Some PowerShell to format phone numbers in AD

I needed to get all phone numbers stored in Active Directory into a unified format; the format we’ve chosen is canonical format. Since there were a whole bunch of numbers to update with varying formats, I used this simple PowerShell to loop through, format the existing numbers and write the new format back to AD. It uses the Quest ActiveRoles snap-in.

Here goes the code. My existing numbers are all in the format 0207XXXXXXX, so I haven’t stripped any existing country or area codes.

#import the Quest ActiveRoles AD snap-in
Add-PSSnapin Quest.ActiveRoles.ADManagement

#get a list of users
$OU = "OU=Staff - Testing,OU=User Accounts,DC=acme,dc=local"
$users = Get-QADUser -SearchRoot $OU -SizeLimit 0

#iterate through each user
foreach ($user in $users)
{
    #check if a phone number is stored already
    if (($user.PhoneNumber).Length -gt 1)
    {
        #strip any undesired characters (brackets, dots, spaces, dashes)
        $digits = $user.PhoneNumber -replace "[).( -]"

        #format the number in canonical format; the [double] cast drops the
        #leading 0 so the "(0)" in the format string isn't doubled up
        $i = "{0:+44 (0) ### ### ####}" -f [double]$digits

        #build the output so we can see what's happening
        $output = New-Object PSObject
        $output | Add-Member -MemberType NoteProperty -Name UserName  -Value $user.DisplayName
        $output | Add-Member -MemberType NoteProperty -Name OldNumber -Value $user.PhoneNumber
        $output | Add-Member -MemberType NoteProperty -Name NewNumber -Value $i

        #actually make the change in AD,
        #comment out the next line to test what it's going to look like
        Set-QADUser $user.DN -PhoneNumber $i

        Write-Output $output
    }
}

The output looks like this, and of course updates these fields in AD.

UserName           OldNumber           NewNumber
--------           ---------           ---------
Joe Bloggs         (0)2071234567       +44 (0) 207 123 4567
John Smith         020 7234 5678       +44 (0) 207 234 5678
Jenny Smith        02073456789         +44 (0) 207 345 6789
June May           (02) 079 876 543    +44 (0) 207 987 6543
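As an added example that is not from the original post, here is the same normalisation in Python with a validation step in front of it: the [double] cast in the PowerShell above accepts any run of digits, so an entry of the wrong length would be written back to AD in a mangled form rather than reported. The function names (normalise_uk_number, plan_changes) are mine, and the sample directory is constructed from the OldNumber column of the output table.

```python
import re

# Added example, not from the original post: a pure-Python version of the
# normalisation the PowerShell loop performs, plus validation the original
# [double] cast does not do.

UK_CANONICAL = "+44 (0) {} {} {}"


def normalise_uk_number(raw: str) -> str:
    """Strip brackets, dots, spaces and dashes, drop the leading trunk 0 and
    render as '+44 (0) NNN NNN NNNN'.

    Raises ValueError for anything that is not a 10-digit national number
    after cleanup, so a bad entry is reported instead of written to AD.
    """
    digits = re.sub(r"[().\s-]", "", raw)   # same character set as the -replace
    if not digits.isdigit():
        raise ValueError(f"non-numeric characters in {raw!r}")
    if digits.startswith("0"):               # national trunk prefix
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError(f"expected 10 national digits, got {len(digits)} in {raw!r}")
    return UK_CANONICAL.format(digits[:3], digits[3:6], digits[6:])


# constructed sample: the OldNumber column from the post's output table
SAMPLE_DIRECTORY = {
    "Joe Bloggs": "(0)2071234567",
    "John Smith": "020 7234 5678",
    "Jenny Smith": "02073456789",
    "June May": "(02) 079 876 543",
}


def plan_changes(directory):
    """Return (username, old, new) rows, mirroring the PSObject output, and a
    separate list of entries that failed validation and must not be written."""
    rows, rejected = [], []
    for name, old in directory.items():
        try:
            rows.append((name, old, normalise_uk_number(old)))
        except ValueError as exc:
            rejected.append((name, old, str(exc)))
    return rows, rejected


if __name__ == "__main__":
    rows, rejected = plan_changes(SAMPLE_DIRECTORY)
    for name, old, new in rows:
        print(f"{name:<18} {old:<20} {new}")
    for name, old, why in rejected:
        print(f"SKIPPED {name}: {why}")
```

Running it as a dry run against an export of the directory gives the same three-column view as the PowerShell, with anything that fails validation listed separately instead of silently reformatted.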

Bulk add of DHCP and DNS using bash

While setting up our lab environment I needed a method to add multiple DNS zones and DHCP scopes to our lab server. I have subnetted a /16 into /24s, creating 254 labs to use, so adding these manually seemed like a pain in the ass.

DNS was relatively easy as it’s stored in a text file, %windir%\system32\dns\zone_name.dns. It’s simply a matter of editing this file, then right-clicking the zone and choosing All Tasks > Reload. To make things super easy I just used a simple piece of bash to generate each line.

Forward Lookup:
for i in {1..254}; do echo lab-core-sw01.lab-`printf "%03d" $i` A 172.31.$i.254; done

This produces the output below, which can simply be pasted into your zone file (in this case lab.local).
lab-core-sw01.lab-001 A 172.31.1.254
lab-core-sw01.lab-002 A 172.31.2.254
lab-core-sw01.lab-003 A 172.31.3.254
..
lab-core-sw01.lab-254 A 172.31.254.254

For the reverse zone file (0.31.172.in-addr.arpa) it looks like this:
for i in {1..254}; do echo $i.254 PTR lab-core-sw01.lab-`printf "%03d" $i`.lab.local.; done

And similarly produces
1.254 PTR lab-core-sw01.lab-001.lab.local.
2.254 PTR lab-core-sw01.lab-002.lab.local.
3.254 PTR lab-core-sw01.lab-003.lab.local.
..
254.254 PTR lab-core-sw01.lab-254.lab.local.

It gets a bit more interesting when it comes to DHCP. As Windows stores its DHCP configuration in a database, we can make use of the netsh command to add our configuration.

Firstly we need to launch netsh and connect to the DHCP server, on the Windows command line:
netsh
dhcp server
server \\localhost

From this context you can add, remove and alter all settings on your DHCP server. The basic commands I needed were to set up a scope for each subnet with a 1000ms offer delay, add an address range for delegation, and configure the DNS suffix as well as the next-hop gateway.

In standard netsh syntax this is as follows:
add scope 172.31.1.0 255.255.255.0 "Lab 1 Scope"
v4 scope 172.31.1.0 add iprange 172.31.1.64 172.31.1.95
v4 scope 172.31.1.0 set optionvalue 15 STRING lab-001.lab.local
v4 scope 172.31.1.0 set optionvalue 3 IPADDRESS 172.31.1.254
v4 scope 172.31.1.0 set delayoffer 1000

And this can be achieved in bash too, split over multiple lines for readability:
for i in {1..254}; do
j=`printf "%03d" $i`
echo add scope 172.31.$i.0 255.255.255.0 \"Lab $j Scope\"
echo v4 scope 172.31.$i.0 add iprange 172.31.$i.64 172.31.$i.95
echo v4 scope 172.31.$i.0 set optionvalue 15 STRING lab-$j.lab.local
echo v4 scope 172.31.$i.0 set optionvalue 3 IPADDRESS 172.31.$i.254
echo v4 scope 172.31.$i.0 set delayoffer 1000
done

Now just copy and paste into your windows terminal and watch your scopes populate :)

Mikrotik Hotspot – Expire users after 7 days

The Mikrotik Hotspot / captive portal is a great feature, however it is limited in that it cannot expire a user based on the login time/date. The existing options available to expire a user are uptime (cumulative time online) or bytes sent/received. Something better suited to our office environment is to give a user access for a period of time, say one day or one week. For a small office deployment it seems excessive to deploy and support a RADIUS server for this task, and Mikrotik User Manager doesn’t seem to contain this feature either. To get around this limitation I have devised a couple of scripts which can be used to achieve this function.

The scripts work by setting a comment on the user when they log in for the first time; the comment contains the date the user is logging in. Another script is then scheduled to run daily to find all the users whose login date is more than the specified period in the past and disable those accounts.

For simplicity I’m just going to apply this to the default user profile under /ip hotspot user profile.

The script to add the date comment:

{
 :local date [ /system clock get date ]
 :if ( [ /ip hotspot user get $user comment ] = "" ) do={
  [ /ip hotspot user set $user comment=$date ]
 }
}

And the script to expire users. This converts the current date to an integer by summing the day of the month, the lengths of the preceding months of the year and the year times 365, and compares it against the same sum for the date in the comment we placed on each user above. If the user is to be disabled, we also disconnect them if they are active. You can change the offset variable to how many days you would like to expire the user after.

{
 :local offset 7
 :global today

 {
  :local date [ /system clock get date ]
  :local montharray ( "jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec" )
  :local monthdays ( 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 )
  :local days [ :pick $date 4 6 ]
  :local monthtxt [ :pick $date 0 3 ]
  :local year [ :pick $date 7 11 ]
  :local months ([ :find $montharray $monthtxt ] )
  # add the length of every month before the current one
  :for nodays from=0 to=$months do={
   :if ( $nodays < $months ) do={
    :set days ( $days + [ :pick $monthdays $nodays ] )
   }
  }
  :set days ($days + $year * 365)
  :set today $days
 }

 :foreach i in [ /ip hotspot user find where disabled=no ] do={
  # only consider users that have a login date comment set by the on-login script
  :if ( [ :len [ /ip hotspot user get $i comment ] ] > 0 ) do={
   :local date [ /ip hotspot user get $i comment ]
   :local montharray ( "jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec" )
   :local monthdays ( 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 )
   :local days [ :pick $date 4 6 ]
   :local monthtxt [ :pick $date 0 3 ]
   :local year [ :pick $date 7 11 ]
   :local months ( [ :find $montharray $monthtxt ] )
   :for nodays from=0 to=$months do={
    :if ( $nodays < $months ) do={
     :set days ( $days + [ :pick $monthdays $nodays ] )
    }
   }
   :set days ($days + $year * 365)
   :if ( ($days + $offset) < $today ) do={
    :local name [/ip hotspot user get $i name]
    :log info "HOTSPOT EXPIRE SCRIPT: Disabling Hotspot user $name first logged in $date"
    [ /ip hotspot user disable $i ]
    # $user only exists in the on-login script, so match the active session on the name read above
    [ /ip hotspot active remove [find where user=$name] ]
   }
  }
 }
}
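As an added example that is not part of the original post and is not RouterOS code, here is the same day-number arithmetic in Python so the expiry verdict can be checked against real calendar dates. It assumes the RouterOS v5 date format mon/dd/yyyy shown in the export (may/30/2012), counts only the months before the current one when summing the table, and keeps the script’s 28-day February, which means the verdict slips by one day across 29 February in a leap year; expiry_matches_calendar shows exactly where that happens. The function names are mine.

```python
import datetime

# Added example, not from the original post: the RouterOS expire script's
# day-number arithmetic in Python, checked against datetime.

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
MONTH_DAYS = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]   # no leap day, as in the script


def routeros_day_number(date_str: str) -> int:
    """Parse 'mon/dd/yyyy' (e.g. 'may/30/2012') the way the script's :pick calls
    do, then add the day, the lengths of the months before this one, and
    year * 365."""
    month_txt, day, year = date_str[0:3], int(date_str[4:6]), int(date_str[7:11])
    month_idx = MONTHS.index(month_txt.lower())
    return day + sum(MONTH_DAYS[:month_idx]) + year * 365


def is_expired(login_comment: str, today: str, offset: int = 7) -> bool:
    """Same test as the script: disable when login + offset < today."""
    return routeros_day_number(login_comment) + offset < routeros_day_number(today)


def to_routeros(d: datetime.date) -> str:
    """Render a date as /system clock get date did on RouterOS v5 (assumed format)."""
    return f"{MONTHS[d.month - 1]}/{d.day:02d}/{d.year}"


def expiry_matches_calendar(login: datetime.date, today: datetime.date, offset: int = 7) -> bool:
    """True when the script's verdict agrees with exact calendar arithmetic;
    False on the one-day slip across a leap day."""
    exact = (today - login).days > offset
    return is_expired(to_routeros(login), to_routeros(today), offset) == exact


if __name__ == "__main__":
    login = datetime.date(2012, 5, 30)          # the start-date in the export
    for n in range(0, 10):
        day = login + datetime.timedelta(days=n)
        verdict = "expired" if is_expired(to_routeros(login), to_routeros(day)) else "active"
        print(to_routeros(day), verdict)
```

The comparison is strict, so a user who first logged in on may/30 is still active on jun/06 (exactly seven days later) and is disabled on the jun/07 run.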

Lastly we need to add this to the system scheduler to run each day. I run it at five minutes past midnight.

/system scheduler add name=expire-hotspot-users on-event="/system script run expire-hotspot-users" \
policy=read,write start-time=00:05:00 interval=1d

Here’s the entire export:

/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m on-login=":local date [ /system clock get date ]\r\
    \n:if ( [ /ip hotspot user get \$user comment ] = \"\" ) do={\r\
    \n [ /ip hotspot user set \$user comment=\$date ]\r\
    \n}" rate-limit=1024000/2048000 shared-users=unlimited
/system scheduler
add interval=1d name=expire-hotspot-users on-event="/system script run expire-hotspot-users" policy=read,write start-date=\
    may/30/2012 start-time=00:05:00
/system script
add name=expire-hotspot-users policy=read,write source="{\r\
    \n :local offset 7\r\
    \n :global today\r\
    \n \r\
    \n {\r\
    \n  :local date [ /system clock get date ]\r\
    \n  :local montharray ( \"jan\",\"feb\",\"mar\",\"apr\",\"may\",\"jun\",\"jul\",\"aug\",\"sep\",\"oct\",\"nov\",\
    \"dec\" )\r\
    \n  :local monthdays ( 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 )\r\
    \n  :local days [ :pick \$date 4 6 ]\r\
    \n  :local monthtxt [ :pick \$date 0 3 ]\r\
    \n  :local year [ :pick \$date 7 11 ]\r\
    \n  :local months ([ :find \$montharray \$monthtxt]  )\r\
    \n  :for nodays from=0 to=\$months do={\r\
    \n   :if ( \$nodays < \$months ) do={\r\
    \n    :set days ( \$days + [ :pick \$monthdays \$nodays ] )\r\
    \n   }\r\
    \n  }\r\
    \n  :set days (\$days + \$year * 365) \r\
    \n  :set today \$days\r\
    \n }\r\
    \n \r\
    \n :foreach i in [ /ip hotspot user find where disabled=no ] do={\r\
    \n  :if ( [ :len [ /ip hotspot user get \$i comment ] ] > 0 ) do={\r\
    \n   :local date [ /ip hotspot user get \$i comment ]\r\
    \n   :local montharray ( \"jan\",\"feb\",\"mar\",\"apr\",\"may\",\"jun\",\"jul\",\"aug\",\"sep\",\"oct\",\"nov\"\
    ,\"dec\" )\r\
    \n   :local monthdays ( 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 )\r\
    \n   :local days [ :pick \$date 4 6 ]\r\
    \n   :local monthtxt [ :pick \$date 0 3 ]\r\
    \n   :local year [ :pick \$date 7 11 ]\r\
    \n   :local months ( [ :find \$montharray \$monthtxt ] )\r\
    \n   :for nodays from=0 to=\$months do={\r\
    \n    :if ( \$nodays < \$months ) do={\r\
    \n     :set days ( \$days + [ :pick \$monthdays \$nodays ] )\r\
    \n    }\r\
    \n   }\r\
    \n   :set days (\$days + \$year * 365)\r\
    \n   :if ( (\$days + \$offset) < \$today ) do={ \r\
    \n    :local name [/ip hotspot user get \$i name]\r\
    \n    :log info \"HOTSPOT EXPIRE SCRIPT: Disabling Hotspot user \$name first logged in \$date\"\r\
    \n    [ /ip hotspot user disable \$i ]\r\
    \n    [ /ip hotspot active remove [find where user=\$name] ]\r\
    \n   }\r\
    \n  }\r\
    \n }\r\
    \n}"

Steps for moving an Opsview database to a new server

Recently I’ve had to move a few Opsview servers’ databases from the Opsview master onto an alternate server, mostly because of disk space issues, but I’ve found this to be a pretty good performance increase on busy servers too, so it’s well worth doing anyway.

Firstly you want to build yourself a new server; I’m using Ubuntu and so have rolled out the 12.04 LTS beta. Installing MySQL is pretty simple: apt-get install mysql-server.

There’s a few things you’ll want to change in the my.cnf config file (/etc/mysql/my.cnf on Ubuntu).

Change the bind address so that we can connect to our server across the LAN (this exposes MySQL on every interface, which is why the access grants are restricted to the Opsview master’s hostname further down):

bind-address = 0.0.0.0

And the following performance-based settings as recommended by Opsview (see http://docs.opsview.com/doku.php?id=opsview-community:mysql):

key_buffer = 256M
query_cache_size = 16M
table_cache = 768
innodb_buffer_pool_size = 1024M
innodb_file_per_table=1
innodb_flush_log_at_trx_commit=2

Now give MySQL a restart and check the log for errors: /etc/init.d/mysql restart if you’re old school, or service mysql restart.

Now we need to get the data off the master server and onto the new dedicated mysql server. We can do this over SSH to save storing multiple copies of the database (mine was 50GB or so).

From the master server first stop opsview:

/etc/init.d/opsview stop
/etc/init.d/opsview-web stop

Now run the following command to export the data and transfer it directly into MySQL on the new server over SSH. Be a tad cautious here: the passwords are entered on the CLI in clear text, so they end up in your shell history and are visible to other local users in the process list for as long as the command runs.

mysqldump -u root -p<rootpassword> --databases odw opsview reports runtime |  ssh user@<new-server-hostname> 'mysql -u root -p<rootpassword>'

The data may take some time to copy, depending on its size. You should consider running this command inside screen or tmux in case your SSH session gets disconnected.

Once all your data has been transferred, you need to change the /usr/local/nagios/etc/opsview.conf file to point to the new database server. It’s simply a matter of assigning a few variables like so:

$dbpasswd = "yourpassword";
$dbhost = 'mysql-hostname.domain.local';
$runtime_dbpasswd = "yourpassword";
$runtime_dbhost = 'mysql-hostname.domain.local';
$odw_dbpasswd = "yourpassword";
$odw_dbhost = 'mysql-hostname.domain.local';
$reports_dbpasswd = "yourpassword";
$reports_dbhost = 'mysql-hostname.domain.local';

There’s a handy wee script provided for configuring credentials in MySQL. You just need to run it, and again we’ll pipe its output directly to the new server, saved as a file ready for execution:

/usr/local/nagios/bin/db_mysql -t | ssh user@mysql-hostname 'cat > ~/opsview_access.sql'

I prefer the database access to be slightly more secure than what this script generates, so I’d recommend replacing the % (any host) entries in the file with the hostname of your Opsview server. This can be done easily using sed on the new server, where the file now lives (check the file afterwards, as the pattern replaces every % in it):

sed -i 's/%/opsview-master.domain.local/g' opsview_access.sql

Now you can go ahead and import this into mysql:

mysql -u root -p < opsview_access.sql

All that’s left to do is to regenerate the Opsview configuration and then start up the services. This can be done as follows:

/usr/local/nagios/bin/rc.opsview gen_config
/etc/init.d/opsview-web start

Once you’re happy that everything is running as expected, you can get rid of the old databases on the master server. From the MySQL prompt on the master, drop them like this:

drop database opsview;
drop database odw;
drop database runtime;
drop database reports;

RANCID auto collection from Syslog trigger

I wanted to have RANCID automatically alert our infrastructure team of any changes to network device configurations, as well as maintaining a history of configuration revisions. By default RANCID is designed to perform a daily or periodic poll of network devices to collect configurations, however with a few small tweaks it is possible to get a snapshot every time a device’s configuration changes.

There are a couple of ways to achieve this: either triggering RANCID via SNMP traps, or from the device’s syslog. I elected to use the syslog method as this gives the added benefit of collecting logs from our network devices as well.

One of the challenges I came across while configuring this was that when using a web GUI to make changes on some devices (for example a Netscreen), the device configuration is saved after every single change. This meant a high amount of RANCID spam if several things were being altered at once. The solution below gets around this by writing to a file for each device that has been updated and only grabbing the configuration after no further changes have occurred for a specified period (five minutes).

I won’t cover installing RANCID or syslog-ng here as there are plenty of other resources floating about on how to do this. On Ubuntu it’s as simple as apt-get install rancid syslog-ng.

First of all we need to edit /etc/syslog-ng/syslog-ng.conf to create a filter for our syslogs and then specify what to do with them. Here is what I added.

The first line listens for incoming UDP syslog messages.

source s_net { udp (); };

Next we create a destination rule for what to do when we receive logs we are interested in. Note the Perl script (/usr/bin/mark_for_rancid.pl) here is what we will run when we get some interesting syslog traffic; the template passes it only the sending host’s name, one per line.

destination d_rancid { program("perl /usr/bin/mark_for_rancid.pl" template("$HOST\n") ); };

Here are some filters that I have defined to catch the syslog traffic that I’m interested in: for IOS a “Configured from” message, for Junos a commit, and for a Netscreen the “System configuration saved” message.

filter f_cisco_configured{ match ("SYS-5-CONFIG_I: Configured"); };
filter f_juniper_commit{ match ("UI_COMMIT:"); };
filter f_netscreen_saved{ match ("System configuration saved"); };

The last part of the syslog-ng configuration is to put these together into a rule. There are three rules below, one for each of the filters.

log {
 source(s_net);
 filter(f_cisco_configured);
 destination(d_rancid);
};
log {
 source(s_net);
 filter(f_juniper_commit);
 destination(d_rancid);
};
log {
 source(s_net);
 filter(f_netscreen_saved);
 destination(d_rancid);
};

The next step is to create the first of two Perl scripts we will use. /usr/bin/mark_for_rancid.pl is the script that runs when syslog-ng sees one of the interesting log messages defined above. It creates a file for each host in a directory and updates the timestamp on that file each time it is triggered.

#!/usr/bin/perl
use strict;
use warnings;

my $collectdir = "/usr/local/rancid/var/collect";

# syslog-ng keeps this process running and writes one hostname per line
# to its stdin (the template("$HOST\n") above), so read until EOF
while (my $host = <STDIN>) {
    chomp($host);
    $host = lc($host);

    # the hostname comes straight from the syslog sender, so only accept a
    # plain name before it is used in a shell command and as a file name
    next unless $host =~ /^[a-z0-9][a-z0-9.-]*$/;

    system("su - rancid -c \"touch $collectdir/$host\"");
}
1;

You can change collectdir to some meaningful location; best to give your rancid user ownership of this directory, as it’s that user who will be running the cron job to remove these files.

The next script is designed to be run from cron. I run it every minute to get changes as quickly as possible, but you may wish to decrease its frequency if you like. I’ve stored this as /usr/bin/rancid_collect.pl and it looks like this:

#!/usr/bin/perl
use strict;
use warnings;
use File::stat;
use File::Basename;

use constant DEBUG => 0;   # set to 1 to enable log text
my $age = 60 * 5;          # seconds a device must be quiet before we collect
my $collectdir = "/usr/local/rancid/var/collect";
my @files = <$collectdir/*>;

print(scalar @files . " routers to consider collecting\n") if DEBUG;
foreach my $file (@files) {
    # the file name is the device hostname written by mark_for_rancid.pl,
    # whatever depth $collectdir sits at
    my $device = basename($file);
    if ((time - stat($file)->mtime) > $age) {
        print "Running collection for $device\n" if DEBUG;
        # list form: the hostname is passed as an argument, not through a shell
        system("/usr/bin/rancid-run", "-r", $device);
        unlink($file);
        print "Collection completed\n" if DEBUG;
    } else {
        print "$device is younger than $age seconds\n" if DEBUG;
    }
}
1;

Essentially this lists all files in our collect dir and, if a file’s timestamp is older than the specified age (5 minutes), executes rancid-run to grab the device’s config. It then removes the file.

The last step is to add this script to your rancid user’s crontab, something like this:

* * * * * /usr/bin/rancid_collect.pl > /dev/null 2>&1

It’s worth mentioning that your forward and reverse DNS need to be set up properly, as the file that is created is named after the hostname of each device as received via syslog, and RANCID should be configured to use that same name for the host.
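As an added example that is not from the original post, the whole pipeline (filter match, mark, collect after a quiet period) in one self-contained Python module, so the debounce and the hostname check can be exercised without syslog-ng or RANCID. The patterns are the three from the syslog-ng filters above; the function names, the constructed syslog lines and the temporary directory standing in for the collect dir are mine. The hostname check matters because the value comes from whatever sent the syslog message and ends up both as a file name and as an argument to rancid-run.

```python
import os
import re
import tempfile
import time

# Added example, not from the original post: mark-on-syslog and
# collect-after-quiet-period, with the hostname validated before use.

# the same three patterns as the syslog-ng filters above
INTERESTING = [
    re.compile(r"SYS-5-CONFIG_I: Configured"),     # IOS
    re.compile(r"UI_COMMIT:"),                     # Junos
    re.compile(r"System configuration saved"),     # Netscreen
]
# only a plain hostname may become a file name or a rancid-run argument
HOSTNAME_OK = re.compile(r"^[a-z0-9][a-z0-9.-]*$")


def is_config_change(message: str) -> bool:
    return any(p.search(message) for p in INTERESTING)


def mark(collectdir: str, host: str) -> bool:
    """Touch <collectdir>/<host>, refreshing its mtime on repeat triggers.
    Returns False (and does nothing) for a hostname that fails validation."""
    host = host.strip().lower()
    if not HOSTNAME_OK.match(host):
        return False
    path = os.path.join(collectdir, host)
    with open(path, "a"):
        pass
    os.utime(path, None)
    return True


def collect_due(collectdir: str, age: int = 300, now=None):
    """Return hostnames quiet for more than `age` seconds and remove their
    marker files; this is the point where rancid_collect.pl runs rancid-run -r."""
    now = time.time() if now is None else now
    due = []
    for name in sorted(os.listdir(collectdir)):
        path = os.path.join(collectdir, name)
        if now - os.stat(path).st_mtime > age:
            due.append(name)
            os.unlink(path)
    return due


# constructed syslog input: (host as template("$HOST\n") would pass it, message)
SAMPLE_SYSLOG = [
    ("core-sw1", "%SYS-5-CONFIG_I: Configured from console by admin on vty0"),
    ("edge-fw1", "UI_COMMIT: User 'admin' requested 'commit' operation"),
    ("core-sw1", "%LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up"),
    ("sw1;id", "System configuration saved by admin"),   # shell metacharacters, rejected
]


def run_demo(collectdir: str, age: int = 300):
    """Mark every interesting line, then age the markers to see which collect."""
    for host, msg in SAMPLE_SYSLOG:
        if is_config_change(msg):
            mark(collectdir, host)
    marked = sorted(os.listdir(collectdir))
    t0 = time.time()
    too_soon = collect_due(collectdir, age, now=t0 + age - 1)   # still inside the quiet period
    ready = collect_due(collectdir, age, now=t0 + age + 1)      # quiet period has elapsed
    return marked, too_soon, ready


def demo_in_tempdir(age: int = 300):
    """Run the demo in a throwaway directory standing in for the collect dir."""
    with tempfile.TemporaryDirectory() as d:
        return run_demo(d, age)


if __name__ == "__main__":
    print(demo_in_tempdir())
```

A second trigger for the same host only refreshes the marker’s mtime, so a burst of saves from a web GUI collapses into one collection five minutes after the last save, which is the behaviour the syslog-ng and cron pieces above produce together.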

Problem with certificate checking on check_esx.pl plugin

Either a change in newer Perl libraries or version 5 of the vSphere Perl SDK means that certificates are now checked by default, and the check_esx.pl plugin returns output like the following:

CHECK_ESX.PL CRITICAL - Server version unavailable at 'https://vcenter-server.domain.com:443/sdk/vimService.wsdl' at /usr/share/perl/5.10/VMware/VICommon.pm line 545, <AUTH_FILE> line 2.

Here’s a quick patch to add a -i option which will disable the certificate check.

Installing VMWare vSphere Perl SDK on Ubuntu 10.04 LTS

Just a couple of quick notes to streamline your install of the Perl SDK for vSphere 5.


It will speed up your install to grab a few prerequisites via aptitude first:

apt-get install libarchive-zip-perl libcrypt-ssleay-perl libclass-methodmaker-perl libdata-dump-perl libsoap-lite-perl perl-doc libssl-dev libuuid-perl liburi-perl libxml-libxml-perl ia32-libs


We also need to set the http_proxy and ftp_proxy variables: the installer fails if they are not set, even when no proxy is in use, so to work around this we can just configure them as empty:

export http_proxy=
export ftp_proxy=


Now untar the package and run the installer:

tar -zxvf VMware-vSphere-Perl-SDK-5.0.0-422456.x86_64.gz
cd vmware-vsphere-cli-distrib
./vmware-install.pl


Accept the licence, and complete the install process.

Set out of office for an exchange user

Some simple PowerShell commands to set out of office for a user via the Exchange Management Shell.

To set the external out of office:

Set-MailboxAutoReplyConfiguration -Identity JBloggs -ExternalMessage "<html><body>Thank you for your email.<br><br>Please note that I am currently out of the office, during my absence please contact <person> who will assist with your query.<br><br>Many Thanks<br><br>Joe Bloggs</body></html>"

To set the internal out of office:

Set-MailboxAutoReplyConfiguration -Identity JBloggs -InternalMessage "<html><body>Thank you for your email.<br><br>Please note that I am currently out of the office, during my absence please contact <person> who will assist with your query.<br><br>Many Thanks<br><br>Joe Bloggs</body></html>"

Set the date range (the start and end times only take effect when the auto-reply state is Scheduled):

Set-MailboxAutoReplyConfiguration -Identity JBloggs -AutoReplyState Scheduled -StartTime "02/12/2011 18:00:00" -EndTime "10/12/2011 08:00:00"

And finally, to review:

Get-MailboxAutoReplyConfiguration -Identity JBloggs

Securely enable outside management on SRX

Thought I’d document the rough process for securing access to the management interface of a new SRX device.

Let’s go through the steps.
First, let’s get rid of nasty HTTP and Telnet access and then enable SSH and HTTPS for use on the interfaces we need:

delete system services web-management http
delete system services telnet
set system services ssh
set system services web-management https interface ae0.0

Next, let’s permit this access in the zones our interfaces are bound to:

set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https

And now create a prefix-list to define the hosts we want to be able to manage the SRX from:

set policy-options prefix-list management-hosts 192.0.2.0/24
set policy-options prefix-list management-hosts 203.0.113.64/27
set policy-options prefix-list management-hosts 2001:0DB8:100::/64

Now create a firewall filter that discards TCP 443 and 22 from any source not in the prefix list (the except keyword inverts the match) and accepts everything else:

set firewall family inet filter filter-management term block_unauthorised from source-address 0.0.0.0/0
set firewall family inet filter filter-management term block_unauthorised from source-prefix-list management-hosts except
set firewall family inet filter filter-management term block_unauthorised from protocol tcp destination-port [ssh https]
set firewall family inet filter filter-management term block_unauthorised then discard
set firewall family inet filter filter-management term accept_default then accept

set firewall family inet6 filter filter-management6 term block_unauthorised from source-address ::/0
set firewall family inet6 filter filter-management6 term block_unauthorised from source-prefix-list management-hosts except
set firewall family inet6 filter filter-management6 term block_unauthorised from destination-port [ssh https]
set firewall family inet6 filter filter-management6 term block_unauthorised then discard
set firewall family inet6 filter filter-management6 term accept_default then accept

Finally add this filter to the loopback interface:

set interfaces lo0 unit 0 family inet filter input filter-management
set interfaces lo0 unit 0 family inet6 filter input filter-management6
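As an added example that is not from the post and is not Junos, here is a small Python model of the two-term filter above, so the except logic can be checked against sample packets before committing. The prefixes and ports are the ones from the post; the function names and sample packets are mine. Note one difference the model preserves: the inet filter matches protocol tcp, but the inet6 filter as written has no next-header match, so on IPv6 any transport to port 22 or 443 from an unlisted source is discarded.

```python
import ipaddress

# Added example, not from the original post: a Python model of the
# filter-management / filter-management6 match logic on lo0.

MANAGEMENT_HOSTS = [ipaddress.ip_network(p) for p in
                    ("192.0.2.0/24", "203.0.113.64/27", "2001:0DB8:100::/64")]
MANAGEMENT_PORTS = {22, 443}   # ssh, https


def filter_management(src: str, proto: str, dport: int) -> str:
    """Return the action the loopback input filter takes for one packet.

    term block_unauthorised matches when the source is NOT in the
    management-hosts prefix-list (that is what 'except' does) and the packet
    is to ssh/https; anything else falls through to term accept_default.
    """
    source = ipaddress.ip_address(src)
    trusted = any(source in net for net in MANAGEMENT_HOSTS
                  if net.version == source.version)
    if source.version == 4:
        port_match = proto == "tcp" and dport in MANAGEMENT_PORTS   # 'from protocol tcp'
    else:
        port_match = dport in MANAGEMENT_PORTS                      # no next-header match in inet6 term
    if not trusted and port_match:
        return "discard"
    return "accept"


# constructed sample traffic arriving at the routing engine
SAMPLE_PACKETS = [
    ("192.0.2.10", "tcp", 22),          # admin host -> ssh
    ("198.51.100.7", "tcp", 443),       # unlisted host -> https
    ("198.51.100.7", "tcp", 179),       # bgp peer, not a management port
    ("2001:db8:100::5", "tcp", 22),     # admin host over IPv6
    ("2001:db8:200::5", "tcp", 443),    # unlisted IPv6 host
    ("198.51.100.7", "udp", 443),       # inet term needs tcp, so accepted
    ("2001:db8:200::5", "udp", 443),    # inet6 term has no protocol match, so discarded
]


def evaluate(packets=SAMPLE_PACKETS):
    """Run every sample packet through the model and return the verdicts."""
    return [(src, proto, dport, filter_management(src, proto, dport))
            for src, proto, dport in packets]


if __name__ == "__main__":
    for src, proto, dport, action in evaluate():
        print(f"{src:<18} {proto:<4} {dport:<4} {action}")
```

If the IPv6 behaviour is not what you want, the fix on the device is to add next-header tcp to the block_unauthorised term of filter-management6, mirroring the protocol tcp match in the inet filter.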

A quick check of the configuration should confirm something like this:

root@SRX-FW011> show configuration system services
ssh;
web-management {
    https {
        system-generated-certificate;
        interface [ vlan.0 fe-0/0/0.0 ae0.0 ];
    }
}

root@SRX-FW011> show configuration security zones
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        vlan.0;
    }
}
security-zone untrust {
    screen untrust-screen;
    host-inbound-traffic {
        system-services {
            ping;
            ssh;
            https;
        }
        protocols {
            bgp;
        }
    }
    interfaces {
        ae0.0 {
            host-inbound-traffic {
                system-services {
                    ssh;
                    https;
                }
            }
        }
    }
}

root@SRX-FW011> show configuration policy-options
prefix-list management-hosts {
    192.0.2.0/24;
    203.0.113.64/27;
    2001:0DB8:100::/64;
}

root@SRX-FW011> show configuration firewall
family inet {
    filter filter-management {
        term block_unauthorised {
            from {
                source-address {
                    0.0.0.0/0;
                }
                source-prefix-list {
                    management-hosts except;
                }
                protocol tcp;
                destination-port [ ssh https ];
            }
            then {
                discard;
            }
        }
        term accept_default {
            then accept;
        }
    }
}
family inet6 {
    filter filter-management6 {
        term block_unauthorised {
            from {
                source-address {
                    ::/0;
                }
                source-prefix-list {
                    management-hosts except;
                }
                destination-port [ ssh https ];
            }
            then discard;
        }
        term accept_default {
            then accept;
        }
    }
}

root@SRX-FW011> show configuration interfaces lo0
unit 0 {
    family inet {
        filter {
            input filter-management;
        }
    }
    family inet6 {
        filter {
            input filter-management6;
        }
    }
}

If it all looks good, we can go ahead and commit the changes:

commit

Fortigate remove default configuration

It always frustrates me how vendors like to ship network appliances with a default configuration. Depending on what you want to do with the device, it often hinders the configuration as opposed to making it easier. Here’s a quick series of commands I have put together to remove the most annoying bits of the default configuration from a Fortigate or FortiWifi 60C. Your mileage may vary on other Fortigate units.
it always frustrates me how vendors like to ship network appliances with a default configuration. Depending on what you want to do with the device it often hinders the configuration as opposed to making it easier. Here’s a quick series of commands I have put together to remove the most annoying bits of the default configuration from a Fortigate or FortiWifi 60c. Your mileage may vary on other Fortigate units.