Palo Alto HA Firewall PAN-OS upgrade

This test upgrades from 8.1.19 to 8.1.20.

First, export the config of both firewalls; export once on each firewall.

Then make sure Preemptive is not checked, so the firewall does not automatically fail back to Active and disrupt the upgrade plan.

Start the upgrade: select the version and click Download; the other firewall downloads it automatically as well (check Sync to HA Peer).

After the download, upgrade the standby firewall first (Local: Passive) by clicking Install.

After the upgrade and the reboot, logging in again shows 8.1.20 in use, but HA is not enabled yet; wait a while.

On the Active, the Passive still shows as not yet available.

After a moment the Passive shows as up, but its version does not match the Active (PAN-OS Version: Mismatch).

Once the Passive is upgraded, go to the Active's page and click Suspend local device to switch it to standby.

During my failover there were several timeouts.

Click Install just as on the Passive before; after the reboot the new version is shown with no errors. To switch back to Active, go to the Passive and click Suspend local device; remember to change it back after the failover.

Fortigate SSL VPN

FortiOS 6.2

VPN -> SSL-VPN Portals -> Create New

VPN -> SSL-VPN Settings

User & Device -> User Definition -> Create New -> Local User

Policy & Objects -> IPv4 Policy -> Create New

If we want to go to the internet through the SSL VPN:

VPN -> SSL-VPN Portals

Disable “Enable Split Tunneling”

Policy & Objects -> IPv4 Policy -> Create New

SonicWall OSPF route-based VPN

Background

Office

NSA 2400, SonicOS 5.9.0.8-1o

WAN IP: 202.101.101.101
LAN IP: 192.168.1.254/23
TK5 Tunnel IP (TI2): 10.1.0.1
NC1 Tunnel IP (TI3): 10.2.0.1

Branch

TZ300, SonicOS 6.5.4.7-83n & 6.5.4.6-79n

All branch LAN subnets are in 10.100.0.0/16

NC1:
LAN subnet 10.100.1.0/24, WAN IP: 119.1.1.1, Tunnel IP: 10.1.0.254

TK5:
LAN subnet 10.100.2.0/24, WAN IP: 61.2.2.2, Tunnel IP: 10.2.0.253

Start of configuration

Office SonicWall

Add address objects for all branches:
Branch 10.100.0.0/255.255.0.0 Network VPN
NC1 10.100.1.0/255.255.255.0 Network VPN
TK5 10.100.2.0/255.255.255.0 Network VPN

Add an Office group including the Office VLANs

Add VPN Policy

Add a new VPN policy and change the policy type to Tunnel Interface

IPsec Primary Gateway: enter the NC1 WAN IP

Shared secret: the same as on NC1

Office "Local IKE ID" must equal NC1 "Peer IKE ID"
NC1 "Peer IKE ID" must equal Office "Local IKE ID"

In this lab, Local and Peer are the same

The SonicOS 5.9 default Phase 2 encryption is not the same as on SonicOS 6.5

If NC1 is configured correctly, the policy shows a green light

Go to

Network -> Interfaces
Add Interface -> Tunnel Interface

In this case, enter a new Tunnel IP (TI3) 10.2.0.1

Add the routing table entry

Enable OSPF so the branches learn every LAN subnet

The OSPF Router ID must be different from all branch IPs; in this case we enter the LAN IP: 192.168.1.254

Branch SonicWall

Add the Office VLANs and a Branch address object:
Branch 10.100.0.0/255.255.0.0 Network VPN
Office10 10.10.10.0/255.255.255.0 Network VPN
Office192 192.168.0.0/255.255.254.0 Network VPN

Do the same as on the Office side

Tunnel IP 10.2.0.1

Router ID can be the LAN IP 10.100.1.254

Huawei Switch Stack Lab 2

Add stack:
SW1
int stack-p 0/1
port int g0/0/8 enable
int stack-p 0/2
port int g0/0/7 enable
quit
stack slot 0 priority 200

SW2
int stack-p 0/1
port int g0/0/7 enable
int stack-p 0/2
port int g0/0/8 enable
quit
stack slot 0 renumber 1

save & reboot, then plug in the stack cables (SW1 g0/0/8 to SW2 g0/0/8, SW1 g0/0/7 to SW2 g0/0/7)

Delete stack:
SW1
int stack-p 0/1
shut int g0/0/8
undo port int g0/0/8 enable
int stack-p 0/2
shut int g0/0/7
undo port int g0/0/7 enable
quit
stack slot 0 priority 100

SW2
int stack-p 1/1
shut int g1/0/7
undo port int g1/0/7 enable
int stack-p 1/2
shut int g1/0/8
undo port int g1/0/8 enable
quit
stack slot 1 renumber 0

Huawei Switch Stack Lab 1

Add stack:
SW1
int stack-p 0/1
port int g0/0/12 enable
quit
stack slot 0 priority 200

SW2
int stack-p 0/2
port int g0/0/11 enable
quit
stack slot 0 renumber 1

save & reboot, then plug in the stack cable

Delete stack:
SW1
int stack-p 0/1
shut int g0/0/12
undo port int g0/0/12 enable
quit
stack slot 0 priority 100

SW2
int stack-p 1/2
shut int g1/0/11
undo port int g1/0/11 enable
quit
stack slot 1 renumber 0

Sophos XG Office 365 can’t install & update

https://community.sophos.com/kb/en-us/132291

Enable the two items below:

Microsoft Windows Update
O365 – 92 (Common – Default)

or add the following to Exceptions (every literal dot outside a character class escaped, so the pattern matches only the intended hosts):

^([A-Za-z0-9.-]*\.)?microsoft\.com/
^([A-Za-z0-9.-]*\.)?windowsupdate\.com/
^([A-Za-z0-9.-]*\.)?officecdn\.microsoft\.com\.edgesuite\.net/
^([A-Za-z0-9.-]*\.)?officecdn\.microsoft\.com/
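As an added check that is not part of this note or the Sophos KB, the block below treats these exceptions as regular expressions matched against the URL with the scheme stripped (an assumption based on the leading `^` anchor) and shows why every dot outside a character class must be escaped: a mistyped variant with bare dots also lets a constructed lookalike host such as officecdn-microsoft.com through the exception, while the trailing `/` keeps a suffix-appended host like officecdn.microsoft.com.example.net out in both forms.

```python
import re

# Exception patterns from the Sophos KB note above, with every literal dot escaped.
STRICT_PATTERNS = [
    r"^([A-Za-z0-9.-]*\.)?microsoft\.com/",
    r"^([A-Za-z0-9.-]*\.)?windowsupdate\.com/",
    r"^([A-Za-z0-9.-]*\.)?officecdn\.microsoft\.com\.edgesuite\.net/",
    r"^([A-Za-z0-9.-]*\.)?officecdn\.microsoft\.com/",
]

# Constructed mistyped variant: the two officecdn patterns with bare dots,
# which in a regex match any single character, not only ".".
LOOSE_PATTERNS = STRICT_PATTERNS[:2] + [
    r"^([A-Za-z0-9.-]*\.)?officecdn.microsoft.com.edgesuite.net/",
    r"^([A-Za-z0-9.-]*\.)?officecdn.microsoft\.com/",
]


def escape_literal_dots(pattern: str) -> str:
    """Escape every '.' that is not already escaped and not inside a [...] class."""
    out, in_class, i = [], False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):  # keep existing escapes such as \. intact
            out.append(pattern[i:i + 2])
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            ch = r"\."
        out.append(ch)
        i += 1
    return "".join(out)


def is_excepted(patterns, url_without_scheme: str) -> bool:
    """True if the URL (host + path, scheme stripped) hits any exception pattern."""
    return any(re.match(p, url_without_scheme) for p in patterns)


if __name__ == "__main__":
    # Constructed sample URLs: two legitimate, one lookalike host, one suffix-appended host.
    samples = [
        "officecdn.microsoft.com/pr/",
        "download.windowsupdate.com/d/",
        "officecdn-microsoft.com/pr/",              # lookalike: "-" where "." belongs
        "officecdn.microsoft.com.example.net/pr/",  # trailing "/" anchor keeps this out
    ]
    for url in samples:
        print(f"{url:42} loose={is_excepted(LOOSE_PATTERNS, url)!s:5} "
              f"strict={is_excepted(STRICT_PATTERNS, url)}")
```

Running `escape_literal_dots` over a pasted exception list before committing it to the firewall is a cheap way to catch this class of typo.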