Posts on MKvLab Blog

FortiOS 8.0.0 vs 7.x: What’s New, What Improved, and What I Like Most

Wed, 22 Apr 2026 00:00:00 +0000

FortiOS 8.0.0 which has been released yesterday, is one of the more interesting Fortinet releases in recent years. While the 7.x branch focused heavily on platform refinement, operational maturity, and steady improvements to areas such as automation, inspection, SD-WAN, and manageability, FortiOS 8.0.0 feels more forward-looking in its positioning. It is built around themes that are now shaping enterprise security discussions much more directly: AI-aware protection, stronger data loss prevention, secure networking evolution, and quantum-safe readiness.

Licensing and Registration of VCF/VVF 9.0

Mon, 23 Feb 2026 00:00:00 +0000

VMware Cloud Foundation 9.0 and VMware vSphere Foundation 9.0 introduce a centralized licensing workflow through VCF Operations, replacing much of the version-specific key handling with a more unified entitlement and usage model.

VCF 9.0 supports two registration modes: connected and disconnected. Disconnected mode is intended for environments without internet connectivity or for fully air-gapped setups. Broadcom describes this mode as suitable for air-gapped networks, where administrators manually exchange registration, usage, and license files with the VCF Business Services portal.

Update your VMware ESXi 8.x, 9.x - Offline Mode

Thu, 20 Nov 2025 00:00:00 +0000

In my post How to update your VMware ESXi 6.x, Offline Mode, I walked you through updating an ESXi server in offline mode using the esxcli software vib update command. However, this method has been deprecated beginning with ESXi 8.0 Update 2 and replaced by profile-based update commands, which I will demonstrate in this post. Using the offline method, you can easily and efficiently update an air-gapped standalone ESXi host. Of course, for hosts managed by vCenter, updates should be performed using vLCM to automate the process through vCenter Server.

FortiOS 7.6.3 – SSL VPN tunnel mode is no longer supported!

Fri, 18 Apr 2025 00:00:00 +0000

In a significant update, Fortinet has announced that starting with FortiOS version 7.6.3 (has been released on April 17th), SSL VPN tunnel mode is no longer supported on ALL FortiGate models. Upon upgrading to FortiOS 7.6.3, existing SSL VPN configurations will be removed, and the SSL VPN web and tunnel mode features will no longer be accessible through the GUI or CLI. Fortinet is encoureging admins to migrating to IPsec VPN before upgrade. SSLVPN web-mode which is now called “agentless VPN” is still available, but only on certain models.

Critical zero-day vulnerability in FortiManager is actively exploited – CVE-2024-47575

Sun, 27 Oct 2024 00:00:00 +0000

A missing authentication for critical function vulnerability tracked as CVE-2024-47575 in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. Reports have shown this vulnerability to be exploited in the wild. The company privately warned FortiManager customers about the flaw starting October 13th in advanced notification emails seen by BleepingComputer that contained steps to mitigate the flaw until a security update was released.

Redeploy NSX Edge Trasport Node using API

Tue, 03 Sep 2024 00:00:00 +0000

In this post, we will redeploy the NSX Edge Transport Node using the NSX Manager API call where you can easily and quickly redeploy your edge node. I am in a situation, where my nodes are not responding as I am constantly testing things in my Lab, so I wanted to share how you can do that in your production environment.

There are many reasons you may need to redeploy your edge node:

FortiOS 7.6.0 has been released!

Fri, 09 Aug 2024 00:00:00 +0000

Fortinet has released the new version of FortiOS 7.6.0.

Documentation

The release includes the main FortiOS 7.6.0 documentation set:

Supported models

FortiOS 7.6.0 supports the following models.

FortiGate

FG-40F, FG-40F-3G4G, FG-60F, FG-61F, FG-70F, FG-71F, FG-80F, FG-80F-BP, FG-80F-DSL, FG-80F-POE, FG-81F, FG-81F-POE, FG-100F, FG-101F, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-401E, FG-400F, FG-401F, FG-500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG-900D, FG-900G, FG-901G, FG-1000D, FG-1100E, FG-1101E, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG-3200D, FG-3200F, FG-3201F, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3700F, FG-3701F, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-4800F, FG-4801F, FG-5001E, FG-5001E1, FG-6000F, FG-7000E, FG-7000F.

