Cisco FirePOWER is Blocking an Application

KB ID 0001286 

Problem

A few weeks ago I installed a 5525-X firewall for a client, and set it up as follows;

ASA Setup FirePOWER Services (for ASDM)

And all was well, then a week later I got an email…

One of our teachers is doing a project with MATHS and ICT involving bitcoin.
Basically, he has something called BITCOIN CORE WALLET installed and it used to work with the old Firewall.

I’ve installed it on my work laptop and taken it home on my Internet connection & it works fine.

BUT, when I bring it back into school, it's failing.
When I bypass the Firewall, it also works – so I guess IPS/AMP is blocking something.

The software seems to start and then download/sync “stuff” for bitcoin.

In school it tries and then says "NO block source available".

Google seems to hint towards network issues.

It definitely did work, as the teacher has screen grabs of it working.

Any ideas what could be blocking this?


Now Bitcoin uses a series of ledgers that update each other around the world (to make it resilient), which means the wallet has to reach peers out on the Internet. So if the FirePOWER was the culprit, it was either identifying that traffic as a bot, or I had a rule specifically blocking Bitcoin.

Solution

Note: Bitcoin does need TCP port 8883 open, but that didn’t seem to be the problem.

Thankfully on the monitoring tab, as soon as I logged in, the answer was staring me in the face, (I had to change the time frame to last 30 days first).


Not only does it confirm the FirePOWER IDS blocked it, it also told me which 'Rule' it had matched (PUA-OTHER Bitcoin outbound request attempt). PUA stands for Probably Unwanted Application, in case you were wondering. Edit your IDS policy, and search for 'Bitcoin'.

I’ll leave the Malware rules alone, but I’ll allow both the PUA-Bitcoin rules, (i.e. set them to ‘Disable’).

Then don’t forget, you need to deploy the new FirePOWER policy and ensure that your access control policy says it’s up to date on all devices, before you test again. If you’re unsure how to do that, see the link I posted above.


Related Articles, References, Credits, or External Links

NA

Avaya / Nortel Switch Notes

KB ID 0001285 

Problem

I don’t often use Nortel (now Avaya) switches, I know they are decent, but in my day job I usually work on Cisco, occasionally HP, and other cheap assorted nastiness switches.

I was replacing an old 10/100 Cisco 3750 switch with a Nortel 4526GTX this week, and thought I’d take some notes for the common things I do, just in case I have to do another.

So this post is an eclectic collection of the various things I had to do, and worked out for the future.

Solution

I’m carrying the following out via console cable, the settings are the same as you would expect for a Cisco/HP switch, i.e. 

  • 9600 Baud
  • 8 bits
  • 1 stop bit
  • No Parity

WARNING: The console cable is NOT the same pinout as a normal console cable, it’s a straight through cable, (not a rollover cable). Though I did discover that the Cisco SMB switches also use the same cable.

Console: When connected it may look like nothing is happening, pressing enter etc shows no output. This is normal, you need to press CTRL+Y before you will get to command prompt.

Nortel / Avaya Switches Update the Firmware / Software

WARNING: Requires downtime, (2x reboots).

Nortel / Avaya switches have a software image and a firmware file. ALWAYS update the firmware first! I've got a TFTP server set up on my laptop (see links below), with the firmware and software image files ready.

[box]

CTRL+Y 
enable 
download address {IP-address-of-TFTP-Server} diag {xxxx_xxxx_diag.bin}

[/box]

The switch will download the firmware, upgrade it and perform a reboot. When it’s back online perform the same procedure for the software image.

[box]

CTRL+Y 
enable 
download address {IP-address-of-TFTP-Server} image {xxxx_xxxxxxx_.img}

[/box]

Once again the switch will reboot, when it’s back online check the firmware, and software versions are correct on the welcome screen.

Backing up and Restoring Nortel / Avaya Switches via TFTP

I'm usually doing this for other switch vendors, and for those I will back up the config to a readable text file that I can also refer back to, to see how things are configured. You can do the same thing on a Nortel / Avaya switch, but YOU CAN'T restore the switch from that 'readable' backup (unless you copy and paste the commands back in). To back up to a human-readable file use the following command;

[box]

copy running-config tftp address {IP-address-of-TFTP-Server} filename {File-Name}

[/box]

Well that's all well and good, but to produce a file you can 'restore' the switch from, you need to back up and restore the 'code'.

Backup Nortel / Avaya

[box]

copy config tftp address {IP-address-of-TFTP-Server} filename {File-Name}

[/box]

Restore Nortel / Avaya

This reboots the switch!

[box]

copy tftp config address {IP-address-of-TFTP-Server} filename {File-Name}

[/box]

Factory Reset Nortel Avaya Switches

As I mentioned above, I’m working on a 4526GTX switch, but the procedure is the same for;

  • 400 Series, (450, 460, 470.)
  • 2500 Series.
  • 4500 Series.
  • 5500 Series, ( 5510, 5520, 5530.)

Connect to the switch using a serial connection (settings above), then reboot the switch. If you watch the boot text, eventually it will say "Press Control C to Enter Diag" > Press Control+C > Choose option 'i' (initiate config flash).

Then choose option ‘a’ to run agent code > The switch will now boot up.

Press CTRL+Y and the switch will have a blank, (factory reset) config.

Nortel / Avaya Set a Management IP (and Default Route)

Like other vendors, if you are going to deploy the switch in a 'flat' network (i.e. all ports in VLAN 1) then you only need to set up an IP address for VLAN 1.

By default the switch will be on 192.168.1.1 which you can see with the following command;

[box]

4526GTX(config-if)#show ip
Bootp/DHCP Mode: Disabled

                      Configured        In Use         Last BootP/DHCP
                    --------------- --------------- --------------------
Stack IP Address:   192.168.1.2                       0.0.0.0
Switch IP Address:  192.168.1.1     192.168.1.1    0.0.0.0
Switch Subnet Mask: 255.255.255.0   255.255.255.0  0.0.0.0
Default Gateway:    0.0.0.0          

[/box]

To change that, first I'm going to rename VLAN 1, then remove that IP, and finally set a new one.

[box]

4526GTX(config)#vlan name 1 Default-VLAN
4526GTX(config)#interface vlan 1
4526GTX(config-if)#no ip address 192.168.1.1 255.255.255.0
4526GTX(config-if)#ip address 192.168.254.1 255.255.255.0

[/box]

To set the default route, first I’m enabling routing, then setting the default route;

[box]

4526GTX(config)#ip routing
4526GTX(config)#ip route 0.0.0.0 0.0.0.0 192.168.254.254 1

[/box]

Nortel / Avaya Allowing Remote Management

This looks a little 'Juniper SRX-ish'. Below, the usernames will remain RW and RO.

DON'T set the RO and RW passwords the same!

To set the passwords;

[box]

4526GTX(config)#username RO Re@d0nly ro
4526GTX(config)#username RW P@ssw0rd123 rw

[/box]

Then to enable telnet (and SSH, strangely) using local authentication;

[box]

4526GTX(config)#cli pass telnet local

[/box]

Note: I didn’t have to add any extra commands to enable web management via the GUI.

Nortel / Avaya Assigning Ports to VLANS

At the command line this can get a little confusing; my colleagues point out that it's much simpler to do in the web interface. But at PNL we don't work on the web interface.

To understand how it works, you need to remember: 'Any port can be tagged in a VLAN (or any number of VLANs), but a port can only be untagged in one VLAN'. This is the same for all vendors, they just use different terminology, i.e. HP = Tagged and Untagged (simple), Cisco = Access Port and Trunk (simple if you are used to it).

Unlike 'modern' Cisco switches, if you reference a VLAN that does not exist it will just error; like older switches, you need to create the VLAN and add it to the VLAN database first.

Creating and Naming a VLAN

Here I create VLAN 100, and call it PROD-NW.

[box]

4526GTX(config)#vlan create 100 name PROD-NW type port

[/box]

Assign an IP Address (SVI) to a VLAN

Using the VLAN I created above, I’m adding ip address 192.168.100.1/24 to it. 

[box]

4526GTX(config)#interface vlan 100
4526GTX(config-if)#ip address 192.168.100.1 255.255.255.0

[/box]

Adding Ports to VLANS

Remember what I said above about VLANs (a port can be tagged in multiple VLANs). If you are a Cisco-head, a port with multiple VLAN tags is a trunk. (If all the HP engineers are confused at this point, read the link at the bottom of the page).

So you need to ‘Remove’ a port from VLAN1 (or the VLAN it is in) then make it a member of your new VLAN, and finally you need to assign the PVID of your new VLAN to the port! 

So below I’m moving ports 1 to 4 into VLAN 100 from VLAN 1;

[box]

4526GTX(config)#vlan members remove 1 1-4 
4526GTX(config)#vlan members add 100 1-4 
4526GTX(config)#vlan ports 1-4 pvid 100

[/box]

Note: If you do it in the wrong order and get a warning, you can stop the warnings with a 'vlan configcontrol flexible' command.

To prove it worked;

[box]

4526GTX(config)#show vlan int info
      Filter     Filter
     Untagged Unregistered
Port  Frames     Frames    PVID PRI    Tagging    Name
---- -------- ------------ ---- --- ------------- --------------
1    No       Yes          100  0   UntagAll      Port 1
2    No       Yes          100  0   UntagAll      Port 2
3    No       Yes          100  0   UntagAll      Port 3
4    No       Yes          100  0   UntagAll      Port 4
5    No       Yes          1    0   UntagAll      Port 5
6    No       Yes          1    0   UntagAll      Port 6
7    No       Yes          1    0   UntagAll      Port 7
8    No       Yes          1    0   UntagAll      Port 8
9    No       Yes          1    0   UntagAll      Port 9
10   No       Yes          1    0   UntagAll      Port 10
11   No       Yes          1    0   UntagAll      Port 11
12   No       Yes          1    0   UntagAll      Port 12
-----------Config Removed for the Sake of Brevity----------

[/box]
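As an added check (example code, not from the post or from Avaya), here is a small Python helper that builds the three-command port move in the order used above and then parses 'show vlan int info' output to confirm every moved port really has the new PVID; the sample output is constructed.

```python
import re
from typing import Dict, List

# Constructed sample in the format of the 'show vlan int info' output above
# (not live switch output): ports 1-2 moved correctly, port 3 still in VLAN 1,
# port 4 missing from the output, port 5 a tagged port in VLAN 1.
SAMPLE_VLAN_INT_INFO = """\
4526GTX(config)#show vlan int info
      Filter     Filter
     Untagged Unregistered
Port  Frames     Frames    PVID PRI    Tagging    Name
---- -------- ------------ ---- --- ------------- --------------
1    No       Yes          100  0   UntagAll      Port 1
2    No       Yes          100  0   UntagAll      Port 2
3    No       Yes          1    0   UntagAll      Port 3
5    No       Yes          1    0   TagAll        Port 5
"""

# One data row: port, filter untagged, filter unregistered, PVID, PRI, tagging, name.
ROW_RE = re.compile(r"^(\d+)\s+(Yes|No)\s+(Yes|No)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")


def expand_ports(spec: str) -> List[int]:
    """Expand a Nortel-style port list such as '1-4,7' into sorted port numbers."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo < 1 or lo > hi:
                raise ValueError(f"bad port range {part!r}")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    if not ports:
        raise ValueError("empty port list")
    return sorted(ports)


def move_ports_commands(new_vlan: int, ports: str, old_vlan: int = 1) -> List[str]:
    """The three commands in the order the post uses: remove the ports from the
    VLAN they are untagged in, add them to the new VLAN, then set their PVID."""
    for vid in (new_vlan, old_vlan):
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN id {vid} out of range")
    expand_ports(ports)  # reject a malformed port list before emitting anything
    return [
        f"vlan members remove {old_vlan} {ports}",
        f"vlan members add {new_vlan} {ports}",
        f"vlan ports {ports} pvid {new_vlan}",
    ]


def parse_vlan_int_info(text: str) -> Dict[int, dict]:
    """Map port number -> {'pvid', 'tagging', 'name'} from 'show vlan int info' output."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[int(m.group(1))] = {"pvid": int(m.group(4)), "tagging": m.group(6), "name": m.group(7).strip()}
    return rows


def ports_not_in_vlan(text: str, ports: str, vlan: int) -> List[int]:
    """Ports from the spec whose PVID is not `vlan`, or which are missing from the
    output; an empty list means the move took on every port."""
    rows = parse_vlan_int_info(text)
    return [p for p in expand_ports(ports) if rows.get(p, {}).get("pvid") != vlan]
```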

You can also use the following command;

[box]

4526GTX(config)#show vlan
Id  Name                 Type     Protocol         PID      Active IVL/SVL Mgmt
--- -------------------- -------- ---------------- -------- ------ ------- ----
1   Default-VLAN         Port     None             0x0000   Yes    IVL     Yes
        Port Members: 5-26
100 PROD-NW              Port     None             0x0000   Yes    IVL     No
        Port Members: 1-4
Total VLANs: 2

[/box]

Or if you are running a newer version of the code;

[box]

4526GTX(config)#show run mod vlan
! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 4526GTX
! Software version = v5.6.3.025
!
! Displaying only parameters different to default
!================================================
enable
configure terminal
!
! *** VLAN ***
!
vlan create 100 type port 1
vlan name 1 "Default-VLAN"
vlan name 100 "PROD-NW"
vlan configcontrol flexible
vlan members 1 5-26
vlan members 100 1-4
vlan ports 1-4 pvid 100
no auto-pvid
!
! *** VLAN Phase 2***
!

[/box]

Other Quick Examples

[box]

Create VLAN 200 named 8021x-NW, with an SVI of 192.168.200.1, and add ports 13 to 16

vlan create 200 name 8021x-NW type port
vlan members remove 1 13-16
vlan members add 200 13-16
vlan ports 13-16 pvid 200
int vlan 200
 ip address 192.168.200.1 255.255.255.0
 exit

Create a VLAN 101 named DMZ-NW, and add ports 7 to 10

vlan create 101 name DMZ-NW type port
vlan members remove 1 7-10
vlan members add 101 7-10
vlan ports 7-10 pvid 101

Add Ports 5 and 6 to (Existing) VLAN 100

vlan members remove 1 5-6
vlan members add 100 5-6
vlan ports 5-6 pvid 100

[/box]


Related Articles, References, Credits, or External Links

Special thanks to Kevin Almond for his assistance.

Install and Use a TFTP Server

MAC OS X TFTP Software

CentOS – Install and Configure a TFTP Server

HP and Cisco – VLANs and Trunks Confusion!

Changing the Windows 10 Browser, So It Isn’t Edge

KB ID 0001284

Problem

I've seen one person use Edge as their browser in a business environment. I've got nothing against it (I use macOS anyway), but I had a client that asked me how to make sure his machines are set to NOT use Edge as the default browser.

I’m going to use Internet Explorer instead, but you can do the same with Chrome or Firefox depending on your browser of choice.

Solution

What I'm going to do is set the browser on one machine, then export the default associations for that machine to an XML file, then via GPO I'm going to get my Windows 10 machines to use that XML file (by filtering the GPO so it only applies to Windows 10).

Start > Settings > System > Default Apps.

Change Web browser  > Select the one you prefer.

Open an administrative command window, and execute the following command;

[box]

Dism /Online /Export-DefaultAppAssociations:C:\Windows\Temp\DefaultApps.xml

[/box]

If you open that file with notepad you should see the browser associations.
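As an added check (example code, not from the post or from Microsoft), here is a Python snippet that reads DefaultApps.xml and reports any browser association that still points at a different application than the one you chose; the XML sample is constructed and its ProgId values are illustrative.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample in the shape Dism writes to DefaultApps.xml. The ProgId and
# ApplicationName values are illustrative, not copied from a real export. Here
# the https handler was left on Edge, which is exactly what the check should catch.
SAMPLE_DEFAULT_APPS_XML = """\
<DefaultAssociations>
  <Association Identifier=".htm" ProgId="htmlfile" ApplicationName="Internet Explorer" />
  <Association Identifier=".html" ProgId="htmlfile" ApplicationName="Internet Explorer" />
  <Association Identifier="http" ProgId="IE.HTTP" ApplicationName="Internet Explorer" />
  <Association Identifier="https" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
  <Association Identifier=".pdf" ProgId="MSEdgePDF" ApplicationName="Microsoft Edge" />
</DefaultAssociations>
"""

# The identifiers that decide which program opens web pages and links.
BROWSER_IDENTIFIERS = (".htm", ".html", "http", "https")


def parse_associations(xml_text: str) -> Dict[str, str]:
    """Map each Association Identifier to its ApplicationName."""
    root = ET.fromstring(xml_text)
    if root.tag != "DefaultAssociations":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return {a.get("Identifier"): a.get("ApplicationName", "")
            for a in root.iter("Association")}


def browser_identifiers_not_set_to(xml_text: str, expected_app: str) -> List[str]:
    """Browser identifiers that are missing or still point at another application;
    an empty list means the file will push `expected_app` for all of them."""
    assoc = parse_associations(xml_text)
    return [i for i in BROWSER_IDENTIFIERS if assoc.get(i) != expected_app]


def associations_for(xml_text: str, app_name: str) -> List[str]:
    """Every identifier the file hands to `app_name` (e.g. what Edge still keeps)."""
    return sorted(i for i, app in parse_associations(xml_text).items() if app == app_name)
```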

Create a central share, and ensure domain computers have 'read' rights.

Now copy your DefaultApps.xml file from your client into the central share.

Create a GPO for your file associations linked to the OU with your Windows 10 computers in.

Edit it.

Navigate to;

[box]Computer Configuration > Policies> Administrative Templates > Windows Components > File Explorer > Set default associations configuration file[/box]

Enable the policy and put in the path to your DefaultApps.xml file.

Filter the Group Policy For Windows 10

Only Windows 10 has Edge, so you can create a WMI filter, then this policy does not try and apply to previous versions.

See the following for an explanation: Windows 10 Create a WMI Filter for Group Policy.

You can prove it’s working with the group policy modelling feature.


Related Articles, References, Credits, or External Links

NA

Stop Windows Servers ‘Locking’ with Group Policy

KB ID 0001283 

Problem

Servers locking themselves after a period of inactivity is, (in most cases) a good thing. But on my test network that only I use it gets a bit annoying switching between machines and constantly having to unlock Windows all the time!


Note: For obvious security reasons don’t do this on a production network!

Solution


Create a new GPO linked to your computer OU, (or edit an existing one).

Edit the policy.

Navigate to;

[box]Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive Logon : Machine inactivity limit[/box]

The Explain tab is 'a bit pants' > To disable the inactivity lock, define the policy and set it to '0' (zero).

Then wait, or force a policy update to test.

Related Articles, References, Credits, or External Links

NA

Windows – Forcing Domain Group Policy

KB ID 0001282

Problem

I’ve written hundreds of posts about doing things with group policies. Every time I finish one, I write a couple of paragraphs on how long to wait, or how to force the policy etc. So I’ve finally got round to writing a post I can simply reference!

How Long Before Group Policy Changes Are Applied?

This is something that hasn't changed since I was doing Windows 2000 exams 🙂 The default interval between policies being applied is 90 minutes, plus or minus a figure between 0 and 30 minutes (this avoids all user and computer policies being seen and applied at the same time). So between 60 minutes and 120 minutes if you are going to wait.

Now you can change this interval with group policy;

[box]

User Configuration > Administrative Templates > System > Group Policy > Group Policy refresh interval for users
Computer Configuration > Administrative Templates > System > Group Policy > Group Policy refresh interval for computers

[/box]

As you can see, you can change the interval up to 64,800 minutes (45 days). If you set it to '0' the policy updates every 7 seconds (NEVER DO THIS!) unless you're on a test bench with a couple of computers! Personally I've never needed to mess around with these settings.

Solution

Force Group Policy Update From GPMC

If you have a Windows Server 2012 machine with the Group Policy Management Console installed, you can force a group policy refresh on an OU in Active Directory.

Either right click the OU, and select ‘Group Policy Update..’ (or from the Action menu) > Yes.

Some will fail, they might not be turned on, or (like some below,) they might be linux machines.

Manually Force a Group Policy Update on a Single Host

While testing new policies this command is your friend; it gives you a chance to test the result on a client instantly (as soon as policy editing is finished). Open an administrative command window, and run the following command;

[box]gpupdate /force[/box]

Note: Some policies require a log off/log on, or even a reboot, you should be told this after running gpupdate.

Force Group Policy Update with PowerShell

You can also get single/multiple machines/users to update their policies using PowerShell. For this to work you need Server 2012 and at least Windows 8 clients. You also need to make some changes to the machines' firewalls. Luckily you can also do that with group policy, and Microsoft have already written the policy for you (it's in the starter policies).

Within the Group Policy Management Console > Locate Starter GPOs > Group Policy Remote Update Firewall Ports > New GPO From Starter GPO > Give the new policy a name.

Link that new policy to your user/computer organisational units (as required).

You can now use the 'Invoke-GPUpdate' cmdlet; here I'm applying the update to the 'Servers' OU.

[box]

Get-ADComputer -SearchBase "OU=Servers,OU=PNL,DC=pnl,DC=com" -Filter * | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -RandomDelayInMinutes 0; "Refreshing host $($_.Name)" }

[/box]

Warning: This displays output on the affected machines, and might start some users ringing the help desk!

See What Group Policies are Being Applied

Forcing them is one thing, proving they actually get to the target computers is something else. For peace of mind, and troubleshooting, it helps to see what policies have filtered down to the computers and users.

The easiest way, is to open an administrative command window, and run the following command;

[box]gpresult -R[/box]

Or, to see things a little more 'granularly': Windows Key + R > mmc {enter} > File > Add/Remove Snap-In > Resultant Set of Policy > Add > OK.

Generate RSoP Data > Follow the Wizard.

When complete it will show you the ‘sum total’ of all policies being applied – it can also show you any problems that are occurring. The next best place for troubleshooting group policies is the Event Viewer on the target machine.

Related Articles, References, Credits, or External Links

NA

Windows – Deploy and Configure Photo Screen Saver via GPO

Screen Saver via GPO KB ID 0001281

Problem

I was tasked with working out how to do this for a client a couple of weeks ago, so I thought it would make a decent article. I’m going to have a central server share, with some photos in, then I’m going to copy them down to all the clients, and finally set their screen saver to use those photos as a ‘slide show’ screen saver.

I’ve done this with Windows 10 clients, but it should work with anything newer than Windows XP.

Solution : Screen Saver via GPO

Create a share folder to put all your photos in, I’m setting Share Permissions Everyone = Read, then on the Security tab, Domain users = Read, and Domain Admins = Full Control.

Now I’m creating a basic script that will map a drive letter (x:) on the client machine to that share, and copy down all the photos into a folder called “C:\IT Dept\Screensaver”. Save the file with a .bat (batch file) extension.

Now create (or edit) a GPO that's linked to the OU that contains your users (remember the thing that looks like an OU in AD called Users isn't an OU, it's a 'container').

Edit your group policy.

Run a Logon Script from Group Policy

Navigate to;

[box]User Configuration > Policies > Windows Settings > Scripts > Logon > Properties[/box]

Add > Browse.

Now, STAY in the folder when it opens, and copy/paste your batch file in there, its icon should look like the one below.

Open > OK > Apply.

Set ScreenSaver Settings via Group Policy

Navigate to;

[box]User Configuration > Policies > Administrative Templates > Control Panel > Personalization > Force specific screen saver[/box]

Enable the policy and type in PhotoScreensaver.scr > OK > Apply.

Leave the policy editor open!

Screen Saver via GPO : Windows 10 Screen Saver Settings

These are well hidden, thanks Microsoft! Remember these settings can be deployed to Win7/8 as well. You need to have the local folder with the photos in it already, to get some of the settings from; you will have to do this one manually, just make sure the folder path is correct!

On a client machine > Start > Settings > Personalization > Lock Screen.

Scroll down > Screen Saver Settings > Set ‘Photos’ > Settings.

Browse to the photo folder > Tick Shuffle Pictures > Save.

Run regedit and navigate to;

[box]HKEY_CURRENT_USER > Software > Microsoft > Windows Photo Viewer > Slideshow > Screensaver[/box]

Right click and export the whole ‘Screensaver’ key, save it somewhere you can find it.

Now copy the file you just exported to the server, and double click it to 'merge' it into the registry.

WARNING: There is a registry value in here called EncryptedPIDL; it's the actual path to the folder that contains the photos, and it's been encrypted. Because Windows is a bit stupid, it breaks the text down, so when you try and import/merge it, it does not work. Also it does not tell you anything went wrong. You can open the file you exported in Notepad and disable word wrap, then make sure that the EncryptedPIDL value copies over correctly. Or simply create a new 'string value' called EncryptedPIDL and copy and paste the value directly from your client into the server's registry.
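As an added check (example code, not from the post), here is a Python snippet that parses the exported .reg text and confirms EncryptedPIDL is still one intact single-line string value before you merge it; it assumes the string holds base64 text (which is what a wrapped or cut-off copy breaks), and the sample export is constructed.

```python
import base64
import binascii
import re
from typing import Dict, Optional

# Constructed .reg text in the shape regedit exports (already decoded from the
# UTF-16 file regedit writes). The EncryptedPIDL value here is just the base64
# of the word "constructed", not a real encoded folder path.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows Photo Viewer\Slideshow\Screensaver]
"Shuffle"=dword:00000001
"Speed"=dword:00000001
"EncryptedPIDL"="Y29uc3RydWN0ZWQ="
"""

SCREENSAVER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows Photo Viewer\Slideshow\Screensaver"
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_key(text: str, key: str) -> Dict[str, str]:
    """Return value-name -> raw data for the values listed under `key`."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            values[m.group(1)] = m.group(2)
    return values


def check_encrypted_pidl(text: str) -> Optional[str]:
    """None if EncryptedPIDL survived the export intact, otherwise what is wrong."""
    raw = parse_reg_key(text, SCREENSAVER_KEY).get("EncryptedPIDL")
    if raw is None:
        return "EncryptedPIDL missing from the exported key"
    if not (len(raw) >= 2 and raw.startswith('"') and raw.endswith('"')):
        return "EncryptedPIDL is not a single-line string value (wrapped or truncated?)"
    data = raw[1:-1]
    # Assumption: the string holds base64 text, so a wrapped or cut-off copy will
    # fail to decode; the decoded bytes are opaque and are not interpreted here.
    try:
        decoded = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return "EncryptedPIDL does not decode as base64 (wrapped or truncated?)"
    if not decoded:
        return "EncryptedPIDL is empty"
    return None
```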

Back in the policy editor that you left open above, navigate to;

[box]User Configuration > Preferences > Windows Settings > Registry > New > Registry Wizard > Next[/box]

Browse down to;

[box]HKEY_CURRENT_USER > Software > Microsoft > Windows Photo Viewer > Slideshow > Screensaver[/box]

Select all the values as shown (if you can't see EncryptedPIDL see my warning above) > Finish.

Close the policy editor and wait for the policy to apply, or force it on the clients.

Related Articles, References, Credits, or External Links

NA