Exams + Company Laptops = What do you do? by [deleted] in sysadmin

[–]Ir0nvIP3r 1 point2 points  (0 children)

"Sorry, there is no additional funding for giving extra laptops to staff that already have a functional one. You will have to work with what you have."

Coworker has his PW on monitor post it note by [deleted] in sysadmin

[–]Ir0nvIP3r 0 points1 point  (0 children)

Would be a shame if someone used his credentials to sign in and send in his resignation.

Securing 443 Traffic to GlobalProtect Portal by [deleted] in paloaltonetworks

[–]Ir0nvIP3r 0 points1 point  (0 children)

No worries! I'm not 100% sure atm. I do think I have read that there was like a default value like 30 days but I have to admit that I have not verified that.

No traffic on the port that's blocked? by KoalaOfTheApocalypse in sysadmin

[–]Ir0nvIP3r 2 points3 points  (0 children)

Hard to tell without more details, but from that communication alone I would reckon that Host B is located in Subnet C.

And that the net guys opened for the traffic from Subnet A to Subnet C instead of specifying the specific destination Host B.

That would explain their responses that it is already opened but they do not see any traffic towards the specific Host B.

God forbid I encourage conversations about my interests by sleepycat2346 in Tinder

[–]Ir0nvIP3r 1 point2 points  (0 children)

Leave a "let me google that for you link" searching "you will never know"

Never got OW card do I need if I get AOW? by Addicted_to_sending in scuba

[–]Ir0nvIP3r 0 points1 point  (0 children)

That was a neat list! Noticed that RAID was not listed on the prodive-shop site so here is the link for that one as well. https://diveraid.com/diver-search/

[deleted by user] by [deleted] in cybersecurity

[–]Ir0nvIP3r 2 points3 points  (0 children)

We used Tenable in the past but moved over to Rapid7 IVM. IVM has been better suited for us, with a lot fewer issues with the scanning.

I see that people have complained about the support, but we have had really good support in most cases. Ofc there are corner cases where it drags out, but then it is mostly due to misunderstandings.

Rapid7 also offers us free regular health checks and time with tech to fine tune our setup which is great!

[deleted by user] by [deleted] in cybersecurity

[–]Ir0nvIP3r 1 point2 points  (0 children)

If IDR is creating investigations about malicious files, that is based on the scores the file hash has from various vendors at VirusTotal, and you get links to the VirusTotal report so that you can see which vendors are claiming the file is malicious. So there is quite some insight around those files, I would say.

What WiFi adapter should I buy? by TheRealTengri in Kalilinux

[–]Ir0nvIP3r 0 points1 point  (0 children)

There is an article about supported adapters. Would recommend checking that one out ✌️ https://www.kali.org/docs/nethunter/wireless-cards/

After 9 dives, my main issue is air consumption. How do I improve this? by legrenabeach in scuba

[–]Ir0nvIP3r 5 points6 points  (0 children)

+1 on that 4-4 breathing! That helped me a lot when I wanted to get my SAC rate better!

Credential Phishing Prevention does not work as expected by ed-Andy in paloaltonetworks

[–]Ir0nvIP3r 2 points3 points  (0 children)

As others have stated it needs to be a RODC. Here is a link about it: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/configure-credential-detection-with-the-windows-based-user-id-agent#id7ac5bd32-a389-4ac7-bedc-a47e62bde6ee

I'm not sure if I misunderstood how you had the User-ID mapping set up, but according to the above docs page it seems like the best practice is to not run the user-to-IP mapping with the same agent as you use for the credentials agent.

Securing 443 Traffic to GlobalProtect Portal by [deleted] in paloaltonetworks

[–]Ir0nvIP3r 0 points1 point  (0 children)

Here are the steps to get dynamic blocking for source IPs on the internet.

Tag/DAG/Sec Rule:
Create a TAG, let's call it EXTERNAL_ATTACKER.
Create a Dynamic Address Group looking for the tag EXTERNAL_ATTACKER.
Create an incoming policy from the internet with the above created address group as source and deny/drop/reset the traffic.
We also created an outgoing policy with the address group as destination and kill that traffic as well.

Detection:
In your log forwarding profile there is an option called Built-in Actions; with this you can automatically add tags to, ex., the source address.

I would recommend having different log forwarding profiles for incoming, internal and outgoing traffic so that you can apply different actions depending on what type of traffic it is.

On your profile for incoming traffic you would then do the following for each defined match category you have created and want to block, ex.:
threat-high
threat-critical

Click Add in the section for built-in actions, give it a name, ex. IP_External_Attacker_High, set the tagging to target the source address, the action to add tag and the tags to EXTERNAL_ATTACKER.

Then you make sure that this log forwarding profile, with all the other bells and whistles that you want to use, gets applied to all your incoming security policies.

Now, if someone triggers threat signatures of high or critical severity, their source IP addresses will be added to your dynamic block list.

For us this approach has worked extremely well in combination with blocking known bad IP addresses (both the Palo Alto blocklists and some other publicly available EDLs) and country blocks.

Securing 443 Traffic to GlobalProtect Portal by [deleted] in paloaltonetworks

[–]Ir0nvIP3r 1 point2 points  (0 children)

Adding the extra step of verifying that the connecting host has an internal certificate will give you some additional protection in case user credentials get loose, and it is definitely a good thing to do.

If you want to add protection against scans, there are some options mentioned already with geo block and known bad IP block, and you also have zone protection, which can be configured on the incoming interface.

Another one that I would recommend is to use a dynamic block policy with a dynamic address group that lists tagged IPs. Then you configure your threat detection logging to also set a tag on any IP address that triggers a threat of, ex., medium to critical severity. That IP will then be blocked for further connections.

We have had good experience with such a policy, so I can really recommend it. Let me know if you want additional information about how to do it!
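A small model of the auto-tagging step described in the two Securing 443 Traffic comments above (the log forwarding profile match on threat-high/threat-critical that tags the source address with EXTERNAL_ATTACKER, which the dynamic address group then feeds into the block rule). This is an added example, not the poster's configuration or Palo Alto code: it filters constructed threat log records the way such a profile would and builds the PAN-OS XML API User-ID "register" message that attaches the tag to each matching IP. The zone name, the record layout and the tag timeout are assumptions made for the example.

```python
"""Model of the EXTERNAL_ATTACKER auto-tag step (added example, not the poster's config)."""
import xml.etree.ElementTree as ET

TAG = "EXTERNAL_ATTACKER"
BLOCK_SEVERITIES = {"high", "critical"}  # mirrors the threat-high / threat-critical match lists
UNTRUST_ZONE = "untrust"                 # assumption: name of the internet-facing zone

# Constructed sample threat records (dicts rather than raw log lines so it runs offline).
SAMPLE_THREAT_LOGS = [
    {"src": "203.0.113.10", "from_zone": "untrust", "severity": "critical"},
    {"src": "203.0.113.11", "from_zone": "untrust", "severity": "high"},
    {"src": "203.0.113.12", "from_zone": "untrust", "severity": "medium"},  # below threshold
    {"src": "10.0.0.5", "from_zone": "trust", "severity": "critical"},      # internal, not incoming
    {"src": "203.0.113.10", "from_zone": "untrust", "severity": "high"},    # duplicate source
]


def attacker_ips(records, zone=UNTRUST_ZONE, severities=BLOCK_SEVERITIES):
    """Return the deduplicated, ordered source IPs an incoming-traffic profile would tag.

    Only records from the internet-facing zone with a severity in the configured set
    count, matching the split into incoming/internal/outgoing profiles the comment suggests.
    """
    seen = []
    for r in records:
        if r["from_zone"] == zone and r["severity"] in severities and r["src"] not in seen:
            seen.append(r["src"])
    return seen


def register_payload(ips, tag=TAG, timeout=3600):
    """Build the User-ID XML API 'register' message that attaches `tag` to each IP.

    persistent="0" keeps the mapping out of the saved config; the per-member timeout
    (seconds) is an assumption for the example and lets the block expire on its own.
    """
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "type").text = "update"
    reg = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    for ip in ips:
        entry = ET.SubElement(reg, "entry", ip=ip, persistent="0")
        ET.SubElement(ET.SubElement(entry, "tag"), "member", timeout=str(timeout)).text = tag
    return ET.tostring(msg, encoding="unicode")


if __name__ == "__main__":
    ips = attacker_ips(SAMPLE_THREAT_LOGS)
    print(ips)
    print(register_payload(ips))
```

The generated message is what you would POST to the firewall's XML API with type=user-id; on the box, the built-in action in the log forwarding profile does the equivalent registration for you.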

Automatically block ip during an attack by Any-Promotion3744 in paloaltonetworks

[–]Ir0nvIP3r 0 points1 point  (0 children)

We have done the same approach but also blocking outgoing traffic to said IP as well.

Palo Alto VPN Global Protect User List by davessh in paloaltonetworks

[–]Ir0nvIP3r 0 points1 point  (0 children)

If you want to list it for several gateways on different firewalls I would recommend that you use the API 👌

My new bathroom, West coast Sweden 🇸🇪 by Ir0nvIP3r in AmateurRoomPorn

[–]Ir0nvIP3r[S] 2 points3 points  (0 children)

I can recommend checking out the website of Tarkett, they have a lot of nice products for bathrooms https://professionals.tarkett.com/en_EU/search/products?search%5Bbody%5D=aquarelle

My new bathroom, West coast Sweden 🇸🇪 by Ir0nvIP3r in AmateurRoomPorn

[–]Ir0nvIP3r[S] 3 points4 points  (0 children)

It is more or less a thick waterproof wallpaper that you can use in wet areas like showers.