Friday, November 21, 2014

Interesting recordings on Youtube

PyCon 2014,
33rd Degree Conference

Startup class @ Stanford

It is hard to follow tech news without coming across some of these.

So, just another bookmark!

Walking past Expert Beginner stage

I think I first saw that term when reading through Michael O. Church's "The trajectory of a software engineer… and where it all goes wrong".

A post on Quora linked me to Erik Dietrich's "Expert Beginner" series, which I haven't explored yet.    I quite like the term, so I will definitely catch up with the writing.

Not directly relevant, but the article "The Programmer's Price" is also quite an interesting read.

And "Teach Yourself Programming in Ten Years" by Peter Norvig is also related.

Thursday, November 20, 2014

Stand-alone NTP Server without Internet access

If you ever want to have an NTP server in an environment where there is no Internet access, you can run an NTP server on Linux with the following configuration.

# sudo vi /etc/ntp.conf
# 127.127.1.0 is ntpd's local clock driver; "fudge" sets the stratum it advertises
server 127.127.1.0
fudge 127.127.1.0 stratum 12

# sudo /etc/init.d/ntp restart

Run ntpq to check the local stratum level.  (You can change it to any other level; it doesn't have to be 12 as shown above.)

# sudo ntpq -p

You will also have to adjust the ACL using the "restrict" configuration.  (In this case, allow the NTP server to be accessible from

# sudo vi /etc/ntp.conf
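As an added example (not from the original post), the following shell script generates a complete /etc/ntp.conf for a stand-alone server that serves its own local clock, including the "restrict" lines the post refers to, and a small helper that reads the advertised stratum back out of "ntpq -p" output. The LAN 192.168.10.0/24, the stratum 12 and the sample ntpq output are constructed placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: build an ntp.conf for a
# stand-alone ntpd (no Internet upstream) and check the local stratum.
# The LAN 192.168.10.0/24 and the sample ntpq output below are constructed.

# Print an ntp.conf that serves the local system clock at the given stratum
# and only answers clients from the given LAN.
gen_ntp_conf() {
    stratum="$1"; lan="$2"; mask="$3"
    cat <<EOF
driftfile /var/lib/ntp/ntp.drift

# Undisciplined Local Clock: ntpd serves its own system clock as a reference.
server 127.127.1.0
fudge 127.127.1.0 stratum ${stratum}

# Access control: deny everything by default, then open only what is needed.
restrict default ignore
restrict 127.0.0.1
restrict ::1
# LAN clients may get time, but may not modify ntpd or query its runtime state.
restrict ${lan} mask ${mask} nomodify notrap nopeer noquery
EOF
}

# Read the stratum column ("st") of the LOCAL(0) peer from 'ntpq -p' output
# given on stdin. The leading '*' marks the peer ntpd currently syncs to.
ntpq_local_stratum() {
    awk '$1 ~ /^\*?LOCAL\(0\)$/ { print $3 }'
}

# Constructed sample of what 'ntpq -p' prints on such a server.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        .LOCL.          12 l   14   64  377    0.000    0.000   0.000'

# Usage: write the config, restart ntpd, then verify the advertised stratum.
#   gen_ntp_conf 12 192.168.10.0 255.255.255.0 | sudo tee /etc/ntp.conf
#   sudo /etc/init.d/ntp restart
#   ntpq -p | ntpq_local_stratum      # expected to print 12
printf '%s\n' "$SAMPLE_NTPQ" | ntpq_local_stratum
```

The "restrict default ignore" line is deliberate: a time server that answers anyone on the network is a classic amplification source, so only the LAN subnet is opened, and even that with "noquery" so clients cannot pull ntpd's runtime state.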

On "Introduction to Algorithms"

Algorithms seem to be quite a mainstream discussion topic lately.

In the past week, I found no less than 4 posts relevant to the book "Introduction to Algorithms" from different sources.

And since in general it is all about programming and coding, I will just put the relevant links together for later reading.

  1. Why did CLRS decide to co-author Introduction to Algorithms? How long did it take from beginning to end?
  2. Khan Academy's Algorithms section
  3. There is also another piece of news about a co-author of the "Introduction to Algorithms" book turning to crowdsourcing for input on what to include or exclude in the next edition.  I can't recall where I read it, but the Quora thread in question is here

Installing Java JDK on Ubuntu

I am working on getting vert.x to run in a lab environment as part of my end-to-end troubleshooting effort.    The binary version of vert.x requires a JDK to run.

Therefore, I found myself in need of a working JDK install on my fresh Ubuntu Server.

Essentially, I ran these commands.  (Detailed manual configuration is possible, but I like this short and simple method.)

sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java7-installer
sudo apt-get install oracle-java7-set-default


Initially I had a problem with the 'add-apt-repository' command not being found, but the solution is outlined here -

'add-apt-repository' is part of one of these packages.

sudo apt-get install python-software-properties
sudo apt-get install software-properties-common

So, it is as simple as this!   I like it.


For Debian

echo "deb precise main" | tee -a /etc/apt/sources.list
echo "deb-src precise main" | tee -a /etc/apt/sources.list
apt-key adv --keyserver hkp:// --recv-keys EEA14886
apt-get update
apt-get install oracle-java7-installer

Monday, November 10, 2014

(Windows 7's GNS3 Version 1.1) Step-by-Step JUNOS Olive12.1R1.9.vmdk using QEMU

1. GNS3 Version 1.1’s Preferences

2. QEMU VMs, click “New”

3. Pick the name and just use Default for Type

4. Change RAM to 1024MB  (I didn't try many other amounts of RAM; I also tried it with 256MB, and it seems to boot just fine)  [Note: Running it on QEMU seems to boot slower than running it on VirtualBox.]

5. Browse to the "Disk image (hda)"

6. Click Edit to change the number of interfaces from 1 to 6

7. It is ready to be used.

7.1. Click on Browse all devices

7.2. Start the JUNOS device

Wait for 5 minutes. (The boot process takes a long time, be patient, while waiting please smile at the “BTX loader 1.00” screen)

7.3. Login and use

Once the long waiting time is over, you will get to this screen.

User: root

Root> cli
Root> show version

(Windows 7's GNS3 Version 1.1) Running ASA 8.4.2 on QEMU

ASA Set up

1. ASA images

2. GNS Preferences

2.1. Adding new QEMU image

2.2. Choose ASA 8.4(2) and choose your image name

2.3. Choose 1GB of RAM (I didn't try with anything else)

2.4. Browse for "Initial RAM disk (initrd):"

2.5. Browse for "Kernel Image"

2.6. Click Finish

2.7. Click OK

3. Use the image in GNS3

3.1. Click on Browse all devices

3.2. Drag it to use

3.3. Add a router and connect them

3.4. Run them


Ciscoasa> enable
Ciscoasa# config t

On Router

Tuesday, May 27, 2014

Firebug vs Firefox's native developer tool - Part 2

Other useful information from Firebug is:
  • Amount of data loaded from cache (this value is not shown if "disk cache/memory cache" is turned off via about:config)
  • Onload time.

While some active objects (such as chartbeat) continue to run, "onload" time is the time taken for the page to load fully the first time, i.e. the moment the "spinning" icon stops.

Firebug vs Firefox's native developer tool

I think Firebug gives me more accurate info regarding object fetch time.

For example, this URL took 1.43s overall to load.

According to Firefox's developer tool, 914ms of that is for "Connecting…".

Firebug, however, tells me that overall it took 1.41s to load the object, and of that, 914ms was spent in the blocking state.

If multiple requests are sent to the same server IP, they queue up, and the time spent in the queue is "blocking" time.

Without this clarification, one could wrongly interpret "Connecting…" time as the time taken purely for the 3-way handshake.
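To separate the phases that Firefox's "Connecting…" lumps together, the following added shell example (not from the original post) times a single request with curl's -w timing variables and converts the raw timestamps into per-phase durations. Because curl issues one request at a time, its connect phase contains no queueing, so it gives a reference value for the pure handshake that can be compared against the browser's figure. The sample timestamp line and the URL in the usage comment are constructed, not measured.

```shell
#!/bin/sh
# Added example, not from the original post: split a single HTTP(S) request
# into DNS, TCP handshake, TLS handshake, server wait and transfer phases
# using curl's -w timing variables (seconds since the request started).
# SAMPLE_TIMES below is a constructed line, not a real measurement.

CURL_FMT='%{time_namelookup} %{time_connect} %{time_appconnect} %{time_starttransfer} %{time_total}\n'

# Measure one URL; prints the five raw timestamps on one line.
measure_url() {
    curl -o /dev/null -s -w "$CURL_FMT" "$1"
}

# Convert "namelookup connect appconnect starttransfer total" (stdin)
# into phase durations. appconnect is 0 for plain HTTP, so TLS is reported
# as 0 and the wait phase is measured from the TCP connect instead.
curl_phases() {
    awk '{
        dns = $1
        tcp = $2 - $1
        tls = ($3 > 0) ? $3 - $2 : 0
        base = ($3 > 0) ? $3 : $2
        wait = $4 - base
        xfer = $5 - $4
        printf "dns=%.3f tcp=%.3f tls=%.3f wait=%.3f xfer=%.3f\n", dns, tcp, tls, wait, xfer
    }'
}

# Constructed sample: DNS 12 ms, TCP handshake 33 ms, TLS 75 ms,
# server wait 180 ms, body transfer 110 ms.
SAMPLE_TIMES='0.012 0.045 0.120 0.300 0.410'

# Usage against a live site (placeholder URL):
#   measure_url https://example.invalid/ | curl_phases
printf '%s\n' "$SAMPLE_TIMES" | curl_phases
```

The "tcp" value is the part of the browser's "Connecting…" that really is the 3-way handshake; anything the browser reports beyond it for the same object is queueing, DNS or TLS, which is exactly the distinction the post draws from Firebug's "blocking" column.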

Thursday, April 10, 2014

We are bitten, again! Fortigate as WCCP client with ASA as WCCP server

After much troubleshooting, tracing and head scratching, we found out why!

Unlike Squid, Fortigate as a WCCP client can only do GRE return mode.     ASA's WCCP server implementation, on the other hand, does not support GRE return mode.

Well, Fortigate as a WCCP client can also do L2 forward and return mode, but ASA can't do L2 mode at all.

So, in essence, **they** don't talk.     At least for the time being, you can't deploy ASA as a WCCP server and have Fortigate as a WCCP client.

Note: BlueCoat as a WCCP client can do all of those modes, L2, Return directly to client and GRE return.

Other links of interest

“….WCCP redirection is supported only on the ingress of an interface. The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client, without going through the adaptive security appliance….”

Tuesday, April 8, 2014

FortiManager "Out-of-Sync" Diff View's Deficiency

There are a few improvable parts of FortiManager; this is one of them.

When changes are made on a Fortigate locally, FortiManager will detect that change and report an "Out-of-Sync" state.    This is well and good.

The idea is good; the execution, however, can still be improved.

As an administrator, I would want to verify the change I know I have made locally on the device.

The "View Diff" feature here is just not good enough. I couldn't easily see what change I had made, because it wrongly reported changes that I didn't make, as well as changes that exist simply because the configs are mis-aligned.

I seriously did not modify 1210 Line(s).

So, as a result, I need to fly "blind": either Accept wrongly or Reject wrongly.

This is very annoying given that other parts of FortiManager handle "Diff" so brilliantly, such as the "ADOM Revisions" Diff.

Monday, April 7, 2014

Running Script Against FortiManager's Policy Package

A CLI script can be applied to a Policy Package's Objects as well as a Policy Package's Policies.

Use the CLI commands as if you were working with the device locally, but if you have VDOMs in place, just remove that part.

Instead of using

config vdom
edit “VDOM1”
…list of command…

Simply remove the VDOM reference, and leave the rest of the command.

On the script page, just use “Advanced - Override Script Target” and change the Target to Run on “Policy Package, ADOM Database or Global Policy”.
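As an added example, not part of the original post, this shell helper performs the edit described above mechanically: it removes the leading "config vdom" / "edit <name>" wrapper and the matching trailing "next" / "end" from a FortiOS CLI script so that the remainder can be run against a Policy Package, the ADOM database or the Global Policy. It generalises slightly in that a script without the wrapper passes through unchanged. The sample script, the VDOM name and the address object in it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: strip the VDOM wrapper from a
# FortiOS CLI script so it can be run against a FortiManager Policy Package.
# The sample script below (VDOM1, object "srv-web", host 10.0.0.5) is constructed.

# Reads a script on stdin, writes it on stdout. If it starts with
# "config vdom" / "edit <name>", those two lines and the "next"/"end"
# pair that closes them at the bottom are dropped; anything else passes through.
strip_vdom_wrapper() {
    awk '
    { lines[NR] = $0 }
    END {
        start = 1; stop = NR
        if (lines[1] ~ /^[ \t]*config[ \t]+vdom[ \t]*$/ &&
            lines[2] ~ /^[ \t]*edit[ \t]/) {
            start = 3
            # ignore trailing blank lines, then drop the "end" closing "config vdom"
            while (stop >= start && lines[stop] ~ /^[ \t]*$/) stop--
            if (stop >= start && lines[stop] ~ /^[ \t]*end[ \t]*$/) {
                stop--
                # and an optional "next" that closes the "edit <vdom>" entry
                if (stop >= start && lines[stop] ~ /^[ \t]*next[ \t]*$/) stop--
            }
        }
        for (i = start; i <= stop; i++) print lines[i]
    }'
}

# Constructed example: the script as it would be written for the device CLI.
DEVICE_SCRIPT='config vdom
edit "VDOM1"
config firewall address
edit "srv-web"
set subnet 10.0.0.5 255.255.255.255
next
end
next
end'

# Usage: pipe the device script through the helper and paste the result into
# the FortiManager script with "Override Script Target" set to the package.
printf '%s\n' "$DEVICE_SCRIPT" | strip_vdom_wrapper
```

Only the outermost wrapper is touched: the inner "next" / "end" that belong to the object being configured are left alone, which is the part that is easy to get wrong when editing a long script by hand.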

FortiManager Bug - "+" sign in Web Filtering Profile Name

There is a bug in FortiManager: when a '+' sign is used in a Web Filtering Profile name, the "Where Used" function does not work correctly.

Once the plus sign is removed from the profile name, it works correctly.

Saturday, April 5, 2014

FortiManager - Import Policy from Device

Why do I need this?

Sometimes it is easier to make a change locally on the Fortigate.    In my case, I want to create an "ftp-proxy" rule on the Fortigate, because it seems that the rule causes a problem when installed to the device if it is implemented on FortiManager.

Step by Step

First, lock ADOM

Then, right click on device, select “Import Policy”

Then, select the VDOM where the change has been made, and skip the rest.   Place the policy in a new TEMP POLICY PACKAGE so that it doesn't mix with our existing POLICY PACKAGE.  To save space, I won't show a screenshot of every screen.   I just click Next through until the end and click "Skip Remaining".

After that we can change it the way we like.

If you have created new objects locally on the Fortigate VDOM, it will be imported at this step.

Now, rule #5 is imported as I wish.

From a temporary POLICY PACKAGE “VUFG1_VUWF101” , I just need to COPY & PASTE it into my production POLICY PACKAGE “VU-WEBFILTER-PACKAGE”.

Clean up steps

Now, we need to clean up a few things.

First, place the VDOM back to production POLICY PACKAGE.

Click on Policy & Objects -> YOUR TEMPORARY POLICY PACKAGE -> ‘Install’ Tab -> Right click on your VDOM, then Edit

Select the VDOMs that will use this POLICY PACKAGE.

Remove the VDOM from this temporary POLICY PACKAGE.

And, it will be removed from the list

Check the production POLICY PACKAGE, ‘Install’ Tab, it should be there.

Push to device

Now, the next step is to click SAVE and then push the revised POLICY PACKAGE to the VDOMs using the "Install Wizard".

Then, on Device tab, it should display “SYNCHRONIZED”

The last step is to simply Unlock VDOM.