James Preston

An issue that I’ve now run into a few times now so I thought it was worth a blog post – if you are using the REST Custom sensor within PRTG Network Monitor you may see the error below if you have generated your REST configuration using PowerShell.
XML: The returned XML does not match the expected schema. (code: PE233) — JSON: The returned JSON does not match the expected structure (Invalid JSON.). (code: PE231)
The cause is the default encoding from PowerShell is UCS-2 LE BOM as shown in Notepad++ below.
The fix is simple in that when generating your REST configuration append -Encoding utf8 at the end of the Out-File command. I’ve also seen this apply to a few other situations when using PowerShell to output some form of text – in particular feeds for Palo Alto Networks Next Generation Firewalls.

ResultIt’s a bit of an odd situation but sometimes you might want to take information from a cloud service in this case Cortex XDR from Palo Alto Networks and drag it into an on premise logging service. This guide will have a look at how to get this log data in as well as parse it such that you can break out the individual fields in the log entry.

In looking at the documentation it appears that the logs are in the Comment Event Format (CEF) but are then wrapped up in syslog for transmission. Although Graylog can absorb CEF directly this additional layer of syslog means we have to take in the syslog and then send the event messages through a processing pipeline in Graylog to extract the CEF data.

So onto the guide – which assume you are familiar with the operation of the Cortex XDR management console and Graylog (shown version is 3.3), for simplicity the code snippet you’ll need is also shown below from GitHub.

Code snippet from the screenshot sequence:

A handy trick I learnt recently from this video (ICX Serial Console Server with Raspberry Pi by Terry Henry) which I’ve condensed into this screenshot guide. In short the ‘screen’ command in Linux can be used to turn any device into a serial console server – very handy if you need ‘out of band’ access to the management console of devices. This can be very handy for Firewalls/Routers/Network Switches where a misconfiguration (and forgetting to set a rollback) can lead to the administrators network connection to the device being cut off.

This guide assumes you have some experience of using the Raspberry Pi (although this will work on many other types of hardware) and Linux.

If you are looking to build out Zone Protection Profiles on your Palo Alto Networks Next Generation Firewall then it can be handy to know just what your connections per second metrics look over time for each zone. Quite lucky Palo Alto Networks have a little (although not entirely descript) guide on where you can get this data – https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-to-measure-cps.html.

With that information in hand it was just a matter of time before working out how to collect this data through PRTG so do follow on with the screenshot guide to find out how!

Handy strings:
1.3.6.1.4.1.25461.2.1.2.3.10
[rowidentifier] Connections Per Second
TCP
UDP
Other IP

Some more information on Zone Protection/Flood Protection: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-zone-protection/flood-protection.html

Not meant as a complete in depth guide but certainly enough to point you in the right direction here’s my list of the most commonly seen (from my point of view) HPE Aruba (e.g. the 2540, 2930F, 5400R series) fibre optics and their respective part numbers:

The format is effectively <Speed> <Fibre Type> <Maximum Range> – <Part Code>

1Gbit Multi Mode 500m – J4858D

1Gbit Single Mode 10km – J4859D

10Gbit Multi Mode 300m – J9150D

10Gbit Single Mode 10km – J9151E

Data from: https://support.hpe.com/hpesc/public/docDisplay?docId=a00028947en_us

In configuring the Microsoft Intune Certificate Connector and attempting to issue certificates to your client via Intune you might run into the error message below.

IssuePfx – COMException: System.Runtime.InteropServices.COMException (0x80094800): The requested certificate template is not supported by this CA. (Exception from HRESULT: 0x80094800)at CERTENROLLLib.IX509CertificateRequestPkcs10V2.InitializeFromTemplateName (X509CertificateEnrollmentContext Context, String strTemplateName)
at Microsoft.Management.Services.NdesConnector.MicrosoftCA.GetCertificate (PfxRequestDataStorage pfxRequestData, String& certificate, String& password)

Failed to issue Pfx certificate for Device ID 24c2445e-6cd2-4629-a942-081bdaca9b12 :

In short when configuring the certificate name to be used you’ve probably entered the ‘Template display name’ instead of the ‘Template name’ – note the difference in the screenshot where the template name doesn’t include any spaces.

