Entries by talebi_it@yahoo.com

Migrating ASA to FTD

For this post, we will be discussing migrating an ASA with FirePOWER services to a Firepower Threat Defense (FTD) image on an ASA 5506-X appliance. At a high level, you reimage the ASA unit with a FTD then use the migration tool (if you have an existing ASA configuration) to import the ASA configuration into […]

DVTI on Hub-Spoke IKEV2

R1 —————– (config)#crypto pki certificate map CAMP 1 #issuer-name co talebi (config)# default crypto ikev2 proposal (config)# crypto ikev2 proposal default # encryption aes-cbc-256 # integrity sha256 # group 14 (config)# default crypto ikev2 policy (config)# crypto ikev2 profile IKEV2-Profile # identity local dn # match certificate CMAP # authentication remote rsa-sig # authentication local […]

FlexVPN – Part 2

-Proposal ==> Diffie-Hellman Group – Encryption – Integrity -Policy -Profile (match), (keyring) show crypto ikev2 proposal default show crypto ikev2 policy default show crypto ikev2 transform-set default show crypto ipsec profile default Changing the default proposal (config)# crypto ikev2 proposal default (config-ikev2-proposal)# encryption aes-cbc-256 (config-ikev2-proposal)# integrity sha256 (config-ikev2-proposal)# group 2 revert back the default proposal […]

FlexVPN: IKEV2 – Part 1

FlexVPN = IKEV2 + NGE (Next Generation Encryption) IKEV1 = phase 1 => negotiate phase 2 => IPSec Tunnel IKEV2 => Initial negotiation + IPSec Tunnel => proposals, key ring, policy, profile #show crypto ikev2 proposal default #show crypto ikev2 policy default (config)# crypto ikev2 keyring HRT-keyring peer container1 address 192.168.10.2 identity fqdn r2.test.local pre-shared-key local […]

Dynamic Virtual Tunnel Interfaces (VTIs)

Branches with Static VTI Hub : Dynamic VTI – ISAKMP Profile – Key ring with PSKs – Virtual Template R1(Hub) — (config)# crypto isakmp policy 1 (config-isakmp)# encr aes 192 (config-isakmp)# authentication pre-share (config-isakmp)# group 5 (config)# crypto keyring HRT-PSKS (config-keyrings)# pre-shared-key address 0.0.0.0(remote IP or all) key cisco123 (config)# crypto ipsec transform-set HRT-SET esp-aes […]

Site to Site- Static VTI IPSEC

R1 — (config)#crypto ipsec transform-set HRT esp-aes 256 esp-sha-hmac (cfg-crypto-trans)# mode tunnel (config)#crypto ipsec profile P2P-PROFILE (ipsec-profile)# set transform-set HRT (config)#crypto isakmp policy 15 #encr aes 256 #authentication pre-share #group 14 (config)#crypto isakmp key cisco123 address 0.0.0.0 (config)#int tunnel 1 (config-if)# tunnel source serial 1/0 (config-if)# tunnel destination 35.0.0.3 (config-if)# tunnel mode ipsec ipv4 (config-if)# […]

DMVPN IKE Call Admission Control

DMVPN IKE Call Admission Control – To mitigate attacks on IKE Phase 1 negotiation, CAC protection offers: -In-negotiation limit -SA limit # show crypto call admission statistics (config)# crypto call admission limit ike sa 2 (config)# crypto call admission limit ike in-negotiation-sa 10

DMVPN Commands

R1 int tunnel 0 tunnel source gi1/0 tunnel destination mode gre multipoint tunnel key HRT //should be the same ip nhrp network-id 1 //should be the same ip nhrp authentication cisco123 //should be the same ip nhrp map multicast dynamic ip nhrp shortcut //phase 3 ip nhrp redirect //phase 3 – we write it in […]

Configure the network settings for FMC

Configure the Network Settings On the Sourcefire3D login prompt, use these credentials to log in: For version 5.x Username: admin Password: Sourcefire For version 6.x and later Username: admin Password: Admin123 Tip: You will be able to change the default password in the initial setup process in the GUI. Initial configuration of the network is done with a script. You need to run the script […]

Excel file and fortinet automation

Simply make a batch file in Windows that reads from your Excel file and converts your datasheet to FortiGate rules. In this code, I converted an Excel file with 5 columns to a FortiGate policy. My Excel File: any,any,ctldl.windowsupdate.com,80/443,Test1 any,any,microsoft.com,80,Test2 any,any,crl.microsoft.com,80,Test3 any,any,ssl.google-analytics.com,443,Test4 My Batch file: @echo off setlocal ENABLEDELAYEDEXPANSION >output-configuration-policy.txt ( echo:config firewall policy […]