WirelessPhreak.com

I like to travel, f*ck with technology, and partake in the occasional tropical drink.
I am also a co-host on The NBD Show podcast.

 

Enhanced Data Visualization Dashboard using Splunk

 

I am a fan of Palo Alto Networks NGFW, especially the visibility it can give you into your traffic. PAN does a pretty good job within their management tools of organizing and reporting on the data, but most of us also have large SIEMs or logging solutions like Elastic's ELK stack, Splunk, Exabeam, etc.

Splunk being one of the more popular SIEM and logging solutions, I created a PAN Threat Dashboard that I wanted to share. If you have Splunk running in your environment and the Splunk Palo Alto Networks add-on installed, all the pre-defined fields should work correctly. If not, you may need to tweak one or two fields in the dashboard to make it work. When you copy the code from my GitHub, save it in a text editor and perform the following steps. It should be up and running in your environment in no time.

 
You will need to identify your Palo Alto firewall host= fields (how Splunk identifies the device sending logs) to populate the field2 drop-down menus.
 

Directions:

  1. Log into Splunk and go to Search.
  2. Click on Dashboards and create a new dashboard.
  3. Once you have created your new dashboard, go to Edit and select the Source tab at the top.
  4. Clear out the default text in the dashboard and copy and paste the dashboard from GitHub.
  5. Before you save the dashboard, you will need to identify your Palo Alto firewall host= fields to populate the field2 drop-down menus; I currently have placeholders firewall-1, firewall-2, etc. configured.
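If you manage several firewalls, step 5 is easier to script than to edit by hand. The following Python is an added example, not the dashboard from my GitHub and not Palo Alto or Splunk code: it loads a dashboard source (the small SAMPLE_DASHBOARD below is a constructed stand-in for the real one), finds the field2 drop-down, replaces the firewall-1/firewall-2 placeholder choices with your real host= values, and reports any placeholders left behind. The HOST_DISCOVERY_SEARCH string is the kind of search you would run first to list those host values; the index name pan_logs and the sourcetype pan:threat in it are assumptions about your add-on setup.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the dashboard source (the real dashboard is much
# longer); the part that matters is the dropdown bound to the field2 token.
SAMPLE_DASHBOARD = """<form>
  <label>PAN Threat Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="field2">
      <label>Firewall</label>
      <choice value="firewall-1">firewall-1</choice>
      <choice value="firewall-2">firewall-2</choice>
      <default>firewall-1</default>
    </input>
  </fieldset>
  <row><panel><chart>
    <search><query>index=pan_logs host=$field2$ log_subtype=threat | timechart count by severity</query></search>
  </chart></panel></row>
</form>"""

# Search to list the host= values Splunk has seen for PAN threat logs.
# Assumed index and sourcetype; adjust to your environment.
HOST_DISCOVERY_SEARCH = "index=pan_logs sourcetype=pan:threat | stats count by host"

PLACEHOLDER_PREFIX = "firewall-"


def find_host_dropdowns(root, token="field2"):
    """Return every <input type="dropdown"> bound to the given token."""
    return [el for el in root.iter("input")
            if el.get("type") == "dropdown" and el.get("token") == token]


def replace_placeholder_hosts(xml_text, hosts, token="field2"):
    """Swap the placeholder <choice> entries for real firewall host values.

    The first host becomes the <default>; the <label> and the searches that
    reference $field2$ are left untouched.
    """
    if not hosts:
        raise ValueError("need at least one firewall host")
    root = ET.fromstring(xml_text)
    dropdowns = find_host_dropdowns(root, token)
    if not dropdowns:
        raise ValueError(f"no dropdown bound to token {token!r} in dashboard")
    for dropdown in dropdowns:
        for child in list(dropdown):
            if child.tag in ("choice", "default"):
                dropdown.remove(child)
        for host in hosts:
            choice = ET.SubElement(dropdown, "choice", value=host)
            choice.text = host
        default = ET.SubElement(dropdown, "default")
        default.text = hosts[0]
    return ET.tostring(root, encoding="unicode")


def remaining_placeholders(xml_text, token="field2"):
    """List placeholder host values still present, so you can check before saving."""
    root = ET.fromstring(xml_text)
    return [choice.get("value")
            for dropdown in find_host_dropdowns(root, token)
            for choice in dropdown.findall("choice")
            if choice.get("value", "").startswith(PLACEHOLDER_PREFIX)]


if __name__ == "__main__":
    # Constructed host names; use the output of HOST_DISCOVERY_SEARCH instead.
    my_firewalls = ["pa-dc1-fw01", "pa-dc2-fw01"]
    print("placeholders before:", remaining_placeholders(SAMPLE_DASHBOARD))
    updated = replace_placeholder_hosts(SAMPLE_DASHBOARD, my_firewalls)
    print("placeholders after:", remaining_placeholders(updated))
    print(updated)
```

Paste the printed XML into the dashboard's Source tab in place of the original. Because the script only touches the choices inside the field2 input, the panel searches keep their `$field2$` token and continue to filter on whichever firewall is selected.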

 

You should be good to go!

The following is complete speculation, but I wanted to at least start a discussion around what could have happened at Facebook today.

I don't think it was an honest mistake that caused the Facebook outage. With DNS reported down, BGP routing issues, and reports that even internal networks are affected, this looks bigger than a single mistake. Facebook most certainly has complicated network segmentation and redundancy in place for their internal and external networks.

Also, the timing is very suspect since it is the day after the Facebook Whistleblower interview on 60 Minutes.

If this isn't the work of a disgruntled employee, it is some sophisticated shit, and they have been living rent-free in the Facebook network for a long time. They got all the bytes they need and decided to blow that shit up after the interview.

I hope Facebook shares the details of the outage. If it was indeed an internal error that caused the outage, it may be an eye-opener for other large platforms to learn from the mistake. If it was nefarious activity that caused this, it could be an epic learning opportunity for the cybersecurity world.

Either way please share the outcome Facebook....


 
Soft and chewy chocolate chip cookies. I like all cookies, but chewy warm chocolate chip cookies are my favorite. Since there are only two of us, the recipe I posted is cut in half. Just double it if you want the full batch; the half batch will make about 1 1/2 dozen.
 

Ingredients

  • 1 1/8 cups of all-purpose flour
  • 1/4 teaspoon of baking soda
  • 1 stick of unsalted butter (room temperature)
  • 1/4 cup of granulated sugar
  • 1/2 cup of packed brown sugar
  • 1/2 teaspoon of kosher salt
  • 1 teaspoon of vanilla extract
  • 1 large egg
  • 1 cup of semi-sweet chocolate chips

 

Directions

  1. Preheat oven to 350°F with racks in the upper and lower third positions.
  2. In a small bowl, whisk together flour and baking soda; set aside.
  3. In the bowl of a stand mixer fitted with the paddle attachment, beat butter and both sugars on medium speed until light and fluffy, about 3 minutes.
  4. Add salt, vanilla, and eggs; mix to combine.
  5. Reduce speed to low and gradually add flour mixture, mixing until just combined.
  6. Mix in chocolate chips.

 

Preparing to Bake

  1. Using a tablespoon measure, drop heaping portions of dough about 2 inches apart on baking sheets lined with parchment paper.

 

Baking

  1. Bake until cookies are golden around the edges but still soft in the center, 8 to 10 minutes.
  2. Remove from oven, and let cool on baking sheet 1 to 2 minutes.
  3. Transfer cookies to a wire rack and let cool completely. Store cookies in an airtight container at room temperature up to 1 week.


Recently there has been a change in behavior when a user tries to upgrade the GP client: they are challenged for the uninstall password if one is configured. Working with Palo Alto Networks TAC, we identified that during the upgrade the GP client package uninstalls the old version first before it begins to install the new package. In GP client 5.2.4 and older, the upgrade would complete even if uninstall was set to password or disallow. This was identified as a software issue, so in clients 5.2.5 and newer the ability to upgrade the client with the uninstall option set to password or disallow was disabled.

In a nutshell, with the new GP clients you will need to set the client setting to allow uninstall if you want to use the GlobalProtect client upgrade process.


For clients 5.2.4 or older, the behavior is as follows:

  • If you are using a GP version older than 5.2.4, the transparent upgrade should work: the user has no interaction, and the client can upgrade even if Allow User to Uninstall is set to Disallow.

 

Starting with 5.2.5 or above, the behavior is as follows:

  • Allow User to Uninstall GlobalProtect App set to Allow, and Allow User to Upgrade GlobalProtect App set to Allow with Prompt/Manually/Transparently: the users will be able to upgrade transparently without any interaction, and no passcode/password will be required.
  • Allow User to Uninstall GlobalProtect App set to Disallow, and Allow User to Upgrade GlobalProtect App set to Allow with Prompt/Manually/Transparently: the upgrade will be blocked.
  • Allow User to Uninstall GlobalProtect App set to "Allow with password", and Allow User to Upgrade GlobalProtect App set to Allow with Prompt/Manually/Transparently: the users will need to enter the uninstall password to complete the upgrade.

To allow the users to upgrade without providing them a password, you will need to use the following:

  • Allow User to Uninstall GlobalProtect App set to Allow
  • Allow User to Upgrade GlobalProtect App set to Allow with Prompt/Manually/Transparently.
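Before rolling 5.2.5+ out, it is worth checking every agent config profile on the portal against the rules above rather than discovering the password prompt from help-desk tickets. The following Python is an added example, not Palo Alto code and not tied to any portal API: you feed it the client version you are upgrading to and each profile's two app settings (transcribed from the portal, or exported however you like), and it predicts the upgrade outcome and names the setting to change. The profile names, the hotfix-suffix handling in parse_version, and the SAMPLE_PROFILES data are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Values of the two GlobalProtect app settings discussed in the post.
ALLOW = "Allow"
DISALLOW = "Disallow"
ALLOW_WITH_PASSWORD = "Allow with password"
UPGRADE_MODES = {"Allow with Prompt", "Allow Manually", "Allow Transparently"}

# First client version in which the uninstall setting gates the upgrade.
UNINSTALL_GATES_UPGRADE_FROM = (5, 2, 5)


def parse_version(text):
    """Turn '5.2.5' into (5, 2, 5) for comparison.

    Anything after a '-' (e.g. a hotfix tag) is ignored; that suffix handling
    is an assumption made here, not something the post states.
    """
    base = text.split("-", 1)[0]
    return tuple(int(part) for part in base.split("."))


@dataclass
class AgentProfile:
    name: str             # portal agent config name (constructed)
    client_version: str   # client version the upgrade runs on
    allow_uninstall: str  # ALLOW, DISALLOW or ALLOW_WITH_PASSWORD
    allow_upgrade: str    # one of UPGRADE_MODES, or DISALLOW


def upgrade_outcome(profile):
    """Predict what the user sees when the portal offers an upgrade.

    Returns 'transparent', 'password-prompt', 'blocked' or 'upgrade-disabled'.
    """
    if profile.allow_upgrade == DISALLOW:
        return "upgrade-disabled"
    if profile.allow_upgrade not in UPGRADE_MODES:
        raise ValueError(f"unknown upgrade setting: {profile.allow_upgrade!r}")
    # Pre-5.2.5 clients upgraded regardless of the uninstall setting.
    if parse_version(profile.client_version) < UNINSTALL_GATES_UPGRADE_FROM:
        return "transparent"
    outcomes = {
        ALLOW: "transparent",
        ALLOW_WITH_PASSWORD: "password-prompt",
        DISALLOW: "blocked",
    }
    if profile.allow_uninstall not in outcomes:
        raise ValueError(f"unknown uninstall setting: {profile.allow_uninstall!r}")
    return outcomes[profile.allow_uninstall]


def audit(profiles):
    """Return (name, outcome, fix) for each profile whose upgrade will not run silently."""
    findings = []
    for profile in profiles:
        outcome = upgrade_outcome(profile)
        if outcome == "transparent":
            continue
        if outcome == "upgrade-disabled":
            fix = "set Allow User to Upgrade GlobalProtect App to Allow Transparently (or with Prompt/Manually)"
        else:
            fix = "set Allow User to Uninstall GlobalProtect App to Allow"
        findings.append((profile.name, outcome, fix))
    return findings


# Constructed sample profiles, not taken from any real portal.
SAMPLE_PROFILES = [
    AgentProfile("corp-laptops", "5.2.8", DISALLOW, "Allow Transparently"),
    AgentProfile("contractors", "5.2.8", ALLOW_WITH_PASSWORD, "Allow with Prompt"),
    AgentProfile("kiosks", "5.2.8", ALLOW, "Disallow"),
    AgentProfile("legacy-5.2.4", "5.2.4", DISALLOW, "Allow Transparently"),
    AgentProfile("fixed", "5.2.8", ALLOW, "Allow Manually"),
]

if __name__ == "__main__":
    for name, outcome, fix in audit(SAMPLE_PROFILES):
        print(f"{name}: {outcome} -> {fix}")
```

Profiles that come back "transparent" need no change; "blocked" and "password-prompt" are exactly the two cases TAC described, and the suggested fix for both is the Allow setting recommended below.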

 

My personal recommendation is to allow the client uninstall so you can leverage the GP client upgrade process. I feel the ability to upgrade the clients to ensure functionality and security is more important than blocking them from uninstalling the client. In addition, we have tested with users who are not admins on the local machine, and they were unable to uninstall the client from the Windows software manager. So that is a win...


Perhaps the client upgrade functionality can also be managed with an MDM solution or with a software management tool like SCCM, but it will take some testing to find the best process that works for your environment.
