Basics of Active Directory
With LDAP syntax the Bind DN, or the user authenticating to the LDAP Directory, is derived by using LDAP syntax and going up the tree starting at the user component.

For example, the user user1 is contained in the Users container, under the example.com domain. The corresponding Bind DN will look like the following:

CN=user1,CN=Users,DC=example,DC=com, but this will be discussed in more detail in the following steps.

In the following example, the domain example.com is used to find the Distinguished Name (Bind DN field for the Symantec Encryption Management Server) for user1. After obtaining the correct Distinguished Name, Softerra can be utilized to find users, attributes, and values. The query is detailed below and can be used with Active Directory 2003 and above.

Type the following command and press Enter

dsquery user dc=example,dc=com -name username-here*

If your user has a long name, the * will do a wildcard match for that user.  For the example below, we’ll use a username of “user1”

Or

dsquery user dc=example,dc=com -name user1

These commands will return the correct Bind DN:
“CN=user1,CN=Users,DC=example,DC=com”

Live example:
dsquery user dc=advanxer,dc=com -name palo*
“CN=Palo Alto User ID,OU=Service Accounts,OU=Users,DC=Advanxer,DC=com”

Configure the following on the Active Directory (AD) Server and the Palo Alto Networks device:

  1. Create the service account in AD, which is utilized on the device. Be sure the user is part of thethe following Groups:
    – Distributed COM Users
    – Event Log Readers
    – Server Operators
    Note: Domain Admin privileges are not required for the User-ID service account to function properly, see Best Practices for Securing User-ID Deploymentsfor more information.

    In Windows 2003, the service account must be given the “Audit and manage security log” user right through a group policy. Making the account a member of the Domain Administrators group provides rights for all operations. The built-in group named “Event Log Readers” is not available in Windows 2003.
    2016-08-10_08-13-20.jpg

  2. The device uses WMI Authentication and the user must modify the CIMV2 security properties on the AD server that connects to the device.
  3. Run ‘wmimgmt.msc’ on the command prompt to open the console and select these properties:2016-07-13_09-50-02.jpg
  4. From the Security tab on WMI Control Properties:
    1.) Select the CIMV2 folder.
    2.) Click Security,
    3.) Click Add and then select the service account from Step 1.
    4.) In this case, it is [email protected].
    5.) For this account, check both Allow for Enable Account and Remote Enable:
    6.) Click Apply,
    7.) Then click OK.
    2016-08-09_userid1.png
  5. Back in the Palo Alto WebGUI, Select Device > User Identification > User Mapping, then click the edit sproket in the upper right corner to complete the Palo Alto Networks User-ID Agent Setup.2016-08-09_userid2.png
  6. Be sure to configure with the domain\username format for username under WMI Authentication tab along with valid credentials for that user.
  7. Enable the Server Monitor options and enable the security log/enable session accordingly.
    Client probing is enabled by default, so disable if desired.
  8. If the domain is configured during Setup in the General Settings/Domain field, the user can elect to discover servers with which to connect. If not, manually add a server to the device:2016-07-13_10-02-16.jpg
  9. Confirm connectivity through the WebGUI or the CLI:
    > show user server-monitor statistics 
    
    Directory Servers:  
    Name                           TYPE     Host            Vsys    Status           
    -----------------------------------------------------------------------------   
    pantacad2003.pantac.lab        AD       pantacad2003.pantac.lab vsys1   Connected

    2016-07-13_10-02-17.jpg

  10. Confirm that ip-user-mapping is working.
    > show user ip-user-mapping all
    
    IP              Vsys  From    User                            IdleTimeout(s) MaxTimeout(s)
    --------------- ------ ------- -------------------------------- -------------- ----------
    192.168.28.15    vsys1  AD      pantac\tom                      2576          2541
    192.168.29.106   vsys1  AD      pantac\userid                   2660          2624
    192.168.29.110   vsys1  AD      pantac\userid                   2675          2638
    Total: 3 users
  11. Ensure Enable User Identification is enabled on the zones where identifiable traffic will be initiated. Select the zone in Network > Zone.
    2016-08-09_userid3.png

Situation:
You have HTTP service running on non-standard port and Palo Alto is blocking it

Steps:
1. Define new application
2. Apply policy

Define new application
1. Go to Object→Applications→Add
2. From the Application window, fill up necessary info as per below example.

