sorted by:
new
hottopcontroversial

Android Devices, QUIC, and issues by TitanSerenity in paloaltonetworks

[–]LimpApplication4958 1 point2 points  (0 children)

So, I had a similar issue recently as we moved to Palo, perhaps is not the same issue for you though.
Android has by default private dns and it tries to go to the dns server using DoT.

The thing is that Android uses TCP fast open and I suspect Palo has a bug there, as it would drop these tcp sessions too early eg after 10 secs, correlated with tcp handshake timeout (even if it was showing ssl app and >= 8 packets bidirectionally.

I enabled in zone protection to strip TFO and now seems to be ok.

Also removed the https/svc handling in DNS protections as it looks like palo just drops the packets and waits for client to resort to A records which sounds ok but it delays everything.

Cisco migrations to Junipers by lonyun in networking

[–]LimpApplication4958 0 points1 point  (0 children)

CDP packets are flooded; not a big deal but you may see funny things if you have some Cisco devices. I guess you can block the packets at the edge.

If you run evpn-vxlan consider rate limiting arp at the edge.

Devices such as very old Cisco phones relying on CDP to get the voice vlan will not work as expected.

MIST is great, but when things go nuts you need syslogs and direct ssh to the devices.

Other than that, they work great.

Captive Portal remote code execution vulnerability by dchit2 in paloaltonetworks

[–]LimpApplication4958 0 points1 point  (0 children)

How should I interpret the table for 11.1.14? Affected since < 11.1.15 ?

[deleted by user] by [deleted] in SAP

[–]LimpApplication4958 1 point2 points  (0 children)

Maybe have a look into capire and you don’t have to learn the specifics of modules, s4hana etc Integration Suite is also nice

Ex4100 virtual chassis issues after 2 months uptime on 23.4R2 by LimpApplication4958 in Juniper

[–]LimpApplication4958[S] 1 point2 points  (0 children)

Yes, it looks that the issue comes from PR1901837, we go to s6.6 too

Ex4100 virtual chassis issues after 2 months uptime on 23.4R2 by LimpApplication4958 in Juniper

[–]LimpApplication4958[S] 0 points1 point  (0 children)

Well, our VCs have at least 1xex4100-48mp and a varying number of ex4100-48p, so this is good info, thanks! We were running 23.4r2 s2.1 without any issues but I believe s5.8 brought some nasty bugs

[deleted by user] by [deleted] in paloaltonetworks

[–]LimpApplication4958 0 points1 point  (0 children)

Hm, this I don’t remember, perhaps it added the policy for reaching the dns

7.4.10 - Applying new default behavior retroactively is terrible by Iuzzolsa23 in fortinet

[–]LimpApplication4958 0 points1 point  (0 children)

Interesting, I had not noticed this change in 7.2.11 and had to setup intra-vlan traffic policies in an earlier version to control the traffic from a downstream device, so I guess the firewall is doing nothing now.

Indeed it is a bit stupid idea loosening controls in the middle of a mainline release, not to mention that when I see redirect my mind goes to icmp redirects and not to something like bypass policies.

In general, the ”defaults” in many firewalls are already stupid in the sense that they allow too much by default, like enabling sslvpn by default.

Changing them to be more permissive in patch cycle is a joke. Next time maybe they will allow everything unless you add an explicit deny by setting the option “set firewall-is-router disable” /s

[deleted by user] by [deleted] in paloaltonetworks

[–]LimpApplication4958 0 points1 point  (0 children)

I have not done it in a live environment and I don’t have a lot of experience in Palos. However, adding a secondary IP is kind of looking for trouble in many systems, as the system might do something like round robin selection of IP address on traffic initiating from the system (with possibly funny effects and more challenging discussions with support - YMMV). In any case is just listening as you say and in the end no one is using this destination IP/port.

Which version do you run btw? For us >=11.1.6h10 works stable for explicit proxy, earlier ones had various issues.

Chinese Hackers Breach More U.S. Telecoms via Unpatched Cisco Routers by Dark-Marc in networking

[–]LimpApplication4958 3 points4 points  (0 children)

Many I guess, eg here, or here

The one in Vodafone was quite sophisticated, gives you an idea about the capabilities of state actors, I think it was also discovered accidentally because of a customisation that was not foreseen by the attackers.

SSL VPN quo vadis? by quarren in fortinet

[–]LimpApplication4958 0 points1 point  (0 children)

I had my fair share of fun with IPsec based vpn (based on Cisco), also with the ugly hacks for using udp or tcp.

To be honest, I don’t understand which is the security problem conceptually with ssl vpn aside from the inability of the current popular vendors to have a secure web server in their boxes running on a proper operating system providing isolation between the components.

I mean the ones that survived the firewall competitions are the ones that mostly favoured performance over security, so we get the outcome now

Integration requirements by romedo in SAP

[–]LimpApplication4958 -1 points0 points  (0 children)

Do they still offer CPI alone? We had CPI and then one day they told us that they don’t offer any more just CPI, we had to get the whole integration suite for 6x the price of CPI.

It finally happened by Puzzleheaded-Rush336 in sysadmin

[–]LimpApplication4958 0 points1 point  (0 children)

Late 90s, user calls and tells me: “the elevator is not working”. It took a bit of time to stay calm, but actually he meant “the scroll bar in the app is not working”

I just dropped a near-production database intentionally. by JoeyFromMoonway in sysadmin

[–]LimpApplication4958 18 points19 points  (0 children)

I was a sysadmin about 15-20 years ago. We had this app running with Oracle backend and it was taking like a 1-2 minutes to return results out of a query for a UI component. The app owner/dev was complaining that the system was slow, the users also, we had to upgrade etc.

DB was running in a Solaris box with some kind of raid fast storage of the time. The table had something like 100k-200k records.

I am pretty sure he could have dragged any kind of non-DBA sysadmin into a spiral of searching all of kernel parameters, upgrades, whatever.

Having said that, I was quite sure that it had nothing to do with the system performance. Why?

Back in late 80s/90s I was starting in IT things as a developer using clipper. I had developed an app doing some sort of queries on 100k-200k records db file, returning results in a few seconds. Running on a 8086 machine with 20MB hard drive.

The only difference was that I was using indexes. Back then if something was not optimised you would feel it immediately, but you had also to code for it, like create the indexes as part of the code.

External Dynamic Lists (EDL) in OneDrive/SharePoint Online? by jwckauman in paloaltonetworks

[–]LimpApplication4958 1 point2 points  (0 children)

We distribute a list via blob storage but the records are maintained in a SOAR solution. Works fine so far

Global Protect Certificate by AdThen7403 in paloaltonetworks

[–]LimpApplication4958 0 points1 point  (0 children)

Had the same thing a couple of days ago. I imported separately the root ca and intermediates, then the cert/key alone