Latest posts

FortiGate Policy Mode vs Profile Mode

By default, all Fortinet FortiGates are in Profile-based NGFW mode. There is nothing wrong with the default mode; however, I personally prefer policy mode.

Profile mode works like most firewalls, such as SonicWall, pfSense and UniFi: all your rules are based on ports.

Policy mode works like Palo Alto Networks firewalls. Rules are based on ports only if you define them that way; where the real power comes in is application-based rules.

To better show the differences here’s an example. I am using Central SNAT in profile mode to keep it as similar as possible to Policy mode.

The Setup

  • The Guest network and the IoT network each have a VLAN on a tagged interface.
  • The Corp network is untagged on interface x1.
  • An object exists for the entire Guest LAN and the entire IoT LAN. I’ve colored them blue.
  • An object exists for the DHCP server on the Corp network. I’ve colored it green.
  • I will make a rule to allow the Guest and IoT networks to talk to the DHCP server on the Corp network to get a DHCP address.

Profile Mode

In profile mode I will build the Firewall Policy rule like this.

  • Name: Allow DHCP
  • Incoming Interface: Guests and IoT
  • Outgoing Interface: Corp
  • Source: Object for the Guest LAN and IoT LAN
  • Destination: Object for the DHCP server on the Corp LAN
  • Service: DHCP and DHCP6

Here is what that rule looks like.

FortiGate Enable Policy Mode

The default setup of a Fortinet FortiGate is Profile mode. Here’s step-by-step how to change a FortiGate from Profile Mode to Policy Mode. Due to the significant change between the two modes, you will need to rebuild all your rules.

Notes

  • All existing firewall rules will be lost.
  • Any objects or interfaces will remain.
  • You will need to use Central NAT.

The Process

  • Log in to the FortiGate
  • Click on System
  • Click on Settings

Generate CSR with MMC

There are many ways to generate a CSR (Certificate Signing Request); one of them is with IIS. What if you don’t have IIS, or you want to be stubborn and not use IIS at all? In this post I will detail step-by-step how to generate a CSR using MMC (Microsoft Management Console).

  • Open MMC
  • Add the Certificates Snap-in
  • Select Computer account and click Next.

Install VMware Horizon Connection Server

In this post I’ll show you step-by-step how to install the VMware Horizon Connection Server on-premises, specifically version 2303 (other versions will follow a very similar process).

Prerequisites

  • A domain joined Windows Server that will be the Horizon Connection Server.
  • A static IP on the Windows Server.
  • An Active Directory Group for Horizon Administrators.
  • A password for Horizon data recovery backups.

The Process

  • Log in to the server that you will be installing the Horizon Connection Server on; this should be the only function of that server.
  • Download a copy of the Horizon Connection Server installer from VMware.
  • Run the Horizon Connection Server installer that was just downloaded.
  • Click Next

My VMware vExpert Journey

I’ve recently reached an exciting milestone. I became a VMware vExpert!

vExpert is a program run by VMware for people who want to give back to the VMware community, which can be done in a multitude of ways, one of them being blogging like this very website. Anyone and everyone can apply, and I highly encourage you to apply.

To fully understand why this is an important milestone in my life, we need more context. Computers and technology have always fascinated me. I look at everything with the mindset of trying to understand how and why something works. What does it take to break it? And what does it take to fix it?

I feel like I’ve always had some form of a home lab; at the time I had no idea what a home lab was. To me, it was just some computers that I could play with and break and fix and learn with. Almost all of what I know today is self-taught from doing exactly that.

They say you never stop learning and I fully believe that. I am constantly learning new things and improving what I know.

My Path Forward

Some time ago, I decided to change my website into my notebook about tech things. My reasoning for this is to remember how I did something, and I want to give back to the internet, as there have been countless times where other websites just like mine have helped solve a problem or taught me something.

After changing my blog, real people started commenting on my posts, and I gained a new friend, Stephen Wagner, who runs his own tech blog just like mine. You can find his blog here: https://www.stephenwagner.com.

Stephen is a vExpert Pro, and when he saw that my blog has VMware content, he told me about the vExpert program. I had no idea the vExpert program existed. He encouraged me to apply and helped me with the whole application process.

Distinguished Name

Everything in AD (Active Directory) has a Distinguished Name. A Distinguished Name can be used in many situations such as setting up an application to use a service account or adding AD groups or users into applications and so much more.

A Distinguished Name is also known as a DN. A benefit of using a DN is that no two objects in Active Directory can ever have the same DN.

In this post I’ll show step-by-step how to get the Distinguished Name for the various items in Active Directory via the GUI and PowerShell.

