FortiGate – Outbound OSPF filtering

Just a quick post on filtering outbound OSPF advertisements. I had some struggle with this config today.

config router prefix-list
  edit "filter-outbound"
    config rule
      edit 1
        set prefix
        unset ge
        unset le
      next
      edit 2
        set prefix
        unset ge
        unset le
      next
      edit 3
        set action deny
        set prefix any
        unset ge
        unset le
      next
    end
  next
end
config router ospf
  set router-id
  config area
    config filter-list
      edit 1
        set list "filter-outbound"
        set direction out
      next
    end
  end
end

Like I said: a quick-and-dirty note

Useful command: netsh wlan

The management of wireless networks can be done via the Windows command “netsh wlan”. This command is especially useful when using Windows 8. You can use other “netsh” subcommands to retrieve other system information, like “netsh lan” to get information about your Wired AutoConfig Service settings.

The following table describes some options for “netsh wlan”.

| Command | Description |
| --- | --- |
| show profiles | show all saved profiles |
| delete profile name="profile name" | delete a specific profile |
| show profile name="profile name" key=clear | retrieve saved WPA2 PSK |
| export profile "profile name" folder=c:\export | export a profile with all settings to the directory c:\export |
| add profile filename="c:\export\filename" user=all | import a profile with all settings to all users' profiles |
| show profile "profile name" | display information on the specific wifi network |
| show interfaces | shows a list of the wireless LAN interfaces on the system |
| show all | display information on all currently available wifi networks |

There are a lot more useful commands available. You can always use the question mark to get more options.

NetScaler VPX – upgrade firmware

I am fairly new to NetScaler, so I tried to upgrade the software via CLI. This is what I have done.

  1. Download the upgrade firmware via
  2. Backup the configuration
  3. Upload the software to the NetScaler appliance (I used pscp.exe on a Windows machine to upload the software to the directory /var/nsinstall/11.0/63.16. I created the directories 11.0/63.16 before uploading the firmware)
  4. Untar the software
  5. Install the software (relax and take your time)
  6. Reboot the appliance
  7. Verify the upgrade (show version)

When everything goes according to plan, you would see the following output:

root@netscaler# tar zxvf build-11.0-63.16_nc.tgz
x .ns.version
x ns-11.0-63.16.gz
x ns-11.0-63.16.sha2
x Citrix_Netscaler_InBuilt_GeoIP_DB.csv.gz

root@netscaler# ./installns
installns: [94606]: BEGIN_TIME 1444387063 Fri Oct 9 12:37:43 2015
installns: [94606]: VERSION ns-11.0-63.16.gz
installns: [94606]: VARIANT v
installns: [94606]: No options
installns: [94606]: prompting for reboot
installns: [94606]: END_TIME 1444387469 Fri Oct 9 12:44:29 2015

Installation has completed.

Reboot NOW? [Y/N]

NetScaler VPX – management certificate

I would like to upgrade my current NetScaler VPX Express configuration via GUI. For some security reason Internet Explorer and Firefox aren’t able to access the GUI. They return the error message that the NetScaler is using a wrong SSL certificate.

The default SSL self-signed certificate is installed on the appliance. I have uploaded a “real” certificate to content switch and load balancing. I would like to use the same certificate for GUI management. To change the certificate, access the NetScaler via SSH.

To check the current certificate, run the following command; you will get output like the following.

> sh run | grep "bind ssl service"
bind ssl service nshttps-::1l-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-::1l-3008 -certkeyName ns-server-certificate
bind ssl service nskrpcs- -certkeyName ns-server-certificate
bind ssl service nshttps- -certkeyName ns-server-certificate
bind ssl service nsrpcs- -certkeyName ns-server-certificate

If you would like to see all your available certificates, enter the following command.

> sh run | grep "ssl certKey"
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
add ssl certKey wildcard-booches-nl -cert sslcert-wildcard-booches-nl.pem -key passwd-private-wildcard-1route-nl.pem -passcrypt "adfadf&*fU="
add ssl certKey root-booches -cert cacert.pem

I would like to bind the certificate “wildcard-booches-nl”, so I use the following commands to bind the certificate to the different management services.

bind ssl service nskrpcs- -certkeyName wildcard-booches-nl
bind ssl service nshttps- -certkeyName wildcard-booches-nl
bind ssl service nsrpcs- -certkeyName wildcard-booches-nl

Export StartTLS certificate from SMTP server

While configuring Office365 as the messaging (SMTP) server within Aruba ClearPass, I needed to upload the certificate from the StartTLS session to the certificate trust list of ClearPass. I had to export the certificate via the following OpenSSL command:

openssl s_client -showcerts -starttls smtp -crlf -connect

After running the command, you will see some output like shown in the image.

I copied both parts between BEGIN CERTIFICATE and END CERTIFICATE to two different text editor files and saved them with the extension .cer. Next I was able to upload both certificates to the certificate trust list in ClearPass and configure the message server with StartTLS Connection Security.
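
Added example (not part of the original post): a POSIX shell version of the copy-and-paste step above. It splits the s_client output into one .cer file per complete certificate and prints each one's subject, issuer, expiry and SHA-256 fingerprint, so they can be checked before upload to the trust list. The function names, output file names and the HOST:PORT argument are assumptions; the post's -connect target is not shown, so it is passed in as a parameter.

```shell
#!/bin/sh
# Added example, not from the original post. Function and file names are illustrative.

# split_pem_chain OUTDIR: read `openssl s_client -showcerts` output on stdin,
# write each complete PEM block to OUTDIR/cert-N.cer, print the number written.
# Blocks are buffered so a truncated certificate never reaches disk.
split_pem_chain() {
    mkdir -p "$1" || return 1
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside { sub(/\r$/, ""); buf = buf $0 "\n" }   # drop CR from CRLF output
        inside && /-----END CERTIFICATE-----/ {
            n++; file = sprintf("%s/cert-%d.cer", dir, n)
            printf "%s", buf > file; close(file); inside = 0
        }
        END { print n + 0 }
    '
}

# describe_certs OUTDIR: print identifying fields of every exported file.
describe_certs() {
    for f in "$1"/cert-*.cer; do
        [ -f "$f" ] || continue
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -enddate -fingerprint -sha256
    done
}

# Constructed stand-in for s_client output: two complete blocks and one
# truncated block. The base64 bodies are dummies, not real certificates.
sample_s_client_output() {
    printf '%s\r\n' 'CONNECTED(00000003)' ' 0 s:CN = constructed-leaf' \
        '-----BEGIN CERTIFICATE-----' 'QUJD' '-----END CERTIFICATE-----' \
        ' 1 s:CN = constructed-ca' \
        '-----BEGIN CERTIFICATE-----' 'REVG' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'R0hJ'
}

# Live use: sh export-chain.sh HOST:PORT OUTDIR
# HOST:PORT is the value you give to -connect (not shown in the post).
if [ "$#" -eq 2 ]; then
    openssl s_client -showcerts -starttls smtp -crlf -connect "$1" \
        </dev/null 2>/dev/null | split_pem_chain "$2" && describe_certs "$2"
fi
```

Compare the printed fingerprints with a value obtained through a separate channel before adding the files to the trust list.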