A reminder – The importance of network segmentation

Early in my Fortinet support career I deployed wireless 221B FAPs. When they were deployed I chose to leave them in the client VLAN while tunneling traffic to the Fortigate management devices. This seemed to give a decent amount of segmentation between the wireless traffic and client LAN traffic.

This setup functioned well for many years. I had thought many times about moving the actual AP management traffic to a separate VLAN but put it off as everything was working well, until a recent upgrade.

The 221B FAPs that had been running well were coming to the end of support with the new FortiOS 7.x software line, so we decided to upgrade to something newer. After upgrading to 7.2.5 on the firewall and plugging in a 231G FAP, our VOIP phones were continually going offline and rebooting. They would run for 5-10 minutes, then reboot and sometimes reconnect.

At first I thought the firewall upgrade caused some changes between Fortilink and the LLDP profiles that were being used for the VOIP connections. I worked with multiple Fortinet TAC teams to resolve the issue with no luck. We could not find anything that pointed to the issue we were having. After many hours we narrowed it down to what seemed like traffic generated by the 231Gs kicking the Avaya phones offline, causing reboots and intermittent call issues.

Finally I realized the simplest and best solution was to properly segment the FAPs onto their own network, as I should have from the beginning. After many days of support and troubleshooting, segmentation resolved the issue in a matter of minutes and fixed a problem that should not have occurred. Everything is working now, and we can investigate what traffic is causing the issues with the Avaya phones.

Reminder to self: always segment and follow best practices.

Building a Training Log

A couple of years ago I set out to build a training log for tracking my workouts, with a bias towards calisthenics and strength training. There are a lot of great training log applications on the market, so this was more of a project to allow me to work on my programming skills while also writing something that fits my needs exactly. I never seemed to like most of the workout tracking applications out there. I wanted something fast and simple with manual entry.

Strengthnotes Training Log

I chose to use mature frameworks, Django and Bootstrap, to see if I could build a solution that worked for my basic needs. Django and Bootstrap have proven to be powerful tools. In the past I have had a bad habit of jumping between frameworks because I enjoy learning new tech. I decided I would not change frameworks; instead I would stick with solid frameworks and the most basic technology for as long as I could.

I have tracked about 250 of my workouts over the last few years, slowly adding features, while sticking to basic Django/Python and Bootstrap. I now have created a workout tracking system that works well for my needs.

I plan on working with a couple more tools to add more of a Single Page Application feel. The first test will be HTMX, keeping everything rendering on the server. My goal is to stay with a web application and not move to any of the mobile frameworks available, but time will tell. The second addition is a graphing library; I am not sure yet which one will be chosen.

Feel free to give the app a try at strengthnotes.com.

FitnessFaq’s Begin Bodyweight

Needing to rebuild my strength base, I purchased FitnessFaqs Begin Bodyweight and Limitless Legs last year. I did not realize how weak I was and how high my bodyweight had gotten relative to my strength levels. Begin Bodyweight is an upper body, 3 day a week program focusing on basic pushing and pulling. Dips, pushups, pullups, chinups, rows, handstands, and some core work are all included.

I began the program 3 days a week using the straight bar for pullups and chinups, but the volume was a bit much to begin with and I ended up with some tennis elbow. I rested and began again using rings for the pullups and chinups and going to two days a week instead of three, and have now been following the program for about 6 months. I am currently on level four, attempting to increase my pullup/chinup and dip numbers.

I modified the training frequency again after reading this article about training frequency by Lyle Mcdonald. Training an upper/lower split 3 times per week has been working well. I am now in my mid 40s and have been experimenting with lower frequency with good success. This also gives me the benefit of working on my cardio the other 3 days, with one day off a week. My hope is that with some lifestyle improvements I will be able to handle greater volume in the future.

The program is excellent; it comes with an e-book, photo book, videos and training programs with 6 levels, each being 8 weeks, but I have been running the same program for much longer to meet the minimums. The progressions work well, and this program can scale from beginners to advanced via harder progressions or adding weight.

