Tuesday, November 10, 2009

FortiAnalyzer and traffic monitoring with an HP ProCurve

A client has been seeing unusual traffic volumes on the Internet side of their Fortinet firewall, FortiGate FG-80C.

We connected a FortiAnalyzer to perform traffic analysis.

Scenario:
FA port 1 is the management port, connected to the HP ProCurve in VLAN 1.
FA port 2 is the traffic collection port, connected to the same ProCurve on port 26.
ProCurve ports 21 and 22 are configured as VLAN 2.
The inside port of the router is connected to port 21.
The WAN1 port of the FG is connected to port 22.

Configure the ProCurve:
conf t
no ip routing
mirror-port 26
vlan 2
name "external"
untagged 21-22
ip address
exit
int 21
monitor
exit
int 22
monitor
exit
write mem


Then enable Network Analyzer on the FortiAnalyzer and set Port2 as the mirror port:
config log settings
set analyzer enable
set analyzer-gui enable
set analyzer-quota 10240
set analyzer-interface "port2"
end

(Logoff the GUI and logon to see Network Analyzer under the 'Tools' menu.)

Configure the FortiGate to log to the FortiAnalyzer:
config log fortianalyzer setting
set status enable
set server 192.168.1.99
end


Start the monitor from the FortiAnalyzer
Tools -> Network Analyzer -> Real-Time -> Start

The easy part is done. Now *you* have to figure out what to make out of the logs ;o)




Fix .pdf file association

Windows Explorer has its own file associations, independent of HKCR.

A client needed to replace Foxit Reader with Acrobat Reader on their Citrix servers because some third party software required the Adobe rendering engine. After removing Foxit and installing Acrobat Reader, users couldn't open any .pdf documents from Explorer or Outlook.

First thought was the file type association. FTYPE and ASSOC showed the correct associations, but I reset them anyway:

ftype AcroExch.Document="C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe" "%1"
assoc .pdf=AcroExch.Document

to no avail.

Then I lucked out and realized that on one of the servers, I'd failed to remove Foxit and had installed Acrobat Reader alongside it. Users on that server were still able to open .pdf files, and they were getting Foxit.

A quick registry search for "Foxit" returned several values, including one under the "Progid" value beneath HKCU\Software\Microsoft\Windows\Currentversion\Explorer\FileExts\.pdf

I don't know why Explorer needs a different file association, but deleting it solved the problem and after logoff and logon, users were blissfully (and silently) opening .pdfs with Acrobat Reader.

To delete the key for each user, I added this line to %SystemRoot%\system32\usrlogn1.cmd (it may wrap in this post, but it's all one line):

reg delete "HKCU\Software\Microsoft\Windows\Currentversion\Explorer\FileExts\.pdf" /f

The line could also be added to a domain logon script.

(I initially changed the file type in the registry to point to Acrobat Reader, but then decided to try deleting it altogether. I prefer the deletion, since it appears to force Explorer to look up the HKCR association. If you need the Explorer FileExt entry, this works:

reg add "HKCU\Software\Microsoft\Windows\Currentversion\Explorer\FileExts\.pdf" /v Progid /t REG_SZ /d AcroExch.Document /f
)
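As an added example (not from the original post), here is a PowerShell check that compares Explorer's per-user override for .pdf with the machine-wide HKCR association and only removes the override when the two disagree, so a logon script does not blindly delete a key that is already correct. The UserChoice subkey and the -Enforce switch are assumptions of this example: UserChoice is where newer Windows versions store the same per-user choice, and -Enforce is the example's own dry-run guard.

```powershell
# Added example, not from the original post. Audits the Explorer per-user
# .pdf override (HKCU ...\FileExts\.pdf) against the HKCR association that
# ASSOC/FTYPE report, and removes the override only if it shadows HKCR.
param([switch]$Enforce)   # without -Enforce the script only reports

$ext      = '.pdf'
$fileExts = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext"

function Get-MachineProgId {
    # HKCR\.pdf (Default) holds the ProgID that ASSOC shows, e.g. AcroExch.Document
    $key = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue
    if ($key) { return $key.GetValue('') }
}

function Get-OpenCommand([string]$progId) {
    # HKCR\<ProgID>\shell\open\command (Default) is what FTYPE shows
    if (-not $progId) { return $null }
    $key = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue
    if ($key) { return $key.GetValue('') }
}

function Get-UserProgId {
    # Layout from the post: a "Progid" value directly under FileExts\.pdf.
    $props = Get-ItemProperty -Path $fileExts -ErrorAction SilentlyContinue
    if ($props -and $props.Progid) { return $props.Progid }
    # Assumption for newer Windows: the choice lives in a UserChoice subkey instead.
    $choice = Get-ItemProperty -Path "$fileExts\UserChoice" -ErrorAction SilentlyContinue
    if ($choice -and $choice.ProgId) { return $choice.ProgId }
}

$machine = Get-MachineProgId
$user    = Get-UserProgId

"HKCR  ProgID : $machine"
"HKCR  open   : $(Get-OpenCommand $machine)"
"HKCU  ProgID : $(if ($user) { $user } else { '<none>' })"
"HKCU  open   : $(Get-OpenCommand $user)"

if ($user -and $user -ne $machine) {
    Write-Warning "Per-user override '$user' shadows machine association '$machine'."
    if ($Enforce) {
        # Same effect as the post's 'reg delete ... /f', but only when needed.
        Remove-Item -Path $fileExts -Recurse -Force
        "Removed $fileExts; log off and on for Explorer to pick up HKCR."
    }
}
```

Run it once without -Enforce on an affected server to confirm the override is the Foxit ProgID before adding the -Enforce call to a logon script.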