Microsoft MFA login with Fortigate and Forticlient for SSLVPN

Since I am tired of being a beta tester for Cisco products, I decided to try a different firewall this time around for my company. I looked at both Fortigate and Palo Alto, as they seemed to be the leaders in the market right now. I did a bake-off of features/functionality vs cost and Fortigate came out as the winner. The firewall was implemented with minimal issues and has been working flawlessly for us. While we were on this project we were also in the process of moving to Azure AD, so I decided to combine Microsoft MFA with our new firewall/VPN solution to save ourselves some money, since then we wouldn’t need another 2-factor solution.

I went through the documentation from Fortigate and Microsoft on setting up the SAML authentication and it was pretty good for the most part. Here is the main document that I followed to get everything set up:
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial
I did run into a few issues that I had to fix to get everything working with group memberships, so that users could log in based on their group and would have the correct policy applied to them.

Here are some things to be aware of and the changes I needed to make:

1. You must be on the 6.4.x code for Fortigate. There are issues with the lower code versions and SAML not working correctly or populating the tables with the necessary information.
2. Wipe out all of the extra entries under User Attributes & Claims in Azure AD. The only claims left should be the two that the Fortigate configuration below maps: username and group.
3. Here is the necessary configuration on the Fortigate side:
config user saml
    edit "azure"
        set cert "Fortinet_Factory"
        set entity-id "https://XXXXXXX/remote/saml/metadata"
        set single-sign-on-url "https://XXXXXX/remote/saml/login"
        set single-logout-url "https://SSSSSSSS/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/6XXXXXXX/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/XXXXX/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set group-name "group"
    next
end
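
To see what the user-name/group mapping above actually consumes, here is an added example (not from the original post or from Fortinet) that parses a constructed SAML Response carrying only the username and group claims, checks the issuer and audience against the configured entity-ids, and maps an Azure AD group object-id to a VPN user group. The entity-ids, group object-ids and the group_map lookup are assumed placeholders; the post redacts its own values.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed values (the post redacts its own): Azure AD issuer and the SP entity-id.
IDP_ENTITY_ID = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
SP_ENTITY_ID = "https://vpn.example.com/remote/saml/metadata"

# Constructed sample response carrying only the two claims the post keeps.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://vpn.example.com/remote/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>GROUP-OBJECT-ID-1</saml:AttributeValue>
        <saml:AttributeValue>GROUP-OBJECT-ID-2</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_claims(xml_text, idp_entity_id=IDP_ENTITY_ID, sp_entity_id=SP_ENTITY_ID):
    """Return {'username': str, 'group': [ids]} or raise ValueError (signature check omitted)."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("response not issued by the configured idp-entity-id")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    if sp_entity_id not in [a.text for a in assertion.iterfind(".//saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this SP's entity-id")
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in assertion.iterfind(".//saml:Attribute", NS)}
    if len(attrs.get("username", [])) != 1:
        raise ValueError("expected exactly one 'username' claim")
    return {"username": attrs["username"][0], "group": attrs.get("group", [])}


def vpn_group_for(claims, group_map):
    """Map the first group object-id present in the assumed group_map to a VPN user group."""
    for gid in claims["group"]:
        if gid in group_map:
            return group_map[gid]
    return None  # no matching group: the user should get no VPN policy at all
```

The Fortigate itself verifies the assertion signature with the idp-cert configured above; this example only shows the issuer/audience/claim checks that sit behind the group-based policy mapping.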

After these changes everything worked perfectly. I am now in the process of rolling out our new VPN to the users in the company along with the Microsoft MFA client.

Sony A9ii Settings for airplane photography

Here are the settings that I am using on my Sony A9ii for taking pictures of airplanes while they are in the air. The lens I use for this most days is the 100-400.

Aperture – F14 or below so that Phase Detect will still work for the auto focus
Raw or JPG – RAW, since the camera is so fast it can keep up with just about anything
Metering Mode – Spot so that I can capture the frame
Shutter Speed – As low as 1/160 for prop planes; for jets, as fast as possible to catch them as they fly by.
Focus Mode – Continuous + Wide with Tracking, the camera auto focus is so fast that it catches the planes pretty quickly
Exposure Compensation – usually +2/3 if it’s a dark plane on a bright sunny day; this helps bring out the colors of the plane.
Frame Rate – Continuous Mid – I find that high fills the buffer and mid gets more than enough shots.
ISO – as low as possible, unless it’s an overcast day, in which case I will move it to Auto ISO to maintain the shutter speed when needed.

Setting up the WLANPi as a remote capture device for Mac OS over USB

I wanted the ability to bring up Wireshark on my Mac and then start taking packet captures with my WLANPi. I didn’t want to always have to sacrifice my wireless connection while I was doing it, since most recent Macs lack a dedicated ethernet interface and I don’t always have a dongle with me. My requirement was to keep everything as stock as possible, so that all I would have to do is hook the WLANPi up to my machine, ensure that it was running, and then take wireless packet captures.

  1. I copied over my public key to the WLANPi at its default address. I wanted it to be as simple as possible, and why mess with the generic user:
     ssh-copy-id -i ~/.ssh/id_rsa.pub wlanpi@wlanpi.local
  2. By following and using this wonderful GitHub project from Adrian Granados, there are only a few modifications that need to be made.
  3. When you are doing this part of his setup, the username will be wlanpi:
     $ sudo groupadd pcap
     $ sudo usermod -a -G pcap wlanpi
     $ sudo chgrp pcap /usr/sbin/tcpdump
     $ sudo chmod 750 /usr/sbin/tcpdump
     $ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
  4. In the remote capture config, servername is going to be wlanpi.local and username is going to be wlanpi.
     This is the tricky part: you need to specify your private key in the config, but you can’t browse to your .ssh directory by default. So when you click on the … and it brings up the directory window, press “Command + Shift + G” and then in the search field type ~/.ssh

75th Anniversary VJ Day Flyover

9/2/20 was the 75th Anniversary of the VJ Day Flyover. They flew the WW2 planes over Southern California. Since I was working from home and was able to take calls from my car, I went to the Chino Airport to stake out a spot to catch the planes as they flew over. It took a while, but I was able to get a couple of shots. I really hoped they were going to land, but they just flew over on their way back home. I shot the planes with my Sony A9II and the 100-400 lens at F16, 1/320, ISO 100.

Map of flyover

More Hummingbirds

Continuing to get up close and personal with those that share my backyard with me. I don’t think I can get much closer without losing most of them. I had to manually focus on a stand-in flower to try and get the birds in focus. This time it worked out well and I was able to use a remote trigger to capture with the camera on a tripod.
