FortiAuthenticator – HA Clustering

FortiAuthenticator can be used when adding strong authentication to a network. FortiAuthenticator has more options, like FSSO (FortiNet Single Sign-On) in conjuction with a FortiGate firewall. You can create a FortiAuthenticator cluster very easily. I normally configure a active/passive cluster and not a load-balancing cluster. When creating an active/passive cluster you should follow these guidelines:

  1. use port1 as the default (production) port;
  2. use port2 as HA cluster port;
  3. The slave unit can only be managed via port2;
  4. When a failover occurs, the slave takes over the IP address of the masters port1;
  5. The HA IP address is always unique, so I use this IP address to register the licenses for both appliances;
  6. Configure priority High for the master and priority Low for the slave, like show in the image;

FAC-HA-config

Often I use FortiAuthenticator with FortiGate or appliances like Citrix NetScaler or Pulse Secure to enable two-factor authentication. Like I stated above, the slave unit takes over the masters port1 IP address. This implies that you only need to configure one RADIUS server in your front-end appliance. This is not true.

I added the master FAC as RADIUS server to a FortiGate firewall. Authentication is working fine. Next I shutdown the master FAC. The slave unit takes over and the “masters” port1 IP address is accessible, so it can be used for authentication. But when you authenticate to the master IP address something “strange” happens. The slave unit response to the RADIUS request with its own port1 IP address. You can see this in the packet sniffer on the FortiGate below. The master IP on port1 is 10.10.10.10 and the slave IP is 10.10.10.11. I shutdown the master unit and try to authenticate.

BZO-FG500-01 # diagnose sniffer packet any ‘udp and port 1812’
interfaces=[any]
filters=[udp and port 1812]
27.067084 10.10.200.201.1063 -> 10.10.10.10.1812: udp 129
27.074294 10.10.10.11.1812 -> 10.10.200.201.1063: udp 40
32.070029 10.10.200.201.1063 -> 10.10.10.10.1812: udp 129
32.070220 10.10.10.11.1812 -> 10.10.200.201.1063: udp 40

As you can see the FGT sends the RADIUS request to the master IP 10.10.10.10, but the slave FAC answers with the IP 10.10.10.11, so authentication is unsuccessful. I needed to add the slave FAC as well to the FortiGate as RADIUS server to successfully authenticate in the event the primary FAC is lost.

Flash clean-up

Lately I upgraded a Aruba Networks wireless controller or at least I tried…… The upload of a new image to the controller has two steps. First the copy process from a TFTP server to the controller and second the actual writing of the new firmware image to flash (system partition). The second step kept showing me exclamation marks for minutes. I left it running for one hour and finally decided to break the upload by ending the SSH session and starting a new SSH session. I wasn’t able to connect to the controller via SSH and physical access via the console didn’t work either. So I decided to reboot the controller via the hard reset. The controller rebooted the old system partition, but I noticed that the new system partition was imported and digitally signed (check via: show image version).

I changed the boot parameter to boot the new software and rebooted the controller. I received the following error message on the console after the reboot.

Ancillary image stored on flash is not for this release
************************************************************
* WARNING: An additional image upgrade is required to complete the *
* installation of the AP and WebUI files. Please upgrade the boot *
* partition again and reload the controller. *
************************************************************

I decided to upload the firmware a second time to the same system partition, but this time the controller “told” me that there wasn’t enough free space on the flash drive so I couldn’t copy the file. I noticed that I only had 35M flash storage left (check via: show storage).

I deleted some files from flash (via command: delete filename <file name>), but I couldn’t free enough space to copy the image a second time. Finally I used the tar command to clean up enough storage. The tar command archives a directory and creates a tar file in the flash memory, which can be deleted. The syntax is:

tar clean {crash|flash|logs}| crash | flash | logs {tech-support|user}}

I ran the commands:

tar crash
tar flash
tar logs.

This creates three separate files in the flash memory. The files can be deleted via the commands:

tar clean flash
tar clean logs
tar clean crash

After running these commands I had113.3M flash storage available, which is more than enough to copy the new firmware a second time to the system partition.

In my situation the crash files were the reason I didn’t have enough flash memory. Because I did a hard reset the controller created a lot of crash files, which are stored in flash memory.

FortiGate – Outbound OSPF filtering

Just a quick post on filtering outbound OSPF advertisements. I had some struggle with this config today.

config router prefix-list
  edit “filter-outbound”
  config rule
    edit 1
      set prefix 10.10.0.0 255.255.0.0
      unset ge
      unset le
    next
    edit 2
      set prefix 10.20.0.0 255.255.0.0
      unset ge
      unset le
    next
    edit 3
      set action deny
      set prefix any
      unset ge
      unset le
    next
  end
 next
end
!
config router ospf
 set router-id 1.1.1.10
  config area
    edit 1.1.1.1
      config filter-list
        edit 1
          set list “filter-outbound”
          set direction out
        next
end

Like a said: a quick-and-dirty  note

Useful command: netsh wlan

The management of wireless networks can be done via the Windows command “netsh wlan”. This command is especially useful when using Windows 8. You can use other “netsh” subcommands to retrieve other system information, like “netsh lan” to get information about your Wired AutoConfig Service settings.

The following table describes some options for “netsh wlan”.

Command Description
show profiles show all save profiles
delete profile name=”profile name” delete a specific profile
show profile name=”profile name” key=clear retrieve saved WPA2 PSK
export profile “profile name” folder=c:\export export a profile with all settings to the directory c:\export
add profile filename=”c:\export\filename” user=all import a profile with all settings to all users profiles
show profile “profile name” display information on the specific wifi network
show interfaces shows a list of the wireless LAN interfaces on the system
show all display information on all currently available wifi networks

There are a lot more useful commands available. You can always use the question mark to get more options.

NetScaler VPX – upgrade firmware

I am fairly new to NetScaler to I tried to upgrade the software via CLI. This is what I if done.

  1. Download the upgrade firmware via MyCitrix.com
  2. Backup the configuration
  3. Upgrade the software to the NetScaler appliance (I used pscp.exe on a Windows machine to upload the software to the directory /var/nsinstall/11.0/63.16. I created the directories 11.0/63.16 before uploading the firmware)
  4. Untar the software
  5. Install the software (relax and take your time)
  6. Reboot the appliance
  7. Verify the upgrade (show version)

When everything goes according to plan, you would see the following output:

root@netscaler# tar zxvf build-11.0-63.16_nc.tgz
x .ns.version
x ns-11.0-63.16.gz
x ns-11.0-63.16.sha2
…….
x libvpath_if.so
x Citrix_Netscaler_InBuilt_GeoIP_DB.csv.gz

root@netscaler# ./installns
installns: [94606]: BEGIN_TIME 1444387063 Fri Oct 9 12:37:43 2015
installns: [94606]: VERSION ns-11.0-63.16.gz
installns: [94606]: VARIANT v
installns: [94606]: No options
…….
installns: [94606]: prompting for reboot
installns: [94606]: END_TIME 1444387469 Fri Oct 9 12:44:29 2015

Installation has completed.

Reboot NOW? [Y/N]