This post is about the Virtual IP (VIP) section of the FortiGate. I learnt something here that is not obvious behaviour, one of those ‘remind me later’ moments.

VIPs are essentially Destination Network Address Translation (DNAT) objects: for sessions matching the VIP, the destination address (and optionally the port) is translated to the mapped internal address before the session is evaluated against the firewall policy. Let us go through some examples.

The diagram that accompanied this post is not reproduced here; it showed 10.10.10.10 as the internal host mapped by a VIP with external address 203.0.113.22, on a WAN interface addressed 203.0.113.10. The first non-obvious point: with a static one-to-one VIP in place and NAT enabled on the outbound policy, all connections going out from 10.10.10.10 are source-translated to 203.0.113.22 (the VIP’s external address) and not to 203.0.113.10 (the interface address). A one-to-one VIP works in reverse as a source NAT for the mapped host.


Now, this is where it gets tricky and deviates from what you would expect of a firewall. With the policy list shown below (figure not reproduced), you would assume that no connections are allowed into the LAN (internal_network), because a deny policy sits at the top of the list. But VIPs live up to their name (very important IP) and users can still reach the web server. The reason is that the VIP translates the destination before the policy lookup, and a policy whose destination is ‘all’ does not match DNATed traffic unless match-vip is enabled on it; the deny policy is skipped and the lookup continues down to the accept policy that references the VIP. The check a practitioner wants: to block traffic to a VIP, either enable match-vip on the deny policy or use the VIP object itself as that policy’s destination.
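As an added example (not from the original post), here is the CLI form of that scenario: the VIP, an explicit accept for it, a catch-all deny that really does catch VIP traffic, and the outbound policy whose source NAT uses the VIP address. The object and policy names (vip-webserver, allow-web-vip, deny-inbound, lan-out) and the interface names wan1 and internal are assumptions; option names are as in FortiOS 6.x, so verify them against your version’s CLI reference. Lines beginning with # are annotations, not FortiOS commands.

```text
config firewall vip
    edit "vip-webserver"
        set extintf "wan1"
        set extip 203.0.113.22
        set mappedip "10.10.10.10"
    next
end

config firewall policy
    # Position 1: the one inbound exception, referencing the VIP object itself.
    edit 1
        set name "allow-web-vip"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-webserver"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # Position 2: catch-all deny. Without match-vip this policy never sees
    # traffic whose destination a VIP already translated, so any other VIP
    # added later would be reachable even though "deny all" sits here.
    edit 2
        set name "deny-inbound"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
    # Outbound with NAT: sessions from 10.10.10.10 leave as 203.0.113.22
    # (the VIP external address), not as the wan1 address 203.0.113.10.
    edit 3
        set name "lan-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

A quick way to confirm the behaviour on a live box is to look at the session table after a test connection (diagnose sys session list) and check which policy ID the session matched and what the translated source address is.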





CWNA

I managed to get my CWNA certification today, on my 2nd attempt. The first attempt, a few months ago, was a failure.

Failed Attempt: 53%

Passed Attempt: 82%

Below are a few tips which I would like to share so that you get the most out of this certification.

It is quite beneficial if you already work for a network/wireless service provider or manage a wireless network for a company. Being in such a position certainly pays off and makes it easier to join the pieces of this puzzle.

This course will require some monetary investment. I managed to get some certification videos. Though the videos are for the old CWNA course, the majority of the conceptual material does not change between revisions. Here is the link: https://www.udemy.com/certified-wireless-network-administrator-cwna/

There are no video training courses available on CBT Nuggets or INE as of today. I did check with CBT Nuggets via Twitter, but they do not have any official dates for it.

So back to the actual course curriculum. It is highly beneficial to check the course outline and objectives: https://www.cwnp.com/uploads/cwna-107-objectives-2017.pdf You can also check what changed from CWNA-106 so that you can prepare better: https://www.cwnp.com/uploads/cwna-107-what-changed-2017.pdf

It would be a good buy to get the new Sybex CWNA official study guide: https://www.wiley.com/WileyCDA/WileyTitle/productCd-1119425786,miniSiteCd-SYBEX.html

This one is quite a thick book, with over 1000 pages. I guess this book will be used throughout your wireless career as a reference guide and a starting point for everything wireless. Some great work by the two Davids, Westcott and Coleman. When you buy the book you also get online flash cards and practice test questions, valid for 1 year, which you can use to further strengthen your knowledge.

It is worth downloading the common terms used in the exam and the book: https://www.cwnp.com/wp-content/uploads/pdf/cwnp_exam_terms.pdf

I read about 1-2 chapters per week. The book might give you a feeling of information overload every once in a while. Other resources I used during preparation were the podcasts listed below.

  1. CleartoSend – https://www.cleartosend.net/
  2. WLAN Professional – https://www.wlanpros.com/
  3. Packet Pushers – https://packetpushers.net/
  4. WiFi for Beginners – https://wififorbeginners.com/category/podcast/

Twitterati (Twitterverse/Twitter users) – I would highly recommend joining and following the wireless enthusiasts. Thankful to the wireless online community! Many of them have vast industry experience and certifications, which go a long way in helping and coaching someone who is new to the wireless domain.

Slack groups I would recommend –
wi-fipros.slack.com
cleartosend.slack.com

All the best with your CWNA study and the exam! Buy the exam voucher directly from the CWNP website (https://www.cwnp.com/cwna107v/) rather than via Pearson VUE; I saved USD 50 by doing so.

I am on to the next adventure, CWAP, and will try to blog more often about what I learn from the course study.


Wireless has somehow made it onto the hierarchy of human needs and has become mission-critical for most businesses around the world. Proper RF and QoS design is the only way to ensure real-time apps get an acceptable QoE (Quality of Experience).

Wireless environments are a half-duplex shared medium, so they are quite susceptible to collisions. One of the biggest challenges for 802.11 networks is that a station cannot detect that a collision even occurred (a radio cannot listen while it transmits), which is why 802.11 relies on collision avoidance and acknowledgements rather than collision detection.

802.11e was introduced to bring QoS to Wi-Fi:

• EDCA was introduced by IEEE 802.11e in 2005, and has been adopted by the Wi-Fi Alliance as Wi-Fi Multimedia (WMM).
• WMM is now a mandatory part of modern Wi-Fi.
• 802.11a/b/g are based on DCF (no QoS).
• 802.11n/ac are based on EDCA (QoS is supported; WMM is required to use the HT/VHT data rates).

NOTE: This post describes QoS in general; the concepts apply to any networking domain.

Latency, Jitter, and Loss

The quality of a network transmission is a result of three things:

■ Latency
■ Jitter
■ Loss

Latency is how long it takes for a packet to be received by the endpoint after it is sent from the source; it is also referred to as delay. In a controller-based WLAN, asymmetrical tunneling after a Layer 3 roaming event between controllers can add delay, which is why symmetrical mobility tunneling is the recommended configuration.

Delay can be broken into two parts:

■ Fixed delay: The time it takes to encode and decode the packets plus the time it takes for the packet to propagate across the network; it does not change with load.

■ Variable delay: Caused by network conditions. If the network is highly utilized at certain times of the day, the variable delay would be higher at those times than others.

Jitter is the value that results from the difference in end-to-end latency between packets. If a packet takes 50 ms to traverse the network and the next packet takes 100 ms, you have a jitter value of 50 ms.

Loss is the fraction of transmitted packets that never reach the endpoint: packets sent minus packets received, divided by packets sent. (The ratio of received to sent is the delivery ratio, the complement of loss.)

Correct Packet Marking

Depending on the traffic flow, a packet can be classified and marked (tagged); the marking is what lets each hop prioritise the packet, so it directly affects how the flow is treated. Efforts should be made to ensure that QoS policies are applied end to end, which means WLAN Controller > Core Switch Ports > Access Switch Ports > AP Ports, so that a marking is not stripped or remapped along the way.

Upstream and Downstream QoS

It is important to understand the terminology and direction of the traffic flow to and from the AP and the controller. You have both upstream and downstream QoS:

Radio downstream: Traffic leaving the AP and travelling to the WLAN clients.

Radio upstream: Traffic leaving the WLAN clients and travelling to the AP. Enhanced Distributed Channel Access (EDCA) rules provide the upstream QoS settings for WLAN clients.

Network downstream: Traffic leaving the controller and travelling to the AP. QoS can be applied at this point to prioritise and rate-limit LWAPP/CAPWAP traffic to the AP.

Network upstream: Traffic leaving the AP and travelling to the controller.

Wi-Fi Multimedia

WMM is a Wi-Fi Alliance certification that applies to both clients and APs. Its features were taken from the 802.11e draft.

Each of the four WMM queues competes for the wireless bandwidth available on the channel. The four queues (access categories) are Background, Best Effort, Video and Voice. WMM uses Enhanced Distributed Channel Access (EDCA) to handle the queued traffic: each access category contends with its own arbitration interframe space and contention window, so higher-priority categories statistically get to transmit first. If frames from different access categories within the same station reach the end of their backoff at the same time (an internal collision), the frame with the higher priority is sent. The lower-priority frame adjusts its backoff parameters as though it had collided with a frame external to the queuing mechanism.
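An added example covering both the packet-marking paragraph and the WMM paragraph above (it is not code from the original post): it maps a wired DSCP marking to an 802.11 User Priority and then to the WMM access category, and models how EDCA resolves an internal collision between two access categories of one station. The UP-to-AC table and the per-category contention parameters are the defaults from the 802.11-2016 standard for a non-AP station; the DSCP-to-UP rule is the common “keep the three high-order bits” default with the RFC 8325 correction for EF, and the collision scenario is constructed.

```python
"""DSCP -> 802.11 User Priority -> WMM access category, and EDCA internal-collision
resolution between a station's four access categories."""
import random

# 802.11-2016 Table 10-1, UP -> access category. UP 1 and 2 (background) rank
# BELOW UP 0 (best effort): the UP value is not a straight priority order.
UP_TO_AC = {1: "BK", 2: "BK", 0: "BE", 3: "BE", 4: "VI", 5: "VI", 6: "VO", 7: "VO"}
AC_RANK = {"BK": 0, "BE": 1, "VI": 2, "VO": 3}  # higher rank wins an internal collision

# Default EDCA parameters for a non-AP station (802.11-2016 Table 9-137) with
# aCWmin = 15 and aCWmax = 1023, the values used by the OFDM PHYs.
EDCA = {
    "BK": {"cwmin": 15, "cwmax": 1023, "aifsn": 7},
    "BE": {"cwmin": 15, "cwmax": 1023, "aifsn": 3},
    "VI": {"cwmin": 7, "cwmax": 15, "aifsn": 2},
    "VO": {"cwmin": 3, "cwmax": 7, "aifsn": 2},
}
DSCP_EF = 46  # Expedited Forwarding, the usual voice marking on the wire


def dscp_to_up(dscp, rfc8325_voice=True):
    """Map a DSCP value to an 802.11 User Priority.

    The widespread default keeps the three high-order DSCP bits (the old IP
    precedence). That puts EF (46, voice) into UP 5 = AC_VI instead of AC_VO,
    the classic end-to-end marking mismatch; RFC 8325 recommends EF -> UP 6.
    """
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if rfc8325_voice and dscp == DSCP_EF:
        return 6
    return dscp >> 3


def classify(dscp, rfc8325_voice=True):
    """Return (UP, access category) for a frame carrying the given DSCP."""
    up = dscp_to_up(dscp, rfc8325_voice)
    return up, UP_TO_AC[up]


def new_station_state(rng):
    """Per-AC contention state: current CW and a backoff drawn from [0, CW]."""
    return {ac: {"cw": p["cwmin"], "backoff": rng.randint(0, p["cwmin"])}
            for ac, p in EDCA.items()}


def resolve_internal_collision(ready_acs, state, rng):
    """Several ACs of one station reached backoff 0 in the same slot.

    The highest-priority AC gets the transmit opportunity. Each loser reacts as
    if it had collided on the air: its CW doubles (2*CW+1, capped at its CWmax)
    and a fresh backoff is drawn from the enlarged window. Returns the winner.
    """
    winner = max(ready_acs, key=lambda ac: AC_RANK[ac])
    for ac in ready_acs:
        if ac == winner:
            continue
        cw = min(2 * state[ac]["cw"] + 1, EDCA[ac]["cwmax"])
        state[ac]["cw"] = cw
        state[ac]["backoff"] = rng.randint(0, cw)
    return winner


def simulate_be_vs_vo(rounds, seed=1):
    """Constructed scenario: BE and VO of one station collide internally `rounds`
    times in a row. Returns (winner, BE CW, VO CW) after each collision."""
    rng = random.Random(seed)
    state = new_station_state(rng)
    history = []
    for _ in range(rounds):
        winner = resolve_internal_collision({"BE", "VO"}, state, rng)
        history.append((winner, state["BE"]["cw"], state["VO"]["cw"]))
    return history


if __name__ == "__main__":
    for dscp in (0, 8, 24, 34, 46):
        up, ac = classify(dscp)
        print(f"DSCP {dscp:2d} -> UP {up} ({ac}); plain shift -> {classify(dscp, False)[1]}")
    for winner, be_cw, vo_cw in simulate_be_vs_vo(8):
        print(f"winner {winner}; BE CW now {be_cw}, VO CW {vo_cw}")
```

The simulation makes the post’s last sentence concrete: voice wins every internal collision, while best effort keeps doubling its contention window (15, 31, 63 ... 1023) until it hits CWmax, exactly as it would after repeated on-air collisions. The DSCP part is the check to run on your marking policy: with the plain bit-shift, EF voice lands in the video queue and the AP never gives it AC_VO treatment.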


This one will be short. The outcome of intermittent fasting has been positive. I have now successfully adapted to the routine of intermittent fasting. I do a mix of the 20/4 and 16/8 methods and follow them at least 4 days a week, with the other 3 days being normal, or what are considered cheat days.

Bear in mind that even though 3 days are referred to as cheat days, I do not actually end up cheating the whole time. I still aim for portion control and eat more slowly, with the emphasis on choosing better-quality food rather than quantity. I am also limiting the intake of processed and sugary foods in particular. I can happily say that I have managed to lose at least 4.5 kg so far in the past 3 months. I have also lost 1.5 inches off my waist, which lets me wear some good old trousers again. The next update will be close to the 6-month mark at the end of July 2019.

CWNA Chapter 2 – IEEE 802.11 Standards and Amendments.

“Defined” means the amendment either no longer exists as a separate document or was rolled into the 802.11-2007 revision (or an earlier one). “Defines” means a ratified amendment that had not yet been rolled into a revision when this list was compiled (most of these have since been folded into 802.11-2012 and 802.11-2016). “Will define” means it was still a work in progress and not yet ratified at that time.

802.11-1997 (sometimes called 802.11 “prime”) — the original 802.11 specifications included the base functionality along with FHSS and DSSS PHYs.

802.11a — Defined OFDM usage in 5 GHz with data rates up to 54 Mbps.
802.11b —Defined 5.5 and 11 Mbps with HR/DSSS in 2.4 GHz.
802.11c — Defined MAC bridging for 802.11. Was incorporated into 802.1D.

802.11-1999 rolled up 802.11 prime with new enhancements.

802.11d — Defined 802.11 operation in new regulatory domains.
802.11e — Defined QoS
802.11F — Recommended practice for the Inter-Access Point Protocol (IAPP), intended for interoperability between different vendors’ products. It saw little adoption and has since been withdrawn.

Note: A capital letter designates a recommended practice standalone standard (similar to 802.1X). A lowercase letter designates an amendment to a parent standard. Hence, 802.11F was designed to be a standalone document (and also happened to be a recommended practice), not a part of the full 802.11 standards. This is often a confusing topic in standards naming.

802.11g — Defined ERP PHY, which introduces data rates up to 54 Mbps in 2.4 GHz.

802.11-R2003 rolled up 802.11-1999 and prior amendments, excluding 802.11e.

802.11h — Defined Dynamic Frequency Selection (DFS) for radar detection and avoidance in some 5 GHz bands. Also defined Transmit Power Control (TPC) for managing client transmit power.
802.11i — Defined security enhancements including TKIP, CCMP, and use of 802.1X with WLANs.
802.11j — Defined 4.9 – 5 GHz operation in Japan.

802.11-2007 rolled up 802.11-R2003 with prior amendments.

802.11k — Defines radio resource management processes for RF data collection and sharing.
802.11l — Due to potential confusion between an “l” (letter) and “1” (number), 802.11l was bypassed.
802.11m — Was used as a maintenance amendment that updated inaccuracies, omissions, and ambiguities.
802.11n — Defines High Throughput (HT) PHY with MCS rates up to 600 Mbps in 2.4 GHz and 5 GHz.
802.11o — For similar reasons as 802.11l, 802.11o was bypassed. ‘Is that an “o” (letter) or a “0” (number)? I don’t know, let’s just skip it.’
802.11p — Defines wireless access for the vehicular environment (WAVE).
802.11q — Due to potential confusion with 802.1Q, 802.11q was bypassed.
802.11r — Defines fast BSS transitions (fast secure roaming). Maybe one of these days we’ll use it.
802.11s — Will define 802.11 mesh internetworking.
802.11T — Specified a way to test wireless performance prediction. Remember, capital letters are recommended practices standalone standards. 802.11T was canceled.
802.11u — Will define internetworking with external networks, such as cellular.
802.11v — Will define enhancements for network management.
802.11w — Defines protected management frames to prevent some security vulnerabilities.
802.11x — 802.11 technologies as a whole are often referred to as 802.11x, so this amendment was bypassed.
802.11y — Defines use of OFDM in 3650-3700 MHz.
802.11z — Defines enhancements to Direct Link Setup, which has seen very little use.
802.11aa — Will define enhancements to video transport streams.
802.11ab —Was bypassed to avoid confusion with devices using 802.11a and 802.11b PHY technologies, which are often abbreviated as 802.11ab.
802.11ac — Will define Very High Throughput (VHT) with gigabit speeds, building on 802.11n MIMO technology.
802.11ad — Will define short range Very High Throughput (VHT) in the 60 GHz spectrum.
802.11ae — Will define enhancements for QoS management.
802.11af — Will define the usage of Wi-Fi in newly opened TV whitespace frequencies.
802.11ag — Similar to 802.11ab, 802.11ag was skipped to avoid confusion with devices using 802.11a and 802.11g PHY technologies, which are often abbreviated as 802.11ag.
802.11ah — Will define the usage of Wi-Fi in frequencies below 1 GHz. Also used as an expression of Wi-Fi pleasure. 802.11…ah!
802.11ai — Will define FILS (fast initial link setup). Designed to address challenges in high-density environments which a large number of mobile users face.
802.11aj – Will define modifications to the IEEE 802.11ad-2012 amendment’s PHY and MAC layer to provide support to the Chinese Millimeter Wave (CMMW).
802.11ak – Will define amendment to General Link for use in bridged networks.
802.11aq – Will define delivery of network service information prior to the association of stations on 802.11 networks.
802.11ax – Will define HE(High Efficiency). Expected to be next big PHY enhancement to the 802.11 standards. Operate in both 2.4/5GHz.
802.11ay – Will define improvement of an 802.11ad amendment providing faster speeds.
802.11az – Will define Next Generation Positioning (more accurate ranging between stations); still in progress at the time of writing.


Overview of Wireless Standards, Organisations and Fundamentals.

4 key organisations involved with the wireless networking industry:

– Regulatory domains: the FCC in the US and its counterparts elsewhere, such as ACMA (Australia) and ARIB (Japan), with the ITU-R coordinating spectrum use globally. The FCC regulates communications from, to and within the US. Both licensed and unlicensed communications are typically regulated in the following areas: frequency, bandwidth, maximum power of the intentional radiator (IR), maximum equivalent isotropically radiated power (EIRP), use (indoor and/or outdoor), and spectrum sharing rules.

– IEEE – the 802.11 working group is responsible for creating the WLAN standard.

– IETF – international community of people whose goal is to make the Internet work better; it defines the IP-layer protocols that run over WLANs.

– Wi-Fi Alliance – global, non-profit organisation of more than 550 member companies devoted to making wireless communication better. Its main task is to ensure interoperability of WLAN products through certification testing.

ISO – international Organisation for Standardisation. 

OSI model – Open Systems Interconnection (APSTNDP)

Application Layer 7- WWW browsers, NFS, SNMP, Telnet, HTTP, FTP
Presentation Layer 6 – Include encryption, ASCII, TIFF, GIF, JPEG, MPEG, etc..
Session Layer 5 –  NFS, NetBIOS names, RPC, SQL
Transport Layer 4 – TCP, UDP 
Network Layer 3 – Provides switching and routing technologies, creates logical paths, known as virtual circuits.
Data Link Layer 2 -The MAC layer and the Logical link control (LLC) layer. IEEE 802.3, ATM, Frame Relay.
Physical Layer 1 – Cables, Ethernet, Fibre, etc.

The 802.11-2016 standard defines communication mechanism only at the Physical and the MAC sublayer of the Data-Link layer of the OSI model. 

Communications Terminology 

Simplex – Device is either capable of transmitting or receiving.
Half-Duplex- Capable of transmitting and receiving but not at the same time. Only 1 device can transmit at a time.
Full- Duplex – Capable of transmitting and receiving at the same time.

Radio Frequency Fundamentals 

1. Amplitude – the height, force or power of the wave.
2. Wavelength – the distance between similar points on two back-to-back waves.
3. Frequency – how many waves (cycles) are generated over a period of time, measured in hertz (cycles per second). It describes how fast the wave oscillates, not how fast it travels: all radio waves propagate at the speed of light, so the higher the frequency the shorter the wavelength.
4. Phase – a relative term: the relationship, expressed in degrees, between two waves of the same frequency.

Keying methods (how data is modulated onto the carrier wave):

1. Amplitude-Shift Keying – the data changes the amplitude of the carrier.
2. Frequency-Shift Keying – the data changes the frequency of the carrier.
3. Phase-Shift Keying – the data changes the phase of the carrier; the 802.11 PHYs use phase-shift keying (BPSK, QPSK) and, for the higher data rates, QAM, which varies both amplitude and phase.

EXAM ESSENTIALS 

1. Know the 4 Industry Organisations
2. Understand core, distribution and access layer
3. Explain the difference between simplex, half-duplex, and full duplex.
4. Understand Wavelength, Frequency, Amplitude & Phase.
5. Keying Methods.


Often we come across a website whose certificate does not match the site or is not trusted. The browser presents a warning message and the option to proceed at your own risk; the screenshot that accompanied this post (a very common sight) is not reproduced here.

Many applications and websites use SSL/TLS correctly, so the traffic is encrypted end to end. That encryption also hides threats: a user can unknowingly download a malicious file during an HTTPS e-commerce session, or receive a phishing attachment over secure email, and because the traffic is encrypted it bypasses network security controls that can only inspect cleartext. SSL inspection addresses this by having the firewall hold the keys needed to decrypt the session, examine the packets for possible threats and block them.

With deep inspection, the FortiGate impersonates the server toward the client (and the client toward the server): it terminates the client’s TLS session, decrypts and inspects the content, then re-encrypts it on a second session between the FortiGate and the real server. The certificate presented to the client comes from the FortiGate’s own certificate store. Two practical consequences follow: clients must trust the CA the FortiGate re-signs with, otherwise every inspected site shows exactly the warning from the first paragraph; and applications that pin their server certificate will fail rather than warn, so they need to be exempted.

There are 2 methods of deployment being used for SSL inspection.

Multiple clients connecting to multiple servers – Uses a CA certificate on the FortiGate to re-sign each server certificate on the fly. Applied to outbound policies whose destinations are unknown servers or websites.

Protecting an SSL server – Uses the server’s own certificate and private key installed on the FortiGate, so clients see the genuine certificate. Typically used for inbound policies (usually together with a VIP) that publish that server.
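As an added example (not from the original post), the two deployment methods expressed as SSL/SSH inspection profiles in the FortiGate CLI. The profile names, the name of the imported server certificate (webserver-cert) and the exact option names (as in FortiOS 6.x; verify against your version’s CLI reference) are assumptions; Fortinet_CA_SSL is the built-in default CA. Lines beginning with # are annotations, not commands.

```text
config firewall ssl-ssh-profile
    # 1) Multiple clients -> many unknown servers (outbound policies):
    #    the FortiGate re-signs each server certificate with its own CA.
    #    Clients must trust this CA (distribute it via GPO/MDM), or every
    #    inspected site shows the certificate warning from the first paragraph.
    edit "deep-inspection-outbound"
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        config https
            set ports 443
            set status deep-inspection
        end
    next
    # 2) Protecting one SSL server (inbound policies, normally with a VIP):
    #    the server's real certificate and private key are imported on the
    #    FortiGate and presented unchanged, so no client-side trust change
    #    is needed. The private key now lives on the firewall; protect it.
    edit "protect-web-server"
        set server-cert-mode replace
        set server-cert "webserver-cert"
        config https
            set ports 443
            set status deep-inspection
        end
    next
end
```

Each profile is then referenced from the matching firewall policy (set ssl-ssh-profile together with the security profiles that should see the decrypted content). A quick check from a client is to open a known site and look at the issuer of the served certificate: if it is your FortiGate CA rather than the public CA, inspection is in the path.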


A couple of days ago I had the opportunity to set up Cisco Mobility Express for one of our clients. Mobility Express lets you deploy and manage a wireless LAN with one of the APs on the network acting as the controller, without a separate controller appliance. Here’s how Cisco describes it in layman’s terms –

“Mobility Express integrates wireless LAN (WLAN) controller functions into the Cisco Aironet 3800, 2800, 1850, 1830, 1815, 1560 and 1540 Series Access Points. As such, Mobility Express is the latest in a series of Cisco efforts to turn WLAN controllers into a software function that any network component can host. Cisco controller capabilities also can be housed in standalone appliances (Cisco Wireless LAN Controllers, or WLCs), Cisco switches, Cisco routers, a private cloud, and a public cloud.”

I started by converting the first AP to Mobility Express; in my case a Cisco 3800 indoor AP. You will need either a PoE+ capable switch or a PoE+ injector. With only a standard PoE injector the conversion itself still works, but the radios will receive insufficient power to come up, so you cannot test the solution.

Also remember: when converting to the Mobility Express image, the access point must not join an existing WLC in your network.

Download the Mobility Express image from www.cisco.com; you will need a Cisco account with a valid entitlement to download it. Connect the console and Ethernet cables to their interface ports; Ethernet will also power the AP through the injector. Plug the Ethernet cable from the network switch into the data port of the PoE injector and apply power to the injector. Log in to the AP via the console with the default username and password (Cisco / Cisco).

Check that the AP has been assigned an IP address from the DHCP server on your network. In my case I configured a DHCP scope on the switch and let the AP pick up a newly assigned lease. Set up your TFTP server (I used Tftpd64) and point it at the folder that contains the Mobility Express image.

From the command line of the AP, enter the following to download the image and convert the AP to Mobility Express:

AP#ap-type mobility-express tftp://<TFTP server IP>/<path to tar>/<file>

The transfer will now start; wait for it to complete. Once it has, issue the command “reboot” on the AP so that it extracts the downloaded file and applies the Mobility Express software. After the software is applied it goes through the CLI setup wizard.

Enter “yes” to terminate the auto-install.

Enter your required configuration items in the config wizard.

Enter all the details for the management interface IP, netmask, default gateway etc., and set up the SSID and provisioning. These settings can also be done later from the GUI. The AP will reboot with the settings.

I managed to add 3 APs in the network and complete the setup.


  • 5G is the 5th generation of mobile wireless technology.
  • 5G is a software-defined network.
  • Around 10x faster than 4G: downloading a 2-hour film takes about 26 hours on 3G, 6 hours on 4G, and around 4 seconds on 5G.
  • Faster response times: around 0.045 s (45 ms) on 4G versus 0.01 s (10 ms) on 5G.
  • The foundation for VR, IoT and autonomous driving; online gaming is just the start.
  • Might only start appearing in production in late 2019 or early 2020.

TECHNOLOGIES

Millimeter Waves – Broadcast at frequencies between 30 and 300 GHz, compared with the bands below 6 GHz used for mobile devices in the past. They are called millimeter waves because their wavelength is between 1 and 10 mm, compared with the radio waves serving today’s smartphones, which measure tens of centimetres. They carry far more data but are easily blocked by buildings, foliage and rain, which is why the next items are needed.

Small Cells – Mini base stations that relay signals around obstacles. While traditional cell networks have also come to rely on an increasing number of base stations, achieving 5G performance will require far denser infrastructure.

Massive MIMO – Base stations with up to around 100 antenna ports, increasing network capacity by a factor of 22 or more. That many antennas radiating at once causes more interference, which the next point helps with.

Beamforming – The base station sends directional, focused signals instead of broadcasting in all directions. Beamforming helps massive MIMO arrays, which are base stations with dozens or hundreds of individual antennas, make more efficient use of the spectrum around them.

Full Duplex – A basic antenna can either send or receive at any one moment, but 5G aims to send and receive on the same frequency at the same time. It is like a single-track railway line that gains a passing loop at each station, so a train can go through in each direction.

I am going slightly off topic here by not posting about IT-related stuff. This is IF, the world of fasting/intermittent fasting. I was intrigued by the idea of intermittent fasting. It fascinated me to realise that my grandparents were indeed following this regimen by default. They used to be up early (5-6 am), have tea and then have an early lunch or late breakfast around 11:30-12. They had a snack/tea around 3 pm and then dinner around 6-7 pm. This is the pattern of 16/8 intermittent fasting: you avoid a heavy dinner and have a late breakfast. Of course my grandparents ate real food like wholegrains, fruits, vegetables and legumes, not fries/soda/pizza with a stuffed cheese crust. They did not indulge in heavy alcohol or resort to the junk food mentioned above either. It goes to show why they are healthier than we are right now.

It goes without saying that the quality of food produced today cannot be compared to what was produced a few decades ago. Population, politics and pesticides, the 3 Ps, have played the major role in the quality of the food we eat today.

Coming back to IF: I started this regime on 29th Jan 2019 and am trying to stick to the routine. So far it has been good. I have also included running in my daily schedule and aim to run a minimum of 4 days a week, averaging 4 km per day. This is the end of week 2; I haven’t seen much change in weight, though feeling less bloated and bulky around the waistline could be the first sign. I have also started eating salad lunches at least 4 days a week and practising portion control at dinner.

I will update again on the progress in the beginning of March.