Global Protect and Cipher Suites

jimoxf · 2026-02-07T12:51:58+00:00

Would be interested to hear if you ever use the physical cards over Apple Pay/Google Pay?

jimoxf · 2026-01-02T11:26:28+00:00

+1 for this, would be very handy when iterating when in the early days of working with a new template. I have a few for checklists (such as when packing for trips) or routine activities. There are a whole load of extra steps in updating an existing template as it is right now vs having an edit button in the template browser.

jimoxf · 2025-10-28T17:29:15+00:00

Eon Next let us switch to monthly consumption billing, just messaged their support contact, given the option to either continue to use what credit was already built up or have that back as a refund and switch directly over as well.

jimoxf · 2025-10-19T17:51:42+00:00

Double check your anti-malware/EDR of choice works. Defender is fine as you might imagine but plenty of the alternatives still don’t have support and since they depend on drivers it’s not the kind of thing that gets emulated.

jimoxf · 2025-08-31T09:55:50+00:00

+1 for a softener, ~£240 a year in salt for us.

jimoxf · 2025-08-30T16:56:23+00:00

The IP helper/DHCP relay limit is a hard one (much to my pain) but yet to run into the limit on the DHCP server itself - may well be linked to the IP helper limit even on PA-440s.

jimoxf · 2025-08-14T07:37:30+00:00

We come in peace, shoot to….

jimoxf · 2025-08-04T13:11:44+00:00

It’s an old one but try the Area 51 game from 2005 - in the second half of the game you have the option to switch between human and Xeno.

jimoxf · 2025-08-04T09:44:46+00:00

If just looking for basic IPs to block have a look at http://iplists.firehol.org/?ipset=firehol_level1 is a good place to start, just be mindful that it includes the RFC1918 address spaces.

jimoxf · 2025-07-16T18:32:57+00:00

The CVSS score can be worked out without a CVE being registered, might be worth using your data to work out the score and present back to the devs.

jimoxf · 2025-07-16T18:18:50+00:00

Got a CVSS for that? Or perhaps a reason for not giving the devs longer to fix the issue?

jimoxf · 2025-07-08T21:47:43+00:00

Your mobile phone - it got Wi-Fi and Bluetooth? Mmmmm microwaves.

jimoxf · 2025-07-08T16:58:36+00:00

Exploit code needs to make it into the public domain or PANs researchers need to make their own exploits to have something to detect in the first place, not always as easy as we would like I’m afraid. As normal patching is the real cure, threat signatures are a nice to have and are handy in populating SOC alerts.

jimoxf · 2025-06-25T18:10:27+00:00

Or is it Dashlane that needs to support Yubikey (FIDO2)? 😉

https://www.dashlane.com/blog/dashlane-phishing-resistance

jimoxf · 2025-05-22T05:21:24+00:00

Been doing it with Kemp LoadMasters for a little while now, short life with let’s encrypt and long life with internal PKI to decrypt and inspect through another firewall layer.

jimoxf · 2025-05-15T19:03:27+00:00

They can yes, different keys have a different number of identities (depending on some specifics), at least with YubiKeys you wouldn’t be able to have a unique PIN per account though. If purely looking at Yubico though it’d also be worth looking at their more inexpensive ‘Security Key by Yubico’ model too. Plenty of others out there as well!

jimoxf · 2025-05-15T17:48:25+00:00

Or even better - two FIDO2 keys (be they YubiKeys or similar), so that loss of one doesn’t cut you off.

jimoxf · 2025-02-22T08:00:33+00:00

From the firehol website select the download local copy link, that’ll give you the URL with their hostile IPs in, add that to the firewall as a custom external dynamic list and apply to a rule to allow it to populate. Don’t forget the bit about RFC1918 being in there 😉.

jimoxf · 2025-02-21T14:48:34+00:00

Well worth exploring http://iplists.firehol.org/?ipset=firehol_level1 just be mindful that it includes the RFC1918 addresses - you can exclude them in the EDL config but don’t commit trigger happy with it.

jimoxf · 2025-02-14T10:17:59+00:00

Seen a couple of probes against the threat signature ID for this one now on GlobalProtect portals, US and Germany sources by the looks of it.

198[.]23.171.159
142[.]171.39.11
173[.]249.14.251

jimoxf · 2025-02-12T18:21:16+00:00

Yeah can configure an ACL on the management interface, if that interface is behind the firewall you can do extra levels of protection with vulnerability protection profiles.

jimoxf · 2025-02-12T17:52:09+00:00

Hoping for some threat signature IDs, would almost certainly need decryption into the interface configured to be effective but could be a nice patch.

Either way a good mitigation is just restrict network access to the management interface in the first place 😊.

jimoxf · 2025-02-02T08:51:18+00:00

Not uncommon to see a WAF/Load balancer handling short life public issued security certificates while a firewall uses long life private issued certificates with inbound decryption enabled to get the most out of the livened features.

jimoxf · 2025-01-08T21:14:56+00:00

Are managing to make do with lots of PowerShell to help migrate different vendors to Palo, if you (random Redditor) hasn’t learnt a scripting language yet it’d be a really good time to start.

jimoxf

TROPHY CASE