Todd's Blog

Todd's Tips for System Administrators


Real Time Block Lists with Palo Alto Firewalls

posted on June 17, 2016

If you use a Palo Alto firewall, real-time block lists are a feature that has been available since PAN-OS 5.0. I’ve had a few people ask me how to set them up, so here are the instructions.

To find the maximum number of IPs that your firewall can handle in the RBL, run the following command from the CLI.

show system state | match cfg.general.max-address

This will give you the maximum number of IPs you can have in the list.

Next, in the GUI on your Palo Alto device, go to the Objects tab and then, in the left pane, select Dynamic Block Lists.

[Screenshot: PaloAlto-RealTime-Block-Lists-1]

Here is the list of block lists that I’ve configured. To create a new one, click on the add button and give the list a name and a web source for the list. Decide how often you want it to update.

[Screenshot: PaloAlto-RealTime-Block-Lists-2]

Finally, you need to create a deny rule blocking these sites inbound.

[Screenshot: PaloAlto-Deny-Policy]

Commit the changes and you are off to the races. I often will leave logging on for a bit to see what is being blocked, but eventually, I turn it off because I don’t really care what traffic I am dropping.

Here is a list of sites I pull in. It appears some of these might be managed by a Palo Alto engineer, but I am not certain about this.

  • DShield Top 20 – https://panwdbl.appspot.com/lists/dshieldbl.txt
  • https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
  • SpamHaus – https://panwdbl.appspot.com/lists/shdrop.txt (Spam list)
  • Zeus Tracker – https://panwdbl.appspot.com/lists/zeustrackerbadips.txt
  • Malware Domain List – https://panwdbl.appspot.com/lists/mdl.txt
  • Openblock List – http://panwdbl.appspot.com/lists/openbl.txt
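
Because a deny rule acts on whatever these third-party URLs return, it is worth auditing a downloaded copy of each list first. The following is an added example, not part of the original post: it counts unique entries against the capacity reported by the CLI command above, rejects lines that are not addresses, and flags entries that overlap your own networks. It assumes one IPv4 address, CIDR block or first-last range per line with # or ; comments, and that each unique line counts as one entry; the sample list, the limit and the protected network are constructed placeholders.

```python
import ipaddress

def parse_entry(line):
    """Parse one list line into IPv4 networks; return None for blank/comment lines.
    Raises ValueError for anything that is not an address, CIDR block or range."""
    text = line.split("#", 1)[0].split(";", 1)[0].strip()
    if not text:
        return None
    if "-" in text:  # range form: first-last
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.IPv4Network(text, strict=False)]

def audit_list(text, max_entries, protected):
    """Audit a downloaded block list before a deny rule consumes it."""
    seen, rejected, overlaps, duplicates = set(), [], [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            nets = parse_entry(line)
        except ValueError:
            # e.g. an HTML error page served in place of the list
            rejected.append((lineno, line.strip()))
            continue
        if nets is None:
            continue
        key = tuple(nets)  # normalized form, so 1.2.3.4 equals 1.2.3.4/32
        if key in seen:
            duplicates += 1
            continue
        seen.add(key)
        for net in nets:
            for own in protected:
                if net.overlaps(own):  # list would match our own address space
                    overlaps.append((lineno, str(net), str(own)))
    return {"entries": len(seen), "over_capacity": len(seen) > max_entries,
            "duplicates": duplicates, "rejected": rejected, "overlaps": overlaps}

# Constructed sample: documentation ranges, one bogon-style block, one junk line.
SAMPLE = """\
# constructed sample list
192.0.2.0/24
198.51.100.7
203.0.113.10-203.0.113.20
10.0.0.0/8
198.51.100.7
<html>502 Bad Gateway</html>
"""
PROTECTED = [ipaddress.IPv4Network("10.20.0.0/16")]  # hypothetical internal network

if __name__ == "__main__":
    print(audit_list(SAMPLE, max_entries=5000, protected=PROTECTED))
```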

Filed Under: Technology Tagged With: Firewall, Palo Alto, Security

Canadian MVPDays East – Toronto, Ottawa, and Montreal

posted on February 23, 2016

I’m happy to announce that I will be presenting at all of the MVPDays Community Roadshows in Toronto, Ottawa and Montreal. It’s a great training opportunity for IT professionals who are looking to sharpen their skills. You’ll find the style very similar to the Microsoft TechDays which ran a few years back.
This community initiative is the result of hard work by several of Microsoft Canada’s Top MVPs (Most Valuable Professionals). It is our pleasure to be able to share our knowledge locally allowing the IT communities to learn and advance their technical knowledge base. You can follow Canadian MVPs on Twitter using the hashtags #CDNMVP and #MVPHour.

Expert Speakers will present topics based on their real world experience in short action packed sessions. Content will focus on the following topics:

    · Cloud
    · IT PRO
    · SharePoint / Office 365
    · Development

I will be presenting a session on migrating from on-premise Exchange to Office 365.
To register for any of the Roadshows, select the appropriate city below. Use code UGPROMO to save on your registration.

MVPDays Community Roadshow Toronto
Date: February 29, 2016
Location:
Hilton Garden Inn Toronto/Vaughan
3201 Highway 7
Vaughan, ON,  L4K 5Z7
Registration Link

MVPDays Community Roadshow Ottawa
Date: March 2, 2016
Location:
Ottawa Conference and Event Centre
200 Coventry Road
Ottawa, ON, K1K 4S3
Registration Link

MVPDays Community Roadshow Montreal
Date: March 4, 2016
Location:
Delta Montreal
475 Avenue du Président-Kennedy
Montreal, QC, H3A 1J7
Registration Link

We look forward to seeing you there.

Filed Under: Technology

Drivers Showing as Unsigned in Configuration Manager 2012 R2

posted on January 5, 2016

A customer has a problem with importing drivers for their Surface Pro 3 devices in System Center Configuration Manager 2012 R2.

We keep noticing some of the drivers are unsigned. I immediately realized something is up as Microsoft releasing unsigned drivers isn’t going to happen. So I started digging and immediately came to KB3025419 which seems to cover my situation. My customer uses Windows 2008 R2 as the Host operating system for the Configuration Manager server and so this KB is relevant. Basically, Microsoft changed the way they signed drivers and now use a different method. This new method is different than what Server 2008 R2 recognizes and thus the change.

It affects Configuration Manager 2007, 2012 and 2012 R2, so you might see this as well down the road once hardware vendors use the new method.

Install the patches and don’t forget to reboot. A reboot is required even if it doesn’t prompt for a reboot. How do I know this? Experience. Our server was patched by a different team but they didn’t reboot. The problem still persisted until the reboot.

Another thing you have to do is remove the “unsigned drivers”. This means delete the drivers that are showing unsigned before re-importing the drivers again. Once these two steps were performed we were back in business.

If you are running Windows Server 2008 R2 for your System Center Configuration Manager install, you might just want to install this patch during your next maintenance schedule. As more vendors sign their drivers in the new method, you might start to see issues even if you don’t deploy Surface Pro. Of course, if you are running Windows Server 2012 R2, you have probably never seen this issue and the patches are not required.

Filed Under: Deployment Tagged With: CM12, Configuration Manager, SCCM, System Center Configuration Manager, Windows Server 2008 R2
