Notepad++ edit previously opened sessions/files

Sometimes I have so many files, or files that are so large, open in Notepad++ (GitHub) that it stops starting the next time and hangs.

To resolve this, simply delete or edit the session.xml file:
C:\Users\\AppData\Roaming\Notepad++\session.xml 
or
%AppData%\Notepad++\session.xml 

Each entry starting with "<File lang.." and ending with "/>" is a previously opened file. Example:
<File lang="Normal Text" mapIsWrap="
8...] 
firstVisibleLine="0"/> 

Deleting an entry like this stops that file from being reopened automatically the next time Notepad++ starts.
🚩Hint: Delete the last entry; this resolves the issue most of the time.

SonicWALL SD-NAT (loopback NAT) for internal published services

If you have a small network with a SonicWALL firewall and you've published a service to the internet (or another interface/network) using destination NAT (DNAT), you sometimes want to access the same published service using the same (public) address from the inside.

Example:


When SystemB is in the same subnet or same network zone as the API-Gateway and you want to access the API-Gateway address from SystemB, you have several options: use SplitDNS (internal DNS resolution resolves the public FQDN to the internal address), use only public ip-addresses in that network/zone, give the API-Gateway multiple virtual addresses, or use a "loopback NAT", which is a source- and destination-NAT at the same time.

The SonicWALL then changes the destination ip-address of every DMZ packet from the external ip-address of the API-Gateway to the internal ip-address of the API-Gateway and, at the same time, changes the source ip-address from SystemB to its own internal interface ip-address. Changing the source address makes sure that the API-Gateway does not send the traffic directly back to SystemB, but instead to the SonicWALL, which then reverses the destination-NAT for the reply packets.
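The packet walk below is an added example, not part of the original post or any SonicWALL tooling. It models the request and reply with destination NAT only and with the combined source and destination NAT, to show why the reply must pass back through the firewall. All addresses and function names are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

# Constructed addresses (assumptions, not from the original post).
DMZ_NET = ipaddress.ip_network("192.168.50.0/24")
SYSTEM_B = "192.168.50.20"      # internal client in the DMZ
GW_INTERNAL = "192.168.50.10"   # API-Gateway, internal address
GW_PUBLIC = "203.0.113.10"      # API-Gateway, published (public) address
FW_DMZ_IP = "192.168.50.1"      # firewall's own DMZ interface address


class Packet(NamedTuple):
    src: str
    dst: str


def firewall_forward(pkt, source_nat):
    """Translate a request addressed to the published address."""
    if pkt.dst != GW_PUBLIC:
        return pkt
    new_src = FW_DMZ_IP if source_nat else pkt.src
    return Packet(new_src, GW_INTERNAL)


def round_trip(source_nat):
    """Return (reply as SystemB receives it, whether it crossed the firewall)."""
    request = Packet(SYSTEM_B, GW_PUBLIC)
    translated = firewall_forward(request, source_nat)
    reply = Packet(translated.dst, translated.src)  # gateway answers whoever it saw
    # A reply to the firewall's address, or to anything outside the gateway's
    # subnet, goes through the firewall. Other hosts in the subnet are reached
    # directly, so the firewall never sees that reply.
    in_subnet = ipaddress.ip_address(reply.dst) in DMZ_NET
    via_firewall = reply.dst == FW_DMZ_IP or not in_subnet
    if via_firewall:
        # Firewall restores both addresses from its connection table.
        reply = Packet(request.dst, request.src)
    return reply, via_firewall


def client_accepts(reply):
    """SystemB only matches replies from the address it connected to."""
    return reply == Packet(GW_PUBLIC, SYSTEM_B)


if __name__ == "__main__":
    for snat in (False, True):
        reply, via_fw = round_trip(snat)
        print(f"source NAT={snat}: reply={reply}, via firewall={via_fw}, "
              f"accepted={client_accepts(reply)}")
```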

In the SonicWALL NAT-Table this setup looks like this:

Of course you have to set up the matching access rules in the SonicWALL as well. Keep in mind that the SonicWALL internal traffic flow first checks the access rules, then changes the address using the NAT table. So you may have to set up rules like DMZ>DMZ (or LAN>LAN), but with the WAN-address objects as the destination!

I've set this up in many setups for over 10 years with very different SonicWALLs, FortiGates and other Firewalling-devices, and it works well (e.g. tested with SonicWALL on SonicOS3/4/5/6 from TZ-series, NSA-series to SuperMassive-series).
🚩However, keep in mind that opening services using NAT might be a possible security hole (a VPN, for example, might help). Publishing services to the internet should always go through an application reverse proxy like a WAF, API-Gateway or something else; the published services should be hardened, closely monitored, located in a DMZ, and have strong encryption and authentication (mutual TLS). Also I personally prefer to use SplitDNS and different virtual addresses in order to keep the original ip-addresses (not having to use X-Forwarded-For, which might cause lots of logging volume in your logs/logging system/SIEM) etc.

Hardening FortiGate connection to FortiAnalyzer

The FortiGate uses OFTP (Fortinet's proprietary Optimized Fabric Transfer Protocol, not Odette File Transfer Protocol) to transfer data between FortiGates and FortiAnalyzer. For encryption, SSLv3 or TLS is used. In order to harden the connection, use the following commands:

Cfg for FortiAnalyzer 

1. Set TLS to minimum version 1.2:


2. Change FAZ certificate to one using the correct FQDN from your/a public CA:



Debugging can be done using the following commands:


Oftpd daemon test usage:   diagnose test application oftpd <integer>
  • 1: show PID
  • 2: show statistics and state
  • 3: show connected device name and IP
  • 4: show detailed session state
  • 5: show oftp request statistics
  • 6: show cmdb device cache
  • 7: show logfwd thread stats
  • 8: show tasklist statistics
  • 9: show unreg dev cache
  • 10: log cluster bridge stats
  • 20: show forticlent end-user stats
  • 21: rebuild forticlient end-user avatar table
  • 90: reload un-reg device tree
  • 99: restart daemon

FAZ looks like this:
(global)# get
dh-params           : 8192
enc-algorithm       : high
fgfm-ssl-protocol   : tlsv1.2
oftp-ssl-protocol   : tlsv1.2
ssl-low-encryption  : disable
ssl-protocol        : tlsv1.2
ssl-static-key-ciphers: disable
webservice-proto    : tlsv1.2


Cfg for FortiGate


1. Change TLS ciphers to high:

config log fortianalyzer setting
    set enc-algorithm high
end

2. Change Global TLS-Settings

config system global
    set ssl-static-key-ciphers disable
    set dh-params 8192
    set strong-crypto enable
end


Cribl - Change values to lowerCase

Some logs (e.g. Microsoft Azure) sometimes are not fully normalized to all lowercase characters. You can use Cribl to adjust those values by...