Monday, 18 December 2017

change between expert mode and clish on Check Point firewall

http://svendsen.me/change-clish-to-bash-and-back/

what works for me

In CLISH -> type "expert"

In expert -> type "/etc/clish"

clish might be in a different location for you; try "locate clish" or "whereis clish"

Try "csh" or "/etc/csh"

On PH CP's
I had to do
cd $FWDIR
cd bin
cphaprob -a if

Tuesday, 12 December 2017

clear config on an interface cisco ASA

Go into conf t
clear configure interface gigabitEthernet 0/4

This resets the interface to the following, so be careful:
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address

Friday, 1 December 2017

setup syslog on cisco ASA

Syslog is UDP traffic on port 514.
The ASA sends from its own interface IP address, source port 514, to the syslog server IP on destination port 514:
192.168.1.254.514 > 192.168.1.100.514:  udp 201

Usual config to enable syslog:
logging enable
logging timestamp
logging trap debugging
logging facility 23
logging device-id ipaddress inside system
logging host INSIDE x.x.x.x
no logging hide username

For FMC FlexConfig, drop the g for some reason: "no loggin hide username"


Syslog over S2S VPN
First make sure the VPN is up and working

logging enable
logging timestamp
logging trap debugging
logging asdm debugging

logging device-id ipaddress inside
logging device-id ipaddress inside system (system: use the cluster system IP address of the interface to present an integrated view for all units)

The logging host interface can differ, not sure why:
logging host inside 10.36.0.200
logging host outside 10.36.0.200 (in some cases I had to use outside, ASA v8.2)

You will get a warning (because the route is via outside) but it will work:
WARNING:  configured logging host interface conflicts with route table entry

You also need to have management access configured, like so:
management-access inside

Set route
route outside 10.36.0.200 255.255.255.255 100.100.200.200 1

It's a good idea to allow SSH on the outside (public IP) and inside (LAN IP) so you can SSH in and check/change settings:
ssh 180.100.100.100 255.255.255.255 outside
ssh 192.168.200.200 255.255.255.255 inside

Permit host down (keep passing traffic if the syslog server is unreachable):
logging permit-hostdown

More detail
Examples:
logging host dmz1 192.168.1.5 udp 1026 format emblem

The format emblem keyword enables EMBLEM format logging for the syslog server with UDP only. The interface_name argument specifies the interface through which you access the syslog server. The syslog_ip argument specifies the IP address of the syslog server. The tcp[/ port ] or udp[/ port ] keyword and argument pair specify that the ASA and ASASM should use TCP or UDP to send syslog messages to the syslog server.

You can configure the ASA to send data to a syslog server using either UDP or TCP, but not both. The default protocol is UDP if you do not specify a protocol.

If you specify TCP, the ASA discovers when the syslog server fails and, as a security protection, new connections through the ASA are blocked. To allow new connections regardless of connectivity to a TCP syslog server, see Step 3 (logging permit-hostdown, below). If you specify UDP, the ASA continues to allow new connections whether or not the syslog server is operational. Valid port values for either protocol are 1025 through 65535. The default UDP port is 514. The default TCP port is 1470.


logging trap debugging

Specifies which syslog messages should be sent to the syslog server. You can specify the severity level number (1 through 7) or name. For example, if you set the severity level to 3, then the ASA sends syslog messages for severity levels 3, 2, and 1. You can also specify a custom message list that identifies the syslog messages to send to the syslog server.


logging permit-hostdown

(Optional) Keeps traffic flowing when the TCP syslog server is unreachable. If you negate this command and the syslog server goes down, then traffic through the ASA stops flowing.


logging facility 23

(Optional) Sets the logging facility to a value other than 20, which is what most UNIX systems expect.


logging buffered

Specifies which syslog messages should be sent to the internal log buffer, which serves as a temporary storage location. New messages are appended to the end of the list. When the buffer is full, that is, when the buffer wraps, old messages are overwritten as new messages are generated, unless you configure the ASA to save the full buffer to another location. To empty the internal log buffer, enter the clear logging buffer command.


logging buffer-size 16384

Changes the size of the internal log buffer. The default buffer size is 4 KB.


logging savelog latest-logfile.txt

Saves the current log buffer content to the internal flash memory.


logging asdm debugging


logging console debugging

Specifies which syslog messages should be sent to the console port.


logging monitor debugging

Specifies which syslog messages should be sent to a Telnet or SSH session.


terminal monitor

Enables logging to the current session only. If you log out and then log in again, you need to reenter this command. To disable logging to the current session, enter the terminal no monitor command.


logging standby

Sends logs from the standby ASA as well.


logging list


More here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_syslog.html


setting up syslog on cisco router

Send typed config commands to syslog:
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys

Send debugging logs to syslog:
logging trap debugging

Send our origin ID as our IP:
logging origin-id ip

Set facility to local0:
logging facility local0

Set the source interface to Gig0/0:
logging source-interface GigabitEthernet0/0

Set the logging host to the IP address of the syslog server:
logging host x.x.x.x

Switch logging on for all destinations:
logging on

Make sure you have routes to your syslog server.
Also check firewall rules: you need syslog (UDP 514) open.
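As an added example (my code, not from the original post or from Cisco) covering both the ASA config above and the router config just shown, here is a receiver-side check in Python: it decodes the <PRI> prefix into facility and severity (23 = local7 on the ASA, 16 = local0 on the router), cross-checks the severity digit in the %COMPONENT-SEVERITY-ID header, and lists which messages a given "logging trap" level would actually have forwarded. The sample lines are constructed, not real captures.

```python
import re
from dataclasses import dataclass

FACILITY_NAMES = {16 + i: "local%d" % i for i in range(8)}   # local0..local7 = 16..23
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")
HEADER_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)$")

# Constructed sample lines (not real captures): two ASA lines as produced with
# "logging timestamp" + "logging device-id", two IOS lines with "logging origin-id ip".
SAMPLE_LINES = [
    "<190>Dec 01 2017 10:15:01 asa-fw : %ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.5/40001 (203.0.113.5/40001) to inside:192.168.1.100/443 (198.51.100.1/443)",
    "<187>Dec 01 2017 10:15:02 asa-fw : %ASA-3-710003: TCP access denied by ACL from 203.0.113.9/5555 to outside:198.51.100.1/22",
    "<133>42: 192.168.1.1: *Dec  1 10:15:03.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<133>43: 192.168.1.1: *Dec  1 10:15:04.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet0/1",
]

@dataclass
class SyslogMsg:
    facility: int
    severity: int
    component: str   # "ASA" on the firewall; "SYS", "PARSER", ... on IOS
    mnemonic: str    # "302013", "CONFIG_I", ...
    text: str

def parse_line(line):
    # <PRI> is facility*8 + severity; the valid range is 0..191
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid <PRI> prefix")
    pri = int(m.group(1))
    h = HEADER_RE.search(m.group(2))
    if not h:
        raise ValueError("no %COMPONENT-SEVERITY-ID header")
    msg = SyslogMsg(pri // 8, pri % 8, h.group(1), h.group(3), h.group(4))
    # The digit in the header is the same severity the PRI encodes; a mismatch
    # usually means a relay rewrote the PRI or the line was mangled in transit.
    if int(h.group(2)) != msg.severity:
        raise ValueError("PRI severity %d != header severity %s" % (msg.severity, h.group(2)))
    return msg

def would_be_sent(msg, trap_level):
    # "logging trap <level>" sends that level and everything more severe (lower number)
    return msg.severity <= trap_level

def sent_ids(lines, trap_level):
    # Message IDs the device would actually forward at this "logging trap" level
    return [m.component + "-" + m.mnemonic for m in map(parse_line, lines)
            if would_be_sent(m, trap_level)]
```

If the facility you decode is not the one you configured (facility 23 / local0), the collector is filing the messages under the wrong log and that is the first thing to fix before chasing the rules.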

Friday, 17 November 2017

installing line cards cisco in 6500

Install 720 sup in 6500

Fully open ejector levers on the new sup

Sups should be installed in
slot5 or slot6

Remove the slot cover.
Look inside and make sure there is enough clearance; check the cables from other slots and anything else inside the 6500.
Line up the card with the slot and push it in slowly.
Push down and in on the levers, the left one then the right one; you should feel it click in.

The LEDs should be green; orange or red needs to be investigated.


Install line card

Same process as above. Cards should be hot swappable, but it's always a good idea to schedule a maintenance window for this work.

Friday, 10 November 2017

Clearing cache for cisco amp

Sometimes you might get a false positive. Cisco will update their signatures, but you might still have the old one in your cache. To make the alert go away you have to clear the cache, update and scan again; it should then come up clean.


Removal of the FireAMP Cache and History Files on Windows
https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118565-technote-fireamp-00.html#anc1


Clear Cache firepower FMC/sensor

Follow these steps to clear the cache on the DC and Sensor (from CSCuu81183):

Management Center:
SSH into the Management Center
Become root: sudo su -
# pmtool restartbyid SFDataCorrelator
# pmtool disablebyid SFDataCorrelator
# cd /etc/sf
# rm malw_cache_seed_file.dc
# pmtool enablebyid SFDataCorrelator

Firepower Device:
SSH into the Firepower device
Become root: sudo su -
# pmtool restartbyid SFDataCorrelator
# pmtool disablebyid SFDataCorrelator
# cd /etc/sf
# rm malw_cache_seed_file.sensor
# pmtool enablebyid SFDataCorrelator
# pmtool restartbytype snort
# pmtool disablebytype snort
# cd /var/sf/detection-engines/<uuid>
(find the UUID for this step by running de_info.pl and copying the UUID of the Primary Detection Engine)
# rm -rf instance?*/malw_seed*
# pmtool enablebytype snort

Wednesday, 8 November 2017

Cisco Umbrella install and setup docs

Good Youtube setup video
https://www.youtube.com/watch?v=8B7xP6wV9dg

AD
https://docs.umbrella.com/product/umbrella/1-ad-integration-setup-overview/

Prereqs (firewall rules)
https://docs.umbrella.com/product/umbrella/2-prerequisites/

Setting up the VAs
https://docs.umbrella.com/product/umbrella/3-setup-dns-forwarding-with-your-vas/
https://docs.umbrella.com/deployment-umbrella/docs/active-directory-integration-with-the-virtual-appliances

Troubleshooting docs:
AD connector
https://support.umbrella.com/hc/en-us/articles/230902468-Provide-Support-with-AD-Connector-Logs

On the DCs you need to run a script (which connects to the VA) and install a Windows service so it can look in on AD users. You also need an OpenDNS_Connector user set up in AD.

In umbrella dashboard
AD server = script (needs to be assigned to a VA after it's run)
AD Connector = service


More docs:
AD integration VA vs Roaming client
https://support.umbrella.com/hc/en-us/articles/115004651366-AD-Integration-Delivery-via-VA-vs-Roaming-Client

By default the roaming client will switch itself off when it detects a VA on the same LAN ("VA backoff"); this default can be changed.
https://support.umbrella.com/hc/en-us/articles/230901168#VirtualAppliance

Best practice for policy creation
https://docs.umbrella.com/deployment-umbrella/docs/best-practices-for-defining-policies
https://docs.umbrella.com/deployment-umbrella/docs/policy-precedence


Comms flow (good diagrams on how it works)
https://docs.umbrella.com/deployment-umbrella/docs/appx-a-communication-flow-and-troubleshooting

Why use VA
https://docs.umbrella.com/deployment-umbrella/docs/1-introduction#section-why-should-i-use-virtual-appliances

VA setup guide
https://docs.umbrella.com/deployment-umbrella/docs/2-prerequisites-1#section-networking-requirements

Limitations
Umbrella can't work with RDS/Citrix where multiple users log into the same server, because the user ID comes from the login event. The workaround is to create an internal network object for that server and assign it to a policy with a higher priority. Every user on that server will then get the same access from that one policy.

https://docs.umbrella.com/deployment-umbrella/docs/8-sites-and-internal-networks

RDP: when you RDP to a server, the source IP shows as the server you RDP'd from, not the server you RDP'd to. This can lead to identity switching issues.

Prepare AD
https://docs.umbrella.com/deployment-umbrella/docs/4-prepare-your-active-directory-environment

Summary steps
Set domain controller DNS forwarders to Umbrella:
208.67.222.222 (resolver1.opendns.com)
208.67.220.220 (resolver2.opendns.com)
Remove any other DNS forwarders from other ISP etc.

In each windows domain
Run the script first on each DC (get files from umbrella dashboard)

Install the AD connector (get files from umbrella dashboard)
You only need to install one AD connector but two is a good idea. You can put one on each DC if you like.

Set up the OpenDNS_Connector user. Record the password in the PW manager.

Config public IP range(s)
Config public IP ranges under deployments > core identities > networks

Install 2 VAs in VMware (get files from the Umbrella dashboard)
You need 2 VAs because you need to give out two DNS servers.
You need VAs for user ID.

VA Install
Download OVA from Dashboard
Open VMware
Deploy the OVA file
Should be next, next, finish to deploy the OVA.
CTRL + B to get into config mode.
*** NOTE
The VMware web console may not pass the key combination through.
Try the right Ctrl key; otherwise you need to download VMRC.

Type exit to get out of config mode (you need to wait a little bit).
The default password is Umbrella[orgid], e.g. Umbrella1234567.
The OrgID can be got from the dashboard URL /o/123456.
You will be asked to change the password. You won't be able to paste. The PW must be recorded.

config va name <name>
config va interface <ipaddress> <netmask> <gateway>
config localdns add 192.168.1.10
config localdns add 192.168.1.20


Create firewall rules to allow your VAs and DCs out to Umbrella.
Ensure OCSP sites are allowed also.

Assign your VAs and DCs to a site in the Umbrella cloud

Configure any internal domains needed (internal DNS servers need to be able to resolve)

Block top level domains (.ru .cn .cc .xyz etc)
https://docs.umbrella.com/deployment-umbrella/docs/add-top-level-domains-to-destination-lists
Be careful of:
.co (Colombia, but can block .com, .co.uk as well)
.io (used by tech)
.ai (used by AI tech)
.in (India, used by linked.in, logme.in)

Block anonymizer app category
Policies -> Policy components -> application settings
Edit default settings
Tick Anonymizer
Click Save

Then go to Policies -> Management -> DNS policies
Edit your policy
Edit the Application Setting applied -> Tick Anonymizer (or select default settings)
Click Save

Create umbrella DNS policies (will need customer input)
Cisco recommends most specific to least (this may not work for you, but it's a good starting point):
1 - AD user policies (to specific users)
2 - AD group policies (to AD groups)
3 - Roaming computer (roaming computer ID's)
4 - Network / site (can setup internal networks /24 etc and /32 for hosts)
5 - Default policy (if we didn't match any other ID, give the default)

Block Apps
https://docs.umbrella.com/deployment-umbrella/docs/block-apps#configure-application-settings-for-a-policy

Limitations in DNS policy tester (doesn't pick up apps)
https://support.umbrella.com/hc/en-us/articles/230903708-Limitations-of-the-Umbrella-DNS-Policy-Tester

Check the cloud dashboard for any issues with DCs/VAs and resolve them

Set the update window and upgrade VAs to latest
In the Umbrella dashboard set the auto-upgrade window; watch out for the time zone. Also upgrade your VAs (one at a time) to the latest software version.

DNS config
Workstations and non-DC Servers
- set the DNS servers to VA IPs

DCs
- DNS servers set to loopback (127.0.0.1) and other DC IP
- External forwarders set to umb external servers 208.67.220.220 and 208.67.222.222

On-prem mail servers
The other exception is mail servers (on-prem mail servers aren't as common these days):
Mail servers
 - DNS servers set to loopback and other DC(s)

Change DHCP
Change DHCP or deploy a script to set all clients to use the VAs as their DNS servers.


Change firewall rules
Only allow internal DNS to the VA IPs.

Only allow external DNS to umbrella IPs. Block/log other DNS.
208.67.222.222 (resolver1.opendns.com)
208.67.220.220 (resolver2.opendns.com)

You may want a temp rule to allow IT to use 8.8.8.8 (google) or 1.1.1.1 (cloudflare) for testing or temp admin tasks.
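Added example (my code, not from the post or from Cisco): a Python model of the DNS egress rules just described, run over a few constructed flow records so you can see which hosts would still be bypassing the VAs after the cutover. The Umbrella resolver IPs are the ones from the notes; the VA, DC, LAN and IT host addresses are placeholders (the DC IPs reuse the 192.168.1.10/.20 from the localdns lines above, assumed here to be the DCs).

```python
import ipaddress
from typing import NamedTuple

IP, NET = ipaddress.ip_address, ipaddress.ip_network
# Umbrella's published resolvers (from the notes); everything else below is a
# constructed placeholder for this example, not a real deployment.
UMBRELLA = {IP("208.67.222.222"), IP("208.67.220.220")}
VA_IPS = {IP("192.168.1.30"), IP("192.168.1.31")}          # the two VAs (constructed)
DC_IPS = {IP("192.168.1.10"), IP("192.168.1.20")}          # the "config localdns add" servers, assumed DCs
LAN = NET("192.168.0.0/16")                                # constructed
IT_HOSTS = {IP("192.168.9.9")}                             # temp exception for IT testing (constructed)
IT_RESOLVERS = {IP("8.8.8.8"), IP("1.1.1.1")}

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

def classify_dns_flow(f):
    """Apply the egress rules: clients -> VAs only, VAs/DCs -> DCs for internal domains,
    VAs/DCs -> Umbrella only, IT temp rule to public resolvers, block + log the rest."""
    if f.dport != 53 or f.proto not in ("udp", "tcp"):
        return "not-dns"
    src, dst = IP(f.src), IP(f.dst)
    if dst in VA_IPS and src in LAN:
        return "allow"        # internal DNS goes to the VAs
    if dst in DC_IPS and (src in VA_IPS or src in DC_IPS):
        return "allow"        # VA localdns lookups and DC-to-DC
    if dst in UMBRELLA and (src in VA_IPS or src in DC_IPS):
        return "allow"        # only VAs and DC forwarders may reach Umbrella
    if dst in IT_RESOLVERS and src in IT_HOSTS:
        return "allow"        # temporary admin exception, remove after cutover
    return "block+log"

def bypassers(flows):
    # Flows that skip the VAs are hosts still pointing at old DNS; these need fixing
    return [f for f in flows if classify_dns_flow(f) == "block+log"]

# Constructed flow records exercising each rule.
SAMPLE_FLOWS = [
    Flow("192.168.5.20", "192.168.1.30", "udp", 53),    # workstation -> VA
    Flow("192.168.1.30", "192.168.1.10", "udp", 53),    # VA -> DC (internal domain)
    Flow("192.168.1.30", "208.67.222.222", "udp", 53),  # VA -> Umbrella
    Flow("192.168.1.10", "208.67.220.220", "tcp", 53),  # DC forwarder -> Umbrella
    Flow("192.168.5.21", "8.8.8.8", "udp", 53),         # workstation -> Google DNS: bypass
    Flow("192.168.5.21", "208.67.222.222", "udp", 53),  # workstation -> Umbrella direct, no user ID: bypass
    Flow("192.168.9.9", "1.1.1.1", "udp", 53),          # IT temp rule
    Flow("192.168.5.22", "192.168.1.30", "tcp", 443),   # not DNS
]
```

The second bypass case matters: a client that reaches Umbrella directly still gets filtered, but without the VA it loses AD user identity and so lands in the default policy.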

Test sites 
https://support.umbrella.com/hc/en-us/articles/115000411528-What-are-the-Umbrella-Test-Destinations
https://welcome.umbrella.com/
http://www.examplemalwaredomain.com/
internetbadguys.com
https://policy-debug.checkumbrella.com

Where to drop the OrgInfo.json file
Install Cisco Secure Client.
Tick the Umbrella module and DART/diagnostics.
Drop the JSON file into:
%ProgramData%\Cisco\Cisco Secure Client\Umbrella\OrgInfo.json