Saturday, October 22, 2011

Troubleshooting Dynamic Updates on Palo Alto Firewalls

The following are troubleshooting steps to take when a Palo Alto firewall, installed in Virtual Wire mode or being initially configured behind the existing firewalls, is not pulling down dynamic updates for Threat Protection, AntiVirus and URL Filtering.
After verifying that the device is licensed and registered for updates, it is time to verify that there is not a connectivity issue:
All of these are done from the command line, so either connect via SSH or via a console cable.

PAN updates
The first thing to check is the connection from the Management interface to the Palo Alto Networks update site:
ping host updates.paloaltonetworks.com
This shows that basic connectivity is in place; updates.paloaltonetworks.com responds to ping if the path is good.
If that fails, the next test is to check for routing issues:
traceroute host updates.paloaltonetworks.com
If this does not reach the first hop, verify that the management interface is configured with the correct default gateway.
After determining that base-level connectivity exists, the next step is to verify that it is possible to connect to the service port for updates:
telnet port 443 host updates.paloaltonetworks.com
If this is good, then it is possible to manually request updates. If not, it will be necessary to verify or update the configuration for the current firewalls.
Anti-Virus
request anti-virus upgrade download latest
or, if in a High Availability pair:
request anti-virus upgrade download latest sync-to-peer
Applications and content
request content upgrade download latest
or, if in a High Availability pair:
request content upgrade download latest sync-to-peer

If the firewall is licensed for the BrightCloud URL filtering updates, the testing is slightly different since the updates come from a different site and service port.
Start by verifying the basic connectivity:
ping host service.brightcloud.com
Verify that the traffic is routing properly:
traceroute host service.brightcloud.com
Verify that it is possible to connect to port 80 on service.brightcloud.com:
telnet port 80 host service.brightcloud.com
If this is good, then it is possible to manually request updates. If not, it will be necessary to verify or update the configuration for the current firewalls.
URL filtering
Request an update of the URL Filtering database:
request url-filtering upgrade brightcloud
Verify that the download is in progress:
request url-filtering download status
If there is still an issue, output like the following will appear:
{date time} Error: dtMessageTime(bcnet.cpp:256): failed connect to 64.87.3.54 on 80
When the download begins successfully, the following will appear:
{date time} URL database download: 90% done
When successful, a message similar to the following will appear:
369745418 total bytes 16.90 secs -79112.66 kB/S
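The same three-stage check (reachability, routing path, service port), scripted for a Linux workstation on the firewall's management subnet, plus a classifier for the download-status lines shown above. This is an added example, not part of the original post; it assumes Linux iputils ping, getent, and either nc or bash /dev/tcp are available.

```shell
#!/bin/sh
# Added example (not from the original post): the three checks the post runs
# on the firewall, from a Linux workstation on the management subnet, plus a
# classifier for `request url-filtering download status` output lines.
# Assumptions: Linux iputils ping, getent, and either nc or bash /dev/tcp.

# Update endpoints named in the post, as host:port.
PAN_UPDATE_ENDPOINT="updates.paloaltonetworks.com:443"
BRIGHTCLOUD_ENDPOINT="service.brightcloud.com:80"

# Print the first failing stage (dns, icmp, tcp) for a host:port, or "ok".
# The order tells you where to look: DNS, the management default gateway,
# or an upstream firewall rule for the service port.
check_endpoint() {
  host="${1%%:*}"; port="${1##*:}"
  getent hosts "$host" >/dev/null 2>&1 || { echo "dns"; return 1; }
  ping -c 1 -W 2 "$host" >/dev/null 2>&1 || { echo "icmp"; return 1; }
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$host" "$port" >/dev/null 2>&1 || { echo "tcp"; return 1; }
  else
    timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1 \
      || { echo "tcp"; return 1; }
  fi
  echo "ok"
}

# Run check_endpoint for both update sites; "service.brightcloud.com:80 tcp"
# would mean DNS and ICMP work but port 80 is blocked somewhere upstream.
check_all_endpoints() {
  for ep in "$PAN_UPDATE_ENDPOINT" "$BRIGHTCLOUD_ENDPOINT"; do
    printf '%s %s\n' "$ep" "$(check_endpoint "$ep")"
  done
}

# Classify one line of `request url-filtering download status` output as
# error, progress:<percent>, complete, or unknown.
classify_status() {
  case "$1" in
    *Error:*"failed connect to"*) echo "error" ;;
    *"URL database download:"*"% done"*)
      pct="${1##*download: }"   # "90% done"
      pct="${pct%%%*}"          # "90"
      echo "progress:$pct" ;;
    *"total bytes"*secs*) echo "complete" ;;
    *) echo "unknown" ;;
  esac
}

# Read a whole status capture on stdin and print the end state:
# error and complete are terminal, progress lines mean in-progress.
summarize_status() {
  state="unknown"
  while IFS= read -r line; do
    case "$(classify_status "$line")" in
      error) state="error"; break ;;
      progress:*) state="in-progress" ;;
      complete) state="complete"; break ;;
    esac
  done
  echo "$state"
}
```

Call check_all_endpoints from the workstation, or paste a saved status capture into summarize_status to get a one-word verdict.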

Hopefully someone will find this useful.
Be safe out there
James

Thursday, August 25, 2011

Creating Palo Alto Reports at the Command Line

I have been working on creating reports on Palo Alto Firewalls from the command line.
For this scenario I have created two security policy rules for inbound and outbound. Now we want to get a weekly report that shows the top 50 applications that are flowing in each direction.

Either connect via the console port on the firewall or ssh:
Change to configuration mode:
configure

To configure the custom reports that will be used, use the following syntax (the query is double-quoted for the CLI and the rule name is single-quoted inside it):
set shared reports {name_of_report} period last-7-calendar-days topn 50 topm 10 query "rule eq '{rule_name}'" type traffic aggregate-by [ app from to ] values bytes sortby bytes

The text for the two custom reports would be:
set shared reports Inbound period last-7-calendar-days topn 50 topm 10 query "rule eq 'inbound_allow'" type traffic aggregate-by [ app from to ] values bytes sortby bytes
set shared reports Outbound period last-7-calendar-days topn 50 topm 10 query "rule eq 'outbound_allow'" type traffic aggregate-by [ app from to ] values bytes sortby bytes

Next set up the report group that will be used to assign the custom reports to the schedule:
set shared report-group {report_name} title-page no

The text for the custom report group:
set shared report-group Weekly title-page no

Next add the custom reports to the report group:
set shared report-group {report_name} custom-widget 1 custom-report {name_of_report}

The text for assigning the custom reports to the report group:
set shared report-group Weekly custom-widget 1 custom-report Inbound
set shared report-group Weekly custom-widget 2 custom-report Outbound

Next create the scheduler for the report:
set shared email-scheduler {schedule_name} email-profile {email_profile} report-group {report_name} recurring weekly {day_of_week}

The text for creating the custom schedule:
set shared email-scheduler Weekly email-profile mail.example.com report-group Weekly recurring weekly monday

Don't forget to commit the configuration:
commit

This process will generate a report that is delivered on Monday mornings to the email addresses that are configured for mail.example.com and will show the top 50 inbound and outbound applications by bytes. The report can then be used to narrow down what applications will be allowed inbound and outbound. The Palo Alto reporting features can also be used to identify what applications are being used by a particular service port to refine a security rule from using any application to specific applications.
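A generator for the commands above, as an added example that is not part of the original post: it takes any list of report=rule pairs and emits the matching custom reports, report group, widget assignments, weekly scheduler and commit, with name validation so nothing breaks the nested quoting. The group name, e-mail profile and weekday are parameters; the values in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): generate the "set shared"
# commands for any list of report=rule pairs, so every rule gets its own
# top-50 custom report, the reports are numbered into one report group, and
# the group is mailed weekly. The query is double-quoted for the CLI and the
# rule name is single-quoted inside it, so names are validated first.
# Assumptions: group name, e-mail profile and weekday are parameters.

# Names end up inside the quoted query, so allow only safe characters.
valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  return 0
}

# Custom report for one rule: $1 = report name, $2 = rule name.
report_cmd() {
  printf "set shared reports %s period last-7-calendar-days topn 50 topm 10 query \"rule eq '%s'\" type traffic aggregate-by [ app from to ] values bytes sortby bytes\n" "$1" "$2"
}

# Emit the full configuration, ending with commit.
# $1 = report group, $2 = e-mail profile, $3 = weekday, then report=rule pairs.
gen_report_config() {
  group="$1"; profile="$2"; day="$3"; shift 3
  [ "$#" -gt 0 ] || { echo "no report=rule pairs given" >&2; return 1; }
  for name in "$group" "$profile" "$day"; do
    valid_name "$name" || { echo "invalid name: $name" >&2; return 1; }
  done
  for pair in "$@"; do
    case "$pair" in
      *=*) ;;
      *) echo "expected report=rule, got: $pair" >&2; return 1 ;;
    esac
    valid_name "${pair%%=*}" && valid_name "${pair#*=}" \
      || { echo "invalid report=rule pair: $pair" >&2; return 1; }
  done
  for pair in "$@"; do
    report_cmd "${pair%%=*}" "${pair#*=}"
  done
  printf 'set shared report-group %s title-page no\n' "$group"
  n=1
  for pair in "$@"; do
    printf 'set shared report-group %s custom-widget %d custom-report %s\n' \
      "$group" "$n" "${pair%%=*}"
    n=$((n + 1))
  done
  printf 'set shared email-scheduler %s email-profile %s report-group %s recurring weekly %s\n' \
    "$group" "$profile" "$group" "$day"
  printf 'commit\n'
}

# Usage (constructed values), reproducing the two-rule setup above:
# gen_report_config Weekly mail.example.com monday Inbound=inbound_allow Outbound=outbound_allow
```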

Be safe out there.
James

Thursday, August 18, 2011

The TARDIS Corset Interview

This post will be slightly different from my usual fare. This is an interview that I did on Twitter with amazonv and mayfairemoon regarding the TARDIS Corset. The entire interview can be found by searching for #tardiscorset on twitter.

It has been an interesting week for my friends Nikki (amazonv) and Nikki (mayfairemoon). Mayfairemoon posted the following picture of a corset she has been working on for amazonv.

http://desmond.yfrog.com/Himg739/scaled.php?tn=0&server=739&filename=ekmvx.jpg&xsize=640&ysize=640

The TARDIS Corset was unveiled and then the Internet got excited.

Amazonv had mentioned the corset was being built earlier this summer and I for one could not wait to see the pictures.

After that first picture appeared, the TARDIS corset began making the rounds on a variety of web sites. Amazonv has links to many of the articles at http://www.TARDIScorset.com.

On Tuesday August 16th another set of pictures was posted that shows how the corset looks when worn.

http://www.smugmug.com/gallery/18564894_ZSwzDj#1433802297_Q2nnZNK

On Tuesday evening amazonv and I were talking via twitter and the topic turned to the corset. I made a comment about how talented I thought amazonv was:

amazonv @n0b0d4 why me? I didn't make the corset, @mayfairemoon did, I just put cash behind her amazing artistic talent

n0b0d4 @amazonv oh right wrong thought process. whose idea was it? yours or @mayfairemoon - talent and skill also need inspiration

amazonv @n0b0d4 @mayfairemoon she had the idea before me, but when she mentioned it I was all over it, we had some plotting, sketching, then bam!

n0b0d4 @mayfairemoon @amazonv so it was collaborative then

amazonv @n0b0d4 @mayfairemoon did the hard work (idea to real) and its not done yet since canada posts hates me

n0b0d4 @mayfairemoon @amazonv since this is turning into an interview - is it ok to continue?

amazonv @n0b0d4 interviews should go to nikki ( @mayfairemoon ) not me, unless they do both (nikki^2)

I am not sure what inspired me to schedule an interview with amazonv and mayfairemoon for Wednesday August 17th. I provided my questions to the Nikkis ahead of time. The interview was conducted in near real time on twitter (thanks in part to flaky Internet access at my hotel). I am including the transcript below:

How long have you known each other?

amazonv @n0b0d4 I first saw @mayfairemoon at the PA ren faire at least 6 years ago, we meet through @GilCnaan again 2 years ago

mayfairemoon @n0b0d4 Well, we've also been in the same scene for a while, now.

Who introduced you?

amazonv @n0b0d4 We were introduced by @GilCnaan a mutual friend we do have a lot of mutual friends

mayfairemoon @n0b0d4 @amazonv Probably @GilCnaan, but we have a bunch of the same friends, so it was inevitable, I think.

When did you come up with the original idea for the TARDIS corset?

amazonv @n0b0d4 When I had to cancel my wedding gown order with @mayfairemoon I said I wanted a corset still, she threw out ideas

amazonv @n0b0d4 I said I like tea, and scifi...and @mayfairemoon said "TARDIS" and I squealed and squealed some more

how much time did the design phase take?

mayfairemoon @n0b0d4 @amazonv I had the basics in my head all this time. Couldn't figure out tech aspects til I chatted w/ @damnedgoodesign

amazonv @n0b0d4 on my part I spent a night eating sushi & plotting with nikki, and a few emails and phone calls, then she took over

mayfairemoon @n0b0d4 @amazonv Refining the design took forever. Lots of "Will this work?" followed by "Ooops. No. Try again."

mayfairemoon @amazonv @n0b0d4 Because EVERYTHING is better with sushi. Absolutely.

What inspired the original idea for the TARDIS corset?

mayfairemoon @n0b0d4 I was wandering around Philcon 4 yrs or so ago, and thought, "How do I translate the fabulous geekery to my corsetry?"

mayfairemoon @amazonv @n0b0d4 I wanted to do the corset for all these years-- the sitch with @amazonv was fabulous serendipity.

MorrigansWitch asked @mayfairemoon How did you and @amazonv decide which version of the TARDIS to use?

mayfairemoon @MorrigansWitch @amazonv @n0b0d4 That was Nikki S's choice. Eleven's is such a pretty blue. But we did discuss that a lot!

amazonv @MorrigansWitch I wanted bright blue , and so opted for the most recent also the St John's logo evens out the design

amazonv @MorrigansWitch we dug up pictures of all of the TARDIS images online to compare and contrast during our sushi meeting

How does that compare to most other corset designs?

mayfairemoon @n0b0d4 It's $860, which includes lights & sound. It'll make the sound of the TARDIS engines when you open the little door.

mayfairemoon @n0b0d4 My regular custom corsets start at $449 for a 3-lacing corset, and $549 for a corset with 5 sets of laces.

How much time has the build out had so far?

mayfairemoon @n0b0d4 I think...hm. Three or four months so far? Figuring out the panels, lights and sound has been the hardest part!

mayfairemoon @amazonv @MorrigansWitch @n0b0d4 Also, I gathered all my visual references and sent them to @damnedgoodesign. Awesome.

How does that compare to most other corset builds?

mayfairemoon @n0b0d4 @amazonv If I really have an emergency, I can do a regular corset in a week. Usually, orders take about 8 - 10 weeks.

mayfairemoon @n0b0d4 @amazonv When I do this again-- which I am-- it won't be this long. It's been a learning process.

mayfairemoon @n0b0d4 @amazonv The first set of panels died a horrible, messy death. Now we use acetate, which is MUCH better and cleaner.

What materials were used in construction?

amazonv @n0b0d4 The outside is silk, the panels are acetate with felt backing, the ribbons are organza (2 colors)

amazonv @n0b0d4 @mayfairemoon needs to attach the EL wire to make it light up, the sound card and a yale key

mayfairemoon @n0b0d4 @amazonv I also use 1/2" wide spring steel boning, and heavy cotton twill or canvas to line it.

The corset is not yet complete, what is still pending?

mayfairemoon @n0b0d4 @amazonv I have to install the electroluminescent wire, the soundcard, and do the inside of the little phone box.

amazonv @n0b0d4 And the phone needs to be painted, and the inside needs to be painted

mayfairemoon @n0b0d4 @amazonv There's also going to be a quote handwritten on the lining. One from "The Doctor's Wife."

Were there any materials you considered using that you eliminated? if so what were they?

mayfairemoon @n0b0d4 @amazonv The first set of panels was two layers of plastic w/printed paper in between. That...wow, did THAT not work.

How comfortable is it to wear as compared to other corsets you've worn?

amazonv @n0b0d4 very comfy (custom FTW!) once you wiggle and tighten it into place you get great posture & you are good for hours!

amazonv @n0b0d4 I own multiple off the shelf corsets and this is by far the best, I am reluctant to get a non-custom one in the future

mayfairemoon @n0b0d4 I've been wearing mine up to 10 hours a day for years. I think-- & people tell me-- they're most comfy they've had.

Is this going to be a unique creation or will it be made again for select individuals?

mayfairemoon @n0b0d4 I'm taking orders, and judging from interest there'll be a waiting list. But I'll never mass-produce them. Just a few!

amazonv @n0b0d4 each @mayfairemoon piece is custom - so yes you can have a TARDIS, a different model if you want too

amazonv @n0b0d4 I think my next @mayfairemoon may be boba fett ...

mayfairemoon @n0b0d4 @amazonv And yes, I can do any Doctor's specific TARDIS. When I do my own, it'll be Nine/Ten's.

Since this is Dr Who based, I will shift to some Dr Who questions.

mayfairemoon @n0b0d4 @amazonv Squee! Go for it!

Who is your favorite Doctor?

amazonv @n0b0d4 TEN (david tennant)

mayfairemoon @n0b0d4 @amazonv That's a tough one. I started with 4 like most Americans, but first really fell for 5. But 10...oh, my.

mayfairemoon @n0b0d4 @amazonv I'm really torn bwtn 5 and 10. I love them both. Went to London to see Tennant in "Hamlet." That was amazing.

Who is your favorite companion?

mayfairemoon @n0b0d4 @amazonv I loved Nyssa/Tegan/Adric. SOBBED when he bit it. I also love Rose and Donna. And Amy's snark.

amazonv @n0b0d4 rose tyler

amazonv @n0b0d4 I have to say Sarah Jane Smith is my second love

mayfairemoon @amazonv @n0b0d4 See, I never could bond with Sarah Jane in Old Who. Loved her MUCH more in New Who.

n0b0d4 RT @amazonv: @n0b0d4 I have to say Sarah Jane Smith is my second love big fan as well

amazonv @n0b0d4 @mayfairemoon too bad K9 doesn't count as a companion, puppeh!

amazonv @n0b0d4 They tie him to humanity, they are our bridge to connect with him (IMO)

Who/What is your favorite villain?

mayfairemoon @n0b0d4 @amazonv Didn't have a fave villain til Daleks out-bitched the Cybermen in Series Two. "You are better at dying!" SNAP!

amazonv @n0b0d4 The weeping angels scare the pants off me

What is your favorite episode or story arc (if old)?

mayfairemoon @n0b0d4 I loved "School Reunion," "Unicorn & Wasp," "Vincent & The Doctor," but my favourite is probably "Shakespeare Code."

amazonv @n0b0d4 currently, "the doctor's wife" because I loved meeting Idris/Sexy otherwise "Bad Wolf" "The Parting of the Ways"

amazonv @mayfairemoon only because you are a Shakespeare fiend! @n0b0d4

mayfairemoon @n0b0d4 @amazonv Oh, yeah. "The Doctor's Wife" has been on all week. Surprise, surprise. Watch it over and over-- LOVE it.

amazonv @n0b0d4 My Laptop I am using now is "Bad Wolf"

mayfairemoon @amazonv @n0b0d4 Yeah, guilty as charged on that one. Shakespeare corsets are coming, actually.

What are your thoughts on Captain Jack?

amazonv @n0b0d4 I was shocked by how he plays into the future and had to rewatch various episodes to make sure there was continuity.

amazonv @n0b0d4 Also he's the biggest slut (in a good way)

n0b0d4 @amazonv and rewatching was a hardship I am certain

mayfairemoon My thoughts? Simple: YES. RT: @amazonv @mayfairemoon what are your thought on Captain Jack?

mayfairemoon @n0b0d4 @amazonv Also? I reeeeally want to go shopping with John Barrowman.

amazonv @n0b0d4 oh yes so much a hardship to see Captain Jack over and over

What have you thought of your sudden Internet fame?

amazonv @n0b0d4 Nikki deserves it! she has made a screen accurate snape costume, steampunk corsets, & many other amazing geeky things

amazonv @n0b0d4 it's a little weird to see yourself on boing boing & see people commenting about the fact that you are free to public

mayfairemoon @n0b0d4 I've used the word "surreal" more times this week than in my entire life previously.

mayfairemoon @n0b0d4 Best part is all my friends commenting everywhere about how much they love my corsets. That's so wonderful.

amazonv @n0b0d4 exciting to watch my website analytics http://t.co/dv5UyuL & FB Likes double http://t.co/nEKY20O

What has been the coolest/most interesting aspect of the attention thus far (aside from this interview)?

mayfairemoon @n0b0d4 I thought I'd gotten popular with the Snape outfit I made for Nigel of @Platform01 . Oh, how little did I know....

amazonv @n0b0d4 being on boing boing, seeing people want my corset - assures me i am not the only geek out there who wants one.

amazonv @n0b0d4 Also, having my friends call or message me to say "is this your corset" or "i saw you on site XYZ" is kinda fun

mayfairemoon @n0b0d4 Getting queries from all over the world. Seeing the photos on sites where I'm used to going for Dr Who info.

mayfairemoon @n0b0d4 And all the lovely things people have been saying.

amazonv @n0b0d4 Also needing to do a last minute photo shoot so people could see me in TARDIS after nerdist and it's not done yet!

That is all of the questions that I had prepared, thank you so much for taking the time to talk about

amazonv @n0b0d4 You are welcome :)

amazonv Anyone else have questions for @mayfairemoon about ?

mayfairemoon @n0b0d4 @amazonv Oh, thank you! It's been delightful! I can't tell you how much fun everything has been. Seriously.

n0b0d4 @amazonv @mayfairemoon i will compile all of the questions and write something up for you

mayfairemoon @n0b0d4 @amazonv You are made of awesome. With a side of bananas.

n0b0d4 @mayfairemoon @amazonv I am very happy that we were able to do this.

mayfairemoon @n0b0d4 @amazonv So am I! Thanks again!

amazonv @n0b0d4 Me too, g'night all!

mayfairemoon If you want your own TARDIS corset, check out http://www.MayFaireMoon.com , & drop me a line at info@mayfairemoon.com

I really enjoyed interviewing these two wonderful ladies and getting to know more about the TARDIS corset. I want to thank both of them and everyone who followed along while we were talking. I also want to thank MorrigansWitch for adding a really great question in the middle of the interview and VioletBlue for reviewing my questions and offering suggestions before the interview itself.

To find out more about Mayfairemoon, please visit http://www.mayfairemoon.com or http://www.facebook.com/mayfairemoon


You can follow these lovely ladies on twitter. Amazonv - http://twitter.com/amazonv Mayfairemoon - http://twitter.com/mayfairemoon
I can be found as n0b0d4 at http://twitter.com/n0b0d4

Tuesday, August 16, 2011

Palo Alto Firewall Management address

I have been working with Palo Alto Networks firewalls exclusively over the last 6 months or so and wanted to start a series of postings on how to make changes at the command line.
The first step in configuring a PAN is to configure the management address.
The firewall ships with 192.168.1.1/24 configured on the management interface; you can connect to it from your PC if you are on that subnet and the address is not already in use, or by changing your system IP.
The other way is to connect using the console connection with the provided serial-to-RJ45 cable (hopefully you have a USB-to-serial adapter), at the standard 9600/8/none/1 settings.
log in to the system
type configure
hit enter
type set deviceconfig system ip-address 172.1.1.254 netmask 255.255.255.0 default-gateway 172.1.1.1
*replace the addresses above with the IPs you want to assign*
hit enter
type commit
hit enter
That will commit the configuration to the device; it takes a moment or two to complete.
This same command can be issued via SSH to change the management IP at a later time, though it will cause your SSH session to disconnect.
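Because a bad combination commits cleanly and then drops your SSH session for good, it is worth checking the three values before typing the command. The following is an added example, not from the original post: it validates the address, netmask and default gateway (well-formed, contiguous mask, gateway inside the subnet, neither address the network or broadcast address) and prints the set deviceconfig command only when they are consistent. It assumes IPv4 dotted quads and POSIX sh arithmetic.

```shell
#!/bin/sh
# Added example (not from the original post): validate ip-address, netmask and
# default-gateway before issuing `set deviceconfig system ...`, and print the
# command only if they are consistent. A gateway outside the management
# subnet, or a network/broadcast address, leaves the box unreachable over SSH.
# Assumptions: IPv4 dotted quads and POSIX sh arithmetic.

# Convert a dotted quad to an integer; return 1 if it is not a valid address.
ip2int() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;;   # junk or leading zeros
  esac
  n=0; count=0
  for o in $(printf '%s' "$1" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
    n=$(( (n << 8) + o ))
    count=$((count + 1))
  done
  [ "$count" -eq 4 ] || return 1
  echo "$n"
}

# $1 = ip-address, $2 = netmask, $3 = default-gateway.
# Prints the PAN-OS command on success; prints the reason and returns 1 otherwise.
check_mgmt_config() {
  i=$(ip2int "$1") || { echo "bad ip-address: $1" >&2; return 1; }
  m=$(ip2int "$2") || { echo "bad netmask: $2" >&2; return 1; }
  g=$(ip2int "$3") || { echo "bad default-gateway: $3" >&2; return 1; }
  hostbits=$(( ~m & 4294967295 ))
  # A real mask is contiguous ones then zeros: host bits plus one is a power of two.
  if [ "$m" -eq 0 ] || [ "$m" -eq 4294967295 ] || [ $(( hostbits & (hostbits + 1) )) -ne 0 ]; then
    echo "netmask $2 is not a usable contiguous mask" >&2; return 1
  fi
  net=$(( i & m )); bcast=$(( net | hostbits ))
  if [ $(( g & m )) -ne "$net" ]; then
    echo "default-gateway $3 is not inside $1/$2" >&2; return 1
  fi
  for a in "$i" "$g"; do
    if [ "$a" -eq "$net" ] || [ "$a" -eq "$bcast" ]; then
      echo "network or broadcast address used as a host address" >&2; return 1
    fi
  done
  if [ "$i" -eq "$g" ]; then
    echo "ip-address and default-gateway are the same" >&2; return 1
  fi
  printf 'set deviceconfig system ip-address %s netmask %s default-gateway %s\n' "$1" "$2" "$3"
}

# Usage with the values from the post:
# check_mgmt_config 172.1.1.254 255.255.255.0 172.1.1.1
```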
Hope that helps someone.
Be safe out there
James

Thursday, May 12, 2011

Setting up WiKID Community Edition on Ubuntu 10.04

I worked this up over the last couple of days.

#update system
sudo apt-get update
sudo apt-get upgrade

#update repositories to get sun-java6-jdk installed
sudo cp /etc/apt/sources.list /etc/apt/sources.list.backup
sudo nano /etc/apt/sources.list
#remove the "#" from the line "deb http://archive.canonical.com/ lucid partner" and save the file
sudo apt-get update
#install the java jdk, you will need to accept the license
sudo apt-get install sun-java6-jdk
# this installs the following packages
# avahi-daemon consolekit dbus defoma gsfonts gsfonts-x11 java-common libasound2 libavahi-common-data libavahi-common3 libavahi-core6 libck-connector0 libdaemon0 libeggdbus-1-0 libfontenc1 libltdl7 libnss-mdns libpam-ck-connector libpolkit-gobject-1-0 libxfont1 libxi6 libxtst6 odbcinst odbcinst1debian1 sun-java6-bin sun-java6-jdk sun-java6-jre unixodbc x11-common xfonts-encodings xfonts-utils

#create a symbolic link /opt/java pointing at /usr/lib/jvm/java-6-sun
sudo ln -s /usr/lib/jvm/java-6-sun /opt/java


#install the WiKID Community Edition prerequisites
sudo apt-get install postgresql libpg-java libpg-perl libwww-perl ntp alien wget iptables
#The following NEW packages will be installed:
# alien binutils build-essential cvs debhelper dpkg-dev fakeroot g++ g++-4.4 gcc gcc-4.4 gettext html2text intltool-debian libc-dev-bin libc6-dev libcroco3 libfile-copy-recursive-perl libgomp1 liblua5.1-0 liblzma1 libmail-sendmail-perl libnspr4-0d libnss3-1d libpg-java libpg-perl libpq5 librpm0 librpmbuild0 librpmio0 libstdc++6-4.4-dev libsys-hostname-long-perl linux-libc-dev manpages-dev ntp po-debconf postgresql postgresql-8.4 postgresql-client-8.4 postgresql-client-common postgresql-common rpm rpm-common rpm2cpio ssl-cert update-inetd xz-utils



#connect to the database to set the password
sudo -u postgres psql postgres
#set the password for the postgres role (this is run at the psql prompt)
\password postgres


#download the deb file; the URL contains "&", so it must be quoted, and -O gives the file a clean name
wget -O wikid-server-community_3.4.87-b824-1.deb "http://downloads.sourceforge.net/project/wikid-twofactor/WiKID_Server/3.4/wikid-server-community_3.4.87-b824-1.deb?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fwikid-twofactor%2Ffiles%2FWiKID_Server%2F3.4%2F&ts=1305142670&use_mirror=cdnetworks-us-2"
#if you downloaded it without -O, rename the file to drop the query string
mv "wikid-server-community_3.4.87-b824-1.deb?r=http:%2F%2Fsourceforge.net%2Fprojects%2Fwikid-twofactor%2Ffiles%2FWiKID_Server%2F3.4%2F" wikid-server-community_3.4.87-b824-1.deb
#run dpkg once to prep the install
sudo dpkg -i wikid-server-community_3.4.87-b824-1.deb
#this will fail the first time
#run a dependency update
sudo apt-get -f install
#The following NEW packages will be installed:
# ca-certificates-java fontconfig fontconfig-config hicolor-icon-theme icedtea-6-jre-cacao libaccess-bridge-java libaccess-bridge-java-jni libatk1.0-0 libatk1.0-data libavahi-client3 libcairo2 libcups2 libdatrie1 libdirectfb-1.2-0 libflac8 libfontconfig1 libgif4 libgtk2.0-0 libgtk2.0-bin libgtk2.0-common libice-dev libice6 libjasper1 libjpeg62 liblcms1 libogg0 libpango1.0-0 libpango1.0-common libpixman-1-0 libpthread-stubs0 libpthread-stubs0-dev libpulse0 libsm-dev libsm6 libsndfile1 libsysfs2 libthai-data libthai0 libtiff4 libts-0.0-0 libvorbis0a libvorbisenc2 libx11-dev libxau-dev libxcb-render-util0 libxcb-render0 libxcb1-dev libxcomposite1 libxcursor1 libxdamage1 libxdmcp-dev libxfixes3 libxft2 libxinerama1 libxrandr2 libxrender1 libxt-dev libxt6 openjdk-6-jdk openjdk-6-jre openjdk-6-jre-headless openjdk-6-jre-lib shared-mime-info tsconf ttf-dejavu-core ttf-dejavu-extra tzdata-java x-ttcidfont-conf x11proto-core-dev x11proto-input-dev x11proto-kb-dev xtrans-dev
#run dpkg again to install the package
sudo dpkg -i wikid-server-community_3.4.87-b824-1.deb
# run the configuration
sudo /opt/WiKID/sbin/wikidserver_config.sh
# firstboot config
sudo /opt/WiKID/conf/templates/wikid-firstboot.sh
#run the configuration wizard
sudo /opt/WiKID/bin/wikidctl setup
#start the services
sudo /opt/WiKID/bin/wikidctl start

#Connect to the WiKID Admin interface
http://servername.domain.com/WiKIDAdmin

username: WiKIDAdmin
password: 2Factor
#this is the shipped default, change it after the first login

#Follow the instructions for set up for WiKID Community Edition
http://sourceforge.net/projects/wikid-twofactor/files/Documentation/WiKID-Docs/

WiKID posted a similar version on their web site - http://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/How_to_install_the_WiKID_debs_on_Ubuntu - which cuts out a few of the steps that I have above.

Be safe out there.
James