Connecting the world…


FortiMail – Howto enable DLP

FortiMail has the option to use Data Loss Prevention (DLP) as an additional security mechanism. According to the release notes, this feature was introduced in firmware 5.3. By default the DLP option is not visible in the GUI.

FortiMail - No DLP

DLP can be enabled via the CLI, but it is a well-hidden feature. The option is set from the “system global” configuration. When you do a “get” or “set ?” in the “system global” menu, the option is not listed, but you can still type it manually.

mail # config system global

mail (global) # set data-loss-prevention enable

mail (global) # end

This enables DLP and adds a new configuration menu to the GUI.

FortiMail - DLP enabled

SMTP Auth testing via CLI

Just a quick note to describe the procedure for testing SMTP AUTH via the command line. First you need to encode the username and password in Base64. This can be done in several ways. The easiest way would be via

Next you can use the following commands via telnet to test SMTP AUTH. I always use OpenSSL to connect to the mail server, because OpenSSL gives you the option to connect to the mail server using STARTTLS.

1) Connect to the mail server

openssl s_client -starttls smtp -crlf -connect

2) Send the EHLO command to see which items the server supports

EHLO ME Hello []
250-SIZE 157286400

3) Start SMTP AUTH with the AUTH LOGIN command

AUTH LOGIN
334 VXNlcm5hbWU6

4) The 334 reply tells you to enter the Base64-encoded username (VXNlcm5hbWU6 is Base64 for “Username:”). When the correct username is entered, the server responds with “334 UGFzc3dvcmQ6” (Base64 for “Password:”).
5) Enter the Base64-encoded password. The server responds with a success or failure message.

235 2.7.0 Authentication successful target host

6) Now enter the standard commands to send a mail.

SUBJECT: this is the subject

This is the body of the message
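The AUTH LOGIN exchange described in steps 3 to 5, as an added example that is not part of the original post. It simulates both sides in-process rather than talking to a real mail server, so it runs offline: the server class reproduces only the 334/235/535/503 state machine, and the account name and password are constructed. The point worth seeing is that the username and password travel as plain Base64, which is encoding, not encryption; that is why the session is wrapped in STARTTLS with openssl s_client rather than plain telnet.

```python
import base64
import binascii

# Constructed test account for the simulated server (not from the original post).
ACCOUNTS = {"alice": "s3cret"}


def b64(text):
    """Base64-encode a string the way AUTH LOGIN expects: ASCII, no trailing newline."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_challenge(reply):
    """Turn a '334 <base64>' server line into the human-readable prompt it carries."""
    code, _, payload = reply.partition(" ")
    if code != "334":
        raise ValueError("not an AUTH challenge: " + reply)
    return base64.b64decode(payload).decode("utf-8")


class FakeAuthLoginServer:
    """Server side of AUTH LOGIN, reduced to the state machine behind the 334/235/535 replies."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.state = "idle"
        self.pending_user = None

    def handle(self, line):
        if self.state == "idle":
            if line.strip().upper() == "AUTH LOGIN":
                self.state = "want_user"
                return "334 " + b64("Username:")      # 334 VXNlcm5hbWU6
            return "503 5.5.1 Bad sequence of commands"
        try:
            decoded = base64.b64decode(line, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            self.state = "idle"
            return "501 5.5.2 Cannot decode response"
        if self.state == "want_user":
            self.pending_user = decoded
            self.state = "want_pass"
            return "334 " + b64("Password:")          # 334 UGFzc3dvcmQ6
        # state == "want_pass": one attempt, then back to idle either way
        self.state = "idle"
        if self.accounts.get(self.pending_user) == decoded:
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"


def auth_login(server, username, password):
    """Client side: the three lines you would type into the openssl s_client session."""
    transcript = []
    for cmd in ("AUTH LOGIN", b64(username), b64(password)):
        transcript.append((cmd, server.handle(cmd)))
    return transcript


def auth_result_code(transcript):
    """Numeric SMTP reply code of the final server line (235 success, 535 failure)."""
    return int(transcript[-1][1].split()[0])


if __name__ == "__main__":
    for attempt in ("s3cret", "wrong"):
        for sent, received in auth_login(FakeAuthLoginServer(ACCOUNTS), "alice", attempt):
            print("C:", sent)
            print("S:", received)
        print()
```

Running the script prints the client/server transcript once with the right password (ending in 235) and once with a wrong one (ending in 535). `decode_challenge` is the quick way to read what a 334 line is asking for when a server uses a prompt other than the usual “Username:”/“Password:”.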


The Early Deployment release software from ArubaOS has been released. I looked into the release notes and found some interesting new features.

  • Cellular Handoff Assist is Configurable Per Virtual AP: The cellular handoff assist feature can help a dual-mode, 3G/4G-capable Wi-Fi device such as an iPhone, iPad, or Android client at the edge of Wi-Fi network coverage switch from Wi-Fi to an alternate 3G/4G radio that provides better network access. This setting can now be applied to individual virtual APs via the WLAN virtual-ap profile.
  • Plug and Play 4G USB Modem: ArubaOS supports USB modem Plug and Play. The controller auto-configures the 4G USB modem as soon as the user plugs the modem into an AP or a RAP.
  • Support for Secondary AP Master: Starting from ArubaOS, seamless connectivity is provided even when the master controller fails, by allowing an access point to terminate on a secondary master controller.
  • Customizing Authentication Reply-Message to Captive Portal Users: ArubaOS introduces the support for customizing authentication Reply-Message to captive portal users in the log-in page for better user experience. The purpose behind the Reply-Message is to return appropriate information to the captive portal system.
  • Multi-Version Licensing: ArubaOS supports multi-version licensing, which allows centralized licensing clients to run a different version of the license than that of the primary and backup licensing servers. If a license is introduced in a newer version of ArubaOS, the primary and backup licensing servers set can still distribute licenses to licensing clients running an older version of ArubaOS, even if the licensing client does not recognize the newer license type.
  • Subscription-Based Web Content Classification License: ArubaOS introduces support for the Web Content Classification (WebCC) license; a subscription-based, per-AP license that supports web content classification features on an AP for the duration of the subscription period (up to 10 years per license).
  • NTP Standalone: NTP standalone feature enables an Aruba controller to act as an NTP server so that the devices that do not have access to Internet can synchronize their clocks. Enabling this feature eliminates the need to provision and maintain another virtual machine on the network.
  • Geo-Location Filtering: Starting from ArubaOS, to support IP-classification-based firewall, an IP reputation database containing a list of IP addresses with malicious activities is introduced. This helps in rejecting the traffic sent to or received from those IP addresses classified as malicious based on the policy configured. Using the geolocation IP database, the geographical location of the malicious IP address is also determined, and traffic is permitted or denied after scanning the geography-based rules configured by the administrator.
  • Wi-Fi Calling: ArubaOS supports Wi-Fi Calling in the controller. Wi-Fi calling service allows cellular users to make or receive calls using a Wi-Fi network instead of using the carrier’s cellular network.
  • Blocked Session: Starting from ArubaOS, a new tab called Blocked Sessions is added to the Traffic Analysis page. The Blocked Sessions tab displays WebCC and AppRF sessions that are blocked by an access control list (ACL), as recorded through system logging, or that are blocked via the WebUI.

The release notes can be downloaded here.

ClearPass – concurrent session limit

I tried to configure a restriction on the number of concurrent active sessions a user can have on the wireless network. I found a great article on the AirHeads Community, “How to deny access for authentication requests based on session limit?”

In short the article tells you to:

  1. Edit the Insight Repository
  2. Add more Filters on the Attributes tab
  3. Enter the following information
    1. Filter Name: sessions
    2. Filter Query: see below
    3. Name: sessions
    4. Alias Name: sessions
    5. Data Type: Integer
    6. Enabled As: Role
  4. Add the Insight Repository as Authorization Source
  5. Create an Enforcement Policy Condition to check the Insight Repository
    1. Type: Authorization:[Insight Repository]
    2. Name: sessions
    4. Value: <number of allowed simultaneous connections + 1>

I configured my ClearPass environment as shown in the article, but I didn’t see any active sessions in the Access Tracker. The counter remained 0. I connected to the Insight database with the tool pgAdmin to see whether the Insight database was being updated. The database is updated, so everything seemed to be working.

By accident I found the solution. The SSID uses EAP-PEAP authentication and users enter their username as <username>@<domain-name>. This is necessary because the SSID is configured to work with Govroam. Govroam provides government employees with seamless access to WiFi networks wherever the service has been made available by participating organisations. To authenticate the users correctly, I configured the CPPM Service with Strip Username Rules.

Strip Username Rules

The SQL query checks the attribute %{Authentication:Username}:

select count(*) as sessions from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null AND (updated_at BETWEEN (now() - interval '1 hour') AND now());

In the InsightDB the username has the format <username>@<domain-name>, but the attribute %{Authentication:Username} has the format <username>. I saw this “mismatch” while checking the Access Tracker.

ClearPass Access Tracker

I altered the query by changing %{Authentication:Username} into %{Authentication:Full-Username}. After this the session information was correct and I could use the session counter in a Role Mapping or Enforcement Profile to limit the number of concurrent active sessions per user.
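The mismatch described above, reproduced as an added example that is not part of the original post or of ClearPass itself. It builds a constructed radius_acct table in SQLite (the real Insight database is PostgreSQL, so now() - interval '1 hour' is written as datetime('now', '-1 hour') here), runs the article's filter query once with the stripped username and once with the full one, and shows why the counter stayed at 0. The user names, the session rows and the limit semantics in evaluate() are this example's own assumptions.

```python
import sqlite3

# Constructed rows standing in for ClearPass Insight's radius_acct table (not real data).
# (username, end_time, termination_cause, minutes since updated_at)
SAMPLE_ROWS = [
    ("jdoe@example.gov", None, None, 5),                              # active
    ("jdoe@example.gov", None, None, 20),                             # active, second device
    ("jdoe@example.gov", "2024-01-01 10:00:00", "User-Request", 5),   # ended: excluded
    ("jdoe@example.gov", None, None, 180),                            # stale (> 1 hour): excluded
    ("asmith@example.gov", None, None, 1),                            # other user
]

# The article's Insight filter query, ported from PostgreSQL to SQLite for this demo:
# now() - interval '1 hour' becomes datetime('now', '-1 hour'); the username is bound
# as a parameter instead of being interpolated as %{Authentication:...}.
SESSION_QUERY = """
select count(*) as sessions
from radius_acct
where username = ?
  and end_time is null
  and termination_cause is null
  and updated_at between datetime('now', '-1 hour') and datetime('now')
"""


def build_insight_db():
    """Create an in-memory radius_acct table populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table radius_acct ("
        "username text, end_time text, termination_cause text, updated_at text)"
    )
    for user, end_time, cause, minutes_ago in SAMPLE_ROWS:
        conn.execute(
            "insert into radius_acct values (?, ?, ?, datetime('now', ?))",
            (user, end_time, cause, f"-{minutes_ago} minutes"),
        )
    conn.commit()
    return conn


def count_sessions(conn, username):
    """Run the filter query for one username value, as Insight does with the attribute substituted."""
    return conn.execute(SESSION_QUERY, (username,)).fetchone()[0]


def strip_realm(full_username):
    """What a Strip Username Rule does: %{Authentication:Username} loses the @domain part."""
    return full_username.split("@", 1)[0]


def evaluate(conn, full_username, max_sessions):
    """Compare the count seen via the stripped and the full username and apply the limit
    to the correct one (the 'count < max_sessions' rule is this example's own reading)."""
    with_stripped = count_sessions(conn, strip_realm(full_username))   # the mismatch: always 0
    with_full = count_sessions(conn, full_username)                     # the real count
    return {
        "username": with_stripped,
        "full_username": with_full,
        "allowed": with_full < max_sessions,
    }


if __name__ == "__main__":
    db = build_insight_db()
    print(evaluate(db, "jdoe@example.gov", max_sessions=2))
```

With the sample rows, the query keyed on the stripped name returns 0 while the one keyed on the full name returns 2: the ended session and the one not updated within the last hour are filtered out, exactly as the article's WHERE clause intends.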

FortiGate – IPSec with dynamic IP

Site-to-site VPN connections are a common way to connect a branch office to the corporate network. In the Netherlands it is still common for a branch office to have an internet connection with a dynamic IP address. A dynamic IP address is not ideal when configuring a site-to-site VPN connection, because the configuration almost always relies on static IP addresses.

I recently configured an IPSec VPN between two FortiGate appliances and the branch appliance is using a dynamic IP address. I used Fortinet’s DDNS feature to configure the VPN.

To configure the branch FortiGate for DDNS, I had to configure the WAN interface to retrieve its IP address via DHCP. Next I configured DDNS.

config system ddns
edit 1
set ddns-server FortiGuardDDNS
set ddns-domain ""
set monitor-interface "wan1"
next
end

This can also be done in the GUI.


The VPN configuration on the hub firewall for dynamic DNS support is the same as the configuration of a regular VPN connection. The only difference is the configuration of the peer IP address. Instead of a static IP, you configure the DDNS FQDN.

config vpn ipsec phase1-interface
edit "vpn_p1_branche01"
set type ddns
set interface "wan1"
set proposal 3des-sha1
set dhgrp 2
set remotegw-ddns ""
set psksecret P$k-VPN!
next
end

And as you can imagine, this can also be done via the GUI.

FortiDDNS IPSec - HQ

Check the status of the VPN connection via the regular methods, such as the CLI (get vpn ike gateway or get vpn ipsec tunnel name <tunnel-name>) or the GUI.
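A pre-deployment check for the hub-side phase1-interface block above, as an added example that is not part of the original post and not a Fortinet tool. It parses a FortiOS config/edit/set/next/end block into a dictionary and verifies the points that matter for a dynamic-IP peer: type must be ddns and remotegw-ddns must hold a hostname rather than an IP literal. It also flags the 3des-sha1 proposal and DH group 2 from the post as legacy choices and shows the same block with aes256-sha256 and group 14, which current FortiOS releases support. The DDNS hostname and pre-shared key in the sample are placeholders, not the post's values.

```python
import ipaddress
import re

# Constructed phase1-interface block modelled on the post's hub configuration.
# The DDNS hostname and pre-shared key are placeholders, not the post's values.
WEAK_PHASE1 = """
config vpn ipsec phase1-interface
    edit "vpn_p1_branche01"
        set type ddns
        set interface "wan1"
        set proposal 3des-sha1
        set dhgrp 2
        set remotegw-ddns "branch01.ddns.example.invalid"
        set psksecret PSK_PLACEHOLDER
    next
end
"""

# Same block with a modern proposal and DH group (both valid FortiOS values).
HARDENED_PHASE1 = WEAK_PHASE1.replace("3des-sha1", "aes256-sha256").replace("set dhgrp 2", "set dhgrp 14")

LEGACY_ALGORITHMS = {"des", "3des", "md5", "sha1"}
LEGACY_DH_GROUPS = {"1", "2", "5"}


def parse_fortios_block(text):
    """Parse a FortiOS 'config / edit / set / next / end' block into {entry: {key: value}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        m = re.match(r'^set\s+(\S+)\s+(.+)$', line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip().strip('"')
        elif line in ("next", "end"):
            current = None
    return entries


def check_ddns_phase1(settings):
    """Findings for one phase1-interface entry that is meant to reach a dynamic-IP peer."""
    findings = []
    if settings.get("type") != "ddns":
        findings.append("type is not ddns: peer would be matched by static IP")
    peer = settings.get("remotegw-ddns", "")
    if not peer:
        findings.append("remotegw-ddns is empty: nothing to resolve")
    else:
        try:
            ipaddress.ip_address(peer)
            findings.append("remotegw-ddns is an IP literal, not a DDNS hostname")
        except ValueError:
            pass  # a hostname, as intended
    for proposal in settings.get("proposal", "").split():
        if LEGACY_ALGORITHMS & set(proposal.split("-")):
            findings.append(f"legacy proposal {proposal}: prefer AES with SHA-256 or GCM")
    for group in settings.get("dhgrp", "").split():
        if group in LEGACY_DH_GROUPS:
            findings.append(f"legacy DH group {group}: prefer group 14 or higher")
    if not settings.get("psksecret"):
        findings.append("psksecret missing")
    return findings


def audit(text):
    """Map every entry in a phase1-interface block to its list of findings."""
    return {name: check_ddns_phase1(cfg) for name, cfg in parse_fortios_block(text).items()}


if __name__ == "__main__":
    for label, block in (("weak", WEAK_PHASE1), ("hardened", HARDENED_PHASE1)):
        print(label, audit(block))
```

The parser is deliberately simple: it handles one config block at a time and keeps the last value of a repeated set key, which is enough to paste the output of "show vpn ipsec phase1-interface" into it and see whether the DDNS peer settings and the proposals are what you expect before bringing the tunnel up.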
