Tuesday, July 22, 2008

Howto read session table

redir, may_dirty
When a session goes through the proxy it is marked as redir.
AV scan, content archive and some other proxy-based features mark the session as redir. IPS does not.
The TCP sequence numbers are changed if the session is proxied.
Ex: content archive session
root) # d sys session li

session info: proto=6 proto_state=11 expire=3587 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=4 use=3
bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 ha_id=0 hakey=0
tunnel=/
state=redir local may_dirty ndr br npu npr
statistic(bytes/packets/err): org=686/12/0 reply=596/8/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=25->26/26->25 gwy=8.8.103.104/8.8.103.108
hook=pre dir=org act=noop 8.8.103.108:54438->8.8.103.104:21(0.0.0.0:0)
hook=post dir=reply act=noop 8.8.103.104:21->8.8.103.108:54438(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=20004 policy_id=1 auth_info=0 ids=0x3 vd=4 serial=00001db8 tos=ff/ff app=0
total session 1

Pure IPS session:
# d sys session li

session info: proto=6 proto_state=01 expire=3598 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 ha_id=0 hakey=0
tunnel=/
state=ext may_dirty ndr br npu npr
statistic(bytes/packets/err): org=686/12/0 reply=596/8/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=25->26/26->25 gwy=8.8.103.104/8.8.103.108
hook=pre dir=org act=noop 8.8.103.108:41329->8.8.103.104:21(0.0.0.0:0)
hook=post dir=reply act=noop 8.8.103.104:21->8.8.103.108:41329(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=20004 policy_id=1 auth_info=0 ids=0x2 vd=4 serial=00001dc2 tos=ff/ff app=0
total session 1


may_dirty and dirty.
Most sessions which go through the firewall are marked as may_dirty. This flag means the session can be marked as dirty when an asymmetric route switches over.
Ex: changing the gateway of your default route will make the dirty flag show up.

before changing the gw:
FG3K9B3E10700005 # d sys session list

session info: proto=6 proto_state=01 duration=7 expire=3592 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=535
policy_dir=0 tunnel=/
state=may_dirty npu npr rem
statistic(bytes/packets/allow_err): org=164/3/1 reply=132/2/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=17->18/18->17 gwy=94.1.1.12/93.1.1.11
hook=pre dir=org act=noop 93.1.1.11:51895->94.1.1.12:22(0.0.0.0:0)
hook=post dir=reply act=noop 94.1.1.12:22->93.1.1.11:51895(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=000011e6 tos=ff/ff app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=93.1.1.11, bps=0
total session 1
=========================
after changing the gw:
FG3K9B3E10700005 # d sys session list

session info: proto=6 proto_state=01 duration=1056 expire=3562 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=535
policy_dir=0 tunnel=/
state=dirty may_dirty npu npr rem
statistic(bytes/packets/allow_err): org=164/3/1 reply=132/2/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=17->0/18->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 93.1.1.11:51895->94.1.1.12:22(0.0.0.0:0)
hook=post dir=reply act=noop 94.1.1.12:22->93.1.1.11:51895(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=000011e6 tos=ff/ff app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=93.1.1.11, bps=0
total session 1
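An added example (my own code, not from the blog or FortiOS): a small Python parser for this session-list output that pulls out the key=value fields, the state flags, the hook lines and the gateway, then summarises what the flags mean using the notes above. The input is an abridged copy of two of the dumps on this page (the content-archive session and the SSH session after the gateway change); the flag descriptions are taken from this post, not from any vendor documentation.

```python
import re

# Abridged copies of two "diag sys session list" dumps from the post, used as sample input:
# the content-archive (proxied) FTP session, and the SSH session after the default
# gateway was changed.
PROXIED_DUMP = """\
session info: proto=6 proto_state=11 expire=3587 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=4 use=3
state=redir local may_dirty ndr br npu npr
statistic(bytes/packets/err): org=686/12/0 reply=596/8/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=25->26/26->25 gwy=8.8.103.104/8.8.103.108
hook=pre dir=org act=noop 8.8.103.108:54438->8.8.103.104:21(0.0.0.0:0)
hook=post dir=reply act=noop 8.8.103.104:21->8.8.103.108:54438(0.0.0.0:0)
misc=20004 policy_id=1 auth_info=0 ids=0x3 vd=4 serial=00001db8 tos=ff/ff app=0
total session 1
"""

DIRTY_DUMP = """\
session info: proto=6 proto_state=01 duration=1056 expire=3562 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
state=dirty may_dirty npu npr rem
orgin->sink: org pre->post, reply pre->post dev=17->0/18->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 93.1.1.11:51895->94.1.1.12:22(0.0.0.0:0)
hook=post dir=reply act=noop 94.1.1.12:22->93.1.1.11:51895(0.0.0.0:0)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=000011e6 tos=ff/ff app_list=0 app=0
total session 1
"""

# What each state flag tells you, as described in the notes above.
FLAG_MEANING = {
    "redir": "proxied (AV scan / content archive, not IPS); TCP sequence numbers are rewritten",
    "may_dirty": "eligible to become dirty when a route changes",
    "dirty": "route changed under the session; resolved dev/gwy have been cleared",
}

HOOK_RE = re.compile(r"hook=(\w+) dir=(\w+) act=(\w+) (\S+)->(\S+)\(")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_sessions(dump):
    """Split a session-list dump into one dict per 'session info:' block.

    key=value pairs become dict entries, the state= line becomes the set
    'state_flags', and hook= lines become a list of {hook, dir, act, src, dst}."""
    sessions, cur = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("session info:"):
            cur = {"state_flags": set(), "hooks": []}
            sessions.append(cur)
        if cur is None or not line:
            continue
        if line.startswith("state="):
            cur["state_flags"] = set(line[len("state="):].split())
        elif line.startswith("hook="):
            m = HOOK_RE.match(line)
            if m:
                cur["hooks"].append(dict(zip(("hook", "dir", "act", "src", "dst"), m.groups())))
        else:
            cur.update(KV_RE.findall(line))  # e.g. proto_state=11, gwy=..., serial=...
    return sessions


def describe(session):
    """Summarise the security-relevant state of one parsed session."""
    flags = session["state_flags"]
    return {
        "proxied": "redir" in flags,
        "dirty": "dirty" in flags,
        "gateway_lost": session.get("gwy") == "0.0.0.0/0.0.0.0",
        "notes": [FLAG_MEANING[f] for f in ("redir", "may_dirty", "dirty") if f in flags],
    }


if __name__ == "__main__":
    for name, dump in (("proxied", PROXIED_DUMP), ("after gw change", DIRTY_DUMP)):
        for s in parse_sessions(dump):
            print(name, "proto_state=" + s["proto_state"], sorted(s["state_flags"]), describe(s))
```

Running it on the two dumps reports the content-archive session as proxied (redir) and the SSH session as dirty with its gateway lost, which is the quick check you want when a session suddenly stops forwarding after a routing change.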

COURSE OBJECTIVES

After completing this course, students will gain competency in the following topics:
Layer 2 Technologies
* PPPoE
* MPLS over ATM
* 802.1Q Tunneling

Interior Gateway Routing
* OSPF
* IS-IS
* Redistribution
* Summarization
* Filtering
* Policy Routing

Exterior Gateway Routing
* IPv4 Unicast BGP
* VPNv4 BGP
* Route Reflection
* Confederation
* Next-Hop Processing
* Redistribution
* Summarization
* Filtering
* Communities

MPLS
* TDP
* LDP
* BGP + Label
* Inter-AS MPLS
* Carrier Supporting Carrier
* Controlling MPLS Label Distribution
* MPLS Traffic Engineering

VPN
* PE-CE Routing with Static Routing
* PE-CE Routing with RIPv2
* PE-CE Routing with OSPF
* PE-CE Routing with EIGRP
* PE-CE Routing with EBGP
* Central Services MPLS VPNs
* MPLS VPNs Extranets
* VRF Import/Export Maps
* BGP Site-Of-Origin
* OSPF Sham-Links
* OSPF Domain-IDs
* Back-to-Back VRF
* Inter-AS MPLS VPNs
* Hierarchical MPLS VPNs
* VRF-Lite
* L2TPv3

IP Multicast
* PIM Dense Mode
* PIM Sparse Mode
* Multicast RPF Failure
* Auto-RP
* PIM NBMA Mode
* Bootstrap Router
* Multicast Source Distribution Protocol (MSDP)
* Anycast RP
* Multicast BGP
* Multicast MPLS VPNs

QoS
* Congestion Management
* Congestion Avoidance
* Shaping
* Policing
* IP Precedence
* DSCP
* MPLS EXP
* QoS Groups
* NBAR
* RSVP

Security
* ACLs
* RPF
* Routing update security
* Common attacks

System Management
* SNMP
* RMON
* Syslog
* NTP
* IP Services
* First Hop Redundancy Protocols
* Netflow
* Accounting

Friday, July 18, 2008

Howto Test DNS with AV/REF

Client Side:
a, action list:
DNS A 132.68.147.1 www.spirentcom.com

Server Side:


Howto capture the traffic on Av/Ref?

1, select the project you want to work on
2, locate the tab: Run -> Config
3, enable client and server trace
4, run a trial test or a full test
5, go to the Result tab and highlight the test you just ran
6, double-click client-subtest or server-subtest; the .pcap file should be there.

Thursday, July 17, 2008

Passed the 350-029 with a high mark @ 96%

Start Lab tomorrow.

July 17, 2008 @11:20 PM

Tuesday, July 8, 2008

Configure for FreeRadiusd
#more /etc/raddb/users
clilogin Auth-Type := LOCAL, User-Password == "qa654321"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 8.8.130.0,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-Routing = Broadcast-Listen,
	Framed-Filter-Id = "std.ppp",
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobsen-TCP-IP

sslvpnuser Auth-Type := LOCAL, User-Password == "qa654321"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 172.18.9.0,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-Routing = Broadcast-Listen,
	Framed-Filter-Id = "std.ppp",
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobsen-TCP-IP

msuser Auth-Type := MS-CHAP, User-Password == "qa654321", Simultaneous-Use := 1
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 172.18.9.0,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-Routing = Broadcast-Listen,
	Framed-Filter-Id = "std.ppp",
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobsen-TCP-IP

chapuser Auth-Type := CHAP, User-Password == "qa654321", Simultaneous-Use := 1
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 172.18.9.0,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-Routing = Broadcast-Listen,
	Framed-Filter-Id = "std.ppp",
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobsen-TCP-IP



#more client.conf
client 172.18.9.0/24 {
	secret = test1
	shortname = company-network
}
client 172.18.4.0/24 {
	secret = test1
	shortname = company-network
}
client 8.8.110.0/24 {
	secret = test1
	shortname = company-network
}
client 8.8.130.0/24 {
	secret = test1
	shortname = company-network
}
client 172.16.0.0/12 {
	secret = test1
	shortname = company-network
}



==== For new version from FC6 autoinstall ====
steve Cleartext-Password := "testing"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 172.18.9.0,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-Routing = Broadcast-Listen,
	Framed-Filter-Id = "std.ppp",
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobsen-TCP-IP

[[[
# As of 1.1.4, you SHOULD NOT use Auth-Type. See "man rlm_pap"
# for a much better way of dealing with differing passwords.
]]]



====
(root) # d test authserver radius r169 chap steve testing
authenticate 'steve' against 'chap' succeeded, server=primary assigned_rad_session_id=21168128 session_timeout=0 secs!

(root) # exit


login: steve
Password: *******
Welcome !

3305 #
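An added example (my own code, not from the blog, FreeRADIUS or FortiOS) covering both the users file above and the chap test: a parser for the users-file layout (an unindented line with the check items, indented lines with the reply items), plus the server-side CHAP verification that the "diag test authserver radius ... chap" request exercises. The sample users file is constructed here in the same layout as the one above; the CHAP computation is the standard RFC 1994 one, MD5(ID || password || challenge). The point it makes concrete is why the newer entry uses Cleartext-Password: CHAP can only be verified if the server can recover the cleartext password, so a hashed password entry cannot serve CHAP clients.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed sample in the layout of the /etc/raddb/users file above (not the page's file):
# an unindented line carries the check items, indented lines carry the reply items.
USERS_FILE = """\
# comment lines and blank lines are ignored
steve Cleartext-Password := "testing"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 172.18.9.0,
    Framed-IP-Netmask = 255.255.255.0,
    Framed-MTU = 1500,
    Framed-Compression = Van-Jacobsen-TCP-IP

chapuser Cleartext-Password := "qa654321", Simultaneous-Use := 1
    Service-Type = Framed-User,
    Framed-Protocol = PPP
"""

# one "Attribute op value" item, optionally quoted, optionally followed by a comma
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,]+)\s*,?')


@dataclass
class UserEntry:
    name: str
    check: dict   # attribute -> (operator, value)
    reply: dict   # attribute -> value


def parse_items(text):
    return {m.group(1): (m.group(2), m.group(3).strip().strip('"')) for m in ITEM_RE.finditer(text)}


def parse_users(text):
    """Parse the users file into UserEntry objects."""
    entries, cur = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":            # new entry: "<name> <check items>"
            parts = raw.split(None, 1)
            cur = UserEntry(parts[0], parse_items(parts[1] if len(parts) > 1 else ""), {})
            entries.append(cur)
        elif cur is not None:              # indented continuation: reply items
            cur.reply.update({k: v for k, (_, v) in parse_items(raw).items()})
    return entries


def chap_response(chap_id, password, challenge):
    """RFC 1994 CHAP response: MD5(ID || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def verify_chap(entries, name, chap_id, challenge, response):
    """Server side of a CHAP Access-Request: rebuild the expected response from
    the stored Cleartext-Password and compare in constant time. Returns the
    reply items on success (they become the Access-Accept attributes), else None."""
    entry = next((e for e in entries if e.name == name), None)
    if entry is None or "Cleartext-Password" not in entry.check:
        return None   # no cleartext password on the server: CHAP cannot be verified
    expected = chap_response(chap_id, entry.check["Cleartext-Password"][1], challenge)
    return entry.reply if hmac.compare_digest(expected, response) else None


if __name__ == "__main__":
    users = parse_users(USERS_FILE)
    challenge = bytes(range(16))            # constructed challenge; a real NAS picks a random one
    resp = chap_response(1, "testing", challenge)
    print("steve:", verify_chap(users, "steve", 1, challenge, resp))
```

The challenge is constructed for the demonstration; on the wire the NAS (here the FortiGate) generates it and sends it as CHAP-Challenge with the CHAP-Password attribute, and the server's answer depends only on whether the recomputed digest matches.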

Test Multicast on FortiOS

1, test tools: mint
download link

2, command:
sender:
#mint -s 239.0.0.1 -p 4321 -n 1 -b 100 ; # default ttl=1, which will cause issues:
FOS decrements the TTL by one.

receiver:
#mint -r 239.0.0.1 -p 4321 -d 5
Ready to recieve packets:
Received 323 packets..
Note: the default route needs to be changed for this to make sense.


mint: invalid option -- -
Usage: mint -[s|r] [OPTIONS] ADDR

OPTIONS:
-h This help.
-N Don't log to file.
-L Specify alternate path for log file.(Default is /var/tmp/mint.log)
-r Configures MINT to be a multicast receiver.
-p specifies the port number MINT should listen to.
Default is 4321.
-d delay in seconds for waiting in receiving state.
Default is 1 second.
-s Configures MINT to be a multicast sender (Default).
-l specifies whether loopback should be enabled(1) or disable(0).
Disabled by default.
-p specifies the port MINT should send data to.
Default is 4321.
-t specifies the TTL MINT should use.
Default is 1.
-q specifies IP TOS.
IP Precedence Values are 0-7, default is 0
-n number of packets to be sent per second,
-1(default) means sends as many packets as possible.
DANGER: -1 creates a great deal of traffic.
-b specifies how much data to send in bytes.
-6 Using IPv6 instead of IPv4 (EXPERIMENTAL).

3, config on fortios:
config firewall multicast-policy
edit 1
set dstaddr 239.0.0.0 255.255.255.0
next
end

4, sniffer on FortiOS:
DS_127 (kontron) # d sniffer pack any udp 4
interfaces=[any]
filters=[udp]
0.517596 kvlan103 in 8.8.103.109.4321 -> 239.0.0.1.4321: udp 400
0.517611 kvlan104 out 8.8.103.109.4321 -> 239.0.0.1.4321: udp 400
0.517615 fabric1 out 8.8.103.109.4321 -> 239.0.0.1.4321: udp 400
1.521307 kvlan103 in 8.8.103.109.4321 -> 239.0.0.1.4321: udp 400
1.521318 kvlan104 out 8.8.103.109.4321 -> 239.0.0.1.4321: udp 400
1.521321 fabric1 out 8.8.103.109.4321 -> 239.0.0.1.4321: udp 400
2.525144 kvlan103 in 8.8.103.109.4321 -> 239.0.0.1.4321: udp 400
2.525153 kvlan104 out 8.8.103.109.4321 -> 239.0.0.1.4321: udp 400

5, IGMP report
http://nemesis.sourceforge.net/manpages/nemesis-igmp.1.html
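An added example (my own code, not from the blog, mint or FortiOS) for the sender TTL point and the sniffer check in step 4. The first function builds a multicast sender socket with an explicit TTL: a TTL of 1 is used up at the first router hop, which is why the mint default runs into trouble behind a FortiGate that decrements it. The second function parses the sniffer output format shown above and counts the multicast packets seen "in" on the ingress interface against the "out" copies on each expected egress interface, which is the quick way to confirm the multicast policy is actually forwarding. The sample lines are the eight sniffer lines from step 4; the interface names are the ones in that capture.

```python
import re
import socket
from collections import Counter

GROUP, PORT = "239.0.0.1", 4321

# The eight sniffer lines from step 4 above, used as sample input.
SNIFFER_LINES = """\
0.517596 kvlan103 in 8.8.103.109.4321 -> 239.0.0.1.4321: udp 400
0.517611 kvlan104 out 8.8.103.109.4321 -> 239.0.0.1.4321: udp 400
0.517615 fabric1 out 8.8.103.109.4321 -> 239.0.0.1.4321: udp 400
1.521307 kvlan103 in 8.8.103.109.4321 -> 239.0.0.1.4321: udp 400
1.521318 kvlan104 out 8.8.103.109.4321 -> 239.0.0.1.4321: udp 400
1.521321 fabric1 out 8.8.103.109.4321 -> 239.0.0.1.4321: udp 400
2.525144 kvlan103 in 8.8.103.109.4321 -> 239.0.0.1.4321: udp 400
2.525153 kvlan104 out 8.8.103.109.4321 -> 239.0.0.1.4321: udp 400
""".splitlines()

# "<time> <iface> in|out <src.port> -> <dst.port>: udp <len>"
SNIFFER_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<ifname>\S+) (?P<dir>in|out) (?P<src>\S+) -> (?P<dst>\S+): udp (?P<len>\d+)$"
)


def multicast_sender_socket(ttl):
    """UDP socket for sending to the group with an explicit multicast TTL.
    With the mint default of 1 the FortiGate decrements the TTL to 0 and the
    packet goes no further, so a sender behind it needs at least 2."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
    return sock


def sender_ttl(sock):
    """Read back the TTL the socket will stamp on multicast packets."""
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL)


def is_multicast(addr_port):
    """True for 224.0.0.0/4; the sniffer prints addresses as a.b.c.d.port."""
    first_octet = int(addr_port.split(".")[0])
    return 224 <= first_octet <= 239


def forwarding_summary(lines, ingress, egress):
    """Count multicast packets seen 'in' on the ingress interface and 'out' on
    each expected egress interface; 'short' lists any egress that forwarded
    fewer packets than arrived."""
    counts = Counter()
    for line in lines:
        m = SNIFFER_RE.match(line.strip())
        if m and is_multicast(m["dst"]):
            counts[(m["ifname"], m["dir"])] += 1
    received = counts[(ingress, "in")]
    forwarded = {ifn: counts[(ifn, "out")] for ifn in egress}
    return {
        "received": received,
        "forwarded": forwarded,
        "short": {ifn: received - n for ifn, n in forwarded.items() if n < received},
    }


if __name__ == "__main__":
    s = multicast_sender_socket(2)
    print("sender TTL:", sender_ttl(s))
    s.close()
    print(forwarding_summary(SNIFFER_LINES, "kvlan103", ["kvlan104", "fabric1"]))
```

On the excerpt above the capture ends right after the third kvlan104 line, so fabric1 is reported one packet short; a real forwarding problem (wrong TTL, missing multicast policy, no IGMP membership on the egress side) looks the same in this summary, which is what makes the count useful.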

Monday, July 7, 2008

Checklist for BEIJING OFFICE
Assemble all your documents as listed. Check each applicable item on the checklist and attach the checklist to your documents (a paper clip will do). Send photocopies of all documents, unless instructed otherwise. The Engagement, if you intend to live in the province of Québec, and the police certificates, must be originals. If your documents are not in English or French, send a notarized (certified) translation with a copy of the originals.


1. IMMIGRATION FORMS
Check that they are complete and, where applicable, signed:
a) Application for Permanent Residence. - This form is completed by you, the principal applicant. (PR application form)
b) Schedule 1. - You and each of your family members 18 years of age or older must complete their own copy of the form Schedule 1 - Background/Declaration.
c) Additional Family Information. - You and each of your family members 18 years of age or older must complete their own copy of this form. Please ensure that the form includes Chinese characters and pinyin for all names.
d) Use of a Representative. - If you want us to deal with a representative on your behalf, be sure you have completed and signed the Use of a Representative form (IMM 5476).

2. IDENTITY AND CIVIL STATUS DOCUMENTS
a) Your original “hukou” or that of the head of your household.
b) Original birth certificates for yourself and spouse or common-law partner.
c) Original marriage certificate and clear legible photocopy.
d) Original final divorce/annulment/separation certificates, death certificates for former spouse if applicable.
e) Certified true copy of Citizenship Certificate or Immigrant Visa for any dependants who are Canadian citizens or permanent residents of Canada.


4. TRAVEL DOCUMENTS AND PASSPORTS
Passports for you and accompanying dependents are required for processing your application for immigration to Canada. They are required for you to travel to Canada if your application is successful.
If you already have a valid passport and intend to use it to immigrate to Canada, send copies of only the pages showing the passport number, date of issue and expiration, your photo, name, date and place of birth.
If you reside in a country different from your nationality, include a copy of your visa for the country in which you currently reside.
All prospective immigrants must hold a valid regular or private passport at the time of landing. Diplomatic, official, service or public affairs passports are not valid for immigration in Canada.

5. PROOF OF RELATIONSHIP IN CANADA
Proof of relationship to your sponsor in Canada, such as birth, adoption, marriage certificates.
Proof of your sponsor’s status in Canada: certified true copy of the Record of Landing (IMM 1000) or proof of Canadian citizenship

6. POLICE CERTIFICATES AND CLEARANCES
Police certificates or clearances from each country in which you and everyone in your family aged 18 years or over have resided six months or more since reaching 18 years of age. You must attach the original police document(s).
Notarial certificates are acceptable in lieu of police certificates for periods of residence in PRC. They must, however, be issued by the notarial office in the city in which you actually reside.

8. PHOTOS REQUIREMENTS
Supply five (5) recent photos for each member of your family and yourself. Follow the instructions in your guide (see Photos in section on completing the Application for Permanent Residence in Canada) and in Appendix C: Photo Specifications.

9. SPONSORSHIP EVIDENCE
A photocopy of the sponsorship approval letter sent to your sponsor in Canada from the CPC in Mississauga.

10. ADDRESS IN CHINESE CHARACTERS AND LABELS
Where indicated, provide your address in Chinese characters as well as in English, including postal code, to ensure effective communication with the visa office. The mailing address you provide must be the residential address of a person or the business address of a firm. A post office box number is not acceptable.
If you have designated a third party to represent you, we will automatically direct all correspondence to this person or firm at their mailing address.
It is your responsibility to ensure that the mailing address is reliable and that any changes are reported to us promptly. Failure to do so could result in substantial processing delays and even in the refusal of your application.
Include four (4) mailing labels with mailing address in both Chinese characters and in Pinyin – be sure to indicate your postal code.

Place all of your documents in a sealed envelope and mail them to:
The Canadian Embassy
19 Dong Zhi Men Wai Dajie
Chao Yang District
Beijing 100600
The People's Republic of China