VMware Cloud Foundation 5.2 has been released

Wed, 24 Jul 2024 00:00:00 +0000

VCF 5.2 has been released today!

What’s New

Support for Identity Federation with Entra ID: VCF users can now configure Microsoft Entra ID (formerly known as Azure AD) as an identity provider.
APIs for Auditing PCI Compliance: VCF users can now use a new set of APIs that audit VCF configuration for compliance with 9 relevant PCI-DSS controls.
vSAN Max support: vSAN Max is a disaggregated storage offering which enables petabyte scale storage-only clusters. vSAN Max is powered by ESA as the underlying storage platform, which is a high-performance file system that can scale up to high densities with no penalty to performance. ESA also provides other benefits such as built-in, efficient, scalable snapshots, and low overhead data services such as encryption and compression.
vSAN ESA Stretched Cluster: VCF users can now configure ESA Stretched Cluster in vSAN Ready Nodes. It enables customers to take the concept of fault domains to protect an environment spanning two physical sites from downtime in the event of a site failure.
VCF Import Tool (for vSphere & vSAN): The VCF Import Tool integrates existing vSphere environments into VMware Cloud Foundation, centralizing management and optimizing resources without needing a full rebuild.
Dual DPU Support: VCF users can now leverage Dual DPU support. Dual DPU support boosts availability and performance. Active/Standby ensures continuity against failures, while dual independent DPUs double offload capacity and provide isolation.
Avi Load Balancer Integration with VCF: VCF users can now deploy Avi (formerly NSX Advanced Load Balancer) as part of a new workload domain and perform password rotation and certificate management of the ALB infrastructure from SDDC Manager.
Deploying NSX as a Day-N Operation: VCF users can now choose to deploy NSX (VLAN Backed) from SDDC Manager on top of a workload domain originally deployed/converted/imported with vSphere Networking.
Out of Band Changes from vCenter: Out of Band changes from vCenter can be manually synced with SDDC Manager. This includes inventory changes (for example, adding a host to a cluster) and object name changes (for example, datacenter name, datastore name, port group name).
ESXi Live Patching: VCF users can now apply ESXi security patches without requiring VM evacuation on ESXi hosts.
Flexible Target BOM for Upgrades: VCF users can now create a composite and customized BOM using patches when upgrading workload domains. Customers can plan an upgrade along with patches in one orchestrated workflow instead of performing an upgrade and applying patches in separate maintenance windows.
Async Patching with SDDC Manager: Customers previously used the standalone Async Patch Tool to apply patches to the VCF BOM components. VCF 5.2 provides the ability to apply BOM component patches from the SDDC Manager UI.
Day N workflows with Embedded Async Patching: VCF users can now add new workload domains and clusters with patched versions of individual BOM components from SDDC Manager.
Asynchronous SDDC Manager Upgrades: VCF users can now upgrade SDDC Manager independently from the rest of the BOM to apply critical fixes, security patches, and to enable specific features related to SDDC Manager.
Authenticated Proxy: VCF users can now use proxy authentication from SDDC Manager to enable secure connectivity from SDDC Manager to the internet.
Offline Depot: VCF users can now perform lifecycle bundle downloads in offline/air-gapped environments in a simplified manner. The offline depot downloads and stages VCF SDDC Manager and BOM component bundles and enables customers to configure SDDC Manager to download the bundles directly from the offline depot.
Isolated Workload Domains Sharing NSX: VCF users can now create and manage isolated workload domains that can share an NSX Manager instance between them.
Language support: Beginning with the next major release, VCF will be supporting the following localization languages:
- English
- Japanese
- Spanish
- French

VMware Cloud Foundation Bill of Materials (BOM)

VMware Cloud Foundation on my Lab

Sat, 20 Jul 2024 00:00:00 +0000

I am writing this article because I had trouble understanding the best way to deploy VMware Cloud Foundation (VCF) in a lab environment, given our limited resources and the high demands of VCF. For example, using the VCF Holodeck Toolkit requires 384 GB of RAM, which is beyond our current capacity. To address this issue, I searched for ways to reduce the resource requirements. I found that consolidating the NSX Manager from three instances to one and reducing the management workload cluster from a minimum of four hosts to just one can significantly lower the needed resources.