GUI Way

  • Open Active Directory Users and Computers
  • Click on View > Advanced Features
  • Right click on anything in AD and click on Properties
  • Click on the Attribute Editor tab.

Microsoft 365 Audit Logging

For whatever reason, the default fresh setup of Microsoft 365 has no audit logging turned on. Audit logging is very useful for IT troubleshooting, and auditors love logs.

Microsoft says that it is enabled by default for Microsoft 365 and Office 365 enterprise organizations. I suspect that means only if you have E1 or higher. The new tenants I’ve made recently are not E1 or higher, that could be why I didn’t see it already on.

Someone asked for clarification about this on GitHub; however, the replies all say that it is on by default for everything, but that isn’t true based on my experience. You can read the GitHub issue here.

Microsoft’s documentation also says to double check that audit logging is enabled, which you 100% should be doing, as whether it’s on or not seems inconsistent.

In this post I will detail how to check if audit logging is enabled and how to enable it via the Web UI or PowerShell.

Prerequisites

The Web UI Way

  • Log in to the Microsoft 365 Admin center.
  • Click on Security or Compliance (you can get to auditing from either one)
  • From the Security or Compliance admin centers click on Audit

If audit logging isn’t enabled, the page will look something like this.

  • Click on Start recording user and admin activity

Audit Logging is now enabled; it may take a bit for it to actually start working.

The PowerShell Way

  • Connect to Exchange Online with PowerShell
  • Run the following command to check if Audit Logging is enabled: Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

In my example the returned result is False, so audit logging isn’t enabled and we want to turn that on.

Lenovo Update TPM 1.2 to 2.0

If you have an older Lenovo server with a TPM (Trusted Platform Module) it may be running with TPM version 1.2 and not TPM version 2.0. One of many reasons to upgrade your TPM is because TPM 2.0 is needed to install ESXi 8.

In this post I will show you how to update the Lenovo TPM from version 1.2 to version 2.0.

Prerequisites

You will need to know how to assert physical presence on the Lenovo server. If you don’t know how to do that I detail the process in a post called Lenovo Remote Physical Presence.

I would also make sure all your firmware is fully up to date, as you may not see this option if it is very old, and you should be keeping your firmware up to date anyway.

Make sure you understand that anything stored in TPM will be lost. This likely isn’t an issue if you are doing a fresh setup.

The Process

  • Log in to the XClarity Controller
  • Enter the BIOS setup
  • Assert your physical presence over the Lenovo server.
  • Click on UEFI Setup
  • Click on System Settings

Palo Alto Predefined IP Commit Error Fix

In this post I will detail how to resolve the Palo Alto commit error when trying to commit a predefined IP list.

Below is an example of the error:

Validation Error:
external-list -> Palo Alto Networks Tor exit IP Addresses -> type -> predefined-ip -> url 'panw-torexit-ip-list' is not a valid reference
external-list -> Palo Alto Networks Tor exit IP Addresses -> type -> predefined-ip -> url is invalid

I’ve commonly run into the issue on a fresh Palo Alto setup right after loading the day 1 configuration and trying to make that commit.

Here is step-by-step how to fix the predefined IP list error.

  • Log in to the Palo Alto firewall.
  • Click on Device
  • Click on Dynamic Updates

Onyx (MLNX-OS) Upgrade

In this post I will show you how to upgrade your switch running Onyx (MLNX-OS). I will detail how to do it via command line and via the web interface.

The best way to make sure your upgrade is a success is to plan your upgrade path. I recommend following the upgrade paths as sometimes jumping from an old version to the newest version isn’t supported and could lead to issues.

When Nvidia purchased Mellanox, some of the upgrade path planning resources became locked away behind a login/pay wall. One of the items behind the wall is the detailed release notes.

The release notes are the documents that will tell you exactly which versions are supported on which switches and what your upgrade path should be, as sometimes direct upgrades that skip versions can cause issues.

You can access the release notes on your switch directly, but only for the version you are currently running. I tried to see if I could extract the release notes from the upgrade image, but they seem to be stored as blobs and I couldn’t figure out a way to open them.

Fortunately, Onyx is used by other OEMs, such as Hewlett Packard Enterprise. You can find a public version of the upgrade path in the HPE documentation here.

My SN2410 switch was originally running version 3.6.6102; my upgrade path was the following:

  • 3.7.1134
  • 3.8.2204
  • 3.9.1020
  • 3.9.3302
  • 3.10.2102
  • 3.10.4006

With the upgrade path planning out of the way I will now show you step-by-step how to upgrade Onyx (MLNX-OS) via CLI or the Web UI.

The CLI Way

  • SSH into the switch.
  • Run the show version command to see what version you are currently running.