https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/R6BGArNQ/TECSEC-3004.pdf
system support trace
You can use the migration tool to do this.
From PAN-OS 10.1 onwards there is also a bulk log forwarding option for security rules in Policy Optimizer, under
Policies > Security
Policy Optimizer in the bottom left
You need to have configured logging and your log forwarding profile in advance.
Select "None" to find all the rules with no log forwarding profile applied
Click the first rule
Scroll to the bottom
Hold Shift and click the last rule to select them all
In the bottom left click "Attach Log Forwarding Profile"
Select your profile "LOG-FWD-PROFILE"
Click OK
Commit
Info found on:
https://live.paloaltonetworks.com/t5/general-topics/log-forwarding-profile-in-all-security-policies/td-p/205426
Get hostname
hostname
Get current user
whoami
Get serial number
wmic bios get serialnumber
Get manufacturer model name
wmic csproduct get name
Print out date/time
echo %DATE% %TIME%
Get OS name and version (takes a few seconds to run)
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
All IP config details
ipconfig /allcompartments /all
Get all NIC details
wmic nicconfig get description,IPAddress,MACaddress
Display the DNS cache
ipconfig /displaydns
Check hosts file
more %SystemRoot%\System32\Drivers\etc\hosts
Netstat (run as admin)
Get listening/established ports and PIDs
netstat -naob
netstat -naob | findstr LIST
Print routing table
netstat -nr
route print
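The netstat output above is the first thing to triage on a suspect Windows host, but `netstat -naob` prints the owning service and image on separate lines under each socket, which is awkward to grep. The following is an added example (not from the original notes) that parses that layout into records and lists listening sockets by process, so unexpected listeners stand out. The sample output is constructed, not captured from a real host.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -naob` output (run as admin). Not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    192.168.1.10:49700     52.1.2.3:443           ESTABLISHED     5120
 [chrome.exe]
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       7788
 [unknown.exe]
  UDP    0.0.0.0:500            *:*                                    2332
  IKEEXT
 [svchost.exe]
"""

TCP_STATES = ("LISTENING|ESTABLISHED|TIME_WAIT|CLOSE_WAIT|SYN_SENT|SYN_RECEIVED|"
              "FIN_WAIT_1|FIN_WAIT_2|CLOSING|LAST_ACK|BOUND")
# One socket line: proto, local, foreign, optional state (UDP has none), PID.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(" + TCP_STATES + r")\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Turn `netstat -naob` text into a list of dicts; -b owner lines are attached
    to the socket line that precedes them."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "foreign": foreign,
                          "state": state or "", "pid": int(pid),
                          "image": None, "components": []})
            continue
        if not conns:
            continue  # banner and column header before the first socket
        s = line.strip()
        if not s:
            continue
        cur = conns[-1]
        if s.startswith("[") and s.endswith("]"):
            cur["image"] = s[1:-1]          # owning executable, e.g. [svchost.exe]
        elif s.startswith("Can not obtain"):
            cur["image"] = "<unavailable>"  # typical for PID 4 (System)
        else:
            cur["components"].append(s)     # service or DLL hosted in the process
    return conns


def listening_by_process(conns):
    """Map (pid, image) -> list of 'proto/port' for sockets that accept traffic."""
    out = defaultdict(list)
    for c in conns:
        if c["proto"] == "UDP" or c["state"] == "LISTENING":
            port = int(c["local"].rsplit(":", 1)[1])  # rsplit also copes with [::]:port
            out[(c["pid"], c["image"] or "?")].append(f'{c["proto"]}/{port}')
    return dict(out)


def unexpected_listeners(conns, expected_images):
    """TCP listeners whose owning image is not on the baseline list (or could not be resolved)."""
    return [c for c in conns
            if c["state"] == "LISTENING" and (c["image"] or "") not in expected_images]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for key, ports in sorted(listening_by_process(conns).items()):
        print(key, ports)
    for c in unexpected_listeners(conns, {"svchost.exe", "System"}):
        print("review:", c["pid"], c["image"], c["local"])
```

On a live host, feed it the real output with `netstat -naob > netstat.txt` and compare the listener list against a baseline taken from a known-good build; anything owned by an image outside that baseline, or with unresolvable ownership on a PID other than 4, is worth a `tasklist /svc` and `handle` follow-up.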
List sessions with other computers
net session
net session \\pcname /list
Print out machines we can see on the domain
net view
net view \\127.0.0.1
View NetBIOS over TCP/IP details
nbtstat -S
Show arp table
arp -a
WLAN info
netsh wlan show interfaces
netsh wlan show all
List services
services.msc
tasklist
Show what's inside each svchost process
tasklist /svc
tasklist.exe /FI "PID eq 8988" /svc
sc query
wmic service list config
Sysinternals
pslist
pskill
Event logs
eventvwr
wevtutil qe security /f:text | more
Local users
lusrmgr.msc
net users
Startup apps
msconfig
autoruns
xcopy find files for a specific date (note date format)
xcopy \\servername\sharename$\*.* /S /L /H /D:mm-dd-yyyy | more
Find files bigger than 30MB
for /R c:\ %i in (*) do @if %~zi gtr 30000000 echo %i %~zi
Sysinternals
tcpvcon -a
psloggedon
logonsessions
handle
listdlls
procexp
procmon
sysmon
autoruns
debug software restart log-receiver
debug software restart management-server
This can be done from the web GUI under Monitor > Packet Capture
Set up your filters
Add your stages: rx, tx, fw, drop
Switch on filtering and packet capture
You can also run tcpdump from the CLI; that is the only method that captures management interface traffic, such as syslog.
https://www.sonicwall.com/support/knowledge-base/configuring-aggressive-mode-site-to-site-vpn-when-a-site-has-dynamic-wan-public-ip-address/170505565649605/
https://docs.paloaltonetworks.com/resources/edl-hosting-service
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/configure-the-firewall-to-access-an-external-dynamic-list-from-the-edl-hosting-service/create-an-external-dynamic-list-using-the-edl-hosting-service
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/enforce-policy-on-an-external-dynamic-list#id65d71322-1c04-4eb7-ab66-4d9bb3f41a52
Also need a FW rule to allow the mgmt IP to download EDLs from:
saasedl.paloaltonetworks.com on ssl
10.46.251.254
Logging on
logging origin-id ip
logging facility local0
logging source-interface Vlan250
logging host x.x.x.x
x.x.x.x = your syslog server
For testing
send log TEST
The Umbrella roaming client and the AnyConnect client are both going end of life and will be replaced by the Cisco Secure Client. The new client is becoming a general endpoint client for many Cisco products. The old clients will work until April 2025:
Before April 2025, you will need to uninstall the roaming client and install the new Cisco Secure Client with the Umbrella module and the JSON file on all roaming computers that you want to protect with Umbrella when they are at home.
All are available for download in your Umbrella dashboard:
Download the new Cisco Secure Client and the .json file.
You can use SCCM or similar to deploy it out to your clients.
echo "" | openssl s_client -connect website.ie:443 -showcerts
echo "" | openssl s_client -connect website.ie:443 -showcerts | openssl x509 -noout -text -fingerprint
echo "" | openssl s_client -connect AD01.domain.local:636 -showcerts
echo "" | openssl s_client -connect AD01.domain.local:389 -starttls ldap -showcerts
openssl pkcs12 -nokeys -nocerts -info -in Example1.pfx
openssl.exe s_client -connect 100.100.50.8:443 -servername fs1.domain.com -showcerts
Get info
openssl pkcs12 -in bundle.pfx -nokeys -nocerts -info
Export key
openssl pkcs12 -in bundle.pfx -out key.enc.key
openssl rsa -in key.enc.key -out key.key
Export private key from PFX (unencrypted, so handle the output file carefully)
openssl pkcs12 -in bundle.pfx -nodes -nocerts -out key.enc.key
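The `echo "" | openssl s_client ... | openssl x509` one-liners above are what you run by hand; the usual follow-up is a small check that turns that output into "days until this certificate expires". This is an added example, not part of the original notes: it wraps the same s_client/x509 pipeline (including the `-servername` and `-starttls ldap` variants) and parses the `notBefore`/`notAfter`/`subject`/fingerprint lines. The `SAMPLE_X509` text is constructed so the parsing runs offline; `fetch_cert_text` needs a reachable host and a local `openssl` binary.

```python
import re
import subprocess
from datetime import datetime, timezone

DATE_RE = re.compile(r"^(notBefore|notAfter)=(.+)$")
FP_RE = re.compile(r"^(\w+) Fingerprint=([0-9A-Fa-f:]+)$")


def fetch_cert_text(host, port=443, servername=None, starttls=None):
    """Same pipeline as the notes: `echo "" | openssl s_client ... | openssl x509 ...`.
    starttls="ldap" reproduces the port 389 variant; servername sets SNI."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-showcerts"]
    if servername:
        cmd += ["-servername", servername]
    if starttls:
        cmd += ["-starttls", starttls]
    # Empty stdin (the `echo ""`) makes s_client exit once the handshake is done.
    pem = subprocess.run(cmd, input=b"", capture_output=True, timeout=20).stdout
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-dates", "-subject", "-fingerprint", "-sha256"],
        input=pem, capture_output=True, timeout=20)
    return x509.stdout.decode(errors="replace")


def parse_openssl_date(s):
    # openssl prints e.g. "Mar  4 23:59:59 2025 GMT" (single-digit day padded with a second space)
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def parse_x509_summary(text):
    """Pick notBefore/notAfter, subject and fingerprint out of `openssl x509` output."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        m = DATE_RE.match(line)
        if m:
            info[m.group(1)] = parse_openssl_date(m.group(2))
            continue
        if line.startswith("subject="):
            info["subject"] = line[len("subject="):].strip()
            continue
        m = FP_RE.match(line)
        if m:
            info["fingerprint"] = (m.group(1).upper(), m.group(2).upper())
    return info


def check_cert_text(text, now_iso=None, warn_days=30):
    """Classify the certificate as of now_iso (ISO date/time, UTC; default: current time)."""
    info = parse_x509_summary(text)
    now = (datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    days_left = (info["notAfter"] - now).days
    if now < info["notBefore"]:
        status = "NOT_YET_VALID"
    elif days_left < 0:
        status = "EXPIRED"
    elif days_left <= warn_days:
        status = "EXPIRING_SOON"
    else:
        status = "OK"
    return {"subject": info.get("subject"), "fingerprint": info.get("fingerprint"),
            "days_left": days_left, "status": status}


# Constructed sample of `openssl x509 -noout -dates -subject -fingerprint -sha256` output.
SAMPLE_X509 = """\
notBefore=Jan  1 00:00:00 2025 GMT
notAfter=Mar 31 23:59:59 2025 GMT
subject=CN = website.ie
sha256 Fingerprint=0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9
"""

if __name__ == "__main__":
    import sys
    # python thisfile.py website.ie        -> live check; no argument -> constructed sample
    text = fetch_cert_text(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_X509
    print(check_cert_text(text))
```

Keeping the fingerprint in the result lets you diff it against the value you recorded when the certificate was issued, which is the quickest way to notice that a load balancer or an interception proxy is presenting something other than the certificate you installed.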
(tcp.analysis.retransmission or tcp.analysis.fast_retransmission)
https://live.paloaltonetworks.com/t5/general-topics/rdp-freeze-fix-globalprotect/td-p/335816
Important: This regedit goes on the machine you are remoting into, not the machine you are remoting from.
HKLM\SOFTWARE\Microsoft\Terminal Server Client
UseURCP (Create this new DWORD with value of 0)
You can use this from a command prompt as long as you have admin privileges on the box:
REG ADD "HKLM\SOFTWARE\Microsoft\Terminal Server Client" /v UseURCP /t REG_DWORD /d 0 /f
Backup config
Device > Setup > Operations > export
Download the software and sync to HA peer
Device > Software > Check now
You can jump within a release, e.g. 10.2.10 to 10.2.10-h3
If you need to go up a few versions you need to step through them, e.g.
10.2.5 > 10.2.10 > 11.0 > 11.5
Go onto the standby and install the update
Let that install and reboot
The reboot can take 15 minutes
You may see an error on the primary that the config is not synced; you can ignore it
Disable HA on the primary to let the secondary take over
Device > High Availability > Suspend local device for high availability
Install the update and reboot on the primary
When it comes back up, re-enable HA
They need these details, for example:
Device: Palo Alto firewall PA-850
Device serial number: 1234567890
Software version: 10.1.5-h1
End user company: Customer Name
Reseller company: MSP Company Name
Contact number: +xxx xxxxxxxx
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-3/configuration_guide/b_163_consolidated_3850_cg/b_163_consolidated_3850_cg_chapter_01001011.html
https://www.youtube.com/watch?v=GxRdPPsIHH8&t=1186s
Identifier (Entity ID) URL: https://vpn.domain.com:443/SAML20/SP
The :443 is needed in the URL
Reply URL (Assertion Consumer Service URL): https://vpn.domain.com:443/SAML20/SP/ACS