When trying to set up Citrix SAML, the NetScaler showed the following error on redirect:

Matching policy not found while trying to process Assertion; Please contact your administrator

Navigate to your Virtual Server

Add a new Authentication entry

Choose SAML and Primary

Leave Priority as 100

Finding issues in wireless networks can be hard; however, there are some tools you can use before you bring the spectrum analyser in!

Auditing

Download and install inSSIDer Home

It is a great way to visualise SSID strength and channels. Just note that while it is running, your pings will go up!

How to check for deauths

Once you have identified the channel, launch Wireshark (https://www.wireshark.org/) capturing on that channel and listen for a minute or two.

First, apply this filter:

wlan.fc.type_subtype == 0xc

This will show you all the deauthentication frames that have been sent out, from any source.

Deauth Flood

Apply this filter next:

wlan.fc.type_subtype == 0x8 && wlan.sa == <BSSID of the SSID you are inspecting>

This will display beacon frames from your AP. Check the signal strength. In this case, we’ve got a good strong signal because we’re right next to the AP (right around -40 dBm on average).

Our Beacons

Next, apply this filter:

wlan.fc.type_subtype == 0xc && wlan.sa == <BSSID of the SSID you are inspecting>

This shows deauthentication frames whose source address is your AP. Note the signal strength column on the far right…

Spoofed Deauths

The deauthentication frames are coming in much weaker than the valid beacon frames. This strongly indicates that another device is sending deauthentication frames spoofed with your AP's address.
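The comparison above can be scripted so it runs over a whole capture instead of being eyeballed in Wireshark. This is an added example, not code from the original post: it assumes frames have been exported with tshark using `-T fields` for `wlan.fc.type_subtype`, `wlan.sa` and `wlan_radio.signal_dbm` (tab separated), builds a beacon-RSSI baseline for the BSSID under inspection, and flags deauths that arrive more than an assumed 15 dB weaker than that baseline. The capture lines in the block are constructed, not real data.

```python
"""Flag deauthentication frames that are much weaker than the AP's own
beacons (the check described above), run here on constructed sample data.
Added example, not part of the original post."""
from statistics import mean

# Subtype values as Wireshark's wlan.fc.type_subtype reports them
BEACON = 0x8
DEAUTH = 0xC


def parse_tshark_line(line):
    """Parse one tab-separated line of assumed 'tshark -T fields' output:
    wlan.fc.type_subtype, wlan.sa, wlan_radio.signal_dbm.
    Returns (subtype, source_mac, signal_dbm)."""
    subtype, sa, sig = line.rstrip("\n").split("\t")
    return int(subtype, 16), sa.lower(), int(sig)


def analyse_deauths(frames, bssid, gap_db=15):
    """Compare deauth RSSI against the AP's beacon RSSI baseline.

    frames: iterable of (subtype, source_mac, signal_dbm)
    bssid:  MAC of the AP under inspection
    gap_db: how much weaker (in dB) a deauth must be than the average beacon
            before it is counted as suspicious (assumed threshold)
    """
    bssid = bssid.lower()
    beacons = [sig for st, sa, sig in frames if st == BEACON and sa == bssid]
    deauths = [sig for st, sa, sig in frames if st == DEAUTH and sa == bssid]
    if not beacons:
        raise ValueError("no beacons from %s: wrong channel or BSSID?" % bssid)
    baseline = mean(beacons)
    suspicious = [sig for sig in deauths if baseline - sig >= gap_db]
    return {
        "beacon_avg_dbm": baseline,
        "deauth_count": len(deauths),
        "suspicious_deauths": len(suspicious),
        "likely_spoofed": bool(suspicious),
    }


# Constructed sample capture (not real data): our AP beaconing at around
# -40 dBm, two deauths "from" it arriving far weaker, one at beacon strength,
# and a beacon from an unrelated AP that must be ignored.
SAMPLE_CAPTURE = """\
0x0008\tAA:BB:CC:DD:EE:01\t-41
0x0008\tAA:BB:CC:DD:EE:01\t-39
0x0008\tAA:BB:CC:DD:EE:01\t-42
0x000c\tAA:BB:CC:DD:EE:01\t-72
0x000c\tAA:BB:CC:DD:EE:01\t-75
0x0008\t11:22:33:44:55:66\t-60
0x000c\tAA:BB:CC:DD:EE:01\t-40
"""


def analyse_sample():
    frames = [parse_tshark_line(l) for l in SAMPLE_CAPTURE.splitlines()]
    return analyse_deauths(frames, "aa:bb:cc:dd:ee:01")


if __name__ == "__main__":
    for key, value in analyse_sample().items():
        print("%s: %s" % (key, value))
```

A single strong deauth at beacon level (the last sample line) is not flagged, which matches the reasoning above: only deauths that are clearly weaker than the AP's own beacons point to a second transmitter. Adjust `gap_db` to the environment; a client far from the AP will also see weak beacons, so the baseline must come from the same capture position.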


Recently we found a FortiGate router that was not listening locally.

Log in to the console via serial cable (PuTTY) and run:

config system interface
edit wan1
set allowaccess ping http https
end


config system admin
edit admin
set trusthost1 %publicip%/32
set trusthost2 %localIprange%/24
end

Connect to http://wired.meraki.com/#configure from a PC/server connected to the Meraki. The default username is the serial number of the device (which can be found in the Cloud Dashboard) and the password is blank.

The following will restart the Meraki, so make sure you arrange downtime.

Change Port 2 from LAN to Internet, add the IP details and click Save.

Make sure all Ethernet ports are set to Auto for negotiation.

By default the Meraki will put the connections in Active/Passive. To enable Active/Active:

Log in to your Meraki Cloud Dashboard and enable Load Balancing:

This will spread both inbound and outbound traffic across both links.

To force one port, e.g. to a specific link, add an Internet Traffic Flow setting,

e.g.


Get Model Number and Serial for Firmware

Log in to your switch via SSH and run

show switch

This will show you the System Type (the model of the switch) and whether it is stacked. Now type

show version

This will show you your current firmware and also the serial number (in red).

Download Firmware

1. Go to Extreme Networks Support and click Downloads for ExtremeXOS for your switch model.
2. Log in using your account. You have to register if you don't have an account.
3. Click Accept All.
4. Type the serial number.
5. Click Software Downloads.
6. Click the correct ExtremeXOS image and download it to your TFTP server.

Setup TFTP

Free TFTP tools such as tftp32 will work for the switch upgrade.

Make sure UDP port 69 is allowed through Windows Firewall.

Even if your Windows Firewall is disabled, make sure it is also disabled for the Guest network profile, as this is usually the network profile the management traffic arrives on, not the Domain profile.

Make sure the machine you are using does not have WDS enabled, as WDS also uses TFTP.

Run TFTP and make sure the server is listening on a network IP (NOT 127.0.0.1).

Copy the .xos file to the TFTP directory.

In SSH, make sure you can ping the IP of the TFTP server from the switch via

ping %IP OF TFTPServer%

and that you get a reply.
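A ping only proves the server host is reachable, not that UDP 69 is open, that the TFTP service is bound to a network address rather than loopback, or that the image is actually in the TFTP directory. The following added example (not part of the original post, and not an Extreme or tftp32 tool) checks all three the way the switch will: it sends an RFC 1350 read request for the image file to port 69 from a PC on the same network, classifies the first reply, and aborts the transfer after the first DATA block so the whole image is not pulled. The server address and image name on the command line are placeholders.

```python
"""Probe a TFTP server with an RFC 1350 read request for the image file and
report whether a DATA block, an ERROR, or nothing comes back.
Added example, not part of the original post."""
import ipaddress
import socket
import struct

TFTP_PORT = 69
OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5


def listen_address_ok(ip):
    """The switch must reach the server over the network, so a loopback bind
    address (127.0.0.0/8) is useless; 0.0.0.0 (all interfaces) is fine."""
    return not ipaddress.ip_address(ip).is_loopback


def build_rrq(filename, mode="octet"):
    """Read request: opcode 1, filename, NUL, mode, NUL (RFC 1350)."""
    return (struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def build_error(code, message):
    """ERROR packet; used here to abort the transfer after the first block."""
    return struct.pack("!HH", OP_ERROR, code) + message.encode("ascii") + b"\x00"


def parse_reply(packet):
    """Classify the server's first reply to the RRQ."""
    if len(packet) < 4:
        raise ValueError("TFTP packet too short")
    opcode, field = struct.unpack("!HH", packet[:4])
    if opcode == OP_DATA:
        return {"type": "data", "block": field, "length": len(packet) - 4}
    if opcode == OP_ERROR:
        msg = packet[4:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return {"type": "error", "code": field, "message": msg}
    return {"type": "unknown", "opcode": opcode}


def probe_tftp(server_ip, filename, timeout=3.0):
    """Request `filename` from server_ip:69 and report what came back.
    Returns the parse_reply() dict, or {"type": "timeout"} if nothing arrived
    (firewall, WDS holding UDP 69, or the server bound to loopback)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_rrq(filename), (server_ip, TFTP_PORT))
        try:
            packet, peer = sock.recvfrom(65535)
        except socket.timeout:
            return {"type": "timeout"}
        reply = parse_reply(packet)
        if reply["type"] == "data":
            # The server answers from a fresh transfer port (peer); tell it to
            # stop so we only prove the file is served, not download it all.
            sock.sendto(build_error(0, "probe finished"), peer)
        return reply
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    # Placeholders: python probe.py 192.0.2.10 summitX-22.3.1.4-patch1-8.xos
    server, image = sys.argv[1], sys.argv[2]
    print(probe_tftp(server, image))
```

A `data` reply with block 1 means the firewall, the bind address and the file are all right; an `error` with code 1 ("File not found" on most servers) means UDP 69 is open but the .xos file is not in the TFTP directory; a `timeout` points at Windows Firewall, the Guest profile, WDS or a loopback-only bind.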

Backup Existing Config

upload config %IP OF TFTPServer% config.xsf VR-Default

Download and install the new image

download image %IP OF TFTPServer% summitX-22.3.1.4-patch1-8.xos "VR-Default" secondary

Do you want to install image after downloading? (y – yes, n – no, – cancel) Yes

You will need to reboot the switch, and if the switch is in a stack you will need to reboot both, as stacked switches cannot run different versions.


Log in to the FortiGate web UI.

Go to System, then Administrators, enable Trusted Hosts for the user account and add the IP/subnet to the allow list (remember to add the internal range as well).


The category blocked was Alcohol; however, I had whitelisted this category. Disabling the category-based filter allowed this.

The problem was that the FortiGate GUI was not displaying the config actually committed on the firewall (the profile was corrupted).

Solution

This way the "default" profile was visible.

Also, you might want to add a DNS filter.

Basically, DNS filters work like the web filter, but at DNS level.

So let's say you want to go to youporn.

The firewall tries to resolve the name youporn.com, but since it is in a blocked category it blocks the resolution of the name even before you get to browse it.
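The DNS-level behaviour described above, as an added example that is not FortiGate code and not part of the original post: a name is classified before it is resolved, classification walks up through the parent domains so hosts under a rated domain inherit its category, and a blocked category stops resolution so no address is ever returned. The category database, the blocked set and the static answers are all constructed.

```python
"""Model of a category-based DNS filter: classify the name first, refuse to
resolve it if its category is blocked. Added example with constructed data;
not FortiGate code."""

# Constructed data: domain (or parent domain) -> category
CATEGORY_DB = {
    "brewery.example": "Alcohol",
    "news.example": "News",
}

# Constructed stand-in for real DNS resolution
STATIC_ANSWERS = {
    "brewery.example": "192.0.2.10",
    "www.brewery.example": "192.0.2.11",
    "news.example": "192.0.2.20",
}


def categorise(fqdn, db=CATEGORY_DB):
    """Walk from the full name up through its parents, so that
    www.brewery.example inherits the category of brewery.example."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in db:
            return db[candidate]
    return "Unrated"


def filtered_resolve(fqdn, blocked_categories, answers=STATIC_ANSWERS):
    """Return ("blocked", category) without resolving, or ("resolved", ip).
    A name that is not in the static table resolves to "NXDOMAIN"."""
    category = categorise(fqdn)
    if category in blocked_categories:
        # The lookup stops here: the client never receives an address.
        return ("blocked", category)
    return ("resolved", answers.get(fqdn.lower().rstrip("."), "NXDOMAIN"))


if __name__ == "__main__":
    blocked = {"Alcohol"}
    for name in ("www.brewery.example", "news.example", "other.example"):
        print(name, filtered_resolve(name, blocked))
```

Because the decision is made on the name rather than the URL, a DNS filter blocks every protocol to a rated host, not only HTTP/HTTPS; the flip side is that it cannot see the path, so it cannot allow one page on a blocked site.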


You might have set up a new Ubiquiti access point using a controller based at another site, which is not the final destination of the device, so it is no longer configurable when you get to the new site.

If you can get the old controller back up and connect to the access points, you can use the below to move the access points to a new site via the Site Migration wizard:

https://help.ubnt.com/hc/en-us/articles/115002869188-UniFi-Migrating-Sites-with-Site-Export-Wizard 

If you cannot connect to the old controller any more, you can try logging into the access point via its IP and doing the following:

You can use the same old controller name:

1. SSH into the AP with the former controller's credentials.
2. In the controller, forget the AP.
3. Reset to default with 'syswrapper.sh restore-default'; the connection will be terminated.
4. SSH into the AP with ubnt/ubnt.
5. Use the mca-cli shell.
6. Run set-inform x.x.x.x:8080/inform, where x.x.x.x is the IP of the new UniFi controller.
7. In the controller, adopt the AP.
8. Repeat step 6 after adoption (sometimes this is necessary to get to provisioning).
9. The AP will reboot and provision.

Finally, you can perform a factory reset on the device to join it to a new controller:

https://help.ubnt.com/hc/en-us/articles/205143490-UniFi-How-to-Reset-the-UniFi-Access-Point-to-Factory-Defaults 


When a user VPNs into a FortiGate router, make sure they can access all subnets available to the router, not just the local one:

1. Add a security policy allowing traffic from the SSL VPN interface to the IPsec VPN:

Name: SSL VPN to New Subnet

Incoming Interface: SSL-VPN tunnel interface (ssl.root)

Outgoing Interface: %Interface of Site to Site VPN for Remote Site%

Source: SSL VPN Client Range / SSLVPN_Users

Destination Address: %new subnet%

Schedule: Always

Service: ALL

Action: Accept

NAT: Enabled (to traverse the IPsec VPN as a local address (192.168.0.x) as opposed to the SSL VPN client range (192.168.1.x))

IP Pool Configuration: Use Dynamic IP Pool and NAT Pool for SSL VPN Clients

2. Make sure you have the DHCP NAT pool range excluded from your on-site DHCP.

3. Add the new subnet to the routing address in the SSL VPN portal (tunnel mode):

VPN -> SSL VPN Portals

Tunnel Mode -> Enable Split Tunneling -> Routing Address
