# Appendices (William)

## Fortigate

### Create an interface aggregate

To create an aggregate interface using the GUI:

1. Go to *Network* > *Interfaces* and select *Create New* > *Interface*.
2. For *Interface Name*, enter *Aggregate*.
3. For the *Type*, select *802.3ad Aggregate*.
4. In the *Physical Interface Members*, click to add interfaces and select ports 4, 5, and 6.
5. For *Addressing mode*, select *Manual*.
6. For the IP address for the port, enter 10.1.1.123/24.
7. For *Administrative Access*, select *HTTPS* and *SSH*.
8. Select *OK*.

To create an aggregate interface using the CLI:

```
FG140P3G15800330 (aggregate) # show
config system interface
    edit "aggregate"
        set vdom "root"
        set ip 10.1.1.123 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm radius-acct capwap ftm
        set type aggregate
        set member "port3" "port4" "port5"
        set device-identification enable
        set lldp-transmission enable
        set fortiheartbeat enable
        set role lan
        set snmp-index 45
    next
end
```

Note that this output lists members port3 to port5 and a wider `allowaccess` set than the ports 4 to 6 and the HTTPS and SSH access selected in the GUI steps above.

### Configure an external interface

```
config system interface
    edit external
        set mode static
        set ip 172.16.21.2 255.255.255.0
end
```

### Configure a VLAN interface

To add VLAN subinterfaces:

```
config system interface
    edit VLAN_100
        set vdom root
        set interface internal
        set type vlan
        set vlanid 100
        set mode static
        set ip 10.1.1.1 255.255.255.0
        set allowaccess https ping
    next
    edit VLAN_200
        set vdom root
        set interface internal
        set type vlan
        set vlanid 200
        set mode static
        set ip 10.1.2.1 255.255.255.0
        set allowaccess https ping
end
```

To add the firewall addresses:

```
config firewall address
    edit VLAN_100_Net
        set type ipmask
        set subnet 10.1.1.0 255.255.255.0
    next
    edit VLAN_200_Net
        set type ipmask
        set subnet 10.1.2.0 255.255.255.0
end
```

### Configure a DHCP server on an interface

To add a DHCP server on the GUI:

```
1. Go to Network > Interfaces.
2. Edit an interface.
3. Enable the DHCP Server option and configure the settings.
```

To add a DHCP server on the CLI:

```
config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 192.168.1.2
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 192.168.1.1
                set end-ip 192.168.1.1
            next
            edit 2
                set start-ip 192.168.1.3
                set end-ip 192.168.1.254
            next
        end
        set timezone-option default
        set tftp-server "172.16.1.2"
    next
end
```

### Configure a site-to-site IPsec VPN with certificate authentication

```
1. Import the certificate.
2. Configure user peers.
3. Configure the HQ1 FortiGate.
   a. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      i. Enter a VPN name.
      ii. For Template Type, select Site to Site.
      iii. For Remote Device Type, select FortiGate.
      iv. For NAT Configuration, select No NAT Between Sites.
      v. Click Next.
   b. Configure the following settings for Authentication:
      i. For Remote Device, select IP Address.
      ii. For the IP address, enter 172.16.202.1.
      iii. For Outgoing interface, enter port1.
      iv. For Authentication Method, select Signature.
      v. In the Certificate name field, select the imported certificate.
      vi. From the Peer Certificate CA dropdown list, select the desired peer CA certificate.
      vii. Click Next.
   c. Configure the following settings for Policy & Routing:
      i. From the Local Interface dropdown menu, select the local interface.
      ii. Configure the Local Subnets as 10.1.100.0.
      iii. Configure the Remote Subnets as 172.16.101.0.
      iv. Click Create.
4. Configure the HQ2 FortiGate.
   a. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      i. Enter a VPN name.
      ii. For Template Type, select Site to Site.
      iii. For Remote Device Type, select FortiGate.
      iv. For NAT Configuration, select No NAT Between Sites.
      v. Click Next.
   b. Configure the following settings for Authentication:
      i. For Remote Device, select IP Address.
      ii. For the IP address, enter 172.16.200.1.
      iii. For Outgoing interface, enter port25.
      iv. For Authentication Method, select Signature.
      v. In the Certificate name field, select the imported certificate.
      vi. From the Peer Certificate CA dropdown list, select the peer CA certificate.
      vii. Click Next.
   c. Configure the following settings for Policy & Routing:
      i. From the Local Interface dropdown menu, select the local interface.
      ii. Configure Local Subnets as 172.16.101.0.
      iii. Configure the Remote Subnets as 10.1.100.0.
      iv. Click Create.
```

### Configure an SSL VPN for remote (roaming) user access

To configure SSL VPN using the GUI:

```
1. Configure the interface and firewall address:
   a. Go to Network > Interfaces and edit the wan1 interface.
   b. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
   c. Edit port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
   d. Click OK.
2. Configure user and user group:
   a. Go to User & Authentication > User Definition to create a local user sslvpnuser1.
   b. Go to User & Authentication > User Groups to create a group sslvpngroup with the member sslvpnuser1.
3. Configure SSL VPN web portal:
   a. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-full-tunnel-portal.
   b. Disable Split Tunneling.
4. Configure SSL VPN settings:
   a. Go to VPN > SSL-VPN Settings.
   b. For Listen on Interface(s), select wan1.
   c. Set Listen on Port to 10443.
   d. Choose a certificate for Server Certificate. The default is Fortinet_Factory.
   e. In Authentication/Portal Mapping All Other Users/Groups, set the Portal to tunnel-access.
   f. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-full-tunnel-portal.
5. Configure SSL VPN firewall policies to allow remote user to access the internal network:
   a. Go to Policy & Objects > Firewall Policy and click Create New.
   b. Set Name to sslvpn tunnel mode access.
   c. Set Incoming Interface to SSL-VPN tunnel interface(ssl.root).
   d. Set Outgoing Interface to port1.
   e. Set the Source Address to all and User to sslvpngroup.
   f. Set Destination to all, Schedule to always, Service to ALL, and Action to Accept.
   g. Click OK.
   h. Click Create New.
   i. Set Name to sslvpn tunnel mode outgoing.
   j. Configure the same settings as the previous policy, except set Outgoing Interface to wan1.
   k. Click OK.
```

## Cisco

### PAgP configuration

To configure the interfaces to actively negotiate with PAgP packets (desirable mode):

```
Switch#configure terminal
Switch(config)#interface range f0/1 - 2
Switch(config-if-range)#channel-group 5 mode desirable
Switch(config-if-range)#end
```

To verify that the EtherChannel has formed, use the following show command: `Switch#show etherchannel summary`

### VTP configuration

1. Configure the VTP domain, named TEST:

   ```
   Switch>enable
   Switch#configure terminal
   Switch(config)#vtp domain TEST
   Changing VTP domain name from NULL to TEST
   ```

2. Set Server mode:

   ```
   Switch(config)#vtp mode server
   Device mode already VTP SERVER.
   ```

3. Enable pruning (from the Server switch):

   ```
   Switch(config)#vtp pruning
   Pruning switched on
   ```

4. Configure a VTP password (cisco123):

   ```
   Switch(config)#vtp password cisco123
   Setting device VLAN database password to cisco123
   ```

5. Enable VTP version 2 (to be done on all switches!): `Switch(config)#vtp version 2`

Verification:

1. Display the configured password:

   ```
   Switch#show vtp password
   VTP Password: cisco123
   ```

2. Check the counters of VTP messages sent and received:

   ```
   Switch#show vtp counters
   ```

## Bitdefender

### Installing the Bitdefender appliance

For installation and initial setup, you must have the following at hand:

- DNS names or fixed IP addresses (either by static configuration or via a DHCP reservation) for the GravityZone appliances
- Username and password of a domain administrator
- vCenter Server, XenServer details (hostname or IP address, communication port, administrator username and password)
- License keys (check the trial registration or purchase email)
- Outgoing mail server settings
- If needed, proxy server settings
- Security certificates

To deploy and set up GravityZone:

1. Download the GravityZone virtual appliance image from the Bitdefender website (link provided in registration or purchase email).
2. Import the GravityZone virtual appliance image in your virtualized environment.
3. Power on the appliance.
4. From your virtualization management tool, access the console interface of the GravityZone appliance.
5. Configure the password for bdadmin, the built-in system administrator.

![](https://i.imgur.com/z9vCdyu.png)

![](https://i.imgur.com/qDEKwwj.png)

To configure the hostname settings:

1. From the main menu, select Configure Hostname Settings.
2. Enter the hostname of the appliance and the Active Directory domain name (if needed).
3. Select OK to save the changes.

You can configure the appliance to automatically obtain network settings from the DHCP server or you can manually configure network settings. If you choose to use DHCP, you must configure the DHCP Server to reserve a specific IP address for the appliance.

1. From the main menu, select Configure Network Settings.

   ![](https://i.imgur.com/EUqkFev.png)

2. Select the network interface.
3. Select the configuration method:
   - Configure network settings manually. You must specify the IP address, network mask, gateway address and DNS server addresses.
   - Obtain network settings automatically via DHCP. Use this option only if you have configured the DHCP Server to reserve a specific IP address for the appliance.

   ![](https://i.imgur.com/1Cue6lG.png)

4. You can check current IP configuration details or link status by selecting the corresponding options.
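
Referring back to the Fortigate interface sections: the GUI steps for the aggregate select only HTTPS and SSH, while the CLI output carries a much wider `allowaccess` list. The following added example (not part of the original page and not Fortinet tooling) parses `config system interface` blocks and reports interfaces exposing more than an allowlist; the allowlist, the function names and the sample text are assumptions of this example.

```python
import re

# Assumed policy for this example: expected protocols, and cleartext ones to highlight.
ALLOWED = {"ping", "https", "ssh"}
CLEARTEXT = {"http", "telnet"}

# Constructed sample reusing the aggregate and VLAN_100 allowaccess lines from this page.
SAMPLE = """\
config system interface
    edit "aggregate"
        set allowaccess ping https ssh snmp http fgfm radius-acct capwap ftm
    next
    edit VLAN_100
        set allowaccess https ping
    next
end
"""

def parse_allowaccess(config_text):
    """Map each interface in 'config system interface' to its allowaccess set."""
    access, depth, in_iface, name = {}, 0, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1  # nested blocks (depth > 1) are skipped below
            if depth == 1:
                in_iface = line == "config system interface"
        elif line == "end":
            depth -= 1
        elif in_iface and depth == 1:
            m = re.match(r'edit\s+"?([^"]+?)"?$', line)
            if m:
                name = m.group(1)
                access[name] = set()
            elif name and line.split()[:2] == ["set", "allowaccess"]:
                access[name] = set(line.split()[2:])
    return access

def audit(config_text, allowed=ALLOWED):
    """Return interfaces exposing protocols outside the allowlist."""
    findings = {}
    for iface, protos in parse_allowaccess(config_text).items():
        extra = protos - allowed
        if extra:
            findings[iface] = {"unexpected": sorted(extra), "cleartext": sorted(extra & CLEARTEXT)}
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against a saved configuration backup, the same `audit()` call lists every interface whose administrative access has drifted from what was intended in the GUI.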