FortiGate Auto Backup to SFTP configuration

Hello everyone, today I am going to show you how to automatically back up your FortiGate configuration. As you know, backing up the configuration is crucial for every network engineer. Sometimes, network engineers forget to download backups of their configurations. If you follow along with me in this video, your firewall configuration will be automatically backed up every day. Additionally, every time an admin user logs in to the FortiGate, it will also generate the configuration and upload it to SFTP.

Step 1: Access the FortiGate Web Interface

  1. Open a web browser and enter the IP address or hostname of your FortiGate device to access its web interface.

Step 2: Log In

  2. Log in to the FortiGate web interface with administrative credentials.

Step 3: Configure the SFTP Server

  a. Navigate to System > Config > Features.
  b. Locate the “Backup” section and ensure that “Enable SFTP” is enabled. This allows the FortiGate device to communicate with the SFTP server for backup purposes.

Step 4: Create a Backup Profile

  a. Go to System > Admin > Settings.
  b. Under Backup, you’ll find the “Backup Profiles” section. Click on the “Create New” button to create a new backup profile.

Step 5: Configure the Backup Profile

  a. In the “Create New Backup Profile” window, provide a descriptive name for the profile. This name will help you identify the backup profile later.
  b. Select the frequency at which you want backups to occur. You can choose from options like daily, weekly, or monthly.
  c. Specify the time of day when the backup should be initiated. Choose a time that is convenient and doesn’t disrupt your network operations.
  d. Under the “Backup Location” section, select “SFTP Server” as the backup destination.

Step 6: Configure SFTP Server Settings

  a. After selecting “SFTP Server,” you’ll need to enter the following details for your SFTP server:
    – Server IP Address or Hostname: This is the address of your SFTP server where backups will be sent.
    – Port: Typically, SFTP uses port 22, but ensure it matches your SFTP server’s configuration.
    – Username: Provide the SFTP username for authentication.
    – Password: Enter the password associated with the SFTP username.
    – Directory: Specify the directory on the SFTP server where you want to store the FortiGate backups.

Step 7: Schedule the Backup

  a. After configuring the SFTP server settings, go to System > Config > Backup.
  b. Click on “Create New” to create a new backup schedule.
  c. In the “Create New Backup Schedule” window:
    – Select the backup profile you created in the previous step from the dropdown menu.
    – Choose the days of the week for backups (for weekly backups) or the day of the month (for monthly backups).

Step 8: Review and Apply Configuration

  a. Review your backup configuration to ensure that all settings are accurate and complete.
  b. Click “Apply” or “OK” to save and apply the changes.

With these detailed steps, your FortiGate device is now configured to automatically back up its configuration to the specified SFTP server at the scheduled time and frequency you defined. Regularly verify the backups to ensure they are functioning correctly and provide a reliable safeguard for your firewall’s settings.
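Once backups are landing on the SFTP server, the practical way to verify them is to diff each new backup against the previous one, so that an unexpected change (a new administrator account, a dropped trusted-host restriction, SSH opened on a WAN interface) is noticed rather than silently archived. The script below is an added example, not code from the original post or from Fortinet: it parses the FortiOS config/edit/set/next/end block format, works on two constructed sample backups embedded inline, and uses an assumed watchlist of sections to flag first.

```python
import sys

# Two constructed FortiGate backups (not real device output); the second adds an admin
# account, drops a trusted-host restriction and opens SSH on wan1.
OLD_BACKUP = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
config system interface
    edit "wan1"
        set allowaccess ping https
    next
end
"""

NEW_BACKUP = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "svc-backup"
        set accprofile "super_admin"
    next
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
"""

# Sections whose changes should be reviewed first (an assumed watchlist; extend as needed).
WATCHLIST = ("system admin", "system interface", "system global")


def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end text into {section path: {key: value}}."""
    tree, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and the '#config-version=...' header
        if line.startswith("config "):
            stack.append(line[7:])
            tree.setdefault("/".join(stack), {})
        elif line.startswith("edit "):
            stack.append(line[5:].strip('"'))
            tree.setdefault("/".join(stack), {})
        elif line in ("next", "end") and stack:
            stack.pop()
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tree.setdefault("/".join(stack), {})[key] = value
        elif line.startswith("unset "):
            tree.setdefault("/".join(stack), {})[line[6:]] = None
    return tree


def diff_backups(old_text, new_text):
    """Return (kind, path, key, old, new) tuples; kind is added, removed or changed."""
    old, new = parse_fortios(old_text), parse_fortios(new_text)
    changes = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            changes.append(("added", path, None, None, None))
        elif path not in new:
            changes.append(("removed", path, None, None, None))
        else:
            for key in sorted(set(old[path]) | set(new[path])):
                o, n = old[path].get(key), new[path].get(key)
                if o != n:
                    changes.append(("changed", path, key, o, n))
    return changes


def watchlisted(changes):
    return [c for c in changes if c[1].startswith(WATCHLIST)]


if __name__ == "__main__":  # usage: python fgt_backup_diff.py previous.conf latest.conf
    paths = sys.argv[1:3]
    texts = [open(p).read() for p in paths] if len(paths) == 2 else [OLD_BACKUP, NEW_BACKUP]
    changes = diff_backups(*texts)
    for c in changes:
        flag = "!! " if c in watchlisted(changes) else "   "
        print(flag + " ".join(str(x) for x in c if x is not None))
```

Run it from a cron job on the SFTP host against the two newest files in the backup directory and alert on any watchlisted line.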

Tagged Untagged Switch Configuration

Hello everyone, in this video I will describe and configure VLANs on an HP switch and assign VLANs to ports as access and trunk. In HP (Hewlett-Packard) networking switches, “tagged” and “untagged” are terms commonly used to describe how VLANs (Virtual LANs) are handled on switch ports. Tagged ports are used to carry traffic for multiple VLANs simultaneously. These ports are typically used to interconnect switches or to connect devices that need to communicate with multiple VLANs. Tagged ports are also known as “trunk” ports in Cisco networking terminology. Untagged ports are used to connect end-user devices, such as computers, printers, or IP phones, to the network. Each untagged port is associated with a specific VLAN. Untagged ports are also known as “access” ports in Cisco networking terminology.

Tagged Ports (Trunk Ports): Tagged ports are used to interconnect switches, routers, or other networking devices and carry traffic for multiple VLANs. They are configured with additional information called VLAN tags, which helps identify which VLAN each Ethernet frame belongs to. Here are the key details:

  • Port Configuration: To configure a port as tagged (trunk), you typically need to access the switch’s command-line interface or web-based management interface.

In Cisco devices, you might use commands like:

interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 10

In HP/Aruba switches, you might use commands like:

vlan 10
   tagged 1-48

  • VLAN Membership: You specify which VLANs can traverse the tagged port using the “switchport trunk allowed vlan” (Cisco) or “tagged” (HP/Aruba) command. In the example above, VLANs 10, 20, and 30 are allowed to traverse the trunk port.
  • Native VLAN: The native VLAN is used for untagged frames on a tagged port. In the Cisco example, VLAN 10 is the native VLAN. Any untagged traffic entering the port is treated as part of this VLAN.

Untagged Ports (Access Ports): Untagged ports are used to connect end-user devices, such as computers, phones, or printers, to the network. They are associated with a single VLAN, and traffic on these ports is not tagged with VLAN information. Here are the key details:

  • Port Configuration: To configure a port as untagged (access), you typically follow a similar process as configuring tagged ports through the switch’s management interface or CLI.

In Cisco devices, you might use commands like:

interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10

In HP/Aruba switches, you might use commands like:

vlan 10
   untagged 1-48

  • VLAN Assignment: You specify which VLAN the port is associated with using the “switchport access vlan” (Cisco) or “untagged” (HP/Aruba) command. In the examples above, the port is assigned to VLAN 10.

Use Cases:

  • Tagged Ports: Tagged ports are used for scenarios where you need to carry traffic for multiple VLANs between network devices. Common use cases include connecting switches together, connecting to routers that perform inter-VLAN routing, and connecting to virtualization hosts where multiple virtual networks exist.
  • Untagged Ports: Untagged ports are used to connect end devices to the network. For example, a computer in a specific department would connect to an untagged port in that department’s VLAN, ensuring that all its traffic is part of that VLAN.

In summary, configuring tagged and untagged ports correctly is crucial for effective VLAN management. Tagged ports allow traffic from multiple VLANs to traverse a single physical link, while untagged ports connect end devices to a specific VLAN. This segmentation helps in maintaining network security, optimizing traffic flow, and organizing network resources.
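The two notations are inverses of each other: Cisco states membership per port, HP/Aruba states it per VLAN, and a Cisco trunk's native VLAN corresponds to an HP untagged entry on an otherwise tagged port. The converter below is an added example, not from the original post or from either vendor; it assumes ArubaOS-Switch (ProCurve) syntax as used on this page, the constructed Cisco snippet and interface-to-port mapping embedded in it, and that an `allowed vlan all` trunk should carry the set of VLANs you pass in as known. It also warns when a trunk's native VLAN is missing from its allowed list, since untagged frames on that link would then be dropped.

```python
from collections import defaultdict

# Constructed Cisco IOS port config, modelled on the page's snippets (not a real device).
SAMPLE_CISCO = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 10
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 20,30
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
"""

# Assumed mapping from Cisco interface names to HP/Aruba (ArubaOS-Switch) port numbers.
PORT_MAP = {"GigabitEthernet0/1": "1", "GigabitEthernet0/2": "3", "FastEthernet0/1": "2"}


def expand_vlan_list(spec):
    """'10,20-22,30' -> {10, 20, 21, 22, 30}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_cisco_ports(config_text):
    """Return {interface: {mode, allowed (set, or None for 'all'), native, access}}."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[10:]
            # assumed defaults when a line is absent: access mode, VLAN 1, native VLAN 1
            ports[current] = {"mode": "access", "allowed": None, "native": 1, "access": 1}
        elif current is None:
            continue
        elif line.startswith("switchport mode "):
            ports[current]["mode"] = line.split()[-1]
        elif line.startswith("switchport trunk allowed vlan "):
            spec = line[len("switchport trunk allowed vlan "):]
            ports[current]["allowed"] = None if spec == "all" else expand_vlan_list(spec)
        elif line.startswith("switchport trunk native vlan "):
            ports[current]["native"] = int(line.split()[-1])
        elif line.startswith("switchport access vlan "):
            ports[current]["access"] = int(line.split()[-1])
    return ports


def to_hp_vlans(ports, port_map, known_vlans):
    """Invert per-port Cisco config into per-VLAN HP membership; returns (membership, warnings).
    Native VLAN -> 'untagged' on the trunk port, other allowed VLANs -> 'tagged', access port -> 'untagged'."""
    membership = defaultdict(lambda: {"tagged": [], "untagged": []})
    warnings = []
    for name, cfg in ports.items():
        hp_port = port_map[name]
        if cfg["mode"] == "trunk":
            allowed = cfg["allowed"] if cfg["allowed"] is not None else set(known_vlans)
            if cfg["native"] not in allowed:
                warnings.append(f"{name}: native VLAN {cfg['native']} is not in the allowed "
                                "list, so untagged frames on this trunk will be dropped")
            for vlan in sorted(allowed):
                role = "untagged" if vlan == cfg["native"] else "tagged"
                membership[vlan][role].append(hp_port)
        else:
            membership[cfg["access"]]["untagged"].append(hp_port)
    return dict(membership), warnings


def render_hp(membership):
    """Emit ArubaOS-Switch style 'vlan N / tagged ... / untagged ... / exit' blocks."""
    lines = []
    for vlan in sorted(membership):
        lines.append(f"vlan {vlan}")
        for role in ("tagged", "untagged"):
            if membership[vlan][role]:
                lines.append(f"   {role} {','.join(membership[vlan][role])}")
        lines.append("   exit")
    return "\n".join(lines)
```

Calling `render_hp(to_hp_vlans(parse_cisco_ports(SAMPLE_CISCO), PORT_MAP, {10, 20, 30})[0])` prints the HP blocks; the returned warnings list names any trunk whose native VLAN is not allowed.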

Install and Configuration VMware vSphere Replication

Hello everyone, in this video I am going to install and configure VMware vSphere Replication. Using this tool you can replicate virtual machine disks from one datastore to another datastore. For example, you can replicate your disks to a disaster recovery site datastore, and if your server goes down you can bring up or restore your virtual machine at the disaster recovery site in seconds.

Prerequisites:

Before you begin, make sure you have the following prerequisites in place:

  1. VMware Infrastructure: You should have a VMware vSphere environment set up with at least two vCenter Servers or ESXi hosts that you want to replicate VMs between.
  2. Network Connectivity: Ensure that there is proper network connectivity between the source and target vSphere environments. This includes firewalls, routers, and other networking components.
  3. vSphere Replication Appliance: Download the vSphere Replication appliance OVA file from the VMware website or portal.
  4. Licensing: Ensure that you have the necessary licensing for vSphere Replication. It’s typically included with VMware’s vSphere Essentials Plus and higher editions.

Installation and Configuration:

Follow these steps to install and configure VMware vSphere Replication:

  1. Deploy vSphere Replication Appliance:
    • Log in to the vCenter Server where you want to deploy the vSphere Replication Appliance.
    • From the vCenter Web Client, select “Hosts and Clusters.”
    • Right-click on a host or cluster and select “Deploy OVF Template.”
    • Browse to the location of the vSphere Replication Appliance OVA file and follow the deployment wizard, specifying network settings, deployment size, and other necessary configurations.
  2. Configure vSphere Replication Appliance:
    • After deploying the appliance, power it on and access the web-based management interface by entering its IP address in a web browser.
    • Log in with the default credentials (admin/vcdr).
  3. Pair vSphere Replication Appliances:
    • In the vSphere Replication management interface, select the “Configuration” tab.
    • Under “VR Servers,” click on “Add VR Server” to add the remote vSphere Replication Appliance. This pairs the appliances from the source and target sites.
  4. Create Replication VMs:
    • In the vSphere Web Client, navigate to the VM you want to replicate.
    • Right-click on the VM, select “All vSphere Replication Actions,” and then choose “Configure Replication.”
    • Follow the wizard to configure replication settings, including the target location, RPO (Recovery Point Objective), and other options.
  5. Monitor and Manage Replications:
    • In the vSphere Replication management interface, you can monitor and manage replication jobs.
    • You can perform actions like starting, stopping, or deleting replications, monitoring replication status, and configuring email notifications for replication events.
  6. Failover and Recovery:
    • In the event of a disaster or for planned migrations, you can initiate a failover to the replicated VMs in the target site.
  7. Testing and Validation:
    • It’s crucial to periodically test and validate your replication setup to ensure it meets your recovery objectives.
  8. Documentation and Best Practices:
    • Consult VMware’s documentation and best practices guides for vSphere Replication to optimize your setup and ensure data integrity.

Install and Config Mikrotik Router

Hello everyone, in this video I am going to install MikroTik RouterOS on Hyper-V, and after that I will configure RouterOS to provide internet access for clients by configuring a DHCP server, creating a NAT rule, and setting up a PPTP VPN server. OK, let's start.

  1. Hardware Requirements:
    • MikroTik router device (such as a MikroTik RouterBOARD)
    • Ethernet cables
    • Computer with an Ethernet port
    • Power source for the router
  2. Initial Setup:
    • Connect the MikroTik router to a power source and to your computer using an Ethernet cable. The router usually has a default IP address for the initial configuration, such as 192.168.88.1. Ensure that your computer is set to obtain an IP address automatically through DHCP.
  3. Access the Router:
    • Open a web browser on your computer and enter the default IP address of the MikroTik router in the address bar (e.g., http://192.168.88.1).
    • You should see the MikroTik login page. The default username is “admin,” and there is no password by default. It is crucial to change the default password during the initial setup for security reasons.
  4. Basic Configuration:
    • Once logged in, you can start configuring the router. Here are some basic configurations:
      • Set a strong password for the “admin” user.
      • Set the router’s hostname.
      • Configure the time zone.
      • Set the DNS servers.
  5. LAN Configuration:
    • Configure the LAN (Local Area Network) settings, including the IP address and subnet mask for the router’s LAN interface.
    • You can create DHCP server pools to assign IP addresses to devices on your local network automatically.
  6. WAN Configuration:
    • Configure the WAN (Wide Area Network) interface, which could be connected to your internet service provider (ISP). This often involves configuring the IP address, subnet mask, gateway, and DNS servers provided by your ISP.
    • Set up NAT (Network Address Translation) if you have multiple devices on your LAN and want them to share a single public IP address.
  7. Firewall Configuration:
    • Create firewall rules to control incoming and outgoing traffic. MikroTik routers have a powerful firewall system that allows you to filter and control traffic based on various criteria.
  8. Security and Access Control:
    • Configure access control lists (ACLs) to restrict or allow specific traffic.
    • Enable SSH or secure Winbox access for remote management and disable insecure services like Telnet.
  9. Additional Features:
    • Depending on your needs, you can configure various additional features such as VPNs, VLANs, QoS (Quality of Service), routing protocols, and more.
  10. Save and Backup Configuration:
    • After configuring your MikroTik router, make sure to save your configuration settings and create regular backups. This can be done through the router’s web interface.
  11. Testing:
    • Test your network to ensure everything is working as expected. Check internet connectivity, LAN connectivity, and any specific services or features you’ve configured.
  12. Documentation:
    • Keep thorough documentation of your MikroTik router’s configuration, including any changes you make over time. This will be helpful for troubleshooting and future reference.

FortiGate Traffic Shaping Configuration

Traffic shaping is a method of optimizing network traffic by prioritizing different types of traffic according to their importance. FortiGate firewall offers a traffic shaping feature that can be used to prioritize traffic, limit bandwidth usage, and control network congestion. In this blog post, we’ll discuss how to configure traffic shaping on FortiGate firewall.

FortiGate Traffic Shaping

1. Log in to the FortiGate Web Interface:

  • Open a web browser and enter the IP address of your FortiGate firewall.
  • Log in with the appropriate credentials.

2. Define Traffic Shaping Policy:

  • Navigate to the “Policy & Objects” tab.
  • Click on “Traffic Shaper” to access the Traffic Shaping policies.

3. Create a New Traffic Shaping Policy:

  • Click the “+ Create New” button to create a new policy.
  • Give your policy a name and optionally add a comment for reference.

4. Set Traffic Shaping Parameters:

  • In the “Guaranteed Bandwidth” section, specify the minimum guaranteed bandwidth (in Kbps or Mbps) for the traffic you want to shape. This is the minimum speed that will be allocated to the traffic matching this policy.
  • In the “Maximum Bandwidth” section, set the maximum bandwidth (in Kbps or Mbps) that the traffic can use.
  • You can also configure a burst rate and burst time if needed. Burst rate allows traffic to exceed the defined limits for a short period if there’s available bandwidth.

5. Define Traffic Matching Criteria:

  • In the “Matching Criteria” section, specify the criteria for matching traffic to this policy. You can configure this based on source and destination IP addresses, ports, services, etc.
  • Click the “+” icon to add multiple conditions if necessary.

6. Enable the Policy:

  • In the “Actions” section, set the action to “Apply Shaper” to enable traffic shaping for the matched traffic.
  • Click “OK” to save the policy.

7. Apply Traffic Shaping Policy to Firewall Policy:

  • After creating the traffic shaping policy, you need to apply it to a firewall policy.
  • Go to the “Policy & Objects” tab and click on “Firewall Policy.”
  • Edit an existing policy or create a new one, and in the “Traffic Shaping” section, select the traffic shaping policy you created earlier from the dropdown menu.

8. Monitor Traffic Shaping:

  • You can monitor the traffic shaping policies in action by going to the “Monitor” tab and selecting “Traffic Shaping Monitor.” Here, you can see statistics and real-time information on the traffic matching your policies.

9. Test and Fine-Tune:

  • After configuring traffic shaping, it’s essential to monitor network performance and adjust policies as needed to ensure your network operates efficiently and as intended.

10. Save and Apply Changes:

  • Don’t forget to save your changes and apply the configuration for it to take effect.

Remember that traffic shaping should be used judiciously, as improper configuration can negatively impact network performance. It’s essential to understand your network’s traffic patterns and prioritize traffic accordingly to achieve your desired outcomes with traffic shaping on a FortiGate firewall.

FortiGate Captive Portal Configuration

A captive portal is a web page that is presented to users when they attempt to connect to a network. Captive portals are commonly used in public Wi-Fi hotspots, hotels, and other places where the network owner wants to control the access to the network. FortiGate firewall offers a captive portal feature that can be used to authenticate users and control network access. In this blog post, we’ll discuss how to configure captive portal on FortiGate firewall.

1. Log in to the FortiGate Web Interface:

  • Open a web browser and enter the IP address of your FortiGate device.
  • Log in using your administrative credentials.

2. Configure Network Interfaces:

  • Ensure that you have configured your network interfaces correctly. You should have at least two interfaces: one for the unauthenticated guest network and another for the trusted network.

3. Create a User Group:

  • Before setting up the captive portal, create a user group that will contain the users allowed to access the network through the captive portal.
    • Go to “User & Device” > “User Groups” and click “Create New.”
    • Define the group’s name and add users to it if needed.

4. Create a Security Policy:

  • You need to create a security policy to control traffic between the unauthenticated network and the trusted network.
    • Go to “Policy & Objects” > “IPv4 Policy” and click “Create New.”
    • Configure the source interface, source address (unauthenticated network), destination interface, and destination address (trusted network).
    • Set the “Action” to “Captive Portal.”

5. Configure Captive Portal:

  • Now, you need to set up the captive portal itself.
    • Go to “Security Fabric” > “Captive Portal” and click “Create New.”
    • Enter a name for the captive portal.

6. Configure Authentication Settings:

  • Under the “Authentication” tab:
    • Select the user group you created earlier.
    • Choose the authentication method (usually, you’d use “Local Database” for basic username and password authentication).
    • Set the authentication timeout.
    • Customize the authentication message if desired.

7. Configure Authentication Portal Settings:

  • Under the “Authentication Portal” tab:
    • Define the portal message and login message.
    • Customize the look and feel of the portal page, including logos and background images.

8. Configure Redirect Settings:

  • Under the “Redirect” tab:
    • Specify the redirection type. Typically, you’d use “External Web Page” to direct users to a terms and conditions page or login page hosted externally.

9. Create a Firewall Policy for Redirect:

  • Create a firewall policy to redirect traffic to the captive portal.
    • Go to “Policy & Objects” > “IPv4 Policy” and click “Create New.”
    • Set the source and destination interfaces and addresses.
    • Set the action to “SSL-VPN” and choose the captive portal you created earlier as the SSL-VPN portal.

10. Configure DNS and Web Filtering:

  • You may want to configure DNS and web filtering policies to control access for authenticated users.

11. Test the Captive Portal:

  • To test the captive portal, connect a device to the unauthenticated network and attempt to access the internet. You should be redirected to the captive portal login page.

12. Monitor and Troubleshoot:

  • Continuously monitor the captive portal for user activity and any issues that may arise. Check logs and statistics for troubleshooting.

Remember that this is a high-level overview of the FortiGate captive portal configuration process. Depending on your specific requirements and network setup, there may be additional configuration options and steps needed to meet your needs. Always refer to the FortiGate documentation and consult with Fortinet support if you encounter any difficulties or require advanced features.

Reset vCenter SSO administrator@vsphere.local Password

1. Access the vSphere Authentication Proxy:

  • Log in to the vCenter Server using the vSphere Client with an account that has administrative privileges.
  • Navigate to the “Administration” section in the vSphere Client.
  • Under “Single Sign-On,” click on “Configuration.”

2. Reset the Password:

  • In the “Configuration” tab, click on “System Configuration.”
  • Click on the “Nodes” tab and select the vCenter Server node.
  • Click on the “Manage” tab and select “Settings.”
  • Under “Settings,” click on “Reset Password” next to “Single Sign-On Administrator Password.”
  • Enter and confirm the new password for the administrator@vsphere.local account.
  • Click “OK” to reset the password.

3. Verify the Password Reset:

  • Log out of the vSphere Client and log back in using the administrator@vsphere.local account and the new password to verify that the password reset was successful.

4. (Optional) Change the Password Using the CLI:

  • If you have SSH access to the vCenter Server, you can also use the vdcadmintool command-line utility to reset the password.
  • SSH into the vCenter Server and run the following command to access the utility:

/usr/lib/vmware-vmdir/bin/vdcadmintool

  • Select option 3 for “Reset account password” and follow the prompts to reset the password for the administrator@vsphere.local account.

By following these steps, you can reset the VMware vCenter Single Sign-On (SSO) administrator@vsphere.local password using the vSphere Client or the vdcadmintool command-line utility.

Deploy BgInfo by Group Policy

1. Download and Install BgInfo:

  • Download BgInfo from the official Microsoft Sysinternals website.
  • Extract the downloaded ZIP file and copy the BgInfo.exe and BgInfo64.exe files to a network share that is accessible to all client machines.

2. Create a Configuration File:

  • Launch BgInfo on a test machine and configure the desired settings, such as the information to display and the background color.
  • Save the configuration as a .bgi file to the same network share where you copied the BgInfo executables.

3. Create a Group Policy Object (GPO):

  • Open the Group Policy Management Console (GPMC) on a domain controller or a machine with the Remote Server Administration Tools (RSAT) installed.
  • Right-click on the desired Organizational Unit (OU) or the domain name and select “Create a GPO in this domain, and Link it here.”
  • Give the GPO a descriptive name, such as “Deploy BgInfo.”

4. Edit the Group Policy Object:

  • Right-click on the newly created GPO and select “Edit.”
  • Navigate to “Computer Configuration” > “Policies” > “Windows Settings” > “Scripts (Startup/Shutdown).”
  • Double-click on “Startup” in the right pane.

5. Add a Startup Script to Run BgInfo:

  • Click on the “Add” button in the “Startup Properties” window.
  • In the “Script Name” field, enter the UNC path to the BgInfo executable (e.g., \\server\share\BgInfo.exe).
  • In the “Script Parameters” field, enter the path to the configuration file (e.g., \\server\share\config.bgi).
  • Click “OK” to save the script.

6. Copy BgInfo Files to Client Machines:

  • Ensure that the BgInfo executable (BgInfo.exe or BgInfo64.exe) and the configuration file (config.bgi) are accessible from the network share specified in the startup script.

7. Apply the Group Policy:

  • Close the Group Policy Management Editor and link the GPO to the desired OU or domain.
  • Run gpupdate /force on client machines or wait for Group Policy to apply automatically.

8. Verify Deployment:

  • Restart a client machine (or run gpupdate /force) to apply the Group Policy.
  • The system information specified in the BgInfo configuration file should be displayed on the desktop background.

By following these steps, you can deploy BgInfo using Group Policy to automatically display system information on the desktop background of Windows machines in your domain.

Install Windows OS from Network | Install And Configure Windows Deployment Service (WDS)

1. Install Windows Deployment Services Role:

  • Open Server Manager on a Windows Server machine.
  • Click on “Add roles and features.”
  • Select “Windows Deployment Services” as the role to install.
  • Follow the wizard to complete the installation.

2. Configure Windows Deployment Services:

  • After installing the role, open the Windows Deployment Services console from the Server Manager.
  • Right-click on the server name and select “Configure Server.”
  • Follow the wizard to configure the server.
  • Choose the location to store the images (you can use the default location).
  • Select “Integrated with Active Directory” if you want to use Active Directory Domain Services (AD DS) to authorize clients and manage computer accounts.
  • Specify the DHCP server settings. You can choose to configure DHCP options 60, 66, and 67, or you can manually configure DHCP options if you’re using a separate DHCP server.

3. Add Boot and Install Images:

  • In the Windows Deployment Services console, expand the server name.
  • Right-click on “Boot Images” and select “Add Boot Image.”
  • Browse to the location of the Windows installation files and select the boot image (boot.wim) file.
  • Repeat the process to add the install image (install.wim) file for the Windows version you want to deploy.

4. Configure DHCP Options (if not done in step 2):

  • If you didn’t configure DHCP options during the WDS configuration, you’ll need to do it manually on your DHCP server.
  • Configure option 60 to PXEClient.
  • Configure option 66 to the IP address of the WDS server.
  • Configure option 67 to boot\x64\pxeboot.n12 for BIOS-based systems or boot\x64\wdsmgfw.efi for UEFI-based systems.

5. PXE Boot and Install Windows:

  • Boot the client computer from the network (PXE boot). This usually involves pressing a key (e.g., F12) during startup to access the boot menu and selecting the network boot option.
  • The client will contact the WDS server and load the boot image.
  • Follow the on-screen instructions to select the install image and complete the Windows installation.

6. Monitor Deployment:

  • Use the Windows Deployment Services console to monitor the deployment process and view the status of client installations.

By following these steps, you can set up Windows Deployment Services to deploy Windows operating systems over the network, making it easier to manage and deploy Windows installations across multiple computers.

Install And Configure DHCP Server Cluster

1. Preparing the Environment:

  • Ensure that both servers meet the hardware and software requirements for Windows Server and DHCP.
  • Assign static IP addresses to each server.
  • Ensure that DNS is properly configured and that both servers can resolve each other’s names.

2. Installing the DHCP Server Role:

  • Open Server Manager on both servers.
  • Select “Add roles and features” and proceed with the installation wizard.
  • Select “DHCP Server” as the role to install.
  • Complete the DHCP Server installation wizard.

3. Configuring DHCP Failover:

  • Open DHCP Manager on one of the servers.
  • Right-click on the DHCP server name and select “Configure Failover.”
  • Follow the wizard to configure DHCP failover.
  • Choose the partner server, configure the shared secret, and set the mode (Load Balance or Hot Standby) and relationship (Primary or Secondary).

4. Installing the Failover Clustering Feature:

  • Open Server Manager on both servers.
  • Select “Add roles and features” and proceed with the installation wizard.
  • Select “Failover Clustering” as the feature to install.

5. Creating the Cluster:

  • Open Failover Cluster Manager on one of the servers.
  • Click on “Create Cluster” and follow the wizard.
  • Add both servers to the cluster.
  • Configure cluster settings such as the cluster name and IP address.

6. Configuring DHCP Server Role in the Cluster:

  • In Failover Cluster Manager, right-click on “Services and Applications” and select “Configure a Service or Application.”
  • Select “DHCP Server” as the service to configure.
  • Follow the wizard to add the DHCP server role to the cluster.

7. Testing Failover:

  • Perform a failover test to ensure that the DHCP server cluster functions correctly.
  • Use the Failover Cluster Manager to initiate a failover and verify that DHCP services remain available during the failover process.

8. Monitoring and Maintenance:

  • Regularly monitor the DHCP server cluster using Failover Cluster Manager to ensure it remains healthy.
  • Perform regular maintenance tasks, such as applying updates and patches, to keep the cluster secure and up-to-date.

Note: Ensure that you have sufficient IP address ranges and leases configured to handle the increased demand that comes with clustering. Additionally, testing failover in a controlled environment is crucial to ensure proper functioning in a production environment.