Connecting the world…

howto

FortiMail – Howto configure DLP

The previous post showed the steps necessary to enable DLP. This post describes the workflow to configure DLP. I needed DLP to relay outbound messages to a specific mail relay based on header information.

At first I create a DLP rule to define the matching conditions. I match specific header information, which is added to a message by the internal MS Exchange server.

DLP Rule

You can match multiple conditions, like subject, recipient, sender, body or attachments and you can also use regular expressions. This makes it very powerful to match specific or multiple characteristics from a message. You can also add exceptions to the DLP rule.

The next steps involves creating a DLP Profile. The DLP profile sets the action, when the DLP rule is matched. You need to specify a default action and you can overwrite is by defining specific actions for specific DLP rules. I create an action to deliver mail to an alternate host. The action can be configured from the DLP profile pane or you can configure the action under the Content Profile Actions. I needed to configure an outbound action, which needs to be created under the Content Profile Action.Relay Action

I use the above action as default in the DLP Profile and set my scan rule to use the default action.

DLP Profile

The DLP profile can be assigned to an IP Policy or Recipient Policy. I need to relay message in the outbound direction, so I create an Outbound Recipient Policy and assign the DLP profile.

FML DLP Recipient Policy

FortiMail – Howto enable DLP

FortiMail has the option to use Data Loss Prevention as enhanced security mechanism. This feature is introduced in firmware 5.3, according to the release notes. By default the DLP option is not visible on the GUI.

FortiMail - No DLP

DLP can be enabled via the CLI, but it is a well hidden feature. The option can be enabled from the “system global” configuration. When you do a “get” or “set ?” from the “system global” menu, you don’t see the option, but you are able to type it manually.

mail # config system global

mail (global) # set data-loss-prevention enable

mail (global) # end

This enables DLP and adds a new configuration menu to the GUI.

FortiMail - DLP enabled

Upgrade Juniper SA cluster

Add On: This procedure also works for the new Juniper MAG appliances. But keep in mind during the upgrade of the second host (and also the first): BE PATIENT!!

A Juniper SA cluster can be configured as active/active or active/standby cluster. An active/active cluster uses an external load balancer or DNS round-robin to enable load-sharing across multiple appliances. Today I had to upgrade an active/standby cluster and found an KB article on the Juniper website (restricted access) about the preferred upgrade method.

Juniper uses the following steps to upgrade a cluster:

  1. 1. Login directly to a member in the cluster as administrator;
  2. 2. Disable the member from the cluster;
  3. 3. Upgrade the service package on the disabled member;
  4. 4. After the upgrade is completed login back to the IVE and enable the disabled member in the cluster configuration;

The following notes are mentioned by Juniper:

  • In active/standby cluster mode, it is recommended to start the upgrade process with the passive members and after completing the upgrade on the passive IVE and moving to the upgrade of the active IVE please note all connections are dropped when the active IVE is disabled. However after disabling the active node the passive IVE becomes active;
  • Once the upgraded member is enabled back in the cluster, it shows the other nodes as Unreachable. This is expected behavior as the cluster members are running different versions and hence cannot sync with each other;
  • Once the second IVE is being upgraded all user connections are dropped and not migrated due to the mismatch of software versions. This limitation is addressed in 4.0 with the Minimal downtime cluster upgrade available in the licensable Central Manager feature set;

I followed the steps mentioned above and the upgrade of the IVE cluster went smoothly. I disabled the passive node and upgraded the firmware with the new package. After the upgrade (and a reboot) the passive node was reachable in standalone mode. Next I logged in to the active IVE and enabled the passive node back into the cluster. When you hit Enable you receive the warning message that the configuration of the new cluster node will be erased and overwritten with the configuration of the active node. Just choose Yes.

