Fortigate SDWAN – All-In-One internet resilience

SDWAN is booming, and lots of vendors are promoting their own SDWAN products. According to Wikipedia, any SDWAN should have these characteristics:

  • The ability to support multiple connection types, such as MPLS, frame relay and higher-capacity LTE wireless communications
  • The ability to do dynamic path selection, for load sharing and resiliency purposes
  • A simple interface that is easy to configure and manage
  • The ability to support VPNs, and third party services such as WAN optimization controllers, firewalls and web gateways

Wider Network is Easy, Faster Network is Not

One of the most frequent requests from my clients is "Upgrade the circuit so that application performance gets better". The request itself is easy: upgrading a 10Mbps MPLS circuit to 20Mbps is nothing more complicated than a traffic-shaping change. However, delivering what the customer actually wants, better performance for their application, is not that easy.

There are many factors that can make an application slow. It may be a network misconfiguration or a security misconfiguration. By the time a client asks me to upgrade the circuit, they have usually already done all the troubleshooting they could and still have no clue how to solve it. I understand how badly they want to do whatever they can to fix the problem. But please wait just a few days, and take a closer look at how the slow application actually uses the network.

If the affected application is one from Microsoft, it may be very chatty. A chatty application talks to its data source very frequently, and it may not gain much from an upgrade in network bandwidth.


It is easier to see what I mean by showing it. To show how the two cases differ, I created a test environment in AWS as follows:

The test is run from src to dst. I installed a Linux instance in between to intercept the traffic and emulate various kinds of network slowness (added latency and limited bandwidth).

First I used scp to transfer bulk data through the slow network. The result is as follows:

It is very simple. As latency increases, the time to transfer the data increases; as bandwidth increases, the time decreases.

Next, I sent 1000 HTTP GET requests sequentially. The result is as follows:

The lower the latency, the shorter the transfer time. However, in the third and fourth rows the transfer time is the same even though the bandwidth differs. Why does this happen? Because the requests were sent sequentially, each one has to wait a full round trip before the next can start, so the total is dominated by latency rather than bandwidth. It doesn't matter how much bandwidth you have if the latency is high.


If your application suffers from network latency, there are a number of approaches you can take. Again, which one is right depends heavily on how your application makes its network connections, so you need to understand the application in depth. For example, splitting the database might be a good idea if your MS Access application is suffering from slowness.
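A simple cost model of the two tests above, added here as an illustration and not taken from the post: each request/response exchange is charged one round trip (RTT) plus the serialisation time of its bytes. The sizes (a 100 MB scp, 1000 GETs of 2 KB), rates and RTTs are assumed values, not the measurements in the tables.

```python
"""Why more bandwidth speeds up a bulk copy but not a chatty application.

Added example with a simple cost model, not measurements from the post: each
request/response exchange costs one round trip (RTT) and the bytes on the wire
cost size / bandwidth. Sizes, rates and RTTs below are assumed values.
"""
from math import ceil

MB = 1024 * 1024
MBPS = 1_000_000


def bulk_transfer_seconds(size_bytes, bandwidth_bps, rtt_s, setup_rtts=1):
    """One connection streaming size_bytes, like the scp test."""
    return setup_rtts * rtt_s + size_bytes * 8 / bandwidth_bps


def request_series_seconds(n_requests, reply_bytes, bandwidth_bps, rtt_s,
                           concurrency=1, setup_rtts=1):
    """n_requests small exchanges, like the 1000 sequential HTTP GETs.

    Each exchange waits a full RTT before the next can start; with concurrency
    greater than one, that many exchanges share one RTT and share the link.
    """
    rounds = ceil(n_requests / concurrency)
    per_round = rtt_s + concurrency * reply_bytes * 8 / bandwidth_bps
    return setup_rtts * rtt_s + rounds * per_round


def dominant_cost(n_requests, bytes_per_request, bandwidth_bps, rtt_s):
    """'latency' when the round trips outweigh the serialisation time."""
    rtt_part = n_requests * rtt_s
    wire_part = n_requests * bytes_per_request * 8 / bandwidth_bps
    return "latency" if rtt_part > wire_part else "bandwidth"


def upgrade_speedup(rtt_s, old_bps=10 * MBPS, new_bps=20 * MBPS):
    """old_time / new_time for a 100 MB scp and for 1000 sequential 2 KB GETs."""
    bulk = (bulk_transfer_seconds(100 * MB, old_bps, rtt_s)
            / bulk_transfer_seconds(100 * MB, new_bps, rtt_s))
    chatty = (request_series_seconds(1000, 2048, old_bps, rtt_s)
              / request_series_seconds(1000, 2048, new_bps, rtt_s))
    return {"bulk": bulk, "chatty": chatty}


if __name__ == "__main__":
    for rtt_ms in (10, 100):
        s = upgrade_speedup(rtt_ms / 1000)
        print(f"RTT {rtt_ms:>3} ms: scp x{s['bulk']:.2f}, sequential GETs x{s['chatty']:.2f}")
    # What actually helps the chatty case: fewer round trips in series.
    secs = request_series_seconds(1000, 2048, 10 * MBPS, 0.1, concurrency=20)
    print(f"1000 GETs, 100 ms RTT, 10 Mbps, 20 in flight: {secs:.1f} s")
```

At 100 ms RTT the model gives the scp roughly a 2x gain from doubling the bandwidth and the 1000 sequential GETs under 1%, which is the third-versus-fourth-row result. The last line shows what does help a chatty application: cutting the number of round trips that must complete one after another, which is what connection reuse, batching or splitting the database achieve.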

A circuit upgrade is the easiest choice, but it is not necessarily the best solution. Various vendors have WAN optimisation/acceleration built into their products, and it might be worth trying, as they usually have demo units available for potential clients. Always ask your network support vendor for help before making the decision on your own.

Monitor HTTP endpoint from Zabbix – Cool graph

I'm a long-time Zabbix user, about 9 years now. I use it to make sure all my services are working normally. However, it has never been my go-to tool for a daily check, because the graphs Zabbix generates are usually very industrial-looking and not exciting.

Zabbix 4.0.0 was released in October 2018, and it changed my mind. We can now have SVG graphs on the dashboard, and they look just like Grafana.


Fortigate config management in Github

After GitHub opened private repositories to free users, I have been using a GitHub private repository to store many of my application config files. I usually don't use version management for them because they rarely change after initial deployment. However, especially while writing blog posts, I need to make changes just to check functionality, and sometimes I forget to roll back the config and have to check it manually on the device.

In this post I show how to integrate a FortiGate config backup script with the GitHub API. In the next post I will deploy it as a Cloud Function so that it can be invoked by a FortiGate automation stitch.
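The GitHub side of that integration, as an added example rather than the post's own script: it commits a backup through the GitHub Contents API (PUT /repos/{owner}/{repo}/contents/{path}) and skips the commit when the file is unchanged. It assumes a personal access token with repo scope in the GITHUB_TOKEN environment variable, a private repository, and that the backup has already been fetched as bytes; the owner, repository and path names are placeholders.

```python
"""Commit a FortiGate config backup to GitHub with the Contents API.

Added example, not the post's own script. Assumptions: a personal access token
with repo scope in GITHUB_TOKEN, a private repository, and the backup already
fetched as bytes. Repository and path names are placeholders.
"""
import base64
import hashlib
import json
import os
import urllib.error
import urllib.request

API = "https://api.github.com"


def git_blob_sha(data):
    """The SHA-1 git assigns to a blob. The Contents API returns the same value
    as 'sha', so an unchanged backup can be detected without downloading it."""
    header = b"blob %d\0" % len(data)
    return hashlib.sha1(header + data).hexdigest()


def contents_payload(data, message, sha=None, branch=None):
    """Body for PUT .../contents/{path}; sha is required when updating a file."""
    body = {"message": message, "content": base64.b64encode(data).decode("ascii")}
    if sha:
        body["sha"] = sha
    if branch:
        body["branch"] = branch
    return body


def api_request(method, url, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"token {token}")
    req.add_header("Accept", "application/vnd.github.v3+json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def send(req, opener=urllib.request.urlopen):
    """Return (status, parsed JSON). HTTP errors are returned as a status too,
    so a 404 for a file that does not exist yet is a normal result."""
    try:
        with opener(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def push_if_changed(owner, repo, path, data, message, token,
                    opener=urllib.request.urlopen):
    """Create or update repo/path; returns 'unchanged', 'created' or 'updated'."""
    url = f"{API}/repos/{owner}/{repo}/contents/{path}"
    status, current = send(api_request("GET", url, token), opener)
    if status == 200:
        if current.get("sha") == git_blob_sha(data):
            return "unchanged"          # same bytes already committed, no no-op commit
        sha = current["sha"]
    elif status == 404:
        sha = None                      # first backup of this file
    else:
        raise RuntimeError(f"GET {url} failed: {status} {current.get('message')}")
    payload = contents_payload(data, message, sha)
    status, _ = send(api_request("PUT", url, token, payload), opener)
    if status not in (200, 201):
        raise RuntimeError(f"PUT {url} failed: {status}")
    return "updated" if sha else "created"


if __name__ == "__main__":
    import sys
    owner, repo, path, backup_file = sys.argv[1:5]
    with open(backup_file, "rb") as f:
        backup = f.read()
    print(push_if_changed(owner, repo, path, backup, "FortiGate config backup",
                          os.environ["GITHUB_TOKEN"]))
```

git_blob_sha reproduces git's own object hash, so an unchanged backup is detected from the sha the GET returns, with no download and no empty commit. Keep the repository private: a FortiGate backup contains ENC-encoded admin passwords, pre-shared keys and certificates. The personal access token itself belongs in an environment variable or secret store, never in the script or the repository.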


Fortigate RestAPI Config Backup – FortiOS 6.0.4

Previously I wrote a post on how to back up the FortiGate config using session-based authentication. As per the API reference, that method is considered legacy, and the other authentication method, the API token, is preferred. In this post I demonstrate how to use the FortiOS REST API with an API token, and I introduce how to parse the current configuration.

I used FortiOS 6.0.4 for this, and it will most likely not work on other versions (especially 5.x).

The flow is as follows:

  1. Create access profile for API user
  2. Create API user in Fortigate
  3. Generate API token for API user
  4. Send request and get the backup config
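The four steps carried through end to end, as an added example and not the post's own script. The FortiOS CLI in the docstring (steps 1 to 3) and the Bearer-header form of the token are assumptions about 6.0.4; the access_token query parameter is the alternative way to send it, and the access profile shown is the assumed minimum for the backup endpoint. The parser turns the backup into nested dictionaries and the last function runs one security check over the result: interfaces that still allow http or telnet administration. The sample config is constructed, not taken from a real device.

```python
"""FortiOS 6.0 REST API config backup with an API token, plus a parser for the result.

Added example, not the post's own script. Assumed: the api-user below exists, its token
is in FGT_API_TOKEN, the FortiGate certificate chains to cafile, and the token is sent
as a Bearer header (an access_token query parameter is the alternative form).
SAMPLE is a constructed config in backup format, not from a real device.

    config system accprofile
        edit "api-backup"
            set sysgrp read
        next
    end
    config system api-user
        edit "backup"
            set accprofile "api-backup"
            config trusthost
                edit 1
                    set ipv4-trusthost 192.0.2.10 255.255.255.255
                next
            end
        next
    end
    execute api-user generate-key backup
"""
import shlex
import ssl
import urllib.request


def build_backup_request(host, token, scope="global"):
    url = f"https://{host}/api/v2/monitor/system/config/backup?scope={scope}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def fetch_backup(host, token, cafile=None, scope="global", opener=None):
    """Return the backup as text. TLS is verified against cafile, never disabled."""
    ctx = ssl.create_default_context(cafile=cafile)
    opener = opener or (lambda r: urllib.request.urlopen(r, context=ctx, timeout=30))
    with opener(build_backup_request(host, token, scope)) as resp:
        if resp.status != 200:
            raise RuntimeError(f"backup failed: HTTP {resp.status}")
        return resp.read().decode("utf-8", "replace")


def parse_fortios_config(text):
    """config/edit/set/next/end text -> nested dicts: config blocks keyed by path
    ('system interface'), edit entries by name, set values as token lists."""
    stack = [{}]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or the #config-version header
            continue
        keyword, *args = shlex.split(line)     # honours FortiOS double quotes
        current = stack[-1]
        if keyword in ("config", "edit"):
            stack.append(current.setdefault(" ".join(args), {}))
        elif keyword == "set":
            current[args[0]] = args[1:]
        elif keyword == "unset":
            current.pop(args[0], None)
        elif keyword in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: {keyword} without an open block")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unexpected keyword {keyword!r}")
    if len(stack) != 1:
        raise ValueError("backup ends inside an unterminated block")
    return stack[0]


def cleartext_management(cfg):
    """Interfaces that still allow http or telnet admin access."""
    found = {}
    for name, iface in cfg.get("system interface", {}).items():
        bad = sorted({"http", "telnet"} & set(iface.get("allowaccess", [])))
        if bad:
            found[name] = bad
    return found


SAMPLE = """#config-version=FGVM64-6.0.4-FW-build0231-190107:opmode=0:vdom=0:user=admin
config system global
    set hostname "fgt-lab"
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh http
    next
end
config system api-user
    edit "backup"
        set accprofile "api-backup"
        config trusthost
            edit 1
                set ipv4-trusthost 192.0.2.10 255.255.255.255
            next
        end
    next
end
"""
```

Usage: `parse_fortios_config(fetch_backup("fgt.example.net", os.environ["FGT_API_TOKEN"], cafile="fgt-ca.pem"))`, then `cleartext_management(cfg)` on the result; running it against SAMPLE instead returns {"port1": ["http"]}. The trusthost on the api-user limits where the token can be used from, which matters because the token is a long-lived credential and the backup it can fetch contains the device's secrets.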

Fortigate Config Change Notification

Whenever a configuration change is made, the FortiGate posts a notification to a Slack channel.

FortiGate automation is composed of three elements:

  1. automation trigger … available triggers: HA failover, config change, log, IOC, high CPU, conserve mode
  2. automation action … available actions: email, IP ban, AWS Lambda, webhook
  3. automation stitch … a combination of a trigger and an action
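A stitch wiring those three elements together, written as an added example in FortiOS 6.0 CLI and not taken from the post. The Slack webhook path is a placeholder, and the %%log%% placeholder in the body is assumed to be expanded by the webhook action with the triggering log line:

```fortios
config system automation-trigger
    edit "config-changed"
        set event-type config-change
    next
end
config system automation-action
    edit "slack-config-change"
        set action-type webhook
        set protocol https
        set method post
        set uri "hooks.slack.com/services/T000/B000/XXXX"
        set http-body "{\"text\": \"%%log%%\"}"
        set port 443
        set headers "Content-Type:application/json"
    next
end
config system automation-stitch
    edit "config-change-to-slack"
        set trigger "config-changed"
        set action "slack-config-change"
    next
end
```

The webhook tells you that a change happened and which admin made it; the backup-to-GitHub flow is what tells you what changed. Treat the webhook URL as a secret, since anyone holding it can post into the channel.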

Cisco Umbrella for Home Use – Good baseline

Is your PC protected at home? Where is your most valuable information stored?

In my case, my most valuable information is stored on my PC at home, or in cloud storage that only my PC can access. It's obvious that I need to protect my home network more than anything. It's really scary to think of getting your PC hacked like the one in Black Mirror.


KTHW Reinvented – Agenda

From the next post on, I will guide you through bringing up a Kubernetes cluster locally.

I use Kubernetes The Hard Way as a guidepost, but I will re-order the procedure so that it goes component by component. If you plan to take the CKA (Certified Kubernetes Administrator) certification, you should follow the original Kubernetes The Hard Way again after completing this agenda, so that you can improve your deployment speed.

Agenda

  1. Compute resource procurement … I use my desktop PC to host 4 virtual Ubuntu machines
  2. etcd cluster bootstrap … etcd is the datastore that holds all of the cluster's state
  3. Control plane bootstrap 01 … API server installation and investigation of its flags
  4. Control plane bootstrap 02 … deploy a load balancer for the API server
  5. Worker node bootstrap … kubelet and kube-proxy are installed on the nodes
  6. Control plane bootstrap 03 … controller-manager installation
  7. Control plane bootstrap 04 … scheduler installation
  8. Pod network routes … configure the network for inter-pod communication
  9. DNS … deploy CoreDNS in the cluster
  10. Data encryption at rest … encrypt Secrets stored in etcd


Kubernetes The Hard Way Picture

One of the most popular tutorials for bootstrapping Kubernetes components is Kelsey Hightower's "Kubernetes The Hard Way". It is really helpful for understanding the complicated component structure of Kubernetes.

I have seen people asking whether there is an equivalent tutorial that does not use GCP (e.g. on-prem, AWS). Because Kubernetes The Hard Way uses GCP as its backend, it's no wonder they think the tutorial is specific to GCP. But in fact only a small part is GCP-specific (maybe the load balancer and swap configuration only), and most of it applies to any infrastructure.
