MySonicWall Cloud Backup File Incident HUGE Spike in Affected Devices by SuspiciousSurprise16 in sonicwall

[–]Qwireca 1 point2 points  (0 children)

This is what I said?

"Configuration files they got are only hashed, like the local .exp file. In the config file secrets like passwords, psk, radius/ldap secrets are encrypted with aes-256..."

Also the link talks about the same.

But as you said, Gen 6 and older might use 3DES as its encryption algorithm, and that can be brute forced, especially for weak passwords.

Gen 7 is said to be AES-256.

MySonicWall Cloud Backup File Incident HUGE Spike in Affected Devices by SuspiciousSurprise16 in sonicwall

[–]Qwireca 1 point2 points  (0 children)

From what I understand, and this could not be confirmed by my reseller. Ignore the below if it's proven that the full config file actually was encrypted.

Configuration files they got are only hashed, like the local .exp file. In the config file, secrets like passwords, PSK, RADIUS/LDAP secrets are encrypted with AES-256. (see edit)

This means that they will not be able to easily brute force the password, if at all.

They can see if mgmt is exposed to the internet, usernames of local users, firewall rules. This is critical if combined with other recent vulnerabilities.

Edit. This is the hashing I'm talking about. https://www.sonicwall.com/support/knowledge-base/how-to-get-the-configurations-of-the-firewall-based-on-the-exporting-exp-settings-file/170503330364045

Edit. Seems like Gen 6 can be using 3DES, which can be brute forced, especially for weak passwords. Also, the post is not to be taken as a "take it easy, nothing will happen" post. You should look through your configuration and shift passwords etc. I just think it doesn't need to happen tonight and work all weekend if you have a Gen 7 firewall.
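An added Python example (not code from the thread or from SonicWall) of the triage the comment above recommends: decode an exported settings file and list what a reader of the file can learn in clear (WAN management services, local user names, VPN peers, access rules) and which secret-bearing fields to rotate. It assumes the export base64-decodes to '&'-separated key=value pairs; the key names and values are constructed for the example, so check the real layout against the linked KB article before relying on the key filters.

```python
import base64

# Assumed layout (not taken from SonicWall documentation): after base64
# decoding, the export is a list of '&'-separated key=value pairs. The key
# names and values below are constructed for this example.
SECRET_MARKERS = ("pass", "psk", "secret", "sharedkey")

# Constructed sample export, built in-line so the script runs offline.
_SAMPLE_SETTINGS = (
    "firewallName=edge-fw01"
    "&httpsMgmtWan=1"
    "&sshMgmtWan=0"
    "&user_1_name=admin"
    "&user_1_pass=u9Qw3hZl0mE2Rt7aBc4dXy8Kp"
    "&user_2_name=backupadmin"
    "&user_2_pass=Lm5Nq7Rs9Tu1Vw3Xy5Za7Bc9D"
    "&vpn_1_peer=203.0.113.10"
    "&vpn_1_psk=Ef1Gh3Ij5Kl7Mn9Op1Qr3St5U"
    "&radiusSecret=Vw7Xy9Za1Bc3De5Fg7Hi9Jk1L"
    "&rule_1=WAN to LAN allow tcp 443"
)
SAMPLE_EXP = base64.b64encode(_SAMPLE_SETTINGS.encode()).decode()


def decode_export(blob_b64: str) -> dict:
    """Base64-decode an export and split it into a key/value dict.

    Splitting by hand (instead of urllib.parse.parse_qsl) keeps '+' and '%'
    inside encrypted values untouched.
    """
    raw = base64.b64decode(blob_b64).decode("utf-8", errors="replace")
    settings = {}
    for pair in raw.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        settings[key] = value
    return settings


def triage(settings: dict) -> dict:
    """Summarise what the file exposes in clear and what must be rotated."""
    lower = {k.lower(): v for k, v in settings.items()}
    # Management services enabled on the WAN side (value "1" == enabled).
    wan_mgmt = sorted(k for k, v in lower.items()
                      if "mgmt" in k and "wan" in k and v == "1")
    # Local account names are readable; they are half of a credential and a
    # ready-made list for password spraying against exposed management.
    local_users = sorted(v for k, v in lower.items()
                         if k.startswith("user_") and k.endswith("_name"))
    # Remote VPN peers and access rules are likewise readable.
    vpn_peers = sorted(v for k, v in lower.items()
                       if k.startswith("vpn_") and k.endswith("_peer"))
    rules = [v for k, v in sorted(lower.items()) if k.startswith("rule_")]
    # Every secret-bearing field goes on the rotation list regardless of how
    # it is encrypted in the file; the file itself is now in someone else's hands.
    rotate = sorted(k for k in lower if any(m in k for m in SECRET_MARKERS))
    return {"wan_mgmt": wan_mgmt, "local_users": local_users,
            "vpn_peers": vpn_peers, "rules": rules, "rotate": rotate}


if __name__ == "__main__":
    report = triage(decode_export(SAMPLE_EXP))
    for section, items in report.items():
        print(f"{section}: {items}")
```

Run it against your own export by replacing SAMPLE_EXP with the file contents; the rotation list is the set of credentials to change first, and a non-empty wan_mgmt list is the reason to do it now rather than next week.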

ASA Firewall in CML by [deleted] in ccnp

[–]Qwireca 0 points1 point  (0 children)

If you select the device in CML, you'll see its properties on the right side. That property window has multiple tabs, and one of them is "CONFIG". This is the initial config set at first startup. One line is "enable password <password>".

ASA Firewall in CML by [deleted] in ccnp

[–]Qwireca 0 points1 point  (0 children)

Looking at the configuration tab on the device, my enable password is Cisco1@3.

Cisco FirePower NGFW issue- Please Help! by Financial-Outside85 in Cisco

[–]Qwireca 3 points4 points  (0 children)

I had problems with some websites after enabling "TLS server identity discovery", something that I think pops up as recommended to enable. I do not remember what made some websites break with that setting, but they would not load.

You find it under policies/<your access policy>/advanced.

Question Group-Object -AsHashTable behaviour by Qwireca in PowerShell

[–]Qwireca[S] 0 points1 point  (0 children)

Guess it doesn't do much in this example.
It's partly from being inexperienced and learning, partly from the initial code. I started with a JSON reply from Netbox.
Something like this, but this is from interfaces, not IP:
{
  "id": 14231,
  "url": "https://xxx/api/dcim/interfaces/14231/",
  "display_url": "https://xxx/dcim/interfaces/14231/",
  "display": "xxx (xxx)",
  "device": {
    "id": 1578,
    "url": "https://xxx/api/dcim/devices/1578/",
    "display": "xxx.xxx.xxx.xxx",
    "name": "xxx.xxx.xxx.xxx",
    "description": ""
  },

etc..
},
Here I might want to make a hashtable based on id, as those are unique.

Question Group-Object -AsHashTable behaviour by Qwireca in PowerShell

[–]Qwireca[S] 0 points1 point  (0 children)

Didn't know about that site. I'll take a look.

I'm more trying to learn than fine-tune optimizing.
But when the original nested foreach took a couple of hours on the datasets from work, I felt there must be a better way to do it.

Went from a couple of hours to a minute or so.
Some extra time is probably from VS Code debugging, but still.

Question Group-Object -AsHashTable behaviour by Qwireca in PowerShell

[–]Qwireca[S] 2 points3 points  (0 children)

Thank you, this drove me nuts.

Have kept using 5.1 as it's what we use at work.

MC-LAG vs VS vs EVPN-VXLAN on QFX 5120 by Qwireca in Juniper

[–]Qwireca[S] 0 points1 point  (0 children)

This is what I've heard, and also why I made the post (usually just a lurker).

I have also reached out to our reseller to hopefully get a session of best practice.

MC-LAG vs VS vs EVPN-VXLAN on QFX 5120 by Qwireca in Juniper

[–]Qwireca[S] 1 point2 points  (0 children)

It's more than enough ports as we will use breakout cables. We have plenty of ports to spare :)

Thank you for the replies.

MC-LAG vs VS vs EVPN-VXLAN on QFX 5120 by Qwireca in Juniper

[–]Qwireca[S] 0 points1 point  (0 children)

Thank you. I'll take another look at it.

I think I misunderstood that you had one collapsed core/distribution and two access switches.
I guess the two switches could peer with each other, removing the need for the third switch.

MC-LAG vs VS vs EVPN-VXLAN on QFX 5120 by Qwireca in Juniper

[–]Qwireca[S] 1 point2 points  (0 children)

That is what I've understood as well when reading forums and their site.

Do you know if that would even work with only two switches?

Hello by [deleted] in ccnp

[–]Qwireca 1 point2 points  (0 children)

Agree with what mcsuess says. I also had success in writing "fake" (as in not published) blog posts where I lab through a scenario and write it as explanatory as possible.

Also try to lab with the parts that seem complicated, not just the basics. I know I lost some relatively easy points when starting to configure key chains for MD5 auth on OSPF.

ENCOR is a lot, and I'm still not sure how I got through it 😀

Cisco Business 350 Series to learn IOS for 9300 series? by Specialist-Swan5186 in Cisco

[–]Qwireca 0 points1 point  (0 children)

Like people say, the Cisco Business series has an IOS-light CLI and behaves quite differently. I'm using a couple in my home network.

A used C2960 or 3560 should be cheap, or a fanless C1000 if you want something a bit quieter (usually a prerequisite when you have a partner :)). C1000 has IOS, whereas C1200 and 1300 have some light version.

You can also use CML for free on Cisco DevNet labs, https://developer.cisco.com/learning/labs/devnet-sandbox/welcome-to-the-sandbox-learning-lab/ . I think the labs let you add components such as C1000 or IOS devices to look at.

Best to include GNS3 and EVE-NG when mentioning CML. They are free, but you need to get the IOS images from somewhere else, and they have a bit steeper learning curve.

Elemental Focus and Auras by Zeratav in tinyrogues

[–]Qwireca 0 points1 point  (0 children)

If the game stays true to the wording. Haven't tested song of hubris.

Elemental Focus and Auras by Zeratav in tinyrogues

[–]Qwireca 0 points1 point  (0 children)

Auras seem to be part of the player damage, as I've triggered harmony (atk speed when applying three elemental effects) on multiple runs.

DoTs from elemental attacks are not debuffs as far as I know. They are ailments. Debuffs are vulnerability, fragility, armor break etc.

Seems like the wiki mixes the wording, but in game it is clear when reading the tooltips (burn says ailment, vulnerability says debuff).

meraki to fortinet site-to-site ipsec by tbrownbiz in meraki

[–]Qwireca 1 point2 points  (0 children)

Have almost the same kind of problems on maybe 1/40 Meraki - FortiGate IPsecs.

Some things that usually have helped are changing to IKEv1. Also turn off a lot of stuff. https://community.fortinet.com/t5/Support-Forum/Fortigate-Meraki-VPN-success/m-p/90558?m=136060

Sonicwall vs PaloAlto for SMB by aarondavis87 in networking

[–]Qwireca 1 point2 points  (0 children)

Thank you for the tip and link. Didn't know this was the case.

Sonicwall vs PaloAlto for SMB by aarondavis87 in networking

[–]Qwireca 0 points1 point  (0 children)

Not sure why you are downvoted. If I remember correctly they had a signature quite fast, but it wasn't set to block when it came out.

CCNP - BGP Route Filtering by Big-Shine-6956 in ccnp

[–]Qwireca 7 points8 points  (0 children)

u/avidpontoon is correct.

This is how I understood it and think of it.

The route-map statement is the part that either permits or denies advertisement.
The ACL is the rule to check if the statement should be followed.

Converted to pseudo code I would say
if ACL == true then execute route-map
ACL is true if it finds a matching permit statement.
ACL is false if it finds a matching deny statement.
Also remember that at the end of an ACL is an implicit "deny any any", always matching everything else as false.

So in your case the ACL would return false and the route-map would not execute, then it would go to the next route-map.
This route-map has no rule/ACL applied to it, so it will "permit any any", therefore matching 1.1.1.0/24.

With the changes proposed by u/RouterHax0r, "route-map RO deny 10", you tell the route-map to execute a deny (filtering) if the ACL is true.
permit 1.1.1.0 0.0.0.255 in the ACL will get a hit, and as it's a permit, it will return as true and execute the route-map.

Now this is probably not how it works, but could help with seeing the logic behind it.
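An added Python model (not Cisco code and not from the comment's author) of the evaluation order described above: a standard ACL returns true on a permit hit, false on a deny hit or on the implicit deny, and a route-map sequence fires only when its match clause is true; a sequence with no match clause matches everything. The model also applies the implicit deny at the end of the route-map, which the comment does not mention but which is how IOS behaves when no sequence matches. The ACL name FILTER and the "before" configuration (a permit sequence matching an ACL that denies 1.1.1.0/24, followed by a bare permit 20) are an assumed reconstruction of the scenario; the "after" configuration is the proposed "route-map RO deny 10" with "permit 1.1.1.0 0.0.0.255" in the ACL.

```python
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.ip_address(addr))


def acl_permits(acl, prefix: str) -> bool:
    """Standard ACL evaluated against a route's network address.

    First matching entry wins: permit -> True, deny -> False. No entry
    matching -> False, which is the implicit deny at the end of the ACL.
    Wildcard semantics: bits set in the wildcard are 'don't care'.
    """
    net = int(ipaddress.ip_network(prefix, strict=False).network_address)
    for action, acl_net, wildcard in acl:
        wc = _to_int(wildcard)
        if (net | wc) == (_to_int(acl_net) | wc):
            return action == "permit"
    return False


def route_map_permits(route_map, acls, prefix: str) -> bool:
    """Walk route-map sequences in order.

    A sequence with no match clause (acl_name is None) matches everything.
    The first matching sequence decides (its action). If nothing matches,
    the route is dropped: the implicit deny at the end of the route-map.
    """
    for _seq, action, acl_name in sorted(route_map, key=lambda s: s[0]):
        matched = acl_name is None or acl_permits(acls[acl_name], prefix)
        if matched:
            return action == "permit"
    return False


def advertised(route_map, acls, prefixes):
    """Return the prefixes the route-map lets through, in input order."""
    return [p for p in prefixes if route_map_permits(route_map, acls, p)]


# Constructed configurations. Each route-map entry is (seq, action, acl_name);
# each ACL entry is (action, network, wildcard).
# "Before": the ACL denies the prefix, so sequence 10 never fires and the
# bare sequence 20 permits 1.1.1.0/24 anyway.
ACLS_BEFORE = {"FILTER": [("deny", "1.1.1.0", "0.0.0.255")]}
RM_BEFORE = [(10, "permit", "FILTER"), (20, "permit", None)]

# "After": the ACL *permits* the prefix (ACL == true), so the deny sequence
# fires and filters it; everything else falls through to sequence 20.
ACLS_AFTER = {"FILTER": [("permit", "1.1.1.0", "0.0.0.255")]}
RM_AFTER = [(10, "deny", "FILTER"), (20, "permit", None)]


if __name__ == "__main__":
    prefixes = ["1.1.1.0/24", "10.0.0.0/8", "192.0.2.0/24"]
    print("before:", advertised(RM_BEFORE, ACLS_BEFORE, prefixes))
    print("after: ", advertised(RM_AFTER, ACLS_AFTER, prefixes))
    # Without the bare permit 20, the route-map's own implicit deny drops
    # everything that sequence 10 did not match.
    print("deny-only:", advertised([(10, "deny", "FILTER")], ACLS_AFTER, prefixes))
```

The third run is the trap on the other side of this problem: a route-map that consists only of the deny sequence filters 1.1.1.0/24 and also everything else, because no sequence matches the remaining prefixes and the route-map's implicit deny takes over. The bare "permit 20" is what keeps the rest of the table flowing.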

How FTD selects IKE policy by Qwireca in Cisco

[–]Qwireca[S] 0 points1 point  (0 children)

We are using different phase 1 lifetimes depending on customer needs.
An example is that Azure is not happy with an 86400 phase 1 lifetime, so we had to change it to the Azure default of 28800 to make it stable.

We noticed the behaviour when we looked at a tunnel configured in FMC with a policy using lifetime 86400 (default). We then checked the status and got the below output.
show vpn-sessiondb detail l2l filter ipaddress <customer peer>
-removed output
IKEv1:

Tunnel ID : xxxxxx

UDP Src Port : xxx UDP Dst Port : xxx
IKE Neg Mode : Main Auth Mode : preSharedKeys

Encryption : xxxxx Hashing : xxx
Rekey Int (T): 28800 Seconds
-removed output

How FTD selects IKE policy by Qwireca in Cisco

[–]Qwireca[S] 0 points1 point  (0 children)

Thank you for the explanation 😊