To my surprise, commitconfirm.com was available to purchase, so I purchased the domain and going to move away from consentfactory.com.
Also, I want to move away from WordPress and move to something more simple, and Hugo+Cloudflare Pages+GitHub is pretty slick. So here we go!
So go there!
You know what I don’t like? Cottage cheese. It’s gross.
You know what else I don’t like?
This:
And this:
And this:
And this:
And yes, I just wasted a full page, maybe made you excessively scroll, made the readability scores upset, and I’m still not getting to my damn point.
My damn point: I don’t like managed devices that don’t have their web certificates updated, and I had Gigamon appliances that needed some certificate love so I’m jotting down here how to update the Gigamon certificates with externally generated ones.
“Why?” I hear you asking. Well, I don’t think Gigamon does a very good job explaining in their documentation how to update the certificates, so I’m going to do it here.
If you try googling for any combination of the words “gigamon install web certificate”, you’re going to get a whole list of links that are not applicable to Gigamon appliances, and really are focused on the management platform GigaVue-FM.
Quick note: the documentation here for GigaVue-FM and the web certificate is accurate, but it’s at the bottom of the search results. So if you’re looking for GigaVue-FM documentation, there you go.
The reason you’re not finding anything related in the search results is because everything related to certificates and the web interface under the crypto commands (much like Cisco). The basic process then is to import the certificate, private key, certificate chain (root and issuing) using the crypto commands, then tell the web service to use the new certificate.
First off, for importing third-party certificates you can do it two ways: paste in the certificate/key information, or download it (“fetch”) from somewhere else.
# Copying in the content
(config) # crypto certificate name steveBruleCA public-cert pem "<contents of cert>"
# Downloading/Fetching the CA certificate
(config) # crypto certificate name steveBruleCA public-cert pem fetch http://consentfactory.com/steveBruleCA.crt
My preference is to spin up Python http server and download from that location real quick. Assuming you have Python installed, you can run the following:
# Spins up Python with default setting
python3 -m http.server
Which results in this:
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Or run this:
# Spins up Python on default port 80, but you may need to run with elevated privileges since its a privileged port
python3 -m http.server 80
Which results in this:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
You may or may not need to do this. For me, I did. I’ll show both ways to do it, but from here out, I’ll just be fetching from my Python server.
# Copying in the content
(config) # crypto certificate name steveBruleCA public-cert pem "
> -----BEGIN CERTIFICATE-----
> MIIFVzCCAz+gAwIBAgINAgPlk28xsBNJiGuiFzANBgkqhkiG9w0BAQwFADBHMQsw
> CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
> MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw
> MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
> Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEBAQUA
> A4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaMf/vo
> 27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vXmX7w
> Cl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7zUjw
> TcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0Pfybl
> qAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtcvfaH
> szVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4Zor8
> Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUspzBmk
> MiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOORc92
> wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYWk70p
> aDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+DVrN
> VjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgFlQID
> AQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
> FgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBAJ+qQibb
> C5u+/x6Wki4+omVKapi6Ist9wTrYggoGxval3sBOh2Z5ofmmWJyq+bXmYOfg6LEe
> QkEzCzc9zolwFcq1JKjPa7XSQCGYzyI0zzvFIoTgxQ6KfF2I5DUkzps+GlQebtuy
> h6f88/qBVRRiClmpIgUxPoLW7ttXNLwzldMXG+gnoot7TiYaelpkttGsN/H9oPM4
> 7HLwEXWdyzRSjeZ2axfG34arJ45JK3VmgRAhpuo+9K4l/3wV3s6MJT/KYnAK9y8J
> ZgfIPxz88NtFMN9iiMG1D53Dn0reWVlHxYciNuaCp+0KueIHoI17eko8cdLiA6Ef
> MgfdG+RCzgwARWGAtQsgWSl4vflVy2PFPEz0tv/bal8xa5meLMFrUKTX5hgUvYU/
> Z6tGn6D/Qqc6f1zLXbBwHSs09dR2CQzreExZBfMzQsNhFRAbd03OIozUhfJFfbdT
> 6u9AWpQKXCBfTkBdYiJ23//OYb2MI3jSNwLgjt7RETeJ9r/tSQdirpLsQBqvFAnZ
> 0E6yove+7u7Y/9waLd64NnHi/Hm3lCXRSHNboTXns5lndcEZOitHTtNCjv0xyBZm
> 2tIMPNuzjsmhDYAPexZ3FL//2wmUspO8IFgV6dtxQ/PeEMMA3KgqlbbC1j+Qa3bb
> bP6MvPJwNQzcmRk13NfIRmPVNnGuV/u3gm3c
> -----END CERTIFICATE-----
"
If you type in the quote, hit enter, you’ll be given a prompt to enter the data for the certificate, which you end with another quote, then enter.
For fetching the certificate, it’s straightforward:
# Downloading/Fetching the CA certificate
(config) # crypto certificate name steveBruleCA public-cert pem http://consentfactory.com/steveBruleCA.crt
Now after getting the certificate on the appliance, you need to put them in the trusted store like this:
(config) # crypto certificate ca-list default-ca-list name steveBruleCA
The CA certificate will be trusted now.
Now we’re cookin’. Let’s download and install for the web service.
