Always Geeky

Knowledge base for various geeky topics

Firewalls

Using hashdeep to confirm two directories match

First, use hashdeep to capture the hash of the first directory:

$ hashdeep -b -r /home/user/one/ > one-results.txt

Then do the same for the second directory:

$ hashdeep -b -r /home/user/two/ > two-results.txt

Now you need to compare the two resulting files. Their order is likely to be different, so you will need to...


SSH to slave in HA Fortigate pair

If you have a pair of HA Fortigates, sometimes you need to log into the slave device via SSH. Common examples include wanting to run a packet capture.

To do so, log into the primary device as usual, then run this command:

Fortigate1 # config global
Fortigate1 (global)# execute ha manage 0
Fortigate2 $...


Fortigate VPN working except for ping

If you find a situation where a site-to-site IPsec VPN on a Fortigate is apparently up and passing traffic, except that ping (ICMP) is not flowing over the VPN, here is a solution.

The cause can be the VPN flapping momentarily, so that an ICMP packet is received in the...


How to generate a pre shared key using APG

A common requirement is to generate a random, unique and secure pre-shared key, typically for use in VPNs. The Linux tool APG (Automated Password Generator) is well suited to this job, but you need to specify a few options to get the correct output.

If you just run ‘apg’, you...


ERROR: Cannot remove connected route

firewall-asa(config)# no route INSIDE 192.168.0.0 255.255.255.0 172.16.0.254
ERROR: Cannot remove connected route
firewall-asa(config)#

The above error occurs when the route you are trying to remove covers a subnet that is directly connected to an interface. In order to remove this route, you need to shut down the interface, then remove the route.

For example, if you...


Show sysopt configuration on ASA

The normal commands to show configuration items don’t work as expected for sysopt.

asa/pri/act# sh run sysopt
asa/pri/act#

asa/pri/act# sh run | include sysopt
asa/pri/act#

asa/pri/act# more system:running-config | include sysopt
asa/pri/act#

You need to use the “show run all sysopt” command, which includes default settings that the other forms omit:

asa/pri/act# show run all sysopt
no sysopt connection timewait
sysopt connection...


ERROR: ACE contains port, protocol, or deny. Removing NAT configuration

Never specify anything other than IP (such as TCP or UDP) when creating an ACL on the ASA that will be used within a NAT statement. If you do, you may get this error:

ERROR: ACE contains port, protocol, or deny. Removing NAT configuration

The above means that all of your NAT...


SRX VPN Phase-1 negotiation failed with error Timeout

If your phase 1 negotiation is timing out from your SRX, it may be because IKE is not enabled under the host-inbound-traffic setting of the interface or zone.

Here is a typical error:

Jan 01 12:00:00 Phase-1 negotiation failed with error Timeout for p1_local=ipv4(udp:500,[0..3]=192.0.2.1) p1_remote=ipv4(udp:500,[0..3]=198.51.100.1)

A broken config will look like this –...


SRX cluster SSH/HTTPS access to secondary fails

A Juniper SRX cluster configuration does not allow access to the secondary device, even via out-of-band management, by default. This is expected behaviour, as the non-primary device in a cluster will not start the routing process. So, unless your out-of-band management gives you access from the same layer 2 network,...


Example IP addresses and domains for documentation

Don’t be tempted to use any random IP address or domain for documentation or testing purposes. It is quite easy to forget to remove such an IP or domain from a config or diagram, which can cause outages and other unintended consequences.

RFC 5737 details IPv4 address blocks which have...


Packet-tracer issues with a multi-context ASA

Why does packet-tracer sometimes work when used within a multi-context environment, but sometimes not? Its success can seem rather random, but it is actually quite predictable once you know why it fails when it does.

Packet-tracer simulates a packet arriving on an interface, and the internal...