Renew NSX Internal Self-Signed Certificates

Fri, 12 Jul 2024 00:00:00 +0000

Once you have installed the NSX Manager, the internal self-sign certificate will be generated and configured with different services like the manager web console. These certificates have a lifetime and will expire one day, so we need to renew the certificates and we are going to renew the self-sign certificates. One important aspect of this is ensuring that the self-signed certificates are up-to-date. Self-signed certificates, while not as robust as those issued by a Certificate Authority (CA), are often used in internal networks for ease of setup and management. I will write another blog post to show how to generate a request sign the certificate in PKI and import and apply to services. In this blog post, I will walk you through the process of renewing the NSX self-signed certificate. This process is relatively straightforward, but it is essential to follow each step carefully to avoid disruptions in your network services.

NSX Training | Segment DHCP Server

Mon, 13 May 2024 00:00:00 +0000

Today, I’m excited to share a new tutorial video that I’ve created, which walks you through the process of configuring a Segment DHCP server in VMware NSX.

Why Configure a DHCP Server in VMware NSX?

Dynamic Host Configuration Protocol (DHCP) is crucial for automating IP address allocation and management in a network. By configuring a DHCP server within VMware NSX, you can efficiently manage IP addresses within your virtualized network segments, improving both performance and scalability.

Change NSX User Password with API

Fri, 10 May 2024 00:00:00 +0000

In this article, I am going to show how to change the NSX user password in different ways, but specifically using the API.

You will need your API tool, here I am going to use Postman to explore and send API requests to the NSX Manager.

But first I would like to take a moment and show 2 other ways to change the password.

Using Alarm in NSX Manager UI.

Exchange Server 2019 and 2016 Hotfix Update

Tue, 23 Apr 2024 00:00:00 +0000

Microsoft released a hotfix for Exchange Server 2016 and 2019 which includes some fixes but most importantly includes a very important feature, Hybrid Modern Authentication support for OWA and ECP in Exchange Server 2019 CU14.

in this link, you find the Microsoft original KB regarding the hotfix and some useful information.

Exchange 2019 CU14 HU2 | 15.02.1544.011 | Download
Exchange 2019 CU13 HU6 | 15.02.1258.034 | Download
Exchange 2016 CU23 HU13 | 15.01.2507.039 | Download

This update is also available through Windows Update as an Optional update.

NSX Training | Deploying NSX Manager

Sat, 20 Apr 2024 00:00:00 +0000

In this video, I am going to demonstrate how to deploy the NSX Manager and some tricks to reduce the RAM and CPU usage in your Home Lab.

Multiple FortiOS Firmware Patches have been released

Wed, 07 Feb 2024 00:00:00 +0000

Fortinet has released multiple FortiOS firmware patches today 07.02.2024. You find the link to the released note as well as known issues and resolved issues. For the download, you will need the Fortinet Support Portal access.

FortiOS 7.4.3 build 2573 | Release Note | Resolved issues | Known issues

FortiOS 7.2.7 build 1577 | Release Note | Resolved issues | Known issues

FortiOS 6.4.15 build 2095 | Release Note | Resolved issues | Known issues

FortiOS 6.2.16 build 1392 | Release Note | Resolved issues | Known issues

VMSA-2024-0002 - VMware Aria Operations for Networks - Multiple Vulnerabilities

Wed, 07 Feb 2024 00:00:00 +0000

Multiple vulnerabilities in Aria Operations for Networks were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

CVE(s):

CVE-2024-22237, CVE-2024-22238, CVE-2024-22239, CVE-2024-22240, CVE-2024-22241

Impacted Products:

VMware Aria Operations for Networks (formerly vRealize Network Insight)

Local Privilege Escalation Vulnerability (CVE-2024-22237)

Description: Aria Operations for Networks contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

VMware Fusion 13 is GA - Install Windows 11 on M1/M2 Mac using VMware Fusion

Sun, 27 Nov 2022 00:00:00 +0000

There is no doubt that VMware Fusion is one of the best (if not the best) hypervisor software to run macOS, Windows, Linux, and other x86-based operating systems as virtual machines on your Mac computer. Recently VMware released version 13 of the product to support the Intel or Apple Silicon Mac. This means now they are supporting Microsoft Windows 11 and now you should be able to run it on your M1/M2 Mac using macOS 12 Monterey and macOS 13 Ventura.

