Policy Based Routing on a Cisco ASA

Cisco ASA 9.4 (and later) now supports Policy Based Routing. Yeah. Great news, since many customers are requesting something like “HTTP traffic to the left – VoIP traffic to the right”. Having a new Cisco ASA 5506-X at hand, I was happy to try the policy based routing feature.

The configuration steps through the ASDM GUI are not easy and are full of pitfalls, so I try to give some hints within this blog post.


Policy Based Forwarding on a Palo Alto with different Virtual Routers

This guide is a little bit different from my other Policy Based Forwarding blog post because it uses different virtual routers for the two ISP connections. It is quite common to have a distinct default route for each provider. So, in order to route certain traffic, e.g., http/https, to another ISP connection, policy based forwarding is used.


Policy-Based Routing on ScreenOS with different Virtual Routers

I already published a blog post concerning policy-based routing on a Juniper firewall within the same virtual router (VR). For some reason, I was not able to configure PBR correctly when using multiple VRs. Now it works. 😉 So, here are the required steps:


Palo Alto High Availability Heartbeat

Besides the HA1 and HA2 interfaces on a Palo Alto Networks firewall, there are the HA1/HA2 Backup and Heartbeat Backup options. I was a bit confused while reading the high availability documentation, since it did not clearly specify when and where to use the dedicated management port for which kind of “backup”.

Basically, it should read that there are two different ways to use the dedicated management port for an HA backup: the heartbeat backup OR the HA1 backup.


Roundcube Installation Guide

Roundcube is an email web client which is easy and intuitive to use. I am using it for my private mails, connecting via IMAP and SMTP to my hoster. One of the great advantages is the “flag” option, which is synchronized via IMAP to my Apple devices.

The following is a step-by-step installation guide for Roundcube plus an update scenario. It is a kind of “memo for myself”, but hopefully others can use it as well.


1&1 DSL Routing: Differing Hop Counts

For over a year I have been recording the number of hops from a number of DSL connections (see here). My monitoring server runs behind a static Telekom connection, while the private Internet connections come from various providers (1&1, Kabel Deutschland, Telekom). Unfortunately I do not know in detail how these providers route their traffic, but at least 1&1 seems to have something strange built in, since very often a clear difference in the number of hops can be seen after the nightly forced disconnect.


Policy Routing on a FortiGate Firewall

This is a small example of how to configure policy routes (also known as policy-based forwarding or policy-based routing) on a Fortinet firewall, which is really simple. Only one single configuration page and you’re done. 😉


IPsec Site-to-Site VPN FortiGate <-> FRITZ!Box

Here is a short guide on how to set up a site-to-site VPN between a FortiGate firewall and an AVM FRITZ!Box. I show the FortiGate setup using screenshots, while for the FRITZ!Box I provide a template of the *.cfg configuration file.


Yet another ownCloud Installation Guide

If you want to use your own ownCloud installation, you can find several documents on the Internet on how to set up this server, e.g. the official ownCloud documentation, or installation guides such as this or that or here. But none of these pages alone provided enough information for installing a secure server completely from the beginning.

So here comes my step-by-step guide, which surely won’t be complete either. 😉 However, hopefully it will help other people while searching for their way to install ownCloud. Additionally, I am showing how to upgrade an ownCloud server.


Out of the Box Network Analyzer “ntopng”

Some time ago I installed a new firewall at a customer’s site. Meanwhile, the customer was interested in the flows that are traversing the firewall right now. Oh. Good question. Of course it is easy to filter through the log messages of firewalls, but these logs only cover finished sessions. Yes, there are “session browsers” or the like on all firewalls, but they are not nice and handy for analyzing the sessions in real time.

The solution was to put a network analyzer on a mirror port near the firewall. I decided to use ntopng running on the live Linux distribution Knoppix. Great choice! An old notebook with two network adapters fits perfectly. A handful of commands and you’re done:


F5 SSL Profile: “Single DH use” not working?

In the Logjam attack paper, a sentence about the F5 load balancers confused me a bit: “The F5 BIG-IP load balancers and hardware TLS frontends will reuse g^{b} unless the “Single DH” option is checked.” This sounds like “it does NOT use a fresh/ephemeral Diffie-Hellman key for new connections”. I always believed that when a cipher suite with EDH/DHE is chosen, the Diffie-Hellman key exchange always generates a new b for computing g^{b}. Hm.

Therefore, I tested this “Single DH use” option on my lab F5 unit in order to find out whether the same public key (as seen in Wireshark) is used for more than one session.


Telekom Dual-Stack Connection Setup

Until recently I had a normal DSL connection from 1&1: dial in via PPPoE, get an IPv4 address, done. Besides the FRITZ!Box, of course, any reasonable router or firewall can do that.

Now I finally have a proper dual-stack (IPv4 and IPv6) connection from Telekom (fiber “MagentaZuhause M” without TV, see here). Hooray! 😉 But before I replace the supplied Speedport with various other test devices, I wanted to capture properly which protocols are actually used during connection setup. I was especially interested in the prefix delegation via DHCPv6…


BOINC Load depends on Processor Type

I am running two old notebooks in my laboratory for several server purposes. Last year, I started to support the World Community Grid project with the idle time on these laptops. Nothing interesting so far. However, it is interesting to track the CPU load, since it differs between the two laptops because the projects require different CPU types.


Basic IPv6 Messages: Wireshark Capture

When explaining IPv6, I always show a few Wireshark screenshots to give a feeling of what IPv6 looks like. Basically, stateless address autoconfiguration (SLAAC), DHCPv6, Neighbor Discovery, and a simple ping should be seen and understood by any network administrator before using the new protocol.

Therefore, I captured the basic IPv6 autoconfiguration with a Knoppix Linux behind a Telekom Speedport router (German ISP, dual-stack) and am publishing this capture file here. I am using this capture to explain the basic IPv6 features.


Ping Times/Latency: DSL vs. Fiber, IPv4 vs. IPv6

For a few days now I have been a happy customer of a Telekom fiber connection. With a hefty 50/10 MBit/s the data races in and out. Besides the significantly higher speed, I was also interested in the latencies of the two connections and ran corresponding tests. Here are the results.