If you are looking for well thought out programs focused primarily on calisthenics, Daniel Vadnal is an excellent resource and all his courses are worth spending money on.

I am now able to do ring-based pullups and straight bar dips without any shoulder or other pain. That was one of my goals last year, so I would consider this one of the more valuable programs.

Assign variable in Django Templates

I am learning Django by programming a site for tracking my workouts, strengthnotes.com. I was struggling because I needed to assign a variable to be used later in the template. It seems like this is not available by default in Django's standard templates. I came across simple_tags, and that seemed to fit the bill.

The first step is to create a templatetags directory at the same level as templates, migrations, etc.

Inside that directory create an __init__.py and a file to store your tags; mine was called workout_tags.py.

Inside that file you can set up a couple of tags and use the context to store the variable.

from django import template

register = template.Library()


@register.simple_tag(takes_context=True)
def set_current_set_id(context, val):
    # Store the value in the template context and render nothing.
    context["current_set"] = val
    return ""


@register.simple_tag(takes_context=True)
def get_current_set_id(context):
    # Use .get() so the tag does not raise KeyError when nothing was set yet.
    value = context.get("current_set")
    if value is not None:
        return value
    return "A99"

Then inside the template, after loading the tag library, you can easily assign and retrieve the values.

{% load workout_tags %}
{% set_current_set_id "A3" %}
{% get_current_set_id %}

This seems to work, and reading the documentation, this was the best method I could find.

Year One Giant Pumpkin Experiment

This year we decided to try growing a "Giant Pumpkin". We knew nothing about giant pumpkin growing, so we did a bit of reading and research, but still made way too many mistakes, so we are not sure what we will end up with.

I began by reading Growing Giant Pumpkins by Jason Johns, which gave me a start, but I ended up winging most of it.

We ended up with a few different Giant Pumpkin seeds: an Amazon Canailles 10 pack, Park Seed Dills Atlantic Giant, and some big box store Giant Pumpkin seeds. Not understanding the importance of proper seeds, I did not track which was which, but I think my best plant this year came from the Park Seed Dills Atlantic Giant.

We began the seeds in peat moss pots on May 1. Wyoming has a growing season that can frost as late as June 11, so I thought 4-5 weeks should be enough. I think it should have been earlier; next year we will begin growing indoors in mid to late April.

Next year I will be sure to label each plant and make sure I know which seed is actually planted where.

Growing direction – First True Leaf

Our large plant was planted near a fence and grew in the direction of the fence, so we had to guide it around the fence, limiting the already limited area we were using for growing. Next year I will mark the pot so I know which direction it will grow when planting.

We planted June 11th with very little soil preparation; we just dug a hole and added a few bags of garden soil. I used black plastic this year to help keep the soil warm and retain water. Next year we will do more soil prep, adding manure in October 2022.

We had two pumpkins on the vine. The first one was growing well until we let the second pumpkin stay on the vine, and then the first pumpkin began turning white and rotting. Still not sure if it was related to fungus or something else.

Rotting Pumpkin?

The second pumpkin is continuing to grow into the middle of September, but due to the late start I am not sure if it will fully ripen.

Attempting to grow a large pumpkin has been enjoyable, and I look forward to trying again in 2023 if life allows.

UPDATE 9/24/2022

We finally harvested on 9/24/2022; it weighed in at 40 lbs. Not impressive in the world of giant pumpkins, but happy with our first year attempt.

Two Rules For Fortigate Beginners

After managing a small number of Fortigates for a handful of years, I have come up with two rules that I wish I had known when I started. There are numerous best practices, but these two have caused me the most pain recently.

  1. Never install a dot zero release of the Fortigate firmware; more specifically, wait until .4 or .5 or later before upgrading. For example, if you are on 6.2.7 and would like to upgrade to the latest branch, which at this time is 6.4.x, wait until 6.4.5. Each main release branch includes a large number of new features, and each of the dot releases includes fixes. I made this mistake twice when starting out, and the firewalls became unstable and difficult to maintain and upgrade.
  2. Always use zones for building policies. Zones allow you to add and remove interfaces from a zone and inherit all policies associated with that zone. If you build policies directly against interfaces, then when you need to add interfaces that fall into similar zones you have to rebuild all of those policies for the new interface, versus adding the interface to a zone and being done. Zones really shine when doing upgrades from one hardware platform to the next, when interface names and counts differ. You can easily remove all interfaces from the zone, transfer the config, and add the new interfaces to the correct zone.

