Tuesday, November 2, 2010

FortiNet Flow Traces

Flow traces are useful for seeing things like which policy rule is being hit and which route is used to reach a specific IP.

Options for the diag debug flow filter command:

  • addr ip address
  • clear clear filter
  • daddr dest ip address
  • dport destination port
  • negate inverse filter
  • port port
  • proto protocol number
  • saddr source ip address
  • sport source port

Example:

  • diag debug enable
  • diag debug flow filter daddr 10.10.10.10
  • diag debug flow show console enable
  • diag debug flow trace start 100

The trace stops by itself after 100 packets. Debug output is expensive on a busy unit, so clear it down when you are finished:

  • diag debug flow trace stop
  • diag debug flow filter clear
  • diag debug disable
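Reading a long trace by eye is slow, so here is an added example (not FortiOS code and not from the original post) that groups trace output by trace_id and pulls out the two things the post says you use flow traces for: the policy that matched and the route/egress interface. The sample lines are constructed to mimic the msg="..." records FortiOS prints; wording differs between FortiOS versions, so the regexes are assumptions to adjust against real output.

```python
"""Summarise FortiGate 'diag debug flow' output: which firewall policy each
traced session matched and which route / egress interface it took.

Added example for this post, not FortiOS code. The trace lines below are
constructed to mimic the msg="..." records FortiOS prints; exact wording
varies between FortiOS versions, so treat the regexes as assumptions to
adjust against real output.
"""
import re
from collections import defaultdict

# Constructed sample trace, not a capture from a real unit.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 192.168.1.50:51234->10.10.10.10:443) from internal."
id=20085 trace_id=1 func=init_ip_session_common line=4531 msg="allocate a new session-0001a2b3"
id=20085 trace_id=1 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=659 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=17, 192.168.1.77:5353->10.10.10.10:53) from internal."
id=20085 trace_id=2 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-198.51.100.1 via wan2"
id=20085 trace_id=2 func=fw_forward_handler line=684 msg="Denied by forward policy check (policy 0)"
"""

TRACE_ID = re.compile(r"\btrace_id=(\d+)")
MSG = re.compile(r'msg="(.*)"\s*$')
PKT = re.compile(r"proto=(\d+), (\S+)->(\S+)\) from (\S+)\.")
ROUTE = re.compile(r"find a route: .*gw-(\S+) via (\S+)")
ALLOW = re.compile(r"Allowed by Policy-(\d+)")
DENY = re.compile(r"Denied by forward policy check \(policy (\d+)\)")


def parse_flow_trace(text):
    """Group trace lines by trace_id and pull out the fields you usually want:
    proto/src/dst/ingress from the packet line, gateway/egress from the route
    lookup, and the policy id plus the allow/deny verdict."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        tid = TRACE_ID.search(line)
        msg = MSG.search(line)
        if not tid or not msg:
            continue  # not a flow record (CLI echo, blank line, ...)
        s = sessions[int(tid.group(1))]
        m = msg.group(1)
        pk = PKT.search(m)
        if pk:
            s.update(proto=int(pk.group(1)), src=pk.group(2),
                     dst=pk.group(3), ingress=pk.group(4))
            continue
        rt = ROUTE.search(m)
        if rt:
            s.update(gateway=rt.group(1), egress=rt.group(2))
            continue
        al = ALLOW.search(m)
        if al:
            s.update(policy=int(al.group(1)), action="allow")
            continue
        dn = DENY.search(m)
        if dn:
            s.update(policy=int(dn.group(1)), action="deny")
    return dict(sessions)


def denied_sessions(sessions):
    """trace_ids that were dropped (policy 0 is the implicit deny), which is
    the usual question when 'the firewall is eating my traffic'."""
    return sorted(t for t, s in sessions.items() if s.get("action") == "deny")


if __name__ == "__main__":
    parsed = parse_flow_trace(SAMPLE_TRACE)
    for tid, s in parsed.items():
        print(tid, s)
    print("denied:", denied_sessions(parsed))
```

Paste real console output into SAMPLE_TRACE (or read it from a file) and the denied list tells you straight away which sessions hit policy 0, i.e. no policy matched at all.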






Thursday, October 7, 2010

SNMP TNT / APX Management

All the SNMP manager configurations are stored in SNMP-MANAGER profiles. You can use "save console snmp-manager" to look over them.

Don't use SNMP::read-access-hosts or SNMP::write-access-hosts to give a manager read/write access any more; those fields are deprecated. Create an SNMP-MANAGER profile for each manager instead, e.g.

tnt6> new snmp-manager
SNMP-MANAGER/"" read
tnt6> set name = 203.97.93.168
(New index value; will save as new profile SNMP-MANAGER/203.97.93.168.)
tnt6> set active = yes
tnt6> write
SNMP-MANAGER/203.97.93.168 written
tnt6> snmpmgrstat
  SnmpManager       Illegal Access       Invalid Version        Bad Community
   135.252.141.3             0                  0                     0
 135.252.136.234             0                  0                     0
   203.97.93.168             0                  0                     0      <==== the manager just added

tnt6> save co snmp-manager
; saved Tue Sep 14 12:48:11 2010
; saving profiles of type SNMP-MANAGER
new SNMP-MANAGER
set name = 135.252.136.234
set active = yes
write -f
;
new SNMP-MANAGER
set name = 135.252.141.3
set active = yes
write -f
;
new SNMP-MANAGER
set name = 203.97.93.168
set active = yes
write -f
;

So instead of "set read-access-hosts 1 = 203.167.203.56" in the SNMP profile, you are supposed to create an SNMP-MANAGER profile per manager. To review what you have made, use "save console snmp-manager".

SNMPTT for Trap Monitoring with Nagios + Cacti Install

Install & Configure Prerequisites

CentOS 5.5


Install Net-SNMP for the perl Modules

yum install net-snmp net-snmp-utils net-snmp-devel -y

yum groupinstall 'Development Tools'

yum groupinstall 'Development Libraries'

yum install perl-Config-IniFiles-2.56-1.el5.rf.noarch    (the .rf build comes from the RPMforge repository, which needs to be enabled first)

Install Apache

yum install httpd php gcc glibc glibc-common gd gd-devel 

Configure Apache to start on boot

/sbin/chkconfig --levels 345 httpd on 

Configure iptables to allow Apache traffic

/sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT 

/etc/init.d/iptables save 

/etc/init.d/iptables restart 

Install & Configure Nagios

Install Nagios & Plugins

yum install nagios nagios-plugins nagios-plugins-setuid

Create the default Nagios web access user & set a password

htpasswd -c /etc/nagios/htpasswd.users nagiosadmin    (-c creates the file; drop it when adding further users or it will overwrite the existing one)

Verify default config files

nagios -v /etc/nagios/nagios.cfg

Start Nagios

/etc/init.d/nagios start

Start Apache

/etc/init.d/httpd start

Download SNMPTT

wget -O snmptt_1.3.tgz 'http://downloads.sourceforge.net/project/snmptt/snmptt/snmptt_1.3/snmptt_1.3.tgz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fsnmptt%2Ffiles%2Fsnmptt%2Fsnmptt_1.3%2F&ts=1299457062&use_mirror=cdnetworks-us-2'

(The URL has to be quoted: unquoted, the "&" backgrounds wget and the shell tries to run "ts=..." as a command. The r/ts/use_mirror parameters are just the SourceForge mirror redirect; -O saves the file under the name the next step expects.)

Extract SNMPTT

tar xvzf snmptt_1.3.tgz

From the files it extracts

1. Copy snmptt to /usr/sbin/ and ensure it is executable (chmod +x snmptt)


2. Copy snmptthandler to /usr/sbin/ and ensure it is executable (chmod +x snmptthandler)


3. Copy snmptt.ini to /etc/snmp/ or /etc/ and edit the options inside the file.


4. Create the log folder /var/log/snmptt/.

Create the file snmptrapd.conf in /etc/snmp (nano /etc/snmp/snmptrapd.conf) and add:

traphandle default /usr/sbin/snmptt
disableAuthorization yes
donotlogtraps no

A word on disableAuthorization: with it set, snmptrapd accepts and hands to the trap handler any trap from anyone who can reach UDP/162, whatever community string they use. That is fine for a lab box; on a production collector restrict it instead with an authCommunity line, e.g. "authCommunity log,execute <community>", and firewall port 162 to the devices that are supposed to send traps.

5. For daemon mode (mode = daemon in snmptt.ini):

Replace the traphandle line in the Net-SNMP snmptrapd.conf with the daemon handler (use one or the other, not both):

traphandle default /usr/sbin/snmptthandler

Create the spool folder /var/spool/snmptt/:

mkdir /var/spool/snmptt/

A startup script is included which can be used to start and stop snmptt on Mandrake, RedHat and other systems. Copy the script to the init.d directory (renaming the file during the copy):

cp snmptt.init.d /etc/rc.d/init.d/snmptt

Add the service using chkconfig:

chkconfig --add snmptt

Configure the service to start at runlevel 2345:

chkconfig --level 2345 snmptt on

Snmptt will be started at the next reboot, or can be started immediately with:

service snmptt start

or

/etc/rc.d/init.d/snmptt start

To manually start snmptt, use:

snmptt --daemon

6. A log rotation script is included which can be used to rotate the log files on Mandrake, RedHat and other systems. Copy the file to the logrotate.d directory (renaming the file during the copy):

cp snmptt.logrotate /etc/logrotate.d/snmptt

Edit the /etc/logrotate.d/snmptt and update the paths and rotate frequency as needed.

7. Start snmptrapd with numeric OIDs from the command line: snmptrapd -On

If you have an /etc/rc.d/init.d/snmptrapd script, change its OPTIONS to include "-On" so it starts that way on boot (on CentOS the options live in /etc/sysconfig/snmptrapd).

Note: The -On is recommended. This will make snmptrapd pass OIDs in numeric form and prevent SNMPTT from having to translate the symbolic name to numerical form. If the UCD-SNMP / Net-SNMP Perl module is not installed, then you MUST use the -On switch. Depending on the version of UCD-SNMP / Net-SNMP, some symbolic names may not translate correctly. See the FAQ for more info.

As an alternative, you can edit your snmp.conf file to include the line: printNumericOids 1. This setting will take effect no matter what is used on the command line.
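To show what snmptrapd actually hands to a traphandle, and what snmptt/snmptthandler then turn it into for Nagios, here is an added example (not snmptt's or Nagios' code, and not from the original post) of a minimal handler that converts the post's test trap into a Nagios passive check result. What is known from the Net-SNMP side: the handler gets the agent hostname on stdin line 1, the transport address on line 2, then one "OID value" pair per line, numeric when snmptrapd runs with -On. The trap table, the service name snmp_traps and the Nagios command-file path are assumptions for illustration.

```python
"""A minimal snmptrapd 'traphandle' that turns a trap into a Nagios passive
check result, i.e. the job the post delegates to snmptt + snmptthandler.

Added example for this post, not snmptt's or Nagios' own code. Known: snmptrapd
feeds the handler on stdin with the agent hostname (line 1), the transport
address (line 2), then one "OID value" pair per line; with -On the OIDs are
numeric, which is why the post recommends that flag. The trap table, the
service name "snmp_traps" and the command-file path are assumptions.
"""
import sys
import time

SYS_UPTIME = ".1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID = ".1.3.6.1.6.3.1.1.4.1.0"
NAGIOS_CMD_FILE = "/var/spool/nagios/cmd/nagios.cmd"  # assumed path

# trap OID -> (Nagios state, text). 0=OK 1=WARNING 2=CRITICAL 3=UNKNOWN.
# The v1 test trap from the post (enterprise 1.2.3.4.5.6, generic 6,
# specific 99) is delivered as enterprise.0.specific, i.e. .1.2.3.4.5.6.0.99.
TRAP_TABLE = {
    ".1.2.3.4.5.6.0.99": (1, "snmptt test trap"),
    ".1.3.6.1.6.3.1.1.5.3": (2, "linkDown"),
    ".1.3.6.1.6.3.1.1.5.4": (0, "linkUp"),
}

# Constructed stdin, shaped like snmptrapd -On delivering the post's test trap.
SAMPLE_STDIN = """\
localhost
UDP: [10.10.10.60]:33000->[10.10.10.60]:162
.1.3.6.1.2.1.1.3.0 0:0:12:34.56
.1.3.6.1.6.3.1.1.4.1.0 .1.2.3.4.5.6.0.99
.1.11.12.13.14.15 "teststring"
"""


def parse_trap(stdin_text):
    """Return (host, transport, {oid: value}) from traphandle stdin."""
    lines = stdin_text.splitlines()
    if len(lines) < 3:
        raise ValueError("truncated trap: need host, transport and varbinds")
    host, transport = lines[0].strip(), lines[1].strip()
    varbinds = {}
    for ln in lines[2:]:
        if not ln.strip():
            continue
        oid, _, value = ln.strip().partition(" ")
        varbinds[oid] = value
    return host, transport, varbinds


def nagios_passive_check(stdin_text, service="snmp_traps", now=None):
    """Build the PROCESS_SERVICE_CHECK_RESULT external command for the trap.
    Trap OIDs not in the table map to UNKNOWN instead of being dropped, so a
    device sending something you have not catalogued still shows up."""
    host, transport, vb = parse_trap(stdin_text)
    trap_oid = vb.get(SNMP_TRAP_OID)
    if trap_oid is None:
        raise ValueError("no numeric snmpTrapOID varbind; was snmptrapd run with -On?")
    state, text = TRAP_TABLE.get(trap_oid, (3, "unknown trap %s" % trap_oid))
    ts = int(now if now is not None else time.time())
    # Nagios uses ';' as the field separator, so keep it out of free text.
    detail = ("%s from %s" % (text, transport)).replace(";", ",")
    return "[%d] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%d;%s" % (
        ts, host, service, state, detail)


if __name__ == "__main__":
    cmd = nagios_passive_check(sys.stdin.read())
    try:
        with open(NAGIOS_CMD_FILE, "a") as fh:  # the Nagios command pipe
            fh.write(cmd + "\n")
    except OSError:
        print(cmd)  # no Nagios on this box: show what would be submitted
```

Point snmptrapd at it with "traphandle default /path/to/this.py" for a quick pipeline test, or pipe SAMPLE_STDIN into it by hand. Remember that without authCommunity (or with disableAuthorization yes) anything that reaches port 162 ends up running through this handler, so keep the handler free of shell calls built from trap contents.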


Install instructions

http://xavier.dusart.free.fr/joomla/index.php/en/nagios/47-traps-snmp-dans-nagios

and

http://www.snmptt.org/docs/snmptt.shtml


For testing, enable in snmptt.ini:

unknown_trap_log_enable = 1
log_system_enable = 1

(unknown_trap_log_enable writes traps that match no EVENT in snmptt.conf to the unknown-trap log, so you can confirm the pipeline works before you have written any trap definitions.)


Useful Websites

http://xavier.dusart.free.fr/joomla/index.php/en/nagios/47-traps-snmp-dans-nagios

http://docstore.mik.ua/orelly/networking_2ndEd/snmp/appc_03.htm

Testing traps on CentOS

Send a v1 test trap to the local snmptrapd (the community "public" must be one snmptrapd accepts, unless you set disableAuthorization yes as above):

snmptrap -v 1 -c public localhost UCD-SNMP-MIB::ucdStart "" 6 17 "" SNMPv2-MIB::sysLocation.0 s "HelloWorld"


Linux Commands

Ubuntu

apt-get install
apt-get update
apt-get upgrade

sudo -s




CentOS

yum install
yum upgrade

Test trap for checking an snmptt install (v1 trap, enterprise OID 1.2.3.4.5.6, specific type 99, community "public"; change the host, community and OIDs to suit):

snmptrap -v 1 -c public 10.10.10.60 '1.2.3.4.5.6' '192.193.194.195' 6 99 '55' 1.11.12.13.14.15 s "teststring"

/etc/sysconfig/network-scripts    home of ifcfg-eth0 and the other interface config files

dig www.google.com    DNS lookup command

NagiosQL

NagiosQL3 Install on CentOS 4

So I downloaded the NagiosQL
wget http://ovh.dl.sourceforge.net/sourceforge/nagiosql/nagiosql302.tar.gz
tar xzf nagiosql302.tar.gz


Put the now extracted nagiosql3 folder into /var/www/html
nano /etc/httpd/conf/httpd.conf


Throw this at the bottom. (ServerName takes a host name or IP only; the "10.10.10.60/nagiosql" form does not work, the path comes from DocumentRoot.)

<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /var/www/html/nagiosql3
ServerName 10.10.10.60
ErrorLog logs/nagiosql3.log
CustomLog logs/nagiosql3 common
</VirtualHost>


touch /var/www/html/nagiosql3/install/ENABLE_INSTALLER

Browse to http://localhost and follow the steps in the installer. Once it is done, disable the installer again so nobody else can re-run it against your database (better still, delete the install directory entirely):

rm /var/www/html/nagiosql3/install/ENABLE_INSTALLER

Then reload http://localhost. Done.




Alteon Commands

To find the VI (dump the current SLB configuration, which lists the virtual servers and their real servers):

/c/slb/cur






To show stats about the VI

>> a1pcs2 - Main# stat/slb/vi 22
------------------------------------------------------------------
Virtual server 22 stats:
                                  Current      Total  Highest
Real IP address                  Sessions   Sessions Sessions           Octets
---- --------------------------- -------- ---------- --------  ---------------
  20 x
                                      805  190631382    23757    6821870549737
  21 x
                                      836  191753681    16004    6964881038203
---- --------------------------- -------- ---------- --------  ---------------
                         1641  382385063    39761   13786751587940


To show configuration info about the VI rather than stats: info/slb/vi 22


InfoBlox Support Info

To download the support bundle: from the Grid perspective, select the specific appliance, then 'Tools' on the top menu bar -> Download Support Bundle, and save the file to your PC.


To download an existing backup file: from the Grid tab, select the Grid Manager tab, then click Backup; use the Local Backup option on the toolbar to save the file locally.



Thursday, August 26, 2010


How to add a new device to Cacti.

Under the Management Tab select Devices.






This will load the devices page from where you can change existing devices or add a new device.



In the top right corner click the add button to add a new device. This will load the Devices page from where all the new information can be entered.



In the Description field enter the name you want the device to show up as, e.g. BC10. Under Hostname add either the fully qualified host name or the IP address of the host. Under Host Template you can either select a template you have made (I find the template normally doesn't work) or leave it as None and add the data sources later. Leave Downed Device Detection as SNMP and leave Ping Timeout Value and Ping Retry Count at their defaults.

SNMP Version can be changed to Version 2; you could select Version 3 if you like or if the device requires it. Mostly I don't, because Version 2 will suffice with less to fill in, though bear in mind that v1/v2c send the community string in the clear and that string is effectively the password for the device, so use a read-only community, and v3 with authentication (and privacy) where the device supports it. Community string needs to be filled in with the community string you set on the device you wish to monitor. SNMP port can be left as default unless you changed the port on the device or the device defaults to a different port. SNMP Timeout and Max OIDs can be left as default. Notes can be anything you want to record about the device for future reference.

Once you have filled out everything, click the create button at the bottom right of the page to create the device.

If you created it properly you should get something at the top of the page that is similar to this.




BC10 (***.***.***.***)
SNMP Information
System:*******
Uptime: *****
Hostname: *****-******-bc10
Location: ******
Contact:*******



Otherwise, if the device is unresponsive or incorrectly set up, you will most likely get the following. If you do, change the settings until you get no SNMP error.



BC8 (***.***.***.***)
SNMP Information
SNMP error




FortiNet 3G Redundacy

Changing the default distance on the 3G connection:

FGT # config system modem
FGT (modem) # set distance <1-255>
FGT (modem) # end

 Routing
You need one default route for each interface. Indicate which route is preferable by specifying the distance - the lower distance route is declared active and placed in the routing table.

Determining whether the link is down (ping servers)
Define a ping server - a device that will answer ping and thereby indicate whether that link is up. It is usually recommended to use the next hop / gateway device as the ping server.

Define the ping server under System>Network>Edit Interface.

Firewall policies
You must define duplicate firewall policies to ensure that after traffic fails over, it is permitted through the firewall. For example, Internal>WAN1 & Internal>WAN2.

Setting up the modem for NZ (Vodafone)

config system modem
set status enable
set mode redundant
set connect-timeout 30
set interface "wan1"
set phone1 "*99***1#" #This is specific to Vodafone
set extra-init1 "AT&FE0V1X1&D2&C1S0=0" #This appears to be specific to Vodafone E220
set distance 100
end
config system interface
edit "wan1"
set detectserver "74.125.155.104" #Find some reliable upstream server to ping test
next
end


3G Telecom Settings

set phone1 "#777"
set username1 "mobile@jamamobile"
set passwd1 "telecom"
#No “extra-init1” is necessary



Notes to Self:

Don't forget the ping server!

Currently 3G redundancy only works for one interface (one internet connection), so where you have VPN redundancy and multiple connections to the internet, put the 3G redundancy on the last-resort connection.


Lazy Mans Monitoring CactiEZ

For all those who don't want to build their own Cacti/Nagios image, here is a great place to go.

Cut n Paste from their site.


Cacti Made Easy

CactiEZ is a self installing Linux Distribution based off CentOS that sets up and configures a customized Cacti install. Everything is designed to be completely automated and working directly out of the box. This compact distro is loaded with extra features such as Syslog and Netflow data collection, Weathermaps, Reports, Auto Discovery, Router Config backup, Nagios, and much more! Both 32 Bit and 64 Bit installations are possible from the same CD.

This gives your system administrators more time to work on the real issues, and less time configuring and setting up your Monitoring System. Best of all, its absolutely FREE!

Fierce DomainScanner

About Fierce the DomainScanner

Fierce is a brute-force domain scanner. You feed it a domain, e.g. rapidshare.com, along with a wordlist of the naming variations the domain uses for sub domains (rs100, rs101 and so on). For every name that resolves it then scans up and down the surrounding address range looking for more hosts whose reverse lookups match the supplied domain. Currently I use http://mytexttools.com/Generate-List-of-Numbers.html to generate the numbered strings, with the naming patterns gathered from http://www.robtex.com/dns.

How to use Fierce.

Hosts.txt

This is the default brute-force list that fierce uses if another isn't supplied with the -wordlist option.

Fierce.pl

This is the main script. For help type perl fierce.pl -help. A default example is perl fierce.pl -dns rapidshare.com -file rapidshare.com. This scans the rapidshare.com domain using the default hosts.txt list and writes the output to the file rapidshare.com.

Other useful commands

-wide   Scans the whole class C of each hit, as opposed to the default of 5 addresses either side of a confirmed hit.

-wordlist textfile.txt      Supplies a custom brute-force list.

Example: perl fierce.pl -dns rapidshare.com -wide -wordlist rapidshare.txt -file rapidshare.com

This scans rapidshare.com using all the variations supplied in rapidshare.txt. For any hit it gets it scans the whole surrounding subnet for more hits, then writes the results to a file called rapidshare.com.


Limitations

The limitation I have found is that if you supply far too many variations in the brute-force list, the script can either fall over without completing or take days to finish. Around 30-40 thousand entries normally run fine (though these can still fall over); over 100 thousand it is highly unlikely the script will complete.

It's best to create a wordlist for each domain to keep the number of brute-force entries to a minimum.

Usage
perl fierce.pl -dns rapidshare.com -wide -threads 50 -wordlist filename -file outputfile
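To make the two stages concrete (the wordlist brute force, then the "5 either side" / -wide reverse-lookup expansion around each hit), here is an added example in Python. It is not Fierce's code and not from the original post; resolution goes through injected resolver functions so it runs offline against the constructed zone below, and the live_forward / live_reverse helpers are what you would pass in for a real scan. The domain, names and addresses are made up.

```python
"""Fierce-style subdomain brute force with the 'scan either side of a hit'
expansion the post describes: brute-force names from a wordlist, then for
every IP that resolves, reverse-look-up the neighbouring addresses (5 either
side by default, the whole /24 with wide=True, like fierce -wide) and keep
any name that belongs to the target domain.

Added example for this post, not Fierce's code. Resolution goes through
injected resolver functions so it runs offline against the constructed zone
below; pass live_forward / live_reverse for a real scan.
"""
import ipaddress
import socket

# Constructed zone for offline use, not real data for any domain.
FAKE_FORWARD = {
    "rs100.example.com": "203.0.113.10",
    "rs101.example.com": "203.0.113.12",
}
FAKE_REVERSE = {
    "203.0.113.8": "vpn.example.com",
    "203.0.113.10": "rs100.example.com",
    "203.0.113.12": "rs101.example.com",
    "203.0.113.14": "mail.example.com",
    "203.0.113.99": "unrelated.example.net",  # same /24, different domain
}


def live_forward(name):
    """A -> IP via the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(ip):
    """PTR lookup via the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def generate_wordlist(prefix, start, end, width=0):
    """rs100..rs199 style candidates, the list the post builds by hand."""
    return ["%s%0*d" % (prefix, width, n) for n in range(start, end + 1)]


def brute_force(domain, words, forward=live_forward):
    """name -> IP for every wordlist entry that resolves under domain."""
    hits = {}
    for w in words:
        name = "%s.%s" % (w, domain)
        ip = forward(name)
        if ip:
            hits[name] = ip
    return hits


def expand_neighbours(domain, hits, reverse=live_reverse, spread=5, wide=False):
    """IP -> name for addresses near each hit whose PTR lies in domain.
    Neighbours are only kept if the reverse name ends in the target domain,
    which is what stops a shared hosting /24 flooding the results."""
    suffix = "." + domain
    found, checked = {}, set()
    for ip in hits.values():
        base = ipaddress.ip_address(ip)
        if wide:
            candidates = list(ipaddress.ip_network("%s/24" % ip, strict=False).hosts())
        else:
            candidates = []
            for d in range(-spread, spread + 1):
                try:
                    candidates.append(base + d)
                except ValueError:  # walked off the end of the address space
                    pass
        for cand in candidates:
            if cand in checked:
                continue  # overlapping windows: look each address up once
            checked.add(cand)
            name = reverse(str(cand))
            if name and name.endswith(suffix):
                found[str(cand)] = name
    return found


if __name__ == "__main__":
    words = generate_wordlist("rs", 99, 102)
    hits = brute_force("example.com", words, forward=FAKE_FORWARD.get)
    print("hits:", hits)
    print("near:", expand_neighbours("example.com", hits, reverse=FAKE_REVERSE.get))
```

Keep the "checked" set: it is the equivalent of the wordlist-size limitation above, since without it two hits in the same /24 with -wide would cost you 254 reverse lookups each.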






Thanks to the Great People at http://ha.ckers.org/fierce/ for the code and know how.

Tuesday, August 24, 2010

The procedure to disable/enable a slot card on APX/TNT

1. Use "show" to find which slot you want to disable/enable (in this case we use slot 1 as the example):

> show
Shelf 1 ( standalone ):
                          Reqd  Oper   Slot Type
{ shelf-1 slot-1 0 }       UP    UP    8e1-card
{ shelf-1 slot-2 0 }       UP    UP    8e1-card
{ shelf-1 slot-3 0 }       UP    UP    8e1-card
{ shelf-1 slot-4 0 }       UP    UP    ether3nd-card
{ shelf-1 slot-5 0 }       UP    UP    madd2-card
........

2. Read the corresponding slot-admin profile:

> dir slot-admin
15 09/09/2009 08:44:48 { shelf-1 slot-1 0 }
15 09/09/2009 08:44:48 { shelf-1 slot-2 0 }
15 09/09/2009 08:44:48 { shelf-1 slot-3 0 }
15 09/09/2009 08:44:48 { shelf-1 slot-4 0 }
........

> read slot-admin {1 1 0}
SLOT-ADMIN/{ shelf-1 slot-1 0 } read
> list
[in SLOT-ADMIN/{ shelf-1 slot-1 0 }]
slot-address* = { shelf-1 slot-1 0 }
reqd-state = reqd-state-up

3. Change the state as you want:

> set reqd-stat ?
reqd-state:
The required operational state of the slot. Changing this value initiates a state change. The change is complete when the current state changes to match the reqd-state. This value is initialized from the administrative state of the slot at system startup.
Enumerated field, values:
reqd-state-down: The addressed device is required to be in the down, non-operational state.
reqd-state-up: The addressed device is required to be in a normal operating state.
reqd-state-maint: The addressed device is required to be in a non-operational maintenance state.

> set reqd-stat = reqd-state-down
> write

4. Use "show" to double-check that the change has taken effect (Reqd now shows DOWN and the card resets):

> show
Shelf 1 ( standalone ):
                          Reqd  Oper   Slot Type
{ shelf-1 slot-1 0 }       DOWN  RESET 8e1-card
{ shelf-1 slot-2 0 }       UP    UP    8e1-card
{ shelf-1 slot-3 0 }       UP    UP    8e1-card
{ shelf-1 slot-4 0 }       UP    UP    ether3nd-card
{ shelf-1 slot-5 0 }       UP    UP    madd2-card

TX and RX errors on a RAS ethernet port

Step 1, Find the slot of the ethernet card with "show" and open it:

labapx>show
Controller { right-controller } ( PRIMARY ):
                          Reqd  Oper   Slot Type
{ left-controller }        UP    UP    ( SECONDARY )
{ shelf-1 slot-11 0 }      UP    UP    8e1-card
{ shelf-1 slot-12 0 }      UP    UP    8e1-card
{ shelf-1 slot-13 0 }      UP    UP    8e1-card
{ shelf-1 slot-14 0 }      DOWN  RESET madd2-card
{ shelf-1 slot-15 0 }      UP    UP    madd2-card
{ shelf-1 slot-16 0 }      UP    UP    madd2-card
{ shelf-1 slot-17 0 }      UP    UP    madd2-card
{ shelf-1 slot-18 0 }      UP    UP    madd2-card
{ shelf-1 slot-20 0 }      UP    UP    ether3nd-card
{ shelf-1 slot-40 0 }      UP    UP    ether3nd-card

cwam-t-006>open 20

Step 2, Find the logical interface number for the physical ports:

ether3nd-1/20> ifmgr -d
 if  slot:if   u p  ifname    mac addr           local-addr
----------------------------------------------------------------
000  0:00:000  *    pb0       00:00:00:00:00:00  0.0.0.0/32
002  1:42:587  *    ie1-20-2  00:d0:52:04:70:b1  203.22.111.20/25
003  1:42:588  *    ie1-20-3  00:d0:52:04:70:b2  0.0.0.0/0
004  1:42:589  *    ie1-20-4  00:d0:52:04:70:b3  192.168.201.8/24
009  1:20:009  *    lo0       00:00:00:00:00:00  127.0.0.1/32
010  1:20:000  *    rj0       00:00:00:00:00:00  127.0.0.2/32
011  1:20:000  *    bh0       00:00:00:00:00:00  127.0.0.3/32
012  0:00:000  *    local     00:00:00:00:00:00  127.0.0.1/32

Step 3, Check the statistics for that interface number (here if 2 = ie1-20-2):

ether3nd-1/20> ifstat 2
         Octets   Unicast  Multicast  Broadcast  Discards  Errors  UnkProto
IF 2 : ie1-20-2
In:     5040460   82642    0          0          655       0       8
Out:    0         0        0          0          0         0

Useful Lucent APX/TNT Commands

show (shows all the cards and their status)
fatal (shows the error log and event messages)
redundant (swaps the controller cards over)
red-bits (shows the current hardware revision of the controller card)
modem -help (command info)
mdmdis (disables a range of modems on a slot, e.g. "mdmdis 1 15 1 96" disables modems 1-96 on shelf 1 slot 15)
mdmen (same as mdmdis but for enabling modems)

read slot-info { 1 15 0}
list serial (these two commands let you read the serial number of an installed card without having to remove it)

uptime -a (shows the uptime of the slot cards)
slot -b (bounces a slot card, e.g. slot -b 8)
save console (shows the config)
log -p (shows the log, though it is limited in size so doesn't hold a lot)

APX>get slot-info {1 15 0}
[in SLOT-INFO/{ shelf-1 slot-15 0 }]
slot-address* = { shelf-1 slot-15 0 }
serial-number = 1035301756
software-version = 10.1
software-revision = 0
software-level = ""
hardware-level = " A"
software-release = e153



save console (prints out the settings for the box; "save console snmp" prints only the profiles of that type)

The Beginning

Why a blog?

Mainly this blog is going to be my dumping ground for information that I pick up along the way that I feel could be a help to myself and need to store or publish so I can find it more easily. Hopefully some of the networking stuff I post here will help others too.

Also, if any of my blog posts are copies of your own IP, throw it in the comments with the http address of the content and I will change/remove my blog post.