Windows NPS + NXlog to Palo Alto User-ID

Andrew Cheremisov | Uncategorized

NXlog configuration file

Configure Palo Alto to accept User-ID syslog: Device -> Setup -> Interfaces -> Management, or, if you use a network profile, Network -> Interface Mgmt.

Add a syslog filter profile: Device -> User Identification -> click the gear on the right side of "Palo Alto Networks User-ID Agent Setup" -> Syslog Filters -> Add new filter.

Login event
Check "Regex Identifier"
Event Regex: ("Acct-Status-Type":"1"){1}
Username Regex: "User-Name":"([a-zA-Z0-9\\\._\-]+)"
Address Regex: "Framed-IP-Address":"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

Disconnect event
Check "Regex Identifier"
Event Regex: ("Acct-Status-Type":"2"){1}
Username Regex: "User-Name":"([a-zA-Z0-9\\\._\-]+)"
Address Regex: "Framed-IP-Address":"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

Save and close. Go to Device -> User Identification -> section "Server Monitoring". Click Add …

Windows NPS + NXlog to Graylog

Andrew Cheremisov | Security, Uncategorized

Saving Windows NPS logs to any folder

Downloading NXlog Community Edition from here

Changing the NXlog config file at C:\Program Files (x86)\nxlog\conf\nxlog.conf

#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\\cert
define CONFDIR %ROOT%\\conf
define LOGDIR %ROOT%\\data
define LOGFILE %ROOT%\\logs\\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\\modules
CacheDir %ROOT%\\data
Pidfile %ROOT%\\data\
SpoolDir %ROOT%\\data

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                (file_size('%LOGFILE%') >= 5M)) \
                file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every …

Licensing AnyConnect and Cisco FTD

Andrew Cheremisov | Cisco FTD

As you might already know, the new Cisco Firepower Threat Defense appliances support only "Smart License" licensing. Let's say you bought L-AC-PLS-P-100, which is a 100-user AnyConnect Plus license, and its description shows "Family: ASA 5500 Series". How do you register it to the Smart Account and activate it for Cisco FTD? If you try "Convert to Smart Licensing"… Nope, that doesn't work. The proper way is outlined in the AnyConnect Licensing Frequently Asked Questions (FAQ). You need to open a case with Cisco Global Licensing (GLO) at and send the following information: …

Cisco ISE Guest API – PHP script

Andrew Cheremisov | Cisco ISE | 1 Comment

Adds a user to ISE via a POST request. Returns the first/last name and the ISE-generated username and password.

GitHub repository:

Postman POST request to the script

ISE guest user is created

OSCP Guide. Where to start, what to read, how to practice.

Andrew Cheremisov | Security | 11 Comments

Around a month ago, I started my preparation for the OSCP (Offensive Security Certified Professional) exam and signed up for the PWK course from Offensive Security in mid-January. If you have just started your path to OSCP certification, you might have a lot of questions. Is there any official guide? What to read? Where to start? What kind of knowledge is required? In this article, I tried to unite all the information that I gathered from the Internet. I will constantly update the post with new information.

How to add Palo Alto firewall to VIRL

Andrew Cheremisov | Simulation | 2 Comments

Get a Palo Alto VM image in *.qcow2 format

If you have a Palo Alto support account, log in to your Support Panel at and navigate to the Software Updates section. Look for the "PAN-OS for VM-Series KVM Base Images" section and download the PA installation image.

Cisco ISE 2.2 – Open ports 9102 and 9103

Andrew Cheremisov | Cisco ISE, Security

One of our clients did a vulnerability scan of the new Cisco ISE 2.2 and found two strange open ports, 9102 and 9103. After some research I found that those ports are related to ISE Wireless Setup.

How to disable them? At the ISE admin CLI, issue:

application configure ise

Select option 17 ([17] Enable/Disable Wifi Setup).

Note: if you have ISE 2.2 Patch 1, the ports will re-appear after 15-20 seconds and you will not be able to disable them permanently. This behaviour is fixed in ISE 2.2 Patch 2.

Refresh PMK every X seconds – Cisco ISE and Meraki

Andrew Cheremisov | Cisco ISE, Security, Wireless

One of our clients requested that the PMK (more about PMK) be refreshed every 5 minutes during deployment of a Cisco ISE and Meraki solution.

Create a new Authorization Profile in Cisco ISE (Policy -> Policy Elements -> Results -> Authorization Profile).

Reauthentication: to choose, select the check box and enter a value in seconds for maintaining connectivity during reauthentication. You can also choose attribute values from the Timer drop-down list. You choose to maintain connectivity during reauthentication by selecting to use either the default (a value of 0) or RADIUS-Request (a value of 1) …

Cisco ISE 2.2 OVA image and VMware vCenter 6.5+

Andrew Cheremisov | Cisco ISE, Security

Recently I installed the new ISE virtual appliance for one of our customers and found out that you can no longer natively import the OVA image into VMware vCenter. Cisco has a one-line explanation in the ISE 2.2 guide: "The ISE 2.2 OVA templates are not compatible with the VMware web client for vCenter 6.5. As a workaround, use the VMware OVF tool to import the OVA templates."

Workaround:

Download the OVF tool from the VMware site –

Download the latest ISE appliance OVA image from the Cisco site

Go to the OVF tool folder in the command …