Thursday, 17 July 2025

hardening anyconnect ssl on cisco secure firewall 7.7

Hardening

https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html


Service access object (geo block anyconnect):

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222810-configure-geolocation-based-policies-for.html


Auto shun (FlexConfig)

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222383-configure-threat-detection-for-remote-ac.html#toc-hId--1375473333



threat-detection service remote-access-authentication hold-down 15 threshold 5


hold-down - the window (in minutes) after the last failed attempt during which further failures from the same source IP are still counted against it; a longer gap resets the count

threshold - the number of failed authentications within that window before the source IP is shunned, e.g. hold-down 5 threshold 3 shuns an IP that fails login 3 times within 5 minutes



Show commands:

show threat-detection service remote-access-authentication

show threat-detection service remote-access-client-initiations

show threat-detection service invalid-vpn-access


Log locations in FMC:

Some of these menu paths change depending on the FMC version / interface.

Cog (top right) > Monitoring > Syslog

Monitoring > VPN > Remote Access (AnyConnect)

Analysis > Connections > Events (won't show auth success/failure here, only connections of already-authenticated users)

Health > Events (shows CPU/memory issues)

There is a unified log as well (Analysis > Unified Events)


Log level

FMC GUI > Devices > Platform Settings

Syslog > Logging Setup / Logging Destinations (the severity sent to each destination is set under Logging Destinations; the auth messages below are level 6, so informational is needed to see them)


Syslog messages:

%ASA-6-113004: AAA user authentication Successful : server = <server> : user = <user>

%ASA-6-113005: AAA user authentication Rejected : reason = <reason> : server = <server> : user = <user>

%ASA-4-722051: Group <group> User <user> IP <ip> Session connected

%ASA-6-722041: Session disconnected (reason...)



***

Enable Access Control Logging for VPN User Traffic

On the access control rule that allows AnyConnect traffic in, enable logging (Log at Beginning / Log at End of Connection, send to FMC). This still won't show login attempts, only the traffic of users who already authenticated.



Search the Message field for *x.x.x.x*



OK, so lessons learned there:

You won't see anything in Analysis > Connections > Events (it doesn't show SSL rejected stuff, only successful HTTPS etc. connections).

SAML (staff profile) rejections were not showing in the logs. I will ask Cisco about this; maybe it's a different event ID, or Duo doesn't send anything back to the firewall when SAML fails. He could see it in the Duo logs so was happy enough there.

AAA/RADIUS (contractors profile) was where we saw the issues coming in.

We needed to enable informational level logging under Devices > Platform Settings. (We hit a bug there: it didn't set the first time, not sure what happened. I watched him set it, so watch out for that.)

Once we had informational we could see some stuff under the cog > Monitoring > Syslog.

Filter "Message" for *x.x.x.x*, where x.x.x.x is the IP you are looking for.

We saw SSL denied for the German IP based on the geoblock.

We saw username ***** denied from my UK IP.

The username was hidden in the logs.

Added FlexConfig "no loggin hide username". Cisco said you have to leave off the "g"; "loggin" is not a typo.

Shun settings were 20 failed logins in 10 mins. He said he had to set it high because users were actually typing their password wrong 10 times, so that is something he will have to live with. Attackers can still try from the approved IPs for 20 tries and then get shunned, but at this stage they can change IP address and try again.


*** SAML

SAML failed logins won't show in the FMC log in the same way. Best to review these in the SAML provider's dashboard/logs (Duo/Azure etc.). Those logs can be forwarded from there to a central SIEM; Duo has a tool called Duo Log Sync for this.

Filter the syslog to include class "vpnc", which outputs logs like:

%FTD-6-611102: User authentication failed: IP = IP address, Uname: user
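Worked example (added here, not from the Cisco docs or the original notes): a small Python script that does what the FMC "Message" filter and the threat-detection hold-down/threshold do, over a few constructed %ASA/%FTD lines using the message IDs above. The timestamp prefix, the field order after the message ID and the IPs/usernames are assumptions about the collector's output, and `parse`, `grep_ip` and `threat_detection` are names chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not captured from a real firewall): the message IDs
# are the ones listed in the notes above; the ISO timestamp prefix and the exact
# field layout after the ID are assumptions about how the collector writes them.
SAMPLE_LOG = """\
2025-07-17T09:00:05 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.10
2025-07-17T09:00:40 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.10
2025-07-17T09:01:10 %FTD-6-611102: User authentication failed: IP = 203.0.113.10, Uname: bob
2025-07-17T09:02:00 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice
2025-07-17T09:03:00 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = ***** : user IP = 198.51.100.7
2025-07-17T09:30:00 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.10
"""

FAIL_IDS = {"113005", "611102"}      # AAA rejected, vpnc auth failed
SUCCESS_IDS = {"113004"}             # AAA success

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+%(?:ASA|FTD)-\d-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
IP_RE = re.compile(r"(?:user IP|IP)\s*=\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
USER_RE = re.compile(r"(?:user\s*=|Uname:)\s*(?P<user>\S+?)(?:\s*:|,|$)")


def parse(log_text):
    """Turn raw syslog lines into dicts with timestamp, message ID, IP and user."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m["body"])
        user = USER_RE.search(m["body"])
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "msgid": m["msgid"],
            "ip": ip["ip"] if ip else None,
            "user": user["user"] if user else None,
            "raw": line,
        })
    return events


def grep_ip(log_text, ip):
    """Same thing as filtering Message for *x.x.x.x* in the FMC syslog view."""
    return [line for line in log_text.splitlines() if ip in line]


def threat_detection(events, hold_down_min=15, threshold=3):
    """Emulate 'threat-detection service remote-access-authentication'.

    Failures from one source IP are counted while they keep arriving within
    hold_down_min of the previous failure; once the count reaches threshold
    the IP would be shunned. A gap longer than the hold-down resets the count.
    """
    state = {}
    for ev in events:
        if ev["msgid"] not in FAIL_IDS or ev["ip"] is None:
            continue
        s = state.setdefault(ev["ip"], {"count": 0, "last": None, "shunned_at": None, "users": set()})
        if s["last"] is not None and ev["ts"] - s["last"] > timedelta(minutes=hold_down_min):
            s["count"] = 0                      # hold-down expired, start over
        s["count"] += 1
        s["last"] = ev["ts"]
        s["users"].add(ev["user"])              # shows as '*****' until 'no loggin hide username'
        if s["count"] >= threshold and s["shunned_at"] is None:
            s["shunned_at"] = ev["ts"]
    return state


if __name__ == "__main__":
    for ip, s in threat_detection(parse(SAMPLE_LOG)).items():
        print(ip, s["count"], s["shunned_at"], sorted(s["users"]))
```

Running it shows 203.0.113.10 hitting the threshold on its third failure at 09:01:10 and the count dropping back to 1 once the 09:30 failure lands outside the 15 minute hold-down; the ***** user on 198.51.100.7 is what you get for attribution while usernames are still hidden.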


Tuesday, 1 July 2025

Palo alto PCNSA notes

Palo alto firewall

Palo Alto is a next-gen firewall with User-ID and App-ID. Dynamic lists/feeds (EDL) for blocking malicious traffic and allowing trusted traffic like Azure and CDNs etc.

It can do its inspection on north/south traffic and east/west traffic.

It has IPS, URL filtering, WildFire (unknown threats).

DNS sinkhole (DNS protection)

Advanced logging with Cortex Data Lake (takes in multiple log sources and applies machine learning)


Platforms

  • Virtual machines for public and private cloud (you control the VM)
  • Prisma Access (hosted cloud based firewall as a service)
  • Physical devices (physical boxes to install on site)

https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations


SP3

Single Pass Parallel Processing: traffic inspection, classification and enforcement happen in one pass.

Traffic is handled by two planes:

Control plane

  • config
  • logging
  • reporting

Data plane

  • signature matching
  • security and network processing

Management options
  • Web interface - HTTPS over the network or via the MGMT port
  • CLI - via SSH over the network or via console cable
  • Panorama - centralised platform for managing multiple firewalls. Good for MSPs, 6+ devices.
  • API - XML and REST APIs. Good for automation and network programming.
The management GUI has on-box help: there is on-box documentation, usually in the top right.

ACC - Application Command Center
Analytical tool that provides actionable intelligence about network activity. Shows trends etc.

Monitor tab
  • Live logs
  • Reports

Policies 
  • Firewall / NAT rules etc

Objects
  • Setup objects for use in policies

Network
  • data plane interfaces and zones
  • VPN related items
Device
  • General settings
  • Management interface
  • User accounts
  • Licenses
  • Config backup
Management port is part of the control plane
Default IP 192.168.1.1/24
HTTPS
Default user: admin/admin (change it)
We can disable management on the MGMT port if needed and manage via a dataplane interface instead (needs an interface management profile)
By default dataplane ports won't accept mgmt packets

Service routes
For everything the firewall itself needs to reach out for, e.g. RADIUS / log forwarding / updates etc.
By default it will use the MGMT port.
Device > Setup > Services > Service Route Configuration > Customize

CLI modes
  • Operational - basic network commands: ping, traceroute, show, debug
  • Configuration - enter with the configure command, now you can make changes
  • Similar to Cisco in that regard
CLI enhancements
  • Use find to figure out the command syntax
  • Use ? to get help
  • Use tab to autocomplete
  • Use | (pipe) with match or except for output filtering
ping <tab>
Options are shown with symbols:
+ count - plus means it takes a value
* host - * means it's required
> - means you will have more options after

ping host 1.1.1.1

tail - useful for log messages

set is how we do some config
show is how we show the config

Find all the commands related to the network:
find command keyword network

We can see ethernet is under interface under network. To change ethernet1/1 from the CLI we need to use:
set network interface ethernet1/1

CLI is good for checking and debugging but most config will be done via the GUI.

Firewall maintenance

Config files

Running config (running-config.xml)
sits in the dataplane and this one controls the firewall behaviour
When the firewall reboots this config is loaded when it boots up 


Candidate configuration (snapshot.xml)
Separate file/space in memory to store temporary configuration in the control plane
Its config we have configured but have not deployed yet. 
When we do a commit its merged into running config.
Saving the candidate config doesn't commit the changes

Candidate config is the running config + the new changes
Commit command merges the changes from candidate config into running config
New updated running config has the new changes

We can revert to last saved conf
Replaces current candidate config with a saved candidate config file

We can revert to running config (probably will use this one most)
Get rid of un-commited changes

Load 
over writes with a file saved earlier (usually from a backup, used when restoring) 

Save
Can save a named config snapshot.

Export
Export a named config (backup)

Dynamic updates
  • Make sure these are enabled and auto downloading / installing
  • Antivirus / WildFire
  • Applications and Threats
  • GlobalProtect HIP
  • PAN-DB URL filtering (may use Umbrella instead)

Palo alto policy types
  • Security (firewall rules etc.)
  • NAT (global NAT, no-NATs, public NATs etc.)
  • QoS (voice QoS)
  • Policy Based Forwarding (PBF, the equivalent of PBR)
  • Decryption (SSL)
  • Authentication (RADIUS / SAML etc.)
  • DoS protection
  • Tunnel Inspection
  • SD-WAN
Palo Alto rule evaluation works like the ASA:
it works from top to bottom,
when a rule matches, the traffic is handled by that rule,
and it doesn't check any further rules.

Security policies
  • The primary traffic control tool
  • Block rules at the top (block lists), the predefined default rules at the bottom (interzone-default deny, intrazone-default allow, so the "implicit deny" only applies between zones)
  • Add the most specific rules at the top

IntERzone vs IntRAzone
  • IntRAzone (same zone) - intrazone-default allows this
  • IntERzone (lan to dmz) - interzone-default denies this
  • Universal (interzone + intrazone combined, the default rule type)
Application/Service
  • select (pick which ports)
  • any (allow HTTP on any port for example)
  • application-default (web-browsing only allowed on its standard port tcp/80, ssl on tcp/443, but not e.g. 8881)
Generally we don't want to allow apps on lots of ports but some custom applications run HTTP etc. on non-standard ports.
  • application-default - use this where we can as first preference
  • select - in edge cases we can config the specific ports. Second choice.
  • any - only for testing or if we can't get it working any other way. Last resort.

Default rules can be changed by using the override button.
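Added example (not Palo Alto's code or anything from the PCNSA material): a Python model of the rulebase evaluation described above, with the universal/intrazone/interzone rule types, application-default vs explicit ports vs any, the two predefined default rules, and first-match ordering. The App-ID port table, zone names and rule names are constructed for the example, and `shadowed_rules` is a deliberately simple ordering check, not the firewall's own shadow detection.

```python
from dataclasses import dataclass

# App-ID default ports, constructed for this example (the real values come from
# the App-ID content database; only these four apps are modelled here).
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "ssh": {("tcp", 22)},
    "dns": {("udp", 53), ("tcp", 53)},
}


@dataclass
class Rule:
    name: str
    from_zones: set
    to_zones: set
    apps: set                      # {"any"} or a set of App-IDs
    service: object                # "application-default", "any", or a set of (proto, port)
    action: str                    # "allow" or "deny"
    rule_type: str = "universal"   # "universal", "intrazone" or "interzone"

    def matches(self, src_zone, dst_zone, app, proto, port):
        same_zone = src_zone == dst_zone
        if self.rule_type == "intrazone" and not same_zone:
            return False
        if self.rule_type == "interzone" and same_zone:
            return False
        if "any" not in self.from_zones and src_zone not in self.from_zones:
            return False
        if "any" not in self.to_zones and dst_zone not in self.to_zones:
            return False
        if "any" not in self.apps and app not in self.apps:
            return False
        if self.service == "any":
            return True
        if self.service == "application-default":
            return (proto, port) in APP_DEFAULT_PORTS.get(app, set())
        return (proto, port) in self.service


# The two predefined rules that sit below every PAN-OS rulebase.
DEFAULT_RULES = [
    Rule("intrazone-default", {"any"}, {"any"}, {"any"}, "any", "allow", "intrazone"),
    Rule("interzone-default", {"any"}, {"any"}, {"any"}, "any", "deny", "interzone"),
]

# Constructed rulebase in the preferred order: app-default first, explicit
# ports only where an app really needs a non-standard port, "any" last.
# deny-dmz-web is placed after a rule that already covers it, so it never fires.
RULEBASE = [
    Rule("allow-web-out", {"inside"}, {"outside"}, {"web-browsing", "ssl"}, "application-default", "allow"),
    Rule("allow-custom-http", {"inside"}, {"dmz"}, {"web-browsing"}, {("tcp", 8881)}, "allow"),
    Rule("deny-dmz-web", {"inside"}, {"dmz"}, {"web-browsing"}, {("tcp", 8881)}, "deny"),
    Rule("allow-any-lab", {"inside"}, {"lab"}, {"any"}, "any", "allow"),
]


def evaluate(rulebase, src_zone, dst_zone, app, proto, port):
    """Top to bottom, first match wins; the predefined rules catch the rest."""
    for rule in list(rulebase) + DEFAULT_RULES:
        if rule.matches(src_zone, dst_zone, app, proto, port):
            return rule.name, rule.action
    raise RuntimeError("unreachable: the default rules match everything")


def shadowed_rules(rulebase):
    """Rules that can never fire because an earlier rule with the same zones
    and apps already covers their service ("any" or an identical port set)."""
    out = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            zones_same = earlier.from_zones == later.from_zones and earlier.to_zones == later.to_zones
            apps_same = earlier.apps == later.apps
            service_covers = earlier.service == "any" or earlier.service == later.service
            if zones_same and apps_same and service_covers:
                out.append(later.name)
                break
    return out


if __name__ == "__main__":
    print(evaluate(RULEBASE, "inside", "outside", "web-browsing", "tcp", 8881))  # interzone-default deny
    print(shadowed_rules(RULEBASE))                                             # ['deny-dmz-web']
```

The two things worth noticing when you run it: web-browsing on tcp/8881 to the outside is dropped by interzone-default because the allow rule is application-default, and deny-dmz-web is dead config because the allow above it already matches the same zones, app and port.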

Policy objects / groups
Its efficient to group items into groups so later the groups can be updated but your firewall rules can remain unchanged.

Security profiles

Ping from the firewall
Ping command sourced from an inside interface address to a host:
ping source 192.168.10.100 host 192.168.10.50

However if clients try to ping the firewall it will fail by default. We would need to create an interface management profile, allow ping and apply it to that interface.

Wednesday, 18 June 2025

VMware remote console VMRC

 https://knowledge.broadcom.com/external/article/368995/download-vmware-remote-console.html

Wednesday, 4 June 2025

Cisco RMA steps

open case 

request RMA

enter serial

chat now

"Can I request an RMA for this serial number: xxxxxxx"

This creates an RMA ticket.

The address needs to have the customer name (your address / Eircode)

or ship the RMA to the customer site.

Friday, 7 March 2025

export user cert from windows cert store

Open MMC

Add the Certificates snap-in

It asks for the scope: user account or computer store (the user cert lives in the user store)

Check Certificates > Personal

Export the user cert from the user store (PKCS #12 if the private key has to come with it, otherwise Base-64 encoded X.509 for the public certificate only)

Import the user cert into the machine store

switch aaa and radius authentication settings for duo etc

Order matters: define the RADIUS server, then the server group, then the AAA method lists. The ports below are the ones this Duo Authentication Proxy was set up with (Duo's default is 1812). The shared secret is normally set with "key 7 ..."; "pac key" is the EAP-FAST PAC key, so use whichever matches what the proxy expects.

aaa new-model

radius server DUO-AUTH-PROXY
 address ipv4 192.168.1.1 auth-port 18122 acct-port 18122
 pac key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

aaa group server radius DUO-AUTH
 server name DUO-AUTH-PROXY
 ip radius source-interface Vlan2

aaa authentication login default group DUO-AUTH local
aaa authentication login CON-LOCAL local

! CON-LOCAL only does something once it is bound to the console line,
! which keeps console access working if the Duo proxy is down
line con 0
 login authentication CON-LOCAL


Wednesday, 5 March 2025

find what DH group an ikev1 S2S VPN is using in ASA

Move away from groups 2, 5, 24.

DH groups 2, 5 and 24 are considered insecure and are deprecated in FTDs running 6.5/6.6 and will be removed in a later version.

Check the 6.7 and 7.1 release notes and search for "group 5":

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/vpn-s2s.html?


IKEv1

show vpn-sessiondb detail l2l filter ipaddress x.x.x.x

Look for "D/H Group" in the IKEv1 section.

sh crypto isakmp sa detail | i Grp:


sh crypto isakmp sa | i PFS Group 2,

Looking for groups 2 and 5:

sh crypto isakmp sa detail | i Grp:2,

sh crypto isakmp sa detail | i Grp:5,


Or copy the full output of "sh crypto isakmp sa detail" to a text file and search it.
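Added example (not from the Cisco docs or the notes above): a Python parser that goes through "show vpn-sessiondb detail l2l" output and flags peers whose D/H Group is 2, 5 or 24 (group 1 is included as weak as well). The output excerpt is constructed to match the fields the notes mention; peer IPs, tunnel IDs and the exact field layout are assumptions, so check the regexes against real output before relying on it.

```python
import re

# Groups the notes say to move away from (2, 5, 24); group 1 is weaker still.
WEAK_DH_GROUPS = {1, 2, 5, 24}

# Constructed excerpt in the shape of 'show vpn-sessiondb detail l2l'. The real
# output has more fields; only the ones the parser keys on are relied upon here.
SAMPLE_OUTPUT = """\
Session Type: LAN-to-LAN Detailed

Connection   : 203.0.113.50
Index        : 12                     IP Addr      : 203.0.113.50
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1

IKEv1:
  Tunnel ID    : 12.1
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  D/H Group    : 2
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 85800 Seconds

IPsec:
  Tunnel ID    : 12.2
  Local Addr   : 10.10.0.0/255.255.0.0/0/0
  Remote Addr  : 10.20.0.0/255.255.0.0/0/0
  Encryption   : AES256                 Hashing      : SHA1

Connection   : 198.51.100.20
Index        : 13                     IP Addr      : 198.51.100.20
Protocol     : IKEv2 IPsec
Encryption   : IKEv2: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv2: (1)SHA256  IPsec: (1)SHA256

IKEv2:
  Tunnel ID    : 13.1
  Encryption   : AES256                 Hashing      : SHA256
  D/H Group    : 14
  PRF          : SHA256

IPsec:
  Tunnel ID    : 13.2
  Local Addr   : 10.10.0.0/255.255.0.0/0/0
  Remote Addr  : 10.30.0.0/255.255.0.0/0/0
  Encryption   : AES256                 Hashing      : SHA256
"""

PEER_RE = re.compile(r"^Connection\s*:\s*(\S+)", re.M)
IKE_RE = re.compile(r"^Protocol\s*:\s*(IKEv[12])", re.M)
# "PFS Group" is accepted too, for output (e.g. show crypto ipsec sa) that lists it.
GROUP_RE = re.compile(r"^\s*(?:D/H Group|PFS Group)\s*:\s*(\d+)", re.M)


def audit_dh_groups(output):
    """Map each L2L peer to the DH/PFS groups seen and the weak ones among them."""
    results = {}
    # One chunk per "Connection :" header; the text before the first one is skipped.
    for chunk in re.split(r"(?m)^(?=Connection\s*:)", output):
        peer = PEER_RE.search(chunk)
        if not peer:
            continue
        ike = IKE_RE.search(chunk)
        groups = sorted({int(g) for g in GROUP_RE.findall(chunk)})
        results[peer.group(1)] = {
            "ike": ike.group(1) if ike else "unknown",
            "groups": groups,
            "weak": [g for g in groups if g in WEAK_DH_GROUPS],
        }
    return results


def weak_peers(results):
    """Peers whose IKE policy / crypto map needs moving to a stronger group."""
    return sorted(peer for peer, r in results.items() if r["weak"])


if __name__ == "__main__":
    for peer, r in audit_dh_groups(SAMPLE_OUTPUT).items():
        flag = "WEAK" if r["weak"] else "ok"
        print(f"{peer:16} {r['ike']:6} groups={r['groups']} {flag}")
```

Feed it the saved text file from the ASA instead of SAMPLE_OUTPUT and it gives you the list of peers to raise with the other side before the group is removed in a later release.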

Tuesday, 4 March 2025

QoS palo alto

Make QoS policies

Policies > QoS


Assign policies to a profile:

Network > Network Profiles > QoS Profile


Assign a profile to interfaces

Network > QoS



Thursday, 27 February 2025

why speed test results are usually lower than advertised speed

Overhead

  • Your internet speed is measured in raw bits per second (bps), but real-world data transfer includes additional information like headers, acknowledgments, and error checking.

  • TCP/IP, Ethernet, and other protocols add packet overhead, meaning some portion of the bandwidth is used for network management rather than your actual data.
  • This overhead typically accounts for 5-15% of the total bandwidth, which explains why you rarely see a full 1 Gbps in speed tests.

Speed test client and server

  • The speed test server's capacity can impact results. Some servers may be congested or unable to fully utilise your bandwidth.
  • The distance between you and the test server affects latency, which can slightly reduce speeds.
  • The speed test client needs a good NIC (Intel if possible) and a good spec (RAM and CPU) because it has to open many connections to test the line. For example, if you test with a 100 Mbps NIC that is the max speed you can see; you need a 1 Gbps NIC or better to test a 1 Gbps connection.

ISP and firewall/network management and contention

  • ISPs often use network shaping, congestion control, and peering agreements that affect speed.
  • During peak times, ISPs may limit speeds slightly to ensure fair distribution of bandwidth among users.
  • Your internal network/firewall may do the same.
  • It's best to test out of hours with just your test laptop plugged directly into the internet connection to get the best results.

Thursday, 20 February 2025

check a DNS TXT record

https://mxtoolbox.com/SuperTool.aspx?action=txt%3a%40.dlrcoco.ie&run=toolpage#

nslookup -type=TXT mail._domainkey.domain.com


dig TXT domain.com +short


Powershell

Resolve-DnsName -Type TXT domain.com

Wednesday, 12 February 2025

Meraki monitoring pages

Organisation > Alerts

Network-wide > Clients

Network-wide > Traffic

Tuesday, 28 January 2025

geoblock on palo alto

The FW needs to see the client's public IP before a geoblock can be applied (region objects are matched in the security policy, so the traffic has to reach the firewall unchanged).


Check where GlobalProtect logins come from under Monitor > Logs > GlobalProtect:

( stage eq 'login' ) and ( status eq 'success' )


Also:

Network > GlobalProtect > Gateways, click on the "Remote Users" link on the right.


There is also the option to create the NAT for the GP IP only for the geolocations allowed.


Have a general security rule with the geoblock (region objects) to/from any, deny.

Have a security rule to allow access to the GP IP only from the approved countries.

Set the countries up in the GP config (portal / gateway).

Configure the geoblock on any 2FA provider you use as well, as another line of defence.

Enable the Palo EDL blocks and dynamic threats etc., strict IPS profiles.

Wednesday, 22 January 2025

exclude IP's from nessus scan

Say we want to exclude .101 and .102 from 192.168.1.0/24; we can create targets like so:


192.168.1.1-192.168.1.100, 192.168.1.103-192.168.1.254
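Added example (not Tenable's code): a Python helper that builds the target string above from a subnet and an exclusion list, so the ranges don't have to be worked out by hand when there are many exclusions or whole sub-ranges to skip. Function names are my own.

```python
import ipaddress


def collapse_ranges(addresses):
    """Group a sorted list of addresses into (first, last) runs of consecutive IPs."""
    ranges = []
    start = prev = None
    for addr in addresses:
        if start is None:
            start = prev = addr
        elif int(addr) == int(prev) + 1:
            prev = addr
        else:
            ranges.append((start, prev))
            start = prev = addr
    if start is not None:
        ranges.append((start, prev))
    return ranges


def nessus_targets(network, exclude=()):
    """Return a Nessus target string for `network` with `exclude` carved out.

    `network` is a CIDR; `exclude` holds single IPs or CIDRs. Network and
    broadcast addresses are dropped, matching the .1-.254 style in the notes.
    """
    net = ipaddress.ip_network(network, strict=False)
    excluded = set()
    for item in exclude:
        # iterating a network yields every address in it; a bare IP is a /32
        excluded.update(ipaddress.ip_network(item, strict=False))
    hosts = [h for h in net.hosts() if h not in excluded]
    return ", ".join(
        str(first) if first == last else f"{first}-{last}"
        for first, last in collapse_ranges(hosts)
    )


if __name__ == "__main__":
    print(nessus_targets("192.168.1.0/24", ["192.168.1.101", "192.168.1.102"]))
    print(nessus_targets("10.0.0.0/23", ["10.0.1.0/25"]))
```

Paste the result straight into the Targets field; single addresses come out on their own and a run of two or more comes out as a dash range.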


Reducing scan impact:

1. Exclude or limit scanning of network infrastructure devices

  • Exclude firewalls, switches, wireless access points and routers unless there is a clear need to scan them and it has been coordinated with the network team.
  • These devices often react poorly to port scans and probes, have limited CPU/RAM for handling scan traffic, and can throttle or interrupt user traffic when overwhelmed.


2. Use scan throttling and performance settings

  • Scan Configuration > Performance Settings:
    • Reduce the max simultaneous checks per host.
    • Lower the max simultaneous hosts scanned.
    • Increase the timeout to prevent retries.
    • Set a network scan delay (e.g. 100-300 ms).
    • Keep Safe Checks enabled to avoid DoS-like behaviour.
  • This reduces the burst load on the network and the devices.


3. Use targeted or segmented scans

  • Break the scan into smaller IP ranges or subnets.
  • Focus on servers, endpoints, or business-critical systems first.
  • Scan different segments at different times or windows.
  • This distributes the load and avoids network congestion.


4. Schedule scans during off-hours

  • Run scans during non-peak hours (e.g. late evening or weekends).
  • Coordinate with the customer for a maintenance window.
  • This is often the simplest way to avoid affecting productivity.


5. Enable credentialed scanning where possible

  • Credentialed scans are less noisy on the network.
  • They use authenticated access (e.g. SSH, SMB) to gather data from inside the system.
  • More accurate and less intrusive than aggressive remote scans.


6. Use passive or external discovery methods first

  • Start with an ARP sweep, DNS enumeration, SNMP discovery and existing asset inventories.
  • Use these to map devices before a full vulnerability scan.


7. Communicate and test first

  • Run a scan in a test VLAN or lab to profile the impact.
  • Communicate with the network and system admins.
  • Make sure there is monitoring in place to see how scans affect performance.


Nessus HSTS check and redirects HTTP 3xx codes

https://community.tenable.com/s/article/Verify-strict-transport-security-header-for-HSTS-Missing-From-HTTPS-Server?language=en_US


The finding is often raised because the HTTPS redirect response (301/302) lacks the Strict-Transport-Security header even though the final page has it, so check every hop, not just the last one. Note that -I on the plain http:// URL only shows the redirect to HTTPS; the header has to be on the HTTPS responses.

curl -sSI http://domain.com/

curl -sSIL https://domain.com/
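Added example (not Tenable's plugin logic or the original notes): a Python check that walks a captured redirect chain and reports which HTTPS hops are missing Strict-Transport-Security or carry a short max-age. The sample chain is constructed; `domain.com` is the placeholder from the notes, and the one-year minimum is an assumption (use whatever your policy requires).

```python
REDIRECT_CODES = {301, 302, 303, 307, 308}
ONE_YEAR = 31536000   # assumed minimum max-age for this example


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains' into a dict of directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if has_value else True
    return directives


def audit_redirect_chain(hops, min_max_age=ONE_YEAR):
    """Check each hop of a redirect chain for HSTS problems.

    hops: list of (url, status, headers) in the order they were followed.
    Returns a list of finding strings; an empty list means nothing to fix.
    """
    findings = []
    for url, status, headers in hops:
        lowered = {k.lower(): v for k, v in headers.items()}
        hsts = lowered.get("strict-transport-security")
        if url.lower().startswith("http://"):
            # Browsers ignore HSTS on a plain-HTTP response; what matters on
            # this hop is that it redirects to HTTPS at all.
            if status not in REDIRECT_CODES:
                findings.append(f"{url}: HTTP {status} served without redirecting to HTTPS")
            continue
        if hsts is None:
            # An HTTPS 3xx without the header is the case that trips the scanner.
            findings.append(f"{url}: HTTPS {status} response has no Strict-Transport-Security header")
            continue
        raw = parse_hsts(hsts).get("max-age")
        max_age = int(raw) if isinstance(raw, str) and raw.isdigit() else -1
        if max_age < min_max_age:
            findings.append(f"{url}: max-age {max_age} is below {min_max_age}")
    return findings


# Constructed chain (not a real capture): the HTTPS 302 in the middle is the
# hop that typically triggers the finding even though the final page is fine.
SAMPLE_CHAIN = [
    ("http://domain.com/", 301, {"Location": "https://domain.com/"}),
    ("https://domain.com/", 302, {"Location": "https://www.domain.com/"}),
    ("https://www.domain.com/", 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]

if __name__ == "__main__":
    for finding in audit_redirect_chain(SAMPLE_CHAIN):
        print(finding)
```

To use it on a live site, feed it the (url, status, headers) of each hop from curl -sSIL or from http.client; the fix on the server side is to emit the header on the redirect virtual host as well as on the final one.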

Friday, 17 January 2025

Palo alto and azure SAML auth

KBs:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

https://learn.microsoft.com/en-us/entra/identity/saas-apps/palo-alto-networks-globalprotect-tutorial



Generate the new signing cert in Azure and make it active

Delete the old cert

Wait a few minutes for the Azure cloud to update

Download the federation metadata XML

Delete the old certs from the Palo

Import the XML into the Palo; this will create the cert and the SAML IdP server profile

Don't tick the "Validate Identity Provider Certificate" check box

Select the new IdP profile in your Azure authentication profile

Thursday, 2 January 2025

NAT rules on palo alto

Making a note because it's a bit different to the Cisco ASA.


NAT rule

OUTSIDE > OUTSIDE (zones are evaluated pre-NAT: the packet arrives on OUTSIDE and its destination, the public IP, also routes to OUTSIDE)

Public src > Public dst


FW rule

OUTSIDE > INSIDE (the destination zone is the post-NAT zone, so it counts as INSIDE because of the NAT)

Public src > Public dst (the addresses in the security rule stay pre-NAT)