Those are two simple rules that would have saved me a lot of time.

Azure Application Insights On-Prem Web Farm

On each node of the web farm with a shared config, run the following commands.


Download: https://www.powershellgallery.com/packages/Az.ApplicationMonitor/

$pathToNupkg = "C:\temp\az.applicationmonitor.1.1.2.nupkg"
$pathToZip = ([io.path]::ChangeExtension($pathToNupkg, "zip"))
$pathToNupkg | rename-item -newname $pathToZip
$pathInstalledModule = "$Env:ProgramFiles\WindowsPowerShell\Modules\az.applicationmonitor"
Expand-Archive -LiteralPath $pathToZip -DestinationPath $pathInstalledModule


Enable-ApplicationInsightsMonitoring -InstrumentationKey xxxxx-xxx-xxx-xxxxx -IgnoreSharedConfig -EnableInstrumentationEngine

After the commands have been run, go into IIS on one of the machines in the web farm and add a module named ManagedHttpModuleHelper, selecting Microsoft.AppInsights.IIS.ManagedHttpModuleHelper.ManagedHttpModuleHelper from the dropdown box.

https://docs.microsoft.com/en-us/azure/azure-monitor/app/status-monitor-v2-overview

Vmware workstation error code 0xc00000005

I kept getting error code 0xc00000005 when trying to install Windows 2019 as a guest on VMware Workstation. I uninstalled it and tried VirtualBox and got a different error. Searching the log files led me to the following post about Hyper-V interference. I had uninstalled Hyper-V, but there must have been some Hyper-V feature left. The following commands worked.

bcdedit /set hypervisorlaunchtype off

DISM /Online /Disable-Feature:Microsoft-Hyper-V

Finally passing the CISSP certification

After multiple starts and stops, I finally was forced to take the CISSP on November 23rd, as I was not able to postpone the exam any further.

I have been working as a sysadmin/security analyst in a single location for over 20 years. When working at the same job for so long, there is a risk of not growing and learning enough to keep up with the industry. I take certs to help fill the gaps.

I started studying for the CISSP two years ago, but life continued to get in the way. I thought I was prepped and ready to go when COVID hit and I was forced to postpone. After rescheduling multiple times, I was forced to take it because Pearson VUE wouldn't allow me to reschedule any later.

Users in the reddit.com/r/cissp group recommended doing 3-4k practice questions and using multiple study guides and resources. Although that seems like overkill, it ended up being about right for me to understand the material well enough.

I hear a lot of complaints about the CISSP, but I found it to be valuable; coming from a purely technical role all these years, it helped me fit the various "pieces" together. Being forced to spend more time looking at security from a management point of view was very valuable. The CISSP gave me value due to the preparation required to sit and pass the test.

I used the following resources.

https://reddit.com/r/cissp – This is a valuable resource that helped me know what to study and which resources to use.

https://thorteaches.com/ – Thor does a good job of breaking down the material and giving a good overview. I watched all the videos and answered all the questions. The questions were slightly repetitive but still good.

Sybex official study guide and questions – This was one of the better resources; I read the book twice and went through all the questions in the online test bank.

https://www.cccure.education/home – Good questions; I used this towards the end of my preparation.

https://www.studynotesandtheory.com/ – I like Luke's videos; his questions are very challenging but may be of value.

Boson CISSP Practice questions.

Eric Conrad's 11th Hour and CISSP Study Guide books were a good review and worthwhile to read once or twice.

Glad to have it over. Now I am looking into Azure certifications or the Offensive Security AWAE certification.

