We wanted to swap in a new SAN for a customer and our distributor wanted us to run the Nimble Space Savings Estimator to find out how big the device needed to be. Unlike Dell's LiveOptics tool, you have to run it on EVERY virtual machine, and against every drive, for it to scan. I wrote a script we could use inside BatchPatch to run this .exe from a share across all VMs.

This needs to be run out of hours because it scans the disks heavily.


# Find all fixed drives on the PC (skips the System Reserved partition, CD-ROMs
# and any volume that has no drive letter, which would otherwise pass ":" alone)
$drives = Get-Volume | Where-Object {
    ($_.FileSystemLabel -ne "System Reserved") -and
    ($_.DriveType -eq "Fixed") -and
    ($_.DriveLetter)
}

foreach ($drive in $drives)
{
    # Hand the drive to the estimator on the share as "C:", "D:", ...
    $letter = "$($drive.DriveLetter):"
    & "\\share\Space Savings Estimator\NimbleSSE.exe" $letter
}

Mimecast Best Practice

Setup

  • Remove text on stationery (HTML and plain text) before sending emails via Mimecast
  • Disable the Office 365 spam filter

Maintenance

  • Enable Digest Sets every hour (not every 4 hours)
  • Disable Device Enrollment
    1. Log on to the Administration Console.
    2. Click on the Administration menu item.
    3. Select the Account | Account Settings menu item.
    4. Expand the User Access and Permissions section.
    5. Select the Targeted Threat Protection Authentication option.
  • Use SAML for SSO authentication via a provider like Office 365, which gives you 2FA and brute-force protection. If that is not possible, fall back to LDAPS (EWS basic auth is not secure)
  • Disable Cloud Auth (or enable it only for Continuity, and expire logins after 30 days)
  • Set up Service Monitoring
  • Acknowledge disabled users (make sure Recipient Validation is set to Known)
  • Set up impersonation protection for VIPs
  • Restrict the Administration Console to known IP addresses
  • Run a Continuity test
  • Confirm you have an account with Super Admin rights
  • Enable outbound DKIM/SPF/DMARC
  • Inbound (for this we recommend a "Reject" setting; out of the box it is set to ignore/managed permitted sender entries, as some customers found it too aggressive)

Mimecast has a method to replay emails to on-premise Exchange, which is neat.

We recently had a case needing to do this for a customer in 365. Mimecast tout their own product "Sync & Recover" for this, however it was a one-off and the extra cost couldn't be justified.

I thought of a way to do this without it, however you need to export a PST for each individual user:

  1. Export the mail of each user missing mail to a PST
  2. Re-import the PST to Office 365 in the background for each user (use the RootFolder in the CSV file as /Inbox)


Both Mailguard and Mimecast keep a list of allowed senders for users. When migrating from one platform to the other you will need to copy these over.

Mailguard has no export function for its "Active Whitelist", so you will need to copy the table shown in the Admin Panel into Excel and remove all but the two columns of email addresses.

These two columns need some more manipulation: they mix up senders and receivers, and Mimecast needs one column for each. Put the first column in A in Excel and the second in B.

In C1 add the following (if A1 has @domain.com in it list it, if B1 has @domain.com in it list it):

=IF(ISNUMBER(SEARCH("@domain.com",A1)),A1,"")&IF(ISNUMBER(SEARCH("@domain.com",B1)),B1,"")

In D1 add the following (if A1 has @domain.com in it list B1, if B1 has @domain.com in it list A1, i.e. the external address):

=IF(NOT(ISNUMBER(SEARCH("@domain.com",A1))),"",B1)&IF(NOT(ISNUMBER(SEARCH("@domain.com",B1))),"",A1)

(Give the empty string "" explicitly: an omitted IF argument returns 0, which would prefix the address with a 0.)

Example

Once done, create a .xls file with the columns

# address, trusted_senders, blocked_senders, approved_senders

Put the domain.com address in # address.

Put the other domain's address in either trusted_senders (allow spam and attachments) or approved_senders (allow spam).

Import into Managed Senders using the PostIni option.
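As an added example (not from the original post, and not Mailguard's or Mimecast's own tooling), the same split that the two Excel formulas perform, done in Python over a constructed sample of the pasted whitelist table and written out with the column header given above; the sample addresses and the domain.com placeholder are assumptions.

```python
import csv
import io

# Constructed sample of a Mailguard "Active Whitelist" table pasted from the
# admin panel: two address columns whose sender/recipient order varies by row.
# Example data only, not taken from the original post.
MAILGUARD_ROWS = [
    ("alice@domain.com", "vendor@supplier.example"),
    ("news@lists.example", "bob@domain.com"),
    ("alice@domain.com", "partner@other.example"),
    ("carol@domain.com", "vendor@supplier.example"),
    ("alice@domain.com", "vendor@supplier.example"),  # duplicate row
    ("alice@domain.com", "dave@domain.com"),          # both internal: review by hand
]

def split_pair(a, b, local_domain):
    """Return (internal_address, external_sender) for one whitelist row, like
    the C/D Excel formulas in the post, but matching the domain as a suffix so
    "@domain.com.example" is not treated as internal. Returns None when both
    or neither side is internal, so such rows are reviewed instead of imported."""
    suffix = "@" + local_domain.lower()
    a_int, b_int = a.lower().endswith(suffix), b.lower().endswith(suffix)
    if a_int == b_int:
        return None
    return (a, b) if a_int else (b, a)

def build_mimecast_csv(rows, local_domain, column="trusted_senders"):
    """Build the Managed Senders import text (header as given in the post).
    column is "trusted_senders" (allow spam and attachments) or
    "approved_senders" (allow spam only). Returns (csv_text, skipped_rows)."""
    if column not in ("trusted_senders", "approved_senders"):
        raise ValueError("column must be trusted_senders or approved_senders")
    header = ["# address", "trusted_senders", "blocked_senders", "approved_senders"]
    buf, seen, skipped = io.StringIO(), set(), []
    writer = csv.writer(buf)
    writer.writerow(header)
    for a, b in rows:
        pair = split_pair(a, b, local_domain)
        if pair is None:
            skipped.append((a, b))
        elif pair not in seen:  # drop duplicate whitelist entries
            seen.add(pair)
            row = dict.fromkeys(header, "")
            row["# address"], row[column] = pair
            writer.writerow([row[h] for h in header])
    return buf.getvalue(), skipped
```

Rows returned in skipped_rows are the ones the Excel formulas would silently concatenate, so check them by hand before importing.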


Symptoms – staff unable to login to Outlook for Desktop 

Error found in event log on patched Domain controller

The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.  

Workaround

Deploy a GPO to allow insecure connections (this should only stay in place until the machines are patched).

Refer to https://support.microsoft.com/en-au/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
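An added example, not from the original post: Python that runs over a constructed export of the DC's System log and lists the machine accounts still making vulnerable Netlogon connections, so you know what has to be patched before the GPO workaround is removed. The event IDs 5827/5829/5830 come from the Microsoft article linked above; the account names and message text are constructed.

```python
import re
from collections import defaultdict

# Event IDs documented in Microsoft KB 4557222 (linked above): 5827 = denied,
# 5829 = allowed vulnerable (pre-enforcement), 5830 = allowed by the GPO.
DENIED, ALLOWED_VULNERABLE, ALLOWED_BY_GPO = 5827, 5829, 5830

# Constructed sample in "EventID<TAB>Message" form, as an export of the DC's
# System log might look. Example data only, not from the original post.
SAMPLE_EVENTS = """\
5827\tThe Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. Machine SamAccountName: WKS-OLD01$ Domain: CORP Account Type: Computer Machine Operating System: Windows 7 Professional
5829\tThe Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: NAS01$ Domain: CORP Account Type: Computer Machine Operating System: Linux
5830\tThe Netlogon service allowed a vulnerable Netlogon secure channel connection because the account is allowed by group policy. Machine SamAccountName: NAS01$ Domain: CORP Account Type: Computer Machine Operating System: Linux
5827\tThe Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. Machine SamAccountName: WKS-OLD01$ Domain: CORP Account Type: Computer Machine Operating System: Windows 7 Professional
4624\tAn account was successfully logged on. Machine SamAccountName: none
"""

FIELD_RE = re.compile(r"Machine SamAccountName: (\S+).*?Machine Operating System: (.+)$")

def parse_events(text):
    """Return [(event_id, machine_account, operating_system)] for lines that carry Netlogon fields."""
    events = []
    for line in text.splitlines():
        event_id, _, message = line.partition("\t")
        m = FIELD_RE.search(message)
        if event_id.isdigit() and m:
            events.append((int(event_id), m.group(1), m.group(2).strip()))
    return events

def vulnerable_accounts(events):
    """Map each machine account still using an insecure channel to the set of
    event IDs seen for it. Everything listed must be patched or reconfigured
    before the 'allow vulnerable connections' GPO workaround is removed."""
    report = defaultdict(set)
    for event_id, account, os_name in events:
        if event_id in (DENIED, ALLOWED_VULNERABLE, ALLOWED_BY_GPO):
            report[(account, os_name)].add(event_id)
    return dict(report)
```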


The error is shown in the attached screenshot.

This is because personal enrollment is disabled.

Go to Intune Blade – Device Enrollment and Enrollment restrictions. Click on Default policy under Device Type Restriction:

Allow Windows (MDM) on Corporate as well as Personal


Setting up the Mimecast Sync Engine application on-prem out of the box fails with

"validation failed: invalid mimecast user or insufficient permissions"

This is because 2FA is enabled by default on all accounts created in Mimecast. You need to create a new Authentication Profile with 2FA disabled, assign it to that user group and bind it all together with a Profile.


Fortigate Logging

Flow Trace

Now I will show a flow trace from my computer to 4.2.2.2

diagnose debug reset 
diagnose debug flow filter saddr 10.22.22.122 
diagnose debug flow filter daddr 10.100.1.1 
diagnose debug flow show function-name enable
diagnose debug enable 
diagnose debug flow trace start 100    # display the next 100 packets, after that the flow trace stops

When complete, you can disable manually with

diagnose debug disable


The output shows you which interface the connection came in on and, because of function-name enable, each processing step it went through: NAT, routing, IPS, offloading to the NPU and SPUs, and so on.

Sessions

You can also see the sessions using the following commands

diagnose sys session filter clear
diagnose sys session filter dst 4.2.2.2
diagnose sys session filter dport 53
diagnose sys session list           #show the session table with the filter just set

Use the filter that work for you from a source or destination as well as ports


With this filter in place you can clear the matching sessions by issuing diagnose sys session clear. NOTE: without a filter set, this clears ALL sessions on the FortiGate. It is always a good habit to run diag sys session filter ? first to list the filter you have configured.

Packet Capture

You can either use the GUI or the CLI to run packet captures.

diagnose sniffer packet any 'host 8.8.8.8' 4 4 l 
diagnose sniffer packet any 'host 8.8.8.8 and dst port 53' 4 10 a 
diagnose sniffer packet wan1 'dst port (80 or 443)' 2 50 l 

The verbosity is controlled by the following:

verbose:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
count: number of packets
time-format:
a: UTC time
l: local time

You can use the GUI by going to Network then Packet Capture then Create



Speeds

Disable low Data Rates

To turn off rates 1, 2, 5.5, and 11, you go into the CLI on the FortiGate and use the following:

config wireless-controller vap
    edit <vap_name>
        set rates-11a 12-basic 18 24 36 48 54
        set rates-11bg 12-basic 18 24 36 48 54
    next
end
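An added example, not from the original post and not Fortinet code: a small Python audit that parses a config wireless-controller vap block and flags any VAP whose rates-11bg still advertises the 1/2/5.5/11 rates the post turns off. The config snippet it checks is constructed, with one VAP left weak and one set as above.

```python
import re

LOW_RATES = {"1", "2", "5.5", "11"}   # the 802.11b rates the post turns off

# Constructed FortiOS snippet: "guest" still advertises the 11b rates,
# "corp" is set as in the post. Example data, not from the original post.
VAP_CONFIG = """\
config wireless-controller vap
    edit "guest"
        set ssid "Guest"
        set rates-11bg 1-basic 2-basic 5.5 11 6 9 12 18 24 36 48 54
        set rates-11a 6-basic 9 12 18 24 36 48 54
    next
    edit "corp"
        set ssid "Corp"
        set rates-11a 12-basic 18 24 36 48 54
        set rates-11bg 12-basic 18 24 36 48 54
    next
end
"""

def parse_vaps(text):
    """Return {vap_name: {setting: [values]}} for a wireless-controller vap block."""
    vaps, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            vaps[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            vaps[current][key] = value.replace('"', "").split()
        elif line == "next":
            current = None
    return vaps

def audit_low_rates(vaps):
    """Return {vap_name: low rates still enabled} for VAPs whose rates-11bg
    still allows 1/2/5.5/11 Mbps, with or without the -basic suffix."""
    findings = {}
    for name, settings in vaps.items():
        rates = {r.removesuffix("-basic") for r in settings.get("rates-11bg", [])}
        low = sorted(rates & LOW_RATES, key=float)
        if low:
            findings[name] = low
    return findings
```

Feed it the output of show wireless-controller vap from a real unit to find SSIDs that were missed.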

Channels

Avoid 80+ MHz wide channels in 5GHz and only use 20 MHz channels in 2.4GHz. There are use cases for wider channels, but there is not enough spectrum available today for proper channel reuse in an enterprise deployment or a multitenant environment. You will end up with CCI and ACI (co-channel and adjacent channel interference).

Use the Widest Channel Available

Check your country's DFS channels. These have special rules and have to coexist with things like weather radar and military functions. When an AP detects a "hit" on a DFS channel it has to move to a non-DFS channel for a specified time in order to free up that spectrum. In some places DFS is nearly unusable because of so many DFS hits; in many cases DFS is usable and frees up spectrum. More channels also means the potential for using 40 MHz wide channels, because you have less chance of CCI and ACI.

No 802.11b devices = SGI (Short Guard Interval) on, otherwise off. Use of 11b clients necessitates low (non-OFDM) data rates, which forces the use and ripple of protection mechanisms (e.g. RTS/CTS and CTS-to-Self).

Reduce the number of SSIDs and split networks using authentication methods (RADIUS -> Corporate, Guest -> Guest).
