Script to update Address entries in Fortigate

With our VPN being over-utilized I had to implement split tunneling on our VPN. However, there are some web services that require a known IP address to access. Unfortunately these services are on AWS, where the IP addresses change often. I built this script to look up the addresses and then update the Fortigate firewall's VPN routing list to make sure that the traffic goes over the VPN tunnel and through our known IP address to access the service.

#!/usr/bin/python3
# Update Epsilon on the Fortigate Firewall VPNs

from nslookup import Nslookup
from netmiko import ConnectHandler
import cred  # hostname and credentials live outside the script

device1 = {
    "host": cred.hostname,
    "username": cred.rancid_username,
    "password": cred.rancid_password,
    "device_type": "fortinet",
    "secret": cred.rancid_password,
}

# DNS server to query (use the resolver the VPN clients themselves use)
DNS_SERVER = ['x.x.x.x']


def lookup_domain(domain, file_config):
    # Queries the specified DNS server for the domain and writes one /32
    # address object per A record into the config file
    dns_query = Nslookup(dns_servers=DNS_SERVER)
    ips_record = dns_query.dns_lookup(domain)
    ordernumber = 1
    for x in ips_record.answer:
        file_config.write("edit " + domain + "_" + str(ordernumber) + '\n')
        file_config.write("set subnet " + x + " 255.255.255.255" + '\n')
        file_config.write("next" + '\n')
        ordernumber = ordernumber + 1


# Listing of the domains to query, one per line, rendered into a FortiOS
# 'config firewall address' block
with open("domains.txt", "r") as domain_file, open("config.txt", "w") as file_config:
    file_config.write("config firewall address" + '\n')
    for line in domain_file:
        line = line.rstrip('\n')
        if line:
            lookup_domain(line, file_config)
    file_config.write("end" + '\n')

# Connect to the Fortinet and write the config to the Fortigate
net_connect = ConnectHandler(**device1)
output2 = net_connect.send_config_from_file(config_file="config.txt")
net_connect.disconnect()
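As an added example (not the script above and not from the original post), here is a hardened version of the config-building step. It validates every DNS answer as an IPv4 address before it becomes a /32 subnet, drops duplicates and internal ranges so a bad answer never routes RFC1918 space over the tunnel, and sanitizes the object name so a domain name can only ever become an address object and not stray CLI tokens. The sample answers, the name-length limit and the blocked-range list are assumptions; the output is the same `config firewall address` block the script pushes with Netmiko.

```python
import ipaddress
import re

# Constructed sample input standing in for the nslookup answers the script
# collects: domain -> list of answer strings. The second entry carries a
# duplicate and a non-IP answer (a CNAME target) that must be rejected.
SAMPLE_ANSWERS = {
    "api.example.com": ["203.0.113.10", "203.0.113.11"],
    "sso.example.com": ["198.51.100.5", "198.51.100.5", "edge.example.net."],
}

# Assumed conservative limit for an address-object name; FortiOS names are
# short strings, so keep the character set tight as well.
NAME_MAX_LEN = 63
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")

# Ranges that must never be pushed as "route this over the VPN" objects.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def object_name(domain, index):
    """Build a safe address-object name such as api.example.com_1."""
    base = _UNSAFE.sub("_", domain.strip().rstrip("."))[:NAME_MAX_LEN - 4]
    return "%s_%d" % (base, index)


def valid_host_ips(answers):
    """Unique, non-internal IPv4 addresses from a DNS answer list, in order."""
    seen = []
    for answer in answers:
        try:
            ip = ipaddress.IPv4Address(answer)
        except ValueError:
            continue  # CNAME target, IPv6 or garbage: not a /32 subnet
        if any(ip in net for net in BLOCKED_RANGES):
            continue  # internal space must not be steered into the tunnel
        if ip not in seen:
            seen.append(ip)
    return seen


def build_address_config(resolved):
    """Render the FortiOS 'config firewall address' block, one /32 per IP."""
    lines = ["config firewall address"]
    for domain, answers in resolved.items():
        for index, ip in enumerate(valid_host_ips(answers), start=1):
            lines.append("edit %s" % object_name(domain, index))
            lines.append("set subnet %s 255.255.255.255" % ip)
            lines.append("next")
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_address_config(SAMPLE_ANSWERS))
```

Resolve against the same resolver the VPN clients use: AWS front ends rotate, so the answer set the script sees and the one a client sees can differ between runs, and the objects only help while they agree.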

Python script to pull IP addresses from Meraki and then update Microsoft trusted locations in Azure AD

I needed a script that would automatically get all of the IP addresses for my stores and then upload them to Microsoft on a weekly basis and create a trusted location. I did this so that we wouldn't have to use MFA for all of the stores and they would be able to log in with just their username and password. Since all of the data was sitting in Meraki, I decided to pull it from there and then upload it to Microsoft. Here is the script that goes through all of the wireless devices in my Meraki org, then updates Microsoft with that data and sends an email when it's been done successfully. I've posted the script for reference and anonymized the portions of the script that I didn't put into the cred.py file.

I used the wireless devices from the Meraki cloud because they were easier to pull out and integrate into the script.

I posted the code to my GitHub repository so that others can see what I did and make recommendations for changes or other things that should be added.

https://github.com/undrwatr/Update_Location

Future changes for the script:

Keep just one database of the IP addresses and update it as needed instead of creating a new site

Additional error checking in case the script doesn’t run
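As an added example (not the GitHub script and not code from the original post), here is the part of that job a reviewer cares most about: turning a device list into a trusted named location without letting a NAT-side or duplicate address in. It filters the wireless devices, rejects private and malformed addresses, builds the Microsoft Graph `ipNamedLocation` body from /32 ranges, and diffs the new set against the current one so a weekly run can update one location rather than create a new site each time. The device records, the `publicIp` field name, the Graph URL and body shape are assumptions.

```python
import ipaddress
import json
import urllib.request

# Constructed sample records standing in for a Meraki device-status listing.
# Field names are assumed. Includes a duplicate public IP, a private address,
# a non-wireless device and a device with no public IP, all to be dropped.
SAMPLE_DEVICES = [
    {"serial": "Q2XX-AAAA-0001", "model": "MR42", "publicIp": "203.0.113.10"},
    {"serial": "Q2XX-AAAA-0002", "model": "MR42", "publicIp": "203.0.113.10"},
    {"serial": "Q2XX-AAAA-0003", "model": "MR33", "publicIp": "198.51.100.7"},
    {"serial": "Q2XX-AAAA-0004", "model": "MR42", "publicIp": "192.168.1.20"},
    {"serial": "Q2XX-BBBB-0005", "model": "MX64", "publicIp": "203.0.113.99"},
    {"serial": "Q2XX-AAAA-0006", "model": "MR42", "publicIp": None},
]

# Anything in these ranges is the AP's inside address, not the store's egress.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# Assumed Graph endpoint for named locations.
GRAPH_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations"


def store_public_ips(devices, model_prefix="MR"):
    """Unique public IPv4 addresses of the wireless devices, sorted."""
    ips = set()
    for device in devices:
        if not str(device.get("model", "")).startswith(model_prefix):
            continue
        raw = device.get("publicIp")
        if not raw:
            continue
        try:
            ip = ipaddress.IPv4Address(raw)
        except ValueError:
            continue
        if any(ip in net for net in INTERNAL_RANGES):
            continue  # trusting an RFC1918 address would trust nothing useful
        ips.add(ip)
    return sorted(ips)


def named_location_payload(display_name, ips):
    """Graph API body for a trusted ipNamedLocation built from /32 ranges."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange",
             "cidrAddress": "%s/32" % ip}
            for ip in ips
        ],
    }


def diff_ranges(current_cidrs, new_cidrs):
    """(added, removed) between the location as it is and as it should be."""
    current, new = set(current_cidrs), set(new_cidrs)
    return sorted(new - current), sorted(current - new)


def post_named_location(token, payload, opener=urllib.request.urlopen):
    """Create the location; returns the HTTP status. Not exercised offline."""
    req = urllib.request.Request(
        GRAPH_URL, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with opener(req) as resp:
        return resp.status


if __name__ == "__main__":
    ips = store_public_ips(SAMPLE_DEVICES)
    print(json.dumps(named_location_payload("Store APs", ips), indent=2))
```

The added/removed lists are what belongs in the completion e-mail: a trusted location is an MFA bypass, so the run should report exactly which addresses gained or lost that trust.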

Microsoft MFA login with Fortigate and Forticlient for SSLVPN

Since I am tired of being a beta tester for Cisco products, I decided to try a different firewall this time around for my company. I looked at both Fortigate and Palo Alto, as they seemed to be the leaders in the market right now. I did a bake-off of features/functionality vs cost and Fortigate came out as the winner. The firewall was implemented with minimal issues and has been working flawlessly for us. While we were on this project we were also in the process of moving to Azure AD, so I decided to combine the Microsoft MFA with our new firewall/VPN solution to save ourselves some money, since then we wouldn't need another 2-factor solution.

I went through the documentation from Fortigate and Microsoft on setting up the SAML authentication and it was pretty good for the most part. Here was the main document that I followed to get everything setup:
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial
I did run into a few issues that I had to fix to get everything working with group memberships, so that users would be enabled to log in based on their group and would have the correct policy applied to them.

Here are some things to be aware of and the changes I needed to make:

1. You must be on the 6.4.x code for Fortigate. There are issues with the lower code versions, with SAML not working correctly or not populating the tables with the necessary information.
2. Wipe out all of the extra entries under User Attributes & Claims in Azure AD. This is all you should have:
[screenshot of the Azure AD User Attributes & Claims list]
3. Here is the necessary configuration on the Fortigate side:
config user saml
edit "azure"
set cert "Fortinet_Factory"
set entity-id "https://XXXXXXX/remote/saml/metadata"
set single-sign-on-url "https://XXXXXX/remote/saml/login"
set single-logout-url "https://SSSSSSSS/remote/saml/logout"
set idp-entity-id "https://sts.windows.net/6XXXXXXX/"
set idp-single-sign-on-url "https://login.microsoftonline.com/XXXXX/saml2"
set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
set idp-cert "REMOTE_Cert_2"
set user-name "username"
set group-name "group"
next
end

After these changes everything worked perfectly; I am now in the process of rolling out our new VPN to the users in the company along with the Microsoft MFA client.

Setting up the WLANPi as a remote capture device for Mac OS over USB

I wanted the ability to bring up Wireshark and then start taking packet captures with my wlanpi from my Mac. I didn't want to always have to sacrifice my wireless connection while I was doing it, since most recent Macs lack a dedicated ethernet interface and I don't always have a dongle with me. My requirement, though, was to keep everything as stock as possible, so that all I would have to do is hook the wlanpi up to my machine, ensure that it was running, and then be able to take wireless packet captures.

  1. I copied over my public key to the wlanpi under the default address. I wanted it to be as simple as possible, and why mess with the generic user: ssh-copy-id -i ~/.ssh/id_rsa.pub wlanpi@wlanpi.local
  2. By following and using this wonderful github project from Adrian Granados there are only a few modifications that need to be made.
  3. When you are doing this part of his setup, the username will be wlanpi:
     $ sudo groupadd pcap
     $ sudo usermod -a -G pcap wlanpi
     $ sudo chgrp pcap /usr/sbin/tcpdump
     $ sudo chmod 750 /usr/sbin/tcpdump
     $ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
  4. servername is going to be wlanpi.local
     username is going to be wlanpi
     This is the tricky part: you need to specify your private key in the config, but you can't browse to your .ssh directory by default. So when you click on the ... and it brings up the directory window, press "Command + Shift + G" and then in the search field type ~/.ssh

Passing the CWSP – PearsonVue Online

I passed the CWSP on my first try last week, which I was happy about. With Covid-19 running rampant and changing things, I had to take the test at home with PearsonVue. I liked the idea of testing at home and ran through all of the steps that PearsonVue recommended. However, that didn't stop me from needing to reboot my machine multiple times and having to spend quite a bit of time trying to get set up and talking to their online people over chat. It took about 30 minutes for them to finally present the test and for me to be able to take it online successfully.

Once I finally got the technical issues resolved with their service and was able to take the test, I was surprised at how quickly it went, and I was glad I could do it at home, seeing as it would have taken me longer to drive to and from the testing center than to take the test. The content was tough, as I deal with it almost every day in regards to network security and trying to build a secure network.

So now I get to display this logo:

[CWSP logo]

My next exam is going to be the CWDP and given the fact that I am still working from home and testing centers aren’t open I will be taking this one also at home. Hopefully the whole testing experience will go better.

How to rebuild an F5 Physical Load Balancer

Because I forget this, and it always seems to cause me more pain than it should to have to rebuild one. I've had this happen 3 times in the 8 years of dealing with the physical 1600 LTMs; all of them failed due to some power problem that won't let them start up completely, and I end up spending 8 or more hours having to rebuild them and figure out what the heck happened to them. Luckily they have always been in a fault tolerant pair, so I haven't been down completely, but I have never wanted to push the amount of time one is down because of how important they are to my company.

Steps:

Call into Support and open a ticket with the s/n of the failed unit and the error message on the screen.

If you don’t already have enhanced 4 hour replacement ask for an upgrade to it via credit card. Waiting more than 4 hours is very painful and dangerous for us.

Wait 4 hours for the new unit to come in.

While waiting:
Unrack the currently failed unit making sure that all of the cables are correctly labeled and ready to be plugged into the new unit.

Download the current version ISO along with any hot fixes to match the current install version. Download your latest backup for the unit and have it all ready and waiting to go on your laptop.

On the active unit make sure to clear out any ssh keys if needed from the failover interface

Also Reset the Device Trust under Device Management/Device Trust on the active unit

When the new unit finally arrives rack it and plug in at least the serial cable and the management ethernet cable. Before powering on plug in the recovery USB stick if it came with one that has the version of LTM that you need on it. This will greatly simplify the upgrade process and get it to at least the major version you need.

Once the unit has been upgraded to at least the major base version that you need, log in via the serial console with root/default and type config. This will let you set the management IP address for the unit.

Once the management address is set, connect to it via the browser with admin/default and start going through the licensing and configuration process.

Upload the hot fixes if necessary to the replacement unit and update to the version needed to restore the backup file. Once the hot fixes are done updating, go ahead and restore the backup to the replacement unit.

Hookup the failover ethernet cable.

Set back up the HA configuration between the units and ensure that you can ssh between the units on their failover interfaces.

Push the configuration from the Active unit to the new unit with an override. If it fails or there is any issue during the sync, run this command on the new unit to see what the issue is:

tmsh show cm sync-status

Once it’s all done and happy it should be back in sync and in an active/standby state.

Then plug in the last of the cables for the internal/external interfaces and then you should be done.

Pack the old unit up and ship it out.

Reboot Meraki APs

I have found myself several times over the last couple of months needing to reboot all of the APs within a Meraki network, sometimes due to changes and sometimes due to them not responding for some reason. There really isn't a clean way of going through and rebooting them aside from one at a time within the console. I thought, hey, I can make this one better and do it via the API. So I went through and built this script to allow someone to put in the Org id; it will then pull back all of the networks that are in that Org and allow you to choose one in which to reboot all of the APs. It will ask whether it should go as fast as possible or whether you would like to put in a delay so that they don't all go down at the same time. I've tested it a couple of times and everything works as it's supposed to. As always I look forward to any comments or updates that I can put into the code to make it better.

https://github.com/undrwatr/MERAKI_AP_REBOOT

As usual my code isn't fancy or special, just serviceable and able to get done what I need and save me some time and headaches.
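As an added example (not the GitHub script and not code from the original post), here is the core of a staggered reboot: pick the APs out of a network's device list, build a plan of who reboots after what delay, and execute it with the sleep and the HTTP call injected so the plan can be dry-run before it touches production. The sample device list is constructed, and the Dashboard API v1 reboot path is an assumption.

```python
import time
import urllib.request

# Constructed sample device list standing in for a network's device listing.
SAMPLE_DEVICES = [
    {"serial": "Q2XX-AAAA-0001", "model": "MR42", "name": "store-ap-1"},
    {"serial": "Q2XX-BBBB-0002", "model": "MX64", "name": "store-fw"},
    {"serial": "Q2XX-AAAA-0003", "model": "MR33", "name": "store-ap-2"},
    {"serial": "Q2XX-AAAA-0004", "model": "MR42", "name": "store-ap-3"},
]

# Assumed Meraki Dashboard API v1 endpoint for a per-device reboot.
REBOOT_URL = "https://api.meraki.com/api/v1/devices/%s/reboot"


def plan_reboots(devices, delay_seconds=0):
    """[(serial, seconds to wait before this reboot)] for every AP (model MR*).

    With delay_seconds > 0 the APs go down one after another rather than the
    whole site losing wireless at once; the first one never waits.
    """
    aps = [d for d in devices if str(d.get("model", "")).startswith("MR")]
    return [(d["serial"], 0 if i == 0 else delay_seconds) for i, d in enumerate(aps)]


def reboot_device(api_key, serial, opener=urllib.request.urlopen):
    """POST the reboot and return the HTTP status. Not exercised offline."""
    req = urllib.request.Request(
        REBOOT_URL % serial, data=b"", method="POST",
        headers={"X-Cisco-Meraki-API-Key": api_key,
                 "Content-Type": "application/json"})
    with opener(req) as resp:
        return resp.status


def run_plan(api_key, plan, reboot=reboot_device, sleep=time.sleep):
    """Execute the plan in order; returns [(serial, status)].

    Pass reboot=lambda k, s: 202 and a recording sleep for a dry run.
    """
    results = []
    for serial, wait in plan:
        if wait:
            sleep(wait)
        results.append((serial, reboot(api_key, serial)))
    return results


if __name__ == "__main__":
    # Dry run: print what would happen without calling the API.
    for serial, status in run_plan("not-a-real-key", plan_reboots(SAMPLE_DEVICES, 30),
                                   reboot=lambda k, s: "dry-run",
                                   sleep=lambda n: print("wait %ds" % n)):
        print(serial, status)
```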

Retrieve SSID info from Meraki Wireless Network

I support multiple Meraki Wireless networks and I wanted the ability to pull in pertinent data from the wireless networks that I support. This will allow me to pull in the data and then upload it into the wireless mapping programs and design software. This will also allow me to easily pull the channels, power settings, SSIDs, and other pertinent information. Here is the link to my GitHub site where I will be keeping the most up to date program as I fix things and work to improve it.

#!/usr/bin/env python

# import necessary modules
import cred
import requests

# Meraki site information
MERAKI_DASHBOARD = 'https://api.meraki.com'
HEADERS = {'X-Cisco-Meraki-API-Key': cred.key, 'Content-Type': 'application/json'}
# NETWORK = input(str("What network are we looking at? "))
NETWORK = cred.network
NETWORK_URL = MERAKI_DASHBOARD + '/api/v0/networks/%s/devices' % NETWORK
NETWORK_GET = requests.get(NETWORK_URL, headers=HEADERS)
NETWORK_RESPONSE = NETWORK_GET.json()


# Create a function to pull in the wireless status (SSIDs, band, channel,
# power) for one device
def WIRELESS_SETTINGS(DEVICE):
    WIRELESS_SETTINGS_URL = MERAKI_DASHBOARD + '/api/v0/networks/%s/devices/%s/wireless/status' % (NETWORK, DEVICE['serial'])
    WIRELESS_SETTINGS_GET = requests.get(WIRELESS_SETTINGS_URL, headers=HEADERS)
    WIRELESS_SETTINGS_RESPONSE = WIRELESS_SETTINGS_GET.json()
    for SSIDS in WIRELESS_SETTINGS_RESPONSE['basicServiceSets']:
        if SSIDS['enabled'] == True:
            print("SSID " + SSIDS['ssidName'] + " BAND " + SSIDS['band'] + " BSSID " + str(SSIDS['bssid']) + " Channel " + str(SSIDS['channel']) + " Power " + str(SSIDS['power']))


# Loops through the network and the devices to find all of the information.
for DEVICE in NETWORK_RESPONSE:
    if DEVICE['model'] == "MR42":
        print("AP " + DEVICE['name'])
        WIRELESS_SETTINGS(DEVICE)

Passing the CWAP

Last weekend I was able to pass the CWAP exam on my second attempt. The first time through the exam I was thrown by some of the questions and didn't have as good a grasp on some of the random things that were asked for. So I spent 2 weeks between exam takes watching all of the videos again and then going through all of my notes and flash cards that I had made. I also spent a good amount of time looking at packet traces and figuring out where all of the information is and how Transmit Beamforming works with NDP. Overall I felt it was a good exam, even though it took me two times to pass it. I definitely feel a lot better now about the information and that I was able to absorb it for the exam. So now I get to use the cool CWAP image for things: [CWAP logo] My next exam will be the CWSP exam as I work my way through to the CWNP.

Here are some of the resources that I used while studying for the CWAP:
CWNP – Video training
CWNP – Practice Tests
WIFItraining – CWAP Workbook
CWNP – Official CWAP Study Guide

One Source of the truth for IP Addressing

I’ve been working on my python programming skills and using scripts to configure all of my Meraki equipment through their API and cloud platform. It’s been a lot of work building the scripts and working through some of the limitations that are inherent in Meraki’s cloud and also in the way we manage our environment. I have over 1500 stores and use 2 /28 ranges for each store and I have been trying to use a formal IP management solution that would support it. Unfortunately after looking at Solarwinds, Bluecat, and other IPAMs I didn’t find what I wanted. I ended up going with a MS SQL Database that I can call via PYODBC and get the data based on the store#. This also allows me to put in other specialized information and I can basically build out what I need then call it from within my python programs.
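As an added example (not the author's database or code), here is the lookup pattern that a store-number-keyed source of truth needs to get right: the store number is validated and bound as a query parameter rather than formatted into the SQL, each returned range is checked to be the /28 the design expects, and the result is turned into the kind of payload a Meraki configuration script consumes. The example uses sqlite3 in memory so it runs offline; the schema, rows, VLAN ids and Meraki field names are assumptions, and the same `?` placeholder style works with pyodbc against SQL Server.

```python
import ipaddress
import sqlite3

# Constructed schema and rows standing in for the MS SQL table (assumed).
SCHEMA = """
CREATE TABLE store_subnets (
    store_number INTEGER NOT NULL,
    role         TEXT    NOT NULL,
    subnet       TEXT    NOT NULL,
    PRIMARY KEY (store_number, role)
)"""
SAMPLE_ROWS = [
    (101, "data", "10.1.1.0/28"),
    (101, "voice", "10.1.1.16/28"),
    (102, "data", "10.1.2.0/28"),
    (102, "voice", "10.1.2.16/28"),
]

# Assumed mapping of subnet role to Meraki VLAN id.
VLAN_IDS = {"data": 10, "voice": 20}


def open_sample_db():
    """In-memory stand-in for the pyodbc connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO store_subnets VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def store_subnets(conn, store_number):
    """{role: IPv4Network} for one store.

    The store number is coerced to int (so '101 OR 1=1' fails here) and then
    bound as a parameter; the SQL text never contains user input.
    """
    store_number = int(store_number)
    rows = conn.execute(
        "SELECT role, subnet FROM store_subnets WHERE store_number = ?",
        (store_number,)).fetchall()
    result = {}
    for role, subnet in rows:
        net = ipaddress.IPv4Network(subnet)
        if net.prefixlen != 28:
            raise ValueError("store %d %s is %s, expected a /28" % (store_number, role, net))
        result[role] = net
    return result


def vlan_payloads(subnets, vlan_ids=None):
    """Meraki appliance VLAN bodies (field names assumed) from the lookup:
    the gateway is the first usable host of each /28, roles in sorted order."""
    vlan_ids = VLAN_IDS if vlan_ids is None else vlan_ids
    return [
        {"id": vlan_ids[role], "name": role, "subnet": str(subnets[role]),
         "applianceIp": str(subnets[role].network_address + 1)}
        for role in sorted(subnets)
    ]


if __name__ == "__main__":
    conn = open_sample_db()
    for vlan in vlan_payloads(store_subnets(conn, 101)):
        print(vlan)
```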

Obviously I would never be confused with a web designer of any sort. However, what it is, is quick and easy to use. The ASP page pulls up fast and things can be added and removed within a few minutes. The amount of time I was going to have to spend in a formal solution was just more time than I had. The downside of course is that if I leave, someone else has to learn what I did and then take over the support of it. That will however be a problem for a different day, unless of course I find a great solution that allows me to treat everything separately and not as part of a huge network.