Author Archives: Gos

About Gos

Have been working in the IT business since 2003 and have had network and security as my field of focus since 2008.

Cisco 9800-series WLC / c9115AX and option 43

Because of a typo that sent me down a rabbit hole, I am writing this post as a reminder to myself. First reminder: Option 60 is not needed for modern APs. It is only used to define the VCI (Vendor Class Identifier) so we can return different option 43 results based on “who asks?” (e.g. a […]

Unable to remove Check Point evaluation license

I had an issue with a firewall that showed three blades, TP blades, licensed as “evaluation”, and furthermore the license was expired. The firewall itself showed the licenses to be alright, as shown in the picture below. Various things were tried in order to solve the issue, but none of them made any difference. cplic eval_disable […]

How to search and lookup in FortiGate Internet Service Database (ISDB)

Just a quick note on how to look up and search in the FortiGate Internet Service Database (ISDB) for later reference. Search for a service: FortiGate80D # get system status | grep Version Version: FortiGate-80D v6.2.2,build1010,191008 (GA) FortiGate80D # diagnose internet-service id | grep -i microsoft ID: 327681 name: “Microsoft-Web” ID: 327682 name: “Microsoft-ICMP” ID: 327683 name: […]

How to check external CA store on FortiGate

Didn’t find a lot of information on how to view the FortiNet approved CA store, so I thought I’d make a post about it. This is the command to check the store (details can be omitted). Note there is a difference between a unit running VDOM and one that is not. With VDOM: get certificate ca details. Without VDOM: get vpn […]

Does an AP need to follow the Cisco WLC upgrade path? A small test

Does an AP need to follow the WLC upgrade and get the intermediate release? Or will the Access Points survive if they skip the intermediate release? The release notes say yes: “When you upgrade Cisco WLC to an intermediate release, wait until all the APs that are associated with Cisco WLC are upgraded to the intermediate […]

Windows Update fails when Check Point HTTPS inspection is enabled

In a freshly installed Windows Server 2016 environment, there was feedback that Windows Update failed when HTTPS inspection was enabled, even though “Bypass HTTPS inspection of traffic to well known software update services” was ticked off. The servers were stuck with this error message: Some update files aren’t signed correctly. Error code: (0x800b0109) In the tracker I could […]

Passive Virtual System on Check Point VSX ARPs using physical interface IP address instead of Cluster IP

I came across some important information. I did not find any useful information (at first), so hopefully this post will help speed up someone else’s troubleshooting. Problem statement: Passive VS on VSX ARPs for the default GW using the physical interface IP instead of the cluster IP, and no traffic flows from the passive Virtual System. If ARP […]

Check Point VSX DHCP relaying

In order to enable DHCP relaying for interfaces belonging to Virtual Systems on a VSX cluster, you have to set the context to the specific virtual system the interface belongs to. List all Virtual Systems on the VSX cluster: show virtual-system all

Nested group object not present on FortiGate when configured through FortiManager

I encountered a problem with a firewall blocking traffic even though it was supposed to let the traffic through. This particular policy used nested object grouping (Main group > Sub-group > NetworkAdr-member). The odd thing was, it seemed to only affect one VDOM. What was happening: the traffic did not match the configured policy and was […]