One annoying thing about the vSphere web client is the fact it throws you out after a period of inactivity. Now I know there are straightforward security reasons for this, and on a production environment that's fine. But on my test network there's just me, sighing every few minutes and logging back in again.
As the ‘Flash’ client is being deprecated I’ll concentrate on the HTML5 client, but I’ll mention how to alter the Flash client also, (if your version of VCSA still supports it!)
vSphere Disable Timeout
vCenter Appliance (VCSA) vSphere Disable Timeout
Connect directly to the console or via SSH. To launch a BASH shell type ‘shell‘, then execute the following commands:
[box]
cd /etc/vmware/
ls
[/box]
You will see a folder for vsphere-ui (the HTML5 client)
Note: For older versions of the VCSA, you will also see vsphere-client (the legacy Flash client).
Change directory to the client you want to alter the settings for, then edit the webclient.properties file.
[box]
cd vsphere-ui
vi webclient.properties
[/box]
Locate the ‘session.timeout = 120’ value and change it to zero ‘0’ to disable the timeout, (or to a new figure in minutes).
Note: Navigate with the arrow keys > press ‘I’ to insert > change the text > press ‘Esc’ > type ‘:wq’ to save and exit.
Then restart the HTML5 client with the following commands:
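Editing the value in vi is fine for a one-off, but if you flip it back and forth on a lab appliance a small script is handier. The following is an added example, not commands from the original article or from VMware: a POSIX shell function that rewrites the session.timeout line in webclient.properties (or appends one if it is missing), keeps a .bak copy for rollback, and preserves the file's owner and permissions. Nothing else in the file is touched. Remember that 0 removes the idle logout entirely; on anything other than a test box a finite number of minutes is the better setting.

```shell
#!/bin/sh
# Added example, not from the original article: change session.timeout in a
# vSphere webclient.properties file from a script instead of by hand in vi,
# keeping a backup of the original. Assumes the "session.timeout = <minutes>"
# line shown in the article; every other line in the file is left as it is.

set -u

# set_session_timeout FILE MINUTES
# Rewrites an existing session.timeout line, or appends one if none exists.
# 0 disables the idle logout altogether, which only makes sense on a lab box;
# anywhere else pick a finite number of minutes.
set_session_timeout() {
  file=$1
  minutes=$2
  case $minutes in
    ''|*[!0-9]*) echo "minutes must be a non-negative integer" >&2; return 2 ;;
  esac
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  cp -p "$file" "$file.bak"            # keep the original for rollback
  if grep -q '^[[:space:]]*session\.timeout[[:space:]]*=' "$file"; then
    # Replace the line via a temp file, writing back with cat so the original
    # file's owner and permissions are preserved.
    tmp=$(mktemp) || return 1
    sed "s/^[[:space:]]*session\.timeout[[:space:]]*=.*/session.timeout = $minutes/" "$file" > "$tmp" \
      && cat "$tmp" > "$file"
    rm -f "$tmp"
  else
    printf 'session.timeout = %s\n' "$minutes" >> "$file"
  fi
}

# get_session_timeout FILE
# Prints the configured value, or "unset" if the key is absent.
get_session_timeout() {
  v=$(sed -n 's/^[[:space:]]*session\.timeout[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
  printf '%s\n' "${v:-unset}"
}

# Example on the appliance (from /etc/vmware/vsphere-ui):
#   set_session_timeout webclient.properties 0 && get_session_timeout webclient.properties
```

Run it from the client's directory, restart the client afterwards as the article describes, and if anything goes wrong copy webclient.properties.bak back over the edited file.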
In past articles I’ve got my F5 BIG IP appliance up and running, and I’ve built some web servers to test load balancing. Now to actually connect things together and start testing things. Below is my lab setup, I will be deploying simple web load balancing (Static: Round Robin) between three web servers, each serving a simple HTTP web site.
Test F5 to Web Server Connectivity
For obvious reasons the F5 needs to be able to speak to the web servers, so it needs to be on the same network/VLAN and have connectivity. To test that, we can log onto the F5 console directly, and ‘ping’ the web servers.
So connectivity is good, let’s make sure we can actually see the web content on those boxes. The best tool for that is curl, which will make a web request, and the web server ‘should’ return some HTML.
[box]curl http://10.2.0.11[/box]
F5 BIG-IP Load Balancing Terminology
Yeah I said ‘load balancing‘ and not ADC, sue me! There are a number of building blocks that F5 uses, and you need to understand the terminology to put things together. Firstly let’s look at things BEHIND the F5 appliance;
Node: An actual machine/appliance, (be that physical or virtual), that provides some sort of service, or a collection of services, e.g. a web server, telnet server, FTP site etc.
Pool Member: A combination of a Node AND a Port/Service, e.g. 192.168.1.100:80 (IP address and TCP port 80 (or HTTP)).
Pool: A logical collection of Pool Members that provide the same service, e.g. a collection of pool members offering a website on TCP port 80.
F5 BIG-IP Adding Nodes
While connected to the web management portal > Local Traffic > Nodes > Create (Note: You can also press the green ‘add’ button on the Node pop-out on newer versions).
Specify a name > Description (optional) > IP address (or FQDN) > ‘Repeat‘ > Continue to add Nodes as required, then click ‘Finished‘.
F5 BIG-IP Adding Pools
Now we have our Nodes, we need to create a Pool. Local Traffic > Pools > Create, (again on newer versions there’s a green add button on the pop-out).
Add a Name > Description (Optional) > Add an applicable Health Monitor (in our case http) > Select the ‘Node List’ radio button > Select your first Node > Set the Port/Service > Add > Continue to Add the remaining Nodes.
Note: Here is where you add the IPs to the Port/Service and create the Pool Members.
Sorry! Busy Screenshot
When all the Nodes are added > ‘Finished‘.
Your web pool ‘should‘ show healthy, Note: that does not mean ALL the nodes are online!
To make sure ‘all’ the Nodes are healthy > Go to the Members Tab.
F5 BIG-IP Virtual Servers
I’m not a fan of using this term ‘Virtual Server‘, I prefer Virtual IP (or VIP), but we are where we are! Above we’ve looked at things BEHIND the F5, now we need to present those services IN FRONT of the F5 (Note: I don’t say publicly, because we deploy plenty of BIG-IP solutions inside networks). So a Virtual Server is the outside IP address or FQDN that a ‘consumer’ will connect to;
Local Traffic > Virtual Servers > Create.
Supply a name > Description (optional) > Destination Address (the ‘available outside’ IP address) > Set the service/port > Scroll down to the bottom.
Set the ‘Default Pool’ to the pool you created (above) > ‘Finished‘.
For a brief overview, or to check what you have created > Click Local Traffic > Network Map. Note: This will look different on older versions of the F5.
Then test the service from the outside, here each web server serves a different colour page so I can test it’s working properly.
My Web Page Does Not Change? If you keep seeing the same colour/page then it’s probably because your chosen browser is ‘caching’ web content on your test machine, you may need to disable caching in your chosen web browser, for an accurate test.
So that’s Static Round Robin (Equal Ratio) Based Load Balancing. In the next article I’ll look at how you can manipulate the ratios, to better serve your hardware, and requirements.
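A browser is an awkward tool for this test because of the caching problem just mentioned. The following is an added example, not part of the original article or of F5's tooling: a few POSIX shell functions built on curl (which keeps no cache) that first fetch each pool member directly to confirm it is serving content, then hit the Virtual Server repeatedly and count how many distinct pages come back. With equal-ratio round robin across three healthy members you expect three distinct pages, and the hit counts should be roughly equal. The member addresses are the article's lab (10.2.0.11 to 10.2.0.13); the VIP address in the usage lines is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: test the pool members and the
# Virtual Server from the command line with curl. curl keeps no cache, so
# unlike a browser it shows the real round-robin split across the three web
# servers. Member addresses are the article's lab (10.2.0.11-13); the VIP URL
# is an assumption.

# FETCH names the function that retrieves a page body. The default uses curl;
# a test can point it at a stand-in that needs no network.
FETCH=${FETCH:-fetch_with_curl}

fetch_with_curl() {
  # -sS: quiet but still report errors; -m 5: give up after 5 seconds;
  # the header also tells any proxy in the path not to serve a cached copy.
  curl -sS -m 5 -H 'Cache-Control: no-cache' "$1"
}

# check_members "IP1 IP2 ..." PORT
# Fetches http://IP:PORT/ from each member directly (bypassing the F5) and
# prints UP or DOWN per member; returns non-zero if any member is DOWN.
check_members() {
  members=$1
  port=$2
  rc=0
  for m in $members; do
    if body=$($FETCH "http://$m:$port/") && [ -n "$body" ]; then
      echo "UP   $m:$port"
    else
      echo "DOWN $m:$port"
      rc=1
    fi
  done
  return $rc
}

# page_checksums URL N
# Requests URL N times and prints one checksum of the body per request.
page_checksums() {
  url=$1
  n=$2
  i=0
  while [ "$i" -lt "$n" ]; do
    $FETCH "$url" | cksum | cut -d' ' -f1
    i=$((i + 1))
  done
}

# count_distinct_pages URL N
# Number of distinct pages seen in N requests. With equal-ratio round robin
# across K healthy members this should reach K once N >= K.
count_distinct_pages() {
  page_checksums "$1" "$2" | sort -u | wc -l | tr -d ' '
}

# distribution URL N
# "<hits> <checksum>" per distinct page, so a member that is not taking its
# share of traffic shows up as a low or missing count.
distribution() {
  page_checksums "$1" "$2" | sort | uniq -c
}

# Usage from a client outside the F5:
#   check_members "10.2.0.11 10.2.0.12 10.2.0.13" 80
#   distribution http://10.2.0.10/ 30
```

If count_distinct_pages comes back lower than the number of members you believe are healthy, check the Members tab as the article says, rather than trusting the pool's overall status light.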
Related Articles, References, Credits, or External Links
In this article I will focus on ‘Remote Access’ VPN, which for Cisco FTD means using the AnyConnect client. I’ve spent years deploying this solution for ASA so it’s a product I know well. As with all things Cisco, there are a couple of things that could trip you up. Let’s get them out of the way first.
If you are used to AnyConnect then you probably have the client software. It’s the same software package that’s installed with Cisco ASA. Sometimes just getting access to the download is a trial! Anyway you will need the AnyConnect ‘Package’ files, these typically have a .pkg extension, (Cisco refer to these as Head-End packages). There’s one for macOS, one for Windows, (well another one now for ARM processors, but I’ve not needed it yet), and one for Linux. You will need to download a package for each platform your users will need to connect with.
AnyConnect Licence! After years of getting a few free with a Cisco ASA, I was unhappy to find that’s not the case with Cisco FTD. If you want to use AnyConnect you need to have a licence, and it needs to be in your Smart Licensing Account, (before you enable Remote Access VPN).
Final Gotcha! Make sure you HAVE NOT enabled HTTPS management on the outside interface of the FTD before you start configuring AnyConnect, or you will get all the way to the end, and it will fall over and you will have to start again (thanks Cisco! How hard would it be to say, if you enable this, I will disable https outside management is this OK?)
Solution
If you haven’t already done so enable the Remote Access VPN licence > Smart Licence > Fire Configuration > RA VPN License > Enable > Change to licence type (mine’s Apex). Have a coffee and recheck everything is licensed OK.
Give the profile a name, a group alias, and group URL > I’m using the FTD as my AAA Identity source (so my username and passwords are held on the firewall) that’s fine for small deployments, but in production you should think about deploying an AAA solution (called a Special Identities Realm in FTD). Scroll down.
I typically create a new network object for my remote clients to use, you can select your internal DHCP server to send out addresses if you wish > Next.
I’m using Cisco Umbrella DNS servers, (or the DNS servers formerly known as OpenDNS) > I’m setting a ‘welcome banner’ but you don’t need to, (some people find them annoying!) > Scroll down.
Split tunnelling: As always Cisco assume you want to tunnel everything, in most cases that’s NOT the requirement (BUT it IS the most secure!) I set up split tunnelling by Excluding my internal networks > Next.
Client Profiles: If you have one you can set it here, if you want to create one, see the following article;
Select the certificate the FTD will present (don’t choose the web one it will error!) > Select the interface your client will connect to (typically outside) > Enter the FQDN of the device > I allow bypass for VPN traffic, if you want to scan remote traffic with firepower etc DON’T select this > Enable NAT Exemption (select the internal interface) > Internal Networks: Then add in the internal network, I’ve already got an object for that, (you may need to create one.) > Scroll down.
Here you upload your .pkg files (I mentioned above) when you have finished > Next.
Review the settings > Finish.
Cisco FTD Create User (via FDM)
You will need a username and password to authenticate (skip this if you are not using the FTD’s internal user database.) Objects > Users > Add > Supply a username and password > OK
Pending Changes > Deploy Now.
Go and have a coffee again, keep clicking pending changes until it looks like this. (Quite why it takes so long, I have no idea?) It’s even more fun, if you made a mistake, because it will just error and fall over, so you have to find the error (if you can) > then remove the pending change and start all over again. Cheers Cisco!
Finally go to an external client and give it a try, if your clients don’t have the client software installed simply ‘browse’ to the FTD to get it.
Related Articles, References, Credits, or External Links
I prefer to think of OVF Templates as “Zip” files for Virtual Machines and Virtual Appliances. Whereas the OVA file is the complete appliance pre-packaged. There are two things you will want to do with an OVF Template;
5. Select the disk format (Thick or Thin) you want the new VM to use.
What does Lazy Zeroed and Eager Zeroed Mean?
Data on disks is stored as a 1 (one) or a 0 (zero), so if all the blocks on the disk are set to zero, when you put data on the disk, it only has half the work to do (i.e. write the ones). Eager Zeroed puts zeros on all the blocks on the disks straight away, Lazy Zeroed puts all zeroes in a block the first time the block is read.
6. Read the summary, and if you want to power on the VM on completion, tick the box > Finish.
7. Depending upon the amount of data this can take a while.
8. It will give you the following message when it’s finished.
9. And here is your VM, imported, powered up, and working.
Related Articles, References, Credits, or External Links
In vSphere 5 and earlier versions this was not a ‘fun’ job at all, many times I sat down to do it, and lost the will to live. Now there’s a nice new tool built into vCenter that does ‘most’ of the hard work for you. Here I’m using the vCenter appliance but the tool is also available on the Windows version.
For my certificates I’m using Microsoft Certificate Services. I’m going to issue a ‘Subordinate CA’ certificate to my vCenter Appliance, then it can issue signed certificates to each of its services.
Solution
Make sure you have published a ‘Subordinate Certification Authority’ certificate template.
Connect to the vCenter appliance using SSH and enable the ‘shell’
[box]
shell.set --enabled True
shell
[/box]
Create a directory to store our certificates and requests in, then launch the certificate-manager tool.
The app will launch, and present you with a bunch of options.
Select option 2 > No we don’t want to use the configuration file > enter your logon information, (administrator@vsphere.local and password) > Enter all the items required for the certificate request.
Choose option 1 (Generate Certificate signing request) > Specify the folder you created above, (/root/SSLCerts) > Two files will be generated > Enter ‘2’ to exit.
The files;
vCenter 6.5
vmca_issued_key.key (the private key)
vmca_issued_csr.csr (the request)
vCenter 6.0.0
root_signing_cert.key (the private key)
root_signing_cert.csr (the request)
Now we need to get the CSR (signing request).
[box]
cat /root/SSLCerts/vmca_issued_csr.csr
OR
cat /root/SSLCerts/root_signing_cert.csr
[/box]
Copy the certificate PEM file.
Open the web enrolment portal of your certificate services server, (https://server.domain.com/certsrv) > Request a certificate > Advanced Certificate Request > Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file > Paste in the PEM text > Remember to use the Subordinate Certificate Authority template > Submit.
Base 64 Encoded > Download Certificate > Save it somewhere you can find it, and give it a sensible name!
Now download the Base 64 version of your CA certificate from the main page of your certificate services website, (press ‘back’ a few times).
Now back in your SSH session, change to your SSLCerts directory, and create an ‘empty’ file to paste our certificate information into.
[box]
cd /root/SSLCerts/
touch vmca_signing_cert.cer
vi vmca_signing_cert.cer
[/box]
Open the certificate for the vCenter Appliance in a text editor, and PASTE IN BELOW it, the text from the Root-CA certificate. Then copy ALL the text to the clipboard, and go back to the SSH session.
Paste the text you have copied into the open ‘vi editor’ page (Press I, then P) > Save and Exit (Press Esc > :wq {enter})
If you ‘ls’ (that’s list short, or dir if you are a Windows type), you will see you now have a .CSR, a .KEY and a .CER file, (the names of which vary between version 6 and 6.5).
Version 6.5
Version 6.0
Launch the certificate-manager application again > Option 2 again > No (again) > Login (again) > ‘N’ > Option 2 (Import custom certificate(s)) > Give it the path to the certificate file > Then the path to the key file.
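Before feeding the .cer and .key files to certificate-manager, it is worth checking that the bundle you pasted together is actually what the import expects; a wrong paste order, the wrong template, or the key from a different CSR will only surface as an import error. The following is an added example, not part of the original article and not VMware's own tooling: a POSIX shell function using openssl that splits the pasted file into the appliance certificate and the CA certificate(s) below it, checks the private key matches the first certificate, verifies the chain, and confirms the certificate is marked as a CA (which the Subordinate Certification Authority template sets and an ordinary Web Server template does not). The file names follow the article's 6.5 naming; the 6.0 names work the same way.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the
# vmca_signing_cert.cer bundle before handing it to certificate-manager.
# Expects the layout the article describes: the vCenter certificate first,
# the issuing (root) CA certificate pasted below it, plus the private key
# that was generated with the CSR. File names follow the article; nothing
# here is VMware's own tooling.

set -u

# split_bundle BUNDLE LEAF_OUT CHAIN_OUT
# First PEM certificate goes to LEAF_OUT, every later one to CHAIN_OUT.
split_bundle() {
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$1" > "$2"
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n >= 2' "$1" > "$3"
}

# verify_vmca_bundle BUNDLE KEY
# Exit 0 only if: the bundle holds at least two certificates, the first one's
# public key matches KEY, it chains to the CA certs below it, and it is
# marked as a CA (the Subordinate CA template sets this; the Web Server
# template does not, which is why the wrong template fails on import).
verify_vmca_bundle() {
  bundle=$1
  key=$2
  tmp=$(mktemp -d) || return 1
  split_bundle "$bundle" "$tmp/leaf.pem" "$tmp/chain.pem"
  rc=0
  if [ ! -s "$tmp/chain.pem" ]; then
    echo "bundle must contain the issuing CA certificate after the vCenter certificate" >&2
    rc=1
  elif [ "$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "private key does not match the first certificate in the bundle" >&2
    rc=1
  elif ! openssl verify -CAfile "$tmp/chain.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
    echo "first certificate does not chain to the CA certificate(s) below it" >&2
    rc=1
  elif ! openssl x509 -in "$tmp/leaf.pem" -noout -text | grep -q 'CA:TRUE'; then
    echo "first certificate is not a CA certificate (wrong template?)" >&2
    rc=1
  fi
  rm -rf "$tmp"
  return $rc
}

# Usage on the appliance, from /root/SSLCerts (6.5 names; 6.0 uses root_signing_cert.*):
#   verify_vmca_bundle vmca_signing_cert.cer vmca_issued_key.key && echo "bundle OK"
```

The checks run in the order the failures are usually found: an empty chain means the root certificate was not pasted below, a key mismatch means the CSR and key came from different certificate-manager runs, and a missing CA:TRUE means the request was signed with the wrong template.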
The vCenter Appliance used to be simple to deploy from an OVA, but now you need to deploy it from another machine, (and it has to be a Windows machine).
Solution
Before you attempt to deploy the appliance, ‘pre-create’ its host records in your DNS.
Download the vCenter Appliance .ISO file and mount it on your Windows machine, navigate to the vcsa-ui-installer directory, and run the installer.exe file.
Install > Next > Accept the EULA > Next > Select Embedded Platform Services Controller* > Next.
*Note: For larger environments you can install the PSC on a separate appliance, and it handles things like single sign on, provisioning and certification etc.
Enter the details for the ESX server the appliance is getting deployed on > Next > Enter the name for the VC and its root password > Next > Select the deployment type > Next > Select the storage you want to deploy to, and whether you want to use thin provisioning > Next.
Fill in the IP details for the new appliance, and its DNS settings > Next > Finish.
The appliance will deploy > When completed, you can further configure the appliance > Next > Enter your NTP settings > Next.
Set the SSO configuration* > username = administrator@vsphere.local > Password = {something complex}, (you will need it in a minute! (DON’T EVER LOSE THESE CREDENTIALS!!)) > Next > I usually untick CIEP > Next > Finish
*Note: We will configure domain authentication later.
It will take a while to reconfigure, when complete click the hyperlink > vSphere Web Client > Log on with the credentials you entered above.
Join the vCenter Appliance to a Domain
You cannot perform domain authentication unless the appliance is a domain member, so first you need to join a domain.
Provide the domain name and an account, (with rights to add machines to the domain) > OK.
Nothing happens! This is normal don’t worry, you need to reboot the appliance, this can take a while (actually it reboots quite quickly, but it will be a while before you can login to the web console) > OK.
Over in Active Directory you will see a new computer object.
The only indication you will see on the appliance, is now you have a domain name, and the ability to ‘Leave’.
Enable Domain Authentication
Note: If you have a separate Platform Services Controller, use the following article instead;
I’m simply going to add my Domain Admins group to the administrators group on the Virtual Center, there are a number of different roles on ESX you can map to whatever domain groups you want to create.
Administration > Single Sign On > Configuration > Identity Sources > Add.
Active Directory (Integrated Windows Authentication) > Next > Your domain should be shown > Next > Finish.
Select your domain and set it as the default identity source.
Users and Groups > Groups > Administrators > Add.
Change the domain to yours, and add in the Domain Admins group > OK
In ‘Hosts and Clusters‘ view > Select the Virtual Center > Permissions > Add.
Select the Administrators ‘role’ > Then add the Domain Admins group in the same way you did above.
Add your licence code(s) > Next > Give them a sensible name > Next > Finish.
Assets Tab > Select the Virtual Center > Assign Licences > Select the appropriate licence > OK.
Deployment > System Configuration > Nodes > Manage > Advanced > Active Directory > Join.
Note: If you have already added hosts you can assign their licences here also, I will assign the host licences when I add the hosts to the cluster.
Create a vSphere DataCenter
In Hosts and Clusters view > Right click the vCenter > New DataCenter > Give it a name > OK
Create a vSphere Cluster
Right click the DataCenter you have just created > New Cluster > Give it a name > OK
Note: You can enable licensed features here, like DRS, HA, EVC etc. But I prefer to do this later.
Adding ESX Hosts to your vSphere Cluster
Right click your cluster > Add Host.
Enter the name or IP > Next > Enter the root account and password > Next (If you get a certificate warning click OK) > Next.
Select an appropriate licence, (or select the evaluation licence if you have not yet added any licences) > Next > I always disable lockdown mode > Next > Finish.
Related Articles, References, Credits, or External Links
Once deployed, authentication is handled by the appliance’s own internal user database, in larger organisations this is a little impractical. So the ability to create an Active Directory Group, and delegate access to Firesight to members of that group, is a little more versatile.
Solution
I’m making the assumption that the appliance does not already have external authentication setup at all, so I’ll cover everything from start to finish.
Newer Versions
Logon to the Appliance > System > Users > External Authentication > Add External Authentication Object
Older Versions
Logon to the Appliance > System > Local User Management > External Authentication > Create External Authentication Object.
Authentication Method: LDAP
Name: Choose a sensible name for the connection.
Server Type: MS Active Directory
Host Name/IP Address: the IP of your domain controller
Port: 389 (this is standard LDAP)
If you have a second Domain Controller enter the details here.
Note: In Active Directory, I’ve created a USER to make the connection to Active Directory with, and I’ve also created a SECURITY GROUP that my administrators will be in.
You can use the ldp.exe tool to locate and find the correct LDAP path for the user you created, (and the group because you will need that in a minute as well).
Base DN: Usually the root of the domain, in standard LDAP format.
Username: The LDAP path to the user you created.
Password: For the user above.
UI Access Attribute: sAMAccountName
Shell Access Attribute: sAMAccountName
I’m simply having one administrative group, if you have a granular RBAC requirement, there are a number of pre-configured roles you can assign your AD groups to, (or you can create custom ones). So I’m adding the LDAP path of my administrators group to the ‘Administrator’ role.
Also set the default role to ‘Security Analyst (Read Only)’.
Group Member Attribute: member.
Username: A user in the AD Administrative group you created.
Password: Password for the above account.
Press ‘Test’
All being well you should see a success, Press Save.
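The ‘Test’ button only tells you that the bind worked; it does not tell you whether the group DN you pasted is right, or whether your own account is actually in that group (if it is not, you land in the read-only default role). The following is an added example, not part of the original article or of Cisco's tooling: a POSIX shell script using ldapsearch (the OpenLDAP client tools) that does from a shell what the article suggests doing with ldp.exe, checking the service account can bind, that the administrators group object exists, and that a named user is a member of it. The domain controller name, DNs and account names in the usage lines are constructed placeholders. It uses plain LDAP on 389 to match the article's settings, which means the bind password crosses the network unencrypted; where the domain controllers support it, change the URI to ldaps:// on 636. The password is read from a file rather than put on the command line, so it is not visible to other local users in the process list.

```shell
#!/bin/sh
# Added example, not from the original article: check the LDAP settings from
# a shell with ldapsearch (OpenLDAP client tools) before typing them into the
# external authentication object. It does what the article suggests doing with
# ldp.exe: confirm the service account can bind, that the administrators group
# exists, and that a given user is a member of it. The domain controller
# address, DNs and account names in the usage lines are constructed
# placeholders, not values from the article.

set -u

# escape_filter_value STRING
# RFC 4515 escaping for a value placed inside an LDAP search filter, so a DN
# containing parentheses, '*' or '\' cannot break or widen the filter.
escape_filter_value() {
  printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# member_filter GROUP_DN USER_SAM
# Matches USER_SAM only when it is a direct member of GROUP_DN. The article's
# "Group Member Attribute: member" is the group-side view; memberOf is Active
# Directory's back-link to the same membership, which is easier to query per user.
member_filter() {
  printf '(&(objectClass=user)(sAMAccountName=%s)(memberOf=%s))\n' \
    "$(escape_filter_value "$2")" "$(escape_filter_value "$1")"
}

# ldap_check DC BASE_DN BIND_DN PASSWORD_FILE GROUP_DN USER_SAM
# Plain LDAP on 389 as in the article; the bind password travels unencrypted,
# so use ldaps:// (636) where the domain controllers support it. The password
# is read from a file (-y) rather than passed on the command line, where it
# would be visible to every local user via the process list.
ldap_check() {
  dc=$1; base=$2; bind_dn=$3; pw_file=$4; group_dn=$5; user=$6
  uri="ldap://$dc:389"
  # 1. Simple bind as the service account: this is what the "Test" button does.
  ldapsearch -LLL -x -H "$uri" -D "$bind_dn" -y "$pw_file" \
      -b "$base" -s base '(objectClass=*)' dn >/dev/null \
    || { echo "bind as $bind_dn failed"; return 1; }
  # 2. The group object must exist, so the role mapping has something to match.
  ldapsearch -LLL -x -H "$uri" -D "$bind_dn" -y "$pw_file" \
      -b "$group_dn" -s base '(objectClass=group)' dn >/dev/null \
    || { echo "group $group_dn not found"; return 1; }
  # 3. The user must be a member, otherwise they land in the default read-only role.
  out=$(ldapsearch -LLL -x -H "$uri" -D "$bind_dn" -y "$pw_file" \
      -b "$base" -s sub "$(member_filter "$group_dn" "$user")" dn)
  [ -n "$out" ] || { echo "$user is not a member of $group_dn"; return 1; }
  echo "ok: $user is a member of $group_dn"
}

# Usage (placeholder values):
#   printf '%s' 'svc-password' > /tmp/pw && chmod 600 /tmp/pw
#   ldap_check dc01.lab.local 'DC=lab,DC=local' \
#     'CN=svc-firepower,OU=Service Accounts,DC=lab,DC=local' /tmp/pw \
#     'CN=Firepower Admins,OU=Groups,DC=lab,DC=local' pete
```

The filter escaping matters more than it looks: group names in Active Directory frequently contain parentheses, and an unescaped ‘(’ or ‘*’ in a DN either breaks the search or turns it into a wildcard match.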
Newer Versions
Switch the ‘slider’ to enabled > Save > Save and Apply. (Now skip to All Systems below).
Older Versions
You now need to add this to the policy being applied to this appliance. System > Local System Policy > Select the policy in use > Edit.
External Authentication
Status: Enabled
Default User Role: System Analyst (Read Only)
Finally change the slider button and ensure it is ticked. Save policy and exit.
Now apply the policy (green tick).
Tick the appliance > Apply.
Success.
All Systems
Now you can login with your administrative AD accounts.
You can also create a local user to match an AD account.
And get the appliance to use AD for authentication of this user.
Related Articles, References, Credits, or External Links
I installed a Barracuda Web Filter 410 hardware appliance last week for a client on a 30 day trial. It was in ‘inline’ mode in front of their firewall and was happily logging all web activity and sites that were getting blocked. The problem was when you looked in the log this is what you saw;
With other vendors you simply need to put an agent in to fix this, and as it turns out Barracuda is no different.
Solution
I went onto the web and tried to get the agent, but you can download it straight from the appliance. (Users and Groups > Authentication Tab)
To proceed you need to add your domain controllers onto the Barracuda
Note: You will need a domain account (a simple domain user is fine, it does not need any additional rights). Here I’m connecting via 389, if you wanted to connect with LDAPS see the following article.
Once you have installed the ADAgent.exe, (on each domain controller), run it and enter your domain user account, and test it connects properly.
Then add in your Barracuda device.
Note: There’s nothing else you need to do in the agent, but while you are setting it up I suggest you set the logging level to debugging.
Now, before the successful logon events can be uploaded to the Barracuda, the domain controllers need to have auditing enabled for;
Audit account logon events (success)
Audit logon events (success)
Set this in the ‘local security policy’ on each of the domain controllers, (administrative tools local security policy).
On the Barracuda itself you now have to register the agent for each one you have deployed, after a few minutes they should ‘go green’. This is done on the same tab where you specified the domain controllers.
You now need to wait until your users have logged off and back on again before it starts logging properly so leave it a while to slowly populate.
Related Articles, References, Credits, or External Links
For most people that’s fine, but if you have a lot of FirePOWER devices to manage that does not scale well. In those cases you should use the FMC (FirePOWER Management Center). Here I’m going to use the VMware virtual appliance, (at time of writing there is no Hyper-V version).
This lets you create policies centrally and then deploy them to your devices in bulk.
Solution
Deploy the FirePOWER Management Center Appliance
Obviously before you start you need to have VMware (ESX or vCenter), with 250GB of storage free, (you can deploy it thin provisioned). You will also need to allocate 8GB of RAM and 4 virtual CPUs. Whichever network (or VMware port group) you connect the appliance to, it needs to have IP connectivity to the devices you intend to manage.
Download the FMC Appliance: Be aware it downloads in tar.gz format so on a Windows machine you will need something like 7Zip to uncompress the files. You WON’T find the file under the firewalls, they are listed under;
You will need to accept the EULA, then set the admin password, and some basic IP settings.
I’ve got IPv6 disabled, if you want to address the appliance with IPv6 enter the details here.
Even after the appliance has been imported and powered on it can take 20-30 minutes before you can log on. At this point I would go and do something else. If you really must, then open a ‘console’ session and wait until the logon prompt is shown. You can then logon to the web portal.
Go to System > Updates > Download and install any updates > Visit both the ‘Rule Updates’ and the ‘Geolocation Updates’ tabs and set a time to download them.
Don’t Install the licences Just Yet! Add your devices to the FMC first, then if there’s a problem and you need to rebuild/redeploy, you don’t have to go cap in hand to Cisco licensing to get the licences re-armed. To add the SFR devices see the following article;
Network Discovery: Older versions of the FMC used to only look for RFC 1918 IP ranges. This was changed at some point to 0.0.0.0/0 so you couldn’t misconfigure the system by having a private address space internally, for example. This was a good idea but I’ve seen some firewalls fall over trying to run discovery on every IP address they see! So let’s manually add in our subnets. Objects > Object Management > Add Network > Add Object > Add one for your internal network(s).
Policies > Network Discovery > Remove the 0.0.0.0 Rule.
Create a new discovery rule using just your subnet(s).
Adding Licences To FirePOWER Management Center
You used to have to licence the appliance itself, after version 6 you don’t need to do that, if you have a licence and you try and apply it nothing happens and you just see this message;
Note: FireSIGHT is the old name for FirePOWER Management Center.
What Licences do I need to Add? Your Next Generation Firewalls now come with a ‘CONTROL LICENSE‘ in the box, it is in a large white card envelope, you don’t need to open it the number you need is on the front of the envelope. You add a control licence for every device you want to manage (they do not expire).
System > Licences > Classic Licenses > You need to take a note of the ‘Licence Key’, (which is the MAC address of the appliance with a 66 in front of it). This is the serial number you need to enter on the Cisco licensing portal.
When you get the licence back, if you open it in a text editor, it will look like this (it’s essentially a digital certificate). Copy everything from ‘— BEGIN‘ to ‘License —‘
Paste in the text > Submit License.
Repeat for each licence (IDS, AMP, URL Filtering, etc.)
You will also need to allocate the licenses to devices. Devices > Device Management > Select the Device in question > Edit.
To use an intrusion policy the devices each need a ‘Protection‘ licence. Note: You get a protection licence now automatically when you add a CONTROL licence, but you still need to pay a subscription to legally obtain the updates.
Policies > Access control > Intrusion > Create Policy.
Give the policy a recognisable name > Create and Edit policy.
The policy it creates is based on the ‘Balanced Security and Connectivity’ Template. You might want to add a few extra rules > Rules > Blacklist > Select All.
Rule State > Drop and Generate Events.
Repeat for ‘Malware’. Note: This does NOT require an AMP licence!
Repeat for PUA (Potentially Unwanted Applications).
Repeat for ‘Indicator Compromise‘.
Repeat for ‘Exploit Kit‘.
Search for ‘1201’ and locate the ‘INDICATOR-COMPROMISE 403 Forbidden’ rule and DISABLE IT.
Policy Information > Commit Changes > OK.
Note: To be used, the Intrusion policy needs to be declared in an Access control policy (or set as a Default Action).
Also in the Access Policy set the logging to ‘Log at the end of connection‘.
As mentioned above you can also set it as the ‘Default Action‘.
Configuring FirePOWER AMP and File Policy
You need an AMP, (subscription based licence) to enable the ‘Malware Cloud Lookup, or Block Malware‘ Actions, but you can have a file policy and block specific file types.
Policies > Access Control > Malware and File > New File Policy.
Give the policy a name you will remember > Save.
Action = Malware Cloud lookup > Add in the files you want to scan > Below I’ve set it to store unknown files > Save.
Then create another rule below that, that detects all files.
As above, the file policy won’t be applied to anything unless you specify it in an access policy.
In the rule also set the logging to ‘log at the end of connection’.
Configuring FirePOWER URL Filtering Policy
You need to have a URL filtering licence allocated to the devices you want to use this policy on.
Unlike File policies and Intrusion policies, URL filtering is configured directly on your Access Control policy > Add Rule.
Here’s an example of blocking some categories you don’t want viewable in your organisation.
In a rule that only has URL filtering set the logging to ‘Log at the beginning of the connection‘.
When done, don’t forget to ‘Deploy‘ the new policy to your managed devices. Deploy > Select Devices > Deploy.
Related Articles, References, Credits, or External Links