
Posts

Showing posts from 2018

What should you know about HA 'override enabled' setting on Fortigate?

High availability is mandatory in most of today's network designs; only very small companies or branches can run their business without redundancy. When you have a Fortigate firewall in your network you have several options to increase availability: the Fortigate Clustering Protocol (FGCP) or the Virtual Router Redundancy Protocol (VRRP). FGCP has two modes: 'override' disabled (the default) and 'override' enabled. I'm not going to explain how to set up HA, as you can find many resources on Fortinet websites: https://cookbook.fortinet.com/high-availability-two-fortigates-56/ https://cookbook.fortinet.com/high-availability-with-fgcp-56/ Let's recap the main difference between them. The default HA setting is 'override' disabled, and this is the order in which the active (primary) unit is selected: 1) number of monitored interfaces - when both units have the same number of working (up) interfaces, check the next parameter 2) HA uptime - an
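To make the selection order concrete, here is an added Python model of the FGCP primary election (example code written for this page, not FortiOS code or anything from the original post). It encodes the documented criteria for both 'override' settings: monitored interfaces, then HA uptime and priority (in the order that depends on 'override'), then serial number. The unit states, names and serial numbers are constructed, and the 300-second uptime tolerance is an assumption taken from the FortiOS default of ha-uptime-diff-margin; check it against your own release.

```python
"""FGCP primary election, with and without 'override'.

Added example for this post, not FortiOS code: it models the documented
FGCP selection order so you can see which unit becomes primary in a given
state. Unit states below are constructed; the 300-second uptime tolerance
is assumed from the FortiOS default of ha-uptime-diff-margin.
"""
from dataclasses import dataclass

UPTIME_DIFF_MARGIN = 300  # seconds; assumed default, set to your ha-uptime-diff-margin


@dataclass(frozen=True)
class Unit:
    name: str
    monitored_up: int  # monitored interfaces currently up
    ha_uptime: int     # seconds of HA uptime (reset on failover or reboot)
    priority: int      # 'set priority' under 'config system ha', higher wins
    serial: str        # serial number, the final tie-breaker (higher wins)


def _compare(a, b, override):
    """Pairwise election between two cluster members; returns the winner."""
    # 1) Monitored interfaces: more working links wins in both modes.
    if a.monitored_up != b.monitored_up:
        return a if a.monitored_up > b.monitored_up else b

    def by_uptime():
        # Uptime only decides when the gap exceeds the margin; smaller
        # differences are treated as a tie and the next rule applies.
        if abs(a.ha_uptime - b.ha_uptime) > UPTIME_DIFF_MARGIN:
            return a if a.ha_uptime > b.ha_uptime else b
        return None

    def by_priority():
        if a.priority != b.priority:
            return a if a.priority > b.priority else b
        return None

    # 2) and 3) swap places depending on the override setting:
    #   override disabled (default): uptime before priority
    #   override enabled:            priority before uptime
    rules = (by_priority, by_uptime) if override else (by_uptime, by_priority)
    for rule in rules:
        winner = rule()
        if winner is not None:
            return winner
    # 4) Serial number: the higher serial wins.
    return a if a.serial > b.serial else b


def elect_primary(units, override=False):
    """Return the unit FGCP would select as primary from `units`."""
    winner = units[0]
    for unit in units[1:]:
        winner = _compare(winner, unit, override)
    return winner


def failback_scenario(override):
    """Constructed case: FGW-A (priority 200) was primary, rebooted, and rejoins
    after FGW-B (priority 100) has carried traffic for an hour. Returns the
    name of the unit that is primary once FGW-A is back."""
    fgw_a = Unit("FGW-A", monitored_up=2, ha_uptime=60, priority=200, serial="SERIAL-0002")
    fgw_b = Unit("FGW-B", monitored_up=2, ha_uptime=3600, priority=100, serial="SERIAL-0001")
    return elect_primary([fgw_a, fgw_b], override=override).name


if __name__ == "__main__":
    for mode in (False, True):
        state = "enabled " if mode else "disabled"
        print(f"override {state}: primary is {failback_scenario(mode)}")
```

Running the scenario shows the practical difference: with 'override' disabled the cluster stays on FGW-B after FGW-A rejoins, because FGW-B's uptime lead exceeds the margin; with 'override' enabled FGW-A takes the cluster back immediately on priority, so a primary that reboots or flaps causes a second failover. In both modes a unit with fewer monitored interfaces up never wins, whatever its priority.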

Data Leak Prevention (DLP) on Fortigate

Today I would like to present one interesting feature you may find on your Fortigate: Data Leak Prevention. I know there are much better, dedicated solutions on the market, but in certain situations the DLP feature available in FortiOS is good enough. Why should you use it? It is important to say this up front: DLP in such a deployment (on the Fortigate) can't protect your data against every leak. A user in your network can simply take a photo of any document with a phone. Why should we still consider it? It is a good (and easy to deploy) way to catch users' mistakes. It has happened hundreds of times that a user attached the wrong file. Sound familiar? Using DLP you can create policies which stop such a leak. Let me show you how to configure it. Step #1 First, you have to check whether DLP is enabled in the "Feature Visibility" / "Security Features" section: When you do not see the feature, make sure your Fortigate works in proxy-ba

How to increase network resiliency?

Network design is not a fixed process. Every time we add or change something in the network, we should check whether the network is still as resilient as it was in the original design. Let's analyze the scenario below:
Firewall - Fortigate 5.x
Core switch - Nexus 5k NX-OS 7.X
Routing between core and firewalls - static
With a direct connection between FW01-Core01 and FW02-Core02 we can detect link failure easily. The firewalls here are in HA Active-Passive mode, which means the secondary box doesn't process any traffic. In case of Port1, Port2 or device failure, the secondary takes over and sends ARP updates to the core switch. The same applies when Core01 or Core02 fails: FW01/02 notices it and triggers a failover. Now imagine you are tasked with putting an IDS between the core switches and the perimeter firewalls, as on the diagram below: What is wrong with this scenario? Let's check whether the following failure scenarios are still covered: 1) FW01/Port1/Port2 failure -

Nexus and VTP

I would like to work today with a Nexus 5k in VTP Server mode and see what steps are necessary to recover the configuration from a backup. This is the platform I have in my lab:
N5548A# sh ver
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
Copyright (c) 2002-2013, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html.
Software
  BIOS:      version 3.6.0
  loader:    version N/A
  kickstart: version 6.0(2)N2(3)
  system:    version 6.0(2)N2(3)
  Power Sequencer Firmware:
             Module 1: version v3.0
             Module 2: version v1.0
             Module 3: version v5.0
  Microcontroller Firmware:

EIGRP - routing optimization - part 2

This is the second part of the 'EIGRP - routing optimization' series. Before reading this one, please review part 1, available here. This is the network, and as I said in part 1 I'm going to enable the 'stub' feature to see what the impact is and how EIGRP behaves:
R5(config-router)#
R5(config-router)#router eigrp 100
R5(config-router)#eigrp stub
R5(config-router)#
I add the same configuration to R6, R9 and R10. The test I'm going to perform is the same as in the previous post: I shut down the 10.5.2.0/24 network and check the query scope.
R5(config)#int loop2
R5(config-if)#sh
R5(config-if)#
R3#
*Feb 19 23:47:06.411: DUAL: AS(100) rcvquery: 10.5.2.0/24 via 8.1.7.5 metric 72057594037927935/72057594037927935, RD is 156160 for tid 0
*Feb 19 23:47:06.411: EIGRP-IPv4(100): Find FS for dest 10.5.2.0/24. FD is 156160, RD is 156160 on tid 0
*Feb 19 23:47:06.415: EIGRP-IPv4(100):  8.1.7.5 metric 72057594037927935/72057594037927935 not found Dmin is 72057594037927935
*Feb 1

EIGRP - routing optimization - part 1

Today I would like to test EIGRP optimization using features like summarization and stub, to see what limitations we should be aware of. We have 4 sites with one access router at every site. There are 5 subnets connected to every access device, and every device can see all prefixes: Below you can see the routing table from R1, R3 and R5, as the logic is the same on the rest of them:
R1#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
Gateway
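The two EIGRP posts (part 1 on summarization and stub, part 2 on the query scope after 'eigrp stub') both come down to how far a DUAL query travels when a prefix disappears. The following Python simulation is an added example written for this page, not the lab or output from the posts: it models the worst case the part 2 debug shows ('Find FS ... not found', no feasible successor anywhere), using the rules that a router queries every neighbor except the one it received the query from and except stub neighbors, that a stub which loses its own connected prefix still queries its neighbors, and that a router already Active for the prefix is not re-queried. The topology (a distribution ring R1-R4 with one access router per site) and the stub set are constructed for the example, not taken from the posts.

```python
"""EIGRP query scope with and without 'eigrp stub'.

Added example for the two 'EIGRP - routing optimization' posts, not the
lab from the posts: it simulates how far a DUAL query travels when a router
loses a prefix and no router has a feasible successor (the worst case the
post's debug shows with 'Find FS ... not found'). The topology below is
constructed. Model: a router queries every neighbor except the one it got
the query from and except stub neighbors; a stub that loses its own
connected prefix still queries its neighbors; a router that already went
Active for the prefix is not re-queried.
"""
from collections import deque

# Constructed topology: R1-R4 form a distribution ring, with one access
# router per site hanging off each of them. Links are bidirectional.
LINKS = [
    ("R1", "R2"), ("R2", "R3"), ("R3", "R4"), ("R4", "R1"),
    ("R1", "R5"), ("R2", "R6"), ("R3", "R9"), ("R4", "R10"),
]
# The access routers that get 'eigrp stub' in part 2 (assumed roles here).
ACCESS_ROUTERS = frozenset({"R5", "R6", "R9", "R10"})


def build_adjacency(links):
    """Undirected adjacency map from a list of (a, b) links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def query_scope(links, origin, stubs=frozenset()):
    """Return the set of routers (excluding `origin`) that receive a query
    and go Active when `origin` loses a prefix with no feasible successor."""
    adj = build_adjacency(links)
    queried = {origin}  # origin is already Active; never re-query it
    pending = deque([(origin, None)])  # (router, neighbor the query came from)
    while pending:
        router, came_from = pending.popleft()
        for neighbor in adj[router]:
            # Split horizon, stub suppression, and no duplicate queries.
            if neighbor == came_from or neighbor in stubs or neighbor in queried:
                continue
            queried.add(neighbor)
            pending.append((neighbor, router))
    return queried - {origin}


def compare_scopes(links, origin, stubs):
    """Query scope before and after marking `stubs` as EIGRP stub routers."""
    return {
        "no stub": sorted(query_scope(links, origin)),
        "stub": sorted(query_scope(links, origin, stubs)),
    }


if __name__ == "__main__":
    # R5 shuts down one of its connected prefixes, as in part 2 of the series.
    for label, routers in compare_scopes(LINKS, "R5", ACCESS_ROUTERS).items():
        print(f"{label:8}: {len(routers)} routers queried -> {routers}")
```

With no stubs, R5's lost prefix puts every other router in the topology into Active state; once the access routers are stubs, the query stays inside the distribution ring (R1-R4), and the ring routers no longer wait on replies from the access sites. That shrinking of the query scope is what 'eigrp stub' buys you, and it is the reason the access routers should carry no transit paths the rest of the network depends on.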