It’s been a while since posting and I do hope to sort that out but for now another quick mention of some work with Ruckus Cloudpath.
Although massively flexible in its design I’ve come into a few niche cases where administrators would like a single DPSK pool (which is bound to a single SSID) but where different users have different expiry dates on those DPSKs. Thus far I’m planning on interacting with the API via Node-RED to update these entries in the API as the provisioning process takes place – something for another blog post.
However for those who are just getting to grips with the API (using PowerShell in my case) I hope the short example in this GitHub repo can be of use: https://github.com/jamesfed/RuckusCloudpathAPI.
Ruckus Cloudpath is quickly turning into one of my favourite add-ons for a wireless network in a residential/University setting. It’s doing this by letting users bring all manner of ‘smart’ devices into an ‘enterprise grade’ network and connect them securely with a personal WPA2 pre shared key.
Even better Cloudpath has loads of options for customizing the onboarding portal – the little tutorial below shows how to change the colour of the font in the footer of the page with a custom CSS file.
You may find that when doing decryption on a Palo Alto Networks Next Generation Firewall that images in Slack channels are not displayed or are only shown in a very low resolution – in addition images cannot be uploaded. When inspecting the HTTP error messages in your browser a 503 response may also be seen.
To top off the issue you may also see that User-ID isn’t mapping traffic from the Slack desktop application against the traffic which negates any User-ID based decryption exception you might have.
While helpful the Slack connection test tool at https://my.slack.com/help/test also doesn’t appear to throw any errors.
To fix this issue you need a decryption exception custom URL rule for the files.slack.com domain (which fixes viewing images) along with the base domain for your Slack tenancy (fixes uploads). This domain can be found by clicking the drop down in the top left corner of the Slack client.
If you have multiple Slack tenancies then you will need an exception for each one.
As always when making exceptions for your decryption policy please consider how it might degrade your ability to detect malicious usage of the network – in this case the sharing of files with unknown payloads.
For more information about Slack network usage visit: https://slack.com/intl/en-gb/help/articles/360001603387-Manage-Slack-connection-issues.
XML: The returned XML does not match the expected schema. (code: PE233) — JSON: The returned JSON does not match the expected structure (Invalid JSON.). (code: PE231)The cause is the default encoding from PowerShell is UCS-2 LE BOM as shown in Notepad++ below. The fix is simple in that when generating your REST configuration append -Encoding utf8 at the end of the Out-File command. I’ve also seen this apply to a few other situations when using PowerShell to output some form of text – in particular feeds for Palo Alto Networks Next Generation Firewalls.
It’s a bit of an odd situation but sometimes you might want to take information from a cloud service in this case Cortex XDR from Palo Alto Networks and drag it into an on premise logging service. This guide will have a look at how to get this log data in as well as parse it such that you can break out the individual fields in the log entry.
In looking at the documentation it appears that the logs are in the Comment Event Format (CEF) but are then wrapped up in syslog for transmission. Although Graylog can absorb CEF directly this additional layer of syslog means we have to take in the syslog and then send the event messages through a processing pipeline in Graylog to extract the CEF data.
So onto the guide – which assume you are familiar with the operation of the Cortex XDR management console and Graylog (shown version is 3.3), for simplicity the code snippet you’ll need is also shown below from GitHub.
A handy trick I learnt recently from this video (ICX Serial Console Server with Raspberry Pi by Terry Henry) which I’ve condensed into this screenshot guide. In short the ‘screen’ command in Linux can be used to turn any device into a serial console server – very handy if you need ‘out of band’ access to the management console of devices. This can be very handy for Firewalls/Routers/Network Switches where a misconfiguration (and forgetting to set a rollback) can lead to the administrators network connection to the device being cut off.
This guide assumes you have some experience of using the Raspberry Pi (although this will work on many other types of hardware) and Linux.
If you are looking to build out Zone Protection Profiles on your Palo Alto Networks Next Generation Firewall then it can be handy to know just what your connections per second metrics look over time for each zone. Quite lucky Palo Alto Networks have a little (although not entirely descript) guide on where you can get this data – https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-to-measure-cps.html.
With that information in hand it was just a matter of time before working out how to collect this data through PRTG so do follow on with the screenshot guide to find out how!
[rowidentifier] Connections Per Second
Not meant as a complete in depth guide but certainly enough to point you in the right direction here’s my list of the most commonly seen (from my point of view) HPE Aruba (e.g. the 2540, 2930F, 5400R series) fibre optics and their respective part numbers:
The format is effectively <Speed> <Fibre Type> <Maximum Range> – <Part Code>
1Gbit Multi Mode 500m – J4858D
1Gbit Single Mode 10km – J4859D
10Gbit Multi Mode 300m – J9150D
10Gbit Single Mode 10km – J9151E
In configuring the Microsoft Intune Certificate Connector and attempting to issue certificates to your client via Intune you might run into the error message below.
IssuePfx – COMException: System.Runtime.InteropServices.COMException (0x80094800): The requested certificate template is not supported by this CA. (Exception from HRESULT: 0x80094800)at CERTENROLLLib.IX509CertificateRequestPkcs10V2.InitializeFromTemplateName (X509CertificateEnrollmentContext Context, String strTemplateName)
at Microsoft.Management.Services.NdesConnector.MicrosoftCA.GetCertificate (PfxRequestDataStorage pfxRequestData, String& certificate, String& password)
Failed to issue Pfx certificate for Device ID 24c2445e-6cd2-4629-a942-081bdaca9b12 :
In short when configuring the certificate name to be used you’ve probably entered the ‘Template display name’ instead of the ‘Template name’ – note the difference in the screenshot where the template name doesn’t include any spaces.
Given the complexity of this feature I’ve found the guide at this link really handy in setting it up in the past:
The default graph options in PRTG (Setup > System Administration > User Interface) for extended periods of time (e.g. over 10 days) will display the average over a set period (e.g. 1 hour) – while this may be ideal for some data on occasion you may want to display the maximum or minimum value for the data over that period.
The example below shows just how much this can change the graphical representation of the data with the ‘max’ value when averaged as 48% while this climbs all the way to 53% when the graph purely displays the maximum values.
To change this display of data hop into the channel settings for the sensor and follow the screenshot guide below: