Posts

Showing posts from January, 2021

Firepower IPS Snort Rules

SRU is cumulative.

Note:
Content: search for bytes in the payload; the payload starts after the L4 header. It can be text, or binary enclosed in pipe ("|") characters.
Depth: how many bytes of the payload need to be searched for the content.
Offset: search starting point (from the beginning of the payload) for the content.
Within: after matching the 1st content, only search # bytes for the 2nd content.
Distance: after the previous pattern match, ignore # bytes, then search for another pattern match.

Reference:
https://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm#depth
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION00457000000000000000

=======Create Firepower Custom IPS Rule==========
# Copy from the existing rule
# Import a rule
# Create a new rule
Adding a content match can match HTTP info, for example the HTTP method, HTTP header, or HTTP URI.
=====================
https://www.rapid7.com/blog/post/2016/12/09/understanding-and-configuring-s

Palo Alto HA

HA cluster: 2 identical firewalls.
A/P: supports L2, L3 and VW (virtual wire). A/A: supports L3 and VW.
PA-200 only supports HA Lite, which is not stateful.

HA1: Control plane link (L3): heartbeat, HA state info, routing sync, User-ID info.
HA2: Data plane link (L2, stateful link): syncs sessions, FIB, IPsec SAs, ARP.
HA3: For A/A, forwards packets.
Heartbeat backup can run on the mgmt interface.
Preemptive: the lower number has the higher priority.
The management interface has a dedicated IP; data interface IPs are on the active FW, and the standby FW has no IP. By default, data interfaces on the standby FW are in shutdown status.
When the FWs are directly connected in the same LAN, HA2 using the Ethernet transport protocol doesn't need an IP address.

admin@PA-916-B(passive)> show interface hardware
total configured hardware interfaces: 3
name                    id    speed/duplex/state        mac address
--------------------------------------------------------------------------------
ethernet1/1             16    ukn/ukn/ down(power-down )  00:0c:29:7a:5c:

Palo Alto IPsec VPN

Configuration
1. Tunnel interface: if no dynamic routing is required, the tunnel interface can have no IP address.
2. (Optional) IKE Crypto profile: PA comes with default IKE Crypto profiles.
4. (Optional) IPSec Crypto profile: PA comes with default IPSec Crypto profiles.
5. IKE gateway: specify the peer IP address, IKE version, VPN physical interface/IP, pre-shared key, IKE identity (the default is the IP address), and IKE Crypto Profile.
6. IPSec tunnel: specify the tunnel interface, IKE gateway, IPSec Crypto Profile and Proxy IDs.
7. Route: route the remote subnet to the tunnel interface.
8. Security Policy: consider adding bidirectional security policies for VPN traffic and encryption domain traffic.
   The rule for VPN traffic is not required if it is covered by the intrazone-default rule.
   The rule for encryption domain traffic is also not required if the tunnel interface is in the Trust zone and is covered by the intrazone-default rule.

Verify - CLI
show vpn tunnel     has Phase II info: proposal, proxy-id, Gateway Nam

Palo Alto Basic

Notes:
>   operation mode prompt
#   configuration mode prompt

Serial cable: wait for the prompt "PA-VM", then log in with the default account below.
admin/admin

The HW FW management port default IP is 192.168.1.1; the VM FW management port doesn't have a static IP, it is a DHCP client.
show interface management

To change the mgmt IP:
configure
set deviceconfig system type static
set deviceconfig system ip-address 172.16.1.100
set deviceconfig system netmask 255.255.255.0
set deviceconfig system default-gateway 172.16.1.1
or
set deviceconfig system ip-address 172.16.1.100 netmask 255.255.255.0 default-gateway 172.16.1.1
set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
validate full
show jobs all
commit

Then log in to the GUI:
Change the admin password: Device > Administrators
Set up the hostname, domain, and time zone: Device > Setup > Management
Add DNS server and NTP server IPs: Device > Setup > Se