Windows 365

Fri, 20 Aug 2021 00:00:00 +0000

Windows 365 combines the power and security of the cloud with the versatility and simplicity of the PC.

Introducing Windows 365

Windows 365, your Cloud PC | What it is, how it works, and how to set it up

PrintNightmare - Print Spooler Remote Code Execution Vulnerability

Fri, 02 Jul 2021 00:00:00 +0000

All Windows systems are vulnerable!!!

Microsoft (01.07.2021) has published the information related to remote code execution vulnerability that affects Windows Print Spooler and has assigned CVE-2021-34527 to this vulnerability -nicknamed PrintNightmare-. A remote code execution vulnerability exists when the Windows Print Spooler service is improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Security Update Exchange Server 2013-2019 | Pwn2Own Vulnerability

Wed, 14 Apr 2021 00:00:00 +0000

Microsoft has released critical security update -April 2021- for on-premises Exchange Servers 2013, 2016 and 2019 to fix the following Remote Code Execution vulnerabilities:

More details: Microsoft April 2021 Security Update Summary and Exchange Team Blog

Commands i use on my Mac

Wed, 17 Mar 2021 00:00:00 +0000

dig Tool

dig <host.doamin>
dig <domain> TXT
dig <domain> MX
dig <domain> NS

Check the record from specific DNS Server

dig @9.9.9.9 <host.domain>

Check Open Ports

curl -v mail.test.com:22

nc -vz 192.168.13.4 25

OPENSSL

openssl s_client -connect <serveFQDN>:443 -showcerts

Console on my Mac

ls /dev/*usb*
screen </dev/NAME> 9600

TCP dump

sudo tcpdump -n icmp

What is My IP

curl http://ifconfig.co
curl http://ifconfig.co/country

Speed Test

curl -s https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py | python -
curl -s https://raw.githubusercontent.com/khodaeifard/speedtest/master/speedtest.py | python -

PowerShell Command-Line

Thu, 11 Mar 2021 00:00:00 +0000

Active Directory

Export All AD Users to CSV:

Get-ADUser -Filter * -Properties * | Select-Object name, mail, LastLogonDate, WhenCreated | export-csv -path c:\userexport.csv

Get AD User Properties:

Get-ADUser -Identity <ACCOUNT> -Properties *

Get all GPOs and their creation time:

DSQuery * -Filter “(ObjectCategory=GroupPolicyContainer)” –attr DisplayName WhenCreated

Hyper-V

Get Snapshot on VM:

Get-VMSnapshot -VMName <NAME>
Get-VMSnapshot -ComputerName <NAME-OF-COMPUTER> -VMName <VM-NAME>

Delete VM Snapshot:

Get-VMSnapshot -VMName <VM-NAME> | Remove-VMSnapshot

Office 365

Connect to Tenant:

Exchange Servers 0-day exploits -HAFNIUM-

Sun, 07 Mar 2021 00:00:00 +0000

On March 2, 2021 Microsoft has released several security update for Microsoft Exchange Server to address the vulnerabilities that has beed exposed targeting on-premises version of Exchange server. Microsoft has categorised this as a critical vulnerabilities and recommended the update the Exchange Server as soon as possible.

The Exchange versions affected are:

Microsoft Exchange Server 2013
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019

NOTE: Exchange Online is not affected. also Microsoft Exchange Server 2010 is being updated for Defense in Depth purposes.

How to set up SPF, DKIM, and DMARC records for Microsoft Office 365

Sun, 07 Mar 2021 00:00:00 +0000

In this particular post i would like to talk about 3 very important DNS records for any mail server and in this individual case Office 365. SPF, DKIM and DMARC are ways to authenticate your mail server and to prove to the world, and other receiving mail servers that senders are truly authorised to send email and when properly set up, all three prove that the sender is legitimate, that their identity has not been compromised and that they’re not sending email on behalf of someone else.

Fortigate - I see only 'Default' Security Profile

Sat, 05 Dec 2020 00:00:00 +0000

Problem:

I have came across this issue years ago but recently due to unit upgrades for our customers Fortigate firewalls i have seen it more often and also asked by customers and colleagues. said why not i just blog it maybe it will be useful for someone else as well.

