And all was well, then a week later I got an email…
One of our teachers is doing a project with MATHS and ICT involving bitcoin. Basically, he has something called BITCOIN CORE WALLET installed and it used to work with the old Firewall.
I’ve installed it on my work laptop and taken it home on my Internet connection & it works fine.
BUT, when I bring it back into school, it’s failing. When I bypass the Firewall, it also works – so I guess IPS/AMP is blocking something.
The software seems to start and then download/sync “stuff” for bitcoin.
In school it tries and then says “NO block source available”.
Google seems to hint towards network issues.
It definitely did work, as the teacher has screen grabs of it working.
Any ideas what could be blocking this?
Now Bitcoin uses a series of ledgers that update each other around the world (to make it resilient). So if the FirePOWER was the culprit, it was either identifying the traffic as a bot, or I had a rule specifically blocking Bitcoin.
Solution
Note: Bitcoin does need TCP port 8883 open, but that didn’t seem to be the problem.
Thankfully on the monitoring tab, as soon as I logged in, the answer was staring me in the face, (I had to change the time frame to last 30 days first).
Not only does it confirm the FirePOWER IDS blocked it, but it also told me which ‘Rule’ it had matched, (PUA-OTHER Bitcoin outbound request attempt). PUA stands for Probably Unwanted Application, in case you were wondering. Edit your IDS policy, and search for ‘Bitcoin’.
I’ll leave the Malware rules alone, but I’ll allow both the PUA-Bitcoin rules, (i.e. set them to ‘Disable’).
Then don’t forget, you need to deploy the new FirePOWER policy and ensure that your access control policy says it’s up to date on all devices, before you test again. If you’re unsure how to do that, see the link I posted above.
Related Articles, References, Credits, or External Links
I don’t often use Nortel (now Avaya) switches, I know they are decent, but in my day job I usually work on Cisco, occasionally HP, and other cheap assorted nastiness switches.
I was replacing an old 10/100 Cisco 3750 switch with a Nortel 4526GTX this week, and thought I’d take some notes for the common things I do, just in case I have to do another.
So this post is an eclectic collection of the various things I had to do, and worked out for the future.
Solution
I’m carrying the following out via console cable, the settings are the same as you would expect for a Cisco/HP switch, i.e.
9600 Baud
8 bits
1 stop bit
No Parity
WARNING: The console cable is NOT the same pinout as a normal console cable, it’s a straight through cable, (not a rollover cable). Though I did discover that the Cisco SMB switches also use the same cable.
Console: When connected it may look like nothing is happening; pressing enter etc. shows no output. This is normal, you need to press CTRL+Y before you get a command prompt.
Nortel / Avaya Switches Update the Firmware / Software
WARNING: Requires downtime, (2x reboots).
Nortel / Avaya switches have a software image and a firmware file. ALWAYS update the firmware first! I’ve got a TFTP server set up on my laptop (see links below), with the firmware and software image files ready.
Once again the switch will reboot; when it’s back online, check that the firmware and software versions shown on the welcome screen are correct.
Backing up and Restoring Nortel / Avaya Switches via TFTP
I’m usually doing this for other switch vendors, and for those I back up the config to a readable text file that I can also refer back to, to see how things are configured. You can do the same thing on a Nortel / Avaya switch, but YOU CAN’T restore the switch from that ‘readable’ backup (unless you copy and paste the commands back in). To back up to a human readable file use the following command;
As I mentioned above, I’m working on a 4526GTX switch, but the procedure is the same for;
400 Series, (450, 460, 470.)
2500 Series.
4500 Series.
5500 Series, ( 5510, 5520, 5530.)
Connect to the switch using a serial connection (settings above), then reboot the switch. If you watch the boot text, eventually it will say “Press Control C to Enter Diag” > Press Control+C > Choose option ‘i’ initiate config flash.
Then choose option ‘a’ to run agent code > The switch will now boot up.
Press CTRL+Y and the switch will have a blank, (factory reset) config.
Nortel / Avaya Set a Management IP (and Default Route)
Like other vendors, if you are going to deploy the switch in a ‘flat’ network (i.e. all ports in VLAN 1) then you only need to set up an IP address for VLAN 1.
By default the switch will be on 192.168.1.1 which you can see with the following command;
[box]
4526GTX(config-if)#show ip
Bootp/DHCP Mode: Disabled
Configured In Use Last BootP/DHCP
--------------- --------------- --------------------
Stack IP Address: 192.168.1.2 0.0.0.0
Switch IP Address: 192.168.1.1 192.168.1.1 0.0.0.0
Switch Subnet Mask: 255.255.255.0 255.255.255.0 0.0.0.0
Default Gateway: 0.0.0.0
[/box]
To change that, first I’m going to rename VLAN 1, then remove that IP, and finally set a new one.
[box]
4526GTX(config)#vlan name 1 Default-VLAN
4526GTX(config)#interface vlan 1
4526GTX(config-if)#no ip address 192.168.1.1 255.255.255.0
4526GTX(config-if)#ip address 192.168.254.1 255.255.255.0
[/box]
To set the default route, first I’m enabling routing, then setting the default route;
Then to enable telnet (and SSH, strangely) using local authentication;
[box]
4526GTX(config)#cli pass telnet local
[/box]
Note: I didn’t have to add any extra commands to enable web management via the GUI.
Nortel / Avaya Assigning Ports to VLANS
At the command line this can get a little confusing; my colleagues point out that it’s much simpler to do in the web interface. But at PNL we don’t work on the web interface.
To understand how it works, you need to remember: ‘Any port can be tagged in a VLAN (or any number of VLANs), but a port can only be untagged in one VLAN’. This is the same for all vendors, they just use different terminology, i.e. HP = Tagged and Untagged (simple), Cisco = Access Port and Trunk (simple if you are used to it).
Unlike ‘modern’ Cisco switches, if you reference a VLAN that does not exist it will just error; like older switches, you need to create the VLAN and add it to the VLAN database first.
Creating and Naming a VLAN
Here I create VLAN 100, and call it PROD-NW.
[box]
4526GTX(config)#vlan create 100 name PROD-NW type port
[/box]
Assign an IP Address (SVI) to a VLAN
Using the VLAN I created above, I’m adding ip address 192.168.100.1/24 to it.
Remember what I said above about VLANs (a port can be tagged in multiple VLANs). If you are a Cisco-head, a port with multiple VLAN tags is a trunk. (If all the HP engineers are confused at this point, read the link at the bottom of the page).
So you need to ‘Remove’ a port from VLAN1 (or the VLAN it is in) then make it a member of your new VLAN, and finally you need to assign the PVID of your new VLAN to the port!
So below I’m moving ports 1 to 4 into VLAN 100 from VLAN 1;
[box]
4526GTX(config)#vlan members remove 1 1-4
4526GTX(config)#vlan members add 100 1-4
4526GTX(config)#vlan ports 1-4 pvid 100
[/box]
Note: If you do it in the wrong order and get a warning, you can stop the warnings with a ‘vlan configcontrol flexible’ command.
To prove it worked;
[box]
4526GTX(config)#show vlan int info
     Filter   Filter
     Untagged Unregistered
Port Frames   Frames       PVID PRI Tagging       Name
---- -------- ------------ ---- --- ------------- --------------
1    No       Yes          100  0   UntagAll      Port 1
2    No       Yes          100  0   UntagAll      Port 2
3    No       Yes          100  0   UntagAll      Port 3
4    No       Yes          100  0   UntagAll      Port 4
5    No       Yes          1    0   UntagAll      Port 5
6    No       Yes          1    0   UntagAll      Port 6
7    No       Yes          1    0   UntagAll      Port 7
8    No       Yes          1    0   UntagAll      Port 8
9    No       Yes          1    0   UntagAll      Port 9
10   No       Yes          1    0   UntagAll      Port 10
11   No       Yes          1    0   UntagAll      Port 11
12   No       Yes          1    0   UntagAll      Port 12
-----------Config Removed for the Sake of Brevity----------
[/box]
You can also use the following command;
[box]
4526GTX(config)#show vlan
Id  Name                 Type     Protocol         PID      Active IVL/SVL Mgmt
--- -------------------- -------- ---------------- -------- ------ ------- ----
1   Default-VLAN         Port     None             0x0000   Yes    IVL     Yes
        Port Members: 5-26
100 PROD-NW              Port     None             0x0000   Yes    IVL     No
        Port Members: 1-4
Total VLANs: 2
[/box]
Or if you are running a newer version of the code;
[box]
4526GTX(config)#show run mod vlan
! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 4526GTX
! Software version = v5.6.3.025
!
! Displaying only parameters different to default
!================================================
enable
configure terminal
!
! *** VLAN ***
!
vlan create 100 type port 1
vlan name 1 "Default-VLAN"
vlan name 100 "PROD-NW"
vlan configcontrol flexible
vlan members 1 5-26
vlan members 100 1-4
vlan ports 1-4 pvid 100
no auto-pvid
!
! *** VLAN Phase 2***
!
[/box]
Other Quick Examples
[box]
! Create VLAN 200 named 8021x-NW, with an SVI of 192.168.200.1, and add ports 13 to 16
vlan create 200 name 8021x-NW type port
vlan members remove 1 13-16
vlan members add 200 13-16
vlan ports 13-16 pvid 200
int vlan 200
ip address 192.168.200.1 255.255.255.0
exit

! Create VLAN 101 named DMZ-NW, and add ports 7 to 10
vlan create 101 name DMZ-NW type port
vlan members remove 1 7-10
vlan members add 101 7-10
vlan ports 7-10 pvid 101

! Add ports 5 and 6 to (existing) VLAN 100
vlan members remove 1 5-6
vlan members add 100 5-6
vlan ports 5-6 pvid 100
[/box]
Related Articles, References, Credits, or External Links
Special thanks to Kevin Almond for his assistance.
I’ve seen one person use Edge as their browser in a business environment. I’ve got nothing against it (I use macOS anyway). But I had a client that asked me how to make sure his machines are set to NOT use Edge as the default browser.
I’m going to use Internet Explorer instead, but you can do the same with Chrome or Firefox depending on your browser of choice.
Solution
What I’m going to do is set the browser on one machine, then export the default associations for that machine to an XML file, then via GPO I’m going to get my Windows 10 machines to use that XML file (by filtering the GPO so it only applies to Windows 10).
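The export step described above, as an added PowerShell example that is not from the original post: it uses DISM’s /Export-DefaultAppAssociations switch to produce the XML file that the ‘Set a default associations configuration file’ policy consumes, then parses that XML to confirm which application owns http and https before the file is deployed. The output path is a placeholder.

```powershell
# Added example, not code from the original post. Run as an administrator on the
# reference machine whose browser you have already set. The XML path is a placeholder.
$xmlPath = 'C:\IT Dept\DefaultAssociations.xml'

function Export-DefaultAssociations {
    param([string]$Path)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # DISM writes every file-type and protocol association of the current machine.
    & Dism.exe /Online /Export-DefaultAppAssociations:$Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "DISM export failed with exit code $LASTEXITCODE" }
}

function Get-BrowserAssociations {
    param([string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    # The file is <DefaultAssociations><Association Identifier=".htm" ProgId="..." ApplicationName="..." /> ...
    $doc.DefaultAssociations.Association |
        Where-Object { $_.Identifier -in 'http', 'https', '.htm', '.html' } |
        Select-Object Identifier, ProgId, ApplicationName
}

Export-DefaultAssociations -Path $xmlPath
$browser = Get-BrowserAssociations -Path $xmlPath
$browser | Format-Table -AutoSize

# Refuse to ship the file if Edge still owns the web protocols on the reference machine.
if ($browser | Where-Object { $_.ApplicationName -like '*Edge*' }) {
    throw 'Edge is still the default for http/https on this reference machine; fix it before exporting again'
}
```

Once the check passes, copy the XML to a share the computers can read and point the policy at it; the check is worth repeating after any feature update, because Windows resets some associations when it upgrades.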
Servers locking themselves after a period of inactivity is, (in most cases) a good thing. But on my test network that only I use it gets a bit annoying switching between machines and constantly having to unlock Windows all the time!
Note: For obvious security reasons don’t do this on a production network!
Solution
Create a new GPO linked to your computer OU, (or edit an existing one).
I’ve written hundreds of posts about doing things with group policies. Every time I finish one, I write a couple of paragraphs on how long to wait, or how to force the policy etc. So I’ve finally got round to writing a post I can simply reference!
How Long Before Group Policy Changes Are Applied?
This is something that hasn’t changed since I was doing Windows 2000 exams 🙂 The default interval between policies being applied is 90 minutes, plus or minus a figure between 0 and 30 minutes (this avoids all user and computer policies being seen and applied at the same time). So between 60 minutes and 120 minutes if you are going to wait.
Now you can change this interval with group policy;
[box]
User Configuration > Administrative Templates > System > Group Policy > Group Policy refresh interval for users
Computer Configuration > Administrative Templates > System > Group Policy > Group Policy refresh interval for computers
[/box]
As you can see, you can change the interval up to 64,800 seconds (45 days). If you set it to ‘0’ the policy updates every 7 seconds; NEVER DO THIS unless you’re on a test bench with a couple of computers! Personally I’ve never needed to mess around with these settings.
Solution
Force Group Policy Update From GPMC
If you have Windows 2012 server with the group policy management console installed, you can force a group policy refresh on an OU in Active Directory.
Either right click the OU, and select ‘Group Policy Update..’ (or from the Action menu) > Yes.
Some will fail: they might not be turned on, or (like some below) they might be Linux machines.
Manually Force a Group Policy Update on a Single Host
While testing new policies this command is your friend: it gives you a chance to test the result on a client instantly (as soon as policy editing is finished). Open an administrative command window and run the following command.
[box]gpupdate /force[/box]
Note: Some policies require a log off/log on, or even a reboot, you should be told this after running gpupdate.
Force Group Policy Update with PowerShell
You can also get single/multiple machines/users to update their policies using PowerShell. For this to work you need Server 2012 and at least Windows 8 clients. You also need to make some changes to the machines’ firewalls. Luckily you can also do that with group policy, and Microsoft have already written the policy for you (it’s in starter policies).
Within the Group Policy Management Console > Locate Starter GPOs > Group Policy Remote Update Firewall Ports > New GPO From Starter GPO > Give the new policy a name.
Link that new policy to your user/computer organisational units (as required).
You can now use the ‘Invoke-GPUpdate’ cmdlet; here I’m applying the update to the ‘Servers’ OU.
Warning: This displays output on the affected machines, and might start some users ringing the help desk!
See What Group Policies are Being Applied
Forcing them is one thing, proving they actually get to the target computers is something else. For peace of mind, and troubleshooting, it helps to see what policies have filtered down to the computers and users.
Or to see things a little more ‘granularly’: Windows Key + R > mmc {enter} > File > Add/Remove Snap-In > Resultant Set of Policy > Add > OK.
Generate RSoP Data > Follow the Wizard.
When complete it will show you the ‘sum total’ of all policies being applied – it can also show you any problems that are occurring. The next best place for troubleshooting group policies is the Event Viewer on the target machine.
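Pulling the last two sections together, as an added example that is not from the original post: this PowerShell forces a refresh on every computer in an OU with Invoke-GPUpdate, then collects the resultant set of policy for each one with Get-GPResultantSetOfPolicy, so you are proving the policies landed rather than trusting that the refresh happened. The OU distinguished name and report folder are placeholders; it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and that the starter GPO above has opened the firewall ports on the targets.

```powershell
# Added example, not code from the original post. Assumes the GroupPolicy and
# ActiveDirectory RSAT modules are installed and the 'Group Policy Remote Update
# Firewall Ports' starter GPO has been applied. OU DN and report folder are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou        = 'OU=Servers,DC=example,DC=local'   # placeholder: DN of the OU to refresh
$reportDir = 'C:\IT Dept\RSoP'                  # placeholder: where verification reports land
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

$computers = Get-ADComputer -Filter * -SearchBase $ou | Select-Object -ExpandProperty Name

# Pass 1: trigger the refresh. Switched-off hosts and Linux machines will fail, as the
# post notes, so each host is handled on its own rather than aborting the whole run.
$status = @{}
foreach ($name in $computers) {
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        $status[$name] = 'Unreachable'
        continue
    }
    try {
        # Same operation as right-click > 'Group Policy Update...' in GPMC;
        # -RandomDelayInMinutes 0 removes the default stagger on the target.
        Invoke-GPUpdate -Computer $name -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        $status[$name] = 'Triggered'
    } catch {
        $status[$name] = "Failed: $($_.Exception.Message)"
    }
}

# Invoke-GPUpdate schedules the refresh on the target and returns immediately,
# so give the clients a moment before asking what actually applied.
Start-Sleep -Seconds 60

# Pass 2: pull the resultant set of policy (computer side) for every host that was
# triggered. Open the HTML report to see which GPOs applied and which were denied.
$results = foreach ($name in $computers) {
    $report = $null
    if ($status[$name] -eq 'Triggered') {
        $report = Join-Path $reportDir "$name.html"
        try {
            Get-GPResultantSetOfPolicy -Computer $name -ReportType Html -Path $report -ErrorAction Stop | Out-Null
        } catch {
            $report = "RSoP failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ Computer = $name; Update = $status[$name]; Report = $report }
}

$results | Format-Table -AutoSize
```

The same warning as above applies: the forced refresh is visible on the affected machines. The RSoP reports are the useful artefact when a policy is not landing, because a denied GPO is listed with the reason (security filtering, WMI filter, or an unlinked OU).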
Related Articles, References, Credits, or External Links
I was tasked with working out how to do this for a client a couple of weeks ago, so I thought it would make a decent article. I’m going to have a central server share, with some photos in, then I’m going to copy them down to all the clients, and finally set their screen saver to use those photos as a ‘slide show’ screen saver.
I’ve done this with Windows 10 clients, but it should work with anything newer than Windows XP.
Solution : Screen Saver via GPO
Create a share folder to put all your photos in, I’m setting Share Permissions Everyone = Read, then on the Security tab, Domain users = Read, and Domain Admins = Full Control.
Now I’m creating a basic script that will map a drive letter (X:) on the client machine to that share, and copy down all the photos into a folder called “C:\IT Dept\Screensaver”. Save the file with a .bat (batch file) extension.
Now create (or edit) a GPO that’s linked to the OU that contains your users (remember the thing that looks like an OU in AD called Users isn’t an OU, it’s a ‘container’).
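An added example of the copy script described above, written in PowerShell rather than the author’s batch file, so it is not the original post’s code: it maps X: to the share, copies only image files that are new or changed into C:\IT Dept\Screensaver, and always unmaps the drive afterwards. The \\FILESERVER\Screensaver share path is a placeholder, and the script assumes the logged-on user can write to the local folder.

```powershell
# Added example, not the author's batch file: a PowerShell version of the logon script
# the post describes. Share path is a placeholder; the local folder matches the post.
$share    = '\\FILESERVER\Screensaver'   # placeholder: the share holding the photos
$localDir = 'C:\IT Dept\Screensaver'     # folder the photo screen saver will point at
$imageExt = '.jpg', '.jpeg', '.png', '.bmp'

# Map X: for the duration of the script only, so no stale drive letter is left behind.
net use X: $share /persistent:no | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Could not map $share (exit code $LASTEXITCODE)"
    exit 1
}

try {
    New-Item -ItemType Directory -Path $localDir -Force | Out-Null

    # Copy only image files, and only those that are new or newer than the local copy,
    # so the script stays quick at logon once the first sync has happened.
    Get-ChildItem -Path 'X:\' -File | Where-Object { $imageExt -contains $_.Extension.ToLower() } | ForEach-Object {
        $dest = Join-Path $localDir $_.Name
        if (-not (Test-Path $dest) -or $_.LastWriteTime -gt (Get-Item $dest).LastWriteTime) {
            Copy-Item -Path $_.FullName -Destination $dest -Force
        }
    }
} finally {
    # Runs even if the copy throws, so the mapping never outlives the script.
    net use X: /delete /y | Out-Null
}
```

Deploy it the same way as the batch file (User Configuration > Policies > Windows Settings > Scripts > Logon, copied into the policy folder); because it filters on extension, anything else dropped into the share is ignored rather than copied to every client.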
Now, STAY in the folder when it opens, and copy/paste your batch file in there, its icon should look like the one below.
Open > OK > Apply.
Set ScreenSaver Settings via Group Policy
Navigate to;
[box]User Configuration > Policies > Administrative Templates > Control Panel > Personalization > Force specific screen saver[/box]
Enable the policy and type in PhotoScreensaver.scr > OK > Apply.
Leave the policy editor open!
Screen Saver via GPO : Windows 10 Screen Saver Settings
These are well hidden, thanks Microsoft! Remember these settings can be deployed to Win7/8 as well. You need to already have the local folder with the photos in it, because some of the settings are read from it; you will have to do this one manually, just make sure the folder path is correct!
On a client machine > Start > Settings > Personalization > Lock Screen.
Scroll down > Screen Saver Settings > Set ‘Photos’ > Settings.
Browse to the photo folder > Tick Shuffle Pictures > Save.
Run regedit and navigate to;
[box]HKEY_CURRENT_USER > Software > Microsoft > Windows Photo Viewer > Slideshow > Screensaver[/box]
Right click and export the whole ‘Screensaver’ key, save it somewhere you can find it.
Now copy the file you just exported to the server, and double click it to ‘merge’ it into the registry.
WARNING: There is a registry value in here called EncryptedPIDL, it’s the actual path to the folder that contains the photos, and it’s been encrypted. Because Windows is a bit stupid, it breaks the text down so when you try and import/merge it, it does not work. Also it does not tell you anything went wrong. You can open the file you exported in Notepad, disable word wrap, and then make sure that the EncryptedPIDL value copies over correctly. Or simply create a new ‘string value’ called EncryptedPIDL and copy and paste it directly from your client onto the server’s registry value.
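A way round the EncryptedPIDL problem described above, as an added PowerShell example that is not from the original post: rather than a .reg export, it reads every value under the Screensaver key on the configured client into a JSON file and writes them back on the server with Set-ItemProperty, then checks that the EncryptedPIDL string round-tripped unchanged instead of failing silently. The JSON file path is a placeholder.

```powershell
# Added example, not code from the original post. The registry key is the one the
# post names; the JSON file path is a placeholder. Run the export on the configured
# client and the import on the server where you will run the Registry Wizard.
$key = 'HKCU:\Software\Microsoft\Windows Photo Viewer\Slideshow\Screensaver'

function Export-ScreensaverKey {
    param([string]$Path)
    $item = Get-ItemProperty -Path $key
    # Keep only the real registry values; drop PowerShell's PS* bookkeeping properties.
    $values = @{}
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
    }
    $values | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Import-ScreensaverKey {
    param([string]$Path)
    $values = Get-Content -Path $Path -Raw | ConvertFrom-Json
    New-Item -Path $key -Force | Out-Null
    foreach ($p in $values.PSObject.Properties) {
        # EncryptedPIDL is a REG_SZ; the Shuffle/Speed style settings are REG_DWORD.
        $type = if ($p.Value -is [string]) { 'String' } else { 'DWord' }
        Set-ItemProperty -Path $key -Name $p.Name -Value $p.Value -Type $type
    }
    # The whole point: confirm the long value arrived intact rather than truncated.
    $written = (Get-ItemProperty -Path $key).EncryptedPIDL
    if ($written -ne $values.EncryptedPIDL) {
        throw "EncryptedPIDL did not round-trip (wrote $($written.Length) chars, expected $($values.EncryptedPIDL.Length))"
    }
    Write-Output "Imported $(@($values.PSObject.Properties).Count) values; EncryptedPIDL verified"
}

# On the client:  Export-ScreensaverKey -Path 'C:\IT Dept\screensaver.json'
# On the server:  Import-ScreensaverKey -Path 'C:\IT Dept\screensaver.json'
```

Because the value is written through the registry API rather than parsed from a text file, line wrapping never enters into it, and the final comparison turns the silent failure the warning describes into a visible error.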
Back in the policy editor that you left open above, navigate to;
[box]User Configuration > Preferences > Windows Settings > Registry > New > Registry Wizard > Next[/box]
Browse down to;
[box]HKEY_CURRENT_USER > Software > Microsoft > Windows Photo Viewer > Slideshow > Screensaver[/box]
Select all the values as shown (if you can’t see EncryptedPIDL see my warning above) > Finish.
Close the policy editor and wait for the policy to apply, or force it on the clients.
Related Articles, References, Credits, or External Links