfilter fortishield statistics list
# diagnose spamfilter fortishield servers
# get hardware nic mgmt2
# get hardware nic mgmt1
# get hardware nic port32
# get test proxyacceptor 1
# get test proxyacceptor 4
# get test proxyworker 1
# get test proxyworker 4
# get test proxyworker 4444
# get test http 444
# get test http 11
# diagnose sys scanunit stats all
# get test urlfilter 10
# diagnose sys sip-proxy filter clear
# diagnose sys sip-proxy redirect list
# diagnose sys sip-proxy config list
# diagnose sys sip-proxy config profiles
# diagnose sys sip-proxy meters list
# diagnose sys sip-proxy stats proto
# diagnose sys sip-proxy stats call
# diagnose sys sip-proxy stats udp
# diagnose sys sip-proxy calls idle
# diagnose sys sip-proxy session list
# diagnose sys sccp-proxy stats list
# diagnose sys sccp-proxy phone list
# get test ipsmonitor 1
# get test ipsmonitor 3
# get test radiusd 5
# diagnose test application miglogd 6

 

Start > run PowerShell ISE.

# Add users: creates user1 ... user1000 in OU=test. See "dsadd user /?" for
# -pwd and -disabled if the accounts need to be usable for logon.
$a = 1
do {
    dsadd user "cn=user$a,ou=test,dc=sbbaek,dc=com"
    $a++
} while ($a -le 1000)

# Add groups: creates group1 ... group1000 in the same OU.
$a = 1
do {
    dsadd group "cn=group$a,ou=test,dc=sbbaek,dc=com"
    $a++
} while ($a -le 1000)

 

 

How-to: Automate FortiGate configuration backups

 
FortiGates don't have any backup automation out of the box. Generally you'd use a FortiManager for the configuration, backup and control of multiple FortiGates.

I've recently set up a lab with several FortiGates for testing and wanted a simple way of backing up the configs every day so I could always revert back to a previous day quickly.

You could just back up the config before making changes, but I wanted to automate this process. Below is a quick and dirty script to automate the config backup.

A few notes to begin with; this script requires a read-only user to be created on each FortiGate that has the same password. These passwords are stored in the script itself; so while it never gets transmitted in cleartext over the link, be aware that it is stored in the file. Since this is a lab and it's a read-only account I'm not too fussed. Another thing to note is that the strict host check for the SSH keys has been disabled (so you don't get a confirmation request for new IP addresses). There is a more secure way to do this without using passwords but SSH keys, which I may create a blog on at a later date.

The only dependency is that the script requires sshpass to be installed.

My guide goes through setting this all up on a Debian based Linux system (like Mint or Ubuntu). It should be fine to work on other distributions with few command changes.


Steps involved:

1. Install sshpass
2. Enable SCP and SSH on FortiGates
3. Create a read only profile
4. Create a read only user
5. Create script and edit the code
6. Make script executable
7. Test the script
8. Configure crond to automatically run the script

1. Install sshpass

From your linux terminal type the following to install sshpass:

sudo apt-get install -y sshpass

2. Enable SCP and SSH on the FortiGate

For this example we'll configure port6 with SSH. Login to the CLI of your FortiGate and configure the following (note that "set allowaccess" replaces the interface's whole access list; to add SSH next to protocols already enabled, use "append allowaccess ssh" or list them all):

config system interface
edit port6
set allowaccess ssh
end

Then type the below to enable SCP:

config system global
set admin-scp enable
end

3. Create a read only profile

In the web GUI go to System > Admin > Admin Profiles and click 'Create New'.

Give your profile a name and select the 'Read Only' tick-box to ensure all access control options change to read only. Click 'Ok' to save.


4. Create a read only user

Go to System > Admin > Administrators and click 'Create New'.

Type in the user's login name, give a password and select the read-only profile we created in step 3. Click 'Ok' to save.


5. Create script and edit the code

Copy the script below into a text editor and then change the following settings:

a) SERVERS: Replace the IP addresses here with the IP addresses (and/or hostnames) of the FortiGate units you want to connect to (and that you've enabled SSH/SCP for). Separate server addresses with a space.
b) USR: Replace with the read-only username we created in step 4.
c) The password variable: Replace with the read-only password we created in step 4.
d) The destination directory (/home/user/backup in the script): this is where the config files will be saved. Ensure that this directory exists and that the user running the script has write access to it.


The full script is below:

#!/bin/bash
# linux/UNIX

# FortiGates to back up (IP addresses or host names, separated by spaces)
SERVERS="172.16.100.91 192.168.200.99"

# read-only SSH user and its password (stored in cleartext in this file, see the notes above).
# The variable is called PASS rather than PWD because PWD is the shell's own
# current-directory variable. Note that "sshpass -p" shows the password to other
# local users in the process list; "sshpass -f <file>" reads it from a file instead.
USR="readonly"
PASS="password"

# destination directory; must exist and be writable by the user running the script
DEST="/home/user/backup"

timestamp=$(date +"%y-%m-%d")

# connect to each host and pull its configuration over SCP
for host in $SERVERS
do
    sshpass -p "$PASS" scp -oStrictHostKeyChecking=no \
        "$USR@$host:sys_config" "$DEST/${timestamp}_${host}.conf"
done

echo 'Backup completed!'
exit

Once this is done save the file with the .sh extension (for this example I use fortinet-backup.sh).

6. Make script executable

To be able to run the script you'll need to make it executable.

chmod u+x fortinet-backup.sh

7. Test the script

Now the fun part, testing the script! Go to the directory the script is located in and run it with ./fortinet-backup.sh. After a while you should get the 'Backup completed!' message. If you do an ls you should now see the configs. The naming scheme is the date followed by the IP or domain name of the firewall.

allan@amouawad-mint ~/backup $ ./fortinet-backup.sh 
Backup completed!
allan@amouawad-mint ~/backup $ ls
14-01-10_172.16.100.91.conf  14-01-10_192.168.200.99.conf  fortinet-backup.sh

8. Configure crond to automatically run the script

Now this is done and confirmed working, we want to get the script to run on a schedule. For this we need to configure cron with the following command: crontab -e.

If you're unsure how to use cron I'd suggest you search for a few examples. The key here is to add a line at the end of the file that determines the frequency at which you wish the script to run, and the script's name/location.

For example I've used the following:

0 1 * * * /home/user/backup/fortinet-backup.sh

This will run the script located at /home/user/backup/fortinet-backup.sh once every day at 1 am.


Save the file and you should be done!
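The script above never looks at what it fetched: a transfer that fails part way still leaves a truncated file in the backup directory, and the cron job keeps reporting 'Backup completed!'. The functions below are an added example, not part of the original how-to. They check that each fetched file is really a FortiGate configuration (FortiGate backups start with a "#config-version=" header line) and compare today's copy with the previous one of the same host, so a truncated backup or a configuration change shows up in the cron mail. That the "#..." header lines are the only part that differs between two saves of an identical configuration is an assumption made here; the sample files used to exercise the functions are constructed.

```shell
#!/bin/bash
# Added example (not part of the original how-to): checks to run over the
# files fortinet-backup.sh pulls in. FortiGate configuration backups start
# with a "#config-version=" header line; that the "#..." header lines are the
# only part that changes between two saves of an identical configuration is
# an assumption made here.
set -eu

# 0 if FILE is non-empty and starts with the FortiGate config header.
is_fortigate_config() {     # is_fortigate_config FILE
    [ -s "$1" ] && head -n 1 "$1" | grep -q '^#config-version='
}

# 0 if OLD and NEW differ once the "#..." header lines are ignored.
config_changed() {          # config_changed OLD NEW
    [ "$(grep -v '^#' "$1" | sha256sum)" != "$(grep -v '^#' "$2" | sha256sum)" ]
}

# For every backup of DAY (yy-mm-dd, the script's timestamp format) in DIR,
# validate it and compare it with the newest earlier backup of the same host.
# Problems go to stderr so they stand out in the cron mail.
report_drift() {            # report_drift DIR DAY
    dir=$1; day=$2
    for new in "$dir"/"$day"_*.conf; do
        [ -e "$new" ] || continue                     # no backups for DAY at all
        host=$(basename "$new" .conf); host=${host#"$day"_}
        if ! is_fortigate_config "$new"; then
            echo "$host: backup does not look like a FortiGate config, check the transfer" >&2
            continue
        fi
        # newest backup of this host that is not from DAY (names sort by date)
        prev=$(ls "$dir"/*_"$host".conf 2>/dev/null | grep -v "/${day}_" | sort | tail -n 1)
        if [ -z "$prev" ]; then
            echo "$host: first backup"
        elif config_changed "$prev" "$new"; then
            echo "$host: configuration changed since $(basename "$prev")"
        else
            echo "$host: unchanged"
        fi
    done
    return 0
}

# Usage, e.g. as the last line of fortinet-backup.sh:
#   report_drift /home/user/backup "$(date +%y-%m-%d)"
if [ $# -ge 1 ]; then
    report_drift "$1" "${2:-$(date +%y-%m-%d)}"
fi
```

Run it with the backup directory as the first argument (and optionally a date in the script's yy-mm-dd format) right after the backup loop; cron mails anything written to stderr, so a host whose file fails the header check gets noticed the same day.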

 


AD GPO

 

http://www.unixwiz.net/techtips/deploy-webcert-gp.html

 

Several customers are deploying the latest version of the excellent Evolution payroll service-bureau software from iSystems, and the new management interface is web based via SSL. This is a major improvement over the previous version that required interaction with the server via a logged-in user.

But the web certificate used by the vendor is self-signed, which means that Internet Explorer users visiting the management interface are greeted with an untrusted-certificate message:

Though it's not difficult to dispense with this message - one can accept the certificate with a few clicks - all users on all workstations must go through this, and we'd prefer to avoid it. Fortunately, we can capture and deploy the certificate with Group Policy throughout the enterprise. It's worked really well.

Note - this Tech Tip is intended to be used generally for any kind of certificate deployment, but we're using the specific example of Version 6 ("Garfield") of Evolution. Our server platform is SBS2003 with XP/SP2 workstations. We've not investigated this process for any browser other than IE.

Disclaimer - We'll also note that we are not even remotely approaching PKI or Group Policy experts, and we have mainly muddled through several of the choices offered on the road to something that appears to work well. We'd certainly welcome input from those who actually know this stuff.

Getting a copy of the certificate into a file

Ultimately we need a copy of the public certificate into a file so that it may be imported into Group Policy, and though some vendors may publish this certificate on a website, it's easy to use the browser itself and export the cert to a file.

Begin the process by loading IE, visiting the website of interest, and provoking the security warning. It may be necessary to exit all instances of IE if the certificate had previously been accepted, but once visible, click the [View Certificate] button.

 

There is lots of information about this certificate, and we want the [Details] tab which confirms that the certificate is from who we think it's from. Click the [Copy to File] button:

Here we're offered quite a few choices of certificate format, and we have chosen Cryptographic Message Syntax Standard (PKCS #7) for no particularly good reason - we know that it imports correctly into the Group Policy editor. We don't think the certificate path matters.

Clicking [Next] prompts for a filename, and it should be of the form vendorcert.p7b (the .p7b extension matters). The file should then be somehow moved to the Windows Server with the Group Policy Management.

Deploying the Certificate with Group Policy

With vendorcert.p7b now on the server, we're ready to deploy the certificate.

Launch the Group Policy Manager and navigate to a suitable object: we prefer the Default Domain Policy because there is no harm in deploying this certificate throughout the entire enterprise. Right-click on that object and select Edit:

In the Group Policy Object Editor, navigate down to: Computer Configuration » Windows Settings » Security Settings » Public Key Policies » Trusted Root Certification Authorities

Then right-click and select Import.

In the Certificate Import Wizard, browse to the location of the file; here we're looking for vendorcert.p7b. Click [Next].

With the file selected, we're shown the Certificate Store dialog that selects the target location for the cert. We've seen only one choice available with all the rest grayed out. Click Next.

In the wizard completion dialog, review the settings: they should all be familiar. Click Finish.

Finished! The certificate has been imported, and it appears in the Group Policy object. The next time a user logs in, these settings will be applied and the certificate will be trusted by Internet Explorer.

Multiple (and unrelated) certificates may be deployed in the same way, so that as other systems enter production with self-signed certs, they may be included in the same Group Policy object.

We should note, however, that this procedure is intended for intentionally self-signed certificates that are known to be trusted, and it's not meant to ameliorate browsing sites with broken certs (expired, wrong server name, etc.). Please keep in mind that SSL certificates are a security measure, and bypassing them thoughtlessly may lead to unpleasant surprises.
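Exporting through the browser works, but before a certificate goes into Trusted Root Certification Authorities for the whole domain two things are worth checking that the import wizard does not: that the certificate really is self-signed (a vendor certificate issued by a CA should be trusted through that CA rather than copied into the root store), and that its SHA-256 fingerprint matches what the vendor confirms over another channel. Everything in that store is a trust anchor, and a certificate carrying CA:TRUE in Basic Constraints lets whoever holds its private key issue certificates for any name that every workstation will then accept. The script below is an added example and not part of the original article: it fetches the certificate with openssl from a Linux machine, prints those values, and writes the DER-encoded .p7b the wizard accepts. The host name evolution.example.test and port 443 used in the usage line are assumptions.

```shell
#!/bin/bash
# Added example, not part of the original article: fetch a server's
# certificate with openssl instead of Internet Explorer, print what to check
# before pushing it to every workstation's Trusted Root store via Group Policy,
# and write the .p7b the Certificate Import Wizard expects.
set -eu

# Fetch the certificate presented on HOST:PORT and store it as PEM (needs network).
fetch_cert() {              # fetch_cert HOST PORT OUT.pem
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# SHA-256 fingerprint: confirm this value with the vendor out of band before
# trusting the certificate domain-wide.
cert_fingerprint() {        # cert_fingerprint CERT.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# 0 if issuer and subject are identical, i.e. the certificate is self-signed.
# A CA-issued server certificate should be trusted via its issuing CA instead.
cert_is_self_signed() {     # cert_is_self_signed CERT.pem
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[^=]*=//')
    [ "$subj" = "$iss" ]
}

# Print the Basic Constraints value (e.g. CA:TRUE). With CA:TRUE, or with no
# extension at all, the key holder can issue certificates the domain trusts.
cert_basic_constraints() {  # cert_basic_constraints CERT.pem
    bc=$(openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' \
         | tail -n 1 | sed 's/^ *//')
    [ -n "$bc" ] && echo "$bc" || echo 'no Basic Constraints extension'
}

# DER-encoded PKCS#7 (.p7b), the format the Certificate Import Wizard accepts.
cert_to_p7b() {             # cert_to_p7b CERT.pem OUT.p7b
    openssl crl2pkcs7 -nocrl -certfile "$1" -outform DER -out "$2"
}

# Usage: ./export-cert.sh evolution.example.test 443 vendorcert.p7b
if [ $# -eq 3 ]; then
    pem=$(mktemp)
    fetch_cert "$1" "$2" "$pem"
    echo "SHA-256:           $(cert_fingerprint "$pem")"
    echo "Basic Constraints: $(cert_basic_constraints "$pem")"
    if cert_is_self_signed "$pem"; then
        echo "self-signed:       yes"
    else
        echo "self-signed:       NO, import the issuing CA certificate instead"
    fi
    cert_to_p7b "$pem" "$3"
    rm -f "$pem"
fi
```

Copy the resulting .p7b to the server and continue with the Group Policy import as described above; the printed fingerprint is the value to read back to the vendor before clicking Finish.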

 

Source: <http://www.unixwiz.net/techtips/deploy-webcert-gp.html>

 

 
