What is difference – network automation / configuration management

There are lots of network automation tools around. But do you know what the difference between each tool is? I'm going to introduce what you can achieve with each tool.

First of all, I want to classify this network automation into three categories:

  1. Network Operation Automation … In the old days, you needed to log in to each device via SSH/Telnet to change its configuration. Tools in this category aim to automate that process.
  2. Configuration Management … This includes not only version management (e.g. RANCID, Oxidized) but also host grouping (e.g. by AS number).
  3. Service Management … In the previous categories, each configuration is stored separately. In this category, configuration is split by service (e.g. SNMP community, NTP server settings) rather than by device, so you can control all the devices by service.

Silverpeak SDWAN – MPLS replacement?

Silverpeak is one of the vendors listed as an SDWAN leader by Gartner, besides Cisco and VMware.

As I wrote in a previous post about the basic characteristics of SDWAN, the SDWAN solution from Silverpeak also has those basic functions. In a nutshell, the noteworthy characteristics of Silverpeak SDWAN products are as follows:

  • Best WAN optimization
  • Best WAN acceleration
  • Very high redundancy over the internet, which may be able to replace MPLS
  • Not for direct internet access

Fortigate SDWAN – All-In-One internet resilience

SDWAN is booming, and lots of vendors are promoting their SDWAN products. According to Wikipedia, any SDWAN should have these characteristics:

  • The ability to support multiple connection types, such as MPLS, frame relay and higher-capacity LTE wireless communications
  • The ability to do dynamic path selection, for load sharing and resiliency purposes
  • A simple interface that is easy to configure and manage
  • The ability to support VPNs, and third-party services such as WAN optimization controllers, firewalls and web gateways

Wider Network is Easy, Faster Network is Not

One of the most frequent requests from my clients is "Upgrade the circuit so that application performance gets better". The request itself is easy to fulfil, because upgrading a 10Mbps MPLS circuit to 20Mbps is no more complicated than a traffic-shaping change. However, the customer's actual desire, better performance for their application, is not that easy.

There are lots of factors that make your application slow. It may be some network misconfiguration or it may be some security misconfiguration. But it is usually the latter when my client asks me to upgrade the circuit. By that time they have usually done all the troubleshooting they could, and still have not found a clue how to solve it. I understand how badly they want to do whatever they can to solve the problem. But please wait for just a few days, and take a look at your slow application.

If the affected application is one from Microsoft, it may be very chatty. A chatty application needs to talk to its data source very frequently, and it may not gain much improvement from upgrading the network bandwidth.

It is easier to see what I mean. To show how they differ, I created a test environment in AWS as follows:

The tests are done from src to dst. I installed a Linux instance to intercept the traffic and emulate various kinds of network slowness.

First I used scp to transfer bulk data through the slow network. The result is as follows:

It is very simple: as the latency increases, the time to transfer the data increases, and as the bandwidth increases, the time decreases.

Next, I sent 1000 HTTP GET requests sequentially. The result is as follows:

The lower the latency, the shorter the time to transfer. However, in the third and the fourth rows the time to transfer is the same even though the bandwidths are different. Why can this happen? Because this test sent the HTTP requests sequentially, it suffered from the latency rather than the bandwidth. So it doesn't matter how much bandwidth your network has as long as it has high latency.
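To put numbers on the two tests above, here is an added model (not the author's measurements, and not code from the post) that estimates transfer time from bandwidth and RTT. It assumes one RTT for the TCP handshake, one RTT per sequential request, serialization at line rate, and no slow start or loss; the keep-alive variant is included to show why connection reuse matters for chatty applications.

```python
MBIT = 1_000_000  # bits per megabit


def bulk_transfer_time(size_bytes, bandwidth_mbps, rtt_ms):
    """Seconds for one large transfer like the scp test: one RTT for the TCP
    handshake plus the time the bytes occupy the wire at line rate."""
    return rtt_ms / 1000.0 + size_bytes * 8 / (bandwidth_mbps * MBIT)


def sequential_requests_time(n, resp_bytes, bandwidth_mbps, rtt_ms, keepalive=False):
    """Seconds for n HTTP GETs issued one after another.  Each request costs
    one RTT (request out, response back); without keep-alive each one also
    pays a handshake RTT to open a fresh TCP connection."""
    rtts_per_request = 1 if keepalive else 2
    on_wire = n * resp_bytes * 8 / (bandwidth_mbps * MBIT)
    return n * rtts_per_request * rtt_ms / 1000.0 + on_wire


def speedup_from_upgrade(func, old_mbps, new_mbps, rtt_ms, **kw):
    """Old time / new time when only the bandwidth changes; 1.0 means the
    circuit upgrade bought nothing."""
    return (func(bandwidth_mbps=old_mbps, rtt_ms=rtt_ms, **kw)
            / func(bandwidth_mbps=new_mbps, rtt_ms=rtt_ms, **kw))


def comparison_table(rtts_ms=(1, 10, 50, 100)):
    """Rows of (rtt_ms, bulk, chatty, chatty_keepalive) speedups for a
    10 -> 20 Mbps upgrade: a 100 MiB bulk copy vs. 1000 sequential 1 KiB GETs."""
    rows = []
    for rtt in rtts_ms:
        bulk = speedup_from_upgrade(bulk_transfer_time, 10, 20, rtt,
                                    size_bytes=100 * 1024 * 1024)
        chatty = speedup_from_upgrade(sequential_requests_time, 10, 20, rtt,
                                      n=1000, resp_bytes=1024)
        chatty_ka = speedup_from_upgrade(sequential_requests_time, 10, 20, rtt,
                                         n=1000, resp_bytes=1024, keepalive=True)
        rows.append((rtt, round(bulk, 2), round(chatty, 2), round(chatty_ka, 2)))
    return rows


if __name__ == "__main__":
    print("RTT(ms)  bulk  chatty  chatty+keepalive  (speedup from 10 -> 20 Mbps)")
    for rtt, bulk, chatty, chatty_ka in comparison_table():
        print("{:>7}  {:>4}  {:>6}  {:>16}".format(rtt, bulk, chatty, chatty_ka))
```

The bulk copy gets close to twice as fast in every row, while at 50 ms or 100 ms RTT the sequential requests barely move, which is the third-and-fourth-row effect described above.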

If your application suffers from network latency, there are a number of approaches you can take. Again, it depends hugely on how your application makes its network connections, and you need to know your application deeply. For example, splitting the database might be a good idea if your MS Access is suffering from slowness.

A circuit upgrade is the easiest choice, but it is not necessarily the best solution. Various vendors have WAN optimisation/acceleration built into their products, and it might be worth trying them, as they usually have demo units available for potential clients. Always ask your network support vendor for help before making the decision by yourself.

Cisco Umbrella for Home Use – Good baseline

Is your PC protected at home? Where is your most valuable information stored?

In my case, my most valuable information is stored on my PC at home, or in cloud storage which only my PC can access. It's obvious that I need to protect my home network more than anything. It's really scary for anyone to get their PC hacked like the one in Black Mirror.


Fortigate How-To: DLP

Data Leak Prevention (or Data Loss Prevention) is becoming a must for almost all networks. But it is usually not deployed unless the customer specifically requests it, because by the nature of the function there is no "general" practice for DLP. Some companies might want to prevent users from exporting any data bigger than 10MB to the internet, while other companies might need to send bulk files every day.

This time, I will add basic DLP with the following functions:

  • Prevent users from uploading any file which is 10MB or bigger to the internet
  • Prevent users from downloading any executable (exe) or MS installer package (msi)



Create DLP Profile

Security Profiles > Data Leak Prevention

Create a new profile called "ConfidentialFileDLP".

Add a policy to block any file whose filename starts with "Confidential" from being exported over the HTTP POST method.

Add a policy to block any download of a file which is either an executable (exe) or an MS installer package (msi).


Add DLP on policy

Policy & Objects > IPv4 Policy

Add DLP on the policy.



Access any file transfer service (e.g. WeTransfer) and try to send a file. It will time out if the file name starts with "Confidential".

And the log shows that the UTM blocked the upload.


Next, download any executable (exe). It should be blocked, and it prompts you that the activity is suspected as a "data leak".


And the log shows that the UTM blocked the download.

Fortigate How-To: Anti Virus

It is essential that the firewall is deployed as it is supposed to be. Surprisingly, there are often cases where the firewall is deployed with just a couple of simple policies and is not utilized for its purpose. I once had a conversation with a solution architect of a big security company, and he mentioned that the biggest problem with firewall deployments today is misconfiguration (which leads the admin to criticise a vendor) rather than the vendor's firewall functionality.

This time, I will add the antivirus function to the policy.


Before AntiVirus is deployed

The most popular site to test the antivirus function of your network is EICAR. You can download pseudo (not harmful) test files from there.

You can download 8 files there, and ideally all of them should trigger some kind of anti-virus system. At least both "eicar.com" files, for HTTP and HTTPS, should be blocked by your firewall. Should either of them download successfully, most likely the firewall is not configured correctly. In my case (no antivirus configured on the firewall), all of the files were blocked by Windows Defender. In other words, all of the files were downloaded (at least) onto the client PC. And the malware can do anything if those clients' antivirus is not updated, or the antivirus is not good enough to block that particular malware.


Add AntiVirus on policy

Security Profiles > AntiVirus

I use the built-in "default" profile this time.


Policy & Objects > IPv4 Policy

Add AntiVirus on the policy.

That's all. Once configured, when you download the EICAR file it should show a web page like the following:

It is tedious to test all the files; instead there is a Fortinet URL to test them automatically. Once you click "Run All Tests", it tries all 18 cases, each of which uses a different compression algorithm.

Fortigate How-To: Basic Web Filtering – Certificate Import

Last time, I created a policy to deploy web filtering. It filters unwanted websites (e.g. YouTube), but the error page showed "Chrome blocked" and was not informative. In this post, I will import the certificate so that the intended block pages are displayed.


Download Certificate

Security Profiles > SSL/SSH Inspection


Select the profile you are using in the policy (in my case, default), and click "Download Certificate" to start the download.

If you are using AD, you can use Group Policy to install this certificate on your PCs.


Import Certificate

This is done on the client (this time WindowsVM).

Open Chrome > Settings > Advanced > Manage Certificates

Select the "Trusted Root Certification Authorities" tab, then click "Import".

Follow the instructions to import the certificate which you downloaded in the previous section.


Once it's imported, re-launch Chrome.

And try one of the sites which is supposed to be blocked…


Yes, now it shows the genuine "Block" page.

Fortigate How-To: Basic Web Filtering

I'm going to deploy basic web filtering on a Fortigate VM in AWS.

VPC Diagram


Basic Setup

The basic procedure to deploy Fortigate in AWS can be found here.


Web Filtering

Systems > Settings > System Operation Settings

  • Inspection Mode … This is how packets are processed. Basically, Proxy Mode looks deeper into the packet but is slower. I use Proxy Mode here.
  • NGFW Mode … This is how we are going to configure security policies. I prefer "Profile-based" as I can re-use those profiles for multiple policies. Note that this option is not available if you select Proxy Mode, which uses Profile-based anyway.


Security&Profiles > Web Filter

Usually the default is acceptable in most cases. But it is sometimes too restrictive (e.g. YouTube is blocked). And in most cases, some URLs need to be whitelisted so that they won't be blocked by mistake, which can be achieved in the URL Filter.


Now that we can test the basic function, let's make the policy.

Policy&Object > IPv4 Policy

Here, port1 is the interface connecting to external-1, and port2 is the interface connecting to internal-1.

And here is the web browsing test from WindowsVM.

We can browse the internet. Then let's try another website which is supposed to be blocked.

Hmm, it is blocked. But the error page looks misleading. This is because Fortigate is trying to show the resulting error page (which says Blocked), but Chrome finds that the page contains an invalid certificate and blocks that "Blocked" message from showing.

I’m going to fix this in the next article.

IOx on Cisco: Launch Python

It's been a long time since Cisco announced fog computing and implemented some programmability on their network devices. However, I had never really looked at those functionalities until very recently.

I'm working in the telecom industry and there has been no single day I don't see Cisco devices, but most (if not all) deployments are legacy, utilizing only the network function of those devices. That is fine, as it is what those devices are meant to do, but I took a look at these new capabilities and found them very useful, and fun!

As Cisco mentioned in their article, these functions should be used for non-networking purposes. But they will be new weapons for those who know networking very well to add new features as they wish, and on the other hand they will also be a good entry point for those who didn't take care of the network (i.e. developers, application engineers) until now. One of the most reliable network vendors provides a small app platform on their small routers and switches.


Enable IOX service

It's not enabled on boot, so you need to enable the service on IOS-XE. As this test is done on a CSR1000v on AWS, it uses LXC.

usrt01#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
usrt01(config)#do sh iox-service
Virtual Service Global State and Virtualization Limits:

Infrastructure version : 1.7
Total virtual services installed : 0
Total virtual services activated : 0

Machine types supported   : LXC
Machine types disabled    : KVM

Maximum VCPUs per virtual service : 0
Resource virtualization limits:
Name                         Quota     Committed     Available
system CPU (%)                  75             0            75
memory (MB)                   1024             0          1024
bootflash (MB)               20000             0          6751

IOx Infrastructure Summary:
IOx service (CAF)    : Running
IOx service (HA)     : Not Running
IOx service (IOxman) : Running
Libvirtd             : Running


The environment is almost ready.

  1. Create a connection … VirtualPortGroup, which is the connection point between IOS and the guest system.
  2. Allocate resources for the application
  3. Start the application
usrt01(config)#int virtualportGroup 0
usrt01(config-if)#ip addre
usrt01(config)#app-hosting appid guestshell
usrt01(config-app-hosting)#vnic gateway1 virtualportgroup 0 guest-interface 0 guest-ipaddress netmask gateway name-server default
usrt01(config-app-hosting)#resource profile custom cpu 1500 memory 512
usrt01#guestshell enable
Interface will be selected if configured in app-hosting
Please wait for completion
guestshell installed successfully
Current state is: DEPLOYED
guestshell activated successfully
Current state is: ACTIVATED
guestshell started successfully
Current state is: RUNNING
Guestshell enabled successfully

usrt01#sh app-hosting list
App id                           State
guestshell                       RUNNING


[guestshell@guestshell ~]$
[guestshell@guestshell ~]$ hostname -I

[guestshell@guestshell ~]$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=2 ttl=255 time=0.525 ms
64 bytes from icmp_seq=3 ttl=255 time=0.550 ms
64 bytes from icmp_seq=4 ttl=255 time=0.580 ms
--- ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.525/0.551/0.580/0.035 ms

[guestshell@guestshell ~]$
[guestshell@guestshell ~]$ cat /flash/work/i_am_running.py

import cli

# you can execute IOS commands from guestshell
print("Hello, I'm running on {}".format(cli.execute("show ver | inc Cisco IOS XE Software")))

[guestshell@guestshell ~]$ python /flash/work/i_am_running.py
Hello, I'm running on Cisco IOS XE Software, Version 16.07.01a

[guestshell@guestshell ~]$
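As an added example (not from the post), here is a guestshell script that uses the same cli.execute() call as i_am_running.py to read "show iox-service" and "show app-hosting list", and parses them into an inventory of running app containers and committed resources; an operator can run it to confirm that only the expected containers are active. The sample output strings are constructed from the router output shown above, and the script falls back to them when the cli module is not available.

```python
import re

# Constructed samples shaped like the router output shown in the post.
SAMPLE_IOX = """\
Name                         Quota     Committed     Available
system CPU (%)                  75             0            75
memory (MB)                   1024             0          1024
bootflash (MB)               20000             0          6751
IOx service (CAF)    : Running
IOx service (HA)     : Not Running
"""
SAMPLE_APPS = "App id    State\nguestshell    RUNNING\n"
_RESOURCE = re.compile(r"^([A-Za-z ]+\([^)]*\))\s+(\d+)\s+(\d+)\s+(\d+)$")
_SERVICE = re.compile(r"^([A-Za-z ]+\([^)]*\))\s*:\s*(Running|Not Running)$")

def parse_iox_service(text):
    """Return ({resource: (quota, committed, available)}, {service: status})."""
    resources, services = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        m = _RESOURCE.match(line)
        if m:
            resources[m.group(1)] = tuple(int(v) for v in m.groups()[1:])
        m = _SERVICE.match(line)
        if m:
            services[m.group(1)] = m.group(2)
    return resources, services

def parse_app_hosting_list(text):
    """Return {app_id: state}, skipping the 'App id  State' header row."""
    rows = [l.split() for l in text.splitlines()]
    return {r[0]: r[1] for r in rows if len(r) == 2 and r[0] != "App"}

def audit(iox_text, app_text):
    """One finding per line: running containers, committed resources, and a
    warning when containers are RUNNING although the CAF service is not."""
    resources, services = parse_iox_service(iox_text)
    apps = parse_app_hosting_list(app_text)
    running = sorted(a for a, s in apps.items() if s == "RUNNING")
    findings = ["running apps: " + (", ".join(running) or "none")]
    for name, (quota, committed, _) in sorted(resources.items()):
        findings.append("{}: {}/{} committed".format(name, committed, quota))
    if running and services.get("IOx service (CAF)") != "Running":
        findings.append("WARNING: containers running but CAF is not")
    return findings

if __name__ == "__main__":
    try:
        import cli  # guestshell-only module; the post's script uses it too
        iox, apps = cli.execute("show iox-service"), cli.execute("show app-hosting list")
    except ImportError:  # outside guestshell: use the constructed samples
        iox, apps = SAMPLE_IOX, SAMPLE_APPS
    print("\n".join(audit(iox, apps)))
```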