Given the complexity of this feature I’ve found the guide at this link really handy in setting it up in the past:

https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-configuring-and-troubleshooting-pfx-pkcs/ba-p/516450

The default graph options in PRTG (Setup > System Administration > User Interface) for extended periods of time (e.g. over 10 days) will display the average over a set period (e.g. 1 hour) – while this may be ideal for some data on occasion you may want to display the maximum or minimum value for the data over that period.

The example below shows just how much this can change the graphical representation of the data with the ‘max’ value when averaged as 48% while this climbs all the way to 53% when the graph purely displays the maximum values.

It's the same data but the top graph shows a 1 hour average whereas the bottom graph shows the 1 hour maximum.

It’s the same data but the top graph shows a 1 hour average whereas the bottom graph shows the 1 hour maximum.

To change this display of data hop into the channel settings for the sensor and follow the screenshot guide below:

In looking to keep occupied with the current pandemic going on I’ve taken my Microelectronics projects to a new level and have over the past few weeks kicked out a series of soil moisture sensors which are powered by battery (18650) with a small solar panel keeping them topped up.

As the battery charges/discharges the voltage changes and moves outside of the acceptable ranges for the little ESP32 MCU, here a load drop out voltage regulator like the Microchip MCP1700 comes into play by ensuring that the controller is fed the right voltage all the time. In researching this project I’ve come across a fair few articles which mention the regulator is only ‘stable’ or ‘the supply is smoothed out’ with a set of capacitors in line. Just to test that out I hooked my multimeter up to the MCP1700 without the capacitors and lone behold the wrong voltage is being kicked out. Put the capacitors in line and everything works as expected.

Without capacitors

Image 1 of 2

Without the capacitors in line the voltage hangs around 2.6-2.8V

The article I followed when putting my final projects together is at these links:

There does appear to be a discrepancy (1uF vs 100nF) between the capacity of the capacitors in the datasheet and the article (and indeed I’m having occasional issues with controllers resetting due to what appears to be a power problem) but for now things are working well enough.

So after realising that my desktop PC has been running in BIOS mode (how 1970s and probably the result of multiple clones from HDD to 10k HDD, to 10k HDD in RAID0 to SSD and to another SSD) and with a free weekend I thought it was time to have a look at the MBR2GPT tool.

However in running the validate phase I was getting the error message:

Disk layout validation failed for disk 0

After following through a few red herrings on the internet I had a bit more of a dig into what the tool was up to and it appears that one of the first steps is to shrink the OS partition.

It appears that the fix is actually to preempt this and shrink the OS partition yourself (I reduced it by about 1GB – which made sense as one of the new partitions goes right in at the end of the disk), given these kinds of steps should only be performed by a person who knows what they are doing and understands the implications I won’t go into any detail as to how to do this other than providing the screenshot below.


Today we have the answer to the question – Without SSL decryption how many threats/attempted vulnerability exploits/other bad stuff will I miss that are coming from the internet at my internally hosted (externally published) web sites and services?
To run some simple tests (which will be detected as malicious attacks) I’m going to be running the Nessus scanner against a website behind a Palo Alto Networks Next Generation Firewall, while we won’t get the same results that might be seen from a ‘determined attacker’ we will get an idea of how things look from the standpoint of a ‘casual attacker’.

In short the answer is you’ll miss a lot – without decryption of traffic coming at your own web servers it’s pretty much impossible to detect attacks (with some minor exceptions) that are hiding inside HTTPS, either way let’s see how it’s done…

Kit list for this testing:

  • An ‘internal’ web service, in this case the web console for PRTG Network Monitor (running on Windows Server)
  • A Palo Alto Networks Next Generation Firewall – a PA-850 running PAN-OS 8.1 with a full suite of licences
  • The Nessus vulnerability scanner

Both the firewall and the web service have been configured to run TLS1.2 with the private key for the certificate on both (which allows the firewall to decrypt the traffic without breaking connections) and the latest firmware/security updates have been applied across the board. Continue reading