Apply policy
1. Go to Policy→Application Override→Add
2. Create new policy and select custom application, set to allow

Situation:
1. You need to do hardware swap (POC unit to actual unit)
2. You don’t have Panorama, and you need to do hardware swap due to RMA

Steps:
1. Ensure components are in the same version
2. Export and Import config
3. Commit configuration

Ensure components are in the same version
1. Make sure all components (PAN-OS, PAN-DB, Threat Prevention, Wildfire, GlobalProtect) are in the same version, license too.
1. To do PAN-OS software update, navigate to Device→Software
2. To do components update, navigate to Device→Dynamic Updates
3. To do PAN-DB update, navigate to Device→Licenses→PAN-DB Url Filtering

Export and Import config
1. From the old unit, navigate to Device→Setup→Operations

2. Click “Save named configuration snapshot” and give it a name. Example: ABC123.xml

3. Click “Export named configuration snapshot” and select ABC123.xml.

4. From the new unit, navigate to Device→Setup→Operations
5. Click “Import named configuration snapshot” and select ABC123.xml (config file from old unit)
6. Once imported, click “Load named configuration snapshot” and select ABC123.xml

Commit configuration
1. When you click commit, the firewall will start applying the configuration, meaning there’s a possibility that the ip will be duplicated in the network.
2. Normally I only connect Management port in the new unit, and leave other interfaces unplugged.
3. Click commit, and immediately unplug Management interface in the old unit. You will no longer have access to the old unit. New unit will be taking over the Management ip.

Streisand sets up a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, a Tor bridge, and WireGuard. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.

The problem with Streisand though is the install is amazingly complicated using ansible from your local system to a cloud provider using API calls and if you are not in a shop that uses this technology it can be difficult to get working correctly

Method 1
Below script is an automated bash script to enable streisand vpn server to your traditional VPS

Method 2
Installing Streisand from Mac OS to Ubuntu 16.04 VPS. I will be executing the ansible playbook from my Mac OS Sierra (with homebrew)

Install git
brew install git

Install pip
sudo easy_install pip
sudo pip install pycurl

Homebrew library fix
/Library/Python/2.7/lib/python/site-packages
echo '/usr/local/lib/python2.7/site-packages' > ~/Library/Python/2.7/lib/python/site-packages/homebrew.pth

Install Ansible (via pip)
sudo pip install ansible markupsafe

Clone the Streisand repository and enter the directory.
git clone https://github.com/jlund/streisand.git && cd streisand

Edit the inventory file and uncomment the final two lines. Replace the sample IP with the address (or addresses) of the servers you wish to configure.
nano inventory
[streisand-host]
195.112.97.180 ansible_user=root

Execute script
ansible-playbook playbooks/streisand.yml --ask-pass

Credit:
https://github.com/jlund/streisand

The VPN You Should Be Using


http://stackoverflow.com/questions/34854806/ansible-permission-denied-publickey-password

I just noticed that my VPS just expired 3 weeks ago, and there is no way to retrieve it back. That VPS equipped with 128MB RAM, 10GB HDD space for USD4.99 per year (damn cheap).

Then I’m seeking for another poor man VPS. I do not need humongous memory and disk space, just enough for me to SSH and perform remote network troubleshooting (nmap, nslookup, dig, telnet and sometimes for R&D purpose). Ramnode was the best candidate due to their SSD or SSD-Cached disk, but I want to explore another cheap provider.

I found a good deal with HostUS, for USD12 per year they provide:
– 768MB RAM
– 768MB vSwap
– 1 vCPU Core (Fair Use)
– 20GB Disk Space
– 2TB transfer
– 1Gbps uplink
– 1x IPv4
– 4x IPv6
– OpenVZ / Breeze Panel

Breeze Panel is their modified WHCMS integrated with SolusVM (maybe).
vps1
Benchmark:
hwinfo
bench

USD12/year available from this link (affiliate). You can’t find from their main page. While stock last.

p/s: From TM Unifi, I’m getting better latency when I choose London Data Center.
pp/s: You can also use coupon code TOPPROVIDER for 20% off any unmanaged plans on their site

HP Procurve
Download latest firmware from https://h10145.www1.hpe.com/support/SupportLookUp.aspx
ProCurve Switch 2510B-24#copy flash tftp 192.168.1.12 Q_11_07.swi (make a firmware backup to TFTP server)
ProCurve Switch 2510B-24#copy tftp flash 192.168.1.12 Q_11_73.swi primary (download new firmware and overwrite primary storage)
ProCurve Switch 2510B-24#boot system flash primary (optional, to switch to primary image)

3COM (4500G)
<4500>delete /unreserved s3p01_00.web
<4500>delete /unreserved s3n03_01_00s56p01.app
<4500>tftp 192.168.0.1 get s3q05_02_00s168p20.app
<4500>tftp 192.168.0.1 get s3r05_06.btm

Next step is to configure which files will be used by the switch on the next boot.
<4500>boot-loader file flash:/s3q05_02_00s168p20.app
<4500>bootrom update file flash:/s3r05_06.btm
<4500>save

This post shows how to configure a TACACS+ server for system authentication in Juniper SRX with open source tac_plus software.

Brocade IronStack configuration
aaa authentication web-server default local
aaa authentication login default tacacs+ enable local
aaa authentication login privilege-mode
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
tacacs-server host 10.14.14.55
tacacs-server host 10.18.15.145
tacacs-server key NASKEYHERE
tacacs-server timeout 10
ip tacacs source-interface ve 998

reference: http://www1.brocade.com/downloads/documents/html_product_manuals/FI_ICX6650_07500_SCG/wwhelp/wwhimpl/common/html/wwhelp.htm#context=Security-converted&file=FI_Security.03.6.html