I initially stored my ownCloud data on an external NTFS hard disk. (Yes, this was not a good idea at all.) After some time now I wanted to move the files to a bigger ext4 drive on the same machine. Unluckily there are many posts and articles that are really irritating on the Internet, such as: 1, 2, 3, 4, 5. At least I found some promising hints at the official GitHub forums (this and that) and gave it a try:
A few weeks ago I swapped a FortiGate 100D firewall to a 90D firewall. The 100D was defective and needed to be replaced. Since the customer only has a 20 Mbps ISP connection, I thought that a FortiGate 90D would fit for the moment, since it has a firewall throughput of 3,5 Gbps, compared to the lower value of 2,5 Gbps from the 100D.
Indeed, it worked. However, the CPU usage increase was huge, almost related to the NGFW throughput. Here are some graphs:
This blog post is about using NetFlow for sending network traffic statistics to an nProbe collector which forwards the flows to the network analyzer ntopng. It refers to my blog post about installing ntopng on a Linux machine. I am sending the NetFlow packets from a Palo Alto Networks firewall.
My current ntopng installation uses a dedicated monitoring ethernet port (mirror port) in order to “see” everything that happens in that net. This has the major disadvantage that it only gets packets from directly connected layer 2 networks and vlans. NetFlow on the other hand can be used to send traffic statistics from different locations to a NetFlow flow collector, in this case to the tool nProbe. This single flow collector can receive flows from different subnets and routers/firewalls and even VPN tunnel interfaces, etc. However, it turned out that the “real-time” functionalities of NetFlow are limited since it only refreshes flows every few seconds/bytes, but does not give a real-time look at the network. It should be used only for statistics but not for real-time troubleshooting.
This is a really cool and easy to use feature of the FortiGate firewall: the traffic shaper. Once an application category uses too much traffic, the bandwidth consumption can be decreased with it. Just about three clicks:
I really like the FortiGate firewalls. They are easy to manage and have lots of functionality. However, I am also aware of some other firewall products and therefore have some feature requests to Fortinet that are not currently implemented in their firewalls. I am sometimes forwarding these FRs to the Fortinet support or to an SE, but they are not really interested in that. ;( So here is a list of my ideas that could improve the firewall. Hopefully/maybe some of them will be implemented one day…
Once more some throughput tests, this time the Palo Alto Networks firewalls site-to-site IPsec VPN. Similar to my VPN speedtests for the FortiGate firewall, I set up a small lab with two PA-200 firewalls and tested the bandwidth of different IPsec phase 2 algorithms. Compared to the official data sheet information from Palo Alto, which states an IPsec VPN throughput of 50 Mbps, the results are really astonishing.
After I had done some speedtests on the FortiGate firewall I was interested in doing the same tests on a Palo Alto. That is: What are the throughput differences of IPv4 vs. IPv6, measured with and without security profiles, i.e., with and without threat prevention.
It turned out that the throughput is much higher than the official information from Palo Alto. Furthermore, I was not able to test the threat prevention at all, because none of my traffic (Iperf and mere HTTP) went through the antivirus engines. I have to test this again. However, here are the measured values so far:
I, too, notice that I am getting older. It has now reached the point where technology that was state of the art “in my youth” is totally outdated. A nice and, for me, sad example is the Maglite. THE flashlight of the cops in the USA, which can even be used as a baton! It has long since been replaced by a high-tech LED flashlight (in my case a ThruNite). Here are a few lines of farewell…
Now that my home-built ADS-B antennas are already running very well, someone gave me the idea of buying an ADS-B antenna on eBay that is specifically tailored to this frequency range (see this comment). Indeed, you can get one for just a few euros. Whether such a semi-professional antenna provides a wider reception range than my antenna had to be proven in a comparison test.
Hooray, finally another tinkering project. For Korg’s toy synthesizer Monotron there is a small board called MIDI-IF, which can use a MIDI keyboard as the input source instead of the ribbon controller, which cannot be played seriously. In other words: you can play proper notes with it, since the keys of a keyboard are of course much easier to operate than the ribbon controller, with which you can only roughly hit the right key. For just under 30,- € (including shipping) and a few hours of soldering and tinkering you can get started.
In addition, I built the whole thing into an aluminium enclosure and fitted it with a DI box. So it can go straight to the big stage. 😉
Sometimes you want to reinstall your Raspberry Pi without swapping the SD card, or remotely because it is located at another physical location. Here is a solution to reinstall the operating system remotely.
For almost two years I have been running a RIPE Atlas Probe in my server room. It resides in its own security zone on a Palo Alto firewall (which also powers the probe via its USB port :)). With this post I publish a few traffic statistics about the RIPE Atlas Probe.
I had an error on my PA-200 with PAN-OS 7.0.5 while trying to download a new firmware version. “Error: There is not enough free disk space to complete the desired operation. […]”. Even the tips to delete older software, dynamic updates, etc., and to use the “set max-num-images count” command did not lead to a successful download.
Finally, the TAC support could solve the problem via root access to the Palo Alto firewall and by manually moving data files…
I really love ping! It is easy to use and directly reveals whether the network works or not. Refer to Why Ping is no Security Flaw! (But your Friend) and Advanced Tracerouting. At least outgoing pings (from trust to untrust) should be allowed without any security concerns. However, many companies are denying these ICMP echo-requests from untrust into the DMZ which makes it difficult to test whether all servers are up and running.
I was sitting at the customer’s site replacing the DMZ firewall. Of course I wanted to know (from the outside) whether all servers are connected correctly (NAT) and whether the firewall permits the connections (policy). However, ping was not allowed. Therefore I used several layer 7 ping tools that generate HTTP, DNS, or SMTP sessions (instead of ICMP echo-requests) and revealed whether the services (and not only the servers) were running. Great!
This post shows the installation and usage of httping, dnsping, and smtpping on a Linux machine, in my case an Ubuntu server 14.04.4 LTS, as well as some Wireshark screenshots from captured sessions.