Tuesday 30 April 2024

TS FTD like TAC

 https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/R6BGArNQ/TECSEC-3004.pdf


system support trace

Wednesday 3 April 2024

network design ideas

Just writing down some ideas

Dual internet connection with failover
Share public range with BGP
Alternatively two public IP ranges with dyndns
OOB management (Opengear)
Redundancy starting at the SAN
Rule of thumb: 2 of everything
HA firewall
HA switch (stack)
VLANs/networks: LAN, WIFI, DMZ, DB, APP, VOICE, RSPAN, OOBMGMT, BACKUPS, MONITORING
Off site (cloud) backups or tape taken off site
Monitoring, graphing, alerting: PRTG, NetFlow, SNMP
NTP server
TFTP server
config backup
RADIUS and MFA (Duo) where possible
syslog (syslog-ng)
OpenDNS (Cisco Umbrella / DNSFilter)
IPS like Security Onion


Multiple DMZs or Private VLANS in your DMZ alternatively consider reverse proxy.

Friday 29 March 2024

palo alto bulk add log forwarding profile to security policy rules

You can use the migration tool to do this 


From version 10.1 onwards you can also use the Policy Optimizer to attach a log forwarding profile to security rules in bulk:

Policies > Security

Policy Optimizer in the bottom left


You need to have configured logging and your log forwarding profile in advance


Select "None" to list all the rules with no log forwarding profile applied

click the first rule

scroll to the bottom

hold shift and click the last rule to select all

In the bottom left click "Attach log forwarding profile"

Select your profile "LOG-FWD-PROFILE"

Click ok

Commit


Info found on: 

https://live.paloaltonetworks.com/t5/general-topics/log-forwarding-profile-in-all-security-policies/td-p/205426


Friday 15 March 2024

useful windows cmds

Get hostname

hostname

Get current user

whoami

Get serial number

wmic bios get serialnumber

Get manufacturer model name

wmic csproduct get name

Print out date/time

echo %DATE% %TIME%

Get OS name and ver (takes a few seconds to run)

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"


All IP config details

ipconfig /allcompartments /all

Get all NIC details

wmic nicconfig get description,IPAddress,MACaddress


Display the DNS cache

ipconfig /displaydns


Check hosts file

more %SystemRoot%\System32\Drivers\etc\hosts

Netstat (run as admin)

Get listening/established ports and PIDs

netstat -naob 

netstat -naob | findstr LIST
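The "netstat -naob" output is awkward to read by eye because the owning process is printed on the lines after each connection. The following added example (my own code, not from the original notes) parses constructed sample output and lists listeners whose owning executable is not on an allow-list; the sample lines and the allow-list are assumptions.

```python
import re

# One connection line of "netstat -naob"; the State column is absent for UDP.
CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+)"
    r"\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)

# Constructed sample of "netstat -naob" output (not captured from a real host).
# With -b the owner follows each connection: the service/component name first
# (if any), then the executable in square brackets.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    192.168.1.10:49700     52.96.0.1:443          ESTABLISHED     5328
 [OUTLOOK.EXE]
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       7120
 [updater.exe]
  UDP    0.0.0.0:5353           *:*                                    2244
 [chrome.exe]
"""

def parse_netstat(text):
    """One dict per connection, with exe and service/component names collected
    from the indented owner lines that follow it."""
    entries = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            e = m.groupdict()
            e["lport"], e["pid"] = int(e["lport"]), int(e["pid"])
            e["state"] = e["state"] or ""
            e.update(exe=None, components=[])
            entries.append(e)
        elif entries and line.strip():
            owner = line.strip()
            if owner.startswith("[") and owner.endswith("]"):
                entries[-1]["exe"] = owner[1:-1]
            elif not owner.startswith("Can not obtain"):
                entries[-1]["components"].append(owner)
    return entries

def listening(text):
    """(proto, port, pid, exe) for every TCP listener and every bound UDP socket."""
    return sorted((e["proto"], e["lport"], e["pid"], e["exe"]) for e in parse_netstat(text)
                  if e["proto"] == "UDP" or e["state"] == "LISTENING")

def unexpected_listeners(text, known_exes):
    """Listeners whose owning exe is not in the allow-list (or has no owner info)."""
    return [l for l in listening(text) if l[3] not in known_exes]
```

Run netstat as admin and feed its output to parse_netstat to get the same structure from a live host.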


Print routing table 

netstat -nr 

route print

List sessions with other computers

net session

net session \\pcname /list

Print out machines we can see on the domain

net view

net view \\127.0.0.1

View Netbios over TCP details

nbtstat -S

Show arp table

arp -a


WLAN info

netsh wlan show interfaces

netsh wlan show all


List services

services.msc

tasklist

Show which services are hosted inside each svchost process

tasklist /svc

tasklist.exe /FI "PID eq 8988" /svc

sc query

wmic service list config

Sysinternals

pslist 

pskill


Event logs

eventvwr

wevtutil qe security /f:text | more


Localusers

lusrmgr.msc

net users


Startup apps 

msconfig

autoruns


xcopy find files for a specific date (note date format)

xcopy \\servername\sharename$\*.* /S /L /H /D:mm-dd-yyyy | more


Find files bigger than 30MB

for /R c:\ %i in (*) do @if %~zi gtr 30000000 echo %i %~zi


Sysinternals

tcpvcon -a

psloggedon

logonsessions

handle

listdlls

procexp (Process Explorer)

procmon (Process Monitor)

sysmon

autoruns

Wednesday 13 March 2024

Tuesday 12 March 2024

packet capture on palo alto

 This can be done from the web gui under Monitor > Packet capture

Setup your filters

Add your stages rx,tx,fw,drop

Switch on filter and packet capture


You can also run tcpdump from the CLI; it is the only method that captures management-interface traffic such as syslog.

Friday 8 March 2024

dynamic VPN on sonicwall to HQ with a static IP

 https://www.sonicwall.com/support/knowledge-base/configuring-aggressive-mode-site-to-site-vpn-when-a-site-has-dynamic-wan-public-ip-address/170505565649605/

Wednesday 6 March 2024

zoom firewall IPs

 https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0060548

Tuesday 5 March 2024

cisco sfp compatibility matrix fibre

 https://tmgmatrix.cisco.com/?npf=1181

palo EDL

 https://docs.paloaltonetworks.com/resources/edl-hosting-service


https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/configure-the-firewall-to-access-an-external-dynamic-list-from-the-edl-hosting-service/create-an-external-dynamic-list-using-the-edl-hosting-service

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/enforce-policy-on-an-external-dynamic-list#id65d71322-1c04-4eb7-ab66-4d9bb3f41a52

You also need a firewall rule allowing the management IP to download the EDLs from:

saasedl.paloaltonetworks.com over SSL

Tuesday 20 February 2024

setup syslog on cisco switch

 10.46.251.254


Logging on

logging origin-id ip

logging facility local0

logging source-interface Vlan250

logging host x.x.x.x


x.x.x.x = your syslog server


For testing

send log TEST
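With the config above the switch tags every message with its IP (origin-id) and sends it as facility local0, so PRI = 16 * 8 + severity. The following added example (my own code, not from the original notes) parses constructed sample lines in that format, flags messages whose PRI does not match the configured facility or the %FAC-SEV-MNEMONIC severity, and pulls the source IP out of failed-login events; the sample lines are assumptions, not captured from a real switch.

```python
import re
from collections import namedtuple

FACILITY_LOCAL0 = 16  # matches "logging facility local0" on the switch

# <PRI>[seq: ]<origin-id>: [timestamp: ]%FACILITY-SEVERITY-MNEMONIC: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:(?P<seq>\d+): )?(?P<origin>\d+\.\d+\.\d+\.\d+): "
    r"(?:(?P<ts>[^%]+?): )?%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$"
)
SOURCE_RE = re.compile(r"\[Source: (\d+\.\d+\.\d+\.\d+)\]")

Event = namedtuple("Event", "origin facility severity timestamp mnemonic ios_severity msg")

# Constructed sample lines (not captured from a real switch). The last line
# carries a wrong PRI on purpose: facility auth (4), severity 4.
SAMPLE = """\
<133>10.46.251.254: *Mar  1 00:05:12.345: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.46.1.20)
<132>10.46.251.254: *Mar  1 00:06:01.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.46.1.99] [localport: 22] [Reason: Login Authentication Failed] at 00:06:01 UTC Mon Mar 1 1993
<134>10.46.251.254: *Mar  1 00:07:30.500: %SYS-6-USERLOG_INFO: Message from tty1(user id: admin): TEST
<36>10.46.251.254: *Mar  1 00:08:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down
"""

def parse_line(line):
    """Parse one IOS syslog line; PRI = facility * 8 + severity (RFC 3164)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return Event(m["origin"], pri >> 3, pri & 7, m["ts"],
                 f"%{m['fac']}-{m['sev']}-{m['mnem']}", int(m["sev"]), m["msg"])

def check_event(ev, expected_facility=FACILITY_LOCAL0):
    """Problems with an event: a facility other than the one configured on the
    switch, or a PRI severity that disagrees with the mnemonic severity."""
    problems = []
    if ev.facility != expected_facility:
        problems.append(f"facility {ev.facility} != expected {expected_facility}")
    if ev.severity != ev.ios_severity:
        problems.append(f"PRI severity {ev.severity} != mnemonic severity {ev.ios_severity}")
    return problems

def failed_logins(text):
    """(origin switch, source IP) for every %SEC_LOGIN-4-LOGIN_FAILED event."""
    hits = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev.mnemonic == "%SEC_LOGIN-4-LOGIN_FAILED":
            src = SOURCE_RE.search(ev.msg)
            hits.append((ev.origin, src.group(1) if src else None))
    return hits
```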

Monday 12 February 2024

cisco secure client replacing anyconnect

The roaming client and the AnyConnect client are both going end of life and will be replaced by the Cisco Secure Client. The new client is becoming a general endpoint client for many Cisco products. The old clients will work until April 2025.


Before April 2025, you will need to uninstall the roaming client and install the new Cisco Secure Client with the Umbrella module and the JSON file on all roaming computers that you want to protect with Umbrella when they are at home.

All are available for download in your umbrella dashboard:


Download the new Cisco Secure Client and the .json file.


You can use SCCM or similar to deploy it out to your clients.

Friday 9 February 2024

useful openssl commands

 echo "" | openssl s_client -connect website.ie:443 -showcerts


echo "" | openssl s_client -connect website.ie:443 -showcerts | openssl x509 -noout -text -fingerprint


echo "" | openssl s_client -connect AD01.domain.local:636 -showcerts


echo "" | openssl s_client -connect AD01.domain.local:389 -starttls ldap -showcerts


openssl pkcs12 -nokeys -nocerts -info -in Example1.pfx


openssl.exe s_client -connect 100.100.50.8:443 -servername fs1.domain.com -showcerts


Get info (no keys or certs printed, just the bundle details)

openssl pkcs12 -nokeys -nocerts -info -in bundle.pfx


Export key (encrypted) and then strip the passphrase

openssl pkcs12 -in bundle.pfx -nocerts -out key.enc.key

openssl rsa -in key.enc.key -out key.key


Export private key from PFX (unencrypted, -nodes)

openssl pkcs12 -in bundle.pfx -nodes -nocerts -out key.enc.key

Filter out TCP re transmissions wireshark

 (tcp.analysis.retransmission or tcp.analysis.fast_retransmission)

Thursday 8 February 2024

palo global protect rdp freeze issue

 https://live.paloaltonetworks.com/t5/general-topics/rdp-freeze-fix-globalprotect/td-p/335816


Important: This regedit goes on the machine you are remoting into, not the machine you are remoting from.

 

HKLM\SOFTWARE\Microsoft\Terminal Server Client

UseURCP (Create this new DWORD with value of 0)

 

You can use this from a command prompt as long as you have admin privileges on the box:

REG ADD "HKLM\SOFTWARE\Microsoft\Terminal Server Client" /v UseURCP /t REG_DWORD /d 0 /f

Wednesday 7 February 2024

palo alto software upgrade

Backup config 

Device > Setup > Operations > export 


Download the software and sync to HA peer

Device > Software > Check now

You can jump within a major release, e.g. 10.2.10 to 10.2.10-h3

If you need to go up a few versions you need to step through them, e.g.

10.2.5 > 10.2.10 > 11.0 > 11.5


Go onto the standby and install the update

Let that install and reboot

The reboot can take 15 minutes

You may see an error on the primary that the config is not synced; you can ignore it


Disable HA on primary to let the secondary take over

Device > High Availability > Suspend local device for high availability


Install update and reboot on primary

When it comes back up re-enable HA

Thursday 1 February 2024

open case with palo support


They need these details

Example:

Device: Palo alto firewall PA-850

Device serial number: 1234567890

Software version: 10.1.5-h1

End user company: Customer Name

Reseller company: MSP Company Name

Contact number: +xxx xxxxxxxx


Wednesday 10 January 2024

packet capture on cisco switch

 https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-3/configuration_guide/b_163_consolidated_3850_cg/b_163_consolidated_3850_cg_chapter_01001011.html

Thursday 4 January 2024

Palo alto GP MFA setup with MS Azure MFA

 https://www.youtube.com/watch?v=GxRdPPsIHH8&t=1186s

Identifier (Entity ID) URL: https://vpn.domain.com:443/SAML20/SP

The :443 in the URL is needed

Reply URL (Assertion Consumer Service URL):  https://vpn.domain.com:443/SAML20/SP/ACS