Fortigate to Fortigate VXLAN – Disaster Recovery

I have been working on a solution for disaster recovery; one of the goals was a stretched layer 2 network. Since we would need a similar firewall with similar rules at the DR location, I have been investigating VXLAN over an IPsec tunnel.

This is the current test config; I will update it when more testing has been completed.

config sys global
    set hostname FIREWALL1
end

config system interface
    edit "wan1"
        set vdom "root"
        set mode static
        set ip 173.1.1.1 255.255.255.0
        set allowaccess ping fgfm
        set type physical
        set role wan
        set snmp-index 1
    next
end

config vpn ipsec phase1-interface
    edit "to_HQ2"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set wizard-type static-fortigate
        set remote-gw 173.1.1.2
        # placeholder PSK for the test lab; use a long random secret in production
        set psksecret supersecret
    next
end

config vpn ipsec phase2-interface
    edit "to_HQ2"
        set phase1name "to_HQ2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: to_HQ2 (Created by VPN wizard)1"
        set src-addr-type ip
        set dst-addr-type ip
        set src-start-ip 1.1.1.1
        set dst-start-ip 1.1.1.2
    next
end

# VXLAN endpoint carried inside the IPsec tunnel interface
config system vxlan
    edit "vxlan1"
        set interface "to_HQ2"
        set vni 1000
        set remote-ip "1.1.1.2"
    next
end

config system interface
    edit "to_HQ2"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.2 255.255.255.255
        set snmp-index 8
        set interface "wan1"
    next
    edit "vlan100"
        set vdom "root"
        set vlanid 100
        set interface "dmz"
    next
    edit "vxlan100"
        set type vlan
        set vlanid 100
        set vdom "root"
        set interface "vxlan1"
    next
end

# software switch bridging the local VLAN with the VLAN carried over VXLAN
config system switch-interface
    edit "sw1"
        set vdom "root"
        set member "vlan100" "vxlan100"
    next
end

config system interface
    edit "sw1"
        set vdom "root"
        set ip 192.168.4.1 255.255.255.0
        set type switch
        set snmp-index 12
    next
end

config router static
    edit 1
        set dst 1.1.1.2 255.255.255.255
        set device "to_HQ2"
    next
end


//////////  FIREWALL 2

config sys global
    set hostname FIREWALL2
end

config system interface
    edit "wan1"
        set vdom "root"
        set mode static
        set ip 173.1.1.2 255.255.255.0
        set allowaccess ping fgfm
        set type physical
        set role wan
        set snmp-index 1
    next
end

config vpn ipsec phase1-interface
    edit "to_HQ1"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set wizard-type static-fortigate
        set remote-gw 173.1.1.1
        # placeholder PSK for the test lab; must match FIREWALL1
        set psksecret supersecret
    next
end

config vpn ipsec phase2-interface
    edit "to_HQ1"
        set phase1name "to_HQ1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-addr-type ip
        set dst-addr-type ip
        set src-start-ip 1.1.1.2
        set dst-start-ip 1.1.1.1
    next
end

# VXLAN endpoint carried inside the IPsec tunnel interface
config system vxlan
    edit "vxlan1"
        set interface "to_HQ1"
        set vni 1000
        set remote-ip "1.1.1.1"
    next
end

config system interface
    edit "to_HQ1"
        set vdom "root"
        set ip 1.1.1.2 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.1 255.255.255.255
        set snmp-index 8
        set interface "wan1"
    next
    edit "vlan100"
        set vdom "root"
        set vlanid 100
        set interface "dmz"
    next
    edit "vxlan100"
        set type vlan
        set vlanid 100
        set vdom "root"
        set interface "vxlan1"
    next
end

# software switch bridging the local VLAN with the VLAN carried over VXLAN
config system switch-interface
    edit "sw1"
        set vdom "root"
        set member "vlan100" "vxlan100"
    next
end

config system interface
    edit "sw1"
        set vdom "root"
        set ip 192.168.4.2 255.255.255.0
        set type switch
        set snmp-index 12
    next
end

config router static
    edit 1
        set dst 1.1.1.1 255.255.255.255
        set device "to_HQ1"
    next
end