Posts

Showing posts from 2023

3850 switch

Prepare the USB disk: the USB drive needs to be formatted as FAT (a.k.a. FAT16). From CMD on a Windows PC:

  diskpart
  list disk
  select disk <INDEX OF USB DISK>
  clean
  create part primary size=4000
  active

Then format it to FAT in Windows Explorer or Disk Management. Only the first 4 GB are formatted and usable by the device.

Install vs. Bundle mode: Install mode is the out-of-the-box (default) and recommended mode; it supports more features and uses fewer resources than bundle mode. To convert a bundle image to install mode, expand it into flash:

  Switch# software expand file flash:cat3k_caa-universalk9.SPA.03.02.02.SE.150-1.EX2.bin to flash:

Once this completes, you will have all the needed files in flash. You can then change the boot statement to boot to packages.conf:

  Switch# configure terminal
  Switch(config)# no boot system
  Switch(config)# boot system switch all flash:packages.conf     (do not modify this file unless necessary)
  Switch# write memory

The provisioning file (packages.conf) contains a list of software packages to boot, mount, and run. The ISO file system in each installed package is mounted to the root file system directly from flash. NO

IronPort ESA Notes

Issue: the ESA lost power; when it is back online after power is restored, the status shows:

  Paused on services: antispam

Solution (CLI):

  antispamupdate ironport force
  antivirusupdate force

Check the status:

  antispamstatus

VRF

Each customer has its own VRF so that customers can use overlapping networks. A route distinguisher (RD) distinguishes one set of routes (one VRF) from another: when VPN routes are advertised among PE routers via MP-BGP, the RD is included as part of the route along with the IP prefix.

  ip vrf Site_A
   rd 65000:10
  !
  ip vrf Site_B
   rd 65000:20
  !
  ip vrf Site_C
   rd 65000:30

Whereas route distinguishers are used to maintain uniqueness among identical routes in different VRFs, route targets (RTs) are used to share routes among them. We apply route targets to a VRF to control the import and export of routes between it and other VRFs.

  ip vrf Customer_A
   rd 65000:100
   route-target export 65000:100
   route-target import 65000:100

You can use the shortcut command route-target both as a macro to add both commands simultaneously.
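The two mechanisms above, RD for uniqueness and RT for import/export policy, modelled in a small Python script. This is an added example and not code from the original post; the VRF names, RD/RT values and prefixes are constructed for illustration, and the model goes slightly beyond the post by showing an extranet (a shared VRF that imports one customer's RT but not the other's).

```python
"""Added example, not part of the original post: a toy model of the two
mechanisms described above. The RD makes two identical customer prefixes
distinct entries in the VPNv4 table; route targets decide which VRFs import
a route. VRF names, RD/RT values and prefixes are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass(frozen=True)
class VpnRoute:
    rd: str                 # route distinguisher, e.g. "65000:10"
    prefix: str             # IPv4 prefix, e.g. "10.1.1.0/24"
    export_rts: frozenset   # RT extended communities attached on export


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: set = field(default_factory=set)
    import_rts: set = field(default_factory=set)
    local_routes: set = field(default_factory=set)


def route_target_both(vrf, rt):
    """Same effect as 'route-target both <rt>': export and import the RT."""
    vrf.export_rts.add(rt)
    vrf.import_rts.add(rt)


def advertise(vrfs):
    """PE export side: every local prefix becomes a VPNv4 route whose key is
    RD + prefix, so overlapping customer prefixes no longer collide."""
    table = {}
    for v in vrfs:
        for p in v.local_routes:
            route = VpnRoute(v.rd, str(ip_network(p)), frozenset(v.export_rts))
            table[(route.rd, route.prefix)] = route
    return table


def import_routes(vrf, vpnv4_table):
    """PE import side: a VRF installs a route from another RD when at least
    one RT carried by the route is in the VRF's import list. The RD is only
    used for uniqueness; what gets installed is the plain prefix."""
    return {r.prefix: r.rd for r in vpnv4_table.values()
            if r.rd != vrf.rd and r.export_rts & vrf.import_rts}


def demo():
    site_a = Vrf("Site_A", "65000:10", local_routes={"10.1.1.0/24"})
    site_b = Vrf("Site_B", "65000:20", local_routes={"10.1.1.0/24"})  # overlaps Site_A
    shared = Vrf("Shared", "65000:100", local_routes={"192.0.2.0/24"})
    for v, rt in ((site_a, "65000:10"), (site_b, "65000:20"), (shared, "65000:100")):
        route_target_both(v, rt)
    # Only Site_A is allowed to exchange routes with the shared VRF.
    site_a.import_rts.add("65000:100")
    shared.import_rts.add("65000:10")

    table = advertise([site_a, site_b, shared])
    return {
        "vpnv4_entries": len(table),                                   # 3: RD keeps A and B apart
        "distinct_prefixes": len({r.prefix for r in table.values()}),  # 2: same prefix twice
        "Site_A": import_routes(site_a, table),   # gets 192.0.2.0/24 from Shared
        "Site_B": import_routes(site_b, table),   # gets nothing
        "Shared": import_routes(shared, table),   # gets Site_A's 10.1.1.0/24, never Site_B's
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point the output makes is that the VPNv4 table holds three entries for only two distinct prefixes (the RD did its job), while which copy of 10.1.1.0/24 the shared VRF receives is decided entirely by the RTs, not by the RD.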

FortiManager

Reset:

  exe reset all-settings
  exe reset all-except-ip          !! keep interface and routing configuration
  exe format {disk} deep-erase

ISE Troubleshooting Notes

Check the ISE node role from the CLI:

  show tech-support
  *****************************************
  Displaying ISE deployment ...
  *****************************************
  Node Config Details
  NAME                PERSONA         ROLE       ACTIVE     REPLICATION
  ------------------- --------------- ---------- ---------- ---------------
  ISE30-A             PAN,MNT,PSN     PRIMARY    STANDBY    Not Applicable
  ISE30-B             PAN,MNT,PSN     SECONDARY  ACTIVE     SYNC COMPLETED
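When this check is run across many deployments, it helps to parse the table rather than eyeball it. The following Python script is an added example, not code from the original post: it parses the "Node Config Details" table as printed by show tech-support and flags a node that is configured PRIMARY but is not the ACTIVE one, or a SECONDARY whose replication has not completed. The SAMPLE text is constructed to match the output shown above.

```python
"""Added example, not part of the original post: parse the 'Node Config
Details' table printed by 'show tech-support' and flag nodes worth a closer
look. SAMPLE is constructed to match the output shown above."""
import re

SAMPLE = """\
*****************************************
Displaying ISE deployment ...
*****************************************
Node Config Details
NAME                PERSONA         ROLE       ACTIVE     REPLICATION
------------------- --------------- ---------- ---------- ---------------
ISE30-A             PAN,MNT,PSN     PRIMARY    STANDBY    Not Applicable
ISE30-B             PAN,MNT,PSN     SECONDARY  ACTIVE     SYNC COMPLETED
"""


def parse_deployment(text):
    """Return one dict per node row, keyed by the column names.

    Columns are separated by two or more spaces, so values that contain a
    single space ('SYNC COMPLETED', 'Not Applicable') survive the split."""
    lines = [l.rstrip() for l in text.splitlines()]
    hdr = next(i for i, l in enumerate(lines) if l.startswith("NAME "))
    cols = re.split(r"\s{2,}", lines[hdr].strip())
    nodes = []
    for line in lines[hdr + 1:]:
        if not line.strip() or line.startswith("---"):
            continue                      # blank line or dashed separator
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(cols):
            raise ValueError(f"unexpected row layout: {line!r}")
        row = dict(zip(cols, fields))
        row["PERSONA"] = row["PERSONA"].split(",")   # e.g. ['PAN', 'MNT', 'PSN']
        nodes.append(row)
    return nodes


def findings(nodes):
    """Sanity checks: a node configured PRIMARY that is not ACTIVE, and a
    SECONDARY whose replication is not 'SYNC COMPLETED', both deserve a look."""
    out = []
    for n in nodes:
        if n["ROLE"] == "PRIMARY" and n["ACTIVE"] != "ACTIVE":
            out.append(f"{n['NAME']}: configured PRIMARY but currently {n['ACTIVE']}")
        if n["ROLE"] == "SECONDARY" and n["REPLICATION"] != "SYNC COMPLETED":
            out.append(f"{n['NAME']}: replication state is {n['REPLICATION']}")
    return out


if __name__ == "__main__":
    nodes = parse_deployment(SAMPLE)
    for node in nodes:
        print(node["NAME"], ",".join(node["PERSONA"]), node["ROLE"], node["ACTIVE"])
    print(findings(nodes) or "no findings")
```

Feed it the saved output of show tech-support instead of SAMPLE to check a real deployment; the parser raises on a row whose field count does not match the header rather than silently misreading it.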

Windows 10 Firewall: Allow PING

  netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow

protocol=icmpv4:8,any matches ICMPv4 type 8 (echo request) with any code; dir=in makes it an inbound rule.

Fortinet Security Fabric

Core: a minimum of two FortiGate devices (one root and one or more downstream) plus at least one of FortiAnalyzer, FortiAnalyzer Cloud, or FortiGate Cloud.

LAB notes: on the FGT, adding the FAZ gave an error. From the CLI:

  exec log fortianalyzer test-connectivity
  Failed to get FAZ's status. SSL error. (-3)

Solution, on the FAZ:

  FAZVM64 # config system global
  (global)# set enc-algorithm low
  (global)# set ssl-low-encryption enable
  (global)# set oftp-ssl-protocol tlsv1.0
  (global)# end
  enc-algorithm setting change will cause all existing FGFM tunnel/WebService connection reset. Do you want to continue? (y/n)y

Each of these three settings lowers what the FAZ will accept on the FGFM/OFTP channel (weaker cipher suites, TLS 1.0); treat this as a lab workaround for a version mismatch, not as a production setting.

  Local-Fortigate # show system csf
  config system csf
      set status enable
      set group-name "fortinet"
      config trusted-list
          edit "xxxxx"
              set serial "xxxxx"
              set index 1
          next
      end
  end

  Local-Fortigate # show full system csf
  config system csf
  .....
      set downstream-access disable         !!Enable/disable downstream device access to t

WCCP and WSA

ASA: WCCP step by step configuration
https://community.cisco.com/t5/security-knowledge-base/asa-wccp-step-by-step-configuration/ta-p/3126636

WCCP on ASA: Concepts, Limitations, and Configuration
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116046-config-wccp-asa-00.html

The WSA sends WCCP2_HERE_I_AM; the ASA responds with WCCP2_I_SEE_YOU.

A service group is identified by Service Type and Service ID. There are two types of service groups: well-known services and dynamic services. A dynamic service group is defined on the WSA, which specifies its ports in the WCCP2_HERE_I_AM message; the ASA needs the corresponding service group configured.

1. Configure an access-list containing all members of the WCCP servers. In this lab, it is the WSA:

  ASA(config)# access-list wccp-servers permit ip host 10.1.1.50 any

2. Create an access-list of the traffic that needs to be redirected to WCCP. The access list should only contain network addresses; port-specific entries are not supported.

  access-lis

Ironport (WSA)

Get demo licenses from the Cisco license portal. To load a local license file, use the command "loadlicense" from an SSH session.

Fortigate VDOM

  # config system global
      set vdom-mode multi-vdom      <------- This should be typed in manually. There is no auto-display.
  end

  *** diag debug vm-print-license ***

Global settings
Global settings are configured outside of a VDOM. They affect the entire FortiGate and include settings such as interfaces, firmware, DNS, some logging and sandboxing options, and so on. Global settings should only be changed by the top-level administrator.

Global and per-VDOM resources
Global and per-VDOM resources can be configured when the FortiGate is in multi-VDOM mode. Global resources apply to resources that are shared by the whole FortiGate, while per-VDOM resources are specific to each VDOM. By default, all per-VDOM resource settings are set to have no limits. This means that any single VDOM can use all of the FortiGate device's resources.

VDOM types
Admin, Traffic, LAN extension
When the VDOM type is set to Admin, the VDOM is used to administer and manage the FortiGate. Usually, the Admin