Thursday 26 January 2023

find loop on cisco switch

Old school method for old/cheap switches with no CLI.

Front LEDs can provide indications, like all on solid or all flashing in unison, but this is not reliable across switch models.

With this method you need to know where all your trunks/uplinks are. Start by unplugging all trunks. Does the traffic stop? If yes, the traffic is probably coming from another switch. Start plugging the trunks back in until the loop starts again. You should be able to find the switch and repeat the process there.

If the traffic does not stop then it's coming from a server/user port or an unknown trunk. Start disconnecting each cable one by one until the traffic stops.


Cisco switch CLI method:

Checking RAM and CPU usage is usually a good indicator of a loop.


Look at the 5 minute input rate packets/sec for the interfaces 

Looking for high values like 28458 packets/sec

show interfaces | in Gigabit|rate

You may have a mix of interfaces

show interfaces | i TwoGig|TenGig|TwentyGig|rate

show cdp neighbors | in "same-switch-name"
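
An added example (not part of the original notes): a small Python parser for pasted `show interfaces | in Gigabit|rate` output that lists the ports with a high input packets/sec rate. The sample output is constructed, and the 10000 packets/sec cut-off is an assumption to tune for your network.

```python
import re

# Constructed sample of `show interfaces | in Gigabit|rate` output (not from a real switch).
SAMPLE = """\
GigabitEthernet1/0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0011.2233.4401 (bia 0011.2233.4401)
  5 minute input rate 28458000 bits/sec, 28458 packets/sec
  5 minute output rate 912000 bits/sec, 310 packets/sec
GigabitEthernet1/0/2 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0011.2233.4402 (bia 0011.2233.4402)
  5 minute input rate 4000 bits/sec, 6 packets/sec
  5 minute output rate 29100000 bits/sec, 28390 packets/sec
GigabitEthernet1/0/3 is down, line protocol is down (notconnect)
  Hardware is Gigabit Ethernet, address is 0011.2233.4403 (bia 0011.2233.4403)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
TenGigabitEthernet1/1/1 is up, line protocol is up (connected)
  5 minute input rate 31000000 bits/sec, 27990 packets/sec
  5 minute output rate 30500000 bits/sec, 28100 packets/sec
"""

IFACE = re.compile(r"^(\S+) is (?:administratively )?(?:up|down)")
RATE = re.compile(r"(input|output) rate (\d+) bits/sec, (\d+) packets/sec")

def parse_rates(text):
    """Return {interface: {"input": pps, "output": pps}} from the filtered output."""
    rates, current = {}, None
    for line in text.splitlines():
        m = IFACE.match(line)          # interface header lines start in column 0
        if m:
            current = m.group(1)
            rates[current] = {}
            continue
        m = RATE.search(line)          # "Hardware is ..." lines match neither pattern
        if m and current:
            rates[current][m.group(1)] = int(m.group(3))
    return rates

def loop_suspects(text, threshold_pps=10000):
    """Interfaces whose input rate exceeds threshold_pps (assumed cut-off), busiest first."""
    rates = parse_rates(text)
    hot = [(name, r["input"]) for name, r in rates.items()
           if r.get("input", 0) > threshold_pps]
    return sorted(hot, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for name, pps in loop_suspects(SAMPLE):
        print(f"{name}: {pps} packets/sec input")
```

In the sample, the access port and the uplink with high input rates are the ones to trace next; the port with only a high output rate is receiving the flood, not sourcing it.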


Wireshark

You can also take a Wireshark capture and look for high levels of ARP/broadcast. Also look out for DHCP requests flying around again and again.

Wednesday 25 January 2023

Other Administrators are holding device wide commit locks on palo alto firewall

 I couldn't make changes. It said my user had the lock but still couldn't make the changes.

Check you are not on the passive firewall.

Clicked the padlock in the top right that had a (3) beside it. I could click on all users and click "remove lock".


Others reported having to use the CLI

show commit-locks
request commit-lock remove 

Wednesday 18 January 2023

Cisco umbrella VA config


To configure Virtual appliance (VA), enter configuration mode (CTRL+B)

config va name umbrella01 (this name is just a label)

config va interface 172.16.0.6 255.255.255.0 172.16.0.1

config localdns add 172.16.0.8 (DC1)

config localdns add 172.16.0.9 (DC2)


From

https://docs.umbrella.com/deployment-umbrella/docs/appendix-d-troubleshooting-the-va-using-a-restricted-shell#section-use-configuration-mode-to-troubleshoot


Config auto updates

Need 2 VAs

FW access to the URLs in setup doc

Config Deployments > Configuration > Sites and Active Directory.

Settings button top right

Auto upgrade


issue with palo alto expedition tool

 Palo Migrations tool kept failing without an explanation

The tool seems to have an issue with PSKs on the VPNs

When you load the config from the migration you need to change / update the PSKs and it will load correctly

Friday 13 January 2023

nessus M365 scan

Get the customer to give you MS account global admin on their tenant

Nessus docs don't quite match up to the MS interface, as the MS interface is changing all the time:

https://docs.tenable.com/integrations/Microsoft/Azure/Content/ConfigureAzureComplianceAudit.htm?Highlight=microsoft%20365


Log into portal.azure.com (azure.microsoft.com)

Setup on OTP portal and update boost

Log into the customer tenant

Copy tenant ID from Home -> overview into a notepad


Click on Active Directory (Entra ID triangle icon)

App registrations on the left

Click the + New App registration button

Client credentials -> Add a certificate or secret

+ New client secret

Give name

Set expire 

Copy value and secret ID *** IMPORTANT it will disappear and you will have to start again

ID looks like 7777701d-xxxx-yyyy-zzzz-6b6a1c969999 (don't think you need this but record anyway)

value is the secret key

Get the app ID from the app registrations and search Nessus


put them in a safe notepad with tenant ID (will need later)


To find the app reg again

Click app registrations, all applications and search your app reg name "Nessus"


Home -> Entra ID -> customer -> roles and administrators -> all roles -> 

Search Global Reader

Right click description 

Assignments on the left

+ Add assignments 

Add to NessusScan app reg


Create new app

Get app ids + keys 

Create a new client secret

You need to save the secret when it appears as it only displays once


Microsoft Graph

Home -> Microsoft Entra ID > App Registrations > Your Application > API Permissions

Permissions -> applications -> read all (reader role)

Expand all and tick Read.All



Config in Nessus

https://docs.tenable.com/integrations/Microsoft/Azure/Content/ConfigureAzureComplianceAudit.htm?Highlight=microsoft%20365


Add scan -> choose template audit cloud infra (or copy from previous scan)

credentials (key method, fill in tenant, app ID, secret)
MS 
Fill in
  • select key
  • Tenant ID (get from home overview)
  • app id (app registrations page)
  • Client secret (secret value)

CIS Microsoft add:
L1 
L2 

To export, click the report button in the top right
tick html
select compliance 
generate report