After enabling the passive node, you will loose your web session with the active node. The VIP address is taken over by the new node in the cluster and the “old active” node starts updating automatically. This is a little tricky, because you don’t notice anything from the update process taken place. Just have patience and ping the node to check when it is online again. When the node is back online, login to the IVE and check the Cluster Status. Both IVE are now updated and members of the cluster. You could decide to do a manual Fail-Over IP to the “old active” node so everything is back to the original state before the upgrade.

Step-by-step guide: SwitchMap under CactiEZ

Switchmap is a Perl program that creates HTML pages that show information about a set of Cisco Ethernet switches. It uses SNMP to gather data from the switches. Normally I install Switchmap in conjunction with CactiEZ and every time I am struggling to get Switchmap to work perfectly.

During another installation I wrote this step-by-step guide to configure switchmap correctly. This step-by-step guide is based on switchmap version 11.19. At first you have to download switchmap, extract it to the /var/www/html directory and rename the folder.

tar zxvf switchmap-11.19.tar.gz
mv switchmap-11.19 switchmap

Switchmap depends on multiple Perl modules, so install the necessary modules.

perl -MCPAN -e shell
install Log::Log4perl
install Module::Build
install Net::SNMP
install Log::Dispatch::Screen

Make sure your routers and Catalyst switches are configured to speak SNMP.

snmp-server community read4switchmap RO

Now you have to define your site-specific variables in ThisSite.pm. I changed the following parameters.

@routers = ();
push @routers, ‘10.62.4.2’;

@LocalSwitches = ();
push @LocalSwitches, ‘10.62.4.2’;

$Community = ‘read4switchmap’;

$DnsDomain = ‘.booches.nl’;

$DestinationDirectory = ‘/var/www/html/switchmap’;

$DestinationDirectoryRoot = ‘/switchmap’;

$StateFileDirectory = ‘/var/www/html/switchmap’;

Change the configfile variable in index.php to the following:

$configfile=’/var/www/html/switchmap/ThisSite.pm’;

Switchmap has the option to search for IP addresses and MAC addresses, but you have to alter the configuration to get this functionality working. First change the following in FindOffice.pl.

use lib ‘/var/www/html/switchmap’;

Change the configuration of the web server to allow it to run CGI files from the switchmap directory. I added the following lines above the existing ScriptAlias in /etc/httpd/conf/httpd.conf.

ScriptAlias /cgi/ “/var/www/html/switchmap/”

<Directory “/var/www/html/switchmap”>
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>

Edit SearchPortLists.html and change the following lines.

<link href=”/switchmap/SwitchMap.css” rel=”stylesheet”>

<form method=GET action=”/cgi/FindOffice.pl”>

Change the rights on the files FindOffice.pl and ThisSite.pm

chmod 777 FindOffice.pl
chmod 777 ThisSite.pm

Now you can test run your installation by executing the following 3 commands:

perl GetArp.pl
perl ScanSwitch.pl
perl SwitchMap.pl

When the commands are executed you can point your browser to:

http://<cacti-url>/switchmap/index.html

and you should have a working Switchmap configuration.

The last step is configuring a cron job to schedule switchmap. Change the cron configuration using the command

crontab –e

and add the following lines.

44 * * * * perl /var/www/html/switchmap/ScanSwitch.pl
49 * * * * perl /var/www/html/switchmap/GetArp.pl
05 14 * * * perl /var/www/html/switchmap/SwitchMap.pl

You are good to go!! I hope this step-by-step guides makes my life (and hopefully also your life) a bit easier when installing a new Switchmap under CactiEZ.

OpenSSL & Cygwin – Certificate Authority

I am using OpenSSL in conjunction with Cygwin on my Windows laptop to generate Certificate Signing Request and other SSL certificate related issues. Today I configured my own Certificate Authority, using the following guideline.

