Paloalto Firewall Commands Reference

Group-Mapping:

1. View the state of group mapping and check whether any error has occurred:

admin@HNSPAFW (active) > show user group-mapping state all

2. View the list of Active Directory group members synced to the firewall. Say you have just added a user to an internet access group in AD and want to confirm that the change is reflected on the firewall:

admin@HNSPAFW (active) > show user group name "hsngroup.net\level-internet-access-group"

3. Refresh the members of a specific AD group in group mapping. Say you have just added a user to an internet access group in AD but they still cannot browse; refresh group mapping for that group rather than waiting for the next scheduled sync. The command below does not affect existing traffic:

admin@HNSPAFW (active) > debug user-id refresh group-mapping …………

4. Refresh the members of all AD groups in group mapping. The command below does not affect existing traffic:

admin@HNSPAFW (active) > debug user-id refresh group-mapping all
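A way to run the membership check from item 2 against saved CLI output, as an added example that is not code from the original page or from Palo Alto Networks. The sample output below is constructed to follow the layout of show user group name on PAN-OS (a short name line, source lines, then one numbered line per member); that layout, the group and the user names are assumptions, not a capture from a real firewall.

```python
import re

# Constructed sample of 'show user group name "hsngroup.net\level-internet-access-group"'
# output. Not a capture from a real firewall; the layout (short name, source lines,
# then one "[n] domain\user" line per member) is an assumption about the format.
SAMPLE_OUTPUT = r"""
short name:  hsngroup.net\level-internet-access-group

source type: ldap
source:      hsn-ad-ldap

[1     ] hsngroup.net\alice
[2     ] hsngroup.net\bob
[3     ] hsngroup.net\svc-proxy
"""

MEMBER_LINE = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)$")
SHORT_NAME_LINE = re.compile(r"^short name:\s+(\S+)$")


def parse_group_output(output):
    """Return (group short name, set of member names) from the command output.

    Names are lower-cased because Active Directory matches them case-insensitively,
    so 'HSNGROUP.NET\\Alice' and 'hsngroup.net\\alice' must compare equal.
    """
    group = None
    members = set()
    for raw in output.splitlines():
        line = raw.strip()
        m = SHORT_NAME_LINE.match(line)
        if m:
            group = m.group(1).lower()
            continue
        m = MEMBER_LINE.match(line)
        if m:
            members.add(m.group(1).lower())
    return group, members


def user_in_group(output, user):
    """True if domain\\user appears in the group listing (case-insensitive)."""
    _, members = parse_group_output(output)
    return user.lower() in members


def missing_users(output, expected):
    """Return the expected users not yet visible on the firewall, i.e. the ones
    that still need a group-mapping refresh (or a fix on the AD side)."""
    _, members = parse_group_output(output)
    return sorted(u.lower() for u in expected if u.lower() not in members)


if __name__ == "__main__":
    group, members = parse_group_output(SAMPLE_OUTPUT)
    print(group, "has", len(members), "members")
    print("still missing:", missing_users(SAMPLE_OUTPUT, [r"hsngroup.net\bob", r"hsngroup.net\carol"]))
```

Paste the real command output in place of the constructed sample; if missing_users still lists the newly added account after a refresh, the problem is on the AD side (wrong group, replication lag, or a base DN that does not cover the user), not in the firewall cache.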

Juice Jacking – Free mobile charging stations can steal your data

Are you a frequent traveler who habitually charges your phone at public charging stations? Then this article is for you.

Juice jacking is the theft of data from a mobile phone through a public charging unit or station, which typically offers a USB cable to charge your phone. Attackers can tamper with such stations (or hide a small computer inside them) and copy data from the phone you plugged in merely to charge it, because the same USB cable carries both power and data. They may also install malware on the phone to enable later exploitation.

These charging stations are now found in many public places: malls, airports and conference rooms.

How to protect your data?

All you need to do is prevent the USB cable at a public charging point from carrying data, not just power.

1. Carry your own mains charger and use a power socket. This is the safest and simplest option of all.

2. Buy and carry your own power bank.

3. When you cannot find a power socket, use a juice-jack defender, also sold as a USB data blocker (a small dongle that sits between the station's USB cable and your phone, looking much like a connector). These devices pass only the power pins and leave the USB data lines disconnected, so the phone can charge but cannot exchange data with whatever is at the other end of the cable.

Where to buy such a juice-jack defender: www.chargedefense.com sells one for $15.

Step by Step guide to upgrade Cisco ASA IOS and ASDM Version

Important: although the steps below apply to most Cisco ASA software and ASDM upgrades, check cisco.com for the vendor-recommended upgrade path for your release before starting. (The ASA runs ASA software rather than Cisco IOS, though the image is often loosely called IOS.) Below is a step-by-step guide to upgrading a Cisco ASA from 8.6(1)2 to 9.1(2).

Refer to the Cisco recommended upgrade path for your ASA software version.

(config)# show version
Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)
Compiled on Fri 01-Jun-12 02:16 by builders
System image file is "disk0:/asa861-2-smp-k8.bin"
Config file at boot was "startup-config"

So our upgrade path is as follows:

first upgrade 8.6(1)2 to 9.0(2), then 9.0(2) to 9.1(2). At the same time we upgrade ASDM to 7.1(5), which supports ASA 9.1(2).

Upgrade ASA version from 8.6(1)2 to 9.0(2)

Note: there is no need to upgrade ASDM at this stage, since we still have to go on to the final version 9.1(2); ASDM can be upgraded at that later stage.

Step 1: Verify that the ASA has enough free space on disk0: for the new image ('show disk0:' reports the total and free bytes). I have 3.7 GB free, so no worries!
Note: Use Whatsbyte.com for byte conversion.


Step 2: Download the following from cisco.com (you need a login with a SmartNet contract):

  • The 9.0(2) and 9.1(2) ASA software images
  • The ASDM 7.1(5) image

Step 3: Download and set up a TFTP server (for example the free one from solarwinds.com).

Step 4: Upload the 9.0(2) image to the ASA via the TFTP server.
(config)# copy tftp: disk0:
Run 'show disk0:' to verify that the image has been copied to the ASA. Before booting from it, compare its checksum with the MD5 published on the cisco.com download page (the ASA's verify command with the /md5 option computes it on the box), so that a corrupted or tampered transfer is caught now rather than at reboot.


Step 5: Set the ASA to boot from the new 9.0(2) image at the next reload (don't forget to save the configuration!). Boot images are tried in the order their boot system entries appear in the running configuration, and a new entry is appended after existing ones, so if an entry for the old image is still present (check 'show running-config boot'), remove it with the no form first or the ASA will keep booting the old image.
(config)# boot system disk0:/asa902-10-smp-k8.bin
(config)# wr mem
(config)# reload


Step 6: Once the ASA is back up, run 'show version' and verify that the running version is 9.0(2).

Upgrade ASA version from 9.0(2) to 9.1(2) and ASDM version to 7.1(5)

Note: nothing new here, except that we also upload the new ASDM image.

Step 1: Upload the 9.1(2) image to the ASA via the TFTP server (copy tftp: disk0: as before, and verify the checksum again).


Step 2: Upload the ASDM 7.1(5) image to the ASA via the TFTP server.


Step 3: Set the ASA to boot from the 9.1(2) image and to use ASDM 7.1(5) at the next reload. As in the first pass, remove the stale boot system entry for 9.0(2) first, then save the configuration with wr mem and reload.

(config)# boot system disk0:/asa912-smp-k8.bin

(config)# asdm image disk0:/asdm-715.bin


Step 4: Verify with 'show version' that the running version is 9.1(2) and the Device Manager version is 7.1(5). We are done!

Config SSH and ASDM in Cisco ASA 5500 series

SSH Configuration Commands

Step 1: Set the domain name and create a local user. The domain name is needed for Step 4, because the RSA key pair is named after hostname.domain-name.

(config)# domain-name hackandsecure.com
(config)# username hns1 password ******* privilege 15

Step 2: Enable SSH on the inside interface
(To restrict access to a single host, use a host mask: ssh 10.240.102.8 255.255.255.255 inside. With a 255.255.255.0 mask the whole 10.240.102.0/24 subnet is allowed. The line below permits SSH from any source that can reach the inside interface; in practice restrict it to your management subnet.)

(config)# ssh 0.0.0.0 0.0.0.0 inside

Step 3: Authenticate SSH users against the LOCAL user database
Note: LOCAL must be typed exactly like that, in capitals.

(config)# aaa authentication ssh console LOCAL


Step 4: Generate an RSA key pair (the abbreviated form crypto key gen rsa gen mod stands for crypto key generate rsa general-keys modulus). A 1024-bit key is too weak for current SSH clients; use at least 2048 bits, and restrict the ASA to SSH version 2 (ssh version 2) so that SSHv1 cannot be negotiated.

(config)# crypto key generate rsa general-keys modulus 2048

Step 5: It is good practice to set an inactivity timeout for SSH sessions, say 10 minutes.
(config)# ssh timeout 10

 

ASDM Configuration Commands

Step 1: Using 'show version', verify that the ASDM image loaded on the ASA matches the running ASA version (the ASDM release must support that ASA release).


Step 2: Enable the HTTP server and allow ASDM connections on the inside interface. As with SSH, 0.0.0.0 0.0.0.0 allows any source; restrict it to your management subnet where you can.

(config)# http server enable
(config)# http 0.0.0.0 0.0.0.0 inside


You can run 'show run http' to verify that the HTTP server is enabled.

Note: WebVPN (clientless SSL VPN) uses the same port 443 as ASDM. If WebVPN is enabled on the same interface, move the HTTP server that serves ASDM to a different port, for example 4443:

(config)# no http server enable
(config)# http server enable 4443

Step 3: Authenticate ASDM (HTTP) users against the LOCAL user database
Note: LOCAL must be in capitals; for example, the ASA rejects the command when it is typed as locaL.

(config)# aaa authentication http console LOCAL


Step 4: Ensure the ASA is listening on port 443 (or the port you chose above); 'show asp table socket' lists the listening sockets.


Step 5: Set the idle timeout for inactive ASDM sessions to 10 minutes (the keyword is idle-timeout, not time-out).
(config)# http server idle-timeout 10

Do you still have problems accessing the ASA through SSH or ASDM?

• Check the TLS cipher list on the ASA. ASDM and its launcher connect over TLS, and the ASA's default cipher set is old enough that some browsers and Java clients refuse it. (SSH is not affected by this setting; for SSH problems check the RSA key size and SSH version from the steps above.) The list below offers rc4-sha1 and 3des-sha1, which current browsers themselves reject, so on a current release keep only the AES suites, listing the strongest first; on ASA 9.3 and later this is configured with ssl cipher instead.
(config)# ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

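To see how the management-plane settings from this section look when checked rather than just typed, here is an added example that is not code from the original page or from Cisco: a small audit over two constructed ASA running-config fragments, one that follows the commands above literally and one tightened to a single admin subnet, SSHv2 only, short idle timeouts and AES-only TLS suites. The interface names, subnets, thresholds and finding texts are invented; the checks cover the source range on each ssh/http line, host bits set under a non-host mask, SSH version, idle timeouts and weak TLS suites.

```python
import re
from ipaddress import IPv4Network

# Constructed sample: a management-plane fragment as it would look after typing
# the commands in this section literally. Not a dump from a real device.
WEAK_CONFIG = """\
domain-name hackandsecure.com
username hns1 password ******* privilege 15
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.240.102.8 255.255.255.0 inside
ssh timeout 10
aaa authentication ssh console LOCAL
http server enable 4443
http 0.0.0.0 0.0.0.0 inside
aaa authentication http console LOCAL
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
"""

# Constructed sample: the same device with management access limited to one
# admin subnet, SSHv2 only, short idle timeouts and AES-only TLS suites.
HARDENED_CONFIG = """\
domain-name hackandsecure.com
username hns1 password ******* privilege 15
ssh 10.240.102.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
aaa authentication ssh console LOCAL
http server enable 4443
http 10.240.102.0 255.255.255.0 inside
http server idle-timeout 10
aaa authentication http console LOCAL
ssl encryption aes256-sha1 aes128-sha1
"""

# "ssh <ip> <mask> <interface>" and "http <ip> <mask> <interface>" access lines.
ACCESS_LINE = re.compile(r"^(ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
WEAK_TLS_SUITES = {"rc4-md5", "rc4-sha1", "des-sha1", "3des-sha1", "null-sha1"}
MAX_IDLE_MINUTES = 15  # assumed local policy, not a Cisco default


def audit_asa_management(config):
    """Return a list of findings (strings) for the ssh/http/ssl settings in an ASA config."""
    findings = []
    ssh_v2 = False
    ssh_timeout = None
    http_idle = None
    for raw in config.splitlines():
        line = raw.strip()
        m = ACCESS_LINE.match(line)
        if m:
            proto, ip, mask, iface = m.groups()
            try:
                net = IPv4Network(f"{ip}/{mask}")  # strict: host bits must be zero
            except ValueError:
                findings.append(f"{proto}: {ip} {mask} has host bits set; use 255.255.255.255 for a single host")
                continue
            if net.prefixlen == 0:
                findings.append(f"{proto}: access allowed from any source on {iface}; restrict to the admin subnet")
            continue
        if line == "ssh version 2":
            ssh_v2 = True
        elif line.startswith("ssh timeout "):
            ssh_timeout = int(line.split()[-1])
        elif line.startswith("http server idle-timeout "):
            http_idle = int(line.split()[-1])
        elif line.startswith("ssl encryption "):
            weak = [s for s in line.split()[2:] if s in WEAK_TLS_SUITES]
            if weak:
                findings.append("ssl encryption: weak suites offered: " + ", ".join(weak))
    if not ssh_v2:
        findings.append("ssh: 'ssh version 2' not set; SSHv1 may still be negotiated")
    if ssh_timeout is None or ssh_timeout > MAX_IDLE_MINUTES:
        findings.append(f"ssh: idle timeout missing or above {MAX_IDLE_MINUTES} minutes")
    if http_idle is None or http_idle > MAX_IDLE_MINUTES:
        findings.append(f"http: idle-timeout missing or above {MAX_IDLE_MINUTES} minutes")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_asa_management(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Feed it the output of show running-config from a real box to get the same findings for your own device. The host-bits check is the one that catches the 10.240.102.8 255.255.255.0 mistake: the ASA silently accepts that line, but it opens the whole /24 rather than the one host the mask was meant to pick out.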

Failed to enable Virtual Adapter in Cisco VPN Client in 64bit Windows 8

We have users with 64-bit Windows 8 laptops who receive this error when trying to use the Cisco VPN Client.

Cisco VPN on Windows 8.1 - Reason 442: Failed to enable Virtual Adapter

Fix:

  • Click Start, type regedit in the Search field and press Enter.
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA
  • Find the String Value called DisplayName.
  • Right-click it and select Modify from the context menu.
  • In Value data, remove the @oemX.inf,%CVirtA_Desc%; prefix (X is a number that varies from machine to machine). The Value data should then contain only Cisco Systems VPN Adapter for 64-bit Windows.
  • Click OK.
  • Close Registry Editor.
  • Retry your Cisco VPN Client connection.
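The registry edit above as an added script, not code from the original page or from Cisco. It assumes only the key and value named in the steps; the helper names are mine. It strips the prefix generically rather than matching one @oemX number, and defaults to a dry run so the value that would be written can be inspected first.

```python
import re

# Registry location and the value that should remain after the fix.
CVIRTA_SUBKEY = r"SYSTEM\CurrentControlSet\Services\CVirtA"
EXPECTED_NAME = "Cisco Systems VPN Adapter for 64-bit Windows"

# Windows prefixes the adapter name with '@oemNN.inf,%CVirtA_Desc%;' where NN
# is a per-machine driver-store number, which is why a fixed string match fails.
BAD_PREFIX = re.compile(r"^@oem\d+\.inf,%CVirtA_Desc%;")


def needs_fix(display_name):
    """True if DisplayName still carries the @oemNN.inf,%CVirtA_Desc%; prefix."""
    return BAD_PREFIX.match(display_name) is not None


def fixed_display_name(display_name):
    """Return DisplayName with the prefix removed, leaving the plain adapter name.
    Also works for the 32-bit client, whose name lacks the 'for 64-bit Windows' suffix."""
    return BAD_PREFIX.sub("", display_name).strip()


def repair_cvirta_display_name(dry_run=True):
    """Apply the fix to the live registry (Windows only, run from an elevated prompt).
    Returns the value DisplayName has, or would have, after the call."""
    import winreg  # Windows-only module; imported here so the helpers above run anywhere
    access = winreg.KEY_READ | (0 if dry_run else winreg.KEY_WRITE)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CVIRTA_SUBKEY, 0, access) as key:
        current, value_type = winreg.QueryValueEx(key, "DisplayName")
        if not needs_fix(current):
            return current
        repaired = fixed_display_name(current)
        if not dry_run:
            winreg.SetValueEx(key, "DisplayName", 0, value_type, repaired)
        return repaired


if __name__ == "__main__":
    # Dry run by default: prints the value that would be written without touching the key.
    print(repair_cvirta_display_name(dry_run=True))
```

Run it with dry_run=False from an elevated prompt to write the value, then restart the Cisco VPN service or retry the connection as in the last step.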

I noticed that some VPN clients still receive the VPN error even though the DisplayName value is correct; in that case I followed the steps below and it worked for me!

  1. Open Services by running services.msc from a command prompt.
  2. Stop the Cisco Systems, Inc. VPN Service.
  3. Stop the Internet Connection Sharing (ICS) service.
  4. Right-click the ICS service and choose Properties, then change the Startup type to Disabled or Manual.
  5. Start the Cisco Systems, Inc. VPN Service.