Posts

Showing posts from February, 2023

Firepower FTD/ASA: Block Anyconnect brute force attack

Situation: An attacker attempts to connect with AnyConnect; AnyConnect sends the authentication to ISE, and ISE forwards it to AD. The ISE logs show many failed RADIUS requests with non-existent usernames; AD is overwhelmed and can no longer process legitimate AD authentication requests. During this attack, ISE itself is normally not the component that gets overwhelmed. The AnyConnect user's public IP is carried in the RADIUS attribute Calling-Station-ID.

Issue:
1. ISE failed-authentication suppression seems to apply only to existing user accounts.
2. FTD/ASA AnyConnect has no ability to filter by source IP geolocation.
3. FTD Security Intelligence doesn't block IPs to AC.
4. FTD Prefilter policy doesn't work.

Cisco Enhancement request: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs65322?rfs=iqvred

Solution:
1. The "shun" command on the FTD/ASA CLI.
2. Deny the attacker's IP in the control plane ACL (see appendix 1).
3. Enable anti-spoofing on the firewall AC interface and create a null0 route for the attacker's IP.

Fortigate USB disk

Insert a 2T USB flash drive into a FortiGate-70F:

FortiGate-70F # exe usb-device list
T:  Bus=02 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=5000 MxCh= 1
B:  Alloc=  0/800 us ( 0%), #Int=  0, #Iso=  0
D:  Ver= 3.00 Cls=09(hub  ) Sub=00 Prot=03 MxPS= 9 #Cfgs=  1
P:  Vendor=1d6b ProdID=0003 Rev= 3.0a
S:  Manufacturer=Linux 3.10.15 xhci-hcd
S:  Product=xHCI Host Controller
S:  SerialNumber=f3008000.usb3
C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=  0mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub
E:  Ad=81(I) Atr=03(Int.) MxPS=   4 Ivl=256ms

T:  Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=480  MxCh= 1
B:  Alloc=  0/800 us ( 0%), #Int=  0, #Iso=  0
D:  Ver= 2.00 Cls=09(hub  ) Sub=00 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=1d6b ProdID=0002 Rev= 3.0a
S:  Manufacturer=Linux 3.10.15 xhci-hcd
S:  Product=xHCI Host Controller
S:  SerialNumber=f3008000.usb3
C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=  0mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub
E:  Ad=81(I) Atr=03(Int.) M

Firepower FMC - Remediation Module for Security Intelligence Blacklist

https://community.cisco.com/t5/security-knowledge-base/remediation-module-for-security-intelligence-blacklist/ta-p/3144850/page/2/show-comments/true?attachment-id=26130
https://finkotek.com/firepower-custom-remediation-action/

Lab:
1. Install the module: Policies > Modules > Install a new module
2. Create an instance of the new module and configure the remediation: Policies > Instance > Select a module type > Add
3. Create a correlation rule.
4. Create a correlation policy and add the rule above.
5. Assign the remediation instance to the rule.
6. Create an SI feed object.
7. Add the new blacklist in the ACP.

Verification:
1. Create a custom IPS rule.
2. Enable the custom IPS rule.
3. Ping 1.1.1.1 from PC 10.10.10.30.
4. Check the intrusion event.
5. Check the correlation event.
6. Verify the SI event; the ping from the PC stops because of SI blocking.

Location of the local blacklist file: /var/sf/htdocs

root@fmc67:/var/sf/htdocs# ls | grep html
custom_blacklist.html
custom_blacklist_md5.html
html_temp

Fortigate Hardware switch, Software switch, VLAN switch

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Hardware-switch-Software-switch-VLAN-switch-Use/ta-p/210153

'HW Switch', which was initially of the 'Hardware Switch' type, now shows as 'VLAN Switch' after enabling 'VLAN Switch'.

Example: on a FortiGate-70F out of the box, all 5 LAN ports are in a VLAN switch type interface called "internal"; in the CLI it shows as hardware-switch:

FortiGate-70F # config system interface
FortiGate-70F (interface) # edit "internal"
FortiGate-70F (internal) # show
config system interface
    edit "internal"
        set vdom "root"
        set ip 10.20.20.1 255.255.255.0
        set allowaccess ping https ssh fgfm fabric
        set type hard-switch
        set alias "LAN"
        set stp enable
        set role lan
        set snmp-index 15
    next
end
FortiGate-70F (internal) #

Multiple VLAN switches can be created. A software switch has a few extra options, such as being able to act as a hub. Recommended- Hardwa

Palo Alto LDAP and User-ID

User-ID sources: AD user agent, LDAP user agent, captive portal, TS agent, PAN client

Configure LDAP:
1. Create a service account called "ldap" in the AD Managed Service Accounts OU.
2. Verify the FW DNS is configured with the internal AD/DNS server.
3. Verify the service route for DNS/LDAP points to the internal LAN.
4. Add an LDAP Server Profile and commit the change.
5. Verify the LDAP connection is good.
   5.1 The Base DN should show up; select it.
6. Add group mapping and commit the change.
7. Verify a security policy can use usernames or groups.

Configure User-IP mapping (WinRM is recommended):
1. Enable User-ID by zone.
2. Verify the Kerberos service route points to internal and the FW DNS is configured with the internal AD/DNS server.
3. Create a Kerberos server profile.
4. Configure agentless settings. If using a dedicated service account, refer to: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent
5. Add monitor serv

Palo Alto URL Filter

In addition to the standard URL categories, there are 3 more system-defined categories:

not-resolved - The website was not found in the local URL filtering database and cloud connectivity was not possible. Connectivity to the cloud and the way it works is covered later in this document.
private-ip-address - Either the website is a single domain, the IP address is in a private IP range, or the URL root domain is unknown to the cloud.
unknown - The website has not been categorized yet.

URL filtering works on 2 major protocols: HTTP and HTTPS (SSL). To identify the category of a website, the firewall queries in the following order:
1. It checks its local data plane cache.
2. If no match is found, it checks its local management plane cache.
3. If no match is found, it queries the cloud (public or private).

For HTTP traffic, the firewall looks primarily at the HTTP GET message. For HTTPS traffic, since this protocol is being