Wednesday, November 14, 2012

Windows: Issue with Clipboard

Hi all,

In day-to-day work, every MS Windows user runs into issues with the clipboard.

Personally, every 10 or 15 days.

Here I'll write down the different solutions I've found.

Resetting the content of the clipboard:

cmd /c "echo off | clip"

Remote RDP clipboard:

Kill the rdpclip.exe process and start it again. You may also have to restart your RDP session.

Seven: Checking System integrity

Use the sfc tool (System File Checker) to find out whether a system file is corrupted, and which one.

First: scanning system integrity

sfc /scannow

Tuesday, September 11, 2012

NETASQ: Migrating LDAP to the bdb format

Hello,

here is how to migrate from the indexed file format to BDB:


# Stop the ldap service
nstop ldap

# Export the database in LDIF format
slapd -T cat -f /var/ldap/slapd.conf > /log/export.ldif

# Backup copy of the ldap base
mv /data/Main/Ldapbase /log/Ldapbase.old

# Create the directory for the base
mkdir /data/Main/Ldapbase

# Tune the configuration to use the new format
setconf ~/ConfigFiles/ldap Server DBBackend bdb


# Create the DB_CONFIG file specific to the new format
echo "set_lg_max 1000000" >/data/Main/Ldapbase/DB_CONFIG
echo "set_flags DB_LOG_AUTOREMOVE" >>/data/Main/Ldapbase/DB_CONFIG

# Full import of the data
slapd -T add -f /var/ldap/slapd.conf -l /log/export.ldif

# Start the service
nstart ldap


And here are the verification steps:


# List the Ldapbase directory to validate the new format:
ls /data/Main/Ldapbase
DB_CONFIG       __db.002        __db.004        dn2id.bdb       log.0000000001  uid.bdb
__db.001        __db.003        __db.005        id2entry.bdb    objectClass.bdb


# Check the ldap service
dstat |grep ldap
ldap      : /var/supervise/ldap: up (pid 33177) 347 seconds

# Validate the ldap service
nsrpc admin@127.0.0.1

user list
101 code=00f01100 msg="User List:"
cn=philippe,ou=users,o=jnprlabs,dc=stagira.net
100 code=00a00100 msg="Ok"



Tuesday, September 4, 2012

NETASQ: Using External tools inside the FW

Hi folks,

So I need some tools on my Unix FW; NETASQ comes with some, but lacks a lot of others. A great example is wget.

So you need to figure out which FreeBSD version your NETASQ is running on.

Normally, for a V9, it is FreeBSD 7.3:

# uname -a
NS-BSD VUXXXA1GXXXXXX 9.0.3- NS-BSD 9.0.3- #0: Mon Apr  2 21:15:37 CEST 2012     build@buildmajclipp.netasq.com:/usr/home/build/fw-9.0.3/sys-7.3/work/sys/i386/compile/NETASQ.XL.FULLVIRT.RELEASE  i386

For a V8, it is FreeBSD 6.3:

# uname -a
NS-BSD V50XXA0A0000001 8.1.0- NS-BSD 8.1.0- #0: Wed Mar 31 13:14:10 CEST 2010     build@81maj.netasq.com:/usr/home/build/fw-8.1.0/sys-6.3/work/sys/i386/compile/NETASQ.M.FULLVIRT.RELEASE  i386

In the following commands:

root@linux$ is the prompt of the Linux host (yes, sure! :-)
VUXXXXXX0000000> is the prompt of the NETASQ FW (huh??)

Download the packages from a distribution server; for wget you will need:

wget: http://ftp.stu.edu.tw/FreeBSD/ports/i386/packages-7.3-release/All/wget-1.12.tbz

gettext: http://ftp.stu.edu.tw/FreeBSD/ports/i386/packages-7.3-release/All/gettext-0.17_1.tbz

libiconv: http://ftp.stu.edu.tw/FreeBSD/ports/i386/packages-7.3-release/All/libiconv-1.13.1_1.tbz

Unpack the files in a directory:

root@linux$ tar -jxvf wget-1.12.tbz

root@linux$ tar -jxvf gettext-0.17_1.tbz

root@linux$ tar -jxvf libiconv-1.13.1_1.tbz

So you have the tool and some libs that will be used later on. Now, transfer the wget binary from bin/wget to the NETASQ FW, in /log/wget-bsd73 for example:

VUXXXXXX0000000> mkdir /log/wget-bsd73

root@linux$ scp bin/wget mynetasqfw:/log/wget-bsd73

We'll test whether all the shared libs are available:

VUXXXXXX0000000>ldd wget
wget:
        libssl.so.5 => not found (0x0)
        libcrypto.so.5 => not found (0x0)
        libiconv.so.3 => not found (0x0)
        libintl.so.8 => not found (0x0)
        libc.so.7 => /lib/libc.so.7 (0x280cc000)

Well... are we missing a lot? In fact no, we're just missing 2 libs: libiconv.so and libintl.so.

Transfer the 2 libs:

root@linux$ scp lib/libiconv.so.3 mynetasqfw:/log/wget-bsd73

root@linux$ scp lib/libintl.so.8 mynetasqfw:/log/wget-bsd73

For the rest we just need to create symlinks:

ln -s /usr/lib/libcrypto.so /usr/lib/libcrypto.so.5

ln -s /usr/lib/libssl.so /usr/lib/libssl.so.5

ln -s $PWD/libiconv.so.3 /usr/lib/libiconv.so.3

ln -s $PWD/libintl.so.8 /usr/lib/libintl.so.8

So, check the shared libs again:

VUXXXXXX0000000>ldd wget
wget:
        libssl.so.5 => /usr/lib/libssl.so.5 (0x280cc000)
        libcrypto.so.5 => /usr/lib/libcrypto.so.5 (0x2811d000)
        libiconv.so.3 => /usr/lib/libiconv.so.3 (0x28288000)
        libintl.so.8 => /usr/lib/libintl.so.8 (0x2837e000)
        libc.so.7 => /lib/libc.so.7 (0x28387000)

Everything is here!
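As an added example (not from the original post), the same "not found" check done by script instead of by eye. It assumes the NS-BSD ldd output format shown above ("name => path (address)") and uses the two ldd listings from the post as constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the original post: parse ldd output and
# list the shared objects the dynamic linker could not resolve.
# Assumes the NS-BSD/FreeBSD ldd line format: "soname => path (address)".

# Print the soname of every "not found" line, one per line.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' "$1"
}

# Number of unresolved sonames (0 means the binary is ready to run).
missing_count() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { n++ } END { print n + 0 }' "$1"
}

# Exit status 0 when every dependency resolves, 1 otherwise.
libs_resolved() {
    [ "$(missing_count "$1")" -eq 0 ]
}

# Constructed sample: the first ldd run from the post, before the libs were copied.
LDD_BEFORE=$(mktemp)
cat > "$LDD_BEFORE" <<'EOF'
wget:
        libssl.so.5 => not found (0x0)
        libcrypto.so.5 => not found (0x0)
        libiconv.so.3 => not found (0x0)
        libintl.so.8 => not found (0x0)
        libc.so.7 => /lib/libc.so.7 (0x280cc000)
EOF

# Constructed sample: the second ldd run, after the copies and symlinks.
LDD_AFTER=$(mktemp)
cat > "$LDD_AFTER" <<'EOF'
wget:
        libssl.so.5 => /usr/lib/libssl.so.5 (0x280cc000)
        libcrypto.so.5 => /usr/lib/libcrypto.so.5 (0x2811d000)
        libiconv.so.3 => /usr/lib/libiconv.so.3 (0x28288000)
        libintl.so.8 => /usr/lib/libintl.so.8 (0x2837e000)
        libc.so.7 => /lib/libc.so.7 (0x28387000)
EOF

# On the firewall you would capture the real listing with: ldd wget > ldd.txt
echo "before: $(missing_count "$LDD_BEFORE") missing"   # before: 4 missing
missing_libs "$LDD_BEFORE"
echo "after:  $(missing_count "$LDD_AFTER") missing"    # after:  0 missing
```

Note that the symlinks only make the linker accept whatever libssl.so and libcrypto.so the firewall already ships under the soname wget was linked against; ldd confirms that a file with that soname is found, not that its ABI matches, so a clean ldd does not by itself guarantee wget's HTTPS code paths work.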

To finish the procedure, just copy the wget binary to the /usr/Firewall/sbin/ directory:

VUXXXXXX0000000>cp wget /usr/Firewall/sbin/wget

Now we can test wget:

VUXXXXXX0000000>wget http://94.23.230.70/package/na_pack_updates_kasperskyStandard.md5
--2011-09-04 10:14:42--  http://94.23.230.70/package/na_pack_updates_kasperskyStandard.md5
Connecting to 94.23.230.70:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 72 [application/octet-stream]
Saving to: `na_pack_updates_kasperskyStandard.md5'

100%[===========================================================================>] 72          --.-K/s   in 0s

2011-09-04 10:14:43 (1.05 MB/s) - `na_pack_updates_kasperskyStandard.md5' saved [72/72]

That's all, folks!


Monday, September 3, 2012

NETASQ: ldap export / import without external tools (i.e. LDAP Browser)

Hi Folks,

so, every time you need to manipulate the LDAP DB you'll find a KB article, a mail, or a tip saying:

Hey, you need an LDAP browser tool.

Wrong!

The NETASQ has everything inside to do this!

Let's see how.

Where is the conf file:

/var/ldap/slapd.conf

Stop the ldap server:

nstop ldap

Export the DB in LDIF format:

slapd -4 -T cat -f /var/ldap/slapd.conf > /tmp/export.ldif

Modify it:

vi /tmp/export.ldif

Move the old DB:

cd /data/Main/

mv Ldapbase Ldapbase.old

mkdir Ldapbase

Recreate the DB:

slapd -T add -f /var/ldap/slapd.conf -l /tmp/export.ldif
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
=> bdb_tool_entry_put: id2entry_add failed: DB_KEYEXIST: Key/data pair already exists (-30996)
=> bdb_tool_entry_put: txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry dn="o=jnprlabs,dc=cons165.magirus.com" (line=1): txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
_##                    11.06% eta   none elapsed            none spd 368.9 k/s
Closing DB...

Start the ldap server:

nstart ldap

Let's see if the modification is there:

slapd -4 -T cat -f /var/ldap/slapd.conf

That's all!!!
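Both this post and the bdb migration post above run the same "slapd -T cat" export followed by a "slapd -T add" import into a freshly created Ldapbase. As an added example (not from either post), here are the guard checks I would put around that cycle; it assumes slapcat-style LDIF (each entry starts with a "dn:" line, folded continuation lines start with a space) and uses a constructed sample export built from the DNs shown in the posts.

```shell
#!/bin/sh
# Added example, not from either NETASQ post: guard checks around the
# "slapd -T cat" export and "slapd -T add" import that both posts use.
# Assumes slapcat-style LDIF: each entry starts with a "dn:" line and
# folded continuation lines start with a space.

# Number of entries in an LDIF file (one "dn:" line per entry).
ldif_dn_count() {
    grep -c '^dn:' "$1"
}

# Print only the DNs, so an export and a later re-export can be compared.
ldif_dns() {
    sed -n 's/^dn:[[:space:]]*//p' "$1"
}

# Do not move the live base away until the export is non-empty and parses.
export_usable() {
    [ -s "$1" ] && [ "$(ldif_dn_count "$1")" -gt 0 ]
}

# slapadd expects an empty directory: leftovers (*.bdb, __db.*, log.*)
# from an earlier run would be mixed with, or collide with, the new import.
base_dir_empty() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# After the import, re-export with "slapd -T cat" and require the same DNs.
same_entries() {
    [ "$(ldif_dns "$1" | sort)" = "$(ldif_dns "$2" | sort)" ]
}

# Constructed sample export with the DNs shown in the posts (not a real dump).
EXPORT=$(mktemp)
cat > "$EXPORT" <<'EOF'
dn: o=jnprlabs,dc=stagira.net
objectClass: organization
o: jnprlabs

dn: ou=users,o=jnprlabs,dc=stagira.net
objectClass: organizationalUnit
ou: users

dn: cn=philippe,ou=users,o=jnprlabs,dc=stagira.net
objectClass: inetOrgPerson
cn: philippe
sn: philippe
EOF

export_usable "$EXPORT" && echo "export has $(ldif_dn_count "$EXPORT") entries"  # 3
```

On the firewall the guarded order is: nstop ldap, export, export_usable on the LDIF, move and recreate Ldapbase, base_dir_empty on the new directory, slapd -T add, a second slapd -T cat into another file, same_entries on the two files, and only then nstart ldap.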

Friday, August 24, 2012

VMWARE: How to transform OVA files to OVF files

Sometimes you need to transform virtual images from one format to another.

There is a tool from VMware named ovftool; simple, no?

With it you can do:

ova2ovf: OVA to OVF transformation

ovf2vmx: OVF to VMX transformation

And many, many more!

Where to find the tool?

http://www.vmware.com/support/developer/ovf/

The documentation:

http://www.vmware.com/support/developer/ovf/ovf21/ovftool-210-userguide.pdf

The tool itself:

http://www.vmware.com/downloads/download.do?downloadGroup=OVF-TOOL-2-1

Just a tiny example:

I just downloaded an OVA image file, and I want to publish it to vSphere.

The tool can let you push directly from OVA to vSphere, but here I'll keep it simple: I will only transform from one format to another.

Just install the package and add the installation path to your system PATH, or do it inside your console:

set PATH="C:\Program Files\VMware\VMware OVF Tool";%PATH%

Then just do it:

ovftool --lax file.ova newfile.ovf

The --lax option is relevant only for OVA/OVF source files; here is what the doc says:

Relax OVF specification conformance and virtual
hardware compliance checks. (For advanced
users only.)

It is a really necessary option, because OVA files can have unsupported hardware saved inside (e.g. Xen, VirtualBox...).

Using Converter:

With VMware Converter, you may want to convert your OVA file to VMX format, which Converter can then use as a source:

ovftool --lax file.ova newfile.vmx

And then use Converter.

Thursday, July 19, 2012

Online Translation??

Hello,

can we really trust the translation tools that are offered to us just about everywhere?

Especially when we have to write a text that matters to us, to our future...

The example below comes from a famous tool based on a "Babel fish"; moreover, it is not an on-the-fly translation request but an advertising insert:

Reading this text, my confidence very... very sharply dropped. Er... no, I'm lying there, I already had no confidence to begin with.

For our English speakers (I'm quite sure you will understand nothing), guys, feel like us:

-------------REALLY BAD ON-THE-FLY TRANSLATION---------------------------------
Hello

can we really rely on translation tools that we are offered everywhere?

Especially when one must write a text important to us, for our future...

the following example comes from a famous tools based on a "Babel fish", in addition it is not an application of translation on the fly, but an advertising insert:

By reading this text, my confidence at very... very sharply. UH.... no I ment there, I already did not have confidence in the origin.

-------------------------------------------------------------------------------------

Philippe

Tuesday, June 19, 2012

vmware esxi5.0: How to Add a driver for the card QLogic Corp SP232-based 4Gb Fibre Channel to PCI Express HBA

I know, there are various posts on the net regarding this tip, but my blog is my place to put my tips :-)
So, you asked your IT whether they have a SAN card to put in a server you just received from another department, and they send you a:
QLogic Corp SP232-based 4Gb Fibre Channel to PCI Express HBA.
No luck: this card is unsupported on ESXi 5.0.
But you can still access your SAN with it; here is how:

1 - Activate the card in the BIOS,
2 - Connect with SSH to your ESXi server,
then lspci -v shows us this:
000:011:00.0 Fibre Channel Serial bus controller: QLogic Corp SP232-based 4Gb Fibre Channel to PCI Express HBA
         Class 0c04: 1077:5432
And the content of the driver map is:
cd /tmp
cp /bootbank/scsi-qla.v00 /tmp/
vmtar -x scsi-qla.v00 -o  scsi-qla
tar xvf scsi-qla
cat etc/vmware/driver.map.d/qla2xxx.map
regtype=linux,bus=pci,id=1077:2400 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:2422 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:2432 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:2532 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:8001 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:8021 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:8432 0000:0000,driver=qla2xxx,class=storage
Edit the file etc/vmware/driver.map.d/qla2xxx.map and add the line:
regtype=linux,bus=pci,id=1077:5432 0000:0000,driver=qla2xxx,class=storage
So your qla2xxx.map will be:
cat etc/vmware/driver.map.d/qla2xxx.map
regtype=linux,bus=pci,id=1077:2400 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:2422 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:2432 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:2532 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:5432 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:8001 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:8021 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:8432 0000:0000,driver=qla2xxx,class=storage

rm scsi-qla
mv scsi-qla.v00 scsi-qla.v00.ini
tar -zcvf scsi-qla etc usr
vmtar -v -c scsi-qla -o scsi-qla.v00
cp scsi-qla.v00 /bootbank/scsi-qla.v00
That's all. Restart your server and, if all goes well, you should see this (note the vmhba at the end):
000:011:00.0 Serial bus controller: QLogic Corp SP232-based 4Gb Fibre Channel to PCI Express HBA [vmhba2]
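As an added example (not the post's own commands), the edit to qla2xxx.map done as a script: it adds the SP232 id 1077:5432 only if the map does not already carry it, so a second run does not duplicate the line, and keeps the ids sorted like the listing above. The map contents are a constructed copy of the listing, written to a temporary file rather than the unpacked tardisk; the driver name argument is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: edit qla2xxx.map the way
# the post does by hand, but idempotently (no duplicate line on a second
# run) and with the ids kept in the sorted order the post's listing shows.
# The line format is the one printed in the post; the driver name is a parameter.

# Does the map already carry a line for this PCI vendor:device id?
map_has_id() {
    # $1 map file, $2 id such as 1077:5432
    grep -q "^regtype=linux,bus=pci,id=$2 0000:0000," "$1"
}

# Append a driver.map.d line for the id unless it is already there, then
# re-sort so the new id lands between its neighbours as in the post.
add_pci_id() {
    # $1 map file, $2 vendor:device id, $3 driver name (qla2xxx here)
    if map_has_id "$1" "$2"; then
        return 0
    fi
    printf 'regtype=linux,bus=pci,id=%s 0000:0000,driver=%s,class=storage\n' "$2" "$3" >> "$1"
    sort -o "$1" "$1"
}

# Number of map lines, to show the file grew by exactly one.
map_lines() {
    wc -l < "$1" | tr -d ' '
}

# Constructed copy of the original qla2xxx.map contents printed in the post.
MAP=$(mktemp)
cat > "$MAP" <<'EOF'
regtype=linux,bus=pci,id=1077:2400 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:2422 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:2432 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:2532 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:8001 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:8021 0000:0000,driver=qla2xxx,class=storage
regtype=linux,bus=pci,id=1077:8432 0000:0000,driver=qla2xxx,class=storage
EOF

# The SP232 id from lspci (1077:5432), added once; the second call is a no-op.
add_pci_id "$MAP" 1077:5432 qla2xxx
add_pci_id "$MAP" 1077:5432 qla2xxx
cat "$MAP"      # 8 lines, 1077:5432 now sits between 2532 and 8001
```

Run against the unpacked etc/vmware/driver.map.d/qla2xxx.map, this replaces the manual edit before the tar/vmtar repack; keep in mind that an ESXi update shipping a new scsi-qla.v00 overwrites the bootbank file, so the change has to be redone after patching.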

Tuesday, May 15, 2012

NETSCREEN: NAT DEST

When it comes to DNAT, there are in fact three ways to do it:

- MIP: this method is the simplest, but also the greediest, because you reserve a whole IP,
and in reality there is no PAT (port translation), just NAT (address translation).

- VIP: a simplified method for doing PAT and DNAT, but if you already have a MIP configured on an IP address,
you will not be able to configure the VIP.

- Policy Based NAT: the most complicated method but also the most flexible; DNAT requires strict rules.

- Interface based NAT: not applicable to DNAT.

The precedence of the methods is as follows:

MIP -> VIP -> Pol.NAT -> Int.NAT

This means that if an IP X is both in a MIP rule and in a policy,
only the MIP will be applied. If an IP Y is in a VIP and in a policy, only the VIP will be applied.

So you cannot perform a port translation on an IP already used in a MIP. If you really want to do it,

you will have to unconfigure the MIP, then recreate all the translations with Policy Based NAT, generally with double policies,
because MIPs do both SNAT and DNAT.

NOTE FOR DNAT:

Reminder for ScreenOS: packet processing happens as follows:

-1- session lookup
-2- route lookup
-3- policy lookup

Since the route lookup happens before the policy lookup, there _MUST_ be a route that exists in the packet's destination zone.

An example always being clearer, here is one using Pol-NAT:

Take a setup as follows:

Zone Trust:   interface e1/1, IP:10.1.20.1/24
Zone Untrust: interface e1/8, IP:1.1.10.1/24

We want to publish the address of an internal resource such that:

Public Addr: 1.1.10.20
Private Addr: 10.1.20.5

Steps to do so:

1: Configure the address book (public addr in the private zone ==> pre-translation)

    set address Trust MyPCPublic 1.1.10.20/32

2: Be reachable: choose either method A or method B:

2a: set interface e1/1 ip 1.1.10.1/24 secondary
2b: set route 1.1.10.20/32 int e1/1

3: Configure the policy, with port translation:

set policy from untrust to trust any MyPCPublic http nat dest ip 10.1.20.5 port 8080 permit

4: Check the result after testing with a 'get session'.

Netasq: access problem on the French tax site (NOT ACCEPTABLE) with the HTTP proxy in v9.x

NETASQ Firewall

If you get this error message when a client connects over HTTP to the tax site (any section of impots.gouv.fr, for example "espace particulier"):

NOT ACCEPTABLE
The requested URL could not be retrieved
________________________________________
The requestor is not willing to accept the available resource. This is probably due to an Accept-Encoding header on the request. The standard available Content-Encodings are: gzip, compress, deflate and identity. Footprint 4.8/FPMCP
________________________________________
Generated Wed, 09 May 2012 15:01:03 GMT by 4.26.232.254 (Footprint 4.8/FPMCP)

Here is the command line that gets past this error. (Note: the "01" in /Firewall/ConfigFiles/Protocols/http/01 corresponds to the slot of the outgoing profile; if you use another one, adapt the command.)

setconf /Firewall/ConfigFiles/Protocols/http/01 Proxy EncodingFilter 00
enproxy


Thursday, January 12, 2012

Juniper: SRX / J-Series: Configure syslog to enable web policy log

JUNOS J-Web Policy Log display
So, you've just installed a new SRX in place of your NetScreen, so you go through Config / Security / Policy FW and add a new policy, ticking the logging check-boxes session-init and session-close.
You start some traffic that matches the policy, go back to J-Web to view the policy logs... and find nothing! Why????
This is because you first need to configure syslog in a special way so that J-Web can display the logs.
As you may or may not know, all components of the JUNOS config work internally with XML. So you need to create an XML syslog file.
Two ways to do so:
- directly with the jweb,
- manually with cli.

CLI Method
Under the CLI, in configuration mode, you have to configure this:
[edit system syslog]
root@gwoob#
file policy_session {
    user info;
    match RT_FLOW;
    archive size 1000k world-readable;
    structured-data;
}

by entering the commands:
set system syslog file policy_session user info
set system syslog file policy_session match RT_FLOW
set system syslog file policy_session archive size 1000k
set system syslog file policy_session archive world-readable
set system syslog file policy_session structured-data

J-Web Method
If you have no logs under Monitor / Event and Alarms / Security Event,
you have to click the button "Create log configuration" in the middle panel (same path: Monitor / Event and Alarms / Security Event).

Now you will be able to see the policy logs.

Phil.