Friday, 7 March 2025

export user cert from windows cert store

Open MMC 

Add certs snap-in

user account and computer store

Check certificates > personal

exported the user cert from user store (use PKCS12 or DER base-64 encoded)

imported user cert into machine

Posted by at No comments:

switch aaa and radius authentication settings for duo etc

 aaa group server radius DUO-AUTH

aaa authentication login default group DUO-AUTH local

aaa authentication login CON-LOCAL local



aaa group server radius DUO-AUTH

 server name DUO-AUTH-PROXY

 ip radius source-interface Vlan2


radius server DUO-AUTH-PROXY

 address ipv4 192.168.1.1 auth-port 18122 acct-port 18122

 pac key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


Posted by at No comments:
Labels: ,

Wednesday, 5 March 2025

find what DH group an ikev1 S2S VPN is using in ASA

 sh crypto isakmp sa detail | i Grp:


Looking for groups 2 and 5

 sh crypto isakmp sa detail | i Grp:2,

 sh crypto isakmp sa detail | i Grp:5,


Can copy the full output of " sh crypto isakmp sa detail" to a text file and search

Posted by at No comments:
Labels: , , ,

Tuesday, 4 March 2025

QoS palo alto

Make QoS policies

Policies > QoS


Assign policies to a profile:

Network > Network Profiles > QoS Profile


Assign a profile to interfaces

Network > QoS



Posted by at No comments:
Labels: , ,

Thursday, 27 February 2025

why speed test results are usually lower than advertised speed

Overhead

  • Your internet speed is measured in raw bits per second (bps), but real-world data transfer includes additional information like headers, acknowledgments, and error checking.

  • TCP/IP, Ethernet, and other protocols add packet overhead, meaning some portion of the bandwidth is used for network management rather than your actual data.
  • This overhead typically accounts for 5-15% of the total bandwidth, which explains why you rarely see a full 1 Gbps in speed tests.

Speed test client and server

  • The speed test server’s capacity can impact results. Some servers may be congested or unable to fully utilize your bandwidth.
  • The distance between you and the test server affects latency, which can slightly reduce speeds.
  • The speed test client needs to have a good NIC (intel if possible) and good spec (RAM and CPU) because it needs to make many connections to test the connection. For example if you test with a 100mbps NIC that is the max speed you can see. You need a 1gig NIC or better to test a 1gig connection.

    • ISP and firewall/network management and contention

    • ISPs often use network shaping, congestion control, and peering agreements that affect speed.
    • During peak times, ISPs may limit speeds slightly to ensure fair distribution of bandwidth among users.
    • Your internal network/firewall may do the same
    • Its best to test out of hours with just your test laptop plugged into the internet connection to give the best results
    Posted by at No comments:

    Thursday, 20 February 2025

    check a DNS TXT record

     

    https://mxtoolbox.com/SuperTool.aspx?action=txt%3a%40.dlrcoco.ie&run=toolpage#

    nslookup -type=TXT mail._domainkey.domain.com


    dig TXT domain.com +short


    Powershell

    Resolve-DnsName -Type TXT domain.com

    Posted by at No comments:

    Wednesday, 12 February 2025

    Meraki monitoring pages

    Organisation -> Alerts

    Network-wide > clients

    Network wide > Traffic

    Posted by at No comments:
    Labels:

    Tuesday, 28 January 2025

    geoblock on palo alto

    The FW needs to see the IP before geoblock can be applied 


    under monitor > logs > GlobalProtect

    ( stage eq 'login' ) and ( status eq 'success' )


    Also

    Network > Gateways, click on the "Remote Users" link on the right


    There is also the option to create the NAT for the GP IP only for the geo locations allowed


    Have a general security rules with geoblock to/from any deny

    Have a security rule to allow access to the GP IP only from the approved countries

    Set the countries up in the GP config (portal / gateway)

    Config the geoblock on any 2FA you might be using for 2FA as well as another line of defence

    Enable the palo EDL blocks and dynamic threats etc, strict IPS

    Posted by at No comments:
    Labels: , , , , , ,

    Wednesday, 22 January 2025

    exclude IP's from nessus scan

    Say we want to exclude 101 and 102 we can create targets like so:


    192.168.1.1-192.168.1.100, 192.168.1.103-192.168.1.254

    Posted by at No comments:
    Labels: ,

    Nessus HSTS check and redirects HTTP 3xx codes

     https://community.tenable.com/s/article/Verify-strict-transport-security-header-for-HSTS-Missing-From-HTTPS-Server?language=en_US


    curl -sSI http://domain.com/

    Posted by at No comments:
    Labels: , ,

    Friday, 17 January 2025

    Palo alto and azure SAML auth

    KBs:

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

    https://learn.microsoft.com/en-us/entra/identity/saas-apps/palo-alto-networks-globalprotect-tutorial



    Generate the the cert and make it active

    Delete the old cert

    Wait a few minutes for azure cloud to update 

    Download the xml

    delete old certs from palo

    Import the xml into palo this will create cert and SAML IDP profile

    Don't tick validate check box

    Select the new IDP profile in your azure auth profile

    Posted by at No comments:
    Labels: , ,

    Thursday, 2 January 2025

    NAT rules on palo alto

     Making a note because its a bit different to cisco ASA


    NAT rule

    OUTSIDE > OUTSIDE 

    Public src > Public dst


    FW rule 

    OUTSIDE > INSIDE (counted as inside because of the NAT)

    Public src > Public dst

    Posted by at No comments:
    Labels: , ,
    Subscribe to: Posts (Atom)