Friday, 23 February 2018

Windows QoS settings

Windows 10 does not allow applications to mark outgoing packets with QoS DSCP values.

In order to overcome this you have 2 options:

  • Create a QoS policy via Group Policy, which only works on domain networks
  • Run a PowerShell command to create a QoS policy that is attached to all network connection types (Domain / Private / Public)
The PowerShell command is (matching on executable name):

New-NetQosPolicy -Name "CiscoJabber" -AppPathNameMatchCondition "CiscoJabber.exe" -DSCPAction 46

Use the following command to view the QoS policies, since policies created with PowerShell do not show up in the Local Computer Policy snap-in:

Get-NetQosPolicy

References:
Microsoft: New-NetQosPolicy
Microsoft: Get-NetQosPolicy

Tuesday, 20 February 2018

FTD policy configuration deploy failed

Make sure that the FlexConfig is correct.
Remove all policies (NAT / FlexConfig / Access etc.), create empty ones, assign them to the device, then push the policy. If this works, re-enable the original policies one by one to pinpoint the issue.

FTD Configuration Reset

I recently ran into an issue where I needed to clear the configuration on an FTD 2100 series.

The steps followed are:
  1. Remove the FTD from FMC
  2. SSH to the FTD
  3. configure manager delete
  4. You will be prompted to reset the configuration; choose yes
  5. configure firewall transparent
  6. Check that the configuration is clear and..
  7. configure firewall routed
Now you have an FTD with a clean configuration (changing the firewall mode is what wipes the configuration; step 7 simply switches it back to routed mode).


Another way is to connect to the FTD and run the following:

  1. connect local-mgmt
  2. erase configuration
This will reset the configuration, and you have to go through the setup again after you reboot the device. Keep in mind that the FTD instance will be reinstalled after that.



Thursday, 8 February 2018

QoS General notes

The following are notes regarding QoS that I consider helpful for my work.
I will update this as I learn more.

Cisco's Differentiated Services Code Point (DSCP) Values for Various Types of Traffic

Traffic Type     Layer 2 Class of Service   Layer 3 IP Precedence   Layer 3 DSCP
Call signaling   3                          3                       CS3 (24)
Voice            5                          5                       EF (46)
Video            4                          4                       AF41 (34)
TelePresence     4                          4                       CS4 (32)

Class selector values

DSCP           Binary    Hex   Decimal  Typical application  Examples
CS0 (Default)  000 000   0x00  0
CS1            001 000   0x08  8        Scavenger            YouTube, Gaming, P2P
CS2            010 000   0x10  16       OAM                  SNMP, SSH, Syslog
CS3            011 000   0x18  24       Signaling            SCCP, SIP, H.323
CS4            100 000   0x20  32       Realtime             TelePresence
CS5            101 000   0x28  40       Broadcast video      Cisco IPVS
CS6            110 000   0x30  48       Network control      EIGRP, OSPF, HSRP, IKE
CS7            111 000   0x38  56


Commonly used DSCP values

DSCP value  Hex   Decimal  Meaning                    Drop probability  Equivalent IP precedence value
101 110     0x2e  46       Expedited forwarding (EF)  N/A               101 - Critical
000 000     0x00  0        Best effort                N/A               000 - Routine
001 010     0x0a  10       AF11                       Low               001 - Priority
001 100     0x0c  12       AF12                       Medium            001 - Priority
001 110     0x0e  14       AF13                       High              001 - Priority
010 010     0x12  18       AF21                       Low               010 - Immediate
010 100     0x14  20       AF22                       Medium            010 - Immediate
010 110     0x16  22       AF23                       High              010 - Immediate
011 010     0x1a  26       AF31                       Low               011 - Flash
011 100     0x1c  28       AF32                       Medium            011 - Flash
011 110     0x1e  30       AF33                       High              011 - Flash
100 010     0x22  34       AF41                       Low               100 - Flash override
100 100     0x24  36       AF42                       Medium            100 - Flash override
100 110     0x26  38       AF43                       High              100 - Flash override

Cisco switch CoS-to-DSCP map fix
EF (DSCP 46) maps to CoS 5 when the frame crosses a trunk, but the default CoS-to-DSCP map turns CoS 5 back into CS5 (DSCP 40), so remap CoS 5 to 46:
mls qos map cos-dscp 0 8 16 24 32 46 48 56
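As an added example (not part of the original notes), the Python below decodes a DSCP value into the columns used in the tables above and reproduces the DSCP -> CoS -> DSCP round trip that the cos-dscp fix corrects. The default CoS-to-DSCP map of 8 x CoS is assumed from the note that CoS 5 becomes CS5 (40).

```python
"""Decode 6-bit DSCP values into the columns of the tables above and show why the
cos-dscp map needs the EF fix. Added example, not from the original notes."""

# Per-hop-behaviour names: CSx = x*8, AFxy = 8*x + 2*y, EF = 46 (matches the tables).
PHB_NAMES = {c * 8: f"CS{c}" for c in range(8)}
PHB_NAMES.update({8 * cls + 2 * drop: f"AF{cls}{drop}"
                  for cls in range(1, 5) for drop in range(1, 4)})
PHB_NAMES[46] = "EF"

PRECEDENCE_NAMES = ["Routine", "Priority", "Immediate", "Flash", "Flash override",
                    "Critical", "Internetwork control", "Network control"]
DROP_NAMES = {1: "Low", 2: "Medium", 3: "High"}

# Assumed Cisco IOS default cos-dscp map (CoS c -> DSCP 8*c): this is what turns
# CoS 5 back into CS5 (40) in the note above.
DEFAULT_COS_DSCP_MAP = [c * 8 for c in range(8)]


def decode_dscp(value):
    """Return binary/hex/PHB/precedence/drop/CoS for one DSCP value (0..63)."""
    if not 0 <= value <= 63:
        raise ValueError("DSCP is a 6-bit field")
    precedence = value >> 3                 # top 3 bits = IP precedence = L2 CoS
    bits = f"{value:06b}"
    phb = PHB_NAMES.get(value, f"DSCP{value}")
    # AF drop precedence lives in bits 1-2 (010/100/110 -> 1/2/3).
    drop = DROP_NAMES[(value & 0b111) >> 1] if phb.startswith("AF") else "N/A"
    return {"binary": f"{bits[:3]} {bits[3:]}", "hex": f"0x{value:02x}", "phb": phb,
            "precedence": precedence, "precedence_name": PRECEDENCE_NAMES[precedence],
            "drop": drop, "cos": precedence}


def parse_cos_dscp_map(command):
    """Parse 'mls qos map cos-dscp d0 ... d7' into a list indexed by CoS value."""
    words = command.split()
    if words[:4] != ["mls", "qos", "map", "cos-dscp"] or len(words) != 12:
        raise ValueError("expected: mls qos map cos-dscp <8 DSCP values>")
    return [int(w) for w in words[4:]]


def round_trip(dscp, cos_dscp_map=DEFAULT_COS_DSCP_MAP):
    """DSCP -> CoS on an 802.1Q trunk -> DSCP rewritten by the cos-dscp map."""
    return cos_dscp_map[decode_dscp(dscp)["cos"]]


if __name__ == "__main__":
    fixed = parse_cos_dscp_map("mls qos map cos-dscp 0 8 16 24 32 46 48 56")
    print(decode_dscp(46))                         # EF, 101 110, 0x2e, Critical
    print(round_trip(46), round_trip(46, fixed))   # 40 with the default map, 46 after the fix
```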

Tuesday, 6 February 2018

Palo Alto Firewall CLI admin access setup

Hi,

I ran into an issue where a customer couldn't access his firewall via HTTPS and SSH. Somehow management access rules and services got disabled.

Using the console, do the following (adjust to your environment and requirements; telnet and HTTP are cleartext, so re-disable them once SSH/HTTPS access is confirmed):
configure
set deviceconfig system permitted-ip 10.0.0.0/8
set deviceconfig system service disable-telnet no
set deviceconfig system service disable-http no
set deviceconfig system service disable-ssh no
set deviceconfig system service disable-https no
commit

 

Thursday, 1 February 2018

Check URLs opened in a web page

Recently I was called to adjust a firewall rule to allow access to 2 specific URLs only and nowhere else.
So I created an expression for the 2 specific URLs and tested to see if it was working.

Guess what, it didn't! Looking further into the issue, I discovered that the developers had used more than a dozen domains to fetch images, scripts, ads, fonts, style sheets etc.

In order to test that, I used the developer tools included in Firefox and Chrome. To access the tools, either use the menu of each browser and locate them under Tools, or press Ctrl+Shift+I to open the console. Then select Network and visit the page from a non-restricted computer, with any ad blockers you might use disabled.

Record all the domains and try to whitelist them in your rule.

It's a trial-and-error procedure, but it helps, especially if you are dealing with slow-responding 3rd parties etc.
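Recording the domains by hand gets tedious on a page with dozens of requests. As an added example (not from the original post), the Python below reads a HAR file exported from the Network tab (both browsers can save the captured requests as HAR) and lists every third-party host with its request count, which is the list to whitelist. The HAR content is constructed, and the first-party domain is passed in.

```python
"""List the hosts a page pulls resources from, by reading a HAR export of the
developer-tools Network tab. Added example, not part of the original post."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in HAR 1.2 layout: a page on www.example.com that also
# loads a script, fonts and an image from other domains.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://www.example.com/"}},
    {"request": {"url": "https://www.example.com/app.js"}},
    {"request": {"url": "https://cdn.example.net/lib/jquery.min.js"}},
    {"request": {"url": "https://fonts.example.org/css?family=Roboto"}},
    {"request": {"url": "https://fonts.example.org/font.woff2"}},
    {"request": {"url": "https://img.example.net/logo.png"}},
    {"request": {"url": "data:image/png;base64,iVBORw0KGgo="}},   # inline, no host
]}})


def hosts_from_har(har_text):
    """Return a Counter of host -> request count, ignoring data:/blob: URLs."""
    counts = Counter()
    for entry in json.loads(har_text)["log"]["entries"]:
        parts = urlsplit(entry["request"]["url"])
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        counts[parts.hostname] += 1
    return counts


def whitelist_candidates(har_text, first_party):
    """Third-party hosts (not first_party or its subdomains), most requested first."""
    counts = hosts_from_har(har_text)
    third = [(host, n) for host, n in counts.items()
             if host != first_party and not host.endswith("." + first_party)]
    return sorted(third, key=lambda hn: (-hn[1], hn[0]))


if __name__ == "__main__":
    for host, n in whitelist_candidates(SAMPLE_HAR, "example.com"):
        print(f"{n:3d}  {host}")
```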

ICMP DoS attack BlackNurse

BlackNurse is an ICMP DoS attack which can bring systems down with as little as 18 Mbps of traffic.
As they state, "it CAN bring you down".

More at blacknurse.dk