Patch vCenter Appliance

Download and Installation:
You can download this patch by going to the VMware Patch Download Center and choosing VC from the Search by Product drop down.

Attach VMware-vCenter-Server-Appliance-6.0.0.30400-7464101-patch-FP.iso file to vCenter Server Appliance.
Go to command prompt and run the commands given below:
To stage the ISO (the options take a double dash):
software-packages stage --iso
To see the staged content:
software-packages list --staged
To install the staged rpms:
software-packages install --staged

Useful Tools

1. Subnet Calculator
2.0 IP Void Lookup Tools
2.1 Numerous Tools (whois, ping, tracert, nslookup, port check etc)
2.2 AdminKit
3. Time Calculator
4. Cisco Coverage Checker
4.1 Cisco Vulnerability IOS and IOS XE checker
5. UDP Port Scan
6. Check Blacklisted IPs
7. Check MAC Address Vendor
8. Speed Test Site
9.0 Palo Alto URL Category verification tool
10. Bright Cloud (Cisco URL Category Verification tool)
11.0 Online Curl Test (Banner grab)
12.0 Virus Total (Analyze suspicious files and URLs for Malware)
12.1 Malware/Virus Hash checker
13.0 HashCalc (Hash Calculator)
14.0 BinText (Find plain ASCII text, Unicode (double byte ANSI) text and Resource strings from any file)
15.0 Regshot (Track and take snapshot of windows registry)
16.0 PE View (Displays header, import table, export table, and resource information within EXE and DLL)
17.0 Download Time Calculator
18.0 pentest-tools.com
19.0 Diagramming Online Tool

Juniper SRX Commands (VPN TSHOOT) (Important)

To see Phase1 and Phase2 of VPNs:
user@host> show security ike security-associations
user@host> show security ike active-peer

user@host> show security ipsec security-associations

To see the reason of tunnel inactivity:
user@host> show security ipsec inactive-tunnels
Configure syslog to display VPN status messages:
# set system syslog file kmd-logs daemon info
# set system syslog file kmd-logs match KMD
# commit
To see these VPN Logs:
> show log kmd-logs

> show security ike security-associations
> show security ike security-associations index 3654851 detail
> show security ipsec security-associations
> show security ipsec security-associations index 131081 detail
> show configuration | display set | match VPN_to_PEER_FIREWALL
> show security ipsec security-associations index 131081
> show security ipsec statistics index 131081
> show security ipsec security-associations index 131081 detail

Upgrade Palo Firewalls (CLI)

Steps:
0. Confirm firewalls are in sync and turn preemption off on both
1. Failover to Secondary
2. Install 8.1.6 on Primary
3. Reboot Primary
4. Login and check if 8.1.6 is installed on Primary and then failback to Primary
5. Check traffic going through Primary
6. Install and reboot 8.1.6 for Secondary
7. Login and check if 8.1.6 is installed on Secondary
8. Turn preemption on both

Useful commands:
request system software info
request system software check
request system software download version 8.1.6
request restart system
delete software version 8.1.6

show high-availability state

request system software install version 8.1.6
request high-availability state suspend
request high-availability state functional
request high-availability sync-to-remote
show jobs all

Palo Alto Commands (Important)

Show version command on Palo:
>show system info

Set management IP address:
>configure
#set deviceconfig system ip-address 192.168.3.100 netmask 255.255.255.0
(# set deviceconfig system ip-address <ip address> netmask <netmask> default-gateway <default gateway> dns-setting servers primary <DNS ip address>)
#commit

To see interfaces status:
>show interface all

Ping from a dataplane interface to a destination IP address:
> ping source <ip-address-on-dataplane> host <destination-ip-address>

Trigger a Gratuitous ARP (GARP) from a Palo Alto Networks Device:
> show interface ethernet1/3
> test arp gratuitous ip 10.66.24.139 interface ethernet1/3

Display the routing table:
> show routing route

Restart or Shutdown Palos:
request shutdown system
request restart system

Restart management server on Palo:
debug software restart process management-server

System logs to see for Errors:
less mp-log ms.log

HA pair sync error logs:
less mp-log ha_agent.log

Push the config/sync to the HA peer:
request high-availability sync-to-remote running-config

HA:
Force configuration and session synchronisation to peer device:
>request high-availability sync-to-remote
Fail to peer and suspend current device:
>request high-availability state suspend
Re-enable HA on suspended system:
>request high-availability state functional
Shows the high-availability information on current device:
>show high-availability all
Shows the control link statistics:
>show high-availability control-link
Shows the high-availability state information:
>show high-availability state
Shows the synchronisation state to the peer device:
>show high-availability state-synchronization

To see the sessions (sip sessions):
show session all
show session all | match sip
To clear all the sessions:
clear session all
clear session all filter application skype
clear session all filter source 192.168.51.71
clear session all filter destination 8.8.8.8

To test authentication for a user:
>test authentication authentication-profile AD username iee\tungera password

Palo Monitoring Authentication logs:
>debug authentication on debug
>tail follow yes mp-log authd.log
>debug authentication off

User-group mapping for a specific user:
show user ip-user-mapping ip 192.168.64.18

Force refresh group mappings:
>debug user-id refresh group-mapping all
To see the groups that the firewall knows about:
>show user group name
The lists for every group can be read using the following CLI command:
> show user group list
To use the needed group in the previous step:
> show user group name cn=firewall-mf-rave-pcs,ou=_groups,dc=iee,dc=mfh
The group-mappings on the LDAP profile can be reset with the following CLI command:
> debug user-id reset group-mapping AD_Group_Mapping

Verify that the groups are being pulled:
> show user group-mapping state all
> show user group-mapping statistics

The following commands can be used to clear and see the user to IP mappings:
> clear user-cache-mp ip <IP-address> //user-cache-mp (Clear management plane user cache)
> clear user-cache ip <IP-address> //user-cache (Clear dataplane user cache)
> clear user-cache all
> show user ip-user-mapping ip <IP-address>
> show user ip-user-mapping all

Restart ldap user-id service Palo:
debug software restart process user-id

See the user-id agent version from the CLI on Palo:
show user user-id-agent config name MM-DC_MMISEXCHANGE_LOCAL

Check GlobalProtect currently connected users:
show global-protect-gateway current-user

Show IKE phase 1 SAs:
> show vpn ike-sa
Show IKE phase 2 SAs:
> show vpn ipsec-sa

Save an Entire Configuration for Import into Another Palo Alto Networks Device:
> configure
# save config to 2014-09-22_CurrentConfig.xml
# exit
> scp export configuration from 2014-09-22_CurrentConfig.xml to username@scpserver/PanConfigs

> scp import configuration username@scpserver/PanConfigs/2014-09-22_CurrentConfig.xml
> configure
# load config from 2014-09-22_CurrentConfig.xml
# commit
# exit

See NTP status:
>show ntp
To manually restart the NTP process, use the following CLI command:
>debug software restart process ntp
To view whether the NTP process has a new PID, execute:
>show system software status | match ntp
To verify current system date and time, use the following CLI command:
> show clock
To see the jobs being processed or all the jobs:
show jobs all
show jobs processed
Immediately after restarting, every Palo Alto Networks firewall performs an auto-commit. This takes place in the background and can last up to 30 minutes. The firewall can be accessed from the management interface during that time, but the data plane and the physical interfaces will be down until the auto-commit finishes.

Palo Upgrade Commands:

request high-availability state suspend
request system software info
request system software check
request system software download version 7.1.19
request system software install version 7.1.19
request restart system
request high-availability state functional
show jobs all

Example NAT Rules (Important)

(Note: NAT rules are evaluated during session setup, but the translation is not applied until after the security policy lookup; security policy therefore matches on pre-NAT addresses and post-NAT zones)

PAT (Inside to Outside): Many-to-One, Hide NAT, Source NAT:
NAT Rule:
Sourcezone: Inside | SourceIP: PrivateIP/InsideSubnet | DestinationZone: Outside | DestinationIP: Any | DestinationInterface: OutsideInterface |
SourceAddressTranslation:(TranslateType: DynamicIP&Port | AddressType: Interface | Interface: OutsideInterface | IP: PublicIP)
Security Policy: 
Sourcezone: Inside | SourceIP: PrivateIP/InsideSubnet | DestinationZone: Outside | DestinationIP: Any | Service: http

Many-to-Many NAT

A variation on the simple hide NAT policy, is to add more source addresses if more are available. If, for example, your ISP provided a public subnet of /29 or larger, you have additional IP addresses that can be used for all sorts of things. If your internal network is quite large, these additional addresses may be needed to prevent oversubscription of the NAT pool.

For this configuration the Address Type is changed from 'Interface' to 'Translated Address'. Then the available IP addresses are added either as an IP range or an IP subnet:

[screenshot: 2016-09-28_16-15-33.png]

The firewall will select an IP from the available pool based on a hash of the source IP address. This source address will remain the same for all sessions from that source IP. The source port will still be randomized.

If the source ports need to remain the same (some applications may require a specific source port) the Translation Type can be set to Dynamic IP, which will preserve the client’s source port per session. The translated address is assigned by ‘next available’ which means there are some caveats:

  • No more than 32,000 consecutive IP addresses are supported
  • The translated addresses pool needs to be of the same size or greater than your internal number of hosts, as each internal host is assigned its own translated address

If the above criteria are usually met but could sometimes be exceeded, a fallback can be configured so the rule falls back to Dynamic IP and Port. Both the Translated Address and the Interface Address options are available for the fallback; the default is None:

[screenshot: 2016-09-28_16-46-49.png]

Source NAT (DMZ server) (Perspective of the Server): (Bi-directional)
NAT Rule:
Sourcezone: DMZ | SourceIP: PrivateIP | DestinationZone: outside | DestinationIP: Any | DestinationInterface: OutsideInterface |
SourceAddressTranslation:(TranslateType: Static | TranslatedAddress: PublicIP (Bi-directional))
Security Policy:
(Remains the same i.e. PostNATZones and PreNATAddreses)
Sourcezone: Outside | SourceIP: Any | DestinationZone: DMZ | DestinationIP: PublicIP | Service: http

Destination NAT (DMZ Server) (Perspective of the Client): Destination NAT Example—One-to-One Mapping:(Uni-Directional: Allows PAT)
NAT Rule:
Sourcezone: Outside | SourceIP: Any | DestinationZone: Outside | DestinationIP: PublicIP | DestinationInterface: OutsideInterface |
DestinationAddressTranslation:(TranslatedAddress: PrivateIP)
Security Policy:
(Remains the same i.e. PostNATZones and PreNATAddreses)
Sourcezone: Outside | SourceIP: Any | DestinationZone: DMZ | DestinationIP: PublicIP | Service: http
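The three NAT patterns above (hide NAT, static bi-directional source NAT, and uni-directional destination NAT) expressed as PAN-OS set commands. This is an added illustration, not copied from the page or from Palo Alto documentation; the zone names Inside, DMZ and Outside are the page's, while the rule names, the egress interface ethernet1/1, the inside subnet 192.168.1.0/24, the server addresses 10.2.133.15 / 80.80.80.80 and the service object tcp-8080 are assumed for the example. Lines starting with # are annotations, not commands to paste.

```text
# --- 1. Hide NAT: many-to-one, Dynamic IP and Port on the outside interface ---
set rulebase nat rules Hide-NAT-Out from Inside to Outside source 192.168.1.0/24 destination any service any to-interface ethernet1/1
set rulebase nat rules Hide-NAT-Out source-translation dynamic-ip-and-port interface-address interface ethernet1/1
# Security policy is matched on the pre-NAT source address and the post-NAT zones
set rulebase security rules Allow-Web-Out from Inside to Outside source 192.168.1.0/24 destination any application web-browsing service application-default action allow

# --- 2. Static source NAT for a DMZ server, bi-directional (creates the inbound mapping too) ---
set rulebase nat rules DMZ-Server-Static from DMZ to Outside source 10.2.133.15 destination any to-interface ethernet1/1
set rulebase nat rules DMZ-Server-Static source-translation static-ip translated-address 80.80.80.80 bi-directional yes
# Inbound policy still names the PRE-NAT destination (80.80.80.80) and the POST-NAT zone (DMZ)
set rulebase security rules Allow-Web-In from Outside to DMZ source any destination 80.80.80.80 application web-browsing service application-default action allow

# --- 3. Destination NAT, uni-directional: matched Outside -> Outside on the public address ---
set rulebase nat rules DMZ-Web-DNAT from Outside to Outside source any destination 80.80.80.80 to-interface ethernet1/1
set rulebase nat rules DMZ-Web-DNAT destination-translation translated-address 10.2.133.15
# Port translation variant (assumed): publish TCP/8080 on the public IP, land it on the server's port 80
set service tcp-8080 protocol tcp port 8080
set rulebase nat rules DMZ-Web-DNAT-8080 from Outside to Outside source any destination 80.80.80.80 service tcp-8080 to-interface ethernet1/1
set rulebase nat rules DMZ-Web-DNAT-8080 destination-translation translated-address 10.2.133.15 translated-port 80
commit
```

The bi-directional static rule in part 2 makes the separate destination NAT rule in part 3 redundant for the same server; part 3 is shown because, unlike the static mapping, a uni-directional destination NAT rule can narrow the exposure to one service and rewrite the port. In every case the security rule uses the public (pre-NAT) address with the DMZ (post-NAT) zone, which is the ordering described in the note at the top of this section.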

Destination NAT with Port Translation Example:

Destination NAT Example—One-to-Many Mapping:

Source and Destination NAT Example:

In some scenarios it may be required to perform source and destination NAT at the same time. One common example is a U-Turn situation, where internal hosts need to connect to an internal server, which is on the same network as the client, on its public IP address.

To be able to reach internal resources on a public IP, a new NAT policy needs to be created to accommodate trust to untrust translation.

If source translation is not included in this policy, the server will receive packets with the original source address, causing the server to send reply packets directly to the client.

This creates an asymmetric loop: client-firewall-server-client and the firewall session will be terminated as it violates TCP sanity checks.

The solution is to add source translation to, for example, the firewall IP, so the server’s reply packets are sent to the firewall, allowing for ‘stateful’ sessions.

[screenshot: 2016-09-29_17-13-56.png]

In this example, NAT rules translate both the source and destination IP address of packets between the clients and the server.

Source NAT—The source addresses in the packets from the clients in the Trust-L3 zone to the server in the Untrust-L3 zone are translated from the private addresses in the network 192.168.1.0/24 to the IP address of the egress interface on the firewall (10.16.1.103). Dynamic IP and Port translation causes the port numbers to be translated also.

Destination NAT—The destination addresses in the packets from the clients to the server are translated from the server’s public address (80.80.80.80) to the server’s private address (10.2.133.15).

[diagram: source_dest_nat_example.png]

The following address objects are created for destination NAT.
  • Server-Pre-NAT: 80.80.80.80
  • Server-post-NAT: 10.2.133.15
The following screen shots illustrate how to configure the source and destination NAT policies for the example.
[screenshots: source_dest_nat_ss_original.png, source_dest_nat_ss_translated.png]
To verify the translations, use the CLI command 'show session all filter destination 80.80.80.80'. A client address 192.168.1.11 and its port number are translated to 10.16.1.103 and a port number; the destination address 80.80.80.80 is translated to 10.2.133.15.
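The U-turn example above as PAN-OS set commands, using the page's own values (zones Trust-L3 and Untrust-L3, client network 192.168.1.0/24, egress interface address 10.16.1.103, address objects Server-Pre-NAT and Server-post-NAT). This is an added illustration, not the page's or Palo Alto's own configuration; the rule names and the egress interface ethernet1/1 are assumed. Lines starting with # are annotations, not commands to paste.

```text
# Address objects from the example (configure mode)
set address Server-Pre-NAT ip-netmask 80.80.80.80
set address Server-post-NAT ip-netmask 10.2.133.15
# One NAT rule carries both translations. Source translation to the egress interface
# (assumed ethernet1/1, address 10.16.1.103) forces the server's replies back through the
# firewall instead of straight to the client, so the session stays stateful.
set rulebase nat rules U-Turn-Server from Trust-L3 to Untrust-L3 source 192.168.1.0/24 destination Server-Pre-NAT to-interface ethernet1/1
set rulebase nat rules U-Turn-Server source-translation dynamic-ip-and-port interface-address interface ethernet1/1
set rulebase nat rules U-Turn-Server destination-translation translated-address Server-post-NAT
# Security policy: pre-NAT destination address, post-NAT destination zone
set rulebase security rules Allow-Trust-To-Server from Trust-L3 to Untrust-L3 source 192.168.1.0/24 destination Server-Pre-NAT application web-browsing service application-default action allow
commit
# Verification (operational mode): a session from 192.168.1.11 should show source 10.16.1.103
# and destination 10.2.133.15 in its translated (c2s) columns
show session all filter destination 80.80.80.80
```

If the source-translation line is left out, the server sees the client's real address and answers it directly, which is the asymmetric client-firewall-server-client loop the text describes; the firewall then drops the session on its TCP sanity checks.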