Wednesday, March 30, 2016

Automating F5 backups with bash, tmsh and GNU gpg (pgp)

Here in my current role we use F5 LTMs. As you know (or should know), F5 appliances currently run Linux (previously they ran NetBSD). If you have advanced console access, you can do just about anything in a Linux bash shell.

Here's a simple script I'm sharing that can be run on the appliance. It does the following:

1: builds a compressed UCS (UserConfigurationSet) archive file

2: symmetrically encrypts that file with a static passphrase using GNU's gpg

You can run these commands as a crontab job and then scp or ftp the result, or even get creative and push it via an HTTP POST with curl to an upload site, since the file is encrypted.

e.g.


curl -H "X_F5: backup" -X POST -d @backupfilename http://myusername:mypassword@ftp1.socpuppets.com/backups/ltms
 
 
Here are the backup script contents and execution.
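The script itself was a screenshot in the original post. What follows is an added example written for this page, not the author's script, that does the two steps described above (tmsh UCS build, gpg symmetric encryption) plus the optional off-box push. It assumes a root-only passphrase file at /root/.ucs_backup_pass, a ~/.netrc holding the upload credentials, and an UPLOAD_URL you fill in; those paths and the retention period are made up for the example. Reading the passphrase from a file and the upload credentials from netrc keeps both out of the script body, `ps` output and shell history, which a password embedded in the URL (as in the curl line above) would not.

```shell
#!/bin/bash
# Added example, not the original post's script: build a UCS with tmsh,
# encrypt it with gpg, prune old copies, optionally push the ciphertext off-box.
# Assumed values: PASS_FILE, KEEP_DAYS and UPLOAD_URL are placeholders for this example.
set -eu

UCS_DIR=/var/local/ucs            # default UCS location on a BIG-IP
PASS_FILE=/root/.ucs_backup_pass  # mode 0600, holds the gpg passphrase (assumed path)
KEEP_DAYS=14                      # how long encrypted copies stay on the box (assumed)
UPLOAD_URL=""                     # e.g. https://backups.example.com/ltms; empty = no push

# backup_name HOST STAMP -> "HOST-STAMP.ucs"
backup_name() {
    printf '%s-%s.ucs\n' "$1" "$2"
}

# build_ucs PATH: have tmsh write a compressed UCS archive to PATH
build_ucs() {
    tmsh save /sys ucs "$1"
}

# encrypt_backup IN OUT: symmetric AES-256 gpg, passphrase read from PASS_FILE,
# then drop the plaintext: a UCS carries private keys and password hashes.
encrypt_backup() {
    gpg --batch --yes --symmetric --cipher-algo AES256 \
        --passphrase-file "$PASS_FILE" --output "$2" "$1"
    rm -f "$1"
}

# prune_old DIR DAYS: remove encrypted archives older than DAYS days
prune_old() {
    find "$1" -type f -name '*.ucs.gpg' -mtime +"$2" -exec rm -f {} +
}

# push_backup FILE: HTTP POST the ciphertext; credentials come from ~/.netrc (-n),
# not from the URL, so they never appear in the process list or history.
push_backup() {
    [ -n "$UPLOAD_URL" ] || return 0
    curl --fail --silent --show-error -n \
         -H 'X_F5: backup' -X POST --data-binary "@$1" "$UPLOAD_URL"
}

main() {
    host=$(hostname -s)
    stamp=$(date +%Y%m%d-%H%M)
    ucs="$UCS_DIR/$(backup_name "$host" "$stamp")"
    build_ucs "$ucs"
    encrypt_backup "$ucs" "$ucs.gpg"
    prune_old "$UCS_DIR" "$KEEP_DAYS"
    push_backup "$ucs.gpg"
}

# Only do real work where tmsh exists (i.e. on the BIG-IP); elsewhere just say so.
if command -v tmsh >/dev/null 2>&1; then
    main
else
    echo "tmsh not found: run this on the BIG-IP (functions are defined, nothing done)" >&2
fi
```

Drop it in root's crontab on the appliance; restoring is `gpg --decrypt file.ucs.gpg > file.ucs` followed by `tmsh load /sys ucs file.ucs`, so keep the passphrase somewhere other than the box you are backing up.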
 
 
 


Enjoy.


Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \

Monday, March 28, 2016

PCNSE 7 exam is ready and available

Palo Alto has the PCNSE7 exam available now through Pearson VUE.

https://www8.pearsonvue.com/testtaker/registration/ExamSeriesDetailPage/PALOALTO/713765

I'm going to take my very first stab at this exam in mid-April. Very little study material exists for the exam, so you really need to look at the exam objectives.



https://www.paloaltonetworks.com/services/education


Wednesday, March 16, 2016

Controlling FortiGate access profiles with Cisco ACS 5.8 TACACS+

To pass access profiles from Cisco ACS you need to craft custom TACACS+ attributes. The TACACS+ attribute value should match a locally defined accprofile.

The profile is applied only after an ACCEPT from a successful authentication. This is how authorization, and the access level, is granted to the end user.

Here's a screenshot of the Shell Profiles from the profile elements within Cisco ACS (see the blue and wine-colored arrows).





Key Points:


  • The user can only be in ONE accprofile. The accprofile provides READ, NONE or WRITE for the various command-section levels (e.g. firewall, system, etc.).

  • If a wildcard user is enabled, this profile can override the accprofile defined for the wildcard.

  • If the referenced accprofile does not exist, the default accprofile for that user is granted.

A sample FortiOS accprofile configuration:

config sys accprofile
    edit "CORP_LEVEL2"
        set comments "TIER#2 ENGINEERS"
        set mntgrp read
        set admingrp read
        set updategrp read
        set authgrp read-write
        set sysgrp read
        set netgrp read
        set loggrp read
        set routegrp read
        set fwgrp custom
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set endpoint-control-grp read
        set wifi read
        config fwgrp-permission
            set policy read-write
            set address read-write
            set service read-write
            set schedule read
            set packet-capture read
            set others read-write
        end
    next
    edit "CORP_ENG_SR"
        set comments "SENIOR SEC-ENG"
        set mntgrp read-write
        set admingrp read
        set updategrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set routegrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set endpoint-control-grp read-write
        set wifi read-write
    next
end

The CLI command diag debug app fnbamd -1 will provide details on authentication/authorization,

and the following command will show the authentication PASS/FAIL and any accprofile that's applied:

diag test authserver tacacs+ <tacacs_server_name> <username> <password>


e.g. testing socadmin1



Monday, March 14, 2016

tacacs.net and fortigate

We've been testing the tacacs.net Windows AAA server and I wanted to share the authorization profile that allows you to pass an accprofile to the system admin user when accprofile-override has been enabled for the wildcard account.

Under tac_plus (shrubbery), the configuration is similar.

shrubbery ( http://www.shrubbery.net/tac_plus/ )


Under tacacs.net you deploy this in the group sections of authorization.xml.

tacacs.net    ( http://tacacs.net/documentation.asp )
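The tacacs.net and ACS screenshots did not survive, so here is an added tac_plus (shrubbery) fragment, written for this page and not taken from either post, showing the same mapping for the two accprofiles defined in the ACS post above: one TACACS+ group per accprofile, with the profile name handed back as an authorization attribute. It assumes the service name `fortigate` and the attribute name `admin_prof`, which is what FortiOS documents for accprofile override; the shared key and the user are placeholders. Confirm the exact service/attribute pair your FortiGate requests in the fnbamd debug output the post recommends before relying on it.

```text
# tac_plus.conf fragment (added example, not the post's configuration)
key = "CHANGE_ME_SHARED_SECRET"     # placeholder; must match the FortiGate's TACACS+ server key

# Assumed per FortiOS docs: service "fortigate", attribute "admin_prof".
# The value must exactly match an accprofile defined on the FortiGate
# (e.g. CORP_LEVEL2 / CORP_ENG_SR from the sample config); otherwise the
# wildcard account's own default accprofile applies.
group = soc_tier2 {
    default service = deny
    service = fortigate {
        admin_prof = "CORP_LEVEL2"
    }
}

group = soc_senior {
    default service = deny
    service = fortigate {
        admin_prof = "CORP_ENG_SR"
    }
}

# Placeholder user: authenticated through the host's PAM stack, authorized via its group
user = socadmin1 {
    login = PAM
    member = soc_tier2
}
```

On the FortiGate side this only takes effect for a remote admin with wildcard and accprofile-override enabled, as the post says; a user in two groups still lands in exactly one accprofile, so keep each user in a single group to avoid surprises.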







Don't forget that FortiOS has a diagnostic debug command that will show you what's being passed.

e.g.




Alternatively you can use diag debug app fnbamd -1 to see what the final TACACS+ authorization reply status is for an accept reply.




Both are great diagnostic tools and methods for troubleshooting authserver for both local and remote accounts.
