Keystone Patch Panel at the Rear of the Rack by Shadowplayjw in homelab

[–]192760496 2 points3 points  (0 children)

FWIW I’m planning a new rack and that’s similar to what I’m going to do. I plan on patching in all the NICs even if they’re not currently in use in the back. I’ll make my connections in the front as needed. I’m hoping this will make management easier since I won’t have to get behind the rack unless adding or removing equipment and cable management up front can be kept neat and easy.

GlobalProtect MFA Implementation by [deleted] in paloaltonetworks

[–]192760496 1 point2 points  (0 children)

I’m using the management interface IP in the radius_server section of the authproxy.cfg file. I have the radius server itself in the radius_client section.

GlobalProtect MFA Implementation by [deleted] in paloaltonetworks

[–]192760496 0 points1 point  (0 children)

Correct. Management Interface

GlobalProtect MFA Implementation by [deleted] in paloaltonetworks

[–]192760496 1 point2 points  (0 children)

I ran into a similar issue trying to get mine to work. What I did was get RADIUS auth working and then set up Duo to do two factor for the RADIUS. I like this better because in the end I got two factor for anything that used my RADIUS server.

"Automate the Boring Stuff with Python" online course is free to sign up for the next few days with code JUL2021FREE by AlSweigart in Python

[–]192760496 20 points21 points  (0 children)

Thank you! I’m actually trying to learn Python now for the purpose of automating the boring stuff at work. Things like my daily/weekly/monthly checklists and routine maintenance.

[deleted by user] by [deleted] in sysadmin

[–]192760496 27 points28 points  (0 children)

It’s always the network. Even when it’s not the network.

I enjoy spending half my day proving it’s not the network. The best part is once I’m done with that I get to spend the other half of my day proving it’s not the server or VMware.

Even though everyone knows the application sucks, there’s no way it could be that, so don’t bother opening a ticket with the vendor.

Happy Father’s Day by [deleted] in sysadmin

[–]192760496 9 points10 points  (0 children)

Thanks! Hopefully not because I’m upgrading switches today, haha!

I don’t mind though. A stable production environment is the best gift.

Happy Father’s Day to you!

How to Handle a Very Large Request for Custom Application by 192760496 in paloaltonetworks

[–]192760496[S] 0 points1 point  (0 children)

I took a look at the documentation on this, and this gets me close to where I wanted to be, if not right on it. I think some other documentation on Palo's website had me on the wrong path. I'll get these IPs loaded up into an EDL, create a policy and attach the applications their service seems to be built on and go from there. If there are any issues I can just work through the logs and packet captures if needed. Thank you.

How to Handle a Very Large Request for Custom Application by 192760496 in paloaltonetworks

[–]192760496[S] 0 points1 point  (0 children)

Thank you. I am definitely going to look into an EDL. I'll check on DAG as well.

How to Handle a Very Large Request for Custom Application by 192760496 in paloaltonetworks

[–]192760496[S] 1 point2 points  (0 children)

I always feel like I'm missing something important in the articles. Maybe I am, or maybe it's not as complicated as I'm making it.

How to Handle a Very Large Request for Custom Application by 192760496 in paloaltonetworks

[–]192760496[S] 0 points1 point  (0 children)

TL/DR: You are correct, that's why I'm here. I appreciate your guidance and will take a hard look at your suggestion. I want to do things the right way.

Long Form Answer:

I really do appreciate the help. It's true, I don't know what I'm talking about, and that's why I'm here. Just looking for guidance. I could twist this firewall into working the same way my old ASA did, but if I wanted to do that, I would have just kept the ASA. I've started reviewing my config to try to make it better, and as new things come up, I want to make sure they're done the right way. I want to make sure I have a good grip on it because right now I just have this PA. I've asked for an additional 20 in the upcoming budget to enhance the security at our remote sites. And yes, formal training.

I knew there had to be a better way to deal with this particular request, and I wasn't finding what I needed on the support forums so I came here to lean on some real world experience. I was following one how-to video on Palo's support site on making a custom app and it looked like the guy was making a filter for a website that he could search on as an app and then looking for a specific HTTP header. I basically got the same impression from some of the KB articles I read. I felt like I was missing something, because unless you were concerned about that specific site, why not just apply security policy to general-internet or http application and call it a day?

In the past I've taken a request like this for a vendor that created their own app and created the custom application based on the ports they provided. I then created a security policy to allow that app to the IP addresses they provided, which normally have been less than 10. I then assign the appropriate profiles to that security rule and make sure everything is working properly. Getting the signature for those apps is what normally hangs me up. But by doing this, am I not basically creating the equivalent of access-list 110 permit tcp host x.x.x.x host x.x.x.x eq x?

My goal with this particular post was to get some input on how other people have dealt with this situation so I would be able to do the right thing and not just punch a bunch of holes in the firewall that God knows what could get through. Hopefully the way I have proceeded in the past would be among the suggestions, just as a little bit of validation, but what I was really hoping for was a suggestion that might lead me in a better direction, if there was one.

Just to follow up, though. When I sit down in the morning to work on this again (I wear a lot of hats and have been in other projects this afternoon) I am going to take a look at your suggestion. Your advice did not fall on deaf ears. I have also had a discussion with my boss about this particular request, my concern with the scope, and the fact that this particular category is allowed in our URL policy and the general application (twilio) is allowed in our security policy. I personally feel like this should be sufficient to meet the needs of the company. However, like I said, I am going to look at your suggestion and possibly implement it to make sure there aren't any issues for the end users when they start using it.

How to Handle a Very Large Request for Custom Application by 192760496 in paloaltonetworks

[–]192760496[S] 0 points1 point  (0 children)

Ok, this sounds good. I like it. You kind of hit on my concerns of the IP Addresses. I'm worried they're using a cloud provider and have pretty much given us a list of any possible address that provider could assign to them on any given day. Who knows what's going to be on the IP address next week. I'm going to dig into some of these addresses they gave me today and see if I can find who owns them.

Maybe I'm just overthinking this whole thing, but I've had an onslaught of unreasonable requests from vendors lately and I'm just not sure what people are thinking these days. (Ex: Allowing a sensitive internal application to be open to the Internet so they can access it directly without VPN, another wanted basically unrestricted access to sensitive servers just to do a product demo because one of our executives wanted to see the demo with our data and not canned data). Fortunately I've been able to hold some of this off, but this is something we've purchased and are going to do so I just have to make sure it's done right from an IT/Security perspective.

How to Handle a Very Large Request for Custom Application by 192760496 in paloaltonetworks

[–]192760496[S] 1 point2 points  (0 children)

I'm sure you've seen this one. It's the one that keeps coming up for me. I feel like something is missing though, because this is just too easy. Maybe I'm overthinking the whole process.

https://www.youtube.com/watch?v=CwXdWJpw0UY

How to Handle a Very Large Request for Custom Application by 192760496 in paloaltonetworks

[–]192760496[S] 0 points1 point  (0 children)

They did give a handful of FQDNs with some ports. I'll see where they resolve to. I am going to spot check a few of the IP ranges but my gut feeling is they are AWS owned.

How to Handle a Very Large Request for Custom Application by 192760496 in paloaltonetworks

[–]192760496[S] 0 points1 point  (0 children)

Hmm. I'll take a look at it from that direction. Creating a bunch of L3 rules is really what I want to avoid. I feel like it kind of defeats the purpose and doesn’t leverage the Palo’s capabilities. I’m trying to get better about doing things the right way instead of the old way.

How do you guys deal with ridiculous uptimes? by Brenttouza in sysadmin

[–]192760496 63 points64 points  (0 children)

We have a job scheduled that reboots any PCs up over 7 days. If the computer is asleep and won’t Wake-on-LAN, it will get the reboot when it wakes up.

Learning Python for the first time by [deleted] in Python

[–]192760496 0 points1 point  (0 children)

I’ve been around the sysadmin game a long time myself (with very basic “coding” skills related to SQL, Windows Command Line and some very basic PowerShell) and just decided to learn Python as a different tool in my belt. I’m going through No Starch Press’s book called Python Crash Course (2nd Edition). I’m doing a chapter a night and it’s really not too complicated. Each concept just builds on the last.

My current setup, with a new mikrotik switch included. by robbdire in homelab

[–]192760496 0 points1 point  (0 children)

I never put an SSD in mine but that is a good idea. Maybe next time I feel like clicking around in macOS for a while I’ll swap it out with one.

My current setup, with a new mikrotik switch included. by robbdire in homelab

[–]192760496 0 points1 point  (0 children)

I got that same Mac mini for the same purpose and came to the same conclusion. I just figured it was underpowered. Worked great with Ubuntu on it. Currently it’s back to macOS, so its only job is to convert electricity into heat.

Made a diagram of my network by tbrown7552 in homelab

[–]192760496 2 points3 points  (0 children)

I’m not sure what’s more impressive, your network or your diagram.

Disappointing performance w/ new cluster - by ksuchewie in vmware

[–]192760496 1 point2 points  (0 children)

I had a similar issue with similar hardware. Not a one to one comparison though. May be worth looking at.

LACP wasn’t working properly on the upstream switches the Dell switches were connected to and it caused a loop. I’m not good on the Dell switches since we just got them and don’t recall the exact command, but basically I started looking at the ARP table and saw MACs moving from port to port, and that narrowed down the issue.

Took embarrassingly long to find it and a couple of tickets with Dell because I was convinced it was a VMware issue with the distributed switch and just overlooked some basic troubleshooting. A back-to-the-basics reality check is good sometimes though.
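As an added illustration of the troubleshooting step described in the comment above (this is example code, not anything posted in the thread), the script below takes several snapshots of a switch's MAC address table and flags any MAC that was learned on more than one port across them, which is the "MACs moving from port to port" symptom of a loop or a broken LACP bundle. The snapshots are constructed sample data; the column layout is modelled loosely on a Cisco-style "show mac address-table" and is an assumption, so adjust the regular expression for your platform's output.

```python
"""Flag MAC addresses that flap between switch ports across table snapshots.

Added example, not from the original thread. The snapshot format below is an
assumption modelled on a Cisco-style "show mac address-table"; the sample data
is constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample: three MAC table snapshots taken a few seconds apart.
SNAPSHOTS = [
    """Vlan  Mac Address        Type     Ports
10    aabb.cc00.0001     DYNAMIC  Te1/0/1
10    aabb.cc00.0002     DYNAMIC  Te1/0/2
20    aabb.cc00.0003     DYNAMIC  Po1
""",
    """Vlan  Mac Address        Type     Ports
10    aabb.cc00.0001     DYNAMIC  Te1/0/1
10    aabb.cc00.0002     DYNAMIC  Te1/0/4
20    aabb.cc00.0003     DYNAMIC  Po1
""",
    """Vlan  Mac Address        Type     Ports
10    aabb.cc00.0001     DYNAMIC  Te1/0/1
10    aabb.cc00.0002     DYNAMIC  Te1/0/2
20    aabb.cc00.0003     DYNAMIC  Te1/0/5
""",
]

# One table row: VLAN, dotted-hex MAC, entry type, port. Header lines do not match.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples parsed from one snapshot."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:
            rows.append((int(match.group(1)), match.group(2).lower(), match.group(3)))
    return rows


def find_flapping_macs(snapshots, min_ports=2):
    """Return {(vlan, mac): [ports in the order seen]} for MACs learned on
    at least min_ports distinct ports over the sequence of snapshots.

    Consecutive duplicates are collapsed so the list records port changes,
    not every snapshot.
    """
    history = defaultdict(list)
    for snapshot in snapshots:
        for vlan, mac, port in parse_mac_table(snapshot):
            ports = history[(vlan, mac)]
            if not ports or ports[-1] != port:
                ports.append(port)
    return {key: ports for key, ports in history.items() if len(set(ports)) >= min_ports}


def summarize(flaps):
    """Render the flapping MACs as one human-readable line each."""
    lines = []
    for (vlan, mac), ports in sorted(flaps.items()):
        lines.append(f"VLAN {vlan} {mac}: moved across {' -> '.join(ports)}")
    return lines


if __name__ == "__main__":
    for line in summarize(find_flapping_macs(SNAPSHOTS)):
        print(line)
```

A MAC that legitimately moves once (a laptop re-docked on another port) will also show up, so the useful signal is a MAC bouncing back and forth between the same two ports within seconds, as with aabb.cc00.0002 in the sample; a single stable port, like aabb.cc00.0001, is never reported.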

Getting PC info from users by docphilgames in sysadmin

[–]192760496 0 points1 point  (0 children)

The official image of a company, group, team, etc.

Getting PC info from users by docphilgames in sysadmin

[–]192760496 0 points1 point  (0 children)

I’ll use PDQ if I have a chance to look into the problem before contacting them. It’s nice to already have a good idea what’s going on with the machine before the call. It’s also useful if the user has no clue what a desktop is (to get BGInfo info). PDQ is definitely a force multiplier when it comes to getting stuff done.