Translation of Fortinet configuration - security

We have a small case of a security breach at one of our sites. We have a contractor who is supposed to stay out of our Fortinet firewall; today I noticed these two paragraphs that look fishy. My site network administrator bailed on us a few months ago and I am trying to wrap my head around these paragraphs without needing to pay someone to do it. I need your help, experts!
> edit "Mycompany_to_Contractor"
> set vdom "root"
> set type tunnel
> set snmp-index 6
> set interface "wan1"
> next
> edit "Mycompany to Contractor2"
> set vdom "root"
> set type tunnel
> set snmp-index 8
> set interface "wan1"
> next
Any explanation would be appreciated!
Thank you

These snippets from the config interface section of a FortiOS config file show two virtual IPsec tunnel interfaces. When you create an IPsec config, these virtual interfaces are set up so that you can use them in policies to allow/filter traffic to or from the tunnel to any local interface.
The tunnel definition is kept in config vpn ipsec phase1-interface and starts with edit "Mycompany_to_Contractor". In this phase1 part you can see the IP address of the remote gateway, which may give you a clue as to whom the tunnel is connecting.
The rest of the VPN definition, including local and remote subnets, is defined in config vpn ipsec phase2-interface.
To quickly disable remote access from these two contractors / remote sites, disable the policies referring to the tunnel interfaces. Without a policy the tunnels cannot be established. For forensic purposes I would back up the config first.
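As an added example (not from the answer or from Fortinet), a small Python audit that reads a FortiOS backup, lists every tunnel-type interface with its phase1 remote gateway, and shows which enabled firewall policies reference it; the embedded config is a constructed sample modelled on the question's two tunnels.

```python
import shlex
# Constructed FortiOS-style sample (not a real config), modelled on the two tunnels in the question.
SAMPLE = """\
config system interface
    edit "Mycompany_to_Contractor"
        set type tunnel
    next
    edit "Mycompany to Contractor2"
        set type tunnel
    next
end
config vpn ipsec phase1-interface
    edit "Mycompany_to_Contractor"
        set remote-gw 203.0.113.10
    next
end
config firewall policy
    edit 12
        set srcintf "Mycompany_to_Contractor" "Mycompany to Contractor2"
        set status enable
    next
end
"""

def parse_fortios(text):
    """Nest config/edit blocks into dicts; 'set' values stay lists (sets can be multi-valued)."""
    stack = [{}]                                   # stack[-1] is the block being filled
    for line in text.splitlines():
        parts = shlex.split(line) or [""]          # shlex strips the quotes around names
        if parts[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif parts[0] == "set":
            stack[-1][parts[1]] = parts[2:]
        elif parts[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def audit_tunnels(cfg):
    """Per tunnel interface: phase1 remote gateway and the enabled policies that use it."""
    phase1, report = cfg.get("vpn ipsec phase1-interface", {}), {}
    for name, iface in cfg.get("system interface", {}).items():
        if iface.get("type") != ["tunnel"]:
            continue
        enabled = [pid for pid, pol in cfg.get("firewall policy", {}).items()
                   if name in pol.get("srcintf", []) + pol.get("dstintf", [])
                   and pol.get("status", ["enable"]) == ["enable"]]
        report[name] = {"remote_gw": phase1.get(name, {}).get("remote-gw", ["<no phase1>"])[0],
                        "enabled_policies": enabled}
    return report
```

A tunnel interface with no phase1 entry, or a tunnel whose policies are all disabled, stands out immediately in the report; run it on a backup taken before any changes.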

Related

Deployed small footprint Tanzu Application Service (TAS) in Azure, without domains. Can I access the CCAPI and Apps Manager with the IP?

I could deploy BOSH and small footprint Tanzu Application Service (TAS) in Azure without using the domains. All VMs are running. Can I access the CCAPI and Apps Manager with the IP address instead of api.SYSTEMDOMAIN?
The short answer is no. You really, really want to have DNS set up properly.
Here's the long answer that is more nuanced.
All requests to your foundation go through the Gorouter. Gorouter will take the incoming request, look at the Host header and use that to determine where to send the request. This happens the same for system services like CAPI and UAA as it does for apps you deploy to the foundation.
DNS is a requirement because of the Host header. A browser trying to access CAPI or an application on your foundation is going to set the Host header based on the DNS entry you type into your browser's address bar. The cf CLI is going to do the same thing.
There are some ways to work around this:
If you are strictly using a client like curl, you can set the Host header to arbitrary values. That way, you could set the Host header to api.system_domain while connecting to the IP address of your foundation. That's not a very elegant way to use CF though.
You can manually set entries in your /etc/hosts (or similar on Windows). This is basically a way to override DNS resolution and supply your own custom IP.
You would need to do this for uaa.system_domain, login.system_domain, api.system_domain and any host names you want to use for apps deployed to your foundation, like my-super-cool-app.apps_domain. These should all point to the IP of the load balancer that's in front of your pool of Gorouters.
If you add enough entries into /etc/hosts you can make the cf CLI work. I have done this on occasion to bypass the load balancer layer for troubleshooting purposes.
Where this won't work is on systems where you can't edit /etc/hosts, like customers or external users of software running on your foundation or if you're trying to deploy apps on your foundation that talk to each other using routes on CF (because you can't edit /etc/hosts in the container). Like if you have app-a.apps_domain and app-b.apps_domain and app-a needs to talk to app-b. That won't work because you have no DNS resolution for apps_domain.
You can probably make app-to-app communication work if you are able to use container-to-container networking and the apps.internal domain though. The resolution for that domain is provided by Bosh DNS. You have to be aware of this difference though when deploying your apps and map routes on the apps.internal domain, as well as setting network policy to allow traffic to flow between the two.
Anyway, there might be other hiccups. This is just off the top of my head. You can see it's a lot better if you can set up DNS.
The easiest way to achieve a portable solution is a service like xip.io, which works out of the box. I have set up and run a lot of PoCs that way, back when wildcard DNS was something enterprise IT was still oblivious to.
It works like this (excerpt from their site):
What is xip.io?
xip.io is a magic domain name that provides wildcard DNS
for any IP address. Say your LAN IP address is 10.0.0.1.
Using xip.io,
10.0.0.1.xip.io resolves to 10.0.0.1
www.10.0.0.1.xip.io resolves to 10.0.0.1
mysite.10.0.0.1.xip.io resolves to 10.0.0.1
foo.bar.10.0.0.1.xip.io resolves to 10.0.0.1
...and so on. You can use these domains to access virtual
hosts on your development web server from devices on your
local network, like iPads, iPhones, and other computers.
No configuration required!
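The two workarounds described above (an /etc/hosts override for the system and app hostnames, and a xip.io-style wildcard name), as an added Python example that is not part of either answer; the load balancer IP and domain names used are made up.

```python
"""Emulate how a client finds a foundation's IP when no real DNS exists for its domains."""
import ipaddress
import re

# A xip.io-style name carries the target IPv4 right before the ".xip.io" suffix,
# with any number of labels in front: foo.bar.10.0.0.1.xip.io -> 10.0.0.1
_XIP = re.compile(r"(?:^|\.)(\d{1,3}(?:\.\d{1,3}){3})\.xip\.io\.?$", re.IGNORECASE)

def xip_resolve(name):
    """Return the IPv4 embedded in a xip.io-style hostname, or None if absent or invalid."""
    m = _XIP.search(name)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))   # rejects octets above 255
    except ValueError:
        return None

def hosts_entries(lb_ip, system_domain, apps_domain, app_names=()):
    """/etc/hosts lines so the cf CLI can reach a foundation without DNS.
    Every name points at the load balancer in front of the Gorouters (assumed layout)."""
    names = [f"{h}.{system_domain}" for h in ("api", "uaa", "login")]
    names += [f"{app}.{apps_domain}" for app in app_names]
    return [f"{lb_ip} {n}" for n in names]

def resolve(name, hosts_lines=()):
    """Client's view: an /etc/hosts override wins, then the xip.io trick, else no answer."""
    for line in hosts_lines:
        fields = line.split("#", 1)[0].split()        # drop comments, split columns
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            return fields[0]
    return xip_resolve(name)
```

The last branch returning None is exactly the app-to-app case from the answer: a route on apps_domain that nobody wrote into /etc/hosts resolves to nothing.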

Ubuntu 18.04 - How can I ignore offline DNS servers?

My case is as follows:
While at office, I use site-to-site VPN and my DNS servers are part of the office domain, which can be accessed only through the VPN.
While at home, I can connect to point-to-site VPN and DNS is working just fine.
The problem occurs while not connected to the VPN either way. I'm using systemd-resolved, and my first 2 DNS servers are the domain servers, while the rest of the DNS servers can be reached without the VPN.
Every request is sent to the first 2 servers, waiting for their response and since they are unreachable, it will take a few seconds for each request to reach a working DNS server.
My question is: can I set the system to ignore unreachable DNS servers for a defined time before trying them again?
You can use a workaround with a simple script: if your VPN is off, just change the DNS, like this for example.
# Exit status 0 means the unit is active; the unit name is a placeholder for your VPN service.
status=$(systemctl is-active --quiet "your-vpn-site-to-site.service" && echo "running")
if [ "$status" != "running" ]
then
    # put your command here to change DNS when VPN is OFF
    :
else
    # put your command here to change DNS when VPN is ON
    :
fi
Of course you can also check the current DNS settings to avoid making the same unneeded changes to the file if you use cron, for example.
I can help you with this script, but I need to see your
/etc/systemd/resolved.conf first, without the original IPs of course.
Your DNS settings should also be dynamically configured. If (for whatever strange reason) that is not possible, you have two options:
You can do some tweaking in your /etc/resolv.conf by adding the line
options timeout:1
This will make the internal resolver wait at most 1 second for an answer before trying the next nameserver (the default is 5).
Install a local DNS server, preferably a lightweight one like dnsmasq or unbound. Configure it to forward requests for "example.com" to your internal DNS servers, and all other requests to the default (public) DNS servers. Configure your OS resolver to use the local DNS server.
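As an added example that is not from either answer, a Python version of the "switch DNS with the VPN state" idea: it applies the change with Ubuntu 18.04's systemd-resolve (resolvectl only arrived in systemd 239), routes only the office zone to the internal servers while the VPN is up, and skips the rewrite when the state is unchanged, as the first answer suggests for cron. The unit name, link, zone, server addresses and state file path are placeholders.

```python
"""Point the uplink's resolver at office DNS only while the VPN unit is active."""
import subprocess
from pathlib import Path

VPN_UNIT = "corp-vpn.service"          # assumed name of the site-to-site VPN unit
LINK = "eth0"                          # assumed uplink interface handled by systemd-resolved
INTERNAL = ["10.0.0.10", "10.0.0.11"]  # assumed office DNS, reachable only over the VPN
PUBLIC = ["9.9.9.9", "1.1.1.1"]        # assumed public resolvers
ZONE = "~corp.example"                 # assumed office zone; '~' routes only these lookups
STATE = Path("/run/vpn-dns.state")     # remembers the last applied state between cron runs

def vpn_active():
    """True when systemctl reports the VPN unit active (exit code 0)."""
    return subprocess.run(["systemctl", "is-active", "--quiet", VPN_UNIT]).returncode == 0

def plan(active):
    """Pure decision: which servers, and which routing domain, the link should get."""
    return (INTERNAL, ZONE) if active else (PUBLIC, "")

def commands(active, link=LINK):
    """systemd-resolve invocations for the plan: revert first so a stale zone never lingers."""
    servers, zone = plan(active)
    base = ["systemd-resolve", f"--interface={link}"]
    setcmd = base + [f"--set-dns={s}" for s in servers]
    if zone:
        setcmd.append(f"--set-domain={zone}")
    return [base + ["--revert"], setcmd]

def apply(active, state=STATE, run=subprocess.run):
    """Apply the plan only when the VPN state differs from the last recorded one."""
    previous = state.read_text().strip() if state.exists() else ""
    if previous == str(active):
        return False                   # unchanged: do not rewrite the same settings
    for cmd in commands(active):
        run(cmd, check=True)
    state.write_text(str(active))
    return True

if __name__ == "__main__":
    print("updated" if apply(vpn_active()) else "unchanged")
```

Run it from cron (or a systemd timer) as root; the internal servers are never queried while the VPN is down, so the multi-second timeout the question describes disappears.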

How to have a VIP for 2 servers ( Prod and Dr )

We have prod and DR servers, and we would like to have a VIP for them. They are not exposed to the internet. Any one server will be active for the first 6 months, and after the DR drill the DR server will act as prod for the next 6 months. Here, we have upstream systems which push files (csv, text or zip) via SFTP to our servers, which would be nearly 200 - 300 MB per day. Currently, during every DR drill these upstream systems need to raise a change request to update the IP before the DR drill. This takes at least 2 weeks. To resolve this issue we decided to provide a VIP from our end, so that they can use the VIP to transfer files via SFTP.
Note: the DR server will be up but won't be active. App services won't be up.
File transfer via SFTP is not recommended on an F5 network (we are not on F5).
Both servers, Prod and DR, run on VMware.
We would like to have a VIP for these servers. I need your advice and suggestions.
Thanks in advance.
Bala
Bala, I think I understand your question; it's not quite clear what the question is, but my perception leads me to believe that you are trying to determine how to load balance the two server nodes.
==> First of all your group will have to acquire an F5 load balancer that is configured in accordance with your network requirements. I am assuming the load balancer is already live on the network. In order to load balance the two servers, you will have to create a pool consisting of the two servers; once the pool has been created, you then create a virtual server and associate the pool with the virtual server. Below are the essential steps required to make this happen. Also note that the server nodes have to be added to the Nodes in the load balancer (this has to be done first).
Add Node:
Go to local Traffic --- > Nodes -- > Create
a. Give the nodes a name
b. enter the IP address of the node in the IP field.
c. In the Configuration section, select "Node Default" for the Health Monitor
leave the rest at their default settings of 1,0,0.
Create Pool:
From the GUI go to Local Traffic -- > Pool --- > Create
a. give the pool a name
b. For now use tcp as the monitor (select from the available options)
c. In the Resources section fill in the following:
Load Balancing Method ==> Round Robin (traffic distributed in a circular fashion)
Other options include Least Connections, Observed, Random and many more; a good reference which has links to creating pools, VIPs etc.:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_pools.html
Create the Virtual Server:
In the GUI, go to --- > Local Traffic --- > Virtual Servers -- > create
a. Give the virtual server a name
b. In the Type description select "Standard" in this case; there are other options that do not apply to your request at the moment, but I advise you to read up on them. They are: Forwarding (Layer 2), Forwarding (IP), Performance (HTTP), Performance (Layer 4), Stateless, Reject, Internal.
c. In the Source field enter 0.0.0.0/0
d. In the Destination field select "Host" and enter the IP address of the VIP, which is normally the URL's DNS address.
e. Select the service port; for HTTP traffic select http/80. This could be whatever port your services are listening on. Note that for port 443/HTTPS you will require an SSL certificate.
f. In the Configuration section, select Advanced and select the following:
Protocol: TCP
Protocol Profile (client): tcp
Http Profile: http
Snat : Autosnat
I am assuming you are using AutoSNAT here; this is much simpler to deal with, otherwise a SNAT pool will have to be created.
g. At the bottom under "Resources", in the drop-down for the "Default Pool", select the pool you created above.
h. Select "Source Address" for the "Default Persistence Profile".
Click finish.
At this point, if the server nodes are live and configured with the appropriate page, the appropriate resources should be reachable. There are other criteria, such as monitors which can be specifically configured to monitor a particular page, but that is for another session.
I hope I pointed you in the right direction.
Note: You have to determine the type of service and application running on the servers; if the URL requires requests to return to the same server, then in this case

Pfsense as Router with Switch

Background:
I've recently set up my cable router in bridged mode to use pfSense for OpenVPN and some other features at my house. Once my modem is in bridged mode I can only have 1 port connected. So, without having another Gbit switch around, I figured I could add a 4-port HP Intel NIC to my pfSense box and use it similarly to my old setup. This proved to be problematic.
pfSense box
Onboard NIC [em4] set as DHCP to the modem. Bridged mode tested working with my laptop.
HP NIC
[em0] OPT1
[em1] OPT2
[em2] OPT3
[em3] LAN (first port on the card) 192.168.2.0/24
My goal is to have all ports on the HP NIC act as a bridge/switch like they did on my modem.
On first setup: the WAN port received its public-facing IP address OK and the default rules worked for LAN. So with my laptop wired to LAN everything is a go, but the OPT ports are not working as expected.
I enabled all OPT interfaces and set their IPv4 Configuration Type to None, as mentioned in the bridge guide.
I added the OPT and Lan interfaces to the bridge0 here: Interfaces > (assign)
Under System > Advanced on the System Tunables
I set:
net.link.bridge.pfil_member 0
net.link.bridge.pfil_bridge 1
For the firewall rules I left the OPTs blank, as I assumed from a guide they would inherit settings from LAN by being set on the bridge. But I have played around with so many firewall settings that I'm not even sure what to post here for the question. I've also tried setting up default allow-all rules for each.
So far I just can't seem to get DHCP to work for clients connected to the OPTs. If I set my clients to static I can access the pfSense box. I also noticed that I can communicate with another system via static IP if both are on different OPT connections, so I guess the bridge is working to some extent. I can also use nslookup with my system on an OPT port with a static IP set, but I can't access the web. So it's resolving DNS names, but still not allowing traffic. I must be missing some documentation on setting up the rules with a bridged configuration.
Any advice? Has anyone done it before?
Do you want:
each OPT to be a different network (VLAN) but leaving via the same Internet port? If so, is it valid that the firewall allows browsing for each OPT? (Review the rules under the OPT names.)

Make client point to DC for DNS automatically

I couldn't find a specific answer for my question, so here it goes: We have a local network with 5 computers and a server running Windows Server 2003. The network was working properly, but it seems that the server rebooted and we had to give a static DNS address to each workstation; otherwise they connect to the router 192.168.1.1 and are unable to access the local network or the Internet.
So my question is, how do you set up the server so that each workstation uses the server's IP as primary DNS automatically? Or is it better to configure each client with a static DNS?
Thanks in advance.
First, open Services (Windows Key + R, services.msc, hit Enter) and check that 'DHCP Server' is running and set to Automatic; if not, right-click and select Start. While you're there, restart the DNS Server service.
Secondly, if you are still getting your router's DNS, log in to your router and ensure DHCP is disabled. Your router may have been reset, and this may have enabled DHCP, which is causing all these problems.
Third, open DHCP (Start > Administrative Tools > DHCP), expand your server, and you should then see a folder with 'scope' in the name; if not, your DHCP needs to be configured (last resort). Expand the scope, then select Scope Options; it is here that you will see the IP address of the '006 DNS Servers' option. If it is missing, right-click and select Configure Options, scroll down to 006 DNS Servers and enter the name or (preferably) the IP address of your DNS server.
I'm 90% sure it'll be your router was reset.
I also thoroughly recommend you migrate from your Server 2003 machine to a new OS and new hardware if it is older than 4 years old as Server 2003 reached end of life on 08/04/2014 along with Windows XP and Office 2003.
Lastly, this may be more suited to ServerFault rather than StackOverflow (same family of websites).