The category blocked was Alcohol; however, I whitelisted this category. Disabling the filter-based category allowed this.

The problem was that the FortiGate GUI was not displaying the actual committed config on the firewall (the profile was broken).

Solution

This way the “default” profile was visible.

Also, you might want to add a DNS Filter.

Basically, DNS filters work like the web filter, but at the DNS level.

So let's say you want to go to youporn: the firewall tries to resolve the name youporn.com, but since it is in a blocked category, it blocks the resolution of the name even before you get to browse it.


You might have set up a new Ubiquiti access point using a controller based at another site, which is not the device's final destination, so it is no longer configurable once you get to the new site.

If you can get the old controller back up and connect to the access points, you can use the guide below to move the access points to a new site via the Site Migration (Site Export Wizard):

https://help.ubnt.com/hc/en-us/articles/115002869188-UniFi-Migrating-Sites-with-Site-Export-Wizard

If you cannot connect to the old controller anymore, you can try logging into the access point via its IP and doing the following.

You can keep the same old controller name:

  1. SSH into the AP with the former controller’s credentials
  2. In the controller, forget the AP
  3. Reset to defaults with ‘syswrapper.sh restore-default’ (the connection will be terminated)
  4. SSH into the AP with ubnt/ubnt
  5. Enter the mca-cli shell
  6. Run ‘set-inform http://x.x.x.x:8080/inform’, where x.x.x.x is the IP of the new UniFi controller
  7. In the controller, adopt the AP
  8. Repeat step 6 after adoption (sometimes this is necessary to get to provisioning)
  9. The AP will reboot and provision
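The same procedure scripted for several access points at once, as an added example that is not from the original post: it validates the controller address before anything is pushed and runs set-inform per AP, which you call again after adoption as the post advises. The ‘mca-cli-op set-inform’ command (the non-interactive form of entering mca-cli and typing set-inform), the ubnt login and the 10.0.0.x / 192.0.2.x addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): re-point one or more UniFi APs
# at a new controller over SSH, scripting steps 4-6 and 8 of the procedure.
# Assumes the APs answer SSH as ubnt/ubnt (after restore-default) and accept
# `mca-cli-op set-inform`; set DRY_RUN=1 to print the commands instead.

# Build the inform URL from a controller address, rejecting anything that is
# not a valid dotted-quad IPv4 so a typo never gets pushed to every AP.
inform_url() {
  ip=$1
  port=${2:-8080}
  case $ip in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  printf 'http://%s:%s/inform\n' "$ip" "$port"
}

# Send set-inform to one AP. The post notes the command sometimes has to be
# repeated after adoption, so run this again once the controller shows the
# AP as adopted.
readopt() {
  ap=$1
  url=$2
  cmd="mca-cli-op set-inform $url"
  if [ -n "$DRY_RUN" ]; then
    printf "ssh ubnt@%s '%s'\n" "$ap" "$cmd"
  else
    ssh -o StrictHostKeyChecking=accept-new "ubnt@$ap" "$cmd"
  fi
}

# Usage: CONTROLLER=10.0.0.5 readopt_all 192.0.2.20 192.0.2.21
# Refuses to touch any AP when CONTROLLER is not a valid IPv4 address.
readopt_all() {
  url=$(inform_url "$CONTROLLER") || { echo "bad CONTROLLER: $CONTROLLER" >&2; return 1; }
  for ap in "$@"; do
    readopt "$ap" "$url"
  done
}
```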

Finally, you can perform a factory reset on the device to join it to a new controller:

https://help.ubnt.com/hc/en-us/articles/205143490-UniFi-How-to-Reset-the-UniFi-Access-Point-to-Factory-Defaults


When a user VPNs into a FortiGate router, make sure they can access all subnets available to the router, not just the local one:

  1. Add a security policy allowing traffic from the SSL VPN interface to the IPsec VPN:

Name : SSL VPN to New Subnet

Incoming Interface : SSL-VPN tunnel interface (ssl.root)

Outgoing Interface : %Interface of the site-to-site VPN for the remote site%

Source : SSL VPN Client Range / SSLVPN_Users

Destination Address : %new subnet%

Schedule : Always

Service : ALL

Action : Accept

NAT : Enabled (so traffic traverses the IPsec VPN from a local address (192.168.0.x) rather than from the SSL VPN client range (192.168.1.x))

IP Pool Configuration : Use Dynamic IP Pool and a NAT pool for the SSL VPN clients

  2. Make sure the NAT pool range is excluded from your onsite DHCP scope.

  3. Add the new subnet to the routing address in the SSL VPN portal (tunnel mode):

VPN -> SSL-VPN Portals

Tunnel Mode -> Enable Split Tunneling -> Routing Address


Switch-A(config)#interface port-channel 1
Switch-A(config-if)#switchport trunk encapsulation dot1q
Switch-A(config-if)#switchport mode trunk
Switch-A(config-if)#speed nonegotiate

Switch-A(config)#interface GigabitEthernet1/1/1
Switch-A(config-if)#switchport mode trunk
Switch-A(config-if)#speed nonegotiate
Switch-A(config-if)#channel-group 1 mode active

Switch-A(config)#interface GigabitEthernet2/1/1
Switch-A(config-if)#switchport mode trunk
Switch-A(config-if)#speed nonegotiate
Switch-A(config-if)#channel-group 1 mode active
——————————————————-

Switch-B(config)#interface port-channel 1
Switch-B(config-if)#switchport trunk encapsulation dot1q
Switch-B(config-if)#switchport mode trunk
Switch-B(config-if)#speed nonegotiate

Switch-B(config)#interface GigabitEthernet1/1/1
Switch-B(config-if)#switchport mode trunk
Switch-B(config-if)#speed nonegotiate
Switch-B(config-if)#channel-group 1 mode active

Switch-B(config)#interface GigabitEthernet2/1/1
Switch-B(config-if)#switchport mode trunk
Switch-B(config-if)#speed nonegotiate
Switch-B(config-if)#channel-group 1 mode active


Find the latest firmware: https://software.cisco.com/download/release.html?mdfid=284846029&softwareid=282046477&release=3.3.0SE&flowid=45549

Set up a TFTP server (download: http://tftpd32.jounin.net/tftpd32_download.html).

Copy the .bin file to the TFTP directory, then copy it to the switch flash:

3650-SW1#copy tftp flash
Address or name of remote host []? 10.1.1.250
Source filename []? cat3k_caa-universalk9.SPA.03.06.06.E.152-2.E6.bin
Destination filename [cat3k_caa-universalk9.SPA.03.03.01.SE.150-1.EZ1.bin]? <enter>

Then install the new image on all stack members:

3850-SW1#software install file flash:cat3k_caa-universalk9.SPA.03.06.06.E.152-2.E6.bin switch 1-4

The install will ask you to reload, which restarts the whole stack (all stack members should run the same IOS).

If the SSH session disconnects during the install, you will need to issue a manual reload command.


Trying to enable LACP on a cross-stack Cisco switch via EtherChannel.

On enabling this I got an error on one side of the LACP switch:

suspended: LACP currently not enabled on the remote port.

I broke the port channel and set it back to switchport mode trunk.

Then I re-enabled the port channel in this order:

Switch 1 Port One

Switch 2 Port One

Switch 2 Port Two

Switch 1 Port Two


Err-disabled happens when you insert an SFP that doesn’t match, or when there is a general error on the port. The port stays err-disabled so you can clear the fault (SFP or cable) first.

When ready, run:

  • conf t
  • interface GigabitEthernet <number of the err-disabled port>
  • shut
  • no shut


Prepare the switch config

VLAN ID 1 = Guest

VLAN ID 10 = Corporate

Access point ports and controllers should be untagged with VLAN ID 1 and tagged with VLAN 10.

The guest Wi-Fi internet input should be untagged with VLAN 1, as should the management port you control the switch with.

The input of the corporate network into the switch needs to be a port tagged with VLAN 10.

Access point configuration

  1. Check whether you are using an array of APs; if you are, log into the master AP in your array. Changes made on any other access point will not save.

  2. Create a new SSID with a password.

Enable VLAN status.

Create VID 1 (Default) as below, and Corp for VLAN ID 

Change the PVID settings to 


If you’ve never used a Cisco access point (Aironet): out of the box, or after a factory reset, the dot11radio 0 interface is set to shutdown by default and will not broadcast any of your SSIDs.

Also, by default only web-page administration is available; you can enable SSH through the website’s Administration page.

Enable the radio through SSH:

ap(config)#interf dot11rad 0

ap(config-if)#no shutdown

Depending on whether you have 1 or 2 SSIDs, you will need to enable Guest mode or Multi-Guest mode.
