Posts

Showing posts from August, 2023

Windows 10 Firewall Allows PING

  netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
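The rule above accepts ICMPv4 echo requests from any source address on every firewall profile. Added here as an example (not from the original post): the same netsh rule scoped to an assumed management subnet (10.0.0.0/24 and an assumed IPv6 prefix fd00:10::/64) and to the domain profile only, with the IPv6 counterpart and the commands to verify and remove it. The rule names are also assumptions.

```cmd
:: Added example. Assumed values: management subnet 10.0.0.0/24,
:: IPv6 prefix fd00:10::/64, and the rule names below.

:: IPv4 echo request (ICMPv4 type 8), allowed only from the management
:: subnet and only while the domain profile is active.
netsh advfirewall firewall add rule name="ICMPv4 echo request from mgmt" protocol=icmpv4:8,any dir=in action=allow remoteip=10.0.0.0/24 profile=domain

:: IPv6 echo request is ICMPv6 type 128.
netsh advfirewall firewall add rule name="ICMPv6 echo request from mgmt" protocol=icmpv6:128,any dir=in action=allow remoteip=fd00:10::/64 profile=domain

:: Verify the rule was created with the intended scope (RemoteIP, Profiles).
netsh advfirewall firewall show rule name="ICMPv4 echo request from mgmt" verbose
netsh advfirewall firewall show rule name="ICMPv6 echo request from mgmt" verbose

:: Remove the rules when they are no longer needed.
netsh advfirewall firewall delete rule name="ICMPv4 echo request from mgmt"
netsh advfirewall firewall delete rule name="ICMPv6 echo request from mgmt"
```

Run from an elevated command prompt. Restricting remoteip and profile keeps the host unreachable to echo requests from untrusted networks while still answering the monitoring hosts that need it.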

Fortinet Security Fabric

Core: a minimum of two FortiGate devices, one root and one or more downstream, plus at least one of FortiAnalyzer, FortiAnalyzer Cloud, or FortiGate Cloud.

LAB notes: on the FGT, adding the FAZ failed. From the CLI:

  exec log fortianalyzer test-connectivity
  Failed to get FAZ's status. SSL error. (-3)

Solution: on the FAZ:

  FAZVM64 # config system global
  (global)# set enc-algorithm low
  (global)# set ssl-low-encryption enable
  (global)# set oftp-ssl-protocol tlsv1.0
  (global)# end
  enc-algorithm setting change will cause all existing FGFM tunnel/WebService connection reset.
  Do you want to continue? (y/n)y

Caveat: enc-algorithm low, ssl-low-encryption and TLS 1.0 weaken the cipher suites and protocol version accepted on the FortiGate-to-FortiAnalyzer (OFTP/FGFM) channel. Treat this as a lab workaround that gets the handshake past a mismatch, not a production setting, and revert it once the cause of the SSL error has been fixed.

  Local-Fortigate # show system csf
  config system csf
      set status enable
      set group-name "fortinet"
      config trusted-list
          edit "xxxxx"
              set serial "xxxxx"
              set index 1
          next
      end
  end

  Local-Fortigate # show full system csf
  config system csf
  .....
      set downstream-access disable         !!Enable/disable downstream device access to t

WCCP and WSA

ASA: WCCP step by step configuration
https://community.cisco.com/t5/security-knowledge-base/asa-wccp-step-by-step-configuration/ta-p/3126636

WCCP on ASA: Concepts, Limitations, and Configuration
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116046-config-wccp-asa-00.html

Protocol exchange: the WSA sends WCCP2_HERE_I_AM; the ASA responds with WCCP2_I_SEE_YOU.

A service group is identified by Service Type and Service ID. There are two types of service groups:
  Well-known services
  Dynamic services
A dynamic service group is defined on the WSA, which specifies its ports in the WCCP2_HERE_I_AM message; the ASA must be configured with the corresponding service group.

1. Configure an access-list containing all members of the WCCP servers. In this lab, that is the WSA:
   ASA(config)# access-list wccp-servers permit ip host 10.1.1.50 any

2. Create an access-list of the traffic that needs to be redirected to WCCP. The access list should only contain network addresses. Port-specific entries are not supported.
   access-lis
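For reference, the ASA side of this procedure carried through to a complete configuration, added here as an example and not taken from the original post or the linked Cisco articles. It assumes the WSA at 10.1.1.50 from step 1, clients on 10.1.1.0/24 behind the "inside" interface, and a WSA dynamic service ID of 90; replace these with the addresses and the service ID the WSA actually advertises.

```text
! Added example (not from the original post). Assumptions: WSA at 10.1.1.50,
! clients on 10.1.1.0/24 entering via "inside", WSA dynamic service ID 90.

! Step 1: the WCCP servers (cache engines) allowed to join the service group.
access-list wccp-servers extended permit ip host 10.1.1.50 any

! Step 2: the client traffic to redirect. Network addresses only, no ports.
! The WSA's own address is denied first so nothing it sends upstream matches
! the redirect list.
access-list wccp-redirect extended deny ip host 10.1.1.50 any
access-list wccp-redirect extended permit ip 10.1.1.0 255.255.255.0 any

! Step 3: define the service groups. "web-cache" is the well-known service
! (ID 0); a dynamic service is referenced by the ID the WSA sends in HERE_I_AM.
! The password authenticates the WSA's HERE_I_AM messages; use the same value
! on the WSA's service group.
wccp web-cache redirect-list wccp-redirect group-list wccp-servers password <shared-secret>
wccp 90 redirect-list wccp-redirect group-list wccp-servers password <shared-secret>

! Step 4: apply ingress redirection on the interface where client traffic arrives.
wccp interface inside web-cache redirect in
wccp interface inside 90 redirect in

! Verify: the WSA should be listed for each service and the HERE_I_AM /
! I_SEE_YOU counters should increment.
show wccp
show wccp 90 detail
```

The group-list is what stops an arbitrary host from joining the service group and receiving redirected client traffic, and the password covers the case where an attacker can spoof 10.1.1.50; configure both rather than relying on the redirect-list alone.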

Ironport (WSA)

Get demo licenses from the Cisco license portal. To install a local license file, use the loadlicense command from an SSH session.

Fortigate VDOM

  # config system global
      set vdom-mode multi-vdom      <------- This should be typed in manually. There is no auto-display.
  end

  *** diag debug vm-print-license ***

Global settings
Global settings are configured outside of a VDOM. They affect the entire FortiGate and include settings such as interfaces, firmware, DNS, some logging and sandboxing options, and so on. Global settings should only be changed by the top-level administrator.

Global and per-VDOM resources
Global and per-VDOM resources can be configured when the FortiGate is in multi-VDOM mode. Global resources apply to resources shared by the whole FortiGate, while per-VDOM resources are specific to each VDOM. By default, all per-VDOM resource settings have no limits, which means any single VDOM can use all of the FortiGate device's resources; in a multi-tenant deployment, set per-VDOM limits explicitly so one VDOM cannot starve the others.

VDOM types
  Admin
  Traffic
  LAN extension
When the VDOM type is set to Admin, the VDOM is used to administer and manage the FortiGate. Usually, the Admin

EAP-TEAP

At least with Windows 10 build 2004 and ISE 2.7 Patch 2.

Using TEAP for EAP Chaining
https://www.ise-support.com/2020/05/29/using-teap-for-eap-chaining/

Unfortunately there is no native support for EAP-TEAP in Group Policy Objects for Windows Server 2019 and below. There is a workaround, however, to use TEAP anyway. In short, we configure TEAP on a Windows 10 client and export the settings. This file can then be used to import the settings into a GPO, even though they are not available for selection in the GUI.

Create TEAP GPO using Windows Server 2019 and Below
https://niksec.com/create-teap-gpo-using-windows-server-2019-and-below/

TEAP for Windows 10 using Group Policy and ISE TEAP Configuration
https://community.cisco.com/t5/security-knowledge-base/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289

Certificate-based EAP methods like EAP-TLS are generally considered more secure than password-based methods like PEAP-MSCHAPv2. See this blog for details on the two. Machine