ADCS Cert Templates for ISE Lab

In my ISE lab I’m going to be using EAP-TLS and TEAP, which means I’ll be needing user and computer certificates. The goal is to be able to enable the 802.1X supplicant via GPO and to distribute certificates automatically without requiring any user input. Another post will cover GPO, in this post I’ll cover creating the certificate templates in ADCS.

When opening the CA app, there are a number of templates provided by default:

There are already templates for User and Computer, but it’s better to leave the default templates alone and create new ones. First, we’ll create a template for user certificates. Start by right clicking Certificate Templates and selecting Manage:

Then we’re going to right click the User template and select Duplicate Template:

This is going to open up a new window with properties of the template:

Go to General and give the template a name:

Don’t select the Do not automatically reenroll option or it won’t be possible to renew certs before they expire.

Then go to Request Handling. We’re going to uncheck the Allow private key to be exported option as this is considered more secure:

Make sure Enroll subject without requiring any Continue reading

NB500: SolarWinds and MacOS Vulernabilities Get Attention; Amazon Invests in Nuclear to Meet Power, Carbon Goals

This week’s Network Break discusses a CISA warning that a serious SolarWinds vulnerability is being exploited, Microsoft turns the tables by discovering a MacOS vulnerability, and Amazon invests in small modular nuclear reactors to meet growing power demands and reduce carbon output. T-Mobile releases a new device using the 5G Reduced Capacity spec, Palo Alto... Read more »

Tech Bytes: From AWS Topography to On-Prem Flows, Cisco ThousandEyes Boosts Network Visibility (Sponsored)

The Tech Bytes podcast welcomes back sponsor Cisco ThousandEyes to talk about new features that improve visibility into both the public cloud and your on-prem network. We’ll get details on the new topographical mapping feature for AWS, as well as ThousandEyes’ new capability to consume flow records from on prem and correlate those records with... Read more »

Unlocking The Future of AI Infrastructure: Breaking Through Bottlenecks For Profitability And Performance

As the last several years have shown, scaling up AI systems to train larger models with more parameters across more data is a very expensive proposition, and one that has made Nvidia fabulously rich.

Unlocking The Future of AI Infrastructure: Breaking Through Bottlenecks For Profitability And Performance was written by Timothy Prickett Morgan at The Next Platform.

AI for Network Engineers: Multi-Class Classification

 Introduction 

This chapter explains the multi-class classification training process. It begins with an introduction to the MNIST dataset (Modified National Institute of Standards and Technology dataset). Next, it describes how the SoftMax activation function computes the probability of the image fed into the model during the forward pass and how the weight parameters are adjusted during the backward pass to improve training results. Additionally, the chapter discusses the data parallelization strategy from a network perspective.


MINST Dataset

We will use the MNIST dataset [1], which consists of handwritten digits, to demonstrate the training process. The MNIST dataset includes four files: (1) a training set with 60,000 gray-scale images (28x28 pixels) and their respective (2) labels, and a test set with 10,000 images (28x28 pixels) and their respective labels. Figure 3-1 illustrates the structure and dependencies between the test dataset and the labels.

The file train-images-idx3-ubyte contains metadata describing how the images are ordered, along with the image pixel order. The file train-labels-idx1-ubyte defines which label (the digits 0-9) corresponds to which image in the image file. Since we have ten possible outputs, we use ten output neurons.

Before the training process begins, the labels for each image-label pair are one-hot Continue reading

NOG.HR: A NOG Meeting Worth Attending

I never know what to expect when I’m invited to speak at a regional (or in-country) Network Operator Group (NOG) meeting. Sometimes, it turns out to be a large conference (PLNOG and ITNOG come to mind); other times, it’s just a few people gathered around free donuts and coffee1. Last week’s Croatian NOG (NOG.HR) meeting was in the Goldilocks zone between the extremes: plenty of interested networking engineers, but not large enough to be overpowering.

Also, it was such a nice experience ;)

Read more …

The IPv6 Transition

I wrote an article in May 2022, asking “Are we there yet?” about the transition to IPv6. At the time I concluded the article on an optimistic note, observing that we may not be ending the transition just yet, but we are closing in. I thought at the time that we won’t reach the end of this transition to IPv6 with a bang, but with a whimper. A couple of years later, I’d like to revise these conclusions with some different thoughts about where we are heading and why.

Global Protect VPN SAML SSO with Entra-ID

Global Protect VPN SAML SSO with Entra-ID

In this blog post, we will look at how to use Entra-ID SAML SSO with GlobalProtect VPN. This guide assumes you are already familiar with GlobalProtect VPN and have an existing VPN solution with other forms of authentication. If you are new to GlobalProtect VPN, feel free to check out my other blog post, which is linked below.

