Friday, August 31, 2018

forcepoint API

In my day job I handle support cases for a host of issues. Here is a short blog post with some basic Forcepoint NGFW API information. First, the API interface is simple to enable on the SMC Management Server under the server "properties" settings.


Here I have selected port 8080 instead of the default 8082 and enabled the API.
You do NOT need to reboot the Management Server.



You will need to define an API client user (the standard admin users are not API users). After you have created an API client, an authentication key will be displayed once (it is critical that you record that key; you will not see it again).

To log in, the API needs that key, provided via an HTTP POST request in a simple call:


curl -k -v -d '{"authenticationkey":"n7d3hj3k39l@se3ydieke"}' -H "Content-Type: application/json" -X POST https://mysmcserver.socpuppets.com:8080/login



If the key was correct, you should receive an HTTP 200 response and the SMC console will show the API user logged on with status "online".



Logout is similar but uses the HTTP PUT method:

curl -k -v -d '{"authenticationkey":"n7d3hj3k39l@se3ydieke"}' -H "Content-Type: application/json" -X PUT https://mysmcserver.socpuppets.com:8080/login


To discover the entry points you can use the API discovery URL, on whatever service port you have enabled:

https://x.x.x.x:8080/api

example
As you can clearly see, we have 5.10, 6.2 and 6.3 API version support for this SMC v6.3.8. You can call up each of these versions to see what entry points are allowed.


{output truncated }


You can request the various entry points by issuing an HTTP GET; examples follow below.


When constructing a POST body I prefer a JSON structure of key and attribute value pairs, e.g.

{ "name":"the_name_here", "address":"1.1.1.1"}

NOTE: ensure you set the Content-Type to application/json if you are using JSON; XML is also supported.


Keep in mind that API client access is controlled by the role you define for the account.





On initial login, be aware that the JSESSIONID cookie value is used for admin session tracking over HTTP. With HTTPS you can use either the cookie or the SSL session for tracking.





Here are a few basic API examples:









And yes, the API supports IPv6.













NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \




Thursday, August 30, 2018

Y2038 unix time

Y2038   "Time is on my side, yes it is "










Saturday, August 25, 2018

Papertrails for audit

In this blog post I will do a short demo of Papertrail and of raising log alert events triggered from a PAN-OS firewall. Papertrail is a cloud logging service.

https://papertrailapp.com/

The service offers low to high cloud storage options, and even free trials.

The portal is simple for crafting a new logging source for the allocated destinations.

Keep in mind you can have multiple log destinations and use a mix of UDP, TCP or TLS.






To craft events, just use the string that you are looking for from the logging source.




Here's a breakdown of a config change event that triggers the sending of an email.
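The same idea in code: a search string over the forwarded syslog stream that, on a hit, composes the notification email. This is an added example, not Papertrail's or Palo Alto's code. The log lines are constructed to resemble PAN-OS CONFIG, SYSTEM and TRAFFIC syslog records so the matching can be shown offline; their field layout is illustrative and not a reference for the real format, and the addresses are placeholders.

```python
"""Search-string alerting over forwarded syslog, in the spirit of a Papertrail
saved search that fires an email.  Added example; sample lines are constructed."""
import re
from collections import defaultdict
from email.message import EmailMessage

# Constructed lines resembling what a PAN-OS firewall forwards; not real device output.
SAMPLE_SYSLOG = """\
<14>Aug 25 10:01:02 pa-fw01 1,2018/08/25 10:01:02,001234567890,CONFIG,0,0,2018/08/25 10:01:02,10.10.1.20,,edit,admin,Web,Succeeded,rulebase security rules allow-dns
<14>Aug 25 10:01:09 pa-fw01 1,2018/08/25 10:01:09,001234567890,CONFIG,0,0,2018/08/25 10:01:09,10.10.1.20,,commit,admin,Web,Succeeded,
<14>Aug 25 10:02:30 pa-fw01 1,2018/08/25 10:02:30,001234567890,SYSTEM,general,0,2018/08/25 10:02:30,,,general,,,,general,0,0,0,0,,pa-fw01,,,,User admin logged in via Web from 10.10.1.20
<14>Aug 25 10:03:45 pa-fw01 1,2018/08/25 10:03:45,001234567890,TRAFFIC,end,0,2018/08/25 10:03:45,10.10.5.7,8.8.8.8,0.0.0.0,0.0.0.0,allow-dns,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,53212,53,udp,allow
<14>Aug 25 10:05:00 pa-fw01 1,2018/08/25 10:05:00,001234567890,CONFIG,0,0,2018/08/25 10:05:00,10.10.1.21,,delete,ops,Web,Failed,rulebase security rules block-all
"""

# Alert definitions: a name, the search expression, and who gets the email.
ALERTS = [
    {"name": "config-change", "search": r",CONFIG,.*,(edit|set|delete|commit),", "notify": "secops@example.com"},
    {"name": "config-failed", "search": r",CONFIG,.*,Failed,", "notify": "secops@example.com"},
    {"name": "admin-login", "search": r"User \S+ logged in", "notify": "secops@example.com"},
]


def match_alerts(lines, alerts=ALERTS):
    """Return {alert name: [matching lines]} for every alert whose search hits."""
    hits = defaultdict(list)
    compiled = [(a["name"], re.compile(a["search"])) for a in alerts]
    for line in lines:
        for name, rx in compiled:
            if rx.search(line):
                hits[name].append(line)
    return dict(hits)


def build_alert_email(alert, lines, sender="papertrail-alerts@example.com"):
    """Compose (not send) the notification a matching search would trigger."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = alert["notify"]
    msg["Subject"] = f"[{alert['name']}] {len(lines)} matching event(s)"
    msg.set_content("\n".join(lines))
    return msg


def run(text=SAMPLE_SYSLOG, alerts=ALERTS):
    """Scan the stream once and return one email per alert that fired."""
    hits = match_alerts(text.splitlines(), alerts)
    by_name = {a["name"]: a for a in alerts}
    return [build_alert_email(by_name[name], lines) for name, lines in hits.items()]


if __name__ == "__main__":
    for mail in run():
        print(mail["Subject"], "->", mail["To"])
```

The config-change search deliberately keys on the CONFIG record type plus the command field rather than on a bare word like "commit", so a TRAFFIC line whose rule happens to be named "commit-server" does not page anyone.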










NOTE: You can use High-Tech Bridge's SSL analyzer to check the TLS server component if you are having issues establishing TLS; just grab the CA file from https://papertrailapp.com/tools/papertrail-bundle.pem

https://www.htbridge.com/ssl/














Saturday, August 18, 2018

Here are a few of the NGFW offerings in the advanced world of security:

Cisco ASA Firepower
Sophos XG
Juniper SRX
Fortinet FortiGate
Palo Alto PAN series
Zscaler Cloud Firewall
Forcepoint NGFW (Stonegate)


What makes a NGFW?

    Application Awareness
    User Identification
    SSL inspection
    Deep Packet Inspection
    Advanced logging and alerting
    Threat intelligence


https://en.wikipedia.org/wiki/Next-generation_firewall
http://www.nextgenfw.com/









Friday, August 17, 2018

Forcepoint NGFW router dynamic




The Forcepoint routing engine is driven by Quagga, and supports OSPF and BGP as dynamic routing protocols.


The NGFW requires you to manually apply the dynamic routing template(s); after selecting the template(s) you can configure the routing details.




Here's a WebGUI view of a BGP configuration:





The legacy vtysh command is used to access the Quagga engine:














Tuesday, August 14, 2018

SSL Labs and example.com | org | net

SSL Labs does not analyze these websites: www.example.com, www.example.net and www.example.org.


But rest assured you can call up any of the other names in the certificate's SubjectAltName to test the site and get by the test restriction.










TLS 1.3 MiTM testing from Cloudflare


The following link supports a TLS 1.3 MiTM test checker: https://tls13.mitm.watch/

The results and test identifier are listed in the output;

    test1



Here's the same test when I have re-enabled my TLS decryption device on my network, which does not support TLS v1.3:

    test2



So keep in mind that for the 2nd test I have the same host (browser) and the same network, but the TLS inspection device does not support TLS v1.3.


NOTE: if you suspect a MiTM device is inspecting your TLS traffic, confirm the certificate issuer for the web server. See the reference below on how to use "crt.sh" to find all listed issuers for a website's certificates that use known public CAs. If your issuer string does NOT match the issuer listed in "crt.sh", then a MiTM device is installed and is probably decrypting. This is why SSL/TLS does not really mean you are 100% protected, since the average end user sees a padlock and thinks they are secure. A MiTM device could be planted between you and the website, and unless you know what to look at and look for, you would have no clue.


http://socpuppet.blogspot.com/2017/10/howto-find-certificate-issued-against.html
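The issuer comparison described in the note, as a small Python check. This is an added example and not the post's author's code: it pulls the certificate your client is actually handed (stdlib `ssl`, system trust store), reads the issuer out of the `getpeercert()` structure, and compares it with the issuers you previously looked up on crt.sh. The `EXPECTED_ISSUERS` set and the two certificate dicts are constructed placeholders, not real crt.sh data or real certificates; the TLS-version hint only applies to sites known to offer 1.3, such as the mitm.watch test page above.

```python
"""Issuer sanity check for spotting TLS interception.  Added example; the
issuer list and certificate dicts below are constructed placeholders."""
import socket
import ssl


def rdn_value(name, attr):
    """Read one attribute out of the nested tuples getpeercert() uses for
    'issuer' and 'subject', e.g. rdn_value(cert['issuer'], 'commonName')."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check: return (cert dict, negotiated protocol) using system trust."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


def interception_verdict(cert, expected_issuers, negotiated=None, site_speaks_tls13=False):
    """Flag a chain whose issuer is not one crt.sh knows for the site.  The
    version hint fires only when the site is known to offer TLS 1.3 and the
    session still came out lower, as in the post's second test."""
    org = rdn_value(cert["issuer"], "organizationName")
    cn = rdn_value(cert["issuer"], "commonName")
    findings = []
    if org not in expected_issuers and cn not in expected_issuers:
        findings.append(f"issuer '{org} / {cn}' is not an issuer crt.sh lists for this site")
    if site_speaks_tls13 and negotiated and negotiated != "TLSv1.3":
        findings.append(f"site offers TLS 1.3 but {negotiated} was negotiated; a middlebox may sit in the path")
    return {"issuer": (org, cn), "suspicious": bool(findings), "findings": findings}


# Constructed certificate dicts in getpeercert() shape; issuer names are placeholders
# standing in for a public CA and for an inspection appliance's private CA.
CERT_PUBLIC_CA = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Public CA Inc"),),
               (("commonName", "Public CA Server CA 1"),)),
}
CERT_INSPECTION = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("organizationName", "Corp IT"),), (("commonName", "corp-tls-inspection-ca"),)),
}
EXPECTED_ISSUERS = {"Public CA Inc", "Public CA Server CA 1"}   # placeholder for the crt.sh issuer list


if __name__ == "__main__":
    # live use: cert, proto = fetch_peer_cert("www.example.org")
    for cert in (CERT_PUBLIC_CA, CERT_INSPECTION):
        print(interception_verdict(cert, EXPECTED_ISSUERS, negotiated="TLSv1.2", site_speaks_tls13=True))
```

Note that `fetch_peer_cert` succeeds even when an inspection appliance is in the path, because the appliance's CA has been installed in the system trust store; that is exactly why the padlock alone proves nothing and the issuer has to be compared with an out-of-band source such as crt.sh.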









maildomain checker tool

OpenSSL is used for analyzing SSL/TLS on web servers and websites, but LuxSci's checker is used for mail systems. Here's a few screenshots for the mail domain socpuppets, which is hosted by GoDaddy.


https://luxsci.com/smtp-tls-checker







This online tool is great when you need simple-to-understand results and need to analyze TLS/SSL issues regarding mail.

Other tools that I mentioned a few years back are also great.




NOTE: LuxSci has a HIPAA secure email solution that works great. This allows for selective delivery of email and meets HIPAA compliance.










Monday, August 13, 2018

DNS check-names and how to analyze

Here's a quick blurb about DNS, names and syntax. A work associate ran into this issue today and I figured I would explain a few items.


With most BIND deployments, if you have an underscore in a name and do not specifically set check-names ignore, the BIND daemon will balk and fail to load the zone.



BIND is user friendly and will tell you why and where in the file the error is located. Here it is line #13, and on line #13 I have the following entry that I crafted for this example.



So that's a quick means of finding the error; now, in order to get the zone to load, you need to enable check-names ignore (the other options are fail and warn).
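To make the fail / warn / ignore behaviour concrete, here is a simplified re-implementation of the owner-name test as an added example, not BIND's own code. It walks a zone file, applies the letters/digits/hyphen hostname alphabet to the owner of each A, AAAA, MX, NS and CNAME record (a simplification of the record types BIND subjects to check-names; SRV owners such as _sip._tcp are deliberately left alone, as named leaves them), reports the offending line number the way the named log does, and then applies the chosen policy. The zone below is constructed so that the underscore entry lands on line 13, matching the post; the names and addresses are placeholders.

```python
"""Simplified check-names owner test with BIND's fail/warn/ignore policy.
Added example, not BIND's code; the zone text is constructed."""
import re

HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")
CHECKED_TYPES = {"A", "AAAA", "MX", "NS", "CNAME"}   # simplification of BIND's list

# Constructed zone: line 13 carries the underscore that trips check-names.
SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN socpuppets.example.
@       IN SOA ns1.socpuppets.example. hostmaster.socpuppets.example. (
                2018081301 ; serial
                7200       ; refresh
                900        ; retry
                1209600    ; expire
                3600 )     ; minimum
        IN NS   ns1.socpuppets.example.
ns1     IN A    192.0.2.53
www     IN A    192.0.2.80
_sip._tcp IN SRV 10 60 5060 sip.socpuppets.example.
my_host IN A    192.0.2.99
"""


def hostname_ok(owner):
    """True when every label is a valid hostname label; '@' and wildcards pass."""
    name = owner.rstrip(".")
    if name in ("@", ""):
        return True
    labels = name.split(".")
    if labels[0] == "*":            # wildcard owner: check the rest only
        labels = labels[1:]
    return all(HOSTNAME_LABEL.match(label) for label in labels)


def check_zone(zone_text, mode="fail"):
    """Return (loaded, problems).  problems is [(line, owner, message)];
    loaded is False only under mode='fail' when something was flagged."""
    problems = []
    owner = "@"
    in_paren = False
    for lineno, raw in enumerate(zone_text.splitlines(), start=1):
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if in_paren:                                  # inside a multi-line SOA
            in_paren = ")" not in line
            continue
        if not line.strip() or line.startswith("$"):  # blank or directive
            continue
        tokens = line.split()
        if not raw[0].isspace():                      # new owner on this line
            owner = tokens.pop(0)
        while tokens and (tokens[0] in ("IN", "CH", "HS") or tokens[0].isdigit()):
            tokens.pop(0)                             # skip class / TTL
        if not tokens:
            continue
        rtype = tokens[0].upper()
        if "(" in line and ")" not in line:
            in_paren = True
        if rtype in CHECKED_TYPES and not hostname_ok(owner):
            problems.append((lineno, owner, f"{owner}: bad owner name (check-names)"))
    if mode == "ignore":
        return True, []
    return (mode != "fail" or not problems), problems


if __name__ == "__main__":
    for mode in ("fail", "warn", "ignore"):
        loaded, problems = check_zone(SAMPLE_ZONE, mode)
        print(f"check-names {mode}: zone loaded={loaded}", problems)
```

Running it shows the same trade-off the post describes: `ignore` makes the zone load and says nothing, `warn` loads it but still logs line 13, and `fail` refuses the zone until the name is fixed or the policy is relaxed.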









Friday, August 10, 2018

Sidewinder download alternative


How to build a Sidewinder 8.3 repository. This can be useful in a fenced environment where the firewall has no internet access to the Forcepoint download site.

First you need to retrieve the packages from the real Sidewinder download site and reconstruct the site, and ensure that pkglist.txt is present in your serving directory.




In my setup I'm using the lightweight FTP server ftpdmin. I've only installed the packages for hotfixes P10 and P11 in the FTP user directory. It is probably best to md5sum or sha1sum check the files to ensure there is no corruption.
After you have set the base directory and installed the package(s) and pkglist.txt, you can change the Sidewinder appliance to download the packages. This will allow the appliance to call out to the FTP server and download/install the packages.
You can monitor the ftpdmin process to determine whether any transfers exist or have failed.





After the installation and reboot, you might have to wait for any auxiliary updates/upgrades for the console.
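The checksum step above, done systematically before the appliance is pointed at the mirror. This is an added example, not Forcepoint's tooling: it hashes every staged file, compares it with a manifest, and also lists files present in the serving directory that the manifest does not mention. The manifest format used here (one `<digest>  <filename>` line per package, the layout `sha1sum` writes) is an assumption for the example; the real pkglist.txt has its own format and the post only requires that it be present. The package names and bytes in the demo directory are constructed.

```python
"""Verify a locally staged package repository against a checksum manifest.
Added example; the manifest layout is assumed (sha1sum style) and the demo
packages are constructed."""
import hashlib
import os
import tempfile


def file_digest(path, algo="sha1", chunk=1 << 20):
    """Stream a file through hashlib so large packages do not need to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """'<hex digest>  <name>' per line, as sha1sum/md5sum write it; '#' comments allowed."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries[name.lstrip("* ").strip()] = digest.lower()
    return entries


def verify_repo(repo_dir, manifest_name="pkglist.txt", algo="sha1"):
    """Return ({name: 'ok' | 'corrupt' | 'missing'}, [unlisted files]).
    Anything unlisted should not be served to the appliance either."""
    with open(os.path.join(repo_dir, manifest_name)) as f:
        expected = parse_manifest(f.read())
    report = {}
    for name, digest in expected.items():
        path = os.path.join(repo_dir, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif file_digest(path, algo) != digest:
            report[name] = "corrupt"
        else:
            report[name] = "ok"
    extras = sorted(f for f in os.listdir(repo_dir) if f not in expected and f != manifest_name)
    return report, extras


def build_demo_repo():
    """Constructed staging directory: one good package, one corrupted, one missing,
    plus a stray file the manifest never mentions."""
    d = tempfile.mkdtemp(prefix="sw-repo-")
    pkgs = {   # placeholder names; not real Sidewinder package names
        "hotfix-P10.tgz": b"hotfix-P10-bytes",
        "hotfix-P11.tgz": b"hotfix-P11-bytes",
        "hotfix-P12.tgz": b"hotfix-P12-bytes",
    }
    lines = [f"{hashlib.sha1(data).hexdigest()}  {name}" for name, data in pkgs.items()]
    with open(os.path.join(d, "hotfix-P10.tgz"), "wb") as f:
        f.write(pkgs["hotfix-P10.tgz"])
    with open(os.path.join(d, "hotfix-P11.tgz"), "wb") as f:
        f.write(b"truncated")                 # simulates a bad transfer
    with open(os.path.join(d, "pkglist.txt"), "w") as f:
        f.write("# constructed manifest\n" + "\n".join(lines) + "\n")
    with open(os.path.join(d, "stray.bin"), "wb") as f:
        f.write(b"not listed")
    return d


if __name__ == "__main__":
    print(verify_repo(build_demo_repo()))
```

Run it against the real serving directory once the packages are in place; a clean result is every entry `ok` and an empty extras list. A `corrupt` entry is what an interrupted download looks like, which is the case the post's md5sum/sha1sum advice is meant to catch before the appliance tries to install it.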