Preparations

First I created some directories, like shown below:

mkdir /home/sslCA
cd /home/sslCA
mkdir certs private newcerts

Next I created a serial file which will be used to name the new certificates generated and an index.txt file.

echo 1000 > serial
touch index.txt

Generating the CA

After setting up the appropriate directory, I generated the Certificate Authority, like shown below.

cd /home/sslCA
openssl.exe req –new –x509 –days 3650 –extensions v3_ca \
-keyout private/cakey.pem –out cacert.pem \
-config /usr/ssl/openssl.cnf

The command above generates the following output:

Generating a 1024 bit RSA private key
.++++++
…………………++++++
writing new private key to ‘private/cakey.pem’
Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [NL]:
State or Province Name (full name) [Some-State]:Noord-Brabant
Locality Name (eg, city) []:Eindhoven
Organization Name (eg, company) [Internet Widgits Pty Ltd]:4IP BV
Organizational Unit Name (eg, section) []:IP Consultancy
Common Name (eg, YOUR name) []:4IP Root CA
Email Address []:

Now I have a running Certificate Authority, which is ready to signing new certificates.

SubjectAltNames

If you would like to add SubjectAltNames to your certificate, you can add the names by adding them to an extensions file. Below is an example of the file, which I named booches.extensions.cnf

basicConstraints=CA:FALSE
subjectKeyIdentifier = hash

[alt_names]
DNS.1 = *.booches.nl

ad

Performing an SSL Request

I used the following command, with it’s output, to generate an SSL Certificate Signing Request.

cd /home/sslCA
openssl req -sha256 –new –nodes \
-out cert-www-4ip-nl.pem \
-keyout private/priv-www-4ip-nl.pem \
-config /usr/ssl/openssl.cnf

Generating a 1024 bit RSA private key
………..++++++
….++++++
writing new private key to ‘private/priv-www-4ip-nl.pem’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [NL]:NL
State or Province Name (full name) [Some-State]:Noord-Brabant
Locality Name (eg, city) []:Eindhoven
Organization Name (eg, company) [Internet Widgits Pty Ltd]:4IP BV
Organizational Unit Name (eg, section) []:IP Consultancy
Common Name (eg, YOUR name) []:www.4ip.nl
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Signing CSR

The last step in the process is signing the CSR. I used the following command to sign the CSR.

openssl ca –config /usr/ssl/openssl.cnf \
-out sslcert-www-4ip-nl.pem \
-extfile booches.extensions.cnf\
-infiles cert-www-4ip-nl.pem

When you want to configure a certificate to use with Windows Server 2003 IAS vor MS-PEAP authentication, you have to add the option ‘-extensions server_ext’. This command results in the following output:

Using configuration from /usr/ssl/openssl.cnf
Enter pass phrase for /home/sslCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Sep 30 11:01:11 2009 GMT
Not After : Sep 28 11:01:11 2019 GMT
Subject:
countryName               = NL
stateOrProvinceName       = Noord-Brabant
organizationName          = 4IP BV
organizationalUnitName    = IP Consultancy
commonName                = www.4ip.nl
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
37:6B:52:95:B6:2D:26:76:C1:CD:E9:3C:58:E5:89:B4:26:34:83:43
X509v3 Authority Key Identifier:
keyid:64:6A:E7:65:B0:96:F6:56:49:A2:4D:EA:7F:68:3F:18:D1:86:2B:0E

Certificate is to be certified until Sep 28 11:01:11 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Now I have all the appropriate files:

  • Certificate: /home/sslCA/sslcert-www-4ip-nl.pem
  • Key: /home/sslCA/private/priv-www-4ip-nl.pem

Converting to PKCS#12

Windows environments normally use PKCS#12 files. The following command generates a PKCS#12 file with the user certificate, the private key and the CA certificate:

cd /home/sslCA

openssl pkcs12 –export –out www-4ip-nl.pfx \
-inkey private/priv-www-4ip-nl.pem \
-in sslcert-www-4ip-nl.pem \
-certfile cacert.pem

This commands generates the appropriate PFX file (www-4ip-nl.pfx) for specific Windows environments, like IIS. Other usefull commands to convert certificate formats can be found here.

I added the following lines to openssl.cnf to use the extensions option for EAP authentication with Windows Server 2003 IAS.

[ client_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ server_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1