Palo Alto Networks Decryption – Azure CLI won’t connect ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier’

It looks like the more recent releases of Azure CLI are running off Python versions that enforce ‘Authority Key Identifier’ checks of the security certificates when connecting to Azure CLI (az login). You might see an error message similar to the one below if you bump into this issue: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]… Read more



CITC 2026 Protecting High Risk Accounts with Strong (Phishing Resistant) Authentication

CITC is back for 2026 and this year I’m talking about how trivial it is to compromise identities and how to prevent it with phishing-resistant authentication. Please see the video presentation below. Reference article links: The Register – Lock down Microsoft Intune, feds warn after Stryker attack – https://www.theregister.com/2026/03/19/microsoft_intune_lockdown_stryker/ The Register – 1K+ cloud environments infected following Trivy supply… Read more



Panorama PAN-OS 12.1 upgrade fails, ‘no enough disk space to hold image’

In getting ready to move Panorama to PAN-OS 12.1 from 11.1 (to manage some new PA-5x0 series firewalls), if you haven’t already performed the ‘224GB’ disk size increase you are likely to bump into this error message: Successfully downloaded Software version: 12.1.2 Preloading into software manager Failed to create required free space. Free space: 3191 MB, Required space: 3717 MB… Read more



Palo Alto Networks NGFW does not respond to ping from HPE Procurve/Aruba switches

Another unexpected Zone Protection Profile doing its thing – in this case sending a ping from an end-user device (such as a Windows/macOS computer) to an IP interface (gateway) on a Palo Alto Networks Next Generation Firewall was coming back with a response, but requests from HPE ProCurve (Aruba) switches (2920/2530) appeared to disappear into oblivion with no response. A little… Read more



CITC 2025 Logging for disaster

By kind invite of the organising committee I had the pleasure of presenting at the CITC 2025 conference at the RAF Museum Hendon. Shaking things up even more from last year I not only presented from a GitHub repo but also managed to convince screen recording on my iPad mini to work to capture the slides. I’ve had to exclude… Read more



Graylog JSON extractor ‘skipping’ keys and values

In having a play with a general purpose way to get CSVs and other log data into Graylog with PowerShell I’ve been converting the file’s contents into JSON to then import over RAW HTTP – hardly the most speedy way but as a proof of concept it works. However, after configuring a JSON extractor (System > Inputs > (your input)… Read more



Users on Palo Alto GlobalProtect cannot connect to Citrix VDA

In investigating issues with users on GlobalProtect VPN not being able to connect to Citrix VDA servers I bumped into this forum post. In investigating I first disabled the Packet Based Attack Protection > IP Drop > Fragmented traffic at Network > Network Profiles > Zone Protection > Profiles for GlobalProtect and the zone hosting the Citrix application. While this… Read more





Microsoft Remote Desktop connection – ‘An internal error has occurred’ and ‘The server security layer detected an error (0x80090304)’ event ID 139.

An interesting issue that was discovered after deploying security certificates for Remote Desktop Authentication into the TPM of desktop computers and some (physical) servers: after go-live with the security certificate, clients could no longer connect, with the error below being displayed in the Remote Desktop Services log on the server. The server security layer detected an error (0x80090304) in… Read more



FreeIPA to Palo Alto Networks Next Generation Firewall User-ID

Logs from the FreeIPA server can be used with the Syslog receiver function of a PAN NGFW to send username to IP address mappings into User-ID and in turn be used to create policies based on the user’s identity. To extract the data from the logs you will need the parser shown below. View the code on Gist. I could… Read more