open case
request RMA
enter serial
chat now
Can I request RMA for this serial number : xxxxxxx
creates a RMA ticket
address needs to have customer name (your address / eircode)
or ship the RMA to the customer site
open case
request RMA
enter serial
chat now
Can I request RMA for this serial number : xxxxxxx
creates a RMA ticket
address needs to have customer name (your address / eircode)
or ship the RMA to the customer site
Open MMC
Add certs snap-in
user account and computer store
Check certificates > personal
exported the user cert from user store (use PKCS12 or DER base-64 encoded)
imported user cert into machine
aaa group server radius DUO-AUTH
aaa authentication login default group DUO-AUTH local
aaa authentication login CON-LOCAL local
aaa group server radius DUO-AUTH
server name DUO-AUTH-PROXY
ip radius source-interface Vlan2
radius server DUO-AUTH-PROXY
address ipv4 192.168.1.1 auth-port 18122 acct-port 18122
pac key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Move away from Groups 2, 5, 24.
DH Groups 2, 5, 24 are considered insecure and are deprecated in FTD’s running 6.5/6.6 and will be removed in a later version.
check 6.7 and 7.1 release notes and search for group 5
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/vpn-s2s.html?
IKEv1
show vpn-sessiondb detail l2l filter ipaddress x.x.x.x
Look for "D/H Group" in IKEv1 section
sh crypto isakmp sa detail | i Grp:
sh crypto isakmp sa | i PFS Group 2,
Looking for groups 2 and 5
sh crypto isakmp sa detail | i Grp:2,
sh crypto isakmp sa detail | i Grp:5,
Can copy the full output of " sh crypto isakmp sa detail" to a text file and search
Make QoS policies
Policies > QoS
Assign policies to a profile:
Network > Network Profiles > QoS Profile
Assign a profile to interfaces
Network > QoS
Overhead
https://mxtoolbox.com/SuperTool.aspx?action=txt%3a%40.dlrcoco.ie&run=toolpage#
nslookup -type=TXT mail._domainkey.domain.com
dig TXT domain.com +short
Powershell
Resolve-DnsName -Type TXT domain.com
Organisation -> Alerts
Network-wide > clients
Network wide > Traffic
The FW needs to see the IP before geoblock can be applied
under monitor > logs > GlobalProtect
( stage eq 'login' ) and ( status eq 'success' )
Also
Network > Gateways, click on the "Remote Users" link on the right
There is also the option to create the NAT for the GP IP only for the geo locations allowed
Have a general security rules with geoblock to/from any deny
Have a security rule to allow access to the GP IP only from the approved countries
Set the countries up in the GP config (portal / gateway)
Config the geoblock on any 2FA you might be using for 2FA as well as another line of defence
Enable the palo EDL blocks and dynamic threats etc, strict IPS
Say we want to exclude 101 and 102 we can create targets like so:
192.168.1.1-192.168.1.100, 192.168.1.103-192.168.1.254
Reducing scan impact:
Exclude devices like:
Firewalls
Switches
Wireless access points
Routers
These devices often:
React poorly to port scans and probes
Have limited CPU/RAM for handling scan traffic
Could throttle or interrupt user traffic when overwhelmed
✅ Yes, you should exclude these devices unless you have a clear need to scan them and have coordinated with the network team.
Adjust the performance settings in Nessus:
Scan Configuration > Performance Settings:
Reduce the number of max simultaneous checks per host.
Lower the max simultaneous hosts scanned.
Increase the timeout to prevent retries.
Set network scan delay (e.g., 100–300 ms).
Use Safe Checks to avoid DoS-like behavior.
This reduces the burst load on the network and the devices.
Break the scan into smaller IP ranges or subnets.
Focus on servers, endpoints, or business-critical systems first.
Scan different segments at different times or windows.
This distributes the load and avoids network congestion.
Run scans during non-peak hours (e.g., late evening or weekends).
Coordinate with the customer for a maintenance window.
This is often the simplest way to avoid affecting productivity.
Credentialed scans are less noisy on the network.
They use authenticated access (e.g., SSH, SMB) to gather data from inside the system.
More accurate and less intrusive than aggressive remote scans.
Start with:
ARP sweep
DNS enumeration
SNMP discovery
Existing asset inventories
Use these to map devices before a full vulnerability scan.
Run a scan in a test VLAN or lab to profile the impact.
Communicate with the network and system admins.
Make sure there’s monitoring in place to see how scans affect performance.
https://community.tenable.com/s/article/Verify-strict-transport-security-header-for-HSTS-Missing-From-HTTPS-Server?language=en_US
curl -sSI http://domain.com/
KBs:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE
https://learn.microsoft.com/en-us/entra/identity/saas-apps/palo-alto-networks-globalprotect-tutorial
Generate the the cert and make it active
Delete the old cert
Wait a few minutes for azure cloud to update
Download the xml
delete old certs from palo
Import the xml into palo this will create cert and SAML IDP profile
Don't tick validate check box
Select the new IDP profile in your azure auth profile
Making a note because its a bit different to cisco ASA
NAT rule
OUTSIDE > OUTSIDE
Public src > Public dst
FW rule
OUTSIDE > INSIDE (counted as inside because of the NAT)
Public src > Public dst