Palo Alto Global Protect VPN Configuration Example
In this blog post, we will cover how to configure Palo Alto Global Protect VPN. We’ll go through setting up the portal, gateway, authentication profile, IP pools, split-tunnel, security policy, NAT policy and other necessary components.
Global Protect VPN SAML SSO with Entra-IDPacketswitchSuresh Vina
Global Protect VPN SAML SSO with Entra-ID

Adding GlobalProtect to the Admin Centre

  1. Sign in to the Microsoft Entra admin centre and navigate to Identity > Applications > Enterprise applications > New application.
  2. Add the Palo Alto Networks - GlobalProtect application.
  3. Once added, select Palo Alto Networks - GlobalProtect > Single sign-on.
Global Protect VPN SAML SSO with Entra-ID
Global Protect VPN SAML SSO with Entra-ID

On the Set up single sign-on with SAML page, click the pencil icon in the Basic SAML Configuration section to edit the settings.

💡
In the Basic SAML Configuration section, for the Entity ID and Reply URL, ensure that you include :443 after the URL, otherwise, it won't work. I Continue reading

What Is the Future of the .io Domain?

The .io domain was originally created for the British Indian Ocean Territory but eventually became popular with the tech sector, for obvious reasons. Part of the reason for this is that ‘io’ is similar in appearance to I/O (aka input/output), which is why the tech sector started gobbling up the .io domains. There were issues soon after the creation of the domain that had to do with the distribution of profit. A lot of app developers use the .io domain. The New Stack uses the .io domain. It’s everywhere. But there’s a problem, and it’s one that could have a cascading effect within the realm of the tech sector. What has happened is that the

Global Protect Internal Host Detection & Internal Gateways – Lessons Learnt

Global Protect Internal Host Detection & Internal Gateways - Lessons Learnt

I already had Palo Alto GlobalProtect VPN configured with an external gateway and portal, allowing me to connect back to my home network when I'm outside. Even when I'm inside my internal network, I can still connect to the VPN. However, I wanted to use the Internal Host Detection feature of GlobalProtect VPN, so that if I'm on my internal network and try to connect, it won't connect to the external gateway. Throughout the configurations, I learned a few lessons. Let’s dive in.

If you're completely new to GlobalProtect VPN, please check out my introductory blog post linked below.

Palo Alto Global Protect VPN Configuration Example
In this blog post, we will cover how to configure Palo Alto Global Protect VPN. We’ll go through setting up the portal, gateway, authentication profile, IP pools, split-tunnel, security policy, NAT policy and other necessary components.
Global Protect Internal Host Detection & Internal Gateways - Lessons LearntPacketswitchSuresh Vina
Global Protect Internal Host Detection & Internal Gateways - Lessons Learnt

Please note that this setup was tested on PAN-OS 10.2.9-h1 and the GlobalProtect macOS client version 6.2.4.

What is Internal Host Detection?

If you're already in your office or internal network, there's no need to connect to the VPN, what’s the point, right? This is especially relevant if you're using an Continue reading

Before Facebook, the Late Ward Christensen Booted Up the First Social Network

Back in the 70s, if you wanted to be online, you had to be a college student, researcher, or in the military to be on the internet. That was it. Joe or Jane User? Forget about it. Then, during a Chicago blizzard, a young computer scientist, online services such as CompuServe started as early as 1969. However, unlike the free BBSs, these services could cost as much as $30 an hour in 1970s dollars or $130 an hour in today’s money. XMODEM file transfer protocol in 1977. This innovative method broke binary files into packets, ensuring reliable delivery over unstable analog telephone lines. XMODEM became a cornerstone of early online file sharing and inspired numerous subsequent file transfer protocols. While considered inefficient by today’s standards, XMODEM established key concepts that are still used in file transfers. These include breaking data into packets for transmission, using checksums or CRCs for error detection, and implementing handshaking between sender and receiver. Thanks to XMODEM, people began sharing files with one another. This, in turn, helped create

Building a Simple HTTP Source for Firewall EDL

Building a Simple HTTP Source for Firewall EDL

Recently, I wanted to add a list of domains to the Palo Alto DNS policy to block them from resolving. However, I soon realized that I couldn't just add a list of domains directly to the firewall, I needed to use an External Dynamic List (EDL). Palo Alto and I believe other firewalls as well, require a simple HTTP URL that hosts a list of domains or IP addresses. While there are amazing EDL projects available, in this blog post, we'll explore the simplest way to deploy an EDL.

Python HTTP Server

Python's HTTP server module lets you create a basic web server using just a single command. This server can serve files from a directory over the network, making it an excellent tool for quick testing and file sharing without the complexity of setting up a full-fledged web server.

All you need to do is create a list of domains, save it as a text file, and run python -m http.server 8085 from the directory where the file is saved. You can use any port, but remember that a lower number of ports like 80 require admin privileges. Once the server is running, navigate to http://IP_ADDRESS:8085/domains.txt in Continue reading

1 49 50 51 52 53 3,789