For my job I am in the process of migrating from an ASA to FortiGate firewalls. Part of this has been moving the configuration that we already have in place on the ASA and translating it to FortiGate. I needed to convert several address lists. Some of those address lists were hundreds of addresses long and I didn't want to type those in. So I started using my Python skills to build out the configuration by taking in a list of the IP addresses and then outputting the configuration needed for the FortiGate firewall.
Here is the current version of that script:
# variables needed throughout:
file = input("Name of file? ")
title = input("Name of hosts and group? ")
addresses = open(file, "r")
print("config firewall address")
incr = 1
host_entries = "set member"
for address in addresses:
    address = address.rstrip("\n")
    if not address:          # skip blank lines so they don't become empty objects
        continue
    name = "H_" + title + str(incr)
    print('edit "' + name + '"')
    host_entries = host_entries + ' "' + name + '"'
    print("set subnet " + address + " 255.255.255.255")
    print("next")            # every edit must be closed with next
    incr = incr + 1
addresses.close()
print("end")                 # closes config firewall address
print("config firewall addrgrp")
print('edit "G_' + title + '"')
print(host_entries)          # the set member line built up in the loop
print("next")
print("end")
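A more defensive version of the same converter, added here as an example rather than the post's own script: it accepts both bare hosts and CIDR networks, validates every line with the ipaddress module before emitting anything (so a typo in a hundreds-long list fails loudly instead of producing a config the FortiGate rejects), and closes every edit and config block the way the CLI parser expects. The address list embedded below is constructed, and the H_/G_ naming follows the post.

```python
"""Added example (not the original post's script): build FortiGate address
objects plus an address group from a text list of IPv4 hosts and CIDR
networks, validating each line with ipaddress before anything is emitted."""
import ipaddress

# Constructed sample input: a host, a network, a /32, a comment and a blank line.
SAMPLE_LIST = """\
10.1.2.3
192.168.10.0/24   # lab network
172.16.5.77/32

"""


def parse_address_list(text):
    """Return a list of IPv4Network objects, one per non-blank line.

    Malformed lines raise ValueError with the line number. strict mode is
    kept so that '192.168.10.5/24' (host bits set) is reported rather than
    silently turned into 192.168.10.0/24. IPv6 is rejected because it
    belongs in 'config firewall address6', not 'config firewall address'.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # allow trailing comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line)     # strict=True is the default
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not a valid host or CIDR") from exc
        if net.version != 4:
            raise ValueError(f"line {lineno}: {line!r} is IPv6; not handled here")
        nets.append(net)
    return nets


def fortigate_config(title, nets):
    """Render the 'config firewall address' and 'config firewall addrgrp' blocks.

    Every 'edit' is closed with 'next' and every 'config' with 'end'; a bare
    host becomes a /32 (netmask 255.255.255.255) just like the post's script.
    """
    lines = ["config firewall address"]
    members = []
    for i, net in enumerate(nets, 1):
        name = f"H_{title}{i}"
        members.append(f'"{name}"')
        lines += [
            f'    edit "{name}"',
            f"        set subnet {net.network_address} {net.netmask}",
            "    next",
        ]
    lines += [
        "end",
        "config firewall addrgrp",
        f'    edit "G_{title}"',
        "        set member " + " ".join(members),
        "    next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(fortigate_config("Partner", parse_address_list(SAMPLE_LIST)))
```

Paste the output into the CLI (or push it with your normal config management); because the script refuses malformed lines up front, a bad entry is caught before it reaches the firewall.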
Since I am tired of being a beta tester for Cisco products, I decided to try a different firewall this time around for my company. I looked at both FortiGate and Palo Alto, as they seemed to be the leaders in the market right now. I did a bake-off of features/functionality vs. cost and FortiGate came out as the winner. The firewall was implemented with minimal issues and has been working flawlessly for us. While we were on this project we were also in the process of moving to Azure AD, so I decided to combine Microsoft MFA with our new firewall/VPN solution to save ourselves some money, since then we wouldn't need another two-factor solution.
I went through the documentation from Fortinet and Microsoft on setting up SAML authentication and it was pretty good for the most part. Here was the main document that I followed to get everything set up:
I did run into a few issues that I had to fix to get everything working with group memberships, so that users would be able to log in based on their group and would have the correct policy applied to them.
Here are some things to be aware of and the changes I needed to make:
1. You must be on 6.4.x code on the FortiGate. There are issues with lower code versions where SAML does not work correctly or does not populate the tables with the necessary information.
2. Wipe out all of the extra entries under User Attributes & Claims in the Azure AD enterprise application. This is all you should have:
3. Here is the necessary configuration on the FortiGate side. The settings live inside an entry under config user saml (the entry name, "azure" here, is whatever you choose and is what you reference from the user group later); the XXXX parts are your own FortiGate hostname and Azure tenant ID:
config user saml
    edit "azure"
        set cert "Fortinet_Factory"
        set entity-id "https://XXXXXXX/remote/saml/metadata"
        set single-sign-on-url "https://XXXXXX/remote/saml/login"
        set single-logout-url "https://SSSSSSSS/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/6XXXXXXX/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/XXXXX/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set group-name "group"
    next
end
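The idp-entity-id, the login URL and the signing certificate all come from the tenant's federation metadata document, and hand-typing them is where most SAML setups go wrong. The following script is an added example (not from the post, Fortinet or Microsoft): it parses a metadata document, pulls the HTTP-Redirect endpoints and the signing certificate, prints the certificate's SHA-256 fingerprint so you can confirm it matches what you imported as REMOTE_Cert_2, and renders the config user saml block. The metadata embedded below is constructed with an all-zero tenant ID and a placeholder certificate; the hostname vpn.example.com and the entry name "azure" are assumptions. It takes the logout URL from the metadata SingleLogoutService, which differs from the WS-Federation sign-out URL used in the config above.

```python
"""Added example: derive the idp-* values for FortiGate 'config user saml'
from an Azure AD federation metadata document (constructed sample below).
Not code from the original post or from Fortinet/Microsoft."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed metadata: placeholder tenant ID, and "YWJj" (base64 of "abc")
# standing in for the real DER certificate so the fingerprint is predictable.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>YWJj</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return entity ID, HTTP-Redirect SSO/SLO URLs and the signing cert fingerprint."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoint(tag):
        # FortiGate redirects the browser, so pick the HTTP-Redirect binding.
        for el in idp.findall(f"md:{tag}", NS):
            if el.get("Binding") == REDIRECT:
                return el.get("Location")
        raise ValueError(f"no HTTP-Redirect {tag} in metadata")

    cert_el = idp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
    )
    if cert_el is None or not cert_el.text:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode("".join(cert_el.text.split()))
    return {
        "idp_entity_id": root.get("entityID"),
        "idp_sso_url": endpoint("SingleSignOnService"),
        "idp_slo_url": endpoint("SingleLogoutService"),
        # Compare this against the certificate you imported as idp-cert.
        "idp_cert_sha256": hashlib.sha256(der).hexdigest(),
    }


def fortigate_saml_config(name, fgt_host, sp_cert, idp_cert_name, idp):
    """Render the 'config user saml' block with the claim names the post uses."""
    base = f"https://{fgt_host}/remote/saml"
    return "\n".join([
        "config user saml",
        f'    edit "{name}"',
        f'        set cert "{sp_cert}"',
        f'        set entity-id "{base}/metadata"',
        f'        set single-sign-on-url "{base}/login"',
        f'        set single-logout-url "{base}/logout"',
        f'        set idp-entity-id "{idp["idp_entity_id"]}"',
        f'        set idp-single-sign-on-url "{idp["idp_sso_url"]}"',
        f'        set idp-single-logout-url "{idp["idp_slo_url"]}"',
        f'        set idp-cert "{idp_cert_name}"',
        '        set user-name "username"',   # must match the Azure claim names
        '        set group-name "group"',
        "    next",
        "end",
    ])


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    print("signing cert sha256:", idp["idp_cert_sha256"])
    print(fortigate_saml_config("azure", "vpn.example.com", "Fortinet_Factory",
                                "REMOTE_Cert_2", idp))
```

Fetch the real document over HTTPS from https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml and feed it to parse_idp_metadata. The fingerprint check matters because idp-cert is the only thing the FortiGate uses to decide whether an assertion is genuine; a stale or wrong imported certificate either breaks login or, worse, trusts the wrong signer.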
After these changes everything worked perfectly. I am now in the process of rolling out our new VPN to the users in the company along with the Microsoft MFA client.
Here are the settings that I am using on my Sony A9ii for taking pictures of airplanes while they are moving through the air. The lens I use for this most days is the 100-400.
Aperture – F14 or below, so that phase detect will still work for the autofocus.
RAW or JPG – RAW; since the camera is so fast it can keep up with just about anything.
Metering Mode – Spot, so that I can capture the frame.
Shutter Speed – trying to get as low as 1/160 for prop planes; for jets, as fast as possible to catch them as they fly by.
Focus Mode – Continuous + Wide with Tracking; the camera's autofocus is so fast that it catches the planes pretty quickly.
Exposure Compensation – usually +2/3 if it's a dark plane on a bright sunny day; this helps bring out the colors of the plane.
Frame Rate – Continuous Mid; I find that High fills the buffer and Mid gets more than enough shots.
ISO – as low as possible, unless it's an overcast day, and then I will move it to Auto ISO to maintain the shutter speed when needed.
I wanted the ability to bring up Wireshark and then start taking packet captures with my wlanpi from my Mac. I didn't want to always have to sacrifice my wireless connection while I was doing it, since most recent Macs lack a dedicated Ethernet interface and I don't always have a dongle with me. My requirements, though, were to keep everything as stock as possible, so that all I would have to do is hook the wlanpi up to my machine, ensure that it was running, and then be able to take wireless packet captures.
- I copied my public key over to the wlanpi at its default address. I wanted it to be as simple as possible, and why mess with the generic user: ssh-copy-id -i ~/.ssh/id_rsa.pub wlanpi@<wlanpi address>
By following and using this wonderful GitHub project from Adrian Granados, there are only a few modifications that need to be made.
When you are doing this part of his setup, the username will be wlanpi. The chgrp and chmod 750 steps matter: they keep the capability-bearing tcpdump runnable only by members of the pcap group, so setcap does not hand raw packet capture to every local account on the wlanpi.
$ sudo groupadd pcap
$ sudo usermod -a -G pcap wlanpi
$ sudo chgrp pcap /usr/sbin/tcpdump
$ sudo chmod 750 /usr/sbin/tcpdump
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
servername is going to be wlanpi.local
username is going to be wlanpi
This is the tricky part: you need to specify your private key in the config, but you can't browse to your .ssh directory by default. So when you click on the … and it brings up the directory window, press Command + Shift + G and then type ~/.ssh in the search field.
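What the sshdump extcap does behind the dialog above is run tcpdump on the wlanpi over SSH and pipe the pcap stream into Wireshark. The script below is an added example, not part of the post or of Adrian Granados's project: build_capture_cmd prints the equivalent manual pipeline (handy when the extcap misbehaves or when you want the same capture from a terminal), and check_tcpdump_caps reads a getcap line for /usr/sbin/tcpdump and confirms both capabilities from the setcap step are present, which is what lets the unprivileged wlanpi user capture without sudo. The host wlanpi.local, user wlanpi, key path and interface name wlan0 are assumptions; the getcap lines checked in the usage are constructed.

```sh
#!/bin/sh
# Added example (not from the original post or the wlanpi project):
# the manual equivalent of the Wireshark sshdump extcap, plus a check
# that tcpdump on the wlanpi carries the capabilities set with setcap.

# Print the pipeline that streams a live capture from the wlanpi into Wireshark.
# tcpdump -U -w - writes pcap to stdout packet by packet; wireshark -k -i -
# starts capturing immediately from stdin. A BPF filter such as
# "not port 22" keeps the SSH session itself out of the capture when the
# capture interface also carries the management traffic.
build_capture_cmd() {
    host=$1; user=$2; key=$3; iface=$4; filter=$5
    printf 'ssh -i %s %s@%s "tcpdump -i %s -U -w - %s" | wireshark -k -i -\n' \
        "$key" "$user" "$host" "$iface" "$filter"
}

# Given one line of getcap(8) output for tcpdump, return 0 when both
# cap_net_raw and cap_net_admin are effective (=eip or +eip depending on
# the libcap version), otherwise 1. Run on the wlanpi as:
#   check_tcpdump_caps "$(getcap /usr/sbin/tcpdump)"
check_tcpdump_caps() {
    case "$1" in
        *cap_net_admin*cap_net_raw[=+]eip*|*cap_net_raw*cap_net_admin[=+]eip*) return 0 ;;
    esac
    return 1
}

# Usage from the Mac (assumed host/user/key/interface):
#   eval "$(build_capture_cmd wlanpi.local wlanpi ~/.ssh/id_rsa wlan0 'not port 22')"
```

If check_tcpdump_caps fails, the setcap step did not stick (a package upgrade of tcpdump replaces the binary and drops the file capabilities), and the remote capture will come back empty or with a permission error until it is reapplied.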
Finally finished some post processing on the C-47 that I shot a little while ago. I’ve been practicing quite a bit with Lightroom and I am pretty happy with how this shot has finished off.
Continuing to get up close and personal with those that share my backyard with me. Don’t think I can get much closer without losing most of them. I had to manually focus on a stand-in flower to try and get the birds in focus. This time it worked out well and I was able to use a remote trigger to capture with the camera on a tripod.