Connect using your FortiGate VPN client with your Active Directory username and password.

Log in to your FW; under User & Device, click on LDAP Servers.

Follow the image below and fill in your domain and user details.

Click Test Connectivity; if you filled in the fields correctly you will get a Success popup.

Now create an Active Directory group on your AD server; in this example we will call it VPN.

We create this group so that only users who are members of it will be allowed to connect to the VPN.

After we have created the VPN group and added users to it, we go back to the FW, create an SSLVPN group, and assign to it the new VPN AD group we just created.

Go to User Groups –> Add new group –> Give it a name –> Click on Add

Select your LDAP server and press OK.

After creating this group, let's add some users.

Last step: you can now connect with your AD username and password using your VPN client.

MTU & MSS Explained.

A maximum transmission unit (MTU) is the largest packet or frame size, specified in octets (eight-bit bytes), that can be sent in a packet- or frame-based network such as the internet. The internet’s transmission control protocol (TCP) uses the MTU to determine the maximum size of each packet in any transmission. MTU is usually associated with the Ethernet protocol, where a 1500-byte packet is the largest allowed (and hence over most of the internet).

One of the most common problems related to MTU is that sometimes higher-level protocols may create packets larger than a particular link supports, and you’ll need to make adjustments to make it work.

To get around this issue, IPv4 allows fragmentation which divides the datagram into pieces. Each piece is small enough to pass over the single link that it is being fragmented for, using the MTU parameter configured for that interface. This fragmentation process takes place at the IP layer (OSI layer 3) and marks the packets it fragments as such. This ensures the IP layer of the destination host knows it should reassemble the packets into the original datagram.

Fragmentation is sometimes not supported by applications, and is something we should avoid if possible. The best way to avoid fragmentation is to adjust the maximum segment size or TCP MSS so the segment will adjust its size before reaching the data link layer.

Before we look at TCP MSS, it helps to understand the build of the “unit” that’s being sent over the internet.

TCP MSS

As mentioned, the common value of MTU in the internet is 1500 bytes.

As you can see in the figure above, the MTU is built from the payload (also referred to as data) plus the TCP header and the IP header, 20 bytes each. The IP and TCP headers together total 40 bytes and are mandatory for each packet, which leaves us 1460 bytes for our data.

Now, imagine that we are using the GRE protocol in our network, encapsulating the original packet and adding 24 bytes for the GRE header.

TCP MSS

The total size of this kind of packet will be 1524 bytes, exceeding the 1500-byte MTU. The “data” size in this packet is 1460, but we can and should decrease it to make sure the total size will be 1500 bytes or less. This is where TCP MSS comes into the picture.

TCP MSS, the maximum segment size, is a parameter in the options field of the TCP header that specifies the largest amount of data, in bytes, that a computer or communications device can receive in a single TCP segment. It does not include the TCP header or the IP header. This value dictates the maximum size of the “data” part of the packet. In the GRE tunnel case above, we will set the TCP MSS value to 1436 or lower, while the default is 1460.

The MSS announcement (often mistakenly called a negotiation) is sent during the three-way handshake by both sides, saying: “I can accept TCP segments up to size x”. The size (x) may be larger or smaller than the default. The MSS can be used completely independently in each direction of data flow.

Since the end device will not always know about additional protocols, like GRE, whose headers will be added to this packet along the way, it usually won’t adjust the TCP MSS value. As a result, network devices have the option to rewrite the TCP MSS value of packets that pass through them. For example, on a Cisco router the interface-level command “ip tcp adjust-mss 1436” rewrites the TCP MSS of any SYN packet that goes via that interface.
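The MSS arithmetic and the SYN rewriting described above, as an added example that is not part of the original post and not Cisco's code: it computes the MSS that fits a given MTU and tunnel overhead, and clamps the MSS option of a constructed SYN segment the way `ip tcp adjust-mss` does, including the RFC 1624 incremental checksum update. The sample segment and its port numbers are constructed, and its checksum is computed over the TCP segment alone (no IP pseudo-header) to keep the example self-contained.

```python
import struct

IP_HDR, TCP_HDR, GRE_HDR = 20, 20, 24   # byte sizes used on the page (no IP/TCP options)

def max_mss(mtu: int = 1500, tunnel_overhead: int = 0) -> int:
    return mtu - IP_HDR - TCP_HDR - tunnel_overhead   # 1500 - 40 = 1460; minus GRE = 1436

def fold16(s: int) -> int:
    """Fold carries into 16 bits and return the one's complement (Internet checksum)."""
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def mss_offset(seg: bytes):
    """Byte offset of the MSS option value (kind 2, length 4) in the TCP header, or None."""
    hdr_len, i = (seg[12] >> 4) * 4, TCP_HDR
    while i < hdr_len and seg[i] != 0:          # kind 0 ends the option list
        if seg[i] == 1:                         # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= hdr_len or seg[i + 1] < 2 or i + seg[i + 1] > hdr_len:
            raise ValueError("malformed TCP option at offset %d" % i)
        if seg[i] == 2 and seg[i + 1] == 4:
            return i + 2
        i += seg[i + 1]
    return None

def read_mss(seg: bytes):
    """Announced MSS of a segment, or None if it carries no MSS option."""
    off = mss_offset(seg)
    return None if off is None else int.from_bytes(seg[off:off + 2], "big")

def clamp_mss(segment: bytes, limit: int) -> bytes:
    """Copy of `segment` with its MSS lowered to `limit` if larger (what `ip tcp adjust-mss`
    does to SYNs); the checksum is patched per RFC 1624, HC' = ~(~HC + ~m + m')."""
    if len(segment) < TCP_HDR or not segment[13] & 0x02:   # only SYNs carry MSS
        return segment
    seg, off, old = bytearray(segment), mss_offset(segment), read_mss(segment)
    if off is not None and old > limit:
        seg[off:off + 2] = limit.to_bytes(2, "big")
        csum = int.from_bytes(seg[16:18], "big")
        seg[16:18] = fold16((~csum & 0xFFFF) + (~old & 0xFFFF) + limit).to_bytes(2, "big")
    return bytes(seg)

def make_syn(mss: int) -> bytes:
    """Constructed sample SYN (40000 -> 443) with one MSS option; checksum over the segment only."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    seg = hdr + struct.pack("!BBH", 2, 4, mss)
    words = [int.from_bytes(seg[j:j + 2], "big") for j in range(0, len(seg), 2)]
    return seg[:16] + fold16(sum(words)).to_bytes(2, "big") + seg[18:]
```

A receiver verifies the clamped segment by summing all of its 16-bit words including the checksum field, which must fold to zero; the rewritten value is otherwise dropped by the peer.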

Windows Defender Application Guard as browser extensions in Google Chrome and Mozilla Firefox

The Windows Defender Application Guard extension for Google Chrome and Mozilla Firefox is rolling out to Windows Insiders today and will be generally available very soon. This is available for users on Win 10 Enterprise and Pro SKUs on 1803 or later.

To extend our container technology to other browsers and provide customers with a comprehensive solution to isolate potential browser-based attacks, we have designed and developed Windows Defender Application Guard extensions for Google Chrome and Mozilla Firefox.

Windows Defender Application Guard extension on Chrome web store

How it works

The extensions for Google Chrome and Mozilla Firefox automatically redirect untrusted navigations to Windows Defender Application Guard for Microsoft Edge. The extension relies on a native application that we’ve built to support the communication between the browser and the device’s Application Guard settings.

When users navigate to a site, the extension checks the URL against a list of trusted sites defined by enterprise administrators. If the site is determined to be untrusted, the user is redirected to an isolated Microsoft Edge session. In the isolated Microsoft Edge session, the user can freely navigate to any site that has not been explicitly defined as trusted by their organization without any risk to the rest of the system. With our upcoming dynamic switching capability, if the user tries to go to a trusted site while in an isolated Microsoft Edge session, the user is taken back to the default browser.

To configure the Application Guard extension under managed mode, enterprise administrators can follow these recommended steps:

  1. Ensure devices meet requirements.
  2. Turn on Windows Defender Application Guard.
  3. Define the network isolation settings to ensure a set of trusted sites is in place.
  4. Install the new Windows Defender Application Guard companion application from the Microsoft Store.
  5. Install the extension for Google Chrome or Mozilla Firefox browsers provided by Microsoft.
  6. Restart the devices.

Intuitive user experience

We designed the user interface to be transparent to users about Windows Defender Application Guard being installed on their devices and what it does. We want to ensure that users are fully aware that their untrusted navigations will be isolated and why.

  1. When users initially open Google Chrome or Mozilla Firefox after the extension is deployed and configured properly, they will see a Windows Defender Application Guard landing page.
     Windows Defender Application Guard landing page
  2. If there are any problems with the configuration, users will get instructions for resolving any configuration errors.
     Error page instructions for resolving any configuration errors
  3. Users can initiate an Application Guard session without entering a URL or clicking on a link by clicking the extension icon on the menu bar of the browser.
     Start an Application Guard session by clicking the extension icon on the menu bar of the browser

Protect on-premises VMs by directly replicating to managed disks in Azure

Azure Site Recovery now supports disaster recovery of VMware virtual machines and physical machines by directly replicating to managed disks. You no longer need to create and manage multiple target storage accounts for replicating your machines. On-premises data is sent to a cache storage account in the target region and then written into managed disks by Site Recovery.

Existing replications will continue to replicate to storage accounts.

Configure SNMPv3 on Cisco Catalyst 2960.

I found that SNMPv3 works only with Cisco IOS version 15.2 and higher.

If your Cisco IOS is not 15.2 or higher, you need to download it from here.

  1. In this configuration, we will create the following three objects:

GroupRW – has read and write permission
GroupR – has read permission only
Full-Access – a view that gives access to the whole SNMP tree


Let's start.

Switch(config)#snmp-server view Full-Access iso included

This command creates the view Full-Access, which includes the entire iso subtree.


Switch(config)#snmp-server enable traps snmp linkdown linkup

This command permits the SNMP service to send traps on link up or link down.


Switch(config)#snmp-server group GroupRW v3 priv read Full-Access write Full-Access

With this command, we create GroupRW and give it read and write permission to the whole iso tree, at the authPriv security level.


Switch(config)#snmp-server user TestRW GroupRW v3 auth MD5 Master200 priv des Master300

With this command, we create user TestRW in GroupRW with the MD5 authentication password “Master200” and the DES privacy password “Master300”.


Switch(config)#snmp-server group GroupRW v3 priv context vlan- match prefix read Full-Access write Full-Access notify Full-Access

This gives GroupRW the same privileges in every VLAN context (all contexts whose name starts with vlan-).


Switch(config)#snmp-server group GroupR v3 priv read Full-Access

We create the second group, “GroupR”, with read permission only to the whole iso tree.


Switch(config)#snmp-server user TestR GroupR v3 auth MD5 Slave200 priv des Slave300

We create user TestR in GroupR with the MD5 authentication password “Slave200” and the DES privacy password “Slave300”.


After defining the two SNMPv3 users, one read-only and the other read-write, we need to associate them with the host IP addresses we want.

Switch(config)#snmp-server host X.X.X.X version 3 priv TestRW

This associates host X.X.X.X with the read-write user TestRW.

Switch(config)#snmp-server host X.X.X.X version 3 priv TestR

This associates host X.X.X.X with the read-only user TestR.

This is the full config; just copy and paste it.

Switch(config)#snmp-server view Full-Access iso included
Switch(config)#snmp-server enable traps snmp linkdown linkup

Switch(config)#snmp-server group GroupRW v3 priv read Full-Access write Full-Access

Switch(config)#snmp-server user TestRW GroupRW v3 auth MD5 Master200 priv des Master300

Switch(config)#snmp-server group GroupRW v3 priv context vlan- match prefix read Full-Access write Full-Access notify Full-Access

Switch(config)#snmp-server group GroupR v3 priv read Full-Access

Switch(config)#snmp-server user TestR GroupR v3 auth MD5 Slave200 priv des Slave300


Switch(config)#snmp-server host X.X.X.X version 3 priv TestRW
Switch(config)#snmp-server host X.X.X.X version 3 priv TestR
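An added example, not part of the original post: a small Python audit of SNMPv3 commands like the ones above. MD5 authentication and DES privacy are the weaker choices (SHA and AES are the current recommendations), and any group or notification host below the priv level sends traffic unauthenticated or in cleartext. The sample configuration is constructed from the page's commands, with the last host line changed to `auth` so that finding is exercised.

```python
import re

# Constructed sample: the page's SNMPv3 commands as pasted from the CLI; the last host
# line is changed from `priv` to `auth` so the audit has a below-authPriv host to report.
SAMPLE_CONFIG = """\
Switch(config)#snmp-server group GroupRW v3 priv read Full-Access write Full-Access
Switch(config)#snmp-server user TestRW GroupRW v3 auth MD5 Master200 priv des Master300
Switch(config)#snmp-server group GroupR v3 priv read Full-Access
Switch(config)#snmp-server user TestR GroupR v3 auth MD5 Slave200 priv des Slave300
Switch(config)#snmp-server host X.X.X.X version 3 priv TestRW
Switch(config)#snmp-server host X.X.X.X version 3 auth TestR
"""

PROMPT_RE = re.compile(r"^\S+\(config\)#")          # strip "Switch(config)#" if present
USER_RE = re.compile(r"^snmp-server user (?P<user>\S+) (?P<group>\S+) v3"
                     r"(?: auth (?P<auth>\S+) \S+)?(?: priv (?P<priv>\S+)(?: \d+)? \S+)?")
GROUP_RE = re.compile(r"^snmp-server group (?P<group>\S+) v3 (?P<level>noauth|auth|priv)(?P<rest>.*)")
HOST_RE = re.compile(r"^snmp-server host (?P<host>\S+) version 3 (?P<level>noauth|auth|priv) (?P<user>\S+)")

def audit(config: str) -> list:
    """(line_no, severity, message) for MD5/DES choices and any group or host below priv."""
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = PROMPT_RE.sub("", raw.strip())
        m = USER_RE.match(line)
        if m:
            if m["auth"] is None:
                findings.append((n, "HIGH", f"user {m['user']}: no authentication (noAuthNoPriv)"))
            elif m["auth"].lower() == "md5":
                findings.append((n, "MEDIUM", f"user {m['user']}: MD5 authentication; prefer SHA"))
            if m["priv"] is None:
                findings.append((n, "HIGH", f"user {m['user']}: no privacy, SNMP traffic is cleartext"))
            elif m["priv"].lower() in ("des", "des56"):
                findings.append((n, "MEDIUM", f"user {m['user']}: DES privacy; prefer AES"))
            continue
        m = GROUP_RE.match(line)
        if m:
            if m["level"] != "priv":
                findings.append((n, "HIGH", f"group {m['group']}: security level {m['level']}, not priv"))
            if re.search(r"\bwrite\b", m["rest"]):
                findings.append((n, "INFO", f"group {m['group']}: has write access; keep membership minimal"))
            continue
        m = HOST_RE.match(line)
        if m and m["level"] != "priv":
            findings.append((n, "HIGH", f"host {m['host']}: notifications at level {m['level']}, not priv"))
    return findings

if __name__ == "__main__":
    for line_no, sev, msg in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: [{sev}] {msg}")
```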

Deploy Checkpoint Client using GPO

To build the script and create the GPO, you first need to install the client on your PC and go to this location to find the build number of your Checkpoint client version.

After you find the “build number”, enter it in the script below and save the script on your desktop.

@Echo Off
REM Look for the installed build number in ver.ini; find sets errorlevel 0 when the string is present.
Find "986100112" "C:\Program Files (x86)\CheckPoint\Endpoint Connect\ver.ini" > nul 2>&1
IF %errorlevel% equ 0 (goto end) ELSE goto install
:install
REM Not installed (or a different build): install silently from the GPO's Startup folder in SYSVOL.
msiexec /i "\\DOMAIN.COM\SysVol\DOMAIN.COM\Policies\{5CC0B310-3CA0-4D3B-9A10-6ADFBFD7427C}\Machine\Scripts\Startup\E80.90_CheckPointVPN.msi" /quiet /norestart
:end
exit



Click on “Add”; it will generate a new folder path.

Put your script and your Checkpoint MSI in this folder.

Note that the folder path where you put your script and client must be the one used in the script!


Don’t forget to apply this GPO to your computers OU.