(config) # crypto certificate name webServiceCert public-cert pem fetch http://consentfactory.com/webServiceCert.crt
That’s it for the certificate.
This will install the key and prompt you for the password for the private key:
(config) # crypto certificate name webServiceCert private-key pem fetch http://consentfactory.com/webServiceCert.key
Now we’re set to enable the web service to use the new certificate.
This is the easy part:
web https certificate name webServiceCert
That it! No need to restart any services, as the appliance appears to take care of all of that on the backend.
You’re all done. Time to smile, look in the mirror, notice and ignore the zit, and maybe go look at some PCAPs.
When working with Cisco ASA configurations and with scripting/automation, you know that ASA configuration files are not written with structured data in mind. A great solution to this is to use a Python tool called Template Text Parser, or TTP for short, which is networking/systems focused Python library that allows you to create structured data (JSON or YAML) from semi-structured configuration files or from the output of CLI show commands.
More information about TTP can be found on the link above. If you want a great tutorial on TTP, Kirk Byers has a great series on TTP.
Below is a TTP template that I created to do the following:
The end goal for this template is to migrate configurations from ASA to Palo Alto PANOS, creating set commands for equivalent configurations. However, this template is only focused on creating structured data from ASA firewall rules (ACLs).
One note: ACL lines in ASA configuration files can be made up of likely a few hundred variations or more, particularly if you have logging/debugging on. This template includes most of the more common ACL configuration variations.
If you’re running a Palo 5200/7000 series firewall, you may have inserted transceiver modules and the only way you really know they’re recognized is if you get them online. While troubleshooting an issue, I found a item from the Palo Alto KB, namely the log file brdagent.log is where you can view the transceiver you inserted; the log itself is for monitoring interfaces and other networking chips being inserted (see book link below).
To view the log, I prefer to use the tail command to view the log, which is a Unix/Linux command to view the last section of the log file, and even to watch the log file as it’s being used.
The command:
tail lines 100 follow yes cp-log brdagent.log
<bunch of log files>
cp brdagent.log 2019-10-03 17:10:40 2019-10-03 17:10:40.001 -0600 Port 25: Down 40Gb/s-full duplex
cp brdagent.log 2019-10-03 17:10:40 2019-10-03 17:10:40.001 -0600 PORT25: board_port_autoneg_enabled -> board_port_autoneg, link: 0, mode: 1
cp brdagent.log 2019-10-03 17:11:40 2019-10-03 17:11:40.644 -0600 Error: gryphon_get_port_info(5200/gryphon_ports.c:1231): Remote fault detected on port 25!
cp brdagent.log 2019-10-03 17:13:22 2019-10-03 17:13:22.156 -0600 Port 25: sysd_obj_lookup for <QSFP> failed !!!
cp brdagent.log 2019-10-03 17:13:22 2019-10-03 17:13:22.156 -0600 Port 25: Empty QSFP+ detected
cp brdagent.log 2019-10-03 17:14:07 2019-10-03 17:14:07.441 -0600 QSFP+ detected on port 25
cp brdagent.log 2019-10-03 17:14:07 vendor 'FINISAR CORP. '; part 'FTL4E1QE1C-A5 '; id 'QSFPP'
The command broken down:
tail – the Unix/Linux command that displays the last section of a filelines 100– displays the last 100 lines (or less) of the filefollow yes – informs the cli to continue printing any additional input to the filecp-log– this is a directory for control plane logs, and according to Tom Piens with the Mastering Palo Alto Networks book below, there a few different directories for the management plane, data plane, and other logs. The log directories will vary based on models.brdagent.log– the log filename.As you see in the log above, you can see the the QSFP transceiver in the log. Using the tail follow command though, you can watch as transceivers are inserted, like this (I inserted a Cisco twinax as an example):
2021-05-25 13:50:34.663 -0600 Port 19: SFP Plus Empty detected
2021-05-25 13:50:51.756 -0600 Port 19 :: sfp_data.transceiver_codes(str) = 10000
2021-05-25 13:50:51.756 -0600 SFP Plus detected on port 19
vendor 'CISCO-TYCO '; part '2053783-3 '; tc '10000'
2021-05-25 13:50:51.757 -0600 Port 19: SFP Plus Fiber detected
2021-05-25 13:50:51.757 -0600 PORT19: board_port_sfp_nopop_0 -> board_port_startup, link: 0, mode: 2
2021-05-25 13:50:51.761 -0600 PORT19: board_port_startup -> board_port_autoneg, link: 0, mode: 2
2021-05-25 13:50:51.764 -0600 PORT19: board_port_autoneg -> board_port_autoneg_linked, link: 1, mode: 2
2021-05-25 13:50:51.764 -0600 Port 19: Up 10Gb/s-full duplex
I actually found a pretty good book that I purchased which breaks this down some of these commands. Mastering Palo Alto Networks: Deploy and manage industry-leading PAN-OS 10.x solutions to secure your users and infrastructure explains how to view some of these logs, particularly the section on ‘Debugging Processes’.
Some additional bits I’ve learned recently:
Personal KB Reference:
https://github.com/consentfactory/knowledgebase/blob/master/networking/cisco/security/palo_alto/viewing_transceivers.md