stonetear
[–]stonetear 1 point2 points3 points  (0 children)
We're using this script here to do something similar. It basically spits out a .csv file that lists all emails over X bytes, and emails it wherever you want. I've tried to put the things you need to modify in caps.
There's another part where you can modify the length of time it looks for (currently it's 168 hours/7 days) and the size limit (currently ~3 MB). The sections to look for are (Get-Date).AddHours(-168) and $_.totalbytes -gt "3000000"
[–]stonetear 0 points1 point2 points  (0 children)
Only a one year warranty? :(
[–]stonetear[S] 0 points1 point2 points  (0 children)
Ok, thanks. I guess we never realized that the 'official' way to do this is to keep one onsite box. Do you know of any documentation on this that I can share with the company? Due to the search terms involved I am getting a million non-related results.
[–]stonetear[S] 0 points1 point2 points  (0 children)
Thanks for the reply - is this the 'real' official way to do it? I'm having trouble visualizing this - the advantages of using ADsync are pretty obvious, at least for password sync for users, but if that then forces you to use ADSIedit to change things that previously just required a checkbox click, and/or forcing you to keep an on-prem Exchange server... that seems like a huge pain.
For example, changing a distro group to allow external senders to send email to the group. That's a checkbox moment, and shouldn't require ADSIedit.
[–]stonetear[S] 0 points1 point2 points  (0 children)
I am going to look into this further later, but I think my immediate problem was something to do with the LAN here, as I was able to connect from a different customer site.
[–]stonetear[S] 0 points1 point2 points  (0 children)
I don't see any errors in the SSL VPN debug during connection/logging in. When I try to ping 10.1.1.1 I get the following:
id=20085 trace_id=16 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=1, 10.212.134.20:1->10.1.1.1:8) from ssl.root. code=8, type=0, id=1, seq=5."
id=20085 trace_id=16 func=init_ip_session_common line=4629 msg="allocate a new session-00042011"
id=20085 trace_id=16 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.1.1.1 via lan"
id=20085 trace_id=16 func=fw_forward_handler line=675 msg="Allowed by Policy-3:"
id=20085 trace_id=17 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=1, 10.1.1.1:1->10.212.134.20:0) from lan. code=0, type=0, id=1, seq=5."
id=20085 trace_id=17 func=resolve_ip_tuple_fast line=4539 msg="Find an existing session, id-00042011, reply direction"
id=20085 trace_id=17 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.212.134.20 via ssl.root"
[–]stonetear[S] 0 points1 point2 points  (0 children)
I tried the FortiClient from two additional Windows PCs (Windows 7 if it makes any difference) and it gets to 98% then just goes back to the user/password box (???), no error message or anything. This happens on both other computers.
[–]stonetear[S] 0 points1 point2 points  (0 children)
Thanks again Afroman for your follow-up on this.
If I ping from the FortiClient PC in, I see what I assume are normal ping traffic entries (though note I actually see "request timed out" on the FortiClient PC and don't get a ping reply):
8.879626 ssl.root in 10.212.134.20 -> 10.1.1.1: icmp: echo request
8.880055 lan out 10.1.1.254 -> 10.1.1.1: icmp: echo request
8.880431 lan in 10.1.1.1 -> 10.1.1.254: icmp: echo reply
8.880528 ssl.root out 10.1.1.1 -> 10.212.134.20: icmp: echo reply
If I try to ping from the 10.1.1.1 device, I only see the following, with no other types of entries:
159.208613 lan in 10.1.1.1 -> 10.212.134.20: icmp: echo request
There is a static route which references the SSL VPN client IP range which points to the ssl.root interface. There is also the standard/automatically added policy for ssl.root to LAN. I tried adding an additional policy back from LAN to ssl.root but it doesn't seem to have made any difference.
It does appear to be all traffic, as I can't telnet to a few open ports on the 10.1.1.1 device either (i.e., it's not just ICMP).
If I run the debug flow, then ping from 10.1.1.1 to the SSL VPN client IP, I get the following:
id=20085 trace_id=3 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=1, 10.1.1.1:1->10.212.134.20:8) from lan. code=8, type=0, id=1, seq=18921."
id=20085 trace_id=3 func=init_ip_session_common line=4629 msg="allocate a new session-000325fa"
id=20085 trace_id=3 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.212.134.20 via ssl.root"
id=20085 trace_id=3 func=fw_forward_handler line=675 msg="Allowed by Policy-4: SNAT"
id=20085 trace_id=3 func=__ip_session_run_tuple line=2606 msg="SNAT 10.1.1.1->23.24.145.45:62464"
Pinging from the VPN client PC to 10.1.1.1 yields:
id=20085 trace_id=4 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=1, 10.212.134.20:1->10.1.1.1:8) from ssl.root. code=8, type=0, id=1, seq=34."
id=20085 trace_id=4 func=init_ip_session_common line=4629 msg="allocate a new session-0003262f"
id=20085 trace_id=4 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.1.1.1 via lan"
id=20085 trace_id=4 func=fw_forward_handler line=675 msg="Allowed by Policy-3:"
id=20085 trace_id=5 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=1, 10.1.1.1:1->10.212.134.20:0) from lan. code=0, type=0, id=1, seq=34."
id=20085 trace_id=5 func=resolve_ip_tuple_fast line=4539 msg="Find an existing session, id-0003262f, reply direction"
id=20085 trace_id=5 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.212.134.20 via ssl.root"
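As an added example (not from this thread or from Fortinet), a small Python parser for the `diagnose debug flow` lines quoted above: it groups the trace lines by trace_id, pulls out ingress/egress interface, matching policy and SNAT, and lists the flows that were NATed on their way out the ssl.root tunnel interface, which is the difference between the two traces in this post. It assumes only the field layout visible in these lines; the sample input is the post's own trace output.

```python
import re

# Trace lines copied from the post above (FortiGate "diagnose debug flow" output).
TRACE_LINES = """\
id=20085 trace_id=3 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=1, 10.1.1.1:1->10.212.134.20:8) from lan. code=8, type=0, id=1, seq=18921."
id=20085 trace_id=3 func=init_ip_session_common line=4629 msg="allocate a new session-000325fa"
id=20085 trace_id=3 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.212.134.20 via ssl.root"
id=20085 trace_id=3 func=fw_forward_handler line=675 msg="Allowed by Policy-4: SNAT"
id=20085 trace_id=3 func=__ip_session_run_tuple line=2606 msg="SNAT 10.1.1.1->23.24.145.45:62464"
id=20085 trace_id=4 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=1, 10.212.134.20:1->10.1.1.1:8) from ssl.root. code=8, type=0, id=1, seq=34."
id=20085 trace_id=4 func=init_ip_session_common line=4629 msg="allocate a new session-0003262f"
id=20085 trace_id=4 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.1.1.1 via lan"
id=20085 trace_id=4 func=fw_forward_handler line=675 msg="Allowed by Policy-3:"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # msg is quoted, with spaces and '=' inside
PKT_RE = re.compile(r"\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.")
ROUTE_RE = re.compile(r"via (\S+)$")
POLICY_RE = re.compile(r"Allowed by Policy-(\d+):")

def parse_fields(line):
    """One trace line -> dict of its key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def summarize_traces(text):
    """Group lines by trace_id and keep the decisions that matter when a flow
    fails: ingress interface, src/dst, egress interface, policy id, SNAT."""
    traces = {}
    for line in text.splitlines():
        f = parse_fields(line)
        if "trace_id" not in f:
            continue  # CLI prompt echoes, blank lines, etc.
        t = traces.setdefault(f["trace_id"], {"policy": None, "egress": None, "snat": False})
        func, msg = f.get("func"), f.get("msg", "")
        if func == "print_pkt_detail":
            proto, src, dst, ingress = PKT_RE.search(msg).groups()
            t.update(proto=int(proto), src=src, dst=dst, ingress=ingress)
        elif func == "vf_ip4_route_input":
            t["egress"] = ROUTE_RE.search(msg).group(1)
        elif func == "fw_forward_handler" and (m := POLICY_RE.search(msg)):
            t["policy"] = int(m.group(1))
        elif func == "__ip_session_run_tuple" and msg.startswith("SNAT"):
            t["snat"] = True
            t["snat_to"] = msg.split("->", 1)[1]  # e.g. 23.24.145.45:62464
    return traces

def snat_toward(traces, iface):
    """trace_ids routed out `iface` whose source address was also rewritten; in the
    post, only the LAN -> VPN-client flow (Policy-4) was, not the reverse (Policy-3)."""
    return sorted(tid for tid, t in traces.items() if t["egress"] == iface and t["snat"])
```

Running `snat_toward(summarize_traces(TRACE_LINES), "ssl.root")` on the post's lines returns only trace 3, the 10.1.1.1 -> 10.212.134.20 flow that was matched by Policy-4 and NATed.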
[–]stonetear[S] 0 points1 point2 points  (0 children)
Afroman, looks like the user group not being in the policy was the cause. I can connect via the FortiClient now. However, I can't seem to get to/ping the regular LAN. The inbound policy from ssl.root to LAN looks normal. NAT is enabled; I believe this is normal from looking at some other FGT units. We don't need a separate LAN -> ssl.root policy, correct?
[–]stonetear[S] 0 points1 point2 points  (0 children)
We do have a few port forwards, but they are not set up as 1:1 NAT.
[–]stonetear[S] 1 point2 points3 points  (0 children)
No, I don't see the open port. What might this indicate?
[–]stonetear[S] 0 points1 point2 points  (0 children)
I just found the following in the FortiGuard section:
SSL-VPN Package Information
SSL-VPN Package Version Unreachable [Update]
Problem with the SSL VPN package perhaps?
Edit: I checked another 30D and it says the same thing.
[–]stonetear[S] 0 points1 point2 points  (0 children)
Thanks for the reply.
Yes, there are inbound policies for both the ssl.root and IPsec VPN interfaces.
[–]stonetear 0 points1 point2 points  (0 children)
5.4.1
When is 5.4.1 being released? :)
π Rendered by PID 16517 on app-317 at 2016-09-19 12:14:33.857731+00:00 running 4b3bc27 country code: NL.