The file is called .neovintageousrc
Located in C:\Users\[USERNAME]\AppData\Roaming\Sublime Text 3\Packages\User
Initial purchase and delivery
Customer buys equipment and licenses
Get hold of equipment and do initial config
Customer support portal account setup
Need to get customer to register on
https://support.paloaltonetworks.com/Support/Index
They have to go to Members > Manage Users > add our email as super users
Add firewalls to the portal
Once added we can add the serials of the firewalls
Activate licenses on firewalls
Device -> Licenses
Refresh in top right
Retrieve license key from license server
Activate feature using auth code (auth codes found in email in job folder)
Once we have licenses
Create a rule to allow fw IPs (mgmt and lan) to download updates
applications start with paloalto-
you usually want
device-telemetry
logging-service
shared-services
suppt-case
updates
wildfire-cloud
ssl
dns
ntp
google-base (for google dns)
Dynamic updates (AV and apps+threats)
Where possible choose sync to HA
Update wildfire and Apps and threats
Device -> Dynamic updates
Download (sync to ha peer)
Then install
Update PAN software
Where possible choose sync to HA
Device -> Software (check now button)
For example to upgrade to 11.0.1
We first need to download the base package 11.0.0
Then download and install 11.0.1
Often you will have to update dynamic updates first
Check back on Initial Dynamic updates
After config, new things appear; make sure they are downloaded and installed and you have schedules set up
Wildfire = realtime
Device Dictionary = N/A
GP clientless VPN = Usually set to none, updates done at customer request
Apps + Threats = every 30 min, download + install, sync to peer
AV = every day, download + install, sync to peer
Setup security profiles
Under objects -> Security profiles
Config
AV
AS
Vuln protection
URL (if needed)
File blocking (use strict profile)
Wildfire
DoS Protection
Refer to other FWs
Once all are configured you can make a group
Under objects -> Security profiles groups
Set up the IPS group and select all the profiles set up above
Apply the group to your firewall rules
Setup global protect
https://www.youtube.com/watch?v=rfO-9k2gw2M
Enable SNMP monitoring
Needs to be done twice (once per HA peer) because management interface config is not synced
Device -> setup -> operations -> misc -> snmp setup
Device -> setup -> interfaces -> Management -> network services -> tick "SNMP"
For traps
Device -> Server profiles -> SNMP Trap -> Add
Not sure if you need FW rules but check on it after
Don't forget to commit changes
Make sure you have the config on both active + passive
Initial config
Keep in mind DNS and HA settings are not synced, so they must be configured manually on each FW
Enable block rules for the built-in Palo Alto lists like Tor exit nodes and known malicious IPs
Need to untick "application default"
Consider enabling geo block
Can have lots of issues with cloud services
After migration install
https://www.youtube.com/watch?v=rfO-9k2gw2M
vpn.domain.com must be resolvable from the LAN
If not can cause some upgrade issues
Setting the switch MTU for jumbo frames depends on make/model so will have to look it up
Mostly it's a global setting
check:
show system mtu
sh run all | i mtu
Set:
conf t
system mtu 9198
Often a reboot of the switch is needed for the change to take effect (won't affect normal devices on 1500 as they will never go above that).
Packet-tracer never worked well with VPN traffic, that was ok, but now in FMC/FTD it's also not working at all if you have Snort or geoblocking rules. You will see an "ip any any" allow. Instead you must use "system support trace" on live traffic. The whole point of packet-tracer is that we don't always have live traffic or access to generate live traffic.
From cisco:
Indeed, from the packet tracer side it looks like the packet is going through in that IP permit any any, but that rule in reality does not exist.
Any rule which relies on snort will be classified by the box as a L4 permit ip any any, and unfortunately having a geodb rule looks like a snort rule for the box.
This is documented here:
https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/218196-understand-how-lina-rules-configured-wit.html
Rules with Snort Features Are Deployed As Permit Any Any
When you create a rule with features that are run by Snort side, like Geolocation, URL (Universal Resource Locator) filter, Application detection, etc, they are deployed on Lina side as a permit any any rule.
At a first glance, this can confuse you and make you think that the FTD allows all the traffic on that rule and stops the rule match verification for the rules that follow.
We also have an enhancement request for this: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd00446
Unfortunately, this breaks the usage of the packet tracer feature, and in this case, you should rather use “> system support trace” if there is live traffic.
302013 - built inbound connection
302014 - teardown TCP connection
725012 - Device chooses cipher for the SSL session with peer interface
725008 - ssl client propose cipher
725007 - teardown new ssl connection / terminated
725001 - starting SSL handshake
725002 - SSL handshake completed
725003 - request to resume
113005 - AAA user authentication rejected
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4776913
Each connection that passes through the ASA produces around 9 syslog messages, so that will be a lot of logs
Old TAC security podcast
https://community.cisco.com/t5/security-knowledge-base/tac-security-podcast-show-information-and-episode-listing/ta-p/3126414
General syslog tips
Text zips up well so you can zip before sending
Knowing the time frame of the issue helps, as do any source / destination IPs
Notepad++ / Sublime are good for working with big files
For really big files you really want a Linux box
Windows users can run a VM as well, or install Cygwin
Use grep to look for sev 1 events
grep "ASA-1-" ASASYSLOG.txt
Look for sev 6 and pipe to head
grep "ASA-6" ASAlogs.txt | head -n 3
-v can be used to remove items from the log
grep "ASA-6" ASAlogs.txt | grep -v "ASA-6-302011" | grep -v "ASA-6-302015" | head -n 3
We can build up our command adding more -v items
grep "ASA-6" ASAlogs.txt | grep -v "ASA-6-302011" | grep -v "ASA-6-302015" | grep -v "ASA-6-305011" | head -n 3
Other Linux CLI tools that are very useful
cut / sed / awk / uniq / sort / bc
To remove all the characters on the line leading up to "Mar 28", use sed to find and replace that text with "nothing":
sed 's/^.*Mar 28/Mar 28/' ASAlogs.txt | head -n 4
cut can be used to display something specific from each line:
grep "ASA-6-305011" ASAlogs.txt | cut -f 13 -d ' '
<166>Mar 28 2013 08:22:50: %ASA-6-305011: Built dynamic TCP translation from inside:10.10.103.38/63894 to outside:192.168.124.149/63894
becomes
outside:192.168.124.149/63894
Now lets say you wanted to get rid of the 'outside' text at the start of each line. Use sed to replace that text with nothing:
grep "ASA-6-305011" ASAlogs.txt | cut -f 13 -d ' ' | sed 's/outside://g'
When connection is torn down (teardown event) there is a byte count included
You could look for the initiator and the byte count
IP and how many bytes transfer
Then sort that based on byte count
This would give you the top talker
Sort by IP addresses
Use bc to sum up the byte counts per IP and sort on the totals to see which IP was the top talker overall
You could also work on top number of connections, or look for usernames instead of IPs, etc. A DDoS may make a lot of connections but transfer a small amount of data
You could look at denied connections
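The grep / sort / uniq triage above (finding the noisy message IDs to exclude with -v) and the top-talker procedure just described, carried through as one added worked example. This is not part of the original notes: the ASA syslog lines are constructed for the example (message formats follow the ASA syslog reference, addresses are documentation ranges), and the interface name "inside" and the function names are assumptions made here. It uses awk for the per-host sums instead of bc so the whole thing is a single pass, and goes one step beyond the notes by also ranking hosts by connection count.

```shell
#!/bin/sh
# Added example, not from the original notes: first-pass triage of an ASA syslog
# export with POSIX tools (sed / awk / sort / uniq), covering the two tasks the
# notes describe: a histogram of message IDs, and "top talkers" worked out from
# the byte counts in 302014 teardown events, by bytes and by connection count.
# Every log line below is constructed for this example; message formats follow
# the ASA syslog reference, addresses are from documentation ranges.

sample_log() {
    cat <<'EOF'
<166>Mar 28 2013 08:22:50: %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.10.103.38/63894 (192.168.124.149/63894)
<166>Mar 28 2013 08:22:55: %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/443 to inside:10.10.103.38/63894 duration 0:00:05 bytes 48210 TCP FINs
<166>Mar 28 2013 08:23:01: %ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.7/80 to inside:10.10.103.38/63895 duration 0:00:02 bytes 96420 TCP FINs
<166>Mar 28 2013 08:23:05: %ASA-6-302014: Teardown TCP connection 1003 for outside:203.0.113.9/443 to inside:10.10.103.50/50001 duration 0:00:01 bytes 120 TCP Reset-O
<166>Mar 28 2013 08:23:05: %ASA-6-302014: Teardown TCP connection 1004 for outside:203.0.113.9/443 to inside:10.10.103.50/50002 duration 0:00:01 bytes 120 TCP Reset-O
<166>Mar 28 2013 08:23:06: %ASA-6-302014: Teardown TCP connection 1005 for outside:203.0.113.9/443 to inside:10.10.103.50/50003 duration 0:00:01 bytes 120 TCP Reset-O
<166>Mar 28 2013 08:23:07: %ASA-6-302014: Teardown TCP connection 1006 for inside:10.10.103.50/50004 to outside:203.0.113.9/443 duration 0:00:01 bytes 120 TCP Reset-O
<166>Mar 28 2013 08:23:10: %ASA-4-106023: Deny tcp src outside:203.0.113.77/4444 dst inside:10.10.103.38/445 by access-group "outside_in"
EOF
}

# Histogram of message IDs, most frequent first. Reads syslog on stdin and
# prints "<count> <id>", e.g. "6 ASA-6-302014". The noisiest IDs are the ones
# to add as grep -v filters first.
count_by_message_id() {
    sed -n 's/.*%\(ASA-[0-7]-[0-9]*\):.*/\1/p' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Per-host totals from 302014 (TCP teardown) events. Reads syslog on stdin and
# prints "<bytes> <connections> <ip>" for every host on interface $1 (default
# "inside"). The endpoint is matched by interface name rather than by position,
# because the inside host follows "to" for outbound connections but "for" for
# inbound ones (compare connections 1005 and 1006 above).
summarise_teardowns() {
    iface="${1:-inside}"
    grep 'ASA-6-302014' | awk -v pfx="$iface:" '
    {
        ip = ""; bytes = 0
        for (i = 1; i <= NF; i++) {
            if (($i == "for" || $i == "to") && index($(i + 1), pfx) == 1) {
                ip = substr($(i + 1), length(pfx) + 1)  # drop "inside:"
                sub(/\/.*/, "", ip)                     # drop "/port"
            }
            if ($i == "bytes") bytes = $(i + 1) + 0
        }
        if (ip != "") { total[ip] += bytes; conns[ip]++ }
    }
    END { for (ip in total) print total[ip], conns[ip], ip }'
}

# Top talkers by bytes transferred (sort on column 1) and by number of
# connections (column 2). A host with many connections but few bytes is the
# "lots of small connections" pattern the notes mention for a DDoS.
top_by_bytes()       { summarise_teardowns "$@" | sort -k1,1rn; }
top_by_connections() { summarise_teardowns "$@" | sort -k2,2rn; }

echo "== message IDs =="
sample_log | count_by_message_id
echo "== top talkers by bytes (bytes conns ip) =="
sample_log | top_by_bytes
echo "== top talkers by connection count =="
sample_log | top_by_connections
```

On a real export, replace sample_log with cat ASAlogs.txt (or zcat on the zipped file); on the constructed lines 10.10.103.38 is the top talker by bytes with only two connections, while 10.10.103.50 has twice the connections and almost no data, which is the distinction the notes draw between a heavy user and a flood of small connections.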