Monday, 16 December 2024

Tuesday, 10 December 2024

dynamic split tunnel FTD

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220247-configure-anyconnect-dynamic-split-tunne.html

Tuesday, 26 November 2024

gre tunnels not coming up

Have an issue but not sure of the cause: sometimes the GRE tunnel does not re-establish over a S2S VPN.


Save backup config and check routes

Ensure your S2S VPN config is correct; usually you will see VPN P1 up but the GRE tunnel showing as up/down.

shut down both tunnel interfaces on either end

save the router config

reboot the remote router

bring up tunnel interface in HQ router

Now bring it up on the remote router


Ensure all routes are in place

remote > HQ (tunnelxx)

HQ > remote (tunnelxx)

Thursday, 21 November 2024

FMC 7.4 notes

Create a blank policy called "onboarding" with nothing attached.

This is for when you are moving FTDs between FMCs: there are some unique things like NAT and interface zones, so it is best to:

Make sure to back up your policy

ASA side IP / routing config

delete the manager

wipe the FTD

add to the new manager (onboarding policy)

Once added, switch to your new real policy

Tuesday, 29 October 2024

review eol switches for replacement

The EOL doc will recommend a replacement path. If not, you will need to figure it out.


check software and hardware

check for fibre connections

check cdp

check routing (if there are 2 EIGRP neighbors we may need the Advantage license)

sh ver (check port numbers)

sh inv | i stack (check stack cables)

sh switch

Thursday, 24 October 2024

Tuesday, 22 October 2024

ip sla config examples

ip sla 1
 tcp-connect 192.168.0.1 23 control disable   (control disable: use a port that is already listening, e.g. telnet, no responder needed)
ip sla schedule 1 start-time now life forever

sh ip sla statistics


ip sla
 tcp-connect 192.168.0.1 5555 source-ip 192.168.0.2 control enable   (control enable: any port, but R2 must run the responder)

R2
ip sla responder


***********************************

ip sla 2
 icmp-echo 192.168.0.2 source-ip 192.168.0.1
 frequency 5
ip sla schedule 2 start-time now life forever


Can be used with a track object to change routes:

track 2 ip sla 2

sh track


*************************************

udp-echo

ip sla 3
 udp-echo 192.168.0.2 5000
 frequency 5
ip sla schedule 3 start-time now life forever


R2
ip sla responder udp-echo ipaddress 192.168.0.2 port 5000


*************************************

ip access-list extended SLA   (ACL if you want to see the EF packets going up)
 permit ip any any dscp ef
 permit ip any any

int fa0/0
 ip access-group SLA in
int s0/1
 ip access-group SLA in


ip sla udp-jitter config

ip sla 4
 udp-jitter 192.168.0.2 6000 codec g729a control enable
 frequency 5
ip sla schedule 4 start-time now life forever

show ip sla statistics 4


Wednesday, 16 October 2024

switch a meraki mx to bridged mode with vodafone DSL

Switch the Meraki to PPPoE first, as you will lose connection once you switch the modem into bridge mode. You can still access the MX via the local status page mx.meraki.com

PPPoE settings for the Vodafone modem:

username: [serial_number_of_modem]@vfiefttc.ie

password: broadband


Then switch vodafone modem to Bridged mode

You may need to untick TR-069 (used for managing CPE devices)

You may need to reboot vodafone modem for it to go into bridge mode

Wednesday, 25 September 2024

whitelist domains on checkpoint firewall

https://support.checkpoint.com/results/sk/sk173345


meraki local status pages to access from local LAN

MR - http://ap.meraki.com

MS - http://switch.meraki.com  

MX - http://mx.meraki.com or http://wired.meraki.com

MG - http://mg.meraki.com

Any - http://setup.meraki.com or http://my.meraki.com


https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page

ISE-PIC

ISE-PIC requires a zero-cost license which needs to be ordered from your usual distributor.


Name: isepic

Product:Identity services engine

PID: ISE-VM-K9


Monday, 23 September 2024

meraki MTU

You need to call Meraki support to check and get the MTU changed.

WAN MTU is 1500 by default

Auto VPN MTU is 69 bytes less (1431 by default)

If you call Meraki to change the MTU it should only cause a blip; they said a full reboot is not needed.


Header overheads to subtract:

-20 for TCP

-20 for IP

-8 for PPPoE

Tuesday, 10 September 2024

palo alto mtu

https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-released-in-gp-app/configurable-maximum-transmission-unit-for-globalprotect-connections


Thursday, 5 September 2024

port scanner info

nmap - oldest, with lots of documentation and help out there, plus a script archive

rustscan - newer (written in Rust), very fast for scanning all ports

masscan - fast for scanning public IP blocks and /16s

Wednesday, 4 September 2024

unable to upload secure client to FMC web interface

1. Open a CLI session to the FMC

a. Drop to the shell and open the upload handler at the relevant line:

expert

sudo su

vim +76 /usr/local/sf/htdocs/ddd/fileUpload.cgi


b. Press i to go into insert mode in vim

c. Update the line by increasing the maxFileSizeMap value


From: ANY_CONNECT_IMAGE => 100 * 1024 * 1024,

To:   ANY_CONNECT_IMAGE => 200 * 1024 * 1024,


d. Save the file with ESC then :wq


2. Upload the file again

Wednesday, 7 August 2024

backup config on palo alto

There are a few options:

  • Panorama (I don't use it)
  • API call with curl
  • Cattools

API with curl

https://smartnets.wordpress.com/2017/06/06/automated-configuration-backup-of-palo-alto-firewalls-without-using-a-panorama/


Create an admin role / profile for an api-user; only give it read and API access, no web GUI access.

Create an api-user, set a password and set its profile to the admin role > api-profile

Generate an API key for that user:

curl -k "https://FIREWALL_IP/api/?type=keygen&user=api-user&password=api-password"

Save your key somewhere safe

You can download the config via (note the "?" before the query string):

curl -k -o running-config.xml "https://$FIREWALL_IP/api/?type=export&category=configuration&key=$API_KEY"
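An added example (not from the original post) that wraps the export call above into a small backup script with a success check. It assumes PAN-OS 9.0 or later (for the X-PAN-KEY header) and that PAN_API_KEY is exported in the environment; curl keeps the -k from the notes, so swap it for --cacert once the management cert is trusted.

```shell
# Added example (not from the original post): back up a PAN-OS running
# config through the XML API with the read-only api-user described above.
# Assumes PAN-OS 9.0+ (X-PAN-KEY header) and PAN_API_KEY in the environment,
# so the key never appears on the command line or in shell history.

# Build the export URL. Note the "?" before the query string.
pan_export_url() {
    printf 'https://%s/api/?type=export&category=configuration' "$1"
}

# Return 0 if an API response file holds a config export, 1 on an error
# response. PAN-OS returns HTTP 200 even for errors such as a bad key,
# so the body has to be inspected rather than the HTTP status.
pan_response_ok() {
    if grep -q '<response status="error"' "$1"; then
        return 1
    fi
    grep -q '<config ' "$1"
}

# Download the running config of $1 into directory $2 (default: cwd),
# naming the file by host and timestamp; keep it only if it is a real config.
pan_backup_config() {
    host=$1
    outdir=${2:-.}
    out="$outdir/$host-running-config-$(date +%Y%m%d-%H%M%S).xml"
    tmp=$(mktemp)
    # -k matches the notes above; prefer --cacert once the mgmt cert is trusted.
    curl -sS -k -o "$tmp" \
        -H "X-PAN-KEY: ${PAN_API_KEY:?PAN_API_KEY must be set}" \
        "$(pan_export_url "$host")" || { rm -f "$tmp"; return 1; }
    if pan_response_ok "$tmp"; then
        # The config contains credentials and hashes, so restrict the file mode.
        mv "$tmp" "$out" && chmod 600 "$out" && echo "$out"
    else
        echo "backup of $host failed:" >&2
        head -n 5 "$tmp" >&2
        rm -f "$tmp"
        return 1
    fi
}
```

Run it as `pan_backup_config 192.0.2.1 /backups/palo` from cron; a failed key or a role without API access shows up as the error body on stderr instead of a silently empty backup.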


Cattools

It's also possible to use Kiwi CatTools to download the config, but it gives it to you in the command/set format. I'm not sure if this can be restored as easily but I will look into it.

Create your device

  • Choose palo alto, palo alto FW
  • Name
  • IP
  • Direct connect
  • SSH
  • port 22

On passwords tab, fill in

  • SSH username
  • SSH Password
  • Tick initial login requires username/password

Leave prompts tab blank

Run a test backup on just this device with debug logging enabled

POE standards


POE (802.3af)

POE+ (802.3at)

POE+UPOE (802.3bt)

High power POE (802.3bt)


 https://planetechusa.com/ieee-802-3bt-type-4-hi-poe/


New devices may not work, or may go into low power mode, if the POE switch they are plugged into is too old, doesn't support the newer standards or can't supply enough power.

Friday, 26 July 2024

common VPN lifetime values

Found on Palo Alto we can't configure 86400 seconds (max value allowed was 65xxx); have to use 1 day instead, but my P1 still wasn't coming up. Changed to seconds and dropped to 28800 on both sides and the VPN came up.


3600 - 1 hr

28800 - 8 hr

43200 - 12 hr

86400 - 24 hr

Tuesday, 16 July 2024

how to enable web application scanning in nessus

Download / install docker

The Docker "WAS" image gets downloaded and installed


https://www.youtube.com/watch?v=c4mkTh7fx4o&list=PLOMx6Layn69hnaUx9iD6FzecX5DQoCn48&index=7

config trunk in VMware

Identify VMNICs

VMware names them as they boot up, so they are not always in the order you might think.

Easiest way is to plug in the port and watch the VMware interface to see if it shows as up.

Also a good idea to enable CDP on the VMware host and on the switch at the other side.


We want to run at least 2 high bandwidth (10gig plus) cables from the switch to the VMware host.

Config as a trunk on the switch


vCenter config

Networking > virtual switches

Go to the VM host

Configure

Virtual switches

Add networking

Virtual Machine Port Group for a Standard Switch

select the vswitch

Give it a name, e.g. DMZ

Fill in the VLAN number

Finish


VLAN modes

VLAN - pick 250

VLAN trunking - pass the trunk on to the VM (won't use it often)

Private VLAN - for PVLANs (won't use often either)


Friday, 5 July 2024

punycode phishing

 https://en.wikipedia.org/wiki/Punycode


Scammers use non-English characters to make phishing URLs look more legit; some are harder to spot than others.


URLs will have xn-- in them. Some platforms auto block, some will render the real (decoded) URL and some will show the punycode, which can trick users into clicking it.

You get prompted twice for GlobalProtect with MFA/2FA on palo alto firewall

The usual fix is to put

portal auth > AD 

gateway auth > MFA server


However we found with some OTP/fob code users it wasn't working well


Fix was 

Upgrade GP to the preferred release (6.2.3 at time of writing)

Enable the authentication cookie settings on GP


Portal - Generate cookie for auth override

Choose the same cert you use for the GP 


Gateway - Accept cookie for auth override

Choose the same cert you used in portal


Push policy

Watch out: AD changes may take 15 mins to update on the Palo, so if you move a user into another group for testing it might not work for 15 minutes



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004MACCA2&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail




Tuesday, 2 July 2024

SSL block on FMC

You may see an SSL Block but not be sure of the reason

Pick out a blocked connection

Search for src and dst IP

Go into table view

Click "x" on a column (remember to recheck it)

Add the columns "SSL Flow error" and "SSL Flow Messages"

Apply



Tuesday, 25 June 2024

BGP config on cisco ASA

 

interface GigabitEthernet0/5
 description *** Connection to BGP ***
 nameif BGP
 security-level 50
 ip address 10.1.252.1 255.255.255.252

router bgp 65534
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 10.1.252.2 remote-as 65533
  neighbor 10.1.252.2 transport path-mtu-discovery
  neighbor 10.1.252.2 activate
  network 10.1.0.0
  redistribute static metric 4294967295 route-map RM_ROUTES_TO_REDIST
  default-information originate
  no auto-summary
  no synchronization
 exit-address-family

Nessus expert attack surface discovery

It wasn't working.

You need firewall access, with no SSL decryption, to these sites:

https://community.tenable.com/s/article/Which-Tenable-sites-should-I-whitelist?language=en_US

Thursday, 6 June 2024

Switched FTD to ASA code but strong encryption license disabled/missing (3DES-AES)

Self-service steps to obtain the 3DES (-K9) license in LRP

1- Log in to the License Registration Portal (https://tools.cisco.com/SWIFT/LicensingUI/Quickstart) using your Cisco.com ID.

2- Select “Show: All Licenses for (your name)”.

3- Select the “Get Licenses” menu, then “IPS, Crypto, Other”.

4- Select “Security Products” under “Product Family”.

5- Select the required 3DES/AES license type and hit “Next”.

6- Enter the “show ver” Serial Number of the ASA the license will be registered to and hit “Next”.

7- Follow screen prompts to complete the transaction.


Thursday, 30 May 2024

nessus plugins constantly compiling

This was a disk space issue.

SSH to the Nessus core server and run df -h, looking for full drives.

/opt needs 50GB


Location of nessus CLI on linux

/opt/nessus/sbin/nessuscli

nessuscli fix --reset

nessuscli fetch --register <ACTIVATION_CODE>


old way

service nessusd stop

/opt/nessus/sbin/nessusd -R

service nessusd start



If there is still an issue, open a case with nessus and get a debug file from the nessus core server

Reference: https://community.tenable.com/s/article/Requesting-Debugs

Tuesday, 28 May 2024

nessus activation


reset plugins

/opt/nessus/sbin/nessuscli fix --reset


Apply new activation code

/opt/nessus/sbin/nessuscli fetch --register xxxx-xxxx-xxxx-xxxx



Tuesday, 21 May 2024

email security DMARC, SPF and DKIM

SPF 

Sender policy framework

Identify who (what servers) can send emails for your domain

Like protecting the envelope 


DKIM

DomainKeys Identified Mail

Emails are signed with a signature

Lets the other end know the email really came from you and not a spammer/attacker

Like protecting the "letter" or email

Summary

  • MX (Mail exchange record) - a DNS record that tells people where to send email for your domain. Like a sign telling people which letterbox to drop the mail into.
  • SPF (Sender Policy Framework) - who can send emails for your domain. Like a guard standing at the post box.
  • DKIM (DomainKeys Identified Mail) - emails are signed with a signature, like a seal or stamp on the letter confirming to the other end it really came from you.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) - combines SPF and DKIM. Checks the from address and confirms the domain is valid, checks the return path, and checks it is a valid signed email.


DMARC 

Domain based Message Authentication Reporting and Conformance 

Makes use of SPF and DKIM

DMARC checks 3 things

  • From address: checks the from @domain.com (is it real, is it valid)
  • Return path: is it valid (server the mail came from)
  • DKIM: is it a valid signed email

You will need a DNS TXT record to set it up, saying where to send reports and what policy to apply

Version (must be the first tag)
v=DMARC1

Policy (good idea to set to none at the start for monitoring)
p=reject

Email where aggregate DMARC reports will be sent, must be set
rua=mailto:dmarc@domain.com

Forensic data (can have sensitive data inside, should be a secure mailbox)
ruf=mailto:dmarc@domain.com

Failure reporting option for forensic DMARC reports
fo=1

Alignment mode for DKIM (r relaxed, s strict; with strict a subdomain won't align)
adkim=r

Alignment mode for SPF, again about subdomains
aspf=r


  • Monitor / test first
  • Setup proper SPF and DKIM records
  • Then set p=reject
  • Test again
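A small checker for the record described above, as an added example (not from the original post): it pulls the tags apart and flags the mistakes that silently disable DMARC, such as a misspelt version tag, a bad policy value or a missing rua. dmarc_lookup assumes dig is installed; the sample records in the comments are constructed.

```shell
# Added example (not from the original post): sanity-check a DMARC TXT
# record before publishing it. Only the tags covered above are checked.

# Fetch the published record for a domain (strips the surrounding quotes).
# Assumes dig is installed, e.g. dmarc_lookup domain.com
dmarc_lookup() {
    dig +short TXT "_dmarc.$1" | tr -d '"'
}

# Print the value of tag $2 in record $1, or nothing if it is absent.
# Tags are ";"-separated "name=value" pairs, whitespace around them is ignored.
dmarc_tag() {
    printf '%s' "$1" | tr ';' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | awk -F= -v t="$2" '$1 == t { print $2; exit }'
}

# Validate a record. Prints each problem found; returns 1 if there were any.
# Constructed sample: 'v=DMARC1; p=reject; rua=mailto:dmarc@domain.com'
dmarc_check() {
    rec=$1
    bad=0
    # v=DMARC1 must be the first tag, spelt exactly; receivers ignore the
    # whole record otherwise (a typo like DMAR1 means no DMARC at all).
    case "$rec" in
        'v=DMARC1;'*|v=DMARC1) ;;
        *) echo "record must start with v=DMARC1"; bad=1 ;;
    esac
    p=$(dmarc_tag "$rec" p)
    case "$p" in
        none|quarantine|reject) ;;
        "") echo "p= tag is required"; bad=1 ;;
        *)  echo "p=$p is not none/quarantine/reject"; bad=1 ;;
    esac
    # Aggregate reports are how you find out what is failing before
    # moving from p=none to p=reject, so insist on a mailto: rua.
    case "$(dmarc_tag "$rec" rua)" in
        mailto:*) ;;
        *) echo "rua= should be a mailto: address"; bad=1 ;;
    esac
    for t in adkim aspf; do
        v=$(dmarc_tag "$rec" "$t")
        case "$v" in
            ""|r|s) ;;
            *) echo "$t=$v must be r or s"; bad=1 ;;
        esac
    done
    return $bad
}
```

Usage: `dmarc_check "$(dmarc_lookup domain.com)"` against a live domain, or pass the record string you are about to publish.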

BIMI
Brand Indicators for Message Identification
A way for company logos to show up for confirmed brands
Most people consider it useless
Maybe users will spot an issue with an email if it has no logo
Not everyone adopts/uses it (MS did not support it at time of writing)
If others are using it you can set it up so your company logo shows up


There are vendors that receive the reports and let you view them in a console with graphs etc.
https://dmarcian.com/
https://easydmarc.com/

Tuesday, 30 April 2024

TS FTD like TAC

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/R6BGArNQ/TECSEC-3004.pdf


system support trace

Wednesday, 3 April 2024

network design ideas

Just writing down some ideas

Dual internet connection with failover (wired and radio/4G would be best but most expensive)
Share the public range with BGP if possible between HQ and a DR site.
Alternatively two public IP ranges with dyndns or a script to update DNS during failover
OOB management (Opengear etc)
Redundancy starting at the SAN.
Rule of thumb: 2 of everything
L2 site link between HQ and DR sites for failover/VMware/backups etc
HA firewall with SSL/IPS/AV enabled
HA switch (stack or 2 smaller stacks with HSRP/VRRP)
VLANs/networks: LAN, WIFI, DMZ, DB, APP, VOICE, RSPAN, OOBMGMT, BACKUPS, MONITORING, 3RDPARTY-ACCESS
Off site (cloud) backups or tape taken off site
Monitoring, graphing, alerting: PRTG, Netflow, SNMP
NTP server
TFTP server
syslog (syslog-ng)
config backup
RADIUS and MFA (DUO) where possible
DNS protection: OpenDNS (Cisco Umbrella / DNSFilter)
NAT all DNS requests to the Umbrella VAs? Or block other DNS requests on the firewall
IPS on edge firewalls
SIEM: Security Onion (needs lots of resources)
Nessus scans on internal and external IPs.
Email security with SPF etc.

Multiple DMZs or private VLANs in your DMZ; alternatively consider a reverse proxy for extra security.

Friday, 29 March 2024

palo alto bulk add log forwarding profile to security policy rules

You can use the migration tool to do this 


After version 10.1 there is also a log forwarding for security services policy optimizer under 

Policies > Security 

Policy optimizer in the bottom left


You need to have configured logging and your log forwarding profile in advance


Select "None" to find all the rules with no logging policy applied 

click the first rule

scroll to the bottom

hold shift and click the last rule to select all

In the bottom left click "Attach log forwarding profile"

Select your profile "LOG-FWD-PROFILE"

Click ok

Commit


Info found on: 

https://live.paloaltonetworks.com/t5/general-topics/log-forwarding-profile-in-all-security-policies/td-p/205426


Friday, 15 March 2024

useful windows cmds

Get hostname

hostname

Get current user

whoami

Get serial number

wmic bios get serialnumber

Get manufacturer model name

wmic csproduct get name

Print out date/time

echo %DATE% %TIME%

Get OS name and ver (takes a few seconds to run)

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"


All IP config details

ipconfig /allcompartments /all

Get all NIC details

wmic nicconfig get description,IPAddress,MACaddress


Display the DNS cache

ipconfig /displaydns


Check hosts file

more %SystemRoot%\System32\Drivers\etc\hosts

Netstat (run as admin)

Get listening/established ports and PIDs

netstat -naob 

netstat -naob | findstr LIST


Print routing table 

netstat -nr 

route print

List sessions with other computers

net session

net session \\pcname /list

Print out machines we can see on the domain

net view

net view \\127.0.0.1

View Netbios over TCP details

nbtstat -S

Show arp table

arp -a


WLAN info

netsh wlan show interfaces

netsh wlan show all


List services

services.msc

tasklist

Show what's inside the svchost processes

tasklist /svc

tasklist.exe /FI "PID eq 8988" /svc

sc query

wmic service list config

Sysinternals

pslist 

pskill


Event logs

eventvwr

wevtutil qe security /f:text | more


Local users

lusrmgr.msc

net users


Startup apps 

msconfig

autoruns


xcopy find files for a specific date (note date format)

xcopy \\servername\sharename$\*.* /S /L /H /D:mm-dd-yyyy | more


Find files bigger than 30MB

for /R c:\ %i in (*) do @if %~zi gtr 30000000 echo %i %~zi


Sysinternals

tcpvcon -a

psloggedon

logonsessions

handle

listdlls

procexp (Process Explorer)

procmon (Process Monitor)

sysmon

autoruns

Wednesday, 13 March 2024

Tuesday, 12 March 2024

packet capture on palo alto

This can be done from the web GUI under Monitor > Packet Capture

Setup your filters

Add your stages rx,tx,fw,drop

Switch on filter and packet capture


You can also run tcpdump from the CLI, which is the only method that will show management interface traffic such as syslog

Friday, 8 March 2024

dynamic VPN on sonicwall to HQ with a static IP

https://www.sonicwall.com/support/knowledge-base/configuring-aggressive-mode-site-to-site-vpn-when-a-site-has-dynamic-wan-public-ip-address/170505565649605/

Wednesday, 6 March 2024

zoom firewall IPs

https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0060548

Tuesday, 5 March 2024

cisco sfp compatibility matrix fibre

https://tmgmatrix.cisco.com/?npf=1181

palo EDL

https://docs.paloaltonetworks.com/resources/edl-hosting-service


https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/configure-the-firewall-to-access-an-external-dynamic-list-from-the-edl-hosting-service/create-an-external-dynamic-list-using-the-edl-hosting-service

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/enforce-policy-on-an-external-dynamic-list#id65d71322-1c04-4eb7-ab66-4d9bb3f41a52

Also need a FW rule to allow the mgmt IP to download EDLs from:

saasedl.paloaltonetworks.com on ssl

Tuesday, 20 February 2024

setup syslog on cisco switch

10.46.251.254


logging on
logging origin-id ip
logging facility local0
logging source-interface Vlan250
logging host x.x.x.x


x.x.x.x = your syslog server


For testing, generate a test message:

send log TEST

Monday, 12 February 2024

cisco secure client replacing anyconnect

The roaming client and AnyConnect client are both going end of life and will be replaced by the Cisco Secure Client. The new client is becoming a general endpoint client for many Cisco products. The old client will work until April 2025.


Before April 2025, you will need to uninstall the roaming client and install the new cisco secure client with umbrella module and the json file for all roaming computers that you want to protect with umbrella when they are at home.

All are available for download in your umbrella dashboard:


Download the new cisco secure client and .json file.


You can use SCCM or similar to deploy it out to your clients.

Friday, 9 February 2024

useful openssl commands

openssl s_client -connect 100.100.100.20:443


echo "" | openssl s_client -connect website.ie:443 -showcerts


echo "" | openssl s_client -connect website.ie:443 -showcerts | openssl x509 -noout -text -fingerprint


echo "" | openssl s_client -connect AD01.domain.local:636 -showcerts


echo "" | openssl s_client -connect AD01.domain.local:389 -starttls ldap -showcerts


openssl pkcs12 -nokeys -nocerts -info -in Example1.pfx


openssl.exe s_client -connect 100.100.50.8:443 -servername fs1.domain.com -showcerts


Get info (without the -in, openssl reads the PFX from stdin)

openssl pkcs12 -nokeys -nocerts -info -in bundle.pfx


Export key (first dump the PFX to PEM, then strip the passphrase from the key)

openssl pkcs12 -in bundle.pfx -out key.enc.key

openssl rsa -in key.enc.key -out key.key


Export private key from PFX

openssl pkcs12 -in bundle.pfx -nodes -nocerts -out key.enc.key
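An added example (not the original post's commands) that builds on the s_client lines above: it saves the certificate a host presents and reports how many days it has left, using openssl's -checkend so no date parsing is needed. Assumes openssl is installed; the host names in the comments are placeholders.

```shell
# Added example (not from the original post): fetch the certificate a
# host presents and report how many days it has left. Assumes openssl is
# installed; host names in comments are placeholders.

# Save the leaf certificate from host:port as PEM. -servername sends SNI,
# which the fs1.domain.com style of check above needs.
cert_fetch() {   # cert_fetch host port outfile
    echo "" | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Seconds until notAfter, found by binary-searching openssl's -checkend
# (avoids parsing its date output, which differs between platforms).
cert_seconds_left() {   # cert_seconds_left certfile
    lo=0
    hi=$((3650 * 86400))   # search up to 10 years ahead
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo 0; return; }
    while [ $((hi - lo)) -gt 60 ]; do
        mid=$(((lo + hi) / 2))
        if openssl x509 -in "$1" -noout -checkend "$mid" >/dev/null; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo "$lo"
}

cert_days_left() {   # cert_days_left certfile
    echo $(( $(cert_seconds_left "$1") / 86400 ))
}

# OK/WARN line for a cert file; returns 1 when under $2 days (default 30).
cert_check_file() {   # cert_check_file certfile [warn_days]
    days=$(cert_days_left "$1")
    if [ "$days" -lt "${2:-30}" ]; then
        echo "WARN $1 expires in $days days"
        return 1
    fi
    echo "OK $1 expires in $days days"
}

# Same check against a live host, e.g. cert_check_host vpn.domain.com 443
# or cert_check_host AD01.domain.local 636 for LDAPS.
cert_check_host() {   # cert_check_host host port [warn_days]
    f=$(mktemp)
    cert_fetch "$1" "$2" "$f" && cert_check_file "$f" "$3"
    rc=$?
    rm -f "$f"
    return $rc
}
```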

Filter out TCP retransmissions in Wireshark

(tcp.analysis.retransmission or tcp.analysis.fast_retransmission)

Thursday, 8 February 2024

palo global protect rdp freeze issue

https://live.paloaltonetworks.com/t5/general-topics/rdp-freeze-fix-globalprotect/td-p/335816


Important: This regedit goes on the machine you are remoting into, not the machine you are remoting from.

 

HKLM\SOFTWARE\Microsoft\Terminal Server Client

UseURCP (Create this new DWORD with value of 0)

 

You can use this from a command prompt as long as you have admin privileges on the box:

REG ADD "HKLM\SOFTWARE\Microsoft\Terminal Server Client" /v UseURCP /t REG_DWORD /d 0 /f

Wednesday, 7 February 2024

palo alto software upgrade

Lookup preferred release for your hardware

https://live.paloaltonetworks.com/t5/Customer-Resources/Support-PAN-OS-Software-Release-Guidance/ta-p/258304


Backup configs

Device > Setup > Operations > export 


Make note of relevant IP's and URLs

  • Management IP's
  • Public IP
  • LAN IP
  • GP portal IP and URL
  • Record S2S VPNs up/down
  • Maybe start a continuous ping to IPs


Download the software and sync to HA peer

Device > Software > Check now

You can jump within a major release, like 10.2.10 to 10.2.10-h3

If you need to go up a few versions you need to go

10.2.5 > 10.2.10 > 11.0 > 11.5

  • Start on 10.2.5
  • Download and install the latest in the family, 10.2.10
  • Download 11.0
  • Download the latest in the next family, 11.5
  • Install 11.5; so long as the 11.0 files are downloaded it will be ok
  • Don't go more than 1 major version ahead of the other FW, keep them in step
  • Don't go more than 1 major version ahead of the other FW, keep in step

Install on secondary

  • Go onto the standby and install the update
  • Let that install and reboot
  • reboot takes about 20 minutes
  • You may see an error on primary that config is not sync'd you can ignore

Switch over to secondary which has just been upgraded

  • Disable HA on primary to let the secondary take over
  • Device > High Availability > Suspend local device for high availability

Complete the install on primary

  • Install update and reboot on primary
  • When it comes back up it will re-enable HA but check that it has
  • Repeat the process until upgrade to preferred release 

After upgrade
Testing (internet, email, teams, GP)
Run all the dynamic updates and make sure updates are scheduled

GP client
The GP client can be updated as well, but this can introduce other issues so it is best done separately
vpn.domain.com should resolve on the LAN

Thursday, 1 February 2024

open case with palo support


They need these details

example 

Device: Palo alto firewall PA-850

Device serial number: 1234567890

Software version: 10.1.5-h1

End user company: Customer Name

Reseller company: MSP Company Name

Contact number: +xxx xxxxxxxx


Wednesday, 10 January 2024

packet capture on cisco switch

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-3/configuration_guide/b_163_consolidated_3850_cg/b_163_consolidated_3850_cg_chapter_01001011.html

Thursday, 4 January 2024

Palo alto GP MFA setup with MS Azure MFA

https://www.youtube.com/watch?v=GxRdPPsIHH8&t=1186s

Identifier (Entity ID) URL: https://vpn.domain.com:443/SAML20/SP

The 443 is needed

Reply URL (Assertion Consumer Service URL):  https://vpn.domain.com:443/SAML20/SP/ACS


MFA setting 

https://portal.azure.com/

Burger menu top left > Microsoft Entra ID

Enterprise applications

Search for the GlobalProtect app "Palo Alto Networks - GlobalProtect"

From the left expand Security > Conditional Access

You will see the policies here


You can see what policies are being used by expanding Activity on the left

Click on Sign-in logs

Make a GP connection

Click on the entry for more details

In the top right click on Conditional Access