So the problem is sometimes we do see only the Fortigate Default UTM profile in the FortiOS user interface and the default ones can be assign to firewall policy. we can always modify profiles and assign them to firewall policies using command line but it is convenient if we can see then and edit them in graphical interface.

Check SHA1 and MD5 Hash on your Mac

Wed, 21 Jun 2017 00:00:00 +0000

SHA hashing is frequently used with distribution control systems to determine revisions and to check data integrity by detecting file corruption or tampering. For common usage, a SHA checksum provides a string that can be used to verify a file been transferred as intended. If SHA checksums match, the files integrity has been maintained.

Using SHA1 hash strings are also an easy way to verify file transfers from peer to peer networks and to make sure a download has finished, or that a file was not tampered with somewhere along the line. By knowing the origin SHA1 checksum, you can verify your version of the file(s) in question matches, and determine if the file is indeed valid and has arrived as intended.

How to View SSL Certificate Details on Chrome

Tue, 07 Mar 2017 00:00:00 +0000

Probably all of you know what the SSL certificate is and how this SSL certificate helps us to have a secure connection (HTTPS) with websites by now. this day’s everyone looks at the beautiful green padlock next to the website address to make sure that he or she has secure and trusted connection. I just always like to see this little green sign.

by clicking this green padlock you will see the certificate details. that helps admins a lot, trusted domain, issue authority, expire date and … are some of this information.

How to Fix a Failed Database Content Index for Exchange Server 2013

Mon, 06 Mar 2017 00:00:00 +0000

Last week I was facing the problem that user of exchange server 2013 couldn’t search mail or contact in outlook. I had the same problem before, the reason is damaged index! We have to repair the index file, therefore, exchange server able to search throw the contact.

That is not a big operation and also no needs to have downtime and you can do it during server usage without any side effect, well you have to stop exchange search service but as far as your client cannot search anyway there is no side effect. This exchange server is not the member of DAG or Database Availability Group.

How to update your VMware ESXi 6.x, Offline Mode

Sun, 26 Feb 2017 00:00:00 +0000

I have talked about how to update ESXi hypervisor in online mode in my past article. And I said that I will write a post about updating ESXi host in offline mode. So, there we go!

But first of all, answer the question:

Why do we need to use offline mode when we can update in the online mode very easy?

And the answer is:

There are many reasons, but most frequently reason is sometimes our host has no internet access! And we cannot use online mode.

Fortinet Command Line Portal

Sun, 19 Feb 2017 00:00:00 +0000

Always having official and thorough reference is handy for admins. we do spend so much time to find the complete reference of commands and options to configure or troubleshoot or device other than their brands, currently, I am involved mostly with networks that equipped with Fortinet devices and need to find appropriate and fast command and options for doing my everyday job. Fortinet has great reference resources as well as community and I would say excellent support. recently they just announced CLI portal which is great idea, simple and integrated interface to find commands. currently, they are running BETA version and also available only for FortiOS 5.4 and I would say not complete resource but I’m pretty sure during the month ahead they will continue to work and publish more stuff. I really like the idea.

Add New Disk and Partition to Your Linux Server

Fri, 17 Feb 2017 00:00:00 +0000

Today I would like to share with you very easy steps to add a new disk to your existing Linux server which often requires.

In this post, I would like to talk about local disk and in another post, I will talk about NFS partitions and how to add them into your Linux box.

Current partition status:

Okay, if you would like to see what is your box partitions status you can find out with the command:

How to update your VMware ESXi 6.x, Online Mode

Fri, 10 Feb 2017 00:00:00 +0000

Today I would like to show you how to easily update your VMware ESXi 6.x to latest version using online repository. I am going to update my ESXi host to current latest version which is 6.5.01, you can read the VMware ESXi 6.5.0a Released Noted from here.

Also, you can see the ESXi Version 6.5.0 History to get more information about all releases in the future.

Basically, there is 2 way to update your ESXi host:

SSH to Linux Server Without Password Using SSH Key-Pair

Mon, 06 Feb 2017 00:00:00 +0000

The SSH public-private key pair allows you to securely log into AST’s servers and perform authentication, without having to specify a password using the public key. It also allows you to send files via an encrypted network connection. You can add as many key pairs as you. all pairs are independent and each computer only has information regarding its own pair. you can easily transfer your client machine public RSA key to your Linux box and then the world will be nicer for you.