WirelessPhreak.com

I like to travel, f*ck with technology, and partake in the occasional tropical drink.
I am also a co-host on The NBD Show podcast.


After experiencing the Gingerbread cookies at Disneyland I started a quest to come up with a gingerbread cookie that was almost as good. The following is a combination of multiple Disneyland recipes I found online and a few rounds of trial and error to tweak the final recipe.

Enjoy!

Gingerbread Ingredients:

  • 1 1/2 sticks unsalted butter
  • 3/4 cup brown sugar
  • 2/3 cup “fancy” dark molasses *make sure it doesn’t say cooking, blackstrap, unsulphured, or lite
  • 1 egg
  • 3 1/2 cups all-purpose flour
  • 1/2 tsp. baking soda
  • 1 tsp. ground cloves
  • 3 tsp. ground cinnamon
  • 3 tsp. ground ginger
  • 3/4 tsp. salt
  • 1/4 tsp. ground cardamom
  • 1 tsp. vanilla extract 
  • 1/2 cup of water 

Gingerbread Instructions:

  • In a large mixing bowl, cream butter and brown sugar.
  • Add dark molasses and mix until completely blended.
  • Mix in the egg
  • Sift the dry ingredients together and add to butter mixture, 1/3 at a time.
  • Blend well.
  • Add water until dough comes together.
  • Wrap dough in plastic wrap and chill in refrigerator at least 1 hour, or up to a few days.
  • Preheat oven to 350 degrees. Grease cookie sheets or line with parchment paper.
  • Use a floured rolling pin to roll out dough on a floured surface, about 1/8th inch thick. (Don’t be afraid to use plenty of flour.)
  • Cut into desired shapes.
  • Bake at 350 degrees for 8-10 minutes. Cool on wire racks.
  • Optional: Decorate with Royal Icing or a light glaze when completely cooled.

I recently had a friend tell me, "I went to your website looking for a wireless router recommendation and couldn't find one," and I felt sad I had let them down. So it may be too late for my friend, but I do have a couple of thoughts about wireless in your home.

Wireless has evolved quite a bit since the 802.11b days, and much of the technology developed for the enterprise has moved into the home in the form of mesh wifi. Mesh wifi uses multiple access points to provide a more consistent and reliable network throughout your house. Traditional wireless routers needed to be powerful because a single router had to penetrate multiple walls, windows and the like. Because each mesh node only needs to cover a smaller area, it can use a dedicated radio or a wired connection to backhaul traffic to your router or modem.

If you live in a small to medium home built with sheetrock walls you can get away with one router. Where mesh wifi truly excels is in older homes with plaster walls, larger homes, and multi-story homes; in those situations the mesh design proves invaluable. I also have friends who live in condos or larger apartments where there is so much wifi pollution they cannot find a clear channel in the 2.4 GHz spectrum. Setting up mesh wifi and making more use of the 5 GHz spectrum will definitely provide a more consistent and reliable wifi experience.

Luckily the price of mesh systems is dropping to the point where it is competitive with mid to high end standalone wireless routers. I can't think of a scenario where you wouldn't want to go mesh. In addition to the excellent coverage, many of the more popular mesh vendors are very aggressive about software updates and automatic over-the-air updates, almost eliminating the need to check for updates by hand: truly set it and forget it.

Not to promote any one brand, but I have the eero and really love it. I get coverage from my driveway to my pool and it has been a true set-it-and-forget-it setup. I have friends that have the Linksys VELOP and they also love mesh wireless since they put it in.

I hope this helped if you were in the middle of a wireless decision.

Fun F5 Troubleshooting

Test your HTTP health monitor (keep alive) send string from the F5 CLI:
Using curl (the empty User-Agent: and Accept: headers strip curl's defaults so the request looks like what the monitor sends, and Connection: Close makes the server end the connection after one response):
     curl -vvv -H "Host: domain.com" -H "Connection: Close" -H "User-Agent:" -H "Accept:" serverip:port/uripath.html

Using telnet:
telnet serverip port
Then type the request line of your send string, any headers it carries (at least Host:), and finish with an empty line (press Enter twice):
     GET /uripath.html HTTP/1.1
     Host: domain.com
     Connection: Close

From the above commands you will see exactly what the pool member returns when the F5 sends the monitor request. From the returned HTTP response you can pick the best data to use as the receive string, for example the status line (HTTP/1.1 200 OK) or a string that only appears in the body of a healthy page.
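Here is an added example (mine, not from the post) that does in Python what the curl and telnet tests above do by hand: it emulates a BIG-IP HTTP monitor by writing a raw send string to a TCP socket and checking the response for a receive string. The server it probes is a constructed stand-in started on loopback so the example runs offline; domain.com and /uripath.html are placeholders taken from the post, and the HTTP/1.1 200 receive string is my choice.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Tuple

# Send string in the form a BIG-IP HTTP monitor uses: an explicit HTTP/1.1 request
# line, a Host header, and Connection: Close so the server ends the connection after
# one response. domain.com and /uripath.html are placeholders from the post.
SEND_STRING = (
    "GET /uripath.html HTTP/1.1\r\n"
    "Host: domain.com\r\n"
    "Connection: Close\r\n"
    "\r\n"
)
RECEIVE_STRING = "HTTP/1.1 200"


class _MonitoredApp(BaseHTTPRequestHandler):
    """Constructed stand-in for the pool member: 200 on /uripath.html, 404 elsewhere."""

    protocol_version = "HTTP/1.1"

    def do_GET(self):
        if self.path == "/uripath.html":
            body = b"<html><body>healthy</body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404, "Not Found")

    def log_message(self, *args):  # keep the example quiet
        pass


def start_test_server() -> HTTPServer:
    """Start the stand-in pool member on 127.0.0.1 and an ephemeral port."""
    server = HTTPServer(("127.0.0.1", 0), _MonitoredApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host: str, port: int, send_string: str, receive_string: str,
          timeout: float = 3.0) -> Tuple[bool, str]:
    """Do what the monitor does: open a TCP connection, write the raw send string,
    read until the server closes (or the timeout expires), and report whether the
    receive string appears anywhere in what came back."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(send_string.encode("ascii"))
        try:
            while True:
                data = sock.recv(4096)
                if not data:  # server closed: this is what Connection: Close buys you
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # server kept the connection open; we only get here after the timeout
    response = b"".join(chunks).decode("ascii", errors="replace")
    return receive_string in response, response


if __name__ == "__main__":
    server = start_test_server()
    try:
        ok, response = probe("127.0.0.1", server.server_address[1], SEND_STRING, RECEIVE_STRING)
        print("monitor UP" if ok else "monitor DOWN")
        print(response.splitlines()[0])
    finally:
        server.shutdown()
```

If you drop the Connection: Close header while keeping HTTP/1.1, the stand-in server keeps the connection open and probe() only returns when the socket times out: that is the keep-alive behaviour that makes a monitor look slow or flap, and the reason the curl command above sets that header.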




So F5 licensing has always been kind of funky. I am not saying it's bad, but I've just always wondered why the auto license update didn't work. Then recently we licensed ASM and again had to perform the manual license process; it went well as it always had, but we were not getting ASM signature updates.

So it was time to dive into the F5 and start troubleshooting. The first thing was to confirm that the F5 could resolve the DNS name for the service updates... Check!

Next, you need to check the routing. There are two routing tables: the LTM (TMM) table and the sys management routing table. The LTM routing table had a default route that was not able to reach the internet. This was by design, since the interface it would have used sits in a secure DMZ. This may not affect you if you allow your F5 to reach the internet directly, but we did not have that luxury.

So this is where we were a little confused. One would think the license update and ASM signature updates would follow the sys management routing table; unfortunately, that isn't the case. We discovered that the F5's attempts to reach out were following the LTM default route and not the defined sys management-route default.

Once the issue was identified it was easily resolved by adding a route for the F5 services to the sys management routing table, outlined below.

10.0.0.1 Is the internal gateway or next hop in this scenario.
104.219.104.0/21 Is the IP space for F5 services.
The rest should be self-explanatory.
sys management-route F5_Service_Route {
    gateway 10.0.0.1
    network 104.219.104.0/21
}

sysadmin@(f5-guest-01)(cfg-sync Changes Pending)(/S1-green-P::Active)(/Common)(tmos)# create sys management-route F5_Service_Route network 104.219.104.0/21 gateway 10.0.0.1
sysadmin@(f5-guest-01)(cfg-sync Changes Pending)(/S1-green-P::Active)(/Common)(tmos)# list sys management-route
sys management-route F5_Service_Route {
    gateway 10.0.0.1
    network 104.219.104.0/21
}
sys management-route tacacs2 {
    gateway 10.0.0.1
    network 10.0.0.10/32
}
sys management-route tacacs1 {
    gateway 10.0.0.1
    network 10.1.1.10/32
}
sys management-route default {
    gateway 10.0.0.1
    network default
}


Lastly, this article has a lot of good info about setting up ASM and attack signatures:
https://api-u.f5.com/support/kb-articles/K8217?pdf
After we added the sys management-route we were able to perform automatic license retrievals and get our ASM signature updates. I hope this helps anyone also stumped by the same issue.





Enjoy!


Load Balancing Multiple Tier Applications
Many multi-tier applications use proxy servers (PS). Proxy servers often provide authentication and/or security controls in front of the web application servers (WebAPP).

In this scenario an F5 virtual server sits in front of the PS servers and uses source IP persistence. This means that, based on the client's source IP, the client is sent to the same back-end PS server each time.

The WebAPP virtual server behind the proxy servers uses HTTP cookie insert persistence. The F5 inserts a cookie into the response to the client's browser even though the request passed through the PS server. When that client connects to the web application again through the PS server, the browser presents the cookie in its request header; the F5 decodes it (or decrypts it, if cookie encryption is enabled in the profile) and sends the request to the Web APP server the cookie names.

Source IP benefits and shortcomings
Benefits:
There is no dependency on the client's device or software such as browser or OS.
It is very easy to troubleshoot, and the current state of a client's persistence can be viewed on the F5 with a CLI command (show ltm persistence persist-records).
It is a proven persistence method and is very dependable.
Many apps I have configured to use source IP have seen fairly balanced load distribution.

Shortcomings:
It will not give you as evenly distributed a load as session-based persistence, especially when many users sit behind a NAT and share one source IP.
It is not the correct persistence method for the web application tier, since the only IP addresses that tier sees are those of the PS servers.

HTTP cookie benefits and shortcomings:
Benefits:
This is session-based persistence, which means it does not persist each machine or IP but the actual web session the client has open. When the user closes the browser the session cookie is discarded.
It creates a very balanced load between back-end servers.
Shortcomings:
Dependent on user machines, browsers, security policies, or OS. If their systems or software do not support the cookie (encrypted or not), or their policy is not to accept or store cookies, persistence breaks.
More difficult to troubleshoot and map users back to a machine without actually having the client's cookie.
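As an added illustration (not part of the original post) of what the persistence cookie actually carries and why it is harder to map back to a server without it: the default BIG-IP cookie insert value is an encoding, not an encryption, of the pool member's IP and port, and the default cookie name BIGipServer<pool> carries the pool name. The Python below decodes and encodes that format and pulls pool members out of a Cookie: header. The value 1677787402.36895.0000 is the well-known sample that decodes to 10.1.1.100:8080; the pool name webapp_pool and the header line are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Default BIG-IP cookie-insert value: <encoded IPv4>.<encoded port>.0000
_COOKIE_VALUE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
# Default cookie name: BIGipServer followed by the pool name
_COOKIE_NAME = re.compile(r"^BIGipServer(.+)$")


def decode_bigip_cookie(value: str) -> Optional[Tuple[str, int]]:
    """Turn a default (unencrypted) BIG-IP persistence cookie value into (ip, port).

    The IPv4 address is stored as a little-endian 32-bit integer and the port as a
    byte-swapped 16-bit integer, so 1677787402.36895.0000 -> ("10.1.1.100", 8080).
    Returns None for anything not in the default encoding (for example an
    encrypted cookie, whose value is opaque text).
    """
    m = _COOKIE_VALUE.match(value.strip())
    if not m:
        return None
    ip_enc, port_enc = int(m.group(1)), int(m.group(2))
    if ip_enc > 0xFFFFFFFF or port_enc > 0xFFFF:
        return None
    ip = ".".join(str((ip_enc >> (8 * i)) & 0xFF) for i in range(4))
    port = ((port_enc & 0xFF) << 8) | (port_enc >> 8)
    return ip, port


def encode_bigip_cookie(ip: str, port: int) -> str:
    """Inverse of decode_bigip_cookie; handy for building test cookies."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets) or not 0 <= port <= 0xFFFF:
        raise ValueError("invalid IPv4 address or port")
    ip_enc = sum(o << (8 * i) for i, o in enumerate(octets))
    port_enc = ((port & 0xFF) << 8) | (port >> 8)
    return f"{ip_enc}.{port_enc}.0000"


def pool_members_from_cookie_header(cookie_header: str) -> Dict[str, Tuple[str, int]]:
    """Parse the value of a Cookie: header and return {pool_name: (member_ip, member_port)}
    for every decodable BIGipServer* cookie it contains."""
    found = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        name_match = _COOKIE_NAME.match(name)
        if not sep or not name_match:
            continue
        decoded = decode_bigip_cookie(value)
        if decoded:
            found[name_match.group(1)] = decoded
    return found


if __name__ == "__main__":
    # Constructed header: a WordPress cookie, the BIG-IP cookie, and an analytics cookie.
    header = ("wordpress_test_cookie=WP+Cookie+check; "
              "BIGipServerwebapp_pool=1677787402.36895.0000; _ga=GA1.2.1")
    for pool, (ip, port) in pool_members_from_cookie_header(header).items():
        print(f"pool {pool}: member {ip}:{port}")
```

Anyone holding the cookie, the client included, learns an internal pool member address and the pool name. That is why the cookie persistence profile offers encryption with a passphrase and the HttpOnly and Secure attributes; with encryption on, decode_bigip_cookie() returns None because the value is no longer in this format.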

Solution:
The ideal solution would be a session-based persistence method that does not rely on the client's machine providing a cookie. At the very least we need session-based persistence between the PS servers and the Web APP virtual server, since we know source IP persistence is not viable there.

Recommendation:
Load balance the PS virtual server using source IP persistence; this provides good distribution as long as there is a diverse client pool, and gives more visibility when troubleshooting specific endpoint connections. Then use a session-based persistence method between the PS servers and the Web APP virtual server that does not involve the client.

F5 recommended using SSL persistence for the Web APP virtual server and sticking with source IP on the PS virtual server. SSL persistence keys on the SSL session ID between the PS servers and the Web APP virtual server. It also creates a persistence table entry, so we get troubleshooting visibility similar to source IP persistence. One caveat: it depends on the PS servers reusing SSL session IDs; a client that negotiates a fresh session on every connection will hop between pool members.

In addition, set least connections as the load balancing method for both the PS and Web APP pools. This ensures we are not blindly round-robining but using the F5's visibility into the connection count of each pool member.

FYI:
Theoretically you can still use HTTP cookie persistence on the WebAPP virtual server, but as I found out the hard way, many PS servers multiplex several client HTTP sessions onto one back-end TCP connection to the WebAPP virtual server. By default the F5 handles cookie persistence per TCP connection: it reads the cookie from the first HTTP request on the connection and sends the entire connection to the pool member that cookie names. This breaks when the proxy multiplexes other clients' requests onto that same connection and the web application servers do not share session state, because those clients land on a server that has never seen them. The fix is to add a OneConnect profile to the WebAPP virtual server: with OneConnect the F5 makes a load balancing (and persistence) decision for every HTTP request, not just the first one on the connection.

If SSL persistence and cookies are not an option:
A universal persistence profile lets you use an iRule that reads the X-Forwarded-For header and persists on a hash of its value. F5 warned us there would be some coding on our part to create the custom iRule, and that this type of persistence is CPU expensive on the F5. This one is definitely last on the list.

The beginning of the end for traditional cable companies may be upon us. More feasible and easy-to-use cord-cutting options are becoming mainstream, like PlayStation Vue, Sling TV, and YouTube TV. We mustn't forget who started it all: Netflix and Hulu pioneered over-the-top streaming, then HBO leveraged its hit show Game of Thrones to launch HBO Now. But now the big boys have come to play; Disney and Apple are launching their own streaming services.

Disney+ is quickly going to be the big boy on the block. With its purchases of Star Wars, Marvel and Fox, in addition to its existing massive archive, no other studio in Hollywood has a catalog as deep. It only makes sense that Disney would want to create its own app. If you look at its acquisitions of not only intellectual property but also technology (BAMTech, LLC), you can see Disney has been planning this move to digital for a while. If you have been to Disneyland you understand that Disney is the master of creating a curated and controlled experience. It only makes sense they would want to bring that same experience to their video content online.

Apple TV+... Well, there isn't much to be said yet. Apple is investing in original content but doesn't have any sort of back catalog. So it is yet to be seen whether Apple can pull off its streaming service.


The no-bake cheesecake is a no-brainer dessert: it's easy and tastes good. You could probably even make it camping if you had a good cold cooler. Most recently at work we had a nacho party and I was volunteered to bring a dessert. I decided to experiment with the Jello no-bake cheesecake by adding a horchata flair. This recipe is practically as easy as the recipe on the box; you just need to get crafty with the milk substitute.


Horchata No-Bake Cheesecake

Ingredients:
1 box of Jello No-Bake Cheese Cake
½ c. Heavy Whipping Cream
1 c. horchata
1 t. cinnamon
1 t. vanilla
1 pre-made graham cracker crust or use the crust mix that comes with cheese cake mix
caramel sauce

Preparation:
  • Mix the horchata, heavy whipping cream, cinnamon, and vanilla in a bowl. (this is your milk alternative)
  • Pour it in the mixer with the cheesecake mix and follow the directions on the box.
  • Optional: When served drizzle caramel sauce over the slice.

 Enjoy
Since the F5 app for Splunk has been abandoned I have been playing around with a simple F5 Splunk dashboard. This dashboard can be a quick one-stop health view for any application being load balanced by the F5.

Prerequisites are:
  • Your F5 LTM and/or ASM are logging via HSL (high-speed logging) to Splunk. (ASM is not a requirement.)
  • Configure an HSL pool that includes the Splunk logging servers.
  • Configure the newest iRule on your F5 for logging to Splunk.
  • Associate the new logging iRule with the virtual servers you want to monitor.
  • Lastly, set up an ASM logging profile that sends to Splunk.

You can reference the documentation below to configure your F5 to log to Splunk.
 https://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup

Once that is complete you can create a new dashboard in Splunk. Then copy and paste the dashboard source code I have uploaded on my GitHub repository. Once you save the dashboard you should be able to type in the URL of the application you want to monitor, the corresponding F5 pool name and the time frame you are interested in.

GitHub link:
 https://github.com/wirelessphreak/F5-Dashboard-for-Splunk

If you have improvements or comments please let me know. This is a work in progress and I am always looking to make it better.




There are smells and tastes that instantly trigger memories. For me pizzelle cookies are the trigger that immediately teleports me to my grandma and grandpa's home as a child. My grandmother recently asked if I wanted her pizzelle maker and of course I said yes. So even before I make my first batch I wanted to share the manual, which includes the recipe and operating instructions, with everyone.

Front

Back




Enjoy!!!



This list is courtesy of @tarah on twitter.

The top 20 most common mobile phone PINs are:

1234
1111
0000
1212
7777
1004
2000
4444
2222
6969
9999
3333
5555
6666
1122
1313
8888
4321
2001
1010

26% of all phones are cracked with these codes.

Change to short passphrase: Settings>Passcode (iOS)/Security (Android)
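As an added example, mine rather than @tarah's, here is a small Python check that flags a PIN against the list above and, going a little beyond it, against the patterns the list is made of: a single repeated digit, too few distinct digits, ascending or descending runs, and four-digit years. The six-digit minimum is my assumption, in keeping with the passphrase advice above.

```python
# The top 20 mobile phone PINs listed above (courtesy of @tarah).
TOP_20_PINS = [
    "1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444", "2222", "6969",
    "9999", "3333", "5555", "6666", "1122", "1313", "8888", "4321", "2001", "1010",
]

# Assumed policy minimum; a four-digit PIN has only 10,000 possibilities in total.
MIN_PIN_LENGTH = 6


def pin_weaknesses(pin: str) -> list:
    """Return the reasons a numeric PIN is weak; an empty list means none were found.

    The list check is exactly the top-20 table. The remaining rules generalise the
    patterns that table is built from, so they also catch 1357, 2468-style runs
    of step 1, repeated pairs such as 4545, and years such as 1987.
    """
    reasons = []
    if not pin.isdigit():
        return ["not a numeric PIN"]

    if pin in TOP_20_PINS:
        reasons.append("in the top-20 list")

    distinct = len(set(pin))
    if distinct == 1:
        reasons.append("single repeated digit")
    elif distinct < 3:
        reasons.append("fewer than three distinct digits")

    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if len(steps) == 1 and steps.pop() in (1, -1):
        reasons.append("ascending or descending run")

    if len(pin) == 4 and 1900 <= int(pin) <= 2030:
        reasons.append("looks like a year")

    if len(pin) < MIN_PIN_LENGTH:
        reasons.append(f"shorter than {MIN_PIN_LENGTH} digits")

    return reasons


def is_weak_pin(pin: str) -> bool:
    """Convenience wrapper: True if any weakness rule fires."""
    return bool(pin_weaknesses(pin))


if __name__ == "__main__":
    for candidate in ["1234", "2001", "1122", "8371", "739182"]:
        print(candidate, "->", pin_weaknesses(candidate) or "no weaknesses found")
```

The run check compares consecutive differences, so it flags 4321 as well as 1234; the year check only applies to four digits, because a six-digit PIN that happens to start with 19 or 20 is not obviously a birth year.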


<3 stay safe!
California Adventure's Carthay Circle Restaurant is pretty awesome. Walking into the saloon is like walking back in time, and their cocktails are a large part of the experience. If you're not a gin fan you have to try this cocktail.

Ingredients:
1 part Pimm's No. 1 liqueur,
1 part Plymouth gin
3 parts lemonade
1 part  Strawberry Puree 

Instructions:
Add crushed ice and the above ingredients into a shaker. Shake well and pour into a glass. 
Garnish with a strawberry and blackberry.

Enjoy!





I put together some Disney songs and sounds from around the park in an Apple Music Disney playlist. This is a work in progress, but I want to make this everyone's playlist. I am excited about the community's input; please go to the contact page and submit any songs you would like added.

Suggest a Song

Here is my link to the playlist
Apple Music Playlist 

Currently 97 songs, 5 hours, 3 minutes 
  • All Aboard! (From "Main Street Station") Eddie Sotto 0:29
  • I See the Light Mandy Moore & Zachary Levi 3:44
  • The Mad Tea Party / The Unbirthday Song Kathryn Beaumont, Ed Wynn, James Macdonald & Jerry Colonna 4:31
  • Gaston Jesse Corti & RICHARD WHITE/JESSE CORTI 3:40
  • Down in New Orleans (From "The Princess and the Frog") Dr. John 2:25
  • Yo Ho (A Pirate's Life for Me) Pat O'Malley, Xavier Atencio, Paul Frees, The Mellomen & Thurl Ravenscroft 5:44
  • I've Got a Dream Mandy Moore, Brad Garrett, Tangled Ensemble, Zachary Levi & Jeffrey Tambor 3:11
  • Hi-Diddle-Dee-Dee (An Actor's Life for Me) Walter Catlett 1:40
  • True Love's Kiss Amy Adams & James Marsden 3:12
  • A Dream Is a Wish Your Heart Makes Ilene Woods & Cinderella's Mice Chorus 4:34
  • Married Life Michael Giacchino 4:10
  • I'm Late Bill Thompson 0:42
  • The Bear Band Serenade (From "Country Bear Jamboree Show") Pete Renoudet 1:45
  • Part of Your World Jodi Benson 3:15
  • Supercalifragilisticexpialidocious Julie Andrews, Dick Van Dyke & The Pearly Chorus 2:03
  • The Nutcracker Suite  Pyotr Ilyich Tchaikovsky - Leopold Stokowski & The Philadelphia Orchestra 2:36
  • In Summer Josh Gad 1:54
  • When Will My Life Begin Mandy Moore 2:32
  • Hakuna Matata Nathan Lane, Ernie Sabella, Jason Weaver & Joseph Williams 3:33
  • Heigh-Ho The Dwarf Chorus 2:46
  • Arabian Nights (Soundtrack Version) Bruce Adler 1:19
  • I Am Moana (Song of the Ancestors) Rachel House & Auli'i Cravalho 2:42
  • Dig a Little Deeper (feat. The Pinnacle Gospel Choir) Jenifer Lewis 2:47
  • Try Everything Shakira 3:16
  • Under the Sea Samuel E. Wright 3:15
  • Hawaiian Roller Coaster Ride Kamehameha Schools Children's Chorus & Mark Keali'i Ho'omalu 3:28
  • Soarin' (From "Soarin' Over California") Jerry Goldsmith 4:42
  • Bella Notte (Soundtrack Version) Bill Thompson, Disney Studio Chorus & George Givot 2:40
  • Shiny Jemaine Clement 3:05
  • Beauty and the Beast Angela Lansbury 2:46
  • I Wan'na Be Like You Louis Prima, Phil Harris & Bruce Reitherman 4:02
  • It's a Small World (From "It's a Small World") Disney Chorus 5:04
  • When I See an Elephant Fly Jim Carmichael, Cliff Edwards & The Hall Johnson Choir 1:47
  • Let It Go Idina Menzel 3:44
  • Kiss the Girl Samuel E. Wright 2:43
  • I Just Can't Wait to Be King Jason Weaver, Rowan Atkinson & Laura Williams 2:50
  • You Can Fly! You Can Fly! You Can Fly! (Soundtrack Version) Bobby Driscoll, Kathryn Beaumont, Paul Collins, The Jud Conlon Chorus & Tommy Luske 4:24
  • Grim Grinning Ghosts (From "The Haunted Mansion") The Melomen, Paul Frees, Betty Taylor, Bill Lee & Thurl Ravenscroft 5:33
  • The Bare Necessities Phil Harris & Bruce Reitherman 4:49
  • Love Is an Open Door Kristen Bell & Santino Fontana 2:07
  • One Jump Ahead (Soundtrack Version) Brad Kane 2:22
  • If I Didn't Have You Billy Crystal & John Goodman 3:37
  • Belle Paige O'Hara, RICHARD WHITE/JESSE CORTI & The Chorus of Beauty and the Beast 5:09
  • Woody's Roundup Riders In the Sky 1:53
  • The Ballad of Davy Crockett The Wellingtons 1:41
  • I've Got No Strings Dickie Jones 2:22
  • Whistle While You Work Adriana Caselotti 3:23
  • Cruella de Vil Bill Lee 5:03
  • Mother Knows Best Donna Murphy 3:10
  • A Pirate's Life (Soundtrack Version) The Jud Conlon Chorus 0:29
  • Happy Working Song Amy Adams 2:09
  • Poor Unfortunate Souls Pat Carroll 4:51
  • I'm Wishing / One Song Adriana Caselotti & Harry Stockwell 3:06
  • A Whole New World (Soundtrack Version) Lea Salonga & Brad Kane 2:40
  • Ev'rybody Wants to Be a Cat Scatman Crothers, Phil Harris & Thurl Ravenscroft 2:03
  • I'll Make a Man Out of You (Soundtrack Version) Donny Osmond & Chorus - Mulan 3:21
  • How Far I'll Go Auli'i Cravalho 2:43
  • A Spoonful of Sugar Julie Andrews 4:09
  • We Know the Way Opetaia Foa'i & Lin-Manuel Miranda 2:21
  • Zip-a-Dee-Doo-Dah (From "Song of the South") James Baskett 2:19
  • Touch the Sky Julie Fowlis 2:31
  • The Music Lesson / Oh, Sing Sweet Nightingale Ilene Woods, Oliver Wallace, Paul J. Smith & Rhoda Williams 2:06
  • Where You Are Christopher Jackson, Rachel House, Nicole Scherzinger, Auli'i Cravalho & Louise Bush 3:30
  • Circle of Life Carmen Twillie & Lebo M 3:59
  • Be Our Guest Angela Lansbury, Jerry Orbach & The Chorus of Beauty and the Beast 3:44
  • Bibbidi-Bobbidi-Boo (The Magic Song) Helena Bonham Carter 1:22
  • When You Wish Upon a Star Cliff Edwards & Disney Studio Chorus 3:15
  • Thomas O'Malley Cat Phil Harris 2:37
  • Do You Want to Build a Snowman? Kristen Bell, Agatha Lee Monn & Katie Lopez 3:27
  • What a Dog / He's a Tramp Peggy Lee & Oliver Wallace 2:24
  • What's This? Danny Elfman 3:05
  • La vie en Rose Louis Armstrong and His Orchestra 3:24
  • Almost There Anika Noni Rose 2:24
  • For the First Time in Forever Kristen Bell & Idina Menzel 3:45
  • An Unusual Prince / Once Upon a Dream (Soundtrack) Mary Costa, Bill Shirley & Sleeping Beauty Chorus 3:29
  • You're Welcome Dwayne Johnson 2:43
  • Just Around the Riverbend Judy Kuhn 2:27
  • Something There Paige O'Hara, Robby Benson, Jerry Orbach, Angela Lansbury & David Ogden Stiers 2:18
  • Colors of the Wind (End Title) Vanessa Williams 4:17
  • Scales and Arpeggios Robie Lester, Susan Novack, Gregory Novack, Victor Sweler & The Mike Sammes Singers 1:45
  • I Wan'na Be Like You (2016) Christopher Walken 3:01
  • The Little Mermaid Medley (From "Journey of The Little Mermaid") Howard Ashman, Jodi Benson, Pat Carroll, Phillip Lawrence & Chris Edgerly 9:56
  • Some Day My Prince Will Come Adriana Caselotti 1:54
  • 999 Happy Haunts The Happy Haunts 7:39
  • Jolly Holiday Dick Van Dyke & Julie Andrews 5:24
  • Main Street Electrical Parade Walt Disney World 4:32
  • The Hunchback of Notre Dame Disneyland 4:03
  • Following the Leader (Soundtrack Version) Bobby Driscoll & Paul Collins 1:42
  • Fixer Upper Maia Wilson & The Cast of Frozen 3:02
  • Un Poco Loco Anthony Gonzalez & Gael García Bernal 1:52
  • The World Es Mi Familia Anthony Gonzalez & Antonio Sol 0:50
  • Oo-De-Lally Roger Miller 0:59
  • The Tiki, TIki, Tiki Room Fulton Burley, The Mellomen, Thurl Ravenscroft & Wally Boag 2:38
  • Star Wars: Galaxy's Edge Symphonic Suite (Music Inspired by the Disney Themed Land) John Williams 4:57
  • Into the Open Air Julie Fowlis 2:41
  • Painting the Roses Red / March of the Cards The Mello Men & Kathryn Beaumont 2:48
  • The Twilight Zone Tower of Terror Theme (From "The Twilight Zone Tower of Terror") Richard Bellis & Marious Constant 1:42


Tcpdump Examples

I found this write-up on hackertarget.com and thought it was one of the best write-ups on tcpdump I have seen. Please visit their site to find the original article and many more. Knowing tcpdump is an essential skill that will come in handy for any system administrator, network engineer or security professional.

First The Basics

Breaking down the Tcpdump Command Line

The following command uses common parameters often seen when wielding the tcpdump scalpel.
:~$ sudo tcpdump -i eth0 -nn -s0 -v port 80
  • -i : Select the interface the capture takes place on. This is often an ethernet card or wireless adapter but could also be a vlan or something more unusual. Not always required if there is only one network adapter.
  • -nn : A single (n) will not resolve hostnames. A double will not resolve hostnames or ports. This is handy not only for viewing the IP / port numbers but also when capturing a large amount of data, as name resolution slows down the capture.
  • -s0 : Snap length, the size of the packet to capture. -s0 sets the size to the maximum (262144 bytes in current versions); use this if you want whole packets, for example to pull binaries / files out of network traffic.
  • -v : Verbose; (-v) or (-vv) increases the amount of detail shown in the output, often showing more protocol specific information.
  • port 80 : a common port filter to capture only traffic on port 80, which is of course usually HTTP.

Display ASCII text

Adding -A to the command line will have the output include the ascii strings from the capture. This allows easy reading and the ability to parse the output using grep or other commands. Another option that shows both hexadecimal output and ASCII is the -X option.
:~$ sudo tcpdump -A -s0 port 80
 

Capture on Protocol

Filter on UDP traffic. Another way to specify this is to use protocol number 17, which is UDP. These two commands produce the same result. The equivalent of the tcp filter is protocol number 6.
:~$ sudo tcpdump -i eth0 udp
:~$ sudo tcpdump -i eth0 proto 17
 

Capture Hosts based on IP address

Using the host filter will capture traffic going to (destination) and from (source) the IP address.
:~$ sudo tcpdump -i eth0 host 10.10.1.1
Alternatively capture only packets going one way using src or dst.
:~$ sudo tcpdump -i eth0 dst 10.10.1.20
 

Write a capture file

Writing a standard pcap file is a common command option. Writing a capture file to disk allows the file to be opened in Wireshark or other packet analysis tools.
:~$ sudo tcpdump -i eth0 -s0 -w test.pcap
 

Line Buffered Mode

Without the option to force line-buffered (-l) or packet-buffered (-U) output you will not always get the expected response when piping the tcpdump output to another command such as grep, because tcpdump otherwise block-buffers stdout when it is not a terminal. With -l the output is flushed line by line to the piped command, giving an immediate response when troubleshooting.
:~$ sudo tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'
 

Combine Filters

Throughout these examples you can use standard logic to combine different filters.
and or &&
or or ||
not or !
 

Practical Examples

In many of these examples there are a number of ways that the result could be achieved. As seen in some of the examples it is possible to focus the capture right down to individual bits in the packet.
The method you will use will depend on your desired output and how much traffic is on the wire. Capturing on a busy gigabit link may force you to use specific low level packet filters.
When troubleshooting you often simply want to get a result. Filtering on the port and selecting ascii output in combination with grep, cut or awk will often get that result. You can always go deeper into the packet if required.
For example, when capturing HTTP requests and responses you could filter out all packets except the data by removing SYN/ACK/FIN; however, if you are using grep the noise will be filtered anyway. Keep it simple.
This can be seen in the following examples, where the aim is to get a result in the simplest (and therefore fastest) manner.

1. Extract HTTP User Agents

Extract HTTP User Agent from HTTP request header.
:~$ sudo tcpdump -nn -A -s1500 -l | grep "User-Agent:"
By using egrep and multiple matches we can get the User Agent and the Host (or any other header) from the request.
:~$ sudo tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'
 

2. Capture only HTTP GET and POST packets

Going deep on the filter we can specify only packets that match GET.
:~$ sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
Alternatively we can select only on POST requests. Note that the POST data may not be included in the packet captured with this filter. It is likely that a POST request will be split across multiple TCP data packets.
:~$ sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'
The hexadecimal being matched in these expressions matches the ascii for GET and POST.
As an explanation tcp[((tcp[12:1] & 0xf0) >> 2):4] first determines the location of the bytes we are interested in (after the TCP header) and then selects the 4 bytes we wish to match against.
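To make the offset arithmetic concrete, here is an added Python example (not from the hackertarget article) that evaluates the same expression on a constructed IPv4/TCP packet: it builds the packet with struct, reads the data-offset nibble from TCP byte 12, and compares the first four payload bytes against the GET and POST constants. The addresses and ports are made up; the TCP timestamp option is included to show why the header cannot be assumed to be 20 bytes long.

```python
import struct

# The constants the tcpdump filters compare against: ASCII "GET " and "POST".
GET_MAGIC = 0x47455420
POST_MAGIC = 0x504F5354


def build_ipv4_tcp_packet(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Constructed test packet: IPv4 header (no options) + TCP header (+ options) + payload.

    Addresses and ports are made up. Checksums are left at zero; the filter never
    looks at them.
    """
    opts = tcp_options + b"\x00" * (-len(tcp_options) % 4)  # pad options to 32-bit words
    data_offset_words = 5 + len(opts) // 4                    # TCP header length in 32-bit words
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        39224, 80,               # source port, destination port
        1, 1,                    # sequence number, acknowledgement number
        data_offset_words << 4,  # byte 12: data offset in the high nibble, reserved bits low
        0x18,                    # flags: PSH, ACK
        65535, 0, 0,             # window, checksum (unused), urgent pointer
    ) + opts
    total_length = 20 + len(tcp_header) + len(payload)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_length,   # version 4 / IHL 5, DSCP/ECN, total length
        0, 0x4000,               # identification, flags (DF) + fragment offset
        64, 6, 0,                # TTL, protocol 6 (TCP), checksum (unused)
        bytes([10, 10, 1, 30]), bytes([10, 10, 1, 125]),
    )
    return ip_header + tcp_header + payload


def tcp_payload_prefix(packet: bytes, length: int = 4) -> bytes:
    """Evaluate tcp[((tcp[12:1] & 0xf0) >> 2):length] on an IPv4 packet.

    tcp[12:1] & 0xf0 isolates the data-offset nibble (header length in 32-bit
    words, already sitting four bits to the left); >> 2 turns that into a byte
    count, so the result indexes the first byte after the TCP header and options.
    """
    ihl_bytes = (packet[0] & 0x0F) * 4      # tcpdump's tcp[] already skips the IP header
    tcp = packet[ihl_bytes:]
    header_len = (tcp[12] & 0xF0) >> 2
    return tcp[header_len:header_len + length]


def matches_method(packet: bytes, magic: int) -> bool:
    """True when the first four payload bytes equal the filter constant."""
    prefix = tcp_payload_prefix(packet)
    return len(prefix) == 4 and int.from_bytes(prefix, "big") == magic


def naive_prefix_without_options(packet: bytes, length: int = 4) -> bytes:
    """What you get if you assume a fixed 20-byte TCP header: wrong as soon as
    options are present, which is the mistake the data-offset arithmetic avoids."""
    ihl_bytes = (packet[0] & 0x0F) * 4
    return packet[ihl_bytes + 20:ihl_bytes + 20 + length]


if __name__ == "__main__":
    timestamps = b"\x01\x01\x08\x0a" + (461552632).to_bytes(4, "big") + (208900561).to_bytes(4, "big")
    pkt = build_ipv4_tcp_packet(b"POST /wp-login.php HTTP/1.1\r\nHost: dev.example.com\r\n\r\n", timestamps)
    print("POST filter matches:", matches_method(pkt, POST_MAGIC))
    print("naive 20-byte offset sees:", naive_prefix_without_options(pkt))
```

The same expression works for any method or protocol keyword; change the constant (and the :4 length) to the bytes you want to match.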

3. Extract HTTP Request URL's

Simply parse Host and HTTP Request location from traffic. By not targeting port 80 we may find these requests on any port such as HTTP services running on high ports.
:~$ sudo tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
 POST /wp-login.php HTTP/1.1
 Host: dev.example.com
 GET /wp-login.php HTTP/1.1
 Host: dev.example.com
 GET /favicon.ico HTTP/1.1
 Host: dev.example.com
 GET / HTTP/1.1
 Host: dev.example.com 
 

4. Extract HTTP Passwords in POST Requests

Let's get some passwords from the POST data. We include Host: and the request location so we know what the password is used for.
:~$ sudo tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:25:54.799014 IP 10.10.1.30.39224 > 10.10.1.125.80: Flags [P.], seq 1458768667:1458770008, ack 2440130792, win 704, options [nop,nop,TS val 461552632 ecr 208900561], length 1341: HTTP: POST /wp-login.php HTTP/1.1
.....s..POST /wp-login.php HTTP/1.1
Host: dev.example.com
.....s..log=admin&pwd=notmypassword&wp-submit=Log+In&redirect_to=http%3A%2F%2Fdev.example.com%2Fwp-admin%2F&testcookie=1
 

5. Capture Cookies from Server and from Client

MMMmmm Cookies! Capture cookies from the server by searching on Set-Cookie: (from Server) and Cookie: (from Client).
:~$ sudo tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
Host: dev.example.com
Cookie: wordpress_86be02xxxxxxxxxxxxxxxxxxxc43=admin%7C152xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfb3e15c744fdd6; _ga=GA1.2.21343434343421934; _gid=GA1.2.927343434349426; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86be654654645645645654645653fc43=admin%7C15275102testtesttesttestab7a61e; wp-settings-time-1=1527337439
 

6. Capture all ICMP packets

See all ICMP packets on the wire.
:~$ sudo tcpdump -n icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:34:21.590380 IP 10.10.1.217 > 10.10.1.30: ICMP echo request, id 27948, seq 1, length 64
11:34:21.590434 IP 10.10.1.30 > 10.10.1.217: ICMP echo reply, id 27948, seq 1, length 64
11:34:27.680307 IP 10.10.1.159 > 10.10.1.1: ICMP 10.10.1.189 udp port 59619 unreachable, length 115
 

7. Show ICMP Packets that are not ECHO/REPLY (standard ping)

Filter on the icmp type to select on icmp packets that are not standard ping packets.
:~$ sudo tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:37:04.041037 IP 10.10.1.189 > 10.10.1.20: ICMP 10.10.1.189 udp port 36078 unreachable, length 156
 

8. Capture SMTP / POP3 Email

With -A the whole message is printed as ASCII, including headers and body; in this example we only pull out the envelope sender and recipients (the MAIL FROM and RCPT TO commands). This only works for unencrypted SMTP; once a session negotiates STARTTLS nothing after that is readable.
:~$ sudo tcpdump -nn -l -A port 25 | grep -i 'MAIL FROM\|RCPT TO'
 

9. Troubleshooting NTP Query and Response

In this example we see the NTP query and response. The filter dst port 123 matches both directions here only because ntpd-style clients send from source port 123 as well (note test33.ntp as the source); a client that uses an ephemeral source port would have its responses missed, so use port 123 when in doubt.
:~$ sudo tcpdump dst port 123

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:02:19.112502 IP test33.ntp > 199.30.140.74.ntp: NTPv4, Client, length 48
21:02:19.113888 IP 216.239.35.0.ntp > test33.ntp: NTPv4, Server, length 48
21:02:20.150347 IP test33.ntp > 216.239.35.0.ntp: NTPv4, Client, length 48
21:02:20.150991 IP 216.239.35.0.ntp > test33.ntp: NTPv4, Server, length 48
 

10. Capture SNMP Query and Response

Using onesixtyone, the fast SNMP scanner, we query an SNMP service on the local network and capture the GetRequest and GetResponse. For anyone who has had the (dis)pleasure of troubleshooting SNMP, this is a great way to see exactly what is happening on the wire: the OID is visible in the traffic, very helpful when wrestling with MIBs. Note that with SNMPv1/v2c the community string (public here) crosses the wire in the clear in every request, which is exactly why a tool like onesixtyone can guess it so quickly.
:~$ onesixtyone 10.10.1.10 public

Scanning 1 hosts, 1 communities
10.10.1.10 [public] Linux test33 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
:~$ sudo tcpdump -n -s0  port 161 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:39:13.725522 IP 10.10.1.159.36826 > 10.10.1.20.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
23:39:13.728789 IP 10.10.1.20.161 > 10.10.1.159.36826:  GetResponse(109)  .1.3.6.1.2.1.1.1.0="Linux testmachine 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64"
 

11. Capture FTP Credentials and Commands

Capturing FTP commands and login details is straightforward. After authentication an FTP session can be active or passive, which determines whether the data part of the session is conducted over TCP port 20 (ftp-data, active mode) or an ephemeral port negotiated in the PORT/PASV exchange, so the ftp-data half of the filter below only catches active-mode transfers. With the following command you will see USER and PASS in the output (which could be fed to grep) as well as FTP commands such as LIST, CWD and PASV. Only plain FTP is readable this way; FTPS and SFTP sessions show nothing useful.
:~$ sudo tcpdump -nn -v port ftp or ftp-data
 

12. Rotate Capture Files

When capturing large amounts of traffic or over a long period of time it can be helpful to automatically start new files after a fixed time span or size. This is done with the parameters -G (rotate every N seconds), -C (rotate once a file reaches N million bytes) and -W (limit the number of files kept).
In this command a new file capture-(hour).pcap is started every (-G) 3600 seconds (1 hour); the %H in the name is expanded by strftime, so the file started at 15:00 is /tmp/capture-15.pcap. After 24 hours the names repeat, so you end up with capture-{00-23}.pcap and each file is overwritten the following day. The -C 200 additionally rotates when a file grows past 200 MB within the hour; when -C triggers alongside -G, tcpdump appends a counter to the file name (capture-15.pcap1 and so on). Like the other live captures this needs root.
:~$ sudo tcpdump -w /tmp/capture-%H.pcap -G 3600 -C 200
 

13. Capture IPv6 Traffic

Capture IPv6 traffic using the ip6 filter. In these examples we have specified the TCP and UDP protocols using proto 6 and proto 17. Note that ip6 proto only checks the Next Header field of the fixed IPv6 header; if extension headers are present it will not match, and ip6 protochain 6 (which walks the header chain) is the filter to use.
:~$ sudo tcpdump -nn ip6 proto 6
IPv6 with UDP and reading from a previously saved capture file (no root needed when reading a file).
:~$ tcpdump -nr ipv6-test.pcap ip6 proto 17
 

14. Detect Port Scan in Network Traffic

In the following example you can see traffic from a single source to a single destination. SYN packets (Flags [S]) go to a seemingly random series of destination ports, and for each closed port the target answers with a RST/ACK (Flags [R.]); the refused port shows up as the source port of that reset. A port that answers with SYN/ACK (Flags [S.]) is open, and a port that never answers is filtered or dropped. Many SYNs to many different ports within milliseconds is standard behaviour for a port scan by a tool such as Nmap.
We have another tutorial on Nmap that details captured port scans (open / closed / filtered) in a number of Wireshark captures.
:~$ sudo tcpdump -nn

21:46:19.693601 IP 10.10.1.10.60460 > 10.10.1.199.5432: Flags [S], seq 116466344, win 29200, options [mss 1460,sackOK,TS val 3547090332 ecr 0,nop,wscale 7], length 0
21:46:19.693626 IP 10.10.1.10.35470 > 10.10.1.199.513: Flags [S], seq 3400074709, win 29200, options [mss 1460,sackOK,TS val 3547090332 ecr 0,nop,wscale 7], length 0
21:46:19.693762 IP 10.10.1.10.44244 > 10.10.1.199.389: Flags [S], seq 2214070267, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.693772 IP 10.10.1.199.389 > 10.10.1.10.44244: Flags [R.], seq 0, ack 2214070268, win 0, length 0
21:46:19.693783 IP 10.10.1.10.35172 > 10.10.1.199.1433: Flags [S], seq 2358257571, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.693826 IP 10.10.1.10.33022 > 10.10.1.199.49153: Flags [S], seq 2406028551, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.695567 IP 10.10.1.10.55130 > 10.10.1.199.49154: Flags [S], seq 3230403372, win 29200, options [mss 1460,sackOK,TS val 3547090334 ecr 0,nop,wscale 7], length 0
21:46:19.695590 IP 10.10.1.199.49154 > 10.10.1.10.55130: Flags [R.], seq 0, ack 3230403373, win 0, length 0
21:46:19.695608 IP 10.10.1.10.33460 > 10.10.1.199.49152: Flags [S], seq 3289070068, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695622 IP 10.10.1.199.49152 > 10.10.1.10.33460: Flags [R.], seq 0, ack 3289070069, win 0, length 0
21:46:19.695637 IP 10.10.1.10.34940 > 10.10.1.199.1029: Flags [S], seq 140319147, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695650 IP 10.10.1.199.1029 > 10.10.1.10.34940: Flags [R.], seq 0, ack 140319148, win 0, length 0
21:46:19.695664 IP 10.10.1.10.45648 > 10.10.1.199.5060: Flags [S], seq 2203629201, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695775 IP 10.10.1.10.49028 > 10.10.1.199.2000: Flags [S], seq 635990431, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695790 IP 10.10.1.199.2000 > 10.10.1.10.49028: Flags [R.], seq 0, ack 635990432, win 0, length 0
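Eyeballing the flags works for a dozen lines; for a long capture you want the same rule applied mechanically. The following is an added example (not part of the original page) that reads the one-line summaries tcpdump -nn prints, groups bare SYNs per source/destination pair, attributes each RST/ACK or SYN/ACK back to the port it answers, and flags pairs that probe at least ten distinct ports within five seconds. The sample lines are constructed from the scan above plus one ordinary connection that must not be flagged; the thresholds are assumptions to tune for your own network.

```python
"""Flag a TCP port scan in `tcpdump -nn` output.

Added example: a scanner sends a bare SYN to many different ports on one host
in a short time, closed ports answer with RST/ACK ([R.]) and open ports with
SYN/ACK ([S.]).  We tally that per (source, destination) pair and flag pairs
that probe too many ports too fast.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One-line summary tcpdump -nn prints for a TCP segment (timestamp, addresses,
# ports and flags); other lines (ARP, UDP, ...) simply do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def _seconds(ts: str) -> float:
    """HH:MM:SS.ffffff -> seconds since midnight (a scan crossing midnight is ignored here)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class PairStats:
    syn_ports: set = field(default_factory=set)      # ports that received a bare SYN
    rst_ports: set = field(default_factory=set)      # ports that refused with RST/ACK
    synack_ports: set = field(default_factory=set)   # ports that answered SYN/ACK (open)
    first: float = None
    last: float = None


def collect(lines):
    """Group SYNs by (scanner, target) and attach the target's answers to that pair."""
    stats = defaultdict(PairStats)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        flags, ts = m["flags"], _seconds(m["ts"])
        if flags == "S":                          # probe: scanner -> target
            st = stats[(m["src"], m["dst"])]
            st.syn_ports.add(int(m["dport"]))
            st.first = ts if st.first is None else min(st.first, ts)
            st.last = ts if st.last is None else max(st.last, ts)
        elif flags in ("R.", "S."):               # answer: target -> scanner, so the
            st = stats[(m["dst"], m["src"])]      # pair key is reversed and the probed
            port = int(m["sport"])                # port is the answer's source port
            (st.rst_ports if flags == "R." else st.synack_ports).add(port)
    return stats


def detect_scans(lines, min_ports=10, window=5.0):
    """One finding per (source, destination) that sent bare SYNs to at least
    min_ports distinct ports within window seconds."""
    findings = []
    for (src, dst), st in collect(lines).items():
        if st.first is None:                      # answers seen but no SYN: not a scan
            continue
        duration = st.last - st.first
        if len(st.syn_ports) >= min_ports and duration <= window:
            findings.append({
                "src": src, "dst": dst,
                "ports_probed": len(st.syn_ports),
                "closed_ports": sorted(st.rst_ports & st.syn_ports),
                "open_ports": sorted(st.synack_ports & st.syn_ports),
                "duration": round(duration, 6),
            })
    return findings


# Constructed sample: the scan lines from the capture above (options trimmed)
# plus one ordinary connection to port 80 that must not be flagged.
SAMPLE_LINES = """\
21:46:19.693601 IP 10.10.1.10.60460 > 10.10.1.199.5432: Flags [S], seq 116466344, win 29200, length 0
21:46:19.693626 IP 10.10.1.10.35470 > 10.10.1.199.513: Flags [S], seq 3400074709, win 29200, length 0
21:46:19.693762 IP 10.10.1.10.44244 > 10.10.1.199.389: Flags [S], seq 2214070267, win 29200, length 0
21:46:19.693772 IP 10.10.1.199.389 > 10.10.1.10.44244: Flags [R.], seq 0, ack 2214070268, win 0, length 0
21:46:19.693783 IP 10.10.1.10.35172 > 10.10.1.199.1433: Flags [S], seq 2358257571, win 29200, length 0
21:46:19.693826 IP 10.10.1.10.33022 > 10.10.1.199.49153: Flags [S], seq 2406028551, win 29200, length 0
21:46:19.695567 IP 10.10.1.10.55130 > 10.10.1.199.49154: Flags [S], seq 3230403372, win 29200, length 0
21:46:19.695590 IP 10.10.1.199.49154 > 10.10.1.10.55130: Flags [R.], seq 0, ack 3230403373, win 0, length 0
21:46:19.695608 IP 10.10.1.10.33460 > 10.10.1.199.49152: Flags [S], seq 3289070068, win 29200, length 0
21:46:19.695622 IP 10.10.1.199.49152 > 10.10.1.10.33460: Flags [R.], seq 0, ack 3289070069, win 0, length 0
21:46:19.695637 IP 10.10.1.10.34940 > 10.10.1.199.1029: Flags [S], seq 140319147, win 29200, length 0
21:46:19.695650 IP 10.10.1.199.1029 > 10.10.1.10.34940: Flags [R.], seq 0, ack 140319148, win 0, length 0
21:46:19.695664 IP 10.10.1.10.45648 > 10.10.1.199.5060: Flags [S], seq 2203629201, win 29200, length 0
21:46:19.695775 IP 10.10.1.10.49028 > 10.10.1.199.2000: Flags [S], seq 635990431, win 29200, length 0
21:46:19.695790 IP 10.10.1.199.2000 > 10.10.1.10.49028: Flags [R.], seq 0, ack 635990432, win 0, length 0
21:46:25.100000 IP 10.10.1.30.44000 > 10.10.1.125.80: Flags [S], seq 1, win 29200, length 0
21:46:25.100200 IP 10.10.1.125.80 > 10.10.1.30.44000: Flags [S.], seq 1, ack 2, win 29200, length 0
""".splitlines()

if __name__ == "__main__":
    for f in detect_scans(SAMPLE_LINES):
        print(f"{f['src']} scanned {f['dst']}: {f['ports_probed']} ports in "
              f"{f['duration']}s, closed {f['closed_ports']}, open {f['open_ports']}")
```

To run it against a live box pipe tcpdump in (sudo tcpdump -nn -l | python3 scan.py with the loop changed to read sys.stdin); the five ports listed as closed are exactly the ones whose RST/ACK appears in the capture, while ports that got no answer at all (5432, 513, 1433, 49153, 5060) cannot be classified from the wire alone.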
 

15. Example Filter Showing Nmap NSE Script Testing

In this example the Nmap NSE script http-enum.nse is shown testing for valid urls against an open HTTP service.
On the Nmap machine:
:~$ nmap -p 80 --script=http-enum.nse targetip
On the target machine:
:~$ sudo tcpdump -nn -l port 80 | grep "GET /"

GET /w3perl/ HTTP/1.1
GET /w-agora/ HTTP/1.1
GET /way-board/ HTTP/1.1
GET /web800fo/ HTTP/1.1
GET /webaccess/ HTTP/1.1
GET /webadmin/ HTTP/1.1
GET /webAdmin/ HTTP/1.1
 

16. Capture Start and End Packets of every non-local host

This example is straight out of the tcpdump man page. By selecting the SYN and FIN packets we see the start and end of each TCP conversation with timestamps but without the data. Replace localnet with your own network (for example 10.10.1.0/24); the second half of the filter, not src and dst net localnet, drops conversations where both ends are local, so only conversations that involve a non-local host remain. As with many filters this reduces the noise so you can focus on the information that you care about.
:~$ tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'
 

17. Capture DNS Request and Response

Outbound DNS request to Google public DNS and the A record (ip address) response can be seen in this capture.
:~$ sudo tcpdump -i wlp58s0 -s0 port 53

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:19:06.879799 IP test.53852 > google-public-dns-a.google.com.domain: 26977+ [1au] A? play.google.com. (44)
14:19:07.022618 IP google-public-dns-a.google.com.domain > test.53852: 26977 1/0/1 A 216.58.203.110 (60)
 

18. Capture HTTP data packets

Only capture HTTP data packets on port 80, skipping the TCP session setup and teardown (SYN / FIN / ACK) that carry no payload. The arithmetic computes the TCP payload length: the IP total length (ip[2:2]) minus the IP header length ((ip[0]&0xf)<<2, the IHL field counted in 32-bit words) minus the TCP header length ((tcp[12]&0xf0)>>2, the data offset field, also in words). A packet is kept only when that difference is non-zero. Because the expression reads IPv4 header offsets it does not match IPv6 traffic.
:~$ sudo tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
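The byte offsets in that filter are easy to get wrong, so here is the same arithmetic spelled out in Python as an added example (not from the original page). It builds a minimal IPv4+TCP packet in code, computes the payload length exactly as the BPF expression does, and applies the same keep/drop decision; the addresses are placeholders and no checksums are computed, which the filter does not look at either.

```python
"""Replicate the payload-length arithmetic of the tcpdump filter in Python.

Added example.  tcp_payload_len() mirrors
    ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)
and matches_filter() mirrors the whole 'tcp port 80 and (... != 0)' expression.
"""
import struct

IHL_MASK = 0x0F


def tcp_payload_len(pkt: bytes) -> int:
    """pkt starts at the IP header, as ip[] offsets do in a BPF filter."""
    if pkt[0] >> 4 != 4:
        raise ValueError("IPv4 only: the filter reads ip[] offsets, so it misses IPv6")
    total_len = struct.unpack_from("!H", pkt, 2)[0]   # ip[2:2]: total length in bytes
    ihl = (pkt[0] & IHL_MASK) << 2                    # IHL is in 32-bit words, so *4
    data_off = (pkt[ihl + 12] & 0xF0) >> 2            # tcp[12] high nibble, in words, so *4
    return total_len - ihl - data_off


def matches_filter(pkt: bytes, port: int = 80) -> bool:
    """True for exactly the packets 'tcp port 80 and (payload != 0)' keeps."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:               # not IPv4, or protocol field not TCP
        return False
    ihl = (pkt[0] & IHL_MASK) << 2
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return port in (sport, dport) and tcp_payload_len(pkt) != 0


def build_packet(payload: bytes = b"", tcp_options: bytes = b"",
                 sport: int = 40000, dport: int = 80, flags: int = 0x18) -> bytes:
    """Minimal IPv4 + TCP packet (constructed; checksums left at zero)."""
    tcp_hdr_len = 20 + len(tcp_options)
    if tcp_hdr_len % 4:
        raise ValueError("TCP options must pad the header to a 32-bit boundary")
    total = 20 + tcp_hdr_len + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes([10, 10, 1, 30]), bytes([10, 10, 1, 125]))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                          (tcp_hdr_len // 4) << 4, flags, 29200, 0, 0) + tcp_options
    return ip_hdr + tcp_hdr + payload


# Constructed samples: a SYN carrying a 4-byte MSS option but no payload, a data
# segment carrying an HTTP request, and a data segment on a different port.
SYN = build_packet(tcp_options=b"\x02\x04\x05\xb4", flags=0x02)
REQUEST = b"GET /wp-login.php HTTP/1.1\r\nHost: dev.example.com\r\n\r\n"
DATA = build_packet(payload=REQUEST)
OTHER_PORT = build_packet(payload=b"hello", dport=8080)

if __name__ == "__main__":
    for name, pkt in [("SYN", SYN), ("DATA", DATA), ("OTHER_PORT", OTHER_PORT)]:
        print(f"{name}: payload={tcp_payload_len(pkt)} kept={matches_filter(pkt)}")
```

The SYN is dropped even though its TCP header is 24 bytes long, because the data offset field accounts for the option bytes; that is the reason the filter subtracts the header lengths instead of assuming 20 bytes each.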
 

19. Capture with tcpdump and view in Wireshark

Parsing and analysis of full application streams such as HTTP is much easier to perform with Wireshark (or tshark) rather than tcpdump. It is often more practical to capture traffic on a remote system using tcpdump with the write file option. Then copy the pcap to the local workstation for analysis with Wireshark.
Other than manually moving the file from the remote system to the local workstation, it is possible to feed the capture to Wireshark over the SSH connection in real time. This tip is a favorite: pipe the raw tcpdump output right into Wireshark on your local machine. Don't forget the not port 22, otherwise the capture includes the SSH session that is carrying the capture itself and grows with every packet it sends.
:~$ ssh root@remotesystem 'tcpdump -s0 -c 1000 -nn -w - not port 22' | wireshark -k -i -
Another tip is to use the count option -c on the remote tcpdump so the capture finishes on its own; otherwise hitting ctrl-c will kill not only tcpdump but also Wireshark and your capture.

20. Top Hosts by Packets

List the top talkers for a period of time or number of packets. Simple command line field extraction pulls the source IP address out of each line (the first four dot-separated fields once -t drops the timestamp), then sort and uniq count the occurrences. The capture is limited by the count option -c.
:~$ sudo tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
200 packets captured
261 packets received by filter
0 packets dropped by kernel
    108 IP 10.10.211.181
     91 IP 10.10.1.30
      1 IP 10.10.1.50
 

21. Capture all the plaintext passwords

In this command we are focusing on standard plain text protocols and choosing to grep on anything user or password related. The -B5 option on grep prints the preceding 5 lines, which may provide context around the captured password (hostname, IP address, system). The tcpdump options -l (line buffered, so grep sees output immediately) and -A (print the payload as ASCII) go before the filter expression, where tcpdump expects them; after the expression they are only accepted on systems whose getopt reorders arguments.
:~$ sudo tcpdump -l -A port http or port ftp or port smtp or port imap or port pop3 or port telnet | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '
 

22. DHCP Example

And our final tcpdump example is for monitoring DHCP requests and replies. The client sends from UDP port 68 to the server on port 67 and the server replies back to port 68, so port 67 or 68 catches both directions. Using the verbose parameter -v we get to see the protocol options and other details.
:~$ sudo tcpdump -v -n port 67 or 68

tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:37:50.059662 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:xx:xx:xx:d5, length 300, xid 0xc9779c2a, Flags [none]
   Client-Ethernet-Address 00:0c:xx:xx:xx:d5
   Vendor-rfc1048 Extensions
     Magic Cookie 0x63825363
     DHCP-Message Option 53, length 1: Request
     Requested-IP Option 50, length 4: 10.10.1.163
     Hostname Option 12, length 14: "test-ubuntu"
     Parameter-Request Option 55, length 16: 
       Subnet-Mask, BR, Time-Zone, Default-Gateway
       Domain-Name, Domain-Name-Server, Option 119, Hostname
       Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
       NTP, Classless-Static-Route-Microsoft, Static-Route, Option 252
14:37:50.059667 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:xx:xx:xx:d5, length 300, xid 0xc9779c2a, Flags [none]
   Client-Ethernet-Address 00:0c:xx:xx:xx:d5
   Vendor-rfc1048 Extensions
     Magic Cookie 0x63825363
     DHCP-Message Option 53, length 1: Request
     Requested-IP Option 50, length 4: 10.10.1.163
     Hostname Option 12, length 14: "test-ubuntu"
     Parameter-Request Option 55, length 16: 
       Subnet-Mask, BR, Time-Zone, Default-Gateway
       Domain-Name, Domain-Name-Server, Option 119, Hostname
       Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
       NTP, Classless-Static-Route-Microsoft, Static-Route, Option 252
14:37:50.060780 IP (tos 0x0, ttl 64, id 53564, offset 0, flags [none], proto UDP (17), length 339)
    10.10.1.1.67 > 10.10.1.163.68: BOOTP/DHCP, Reply, length 311, xid 0xc9779c2a, Flags [none]
   Your-IP 10.10.1.163
   Server-IP 10.10.1.1
   Client-Ethernet-Address 00:0c:xx:xx:xx:d5
   Vendor-rfc1048 Extensions
     Magic Cookie 0x63825363
     DHCP-Message Option 53, length 1: ACK
     Server-ID Option 54, length 4: 10.10.1.1
     Lease-Time Option 51, length 4: 86400
     RN Option 58, length 4: 43200
     RB Option 59, length 4: 75600
     Subnet-Mask Option 1, length 4: 255.255.255.0
     BR Option 28, length 4: 10.10.1.255
     Domain-Name-Server Option 6, length 4: 10.10.1.1
     Hostname Option 12, length 14: "test-ubuntu"
     T252 Option 252, length 1: 10
     Default-Gateway Option 3, length 4: 10.10.1.1
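tcpdump decodes the options for you, but it is worth knowing what it is decoding, and the same fields are what you check when hunting a rogue DHCP server. The following is an added example (not from the original page) that builds a DHCP Request and ACK mirroring the capture above (xid 0xc9779c2a, requested IP 10.10.1.163, server 10.10.1.1), parses the BOOTP header and the TLV options the way tcpdump -v prints them, and then correlates the reply with the request: same xid, the leased address is the one requested, and the Server-ID (option 54) is a server you actually run. The MAC address, the hostname and the rogue server 10.10.1.66 are made up for the example.

```python
"""Decode BOOTP/DHCP packets and correlate a server reply with its request.

Added example.  The packets are constructed to mirror the capture above; the
MAC, hostname and the rogue server address are invented.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}
# RFC 2132 option codes used below (named as tcpdump prints them).
SUBNET_MASK, DEFAULT_GATEWAY, DNS, HOSTNAME, BROADCAST = 1, 3, 6, 12, 28
REQUESTED_IP, LEASE_TIME, MSG_TYPE, SERVER_ID, PARAM_REQ, END = 50, 51, 53, 54, 55, 255


def build_dhcp(op, xid, chaddr, options, yiaddr="0.0.0.0", siaddr="0.0.0.0"):
    """236-byte BOOTP header, magic cookie, TLV options, END, padded to 300 bytes."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                        b"", IPv4Address(yiaddr).packed, IPv4Address(siaddr).packed,
                        b"", chaddr, b"", b"")
    tlv = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return (fixed + MAGIC_COOKIE + tlv + bytes([END])).ljust(300, b"\0")


def parse_dhcp(pkt):
    """Header fields plus a {option code: raw bytes} map, as tcpdump -v shows them."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    op, _htype, hlen, _hops, xid = struct.unpack_from("!BBBBI", pkt, 0)
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != END:
        if pkt[i] == 0:                       # pad byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        length = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    mtype = opts.get(MSG_TYPE, b"\0")[0]
    return {"op": op, "xid": xid, "type": MESSAGE_TYPES.get(mtype, "unknown"),
            "yiaddr": str(IPv4Address(pkt[16:20])), "siaddr": str(IPv4Address(pkt[20:24])),
            "chaddr": pkt[28:28 + hlen].hex(":"), "options": opts}


def ip_option(msg, code):
    """Decode a 4-byte address option, or None if the option is absent."""
    return str(IPv4Address(msg["options"][code])) if code in msg["options"] else None


def check_reply(request, reply, trusted_servers):
    """Pair an Offer/ACK with its Request.  A reply that matches the xid but carries
    a Server-ID you do not run is what a rogue DHCP server racing the real one looks
    like on the wire; a leased address that differs from the requested one is the
    other thing worth a second look."""
    req, rep = parse_dhcp(request), parse_dhcp(reply)
    problems = []
    if rep["op"] != 2 or rep["type"] not in ("Offer", "ACK", "NAK"):
        problems.append("not a server reply")
    if rep["xid"] != req["xid"]:
        problems.append("xid mismatch")
    server = ip_option(rep, SERVER_ID)
    if server not in trusted_servers:
        problems.append(f"untrusted server-id {server}")
    if ip_option(req, REQUESTED_IP) and rep["yiaddr"] != ip_option(req, REQUESTED_IP):
        problems.append("leased address differs from requested")
    return problems


XID, MAC = 0xC9779C2A, bytes.fromhex("000c29aabbd5")          # MAC is invented
REQUEST = build_dhcp(1, XID, MAC, [
    (MSG_TYPE, b"\x03"), (REQUESTED_IP, IPv4Address("10.10.1.163").packed),
    (HOSTNAME, b"test-ubuntu"),
    (PARAM_REQ, bytes([1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42, 249, 33, 252]))])
ACK = build_dhcp(2, XID, MAC, [
    (MSG_TYPE, b"\x05"), (SERVER_ID, IPv4Address("10.10.1.1").packed),
    (LEASE_TIME, struct.pack("!I", 86400)), (SUBNET_MASK, IPv4Address("255.255.255.0").packed),
    (BROADCAST, IPv4Address("10.10.1.255").packed), (DNS, IPv4Address("10.10.1.1").packed),
    (DEFAULT_GATEWAY, IPv4Address("10.10.1.1").packed)],
    yiaddr="10.10.1.163", siaddr="10.10.1.1")
# A forged ACK: same xid and leased address, but it points the client at itself.
ROGUE_ACK = build_dhcp(2, XID, MAC, [
    (MSG_TYPE, b"\x05"), (SERVER_ID, IPv4Address("10.10.1.66").packed),
    (DNS, IPv4Address("10.10.1.66").packed), (DEFAULT_GATEWAY, IPv4Address("10.10.1.66").packed)],
    yiaddr="10.10.1.163", siaddr="10.10.1.66")

if __name__ == "__main__":
    for name, pkt in [("Request", REQUEST), ("ACK", ACK), ("Rogue ACK", ROGUE_ACK)]:
        m = parse_dhcp(pkt)
        print(name, m["type"], hex(m["xid"]), m["yiaddr"], "server-id", ip_option(m, SERVER_ID))
    print("legit:", check_reply(REQUEST, ACK, {"10.10.1.1"}))
    print("rogue:", check_reply(REQUEST, ROGUE_ACK, {"10.10.1.1"}))
```

The rogue ACK passes every check except the Server-ID allowlist, which is the point: xid and address alone are not enough, since the attacker sees the broadcast Request and can copy both. On a real capture, feed the UDP payload of each port 67/68 packet to parse_dhcp() and keep the trusted set to the addresses your own DHCP servers use.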
 

Wrapping Up

These tcpdump examples, tips and commands are intended to give you a base understanding of the possibilities. Depending on what you are trying to achieve there are many ways that you could go deeper or combine different capture filters to suit your requirements.
Combining tcpdump with Wireshark is a powerful combination, particularly when you wish to dig into full application layer sessions as the decoders can assemble the full stream. We recently did a major update to our Wireshark Tutorial.
Thanks for reading, check out the man page for more detail and if you have any comments or suggestions please drop me a note using the contact form. Happy Packet Analysis!

Symptoms

As people become more focused on securing their home network, the idea of an "enterprise" firewall for home use is not out of the ordinary. Of course, this focus has grown over time because of teleworking/job requirements, but also because some people realize that securing their home network is just as important as securing their "enterprise" network. Of course for us gamers, this causes an issue. I have been given the benefit of using my own Palo Alto Networks (PAN) PA-220 firewall for home use. While the initial setup didn't cause any issues, I had one major issue which was almost make or break for keeping the PA-220. The issue of course was that my Xbox One did not function properly and I could not update games, group chat, or do anything an Xbox One should do.

Issue

When connecting to the Xbox Live service or PlayStation Network the console establishes client connections to the service. When hosting some games, or using some applications, a connection from the Xbox Live service or PlayStation Network inbound to the console is required. If these inbound connections cannot be established the console will report that strict NAT has been detected.

The consoles are compatible with UPnP devices to allow dynamic opening of TCP and UDP ports to forward traffic required for connectivity to the service. UPnP-enabled routers allow port forwarding to be configured on the device dynamically based on requests coming from internal devices. In a UPnP environment, the console will request that the appropriate ports be forwarded to allow the traffic.

Palo Alto Networks firewalls do not support UPnP. Requests from a console via UPnP to open ports are ignored by the firewall, so a 1-to-1 static NAT mapping must be created to forward the appropriate ports to the console from the Xbox Live service or PSN.

Resolution

The following is my configuration setup to fix my Xbox One as well as other gaming consoles which need Universal Plug and Play (UPnP).

Quick Tangent: While UPnP is a great idea to make home networking easier, it opens up the inside resources to many potential attacks. At a basic level, UPnP allows devices on the same network to discover each other dynamically so that they can communicate for data sharing and entertainment purposes. While this sounds good, the security risk is that UPnP also dynamically adds port forwarding on the home router without human intervention. Any device on the LAN, including a compromised one, can ask for any port to be forwarded from the outside Internet to itself, with no authentication and no protection. It is for this reason that "enterprise" firewalls do not support UPnP. Of course, when it comes to gaming and our relaxation time, we don't care about the risks; we just want our games to work.

The following configuration assumes that all basic connectivity has already been configured on your PA-220. The following configuration is my current setup and has never had any issues since the day I configured it.

The below is an extremely basic PA-220 configuration but the security policy that I want to highlight is the Outbound-Xbox Rule.

All firewall policies are created under Policies>>Security>>Add

Note: The Outbound-Xbox NAT rule must be above the general Outbound Internet rule. Policies are evaluated top down and the first match wins, so otherwise the Xbox traffic will match the general rule first and never hit the dedicated Xbox NAT rule (created next).

Xbox Security Rule:

I configured my Xbox Security Policy to use the dedicated or reserved IP address; this will be the source address (creating a DHCP address reservation is not covered in this article).

  • The source is my dedicated Xbox/Gaming reserved address as I only wanted to NAT my Xbox traffic

  • The destination is to my UnTrust Zone or Outside security zone.

  • Application: This is the bread and butter of Palo Alto's Next Generation Firewall

  • The list in the image below is the set of applications I had fingerprinted at the time of this article. As default ports change and Microsoft adds more applications, this field will need to be updated from time to time.
    • Please note: A Layer 4 firewall rule will work, but what is the point in having a Ferrari in the garage if you're not going to use it to its potential.

  • Action: of course, allow

All other options are not covered here.

The below is an extremely basic PA-220 configuration but the NAT policy that I want to highlight is the Xbox_NAT rule.

All firewall NAT policies are created under Policies>>NAT>>Add

Xbox NAT Rule:

I configured my Xbox NAT Policy to have a dedicated source address (creating a DHCP address reservation is not covered in this article)
  • The packet source is from the Trust/Inside Network
  • The packet destination is to my UnTrust Zone or Outside
  • The packet destination interface is the interface facing my ISP/Dynamic Client
  • The source is my dedicated Xbox/Gaming reserved address as I only wanted to NAT my Xbox traffic
  • The packet destination and service are set to ANY as we want all traffic from the Xbox to be NAT'd

THE FOLLOWING IS THE SECRET TO FIXING ALL UPnP ISSUES
  • Translated Packet
  • The source translation must be static-ip with a fixed address
  • The IP missing below MUST be the public IP address the ISP assigned to your home "modem", which is now the firewall
    • NOTE: If the address assigned to your Internet Layer 3 link ever changes, this NAT rule MUST be updated. Since having this implemented for over a year, I have never had to change this address as the ISP wants to be stable and follows the basic rules of DHCP. My ISP has always assigned me the same address when my DHCP lease renews.
  • The last major configuration is to check "bi-directional: yes".

If the above NAT rule and security policy are configured with the proper information, all UPnP issues will be a problem of the past. I have never had an issue except to add applications to my security policy from time to time. I have used this configuration on multiple PA-220s and it works every time without any issues. Without the above rules, some games might work but group chat will always be broken.

For information on how to configure a static 1-to-1 destination NAT policy, or bi-directional NAT mapping, please refer to the Understanding PAN-OS NAT document. Keep in mind that a NAT rule only translates addresses; traffic arriving from the Internet for the console is still subject to the security policy, so any Untrust-to-Trust rule you add for it should be as narrow as the outbound one rather than allowing any service.

Please enjoy, and hopefully this will help anyone avoid the headaches, research and trial and error that I went through. Also, hopefully this configuration will allow everyone, including myself, to keep our games while also securing and protecting our valuable resources on the inside of the network. With this configuration, we have the ability to function without any issues as well as protect the network from the UPnP exposure that all gaming systems rely on, especially Xbox/Microsoft.