@gjacobse said in Palo Alto Networks patches critical buffer overflow bug:

Researchers wait 12 months to report vulnerability with 9.8 out of 10 severity rating

Palo Alto Networks patches critical buffer overflow bug in its GlobalProtect VPN.
DAN GOODIN - 11/11/2021, 8:30 AM

About 10,000 enterprise servers running Palo Alto Networks’ GlobalProtect VPN are vulnerable to a just-patched buffer overflow bug with a severity rating of 9.8 out of a possible 10.

Security firm Randori said on Wednesday that it discovered the vulnerability 12 months ago and for most of the time since has been privately using it in its red team products, which help customers test their network defenses against real-world threats. The norm among security professionals is for researchers to privately report high-severity vulnerabilities to vendors as soon as possible rather than hoarding them in secret.

(Click link for remainder of article)

I'm not sure this bolded part can actually be claimed. that's definitely the desired effect, but how can they know that it IS the norm?

@hobbit666 said in MPLS alternative:

So following on from another thread.

I'm today's modern day how would you handle:-
*Multiple site connections around 60 sites.
*Internet access via a
for "security" either at a single point or something per connection? Nice to have Intruction detection blah blah blah 😁 and content filtering. Will need to allow certain ports in and out (I know this is normally standard on Firewalls/UTMs but worth mentioning)
*semi managed with high SLA.

How would multiple vpns be handled. Would it be a case each sites router would have multiple vpns to each site? Or a single VPN to a singe "master" site/device.

About two years ago, we stopped using MPLS in favor of site-to-site virtual private networks. Costs are decreasing, speeds are increasing, and visibility is improving. We're using Fortigates for the firewalls, but you should be able to use whichever firewall you're comfortable maintaining. Similar use profile in terms of traffic type (Citrix ICA). We used hub and spoke vpn architecture, which works well for us; what works best for you will rely on the rest of your infrastructure topology.

Sorted this out.
For some reason the install was setting Allow Global IP and Allow Default Route.
Once I unticked these and ticked All Managed IP it all began working.

@ambarishrh said in PDQ Link:

@jaredbusch said in PDQ Link:

@Ambarishrh said in PDQ Link:

The only catch I could see is the mandatory port 443 as per their site

The majority of work for Link is done with our installer, but there is one bit that will have to be done by you or your network team. Your external firewall will need to route incoming TCP 443 to your PDQ Link server. 443 is the only port SSTP can utilize. This configuration is mandatory to allow your external clients to connect.

If you already have another service on 443 with a public IP, we need to use an additional IP for PDQ link.

That is what inbound proxy servers are for.

digging an older topic as I am testing this now. Regarding inbound proxy
, what would you suggest to be used?

This isn't that simple, you need a proxy that supports TCP streams, unless SSTP behaves just like HTTPS. You'd need to talk to PDQ support to get more details. If you do end up needing TCP streams, I think Nginx, Traefik, and Haproxy all support that, and there's a mod for Apache too, but if I recall it correctly, it was specifically for MSRPC, so Exchange OWA or RDS.

@JaredBusch said in Client VPN - Openswan / Strongswan:

@CCWTech said in Client VPN - Openswan / Strongswan:

I have a Ubiquiti USG that I have the Remote User VPN setup on (LT2P with PSK).

Can Openswan / Strongswan connect to that? I haven't found a walk through on the internet.

Background: I am using a Raspberry Pi running Raspbian that I am using to connect to the USG.

That is IPSEC. It is different settings, so not with your L2TP. But yes.

Awesome, thank you!

@stacksofplates
basically you have to update the planet definition and also include the public identity into the fold. Then they find each other and are online. I will bow try to make it work as a cluster. Keep this post updated...

@IRJ

This is the screen I get.
dd696ce9-3138-470c-a826-18571bfcfa73-image.png

I deleted everything. Then you re-enter the gateway, and it will ask you for your password.

