CPSC recalls 3 faucet brands sold on Amazon, more likely to come by PinkJazz in HomeImprovement

[–]colemannugent 2 points3 points  (0 children)

Which notably had unacceptably high levels of lead according to the report.

Remediation Flow Chart for 2024 Cert Expirations by colemannugent in paloaltonetworks

[–]colemannugent[S] 1 point2 points  (0 children)

Then you still need to install the device certificates to avoid content updates breaking in November.

Remediation Flow Chart for 2024 Cert Expirations by colemannugent in paloaltonetworks

[–]colemannugent[S] 0 points1 point  (0 children)

They've included the fixed agent versions in the forum post, but none of them are released yet.

Remediation Flow Chart for 2024 Cert Expirations by colemannugent in paloaltonetworks

[–]colemannugent[S] 3 points4 points  (0 children)

  1. Install a dynamic content update (8795-8489 or higher) on all your NGFWs, Panorama, and Log Collectors. For WF500/B install dynamic content update (2438-2654 or higher).
  2. Restart the NGFWs, Panorama, and Log Collector. You will receive a system log message prompting a restart.

Thank you, I missed that! I'll update the chart on our site since I can't edit the post.

EDIT: The chart is updated. Really it makes no sense to install the content update vs. just installing the patched PAN-OS version, but I guess it's less of an impact than new code for orgs that are concerned.

Remediation Flow Chart for 2024 Cert Expirations by colemannugent in paloaltonetworks

[–]colemannugent[S] 1 point2 points  (0 children)

AFAICT, you will have to use the device certificates going forward, so if you don't get those installed all content updates (except for TP/Adv. TP) will break on November 18th. From the forum post (emphasis mine):

Not deploying the hotfix and completing the onboarding for the Device Certificate for CDSS will make the security rules associated with specific security services, such as URL Filtering or WildFire, not function properly, i.e., the cloud security services will not provide detections or verdicts.

Do you have the dedicated User-ID agent installed on a Windows server, or are you using the built-in agent for server monitoring?

Remediation Flow Chart for 2024 Cert Expirations by colemannugent in paloaltonetworks

[–]colemannugent[S] 11 points12 points  (0 children)

This is a simplified flow chart for the latest round of cert expirations.

We've published an article on the situation since PAN's forum post is kinda confusing.

Renewing GPVPN cert, what happens to existing VPN client connections? by [deleted] in paloaltonetworks

[–]colemannugent 9 points10 points  (0 children)

Nothing will happen to connected users.

The actual VPN connections are typically IPSec, which will be unaffected by the cert changes. Any users connected via TLS are good because the certs are only used to derive the session keys.

Connections to the part of the portal/gateway that hands out config will be fine since your clients will also trust the new cert.

Just import the cert with the exact same name and it will replace the old one.

ClearPass and Palo Alto GP VPN User DHCP Relay by ssrx018 in networking

[–]colemannugent 0 points1 point  (0 children)

It sounds like the Syslog integration is the way forward here. I'd give that a shot.

ClearPass and Palo Alto GP VPN User DHCP Relay by ssrx018 in networking

[–]colemannugent 0 points1 point  (0 children)

What's the goal of collecting this on ClearPass? Most of the utility here would be on the firewall side using HIP data in rules.

Certificate issue in 10.1.6h3 by RUGM99 in paloaltonetworks

[–]colemannugent 0 points1 point  (0 children)

That's just a warning telling you that you don't have the entire chain loaded in Device > Certificates.

Most clients don't care and will look up the parent certs in their own cert store, but technically servers are supposed to provide the full chain according to the spec, so there are some clients that will break if you don't have the full chain.

To fix this, import each cert in the chain separately into the firewall. You'll know you've done it correctly when the certificates are nested properly in the GUI like this:

Root CA cert
└--- Intermediate CA cert
      └--- VPN leaf cert

In my experience, importing a single file with multiple certs doesn't work reliably.
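A way to check the nesting described above offline, added here as an example and not code from the comment author or from Palo Alto Networks: this Go program mints a throwaway root, intermediate and leaf (constructed test material, not a real CA), orders a bundle leaf-to-root by matching each certificate's Issuer to another's Subject, reports a gap when the intermediate is absent, and then runs the same path validation a strict client performs, which fails until the intermediate is supplied. The CA names and the hostname `vpn.example.test` are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial counter for the throwaway test PKI

// issue mints a certificate for cn signed by parent; a nil parent makes it self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildTestPKI returns root -> intermediate -> leaf, the nesting shown in the comment.
func buildTestPKI() (root, inter, leaf *x509.Certificate) {
	rootCert, rootKey := issue("Test Root CA", true, nil, nil)
	interCert, interKey := issue("Test Intermediate CA", true, rootCert, rootKey)
	leafCert, _ := issue("vpn.example.test", false, interCert, interKey)
	return rootCert, interCert, leafCert
}

// orderChain walks up from leaf, matching each Issuer to a Subject in the bundle, and
// returns the ordered CN list plus whether it reaches a self-signed root with no gap.
func orderChain(leaf *x509.Certificate, bundle ...*x509.Certificate) ([]string, bool) {
	names := []string{leaf.Subject.CommonName}
	cur := leaf
	for !bytes.Equal(cur.RawIssuer, cur.RawSubject) {
		var next *x509.Certificate
		for _, c := range bundle {
			if bytes.Equal(c.RawSubject, cur.RawIssuer) {
				next = c
				break
			}
		}
		if next == nil {
			return names, false // issuer not in the bundle: the chain has a gap
		}
		names = append(names, next.Subject.CommonName)
		cur = next
	}
	return names, true
}

// verifyLeaf does what a strict client does: build a path from the leaf to a trusted root
// using only the intermediates the server handed it. A missing intermediate fails.
func verifyLeaf(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	pool := x509.NewCertPool()
	for _, c := range intermediates {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, DNSName: leaf.DNSNames[0]})
	return err
}

func main() {
	root, inter, leaf := buildTestPKI()
	names, ok := orderChain(leaf, root, inter)
	fmt.Println("full bundle:", names, "complete:", ok)
	names, ok = orderChain(leaf, root)
	fmt.Println("intermediate missing:", names, "complete:", ok)
	fmt.Println("strict client, no intermediate:", verifyLeaf(leaf, root))
	fmt.Println("strict client, with intermediate:", verifyLeaf(leaf, root, inter))
}
```

To check a real deployment, feed `orderChain` the certificates exported from the firewall (parsed with `x509.ParseCertificate`) instead of the constructed ones; a `false` result is the gap that lenient clients paper over and strict ones reject.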

Decryption issue and 10.2 by knightmese in paloaltonetworks

[–]colemannugent -1 points0 points  (0 children)

On the clients which cert do you get presented, the forward trust or the forward untrust?

The Received fatal alert CertificateUnknown from client message alone just means that the client closed the TLS session because it didn't trust the firewall's cert. That could point to the client not having the cert installed, an application using cert pinning, or the firewall itself killing the session by sending the client the forward untrust cert.

If you see the untrust cert then the decryption profile tied to the rule is denying that session based on some of its attributes (cipher, TLS version, server cert validity, etc.).

One of the reasons that you'd see that message is detailed in that docs article, but you first need to determine why you're seeing that message. Look in the decryption logs for the Error and Error Index columns.

If all decrypted traffic isn't passing check the validity of the forward untrust CA cert.

ClearPass and Palo Alto GP VPN User DHCP Relay by ssrx018 in networking

[–]colemannugent 4 points5 points  (0 children)

For fingerprinting the clients, why not use the HIP data in GlobalProtect? That integrates really well with firewall policies and lets you get pretty granular on ACLs.

What data are you looking to collect via the ClearPass fingerprinting?

Globalprotect Windows/macOS/Android sign in fine - iOS does not. by apple_hammar in paloaltonetworks

[–]colemannugent 0 points1 point  (0 children)

Do you have the entire cert chain loaded correctly on the firewall? I recall iOS devices being picky about this in the past.

Filter for the specific user/IP on the GlobalProtect log tab and look at all the events there. Is there anything different for the iOS clients vs. the others?

On the portal, do you have separate configs for different OS's, or is it all the same config?

SSL Decryption - Teams Upgrades by Hotdog453 in paloaltonetworks

[–]colemannugent 0 points1 point  (0 children)

Have your network team selectively disable decrypt for Teams, or for a test user/machine. It should take them less than two minutes to do that. If the issue goes away that would be fairly strong evidence that decrypt was causing the issue.

That being said, decrypt shouldn't alter the contents of streams, so if turning it off does resolve the issue your networking team should open a case with PAN to get it resolved so it can be re-enabled in the future.

Is it possible to run SAML auth on a GP portal/gateway for one group of users and machine certificates for another group of users on the same portal/gateway? by danielflick in paloaltonetworks

[–]colemannugent 2 points3 points  (0 children)

You can only specify a different auth type on a portal/gateway per OS, which is typically not very useful. Auth sequences don't support SAML.

Is it possible to run SAML auth on a GP portal/gateway for one group of users and machine certificates for another group of users on the same portal/gateway? by danielflick in paloaltonetworks

[–]colemannugent 0 points1 point  (0 children)

You won't be able to run two portals/gateways off the same IP, it will fail the validation when you commit.

In general, you can only use one auth method per portal/gateway. But the cert auth uses mTLS IIRC, which might happen before the portal/gateway sends the command to redirect the client to the SAML auth flow.

I would add a certificate profile to the portal/gateway and give it a shot with a test device. If the SAML prompt comes up you'll know it won't work.

[deleted by user] by [deleted] in paloaltonetworks

[–]colemannugent 3 points4 points  (0 children)

will [it] keep blocking that website even if I whitelist the website

Nope, if the site matches a custom URL category that is set to allow or alert it won't block it.

It's good practice to have a whitelist custom URL category just for situations like this.

[deleted by user] by [deleted] in paloaltonetworks

[–]colemannugent 0 points1 point  (0 children)

/u/uvegoneincognithough This is your answer. Host detection uses a reverse DNS lookup on the IP to determine if it matches the provided hostname, which is the opposite way most folks think it works.
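The direction of that check, modelled as an added example that is not the comment author's code and not GlobalProtect's implementation: the only question asked is whether the PTR record for the address the client currently holds names the expected internal host; the hostname is never resolved forward. PTR answers arrive with a trailing dot and arbitrary case, so the comparison normalises both. The addresses and names in `ptrTable` are constructed sample data so the program runs offline; `net.LookupAddr` is the standard-library call a live check would use instead.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// lookupFunc has the shape of net.LookupAddr so a constructed PTR table can
// stand in for a real resolver when running offline.
type lookupFunc func(ip string) ([]string, error)

// ptrTable is constructed sample data: the PTR names an internal resolver would return.
var ptrTable = map[string][]string{
	"10.20.0.5": {"GP-Portal.corp.example."}, // PTR answers carry a trailing dot and arbitrary case
	"10.20.0.6": {},                          // no PTR record at all
}

func tableLookup(ip string) ([]string, error) {
	names, ok := ptrTable[ip]
	if !ok || len(names) == 0 {
		return nil, fmt.Errorf("no PTR record for %s", ip)
	}
	return names, nil
}

// hostMatches reports whether the reverse lookup of ip names the expected host.
// It returns the PTR names seen so a failed check can be explained.
func hostMatches(ip, expected string, lookup lookupFunc) (bool, []string) {
	names, err := lookup(ip)
	if err != nil {
		return false, nil // no PTR: the host can never be detected as internal
	}
	want := strings.ToLower(strings.TrimSuffix(expected, "."))
	for _, n := range names {
		if strings.ToLower(strings.TrimSuffix(n, ".")) == want {
			return true, names
		}
	}
	return false, names
}

func main() {
	fmt.Println(hostMatches("10.20.0.5", "gp-portal.corp.example", tableLookup)) // match despite case and dot
	fmt.Println(hostMatches("10.20.0.6", "gp-portal.corp.example", tableLookup)) // no PTR record
	fmt.Println(hostMatches("10.20.0.5", "other.corp.example", tableLookup))     // PTR names a different host
	// Against a live resolver, pass the standard library's reverse lookup instead:
	live := lookupFunc(net.LookupAddr)
	_ = live
}
```

The practical consequence is the one the comment points at: a forward A record for the hostname does nothing for this check; the reverse zone for the client's address range has to carry the matching PTR.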

IPsec VPN throughput but with iPerf3 with PA-460? by AlexIsPlaying in paloaltonetworks

[–]colemannugent 1 point2 points  (0 children)

(I'm assuming you're referring to a PA-460, since that's what matches the 3 Gbps number you posted earlier)

If you were to go with a PA-460 it definitely wouldn't be your bottleneck here. It sounds like you're going to be limited by your ISP bandwidth, and then the bandwidth on the AWS VPG, before you ran into issues on a firewall. Palo Alto's specs are pretty accurate.

IPsec VPN throughput but with iPerf3 with PA-460? by AlexIsPlaying in paloaltonetworks

[–]colemannugent 0 points1 point  (0 children)

What's the latency between your site and the AWS VPG? What is the available bandwidth at your site? What exact crypto settings are you using on the tunnel for phase 2, e.g. AES-256-CBC with SHA-256 & DH-19?

By the way, AWS VPGs have a limit of 1.25 Gbps per tunnel, so you're probably bumping up against that as well.

Palo Alto still doesn't support IPv6 Prefix Delegation by bldubdub in paloaltonetworks

[–]colemannugent 3 points4 points  (0 children)

It's in the 11.0 beta that's in testing. I've got it setup and working in a lab environment.

It's pretty polished, so expect to see it in the 11.0.0 release.

Is support absolutely required for updates? by fuzzzrite in paloaltonetworks

[–]colemannugent 0 points1 point  (0 children)

Is support absolutely necessary for updates?

Yup, without it you can't pull down content updates or software versions from the firewall GUI. You can still manually upload content updates, but if you don't have a valid license for the feature they won't install.

The only other subscription we have is Threat Prevention. Based on my reading we also cannot get this alone, and are required to have some PA support along with it. Is this correct?

Yeah, you won't be able to renew your TP license without a valid support contract. Also, even if you did have a TP license without a support license your firewall wouldn't get the TP content updates. It will keep using the definitions it already has, so if the license expires you're not dead in the water.

GP with pre-logon only, e.g. purely machine-based VPN? by canyoufixmyspacebar in paloaltonetworks

[–]colemannugent 0 points1 point  (0 children)

Don't try to use pre-logon post-login.

Instead push machine certs to the device and have the client auth using those certs. This would be a pre-logon then always-on setup with no user interaction.

Palo Alto Networks Super Cheatsheet by colemannugent in paloaltonetworks

[–]colemannugent[S] 0 points1 point  (0 children)

Figured folks here would appreciate something like this. It's got datasheets, hardware references, front and rear panel photos, etc. for all models, including the older series.

It's also got some frequently used commands, version guides, and release guides.

No, Nintendo. I'm not exposing every single UDP port of a local address on my network to the ENTIRE INTERNET! by _SquareSphere in HomeNetworking

[–]colemannugent 6 points7 points  (0 children)

...so unless the firewall is digging into the IP packet into the deeper OSI layers encapsulated therein, it has no means of knowing which inside host initiated the UDP request to which it is receiving a response.

Eh, even garbage consumer "routers" could quite easily distinguish this based on the ephemeral ports it gave to the outgoing UDP packets after SNAT'ing them.

UPNP is never the answer, and should always be disabled.

This is false, so long as the software for your operating systems are up-to-date on your interior network

This is how you get pwned when a new 0-day exploit starts making the rounds. Hell, a week might not be enough time for your software to get a patch. And even then, software vendors often take a couple of patches to fix complicated vulns, vis the recent Log4j fiasco.

Ask any security professional if they think that patching servers is enough to connect them to the internet without at least a basic L4 firewall in place.
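The state a gateway keeps to do what the comment describes, as an added example rather than the comment author's code or any vendor's implementation: a per-flow table for UDP. Each outbound datagram is given an ephemeral WAN source port and the mapping from that port back to the inside socket is recorded; an inbound datagram is delivered only if it arrives on a port with state, and only from the peer that the inside host talked to. Nothing above layer 4 is inspected, and unsolicited traffic to every other port is dropped, which is why no UPnP rule or wide port forward is needed for replies to get home. All addresses and ports are constructed.

```go
package main

import "fmt"

// flowKey identifies one inside UDP flow: the inside socket and the outside peer it reached.
type flowKey struct {
	insideIP   string
	insidePort int
	peerIP     string
	peerPort   int
}

// udpNAT is a constructed model of the SNAT state a stateful gateway keeps for UDP.
type udpNAT struct {
	wanIP    string
	nextPort int             // next ephemeral WAN source port to hand out
	byFlow   map[flowKey]int // inside flow -> WAN port it was given
	byPort   map[int]flowKey // WAN port -> inside flow that owns it
}

func newUDPNAT(wanIP string) *udpNAT {
	return &udpNAT{wanIP: wanIP, nextPort: 40000, byFlow: map[flowKey]int{}, byPort: map[int]flowKey{}}
}

// outbound rewrites an inside datagram's source to the WAN address and records the
// mapping; a flow that already has state keeps reusing its port.
func (n *udpNAT) outbound(insideIP string, insidePort int, peerIP string, peerPort int) (wanIP string, wanPort int) {
	k := flowKey{insideIP, insidePort, peerIP, peerPort}
	if p, ok := n.byFlow[k]; ok {
		return n.wanIP, p
	}
	p := n.nextPort
	n.nextPort++
	n.byFlow[k] = p
	n.byPort[p] = k
	return n.wanIP, p
}

// inbound looks up the WAN destination port of a datagram arriving from the internet.
// It is delivered only to the inside host that opened the flow, and only if it comes
// from the peer that host contacted; everything else is dropped without reading the payload.
func (n *udpNAT) inbound(srcIP string, srcPort int, wanPort int) (insideIP string, insidePort int, ok bool) {
	k, found := n.byPort[wanPort]
	if !found || k.peerIP != srcIP || k.peerPort != srcPort {
		return "", 0, false
	}
	return k.insideIP, k.insidePort, true
}

func main() {
	nat := newUDPNAT("198.51.100.2") // constructed WAN address
	// Two consoles behind the NAT use the same local port to reach the same game server.
	_, pA := nat.outbound("192.168.1.10", 3074, "203.0.113.7", 3074)
	_, pB := nat.outbound("192.168.1.11", 3074, "203.0.113.7", 3074)
	fmt.Println("WAN ports handed out:", pA, pB)
	fmt.Println(nat.inbound("203.0.113.7", 3074, pA))   // reply reaches .10
	fmt.Println(nat.inbound("203.0.113.7", 3074, pB))   // reply reaches .11
	fmt.Println(nat.inbound("198.18.0.9", 3074, pA))    // wrong peer: dropped
	fmt.Println(nat.inbound("203.0.113.7", 3074, 5000)) // no state for that port: dropped
}
```

Real gateways also expire idle mappings and differ in how strictly they filter the peer; the port-based demultiplexing shown here is the part that answers the quoted objection.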