4fc4c919-de3e-4f1c-8d4c-fa87de0f5009-image.png

@Dashrender

firewall { all-ping enable broadcast-ping disable group { address-group trusted_IPs { address 1.2.3.4 address 5.6.7.8 address 9.10.11.12 description "for remote GUI access" } } ipv6-name WANv6_IN { default-action drop description "WAN inbound traffic forwarded to LAN" enable-default-log rule 10 { action accept description "Allow established/related sessions" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } } ipv6-name WANv6_LOCAL { default-action drop description "WAN inbound traffic to the router" enable-default-log rule 10 { action accept description "Allow established/related sessions" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } rule 30 { action accept description "Allow IPv6 icmp" protocol ipv6-icmp } rule 40 { action accept description "allow dhcpv6" destination { port 546 } protocol udp source { port 547 } } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name WAN_IN { default-action drop description "WAN to internal" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } } name WAN_LOCAL { default-action drop description "WAN to router" rule 10 { action accept description "remote GUI" destination { port 443 } log disable protocol tcp source { group { address-group trusted_IPs } } } rule 20 { action accept description "Allow established/related" state { established enable related enable } } rule 30 { action accept description ike destination { port 500 } log disable protocol udp state { invalid enable } } rule 40 { action accept description esp log disable protocol esp } rule 50 { action accept description nat-t destination { port 4500 } log disable protocol udp } rule 60 { action accept description l2tp destination { port 1701 } ipsec { match-ipsec } log disable protocol udp } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address 10.10.10.10/30 description Internet duplex auto firewall { in { ipv6-name WANv6_IN name WAN_IN } local { ipv6-name WANv6_LOCAL name WAN_LOCAL } } speed auto } ethernet eth1 { address 10.15.20.254/24 description "LAN 1" duplex auto speed auto } ethernet eth2 { address 192.168.2.254/24 description "LAN 2" duplex auto speed auto } ethernet eth3 { duplex auto speed auto } loopback lo { } } port-forward { auto-firewall enable hairpin-nat disable wan-interface eth0 } service { dhcp-server { disabled false hostfile-update disable shared-network-name LAN2 { authoritative enable subnet 192.168.2.0/24 { default-router 192.168.2.254 dns-server 192.168.2.254 lease 86400 start 192.168.2.38 { stop 192.168.2.43 } } } static-arp disable use-dnsmasq disable } dns { forwarding { cache-size 10000 listen-on eth1 listen-on eth2 name-server 1.1.1.1 name-server 9.9.9.9 } } gui { http-port 80 https-port 443 older-ciphers enable } nat { rule 5010 { description "masquerade for WAN" outbound-interface eth0 type masquerade } } ssh { port 22 protocol-version v2 } unms { connection wss:// } } system { domain-name ubnt gateway-address 10.10.10.1 host-name ER4 login { user ubnt { authentication { encrypted-password ubnt } level admin } } name-server 1.1.1.1 name-server 9.9.9.9 ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } offload { hwnat disable ipsec disable } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone UTC } vpn { ipsec { allow-access-to-local-interface disable auto-firewall-nat-exclude disable ipsec-interfaces { interface eth0 } } l2tp { remote-access { authentication { local-users { username hello { password 1234 } } mode local } client-ip-pool { start 192.168.100.100 stop 192.168.100.110 } dns-servers { server-1 1.1.1.1 server-2 9.9.9.9 } idle 1800 ipsec-settings { authentication { mode pre-shared-secret pre-shared-secret 1234 } ike-lifetime 3600 lifetime 3600 } mtu 1492 outside-address 10.10.10.10 } } }

I've already used this guide again. LOL, boy this is handy.

@Romo said in Unifi USG VPN from Behind NAT Firewall:

Also add the changes to a config.gateway.json file in the controller to changes directly made on the USG don't get deleted on next provision.

One reason I hate these units.

@krisleslie said in Anyone figured out how to ZeroTier with AD?:

@Dashrender all ubnt

They have two models, the unifi USGs and the EdgeRouter series - which are you sporting?

Update: this is what I ended up with.
Route based VPN using this guide as a template.

Master site: 1x ER 12 + 1x ER 4
Sites A, B, C & D :1x ER4 each location
Colo: 1x ER4 & 1x pfSense (SM x10SDV-TLN4F+)

@Pete-S said in ZeroTier vs VPN:

@Kelly said in ZeroTier vs VPN:

In the strictest sense ZT is a VPN. It is just a one to one IaaS that is routed through the cloud on ZT's systems instead of your edge. You can achieve the same effective security through rules on most VPN servers. ZT just makes it simpler, and reduces your ongoing effort assuming that 1 to 1 or 1 to few is your primary access model.

I haven't used it but why does ZT makes it easier? You have to install it on every machine you want access to, right? And I assume you have to setup some kind of routing on a computer if you want access to something on the network where you can't install ZT, like an appliance or something like an ilo interface.

With an OpenVPN (SSL VPN) connection through the firewall you have a routable VPN and no NAT problems. You can put whatever access to whatever resources you want without installing anything anywhere. And you have everything in one place.

I though ZT was a peer to peer network. So it would make most sense when there are no LAN or central resources and everything is spread out. But that not the network layout in this case.

You do have to install it on every machine. It is easier in the sense that to achieve the same level of lockdown paired with user specific access you would need to do a fair bit of work on your edge and keep it maintained. Deploying software to clients should be pretty straightforward if you're using quality tools: https://chocolatey.org/packages/zerotier-one.

@manxam said in USG to EdgeRouter VPN:

Interesting. The last time that I looked at the GUI (as we typically use CLI for VPN), it didn't give the option of DH group like so :

alt text

Wonder in what version this changed?

It has had it for as long as I recall. At least 1.5.

The CLI has had it 100% of the time since release at version 1.2.0